253 files changed, 41924 insertions, 2924 deletions

diff --git a/docs/htmldocs/using_samba/appa.html b/docs/htmldocs/using_samba/appa.html
new file mode 100644
index 0000000000..9f3dc4b56f
--- /dev/null
+++ b/docs/htmldocs/using_samba/appa.html
@@ -0,0 +1,362 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76" 
+hspace="10" align="left" />
+<h1 class="head0">Appendix A. Example Configuration Files</h1>
+
+
+<p>Earlier in this book, we provided information on how to set
+parameters inside the Samba configuration file, but rarely have we
+shown an example of a complete file that can actually be used to run
+a server. In this appendix, we provide examples of complete
+configuration files for running Samba in the various modes
+we've discussed. Using one of these examples, you
+can run Samba as a workgroup authentication server, workgroup server,
+primary domain controller, or domain member server.</p>
+
+<p>We have kept the examples simple so that they have the most universal
+application. They can be used as starting templates, which you can
+easily modify to fit your own needs, to get a Samba server up and
+running with minimal delay. The comments inside the files indicate
+what needs to be changed, and how, to work on a particular system on
+your network.</p>
+
+
+
+<div class="sect1"><a name="samba2-APP-A-SECT-1"/>
+
+<h2 class="head1">Samba in a Workgroup</h2>
+
+<p>If your network is configured as a workgroup, adding a Samba server
+is pretty simple. Samba even lets you add features, such as
+user-level security and WINS, that would normally require an
+expensive Windows NT/2000 Server.</p>
+
+
+<div class="sect2"><a name="samba2-APP-A-SECT-1.1"/>
+
+<h3 class="head2">Authentication and WINS Server</h3>
+
+<p>In a workgroup environment, Samba can be set up with share-level
+security and without offering WINS name service. This works and is
+simple, but we generally recommend that user-level security be
+enabled to allow Windows 95/98/Me systems to make use of it. Also, it
+only takes a single parameter to enable Samba as a WINS server,
+resulting in far better network efficiency.
+<a name="INDEX-1"/><a name="INDEX-2"/><a name="INDEX-3"/>Here is the configuration file
+that does it:</p>
+
+<blockquote><pre class="code">[global]
+    # replace &quot;toltec&quot; with your system's hostname
+
+    netbios name = toltec
+
+    # replace &quot;METRAN&quot; with the name of your workgroup
+
+    workgroup = METRAN
+
+    security = user
+    encrypt passwords = yes
+
+    # Run a WINS server
+
+    wins support = yes
+
+    # The following three lines ensure that the Samba
+    # server will maintain the role of master browser.
+    # Make sure no other Samba server has its OS level
+    # set higher than it is here.
+
+    local master = yes
+    preferred master = yes
+    os level = 65
+
+# Make home directories on the server available to users.
+
+[homes]
+    comment = %u's Home Directory
+    browsable = no
+    read only = no
+    map archive = yes
+
+# This is a shared directory, accessible by all
+# users. Use your own share name and path.
+
+[d]
+    path = /d
+    create mask = 0700
+    read only = no</pre></blockquote>
+
+<p>Generally, you will use a configuration file similar to this one when
+<a name="INDEX-4"/><a name="INDEX-5"/>adding your first Samba server to the
+workgroup.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-A-SECT-1.2"/>
+
+<h3 class="head2">Workgroup Server</h3>
+
+<p><a name="INDEX-6"/><a name="INDEX-7"/>Things are a
+little different if another system&mdash;either a Samba server or
+Windows NT/2000 server&mdash;is already handling WINS and/or
+authentication. In this case, Samba is configured to use that server
+for WINS. Here is a configuration file that does this:</p>
+
+<blockquote><pre class="code">[global]
+    # replace &quot;mixtec&quot; with your system's hostname
+
+    netbios name = mixtec
+
+    # replace &quot;METRAN&quot; with your workgroup name
+
+    workgroup = METRAN
+
+    security = user
+    encrypt passwords = yes
+
+    # Replace &quot;172.16.1.1&quot; with the IP address
+    # of your WINS server. If there is none,
+    # omit this line.
+
+    wins server = 172.16.1.1
+
+    # The OS level is set to 17 to allow
+    # this system to win over all Windows
+    # versions, but not the Samba server 
+    # that uses the configuration file
+    # in the previous section.
+
+    os level = 17
+
+[homes]
+    comment = %u's Home Directory
+    browsable = no
+    read only = no
+
+# This is a shared directory, accessible by all
+# users. Use your own share name and path.
+
+[d]
+    path = /d
+    create mask = 0700
+    read only = no</pre></blockquote>
+
+<p>Once you have a server in your workgroup handling authentication and
+WINS, this is the configuration file to use when adding additional
+Samba servers to the workgroup.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-APP-A-SECT-2"/>
+
+<h2 class="head1">Samba in a Windows NT Domain</h2>
+
+<p>When operating in a Windows NT domain, Samba can act either as a
+primary domain controller or as a domain member server.</p>
+
+
+<div class="sect2"><a name="samba2-APP-A-SECT-2.1"/>
+
+<h3 class="head2">Primary Domain Controller</h3>
+
+<p><a name="INDEX-8"/><a name="INDEX-9"/>Setting up Samba as a primary domain
+controller is more complicated than the other configurations.
+However, the extra difficulty is offset by having a more secure
+network and additional features such as logon scripts and roaming
+profiles. In the following configuration file, we also include
+support for a Microsoft Dfs share:</p>
+
+<blockquote><pre class="code">[global]
+    # Replace &quot;toltec&quot; with the hostname of your system.
+
+    netbios name = toltec
+
+    # Replace &quot;METRAN&quot; with the name of your Windows NT domain.
+
+    workgroup = METRAN
+
+    # Run a WINS server
+
+    wins support = yes
+    
+    # Always act as the local master browser
+    # and domain master browser.  Do not allow
+    # any other system to take over these roles!
+
+    domain master = yes
+    local master = yes
+    preferred master = yes
+    os level = 255
+
+    # Perform domain authentication.
+
+    security = user
+    encrypt passwords = yes
+    domain logons = yes
+    
+    # The location of user profiles for Windows NT/2000/XP.
+
+    logon path = \\%L\profiles\%u\%m
+
+    # Users' Windows home directories and storage of Win95/98/Me roaming profiles.
+
+    logon drive = G:
+    logon home = \\toltec\%u\.win_profile\%m
+
+    # The following line is optional because
+    # Samba always offers NetBIOS time service.
+    # This causes it to also be advertised:
+
+    time server = yes
+
+    # The logon script used for all users,
+    # Relative to [netlogon] share directory.
+
+    logon script = logon.bat
+
+    # The group identifying administrative users.
+    # If you have domain users in the Domain Admins
+    # group, use them here instead of &quot;jay&quot;.
+
+    domain admin group = root jay
+
+    # For adding machine accounts automatically.
+    # This example works on Linux. For other host
+    # operating systems, you might need a different
+    # command.
+
+    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
+
+    # Provide Microsoft Dfs support.
+
+    host msdfs = yes
+
+# The netlogon share is required for
+# functioning as the primary domain controller.
+# Make sure the directory used for the path exists.
+
+[netlogon]
+    path = /usr/local/samba/lib/netlogon
+    writable = no
+    browsable = no
+
+# The profiles share is for storing
+# Windows NT/2000/XP roaming profiles.
+# Use your own path, and make sure
+# the directory exists.
+
+[profiles]
+    path = /home/samba-ntprof
+    writable = yes
+    create mask = 0600
+    directory mask = 0700
+    browsable = no
+
+[homes]
+    comment = Home Directory
+    browsable = no
+    read only = no
+    map archive = yes
+
+# The Dfs share.
+# Use your own path, making
+# sure the directory exists.
+
+[dfs]
+    comment = Dfs share
+    path = /usr/local/samba/dfs
+    msdfs root = yes
+
+# A shared directory, accessible by all domain users.
+# Use your own share name and path.
+
+[d]
+    comment = %u's Home Directory
+    path = /d
+    create mask = 0700
+    read only = no</pre></blockquote>
+
+<p>See <a href="ch04.html">Chapter 4</a> for more information on configuring
+Samba as a primary domain controller, and see <a href="ch08.html">Chapter 8</a> for more information about setting up a
+Microsoft Dfs share. <a name="INDEX-10"/><a name="INDEX-11"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-A-SECT-2.2"/>
+
+<h3 class="head2">Domain Member Server</h3>
+
+<p><a name="INDEX-12"/><a name="INDEX-13"/>In a domain that
+already has either a Samba PDC or Windows NT/2000 Server PDC,
+additional Samba servers can be added as domain member servers using
+the following configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    # Replace &quot;mixtec&quot; with the system's hostname.
+
+    netbios name = mixtec
+
+    # Replace &quot;METRAN&quot; with the name of your domain.
+
+    workgroup = METRAN
+
+    # Replace &quot;172.16.1.1&quot; with the
+    # IP address of your WINS server.
+
+    wins server = 172.16.1.1
+
+    os level = 33
+    
+    security = domain
+    encrypt passwords = yes
+    password server = *
+
+# Home directories.
+
+[homes]
+    comment = %u's Home Directory
+    browsable = no
+    read only = no
+    map archive = yes
+
+# This is an example printers
+# share, which works for Linux.
+
+[printers]
+    printable = yes
+    printing = BSD
+    print command = /usr/bin/lpr -P%p %s
+    path = /var/tmp
+    min print space = 2000
+
+# A shared directory, accessible by all domain users.
+# Use your own share name and path.
+
+[d]
+    path = /d
+    create mask = 0755
+    read only = no</pre></blockquote>
+
+<p>See <a href="ch10.html">Chapter 10</a> for more information on sharing
+printers with Samba.</p>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/appb.html b/docs/htmldocs/using_samba/appb.html
new file mode 100644
index 0000000000..9cb6d957a8
--- /dev/null
+++ b/docs/htmldocs/using_samba/appb.html
@@ -0,0 +1,1840 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix B. Samba Configuration Option Quick Reference</h1>
+
+
+<p>The first section of this appendix lists each option that can be used
+in a Samba configuration file, which is usually named
+<em class="filename">smb.conf</em>. Most configuration files contain a
+global section of options that apply to all services (shares) and a
+separate section for various individual shares. If an option applies
+only to the global section, <tt class="literal">[global]</tt> appears to
+the right of its name in the following reference section.</p>
+
+<p>Except where noted, when specifying elements of a list, the elements
+can be separated by spaces, tabs, commas, semicolons, escaped
+newlines, or escaped carriage returns.</p>
+
+<p>Following this reference section is a glossary of value types, and a
+list of variables Samba recognizes.</p>
+
+
+
+<div class="sect1"><a name="samba2-APP-B-SECT-1"/>
+
+<h2 class="head1">Configuration File Options</h2>
+
+</div>
+
+
+<a name="INDEX-1"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>abort shutdown script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that stops the shutdown procedure started by
+<tt class="literal">shutdown script</tt>. The command will be run with the
+UID of the connected user. New in Samba 3.0.</p></div>
+<a name="INDEX-2"/><a name="INDEX-3"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add printer command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that creates a new
+<a name="INDEX-3"/>printer on the system hosting the Samba
+server. This command runs as <tt class="literal">root</tt> when the Windows
+NT/2000/XP Add Printer Wizard is run. The command will be passed a
+printer name, share name, port name, driver name, Windows NT/2000/XP
+driver location, and Windows 95/98/Me driver location, in that order.
+It will need to add the printer to the system and a share definition
+for the printer to <em class="filename">smb.conf.</em> See also
+<tt class="literal">add printer wizard</tt>, <tt class="literal">printing</tt>,
+and <tt class="literal">show add printer wizard</tt>.</p></div>
+<a name="INDEX-4"/><a name="INDEX-5"/><a name="INDEX-6"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add machine script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that adds a computer to the Samba
+server's <a name="INDEX-5"/><a name="INDEX-6"/>domain. New in Samba 3.0.</p></div>
+<a name="INDEX-7"/><a name="INDEX-8"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add share command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that creates a new
+<a name="INDEX-8"/>share on the Samba server. This command
+runs as <tt class="literal">root</tt> when a share is created using the
+Windows NT/2000/XP Server Manager. The client user must be logged on
+as the <tt class="literal">root</tt> user. The command will be passed the
+name of the Samba configuration file, the name of the share to be
+created, the full pathname of a directory on the Samba server (which
+must already exist), and a string to use as a comment for the share,
+in that order. The command must add a share definition for the share
+to <em class="filename">smb.conf.</em> See also <tt class="literal">add printer
+command</tt>, for adding a print share.</p></div>
+<a name="INDEX-9"/><a name="INDEX-10"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add user script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that creates a new
+<a name="INDEX-10"/>user on the system hosting the Samba
+server. This command runs as <tt class="literal">root</tt> when access to a
+Samba share is attempted by a Windows user who does not have an
+account on the hosting system, but does have an account maintained by
+a primary domain controller on a different system. The command should
+accept the name of the user as a single argument that matches the
+behavior of typical <em class="emphasis">adduser</em> commands. Samba
+honors the <tt class="literal">%u</tt> value (username) as the argument to
+the command. Requires <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">server</tt> or
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">domain</tt>. See also <tt class="literal">delete user</tt>
+<tt class="literal">script</tt>.</p></div>
+<a name="INDEX-11"/><a name="INDEX-12"/><a name="INDEX-13"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>admin users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p><a name="INDEX-12"/>Specifies users who will be granted
+<a name="INDEX-13"/><tt class="literal">root</tt>
+permissions on the share by Samba.</p></div>
+<a name="INDEX-14"/><a name="INDEX-15"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ads server = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: DNS hostname or IP address</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies the <a name="INDEX-15"/>Active Directory server, used by
+Samba 3.0 for authenticating clients. Requires
+<tt class="literal">security</tt> <tt class="literal">= ads</tt>. New in Samba
+3.0.</p></div>
+<a name="INDEX-16"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>algorithmic rid base = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 1000</p><p>Specifies the base value that Samba uses when calculating Windows
+domain security identifier equivalents to Unix UIDs. See also
+<tt class="literal">non unix account range</tt>. New in Samba 3.0.</p></div>
+<a name="INDEX-17"/><a name="INDEX-18"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>allow hosts = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies systems that can connect to the share or
+<a name="INDEX-18"/>shares. If NULL, any
+system can access the share unless there is a <tt class="literal">hosts
+deny</tt> option. Synonym for <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt>.</p></div>
+<a name="INDEX-19"/><a name="INDEX-20"/><a name="INDEX-21"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>allow trusted domains = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows access to users who lack accounts on the Samba server but have
+accounts in another, trusted <a name="INDEX-20"/><a name="INDEX-21"/>domain.
+Requires <tt class="literal">security</tt> <tt class="literal">= server</tt> or
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">domain</tt>.</p></div>
+<a name="INDEX-22"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>announce as = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NT, Win95, Wf W</p><p><b class="emphasis-bold">Default</b>: NT</p><p>Has Samba announce itself as something other than an NT server.
+Discouraged because it interferes with serving browse lists.</p></div>
+<a name="INDEX-23"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>announce version = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: two numbers separated by a dot character</p><p><b class="emphasis-bold">Default</b>: 4.5</p><p>Instructs Samba to announce itself as a different version SMB server.
+Discouraged.</p></div>
+<a name="INDEX-24"/><a name="INDEX-25"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>auth methods = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: guest, sam, ntdomain</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies what methods Samba tries in turn to
+<a name="INDEX-25"/>authenticate users. New in Samba
+3.0.</p></div>
+<a name="INDEX-26"/><a name="INDEX-27"/><a name="INDEX-28"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>auto services = service list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: service list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of <a name="INDEX-27"/><a name="INDEX-28"/>shares that always appear in
+browse lists. Also called <tt class="literal">preload</tt>.</p></div>
+<a name="INDEX-29"/><a name="INDEX-30"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>available = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to NO, denies access to a share. The
+<a name="INDEX-30"/>share appears in the browse list, but
+attempts to access it will fail.</p></div>
+<a name="INDEX-31"/><a name="INDEX-32"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>bind interfaces only = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, shares and browsing are provided only on interfaces in
+an <a name="INDEX-32"/>interfaces list (see
+<tt class="literal">interfaces</tt>). If you set this option to YES, be
+sure to add 127.0.0.1 to the interfaces list to allow
+<em class="emphasis">smbpasswd</em> to connect to the local system to
+change passwords. This is a convenience option; it does not improve
+security.</p></div>
+<a name="INDEX-33"/><a name="INDEX-34"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>block size = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 1024</p><p>Sets the size of disk blocks as reported by <em class="emphasis">smbd</em>
+to the client. <a name="INDEX-34"/>Obsolete
+starting with Samba 3.0.</p></div>
+<a name="INDEX-35"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>blocking locks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, honors byte range lock requests with time limits. Samba will
+queue the requests and retry them until the time period expires.</p></div>
+<a name="INDEX-36"/><a name="INDEX-37"/><a name="INDEX-38"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>browsable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p><a name="INDEX-37"/><a name="INDEX-38"/>Allows a share to be announced
+in browse lists. Also called <tt class="literal">browseable</tt>.</p></div>
+<a name="INDEX-39"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>browse list = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, serves the browse list to other systems on the network. Avoid
+changing.</p></div>
+<a name="INDEX-40"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>browseable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Synonym for <tt class="literal">browsable</tt>.</p></div>
+<a name="INDEX-41"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>case sensitive = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, uses the exact case the client supplied when trying to
+resolve a filename. If NO, matches either upper- or lowercase name.
+Avoid changing. Also called <tt class="literal">casesignames</tt>.</p></div>
+<a name="INDEX-42"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>casesignames = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Synonym for <tt class="literal">case</tt> <tt class="literal">sensitive</tt>.</p></div>
+<a name="INDEX-43"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>change notify timeout = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive number</p><p><b class="emphasis-bold">Default</b>: 60</p><p>Sets the number of seconds between checks when a client asks for
+notification of changes in a directory. Avoid lowering.</p></div>
+<a name="INDEX-44"/><a name="INDEX-45"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>change share command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that modifies a
+<a name="INDEX-45"/>share
+definition on the Samba server. This command runs as
+<tt class="literal">root</tt> when a share is created using the Windows
+NT/2000/XP Server Manager. The client user must be logged on as the
+<tt class="literal">root</tt> user. The command is passed the name of the
+Samba configuration file, the name of the share to be modified, the
+full pathname of a directory on the Samba server (which must already
+exist), and a string to use as a comment for the share, in that
+order. The command modifies the share definition for the share in
+<em class="filename">smb.conf.</em> See also <tt class="literal">add share
+command</tt> and <tt class="literal">delete share command</tt>.</p></div>
+<a name="INDEX-46"/><a name="INDEX-47"/><a name="INDEX-48"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>character set = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: ISO8859-1, ISO8859-2, ISO8859-5, KOI8-R</p><p><b class="emphasis-bold">Default</b>: NULL</p><p><a name="INDEX-47"/>If set, translates from DOS code
+pages to the Western European (ISO8859-1), Eastern European
+(ISO8859-2), Russian Cyrillic (ISO8859-5), or Alternate Russian
+(KOI8-R) character set. The <tt class="literal">client</tt>
+<tt class="literal">code</tt> <tt class="literal">page</tt> option must be set to
+850. <a name="INDEX-48"/>Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-49"/><a name="INDEX-50"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>client code page = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: see <a href="ch11.html#samba2-CHP-11-TABLE-4">Table 11-4</a> in <a href="ch11.html">Chapter 11</a></p><p><b class="emphasis-bold">Default</b>: 850 (MS-DOS Latin 1)</p><p>Sets the DOS code page explicitly, overriding any previous
+<tt class="literal">valid</tt> <tt class="literal">chars</tt> settings. Examples
+of values are 850 for Western European, 437 for the U.S. standard,
+and 932 for Japanese Shift-JIS. <a name="INDEX-50"/>Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-51"/><a name="INDEX-52"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>code page directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full directory name</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/lib/codepages</em></p><p>Specifies the directory that stores code pages.
+<a name="INDEX-52"/>Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-53"/><a name="INDEX-54"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>coding system = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: euc, cap, hex, hexN, sjis, j8bb, j8bj, jis8, j8bh,
+j8@b, j8@j,j8@h, j7bb, j7bj, jis7, j7bh, j7@b, j7@j, j7@h, jubb,
+jubj, junet, jubh, ju@b, ju@j, ju@h</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the coding system used, notably for Kanji. This is employed for
+filenames and should correspond to the code page in use. The
+<tt class="literal">client</tt> <tt class="literal">code</tt>
+<tt class="literal">page</tt> option must be set to 932 ( Japanese
+Shift-JIS). <a name="INDEX-54"/>Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-55"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>comment = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: string</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the comment corresponding to a share. The comment appears in
+places such as a <em class="emphasis">net view</em> listing or through the
+Network Neighborhood. See also the <tt class="literal">server</tt>
+<tt class="literal">string</tt> configuration option.</p></div>
+<a name="INDEX-56"/><a name="INDEX-57"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>config file = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: \filename</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Selects a new Samba <a name="INDEX-57"/>configuration file to read instead of the
+current one. Used to relocate the configuration file or used with
+<tt class="literal">%</tt> variables to select custom configuration files
+for some users or systems.</p></div>
+<a name="INDEX-58"/><a name="INDEX-59"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>copy = section name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: existing section's name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Copies the configuration of an already defined share into the
+<a name="INDEX-59"/>share in which this option
+appears. Used with <tt class="literal">%</tt> variables to select custom
+configurations for systems, architectures, and users. Each option
+specified or copied takes precedence over earlier specifications of
+the option.</p></div>
+<a name="INDEX-60"/><a name="INDEX-61"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>create mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0744</p><p>Sets the maximum allowable <a name="INDEX-61"/>permissions for new files (e.g.,
+0755). See also <tt class="literal">directory</tt> <tt class="literal">mask</tt>.
+To require certain permissions to be set, see
+<tt class="literal">force</tt> <tt class="literal">create</tt>
+<tt class="literal">mask</tt> and <tt class="literal">force</tt>
+<tt class="literal">directory</tt> <tt class="literal">mask</tt>. Also called
+<tt class="literal">create</tt> <tt class="literal">mode</tt>.</p></div>
+<a name="INDEX-62"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>create mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0744</p><p>Synonym for <tt class="literal">create</tt> <tt class="literal">mask</tt>.</p></div>
+<a name="INDEX-63"/><a name="INDEX-64"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>csc policy = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: manual, documents, programs, or disable</p><p><b class="emphasis-bold">Default</b>: manual</p><p>Sets the client-side <a name="INDEX-64"/>caching policy, telling them how to
+cache files offline if they are capable of doing so.</p></div>
+<a name="INDEX-65"/><a name="INDEX-66"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>deadtime = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Specifies the time in minutes before an unused
+<a name="INDEX-66"/>connection will be
+terminated. Zero means never. Used to keep clients from tying up
+server resources for long periods of time. If used, clients must
+autoreconnect after the specified period of inactivity. See also
+<tt class="literal">keepalive</tt>.</p></div>
+<a name="INDEX-67"/><a name="INDEX-68"/><a name="INDEX-69"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug hires timestamp = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Changes the <a name="INDEX-68"/><a name="INDEX-69"/>timestamps in log entries from seconds
+to microseconds. Useful for measuring performance.</p></div>
+<a name="INDEX-70"/><a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug pid = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Adds the process ID of the Samba server to <a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/>log lines, making it easier to
+debug a particular server. Requires debug <tt class="literal">timestamp =
+yes</tt> to work.</p></div>
+<a name="INDEX-74"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug timestamp = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Timestamps all log messages. Can be turned off when
+it's not useful (e.g., in debugging ). Also called
+<tt class="literal">timestamp</tt> <tt class="literal">logs</tt>.</p></div>
+<a name="INDEX-75"/><a name="INDEX-76"/><a name="INDEX-77"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug uid = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-76"/><a name="INDEX-77"/>Adds the real and effective
+user ID and group ID of the user being served to the logs, making it
+easier to debug one particular user.</p></div>
+<a name="INDEX-78"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debuglevel = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Sets the logging level used. Values of 3 or more slow Samba
+noticeably. Also called <tt class="literal">log</tt>
+<tt class="literal">level</tt>. Recommended value is 1.</p></div>
+<a name="INDEX-79"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default = service name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the name of a service (share) to provide if someone
+requests a service he doesn't have permission to use
+or that doesn't exist. The path is set from the name
+the client specified, with any underscore ( _ ) characters changed to
+slash ( / ) characters, allowing access to any directory on the Samba
+server. Use is discouraged. See also <tt class="literal">load
+printers</tt>. Also called <tt class="literal">default service</tt>.</p></div>
+<a name="INDEX-80"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default case = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: LOWER, UPPER</p><p><b class="emphasis-bold">Default</b>: LOWER</p><p>Sets the case in which to store new filenames. LOWER indicates
+lowercase, and UPPER indicates uppercase.</p></div>
+<a name="INDEX-81"/><a name="INDEX-82"/><a name="INDEX-83"/><a name="INDEX-84"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default devmode = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Used with printer shares being accessed by Windows NT/2000/XP clients
+to set a default device mode for the
+<a name="INDEX-82"/><a name="INDEX-83"/><a name="INDEX-84"/>printer. Can be
+problematic. Use with care.</p></div>
+<a name="INDEX-85"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default service = share name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">default</tt>.</p></div>
+<a name="INDEX-86"/><a name="INDEX-87"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete printer command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that removes a
+<a name="INDEX-87"/>printer from the system hosting the
+Samba server and deletes its service definition from
+<em class="filename">smb.conf</em>. The command is passed a printer name
+as its only argument. See also <tt class="literal">add printer
+command</tt>, <tt class="literal">printing</tt>, and <tt class="literal">show add
+printer wizard</tt>.</p></div>
+<a name="INDEX-88"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete readonly = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NO, YES</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, allows delete requests to remove read-only files. This
+is not allowed in MS-DOS/Windows, but it is normal in Unix, which has
+separate directory permissions. Used with programs such as RCS.</p></div>
+<a name="INDEX-89"/><a name="INDEX-90"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete share command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that deletes a
+<a name="INDEX-90"/>share
+from the Samba server. The command runs when a user logged in as the
+<tt class="literal">root</tt> user on a Windows NT/2000/XP system deletes a
+share using Server Manager. The command is passed the name of the
+Samba configuration file and the name of the share to be deleted. The
+command must remove the definition of the share from the
+configuration file. See also <tt class="literal">add share command</tt> and
+<tt class="literal">change share command</tt>.</p></div>
+<a name="INDEX-91"/><a name="INDEX-92"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete user script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the command to run as <tt class="literal">root</tt> when a user
+connects who no longer has an account on the
+domain's PDC. Honors <tt class="literal">%u</tt>. Can be
+used to delete the
+<a name="INDEX-92"/>user account automatically from
+the Samba server's host. Requires
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">domain</tt> or <tt class="literal">security = user</tt>. Use
+with caution. See also <tt class="literal">add user script</tt>.</p></div>
+<a name="INDEX-93"/><a name="INDEX-94"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete veto files = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NO, YES</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, allows delete requests for a
+<a name="INDEX-94"/>directory containing
+files or subdirectories the user can't see due to
+the <tt class="literal">veto</tt> <tt class="literal">files</tt> option. If set
+to NO, the directory is not deleted and still contains invisible
+files.</p></div>
+<a name="INDEX-95"/><a name="INDEX-96"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>deny hosts = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of systems from which to refuse
+<a name="INDEX-96"/>connections.
+Also called <tt class="literal">hosts</tt> <tt class="literal">deny</tt>.</p></div>
+<a name="INDEX-97"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dfree command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Specifies a command to run on the server to return free disk space.
+Not needed unless the Samba host system's
+<em class="emphasis">dfree</em> command does not work properly.</p></div>
+<a name="INDEX-98"/><a name="INDEX-99"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory = directory</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Unix directory name</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the path to the
+<a name="INDEX-99"/>directory provided by a file share or
+used by a printer share. If the option is omitted in the
+<tt class="literal">[homes]</tt> share, it is set automatically to the
+user's home directory; otherwise, it defaults
+to<em class="filename"> /tmp</em>. For a printer share, the directory is
+used to spool printer files. Honors the <tt class="literal">%u</tt> (user)
+and <tt class="literal">%m</tt> (machine) variables. Synonym for
+<tt class="literal">path</tt>.</p></div>
+<a name="INDEX-100"/><a name="INDEX-101"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0755</p><p>Sets the maximum allowable permissions for newly created
+<a name="INDEX-101"/>directories. To require
+that certain permissions be set, see the <tt class="literal">force</tt>
+<tt class="literal">create</tt> <tt class="literal">mask</tt> and
+<tt class="literal">force</tt> <tt class="literal">directory</tt>
+<tt class="literal">mask</tt> options. Also called
+<tt class="literal">directory</tt> <tt class="literal">mode</tt>.</p></div>
+<a name="INDEX-102"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0755</p><p>Synonym for <tt class="literal">directory</tt> <tt class="literal">mask</tt>.</p></div>
+<a name="INDEX-103"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory security mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>:  same as <tt class="literal">directory</tt> <tt class="literal">mode</tt></p><p>Controls which permission bits can be changed if a user edits the
+Unix permissions of directories on the Samba server from a Windows
+system. Any bit that is set in the mask can be changed by the user;
+any bit that is clear remains the same on the directory even if the
+user tries to change it. Requires <tt class="literal">nt</tt>
+<tt class="literal">acl</tt> <tt class="literal">support</tt>
+<tt class="literal">=</tt> <tt class="literal">YES</tt>.</p></div>
+<a name="INDEX-104"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>disable spools = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, Windows NT/2000/XP systems will downgrade to
+Lanman-style printing. Prevents printer driver uploading and
+downloading from working. Use with care. See also <tt class="literal">use client
+driver</tt>.</p></div>
+<a name="INDEX-105"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dns proxy = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES and if <tt class="literal">wins</tt>
+<tt class="literal">server</tt> <tt class="literal">=</tt>
+<tt class="literal">YES</tt>, looks up hostnames in DNS when they are not
+found using WINS.</p></div>
+<a name="INDEX-106"/><a name="INDEX-107"/><a name="INDEX-108"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain admin group = user list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: usernames and/or group names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies users who are in the <a name="INDEX-107"/>Domain Admins group and have
+<a name="INDEX-108"/>domain
+administrator authority when Samba is the PDC. See also
+<tt class="literal">domain guest group</tt> and <tt class="literal">domain
+logons</tt>. Useful in Samba 2.2 only. Obsolete in Samba 3.0.</p></div>
+<a name="INDEX-109"/><a name="INDEX-110"/><a name="INDEX-111"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain guest group = user/group list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of usernames and/or group names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies users who are in the <a name="INDEX-110"/>Domain Guest group when Samba is the PDC.
+See also <tt class="literal">domain admin group</tt> and <tt class="literal">domain
+logons</tt>. Useful in Samba 2.2 only. <a name="INDEX-111"/>Obsolete in Samba 3.0.</p></div>
+<a name="INDEX-112"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain logons = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Causes Samba to serve domain logons. This is one of the basic
+functions required when Samba is acting as the PDC.</p></div>
+<a name="INDEX-113"/><a name="INDEX-114"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain master = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: automatic</p><p>Makes Samba a <a name="INDEX-114"/>domain master browser for its domain. When
+domain logons are enabled, <tt class="literal">domain master</tt> defaults
+to YES. Otherwise, it defaults to NO.</p></div>
+<a name="INDEX-115"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dont descend = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of directories</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Prohibits a change directory or search in the directories specified.
+This is a browsing-convenience option; it doesn't
+provide any extra security.</p></div>
+<a name="INDEX-116"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dos filemode = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Allows anyone with write permissions to change permissions on a file,
+as allowed by MS-DOS.</p></div>
+<a name="INDEX-117"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dos filetime resolution = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Sets file times on Unix to match MS-DOS standards (rounding to the
+next even second). Recommended if using Visual C++ or a PC
+<em class="emphasis">make</em> program to avoid remaking the programs
+unnecessarily. Use with the <tt class="literal">dos</tt>
+<tt class="literal">filetimes</tt> option.</p></div>
+<a name="INDEX-118"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dos filetimes = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Allows nonowners to change file times if they can write to the files,
+matching the behavior of MS-DOS and Windows. See also
+<tt class="literal">dos</tt> <tt class="literal">filetime</tt>
+<tt class="literal">resolution</tt>.</p></div>
+<a name="INDEX-119"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>encrypt passwords = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO in Samba 2.2, YES in Samba 3.0</p><p>If enabled, Samba will use password encryption. Requires an
+<em class="filename">smbpasswd</em> file on the Samba server.</p></div>
+<a name="INDEX-120"/><a name="INDEX-121"/><a name="INDEX-122"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>enhanced browsing = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Automatically synchronizes <a name="INDEX-121"/><a name="INDEX-122"/>browse lists with all domain master
+browsers known to the WINS server. Makes cross-subnet browsing more
+reliable, but also can cause empty workgroups to persist forever in
+browse lists.</p></div>
+<a name="INDEX-123"/><a name="INDEX-124"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>enumports command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Allows for a command to provide clients with customized
+MS-DOS/Windows <a name="INDEX-124"/>port names (e.g., PRN:) corresponding
+to printers. Samba's default behavior is to return
+<tt class="literal">Samba Printer Port</tt>. The command must return a
+series of lines, with one port name per line.</p></div>
+<a name="INDEX-125"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>exec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as the user before connecting to the share.
+Synonym for <tt class="literal">preexec</tt>. See also the
+<tt class="literal">postexec</tt>, <tt class="literal">root</tt>
+<tt class="literal">preexec</tt>, and <tt class="literal">root postexec</tt>
+options.</p></div>
+<a name="INDEX-126"/><a name="INDEX-127"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>fake directory create times = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>A bug fix for users of Microsoft
+<em class="emphasis">nmake</em><a name="INDEX-127"/>. If YES, Samba sets directory create
+times such that <em class="emphasis">nmake</em> won't
+remake all files every time.</p></div>
+<a name="INDEX-128"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>fake oplocks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, returns YES whenever a client asks if it can lock a file and
+cache it locally but does not enforce the lock on the server. Results
+in performance improvement for read-only shares. <em class="emphasis">Never use
+with read/write shares!</em> See also
+<tt class="literal">oplocks</tt> and <tt class="literal">veto</tt>
+<tt class="literal">oplock</tt> <tt class="literal">files</tt>.</p></div>
+<a name="INDEX-129"/><a name="INDEX-130"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>follow symlinks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, Samba follows <a name="INDEX-130"/>symlinks in a file share(s). See the
+<tt class="literal">wide</tt> <tt class="literal">links</tt> option if you want
+to restrict symlinks to just the current share.</p></div>
+<a name="INDEX-131"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force create mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Takes effect when a user on a Windows client creates a file that
+resides on the Samba server. This option ensures that bits set in
+this mask will always be set on the new file. Used with the
+<tt class="literal">create mask</tt> configuration option.</p></div>
+<a name="INDEX-132"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force directory mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Takes effect when a user on a Windows client creates a directory on
+the Samba server. This option ensures that bits set in the mask will
+be set on every newly created directory. Used with <tt class="literal">directory
+mask</tt>.</p></div>
+<a name="INDEX-133"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force directory security mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>:  same as <tt class="literal">force</tt>
+<tt class="literal">directory</tt> <tt class="literal">mode</tt></p><p>Takes effect when a user on a Windows client edits the Unix
+permissions of a directory on the Samba server. This option ensures
+that bits set in this mask will be set on the directory. Requires
+<tt class="literal">nt</tt> <tt class="literal">acl</tt>
+<tt class="literal">support</tt> <tt class="literal">=</tt>
+<tt class="literal">YES</tt>.</p></div>
+<a name="INDEX-134"/><a name="INDEX-135"/><a name="INDEX-136"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force group = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a Unix group name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the effective group name assigned to all users accessing a
+share. Used to override a
+<a name="INDEX-135"/><a name="INDEX-136"/>user's
+normal group memberships.</p></div>
+<a name="INDEX-137"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force security mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: same as <tt class="literal">force</tt> <tt class="literal">create</tt>
+<tt class="literal">mode</tt></p><p>Takes effect when a user on a Windows client edits the Unix
+permissions of a file on the Samba server. This option ensures that
+bits set in the mask will always be set on the file. Requires
+<tt class="literal">nt</tt> <tt class="literal">acl</tt>
+<tt class="literal">support</tt> <tt class="literal">=</tt>
+<tt class="literal">YES</tt>. See also <tt class="literal">force directory security
+mode</tt> for directories.</p></div>
+<a name="INDEX-138"/><a name="INDEX-139"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force unknown acl user = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>When set, unknown users or groups in Windows NT ACLs will be mapped
+to the user or group of the connected user. <a name="INDEX-139"/>Obsolete starting with Samba
+3.0.</p></div>
+<a name="INDEX-140"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force user = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a single username</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the effective username assigned to all users accessing a share.
+Discouraged.</p></div>
+<a name="INDEX-141"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>fstype = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NTFS, FAT, Samba</p><p><b class="emphasis-bold">Default</b>: NTFS</p><p>Sets the filesystem type reported to the client. Avoid changing.</p></div>
+<a name="INDEX-142"/><a name="INDEX-143"/><a name="INDEX-144"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>getwd cache = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Caches the current <a name="INDEX-143"/><a name="INDEX-144"/>directory for performance.
+Recommended with the <tt class="literal">wide</tt> <tt class="literal">links</tt>
+option.</p></div>
+<a name="INDEX-145"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>group = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a Unix group name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">force</tt> <tt class="literal">group</tt>.</p></div>
+<a name="INDEX-146"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>guest account = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a single username</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the name of the unprivileged Unix account to use for tasks such
+as printing and for accessing shares marked with
+<tt class="literal">guest</tt> <tt class="literal">ok</tt>. The default is
+specified at compile time and is usually set to
+<tt class="literal">nobody</tt>.</p></div>
+<a name="INDEX-147"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>guest ok = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, doesn't need passwords for this
+share. Used with <tt class="literal">security = share</tt>. Synonym for
+<tt class="literal">public</tt>.</p></div>
+<a name="INDEX-148"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>guest only = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Forces users of a share to log on as the guest account. Requires
+<tt class="literal">guest</tt> <tt class="literal">ok</tt> or
+<tt class="literal">public</tt> to be YES. Also called
+<tt class="literal">only</tt> <tt class="literal">guest</tt>.</p></div>
+<a name="INDEX-149"/><a name="INDEX-150"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide dot files = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Treats files with names beginning with a dot as if they had the
+MS-DOS <a name="INDEX-150"/>hidden
+attribute set. The files are either not displayed on a Windows client
+or appear grayed-out, depending on the settings on the client.</p></div>
+<a name="INDEX-151"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide files = slash-separated list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: patterns, separated by <tt class="literal">/</tt>
+characters</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of file or directory names on which to set the
+MS-DOS hidden attribute. Names can contain <tt class="literal">?</tt> or
+<tt class="literal">*</tt> pattern characters and <tt class="literal">%</tt>
+variables. See also <tt class="literal">hide</tt> <tt class="literal">dot</tt>
+<tt class="literal">files</tt> and <tt class="literal">veto</tt>
+<tt class="literal">files</tt>.</p></div>
+<a name="INDEX-152"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide local users = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, hides Unix-specific dummy accounts
+(<tt class="literal">root</tt>, <tt class="literal">wheel</tt>,
+<tt class="literal">floppy</tt>, etc.) from clients.</p></div>
+<a name="INDEX-153"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide unreadable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, hides all unreadable files.</p></div>
+<a name="INDEX-154"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>homedir map = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NIS map name</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Used with <tt class="literal">nis</tt> <tt class="literal">homedir</tt> to locate
+a user's Unix home directory from Sun NIS (not
+NIS+).</p></div>
+<a name="INDEX-155"/><a name="INDEX-156"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>host msdfs = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-156"/>If set to YES and Samba was
+configured with the <tt class="literal">--with-msdfs</tt> option, provides
+Microsoft Distributed filesystem (Dfs) service, allowing Dfs-capable
+clients to browse Dfs trees on the Samba server. See also
+<tt class="literal">msdfs root</tt>.</p></div>
+<a name="INDEX-157"/><a name="INDEX-158"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hosts allow = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of systems that can access the
+<a name="INDEX-158"/>share. If NULL, any system can access
+the share unless there is a <tt class="literal">hosts</tt>
+<tt class="literal">deny</tt> option. Synonym for <tt class="literal">allow</tt>
+<tt class="literal">hosts</tt>.</p></div>
+<a name="INDEX-159"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hosts deny = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of systems that cannot connect to the share. Synonym
+for <tt class="literal">deny</tt> <tt class="literal">hosts</tt>.</p></div>
+<a name="INDEX-160"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hosts equiv = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the path to a file of trusted systems from which
+passwordless logons are allowed. Strongly discouraged because Windows
+NT/2000/XP users can always override the username&mdash;the only
+security in this scheme.</p></div>
+<a name="INDEX-161"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>include = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Includes the named file in <em class="filename">smb.conf</em> at the line
+where it appears. This option accepts most variables, but not
+<tt class="literal">%u</tt> (user), <tt class="literal">%P</tt> (current
+share's <tt class="literal">root</tt> directory), or
+<tt class="literal">%S</tt> (current share's name) because
+they are not set at the time the file is read.</p></div>
+<a name="INDEX-162"/><a name="INDEX-163"/><a name="INDEX-164"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>inherit acls = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, files and subdirectories are created with the same
+<a name="INDEX-163"/>ACLs
+as their parent directories. Directories are given Unix permissions
+of 0777 (full permissions) ensuring that the ACL on the directory
+will govern the actual permissions given to clients. Requires
+<a name="INDEX-164"/>POSIX ACL
+support to be provided on the Samba host system.</p></div>
+<a name="INDEX-165"/><a name="INDEX-166"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>inherit permissions = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, files and subdirectories are created with the same
+<a name="INDEX-166"/>permissions as their parent
+directories. This allows Unix directory permissions to be propagated
+automatically to new files and subdirectories, especially in the
+<tt class="literal">[homes]</tt> share. This option overrides
+<tt class="literal">create</tt> <tt class="literal">mask</tt>,
+<tt class="literal">directory</tt> <tt class="literal">mask</tt>,
+<tt class="literal">force</tt> <tt class="literal">create</tt>
+<tt class="literal">mode</tt>, and <tt class="literal">force</tt>
+<tt class="literal">directory</tt> <tt class="literal">mode</tt>, but not
+<tt class="literal">map</tt> <tt class="literal">archive</tt>,
+<tt class="literal">map</tt> <tt class="literal">hidden</tt>, or
+<tt class="literal">map</tt> <tt class="literal">system</tt>. Samba never sets
+the <tt class="literal">setuid</tt> bit when creating a file or directory.</p></div>
+<a name="INDEX-167"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>interfaces = interface list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: interface list</p><p><b class="emphasis-bold">Default</b>: NULL (all interfaces except 127.0.0.1)</p><p>Sets the interfaces to which Samba will respond. The default is the
+system's primary interface only. Recommended on
+multihomed systems or to override erroneous addresses and netmasks.
+Allows interface names such as <tt class="literal">eth0</tt>, DNS names,
+address/netmask pairs, and broadcast/netmask pairs. See also
+<tt class="literal">bind interfaces only</tt>.</p></div>
+<a name="INDEX-168"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>invalid users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of users not permitted access to the share.</p></div>
+<a name="INDEX-169"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>keepalive = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 300</p><p>Sets the number of seconds between checks for a crashed client. The
+value of 0 causes no checks to be performed. Setting
+<tt class="literal">keepalive = 3600</tt> will turn on checks every hour. A
+value of 600 (every 10 minutes) is recommended if you want more
+frequent checks. See also <tt class="literal">socket</tt>
+<tt class="literal">options</tt> for another approach.</p></div>
+<a name="INDEX-170"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>kernel oplocks = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Breaks the oplock when a local Unix process or NFS operation accesses
+an oplocked file, thus preventing corruption. This works only on
+operating systems that support kernel-based oplocks, such as Linux
+2.4 and Irix. Avoid changing. See also <tt class="literal">oplocks</tt> and
+<tt class="literal">level2</tt> <tt class="literal">oplocks</tt>.</p></div>
+<a name="INDEX-171"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lanman auth = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, allows clients to use the (weak) LANMAN password hash
+used by Windows 95/98/Me. If set to NO, allows only the better NT1
+hash used by Windows NT/2000/XP.</p></div>
+<a name="INDEX-172"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>large readwrite = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO in Samba 2.2, YES in Samba 3.0</p><p>If set to YES, allows Windows 2000/XP to read and write 64KB at a
+time to improve performance. Requires Samba to be hosted by a 64-bit
+OS, such as Linux 2.4, Irix, or Solaris. Somewhat experimental.</p></div>
+<a name="INDEX-173"/><a name="INDEX-174"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap admin dn = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Distinguished Name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the Distinguished Name used by Samba when contacting the LDAP
+server. Requires Samba to be configured with the
+<tt class="literal">--with-ldapsam</tt> configuration option. Experimental
+option added in Samba 2.2.3 and <a name="INDEX-174"/>obsolete in Samba 3.0.</p></div>
+<a name="INDEX-175"/><a name="INDEX-176"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap filter = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: LDAP search filter</p><p><b class="emphasis-bold">Default</b>: <tt class="literal">(&amp;(uid=%u)(objectclass=sambaAccount))</tt></p><p>Sets the LDAP search filter. Requires that Samba be configured with
+the <tt class="literal">--with-ldapsam</tt> configuration option.
+Experimental option added in Samba 2.2.3 and
+<a name="INDEX-176"/>obsolete in Samba 3.0.</p></div>
+<a name="INDEX-177"/><a name="INDEX-178"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap port = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: In Samba 2.2, 636 if <tt class="literal">ldap ssl = on</tt>;
+otherwise 389</p><p>Sets the TCP port number for contacting the LDAP server. Requires
+that Samba be configured with the <tt class="literal">--with-ldapsam</tt>
+configuration option. Experimental option added in Samba 2.2.3 and
+<a name="INDEX-178"/>obsolete
+starting with Samba 3.0. See also <tt class="literal">ldap ssl</tt>.</p></div>
+<a name="INDEX-179"/><a name="INDEX-180"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap server = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: fully qualified domain name</p><p><b class="emphasis-bold">Default</b>: localhost</p><p>Sets the domain name of the LDAP server. Requires that Samba be
+configured with the <tt class="literal">--with-ldapsam</tt> configuration
+option. Experimental option added in Samba 2.2.3 and
+<a name="INDEX-180"/>obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-181"/><a name="INDEX-182"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap ssl = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: ON, OFF, START TLS</p><p><b class="emphasis-bold">Default</b>: ON</p><p>Sets whether Samba uses SSL to contact the LDAP server. ON and OFF
+turn SSL encryption on or off. The START TLS setting causes Samba to
+use LDAPv3 StartTLS extended operation. Requires that Samba be
+configured with the <tt class="literal">--with-ldapsam</tt> configuration
+option. Experimental option added in Samba 2.2.3 and
+<a name="INDEX-182"/>obsolete
+in Samba 3.0.</p></div>
+<a name="INDEX-183"/><a name="INDEX-184"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap suffix = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Distinguished Name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the base Distinguished Name to use for LDAP searches. Requires
+that Samba be configured with the <tt class="literal">--with-ldapsam</tt>
+configuration option. Experimental option added in Samba 2.2.3 and
+<a name="INDEX-184"/>obsolete in Samba 3.0.</p></div>
+<a name="INDEX-185"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>level2 oplocks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows files to be cached read-only on the client when multiple
+clients have opened the file. This allows executables to be cached
+locally, improving performance.</p></div>
+<a name="INDEX-186"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lm announce = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: AUTO, YES, NO</p><p><b class="emphasis-bold">Default</b>: AUTO</p><p>Produces OS/2 SMB broadcasts at an interval specified by the
+<tt class="literal">lm</tt> <tt class="literal">interval</tt> option. YES/NO
+turns them on/off unconditionally. AUTO causes the Samba server to
+wait for a LAN manager announcement from another client before
+sending one out. Required for OS/2 client browsing.</p></div>
+<a name="INDEX-187"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lm interval = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 60</p><p>Sets the time period, in seconds, between OS/2 SMB broadcast
+announcements.</p></div>
+<a name="INDEX-188"/><a name="INDEX-189"/><a name="INDEX-190"/><a name="INDEX-191"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>load printers = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Loads all printer names from the system's
+<em class="emphasis">printcap</em><a name="INDEX-189"/> file into the
+<a name="INDEX-190"/><a name="INDEX-191"/>browse
+list. Uses configuration options from the
+<tt class="literal">[printers]</tt> section.</p></div>
+<a name="INDEX-192"/><a name="INDEX-193"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>local master = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows Samba to participate in <a name="INDEX-193"/>elections for the local master
+browser. See also <tt class="literal">domain</tt> <tt class="literal">master</tt>
+and <tt class="literal">os</tt> <tt class="literal">level</tt>.</p></div>
+<a name="INDEX-194"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock dir = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/usr/local/samba/var/locks</em></p><p>Synonym for <tt class="literal">lock</tt> <tt class="literal">directory</tt>.</p></div>
+<a name="INDEX-195"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/usr/local/samba/var/locks</em></p><p>Sets a directory in which to keep lock files. The directory must be
+writable by Samba and readable by everyone. Also called
+<tt class="literal">lock</tt> <tt class="literal">dir</tt>.</p></div>
+<a name="INDEX-196"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock spin count = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 2</p><p>Sets the number of attempts to attain a byte range lock. See also
+<tt class="literal">lock spin time</tt>.</p></div>
+<a name="INDEX-197"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock spin time = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of microseconds</p><p><b class="emphasis-bold">Default</b>: 10</p><p>Sets the number of microseconds between attempts to attain a lock.
+See also <tt class="literal">lock</tt> <tt class="literal">spin</tt>
+<tt class="literal">count</tt>.</p></div>
+<a name="INDEX-198"/><a name="INDEX-199"/><a name="INDEX-200"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>locking = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Performs <a name="INDEX-199"/><a name="INDEX-200"/>file locking. If set to NO, Samba
+accepts lock requests but won't actually lock
+resources. Turn off for read-only filesystems.</p></div>
+<a name="INDEX-201"/><a name="INDEX-202"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>log file = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the name and location of the <a name="INDEX-202"/>log file. Allows all <tt class="literal">%</tt>
+variables.</p></div>
+<a name="INDEX-203"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>log level = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Sets the logging level used. Values of 3 or more slow the system
+noticeably. Recommended value is 1. Synonym for
+<tt class="literal">debug</tt> <tt class="literal">level</tt>.</p></div>
+<a name="INDEX-204"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon drive = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: MS-DOS drive name</p><p><b class="emphasis-bold">Default</b>: Z:</p><p>Sets the drive to be used as a home directory for domain logons by
+Windows NT/2000/XP clients. See also <tt class="literal">logon</tt>
+<tt class="literal">home</tt>.</p></div>
+<a name="INDEX-205"/><a name="INDEX-206"/><a name="INDEX-207"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon home = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">\\ %N \ %U</em></p><p>Sets the home <a name="INDEX-206"/><a name="INDEX-207"/>directory of a Windows 95/98/Me or
+NT/2000/XP user. Allows <tt class="literal">NET</tt> <tt class="literal">USE</tt>
+<tt class="literal">H:/HOME</tt> from the command prompt if Samba is acting
+as a logon server. Append <tt class="literal">\profile</tt> or other
+directory to the value of this parameter if storing Windows 95/98/Me
+profiles in a subdirectory of the user's home
+directory. See <tt class="literal">logon path</tt> for Windows NT/2000/XP
+roaming profiles.</p></div>
+<a name="INDEX-208"/><a name="INDEX-209"/><a name="INDEX-210"/><a name="INDEX-211"/><a name="INDEX-212"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon path = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">\\ %N \  %U \ profile</em></p><p>Sets the path to the directory where Windows NT/2000/XP
+<a name="INDEX-209"/><a name="INDEX-210"/><a name="INDEX-211"/><a name="INDEX-212"/>roaming profiles are stored. See
+also <tt class="literal">logon home</tt> for Windows 95/98/Me roaming
+profiles.</p></div>
+<a name="INDEX-213"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon script = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the pathname (relative to the <tt class="literal">[netlogon]</tt>
+share) of an MS-DOS/NT command to run on the client at logon time.
+Allows all <tt class="literal">%</tt> variables.</p></div>
+<a name="INDEX-214"/><a name="INDEX-215"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lppause command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command to pause a <a name="INDEX-215"/>print job.
+Honors the <tt class="literal">%p</tt> (printer name) and
+<tt class="literal">%j</tt> (job number) variables.</p></div>
+<a name="INDEX-216"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lpq cache time = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 10</p><p>Sets how long to keep print queue status cached, in seconds.</p></div>
+<a name="INDEX-217"/><a name="INDEX-218"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lpq command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to get <a name="INDEX-218"/>printer status. Usually
+initialized to a default value by the <tt class="literal">printing</tt>
+option. Honors the <tt class="literal">%p</tt> (printer name) variable.</p></div>
+<a name="INDEX-219"/><a name="INDEX-220"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lpresume command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command to resume a paused <a name="INDEX-220"/>print job.
+Honors the <tt class="literal">%p</tt> (printer name) and
+<tt class="literal">%j</tt> ( job number) variables.</p></div>
+<a name="INDEX-221"/><a name="INDEX-222"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lprm command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command to delete a <a name="INDEX-222"/>print job.
+Usually initialized to a default value by the
+<tt class="literal">printing</tt> option. Honors the <tt class="literal">%p</tt>
+(printer name) and <tt class="literal">%j</tt> (job number) variables.</p></div>
+<a name="INDEX-223"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>machine password timeout = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 604800 (1 week)</p><p>Sets the period between (NT domain) computer account password changes.</p></div>
+<a name="INDEX-224"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>magic output = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="replaceable">command</em><em class="emphasis">.out</em></p><p>Sets the output file for the <tt class="literal">magic</tt>
+<tt class="literal">scripts</tt> option. Default is the command name,
+followed by the <em class="emphasis">.out</em> extension.</p></div>
+<a name="INDEX-225"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>magic script = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a filename for execution via a shell whenever the file is closed
+from the client, allowing clients to run commands on the server. The
+scripts will be deleted on completion, if permissions allow. Use is
+discouraged.</p></div>
+<a name="INDEX-226"/><a name="INDEX-227"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangle case = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-227"/>Mangles a
+name if it is in mixed case.</p></div>
+<a name="INDEX-228"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangled map = map list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of to/from pairs</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets up a table of names to remap (e.g., <em class="emphasis">.html</em>
+to <em class="emphasis">.htm</em>).</p></div>
+<a name="INDEX-229"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangled names = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Sets Samba to abbreviate to the MS-DOS 8.3 style names that are too
+long or have unsupported characters.</p></div>
+<a name="INDEX-230"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangled stack = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 50</p><p>Sets the size of the cache of recently mangled filenames.</p></div>
+<a name="INDEX-231"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangling char = character</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: character</p><p><b class="emphasis-bold">Default</b>: ~</p><p>Sets the unique mangling character used in all mangled names.</p></div>
+<a name="INDEX-232"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangling method = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: hash, hash2</p><p><b class="emphasis-bold">Default</b>: hash</p><p>Sets the algorithm used to mangle filenames. The
+<tt class="literal">hash2</tt> method is a newer method introduced in Samba
+2.2.x, and it creates different filenames than the
+<tt class="literal">hash</tt> method.</p></div>
+<a name="INDEX-233"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map archive = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, Samba sets the executable-by-user (0100) bit on Unix files if
+the MS-DOS archive attribute is set. If used, the
+<tt class="literal">create</tt> <tt class="literal">mask</tt> must contain the
+0100 bit.</p></div>
+<a name="INDEX-234"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map hidden = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, Samba sets the executable-by-other (0001) bit on Unix files
+if the MS-DOS hidden attribute is set. If used, the <tt class="literal">create
+mask</tt> option must contain the 0001 bit.</p></div>
+<a name="INDEX-235"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map system = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, Samba sets the executable-by-group (0010) bit on Unix files
+if the MS-DOS system attribute is set. If used, the
+<tt class="literal">create</tt> <tt class="literal">mask</tt> must contain the
+0010 bit.</p></div>
+<a name="INDEX-236"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map to guest = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Never, Bad User, Bad Password</p><p><b class="emphasis-bold">Default</b>:  Never</p><p>If set to Bad User, allows users without accounts on the Samba system
+to log in and be assigned the guest account. This option can be used
+as part of making public shares for anyone to use. If set to Bad
+Password, users who mistype their passwords will be logged in to the
+guest account instead of their own. Because no warning is given, the
+Bad Password value can be extremely confusing: we recommend against
+it. The default setting of Never prevents users without accounts from
+logging in.</p></div>
+<a name="INDEX-237"/><a name="INDEX-238"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max connections = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0 (infinity)</p><p>Sets the maximum number of
+<a name="INDEX-238"/>share connections allowed from each
+client system.</p></div>
+<a name="INDEX-239"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max disk size = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: size in MB</p><p><b class="emphasis-bold">Default</b>: 0 (no limit)</p><p>Sets the maximum disk size/free-space size (in megabytes) to return
+to the client. Some clients or applications can't
+understand large maximum disk sizes.</p></div>
+<a name="INDEX-240"/><a name="INDEX-241"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max log size = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: size in KB</p><p><b class="emphasis-bold">Default</b>: 5000</p><p>Sets the size (in kilobytes) at which Samba will start a new
+<a name="INDEX-241"/>log file. The current log file will be
+renamed with a <em class="emphasis">.old</em> extension, replacing any
+existing file with that name.</p></div>
+<a name="INDEX-242"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max mux = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 50</p><p>Sets the number of simultaneous SMB operations that Samba clients can
+make. Avoid changing.</p></div>
+<a name="INDEX-243"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max open files = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 10000</p><p>Limits the number of files a Samba process will try to keep open at
+one time. Samba allows you to set this to less than the maximum
+imposed by the Unix host operating system. Avoid changing.</p></div>
+<a name="INDEX-244"/><a name="INDEX-245"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max print jobs = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 1000</p><p>Limits the number of jobs that can be in the queue for this
+<a name="INDEX-245"/>printer share at any one time. The printer
+will report <tt class="literal">out of space</tt> if the limit is exceeded.
+See also <tt class="literal">total print jobs</tt>.</p></div>
+<a name="INDEX-246"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max protocol = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: CORE, COREPLUS, LANMAN1, LANMAN2, NT1</p><p><b class="emphasis-bold">Default</b>: NT1</p><p>If set, limits the negotiation to the protocol specified, or older.
+See <tt class="literal">min protocol</tt>. Avoid using.</p></div>
+<a name="INDEX-247"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max smbd processes = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 0 (no limit)</p><p>Limits the number of users who can connect to the server. Used to
+prevent degraded service under an overload, at the cost of refusing
+services entirely.</p></div>
+<a name="INDEX-248"/><a name="INDEX-249"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max ttl = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 259200 (3 days)</p><p>Sets the <a name="INDEX-249"/>time to live (TTL) of NetBIOS names in the
+<em class="emphasis">nmbd</em> WINS cache. Avoid changing.</p></div>
+<a name="INDEX-250"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max wins ttl = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 518400 (6 days)</p><p>Limits the TTL, in seconds, of a NetBIOS name in the
+<em class="emphasis">nmbd</em> WINS cache. Avoid changing. See also
+<tt class="literal">min wins ttl</tt>.</p></div>
+<a name="INDEX-251"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max xmit = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: size in bytes</p><p><b class="emphasis-bold">Default</b>: 65535</p><p>Sets the maximum packet size negotiated by Samba. This is a tuning
+parameter for slow links and bugs in older clients. Values less than
+2048 are discouraged.</p></div>
+<a name="INDEX-252"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>message command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the command to run on the server when a WinPopup message arrives
+from a client. If it does not complete quickly, the command must end
+in <tt class="literal">&amp;</tt> to allow immediate return. Honors all
+<tt class="literal">%</tt> variables except <tt class="literal">%u</tt> (user)
+and supports the extra variables <tt class="literal">%s</tt> (filename the
+message is in), <tt class="literal">%t</tt> (destination system), and
+<tt class="literal">%f</tt> (from).</p></div>
+<a name="INDEX-253"/><a name="INDEX-254"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min passwd length = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 5</p><p><a name="INDEX-254"/>Synonym for <tt class="literal">min</tt>
+<tt class="literal">password</tt> <tt class="literal">length</tt>.</p></div>
+<a name="INDEX-255"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min password length = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 5</p><p>Sets the shortest Unix password allowed by Samba when updating a
+user's password on its system. Also called
+<tt class="literal">min</tt> <tt class="literal">passwd</tt>
+<tt class="literal">length</tt>.</p></div>
+<a name="INDEX-256"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min print space = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: space in kilobytes</p><p><b class="emphasis-bold">Default</b>: 0 (unlimited)</p><p>Sets the minimum spool space required before accepting a print
+request.</p></div>
+<a name="INDEX-257"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min protocol = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: CORE, COREPLUS, LANMAN1, LANMAN2, NT1</p><p><b class="emphasis-bold">Default</b>: CORE</p><p>If set, prevents use of old (less secure) protocols. Using NT1
+disables MS-DOS clients. See also <tt class="literal">lanman auth</tt>.</p></div>
+<a name="INDEX-258"/><a name="INDEX-259"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min wins ttl = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 21600 (6 hours)</p><p>Sets the minimum <a name="INDEX-259"/>TTL, in seconds, of a NetBIOS name in the
+<em class="emphasis">nmbd</em> WINS cache. Avoid changing.</p></div>
+<a name="INDEX-260"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>msdfs root = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Makes the share a Dfs <tt class="literal">root</tt>. Requires the
+<tt class="literal">--with-msdfs</tt> configure option. Any symbolic links
+of the form <tt class="literal">msdfs:server\share</tt> will be seen as Dfs
+links. See also <tt class="literal">host msdfs</tt>.</p></div>
+<a name="INDEX-261"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>name resolve order = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: lmhosts, wins, host, bcast</p><p><b class="emphasis-bold">Default</b>: lmhosts, host, wins, bcast</p><p>Sets the order of lookup when trying to get IP addresses from names.
+The host parameter carries out a regular name lookup using the
+server's normal sources:
+<em class="emphasis">/etc/hosts</em>, DNS, NIS, or a combination of these.</p></div>
+<a name="INDEX-262"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>netbios aliases = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of NetBIOS names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Adds additional NetBIOS names by which the Samba server will
+advertise itself.</p></div>
+<a name="INDEX-263"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>netbios name = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: local hostname</p><p><b class="emphasis-bold">Default</b>: DNS name of system</p><p>Sets the NetBIOS name by which a Samba server is known, or the
+primary name if NetBIOS aliases exist. See also <tt class="literal">netbios
+aliases</tt>.</p></div>
+<a name="INDEX-264"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>netbios scope = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: string</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the NetBIOS scope string, an early predecessor of workgroups.
+Samba will not communicate with a system with a different scope. This
+option is not recommended.</p></div>
+<a name="INDEX-265"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nis homedir = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, the <tt class="literal">homedir</tt> <tt class="literal">map</tt> is used
+to look up the server hosting the user's home
+directory and return it to the client. The client will contact that
+system to connect to the share. This avoids mounting from a system
+that doesn't actually have the directory, which
+would cause the data to be transmitted twice. The system with the
+home directories must be an SMB server.</p></div>
+<a name="INDEX-266"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>non unix account range = numeric range</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: range of positive integers</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies a range of Unix UIDs for Samba to use for user accounts and
+computer accounts that are maintained outside of
+<em class="filename">/etc/passwd</em>. The UIDs in this range must not
+overlap those of regular Unix users in
+<em class="filename">/etc/passwd</em>. See also <tt class="literal">algorithmic rid
+base</tt>. New in Samba 3.0.</p></div>
+<a name="INDEX-267"/><a name="INDEX-268"/><a name="INDEX-269"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt acl support = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Causes the Samba server to map Unix
+<a name="INDEX-268"/><a name="INDEX-269"/>permissions to Windows NT
+ACLs.</p></div>
+<a name="INDEX-270"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt pipe support = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows turning off of NT-specific pipe calls. This is a
+developer/benchmarking option and might be removed in the future.
+Avoid changing.</p></div>
+<a name="INDEX-271"/><a name="INDEX-272"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt smb support = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, allows the use of NT-specific SMBs. This is a
+developer/benchmarking option that is <a name="INDEX-272"/>obsolete in Samba 3.0. Avoid changing.</p></div>
+<a name="INDEX-273"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt status support = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, allows the use of NT-specific status messages. This is a
+developer/benchmarking option and might be removed in the future.
+Avoid changing.</p></div>
+<a name="INDEX-274"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>null passwords = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, allows access to accounts that have null passwords. Strongly
+discouraged.</p></div>
+<a name="INDEX-275"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>obey pam restrictions = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, Samba will adhere to the PAM's account and
+session restrictions. Requires <tt class="literal">--with-pam</tt>
+configuration option.</p></div>
+<a name="INDEX-276"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>only guest = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Forces users of a share to log on as the guest account. Synonym for
+<tt class="literal">guest</tt> <tt class="literal">only</tt>. Requires
+<tt class="literal">guest</tt> <tt class="literal">ok</tt> or
+<tt class="literal">public</tt> to be YES.</p></div>
+<a name="INDEX-277"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>only user = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Requires that users of the share be in the list specified by the
+<tt class="literal">user</tt> option.</p></div>
+<a name="INDEX-278"/><a name="INDEX-279"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>oplock break wait time = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p><a name="INDEX-279"/>This is an advanced tuning parameter and
+is recommended only for experts who know how Samba handles oplocks.
+This option might need to be set if a Windows system fails to release
+an oplock in response to a break request from the Samba server. Due
+to bugs on some Windows systems, they might fail to respond if Samba
+responds too quickly; the default on this option can be lengthened in
+such cases.</p></div>
+<a name="INDEX-280"/><a name="INDEX-281"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>oplock contention limit = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of milliseconds</p><p><b class="emphasis-bold">Default</b>:  2</p><p><a name="INDEX-281"/>This is an advanced tuning
+parameter and is recommended only for experts who know how Samba
+handles oplocks. It causes Samba to refuse to grant an oplock if the
+number of clients contending for a file exceeds the specified value.</p></div>
+<a name="INDEX-282"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>oplocks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, supports local caching of oplocked files on the client. This
+option is recommended because it improves performance by about 30%.
+See also <tt class="literal">fake</tt> <tt class="literal">oplocks</tt> and
+<tt class="literal">veto</tt> <tt class="literal">oplock</tt>
+<tt class="literal">files</tt>.</p></div>
+<a name="INDEX-283"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>os level = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 20</p><p>Sets the candidacy of the server when electing a browse master. Used
+with the <tt class="literal">domain</tt> <tt class="literal">master</tt> or
+<tt class="literal">local</tt> <tt class="literal">master</tt> options. You can
+set a higher value than a competing operating system if you want
+Samba to win. Windows for Workgroups and Windows 95/98/Me use 1.
+Windows NT/2000/XP, when not acting as a PDC, use 16 and, when acting
+as a PDC, use 32. Warning: this can override non-Samba browse masters
+unexpectedly.</p></div>
+<a name="INDEX-284"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>os2 driver map = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a file containing mappings of Windows NT printer driver
+names to OS/2 printer driver names.</p></div>
+<a name="INDEX-285"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>pam password change = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, and if Samba is configured with
+<tt class="literal">--with-pam</tt>, PAM is allowed to handle password
+changes from clients, instead of using the program defined by the
+<tt class="literal">passwd</tt> <tt class="literal">program</tt> parameter.</p></div>
+<a name="INDEX-286"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>panic action = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the command to run when Samba panics. Honors all
+<tt class="literal">%</tt> variables. For Samba developers and testers,
+<tt class="literal">/usr/bin/X11/xterm</tt> <tt class="literal">-display</tt>
+<tt class="literal">:0</tt> <tt class="literal">-e</tt> <tt class="literal">gdb</tt>
+<tt class="literal">/samba/bin/smbd</tt> <tt class="literal">%d</tt> is a
+possible value.</p></div>
+<a name="INDEX-287"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passdb backend = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: smbpasswd, smbpasswd_nua, tdbsam, tdbsam_nua, plugin</p><p><b class="emphasis-bold">Default</b>: smbpasswd</p><p>Specifies methods Samba uses to store and retrieve passwords when
+using a method other than the Unix system's
+<em class="filename">/etc/passwd</em>. See also <tt class="literal">non unix account
+range</tt>. New in Samba 3.0.</p></div>
+<a name="INDEX-288"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passwd chat = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: sequence of strings</p><p><b class="emphasis-bold">Default</b>: compiled-in value</p><p>Sets the chat strings used to change passwords on the server.
+Supports the variables <tt class="literal">%o</tt> (old password) and
+<tt class="literal">%n</tt> (new password) and allows the escapes
+<tt class="literal">\r</tt>, <tt class="literal">\n</tt>, <tt class="literal">\t</tt>,
+and <tt class="literal">\s</tt> (space) in the sequence. See also
+<tt class="literal">unix password sync</tt>, <tt class="literal">passwd
+program</tt>, <tt class="literal">passwd chat debug</tt>, and
+<tt class="literal">pam</tt> <tt class="literal">password change</tt>.</p></div>
+<a name="INDEX-289"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passwd chat debug = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Logs an entire password chat, including passwords passed, with a log
+level of 100. For debugging only. See also <tt class="literal">passwd
+chat</tt>, <tt class="literal">pam password change</tt>, and
+<tt class="literal">passwd program</tt>.</p></div>
+<a name="INDEX-290"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passwd program = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/bin/passwd</em></p><p>Sets the command used to change a user's password.
+Will be run as <tt class="literal">root</tt>. Supports
+<tt class="literal">%u</tt> (user). See also <tt class="literal">unix password
+sync</tt>.</p></div>
+<a name="INDEX-291"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>password level = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Specifies the number of uppercase-letter permutations used to match
+passwords. A workaround for clients that change passwords to a single
+case before sending them to the Samba server. Causes repeated login
+attempts with mixed-case passwords, which can trigger account
+lockouts. Required for Windows 95/98/Me, plain-text passwords, and
+mixed-case passwords. Try to avoid using.</p></div>
+<a name="INDEX-292"/><a name="INDEX-293"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>password server = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of NetBIOS names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of SMB servers that validate
+<a name="INDEX-293"/>passwords. Used with a Windows
+NT/2000 password server (PDC or BDC) and the
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">server</tt> or <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">domain</tt> configuration options.
+Caution: a Windows NT/2000 password server must allow logins from the
+Samba server. If set to <tt class="literal">*</tt>, Samba will look up the
+PDC by resolving the NetBIOS name WORKGROUP&lt;1C&gt;.</p></div>
+<a name="INDEX-294"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>path = directory</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the path to the directory provided by a file share or used by a
+printer share. If the option is omitted, it is set automatically in
+the <tt class="literal">[homes]</tt> share to the user's
+home directory; otherwise, defaults to<em class="filename"> /tmp</em>.
+Honors the <tt class="literal">%u</tt> (user) and <tt class="literal">%m</tt>
+(machine) variables.</p></div>
+<a name="INDEX-295"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>pid directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/var/locks</em></p><p>Sets the path to the directory where PID files are located.</p></div>
+<a name="INDEX-296"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>posix locking = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, Samba will map file locks owned by SMB clients to
+POSIX locks. Avoid changing.</p></div>
+<a name="INDEX-297"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>postexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as the user after disconnecting from the share.
+See also the <tt class="literal">preexec</tt>, <tt class="literal">root</tt>
+<tt class="literal">preexec</tt>, and <tt class="literal">root</tt>
+<tt class="literal">postexec</tt> options.</p></div>
+<a name="INDEX-298"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>postscript = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Forces a printer to recognize a file as PostScript by inserting
+<tt class="literal">%!</tt> as the first line. Works only if the printer is
+actually PostScript-compatible.</p></div>
+<a name="INDEX-299"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as the user before connecting to the share.
+Synonym for <tt class="literal">exec</tt>. See also the
+<tt class="literal">postexec</tt>, <tt class="literal">root</tt>
+<tt class="literal">preexec</tt>, and <tt class="literal">root</tt>
+<tt class="literal">postexec</tt> options.</p></div>
+<a name="INDEX-300"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preexec close = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>:  NO</p><p>If set, allows the <tt class="literal">preexec</tt> command to decide if
+the share can be accessed by the user. If the command returns a
+nonzero return code, the user is denied permission to connect.</p></div>
+<a name="INDEX-301"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preferred master = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: auto</p><p>If YES, Samba is the preferred master browser. Causes Samba to call a
+browsing election when it comes online. See also <tt class="literal">os
+level</tt>.</p></div>
+<a name="INDEX-302"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>prefered master = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: auto</p><p>Synonym for <tt class="literal">preferred master</tt>.</p></div>
+<a name="INDEX-303"/><a name="INDEX-304"/><a name="INDEX-305"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preload = service list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of shares</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of shares that always appears in
+<a name="INDEX-304"/><a name="INDEX-305"/>browse lists. Synonym for
+<tt class="literal">auto</tt> <tt class="literal">services</tt>. See also
+<tt class="literal">load printers</tt>.</p></div>
+<a name="INDEX-306"/><a name="INDEX-307"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preserve case = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p><a name="INDEX-307"/>Leaves filenames in the case
+sent by the client. If NO, it forces filenames to the case specified
+by the <tt class="literal">default</tt> <tt class="literal">case</tt> option. See
+also <tt class="literal">short</tt> <tt class="literal">preserve</tt>
+<tt class="literal">case</tt>.</p></div>
+<a name="INDEX-308"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Sets a share to be a print share. Required for all printers. Synonym
+for <tt class="literal">print</tt> <tt class="literal">ok</tt>.</p></div>
+<a name="INDEX-309"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printcap name = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/etc/printcap</em></p><p>Sets the path to the printer capabilities file used by the
+<tt class="literal">[printers]</tt> share. The default value changes to
+<em class="filename">/etc/qconfig</em> under AIX and
+<em class="filename">lpstat</em> on System V. Also called
+<tt class="literal">printcap</tt>.</p></div>
+<a name="INDEX-310"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>print command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to send a spooled file to the printer. Usually
+initialized to a default value corresponding to the
+<tt class="literal">printing</tt> option. This option honors the
+<tt class="literal">%p</tt> (printer name), <tt class="literal">%s</tt> (spool
+file), and <tt class="literal">%f</tt> (spool file as a relative path)
+variables. The command must delete the spool file.</p></div>
+<a name="INDEX-311"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: printer name</p><p><b class="emphasis-bold">Default</b>: lp</p><p>Sets the name of the Unix printer used by the share. Also called
+<tt class="literal">printer</tt> <tt class="literal">name</tt>.</p></div>
+<a name="INDEX-312"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer admin = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>:  NULL</p><p>Specifies users who can administer a printer using the remote printer
+administration interface on a Windows system. The
+<tt class="literal">root</tt> user always has these privileges.</p></div>
+<a name="INDEX-313"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer driver = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: exact printer driver string used by Windows</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the string to pass to Windows when asked which driver to use to
+prepare files for a printer share. Note that the value is
+case-sensitive. Part of pre-2.2 printing system. Deprecated.</p></div>
+<a name="INDEX-314"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer driver file = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/usr/local/samba/printers/printers.def</em></p><p>Sets the location of a <em class="emphasis">msprint.def</em> file. Usable
+by Windows 95/98/Me. Part of pre-2.2 printing system. Deprecated.</p></div>
+<a name="INDEX-315"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer driver location = directory</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">\\ server\ PRINTER$</em></p><p>Sets the location of the driver for a particular printer. The value
+is the pathname of the share that stores the printer driver files.
+Part of pre-2.2 printing system. Deprecated.</p></div>
+<a name="INDEX-316"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer name = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">printer</tt>.</p></div>
+<a name="INDEX-317"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printing = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: bsd, sysv, hpux, aix, qnx, plp, softq, lprng, cups</p><p><b class="emphasis-bold">Default</b>: bsd</p><p>Sets the printing style to a value other than that in which
+you've compiled. This sets initial values of at
+least <tt class="literal">print</tt> <tt class="literal">command</tt> ,
+<tt class="literal">lpq</tt> <tt class="literal">command</tt> , and
+<tt class="literal">lprm</tt> <tt class="literal">command</tt>.</p></div>
+<a name="INDEX-318"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>print ok = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Synonym for <tt class="literal">printable</tt>.</p></div>
+<a name="INDEX-319"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>private directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/private</em></p><p>Specifies the directory used for storing security-sensitive files
+such as <em class="filename">smbpasswd</em> and
+<em class="filename">secrets.tdb</em>. New in Samba 3.0.</p></div>
+<a name="INDEX-320"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>protocol = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NT1, LANMAN2, LANMAN1, COREPLUS, CORE</p><p><b class="emphasis-bold">Default</b>: NT1</p><p>Synonym for <tt class="literal">max protocol</tt>.</p></div>
+<a name="INDEX-321"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>public = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, passwords are not needed for this share. Also called
+<tt class="literal">guest</tt> <tt class="literal">ok</tt>.</p></div>
+<a name="INDEX-322"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>queuepause command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to pause a print queue. Usually initialized to
+a default value by the <tt class="literal">printing</tt> option.</p></div>
+<a name="INDEX-323"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>queueresume command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to resume a print queue. Usually initialized to
+a default value by the <tt class="literal">printing</tt> option.</p></div>
+<a name="INDEX-324"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read bmpx = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, supports the &quot;Read Block
+Multiplex&quot; message. Avoid changing.</p></div>
+<a name="INDEX-325"/><a name="INDEX-326"/><a name="INDEX-327"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read list = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of user and/or group names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of <a name="INDEX-326"/><a name="INDEX-327"/>users given read-only access
+to a writable share.</p></div>
+<a name="INDEX-328"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read only = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Sets a share to read-only. Antonym of <tt class="literal">writable</tt>,
+<tt class="literal">writeable</tt>, and <tt class="literal">write ok</tt>.</p></div>
+<a name="INDEX-329"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read raw = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows clients to read data using a 64K packet size. Recommended.</p></div>
+<a name="INDEX-330"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read size = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 16384</p><p>Allows disk reads and writes to overlap network reads and writes. A
+tuning parameter. Do not set larger than the default.</p></div>
+<a name="INDEX-331"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>realm = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Kerberos realm name</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies the realm name for Kerberos 5 authentication. Requires the
+<tt class="literal">--with-krb5</tt> configure option. New in Samba 3.0.</p></div>
+<a name="INDEX-332"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>remote announce = remote list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of remote addresses</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Adds workgroups to the list on which the Samba server will announce
+itself. Specified as an IP address and optional workgroup (for
+instance, 192.168.220.215/SIMPLE) with multiple entries separated by
+spaces. Addresses can be the specific address of the browse master on
+a subnet or on directed broadcasts (i.e., ###.###.###.255). The
+server will appear on those workgroups' browse
+lists. Does not require WINS.</p></div>
+<a name="INDEX-333"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>remote browse sync = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: IP addresses</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Perform browse list synchronization with other Samba local master
+browsers. Addresses can be specific addresses or directed broadcasts
+(i.e., ###.###.###.255). The latter causes Samba to locate the local
+master browser on that subnet.</p></div>
+<a name="INDEX-334"/><a name="INDEX-335"/><a name="INDEX-336"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>restrict anonymous = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-335"/><a name="INDEX-336"/>Denies access to users who do not
+supply a username. This is disabled by default because when the Samba
+server acts as the domain's PDC, the option can keep
+a client from revalidating its computer account when someone new logs
+in. Use of the option is recommended only when all clients are
+Windows NT/2000/XP systems.</p></div>
+<a name="INDEX-337"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">root</tt> <tt class="literal">directory</tt>.</p></div>
+<a name="INDEX-338"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root dir = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">root</tt> <tt class="literal">directory</tt>.</p></div>
+<a name="INDEX-339"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: /</p><p>Specifies a directory to <em class="emphasis">chroot( )</em> before
+starting daemons. Prevents any access outside that directory tree.
+See also the <tt class="literal">wide</tt> <tt class="literal">links</tt>
+configuration option. Also called <tt class="literal">root</tt> and
+<tt class="literal">root</tt> <tt class="literal">dir</tt>.</p></div>
+<a name="INDEX-340"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root postexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as <tt class="literal">root</tt> after disconnecting
+from the share. See also the <tt class="literal">preexec</tt>,
+<tt class="literal">postexec</tt>, and <tt class="literal">root</tt>
+<tt class="literal">preexec</tt> configuration options. Runs after the
+user's <tt class="literal">postexec</tt> command. Use with
+caution.</p></div>
+<a name="INDEX-341"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root preexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as <tt class="literal">root</tt> before connecting to
+the share. See also the <tt class="literal">preexec</tt>,
+<tt class="literal">postexec</tt>, and <tt class="literal">root</tt>
+<tt class="literal">postexec</tt> configuration options. Runs before the
+user's <tt class="literal">preexec</tt> command. Use with
+caution.</p></div>
+<a name="INDEX-342"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root preexec close = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>:  NO</p><p>If set, allows the <tt class="literal">root</tt> <tt class="literal">preexec</tt>
+command to decide if the share can be accessed by the user. If the
+command returns a nonzero return code, the user will be denied
+permission to connect.</p></div>
+<a name="INDEX-343"/><a name="INDEX-344"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>security = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share, user, server, domain</p><p><b class="emphasis-bold">Default</b>: user</p><p>Sets the client
+<a name="INDEX-344"/>authentication method. If
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">share</tt>, services are password-protected, available
+to everyone who knows the password. If <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">user</tt>, users have accounts and
+passwords, and are required to authenticate with the server before
+accessing services. If <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">server</tt>, users have accounts
+and passwords as with <tt class="literal">security = user</tt>, and a
+separate system authenticates them for Samba. If
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">domain</tt>, Windows NT domain authentication is
+implemented using a Windows NT/2000 or other Samba server to validate
+accounts. See also the <tt class="literal">password server</tt> and
+<tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
+configuration options.</p></div>
+<a name="INDEX-345"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>security mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>:  0777</p><p>Controls which permission bits can be changed if a user on a Windows
+NT/2000/XP system edits the Unix permissions of files on the Samba
+server using the Windows system's ACL editing dialog
+box. Any bit that is set in the mask can be changed by the user; any
+bit that is clear remains the same on the file even if the user tries
+to change it. Requires <tt class="literal">nt</tt> <tt class="literal">acl</tt>
+<tt class="literal">support</tt> <tt class="literal">=</tt>
+<tt class="literal">YES</tt>. Note that some rarely used bits map to the
+DOS system, hidden, and archive bits in the file attributes in a
+nonintuitive way.</p></div>
+<a name="INDEX-346"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>server string = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: string</p><p><b class="emphasis-bold">Default</b>: Samba <tt class="literal">%v</tt></p><p>Sets the name that corresponds to the Samba server in browse lists.
+Honors the <tt class="literal">%v</tt> (Samba version number) and
+<tt class="literal">%h</tt> (hostname) variables.</p></div>
+<a name="INDEX-347"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>set directory = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Allows the DEC Pathworks client to use the <em class="emphasis">set
+dir</em> command.</p></div>
+<a name="INDEX-348"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>share modes = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Directs Samba to support Windows-style whole-file (deny mode) locks.
+Do not change.</p></div>
+<a name="INDEX-349"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>short preserve case = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, leaves mangled 8.3-style filenames in the case sent by
+the client. If NO, forces the case to that specified by the
+<tt class="literal">default</tt> <tt class="literal">case</tt> option. See also
+<tt class="literal">preserve</tt> <tt class="literal">case</tt>.</p></div>
+<a name="INDEX-350"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>show add printer wizard = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set, tells clients that the Add Printer Wizard can be used to add
+a Samba printer from Windows NT/2000/XP clients. See also
+<tt class="literal">add printer command</tt>, <tt class="literal">delete
+printer</tt> <tt class="literal">comamnd</tt>, and <tt class="literal">printer
+admin</tt>.</p></div>
+<a name="INDEX-351"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>shutdown script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies a command that initiates a system shutdown. The command is
+run with the UID of the connected user. The <tt class="literal">%m</tt>
+(message), <tt class="literal">%t</tt> (delay time), <tt class="literal">%r</tt>
+(reboot), and <tt class="literal">%f</tt> (force) options are supported.
+See also <tt class="literal">abort shutdown script</tt>. New in Samba 3.0.</p></div>
+<a name="INDEX-352"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smb passwd file = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/private/smbpasswd</em></p><p>Overrides the compiled-in path to the encrypted password file. See
+also <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt> and
+<tt class="literal">private dir</tt>.</p></div>
+<a name="INDEX-353"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>socket address = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: IP address</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the address on which to listen for connections. Default is to
+listen to all addresses.</p></div>
+<a name="INDEX-354"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>socket options = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: socket option list</p><p><b class="emphasis-bold">Default</b>: TCP_NODELAY</p><p>Sets OS-specific socket options. SO_KEEPALIVE makes TCP check clients
+every four hours to see if they are still accessible. TCP_NODELAY
+sends even tiny packets to keep delay low. Both are recommended
+wherever the operating system supports them.</p></div>
+<a name="INDEX-355"/><a name="INDEX-356"/><a name="INDEX-357"/><a name="INDEX-358"/><a name="INDEX-359"/><a name="INDEX-360"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>source environment = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Causes Samba to read a list of <a name="INDEX-356"/>environment variables from a file upon
+startup. This can be useful when setting up Samba in a
+<a name="INDEX-357"/><a name="INDEX-358"/><a name="INDEX-359"/><a name="INDEX-360"/>clustered environment. The
+filename can begin with a &quot;|&quot;
+(pipe) character, in which case it causes Samba to run the file as a
+command to obtain the variables.</p><p>The file must be owned by <tt class="literal">root</tt> and must not be
+world-writable. If the filename begins with a
+&quot;|&quot; character, it must point to a
+command that is neither world-writable nor resides in a
+world-writable directory.</p><p>The data should be in the form of lines such as
+SAMBA_NETBIOS_NAME=<em class="replaceable">myhostname</em>. This value
+will then be available in the <em class="filename">smb.conf</em> files as
+%$SAMBA_NETBIOS_NAME.</p></div>
+<a name="INDEX-361"/><a name="INDEX-362"/><a name="INDEX-363"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>:  NO</p><p><a name="INDEX-362"/><a name="INDEX-363"/>Makes
+Samba use SSL for data exchange with some or all hosts. Requires
+<tt class="literal">--with-ssl</tt> configure option.Obsolete starting with
+Samba 3.0.</p></div>
+<a name="INDEX-364"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl CA certDir = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/certs</em></p><p>Specifies a directory containing a file for each Certification
+Authority (CA) that the Samba server trusts so that Samba can verify
+client certificates. Part of SSL support. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-365"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl CA certFile = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/certs/trustedCAs.pem</em></p><p>Specifies a file that contains information for each CA that the Samba
+server trusts so that Samba can verify client certificates. Part of
+SSL support. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-366"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl ciphers = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of ciphers</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies which ciphers should be offered during SSL negotiation. Not
+recommended. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-367"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl client cert = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/certs/smbclient.pem</em></p><p>Specifies a file containing the server's SSL
+certificate, for use by <em class="emphasis">smbclient</em> if
+certificates are required in this environment. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-368"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl client key = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/private/smbclient.pem</em></p><p>Specifies a file containing the server's private SSL
+key, for use by <em class="emphasis">smbclient</em>. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-369"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl compatibility = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Determines whether SSLeay should be configured for bug compatibility
+with other SSL implementations. Not recommended. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-370"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl hosts = host list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Requires that SSL be used with the hosts listed. By default, if the
+<tt class="literal">ssl</tt> option is set, the server requires SSL with
+all hosts. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-371"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl hosts resign = host list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Suppresses the use of SSL with the hosts listed. By default, if the
+<tt class="literal">ssl</tt> option is set, the server requires SSL with
+all hosts. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-372"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl require clientcert = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Requires clients to use certificates when SSL is in use. This option
+is recommended if SSL is used. Requires <tt class="literal">--with-ssl</tt>
+configure option. Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-373"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl require servercert = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>When SSL is in use, <em class="emphasis">smbclient</em> requires servers
+to use certificates. This option is recommended if SSL is used.
+Requires <tt class="literal">--with-ssl</tt> configure option. Obsolete
+starting with Samba 3.0.</p></div>
+<a name="INDEX-374"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl server cert = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a file containing the server's SSL
+certificate. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-375"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl server key = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a file containing the server's private SSL
+key. If no file is specified and SSL is in use, the server looks up
+its key in its server certificate. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-376"/><a name="INDEX-377"/><a name="INDEX-378"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl version = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: &quot;ssl2&quot;,
+&quot;ssl3&quot;,
+&quot;ssl2or3&quot;,
+&quot;tls1&quot;</p><p><b class="emphasis-bold">Default</b>: &quot;ssl2or3&quot;</p><p>Defines which versions of the SSL protocol the server can use:
+Version 2 only (&quot;ssl2&quot;), Version 3
+only (&quot;ssl3&quot;), Version 2 or 3
+dynamically negotiated (&quot;ssl2or3&quot;),
+or Transport Layer Security
+(&quot;tls1&quot;). Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.<a name="INDEX-377"/><a name="INDEX-378"/></p></div>
+<a name="INDEX-379"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>stat cache = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Makes the Samba server cache client names for faster resolution.
+Should not be changed.</p></div>
+<a name="INDEX-380"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>stat cache size = number </i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 50</p><p>Determines the number of client names cached for faster resolution.
+Should not be changed.</p></div>
+<a name="INDEX-381"/><a name="INDEX-382"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>status = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, logs connections to a file (or shared memory)
+accessible to <em class="filename">smbstatus</em>.
+<a name="INDEX-382"/>Obsolete
+starting with Samba 3.0.</p></div>
+<a name="INDEX-383"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strict allocate = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, allocates all disk blocks when creating or extending
+the size of files, instead of using the normal sparse file allocation
+used on Unix. This slows the server, but results in behavior that
+matches that of Windows and helps Samba correctly report
+&quot;out of quota&quot; messages.</p></div>
+<a name="INDEX-384"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strict locking = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, checks locks on every access, not just on demand and
+at open time. Not recommended.</p></div>
+<a name="INDEX-385"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strict sync = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, Samba synchronizes to disk whenever the client sets
+the sync bit in a packet. If set to NO, Samba flushes data to disk
+whenever buffers fill. Defaults to NO because Windows 98 Explorer
+sets the bit (incorrectly) in all packets.</p></div>
+<a name="INDEX-386"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strip dot = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Removes trailing dots from filenames. Dysfunctional in Samba 2.2; use
+<tt class="literal">mangled</tt> <tt class="literal">map</tt> instead.</p></div>
+<a name="INDEX-387"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>sync always = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, Samba forces the data to disk through <em class="emphasis">fsync</em>
+(3) after every write. Avoid except to debug crashing
+servers.</p></div>
+<a name="INDEX-388"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>syslog = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 1</p><p>Sets the level of Samba log messages to send to
+<em class="filename">syslog</em>. Higher is more verbose. The
+<em class="filename">syslog.conf</em> file must have suitable logging
+enabled.</p></div>
+<a name="INDEX-389"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>syslog only = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, logs only to <em class="emphasis">syslog</em> instead of
+the standard Samba log files.</p></div>
+<a name="INDEX-390"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>template homedir = path</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to directory</p><p><b class="emphasis-bold">Default</b>: /home/<tt class="literal">%D</tt>/<tt class="literal">%U</tt></p><p>Sets the home directory for Unix login sessions for users
+authenticated through winbind. <tt class="literal">%D</tt> will be replaced
+with user's domain name; <tt class="literal">%U</tt> by
+the username.</p></div>
+<a name="INDEX-391"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>template shell = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to shell</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/bin/false</em></p><p>Sets the shell for Unix login sessions for users authenticated
+through winbind. The default value prevents all Windows domain user
+logins.</p></div>
+<a name="INDEX-392"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>time offset = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of minutes</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Sets the number of minutes to add to the system time-zone
+calculation. Provided to fix a client daylight-savings bug. Not
+recommended.</p></div>
+<a name="INDEX-393"/><a name="INDEX-394"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>time server = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, <em class="emphasis">nmbd</em><a name="INDEX-394"/>
+advertises itself as a provider of SMB time service to clients. This
+option only affects whether the time service is advertised. It does
+not enable or disable time service.</p></div>
+<a name="INDEX-395"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>timestamp logs = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Synonym for <tt class="literal">debug</tt> <tt class="literal">timestamp</tt>.</p></div>
+<a name="INDEX-396"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>total print jobs = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0 (no limit)</p><p>Limits total number of current print jobs on server. See also
+<tt class="literal">max print jobs</tt>.</p></div>
+<a name="INDEX-397"/><a name="INDEX-398"/><a name="INDEX-399"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>unix extensions = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, supports
+<a name="INDEX-398"/>CIFS Unix extensions, providing
+better filesystem support for Unix clients. <a name="INDEX-399"/>Obsolete in Samba 3.0, which always
+offers support.</p></div>
+<a name="INDEX-400"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>unix password sync = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, attempts to change the user's Unix
+password whenever the user changes her SMB password. Used to ease
+synchronization of Unix and Microsoft password databases. See also
+<tt class="literal">password program</tt> and <tt class="literal">passwd</tt>
+<tt class="literal">chat</tt>.</p></div>
+<a name="INDEX-401"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>update encrypted = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Updates the encrypted password file when a user logs on with an
+unencrypted password. Provided to ease conversion from unencrypted to
+encrypted passwords.</p></div>
+<a name="INDEX-402"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use client driver = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Used for avoiding <tt class="literal">Access Denied; Unable to connect</tt>
+messages when connecting to a Samba printer from Windows NT/2000/XP
+clients. Necessary only when the client has a local printer driver
+for the Samba printer.</p></div>
+<a name="INDEX-403"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use mmap = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Tells Samba whether the <em class="emphasis">mmap( )</em> system call
+works correctly on the Samba host. Default is automatically set
+correctly. Do not change.</p></div>
+<a name="INDEX-404"/><a name="INDEX-405"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use rhosts = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, users' <em class="filename">~/.rhosts</em>
+files will be used to identify systems from which users can connect
+without providing a password. Discouraged. <a name="INDEX-405"/>Obsolete
+in Samba 3.0.</p></div>
+<a name="INDEX-406"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use sendfile = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If yes, Samba will perform some data transfers for exclusively
+oplocked files using the <em class="emphasis">sendfile( )</em> system
+call, which results in significant performance improvements. This is
+available if Samba has been configured with the
+<tt class="literal">--with-sendfile-support</tt> option. This is an
+experimental option and is new in Samba 2.2.5.</p></div>
+<a name="INDEX-407"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>user = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">username</tt>.</p></div>
+<a name="INDEX-408"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>username = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a list of users that are tried when logging on with share-level
+security in effect. Also called <tt class="literal">user</tt> or
+<tt class="literal">users</tt>. Discouraged. Use <tt class="literal">NET</tt>
+<tt class="literal">USE</tt>
+<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\</tt><em class="replaceable">share
+</em><tt class="literal">%</tt><em class="replaceable">user</em>
+from the client instead.</p></div>
+<a name="INDEX-409"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>username level = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Specifies the number of uppercase-letter permutations allowed to
+match Unix usernames. A workaround for Windows'
+single-case usernames. Use is discouraged.</p></div>
+<a name="INDEX-410"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>username map = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Names a file of Unix-to-Windows name pairs; used to map different
+spellings of account names and Windows usernames longer than eight
+characters.</p></div>
+<a name="INDEX-411"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">username</tt>.</p></div>
+<a name="INDEX-412"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>utmp = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>This is available if Samba has been configured with the
+<tt class="literal">--with-utmp</tt> option. If set, Samba adds
+<em class="emphasis">utmp</em>/<em class="emphasis">utmpx</em> records whenever
+a connection is made to a Samba server. Sites can use this option to
+record each connection to a Samba share as a system login.</p></div>
+<a name="INDEX-413"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>utmp directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>This is available if Samba has been configured with the
+<tt class="literal">--with-utmp</tt> option. If this option and
+<tt class="literal">utmp</tt> are set, Samba will look in the specified
+directory rather than the default system directory for
+<em class="filename">utmp</em>/<em class="filename">utmpx</em> files.</p></div>
+<a name="INDEX-414"/><a name="INDEX-415"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>valid chars = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of numeric values</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Adds national characters to a character set map. See also
+<tt class="literal">client</tt> <tt class="literal">code</tt>
+<tt class="literal">page</tt>. <a name="INDEX-415"/>Obsolete in Samba 3.0.</p></div>
+<a name="INDEX-416"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>valid users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL (allows everyone)</p><p>Specifies a list of users that can connect to a share. See also
+<tt class="literal">invalid users</tt>.</p></div>
+<a name="INDEX-417"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>veto files = slash-separated list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: slash-separated list of filenames</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of files that the client will not see when listing a
+directory's contents. See also
+<tt class="literal">delete</tt> <tt class="literal">veto</tt>
+<tt class="literal">files</tt> and <tt class="literal">hide files</tt>.</p></div>
+<a name="INDEX-418"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>veto oplock files = slash-separated list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: slash-separated list of filenames</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of files not to oplock (and cache on clients). See
+also <tt class="literal">oplocks</tt> and <tt class="literal">fake</tt>
+<tt class="literal">oplocks</tt>.</p></div>
+<a name="INDEX-419"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>vfs object = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to shared library</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the shared library to use for Samba's
+Virtual File System (VFS). Requires the <tt class="literal">--with-vfs</tt>
+configure option.</p></div>
+<a name="INDEX-420"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>vfs options = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: space-separated list of options</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies parameters to the VFS. Requires the
+<tt class="literal">--with-vfs</tt> configure option. See <tt class="literal">vfs
+object</tt>.</p></div>
+<a name="INDEX-421"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>volume = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the volume label of a disk share. Especially useful with shared
+CD-ROMs.</p></div>
+<a name="INDEX-422"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wide links = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set, Samba follows symlinks out of the disk share. See also the
+<tt class="literal">root</tt> <tt class="literal">dir</tt> and
+<tt class="literal">follow</tt> <tt class="literal">symlinks</tt> options.</p></div>
+<a name="INDEX-423"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind cache time = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 15</p><p>Sets the amount of time that the <em class="emphasis">winbindd</em> daemon
+caches user and group information.</p></div>
+<a name="INDEX-424"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind enum users = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES/NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to NO, enumeration of users is suppressed by winbind.
+Discouraged.</p></div>
+<a name="INDEX-425"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind enum groups = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES/NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to NO, enumeration of groups is suppressed by winbind.
+Discouraged.</p></div>
+<a name="INDEX-426"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind gid = numeric range</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer-integer</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the group ID range winbind uses for Windows NT domain users
+connecting to Samba.</p></div>
+<a name="INDEX-427"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind separator = character</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: ASCII character</p><p><b class="emphasis-bold">Default</b>: \</p><p>Specifies the character winbind uses to separate a domain name and
+username.</p></div>
+<a name="INDEX-428"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind uid = numeric range</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer-integer</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the user ID range winbind will use for Windows NT domain
+users connecting to Samba.</p></div>
+<a name="INDEX-429"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins hook = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command to run whenever the WINS server updates its
+database. Allows WINS to be synchronized with DNS or other services.
+The command is passed one of the arguments <tt class="literal">add</tt>,
+<tt class="literal">delete</tt>, or <tt class="literal">refresh</tt>, followed by
+the NetBIOS name, the name type (two hexadecimal digits), the TTL in
+seconds, and the IP addresses corresponding to the NetBIOS name.
+Requires <tt class="literal">wins</tt> <tt class="literal">service</tt>
+<tt class="literal">=</tt> <tt class="literal">YES</tt>.</p></div>
+<a name="INDEX-430"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins proxy = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, <em class="emphasis">nmbd</em> proxies resolution requests
+to WINS servers on behalf of old clients, which use broadcasts. The
+WINS server is typically on another subnet.</p></div>
+<a name="INDEX-431"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins server = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: hostname or IP address</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the DNS name or IP address of the WINS server.</p></div>
+<a name="INDEX-432"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins support = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, activates the WINS service. The
+<tt class="literal">wins</tt> <tt class="literal">server</tt> option must not be
+set if <tt class="literal">wins</tt> <tt class="literal">support</tt>
+<tt class="literal">=</tt> <tt class="literal">YES</tt>.</p></div>
+<a name="INDEX-433"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>workgroup = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: workgroup name</p><p><b class="emphasis-bold">Default</b>: compiled-in</p><p>Sets the workgroup or domain to which the Samba server belongs.
+Overrides the compiled-in default of WORKGROUP. Choosing a name other
+than WORKGROUP is highly recommended.</p></div>
+<a name="INDEX-434"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>writable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Antonym for <tt class="literal">read</tt> <tt class="literal">only</tt>;
+<tt class="literal">writeable</tt> and <tt class="literal">write</tt>
+<tt class="literal">ok</tt> are synonyms.</p></div>
+<a name="INDEX-435"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>writeable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Antonym for <tt class="literal">read</tt> <tt class="literal">only</tt>;
+<tt class="literal">writable</tt> and <tt class="literal">write</tt>
+<tt class="literal">ok</tt> are synonyms.</p></div>
+<a name="INDEX-436"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write cache size = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: decimal number of bytes</p><p><b class="emphasis-bold">Default</b>: 0 (disabled)</p><p>Allocates a write buffer of the specified size in which Samba
+accumulates data before a write to disk. This option can be used to
+ensure that each write has the optimal size for a given filesystem.
+It is typically used with RAID drives, which have a preferred write
+size, and with systems that have large memory and slow disks.</p></div>
+<a name="INDEX-437"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write list = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of users that are given read/write access to a
+read-only share. See also <tt class="literal">read</tt>
+<tt class="literal">list</tt>.</p></div>
+<a name="INDEX-438"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write ok = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Synonym for <tt class="literal">writable</tt>.</p></div>
+<a name="INDEX-439"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write raw = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows fast-streaming writes over TCP using 64KB buffers. Recommended.</p></div>
+
+
+
+<div class="sect1"><a name="samba2-APP-B-SECT-2"/>
+
+<h2 class="head1">Glossary of Configuration Value Types</h2>
+
+<dl>
+<dt><b><a name="INDEX-440"/><em class="emphasis">boolean</em></b></dt>
+<dd>
+<p>One of two values, either YES or NO.</p>
+</dd>
+
+
+
+<dt><b>character</b></dt>
+<dd>
+<p>A single ASCII character.</p>
+</dd>
+
+
+
+<dt><b>command</b></dt>
+<dd>
+<p>A Unix script or compiled program, with an absolute path specified
+for the executable and parameters.</p>
+</dd>
+
+
+
+<dt><b>directory</b></dt>
+<dd>
+<p>An absolute path specification to a directory. For example:</p>
+
+<blockquote><pre class="code">/usr/local/samba/lib</pre></blockquote>
+</dd>
+
+</dl>
+
+<dl>
+<dt><b>filename</b></dt>
+<dd>
+<p>An absolute path specification to a file. For example:</p>
+
+<blockquote><pre class="code">/etc/printcap</pre></blockquote>
+</dd>
+
+
+<dt><b>host list</b></dt>
+<dd>
+<p>A list of hosts. Allows IP addresses, address masks, domain names,
+ALL, and EXCEPT.</p>
+</dd>
+
+
+
+<dt><b>interface list</b></dt>
+<dd>
+<p>A list of interfaces, in either address/netmask or address/n-bits
+format. For example:</p>
+
+
+<blockquote><pre class="code">192.168.2.10/255.255.255.0, 192.168.2.10/24</pre></blockquote>
+</dd>
+
+
+<dt><b>map list</b></dt>
+<dd>
+<p>A list of filename remapping strings such as
+<tt class="literal">(*.html</tt> <tt class="literal">*.htm)</tt>.</p>
+</dd>
+
+
+
+<dt><b>name</b></dt>
+<dd>
+<p>A single name of a type of object, as specified in the
+option's description.</p>
+</dd>
+
+
+
+<dt><b>number</b></dt>
+<dd>
+<p>A positive integer.</p>
+</dd>
+
+
+
+<dt><b>numeric range</b></dt>
+<dd>
+<p>Two numbers separated by a dash, specifying a minimum and a maximum
+value. For example:</p>
+
+
+<blockquote><pre class="code">100-250</pre></blockquote>
+</dd>
+
+
+<dt><b>remote list</b></dt>
+<dd>
+<p>A list of subnet-broadcast-address/workgroup pairs. For example:</p>
+
+<blockquote><pre class="code">192.168.2.255/SERVERS 192.168.4.255/STAFF</pre></blockquote>
+</dd>
+
+
+<dt><b>service (share) list</b></dt>
+<dd>
+<p>A list of service (share) names, without the enclosing parentheses.</p>
+</dd>
+
+
+
+<dt><b>slash-separated list</b></dt>
+<dd>
+<p>A list of filenames, separated by
+&quot;/&quot; characters to allow embedded
+spaces. For example:</p>
+
+
+<blockquote><pre class="code">/.*/My Documents/*.doc/</pre></blockquote>
+</dd>
+
+
+<dt><b>string</b></dt>
+<dd>
+<p>One line of arbitrary text.</p>
+</dd>
+
+
+
+<dt><b>user list</b></dt>
+<dd>
+<p>A list of usernames and/or group names.
+<tt class="literal">@</tt><em class="replaceable">group_name</em> includes
+whomever is in the NIS netgroup
+<em class="replaceable">group_name</em>, if one exists, or otherwise
+whomever is in the Unix group <em class="replaceable">group_name</em>.
+In addition,
+<tt class="literal">+</tt><em class="replaceable">group_name</em> is a Unix
+group, <tt class="literal">&amp;</tt><em class="replaceable">group_name</em>
+is an NIS netgroup, and <tt class="literal">&amp;+</tt> and
+<tt class="literal">+&amp;</tt> cause an ordered search of both Unix and
+NIS groups.</p>
+</dd>
+
+
+
+<dt><b>value</b></dt>
+<dd>
+<p>A value of some miscellaneous type, as specified in the
+option's description.<a name="INDEX-441"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-APP-B-SECT-3"/>
+
+<h2 class="head1">Configuration File Variables</h2>
+
+<p><a href="appb.html#samba2-APP-B-TABLE-1">Table B-1</a> lists the Samba configuration file
+variables.</p>
+
+<a name="samba2-APP-B-TABLE-1"/><h4 class="head4">Table B-1. Configuration file variables</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Name</p>
+</th>
+<th>
+<p>Meaning</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">%a</tt></p>
+</td>
+<td>
+<p>Client's architecture (Samba, WfWg, WinNT, Win95, or
+UNKNOWN)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%d</tt></p>
+</td>
+<td>
+<p>Current server process's process ID</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%D</tt></p>
+</td>
+<td>
+<p>User's Windows NT Domain</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%f</tt></p>
+</td>
+<td>
+<p>Printer spool file as a relative path (printing only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%f</tt></p>
+</td>
+<td>
+<p>User from which a message was sent (messages only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%G</tt></p>
+</td>
+<td>
+<p>Primary group name of <tt class="literal">%U</tt> (requested username)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%g</tt></p>
+</td>
+<td>
+<p>Primary group name of <tt class="literal">%u</tt> (actual username)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%H</tt></p>
+</td>
+<td>
+<p>Home directory of <tt class="literal">%u</tt> (actual username)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%h</tt></p>
+</td>
+<td>
+<p>Samba server's (Internet) hostname</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%I</tt></p>
+</td>
+<td>
+<p>Client's IP address</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%j</tt></p>
+</td>
+<td>
+<p>Print job number (printing only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%L</tt></p>
+</td>
+<td>
+<p>Samba server's NetBIOS name (virtual servers have
+multiple names)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%M</tt></p>
+</td>
+<td>
+<p>Client's (Internet) hostname</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%m</tt></p>
+</td>
+<td>
+<p>Client's NetBIOS name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%N</tt></p>
+</td>
+<td>
+<p>Name of the NIS home directory server (without NIS, same as
+<tt class="literal">%L</tt>)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%n</tt></p>
+</td>
+<td>
+<p>New password (password change only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%o</tt></p>
+</td>
+<td>
+<p>Old password (password change only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%P</tt></p>
+</td>
+<td>
+<p>Current share's root directory (actual)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%p</tt></p>
+</td>
+<td>
+<p>Current share's root directory (in an NIS homedir
+map)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%p</tt></p>
+</td>
+<td>
+<p>Print filename (printing only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%R</tt></p>
+</td>
+<td>
+<p>Protocol level in use (CORE, COREPLUS, LANMAN1, LANMAN2, or NT1)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%S</tt></p>
+</td>
+<td>
+<p>Current share's name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%s</tt></p>
+</td>
+<td>
+<p>Name of the file in which the message resides (messages only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%s</tt></p>
+</td>
+<td>
+<p>Printer spool filename (printing only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%T</tt></p>
+</td>
+<td>
+<p>Current date and time</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%t</tt></p>
+</td>
+<td>
+<p>Destination system (messages only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%U</tt></p>
+</td>
+<td>
+<p>Requested username for current share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%u</tt></p>
+</td>
+<td>
+<p>Current share's username</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%v</tt></p>
+</td>
+<td>
+<p>Samba version</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>%$<em class="replaceable">name</em></p>
+</td>
+<td>
+<p>Value of environment variable <em class="replaceable">name</em></p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+
+</body></html>
diff --git a/docs/htmldocs/using_samba/appc.html b/docs/htmldocs/using_samba/appc.html
new file mode 100644
index 0000000000..22ec5a5115
--- /dev/null
+++ b/docs/htmldocs/using_samba/appc.html
@@ -0,0 +1,4534 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix C. Summary of Samba Daemons and Commands</h1>
+
+
+<p>This appendix is a reference listing of command-line options and
+other information to help you use the programs that come with the
+Samba distribution.</p>
+
+
+
+<div class="sect1"><a name="samba2-APP-C-SECT-1"/>
+
+<h2 class="head1">Samba Daemons</h2>
+
+<p>The following sections provide information about the command-line
+parameters for <em class="emphasis">smbd</em>, <em class="emphasis">nmbd</em>,
+and <em class="emphasis">winbindd</em>.</p>
+
+</div>
+
+
+<a name="INDEX-1"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbd</em> program provides
+Samba's file and printer services, using one TCP/IP
+stream and one daemon per client. It is controlled from
+<em class="filename">/usr/local/samba/lib/smb.conf</em>, the default
+configuration file, which can be overridden by command-line options.</p><p>The configuration file is automatically reevaluated every minute. If
+it has changed, most new options are immediately effective. You can
+force Samba to reload the configuration file immediately by sending a
+SIGHUP signal to <em class="emphasis">smbd</em>. Reloading the
+configuration file does not affect any clients that are already
+connected. To escape this condition, a client would need to
+disconnect and reconnect, or the server itself would have to be
+restarted, forcing all clients to reconnect.</p>
+<div class="sect1"><a name="appc-5-fm2xml"/>
+
+<h4 class="refsect1">Other Signals</h4>
+<p>To shut down an <em class="emphasis">smbd</em> process, send it the
+termination signal SIGTERM (15), which allows it to die gracefully,
+instead of a SIGKILL (9). With Samba versions prior to 2.2, the
+debugging level could be raised or lowered using SIGUSR1 or SIGUSR2.
+This is no longer supported. Use <em class="emphasis">smbcontrol</em>
+instead.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-6-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbd <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-7-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt></b></dt>
+<dd>
+<p>Causes each new connection to the Samba server to append all logging
+messages to the log file. This option is the opposite of
+<tt class="literal">-o</tt> and is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt></b></dt>
+<dd>
+<p>Runs the <em class="emphasis">smbd</em> program as a daemon. This is the
+recommended way to use <em class="emphasis">smbd</em>. It is also the
+default action when <em class="emphasis">smbd</em> is run from an
+interactive command line. In addition, <em class="emphasis">smbd</em> can
+be run from <em class="emphasis">inetd</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Specifying the value on the command line overrides the
+value specified in the <em class="filename">smb.conf</em> file. Debug
+level 0 logs only the most important messages; level 1 is normal;
+levels 3 and above are primarily for debugging and slow
+<em class="emphasis">smbd</em> considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt> </b></dt>
+<dd>
+<p>Prints usage information for the <em class="emphasis">smbd</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Runs <em class="emphasis">smbd</em> interactively, rather than as a
+daemon. This option is used to override the default daemon mode when
+<em class="emphasis">smbd</em> is run from the command line.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_ directory</em></b></dt>
+<dd>
+<p>Sends the log messages to somewhere other than the location compiled
+into the executable or specified in the <em class="filename">smb.conf</em>
+file. The default is often
+<em class="filename">/usr/local/samba/var/</em>,
+<em class="filename">/usr/samba/var/</em>, or
+<em class="filename">/var/log/</em>. The log file is placed in the
+specified directory and named <em class="filename">log.smbd</em>. If the
+directory does not exist, Samba's compiled-in
+default will be used.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-O</tt> <em class="replaceable">socket_options</em></b></dt>
+<dd>
+<p>Sets the TCP/IP socket options, using the same parameters as the
+<tt class="literal">socket options</tt> configuration option. Often used
+for performance tuning and testing.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-o</tt></b></dt>
+<dd>
+<p>Causes log files to be overwritten when opened (the opposite of
+<tt class="literal">-a</tt>). Using this option saves you from hunting for
+the right log entries if you are performing a series of tests and
+inspecting the log file each time.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">port_number</em></b></dt>
+<dd>
+<p>Sets the TCP/IP port number from which the server will accept
+requests. All Microsoft clients send to the default port of 139,
+except for Windows 2000/XP, which can use port 445 for SMB
+networking, without the NetBIOS protocol layer.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-P</tt></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbd</em> to run in
+&quot;passive&quot; mode, in which it just
+listens, and does not transmit any network traffic. This is useful
+only for debugging by developers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">configuration_ file</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file. Although the
+file defaults to <em class="filename">/usr/local/samba/lib/smb.conf</em>,
+you can override it on the command line. Typically used for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Prints the current version of Samba.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-2"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nmbd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">nmbd</em> program is Samba's
+NetBIOS name service and browsing daemon. It replies to NetBIOS over
+TCP/IP (also called NetBT or NBT) name-service requests broadcast
+from SMB clients, and optionally to Microsoft's
+Windows Internet Name Service (WINS) requests. Both are versions of
+the name-to-address lookup required by SMB clients. The broadcast
+version uses UDP broadcast on the local subnet only, while WINS uses
+TCP, which can be routed. If running as a WINS server,
+<em class="emphasis">nmbd</em> keeps a current name and address database
+in the file <em class="filename">/usr/local/samba/var/locks/wins.dat</em>.</p><p>An active <em class="emphasis">nmbd</em> daemon also responds to browsing
+protocol requests used by the Windows Network Neighborhood. This
+protocol provides a dynamic directory of servers, as well as the
+disks and printers that the servers are providing. As with WINS, this
+was initially done by making UDP broadcasts on the local subnet. With
+the addition of the local master browser to the network architecture,
+it is done by making TCP connections to a server. If
+<em class="emphasis">nmbd</em> is acting as a local master browser, it
+stores the browsing database in the file
+<em class="filename">/usr/local/samba/var/locks/browse.dat</em>.</p><p>Some clients (especially older ones) cannot use the WINS protocol. To
+support these clients, <em class="emphasis">nmbd</em> can act as a WINS
+proxy, accepting broadcast requests from the non-WINS clients,
+contacting a WINS server on their behalf, and returning the WINS
+server's response to them.</p>
+<div class="sect1"><a name="appc-9-fm2xml"/>
+
+<h4 class="refsect1">Signals</h4>
+<p>Like <em class="emphasis">smbd</em>, the <em class="emphasis">nmbd</em> program
+responds to several Unix signals. Sending <em class="emphasis">nmbd</em> a
+SIGHUP signal causes it to dump the names it knows about to the
+<em class="filename">/usr/local/samba/var/locks/namelist.debug</em> file.
+To shut down an <em class="emphasis">nmbd</em> process and allow it to die
+gracefully, send it a SIGTERM (15) signal, rather than a SIGKILL (9).
+With Samba versions prior to 2.2, the debugging level could be raised
+or lowered using SIGUSR1 or SIGUSR2. This is no longer supported. Use
+<em class="emphasis">smbcontrol</em> instead.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-10-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">nmbd <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-11-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt></b></dt>
+<dd>
+<p>Causes each new connection to the Samba server to append all logging
+messages to the log file. This option is the opposite of
+<tt class="literal">-o</tt> and is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Specifying the value on the command line overrides the
+value specified in the <em class="filename">smb.conf</em> file. Debug
+level 0 logs only the most important messages; level 1 is normal;
+levels 3 and above are primarily for debugging and slow
+<em class="emphasis">nmbd</em> considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt></b></dt>
+<dd>
+<p>Instructs the <em class="emphasis">nmbd</em> program to run as a daemon.
+This is the recommended way to use <em class="emphasis">nmbd</em> and is
+the default when <em class="emphasis">nmbd</em> is run from an interactive
+shell. In addition, <em class="emphasis">nmbd</em> can be run from
+<em class="emphasis">inetd</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt> </b></dt>
+<dd>
+<p>Prints usage information for the <em class="emphasis">nmbd</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-H</tt> <em class="replaceable">lmhosts_  file</em></b></dt>
+<dd>
+<p>Specifies the location of the <em class="emphasis">lmhosts</em> file for
+name resolution. This file is used only to resolve names for the
+local server, and not to answer queries from remote systems. The
+compiled-in default is commonly
+<em class="filename">/usr/local/samba/lib/lmhosts</em>,
+<em class="filename">/usr/samba/lib/lmhosts</em>, or
+<em class="filename">/etc/lmhosts</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Runs <em class="emphasis">nmbd</em> interactively, rather than as a
+daemon. This option is used to override the default daemon mode when
+<em class="emphasis">nmbd</em> is run from the command line.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_ file</em></b></dt>
+<dd>
+<p>Sends the log messages to somewhere other than the location compiled
+into the executable or specified in the <em class="filename">smb.conf</em>
+file. The default is often
+<em class="filename">/usr/local/samba/var/log.nmbd</em>,
+<em class="emphasis">/usr/samba/var/log.nmbd</em>, or <em class="emphasis">/var/log
+/log.nmbd</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Allows you to override the NetBIOS name by which the daemon
+advertises itself. Specifying this option on the command line
+overrides the <tt class="literal">netbios name</tt> option in the Samba
+configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-O</tt> <em class="replaceable">socket_options</em></b></dt>
+<dd>
+<p>Sets the TCP/IP socket options, using the same parameters as the
+<tt class="literal">socket options</tt> configuration option. Often used
+for performance tuning and testing.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-o</tt></b></dt>
+<dd>
+<p>Causes log files to be overwritten when opened (the opposite of
+<tt class="literal">-a</tt>). This option saves you from hunting for the
+right log entries if you are performing a series of tests and
+inspecting the log file each time.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">port_number</em></b></dt>
+<dd>
+<p>Sets the UDP port number from which the server accepts requests.
+Currently, all Microsoft clients use only the default port, 137.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">configuration_ file</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file. Although the
+file defaults to <em class="filename">/usr/local/samba/lib/smb.conf</em>,
+you can override it here on the command line. Typically used for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Prints the current version of Samba.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-3"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbindd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">winbindd</em> daemon is part of the winbind
+service and is used to allow Unix systems to obtain user and group
+information from a Windows NT/2000 server. Winbind maps Windows
+relative IDs (RIDs) to Unix UIDs and GIDs and allows accounts stored
+on the Windows server to be used for Unix authentication. Its purpose
+is to ease integration of Microsoft and Unix networks when a
+preexisting Windows domain controller is set up to handle user and
+computer accounts.</p><p>The daemon is accessed by users via the name service switch and PAM.
+The name service switch calls a library
+(<em class="filename">/lib/libnss_winbind.so</em>), which calls the
+daemon, which in turn calls the Windows NT/2000 server using
+Microsoft RPC. The PAM module for winbind can call the daemon
+similarly, allowing users whose accounts are stored on the Windows
+server to log in to the Unix system and run an interactive shell,
+FTP, or any other program that authenticates users through PAM.</p><p>The winbind subsystem is currently available only for the Linux
+operating system and a few other systems that use shared libraries,
+nsswitch and PAM.</p>
+<div class="sect1"><a name="appc-13-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">winbindd <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-14-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debuglevel</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Specifying the value on the command line overrides the
+value specified in the <em class="filename">smb.conf</em> file. Debug
+level 0 logs only the most important messages; level 1 is normal;
+levels 3 and above are primarily for debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Runs <em class="emphasis">winbindd</em> interactively. This option is used
+to override the default, which is for winbindd to detach and run as a
+daemon.</p>
+</dd>
+
+</dl>
+
+</div>
+</div>
+
+
+
+
+
+<div class="sect1"><a name="samba2-APP-C-SECT-2"/>
+
+<h2 class="head1">Samba Distribution Programs</h2>
+
+<p>This section lists the command-line options and subcommands provided
+by each nondaemon program in the Samba distribution.</p>
+
+</div>
+
+
+
+<a name="INDEX-4"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>findsmb</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This Perl script reports information about systems on the subnet that
+respond to SMB name-query requests. The report includes the IP
+address, NetBIOS name, workgroup/domain, and operating system of each
+system.</p>
+<div class="sect1"><a name="appc-17-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">findsmb <em class="replaceable">[subnet_broadcast_address]</em></pre></blockquote>
+<p>If a different subnet's broadcast address is
+provided, it will find SMB servers on that subnet. If no subnet
+broadcast address is supplied, <em class="emphasis">findsmb</em> will look
+on the local subnet.</p>
+
+<p>The output from <em class="emphasis">findsmb</em> looks like this:</p>
+<blockquote><pre class="code">$ <tt class="userinput"><b>findsmb</b></tt>
+                                *=DMB
+                                +=LMB
+IP ADDR         NETBIOS NAME     WORKGROUP/OS/VERSION
+---------------------------------------------------------------------
+172.16.1.1      TOLTEC         *[METRAN] [Unix] [Samba 2.2.6]
+172.16.1.3      MIXTEC         +[METRAN] [Unix] [Samba 2.2.6]
+172.16.1.4      ZAPOTEC         [METRAN] [Windows 5.0] [Windows 2000 LAN Manager]
+172.16.1.5      HUASTEC         [       METRAN        ]
+172.16.1.6      MAYA            [       METRAN        ]
+172.16.1.7      OLMEC           [METRAN] [Windows 5.1] [Windows 2000 LAN Manager]
+172.16.1.10     UTE             [       METRAN        ]
+172.16.1.13     DINE            [METRAN] [Windows NT 4.0] [NT LAN Manager 4.0]</pre></blockquote>
+<p>The system with an asterisk (<tt class="literal">*</tt>) in front of its
+workgroup name is the domain master browser for the workgroup/domain,
+and the system with a plus sign (+) preceding its workgroup name is
+the local master browser.</p>
+
+<p>The <em class="emphasis">findsmb</em> command was introduced during the
+development of Samba 2.2 and is installed by default in Samba
+Versions 2.2.5 and later.</p>
+
+</div>
+</div>
+
+<a name="INDEX-5"/><a name="INDEX-6"/><a name="INDEX-7"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>make_smbcodepage</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program is part of the
+<a name="INDEX-6"/>internationalization features of
+Samba 2.2 and is obsolete in Samba 3.0, which supports
+<a name="INDEX-7"/>Unicode
+automatically. The <em class="emphasis">make_smbcodepage</em> program
+compiles a binary codepage file from a text-format codepage
+definition. It can also perform the reverse operation, decompiling a
+binary codepage file into a text version. Examples of text-format
+codepage files can be found in the Samba distribution in the
+<em class="filename">source/codepages</em> directory. After Samba has been
+installed, examples of binary codepages can be found in the directory
+<em class="filename">/usr/local/samba/lib/codepages</em>.</p>
+<div class="sect1"><a name="appc-19-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">make_smbcodepage <em class="replaceable">c|d codepage_number input_file output_file</em></pre></blockquote>
+<p>For the first argument, use <tt class="literal">c</tt> to compile a
+codepage and <tt class="literal">d</tt> to decompile a codepage file. The
+<em class="replaceable">codepage_number</em> argument is the number of
+the codepage being processed (e.g., 850). The
+<em class="replaceable">input_file</em> and
+<em class="replaceable">output_file</em> are the text- and
+binary-format codepages, with the types dependent on the operation
+(compiling or decompiling) that is being performed.</p>
+
+</div>
+</div>
+
+<a name="INDEX-8"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>make_unicodemap</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program is part of the internationalization features of Samba
+2.2 and is obsolete in Samba 3.0, which supports Unicode
+automatically. The <em class="emphasis">make_unicodemap</em> command
+compiles binary Unicode maps from text files, so Samba can display
+non-ASCII characters in file and directory names via the Unicode
+international alphabets. Examples of input mapping files can be found
+in the directory <em class="filename">source/codepages</em> in the Samba
+source distribution.</p>
+<div class="sect1"><a name="appc-21-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">make_unicodemap <em class="replaceable">codepage_number inputfile outputfile</em></pre></blockquote>
+<p>The input file is an ASCII map; the output file is a binary file
+loadable by Samba. The codepage is the number of the DOS codepage
+(e.g., 850) for the map.</p>
+
+</div>
+</div>
+
+<a name="INDEX-9"/><a name="INDEX-10"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>net</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">net</em> command, new to Samba 3.0, is a program
+with a syntax similar to the MS-DOS/Windows command of the same name.
+It is used for performing various administrative functions related to
+Windows networking, which can be executed either locally or on a
+remote system.</p>
+<div class="sect1"><a name="appc-23-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">net <em class="replaceable">[method] function [misc_options] [target_options]</em></pre></blockquote>
+<p>The <em class="replaceable">function</em> argument is made up of one or
+more space-separated words. In Windows terminology, it is sometimes
+referred to as a function with options. Here we list every function
+in its complete form, including multiple words.</p>
+
+<p>By default, the action is performed on the local system. The
+<em class="replaceable">target_options</em> argument can be used to
+specify a remote system (either by hostname or IP address), a domain,
+or a workgroup.</p>
+
+<p>Depending on the function, the <em class="replaceable">method</em>
+argument can be optional, required, or disallowed. It specifies one
+of three methods for performing the operation specified by the rest
+of the command. It can be <tt class="literal">ads</tt> (Active Directory),
+<tt class="literal">rpc</tt> (Microsoft's DCE/RPC), or
+<tt class="literal">rap</tt> (Microsoft's original SMB
+remote procedure call). To determine which methods (if any) can be
+used with a function, the <tt class="literal">net help ads</tt>,
+<tt class="literal">net help rap</tt>, and <tt class="literal">net help rpc</tt>
+commands can be used to list the functions for each method.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-24-fm2xml"/>
+
+<h4 class="refsect1">Miscellaneous options</h4>
+
+<dl>
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">level</em></b></dt>
+<dt><b><tt class="literal">--debug=l</tt><em class="replaceable">evel</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt></b></dt>
+<dt><b><tt class="literal">--long</tt></b></dt>
+<dd>
+<p><tt class="literal">S</tt>pecifies the long listing mode. This is provided
+for functions that print informational listings.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">name</em></b></dt>
+<dt><b><tt class="literal">--myname</tt><em class="emphasis">=</em><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Specifies the NetBIOS name for the client.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">port</em></b></dt>
+<dt><b><tt class="literal">--port</tt><em class="emphasis">=</em><em class="replaceable">port</em></b></dt>
+<dd>
+<p>Specifies the port number to use.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dt><b><tt class="literal">--conf</tt><em class="emphasis">=</em><em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the name of the Samba configuration file, overriding the
+compiled-in default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
+<dt><b><tt class="literal">--user</tt><em class="emphasis">=</em><em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
+<dd>
+<p>Specifies the username and, optionally, the password to use for
+functions that require authentication.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-W</tt> <em class="replaceable">name</em></b></dt>
+<dt><b><tt class="literal">--myworkgroup</tt>=<em class="replaceable">name</em></b></dt>
+<dd>
+<p>Specifies the name of the client's workgroup,
+overriding the definition of the <tt class="literal">workgroup</tt>
+parameter in the Samba configuration file.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-25-fm2xml"/>
+
+<h4 class="refsect1">Target options</h4>
+
+<dl>
+<dt><b><tt class="literal">-S</tt> <em class="replaceable">hostname</em></b></dt>
+<dd>
+<p>Specifies the remote system using a hostname or NetBIOS name.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-I</tt> <em class="replaceable">ip_address</em></b></dt>
+<dd>
+<p>Specifies the remote system using its IP address.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-w</tt> <em class="replaceable">workgroup</em></b></dt>
+<dd>
+<p>Specifies the name of the target domain or workgroup.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-26-fm2xml"/>
+
+<h4 class="refsect1">Functions</h4>
+
+<dl>
+<dt><b><tt class="literal">abortshutdown</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc</tt> <tt class="literal">abortshutdown</tt>
+function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads</tt> <tt class="literal">info</tt></b></dt>
+<dd>
+<p>Prints information about the Active Directory server. The method
+(<tt class="literal">ads</tt>) must be specified to differentiate this
+function from the <tt class="literal">rpc info</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads</tt> <tt class="literal">join</tt> <em class="replaceable">OU</em></b></dt>
+<dd>
+<p>Joins the local system to the Active Directory realm (organizational
+unit) specified by OU. The method (<tt class="literal">ads</tt>) must be
+specified to differentiate this function from the <tt class="literal">rpc
+join</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads</tt> <tt class="literal">leave</tt></b></dt>
+<dd>
+<p>Removes the local system from the Active Directory realm.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads password</tt> <em class="replaceable">username</em><tt class="literal">@</tt><em class="replaceable">REALM</em> <tt class="literal">-U</tt><em class="replaceable">admin_username</em><tt class="literal">@</tt><em class="replaceable">REALM</em><tt class="literal">%admin_</tt><em class="replaceable">password</em></b></dt>
+<dd>
+<p>Changes the Active Directory password for the user specified by
+<em class="replaceable">username</em><tt class="literal">@</tt><em class="replaceable">REALM</em>.
+The administrative account authentication information is specified
+with the <tt class="literal">-U</tt> option. The Active Directory realm
+must be supplied in all uppercase.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads printer info</tt> <em class="replaceable">[printer] [server]</em></b></dt>
+<dd>
+<p>Prints information on the specified printer on the specified server.
+The <em class="replaceable">printer</em> argument defaults to an
+asterisk (<tt class="literal">*</tt>), meaning all printers, and the
+<em class="replaceable">server</em> argument defaults to
+<tt class="literal">localhost</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads printer publish</tt> <em class="replaceable">printer_name</em></b></dt>
+<dd>
+<p>Publishes the specified printer in Active Directory.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads printer remove</tt> <em class="replaceable">printer_name</em></b></dt>
+<dd>
+<p>Removes the specified printer from Active Directory.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads search</tt> <em class="replaceable">expr attrib</em></b></dt>
+<dd>
+<p>Performs a raw Active Directory search, using the standard LDAP
+search expression and attributes specified by the
+<em class="replaceable">expr</em> and <em class="replaceable">attrib</em>
+arguments, respectively.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads status</tt></b></dt>
+<dd>
+<p>Prints details about the Active Directory computer account of the
+system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">change localhost pass</tt></b></dt>
+<dd>
+<p>Changes the Active Directory password for the local
+system's computer trust account.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">domain</tt></b></dt>
+<dd>
+<p>Lists the domains or workgroups on the network.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">file</tt></b></dt>
+<dd>
+<p>Lists open files on the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">file close</tt> <em class="replaceable">file_id</em></b></dt>
+<dd>
+<p>Closes the specified file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">file info</tt> <em class="replaceable">file_id</em></b></dt>
+<dd>
+<p>Prints information about the specified file, which must be open.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">file user</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Lists all files opened on the server by the user specified by
+<em class="replaceable">username</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">group add</tt> <em class="replaceable">group_name</em></b></dt>
+<dd>
+<p>Adds the specified group. This function accepts the miscellaneous
+option <tt class="literal">-C</tt> <em class="replaceable">comment</em>
+(which can also be specified as <tt class="literal">-
+-comment=</tt><em class="replaceable">string</em>) to set the
+descriptive comment for the group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">group delete</tt> <em class="replaceable">group_name</em></b></dt>
+<dd>
+<p>Deletes the specified group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">groupmember add</tt> <em class="replaceable">group_name username</em></b></dt>
+<dd>
+<p>Adds the user specified by <em class="replaceable">username</em> to the
+group specified by <em class="replaceable">group_name</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">groupmember delete</tt> <em class="replaceable">group_name username</em></b></dt>
+<dd>
+<p>Deletes the user specified by <em class="replaceable">username</em>
+from the group specified by <em class="replaceable">group_name</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">groupmember list</tt> <em class="replaceable">group_name</em></b></dt>
+<dd>
+<p>Lists the users who are members of the specified group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt></b></dt>
+<dd>
+<p>Prints a help message for the <em class="emphasis">net</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt> <em class="replaceable">method</em></b></dt>
+<dd>
+<p>Prints a help message for <em class="replaceable">method</em>, which
+can be <tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
+<tt class="literal">rpc</tt>. This lists the functions that can use the
+method, along with a brief description.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt> <em class="replaceable">function</em></b></dt>
+<dd>
+<p>Prints a help message for the specified function, which can be more
+than one word.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">info</tt></b></dt>
+<dd>
+<p>Must be preceded by a method. See the <tt class="literal">ads</tt>
+<tt class="literal">info</tt> and <tt class="literal">rpc</tt>
+<tt class="literal">info</tt> functions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">join</tt></b></dt>
+<dd>
+<p>Joins the computer to a Windows NT domain or Active Directory realm.
+If the method argument is not specified, a check is made to determine
+if Active Directory is in use, and if so, <tt class="literal">ads join</tt>
+is performed. Otherwise, <tt class="literal">rpc join</tt> is run. See also
+the <tt class="literal">ads join</tt> and <tt class="literal">rpc join</tt>
+functions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">leave</tt></b></dt>
+<dd>
+<p>Must be preceded by a method. See the <tt class="literal">ads</tt>
+<tt class="literal">leave</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup dc</tt> <em class="replaceable">[domain]</em></b></dt>
+<dd>
+<p>Prints the IP address of the specified domain's
+domain controllers. The domain defaults to the value of the
+<tt class="literal">workgroup</tt> parameter in the Samba configuration
+file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup host</tt> <em class="replaceable">hostname [type]</em></b></dt>
+<dd>
+<p>Prints the IP address of the specified host.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup kdc</tt> <em class="replaceable">[realm]</em></b></dt>
+<dd>
+<p>Prints the IP address of the specified realm's
+Kerberos domain controller. If <em class="replaceable">realm</em> is
+not specified, it defaults to the value of the
+<tt class="literal">realm</tt> parameter in the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup ldap</tt> <em class="replaceable">[domain]</em></b></dt>
+<dd>
+<p>Prints the IP address of the specified domain's LDAP
+server. If <em class="replaceable">domain</em> is not specified, it
+defaults to the value of the <tt class="literal">workgroup</tt> parameter
+in the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup master</tt> <em class="replaceable">[domain]</em></b></dt>
+<dd>
+<p>Prints the IP address of the master browser of the specified domain
+or workgroup. If <em class="replaceable">domain</em> is not specified,
+it defaults to the value of the <tt class="literal">workgroup</tt>
+parameter in the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">password</tt> <em class="replaceable">username old_password new_password</em></b></dt>
+<dd>
+<p>Changes the password for the user specified by the
+<em class="replaceable">username</em> argument. The
+user's old and new passwords are provided in plain
+text as part of the command. Be careful regarding security issues.
+See also the <tt class="literal">ads password</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printer info</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads printer info</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printer publish</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads printer publish</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printer remove</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads printer remove</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printq</tt></b></dt>
+<dd>
+<p>Prints information (including the job IDs) about printer queues on
+the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printq delete</tt> <em class="replaceable">queue_name</em></b></dt>
+<dd>
+<p>Deletes the specified printer queue. The
+<tt class="literal">-j</tt>
+<em class="replaceable">job_id</em> (which can also be
+specified as
+<tt class="literal">--jobid</tt><em class="emphasis">=</em><em class="replaceable">job_id</em>
+) option may be used to specify the job ID of the queue.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc abortshutdown</tt></b></dt>
+<dd>
+<p>Aborts the shutdown of a remote server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc info</tt></b></dt>
+<dd>
+<p>Prints information about the server's domain. The
+method (<tt class="literal">rpc</tt>) must be specified to differentiate
+this function from the <tt class="literal">ads</tt> <tt class="literal">info</tt>
+function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc join</tt> </b></dt>
+<dd>
+<p>Joins a computer to a Windows NT domain. If the <tt class="literal">-U</tt>
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>
+option is included, the specified username and password will be used
+as the administrative account required for authenticating with the
+PDC. If the <tt class="literal">-U</tt> option is not included, this
+function can be used only to join the computer to the domain after
+the computer account has been created using the Server Manager. The
+method (<tt class="literal">rpc</tt>) must be specified to differentiate
+this function from the <tt class="literal">ads</tt> <tt class="literal">join</tt>
+function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc shutdown</tt></b></dt>
+<dd>
+<p>Shuts down a server. This function accepts the <tt class="literal">-r</tt>,
+<tt class="literal">-f</tt>, <tt class="literal">-t</tt>, and
+<tt class="literal">-c</tt> miscellaneous options. The
+<tt class="literal">-r</tt> option (which can also be specified as
+<tt class="literal">--reboot</tt>) requests that the system reboot after
+shutting down. The <tt class="literal">-f</tt> option (which can also be
+specified as <tt class="literal">--force</tt>) forces a shutdown. The
+<tt class="literal">-t</tt> <em class="replaceable">timeout</em> option
+(which can also be specified as <tt class="literal">-
+-timeout=</tt><em class="replaceable">number</em>) specifies the
+number of seconds to wait before shutting down, and the
+<tt class="literal">-c</tt> <em class="replaceable">comment</em> option
+(which can also be specified as <tt class="literal">-
+-comment=</tt><em class="replaceable">string</em>) can be used to
+specify a message to the client user. On Windows, the comment appears
+in the Message area in the System Shutdown dialog box.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc trustdom add</tt> <em class="replaceable">domain_name</em></b></dt>
+<dd>
+<p>Adds an account for the trust relationship with the specified Windows
+NT domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc trustdom establish</tt> <em class="replaceable">domain_name</em></b></dt>
+<dd>
+<p>Establishes a trust relationship with the specified Windows NT domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc trustdom revoke</tt> <em class="replaceable">domain_name</em></b></dt>
+<dd>
+<p>Revokes the trust relationship with the specified Windows NT domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">search</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads search</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">server</tt></b></dt>
+<dd>
+<p>Lists servers in the domain or workgroup, which defaults to the value
+of the <tt class="literal">workgroup</tt> parameter in the Samba
+configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">session</tt></b></dt>
+<dd>
+<p>Lists clients with open sessions to the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">session delete NetBIOS_</tt><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Closes the session to the server from the specified client. A synonym
+is <tt class="literal">session</tt> <tt class="literal">close</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">session close</tt></b></dt>
+<dd>
+<p>A synonym for <tt class="literal">session delete</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">share</tt></b></dt>
+<dd>
+<p>Lists the shares offered by the server. When a Windows 95/98/Me
+server is the target system, it might be necessary to specify the
+method as <tt class="literal">rap</tt> for this to work properly.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">share add</tt> <em class="replaceable">share_name</em><tt class="literal">=</tt><em class="replaceable">server_path</em></b></dt>
+<dd>
+<p>Adds a share on the target server. The name of the share and the
+folder to be shared are specified by the
+<em class="replaceable">share_name</em><tt class="literal">=</tt><em class="replaceable">server_path</em>
+argument, with <em class="replaceable">server_path</em> the Windows
+directory name, with spaces and other special characters (if any)
+quoted and with the backslashes escaped (e.g.,
+&quot;<tt class="literal">data=C:\\Documents</tt> <tt class="literal">and</tt>
+<tt class="literal">Settings\\jay\\Desktop\\data</tt>&quot;). The
+<tt class="literal">-C</tt> <em class="replaceable">comment</em> option
+(which can also be specified as <tt class="literal">-
+-comment=</tt><em class="replaceable">string</em>) can be used to
+define a description for the share. The <tt class="literal">-M</tt>
+<em class="replaceable">number</em> option (which can also be specified
+as <tt class="literal">--maxusers=</tt><em class="replaceable">number</em>)
+can be used to set the maximum number of users that can connect to
+the share. The method (<tt class="literal">rap</tt> or
+<tt class="literal">rpc</tt>) might need to be specified for this function
+to work. The regular folder icon cannot change into a
+&quot;shared folder&quot; icon in Windows
+Explorer until the display is refreshed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">share delete</tt> <em class="replaceable">share_name</em></b></dt>
+<dd>
+<p>Deletes a share from the target server. The
+<em class="replaceable">share_name</em> argument is simply the name of
+the share on the target server, not a UNC. The method
+(<tt class="literal">rap</tt> or <tt class="literal">rpc</tt>) might need to be
+specified for this function to work. The &quot;shared
+folder&quot; icon in Windows Explorer cannot change back
+to the regular folder icon until the display is refreshed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">shutdown</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc shutdown</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">status</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads status</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">time</tt></b></dt>
+<dd>
+<p>Displays the system time&mdash;in Unix <em class="emphasis">date</em>
+command format&mdash;on the target system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">time set</tt></b></dt>
+<dd>
+<p>Sets the local system's hardware clock using the
+time obtained from the operating system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">time system</tt></b></dt>
+<dd>
+<p>Sets the time on the local system using the time obtained from the
+remote system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">time zone</tt></b></dt>
+<dd>
+<p>Prints the time zone (in hours from GMT) in use on the system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">trustdom add</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc trustdom add</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">trustdom establish</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc trustdom establish</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">trustdom revoke</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc trustdom revoke</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">user</tt></b></dt>
+<dd>
+<p>Lists user accounts. The method can be specified as
+<tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
+<tt class="literal">rpc</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">user add</tt> <em class="replaceable">username [password]</em></b></dt>
+<dd>
+<p>Adds a user account for the user specified by
+<em class="replaceable">username</em>. The <tt class="literal">-c</tt>
+<em class="replaceable">comment</em> option (which can also be
+specified as <tt class="literal">-
+-comment=</tt><em class="replaceable">string</em>) can be used to
+set a comment for the account. The <tt class="literal">-F</tt>
+<em class="replaceable">user_flags</em> option can be used to set flags
+(specified in numeric format) for the account. The method can be
+specified as <tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
+<tt class="literal">rpc</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">user delete</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Deletes the specified user's account. The method can
+be specified as <tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
+<tt class="literal">rpc</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">user info</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Lists the domain groups to which the specified user belongs. The
+method can be specified as <tt class="literal">ads</tt>,
+<tt class="literal">rap</tt>, or <tt class="literal">rpc</tt>. <a name="INDEX-10"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-11"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nmblookup</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">nmblookup</em> program is a client program that
+allows command-line access to NetBIOS name service for resolving
+NetBIOS computer names into IP addresses. The program works by
+broadcasting its queries on the local subnet until a machine with the
+specified name responds. You can think of it as a Windows analog of
+<em class="emphasis">nslookup</em> or <em class="emphasis">dig</em>. This is
+useful for looking up regular computer names, as well as
+special-purpose names, such as _ _MSBROWSE_ _ . If you wish to query
+for a particular type of NetBIOS name, add the NetBIOS type to the
+end of the name, using the format
+<em class="replaceable">netbios_name</em><tt class="literal">#&lt;</tt><em class="replaceable">dd</em><tt class="literal">&gt;</tt>.</p>
+<div class="sect1"><a name="appc-28-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">nmblookup <em class="replaceable">[options] netbios_name</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-29-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-A</tt></b></dt>
+<dd>
+<p>Interprets <em class="replaceable">netbios_name</em> as an IP address
+and does a node status query on it.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-B</tt> <em class="replaceable">broadcast_address</em></b></dt>
+<dd>
+<p>Sends the query to the given broadcast address. The default is to
+send the query to the broadcast address of the primary network
+interface.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Debug level 0 logs only the most important messages.
+Level 1 is normal; levels 3 and above are primarily used by
+developers for debugging the <em class="emphasis">nmblookup</em> program
+itself and slow the program considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-f</tt></b></dt>
+<dd>
+<p>Prints the flags in the packet headers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints command-line usage information for the program.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt> <em class="replaceable">scope</em></b></dt>
+<dd>
+<p>Sets a NetBIOS scope identifier. NetBIOS scope is a rarely used
+precursor to workgroups.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-M</tt></b></dt>
+<dd>
+<p>Searches for a local master browser by looking up
+<em class="replaceable">netbios_name</em><tt class="literal">&lt;1d&gt;</tt>.
+If <em class="replaceable">netbios_name</em> is specified as a dash
+(<tt class="literal">-</tt>), a lookup is done on the special name _
+_MSBROWSE_ _ .</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-R</tt></b></dt>
+<dd>
+<p>Sets the &quot;recursion desired&quot; bit in
+the packet. This causes the system that responds to try a WINS lookup
+and return the address and any other information the WINS server has
+saved.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-r</tt></b></dt>
+<dd>
+<p>Uses the <tt class="literal">root</tt> port of 137. This option exists as a
+bug workaround for Windows 95. This option might require the user to
+be superuser.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt></b></dt>
+<dd>
+<p>Performs a node status query once the name query has returned an IP
+address. This returns all the resource types that the system knows
+about, including their numeric attributes. For example:</p>
+
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S toltec</b></tt>
+querying toltec on 172.16.1.255
+172.16.1.1 toltec&lt;00&gt;
+Looking up status of 172.16.1.1
+    TOLTEC          &lt;00&gt; -         M &lt;ACTIVE&gt;
+    TOLTEC          &lt;03&gt; -         M &lt;ACTIVE&gt;
+    TOLTEC          &lt;20&gt; -         M &lt;ACTIVE&gt;
+    ..__MSBROWSE__. &lt;01&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
+    METRAN          &lt;00&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
+    METRAN          &lt;1b&gt; -         M &lt;ACTIVE&gt;
+    METRAN          &lt;1c&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
+    METRAN          &lt;1d&gt; -         M &lt;ACTIVE&gt;
+    METRAN          &lt;1e&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;</pre></blockquote>
+</dd>
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">configuration_ file</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file. Although the
+file defaults to <em class="filename">/usr/local/samba/lib/smb.conf</em>,
+you can override it here on the command line. Normally used for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-T</tt></b></dt>
+<dd>
+<p>Translates IP addresses into resolved names.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">unicast_address</em></b></dt>
+<dd>
+<p>Performs a unicast query to the specified address. Used with
+<tt class="literal">-R</tt> to query WINS servers.</p>
+</dd>
+
+</dl>
+
+
+<p>Note that <em class="emphasis">nmblookup</em> has no option for setting
+the workgroup. You can get around this by putting
+<tt class="literal">workgroup</tt> <tt class="literal">=</tt>
+<em class="replaceable">workgroup_name</em> in a file and passing it to
+<em class="emphasis">nmblookup</em> with the
+<tt class="literal">-s</tt> option.</p>
+
+</div>
+</div>
+
+<a name="INDEX-12"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>pdbedit</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program, new to Samba 3.0, can be used to manage accounts that
+are held in a SAM database. The implementation of the database can be
+any of the types supported by Samba, including the
+<em class="filename">smbpasswd</em> file, LDAP, NIS+ and the
+<em class="filename">tdb</em> database library. The user must be the
+superuser to use this tool.</p>
+<div class="sect1"><a name="appc-31-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">pdbedit <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-32-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt></b></dt>
+<dd>
+<p>Adds the user specified by the <tt class="literal">-u</tt> option to the
+SAM database. The command issues a prompt for the
+user's password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">drive_letter</em></b></dt>
+<dd>
+<p>Sets the Windows drive letter to which to map the
+user's home directory. The drive letter should be
+specified as a letter followed by a colon&mdash;e.g.,
+<tt class="literal">H</tt>:.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Debug level 0 logs only the most important messages.
+Level 1 is normal, and levels 3 and above are primarily for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-e</tt> <em class="replaceable">pwdb_backend</em></b></dt>
+<dd>
+<p>Exports the user account database to another format, written to the
+specified location. Used for migrating from one type of account
+database to another. The <em class="replaceable">pwdb_backend</em>
+argument is specified in the format of a database type, followed by a
+colon, then the location of the database. For example, to export the
+existing account database to an <em class="filename">smbpasswd</em>
+database in the file
+<em class="filename">/usr/local/samba/private/smbpw</em>,
+<em class="replaceable">pwdb_backend</em> would be specified as
+<tt class="literal">smbpasswd:/usr/local/samba/private/smbpw</tt>. The
+allowable database types are <tt class="literal">smbpasswd</tt>,
+<tt class="literal">smbpasswd nua</tt>, <tt class="literal">tdbsam</tt>,
+<tt class="literal">tdbsam nua</tt>, <tt class="literal">ldapsam</tt>,
+<tt class="literal">ldapsam_nua</tt>, and <tt class="literal">plugin</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-f</tt> <em class="replaceable">full_name</em></b></dt>
+<dd>
+<p>Sets the full name of the user specified with the
+<tt class="literal">-u</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt> <em class="replaceable">unc</em></b></dt>
+<dd>
+<p>Sets the home directory path (as a UNC) for the user specified with
+the <tt class="literal">-u</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt> <em class="replaceable">pwdb_backend</em></b></dt>
+<dd>
+<p>Specifies a password database backend from which to retrieve account
+information, overriding the one specified by the <tt class="literal">passdb
+backend</tt> parameter in the Samba configuration file. This,
+along with the <tt class="literal">-e</tt> option, is useful for migrating
+user accounts from one type of account database to another. See the
+<tt class="literal">-e</tt> option regarding how to specify the
+<em class="replaceable">pwdb_backend</em> argument.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt></b></dt>
+<dd>
+<p>Lists the user accounts in the database. See also the
+<tt class="literal">-v</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-m</tt></b></dt>
+<dd>
+<p>Indicates that the account is a computer account rather than a user
+account. Used only with the <tt class="literal">-a</tt> option when
+creating the account. In this case, the <tt class="literal">-u</tt> option
+specifies the computer name rather than a username.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">unc</em></b></dt>
+<dd>
+<p>Sets the directory in which the user's profile is
+kept. The directory is specified as a UNC.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">unc</em></b></dt>
+<dd>
+<p>Specifies the UNC of the user's logon script.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Specifies the username of the account to add (with the
+<tt class="literal">-a</tt> option), delete (with the <tt class="literal">-x</tt>
+option), or modify.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Selects verbose mode when listing accounts with the
+<tt class="literal">-l</tt> option. The account fields will be printed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-w</tt></b></dt>
+<dd>
+<p>Selects the <tt class="literal">smbpasswd</tt> listing mode, for use with
+the <tt class="literal">-l</tt> option, which prints information in the
+same format as it would appear in an <em class="filename">smbpasswd</em>
+file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-x</tt></b></dt>
+<dd>
+<p>Deletes the user (specified with the <tt class="literal">-u</tt> option)
+from the account database.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-13"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>rpcclient</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This is a program for issuing administrative commands that are
+implemented using Microsoft RPCs. It provides access to the RPCs that
+Windows administrative GUIs use for system management. The
+<em class="emphasis">rpcclient</em> command is mainly for use by advanced
+users who understand the RPCs. More information on these can be found
+in Microsoft's Platform Software Development Kit
+(SDK), available for download from the Microsoft web site at
+<a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p><p>You can run a single <em class="emphasis">rpcclient</em> command by using
+the <tt class="literal">-c command string</tt> option, or interactively
+with <em class="emphasis">rpcclient</em> prompting for commands.</p>
+<div class="sect1"><a name="appc-34-fm2xml"/>
+
+<h4 class="refsect1">Command Synopsis</h4>
+
+<p>rpcclient <em class="replaceable">server [options]</em></p>
+
+
+</div>
+
+<div class="sect1"><a name="appc-35-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-A</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies a file from which to read the authentication values used in
+the connection. The format of the file is as follows:</p>
+
+<blockquote><pre class="code">username = <em class="replaceable">value</em>
+password = <em class="replaceable">value</em>
+domain   = <em class="replaceable">value</em></pre></blockquote>
+
+<p>This option is used to avoid password prompts or to have the password
+appear in plain text inside scripts. The permissions on the file
+should be very restrictive (0600, for example) to prevent access from
+unwanted users.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-c</tt> <em class="replaceable">command_string</em></b></dt>
+<dd>
+<p>Executes a sequence of semicolon-separated commands. Commands are
+listed in the following section.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debuglevel</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Specifying the value on the command line overrides the
+value specified in the <em class="filename">smb.conf</em> file. Debug
+level 0 logs only the most important messages; level 1 is normal;
+levels 3 and above are primarily for debugging and slow the program
+considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints a summary of options.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">logbasename</em></b></dt>
+<dd>
+<p>Sets the filename for log/debug files. The extension
+<em class="filename">.client</em> is appended to the filename.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-N</tt></b></dt>
+<dd>
+<p>Does not prompt for a password. This is used when Samba is configured
+for share-mode security and a service with no password is being
+accessed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file, which by
+default is usually
+<em class="filename">/usr/local/samba/lib/smb.conf</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
+<dd>
+<p>Sets the SMB username or username and password to use. Be careful
+when specifying the password with
+<tt class="literal">%</tt><em class="replaceable">password</em>; this is a
+major security risk. If
+<tt class="literal">%</tt><em class="replaceable">password</em> is not
+specified, the user will be prompted for the password, which will not
+be echoed. Normally the user is set from the USER or LOGNAME
+environment variable. The <tt class="literal">-U</tt> option by itself
+means to use the guest account. See also <tt class="literal">-A</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-W</tt> <em class="replaceable">domain</em></b></dt>
+<dd>
+<p>Sets the domain, overriding the <tt class="literal">workgroup</tt>
+parameter in the Samba configuration file. If the domain is the
+server's NetBIOS name, it causes the client to log
+on using the server's local SAM database rather than
+the SAM of the domain.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-14"/><a name="INDEX-15"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>rpcclient commands</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>Aside from a few miscellaneous commands, the
+<em class="emphasis">rpclient</em> commands fall into three groups:
+LSARPC, SAMR, and SPOOLSS. The function names mentioned in some of
+the commands are those documented in the Microsoft Platform SDK.</p>
+<div class="sect1"><a name="appc-37-fm2xml"/>
+
+<h4 class="refsect1">General commands</h4>
+
+<dl>
+<dt><b><tt class="literal">debuglevel</tt> <em class="replaceable">level</em></b></dt>
+<dd>
+<p>Sets the debugging level to <em class="replaceable">level</em>. With no
+argument, the current debugging level is printed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt></b></dt>
+<dd>
+<p>Prints help on the commands.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">quit</tt></b></dt>
+<dd>
+<p>Exits <em class="emphasis">rpcclient</em>. A synonym is
+<tt class="literal">exit</tt>.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-38-fm2xml"/>
+
+<h4 class="refsect1">Local Security Authority Remote Procedure Calls (LSARPC) commands</h4>
+
+<dl>
+<dt><b><tt class="literal">enumprivs</tt></b></dt>
+<dd>
+<p>Lists the types of privileges known to this domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumtrust</tt></b></dt>
+<dd>
+<p>Lists the domains trusted by this domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">getdispname</tt> <em class="replaceable">priv_name</em></b></dt>
+<dd>
+<p>Prints information on the privilege named
+<em class="replaceable">priv_name</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookupsids</tt> <em class="replaceable">name</em></b></dt>
+<dd>
+<p>Finds a name that corresponds to a security identifier (SID).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookupnames</tt> <em class="replaceable">sid</em></b></dt>
+<dd>
+<p>Finds the SID for one or more names.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lsaquery</tt></b></dt>
+<dd>
+<p>Queries the LSA object.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lsaenumsid</tt></b></dt>
+<dd>
+<p>Lists SIDs for the local LSA.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lsaquerysecobj</tt></b></dt>
+<dd>
+<p>Prints information on security objects for the LSA.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-39-fm2xml"/>
+
+<h4 class="refsect1">Security Access Manager RPC (SAMR) commands</h4>
+
+<dl>
+<dt><b><tt class="literal">createdomuser</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Adds a new user in the domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">deletedomuser</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Removes a user from the domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumalsgroups</tt> <em class="replaceable">type</em></b></dt>
+<dd>
+<p>Lists alias groups in the domain, along with their group RIDs. The
+<em class="replaceable">type</em> argument can be either
+<tt class="literal">builtin</tt>, to list Windows built-in groups such as
+<tt class="literal">Administrators</tt> and <tt class="literal">Power</tt>
+<tt class="literal">Users</tt>, or <tt class="literal">domain</tt>, to list
+groups in the domain. See also the
+<em class="emphasis">queryuseraliases</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumdomgroups</tt></b></dt>
+<dd>
+<p>Lists the groups in the domain, along with their group RIDs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queryaliasmem</tt> <em class="replaceable">user_rid</em></b></dt>
+<dd>
+<p>Prints information regarding alias membership. See also the
+<em class="emphasis">queryuseraliases</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">querydispinfo</tt></b></dt>
+<dd>
+<p>Prints out the account database. The information printed includes the
+RID, username, and full name of each user. The RID is printed in
+hexadecimal notation and can be used in this form for commands that
+take a RID as an argument.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">querydominfo</tt></b></dt>
+<dd>
+<p>Prints information regarding the domain. This includes the name of
+the domain, as well as the number of users, groups, and aliases.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">querygroup</tt> <em class="replaceable">group_rid</em></b></dt>
+<dd>
+<p>Given a group RID, prints the group name, description, number of
+members, and group description.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queryuser</tt> <em class="replaceable">user_rid</em></b></dt>
+<dd>
+<p>Given a user RID, prints the corresponding username, full name, and
+other information pertaining to the user.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queryuseraliases</tt> <em class="replaceable">type</em> <em class="replaceable">user_rid</em></b></dt>
+<dd>
+<p>Prints aliases for the user. The <em class="replaceable">type</em>
+argument can be either <tt class="literal">builtin</tt> or
+<tt class="literal">domain</tt>. Aliases are used with the Windows
+messaging service and act like usernames, but they can be attached to
+a computer rather than a user. This allows messages intended for a
+user to be sent to a computer on which the user is either not logged
+on, or logged on under another username.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queryusergroups</tt> <em class="replaceable">user_rid</em></b></dt>
+<dd>
+<p>Prints information on each group inhabited by the user.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">querygroupmem</tt> <em class="replaceable">group_rid</em></b></dt>
+<dd>
+<p>Prints the RID and attributes for each member of the group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">samlookupnames</tt> <em class="replaceable">type username</em></b></dt>
+<dd>
+<p>Looks up the <em class="replaceable">username</em> in the SAM database
+and prints its associated RID. The <em class="replaceable">type</em>
+argument can be either <tt class="literal">builtin</tt>, to look up
+built-in Windows usernames, or <tt class="literal">domain</tt>, to look up
+names in the domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">samlookuprids</tt> <em class="replaceable">type rid</em></b></dt>
+<dd>
+<p>Looks up <em class="replaceable">rid</em> in the SAM database and
+prints its associated group or username. The
+<em class="replaceable">type</em> argument can be either
+<tt class="literal">builtin</tt>, to look up built-in Windows usernames, or
+<tt class="literal">domain</tt>, to look up names in the domain. The RID
+argument can be given in either 0xDDD hexadecimal notation or
+decimal.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">samquerysecobj</tt></b></dt>
+<dd>
+<p>Prints information on security objects (such as ACLs) in the SAM
+database.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-40-fm2xml"/>
+
+<h4 class="refsect1">Windows NT/2000/XP Printing Services (SPOOLSS) commands</h4>
+
+<dl>
+<dt><b><tt class="literal">adddriver</tt> <em class="replaceable">arch config_file</em> </b></dt>
+<dd>
+<p>Adds a printer driver to the server. The driver files must already
+exist in the directory returned by <em class="emphasis">getdriverdir</em>.
+The <em class="replaceable">arch</em> argument can be one of
+<tt class="literal">Windows 4.0</tt> for Windows 95/98/Me, or
+<tt class="literal">Windows NT x86</tt>, <tt class="literal">Windows NT
+PowerPC</tt>, <tt class="literal">Windows Alpha_AXP</tt>, and
+<tt class="literal">Windows NT R4000</tt>. Others might be introduced in
+the future.</p>
+
+
+<p>The <em class="replaceable">config_file</em> should contain:</p>
+
+<blockquote><pre class="code">Long Printer Name:\
+Driver File Name:\
+Data File Name:\
+Config File Name:\
+Help File Name:\
+NULL:\
+Default Data Type:\</pre></blockquote>
+
+<p>followed by a comma-separated list of files. Any empty fields should
+contain the string <tt class="literal">NULL</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">addprinter</tt> <em class="replaceable">printername sharename drivername port</em> </b></dt>
+<dd>
+<p>Adds a printer on the remote server as
+<em class="replaceable">sharename</em>. The printer driver must already
+be installed on the server with <em class="emphasis">adddriver</em>, and
+the port must be a valid port name returned by
+<em class="emphasis">enumports</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">deldriver</tt> <em class="replaceable">drivername</em></b></dt>
+<dd>
+<p>Deletes a printer driver (for all architectures) from the
+server's list of printer drivers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumports</tt> <em class="replaceable">[level]</em></b></dt>
+<dd>
+<p>Prints information regarding the printer ports on the server. The
+<em class="replaceable">level</em> argument can be <tt class="literal">1</tt>
+or <tt class="literal">2</tt>. Level 1 is the default and prints out only
+the Port Name. Information level 2 is the Port Name, Monitor Name,
+Description, and Port Type.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumdrivers</tt> <em class="replaceable">[level]</em> </b></dt>
+<dd>
+<p>Lists all the printer drivers on the system. The
+<em class="replaceable">level</em> argument specifies the information
+level. Level 1 is the default and prints the Driver Name(s). Level 2
+prints the Version, Driver Name, Architecture, Driver Path, Data
+File, and Config File. Level 3 prints the contents of Level 2, plus
+the Help File, one or more Dependent Files, Monitor Name, and Default
+Data Type.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumprinters</tt> <em class="replaceable">[level]</em></b></dt>
+<dd>
+<p>Lists all installed printers, regardless of whether they are shared.
+The <em class="replaceable">level</em> argument specifies the
+information level. Level 1 is the default, and prints Flags, Name,
+Description, and Comment. Level 2 prints the Server Name, Printer
+Name, Share Name, Port Name, Driver Name, Comment, Location,
+Separator File, Print Processor, Data Type, Parameters, Attributes,
+Priority, Default Priority, Start Time, Until Time, Status, Current
+Jobs, Average PPM (pages per minute), and a Security Descriptor.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">getdriver</tt> <em class="replaceable">[level] printername</em></b></dt>
+<dd>
+<p>Prints the printer driver information for the given printer. The
+<em class="replaceable">level</em> argument specifies the information
+level.</p>
+
+
+<p>Level 1 is the default, and prints the Driver Name. Level 2 prints
+the Version, Driver Name, Architecture, Driver Path, Data File, and
+Config File. Level 3 prints the contents of level 2, plus the Help
+File, one or more Dependent Files, Monitor Name, and Default Data
+Type.</p>
+</dd>
+
+
+<dt><b><tt class="literal">getdriverdir</tt> <em class="replaceable">arch</em></b></dt>
+<dd>
+<p>Retrieves the share name and directory for storing printer driver
+files for a given architecture. Possible values for
+<em class="replaceable">arch</em> are &quot;<tt class="literal">Windows</tt>
+<tt class="literal">4.0</tt>&quot; for Windows 95/98/Me,
+&quot;<tt class="literal">Windows</tt> <tt class="literal">NT</tt>
+<tt class="literal">x86</tt>&quot; for Windows NT on Intel,
+&quot;<tt class="literal">Windows</tt> <tt class="literal">NT</tt>
+<tt class="literal">PowerPC</tt>&quot; for Windows NT on PowerPC,
+&quot;<tt class="literal">Windows</tt> <tt class="literal">Alpha</tt>
+<tt class="literal">AXP</tt>&quot; for Windows NT on Alpha, and
+&quot;<tt class="literal">Windows</tt> <tt class="literal">NT</tt>
+<tt class="literal">R4000</tt>&quot; for Windows NT on MIPS. Include the quote
+marks in the command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">getprinter</tt> <em class="replaceable">printername</em></b></dt>
+<dd>
+<p>Prints the current printer information. The
+<em class="replaceable">level</em> argument specifies the information
+level.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">openprinter</tt> <em class="replaceable">printername</em></b></dt>
+<dd>
+<p>Attempts to open and close a specified printer and reports whether it
+was successful.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">setdriver</tt> <em class="replaceable">printername drivername</em></b></dt>
+<dd>
+<p>Unconditionally updates the printer driver used by an installed
+printer. Both the printer and printer driver must already be
+correctly installed on the print server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">setprinter</tt> <em class="replaceable">printername comment</em></b></dt>
+<dd>
+<p>Assigns a comment string to a printer.<a name="INDEX-15"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-16"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbcacls</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program provides a way of modifying Windows NT ACLs on files and
+directories shared by the Samba server.</p>
+<div class="sect1"><a name="appc-42-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbcacls //<em class="replaceable">server</em>/<em class="replaceable">share filename</em> <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-43-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-A</tt> <em class="replaceable">acls</em></b></dt>
+<dd>
+<p>Adds one or more ACLs to the file or directory. Any ACLs already
+existing for the file or directory are unchanged.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-M</tt> <em class="replaceable">acls</em></b></dt>
+<dd>
+<p>Modifies the <em class="replaceable">mask</em> of the ACLs specified.
+Refer to the following section, &quot;Specifying
+ACLs,&quot; for details.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt> <em class="replaceable">acls</em></b></dt>
+<dd>
+<p>Deletes the specified ACLs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt> <em class="replaceable">acls</em></b></dt>
+<dd>
+<p>Sets the specified ACLs, deleting any ACLs previously set on the file
+or directory. The ACLs must contain at least a revision, type, owner,
+and group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Sets the username used to connect to the specified service. The user
+is prompted for a password unless the argument is specified as
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>.
+(Specifying the password on the command line is a security risk.) If
+<tt class="literal">-U</tt>
+<em class="replaceable">domain</em><tt class="literal">\\</tt><em class="replaceable">username</em>
+is specified, the specified domain or workgroup will be used in place
+of the one specified in the <em class="filename">smb.conf</em> file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-C</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Changes the owner of the file or directory. This is a shortcut for
+<tt class="literal">-M</tt>
+<tt class="literal">OWNER</tt>:<em class="replaceable">username</em>. The
+<em class="replaceable">username</em> argument can be given as a
+username or a SID in the form
+<tt class="literal">S-1-</tt><em class="replaceable">N-N-D-D-D-R</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-G</tt> <em class="replaceable">groupname</em></b></dt>
+<dd>
+<p>Changes the group of the file or directory. This is a shortcut for
+<tt class="literal">-M</tt>
+<tt class="literal">GROUP</tt>:<em class="replaceable">groupname</em>. The
+<em class="replaceable">groupname</em> argument can be given as a group
+name or a SID in the form
+<tt class="literal">S-1-</tt><em class="replaceable">N-N-D-D-D-R</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt></b></dt>
+<dd>
+<p>Causes all ACL information to be displayed in numeric format rather
+than in readable strings.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints a help message.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-44-fm2xml"/>
+
+<h4 class="refsect1">Specifying ACLs</h4>
+<p>In the previous options, the same format is always used when
+specifying ACLs. An ACL is made up of one or more Access Control
+Entries (ACEs), separated by either commas or escaped newlines. An
+ACE can be one of the following:</p>
+
+<blockquote class="simplelist">
+
+<p><tt class="literal">REVISION</tt>:<em class="replaceable">revision_number</em></p>
+
+
+
+
+<p><tt class="literal">OWNER</tt>:<em class="replaceable">username_or_SID</em></p>
+
+
+
+
+<p><tt class="literal">GROUP</tt>:<em class="replaceable">group_name_or_SID</em></p>
+
+
+
+
+<p><tt class="literal">ACL</tt>:<em class="replaceable">name_or_SID</em>:<em class="replaceable">type</em>/<em class="replaceable">flags</em>/<em class="replaceable">mask</em></p>
+
+</blockquote>
+
+
+<p>The <em class="replaceable">revision_number</em> should always be 1.
+The <tt class="literal">OWNER</tt> and <tt class="literal">GROUP</tt> entries can
+be used to set the owner and group for the file or directory. The
+names can be the textual ones or SIDs in the form
+<tt class="literal">S-1-</tt><em class="replaceable">N</em><tt class="literal">-</tt><em class="replaceable">N</em><tt class="literal">-</tt><em class="replaceable">D</em><tt class="literal">-</tt><em class="replaceable">D-D-R</em>.</p>
+
+<p>The <tt class="literal">ACL</tt> entry specifies what access rights to
+apply to the file or directory. The
+<em class="replaceable">name_or_SID</em> field specifies to which user
+or group the permissions apply and can be supplied either as a
+textual name or a SID. An ACE can be used to either allow or deny
+access. The <em class="replaceable">type</em> field is set to
+<tt class="literal">1</tt> to specify a permission to be allowed or
+<tt class="literal">0</tt> for specifying a permission to deny. The
+<em class="replaceable">mask</em> field is the name of the permission
+and is one of the following:</p>
+
+<dl>
+<dt><b><tt class="literal">R</tt></b></dt>
+<dd>
+<p>Read access.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">W</tt></b></dt>
+<dd>
+<p>Write access.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">X</tt></b></dt>
+<dd>
+<p>Execute permission.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">D</tt></b></dt>
+<dd>
+<p>Permission to delete.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">P</tt></b></dt>
+<dd>
+<p>Change permissions on the object.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">O</tt></b></dt>
+<dd>
+<p>Take ownership.</p>
+</dd>
+
+</dl>
+
+
+<p>The following combined permissions can also be specified:</p>
+
+<dl>
+<dt><b><tt class="literal">READ</tt></b></dt>
+<dd>
+<p>Equivalent to RX permissions</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">CHANGE</tt></b></dt>
+<dd>
+<p>Equivalent to RWXD permissions</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">FULL</tt></b></dt>
+<dd>
+<p>Equivalent to RWXDPO permissions</p>
+</dd>
+
+</dl>
+
+
+<p>The <em class="replaceable">flags</em> field is for specifying how
+objects in directories are to inherit their default permissions from
+their parent directory. For files, <em class="replaceable">flags</em>
+is normally set to <tt class="literal">0</tt>. For directories,
+<em class="replaceable">flags</em> is usually set to either
+<tt class="literal">9</tt> or <tt class="literal">2</tt>.</p>
+
+</div>
+</div>
+
+<a name="INDEX-17"/><a name="INDEX-18"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbclient</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbclient</em> program is the
+&quot;Swiss army knife&quot; of the Samba
+suite. Initially developed as a testing tool, it has become a command
+shell capable of acting as a general-purpose Unix client, with a
+command set very similar to that of <em class="emphasis">ftp</em>. It
+offers the following set of functions:</p><ul><li>
+<p>Interactive file transfer, similar to <em class="emphasis">ftp</em></p>
+</li>
+<li>
+<p>Interactive printing to shared SMB printers</p>
+</li>
+<li>
+<p>Interactive tar format archiving</p>
+</li>
+<li>
+<p>Sending messages on the SMB network</p>
+</li>
+<li>
+<p>Batch mode tar format archiving</p>
+</li>
+<li>
+<p>&quot;What services do you have?&quot;
+querying</p>
+</li>
+<li>
+<p>Debugging</p>
+</li></ul>
+<div class="sect1"><a name="appc-45-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/<em class="replaceable">share</em> <em class="replaceable">[ password] [options]</em></pre></blockquote>
+<p>It is possible to run <em class="emphasis">smbclient</em>
+noninteractively, for use in scripts, by specifying the
+<tt class="literal">-c</tt> option along with a list of commands to
+execute. Otherwise, <em class="emphasis">smbclient</em> runs in
+interactive mode, prompting for commands such as this:</p>
+
+<blockquote><pre class="code">smb:\&gt;</pre></blockquote>
+<p>The backslash in the prompt is replaced by the current directory
+within the share as you change your working directory with
+<em class="emphasis">smbclient</em>'s
+<em class="emphasis">cd</em> command.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-46-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-A</tt> <em class="replaceable">authfile</em></b></dt>
+<dd>
+<p>Specifies a file from which to read the username and password used
+for the connection. The format of the file is as follows:</p>
+
+
+<blockquote><pre class="code">username = <em class="replaceable">value</em>
+password = <em class="replaceable">value</em>
+domain   = <em class="replaceable">value</em></pre></blockquote>
+
+<p>This is to avoid having the password prompted for or have it appear
+in plain text in scripts. The permissions on the file should be very
+restrictive (0600, for example) to prevent access by unwanted users.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-b</tt> <em class="replaceable">buffer_size</em></b></dt>
+<dd>
+<p>Sets the size of the buffer used when transferring files. It defaults
+to 65520 bytes and can be changed as a tuning measure. Generally it
+should be quite large or set to match the size of the buffer on the
+remote system. It can be set smaller to work around Windows bugs:
+some Windows 98 systems work best with a buffer size of 1200.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-B</tt> <em class="replaceable">IP_addr</em></b></dt>
+<dd>
+<p>Sets the broadcast address.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-c</tt> <em class="replaceable">command_string</em> </b></dt>
+<dd>
+<p>Passes a command string to the <em class="emphasis">smbclient</em> command
+interpreter. The argument consists of a semicolon-separated list of
+commands to be executed.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-d</em> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (logging) level, from 0 to 10, with A for all.
+Overrides the value in <em class="filename">smb.conf</em>. Debug level 0
+logs only the most important messages; level 1 is normal; debug
+levels 3 and above are for debugging and slow
+<em class="emphasis">smbclient</em> considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt> <em class="replaceable">init_dir</em></b></dt>
+<dd>
+<p>Upon starting up, causes <em class="emphasis">smbclient</em> to change its
+working directory to <em class="replaceable">init_dir</em> on the
+remote host.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-E</tt></b></dt>
+<dd>
+<p>Sends output from commands to <em class="emphasis">stderr</em> instead of
+<em class="emphasis">stdout</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints the command-line help information (usage) for
+<em class="emphasis">smbclient</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-I</tt> <em class="replaceable">IP_address</em></b></dt>
+<dd>
+<p>Sets the IP address of the server to which the client connects.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt> <em class="replaceable">scope</em></b></dt>
+<dd>
+<p>Sets a NetBIOS scope identifier.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_ file</em></b></dt>
+<dd>
+<p>Sends the log messages to <em class="replaceable">log_file</em> rather
+than to the log file specified in the Samba configuration file or the
+compiled-in default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-L</tt> <em class="replaceable">server</em></b></dt>
+<dd>
+<p>Lists services (shares) offered by the server. This can be used as a
+quick way to test an SMB server to see if it is working. If there is
+a name-service problem, use the <tt class="literal">-I</tt> option to
+specify the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-M</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Allows you to send messages using the Windows messaging protocol.
+Once a connection is established, you can type your message, pressing
+Ctrl-D to end. The <tt class="literal">-U</tt> and <tt class="literal">-I</tt>
+options can be used to control the
+&quot;From&quot; and
+&quot;To&quot; parts of the message.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-N</tt></b></dt>
+<dd>
+<p>Suppresses the password prompt. Useful when using share mode security
+and accessing a service that has no password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Allows you to override the NetBIOS name by which
+<em class="emphasis">smbclient</em> will advertise itself.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-O</tt> <em class="replaceable">socket_options</em></b></dt>
+<dd>
+<p>Sets the TCP/IP socket options using the same parameters as the
+<tt class="literal">socket options</tt> configuration option. Often used
+for performance tuning and testing.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">port_number</em></b></dt>
+<dd>
+<p>Sets the port number with which <em class="emphasis">smbclient</em> will
+connect.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-R</tt> <em class="replaceable">resolve_order</em></b></dt>
+<dd>
+<p>Sets the resolve order of the name servers. This option is similar to
+the <tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
+option and can take any of the four parameters
+<tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
+If more than one is specified, the argument is specified as a
+space-separated list. This option can be used to test name service by
+specifying only the name service to be tested.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file. Used for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-t</tt> <em class="replaceable">terminal_code</em></b></dt>
+<dd>
+<p>Sets the terminal code for Asian languages.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-T</tt> <em class="replaceable">command_string tarfile</em></b></dt>
+<dd>
+<p>Runs the tar archiver, which is <em class="emphasis">gtar</em> compatible.
+The tar file that is written to or read from is specified by
+<em class="replaceable">tarfile</em>. The two main commands are
+<tt class="literal">c</tt> (create) and <tt class="literal">x</tt> (extract),
+which can be followed by any of these:</p>
+
+<dl>
+<dt><b><tt class="literal">a</tt></b></dt>
+<dd>
+<p>Resets the archive attribute on files after they have been saved. See
+also the <tt class="literal">g</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">b</tt> <em class="replaceable">size</em></b></dt>
+<dd>
+<p>Sets the block size for writing the tar file, in 512-byte units.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">g</tt></b></dt>
+<dd>
+<p>Backs up only files that have their archive bit set. See also the
+<tt class="literal">a</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">I</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Includes files and directories. This is the default, so specifying
+this is redundant. To perform pattern matching, see also the
+<tt class="literal">r</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">N</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Backs up only those files newer than <em class="replaceable">file</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">q</tt></b></dt>
+<dd>
+<p>Suppresses diagnostics.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">r</tt></b></dt>
+<dd>
+<p>Performs regular expression matching, which can be used along with
+the <tt class="literal">I</tt> or <tt class="literal">E</tt> option to include or
+exclude files.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">X</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Excludes files and directories.</p>
+</dd>
+
+</dl>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Sets the username and, optionally, the password used for
+authentication when connecting to the share.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-W</tt> <em class="replaceable">workgroup</em></b></dt>
+<dd>
+<p>Specifies the workgroup/domain in which
+<em class="emphasis">smbclient</em> will claim to be a member.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-47-fm2xml"/>
+
+<h4 class="refsect1">smbclient commands</h4>
+
+<dl>
+<dt><b><tt class="literal">help</tt> <em class="replaceable">[smbclient_command]</em></b></dt>
+<dd>
+<p>With no command specified, prints a list of available commands. If a
+command is specified as an argument, a brief help message will be
+printed for it.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">!</tt> <em class="replaceable">[shell_command]</em></b></dt>
+<dd>
+<p>Shell escape. With no command specified, runs a Unix shell. If a
+command is specified, runs the command in a Unix shell.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">altname</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbclient</em> to request from the server and
+then print the old-style, 8.3-format filename for the specified file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">cancel</tt> <em class="replaceable">print_jobid [...]</em></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbclient</em> to request the server to cancel
+one or more print jobs, as specified by the numeric job IDs provided
+as arguments. See also the <em class="emphasis">queue</em> command, which
+prints job IDs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">chmod</tt> <em class="replaceable">filename octal_mode</em></b></dt>
+<dd>
+<p>Requests that the server change the Unix file permissions on
+<em class="replaceable">filename</em> to
+<em class="replaceable">octal_mode</em>, specified in octal numeric
+format. Works only if the server supports Unix CIFS extensions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">chown</tt> <em class="replaceable">filename UID GID</em></b></dt>
+<dd>
+<p>Requests that the server change the owner and group of the file
+specified by <em class="replaceable">filename</em> to those provided as
+decimal numeric arguments <em class="replaceable">UID</em> and
+<em class="replaceable">GID</em>. Works only if the server supports
+Unix CIFS extensions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">cd</tt> <em class="replaceable">[directory]</em></b></dt>
+<dd>
+<p>With no argument, prints the current working directory on the remote
+system. If a directory name is supplied as an argument, changes the
+working directory on the remote system to that specified.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">del</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Requests that the server delete one or more files, as specified by
+the argument, from the current working directory. The argument can be
+a filename globbing pattern using the * and ? characters.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">dir</tt> [<em class="replaceable">filename]</em></b></dt>
+<dd>
+<p>With no arguments, prints a list of files and directories in the
+working directory on the server. If an argument is provided, only
+files and directories whose names match the argument will be listed.
+The argument can be a filename globbing pattern using the * and ?
+characters.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">exit</tt></b></dt>
+<dd>
+<p>Quits the <em class="emphasis">smbclient</em> program after terminating
+the SMB connection to the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">get</tt> <em class="replaceable">remote_file [local_file]</em></b></dt>
+<dd>
+<p>Copies the file specified by <em class="replaceable">remote_file</em>
+from the server to the local system. If no
+<em class="replaceable">local_file</em> argument is specified,
+<em class="emphasis">smbclient</em> will name the local file the same as
+it is named on the server. If <em class="replaceable">local_file</em>
+is specified, it will be used as the name of the local copy. See also
+the <em class="emphasis">lowercase</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt> <em class="replaceable">[command]</em></b></dt>
+<dd>
+<p>A synonym for the <em class="emphasis">?</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lcd</tt> <em class="replaceable">[directory]</em></b></dt>
+<dd>
+<p>If no argument is provided, prints the name of
+<em class="emphasis">smbclient</em>'s working directory
+on the local system. If a directory name is provided as an argument,
+changes <em class="emphasis">smbclient</em>'s working
+directory to the directory specified.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">link</tt> <em class="replaceable">link_name filename</em></b></dt>
+<dd>
+<p>Requests that the server create a hard link to
+<em class="replaceable">filename</em> and name it
+<em class="replaceable">link_name</em>. This command works only if the
+server supports Unix CIFS extensions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lowercase</tt></b></dt>
+<dd>
+<p>Toggles the boolean lowercasing setting. When this setting is on,
+names of files copied from the server with the
+<em class="emphasis">get</em> and <em class="emphasis">mget</em> commands will
+be changed to all lowercase. This is mainly used for accessing
+servers that report filenames in all uppercase only.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ls</tt> <em class="replaceable">[filename]</em></b></dt>
+<dd>
+<p>A synonym for <em class="emphasis">dir</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">mask</tt> <em class="replaceable">[globbing_pattern]</em></b></dt>
+<dd>
+<p>Sets the filename globbing pattern for use with the
+<em class="emphasis">mget</em> and <em class="emphasis">mput</em> commands when
+recursion is turned on. (When recursion is off, the setting has no
+effect.) Both <em class="emphasis">mget</em> and <em class="emphasis">mput</em>
+accept a globbing pattern as arguments; however, those patterns apply
+only to the current directory. This command specifies the pattern
+used for all subdirectories that are recursively traversed. The
+pattern stays in effect until it is changed with another
+<em class="emphasis">mask</em> command. To return the setting to its
+original default, specify a
+<em class="replaceable">globbing_pattern</em> of an asterisk
+(<tt class="literal">*</tt>), which matches all files. See also the
+<em class="emphasis">mget</em>, <em class="emphasis">mput</em>, and
+<em class="emphasis">recurse</em> commands.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">mdir</tt> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>A synonym for the <em class="emphasis">mkdir</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">mget</tt> <em class="replaceable">pattern</em></b></dt>
+<dd>
+<p>When recursion is turned off, copies files matching the file-globbing
+pattern, as specified by the argument, from the current working
+directory on the server to the local system. When recursion is on,
+the <em class="replaceable">pattern</em> argument is used to match
+directories in the current working directory, and the pattern
+specified by the <em class="emphasis">mask</em> command is used for
+matching files within each directory and all subdirectories. See also
+the <em class="emphasis">lowercase</em>, <em class="emphasis">mask</em>, and
+<em class="emphasis">recurse</em> commands.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">print</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Prints the specified file. This requires that
+<em class="emphasis">smbclient</em> be connected to a print share. See
+also the <em class="emphasis">printmode</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printmode</tt> <em class="replaceable">mode</em></b></dt>
+<dd>
+<p>Sets the mode that is used by the <em class="emphasis">print</em> command.
+The mode can be either <tt class="literal">text</tt>, for printing text
+files such as the ASCII files commonly found on Unix, or
+<tt class="literal">graphics</tt>, for printing binary files.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">prompt</tt></b></dt>
+<dd>
+<p>Toggles the prompting mode. When prompting is on (the default), the
+<em class="emphasis">mget</em> and <em class="emphasis">mput</em> commands will
+interactively prompt the user for permission to transfer each file.
+The user can answer either <tt class="literal">y</tt> (yes) or
+<tt class="literal">n</tt> (no), followed by a newline, to this prompt.
+When prompting is off, all the files will be transferred with no
+prompts issued.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">put</tt> <em class="replaceable">local_file [remote_file]</em></b></dt>
+<dd>
+<p>Copies the file specified by <em class="replaceable">local_file</em>
+from the local to the remote system. If no
+<em class="replaceable">remote_file</em> argument is specified,
+<em class="emphasis">smbclient</em> will name the remote file the same as
+it is named on the local system. If
+<em class="replaceable">remote_file</em> is specified, it will be used
+as the name of the remote copy. See also the
+<em class="emphasis">lowercase</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queue</tt></b></dt>
+<dd>
+<p>Prints information on the print queue on the server. This requires
+that <em class="emphasis">smbclient</em> is connected to a print share.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">quit</tt></b></dt>
+<dd>
+<p>A synonym for <em class="emphasis">exit</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rd</tt> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>A synonym for <em class="emphasis">rmdir</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">recurse</tt></b></dt>
+<dd>
+<p>Toggles the recursion mode, which affects the
+<em class="emphasis">mget</em> and <em class="emphasis">mput</em> commands.
+When recursion is off (the default), the <em class="emphasis">mget</em>
+and <em class="emphasis">mput</em> commands will copy only files from the
+current working directory that match the file-globbing pattern
+specified as an argument to the command, and the pattern set by the
+<em class="emphasis">mask</em> command is ignored. When recursion is
+turned on, the <em class="emphasis">mget</em> and
+<em class="emphasis">mput</em> commands recursively traverse any
+directories that match the pattern specified as the argument to the
+command, and the pattern set by the <em class="emphasis">mask</em> command
+is used to match files in those directories.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rm</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>A synonym for <em class="emphasis">del</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rmdir</tt> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Requests that the server remove the specified directory.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">setmode</tt> <em class="replaceable">filename attributes</em></b></dt>
+<dd>
+<p>Requests that the server assign the specified MS-DOS file attributes
+on the specified file. The <em class="replaceable">attributes</em>
+argument has the format of a leading plus sign (<tt class="literal">+</tt>)
+or minus sign (<tt class="literal">-</tt>) either to set or to unset the
+attribute(s), respectively, followed by one or more of the characters
+<tt class="literal">r</tt> (read), <tt class="literal">s</tt> (system),
+<tt class="literal">h</tt> (hidden), or <tt class="literal">a</tt> (archive).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">symlink</tt> <em class="replaceable">link_name filename</em></b></dt>
+<dd>
+<p>Requests that the server create a symbolic link named
+<em class="replaceable">link_name</em> to
+<em class="replaceable">filename</em>. This command works only if the
+server supports Unix CIFS extensions. The server will not create a
+link that refers to a file not in the share to which
+<em class="emphasis">smbclient</em> is connected.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">tar</tt> <em class="replaceable">cmd_str</em></b></dt>
+<dd>
+<p>Performs an archiving operation using the tar format. This is the
+interactive form of the <tt class="literal">-T</tt> command-line operation,
+and the <em class="replaceable">cmd_str</em> argument is specified in
+the same manner. See also the <em class="emphasis">tarmode</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">blocksize</tt> <em class="replaceable">size</em></b></dt>
+<dd>
+<p>Sets the block size, in units of 512 bytes, for files written by the
+<em class="emphasis">tar</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">tarmode</tt> <em class="replaceable">mode ...</em></b></dt>
+<dd>
+<p>Specifies how the <em class="emphasis">tar</em> command performs its
+archiving, including how it handles the archive attribute on files.
+Multiple <em class="replaceable">mode</em> arguments can be provided,
+chosen from the following:</p>
+
+<dl>
+<dt><b><tt class="literal">full</tt></b></dt>
+<dd>
+<p>All files will be included, regardless of whether their
+<tt class="literal">archive</tt> attribute is set. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">inc</tt></b></dt>
+<dd>
+<p>Only files that have the <tt class="literal">archive</tt> attribute set
+will be included in the backup.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">reset</tt></b></dt>
+<dd>
+<p>The <tt class="literal">archive</tt> attribute will be unset by
+<em class="emphasis">tar</em> after the file is included in the archive.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">noreset</tt></b></dt>
+<dd>
+<p>The <tt class="literal">archive</tt> attribute will be left unchanged. This
+is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">system</tt></b></dt>
+<dd>
+<p>Files with the <tt class="literal">system</tt> attribute set will be
+included in the archive. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">nosystem</tt></b></dt>
+<dd>
+<p>Files with the <tt class="literal">system</tt> attribute set will not be
+included in the archive.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">hidden</tt></b></dt>
+<dd>
+<p>Files with the <tt class="literal">hidden</tt> attribute set will be
+included in the archive. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">nohidden</tt></b></dt>
+<dd>
+<p>Files with the <tt class="literal">hidden</tt> attribute set will not be
+included in the archive.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">verbose</tt></b></dt>
+<dd>
+<p>As files are included in the archive (when creating the archive) or
+are read from the archive (when extracting it), the name of each file
+will be printed. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">noverbose</tt></b></dt>
+<dd>
+<p>This turns verbose mode off, causing <em class="emphasis">tar</em> to
+perform its work quietly.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">quiet</tt></b></dt>
+<dd>
+<p>An antonym for the <tt class="literal">verbose</tt> mode. When quiet is on,
+verbose is off, and vice versa.<a name="INDEX-18"/></p>
+</dd>
+
+</dl>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-19"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbcontrol</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbcontrol</em> command sends control messages to
+running <em class="emphasis">smbd</em> or <em class="emphasis">nmbd</em>
+processes.</p>
+<div class="sect1"><a name="appc-49-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbcontrol -i<em class="replaceable"> [options]</em></pre></blockquote>
+<p>or:</p>
+
+<blockquote><pre class="code">smbcontrol <em class="replaceable">[options] process message-type [parameters]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-50-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Runs <em class="emphasis">smbcontrol</em> interactively, executing
+commands until a blank line or &quot;q&quot;
+is read. The user must have superuser privileges.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debuglevel</em></b></dt>
+<dd>
+<p>Sets the debugging level for logging. The debug level can be set from
+to 10.</p>
+</dd>
+
+</dl>
+
+
+<p>Whether <em class="emphasis">smbcontrol</em> commands are issued in
+interactive mode or from the command line, the commands are in the
+same format. Each command has up to three parts:</p>
+
+<dl>
+<dt><b><em class="replaceable">process</em></b></dt>
+<dd>
+<p>Specifies the process or group of processes to which to send the
+message. If <em class="replaceable">process</em> is
+<tt class="literal">smbd</tt>, all <em class="emphasis">smbd</em> processes will
+receive the message. If <em class="replaceable">process</em> is
+<tt class="literal">nmbd</tt>, only the main <em class="emphasis">nmbd</em>
+process (identified by Samba's
+<em class="filename">nmbd.pid</em> file) receives the message. If
+<em class="replaceable">process</em> is the numeric PID of a running
+process on the system, that process will receive the message.</p>
+</dd>
+
+
+
+<dt><b><em class="replaceable">message-type</em></b></dt>
+<dd>
+<p>Specifies the type of message that is sent. For more information, see
+<a href="appc.html#appc-51-fm2xml">smbcontrol message
+types</a> that follows.</p>
+</dd>
+
+
+
+<dt><b><em class="replaceable">parameters</em></b></dt>
+<dd>
+<p>Specifies additional parameters required by some messages.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-51-fm2xml"/>
+
+<h4 class="refsect1">smbcontrol message types</h4>
+
+<dl>
+<dt><b><tt class="literal">close-share</tt> <em class="replaceable">share_name</em></b></dt>
+<dd>
+<p>Closes the connection to a share or shares. If
+<em class="replaceable">share_name</em> is specified as an asterisk
+(<tt class="literal">*</tt>), connections to all shares will be closed. To
+close a single connection, <em class="replaceable">share_name</em> is
+given as the name of a share, as specified in the Samba configuration
+file, not including the enclosing brackets. Warning: no message is
+printed if there is an error in specifying
+<em class="replaceable">share_name</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">debug</tt> <em class="replaceable">num</em></b></dt>
+<dd>
+<p>Sets the debugging level. The <em class="replaceable">num</em>
+parameter specifies the level, which can be from 0 to 10.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">debuglevel</tt></b></dt>
+<dd>
+<p>Prints the current debugging level.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">force-election</tt></b></dt>
+<dd>
+<p>Can be used only with <em class="emphasis">nmbd</em>, telling it to force
+a master browser election.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ping</tt> <em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sends <em class="emphasis">number</em> of pings and reports when they
+receive a reply or timeout. Used for connectivity testing.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">profile</tt> <em class="replaceable">mode</em></b></dt>
+<dd>
+<p>Controls profiling statistics collection. If
+<em class="replaceable">mode</em> is <tt class="literal">on</tt>, profile
+statistics will be collected. If <em class="replaceable">mode</em> is
+<tt class="literal">off</tt>, collection of statistics is turned off. If
+<em class="replaceable">mode</em> is specified as
+<tt class="literal">count</tt>, only counting statistics are collected (and
+not timing statistics). If <em class="replaceable">mode</em> is
+<tt class="literal">flush</tt>, the data set is cleared (initialized).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">profilelevel</tt></b></dt>
+<dd>
+<p>Prints the current profiling level.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printer-notify</tt> <em class="replaceable">printer_name</em></b></dt>
+<dd>
+<p>Sends a printer notify message to Windows NT/2000/XP for the
+specified printer. This message can be sent only to
+<em class="emphasis">smbd</em>. Warning: no message is printed if the
+<em class="replaceable">printer_name</em> parameter is specified
+incorrectly.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-20"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbgroupedit</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This command, new to Samba 3.0, sets up mappings between Unix groups
+and Windows NT/2000/XP groups and also allows a Unix group to become
+a domain group. This command must be run by the superuser.</p>
+<div class="sect1"><a name="appc-53-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbgroupedit <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-54-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt> <em class="replaceable">Unix_group_name</em></b></dt>
+<dd>
+<p>Adds a mapping for the specified Unix group. The
+<tt class="literal">-n</tt> option is used along with this option to
+specify the Windows NT group to which the Unix group is mapped.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-c</tt> <em class="replaceable">SID</em></b></dt>
+<dd>
+<p>Changes a mapping between a Windows NT group and a Unix group. The
+Windows NT group is specified as a SID with this option, and the Unix
+group is specified with the <tt class="literal">-u</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">description</em></b></dt>
+<dd>
+<p>Specifies a comment for the mapping, which will be stored along with
+it.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt></b></dt>
+<dd>
+<p>When used with the <tt class="literal">-v</tt> option, prints a long
+listing. This is the default. The information printed includes the
+name of the Windows NT group, its SID, its corresponding Unix group
+(if a mapping has been defined), the group type, the comment, and the
+privileges of the group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">Windows_group_name</em></b></dt>
+<dd>
+<p>Specifies the name of the Windows NT group. Used with the
+<tt class="literal">-a</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">privilege</em></b></dt>
+<dd>
+<p>Used along with the <tt class="literal">-a</tt> option to specify a Windows
+NT privilege to be given to the Unix group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt></b></dt>
+<dd>
+<p>When used with the <tt class="literal">-v</tt> option, prints a short
+listing. The information printed includes just the name of the
+Windows NT group, its SID, and, if a mapping has been defined, its
+corresponding Unix group. This option is useful for determining the
+SID of a group, for use with the <tt class="literal">-c</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-t</tt> <em class="replaceable">TYPE</em></b></dt>
+<dd>
+<p>Assigns a Windows group type to the group.
+<em class="replaceable">TYPE</em> is a single character, and is one of
+<tt class="literal">b</tt> (built-in), <tt class="literal">d</tt> (domain), or
+<tt class="literal">l</tt> (local).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">Unix_group_name</em></b></dt>
+<dd>
+<p>Specifies the name of the Unix group to map to the Windows NT group.
+Used with the <tt class="literal">-c</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Prints a list of groups in the Windows NT domain in which the Samba
+server is operating. See also the <tt class="literal">-l</tt> and
+<tt class="literal">-s</tt> options.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-x</tt> <em class="replaceable">Unix_group_name</em></b></dt>
+<dd>
+<p>Deletes the mapping for the Unix group specified.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-21"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbmnt</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This is a low-level helper program for mounting smbfs filesystems. It
+used by <em class="emphasis">smbmount</em> to do the privileged part of
+the mount operation on behalf of an ordinary user. Generally, users
+should not run this command directly.</p>
+<div class="sect1"><a name="appc-56-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbmnt mnt_point <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-57-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-r</tt></b></dt>
+<dd>
+<p>Mounts the filesystem as read-only.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">uid</em> </b></dt>
+<dd>
+<p>Specifies the UID to use for the owner of the files.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-g</tt> <em class="replaceable">gid</em></b></dt>
+<dd>
+<p>Specifies the GID to use for the group of the files.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-f</tt> <em class="replaceable">mask</em></b></dt>
+<dd>
+<p>Specifies the octal file mask.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">mask</em></b></dt>
+<dd>
+<p>Specifies the octal directory mask.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-o</tt> <em class="replaceable">options</em></b></dt>
+<dd>
+<p>Specifies the list of options that are passed to the smbfs module.</p>
+</dd>
+
+</dl>
+
+
+<p>To allow users to mount SMB shares without help from an
+administrator, set the &quot;set user
+ID&quot; permission on the <em class="emphasis">smbmnt</em>
+executable. However, note that this can raise security issues.</p>
+
+</div>
+</div>
+
+<a name="INDEX-22"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbmount</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program mounts an smbfs filesystem on a mount point in the Unix
+filesystem. It is typically called as <em class="emphasis">mount.smb</em>
+from <em class="emphasis">mount</em>, although it can also be run directly
+by users. After mounting the smbfs filesystem,
+<em class="emphasis">smbmount</em> continues to run as a daemon as long as
+the filesystem is mounted. It logs events in the file
+<em class="filename">log.smbmount</em> in the same directory as the other
+Samba log files (which is commonly
+<em class="filename">/usr/local/samba/var</em> by default). The logging
+level is controlled by the <tt class="literal">debug level</tt> parameter
+in the Samba configuration file.</p>
+<div class="sect1"><a name="appc-59-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbmount <em class="replaceable">service mount_point [-o options]</em></pre></blockquote>
+<p>The service argument specifies the SMB share to mount, given as a
+UNC. The <em class="replaceable">mount_point</em> argument specifies a
+directory to use as the mount point. The options to
+<em class="emphasis">smbmount</em> are specified as a comma-separated list
+of
+<em class="replaceable">key</em><tt class="literal">=</tt><em class="replaceable">value</em>
+pairs. The documented options are as follows. Others can be passed if
+the kernel supports them.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-60-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">username=</tt><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Specifies the username to connect as. If this is not provided, the
+environment variable USER will be tried. The name can be specified as
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>,
+<em class="replaceable">user</em><tt class="literal">/</tt><em class="replaceable">workgroup</em>,
+or
+<em class="replaceable">user</em><tt class="literal">/</tt><em class="replaceable">workgroup</em><tt class="literal">%</tt><em class="replaceable">password</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">password=</tt><em class="replaceable">string</em></b></dt>
+<dd>
+<p>Specifies the SMB password. If no password is provided using this
+option, the <em class="emphasis">username</em> option, or the
+<em class="emphasis">credentials</em> option, the environment variable
+PASSWD is used. If that also does not exist,
+<em class="emphasis">smbmount</em> will prompt interactively for a
+password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">credentials=</tt><em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies a file that contains a username and password in the
+following format:</p>
+
+
+<blockquote><pre class="code">username = <em class="replaceable">value</em>
+password = <em class="replaceable">value</em></pre></blockquote>
+</dd>
+
+
+<dt><b><tt class="literal">uid=</tt><em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sets the Unix user ID to be used as the owner of all files in the
+mounted filesystem. It can be specified as a username or numeric UID.
+Defaults to the UID of the user running
+<em class="emphasis">smbmount</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">gid=</tt><em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sets the Unix group ID to be used as the group for all files in the
+mounted filesystem. It can be specified as a group name or a numeric
+GID. Defaults to the GID of the user running
+<em class="emphasis">smbmount</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">port=</tt><em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sets the TCP port number. This is 139, which is required by most
+Windows versions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">fmask=</tt><em class="replaceable">octal_mask</em> </b></dt>
+<dd>
+<p>Sets the Unix permissions of all files in the mounted filesystem.
+Defaults to the user's current umask.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">dmask=</tt><em class="replaceable">octal_mask</em></b></dt>
+<dd>
+<p>Sets the Unix permissions of all directories in the mounted
+filesystem. Defaults to the current umask.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">debug=</tt><em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sets the debugging level.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ip=</tt><em class="replaceable">host</em></b></dt>
+<dd>
+<p>Sets the destination hostname or IP address.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">netbiosname=</tt><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Sets the computer name to connect as. This defaults to the hostname
+of the local system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">workgroup=</tt><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Sets the workgroup or domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">sockopt=</tt><em class="replaceable">opts</em></b></dt>
+<dd>
+<p>Sets TCP socket options.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">scope=</tt><em class="replaceable">num</em></b></dt>
+<dd>
+<p>Sets the NetBIOS scope.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">guest</tt></b></dt>
+<dd>
+<p>Don't expect or prompt for a password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ro</tt></b></dt>
+<dd>
+<p>Mounts the share read-only.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rw</tt></b></dt>
+<dd>
+<p>Mounts the share read-write.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">iocharset=</tt><em class="replaceable">charset</em></b></dt>
+<dd>
+<p>Sets the charset used by the Linux machine for codepage-to-charset
+translation. See also the <em class="emphasis">codepage</em> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">codepage=</tt><em class="replaceable">page</em></b></dt>
+<dd>
+<p>Sets the DOS code page. See also the <em class="emphasis">iocharset</em>
+option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ttl=</tt><em class="replaceable">milliseconds</em></b></dt>
+<dd>
+<p>Sets the time to live, in milliseconds, for entries in the directory
+cache. A higher value gives better performance on large directories
+and/or slower connections. The default is 1000ms. Try 10000ms (10
+seconds) as a starting value if directory operations are visibly
+slow.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-23"/><a name="INDEX-24"/><a name="INDEX-25"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbpasswd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbpasswd</em> program provides the general
+function of managing <a name="INDEX-24"/><a name="INDEX-25"/>encrypted
+passwords. How it works depends on whether it is run by the superuser
+or an ordinary user.</p><p>For the superuser, <em class="emphasis">smbpasswd</em> can be used to
+maintain Samba's <em class="filename">smbpasswd</em>
+file. It can add or delete users, change their passwords, and modify
+other attributes pertaining to the user that are held in the
+<em class="filename">smbpasswd</em> file.</p><p>When run by ordinary users, <em class="emphasis">smbpasswd</em> can be
+used only to change their encrypted passwords. In this mode of
+operation, <em class="emphasis">smbpasswd</em> acts as a client to the
+<em class="emphasis">smbd</em> daemon. The program will fail if
+<em class="emphasis">smbd</em> is not operating, if the <tt class="literal">hosts
+allow</tt> or <tt class="literal">hosts deny</tt> parameters in the
+Samba configuration file do not permit connections from localhost (IP
+address 127.0.0.1), or if the <tt class="literal">encrypted passwords</tt>
+option is set to <tt class="literal">no</tt>. It is also possible for
+<em class="emphasis">smbpasswd</em> to change a user's
+password when it is maintained on a remote system, including a
+Windows NT domain controller.</p>
+<div class="sect1"><a name="appc-62-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+<p>When run by the superuser:</p>
+
+<blockquote><pre class="code">smbpasswd <em class="replaceable">[options] [username] [password]</em></pre></blockquote>
+<p>In this case, the username of the user whose
+<em class="emphasis">smbpasswd</em> entry is to be modified is provided as
+the second argument.</p>
+
+<p>Otherwise:</p>
+
+<blockquote><pre class="code">smbpasswd <em class="replaceable">[options] [password]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-63-fm2xml"/>
+
+<h4 class="refsect1">Superuser-only options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Adds a user to the encrypted password file. The user must already
+exist in the system password file (<em class="filename">/etc/passwd</em>
+). If the user already exists in the <em class="filename">smbpasswd</em>
+file, the <tt class="literal">-a</tt> option changes the existing password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Disables a user in the encrypted password file. The
+user's entry in the file will remain, but will be
+marked with a flag disabling the user from authenticating.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-e</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Enables a disabled user in the encrypted password file. This
+overrides the effect of the <tt class="literal">-d</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-j</tt> <em class="replaceable">domain</em></b></dt>
+<dd>
+<p>Joins the Samba server to a Windows NT domain as a domain member
+server. The <em class="replaceable">domain</em> argument is the NetBIOS
+name of the Windows NT domain that is being joined. See also the
+<tt class="literal">-r</tt> and <tt class="literal">-U</tt> options.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-m</tt></b></dt>
+<dd>
+<p>Indicates that the account is a computer account in a Windows NT
+domain rather than a domain user account.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt></b></dt>
+<dd>
+<p>Sets the user's password to a null password. For the
+user to authenticate, the parameter <tt class="literal">null</tt>
+<tt class="literal">passwords</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> must exist in the <tt class="literal">[global]</tt>
+section of the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-R</tt> <em class="replaceable">resolve_order_list</em></b></dt>
+<dd>
+<p>Sets the resolve order of the name servers. This option is similar to
+the <tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
+option and can take any of the four parameters
+<tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
+If more than one is specified, the argument is specified as a
+space-separated list.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-w</tt> <em class="replaceable">password</em></b></dt>
+<dd>
+<p>For use when Samba has been compiled with the
+<tt class="literal">--with-ldapsam</tt> configure option. Specifies the
+password that goes with the value of the <tt class="literal">ldap admin
+dn</tt> Samba configuration file parameter.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-x</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Deletes the user from the <em class="filename">smbpasswd</em> file. This
+is a one-way operation, and all information associated with the entry
+is lost. To disable the account without deleting the
+user's entry in the file, see the
+<tt class="literal">-d</tt> option.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-64-fm2xml"/>
+
+<h4 class="refsect1">Other options</h4>
+
+<dl>
+<dt><b><tt class="literal">-c</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the Samba configuration file, overriding the compiled-in
+default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (also called logging) level. The level can range from
+to 10. Debug level 0 logs only the most important messages; level 1
+is normal; levels 3 and above are primarily for debugging and slow
+the program considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints command-line usage information.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-L</tt></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbpasswd</em> to run in local mode, in which
+ordinary users are allowed to use the superuser-only options. This
+requires that the <em class="filename">smbpasswd</em> file be made
+readable and writable by the user. This is for testing purposes.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-r</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Specifies on which machine the password should change. If changing a
+Windows NT domain password, the remote system specified by
+<em class="replaceable">NetBIOS_name</em> must be the PDC for the
+domain. The user's username on the local system is
+used by default. See also the <tt class="literal">-U</tt> option for use
+when the user's Samba username is different from the
+local username.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-R</tt> <em class="replaceable">resolve_order</em></b></dt>
+<dd>
+<p>Sets the resolve order of the name servers. This option is similar to
+the resolve order configuration option and can take any of the four
+parameters <tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
+If more than one is specified, the argument is specified as a
+space-separated list.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbpasswd</em> not to prompt for passwords
+from <em class="filename">/dev/tty</em>, but instead to read the old and
+new passwords from the standard input. This is useful when calling
+<em class="emphasis">smbpasswd</em> from a script.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt></b></dt>
+<dd>
+<p>Queries the domain controller of the domain, as specified by the
+<tt class="literal">workgroup</tt> parameter in the Samba configuration
+file, and retrieves the domain's SID. This will then
+be used as the SID for the local system. A specific PDC can be
+selected by combining this option with the <tt class="literal">-r</tt>
+option, and its domain's SID will be used. This
+option is for migrating domain accounts from a Windows NT primary
+domain controller to a Samba PDC.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
+<dd>
+<p>Changes the password for <em class="replaceable">username</em> on the
+remote system. This is to handle instances in which the remote
+username and local username are different. This option requires that
+<tt class="literal">-r</tt> also be used. Often used with
+<tt class="literal">-j</tt> to provide the username of the administrative
+user on the primary domain controller for adding computer accounts.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-26"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbsh</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbsh</em> program allows SMB shares to be
+accessed from a Unix system. When <em class="emphasis">smbsh</em> is run,
+an extra directory tree called <em class="filename">/smb </em>becomes
+available to dynamically linked shell commands. The first level of
+directories under <em class="filename">/smb</em> represent available
+workgroups, the next level of subdirectories represent the SMB
+servers in each workgroup, and the third level of subdirectories
+represent the disk and printer shares of each server.</p><p>Samba must be compiled with the <tt class="literal">--with-smbwrappers</tt>
+option to enable <em class="emphasis">smbsh</em>.</p>
+<div class="sect1"><a name="appc-66-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><em class="emphasis">-d</em> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0, the default, to 10. Debug level 0 logs only the most
+important messages; level 1 is normal; levels 3 and above are
+primarily for debugging and slow <em class="emphasis">smbsh</em>
+considerably.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-l</em> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Sets the name of the logging file. By default, messages are sent to
+<em class="emphasis">stderr</em>.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-L</em> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the location of
+<em class="emphasis">smbsh</em>'s shared libraries,
+overriding the compiled-in default.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-P</em> <em class="replaceable">prefix</em></b></dt>
+<dd>
+<p>Sets the name of the <tt class="literal">root</tt> directory to use for the
+SMB filesystem. The default is <em class="filename">/smb</em>.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-R</em> <em class="replaceable">resolve_order</em></b></dt>
+<dd>
+<p>Sets the resolve order of the name servers. This option is similar to
+the <tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
+option and can take any of the four parameters
+<tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
+If more than one is specified, the argument is specified as a
+space-separated list.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-U</em> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Provides the username, and optionally the password, for
+authenticating the connection to the SMB server. The password can be
+supplied using the
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>
+format. If either or both the username and password are not provided,
+<em class="emphasis">smbsh</em> will prompt interactively for them.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-W</em> <em class="replaceable">workgroup</em></b></dt>
+<dd>
+<p>Specifies the NetBIOS workgroup or domain to which the client will
+connect. This overrides the workgroup parameter in the Samba
+configuration file and is sometimes necessary to connect to some
+servers.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-27"/><a name="INDEX-28"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbspool</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbspool</em> program provides a
+<a name="INDEX-28"/>CUPS-compatible
+interface to Samba printing by providing a way to send a print job to
+an SMB printer using the command-line format specified by CUPS
+printers. Although <em class="emphasis">smbspool</em> is designed to work
+best with CUPS printers, it can be used to send print jobs to
+non-CUPS Samba printers as well.</p>
+<div class="sect1"><a name="appc-68-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbspool <em class="replaceable">job user title copies options filename</em></pre></blockquote>
+<p>The arguments for <em class="emphasis">smbspool</em>, as shown here, are
+those used in the CUPS printing system. However, some of the
+arguments are currently ignored because they don't
+correspond to the Samba printing system. These arguments must be
+supplied in the command and can be filled in with
+&quot;dummy&quot; values.</p>
+
+<p>The <em class="replaceable">job</em> argument refers to the job number
+and is currently ignored. The <em class="replaceable">user</em>
+argument is the name of the user who submitted the print job and is
+also ignored. The <em class="replaceable">title</em> argument is the
+name of the print job and must be supplied. It is used as the name of
+the remote print file. The <em class="replaceable">copies</em> argument
+is the number of copies that will be printed. This number is used
+only if the (optional) <em class="filename">filename</em> argument is
+supplied. Otherwise, only one copy is printed. The
+<em class="replaceable">options</em> argument, for specifying printing
+options, is ignored. The <em class="replaceable">filename</em> argument
+is used for specifying the name of the file to be printed. If it is
+not provided, the standard input will be used.</p>
+
+<p>The printer that the job is to be sent to is specified in the
+DEVICE_URI environment variable. The format for the printer name is a
+device Universal Resource Indicator, which can be in any of the
+following formats:</p>
+
+<blockquote class="simplelist">
+
+<p><em class="emphasis">smb://server/printer</em></p>
+
+
+
+
+<p><em class="emphasis">smb://workgroup/server/printer</em></p>
+
+
+
+
+<p><em class="emphasis">smb://username:password@server/printer</em></p>
+
+
+
+
+<p><em class="emphasis">smb://username:password@workgroup/server/printer</em></p>
+
+</blockquote>
+
+
+</div>
+</div>
+
+<a name="INDEX-29"/><a name="INDEX-30"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbstatus</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program lists the current connections on a Samba server.</p>
+<div class="sect1"><a name="appc-70-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-b</tt></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbstatus</em> to produce brief output. This
+includes the version of Samba and auditing information about the
+users that are connected to the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt></b></dt>
+<dd>
+<p>Gives verbose output, which includes a list of services, a list of
+locked files, and memory usage statistics. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-L</tt></b></dt>
+<dd>
+<p>Prints only the list of current file locks.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt></b></dt>
+<dd>
+<p>Prints only a list of <em class="emphasis">smbd</em> process IDs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-P</tt></b></dt>
+<dd>
+<p>Prints only the contents of the profiling memory area. Requires that
+Samba has been compiled with the profiling option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt></b></dt>
+<dd>
+<p>Prints only a list of shares and their connections.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the Samba configuration file to use when processing this
+command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Limits the report to the activity of a single user.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-31"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbtar</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbtar</em> program is a shell-script wrapper
+around <em class="emphasis">smbclient</em> for doing tar-format archiving
+operations. It is functionally very similar to the Unix
+<em class="emphasis">tar</em> program.</p>
+<div class="sect1"><a name="appc-72-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbtar <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-73-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt></b></dt>
+<dd>
+<p>Resets (clears) the archive attribute on files after they are backed
+up. The default is to leave the archive attribute unchanged.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-b</tt> <em class="replaceable">blocksize</em></b></dt>
+<dd>
+<p>Sets block size, in units of 512 bytes, for reading or writing the
+archive file. Defaults to 20, which results in a block size of 10240
+bytes.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Changes the working directory on the remote system to
+<em class="replaceable">directory</em> before starting the restore or
+backup operation.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Specifies incremental mode; files are backed up only if they have the
+DOS archive attribute set. The archive attribute is reset (cleared)
+after each file is read.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_level</em></b></dt>
+<dd>
+<p>Sets the logging level. This corresponds to the <tt class="literal">-d</tt>
+option of <em class="emphasis">smbclient</em> and other Samba programs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-N</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Backs up only files newer than <em class="filename">filename</em>. For
+incremental backups.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">password</em></b></dt>
+<dd>
+<p>Specifies the password to use to access a share. An alternative to
+using the
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>
+format with the <tt class="literal">-u</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-r</tt></b></dt>
+<dd>
+<p>Restores files to the share from the tar file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">server</em></b></dt>
+<dd>
+<p>Specifies the SMB server. See also the <tt class="literal">-x</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-t</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the file or Unix device to use as the archiving medium. The
+default is <em class="filename">tar.out</em> or the value of the TAPE
+environment variable, if it has been set.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Specifies the user account to use when connecting to the share. You
+can specify the password as well, in the format
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>.
+The username defaults to the user's Unix username.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Operates in verbose mode, printing error messages and additional
+information that can be used in debugging and monitoring. Backup and
+restore operations will list each file as it is processed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-x</tt> <em class="replaceable">share</em></b></dt>
+<dd>
+<p>States the name of the share on the server to which to connect. The
+default is <tt class="literal">backup</tt>. See also the
+<tt class="literal">-s</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-X</tt> <em class="replaceable">file_list</em></b></dt>
+<dd>
+<p>Tells <em class="emphasis">smbtar</em> to exclude the specified files from
+the backup or restore operation.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-32"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbumount</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbumount</em> command exists to allow an
+ordinary (nonsuperuser) user to unmount a smbfs filesystem, which the
+user had previously mounted using <em class="emphasis">smbmount</em>.</p>
+<div class="sect1"><a name="appc-75-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbumount <em class="replaceable">mount_point</em></pre></blockquote>
+<p>For ordinary users to issue the command,
+<em class="emphasis">smbumount</em> must be made suid
+<tt class="literal">root</tt>.</p>
+
+</div>
+</div>
+
+<a name="INDEX-33"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>testparm</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">testparm</em> program checks a Samba
+configuration file for obvious errors.</p>
+<div class="sect1"><a name="appc-77-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">testparm <em class="replaceable">[options] [filename] [hostname IP_addr]</em></pre></blockquote>
+<p>If the configuration file is not provided using the
+<em class="filename">filename</em> argument, then it defaults to
+<em class="filename">/usr/local/samba/lib/smb.conf</em>. If the hostname
+and an IP address of a system are included, an extra check is made to
+ensure that the system is allowed to connect to each service defined
+in the configuration file. This is done by comparing the hostname and
+IP address to the definitions of the <tt class="literal">hosts allow</tt>
+and <tt class="literal">hosts deny</tt> parameters.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-78-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints usage information for the program.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-L</tt> <em class="replaceable">server_name</em></b></dt>
+<dd>
+<p>Sets the <tt class="literal">%L</tt> configuration variable to the
+specified server name.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt></b></dt>
+<dd>
+<p>Disables the default behavior of prompting for the Enter key to be
+pressed before printing the list of configuration options for the
+server.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-34"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>testprns</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This is a very simple program that checks to see if a specified
+printer name exists in the system printer capabilities (printcap)
+file.</p>
+<div class="sect1"><a name="appc-80-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">testprns <em class="replaceable">printername [printcapname]</em></pre></blockquote>
+<p>If <em class="replaceable">printcapname</em> isn't
+specified, Samba attempts to use the one specified in the Samba
+configuration file with the <tt class="literal">printcap name</tt>
+parameter. If none is specified there, Samba will try
+<em class="filename">/etc/printcap</em>.</p>
+
+</div>
+</div>
+
+<a name="INDEX-35"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wbinfo</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program retrieves and prints information from the
+<em class="emphasis">winbindd</em> daemon, which must be running for
+<em class="emphasis">wbinfo</em> to function.</p>
+<div class="sect1"><a name="appc-82-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">wbinfo <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-83-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-u</tt> </b></dt>
+<dd>
+<p>Prints all usernames that have been mapped from the Windows NT domain
+to Unix users. Users in all trusted domains are also listed.</p>
+</dd>
+
+
+
+<dt><b> <tt class="literal">-</tt><em class="emphasis">g</em> </b></dt>
+<dd>
+<p>Prints all group names that have been mapped from the Windows NT
+domain to Unix groups. Groups in all trusted domains are also
+reported.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Queries the WINS server and prints the IP address of the specified
+system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">name</em> </b></dt>
+<dd>
+<p>Prints the SID corresponding to the name specified. The argument can
+be specified as <em class="replaceable">DOMAIN/name</em> (or by using a
+character other than the slash, as defined by the winbind separator
+character) to specify both the domain and the name. If the domain and
+separator are omitted, the value of the <tt class="literal">workgroup</tt>
+parameter in the Samba configuration file is used as the name of the
+domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">SID</em> </b></dt>
+<dd>
+<p>Prints the name mapped to a SID, which is specified in the format
+<tt class="literal">S-1-</tt><em class="replaceable">N-N-D-D-D-R</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">UID</em></b></dt>
+<dd>
+<p>Prints the SID mapped to a Unix UID, if one exists in the current
+domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-G</tt> <em class="replaceable">gid</em></b></dt>
+<dd>
+<p>Prints the SID mapped to a Unix group ID, if one exists in the
+current domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt> <em class="replaceable">SID</em></b></dt>
+<dd>
+<p>Prints the Unix UID that winbind has mapped to the specified SID, if
+one exists.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-Y</tt> <em class="replaceable">SID</em></b></dt>
+<dd>
+<p>Prints the Unix group ID that winbind has mapped to the specified
+SID, if one exists.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-t</tt></b></dt>
+<dd>
+<p>Tests to see that the workstation trust account for the Samba server
+is valid.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-m</tt> </b></dt>
+<dd>
+<p>Prints a list of Windows NT domains trusted by the Windows server.
+This does not include the PDC's domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-r</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Prints the list of Unix group IDs to which the user belongs. This
+works only if the user's account is maintained on a
+domain controller.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-a</tt> <em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em></b></dt>
+<dd>
+<p>Checks to see if a user can authenticate through
+<em class="emphasis">winbindd</em> using the specified username and
+password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-A</tt> <em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em></b></dt>
+<dd>
+<p>Saves the username and password used by <em class="emphasis">winbindd</em>
+to the domain controller. For use when operating in a Windows 2000
+domain.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+
+</body></html>
diff --git a/docs/htmldocs/using_samba/appd.html b/docs/htmldocs/using_samba/appd.html
new file mode 100644
index 0000000000..0e2a8822f8
--- /dev/null
+++ b/docs/htmldocs/using_samba/appd.html
@@ -0,0 +1,82 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix D. Downloading Samba with CVS</h1>
+
+
+<p>In <a href="ch02.html">Chapter 2</a> we showed you how to download the
+latest stable version of Samba published by the Samba developers. For
+most purposes (including virtually all production servers) this
+procedure will meet your needs. However, sometimes you might want to
+run a version of Samba that includes the latest bug fixes and
+features, maybe for research and testing purposes, or just to see
+what the Samba developers have been up to lately.</p>
+
+<p>The Samba team keeps the latest updates of the Samba source code in a
+<a name="INDEX-1"/><a name="INDEX-2"/>Concurrent Versions System
+(CVS) repository. CVS is a freely available
+<a name="INDEX-3"/>configuration management tool
+and is distributed under the GNU General Public License. You can
+download the latest copy from <a href="http://www.cvshome.org/">http://www.cvshome.org/</a>. The Samba team
+describes various ways to access its CVS repository at <a href="http://www.samba.org/samba/cvs.html">http://www.samba.org/samba/cvs.html</a>.</p>
+
+<a name="samba2-APP-D-NOTE-162"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Although the CVS code contains the latest features, it also contains
+the latest bugs and sometimes won't even compile
+properly! If you prefer a less &quot;bleeding
+edge&quot; release, try looking in the
+<em class="filename">alpha</em> and <em class="filename">pre</em> directories
+on the Samba FTP server. The <em class="filename">alpha</em> directory
+contains alpha releases, and the <em class="emphasis">pre</em> directory
+contains (usually more stable) prerelease versions. (See <a href="ch02.html">Chapter 2</a> for information on downloading via FTP.) Alpha
+releases might be a little behind the latest CVS code, but are less
+buggy and usually compile properly on the more common Unix versions.</p>
+</blockquote>
+
+<p>One of the nicest things about CVS is its ability to handle remote
+logins. This means that people across the globe on the Internet can
+download and update various source files for any project that uses a
+CVS repository. Such is the case with Samba. Once you have CVS
+installed on your system, you must first log in to the Samba source
+server with the following command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login</b></tt></pre></blockquote>
+
+<p>When you are prompted for a password, enter <tt class="literal">cvs</tt>.
+You are connected to the CVS server at
+<tt class="literal">pserver.samba.org</tt>. Once you are connected, you can
+download the latest source tree with the following command:<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a></p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cvs -z5 -d :pserver:pserver@pserver.samba.org:/cvsroot co samba</b></tt></pre></blockquote>
+
+<p>This downloads the entire Samba distribution (file by file) into a
+directory called <em class="filename">samba</em>, created in your current
+directory. The <em class="filename">samba</em> directory has the same
+structure as the Samba source distribution described in <a href="ch02.html">Chapter 2</a>, except that it has additional directories
+named <em class="filename">CVS</em> throughout the source tree. These
+directories are used by CVS to store information about each file in
+the source tree and how to update them. After the download is
+completed, you can follow the instructions in <a href="ch02.html">Chapter 2</a> to configure, compile, and install your new
+Samba release.</p>
+
+<p>The Samba developers typically update the Samba source code one or
+more times per day. Whenever you want to catch up to the latest
+changes, simply <em class="emphasis">cd</em> to the
+<em class="filename">samba</em> directory and run the following command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cvs update -d -P</b></tt></pre></blockquote>
+
+<p>Each time you do this, you will need to reconfigure, recompile, and
+reinstall to update your installation as we showed you in <a href="ch02.html">Chapter 2</a>.</p>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/>
+<p><a href="#FNPTR-1">[1]</a> The <tt class="literal">-z</tt> option causes the transfer to be made
+in GNU gzip compressed format and requires the
+<em class="filename">gzip</em> program to be installed on your system to
+work. If you do not have <em class="filename">gzip</em>, omit the
+<tt class="literal">-z</tt> option.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+
+</body></html>
diff --git a/docs/htmldocs/using_samba/appe.html b/docs/htmldocs/using_samba/appe.html
new file mode 100644
index 0000000000..d3263eb3cb
--- /dev/null
+++ b/docs/htmldocs/using_samba/appe.html
@@ -0,0 +1,826 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix E. Configure Options</h1>
+
+
+<p><a name="INDEX-1"/>As we
+explained in <a href="ch02.html">Chapter 2</a>, the
+<em class="emphasis">configure</em> program is run before the Samba source
+code is compiled to fit the compilation process to the local
+architecture. At this stage, it is possible to specify options to
+customize Samba's behavior further and include or
+exclude features. This is an example of specifying configure options:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure --with-smbmount --with-configdir=/etc/samba --with-manpages-langs=ja</b></tt></pre></blockquote>
+
+<p>This example configures the Samba installation to support mounting
+SMB filesystems, look for the Samba configuration file in
+<em class="filename">/etc/samba</em> (instead of the default location of
+<em class="filename">/usr/local/samba/lib</em>), and install
+Japanese-language manual pages. We have picked these three configure
+options because they illustrate the usage of the three types of
+options that are included up to Samba 3.0. The
+<tt class="literal">--with-smbmount</tt> option is a Boolean option, which
+can take a value of <tt class="literal">yes</tt> or <tt class="literal">no</tt>.
+All the Boolean options are set to <tt class="literal">no</tt> by default,
+and it is only necessary to provide the option to turn it on. If you
+want to be more explicit, you can specify
+<tt class="literal">--with-smbmount=yes</tt>. To turn an option off
+explicitly, you can also specify
+<tt class="literal">--without-</tt><em class="replaceable">feature</em>
+rather than
+<tt class="literal">--with-</tt><em class="replaceable">feature</em><tt class="literal">=no</tt>.</p>
+
+<p>In the case of the other two options we have shown, an argument must
+be supplied after the equals (<tt class="literal">=</tt>) sign. Some of the
+options are used to specify the directories that Samba uses for
+various purposes. Only one option is in the last group, where
+something other than a directory is specified as an option argument.</p>
+
+<p>The supported configure options vary from release to release. For
+example, between Samba 2.2.x and Samba 3.0, many options were
+dropped, and a few were added. To get a list of the configure options
+for your release, use the following command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure --help</b></tt></pre></blockquote>
+
+<p><a href="appe.html#samba2-APP-E-TABLE-1">Table E-1</a> lists Samba's configure
+options.</p>
+
+<a name="samba2-APP-E-TABLE-1"/><h4 class="head4">Table E-1. Configuration options</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Configuration option</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">--with-acl-support</tt></p>
+</td>
+<td>
+<p>Support Windows NT/2000/XP ACLs</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-afs</tt></p>
+</td>
+<td>
+<p>Support the Andrew Filesystem (AFS)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-automount</tt></p>
+</td>
+<td>
+<p>Support the NFS automounter</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-codepagedir=</tt><em class="replaceable">dir</em></p>
+</td>
+<td>
+<p>Location of codepage files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-configdir=</tt><em class="replaceable">dir</em></p>
+</td>
+<td>
+<p>Location of configuration files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-dce-dfs</tt></p>
+</td>
+<td>
+<p>Support DCE/DFS</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-fhs</tt></p>
+</td>
+<td>
+<p>Use FHS-compliant locations of files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-included-popt</tt></p>
+</td>
+<td>
+<p>Use Samba's <em class="emphasis">popt(  )</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-krb4=base-</tt><em class="replaceable">dir</em></p>
+</td>
+<td>
+<p>Support Kerberos 4</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-krb5=base-</tt><em class="replaceable">dir</em></p>
+</td>
+<td>
+<p>Support Kerberos 5 (Microsoft ADS)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-ldapsam</tt></p>
+</td>
+<td>
+<p>Support LDAP SAM</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-libiconv=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Specify <em class="filename">iconv</em> library</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-libsmbclient</tt></p>
+</td>
+<td>
+<p>Build <em class="filename">smbclient</em> library</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-lockdir=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of lock files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-logfilebase=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of log files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-manpages-langs=</tt><em class="replaceable">language</em></p>
+</td>
+<td>
+<p>Specify language for manual pages</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-msdfs</tt></p>
+</td>
+<td>
+<p>Support Microsoft Dfs</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-nisplus-home</tt></p>
+</td>
+<td>
+<p>Support NIS+ home directories</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-nisplussam</tt></p>
+</td>
+<td>
+<p>Support NIS+ SAM</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-pam</tt></p>
+</td>
+<td>
+<p>Support PAM restrictions</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-pam_smbpass</tt></p>
+</td>
+<td>
+<p>Build <em class="filename">pam_smbpass.so</em> PAM module</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-piddir=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of PID files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-privatedir=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of <em class="filename">smbpasswd</em> file</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-profiling-data</tt></p>
+</td>
+<td>
+<p>Support gathering of profiling information</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-quotas</tt></p>
+</td>
+<td>
+<p>Support disk quotas</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-readline=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Specify readline library</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-sendfile-support</tt></p>
+</td>
+<td>
+<p>Support <em class="emphasis">sendfile</em>(  ) system call</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-smbmount</tt></p>
+</td>
+<td>
+<p>Support <em class="emphasis">smbmount</em> and smbfs</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-smbwrapper</tt></p>
+</td>
+<td>
+<p>Build <em class="filename">smbwrapper</em> library for
+<em class="emphasis">smbsh</em> support</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-spinlocks</tt></p>
+</td>
+<td>
+<p>Use spinlocks instead of fcntl locks</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-ssl</tt></p>
+</td>
+<td>
+<p>Support SSL</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-sslinc=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of SSL include files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-ssllib=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of SSL libraries</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-swatdir=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of SWAT files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-syslog</tt></p>
+</td>
+<td>
+<p>Support syslog message logging</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-tdbsam</tt></p>
+</td>
+<td>
+<p>Support TDB database files for SAM</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-utmp</tt></p>
+</td>
+<td>
+<p>Support utmp file accounting</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-winbind</tt></p>
+</td>
+<td>
+<p>Build winbind</p>
+</td>
+</tr>
+
+</table>
+
+<dl>
+<dt><b><tt class="literal">--with-acl-support</tt><a name="INDEX-2"/><a name="INDEX-3"/></b></dt>
+<dd>
+<p>Includes support for Windows NT/2000/XP access control lists
+(<a name="INDEX-4"/>ACLs). For this to work, you need
+to have POSIX ACL support in the host operating system. See <a href="ch08.html">Chapter 8</a> for details.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-afs</tt><a name="INDEX-5"/><a name="INDEX-6"/></b></dt>
+<dd>
+<p>Includes support for the <a name="INDEX-7"/>Andrew
+Filesystem (AFS), for authenticating users who are accessing files
+through AFS.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-automount</tt><a name="INDEX-8"/><a name="INDEX-9"/></b></dt>
+<dd>
+<p>Includes support for the automounter, a feature often used in
+conjunction with NFS, to mount <a name="INDEX-10"/><a name="INDEX-11"/>NFS shares automatically at the
+first attempt to access them. You might wish to enable this feature
+if any of the directories shared by your Samba server are (or
+include) NFS-mounted directories.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-codepagedir</tt><a name="INDEX-12"/><a name="INDEX-13"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which to put codepage files for
+<a name="INDEX-14"/>internationalization
+support. See the
+&quot;Internationalization&quot; section
+earlier in this chapter for more information on this feature. By
+default, this directory is
+<em class="filename">/usr/local/samba/lib/codepages</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-configdir</tt><a name="INDEX-15"/><a name="INDEX-16"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps its configuration file,
+usually called <em class="filename">smb.conf</em>. By default, this is
+<em class="filename">/usr/local/samba/lib</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-dce-dfs</tt><a name="INDEX-17"/><a name="INDEX-18"/></b></dt>
+<dd>
+<p>Includes support for the <a name="INDEX-19"/>Distributed Computing Environment
+Distributed Filesystem (DCE/DFS). This is a distributed filesystem
+included in some Unix variants and is not the same as
+Microsoft's Distributed Filesystem (Dfs).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-fhs</tt><a name="INDEX-20"/><a name="INDEX-21"/></b></dt>
+<dd>
+<p>Adheres to the <a name="INDEX-22"/>Filesystem Hierarchy Standard when
+locating files. For details, see <a href="http://www.pathname.com/fhs">http://www.pathname.com/fhs</a>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-included-popt</tt><a name="INDEX-23"/><a name="INDEX-24"/></b></dt>
+<dd>
+<p>Includes Samba's own support for parsing
+<a name="INDEX-25"/>command-line options, instead of using
+the local system's <em class="emphasis">popt( )</em>
+C-library function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-krb4</tt><a name="INDEX-26"/><a name="INDEX-27"/>=<em class="replaceable">base-dir</em></b></dt>
+<dd>
+<p>Includes support for <a name="INDEX-28"/>Kerberos Version 4.0, specifying the base
+directory of the Kerberos distribution. Kerberos is an authentication
+protocol developed at MIT that uses private-key cryptography to
+provide strong security between nodes. This version is not the same
+as Microsoft's adaptation of Kerberos in Active
+Directory, which is the preferred version for use with Samba. This
+option exists only in versions of Samba earlier than 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-krb5</tt><a name="INDEX-29"/><a name="INDEX-30"/>=<em class="replaceable">base-dir</em></b></dt>
+<dd>
+<p>Includes support for Kerberos Version 5.0, specifying the base
+directory of the Kerberos distribution. This version of Kerberos is
+compatible with the Kerberos authentication in
+Microsoft's Active Directory used in Windows 2000
+and Windows XP.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-ldapsam</tt><a name="INDEX-31"/><a name="INDEX-32"/></b></dt>
+<dd>
+<p>Includes support for using
+<a name="INDEX-33"/>LDAP instead of the
+<em class="filename">smbpasswd</em> file for maintaining
+Samba's equivalent to the Windows NT SAM database.
+This option is necessary to use the parameters
+<tt class="literal">ldap</tt> <tt class="literal">admin</tt>
+<tt class="literal">dn</tt>, <tt class="literal">ldap</tt>
+<tt class="literal">filter</tt>, <tt class="literal">ldap</tt>
+<tt class="literal">port</tt>, <tt class="literal">ldap</tt>
+<tt class="literal">server</tt>, <tt class="literal">ldap</tt>
+<tt class="literal">ssl</tt>, and <tt class="literal">ldap</tt>
+<tt class="literal">suffix</tt> in the Samba configuration file. It is
+necessary to specify <tt class="literal">--with-ldapsam</tt> only in Samba
+versions prior to 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-libiconv</tt><a name="INDEX-34"/><a name="INDEX-35"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies a location for <em class="emphasis">iconv( )</em> support. The
+<a name="INDEX-36"/><em class="emphasis">iconv( )</em> function
+exists in the C library to perform conversion between different
+character sets. This option allows Samba's default
+method of determining the location of the <em class="emphasis">iconv()</em> 
+library to be overridden. Ordinarily, the configuration
+process checks for support in the C library on the system and, if not
+found, uses code included in the Samba source tree. Using
+<tt class="literal">--with-libiconv</tt>, it is possible to specify
+explicitly where the support is located. The include files are
+assumed to be in
+<em class="replaceable">directory</em><em class="filename">/include</em>,
+and library files are assumed to be in
+<em class="replaceable">directory</em><em class="filename">/lib</em>. This
+option is new in Samba 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-libsmbclient</tt><a name="INDEX-37"/><a name="INDEX-38"/></b></dt>
+<dd>
+<p>Allows applications outside the
+<a name="INDEX-39"/>Samba
+suite to access Samba's features. When
+<tt class="literal">--with-libsmbclient</tt> is specified, the library is
+built during the compilation process.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-lockdir</tt><a name="INDEX-40"/><a name="INDEX-41"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps
+<a name="INDEX-42"/>lock
+files. By default this directory is
+<em class="filename">/usr/local/samba/var/locks</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-logfilebase</tt><a name="INDEX-43"/><a name="INDEX-44"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps <a name="INDEX-45"/>log files for the
+<em class="emphasis">smbd</em>, <em class="emphasis">nmbd</em>, and
+<em class="emphasis">winbindd</em> daemons. This defaults to
+<em class="filename">/usr/local/samba/var</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-manpages-langs</tt><a name="INDEX-46"/><a name="INDEX-47"/>=<em class="replaceable">language</em></b></dt>
+<dd>
+<p>Starting with Samba 3.0, <a name="INDEX-48"/><a name="INDEX-49"/>Samba's manual pages
+are available in different languages. The default is
+<tt class="literal">en</tt> for English, and the language can be specified
+as <tt class="literal">ja</tt> for Japanese or <tt class="literal">pl</tt> for
+Polish.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-msdfs</tt><a name="INDEX-50"/><a name="INDEX-51"/></b></dt>
+<dd>
+<p>Includes support for Microsoft Distributed Filesystem
+(<a name="INDEX-52"/>Dfs). See <a href="ch08.html">Chapter 8</a> for
+more information on this feature. Specifying this option is necessary
+only in Samba versions prior to 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-nisplus-home</tt><a name="INDEX-53"/><a name="INDEX-54"/></b></dt>
+<dd>
+<p>Includes support for locating the
+<a name="INDEX-55"/>NIS+ server that is
+serving a particular user's home directory and
+telling the client to connect to it. Use
+<tt class="literal">--with-automount</tt> along with this option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-nisplussam</tt><a name="INDEX-56"/><a name="INDEX-57"/></b></dt>
+<dd>
+<p>Includes support for integrating
+<a name="INDEX-58"/>NIS+ into Samba's
+equivalent of the Windows NT password database.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-pam</tt><a name="INDEX-59"/><a name="INDEX-60"/></b></dt>
+<dd>
+<p>When this configure option is specified and the parameter
+<tt class="literal">obey</tt> <tt class="literal">pam</tt>
+<tt class="literal">restrictions</tt> in the Samba configuration file is
+set to <tt class="literal">yes</tt>, obeys PAM's
+configuration regarding account and session management. When
+encrypted passwords are in use, Samba uses the
+<em class="filename">smbpasswd</em> file for authentication, bypassing the
+PAM subsystem. Therefore, this option works only when
+<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> is set to
+<tt class="literal">no</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-pam_smbpass</tt><a name="INDEX-61"/><a name="INDEX-62"/></b></dt>
+<dd>
+<p>When this option is specified, the compilation process builds a PAM
+module called <em class="filename">pam_smbpass.so</em> and places it in
+the <em class="filename">source/bin</em> directory. This module allows
+applications outside of the Samba suite to authenticate users with
+Samba's <em class="filename">smbpasswd</em> file. For
+more information, see the <em class="filename">README</em> file in the
+<em class="filename">source/pam_smbpass</em> directory of the Samba
+distribution and the file
+<em class="filename">PAM-Authentication-And-Samba.html</em> in the
+<em class="filename">docs/html</em> directory.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-piddir</tt><a name="INDEX-63"/><a name="INDEX-64"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps files such as
+<a name="INDEX-65"/>browse lists, WINS
+data, and PID files for keeping track of the process IDs of the Samba
+daemons. The default is
+<em class="filename">/usr/local/samba/var/locks</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-privatedir</tt><a name="INDEX-66"/><a name="INDEX-67"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps the
+<em class="filename">smbpasswd</em>, <em class="filename">secrets.tdb,</em> and
+related files for
+<a name="INDEX-68"/>authentication.
+The default is <em class="filename">/usr/local/samba/private</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-profiling-data</tt><a name="INDEX-69"/><a name="INDEX-70"/></b></dt>
+<dd>
+<p>Includes support for analyzing the execution time of
+Samba's internal code. This is normally used only by
+the Samba developers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-quotas</tt><a name="INDEX-71"/><a name="INDEX-72"/></b></dt>
+<dd>
+<p>Includes <a name="INDEX-73"/>disk-quota support. This is classified
+as an experimental option by the Samba developers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-readline</tt><a name="INDEX-74"/><a name="INDEX-75"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies a location for
+<a name="INDEX-76"/><em class="emphasis">readline( )</em>
+support. The <em class="emphasis">readline( )</em> function exists in the
+C library to accept a line of input from an interactive user and
+provide support for editing and history. Samba uses these functions
+in <em class="emphasis">smbclient</em> and <em class="emphasis">rpcclient</em>.</p>
+
+<p>This option allows Samba's default method of
+determining the location of the <tt class="function">readline( )</tt>
+library to be overridden. Ordinarily, the configuration process
+checks for support in the C library on the system and, if not found,
+uses code included in the Samba source tree. Using
+<tt class="literal">--with-readline</tt>, it is possible to specify the
+directory explicitly in which the library containing
+<em class="emphasis">readline( )</em> is located.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-sendfile-support</tt><a name="INDEX-77"/><a name="INDEX-78"/></b></dt>
+<dd>
+<p>Checks to see if the Samba host operating system supports the
+<a name="INDEX-79"/><em class="emphasis">sendfile( )</em> system
+call, which speeds up file transfers by copying data directly to and
+from kernel buffers, avoiding the overhead of copying to and from
+buffers in user space. If the operating system has the
+<em class="emphasis">sendfile( )</em> system call, support is included in
+Samba for the <tt class="literal">use</tt> <tt class="literal">sendfile</tt>
+configuration file option. This is an experimental option included in
+Samba 2.2.5 and later versions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-smbmount</tt><a name="INDEX-80"/><a name="INDEX-81"/></b></dt>
+<dd>
+<p>Must be specified if you want to mount SMB shares in your Unix
+filesystem using the <em class="filename"/><a name="INDEX-82"/>smbfs</em> filesystem and the
+<em class="emphasis">smbmount</em><a name="INDEX-83"/> command, as discussed in <a href="ch05.html">Chapter 5</a>. Currently, this works only with Linux.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-smbwrapper</tt><a name="INDEX-84"/><a name="INDEX-85"/></b></dt>
+<dd>
+<p>To use <a name="INDEX-86"/>smbsh to access SMB shares from Unix (as
+discussed in <a href="ch05.html">Chapter 5</a>), use this option to
+include the
+<em class="filename">smbwrapper</em><a name="INDEX-87"/> library.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-spinlocks</tt><a name="INDEX-88"/><a name="INDEX-89"/></b></dt>
+<dd>
+<p>Uses <a name="INDEX-90"/><a name="INDEX-91"/>spin locks instead of the normal method of
+file locking that uses the <em class="emphasis">fcntl( )</em> C-library
+function. Using this option results in a Samba installation that
+consumes much more CPU time on the host system. Use it only when
+absolutely necessary.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-ssl</tt><a name="INDEX-92"/><a name="INDEX-93"/></b></dt>
+<dd>
+<p>Includes support for running Samba with
+<a name="INDEX-94"/>SSL encryption. This little-used
+feature was dropped for Samba 3.0. It still works with Samba 2.2.x
+and before, but a better method is to use a <a name="INDEX-95"/>virtual private
+network (VPN).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-sslinc</tt><a name="INDEX-96"/><a name="INDEX-97"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the location of the SSL include files.
+<em class="filename">/usr/local/ssl/include</em> is the default location.
+This option exists in versions prior to Samba 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-ssllib</tt><a name="INDEX-98"/><a name="INDEX-99"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the location of the SSL libraries. The default location is
+<em class="filename">/usr/local/ssl/lib</em>. This option exists in
+versions prior to Samba 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-swatdir</tt><a name="INDEX-100"/><a name="INDEX-101"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies where to install the files for
+<a name="INDEX-102"/>SWAT.
+<em class="filename">/usr/local/samba/swat</em> is the default location.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-syslog</tt><a name="INDEX-103"/><a name="INDEX-104"/></b></dt>
+<dd>
+<p>Includes support for
+<a name="INDEX-105"/>syslog error
+logging. This option must be specified for the Samba configuration
+file parameters <tt class="literal">syslog</tt> and
+<tt class="literal">syslog</tt> <tt class="literal">only</tt> to work. This
+option is widely supported, but might not work correctly on all Samba
+host systems.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-tdbsam</tt><a name="INDEX-106"/><a name="INDEX-107"/></b></dt>
+<dd>
+<p>Includes support for keeping Samba's equivalent of
+the Windows NT SAM in a <em class="filename">.tdb</em> database file
+rather than in the <em class="filename">smbpasswd</em> file. This is an
+experimental feature.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-utmp</tt><a name="INDEX-108"/><a name="INDEX-109"/></b></dt>
+<dd>
+<p>Includes support for <a name="INDEX-110"/>user accounting in the
+system's
+<em class="filename">utmp</em><a name="INDEX-111"/> file. It is necessary for the
+<tt class="literal">utmp</tt> and <tt class="literal">utmp</tt>
+<tt class="literal">directory</tt> Samba configuration file options to
+work. This option is widely supported, but might not work correctly
+on all Samba host systems.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-winbind</tt><a name="INDEX-112"/><a name="INDEX-113"/></b></dt>
+<dd>
+<p>Includes <a name="INDEX-114"/>winbind support in Samba.
+Instead of defaulting to <tt class="literal">no</tt>, as with other boolean
+options, <tt class="literal">--with-winbind</tt> is
+automatically set to <tt class="literal">yes</tt> on systems that support
+winbind functionality. The only time you would need to specify this
+option is to turn it off, like this:</p>
+
+
+<blockquote><pre class="code"># <tt class="userinput"><b>configure --without-winbind</b></tt></pre></blockquote>
+
+<p>This excludes winbind functionality from Samba even when the local
+operating system can support it. For more information on winbind, see
+<a href="ch09.html">Chapter 9</a>. <a name="INDEX-115"/></p>
+</dd>
+
+</dl>
+
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/appf.html b/docs/htmldocs/using_samba/appf.html
new file mode 100644
index 0000000000..c3eb7d4d81
--- /dev/null
+++ b/docs/htmldocs/using_samba/appf.html
@@ -0,0 +1,780 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix F. Running Samba on Mac OS X Server</h1>
+
+
+
+<p><a name="INDEX-1"/>Mac OS X Server is an Apple
+operating-system product based on Mac OS X, with the addition of
+administrative tools and server software. One area in which it
+differs from Mac OS X is in the configuration of Samba-based
+services. In this appendix, we'll tell you how to
+set up SMB file and printer shares, enable client user access, and
+monitor activity. Our specific focus is on Mac OS X Server 10.2.</p>
+
+
+
+<div class="sect1"><a name="samba2-APP-F-SECT-1"/>
+
+<h2 class="head1">Setup Procedures</h2>
+
+<p>The first thing to note is that the procedure described in <a href="ch02.html">Chapter 2</a> using System Preferences to enable Samba does
+not apply to Mac OS X Server. Unlike Mac OS X, the Sharing pane of
+System Preferences does not include an option to turn on Windows File
+Sharing. Instead, there is a set of applications to configure,
+activate, and monitor services: Workgroup Manager, Server Settings,
+Server Status, and Open Directory Assistant, all located in the
+directory <em class="filename">/Applications/Utilities</em>.</p>
+
+<a name="samba2-APP-F-NOTE-163"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>In addition to being installed with Mac OS X Server, these and other
+administrative applications are included on a separate installation
+CD-ROM sold with the operating system. They can be used to manage Mac
+OS X Server systems remotely from any Mac OS X machine.</p>
+
+<p>For more information, refer to the <em class="citetitle">Mac OS X Server
+Administrator's
+Guide</em><a name="INDEX-2"/>, included as a PDF
+file in the <em class="filename">/Library/Documentation/MacOSXServer</em>
+directory, and also downloadable from Apple
+Computer's web site at <a href="http://www.apple.com/server/">http://www.apple.com/server/</a>.</p>
+</blockquote>
+
+<p>Briefly, the procedure for setting up SMB file and printer shares is
+as follows:</p>
+
+<ol><li>
+<p>Designate share points in Workgroup Manager for file sharing.</p>
+</li><li>
+<p>Set up print queues in Server Settings for printer sharing, and
+activate Printer Service.</p>
+</li><li>
+<p>Configure and activate Windows Services in Server Settings.</p>
+</li><li>
+<p>Activate Password Server and enable SMB authentication in Open
+Directory Assistant.</p>
+</li><li>
+<p>Enable Password Server authentication for user accounts in Workgroup
+Manager.</p>
+</li><li>
+<p>Monitor file and print services with Server Status.</p>
+</li></ol>
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.1"/>
+
+<h3 class="head2">Sharing Files</h3>
+
+<p><a name="INDEX-3"/><a name="INDEX-4"/>The
+first step to enable SMB file sharing is to designate one or more
+<em class="firstterm">share points</em>. Share points are folders that
+form the root of shared volumes for any of the protocols supported by
+Mac OS X Server: Apple Filesharing Protocol (AFP), Network Filesystem
+(NFS), File Transfer Protocol (FTP), and SMB.</p>
+
+<p>To designate a share point, launch Workgroup Manager. You will be
+prompted for the local or remote server's hostname
+or IP address, as well as for a username and password; this process
+is required by all the Mac OS X Server administrative applications.
+Once Workgroup Manager is open, click the Sharing button in the
+toolbar. The list on the left, under the Share Points tab, displays
+currently defined share points. To add a new one, click the All tab,
+and navigate to the folder you want to share.</p>
+
+<p>On the right, under the General tab, check the box labeled Share this
+item and its contents, change the ownership and permissions if
+desired, then click the Save button. Next, under the Protocols tab,
+select Windows File Settings from the pop-up menu, and ensure that
+the box labeled Share this item using SMB is checked. At this point,
+you can also decide whether to allow guest access to the share,
+change the name of the share displayed to SMB clients, or set
+permissions for files and folders created by SMB clients. Click the
+Save button when you're finished making changes. See
+<a href="appf.html#samba2-APP-F-FIG-1">Figure F-1</a>.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-1"/><img src="figs/sam2_af01.gif"/></div><h4 class="head4">Figure F-1. Workgroup Manager: Share Points and Windows File Settings</h4>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.2"/>
+
+<h3 class="head2">Sharing Printers</h3>
+
+<p><a name="INDEX-5"/><a name="INDEX-6"/>Printer shares are set up
+differently. First, launch Server Settings; under the File &amp;
+Print tab, select Print, then Configure Print Service.... Check the
+box labeled Automatically share new queues for Windows printing.
+Next, click the Print icon again and then Show Print Monitor. Make
+sure the printers you want to share are listed. Printers directly
+attached to the server should have queues created automatically, but
+remote printers you wish to reshare must be added by clicking New
+Queue and discovering or specifying the printers. When
+you're finished, click Save, select the Print icon
+one more time, and select Start Print Service. See <a href="appf.html#samba2-APP-F-FIG-2">Figure F-2</a>.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-2"/><img src="figs/sam2_af02.gif"/></div><h4 class="head4">Figure F-2. Server Settings: Print Service</h4>
+
+<a name="samba2-APP-F-NOTE-164"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Server Settings will make local printers available for sharing only
+if they're PostScript compatible. Unfortunately,
+many printers, including consumer-grade USB inkjet printers,
+aren't. If you want to make one of these printers
+available to SMB clients, you can still add the share to
+<em class="filename">/etc/smb.conf</em> yourself with a text editor. See
+&quot;Rolling Your Own&quot; later in this
+chapter for instructions and caveats related to making manual changes
+to <em class="filename">smb.conf</em>.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.3"/>
+
+<h3 class="head2">Configuring and Activating Services</h3>
+
+<p><a name="INDEX-7"/>At this point, neither
+the file shares nor the printer shares are available to SMB clients.
+To activate them, click the Windows icon in Server Settings, and
+click Configure Windows Services.... Under the General tab, you can
+set the server's NetBIOS hostname, the workgroup or
+Windows NT domain in which the server resides, and the description
+that gets displayed in a browse list. You can also specify the code
+page for an alternate character set. Finally, you can enable
+boot-time startup of Samba. See <a href="appf.html#samba2-APP-F-FIG-3">Figure F-3</a>.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-3"/><img src="figs/sam2_af03.gif"/></div><h4 class="head4">Figure F-3. Server Settings: Windows Services</h4>
+
+<p>The Windows Services Access tab offers options to enable guest access
+and limit the number of simultaneous client connections; under the
+Logging tab, you can specify the verbosity of your logging. With
+options under the Neighborhood tab, you can configure your machine as
+a WINS client or server or have it provide browser services locally
+or across subnets.</p>
+
+<a name="samba2-APP-F-SIDEBAR-1"/><blockquote><table border="1" cellpadding="6"><tr><td>
+<h4 class="head4">Password Server</h4>
+
+<p><a name="INDEX-8"/><a name="INDEX-9"/>Password Server is a feature
+introduced with Mac OS X Server 10.2. In prior versions of Mac OS X
+Server, Windows authentication was handled with Authentication
+Manager, which stored a user's Windows password in
+the <tt class="literal">tim_password</tt> property of the
+user's NetInfo record. This can still be done in
+Version 10.2, although it's strongly discouraged
+because the encrypted password is visible to other users with access
+to the NetInfo domain and can potentially be decrypted.</p>
+
+<p>If you need to use Authentication Manager, use the following
+procedure to enable it:</p>
+
+<ol><li>
+<p>On every machine hosting a domain that will bind into the NetInfo
+hierarchy, execute the command <tt class="literal">tim -init -auto</tt>
+<em class="replaceable">tag</em> for each domain, where
+<em class="replaceable">tag</em> is the name of the
+domain's database.</p>
+</li>
+<li>
+<p>When prompted, provide a password to be used as the encryption key
+for the domain. This key is used to decrypt the Windows passwords and
+is stored in an encrypted file readable only by root,
+<em class="filename">/var/db/netinfo/.tag.tim</em>.</p>
+</li>
+<li>
+<p>Set <tt class="literal">AUTHSERVER=-YES-</tt> in
+<em class="filename">/etc/hostconfig</em>.</p>
+</li>
+<li>
+<p>Start Authentication Manager by invoking <em class="emphasis">tim</em>.
+This is also executed during the boot sequence by the AuthServer
+startup item.</p>
+</li>
+<li>
+<p>Reset the password of each user requiring SMB client access. In Mac
+OS X Server 10.2 or later, make sure the user is set up for Basic
+authentication, not Password Server authentication.</p>
+</li></ol></td></tr></table></blockquote>
+
+<p>When you've finished configuring Windows Services,
+click the Save button, then click the Windows icon in Server
+Settings, and select Start Windows Services. This starts the Samba
+daemons, enabling access from SMB clients.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.4"/>
+
+<h3 class="head2">Activating Password Server</h3>
+
+<p><a name="INDEX-10"/><a name="INDEX-11"/>Now that
+you've set up file and printer shares, you need to
+make sure users can properly authenticate to access them. In Mac OS X
+Server, this is accomplished with the <a name="INDEX-12"/>Open Directory
+Password Server, a service based on the <a name="INDEX-13"/>Simple Authentication and Security
+Layer (SASL) standard and usable with many different authentication
+protocols, including the LAN Manager and Windows NT LAN Manager
+(NTLM) protocols. This section describes how to support SMB client
+authentication, but for more information on what Password Server does
+and how it works, see the Mac OS X Server
+Administrator's Guide.</p>
+
+<p>To enable Password Server or merely check its settings, start the
+Open Directory Assistant. Unless you wish to change any of the
+settings, just click the right arrow button in the lower-right corner
+of the window until you get to the first Security step. At this
+point, activate Password Server by selecting the option marked
+Password and authentication information will be provided to other
+systems. The next step displays the main administrative account, and
+the one after that gives you a choice of authentication protocols to
+enable (see <a href="appf.html#samba2-APP-F-FIG-4">Figure F-4</a>). Make sure that SMB-NT is
+checked, and check SMB-Lan Manager if you have Windows 95/98/Me or
+older clients. The final step saves the Password Server configuration
+and prompts you to reboot.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-4"/><img src="figs/sam2_af04.gif"/></div><h4 class="head4">Figure F-4. Password Server authentication protocols</h4>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.5"/>
+
+<h3 class="head2">Enabling Password Server</h3>
+
+<p><a name="INDEX-14"/><a name="INDEX-15"/>To enable the
+use of Password Server for a user account, launch Workgroup Manager,
+and click the Accounts button in the toolbar. Under the Users tab on
+the far left (with the silhouette of a single person), select the
+account, and under the Advanced tab on the right, select Password
+Server for the User Password Type (see <a href="appf.html#samba2-APP-F-FIG-5">Figure F-5</a>).
+You are prompted to enter a new user password to be stored in the
+Password Server database. After saving the account configuration, the
+user can authenticate and access shares from an SMB client.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-5"/><img src="figs/sam2_af05.gif"/></div><h4 class="head4">Figure F-5. Workgroup Manager: Enabling Password Server authentication</h4>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.6"/>
+
+<h3 class="head2">Monitoring Services</h3>
+
+<p><a name="INDEX-16"/>Once you've got
+everything working, you'll want to keep an eye on
+things. The Server Status application gives you views into the
+various services provided by Mac OS X Server. For Windows Services,
+you can see the current state of the service, browse the logs
+(located in the directory
+<em class="filename">/Library/Logs/WindowsServices</em>), display and
+terminate individual connections, and view a graph of connections
+over time (see <a href="appf.html#samba2-APP-F-FIG-6">Figure F-6</a>). Similar information is
+provided for Print Service.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-6"/><img src="figs/sam2_af06.gif"/></div><h4 class="head4">Figure F-6. Server Status: Windows Services</h4>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-APP-F-SECT-2"/>
+
+<h2 class="head1">Configuration Details</h2>
+
+<p><a name="INDEX-17"/>Underneath the GUI, a lot of activity
+takes place to offer Windows Services. In the non-Server version of
+Mac OS X, selecting Windows File Sharing sets the
+<tt class="literal">SMBSERVER</tt> parameter in
+<em class="filename">/etc/hostconfig</em> and triggers the Samba startup
+item. In Mac OS X Server, under normal circumstances the Samba
+startup item and the <tt class="literal">SMBSERVER</tt> parameter are never
+used.</p>
+
+<p>Instead, a process named <em class="emphasis">sambadmind</em> generates
+<em class="filename">/etc/smb.conf</em> from the configuration specified
+in Server Settings and Workgroup Manager and handles starting and
+restarting the Samba daemons as necessary. The
+<em class="emphasis">sambadmind</em> process is in turn monitored by
+<em class="emphasis">watchdog</em>, which keeps an eye on certain
+processes and restarts those which fail. The
+<em class="emphasis">watchdog</em> utility is configured in
+<em class="filename">/etc/watchdog.conf</em>, a file similar to a System V
+<em class="filename">inittab</em>, which specifies how the services under
+<em class="emphasis">watchdog</em>'s purview are to be
+treated. For example, the line for <em class="emphasis">sambadmind</em>
+looks like this:</p>
+
+<blockquote><pre class="code">sambadmin:respawn:/usr/sbin/sambadmind -d     # SMB Admin daemon</pre></blockquote>
+
+<p>Using a <em class="emphasis">watchdog</em>-monitored process such as
+<em class="emphasis">sambadmind</em> to start the Samba daemons, instead
+of a one-time execution of a startup item, results in more reliable
+service. In Mac OS X Server, if a Samba daemon dies unexpectedly, it
+is quickly restarted. (Examples of other services monitored by
+<em class="emphasis">watchdog</em> are Password Server, Print Service, and
+the Server Settings daemon that allows remote management.)</p>
+
+<p>There's another wrinkle in Mac OS X Server: the
+Samba configuration settings are not written directly to
+<em class="filename">/etc/smb.conf</em>, as they are in the non-Server
+version of Mac OS X. Instead, they're stored in the
+server's local Open Directory domain,<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> from which <em class="emphasis">sambadmind</em> retrieves them
+and regenerates <em class="filename">smb.conf</em>. For example, the Samba
+global parameters are stored in
+<em class="filename">/config/SMBServer</em> (see <a href="appf.html#samba2-APP-F-FIG-7">Figure F-7</a>). Share point information is also kept in Open
+Directory, under <em class="filename">/config/SharePoints</em>, while CUPS
+takes responsibility for printer configuration in
+<em class="filename">/etc/cups/printers.conf</em> (also creating stub
+entries used by Samba in <em class="filename">/etc/printcap</em>).</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-7"/><img src="figs/sam2_af07.gif"/></div><h4 class="head4">Figure F-7. NetInfo Manager: SMBServer properties</h4>
+
+<p><a href="appf.html#samba2-APP-F-TABLE-1">Table F-1</a> summarizes the association of Windows
+Services settings in the Server Settings application, properties
+stored in Open Directory, and parameters in
+<em class="filename">/etc/smb.conf</em>.</p>
+
+<a name="samba2-APP-F-TABLE-1"/><h4 class="head4">Table F-1. Samba configuration settings in Mac OS X Server</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Server Settings graphical element in Windows Services</p>
+</th>
+<th>
+<p>Open Directory property in <em class="filename">/config/SMBServer</em></p>
+</th>
+<th>
+<p>Samba global parameter in<em class="filename">/etc/smb.conf</em></p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>General &rarr; Server Name</p>
+</td>
+<td>
+<p><tt class="literal">netbios_name</tt></p>
+</td>
+<td>
+<p><tt class="literal">netbios name</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>General &rarr; Workgroup</p>
+</td>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>General &rarr; Description</p>
+</td>
+<td>
+<p><tt class="literal">description</tt></p>
+</td>
+<td>
+<p><tt class="literal">server string</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>General &rarr; Code Page</p>
+</td>
+<td>
+<p><tt class="literal">code_page</tt></p>
+</td>
+<td>
+<p><tt class="literal">client code page</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>General &rarr; Start Windows Services on system startup</p>
+</td>
+<td>
+<p><tt class="literal">auto_start</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Access &rarr; Allow Guest Access</p>
+</td>
+<td>
+<p><tt class="literal">guest_access</tt>, <tt class="literal">map_to_guest</tt></p>
+</td>
+<td>
+<p><tt class="literal">map to guest</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">guest_account</tt></p>
+</td>
+<td>
+<p><tt class="literal">guest account</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Access &rarr; Maximum client connections</p>
+</td>
+<td>
+<p><tt class="literal">max_connections</tt></p>
+</td>
+<td>
+<p><tt class="literal">max smbd processes</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Logging &rarr; Detail Level</p>
+</td>
+<td>
+<p><tt class="literal">logging</tt></p>
+</td>
+<td>
+<p><tt class="literal">log level</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; WINS Registration &rarr;
+Off</p>
+</td>
+<td>
+<p><tt class="literal">WINS_enabled</tt>, <tt class="literal">WINS_register</tt></p>
+</td>
+<td>
+<p><tt class="literal">wins support</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; WINS Registration &rarr;
+Enable WINS server</p>
+</td>
+<td>
+<p><tt class="literal">WINS_enabled</tt></p>
+</td>
+<td>
+<p><tt class="literal">wins support</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; WINS Registration &rarr;
+Register with WINS server</p>
+</td>
+<td>
+<p><tt class="literal">WINS_register</tt>, <tt class="literal">WINS_address</tt></p>
+</td>
+<td>
+<p><tt class="literal">wins server</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; Workgroup/Domain Services
+&rarr; Master Browser</p>
+</td>
+<td>
+<p><tt class="literal">Local_Master</tt></p>
+</td>
+<td>
+<p><tt class="literal">local master</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; Workgroup/Domain Services
+&rarr; Domain Master Browser</p>
+</td>
+<td>
+<p><tt class="literal">Domain_Master</tt></p>
+</td>
+<td>
+<p><tt class="literal">domain master</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Print &rarr; Start Print Service</p>
+</td>
+<td>
+<p><tt class="literal">printing</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">lprm_command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lprm command</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">lppause_command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lppause command</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">lpresume_command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpresume command</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">printer_admin</tt></p>
+</td>
+<td>
+<p><tt class="literal">printer admin</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">encryption</tt></p>
+</td>
+<td>
+<p><tt class="literal">encrypt passwords</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">coding_system</tt></p>
+</td>
+<td>
+<p><tt class="literal">coding system</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">log_dir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">smb_log</tt></p>
+</td>
+<td>
+<p><tt class="literal">log file</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">nmb_log</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_sbindir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_bindir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_libdir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_lockdir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_vardir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">stop_time</tt></p>
+</td>
+<td>
+<p>N/A <a name="INDEX-19"/></p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-APP-F-SECT-3"/>
+
+<h2 class="head1">Rolling Your Own</h2>
+
+<p><a name="INDEX-20"/>When making manual changes to the Samba
+configuration file, take care to block changes initiated from
+graphical applications by invoking this command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chflags uchg /etc/smb.conf</b></tt></pre></blockquote>
+
+<p>From that point on, the GUI will be useful only for starting,
+stopping, and monitoring the service&mdash;not for configuring it.</p>
+
+<p>If you install your own version of Samba, you can still manage it
+from Server Settings by changing some of the Open Directory
+properties in <em class="filename">/config/SMBServer</em>.</p>
+
+<p>To do this, open NetInfo Manager and modify the
+<tt class="literal">samba_sbindir</tt> and <tt class="literal">samba_bindir</tt>
+properties to match the location of your Samba installation.
+Optionally, you can modify <tt class="literal">samba_libdir</tt>,
+<tt class="literal">samba_vardir</tt>, and
+<tt class="literal">samba_lockdir</tt>. Assuming a default Samba
+installation, you can also change these at the command line with the
+following commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>nicl . -create /config/SMBServer samba_sbindir /usr/local/samba/bin</b></tt>
+# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_bindir /usr/local/samba/bin</b></tt>
+# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_libdir /usr/local/samba/lib</b></tt>
+# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_vardir /usr/local/samba/var</b></tt>
+# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_lockdir /usr/local/samba/var/locks</b></tt></pre></blockquote>
+
+<p>You can check your settings with this command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>nicl . -read /config/SMBServer</b></tt></pre></blockquote>
+
+<p>In Server Settings, select Stop Windows Services, then run this
+command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>killall sambadmind</b></tt></pre></blockquote>
+
+<p>The <em class="emphasis">watchdog</em> utility restarts
+<em class="emphasis">sambadmind</em> within seconds. Finally, go back to
+Server Settings, and select Start Windows Services.</p>
+
+<p>If you don't modify Open Directory properties to
+match your active Samba installation (because you wish to manage your
+configuration another way), be sure never to activate Windows
+Services from the Server Settings application, or
+you'll wind up with two sets of Samba daemons
+running concurrently. <a name="INDEX-21"/></p>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/>
+<p><a href="#FNPTR-1">[1]</a> In versions of Mac OS X prior to 10.2, Open Directory domains
+were called NetInfo domains. NetInfo Manager (located in
+<em class="filename">/Applications/Utilities</em>) provides a graphical
+interface to view and modify the contents of Open Directory
+databases. For more information, see the <em class="citetitle">Mac OS X Server
+Administrator's Guide</em>, as well as
+<em class="citetitle">Understanding and Using NetInfo</em>, downloadable
+from the Mac OS X Server resources web page at <a href="http://www.apple.com/server/resources.html">http://www.apple.com/server/resources.html</a>.</p>
+</blockquote>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/appg.html b/docs/htmldocs/using_samba/appg.html
new file mode 100644
index 0000000000..779f68034f
--- /dev/null
+++ b/docs/htmldocs/using_samba/appg.html
@@ -0,0 +1,500 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix G. GNU Free Documentation License</h1>
+
+
+<div class="sect1"><a name="samba2-APP-G-SECT-1"/>
+
+<a name="INDEX-1"/><h2 class="head1">GNU Free Documentation License</h2>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.1"/>
+
+<h3 class="head2">Version 1.2, November 2002</h3>
+
+<p>Copyright &copy; 2000, 2001, 2002 Free Software Foundation, Inc.</p>
+
+<p>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA</p>
+
+<p>Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.2"/>
+
+<h3 class="head2">0. PREAMBLE</h3>
+
+<p>The purpose of this License is to make a manual, textbook, or other
+functional and useful document
+&quot;free&quot; in the sense of freedom: to
+assure everyone the effective freedom to copy and redistribute it,
+with or without modifying it, either commercially or noncommercially.
+Secondarily, this License preserves for the author and publisher a
+way to get credit for their work, while not being considered
+responsible for modifications made by others.</p>
+
+<p>This License is a kind of
+&quot;copyleft&quot;, which means that
+derivative works of the document must themselves be free in the same
+sense. It complements the GNU General Public License, which is a
+copyleft license designed for free software.</p>
+
+<p>We have designed this License in order to use it for manuals for free
+software, because free software needs free documentation: a free
+program should come with manuals providing the same freedoms that the
+software does. But this License is not limited to software manuals;
+it can be used for any textual work, regardless of subject matter or
+whether it is published as a printed book. We recommend this License
+principally for works whose purpose is instruction or reference.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.3"/>
+
+<h3 class="head2">1. APPLICABILITY AND DEFINITIONS</h3>
+
+<p>This License applies to any manual or other work, in any medium, that
+contains a notice placed by the copyright holder saying it can be
+distributed under the terms of this License. Such a notice grants a
+world-wide, royalty-free license, unlimited in duration, to use that
+work under the conditions stated herein. The
+&quot;Document&quot;, below, refers to any
+such manual or work. Any member of the public is a licensee, and is
+addressed as &quot;you&quot;. You accept the
+license if you copy, modify or distribute the work in a way requiring
+permission under copyright law.</p>
+
+<p>A &quot;Modified Version&quot; of the
+Document means any work containing the Document or a portion of it,
+either copied verbatim, or with modifications and/or translated into
+another language.</p>
+
+<p>A &quot;Secondary Section&quot; is a named
+appendix or a front-matter section of the Document that deals
+exclusively with the relationship of the publishers or authors of the
+Document to the Document's overall subject (or to
+related matters) and contains nothing that could fall directly within
+that overall subject. (Thus, if the Document is in part a textbook of
+mathematics, a Secondary Section may not explain any mathematics.)
+The relationship could be a matter of historical connection with the
+subject or with related matters, or of legal, commercial,
+philosophical, ethical or political position regarding them.</p>
+
+<p>The &quot;Invariant Sections&quot; are
+certain Secondary Sections whose titles are designated, as being
+those of Invariant Sections, in the notice that says that the
+Document is released under this License. If a section does not fit
+the above definition of Secondary then it is not allowed to be
+designated as Invariant. The Document may contain zero Invariant
+Sections. If the Document does not identify any Invariant Sections
+then there are none.</p>
+
+<p>The &quot;Cover Texts&quot; are certain short
+passages of text that are listed, as Front-Cover Texts or Back-Cover
+Texts, in the notice that says that the Document is released under
+this License. A Front-Cover Text may be at most 5 words, and a
+Back-Cover Text may be at most 25 words.</p>
+
+<p>A &quot;Transparent&quot; copy of the
+Document means a machine-readable copy, represented in a format whose
+specification is available to the general public, that is suitable
+for revising the document straightforwardly with generic text editors
+or (for images composed of pixels) generic paint programs or (for
+drawings) some widely available drawing editor, and that is suitable
+for input to text formatters or for automatic translation to a
+variety of formats suitable for input to text formatters. A copy made
+in an otherwise Transparent file format whose markup, or absence of
+markup, has been arranged to thwart or discourage subsequent
+modification by readers is not Transparent. An image format is not
+Transparent if used for any substantial amount of text. A copy that
+is not &quot;Transparent&quot; is called
+&quot;Opaque&quot;.</p>
+
+<p>Examples of suitable formats for Transparent copies include plain
+ASCII without markup, T<sup class="superscript">E</sup>Xinfo input
+format, L<sup class="superscript">A</sup>T<sup class="superscript">E</sup>X
+input format, SGML or XML using a publicly available DTD, and
+standard-conforming simple HTML, PostScript or PDF designed for human
+modification. Examples of transparent image formats include PNG, XCF
+and JPG. Opaque formats include proprietary formats that can be read
+and edited only by proprietary word processors, SGML or XML for which
+the DTD and/or processing tools are not generally available, and the
+machine-generated HTML, PostScript or PDF produced by some word
+processors for output purposes only.</p>
+
+<p>The &quot;Title Page&quot; means, for a
+printed book, the title page itself, plus such following pages as are
+needed to hold, legibly, the material this License requires to appear
+in the title page. For works in formats which do not have any title
+page as such, &quot;Title Page&quot; means
+the text near the most prominent appearance of the
+work's title, preceding the beginning of the body of
+the text.</p>
+
+<p>A section &quot;Entitled XYZ&quot; means a
+named subunit of the Document whose title either is precisely XYZ or
+contains XYZ in parentheses following text that translates XYZ in
+another language. (Here XYZ stands for a specific section name
+mentioned below, such as
+&quot;Acknowledgments&quot;,
+&quot;Dedications&quot;,
+&quot;Endorsements&quot;, or
+&quot;History&quot;.) To
+&quot;Preserve the Title&quot; of such a
+section when you modify the Document means that it remains a section
+&quot;Entitled XYZ&quot; according to this
+definition.</p>
+
+<p>The Document may include Warranty Disclaimers next to the notice
+which states that this License applies to the Document. These
+Warranty Disclaimers are considered to be included by reference in
+this License, but only as regards disclaiming warranties: any other
+implication that these Warranty Disclaimers may have is void and has
+no effect on the meaning of this License.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.4"/>
+
+<h3 class="head2">2. VERBATIM COPYING</h3>
+
+<p>You may copy and distribute the Document in any medium, either
+commercially or noncommercially, provided that this License, the
+copyright notices, and the license notice saying this License applies
+to the Document are reproduced in all copies, and that you add no
+other conditions whatsoever to those of this License. You may not use
+technical measures to obstruct or control the reading or further
+copying of the copies you make or distribute. However, you may accept
+compensation in exchange for copies. If you distribute a large enough
+number of copies you must also follow the conditions in section 3.</p>
+
+<p>You may also lend copies, under the same conditions stated above, and
+you may publicly display copies.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.5"/>
+
+<h3 class="head2">3. COPYING IN QUANTITY</h3>
+
+<p>If you publish printed copies (or copies in media that commonly have
+printed covers) of the Document, numbering more than 100, and the
+Document's license notice requires Cover Texts, you
+must enclose the copies in covers that carry, clearly and legibly,
+all these Cover Texts: Front-Cover Texts on the front cover, and
+Back-Cover Texts on the back cover. Both covers must also clearly and
+legibly identify you as the publisher of these copies. The front
+cover must present the full title with all words of the title equally
+prominent and visible. You may add other material on the covers in
+addition. Copying with changes limited to the covers, as long as they
+preserve the title of the Document and satisfy these conditions, can
+be treated as verbatim copying in other respects.</p>
+
+<p>If the required texts for either cover are too voluminous to fit
+legibly, you should put the first ones listed (as many as fit
+reasonably) on the actual cover, and continue the rest onto adjacent
+pages.</p>
+
+<p>If you publish or distribute Opaque copies of the Document numbering
+more than 100, you must either include a machine-readable Transparent
+copy along with each Opaque copy, or state in or with each Opaque
+copy a computer-network location from which the general network-using
+public has access to download using public-standard network protocols
+a complete Transparent copy of the Document, free of added material.
+If you use the latter option, you must take reasonably prudent steps,
+when you begin distribution of Opaque copies in quantity, to ensure
+that this Transparent copy will remain thus accessible at the stated
+location until at least one year after the last time you distribute
+an Opaque copy (directly or through your agents or retailers) of that
+edition to the public.</p>
+
+<p>It is requested, but not required, that you contact the authors of
+the Document well before redistributing any large number of copies,
+to give them a chance to provide you with an updated version of the
+Document.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.6"/>
+
+<h3 class="head2">4. MODIFICATIONS</h3>
+
+<p>You may copy and distribute a Modified Version of the Document under
+the conditions of sections 2 and 3 above, provided that you release
+the Modified Version under precisely this License, with the Modified
+Version filling the role of the Document, thus licensing distribution
+and modification of the Modified Version to whoever possesses a copy
+of it. In addition, you must do these things in the Modified Version:</p>
+
+<ol><li>
+<p>Use in the Title Page (and on the covers, if any) a title distinct
+from that of the Document, and from those of previous versions (which
+should, if there were any, be listed in the History section of the
+Document). You may use the same title as a previous version if the
+original publisher of that version gives permission.</p>
+</li><li>
+<p>List on the Title Page, as authors, one or more persons or entities
+responsible for authorship of the modifications in the Modified
+Version, together with at least five of the principal authors of the
+Document (all of its principal authors, if it has fewer than five),
+unless they release you from this requirement.</p>
+</li><li>
+<p>State on the Title page the name of the publisher of the Modified
+Version, as the publisher.</p>
+</li><li>
+<p>Preserve all the copyright notices of the Document.</p>
+</li><li>
+<p>Add an appropriate copyright notice for your modifications adjacent
+to the other copyright notices.</p>
+</li><li>
+<p>Include, immediately after the copyright notices, a license notice
+giving the public permission to use the Modified Version under the
+terms of this License, in the form shown in the Addendum below.</p>
+</li><li>
+<p>Preserve in that license notice the full lists of Invariant Sections
+and required Cover Texts given in the Document's
+license notice.</p>
+</li><li>
+<p>Include an unaltered copy of this License.</p>
+</li><li>
+<p>Preserve the section Entitled
+&quot;History&quot;, Preserve its Title, and
+add to it an item stating at least the title, year, new authors, and
+publisher of the Modified Version as given on the Title Page. If
+there is no section Entitled
+&quot;History&quot; in the Document, create
+one stating the title, year, authors, and publisher of the Document
+as given on its Title Page, then add an item describing the Modified
+Version as stated in the previous sentence.</p>
+</li><li>
+<p>Preserve the network location, if any, given in the Document for
+public access to a Transparent copy of the Document, and likewise the
+network locations given in the Document for previous versions it was
+based on. These may be placed in the
+&quot;History&quot; section. You may omit a
+network location for a work that was published at least four years
+before the Document itself, or if the original publisher of the
+version it refers to gives permission.</p>
+</li><li>
+<p>For any section Entitled
+&quot;Acknowledgments&quot; or
+&quot;Dedications&quot;, Preserve the Title
+of the section, and preserve in the section all the substance and
+tone of each of the contributor acknowledgments and/or dedications
+given therein.</p>
+</li><li>
+<p>Preserve all the Invariant Sections of the Document, unaltered in
+their text and in their titles. Section numbers or the equivalent are
+not considered part of the section titles.</p>
+</li><li>
+<p>Delete any section Entitled
+&quot;Endorsements&quot;. Such a section may
+not be included in the Modified Version.</p>
+</li><li>
+<p>Do not retitle any existing section to be Entitled
+&quot;Endorsements&quot; or to conflict in
+title with any Invariant Section.</p>
+</li><li>
+<p>Preserve any Warranty Disclaimers.</p>
+
+<p>If the Modified Version includes new front-matter sections or
+appendices that qualify as Secondary Sections and contain no material
+copied from the Document, you may at your option designate some or
+all of these sections as invariant. To do this, add their titles to
+the list of Invariant Sections in the Modified
+Version's license notice. These titles must be
+distinct from any other section titles.</p>
+
+<p>You may add a section Entitled
+&quot;Endorsements&quot;, provided it
+contains nothing but endorsements of your Modified Version by various
+parties&mdash;for example, statements of peer review or that the text
+has been approved by an organization as the authoritative definition
+of a standard.</p>
+
+<p>You may add a passage of up to five words as a Front-Cover Text, and
+a passage of up to 25 words as a Back-Cover Text, to the end of the
+list of Cover Texts in the Modified Version. Only one passage of
+Front-Cover Text and one of Back-Cover Text may be added by (or
+through arrangements made by) any one entity. If the Document already
+includes a cover text for the same cover, previously added by you or
+by arrangement made by the same entity you are acting on behalf of,
+you may not add another; but you may replace the old one, on explicit
+permission from the previous publisher that added the old one.</p>
+
+<p>The author(s) and publisher(s) of the Document do not by this License
+give permission to use their names for publicity for or to assert or
+imply endorsement of any Modified Version.</p>
+</li></ol>
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.7"/>
+
+<h3 class="head2">5. COMBINING DOCUMENTS</h3>
+
+<p>You may combine the Document with other documents released under this
+License, under the terms defined in section 4 above for modified
+versions, provided that you include in the combination all of the
+Invariant Sections of all of the original documents, unmodified, and
+list them all as Invariant Sections of your combined work in its
+license notice, and that you preserve all their Warranty Disclaimers.</p>
+
+<p>The combined work need only contain one copy of this License, and
+multiple identical Invariant Sections may be replaced with a single
+copy. If there are multiple Invariant Sections with the same name but
+different contents, make the title of each such section unique by
+adding at the end of it, in parentheses, the name of the original
+author or publisher of that section if known, or else a unique
+number. Make the same adjustment to the section titles in the list of
+Invariant Sections in the license notice of the combined work.</p>
+
+<p>In the combination, you must combine any sections Entitled
+&quot;History&quot; in the various original
+documents, forming one section Entitled
+&quot;History&quot;; likewise combine any
+sections Entitled
+&quot;Acknowledgements&quot;, and any
+sections Entitled &quot;Dedications&quot;.
+You must delete all sections Entitled
+&quot;Endorsements&quot;.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.8"/>
+
+<h3 class="head2">6. COLLECTIONS OF DOCUMENTS</h3>
+
+<p>You may make a collection consisting of the Document and other
+documents released under this License, and replace the individual
+copies of this License in the various documents with a single copy
+that is included in the collection, provided that you follow the
+rules of this License for verbatim copying of each of the documents
+in all other respects.</p>
+
+<p>You may extract a single document from such a collection, and
+distribute it individually under this License, provided you insert a
+copy of this License into the extracted document, and follow this
+License in all other respects regarding verbatim copying of that
+document.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.9"/>
+
+<h3 class="head2">7. AGGREGATION WITH INDEPENDENT WORKS</h3>
+
+<p>A compilation of the Document or its derivatives with other separate
+and independent documents or works, in or on a volume of a storage or
+distribution medium, is called an
+&quot;aggregate&quot; if the copyright
+resulting from the compilation is not used to limit the legal rights
+of the compilation's users beyond what the
+individual works permit. When the Document is included as an
+aggregate, this License does not apply to the other works in the
+aggregate which are not themselves derivative works of the Document.</p>
+
+<p>If the Cover Text requirement of section 3 is applicable to these
+copies of the Document, then if the Document is less than one half of
+the entire aggregate, the Document's Cover Texts may
+be placed on covers that bracket the Document within the aggregate,
+or the electronic equivalent of covers if the Document is in
+electronic form. Otherwise they must appear on printed covers that
+bracket the whole aggregate.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.10"/>
+
+<h3 class="head2">8. TRANSLATION</h3>
+
+<p>Translation is considered a kind of modification, so you may
+distribute translations of the Document under the terms of section 4.
+Replacing Invariant Sections with translations requires special
+permission from their copyright holders, but you may include
+translations of some or all Invariant Sections in addition to the
+original versions of these Invariant Sections. You may include a
+translation of this License, and all the license notices in the
+Document, and any Warranty Disclaimers, provided that you also
+include the original English version of this License and the original
+versions of those notices and disclaimers. In case of a disagreement
+between the translation and the original version of this License or a
+notice or disclaimer, the original version will prevail.</p>
+
+<p>If a section in the Document is Entitled
+&quot;Acknowledgements&quot;,
+&quot;Dedications&quot;, or
+&quot;History&quot;, the requirement (section
+4) to Preserve its Title (section 1) will typically require changing
+the actual title.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.11"/>
+
+<h3 class="head2">9. TERMINATION</h3>
+
+<p>You may not copy, modify, sublicense, or distribute the Document
+except as expressly provided for under this License. Any other
+attempt to copy, modify, sublicense or distribute the Document is
+void, and will automatically terminate your rights under this
+License. However, parties who have received copies, or rights, from
+you under this License will not have their licenses terminated so
+long as such parties remain in full compliance.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.12"/>
+
+<h3 class="head2">10. FUTURE REVISIONS OF THIS LICENSE</h3>
+
+<p>The Free Software Foundation may publish new, revised versions of the
+GNU Free Documentation License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in
+detail to address new problems or concerns. See <a href="http://www.gnu.org/copyleft/">http://www.gnu.org/copyleft/</a>.</p>
+
+<p>Each version of the License is given a distinguishing version number.
+If the Document specifies that a particular numbered version of this
+License &quot;or any later version&quot;
+applies to it, you have the option of following the terms and
+conditions either of that specified version or of any later version
+that has been published (not as a draft) by the Free Software
+Foundation. If the Document does not specify a version number of this
+License, you may choose any version ever published (not as a draft)
+by the Free Software Foundation. <a name="INDEX-2"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/book.html b/docs/htmldocs/using_samba/book.html
deleted file mode 100644
index 5145c80307..0000000000
--- a/docs/htmldocs/using_samba/book.html
+++ /dev/null
@@ -1,2924 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Using Samba</title><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a name="id2491109"></a>Using Samba</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="preface"><a href="#copyright"></a></span></dt><dt><span class="preface"><a href="#ch00">Preface</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch00-SECT-1">The Samba Suite</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-2">Audience for this Book</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-3">Samba Installation Checklist</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-4">Organization</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-5">Conventions</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-6">Request for Comments</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-7">Acknowledgments</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch01-48078">1. Learning the Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch01-28119">1.1. What is Samba?</a></span></dt><dt><span class="sect1"><a href="#ch01-SECT-2">1.2. What Can Samba Do For Me?</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-2.1">1.2.1. Sharing a Disk Service</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-2.2">1.2.2. Sharing a Printer</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-88536">1.3. Getting Familiar with a SMB/CIFS Network</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-3.1">1.3.1. Understanding NetBIOS</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.2">1.3.2. Getting a Name</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.3">1.3.3. Node Types</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.4">1.3.4. What's in a Name?</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.5">1.3.5. Datagrams and Sessions</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-43359">1.4. Microsoft Implementations</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-4.1">1.4.1. Windows Domains</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.2">1.4.2. Browsing</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.3">1.4.3. Can a Windows Workgroup Span Multiple Subnets?</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.4">1.4.4. The Windows Internet Name Service (WINS)</a></span></dt><dt><span class="sect2"><a href="#ch01-12452">1.4.5. What Can Samba Do?</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-32691">1.5. An Overview of the Samba Distribution</a></span></dt><dt><span class="sect1"><a href="#ch01-SECT-6">1.6. How Can I Get Samba?</a></span></dt><dt><span class="sect1"><a href="#ch01-40528">1.7. What's New in Samba 2.0?</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-7.1">1.7.1. NT Domains</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.2">1.7.2. Ease of Administration</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.3">1.7.3. Performance</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.4">1.7.4. More Features</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.5">1.7.5. Compatibility Improvements</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.6">1.7.6. Smbwrapper</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-99818">1.8. And That's Not All...</a></span></dt></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-2">2. Installing Samba on a Unix System</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch02-85028">2.1. Downloading the Samba Distribution</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-1.1">2.1.1. Binary or Source?</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-1.2">2.1.2. Read the Documentation</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-28558">2.2. Configuring Samba</a></span></dt><dt><span class="sect1"><a href="#ch02-13217">2.3. Compiling and Installing Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-3.1">2.3.1. Final Installation Steps</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-13464">2.4. A Basic Samba Configuration File</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-4.1">2.4.1. Using SWAT</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-4.2">2.4.2. Testing the Configuration File</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-29069">2.5. Starting the Samba Daemons</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-5.1">2.5.1. Starting the Daemons by Hand</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-5.2">2.5.2. Stand-alone Daemons</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-5.3">2.5.3. Starting From Inetd</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-67898">2.6. Testing the Samba Daemons</a></span></dt></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-3">3. Configuring Windows Clients</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch03-55770">3.1. Setting Up Windows 95/98 Computers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-1.1">3.1.1. Accounts and Passwords</a></span></dt><dt><span class="sect2"><a href="#ch03-36280">3.1.2. Setting Up the Network</a></span></dt><dt><span class="sect2"><a href="#ch03-48802">3.1.3. Setting Your Name and Workgroup </a></span></dt><dt><span class="sect2"><a href="#ch03-13238">3.1.4. Accessing the Samba Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch03-23093">3.2. Setting Up Windows NT 4.0 Computers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-2.1">3.2.1. Basic Configuration</a></span></dt><dt><span class="sect2"><a href="#ch03-85837">3.2.2. Configuring TCP/IP</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-2.3">3.2.3. Connecting to the Samba Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch03-64069">3.3. An Introduction to SMB/CIFS</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-3.1">3.3.1. SMB Format</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.2">3.3.2. SMB Clients and Servers</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.3">3.3.3. A Simple SMB Connection</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.4">3.3.4. Negotiating the Protocol Variant</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.5">3.3.5. Set Session and Login Parameters</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.6">3.3.6. Making Connection to a Resource</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch04-21486">4. Disk Shares </a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch04-76968">4.1. Learning the Samba Configuration File</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-52415">4.1.1. Configuration File Structure</a></span></dt><dt><span class="sect2"><a href="#ch04-87365">4.1.2. Variables</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-81402">4.2. Special Sections</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-2.1">4.2.1. The [globals] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.2">4.2.2. The [ homes] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.3">4.2.3. The [printers] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.4">4.2.4. Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-46076">4.3. Configuration File Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-3.0.1">4.3.1. 
-config file</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-3.0.2">4.3.2. 
-include</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-3.0.3">4.3.3. 
-copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-71382">4.4. Server Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-4.1">4.4.1. Server Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-14274">4.5. Disk Share Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-5.1">4.5.1. Disk Share Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-86705">4.6. Networking Options with Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-6.1">4.6.1. Networking Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-16899">4.7. Virtual Servers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-7.0.1">4.7.1. 
-netbios aliases</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-29331">4.8. Logging Configuration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-97929">4.8.1. Using syslog</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-8.1">4.8.2. Logging Configuration Options</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-5">5. Browsing and Advanced Disk Shares </a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch05-23763">5.1. Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-1.1">5.1.1. Preventing Browsing</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.2">5.1.2. Default Services</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.3">5.1.3. Browsing Elections</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.4">5.1.4. Domain Master Browser</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.5">5.1.5. Browsing Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-34221">5.2. Filesystem Differences</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-2.1">5.2.1. Hiding and Vetoing Files</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-2.2">5.2.2. Links</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-2.3">5.2.3. Filesystem Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-34062">5.3. File Permissions and Attributes on MS-DOS and Unix</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-3.0.1">5.3.1. Creation masks</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-3.1">5.3.2. File and Directory Permission Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-30534">5.4. Name Mangling and Case</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-4.1">5.4.1. The Samba Mangling Operation</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-4.2">5.4.2. Mangling Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-75933">5.5. Locks and Oplocks</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-5.1">5.5.1. Opportunistic Locking</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-5.2">5.5.2. Unix and Locking</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-6">6. Users, Security, and Domains </a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch06-92902">6.1. Users and Groups</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-1.1">6.1.1. The [ homes] Share</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-27678">6.2. Controlling Access to Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-2.1">6.2.1. Guest Access</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-2.2">6.2.2. Access Control Options</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-2.3">6.2.3. Username Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-88596">6.3. Authentication Security</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-3.1">6.3.1. Share-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.2">6.3.2. User-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.3">6.3.3. Server-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.4">6.3.4. Domain-level Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-61393">6.4. Passwords</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-4.0.1">6.4.1. Disabling encrypted passwords on the client</a></span></dt><dt><span class="sect2"><a href="#ch06-17782">6.4.2. The smbpasswd File</a></span></dt><dt><span class="sect2"><a href="#ch06-97004">6.4.3. Password Synchronization</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-4.3">6.4.4. Password Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-23084">6.5. Windows Domains</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-36822">6.5.1. Configuring Samba for Windows Domain Logons</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-5.2">6.5.2. Configuring Windows Clients for Domain Logons</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-5.3">6.5.3. Domain Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-38153">6.6. Logon Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-6.0.1">6.6.1. Roaming profiles</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.0.2">6.6.2. Mandatory profiles</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.1">6.6.3. Logon Script Options</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.2">6.6.4. Other Connection Scripts</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.3">6.6.5. Working with NIS and NFS</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-7">7. Printing and Name Resolution</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch07-61388">7.1. Sending Print Jobs to Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-1.1">7.1.1. Print Commands</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.2">7.1.2. Printing Variables</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.3">7.1.3. A Minimal Printing Setup</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.4">7.1.4. The [printers] Share</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.5">7.1.5. Test Printing</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.6">7.1.6. Setting Up and Testing a Windows Client</a></span></dt><dt><span class="sect2"><a href="#ch07-30008">7.1.7. Automatically Setting Up Printer Drivers</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch07-31526">7.2. Printing to Windows Client Printers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-2.0.1">7.2.1. BSD printers</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-2.0.2">7.2.2. System V printers</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-2.1">7.2.3. Samba Printing Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch07-12219">7.3. Name Resolution with Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-3.1">7.3.1. The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-3.2">7.3.2. Setting Up Samba to Use Another WINS Server</a></span></dt><dt><span class="sect2"><a href="#ch07-83429">7.3.3. Setting Up Samba as a WINS Server</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-3.4">7.3.4. Name Resolution Configuration Options</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-8">8. Additional Samba Information </a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch08-56646">8.1. Supporting Programmers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-1.1">8.1.1. Time Synchronization</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-79987">8.2. Magic Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-2.0.1">8.2.1. magic script</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-2.0.2">8.2.2. 
-magic output</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-91233">8.3. Internationalization</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-17721">8.3.1. 
-client code page</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.2">8.3.2. character set</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.3">8.3.3. coding system</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.4">8.3.4. valid chars</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-82569">8.4. WinPopup Messages</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-4.0.1">8.4.1. message command</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-SECT-5">8.5. Recently Added Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-5.0.1">8.5.1. change notify timeout</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.2">8.5.2. machine password timeout</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.3">8.5.3. stat cache</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.4">8.5.4. stat cache size</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-70923">8.6. Miscellaneous Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-6.0.1">8.6.1. 
-deadtime</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.2">8.6.2. 
-dfree command</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.3">8.6.3. 
-fstype</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.4">8.6.4. keep alive</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.5">8.6.5. 
-max disk size</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.6">8.6.6. 
-max mux</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.7">8.6.7. 
-max open files</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.8">8.6.8. 
-max xmit</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.9">8.6.9. 
-nt pipe support</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.10">8.6.10. 
-nt smb support</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.11">8.6.11. 
-ole locking compatibility</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.12">8.6.12. 
-panic action</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.13">8.6.13. 
-set directory</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.14">8.6.14. 
-smbrun</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.15">8.6.15. 
-status</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.16">8.6.16. 
-strict sync</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.17">8.6.17. 
-sync always</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.18">8.6.18. 
-strip dot</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-74829">8.7. Backups with smbtar</a></span></dt></dl></dd><dt><span class="chapter"><a href="#SAMBA-CH-9">9. Troubleshooting Samba</a></span></dt><dd><dl><dt><span class="sect1"><a href="#ch09-36385">9.1. The Tool Bag</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-1.1">9.1.1. Samba Logs</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-1.2">9.1.2. Samba Test Utilities</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-1.3">9.1.3. Unix Utilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch09-29538">9.2. The Fault Tree</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-2.1">9.2.1. How to use the fault tree</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.2">9.2.2. Troubleshooting Low-level IP </a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.3">9.2.3. Troubleshooting TCP</a></span></dt><dt><span class="sect2"><a href="#ch09-88968">9.2.4. Troubleshooting Server Daemons</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.5">9.2.5. Troubleshooting SMB Connections</a></span></dt><dt><span class="sect2"><a href="#ch09-23573">9.2.6. Troubleshooting Browsing </a></span></dt><dt><span class="sect2"><a href="#ch09-21713">9.2.7. Other Things that Fail </a></span></dt><dt><span class="sect2"><a href="#ch09-23768">9.2.8. Troubleshooting Name Services</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.9">9.2.9. Troubleshooting Network Addresses</a></span></dt><dt><span class="sect2"><a href="#ch09-35552">9.2.10. Troubleshooting NetBIOS Names</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch09-49719">9.3. Extra Resources</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-3.1">9.3.1. Documentation and FAQs</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.2">9.3.2. Samba Newsgroups</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.3">9.3.3. Samba Mailing Lists</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.4">9.3.4. Samba Discussion Archives</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.5">9.3.5. Further Reading</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-A">A. Configuring Samba with SSL</a></span></dt><dd><dl><dt><span class="sect1"><a href="#appa-SECT-1">A.1. About Certificates</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-1.1">A.1.1. What is a Certificate?</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-1.2">A.1.2. What is an X.509 certificate, technically?</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-1.3">A.1.3. What are the implications of this certificate structure?</a></span></dt></dl></dd><dt><span class="sect1"><a href="#appa-SECT-2">A.2. Requirements</a></span></dt><dt><span class="sect1"><a href="#appa-SECT-3">A.3. Installing SSLeay</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-3.1">A.3.1. Configuring SSLeay for Your System</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.2">A.3.2. Configuring Samba to use SSL</a></span></dt><dt><span class="sect2"><a href="#appa-62097">A.3.3. Becoming a Certificate Authority</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.4">A.3.4. Creating Certificates for Clients</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.5">A.3.5. Configuring the Samba Server</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.6">A.3.6. Testing with smbclient</a></span></dt></dl></dd><dt><span class="sect1"><a href="#appa-SECT-4">A.4. Setting Up SSL Proxy</a></span></dt><dt><span class="sect1"><a href="#appa-SECT-5">A.5. SSL Configuration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-5.0.1">A.5.1. 
-ssl</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.2">A.5.2. 
-ssl hosts</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.3">A.5.3. 
-ssl hosts resign</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.4">A.5.4. 
-ssl CA certDir</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.5">A.5.5. 
-ssl CA certFile</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.6">A.5.6. 
-ssl server cert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.7">A.5.7. 
-ssl server key</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.8">A.5.8. 
-ssl client cert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.9">A.5.9. 
-ssl client key</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.10">A.5.10. 
-ssl require clientcert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.11">A.5.11. 
-ssl require servercert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.12">A.5.12. 
-ssl ciphers</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.13">A.5.13. 
-ssl version</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.14">A.5.14. 
-ssl compatibility</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-B">B. Samba Performance Tuning</a></span></dt><dd><dl><dt><span class="sect1"><a href="#appb-47134">B.1. A Simple Benchmark</a></span></dt><dt><span class="sect1"><a href="#appb-50295">B.2. Samba Tuning</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appb-SECT-2.1">B.2.1. Benchmarking</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.2">B.2.2. Things to Tweak</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.3">B.2.3. Other Samba Options</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.4">B.2.4. Our Recommendations </a></span></dt></dl></dd><dt><span class="sect1"><a href="#appb-22511">B.3. Sizing Samba Servers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appb-SECT-3.1">B.3.1. The Bottlenecks</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.2">B.3.2. Reducing Bottlenecks </a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.3">B.3.3. Practical Examples</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.4">B.3.4. How Many Clients can Samba Handle?</a></span></dt><dt><span class="sect2"><a href="#appb-90359">B.3.5. Measurement Forms</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-C">C. Samba Configuration Option Quick Reference</a></span></dt><dd><dl><dt><span class="sect1"><a href="#appc-SECT-1">C.1. Configuration Options</a></span></dt><dt><span class="sect1"><a href="#appc-SECT-2">C.2. Glossary of Configuration Values</a></span></dt><dt><span class="sect1"><a href="#appc-SECT-3">C.3. Configuration File Variables</a></span></dt></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-D">D. Summary of Samba Daemons and Commands</a></span></dt><dd><dl><dt><span class="sect1"><a href="#appd-SECT-1">D.1. Samba Distribution Programs</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appd-SECT-1.1">D.1.1. smbd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.2">D.1.2. nmbd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.3">D.1.3. Samba Startup File </a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.4">D.1.4. smbsh</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.5">D.1.5. smbclient</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.6">D.1.6. smbstatus</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.7">D.1.7. smbtar</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.8">D.1.8. nmblookup</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.9">D.1.9. smbpasswd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.10">D.1.10. testparm</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.11">D.1.11. testprns</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.12">D.1.12. rpcclient</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.13">D.1.13. tcpdump</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#SAMBA-AP-E">E. Downloading Samba with CVS</a></span></dt><dt><span class="appendix"><a href="#SAMBA-AP-F">F. Sample Configuration File</a></span></dt></dl></div><div class="list-of-figures"><p><b>List of Figures</b></p><dl><dt>1.1. <a href="#ch01-45964">A simple network setup with a Samba server</a></dt><dt>1.2. <a href="#ch01-60493">The Network Neighborhood directory</a></dt><dt>1.3. <a href="#ch01-76011">Shares available on the hydra sever as viewed from phoenix</a></dt><dt>1.4. <a href="#ch01-55465">Mapping a network drive to a Windows letter-drive</a></dt><dt>1.5. <a href="#ch01-32686">The Network directory mapped to the client letter-drive G</a></dt><dt>1.6. <a href="#ch01-29255">Shares available on hydra (viewed from chimaera) </a></dt><dt>1.7. <a href="#ch01-46265">A network printer available on hydra (viewed from chimaera)</a></dt><dt>1.8. <a href="#ch01-86658">NBNS versus non-NBNS name registration</a></dt><dt>1.9. <a href="#ch01-72484">NBNS versus non-NBNS name resolution</a></dt><dt>1.10. <a href="#ch01-74707">The structure of NetBIOS names</a></dt><dt>1.11. <a href="#ch01-96972">A simple Windows domain</a></dt><dt>1.12. <a href="#ch01-49344">Using a domain controller for authentication</a></dt><dt>1.13. <a href="#ch01-77521">A Windows domain with a local master and local backup browser</a></dt><dt>1.14. <a href="#ch01-52572">A workgroup that spans more than one subnet</a></dt><dt>2.1. <a href="#ch02-60915">SWAT login</a></dt><dt>2.2. <a href="#ch02-49138">SWAT Global Variables page</a></dt><dt>2.3. <a href="#ch02-29175">SWAT Share Creation screen</a></dt><dt>2.4. <a href="#ch02-37186">SWAT Share Parameters screen</a></dt><dt>3.1. <a href="#ch03-84319">The Passwords Properties panel</a></dt><dt>3.2. <a href="#ch03-26778">The Change Passwords tab</a></dt><dt>3.3. <a href="#ch03-97002">The Change Windows Password dialog box</a></dt><dt>3.4. <a href="#ch03-48947">Windows Networking profiles</a></dt><dt>3.5. <a href="#ch03-15320">The Windows 95/98 Network panel</a></dt><dt>3.6. <a href="#ch03-24245">Selecting a protocol to install</a></dt><dt>3.7. <a href="#ch03-50801">Selecting a protocol to install</a></dt><dt>3.8. <a href="#ch03-61576">Selecting the correct TCP/IP protocol</a></dt><dt>3.9. <a href="#ch03-73526">STCP/IP Properties panel</a></dt><dt>3.10. <a href="#ch03-86883">The DNS Configuration tab</a></dt><dt>3.11. <a href="#ch03-95608">The WINS Configuration tab</a></dt><dt>3.12. <a href="#ch03-42906">The Bindings tab</a></dt><dt>3.13. <a href="#ch03-42408">The Identification tab</a></dt><dt>3.14. <a href="#ch03-88553">Windows Network Neighborhood</a></dt><dt>3.15. <a href="#ch03-17463">Shares on Server</a></dt><dt>3.16. <a href="#ch03-82592">Network panel Identification tab</a></dt><dt>3.17. <a href="#ch03-67735">Changing the identification</a></dt><dt>3.18. <a href="#ch03-66055">The Protocols tab</a></dt><dt>3.19. <a href="#ch03-22321">Select Network Protocol dialog box</a></dt><dt>3.20. <a href="#ch03-97222">Network Services panel dialog box</a></dt><dt>3.21. <a href="#ch03-40000">Select Network Service dialog box </a></dt><dt>3.22. <a href="#ch03-97098">Microsoft TCP/IP Properties for Windows NT</a></dt><dt>3.23. <a href="#ch03-61878">The DNS panel</a></dt><dt>3.24. <a href="#ch03-20855">The WINS Address tab</a></dt><dt>3.25. <a href="#ch03-83060">Service bindings</a></dt><dt>3.26. <a href="#ch03-50785">Windows NT Network Neighborhood</a></dt><dt>3.27. <a href="#ch03-89532">Server's shares</a></dt><dt>3.28. <a href="#ch03-69480">Two computers that both have resources to share</a></dt><dt>4.1. <a href="#ch04-97340">The include option in a Samba configuration file</a></dt><dt>4.2. <a href="#ch04-38915">Network Neighborhood showing the Samba server</a></dt><dt>4.3. <a href="#ch04-50900">Network Neighborhood details listing</a></dt><dt>4.4. <a href="#ch04-13866">The initial data share on the Samba server</a></dt><dt>4.5. <a href="#ch04-88746">Windows client view of a network filesystem specified by path</a></dt><dt>4.6. <a href="#ch04-34850">Windows client view of a share comment</a></dt><dt>4.7. <a href="#ch04-28393">Using NetBIOS aliases for a Samba server
- </a></dt><dt>5.1. <a href="#ch05-15706">Multiple subnets with Samba servers</a></dt><dt>5.2. <a href="#ch05-77260">Hidden files in the [data] share</a></dt><dt>5.3. <a href="#ch05-19743">Hiding files based on filename patterns</a></dt><dt>5.4. <a href="#ch05-62659">Contents of the [data] share with dont descend
-
- </a></dt><dt>5.5. <a href="#ch05-36377">An error dialog trying to follow symbolic links when forbidden by Samba</a></dt><dt>5.6. <a href="#ch05-76568">DOS and Windows file properties</a></dt><dt>5.7. <a href="#ch05-56404">How Samba and Unix view the permissions of a file</a></dt><dt>5.8. <a href="#ch05-74304">Opportunistic locking</a></dt><dt>6.1. <a href="#ch06-33100">Selecting share-level security on a Windows machine</a></dt><dt>6.2. <a href="#ch06-89929">A typical system setup using server level security</a></dt><dt>6.3. <a href="#ch06-54128">Structure of the smbpasswd file entry (actually one line)</a></dt><dt>6.4. <a href="#ch06-48609">Configuring a Windows 95/98 client for domain logons</a></dt><dt>6.5. <a href="#ch06-89804">Configuring a Windows NT client for domain logons</a></dt><dt>6.6. <a href="#ch06-71393">Local profiles versus roaming profiles</a></dt><dt>7.1. <a href="#ch07-35075">A Samba printer in the Network Neighborhood</a></dt><dt>7.2. <a href="#ch07-60084">A printer in the Network Neighborhood</a></dt><dt>7.3. <a href="#ch07-69466">Printer manufacturers and models</a></dt><dt>7.4. <a href="#ch07-43374">Printing successfully completed</a></dt><dt>7.5. <a href="#ch07-52397">The Printers window</a></dt><dt>7.6. <a href="#ch07-60108">Automatically configuring the printer driver</a></dt><dt>7.7. <a href="#ch07-32814">The Printers window</a></dt><dt>7.8. <a href="#ch07-92021">The Sharing tab of the printer</a></dt><dt>7.9. <a href="#ch07-46183">The Add Printer Wizard dialog box in Windows 98</a></dt><dt>8.1. <a href="#ch08-66444">The WinPopup application</a></dt><dt>8.2. <a href="#ch08-18303">The Networking window</a></dt><dt>8.3. <a href="#ch08-41042">TCP/IP Bindings</a></dt><dt>8.4. <a href="#ch08-64918">My Documents Properties</a></dt><dt>8.5. <a href="#ch08-29192">MyFiles Properties as shared</a></dt><dt>9.1. <a href="#ch09-91668">Pinging the Samba server from a Windows client</a></dt><dt>9.2. <a href="#ch09-99328">Results of the NET USE command</a></dt><dt>9.3. <a href="#ch09-74414">Accessing the /tmp directory with Windows Explorer</a></dt><dt>9.4. <a href="#ch09-83710">Using the net view command</a></dt><dt>9.5. <a href="#ch09-60004">List of shares on a server</a></dt><dt>A.1. <a href="#appa-89929">Two possible ways of proxying Windows 95/98 clients</a></dt><dt>B.1. <a href="#appb-34738">SO_SNDBUF size and performance</a></dt><dt>B.2. <a href="#appb-98866">Data flow through a Samba server, with possible bottlenecks</a></dt></dl></div><div class="list-of-tables"><p><b>List of Tables</b></p><dl><dt>1.1. <a href="#ch01-91681">NetBIOS Node Types </a></dt><dt>1.2. <a href="#ch01-11471">NetBIOS Unique Resource Types </a></dt><dt>1.3. <a href="#ch01-52395">NetBIOS Group Resource Types </a></dt><dt>1.4. <a href="#ch01-29352">Datagram Primitives </a></dt><dt>1.5. <a href="#ch01-75575">Session Primitives </a></dt><dt>1.6. <a href="#ch01-14021">Samba Roles (as of 2.0.4b) </a></dt><dt>2.1. <a href="#ch02-85125">Additional Configure Options </a></dt><dt>2.2. <a href="#SAMBA-CH-2-TBL-2.2">Samba Installation Directories </a></dt><dt>3.1. <a href="#ch03-31015">SMB Header Fields  </a></dt><dt>3.2. <a href="#ch03-38178">SMB Command Contents </a></dt><dt>3.3. <a href="#ch03-67366">SMB Protocol Dialects </a></dt><dt>4.1. <a href="#ch04-10883">Samba Variables </a></dt><dt>4.2. <a href="#ch04-94939">Configuration File Options </a></dt><dt>4.3. <a href="#ch04-61150">Server Configuration Options </a></dt><dt>4.4. <a href="#ch04-82964">Basic Share Configuration Options </a></dt><dt>4.5. <a href="#ch04-32963">Networking Configuration Options </a></dt><dt>4.6. <a href="#ch04-92259">Virtual Server Configuration Options </a></dt><dt>4.7. <a href="#ch04-92838">Global Configuration Options </a></dt><dt>4.8. <a href="#ch04-80576">Syslog Priority Conversion </a></dt><dt>5.1. <a href="#ch05-51423">Operating System Values in an Election </a></dt><dt>5.2. <a href="#SAMBA-CH-5-TBL-5.2">Computer Role Settings in an Election </a></dt><dt>5.3. <a href="#ch05-81028">Browsing Configuration Options </a></dt><dt>5.4. <a href="#ch05-48353">Filesystem Configuration Options </a></dt><dt>5.5. <a href="#ch05-96508">File and Directory Permission Options </a></dt><dt>5.6. <a href="#ch05-24354">Operating System Filename Limitations </a></dt><dt>5.7. <a href="#ch05-47431">Name Mangling Options </a></dt><dt>5.8. <a href="#ch05-53407">Locks and Oplocks Configuration Options </a></dt><dt>5.9. <a href="#ch05-55885">SMB Deny-Mode Locks </a></dt><dt>6.1. <a href="#ch06-28077">Share-level Access Options </a></dt><dt>6.2. <a href="#ch06-82964">Username Options </a></dt><dt>6.3. <a href="#ch06-73905">Security Option </a></dt><dt>6.4. <a href="#ch06-80998">Share-Level Access Options </a></dt><dt>6.5. <a href="#ch06-75183">Windows Operating Systems with Encrypted Passwords </a></dt><dt>6.6. <a href="#ch06-77246">Password Chat Response Characters </a></dt><dt>6.7. <a href="#ch06-38512">Password Chat Send Characters </a></dt><dt>6.8. <a href="#ch06-68460">Password Configuration Options </a></dt><dt>6.9. <a href="#ch06-53106">Windows 95/98 Domain Logon Options </a></dt><dt>6.10. <a href="#ch06-46661">Logon Script Options </a></dt><dt>6.11. <a href="#ch06-67528">Connection Script Options </a></dt><dt>6.12. <a href="#ch06-27466">NIS Options </a></dt><dt>7.1. <a href="#ch07-29758">Printing Variables </a></dt><dt>7.2. <a href="#ch07-19361">Printing Configuration Options </a></dt><dt>7.3. <a href="#ch07-28758">Printing Types </a></dt><dt>7.4. <a href="#ch07-82964">Default Commands for Various Printing Commands </a></dt><dt>7.5. <a href="#ch07-82331">WINS Options </a></dt><dt>8.1. <a href="#ch08-73167">Programming Configuration Options </a></dt><dt>8.2. <a href="#ch08-33693">Networking Configuration Options </a></dt><dt>8.3. <a href="#ch08-40870">Networking Configuration Options </a></dt><dt>8.4. <a href="#ch08-20815">Valid Code Pages with Samba 2.0 </a></dt><dt>8.5. <a href="#ch08-14126">Valid Character Sets with Samba 2.0 </a></dt><dt>8.6. <a href="#ch08-57476">Valid Coding System Parameters with Samba 2.0 </a></dt><dt>8.7. <a href="#ch08-18671">WinPopup Configuration Option </a></dt><dt>8.8. <a href="#ch08-29758">Message Command Variables </a></dt><dt>8.9. <a href="#ch08-72538">Recently Added Options </a></dt><dt>8.10. <a href="#ch08-83566">Miscellaneous Options </a></dt><dt>8.11. <a href="#ch08-80519">Filesystem Types </a></dt><dt>A.1. <a href="#appa-61150">SSL Configuration Options </a></dt><dt>B.1. <a href="#appb-73167">Sample Benchmark Benchmarks </a></dt><dt>B.2. <a href="#appb-78077">Disk Throughput </a></dt><dt>B.3. <a href="#appb-42029">CPU Throughput </a></dt><dt>B.4. <a href="#appb-67604">Network Throughput </a></dt><dt>B.5. <a href="#appb-26613">Tuning a Medium-Sized Server </a></dt><dt>B.6. <a href="#appb-82208">Ethernet Interface to Same Host: FTP </a></dt><dt>B.7. <a href="#appb-34846">Ethernet Interface to Same Host: FTP </a></dt><dt>B.8. <a href="#appb-51003">Bottleneck Calculation Table</a></dt><dt>B.9. <a href="#appb-37370">Ethernet Interface to Same Host: FTP </a></dt><dt>B.10. <a href="#SAMBA-AP-B-TBL-10">Sparc 20 Example, Redux</a></dt><dt>C.1. <a href="#appc-88529">Variables in Alphabetic Order </a></dt><dt>D.1. <a href="#appd-89417">smbclient Commands </a></dt><dt>D.2. <a href="#appd-39300">smbclient Printing Commands </a></dt><dt>D.3. <a href="#appd-54517">smbclient Printing Commands </a></dt><dt>D.4. <a href="#appd-65243">rpcclient commands </a></dt></dl></div><div class="preface" lang="en"><div class="titlepage"></div><p>Copyright © 2000 O'Reilly &amp; Associates, Inc. All rights reserved. This material may be redistributed only under the terms of the Open Content
-License.  For information on the Open Content License under which the
-contents of this book are licensed, see <code class="systemitem">http://www.oreilly.com/catalog/samba/</code>.</p><p>Printed in the United States of America.</p><p>Published by O'Reilly &amp; Associates, Inc., 101 Morris Street,
-Sebastopol, CA 95472.</p><p>The O'Reilly logo is a registered trademark of O'Reilly &amp;
-Associates, Inc.  Many of the designations used by manufacturers and
-sellers to distinguish their products are claimed as trademarks.
-Where those designations appear in this book, and O'Reilly &amp;
-Associates, Inc. was aware of a trademark claim, the designations have
-been printed in caps or initial caps. The association between the
-image of the North African ground hornbill and the topic of Samba is
-a trademark of O'Reilly &amp; Associates, Inc.</p><p>While every precaution has been taken in the preparation of this
-book, the publisher assumes no responsibility for errors or omissions,
-or for damages resulting from the use of the information contained
-herein.</p></div><div class="preface" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch00"></a>Preface</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch00-SECT-1">The Samba Suite</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-2">Audience for this Book</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-3">Samba Installation Checklist</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-4">Organization</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-5">Conventions</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-6">Request for Comments</a></span></dt><dt><span class="sect1"><a href="#ch00-SECT-7">Acknowledgments</a></span></dt></dl></div><p>It's nine in the morning and you've just arrived at the computer center after a refreshing night's sleep. Your pager hasn't gone off in months. Life is pretty good as a system administrator &#8212; and why shouldn't it be, with the network you're running? Two hundred identical machines, all running the same operating system. All of the printers are networked, accessible from anywhere in the building, and the auto-configuration scripts that the manufacturer supplied ensure that everyone in the company has a consistent view of the shared disks you've set up. Yes, this is the good life. You lean back and take that first delicious sip of morning coffee . . . .</p><p>And then, the alarm clock jolts you out of your blissful reverie. If you're like most system administrators, this could only be a dream. Your morning probably starts with a tireless struggle to get four different computer platforms running three different operating systems simply to talk to each other &#8212; that is, if the phone ever stops ringing. Most of your users don't understand why it's so hard to access a file on another computer or to send a job to a remote printer. The logs show that the backups are late. For some reason the PCs on the second floor can't find the tape server. With all these headaches, what's a network administrator to do?</p><p>Easy: take the day off, read this book, and learn Samba!</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-1"></a>The Samba Suite</h2></div></div></div><p>Samba is a suite of tools for sharing resources such as printers and files across a network. This may be a bit of an oversimplification, but Samba is really designed to make your life easier. Samba uses the Server Message Block (SMB) protocol, which is endorsed jointly by Microsoft and IBM, to communicate low-level data between Windows clients and Unix servers on a TCP/IP network.</p><p>
-<a class="indexterm" name="ch00-idx-941381-0"></a>Four features of Samba make it extremely attractive:</p><div class="itemizedlist"><ul type="disc"><li><p>Samba speaks the same SMB protocol that Microsoft and IBM operating systems have used as their standard since DOS 3.0. This means that almost all Windows machines already understand it and there is no extra client software to install.</p></li><li><p>Samba runs on a variety of platforms, including most variants of Unix, OpenVMS, OS/2, AmigaDOS, and NetWare. This means that you can use a single program on the server to provide files and printers to a community of PCs.</p></li><li><p>Samba is free. There are several commercial products that duplicate Samba's features, and some of them are quite expensive. Samba offers you an alternative to packages that could gobble up a significant portion of your IS budget. Samba is distributed under the GNU General Public License (GPL), and is considered by its authors to be <em class="firstterm">Open Source</em> software. In other words, you can freely download both the application and the accompanying source code to your computer, and even improve on the original Samba programs if you like.</p></li><li><p>Samba administration is centralized on the server. You don't have to visit every one of your machines, floppy or CD-ROM in hand, to upgrade the client software.</p></li></ul></div><p>Samba is a complete solution for local area networks (LANs) of all sizes&#8212;everything from the two-computer home network to corporate installations with hundreds of nodes. Samba is simple to set up and to administer, and presents itself as a transparent network environment that offers users access to all of the resources they need to get their work done. Once you've set it up, Samba will let you:</p><div class="itemizedlist"><ul type="disc"><li><p>Serve Unix files to Windows, OS/2, and other OS clients</p></li><li><p>Allow Unix clients to access PC files</p></li><li><p>Serve network printers to Windows clients</p></li><li><p>Provide name services (broadcast and WINS)</p></li><li><p>Allow browsing of network resources from Windows clients</p></li><li><p>Create Windows workgroups or domains</p></li><li><p>Enforce username and password authentication of clients</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-2"></a>Audience for this Book</h2></div></div></div><p>The primary audience of this book is Unix administrators who need to support PCs on their network, and anyone who needs to provide a Unix server in a PC environment. But we don't want to burden you with an endless series of arcane system administration tools and vocabulary. While we assume you are familiar with basic Unix system administration, we will <span class="emphasis"><em>not</em></span> assume you are a networking expert. We'll do our best along the way to help out with unusual definitions and terms.</p><p>Because we don't assume a tremendous amount of experience with Microsoft Windows, we will go through the PC side of the installation task in considerable detail and give examples for both Windows 95/98 and Windows NT, which are subtly different. For the Unix side, we will give examples for common Unix operating systems, such as Linux 2.0 or Solaris 2.6.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-3"></a>Samba Installation Checklist</h2></div></div></div><p>Before you get started, you should have:</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="ch00-idx-941383-0"></a><a class="indexterm" name="ch00-idx-941383-1"></a><a class="indexterm" name="ch00-idx-941383-2"></a>
-
-
-
-The latest Samba distribution, which you can download directly off the Internet at <code class="systemitem">http://www.samba.org/</code>.</p></li><li><p>The names and IP addresses of the servers and client machines you plan to use, the netmask of your network, and the names and IP addresses of your domain name (DNS) servers.</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-4"></a>Organization</h2></div></div></div><p>The book can be roughly divided into two sections: Samba installation (<a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a> through <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a>) and Samba configuration and optimization (<a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a> through <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>). Here is a detailed breakdown of each of the chapters:</p><div class="variablelist"><dl><dt><span class="term"><a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a></span></dt><dd><p>This chapter introduces each of the Samba components and gives a brief overview of NetBIOS and Windows networking.</p></dd><dt><span class="term"><a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a></span></dt><dd><p>This chapter covers configuring, compiling, installing, and testing the Samba server on a Unix platform.</p></dd><dt><span class="term"><a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a></span></dt><dd><p>This chapter explains how to configure Microsoft Windows 95/98 and NT 4.0 clients to participate in an SMB network. It also gives a brief introduction to the SMB protocol in action.</p></dd><dt><span class="term"><a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a></span></dt><dd><p>This chapter gets you up to speed with the individual parts of the Samba configuration file and shows you how to configure disk services.</p></dd><dt><span class="term"><a href="#SAMBA-CH-5" title="Chapter 5. Browsing and Advanced Disk Shares">Chapter 5</a></span></dt><dd><p>This chapter continues the discussion of disk options and examines browsing with Samba.</p></dd><dt><span class="term"><a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a></span></dt><dd><p>This chapter discusses how to set up users, introduces you to Samba security, and shows you how to work with encrypted and non-encrypted passwords. We also discuss how to set up Samba as a primary domain controller for Windows 95/98 and NT clients.</p></dd><dt><span class="term"><a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a></span></dt><dd><p>This chapter discusses printer and Windows Internet Naming Service (WINS) setup with Samba.</p></dd><dt><span class="term"><a href="#SAMBA-CH-8" title="Chapter 8. Additional Samba Information">Chapter 8</a></span></dt><dd><p>This chapter bundles several miscellaneous activities associated with Samba, such as configuring Samba shares for programmers, internationalization issues, and backing up with <span class="emphasis"><em>smbtar</em></span>.</p></dd><dt><span class="term"><a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a></span></dt><dd><p>If you have problems installing Samba, this comparatively large chapter is packed with troubleshooting hints and strategies as to what might be going wrong.</p></dd><dt><span class="term"><a href="#SAMBA-AP-A" title="Appendix A. Configuring Samba with SSL">Appendix A</a></span></dt><dd><p>This appendix shows you the nitty-gritty of setting up Samba with Secure Sockets Layers (SSL) connections between the server and its clients.</p></dd><dt><span class="term"><a href="#SAMBA-AP-B" title="Appendix B. Samba Performance Tuning">Appendix B</a></span></dt><dd><p>This appendix discusses various techniques to optimize Samba processing on your network.</p></dd><dt><span class="term"><a href="#SAMBA-AP-C" title="Appendix C. Samba Configuration Option Quick Reference">Appendix C</a></span></dt><dd><p>This appendix covers each of the options used in the <code class="filename">smb.conf</code> file.</p></dd><dt><span class="term"><a href="#SAMBA-AP-D" title="Appendix D. Summary of Samba Daemons and Commands">Appendix D</a></span></dt><dd><p>Each of the server daemons and tools that make up the Samba suite are covered in this appendix. In addition, we provide a list of mirror sites on the Internet from which Samba can be downloaded.</p></dd><dt><span class="term"><a href="#SAMBA-AP-E" title="Appendix E. Downloading Samba with CVS">Appendix E</a></span></dt><dd><p>This appendix explains how to download the latest version of Samba with CVS.</p></dd><dt><span class="term"><a href="#SAMBA-AP-F" title="Appendix F. Sample Configuration File">Appendix F</a></span></dt><dd><p>This appendix provides a large-scale Samba configuration file, which you might find in place at a large corporation. We have embedded comments in the file to explain the more arcane options.</p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-5"></a>Conventions</h2></div></div></div><p>The following font conventions are followed throughout this book:</p><div class="variablelist"><dl><dt><span class="term">Italic </span></dt><dd><p>Filenames, file extensions, URLs, Internet addresses, executable files, commands, and emphasis.</p></dd><dt><span class="term"><code class="literal">Constant Width</code> </span></dt><dd><p>Samba configuration options and other code that appear in the text, and command-line information that should be typed verbatim on the screen.</p></dd><dt><span class="term"><strong class="userinput"><code>Bold Constant Width</code></strong> </span></dt><dd><p>Commands that are entered by the user, and new configuration options that we wish to bring to the attention of the reader.</p></dd><dt><span class="term"><em class="replaceable"><code>Constant Width Italic</code></em></span></dt><dd><p>Replaceable content in code and command-line information.</p></dd></dl></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch00-NOTE-0"></a>Tip</h3><p>This icon designates a note, which is an important aside to the nearby text.</p></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch00-NOTE-1"></a>Warning</h3><p>This icon designates a warning related to the nearby text.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-6"></a>Request for Comments</h2></div></div></div><p>As a reader of this book, you can help us to improve the next edition. If you find errors, inaccuracies, or typographical errors anywhere in the book, please let us at O'Reilly know about them. Also, if you find any misleading statements or confusing explanations, let us know that as well. Send all correspondence to:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>O'Reilly &amp; Associates</td></tr><tr><td>101 Morris Street</td></tr><tr><td>Sebastopol, CA 95472</td></tr><tr><td>1-800-998-9938 (in the U.S. or Canada)</td></tr><tr><td>1-707-829-0515 (international/local)</td></tr><tr><td>1-707-829-0104 (fax)</td></tr><tr><td><code class="email">&lt;<a href="mailto:bookquestions@ora.com">bookquestions@ora.com</a>&gt;</code></td></tr></table><p>Please let us know what we can do to make the book more helpful to you. We take your comments seriously, and will do whatever we can to make this book as useful as it can be.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch00-SECT-7"></a>Acknowledgments</h2></div></div></div><p>Robert Eckstein</p><div class="blockquote"><blockquote class="blockquote"><p>I'd first like to recognize Dave Collier-Brown and Peter Kelly for all their help in the creation of this book. I'd also like to thank each of the technical reviewers that helped polish this book into shape on such short notice: Matthew Temple, Jeremy Allison, and of course Andrew Tridgell. Andrew and Jeremy deserve special recognition, not only for creating such a wonderful product, but for providing a tireless amount of support in the final phase of this book&#8212;hats off to you, guys! A warm hug goes out to my wife Michelle, who once again put up with a husband loaded down with too much caffeine on a tight schedule. Thanks to Dave Sifry and the people at LinuxCare, San Francisco, for hosting me on such short notice for Andrew Tridgell's visit. And finally, a huge amount of thanks to our editor, Andy Oram, who (very) patiently helped guide this book through its many stages until we got it right.</p></blockquote></div><p>David Collier-Brown</p><div class="blockquote"><blockquote class="blockquote"><p>I'd especially like to thank Joyce, who put up with me during the sometimes exciting development of the book. My thanks to Andy Oram, who was kind enough to provide the criticism that allowed me to contribute; the crew at Opcom who humored the obvious madman in their midst; and Ian MacMillan, who voluntarily translated several of my early drafts from nerd to English. I would also like to give special thanks to Perry Donham, Drew Sullivan, and Jerry DeRoo.</p></blockquote></div><p>Peter Kelly</p><div class="blockquote"><blockquote class="blockquote"><p>A few people really made this book possible, and I have to bow to them. Dave Collier-Brown, and then Bob Eckstein, took over my part of this project with style and professionalism and I can't explain how much I owe them for the great work that came out of it. Editor Andy Oram is by far the most patient and pleasant person I have met. Also, I don't think that I would have been involved in this book without the help of Xavier Cazin from O'Reilly, who originally came to me asking for a proposal after reading my Linux Journal article. I also would like to thank all of the JDP.COM consultants (  Jerry, Peggyann, Drew, Gord, Jerome, Mark, Rick&#8212;too many to list!) for allowing me to continue to work with them. I thank the O'Reilly staff that I have worked with as well; they are a great bunch of people. Also, thanks to the Samba Team for making Samba in the first place. And most importantly, Kate McKay, for staying with me this long!</p></blockquote></div><p>We would especially like to give thanks to Perry Donham for helping mold the first draft of this book. Although Perry was unable to contribute to subsequent drafts, his material was essential to getting this book off on the right foot. In addition, some of the browsing material came from text originally written by Dan Shearer for O'Reilly.</p><p>We are deeply indebted to the production department at O'Reilly for another fantastic job. Sarah Jane Shangraw worked long hours accommodating our seemingly endless edits, and Rob Romano tirelessly edited our images again and again until they were perfect. Special thanks also to Claire Cloutier LeBlanc, Rhon Porter, and Mike Sierra for their help&#8212;we couldn't have done it without any of them. It is largely through their collective efforts that this book arrived to you in November 1999 instead of November 2000.</p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch01-48078"></a>Chapter 1. Learning the Samba</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch01-28119">1.1. What is Samba?</a></span></dt><dt><span class="sect1"><a href="#ch01-SECT-2">1.2. What Can Samba Do For Me?</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-2.1">1.2.1. Sharing a Disk Service</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-2.2">1.2.2. Sharing a Printer</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-88536">1.3. Getting Familiar with a SMB/CIFS Network</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-3.1">1.3.1. Understanding NetBIOS</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.2">1.3.2. Getting a Name</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.3">1.3.3. Node Types</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.4">1.3.4. What's in a Name?</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-3.5">1.3.5. Datagrams and Sessions</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-43359">1.4. Microsoft Implementations</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-4.1">1.4.1. Windows Domains</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.2">1.4.2. Browsing</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.3">1.4.3. Can a Windows Workgroup Span Multiple Subnets?</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-4.4">1.4.4. The Windows Internet Name Service (WINS)</a></span></dt><dt><span class="sect2"><a href="#ch01-12452">1.4.5. What Can Samba Do?</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-32691">1.5. An Overview of the Samba Distribution</a></span></dt><dt><span class="sect1"><a href="#ch01-SECT-6">1.6. How Can I Get Samba?</a></span></dt><dt><span class="sect1"><a href="#ch01-40528">1.7. What's New in Samba 2.0?</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch01-SECT-7.1">1.7.1. NT Domains</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.2">1.7.2. Ease of Administration</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.3">1.7.3. Performance</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.4">1.7.4. More Features</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.5">1.7.5. Compatibility Improvements</a></span></dt><dt><span class="sect2"><a href="#ch01-SECT-7.6">1.7.6. Smbwrapper</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch01-99818">1.8. And That's Not All...</a></span></dt></dl></div><p>
-<a class="indexterm" name="ch01-idx-951466-0"></a>If you are a typical system administrator, then you know what it means to be <span class="emphasis"><em>swamped</em></span> with work. Your daily routine is filled with endless hardware incompatibility issues, system outages, data backup problems, and a steady stream of angry users. So adding another program to the mix of tools that you have to maintain may sound a bit perplexing. However, if you're determined to reduce the complexity of your work environment, as well as the workload of keeping it running smoothly, Samba may be the tool you've been waiting for.</p><p>A case in point: one of the authors of this book used to look after 70 Unix developers sharing 5 Unix servers. His neighbor administered 20 Windows 3.1 users and 5 OS/2 and Windows NT servers. To put it mildly, the Windows 3.1 administrator was swamped. When he finally left&#8212;and the domain controller melted&#8212;Samba was brought to the rescue. Our author quickly replaced the Windows NT and   OS/2 servers with Samba running on a Unix server, and eventually bought PCs for most of the company developers. However, he did the latter without hiring a new PC administrator; the administrator now manages one centralized Unix application instead of fifty distributed PCs.</p><p>If you know you're facing a problem with your network and you're sure there is a better way, we encourage you to start reading this book. Or, if you've heard about Samba and you want to see what it can do for you, this is also the place to start. We'll get you started on the path to understanding Samba and its potential. Before long, you can provide Unix services to all your Windows machines&#8212;all without spending tons of extra time or money. Sound enticing? Great, then let's get started.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-28119"></a>What is Samba?</h2></div></div></div><p>Samba is a suite of Unix applications that speak the <a class="indexterm" name="ch01-idx-951468-0"></a>
-<a class="indexterm" name="ch01-idx-951468-1"></a>SMB (Server Message Block) protocol. Many operating systems, including Windows and OS/2, use SMB to perform client-server networking. By supporting this protocol, Samba allows Unix servers to get in on the action, communicating with the same networking protocol as Microsoft Windows products. Thus, a Samba-enabled Unix machine can masquerade as a server on your Microsoft network and offer the following services:</p><div class="itemizedlist"><ul type="disc"><li><p>
-<a class="indexterm" name="ch01-idx-951506-0"></a>Share one or more filesystems</p></li><li><p>Share printers installed on both the server and its clients</p></li><li><p>Assist clients with Network Neighborhood browsing</p></li><li><p>Authenticate clients logging onto a Windows domain</p></li><li><p>Provide or assist with WINS name server resolution</p></li></ul></div><p>Samba is the brainchild of <a class="indexterm" name="ch01-idx-951508-0"></a>Andrew Tridgell, who currently heads the Samba development team from his home of Canberra, Australia. The project was born in 1991 when Andrew created a fileserver program for his local network that supported an odd DEC protocol from Digital Pathworks. Although he didn't know it at the time, that protocol later turned out to be SMB. A few years later, he expanded upon his custom-made SMB server and began distributing it as a product on the Internet under the name SMB Server. However, Andrew couldn't keep that name&#8212;it already belonged to another company's product&#8212;so he tried the following Unix renaming approach:</p><pre class="programlisting">grep -i 's.*m.*b' /usr/dict/words<a class="indexterm" name="ch01-idx-951514-0"></a></pre><p>And the response was:</p><pre class="programlisting">salmonberry samba sawtimber scramble</pre><p>Thus, the name "Samba" was born.<sup>[<a name="ch01-pgfId-946532" href="#ftn.ch01-pgfId-946532">1</a>]</sup></p><p>Today, the Samba suite revolves around a pair of <a class="indexterm" name="ch01-idx-951515-0"></a>
-<a class="indexterm" name="ch01-idx-951515-1"></a>Unix daemons that provide <a class="indexterm" name="ch01-idx-951518-0"></a>shared resources&#8212;or <em class="firstterm">shares</em>&#8212;to SMB clients on the network. (Shares are sometimes called <a class="indexterm" name="ch01-idx-951527-0"></a>s<em class="firstterm">ervices</em> as well.) These daemons are:</p><div class="variablelist"><dl><dt><span class="term">smbd</span></dt><dd><p>
-<a class="indexterm" name="ch01-idx-951528-0"></a>A daemon that allows file and printer sharing on an SMB network and provides authentication and authorization for SMB clients.</p></dd><dt><span class="term">nmbd</span></dt><dd><p>
-<a class="indexterm" name="ch01-idx-951529-0"></a>A daemon that looks after the <a class="indexterm" name="ch01-idx-951530-0"></a>Windows Internet Name Service (WINS), and assists with browsing.</p></dd></dl></div><p>Samba is currently maintained and extended by a group of volunteers under the active supervision of Andrew Tridgell. Like the Linux operating system, Samba is considered <em class="firstterm">Open Source software </em>
-<a class="indexterm" name="ch01-idx-951531-0"></a>
-<a class="indexterm" name="ch01-idx-951531-1"></a>(OSS) by its authors, and is distributed under the <a class="indexterm" name="ch01-idx-951532-0"></a>GNU General Public License (GPL). Since its inception, development of Samba has been sponsored in part by the <a class="indexterm" name="ch01-idx-951533-0"></a>Australian National University, where Andrew Tridgell earned his Ph.D.<sup>[<a name="ch01-pgfId-946542" href="#ftn.ch01-pgfId-946542">2</a>]</sup> In addition, some development has been sponsored by independent vendors such as <a class="indexterm" name="ch01-idx-951534-0"></a>Whistle and <a class="indexterm" name="ch01-idx-951535-0"></a>SGI. It is a true testament to Samba that both commercial and non-commercial entities are prepared to spend money to support an Open Source effort.</p><p>
-<a class="indexterm" name="ch01-idx-951536-0"></a>Microsoft has also contributed materially by putting forward its definition of SMB and the Internet-savvy <a class="indexterm" name="ch01-idx-951537-0"></a>
-<a class="indexterm" name="ch01-idx-951537-1"></a>Common Internet File System (CIFS), as a public <a class="indexterm" name="ch01-idx-951538-0"></a>
-<a class="indexterm" name="ch01-idx-951538-1"></a>Request for Comments (RFC), a standards document. The CIFS protocol is Microsoft's renaming of future versions of the SMB protocol that will be used in Windows products&#8212;the two terms can be used interchangeably in this book. Hence, you will often see the protocol written as "<a class="indexterm" name="ch01-idx-951539-0"></a>SMB/CIFS."</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-SECT-2"></a>What Can Samba Do For Me?</h2></div></div></div><p>As explained earlier, Samba can help Windows and Unix machines coexist in the same network. However, there are some specific reasons why you might want to set up a Samba server on your network:</p><div class="itemizedlist"><ul type="disc"><li><p>
-<a class="indexterm" name="ch01-idx-951583-0"></a>You don't want to pay for&#8212;or can't afford&#8212;a full-fledged Windows NT server, yet you still need the functionality that one provides.</p></li><li><p>You want to provide a common area for data or user directories in order to transition from a Windows server to a Unix one, or vice versa.</p></li><li><p>You want to be able to share printers across both Windows and Unix workstations.</p></li><li><p>You want to be able to access NT files from a Unix server.</p></li></ul></div><p>Let's take a quick tour of Samba in action. Assume that we have the following basic network configuration: a Samba-enabled Unix machine, to which we will assign the name <code class="literal">hydra</code>, and a pair of Windows clients, to which we will assign the names <code class="literal">phoenix</code> and <code class="literal">chimaera</code>, all connected via a local area network (LAN). Let's also assume that <code class="literal">hydra</code> also has a local inkjet printer connected to it, <code class="literal">lp</code>, and a disk share named <code class="literal">network</code>&#8212;both of which it can offer to the other two machines. A graphic of this network is shown in <a href="#ch01-45964" title="Figure 1.1. A simple network setup with a Samba server">Figure 1.1</a>.</p><div class="figure"><a name="ch01-45964"></a><p class="title"><b>Figure 1.1. A simple network setup with a Samba server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 209px"><td><img src="figs/sam.0101.gif" height="209" alt="A simple network setup with a Samba server"></td></tr></table></div></div></div><br class="figure-break"><p>In this network, each of the computers listed share the same <em class="firstterm">workgroup</em>
-<a class="indexterm" name="ch01-idx-951584-0"></a>. A workgroup is simply a group nametag that identifies an arbitrary collection of computers and their resources on an <a class="indexterm" name="ch01-idx-951585-0"></a>SMB network. There can be several workgroups on the network at any time, but for our basic network example, we'll have only one: the SIMPLE workgroup.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-2.1"></a>Sharing a Disk Service</h3></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951617-0"></a>If <a class="indexterm" name="ch01-idx-951876-0"></a>
-<a class="indexterm" name="ch01-idx-951876-1"></a>everything is properly configured, we should be able to see the Samba server, <code class="literal">hydra</code>, through the Network Neighborhood of the <code class="literal">phoenix</code> Windows desktop. In fact, <a href="#ch01-60493" title="Figure 1.2. The Network Neighborhood directory">Figure 1.2</a> shows the Network Neighborhood of the <code class="literal">phoenix</code> computer, including <code class="literal">hydra</code> and each of the computers that reside in the SIMPLE workgroup. Note the Entire Network icon at the top of the list. As we just mentioned, there can be more than one workgroup on an SMB network at any given time. If a user clicks on the <a class="indexterm" name="ch01-idx-951586-0"></a>Entire Network icon, he or she will see a list of all the workgroups that currently exist on the network.</p><div class="figure"><a name="ch01-60493"></a><p class="title"><b>Figure 1.2. The Network Neighborhood directory</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 174px"><td><img src="figs/sam.0102.gif" height="174" alt="The Network Neighborhood directory"></td></tr></table></div></div></div><br class="figure-break"><p>We can take a closer look at the <code class="literal">hydra</code> server by double-clicking on its icon. This contacts <code class="literal">hydra</code> itself and requests a list of its <em class="firstterm">shares</em>&#8212;the file and printer resources&#8212;that the machine provides. In this case, there is a printer entitled <code class="literal">lp</code> and a disk share entitled <code class="literal">network</code> on the server, as shown in <a href="#ch01-76011" title="Figure 1.3. Shares available on the hydra sever as viewed from phoenix">Figure 1.3</a>. Note that the Windows display shows hostnames in mixed case (Hydra). <a class="indexterm" name="ch01-idx-951589-0"></a>Case is irrelevant in <a class="indexterm" name="ch01-idx-951588-0"></a>hostnames, so you may see hydra, Hydra, and HYDRA in various displays or command output, but they all refer to a single system. Thanks to Samba, Windows 98 sees the Unix server as a valid SMB server, and can access the <code class="literal">network</code> folder as if it were just another system folder.</p><div class="figure"><a name="ch01-76011"></a><p class="title"><b>Figure 1.3. Shares available on the hydra sever as viewed from phoenix</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 148px"><td><img src="figs/sam.0103.gif" height="148" alt="Shares available on the hydra sever as viewed from phoenix"></td></tr></table></div></div></div><br class="figure-break"><p>One popular feature of Windows 95/98/NT is that you can map a letter-drive to a known network directory using the <a class="indexterm" name="ch01-idx-951590-0"></a>
-<a class="indexterm" name="ch01-idx-951590-1"></a>
-<a class="indexterm" name="ch01-idx-951590-2"></a>
-<a class="indexterm" name="ch01-idx-951590-3"></a>Map Network Drive option in the Windows Explorer.<sup>[<a name="ch01-pgfId-941061" href="#ftn.ch01-pgfId-941061">3</a>]</sup> Once you do so, your applications can access the folder across the network with a standard <a class="indexterm" name="ch01-idx-951592-0"></a>drive letter. Hence, you can store data on it, install and run programs from it, and even password-protect it against unwanted visitors. See <a href="#ch01-55465" title="Figure 1.4. Mapping a network drive to a Windows letter-drive">Figure 1.4</a> for an example of mapping a letter-drive to a network directory.</p><div class="figure"><a name="ch01-55465"></a><p class="title"><b>Figure 1.4. Mapping a network drive to a Windows letter-drive</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 336px"><td><img src="figs/sam.0104.gif" width="502" alt="Mapping a network drive to a Windows letter-drive"></td></tr></table></div></div></div><br class="figure-break"><p>Take a look at the Path: entry in the dialog box of <a href="#ch01-55465" title="Figure 1.4. Mapping a network drive to a Windows letter-drive">Figure 1.4</a>. An equivalent way to represent a directory on a network machine is by using two <a class="indexterm" name="ch01-idx-951593-0"></a>
-<a class="indexterm" name="ch01-idx-951593-1"></a>backslashes, followed by the name of the networked machine, another backslash, and the networked directory of the machine, as shown below:</p><pre class="programlisting"><span class="emphasis"><em>\\</em></span><em class="replaceable"><code>network-machine</code></em><span class="emphasis"><em>\</em></span><em class="replaceable"><code>directory</code></em></pre><p>This is known as the <em class="firstterm">UNC</em>
-<a class="indexterm" name="ch01-idx-951594-0"></a>
-<a class="indexterm" name="ch01-idx-951594-1"></a> (Universal Naming Convention) in the Windows world. For example, the dialog box in <a href="#ch01-55465" title="Figure 1.4. Mapping a network drive to a Windows letter-drive">Figure 1.4</a> represents the network directory on the <code class="literal">hydra</code> server as:</p><pre class="programlisting">\\HYDRA\<em class="replaceable"><code>network</code></em></pre><p>If this looks somewhat familiar to you, you're probably thinking of <em class="firstterm">uniform resource locators</em>
-<a class="indexterm" name="ch01-idx-951607-0"></a>
-<a class="indexterm" name="ch01-idx-951607-1"></a> (URLs), which are addresses that web browsers such as Netscape Navigator and Internet Explorer use to resolve machines across the Internet. Be sure not to confuse the two: web browsers typically use <a class="indexterm" name="ch01-idx-951608-0"></a>forward slashes instead of back slashes, and they precede the initial slashes with the <a class="indexterm" name="ch01-idx-951611-0"></a>data transfer protocol (i.e., <a class="indexterm" name="ch01-idx-951612-0"></a>ftp, <a class="indexterm" name="ch01-idx-951613-0"></a>http) and a <a class="indexterm" name="ch01-idx-951610-0"></a>
-<a class="indexterm" name="ch01-idx-951610-1"></a>colon (:). In reality, URLs and UNCs are two completely separate things.</p><p>Once the network drive is set up, Windows and its programs will behave as if the networked directory was a fixed disk. If you have any applications that support <a class="indexterm" name="ch01-idx-952014-0"></a>
-<a class="indexterm" name="ch01-idx-952014-1"></a>multiuser functionality on a network, you can install those programs on the network drive.<sup>[<a name="ch01-pgfId-952017" href="#ftn.ch01-pgfId-952017">4</a>]</sup> <a href="#ch01-32686" title="Figure 1.5. The Network directory mapped to the client letter-drive G">Figure 1.5</a> shows the resulting network drive as it would appear with other storage devices in the Windows 98 client. Note the pipeline attachment in the icon for the G: drive; this indicates that it is a network drive instead of a fixed drive.</p><div class="figure"><a name="ch01-32686"></a><p class="title"><b>Figure 1.5. The Network directory mapped to the client letter-drive G</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 224px"><td><img src="figs/sam.0105.gif" height="224" alt="The Network directory mapped to the client letter-drive G"></td></tr></table></div></div></div><br class="figure-break"><p>From our Windows NT Workstation machine, <code class="literal">chimaera</code>, Samba looks almost identical to Windows 98. <a href="#ch01-29255" title="Figure 1.6. Shares available on hydra (viewed from chimaera)">Figure 1.6</a> shows the same view of the <code class="literal">hydra</code> server from the Windows NT 4.0 Network Neighborhood. Setting up the network drive using the Map Network Drive option in Windows NT Workstation 4.0 would have identical results as well.</p><div class="figure"><a name="ch01-29255"></a><p class="title"><b>Figure 1.6. Shares available on hydra (viewed from chimaera) </b></p><div class="figure-contents"><a class="indexterm" name="ch01-idx-951618-0"></a><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 141px"><td><img src="figs/sam.0106.gif" height="141" alt="Shares available on hydra (viewed from chimaera)"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-2.2"></a>Sharing a Printer</h3></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951620-0"></a>
-<a class="indexterm" name="ch01-idx-951620-1"></a>You probably noticed that the printer <code class="literal">lp</code> appeared under the available shares for <code class="literal">hydra</code> in <a href="#ch01-76011" title="Figure 1.3. Shares available on the hydra sever as viewed from phoenix">Figure 1.3</a>. This indicates that the Unix server has a printer that can be shared by the various SMB clients in the workgroup. Data sent to the printer from any of the clients will be spooled on the Unix server and printed in the order it is received.</p><p>
-<a class="indexterm" name="ch01-idx-951636-0"></a>Setting up a Samba-enabled printer on the Windows side is even easier than setting up a disk share. By double-clicking on the printer and identifying the manufacturer and model, you can install a driver for this printer on the Windows client. Windows can then properly format any information sent to the network printer and access it as if it were a local printer (we show you how to do this later in the chapter). <a href="#ch01-46265" title="Figure 1.7. A network printer available on hydra (viewed from chimaera)">Figure 1.7</a> shows the resulting network printer in the Printers window of Windows 98. Again, note the pipeline attachment below the printer, which identifies it as being on a network.</p><div class="figure"><a name="ch01-46265"></a><p class="title"><b>Figure 1.7. A network printer available on hydra (viewed from chimaera)</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 223px"><td><img src="figs/sam.0107.gif" height="223" alt="A network printer available on hydra (viewed from chimaera)"></td></tr></table></div></div></div><br class="figure-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-2.2.1"></a>Seeing things from the Unix side</h4></div></div></div><p>As mentioned earlier, Samba appears in Unix as a set of <a class="indexterm" name="ch01-idx-951638-0"></a>
-<a class="indexterm" name="ch01-idx-951638-1"></a>
-<a class="indexterm" name="ch01-idx-951638-2"></a>
-<a class="indexterm" name="ch01-idx-951638-3"></a>daemon programs. You can view them with the Unix <code class="literal">ps</code> and <code class="literal">netstat</code> commands, you can read any messages they generate through custom debug files or the Unix <code class="literal">syslog</code> (depending on how Samba is set up), and you can configure it from a single Samba properties file: <span class="emphasis"><em>smb.conf</em></span>
-<a class="indexterm" name="ch01-idx-951639-0"></a>. In addition, if you want to get an idea of what each of the <a class="indexterm" name="ch01-idx-951640-0"></a>
-<a class="indexterm" name="ch01-idx-951640-1"></a>daemons are doing, Samba has a program called <span class="emphasis"><em>smbstatus</em></span>
-<a class="indexterm" name="ch01-idx-951641-0"></a> that will lay it all on the line. Here is how it works:</p><pre class="programlisting"># <span class="bold"><strong>smbstatus</strong></span>
-Samba version 2.0.4
-Service      uid      gid      pid     machine
-----------------------------------------------
-network      davecb   davecb   7470   phoenix  (192.168.220.101) Sun May 16 
-network      davecb   davecb   7589   chimaera (192.168.220.102) Sun May 16 
-
-Locked files:
-Pid    DenyMode   R/W        Oplock          Name
---------------------------------------------------
-7589   DENY_NONE  RDONLY     EXCLUSIVE+BATCH /home/samba/quicken/inet/common/system/help.bmp   Sun May 16 21:23:40 1999
-7470   DENY_WRITE RDONLY     NONE            /home/samba/word/office/findfast.exe   
-Sun May 16 20:51:08 1999
-7589   DENY_WRITE RDONLY     EXCLUSIVE+BATCH /home/samba/quicken/lfbmp70n.dll   Sun May 16 21:23:39 1999
-7589   DENY_WRITE RDWR       EXCLUSIVE+BATCH /home/samba/quicken/inet/qdata/runtime.dat   Sun May 16 21:23:41 1999
-7470   DENY_WRITE RDONLY     EXCLUSIVE+BATCH /home/samba/word/office/osa.exe   
-Sun May 16 20:51:09 1999
-7589   DENY_WRITE RDONLY     NONE            /home/samba/quicken/qversion.dll   Sun May 16 21:20:33 1999
-7470   DENY_WRITE RDONLY     NONE                             /home/samba/quicken/qversion.dll   Sun May 16 20:51:11 1999
-
-Share mode memory usage (bytes):
-   1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total</pre><p>The Samba status from this output provides three sets of data, each divided into separate sections. The first section tells which systems have <a class="indexterm" name="ch01-idx-951646-0"></a>connected to the Samba server, identifying each client by its machine name (<code class="literal">phoenix</code> and <code class="literal">chimaera</code>) and IP address. The second section reports the name and status of the <a class="indexterm" name="ch01-idx-951647-0"></a>files that are currently in use on a share on the server, including the read/write status and any <a class="indexterm" name="ch01-idx-951648-0"></a>locks on the files. Finally, Samba reports the amount of <a class="indexterm" name="ch01-idx-951649-0"></a>memory it has currently allocated to the shares that it administers, including the amount actively used by the shares plus additional overhead. (Note that this is not the same as the total amount of memory that the <span class="emphasis"><em>smbd</em></span> or <span class="emphasis"><em>nmbd</em></span> processes are using.)</p><p>Don't worry if you don't understand these statistics; they will become easier to understand as you move through the<a class="indexterm" name="ch01-idx-951621-0"></a> book.<a class="indexterm" name="ch01-idx-951467-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-88536"></a>Getting Familiar with a SMB/CIFS Network</h2></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951651-0"></a>Now that you have had a brief tour of Samba, let's take some time to get familiar with Samba's adopted environment: an SMB/CIFS network. Networking with SMB is significantly different from working with a Unix <a class="indexterm" name="ch01-idx-951650-0"></a>TCP/IP network, because there are several new concepts to learn and a lot of information to cover. First, we will discuss the basic concepts behind an SMB network, followed by some Microsoft implementations of it, and finally we will show you where a Samba server can and cannot fit into the picture.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.1"></a>Understanding NetBIOS</h3></div></div></div><p>To begin, let's step back in time. In 1984, IBM authored a simple <a class="indexterm" name="ch01-idx-951659-0"></a>application programming interface (API) for networking its computers called the <em class="firstterm">Network Basic Input/Output System </em>
-<a class="indexterm" name="ch01-idx-951660-0"></a>
-<a class="indexterm" name="ch01-idx-951660-1"></a>(NetBIOS). The NetBIOS API provided a rudimentary design for an application to connect and share data with other computers.</p><p>It's helpful to think of the NetBIOS API as networking extensions to the standard BIOS API calls. With BIOS, each low-level call is confined to the hardware of the local machine and doesn't need any help traveling to its destination. NetBIOS, however, originally had to exchange instructions with computers across IBM PC or Token Ring networks. It therefore required a low-level transport protocol to carry its requests from one computer to the next.</p><p>In late 1985, IBM released one such protocol, which it merged with the NetBIOS API to become the <em class="firstterm">NetBIOS Extended User Interface</em>
-<a class="indexterm" name="ch01-idx-951661-0"></a>
-<a class="indexterm" name="ch01-idx-951661-1"></a> (<span class="emphasis"><em>NetBEUI</em></span>). NetBEUI was designed for small local area networks (LANs), and it let each machine claim a name (up to 15 characters) that wasn't already in use on the network. By a "small LAN," we mean fewer than 255 nodes on the network&#8212;which was considered a practical restriction in 1985!</p><p>The NetBEUI protocol was very popular with networking applications, including those running under Windows for Workgroups. Later, implementations of NetBIOS over Novell's IPX networking protocols also emerged, which competed with NetBEUI. However, the networking protocols of choice for the burgeoning Internet community were TCP/IP and UDP/IP, and implementing the NetBIOS APIs over those protocols soon became a necessity.</p><p>Recall that <a class="indexterm" name="ch01-idx-951666-0"></a>TCP/IP uses numbers to represent computer addresses, such as 192.168.220.100, while <a class="indexterm" name="ch01-idx-951667-0"></a>
-<a class="indexterm" name="ch01-idx-951667-1"></a>NetBIOS uses only names. This was a major issue when trying to mesh the two protocols together. In 1987, the Internet Engineering Task Force (IETF) published a series of standardization documents, titled RFC 1001 and 1002, that outlined how NetBIOS would work over a TCP/UDP network. This set of documents still governs each of the implementations that exist today, including those provided by Microsoft with their Windows operating systems as well as the Samba suite.</p><p>Since then, the standard this document governs has become known as <em class="firstterm">NetBIOS over TCP/IP</em>
-<a class="indexterm" name="ch01-idx-951668-0"></a>
-<a class="indexterm" name="ch01-idx-951668-1"></a>
-<a class="indexterm" name="ch01-idx-951668-2"></a>, or NBT for short. The NBT standard (RFC 1001/1002) currently outlines a trio of services on a network:</p><div class="itemizedlist"><ul type="disc"><li><p>A name service</p></li><li><p>Two communication services:</p><div class="itemizedlist"><ul type="circle"><li><p>Datagrams</p></li><li><p>Sessions</p></li></ul></div></li></ul></div><p>The <a class="indexterm" name="ch01-idx-951671-0"></a>name service solves the name-to-address problem mentioned earlier; it allows each computer to declare a specific name on the network that can be translated to a machine-readable IP address, much like today's DNS on the Internet. The <a class="indexterm" name="ch01-idx-951672-0"></a>
-<a class="indexterm" name="ch01-idx-951672-1"></a>datagram and session services are both secondary communication protocols used to transmit data back and forth from NetBIOS machines across the network.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.2"></a>Getting a Name</h3></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951674-0"></a>
-<a class="indexterm" name="ch01-idx-951674-1"></a>For a human being, getting a name is easy. However, for a machine on a NetBIOS network, it can be a little more complicated. Let's look at a few of the issues.</p><p>In the NetBIOS world, when each machine comes online, it wants to claim a name for itself; this is called <em class="firstterm">name registration</em>
-<a class="indexterm" name="ch01-idx-951675-0"></a>. However, no two machines in the same workgroup should be able to claim the same name; this would cause endless confusion for any machine that wanted to communicate with either machine. There are two different approaches to ensuring that this doesn't happen:</p><div class="itemizedlist"><ul type="disc"><li><p>Use a <em class="firstterm">NetBIOS Name Server</em>
-<a class="indexterm" name="ch01-idx-951677-0"></a>
-<a class="indexterm" name="ch01-idx-951677-1"></a> (NBNS) to keep track of which hosts have registered a NetBIOS name.</p></li><li><p>Allow each machine on the network to defend its name in the event that another machine attempts to use it.</p></li></ul></div><p><a href="#ch01-86658" title="Figure 1.8. NBNS versus non-NBNS name registration">Figure 1.8</a> illustrates a (failed) name registration, with and without a NetBIOS Name Server.</p><div class="figure"><a name="ch01-86658"></a><p class="title"><b>Figure 1.8. NBNS versus non-NBNS name registration</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 391px"><td><img src="figs/sam.0108.gif" width="502" alt="NBNS versus non-NBNS name registration"></td></tr></table></div></div></div><br class="figure-break"><p>In addition, there must be a way to resolve a NetBIOS name to a specific IP address as mentioned earlier; this is known as <em class="firstterm">name resolution</em>
-<a class="indexterm" name="ch01-idx-951679-0"></a>. There are two different approaches with NBT here as well:</p><div class="itemizedlist"><ul type="disc"><li><p>Have each machine report back its IP address when it "hears" a broadcast request for its NetBIOS name.</p></li><li><p>Use the NBNS to help resolve NetBIOS names to IP addresses.</p></li></ul></div><p><a href="#ch01-72484" title="Figure 1.9. NBNS versus non-NBNS name resolution">Figure 1.9</a> illustrates the two types of name resolution.</p><div class="figure"><a name="ch01-72484"></a><p class="title"><b>Figure 1.9. NBNS versus non-NBNS name resolution</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 391px"><td><img src="figs/sam.0109.gif" width="502" alt="NBNS versus non-NBNS name resolution"></td></tr></table></div></div></div><br class="figure-break"><p>As you might expect, having an NBNS on your network can help out tremendously. To see exactly why, let's look at the non-NBNS method.</p><p>Here, when a client machine boots, it will broadcast a message declaring that it wishes to register a specified NetBIOS name as its own. If nobody objects to the use of the name after multiple registration attempts, it keeps the name. On the other hand, if another machine on the local <a class="indexterm" name="ch01-idx-951896-0"></a>subnet is currently using the requested name, it will send a message back to the requesting client that the name is already taken. This is known as <em class="firstterm">defending</em>
-<a class="indexterm" name="ch01-idx-951687-0"></a> the hostname. This type of system comes in handy when one client has unexpectedly dropped off the network&#8212;another can take its name unchallenged&#8212;but it does incur an inordinate amount of traffic on the network for something as simple as name registration.</p><p>With an NBNS, the same thing occurs, except that the communication is confined to the requesting machine and the NBNS server. No broadcasting occurs when the machine wishes to register the name; the registration message is simply sent directly from the client to NBNS server and the NBNS server replies whether or not the name is already taken. This is known as <em class="firstterm">point-to-point communication</em>
-<a class="indexterm" name="ch01-idx-951688-0"></a>, and is often beneficial on networks with more than one subnet. This is because routers are often preconfigured to block incoming packets that are broadcast to all machines in the subnet.</p><p>The same principles apply to name resolution. Without an NBNS, NetBIOS name resolution would also be done with a broadcast mechanism. All request packets would be sent to each computer in the network, with the hope that one machine that might be affected will respond directly back to the machine that asked. At this point, it's clear that using an NBNS server and point-to-point communication for this purpose is far less taxing on the network than flooding the network with broadcasts for every name resolution request.<a class="indexterm" name="ch01-idx-951682-0"></a>
-<a class="indexterm" name="ch01-idx-951682-1"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.3"></a>Node Types</h3></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951690-0"></a>How can you tell what strategy each client on your network will use when performing name registration and resolution? Each machine on an NBT network earns one of the following designations, depending on how it handles name registration and resolution: <a class="indexterm" name="ch01-idx-951691-0"></a>
-<a class="indexterm" name="ch01-idx-951691-1"></a>
-<a class="indexterm" name="ch01-idx-951691-2"></a>
-<a class="indexterm" name="ch01-idx-951691-3"></a>b-node, p-node, m-node, and h-node. The behaviors of each type of node are summarized in <a href="#ch01-91681" title="Table 1.1. NetBIOS Node Types">Table 1.1</a>.</p><div class="table"><a name="ch01-91681"></a><p class="title"><b>Table 1.1. NetBIOS Node Types </b></p><div class="table-contents"><table summary="NetBIOS Node Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Role</p></th><th><p>Value</p></th></tr></thead><tbody><tr><td><p>b-node</p></td><td><p>Uses<a class="indexterm" name="ch01-idx-951692-0"></a>
-<a class="indexterm" name="ch01-idx-951692-1"></a> broadcast registration and resolution only.</p></td></tr><tr><td><p>p-node</p></td><td><p>Uses <a class="indexterm" name="ch01-idx-951693-0"></a>point-to-point registration and resolution only.</p></td></tr><tr><td><p>m-node</p></td><td><p>Uses broadcast for registration. If successful, it notifies the NBNS server of the result. Uses broadcast for resolution; uses NBNS server if broadcast is unsuccessful.</p></td></tr><tr><td><p>h-node (hybrid)</p></td><td><p>Uses NBNS server for registration and resolution; uses broadcast if the NBNS server is unresponsive or inoperative.</p></td></tr></tbody></table></div></div><br class="table-break"><p>In the case of Windows clients, you will usually find them listed as <em class="firstterm">h-nodes</em> or <em class="firstterm">hybrid nodes</em>. Incidentally, h-nodes were invented later by Microsoft, as a more  fault-tolerant route, and do not appear in RFC 1001/1002.</p><p>You can find out the node type of any Windows machine by typing the command <code class="literal">ipconfig</code> <code class="literal">/all</code> and searching for the line that says <code class="literal">Node Type</code>.</p><pre class="programlisting"><span class="bold"><strong>C:\&gt;ipconfig /all</strong></span>
-Windows 98 IP Configuration
-...
-  Node Type .  .  .  .  .  .  .  .  .  .  : Hybrid
-...</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.4"></a>What's in a Name?</h3></div></div></div><p>The <a class="indexterm" name="ch01-idx-951695-0"></a>names NetBIOS uses are quite different from the DNS hostnames you might be familiar with. First, NetBIOS names exist in a <a class="indexterm" name="ch01-idx-951696-0"></a>flat namespace. In other words, there are no qualifiers such as <span class="emphasis"><em>ora.com</em></span> or <span class="emphasis"><em>samba.org</em></span> to section off hostnames; there is only a single unique name to represent each computer. Second, NetBIOS names are allowed to be only 15 characters, may not begin with an asterisk (*), and can consist only of standard alphanumeric characters (a-z, A-Z, 0-9) and the following:</p><pre class="programlisting">! @ # $ % ^ &amp; ( ) - ' { } . ~</pre><p>Although you are allowed to use a period (.) in a NetBIOS name, we recommend against it because those names are not guaranteed to work in future versions of NetBIOS over TCP/IP.</p><p>It's not a coincidence that all valid <a class="indexterm" name="ch01-idx-952041-0"></a>DNS names are also valid NetBIOS names. In fact, the DNS name for a Samba server is often reused as its NetBIOS name. For example, if you had a machine <code class="literal">phoenix.ora.com </code>, its NetBIOS name would likely be PHOENIX (followed by 8 blanks).</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-3.4.1"></a>Resource names and types</h4></div></div></div><p>With NetBIOS, a machine not only advertises its presence, but also tells others what types of services it offers. For example, <code class="literal">phoenix</code> can indicate that it's not just a workstation, but is also a file server and can receive WinPopup messages. This is done by adding a 16th byte to the end of the machine (<a class="indexterm" name="ch01-idx-951698-0"></a>resource) name, called the <a class="indexterm" name="ch01-idx-951704-0"></a><em class="firstterm">resource type</em>, and registering the name more than once. See <a href="#ch01-74707" title="Figure 1.10. The structure of NetBIOS names">Figure 1.10</a>.</p><div class="figure"><a name="ch01-74707"></a><p class="title"><b>Figure 1.10. The structure of NetBIOS names</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 153px"><td><img src="figs/sam.0110.gif" height="153" alt="The structure of NetBIOS names"></td></tr></table></div></div></div><br class="figure-break"><p>The one-byte resource type indicates a unique service the named machine provides. In this book, you will often see the resource type shown in <a class="indexterm" name="ch01-idx-951708-0"></a>angled brackets (<a class="indexterm" name="ch01-idx-951709-0"></a>&lt;&gt;) after the NetBIOS name, such as:</p><pre class="programlisting">PHOENIX&lt;00&gt;</pre><p>You can see which names are registered for a particular NBT machine using the Windows command-line <a class="indexterm" name="ch01-idx-951710-0"></a>NBTSTAT utility. Because these services are unique (i.e., there cannot be more than one registered), you will see them listed as type UNIQUE in the output. For example, the following partial output describes the <code class="literal">hydra</code> server:</p><pre class="programlisting"><span class="bold"><strong>D:\&gt;NBTSTAT -a hydra</strong></span>
-
-       NetBIOS Remote Machine Name Table
-   Name               Type         Status
----------------------------------------------
-HYDRA          &lt;00&gt;  UNIQUE      Registered
-HYDRA          &lt;03&gt;  UNIQUE      Registered
-HYDRA          &lt;20&gt;  UNIQUE      Registered
-...</pre><p>This says the server has registered the NetBIOS name <code class="literal">hydra</code> as a <a class="indexterm" name="ch01-idx-951711-0"></a>
-<a class="indexterm" name="ch01-idx-951711-1"></a>machine (workstation) name, a recipient of WinPopup messages, and a file server. Some possible attributes a name can have are listed in <a href="#ch01-11471" title="Table 1.2. NetBIOS Unique Resource Types">Table 1.2</a>.</p><div class="table"><a name="ch01-11471"></a><p class="title"><b>Table 1.2. NetBIOS Unique Resource Types </b></p><div class="table-contents"><table summary="NetBIOS Unique Resource Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>
-<a class="indexterm" name="ch01-idx-951723-0"></a>Named Resource</p></th><th><p>
-<a class="indexterm" name="ch01-idx-951735-0"></a>Hexidecimal Byte Value</p></th></tr></thead><tbody><tr><td><p>Standard Workstation Service</p></td><td><p>00</p></td></tr><tr><td><p>Messenger Service (WinPopup)</p></td><td><p>03</p></td></tr><tr><td><p>RAS Server Service</p></td><td><p>06</p></td></tr><tr><td><p>Domain Master Browser Service (associated with primary domain controller)</p></td><td><p>1B</p></td></tr><tr><td><p>Master Browser name</p></td><td><p>1D</p></td></tr><tr><td><p>NetDDE Service</p></td><td><p>1F</p></td></tr><tr><td><p>Fileserver (including printer server)</p></td><td><p>20</p></td></tr><tr><td><p>RAS Client Service</p></td><td><p>21</p></td></tr><tr><td><p>Network Monitor Agent</p></td><td><p>BE</p></td></tr><tr><td><p>Network Monitor Utility</p></td><td><p>BF</p></td></tr></tbody></table></div></div><br class="table-break"><p>Note that because <a class="indexterm" name="ch01-idx-951737-0"></a>DNS names don't have resource types, the designers intentionally made hexidecimal value 20 (an ASCII space) default to the type for a file server.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-3.4.2"></a>Group names and types</h4></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951786-0"></a>
-<a class="indexterm" name="ch01-idx-951786-1"></a>SMB also uses the concept of groups, with which machines can register themselves. Earlier, we mentioned that the machines in our example belonged to a <em class="firstterm">workgroup</em>, which is a partition of machines on the same network. For example, a business might very easily have an ACCOUNTING and a SALES workgroup, each with different servers and printers. In the Windows world, a workgroup and an SMB group are the same thing.</p><p>Continuing our NBTSTAT example, the <code class="literal">hydra</code> Samba server is also a member of the SIMPLE workgroup (the GROUP attribute hex 00), and will stand for election as a browse master (GROUP attribute 1E). Here is the remainder of the NBTSTAT utility output:</p><pre class="programlisting">       NetBIOS Remote Machine Name Table, continued
-   Name               Type         Status
----------------------------------------------
-SIMPLE           &lt;00&gt;  GROUP       Registered
-SIMPLE           &lt;1E&gt;  GROUP       Registered
-.._ _MSBROWSE_ _.&lt;01&gt;  GROUP       Registered</pre><p>The possible group attributes a machine can have are illustrated in <a href="#ch01-52395" title="Table 1.3. NetBIOS Group Resource Types">Table 1.3</a>. More information is available in <a class="indexterm" name="ch01-idx-951787-0"></a><em class="citetitle">Windows NT in a Nutshell</em> by Eric Pearce, also published by O'Reilly.</p><div class="table"><a name="ch01-52395"></a><p class="title"><b>Table 1.3. NetBIOS Group Resource Types </b></p><div class="table-contents"><table summary="NetBIOS Group Resource Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Named Resource</p></th><th><p>
-<a class="indexterm" name="ch01-idx-951781-0"></a>Hexidecimal Byte Value</p></th></tr></thead><tbody><tr><td><p>Standard Workstation group</p></td><td><p>00</p></td></tr><tr><td><p>Logon Server</p></td><td><p>1C</p></td></tr><tr><td><p>Master Browser name</p></td><td><p>1D</p></td></tr><tr><td><p>Normal Group name (used in browser elections)</p></td><td><p>1E</p></td></tr><tr><td><p>Internet Group name (administrative)</p></td><td><p>20</p></td></tr><tr><td><p><code class="literal">&lt;01&gt;&lt;02&gt;_ _MSBROWSE_ _&lt;02&gt;</code></p></td><td><p>01</p></td></tr></tbody></table></div></div><br class="table-break"><p>The final entry, <code class="literal">_ _ MSBROWSE _ _  </code>, is used to announce a group to other master browsers. The nonprinting characters in the name show up as dots in a NBTSTAT printout. Don't worry if you don't understand all of the resource or group types. Some of them you will not need with Samba, and others you will pick up as you move through the rest of the chapter. The important thing to remember here is the logistics of the naming mechanism.<a class="indexterm" name="ch01-idx-951790-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-3.5"></a>Datagrams and Sessions</h3></div></div></div><p><em class="firstterm"></em>
-<a class="indexterm" name="ch01-idx-951800-0"></a>
-<a class="indexterm" name="ch01-idx-951800-1"></a>At this point, let's digress to introduce another responsibility of NBT: to provide connection services between two NetBIOS machines. There are actually two services offered by NetBIOS over TCP/IP: the <em class="firstterm">session service</em> and the <em class="firstterm">datagram service</em>. Understanding how these two services work is not essential to using Samba, but it does give you an idea of how NBT works and how to troubleshoot Samba when it doesn't work.</p><p>The datagram service has no stable connection between one machine and another. Packets of data are simply sent or broadcast from one machine to another, without regard for the order that they arrive at the destination, or even if they arrive at all. The use of datagrams is not as network intensive as sessions, although they can bog down a network if used unwisely (remember broadcast name resolution earlier?) Datagrams, therefore, are used for quickly sending simple blocks of data to one or more machines. The datagram service communicates using the simple primitives shown in <a href="#ch01-29352" title="Table 1.4. Datagram Primitives">Table 1.4</a>.</p><div class="table"><a name="ch01-29352"></a><p class="title"><b>Table 1.4. Datagram Primitives </b></p><div class="table-contents"><table summary="Datagram Primitives " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Primitive</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p>Send Datagram</p></td><td><p>Send datagram packet to machine or groups of machines.</p></td></tr><tr><td><p>Send Broadcast Datagram</p></td><td><p>Broadcast datagram to any machine waiting with a Receive Broadcast Datagram.</p></td></tr><tr><td><p>Receive Datagram</p></td><td><p>Receive a datagram from a machine.</p></td></tr><tr><td><p>Receive Broadcast Datagram</p></td><td><p>Wait for a broadcast datagram.</p></td></tr></tbody></table></div></div><br class="table-break"><p>The session service is more complex. Sessions are a communication method that, in theory, offers the ability to detect problematic or inoperable connections between two NetBIOS applications. It helps to think of an NBT session in terms of a telephone call.<sup>[<a name="ch01-pgfId-946249" href="#ftn.ch01-pgfId-946249">5</a>]</sup> A full-duplex connection is opened between a caller machine and a called machine, and it must remain open throughout the duration of their conversation. Each side knows who the caller and the called machine is, and can communicate with the simple primitives shown in <a href="#ch01-75575" title="Table 1.5. Session Primitives">Table 1.5</a>.</p><div class="table"><a name="ch01-75575"></a><p class="title"><b>Table 1.5. Session Primitives </b></p><div class="table-contents"><table summary="Session Primitives " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Primitive</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p>Call</p></td><td><p>Initiate a session with a machine listening under a specified name.</p></td></tr><tr><td><p>Listen</p></td><td><p>Wait for a call from a known caller or any caller.</p></td></tr><tr><td><p>Hang-up</p></td><td><p>Exit a call.</p></td></tr><tr><td><p>Send</p></td><td><p>Send data to the other machine.</p></td></tr><tr><td><p>Receive</p></td><td><p>Receive data from the other machine.</p></td></tr><tr><td><p>Session Status</p></td><td><p>Get information on requested sessions.</p></td></tr></tbody></table></div></div><br class="table-break"><p>Sessions are the backbone of resource sharing on an NBT network. They are typically used for establishing stable connections from client machines to disk or printer shares on a server. The client "calls" the server and starts trading information such as which files it wishes to open, which data it wishes to exchange, etc. These calls can last a long time&#8212;hours, even days&#8212;and all of this occurs within the context of a single connection. If there is an error, the session software (TCP) will retransmit until the data is received properly, unlike the "punt-and-pray" approach of the datagram service (UDP).</p><p>In truth, while sessions are supposed to be able to handle problematic communications, they often don't. As you've probably already discovered when using Windows networks, this is a serious detriment to using NBT sessions. If the connection is interrupted for some reason, session information that is open between the two computers can easily become invalidated. If that happens, the only way to regain the session information is for the same two computers to call each other again and start over.</p><p>If you want more information on each of these services, we recommend you look at RFC 1001. However, there are two important things to remember here:</p><div class="itemizedlist"><ul type="disc"><li><p>Sessions always occur between <span class="emphasis"><em>two</em></span> NetBIOS machines&#8212;no more and no less. If a session service is interrupted, the client is supposed to store sufficient state information for it to re-establish the connection. However, in practice, this is rarely the case.</p></li><li><p>Datagrams can be broadcast to multiple machines, but they are unreliable. In other words, there is no way for the source to know that the datagrams it sent have indeed arrived at their<em class="firstterm"></em>
-<a class="indexterm" name="ch01-idx-951807-0"></a>
-<a class="indexterm" name="ch01-idx-951807-1"></a> destinations.<a class="indexterm" name="ch01-idx-951654-0"></a></p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-43359"></a>Microsoft Implementations</h2></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951821-0"></a>
-<a class="indexterm" name="ch01-idx-951821-1"></a>With that amount of background, we can now talk about some of Microsoft's implementations of the preceding concepts in the CIFS/SMB networking world. And, as you might expect, there are some complex extensions to introduce as well.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-4.1"></a>Windows Domains</h3></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951815-0"></a>Recall that a workgroup is a collection of SMB computers that all reside on a subnet and subscribe to the same SMB group. A <em class="firstterm">Windows domain</em> goes a step further. It is a workgroup of SMB machines that has one addition: a server acting as a <em class="firstterm">domain controller</em>. You must have a domain controller in order to have a Windows domain.<sup>[<a name="ch01-pgfId-947021" href="#ftn.ch01-pgfId-947021">6</a>]</sup> Otherwise, it is only a workgroup. See <a href="#ch01-96972" title="Figure 1.11. A simple Windows domain">Figure 1.11</a>.</p><div class="figure"><a name="ch01-96972"></a><p class="title"><b>Figure 1.11. A simple Windows domain</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 209px"><td><img src="figs/sam.0111.gif" height="209" alt="A simple Windows domain"></td></tr></table></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="ch01-idx-951829-0"></a>
-<a class="indexterm" name="ch01-idx-951829-1"></a>There are currently two separate protocols used by a domain controller (logon server): one for communicating with Windows 95/98 machines and one for communicating with Windows NT machines. While Samba currently implements the domain controller protocol for Windows 95/98 (which allows it to act as a domain controller for Windows 9<span class="emphasis"><em>x</em></span> machines), it still does not fully support the protocol for Windows NT computers. However, the Samba team promises that support for the Windows NT domain controller protocol is forthcoming in Samba 2.1.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch01-NOTE-0"></a>Tip</h3><p>Why all the difficulty? The protocol that Windows domain controllers use to communicate with their clients and other domain controllers is proprietary and has not been released by Microsoft. This has forced the Samba development team to reverse-engineer the domain controller protocol to see which codes perform specific tasks.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-4.1.1"></a>Domain controllers</h4></div></div></div><p>The domain controller is the nerve center of a Windows domain, much like an NIS server is the nerve center of the Unix network information service. Domain controllers have a variety of responsibilities. One responsibility that you need to be concerned with is <em class="firstterm">authentication</em>
-<a class="indexterm" name="ch01-idx-951839-0"></a>. Authentication is the process of granting or denying a user access to a shared resource on another network machine, typically through the use of a password.</p><p>Each domain controller uses a <em class="firstterm">security account manager</em>
-<a class="indexterm" name="ch01-idx-951840-0"></a>
-<a class="indexterm" name="ch01-idx-951840-1"></a> (SAM) to maintain a list of username-password combinations. The domain controller then forms a central repository of passwords that are tied to usernames (one password per user), which is more efficient than each client machine maintaining hundreds of passwords for every network resource available.</p><p>On a Windows domain, when a non-authenticated client requests access to a server's shares, the server will turn around and ask the domain controller whether that user is authenticated. If it is, the server will establish a session connection with the access rights it has for that service and user. If not, the connection is denied. Once a user is authenticated by the domain controller, a special authenticated token will be returned to the client so that the user will not need to relogin to other resources on that domain. At this point, the user is considered "logged in" to the domain itself. See <a href="#ch01-49344" title="Figure 1.12. Using a domain controller for authentication">Figure 1.12</a>.</p><div class="figure"><a name="ch01-49344"></a><p class="title"><b>Figure 1.12. Using a domain controller for authentication</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 242px"><td><img src="figs/sam.0112.gif" height="242" alt="Using a domain controller for authentication"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-4.1.2"></a>Primary and backup domain controllers</h4></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951842-0"></a>
-<a class="indexterm" name="ch01-idx-951842-1"></a>
-<a class="indexterm" name="ch01-idx-951842-2"></a>
-<a class="indexterm" name="ch01-idx-951842-3"></a>
-<a class="indexterm" name="ch01-idx-951842-4"></a>Redundancy is a key idea behind a Windows domain. The domain controller that is currently active on a domain is called the <em class="firstterm">primary domain controller</em> (PDC). There can be one or more <em class="firstterm">backup domain controllers</em> (BDCs) in the domain as well, which will take over in the event that the primary domain controller fails or becomes inaccessible. BDCs frequently synchronize their SAM data with the primary domain controller so that, if the need arises, any one of them can perform DC services transparently without impacting its clients. Note that BDCs, however, have only read-only copies of the SAM; they can update their data only by synchronizing with a PDC. A server in a Windows domain can use the SAM of any primary or backup domain controller to authenticate a user who attempts to access its resources and logon to the domain.</p><p>Note that in many aspects, the behaviors of a <a class="indexterm" name="ch01-idx-951844-0"></a>
-<a class="indexterm" name="ch01-idx-951844-1"></a>Windows workgroup and a Windows domain overlap. This is not accidental since the concept of Windows domains did not evolve until Windows NT 3.5 was introduced, and Windows domains were forced to remain <a class="indexterm" name="ch01-idx-951873-0"></a>backwards compatible with the workgroups present in Windows for Workgroups 3.1. The key thing to remember here is that a Windows domain is simply a Windows workgroup with one or more domain controllers added.</p><p>Samba can function as a primary domain controller for Windows 95/98 machines without any problems. However, <a class="indexterm" name="ch01-idx-951845-0"></a>
-<a class="indexterm" name="ch01-idx-951845-1"></a>Samba 2.0 can act as a primary domain controller only for authentication purposes; it currently cannot assume any other PDC responsibilities. (By the time you read this, Samba 2.1 may be available so you can use Samba as a PDC for NT clients.) Also, because of the closed protocol used by Microsoft to synchronize SAM data, Samba currently cannot serve as a backup domain<a class="indexterm" name="ch01-idx-951832-0"></a>
-<a class="indexterm" name="ch01-idx-951832-1"></a> controller.<a class="indexterm" name="ch01-idx-951820-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-4.2"></a>Browsing</h3></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951846-0"></a>Browsing is a high-level answer to the user question: "What machines are out there on the Windows network?" Note that there is no connection with a World Wide Web browser, apart from the general idea of "discovering what's there." And, like the Web, what's out there can change without warning.</p><p>Before browsing, users had to know the name of the specific computer they wanted to connect to on the network, and then manually enter a UNC such as the following into an application or file manager to access resources:</p><pre class="programlisting">\\HYDRA\network\</pre><p>With browsing, however, you can examine the contents of a machine using a standard point-and-click GUI&#8212;in this case, the<a class="indexterm" name="ch01-idx-951848-0"></a> Network Neighborhood window in a Windows client.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-4.2.1"></a>Levels of browsing</h4></div></div></div><p>As we hinted at the beginning of the chapter, there are actually two types of browsing that you will encounter in an SMB/CIFS network:</p><div class="itemizedlist"><ul type="disc"><li><p>Browsing a list of machines (with shared resources)</p></li><li><p>Browsing the shared resources of a specific machine</p></li></ul></div><p>
-<a class="indexterm" name="ch01-idx-951851-0"></a>Let's look at the first one. On each Windows workgroup (or domain) subnet, one computer has the responsibility of maintaining a list of the machines that are currently accessible through the network. This computer is called the <em class="firstterm">local master browser</em>
-<a class="indexterm" name="ch01-idx-951850-0"></a>
-<a class="indexterm" name="ch01-idx-951850-1"></a>, and the list that it maintains is called the <em class="firstterm">browse list</em>. Machines on a subnet use the browse list in order to cut down on the amount of network traffic generated while browsing. Instead of each computer dynamically polling to determine a list of the currently available machines, the computer can simply query the local master browser to obtain a complete, up-to-date list.</p><p>
-<a class="indexterm" name="ch01-idx-951852-0"></a>To browse the actual resources on a machine, a user must connect to the specific machine; this information cannot be obtained from the browse list. Browsing the list of resources on a machine can be done by clicking on the machine's icon when it is presented in the Network Neighborhood in Windows 95/98 or NT. As you saw at the opening of the chapter, the machine will respond with a list of shared resources that can be accessed if that user is successfully authenticated.</p><p>Each of the servers on a Windows workgroup is required to announce its presence to the local master browser after it has registered a NetBIOS name, and (theoretically) announce that it is leaving the workgroup when it is shut down. It is the local master browser's responsibility to record what the servers have announced. Note that the local master browser is not necessarily the same machine as a NetBIOS name server (NBNS), which we discussed earlier.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch01-NOTE-1"></a>Warning</h3><p>The <a class="indexterm" name="ch01-idx-952154-0"></a>Windows Network Neighborhood can behave oddly: until you select a particular machine to browse, the Network Neighborhood window may contain data that is not up-to-date. That means that the Network Neighborhood window can be showing machines that have crashed, or can be missing machines that haven't been noticed yet. Put succinctly, once you've selected a server and connected to it, you can be a lot more confident that the shares and printers really exist on the network.</p></div><p>Unlike the roles you've seen earlier, almost any Windows machine (NT Server, NT Workstation, 98, 95, or Windows 3.1 for Workgroups) can act as a local master browser. As with the domain controller, the local master browser can have one or more <em class="firstterm">backup browsers</em>
-<a class="indexterm" name="ch01-idx-952161-0"></a> on the local subnet that will take over in the event that the local master browser fails or becomes inaccessible. To ensure fluid operation, the local backup browsers will frequently synchronize their browse list with the local master browser. Let's update our Windows domain diagram to include both a local master and local backup browser. The result is shown in <a href="#ch01-77521" title="Figure 1.13. A Windows domain with a local master and local backup browser">Figure 1.13</a>.</p><div class="figure"><a name="ch01-77521"></a><p class="title"><b>Figure 1.13. A Windows domain with a local master and local backup browser</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 209px"><td><img src="figs/sam.0113.gif" height="209" alt="A Windows domain with a local master and local backup browser"></td></tr></table></div></div></div><br class="figure-break"><p>Here is how to calculate the minimum number of <a class="indexterm" name="ch01-idx-951868-0"></a>backup browsers that will be allocated on a workgroup:</p><div class="itemizedlist"><ul type="disc"><li><p>If there are between 1 and 32 Windows NT workstations on the network, or between 1 and 16 Windows 95/98 machines on the network, the local master browser allocates one backup browser in addition to the local master browser.</p></li><li><p>If the number of Windows NT workstations falls between 33 and 64, or the number of Windows 95/98 workstations falls between 17 and 32, the local master browser allocates two backup browsers.</p></li><li><p>For each group of 32 NT workstations or 16 Windows 95/98 machines beyond this, the local master browser allocates another backup browser.</p></li></ul></div><p>There is currently no upper limit on the number of <a class="indexterm" name="ch01-idx-951869-0"></a>
-<a class="indexterm" name="ch01-idx-951869-1"></a>backup browsers that can be allocated by the local master browser.<a class="indexterm" name="ch01-idx-951855-0"></a></p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch01-SECT-4.2.2"></a>Browsing elections</h4></div></div></div><p>Browsing is a critical aspect of any Windows workgroup. However, not everything runs perfectly on any network. For example, let's say that the Windows NT Server on the desk of a small company's CEO is the local master browser&#8212;that is, until he switches it off while plugging in his massage chair. At this point the Windows NT Workstation in the spare parts department might agree to take over the job. However, that computer is currently running a large, poorly written program that has brought its processor to its knees. The moral: browsing has to be very tolerant of servers coming and going. Because nearly every Windows machine can serve as a browser, there has to be a way of deciding at any time who will take on the job. This decision-making process is called an <em class="firstterm">election</em>
-<a class="indexterm" name="ch01-idx-951870-0"></a>
-<a class="indexterm" name="ch01-idx-951870-1"></a>.</p><p>An election algorithm is built into nearly all Windows operating systems such that they can each agree who is going to be a local master browser and who will be local backup browsers. An election can be forced at any time. For example, let's assume that the CEO has finished his massage and reboots his server. As the server comes online, it will announce its presence and an election will take place to see if the PC in the spare parts department should still be the master browser.</p><p>When an election is performed, each machine broadcasts via datagrams information about itself. This information includes the following:</p><div class="itemizedlist"><ul type="disc"><li><p>The version of the election protocol used</p></li><li><p>The operating system on the machine</p></li><li><p>The amount of time the client has been on the network</p></li><li><p>The hostname of the client</p></li></ul></div><p>These values determine which operating system has seniority and will fulfill the role of the local master browser. (<a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>, describes the election process in more detail.) The architecture developed to achieve this is not elegant and has built-in security problems. While a browsing domain can be integrated with domain security, the election algorithm does not take into consideration which computers become browsers. Thus it is possible for any machine running a browser service to register itself as participating in the browsing election, and (after winning) being able to change the browse list. Nevertheless, browsing is a key feature of Windows networking and <a class="indexterm" name="ch01-idx-951871-0"></a>backwards compatibility requirements will ensure that it is in use for years to come.<a class="indexterm" name="ch01-idx-951847-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-4.3"></a>Can a Windows Workgroup Span Multiple Subnets?</h3></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951886-0"></a>
-<a class="indexterm" name="ch01-idx-951886-1"></a>
-<a class="indexterm" name="ch01-idx-951886-2"></a>Yes, but most people who have done it have had their share of headaches. Spanning multiple subnets was not part of the initial design of Windows NT 3.5 or Windows for Workgroups. As a result, a Windows domain that spans two or more subnets is, in reality, the "gluing" together of two or more workgroups that share an identical name. The good news is that you can still use a primary domain controller to control authentication across each of the subnets. The bad news is that things are not as simple with browsing.</p><p>As mentioned previously, each subnet must have its own local master browser. When a Windows domain spans multiple subnets, a system administrator will have to assign one of the machines as the <em class="firstterm">domain master browser</em>. The domain master browser will keep a browse list for the entire Windows domain. This browse list is created by periodically synchronizing the browse lists of each of the local master browsers with the browse list of the domain master browser. After the synchronization, the local master browser and the domain master browser should contain identical entries. See <a href="#ch01-52572" title="Figure 1.14. A workgroup that spans more than one subnet">Figure 1.14</a> for an illustration.</p><div class="figure"><a name="ch01-52572"></a><p class="title"><b>Figure 1.14. A workgroup that spans more than one subnet</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 438px"><td><img src="figs/sam.0114.gif" width="502" alt="A workgroup that spans more than one subnet"></td></tr></table></div></div></div><br class="figure-break"><p>Sound good? Well, it's not quite nirvana for the following reasons:</p><div class="itemizedlist"><ul type="disc"><li><p>If it exists, a primary domain controller always plays the role of the domain master browser. By Microsoft design, the two always share the NetBIOS <a class="indexterm" name="ch01-idx-951898-0"></a>
-<a class="indexterm" name="ch01-idx-951898-1"></a>resource type &lt;1B&gt;, and (unfortunately) cannot be separated.</p></li><li><p>Windows 95/98 machines cannot become <span class="emphasis"><em>or</em></span> <span class="emphasis"><em>even contact</em></span> a domain master browser. The Samba group feels that this is a marketing decision from Microsoft that forces customers to have at least one Windows NT workstation (or Samba server) on each <a class="indexterm" name="ch01-idx-951900-0"></a>subnet of a multi-subnet workgroup.</p></li></ul></div><p>Each subnet's local master browser continues to maintain the browse list for its subnet, for which it becomes authoritative. So if a computer wants to see a list of servers within its own subnet, the local master browser of that subnet will be queried. If a computer wants to see a list of servers outside the subnet, it can still go only as far as the local master browser. This works because, at appointed intervals, the authoritative browse list of a subnet's local master browser is synchronized with the domain master browser, which is synchronized with the local master browser of the other subnets in the domain. This is called <em class="firstterm">browse list propagation</em>
-<a class="indexterm" name="ch01-idx-951902-0"></a>
-<a class="indexterm" name="ch01-idx-951902-1"></a>.</p><p>Samba can act as a domain master browser on a Windows domain if required. In addition, it can also act as a local master browser for a Windows subnet, synchronizing its browse list with the domain master browser.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-4.4"></a>The Windows Internet Name Service (WINS)</h3></div></div></div><p>The <a class="indexterm" name="ch01-idx-951904-0"></a>
-<a class="indexterm" name="ch01-idx-951904-1"></a>Windows Internet Name Service (WINS) is Microsoft's implementation of a <a class="indexterm" name="ch01-idx-951906-0"></a>NetBIOS name server (NBNS). As such, WINS inherits much of NetBIOS's characteristics. First, WINS is <a class="indexterm" name="ch01-idx-951907-0"></a>flat; you can only have machines named <code class="literal">fred</code> or workgroups like CANADA or USA. In addition, WINS is dynamic: when a client first comes online, it is required to report its hostname, its address, and its workgroup to the local WINS server. This WINS server will retain the information so long as the client periodically refreshes its WINS registration, which indicates that it's still connected to the network. Note that <a class="indexterm" name="ch01-idx-951908-0"></a>WINS servers are not domain or workgroup specific; they can appear anywhere and serve anyone.</p><p>Multiple WINS servers can be set to synchronize with each other after a specified amount of time. This allows entries for machines that come online and offline on the network to propagate from one WINS server to another. While in theory this seems efficient, it can quickly become cumbersome if there are several WINS servers covering a network. Because WINS services can cross multiple subnets (you'll either hardcode the address of a WINS server in each of your clients or obtain it via DHCP), it is often more efficient to have each Windows client, no matter how many Windows domains there are, point themselves to the same WINS server. That way, there will only be one authoritative WINS server with the correct information, instead of several WINS servers continually struggling to synchronize themselves with the most recent changes.</p><p>The currently active WINS server is known as the <em class="firstterm">primary WINS server</em>
-<a class="indexterm" name="ch01-idx-951910-0"></a>
-<a class="indexterm" name="ch01-idx-951910-1"></a>
-<a class="indexterm" name="ch01-idx-951910-2"></a>. You can also install a secondary WINS server, which will take over in the event that the primary WINS server fails or becomes inaccessible. Note that there is no <a class="indexterm" name="ch01-idx-951912-0"></a>election to determine which machine becomes a primary or backup WINS server&#8212;the choice of WINS servers is static and must be predetermined by the <a class="indexterm" name="ch01-idx-951913-0"></a>system administrator. Both the primary and any backup WINS servers will synchronize their address databases on a periodic basis.</p><p>In the Windows family of operating systems, only an NT Workstation or an NT server can serve as a <em class="firstterm"></em>
-<a class="indexterm" name="ch01-idx-951916-0"></a>WINS server. Samba can also function as a primary WINS server, but not a secondary WINS server.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-12452"></a>What Can Samba Do?</h3></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951921-0"></a>
-<a class="indexterm" name="ch01-idx-951921-1"></a>
-<a class="indexterm" name="ch01-idx-951921-2"></a>Whew! Bet you never thought Microsoft networks would be that complex, did you? Now, let's wrap up by showing where Samba can help out. <a href="#ch01-14021" title="Table 1.6. Samba Roles (as of 2.0.4b)">Table 1.6</a> summarizes which roles Samba can and cannot play in a Windows NT Domain or Windows workgroup. As you can see, because many of the NT domain protocols are proprietary and have not been documented by Microsoft, Samba cannot properly synchronize its data with a Microsoft server and cannot act as a backup in most roles. However, with version 2.0.<span class="emphasis"><em>x</em></span>, Samba does have limited support for the primary domain controller's authentication protocols and is gaining more functionality every day.</p><div class="table"><a name="ch01-14021"></a><p class="title"><b>Table 1.6. Samba Roles (as of 2.0.4b) </b></p><div class="table-contents"><table summary="Samba Roles (as of 2.0.4b) " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Role</p></th><th><p>Can Perform?</p></th></tr></thead><tbody><tr><td><p>File Server</p></td><td><p>Yes</p></td></tr><tr><td><p>Printer Server</p></td><td><p>Yes</p></td></tr><tr><td><p>Primary Domain Controller</p></td><td><p>Yes (Samba 2.1 or higher recommended)</p></td></tr><tr><td><p>Backup Domain Controller</p></td><td><p>No</p></td></tr><tr><td><p>Windows 95/98 Authentication</p></td><td><p>Yes</p></td></tr><tr><td><p>Local Master Browser</p></td><td><p>Yes</p></td></tr><tr><td><p>Local Backup Browser</p></td><td><p>No</p></td></tr><tr><td><p>Domain Master Browser</p></td><td><p>Yes</p></td></tr><tr><td><p>Primary WINS Server</p></td><td><p>Yes</p></td></tr><tr><td><p>Secondary WINS Server</p></td><td><p>No<a class="indexterm" name="ch01-idx-951824-0"></a>
-<a class="indexterm" name="ch01-idx-951824-1"></a></p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-32691"></a>An Overview of the Samba Distribution</h2></div></div></div><p>As mentioned earlier, Samba actually contains several programs that serve different but related purposes. Let's introduce each of them briefly, and show how they work together. The majority of the programs that come with the Samba distribution center on its two daemons. Let's take a refined look at the responsibilities of each daemon:</p><div class="variablelist"><dl><dt><span class="term"><span class="emphasis"><em>smbd</em></span></span></dt><dd><p>The <span class="emphasis"><em>smbd</em></span> daemon is responsible for managing the shared resources between the Samba server machine and its clients. It provides file, print, and browser services to <acronym class="acronym">SMB</acronym> clients across one or more networks. <span class="emphasis"><em>smdb</em></span> handles all notifications between the Samba server and the network clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the <acronym class="acronym">SMB</acronym> protocol.</p></dd><dt><span class="term"><span class="emphasis"><em>nmbd</em></span></span></dt><dd><p>The <span class="emphasis"><em>nmbd</em></span> daemon is a simple nameserver that mimics the WINS and NetBIOS name server functionality, as you might expect to encounter with the LAN Manager package. This daemon listens for nameserver requests and provides the appropriate information when called upon. It also provides browse lists for the Network Neighborhood and participates in browsing elections.</p></dd></dl></div><p>The Samba distribution also comes with a small set of Unix command-line tools:</p><div class="variablelist"><dl><dt><span class="term">smbclient</span></dt><dd><p>An FTP-like Unix client that can be used to connect to Samba shares</p></dd><dt><span class="term">smbtar</span></dt><dd><p>A program for backing up data in shares, similar to the Unix <code class="filename">tar</code> command</p></dd><dt><span class="term">nmblookup</span></dt><dd><p>A program that provides NetBIOS over TCP/IP name lookups</p></dd><dt><span class="term">smbpasswd</span></dt><dd><p>A program that allows an administrator to change the encrypted passwords used by Samba</p></dd><dt><span class="term">smbstatus</span></dt><dd><p>A program for reporting the current network connections to the shares on a Samba server</p></dd><dt><span class="term">testparm</span></dt><dd><p>A simple program to validate the Samba configuration file</p></dd><dt><span class="term">testprns</span></dt><dd><p>A program that tests whether various printers are recognized by the <code class="filename">smbd</code> daemon</p></dd></dl></div><p>Each significant release of Samba goes through a significant exposure test before it's announced. In addition, it is quickly updated afterward if problems or unwanted side-effects are found. The latest stable distribution as of this writing is Samba 2.0.5, the long-awaited production version of Samba 2.0. This book focuses on the functionality supported in Samba 2.0, as opposed to the older 1.9.<span class="emphasis"><em>x</em></span> versions of Samba, which are now obsolete.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-SECT-6"></a>How Can I Get Samba?</h2></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951923-0"></a>Samba is available in both binary and source format from a set of <a class="indexterm" name="ch01-idx-951925-0"></a>mirror sites across the Internet. The primary home site for Samba is located at <a class="indexterm" name="ch01-idx-951924-0"></a>
-<a class="indexterm" name="ch01-idx-951924-1"></a><code class="systemitem">http://www.samba.org/</code>.</p><p>However, if you don't want to wait for packets to arrive all the way from Australia, mirror sites for Samba can be found at any of several locations on the Internet. A list of mirrors is given at the primary Samba home page.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-40528"></a>What's New in Samba 2.0?</h2></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951929-0"></a>
-<a class="indexterm" name="ch01-idx-951929-1"></a>Samba 2.0 was an eagerly-awaited package. The big additions to Samba 2.0 are more concrete support for NT Domains and the new Samba Web Administration Tool (SWAT), a browser-based utility for configuring Samba. However, there are dozens of other improvements that were introduced in the summer and fall of 1998.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.1"></a>NT Domains</h3></div></div></div><p>Samba's support for <a class="indexterm" name="ch01-idx-951930-0"></a>
-<a class="indexterm" name="ch01-idx-951930-1"></a>NT Domains (starting with version 2.0.<span class="emphasis"><em>x</em></span>) produced a big improvement: it allows SMB servers to use its authentication mechanisms, which is essential for future NT compatibility, and to support <em class="firstterm">NT domain logons</em>
-<a class="indexterm" name="ch01-idx-951931-0"></a>
-<a class="indexterm" name="ch01-idx-951931-1"></a>
-<a class="indexterm" name="ch01-idx-951931-2"></a>
-<a class="indexterm" name="ch01-idx-951931-3"></a>. Domain logons allow a user to log in to a Windows NT domain and use all the computers in the domain without logging into them individually. Previous to version 2.0.0, Samba supported Windows 95/98 logon services, but not NT domain logons. Although domain logons support is not complete is Samba 2.0, it is partially implemented.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.2"></a>Ease of Administration</h3></div></div></div><p>
-<a class="indexterm" name="ch01-idx-951933-0"></a>SWAT, the <a class="indexterm" name="ch01-idx-951934-0"></a>Samba Web Administration Tool, makes it easy to set up a server and change its configuration, without giving up the simple text-based configuration file. SWAT provides a graphical interface to the resources that Samba shares with its clients. In addition, SWAT saves considerable experimentation and memory work in setting up or changing configurations across the network. You can even create an initial setup with SWAT and then modify the file later by hand, or vice versa. Samba will not complain.</p><p>On the <a class="indexterm" name="ch01-idx-951935-0"></a>compilation side, <a class="indexterm" name="ch01-idx-951936-0"></a>GNU <code class="filename">autoconf</code> is now used to make the task of initial compilation and setup easier so you can get to SWAT quicker.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.3"></a>Performance</h3></div></div></div><p>There are major performance and scalability increases in Samba: the code has been reorganized and <span class="emphasis"><em>nmbd</em></span>
-<a class="indexterm" name="ch01-idx-951937-0"></a> (the Samba name service daemon) heavily rewritten:</p><div class="itemizedlist"><ul type="disc"><li><p>Name/browsing service now supports approximately 35,000 simultaneous clients.</p></li><li><p>File and print services support 500 concurrent users from a single medium-sized server without noticeable performance degradation.</p></li><li><p>
-<a class="indexterm" name="ch01-idx-951938-0"></a>Linux/Samba on identical hardware now consistently performs better than NT Server. And best of all, Samba is improving.</p></li><li><p>Improved <a class="indexterm" name="ch01-idx-951939-0"></a>
-<a class="indexterm" name="ch01-idx-951939-1"></a>
-<a class="indexterm" name="ch01-idx-951939-2"></a>"opportunistic" locking allows client machines to cache entire files locally, greatly improving speed without running the risk of accidentally overwriting the cached files.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.4"></a>More Features</h3></div></div></div><p>There are several additional features in Samba 2.0. You can now have multiple Samba <a class="indexterm" name="ch01-idx-951942-0"></a>aliases on the same machine, each pretending to be a different server, a feature similar to <a class="indexterm" name="ch01-idx-951943-0"></a>virtual hosts in modern web servers. This allows a host to serve multiple departments and groups, or provide disk shares with normal username/password security while also providing printers to everyone without any security. Printing has been changed to make it easier for <a class="indexterm" name="ch01-idx-951944-0"></a>Unix System V owners: Samba can now find the available printers automatically, just as it does with Berkeley-style printing. In addition, Samba now has the capability to use <a class="indexterm" name="ch01-idx-951945-0"></a>
-<a class="indexterm" name="ch01-idx-951945-1"></a>
-<a class="indexterm" name="ch01-idx-951945-2"></a>
-<a class="indexterm" name="ch01-idx-951945-3"></a>multiple code pages, so it can be used with non-European languages, and to use the <a class="indexterm" name="ch01-idx-951946-0"></a>Secure Sockets Layer protocol (SSL) to encrypt all the data it sends across the Internet, instead of just passwords.<sup>[<a name="ch01-pgfId-938280" href="#ftn.ch01-pgfId-938280">7</a>]</sup></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.5"></a>Compatibility Improvements</h3></div></div></div><p>At the same time as it's becoming more capable, Samba is also becoming more <a class="indexterm" name="ch01-idx-951947-0"></a>
-<a class="indexterm" name="ch01-idx-951947-1"></a>compatible with Windows NT. Samba has always supported Microsoft-style password encryption. It now provides tools and options for changing over to <a class="indexterm" name="ch01-idx-951948-0"></a>
-<a class="indexterm" name="ch01-idx-951948-1"></a>Microsoft encryption, and for keeping the Unix and Microsoft password files synchronized while doing so. Finally, a Samba master browser can be instructed to hunt down and synchronize itself with other SMB servers on different LANs, allowing <a class="indexterm" name="ch01-idx-951950-0"></a>SMB to work seamlessly across multiple networks. Samba uses a different method of accomplishing this from the Microsoft method, which is undocumented.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch01-SECT-7.6"></a>Smbwrapper</h3></div></div></div><p>Finally, there is an entirely new version of the Unix client called <em class="firstterm">smbwrapper</em>
-<a class="indexterm" name="ch01-idx-951955-0"></a>. Instead of a kernel module that allows Linux to act as a Samba client, there is now a command-line entry to load the library that provides a complete SMB filesystem on some brands of Unix. Once loaded, the command <code class="literal">ls</code> <code class="literal">/smb</code> will list all the machines in your workgroup, and <code class="literal">cd</code> <code class="literal">/smb/</code><em class="replaceable"><code>server_name</code></em><code class="literal">/</code><em class="replaceable"><code>share_name</code></em> will take you to a particular <a class="indexterm" name="ch01-idx-951956-0"></a>
-<a class="indexterm" name="ch01-idx-951956-1"></a>share (shared directory), similar to the <a class="indexterm" name="ch01-idx-951957-0"></a>
-<a class="indexterm" name="ch01-idx-951957-1"></a>Network File System (NFS). As of this writing, <span class="emphasis"><em>smbwrapper</em></span> currently runs on Linux, Solaris, SunOS 4, IRIX, and OSF/1, and is expected to run on several more operating systems in the near future.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch01-99818"></a>And That's Not All...</h2></div></div></div><p>Samba is a wonderful tool with potential for even the smallest SMB/CIFS network. This chapter presented you with a thorough introduction to what Samba is, and more importantly, how it fits into a Windows network. The next series of chapters will help you set up Samba on both the Unix server side, where its two daemons reside, as well as configure the Windows 95, 98, and NT clients to work with Samba. Before long, the aches and pains of your heterogeneous network may seem like a thing of the past. Welcome to the wonderful world of Samba!</p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-946532" href="#ch01-pgfId-946532">1</a>] </sup>Which is a good thing, because our marketing people highly doubt you would have picked up a book called "Using Salmonberry"!</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-946542" href="#ch01-pgfId-946542">2</a>] </sup>At the time of this printing, Andrew had completed his Ph.D. work and had joined San Francisco-based LinuxCare.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-941061" href="#ch01-pgfId-941061">3</a>] </sup>You can also right-click on the shared resource in the <a class="indexterm" name="ch01-idx-951603-0"></a>Network Neighborhood, and then select the Map Network Drive menu item.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-952017" href="#ch01-pgfId-952017">4</a>] </sup>Be warned that many end-user license agreements forbid installing a program on a network such that multiple clients can access it. Check the legal agreements that accompany the product to be absolutely sure.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-946249" href="#ch01-pgfId-946249">5</a>] </sup>As you can see in RFC 1001, the telephone analogy was strongly evident in the creation of the NBT service.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-947021" href="#ch01-pgfId-947021">6</a>] </sup>Windows domains are called <a class="indexterm" name="ch01-idx-953044-0"></a>
-<a class="indexterm" name="ch01-idx-953044-1"></a>"Windows NT domains" by Microsoft because they assume that Windows NT machines will take the role of the domain controller. However, because Samba can perform this function as well, we'll simply call them "Windows domains" to avoid confusion.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch01-pgfId-938280" href="#ch01-pgfId-938280">7</a>] </sup>If you reside in the United States, there are some federal rules and regulations dealing with strong cryptography. We'll talk about his later when we set up Samba and SSL in <a href="#SAMBA-AP-A" title="Appendix A. Configuring Samba with SSL">Appendix A</a>.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-2"></a>Chapter 2. Installing Samba on a Unix System</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch02-85028">2.1. Downloading the Samba Distribution</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-1.1">2.1.1. Binary or Source?</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-1.2">2.1.2. Read the Documentation</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-28558">2.2. Configuring Samba</a></span></dt><dt><span class="sect1"><a href="#ch02-13217">2.3. Compiling and Installing Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-3.1">2.3.1. Final Installation Steps</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-13464">2.4. A Basic Samba Configuration File</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-4.1">2.4.1. Using SWAT</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-4.2">2.4.2. Testing the Configuration File</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-29069">2.5. Starting the Samba Daemons</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch02-SECT-5.1">2.5.1. Starting the Daemons by Hand</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-5.2">2.5.2. Stand-alone Daemons</a></span></dt><dt><span class="sect2"><a href="#ch02-SECT-5.3">2.5.3. Starting From Inetd</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch02-67898">2.6. Testing the Samba Daemons</a></span></dt></dl></div><p>
-<a class="indexterm" name="ch02-idx-947293-0"></a>
-<a class="indexterm" name="ch02-idx-947293-1"></a>Now that you know what Samba can do for you and your users, it's time to get your own network set up. Let's start with the installation of Samba itself on a Unix system. When dancing the samba, one learns by taking small steps. It's just the same when installing Samba; we need to teach it step by step. This chapter will help you to start off on the right foot.</p><p>For illustrative purposes, we will be installing the 2.0.4 version of the Samba server on a <a class="indexterm" name="ch02-idx-947307-0"></a>Linux<sup>[<a name="ch02-pgfId-939741" href="#ftn.ch02-pgfId-939741">1</a>]</sup> system running version 2.0.31 of the kernel. However, the installation steps are the same for all of the platforms that Samba supports. A typical installation will take about an <a class="indexterm" name="ch02-idx-947305-0"></a>hour to complete, including downloading the source files and compiling them, setting up the configuration files, and testing the server.</p><p>
-<a class="indexterm" name="ch02-idx-947306-0"></a>Here is an overview of the steps:</p><div class="orderedlist"><ol type="1"><li><p>Download the source or binary files.</p></li><li><p>Read the installation documentation.</p></li><li><p>Configure a makefile.</p></li><li><p>Compile the server code.</p></li><li><p>Install the server files.</p></li><li><p>Create a Samba configuration file.</p></li><li><p>Test the configuration file.</p></li><li><p>Start the Samba daemons.</p></li><li><p>Test the Samba daemons.</p></li></ol></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-85028"></a>Downloading the Samba Distribution</h2></div></div></div><p>
-<a class="indexterm" name="ch02-idx-947308-0"></a>
-<a class="indexterm" name="ch02-idx-947308-1"></a>
-
-</p><p>If you want to download the latest version, the primary web site
-for the Samba software is <a class="indexterm" name="ch02-idx-947318-0"></a><code class="systemitem">http://www.samba.org</code>. Once connected to this
-page, you'll see links to several Samba mirror sites across the
-world, both for the standard Samba web pages and sites devoted
-exclusively to downloading Samba. For the best performance, choose a
-site that is closest to your own geographic location.</p><p>The standard <a class="indexterm" name="ch02-idx-947320-0"></a> <a class="indexterm" name="ch02-idx-947320-1"></a>Samba web
-sites have Samba documentation and tutorials, mailing list archives,
-and the latest Samba news, as well as source and binary distributions
-of Samba. The download sites (sometimes called <span class="emphasis"><em>FTP
-sites</em></span>) have only the source and binary
-distributions. Unless you specifically want an older version of the
-Samba server or are going to install a binary distribution, download
-the latest source distribution from the closest mirror site. This
-distribution is always named:</p><pre class="programlisting">samba-latest.tar.gz</pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-1.1"></a>Binary or Source?</h3></div></div></div><p>
-<a class="indexterm" name="ch02-idx-947323-0"></a>
-<a class="indexterm" name="ch02-idx-947323-1"></a>Precompiled packages are also available for a large number of Unix platforms. These packages contain binaries for each of the Samba executables as well as the standard Samba documentation. Note that while installing a binary distribution can save you a fair amount of trouble and time, there are a couple of issues that you should keep in mind when deciding whether to use the binary or compile the source yourself:</p><div class="itemizedlist"><ul type="disc"><li><p>The binary packages can lag behind the latest version
-of the software by one or two (maybe more) minor releases, especially
-after a series of small changes and for less popular
-platforms. Compare the release notes for the source and binary
-packages to make sure that there aren't any new features that
-you need on your platform. 
-
-</p></li><li><p>If you use a precompiled binary, you will need to ensure that you have the correct libraries required by the executables. On some platforms the executables are statically linked so this isn't an issue, but on modern Unix operating systems (e.g., Linux, SGI Irix, Solaris, HP-UX, etc.), libraries are often <a class="indexterm" name="ch02-idx-947325-0"></a>dynamically linked. This means that the binary looks for the right version of each library on your system, so you may have to install a new version of a library. The <code class="filename">README</code> file or <code class="filename">makefile</code>
-<a class="indexterm" name="ch02-idx-947333-0"></a> that accompanies the binary distribution should list any special requirements.<sup>[<a name="ch02-pgfId-943622" href="#ftn.ch02-pgfId-943622">2</a>]</sup></p><p>Many machines with shared libraries come with a nifty tool called <span class="emphasis"><em>ldd</em></span>
-<a class="indexterm" name="ch02-idx-947322-0"></a>. This tool will tell you which libraries a specific binary requires and which libraries on the system satisfy that requirement. For example, checking the <span class="emphasis"><em>smbd</em></span> program on our test machine gave us:</p></li></ul></div><pre class="programlisting">$ <span class="bold"><strong>ldd smbd</strong></span>
-libreadline.so.3 =&gt; /usr/lib/libreadline.so.3
-libdl.so.2 =&gt; /lib/libdl.so.2
-libcrypt.so.1 =&gt; /lib/libcrypt.so.1
-libc.so.6 =&gt; /lib/libc.so.6
-libtermcap.so.2 =&gt; /lib/libtermcap.so.2
-/lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2</pre><div class="itemizedlist"><ul type="disc"><li><p>If there are any incompatibilities between Samba and specific libraries on your machine, the distribution-specific documentation should highlight those.</p></li><li><p>Keep in mind that each binary distribution carries preset values about the target platform, such as default directories and configuration option values. Again, check the documentation and the makefile included in the source directory to see which directives and variables were used when the binary was compiled. In some cases, these will not be appropriate for your situation.</p><p>A few configuration items can be reset with command-line options at runtime instead of at compile time. For example, if your binary tries to place any log, lock, or status files in the "wrong" place (for example, in <code class="filename">/usr/local</code>  ), you can override this without recompiling.</p></li></ul></div><p>One point worth mentioning is that the Samba source requires an <a class="indexterm" name="ch02-idx-947324-0"></a>
-<a class="indexterm" name="ch02-idx-947324-1"></a>
-<a class="indexterm" name="ch02-idx-947324-2"></a>ANSI C compiler. If you are on a platform with a non-ANSI compiler, such as the <span class="emphasis"><em>cc</em></span> compiler on SunOS version 4, you'll have to install an ANSI-compliant compiler such as <span class="emphasis"><em>gcc</em></span> before you do anything else.<sup>[<a name="ch02-pgfId-939049" href="#ftn.ch02-pgfId-939049">3</a>]</sup> If installing a compiler isn't something you want to wrestle with, you can start off with a binary package. However, for the most flexibility and compatibility on your system, we always recommend compiling from the latest source.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-1.2"></a>Read the Documentation</h3></div></div></div><p>
-<a class="indexterm" name="ch02-idx-947327-0"></a>
-<a class="indexterm" name="ch02-idx-947327-1"></a>
-<a class="indexterm" name="ch02-idx-947327-2"></a>This sounds like an obvious thing to say, but there have probably been times where you have uncompressed a package, blindly typed <code class="literal">configure</code>, <code class="literal">make</code>, and <code class="literal">make</code> <code class="literal">install</code>, and walked away to get another cup of coffee. We'll be the first to admit that we do that, many more times than we should. It's a bad idea&#8212;especially when planning a network with Samba.</p><p>Samba 2.0 automatically configures itself prior to compilation. This reduces the likelihood of a machine-specific problem, but there may be an option mentioned in the <code class="filename">README</code> file that you end up wishing for after Samba's been installed. With both source and binary packages you'll find a large number of documents in the <code class="filename">docs</code>
-<a class="indexterm" name="ch02-idx-947328-0"></a> directory, in a variety of formats. The most important files to look at in the distribution are:</p><pre class="programlisting"><a class="indexterm" name="ch02-idx-947329-0"></a>
-<a class="indexterm" name="ch02-idx-947329-1"></a>WHATSNEW.txt
-docs/textdocs/UNIX_INSTALL.txt</pre><p>These files tell you what features you can expect in your Samba distribution, and will highlight common installation problems that you're likely to face. Be sure to look over both of them before you start the compilation process.<a class="indexterm" name="ch02-idx-947311-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-28558"></a>Configuring Samba</h2></div></div></div><p>
-<a class="indexterm" name="ch02-idx-947339-0"></a>
-<a class="indexterm" name="ch02-idx-947339-1"></a>The <a class="indexterm" name="ch02-idx-947330-0"></a>source distribution of Samba 2.0 and above doesn't initially have a <a class="indexterm" name="ch02-idx-947337-0"></a>makefile. Instead, one is generated through a GNU <code class="filename">configure</code>
-<a class="indexterm" name="ch02-idx-947338-0"></a>
-<a class="indexterm" name="ch02-idx-947338-1"></a> script, which is located in the <code class="filename">samba-2.0.x /source/</code> directory. The <em class="firstterm">configure</em> script, which must be run as root, takes care of the machine-specific issues of building Samba. However, you still may want to decide on some global options. Global options can be set by passing options on the command-line:</p><pre class="programlisting"># ./configure --with-ssl</pre><p>For example, this will configure the Samba makefile with support for the<a class="indexterm" name="ch02-idx-947347-0"></a>
-<a class="indexterm" name="ch02-idx-947347-1"></a> Secure Sockets Layer (SSL) encryption protocol. If you would like a complete list of <a class="indexterm" name="ch02-idx-947348-0"></a>options, type the following:</p><pre class="programlisting">#./configure --help</pre><p>
-<a class="indexterm" name="ch02-idx-947349-0"></a>
-<a class="indexterm" name="ch02-idx-947349-1"></a>Each of these options enable or disable various features. You typically enable a feature by specifying the <code class="literal">--with-</code><em class="replaceable"><code>feature</code></em> option, which will cause the feature to be compiled and installed. Likewise, if you specify a <code class="literal">--without-</code><em class="replaceable"><code>feature</code></em> option, the feature will be disabled. As of Samba 2.0.5, each of the following features is disabled by default:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">--with-smbwrapper</code></span></dt><dd><p>Include SMB <a class="indexterm" name="ch02-idx-947350-0"></a>
-<a class="indexterm" name="ch02-idx-947350-1"></a>wrapper support, which allows executables on the Unix side to access <a class="indexterm" name="ch02-idx-947351-0"></a>SMB/CIFS filesystems as if they were regular Unix filesystems. We recommend using this option. However, at this time this book went to press, there were several incompatibilities between the <code class="filename">smbwrapper</code>
-<a class="indexterm" name="ch02-idx-947352-0"></a> package and the GNU <code class="filename">libc</code> version 2.1, and it would not compile on Red Hat 6.0. Look for more information on these incompatibilities on the Samba home page.</p></dd><dt><span class="term"><code class="literal">--with-afs</code></span></dt><dd><p>Include support of the <a class="indexterm" name="ch02-idx-947353-0"></a>Andrew Filesystem from <a class="indexterm" name="ch02-idx-947354-0"></a>Carnegie Mellon University. If you're going to serve <a class="indexterm" name="ch02-idx-947355-0"></a>AFS files via Samba, we recommend compiling Samba once first without enabling this feature to ensure that everything runs smoothly. Once that version is working smoothly, recompile Samba with this feature enabled and compare any errors you might receive against the previous setup.</p></dd><dt><span class="term"><code class="literal">--with-dfs</code></span></dt><dd><p>Include support for <a class="indexterm" name="ch02-idx-947356-0"></a>DFS, a later version of AFS, used by <a class="indexterm" name="ch02-idx-947357-0"></a>OSF/1 (Digital Unix). Note that this is <span class="emphasis"><em>not</em></span> the same as Microsoft DFS, which is an entirely different filesystem. Again, we recommend compiling Samba once first without this feature to ensure that everything runs smoothly, then recompile with this feature to compare any errors against the previous setup.</p></dd><dt><span class="term"><code class="literal">--with-krb4</code>=<em class="replaceable"><code>base-directory</code></em></span></dt><dd><p>Include support for <a class="indexterm" name="ch02-idx-947358-0"></a>Kerberos version 4.0, explicitly specifying the base directory of the distribution. Kerberos is a network security protocol from <a class="indexterm" name="ch02-idx-947359-0"></a>MIT that uses <a class="indexterm" name="ch02-idx-947360-0"></a>
-<a class="indexterm" name="ch02-idx-947360-1"></a>private key cryptography to provide strong security between nodes. Incidentally, Microsoft has announced that Kerberos 5.0 will be the standard <a class="indexterm" name="ch02-idx-947362-0"></a>authentication mechanism for Microsoft Windows 2000 (NT 5.0). However, the Kerberos 5.0 authentication mechanisms are quite different from the Kerberos 4.0 <a class="indexterm" name="ch02-idx-947363-0"></a>security mechanisms. If you have Kerberos version 4 on your system, the Samba team recommends that you upgrade and use the <code class="literal">--with-krb5</code> option (see the next item). You can find more information on <a class="indexterm" name="ch02-idx-947364-0"></a>Kerberos at <code class="systemitem">http://web.mit.edu/kerberos/www</code>.</p></dd><dt><span class="term"><code class="literal">--with-krb5</code>=<em class="replaceable"><code>base-directory</code></em></span></dt><dd><p>Include support for Kerberos version 5.0, explicitly specifying the base directory of the distribution. Microsoft has announced that Kerberos 5.0 will be the standard authentication mechanism for Microsoft Windows 2000 (NT 5.0). However, there is no guarantee that Microsoft will not extend Kerberos for their own needs in the future. Currently, Samba's Kerberos support only uses a plaintext password interface and not an encrypted one. You can find more information on Kerberos at its home page: <code class="systemitem">http://web.mit.edu/kerberos/www</code>.</p></dd><dt><span class="term"><code class="literal">--with-automount</code></span></dt><dd><p>Include support for <a class="indexterm" name="ch02-idx-947365-0"></a>automounter, a feature often used on sites that offer NFS.</p></dd><dt><span class="term"><code class="literal">--with-smbmount</code></span></dt><dd><p>Include <span class="emphasis"><em>smbmount</em></span>
-<a class="indexterm" name="ch02-idx-947366-0"></a> support, which is for <a class="indexterm" name="ch02-idx-947367-0"></a>Linux only. This feature wasn't being maintained at the time the book was written, so the Samba team made it an optional feature and provided <span class="emphasis"><em>smbwrapper</em></span> instead. The <span class="emphasis"><em>smbwrapper</em></span> feature works on more Unix platforms than <span class="emphasis"><em>smbmount</em></span>, so you'll usually want to use <code class="literal">--with-smbwrapper</code> instead of this option.</p></dd><dt><span class="term"><code class="literal">--with-pam</code></span></dt><dd><p>Include support for <a class="indexterm" name="ch02-idx-947368-0"></a>
-<a class="indexterm" name="ch02-idx-947368-1"></a>pluggable authentication modules (PAM), an authentication feature common in the Linux operating system.</p></dd><dt><span class="term"><code class="literal">--with-ldap</code></span></dt><dd><p>Include support for the <a class="indexterm" name="ch02-idx-947369-0"></a>
-<a class="indexterm" name="ch02-idx-947369-1"></a>Lightweight Directory Access Protocol (LDAP). A future version of LDAP will be used in the Windows 2000 (NT 5.0) operating system; this Samba support is experimental. LDAP is a flexible client-server directory protocol that can carry information such as certificates and group memberships.<sup>[<a name="ch02-pgfId-943655" href="#ftn.ch02-pgfId-943655">4</a>]</sup></p></dd><dt><span class="term"><code class="literal">--with-nis</code></span></dt><dd><p>Include support for getting password-file information from <a class="indexterm" name="ch02-idx-947370-0"></a>NIS (network yellow pages).</p></dd><dt><span class="term"><code class="literal">--with-nisplus</code></span></dt><dd><p>Include support for obtaining password-file information from NIS+, the successor to NIS.</p></dd><dt><span class="term"><code class="literal">--with-ssl</code></span></dt><dd><p>Include experimental support for the <a class="indexterm" name="ch02-idx-947374-0"></a>Secure Sockets Layer (SSL), which is used to provide encrypted connections from client to server. <a href="#SAMBA-AP-A" title="Appendix A. Configuring Samba with SSL">Appendix A</a>, describes setting up Samba with SSL support.</p></dd><dt><span class="term"><code class="literal">--with-nisplus-home</code></span></dt><dd><p>Include support for locating which server contains a particular user's <a class="indexterm" name="ch02-idx-947380-0"></a>
-<a class="indexterm" name="ch02-idx-947380-1"></a>home directory and telling the client to connect to it. Requires <code class="literal">--with-nis</code> and, usually, <code class="literal">--with-automounter</code>.</p></dd><dt><span class="term"><code class="literal">--with-mmap</code></span></dt><dd><p>Include experimental<a class="indexterm" name="ch02-idx-947381-0"></a> memory mapping code. This is not required for <a class="indexterm" name="ch02-idx-947382-0"></a>fast locking, which already uses mmap or System V shared memory.</p></dd><dt><span class="term"><code class="literal">--with-syslog</code></span></dt><dd><p>Include support for using the <a class="indexterm" name="ch02-idx-947383-0"></a>SYSLOG utility for logging information generated from the Samba server. There are a couple of Samba configuration options that you can use to enable SYSLOG support; <a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, discusses these options.</p></dd><dt><span class="term"><code class="literal">--with-netatalk</code></span></dt><dd><p>Include experimental support for interoperating with the (Macintosh) <a class="indexterm" name="ch02-idx-947412-0"></a>Netatalk file server.</p></dd><dt><span class="term"><code class="literal">--with-quotas</code></span></dt><dd><p>Include <a class="indexterm" name="ch02-idx-947413-0"></a>disk-quota support.</p></dd></dl></div><p>Because each of these options is disabled by default, none of these features are essential to Samba. However, you may want to come back and build a modified version of Samba if you discover that you need one at a later time.</p><p>In addition, <a href="#ch02-85125" title="Table 2.1. Additional Configure Options">Table 2.1</a> shows some other parameters that you can give the <code class="filename">configure</code> script if you wish to store parts of the Samba distribution in different places, perhaps to make use of multiple disks or partitions. Note that the defaults sometimes refer to a prefix specified earlier in the table.</p><div class="table"><a name="ch02-85125"></a><p class="title"><b>Table 2.1. Additional Configure Options </b></p><div class="table-contents"><table summary="Additional Configure Options " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Meaning</p></th><th><p>Default</p></th></tr></thead><tbody><tr><td><p><code class="literal">--prefix</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install architecture-independent files at the base directory specified.</p></td><td><p><code class="filename">/usr/local/samba</code></p></td></tr><tr><td><p><code class="literal">--eprefix</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install architecture-dependent files at the base directory specified.</p></td><td><p><code class="filename">/usr/local/samba</code></p></td></tr><tr><td><p><code class="literal">--bindir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install user executables in the directory specified.</p></td><td><p><em class="replaceable"><code>eprefix</code></em><code class="filename">/bin</code></p></td></tr><tr><td><p><code class="literal">--sbindir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install administrator executables in the directory specified.</p></td><td><p><em class="replaceable"><code>eprefix</code></em><code class="filename">/bin</code></p></td></tr><tr><td><p><code class="literal">--libexecdir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install program executables in the directory specified.</p></td><td><p><em class="replaceable"><code>eprefix</code></em><code class="filename">/libexec</code></p></td></tr><tr><td><p><code class="literal">--datadir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install read-only architecture independent data in the directory specified.</p></td><td><p><em class="replaceable"><code>prefix</code></em><code class="filename">/share</code></p></td></tr><tr><td><p><code class="literal">--libdir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install program libraries in the directory specified.</p></td><td><p><em class="replaceable"><code>eprefix</code></em><code class="filename">/lib</code></p></td></tr><tr><td><p><code class="literal">--includedir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install package include files in the directory specified.</p></td><td><p><em class="replaceable"><code>prefix</code></em><code class="filename">/include</code></p></td></tr><tr><td><p><code class="literal">--infodir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install additional information files in the directory specified.</p></td><td><p><em class="replaceable"><code>prefix</code></em><code class="filename">/info</code></p></td></tr><tr><td><p><code class="literal">--mandir</code>=<em class="replaceable"><code>directory</code></em></p></td><td><p>Install manual pages in the directory specified.<a class="indexterm" name="ch02-idx-947428-0"></a></p></td><td><p><em class="replaceable"><code>prefix</code></em><code class="filename">/man</code></p></td></tr></tbody></table></div></div><br class="table-break"><p>Again, before running the <code class="filename">configure</code> script, it is important that you are the <a class="indexterm" name="ch02-idx-947433-0"></a>root user on the system. Otherwise, you may get a warning such as:</p><pre class="programlisting">configure: warning: running as non-root will disable some tests</pre><p>You don't want any test to be disabled when the Samba makefile is being created; this leaves the potential for errors down the road when compiling or running Samba on your system.</p><p>Here is a sample execution of the <code class="filename">configure</code>
-<a class="indexterm" name="ch02-idx-947434-0"></a> script, which creates a Samba 2.0.4 makefile for the Linux platform. Note that you must run the configure script in the <span class="emphasis"><em>source</em></span> directory, and that several lines from the middle of the excerpt have been omitted:</p><pre class="programlisting"># cd samba-2.0.4b/source/
-# ./configure | tee mylog
-
-loading cache ./config.cache
-checking for gcc... (cached) gcc
-checking whether the C compiler (gcc -O ) works... yes
-checking whether the C compiler (gcc -O ) is a cross-compiler... no
-checking whether we are using GNU C... (cached) yes
-checking whether gcc accepts -g... (cached) yes
-checking for a BSD compatible install... (cached) /usr/bin/install -c
-
-<span class="emphasis"><em>...(content omitted)...</em></span>
-
-checking configure summary
-configure OK
-creating ./config.status
-creating include/stamp-h
-creating Makefile
-creating include/config.h</pre><p>In general, any message from <code class="filename">configure</code> that doesn't begin with the words <code class="literal">checking</code> or <code class="literal">creating</code> is an error; it often helps to redirect the output of the configure script to a file so you can quickly search for <a class="indexterm" name="ch02-idx-947435-0"></a>errors, as we did with the <code class="literal">tee</code> command above. If there was an error during configuration, more detailed information about it can be found in the <code class="filename">config.log</code> file, which is written to the local directory by the <code class="filename">configure</code> script.</p><p>If the configuration works, you'll see a <code class="literal">checking</code> <code class="literal">configure</code> <code class="literal">summary</code> message followed by a <code class="literal">configure</code> <code class="literal">OK</code> message and four or five file creation messages. So far, so good.... Next step: compiling.<a class="indexterm" name="ch02-idx-947719-0"></a></p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-13217"></a>Compiling and Installing Samba</h2></div></div></div><p>
-<a class="indexterm" name="ch02-idx-947438-0"></a>At <a class="indexterm" name="ch02-idx-947440-0"></a>this point you should be ready to build the Samba executables. Compiling is also easy: in the <code class="filename">source</code> directory, type <code class="literal">make</code> on the command line. The <code class="filename">make</code>
-<a class="indexterm" name="ch02-idx-947436-0"></a> utility will produce a stream of explanatory and success messages, beginning with:</p><pre class="programlisting">Using FLAGS = -O -Iinclude ...</pre><p>This build includes compiles for both <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span>, and ends in a linking command for <code class="filename">bin/make_ printerdef</code>. For example, here is a sample make of Samba version 2.0.4 on a Linux server:</p><pre class="programlisting"># make
-Using FLAGS =  -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -DSMBLOGFILE="/
-usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log.nmb" -
-DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTSFILE="/usr/local/samba/lib/
-lmhosts"   -DSWATDIR="/usr/local/samba/swat" -DSBINDIR="/usr/local/samba/bin" -
-DLOCKDIR="/usr/local/samba/var/locks" -DSMBRUN="/usr/local/samba/bin/smbrun" -
-DCODEPAGEDIR="/usr/local/samba/lib/codepages" -DDRIVERFILE="/usr/local/samba/lib/
-printers.def" -DBINDIR="/usr/local/samba/bin" -DHAVE_INCLUDES_H -DPASSWD_
-PROGRAM="/bin/passwd" -DSMB_PASSWD_FILE="/usr/local/samba/private/smbpasswd"
-Using FLAGS32 =  -O -Iinclude -I./include -I./ubiqx -I./smbwrapper  -
-DSMBLOGFILE="/usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log.
-nmb" -DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTSFILE="/usr/local/samba/
-lib/lmhosts"   -DSWATDIR="/usr/local/samba/swat" -DSBINDIR="/usr/local/samba/bin" 
--DLOCKDIR="/usr/local/samba/var/locks" -DSMBRUN="/usr/local/samba/bin/smbrun" -
-DCODEPAGEDIR="/usr/local/samba/lib/codepages" -DDRIVERFILE="/usr/local/samba/lib/
-printers.def" -DBINDIR="/usr/local/samba/bin" -DHAVE_INCLUDES_H -DPASSWD_
-PROGRAM="/bin/passwd" -DSMB_PASSWD_FILE="/usr/local/samba/private/smbpasswd"
-Using LIBS = -lreadline -ldl  -lcrypt -lpam
-Compiling smbd/server.c
-Compiling smbd/files.c
-Compiling smbd/chgpasswd.c
-
-<span class="emphasis"><em>...(content omitted)...</em></span>
-
-Compiling rpcclient/cmd_samr.c
-Compiling rpcclient/cmd_reg.c
-Compiling rpcclient/cmd_srvsvc.c
-Compiling rpcclient/cmd_netlogon.c
-Linking bin/rpcclient
-Compiling utils/smbpasswd.c
-Linking bin/smbpasswd
-Compiling utils/make_smbcodepage.c
-Linking bin/make_smbcodepage
-Compiling utils/nmblookup.c
-Linking bin/nmblookup
-Compiling utils/make_printerdef.c
-Linking bin/make_printerdef</pre><p>If you encounter problems when compiling, check the Samba documentation to see if it is easily fixable. Another possibility is to search or post to the <a class="indexterm" name="ch02-idx-947437-0"></a>Samba mailing lists, which are given at the end of <a href="#SAMBA-AP-D" title="Appendix D. Summary of Samba Daemons and Commands">Appendix D</a>, and on the Samba home page. Most compilation issues are system specific and almost always easy to overcome.</p><p>Now that the files have been compiled, you can install them into the directories you identified with the command:</p><pre class="programlisting">#<strong class="userinput"><code> make install</code></strong></pre><p>If you happen to be upgrading, your old Samba files will be saved with the extension <span class="emphasis"><em>.old</em></span> <a class="indexterm" name="ch02-idx-947448-0"></a>, and you can go back to that previous version with the command <code class="literal">make</code> <code class="literal">revert</code>. After doing a <code class="literal">make</code> <code class="literal">install</code>, you should copy the <span class="emphasis"><em>.old</em></span> files (if they exist) to a new location or name. Otherwise, the next time you install Samba, the original <span class="emphasis"><em>.old</em></span>  will be overwritten without warning and you could lose your earlier version. If you configured Samba to use the default locations for files, the new files will be installed in the directories listed in <a href="#SAMBA-CH-2-TBL-2.2" title="Table 2.2. Samba Installation Directories">Table 2.2</a>. Remember that you need to  perform the installation from an account that has <a class="indexterm" name="ch02-idx-947451-0"></a>write privileges on these target <a class="indexterm" name="ch02-idx-947452-0"></a>directories; this is typically the root account.</p><div class="table"><a name="SAMBA-CH-2-TBL-2.2"></a><p class="title"><b>Table 2.2. Samba Installation Directories </b></p><div class="table-contents"><table summary="Samba Installation Directories " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Directory</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><span class="emphasis"><em>/usr/local/samba</em></span></p></td><td><p>
-<a class="indexterm" name="ch02-idx-947450-0"></a>
-<a class="indexterm" name="ch02-idx-947450-1"></a>Main tree</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/bin</em></span></p></td><td><p>Binaries</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/lib</em></span></p></td><td><p><span class="emphasis"><em>smb.conf</em></span>, <span class="emphasis"><em>lmhosts</em></span>, configuration files, etc.</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/man</em></span></p></td><td><p>Samba documentation</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/private</em></span></p></td><td><p>Samba encrypted password file</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/swat</em></span></p></td><td><p>SWAT files</p></td></tr><tr><td><p><span class="emphasis"><em>/usr/local/samba/var</em></span></p></td><td><p>Samba log files, lock files, browse list info, shared memory files, process ID files</p></td></tr></tbody></table></div></div><br class="table-break"><p>Throughout the remainder of the book, we occasionally refer to the location of the <a class="indexterm" name="ch02-idx-947454-0"></a>main tree as <em class="replaceable"><code>samba_dir</code></em>. In most configurations, this is the <a class="indexterm" name="ch02-idx-947479-0"></a>base directory of the installed Samba package: <code class="filename">/usr/local/samba </code>
-<a class="indexterm" name="ch02-idx-947455-0"></a>.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Watch out if you've made <code class="filename">/usr</code> a <a class="indexterm" name="ch02-idx-947472-0"></a>read-only partition. You will want to put the logs, locks, and password files somewhere else.</p></div><p>Here is the installation that we performed on our machine. You can see that we used <code class="filename">/usr/local/samba</code> as the base directory for the distribution (e.g., <em class="replaceable"><code>samba_dir</code></em>):</p><pre class="programlisting"># <strong class="userinput"><code>make install</code></strong>
-Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -DSMBLOGFILE="/
-usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log.nmb" -
-DCONFIGFILE="/usr/local/samba/lib/smb.conf" -
-
-<em class="lineannotation"><span class="lineannotation">...(content omitted)...</span></em>
-
-The binaries are installed. You may restore the old binaries
-(if there were any) using the command "make revert". You may
-uninstall the binaries using the command "make uninstallbin"
-or "make uninstall" to uninstall binaries, man pages and shell
-scripts.
-
-<em class="lineannotation"><span class="lineannotation">...(content omitted)...</span></em>
-
-============================================================
-The SWAT files have been installed. Remember to read the 
-README for information on enabling and using SWAT.
-============================================================</pre><p>If the last message is about SWAT, you've successfully installed all the files. Congratulations! You now have Samba on your system!</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-3.1"></a>Final Installation Steps</h3></div></div></div><p>
-<a class="indexterm" name="ch02-idx-947480-0"></a>There are a couple of final steps to perform. Specifically, add the <a class="indexterm" name="ch02-idx-947486-0"></a>
-<a class="indexterm" name="ch02-idx-947486-1"></a>Samba Web Administration Tool (SWAT) to the <code class="filename">/etc/services</code>
-<a class="indexterm" name="ch02-idx-947491-0"></a> and <code class="filename">/etc/inetd.conf</code>
-<a class="indexterm" name="ch02-idx-947493-0"></a> configuration files. SWAT runs as a daemon under <span class="emphasis"><em>inetd</em></span> and provides a forms-based editor in your web browser for creating and modifying SMB configuration files.</p><div class="orderedlist"><ol type="1"><li><p>To add SWAT, add the following line to the end of the <code class="filename">/etc/services</code> file:</p><pre class="programlisting">swat   901/tcp</pre></li><li><p>Add these lines to <code class="filename">/etc/inetd.conf.</code> (Check your <code class="filename">inetd.conf</code> manual page to see the exact format of the<code class="filename"> inetd.conf</code> file if it differs from the following example.) Don't forget to change the path to the SWAT binary if you installed it in a different location from the default <code class="filename">/usr/local/samba</code>.</p><pre class="programlisting">swat   stream  tcp  nowait.400  root  /usr/local/samba/bin/swat  swat</pre></li></ol></div><p>And that's pretty much it for the installation. Before you can start up Samba, however, you need to create a configuration file for it.<a class="indexterm" name="ch02-idx-947442-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-13464"></a>A Basic Samba Configuration File</h2></div></div></div><p>The <a class="indexterm" name="ch02-idx-947692-0"></a>key to configuring Samba is its lone configuration file: <code class="filename">smb.conf</code>
-<a class="indexterm" name="ch02-idx-947693-0"></a>. This configuration file can be very simple or extremely complex, and the rest of this book is devoted to helping you get deeply personal with this file. For now, however, we'll show you how to set up a single file service, which will allow you to fire up the Samba daemons and see that everything is running as it should be. In later chapters, you will see how to configure Samba for more complicated and interesting tasks.</p><p>The installation process does not automatically create an <code class="filename">smb.conf</code> configuration file, although several example files are included in the Samba distribution. <a class="indexterm" name="ch02-idx-947541-0"></a>To test the server software, though, we'll use the following file. It should be named <code class="filename">smb.conf</code> and placed in the <span class="emphasis"><em>/usr/local/samba/lib</em></span> directory.<sup>[<a name="ch02-pgfId-943223" href="#ftn.ch02-pgfId-943223">5</a>]</sup></p><pre class="programlisting">[global]
-	workgroup = SIMPLE 
-[test] 
-	comment = For testing only, please
-	path = /export/samba/test
-	read only = no
-	guest ok = yes</pre><p>This brief configuration file tells the Samba server to offer the directory <code class="filename">/export/samba/test</code>
-<a class="indexterm" name="ch02-idx-947498-0"></a> on the server as an SMB/CIFS share called <a class="indexterm" name="ch02-idx-947499-0"></a><code class="literal">test</code>. The server also becomes part of the named workgroup SIMPLE, which each of the clients must also be a part of. (Use your own workgroup here if you already know what it is.) We'll use the <code class="literal">[test]</code> share in the next chapter to set up the Windows clients. For now, you can complete the setup by performing the following commands as root on your Unix server:</p><pre class="programlisting"># <strong class="userinput"><code>mkdir /export/samba/test</code></strong>
-# <strong class="userinput"><code>chmod 777 /export/samba/test</code></strong></pre><p>We should point out that in terms of system security, this is the worst setup possible. For the moment, however, we only wish to test Samba, so we'll leave security out of the picture. In addition, there are some encrypted password issues that we will encounter with Windows clients later on, so this setup will afford us the least amount of headaches.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you are using Windows 98 or Windows NT Service Pack 3 or above, you must add the following entry to the <code class="literal">[global]</code> section of the Samba configuration file: <code class="literal">encrypt passwords = yes</code>. In addition, you must use the <code class="filename">smbpassword</code> program (typically located in    <code class="filename">/usr/local/samba/bin/ </code>) to reenter the username/password combinations of those users on the Unix server who should be able to access shares into Samba's encrypted client database. For example, if you wanted to allow Unix user <code class="literal">steve</code> to access shares from an SMB client, you could type: <code class="literal">smbpassword -a steve</code>. The first time a user is added, the program will output an error saying that the encrypted password database does not exist. Don't worry, it will then create the database for you. Make sure that the username/password combinations that you add to the encrypted database match the usernames and passwords that you intend to use on the Windows client side.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-4.1"></a>Using SWAT</h3></div></div></div><p>
-<a class="indexterm" name="ch02-idx-947510-0"></a>With Samba 2.0, creating a configuration file is even easier than writing a configuration file by hand. You can use your browser to connect to <span class="emphasis"><em>http://localhost:901</em></span>, and log on as the root account, as shown in <a href="#ch02-60915" title="Figure 2.1. SWAT login">Figure 2.1</a>.</p><div class="figure"><a name="ch02-60915"></a><p class="title"><b>Figure 2.1. SWAT login</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 188px"><td><img src="figs/sam.0201.gif" height="188" alt="SWAT login"></td></tr></table></div></div></div><br class="figure-break"><p>After logging in, press the GLOBALS button at the top of the screen. You should see the Global Variables page shown in <a href="#ch02-49138" title="Figure 2.2. SWAT Global Variables page">Figure 2.2</a>.</p><div class="figure"><a name="ch02-49138"></a><p class="title"><b>Figure 2.2. SWAT Global Variables page</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 455px"><td><img src="figs/sam.0202.gif" width="502" alt="SWAT Global Variables page"></td></tr></table></div></div></div><br class="figure-break"><p>In this example, set the workgroup field to SIMPLE and the security field to USER. The only other option you need to change from the menu is one determining which system on the LAN resolves NetBIOS addresses; this system is called the <span class="emphasis"><em>WINS server</em></span>
-<a class="indexterm" name="ch02-idx-947528-0"></a>. At the very bottom of the page, set the wins support field to Yes, unless you already have a WINS server on your network. If you do, put the WINS server's IP address in the wins server field instead. Then return to the top and press the Commit Changes button to write the changes out to the <span class="emphasis"><em>smb.conf</em></span> file.</p><div class="figure"><a name="ch02-29175"></a><p class="title"><b>Figure 2.3. SWAT Share Creation screen</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 392px"><td><img src="figs/sam.0203.gif" width="502" alt="SWAT Share Creation screen"></td></tr></table></div></div></div><br class="figure-break"><p>Next, press the Shares icon. You should see a page similar to <a href="#ch02-29175" title="Figure 2.3. SWAT Share Creation screen">Figure 2.3</a>. Choose Test in the field beside the Choose Share button. You will see the Share Parameters screen, as shown in <a href="#ch02-37186" title="Figure 2.4. SWAT Share Parameters screen">Figure 2.4</a>. We added a comment to remind us that this is a test share in the <code class="filename">smb.conf</code> file. SWAT has copies of all that information here.</p><div class="figure"><a name="ch02-37186"></a><p class="title"><b>Figure 2.4. SWAT Share Parameters screen</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 407px"><td><img src="figs/sam.0204.gif" width="502" alt="SWAT Share Parameters screen"></td></tr></table></div></div></div><br class="figure-break"><p>If you press the View button, SWAT shows you the following <code class="filename">smb.conf</code> file:</p><pre class="programlisting"># Samba config file created using SWAT
-# from localhost (127.0.0.1)
-# Date: 1998/11/27 15:42:40
-
-# Global parameters
-        workgroup = SIMPLE
-[test]
-        comment = For testing only, please
-        path = /export/samba/test
-        read only = no
-        guest ok = yes</pre><p>Once this configuration file is completed, you can skip the next step because the output of SWAT is guaranteed to be syntactically correct.<a class="indexterm" name="ch02-idx-947704-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-4.2"></a>Testing the Configuration File</h3></div></div></div><p>
-<a class="indexterm" name="ch02-idx-947573-0"></a>
-<a class="indexterm" name="ch02-idx-947573-1"></a>If you didn't use SWAT to create your configuration file, you should probably test it to ensure that it is syntactically correct. It may seem silly to run a test program against an eight-line configuration file, but it's good practice for the real ones that we'll be writing later on.</p><p>The<a class="indexterm" name="ch02-idx-947577-0"></a> test parser, <code class="filename">testparm</code>
-<a class="indexterm" name="ch02-idx-947578-0"></a>, examines an <code class="filename">smb.conf</code> file for <a class="indexterm" name="ch02-idx-947583-0"></a>
-<a class="indexterm" name="ch02-idx-947583-1"></a>syntax errors and reports any it finds along with a list of the <a class="indexterm" name="ch02-idx-947579-0"></a>services enabled on your machine. An example follows; you'll notice that in our haste to get the server running we mistyped <code class="literal">workgroup</code> as <code class="literal">workgrp</code> (the output is often lengthy, so we recommend capturing the last parts with the <code class="literal">tee</code> command):</p><pre class="programlisting">Load smb config files from smb.conf
-Unknown parameter encountered: "workgrp"
-Ignoring unknown parameter "workgrp"
-Processing section "[test]"
-Loaded services file OK.
-Press enter to see a dump of your service definitions
-# Global parameters
-[global]
-        workgroup = WORKGROUP
-        netbios name = 
-        netbios aliases = 
-        server string = Samba 2.0.5a
-        interfaces = 
-        bind interfaces only = No
-
-<em class="lineannotation"><span class="lineannotation">...(content omitted)...</span></em>
-
-[test]
-        comment = For testing only, please               
-    path = /export/samba/test
-        read only = No
-        guest ok = Yes</pre><p>The interesting parts are at the top and bottom. The top of the output will flag any syntax errors that you may have made, and the bottom lists the services that the server thinks it should offer. A word of advice: make sure that you and the server have the same expectations.<a class="indexterm" name="ch02-idx-947566-0"></a></p><p>If everything looks good, then you are ready to fire up the server daemons!</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-29069"></a>Starting the Samba Daemons</h2></div></div></div><p>There <a class="indexterm" name="ch02-idx-947584-0"></a>
-<a class="indexterm" name="ch02-idx-947584-1"></a>are two Samba processes, <span class="emphasis"><em>smbd</em></span>
-<a class="indexterm" name="ch02-idx-947586-0"></a> and <span class="emphasis"><em>nmbd</em></span>
-<a class="indexterm" name="ch02-idx-947587-0"></a>, that need to be running for Samba to work correctly. There are three ways to start:</p><div class="itemizedlist"><ul type="disc"><li><p>By hand</p></li><li><p>As stand-alone daemons</p></li><li><p>From <span class="emphasis"><em>inetd</em></span></p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-5.1"></a>Starting the Daemons by Hand</h3></div></div></div><p>If you're in a hurry, you can start the Samba daemons by hand. As root, simply enter the following commands:</p><pre class="programlisting">#<strong class="userinput"><code> /usr/local/samba/bin/smbd -D</code></strong>
-#<strong class="userinput"><code> /usr/local/samba/bin/nmbd -D</code></strong></pre><p>At this point, Samba will be running on your system and will be ready to accept connections.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-5.2"></a>Stand-alone Daemons</h3></div></div></div><p>To run the Samba processes as <a class="indexterm" name="ch02-idx-947591-0"></a>
-<a class="indexterm" name="ch02-idx-947591-1"></a>stand-alone daemons, you need to add the commands listed in the previous section to your standard Unix startup scripts. This varies depending on whether you have a BSD-style <a class="indexterm" name="ch02-idx-947596-0"></a>Unix system or a System V Unix.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch02-SECT-5.2.1"></a>BSD Unix</h4></div></div></div><p>WIth a <a class="indexterm" name="ch02-idx-947597-0"></a>BSD-style Unix, you need to append the following code to the <code class="filename">rc.local </code>
-<a class="indexterm" name="ch02-idx-947598-0"></a>file, which is typically found in the <code class="filename">/etc</code>
-<a class="indexterm" name="ch02-idx-947599-0"></a>
-<a class="indexterm" name="ch02-idx-947599-1"></a> or <code class="filename">/etc/rc.d</code> directories:</p><pre class="programlisting">if [ -x /usr/local/samba/bin/smbd]; then
-	echo "Starting smbd..."
-	/usr/local/samba/bin/smbd -D
-	echo "Starting nmbd..."
-	/usr/local/samba/bin/nmbd -D
-fi</pre><p>This code is very simple; it checks to see if the <code class="filename">smbd</code>
-<a class="indexterm" name="ch02-idx-947600-0"></a> file has <a class="indexterm" name="ch02-idx-947601-0"></a>execute permissions on it, and if it does, it starts up each of the Samba daemons on system boot.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch02-SECT-5.2.2"></a>System V Unix</h4></div></div></div><p>With<a class="indexterm" name="ch02-idx-947602-0"></a> System V, things can get a little more complex. System V typically uses scripts to start and stop daemons on the system. Hence, you need to instruct Samba how to operate when it starts and when it stops. You can modify the contents of the <code class="filename">/etc/rc.local</code> directory and add something similar to the following program entitled <code class="filename">smb </code>:</p><pre class="programlisting">#!/bin/sh
-
-# Contains the "killproc" function on Red Hat Linux
-./etc/rc.d/init.d/functions
-
-PATH="/usr/local/samba/bin:$PATH"
-
-case $1 in 
-	'start')
-		echo "Starting smbd..."
-		smbd -D
-		echo "Starting nmbd..."
-		nmbd -D
-		;;
-	'stop')
-		echo "Stopping smbd and nmbd..."
-		killproc smbd
-		killproc nmbd
-		rm -f /usr/local/samba/var/locks/smbd.pid
-		rm -f /usr/local/samba/var/locks/nmbd.pid
-		;;
-	*)
-		echo "usage: smb {start|stop}"
-		;;
-esac</pre><p>With this script, you can start and stop the SMB service with the following commands:</p><pre class="programlisting"># /etc/rc.local/smb start
-Starting smbd...
-Starting nmbd...
-# /etc/rc.local/smb stop
-Stopping smbd and nmbd...</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch02-SECT-5.3"></a>Starting From Inetd</h3></div></div></div><p>The <span class="emphasis"><em>inetd</em></span>
-<a class="indexterm" name="ch02-idx-947588-0"></a> daemon is a Unix system's Internet "super daemon." It listens on TCP ports defined in <code class="filename">/etc/services</code>
-<a class="indexterm" name="ch02-idx-947610-0"></a> and executes the appropriate program for each port, which is defined in <code class="filename">/etc/inetd.conf</code>
-<a class="indexterm" name="ch02-idx-947618-0"></a>. The advantage of this scheme is that you can have a large number of daemons ready to answer queries, but they don't all have to be running. Instead, the <span class="emphasis"><em>inetd</em></span> daemon listens in places of all the others. The penalty is a small overhead cost of creating a new daemon process, and the fact that you need to edit two files rather than one to set things up. This is handy if you have only one or two users or your machine has too many daemons already. It's also easier to perform an upgrade without disturbing an existing connection.</p><p>If you wish to start from <code class="filename">inetd</code>, first open <code class="filename">/etc/services</code> in your text editor. If you don't already have them defined, add the following two lines:</p><pre class="programlisting">netbios-ssn     139/tcp
-netbios-ns      137/udp</pre><p>Next, edit <code class="filename">/etc/inetd.conf</code>. Look for the following two lines and add them if they don't exist. If you already have <code class="literal">smbd</code> and <code class="literal">nmbd</code> lines in the file, edit them to point at the new <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> you've installed. Your brand of Unix may use a slightly different syntax in this file; use the existing entries and the <code class="filename">inetd.conf </code><span><strong class="command"> </strong></span>manual page<span><strong class="command"> </strong></span>as a guide:</p><pre class="programlisting">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
-netbios-ns  dgram  udp wait   root /usr/local/samba/bin/nmbd nmbd</pre><p>Finally, kill any <span class="emphasis"><em>smbd</em></span>
-<a class="indexterm" name="ch02-idx-947623-0"></a> or <span class="emphasis"><em>nmbd</em></span>
-<a class="indexterm" name="ch02-idx-947634-0"></a>
-<a class="indexterm" name="ch02-idx-947634-1"></a> processes and send the <span class="emphasis"><em>inetd</em></span> process a <a class="indexterm" name="ch02-idx-947624-0"></a>
-<a class="indexterm" name="ch02-idx-947624-1"></a>hangup (HUP) signal. (The <span class="emphasis"><em>inetd</em></span> daemon rereads its configuration file on a HUP signal.) To do this, use the <code class="literal">ps</code> command to find its process ID, then signal it with the following command:</p><pre class="programlisting"># <strong class="userinput"><code>kill -HUP process_id</code></strong></pre><p>After that, Samba should be up and running.<a class="indexterm" name="ch02-idx-947585-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch02-67898"></a>Testing the Samba Daemons</h2></div></div></div><p>
-<a class="indexterm" name="ch02-idx-947635-0"></a>
-<a class="indexterm" name="ch02-idx-947635-1"></a>It's hard to believe, but we're nearly done with the Samba server setup. All that's left to do is to make sure that everything is working as we think it should. A convenient way to do this is to use the <code class="filename">smbclient</code>
-<a class="indexterm" name="ch02-idx-947636-0"></a> program to examine what the server is offering to the network. If everything is set up properly, you should be able to do the following:</p><pre class="programlisting"><strong class="userinput"><code># smbclient -U% -L localhost</code></strong>
-
-Added interface ip=192.168.220.100 bcast=192.168.220.255 nmask=255.255.255.0
-Domain=[SIMPLE] OS=[Unix] Server=[Samba 2.0.5a]
-
-        Sharename      Type      Comment
-        ---------      ----      -------
-        test           Disk      For testing only, please
-        IPC$           IPC       IPC Service (Samba 2.0.5a)
-
-        Server               	    Comment
-        ---------            	    -------
-        HYDRA                	    Samba 2.0.5a
-
-        Workgroup            	    Master
-        ---------            	    -------
-        SIMPLE               	    HYDRA</pre><p>If there is a problem, don't panic! Try to start the daemons manually, and check the system output or the <a class="indexterm" name="ch02-idx-947637-0"></a>debug files at <code class="filename">/usr/local/samba/var/log.smb</code>
-<a class="indexterm" name="ch02-idx-947638-0"></a> to see if you can determine what happened. If you think it may be a more serious problem, skip to <a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a>, for help on troubleshooting the Samba daemons.</p><p>If it worked, congratulations! You now have successfully set up the Samba server with a <a class="indexterm" name="ch02-idx-947664-0"></a>disk share. It's a simple one, but we can use it to set up and test the Windows 95 and NT clients in the next chapter. Then we will start making it more interesting by adding services such as home directories, printers, and security, and seeing how to integrate the server into a larger Windows domain.<a class="indexterm" name="ch02-idx-947297-0"></a></p></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-939741" href="#ch02-pgfId-939741">1</a>] </sup>If you haven't heard of Linux yet, then you're in for a treat. Linux is a freely distributed Unix-like operating system that runs on the Intel x86, Motorola PowerPC, and Sun Sparc platforms. The operating system is relatively easy to configure, extremely robust, and is gaining in popularity. You can get more information on the Linux operating system at <code class="systemitem">http://www.linux.org/</code>.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-943622" href="#ch02-pgfId-943622">2</a>] </sup>This is especially true with programs that use <span class="emphasis"><em>glibc-2.1</em></span> (which comes standard with Red Hat Linux 6). This library caused quite a consternation in the development community when it was released because it was incompatable with previous versions of <span class="emphasis"><em>g</em></span><code class="filename">libc</code>.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-939049" href="#ch02-pgfId-939049">3</a>] </sup><span class="emphasis"><em>gcc</em></span> binaries are available for almost every modern machine. See <code class="systemitem">http://www.gnu.org/</code> for a list of sites with <span class="emphasis"><em>gcc</em></span> and other GNU software.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-943655" href="#ch02-pgfId-943655">4</a>] </sup>By <span class="emphasis"><em>directory</em></span>, we don't mean a directory in a file system, but instead an indexed directory (such as a phone directory). Information is stored and can be easily retrieved in a public LDAP system.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch02-pgfId-943223" href="#ch02-pgfId-943223">5</a>] </sup>If you did not compile Samba, but instead downloaded a binary, check with the documentation for the package to find out where it expects the <code class="filename">smb.conf</code> file. If Samba came preinstalled with your Unix system, there is probably already an <code class="filename">smb.conf</code> file somewhere on your system.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-3"></a>Chapter 3. Configuring Windows Clients</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch03-55770">3.1. Setting Up Windows 95/98 Computers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-1.1">3.1.1. Accounts and Passwords</a></span></dt><dt><span class="sect2"><a href="#ch03-36280">3.1.2. Setting Up the Network</a></span></dt><dt><span class="sect2"><a href="#ch03-48802">3.1.3. Setting Your Name and Workgroup </a></span></dt><dt><span class="sect2"><a href="#ch03-13238">3.1.4. Accessing the Samba Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch03-23093">3.2. Setting Up Windows NT 4.0 Computers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-2.1">3.2.1. Basic Configuration</a></span></dt><dt><span class="sect2"><a href="#ch03-85837">3.2.2. Configuring TCP/IP</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-2.3">3.2.3. Connecting to the Samba Server</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch03-64069">3.3. An Introduction to SMB/CIFS</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch03-SECT-3.1">3.3.1. SMB Format</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.2">3.3.2. SMB Clients and Servers</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.3">3.3.3. A Simple SMB Connection</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.4">3.3.4. Negotiating the Protocol Variant</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.5">3.3.5. Set Session and Login Parameters</a></span></dt><dt><span class="sect2"><a href="#ch03-SECT-3.6">3.3.6. Making Connection to a Resource</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="ch03-idx-947918-0"></a>
-<a class="indexterm" name="ch03-idx-947918-1"></a>You'll be glad to know that configuring Windows to use your new Samba server is quite simple. SMB is Microsoft's native language for resource sharing on a local area network, so much of the installation and setup on the Windows client side has been taken care of already. The primary issues that we will cover in this chapter involve communication and coordination between Windows and Unix, two completely different operating systems.</p><p>Samba uses TCP/IP to talk to its clients on the network. If you aren't already using TCP/IP on your Windows computers, this chapter will show you how to install it. Then you'll need to configure your Windows machines to operate on a TCP/IP network. Once these two requirements have been taken care of, we can show how to access a shared disk on the Samba server.</p><p>This chapter is divided into three sections. The first section covers setting up Windows 95/98 computers while the second covers Windows NT 4.0 machines. The final section provides some prerequisite information on how SMB connections are made from Windows clients and servers, which is useful as we move into the later chapters of the book.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch03-55770"></a>Setting Up Windows 95/98 Computers</h2></div></div></div><p>
-<a class="indexterm" name="ch03-idx-947927-0"></a>
-<a class="indexterm" name="ch03-idx-947927-1"></a>Unfortunately, Windows 95/98 wasn't designed for a PC to have more than one user; that concept is more inherent to a Unix operating system or Windows NT. However, <a class="indexterm" name="ch03-idx-947953-0"></a>Windows 95/98 does have <span class="emphasis"><em>limited</em></span> support for multiple users: if you tell it, the operating system will keep a separate <a class="indexterm" name="ch03-idx-947955-0"></a>profile (desktop layout) and password file for each user. This is a far cry from true multiuser security. In other words, Windows 95/98 won't try to keep one user from destroying the work of another on the local hard drive like Unix, but profiles are a place to start.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-1.1"></a>Accounts and Passwords</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-947956-0"></a>
-<a class="indexterm" name="ch03-idx-947956-1"></a>
-<a class="indexterm" name="ch03-idx-947956-2"></a>The first thing we need to do is to tell Windows to keep user profiles separate, and to collect usernames and passwords to authenticate anyone trying to access a Samba share. We do so via the <a class="indexterm" name="ch03-idx-947957-0"></a>Password settings in the Control Panel. If you are not familiar with the Windows Control Panel, you can access it by choosing the Settings menu item from the pop-up menu of the Start button in the lower-left corner of the screen. Alternatively, you'll find it as a folder under the icon in the upper-left corner that represents your computer and is typically labeled <a class="indexterm" name="ch03-idx-947958-0"></a>My Computer.</p><p>After selecting the Passwords icon in the Control Panel, click on the User Profiles tab on the far right. You should see the dialog box shown in <a href="#ch03-84319" title="Figure 3.1. The Passwords Properties panel">Figure 3.1</a>. Then click the lower of the two radio buttons that starts "Users can customize their preferences...." This causes Windows to store a separate profile for each user, and saves the username and password you provide, which it will use later when it connects to an SMB/CIFS server. Finally, check <span class="emphasis"><em>both</em></span> the options under the User Profile Settings border, as shown in the figure.</p><div class="figure"><a name="ch03-84319"></a><p class="title"><b>Figure 3.1. The Passwords Properties panel</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 289px"><td><img src="figs/sam.0301.gif" height="289" alt="The Passwords Properties panel"></td></tr></table></div></div></div><br class="figure-break"><p>The next step is to select the Change Passwords tab on the left side of the dialog box. In order for Samba to allow you access to its shares, the username and password you give to Windows must match the account and password on the Samba server. If you don't have this tab in your dialog box, don't worry; it's probably because you haven't given yourself a Windows username and password yet. Simply click the OK button at the bottom and respond Yes when Windows asks to reboot. Then, skip down to <a href="#ch03-57581" title="Logging in for the first time">Section 3.1.1.2</a>.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.1.1"></a>Changing the Windows password</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-947966-0"></a>After selecting the Change Passwords tab, the dialog box in <a href="#ch03-26778" title="Figure 3.2. The Change Passwords tab">Figure 3.2</a> will appear.</p><div class="figure"><a name="ch03-26778"></a><p class="title"><b>Figure 3.2. The Change Passwords tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 306px"><td><img src="figs/sam.0302.gif" height="306" alt="The Change Passwords tab"></td></tr></table></div></div></div><br class="figure-break"><p>Select the Change Windows Password button. The <a class="indexterm" name="ch03-idx-947967-0"></a>Change Windows Password dialog box should appear, as shown in <a href="#ch03-97002" title="Figure 3.3. The Change Windows Password dialog box">Figure 3.3</a>. From here, you can change your password to match the password of the account on the Samba server through which you intend to log in.</p><div class="figure"><a name="ch03-97002"></a><p class="title"><b>Figure 3.3. The Change Windows Password dialog box</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 135px"><td><img src="figs/sam.0303.gif" height="135" alt="The Change Windows Password dialog box"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-57581"></a>Logging in for the first time</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-947969-0"></a>
-<a class="indexterm" name="ch03-idx-947969-1"></a>If you didn't have a Change Passwords tab in the Passwords Properties window, then after Windows has finished rebooting, it will ask you to log in with a username and a password. Give yourself the same username and password that you have on the Samba server. After confirming your new username and password, or if you already have one, Windows should ask you if you want to have a <a class="indexterm" name="ch03-idx-947970-0"></a>profile, using the dialog shown in <a href="#ch03-48947" title="Figure 3.4. Windows Networking profiles">Figure 3.4</a>. <a class="indexterm" name="ch03-idx-947961-0"></a>
-<a class="indexterm" name="ch03-idx-947961-1"></a>
-<a class="indexterm" name="ch03-idx-947961-2"></a></p><div class="figure"><a name="ch03-48947"></a><p class="title"><b>Figure 3.4. Windows Networking profiles</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 121px"><td><img src="figs/sam.0304.gif" height="121" alt="Windows Networking profiles"></td></tr></table></div></div></div><br class="figure-break"><p>Answer Yes, upon which Windows will create a separate profile and password file for you and save a copy of your password in the file. Now when you connect to Samba, Windows will send its password, which will be used to authenticate you for each share. We won't worry about profiles for the moment; we'll cover them in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>. We should point out, however, that there is a small security risk: someone can steal the <a class="indexterm" name="ch03-idx-947972-0"></a>password file and decrypt the passwords because it's weakly encrypted. Unfortunately, there isn't a solution to this with Windows 95/98. In Windows 2000 (NT 5.0), the password encryption should be replaced with a much better algorithm.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-36280"></a>Setting Up the Network</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-947983-0"></a>The next thing we need to do is make sure we have the <a class="indexterm" name="ch03-idx-947973-0"></a>TCP/IP networking protocol set up correctly. To do this, double-click on the <a class="indexterm" name="ch03-idx-947975-0"></a>Network icon in the Control Panel. You should see the network configuration dialog box, as shown in <a href="#ch03-15320" title="Figure 3.5. The Windows 95/98 Network panel">Figure 3.5</a>.</p><div class="figure"><a name="ch03-15320"></a><p class="title"><b>Figure 3.5. The Windows 95/98 Network panel</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 371px"><td><img src="figs/sam.0305.gif" width="502" alt="The Windows 95/98 Network panel"></td></tr></table></div></div></div><br class="figure-break"><p>Microsoft networking works by binding specific protocols, such as IPX or TCP/IP, to a specific hardware device, such as an <a class="indexterm" name="ch03-idx-947977-0"></a>Ethernet card or a <a class="indexterm" name="ch03-idx-948013-0"></a>dialup connection. By routing a <a class="indexterm" name="ch03-idx-947976-0"></a>protocol through a hardware device, the machine can act as a client or server for a particular type of network. For Samba, we are interested in binding the TCP/IP protocol through a networking device, making the machine a client for Microsoft networks. Thus, when the dialog box appears, you should see at least the Client for Microsoft Networks component installed on the machine, and hopefully a networking device (preferably an Ethernet card) bound to the TCP/IP protocol. If there is only one networking hardware device, you'll see the TCP/IP protocol listed below that device. If it appears similar to <a href="#ch03-15320" title="Figure 3.5. The Windows 95/98 Network panel">Figure 3.5</a>, the protocol is bound to the device.</p><p>You may also see <a class="indexterm" name="ch03-idx-947979-0"></a>"File and printer sharing for Microsoft Networks," which is useful. In addition, you might see <a class="indexterm" name="ch03-idx-947981-0"></a>NetBEUI or <a class="indexterm" name="ch03-idx-947982-0"></a>Novell Networking, which are standard with Windows installations but undesirable when TCP/IP is running. Remove NetBEUI if you possibly can&#8212;it's unnecessary and makes debugging Windows browsing difficult. If you don't have any Novell servers on your network, you can remove Novell (IPX/SPX) as well.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.1"></a>Adding TCP/IP</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-947991-0"></a>If you don't see TCP/IP listed at all, you'll need to install the protocol. If you already have TCP/IP, skip this section, and continue with <a href="#ch03-48802" title="Setting Your Name and Workgroup">Section 3.1.3</a>, later in this chapter.</p><p>Installing TCP/IP isn't difficult since Microsoft distributes its own version of TCP/IP for free on their installation CD-ROM. You can add the protocol by clicking on the Add button below the component window. Indicate that you wish to add a specific protocol by selecting Protocol and clicking Add... on the following dialog box, which should look similar to <a href="#ch03-24245" title="Figure 3.6. Selecting a protocol to install">Figure 3.6</a>.</p><div class="figure"><a name="ch03-24245"></a><p class="title"><b>Figure 3.6. Selecting a protocol to install</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 195px"><td><img src="figs/sam.0306.gif" height="195" alt="Selecting a protocol to install"></td></tr></table></div></div></div><br class="figure-break"><p>After that, select the protocol TCP/IP from manufacturer Microsoft, as shown in <a href="#ch03-50801" title="Figure 3.7. Selecting a protocol to install">Figure 3.7</a>, then click OK. After doing so, you will be returned to the network dialog. Click OK there to close the dialog box, upon which Windows will install the necessary components from disk and reboot the machine.</p><div class="figure"><a name="ch03-50801"></a><p class="title"><b>Figure 3.7. Selecting a protocol to install</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 296px"><td><img src="figs/sam.0307.gif" height="296" alt="Selecting a protocol to install"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.2"></a>Configuring TCP/IP</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948011-0"></a>If you have more than one networking device (for example, both an <a class="indexterm" name="ch03-idx-948014-0"></a>Ethernet card and a dialup networking <a class="indexterm" name="ch03-idx-948015-0"></a>modem), each appropriate hardware device should be "linked" to the TCP/IP protocol with an arrow, as shown in <a href="#ch03-61576" title="Figure 3.8. Selecting the correct TCP/IP protocol">Figure 3.8</a>. Select the TCP/IP protocol linked to the networking device that will be accessing the Samba network. When it is highlighted, click the<a class="indexterm" name="ch03-idx-948019-0"></a> Properties button.</p><div class="figure"><a name="ch03-61576"></a><p class="title"><b>Figure 3.8. Selecting the correct TCP/IP protocol</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 389px"><td><img src="figs/sam.0308.gif" width="502" alt="Selecting the correct TCP/IP protocol"></td></tr></table></div></div></div><br class="figure-break"><p>After doing so, the <a class="indexterm" name="ch03-idx-948028-0"></a>TCP/IP Properties panel for that device is displayed, as shown in <a href="#ch03-73526" title="Figure 3.9. STCP/IP Properties panel">Figure 3.9</a>.</p><div class="figure"><a name="ch03-73526"></a><p class="title"><b>Figure 3.9. STCP/IP Properties panel</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 303px"><td><img src="figs/sam.0309.gif" height="303" alt="STCP/IP Properties panel"></td></tr></table></div></div></div><br class="figure-break"><p>There are seven tabs near the top of this panel, and you will need to configure four of them:</p><div class="itemizedlist"><ul type="disc"><li><p>IP address</p></li><li><p>DNS configuration</p></li><li><p>WINS configuration</p></li><li><p>Bindings</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.3"></a>IP Address tab </h4></div></div></div><p>The <a class="indexterm" name="ch03-idx-948038-0"></a>
-<a class="indexterm" name="ch03-idx-948038-1"></a>IP Address tab is shown in <a href="#ch03-73526" title="Figure 3.9. STCP/IP Properties panel">Figure 3.9</a>. Press the "Specify an IP address" radio button and enter the client's address and subnet <a class="indexterm" name="ch03-idx-948214-0"></a>
-<a class="indexterm" name="ch03-idx-948214-1"></a>mask in the space provided. You or your network manager should have selected an address for the machine. The values should place the computer on the same subnet as the Samba server. For example, if the server's address is 192.168.236.86, and its network <a class="indexterm" name="ch03-idx-948217-0"></a>
-<a class="indexterm" name="ch03-idx-948217-1"></a>
-<a class="indexterm" name="ch03-idx-948217-2"></a>mask 255.255.255.0, you might use address 192.168.236.10 (if it is available) for the Windows 98 computer, along with the same netmask as the server. If you already use DHCP on your network to provide IP addresses to Windows machines, select the "Obtain an IP address automatically" button.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.4"></a>DNS Configuration tab</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948039-0"></a>Domain Name Service (<a class="indexterm" name="ch03-idx-948040-0"></a>
-<a class="indexterm" name="ch03-idx-948040-1"></a>DNS) is responsible for translating Internet computer names such as <span class="emphasis"><em>hobbes.example.com</em></span> into machine-readable IP addresses such as 192.168.236.10. There are two ways to accomplish this on a Windows 98 machine: you can specify a server to do the translation for you or you can keep a local list of name/address pairs to refer to.</p><p>Networks that are connected to the Internet typically use a server, since the hosts files required would otherwise be huge. For an unconnected LAN, the list of possible hosts is small and well-known and might be kept on a Unix machine in the <span class="emphasis"><em>/etc/hosts</em></span>
-<a class="indexterm" name="ch03-idx-948046-0"></a> file. If you are in doubt as to whether a DNS server is being used, or what its address might be, look at the file <span class="emphasis"><em>/etc/resolv.conf</em></span>
-<a class="indexterm" name="ch03-idx-948047-0"></a> on your Unix servers. Any machine using DNS will have this file, which looks like:</p><pre class="programlisting">#resolv.conf
-domain example.com
-nameserver 127.0.0.1
-nameserver 192.168.236.20</pre><p>In the example shown, the second <code class="literal">nameserver</code> line in the list contains the IP address of another machine on the local network: 192.168.236.20. It's a good candidate for a DNS server.<sup>[<a name="ch03-pgfId-942097" href="#ftn.ch03-pgfId-942097">1</a>]</sup></p><p>You must type the correct IP address of one or more DNS servers (note that you <span class="emphasis"><em>cannot</em></span> use its Internet name, such as <span class="emphasis"><em>dns.oreilly.com</em></span>) into the appropriate field in <a href="#ch03-86883" title="Figure 3.10. The DNS Configuration tab">Figure 3.10</a>. Be sure not to use 127.0.0.1&#8212;that will never be the correct DNS server address!</p><p>Try to select addresses on your own network. Any name servers listed in <span class="emphasis"><em>/etc/resolv.conf</em></span> should work, but you'll get better performance by using a server nearby. (If you don't find <span class="emphasis"><em>/etc/resolv.conf</em></span> files on your Unix machines, just disable DNS until you can find the address of at least one DNS server.) Let's assume you only have one DNS server, and its address is 192.168.236.20. Click the Enable DNS radio button, as shown in <a href="#ch03-86883" title="Figure 3.10. The DNS Configuration tab">Figure 3.10</a>, and add the server's address to the top DNS Server Search Order field.</p><div class="figure"><a name="ch03-86883"></a><p class="title"><b>Figure 3.10. The DNS Configuration tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 360px"><td><img src="figs/sam.0310.gif" width="502" alt="The DNS Configuration tab"></td></tr></table></div></div></div><br class="figure-break"><p>Also, provide the name of the Windows 95/98 machine and the Internet domain you're in. You can safely ignore the Domain Suffix Search Order field for anything related to Samba.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.5"></a>WINS Configuration tab</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948063-0"></a>WINS is the <a class="indexterm" name="ch03-idx-948065-0"></a>
-<a class="indexterm" name="ch03-idx-948065-1"></a>Windows Internet Name Service, its version of a <a class="indexterm" name="ch03-idx-948066-0"></a>NetBIOS name server. If you've enabled WINS on Samba, you must tell Windows the Samba server's address. If you are using WINS servers that are entirely Windows NT, enter each of them here as well. The dialog box shown after selecting the WINS Configuration tab is shown in <a href="#ch03-95608" title="Figure 3.11. The WINS Configuration tab">Figure 3.11</a>.</p><div class="figure"><a name="ch03-95608"></a><p class="title"><b>Figure 3.11. The WINS Configuration tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 389px"><td><img src="figs/sam.0311.gif" width="502" alt="The WINS Configuration tab"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Do <span class="emphasis"><em>not</em></span> mix a Samba WINS server and a Windows NT server as a primary/backup combination in the WINS dialog. Because the two cannot replicate their databases, this will cause name resolution to perform incorrectly.</p></div><p>From here, select Enable WINS Resolution and enter the <a class="indexterm" name="ch03-idx-948058-0"></a>WINS server's address in the space provided, then press Add. Do not enter anything in the Scope ID field.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.6"></a>Hosts files</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948067-0"></a>If you do not have either DNS or WINS, and you don't wish to use <a class="indexterm" name="ch03-idx-948070-0"></a>broadcast resolution, you'll need to provide a table of IP addresses and hostnames, in the standard Unix <code class="filename">/etc/hosts</code> format. On a Windows machine, this goes in <a class="indexterm" name="ch03-idx-948075-0"></a>\WINDOWS\HOSTS under whichever drive you installed Windows on (typically C:\). A sample host file follows:</p><pre class="programlisting"># 127.0.0.1             localhost
-192.168.236.1       escrime.example.com 	escrime
-192.168.236.2      riposte.example.com 	riposte
-192.168.236.3       wizzin.example.com 	wizzin
-192.168.236.4       touche.example.com 	touche
-192.168.236.10     hobbes.example.com 	hobbes</pre><p>You can copy this file directly from any of your Unix machines' <span class="emphasis"><em>/etc/hosts</em></span> <a class="indexterm" name="ch03-idx-948074-0"></a>; the format is identical. However, <span class="emphasis"><em>you should only use hosts files in Windows as a last resort for name resolution</em></span>
-<a class="indexterm" name="ch03-idx-948069-0"></a>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-1.2.7"></a>Check the bindings</h4></div></div></div><p>The final tab to look at is <a class="indexterm" name="ch03-idx-948076-0"></a>Bindings, as shown in <a href="#ch03-42906" title="Figure 3.12. The Bindings tab">Figure 3.12</a>.</p><div class="figure"><a name="ch03-42906"></a><p class="title"><b>Figure 3.12. The Bindings tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 249px"><td><img src="figs/sam.0312.gif" height="249" alt="The Bindings tab"></td></tr></table></div></div></div><br class="figure-break"><p>You should have a check beside Client for Microsoft Networks, indicating that it's using TCP/IP. If you have <a class="indexterm" name="ch03-idx-948077-0"></a>"File and printer sharing for Microsoft Networks" in the dialog, it should also be checked, as shown in the figure.<a class="indexterm" name="ch03-idx-947986-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-48802"></a>Setting Your Name and Workgroup </h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948082-0"></a>
-<a class="indexterm" name="ch03-idx-948082-1"></a>Finally, press the OK button in the TCP/IP configuration panel, and you'll be taken back to the Network Configuration screen. Then select the <a class="indexterm" name="ch03-idx-948078-0"></a>Identification tab, which will take you to the dialog box shown in <a href="#ch03-42408" title="Figure 3.13. The Identification tab">Figure 3.13</a>.</p><div class="figure"><a name="ch03-42408"></a><p class="title"><b>Figure 3.13. The Identification tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 285px"><td><img src="figs/sam.0313.gif" height="285" alt="The Identification tab"></td></tr></table></div></div></div><br class="figure-break"><p>Here, for the second time, set your machine's name. This time, instead of your DNS hostname and domain, you're setting your <a class="indexterm" name="ch03-idx-948084-0"></a>NetBIOS name. However, it is best to make this the <span class="emphasis"><em>same</em></span> as your hostname. Try not to make a <a class="indexterm" name="ch03-idx-948085-0"></a>spelling mistake: it can be very confusing to configure a machine if TCP thinks it's <code class="literal">fred</code> and SMB thinks its <code class="literal">ferd</code> !</p><p>You also set your workgroup name here. In our case, it's SIMPLE, but if you used a different one in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>, when creating the Samba configuration file, use that here as well. Try to avoid calling it WORKGROUP or you'll be in the same workgroup as every unconfigured (or ill-configured) machine in the world.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-13238"></a>Accessing the Samba Server</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948086-0"></a>
-<a class="indexterm" name="ch03-idx-948086-1"></a>Click on the OK button to complete the configuration; you will need to reboot in order for your changes to take effect.</p><p>Now for the big moment. Your Samba server is running, and you have set up your Windows 95/98 client to communicate with it. After rebooting, log in and double-click the <a class="indexterm" name="ch03-idx-948087-0"></a>Network Neighborhood icon on the desktop. You should see your Samba server listed as a member of the workgroup, as shown in <a href="#ch03-88553" title="Figure 3.14. Windows Network Neighborhood">Figure 3.14</a>.</p><div class="figure"><a name="ch03-88553"></a><p class="title"><b>Figure 3.14. Windows Network Neighborhood</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 139px"><td><img src="figs/sam.0314.gif" height="139" alt="Windows Network Neighborhood"></td></tr></table></div></div></div><br class="figure-break"><p>Double-clicking the server name will show the resources that the server is offering to the network, as shown in <a href="#ch03-17463" title="Figure 3.15. Shares on Server">Figure 3.15</a> (in this case a printer and the <span class="emphasis"><em>test</em></span> directory).</p><div class="figure"><a name="ch03-17463"></a><p class="title"><b>Figure 3.15. Shares on Server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 152px"><td><img src="figs/sam.0315.gif" height="152" alt="Shares on Server"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If you are presented with a dialog requesting the password for a user <code class="literal">IPC$</code>, then Samba did not accept the password that was sent from the client. In this case, the username and the password that were created on the client side <span class="emphasis"><em>must</em></span> match the username/password combination on the Samba server. If you are using Windows 98 or Windows NT Service Pack 3 or above, this is probably because the client is sending encrypted passwords instead of plaintext passwords. You can remedy this situation by performing two steps on the Samba server. First, add the following entry to the <code class="literal">[global]</code> section of your Samba configuration file: <code class="literal">encrypt password=yes</code>. Second, find the <code class="filename">smbpasswd</code> program on the samba server (it is located in <code class="filename">/usr/local/samba/bin</code> by default) and use it to add an entry to Samba's encrypted password database. For example, to add user <code class="literal">steve</code> to Samba's encrypted password database, type <em class="replaceable"><code>smbpasswd  -a steve</code></em>. The first time you enter this password, the program will output an error message indicating that the password database does not exist; it will then create the database, which is typically stored in <code class="filename">/usr/local/samba/private/smbpasswd</code>.</p></div><p>If you don't see the server listed, start Windows Explorer (not Internet Explorer!) and select <a class="indexterm" name="ch03-idx-948088-0"></a>Map Network Drive from the Tools menu. This will give you a dialog box into which you can type the name of your server and the share <code class="literal">test </code>in the <a class="indexterm" name="ch03-idx-948089-0"></a>Windows UNC format: <code class="filename">\\</code><em class="replaceable"><code>server</code></em><code class="filename">\test</code>, like we did in the first chapter. This should attempt to contact the Samba server and its temporary share. If things still aren't right, go to <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>, for troubleshooting assistance.<a class="indexterm" name="ch03-idx-947933-0"></a>
-<a class="indexterm" name="ch03-idx-947933-1"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch03-23093"></a>Setting Up Windows NT 4.0 Computers</h2></div></div></div><p>
-<a class="indexterm" name="ch03-idx-947940-0"></a>
-<a class="indexterm" name="ch03-idx-947940-1"></a>Configuring Windows NT is a little different than configuring Windows 95/98. In order to use Samba with Windows NT, you will need both the Workstation service and the TCP/IP protocol. Both come standard with NT, but we'll work through installing and configuring them because they may not be configured correctly.</p><p>There are six basic steps:</p><div class="orderedlist"><ol type="1"><li><p>Assign the machine a name.</p></li><li><p>Install the Workstation service.</p></li><li><p>Install the TCP/IP protocol.</p></li><li><p>Set the machine's name and IP address.</p></li><li><p>Configure the DNS and WINS name services.</p></li><li><p>Bind the protocol and service together.</p></li></ol></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-2.1"></a>Basic Configuration</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948108-0"></a>This section presents an outline of the steps to follow for getting Windows NT to cooperate with Samba. If you need more details on Windows NT network administration, refer to Craig Hunt and Robert Bruce Thompsom's <em class="citetitle">Windows NT TCP/IP Network Administration </em>(O'Reilly), an excellent guide. You should perform these steps as the "Administrator" user.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.1.1"></a>Name the machine</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948120-0"></a>
-<a class="indexterm" name="ch03-idx-948120-1"></a>The first thing you need to do is to give the machine a <a class="indexterm" name="ch03-idx-948122-0"></a>NetBIOS name. From the Control Panel, double click on the <a class="indexterm" name="ch03-idx-948123-0"></a>Network icon. This will take you to the <a class="indexterm" name="ch03-idx-948124-0"></a>Network dialog box for the machine. The first tab in this dialog box should be the Identification tab, as illustrated in <a href="#ch03-82592" title="Figure 3.16. Network panel Identification tab">Figure 3.16</a>.</p><div class="figure"><a name="ch03-82592"></a><p class="title"><b>Figure 3.16. Network panel Identification tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 260px"><td><img src="figs/sam.0316.gif" height="260" alt="Network panel Identification tab"></td></tr></table></div></div></div><br class="figure-break"><p>Here, you need to identify your machine with a name (we use the name Artish here) and change the default workgroup to the one you specified in the <span class="emphasis"><em>smb.conf</em></span>
-<a class="indexterm" name="ch03-idx-948125-0"></a> file of your Samba server. In this case, the workgroup name is SIMPLE. However, you cannot edit either name here (as you could in Windows 95/98), but instead must use the Change button below the two text fields. Pressing this button raises an <a class="indexterm" name="ch03-idx-948126-0"></a>Identification Changes dialog box, where you can reset the workgroup and the machine name, as shown in <a href="#ch03-67735" title="Figure 3.17. Changing the identification">Figure 3.17</a>.</p><div class="figure"><a name="ch03-67735"></a><p class="title"><b>Figure 3.17. Changing the identification</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 360px"><td><img src="figs/sam.0317.gif" width="502" alt="Changing the identification"></td></tr></table></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="ch03-idx-948129-0"></a>A word of warning: you will have to set the machine name again later while configuring TCP/IP, so be sure that the two names match. The name you set here is the NetBIOS name. You're allowed to make it different from the TCP/IP hostname, but doing so is usually not a good thing. Don't worry that Windows NT forces the computer name and the workgroup to be all capital letters; it's smart enough to figure out what you mean when it connects to the network.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.1.2"></a>Installing the TCP/IP protocol</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948143-0"></a>
-<a class="indexterm" name="ch03-idx-948143-1"></a>Next, select the <a class="indexterm" name="ch03-idx-948150-0"></a>Protocols tab in the Network dialog box, and look to see if you have the TCP/IP protocol installed, as shown in <a href="#ch03-66055" title="Figure 3.18. The Protocols tab">Figure 3.18</a>.</p><div class="figure"><a name="ch03-66055"></a><p class="title"><b>Figure 3.18. The Protocols tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 257px"><td><img src="figs/sam.0318.gif" height="257" alt="The Protocols tab"></td></tr></table></div></div></div><br class="figure-break"><p>If the protocol is not installed, you need to add it. Press the Add button, which will display the <a class="indexterm" name="ch03-idx-948148-0"></a>Select Network Protocol dialog box shown in <a href="#ch03-22321" title="Figure 3.19. Select Network Protocol dialog box">Figure 3.19</a>. Unlike Windows 95/98, you should immediately see the TCP/IP protocol as one of the last protocols listed.</p><div class="figure"><a name="ch03-22321"></a><p class="title"><b>Figure 3.19. Select Network Protocol dialog box</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 285px"><td><img src="figs/sam.0319.gif" height="285" alt="Select Network Protocol dialog box"></td></tr></table></div></div></div><br class="figure-break"><p>Select TCP/IP<span class="emphasis"><em></em></span> as the protocol and confirm it. If possible, install only the TCP/IP protocol. You usually do not want <a class="indexterm" name="ch03-idx-948149-0"></a>NetBEUI installed because this causes the machine to look for services under two different protocols, only one of which is likely in use.<sup>[<a name="ch03-pgfId-943371" href="#ftn.ch03-pgfId-943371">2</a>]</sup></p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.1.3"></a>Installing the Workstation service</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948151-0"></a>
-<a class="indexterm" name="ch03-idx-948151-1"></a>
-<a class="indexterm" name="ch03-idx-948151-2"></a>After installing TCP/IP, press the <a class="indexterm" name="ch03-idx-948152-0"></a>Services tab in the Network panel and check that you have a Workstation service, as shown at the end of the list in <a href="#ch03-97222" title="Figure 3.20. Network Services panel dialog box">Figure 3.20</a>.</p><div class="figure"><a name="ch03-97222"></a><p class="title"><b>Figure 3.20. Network Services panel dialog box</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 289px"><td><img src="figs/sam.0320.gif" height="289" alt="Network Services panel dialog box"></td></tr></table></div></div></div><br class="figure-break"><p>This service is actually the <a class="indexterm" name="ch03-idx-948153-0"></a>Microsoft Networking Client, which allows the machine to access SMB services. The Workstation service is mandatory. The service is installed by default on both <a class="indexterm" name="ch03-idx-948154-0"></a>
-<a class="indexterm" name="ch03-idx-948155-0"></a>Windows NT Workstation 4.0 and <a class="indexterm" name="ch03-idx-948159-0"></a>
-<a class="indexterm" name="ch03-idx-948159-1"></a>Server 4.0. If it's not there, you can install it much like TCP/IP. In this case you need to press the Add button and then select Workstation Service, as shown in <a href="#ch03-40000" title="Figure 3.21. Select Network Service dialog box">Figure 3.21</a>.</p><div class="figure"><a name="ch03-40000"></a><p class="title"><b>Figure 3.21. Select Network Service dialog box </b></p><div class="figure-contents"><a class="indexterm" name="ch03-idx-948115-0"></a><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 285px"><td><img src="figs/sam.0321.gif" height="285" alt="Select Network Service dialog box"></td></tr></table></div></div></div><br class="figure-break"></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-85837"></a>Configuring TCP/IP</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948163-0"></a>
-<a class="indexterm" name="ch03-idx-948163-1"></a>After you've installed the Workstation service, return to the <a class="indexterm" name="ch03-idx-948172-0"></a>Protocols tab and select the TCP/IP Protocol entry in the window. Then click the Properties button below the window. The Microsoft TCP/IP Protocol panel will be displayed. There are five tabs on the Windows NT panel, and (like Windows 95/98) you will need to work on three of them:</p><div class="itemizedlist"><ul type="disc"><li><p>IP address</p></li><li><p>DNS</p></li><li><p>WINS address</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.1"></a>IP Address tab</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948191-0"></a>The IP Address tab is shown in <a href="#ch03-97098" title="Figure 3.22. Microsoft TCP/IP Properties for Windows NT">Figure 3.22</a>.</p><div class="figure"><a name="ch03-97098"></a><p class="title"><b>Figure 3.22. Microsoft TCP/IP Properties for Windows NT</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 380px"><td><img src="figs/sam.0322.gif" width="502" alt="Microsoft TCP/IP Properties for Windows NT"></td></tr></table></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="ch03-idx-948212-0"></a>
-<a class="indexterm" name="ch03-idx-948212-1"></a>Select the "Specify an IP address" radio button and enter the computer's address and <a class="indexterm" name="ch03-idx-948231-0"></a>
-<a class="indexterm" name="ch03-idx-948231-1"></a>subnet mask in the space provided for the proper adapter (Ethernet card). You or your network manager should have selected an address for the client on the same subnet (LAN) as the Samba server. For example, if the server's address is 192.168.236.86 and its network mask 255.255.255.0, you might use the address 192.168.236.10, if it is available, for the NT workstation, along with the same <a class="indexterm" name="ch03-idx-948235-0"></a>netmask. If you use <a class="indexterm" name="ch03-idx-948242-0"></a>DHCP on your network, select the "Obtain an IP Address from a DHCP server" button.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you don't have an IP address to use, and you are on a network by yourself, steal ours, as the 192.168.<span class="emphasis"><em>x.x</em></span> subnet is specifically reserved by the Internic for LANs. If you're not by yourself, see your system administrator for some available addresses on your network.</p></div><p>The<a class="indexterm" name="ch03-idx-948244-0"></a> gateway field refers to a machine typically known as a <span class="emphasis"><em>router</em></span>
-<a class="indexterm" name="ch03-idx-948243-0"></a>. If you have routers connecting multiple networks, you should put in the IP address of the one on your subnet.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.2"></a>DNS tab</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948199-0"></a>Next we go to the tab for DNS, as shown in <a href="#ch03-61878" title="Figure 3.23. The DNS panel">Figure 3.23</a>. This brings up the DNS panel.</p><div class="figure"><a name="ch03-61878"></a><p class="title"><b>Figure 3.23. The DNS panel</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 407px"><td><img src="figs/sam.0323.gif" width="502" alt="The DNS panel"></td></tr></table></div></div></div><br class="figure-break"><p>The <a class="indexterm" name="ch03-idx-948248-0"></a>
-<a class="indexterm" name="ch03-idx-948248-1"></a>Domain Name System (DNS) is responsible for translating human-readable computer names such as <span class="emphasis"><em>atrish.example.com</em></span> into IP addresses such as 192.168.236.10. There are two ways to accomplish this on a NT machine. First, you can specify a DNS server to do the translation for you, or you can keep a local list of name/address pairs for your workstation to refer to.</p><p>For a LAN that's not on the Internet, the list of possible hosts is typically small and well known, and may be kept in a file locally. Networks that are connected to the Internet typically use DNS service since it isn't possible to guess ahead of time what addresses you might be accessing out on the net. If you are in doubt as to whether a DNS server is being used, or what its address might be, look at the file <span class="emphasis"><em>/etc/resolv.conf</em></span> on your Samba server: any machine using DNS will have this file. It looks like the following:</p><pre class="programlisting">#resolv.conf 
-domain example.com 
-nameserver 127.0.0.1 
-nameserver 192.168.236.20</pre><p>In this example, the first nameserver in the list is 127.0.0.1, which indicates that the Samba server is also a DNS server for this LAN.<sup>[<a name="ch03-pgfId-946587" href="#ftn.ch03-pgfId-946587">3</a>]</sup> In that case, you would use its network IP address (not 127.0.0.1, its localhost address) when filling in the DNS Configuration dialog box. Otherwise, use the other addresses you find in the lines beginning with <code class="literal">nameserver</code>. Try to select ones on your own network. Any name servers listed in <span class="emphasis"><em>/etc/resolv.conf</em></span> should work, but you'll get better performance by using a server nearby.</p><p>Finally, enter the machine name once more, making sure that it's the same one listed in the Identification tab of the Network dialog box (before the NetBIOS name). Also, enter the DNS domain on which this machine resides. For example, if your workstation has a domain name such as <span class="emphasis"><em>example.com</em></span>, enter it here. You can safely ignore the other options.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.3"></a>WINS Address tab</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948207-0"></a>
-<a class="indexterm" name="ch03-idx-948207-1"></a>
-<a class="indexterm" name="ch03-idx-948207-2"></a>If you are not using a DNS server, you still need a way of translating NetBIOS names to addresses and back again. We recommend that you configure both DNS and WINS; <a class="indexterm" name="ch03-idx-948268-0"></a>NT has a preference for WINS and WINS can use DNS as a fallback if  it cannot resolve any machine address. The WINS Address tab is shown in <a href="#ch03-20855" title="Figure 3.24. The WINS Address tab">Figure 3.24</a>.</p><div class="figure"><a name="ch03-20855"></a><p class="title"><b>Figure 3.24. The WINS Address tab</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 342px"><td><img src="figs/sam.0324.gif" width="502" alt="The WINS Address tab"></td></tr></table></div></div></div><br class="figure-break"><p>If you have a WINS server, enter its address in the space marked Primary WINS Server. If your Samba server is providing WINS service (in other words, you have the line <code class="literal">wins</code> <code class="literal">service</code> <code class="literal">=</code> <code class="literal">yes</code> in the <span class="emphasis"><em>smb.conf</em></span> file of your Samba server), provide the Samba server's IP address here. Otherwise, provide the address of another WINS server on your network.</p><p>You probably noticed that there is a field here for the adaptor; this field must specify the <a class="indexterm" name="ch03-idx-948269-0"></a>Ethernet adaptor that you're running TCP/IP on so that WINS will provide name service on the correct network. If you have both a LAN and a dialup adaptor, make sure you have the LAN's adaptor here.</p><p>Finally, select the "Enable DNS for Windows Resolution" checkbox, so WINS will try <a class="indexterm" name="ch03-idx-948270-0"></a>DNS as a fallback if it can't find a name. You can safely ignore the other options.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.4"></a>Hosts files</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948271-0"></a>If you don't have either DNS or WINS, and you don't wish to use broadcast name resolution, you'll need to provide a table of IP addresses and hosts names, in standard Unix <code class="filename">/etc/hosts</code> format. We recommend against this because maintenance of this file on any dynamic network is troublesome, but we will explain it just the same. The Windows host file should appear in the <span class="emphasis"><em>\WINDOWS\HOSTS</em></span>
-<a class="indexterm" name="ch03-idx-948273-0"></a> directory of whatever local drive Windows is installed on. A sample follows:</p><pre class="programlisting">127.0.0.1       localhost
-192.168.236.1    escrime    escrime.example.com 
-192.168.236.2    riposte    riposte.example.com 
-192.168.236.3    wizzin     wizzin.example.com 
-192.168.236.4    touche     touche.example.com 
-192.168.236.5    gurgi      gurgi.example.com 
-192.168.236.6    jessiac    jessiac.example.com 
-192.168.236.7    skyline    skyline.example.com</pre><p>If you wish, you can copy the contents directly from the Samba server's<code class="filename"> /etc/hosts</code>. The format is identical. This file will then serve the same purpose as the hosts file on the Unix server. Again, <span class="emphasis"><em>hosts</em></span> files on Windows should only be used as a last resort.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-2.2.5"></a>Bindings</h4></div></div></div><p>The term <em class="firstterm">bindings</em>
-<a class="indexterm" name="ch03-idx-948274-0"></a>
-<a class="indexterm" name="ch03-idx-948274-1"></a> is a way of saying "connected together at configuration time." It means that the TCP/IP protocol will channel through the Ethernet card (instead of, say, a dialup connection), and is actually connected properly. If you return to the Network dialog box and set the Show field to "all services" and click on all the + buttons in the tree, you should see a display similar to <a href="#ch03-83060" title="Figure 3.25. Service bindings">Figure 3.25</a>.</p><div class="figure"><a name="ch03-83060"></a><p class="title"><b>Figure 3.25. Service bindings</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 332px"><td><img src="figs/sam.0325.gif" height="332" alt="Service bindings"></td></tr></table></div></div></div><br class="figure-break"><p>This means that the Workstation, Server, and NetBIOS interface services are connected to the WINS client. This is the correct binding for Microsoft TCP/IP.<a class="indexterm" name="ch03-idx-948166-0"></a>
-<a class="indexterm" name="ch03-idx-948166-1"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-2.3"></a>Connecting to the Samba Server</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948286-0"></a>You can safely leave the default values for the remainder of the tabs in the Network dialog box. Click on the OK button to complete the configuration. Once the proper files are loaded (if any), you will need to reboot in order for your changes to take effect.</p><p>Now for the big moment. Your Samba server is running and you have set up your NT client to communicate with it. After the machine reboots, login and double-click the <a class="indexterm" name="ch03-idx-948283-0"></a>
-<a class="indexterm" name="ch03-idx-948283-1"></a>Network Neighborhood icon on the desktop, and you should see your Samba server listed as a member of the workgroup, as shown in <a href="#ch03-50785" title="Figure 3.26. Windows NT Network Neighborhood">Figure 3.26</a>.</p><div class="figure"><a name="ch03-50785"></a><p class="title"><b>Figure 3.26. Windows NT Network Neighborhood</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 163px"><td><img src="figs/sam.0326.gif" height="163" alt="Windows NT Network Neighborhood"></td></tr></table></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="ch03-idx-949153-0"></a>Double-clicking the server name will show the resources that the server is offering to the network, as shown in <a href="#ch03-89532" title="Figure 3.27. Server's shares">Figure 3.27</a>. In this case, the test and the default printer are offered to the Window NT workstation. For more information, see the warning under <a href="#ch03-13238" title="Accessing the Samba Server">Section 3.1.4</a> earlier in this chapter.</p><div class="figure"><a name="ch03-89532"></a><p class="title"><b>Figure 3.27. Server's shares</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 152px"><td><img src="figs/sam.0327.gif" height="152" alt="Server's shares"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If you are presented with a dialog requesting the password for a user <code class="literal">IPC$</code>, then Samba did not accept the password that was sent from the client. In this case, the username and the password that were created on the client side <span class="emphasis"><em>must</em></span> match the username/password combination on the Samba server. If you are using Windows 98 or Windows NT Service Pack 3 or above, this is probably because the client is sending encrypted passwords instead of plaintext passwords. You can remedy this situation by performing two steps on the Samba server. First, add the following entry to the <code class="literal">[global]</code> section of your Samba configuration file: <code class="literal">encrypt password=yes</code>. Second, find the <code class="filename">smbpasswd</code> program on the samba server (it is located in <code class="filename">/usr/local/samba/bin</code> by default) and use it to add an entry to Samba's encrypted password database. For example, to add user <code class="literal">steve</code> to Samba's encrypted password database, type <em class="replaceable"><code>smbpasswd  -a steve</code></em>. The first time you enter this password, the program will output an error message indicating that the password database does not exist; it will then create the database, which is typically stored in <code class="filename">/usr/local/samba/private/smbpasswd</code>.</p></div><p>If you don't see the server listed, don't panic. Start the Windows NT Explorer (not Internet Explorer!) and select Map Network Drive from the Tools menu. A dialog box appears that allows you to type the name of your server and its share directory in Windows format. For example, you would enter <code class="filename">\\</code><em class="replaceable"><code>server</code></em><code class="filename">\temp</code> if your server happened to be named "server." If things still aren't right, go directly to <a href="#ch09-29538" title="The Fault Tree">Section 9.2</a> in <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>, to see if you can troubleshoot what is wrong with the network.</p><p>If it works, congratulations! Try writing to the server and sending data to the network printer. You will be pleasantly surprised how seamlessly everything works! Now that you've finished setting up the Samba server and its clients, we can starting talking about how Samba works and how to configure it to your liking. <a class="indexterm" name="ch03-idx-947946-0"></a>
-<a class="indexterm" name="ch03-idx-947946-1"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch03-64069"></a>An Introduction to SMB/CIFS</h2></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948288-0"></a>We'll wrap up this chapter with a short tutorial on SMB/CIFS. SMB/CIFS is the protocol that Windows 95/98 and NT machines use to communicate with the Samba server and each other. At a high level, the SMB protocol suite is relatively simple. It includes commands for all of the file and print operations that you might do on a local disk or printer, such as:</p><div class="itemizedlist"><ul type="disc"><li><p> Opening and closing a file</p></li><li><p> Creating and deleting files and directories</p></li><li><p> Reading and writing a file</p></li><li><p> Searching for files</p></li><li><p> Queueing and dequeueing files to a print spool</p></li></ul></div><p>Each of these operations can be encoded into an SMB message and transmitted to and from a server. The original name SMB comes from their data format: these are versions of the standard DOS system-call data structures, or <em class="firstterm">Server Message Blocks</em>, redesigned for transmitting to another machine across a network.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.1"></a>SMB Format</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948317-0"></a>Richard <a class="indexterm" name="ch03-idx-948318-0"></a>Sharpe of the Samba team defines SMB as a "request-response" protocol.<sup>[<a name="ch03-pgfId-942928" href="#ftn.ch03-pgfId-942928">4</a>]</sup> In effect, this means that a client sends an SMB request to a server, and the server sends an <a class="indexterm" name="ch03-idx-948320-0"></a>
-<a class="indexterm" name="ch03-idx-948320-1"></a>SMB response back to the client. Rarely does a server send a message that is not in response to a client.</p><p>An SMB message is not as complex as you might think. Let's take a closer look at the internal structure of such a message. It can be broken down into two parts: the <em class="firstterm">header</em>
-<a class="indexterm" name="ch03-idx-948321-0"></a>, which is a fixed size, and the <em class="firstterm">command string</em>, whose size can vary dramatically based on the contents of the message.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-3.1.1"></a>SMB header format</h4></div></div></div><p><a href="#ch03-31015" title="Table 3.1. SMB Header Fields">Table 3.1</a> shows the format of an SMB header. SMB commands are not required to use all the fields in the SMB header. For example, when a client first attempts to connect to a server, it does not yet have a <a class="indexterm" name="ch03-idx-948332-0"></a>
-<a class="indexterm" name="ch03-idx-948332-1"></a>tree identifier (TID) value&#8212;one is assigned after it successfully connects&#8212;so a <a class="indexterm" name="ch03-idx-948333-0"></a>null TID (0xFFFF) is placed in its header field. Other fields may be padded with zeros when not used.</p><p>The fields of the SMB header are listed in <a href="#ch03-31015" title="Table 3.1. SMB Header Fields">Table 3.1</a>.</p><div class="table"><a name="ch03-31015"></a><p class="title"><b>Table 3.1. SMB Header Fields  </b></p><div class="table-contents"><table summary="SMB Header Fields  " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Field</p></th><th><p>Size (bytes)</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">0xFF 'SMB'</code></p></td><td><p><code class="literal">1</code></p></td><td><p>
-<a class="indexterm" name="ch03-idx-948337-0"></a>Protocol identifier</p></td></tr><tr><td><p><code class="literal">COM</code></p></td><td><p><code class="literal">1</code></p></td><td><p>Command code, from 0x00 to 0xFF</p></td></tr><tr><td><p><code class="literal">RCLS</code></p></td><td><p><code class="literal">1</code></p></td><td><p>Error class</p></td></tr><tr><td><p><code class="literal">REH</code></p></td><td><p><code class="literal">1</code></p></td><td><p>Reserved</p></td></tr><tr><td><p><code class="literal">ERR</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Error code</p></td></tr><tr><td><p><code class="literal">REB</code></p></td><td><p><code class="literal">1</code></p></td><td><p>Reserved</p></td></tr><tr><td><p><code class="literal">RES</code></p></td><td><p><code class="literal">14</code></p></td><td><p>Reserved</p></td></tr><tr><td><p><code class="literal">TID</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Tree identifier; a unique ID for a resource in use by client</p></td></tr><tr><td><p><code class="literal">PID</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Caller process ID</p></td></tr><tr><td><p><code class="literal">UID</code></p></td><td><p><code class="literal">2</code></p></td><td><p>User identifier</p></td></tr><tr><td><p><code class="literal">MID</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Multiplex identifier; used to route requests inside a process</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-3.1.2"></a>SMB command format</h4></div></div></div><p><em class="firstterm"></em>
-<a class="indexterm" name="ch03-idx-948328-0"></a>Immediately after the header is a variable number of bytes that constitute an SMB command or reply. Each command, such as Open File (COM field identifier: <code class="literal">SMBopen</code>) or Get Print Queue (<code class="literal">SMBsplretq </code>), has its own set of parameters and data. Like the SMB header fields, not all of the command fields need to be filled, depending on the specific command. For example, the Get Server Attributes (<code class="literal">SMBdskattr</code>) command sets the WCT and BCC fields to zero. The fields of the command segment are shown in <a href="#ch03-38178" title="Table 3.2. SMB Command Contents">Table 3.2</a>.</p><div class="table"><a name="ch03-38178"></a><p class="title"><b>Table 3.2. SMB Command Contents </b></p><div class="table-contents"><table summary="SMB Command Contents " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Field</p></th><th><p>Size in Bytes</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">WCT</code></p></td><td><p><code class="literal">1</code></p></td><td><p><em class="firstterm"></em>
-<a class="indexterm" name="ch03-idx-948340-0"></a>Word count</p></td></tr><tr><td><p><code class="literal">VWV</code></p></td><td><p>Variable</p></td><td><p>Parameter words (size given by WCT)</p></td></tr><tr><td><p><code class="literal">BCC</code></p></td><td><p><code class="literal">2</code></p></td><td><p>Parameter byte count</p></td></tr><tr><td><p><code class="literal">DATA</code></p></td><td><p>Variable</p></td><td><p>Data (size given by BCC)</p></td></tr></tbody></table></div></div><br class="table-break"><p>Don't worry if you don't understand each of these fields; they are not necessary for using Samba at an administrator level. However, they do come in handy when debugging system messages. We will show you some of the more common SMB messages that clients and servers send using a modified version of <code class="filename">tcpdump</code> later in this section. (If you would like an SMB sniffer with a graphical interface, try "ethereal," which uses the GTK libraries; see the Samba homepage for more information on this tool.)</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="ch03-resources-for-further-information"></a>Tip</h3><p>If you would like more information on each of the commands for the SMB protocol, see the SMB/CIFS documentation at <code class="systemitem">ftp://ftp.microsoft.com/developr/drg/CIFS/</code>.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-3.1.3"></a>SMB variations</h4></div></div></div><p>The SMB protocol has been extended with new commands several times since its inception. Each new version is backwards compatible with the previous versions. This makes it quite possible for a LAN to have various clients and servers running different versions of the SMB protocol at once.</p><p><a href="#ch03-67366" title="Table 3.3. SMB Protocol Dialects">Table 3.3</a> outlines the major versions of the SMB protocol. Within each "dialect" of SMB are many sub-versions that include commands supporting particular releases of major operating systems. The ID string is used by clients and servers to determine what level of the protocol they will speak to each other.</p><div class="table"><a name="ch03-67366"></a><p class="title"><b>Table 3.3. SMB Protocol Dialects </b></p><div class="table-contents"><table summary="SMB Protocol Dialects " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Protocol Name</p></th><th><p>ID String</p></th><th><p>Used By</p></th></tr></thead><tbody><tr><td><p>Core</p></td><td><p><code class="literal">PC NETWORK PROGRAM 1.0</code></p></td><td> </td></tr><tr><td><p>Core Plus</p></td><td><p><code class="literal">MICROSOFT NETWORKS 1.03 </code></p></td><td> </td></tr><tr><td><p>LAN Manager 1.0</p></td><td><p><code class="literal">LANMAN1.0</code></p></td><td> </td></tr><tr><td><p>LAN Manager 2.0</p></td><td><p><code class="literal">LM1.2X002</code></p></td><td> </td></tr><tr><td><p>LAN Manager 2.1</p></td><td><p><code class="literal">LANMAN2.1</code></p></td><td> </td></tr><tr><td><p>NT LAN Manager 1.0</p></td><td><p><code class="literal">NT LM 0.12</code></p></td><td><p>Windows NT 4.0</p></td></tr><tr><td><p>Samba's NT LM 0.12</p></td><td><p><code class="literal">Samba</code></p></td><td><p>Samba</p></td></tr><tr><td><p>Common Internet File System</p></td><td><p><code class="literal">CIFS 1.0</code></p></td><td><p>Windows 2000</p></td></tr></tbody></table></div></div><br class="table-break"><p>Samba implements the <code class="literal">NT</code> <code class="literal">LM</code> <code class="literal">0.12</code> specification for NT LAN Manager 1.0. It is backwards compatible with all of the other SMB variants. The CIFS specification is, in reality, LAN Manager 0.12 with a few specific additions.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.2"></a>SMB Clients and Servers</h3></div></div></div><p>As mentioned earlier, SMB is a client/server protocol. In the purest sense, this means that a client sends a request to a server, which acts on the request and returns a reply. However, the client/server roles can often be reversed, sometimes within the context of a single SMB session. For example, consider the two Windows 95/98 computers in <a href="#ch03-69480" title="Figure 3.28. Two computers that both have resources to share">Figure 3.28</a>. The computer named WIZZIN shares a printer to the network, and the computer named ESCRIME shares a disk directory. WIZZIN is in the client role when accessing ESCRIME's network drive, and in the server role when printing a job for ESCRIME.</p><div class="figure"><a name="ch03-69480"></a><p class="title"><b>Figure 3.28. Two computers that both have resources to share</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 153px"><td><img src="figs/sam.0328.gif" height="153" alt="Two computers that both have resources to share"></td></tr></table></div></div></div><br class="figure-break"><p>This brings out an important point in Samba terminology:</p><div class="itemizedlist"><ul type="disc"><li><p>A <em class="firstterm">server</em> is a machine with a resource to share.</p></li><li><p>A <em class="firstterm">client</em> is a machine that wishes to use that resource.</p></li><li><p>A server can be a client (of another computer's resource) at any given time.</p></li></ul></div><p>Note that there are no implications as to the amount of resources that make up a server, or whether it has a large disk space or fast processor. A server could be an old 486 with a printer attached to it, or it could be an UltraSparc station with a 10 gigabyte disk service.</p><p>Microsoft Windows products have both the SMB client and server built in to the operating system. <a class="indexterm" name="ch03-idx-948356-0"></a>Wndows NT 4.0 uses a newer SMB protocol than Windows for Workgroups, and it offers an enhanced form of network security which will be discussed in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>. In addition, there are a large number of commercial <a class="indexterm" name="ch03-idx-948361-0"></a>SMB server products available from companies such as Sun, Compaq, SCO, Hewlett-Packard, Syntax, and IBM. Unfortunately, on the client side there are far fewer offerings, limited mainly to Digital Equipment's Pathworks product, and of course, Samba.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.3"></a>A Simple SMB Connection</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948363-0"></a>
-<a class="indexterm" name="ch03-idx-948363-1"></a>Before we close this chapter, let's take a look at a simple SMB connection. This is some pretty technical data&#8212;which isn't really necessary to administer Samba&#8212;so you can skip over it if you like. We present this information largely as a way to help you get familiar with how the SMB protocol negotiates connections with other computers on the network.</p><p>There are four steps that the client and server must complete in order to establish a connection to a resource:</p><div class="orderedlist"><ol type="1"><li><p> Establish a virtual connection.</p></li><li><p> Negotiate the protocol variant to speak.</p></li><li><p> Set session parameters.</p></li><li><p> Make a tree connection to a resource.</p></li></ol></div><p>We will examine each of these steps through the eyes of a useful tool that we mentioned earlier: the modified <code class="filename">tcpdump</code>
-<a class="indexterm" name="ch03-idx-948362-0"></a>
-<a class="indexterm" name="ch03-idx-948362-1"></a> that is available from the Samba web site.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>You can download this program at <code class="filename">samba.org</code> in the <code class="filename">samba/ftp/tcpdump-smb</code> directory; the latest version as of this writing is 3.4-5. Use this program as you would use the standard <code class="filename">tcpdump</code> application, but add the <code class="literal">-s 1500</code> switch to ensure that you get the whole packet and not just the first few bytes.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch03-SECT-3.3.1"></a>Establishing a virtual connection</h4></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948365-0"></a>
-<a class="indexterm" name="ch03-idx-948365-1"></a>When a user first makes a request to access a network disk or send a print job to a remote printer, NetBIOS takes care of making a connection at the <a class="indexterm" name="ch03-idx-948366-0"></a>session layer. The result is a bidirectional virtual channel between the client and server. In reality, there are only two messages that the client and server need to establish this connection. This is shown in the following example session request and response, as captured by <code class="filename">tcpdump</code> :</p><pre class="programlisting">&gt;&gt;&gt; NBT Packet
-NBT Session Request
-Flags=0x81000044
-Destination=ESCRIME      NameType=0x20 (Server)
-Source=WIZZIN            NameType=0x00 (Workstation)
-
-&gt;&gt;&gt; NBT Packet
-NBT Session Granted
-Flags=0x82000000</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.4"></a>Negotiating the Protocol Variant</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948367-0"></a>At this point, there is an open channel between the client and server. Next, the client sends a message to the server to negotiate an SMB protocol. As mentioned earlier, the client sets its <a class="indexterm" name="ch03-idx-948373-0"></a>
-<a class="indexterm" name="ch03-idx-948373-1"></a>tree identifier (TID) field to zero, since it does not yet know what TID to use. A <span class="emphasis"><em>tree identifier</em></span> is a number that represents a connection to a share on a server.</p><p>The command in the message is <code class="literal">SMBnegprot</code>, a request to negotiate a protocol variant that will be used for the entire session. Note that the client sends to the server a list of all of the variants that it can speak, not vice versa.</p><p>The server responds to the <code class="literal">SMBnegprot</code> request with an index into the list of variants that the client offered, starting with index 0, or with the value 0xFF if none of the protocol variants are acceptable. Continuing this example, the server responds with the value 5, which indicates that the <code class="literal">NT</code> <code class="literal">LM</code> <code class="literal">0.12</code> dialect will be used for the remainder of the session:</p><pre class="programlisting">&gt;&gt;&gt; NBT Packet
-NBT Session Packet
-Flags=0x0
-Length=154
-
-SMB PACKET: SMBnegprot (REQUEST)
-SMB Command   =  0x72
-Error class   =  0x0
-Error code    =  0
-Flags1        =  0x0
-Flags2        =  0x0
-Tree ID       =  0
-Proc ID       =  5371
-UID           =  0
-MID           =  385
-Word Count    =  0
-Dialect=PC NETWORK PROGRAM 1.0
-Dialect=MICROSOFT NETWORKS 3.0
-Dialect=DOS LM1.2X002
-Dialect=DOS LANMAN2.1
-Dialect=Windows for Workgroups 3.1a
-Dialect=NT LM 0.12
-
-&gt;&gt;&gt; NBT Packet
-NBT Session Packet
-Flags=0x0
-Length=69
-
-SMB PACKET: SMBnegprot (REPLY)
-SMB Command   =  0x72
-Error class   =  0x0
-Error code    =  0
-Flags1        =  0x0
-Flags2        =  0x1
-Tree ID       =  0
-Proc ID       =  5371
-UID           =  0
-MID           =  385
-Word Count    =  02
-[000] 05 00</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.5"></a>Set Session and Login Parameters</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948377-0"></a>
-<a class="indexterm" name="ch03-idx-948377-1"></a>The next step is to transmit session and login parameters for the session. This includes the account name and password (if there is one), the workgroup name, the maximum size of data that can be transferred, and the number of pending requests that may be in the queue at any one time.</p><p>In the following example, the Session Setup command presented allows for an additional SMB command to be piggybacked onto it. The letter X at the end of the command name indicates this, and the hexadecimal code of the second command is given in the <code class="literal">Com2</code> field. In this case the command is <code class="literal">0x75</code>, which is the Tree Connect and X command. The <code class="literal">SMBtconX</code> message looks for the name of the resource in the <span><strong class="command">smb_buf</strong></span> buffer. (This is the last field listed in the following request.) In this example, <span><strong class="command">smb_buf</strong></span> contains the string <code class="literal">\\ESCRIME\PUBLIC</code>, which is the full pathname to a shared directory on node ESCRIME. Using the "and X" commands like this speeds up each transaction, since the server doesn't have to wait on the client to make a second request.</p><p>Note that the <a class="indexterm" name="ch03-idx-948382-0"></a>
-<a class="indexterm" name="ch03-idx-948382-1"></a>TID is still zero. The server will provide a TID to the client once the session has been established and a connection has been made to the requested resource. In addition, note that the password is sent in the open. We can change this later using encrypted passwords:</p><pre class="programlisting">&gt;&gt;&gt; NBT Packet
-NBT Session Packet
-Flags=0x0
-Length=139
-
-SMB PACKET: SMBsesssetupX (REQUEST)
-SMB Command   =  0x73
-Error class   =  0x0
-Error code    =  0
-Flags1        =  0x10
-Flags2        =  0x0
-Tree ID       =  0
-Proc ID       =  5371
-UID           =  1
-MID           =  385
-Word Count    =  13
-Com2=0x75
-Res1=0x0
-Off2=106
-MaxBuffer=2920
-MaxMpx=2
-VcNumber=0
-SessionKey=0x1FF2
-CaseInsensitivePasswordLength=1
-CaseSensitivePasswordLength=1
-Res=0x0
-Capabilities=0x1
-Pass1&amp;Pass2&amp;Account&amp;Domain&amp;OS&amp;LanMan=  
-  KRISTIN PARKSTR Windows 4.0 Windows 4.0
-PassLen=2
-Passwd&amp;Path&amp;Device=
-smb_bcc=22
-smb_buf[]=\\ESCRIME\PUBLIC</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch03-SECT-3.6"></a>Making Connection to a Resource</h3></div></div></div><p>
-<a class="indexterm" name="ch03-idx-948383-0"></a>
-<a class="indexterm" name="ch03-idx-948383-1"></a>For the final step, the server returns a TID to the client, indicating that the user has been authorized access and that the resource is ready to be used. It also sets the <span><strong class="command">ServiceType</strong></span> field to "A" to indicate that this is a file service. Available service types are:</p><div class="itemizedlist"><ul type="disc"><li><p> "A" for a disk or file</p></li><li><p> "LPT1" for a spooled output</p></li><li><p> "COMM" for a direct-connect printer or modem</p></li><li><p> "IPC" for a named pipe</p></li></ul></div><p>The output is:</p><pre class="programlisting">&gt;&gt;&gt; NBT Packet
-NBT Session Packet
-Flags=0x0
-Length=78
-
-SMB PACKET: SMBsesssetupX (REPLY)
-SMB Command   =  0x73
-Error class   =  0x0
-Error code    =  0
-Flags1        =  0x80
-Flags2        =  0x1
-Tree ID       =  121
-Proc ID       =  5371
-UID           =  1
-MID           =  385
-Word Count    =  3
-Com2=0x75
-Off2=68
-Action=0x1
-[000] Unix Samba 1.9.1
-[010] PARKSTR
-
-SMB PACKET: SMBtconX (REPLY) (CHAINED)
-smbvwv[]=
-Com2=0xFF
-Off2=78
-smbbuf[]=
-ServiceType=A:</pre><p>Now that a TID has been assigned, the client may issue any sort of command that it would use on a local disk drive. It can open files, read and write to them, delete them, create new files, search for filenames, and so<a class="indexterm" name="ch03-idx-948291-0"></a> on.<a class="indexterm" name="ch03-idx-947921-0"></a>
-<a class="indexterm" name="ch03-idx-947921-1"></a></p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch03-pgfId-942097" href="#ch03-pgfId-942097">1</a>] </sup>We can disqualify the other address because every Unix machine has a localhost address of 127.0.0.1 whether it is connected to a network or not. This address is required for some system tools to operate correctly.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch03-pgfId-943371" href="#ch03-pgfId-943371">2</a>] </sup>A common occurrence: after looking at the unused protocol for a while, the machine will time out and try the good one. This fruitless searching gives you terrible performance and mysterious delays.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch03-pgfId-946587" href="#ch03-pgfId-946587">3</a>] </sup>The address 127.0.0.1 is known as the <span class="emphasis"><em>localhost</em></span>
-<a class="indexterm" name="ch03-idx-948263-0"></a> address, and always refers to itself. For example, if you type <code class="literal">ping 127.0.0.1</code> on a Unix server, you should always get a response, as you're pinging the host itself.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch03-pgfId-942928" href="#ch03-pgfId-942928">4</a>] </sup>See <code class="systemitem">http://anu.samba.org/cifs/docs/what-is-smb.html</code> for Richard's excellent summary of SMB.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ch04-21486"></a>Chapter 4. Disk Shares </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch04-76968">4.1. Learning the Samba Configuration File</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-52415">4.1.1. Configuration File Structure</a></span></dt><dt><span class="sect2"><a href="#ch04-87365">4.1.2. Variables</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-81402">4.2. Special Sections</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-2.1">4.2.1. The [globals] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.2">4.2.2. The [ homes] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.3">4.2.3. The [printers] Section</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-2.4">4.2.4. Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-46076">4.3. Configuration File Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-3.0.1">4.3.1. 
-config file</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-3.0.2">4.3.2. 
-include</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-3.0.3">4.3.3. 
-copy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-71382">4.4. Server Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-4.1">4.4.1. Server Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-14274">4.5. Disk Share Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-5.1">4.5.1. Disk Share Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-86705">4.6. Networking Options with Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-6.1">4.6.1. Networking Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-16899">4.7. Virtual Servers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-SECT-7.0.1">4.7.1. 
-netbios aliases</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch04-29331">4.8. Logging Configuration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch04-97929">4.8.1. Using syslog</a></span></dt><dt><span class="sect2"><a href="#ch04-SECT-8.1">4.8.2. Logging Configuration Options</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="ch04-idx-967030-0"></a>In the previous three chapters, we showed you how to install Samba on a Unix server and set up Windows clients to use a simple disk share. This chapter will show you how Samba can assume more productive roles on your network.</p><p>Samba's <a class="indexterm" name="ch04-idx-967124-0"></a>daemons, <span class="emphasis"><em>smbd</em></span>
-<a class="indexterm" name="ch04-idx-967122-0"></a> and <span class="emphasis"><em>nmbd</em></span>
-<a class="indexterm" name="ch04-idx-967123-0"></a>, are controlled through a single ASCII file, <code class="filename">smb.conf</code>, that can contain over 200 unique options. These options define how Samba reacts to the network around it, including everything from simple permissions to encrypted connections and NT domains. The next five chapters are designed to help you get familiar with this file and its options. Some of these options you will use and change frequently; others you may never use&#8212;it all depends on how much functionality you want Samba to offer its clients.</p><p>This chapter introduces the structure of the Samba configuration file and shows you how to use these options to create and modify disk shares. Subsequent chapters will discuss browsing, how to configure users, security, domains, and printers, and a host of other myriad topics that you can implement with Samba on your network.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-76968"></a>Learning the Samba Configuration File</h2></div></div></div><p><code class="filename"></code>
-<a class="indexterm" name="ch04-idx-968372-0"></a>Here is an <code class="filename"></code>
-<a class="indexterm" name="ch04-idx-968374-0"></a>example of a Samba configuration file. If you have worked with a Windows .INI file, the structure of the <code class="filename">smb.conf </code> file should look very familiar:</p><pre class="programlisting">[global] 
-	log level = 1 
-	max log size = 1000
-	socket options = TCP_NODELAY IPTOS_LOWDELAY 
-	guest ok = no
-[homes] 
-	browseable = no
-	map archive = yes
-[printers] 
-	path = /usr/tmp
-	guest ok = yes
-	printable = yes
-[test]
-	browseable = yes
-	read only = yes
-	guest ok = yes
-	path = /export/samba/test</pre><p>Although you may not understand the contents yet, this is a good configuration file to grab if you're in a hurry. (If you're not, we'll create a new one from scratch shortly.) In a nutshell, this configuration file sets up basic debug logging in a default log file not to exceed 1MB, optimizes TCP/IP socket connections between the Samba server and any SMB clients, and allows Samba to create a disk share for each user that has a standard Unix account on the server. In addition, each of the printers registered on the server will be publicly available, as will a single read-only share that maps to the <code class="filename">/export/samba/test</code> directory. The last part of this file is similar to the disk share you used to test Samba in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-52415"></a>Configuration File Structure</h3></div></div></div><p><code class="filename"></code>
-<a class="indexterm" name="ch04-idx-967054-0"></a>Let's take another look at this configuration file, this time from a higher level:</p><pre class="programlisting">[global] 
-	...
-[homes] 
-	...
-[printers] 
-	...
-[test] 
-	...</pre><p>The names inside the <a class="indexterm" name="ch04-idx-967103-0"></a>square brackets delineate unique sections of the <code class="filename">smb.conf</code> file; each <a class="indexterm" name="ch04-idx-967104-0"></a>section names the <em class="firstterm">share</em>
-<a class="indexterm" name="ch04-idx-967105-0"></a> (or <a class="indexterm" name="ch04-idx-967106-0"></a>service) that the section refers to. For example, the <code class="literal">[test]</code> and <code class="literal">[homes]</code> sections are each unique disk shares; they contain options that map to specific directories on the Samba server. The <code class="literal">[printers]</code> share contains options that map to various printers on the server. All the sections defined in the <code class="filename">smb.conf</code> file, with the exception of the <code class="literal">[global]</code> section, will be available as a disk or printer share to clients connecting to the Samba server.</p><p>The remaining lines are individual configuration options unique to that share. These options will continue until a new bracketed section is encountered, or until the end of the file is reached. Each <a class="indexterm" name="ch04-idx-967107-0"></a>
-<a class="indexterm" name="ch04-idx-967107-1"></a>configuration option follows a simple format:</p><pre class="programlisting"><em class="replaceable"><code>option</code></em> = <em class="replaceable"><code>value</code></em></pre><p>Options in the <code class="filename">smb.conf</code> file are set by assigning a value to them. We should warn you up front that some of the <a class="indexterm" name="ch04-idx-967109-0"></a>option names in Samba are poorly chosen. For example, <code class="literal">read</code> <code class="literal">only</code> is self-explanatory, and is typical of many recent Samba options. <code class="literal">public</code> is an older option, and is vague; it now has a less-confusing synonym <code class="literal">guest</code> <code class="literal">ok</code> (may be accessed by guests). We describe some of the more common historical names in this chapter in sections that highlight each major task. In addition,  <a href="#SAMBA-AP-C" title="Appendix C. Samba Configuration Option Quick Reference">Appendix C</a>, contains an alphabetical index of all the configuration options and their meanings.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.1"></a>Whitespaces, quotes, and commas</h4></div></div></div><p>An important item to remember about configuration options is that all <a class="indexterm" name="ch04-idx-967110-0"></a>whitespaces in the <em class="replaceable"><code>value</code></em> are significant. For example, consider the following option:</p><pre class="programlisting">volume = The Big Bad Hard Drive Number 3543</pre><p>Samba strips away the spaces between the final <code class="literal">e</code> in <code class="literal">volume</code> and the first <code class="literal">T</code> in <code class="literal">The</code>. These whitespaces are insignificant. The rest of the whitespaces are significant and will be recognized and preserved by Samba when reading in the file. Space is not significant in option names (such as <code class="literal">guest</code> <code class="literal">ok</code>), but we recommend you follow convention and keep spaces between the words of options.</p><p>If you feel safer including <a class="indexterm" name="ch04-idx-967111-0"></a>quotation marks at the beginning and ending of a configuration option's value, you may do so. Samba will ignore these quotation marks when it encounters them. Never use quotation marks around an option itself; Samba will treat this as an error.</p><p>Finally, you can use whitespaces to separate a series of values in a list, or you can use commas. These two options are equivalent:</p><pre class="programlisting">netbios aliases = sales, accounting, payroll
-netbios aliases = sales accounting payroll</pre><p>In some values, however, you must use one form of separation&#8212;<a class="indexterm" name="ch04-idx-967367-0"></a>spaces in some cases, <a class="indexterm" name="ch04-idx-967112-0"></a>commas in others.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.2"></a>Capitalization</h4></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967113-0"></a>Capitalization is not important in the Samba configuration file except in locations where it would confuse the underlying operating system. For example, let's assume that you included the following option in a share that pointed to <code class="filename">/export/samba/simple </code>:</p><pre class="programlisting">PATH = /EXPORT/SAMBA/SIMPLE</pre><p>Samba would have no problem with the <code class="literal">path</code> configuration option appearing entirely in capital letters. However, when it tries to connect to the given directory, it would be unsuccessful because the Unix filesystem in the underlying operating system <span class="emphasis"><em>is</em></span> case sensitive. Consequently, the path listed would not be found and clients would be unable to connect to the share.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.3"></a>Line continuation</h4></div></div></div><p>You can continue a <a class="indexterm" name="ch04-idx-967114-0"></a>line in the Samba configuration file using the <a class="indexterm" name="ch04-idx-967115-0"></a>
-<a class="indexterm" name="ch04-idx-967115-1"></a>backslash, as follows:</p><pre class="programlisting">comment = The first share that has the primary copies \
-          of the new Teamworks software product.</pre><p>Because of the backslash, these two lines will be treated as one line by Samba. The second line begins at the first non-whitespace character that Samba encounters; in this case, the <code class="literal">o</code> in <code class="literal">of</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.4"></a>Comments</h4></div></div></div><p>You can insert <a class="indexterm" name="ch04-idx-967118-0"></a>comments in the <code class="filename">smb.conf</code> configuration file by preceding a line with either a<a class="indexterm" name="ch04-idx-967119-0"></a>
-<a class="indexterm" name="ch04-idx-967119-1"></a> hash mark (#) or a<a class="indexterm" name="ch04-idx-967120-0"></a>
-<a class="indexterm" name="ch04-idx-967120-1"></a> semicolon ( ; ). Both characters are equivalent. For example, the first three lines in the following example would be considered comments:</p><pre class="programlisting">#  This is the printers section. We have given a minimum print 
-;  space of 2000 to prevent some errors that we've seen when
-;  the spooler runs out of space.
-
-[printers] 
-	public = yes
-	min print space = 2000</pre><p>Samba will ignore all comment lines in its configuration file; there are no limitations to what can be placed on a comment line after the initial hash mark or semicolon. Note that the line <a class="indexterm" name="ch04-idx-967121-0"></a>
-<a class="indexterm" name="ch04-idx-967121-1"></a>continuation character (<code class="literal">\</code>) will <span class="emphasis"><em>not</em></span> be honored on a commented line. Like the rest of the line, it is ignored.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-1.1.5"></a>Changes at runtime</h4></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967126-0"></a>You can modify the <code class="filename">smb.conf</code> configuration file and any of its options at any time while the Samba daemons are running. By default, Samba checks the configuration file every 60 seconds for changes. If it finds any, the changes are immediately put into effect. If you don't wish to wait that long, you can force a reload by either sending a <a class="indexterm" name="ch04-idx-967127-0"></a>SIGHUP signal to the <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> processes, or simply restarting the daemons.</p><p>For example, if the <span class="emphasis"><em>smbd</em></span> <a class="indexterm" name="ch04-idx-967128-0"></a>
-<a class="indexterm" name="ch04-idx-967128-1"></a>
-<a class="indexterm" name="ch04-idx-967128-2"></a>process was 893, you could force it to reread the configuration file with the following command:</p><pre class="programlisting"># <span class="bold"><strong>kill -SIGHUP 893</strong></span></pre><p>Not all changes will be immediately recognized by clients. For example, changes to a share that is currently in use will not be registered until the client disconnects and reconnects to that share. In addition, server-specific parameters such as the workgroup or NetBIOS name of the server will not register immediately either. This keeps active clients from being suddenly disconnected or encountering unexpected access problems while a session is open.<code class="filename"></code>
-<a class="indexterm" name="ch04-idx-967061-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-87365"></a>Variables</h3></div></div></div><p><code class="filename"></code>
-<a class="indexterm" name="ch04-idx-967393-0"></a>
-<a class="indexterm" name="ch04-idx-967393-1"></a>Samba includes a complete set of variables for determining characteristics of the Samba server and the clients to which it connects. Each of these variables begins with a <a class="indexterm" name="ch04-idx-967129-0"></a>
-<a class="indexterm" name="ch04-idx-967129-1"></a>percent sign, followed by a single uppercase or lowercase letter, and can be used only on the right side of a configuration option (e.g., after the equal sign):</p><pre class="programlisting">[pub]
-    path = /home/ftp/pub/%a</pre><p>The <code class="literal">%a</code> stands for the client machine's architecture (e.g., <code class="literal">WinNT</code> for Windows NT, <code class="literal">Win95</code> for Windows 95 or 98, or <code class="literal">WfWg</code> for Windows for Workgroups). Because of this, Samba will assign a unique <a class="indexterm" name="ch04-idx-967130-0"></a>path for the <code class="literal">[pub]</code> share to client machines running Windows NT, a different path for client machines running Windows 95, and another path for Windows for Workgroups. In other words, the paths that each client would see as its share differ according to the client's architecture, as follows:</p><pre class="programlisting">/home/ftp/pub/WinNT
-/home/ftp/pub/Win95
-/home/ftp/pub/WfWg</pre><p>Using variables in this manner comes in handy if you wish to have different users run custom configurations based on their own unique characteristics or conditions. Samba has 19 variables, as shown in <a href="#ch04-10883" title="Table 4.1. Samba Variables">Table 4.1</a>.</p><div class="table"><a name="ch04-10883"></a><p class="title"><b>Table 4.1. Samba Variables </b></p><div class="table-contents"><table summary="Samba Variables " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td colspan="2"><p><span class="bold"><strong>
-<a class="indexterm" name="ch04-idx-968086-0"></a>Client variables</strong></span></p></td></tr><tr><td><p><code class="literal">%a</code></p></td><td><p><code class="filename"></code>
-<a class="indexterm" name="ch04-idx-968093-0"></a>Client's architecture (e.g., Samba, WfWg, WinNT, Win95, or UNKNOWN)</p></td></tr><tr><td><p><code class="literal">%I</code></p></td><td><p>Client's IP address (e.g., 192.168.220.100)</p></td></tr><tr><td><p><code class="literal">%m</code></p></td><td><p>Client's NetBIOS name</p></td></tr><tr><td><p><code class="literal">%M</code></p></td><td><p>Client's DNS name</p></td></tr><tr><td colspan="2"><p><span class="bold"><strong>
-<a class="indexterm" name="ch04-idx-968108-0"></a>User variables</strong></span></p></td></tr><tr><td><p><code class="literal">%g</code></p></td><td><p>Primary group of <code class="literal">%u</code></p></td></tr><tr><td><p><code class="literal">%G</code></p></td><td><p>Primary group of <code class="literal">%U</code></p></td></tr><tr><td><p><code class="literal">%H</code></p></td><td><p>Home directory of <code class="literal">%u</code></p></td></tr><tr><td><p><code class="literal">%u</code></p></td><td><p>Current Unix username</p></td></tr><tr><td><p><code class="literal">%U</code></p></td><td><p>Requested client username (not always used by Samba)</p></td></tr><tr><td colspan="2"><p><span class="bold"><strong>Share variables</strong></span></p></td></tr><tr><td><p><code class="literal">%p</code></p></td><td><p>Automounter's path to the share's root directory, if different from <code class="literal">%P</code></p></td></tr><tr><td><p><code class="literal">%P</code></p></td><td><p>Current share's root directory</p></td></tr><tr><td><p><code class="literal">%S</code></p></td><td><p>Current share's name</p></td></tr><tr><td colspan="2"><p><span class="bold"><strong>Server variables</strong></span></p></td></tr><tr><td><p><code class="literal">%d</code></p></td><td><p>Current server process ID</p></td></tr><tr><td><p><code class="literal">%h</code></p></td><td><p>Samba server's DNS hostname</p></td></tr><tr><td><p><code class="literal">%L</code></p></td><td><p>Samba server's NetBIOS name</p></td></tr><tr><td><p><code class="literal">%N</code></p></td><td><p>Home directory server, from the automount map</p></td></tr><tr><td><p><code class="literal">%v</code></p></td><td><p>Samba version</p></td></tr><tr><td colspan="2"><p><span class="bold"><strong>Miscellaneous variables</strong></span></p></td></tr><tr><td><p><code class="literal">%R</code></p></td><td><p>The SMB protocol level that was negotiated</p></td></tr><tr><td><p><code class="literal">%T</code></p></td><td><p>The current date and time</p></td></tr></tbody></table></div></div><br class="table-break"><p>
-<a class="indexterm" name="ch04-idx-967143-0"></a>Here's another example of using variables: let's say that there are five clients on your network, but one client, <code class="literal">fred</code>, requires a slightly different <code class="literal">[homes]</code> configuration loaded when it connects to the Samba server. With Samba, it's simple to attack such a problem:</p><pre class="programlisting">[homes] 
-	...
-	include = /usr/local/samba/lib/smb.conf.%m
-	...</pre><p>The <code class="literal">include</code> option here causes a separate configuration file for each particular NetBIOS machine (<code class="literal">%m</code>) to be read in addition to the current file. If the hostname of the client machine is <code class="literal">fred</code>, and if a <code class="filename">smb.conf.fred</code> file exists in the <em class="replaceable"><code>samba_dir</code></em><code class="filename">/lib/</code> directory (or whatever directory you've specified for your configuration files), Samba will insert that configuration file into the default one. If any configuration options are restated in <code class="filename">smb.conf.fred</code>, those values will override any options previously encountered in that share. Note that we say "previously." If any options are restated in the main configuration file after the <code class="literal">include</code> option, Samba will honor those restated values for the share in which they are defined.</p><p>Here's the important part: if there is no such file, Samba will not generate an error. In fact, it won't do anything at all. This allows you to create only one extra configuration file for <code class="literal">fred</code> when using this strategy, instead of one for each NetBIOS machine that is on the network.</p><p>Machine-specific configuration files can be used both to customize particular clients and to make debugging Samba easier. Consider the latter; if we have one client with a problem, we can use this approach to give it a private log file with a more verbose logging level. This allows us to see what Samba is doing without slowing down all the other clients or overflowing the disk with useless logs. Remember, with large networks you may not always have the option to restart the Samba server to perform debugging!</p><p>You can use each of the variables in <a href="#ch04-10883" title="Table 4.1. Samba Variables">Table 4.1</a> to give custom values to a variety of Samba options. We will highlight several of these options as we move through the next few chapters.<code class="filename"></code>
-<a class="indexterm" name="ch04-idx-967084-0"></a>
-<a class="indexterm" name="ch04-idx-967084-1"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-81402"></a>Special Sections</h2></div></div></div><p><code class="filename"></code>
-<a class="indexterm" name="ch04-idx-967091-0"></a>
-<a class="indexterm" name="ch04-idx-967091-1"></a>Now that we've gotten our feet wet with variables, there are a few special sections of the Samba configuration file that we should talk about. Again, don't worry if you do not understand each and every configuration options listed below; we'll go over each of them over the course of the upcoming chapters.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-2.1"></a>The [globals] Section</h3></div></div></div><p>The <code class="literal">[globals]</code>
-<a class="indexterm" name="ch04-idx-967171-0"></a>
-<a class="indexterm" name="ch04-idx-967171-1"></a> section appears in virtually every Samba configuration file, even though it is not mandatory to define one. Any option set in this section of the file will apply to all the other shares, as if the contents of the section were copied into the share itself. There is one catch: other sections can list the same option in their section with a new value; this has the effect of overriding the value specified in the <code class="literal">[globals]</code> section.</p><p>To illustrate this, let's again look at the opening example of the chapter:</p><pre class="programlisting">[global] 
-	log level = 1 
-	max log size = 1000
-	socket options = TCP_NODELAY IPTOS_LOWDELAY 
-	guest ok = no
-[homes] 
-	browseable = no
-	map archive = yes
-[printers] 
-	path = /usr/tmp
-	guest ok = yes
-	printable = yes
-	min print space = 2000
-[test] 
-	browseable = yes
-	read only = yes
-	guest ok = yes
-	path = /export/samba/test</pre><p>In the previous example, if we were going to connect a client to the <code class="literal">[test]</code> share, Samba would first read in the <code class="literal">[globals]</code> section. At that point, it would set the option <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">no</code> as the global default for each share it encounters throughout the configuration file. This includes the <code class="literal">[homes]</code> and <code class="literal">[printers]</code> shares. When it reads in the <code class="literal">[test]</code> share, however, it would then find the configuration option <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">yes</code>, and override the default from the <code class="literal">[globals]</code> section with the value <code class="literal">yes</code> in the context of the <code class="literal">[pub]</code> share.</p><p>Any option that appears outside of a section (before the first marked section) is also assumed to be a global option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-2.2"></a>The [ homes] Section</h3></div></div></div><p>If a client attempts to connect to a share that doesn't appear in the <code class="filename">smb.conf</code> file, Samba will search for a <code class="literal">[homes]</code>
-<a class="indexterm" name="ch04-idx-967172-0"></a> share in the configuration file. If one exists, the unidentified share name is assumed to be a Unix username, which is queried in the password database of the Samba server. If that username appears, Samba assumes the client is a Unix user trying to connect to his or her home directory on the server.</p><p>For example, assume a client machine is connecting to the Samba server <code class="literal">hydra</code> for the first time, and tries to connect to a share named [<code class="literal">alice]</code>. There is no <code class="literal">[alice]</code> share defined in the <code class="filename">smb.conf</code> file, but there is a <code class="literal">[homes]</code>, so Samba searches the password database file and finds an <code class="literal">alice</code> user account is present on the system. Samba then checks the password provided by the client against user <code class="literal">alice</code>'s Unix password&#8212;either with the password database file if it's using non-encrypted passwords, or Samba's <code class="filename">smbpasswd</code> file if encrypted passwords are in use. If the passwords match, then Samba knows it has guessed right: the user <code class="literal">alice</code> is trying to connect to her home directory. Samba will then create a share called <code class="literal">[alice]</code> for her.</p><p>The process of using the <code class="literal">[homes]</code> section to create <a class="indexterm" name="ch04-idx-967175-0"></a>users (and dealing with their passwords) is discussed in more detail in the <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-2.3"></a>The [printers] Section</h3></div></div></div><p>The third special section is called <code class="literal">[printers]</code>
-<a class="indexterm" name="ch04-idx-967173-0"></a> and is similar to <code class="literal">[homes]</code>. If a client attempts to connect to a share that isn't in the <code class="filename">smb.conf</code>  file, and its name can't be found in the password file, Samba will check to see if it is a printer share. Samba does this by reading the <a class="indexterm" name="ch04-idx-967182-0"></a>printer capabilities file (usually <code class="filename">/etc/printcap</code>) to see if the share name appears there.<sup>[<a name="ch04-pgfId-960558" href="#ftn.ch04-pgfId-960558">1</a>]</sup> If it does, Samba creates a share named after the printer.</p><p>Like <code class="literal">[homes]</code>, this means you don't have to maintain a share for each of your system printers in the <code class="filename">smb.conf</code>  file. Instead, Samba honors the Unix printer registry if you request it to, and provides the registered printers to the client machines. There is, however, an obvious limitation: if you have an account named <code class="literal">fred</code> and a printer named <code class="literal">fred</code>, Samba will always find the user account first, even if the client really needed to connect to the printer.</p><p>The process of setting up the <code class="literal">[printers]</code>
-<a class="indexterm" name="ch04-idx-968220-0"></a> share is discussed in more detail in <a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a>.<code class="filename"></code>
-<a class="indexterm" name="ch04-idx-968225-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-2.4"></a>Configuration Options</h3></div></div></div><p><code class="filename"></code>
-<a class="indexterm" name="ch04-idx-967407-0"></a>Options in the Samba configuration files fall into one of two categories: <em class="firstterm">global</em> or <em class="firstterm">share</em>. Each category dictates where an option can appear in the configuration file.</p><div class="variablelist"><dl><dt><span class="term">Global</span></dt><dd><p>
-<a class="indexterm" name="ch04-idx-967207-0"></a>Global options <span class="emphasis"><em>must</em></span> appear in the <code class="literal">[global]</code> section and nowhere else. These are options that typically apply to the behavior of the Samba server itself, and not to any of its shares.</p></dd><dt><span class="term">Share</span></dt><dd><p>
-<a class="indexterm" name="ch04-idx-967209-0"></a>Share options can appear in specific shares, or they can appear in the <code class="literal">[global]</code> section. If they appear in the <code class="literal">[global]</code> section, they will define a default behavior for all shares, unless a share overrides the option with a value of its own.</p></dd></dl></div><p>In addition, the values that a configuration option can take can be divided into four categories. They are as follows:</p><div class="variablelist"><dl><dt><span class="term">Boolean</span></dt><dd><p>
-<a class="indexterm" name="ch04-idx-967210-0"></a>These are simply yes or no values, but can be represented by any of the following: <code class="literal">yes</code>, <code class="literal">no</code>, <code class="literal">true</code>, <code class="literal">false</code>, <code class="literal">0</code>, <code class="literal">1</code>. The values are case insensitive: <code class="literal">YES</code> is the same as <code class="literal">yes</code>.</p></dd><dt><span class="term">Numerical</span></dt><dd><p>
-<a class="indexterm" name="ch04-idx-967220-0"></a>An integer, hexidecimal, or octal number. The standard <code class="literal">0x</code><span class="emphasis"><em>nn</em></span> syntax is used for hexadecimal and <code class="literal">0</code><span class="emphasis"><em>nnn</em></span> for octal.</p></dd><dt><span class="term">String</span></dt><dd><p>A <a class="indexterm" name="ch04-idx-967222-0"></a>string of case-sensitive characters, such as a filename or a username.</p></dd><dt><span class="term">Enumerated list</span></dt><dd><p>A finite list of known values. In effect, a boolean is an <a class="indexterm" name="ch04-idx-967223-0"></a>enumerated list with only two values.<code class="filename"></code>
-<a class="indexterm" name="ch04-idx-967166-0"></a>
-<a class="indexterm" name="ch04-idx-967166-1"></a></p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-46076"></a>Configuration File Options</h2></div></div></div><p>Samba has well over 200 configuration options at its disposal. So let's start off easy by introducing some of the options you can use to modify the configuration file itself.</p><p>As we hinted earlier in the chapter, configuration files are by no means static. You can instruct Samba to include or even replace configuration options as it is processing them. The options to do this are summarized in <a href="#ch04-94939" title="Table 4.2. Configuration File Options">Table 4.2</a>.</p><div class="table"><a name="ch04-94939"></a><p class="title"><b>Table 4.2. Configuration File Options </b></p><div class="table-contents"><table summary="Configuration File Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">config file</code></p></td><td><p>string (fully-qualified name)</p></td><td><p>Sets the location of a configuration file to use instead of the current one.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">include</code></p></td><td><p>string (fully-qualified name)</p></td><td><p>Specifies an additional segment of configuration options to be included at this point in the configuration file.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">copy</code></p></td><td><p>string (name of share)</p></td><td><p>Allows you to clone the configuration options of another share in the current share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-3.0.1"></a>
-config file</h3></div></div></div><a class="indexterm" name="ch04-idx-968272-0"></a><p>The global <code class="literal">config</code> <code class="literal">file</code> option specifies a replacement configuration file that will be loaded when the option is encountered. If the target file exists, the remainder of the current configuration file, as well as the options encounter so far, will be discarded; Samba will configure itself entirely with the options in the new file. The <code class="literal">config</code> <code class="literal">file</code> option takes advantage of the variables above, which is useful in the event that you want load a special configuration file based on the machine name or user of the client that it connecting.</p><p>For example, the following line instructs Samba to use a configuration file specified by the NetBIOS name of the client connecting, if such a file exists. If it does, options specified in the original configuration file are ignored. The following example attempts to lead a new configuration file based on the client's NetBIOS name:</p><pre class="programlisting">[global]
-	config file = /usr/local/samba/lib/smb.conf.%m</pre><p>If the configuration file specified does not exist, the option is ignored and Samba will continue to configure itself based on the current file.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-3.0.2"></a>
-include</h3></div></div></div><a class="indexterm" name="ch04-idx-968282-0"></a><p>This option, discussed in greater detail earlier, copies the target file into the current configuration file at the point specified, as shown in <a href="#ch04-97340" title="Figure 4.1. The include option in a Samba configuration file">Figure 4.1</a>. This option also takes advantage of the variables specified earlier in the chapter, which is useful in the event that you want load configuration options based on the machine name or user of the client that it connecting. You can use this option as follows:</p><pre class="programlisting">[global]
-	include = /usr/local/samba/lib/smb.conf.%m</pre><p>If the configuration file specified does not exist, the option is ignored. Remember that any option specified previously is overridden. In <a href="#ch04-97340" title="Figure 4.1. The include option in a Samba configuration file">Figure 4.1</a>, all three options will override their previous values.</p><div class="figure"><a name="ch04-97340"></a><p class="title"><b>Figure 4.1. The include option in a Samba configuration file</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 232px"><td><img src="figs/sam.0401.gif" height="232" alt="The include option in a Samba configuration file"></td></tr></table></div></div></div><br class="figure-break"><p>The <code class="literal">include</code> option cannot understand the variables <code class="literal">%u</code> (user), <code class="literal">%p</code> (current share's rout directory), or <code class="literal">%s</code> (current share) because they are not set at the time the file is read.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-3.0.3"></a>
-copy</h3></div></div></div><a class="indexterm" name="ch04-idx-968285-0"></a><p>The <code class="literal">copy</code> configuration option allows you to clone the configuration options of the share name that you specify in the current share. The target share must appear earlier in the configuration file than the share that is performing the copy. For example:</p><pre class="programlisting">[template]
-	writable = yes
-	browsable = yes
-	valid users = andy, dave, peter
-
-[data]
-	path = /usr/local/samba
-	copy = template</pre><p>Note that any options in the share that invoked the <code class="literal">copy</code> directive will override those in the cloned share; it does not matter whether they appear before or after the <code class="literal">copy</code><code class="filename"></code>
-<a class="indexterm" name="ch04-idx-968230-0"></a> directive.<code class="filename"></code>
-<a class="indexterm" name="ch04-idx-967416-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-71382"></a>Server Configuration</h2></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967242-0"></a>Now it's time to begin configuring your Samba server. Let's introduce three basic configuration options that can appear in the <code class="literal">[global]</code> section of your <code class="filename">smb.conf</code> file:</p><pre class="programlisting">[global]
-	#  Server configuration parameters
-	netbios name = HYDRA
-	server string = Samba %v on (%L)
-	workgroup = SIMPLE</pre><p>This configuration file is pretty simple; it advertises the Samba server on a NBT network under the NetBIOS name <code class="literal">hydra</code>. In addition, the machine belongs to the workgroup SIMPLE and displays a description to clients that includes the Samba version number as well as the NetBIOS name of the Samba server.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you had to enter <code class="literal">encrypt passwords=yes</code> in your earlier configuration file, you should do so here as well.</p></div><p>Go ahead and try this configuration file. Create a file named <code class="filename">smb.conf</code>
-<a class="indexterm" name="ch04-idx-967246-0"></a> under the <code class="filename">/usr/local/samba/lib</code> directory with the text listed above. Then reset the Samba server and use a Windows client to verify the results. Be sure that your Windows clients are in the SIMPLE workgroup as well. After clicking on the <a class="indexterm" name="ch04-idx-967247-0"></a>Network Neighborhood on a Windows client, you should see a window similar to <a href="#ch04-38915" title="Figure 4.2. Network Neighborhood showing the Samba server">Figure 4.2</a>. (In this figure, <code class="literal">phoenix</code> and <code class="literal">chimaera</code> are our Windows clients.)</p><div class="figure"><a name="ch04-38915"></a><p class="title"><b>Figure 4.2. Network Neighborhood showing the Samba server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 206px"><td><img src="figs/sam.0402.gif" height="206" alt="Network Neighborhood showing the Samba server"></td></tr></table></div></div></div><br class="figure-break"><p>You can verify the <code class="literal">server</code> <code class="literal">string</code> by listing the details of the Network Neighborhood window (select the Details menu item under the View menu), at which point you should see a window similar to <a href="#ch04-50900" title="Figure 4.3. Network Neighborhood details listing">Figure 4.3</a>.</p><div class="figure"><a name="ch04-50900"></a><p class="title"><b>Figure 4.3. Network Neighborhood details listing</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 220px"><td><img src="figs/sam.0403.gif" height="220" alt="Network Neighborhood details listing"></td></tr></table></div></div></div><br class="figure-break"><p>If you were to click on the Hydra icon, a window should appear that shows the services that it provides. In this case, the window would be completely empty because there are no shares on the server yet.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-4.1"></a>Server Configuration Options</h3></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967248-0"></a>
-<a class="indexterm" name="ch04-idx-967248-1"></a><a href="#ch04-61150" title="Table 4.3. Server Configuration Options">Table 4.3</a> summarizes the server configuration options introduced previously. Note that all three of these options are global in scope; in other words, they must appear in the <code class="literal">[global]</code> section of the configuration file.</p><div class="table"><a name="ch04-61150"></a><p class="title"><b>Table 4.3. Server Configuration Options </b></p><div class="table-contents"><table summary="Server Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">netbios name</code></p></td><td><p>string</p></td><td><p>Sets the primary NetBIOS name of the Samba server.</p></td><td><p>Server DNS hostname</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">server string</code></p></td><td><p>string</p></td><td><p>Sets a descriptive string for the Samba server.</p></td><td><p><code class="literal">Samba %v</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">workgroup</code></p></td><td><p>string</p></td><td><p>Sets the NetBIOS group of machines that the server belongs to.</p></td><td><p>Defined at compile time</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-4.1.1"></a>
-netbios name</h4></div></div></div><a class="indexterm" name="ch04-idx-968288-0"></a><p>The <code class="literal">netbios</code> <code class="literal">name</code> option allows you to set the NetBIOS name of the server. For example:</p><pre class="programlisting">netbios name = YORKVM1</pre><p>The default value for this configuration option is the server's hostname; that is, the first part of its complete DNS machine name. For example, a machine with the DNS name <code class="literal">ruby.ora.com</code> would be given the NetBIOS name <code class="literal">RUBY</code> by default. While you can use this option to restate the machine's NetBIOS name in the configuration file (as we did previously), it is more commonly used to assign the Samba server a NetBIOS name other than its current DNS name. Remember that the name given must follow the rules for valid NetBIOS machine names as outlines in <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a>.</p><p>Changing the NetBIOS name of the server is not recommended unless you have a good reason. One such reason might be if the hostname of the machine is not unique because the LAN is divided over two or more DNS domains. For example, YORKVM1 is a good NetBIOS candidate for <span class="emphasis"><em>vm1.york.example.com</em></span> to differentiate it from <span class="emphasis"><em>vm1.falkirk.example.com</em></span>, which has the same hostname but resides in a different DNS domain.</p><p>Another use of this option is for relocating SMB services from a dead or retired machine. For example, if <code class="literal">SALES</code> is the SMB server for the department, and it suddenly dies, you could immediately reset <code class="literal">netbios</code> <code class="literal">name</code> <code class="literal">=</code> <code class="literal">SALES</code> on a backup Samba machine that's taking over for it. Users won't have to change their drive mappings to a different machine; new connections to <code class="literal">SALES</code> will simply go to the new machine.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-4.1.2"></a>
-server string</h4></div></div></div><a class="indexterm" name="ch04-idx-968291-0"></a><p>The <code class="literal">server</code> <code class="literal">string</code> parameter defines a comment string that will appear next to the server name in both the Network Neighborhood (when shown with the Details menu) and the comment entry of the Microsoft Windows print manager. You can use the standard variables to provide information in the description. For example, our entry earlier was:</p><pre class="programlisting">[global]
-	server string = Samba %v on (%h)</pre><p>The default for this option simply presents the current version of Samba and is equivalent to:</p><pre class="programlisting">server string = Samba %v</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-4.1.3"></a>
-workgroup</h4></div></div></div><a class="indexterm" name="ch04-idx-968294-0"></a><p>The <code class="literal">workgroup</code> parameter sets the current workgroup where the Samba server will advertise itself. Clients that wish to access shares on the Samba server should be on the same NetBIOS workgroup. Remember that workgroups are really just NetBIOS group names, and must follow the standard NetBIOS naming conventions outlined in <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a>. For example:</p><pre class="programlisting">[global]
-	workgroup = SIMPLE</pre><p>The default option for this parameter is set at compile time. If the entry is not changed in the makefile, it will be <code class="literal">WORKGROUP</code>. Because this tends to be the workgroup name of every unconfigured NetBIOS network, we recommend that you always set your workgroup name in the Samba configuration<a class="indexterm" name="ch04-idx-967252-0"></a>
-<a class="indexterm" name="ch04-idx-967252-1"></a> file.<sup>[<a name="ch04-pgfId-962322" href="#ftn.ch04-pgfId-962322">2</a>]</sup>
-<a class="indexterm" name="ch04-idx-967243-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-14274"></a>Disk Share Configuration</h2></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967244-0"></a>
-<a class="indexterm" name="ch04-idx-967244-1"></a>We mentioned in the previous section that there were no disk shares on the <code class="literal">hydra</code> server. Let's continue with the configuration file and create an empty <a class="indexterm" name="ch04-idx-967268-0"></a>disk share called [<code class="literal">data</code>]. Here are the additions that will do it:</p><pre class="programlisting">[global]
-	netbios name = HYDRA
-	server string = Samba %v on (%L)
-	workgroup = SIMPLE
-
-[data]
-	path = /export/samba/data
-	comment = Data Drive
-	volume = Sample-Data-Drive
-	writeable = yes
-	guest ok = yes</pre><p>The <code class="literal">[data]</code> share is typical for a Samba disk share. The share maps to a directory on the Samba server: <code class="filename">/export/samba/data</code>. We've also provided a comment that describes the share as a <code class="literal">Data</code> <code class="literal">Drive</code>, as well as a volume name for the share itself.</p><p>The share is set to writeable so that users can write data to it; the default with Samba is to create a read-only share. As a result, this option needs to be explicitly set for each disk share you wish to make writeable.</p><p>You may have noticed that we set the <code class="literal">guest</code> <code class="literal">ok</code> parameter to <code class="literal">yes</code>. While this isn't very security-conscious, there are some password issues that we need to understand before setting up individual users and authentication. For the moment, this will sidestep those issues and let anyone connect to the share.</p><p>Go ahead and make these additions to your configuration file. In addition, create the <code class="filename">/export/samba/data</code> directory as root on your Samba machine with the following commands:</p><pre class="programlisting"># <span class="bold"><strong>mkdir /export/samba/data</strong></span>
-# <span class="bold"><strong>chmod 777 /export/samba/data</strong></span></pre><p>Now, if you connect to the <code class="literal">hydra</code> server again (you can do this by clicking on its icon in the Windows Network Neighborhood), you should see a single share listed entitled <code class="literal">data</code>, as shown in <a href="#ch04-13866" title="Figure 4.4. The initial data share on the Samba server">Figure 4.4</a>. This share should also have read/write access to it. Try creating or copying a file into the share. Or, if you're really feeling adventurous, you can even try mapping a network drive to it!</p><div class="figure"><a name="ch04-13866"></a><p class="title"><b>Figure 4.4. The initial data share on the Samba server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 175px"><td><img src="figs/sam.0404.gif" height="175" alt="The initial data share on the Samba server"></td></tr></table></div></div></div><br class="figure-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-5.1"></a>Disk Share Configuration Options</h3></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967272-0"></a>The basic Samba configuration options for disk shares previously introduced are listed in <a href="#ch04-82964" title="Table 4.4. Basic Share Configuration Options">Table 4.4</a>.</p><div class="table"><a name="ch04-82964"></a><p class="title"><b>Table 4.4. Basic Share Configuration Options </b></p><div class="table-contents"><table summary="Basic Share Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">path (directory)</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Sets the Unix directory that will be provided for a disk share or used for spooling by a printer share</p></td><td><p><code class="literal">/tmp</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">guest ok (public)</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, authentication is not needed to access this share</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">comment</code></p></td><td><p>string</p></td><td><p>Sets the comment that appears with the share</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">volume</code></p></td><td><p>string</p></td><td><p>Sets the volume name: the DOS name of the physical drive</p></td><td><p>Share name</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">read only</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, allows read only access to a share.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">writeable (write ok)</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">no</code>, allows read only access to a share.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.1"></a>path</h4></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967257-0"></a>
-<a class="indexterm" name="ch04-idx-967257-1"></a>
-<a class="indexterm" name="ch04-idx-967257-2"></a>This option, which has the synonym <code class="literal">directory</code>, indicates the pathname at the root of the file or printing share. You can choose any path on the Samba server, so long as the owner of the Samba process that is connecting has read and write access to that directory. If the path is for a printing share, it should point to a temporary directory where files can be written on the server before being spooled to the target printer ( <code class="filename"> /tmp</code> and <code class="filename">/var/spool</code> are popular choices). If this path is for a <a class="indexterm" name="ch04-idx-967258-0"></a>disk share, the contents of the folder representing the share name on the client will match the content of the directory on the Samba server. For example, if we have the following disk share listed in our configuration file:</p><pre class="programlisting">[network]
-	path = /export/samba/network
-	writable = yes
-	guest ok = yes</pre><p>And the contents of the directory <code class="filename">/usr/local/network</code> on the Unix side are:</p><pre class="programlisting">$ <span class="bold"><strong>ls -al /export/samba/network</strong></span>
-drwxrwxrwx  9  root   nobody  1024  Feb 16 17:17  .
-drwxr-xr-x  9  nobody nobody  1024  Feb 16 17:17  ..
-drwxr-xr-x  9  nobody nobody  1024  Feb 16 17:17  quicken
-drwxr-xr-x  9  nobody nobody  1024  Feb 16 17:17  tax98
-drwxr-xr-x  9  nobody nobody  1024  Feb 16 17:17  taxdocuments</pre><p>Then we should see the equivalent of <a href="#ch04-88746" title="Figure 4.5. Windows client view of a network filesystem specified by path">Figure 4.5</a> on the client side.</p><div class="figure"><a name="ch04-88746"></a><p class="title"><b>Figure 4.5. Windows client view of a network filesystem specified by path</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 155px"><td><img src="figs/sam.0405.gif" height="155" alt="Windows client view of a network filesystem specified by path"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.2"></a>
-guest ok</h4></div></div></div><a class="indexterm" name="ch04-idx-968300-0"></a><p>This option (which has an older synonym <code class="literal">public</code>) allows or prohibits guest access to a share. The default value is <code class="literal">no</code>. If set to <code class="literal">yes</code>, it means that no username or password will be needed to connect to the share. When a user connects, the access rights will be equivalent to the designated guest user. The default account to which Samba offers the share is <code class="literal">nobody</code>. However, this can be reset with the <code class="literal">guest</code> <code class="literal">account</code> configuration option. For example, the following lines allow guest user access to the <code class="literal">[accounting]</code> share with the permissions of the <span class="emphasis"><em>ftp</em></span> account:</p><pre class="programlisting">[global]
-	guest account = ftp
-[accounting]
-	path = /usr/local/account
-	guest ok = yes</pre><p>Note that users can still connect to the share using a valid username/password combination. If successful, they will hold the access rights granted by their own account and not the guest account. If a user attempts to log in and fails, however, he or she will default to the access rights of the guest account. You can mandate that every user who attaches to the share will be using the guest account (and will have the permissions of the guest) by setting the option <code class="literal">guest</code> <code class="literal">only</code> <code class="literal">=</code> <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.3"></a>
-comment</h4></div></div></div><a class="indexterm" name="ch04-idx-968303-0"></a><p>The <code class="literal">comment</code> option allows you to enter a comment that will be sent to the client when it attempts to browse the share. The user can see the comment by listing Details on the share folder under the appropriate computer in the Windows Network Neighborhood, or type the command <code class="literal">NET</code> <code class="literal">VIEW</code> at an MS-DOS prompt. For example, here is how you might insert a comment for a <code class="literal">[network]</code> share:</p><pre class="programlisting">[network]
-	comment = Network Drive
-	path = /export/samba/network</pre><p>This yields a folder similar to <a href="#ch04-34850" title="Figure 4.6. Windows client view of a share comment">Figure 4.6</a> on the client side. Note that with the current configuration of Windows, this comment will not be shown once a share is mapped to a Windows network drive.</p><div class="figure"><a name="ch04-34850"></a><p class="title"><b>Figure 4.6. Windows client view of a share comment</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 135px"><td><img src="figs/sam.0406.gif" height="135" alt="Windows client view of a share comment"></td></tr></table></div></div></div><br class="figure-break"><p>Be sure not to confuse the <code class="literal">comment</code> option, which documents a Samba server's shares, with the <code class="literal">server</code> <code class="literal">string</code> option, which documents the server itself.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.4"></a>
-volume</h4></div></div></div><a class="indexterm" name="ch04-idx-968306-0"></a><p>This option allows you to specify the volume name of the share as reported by SMB. This normally resolves to the name of the share given in the <code class="filename">smb.conf</code>  file. However, if you wish to name it something else (for whatever reason) you can do so with this option.</p><p>For example, an installer program may check the volume name of a CD-ROM to make sure the right CD-ROM is in the drive before attempting to install it. If you copy the contents of the CD-ROM into a network share, and wish to install from there, you can use this option to get around the issue:</p><pre class="programlisting">[network]
-	comment = Network Drive
-	volume = ASVP-102-RTYUIKA
-	path = /home/samba/network</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-5.1.5"></a>
-
-read only and writeable</h4></div></div></div><a class="indexterm" name="ch04-idx-968309-0"></a><a class="indexterm" name="ch04-idx-968309-1"></a><p>The options <code class="literal">read</code> <code class="literal">only</code> and <code class="literal">writeable</code> (or <code class="literal">write</code> <code class="literal">ok </code>) are really two ways of saying the same thing, but approached from opposite ends. For example, you can set either of the following options in the <code class="literal">[global]</code> section or in an individual share:</p><pre class="programlisting">read only = yes
-writeable = no</pre><p>If either option is set as shown, data can be read from a share, but cannot be written to it. You might think you would need this option only if you were creating a read-only share. However, note that this read-only behavior is the <span class="emphasis"><em>default</em></span> action for shares; if you want to be able to write data to a share, you must explicitly specify one of the following options in the configuration file for each share:</p><pre class="programlisting">read only = no
-writeable = yes</pre><p>Note that if you specify more than one occurrence of either option, Samba will adhere to the last value it encounters for the<a class="indexterm" name="ch04-idx-967387-0"></a> share.<a class="indexterm" name="ch04-idx-967245-0"></a>
-<a class="indexterm" name="ch04-idx-967245-1"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-86705"></a>Networking Options with Samba</h2></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967291-0"></a>If you're running Samba on a multi-homed machine (that is, one on multiple subnets), or even if you want to implement a security policy on your own subnet, you should take a close look at the networking configuration options:</p><p>For the purposes of this exercise, let's assume that our Samba server is connected to a network with more than one subnet. Specifically, the machine can access both the 192.168.220.* and 134.213.233.* subnets. Here are our additions to the ongoing configuration file for the networking configuration options:</p><pre class="programlisting">[global]
-	netbios name = HYDRA
-	server string = Samba %v on (%L)
-	workgroup = SIMPLE
-
-	#  Networking configuration options
-	hosts allow = 192.168.220. 134.213.233. localhost
-	hosts deny = 192.168.220.102
-	interfaces = 192.168.220.100/255.255.255.0 \
-                         134.213.233.110/255.255.255.0
-	bind interfaces only = yes
-
-[data]
-	path = /home/samba/data
-	guest ok = yes
-	comment = Data Drive
-	volume = Sample-Data-Drive
-	writeable = yes</pre><p>
-<a class="indexterm" name="ch04-idx-967305-0"></a>Let's first talk about the <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny</code> options. If these options sound familiar, you're probably thinking of the <code class="filename">hosts.allow</code> and <code class="filename">hosts.deny</code> files that are found in the <code class="filename">/etc</code> directories of many Unix systems. The purpose of these options is identical to those files; they provide a means of security by allowing or denying the connections of other hosts based on their IP addresses. Why not just use the <code class="filename">hosts.allow</code> and <code class="filename">hosts.deny</code> files themselves? Because there may be services on the server that you want others to access without giving them access Samba's disk or printer shares</p><p>With the <code class="literal">hosts</code> <code class="literal">allow</code> option above, we've specified a cropped IP address: 192.168.220. (Note that there is still a third period; it's just missing the fourth number.) This is equivalent to saying: "All hosts on the 192.168.220 subnet." However, we've explicitly specified in a hosts deny line that 192.168.220.102 is not to be allowed access.</p><p>You might be wondering: why will 192.168.220.102 be denied even though it is still in the subnet matched by the <code class="literal">hosts</code> <code class="literal">allow</code> option? Here is how Samba sorts out the rules specified by <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny </code>:</p><div class="orderedlist"><ol type="1"><li><p>If there are no <code class="literal">allow</code> or <code class="literal">deny</code> options defined anywhere in <code class="filename">smb.conf</code>, Samba will allow connections from any machine allowed by the system itself.</p></li><li><p>If there are <code class="literal">hosts</code> <code class="literal">allow</code> or <code class="literal">hosts</code> <code class="literal">deny</code> options defined in the <code class="literal">[global]</code> section of <code class="filename">smb.conf</code>, they will apply to all shares, even if the shares have an overriding option defined.</p></li><li><p>If there is only a <code class="literal">hosts</code> <code class="literal">allow</code> option defined for a share, only the hosts listed will be allowed to use the share. All others will be denied.</p></li><li><p>If there is only a <code class="literal">hosts</code> <code class="literal">deny</code> option defined for a share, any machine which is not on the list will be able to use the share.</p></li><li><p>If both a <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny</code> option are defined, a host must appear in the allow list and not appear in the deny list (in any form) in order to access the share. Otherwise, the host will not be allowed.</p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-<a class="indexterm" name="ch04-idx-967307-0"></a>
-<a class="indexterm" name="ch04-idx-967307-1"></a>Take care that you don't explicity
-allow a host to access a share, but then deny access to the entire
-subnet of which the host is part.</p></div><p>Let's look at another example of that final item. Consider the following options:</p><pre class="programlisting">hosts allow = 111.222.
-hosts deny = 111.222.333.</pre><p>In this case, only the hosts that belong to the subnet 111.222.*.* will be allowed access to the Samba shares. However, if a client belongs to the 111.222.333.* subnet, it will be denied access, even though it still matches the qualifications outlined by <code class="literal">hosts</code> <code class="literal">allow</code>. The client must appear on the <code class="literal">hosts</code> <code class="literal">allow</code> list and <span class="emphasis"><em>must not</em></span> appear on the <code class="literal">hosts</code> <code class="literal">deny</code> list in order to gain access to a Samba share. If a computer attempts to access a share to which it is not allowed access, it will receive an error message.</p><p>The other two options that we've specified are the <code class="literal">interfaces</code> and the <code class="literal">bind</code> <code class="literal">interface</code> <code class="literal">only</code> address. Let's look at the <code class="literal">interfaces</code> option first. Samba, by default, sends data only from the primary network interface, which in our example is the 192.168.220.100 subnet. If we would like it to send data to more than that one <a class="indexterm" name="ch04-idx-967310-0"></a>interface, we need to specify the complete list with the <code class="literal">interfaces</code> option. In the previous example, we've bound Samba to interface with both subnets (192.168.220 and 134.213.233) on which the machine is operating by specifying the other network interface address: 134.213.233.100. If you have more than one interface on your computer, you should always set this option as there is no guarantee that the primary interface that Samba chooses will be the right one.</p><p>Finally, the <code class="literal">bind</code> <code class="literal">interfaces</code> <code class="literal">only</code> option instructs the <code class="filename">nmbd</code> process not to accept any broadcast messages other than those subnets specified with the <code class="literal">interfaces</code> option. Note that this is different from the <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny</code> options, which prevent machines from making connections to services, but not from receiving broadcast messages. Using the <code class="literal">bind</code> <code class="literal">interfaces</code> <code class="literal">only</code> option is a way to shut out even datagrams from foreign subnets from being received by the Samba server. In addition, it instructs the <span class="emphasis"><em>smbd</em></span> process to bind to only the interface list given by the <span class="emphasis"><em>interfaces</em></span> option. This restricts the networks that Samba will serve.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-6.1"></a>Networking Options</h3></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967302-0"></a>The networking options we introduced above are summarized in <a href="#ch04-32963" title="Table 4.5. Networking Configuration Options">Table 4.5</a>.</p><div class="table"><a name="ch04-32963"></a><p class="title"><b>Table 4.5. Networking Configuration Options </b></p><div class="table-contents"><table summary="Networking Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">hosts allow (allow hosts)</code></p></td><td><p>string (list of hostnames)</p></td><td><p>Specifies the machines that can connect to Samba.</p></td><td><p>none</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">hosts deny (deny hosts)</code></p></td><td><p>string (list of hostnames)</p></td><td><p>Specifies the machines that cannot connect to Samba.</p></td><td><p>none</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">interfaces</code></p></td><td><p>string (list of IP/netmask combinations)</p></td><td><p>Sets the network interfaces Samba will respond to. Allows correcting defaults.</p></td><td><p>system-dependent</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">bind</code></p>
-
-<p><code class="literal">interfaces only</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, Samba will bind only to those interfaces specified by the <code class="literal">interfaces</code> option.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">socket</code></p>
-
-<p><code class="literal">address</code></p></td><td><p>string (IP address)</p></td><td><p>Sets IP address to listen on, for use with multiple virtual interfaces on a server.</p></td><td><p>none</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.1"></a>
-hosts allow</h4></div></div></div><a class="indexterm" name="ch04-idx-968312-0"></a><p>
-<a class="indexterm" name="ch04-idx-967314-0"></a>The <code class="literal">hosts</code> <code class="literal">allow</code> option (sometimes written as <code class="literal">allow</code> <code class="literal">hosts</code>) specifies the machines that have permission to access shares on the Samba server, written as a comma- or space-separated list of names of machines or their IP addresses. You can gain quite a bit of security by simply placing your LAN's subnet address in this option. For example, we specified the following in our example:</p><pre class="programlisting">hosts allow = 192.168.220. localhost</pre><p>Note that we placed <code class="literal">localhost</code> after the subnet address. One of the most common mistakes when attempting to use the <code class="literal">hosts</code> <code class="literal">allow</code> option is to accidentally disallow the Samba server from communicating with itself. The <code class="filename">smbpasswd</code> program will occasionally need to connect to the Samba server as a client in order to change a user's encrypted password. In addition, local browsing propagation requires local host access. If this option is enabled and the localhost address is not specified, the locally-generated packets requesting the change of the encrypted password will be discarded by Samba, and browsing propagation will not work properly. To avoid this, explicitly allow the loopback address (either <code class="literal">localhost</code> or <code class="literal">127.0.0.1</code>) to be used.<sup>[<a name="ch04-pgfId-965714" href="#ftn.ch04-pgfId-965714">3</a>]</sup></p><p>You can specify any of the following formats for this option:</p><div class="itemizedlist"><ul type="disc"><li><p>Hostnames, such as <code class="literal">ftp.example.com </code>.</p></li><li><p>IP addresses, like <code class="literal">130.63.9.252</code>.</p></li><li><p>Domain names, which can be differentiated from individual hostnames because they start with a dot. For example, <code class="literal">.ora.com</code> represents all machines within the <span class="emphasis"><em>ora.com</em></span> domain.</p></li><li><p>Netgroups, which start with an at-sign, such as <code class="literal">@printerhosts</code>. Netgroups are available on systems running yellow pages/NIS or NIS+, but rarely otherwise. If netgroups are supported on your system, there should be a <code class="literal">netgroups</code> manual page that describes them in more detail.</p></li><li><p>Subnets, which end with a dot. For example, <code class="literal">130.63.9.</code> means all the machines whose IP addresses begin with 130.63.9.</p></li><li><p>The keyword <code class="literal">ALL</code>, which allows any client access.</p></li><li><p>The keyword <code class="literal">EXCEPT</code> followed by more one or more names, IP addresses, domain names, netgroups, or subnets. For example, you could specify that Samba allow all hosts except those on the 192.168.110 subnet with <code class="literal">hosts</code> <code class="literal">allow</code> <code class="literal">=</code> <code class="literal">ALL</code> <code class="literal">EXCEPT</code> <code class="literal">192.168.110.</code> (remember the trailing dot).</p></li></ul></div><p>Using the <code class="literal">ALL</code> keyword is almost always a bad idea, since it means that anyone on any network can browse your files if they guess the name of your server.</p><p>Note that there is no default value for the <code class="literal">hosts</code> <code class="literal">allow</code> configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources. In addition, if you specify this option in the <code class="literal">[global]</code> section of the configuration file, it will override any <code class="literal">hosts</code> <code class="literal">allow</code> options defined shares.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.2"></a>
-hosts deny</h4></div></div></div><a class="indexterm" name="ch04-idx-968319-0"></a><p>The <code class="literal">hosts</code> <code class="literal">deny</code> option (also <code class="literal">deny</code> <code class="literal">hosts</code>) specifies machines that do not have permission to access a share, written as a comma- or space-separated list of machine names or their IP addresses. Use the same format as specifying clients as the <code class="literal">hosts</code> <code class="literal">allow</code> option above. For example, to restrict access to the server from everywhere but <code class="filename">example.com</code>, you could write:</p><pre class="programlisting">hosts deny = ALL EXCEPT .example.com</pre><p>Like <code class="literal">hosts</code> <code class="literal">allow</code>, there is no default value for the <code class="literal">hosts</code> <code class="literal">deny</code> configuration option, although the default course of action in the event that neither option is specified is to allow access from all sources. Also, if you specify this option in the <code class="literal">[global]</code> section of the configuration file, it will override any <code class="literal">hosts</code> <code class="literal">deny</code> options defined in shares. If you wish to deny <span class="emphasis"><em>hosts</em></span> access to specific shares, omit both the <code class="literal">hosts</code> <code class="literal">allow</code> and <code class="literal">hosts</code> <code class="literal">deny</code> options in the <code class="literal">[global]</code> section of the configuration file.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.3"></a>
-interfaces</h4></div></div></div><a class="indexterm" name="ch04-idx-968322-0"></a><p>
-<a class="indexterm" name="ch04-idx-967320-0"></a>The <code class="literal">interfaces</code> option outlines the network addresses to which you want the Samba server to recognize and respond. This option is handy if you have a computer that resides on more than one network subnet. If this option is not set, Samba searches for the primary network interface of the server (typically the first Ethernet card) upon startup and configures itself to operate on only that subnet. If the server is configured for more than one subnet and you do not specify this option, Samba will only work on the first subnet it encounters. You must use this option to force Samba to serve the other subnets on your network.</p><p>The value of this option is one or more sets of IP address/netmask pairs, such as the following:</p><pre class="programlisting">interfaces = 192.168.220.100/255.255.255.0 192.168.210.30/255.255.255.0</pre><p>You can optionally specify a CIDR format bitmask, as follows:</p><pre class="programlisting">interfaces = 192.168.220.100/24 192.168.210.30/24</pre><p>The bitmask number specifies the first number of bits that will be turned on in the netmask. For example, the number 24 means that the first 24 (of 32) bits will be activated in the bit mask, which is the same as saying 255.255.255.0. Likewise, 16 would be equal to 255.255.0.0, and 8 would be equal to 255.0.0.0.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>This option may not work correctly if you are using DHCP.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.4"></a>
-bind interfaces only</h4></div></div></div><a class="indexterm" name="ch04-idx-968325-0"></a><p>The <code class="literal">bind</code> <code class="literal">interfaces</code> <code class="literal">only</code> option can be used to force the <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> processes to serve SMB requests to only those addresses specified by the <code class="literal">interfaces</code> option. The <span class="emphasis"><em>nmbd</em></span> process normally binds to the all addresses interface (0.0.0.0.) on ports 137 and 138, allowing it to receive broadcasts from anywhere. However, you can override this behavior with the following:</p><pre class="programlisting">bind interfaces only = yes</pre><p>This will cause both Samba processes to ignore any packets whose origination address does not match the broadcast address(es) specified by the <code class="literal">interfaces</code> option, including broadcast packets. With <span class="emphasis"><em>smbd</em></span>, this option will cause Samba to not serve file requests to subnets other than those listed in the <code class="literal">interfaces</code> option. You should avoid using this option if you want to allow temporary network connections, such as those created through SLIP or PPP. It's very rare that this option is needed, and it should only be used by experts.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you set <code class="literal">bind interfaces only</code> to <code class="literal">yes </code>, you should add the localhost address (127.0.01) to the "interfaces" list. Otherwise, <span class="emphasis"><em>smbpasswd</em></span> will be unable to connect to the server using its default mode in order to change a password.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-6.1.5"></a>
-socket address</h4></div></div></div><a class="indexterm" name="ch04-idx-968328-0"></a><p>
-<a class="indexterm" name="ch04-idx-967324-0"></a>The <code class="literal">socket</code> <code class="literal">address</code> option dictates which of the addresses specified with the <code class="literal">interfaces</code> parameter Samba should listen on for connections. Samba accepts connections on all addresses specified by default. When used in an <code class="filename">smb.conf</code>  file, this option will force Samba to listen on only one IP address. For example:</p><pre class="programlisting">interfaces = 192.168.220.100/24 192.168.210.30/24
-socket address = 192.168.210.30</pre><p>This option is a programmer's tool and we recommend that you do not use it.<a class="indexterm" name="ch04-idx-967297-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-16899"></a>Virtual Servers</h2></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967325-0"></a>
-<a class="indexterm" name="ch04-idx-967325-1"></a>Virtual servers are a technique for creating the illusion of multiple <a class="indexterm" name="ch04-idx-967337-0"></a>NetBIOS servers on the network, when in reality there is only one. The technique is simple to implement: a machine simply registers more than one NetBIOS name in association with its IP address. There are tangible benefits to doing this.</p><p>The accounting department, for example, might have an <code class="literal">accounting</code> server, and clients of it would see just the accounting disks and printers. The marketing department could have their own server, <code class="literal">marketing</code>, with their own reports, and so on. However, all the services would be provided by one medium-sized Unix workstation (and one relaxed administrator), instead of having one small server and one administrator per department.</p><p>Samba will allow a Unix server to use more than one NetBIOS name with the <code class="literal">netbios</code> <code class="literal">aliases</code> option. See <a href="#ch04-92259" title="Table 4.6. Virtual Server Configuration Options">Table 4.6</a>.</p><div class="table"><a name="ch04-92259"></a><p class="title"><b>Table 4.6. Virtual Server Configuration Options </b></p><div class="table-contents"><table summary="Virtual Server Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">netbios aliases</code></p></td><td><p>
-<a class="indexterm" name="ch04-idx-967338-0"></a>
-<a class="indexterm" name="ch04-idx-967338-1"></a>List of NetBIOS names</p></td><td><p>Additional NetBIOS names to respond to, for use with multiple "virtual" Samba servers.</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-7.0.1"></a>
-netbios aliases</h3></div></div></div><a class="indexterm" name="ch04-idx-968331-0"></a><p>The <code class="literal">netbios</code> <code class="literal">aliases</code> option can be used to give the Samba server more than one <a class="indexterm" name="ch04-idx-967339-0"></a>
-<a class="indexterm" name="ch04-idx-967339-1"></a>NetBIOS name. Each NetBIOS name listed as a value will be displayed in the Network Neighborhood of a browsing machine. When a connection is requested to any machine, however, it will connect to the same Samba server.</p><p>This might come in handy, for example, if you're transferring three departments' data to a single Unix server with modern large disks, and are retiring or reallocating the old NT servers. If the three servers are called <code class="literal">sales</code>, <code class="literal">accounting</code>, and <code class="literal">admin</code>, you can have Samba represent all three servers with the following options:</p><pre class="programlisting">[global]
-	netbios aliases = sales accounting admin
-	include = /usr/local/samba/lib/smb.conf.%L</pre><p>See <a href="#ch04-28393" title="Figure 4.7. Using NetBIOS aliases for a Samba server">Figure 4.7</a> for what the Network Neighborhood would display from a client.When a client attempts to connect to Samba, it will specify the name of the server that it's trying to connect to, which you can access through the <code class="literal">%L</code> variable. If the requested server is <code class="literal">sales</code>, Samba will include the <code class="filename">/usr/local/samba/lib/smb.conf.sales</code> file. This file might contain global and share declarations exclusively for the sales team, such as the following:</p><pre class="programlisting">[global]
-	workgroup = SALES
-	hosts allow = 192.168.10.255
-
-[sales1998]
-	path = /usr/local/samba/sales/sales1998/
-...</pre><p>This particular example would set the workgroup to SALES as well, and set the IP address to allow connections only from the SALES subnet (192.168.10). In addition, it would offer shares specific to the sales department.</p><div class="figure"><a name="ch04-28393"></a><p class="title"><b>Figure 4.7. Using NetBIOS aliases for a Samba server
- </b></p><div class="figure-contents"><a class="indexterm" name="ch04-idx-967332-0"></a><a class="indexterm" name="ch04-idx-967332-1"></a><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 196px"><td><img src="figs/sam.0407.gif" height="196" alt="Using NetBIOS aliases for a Samba server"></td></tr></table></div></div></div><br class="figure-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch04-29331"></a>Logging Configuration Options</h2></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967340-0"></a>
-<a class="indexterm" name="ch04-idx-967340-1"></a>Occasionally, we need to find out what Samba is up to. This is especially true when Samba is performing an unexpected action or is not performing at all. To find out this information, we need to check Samba's log files to see exactly why it did what it did.</p><p>Samba log files can be as brief or verbose as you like. Here is an example of what a Samba log file looks like:</p><pre class="programlisting">[1999/07/21 13:23:25, 3] smbd/service.c:close_cnum(514)
-  phoenix (192.168.220.101) closed connection to service IPC$
-[1999/07/21 13:23:25, 3] smbd/connection.c:yield_connection(40)
-  Yielding connection to IPC$
-[1999/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
-  Transaction 923 of length 49
-[1999/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
-  switch message SMBread (pid 467)
-[1999/07/21 13:23:25, 3] lib/doscalls.c:dos_ChDir(336)
-  dos_ChDir to /home/samba
-[1999/07/21 13:23:25, 3] smbd/reply.c:reply_read(2199)
-  read fnum=4207 num=2820 nread=2820
-[1999/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
-  Transaction 924 of length 55
-[1999/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
-  switch message SMBreadbraw (pid 467)
-[1999/07/21 13:23:25, 3] smbd/reply.c:reply_readbraw(2053)
-  readbraw fnum=4207 start=130820 max=1276 min=0 nread=1276
-[1999/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
-  Transaction 925 of length 55
-[1999/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
-  switch message SMBreadbraw (pid 467)</pre><p>Many of these options are of use only to Samba programmers. However, we will go over the meaning of some of these entries in more detail in <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>.</p><p>Samba contains six options that allow users to describe how and where logging information should be written. Each of these options are global options and cannot appear inside a share definition. Here is an up-to-date configuration file that covers each of the share and logging options that we've seen so far:</p><pre class="programlisting">[global]
-	netbios name = HYDRA
-	server string = Samba %v on (%I)
-	workgroup = SIMPLE
-
-	#  Networking configuration options
-	hosts allow = 192.168.220. 134.213.233. localhost
-	hosts deny = 192.168.220.102
-	interfaces = 192.168.220.100/255.255.255.0 \
-                         134.213.233.110/255.255.255.0
-	bind interfaces only = yes
-
-	# Debug logging information
-	log level = 2
-	log file = /var/log/samba.log.%m
-	max log size = 50
-	debug timestamp = yes
-
-[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	comment = Data Drive
-	volume = Sample-Data-Drive
-	writeable = yes</pre><p>	Here, we've added a custom log file that reports information up to debug level 2. This is a relatively light debugging level. The logging level ranges from 1 to 10, where level 1 provides only a small amount of information and level 10 provides a plethora of low-level information. Level 2 will provide us with useful debugging information without wasting disk space on our server. In practice, you should avoid using log levels greater than 3 unless you are programming Samba.</p><p>This file is located in the <code class="filename">/var/log</code> directory thanks to the <code class="literal">log</code> <code class="literal">file</code> configuration option. However, we can use variable substitution to create log files specifically for individual users or clients, such as with the <code class="literal">%m</code> variable in the following line:</p><pre class="programlisting">log file = /usr/local/logs/samba.log.%m</pre><p>Isolating the log messages can be invaluable in tracking down a network error if you know the problem is coming from a specific machine or user.</p><p>We've added another precaution to the log files: no one log file can exceed 50 kilobytes in size, as specified by the <code class="literal">max</code> <code class="literal">log</code> <code class="literal">size</code> option. If a log file exceeds this size, the contents are moved to a file with the same name but with the suffix <span class="emphasis"><em>.old</em></span> appended. If the <span class="emphasis"><em>.old</em></span> file already exists, it is overwritten and its contents are lost. The original file is cleared, waiting to receive new logging information. This prevents the hard drive from being overwhelmed with Samba log files during the life of our daemons.</p><p>For convenience, we have decided to leave the debug timestamp in the logs with the <code class="literal">debug</code> <code class="literal">timestamp</code> option, which is the default behavior. This will place a timestamp next to each message in the logging file. If we were not interested in this information, we could specify <code class="literal">no</code> for this option instead.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-97929"></a>Using syslog</h3></div></div></div><p>If you wish to use the system logger (<code class="filename">syslog </code>
-<a class="indexterm" name="ch04-idx-967351-0"></a>) in addition to or in place of the standard Samba logging file, Samba provides options for this as well. However, to use <code class="filename">syslog</code>, the first thing you will have to do is make sure that Samba was built with the <code class="literal">configure</code> <code class="literal">--with-syslog</code> option. See <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a> for more information on configuring and compiling Samba.</p><p>Once that is done, you will need to configure your <code class="filename">/etc/syslog.conf</code> to accept logging information from Samba. If there is not already a <code class="literal">daemon.*</code> entry in the <em class="replaceable"><code>/etc/syslog.conf</code></em> file, add the following:</p><pre class="programlisting">daemon.*        /var/log/daemon.log</pre><p>This specifies that any logging information from system daemons will be stored in the <code class="filename">/var/log/daemon.log</code> file. This is where the Samba information will be stored as well. From there, you can specify the following global option in your configuration file:</p><pre class="programlisting">syslog = 2</pre><p>This specifies that any logging messages with a level of 1 will be sent to both the <code class="filename">syslog</code> and the Samba logging files. (The mappings to <code class="filename">syslog</code> priorities are described in the upcoming <a href="#ch04-78696" title="syslog">Section 4.8.2.5</a>.) Let's assume that we set the regular <code class="literal">log</code> <code class="literal">level</code> option above to 4. Any logging messages with a level of 2, 3, or 4 will be sent to the Samba logging files, but not to the <code class="filename">syslog</code>. Only level 1 logging messages will be sent to both. If the <code class="literal">syslog</code> value exceeds the <code class="literal">log</code> <code class="literal">level</code> value, nothing will be written to the <code class="filename">syslog</code>.</p><p>If you want to specify that messages be sent only to <code class="filename">syslog</code>&#8212;and not to the standard Samba logging files&#8212;you can place this option in the configuration file:</p><pre class="programlisting">syslog only = yes</pre><p>If this is the case, any logging information above the number specified in the <code class="literal">syslog</code> option will be discarded, just like the <code class="literal">log</code> <code class="literal">level</code> option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch04-SECT-8.1"></a>Logging Configuration Options</h3></div></div></div><p><a href="#ch04-92838" title="Table 4.7. Global Configuration Options">Table 4.7</a> lists each of the<a class="indexterm" name="ch04-idx-967341-0"></a> logging configuration options that Samba can use.</p><div class="table"><a name="ch04-92838"></a><p class="title"><b>Table 4.7. Global Configuration Options </b></p><div class="table-contents"><table summary="Global Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">log file</code></p></td><td><p>string (fully-qualified filename)</p></td><td><p>Sets the name and location of the log file that Samba is to use. Uses standard variables.</p></td><td><p>Specified in Samba makefile</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">log level</code></p>
-
-<p><code class="literal">(debug level)</code></p></td><td><p>numerical (0-10)</p></td><td><p>Sets the amount of log/debug messages that are sent to the log file. 0 is none, 3 is considerable.</p></td><td><p><code class="literal">1</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max log size</code></p></td><td><p>numerical (size in KB)</p></td><td><p>Sets the maximum size of log file. After the log exceeds this size, the file will be renamed to <span class="emphasis"><em>.bak</em></span> and a new log file started.</p></td><td><p><code class="literal">5000</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">debug</code></p>
-
-<p><code class="literal">timestamp (timestamp logs)</code></p></td><td><p>boolean</p></td><td><p>If no, doesn't timestamp logs, making them easier to read during heavy debugging.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">syslog</code></p></td><td><p>numerical (0-10)</p></td><td><p>Sets level of messages sent to <span class="emphasis"><em>syslog</em></span>. Those levels below <code class="literal">syslog level</code> will be sent to the system logger.</p></td><td><p><code class="literal">1</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">syslog only</code></p></td><td><p>boolean</p></td><td><p>If yes, uses <span class="emphasis"><em>syslog</em></span> entirely and sends no output to the standard Samba log files.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-log-file-option"></a>log file</h4></div></div></div><p>On our server, Samba outputs log information to text files in the <code class="filename">var</code> subdirectory of the Samba home directory, as set by the makefile during the build. The <code class="literal">log</code> <code class="literal">file</code> option can be used to reset the name of the log file to another location. For example, to reset the name and location of the Samba log file to <code class="filename">/usr/local/logs/samba.log</code>, you could use the following:</p><pre class="programlisting">[global]
-	log file = /usr/local/logs/samba.log</pre><p>You may use variable substitution to create log files specifically for individual users or clients.</p><p>You can override the default log file location using the <code class="literal">-l</code> command-line switch when either daemon is started. However, this does not override the <code class="literal">log</code> <code class="literal">file</code> option. If you do specify this parameter, initial logging information will be sent to the file specified after <code class="literal">-l</code> (or the default specified in the Samba makefile) until the daemons have processed the <code class="filename">smb.conf</code> file and know to redirect it to a new log file.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-8.1.2"></a>
-log level</h4></div></div></div><a class="indexterm" name="ch04-idx-968338-0"></a><p>The <code class="literal">log</code> <code class="literal">level</code> option sets the amount of data to be logged. Normally this is left at 0 or 1. However, if you have a specific problem you may want to set it at 3, which provides the most useful debugging information you would need to track down a problem. Levels above 3 provide information that's primarily for the developers to use for chasing internal bugs, and slows down the server considerably. Therefore, we recommend that you avoid setting this option to anything above 3.</p><pre class="programlisting">[global]
-log file = /usr/local/logs/samba.log.%m
-log level = 3</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-8.1.3"></a>
-max log size</h4></div></div></div><a class="indexterm" name="ch04-idx-968341-0"></a><p>The <code class="literal">max</code> <code class="literal">log</code> <code class="literal">size</code> option sets the maximum size, in kilobytes, of the debugging log file that Samba keeps. When the log file exceeds this size, the current log file is renamed to add an <span class="emphasis"><em>.old</em></span> extension (erasing any previous file with that name) and a new debugging log file is started with the original name. For example:</p><pre class="programlisting">[global]
-log file = /usr/local/logs/samba.log.%m
-max log size = 1000</pre><p>Here, if the size of any log file exceeds one megabyte in size, Samba renames the log file <span class="emphasis"><em>samba.log.</em></span> <em class="replaceable"><code>machine-name</code></em><span class="emphasis"><em>.old</em></span> and a new log file is generated. If there was a file there previously with the <span class="emphasis"><em>.old</em></span> extension, Samba deletes it. We highly recommend setting this option in your configuration files because debug logging (even at lower levels) can covertly eat away at your available disk space. Using this option protects unwary administrators from suddenly discovering that most of their disk space has been swallowed up by a single Samba log file.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-8.1.4"></a>
-
-;debug timestamp or timestamp logs</h4></div></div></div><a class="indexterm" name="ch04-idx-968344-0"></a><a class="indexterm" name="ch04-idx-968344-1"></a><p>If you happen to be debugging a network problem and you find that the date-stamp and timestamp information within the Samba log lines gets in the way, you can turn it off by giving either the <code class="literal">timestamp</code> <code class="literal">logs</code> or the <code class="literal">debug</code> <code class="literal">timestamp</code> option (they're synonymous) a value of <code class="literal">no</code>. For example, a regular Samba log file presents its output in the following form:</p><pre class="programlisting">12/31/98 12:03:34 hydra (192.168.220.101) connect to server network as user davecb</pre><p>With a <code class="literal">no</code> value for this option, the output would appear without the datestamp or  the timestamp:</p><pre class="programlisting">hydra (192.168.220.101) connect to server network as user davecb</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-78696"></a>syslog</h4></div></div></div><p>
-<a class="indexterm" name="ch04-idx-967365-0"></a>The <code class="literal">syslog</code>
-<a class="indexterm" name="ch04-idx-968349-0"></a> option causes Samba log messages to be sent to the Unix system logger. The type of log information to be sent is specified as the parameter for this argument. Like the <code class="literal">log</code> <code class="literal">level</code> option, it can be a number from 0 to 10. Logging information with a level less than the number specified will be sent to the system logger. However, debug logs equal to or above the <code class="literal">syslog</code> level, but less than log level, will still be sent to the standard Samba log files. To get around this, use the <code class="literal">syslog</code> <code class="literal">only</code> option. For example:</p><pre class="programlisting">[global]
-	log level = 3
-	syslog = 1</pre><p>With this, all logging information with a level of 0 would be sent to the standard Samba logs and the system logger, while information with levels 1, 2, and 3 would be sent only to the standard Samba logs. Levels above 3 are not logged at all. Note that all messages sent to the system logger are mapped to a priority level that the <span class="emphasis"><em>syslog</em></span> process understands, as shown in <a href="#ch04-80576" title="Table 4.8. Syslog Priority Conversion">Table 4.8</a>. The default level is 1.</p><div class="table"><a name="ch04-80576"></a><p class="title"><b>Table 4.8. Syslog Priority Conversion </b></p><div class="table-contents"><table summary="Syslog Priority Conversion " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Log Level</p></th><th><p>Syslog Priority</p></th></tr></thead><tbody><tr><td><p>0</p></td><td><p><code class="literal">LOG_ERR</code></p></td></tr><tr><td><p>1</p></td><td><p><code class="literal">LOG_WARNING</code></p></td></tr><tr><td><p>2</p></td><td><p><code class="literal">LOG_NOTICE</code></p></td></tr><tr><td><p>3</p></td><td><p><code class="literal">LOG_INFO</code></p></td></tr><tr><td><p>4 and above</p></td><td><p><code class="literal">LOG_DEBUG</code></p></td></tr></tbody></table></div></div><br class="table-break"><p>If you wish to use <span class="emphasis"><em>syslog</em></span>, you will have to run <code class="literal">configure</code> <code class="literal">--with-syslog</code> when compiling Samba, and you will need to configure your <code class="filename">/etc/syslog.conf</code> to suit. (See <a href="#ch04-97929" title="Using syslog">Section 4.8.1</a> earlier in this chapter.)</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch04-SECT-8.1.6"></a>
-syslog only</h4></div></div></div><a class="indexterm" name="ch04-idx-968350-0"></a><p>The <code class="literal">syslog</code> <code class="literal">only</code> option tells Samba not to use the regular logging files&#8212;the system logger only. To enable this, specify the following option in the global ection of the Samba configuration file:</p><pre class="programlisting">[global]
-	syslog only = <a class="indexterm" name="ch04-idx-967342-0"></a>
-<a class="indexterm" name="ch04-idx-967342-1"></a>yes<a class="indexterm" name="ch04-idx-967031-0"></a></pre></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch04-pgfId-960558" href="#ch04-pgfId-960558">1</a>] </sup>Depending on your system, this file may not be <span class="emphasis"><em>/etc/printcap</em></span>. You can use the <span class="emphasis"><em>testparm</em></span> command that comes with Samba to determine the value of the <code class="literal">printcap</code> <code class="literal">name</code> configuration option; this was the default value chosen when Samba was compiled.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch04-pgfId-962322" href="#ch04-pgfId-962322">2</a>] </sup>We should also mention that it is an inherently bad idea to have a workgroup that shares the same name as a server.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch04-pgfId-965714" href="#ch04-pgfId-965714">3</a>] </sup>Starting with Samba 2.0.5, <code class="literal">localhost</code> will automatically be allowed unless it is explicitly denied.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-5"></a>Chapter 5. Browsing and Advanced Disk Shares </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch05-23763">5.1. Browsing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-1.1">5.1.1. Preventing Browsing</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.2">5.1.2. Default Services</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.3">5.1.3. Browsing Elections</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.4">5.1.4. Domain Master Browser</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-1.5">5.1.5. Browsing Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-34221">5.2. Filesystem Differences</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-2.1">5.2.1. Hiding and Vetoing Files</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-2.2">5.2.2. Links</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-2.3">5.2.3. Filesystem Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-34062">5.3. File Permissions and Attributes on MS-DOS and Unix</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-3.0.1">5.3.1. Creation masks</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-3.1">5.3.2. File and Directory Permission Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-30534">5.4. Name Mangling and Case</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-4.1">5.4.1. The Samba Mangling Operation</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-4.2">5.4.2. Mangling Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch05-75933">5.5. Locks and Oplocks</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch05-SECT-5.1">5.5.1. Opportunistic Locking</a></span></dt><dt><span class="sect2"><a href="#ch05-SECT-5.2">5.5.2. Unix and Locking</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="ch05-idx-969559-0"></a>
-<a class="indexterm" name="ch05-idx-969559-1"></a>This chapter continues our discussion of disk shares from the previous chapter. Here, we will discuss various differences between the Windows and Unix filesystems&#8212;and how Samba works to bridge the gap. There are a surprising number of inconsistencies between a DOS filesystem and a Unix filesystem. In addition, we will talk briefly about name mangling, file locking, and a relatively new feature for Samba: opportunistic locking, or oplocks. However, before we move into that territory, we should first discuss the somewhat arcane topic of browsing with Samba.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-23763"></a>Browsing</h2></div></div></div><p>Browsing is the ability to examine the servers and <a class="indexterm" name="ch05-idx-969575-0"></a>shares that are currently available on your network. On a Windows NT 4.0 or 95/98 client, a user can browse network servers through the Network Neighborhood folder. By double-clicking  the icon representing the server, the user should be able to see the printer and disk share resources available on that machine as well. (If you have Windows NT 3.<span class="emphasis"><em>x</em></span>, you can use the Disk-Connect Network Drive menu in the File Manager to display the available shares on a server.)</p><p>From the Windows command line, you can also use the <code class="literal">net</code> <code class="literal">view</code> option to see which servers are currently on the network. Here is an example of the <code class="literal">net</code> <code class="literal">view</code> command in action:</p><pre class="programlisting">C:\&gt;<strong class="userinput"><code>net view</code></strong>
-Servers available in workgroup SIMPLE
-Server name            Remark
-----------------------------------------------------------
-\\CHIMAERA             Windows NT 4.0
-\\HYDRA                Samba 2.0.4 on (hydra)
-\\PHOENIX              Windows 98</pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.1"></a>Preventing Browsing</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969576-0"></a>
-<a class="indexterm" name="ch05-idx-969576-1"></a>
-<a class="indexterm" name="ch05-idx-969576-2"></a>
-<a class="indexterm" name="ch05-idx-969576-3"></a>You can restrict a share from being in a browse list by using the <code class="literal">browseable</code> option. This boolean option prevents a share from being seen in the Network Neighborhood at all. For example, to prevent the <code class="literal">[data]</code> share from the previous chapter from being visible, we could write:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = no
-	guest ok = yes
-	comment = Data Drive
-	volume = Sample-Data-Drive
-	writeable = yes</pre><p>Although you typically don't want to do this to an ordinary disk share, the browseable option is useful in the event that you need to create a share with contents that you do not want others to see, such as a <code class="literal">[netlogin]</code> share for storing logon scripts for Windows domain control (see <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a> for more information on logon scripts).</p><p>Another example is the <code class="literal">[homes]</code> share. This share is often marked non-browsable so that a share named <code class="literal">[homes]</code> won't appear when its machine's resources are browsed. However, if a user <code class="literal">alice</code> logs on and looks at the machine's shares, an <code class="literal">[alice]</code> share will appear under the machine. What if we wanted to make sure <code class="literal">alice</code>'s share appeared to everyone before she logs in? This could be done with the global <code class="literal">auto</code> <code class="literal">services</code> option. This option preloads shares into the browse list to ensure that they are always visible:</p><pre class="programlisting">[global]
-	...
-	auto services = alice
-	...</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.2"></a>Default Services</h3></div></div></div><p>In the event that a user cannot successfully connect to a share, you can specify a default <a class="indexterm" name="ch05-idx-969587-0"></a>
-<a class="indexterm" name="ch05-idx-969587-1"></a>share to which they can connect. Since you do not know who will default to this share at any time, you will probably want to set the <code class="literal">guest</code> <code class="literal">ok</code> option to <code class="literal">yes</code> for this share. Specifying a <code class="literal">default</code> <code class="literal">service</code> can be useful when sending the utterly befuddled to a directory of help files. For example:</p><pre class="programlisting">[global]
-	...
-	default service = helpshare
-	...
-	
-[helpshare]
-	path = /home/samba/helpshare/%S
-	browseable = yes
-	guest ok = yes
-	comment = Default Share for Unsuccessful Connections
-	volume = Sample-Data-Drive
-	writeable = no</pre><p>Note that we used the <code class="literal">%S</code> variable in the <code class="literal">path</code> option. If you use the <code class="literal">%S</code> variable, it will refer to the requested nonexistent share (the original share requested by the user), not the name of the resulting default share. This allows us to create different paths with the names of each server, which can provide more customized help files for users. In addition, any <a class="indexterm" name="ch05-idx-969588-0"></a>
-<a class="indexterm" name="ch05-idx-969588-1"></a>underscores ( _ ) specified in the requested share will be converted to<a class="indexterm" name="ch05-idx-969589-0"></a>
-<a class="indexterm" name="ch05-idx-969589-1"></a> slashes ( / ) when the <code class="literal">%S</code> variable is used.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.3"></a>Browsing Elections</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969892-0"></a>As mentioned in <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a>, one machine in each subnet always keeps a list of the currently active <a class="indexterm" name="ch05-idx-969897-0"></a>machines. This list is called the <em class="firstterm">browse list</em>
-<a class="indexterm" name="ch05-idx-969898-0"></a> and the server that maintains it is called the <a class="indexterm" name="ch05-idx-970543-0"></a><em class="firstterm">local master browser</em>. As machines come on and off the network, the local master browser continually updates the information in the browse list and provides it to any machine that requests it.</p><p>A computer becomes a local master browser by holding a browsing election on the local subnet. Browsing elections can be called at any time. Samba can rig a browsing election for a variety of outcomes, including always becoming the local master browser of the subnet or never becoming it. For example, the following options, which we've added to the configuration file from <a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, will ensure that Samba always wins the election for local master browser no matter which machines are also present:</p><pre class="programlisting">[global]
-	netbios name = HYDRA
-	server string = Samba %v on (%L)
-	workgroup = SIMPLE
-
-	#  Browsing election options
-	os level = 34
-	local master = yes
-
-	#  Networking configuration options
-	hosts allow = 192.168.220. 134.213.233. localhost
-	hosts deny = 192.168.220.102
-	interfaces = 192.168.220.100/255.255.255.0 \
-                         134.213.233.110/255.255.255.0
-
-	# Debug logging information
-	log level = 2
-	log file = /var/log/samba.log.%m
-	max log size = 50
-	debug timestamp = yes
-
-[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	comment = Data Drive
-	volume = Sample-Data-Drive
-	writable = yes</pre><p>However, what if we didn't always want to win the election? What if we wanted to yield browsing to a Windows NT Server if present? In order to do that, we need to learn how browsing elections work. As you already know, each machine that takes place in the election must broadcast information about itself. This information includes the following:</p><div class="itemizedlist"><ul type="disc"><li><p>The version of the election protocol used</p></li><li><p>The operating system on the machine</p></li><li><p>The amount of time the client has been on the network</p></li><li><p>The hostname of the client</p></li></ul></div><p>Here is how the election is decided. Operating systems are assigned a binary value according to their version, as shown in <a href="#ch05-51423" title="Table 5.1. Operating System Values in an Election">Table 5.1</a>.</p><div class="table"><a name="ch05-51423"></a><p class="title"><b>Table 5.1. Operating System Values in an Election </b></p><div class="table-contents"><table summary="Operating System Values in an Election " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Operating System</p></th><th><p>Value</p></th></tr></thead><tbody><tr><td><p>
-<a class="indexterm" name="ch05-idx-969634-0"></a>
-<a class="indexterm" name="ch05-idx-969634-1"></a>Windows NT Server 4.0</p></td><td><p>33</p></td></tr><tr><td><p>Windows NT Server 3.51</p></td><td><p>32</p></td></tr><tr><td><p>Windows NT Workstation 4.0</p></td><td><p>17</p></td></tr><tr><td><p>Windows NT Workstation 3.51</p></td><td><p>16</p></td></tr><tr><td><p>Windows 98</p></td><td><p>2</p></td></tr><tr><td><p>Windows 95</p></td><td><p>1</p></td></tr><tr><td><p>Windows 3.1 for Workgroups</p></td><td><p>1</p></td></tr></tbody></table></div></div><br class="table-break"><p>Following that, each computer on the network is assigned a separate value according to its role, as shown in <a href="#SAMBA-CH-5-TBL-5.2" title="Table 5.2. Computer Role Settings in an Election">Table 5.2</a>.</p><div class="table"><a name="SAMBA-CH-5-TBL-5.2"></a><p class="title"><b>Table 5.2. Computer Role Settings in an Election </b></p><div class="table-contents"><table summary="Computer Role Settings in an Election " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Role</p></th><th><p>Value</p></th></tr></thead><tbody><tr><td><p>
-<a class="indexterm" name="ch05-idx-969635-0"></a>
-<a class="indexterm" name="ch05-idx-969635-1"></a>
-<a class="indexterm" name="ch05-idx-969635-2"></a>
-<a class="indexterm" name="ch05-idx-969635-3"></a>Primary Domain Controller</p></td><td><p>128</p></td></tr><tr><td><p>WINS Client</p></td><td><p>32</p></td></tr><tr><td><p>Preferred Master Browser</p></td><td><p>8</p></td></tr><tr><td><p>Active Master Browser</p></td><td><p>4</p></td></tr><tr><td><p>Standby Browser</p></td><td><p>2</p></td></tr><tr><td><p>Active Backup Browser</p></td><td><p>1</p></td></tr></tbody></table></div></div><br class="table-break"><p>
-<a class="indexterm" name="ch05-idx-969637-0"></a>Elections are decided in the following order:</p><div class="orderedlist"><ol type="1"><li><p>The machine with the highest version of the election protocol will win. (So far, this is meaningless, as all Windows clients have version 1 of the election protocol.)</p></li><li><p>The machine with the highest operating system value wins the election.</p></li><li><p>If there is a tie, the machine with the setting of Preferred Master Browser (role 8) wins the election.</p></li><li><p>If there is still a tie, the client who has been online the longest wins the election.</p></li><li><p>And finally, if there is still a tie, the client name that comes first alphabetically wins.</p></li><li><p>The machine that is the "runner-up" can become a backup browser.</p></li></ol></div><p>As a result, if you want Samba to take the role of a local master browser, but only if there isn't a Windows NT Server (4.0 or 3.51) on the network, you could change the <code class="literal">os</code> <code class="literal">level</code> parameter in the previous example to:</p><pre class="programlisting">os level = 31</pre><p>This will cause Samba to immediately lose the election to a Windows NT 4.0 or  Windows NT 3.5 Server, both of which have a higher operating systems level. On the other hand, if you wanted to decide the local master browser on the basis of the network role, such as which machine is the primary domain controller, you could set the <code class="literal">os</code> <code class="literal">level</code> to match the highest type of operating system on the network and let the election protocol fall down to the next level.</p><p>
-<a class="indexterm" name="ch05-idx-969646-0"></a>How can you can tell if a machine is a local master browser? By using the <code class="literal">nbtstat</code> command. Place the NetBIOS name of the machine you wish to check after the <code class="literal">-a</code> option:</p><pre class="programlisting">C:\&gt;<strong class="userinput"><code>nbtstat -a hydra</code></strong>
-
-       NetBIOS Remote Machine Name Table
-
- Name                            Type         Status
-----------------------------------------------------------
- HYDRA                     &lt;00&gt;  UNIQUE       Registered
- HYDRA                     &lt;03&gt;  UNIQUE       Registered
- HYDRA                     &lt;20&gt;  UNIQUE       Registered
- .._ _MSBROWSE_ _.         &lt;01&gt;  GROUP        Registered
- SIMPLE                    &lt;00&gt;  GROUP        Registered
- SIMPLE                    &lt;1D&gt;  UNIQUE       Registered
- SIMPLE                    &lt;1E&gt;  GROUP        Registered
-
- MAC Address = 00-00-00-00-00-00</pre><p>The resource entry that you're looking for is the <code class="literal">.._   _MSBROWSE_   _.&lt;01&gt;</code>. This indicates that the server is currently acting as the local master browser for the current subnet. In addition, if the machine is a Samba server, you can check the Samba <code class="filename">nmbd</code> log file for an entry such as:</p><pre class="programlisting">nmbd/nmbd_become_lmb.c:become_local_master_stage2(406)
-*****
-Samba name server HYDRA is now a local master browser for
-workgroup SIMPLE on subnet 192.168.220.100
-****</pre><p>Finally, Windows NT servers serving as primary domain controllers contain a sneak that allows them to assume the role of the local master browser in certain conditions; this is called the <span class="emphasis"><em>preferred</em></span>
-<a class="indexterm" name="ch05-idx-969647-0"></a> <span class="emphasis"><em>master browser</em></span> bit. Earlier, we mentioned that Samba could set this bit on itself as well. You can enable it with the <code class="literal">preferred</code> <code class="literal">master</code> option:</p><pre class="programlisting">#  Browsing election options
-os level = 33
-local master = yes
-preferred master = yes</pre><p>If the preferred master bit is set, the machine will force a browsing election at startup. Of course, this is needed only if you set the <code class="literal">os</code> <code class="literal">level</code> option to match the Windows NT machine. We recommend that you don't use this option if another machine also has the role of preferred master, such as an NT server.<a class="indexterm" name="ch05-idx-969633-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.4"></a>Domain Master Browser</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969654-0"></a>
-<a class="indexterm" name="ch05-idx-969654-1"></a>
-<a class="indexterm" name="ch05-idx-969654-2"></a>In the opening chapter, we mentioned that in order for a Windows workgroup or domain to extend into multiple subnets, one machine would have to take the role of the <em class="firstterm">domain master browser</em>. The domain master browser propagates browse lists across each of the subnets in the workgroup. This works because each local master browser periodically synchronizes its browse list with the domain master browser. During this synchronization, the local master browser passes on any server that the domain master browser does not have in its browse list, and vice versa. In a perfect world, each local master browser would eventually have the browse list for the entire domain.</p><p>Unlike the local master browser, there is no election to determine which machine assumes the role of the domain master browser. Instead, the administrator has to set it manually. By Microsoft design, however, the domain master browser and the primary domain controller (PDC) both register a resource type of &lt;1B&gt;, so the roles&#8212;and the machines&#8212;are inseparable.</p><p>If you have a <a class="indexterm" name="ch05-idx-969663-0"></a>Windows NT server on the network acting as a PDC, we recommend that you do not use Samba to become the domain master browser. The reverse is true as well: if Samba is taking on the responsibilities of a <a class="indexterm" name="ch05-idx-969665-0"></a>PDC, we recommend making it the domain master browser as well. Although it is possible to split the roles with Samba, this is not a good idea. Using two different machines to serve as the PDC and the domain master browser can cause random errors to occur on a Windows workgroup.</p><p>Samba can assume the role of a domain master browser for all subnets in the workgroup with the following option:</p><pre class="programlisting">domain master = yes</pre><p>You can verify that a Samba machine is in fact the domain master browser by checking the <span class="emphasis"><em>nmbd</em></span> log file:</p><pre class="programlisting">nmbd/nmbd_become_dmb.c:become_domain_master_stage2(118)
-*****
-Samba name server HYDRA is now a domain master browser for
-workgroup SIMPLE on subnet 192.168.220.100
-*****</pre><p>Or you can use the <code class="literal">nmblookup</code> command that comes with the Samba distribution to query for a unique &lt;1B&gt; resource type in the workgroup:</p><pre class="programlisting"># <strong class="userinput"><code>nmblookup SIMPLE#1B</code></strong>
-Sending queries to 192.168.220.255
-192.168.220.100 SIMPLE&lt;1b&gt;</pre><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.4.1"></a>Multiple subnets</h4></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969667-0"></a>There are three rules that you must remember when creating a workgroup/domain that spans more than one subnet:</p><div class="itemizedlist"><ul type="disc"><li><p>You must have either a Windows NT or Samba machine acting as a local master browser on each subnet in the workgroup/domain. (If you have a domain master browser in a subnet, a local master browser is not needed.)</p></li><li><p>You must have a Windows NT Server or a Samba machine acting as a domain master browser somewhere in the workgroup.</p></li><li><p>Each local master browser must be instructed to synchronize with the domain master browser.</p></li></ul></div><p>Samba has a few other features in this arena in the event that you don't have or want a domain master browser on your network. Consider the subnets shown in <a href="#ch05-15706" title="Figure 5.1. Multiple subnets with Samba servers">Figure 5.1</a>.</p><div class="figure"><a name="ch05-15706"></a><p class="title"><b>Figure 5.1. Multiple subnets with Samba servers</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 325px"><td><img src="figs/sam.0501.gif" height="325" alt="Multiple subnets with Samba servers"></td></tr></table></div></div></div><br class="figure-break"><p>First, a Samba server that is a local master browser can use the <code class="literal">remote</code> <code class="literal">announce</code> configuration option to make sure that computers in different subnets are sent broadcast announcements about the server. This has the effect of ensuring that the Samba server appears in the browse lists of foreign subnets. To achieve this, however, the directed broadcasts must reach the local master browser on the other subnet. Be aware that many routers do not allow directed broadcasts by default; you may have to change this setting on the router for the directed broadcasts to get through to its subnet.</p><p>With the <code class="literal">remote</code> <code class="literal">announce</code> option, list the subnets and the workgroup that should receive the broadcast. For example, to ensure that machines in the 192.168.221 and 192.168.222 subnets and SIMPLE workgroup are sent broadcast information from our Samba server, we could specify the following:</p><pre class="programlisting">#  Browsing election options
-os level = 34
-local master = yes
-remote announce = 192.168.221.255/SIMPLE \
-	192.168.222.255/SIMPLE</pre><p>In addition, you are allowed to specify the exact address to send broadcasts to if the local master browser on the foreign subnet is guaranteed to always have a fixed IP address.</p><p>A Samba local master browser can synchronize its browse list directly with another Samba server acting as a local master browser on a different subnet. For example, let's assume that Samba is configured as a local master browser, and Samba local master browsers exist at 192.168.221.130 and 192.168.222.120. We can use the <code class="literal">remote</code> <code class="literal">browse</code> <code class="literal">sync</code> option to sync directly with the Samba servers, as follows:</p><pre class="programlisting">#  Browsing election options
-os level = 34
-local master = yes
-remote browse sync = 192.168.221.130 192.168.222.120</pre><p>In order for this to work, the other Samba machines must also be local master browsers. You can also use directed broadcasts with this option if you do not know specific IP addresses of local master browsers.<a class="indexterm" name="ch05-idx-969939-0"></a>
-<a class="indexterm" name="ch05-idx-969940-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-1.5"></a>Browsing Options</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969668-0"></a>
-<a class="indexterm" name="ch05-idx-969668-1"></a><a href="#ch05-81028" title="Table 5.3. Browsing Configuration Options">Table 5.3</a> shows 14 options that define how Samba handles browsing tasks. We recommend the defaults for a site that prefers to be easy on its users with respect to locating shares and printers.</p><div class="table"><a name="ch05-81028"></a><p class="title"><b>Table 5.3. Browsing Configuration Options </b></p><div class="table-contents"><table summary="Browsing Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">announce as</code></p></td><td><p><code class="literal">NT</code>
-<a class="indexterm" name="ch05-idx-969670-0"></a> or <code class="literal">Win95</code> or <code class="literal">Wf W</code></p></td><td><p>Sets the operating system that Samba will announce itself as.</p></td><td><p><code class="literal">N T</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">announce version</code></p></td><td><p>numerical</p></td><td><p>Sets the version of the operating system that Samba will announce itself as.</p></td><td><p><code class="literal">4.2</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">browseable (browsable)</code></p></td><td><p>boolean</p></td><td><p>Allows share to be displayed in list of machine resources.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">browse list</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will provide a browse list on this server.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">auto services (preload)</code></p></td><td><p>string (share list)</p></td><td><p>Sets a list of shares that will always appear in the browse list.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">default service (default)</code></p></td><td><p>string (share name)</p></td><td><p>Names a share (service) that will be provided if the client requests a share not listed in <span class="emphasis"><em>smb.conf.</em></span></p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">local master</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will try to become a master browser on the local subnet.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">lm announce</code></p></td><td><p><code class="literal">yes</code> or <code class="literal">no</code> or <code class="literal">auto</code></p></td><td><p>Enables or disables LAN Manager style host announcements.</p></td><td><p><code class="literal">auto</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">lm interval</code></p></td><td><p>numerical</p></td><td><p>Specifies the frequency in seconds that LAN Manager announcements will be made if activated.</p></td><td><p><code class="literal">60</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">preferred master (prefered master)</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will use the preferred master browser bit to attempt to become the local master browser.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">domain master</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will try to become the main browser master for the workgroup.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">os level</code></p></td><td><p>numerical</p></td><td><p>Sets the operating system level of Samba in an election for local master browser.</p></td><td><p><code class="literal">0</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">remote browse sync</code></p></td><td><p>string (list of IP addresses)</p></td><td><p>Lists Samba servers to synchronize browse lists with.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">remote announce</code></p></td><td><p>string (IP address/ workgroup pairs)</p></td><td><p>Lists subnets and workgroups to send directed broadcast packets to, allowing Samba to appear to browse lists.</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.1"></a>
-announce as</h4></div></div></div><a class="indexterm" name="ch05-idx-970552-0"></a><p>This global configuration option specifies the type of operating system that Samba will announce to other machines on the network. The default value for this option is <code class="literal">N T</code>, which represents a Windows NT operating system. Other possible values are <code class="literal">Win95</code>, which represents a Windows 95 operating system, and <code class="literal">W f W</code> for a Windows for Workgroup operating system. You can override the default value with the following:</p><pre class="programlisting">[global]
-	announce as = Win95</pre><p>We recommend against changing the default value of this configuration option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.2"></a>
-announce version</h4></div></div></div><a class="indexterm" name="ch05-idx-970555-0"></a><p>This global option is frequently used with the <code class="literal">announce</code> <code class="literal">as</code> configuration option; it specifies the version of the operating system that Samba will announce to other machines on the network. The default value of this options is 4.2, which places itself above the current Windows NT version of 4.0. You can specify a new value with a global entry such as the following:</p><pre class="programlisting">[global]
-	announce version = 4.3</pre><p>We recommend against changing the default value of this configuration option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-38345"></a>browseable</h4></div></div></div><p>The <code class="literal">browseable</code> option (also spelled <code class="literal">browsable</code>) indicates whether the share referenced should appear in the list of available resources of the machine on which it resides. This option is always set to <code class="literal">yes</code> by default. If you wish to prevent the share from being seen in a client's browser, you can reset this option to <code class="literal">no</code>.</p><p>Note that this does not prevent someone from accessing the share using other means, such as specifying a UNC location (<code class="literal">//server/accounting)</code> in Windows Explorer. It only prevents the share from being listed under the machine's resources when being browsed.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.4"></a>browse list</h4></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969674-0"></a>You should never need to change this parameter from its default value of <code class="literal">yes</code>. If your Samba server is acting as a local master browser (i.e., it has won the browsing election), you can use the global <code class="literal">browse</code> <code class="literal">list</code> option to instruct Samba to provide or withhold its browse list to all clients. By default, Samba always provides a browse list. You can withhold this information by specifying the following:</p><pre class="programlisting">[global]
-	browse list = no</pre><p>If you disable the browse list, clients cannot browse the names of other machines, their services, and other domains currently available on the network. Note that this won't make any particular machine inaccessible; if someone knows a valid machine name/address and a share on that machine, they can still connect to it explicitly using NET USE or by mapping a drive letter to it using Windows Explorer. It simply prevents information in the browse list from being retrieved by any client that requests it.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.5"></a>auto services</h4></div></div></div><p>The global <code class="literal">auto</code>
-<a class="indexterm" name="ch05-idx-970563-0"></a> <code class="literal">services</code> option, which is also called <code class="literal">preload </code>, ensures that the specified shares are always visible in the browse list. One common use for this option is to advertise specific user or printer shares that are created by the <code class="literal">[homes]</code> or <code class="literal">[printers]</code> shares, but are not otherwise browsable.</p><p>This option works best with disk shares. If you wish to force each of your system printers (i.e., those listed in the printer capabilities file) into the browse list using this option, we recommend using the <code class="literal">load</code> <code class="literal">printers</code> option instead. Any shares listed with the <code class="literal">auto</code> <code class="literal">services</code> option will not be displayed if the <code class="literal">browse</code> <code class="literal">list</code> option is set to <code class="literal">no</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.6"></a>default service</h4></div></div></div><p>The global <code class="literal">default</code>
-<a class="indexterm" name="ch05-idx-970564-0"></a> <code class="literal">service</code> option (sometimes called <code class="literal">default</code>) names a "last-ditch" share. If set to an existing share name, and a client requests a nonexistent disk or printer share, Samba will attempt to connect the user to the share specified by this option instead. The option is specified as follows:</p><pre class="programlisting">default service = helpshare</pre><p>Note that there are no braces surrounding the share name <code class="literal">helpshare</code>, even though the definition of the share later in the Samba configuration file will have braces. Also, if you use the <code class="literal">%S</code> variable in the share specified by this option, it will represent the requested, nonexistent share, not the default service. Any underscores (  <code class="literal">_ </code> ) specified in the request share will be converted to slashes (<code class="literal">/</code>) when the variable is used.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.7"></a>
-local master</h4></div></div></div><a class="indexterm" name="ch05-idx-970565-0"></a><p>
-<a class="indexterm" name="ch05-idx-969675-0"></a>This global option specifies whether Samba will attempt to become the local master browser for the subnet when it starts up. If this option is set to <code class="literal">yes</code>, Samba will take place in elections. However, setting this option by itself does not guarantee victory. (Other parameters, such as <code class="literal">preferred</code> <code class="literal">master</code> and <code class="literal">os</code> <code class="literal">level</code> help Samba win browsing elections.) If this option is set to <code class="literal">no</code>, Samba will lose all browsing elections, no matter which values are specified by the other configuration options. The default value is <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.8"></a>lm announce</h4></div></div></div><p>The global <code class="literal">lm</code>
-<a class="indexterm" name="ch05-idx-970566-0"></a> <code class="literal">announce</code> option tells Samba's <span class="emphasis"><em>nmbd</em></span>
-<a class="indexterm" name="ch05-idx-969678-0"></a> whether or not to send LAN Manager host announcements on behalf of the server. These host announcements may be required by older clients, such as IBM's OS/2 operating system. This announcement allows the server to be added to the browse lists of the client. If activated, Samba will announce itself repetitively at the number of seconds specified by the <code class="literal">lm</code> <code class="literal">interval</code> option.</p><p>This configuration option takes the standard boolean values, <code class="literal">yes</code> and <code class="literal">no</code>, which engage or disengage LAN Manager announcements, respectively. In addition, there is a third option, <code class="literal">auto</code>, which causes <span class="emphasis"><em>nmbd</em></span> to passively listen for LAN Manager announcements, but not send any of its own initially. If LAN Manager announcements are detected for another machine on the network, <span class="emphasis"><em>nmbd</em></span> will start sending its own LAN Manager announcements to ensure that it is visible. You can specify the option as follows:</p><pre class="programlisting">[global]
-	lm announce = yes</pre><p>The default value is <code class="literal">auto</code>. You probably won't need to change this value from its default.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.9"></a>
-lm interval</h4></div></div></div><a class="indexterm" name="ch05-idx-970567-0"></a><p>This option, which is used in conjunction with <code class="literal">lm</code> <code class="literal">announce</code>, indicates the number of seconds <span class="emphasis"><em>nmbd</em></span> will wait before repeatedly broadcasting LAN Manager-style announcements. Remember that LAN Manager announcements must be activated in order for this option to be used. The default value is 60 seconds. If you set this value to 0, Samba will not send any LAN Manager host announcements, no matter what the value of the <code class="literal">lm</code> <code class="literal">announce</code> option. You can reset the value of this option as follows:</p><pre class="programlisting">[global]
-	lm interval = 90</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.10"></a>preferred master</h4></div></div></div><p>The <code class="literal">preferred</code>
-<a class="indexterm" name="ch05-idx-970568-0"></a> <code class="literal">master</code> option requests that Samba set the preferred master bit when participating in an election. This gives the server a higher preferred status in the workgroup than other machines at the same operating system level. If you are configuring your Samba machine to become the local master browser, it is wise to set the following value:</p><pre class="programlisting">[global]
-	preferred master = yes</pre><p>Otherwise, you should leave it set to its default, <code class="literal">no</code>. If Samba is configured as a preferred master browser, it will force an election when it first comes online.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.11"></a>os level</h4></div></div></div><p>The global <code class="literal">os</code>
-<a class="indexterm" name="ch05-idx-970569-0"></a> <code class="literal">level</code> option dictates the operating system level at which Samba will masquerade during a browser election. If you wish to have Samba win an election and become the master browser, you can set the level above that of the operating system on your network with the highest current value. The values are shown in <a href="#ch05-51423" title="Table 5.1. Operating System Values in an Election">Table 5.1</a> . The default level is 0, which means that Samba will lose all elections. If you wish Samba to win all elections, you can reset its value as follows:</p><pre class="programlisting">os level = 34</pre><p>This means that the server will vote for itself 34 times each time an election is called, which ensures a victory.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.12"></a>
-domain master</h4></div></div></div><a class="indexterm" name="ch05-idx-970570-0"></a><p>If Samba is the primary domain controller for your workgroup or NT domain, it should also be the <a class="indexterm" name="ch05-idx-969682-0"></a> domain master browser. The domain master browser is a special machine that has the NetBIOS resource type &lt;1B&gt; and is used to propagate browse lists to and from each of the local master browsers in individual subnets across the domain. To force Samba to become the domain master browser, set the following in the <code class="literal">[global]</code> section of the <code class="filename">smb.conf</code>:</p><pre class="programlisting">[global]
-	domain master = yes</pre><p>If you have a Windows NT server on the network acting as a primary domain controller (PDC), we recommend that you do not use Samba to become the domain master browser. The reverse is true as well: if Samba is taking on the responsibilities of a PDC, we recommend making it the domain master browser. Splitting the PDC and the domain master browser will cause unpredictable errors to occur on the network.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.13"></a>remote browse sync</h4></div></div></div><p>The global <code class="literal">remote</code>
-<a class="indexterm" name="ch05-idx-970571-0"></a> <code class="literal">browse</code> <code class="literal">sync</code> option specifies that Samba should synchronize its <a class="indexterm" name="ch05-idx-969683-0"></a>browse lists with local master browsers in other subnets. However, the synchronization can occur only with other Samba servers, and not with Windows computers. For example, if your Samba server was a master browser on the subnet 192.168.235, and Samba local master browsers existed on other subnets at 192.168.234.92 and 192.168.236.2, you could specify the following:</p><pre class="programlisting">remote browse sync = 192.168.234.92 192.168.236.2</pre><p>The Samba server would then directly contact the other machines on the address list and synchronize browse lists. You can also say:</p><pre class="programlisting">remote browse sync = 192.168.234.255 192.168.236.255</pre><p>This forces Samba to broadcast queries to determine the IP addresses of the local master browser on each subnet, with which it will then synchronize browse lists. This only works, however, if your router doesn't block directed broadcast requests ending in 255.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-1.5.14"></a>remote announce</h4></div></div></div><p>Samba servers are capable of providing browse lists to foreign subnets with the <code class="literal">remote</code>
-<a class="indexterm" name="ch05-idx-970572-0"></a> <code class="literal">announce</code> option. This is typically sent to the local master browser of the foreign subnet in question. However, if you do not know the address of the local master browser, you can do the following:</p><pre class="programlisting">[global]
-    remote announce = 192.168.234.255/ACCOUNTING \
-                          192.168.236.255/ACCOUNTING</pre><p>With this, Samba will broadcast host announcements to all machines on subnets 192.168.234 and 192.168.236, which will hopefully reach the local master browser of the<a class="indexterm" name="ch05-idx-969669-0"></a>
-<a class="indexterm" name="ch05-idx-969669-1"></a> subnet.<a class="indexterm" name="ch05-idx-969569-0"></a> You can also specify exact IP addresses, if they are known.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-34221"></a>Filesystem Differences</h2></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969684-0"></a>One <a class="indexterm" name="ch05-idx-969692-0"></a>of the biggest issues for which Samba has to correct is the difference between Unix and non-Unix filesystems. This includes items such as handling symbolic links, hidden files, and dot files. In addition, file permissions can also be a headache if not accounted for properly. This section describes how to use Samba to make up for some of those annoying differences, and even how to add some new functionality of its own.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-2.1"></a>Hiding and Vetoing Files</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969693-0"></a>
-<a class="indexterm" name="ch05-idx-969693-1"></a>There are some cases when we need to ensure that a user cannot see or access a file at all. Other times, we don't want to keep a user from accessing a file&#8212;we just want to hide it when they view the contents of the directory. On Windows systems, an attribute of files allows them to be hidden from a folder listing. With Unix, the traditional way of hiding files in a directory is to precede them with a <a class="indexterm" name="ch05-idx-969701-0"></a>
-<a class="indexterm" name="ch05-idx-969701-1"></a>dot (.). This prevents items such as configuration files or defaults from being seen when performing an ordinary <code class="literal">ls</code> command. Keeping a user from accessing a file at all, however, involves working with permissions on files and or directories.</p><p>The first option we should discuss is the boolean <code class="literal">hide</code> <code class="literal">dot</code> <code class="literal">files</code>. This option does exactly what it says. When set to <code class="literal">yes</code>, the option treats files beginning with a <a class="indexterm" name="ch05-idx-969702-0"></a>
-<a class="indexterm" name="ch05-idx-969702-1"></a>period (.) as hidden. If set to <code class="literal">no</code>, those files are always shown. The important thing to remember is that the files are only hidden. If the user has chosen to show all hidden files while browsing (e.g., using the Folder Options menu item under the View menu in Windows 98), they will still be able to see the files, as shown in <a href="#ch05-77260" title="Figure 5.2. Hidden files in the [data] share">Figure 5.2</a>.</p><div class="figure"><a name="ch05-77260"></a><p class="title"><b>Figure 5.2. Hidden files in the [data] share</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 210px"><td><img src="figs/sam.0502.gif" height="210" alt="Hidden files in the [data] share"></td></tr></table></div></div></div><br class="figure-break"><p>Instead of simply hiding files beginning with a dot, you can also specify a string pattern to Samba for files to hide, using the <code class="literal">hide</code> <code class="literal">files</code> option. For example, let's assume that we specified the following in our example <code class="literal">[data]</code> share:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-	case sensitive = no
-	hide files = /*.java/*README*/</pre><p>Each entry for this option must begin, end, or be separated from another with a <a class="indexterm" name="ch05-idx-969703-0"></a>
-<a class="indexterm" name="ch05-idx-969703-1"></a>slash ( / ) character, even if there is only one pattern listed. This convention allows spaces to appear in filenames. In this example, the share directory would appear as shown in <a href="#ch05-19743" title="Figure 5.3. Hiding files based on filename patterns">Figure 5.3</a>. Again, note that we have set the Windows 98 option to view hidden files for the window.</p><div class="figure"><a name="ch05-19743"></a><p class="title"><b>Figure 5.3. Hiding files based on filename patterns</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 210px"><td><img src="figs/sam.0503.gif" height="210" alt="Hiding files based on filename patterns"></td></tr></table></div></div></div><br class="figure-break"><p>
-<a class="indexterm" name="ch05-idx-969704-0"></a>
-<a class="indexterm" name="ch05-idx-969704-1"></a>If we want to prevent users from seeing files at all, we can instead use the <code class="literal">veto</code> <code class="literal">files</code> option. This option, which takes the same syntax as the <code class="literal">hide</code> <code class="literal">files</code> option, specifies a list of files that should never be seen by the user. For example, let's change the <code class="literal">[data]</code> share to the following:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-	case sensitive = no
-	veto files = /*.java/*README*/</pre><p>The syntax of this option is identical to the <code class="literal">hide</code> <code class="literal">files</code> configuration option: each entry must begin, end, or be separated from another with a slash (<code class="literal">/</code>) character, even if there is only one pattern listed. By doing so, the files <code class="literal">hello.java</code> and <code class="literal">README</code> will simply disappear from the directory, and the user will not be able to access them through SMB.</p><p>There is one other question that we need to address. What happens if the user tries to delete a directory that contains vetoed files? This is where the <code class="literal">delete</code>
-<a class="indexterm" name="ch05-idx-969711-0"></a> <code class="literal">veto</code> <code class="literal">files</code> option comes in. If this boolean option is set to <code class="literal">yes</code>, the user is allowed to delete both the regular files and the vetoed files in the directory, and the directory itself will be removed. If the option is set to <code class="literal">no</code>, the user will not be able to delete the vetoed files, and consequently the directory will not be deleted either. From the user's perspective, the directory will appear to be empty, but cannot be removed.</p><p>The <code class="literal">dont</code> <code class="literal">descend</code> directive specifies a list of <a class="indexterm" name="ch05-idx-969715-0"></a>directories whose contents Samba should not allow to be visible. Note that we say <span class="emphasis"><em>contents</em></span>, not the directory itself. Users will be able to enter a directory marked as such, but they are prohibited from descending the directory tree any farther&#8212;they will always see an empty folder. For example, let's use this option with a more basic form of the share that we defined earlier in the chapter:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-	case sensitive = no
-	dont descend = config defaults</pre><p>In addition, let's assume that the <code class="filename">/home/samba/data</code> directory has the following contents:</p><pre class="programlisting">drwxr-xr-x   6 tom      users     1024 Jun 13 09:24 .
-drwxr-xr-x   8 root     root      1024 Jun 10 17:53 ..
--rw-r--r--   2 tom      users     1024 Jun  9 11:43 README
-drwxr-xr-x   3 tom      users     1024 Jun 13 09:28 config
-drwxr-xr-x   3 tom      users     1024 Jun 13 09:28 defaults
-drwxr-xr-x   3 tom      users     1024 Jun 13 09:28 market</pre><p>If the user then connects to the share, he or she would see the directories shown in <a href="#ch05-62659" title="Figure 5.4. Contents of the [data] share with dont descend">Figure 5.4</a>. However, the contents of the <code class="filename">/config</code> and <code class="filename">/defaults</code> directories would appear empty to the user, even if other folders or files existed in them. In addition, users cannot write any data to the folder (which prevents them from creating a file or folder with the same name as one that is already there but invisible). If a user attempts to do so, he or she will receive an "Access Denied" message. <code class="literal">dont</code> <code class="literal">descend</code> is an administrative option, not a security option, and is not a substitute for good file permissions.</p><div class="figure"><a name="ch05-62659"></a><p class="title"><b>Figure 5.4. Contents of the [data] share with dont descend
-
- </b></p><div class="figure-contents"><a class="indexterm" name="ch05-idx-969696-0"></a><a class="indexterm" name="ch05-idx-969696-1"></a><a class="indexterm" name="ch05-idx-969696-2"></a><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 210px"><td><img src="figs/sam.0504.gif" height="210" alt="Contents of the [data] share with dont descend"></td></tr></table></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-2.2"></a>Links</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969716-0"></a>
-<a class="indexterm" name="ch05-idx-969716-1"></a>DOS and NT filesystems don't have symbolic links; Windows 95/98/NT systems approximate this with "shortcuts" instead. Therefore, when a client tries to open a symbolic link on a Samba server share, Samba attempts to follow the link to find the real file and let the client open it, as if he or she were on a Unix machine. If you don't want to allow this, set the <code class="literal">follow</code> <code class="literal">symlinks</code> option:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-	case sensitive = no
-	follow symlinks = no</pre><p>You can test this by creating a directory on the Unix server inside the share as the user that you are logging in with. Enter the following commands:</p><pre class="programlisting">% <strong class="userinput"><code>mkdir hello; cd hello</code></strong>
-% <strong class="userinput"><code>cat "This is a test" &gt;hello.txt</code></strong>
-% <strong class="userinput"><code>ln -s hello.txt "Link to hello"</code></strong></pre><p>This results in the two files shown in the window in <a href="#ch05-36377" title="Figure 5.5. An error dialog trying to follow symbolic links when forbidden by Samba">Figure 5.5</a>. Normally, if you click on either one, you will receive a file which has the text "This is a test" inside of it. However, with the <code class="literal">follow</code> <code class="literal">symlinks</code> option set to <code class="literal">no</code>, you should receive an error similar to the dialog in <a href="#ch05-36377" title="Figure 5.5. An error dialog trying to follow symbolic links when forbidden by Samba">Figure 5.5</a> if you click on "Link to hello."</p><div class="figure"><a name="ch05-36377"></a><p class="title"><b>Figure 5.5. An error dialog trying to follow symbolic links when forbidden by Samba</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 149px"><td><img src="figs/sam.0505.gif" height="149" alt="An error dialog trying to follow symbolic links when forbidden by Samba"></td></tr></table></div></div></div><br class="figure-break"><p>Finally, let's discuss the <code class="literal">wide</code> <code class="literal">links</code> option. This option, if set to <code class="literal">yes</code>, allows the client user to follow symbolic links that point outside the shared directory tree, including files or directories at the other end of the link. For example, let's assume that we modified the <code class="literal">[data]</code> share as follows:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-	case sensitive = no
-	follow symlinks = yes
-	wide links = yes</pre><p>As long as the <code class="literal">follow</code> <code class="literal">symlinks</code> option is enabled, this will cause Samba to follow all symbolic links outside the current share tree. If we create a file outside the share (for example, in someone's home directory) and then create a link to it in the share as follows:</p><pre class="programlisting">ln -s ~tom/datafile ./datafile</pre><p>then you will be able to open the file in Tom's directory as per the target file's permissions.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-2.3"></a>Filesystem Options</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969717-0"></a><a href="#ch05-48353" title="Table 5.4. Filesystem Configuration Options">Table 5.4</a> shows a breakdown of the options we discussed earlier. We recommend the defaults for most, except those listed in the following descriptions.</p><div class="table"><a name="ch05-48353"></a><p class="title"><b>Table 5.4. Filesystem Configuration Options </b></p><div class="table-contents"><table summary="Filesystem Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">unix realname</code></p></td><td><p>boolean</p></td><td><p>Provides Unix user's full name to client.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">dont descend</code></p></td><td><p>string (list of directories)</p></td><td><p>Indicates a list of directories whose contents Samba should make invisible to clients.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">follow symlinks</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">no</code>, Samba will not honor symbolic links.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">getwd cache</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, Samba will use a cache for <code class="literal">getwd( )</code> calls.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">wide links</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, Samba will follow symbolic links outside the share.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">hide dot files</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, treats Unix hidden files as hidden files in Windows.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">hide files</code></p></td><td><p>string (list of files)</p></td><td><p>List of file patterns to treat as hidden.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">veto files</code></p></td><td><p>string (list of files)</p></td><td><p>List of file patterns to never show.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">delete veto files</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, will delete files matched by <code class="literal">veto files</code> when the directory they reside in is deleted.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.1"></a>
-unix realname</h4></div></div></div><a class="indexterm" name="ch05-idx-970574-0"></a><p>Some programs require a full username in order to operate. For example, a Windows email program often needs to associate a username with a given real name. If your system password file contains the real names of users in the GCOS field, the <code class="literal">unix</code> <code class="literal">realname</code> option instructs Samba to provide this information to clients. Without it, the name of the user will simply be his or her login ID. For example, if your Unix password file contains the following line:</p><pre class="programlisting">rcollins:/KaBfco47Rer5:500:500:Robert Collins:
-/home/rcollins:/bin/ksh</pre><p>And the option in the configuration file is:</p><pre class="programlisting">[global]
-	unix realname = yes</pre><p>then the name Robert Collins will be provided to any client that requests the real name of user <code class="literal">rcollins</code>. You typically don't need to bother with this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.2"></a>dont descend</h4></div></div></div><p>The <code class="literal">dont</code>
-<a class="indexterm" name="ch05-idx-970575-0"></a> <code class="literal">descend</code> option can be used to specify various <a class="indexterm" name="ch05-idx-969728-0"></a>directories that should appear empty to the client. Note that the directory itself will still appear. However, Samba will not show any of the contents of the directory to the client user. This is not a good option to use as a security feature (a user could probably find a way around it); it really is meant only as a convenience to keep client users from browsing into directories that might have sensitive files. See our example earlier in this section.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.3"></a>
-follow symlinks</h4></div></div></div><a class="indexterm" name="ch05-idx-970576-0"></a><p>
-<a class="indexterm" name="ch05-idx-969732-0"></a>This option, which is discussed in greater detail earlier, controls whether Samba will follow a symbolic link in the Unix operating system to the target, or if it should return an error to the client user. If the option is set to <code class="literal">yes</code>, the target of the link will be interpreted as the file.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.4"></a>
-getwd cache</h4></div></div></div><a class="indexterm" name="ch05-idx-970577-0"></a><p>This global option specifies whether Samba should use a local cache for the Unix <code class="literal">getwd()</code> ( get current working directory) system call. You can override the default value of <code class="literal">yes</code> as follows:</p><pre class="programlisting">[global]
-	getwd cache = no</pre><p>Setting this option to <code class="literal">yes</code> can significantly increase the time it takes to resolve the <a class="indexterm" name="ch05-idx-969733-0"></a>
-<a class="indexterm" name="ch05-idx-969733-1"></a>working directory, especially if the <code class="literal">wide</code> <code class="literal">links</code> option is set to <code class="literal">no</code>. You should normally not need to alter this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.5"></a>
-wide links</h4></div></div></div><a class="indexterm" name="ch05-idx-970578-0"></a><p>This option specifies whether the client user can follow symbolic links that point outside the shared directory tree. This includes any files or directories at the other end of the link, as long as the permissions are correct for the user. The default value for this option is <code class="literal">yes</code>. Note that this option will not be honored if the <code class="literal">follow</code> <code class="literal">symlinks</code> options is set to <code class="literal">no</code>. Setting this option to <code class="literal">no</code> slows <span class="emphasis"><em>smbd</em></span> considerably.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.6"></a>hide files</h4></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969738-0"></a>
-<a class="indexterm" name="ch05-idx-969738-1"></a>The <code class="literal">hide</code> <code class="literal">files</code> option provides one or more directory or filename patterns to Samba. Any file matching this pattern will be treated as a hidden file from the perspective of the client. Note that this simply means that the DOS hidden attribute is set, which may or may not mean that the user can actually see it while browsing.</p><p>Each entry in the list must begin, end, or be separated from another entry with a <a class="indexterm" name="ch05-idx-969734-0"></a>
-<a class="indexterm" name="ch05-idx-969734-1"></a>slash (<code class="literal">/</code>) character, even if there is only one pattern listed. This allows spaces to appear in the list. Asterisks can be used as a wildcard to represent zero or more characters. Questions marks can be used to represent exactly one character. For example:</p><pre class="programlisting">hide files = /.jav*/README.???/</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.7"></a>hide dot files</h4></div></div></div><p>The <code class="literal">hide</code> <code class="literal">dot</code> <code class="literal">files</code> option hides any files on the server that begin with a <a class="indexterm" name="ch05-idx-969735-0"></a>
-<a class="indexterm" name="ch05-idx-969735-1"></a>dot (.) character, in order to mimic the functionality behind several shell commands that are present on Unix systems. Like <code class="literal">hide</code> <code class="literal">files</code>, those files that begin with a dot have the DOS hidden attribute set, which doesn't necessarily guarantee that a client cannot view them. The default value for this option is <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.8"></a>
-veto files</h4></div></div></div><a class="indexterm" name="ch05-idx-970581-0"></a><p>More stringent than the hidden files state is the state provided by the <code class="literal">veto</code> <code class="literal">files</code> configuration option. Samba won't even admit these files exist. You cannot list or open them from the client. In reality, this isn't a trustworthy security option. It is actually a mechanism to keep PC programs from deleting special files, such as ones used to store the resource fork of a Macintosh file on a Unix filesystem. If both Windows and Macs are sharing the same files, this can prevent ill-advised power users from removing files the Mac users need.</p><p>The syntax of this option is identical to that of the <code class="literal">hide</code> <code class="literal">files</code> configuration option: each entry must begin, end, or be separated from another with a <a class="indexterm" name="ch05-idx-969758-0"></a>
-<a class="indexterm" name="ch05-idx-969758-1"></a>slash ( / ) character, even if only one pattern is listed. Asterisks can be used as a wildcard to represent zero or more characters. <a class="indexterm" name="ch05-idx-969762-0"></a>
-<a class="indexterm" name="ch05-idx-969762-1"></a>Questions marks can be used to represent exactly one character. For example:</p><pre class="programlisting">veto files = /*config/*default?/</pre><p>This option is primarily administrative&#8212;not a substitute for good file permissions.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-2.3.9"></a>
-delete veto files</h4></div></div></div><a class="indexterm" name="ch05-idx-970582-0"></a><p>
-<a class="indexterm" name="ch05-idx-969768-0"></a>
-<a class="indexterm" name="ch05-idx-969768-1"></a>This option tells Samba to delete vetoed files when a user attempts to delete the directory in which they reside. The default value is <code class="literal">no</code>. This means if a user tries to delete a directory that contains a vetoed file, the file (and the directory) will not be deleted. Instead, the directory will remain and appear to be empty from the perspective of the user. If set to <code class="literal">yes</code>, the directory and the vetoed files will be<a class="indexterm" name="ch05-idx-969721-0"></a> deleted.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-34062"></a>File Permissions and Attributes on MS-DOS and Unix</h2></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969769-0"></a>
-<a class="indexterm" name="ch05-idx-969769-1"></a>
-<a class="indexterm" name="ch05-idx-969769-2"></a>
-<a class="indexterm" name="ch05-idx-969769-3"></a>DOS was never intended to be a multiuser, networked operating system. Unix, on the other hand, was designed that way from the start. Consequently, there are inconsistencies and gaps in coverage between the two filesystems that Samba must not only be aware of, but also provide solutions for. One of the biggest gaps is how Unix and DOS handle permissions with files.</p><p>Let's take a look at how Unix assigns permissions. All Unix files have read, write, and execute bits for three classifications of users: <a class="indexterm" name="ch05-idx-969803-0"></a>owner, group, and world. These permissions can be seen at the extreme left-hand side when a <code class="literal">ls</code> <code class="literal">-al</code> command is issued in a Unix directory. For example:</p><pre class="programlisting">-rwxr--r--   1 tom     users   2014 Apr 13 14:11 access.conf</pre><p>Windows, on the other hand, has four principal bits that it uses with any file: read-only, system, hidden, and archive. You can view these bits by right-clicking on the file and choosing the Properties menu item. You should see a dialog similar to <a href="#ch05-76568" title="Figure 5.6. DOS and Windows file properties">Figure 5.6</a>.<sup>[<a name="ch05-pgfId-964268" href="#ftn.ch05-pgfId-964268">1</a>]</sup></p><div class="figure"><a name="ch05-76568"></a><p class="title"><b>Figure 5.6. DOS and Windows file properties</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 435px"><td><img src="figs/sam.0506.gif" width="502" alt="DOS and Windows file properties"></td></tr></table></div></div></div><br class="figure-break"><p>The definition of each of those bits follows:</p><div class="variablelist"><dl><dt><span class="term">
-<a class="indexterm" name="ch05-idx-969799-0"></a>
-<a class="indexterm" name="ch05-idx-969799-1"></a>Read-only</span></dt><dd><p>The file's contents can be read by a user but cannot be written to.</p></dd><dt><span class="term">
-<a class="indexterm" name="ch05-idx-969800-0"></a>
-<a class="indexterm" name="ch05-idx-969800-1"></a>System</span></dt><dd><p>This file has a specific purpose required by the operating system.</p></dd><dt><span class="term">
-<a class="indexterm" name="ch05-idx-969801-0"></a>
-<a class="indexterm" name="ch05-idx-969801-1"></a>Hidden</span></dt><dd><p>This file has been marked to be invisible to the user, unless the operating systems is explicitly set to show it.</p></dd><dt><span class="term">
-<a class="indexterm" name="ch05-idx-969802-0"></a>
-<a class="indexterm" name="ch05-idx-969802-1"></a>Archive</span></dt><dd><p>This file has been touched since the last DOS backup was performed on it.</p></dd></dl></div><p>Note that there is no bit to specify that a file is executable. DOS and Windows NT filesystems identify executable files by giving them the extensions .EXE, .COM, .CMD, or .BAT.</p><p>Consequently, there is no use for any of the three Unix executable bits that are present on a file in a Samba disk share. DOS files, however, have their own attributes that need to be preserved when they are stored in a Unix environment: the archive, system, and hidden bits. Samba can preserve these bits by reusing the executable permission bits of the file on the Unix side&#8212;if it is instructed to do so. Mapping these bits, however, has an unfortunate side-effect: if a Windows user stores a file in a Samba share, and you view it on Unix with the <code class="literal">ls</code> <code class="literal">-al</code> command, some of the executable bits won't mean what you'd expect them to.</p><p>Three Samba options decide whether the bits are mapped: <code class="literal">map</code> <code class="literal">archive</code>, <code class="literal">map</code> <code class="literal">system </code>, and <code class="literal">map</code> <code class="literal">hidden</code>. These options map the archive, system, and hidden attributes to the owner, group, and world execute bits of the file, respectively. You can add these options to the <code class="literal">[data]</code> share, setting each of their values as follows:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-	map archive = yes
-	map system = yes
-	map hidden = yes</pre><p>After that, try creating a file in the share under Unix&#8212;such as <code class="literal">hello.java</code>&#8212;and change the permissions of the file to 755. With these Samba options set, you should be able to check the permissions on the Windows side and see that each of the three values has been checked in the Properties dialog box. What about the read-only attribute? By default, Samba 2.0 sets this whenever a file does not have the Unix owner write permission bit set. In other words, you can set this bit by changing the permissions of the file to 555.</p><p>We should warn you that the default value of the <code class="literal">map</code> <code class="literal">archive</code> option is <code class="literal">yes</code>, while the other two options have a default value of <code class="literal">no</code>. This is because many programs do not work properly if the archive bit is not stored correctly for DOS and Windows files. The system and hidden attributes, however, are not critical for a program's operation and are left to the discretion of the administrator.</p><p><a href="#ch05-56404" title="Figure 5.7. How Samba and Unix view the permissions of a file">Figure 5.7</a> summarizes the Unix permission bits and illustrates how Samba maps those bits to DOS attributes. Note that the group read/write and world read/write bits do not directly translate to a DOS attribute, but they still retain their original Unix definitions on the Samba server.</p><div class="figure"><a name="ch05-56404"></a><p class="title"><b>Figure 5.7. How Samba and Unix view the permissions of a file</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 211px"><td><img src="figs/sam.0507.gif" height="211" alt="How Samba and Unix view the permissions of a file"></td></tr></table></div></div></div><br class="figure-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-3.0.1"></a>Creation masks</h3></div></div></div><p>Samba has several options to help with file <a class="indexterm" name="ch05-idx-969796-0"></a>
-<a class="indexterm" name="ch05-idx-969796-1"></a>
-<a class="indexterm" name="ch05-idx-969796-2"></a>
-<a class="indexterm" name="ch05-idx-969796-3"></a>creation masks. File creation masks (or <em class="firstterm">umasks</em>
-<a class="indexterm" name="ch05-idx-969797-0"></a>) help to define the permissions a file or directory will receive at the time it is created. In Unix, this means that you can control what permissions a file or directory does not have when it is created. For files accessed from Windows, this means you can disable the read-only, archive, system, and hidden attributes of a file as well.</p><p>For example, the <code class="literal">create</code> <code class="literal">mask</code> option will force the permissions of a file created by a Windows client to be at most 744:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-	create mask = 744</pre><p>while the <code class="literal">directory</code>
-<a class="indexterm" name="ch05-idx-970586-0"></a> <code class="literal">mask</code> option shown here will force the permissions of a newly created directory to be at most 755:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-	directory mask = 755</pre><p>Alternatively, you can also force various bits with the <code class="literal">force</code> <code class="literal">create</code> <code class="literal">mode</code> and <code class="literal">force</code> <code class="literal">directory</code> <code class="literal">mode</code> options. These options will perform a logical OR against the file and directory creation masks, ensuring that those bits that are specified will always be set. You would typically set these options globally in order to ensure that group and world read/write permissions have been set appropriately for new files or directories in each share.</p><p>In the same spirit, if you wish to explicitly set the Unix user and group attributes of a file that is created on the Windows side, you can use the <code class="literal">force</code>
-<a class="indexterm" name="ch05-idx-970587-0"></a>
-<a class="indexterm" name="ch05-idx-970587-1"></a> <code class="literal">user</code> and <code class="literal">force</code> <code class="literal">group</code> options. For example:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-
-	create mask = 744
-	directory mask = 755
-	force user = joe
-	force group = accounting</pre><p>These options actually assign a static Unix user and group to each connection that is made to a share. However, this occurs <span class="emphasis"><em>after</em></span> the client authenticates; it does not allow free access to a share. These options are frequently used for their side effects of assigning a specific user and group to each new file or directory that is created in a share. Use these options with discretion.</p><p>Finally, one of the capabilities of Unix that DOS lacks is the ability to delete a read-only file from a writable directory. In Unix, if a directory is writable, a read-only file in that directory can still be removed. This could permit you to delete files in any of your directories, even if the file was left by someone else.</p><p>DOS filesystems are not designed for multiple users, and so its designers decided that <a class="indexterm" name="ch05-idx-969808-0"></a>
-<a class="indexterm" name="ch05-idx-969808-1"></a>read-only means "protected against accidental change, including deletion," rather than "protected against some other user on a single-user machine." So the designers of DOS prohibited removal of a read-only file. Even today, Windows file systems exhibit the same behavior.</p><p>Normally, this is harmless. Windows programs don't try to remove read-only files because they know it's a bad idea. However, a number of source-code control programs&#8212;which were first written for Unix&#8212;run on Windows and require the ability to delete read-only files. Samba permits this behavior with the <code class="literal">delete</code>
-<a class="indexterm" name="ch05-idx-970588-0"></a> <code class="literal">readonly</code> option. In order to enable this functionality, set the option to <code class="literal">yes</code>:</p><pre class="programlisting">[data]
-	path = /home/samba/data
-	browseable = yes
-	guest ok = yes
-	writeable = yes
-
-	create mask = 744
-	directory mask = 755
-	force user = joe
-	force group = accounting
-	delete readonly = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-3.1"></a>File and Directory Permission Options</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969813-0"></a>
-<a class="indexterm" name="ch05-idx-969813-1"></a>
-<a class="indexterm" name="ch05-idx-969813-2"></a>The options for file and directory permissions are summarized in <a href="#ch05-96508" title="Table 5.5. File and Directory Permission Options">Table 5.5</a>; each option is then described in detail.</p><div class="table"><a name="ch05-96508"></a><p class="title"><b>Table 5.5. File and Directory Permission Options </b></p><div class="table-contents"><table summary="File and Directory Permission Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">map archive</code></p></td><td><p>boolean</p></td><td><p>Preserve DOS archive attribute in user execute bit (0100).</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">map system</code></p></td><td><p>boolean</p></td><td><p>Preserve DOS system attribute in group execute bit (0010).</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">map hidden</code></p></td><td><p>boolean</p></td><td><p>Preserve DOS hidden attribute in world execute bit (0001).</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">create mask (create mode)</code></p></td><td><p>numeric</p></td><td><p>Sets the maximum permissions for files created by Samba.</p></td><td><p><code class="literal">0744</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">directory mask (directory mode)</code></p></td><td><p>numeric</p></td><td><p>Sets the maximum permissions for directories created by Samba.</p></td><td><p><code class="literal">0755</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">force create mode</code></p></td><td><p>numeric</p></td><td><p>Forces the specified permissions (bitwise or) for directories created by Samba.</p></td><td><p><code class="literal">0000</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">force directory mode</code></p></td><td><p>numeric</p></td><td><p>Forces the specified permissions (bitwise or) for directories created by Samba.</p></td><td><p><code class="literal">0000</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">force group (group)</code></p></td><td><p>string ( group name)</p></td><td><p>Sets the effective group for a user accessing this share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">force user</code></p></td><td><p>string (username)</p></td><td><p>Sets the effective username for a user accessing this share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">delete readonly</code></p></td><td><p>boolean</p></td><td><p>Allows a user to delete a read-only file from a writable directory.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.1"></a>create mask</h4></div></div></div><p>The argument for this option is an octal number indicating which permission flags may be set at file creation by a client in a share. The default is 0755, which means the Unix owner can at most read, write, and optionally execute his or her own files, while members of the user's group and others can only read or execute them. If you need to change it for non-executable files, we recommend 0644, or <code class="literal">rw-r--r--</code>. Keep in mind that the execute bits may be used by the server to map certain DOS file attributes, as described earlier. If you're altering the <a class="indexterm" name="ch05-idx-969816-0"></a>create mask, those bits have to be part of the create mask as well.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.2"></a>
-directory mask</h4></div></div></div><a class="indexterm" name="ch05-idx-970593-0"></a><p>The argument for this option is an octal number indicating which permission flags may be set at directory creation by a client in a share. The default is 0755, which allows everyone on the Unix side to at most read and traverse the directories, but allows only you to modify them. We recommend the mask 0750, removing access by world users.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.3"></a>
-force create mode</h4></div></div></div><a class="indexterm" name="ch05-idx-970594-0"></a><p>This option sets the permission bits that Samba will force to be set when a file permission change is made. It's often used to force group permissions, mentioned previously. It can also be used to preset any of the DOS attributes we mentioned: archive (0100), system (0010), or hidden (0001). This option always takes effect after the <code class="literal">map</code> <code class="literal">archive</code>, <code class="literal">map</code> <code class="literal">system </code>, <code class="literal">map</code> <code class="literal">hidden</code>, and <code class="literal">create</code> <code class="literal">mask</code> options.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Many Windows applications rename their data files to <span class="emphasis"><em>datafile.bak</em></span> and create new ones, thus changing their ownership and permissions so that members of the same Unix group can't edit them. Setting <code class="literal">force create mask = 0660</code> will keep the new file editable by members of the group.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.4"></a>
-force directory mode</h4></div></div></div><a class="indexterm" name="ch05-idx-970595-0"></a><p>This option sets the permission bits which Samba will force when a directory permission change is made or a directory is created. It's often used to force group permissions, as mentioned previously. This option defaults to 0000, and can be used just like the <code class="literal">force</code> <code class="literal">create</code> <code class="literal">mode</code> to add group or other permissions if needed. This option always takes effect after the <code class="literal">map</code> <code class="literal">archive</code>, <code class="literal">map</code> <code class="literal">system</code>, <code class="literal">map</code> <code class="literal">hidden</code>, and <code class="literal">directory</code> <code class="literal">mask</code> options.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.5"></a>
-force group</h4></div></div></div><a class="indexterm" name="ch05-idx-970596-0"></a><p>This option, sometimes called <code class="literal">group</code>, assigns a static group ID that will be used on all connections to a service after the client has successfully authenticated. This assigns a specific group to each new file or directory created from an SMB client.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.6"></a>
-force user</h4></div></div></div><a class="indexterm" name="ch05-idx-970597-0"></a><p>The <code class="literal">force</code> <code class="literal">user</code> option assigns a static user ID that will be used on all connections to a service after the client has successfully authenticated. This assigns a specific user to each new file or directory created from an SMB client.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.7"></a>
-delete readonly</h4></div></div></div><a class="indexterm" name="ch05-idx-970598-0"></a><p>
-<a class="indexterm" name="ch05-idx-969827-0"></a>
-<a class="indexterm" name="ch05-idx-969827-1"></a>This option allows a user to delete a directory containing a read-only file. By default, DOS and Windows will not allow such an operation. You probably will want to leave this option turned off unless a program needs this capability; many Windows users would be appalled to find that they'd accidentally deleted a file which they had set read-only. In fact, even the Unix <code class="literal">rm</code> command will ask users if they really want to override the protection and delete read-only files. It's a good idea to have Samba be at least as cautious.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.8"></a>
-map archive</h4></div></div></div><a class="indexterm" name="ch05-idx-970600-0"></a><p>The DOS archive bit is used to flag a file that has been changed since it was last archived (e.g., backed up with the DOS archive program.) Setting the Samba option <code class="literal">map</code> <code class="literal">archive</code> <code class="literal">=</code> <code class="literal">yes</code> causes the DOS archive flag to be mapped to the Unix execute-by-owner (0100) bit. It's best to leave this option on if your Windows users are doing their own backups, or are using programs that require the archive bit. Unix lacks the notion of an archive bit entirely. Backup programs typically keep a file that lists what files were backed up on what date, so comparing file modification dates serves the same purpose.</p><p>Setting this option to <code class="literal">yes</code> causes an occasional surprise on Unix when a user notices that a data file is marked as executable, but rarely causes harm. If a user tries to run it, he or she will normally get a string of error messages as the shell tries to execute the first few lines as commands. The reverse is also possible; an executable Unix program looks like it hasn't been backed up recently on Windows. But again, this is rare, and is usually harmless.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.9"></a>
-map system</h4></div></div></div><a class="indexterm" name="ch05-idx-970601-0"></a><p>The DOS system attribute is used to indicate files that are required by the operating system, and should not be deleted, renamed, or moved without special effort. Set this option only if you need to store Windows system files on the Unix file server. Executable Unix programs will appear to be non-removable special Windows files when viewed from Windows clients. This may prove mildly inconvenient if you want to move or remove one. For most sites, however, this is fairly harmless.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-3.1.10"></a>
-map hidden</h4></div></div></div><a class="indexterm" name="ch05-idx-970602-0"></a><p>
-<a class="indexterm" name="ch05-idx-969828-0"></a>DOS uses the hidden attribute to indicate that a file should not ordinarily be visible in directory listings. Unix doesn't have such a facility; it's up to individual programs (notably the shell) to decide what to display and what not to display. Normally, you won't have any DOS files that need to be hidden, so the best thing to do is to leave this option turned off.</p><p>Setting this option to <code class="literal">yes</code> causes the server to map the hidden flag onto the executable-by-others bit (0001). This feature can produce a rather startling effect. Any Unix program that is executable by world seems to vanish when you look for it from a Windows client. If this option is not set, however, and a Windows user attempts to mark a file hidden on a Samba share, it will not work&#8212;Samba has no place to store the hidden attribute!<a class="indexterm" name="ch05-idx-969791-0"></a>
-<a class="indexterm" name="ch05-idx-969791-1"></a>
-<a class="indexterm" name="ch05-idx-969791-2"></a>
-<a class="indexterm" name="ch05-idx-969791-3"></a>
-<a class="indexterm" name="ch05-idx-969791-4"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-30534"></a>Name Mangling and Case</h2></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969835-0"></a>Back in the days of DOS and Windows 3.1, every filename was limited to eight upper-case characters, followed by a dot, and three more uppercase characters. This was known as the <em class="firstterm">8.3 format</em>
-<a class="indexterm" name="ch05-idx-969833-0"></a>
-<a class="indexterm" name="ch05-idx-969833-1"></a>, and was a huge nuisance. Windows 95/98, Windows NT, and Unix have since relaxed this problem by allowing many more case-sensitive characters to make up a filename. <a href="#ch05-24354" title="Table 5.6. Operating System Filename Limitations">Table 5.6</a> shows the current naming state of several popular operating systems.</p><div class="table"><a name="ch05-24354"></a><p class="title"><b>Table 5.6. Operating System Filename Limitations </b></p><div class="table-contents"><table summary="Operating System Filename Limitations " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Operating System</p></th><th><p>File Naming Rules</p></th></tr></thead><tbody><tr><td><p>DOS 6.22 or below</p></td><td><p>
-<a class="indexterm" name="ch05-idx-969834-0"></a>Eight characters followed by a dot followed by a three-letter extension (8.3 format); case insensitive</p></td></tr><tr><td><p>Windows 3.1 for Workgroups</p></td><td><p>Eight characters followed by a dot followed by a three-letter extension (8.3 format); case insensitive</p></td></tr><tr><td><p>Windows 95/98</p></td><td><p>127 characters; case sensitive</p></td></tr><tr><td><p>Windows NT</p></td><td><p>127 characters; case sensitive</p></td></tr><tr><td><p>Unix</p></td><td><p>255 characters; case sensitive</p></td></tr></tbody></table></div></div><br class="table-break"><p>
-<a class="indexterm" name="ch05-idx-969837-0"></a>Samba still has to remain backwards compatible with network clients who store files only in the 8.3 format, such as Windows for Workgroups. If a user creates a file on a share called <span class="emphasis"><em>antidisestablishmentarianism.txt</em></span>, a Windows for Workgroups client couldn't tell it apart from another file in the same directory called <span class="emphasis"><em>antidisease.txt</em></span>. Like Windows 95/98 and Windows NT, Samba has to employ a special methodology of translating a long filename to an 8.3 filename in such a way that similar filenames will not cause collisions. This is called <em class="firstterm">name mangling</em>, and Samba deals with this in a manner that is similar, but not identical to, Windows 95 and its successors.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-4.1"></a>The Samba Mangling Operation</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969840-0"></a>Here is how Samba mangles a long filename into an 8.3 filename:</p><div class="itemizedlist"><ul type="disc"><li><p>If the original filename does not begin with a dot, up to the first five alphanumeric characters that occur before the last dot (if there is one) are converted to uppercase. These characters are used as the first five characters of the 8.3 mangled filename.</p></li><li><p>If the original filename begins with a dot, the dot is removed and up to the first five alphanumeric characters that occur before the last dot (if there is one) are converted to uppercase. These characters are used as the first five characters of the 8.3 mangled filename.</p></li><li><p>These characters are immediately followed a special mangling character: by default, a tilde (~), although Samba allows you to change this character.</p></li><li><p>The base of the long filename before the last period is hashed into a two-character code; parts of the name after the last dot may be used if necessary. This two character code is appended to the 8.3 filename after the mangling character.</p></li><li><p>The first three characters after the last dot (if there is one) of the original filename are converted to uppercase and appended onto the mangled name as the extension. If the original filename began with a dot, three underscores (  <code class="literal">_   _   _  </code>) are used as the extension instead.</p></li></ul></div><p>Here are some examples:</p><pre class="programlisting">virtuosity.dat                       VIRTU~F1.DAT
-.htaccess                            HTACC~U0._ _ _
-hello.java                           HELLO~1F.JAV
-team.config.txt                      TEAMC~04.TXT
-antidisestablishmentarianism.txt     ANTID~E3.TXT
-antidiseast.txt                      ANTID~9K.TXT</pre><p>Using these rules will allow Windows for Workgroups to differentiate the two files on behalf of the poor individual who is forced to see the network through the eyes of that operating system. Note that the same long filename should always hash to the same mangled name with Samba; this doesn't always happen with Windows. The downside of this approach is that there can still be collisions; however, the chances are greatly reduced.</p><p>You generally want to use the mangling configuration options with only the oldest clients. We recommend doing this without disrupting other clients by adding an <code class="literal">include</code> directive to the <code class="filename">smb.conf</code> file:</p><pre class="programlisting">[global]
-	include = /ucsr/local/samba/lib/smb.conf.%m</pre><p>This resolves to <code class="filename">smb.conf.WfWg</code> when a Window for Workgroups client attaches.  Now you can create a file <code class="filename">/usr/local/samba/lib/smb.conf.WfWg</code> which might contain these options:</p><pre class="programlisting">[global]
-	case sensitive = no
-	default case = upper
-	preserve case = no
-	short preserve case = no
-	mangle case = yes
-	mangled names= yes</pre><p>If you are not using Windows for Workgroups 3.1, then you probably do not need to change any of these options from their defaults.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.1.1"></a>Representing and resolving filenames with Samba</h4></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969841-0"></a>
-<a class="indexterm" name="ch05-idx-969841-1"></a>Another item that we should point out is that there is a difference between how an operating system <span class="emphasis"><em>represents</em></span> a file and how it <span class="emphasis"><em>resolves</em></span> it. For example, if you've used Windows 95/98/NT, you have likely run across a file called <code class="filename">README.TXT</code>. The file can be represented by the operating system entirely in uppercase letters. However, if you open an MS-DOS prompt and enter the command <code class="literal">edit</code> <code class="literal">readme.txt</code>, the all-caps file is loaded into the editing program, even though you typed the name in lowercase letters!</p><p>This is because the Windows 95/98/NT family of operating systems resolves files in a case-insensitive manner, even though the files are represented it in a case-sensitive manner. Unix-based operating systems, on the other hand, always resolve files in a case-sensitive manner; if you try to edit <code class="filename">README.TXT</code> with the command <code class="literal">vi</code> <code class="literal">readme.txt</code>, you will likely be editing the empty buffer of a new file.</p><p>Here is how Samba handles case: if the <code class="literal">preserve</code> <code class="literal">case</code> is set to <code class="literal">yes</code>, Samba will always use the case provided by the operating system for representing (not resolving) filenames. If it is set to <code class="literal">no</code>, it will use the case specified by the <code class="literal">default</code> <code class="literal">case</code> option. The same is true for <code class="literal">short</code> <code class="literal">preserve</code> <code class="literal">case</code>. If this option is set to <code class="literal">yes</code>, Samba will use the default case of the operating system for representing 8.3 filenames; otherwise it will use the case specified by the <code class="literal">default</code> <code class="literal">case</code> option. Finally, Samba will always resolve filenames in its shares based on the value of the <code class="literal">case</code> <code class="literal">sensitive</code> option.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-4.2"></a>Mangling Options</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969842-0"></a>Samba allows you to give it more refined instructions on how it should perform name mangling, including those controlling the case sensitivity, the character inserted to form a mangled name, and the ability to manually map filenames from one format to another. These options are shown in <a href="#ch05-47431" title="Table 5.7. Name Mangling Options">Table 5.7</a>.</p><div class="table"><a name="ch05-47431"></a><p class="title"><b>Table 5.7. Name Mangling Options </b></p><div class="table-contents"><table summary="Name Mangling Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">case sensitive</code></p>
-
-<p><code class="literal">(casesignames)</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will treat filenames as case-sensitive (Windows doesn't).</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">default case</code></p></td><td><p>(<code class="literal">upper</code> or <code class="literal">lower</code>)</p></td><td><p>Case to assume as default (only used when preserve case is <code class="literal">no</code>).</p></td><td><p>Lower</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">preserve case</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, keep the case the client supplied (i.e., do not convert to <code class="literal">default case</code>).</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">short preserve case</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, preserve case of 8.3-format names that the client provides.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">mangle case</code></p></td><td><p>boolean</p></td><td><p>Mangle a name if it is mixed case.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">mangled names</code></p></td><td><p>boolean</p></td><td><p>8.3 DOS format.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">mangling char</code></p></td><td><p>string (single character)</p></td><td><p>Gives mangling character.</p></td><td><p><code class="literal">~</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">mangled stack</code></p></td><td><p>numerical</p></td><td><p>Number of mangled names to keep on the local mangling stack.</p></td><td><p><code class="literal">50</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">mangled map</code></p></td><td><p>string (list of patterns)</p></td><td><p>Allows mapping of filenames from one format into another.</p></td><td><p>None</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.1"></a>case sensitive</h4></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969856-0"></a>This share-level option, which has the obtuse synonym <code class="literal">casesignames</code>, specifies whether Samba should preserve case when resolving filenames in a specific share. The default value for this option is <code class="literal">no</code>, which is how Windows handles file resolution. If clients are using an operating system that takes advantage of case-sensitive filenames, you can set this configuration option to <code class="literal">yes</code> as shown here:</p><pre class="programlisting">[accounting]
-	case sensitive = yes</pre><p>Otherwise, we recommend that you leave this option set to its default.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.2"></a>default case</h4></div></div></div><p>The <code class="literal">default</code>
-<a class="indexterm" name="ch05-idx-970606-0"></a> <code class="literal">case</code> option is used with <code class="literal">preserve</code> <code class="literal">case</code>. This specifies the default case (upper or lower) that Samba will use when it creates a file on one of its shares on behalf of a client. The default case is <code class="literal">lower</code>, which means that newly created files will use the mixed-case names given to them by the client. If you need to, you can override this global option by specifying the following:</p><pre class="programlisting">[global]
-	default case = upper</pre><p>If you specify this value, the names of newly created files will be translated into uppercase, and cannot be overridden in a program. We recommend that you use the default value unless you are dealing with a Windows for Workgroups or other 8.3 client, in which case it should be <code class="literal">upper</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.3"></a>
-preserve case</h4></div></div></div><a class="indexterm" name="ch05-idx-970607-0"></a><p>This option specifies whether a file created by Samba on behalf of the client is created with the case provided by the client operating system, or the case specified by the <code class="literal">default</code> <code class="literal">case</code> configuration option above. The default value is <code class="literal">yes</code>, which uses the case provided by the client operating system. If it is set to <code class="literal">no</code>, the value of the <code class="literal">default</code> <code class="literal">case</code> option is used.</p><p>Note that this option does not handle 8.3 file requests sent from the client&#8212;see the <code class="literal">short</code> <code class="literal">preserve</code> <code class="literal">case</code> option below. You may want to set this option to <code class="literal">yes</code> if applications that create files on the Samba server are sensitive to the case used when creating the file. If you want to force Samba, for example, to mimic the behavior of a Windows NT filesystem, you can leave this option to its default, <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.4"></a>short preserve case</h4></div></div></div><a class="indexterm" name="ch05-idx-970608-0"></a><p>This option specifies whether an 8.3 filename created by Samba on behalf of the client is created with the default case of the client operating system, or the case specified by the <code class="literal">default</code> <code class="literal">case</code> configuration option. The default value is <code class="literal">yes</code>, which uses the case provided by the client operating system. You can let Samba choose the case through the <code class="literal">default</code> <code class="literal">case</code> option by setting it as follows:</p><pre class="programlisting">[global]
-	short preserve case = no</pre><p>If you want to force Samba to mimic the behavior of a Windows NT filesystem, you can leave this option set to its default, <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.5"></a>
-mangled names</h4></div></div></div><a class="indexterm" name="ch05-idx-970609-0"></a><p>This share-level option specifies whether Samba will mangle filenames for 8.3 clients in that share. If the option is set to <code class="literal">no</code>, Samba will not mangle the names and (depending on the client), they will either be invisible or appear truncated to those using 8.3 operating systems. The default value is <code class="literal">yes</code>. You can override it per share as follows:</p><pre class="programlisting">[data]
-	mangled names = no</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.6"></a>
-mangle case</h4></div></div></div><a class="indexterm" name="ch05-idx-970610-0"></a><p>This option tells Samba whether it should mangle filenames that are not composed entirely of the case specified using the <code class="literal">default</code> <code class="literal">case</code> configuration option. The default for this option is <code class="literal">no</code>. If you set it to <code class="literal">yes</code>, you should be sure that all clients will be able to handle the mangled filenames that result. You can override it per share as follows:</p><pre class="programlisting">[data]
-	mangle case = yes</pre><p>We recommend that you leave this option alone unless you have a well-justified need to change it.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.7"></a>
-mangling char</h4></div></div></div><a class="indexterm" name="ch05-idx-970611-0"></a><p>This share-level option specifies the mangling character used when Samba mangles filenames into the 8.3 format. The default character used is a tilde (~). You can reset it to whatever character you wish, for instance:</p><pre class="programlisting">[data]
-	mangling char = #</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.8"></a>
-mangled stack</h4></div></div></div><a class="indexterm" name="ch05-idx-970612-0"></a><p>Samba maintains a local stack of recently mangled 8.3 filenames; this stack can be used to reverse map mangled filenames back to their original state. This is often needed by applications that create and save a file, close it, and need to modify it later. The default number of long filename/mangled filename pairs stored on this stack is 50. However, if you want to cut down on the amount of processor time used to mangle filenames, you can increase the size of the stack to whatever you wish, at the expense of memory and slightly slower file access.</p><pre class="programlisting">[global]
-	mangled stack = 100</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-4.2.9"></a>
-mangled map</h4></div></div></div><a class="indexterm" name="ch05-idx-970613-0"></a><p>If the default behavior of name mangling is not sufficient, you can give Samba further instructions on how to behave using the <code class="literal">mangled</code> <code class="literal">map</code> option. This option allows you to specify mapping patterns that can be used before or even in place of name mangling performed by Samba. For example:</p><pre class="programlisting">[data]
-	mangled map =(*.database *.db) (*.class *.cls)</pre><p>Here, Samba is instructed to search each file it encounters for characters that match the first pattern specified in the parenthesis and convert them to the modified second pattern in the parenthesis for display on an 8.3 client. This is useful in the event that name mangling converts the filename incorrectly or to a format that the client cannot understand<a class="indexterm" name="ch05-idx-969851-0"></a> readily. Patterns are separated by whitespaces.<a class="indexterm" name="ch05-idx-969845-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch05-75933"></a>Locks and Oplocks</h2></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969857-0"></a>
-<a class="indexterm" name="ch05-idx-969857-1"></a>Concurrent writes to a single file are not desirable in any operating system. To prevent this, most operating systems use <em class="firstterm">locks</em> to guarantee that only one process can write to a file at a time. Operating systems traditionally lock entire files, although newer ones allow a range of bytes within a file to be locked. If another process attempts to write to a file (or section of one) that is already locked, it will receive an error from the operating system and will wait until the lock is released.</p><p>Samba supports the standard DOS and NT filesystem (deny-mode) locking requests, which allow only one process to write to an entire file on a server at a give time, as well as byte-range locking. In addition, Samba supports a new locking mechanism known in the Windows NT world as <em class="firstterm">opportunistic locking&#8212;</em><span class="emphasis"><em>oplock</em></span> for short.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-5.1"></a>Opportunistic Locking</h3></div></div></div><p>Opportunistic locking allows a client to notify the Samba server that it will not only be the exclusive writer of a file, but will also cache its changes to that file on its own machine (and not on the Samba server) in order to speed up file access for that client. When Samba knows that a file has been opportunistically locked by a client, it marks its version as having an opportunistic lock and waits for the client to complete work on the file, at which point it expects the client to send the final changes back to the Samba server for synchronization.</p><p>If a second client requests access to that file before the first client has finished working on it, Samba can send an <em class="firstterm">oplock break</em>
-<a class="indexterm" name="ch05-idx-969865-0"></a> request to the first client. This tells the client to stop caching its changes and return the current state of the file to the server so that the interrupting client can use it as it sees fit. An opportunistic lock, however, is not a replacement for a standard deny-mode lock. It is not unheard of for the interrupting process to be granted an oplock break only to discover that the original process also has a deny-mode lock on a file as well. <a href="#ch05-74304" title="Figure 5.8. Opportunistic locking">Figure 5.8</a> illustrates this opportunistic locking process.</p><div class="figure"><a name="ch05-74304"></a><p class="title"><b>Figure 5.8. Opportunistic locking</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 314px"><td><img src="figs/sam.0508.gif" height="314" alt="Opportunistic locking"></td></tr></table></div></div></div><br class="figure-break"><p>In terms of locks, we highly recommend using the defaults provided by Samba: standard DOS/Windows deny-mode locks for compatibility and oplocks for the extra performance that local caching allows. If your operating system can take advantage of oplocks, it should provide significant performance improvements. Unless you have a specific reason for changing any of these options, it's best to leave them as they are.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch05-SECT-5.2"></a>Unix and Locking</h3></div></div></div><p>
-<a class="indexterm" name="ch05-idx-969866-0"></a>
-<a class="indexterm" name="ch05-idx-969866-1"></a>Windows systems cooperate well to avoid overwriting each other's changes. But if a file stored on a Samba system is accessed by a Unix process, this process won't know a thing about Windows oplocks and could easily ride roughshod over a lock. Some Unix systems have been enhanced to understand the Windows oplocks maintained by Samba. Currently the support exists only in SGI Irix 6.5.2f and later; Linux and FreeBSD should soon follow.</p><p>If you have a system that understands oplocks, set <code class="literal">kernel</code> <code class="literal">oplocks</code> <code class="literal">=</code> <code class="literal">yes</code> in the Samba configuration file. That should eliminate conflicts between Unix processes and Windows users.</p><p>If your system does not support kernel oplocks, you could end up with corrupted data when somebody runs a Unix process that reads or writes a file that Windows users also access. However, Samba provides a rough protection mechanism in the absence of kernel oplocks: the <code class="literal">veto</code> <code class="literal">oplock</code> <code class="literal">files</code> option. If you can anticipate which Samba files are used by both Windows users and Unix users, set their names in a <code class="literal">veto</code> <code class="literal">oplock</code> <code class="literal">files</code> option. This will suppress the use of oplocks on matching filenames, which will supress client caching, and let the Windows and Unix programs use system locking or update times to detect competition for the same file. A sample option is:</p><pre class="programlisting">veto oplock files = /*.dbm/</pre><p>This option allows both Unix processes and Windows users to edit files ending in the suffix <span class="emphasis"><em>.dbm</em></span>. Note that the syntax of this option is similar to <code class="literal">veto</code> <code class="literal">files</code>.</p><p>Samba's options for locks and oplocks are given in <a href="#ch05-53407" title="Table 5.8. Locks and Oplocks Configuration Options">Table 5.8</a>.</p><div class="table"><a name="ch05-53407"></a><p class="title"><b>Table 5.8. Locks and Oplocks Configuration Options </b></p><div class="table-contents"><table summary="Locks and Oplocks Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">share modes</code></p></td><td><p>
-<a class="indexterm" name="ch05-idx-969867-0"></a>
-<a class="indexterm" name="ch05-idx-969867-1"></a>boolean</p></td><td><p>If set to <code class="literal">yes</code>, turns on support for DOS-style whole-file locks.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">locking</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, turns on byte-range locks.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">strict locking</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, denies access to an entire file if a byte-range lock exists in it.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">oplocks</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, turn on local caching of files on the client for this share.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">kernel oplocks</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, indicates that the kernel supports oplocks.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">fake oplocks</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, tells client the lock was obtained, but doesn't actually lock it.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">blocking locks </code></p></td><td><p>boolean</p></td><td><p>Allows lock requestor to wait for the lock to be granted.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">veto oplock files</code></p></td><td><p>string (list of filenames)</p></td><td><p>Does not oplock specified files.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lock directory</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Sets the location where various Samba files, including locks, are stored.</p></td><td><p>As specified in Samba makefile</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.1"></a>share modes</h4></div></div></div><p>The most primitive locks available to Samba are deny-mode locks, known as <em class="firstterm">share modes</em>
-<a class="indexterm" name="ch05-idx-969868-0"></a>
-<a class="indexterm" name="ch05-idx-969868-1"></a>, which are employed by programs such as text editors to avoid accidental overwriting of files. For reference, the deny-mode locks are listed in <a href="#ch05-55885" title="Table 5.9. SMB Deny-Mode Locks">Table 5.9</a>.</p><div class="table"><a name="ch05-55885"></a><p class="title"><b>Table 5.9. SMB Deny-Mode Locks </b></p><div class="table-contents"><table summary="SMB Deny-Mode Locks " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Lock</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">DENY_NONE</code></p></td><td><p>Do not deny any other file requests.</p></td></tr><tr><td><p><code class="literal">DENY_ALL</code></p></td><td><p>Deny all open requests on the current file.</p></td></tr><tr><td><p><code class="literal">DENY_READ</code></p></td><td><p>Deny any read-only open requests on the current file.</p></td></tr><tr><td><p><code class="literal">DENY_WRITE</code></p></td><td><p>Deny any write-only open requests on the current file.</p></td></tr><tr><td><p><code class="literal">DENY_DOS</code></p></td><td><p>If opened for reading, others can read but cannot write to the file. If opened for writing, others cannot open the file at all.</p></td></tr><tr><td><p><code class="literal">DENY_FCB</code></p></td><td><p>Obsolete.</p></td></tr></tbody></table></div></div><br class="table-break"><p>The <code class="literal">share</code> <code class="literal">modes</code> parameter, which enforces the use of these locks, is enabled by default. To disable it, use the following command:</p><pre class="programlisting">[accounting]
-	share modes = no</pre><p>We highly recommend against disabling the default locking mechanism unless you have a justifiable reason for doing so. Most Windows and DOS applications rely on these locking mechanisms in order to work correctly, and will complain bitterly if this functionality is taken away.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.2"></a>locking</h4></div></div></div><p>The<a class="indexterm" name="ch05-idx-970616-0"></a> <code class="literal">locking</code> option can be used to tell Samba to engage or disengage server-side byte-range locks on behalf of the client. Samba implements byte-range locks on the server side with normal Unix advisory locks and will consequently prevent other properly-behaved Unix processes from overwriting a locked byte range.</p><p>This option can be specified per share as follows:</p><pre class="programlisting">[accounting]
-	locking = yes</pre><p>If the <code class="literal">locking</code> option is set to <code class="literal">yes</code>, the requestor will be delayed until the holder of either type of lock releases it (or crashes). If, however, the option is set to <code class="literal">no</code>, no byte-range locks will be kept for the files, although requests to lock and unlock files will appear to succeed. The option is set to <code class="literal">yes</code> by default; however, you can turn this option off if you have read-only media.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.3"></a>
-strict locking</h4></div></div></div><a class="indexterm" name="ch05-idx-970617-0"></a><p>This option checks every file access for a byte-range lock on the range of bytes being accessed. This is typically not needed if a client adheres to all the locking mechanisms in place. This option is set to <code class="literal">no</code> by default; however, you can reset it per share as follows:</p><pre class="programlisting">[accounting]
-	strict locking = yes</pre><p>If this option is set to <code class="literal">yes</code>, mandatory locks are enforced on any file with byte-range locks.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.4"></a>
-blocking locks</h4></div></div></div><a class="indexterm" name="ch05-idx-970618-0"></a><p>Samba also supports <em class="firstterm">blocking locks</em>, a minor variant of range locks. Here, if the range of bytes is not available, the client specifies an amount of time that it's willing to wait. The server then caches the lock request, periodically checking to see if the file is available. If it is, it notifies the client; however, if time expires, Samba will tell the client that the request has failed. This strategy prevents the client from continually polling to see if the lock is available.</p><p>You can disable this option per share as follows:</p><pre class="programlisting">[accounting]
-	blocking locks = no</pre><p>When set to <code class="literal">yes</code>, blocking locks will be enforced on the file. If this option is set to <code class="literal">no</code>, Samba behaves as if normal locking mechanisms are in place on the file. The default is <code class="literal">yes</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.5"></a>
-oplocks</h4></div></div></div><a class="indexterm" name="ch05-idx-970619-0"></a><p>This option enables or disables support for oplocks on the client. The option is enabled by default. However, you can disable it with the following command:</p><pre class="programlisting">[data]
-	oplocks = no</pre><p>If you are in an extremely unstable network environment or have many clients that cannot take advantage of opportunistic locking, it may be better to shut this Samba feature off. Oplocks should be disabled if you are accessing the same files from both Unix applications (such as <span class="emphasis"><em>vi</em></span>  ) and SMB clients (unless you are lucky enough to have an operating system that supports kernel oplocks as discussed earlier).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.6"></a>
-fake oplocks</h4></div></div></div><a class="indexterm" name="ch05-idx-970620-0"></a><p>Before opportunistic locking was available on Samba, the Samba daemons pretended to allow oplocks via the <code class="literal">fake</code> <code class="literal">oplocks</code> option. If this option was enabled, all clients were told that the file is available for opportunistic locking, and never warned of simultaneous access. This option is deprecated now that real oplocks are available on Samba.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.7"></a>
-kernel oplocks</h4></div></div></div><a class="indexterm" name="ch05-idx-970621-0"></a><p>If a Unix application separate from Samba tries to update a file that Samba has oplocked to a Windows client, it will likely succeed (depending on the operating system) and both Samba and the client will never be aware of it. However, if the local Unix operating system supports it, Samba can warn it of oplocked files, which can suspend the Unix process, notify the client via Samba to write its copy back, and only then allow the open to complete. Essentially, this means that the operating system kernel on the Samba system has the ability to handle oplocks as well as Samba.</p><p>You can enable this behavior with the <code class="literal">kernel</code> <code class="literal">oplocks</code> option, as follows:</p><pre class="programlisting">[global]
-	kernel oplocks = yes</pre><p>Samba can automatically detect kernel oplocks and use them if present. At the time of this writing, this feature is supported only by SGI Irix 6.5.2f and later. However, Linux and FreeBSD support are expected in the near future. A system without kernel oplocks will allow the Unix process to update the file, but the client programs will notice the change only at a later time, if at all.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.8"></a>
-veto oplock files</h4></div></div></div><a class="indexterm" name="ch05-idx-970622-0"></a><p>You can provide a list of filenames that are never granted opportunistic locks with the <code class="literal">veto</code> <code class="literal">oplock</code> <code class="literal">files</code> option. This option can be set either globally or on a per-share basis. For example:</p><pre class="programlisting">veto oplock files = /*.bat/*.htm/</pre><p>The value of this option is a series of patterns. Each pattern entry must begin, end, or be separated from another with a slash ( / ) character, even if there is only one pattern listed. Asterisks can be used as a wildcard to represent zero or more characters. Questions marks can be used to represent exactly one character.</p><p>We recommend that you disable oplocks on any files that are meant to be updated by Unix or are intended to be shared by several processes simultaneously.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch05-SECT-5.2.9"></a>
-lock directory</h4></div></div></div><a class="indexterm" name="ch05-idx-970623-0"></a><p>This option (sometimes called <code class="literal">lock</code> <code class="literal">dir</code>) specifies the location of a directory where Samba will store SMB deny-mode lock files. Samba stores other files in this directory as well, such as browse lists and its shared memory file. If WINS is enabled, the WINS database is written to this directory as well. The default for this option is specified in the Samba makefile; it is typically <code class="filename">/usr/local/samba/var/locks</code>. You can override this location as follows:</p><pre class="programlisting">[global]
-	lock directory = /usr/local/samba/locks</pre><p>You typically would not need to override this option, unless you want to move the lock files to a more standardized location, such<a class="indexterm" name="ch05-idx-969871-0"></a>
-<a class="indexterm" name="ch05-idx-969871-1"></a> as<a class="indexterm" name="ch05-idx-969860-0"></a>
-<a class="indexterm" name="ch05-idx-969860-1"></a>
-<a class="indexterm" name="ch05-idx-969860-2"></a> <code class="filename">/var/spool/locks</code>.<a class="indexterm" name="ch05-idx-969562-0"></a></p></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch05-pgfId-964268" href="#ch05-pgfId-964268">1</a>] </sup>The system checkbox will probably be greyed for your file. Don't worry about that&#8212;you should still be able to see when the box is checked and when it isn't.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-6"></a>Chapter 6. Users, Security, and Domains </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch06-92902">6.1. Users and Groups</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-1.1">6.1.1. The [ homes] Share</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-27678">6.2. Controlling Access to Shares</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-2.1">6.2.1. Guest Access</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-2.2">6.2.2. Access Control Options</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-2.3">6.2.3. Username Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-88596">6.3. Authentication Security</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-3.1">6.3.1. Share-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.2">6.3.2. User-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.3">6.3.3. Server-level Security</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-3.4">6.3.4. Domain-level Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-61393">6.4. Passwords</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-4.0.1">6.4.1. Disabling encrypted passwords on the client</a></span></dt><dt><span class="sect2"><a href="#ch06-17782">6.4.2. The smbpasswd File</a></span></dt><dt><span class="sect2"><a href="#ch06-97004">6.4.3. Password Synchronization</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-4.3">6.4.4. Password Configuration Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-23084">6.5. Windows Domains</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-36822">6.5.1. Configuring Samba for Windows Domain Logons</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-5.2">6.5.2. Configuring Windows Clients for Domain Logons</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-5.3">6.5.3. Domain Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch06-38153">6.6. Logon Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch06-SECT-6.0.1">6.6.1. Roaming profiles</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.0.2">6.6.2. Mandatory profiles</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.1">6.6.3. Logon Script Options</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.2">6.6.4. Other Connection Scripts</a></span></dt><dt><span class="sect2"><a href="#ch06-SECT-6.3">6.6.5. Working with NIS and NFS</a></span></dt></dl></dd></dl></div><p>This chapter discusses how to configure users with the Samba server. This topic may seem straightforward at first, but you'll soon discover that there are several ancillary problems that can crop up. One issue that Samba administrators have difficulty with is user authentication&#8212;password and security problems are by far the most common support questions on the Samba mailing lists. Learning why various authentication mechanisms work on certain architectures (and don't on others) can save you a tremendous amount of time testing and debugging Samba users in the future.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-92902"></a>Users and Groups</h2></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967489-0"></a>
-<a class="indexterm" name="ch06-idx-967489-1"></a>Before we start, we need to warn you up front that if you are connecting to Samba with a Windows 98 or NT 4.0 Workstation SP3, you need to configure your server for encrypted passwords before you can make a connection; otherwise, the clients will refuse to connect to the Samba server. This is because each of those Windows clients sends encrypted passwords, and Samba needs to be configured to expect and decrypt them. We'll show you how to set up Samba for this task later in the chapter, assuming you haven't already tackled this problem in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>.</p><p>
-<a class="indexterm" name="ch06-idx-967590-0"></a>
-<a class="indexterm" name="ch06-idx-967590-1"></a>Let's start with a single user. The easiest way to set up a client user is to create a Unix account (and <a class="indexterm" name="ch06-idx-967591-0"></a>home directory) for that individual on the server, and notify Samba of the user's existence. You can do the latter by creating a disk share that maps to the user's home directory in the Samba configuration file, and restricting access to that user with the <code class="literal">valid</code> <code class="literal">users</code> option. For example:</p><pre class="programlisting">[dave]
-                path = /home/dave
-                comment = Dave's home directory
-                writeable = yes
-<span class="bold"><strong>                valid users = dave</strong></span></pre><p>The <code class="literal">valid</code> <code class="literal">users</code> option lists the users that will be allowed to access the share.  In this case, only the user <code class="literal">dave</code> is allowed to access the share. In the previous chapters, we specified that any user could access a disk share using the <code class="literal">guest</code> <code class="literal">ok</code> parameter. Because we don't wish to allow guest access, that option is absent here. We could grant both authenticated users and guest users access to a specific share if we wanted to. The difference between the two typically involves access rights for each of the files.</p><p>Remember that you can abbreviate the user's home directory by using the <code class="literal">%H</code> variable. In addition, you can use the Unix username variable <code class="literal">%u</code> and/or the client username variable <code class="literal">%U</code> in your options as well. For example:</p><pre class="programlisting">[dave]
-	comment = %U home directory
-	writeable = yes
-	valid users = dave
-	path = %H</pre><p>Both of these examples work as long as the Unix user that Samba uses to represent the client has read/write access to the directory referenced by the <code class="literal">path</code> option. In other words, a client must first pass Samba's security mechanisms (e.g., encrypted passwords, the <code class="literal">valid users</code> option, etc.) as well as the normal Unix file and directory permissions of its Unix-side user <span class="emphasis"><em>before</em></span> it can gain read/write access to a share.</p><p>With a single user accessing a home directory, access permissions are taken care of when the operating system creates the user account. However, if you're creating a shared directory for group access, there are a few more steps you need to perform. Let's take a stab at a group share for the accounting department in the <span class="emphasis"><em>smb.conf</em></span> file:</p><pre class="programlisting">[accounting]
-	comment = Accounting Department Directory
-	writeable = yes
-	valid users = @account
-	path = /home/samba/accounting
-	create mode = 0660
-	directory mode = 0770</pre><p>The first thing that you might notice we did differently is to specify <code class="literal">@account</code> as the valid user instead of one or more individual usernames. This is shorthand for saying that the valid users are represented by the Unix group <code class="literal">account</code>. These users will need to be added to the group entry <code class="literal">account</code> in the system group file ( <code class="filename">/etc/group</code> or equivalent) to be recognized as part of the group. Once they are, Samba will recognize those users as valid users for the share.</p><p>In addition, you will need to create a <a class="indexterm" name="ch06-idx-967592-0"></a>shared directory that the members of the group can access, which is pointed to by the <code class="literal">path</code> configuration option. Here are the Unix commands that create the shared directory for the accounting department (assuming <span class="emphasis"><em>/home/samba</em></span> already exists):</p><pre class="programlisting"># <span class="bold"><strong>mkdir /home/samba/accounting</strong></span># <span class="bold"><strong>chgrp account /home/samba/accounting</strong></span># <span class="bold"><strong>chmod 770 /home/samba/accounting</strong></span></pre><p>There are two other options in this <code class="filename">smb.conf</code> example, both of which we saw in the previous chapter. These options are <code class="literal">create</code> <code class="literal">mode</code> and <code class="literal">directory</code> <code class="literal">mode</code>. These options set the maximum file and directory permissions that a new file or directory can have. In this case, we have denied all world access to the contents of this share. (This is reinforced by the <span class="emphasis"><em>chmod</em></span> command, shown earlier.).</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-1.1"></a>The [ homes] Share</h3></div></div></div><p>Let's return to user shares for a moment. If we have several users to set up home directory shares for, we probably want to use the special <code class="literal">[homes]</code> share that we introduced in <a href="#SAMBA-CH-5" title="Chapter 5. Browsing and Advanced Disk Shares">Chapter 5</a>. With the <code class="literal">[homes]</code>
-<a class="indexterm" name="ch06-idx-967594-0"></a>
-<a class="indexterm" name="ch06-idx-967594-1"></a> share, all we need to say is:</p><pre class="programlisting">[homes]
-	browsable = no
-	writable = yes</pre><p>The <code class="literal">[homes]</code> share is a special section of the Samba configuration file. If a user attempts to connect to an ordinary share that doesn't appear in the <code class="filename">smb.conf</code> file (such as specifying it with a UNC in Windows Explorer), Samba will search for a <code class="literal">[homes]</code> share. If one exists, the incoming share name is assumed to be a username and is queried as such in the password database ( <code class="filename">/etc/passwd</code> or equivalent) file of the Samba server. If it appears, Samba assumes the client is a Unix user trying to connect to his or her home directory.</p><p>As an illustration, let's assume that <code class="literal">sofia</code> is attempting to connect to a share called [<code class="literal">sofia]</code> on the Samba server. There is no share by that name in the configuration file, but a <code class="literal">[homes]</code> share exists and user <code class="literal">sofia</code> is present in the password database, so Samba takes the following steps:</p><div class="orderedlist"><ol type="1"><li><p>Samba creates a new disk share called <code class="literal">[sofia]</code> with the <code class="literal">path</code> specified in the <code class="literal">[homes]</code> section. If there is no <code class="literal">path</code> option specified in <code class="literal">[homes]</code>, Samba initializes it to her home directory.</p></li><li><p>Samba initializes the new share's options from the defaults in <code class="literal">[globals]</code>, and any overriding options in <code class="literal">[homes]</code> with the exception of <code class="literal">browseable</code>.</p></li><li><p>Samba connects <code class="literal">sofia</code>'s client to that share.</p></li></ol></div><p>The <code class="literal">[homes]</code> share is a fast, painless way to create shares for your user community without having to duplicate the information from the password database file in the <code class="filename">smb.conf</code> file. It does have some peculiarities, however, that we need to point out:</p><div class="itemizedlist"><ul type="disc"><li><p>The <code class="literal">[homes]</code> section can represent any account on the machine, which isn't always desirable. For example, it can potentially create a share for <span class="emphasis"><em>root</em></span>, <span class="emphasis"><em>bin</em></span>, <span class="emphasis"><em>sys</em></span>, <span class="emphasis"><em>uucp</em></span>, and the like. (You can set a global <code class="literal">invalid</code> <code class="literal">users</code> option to protect against this.)</p></li><li><p>The meaning of the <code class="literal">browseable</code> configuration option is different from other shares; it indicates only that a <code class="literal">[homes]</code> section won't show up in the local browse list, not that the <code class="literal">[alice]</code> share won't. When the <code class="literal">[alice]</code> section is created (after the initial connection), it will use the browsable value from the <code class="literal">[globals]</code> section for that share, not the value from <code class="literal">[homes]</code>.</p></li></ul></div><p>As we mentioned, there is no need for a path statement in <code class="literal">[homes]</code> if the users have Unix home directories in the server's <code class="filename">/etc/passwd</code> file. You should ensure that a valid home directory does exist, however, as Samba will not automatically create a home directory for a user, and will refuse a tree connect if the user's directory does not exist or is not accessible.<a class="indexterm" name="ch06-idx-967568-0"></a>
-<a class="indexterm" name="ch06-idx-967568-1"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-27678"></a>Controlling Access to Shares</h2></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967497-0"></a>
-<a class="indexterm" name="ch06-idx-967497-1"></a>Often you will need to restrict the users who can access a specific share for security reasons. This is very easy to do with Samba since it contains a wealth of options for creating practically any security configuration. Let's introduce a few configurations that you might want to use in your own Samba setup.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Again, if you are connecting with Windows 98 or NT 4.0 with Service Pack 3 (or above), those clients will send encrypted passwords to the Samba server. If Samba is not configured for this, it will continually refuse the connection. This chapter describes how to set up Samba for encrypted passwords. See <a href="#ch06-61393" title="Passwords">Section 6.4</a>.</p></div><p>We've seen what happens when you specify valid users. However, you are also allowed to specify a list of invalid <a class="indexterm" name="ch06-idx-967599-0"></a>users&#8212;users who should never be allowed access to Samba or its shares. This is done with the <code class="literal">invalid</code> <code class="literal">users</code> option. We hinted at one frequent use of this option earlier: a global default with the <code class="literal">[homes]</code> section to ensure that various system users and superusers cannot be forged for access. For example:</p><pre class="programlisting">[global]
-	invalid users = root bin daemon adm sync shutdown \
-                             halt mail news uucp operator gopher
-	auto services = dave peter bob
-
-[homes]
-	browsable = no
-	writeable = yes</pre><p>The <code class="literal">invalid</code> <code class="literal">users</code> option, like <code class="literal">valid</code> <code class="literal">users</code>, can take group names as well as usernames. In the event that a user or group appears in both lists, the <code class="literal">invalid</code> <code class="literal">users</code> option takes precedence and the user or group will be denied access to the share.</p><p>At the other end of the spectrum, you can explicitly specify users who will be allowed <a class="indexterm" name="ch06-idx-967600-0"></a>
-<a class="indexterm" name="ch06-idx-967600-1"></a>
-<a class="indexterm" name="ch06-idx-967600-2"></a>superuser (root) access to a share with the <code class="literal">admin</code> <code class="literal">users</code> option. An example follows:</p><pre class="programlisting">[sales]
-		path = /home/sales
-		comment = Fiction Corp Sales Data
-		writeable = yes
-		valid users = tom dick harry
-		admin users = mike</pre><p>This option takes both group names and usernames. In addition, you can specify NIS netgroups by preceding them with an <code class="literal">@</code> as well; if the netgroup is not found, Samba will assume that you are referring to a standard Unix group.</p><p>Be careful if you assign an entire <a class="indexterm" name="ch06-idx-967601-0"></a>group administrative privileges to a share. The Samba team highly recommends you avoid using this option, as it essentially gives root access to the specified users or groups for that share.</p><p>If you wish to force <a class="indexterm" name="ch06-idx-967602-0"></a>
-<a class="indexterm" name="ch06-idx-967602-1"></a>read-only or read-write access to users who access a share, you can do so with the <code class="literal">read</code> <code class="literal">list</code> and <code class="literal">write</code> <code class="literal">list</code> options, respectively. These options can be used on a per-share basis to restrict a writable share or grant write access to specific users in a read-only share, respectively. For example:</p><pre class="programlisting">[sales]
-		path = /home/sales
-		comment = Fiction Corp Sales Data
-		read only = yes
-		write list = tom dick</pre><p>The <code class="literal">write</code> <code class="literal">list</code> option cannot override <a class="indexterm" name="ch06-idx-968868-0"></a>Unix permissions. If you've created the share without giving the write-list user write permission on the Unix system, he or she will be denied write access regardless of the setting of <code class="literal">write</code> <code class="literal">list</code>.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-2.1"></a>Guest Access</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967606-0"></a>As mentioned earlier, you can specify users who have guest access to a share. The options that control guest access are easy to work with. The first option, <code class="literal">guest</code> <code class="literal">account</code>, specifies the Unix account that guest users should be assigned when connecting to the Samba server. The default value for this is set during compilation, and is typically <code class="literal">nobody</code>. However, you may want to reset the guest user to <code class="literal">ftp</code> if you have trouble accessing various system services.</p><p>If you wish to restrict access in a share only to guests&#8212;in other words, all clients connect as the guest account when accessing the share&#8212;you can use the <code class="literal">guest</code> <code class="literal">only</code> option in conjunction with the <code class="literal">guest ok</code> option, as shown in the following example:</p><pre class="programlisting">[sales]
-		path = /home/sales
-		comment = Fiction Corp Sales Data
-		writeable = yes
-		guest ok = yes
-		guest account = ftp
-		guest only = yes</pre><p>Make sure you specify <code class="literal">yes</code> for both <code class="literal">guest only</code> and <code class="literal">guest ok</code> in this scenario; otherwise, Samba will not use the guest acount that you specify.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-2.2"></a>Access Control Options</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967608-0"></a><a href="#ch06-28077" title="Table 6.1. Share-level Access Options">Table 6.1</a> summarizes the options that you can use to control access to shares.</p><div class="table"><a name="ch06-28077"></a><p class="title"><b>Table 6.1. Share-level Access Options </b></p><div class="table-contents"><table summary="Share-level Access Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">admin users</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users who can perform operations as root.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">valid users</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users that can connect to a share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">invalid users</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users that will be denied access to a share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">read list</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users that have read-only access to a writable share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">write list</code></p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users that have read-write access to a read-only share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">max connections</code></p></td><td><p>numerical</p></td><td><p>Indicates the maximum number of connections for a share at a given time.</p></td><td><p><code class="literal">0</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">guest only (only guest)</code></p></td><td><p>boolean</p></td><td><p>Specifies that this share allows only guest access.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">guest account</code></p></td><td><p>string (name of account)</p></td><td><p>Names the Unix account that will be used for guest access.</p></td><td><p><code class="literal">nobody</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.1"></a>
-admin users</h4></div></div></div><a class="indexterm" name="ch06-idx-969448-0"></a><p>This option specifies a list of users that perform file operations as if they were <code class="literal">root</code>. This means that they can modify or destroy any other user's work, no matter what the permissions. Any files that they create will have root ownership and will use the default group of the admin user. The <code class="literal">admin</code> <code class="literal">users</code> option is used to allow PC users to act as administrators for particular shares. We urge you to avoid this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.2"></a>v
-alid users and invalid users</h4></div></div></div><a class="indexterm" name="ch06-idx-969449-0"></a><a class="indexterm" name="ch06-idx-969449-1"></a><p>These two options let you enumerate the users and groups who are granted or denied access to a particular share. You can enter a list of comma-delimited users, or indicate an NIS or Unix group name by prefixing the name with an at-sign (<code class="literal">@</code>).</p><p>The important rule to remember with these options is that any name or group in the <code class="literal">invalid</code> <code class="literal">users</code> list will <span class="emphasis"><em>always</em></span> be denied access, even if it is included (in any form) in the <code class="literal">valid</code> <code class="literal">users</code> list. By default, neither option has a value associated with it. If both options have no value, any user is allowed to access the share.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.3"></a>
-
-read list and write list</h4></div></div></div><a class="indexterm" name="ch06-idx-969450-0"></a><a class="indexterm" name="ch06-idx-969450-1"></a><p>Like the <code class="literal">valid</code> <code class="literal">users</code> <code class="literal">and</code> <code class="literal">invalid</code> <code class="literal">users</code> options, this pair of options specifies which users have read-only access to a writeable share and read-write access to a read-only share, respectively. The value of either options is a list of users. <code class="literal">read</code> <code class="literal">list</code> overrides any other Samba permissions granted&#8212;as well as Unix file permissions on the server system&#8212;to deny users write access. <code class="literal">write</code> <code class="literal">list</code> overrides other Samba permissions to grant write access, but cannot grant write access if the user lacks write permissions for the file on the Unix system. You can specify NIS or Unix group names by prefixing the name with an at sign (such as <code class="literal">@users</code>). Neither configuration option has a default value associated with it.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.4"></a>
-max connections</h4></div></div></div><a class="indexterm" name="ch06-idx-969451-0"></a><p>This option specifies the maximum number of client connections that a share can have at any given time. Any connections that are attempted after the maximum is reached will be rejected. The default value is <code class="literal">0</code>, which means that an unlimited number of connections are allowed. You can override it per share as follows:</p><pre class="programlisting">[accounting]
-	max connections = 30</pre><p>This option is useful in the event that you need to limit the number of users who are accessing a licensed program or piece of data concurrently.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.5"></a>
-guest only</h4></div></div></div><a class="indexterm" name="ch06-idx-969452-0"></a><p>This share-level option (sometimes called <code class="literal">only</code> <code class="literal">guest</code>) forces a connection to a share to be performed with the user specified by the <code class="literal">guest</code> <code class="literal">account</code> option. The share to which this is applied must explicitly specify <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">yes</code> in order for this option to be recognized by Samba. The default value for this option is <code class="literal">no</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.2.6"></a>
-guest account</h4></div></div></div><a class="indexterm" name="ch06-idx-969453-0"></a><p>This option specifies the name of account to be used for guest access to shares in Samba. The default for this option varies from system to system, but it is often set to <code class="literal">nobody</code>. Some default user accounts have trouble connecting as guest users. If that occurs on your system, the Samba team recommends using the ftp account as the guest<a class="indexterm" name="ch06-idx-967617-0"></a> user.<a class="indexterm" name="ch06-idx-967607-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-2.3"></a>Username Options</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967622-0"></a><a href="#ch06-82964" title="Table 6.2. Username Options">Table 6.2</a> shows two additional options that Samba can use to correct for incompatibilities in usernames between Windows and Unix.</p><div class="table"><a name="ch06-82964"></a><p class="title"><b>Table 6.2. Username Options </b></p><div class="table-contents"><table summary="Username Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">username map</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Sets the name of the username mapping file.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">username level</code></p></td><td><p>numerical</p></td><td><p>Indicates the number of capital letters to use when trying to match a username.</p></td><td><p><code class="literal">0</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.3.1"></a>
-username map</h4></div></div></div><a class="indexterm" name="ch06-idx-969456-0"></a><p>
-<a class="indexterm" name="ch06-idx-967632-0"></a>
-<a class="indexterm" name="ch06-idx-967632-1"></a>
-<a class="indexterm" name="ch06-idx-967632-2"></a>Client usernames on an SMB network can be relatively large (up to 255 characters), while usernames on a Unix network often cannot be larger than eight characters. This means that an individual user may have one username on a client and another (shorter) one on the Samba server. You can get past this issue by<em class="firstterm"> mapping</em> a free-form client username to a Unix username of eight or fewer characters. It is placed in a standard text file, using a format that we'll describe shortly. You can then specify the pathname to Samba with the global <code class="literal">username</code> <code class="literal">map</code> option. Be sure to restrict access to this file; make the root user the file's owner and deny write access to others. Otherwise, an untrusted user who can access the file can easily map their client username to the root user of the Samba server.</p><p>You can specify this option as follows:</p><pre class="programlisting">[global]
-	username map = /etc/samba/usermap.txt</pre><p>Each of the entries in the username map file should be listed as follows: the Unix username, followed by an equal sign (<code class="literal">=</code>), followed by one or more whitespace-separated SMB client usernames. Note that unless instructed otherwise, (i.e., a guest connection), Samba will expect both the client and the server user to have the same password. You can also map NT groups to one or more specific Unix groups using the <code class="literal">@</code> sign. Here are some examples:</p><pre class="programlisting">jarwin = JosephArwin
-manderso = MarkAnderson
-users = @account</pre><p>Also, you can use the asterisk to specify a wildcard that matches any free-form client username as an entry in the username map file:</p><pre class="programlisting">nobody = *</pre><p>Comments in the file can be specified as lines beginning with (#) and (<code class="literal">;</code>).</p><p>Note that you can also use this file to redirect one Unix user to another user. Be careful if you do so because Samba and your client may not notify the user that the mapping has been made and Samba may be expecting a different password.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-2.3.2"></a>
-username level</h4></div></div></div><a class="indexterm" name="ch06-idx-969459-0"></a><p>
-<a class="indexterm" name="ch06-idx-967633-0"></a>
-<a class="indexterm" name="ch06-idx-967633-1"></a>SMB clients (such as Windows) will often send usernames in SMB connection requests entirely in capital letters; in other words, client usernames are not necessarily case sensitive. On a Unix server, however, usernames <span class="emphasis"><em>are</em></span> case sensitive: the user <code class="literal">ANDY</code> is different from the user <code class="literal">andy</code>. By default, Samba attacks this problem by doing the following:</p><div class="orderedlist"><ol type="1"><li><p>Checking for a user account with the exact name sent by the client</p></li><li><p>Testing the username in all lowercase letters</p></li><li><p>Testing the username in lowercase letters with only the first letter capitalized</p></li></ol></div><p>If you wish to have Samba attempt more combinations of uppercase and lowercase letters, you can use the <code class="literal">username</code> <code class="literal">level</code> global configuration option. This option takes an integer value that specifies how many letters in the username should be capitalized when attempting to connect to a share. You can specify this options as follows:</p><pre class="programlisting">[global]
-	username level = 3</pre><p>In this case, Samba will then attempt all permutations of usernames it can compute having three capital letters. The larger the number, the more computations Samba will have to perform to match the username and the longer the authentication wil<a class="indexterm" name="ch06-idx-967629-0"></a>l take.<a class="indexterm" name="ch06-idx-967624-0"></a>
-<a class="indexterm" name="ch06-idx-967624-1"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-88596"></a>Authentication Security</h2></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967505-0"></a>
-<a class="indexterm" name="ch06-idx-967505-1"></a>At this point, we should discuss how Samba authenticates users. Each user who attempts to connect to a share that does not allow guest access must provide a password to make a successful connection. What Samba does with that password&#8212;and consequently the strategy Samba will use to handle user authentication&#8212;is the arena of the <code class="literal">security</code> configuration option. There are currently four <a class="indexterm" name="ch06-idx-967637-0"></a>security levels that Samba supports on its network: <em class="firstterm">share</em>, <em class="firstterm">user</em>, <em class="firstterm">server</em>, and <em class="firstterm">domain</em>.</p><div class="variablelist"><dl><dt><span class="term">
-<a class="indexterm" name="ch06-idx-967638-0"></a>Share-level security</span></dt><dd><p>Each share in the workgroup has one or more passwords associated with it. Anyone who knows a valid password for the share can access it.</p></dd><dt><span class="term">
-<a class="indexterm" name="ch06-idx-967639-0"></a>User-level security</span></dt><dd><p>Each share in the workgroup is configured to allow access from certain users. With each initial tree connection, the Samba server verifies users and their passwords to allow them access to the share.</p></dd><dt><span class="term">Server-level security</span></dt><dd><p>This is the same as user-level security, except that the Samba server uses a separate SMB server to validate users and their passwords before granting access to the share.</p></dd><dt><span class="term">
-<a class="indexterm" name="ch06-idx-967641-0"></a>Domain-level security</span></dt><dd><p>Samba becomes a member of a Windows domain and uses the domain's <a class="indexterm" name="ch06-idx-967642-0"></a>primary domain controller (PDC) to perform authentication. Once authenticated, the user is given a special token that allows him or her access to any share with appropriate access rights. With this token, the PDC will not have to revalidate the user's password each time he or she attempts to access another share within the domain.</p></dd></dl></div><p>Each of these security policies can be implemented with the global <code class="literal">security</code> option, as shown in <a href="#ch06-73905" title="Table 6.3. Security Option">Table 6.3</a>.</p><div class="table"><a name="ch06-73905"></a><p class="title"><b>Table 6.3. Security Option </b></p><div class="table-contents"><table summary="Security Option " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">security</code></p></td><td><p>
-<a class="indexterm" name="ch06-idx-968919-0"></a><code class="literal">domain</code>, <code class="literal">server</code>, <code class="literal">share</code>, or <code class="literal">user</code></p></td><td><p>Indicates the type of security that the Samba server will use.</p></td><td><p><code class="literal">user</code> (Samba 2.0) or <code class="literal">share</code> (Samba 1.9)</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-3.1"></a>Share-level Security</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967644-0"></a>
-<a class="indexterm" name="ch06-idx-967644-1"></a>With share-level security, each share has one or more passwords associated with it. This differs from the other modes of security in that there are no restrictions as to whom can access a share, as long as that individual knows the correct password. Shares often have multiple passwords. For example, one password may grant read-only access, while another may grant read-write access, and so on. Security is maintained as long as unauthorized users do not discover the password for a share to which they shouldn't have access.</p><p>
-<a class="indexterm" name="ch06-idx-967666-0"></a>
-<a class="indexterm" name="ch06-idx-967666-1"></a>OS/2 and Window 95/98 both support share-level security on their resources. You can set up share-level security with Windows 95/98 by first enabling share-level security using the Access Control tab of the Network Control Panel dialog. Then select the Share-level Access Control radio button (which deselects the user-level access control radio button), as shown in <a href="#ch06-33100" title="Figure 6.1. Selecting share-level security on a Windows machine">Figure 6.1</a>, and press the OK button.</p><div class="figure"><a name="ch06-33100"></a><p class="title"><b>Figure 6.1. Selecting share-level security on a Windows machine</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 284px"><td><img src="figs/sam.0601.gif" height="284" alt="Selecting share-level security on a Windows machine"></td></tr></table></div></div></div><br class="figure-break"><p>Next, right click on a resource&#8212;such as a hard drive or a CD-ROM&#8212;and select the Properties menu item. This will bring up the Resource Properties dialog box. Select the Sharing tab at the top of the dialog box and enable the resource as Shared As. From here, you can configure how the shared resource will appear to individual users, as well as assigning whether the resource will appear as read-only, read-write, or a mix, depending on the password that is supplied.</p><p>You might be thinking that this security model is not a good fit for Samba&#8212;and you would be right. In fact, if you set the <code class="literal">security</code> <code class="literal">=</code> <code class="literal">share</code> option in the Samba configuration file, Samba will still reuse the username/passwords combinations in the system password files to authenticate access. More precisely, Samba will take the following steps when a client requests a connection using <a class="indexterm" name="ch06-idx-967667-0"></a>share-level security:</p><div class="orderedlist"><ol type="1"><li><p>When a connection is requested, Samba will accept the password and (if sent) the username of the client.</p></li><li><p>If the share is <code class="literal">guest</code> <code class="literal">only </code>, the user is immediately granted access to the share with the rights of the user specified by the <code class="literal">guest</code> <code class="literal">account</code> parameter; no password checking is performed.</p></li><li><p>For other shares, Samba appends the username to a list of users who are allowed access to the share. It then attempts to validate the password given in association with that username. If successful, Samba grants the user access to the share with the rights assigned to that user. The user will not need to authenticate again unless a <code class="literal">revalidate</code> <code class="literal">=</code> <code class="literal">yes</code> option has been set inside the share.</p></li><li><p>If the authentication is unsuccessful, Samba will attempt to validate the password against the list of users it has previously compiled throughout the attempted connections, as well as any specified under the share in the configuration file. If the password does not match any usernames (as specified in the system password file, typically <code class="filename">/etc/passwd </code>), the user is not granted access to the share under that username.</p></li><li><p>However, if the share has a <code class="literal">guest</code> <code class="literal">ok</code> or <code class="literal">public</code> option set, the user will default to access with the rights of the user specified by the <code class="literal">guest</code> <code class="literal">account</code> option.</p></li></ol></div><p>You can indicate in the configuration file which users should be initially placed on the share-level security user list by using the <code class="literal">username</code> configuration option, as shown below:</p><pre class="programlisting">[global]
-	security = share
-[accounting1]
-	path = /home/samba/accounting1
-	guest ok = no
-	writable = yes
-	username = davecb, pkelly, andyo</pre><p>Here, when a user attempts to connect to a share, Samba will verify the password that was sent against each of the users in its own list, in addition to the passwords of users <code class="literal">davecb</code>, <code class="literal">pkelly</code>, and <code class="literal">andyo</code>. If any of the passwords match, the connection will be verified and the user will be allowed. Otherwise, connection to the specific share will fail.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-3.1.1"></a>
-
-Share Level Security Options</h4></div></div></div><a class="indexterm" name="ch06-idx-967668-0"></a><a class="indexterm" name="ch06-idx-967668-1"></a><p><a href="#ch06-80998" title="Table 6.4. Share-Level Access Options">Table 6.4</a> shows the options typically associated with share-level security.</p><div class="table"><a name="ch06-80998"></a><p class="title"><b>Table 6.4. Share-Level Access Options </b></p><div class="table-contents"><table summary="Share-Level Access Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">only user</code></p></td><td><p>boolean</p></td><td><p>Indicates whether usernames specified by <code class="literal">username</code> will be the only ones allowed.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">username </code>(user or users)</p></td><td><p>string (list of usernames)</p></td><td><p>Specifies a list of users against which a client's password will be tested.</p></td><td><p>None</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-3.1.2"></a>only user</h4></div></div></div><p>This boolean option indicates whether Samba will allow connections to a share using share-level security based solely on the individuals specified in the <code class="literal">username</code> option, instead of those users compiled on Samba's internal list. The default value for this option is <code class="literal">no</code>. You can override it per share as follows:</p><pre class="programlisting">[global]
-    security = share
-[data]
-    username = andy, peter, valerie
-    only user = yes</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-3.1.3"></a>
-username</h4></div></div></div><a class="indexterm" name="ch06-idx-969462-0"></a><p>This option presents a list of users against which Samba will test a connection password to allow access. It is typically used with clients that have share-level security to allow connections to a particular service based solely on a qualifying password&#8212;in this case, one that matches a password set up for a specific user:</p><pre class="programlisting">[global]
-    security = share
-[data]
-     username = andy, peter, terry</pre><p>We recommend against using this option unless you are implementing a Samba server with share-level security.<a class="indexterm" name="ch06-idx-967645-0"></a>
-<a class="indexterm" name="ch06-idx-967645-1"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-3.2"></a>User-level Security</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967646-0"></a>
-<a class="indexterm" name="ch06-idx-967646-1"></a>The preferred mode of security with Samba is <em class="firstterm">user-level security</em>. With this method, each share is assigned specific users that can access it. When a user requests a connection to a share, Samba authenticates by validating the given username and password with the authorized users in the configuration file and the passwords in the password database of the Samba server. As mentioned earlier in the chapter, one way to isolate which users are allowed access to a specific <a class="indexterm" name="ch06-idx-967676-0"></a>share is by using the <code class="literal">valid</code> <code class="literal">users</code> option for each share:</p><pre class="programlisting">[global]
-	security = user
-[accounting1]
-	writable = yes
-	valid users = bob, joe, sandy</pre><p>Each of the users listed will be allowed to connect to the share if the password provided matches the password stored in the system password database on the server. Once the initial authentication succeeds, the user will not need to re-enter a password again to access that share unless the <code class="literal">revalidate</code> <code class="literal">=</code> <code class="literal">yes</code> option has been set.</p><p>
-<a class="indexterm" name="ch06-idx-967677-0"></a>Passwords can be sent to the Samba server in either an encrypted or a non-encrypted format. If you have both types of systems on your network, you should ensure that the passwords represented by each user are stored both in a traditional account database and Samba's encrypted password database. This way, authorized users can gain access to their shares from any type of client.<sup>[<a name="ch06-pgfId-968956" href="#ftn.ch06-pgfId-968956">1</a>]</sup> However, we recommend that you move your system to encrypted passwords and abandon non-encrypted passwords if security is an issue. <a href="#ch06-61393" title="Passwords">Section 6.4</a> in this chapter explains how to use encrypted as well as non-encrypted passwords.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-3.3"></a>Server-level Security</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967648-0"></a>
-<a class="indexterm" name="ch06-idx-967648-1"></a>Server-level security is similar to user-level security. However, with server-level security, Samba delegates password authentication to another <a class="indexterm" name="ch06-idx-967679-0"></a>SMB password server, typically another Samba server or a Windows NT Server acting as a <a class="indexterm" name="ch06-idx-967680-0"></a>PDC on the network. Note that Samba still maintains its list of shares and their configuration in its <code class="filename">smb.conf</code> file. When a client attempts to make a connection to a particular share, Samba validates that the user is indeed authorized to connect to the share. Samba will then attempt to validate the password by contacting the SMB password server through a known protocol and presenting the username and password to the SMB password server. If the password is accepted, a session will be established with the client. See <a href="#ch06-89929" title="Figure 6.2. A typical system setup using server level security">Figure 6.2</a> for an illustration of this setup.</p><div class="figure"><a name="ch06-89929"></a><p class="title"><b>Figure 6.2. A typical system setup using server level security</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 177px"><td><img src="figs/sam.0602.gif" height="177" alt="A typical system setup using server level security"></td></tr></table></div></div></div><br class="figure-break"><p>You can configure Samba to use a separate password server under server-level security with the use of the <code class="literal">password</code> <code class="literal">server</code> global configuration option, as follows:</p><pre class="programlisting">[global]
-	security = server
-	password server = PHOENIX120 HYDRA134</pre><p>Note that you can specify more than one machine as the target of the <code class="literal">password</code> <code class="literal">server </code>; Samba will move down the list of servers in the event that its first choice is unreachable. The servers identified by the <code class="literal">password</code> <code class="literal">server</code> option are given as NetBIOS names, not their DNS names or equivalent IP addresses. Also, if any of the servers reject the given password, the connection will automatically fail&#8212;Samba will not attempt another server.</p><p>One caveat: when using this option, you will still need an account representing that user on the regular Samba server. This is because the Unix operating system needs a username to perform various I/O operations. The preferable method of handling this is to give the user an account on the Samba server but disable the account's password by replacing it in the system password file (e.g., <code class="filename">/etc/passwd  </code>) with an <a class="indexterm" name="ch06-idx-967681-0"></a>
-<a class="indexterm" name="ch06-idx-967681-1"></a>asterisk (*).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-3.4"></a>Domain-level Security</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967649-0"></a>
-<a class="indexterm" name="ch06-idx-967649-1"></a>Domain-level security is similar to server-level security. However, with domainlevel security, the Samba server is acting as a member of a Windows domain. Recall from <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a> that each domain has a <em class="firstterm">domain controller</em>
-<a class="indexterm" name="ch06-idx-967685-0"></a>, which is usually a Windows NT server offering password authentication. Including these controllers provides the workgroup with a definitive password server. The domain controllers keep track of users and passwords in their own <a class="indexterm" name="ch06-idx-967688-0"></a>
-<a class="indexterm" name="ch06-idx-967688-1"></a>security authentication module (SAM), and authenticates each user when he or she first logs on and wishes to access another machine's shares.</p><p>As mentioned earlier in this chapter, Samba has a similar ability to offer user-level security, but this option is Unix-centric and assumes that the authentication occurs via <a class="indexterm" name="ch06-idx-967689-0"></a>Unix password files. If the Unix machine is part of a <a class="indexterm" name="ch06-idx-967690-0"></a>NIS or NIS+ domain, Samba will authenticate the users transparently against a shared password file, in typical Unix fashion. Samba then provides access to the NIS or NIS+ domain from Windows. There is, of course, no relationship between the NIS concept of a domain and the Windows concept of a domain.</p><p>
-<a class="indexterm" name="ch06-idx-967696-0"></a>
-<a class="indexterm" name="ch06-idx-967696-1"></a>With domain-level security, we now have the option of using the native NT mechanism. This has a number of advantages:</p><div class="itemizedlist"><ul type="disc"><li><p>It provides far better integration with NT: there are fewer "kludges" in the <code class="filename">smb.conf</code> options dealing with domains than with most Windows features. This allows more extensive use of NT management tools, such as the User Manager for Domains tool allowing PC support individuals to treat Samba servers as if they were large NT machines.</p></li><li><p>With the better integration comes protocol and code cleanups, allowing the Samba team to track the evolving NT implementation. NT Service Pack 4 corrects several problems in the protocol, and Samba's better integration makes it easier to track and adapt to these changes.</p></li><li><p>There is less overhead on the PDC because there is one less permanent network connection between it and the Samba server. Unlike the protocol used by the <code class="literal">security</code> <code class="literal">=</code> <code class="literal">server</code> option, the Samba server can make a Remote Procedure Call (RPC) call only when it needs authentication information. It can not keep a connection permanently up just for that.</p></li><li><p>Finally, the NT domain authentication scheme returns the full set of user attributes, not just success or failure. The attributes include a longer, more network-oriented version of the Unix uid, NT groups, and other information. This includes:</p><div class="itemizedlist"><ul type="circle"><li><p>Username</p></li><li><p>Full name</p></li><li><p>Description</p></li><li><p>Security identifier (a domain-wide extension of the Unix uid)</p></li><li><p>NT group memberships</p></li><li><p>Logon hours, and whether to force the user to log out immediately</p></li><li><p>Workstations the user is allowed to use</p></li><li><p>Account expiration date</p></li><li><p>Home directory</p></li><li><p>Login script</p></li><li><p>Profile</p></li><li><p>Account type</p></li></ul></div></li><li><p>The Samba developers used domain-level security in Samba version 2.0.4 to add and delete domain <a class="indexterm" name="ch06-idx-967702-0"></a>users on Samba servers semi-automatically. In addition, it adds room for other NT-like additions, such as supporting access control lists and changing permissions of files from the client.</p></li></ul></div><p>The advantage to this approach is less administration; there is only one authentication database to keep synchronized. The only local administration required on the Samba server will be creating directories for users to work in and <code class="filename">/etc/passwd</code> entries to keep their UIDs and groups in.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-3.4.1"></a>Adding a Samba server to a Windows NT Domain</h4></div></div></div><p>If you already have an NT <a class="indexterm" name="ch06-idx-967704-0"></a>domain, you can easily add a Samba server to it. First, you will need to stop the Samba daemons. Then, add the Samba server to the NT domain on the PDC using the <a class="indexterm" name="ch06-idx-967706-0"></a>"Windows NT Server Manager for Domains" tool. When it asks for the computer type, choose "Windows NT Workstation or Server," and give it the NetBIOS name of the Samba server. This creates the machine account on the NT server.</p><p>Next, generate a Microsoft-format machine password using the <code class="filename">smbpasswd</code>
-<a class="indexterm" name="ch06-idx-967707-0"></a> tool, which is explained in further detail in the next section. For example, if our domain is SIMPLE and the Windows NT PDC is <code class="literal">beowulf</code>, we could use the following command on the Samba server to accomplish this:</p><pre class="programlisting">smbpasswd -j SIMPLE -r beowulf</pre><p>Finally, add the following options to the <code class="literal">[global]</code> section of your <code class="filename">smb.conf</code> and restart the Samba daemons.</p><pre class="programlisting">[global]
-	security = domain
-	domain logins = yes
-	workgroup = SIMPLE
-	password server = beowulf</pre><p>Samba should now be configured for domain-level security. The <code class="literal">domain</code> <code class="literal">logins</code> option is explained in more detail later in this<a class="indexterm" name="ch06-idx-967657-0"></a>
-<a class="indexterm" name="ch06-idx-967657-1"></a> chapter.<a class="indexterm" name="ch06-idx-967506-0"></a>
-<a class="indexterm" name="ch06-idx-967506-1"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-61393"></a>Passwords</h2></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967574-0"></a>Passwords are a thorny issue with Samba. So much so, in fact, that they are almost always the first major problem that users encounter when they install Samba, and generate by far the most questions sent to Samba support groups. In previous chapters, we've gotten around the need for passwords by placing the <code class="literal">guest</code> <code class="literal">ok</code> option in each of our configuration files, which allows connections without authenticating passwords. However, at this point, we need to delve deeper into Samba to discover what is happening on the network.</p><p>
-<a class="indexterm" name="ch06-idx-967709-0"></a>
-<a class="indexterm" name="ch06-idx-967709-1"></a>Passwords sent from individual clients can be either encrypted or non-encrypted. Encrypted passwords are, of course, more secure. A <a class="indexterm" name="ch06-idx-967710-0"></a>non-encrypted password can be easily read with a packet sniffing program, such as the modified <span class="emphasis"><em>tcpdump</em></span>
-<a class="indexterm" name="ch06-idx-967712-0"></a> program for Samba that we used in <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a>. Whether passwords are encrypted depends on the operating system that the client is using to connect to the Samba server. <a href="#ch06-75183" title="Table 6.5. Windows Operating Systems with Encrypted Passwords">Table 6.5</a> lists which Windows operating systems encrypt their passwords before sending them to the primary domain controller for authentication. If your client is not Windows, check the system documentation to see if SMB passwords are encrypted.</p><div class="table"><a name="ch06-75183"></a><p class="title"><b>Table 6.5. Windows Operating Systems with Encrypted Passwords </b></p><div class="table-contents"><table summary="Windows Operating Systems with Encrypted Passwords " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Operating System</p></th><th><p>Encrypted or Non-encrypted</p></th></tr></thead><tbody><tr><td><p><code class="literal"></code>
-<a class="indexterm" name="ch06-idx-967714-0"></a>Windows 95</p></td><td><p>Non-encrypted</p></td></tr><tr><td><p>Windows 95 with SMB Update</p></td><td><p>Encrypted</p></td></tr><tr><td><p>Windows 98</p></td><td><p>Encrypted</p></td></tr><tr><td><p>Windows NT 3.<span class="emphasis"><em>x</em></span></p></td><td><p>Non-encrypted</p></td></tr><tr><td><p>Windows NT 4.0 before SP 3</p></td><td><p>Non-encrypted</p></td></tr><tr><td><p>Windows NT 4.0 after SP 3</p></td><td><p>Encrypted</p></td></tr></tbody></table></div></div><br class="table-break"><p>There are actually two different encryption methods used: one for <a class="indexterm" name="ch06-idx-967715-0"></a>Windows 95 and 98 clients that reuses Microsoft's LAN Manager encryption style, and a separate one for <a class="indexterm" name="ch06-idx-967716-0"></a>Windows NT clients and servers. Windows 95 and 98 use an older encryption system inherited from the LAN Manager network software, while Windows NT clients and servers use a newer encryption system.</p><p>If encrypted passwords are supported, Samba stores the encrypted passwords in a file called <code class="filename">smbpasswd</code>
-<a class="indexterm" name="ch06-idx-967717-0"></a>
-<a class="indexterm" name="ch06-idx-967717-1"></a>. By default, this file is located in the <code class="filename">private</code>
-<a class="indexterm" name="ch06-idx-967719-0"></a> directory of the Samba distribution (<code class="filename">/usr/local/samba/private</code>). At the same time, the client stores an encrypted version of a user's password on its own system. The plaintext password is never stored on either system. Each system encrypts the password automatically using a known algorithm when the password is set or changed.</p><p>When a client requests a connection to an SMB server that supports encrypted passwords (such as Samba or Windows NT), the two computers undergo the following negotiations:</p><div class="orderedlist"><ol type="1"><li><p>The client attempts to negotiate a protocol with the server.</p></li><li><p>The server responds with a protocol and indicates that it supports encrypted passwords. At this time, it sends back a randomly-generated 8-byte challenge string.</p></li><li><p>The client uses the challenge string as a key to encrypt its already encrypted password using an algorithm predefined by the negotiated protocol. It then sends the result to the server.</p></li><li><p>The server does the same thing with the encrypted password stored in its database. If the results match, the passwords are equivalent and the user is authenticated.</p></li></ol></div><p>Note that even though the original passwords are not involved in the authentication process, you need to be very careful that the encrypted passwords located inside of the <code class="filename">smbpasswd</code>
-<a class="indexterm" name="ch06-idx-967721-0"></a> file are guarded from unauthorized users. If they are compromised, an unauthorized user can break into the system by replaying the steps of the previous algorithm. The <a class="indexterm" name="ch06-idx-967722-0"></a>
-<a class="indexterm" name="ch06-idx-967722-1"></a>
-<a class="indexterm" name="ch06-idx-967722-2"></a>encrypted passwords are just as sensitive as the plaintext passwords&#8212;this is known as <em class="firstterm">plaintext-equivalent</em> data in the cryptography world. Of course, you should also ensure that the clients safeguard their plaintext-equivalent passwords as well.</p><p>You can configure Samba to accept encrypted passwords with the following global additions to <code class="filename">smb.conf</code>. Note that we explicitly name the location of the Samba password file:</p><pre class="programlisting">[global]
-	security = user
-	encrypt passwords = yes
-	smb passwd file = /usr/local/samba/private/smbpasswd</pre><p>Samba, however, will not accept any users until the <code class="filename">smbpasswd</code> file has been initialized.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-4.0.1"></a>Disabling encrypted passwords on the client</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967724-0"></a>While Unix authentication has been in use for decades, including the use of <span class="emphasis"><em>telnet</em></span> and <span class="emphasis"><em>rlogin</em></span> access across the Internet, it embodies well-known security risks. Plaintext passwords are sent over the Internet and can be retrieved from TCP packets by malicious snoopers. However, if you feel that your network is secure and you wish to use standard Unix <code class="filename">/etc/passwd</code> authentication for all clients, you can do so, but you must disable encrypted passwords on those Windows clients that default to using them.</p><p>In order to do this, you must modify the Windows registry by installing two files on each system. Depending on the platform involved, the files are either <code class="filename">NT4_PlainPassword.reg</code> or <code class="filename">Win95_PlainPassword.reg</code>. You can perform this installation by copying the appropriate <code class="filename">.reg</code> files from the Samba distribution's <code class="filename">/docs</code> directory to a DOS floppy, and running it from the Run menu item on the client's Start Menu button. Incidentally, the Windows 95 <code class="filename">.reg</code> file works fine on Windows 98 as well.</p><p>After you reboot the machine, the client will not encrypt its hashed passwords before sending them to the server. This means that the plaintext-equivalent passwords can been seen in the TCP packets that are broadcast across the network. Again, we encourage you not to do this unless you are absolutely sure that your network is secure.</p><p>If passwords are not encrypted, you can indicate as much in your Samba configuration file:</p><pre class="programlisting">[global]
-	security = user
-	encrypt passwords = no</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-17782"></a>The smbpasswd File</h3></div></div></div><p><code class="filename"></code>
-<a class="indexterm" name="ch06-idx-967731-0"></a>Samba stores its encrypted passwords in a file called <code class="filename">smbpasswd</code>, which by default resides in the <code class="filename">/usr/local/samba/private</code> directory. The <code class="filename">smbpasswd</code>
-<a class="indexterm" name="ch06-idx-967742-0"></a> file should be guarded as closely as the <code class="filename">passwd</code> file; it should be placed in a directory to which only the root user has read/write access. All other users should not be able to read from the directory at all. In addition, the file should have all access closed off to all users except for root.</p><p>Before you can use encrypted passwords, you will need to create an entry for each Unix user in the <code class="filename">smbpasswd</code> file. The structure of the file is somewhat similar to a Unix <code class="filename">passwd</code> file, but has different fields. <a href="#ch06-54128" title="Figure 6.3. Structure of the smbpasswd file entry (actually one line)">Figure 6.3</a> illustrates the layout of the <code class="filename">smbpasswd</code> file; the entry shown is actually one line in the file.</p><div class="figure"><a name="ch06-54128"></a><p class="title"><b>Figure 6.3. Structure of the smbpasswd file entry (actually one line)</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 177px"><td><img src="figs/sam.0603.gif" height="177" alt="Structure of the smbpasswd file entry (actually one line)"></td></tr></table></div></div></div><br class="figure-break"><p>Here is a breakdown of the individual fields:</p><div class="variablelist"><dl><dt><span class="term">Username</span></dt><dd><p>This is the username of the account. It is taken directly from the system password file.</p></dd><dt><span class="term">UID</span></dt><dd><p>This is the user ID of the account. Like the username, it is taken directly from the system password file and must match the user it represents there.</p></dd><dt><span class="term">LAN Manager Password Hash</span></dt><dd><p>This is a 32-bit hexadecimal sequence that represents the password Windows 95 and 98 clients will use. It is derived by encrypting the string <code class="literal">KGS!@#$%</code> with a 56-bit DES algorithm using the user's password (forced to 14 bytes and converted to capital letters) twice repeated as the key. If there is currently no password for this user, the first 11 characters of the hash will consist of the sequence <code class="literal">NO</code> <code class="literal">PASSWORD</code> followed by <code class="literal">X</code> characters for the remainder. Anyone can access the share with no password. On the other hand, if the password has been disabled, it will consist of 32 <code class="literal">X</code> characters. Samba will not grant access to a user without a password unless the <code class="literal">null</code> <code class="literal">passwords</code> option has been set.</p></dd><dt><span class="term">NT Password Hash</span></dt><dd><p>This is a 32-bit hexadecimal sequence that represents the password Windows NT clients will use. It is derived by hashing the user's password (represented as a 16-bit little-endian Unicode sequence) with an MD4 hash. The password is not converted to uppercase letters first.</p></dd><dt><span class="term">Account Flags</span></dt><dd><p>This field consists of 11 characters between two braces ( [ ] ). Any of the following characters can appear in any order; the remaining characters should be spaces:</p><div class="variablelist"><dl><dt><span class="term">U</span></dt><dd><p>This account is a standard user account.</p></dd><dt><span class="term">D</span></dt><dd><p>This account is currently disabled and Samba should not allow any logins.</p></dd><dt><span class="term">N</span></dt><dd><p>This account has no password associated with it.</p></dd><dt><span class="term">W</span></dt><dd><p>This is a workstation trust account that can be used to configure Samba as a primary domain controller (PDC) when allowing Windows NT machines to join its domain.</p></dd></dl></div></dd><dt><span class="term">Last Change Time</span></dt><dd><p>This code consists of the characters <code class="literal">LCT-</code> followed by a hexidecimal representation of the amount of seconds since the epoch (midnight on January 1, 1970) that the entry was last changed.</p></dd></dl></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.1.1"></a>Adding entries to smbpasswd</h4></div></div></div><p><code class="filename"></code>
-<a class="indexterm" name="ch06-idx-967757-0"></a>There are a few ways you can add a new entry to the <code class="filename">smbpasswd</code> file:</p><div class="itemizedlist"><ul type="disc"><li><p>You can use the <em class="firstterm">smbpasswd</em> program with the <code class="literal">-a</code> option to automatically add any user that currently has a standard Unix system account on the server. This program resides in the <code class="filename">/usr/local/samba/bin</code> directory.</p></li><li><p>You can use the <em class="firstterm">addtosmbpass</em>
-<a class="indexterm" name="ch06-idx-967763-0"></a> executable inside the <em class="firstterm">/usr/local/samba/bin</em> directory. This is actually a simple <span class="emphasis"><em>awk</em></span>
-<a class="indexterm" name="ch06-idx-967764-0"></a> script that parses a system password file and extracts the username and UID of each entry you wish to add to the SMB password file. It then adds default fields for the remainder of the user's entry, which can be updated using the <code class="filename">smbpasswd</code> program later. In order to use this program, you will probably need to edit the first line of the file to correctly point to <span class="emphasis"><em>awk</em></span> on your system.</p></li><li><p>In the event that the neither of those options work for you, you can create a default entry by hand in the <code class="filename">smbpasswd</code> file. The entry should be entirely on one line. Each field should be colon-separated and should look similar to the following:</p><pre class="programlisting">dave:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:</pre><p>This consists of the username and the UID as specified in the system password file, followed by two sets of exactly 32 <code class="literal">X</code> characters, followed by the account flags and last change time as it appears above. After you've added this entry, you must use the <em class="firstterm">smbpasswd</em> program to change the password for the user.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.1.2"></a>Changing the encrypted password</h4></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967765-0"></a>If you need to change the encrypted password in the <code class="filename">smbpasswd</code> file, you can also use the <code class="filename">smbpasswd</code>
-<a class="indexterm" name="ch06-idx-967766-0"></a> program. Note that this program shares the same name as the encrypted password file itself, so be sure not to accidentally confuse the password file with the password-changing program.</p><p>The <code class="filename">smbpasswd</code> program is almost identical to the <code class="filename">passwd</code> program that is used to change Unix account passwords. The program simply asks you to enter your old password (unless you're the root user), and duplicate entries of your new password. No password characters are shown on the screen.</p><pre class="programlisting"># <span class="bold"><strong>smbpasswd dave</strong></span>
-Old SMB password:
-New SMB password:
-Retype new SMB password:
-Password changed for user dave</pre><p>You can look at the <code class="filename">smbpasswd</code> file after this command completes to verify that both the LAN Manager and the NT hashes of the passwords have been stored in their respective positions. Once users have encrypted password entries in the database, they should be able to connect to shares using encrypted passwords!<code class="filename"></code>
-<a class="indexterm" name="ch06-idx-967737-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-97004"></a>Password Synchronization</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967768-0"></a>
-<a class="indexterm" name="ch06-idx-967768-1"></a>Having a regular password and an encrypted version of the same password can be troublesome when you need to change both of them. Luckily, Samba affords you a limited ability to keep your passwords synchronized. Samba has a pair of configuration options that can be used to automatically update a user's regular Unix password when the encrypted password is changed on the system. The feature can be activated by specifying the <code class="literal">unix</code> <code class="literal">password</code> <code class="literal">sync</code> global configuration option:</p><pre class="programlisting">[global]
-	encrypt passwords = yes
-	smb passwd file = /usr/local/samba/private/smbpasswd
-
-	unix password sync = yes</pre><p>With this option enabled, Samba will attempt to change the user's regular password (as <code class="literal">root</code>) when the encrypted version is changed with <code class="filename">smbpasswd</code>. However, there are two other options that have to be set correctly in order for this to work.</p><p>The easier of the two is <code class="literal">passwd</code> <code class="literal">program</code>. This option simply specifies the Unix command used to change a user's standard system password. It is set to <code class="literal">/bin/passw</code>d <code class="literal">%u</code> by default. With some Unix systems, this is sufficient and you do not need to change anything. Others, such as Red Hat Linux, use <code class="filename">/usr/bin/passwd</code> instead. In addition, you may want to change this to another program or script at some point in the future. For example, let's assume that you want to use a script called <code class="literal">changepass</code> to change a user's password. Recall that you can use the variable <code class="literal">%u</code> to represent the current Unix username. So the example becomes:</p><pre class="programlisting">[global]
-	encrypt passwords = yes
-	smb passwd file = /usr/local/samba/private/smbpasswd
-
-	unix password sync = yes
-	passwd program = changepass %u</pre><p>Note that this program will be called as the <code class="literal">root</code> user when the <code class="literal">unix</code> <code class="literal">password</code> <code class="literal">sync</code> option is set to <code class="literal">yes</code>. This is because Samba does not necessarily have the plaintext old password of the user.</p><p>The harder option to configure is <code class="literal">passwd</code> <code class="literal">chat</code>. The <code class="literal">passwd</code> <code class="literal">chat</code> option works like a Unix chat script. It specifies a series of strings to send as well as responses to expect from the program specified by the <code class="literal">passwd</code> <code class="literal">program</code> option. For example, this is what the default <code class="literal">passwd</code> <code class="literal">chat</code> looks like. The delimiters are the spaces between each groupings of characters:</p><pre class="programlisting">passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*</pre><p>The first grouping represents a response expected from the password-changing program. Note that it can contain <a class="indexterm" name="ch06-idx-967780-0"></a>
-<a class="indexterm" name="ch06-idx-967780-1"></a>wildcards (*), which help to generalize the chat programs to be able to handle a variety of similar outputs. Here, <code class="literal">*old*password*</code> indicates that Samba is expecting any line from the password program containing the letters <code class="literal">old</code> followed by the letters <code class="literal">password</code>, without regard for what comes on either side or between them. Once instructed to, Samba will wait indefinitely for such a match. Is Samba does not receive the expected response, the password will fail.</p><p>The second grouping indicates what Samba should send back once the data in the first grouping has been matched. In this case, you see <code class="literal">%o\n</code>. This response is actually two items: the variable <code class="literal">%o</code> represents the old password, while the <code class="literal">\n</code> is a newline character. So, in effect, this will "type" the old password into the standard input of the password changing program, and then "press" Enter.</p><p>Following that is another response grouping, followed by data that will be sent back to the password changing program. (In fact, this response/send pattern continues indefinitely in any standard Unix <span class="emphasis"><em>chat</em></span> script.) The script continues until the final pattern is matched.<sup>[<a name="ch06-pgfId-969009" href="#ftn.ch06-pgfId-969009">2</a>]</sup></p><p>You can help match the response strings sent from the password program with the characters listed in <a href="#ch06-77246" title="Table 6.6. Password Chat Response Characters">Table 6.6</a>. In addition, you can use the characters listed in <a href="#ch06-38512" title="Table 6.7. Password Chat Send Characters">Table 6.7</a> to help formulate your response.</p><div class="table"><a name="ch06-77246"></a><p class="title"><b>Table 6.6. Password Chat Response Characters </b></p><div class="table-contents"><table summary="Password Chat Response Characters " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Character</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">*</code></p></td><td><p>
-<a class="indexterm" name="ch06-idx-967781-0"></a>
-<a class="indexterm" name="ch06-idx-967781-1"></a>Zero or more occurrences of any character.</p></td></tr><tr><td><p><code class="literal">" "</code></p></td><td><p>Allows you to include matching strings that contain spaces. Asterisks are still considered wildcards even inside of quotes, and you can represent a null response with empty quotes.</p></td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="ch06-38512"></a><p class="title"><b>Table 6.7. Password Chat Send Characters </b></p><div class="table-contents"><table summary="Password Chat Send Characters " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Character</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">%o</code></p></td><td><p>The user's old password</p></td></tr><tr><td><p><code class="literal">%n</code></p></td><td><p>The user's new password</p></td></tr><tr><td><p><code class="literal">\n</code></p></td><td><p>The linefeed character</p></td></tr><tr><td><p><code class="literal">\r</code></p></td><td><p>The carriage-return character</p></td></tr><tr><td><p><code class="literal">\t</code></p></td><td><p>The tab character</p></td></tr><tr><td><p><code class="literal">\s</code></p></td><td><p>A space</p></td></tr></tbody></table></div></div><br class="table-break"><p>For example, you may want to change your password chat to the following entry. This will handle scenarios in which you do not have to enter the old password. In addition, this will also handle the new <code class="literal">all</code> <code class="literal">tokens</code> <code class="literal">updated</code> <code class="literal">successfully</code> string that Red Hat Linux sends:</p><pre class="programlisting">passwd chat = *new password* %n\n *new password* %n\n *success*</pre><p>Again, the default chat should be sufficient for many Unix systems. If it isn't, you can use the <code class="literal">passwd</code> <code class="literal">chat</code> <code class="literal">debug</code> global option to set up a new chat script for the password change program. The <code class="literal">passwd</code> <code class="literal">chat</code> <code class="literal">debug</code> option logs everything during a password chat. This option is a simple boolean, as shown below:</p><pre class="programlisting">[global]
-    encrypted passwords = yes
-    smb passwd file = /usr/local/samba/private/smbpasswd
-
-    unix password sync = yes
-    passwd chat debug = yes
-    log level = 100</pre><p>After you activate the password chat debug feature, all I/O received by Samba through the password chat will be sent to the Samba logs with a debug level of 100, which is why we entered a new log level option as well. As this can often generate multitudes of error logs, it may be more efficient to use your own script, by setting the <code class="literal">passwd</code> <code class="literal">program</code> option, in place of <code class="filename">/bin/passwd</code> to record what happens during the exchange. Also, make sure to protect your log files with strict file permissions and to delete them as soon as you've grabbed the information you need, because they contain the passwords in plaintext.</p><p>The operating system on which Samba is running may have strict requirements for valid passwords in order to make them more impervious to dictionary attacks and the like. Users should be made aware of these restrictions when changing their passwords.</p><p>Earlier we said that password synchronization is limited. This is because there is no reverse synchronization of the encrypted <code class="filename">smbpasswd</code> file when a standard Unix password is updated by a user. There are various strategies to get around this, including NIS and freely available implementations of the <a class="indexterm" name="ch06-idx-967787-0"></a>
-<a class="indexterm" name="ch06-idx-967787-1"></a>pluggable authentication modules (PAM) standard, but none of them really solve all the problems yet. In the future, when Windows 2000 emerges, we will see more compliance with the <a class="indexterm" name="ch06-idx-967788-0"></a>Lightweight Directory Access Protocol (LDAP), which promises to make password synchronization a thing of the past.<a class="indexterm" name="ch06-idx-967772-0"></a>
-<a class="indexterm" name="ch06-idx-967772-1"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-4.3"></a>Password Configuration Options</h3></div></div></div><p>The options in <a href="#ch06-68460" title="Table 6.8. Password Configuration Options">Table 6.8</a> will help you work with passwords in Samba.</p><div class="table"><a name="ch06-68460"></a><p class="title"><b>Table 6.8. Password Configuration Options </b></p><div class="table-contents"><table summary="Password Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">encrypt passwords</code></p></td><td><p>boolean</p></td><td><p>
-<a class="indexterm" name="ch06-idx-969358-0"></a>Turns on encrypted passwords.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">unix password sync </code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba updates the standard Unix password database when a user changes his or her encrypted password.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">passwd chat</code></p></td><td><p>string (chat commands)</p></td><td><p>Sets a sequence of commands that will be sent to the password program.</p></td><td><p>See earlier section on this option</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">passwd chat debug</code></p></td><td><p>boolean</p></td><td><p>Sends debug logs of the password-change process to the log files with a level of 100.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">passwd program</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets the program to be used to change passwords.</p></td><td><p><code class="literal">/bin/passwd %u</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">password level</code></p></td><td><p>numeric</p></td><td><p>Sets the number of capital letter permutations to attempt when matching a client's password.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">update encrypted</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba updates the encrypted password file when a client connects to a share with a plaintext password.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">null passwords</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba allows access for users with null passwords.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">smb passwd file</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the name of the encrypted password file.</p></td><td><p><code class="literal">/usr/local/samba/private/smbpasswd</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">hosts equiv</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the name of a file that contains hosts and users that can connect without using a password.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">use rhosts</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>.<span class="emphasis"><em>rhosts</em></span> file that allows users to connect without using a password.</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.1"></a>
-unix password sync</h4></div></div></div><a class="indexterm" name="ch06-idx-969469-0"></a><p>The <code class="literal">unix</code> <code class="literal">password</code> <code class="literal">sync</code> global option allows Samba to update the standard Unix password file when a user changes his or her encrypted password. The encrypted password is stored on a Samba server in the <code class="filename">smbpasswd</code> file, which is located in <code class="filename">/usr/local/samba/private</code> by default. You can activate this feature as follows:</p><pre class="programlisting">[global]
-	unix password sync = yes</pre><p>If this option is enabled, Samba changes the encrypted password and, in addition, attempts to change the standard Unix password by passing the username and new password to the program specified by the <code class="literal">passwd</code> <code class="literal">program</code> option (described earlier). Note that Samba does not necessarily have access to the plaintext password for this user, so the password changing program must be invoked as <code class="literal">root</code>.<sup>[<a name="ch06-pgfId-959675" href="#ftn.ch06-pgfId-959675">3</a>]</sup> If the Unix password change does not succeed, for whatever reason, the SMB password will not be changed either.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.2"></a>
-encrypt passwords</h4></div></div></div><a class="indexterm" name="ch06-idx-969472-0"></a><p>
-<a class="indexterm" name="ch06-idx-967797-0"></a>The <code class="literal">encrypt</code> <code class="literal">passwords</code> global option switches Samba from using plaintext passwords to encrypted passwords for authentication. Encrypted passwords will be expected from clients if the option is set to <code class="literal">yes</code>:</p><pre class="programlisting">encrypt passwords = yes</pre><p>By default, Windows NT 4.0 with Service Pack 3 or above and Windows 98 transmit encrypted passwords over the network. If you are enabling encrypted passwords, you must have a valid <code class="filename">smbpasswd</code> file in place and populated with usernames that will authenticate with encrypted passwords. (See <a href="#ch06-17782" title="The smbpasswd File">Section 6.4.2</a> earlier in this chapter.) In addition, Samba must know the location of the <code class="filename">smbpasswd</code> file; if it is not in the default location (typically <code class="filename">/usr/local/samba/private/smbpasswd</code>), you can explicitly name it using the <code class="literal">smb</code> <code class="literal">passwd</code> <code class="literal">file</code> option.</p><p>If you wish, you can use the <code class="literal">update</code> <code class="literal">encrypted</code> to force Samba to update the <code class="filename">smbpasswd</code> file with encrypted passwords each time a client connects to a non-encrypted password.</p><p>A common strategy to ensure that hosts who need encrypted password authentication indeed receive it is with the <code class="literal">include</code> option. With this, you can create individual configuration files that will be read in based on OS-type (<code class="literal">%a</code>) or client name (<code class="literal">%m</code>). These host-specific or OS-specific configuration files can contain an <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">yes</code> option that will activate only when those clients are connecting to the server.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.3"></a>
-passwd program</h4></div></div></div><a class="indexterm" name="ch06-idx-969475-0"></a><p>The <code class="literal">passwd</code>
-<a class="indexterm" name="ch06-idx-967798-0"></a> <code class="literal">program</code> is used to specify a program on the Unix Samba server that Samba can use to update the standard system password file when the encrypted password file is updated. This option defaults to the standard <span class="emphasis"><em>passwd</em></span> program, usually located in the <code class="filename">/bin</code> directory. The <code class="literal">%u</code> variable is typically used here as the requesting user when the command is executed. The actual handling of input and output to this program during execution is handled through the <code class="literal">passwd</code> <code class="literal">chat</code> option. <a href="#ch06-97004" title="Password Synchronization">Section 6.4.3</a>, earlier in this chapter, covers this option in detail.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.4"></a>
-passwd chat</h4></div></div></div><a class="indexterm" name="ch06-idx-969476-0"></a><p>This option specifies a series of send/response strings similar to a Unix chat script, which are used to interface with the password-changing program on the Samba server. <a href="#ch06-97004" title="Password Synchronization">Section 6.4.3</a>, earlier in this chapter, covers this option in detail.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.5"></a>
-passwd chat debug</h4></div></div></div><a class="indexterm" name="ch06-idx-969477-0"></a><p>If set to <code class="literal">yes</code>, the <code class="literal">passwd</code> <code class="literal">chat</code> <code class="literal">debug</code> global option logs everything sent or received by Samba during a password chat. All the I/O received by Samba through the password chat is sent to the Samba logs with a debug level of 100; you will need to specify <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">100</code> in order for the information to be recorded. <a href="#ch06-97004" title="Password Synchronization">Section 6.4.3</a> earlier in this chapter, describes this option in more detail. Be aware that if you do set this option, the plaintext passwords will be visible in the debugging logs, which could be a security hazard if they are not properly secured.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.6"></a>
-password level</h4></div></div></div><a class="indexterm" name="ch06-idx-969478-0"></a><p>With SMB, non-encrypted (or plaintext) passwords are sent with capital letters, just like the usernames mentioned previously. Many Unix users, however, choose passwords with both uppercase and lowercase letters. Samba, by default, only attempts to match the password entirely in lowercase letters, and not capitalizing the first letter.</p><p>Like <code class="literal">username</code> <code class="literal">level</code>, there is a <code class="literal">password</code> <code class="literal">level</code> option that can be used to attempt various permutations of the password with capital letters. This option takes an integer value that specifies how many letters in the password should be capitalized when attempting to connect to a share. You can specify this options as follows:</p><pre class="programlisting">[global]
-	password level = 3</pre><p>In this case, Samba will then attempt all permutations of the password it can compute having three capital letters. The larger the number, the more computations Samba will have to perform to match the password, and the longer a connection to a specific share may take.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.7"></a>update encrypted</h4></div></div></div><a class="indexterm" name="ch06-idx-969481-0"></a><p>For sites switching over to the <a class="indexterm" name="ch06-idx-967799-0"></a>encrypted password format, Samba provides an option that should help with the transition. The <code class="literal">update</code> <code class="literal">encrypted</code> option allows a site to ease into using encrypted passwords from plaintext passwords. You can activate this option as follows:</p><pre class="programlisting">[global]
-    update encrypted = yes</pre><p>This instructs Samba to create an encrypted version of each user's Unix password in the <code class="filename">smbpasswd</code> file each time he or she connects to a share. When this option is enabled, you must have the <code class="literal">encrypt</code> <code class="literal">passwords</code> option set to <code class="literal">no</code> so that the client will pass plaintext passwords to Samba to use to update the files. Once each user has connected at least once, you can set <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">yes</code>, allowing you to use only the encrypted passwords. The user must already have a valid entry in the <code class="filename">smbpasswd</code> file for this option to work.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.8"></a>null passwords</h4></div></div></div><p>This global option tells Samba whether or not to allow access from users that have <a class="indexterm" name="ch06-idx-967801-0"></a>
-<a class="indexterm" name="ch06-idx-967801-1"></a>null passwords (encrypted or non-encrypted) set in their accounts. The default value is <code class="literal">no</code>. You can override it as follows:</p><pre class="programlisting">null passwords = yes</pre><p>We highly recommend against doing so unless you are familiar with the security risks this option can present to your system, including inadvertent access to system users (such as <code class="filename">bin</code>) in the system password file who have null passwords set.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.9"></a>
-smb passwd file</h4></div></div></div><a class="indexterm" name="ch06-idx-969483-0"></a><p>
-<a class="indexterm" name="ch06-idx-968245-0"></a>This global option identifies the location of the encrypted password database. By default, it is set to <code class="filename">/usr/local/samba/private/smbpasswd</code>. You can override it as follows:</p><pre class="programlisting">[global]
-	smb passwd file = /etc/smbpasswd</pre><p>This location, for example, is common on many Red Hat distributions.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.10"></a>
-hosts equiv</h4></div></div></div><a class="indexterm" name="ch06-idx-969486-0"></a><p>This global option specifies the name of a standard Unix <code class="filename">hosts.equiv</code> file that will allow hosts or users to access shares without specifying a password. You can specify the location of such a file as follows:</p><pre class="programlisting">[global]
-	hosts equiv = /etc/hosts.equiv</pre><p>The default value for this option does not specify any <code class="filename">hosts.equiv</code> file. Because using such a file is essentially a huge security risk, we highly recommend that you do not use this option unless you are confident in the security of your network.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-4.3.11"></a>
-use rhosts</h4></div></div></div><a class="indexterm" name="ch06-idx-969487-0"></a><p>This global option specifies the name of a standard Unix user's <code class="filename">.rhosts</code> file that will allow foreign hosts to access <a class="indexterm" name="ch06-idx-967803-0"></a>shares without specifying a password. You can specify the location of such a file as follows:</p><pre class="programlisting">[global]
-	use rhosts = /home/dave/.rhosts</pre><p>The default value for this option does not specify any <code class="filename">.rhosts</code> file. Like the <code class="literal">hosts</code> <code class="literal">equiv</code> option above, using such a file is a security risk. We highly recommend that you do use this option unless you are confident in the security of<a class="indexterm" name="ch06-idx-968233-0"></a> your network.<a class="indexterm" name="ch06-idx-968235-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-23084"></a>Windows Domains</h2></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967533-0"></a>
-<a class="indexterm" name="ch06-idx-967533-1"></a>
-<a class="indexterm" name="ch06-idx-967533-2"></a>Now that you are comfortable with users and passwords on a Samba server, we can show you how to set up Samba to become a <a class="indexterm" name="ch06-idx-967819-0"></a>primary domain controller for Windows 95/98 and NT machines. Why use domains? The answer probably isn't obvious until you look behind the scenes, especially with Windows 95/98.</p><p>Recall that with traditional workgroups, Windows 95/98 simply accepts each username and password that you enter when logging on to the system. There are no unauthorized users with Windows 95/98; if a new user logs on, the operating system simply asks for a new password and authenticates the user against that password from then on. The only time that Windows 95/98 attempts to use the password you entered is when connecting to another share.</p><p>
-<a class="indexterm" name="ch06-idx-967805-0"></a>Domain logons, on the other hand, are similar to Unix systems. In order to log on to the domain, a valid username and password must be presented at startup, which is then authenticated against the primary domain controller's password database. If the password is invalid, the user is immediately notified and they cannot log on to the domain.</p><p>There's more good news: once you have successfully logged on to the domain, you can access any of the shares in the domain to which you have rights without having to reauthenticate yourself. More precisely, the primary domain controller returns a token to the client machine that allows it to access any share without consulting the PDC again. Although you probably won't notice the shift, this can be beneficial in cutting down network traffic. (You can disable this behavior if you wish by using the <code class="literal">revalidate</code> option.)</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-36822"></a>Configuring Samba for Windows Domain Logons</h3></div></div></div><p>If you wish to allow Samba to act as a domain controller, use the following sections to configure Samba and your clients to allow domain access.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you would like more information on how to set up domains, see the <code class="filename">DOMAINS.TXT</code> file that comes with the Samba distribution.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.1.1"></a>Windows 95/98 clients</h4></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967815-0"></a>Setting up Samba as a PDC for Windows 95/98 clients is somewhat anticlimactic. All you really need to do on the server side is ensure that:</p><div class="itemizedlist"><ul type="disc"><li><p>Samba is the only primary domain controller for the current workgroup.</p></li><li><p>There is a <a class="indexterm" name="ch06-idx-967817-0"></a>WINS server available on the network, either a Samba machine or a Windows NT server. (See <a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a>, for more information on WINS.)</p></li><li><p>Samba is using user-level security (i.e., it doesn't hand off password authentication to anyone else). You do not want to use domain-level security if Samba itself is acting as the PDC.</p></li></ul></div><p>At that point, you can insert the following options into your Samba configuration file:</p><pre class="programlisting">[global]
-	workgroup = SIMPLE
-	domain logons = yes
-
-# Be sure to set user-level security!
-
-	security = user
-
-# Be sure to become the primary domain controller!
-
-	os level = 34
-	local master = yes
-	preferred master = yes
-	domain master = yes</pre><p>The <code class="literal">domain</code> <code class="literal">logons</code> option enables Samba to perform domain authentication on behalf of other clients that request it. The name of the domain will be the same as the workgroup listed in the Samba configuration file, in this case: SIMPLE.</p><p>After that, you need to create a non-writable, non-public, non-browesable disk share called <code class="literal">[netlogon]</code> (it does not matter where this share points to as long as each Windows client can connect to it):</p><pre class="programlisting">[netlogon]
-	comment = The domain logon service
-	path = /export/samba/logon
-	public = no
-	writeable = no
-	browsable = no</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.1.2"></a>Windows NT clients</h4></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967816-0"></a>If you have Window NT clients on your system, there are a few more steps that need to be taken in order for Samba to act as their primary domain controller.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>You will need to use at least <a class="indexterm" name="ch06-idx-967821-0"></a>
-<a class="indexterm" name="ch06-idx-967821-1"></a>
-<a class="indexterm" name="ch06-idx-967821-2"></a>Samba 2.1 to ensure that PDC functionality for Windows NT clients is present. Prior to Samba 2.1, only limited user authentication for NT clients was present. At the time this book went to press, Samba 2.0.5 was the latest version, but Samba  2.1 was available through CVS download. Instructions on downloading alpha versions of Samba are given in <a href="#SAMBA-AP-E" title="Appendix E. Downloading Samba with CVS">Appendix E</a>.</p></div><p>As before, you need to ensure that Samba is a primary domain controller for the current workgroup and is using user-level security. However, you must also ensure that Samba is using encrypted passwords. In other words, alter the <code class="literal">[global]</code> options the previous example to include the <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">yes</code> option, as shown here:</p><pre class="programlisting">[global]
-	workgroup = SIMPLE
-	encrypted passwords = yes
-	domain logons = yes
-
-	security = user</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.1.3"></a>Creating trust accounts for NT clients</h4></div></div></div><p>This step is exclusively for Windows NT clients. All NT clients that connect to a primary domain controller make use of <em class="firstterm">trust accounts</em>
-<a class="indexterm" name="ch06-idx-967823-0"></a>. These accounts allow a machine to log in to the <a class="indexterm" name="ch06-idx-967824-0"></a>PDC itself (not one of its shares), which means that the PDC can trust any further connections from users on that client. For all intents and purposes, a trust account is identical to a user account. In fact, we will be using standard Unix user accounts to emulate trust accounts for the Samba server.</p><p>The login name of a machine's trust account is the name of the machine with a dollar sign appended to it. For example, if our Windows NT machine is named <code class="literal">chimaera</code>, the login account would be <code class="literal">chimaera$</code>. The initial password of the account is simply the name of the machine in lowercase letters. In order to forge the trust account on the Samba server, you need to create a Unix account with the appropriate machine name, as well as an encrypted password entry in the <code class="filename">smbpasswd</code> database.</p><p>Let's tackle the first part. Here, we only need to modify the <code class="filename">/etc/passwd</code> file to support the trust account; there is no need to create a home directory or assign a shell to the "user" because the only part we are interested in is whether a login is permitted. Therefore, we can create a "dummy" account with the following entry:</p><pre class="programlisting">chimaera$:*:1000:900:Trust Account:/dev/null:/dev/null</pre><p>Note that we have also disabled the password field by placing a <code class="literal">*</code> in it. This is because Samba will use the <code class="filename">smbpasswd</code> file to contain the password instead, and we don't want anyone to telnet into the machine using that account. In fact, the only value other than the account name that is used here is the UID of the account for the encrypted password database (1000). This number must map to a unique resource ID on the NT server and cannot conflict with any other resource IDs. Hence, no NT user or group should map to this number or a networking error will occur.</p><p>Next, add the encrypted password using the <code class="filename">smbpasswd</code> command, as follows:</p><pre class="programlisting"># <strong class="userinput"><code>smbpasswd -a -m chimaera</code></strong>
-Added user chimaera$
-Password changed for user chimaera$</pre><p>The <code class="literal">-m</code> option specifies that a machine trust account is being generated. The <code class="filename">smbpasswd</code> program will automatically set the initial encrypted password as the NetBIOS name of the machine in lowercase letters; you don't need to enter it. When specifying this option on the command line, do not put a dollar sign after the machine name&#8212;it will be appended automatically. Once the encrypted password has been added, Samba is ready to handle domain logins from a NT client.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-5.2"></a>Configuring Windows Clients for Domain Logons</h3></div></div></div><p>Once you have Samba configured for domain logons, you need to set up your Windows clients to log on to the domain at startup.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.2.1"></a>Windows 95/98</h4></div></div></div><p>
-<a class="indexterm" name="ch06-idx-969407-0"></a>
-<a class="indexterm" name="ch06-idx-969407-1"></a>With Windows 95/98, this can be done by raising the Network configuration dialog in the Windows Control Panel and selecting the Properties for "Client for Microsoft Networks." At this point, you should see a dialog box similar to <a href="#ch06-48609" title="Figure 6.4. Configuring a Windows 95/98 client for domain logons">Figure 6.4</a>. Select the "Logon to Windows Domain" checkbox at the top of the dialog box, and enter the workgroup that is listed in the Samba configuration file as the Windows NT domain. Then click on OK and reboot the machine when asked.</p><div class="figure"><a name="ch06-48609"></a><p class="title"><b>Figure 6.4. Configuring a Windows 95/98 client for domain logons</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 359px"><td><img src="figs/sam.0604.gif" width="502" alt="Configuring a Windows 95/98 client for domain logons"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If Windows complains that you are already logged into the domain,  you probably have an active connection to a share in the workgroup (such as a mapped network drive). Simply disconnect the resource temporarily by right-clicking on its icon and choosing the Disconnect pop-up menu item.</p></div><p>When Windows reboots, you should see the standard <a class="indexterm" name="ch06-idx-967825-0"></a>login dialog with an addition: a field for a domain. The domain name should already be filled in, so simply enter your password and click on the OK button. At this point, Windows should consult the primary domain controller (Samba) to see if the password is correct. (You can check the log files if you want to see this in action.) If it worked, congratulations! You have properly configured Samba to act as a domain controller for Windows 95/98 machines and your client is successfully connected.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.2.2"></a>Windows NT 4.0</h4></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967826-0"></a>To configure Windows NT for domain logons, open the Network configuration dialog in the Windows NT Control Panel. The first tab that you see should list the identification of the machine.</p><p>Press the Change button and you should see the dialog box shown in <a href="#ch06-89804" title="Figure 6.5. Configuring a Windows NT client for domain logons">Figure 6.5</a>. In this dialog box, you can choose to have the Windows NT client become a member of the domain by selecting the radio button marked Domain in the "Member of " box. Then, type in the domain that you wish the client to login to; it should be the same as the workgroup that you specified in the Samba configuration file. Do not check the box marked "Create a Computer Account in the Domain"&#8212;Samba does not currently support this functionality.</p><div class="figure"><a name="ch06-89804"></a><p class="title"><b>Figure 6.5. Configuring a Windows NT client for domain logons</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 359px"><td><img src="figs/sam.0605.gif" width="502" alt="Configuring a Windows NT client for domain logons"></td></tr></table></div></div></div><br class="figure-break"><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Like Windows 95/98, if NT complains that you are already logged in, you probably have an active connection to a share in the workgroup (such as a mapped network drive). Disconnect the resource temporarily by right-clicking on its icon and choosing the Disconnect pop-up menu item.</p></div><p>After you press the OK button, Windows should present you with a small <a class="indexterm" name="ch06-idx-967838-0"></a>dialog box welcoming you to the domain. At this point, you will need to reset the Windows NT machine. Once it comes up again, the machine will automatically present you with a log on screen similar to the one for Windows 95/98 clients. You can now log in using any account that you have already on the Samba server that is configured to accept logins.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Be sure to select the correct domain in the <a class="indexterm" name="ch06-idx-967844-0"></a>
-<a class="indexterm" name="ch06-idx-967844-1"></a>Windows NT logon dialog box. Once selected, it may take a moment for Windows NT to build the list of available domains.</p></div><p>After you enter the password, Windows NT should consult the primary domain controller (Samba) to see if the password is correct. Again, you can check the log files if you want to see this in action. If it worked, you have successfully configured Samba to act as a domain controller for Windows NT machines.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-5.3"></a>Domain Options</h3></div></div></div><p><a href="#ch06-53106" title="Table 6.9. Windows 95/98 Domain Logon Options">Table 6.9</a> shows the options that are commonly used in association with domain logons.</p><div class="table"><a name="ch06-53106"></a><p class="title"><b>Table 6.9. Windows 95/98 Domain Logon Options </b></p><div class="table-contents"><table summary="Windows 95/98 Domain Logon Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">domain logons</code></p></td><td><p>boolean</p></td><td><p>Indicates whether Windows domain logons are to be used.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">domain group map</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Name of the file used to map Unix to Windows NT domain groups.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">domain user map</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Name of the file used to map Unix to Windows NT domain users.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">local group map</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Name of the file used to map Unix to Windows NT local groups.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">revalidate</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba forces users to authenticate themselves with each connection to a share.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.1"></a>
-domain logons</h4></div></div></div><a class="indexterm" name="ch06-idx-969495-0"></a><p>This option configures Samba to accept domain logons as a <a class="indexterm" name="ch06-idx-968113-0"></a>primary domain controller. When a client successfully logs on to the domain, Samba will return a special token to the client that allows the client to access domain shares without consulting the PDC again for authentication. Note that the Samba machine must be in user-level security (<code class="literal">security</code> <code class="literal">=</code> <code class="literal">user</code>) and must be the PDC in order for this option to function. In addition, Windows machines will expect a <code class="literal">[netlogon]</code> share to exist on the Samba server (see <a href="#ch06-36822" title="Configuring Samba for Windows Domain Logons">Section 6.5.1</a> earlier in this chapter).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.2"></a>
-domain group map</h4></div></div></div><a class="indexterm" name="ch06-idx-969498-0"></a><p>This option specifies the location of a <a class="indexterm" name="ch06-idx-968114-0"></a>mapping file designed to translate Windows NT domain group names to Unix group names. The file should reside on the Samba server. For example:</p><pre class="programlisting">/usr/local/samba/private/groups.mapping</pre><p>The file has a simple format:</p><pre class="programlisting"><em class="replaceable"><code>UnixGroup = NTGroup</code></em></pre><p>An example is:</p><pre class="programlisting">admin = Administrative</pre><p>The specified Unix group should be a valid group in the <code class="filename">/etc/group</code> file. The NT group should be the name to which you want the Unix group to map on an NT client. This option will work only with Windows NT clients.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.3"></a>
-domain user map</h4></div></div></div><a class="indexterm" name="ch06-idx-969499-0"></a><p>This option specifies the location of a mapping file designed to translate Unix usernames to Windows NT domain usernames. The file should reside on the Samba server. For example:</p><pre class="programlisting">/usr/local/samba/private/domainuser.mapping</pre><p>The file has a simple format:</p><pre class="programlisting"><em class="replaceable"><code>UnixUsername</code></em> = [\\<em class="replaceable"><code>Domain</code></em>\\]<em class="replaceable"><code>NTUserName</code></em></pre><p>An example entry is:</p><pre class="programlisting">joe = Joseph Miller</pre><p>The Unix name specified should be a valid username in the <code class="filename">/etc/passwd</code> file. The NT name should be the username to which you want to Unix username to map on an NT client. This option will work with Windows NT clients only.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you would like more information on how Windows NT uses domain usernames and local groups, we recommend Eric Pearce's <em class="citetitle">Windows NT in a Nutshell</em>, published by O'Reilly.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.4"></a>
-local group map</h4></div></div></div><a class="indexterm" name="ch06-idx-969502-0"></a><p>This option specifies the location of a mapping file designed to translate Windows NT local group names to Unix group names. Local group names include those such as Administrator and Users. The file should reside on the Samba server. For example:</p><pre class="programlisting">/usr/local/samba/private/localgroup.mapping</pre><p>The file has a simple format:</p><pre class="programlisting"><em class="replaceable"><code>UnixGroup</code></em> = [BUILTIN\]<em class="replaceable"><code>NTGroup</code></em></pre><p>An example entry is:</p><pre class="programlisting">root = BUILTIN\Administrators</pre><p>This option will work with Windows NT clients only. For more information, see Eric Pearce's <em class="citetitle">Windows NT in a Nutshell</em> (O'Reilly).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-5.3.5"></a>revalidate</h4></div></div></div><p>This share-level option tells Samba to force users to authenticate with <a class="indexterm" name="ch06-idx-968116-0"></a>
-<a class="indexterm" name="ch06-idx-968116-1"></a>
-<a class="indexterm" name="ch06-idx-968116-2"></a>
-<a class="indexterm" name="ch06-idx-968116-3"></a>passwords each time they connect to a different share on a machine, no matter what level of security is in place on the Samba server. The default value is <code class="literal">no</code>, which allows users to be trusted once they successfully authenticate themselves. You can override it as:</p><pre class="programlisting">revalidate = yes</pre><p>You can use this option to increase security on your system. However, you should weigh it against the inconvenience of having users revalidate themselves to every share.<a class="indexterm" name="ch06-idx-968204-0"></a>
-<a class="indexterm" name="ch06-idx-968204-1"></a>
-<a class="indexterm" name="ch06-idx-968204-2"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch06-38153"></a>Logon Scripts</h2></div></div></div><p>
-<a class="indexterm" name="ch06-idx-967542-0"></a>
-<a class="indexterm" name="ch06-idx-967542-1"></a>
-<a class="indexterm" name="ch06-idx-967542-2"></a>Samba supports the execution of Windows logon scripts, which are scripts (<a class="indexterm" name="ch06-idx-968119-0"></a>
-<a class="indexterm" name="ch06-idx-968119-1"></a>.BAT or .CMD) that are executed on the client when a user logs on to a Windows domain. Note that these scripts are stored on the Unix side, but are transported across the network to the client side and executed once a user logs on. These scripts are invaluable for dynamically setting up network configurations for users when they log on. The downside is that because they run on Windows, they must use the <a class="indexterm" name="ch06-idx-968120-0"></a>
-<a class="indexterm" name="ch06-idx-968120-1"></a>Windows network configuration commands.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you would like more information on NET commands, we recommend the following O'Reilly handbooks: <span class="emphasis"><em>Windows NT in a Nutshell</em></span>, <span class="emphasis"><em>Windows 95 in a Nutshell</em></span>, and <span class="emphasis"><em>Windows 98 in a Nutshell.</em></span></p></div><p>You can instruct Samba to use a logon script with the <code class="literal">logon</code> <code class="literal">script</code> option, as follows:</p><pre class="programlisting">[global]
-	domain logons = yes
-	security = user
-	workgroup = SIMPLE
-
-	os level = 34
-	local master = yes
-	preferred master = yes
-	domain master = yes
-	logon script = %U.bat
-
-[netlogon]
-	comment = The domain logon service
-	path = /export/samba/logon
-	public = no
-	writeable = no
-	browsable = no</pre><p>Note that this example uses the <code class="literal">%U</code> variable, which will individualize the script based on the user that is logging in. It is common to customize logon scripts based on the user or machine name that is logging onto the domain. These scripts can then be used to configure individual settings for users or clients.</p><p>Each logon script should be stored at the base of the <code class="literal">[netlogon]</code> share. For example, if the base of the <code class="literal">[netlogon]</code> share is <code class="filename">/export/samba/logon</code> and the logon script is <code class="filename">jeff.bat</code>, the file should be located at <code class="filename">/export/samba/logon/jeff.bat</code>. When a user logs on to a domain that contains a startup script, he or she will see a small dialog that informs them that the script is executing, as well as any output the script generates in an MS-DOS-like box.</p><p>One warning: because these scripts are loaded by Windows and executed on the Windows side, they must consist of DOS formatted <a class="indexterm" name="ch06-idx-968122-0"></a>
-<a class="indexterm" name="ch06-idx-968122-1"></a>
-<a class="indexterm" name="ch06-idx-968122-2"></a>carriage-return/linefeed characters instead of Unix carriage returns. It's best to use a DOS- or Windows-based editor to create them.</p><p>Here is an example of a logon script that sets the current time to match that of the Samba server and maps two network drives, <code class="literal">h</code> and <code class="literal">i</code>, to individual shares on the server:</p><pre class="programlisting">#  Reset the current time to that shown by the server.
-#  We must have the "time server = yes" option in the
-#  smb.conf for this to work.
-
-echo Setting Current Time...
-net time \\hydra /set /yes
-
-#  Here we map network drives to shares on the Samba
-#  server
-echo Mapping Network Drives to Samba Server Hydra...
-net use h: \\hydra\data
-net use i: \\hydra\network</pre><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.0.1"></a>Roaming profiles</h3></div></div></div><p><em class="firstterm"></em>
-<a class="indexterm" name="ch06-idx-968132-0"></a>
-<a class="indexterm" name="ch06-idx-968132-1"></a>In Windows 95 and NT, each user can have his or her own <em class="firstterm">profile</em>
-<a class="indexterm" name="ch06-idx-968123-0"></a>. A profile bundles information such as: the appearance of a user's desktop, the applications that appear on the start menus, the background, and other miscellaneous items. If the profile is stored on a local disk, it's called a <em class="firstterm">local profile</em>
-<a class="indexterm" name="ch06-idx-968124-0"></a>
-<a class="indexterm" name="ch06-idx-968124-1"></a>, since it describes what a user's environment is like on one machine. If the profile is stored on a server, on the other hand, the user can download the same profile to any client machine that is connected to the server. The latter is called a <em class="firstterm">roaming profile</em> because the user can roam around from machine to machine and still use the same profile. This makes it particularly convenient when someone might be logging in from his or her desk one day and from a portable in the field the next. <a href="#ch06-71393" title="Figure 6.6. Local profiles versus roaming profiles">Figure 6.6</a> illustrates local and roaming profiles.</p><div class="figure"><a name="ch06-71393"></a><p class="title"><b>Figure 6.6. Local profiles versus roaming profiles</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 303px"><td><img src="figs/sam.0606.gif" height="303" alt="Local profiles versus roaming profiles"></td></tr></table></div></div></div><br class="figure-break"><p>Samba will provide roaming profiles if it is configured for domain logons and you provide a tree of directories pointed to by the <code class="literal">logon</code> <code class="literal">path</code> option. This option is typically used with one of the user variables, as shown in this example:</p><pre class="programlisting">[global]
-	domain logons = yes
-	security = user
-	workgroup = SIMPLE
-	os level = 34
-	local master = yes
-	preferred master = yes
-	domain master = yes
-
-	logon path =  \\hydra\profile\%U</pre><p>We need to create a new share to support the profiles, which is a basic disk share accessible only by the Samba process' user (<code class="literal">root</code>). This share must be writeable, but should not be browseable. In addition, we must create a directory for each user who wishes to log on (based on how we specified our <code class="literal">logon</code> <code class="literal">path</code> in the example above), which is accessible only by that user. For an added measure of security, we use the <code class="literal">directory</code> <code class="literal">mode</code> and <code class="literal">create</code> <code class="literal">mode</code> options to keep anyone who connects to it from viewing or altering the files created in those directories:</p><pre class="programlisting">[profile]
-  comment = User profiles
-  path = /export/samba/profile
-  create mode = 0600
-  directory mode = 0700
-  writable = yes
-  browsable = no</pre><p>Once a user initially logs on, the Windows client will create a <code class="filename">user.dat</code> or <code class="filename">ntuser.dat</code> file&#8212;depending on which operating system the client is running. The client then uploads the contents of the desktop, the Start Menu, the Network Neighborhood, and the programs folders in individual folders in the directory. When the user subsequently logs on, those contents will be downloaded from the server and activated for the client machine with which the user is logging on. When he or she logs off, those contents will be uploaded back on the server until the next time the user connects. If you look at the directory listing of a profile folder, you'll see the following:</p><pre class="programlisting"># ls -al 
-
-total 321
-drwxrwxr-x   9 root  simple    Jul 21 20:44 .
-drwxrwxr-x   4 root  simple    Jul 22 14:32 ..
-drwxrwx---   3 fred  develope  Jul 12 07:15 Application Data
-drwxrwx---   3 fred  develope  Jul 12 07:15 Start Menu
-drwxrwx---   2 fred  develope  Jul 12 07:15 cookies
-drwxrwx---   2 fred  develope  Jul 12 07:15 desktop
-drwxrwx---   7 fred  develope  Jul 12 07:15 history
-drwxrwx---   2 fred  develope  Jul 12 07:15 nethood
-drwxrwx---   2 fred  develope  Jul 19 21:05 recent
--rw-------   1 fred  develope  Jul 21 21:59 user.dat</pre><p>The <code class="filename">user.dat</code> files are binary configuration files, created automatically by Windows. They can be edited with the Profile Editor on a Windows client, but they can be somewhat tricky to get correct. Samba supports them correctly for all clients up to NT 5.0 beta, but they're still relatively new<em class="firstterm"></em>
-<a class="indexterm" name="ch06-idx-968138-0"></a>
-<a class="indexterm" name="ch06-idx-968138-1"></a>.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Hints and HOWTOs for handling logon scripts are available in the Samba documentation tree, in both <code class="filename">docs/textdocs/DOMAIN.txt</code> and <code class="filename">docs/textdocs/PROFILES.txt</code>.<em class="firstterm"></em>
-<a class="indexterm" name="ch06-idx-968148-0"></a>
-<a class="indexterm" name="ch06-idx-968148-1"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.0.2"></a>Mandatory profiles</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-968144-0"></a>
-<a class="indexterm" name="ch06-idx-968144-1"></a>Users can also have <em class="firstterm">mandatory profiles</em>, which are roaming profiles that they cannot change. For example, with a mandatory profile, if a user adds a command to the Start Menu on Tuesday, it will be gone when he or she logs in again on Wednesday. The mandatory profile is simply a <code class="filename">user.dat</code> file that has been renamed to <code class="filename">user.man</code> and made read-only on the Unix server. It normally contains settings that the administrator wishes to ensure the user always executes. For example, if an administrator wants to create a <a class="indexterm" name="ch06-idx-968145-0"></a>fixed user configuration, he or she can do the following:</p><div class="orderedlist"><ol type="1"><li><p>Create the read-write directory on the Samba server.</p></li><li><p>Set the <code class="literal">logon</code> <code class="literal">path</code> option in the <span class="emphasis"><em>smb.conf</em></span> file to point to this directory.</p></li><li><p>Logon as the user from Windows 95/98 to have the client populate the directory.</p></li><li><p>Rename the resulting <code class="filename">user.dat</code> to <code class="filename">user.man</code>.</p></li><li><p>Make the directory and its contents read only.</p></li></ol></div><p>Mandatory profiles are fairly unusual. Roaming profiles, on the other hand, are one of the more desirable features of Windows that Samba can support.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.1"></a>Logon Script Options</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-968152-0"></a><a href="#ch06-46661" title="Table 6.10. Logon Script Options">Table 6.10</a> summarizes the options commonly used in association with Windows domain logon scripts.</p><div class="table"><a name="ch06-46661"></a><p class="title"><b>Table 6.10. Logon Script Options </b></p><div class="table-contents"><table summary="Logon Script Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">logon script</code></p></td><td><p>string (DOS path)</p></td><td><p>Name of DOS/NT batch file</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">logon path</code></p></td><td><p>string (UNC server and share name)</p></td><td><p>Location of roaming profile for user</p></td><td><p><code class="literal">\\%N\%U\profile</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">logon drive</code></p></td><td><p>string (drive letter)</p></td><td><p>Specifies the logon drive for a home directory (NT only)</p></td><td><p><code class="literal">Z</code>:</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">logon home</code></p></td><td><p>string (UNC server and share name)</p></td><td><p>Specifies a location for home directories for clients logging on to the domain</p></td><td><p><code class="literal">\\%N\%U</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.1.1"></a>
-logon script</h4></div></div></div><a class="indexterm" name="ch06-idx-969510-0"></a><p>This option specifies a Windows .BAT or .CMD file with lines ending in carriage-return/line feed that will be executed on the client after a user has logged on to the domain. Each logon script should be stored at the base of a share entitled <code class="literal">[netlogin]</code> (see <a href="#ch06-36822" title="Configuring Samba for Windows Domain Logons">Section 6.5.1</a> for details.) This option frequently uses the <code class="literal">%U</code> or <code class="literal">%m</code> variables (user or NetBIOS name) to point to an individual script. For example:</p><pre class="programlisting">logon script = %U.bat</pre><p>will execute a script based on the username located at the base of the <code class="literal">[netlogin]</code> share. If the user who is connecting is <code class="literal">fred</code> and the path of the <code class="literal">[netlogin]</code> share maps to the directory <code class="filename">/export/samba/netlogin</code>, the script should be <code class="filename">/export/samba/netlogin/fred.bat</code>. Because these scripts are downloaded to the client and executed on the Windows side, they must consist of DOS formatted carriage-return/linefeed characters instead of Unix carriage returns.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.1.2"></a>
-logon path</h4></div></div></div><a class="indexterm" name="ch06-idx-969513-0"></a><p>This option provides a location for <a class="indexterm" name="ch06-idx-968161-0"></a>
-<a class="indexterm" name="ch06-idx-968161-1"></a>roaming profiles. When the user logs on, a roaming profile will be downloaded from the server to the client and activated for the user who is logging on. When the user logs off, those contents will be uploaded back on the server until the next time the user connects.</p><p>It is often more secure to create a separate share exclusively for storing user profiles:</p><pre class="programlisting">logon path =  \\hydra\profile\%U</pre><p>For more informaiton on this option, see <a href="#ch06-38153" title="Logon Scripts">Section 6.6</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.1.3"></a>
-logon drive</h4></div></div></div><a class="indexterm" name="ch06-idx-969514-0"></a><p>This option specifies the drive letter on an NT client to which the home directory specified with the <code class="literal">logon</code> <code class="literal">home</code> option will be mapped. Note that this option will work with Windows NT clients only. For example:</p><pre class="programlisting">logon home = I:</pre><p>You should always use drive letters that will not conflict with fixed drives on the client machine. The default is Z:, which is a good choice because it is as far away from A:, C:, and D: as possible.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.1.4"></a>
-logon home </h4></div></div></div><a class="indexterm" name="ch06-idx-969517-0"></a><p>This option specifies the location of a user's <a class="indexterm" name="ch06-idx-968162-0"></a>
-<a class="indexterm" name="ch06-idx-968162-1"></a>home directory for use by the DOS NET commands. For example, to specify a home directory as a share on a Samba server, use the following:</p><pre class="programlisting">logon home = \\hydra\%U</pre><p>Note that this works nicely with the <code class="literal">[homes]</code> service, although you can specify any directory you wish. Home directories can be mapped with a logon script using the following command:</p><pre class="programlisting">NET USE I: /HOME</pre><p>In addition, you can use the User Environment Profile under User Properties in the Windows NT User Manager to verify that the home directory has automatically been set.<a class="indexterm" name="ch06-idx-968155-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.2"></a>Other Connection Scripts</h3></div></div></div><p>
-<a class="indexterm" name="ch06-idx-968164-0"></a>
-<a class="indexterm" name="ch06-idx-968164-1"></a>After a user successfully makes a connection to any Samba share, you may want the Samba server to execute a program on its side to prepare the share for use. Samba allows scripts to be executed before and after someone connects to a share. You do not need to be using Windows domains to take advantage of the options. <a href="#ch06-67528" title="Table 6.11. Connection Script Options">Table 6.11</a> introduces some of the configuration options provided for setting up users.</p><div class="table"><a name="ch06-67528"></a><p class="title"><b>Table 6.11. Connection Script Options </b></p><div class="table-contents"><table summary="Connection Script Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">root preexec</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets a command to run as <code class="literal">root</code>, before connecting to the share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">preexec (exec)</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets a Unix command to run as the user before connecting to the share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">postexec</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets a Unix command to run as the user after disconnecting from the share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">root postexec</code></p></td><td><p>string (Unix command)</p></td><td><p>Sets a Unix command to run as <code class="literal">root</code> after disconnecting from the share.</p></td><td><p>None</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.2.1"></a>
-root preexec</h4></div></div></div><a class="indexterm" name="ch06-idx-969520-0"></a><p>The first form of the logon command is called <code class="literal">root</code> <code class="literal">preexec</code>. This option specifies a Unix command as its value that will be run <span class="emphasis"><em>as the root user</em></span> before any connection to a share is completed. You should use this option specifically for performing actions that require <a class="indexterm" name="ch06-idx-968166-0"></a>
-<a class="indexterm" name="ch06-idx-968166-1"></a>root privilege. For example, <code class="literal">root</code> <code class="literal">preexec</code> can be used to mount CD-ROMs for a share that makes them available to the clients, or to create necessary directories. If no <code class="literal">root</code> <code class="literal">preexec</code> option is specified, there is no default action. Here is an example of how you can use the command to mount a CD-ROM:</p><pre class="programlisting">[homes]
-	browseable = no
-	writeable = yes
-	root preexec = /etc/mount /dev/cdrom2</pre><p>Remember that these commands will be run as the root user. Therefore, in order to ensure security, users should never be able to modify the target of the <code class="literal">root</code> <code class="literal">preexec</code> command.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.2.2"></a>
-preexec</h4></div></div></div><a class="indexterm" name="ch06-idx-969523-0"></a><p>The next option run before logon is the <code class="literal">preexec</code> option, sometimes just called <code class="literal">exec</code>. This is an ordinary unprivileged command run by Samba as the user specified by the variable <code class="literal">%u</code>. For example, a common use of this option is to perform <a class="indexterm" name="ch06-idx-968167-0"></a>logging, such as the following:</p><pre class="programlisting">[homes]
-<strong class="userinput"><code>preexec = echo "%u connected to %S from %m (%I)\" &gt;&gt;/tmp/.log</code></strong></pre><p>Be warned that any information the command sends to standard output will not be seen by the user, but is instead thrown away. If you intend to use a <code class="literal">preexec</code> script, you should ensure that it will run correctly before having Samba invoke it.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.2.3"></a>
-postexec</h4></div></div></div><a class="indexterm" name="ch06-idx-969524-0"></a><p>Once the user disconnects from the share, the command specified with <code class="literal">postexec</code> is run as the user on the Samba server to do any necessary cleanup. This option is essentially the same as the <code class="literal">preexec</code> option. Again, remember that the command is run as the user represented by <code class="literal">%u</code> and any information sent to standard output will be ignored.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.2.4"></a>
-root postexec</h4></div></div></div><a class="indexterm" name="ch06-idx-969525-0"></a><p>Following the <code class="literal">postexec</code> option, the <code class="literal">root</code> <code class="literal">postexec</code> command is run, if one has been specified. Again, this option specifies a Unix command as its value that will be run <span class="emphasis"><em>as the</em></span> <a class="indexterm" name="ch06-idx-968179-0"></a>
-<a class="indexterm" name="ch06-idx-968179-1"></a><span class="emphasis"><em>root user</em></span> before disconnecting from a share. You should use this option specifically for performing actions that require root privilege.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch06-SECT-6.3"></a>Working with NIS and NFS</h3></div></div></div><p>Finally, Samba has the ability to work with <a class="indexterm" name="ch06-idx-968184-0"></a>NIS and NIS+. If there is more than one file server, and each runs Samba, it may be desirable to have the SMB client connect to the server whose disks actually house the user's home directory. It isn't normally a good idea to ship files across the network once via NFS to a Samba server, only to be sent across the network once again to the client via SMB. (For one thing, it's slow&#8212;about 30 percent of normal Samba speed). Therefore, there are a pair of options to tell Samba that NIS knows the name of the right server and indicate in which NIS map the information lives.</p><p><a href="#ch06-27466" title="Table 6.12. NIS Options">Table 6.12</a> introduces some of the other configuration options specifically for setting up users.</p><div class="table"><a name="ch06-27466"></a><p class="title"><b>Table 6.12. NIS Options </b></p><div class="table-contents"><table summary="NIS Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">nis homedir</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, use NIS instead of <code class="filename">/etc/passwd</code> to look up the path of a user's home directory</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">homedir map</code></p></td><td><p>string (NIS map name)</p></td><td><p>Sets the NIS map to use to look up a user's home directory</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch06-SECT-6.3.1"></a>nis homedir and homedir map</h4></div></div></div><p>The <code class="literal">nis</code>
-<a class="indexterm" name="ch06-idx-969528-0"></a>
-<a class="indexterm" name="ch06-idx-969528-1"></a> <code class="literal">homedir</code> and <code class="literal">homedir</code> <code class="literal">map</code> options are for Samba servers on network sites where Unix home directories are provided using NFS, the automounter, and NIS (Yellow Pages).</p><p>The <code class="literal">nis</code> <code class="literal">homedir</code> option indicates that the home directory server for the user needs to be looked up in NIS. The <code class="literal">homedir</code> <code class="literal">map</code> option tells Samba what NIS map to look in for the server that has the user's home directory. The server needs to be a Samba server, so the client can do an SMB connect to it, and the other Samba servers need to have NIS installed so they can do the lookup.</p><p>For example, if user <code class="literal">joe</code> asks for a share called <code class="literal">[joe]</code>, and the <code class="literal">nis</code> <code class="literal">homedir</code> option is set to <code class="literal">yes</code>, Samba will look in the file specified by <code class="literal">homedir</code> <code class="literal">map</code> for a home directory for <code class="literal">joe</code>. If it finds one, Samba will return the associated machine name to the client. The client will then try to connect to <span class="emphasis"><em>that</em></span> machine and get the share from there. Enabling NIS lookups looks<a class="indexterm" name="ch06-idx-967545-0"></a>
-<a class="indexterm" name="ch06-idx-967545-1"></a>
-<a class="indexterm" name="ch06-idx-967545-2"></a> like the following:</p><pre class="programlisting">[globals]
-	nis homedir = yes
-	homedir map = amd.map</pre></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch06-pgfId-968956" href="#ch06-pgfId-968956">1</a>] </sup>Having both encrypted and non-encrypted password clients on your network is another reason why Samba allows you to include (or not include) various options in the Samba configuration file based on the client operating system or machine name variables.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch06-pgfId-969009" href="#ch06-pgfId-969009">2</a>] </sup>This may not work under Red Hat Linux, as the password program typically responds "All authentication tokens updated successfully," instead of "Password changed." We provide a fix for this later in this section.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch06-pgfId-959675" href="#ch06-pgfId-959675">3</a>] </sup>This is because the Unix <span class="emphasis"><em>passwd</em></span> program, which is the usual target for this operation, allows <code class="literal">root</code> to change a user's password without the security restriction that requests the old password of that user.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-7"></a>Chapter 7. Printing and Name Resolution</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch07-61388">7.1. Sending Print Jobs to Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-1.1">7.1.1. Print Commands</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.2">7.1.2. Printing Variables</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.3">7.1.3. A Minimal Printing Setup</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.4">7.1.4. The [printers] Share</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.5">7.1.5. Test Printing</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-1.6">7.1.6. Setting Up and Testing a Windows Client</a></span></dt><dt><span class="sect2"><a href="#ch07-30008">7.1.7. Automatically Setting Up Printer Drivers</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch07-31526">7.2. Printing to Windows Client Printers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-2.0.1">7.2.1. BSD printers</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-2.0.2">7.2.2. System V printers</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-2.1">7.2.3. Samba Printing Options</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch07-12219">7.3. Name Resolution with Samba</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch07-SECT-3.1">7.3.1. The LMHOSTS File</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-3.2">7.3.2. Setting Up Samba to Use Another WINS Server</a></span></dt><dt><span class="sect2"><a href="#ch07-83429">7.3.3. Setting Up Samba as a WINS Server</a></span></dt><dt><span class="sect2"><a href="#ch07-SECT-3.4">7.3.4. Name Resolution Configuration Options</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="ch07-idx-956351-0"></a>This chapter tackles two Samba topics: setting up printers for use with a Samba server and configuring Samba to use or become a Windows Internet Name Service (WINS) server. Samba allows client machines to send documents to printers connected to the Samba server. In addition, Samba can also assist you with printing Unix documents to a printer on a Windows machine. In the first part of this chapter, we will discuss how to get printers configured to work on either side.</p><p>In the second half of the chapter, we will introduce the Windows Internet Name Service, Microsoft's implementation of a NetBIOS Name Server (NBNS). As mentioned in <a href="#ch01-48078" title="Chapter 1. Learning the Samba">Chapter 1</a>, an NBNS allows machines to perform name resolution on a NetBIOS network without having to rely on broadcasts. Instead, each machine knows exactly where the WINS server is and can query it for the IP addresses of other machines on the network.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch07-61388"></a>Sending Print Jobs to Samba</h2></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956360-0"></a>A printer attached to the Samba server shows up in the list of shares offered in the Network Neighborhood. If the printer is registered on the client machine and the client has the correct printer driver installed, the client can effortlessly send print jobs to a printer attached to a Samba server. <a href="#ch07-35075" title="Figure 7.1. A Samba printer in the Network Neighborhood">Figure 7.1</a> shows a Samba printer as it appears in the Network Neighborhood of a Windows client.</p><p>
-<a class="indexterm" name="ch07-idx-956377-0"></a>
-<a class="indexterm" name="ch07-idx-956377-1"></a>To administer printers with Samba, you should understand the basic process by which printing takes place on a network. Sending a print job to a printer on a Samba server involves four steps:</p><div class="orderedlist"><ol type="1"><li><p>Opening and authenticating a connection to the printer share</p></li><li><p>Copying the file over the network</p></li><li><p>Closing the connection</p></li><li><p>Printing and deleting the copy of the file</p><div class="figure"><a name="ch07-35075"></a><p class="title"><b>Figure 7.1. A Samba printer in the Network Neighborhood</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 171px"><td><img src="figs/sam.0701.gif" height="171" alt="A Samba printer in the Network Neighborhood"></td></tr></table></div></div></div><br class="figure-break"></li></ol></div><p>When a print job arrives at a Samba server, the print data is temporarily written to disk in the directory specified by the <code class="literal">path</code> option of the printer share. Samba then executes a Unix print command to send that data file to the printer. The job is printed as the authenticated user of the share. Note that this may be the guest user, depending on how the share is configured.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.1"></a>Print Commands</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956378-0"></a>In order to print the document, you'll need to tell Samba what the command is to print and delete a file. On Linux, such a command is:</p><pre class="programlisting">lpr -r -P<em class="replaceable"><code>printer</code></em> <em class="replaceable"><code>file</code></em></pre><p>This tells <code class="literal">lpr</code> to copy the document to a spool area, usually <code class="filename">/var/spool</code>, retrieve the name of the printer in the system configuration file (<code class="filename">/etc/printcap</code>), and interpret the rules it finds there to decide how to process the data and which physical device to send it to. Note that because the <code class="literal">-r</code> option has been listed, the file specified on the command line will be deleted after it has been printed. Of course, the file removed is just a copy stored on the Samba server; the original file on the client is unaffected.</p><p>Linux uses a Berkeley (BSD) style of printing. However, the process is similar on System V Unix. Here, printing and deleting becomes a compound command:</p><pre class="programlisting">lp -d<em class="replaceable"><code>printer</code></em> -s <em class="replaceable"><code>file</code></em>; rm <em class="replaceable"><code>file</code></em></pre><p>With System V, the <code class="filename">/etc/printcap</code> file is replaced with different set of configuration files hiding in <code class="filename">/usr/spool/lp</code>, and there is no option to delete the file. You have to do it yourself, which is why we have added the <code class="literal">rm</code> command afterward.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.2"></a>Printing Variables</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956380-0"></a>Samba provides four variables specifically for use with <a class="indexterm" name="ch07-idx-956450-0"></a>printing configuration options. They are shown in <a href="#ch07-29758" title="Table 7.1. Printing Variables">Table 7.1</a>.</p><div class="table"><a name="ch07-29758"></a><p class="title"><b>Table 7.1. Printing Variables </b></p><div class="table-contents"><table summary="Printing Variables " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">%s</code></p></td><td><p>The full pathname of the file on the Samba server to be printed</p></td></tr><tr><td><p><code class="literal">%f</code></p></td><td><p>The name of the file itself (without the preceding path) on the Samba server to be printed</p></td></tr><tr><td><p><code class="literal">%p</code></p></td><td><p>The name of the Unix printer to use</p></td></tr><tr><td><p><code class="literal">%j</code></p></td><td><p>The number of the print job (for use with <code class="literal">lprm</code>, <code class="literal">lppause</code>, and <code class="literal">lpresume</code>)</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.3"></a>A Minimal Printing Setup</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956382-0"></a>Let's start with a simple but illustrative printing share. Assuming that you're on a Linux system and you have a printer called <code class="literal">lp</code> listed in the printer capabilities file, the following addition to your <code class="filename">smb.conf</code>
-<a class="indexterm" name="ch07-idx-956439-0"></a> file will make the printer accessible through the network:</p><pre class="programlisting">[printer1]
-	printable = yes
-	print command = /usr/bin/lpr -r  %s
-	printer = lp
-	printing = BSD
-	read only = yes
-	guest ok = yes</pre><p>This configuration allows anyone to send data to the printer, something we may want to change later. For the moment, what's important to understand is that the variable <code class="literal">%s</code> in the <code class="literal">print</code> <code class="literal">command</code> option will be replaced with the name of the file to be printed when Samba executes the command. Changing the <code class="literal">print command</code> to reflect a different style of Unix machine typically involves only replacing the right side of the <code class="literal">print</code> <code class="literal">command</code> option with whatever command you need for your system and changing the target of the <code class="literal">printing</code> option.</p><p>Let's look at the commands for a <a class="indexterm" name="ch07-idx-956440-0"></a>
-<a class="indexterm" name="ch07-idx-956440-1"></a>System V Unix. With variable substitution, the System V Unix command becomes:</p><pre class="programlisting">print command = lp -d%p -s %s; rm %s</pre><p>As mentioned earlier, the <code class="literal">%p</code> variable resolves to the name of the printer, while the <code class="literal">%s</code> variable resolves to the name of the file. After that, you can change the <code class="literal">printing</code> option to reflect that you're using a System V architecture:</p><pre class="programlisting">printing = SYSV</pre><p>If you are using <a class="indexterm" name="ch07-idx-956441-0"></a>share-level security, pay special attention to the guest account used by Samba. The typical setting, <code class="literal">nobody</code>, may not be allowed to print by the operating system. If that's true for your operating system, you should place a <code class="literal">guest</code> <code class="literal">account</code> option under the <a class="indexterm" name="ch07-idx-956445-0"></a>printing share (or even perhaps the global share) specifying an account that can. A popular candidate with the Samba authors is the <code class="literal">ftp</code> account, which is often preconfigured to be safe for untrusted guest users. You can set it with the following command:</p><pre class="programlisting">guest account = ftp</pre><p>Another common printing issue is that clients may need to request the status of a <a class="indexterm" name="ch07-idx-956443-0"></a>print job sent to the Samba server. Samba will not reject a document from being sent to an already busy printer share. Consequently, Samba needs the ability to communicate not only the status of the current printing job to the client, but also which documents are currently waiting to be printed on that printer. Samba also has to provide the client the ability to pause print jobs, resume print jobs, and remove print jobs from the printing queue. Samba provides options for each of these tasks. As you might expect, they borrow functionality from existing Unix commands. The options are:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">lpq command</code></p></li><li><p><code class="literal">lprm command</code></p></li><li><p><code class="literal">lppause command</code></p></li><li><p><code class="literal">lpresume command</code></p></li></ul></div><p>We will cover these options in more detail below. For the most part, however, the value of the <code class="literal">printing</code> configuration option will determine their values, and you should not need to alter the default values of these options.</p><p>Here are a few important items to remember about printing shares:</p><div class="itemizedlist"><ul type="disc"><li><p>You must put <code class="literal">printable</code> <code class="literal">=</code> <code class="literal">yes</code> in all printer shares (even <code class="literal">[printers]</code>), so that Samba will know that they are printer shares. If you forget, the shares will not be usable for printing and will instead be treated as disk shares.</p></li><li><p>If you set the <code class="literal">path</code> configuration option in the printer section, any files sent to the printer(s) will be copied to the directory you specify instead of to the default location of <code class="filename">/tmp</code>. As the amount of disk space allocated to <code class="filename">/tmp</code> can be relatively small in some Unix operating systems, many administrators opt to use <code class="filename">/var/spool</code> or some other directory instead.</p></li><li><p>The <code class="literal">read only</code> option is ignored for printer shares.</p></li><li><p>If you set <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">yes</code> in a printer share and Samba is configured for share-level security, it will allow anyone to send data to the printer as the <code class="literal">guest</code> <code class="literal">account</code> user.</p></li></ul></div><p>Using one or more Samba machines as a print server gives you a great deal of flexibility on your LAN. You can easily partition your available printers, restricting some to members of one department, or you can maintain a bank of printers available to all. In addition, you can restrict a printer to a selected few by adding the trusty <code class="literal">valid</code> <code class="literal">users</code> option to its share definition:</p><pre class="programlisting">[deskjet]
-	printable = yes
-	path = /var/spool/samba/print
-	valid users = gail sam</pre><p>All of the other share accessibility options defined in the previous chapter should work for printing shares as well. Since the printers themselves are accessed through Samba by name, it's also simple to delegate print services among several servers using familiar Unix commands for tasks such as load balancing or maintenance.<a class="indexterm" name="ch07-idx-956385-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.4"></a>The [printers] Share</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956390-0"></a><a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, briefly introduced <code class="literal">[printers]</code>, a special share for automatically creating printing services. Let's review how it works: if you create a share named <code class="literal">[printers]</code> in the configuration file, Samba will automatically read in your printer capabilities file and create a printing share for each printer that appears in the file. For example, if the Samba server had <code class="literal">lp</code>, <code class="literal">pcl</code> and <code class="literal">ps</code> printers in its printer capabilities file, Samba would provide three printer shares with those names, each configured with the options in the <code class="literal">[printers]</code> share.</p><p>
-<a class="indexterm" name="ch07-idx-956509-0"></a>Recall that Samba obeys following rules when a client requests a share that has not been created through the <code class="filename">smb.conf</code> file:</p><div class="itemizedlist"><ul type="disc"><li><p>If the share name matches a username in the system password file and a <code class="literal">[homes]</code> share exists, a new share is created with the name of the user and is initialized using the values given in the <code class="literal">[homes]</code> and <code class="literal">[global]</code> sections.</p></li><li><p>Otherwise, if the name matches a printer in the system printer capabilities file, and a <code class="literal">[printers]</code> share exists, a new share is created with the name of the printer and initialized using the values given in the <code class="literal">[printers]</code> section. (Variables in the <code class="literal">[global]</code> section do not apply here.)</p></li><li><p>If neither of those succeed, Samba looks for a <code class="literal">default</code> <code class="literal">service</code> share. If none is found, it returns an error.</p></li></ul></div><p>This brings to light an important point: be careful that you do not give a <a class="indexterm" name="ch07-idx-956508-0"></a>printer the same name as a user. Otherwise, you will end up connecting to a disk share when you may have wanted a printer share instead.</p><p>Here is an example <code class="literal">[printers]</code> share for a Linux (BSD) system. Some of these options are already defaults; however, we have listed them anyway for illustrative purposes:</p><pre class="programlisting">[global] 
-	printing = BSD
-	print command = /usr/bin/lpr -P%p -r %s 
-	printcap file = /etc/printcap 
-	min print space = 2000
-
-[printers] 
-	path = /usr/spool/public 
-	printable = true  
-	guest ok = true 
-	guest account = pcguest</pre><p>Here, we've given Samba global options that specify the printing type (BSD), a print command to send data to the printer and remove a temporary file, our default printer capabilities file, and a minimum printing space of 2 megabytes.</p><p>In addition, we've created a <code class="literal">[printers]</code> share for each of the system printers. Our temporary spooling directory is specified by the <code class="literal">path</code> option: <code class="filename">/usr/spool/public</code>. Each of the shares is marked as printable&#8212;this is necessary, even in the <code class="literal">[printers]</code> section. The two <code class="literal">guest</code> options are useful in the event that Samba is using share-level security: we allow guest access to the printer and we specify the guest user that Samba should use to execute print commands.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.5"></a>Test Printing</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956391-0"></a>Here is how you can test printing from the Samba server. Let's assume the most complex case and use a guest account. First, run the Samba <span class="emphasis"><em>testparm</em></span> command on your configuration file that contains the print shares, as we did in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>. This will tell you if there are any syntactical problems with the configuration file. For example, here is what you would see if you left out the <code class="literal">path</code> configuration option in the previous example:</p><pre class="programlisting"># testparm 
-Load smb config files from /usr/local/samba/lib/smb.conf 
-Processing configuration file "/usr/local/samba/lib/smb.conf" 
-Processing section "[global]" 
-Processing section "[homes]" 
-Processing section "[data]" 
-Processing section "[printers]" 
-No path in service printers - using /tmp 
-Loaded services file OK. 
-Press enter to see a dump of your service definitions
-Global parameters: 
-	load printers: Yes 
-	printcap name: /etc/printcap
-Default service parameters: 
-	guest account: ftp 
-	min print space: 0 
-	print command: lpr -r -P%p %s 
-	lpq command: lpq -P%p 
-	lprm command: lprm -P%p %j 
-lppause command: 
-	lpresume command: 
- Service parameters [printers]: 
-	path: /tmp 	
-	print ok: Yes 
-	read only: true 
-	public: true</pre><p>Second, try the command <code class="literal">testprns</code> <em class="replaceable"><code>printername</code></em>. This is a simple program that verifies that the specified printer is available in your <span class="emphasis"><em>printcap</em></span> file. If your <span class="emphasis"><em>printcap</em></span> file is not in the usual place, you can specify its full pathname as the second argument to the <span class="emphasis"><em>testprns</em></span> command:</p><pre class="programlisting"># testprns lp /etc/printcap
-Looking for printer lp in printcap file /etc/printcap
-Printer name lp is valid.</pre><p>Next, log on as the guest user, go to the spooling directory, and ensure that you can print using the same command that <span class="emphasis"><em>testparm</em></span> says Samba will use. As mentioned before, this will tell you if you need to change the guest account, as the default account may not be allowed to print.</p><p>Finally, print something to the Samba server via <code class="literal">smbclient</code>, and see if the following actions occur:</p><div class="itemizedlist"><ul type="disc"><li><p>The job appears (briefly) in the Samba spool directory specified by the path.</p></li><li><p>The job shows up in your print systems spool directory.</p></li><li><p>The job disappears from the spool directory that Samba used.</p></li></ul></div><p>If <span class="emphasis"><em>smbclient</em></span> cannot print, you can reset the <code class="literal">print</code> <code class="literal">command</code> option to collect debugging information:</p><pre class="programlisting">print command = /bin/cat %s &gt;&gt;/tmp/printlog; rm %s</pre><p>or:</p><pre class="programlisting">print command = echo "printed %s on %p" &gt;&gt;/tmp/printlog</pre><p>A common problem with Samba printer configuration is forgetting to use the full <a class="indexterm" name="ch07-idx-956511-0"></a>
-<a class="indexterm" name="ch07-idx-956511-1"></a>pathnames for commands; simple commands often don't work because the guest account's PATH doesn't include them. Another frequent problem is not having the correct <a class="indexterm" name="ch07-idx-956512-0"></a>
-<a class="indexterm" name="ch07-idx-956512-1"></a>permissions on the spooling directory.<a class="indexterm" name="ch07-idx-956494-0"></a></p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>
-<a class="indexterm" name="ch07-idx-956514-0"></a>
-<a class="indexterm" name="ch07-idx-956514-1"></a>There is more information on debugging printers in the Samba documentation (<code class="filename">Printing.txt</code>). In addition, the Unix print systems are covered in detail in AEleen Frisch's <span class="emphasis"><em>Essential Systems Administration</em></span> (published by O'Reilly).</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-1.6"></a>Setting Up and Testing a Windows Client</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956392-0"></a>
-<a class="indexterm" name="ch07-idx-956392-1"></a>Now that Samba is offering a workable printer, you need to set it up on a Windows client. Look at the Samba server in the Network Neighborhood. It should now show each of the printers that are available. For example, in <a href="#ch07-35075" title="Figure 7.1. A Samba printer in the Network Neighborhood">Figure 7.1</a>, we saw a printer called <code class="literal">lp</code>.</p><p>Next, you need to have the Windows client recognize the printer. Double-click on the printer icon to get started. If you try to select an uninstalled printer (as you just did), Windows will ask you if it should help configure it for the Windows system. Respond "Yes," which will open the Printer Wizard.</p><p>The first thing the wizard will ask is whether you need to print from DOS.  Let's assume you don't, so choose No and press the Next button to get to the manufacturer/model window as shown in <a href="#ch07-60084" title="Figure 7.2. A printer in the Network Neighborhood">Figure 7.2</a>.</p><div class="figure"><a name="ch07-60084"></a><p class="title"><b>Figure 7.2. A printer in the Network Neighborhood</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 128px"><td><img src="figs/sam.0702.gif" height="128" alt="A printer in the Network Neighborhood"></td></tr></table></div></div></div><br class="figure-break"><p>In this dialog box, you should see a large list of manufacturers and models for almost every printer imaginable. If you don't see your printer on the list, but you know it's a PostScript printer, select Apple as the manufacturer and Apple LaserWriter as the model. This will give you the most basic Postscript printer setup, and arguably one of the most reliable. If you already have any Postscript printers attached, you will be asked about replacing or reusing the existing driver. Be aware that if you replace it with a new one, you may make your other printers fail. Therefore, we recommend you keep using your existing printer drivers as long as they're working properly.</p><p>Following that, the Printer Wizard will ask you to name the printer. <a href="#ch07-69466" title="Figure 7.3. Printer manufacturers and models">Figure 7.3</a> shows this example, where the name has defaulted to our second laserwriter. Here, you rename it from Apple Laserwriter (Copy 2) to "ps on Samba server," so you know where to look for the printouts. In reality, you can name the printer anything you want.</p><div class="figure"><a name="ch07-69466"></a><p class="title"><b>Figure 7.3. Printer manufacturers and models</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 296px"><td><img src="figs/sam.0703.gif" height="296" alt="Printer manufacturers and models"></td></tr></table></div></div></div><br class="figure-break"><p>Finally, the Printing Wizard asks if it should print a test page. Click on Yes, and you should be presented with the dialog in <a href="#ch07-43374" title="Figure 7.4. Printing successfully completed">Figure 7.4</a>.</p><div class="figure"><a name="ch07-43374"></a><p class="title"><b>Figure 7.4. Printing successfully completed</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 232px"><td><img src="figs/sam.0704.gif" height="232" alt="Printing successfully completed"></td></tr></table></div></div></div><br class="figure-break"><p>If the test printing was unsuccessful, press the No button in <a href="#ch07-43374" title="Figure 7.4. Printing successfully completed">Figure 7.4</a> and the Printing Wizard will walk you through some debugging steps for the client side of the process. If the test printing does work, congratulations! The remote printer will now be available to all your PC applications through the File and Print menu items.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-30008"></a>Automatically Setting Up Printer Drivers</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956393-0"></a>The previous section described how to manually configure a printer driver for your Windows system. As a system administrator, however, you can't always guarantee that users can perform such a process without making mistakes. Luckily, however, you can ask Samba to automatically set up the printer drivers for a specific printer.</p><p>Samba has three options that can be used to automatically set up printer drivers for clients who are connecting for the first time. These options are <code class="literal">printer</code> <code class="literal">driver</code>, <code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">file</code>, and <code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">location</code>. This section explains how to use these options to allow users to skip over the Manufacturer dialog in the Add Printer Wizard above.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>For more information on how to do this, see the <code class="filename">PRINTER_DRIVER.TXT</code> file in the Samba distribution documentation.</p></div><p>There are four major steps:</p><div class="orderedlist"><ol type="1"><li><p>Install the drivers for the printer on a Windows client (the printer need not be attached).</p></li><li><p>Create a printer definition file from the information on a Windows machine.</p></li><li><p>Create a <code class="literal">PRINTER$</code> share where the resulting driver files can be placed.</p></li><li><p>Modify the Samba configuration file accordingly.</p></li></ol></div><p>Let's go over each of the four steps in greater detail.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.1"></a>Install the drivers on a windows client</h4></div></div></div><p>Use <a class="indexterm" name="ch07-idx-956517-0"></a>Windows 95/98 for this step. It doesn't matter which client you choose, as long as it has the ability to load the appropriate drivers for the printer. In fact, you don't even need to have the printer attached to the machine. All you're interested in here is getting the appropriate driver files into the Windows directory. First, go to the Printers window of My Computer and double-click on the Add Printer icon, as shown in <a href="#ch07-52397" title="Figure 7.5. The Printers window">Figure 7.5</a>.</p><div class="figure"><a name="ch07-52397"></a><p class="title"><b>Figure 7.5. The Printers window</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 223px"><td><img src="figs/sam.0705.gif" height="223" alt="The Printers window"></td></tr></table></div></div></div><br class="figure-break"><p>At this point, you can follow the Add Printer Wizard dialogs through to select the manufacturer and model of the printer in question. If it asks you if you want to print from MS-DOS, answer No. Windows should load the appropriate driver resources from its CD-ROM and ask you if you want to print a test page. Again, respond No and close the Add Printer Wizard dialog.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.2"></a>Create a printer definition file</h4></div></div></div><p>You can create a <a class="indexterm" name="ch07-idx-956518-0"></a>printer definition file by using the <code class="filename">make_ printerdef</code> script in the <code class="filename">/usr/local/samba/bin</code> directory. In order to use this script, you need to copy over the following four files from a Windows client:<sup>[<a name="ch07-pgfId-951615" href="#ftn.ch07-pgfId-951615">1</a>]</sup></p><table class="simplelist" border="0" summary="Simple list"><tr><td><span class="emphasis"><em>C:\WINDOWS\INF\MSPRINT.INF</em></span></td></tr><tr><td><span class="emphasis"><em>C:\WINDOWS\INF\MSPRINT2.INF</em></span></td></tr><tr><td><span class="emphasis"><em>C:\WINDOWS\INF\MSPRINT3.INF</em></span></td></tr><tr><td><span class="emphasis"><em>C:\WINDOWS\INF\MSPRINT4.INF</em></span></td></tr></table><p>Once you have the four files, you can create a printer definition file using the appropriate printer driver and its .INF file. If the printer driver starts with the letters A-K, use either the <span class="emphasis"><em>MSPRINT.INF</em></span> file or the <span class="emphasis"><em>MSPRINT3.INF</em></span> file. If it begins with the letters L-Z, use the <span class="emphasis"><em>MSPRINT2.INF</em></span> file or the <span class="emphasis"><em>MSPRINT4.INF</em></span> file. You may need to <span class="emphasis"><em>grep</em></span> through each of the files to see where your specific driver is. For the following example, we have located our driver in <span class="emphasis"><em>MSPRINT3.INF</em></span> and created a printer definition file for a HP DeskJet 560C printer:</p><pre class="programlisting">$grep "HP DeskJet 560C Printer" MSPRINT.INF MSPRINT3.INF
-MSPRINT3.INF: "HP DeskJet 560C Printer"=DESKJETC.DRV,HP_DeskJet_ ...
-
-$make_printerdef MSPRINT3.INF "HP DeskJet 560C Printer" &gt;printers.def
-FOUND:DESKJETC.DRV
-End of section found
-CopyFiles: DESKJETC,COLOR_DESKJETC
-Datasection: (null)
-Datafile: DESKJETC.DRV
-Driverfile: DESKJETC.DRV
-Helpfile: HPVDJC.HLP
-LanguageMonitor: (null)
-
-Copy the following files to your printer$ share location:
-DESKJETC.DRV
-HPVCM.HPM
-HPVIOL.DLL
-HPVMON.DLL
-HPVRES.DLL
-HPCOLOR.DLL
-HPVUI.DLL
-HPVDJCC.HLP
-color\HPDESK.ICM</pre><p>Note the files that the script asks you to copy. You'll need those for the next step.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.3"></a>Create a PRINTER$ share</h4></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956525-0"></a>This part is relatively easy. Create a share called <code class="literal">[PRINTER$]</code> in your <code class="filename">smb.conf</code> that points to an empty directory on the Samba server. Once that is done, copy over the files that the <code class="filename">make_ printerdef</code> script requested of you into the location of the <code class="literal">path</code> configuration option for the <code class="literal">[PRINTER$]</code> share. For example, you can put the following in your configuration file:</p><pre class="programlisting">[PRINTER$]
-	path = /usr/local/samba/print
-	read only = yes
-	browsable = no
-	guest ok = yes</pre><p>The files requested by the <code class="filename">make_ printerdef</code> script are typically located in the <span class="emphasis"><em>C:\WINDOWS\SYSTEM</em></span> directory, although you can use the following commands to find out exactly where they are:</p><pre class="programlisting">cd C:\WINDOWS
-dir <em class="replaceable"><code>filename</code></em> /s</pre><p>In this case, each of the files needs to be copied to the <code class="filename">/usr/local/samba/print</code> directory on the Samba server. In addition, copy the <code class="filename">printers.def</code> file that you created over to that share as well. Once you've done that, you're almost ready to go.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.4"></a>Modify the Samba configuration file</h4></div></div></div><p><code class="filename"></code>
-<a class="indexterm" name="ch07-idx-956532-0"></a>The last step is to modify the Samba configuration file by adding the following three options:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">printer</code> <code class="literal">driver</code></p></li><li><p><code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">file</code></p></li><li><p><code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">location</code></p></li></ul></div><p>The <code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">file</code> is a global option that points to the <code class="filename">printers.def</code> file; place that option in your <code class="literal">[global]</code> section. The other options should be set in the printer share for which you wish to automatically configure the drivers. The value for <code class="literal">printer</code> <code class="literal">driver</code> should match the string that shows up in the Printer Wizard on the Windows system. The value of the <code class="literal">printer</code> <code class="literal">driver</code> <code class="literal">location</code> is the pathname of the PRINTER$ share you set up, not the Unix pathname on the server. Thus, you could use the following:</p><pre class="programlisting">[global]
-	printer driver file = /usr/local/samba/print/printers.def
-[hpdeskjet]
-	path = /var/spool/samba/printers
-	printable = yes
-
-	printer driver = HP DeskJet 560C Printer
-	printer driver location = \\%L\PRINTER$</pre><p>Now you're ready to test it out. At this point, remove the Windows printer that you "set up" in the first step from the list of printers in the Printers window of My Computer. If Samba asks you to delete unneeded files, do so. These files will be replaced shortly on the client, as they now exist on the Samba server.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-1.7.5"></a>Testing the configuration</h4></div></div></div><p>Restart the Samba daemons and look for the <code class="literal">[hpdeskjet]</code> share under the machine name in the Network Neighborhood. At this point, if you click on the printer icon, you should begin the printer setup process and come to the dialog shown in <a href="#ch07-60108" title="Figure 7.6. Automatically configuring the printer driver">Figure 7.6</a>.</p><p>This is different from the dialog you saw earlier when setting up a printer. Essentially, the dialog is asking if you wish to accept the driver that is "already installed"&#8212;in other words, offered by Samba. Go ahead and keep the existing driver, and press the Next button. At this point, you can give the printer a name and print out a test page. If it works, the setup should be complete. You should be able to repeat the process now from any Windows<a class="indexterm" name="ch07-idx-956413-0"></a> client. <a class="indexterm" name="ch07-idx-956407-0"></a></p><div class="figure"><a name="ch07-60108"></a><p class="title"><b>Figure 7.6. Automatically configuring the printer driver</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 296px"><td><img src="figs/sam.0706.gif" height="296" alt="Automatically configuring the printer driver"></td></tr></table></div></div></div><br class="figure-break"></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch07-31526"></a>Printing to Windows Client Printers</h2></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956368-0"></a>If you have printers connected to clients running Windows 95/98 or NT 4.0, those printers can also be accessed from Samba. Samba comes equipped with a tool called <span class="emphasis"><em>smbprint</em></span>
-<a class="indexterm" name="ch07-idx-956539-0"></a>
-<a class="indexterm" name="ch07-idx-956539-1"></a> that can be used to spool print jobs to Windows-based printers. In order to use this, however, you need to set up the printer as a shared resource on the client machine. If you haven't already done this, you can reset this from the Printers window, reached from the Start button, as shown in <a href="#ch07-32814" title="Figure 7.7. The Printers window">Figure 7.7</a>.</p><div class="figure"><a name="ch07-32814"></a><p class="title"><b>Figure 7.7. The Printers window</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 273px"><td><img src="figs/sam.0707.gif" height="273" alt="The Printers window"></td></tr></table></div></div></div><br class="figure-break"><p>Select a printer that's locally connected (for example, ours is the Canon printer), press the right mouse button to bring up a menu, and select Sharing. This will give you the Sharing tab of the Printer Properties frame, as shown in <a href="#ch07-92021" title="Figure 7.8. The Sharing tab of the printer">Figure 7.8</a>. If you want it available to everybody on your LAN as the Windows guest user, enter a blank password.</p><div class="figure"><a name="ch07-92021"></a><p class="title"><b>Figure 7.8. The Sharing tab of the printer</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 273px"><td><img src="figs/sam.0708.gif" height="273" alt="The Sharing tab of the printer"></td></tr></table></div></div></div><br class="figure-break"><p>Once you've got this working, you can add your printer to the list of standard printers and Samba can make it available to all the other PCs in the workgroup. To make installation on Unix easier, the Samba distribution provides two sample scripts: <code class="filename">smbprint</code> and <code class="filename">smbprint.sysv</code>. The first works with BSD-style printers; the second is designed for System V printers.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-2.0.1"></a>BSD printers</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956540-0"></a>There are two steps you need to have a BSD Unix recognize a remote printer:</p><div class="orderedlist"><ol type="1"><li><p>Place an entry for the printer in the <code class="filename">/etc/printcap</code> file (or equivalent).</p></li><li><p>Place a configuration file in the <code class="filename">/var/spool</code> directory for the printer.</p></li></ol></div><p>First, edit your <code class="filename">/etc/printcap</code> file and add an entry for the remote printer. Note that the input filter (<code class="literal">if</code>) entry needs to point to the <span class="emphasis"><em>smbprint</em></span> program if the machine is on Windows 95/98. The following set of lines will accomplish on a Linux machine, for example:</p><pre class="programlisting">laserjet:\
-  :sd=/var/spool/lpd/laser:\         <em class="replaceable"><code># spool directory</code></em>
-  :mx#0:\                            <em class="replaceable"><code># maximum file size (none)</code></em>
-  :sh:\                              <em class="replaceable"><code># surpress burst header (no)</code></em>
-  :if=/usr/local/samba/bin/smbprint: <em class="replaceable"><code># text filter</code></em></pre><p>After that, you need to create a configuration file in the spool directory that you specified with the <code class="literal">sd</code> parameter above. (You may need to create that directory.) The file must have the name <span class="emphasis"><em>.config</em></span> and should contain the following information:</p><div class="itemizedlist"><ul type="disc"><li><p>The NetBIOS name of the Windows machine with the printer</p></li><li><p>The service name that represents the printer</p></li><li><p>The password used to access that service</p></li></ul></div><p>The last two parameters were set up in the Sharing dialog for the requested resource on the Windows machine. In this case, the <span class="emphasis"><em>.config</em></span> file would have three lines:</p><pre class="programlisting">server = phoenix
-service = CANON
-password = ""</pre><p>After you've done that, reset the Samba server machine and try printing to it using any standard Unix program.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-2.0.2"></a>System V printers</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956541-0"></a>Sending print jobs from a System V Unix system is a little easier. Here, you need to get obtain the <code class="filename">smbprint.sysv</code> script in the <code class="filename">/usr/local/samba/examples/printing</code> directory and do the following:</p><div class="orderedlist"><ol type="1"><li><p>Change the <code class="literal">server</code>, <code class="literal">service</code>, and <code class="literal">password</code> parameters in the script to match the NetBIOS machine, its shared printer service, and its password, respectively. For example, the following entries would be correct for the service in the previous example:</p><pre class="programlisting">server = phoenix
-service = CANON
-password = ""</pre></li><li><p>Run the following commands, which create a reference for the printer in the printer capabilities file. Note that the new Unix printer entry <code class="literal">canon_  printer</code> is named:</p><pre class="programlisting"># lpadmin -p canon_printer -v /dev/null -i./smbprint.sysv
-# enable canon_printer
-# accept canon_printer</pre></li></ol></div><p>After you've done that, restart the Samba daemons and try printing to it using any standard Unix program. You should now be able to send data to a printer on a Windows client across the network.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-2.1"></a>Samba Printing Options</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956419-0"></a><a href="#ch07-19361" title="Table 7.2. Printing Configuration Options">Table 7.2</a> summarizes the Samba printing options.</p><div class="table"><a name="ch07-19361"></a><p class="title"><b>Table 7.2. Printing Configuration Options </b></p><div class="table-contents"><table summary="Printing Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">printing</code></p></td><td><p><code class="literal">bsd</code>, <code class="literal">sysv</code>, <code class="literal">hpux</code>, <code class="literal">aix</code>, <code class="literal">qnx</code>, <code class="literal">plp</code>, <code class="literal">softq</code>, or <code class="literal">lprng</code></p></td><td><p>Sets the print system type for your Unix system.</p></td><td><p>System dependent</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printable (print ok)</code></p></td><td><p>boolean</p></td><td><p>Marks a share as a printing share.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printer (printer name)</code></p></td><td><p>string (Unix printer name)</p></td><td><p>Sets the name of the printer to be shown to clients.</p></td><td><p>System dependent</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printer driver</code></p></td><td><p>string (printer driver name)</p></td><td><p>Sets the driver name that should be used by the client to send data to the printer.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printer driver file</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Sets the name of the printer driver file.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">printer driver location</code></p></td><td><p>string (network pathname)</p></td><td><p>Specifies the pathname of the share for the printer driver file.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lpq cache time</code></p></td><td><p>numeric (time in seconds)</p></td><td><p>Sets the amount of time in seconds that Samba will cache the lpq status.</p></td><td><p><code class="literal">10</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">postscript</code></p></td><td><p>boolean</p></td><td><p>Treats all print jobs sent as postscript by prepending <code class="literal">%!</code> at the beginning of each file.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">load printers</code></p></td><td><p>boolean</p></td><td><p>Automatically loads each of the printers in the <span class="emphasis"><em>printcap</em></span> file as printing shares.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">print command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to perform printing.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lpq command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to return the status of the printing queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lprm command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to remove a job from the printing queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lppause command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to pause a job on the printing queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">lpresume command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to resume a paused job on the printing queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">printcap name</code></p>
-
-<p><code class="literal">(printcap)</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the printer capabilities file.</p></td><td><p>System dependent</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">min print space</code></p></td><td><p>numeric (size in kilobytes)</p></td><td><p>Sets the minimum amount of disk free space that must be present to print.</p></td><td><p><code class="literal">0</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">queuepause command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to pause a queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">queueresume command</code></p></td><td><p>string (shell command)</p></td><td><p>Sets the Unix command to resume a queue.</p></td><td><p>See below</p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.1"></a>printing</h4></div></div></div><p>The <code class="literal">printing</code>
-<a class="indexterm" name="ch07-idx-958423-0"></a> configuration option tells Samba a little about your Unix printing system, in this case which printing parser to use. With Unix, there are several different families of commands to control printing and print statusing. Samba supports seven different types, as shown in <a href="#ch07-28758" title="Table 7.3. Printing Types">Table 7.3</a>.</p><div class="table"><a name="ch07-28758"></a><p class="title"><b>Table 7.3. Printing Types </b></p><div class="table-contents"><table summary="Printing Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p>BSD</p></td><td><p>
-<a class="indexterm" name="ch07-idx-956545-0"></a>Berkeley Unix system</p></td></tr><tr><td><p>SYSV</p></td><td><p>System V</p></td></tr><tr><td><p>AIX</p></td><td><p>AIX Operating System (IBM)</p></td></tr><tr><td><p>HPUX</p></td><td><p>Hewlett-Packard Unix</p></td></tr><tr><td><p>QNX</p></td><td><p>QNX Realtime Operating System (QNX)</p></td></tr><tr><td><p>LPRNG</p></td><td><p>LPR Next Generation (Powell)</p></td></tr><tr><td><p>SOFTQ</p></td><td><p>SOFTQ system</p></td></tr><tr><td><p>PLP</p></td><td><p>Portable Line Printer (Powell)</p></td></tr></tbody></table></div></div><br class="table-break"><p>The value for this optio.n will be one of these seven options. For example:</p><pre class="programlisting">printing = SYSV</pre><p>The default value of this option is system dependent and is configured when Samba is first compiled. For most systems, the <code class="filename">configure</code> script will automatically detect the printing system to be used and configure it properly in the Samba makefile. However, if your system is a PLP, LPRNG, or QNX printing system, you will need to explicitly specify this in the makefile or the printing share.</p><p>The most common system types are BSD and SYSV. Each of the printers on a BSD Unix server are described in the printer capabilities file&#8212;normally <code class="filename">/etc/printcap</code>.</p><p>Setting the <code class="literal">printing</code> configuration option automatically sets at least three other printing options for the service in question: <code class="literal">print</code> <code class="literal">command</code>, <code class="literal">lpq</code> <code class="literal">command</code>, and <code class="literal">lprm</code> <code class="literal">command</code>. If you are running Samba on a system that doesn't support any of these printing styles, simply set the commands for each of these manually.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.2"></a>printable</h4></div></div></div><p>The <a class="indexterm" name="ch07-idx-958426-0"></a>printable option must be set to <code class="literal">yes</code> in order to flag a share as a printing service. If this option is not set, the share will be treated as a disk share instead. You can set the option as follows:</p><pre class="programlisting">[printer1]
-	printable = yes</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.3"></a>printer</h4></div></div></div><p>
-<a class="indexterm" name="ch07-idx-957248-0"></a>The <a class="indexterm" name="ch07-idx-958427-0"></a>option, sometimes called <code class="literal">printer</code> <code class="literal">name</code>, specifies the name of the printer on the server to which the share points. This option has no default and should be set explicitly in the configuration file, even though Unix systems themselves often recognize a default name such as <code class="literal">lp</code> for a printer. For example:</p><pre class="programlisting">[deskjet]
-	printer = hpdkjet1</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.4"></a>printer driver</h4></div></div></div><p>The <code class="literal">printer</code>
-<a class="indexterm" name="ch07-idx-958428-0"></a> <code class="literal">driver</code> option sets the string that Samba uses to tell Windows what the printer is. If this option is set correctly, the Windows Printer Wizard will already know what the printer is, making installation easier for end users by giving them one less dialog to worry about. The string given should match the string that shows up in the Printer Wizard, as shown in <a href="#ch07-46183" title="Figure 7.9. The Add Printer Wizard dialog box in Windows 98">Figure 7.9</a>. For example, an Apple LaserWriter typically uses <code class="literal">Apple</code> <code class="literal">LaserWriter</code>; a Hewlett Packard Deskjet 560C uses <code class="literal">HP</code> <code class="literal">DeskJet</code> <code class="literal">560C</code> <code class="literal">Printer</code>.</p><div class="figure"><a name="ch07-46183"></a><p class="title"><b>Figure 7.9. The Add Printer Wizard dialog box in Windows 98</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 296px"><td><img src="figs/sam.0709.gif" height="296" alt="The Add Printer Wizard dialog box in Windows 98"></td></tr></table></div></div></div><br class="figure-break"><p>Automatically configuring printer drivers with Samba is explained in greater detail in <a href="#ch07-30008" title="Automatically Setting Up Printer Drivers">Section 7.1.7</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.5"></a>
-printer driver file</h4></div></div></div><a class="indexterm" name="ch07-idx-958429-0"></a><p>This global option gives the location of the Windows 95/98 printer driver definition file, which is needed to give printer drivers to clients using a Samba printer. The default value of this option is <code class="filename">/usr/local/samba/lib/printers.def</code>. You can override this default as shown below:</p><pre class="programlisting">[deskjet]
-	printer driver file = /var/printers/printers.def</pre><p>This option is explained in greater detail in <a href="#ch07-30008" title="Automatically Setting Up Printer Drivers">Section 7.1.7</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.6"></a>
-printer driver location</h4></div></div></div><a class="indexterm" name="ch07-idx-958432-0"></a><p>This option specifies a specific share that contains Windows 95 and 98 printer driver and definition files. There is no default parameter for this value. You can specify the location as a network pathname. A frequent approach is to use a share on your own machine, as shown here:</p><pre class="programlisting">[deskjet]
-	printer driver location = \\%L\PRINTER$</pre><p>This option is also explained in greater detail in <a href="#ch07-30008" title="Automatically Setting Up Printer Drivers">Section 7.1.7</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.7"></a>
-lpq cache time</h4></div></div></div><a class="indexterm" name="ch07-idx-958433-0"></a><p>
-<a class="indexterm" name="ch07-idx-956564-0"></a>The global <code class="literal">lpq</code> <code class="literal">cache</code> <code class="literal">time</code> option allows you to set the number of seconds that Samba will remember the current printer status. After this time elapses, Samba will issue an <span class="emphasis"><em>lpq</em></span> command (or whatever command you specify with the <code class="literal">lpq</code> <code class="literal">command</code> option) to get a more up-to-date status. This defaults to 10 seconds, but can be increased if your <code class="literal">lpq</code> <code class="literal">command</code> takes an unusually long time to run or you have lots of clients. The following example resets the time to 30 seconds:</p><pre class="programlisting">[deskjet]
-	lpq cache time = 30</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.8"></a>postscript</h4></div></div></div><p>The<a class="indexterm" name="ch07-idx-958438-0"></a> <code class="literal">postscript</code> option forces the printer to treat all data sent to it as Postscript. It does this by prepending the characters <code class="literal">%!</code> at the beginning of the first line of each job. It is normally used with PCs that insert a <code class="literal">^D</code> (control-D or "end-of-file mark) in front of the first line of a PostScript file. It will not, obviously, turn a non-PostScript printer into a PostScript one. The default value of this options is <code class="literal">no</code>. You can override it as follows:<a class="indexterm" name="ch07-idx-957258-0"></a></p><pre class="programlisting">[deskjet]
-	postscript = yes</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.9"></a>
-
-
-
-
-print command, lpq command, lprm command, lppause command, lpresume command</h4></div></div></div><a class="indexterm" name="ch07-idx-958439-0"></a><a class="indexterm" name="ch07-idx-958439-1"></a><a class="indexterm" name="ch07-idx-958439-2"></a><a class="indexterm" name="ch07-idx-958439-3"></a><a class="indexterm" name="ch07-idx-958439-4"></a><p>
-<a class="indexterm" name="ch07-idx-956566-0"></a>These options tell Samba which Unix commands used to control and send data to the printer. The Unix commands involved are: <span class="emphasis"><em>lpr</em></span> (send to Line PRinter), <span class="emphasis"><em>lpq</em></span> (List Printer Queue), <span class="emphasis"><em>lprm</em></span> (Line printer ReMove), and optionally <span class="emphasis"><em>lppause</em></span> and <span class="emphasis"><em>lpresume</em></span>. Samba provides an option named after each of these commands, in case you need to override any of the system defaults. For example, consider:</p><pre class="programlisting">lpq command = /usr/ucb/lpq %p</pre><p>This would set the <code class="literal">lpq command</code> to use <code class="filename">/usr/ucb/lpq</code>. Similarly:</p><pre class="programlisting">lprm command = /usr/local/lprm -P%p %j</pre><p>would set the Samba printer remove command to <code class="filename">/usr/local/lprm</code>, and provide it the print job number using the <code class="literal">%j</code> variable.</p><p>The default values for each of these options are dependent on the value of the <code class="literal">printing</code> option. <a href="#ch07-82964" title="Table 7.4. Default Commands for Various Printing Commands">Table 7.4</a> shows the default commands for each of the printing options. The most popular printing system is BSD.</p><div class="table"><a name="ch07-82964"></a><p class="title"><b>Table 7.4. Default Commands for Various Printing Commands </b></p><div class="table-contents"><table summary="Default Commands for Various Printing Commands " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>BSD, AIX, PLP, LPRNG</p></th><th><p>SYSV, HPUX</p></th><th><p>QNX</p></th><th><p>SOFTQ</p></th></tr></thead><tbody><tr><td><p><code class="literal">print command</code></p></td><td><p><code class="literal">lpr -r -P%p %s</code>
-<a class="indexterm" name="ch07-idx-958518-0"></a></p></td><td><p><code class="literal">lp -c -d%p %s; rm %s</code></p></td><td><p><code class="literal">lp -r -P%p %s</code></p></td><td><p><code class="literal">lp -d%p -s %s; rm %s</code></p></td></tr><tr><td><p><code class="literal">lpq command</code></p></td><td><p><code class="literal">lpq -P%p</code></p></td><td><p><code class="literal">lpstat -o%p</code></p></td><td><p><code class="literal">lpq -P%p</code></p></td><td><p><code class="literal">lpstat -o%p</code></p></td></tr><tr><td><p><code class="literal">lprm command</code></p></td><td><p><code class="literal">lprm -P%p %j</code></p></td><td><p><code class="literal">cancel %p-%j</code></p></td><td><p><code class="literal">cancel %p-%j</code></p></td><td><p><code class="literal">cancel %p-%j</code></p></td></tr><tr><td><p><code class="literal">lppause command</code></p></td><td><p><code class="literal">lp -i %p-%j -H hold </code></p>
-
-<p>(SYSV only)</p></td><td><p>None</p></td><td><p>None</p></td><td><p>None</p></td></tr><tr><td><p><code class="literal">lpresume command</code></p></td><td><p><code class="literal">lp -i %p-%j -H resume</code></p>
-
-<p>(SYSV only)</p></td><td><p>None</p></td><td><p>None</p></td><td><p><code class="literal">qstat -s -j%j -r</code></p></td></tr></tbody></table></div></div><br class="table-break"><p>It is typically not necessary to reset these options in Samba, with the possible exception of <code class="literal">print</code> <code class="literal">command</code>. This option may need to be explicitly set if your printing system doesn't have a <code class="literal">-r</code> (remove after printing) option on the printing command. For example:</p><pre class="programlisting">/usr/local/lpr -P%p %s; /bin/rm %s</pre><p>With a bit of judicious programming, these <code class="filename">smb.conf</code> options can also used for debugging:</p><pre class="programlisting">print command = cat %s &gt;&gt;/tmp/printlog; lpr -r -P%p %s</pre><p>For example, this configuration can verify that files are actually being delivered to the Samba server. If they are, their contents will show up in the <code class="filename">/tmp/printlog</code> file.</p><p>After BSD, the next most popular kind of printing system is SYSV (or System V) printing, plus some SYSV variants for IBM's AIX and Hewlett-Packard's HP-UX. These system do not have an <code class="filename">/etc/printcap</code> file. Instead, the <code class="literal">printcap</code> <code class="literal">file</code> option can be set to an appropriate <span class="emphasis"><em>lpstat</em></span> command for the system. This tells Samba to get a list of printers from the <span class="emphasis"><em>lpstat</em></span> command. Alternatively, you can set the global configuration option <code class="literal">printcap</code> <code class="literal">name</code> to the name of a dummy <code class="filename">printcap</code> file you provide. In the latter case, the file must contain a series of lines such as:</p><pre class="programlisting">lp|print1|My Printer 1
-print2|My Printer 2
-print3|My Printer 3</pre><p>Each line names a printer, and provides aliases for it. In this example, the first printer is called <code class="literal">lp</code>, <code class="literal">print1</code>, or <code class="literal">My</code> <code class="literal">Printer</code> <code class="literal">1</code>, whichever the user prefers to use. The first name will be used in place of <code class="literal">%p</code> in any command Samba executes for that printer.</p><p>Two additional printer types are also supported by Samba: LPRNG (LPR New Generation) and PLP (Public Line Printer). These are public domain and Open Source printing systems, and are used by many sites to overcome problems with vendor-supplied software. In addition, the SOFTQ and QNX realtime operating systems are supported by Samba.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.10"></a>load printers</h4></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956568-0"></a>The <code class="literal">load</code>
-<a class="indexterm" name="ch07-idx-958440-0"></a> <code class="literal">printers</code> option tells Samba to create shares for all known printer names and load those shares into the browse list. Samba will create and list a printer share for each printer name in <code class="filename">/etc/printcap</code> (or system equivalent). For example, if your <code class="filename">printcap</code> file looks like this:<sup>[<a name="ch07-pgfId-950654" href="#ftn.ch07-pgfId-950654">2</a>]</sup></p><pre class="programlisting">lp:\
-  :sd=/var/spool/lpd/lp:\            <em class="replaceable"><code># spool directory</code></em>
-  :mx#0:\                            <em class="replaceable"><code># maximum file size (none)</code></em>
-  :sh:\                              <em class="replaceable"><code># surpress burst header (no)</code></em>
-  :lp=/dev/lp1:\                     <em class="replaceable"><code># device name for output</code></em>
-  :if=/var/spool/lpd/lp/filter:      <em class="replaceable"><code># text filter</code></em>
-
-laser:\
-  :sd=/var/spool/lpd/laser:\         <em class="replaceable"><code># spool directory</code></em>
-  :mx#0:\                            <em class="replaceable"><code># maximum file size (none)</code></em>
-  :sh:\                              <em class="replaceable"><code># surpress burst header (no)</code></em>
-  :lp=/dev/laser:\                   <em class="replaceable"><code># device name for output</code></em>
-  :if=/var/spool/lpd/lp/filter:      <em class="replaceable"><code># text filter</code></em></pre><p>and you specify:</p><pre class="programlisting">load printers = yes</pre><p>the shares <code class="literal">[lp]</code> and <code class="literal">[laser]</code> will automatically be created as valid print shares when Samba is started. Both shares will borrow the configuration options specified in the <code class="literal">[printers]</code> section to configure themselves, and will be available in the browse list for the Samba server.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.11"></a>printcap name</h4></div></div></div><p>If the <code class="literal">printcap</code>
-<a class="indexterm" name="ch07-idx-958442-0"></a> <code class="literal">name</code> option (also called <code class="literal">printcap</code>) appears in a printing share, Samba will use the file specified as the system printer capabilities file. This is normally <code class="filename">/etc/printcap</code>. However, you can reset it to a file consisting of only the printers you want to share over the network. The value must be a fully-qualified filename of a printer capabilities file on the server:</p><pre class="programlisting">[deskjet]
-	printcap name = /usr/local/printcap</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.12"></a>min print space</h4></div></div></div><p>The <code class="literal">min</code>
-<a class="indexterm" name="ch07-idx-958443-0"></a> <code class="literal">print</code> <code class="literal">space</code> option sets the amount of <a class="indexterm" name="ch07-idx-956570-0"></a>spool space that must be available on the disk before printing is allowed. Setting it to zero (the default) turns the check off; setting it to any other number sets the amount of free space in kilobytes required. This option helps avoid having print jobs fill up the remaining disk space on the server, which may cause other processes to fail:</p><pre class="programlisting">[deskjet]
-	min print space = 4000</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.13"></a>
-queuepause command</h4></div></div></div><a class="indexterm" name="ch07-idx-958444-0"></a><p>This configuration option specifies a command that tells Samba how to pause a <a class="indexterm" name="ch07-idx-956571-0"></a>print queue entirely, as opposed to a single job on the queue. The default value depends on the printing type chosen. You should not need to alter this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-2.1.14"></a>
-queueresume command</h4></div></div></div><a class="indexterm" name="ch07-idx-958445-0"></a><p>This configuration option specifies a command that tells Samba how to resume a paused print queue, as opposed to resuming a single job on the print queue. The default value depends on the printing type chosen. You should not need to alter<a class="indexterm" name="ch07-idx-956423-0"></a> this<a class="indexterm" name="ch07-idx-956372-0"></a> option.<a class="indexterm" name="ch07-idx-956352-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch07-12219"></a>Name Resolution with Samba</h2></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956353-0"></a>Before NetBIOS Name Servers (NBNS) came about, name resolution worked entirely by broadcast. If you needed a machine's address, you simply <a class="indexterm" name="ch07-idx-956574-0"></a>broadcast its name across the network and, in theory, the machine itself would reply. This approach is still possible: anyone looking for a machine named <code class="literal">fred</code> can still broadcast a query and find out if it exists and what its IP address is. (We use this capability to troubleshoot Samba name services with the <code class="literal">nmblookup</code> command in <a href="#SAMBA-CH-9" title="Chapter 9. Troubleshooting Samba">Chapter 9</a>.)</p><p>As you saw in the first chapter, however, broadcasting&#8212;whether it be browsing or name registration and resolution&#8212;does not pass easily across multiple subnets. In addition, many broadcasts tend to bog down networks. To solve this problem, Microsoft now provides the <a class="indexterm" name="ch07-idx-956577-0"></a>Windows Internet Naming Service (WINS), a cross-subnet NBNS, which Samba supports. With it, an administrator can designate a single machine to act as a WINS server, and can then provide each client that requires name resolution the address of the WINS server. Consequently, name registration and resolution requests can be directed to a single machine from any point on the network, instead of broadcast.</p><p>WINS and broadcasting are not the only means of name resolution, however. There are actually four mechanisms that can be used with Samba:</p><div class="itemizedlist"><ul type="disc"><li><p>WINS</p></li><li><p>Broadcasting</p></li><li><p>Unix <code class="filename">/etc/hosts</code> or NIS/NIS+ matches</p></li><li><p><span class="emphasis"><em>LMHOSTS</em></span> file</p></li></ul></div><p>Samba can use any or all of these name resolution methods in the order that you specify in the Samba configuration file using the <code class="literal">name</code> <code class="literal">resolve</code> <code class="literal">order</code> parameter. However, before delving into configuration options, let's discuss the one that you've probably not encountered before: the <code class="filename">LMHOSTS</code> file.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-3.1"></a>The LMHOSTS File</h3></div></div></div><p><code class="filename">LMHOSTS</code>
-<a class="indexterm" name="ch07-idx-956428-0"></a> is the standard LAN Manager <span class="emphasis"><em>hosts</em></span> file used to resolve names into IP addresses on the system. It is the NBT equivalent of the <code class="filename">/etc/hosts</code> file that is standard on all Unix systems. By default, the file is usually stored as <code class="filename">/usr/local/samba/lib/LMHOSTS</code> and shares a format similar to <code class="filename">/etc/hosts</code>. For example:</p><pre class="programlisting">192.168.220.100    hydra
-192.168.220.101    phoenix</pre><p>The only difference is that the names on the right side of the entries are NetBIOS names instead of DNS names. Because they are NetBIOS names, you can assign resource types to them as well:</p><pre class="programlisting">192.168.220.100    hydra#20
-192.168.220.100    simple#1b
-192.168.220.101    phoenix#20</pre><p>Here, we've assigned the <code class="literal">hydra</code> machine to be the primary domain controller of the <code class="literal">SIMPLE</code> domain, as indicated by the resource type &lt;1B&gt; assigned to the name after <code class="literal">hydra</code>'s IP address in the second line. The other two are standard workstations.</p><p>If you wish to place an <span class="emphasis"><em>LMHOSTS</em></span> file somewhere other than the default location, you will need to notify the <span class="emphasis"><em>nmbd</em></span> process upon start up, as follows:</p><pre class="programlisting">nmbd -H /etc/samba/lmhosts -D</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-3.2"></a>Setting Up Samba to Use Another WINS Server</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956595-0"></a>
-<a class="indexterm" name="ch07-idx-956595-1"></a>You can set up Samba to use a WINS server somewhere else on the network by simply pointing it to the IP address of the WINS server. This is done with the global <code class="literal">wins</code> <code class="literal">server</code> configuration option, as shown here:</p><pre class="programlisting">[global]
-	wins server = 192.168.200.122</pre><p>With this option enabled, Samba will direct all WINS requests to the server at 192.168.200.122. Note that because the request is directed at a single machine, we don't have to worry about any of the problems inherent to broadcasting. However, though you have specified an IP address for a WINS server in the configuration file, Samba will not necessarily use the WINS server before other forms of name resolution. The order in which Samba attempts various name-resolution techniques is given with the <code class="literal">name</code> <code class="literal">resolve</code> <code class="literal">order</code> configuration option, which we will discuss shortly.</p><p>If you have a Samba server on a subnet that still uses broadcasting and the Samba server knows the correct location of a WINS server on another subnet, you can configure the Samba server to forward any name resolution requests with the <code class="literal">wins</code> <code class="literal">proxy</code> option:</p><pre class="programlisting">[global]
-	wins server = 192.168.200.12
-	wins proxy = yes</pre><p>Use this only in situations where the WINS server resides on another subnet. Otherwise, the broadcast will reach the WINS server regardless of any proxying.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-83429"></a>Setting Up Samba as a WINS Server</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956600-0"></a>You can set up Samba as a WINS server by setting two global options in the configuration file, as shown below:</p><pre class="programlisting">[global]
-	wins support = yes
-	name resolve order = wins lmhosts hosts bcast</pre><p>The <code class="literal">wins</code> <code class="literal">support</code> option turns Samba into a WINS server. Believe it or not, that's all you need to do! Samba handles the rest of the details behind the scenes, leaving you a relaxed administrator. The <code class="literal">wins</code> <code class="literal">support=yes</code> and the <code class="literal">wins</code> <code class="literal">server</code> option are mutually exclusive; you cannot simultaneously offer Samba as the WINS server and point to another system as the server.</p><p>If Samba is acting as a WINS server, you should probably get familiar with the <code class="literal">name</code> <code class="literal">resolve</code> <code class="literal">order</code> option mentioned earlier. This option tells Samba the order of methods in which it tries to resolve a NetBIOS name. It can take up to four values:</p><div class="variablelist"><dl><dt><span class="term">lmhosts</span></dt><dd><p>Uses a LAN Manager <span class="emphasis"><em>LMHOSTS</em></span> file</p></dd><dt><span class="term">hosts</span></dt><dd><p>Uses the standard name resolution methods of the Unix system, <span class="emphasis"><em>/etc/hosts</em></span>, DNS, NIS, or a combination (as configured for the system)</p></dd><dt><span class="term">wins</span></dt><dd><p>Uses the WINS server</p></dd><dt><span class="term">bcast</span></dt><dd><p>Uses a broadcast method</p></dd></dl></div><p>The order in which you specify them in the value is the order in which Samba will attempt name resolution when acting as a WINS server. For example, let's look at the value specified previously:</p><pre class="programlisting">name resolve order = wins lmhosts hosts bcast</pre><p>This means that Samba will attempt to use its WINS entries first for name resolution, followed by the LAN Manager <span class="emphasis"><em>LMHOSTS</em></span> file on its system. Next, the hosts value causes it to use Unix name resolution methods. The word <code class="literal">hosts</code> may be misleading; it covers not only the <code class="filename">/etc/hosts</code> file, but also the use of DNS or NIS (as configured on the Unix host). Finally, if those three do not work, it will use a broadcast to try to locate the correct machine.</p><p>Finally, you can instruct a Samba server that is acting as a WINS server to check with the system's DNS server if a requested host cannot be found in its WINS database. With a typical Linux system, for example, you can find the IP address of the DNS server by searching the <code class="filename">/etc/resolv.conf</code> file. In it, you might see an entry such as the following:</p><pre class="programlisting">nameserver 127.0.0.1
-nameserver 192.168.200.192</pre><p>This tells us that a DNS server is located at 192.168.220.192. (The 127.0.0.1 is the localhost address and is never a valid DNS server address.)</p><p>Use the global <code class="literal">dns</code> <code class="literal">proxy</code> option to alert Samba to use the configured DNS server:</p><pre class="programlisting">[global]
-	wins support = yes
-	name resolve order = wins lmhosts hosts bcast
-	dns proxy = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch07-SECT-3.4"></a>Name Resolution Configuration Options</h3></div></div></div><p>
-<a class="indexterm" name="ch07-idx-956430-0"></a>Samba's WINS options are shown in <a href="#ch07-82331" title="Table 7.5. WINS Options">Table 7.5</a>.</p><div class="table"><a name="ch07-82331"></a><p class="title"><b>Table 7.5. WINS Options </b></p><div class="table-contents"><table summary="WINS Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">wins support</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, Samba will act as a WINS server.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">wins server</code></p></td><td><p>string (IP address or DNS name)</p></td><td><p>Identifies a WINS server for Samba to use for name registration and resolution.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">wins proxy</code></p></td><td><p>boolean</p></td><td><p>Allows Samba to act as a proxy to a WINS server on another subnet.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">dns proxy</code></p></td><td><p>boolean</p></td><td><p>If set to <code class="literal">yes</code>, a Samba WINS server will search DNS if it cannot find a name in WINS.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">name resolve order</code></p></td><td><p><code class="literal">lmhosts</code>, <code class="literal">hosts</code>, <code class="literal">wins</code>, or <code class="literal">bcast</code></p></td><td><p>Specifies an order of the methods used to resolve NetBIOS names.</p></td><td><p><code class="literal">lmhosts hosts wins bcast</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max ttl</code></p></td><td><p>numerical</p></td><td><p>Specifies the maximum time-to-live in seconds for a requested NetBIOS names.</p></td><td><p><code class="literal">259200</code>( 3 days)</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max wins ttl</code></p></td><td><p>numerical</p></td><td><p>Specifies the maximum time-to-live in seconds for NetBIOS names given out by Samba as a WINS server.</p></td><td><p><code class="literal">518400</code>(6 days)</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">min wins ttl</code></p></td><td><p>numerical</p></td><td><p>Specifies the minimum time-to-live in seconds for NetBIOS names given out by Samba as a WINS server.</p></td><td><p><code class="literal">21600</code>(6 hours)</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.1"></a>
-wins support</h4></div></div></div><a class="indexterm" name="ch07-idx-958447-0"></a><p>Samba will provide <a class="indexterm" name="ch07-idx-956607-0"></a>WINS name service to all machines in the network if you set the following in the <code class="literal">[global]</code> section of the <code class="filename">smb.conf</code> file:</p><pre class="programlisting">[global]
-    wins support = yes</pre><p>The default value is <code class="literal">no</code>, which is typically used to allow another Windows NT server to become a WINS server. If you do enable this option, remember that a Samba WINS server currently cannot exchange data with any backup WINS servers. If activated, this option is mutually exclusive with the <code class="literal">wins</code> <code class="literal">server</code> parameter; you cannot set both to <code class="literal">yes</code> at the same time or Samba will flag an error.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.2"></a>
-wins server</h4></div></div></div><a class="indexterm" name="ch07-idx-958448-0"></a><p>Samba will use an existing WINS server on the network if you specify the <code class="literal">wins</code> <code class="literal">server</code> global option in your configuration file. The value of this option is either the IP address or DNS name (not NetBIOS name) of the WINS server. For example:</p><pre class="programlisting">[global]
-    wins server = 192.168.220.110</pre><p>or:</p><pre class="programlisting">[global]
-    wins server = wins.example.com</pre><p>In order for this option to work, the <code class="literal">wins</code> <code class="literal">support</code> option must be set to <code class="literal">no</code> (the default). Otherwise, Samba will report an error. You can specify only one WINS server using this option.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.3"></a>
-wins proxy</h4></div></div></div><a class="indexterm" name="ch07-idx-958449-0"></a><p>This option allows Samba to act as a proxy to another WINS server, and thus relay name registration and resolution requests from itself to the real WINS server, often outside the current subnet. The WINS server can be indicated through the <code class="literal">wins</code> <code class="literal">server</code> option. The proxy will then return the WINS response back to the client. You can enable this option by specifying the following in the <code class="literal">[global]</code> section:</p><pre class="programlisting">[global]
-    wins proxy = yes</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.4"></a>
-dns proxy</h4></div></div></div><a class="indexterm" name="ch07-idx-958450-0"></a><p>If you want the <a class="indexterm" name="ch07-idx-956608-0"></a>domain name service (DNS) to be used if a name isn't found in WINS, you can set the following option:</p><pre class="programlisting">[global]
-    dns proxy = yes</pre><p>This will cause <code class="filename">nmbd</code> to query for machine names using the server's standard domain name service. You may wish to deactivate this option if you do not have a permanent connection to your DNS server. Despite this option, we recommend using a WINS server. If you don't already have any WINS servers on your network, make one Samba machine a WINS server. Do not, however, make two Samba machines WINS servers (one primary and one backup) as they currently cannot exchange WINS databases.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.5"></a>
-name resolve order</h4></div></div></div><a class="indexterm" name="ch07-idx-958451-0"></a><p>The global <code class="literal">name</code> <code class="literal">resolve</code> <code class="literal">order</code> option specifies the order of services that Samba will use in attempting name resolution. The default order is to use the <span class="emphasis"><em>LMHOSTS</em></span> file, followed by standard Unix name resolution methods (some combination of    <code class="filename">/etc/hosts</code>, DNS, and NIS), then query a WINS server, and finally use broadcasting to determine the address of a NetBIOS name. You can override this option by specifying something like the following:</p><pre class="programlisting">[global]
-    name resolve order = lmhosts wins hosts bcast</pre><p>This causes resolution to use the <span class="emphasis"><em>LMHOSTS</em></span> file first, followed by a query to a WINS server, the system password file, and finally broadcasting. You need not use all four options if you don't want to. This option is covered in more detail in <a href="#ch07-83429" title="Setting Up Samba as a WINS Server">Section 7.3.3</a> earlier in this chapter.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.6"></a>
-max ttl</h4></div></div></div><a class="indexterm" name="ch07-idx-958452-0"></a><p>This option gives the maximum t<a class="indexterm" name="ch07-idx-956610-0"></a>
-<a class="indexterm" name="ch07-idx-956610-1"></a>ime to live (T T L) during which a NetBIOS name registered with the Samba server will remain active. You should never need to alter this value.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.7"></a>
-max wins ttl</h4></div></div></div><a class="indexterm" name="ch07-idx-958453-0"></a><p>This option give the maximum time to live (T T L) during which a NetBIOS name resolved from a WINS server will remain active. You should never need to change this value from its default.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch07-SECT-3.4.8"></a>
-min wins ttl</h4></div></div></div><a class="indexterm" name="ch07-idx-958454-0"></a><p>This option give the minimum time to live (T T L) during which a NetBIOS name resolved from a WINS server will remain active. You should never need to alter this value from its<a class="indexterm" name="ch07-idx-956431-0"></a> default.<a class="indexterm" name="ch07-idx-956354-0"></a></p></div></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.ch07-pgfId-951615" href="#ch07-pgfId-951615">1</a>] </sup>Older Windows 95 clients may have only the first two files.</p></div><div class="footnote"><p><sup>[<a name="ftn.ch07-pgfId-950654" href="#ch07-pgfId-950654">2</a>] </sup>We have placed annotated comments off to the side in case you've never dealt with this file before.</p></div></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-8"></a>Chapter 8. Additional Samba Information </h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch08-56646">8.1. Supporting Programmers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-1.1">8.1.1. Time Synchronization</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-79987">8.2. Magic Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-2.0.1">8.2.1. magic script</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-2.0.2">8.2.2. 
-magic output</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-91233">8.3. Internationalization</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-17721">8.3.1. 
-client code page</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.2">8.3.2. character set</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.3">8.3.3. coding system</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-3.0.4">8.3.4. valid chars</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-82569">8.4. WinPopup Messages</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-4.0.1">8.4.1. message command</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-SECT-5">8.5. Recently Added Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-5.0.1">8.5.1. change notify timeout</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.2">8.5.2. machine password timeout</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.3">8.5.3. stat cache</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-5.0.4">8.5.4. stat cache size</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-70923">8.6. Miscellaneous Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch08-SECT-6.0.1">8.6.1. 
-deadtime</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.2">8.6.2. 
-dfree command</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.3">8.6.3. 
-fstype</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.4">8.6.4. keep alive</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.5">8.6.5. 
-max disk size</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.6">8.6.6. 
-max mux</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.7">8.6.7. 
-max open files</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.8">8.6.8. 
-max xmit</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.9">8.6.9. 
-nt pipe support</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.10">8.6.10. 
-nt smb support</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.11">8.6.11. 
-ole locking compatibility</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.12">8.6.12. 
-panic action</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.13">8.6.13. 
-set directory</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.14">8.6.14. 
-smbrun</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.15">8.6.15. 
-status</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.16">8.6.16. 
-strict sync</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.17">8.6.17. 
-sync always</a></span></dt><dt><span class="sect2"><a href="#ch08-SECT-6.0.18">8.6.18. 
-strip dot</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch08-74829">8.7. Backups with smbtar</a></span></dt></dl></div><p>This chapter wraps up our coverage of the <code class="filename">smb.conf</code> configuration file with some miscellaneous options that can perform a variety of tasks. We will talk briefly about options for supporting programmers, internationalization, messages, and common Windows bugs. For the most part, you will use these options only in isolated circumstances. We also cover performing automated backups with the <code class="filename">smbtar</code> command at the end of this chapter. So without further ado, let's jump into our first subject: options to help programmers.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-56646"></a>Supporting Programmers</h2></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965254-0"></a>If <a class="indexterm" name="ch08-idx-965351-0"></a>you have programmers accessing your Samba server, you'll want to be aware of the special options listed in <a href="#ch08-73167" title="Table 8.1. Programming Configuration Options">Table 8.1</a>.</p><div class="table"><a name="ch08-73167"></a><p class="title"><b>Table 8.1. Programming Configuration Options </b></p><div class="table-contents"><table summary="Programming Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">time server</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, <span class="emphasis"><em>nmbd</em></span> announces itself as a SMB time service to Windows clients.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">time offset</code></p></td><td><p>numerical (number of minutes)</p></td><td><p>Adds a specified number of minutes to the reported time.</p></td><td><p><code class="literal">0</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">dos filetimes</code></p></td><td><p>boolean</p></td><td><p>Allows non-owners of a file to change its time if they can write to it.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">dos filetime</code></p>
-
-<p><code class="literal">resolution</code></p></td><td><p>boolean</p></td><td><p>Causes file times to be rounded to the next even second.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">fake directory create times</code></p></td><td><p>boolean</p></td><td><p>Sets directory times to avoid a MS <span class="emphasis"><em>nmake</em></span> bug.</p></td><td><p><code class="literal">no</code></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-1.1"></a>Time Synchronization</h3></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965360-0"></a>
-<a class="indexterm" name="ch08-idx-965360-1"></a>Time synchronization can be very important to programmers. Consider the following options:</p><pre class="programlisting">time service = yes
-dos filetimes = yes
-fake directory create times = yes
-dos filetime resolution = yes
-delete readonly = yes</pre><p>If you set these options, Samba shares will provide the kind of compatible file times that Visual C++, <span class="emphasis"><em>nmake</em></span>, and other Microsoft programming tools require. Otherwise, PC <span class="emphasis"><em>make</em></span> programs will tend to think that all the files in a directory need to be recompiled every time. Obviously, this is not the behavior you want.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.1"></a>time server</h4></div></div></div><p>If your Samba server has an accurate clock, or if it's a client of one of the Unix network time servers, you can instruct it to advertise itself as an SMB time server by setting the<a class="indexterm" name="ch08-idx-965946-0"></a> <code class="literal">time</code> <code class="literal">server</code> option as follows:</p><pre class="programlisting">[global]
-	time service = yes</pre><p>The client will still have to request the correct time with the following DOS command, substituting the Samba server name in at the appropriate point:</p><pre class="programlisting">C:\NET TIME \\<em class="replaceable"><code>server</code></em> /YES /SET</pre><p>This command can be placed in a Windows logon script (see <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>).</p><p>By default, the <code class="literal">time</code> <code class="literal">server</code> option is normally set to <code class="literal">no</code>. If you turn this service on, you can use the command above to keep the client clocks from drifting. Time synchronization is important to clients using programs such as <span class="emphasis"><em>make</em></span>, which compile based on the last time the file was changed. Incorrectly synchronized times can cause such programs to either remake all files in a directory, which wastes time, or not recompile a source file that was just modified because of a slight clock drift.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.2"></a>time offset</h4></div></div></div><p>To deal with clients that don't process daylight savings time properly, Samba provides the <code class="literal">time</code> <code class="literal">offset</code> option. If set, it adds the specified number of minutes to the current time. This is handy if you're in Newfoundland and Windows doesn't know about the 30-minute time difference there:</p><pre class="programlisting">[global]
-	time offset = 30</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.3"></a>dos filetimes</h4></div></div></div><p>Traditionally, only the root user and the owner of a file can change its last-modified date on a Unix system. The share-level <code class="literal">dos</code> <code class="literal">filetimes</code> option allows the Samba server to mimic the characteristics of a DOS/Windows machine: any user can change the last modified date on a file in that share if he or she has write permission to it. In order to do this, Samba uses its root privileges to modify the timestamp on the file.</p><p>By default, this option is disabled. Setting this option to <code class="literal">yes</code> is often necessary to allow PC <span class="emphasis"><em>make</em></span> programs to work properly. Without it, they cannot change the last-modified date themselves. This often results in the program thinking <span class="emphasis"><em>all</em></span> files need recompiling when they really don't.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.4"></a>dos filetime resolution</h4></div></div></div><p><code class="literal">dos</code>
-<a class="indexterm" name="ch08-idx-965949-0"></a> <code class="literal">filetime</code> <code class="literal">resolution</code> is share-level option. If set to <code class="literal">yes</code>, Samba will arrange to have the file times rounded to the closest two-second boundary. This option exists primarily to satisfy a quirk in Windows that prevents Visual C++ from correctly recognizing that a file has not changed. You can enable it as follows:</p><pre class="programlisting">[data]
-	dos filetime resolution = yes</pre><p>We recommend using this option only if you are using Microsoft Visual C++ on a Samba share that supports opportunistic locking.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch08-SECT-1.1.5"></a>fake directory create times</h4></div></div></div><p>The <code class="literal">fake</code>
-<a class="indexterm" name="ch08-idx-965950-0"></a> <code class="literal">directory</code> <code class="literal">create</code> <code class="literal">times</code> option exists to keep PC <span class="emphasis"><em>make</em></span> programs sane. VFAT and NTFS filesystems record the creation date of a specific directory while Unix does not. Without this option, Samba takes the earliest recorded date it has for the directory (often the last-modified date of a file) and returns it to the client. If this is not sufficient, set the following option under a share definition:</p><pre class="programlisting">[data]
-	fake directory create times = yes</pre><p>If set, Samba will adjust the directory create time it reports to the hardcoded value January 1st, 1980. This is primarily used to convince the Visual C++ <span class="emphasis"><em>nmake</em></span> program that any object files in its build directories are indeed younger than the creation date of the directory itself and need to be recompiled.<a class="indexterm" name="ch08-idx-965924-0"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-79987"></a>Magic Scripts</h2></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965216-0"></a>
-<a class="indexterm" name="ch08-idx-965216-1"></a>The following options deal with <em class="firstterm">magic scripts</em> on the Samba server. Magic scripts are a method of running programs on Unix and redirecting the output back to the <a class="indexterm" name="ch08-idx-965385-0"></a>SMB client. These are essentially an experimental hack. However, some users and their programs still rely on these two options for their programs to function correctly. Magic scripts are not widely trusted and their use is highly discouraged by the Samba team. See <a href="#ch08-33693" title="Table 8.2. Networking Configuration Options">Table 8.2</a> for more information.</p><div class="table"><a name="ch08-33693"></a><p class="title"><b>Table 8.2. Networking Configuration Options </b></p><div class="table-contents"><table summary="Networking Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">magic script</code></p></td><td><p>
-<a class="indexterm" name="ch08-idx-965386-0"></a>string (fully-qualified filename)</p></td><td><p>Sets the name of a file to be executed by Samba, as the logged-on user, when closed.</p></td><td><p>None</p></td><td><p>Share</p></td></tr><tr><td><p><code class="literal">magic output</code></p></td><td><p>string (fully-qualified filename)</p></td><td><p>Sets a file to log output from the magic file.</p></td><td><p><span class="emphasis"><em>scriptname.out</em></span></p></td><td><p>Share</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-2.0.1"></a>magic script</h3></div></div></div><p>If the <code class="literal">magic</code>
-<a class="indexterm" name="ch08-idx-965952-0"></a> <code class="literal">script</code> option is set to a filename and the client creates a file by that name in that share, Samba will run the file as soon as the user has opened and closed it. For example, let's assume that the following option was created in the share <code class="literal">[accounting]</code>:</p><pre class="programlisting">[accounting]
-	magic script = tally.sh</pre><p>Samba continually monitors the files in that share. If one by the name of <span class="emphasis"><em>tally.sh</em></span> is closed (after being opened) by a user, Samba will execute the contents of that file locally. The file will be passed to the shell to execute; it must therefore be a legal Unix shell script. This means that it must have newline characters as line endings instead of Windows CR/LFs. In addition, it helps if you use the <code class="literal">#!</code> directive at the beginning of the file to indicate under which shell the script should run.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-2.0.2"></a>
-magic output</h3></div></div></div><a class="indexterm" name="ch08-idx-965953-0"></a><p>This option specifies an output file that the script specified by the <code class="literal">magic</code> <code class="literal">script</code> option will send output to. You must specify a filename in a writable directory:</p><pre class="programlisting">[accounting]
-	magic script = tally.sh
-	magic output = /var/log/magicoutput</pre><p>If this option is omitted, the default output file is the name of the script (as stated in the <code class="literal">magic</code> <code class="literal">script</code> option) with the extension <span class="emphasis"><em>.out</em></span> appended onto it.<a class="indexterm" name="ch08-idx-965526-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-91233"></a>Internationalization</h2></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965219-0"></a>
-<a class="indexterm" name="ch08-idx-965219-1"></a>
-<a class="indexterm" name="ch08-idx-965219-2"></a>Samba has a limited ability to speak foreign tongues: if you need to deal with characters that aren't in standard ASCII, some options that can help you are shown in <a href="#ch08-40870" title="Table 8.3. Networking Configuration Options">Table 8.3</a>. Otherwise, you can skip over this section.</p><div class="table"><a name="ch08-40870"></a><p class="title"><b>Table 8.3. Networking Configuration Options </b></p><div class="table-contents"><table summary="Networking Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">client code page</code></p></td><td><p>Described in this section</p></td><td><p>Sets a code page to expect from clients</p></td><td><p>850</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">character set</code></p></td><td><p>Described in this section</p></td><td><p>Translates code pages into alternate UNIX character sets</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">coding system</code></p></td><td><p>Described in this section</p></td><td><p>Translates code page 932 into an Asian character set</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">valid chars</code></p></td><td><p>string (set of characters)</p></td><td><p>Obsolete: formerly added individual characters to a code page, and had to be used after setting client code page</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-17721"></a>
-client code page</h3></div></div></div><a class="indexterm" name="ch08-idx-965956-0"></a><p>The character sets on Windows platforms hark back to the original concept of a <span class="emphasis"><em>code page</em></span>
-<a class="indexterm" name="ch08-idx-965388-0"></a>. These code pages are used by DOS and Windows clients to determine rules for mapping lowercase letters to uppercase letters. Samba can be instructed to use a variety of code pages through the use of the global <code class="literal">client</code> <code class="literal">code</code> <code class="literal">page</code> option in order to match the corresponding code page in use on the client. This option loads a code-page definition file, and can take the values specified in <a href="#ch08-20815" title="Table 8.4. Valid Code Pages with Samba 2.0">Table 8.4</a>.</p><div class="table"><a name="ch08-20815"></a><p class="title"><b>Table 8.4. Valid Code Pages with Samba 2.0 </b></p><div class="table-contents"><table summary="Valid Code Pages with Samba 2.0 " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Code Page</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">437</code></p></td><td><p>
-<a class="indexterm" name="ch08-idx-965389-0"></a>MS-DOS Latin (United States)</p></td></tr><tr><td><p><code class="literal">737</code></p></td><td><p>Windows 95 Greek</p></td></tr><tr><td><p><code class="literal">850</code></p></td><td><p>MS-DOS Latin 1 (Western European)</p></td></tr><tr><td><p><code class="literal">852</code></p></td><td><p>MS-DOS Latin 2 (Eastern European)</p></td></tr><tr><td><p><code class="literal">861</code></p></td><td><p>MS-DOS Icelandic</p></td></tr><tr><td><p><code class="literal">866</code></p></td><td><p>MS-DOS Cyrillic (Russian)</p></td></tr><tr><td><p><code class="literal">932</code></p></td><td><p>MS-DOS Japanese Shift-JIS</p></td></tr><tr><td><p><code class="literal">936</code></p></td><td><p>MS-DOS Simplified Chinese</p></td></tr><tr><td><p><code class="literal">949</code></p></td><td><p>MS-DOS Korean Hangul</p></td></tr><tr><td><p><code class="literal">950</code></p></td><td><p>MS-DOS Traditional Chinese</p></td></tr></tbody></table></div></div><br class="table-break"><p>You can set the client code page as follows:</p><pre class="programlisting">[global]
-	client code page = 852</pre><p>The default value of this option is 850. You can use the <span class="emphasis"><em>make_smbcodepage</em></span> tool that comes with Samba (by default in <code class="filename">/usr/local/samba/bin</code> ) to create your own SMB code pages, in the event that those listed earlier are not sufficient.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-3.0.2"></a>character set</h3></div></div></div><p>The global <code class="literal">character</code> <code class="literal">set</code> option can be used to convert filenames offered through a DOS code page (see the previous section, <a href="#ch08-17721" title="client code page">Section 8.3.1</a>) to equivalents that can be represented by Unix character sets other than those in the United States. For example, if you want to convert the Western European MS-DOS character set on the client to a Western European Unix character set on the server, you can use the following in your configuration file:</p><pre class="programlisting">[global]
-	client code page = 850
-	character set = ISO8859-1</pre><p>Note that you must include a <code class="literal">client</code> <code class="literal">code</code> <code class="literal">page</code> option to specify the character set from which you are converting. The valid character sets (and their matching code pages) that Samba 2.0 accepts are listed in <a href="#ch08-14126" title="Table 8.5. Valid Character Sets with Samba 2.0">Table 8.5</a>:</p><div class="table"><a name="ch08-14126"></a><p class="title"><b>Table 8.5. Valid Character Sets with Samba 2.0 </b></p><div class="table-contents"><table summary="Valid Character Sets with Samba 2.0 " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Character Set</p></th><th><p>Matching Code Page</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">ISO8859-1</code></p></td><td><p><code class="literal">850</code>
-<a class="indexterm" name="ch08-idx-965390-0"></a></p></td><td><p>Western European Unix</p></td></tr><tr><td><p><code class="literal">ISO8859-2</code></p></td><td><p><code class="literal">852</code></p></td><td><p>Eastern European Unix</p></td></tr><tr><td><p><code class="literal">ISO8859-5</code></p></td><td><p><code class="literal">866</code></p></td><td><p>Russian Cyrillic Unix</p></td></tr><tr><td><p><code class="literal">KOI8-R</code></p></td><td><p><code class="literal">866</code></p></td><td><p>Alternate Russian Cyrillic Unix</p></td></tr></tbody></table></div></div><br class="table-break"><p>Normally, the <code class="literal">character</code> <code class="literal">set</code> option is disabled completely.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-3.0.3"></a>coding system</h3></div></div></div><p>The <code class="literal">coding</code>
-<a class="indexterm" name="ch08-idx-965965-0"></a> <code class="literal">system</code> option is similar to the <code class="literal">character</code> <code class="literal">set</code> option. However, its purpose is to determine how to convert a Japanese Shift JIS code page into an appropriate Unix character set. In order to use this option, the <code class="literal">client</code> <code class="literal">code</code> <code class="literal">page</code> option described previously must be set to page 932. The valid coding systems that Samba 2.0 accepts are listed in <a href="#ch08-57476" title="Table 8.6. Valid Coding System Parameters with Samba 2.0">Table 8.6</a>.</p><div class="table"><a name="ch08-57476"></a><p class="title"><b>Table 8.6. Valid Coding System Parameters with Samba 2.0 </b></p><div class="table-contents"><table summary="Valid Coding System Parameters with Samba 2.0 " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Character Set</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">SJIS</code></p></td><td><p>
-<a class="indexterm" name="ch08-idx-965393-0"></a>Standard Shift JIS</p></td></tr><tr><td><p><code class="literal">JIS8</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8BB</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8BH</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8@B</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8@J</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J8@H</code></p></td><td><p>Eight-bit JIS codes</p></td></tr><tr><td><p><code class="literal">JIS7</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7BB</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7BH</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7@B</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7@J</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">J7@H</code></p></td><td><p>Seven-bit JIS codes</p></td></tr><tr><td><p><code class="literal">JUNET</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JUBB</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JUBH</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JU@B</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JU@J</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">JU@H</code></p></td><td><p>JUNET codes</p></td></tr><tr><td><p><code class="literal">EUC</code></p></td><td><p>EUC codes</p></td></tr><tr><td><p><code class="literal">HEX</code></p></td><td><p>Three-byte hexidecimal code</p></td></tr><tr><td><p><code class="literal">CAP</code></p></td><td><p>Three-byte hexidecimal code (Columbia Appletalk Program)</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-3.0.4"></a>valid chars</h3></div></div></div><p>The <code class="literal">valid</code>
-<a class="indexterm" name="ch08-idx-965969-0"></a> <code class="literal">chars</code> option is an older Samba feature that will add individual characters to a code page. However, this option is being phased out in favor of more modern coding systems. You can use this option as follows:</p><pre class="programlisting">valid chars = Î
-valid chars = 0450:0420 0x0A20:0x0A00
-valid chars = A:a</pre><p>Each of the characters in the list specified should be separated by spaces. If there is a colon between two characters or their numerical equivalents, the data to the left of the colon is considered an uppercase character, while the data to the right is considered the lowercase character. You can represent characters both by literals (if you can type them) and by octal, hexidecimal, or decimal Unicode equivalents.</p><p>We recommend against using this option. Instead, go with one of the standard code pages listed earlier in this section. If you do use this option, however, it must be listed after the <code class="literal">client</code> <code class="literal">code</code> <code class="literal">page</code> to which you wish to add the character. Otherwise, the characters will not be added.<a class="indexterm" name="ch08-idx-965533-0"></a>
-<a class="indexterm" name="ch08-idx-965533-1"></a>
-<a class="indexterm" name="ch08-idx-965533-2"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-82569"></a>WinPopup Messages</h2></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965227-0"></a>
-<a class="indexterm" name="ch08-idx-965227-1"></a>
-<a class="indexterm" name="ch08-idx-965227-2"></a>You can use the WinPopup tool (<code class="filename">WINPOPUP.EXE </code>  ) in Windows to send messages to users, machines, or entire workgroups on the network. This tool is provided with Windows 95 OSR2 and comes standard with Windows 98. With either Windows 95 or 98, however, you need to be running WinPopup to receive and send WinPopup messages. With Windows NT, you can still receive messages without starting such a tool; they will automatically appear in a small dialog box on the screen when received. The WinPopup application is shown in <a href="#ch08-66444" title="Figure 8.1. The WinPopup application">Figure 8.1</a>.</p><div class="figure"><a name="ch08-66444"></a><p class="title"><b>Figure 8.1. The WinPopup application</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 360px"><td><img src="figs/sam.0801.gif" width="502" alt="The WinPopup application"></td></tr></table></div></div></div><br class="figure-break"><p>Samba has a single WinPopup messaging option, <code class="literal">message</code> <code class="literal">command</code>, as shown in <a href="#ch08-18671" title="Table 8.7. WinPopup Configuration Option">Table 8.7</a>.</p><div class="table"><a name="ch08-18671"></a><p class="title"><b>Table 8.7. WinPopup Configuration Option </b></p><div class="table-contents"><table summary="WinPopup Configuration Option " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameter</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">message command</code></p></td><td><p>
-<a class="indexterm" name="ch08-idx-965394-0"></a>
-<a class="indexterm" name="ch08-idx-965394-1"></a>
-<a class="indexterm" name="ch08-idx-965394-2"></a>string (fully-qualified pathname)</p></td><td><p>Sets a command to run on Unix when a WinPopup message is received.</p></td><td><p>None</p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-4.0.1"></a>message command</h3></div></div></div><p>Samba's <code class="literal">message</code>
-<a class="indexterm" name="ch08-idx-965971-0"></a> <code class="literal">command</code> option sets the path to a program that will run on the server when a Windows popup message arrives at the server. The command will be executed using the <code class="literal">guest</code> <code class="literal">account</code> user. What to do with one of these is questionable since it's probably for the Samba administrator, and Samba doesn't know his or her name. If you know there's a human using the console, the Samba team once suggested the following:</p><pre class="programlisting">[global]
-	message command = /bin/csh -c 'xedit %s; rm %s' &amp;</pre><p>Note the use of variables here. The <code class="literal">%s</code> variable will become the file that the message is in. This file should be deleted when the command is finished with it; otherwise, there will be a buildup of pop-up files collecting on the Samba server. In addition, the command must fork its own process (note the &amp; after the command); otherwise the client may suspend and wait for notification that the command was sent successfully before continuing.</p><p>In addition to the standard variables, <a href="#ch08-29758" title="Table 8.8. Message Command Variables">Table 8.8</a> shows the three unique variables that you can use in a <code class="literal">message</code> <code class="literal">command</code>.</p><div class="table"><a name="ch08-29758"></a><p class="title"><b>Table 8.8. Message Command Variables </b></p><div class="table-contents"><table summary="Message Command Variables " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p><code class="literal">%s</code></p></td><td><p>The name of the file in which the message resides</p></td></tr><tr><td><p><code class="literal">%</code>f</p></td><td><p>The name of the client that sent the message</p></td></tr><tr><td><p><code class="literal">%t</code></p></td><td><p>The name of the machine that is the destination of the message</p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-SECT-5"></a>Recently Added Options</h2></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965236-0"></a>Samba has several options that appeared around the time of Samba 2.0, but are not entirely supported. However, we will give you a brief overview of their workings in this section. These options are shown in <a href="#ch08-72538" title="Table 8.9. Recently Added Options">Table 8.9</a>.</p><div class="table"><a name="ch08-72538"></a><p class="title"><b>Table 8.9. Recently Added Options </b></p><div class="table-contents"><table summary="Recently Added Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">change notify timeout</code></p></td><td><p>numerical (number of seconds)</p></td><td><p>Sets the interval between checks when a client asks to wait for a change in a specified directory.</p></td><td><p><code class="literal">60</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">machine password timeout</code></p></td><td><p>numerical (number of seconds)</p></td><td><p>Sets the renewal interval for NT domain machine passwords.</p></td><td><p><code class="literal">604,800</code> (1 week )</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">stat cache</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, Samba will cache recent name mappings.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">stat cache size</code></p></td><td><p>numerical</p></td><td><p>Sets the size of the stat cache.</p></td><td><p><code class="literal">50</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-5.0.1"></a>change notify timeout</h3></div></div></div><p>The <code class="literal">change</code>
-<a class="indexterm" name="ch08-idx-965973-0"></a> <code class="literal">notify</code> <code class="literal">timeout</code> global option emulates a Windows NT SMB feature called <em class="firstterm">change notification</em>
-<a class="indexterm" name="ch08-idx-965415-0"></a>. This allows a client to request that a Windows NT server periodically monitor a specific directory on a share for any changes. If any changes occur, the server will notify the client.</p><p>As of version 2.0, Samba will perform this function for its clients. However, performing these checks too often can slow the server down considerably. This option sets the time period that Samba should wait between such checks. The default is one minute (60 seconds); however, you can use this option to specify an alternate time that Samba should wait between performing checks:</p><pre class="programlisting">[global]
-	change notify timeout = 30</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-5.0.2"></a>machine password timeout</h3></div></div></div><p>The <code class="literal">machine</code>
-<a class="indexterm" name="ch08-idx-965974-0"></a> <code class="literal">password</code> <code class="literal">timeout</code> global option sets a retention period for NT <a class="indexterm" name="ch08-idx-965417-0"></a>
-<a class="indexterm" name="ch08-idx-965417-1"></a>domain machine passwords. The default is currently set to the same time period that Windows NT 4.0 uses: 604,800 seconds (one week). Samba will periodically attempt to change the <em class="firstterm">machine account password</em>, which is a password used specifically by another server to report changes to it. This option specifies the number of seconds that Samba should wait before attempting to change that password. The following example changes it to a single day, by specifying the following:</p><pre class="programlisting">[global]
-	machine password timeout = 86400</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-5.0.3"></a>stat cache</h3></div></div></div><p>The <code class="literal">stat</code>
-<a class="indexterm" name="ch08-idx-965977-0"></a> <code class="literal">cache</code> global option turns on caching of recent case-insensitive name mappings. The default is <code class="literal">yes</code>. The Samba team recommends that you never change this parameter.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-5.0.4"></a>stat cache size</h3></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965418-0"></a>The <code class="literal">stat</code>
-<a class="indexterm" name="ch08-idx-965978-0"></a> <code class="literal">cache</code> <code class="literal">size</code> global option sets the size of the cache entries to be used for the <code class="literal">stat</code> <code class="literal">cache</code> option. The default here is 50. Again, the Samba team recommends that you never change this parameter.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-70923"></a>Miscellaneous Options</h2></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965426-0"></a>
-<a class="indexterm" name="ch08-idx-965426-1"></a>
-<a class="indexterm" name="ch08-idx-965426-2"></a>Many Samba options are present to deal with operating system issues on either  Unix or Windows. The options shown in <a href="#ch08-83566" title="Table 8.10. Miscellaneous Options">Table 8.10</a> deal specifically with some of these known problems. We usually don't change these and we recommend the same to you.</p><div class="table"><a name="ch08-83566"></a><p class="title"><b>Table 8.10. Miscellaneous Options </b></p><div class="table-contents"><table summary="Miscellaneous Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">deadtime</code></p></td><td><p>
-<a class="indexterm" name="ch08-idx-965429-0"></a>numerical (<a class="indexterm" name="ch08-idx-965437-0"></a>number of minutes)</p></td><td><p>Specifies the number of minutes of inactivity before a connection should be terminated.</p></td><td><p><code class="literal">0</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">dfree command</code></p></td><td><p>string (command)</p></td><td><p>Used to provide a command that returns disk free space in a format recognized by Samba.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">fstype</code></p></td><td><p><code class="literal">NTFS</code>, <code class="literal">FAT</code>, or <code class="literal">Samba</code></p></td><td><p>Sets the filesystem type reported by the server to the client.</p></td><td><p><code class="literal">NTFS</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">keep alive</code></p></td><td><p>seconds</p></td><td><p>Sets the number of seconds between checks for an inoperative client.</p></td><td><p>(none)</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max disk size</code></p></td><td><p>numerical (size in MB)</p></td><td><p>Sets the largest disk size to return to a client, some of which have limits. Does not affect actual operations on the disk.</p></td><td><p>(infinity)</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max mux</code></p></td><td><p>numerical</p></td><td><p>Sets the maximum number of simultaneous SMB operations that clients may make.</p></td><td><p><code class="literal">50</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max open files</code></p></td><td><p>numerical</p></td><td><p>Limits number of open files to be below Unix limits.</p></td><td><p><code class="literal">10,000</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">max xmit</code></p></td><td><p>numerical</p></td><td><p>Specifies the maximum packet size that Samba will send.</p></td><td><p><code class="literal">65,535</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">nt pipe support</code></p></td><td><p>boolean</p></td><td><p>Turns off an experimental NT feature, for benchmarking or in case of an error.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">nt smb support</code></p></td><td><p>boolean</p></td><td><p>Turns off an experimental NT feature, for benchmarking or in case of an error.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ole locking compatib-ility</code></p></td><td><p>boolean</p></td><td><p>Remaps out-of-range lock requests used on Windows to fit in allowable range on Unix. Turning it off causes Unix lock errors.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">panic action</code></p></td><td><p>command</p></td><td><p>Program to run if Samba server fails; for debugging.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">set directory</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, allows VMS clients to issue <code class="literal">set</code> <code class="literal">dir</code> commands.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">smbrun</code></p></td><td><p>string (fully-qualified command)</p></td><td><p>Sets the command Samba uses as a wrapper for shell commands.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">status</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, allows Samba to monitor status for <code class="literal">smbstatus</code> command.</p></td><td><p><code class="literal">yes</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">strict sync</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">no</code>, ignores Windows applications requests to perform a sync-to-disk.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">sync always</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, forces all client writes to be committed to disk before returning from the call.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">strip dot</code></p></td><td><p>boolean</p></td><td><p>If <code class="literal">yes</code>, strips trailing dots from Unix filenames.<a class="indexterm" name="ch08-idx-965441-0"></a></p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.1"></a>
-deadtime</h3></div></div></div><a class="indexterm" name="ch08-idx-965979-0"></a><p>This global option sets the number of minutes that Samba will wait for an inactive client before closing its session with the Samba server. A client is considered inactive when it has no open files and there is no data being sent from it. The default value for this option is 0, which means that Samba never closes any connections no matter how long they have been inactive. You can override it as follows:</p><pre class="programlisting">[global]
-	deadtime = 10</pre><p>This tells Samba to terminate any inactive client sessions after 10 minutes. For most networks, setting this option as such will work because reconnections from the client are generally performed transparently to the user.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.2"></a>
-dfree command</h3></div></div></div><a class="indexterm" name="ch08-idx-965980-0"></a><p>
-<a class="indexterm" name="ch08-idx-965466-0"></a>This global option is used on systems that incorrectly determine the free space left on the disk. So far, the only confirmed system that needs this option set is Ultrix. There is no default value for this option, which means that Samba already knows how to compute the free disk space on its own and the results are considered reliable. You can override it as follows:</p><pre class="programlisting">[global]
-	dfree command = /usr/local/bin/dfree</pre><p>This option should point to a script that should return the total disk space in a block, and the number of available blocks. The Samba documentation recommends the following as a usable script:</p><pre class="programlisting">#!/bin/sh
-df $1 | tail -1 | awk '{print $2" "$4}'</pre><p>On System V machines, the following will work:</p><pre class="programlisting">#!/bin/sh
-/usr/bin/df $1 | tail -1 | awk '{print $3" "$5}'</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.3"></a>
-fstype</h3></div></div></div><a class="indexterm" name="ch08-idx-965983-0"></a><p>This share-level option sets the type of <a class="indexterm" name="ch08-idx-965467-0"></a>filesystem that Samba reports when queried by the client. There are three strings that can be used as a value to this configuration option, as listed in <a href="#ch08-80519" title="Table 8.11. Filesystem Types">Table 8.11</a>.</p><div class="table"><a name="ch08-80519"></a><p class="title"><b>Table 8.11. Filesystem Types </b></p><div class="table-contents"><table summary="Filesystem Types " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Variable</p></th><th><p>Definition</p></th></tr></thead><tbody><tr><td><p>NTFS</p></td><td><p>
-<a class="indexterm" name="ch08-idx-965468-0"></a>Microsoft Windows NT filesystem</p></td></tr><tr><td><p>FAT</p></td><td><p>DOS FAT filesystem</p></td></tr><tr><td><p>Samba</p></td><td><p>Samba filesystem</p></td></tr></tbody></table></div></div><br class="table-break"><p>The default value for this option is <code class="literal">NTFS</code>, which represents a Windows NT filesystem. There probably isn't a need to specify any other type of filesystem. However, if you need to, you can override it per share as follows:</p><pre class="programlisting">[data]
-	fstype = FAT</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.4"></a>keep alive</h3></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965469-0"></a>This global option specifies the number of seconds that Samba waits between sending NetBIOS <span class="emphasis"><em>keep-alive packets</em></span>. These packets are used to ping a client to detect whether it is still alive and on the network. The default value for this option is <code class="literal">0</code>, which means that Samba will not send any such packets at all. You can override it as follows:</p><pre class="programlisting">[global]
-	keep alive = 10</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.5"></a>
-max disk size</h3></div></div></div><a class="indexterm" name="ch08-idx-965985-0"></a><p>
-<a class="indexterm" name="ch08-idx-965470-0"></a>This global option specifies an illusory limit, in megabytes, for each of the shares that Samba is using. You would typically set this option to prevent clients with older operating systems from incorrectly processing large disk spaces, such as those over one gigabyte.</p><p>The default value for this option is <code class="literal">0</code>, which means there is no upper limit at all. You can override it as follows:</p><pre class="programlisting">[global]
-	max disk size = 1000</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.6"></a>
-max mux</h3></div></div></div><a class="indexterm" name="ch08-idx-965986-0"></a><p>
-<a class="indexterm" name="ch08-idx-965471-0"></a>This global option specifies the maximum number of concurrent SMB operations that Samba allows. The default value for this option is <code class="literal">50</code>. You can override it as follows:</p><pre class="programlisting">[global]
-	max mux = 100</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.7"></a>
-max open files</h3></div></div></div><a class="indexterm" name="ch08-idx-965987-0"></a><p>
-<a class="indexterm" name="ch08-idx-965478-0"></a>This global option specifies the maximum number of open files that Samba should allow at any given time for all processes. This value must be equal to or less than the amount allowed by the operating system, which varies from system to system. The default value for this option is <code class="literal">10,000</code>. You can override it as follows:</p><pre class="programlisting">[global]
-	max open files = 8000</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.8"></a>
-max xmit</h3></div></div></div><a class="indexterm" name="ch08-idx-965988-0"></a><p>
-<a class="indexterm" name="ch08-idx-965482-0"></a>This global option sets the maximum size of packets that Samba exchanges with a client. In some cases, setting a smaller maximum packet size can increase performance, especially with Windows for Workgroups. The default value for this option is <code class="literal">65535</code>. You can override it as follows:</p><pre class="programlisting">[global]
-	max xmit = 4096</pre><p><a href="#appb-19919" title="The TCP receive window">Section 2.2.2.6</a> in <a href="#SAMBA-AP-B" title="Appendix B. Samba Performance Tuning">Appendix B</a>," shows some uses for this option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.9"></a>
-nt pipe support</h3></div></div></div><a class="indexterm" name="ch08-idx-965989-0"></a><p>
-<a class="indexterm" name="ch08-idx-965483-0"></a>This global option is used by developers to allow or disallow Windows NT clients the ability to make connections to the NT SMB-specific IPC$ pipes. As a user, you should never need to override the default:</p><pre class="programlisting">[global]
-	nt pipe support = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.10"></a>
-nt smb support</h3></div></div></div><a class="indexterm" name="ch08-idx-965990-0"></a><p>
-<a class="indexterm" name="ch08-idx-965484-0"></a>
-<a class="indexterm" name="ch08-idx-965484-1"></a>This global option is used by developers to negotiate NT-specific SMB options with Windows NT clients. The Samba team has discovered that slightly better performance comes from setting this value to <code class="literal">no</code>. However, as a user, you should probably not override the default:</p><pre class="programlisting">[global]
-	nt smb support = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.11"></a>
-ole locking compatibility</h3></div></div></div><a class="indexterm" name="ch08-idx-965991-0"></a><p>This global option turns off Samba's internal byte-range locking manipulation in files, which gives compatibility with Object Linking and Embedding (OLE) applications that use high byte-range locks as a method of interprocess communication. The default value for this option is <code class="literal">yes</code>. If you trust your Unix locking mechanisms, you can override it as follows:</p><pre class="programlisting">[global]
-	ole locking compatibility = no</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.12"></a>
-panic action</h3></div></div></div><a class="indexterm" name="ch08-idx-965992-0"></a><p>
-<a class="indexterm" name="ch08-idx-965492-0"></a>This global option specifies a command to execute in the event that Samba itself encounters a fatal error when loading or running. There is no default value for this option. You can specify an action as follows:</p><pre class="programlisting">[global]
-	panic action = /bin/csh -c
-          'xedit &lt; "Samba has shutdown unexpectedly!'</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.13"></a>
-set directory</h3></div></div></div><a class="indexterm" name="ch08-idx-965993-0"></a><p>This boolean share-level option allows <a class="indexterm" name="ch08-idx-965497-0"></a>Digital Pathworks clients to use the <code class="literal">setdir</code> command to change directories on the server. If you are not using the Digital Pathworks client, you should not need to alter this option. The default value for this option is <code class="literal">no</code>. You can override it per share as follows:</p><pre class="programlisting">[data]
-	set directory = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.14"></a>
-smbrun</h3></div></div></div><a class="indexterm" name="ch08-idx-965994-0"></a><p>This option sets the location of the <span class="emphasis"><em>smbrun</em></span> executable, which Samba uses as a wrapper to run shell commands. The default value for this option is automatically configured by Samba when it is compiled. If you did not install Samba to the standard directory, you can specify where the binary is as follows:</p><pre class="programlisting">[global]
-	smbrun = /usr/local/bin/smbrun</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.15"></a>
-status</h3></div></div></div><a class="indexterm" name="ch08-idx-965995-0"></a><p>This global option indicates whether Samba should log all <a class="indexterm" name="ch08-idx-965499-0"></a>
-<a class="indexterm" name="ch08-idx-965499-1"></a>active connections to   a status file. This file is used only by the <span class="emphasis"><em>smbstatus</em></span> command. If you have no intentions of using this command, you can set this option to <code class="literal">no</code>, which can result in a small increase of speed on the server. The default value for this option is <code class="literal">yes</code>. You can override it as follows:</p><pre class="programlisting">[global]
-	status = no</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.16"></a>
-strict sync</h3></div></div></div><a class="indexterm" name="ch08-idx-965996-0"></a><p>This share-level option determines whether Samba honors all requests to perform a <a class="indexterm" name="ch08-idx-965500-0"></a>disk sync when requested to do so by a client. Many clients request a disk sync when they are really just trying to flush data to their own open files. As a result, this can substantially slow a Samba server down. The default value for this option is <code class="literal">no</code>. You can override it as follows:</p><pre class="programlisting">[data]
-	strict sync = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.17"></a>
-sync always</h3></div></div></div><a class="indexterm" name="ch08-idx-965997-0"></a><p>This share-level option decides whether every write to disk should be followed by a disk synchronization before the write call returns control to the client. Even if the value of this option is <code class="literal">no</code>, clients can request a disk synchronization; see the <code class="literal">strict</code> <code class="literal">sync</code> option above. The default value for this option is <code class="literal">no</code>. You can override it per share as follows:</p><pre class="programlisting">[data]
-	sync always = yes</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch08-SECT-6.0.18"></a>
-strip dot</h3></div></div></div><a class="indexterm" name="ch08-idx-965998-0"></a><p>This global option determines whether to remove the <a class="indexterm" name="ch08-idx-965502-0"></a>
-<a class="indexterm" name="ch08-idx-965502-1"></a>
-<a class="indexterm" name="ch08-idx-965502-2"></a>trailing dot from Unix filenames that are formatted with a dot at the end. The default value for this option is <code class="literal">no</code>. You can override it per share as follows:</p><pre class="programlisting">[global]
-	strip dot = yes</pre><p>This option is now considered obsolete; the user should use the <code class="literal">mangled</code> <code class="literal">map</code> option insead.<a class="indexterm" name="ch08-idx-965454-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch08-74829"></a>Backups with smbtar</h2></div></div></div><p>
-<a class="indexterm" name="ch08-idx-965244-0"></a>
-<a class="indexterm" name="ch08-idx-965244-1"></a>Our final topic in this chapter is the <code class="filename">smbtar</code> tool. One common problem with modem PCs is that floppies and even CD-ROMs are often too small to use for backups. However, buying one tape drive per machine would also be silly. Consequently, many sites don't back up their PCs at all. Instead, they reinstall them using floppy disks and CD-ROMs when they fail.</p><p>Thankfully, Samba provides us with another option: you can back up PCs' data using the <code class="filename">smbtar</code> tool. This can be done on a regular basis if you keep user data on your Samba system, or only occasionally, to save the local applications and configuration files and thus make repairs and reinstallations quicker.</p><p>To back up PCs from a <a class="indexterm" name="ch08-idx-965519-0"></a>Unix server, you need to do three things:</p><div class="orderedlist"><ol type="1"><li><p>Ensure that File and Printer Sharing is installed on the PC and is bound to the TCP/IP protocol.</p></li><li><p>Explicitly share a disk on the PC so it can be read from the server.</p></li><li><p>Set up the backup scripts on the server.</p></li></ol></div><p>We'll use Windows 95/98 to illustrate the first two steps. Go to the Networking icon in the Control Panel window, and check that <a class="indexterm" name="ch08-idx-965520-0"></a>File and Printer Sharing for Microsoft Networks is currently listed in the top window, as shown in <a href="#ch08-18303" title="Figure 8.2. The Networking window">Figure 8.2</a>.</p><div class="figure"><a name="ch08-18303"></a><p class="title"><b>Figure 8.2. The Networking window</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 368px"><td><img src="figs/sam.0802.gif" width="502" alt="The Networking window"></td></tr></table></div></div></div><br class="figure-break"><p>If "File and printer sharing for Microsoft Networks" isn't installed, you can install it  by clicking on the Add button on the Network panel. After pressing it, you will be asked what service to add. Select Service and move forward, and you will be asked for a vendor and a service to install. Finally, select "File and printer sharing for Microsoft Networks," and click on Done to install the service.</p><p>Once you've installed "File and printer sharing for Microsoft Networks," return to the Network panel and select the TCP/IP protocol that is tied to your Samba network adapter. Then, click on the Properties button and choose the Bindings tab at the top. You should see a dialog box similar to <a href="#ch08-41042" title="Figure 8.3. TCP/IP Bindings">Figure 8.3</a>. Here, you'll need to verify that the "File and Printer Sharing" checkbox is checked, giving it access to TCP/IP. At this point you can share disks with other machines on the net.</p><div class="figure"><a name="ch08-41042"></a><p class="title"><b>Figure 8.3. TCP/IP Bindings</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 248px"><td><img src="figs/sam.0803.gif" height="248" alt="TCP/IP Bindings"></td></tr></table></div></div></div><br class="figure-break"><p>The next step is to share the disk you want to back up with the tape server. Go to My Computer and select, for example, the My Documents directory. Then right-click on the icon and select its Properties. This should yield the dialog box in <a href="#ch08-64918" title="Figure 8.4. My Documents Properties">Figure 8.4</a>.</p><div class="figure"><a name="ch08-64918"></a><p class="title"><b>Figure 8.4. My Documents Properties</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 352px"><td><img src="figs/sam.0804.gif" width="502" alt="My Documents Properties"></td></tr></table></div></div></div><br class="figure-break"><p>Select the Sharing tab and turn file sharing on. You now have the choice to share the disk as read-only, read-write (Full), or either, each with separate password. This is the Windows 95/98 version, so it provides only share-level security. In this example, we made it read/write and set a password, as shown in <a href="#ch08-29192" title="Figure 8.5. MyFiles Properties as shared">Figure 8.5</a>. When you enter the password and click on OK, you'll be prompted to re-enter it. After that, you have finished the second step.</p><div class="figure"><a name="ch08-29192"></a><p class="title"><b>Figure 8.5. MyFiles Properties as shared</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 374px"><td><img src="figs/sam.0805.gif" width="502" alt="MyFiles Properties as shared"></td></tr></table></div></div></div><br class="figure-break"><p>Finally, the last step is to set up a backup script on the tape server, using the <code class="filename">smbtar</code> program. The simplest script might contain only a single line and would be something like the following:</p><pre class="programlisting">smbtar -s client -t /dev/rst0 -x "My Documents" -p <em class="replaceable"><code>password</code></em></pre><p>This unconditionally backs up the <span class="emphasis"><em>//client/My Documents</em></span> share to the device <code class="filename">/dev/rst0</code>. Of course, this is excessively simple and quite insecure. What you will want to do will depend on your existing backup scheme.</p><p>However, to whet your appetite, here are some possibilities of what <code class="filename">smbtar</code> can do:</p><div class="itemizedlist"><ul type="disc"><li><p>Back up files incrementally using the DOS archive bit (the <code class="literal">-i</code> option). This requires the client share to be accessed read-write so the bit can be cleared by <code class="filename">smbtar</code></p></li><li><p>Back up only files that have changed since a specified date (using the <code class="literal">-N</code> <em class="replaceable"><code>filename </code></em>option)</p></li><li><p>Back up entire PC drives, by sharing all of C: or D:, for example, and backing that up</p></li></ul></div><p>Except for the first example, each of these can be done with the PC sharing set to read-only, reducing the security risk of having passwords in scripts and passing them on the command line.<a class="indexterm" name="ch08-idx-965514-0"></a>
-<a class="indexterm" name="ch08-idx-965514-1"></a></p></div></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-CH-9"></a>Chapter 9. Troubleshooting Samba</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#ch09-36385">9.1. The Tool Bag</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-1.1">9.1.1. Samba Logs</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-1.2">9.1.2. Samba Test Utilities</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-1.3">9.1.3. Unix Utilities</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch09-29538">9.2. The Fault Tree</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-2.1">9.2.1. How to use the fault tree</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.2">9.2.2. Troubleshooting Low-level IP </a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.3">9.2.3. Troubleshooting TCP</a></span></dt><dt><span class="sect2"><a href="#ch09-88968">9.2.4. Troubleshooting Server Daemons</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.5">9.2.5. Troubleshooting SMB Connections</a></span></dt><dt><span class="sect2"><a href="#ch09-23573">9.2.6. Troubleshooting Browsing </a></span></dt><dt><span class="sect2"><a href="#ch09-21713">9.2.7. Other Things that Fail </a></span></dt><dt><span class="sect2"><a href="#ch09-23768">9.2.8. Troubleshooting Name Services</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-2.9">9.2.9. Troubleshooting Network Addresses</a></span></dt><dt><span class="sect2"><a href="#ch09-35552">9.2.10. Troubleshooting NetBIOS Names</a></span></dt></dl></dd><dt><span class="sect1"><a href="#ch09-49719">9.3. Extra Resources</a></span></dt><dd><dl><dt><span class="sect2"><a href="#ch09-SECT-3.1">9.3.1. Documentation and FAQs</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.2">9.3.2. Samba Newsgroups</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.3">9.3.3. Samba Mailing Lists</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.4">9.3.4. Samba Discussion Archives</a></span></dt><dt><span class="sect2"><a href="#ch09-SECT-3.5">9.3.5. Further Reading</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="ch09-idx-953453-0"></a>Samba is extremely robust. Once you've got everything set up the way you want, you'll probably forget that it is running. When trouble occurs, it's typically during installation or when you're trying to add something new to the server. Fortunately, there are a wide variety of resources that you can use to diagnose these troubles. While we can't describe in detail the solution to every problem that you might encounter, you should be able to get a good start at a resolution by following the advice given in this chapter.</p><p>The first section of the chapter lists the tool bag, a collection of tools available for troubleshooting Samba; the second section is a detailed how-to, and the last section lists extra resources you may need to track down particularly stubborn problems.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch09-36385"></a>The Tool Bag</h2></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953455-0"></a>Sometimes Unix seems to be made up of a handful of applications and tools. There are tools to troubleshoot tools. And of course, there are several ways to accomplish the same task. When you are trying to solve a problem related to Samba, a good plan of attack is to check the following:</p><div class="orderedlist"><ol type="1"><li><p>Samba logs</p></li><li><p>Fault tree</p></li><li><p>Unix utilities</p></li><li><p>Samba test utilities</p></li><li><p>Documentation and FAQs</p></li><li><p>Searchable archives</p></li><li><p>Samba newsgroups</p></li></ol></div><p>Let's go over each of these one by one in the following sections.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-1.1"></a>Samba Logs</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953456-0"></a>Your first line of attack should always be to check the log files. The Samba log files can help diagnose the vast majority of the problems that beginning to intermediate Samba administrators are likely to face. Samba is quite flexible when it comes to logging. You can set up the server to log as little or as much as you want. Substitution variables that allow you to isolate individual logs for each machine, share, or combination thereof.</p><p>By default, logs are placed in <em class="replaceable"><code>samba_directory</code></em><span class="emphasis"><em>/var/smbd.log</em></span> and <em class="replaceable"><code>samba_directory</code></em><span class="emphasis"><em>/var/nmbd.log</em></span>, where <code class="literal">samba_directory</code> is the location where Samba was installed (typically, <code class="filename">/usr/local/samba</code>). As we mentioned in <a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, you can override the location and name using the <code class="literal">log</code> <code class="literal">file</code> configuration option in <code class="filename">smb.conf</code>. This option accepts all of the substitution variables mentioned in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>, so you could easily have the server keep a separate log for each connecting client by specifying the following in the <code class="literal">[global]</code> section of <code class="filename">smb.conf </code>:</p><pre class="programlisting">log file = %m.log</pre><p>Alternatively, you can specify a log directory to use with the <code class="literal">-l</code> flag on the command line. For example:</p><pre class="programlisting">smbd -l /usr/local/var/samba</pre><p>Another useful trick is to have the server keep a log for each service (share) that is offered, especially if you suspect a particular share is causing trouble. Use the <code class="literal">%S</code> variable to set this up in the <code class="literal">[global]</code> section of the configuration file:</p><pre class="programlisting">log file = %S.log</pre><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-28969"></a>Log levels</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953457-0"></a>The level of logging that Samba uses can be set in the <code class="filename">smb.conf</code> file using the global <code class="literal">log</code>
-<a class="indexterm" name="ch09-idx-954135-0"></a>
-<a class="indexterm" name="ch09-idx-954135-1"></a> <code class="literal">level</code> or <code class="literal">debug</code> <code class="literal">level</code> option; they are equivalent. The logging level is an integer which ranges from 0 (no logging), and increases the logging to voluminous by <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">3</code>. For example, let's assume that we are going to use a Windows client to browse a directory on a Samba server. For a small amount of log information, you can use <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">1</code>, which instructs Samba to show only cursory information, in this case only the connection itself:</p><pre class="programlisting">105/25/98 22:02:11 server (192.168.236.86) connect to service public as user pcguest (uid=503,gid=100) (pid 3377)</pre><p>Higher debug levels produce more detailed information. Usually you won't need any more than level 3; this is more than adequate for most Samba administrators. Levels above 3 are for use by the developers and dump enormous amounts of cryptic information.</p><p>Here is example output at levels 2 and 3 for the same operation. Don't worry if you don't understand the intricacies of an SMB connection; the point is simply to show you what types of information are shown at the different logging levels:</p><pre class="programlisting">/* Level 2 */
-Got SIGHUP
-Processing section "[homes]"
-Processing section "[public]"
-Processing section "[temp]"
-Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
-Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/
-
-
-/* Level 3 */
-05/25/98 22:15:09 Transaction 63 of length 67
-switch message SMBtconX (pid 3377)
-Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
-ACCEPTED: guest account and guest ok
-found free connection number 105
-Connect path is /tmp
-chdir to /tmp
-chdir to /
-05/25/98 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest (uid=503,gid=100) (pid 3377)
-05/25/98 22:15:09 tconX service=ipc$ user=pcguest cnum=105
-05/25/98 22:15:09 Transaction 64 of length 99
-switch message SMBtrans (pid 3377)
-chdir to /tmp
-trans &lt;\PIPE\LANMAN&gt; data=0 params=19 setup=0
-Got API command 0 of form &lt;WrLeh&gt; &lt;B13BWz&gt; (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
-Doing RNetShareEnum
-RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
-05/25/98 22:15:11 Transaction 65 of length 99
-switch message SMBtrans (pid 3377)
-chdir to /
-chdir to /tmp
-trans &lt;\PIPE\LANMAN&gt; data=0 params=19 setup=0
-Got API command 0 of form &lt;WrLeh&gt; &lt;B13BWz&gt; (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
-Doing RNetShareEnum
-RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
-05/25/98 22:15:11 Transaction 66 of length 95
-switch message SMBtrans2 (pid 3377)
-chdir to /
-chdir to /pcdisk/public
-call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end = 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432
-unix_clean_name [./DESKTOP.INI]
-unix_clean_name [desktop.ini]
-unix_clean_name [./]
-creating new dirptr 1 for path ./, expect_close = 1
-05/25/98 22:15:11 Transaction 67 of length 53
-switch message SMBgetatr (pid 3377)
-chdir to /
-
-[...]</pre><p>We cut off this listing after the first packet because it runs on for many pages. However, you should be aware that log levels above 3 will quickly fill your disk with megabytes of excruciating detail concerning Samba internal operations. Log level 3 is extremely useful for following exactly what the server is doing, and most of the time it will be obvious where an error is occurring by glancing through the log file.</p><p>A word of warning: using a high log level (3 or above) will <span class="emphasis"><em>seriously</em></span> slow down the Samba server. Remember that every log message generated causes a write to disk (an inherently slow operation) and log levels greater than 2 produce massive amounts of data. Essentially, you should turn on logging level 3 only when you're actively tracking a problem in the Samba server.<a class="indexterm" name="ch09-idx-953461-0"></a></p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-1.1.2"></a>Activating and deactivating logging</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953474-0"></a>To turn logging on and off, set the appropriate level in the <code class="literal">[global]</code> section of <code class="filename">smb.conf</code>. Then, you can either restart Samba, or force the current daemon to reprocess the configuration file. You also can send the <span class="emphasis"><em>smbd</em></span> process a SIGUSR1 signal to increase its log level by one while it's running, and a SIGUSR2 signal to decrease it by one:</p><pre class="programlisting"># Increase the logging level by 1
-kill -SIGUSR1 1234
-
-# Decrease the logging level by 1
-kill -SIGUSR2 1234</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-34448"></a>Logging by individual client machines or users</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953475-0"></a>
-<a class="indexterm" name="ch09-idx-953475-1"></a>An effective way to diagnose problems without hampering other users is to assign different log levels for different machines in <code class="literal">[global]</code> section of the <code class="filename">smb.conf</code> file. We can do this by building on the strategy we presented earlier:</p><pre class="programlisting">[global]
-	log level = 0
-	log file = /usr/local/samba/lib/log.%m
-	include = /usr/local/samba/lib/smb.conf.%m</pre><p>These options instruct Samba to use unique configuration and log files for each client that connects. Now all you have to do is create an <code class="filename">smb.conf</code>
-<a class="indexterm" name="ch09-idx-953477-0"></a> file for a specific client machine with a <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">3</code> entry in it (the others will pick up the default log level of 0) and use that log file to track down the problem.</p><p>Similarly, if only particular users are experiencing a problem, and it travels from machine to machine with them, you can isolate logging to a specific user by adding the following to the <code class="filename">smb.conf</code> file:</p><pre class="programlisting">[global]
-	log level = 0
-	log file = /usr/local/samba/lib/log.%u
-	include = /usr/local/samba/lib/smb.conf.%u</pre><p>Then you can create a unique <code class="filename">smb.conf</code> file for each user (e.g., <code class="filename">/usr/local/samba/lib/smb.conf.tim</code>) files containing the configuration option <code class="literal">log</code> <code class="literal">level</code> <code class="literal">=</code> <code class="literal">3</code> and only those users will get more detailed logging.<a class="indexterm" name="ch09-idx-953469-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-1.2"></a>Samba Test Utilities</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953478-0"></a>
-<a class="indexterm" name="ch09-idx-953478-1"></a>A rigorous set of tests that exercise the major parts of Samba are described in various files in the <span class="emphasis"><em>/docs/textdocs</em></span>
-<a class="indexterm" name="ch09-idx-953497-0"></a> directory of the Samba distribution kit, starting with <span class="emphasis"><em>DIAGNOSIS.TXT.</em></span> The fault tree in this chapter is a more detailed version of the basic tests suggested by the Samba team, but covers only installation and reconfiguration diagnosis, like <span class="emphasis"><em>DIAGNOSIS.TXT.</em></span> The other files in the <span class="emphasis"><em>/docs</em></span> subdirectoryies address specific problems (such as Windows NT clients) and instruct you how to troubleshoot items not included in this book. If the fault tree doesn't suffice, be sure to look at <span class="emphasis"><em>DIAGNOSIS.TXT</em></span> and its friends.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-1.3"></a>Unix Utilities</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953505-0"></a>Sometimes it's useful to use a tool outside of the Samba suite to examine what's happening inside the server. Unix has always been a "kitchen-sink" operating system. Two diagnostic tools can be of particular help in debugging Samba troubles: <span class="emphasis"><em>trace</em></span> and <span class="emphasis"><em>tcpdump</em></span>.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-1.3.1"></a>Using trace</h4></div></div></div><a class="indexterm" name="ch09-idx-953506-0"></a><p>The <span class="emphasis"><em>trace</em></span> command masquerades under several different names, depending on the operating system that you are using. On Linux it will be <span class="emphasis"><em>strace</em></span>, on Solaris you'll use <span class="emphasis"><em>truss</em></span>, and SGI will have <span class="emphasis"><em>padc</em></span> and <span class="emphasis"><em>par</em></span>. All have essentially the same function, which is to display each operating system function call as it is executed. This allows you to follow the execution of a program, such as the Samba server, and will often pinpoint the exact call that is causing the difficulty.</p><p>One problem that <span class="emphasis"><em>trace</em></span> can highlight is the location of an incorrect version of a dynamically linked library. This can happen if you've downloaded prebuilt binaries of Samba. You'll typically see the offending call at the end of the <span class="emphasis"><em>trace</em></span>, just before the program terminates.</p><p>A sample <code class="literal">strace</code> output for the Linux operating system follows. This is a small section of a larger file created during the opening of a directory on the Samba server. Each line is a system-call name, and includes its parameters and the return value. If there was an error, the error value (e.g., <code class="literal">ENOENT</code>) and its explanation are also shown. You can look up the parameter types and the errors that can occur in the appropriate <code class="literal">trace</code> manual page for the operating system that you are using.</p><pre class="programlisting">chdir("/pcdisk/public")                 = 0
-stat("mini/desktop.ini", 0xbffff7ec)    = -1 ENOENT (No such file or directory)
-stat("mini", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
-stat("mini/desktop.ini", 0xbffff7ec)    = -1 ENOENT (No such file or directory)
-open("mini", O_RDONLY)                  = 5
-fcntl(5, F_SETFD, FD_CLOEXEC)           = 0
-fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
-lseek(5, 0, SEEK_CUR)                   = 0
-SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196
-lseek(5, 0, SEEK_CUR)                   = 1024
-SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0
-close(5)                                = 0
-stat("mini/desktop.ini", 0xbffff86c)    = -1 ENOENT (No such file or directory)
-write(3, "\0\0\0#\377SMB\10\1\0\2\0\200\1\0"..., 39) = 39
-SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1
-read(3, "\0\0\0?", 4)                   = 4
-read(3, "\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0"..., 63) = 63
-time(NULL)                              = 896143871</pre><p>This example shows several <code class="literal">stat</code> calls failing to find the files they were expecting. You don't have to be a expert to see that the file <span class="emphasis"><em>desktop.ini</em></span> is missing from that directory. In fact, many difficult problems can be identified by looking for obvious, repeatable errors with <span class="emphasis"><em>trace</em></span>. Often, you need not look farther than the last message before a crash.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-1.3.2"></a>Using tcpdump</h4></div></div></div><p>The <span class="emphasis"><em>tcpdump</em></span>
-<a class="indexterm" name="ch09-idx-953802-0"></a> program, written by <a class="indexterm" name="ch09-idx-953803-0"></a>
-<a class="indexterm" name="ch09-idx-953803-1"></a>
-<a class="indexterm" name="ch09-idx-953803-2"></a>
-<a class="indexterm" name="ch09-idx-953803-3"></a>Van Jacobson, Craig Leres, and Steven McCanne, and extended by Andrew Tridgell, allows you to monitor network traffic in real time. A variety of output formats are available and you can filter the output to look at only a particular type of traffic. The <span class="emphasis"><em>tcpdump</em></span> program lets you examine all conversations between client and server, including SMB and NMB <a class="indexterm" name="ch09-idx-953805-0"></a>broadcast messages. While its troubleshooting capabilities lie mainly at the OSI network layer, you can still use its output to get a general idea of what the server and client are attempting to accomplish.</p><p>A sample <span class="emphasis"><em>tcpdump</em></span> log follows. In this instance, the client has requested a directory listing and the server has responded appropriately, giving the directory names <code class="literal">homes</code>, <code class="literal">public</code>, <code class="literal">IPC$</code>, and <code class="literal">temp</code> (we've added a few explanations on the right):</p><pre class="programlisting">$<strong class="userinput"><code>tcpdump -v -s 255 -i eth0 port not telnet</code></strong>
-SMB PACKET: SMBtrans (REQUEST)	                      <em class="replaceable"><code>Request packet</code></em>
-SMB Command   =  0x25                                 <em class="replaceable"><code>Request was ls or dir</code></em>.
-
-[000] 01 00 00 10                                     ....
-
-
-&gt;&gt;&gt; NBT Packet
-<em class="replaceable"><code>Outer frame of SMB packe</code></em>t
-NBT Session Packet
-Flags=0x0
-Length=226
-[lines skipped]
-                         
-SMB PACKET: SMBtrans (REPLY)                          <em class="replaceable"><code>Beginning of a reply to  request </code></em>
-SMB Command   =  0x25			              <em class="replaceable"><code>Command was an ls or dir</code></em>
-Error class   =  0x0			 
-Error code    =  0                       
-<em class="replaceable"><code>No errors</code></em>
-Flags1        =  0x80
-Flags2        =  0x1
-Tree ID       =  105
-Proc ID       =  6075
-UID           =  100
-MID           =  30337
-Word Count    =  10
-TotParamCnt=8 
-TotDataCnt=163 
-Res1=0
-ParamCnt=8 
-ParamOff=55 
-Res2=0 
-DataCnt=163 
-DataOff=63 
-Res3=0
-Lsetup=0
-Param Data: (8 bytes)
-[000] 00 00 00 00 05 00 05 00                           ........ 
-
-Data Data: (135 bytes)                                                       
-<em class="replaceable"><code>Actual directory contents:</code></em>
-[000] 68 6F 6D 65 73 00 00 00  00 00 00 00 00 00 00 00  homes... ........
-[010] 64 00 00 00 70 75 62 6C  69 63 00 00 00 00 00 00  d...publ ic......
-[020] 00 00 00 00 75 00 00 00  74 65 6D 70 00 00 00 00  ....u... temp....
-[030] 00 00 00 00 00 00 00 00  76 00 00 00 49 50 43 24  ........ v...IPC$
-[040] 00 00 00 00 00 00 00 00  00 00 03 00 77 00 00 00  ........ ....w...
-[050] 64 6F 6E 68 61 6D 00 00  00 00 00 00 00 00 00 00  donham.. ........
-[060] 92 00 00 00 48 6F 6D 65  20 44 69 72 65 63 74 6F  ....Home  Directo
-[070] 72 69 65 73 00 00 00 49  50 43 20 53 65 72 76 69  ries...I PC Servi
-[080] 63 65 20 28 53 61 6D                              ce (Sam</pre><p>This is more of the same debugging session as with the <span class="emphasis"><em>trace</em></span> command; the listing of a directory. The options we used were <code class="literal">-v</code> (verbose), <code class="literal">-i</code> <code class="literal">eth0</code> to tell <span class="emphasis"><em>tcpdump</em></span> the interface to listen on (an Ethernet port), and <code class="literal">-s</code> <code class="literal">255</code> to tell it to save the first 255 bytes of each packet instead of the default: the first 68. The option <code class="literal">port</code>
-<a class="indexterm" name="ch09-idx-954174-0"></a> <code class="literal">not</code> <code class="literal">telnet</code> is used to avoid screens of telnet traffic, since we were logged in to the server remotely. The <span class="emphasis"><em>tcpdump</em></span> program actually has quite a number of options to filter just the traffic you want to look at. If you've used <span class="emphasis"><em>snoop</em></span> or <span class="emphasis"><em>etherdump</em></span>, they'll look vaguely familiar.</p><p>You can download the modified <span class="emphasis"><em>tcpdump</em></span>
-<a class="indexterm" name="ch09-idx-953518-0"></a> from the Samba FTP server at <code class="systemitem">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</code>. Other versions don't include support for the SMB protocol; if you don't see output such as that shown in the example, you'll need to<span class="emphasis"><em></em></span>
-<a class="indexterm" name="ch09-idx-953513-0"></a> use the SMB-enabled version.<a class="indexterm" name="ch09-idx-953481-0"></a>
-<a class="indexterm" name="ch09-idx-953481-1"></a></p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch09-29538"></a>The Fault Tree</h2></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953543-0"></a>
-<a class="indexterm" name="ch09-idx-953543-1"></a>The fault tree is for diagnosing and fixing problems that occur when you're installing and reconfiguring Samba. It's an expanded form of a trouble and diagnostic document that is part of the Samba distribution.</p><p>
-<a class="indexterm" name="ch09-idx-953548-0"></a>Before you set out to troubleshoot any part of the Samba suite, you should know the following information:</p><div class="itemizedlist"><ul type="disc"><li><p> Your client IP address (we use 192.168.236.10)</p></li><li><p> Your server IP address (we use 192.168.236.86)</p></li><li><p> The netmask for your network (typically 255.255.255.0)</p></li><li><p> Whether the machines are all on the same subnet (ours are)</p></li></ul></div><p>For clarity, we've renamed the server in the following examples to <span class="emphasis"><em>server.example.com</em></span>, and the client machine to <span class="emphasis"><em>client.example.com</em></span>.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.1"></a>How to use the fault tree</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953549-0"></a>Start the tests here, without skipping forward; it won't take long (about five minutes) and may actually save you time backtracking. Whenever a test succeeds, you will be given a section name and page number to which you can safely skip.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.2"></a>Troubleshooting Low-level IP </h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953556-0"></a>The first series of tests is that of the low-level services that Samba needs in order to run. The tests in this section will verify that:</p><div class="itemizedlist"><ul type="disc"><li><p> The IP software works</p></li><li><p> The Ethernet hardware works</p></li><li><p> Basic name service is in place</p></li></ul></div><p>Subsequent sections will add TCP software, the Samba daemons <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span>, host-based access control, authentication and per-user access control, file services, and browsing. The tests are described in considerable detail in order to make them understandable by both technically oriented end users and experienced systems and network administrators.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.2.1"></a>Testing the networking software with ping </h4></div></div></div><p>The first command to enter on both the server and the client is <code class="literal">ping 127.0.0.1</code>. This is the <em class="firstterm">loopback</em> <span class="emphasis"><em>address</em></span> and testing it will indicate whether any networking support is functioning at all. On Unix, you can use <code class="literal">ping</code> <code class="literal">127.0.0.1</code> with the statistics option and interrupt it after a few lines. On Sun workstations, the command is typically <code class="literal">/usr/etc/ping</code> <code class="literal">-s</code> <code class="literal">127.0.0.1</code>; on Linux, just <code class="literal">ping</code> <code class="literal">127.0.0.1</code>. On Windows clients, run <code class="literal">ping</code> <code class="literal">127.0.0.1</code> in an MS-DOS window and it will stop by itself after four lines.</p><p>Here is an example on a Linux server:</p><pre class="programlisting">server% <span class="bold"><strong>ping 127.0.0.1</strong></span> 
-PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): 
-icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1): 
-icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): 
-icmp-seq=2. time=1. ms ^C 
-----127.0.0.1 PING Statistics---- 
-3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)  
-min/avg/max = 0/0/1</pre><p>If you get "ping: no answer from..." or "100% packet loss," you have no IP networking at all installed on the machine. The address <code class="literal">127.0.0.1</code> is the internal loopback address and doesn't depend on the computer being physically connected to a network. If this test fails, you have a serious local problem. TCP/IP either isn't installed or is seriously misconfigured. See your operating system documentation if it is a Unix server. If it is a Windows client, follow the instructions in <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a>, to install networking support.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If <span class="emphasis"><em>you're</em></span> the network manager, some good references are Craig Hunt's <span class="emphasis"><em>TCP/IP Network Administration</em></span>, Chapter 11, and Craig Hunt &amp; Robert Bruce Thompson's new book, <span class="emphasis"><em>Windows NT TCP/IP Network Administration,</em></span> both published by O'Reilly.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-20350"></a>Testing local name services with ping </h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953658-0"></a>Next, try to ping <code class="literal">localhost</code> on the Samba server. <code class="literal">localhost</code> is the conventional hostname for the 127.0.0.1 loopback, and it should resolve to that address. After typing <code class="literal">ping</code> <code class="literal">localhost</code>, you should see output similar to the following:</p><pre class="programlisting">server% <span class="bold"><strong>ping localhost</strong></span> 
-PING localhost: 56 data bytes  64 bytes from localhost (127.0.0.1):
-icmp-seq=0. time=0. ms  64 bytes from localhost (127.0.0.1): 
-icmp-seq=1. time=0. ms  64 bytes from localhost (127.0.0.1): 
-icmp-seq=2. time=0. ms  ^C</pre><p>If this succeeds, try the same test on the client. Otherwise:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "unknown host: localhost," there is a problem resolving the host name localhost into a valid IP address. (This may be as simple as a missing entry in a local <span class="emphasis"><em>hosts</em></span> file.) From here, skip down to <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>.</p></li><li><p>If you get "ping: no answer," or "100% packet loss," but pinging 127.0.0.1 worked, then name services is resolving to an address, but it isn't the correct one. Check the file or database (typically <code class="filename">/etc/hosts</code> on a Unix system) that the name service is using to resolve addresses to ensure that the entry is corrected.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.2.3"></a>Testing the networking hardware with ping </h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953666-0"></a>Next, ping the server's network IP address from itself. This should get you exactly the same results as pinging 127.0.0.1:</p><pre class="programlisting">server% <span class="bold"><strong>ping 192.168.236.86</strong></span> 
-PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86): 
-icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86): 
-icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86): 
-icmp-seq=2. time=1. ms ^C 
-----192.168.236.86 PING Statistics---- 
-3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)  
-min/avg/max = 0/0/1</pre><p>If this works on the server, repeat it for the client. Otherwise:</p><div class="itemizedlist"><ul type="disc"><li><p>If <code class="literal">ping</code> <em class="replaceable"><code>network_ip</code></em> fails on either the server or client, but ping 127.0.0.1 works on that machine, you have a TCP/IP problem that is specific to the Ethernet network interface card on the computer. Check with the documentation for the network card or the host operating system to determine how to correctly configure it. However, be aware that on some operating systems, the <span class="emphasis"><em>ping</em></span> command appears to work even if the network is disconnected, so this test doesn't always diagnose all hardware problems.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-84079"></a>Testing connections with ping</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953831-0"></a>Now, ping the server by name (instead of its IP address), once from the server and once from the client. This is the general test for working network hardware:</p><pre class="programlisting">server% <span class="bold"><strong>ping server</strong></span> 
-PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86): 
-icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86): 
-icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86): 
-icmp-seq=2. time=1. ms ^C 
-----server.example.com PING Statistics---- 
-3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)  
-min/avg/max = 0/0/1</pre><p>On Microsoft Windows, a ping of the server would look like <a href="#ch09-91668" title="Figure 9.1. Pinging the Samba server from a Windows client">Figure 9.1</a>.</p><div class="figure"><a name="ch09-91668"></a><p class="title"><b>Figure 9.1. Pinging the Samba server from a Windows client</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 285px"><td><img src="figs/sam.0901.gif" height="285" alt="Pinging the Samba server from a Windows client"></td></tr></table></div></div></div><br class="figure-break"><p>If successful, this test tells us five things:</p><div class="orderedlist"><ol type="1"><li><p>The hostname (e.g., "server") is being found by your local nameserver.</p></li><li><p>The hostname has been expanded to the full name (e.g., <span class="emphasis"><em>server.example.com</em></span>).</p></li><li><p>Its address is being returned (192.168.236.86).</p></li><li><p>The client has sent the Samba server four 56-byte UDP/IP packets.</p></li><li><p>The Samba server has replied to all four packets.</p></li></ol></div><p>If this test isn't successful, there can be one of several things wrong with the network:</p><div class="itemizedlist"><ul type="disc"><li><p>First, if you get "ping: no answer," or "100% packet loss," you're not connecting to the network, the other machine isn't connecting, or one of the addresses is incorrect. Check the addresses that the <code class="literal">ping</code> command reports on each machine, and ensure that they match the ones you set up initially.</p><p>If not, there is at least one mismatched address between the two machines. Try entering the command <code class="literal">arp</code> <code class="literal">-a</code>, and see if there is an entry for the other machine. The <code class="literal">arp</code> command stands for the Address Resolution Protocol. The <code class="literal">arp</code> <code class="literal">-a</code> command lists all the addresses known on the local machine. Here are some things to try:</p><div class="itemizedlist"><ul type="circle"><li><p>If you receive a message like "192.168.236.86 at (incomplete)," the Ethernet address of 192.168.236.86 is unknown. This indicates a complete lack of connectivity, and you're likely having a problem at the very bottom of the TCP/IP Network Administration protocol stack, at the Ethernet-interface layer. This is discussed in Chapters 5 and 6 of <em class="citetitle">TCP/IP Network Administration </em>(O'Reilly).</p></li><li><p>If you receive a response similar to "server (192.168.236.86) at 8:0:20:12:7c:94," then the server has been reached at some time, or another machine is answering on its behalf. However, this means that <span class="emphasis"><em>ping</em></span> should have worked: you may have an intermittent networking or ARP problem.</p></li><li><p>If the IP address from ARP doesn't match the addresses you expected, investigate and correct the addresses manually.</p></li></ul></div></li><li><p>If each machine can ping itself but not another, something is wrong on the network between them.</p></li><li><p>If you get "ping: network unreachable" or "ICMP Host Unreachable," then you're not receiving an answer and there is likely more than one network involved.</p><p>In principle, you shouldn't try to troubleshoot SMB clients and servers on different networks. Try to test a server and client on the same network. The three tests that follow assume you might be testing between two networks:</p><div class="orderedlist"><ol type="1"><li><p>First, perform the tests for no answer described earlier in this section. If this doesn't identify the problem, the remaining possibilities are the following: an address is wrong, your netmask is wrong, a network is down, or just possibly you've been stopped by a firewall.</p></li><li><p>Check both the address and the netmasks on source and destination machines to see if something is obviously wrong. Assuming both machines really are on the same network, they both should have the same netmasks and <span class="emphasis"><em>ping</em></span> should report the correct addresses. If the addresses are wrong, you'll need to correct them. If they're right, the programs may be confused by an incorrect netmask. See <a href="#ch09-21203" title="Netmasks">Section 9.2.9.1</a>, later in this chapter.</p></li><li><p>If the commands are still reporting that the network is unreachable and neither of the previous two conditions is in error, one network really may be unreachable from the other. This, too, is a network manager issue.</p></li></ol></div></li><li><p>If you get "ICMP Administratively Prohibited," you've struck a firewall of some sort or a misconfigured router. You will need to speak to your network security officer.</p></li><li><p>If you get "ICMP Host redirect," and <span class="emphasis"><em>ping</em></span> reports packets getting through, this is generally harmless: you're simply being rerouted over the network.</p></li><li><p>If you get a host redirect and no <span class="emphasis"><em>ping</em></span> responses, you are being redirected, but no one is responding. Treat this just like the "Network unreachable" response   and check your addresses and netmasks.</p></li><li><p>If you get "ICMP Host Unreachable from gateway <span class="emphasis"><em>gateway_name</em></span>," ping packets are being routed to another network, but the other machine isn't responding and the router is reporting the problem on its behalf. Again, treat this like a "Network unreachable" response and start checking addresses and netmasks.</p></li><li><p>If you get "ping: unknown host <span class="emphasis"><em>hostname</em></span>," your machine's name is not known. This tends to indicate a name-service problem, which didn't affect <code class="literal">localhost</code>. Have a look at <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>," later in this chapter.</p></li><li><p>If you get a partial success, with some pings failing but others succeeding, you either have an intermittent problem between the machines or an overloaded network. Ping for longer, and see if more than about 3 percent of the packets fail. If so, check it with your network manager: a problem may just be starting. However, if only a few fail, or if you happen to know some massive network program is running, don't worry unduly. Ping's ICMP (and UDP) are designed to drop occasional packets.</p></li><li><p>If you get a response like "smtsvr.antares.net is alive" when you actually pinged <span class="emphasis"><em>client.example.com</em></span>, you're either using someone else's address or the machine has multiple names and addresses. If the address is wrong, name service is clearly the culprit; you'll need to change the address in the name service database to refer to the right machine. This is discussed in <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>," later in this chapter.</p><p>Server machines are often <span class="emphasis"><em>multihomed</em></span> : connected to more than one network, with different names on each net. If you are getting a response from an unexpected name on a multihomed server, look at the address and see if it's on your network (see <a href="#ch09-21203" title="Netmasks">Section 9.2.9.1</a> later in this chapter). If so, you should use that address, rather than one on a different network, for both performance and reliability reasons.</p><p>Servers may also have multiple names for a single Ethernet address, especially if they are web servers. This is harmless, if otherwise startling. You probably will want to use the official (and permanent) name, rather than an alias which may change.</p></li><li><p>If everything works, but the IP address reported is 127.0.0.1, you have a name service error. This typically occurs when a operating system installation program generates an <code class="filename">/etc/hosts</code> line similar to <code class="literal">127.0.0.1</code> <code class="literal">localhost</code> <span class="emphasis"><em>hostnamedomainname</em></span>. The localhost line should say <code class="literal">127.0.0.1</code> <code class="literal">localhost</code> or <code class="literal">127.0.0.1</code> <code class="literal">localhost</code> <code class="literal">loghost</code>. Correct it, lest it cause failures to negotiate who is the master browse list holder and who is the master browser. It can, also cause (ambiguous) errors in later tests.</p></li></ul></div><p>If this worked from the server, repeat it from the<a class="indexterm" name="ch09-idx-953672-0"></a> client.<a class="indexterm" name="ch09-idx-953563-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.3"></a>Troubleshooting TCP</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953568-0"></a>Now that you've tested IP, UDP, and a name service with <span class="emphasis"><em>ping</em></span>, it's time to test TCP. <span class="emphasis"><em>ping</em></span> and browsing use ICMP and UDP; file and print services (shares) use TCP. Both depend on IP as a lower layer and all four depend on name services. Testing TCP is most conveniently done using the FTP (file transfer protocol) program.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-78512"></a>Testing TCP with FTP </h4></div></div></div><p>Try connecting via FTP, once from the server to itself, and once from the client to the server:</p><pre class="programlisting">server%  <strong class="userinput"><code>ftp server</code></strong>
-Connected to server.example.com. 
-220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready.
- Name (server:davecb): 
-331 Password required for davecb. 
-Password: 
-230 User davecb logged in.
- ftp&gt;<strong class="userinput"><code> quit </code></strong>
-221 Goodbye.</pre><p>If this worked, skip to <a href="#ch09-88968" title="Troubleshooting Server Daemons">Section 9.2.4</a>. Otherwise:</p><div class="itemizedlist"><ul type="disc"><li><p>If you received the message "server: unknown host," then nameservice has failed. Go back to the corresponding <span class="emphasis"><em>ping</em></span> step, <a href="#ch09-20350" title="Testing local name services with ping">Section 9.2.2.2</a>,"  and rerun those tests to see why name lookup failed.</p></li><li><p>If you received "ftp: connect: Connection refused," the machine isn't running an FTP daemon. This is mildly unusual on Unix servers. Optionally, you might try this test by connecting to the machine using telnet instead of FTP; the messages are very similar and telnet uses TCP as well.</p></li><li><p>If there was a long pause, then "ftp: connect: Connection timed out," the machine isn't reachable. Return to <a href="#ch09-84079" title="Testing connections with ping">Section 9.2.2.4</a>.</p></li><li><p>If you received "530 Logon Incorrect," you connected successfully, but you've just found a different problem. You likely provided an incorrect username or password. Try again, making sure you use your username from the Unix server and type your password correctly.</p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-88968"></a>Troubleshooting Server Daemons</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953569-0"></a>Once you've confirmed that TCP networking is working properly, the next step is to make sure the daemons are running on the server. This takes three separate tests because no single one of the following will decisively prove that they're working correctly.</p><p>To be sure they're running, you need to find out if:</p><div class="orderedlist"><ol type="1"><li><p>The daemon has started</p></li><li><p>The daemons are registered or bound to a TCP/IP port by the operating system</p></li><li><p>They're actually paying attention</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.4.1"></a>Before you start</h4></div></div></div><p>First, check the logs. If you've started the daemons, the message "smbd version <span class="emphasis"><em>some_number</em></span> started" should appear. If it doesn't, you will need to restart the Samba daemons.</p><p>If the daemon reports that it has indeed started, look out for "bind failed on port 139 socket_addr=0 (Address already in use)". This means another daemon has been started on port 139 (<span class="emphasis"><em>smbd</em></span> ). Also, <span class="emphasis"><em>nmbd</em></span> will report a similar failure if it cannot bind to port 137. Either you've started them twice, or the <span class="emphasis"><em>inetd</em></span> server has tried to provide a daemon for you. If it's the latter, we'll diagnose that in a moment.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-49239"></a>Looking for daemon processes with ps</h4></div></div></div><p>Next, you need to see if the daemons have been started. Use the <code class="literal">ps</code> command on the server with the <code class="literal">long</code> option for your machine type (commonly <code class="literal">ps</code> <code class="literal">ax</code> or <code class="literal">ps</code>    <code class="literal">-ef</code>), and see if you have either <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> already running. This often looks like the following:</p><pre class="programlisting">server% <span class="bold"><strong>ps ax</strong></span>
- PID TTY STAT TIME   COMMAND
- 1   ?   S    0:03   init [2]
- 2   ?   SW   0:00   (kflushd)
-<span class="emphasis"><em>(...many lines of processes...)</em></span>
- 234 ?   S    0:14   nmbd -D3
- 237 ?   S    0:11   smbd -D3
-<span class="emphasis"><em>(...more lines, possibly including more smbd lines...)</em></span></pre><p>This example illustrates that <span class="emphasis"><em>smbd</em></span> and <span class="emphasis"><em>nmbd</em></span> have already started as stand-alone daemons (the <code class="literal">-D</code> option) at log level 3.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.4.3"></a>Looking for daemons bound to ports</h4></div></div></div><p>Next, the daemons have to be registered with the operating system so they can get access to TCP/IP ports. The <code class="literal">netstat</code> command will tell you if this has been done. Run the command <code class="literal">netstat</code> <code class="literal">-a</code> on the server, and look for lines mentioning <code class="literal">netbios</code>, <code class="literal">137</code> or <code class="literal">139</code>:</p><pre class="programlisting">server% <span class="bold"><strong>netstat -a</strong></span> 
-Active Internet connections (including servers) 
-Proto Recv-Q Send-Q  Local Address          Foreign Address      (state) 
-udp   0      0       *.netbios-             *.* 
-tcp   0      0       *.netbios-             *.*                                 
-LISTEN 
-tcp   8370   8760    server.netbios-        client.1439               
-ESTABLISHED</pre><p>or:</p><pre class="programlisting">server% <span class="bold"><strong>netstat -a</strong></span> 
-Active Internet connections (including servers) 
-Proto Recv-Q Send-Q  Local Address          Foreign Address        (state) 
-udp   0      0       *.137                  *.* 
-tcp   0      0       *.139                  *.*                                    
-LISTEN 
-tcp   8370   8760    server.139             client.1439                 
-ESTABLISHED</pre><p>Among many similar lines, there should be at least one UDP line for <code class="literal">*.netbios-</code> or <code class="literal">*.137</code>. This indicates that the <span class="emphasis"><em>nmbd</em></span> server is registered and (we hope) is waiting to answer requests. There should also be at least one TCP line mentioning    <code class="literal">*.netbios-</code> or <code class="literal">*.139</code>, and it will probably be in the LISTENING state. This means that <span class="emphasis"><em>smbd</em></span> is up and listening for connections.</p><p>There may be other TCP lines indicating connections from <span class="emphasis"><em>smbd</em></span> to clients, one for each client. These are usually in the ESTABLISHED state. If there are <span class="emphasis"><em>smbd</em></span> lines in the ESTABLISHED state, <span class="emphasis"><em>smbd</em></span> is definitely running. If there is only one line in the LISTENING state, we're not sure yet. If both of the lines is missing, a daemon has not succeeded in starting, so it's time to check the logs and then go back to <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>.</p><p>If there is a line for each client, it may be coming either from a Samba daemon or from the master IP daemon, <span class="emphasis"><em>inetd</em></span>. It's quite possible that your <span class="emphasis"><em>inetd</em></span> startup file contains lines that start Samba daemons without your realizing it; for instance, the lines may have been placed there if you installed Samba as part of a Linux distribution. The daemons started by <span class="emphasis"><em>inetd</em></span> prevent ours from running. This problem typically produces log messages such as "bind failed on port 139 socket_addr=0 (Address already in use)."</p><p>Check your <code class="filename">/etc/inetd.conf</code> ; unless you're intentionally starting the daemons from there, there <span class="emphasis"><em>must not</em></span> be any <code class="literal">netbios-ns</code> (udp port 137) or <code class="literal">netbios-ssn</code> (tcp port 139) servers mentioned there. <span class="emphasis"><em>inetd</em></span> is a daemon that provides numerous services, controlled by entries in <span class="emphasis"><em>/etc/inetd.conf</em></span>. If your system is providing an SMB daemon via <span class="emphasis"><em>inetd</em></span>, there will be lines like the following in the file:</p><pre class="programlisting">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
-netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.4.4"></a>Checking smbd with telnet</h4></div></div></div><p>Ironically, the easiest way to test that the <span class="emphasis"><em>smbd</em></span>
-<a class="indexterm" name="ch09-idx-953678-0"></a> server is actually working is to send it a meaningless message and see if it rejects it. Try something like the following:</p><pre class="programlisting"><strong class="userinput"><code>echo hello | telnet localhost 139</code></strong></pre><p>This sends an erroneous but harmless message to <span class="emphasis"><em>smbd</em></span>. The <code class="literal">hello</code> message is important. Don't try telneting to the port and typing just anything; you'll probably just hang your process. <code class="literal">hello</code>, however, is generally a harmless message.</p><pre class="programlisting">server% <span class="bold"><strong>echo "hello" | telnet localhost 139</strong></span> 
-Trying
-Trying 192.168.236.86 ... 
-Connected to localhost. Escape character is '^]'. 
-Connection closed by foreign host.</pre><p>If you get a "Connected" message followed by a "Connection closed" message, the test was a success. You have an <span class="emphasis"><em>smbd</em></span> daemon listening on the port and rejecting improper connection messages. On the other hand, if you get "telnet: connect: Connection refused," there is probably no daemon present. Check the logs and go back to <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>.</p><p>Regrettably, there isn't an easy test for <span class="emphasis"><em>nmbd</em></span>. If the <code class="literal">telnet</code> test and the <code class="literal">netstat</code> test both say that there is an <span class="emphasis"><em>smbd</em></span> running, there is a good chance that <code class="literal">netstat</code> will also be correct about <span class="emphasis"><em>nmbd</em></span> running.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-67494"></a>Testing daemons with testparm</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953679-0"></a>Once you know there's a daemon, you should always run <code class="literal">testparm</code>, in hopes of getting:</p><pre class="programlisting">server% <span class="bold"><strong>testparm</strong></span> 
-Load smb config files from /opt/samba/lib/smb.conf
-Processing section "[homes]" 
-Processing section "[printers]" ... 
-Processing section "[tmp]" 
-Loaded services file OK. ...</pre><p>The <code class="literal">testparm</code> program normally reports processing a series of sections, and responds with "Loaded services file OK" if it succeeds. If not, it will report one or more of the following messages, which will also appear in the logs as noted:</p><div class="variablelist"><dl><dt><span class="term"><span class="emphasis"><em>"Allow/Deny connection from account (n) to service"</em></span></span></dt><dd><p>A <span class="emphasis"><em>testparm</em></span>-only message produced if you have valid/invalid user options set in your <span class="emphasis"><em>smb.conf</em></span>. You will want to make sure that you are on the valid user list, and that root, bin, etc., are on the invalid user list. If you don't, you will not be able to connect, or folks who shouldn't <span class="emphasis"><em>will</em></span> be able to.</p></dd><dt><span class="term"><span class="emphasis"><em>"Warning: You have some share names that are longer than eight chars"</em></span></span></dt><dd><p>For anyone using Windows for Workgroups and older clients. They will fail to connect to shares with long names, producing an overflow message that sounds confusingly like a memory overflow.</p></dd><dt><span class="term">"Warning: [name] service MUST be printable!"</span></dt><dd><p>A printer share lacks a <code class="literal">printable</code> <code class="literal">=</code> <code class="literal">yes</code> option.</p></dd><dt><span class="term">"No path in service name using [name]"</span></dt><dd><p>A file share doesn't know which directory to provide to the user, or a print share doesn't know which directory to use for spooling. If no path is specified, the service will try to run with a path of <span class="emphasis"><em>/tmp</em></span>, which may not be what you want.</p></dd><dt><span class="term">"Note: Servicename is flagged unavailable"</span></dt><dd><p>Just a reminder that you have used the <code class="literal">available</code> <code class="literal">=</code> <code class="literal">no</code> option in a share.</p></dd><dt><span class="term">"Can't find include file [name]" </span></dt><dd><p>A configuration file referred to by an <code class="literal">include</code> option did not exist. If you were including the file unconditionally, this is an error and probably a serious one: the share will not have the configuration you intended. If you were including it based one of the <code class="literal">%</code> variables, such as <code class="literal">%a</code> (architecture), you will need to decide if, for example, a missing Windows for Workgroups configuration file is a problem. It often isn't.</p></dd><dt><span class="term">"Can't copy service name, unable to copy to itself"</span></dt><dd><p>You tried to copy a <code class="filename">smb.conf</code> section into itself.</p></dd><dt><span class="term">"Unable to copy service&#8212;source not found: [name]"</span></dt><dd><p>Indicates a missing or misspelled section in a <code class="literal">copy</code> <code class="literal">=</code> option.</p></dd><dt><span class="term">"Ignoring unknown parameter name" </span></dt><dd><p>Typically indicates an obsolete, misspelled or unsupported option.</p></dd><dt><span class="term">"Global parameter name found in service section" </span></dt><dd><p>Indicates a global-only parameter has been used in an individual share. Samba will ignore the parameter.</p></dd></dl></div><p>After the <code class="literal">testparm</code> test, repeat it with (exactly) three parameters: the name of your <code class="filename">smb.conf</code> file, the name of your client, and its IP address:</p><pre class="programlisting">testparm <em class="replaceable"><code>samba_directory</code></em>/lib/smb.conf client 192.168.236.10</pre><p>This will run one more test that checks the host name and address against <code class="literal">host</code> <code class="literal">allow</code> and <code class="literal">host</code> <code class="literal">deny</code> options and may produce the "Allow/Deny connection from account account_name" to service message for the client machine. This message indicates you have valid/invalid host options in your <code class="filename">smb.conf</code>, and they prohibit access from the client machine. Entering <code class="literal">testparm</code> <code class="literal">/usr/local/lib/experimental.conf</code> is also an effective way to test an experimental <code class="filename">smb.conf</code> file before putting it into production.<a class="indexterm" name="ch09-idx-953573-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.5"></a>Troubleshooting SMB Connections</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953578-0"></a>Now that you know the servers are up, you need to make sure that they're running properly. We start with the <code class="filename">smb.conf</code> file in the <em class="replaceable"><code>samba_directory</code></em><code class="filename">/lib</code> directory.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-67928"></a>A minimal smb.conf file</h4></div></div></div><p>In the following tests, we assume you have a <code class="literal">[temp]</code> share suitable for testing, plus at least one account. An <code class="filename">smb.conf</code> file that includes just these is:</p><pre class="programlisting">[global] 
-    workgroup = <em class="replaceable"><code>EXAMPLE</code></em> 
-    security = user
-    browsable = yes 
-    local master = yes 
-[homes] 
-    guest ok = no 
-    browseble = no
-[temp] 
-    path = /tmp 
-    public = yes</pre><p>A word of warning: the <code class="literal">public</code> <code class="literal">=</code> <code class="literal">yes</code> option in the <code class="literal">[temp]</code> share is just for testing. You probably don't want people without accounts to be able to store things on your Samba server, so you should comment it out when you're done.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-40595"></a>Testing locally with smbclient</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953682-0"></a>The first test is to ensure the server can list its own services (shares). Run the command <code class="literal">smbclient</code> with a <code class="literal">-L</code> option of <code class="literal">localhost</code> to connect to itself, and a <code class="literal">-U</code> option of just <code class="literal">%</code> to specify the guest user. You should see the following:</p><pre class="programlisting">server% <strong class="userinput"><code>smbclient -L localhost -U% </code></strong>
-Server time is Wed May 27 17:57:40 1998 Timezone is UTC-4.0
-Server=[localhost] 
-User=[davecb] 
-Workgroup=[EXAMPLE] 
-Domain=[EXAMPLE]
-	Sharename      Type      Comment 
-	---------           -----       ----------
-	temp               Disk
-	IPC$               IPC       IPC Service (Samba 1.9.18) 
-	homes            Disk       Home directories
-This machine does not have a browse list</pre><p>If you received this output, move on to the next test, <a href="#ch09-77154" title="Testing connections with smbclient">Section 9.2.5.3</a>." On the other hand, if you receive an error, check the following:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "Get_hostbyname: unknown host localhost," either you've spelled its name wrong or there actually is a problem (which should have been seen back in <a href="#ch09-20350" title="Testing local name services with ping">Section 9.2.2.2</a>) In the latter case, move on to <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>.</p></li><li><p>If you get "Connect error: Connection refused," the server machine was found, but it wasn't running an <span class="emphasis"><em>nmbd</em></span> daemon. Skip back to <a href="#ch09-88968" title="Troubleshooting Server Daemons">Section 9.2.4</a>," and retest the daemons.</p></li><li><p>If you get the message "Your server software is being unfriendly," the initial session request packet got a garbage response from the server. The server may have crashed or started improperly. The common causes of this can be discovered by scanning the logs for:</p><div class="itemizedlist"><ul type="circle"><li><p>Invalid command-line parameters to <span class="emphasis"><em>smbd</em></span>; see the <span class="emphasis"><em>smbd</em></span> manual page.</p></li><li><p>A fatal problem with the <code class="filename">smb.conf</code> file that prevents the startup of <span class="emphasis"><em>smbd</em></span>. Always check your changes, as was done in <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>.</p></li><li><p>The directories where Samba keeps its log and lock files are missing.</p></li><li><p>There is already a server on the port (139 for <span class="emphasis"><em>smbd</em></span>, 137 for <span class="emphasis"><em>nmbd </em></span>), preventing it from starting.</p></li></ul></div></li><li><p>If you're using <span class="emphasis"><em>inetd</em></span> instead of stand-alone daemons, check your <code class="filename">/etc/inetd.conf</code> and <code class="filename">/etc/services</code> entries against their manual pages for errors as well.</p></li><li><p>If you get a <code class="literal">Password:</code> prompt, your guest account is not set up properly. The <code class="literal">%U</code> option tells <span class="emphasis"><em>smbclient</em></span> to do a "null login," which requires that the guest account be present but does not require it to have any privileges.</p></li><li><p>If you get the message "SMBtconX failed. ERRSRV&#8212;ERRaccess," you aren't permitted access to the server. This normally means you have a <code class="literal">valid</code> <code class="literal">hosts</code> option that doesn't include the server, or an <code class="literal">invalid</code> <code class="literal">hosts</code> option  that does. Recheck with the command <code class="literal">testparm</code> <code class="literal">smb.conf</code> <em class="replaceable"><code>your_hostname</code></em> <em class="replaceable"><code>your_ip_address</code></em> (see <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>) and correct any unintended prohibitions.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-77154"></a>Testing connections with smbclient</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953689-0"></a>Run the command <code class="literal">smbclient</code> <code class="literal">\\</code><em class="replaceable"><code>server</code></em><code class="literal">\temp</code>, which connects to your server's   <code class="filename">/tmp</code> share, to see if you can connect to a file service. You should get the following response:</p><pre class="programlisting">server% <span class="bold"><strong>smbclient '\\server\temp'</strong></span> 
-Server time is Tue May  5 09:49:32 1998 Timezone is UTC-4.0 Password:
-smb: \&gt; <span class="bold"><strong>quit</strong></span></pre><div class="itemizedlist"><ul type="disc"><li><p>If you get "Get_Hostbyname: Unknown host name," "Connect error: Connection refused," or "Your server software is being unfriendly," see <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a> for the diagnoses.</p></li><li><p>If you get the message "servertemp: Not enough `\' characters in service," you likely didn't quote the address, so Unix stripped off backslashes. You can also write the command:</p><pre class="programlisting">smbclient \\\\<em class="replaceable"><code>server</code></em>\\temp</pre><p>or:</p><pre class="programlisting">smbclient //<em class="replaceable"><code>server</code></em>/temp</pre></li></ul></div><p>Now, provide your Unix account password to the <code class="literal">Password</code> prompt. If you then get an <code class="literal">smb\&gt;</code> prompt, it worked. Enter <code class="literal">quit</code>, and continue on to <a href="#ch09-97081" title="Testing connections with NET USE">Section 9.2.5.4</a>." If you then get "SMBtconX failed. ERRSRV&#8212;ERRinvnetname," the problem can be any of the following:</p><div class="itemizedlist"><ul type="disc"><li><p>A wrong share name: you may have spelled it wrong, it may be too long, it may be in mixed case, or it may not be available. Check that it's what you expect with testparm (see <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>.)</p></li><li><p><code class="literal">security</code> <code class="literal">=</code> <code class="literal">share</code>, in which you may have to add <em class="replaceable"><code>-U your_account</code></em> to the <span class="emphasis"><em>smbclient</em></span> command, or know the password of a Unix account named temp.</p></li><li><p>An erroneous username.</p></li><li><p>An erroneous password.</p></li><li><p>An <code class="literal">invalid</code> <code class="literal">users</code> or <code class="literal">valid</code> <code class="literal">users</code> option in your <span class="emphasis"><em>smb.conf</em></span> file that doesn't allow your account to connect. Recheck with <code class="literal">testparm</code> <code class="literal">smb.conf</code> <em class="replaceable"><code>your_hostname your_ip_address</code></em> (see <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>).</p></li><li><p>A <code class="literal">valid</code> <code class="literal">hosts</code> option that doesn't include the server, or an <code class="literal">invalid</code> <code class="literal">hosts</code> option that does. Also test this with <span class="emphasis"><em>testparm</em></span>.</p></li><li><p>A problem in authentication, such as if shadow passwords or the PAM (Password Authentication Module) is used on the server, but Samba is not compiled to use it. This is rare, but occasionally happens when a SunOS 4 Samba binary (no shadow passwords) is run without recompilation on a Solaris system (with shadow passwords).</p></li><li><p>The <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">yes</code> option in the configuration file, but no password for your account in the <span class="emphasis"><em>smbpasswd</em></span> file.</p></li><li><p>You have a null password entry, either in Unix <code class="filename">/etc/passwd</code> or in the <span class="emphasis"><em>smbpasswd</em></span> file.</p></li><li><p>You are connecting to <code class="literal">[temp]</code>, and you do not have the <code class="literal">guest</code> <code class="literal">ok</code> <code class="literal">=</code> <code class="literal">yes</code> option in the <code class="literal">[temp]</code> section of the <span class="emphasis"><em>smb.conf</em></span> file.</p></li><li><p>You are connecting to <code class="literal">[temp]</code> before connecting to your home directory, and your guest account isn't set up correctly. If you can connect to your home directory and then connect to <code class="literal">[temp]</code>, that's the problem. See <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a> for more information on creating a basic Samba configuration file.</p><p>A bad guest account will also prevent you from printing or browsing until after you've logged in to your home directory.</p></li></ul></div><p>There is one more reason for this failure that has nothing at all to do with passwords: the <code class="literal">path</code> <code class="literal">=</code>  line in your <code class="filename">smb.conf</code> file may point somewhere that doesn't exist. This will not be diagnosed by <span class="emphasis"><em>testparm</em></span>, and most SMB clients can't tell it from other types of bad user accounts. You will have to check it manually.</p><p>Once you have connected to <code class="literal">[temp]</code> successfully, repeat the test, this time logging in to your home directory (e.g., map network drive <em class="replaceable"><code>server</code></em><code class="literal">\davecb</code>) looking for failures in doing that. If you have to change anything to get that to work, re-test <code class="literal">[temp]</code> again afterwards.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-97081"></a>Testing connections with NET USE</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953696-0"></a>Run the command <code class="literal">net</code> <code class="literal">use</code> <code class="literal">*</code> <code class="literal">\</code><em class="replaceable"><code>server</code></em><code class="literal">\temp</code> on the DOS or Windows client to see if it can connect to the server. You should be prompted for a password, then receive the response "The command was completed successfully," as shown in <a href="#ch09-99328" title="Figure 9.2. Results of the NET USE command">Figure 9.2</a>.</p><div class="figure"><a name="ch09-99328"></a><p class="title"><b>Figure 9.2. Results of the NET USE command</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 471px"><td><img src="figs/sam.0902.gif" width="502" alt="Results of the NET USE command"></td></tr></table></div></div></div><br class="figure-break"><p>If that succeeded, continue with the steps in <a href="#ch09-57065" title="Testing connections with Windows Explorer">Section 9.2.5.5</a>. Otherwise:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "The specified shared directory cannot be found," or "Cannot locate specified share name," the directory name is either misspelled or not in the <span class="emphasis"><em>smb.conf</em></span> file. This message can also warn of a name in mixed case, including spaces, or is longer than eight characters.</p></li><li><p>If you get "The computer name specified in the network path cannot be located," or "Cannot locate specified computer," the directory name has been misspelled, the name service has failed, there is a networking problem, or the <code class="literal">hosts</code> <code class="literal">deny</code> <code class="literal">=</code> option includes your host.</p><div class="itemizedlist"><ul type="circle"><li><p>If it is not a spelling mistake, you need to double back to at least <a href="#ch09-77154" title="Testing connections with smbclient">Section 9.2.5.3</a>, to investigate why it doesn't connect.</p></li><li><p>If <span class="emphasis"><em>smbclient</em></span> does work, it's a name service problem with the client name service, and you need to go forward to <a href="#ch09-12446" title="Testing the server with nmblookup">Section 9.2.6.2</a>, and see if you can look up both client and server with <span class="emphasis"><em>nmblookup</em></span>.</p></li></ul></div></li><li><p>If you get "The password is invalid for <code class="literal">\</code><em class="replaceable"><code>server</code></em><code class="literal">\</code><em class="replaceable"><code>username</code></em>," your locally cached copy on the client doesn't match the one on the server. You will be prompted for a replacement.</p></li></ul></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Windows 95 and 98 clients keep a local <span class="emphasis"><em>password</em></span> file, but it's really just a cached copy of the password it sends to Samba and NT servers to authenticate you. That's what is being prompted for here. You can still log on to a Windows machine without a password (but not to NT).</p></div><div class="itemizedlist"><ul type="disc"><li><p>
-If you provide your password, and it still fails, your password is not being matched on the server, you have a <code class="literal">valid</code> <code class="literal">users</code> or <code class="literal">invalid</code> <code class="literal">users</code> list denying you permission, NetBEUI is interfering, or the encrypted password problem described in the next paragraph exists.</p></li><li><p>If your client is NT 4.0, NT 3.5 with Patch 3, Windows 95 with Patch 3, Windows 98 or any of these with Internet Explorer 4.0, these default to using Microsoft encryption for passwords (discussed in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>'s <a href="#ch06-61393" title="Passwords">Section 6.4</a>, along with the alternatives). In general, if you have installed a major Microsoft product recently, you may have applied an update and turned on encrypted passwords.</p></li></ul></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>Because of Internet Explorer's willingness to honor URLs such as <code class="filename">file://somehost/somefile</code> by making SMB connections, clients up to and including Windows 95 Patch Level 2 would happily send your password, in plaintext, to SMB servers anywhere on the Internet. This was considered a bad idea, and Microsoft quite promptly switched to using only encrypted passwords in the SMB protocol. All subsequent releases of their products have included this correction. Encrypted passwords aren't actually needed unless you're using Internet Explorer 4.0 without a firewall, so it's reasonable to keep using unencrypted passwords on your own networks.</p></div><div class="itemizedlist"><ul type="disc"><li><p>If you have a mixed-case password on Unix, the client is probably sending it in all one case. If changing your password to all one case works, this was the problem. Regrettably, all but the oldest clients support uppercase passwords, so Samba will try once with it in uppercase and once in lower case. If you wish to use mixed-case passwords, see the <code class="literal">password</code> <code class="literal">level</code> option in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a> for a workaround.</p></li><li><p>You may have a <code class="literal">valid</code> <code class="literal">users</code> problem, as tested with <span class="emphasis"><em>smbclient</em></span> (see <a href="#ch09-77154" title="Testing connections with smbclient">Section 9.2.5.3</a>).</p></li><li><p>You may have the NetBEUI protocol bound to the Microsoft client. This often produces long timeouts and erratic failures, and is known to have caused failures to accept passwords in the past.</p></li></ul></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>The term "bind" is used to mean connecting a piece of software to another in this case. The Microsoft SMB client is "bound to" TCP/IP in the bindings section of the TCP/IP properties panel under the Windows 95/98 Network icon in the Control Panel. TCP/IP in turn is bound to an Ethernet card. This is not the same sense of the word as binding an SMB daemon to a TCP/IP port.<a class="indexterm" name="ch09-idx-953703-0"></a></p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-57065"></a>Testing connections with Windows Explorer</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953710-0"></a>Start Windows Explorer or NT Explorer (not Internet Explorer), select Tools&#8594;Map Network Drive and specify \\<em class="replaceable"><code>server</code></em>\<code class="literal">temp</code> to see if you can make Explorer connect to the <code class="filename">/tmp</code> directory. You should see a screen similar to the one in <a href="#ch09-74414" title="Figure 9.3. Accessing the /tmp directory with Windows Explorer">Figure 9.3</a>. If so, you've succeeded and can skip to <a href="#ch09-23573" title="Troubleshooting Browsing">Section 9.2.6</a>."</p><div class="figure"><a name="ch09-74414"></a><p class="title"><b>Figure 9.3. Accessing the /tmp directory with Windows Explorer</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 336px"><td><img src="figs/sam.0903.gif" width="502" alt="Accessing the /tmp directory with Windows Explorer"></td></tr></table></div></div></div><br class="figure-break"><p>A word of caution: Windows Explorer and NT Explorer are rather poor as diagnostic tools: they do tell you that something's wrong, but rarely what it is. If you get a failure, you'll need to track it down with the NET USE command, which has far superior error reporting:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "The password for this connection that is in your password file is no longer correct," you may have any of the following:</p><div class="itemizedlist"><ul type="circle"><li><p>Your locally cached copy on the client doesn't match the one on the server.</p></li><li><p>You didn't provide a username and password when logging on to the client. Most Explorers will continue to send a username and password of null, even if you provide a password.</p></li><li><p>You have misspelled the password.</p></li><li><p>You have an <code class="literal">invalid</code> <code class="literal">users</code> or <code class="literal">valid</code> <code class="literal">users</code> list denying permission.</p></li><li><p>Your client is NT 4.0, NT 3.5 with Patch 3, Windows 95 with Patch 3, Windows 98, or any of these with Internet Explorer 4. They will all want encrypted passwords.</p></li><li><p>You have a mixed-case password, which the client is supplying in all one case.</p></li></ul></div></li><li><p>If you get "The network name is either incorrect, or a network to which you do not have full access," or "Cannot locate specified computer," you may have any of the following:</p><div class="itemizedlist"><ul type="circle"><li><p> Misspelled name</p></li><li><p> Malfunctioning service</p></li><li><p> Failed share</p></li><li><p> Networking problem</p></li><li><p> Bad <code class="literal">path</code> line</p></li><li><p> <code class="literal">hosts</code> <code class="literal">deny</code> line that excludes you</p></li></ul></div></li><li><p>If you get "You must supply a password to make this connection," the password on the client is out of synchronization with the server, or this is the first time you've tried from this client machine and the client hasn't cached it locally yet.</p></li><li><p>If you get "Cannot locate specified share name," you have a wrong share name or a syntax error in specifying it, a share name longer than eight characters, or one containing spaces or in mixed case.</p></li></ul></div><p>Once you can reliably connect to the <code class="literal">[temp]</code> directory, try once again, this time using your home directory. If you have to change something to get home directories working, then retest with <code class="literal">[temp]</code>, and vice versa, as we showed in <a href="#ch09-97081" title="Testing connections with NET USE">Section 9.2.5.4</a>. As always, if Explorer fails, drop back to that section and debug it<a class="indexterm" name="ch09-idx-953717-0"></a> there.<a class="indexterm" name="ch09-idx-953581-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-23573"></a>Troubleshooting Browsing </h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953586-0"></a>Finally, we come to browsing. This was left to last, not because it is hardest, but because it's both optional and partially dependent on a protocol that doesn't guarantee delivery of a packet. Browsing is hard to diagnose if you don't already know all the other services are running.</p><p>Browsing is purely optional: it's just a way to find the servers on your net and the shares that they provide. Unix has nothing of the sort and happily does without. Browsing also assumes all your machines are on a local area network (LAN) where broadcasts are allowable.</p><p>First, the browsing mechanism identifies a machine using the unreliable UDP protocol; then it makes a normal (reliable) TCP/IP connection to list the shares the machine provides.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-96207"></a>Testing browsing with smbclient </h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953724-0"></a>We'll start with testing the reliable connection first. From the server, try listing its own shares via <span class="emphasis"><em>smbclient</em></span> with a <code class="literal">-L</code> option of your server's name. You should get:</p><pre class="programlisting">server% <strong class="userinput"><code>smbclient -L server</code></strong> 
-Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server time is Tue Apr 28 09:57:28 1998 Timezone is UTC-4.0 
-Password: 
-Domain=[EXAMPLE] 
-OS=[Unix] 
-Server=[Samba 1.9.18]
-Server=[server] 
-User=[davecb] 
-Workgroup=[EXAMPLE] 
-Domain=[EXAMPLE]
-   Sharename      Type      Comment    
-   ---------      ----      -------    
-    cdrom          Disk      CD-ROM    
-    cl             Printer   Color Printer 1    
-    davecb         Disk      Home Directories
-
- This machine has a browse list:
-   Server         Comment    
-   ---------      -------    
-   SERVER          Samba 1.9.18
-
- This machine has a workgroup list:
-   Workgroup      Master    
-    ---------      -------    
-    EXAMPLE        SERVER</pre><div class="itemizedlist"><ul type="disc"><li><p>If you didn't get a Sharename list, the server is not allowing you to browse any shares. This should not be the case if you've tested any of the shares with Windows Explorer or the NET USE command. If you haven't done the <code class="literal">smbclient</code> <code class="literal">-L</code> <code class="literal">localhost</code> <code class="literal">-U%</code> test yet (see <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a>), do it now. An erroneous guest account can prevent the shares from being seen. Also, check the <code class="filename">smb.conf</code> file to make sure you do not have the option <code class="literal">browsable</code> <code class="literal">=</code> <code class="literal">no</code> anywhere in it: we suggest a minimal <code class="filename">smb.conf</code> file (see <a href="#ch09-67928" title="A minimal smb.conf file">Section 9.2.5.1</a>) for you to steal from. You need to have <code class="literal">browseable</code> enabled in order to be able to see at least the <code class="literal">[temp]</code> share.</p></li><li><p>If you didn't get a browse list, the server is not providing information about the machines on the network. At least one machine on the net must support browse lists. Make sure you have <code class="literal">local</code> <code class="literal">master</code> <code class="literal">=</code> <code class="literal">yes</code> in the <code class="filename">smb.conf</code> file if you want Samba be the local master browser.</p></li><li><p>If you got a browse list but didn't get <span class="emphasis"><em>/tmp</em></span>, you probably have a <code class="filename">smb.conf</code> problem. Go back to <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>."</p></li><li><p>If you didn't get a workgroup list with your workgroup name in it, it is possible that your workgroup is set incorrectly in the <code class="filename">smb.conf</code> file.</p></li><li><p>If you didn't get a workgroup list at all, ensure that <code class="literal">workgroup</code> <code class="literal">=EXAMPLE</code> is present in the <code class="filename">smb.conf</code> file.</p></li><li><p>If you get nothing, try once more with the options <code class="literal">-I</code> <em class="replaceable"><code>ip_address</code></em> <code class="literal">-n</code> <em class="replaceable"><code>netbios_name</code></em> <code class="literal">-W</code> <em class="replaceable"><code>workgroup</code></em> <code class="literal">-d3</code> with the NetBIOS and workgroup name in uppercase. (The <code class="literal">-d</code> <code class="literal">3</code> option sets the log /debugging level to 3.)</p></li></ul></div><p>If you're still getting nothing, you shouldn't have gotten this far. Double back to at least <a href="#ch09-78512" title="Testing TCP with FTP">Section 9.2.3.1</a>," or perhaps <a href="#ch09-84079" title="Testing connections with ping">Section 9.2.2.4</a>." On the other hand:</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "SMBtconX failed. ERRSRV&#8212;ERRaccess," you aren't permitted access to the server. This normally means you have a <code class="literal">valid</code> <code class="literal">hosts</code> option that doesn't include the server, or an invalid hosts option that does.</p></li><li><p> If you get "Bad password," then you presumably have one of the following:</p><div class="itemizedlist"><ul type="circle"><li><p> An incorrect <code class="literal">hosts</code> <code class="literal">allow</code> or <code class="literal">hosts</code> <code class="literal">deny</code> line</p></li><li><p> An incorrect <code class="literal">invalid</code> <code class="literal">users</code> or <code class="literal">valid</code> <code class="literal">users</code> line</p></li><li><p> A lowercase password and OS/2 or Windows for Workgroups clients</p></li><li><p> A missing or invalid guest account</p></li></ul></div><p>Check what your guest account is (see <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a>) and verify your <code class="filename">smb.conf</code> file with <code class="literal">testparm</code> <code class="literal">smb.conf</code> <em class="replaceable"><code>your_hostname your_ip_address</code></em> (see <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>) and change or comment out any <code class="literal">hosts</code> <code class="literal">allow</code>, <code class="literal">hosts</code> <code class="literal">deny</code>, <code class="literal">valid</code> <code class="literal">users</code> or <code class="literal">invalid</code> <code class="literal">users</code> lines.</p></li><li><p>If you get "Connection refused," the <span class="emphasis"><em>smbd</em></span> server is not running or has crashed. Check that it's up, running, and listening to the network with <span class="emphasis"><em>netstat</em></span>, see step <a href="#ch09-67494" title="Testing daemons with testparm">Section 9.2.4.5</a>."</p></li><li><p>If you get "Get_Hostbyname: Unknown host name," you've made a spelling error, there is a mismatch between Unix and NetBIOS hostname, or there is a name service problem. Start nameservice debugging with <a href="#ch09-97081" title="Testing connections with NET USE">Section 9.2.5.4</a>." If this works, suspect a name mismatch and go to step <a href="#ch09-35552" title="Troubleshooting NetBIOS Names">Section 9.2.10</a>."</p></li><li><p>If you get "Session request failed," the server refused the connection. This usually indicates an internal error, such as insufficient memory to fork a process.</p></li><li><p>If you get "Your server software is being unfriendly," the initial session request packet received a garbage response from the server. The server may have crashed or started improperly. Go back to <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a>," where the problem is first analyzed.</p></li><li><p>If you suspect the server is not running, go back to <a href="#ch09-49239" title="Looking for daemon processes with ps">Section 9.2.4.2</a> to see why the server daemon isn't responding.<a class="indexterm" name="ch09-idx-953731-0"></a></p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-12446"></a>Testing the server with nmblookup</h4></div></div></div><p>This will test the "advertising" system used for Windows name services and browsing. Advertising works by broadcasting one's presence or willingness to provide services. It is the part of browsing that uses an unreliable protocol (UDP), and works only on broadcast networks like Ethernets. The <span class="emphasis"><em>nmblookup</em></span>
-<a class="indexterm" name="ch09-idx-953736-0"></a> program broadcasts name queries for the hostname you provide, and returns its IP address and the name of the machine, much like <span class="emphasis"><em>nslookup</em></span> does with DNS. Here, the <code class="literal">-d</code> (debug- or log-level) option, and the <code class="literal">-B</code> (broadcast address) options direct queries to specific machines.</p><p>First, we check the server from itself. Run <span class="emphasis"><em>nmblookup</em></span> with a <code class="literal">-B</code> option of your server's name to tell it to send the query to the Samba server, and a parameter of  <code class="literal">_ _SAMBA_ _</code> as the symbolic name to look up. You should get:</p><pre class="programlisting">server% <span class="bold"><strong>nmblookup -B</strong></span><em class="replaceable"><code>server</code></em><span class="bold"><strong> _ _SAMBA_ _</strong></span>
-Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 
-Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</pre><p>You should get the IP address of the server, followed by the name <code class="literal">_ _SAMBA_ _ </code>, which means that the server has successfully advertised that it has a service called <code class="literal">_ _SAMBA_ _ </code>, and therefore at least part of NetBIOS nameservice works.</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "Name_query failed to find name _ _SAMBA_ _" you may have specified the wrong address to the <code class="literal">-B</code> option, or <span class="emphasis"><em>nmbd</em></span> is not running. The <code class="literal">-B</code> option actually takes a broadcast address: we're using a machine-name to get a unicast address, and to ask server if it has claimed <code class="literal">_ _SAMBA_ _</code>.</p></li><li><p>Try again with <code class="literal">-B</code><em class="replaceable"><code> ip_address</code></em>, and if that fails too, <span class="emphasis"><em>nmbd</em></span> isn't claiming the name. Go back briefly to "Testing daemons with testparm" to see if <span class="emphasis"><em>nmbd</em></span> is running. If so, it may not claiming names; this means that Samba is not providing the browsing service&#8212;a configuratiuon problem. If that is the case, make sure that <code class="filename">smb.conf</code> doesn't contain the option <code class="literal">browsing</code> <code class="literal">=</code> <code class="literal">no</code>.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-32122"></a>Testing the client with nmblookup</h4></div></div></div><p>Next, check the IP address of the client from the server with <span class="emphasis"><em>nmblookup</em></span>
-<a class="indexterm" name="ch09-idx-953737-0"></a> using <code class="literal">-B</code> option for the client's name and a parameter of <code class="literal">'*'</code> meaning "anything," as shown here:</p><pre class="programlisting">server% <span class="bold"><strong>nmblookup -B client '*'</strong></span> 
-Sending queries to 192.168.236.10 192.168.236.10 *
-Got a positive name query response from 192.168.236.10 (192.168.236.10)</pre><div class="itemizedlist"><ul type="disc"><li><p>If you receive "Name-query failed to find name *," you have made a spelling mistake, or the client software on the PC isn't installed, started, or bound to TCP/IP. Double back to <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a> or <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a> and ensure you have a client installed and listening to the network.</p></li></ul></div><p>Repeat the command with the following options if you had any failures:</p><div class="itemizedlist"><ul type="disc"><li><p>If <code class="literal">nmblookup</code> <code class="literal">-B</code> <em class="replaceable"><code>client_IP_address</code></em>  succeeds but <code class="literal">-B</code> <em class="replaceable"><code>client_name</code></em> fails, there is a name service problem with the client's name; go to <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>."</p></li><li><p>If <code class="literal">nmblookup</code> <code class="literal">-B</code> <code class="literal">127.0.0.1'*'</code> succeeds, but <code class="literal">-B</code> <em class="replaceable"><code>client_IP_address</code></em> fails, there is a hardware problem and ping should have failed. See your network manager.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-98123"></a>Testing the network with nmblookup</h4></div></div></div><p>Run the command <span class="emphasis"><em>nmblookup</em></span>
-<a class="indexterm" name="ch09-idx-953741-0"></a>
-<a class="indexterm" name="ch09-idx-953741-1"></a> again with a <code class="literal">-d</code> option (debug level) of 2 and a parameter of <code class="literal">'*'</code> again. This time we are testing the ability of programs (such as <span class="emphasis"><em>nmbd</em></span> ) to use broadcast. It's essentially a connectivity test, done via a broadcast to the default broadcast address.</p><p>A number of NetBIOS/TCP-IP hosts on the network should respond with "got a positive name query response" messages. Samba may not catch all of the responses in the short time it listens, so you won't always see all the SMB clients on the network. However, you should see most of them:</p><pre class="programlisting">server% <span class="bold"><strong>nmblookup -d 2 '*'</strong></span>
-Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending queries to 192.168.236.255 
-Got a positive name query response from 192.168.236.191 (192.168.236.191) 
-Got a positive name query response from 192.168.236.228 (192.168.236.228) 
-Got a positive name query response from 192.168.236.75 (192.168.236.75) 
-Got a positive name query response from 192.168.236.79 (192.168.236.79) 
-Got a positive name query response from 192.168.236.206 (192.168.236.206) 
-Got a positive name query response from 192.168.236.207 (192.168.236.207) 
-Got a positive name query response from 192.168.236.217 (192.168.236.217) 
-Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</pre><p>However:</p><div class="itemizedlist"><ul type="disc"><li><p>If this doesn't give at least the client address you previously tested, the default broadcast address is wrong. Try <code class="literal">nmblookup</code> <code class="literal">-B</code> <code class="literal">255.255.255.255</code> <code class="literal">-d</code> <code class="literal">2</code> <code class="literal">'*'</code>, which is a last-ditch variant (a broadcast address of all ones). If this draws responses, the broadcast address you've been using before is wrong. Troubleshooting these is discussed in the <a href="#ch09-45060" title="Broadcast addresses">Section 9.2.9.2</a>, later in this chapter.</p></li><li><p>If the address 255.255.255.255 fails too, check your notes to see if your PC and server are on different subnets, as discovered in <a href="#ch09-84079" title="Testing connections with ping">Section 9.2.2.4</a>." You should try to diagnose this with a server and client on the same subnet, but if you can't, you can try specifying the remote subnet's broadcast address with <code class="literal">-B</code>. Finding that address is discussed in the same place as troubleshooting broadcast addresses, in <a href="#ch09-45060" title="Broadcast addresses">Section 9.2.9.2</a>s," later in this chapter. The <code class="literal">-B</code> option will work if your router supports directed broadcasts; if it doesn't, you may be forced to test with a client on the same network.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.6.5"></a>Testing client browsing with net view</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953742-0"></a>On the client, run the command <em class="replaceable"><code>net view \\server</code></em> in a DOS window to see if you can connect to the client and ask what shares it provides. You should get back a list of available shares on the server, as shown in <a href="#ch09-83710" title="Figure 9.4. Using the net view command">Figure 9.4</a>.</p><div class="figure"><a name="ch09-83710"></a><p class="title"><b>Figure 9.4. Using the net view command</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 206px"><td><img src="figs/sam.0904.gif" height="206" alt="Using the net view command"></td></tr></table></div></div></div><br class="figure-break"><p>If you received this, continue with <a href="#ch09-21713" title="Other Things that Fail">Section 9.2.7</a>."</p><div class="itemizedlist"><ul type="disc"><li><p>If you get "Network name not found" for the name you just tested in  <a href="#ch09-32122" title="Testing the client with nmblookup">Section 9.2.6.3</a>," there is a problem with the client software itself. Double-check this by running <span class="emphasis"><em>nmblookup</em></span> on the client; if it works and NET VIEW doesn't, the client is at fault.</p></li><li><p>Of course, if <span class="emphasis"><em>nmblookup</em></span> fails, there is a NetBIOS nameservice problem, as discussed in <a href="#ch09-35552" title="Troubleshooting NetBIOS Names">Section 9.2.10</a>."</p></li><li><p>If you get "You do not have the necessary access rights," or "This server is not configured to list shared resources," either your guest account is misconfigured (see <a href="#ch09-40595" title="Testing locally with smbclient">Section 9.2.5.2</a>), or you have a <code class="literal">hosts</code> <code class="literal">allow</code> or <code class="literal">hosts</code> <code class="literal">deny</code> line that prohibits connections from your machine. These problems should have been detected by the <span class="emphasis"><em>smbclient</em></span> tests starting in <a href="#ch09-96207" title="Testing browsing with smbclient">Section 9.2.6.1</a>."</p></li><li><p>If you get "The specified computer is not receiving requests," you have misspelled the name, the machine is unreachable by broadcast (tested in "Testing the network with nmblookup"), or it's not running <span class="emphasis"><em>nmbd</em></span>.</p></li><li><p>If you get "Bad password error," you're probably encountering the Microsoft-encrypted password problem, as discussed in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>, with its corrections.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.6.6"></a>Browsing the server from the client</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953743-0"></a>From the Network Neighborhood (File Manager in older releases), try to browse the server. Your Samba server should appear in the browse list of your local workgroup. You should be able to double click on the name of the server and get a list of shares, as illustrated in <a href="#ch09-60004" title="Figure 9.5. List of shares on a server">Figure 9.5</a>.</p><div class="figure"><a name="ch09-60004"></a><p class="title"><b>Figure 9.5. List of shares on a server</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 202px"><td><img src="figs/sam.0905.gif" height="202" alt="List of shares on a server"></td></tr></table></div></div></div><br class="figure-break"><div class="itemizedlist"><ul type="disc"><li><p>If you get an "Invalid password" error with NT 4.0, NT 3.5 with Patch 3, Windows 95 with Patch 3, Windows 98 or any of these with Internet Explorer 4.0, it's most likely the encryption problem again. All of these clients default to using Microsoft encryption for passwords (see <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>).</p></li><li><p>If you receive an "Unable to browse the network" error, one of the following has ocurred:</p><div class="itemizedlist"><ul type="circle"><li><p>You have looked too soon, before the broadcasts and updates have completed; try waiting 30 seconds before re-attempting.</p></li><li><p>There is a network problem you've not yet diagnosed.</p></li><li><p>There is no browse master. Add the configuration option <code class="literal">local</code> <code class="literal">master</code> <code class="literal">=</code> <code class="literal">yes</code> to your <span class="emphasis"><em>smb.conf</em></span> file.</p></li><li><p>No shares are marked <code class="literal">browsable</code> in the <span class="emphasis"><em>smb.conf</em></span> file.</p></li></ul></div></li><li><p>If you receive the message "\\server is not accessible," then:</p><div class="itemizedlist"><ul type="circle"><li><p> You have the encrypted password problem</p></li><li><p> The machine really isn't accessible</p></li><li><p> The machine doesn't support browsing<a class="indexterm" name="ch09-idx-953589-0"></a></p></li></ul></div></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-21713"></a>Other Things that Fail </h3></div></div></div><p>If you've made it here, either the problem is solved or it's not one we've seen. The next sections cover troubleshooting tasks that are required to have the infrastructure to run Samba, not Samba itself.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.7.1"></a>Not logging on</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953594-0"></a>An occasional problem is forgetting to log in to the client or logging in as a wrong (account-less) person. The former is not diagnosed at all: Windows tries to be friendly and lets you on. Locally! The only warning of the latter is that Windows welcomes you and asks about your new account. Either of these leads to repeated refusals to connect and endless requests for passwords. If nothing else seems to work, try logging out or shutting down and logging in again.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-23768"></a>Troubleshooting Name Services</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953595-0"></a>This section looks at simple troubleshooting of all the name services that you will encounter, but only for the common problems that affect Samba.</p><p>There are several good references for troubleshooting particular name services: Paul Albitz and Cricket Liu's <span class="emphasis"><em>DNS and Bind</em></span> covers the Domain Name Service (DNS), Hal Stern's <span class="emphasis"><em>NFS and NIS</em></span> (both from O'Reilly) covers NIS ("Yellow pages") while WINS (Windows Internet Name Service), <code class="filename">hosts/LMHOSTS</code> files and NIS+ are best covered by their respective vendor's manuals.</p><p>The problems addressed in this section are:</p><div class="itemizedlist"><ul type="disc"><li><p>Identifying name services</p></li><li><p>A hostname can't be looked up</p></li><li><p>The long (FQDN) form of a hostname works but the short form doesn't</p></li><li><p>The short form of the name works, but the long form doesn't</p></li><li><p>A long delay ocurrs before the expected result</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.1"></a>Identifying what's in use</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953744-0"></a>First, see if both the server and the client are using DNS, WINS, NIS, or <code class="filename">hosts</code> files to look up IP addresses when you give them a name. Each kind of machine will have a different preference:</p><div class="itemizedlist"><ul type="disc"><li><p>Windows 95 and 98 machines will look in WINS and <code class="filename">LMHOSTS</code> files first, then broadcast, and finally try DNS and <code class="filename">hosts</code> files.</p></li><li><p>NT will look in WINS, then broadcast, LMHOSTS files, and finally <code class="filename">hosts</code> and DNS.</p></li><li><p>Windows programs using the WINSOCK standard (like PC-NFSs) will use hosts files, DNS, WINS, and then broadcast. Don't assume that if a different program's name service works, the SMB client program's name service will!</p></li><li><p>Samba daemons will use <code class="filename">LMHOSTS</code>, WINS, the Unix host's preference, and then broadcast.</p></li><li><p>Unix hosts can be configured to use any combination of DNS, <code class="filename">hosts</code> files, and NIS and NIS+, generally in any order.</p></li></ul></div><p>We recommend that the client machines be configured to use WINS and DNS, the Samba daemons to use WINS and DNS, and the Unix server to use DNS. You'll have to look at your notes and the actual machines to see which is in use.</p><p>On the clients, the name services are all set in the TCP/IP Properties panel of the Networking Control Panel, as discussed in <a href="#SAMBA-CH-3" title="Chapter 3. Configuring Windows Clients">Chapter 3</a>. You may need to check there to see what you've actually turned on. On the server, see if an <code class="filename">/etc/resolv.conf</code> file exists. If it does, you're using DNS. You may be using the others as well, though. You'll need to check for NIS and combinations of services.</p><p>Check for an <code class="filename">/etc/nsswitch.conf</code> file on Solaris and other System V Unix operating systems. If you have one, look for a line that begins <code class="literal">host</code>:, followed by one or more of <code class="literal">files</code>, <code class="literal">bind</code>, <code class="literal">nis</code> or <code class="literal">nis+</code>. These are the name services to use, in order, with optional extra material in square brackets. <span class="emphasis"><em>files</em></span> stands for using <span class="emphasis"><em>hosts</em></span> files, while <span class="emphasis"><em>bind</em></span> (the Berkeley Internet Name Daemon) stands for using DNS.</p><p>If the client and server differ, the first thing to do is to get them in sync. Clients can only use only DNS, WINS, <span class="emphasis"><em>hosts</em></span> files and <span class="emphasis"><em>lmhosts</em></span> files, not NIS or NIS+. Servers can use <span class="emphasis"><em>hosts</em></span> files, DNS, and NIS or NIS+, but not WINS&#8212;even if your Samba server provides WINS services. If you can't get all the systems to use the same services, you'll have to carefully check the server and the client for the same data.</p><p>Samba 2.0 (and late 1.9 versions) added a <code class="literal">-R</code><code class="option"> </code>(resolve order) option to <span class="emphasis"><em>smbclient</em></span>. If you want to troubleshoot WINS, for example, you'd say:</p><pre class="programlisting">smbclient -L <em class="replaceable"><code>server</code></em> -R wins</pre><p>The possible settings are <code class="literal">hosts</code> (which means whatever the Unix machine is using, not just<code class="filename"> /etc/hosts</code> files), <code class="literal">lmhosts</code>, <code class="literal">wins</code> and <code class="literal">bcast</code> (broadcast).</p><p>In the following sections, we use the term <span class="emphasis"><em>long name</em></span> for a fully-qualified domain name (FQDN), like <code class="literal">server.example.com </code>, and the term <span class="emphasis"><em>short name</em></span> for the host part of a FQDN, like <code class="literal">server</code>.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.2"></a>Cannot look up hostnames</h4></div></div></div><p> <a class="indexterm" name="ch09-idx-953745-0"></a>Try the following:</p><div class="itemizedlist"><ul type="disc"><li><p>In DNS:</p><p>Run <code class="literal">nslookup</code> <em class="replaceable"><code>name</code></em>. If this fails, look for a <code class="filename">resolv.conf</code> error, a downed DNS server, or a short/long name problem (see the next section). Try the following:</p><div class="itemizedlist"><ul type="circle"><li><p>Your <code class="filename">/etc/resolv.conf</code> should contain one or more name-server lines, each with an IP address. These are the addresses of your DNS servers.</p></li><li><p>ping each of the server addresses you find. If this fails for one, suspect the machine. If it fails for each, suspect your network.</p></li><li><p>Retry the lookup using the full domain name (e.g., <span class="emphasis"><em>server.example.com</em></span>) if you tried the short name first, or the short name if you tried the long name first. If results differ, skip to the next section.</p></li></ul></div></li><li><p>In Broadcast/ WINS:</p><p>Broadcast/ WINS does only short names such as <code class="literal">server</code>, (not long ones, such as <code class="literal">server.example.com)</code>. Run <code class="literal">nmblookup</code> <code class="literal">-S</code> <em class="replaceable"><code>server</code></em>.<em class="replaceable"><code> </code></em>This reports everything broadcast has registered for the name. In our example, it looks like this:</p></li></ul></div><pre class="programlisting">Looking up status of 192.168.236.86
-received 10 names
-        SERVER           &lt;00&gt; -         M &lt;ACTIVE&gt; 
-        SERVER           &lt;03&gt; -         M &lt;ACTIVE&gt; 
-        SERVER           &lt;1f&gt; -         M &lt;ACTIVE&gt; 
-        SERVER           &lt;20&gt; -         M &lt;ACTIVE&gt; 
-        .._ _MSBROWSE_ _.&lt;01&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt; 
-        MYGROUP          &lt;00&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt; 
-        MYGROUP          &lt;1b&gt; -         M &lt;ACTIVE&gt; 
-        MYGROUP          &lt;1c&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt; 
-        MYGROUP          &lt;1d&gt; -         M &lt;ACTIVE&gt; 
-        MYGROUP          &lt;1e&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;</pre><div class="itemizedlist"><ul type="disc"><li><p>
-The required entry is <code class="literal">SERVER</code> <code class="literal">&lt;00&gt;</code>, which identifies <em class="replaceable"><code>server</code></em> as being this machine's NetBIOS name. You should also see your workgroup mentioned one or more times. If these lines are missing, Broadcast/WINS cannot look up names and will need attention.</p></li></ul></div><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>The numbers in angle brackets in the previous output identify NetBIOS names as being workgroups, workstations, and file users of the messenger service, master browsers, domain master browsers, domain controllers and a plethora of others. We primarily use <code class="literal">&lt;00&gt;</code> to identify machine and workgroup names and <code class="literal">&lt;20&gt;</code> to identify machines as servers. The complete list is available at <code class="systemitem">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</code>.</p></div><div class="itemizedlist"><ul type="disc"><li><p>In NIS:</p><p>Try <code class="literal">ypmatch</code> <code class="literal">name</code> <code class="literal">hosts</code>. If this fails, NIS is down. Find out the NIS server's name by running <span class="emphasis"><em>ypwhich</em></span>, and ping the machine it to see if it's accessible.</p></li><li><p>In NIS+:</p><p>If you're running NIS+, try <code class="literal">nismatch</code> <code class="literal">name</code> <code class="literal">hosts</code>. If this fails, NIS is down. Find out the NIS server's name by running <span class="emphasis"><em>niswhich</em></span>, and ping that machine to see if it's accessible.</p></li><li><p>In <code class="filename">hosts</code> files:</p><p>Inspect <code class="filename">/etc/hosts</code> on the client (<code class="literal">C:\WINDOWS\HOSTS</code>). Each line should have an IP number and one or more names, the primary name first, then any optional aliases. An example follows:</p></li></ul></div><pre class="programlisting">127.0.0.1         localhost
-        192.168.236.1     dns.svc.example.com 
-        192.168.236.10    client.example.com client 
-        192.168.236.11    backup.example.com loghost 
-        192.168.236.86    server.example.com server 
-        192.168.236.254   router.svc.example.com</pre><div class="itemizedlist"><ul type="disc"><li><p>
-On Unix, <code class="literal">localhost</code> should always be 127.0.0.1, although it may be just an alias for a hostname on the PC. On the client, check that there are no <code class="literal">#XXX</code> directives at the ends of the lines; these are LAN Manager/NetBIOS directives, and should appear only in <span class="emphasis"><em>LMHOSTS</em></span> files (<code class="literal">C:\WINDOWS\LMHOSTS</code>).</p></li><li><p>In <span class="emphasis"><em>LMHOSTS</em></span> files:</p><p>This file is a local source for LAN Manager (NetBIOS) names. It has a format very similar to <code class="filename">/etc/hosts</code> files, but does not support long-form domain names (e.g., <code class="literal">server.example.com</code>), and may have a number of optional <code class="literal">#XXX</code> directives following the names. Note there usually is a <span class="emphasis"><em>lmhosts.sam</em></span> (for sample) file in <code class="literal">C:\WINDOWS</code>, but it's not used unless renamed to <code class="literal">C:\WINDOWS\LMHOSTS</code>.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.3"></a>Long and short hostnames</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953754-0"></a>Where the long (FQDN) form of a hostname works but the short name doesn't (for example, <code class="literal">client.example.com</code> works but <code class="literal">client</code> doesn't), consider the following:</p><div class="itemizedlist"><ul type="disc"><li><p>DNS:</p><p>This usually indicates there is no default domain in which to look up the short names. Look for a <code class="literal">default</code> line in <code class="filename">/etc/resolv.conf</code> on the Samba server with your domain in it, or a <code class="literal">search</code> line with one or more domains in it. One or the other may need to be present to make short names usable; which one depends on vendor and version of the DNS resolver. Try adding <code class="literal">domain</code> <em class="replaceable"><code>your domain</code></em> to <code class="filename">resolv.conf</code> and ask your network or DNS administrator what should have been in the file.</p></li><li><p>Broadcast/WINS:</p><p>Broadcast/WINS doesn't support long names; it won't suffer from this problem.</p></li><li><p>NIS:</p><p>Try the command <code class="literal">ypmatch</code> <code class="literal">hostname</code> <code class="literal">hosts</code>. If you don't get a match, your tables don't include short names. Speak to your network manager; short names may be missing by accident, or may be unsupported as a matter of policy. Some sites don't ever use (ambiguous) short names.</p></li><li><p>NIS+ :</p><p>Try <code class="literal">nismatch</code> <em class="replaceable"><code>hostname</code></em> <code class="literal">hosts</code>, and treat failure exactly as with NIS above.</p></li><li><p><span class="emphasis"><em>hosts:</em></span></p><p>If the short name is not in <code class="filename">/etc/hosts</code>, consider adding it as an alias. Avoid, if you can, short names as primary names (the first one on a line). Have them as aliases if your system permits.</p></li><li><p><code class="filename">LMHOSTS</code>:</p><p>LAN Manager doesn't support long names, so it won't suffer from this problem.</p></li></ul></div><p>On the other hand, if the short form of the name works and the long doesn't, consider the following:</p><div class="itemizedlist"><ul type="disc"><li><p>DNS:</p><p>This is bizarre; see your network or DNS administrator, as this is probably a DNS setup bug.</p></li><li><p>Broadcast/WINS:</p><p>This is a normal bug; Broadcast/WINS can't use the long form. Optionally, consider DNS. Microsoft has stated that they will switch to DNS, though it's not providing name types like &lt;00&gt;.</p></li><li><p>NIS:</p><p>If you can use <code class="literal">ypmatch</code> to look up the short form but not the long, consider adding the long form to the table as at least an alias.</p></li><li><p>NIS+:</p><p>Same as NIS, except you use <code class="literal">nismatch</code> instead of <code class="literal">ypmatch</code> to look up names.</p></li><li><p><code class="filename">hosts:</code></p><p>Add the long name as at least an alias, and preferably as the primary form. Also consider using DNS if it's practical.</p></li><li><p><code class="filename">LMHOSTS</code>:</p><p>This is a normal bug. LAN Manager can't use the long form; consider switching to DNS or <code class="filename">hosts</code>.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.4"></a>Unusual delays</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953755-0"></a>When there is a long delay before the expected result:</p><div class="itemizedlist"><ul type="disc"><li><p>DNS:</p><p>Test the same name with the <span><strong class="command">nslookup</strong></span> command on the machine (client or server) that is slow. If <span><strong class="command">nslookup</strong></span> is also slow, you have a DNS problem. If it's slower on a client, you have too many protocols bound to the Ethernet card. Eliminate NetBEUI, which is infamously slow, and optionally, Novel, assuming you don't need them. This is especially important on Windows 95, which is particularly sensitive to excess protocols.</p></li><li><p>Broadcast/ WINS:</p><p>Test the client using <code class="literal">nmblookup</code>, and if it's faster, you probably have the protocols problem as  mentioned in the previous item.</p></li><li><p>NIS:</p><p>Try <code class="literal">ypmatch</code>, and if it's slow, report the problem to your network manager.</p></li><li><p>NIS+:</p><p>Try <code class="literal">nismatch</code>, similarly.</p></li><li><p><span class="emphasis"><em>hosts</em></span>:</p><p><span class="emphasis"><em>hosts</em></span> files, if of reasonable size, are always fast. You probably have the protocols problem mentioned under DNS, above.</p></li><li><p><span class="emphasis"><em>LMHOSTS</em></span>:</p><p>This is not a name lookup problem; <span class="emphasis"><em>LMHOSTS</em></span> files are as fast as <span class="emphasis"><em>hosts</em></span> files.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.8.5"></a>Localhost issues</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953756-0"></a>When a localhost isn't 127.0.0.1, try the following:</p><div class="itemizedlist"><ul type="disc"><li><p>DNS:</p><p>There is probably no record for <code class="literal">localhost.</code> <code class="literal">A</code> <code class="literal">127.0.0.1</code>. Arrange to add one, and a reverse entry, <code class="literal">1.0.0.127.IN-ADDR.ARPA</code> <code class="literal">PTR</code> <code class="literal">127.0.0.1</code>.</p></li><li><p>Broadcast/WINS:</p><p>Not applicable.</p></li><li><p>NIS:</p><p>If <code class="literal">localhost</code> isn't in the table, add it.</p></li><li><p>NIS+:</p><p>If <code class="literal">localhost</code> isn't in the table, add it.</p></li><li><p><code class="filename">hosts:</code></p><p>Add a line is the <span class="emphasis"><em>hosts</em></span> file that says <code class="literal">127.0.0.1</code> <code class="literal">localhost</code></p></li><li><p><code class="filename">LMHOSTS</code>:</p><p>Not applicable.<a class="indexterm" name="ch09-idx-953603-0"></a></p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-2.9"></a>Troubleshooting Network Addresses</h3></div></div></div><p>A number of common problems are caused by incorrect Internet address routing or the incorrect assignment of addresses. This section helps you determine what your addresses are.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-21203"></a>Netmasks</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953973-0"></a>
-<a class="indexterm" name="ch09-idx-953973-1"></a>
-<a class="indexterm" name="ch09-idx-953973-2"></a>The <a class="indexterm" name="ch09-idx-953974-0"></a>netmasks tell each machine which addresses can be reached directly (are on your local network) and which addresses require forwarding packets through a router. If the netmask is wrong, the machines will make one of two mistakes. One is to try to route local packets via a router, which is an expensive way to waste time&#8212;it may work reasonably fast, it may run slowly, or it may fail utterly. The second mistake is to fail to send packets for a remote machine to the router, which will prevent them from being forwarded to the remote machine.</p><p>The netmask is a number like an IP address, with one-bits for the network part of an address and zero-bits for the host portion. The netmask is literally used to mask off parts of the address inside the TCP/IP code. If the mask is 255.255.0.0, the first 2 bytes are the network part and the last 2 are the host part. More common is 255.255.255.0, in which the first 3 bytes are the network part and the last one is the host part.</p><p>For example, let's say your IP address is 192.168.0.10 and the Samba server is 192.168.236.86. If your netmask happens to be 255.255.255.0, the network part of the addresses is the first 3 bytes and the host part is the last byte. In this case, the network parts are different, and the machines are on different networks:</p><div class="informaltable"><table border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Network Part</p></th><th><p>Host Part</p></th></tr></thead><tbody><tr><td><p>192 168 000</p></td><td><p>10</p></td></tr><tr><td><p>192 168 235</p></td><td><p>86</p></td></tr></tbody></table></div><p>If your netmask happens to be 255.255.0.0, the network part is just the first two bytes. In this case, the network parts match and so the two machines are on the same network:</p><div class="informaltable"><table border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Network Part</p></th><th><p>Host Part</p></th></tr></thead><tbody><tr><td><p>192 168</p></td><td><p>000 10</p></td></tr><tr><td><p>192 168</p></td><td><p>236 86</p></td></tr></tbody></table></div><p>Of course, if your netmask says one thing and your network manager says another, the netmask is wrong.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-45060"></a>Broadcast addresses</h4></div></div></div><p>The <a class="indexterm" name="ch09-idx-953758-0"></a>broadcast address is a normal address, with the hosts part all one-bits. It means "all hosts on your network." You can compute it easily from your netmask and address: take the address and put one-bits in it for all the bits that are zero at the end of the netmask (the host part). The following table illustrates this:</p><div class="informaltable"><table border="1"><colgroup><col><col><col></colgroup><thead><tr><th> </th><th><p>Network Part</p></th><th><p>Host Part</p></th></tr></thead><tbody><tr><td><p><span class="bold"><strong>IP address</strong></span></p></td><td><p>192 168 236</p></td><td><p>86</p></td></tr><tr><td><p><span class="bold"><strong>Netmask</strong></span></p></td><td><p>255 255 255</p></td><td><p>000</p></td></tr><tr><td><p><span class="bold"><strong>Broadcast</strong></span></p></td><td><p>192 168 236</p></td><td><p>255</p></td></tr></tbody></table></div><p>In this example, the broadcast address on the 192.168.236 network is 192.168.236.255. There is also an old "universal" broadcast address, 255.255.255.255. Routers are prohibited from forwarding these, but most machines on your local network will respond to broadcasts to this address.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.9.3"></a>Network address ranges</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953762-0"></a>A number of address ranges have been reserved for testing and for non-connected networks; we use one of these for the book. If you don't have an address yet, feel free to use one of these to start with. They include one class A (large) network, 10.*.*.*, and 254 class C (smaller) networks, 192.168.1.* through to 192.168.254.*. In this book we use one of the latter, 192.168.236.*. The domain <code class="filename">example.com</code> is also reserved for unconnected networks, explanatory examples, and books.</p><p>If you're actually connecting to the Internet, you'll need to get a real network and a domain name, probably through the same company that provides your connection.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch09-SECT-2.9.4"></a>Finding your network address</h4></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953761-0"></a>If you haven't recorded your IP address, it will be displayed by the <span><strong class="command">ifconfig</strong></span> command on Unix or by the IPCONFIG command on Windows 95 and NT. (Check your manual pages for any options required by your brand of Unix: Sun wants <code class="literal">ifconfig</code> <code class="literal">-a</code>). You should see output similar to the following:</p><pre class="programlisting">server% ifconfig -a 
-le0: flags=63&lt;UP,BROADCAST,NOTRAILERS,RUNNING &gt; 
-      inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255 
-lo0: flags=49&lt;&amp;lt&gt;UP,LOOPBACK,RUNNING&lt;&amp;gt&gt; 		
-      inet 127.0.0.1 netmask ff000000</pre><p>One of the interfaces will be loopback (in our examples <code class="literal">lo0</code>), and the other will be the regular IP interface. The flags should show that the interface is running, and Ethernet interfaces will also say they support broadcasts (PPP interfaces don't). The other places to look for IP addresses are <code class="filename">/etc/hosts</code> files, Windows <span class="emphasis"><em>HOSTS</em></span> files, Windows <span class="emphasis"><em>LMHOSTS</em></span> files, NIS, NIS+ and DNS.<a class="indexterm" name="ch09-idx-953611-0"></a>
-<a class="indexterm" name="ch09-idx-953611-1"></a>
-<a class="indexterm" name="ch09-idx-953611-2"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-35552"></a>Troubleshooting NetBIOS Names</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953616-0"></a>Historically, SMB protocols have depended on the NetBIOS name system, also called the LAN Manager name system. This was a simple scheme where each machine had a unique 20-character name and broadcast it on the LAN for everyone to know. With TCP/IP, we tend to use names like <span class="emphasis"><em>client.example.com</em></span> stored in <code class="filename">/etc/hosts</code> files, through DNS or WINS.</p><p>The usual mapping to domain names such as <span class="emphasis"><em>server.example.com</em></span> simply uses the <span class="emphasis"><em>server</em></span> part as the NetBIOS name and converts it to uppercase. Alas, this doesn't always work, especially if you have a machine with a 21-character name; not everyone uses the same NetBIOS and DNS names. For example, <span class="emphasis"><em>corpvm1</em></span> along with <span class="emphasis"><em>vm1.corp.com</em></span> is not unusual.</p><p>A machine with a different NetBIOS name and domain name is confusing when you're troubleshooting; we recommend that you try to avoid this wherever possible. NetBIOS names are discoverable with <span class="emphasis"><em>smbclient</em></span> :</p><div class="itemizedlist"><ul type="disc"><li><p>If you can list shares on your Samba server with <span class="emphasis"><em>smbclient</em></span> and a <code class="literal">-L</code> option (list shares) of <em class="replaceable"><code>short_name_of_server</code></em>, the short name is the NetBIOS name.</p></li><li><p>If you get "Get_Hostbyname: Unknown host name," there is probably a mismatch. Check in the <code class="filename">smb.conf</code> file to see if the NetBIOS name is explicitly set.</p></li><li><p>Try again, specifying <code class="literal">-I</code> and the IP address of the Samba server (e.g., <code class="literal">smbclient</code> <code class="literal">-L</code> <code class="literal">server</code> <code class="literal">-I</code> <code class="literal">192.168.236.86</code>). This overrides the name lookup and forces the packets to go to the IP address. If this works, there was a mismatch.</p></li><li><p>Try with <code class="literal">-I</code> and the full domain name of the server (e.g., <code class="literal">smbclient</code> <code class="literal">-L</code> <code class="literal">server</code> <code class="literal">-I</code> <code class="literal">server.example.com</code>). This tests the lookup of the domain name, using whatever scheme the Samba server uses (e.g., DNS). If it fails, you have a name service problem. You should reread <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a> after you finish troubleshooting the NetBIOS names.</p></li><li><p>Try with <code class="literal">-n</code> (NetBIOS name) and the name you expect to work (e.g., <code class="literal">smbclient</code> <code class="literal">-n</code> <code class="literal">server</code> <code class="literal">-L</code> <code class="literal">server-12</code>) but without overriding the IP address through <code class="literal">-I</code>. If this works, the name you specified with <code class="literal">-n</code> is the actual NetBIOS name of the server. If you receive "Get-Hostbyname: Unknown host MARY," it's not the right server yet.</p></li><li><p>If nothing is working so far, repeat the tests specifying <code class="literal">-U</code> <em class="replaceable"><code>username</code></em> and <code class="literal">-W</code> <em class="replaceable"><code>workgroup</code></em>, with the username and workgroup in uppercase, to make sure you're not being derailed by a user or workgroup mismatch.</p></li><li><p>If nothing works still and you had evidence of a name service problem, troubleshoot name service in <a href="#ch09-23768" title="Troubleshooting Name Services">Section 9.2.8</a>," and then return to NetBIOS name<a class="indexterm" name="ch09-idx-953533-0"></a>
-<a class="indexterm" name="ch09-idx-953533-1"></a> service.<a class="indexterm" name="ch09-idx-953526-0"></a></p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch09-49719"></a>Extra Resources</h2></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953618-0"></a>
-<a class="indexterm" name="ch09-idx-953618-1"></a>At some point during your Samba career, you will want to turn to online or printed resources for news, updates, and aid.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.1"></a>Documentation and FAQs</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953626-0"></a>
-<a class="indexterm" name="ch09-idx-953626-1"></a>It's okay to read the documentation. Really. Nobody can see you, and we won't tell. In fact, Samba ships with a large set of documentation files, and it is well worth the effort to at least browse through them, either in the distribution directory on your computer under <code class="filename">/docs</code>, or online at the Samba web site: <a class="indexterm" name="ch09-idx-953628-0"></a>
-<a class="indexterm" name="ch09-idx-953628-1"></a><code class="systemitem">http://samba.anu.edu.au/samba/</code>. The most current FAQ list, bug information, and distribution locations are located at the web site, with links to all of the Samba manual pages and HOW-TOs.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.2"></a>Samba Newsgroups</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953634-0"></a>Usenet newsgroups have always been a great place to get advice on just about any topic. In the past few years, though, this vast pool of knowledge has developed something that has made it into an invaluable resource: a memory. Archival and search sites such as DejaNews (<code class="systemitem">http://www.dejanews.com</code>) have made sifting through years of valuable solutions on a topic as simple as a few mouse clicks.</p><p>The primary newsgroup for Samba is <span class="emphasis"><em>comp.protocols.smb</em></span>. This should always be your first stop when there's a problem. More often than not, spending five minutes researching an error here will save hours of frustration while trying to debug something yourself.</p><p>When searching a newsgroup, try to be as specific as possible, but not too wordy. Searching on actual error messages is best. If you don't find an answer immediately in the newsgroup, resist the temptation to post a request for help until you've done a bit more work on the problem. You may find that the answer is in a FAQ or one of the many documentation files that ships with Samba, or a solution might become evident when you run one of Samba's diagnostic tools. If nothing works, post a request in <span class="emphasis"><em>comp.protocols.smb</em></span>, and be as specific as possible about what you have tried and what you are seeing. Include any error messages that appear. It may be several days before you receive help, so be patient and keep trying things while you wait.</p><p>Once you post a request for help, keep poking at the problem yourself. Most of us have had the experience of posting a Usenet article containing hundreds of lines of intricate detail, only to solve the problem an hour later after the article has blazed its way across several continents. The rule of thumb goes something like this: the more folks who have read your request, the simpler the solution. Usually this means that once everyone in the Unix community has seen your article, the solution will be something simple like, "Plug the computer into the wall socket."</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.3"></a>Samba Mailing Lists</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953635-0"></a>The following are mailing lists for support with Samba. See the Samba homepage, <code class="systemitem">http://www.samba.org/</code> for information on subscribing and unsubscribing to these mailing lists:</p><div class="variablelist"><dl><dt><span class="term"><code class="email">&lt;<a href="mailto:samba-binaries@samba.org">samba-binaries@samba.org</a>&gt;</code></span></dt><dd><p>This mailing list has information on precompiled binaries for the Samba platform.</p></dd><dt><span class="term"><code class="email">&lt;<a href="mailto:samba-bugs@samba.org">samba-bugs@samba.org</a>&gt;</code></span></dt><dd><p>This mailing list is the place to report suspected bugs in Samba.</p></dd><dt><span class="term"><code class="email">&lt;<a href="mailto:samba-ntdom@samba.org">samba-ntdom@samba.org</a>&gt;</code></span></dt><dd><p>This mailing list has information on support for domains (particularly Windows NT) with the Samba product.</p></dd><dt><span class="term"><code class="email">&lt;<a href="mailto:samba-technical@samba.org">samba-technical@samba.org</a>&gt;</code></span></dt><dd><p>This mailing list maintains debate about where the future of Samba is headed.</p></dd><dt><span class="term"><code class="email">&lt;<a href="mailto:samba@samba.org">samba@samba.org</a>&gt;</code></span></dt><dd><p>This is the primary Samba mailing list that contains general questions and HOW-TO information on Samba.</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.4"></a>Samba Discussion Archives</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953640-0"></a>There is a search service for the primary Samba mailing list. At the time this book was written, it was listed under "searchable" in the Sources paragraph on the first page of the Samba site and its mirrors, <code class="systemitem">http://samba.anu.edu.au/listproc/ghindex.html</code>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch09-SECT-3.5"></a>Further Reading</h3></div></div></div><p>
-<a class="indexterm" name="ch09-idx-953645-0"></a>Hunt, Craig; <em class="citetitle">TCP/IP
-Network Administration: 2nd Edition</em>. Sebastopol, CA:
-O'Reilly and Associates, 1997 (ISBN 1-56592-322-7).</p><p>Hunt, Craig, and Robert Bruce Thompson; <em class="citetitle">Windows NT
-TCP/IP Network Administration</em>. Sebastopol, CA: O'Reilly
-and Associates, 1998 (ISBN 1-56592-377-4).</p><p>
-<a class="indexterm" name="ch09-idx-953646-0"></a>Albitz, Paul, and Cricket Liu;
-<em class="citetitle">DNS and Bind, 3rd Edition</em>. Sebastopol, CA:
-O'Reilly and Associates, 1998 (ISBN 1-56592-512-2).</p><p>
-<a class="indexterm" name="ch09-idx-953653-0"></a>
-<a class="indexterm" name="ch09-idx-953653-1"></a>
-<a class="indexterm" name="ch09-idx-953653-2"></a>
-<a class="indexterm" name="ch09-idx-953657-0"></a>Stern, Hal; <em class="citetitle">Managing NFS
-and NIS</em>. Sebastopol, CA: O'Reilly and Associates, 1991
-(ISBN 0-937175-75-7).<a class="indexterm" name="ch09-idx-953621-0"></a> <a class="indexterm" name="ch09-idx-953621-1"></a></p></div></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-A"></a>Appendix A. Configuring Samba with SSL</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#appa-SECT-1">A.1. About Certificates</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-1.1">A.1.1. What is a Certificate?</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-1.2">A.1.2. What is an X.509 certificate, technically?</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-1.3">A.1.3. What are the implications of this certificate structure?</a></span></dt></dl></dd><dt><span class="sect1"><a href="#appa-SECT-2">A.2. Requirements</a></span></dt><dt><span class="sect1"><a href="#appa-SECT-3">A.3. Installing SSLeay</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-3.1">A.3.1. Configuring SSLeay for Your System</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.2">A.3.2. Configuring Samba to use SSL</a></span></dt><dt><span class="sect2"><a href="#appa-62097">A.3.3. Becoming a Certificate Authority</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.4">A.3.4. Creating Certificates for Clients</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.5">A.3.5. Configuring the Samba Server</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-3.6">A.3.6. Testing with smbclient</a></span></dt></dl></dd><dt><span class="sect1"><a href="#appa-SECT-4">A.4. Setting Up SSL Proxy</a></span></dt><dt><span class="sect1"><a href="#appa-SECT-5">A.5. SSL Configuration Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appa-SECT-5.0.1">A.5.1. 
-ssl</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.2">A.5.2. 
-ssl hosts</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.3">A.5.3. 
-ssl hosts resign</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.4">A.5.4. 
-ssl CA certDir</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.5">A.5.5. 
-ssl CA certFile</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.6">A.5.6. 
-ssl server cert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.7">A.5.7. 
-ssl server key</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.8">A.5.8. 
-ssl client cert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.9">A.5.9. 
-ssl client key</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.10">A.5.10. 
-ssl require clientcert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.11">A.5.11. 
-ssl require servercert</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.12">A.5.12. 
-ssl ciphers</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.13">A.5.13. 
-ssl version</a></span></dt><dt><span class="sect2"><a href="#appa-SECT-5.0.14">A.5.14. 
-ssl compatibility</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="appa-idx-990325-0"></a>
-<a class="indexterm" name="appa-idx-990325-1"></a>This appendix describes how to set up Samba to use secure connections between the Samba server and its clients. The protocol used here is Netscape's Secure Sockets Layer (SSL). For this example, we will establish a secure connection between a Samba server and a Windows NT workstation.</p><p>Before we begin, we will assume that you are familiar with the fundamentals of public-key cryptography and X.509 certificates. If not, we highly recommend Bruce Schneier's <code class="filename">Applied Cryptography, 2nd Edition</code> (Wiley) as the premiere source for learning the many secret faces of cryptography.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you would like more information on Samba and SSL, be sure to look at the document <code class="filename">SSLeay.txt</code> in the <code class="filename">docs/textdocs</code> directory of the Samba distribution, which is the basis for this appendix.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-1"></a>About Certificates</h2></div></div></div><p>Here are a few quick questions and answers from the <code class="filename">SSLeay.txt</code> file in the Samba documentation, regarding the benefits of SSL and certificates. This text was written by Christian Starkjohann for the Samba projects.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-1.1"></a>What is a Certificate?</h3></div></div></div><p>A certificate is issued by an issuer, usually a <span class="emphasis"><em>Certification Authority</em></span> (CA), who confirms something by issuing the certificate. The subject of this confirmation depends on the CA's policy. CAs for secure web servers (used for shopping malls, etc.) usually attest only that the given public key belongs the given domain name. Company-wide CAs might attest that you are an employee of the company, that you have permissions to use a server, and so on.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-1.2"></a>What is an X.509 certificate, technically?</h3></div></div></div><p>Technically, the certificate is a block of data signed by the certificate issuer (the CA). The relevant fields are:</p><div class="itemizedlist"><ul type="disc"><li><p>
-Unique identifier (name) of the certificate issuer</p></li><li><p>Time range during which the certificate is valid</p></li><li><p>Unique identifier (name) of the certified object</p></li><li><p>Public key of the certified object</p></li><li><p>The issuer's signature over all the above</p></li></ul></div><p>If this certificate is to be verified, the verifier must have a table of the names and public keys of trusted CAs. For simplicity, these tables should list certificates issued by the respective CAs for themselves (self-signed certificates).</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-1.3"></a>What are the implications of this certificate structure?</h3></div></div></div><p>Four implications follow:</p><div class="itemizedlist"><ul type="disc"><li><p>Because the certificate contains the subjects's public key, the certificate and the private key together are all that is needed to encrypt and decrypt.</p></li><li><p>To verify certificates, you need the certificates of all CAs you trust.</p></li><li><p>The simplest form of a dummy-certificate is one that is signed by the subject.</p></li><li><p>A CA is needed. The client can't simply issue local certificates for servers it trusts because the server determines which certificate it presents.</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-2"></a>Requirements</h2></div></div></div><p>
-<a class="indexterm" name="appa-idx-990348-0"></a>
-<a class="indexterm" name="appa-idx-990348-1"></a>To set up SSL connections, you will need to download two programs in addition to Samba:</p><div class="variablelist"><dl><dt><span class="term">
-<a class="indexterm" name="appa-idx-990613-0"></a>SSLeay</span></dt><dd><p>Eric <a class="indexterm" name="appa-idx-990362-0"></a>Young's implementation of the Secure Socket's Layer (SSL) protocol as a series of Unix programming libraries</p></dd><dt><span class="term">
-<a class="indexterm" name="appa-idx-990357-0"></a>SSL Proxy</span></dt><dd><p>A freeware SSL application from Objective Development, which can be used to proxy a secure link on Unix or Windows NT platforms</p></dd></dl></div><p>These two products assist with the server and client side of the encrypted SSL connection. The SSLeay libraries are compiled and installed directly on the Unix system. SSL Proxy, on the other hand, can be downloaded and compiled (or downloaded in binary format) and located on the client side. If you intend to have a Windows NT client or a Samba client on the other end of the SSL connection, you will not require a special setup.</p><p>SSL Proxy, however, does not work on Windows 95/98 machines. Therefore, if you want to have a secure connection between a Samba server and Windows 95/98 client, you will need to place either a Unix server or a Windows NT machine on the same subnet with the Windows 9<span class="emphasis"><em>x</em></span> clients and route all network connections through the SSL-Proxy-enabled machine. See <a href="#appa-89929" title="Figure A.1. Two possible ways of proxying Windows 95/98 clients">Figure 1.1</a>.</p><div class="figure"><a name="appa-89929"></a><p class="title"><b>Figure A.1. Two possible ways of proxying Windows 95/98 clients</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 317px"><td><img src="figs/sam.aa01.gif" height="317" alt="Two possible ways of proxying Windows 95/98 clients"></td></tr></table></div></div></div><br class="figure-break"><p>For the purposes of this chapter, we will create a simple SSL connection between the Samba server and a Windows NT client. This configuration can be used to set up more complex networks at the administrator's discretion.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-3"></a>Installing SSLeay</h2></div></div></div><p>Samba uses the SSLeay package, written by Eric Young, to provide Secure Sockets Layer support on the server side. Because of U.S. export law, however, the SSLeay package cannot be shipped with Samba distributions that are based in the United States. For that reason, the Samba creators decided to leave it as a separate package entirely. You can download the SSLeay distribution from any of the following sites:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="systemitem">ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/</code></p></li><li><p><code class="systemitem">ftp://ftp.uni-mainz.de/pub/internet/security/ssl</code></p></li><li><p><code class="systemitem">ftp://ftp.cert.dfn.de/pub/tools/crypt/sslapps</code></p></li><li><p><code class="systemitem">ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.psy.uq.oz.au</code></p></li><li><p><code class="systemitem">ftp://ftp.sunet.se/ftp/pub/security/tools/crypt/ssleay</code></p></li></ul></div><p>The latest version as of this printing is 0.9.0b. Download it to the same server as the Samba distribution, then uncompress and untar it. You should be left with a directory entitled <code class="filename">SSLeay-0.9.0b</code>. After changing to that directory, you will need to configure and build the SSL encryption package in the same way that you did with Samba.</p><p>SSLeay uses a Perl-based <code class="filename">configure</code> script. This script modifies the Makefile that constructs the utilities and libraries of the SSLeay package. However, the default script is hardcoded to find Perl at <code class="filename">/usr/local/bin/perl</code>. You may need to change the <code class="filename">configure</code> script to point to the location of the Perl executable file on your Unix system. For example, you can type the following to locate the Perl executable:</p><pre class="programlisting"># <strong class="userinput"><code>which perl</code></strong>
-/usr/bin/perl</pre><p>Then modify the first line of the <code class="filename">configure</code> script to force it to use the correct Perl executable. For example, on our Red Hat Linux system:</p><pre class="programlisting">#!/usr/bin/perl
-#
-# see PROBLEMS for instructions on what sort of things to do
-# when tracking a bug -tjh
-...</pre><p>After that, you need to run the <code class="filename">configure</code> script by specifying a target platform for the distribution. This target platform can be any of the following:</p><pre class="programlisting">BC-16              BC-32              FreeBSD            NetBSD-m86
-NetBSD-sparc       NetBSD-x86         SINIX-N            VC-MSDOS
-VC-NT              VC-W31-16          VC-W31-32          VC-WIN16
-VC-WIN32           aix-cc             aix-gcc            alpha-cc
-alpha-gcc          alpha400-cc        cc                 cray-t90-cc
-debug              debug-irix-cc      debug-linux-elf    dgux-R3-gcc
-dgux-R4-gcc        dgux-R4-x86-gcc    dist               gcc
-hpux-cc            hpux-gcc           hpux-kr-cc         irix-cc
-irix-gcc           linux-aout         linux-elf          ncr-scde
-nextstep           purify             sco5-cc            solaris-sparc-cc
-solaris-sparc-gcc  solaris-sparc-sc4  solaris-usparc-sc4 solaris-x86-gcc
-sunos-cc           sunos-gcc          unixware-2.0       unixware</pre><p>For our system, we would enter the following:</p><pre class="programlisting"># <strong class="userinput"><code>./Configure linux-elf</code></strong>
-CC            =gcc
-CFLAG         =-DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer 
-EX_LIBS       =
-BN_MULW       =asm/bn86-elf.o
-DES_ENC       =asm/dx86-elf.o asm/yx86-elf.o
-BF_ENC        =asm/bx86-elf.o
-CAST_ENC      =asm/cx86-elf.o
-RC4_ENC       =asm/rx86-elf.o
-RC5_ENC       =asm/r586-elf.o
-MD5_OBJ_ASM   =asm/mx86-elf.o
-SHA1_OBJ_ASM  =asm/sx86-elf.o
-RMD160_OBJ_ASM=asm/rm86-elf.o
-THIRTY_TWO_BIT mode
-DES_PTR used
-DES_RISC1 used
-DES_UNROLL used
-BN_LLONG mode
-RC4_INDEX mode</pre><p>After the package has been configured, you can build it by typing <code class="literal">make</code>. If the build did not successfully complete, consult the documentation that comes with the distribution or the FAQ at <code class="systemitem">http://www.cryptsoft.com/ssleay/</code> for more information on what may have happened. If the build did complete, type <code class="literal">make</code> <code class="literal">install</code> to install the libraries on the system. Note that the makefile installs the package in <code class="filename">/usr/local/ssl</code> by default. If you decide to install it in another directory, remember the directory when configuring Samba to use SSL.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.1"></a>Configuring SSLeay for Your System</h3></div></div></div><p>The first thing you need to do is to set the <code class="literal">PATH</code> environment variable on your system to include the <code class="filename">/bin</code> directory of the SSL distribution. This can be done with the following statement:</p><pre class="programlisting">PATH=$PATH:/usr/local/ssl/bin</pre><p>That's the easy part. Following that, you will need to create a random series of characters that will be used to prime SSLeay's random number generator. The random number generator will be used to create key pairs for both the clients and the server. You can create this random series by filling a text file of a long series of random characters. For example, you can use your favorite editor to create a text file with random characters, or use this command and enter arbitrary characters at the standard input:</p><pre class="programlisting">cat &gt;/tmp/private.txt</pre><p>The Samba documentation recommends that you type characters for longer than a minute before interrupting the input stream by hitting Control-D. Try not to type only the characters that are under your fingers on the keyboard; throw in some symbols and numbers as well. Once you've completed the random file, you can prime the random number generator with the following command:</p><pre class="programlisting"># ssleay genrsa -rand /tmp/private.txt &gt;/dev/null
-2451 semi-random bytes loaded
-Generating RSA private key, 512 bit long modulus
-..+++++
-.................................+++++
-e is 65537 (0x10001)</pre><p>You can safely ignore the output of this command. After it has completed, remove the series of characters used to create the key because this could be used to recreate any private keys that were generated from this random number generator:</p><pre class="programlisting">rm -f /tmp/private.txt</pre><p>The result of this command is the hidden file .<span class="emphasis"><em>rnd</em></span>, which is stored in your home directory. SSLeay will use this file when creating key pairs in the future.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.2"></a>Configuring Samba to use SSL</h3></div></div></div><p>
-<a class="indexterm" name="appa-idx-990398-0"></a>At this point, you can compile Samba to use SSL. Recall that in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>, we said you have to first run the configure script, which initializes the makefile, before you compile Samba. In order to use SSL with Samba, you will need to reconfigure the makefile:</p><pre class="programlisting">./configure --with-ssl</pre><p>After that, you can compile Samba with the following commands:</p><pre class="programlisting"># <strong class="userinput"><code>make clean</code></strong>
-# <strong class="userinput"><code>make all</code></strong></pre><p>If you encounter an error that says the <code class="filename">smbd</code> executable is missing the file <code class="filename">ssl.h</code>, you probably didn't install SSLeay in the default directory. Use the configure option <code class="literal">--with-sslinc</code> to point to the base directory of the SSL distribution&#8212;in this case, the directory that contains <span class="emphasis"><em>include/ssl.h</em></span>.</p><p>On the other hand, if you have a clean compile, you're ready to move on to the next step: creating certificates.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-62097"></a>Becoming a Certificate Authority</h3></div></div></div><p><em class="firstterm"></em>
-<a class="indexterm" name="appa-idx-990405-0"></a>The SSL protocol requires the use of X.509 certificates in the protocol handshake to ensure that either one or both parties involved in the communication are indeed who they say they are. Certificates in real life, such as those use for SSL connections on public web sites, can cost in the arena of $300 a year. This is because the certificate must have a digital signature placed on it by a <em class="firstterm">certificate authority</em>. A certificate authority is an entity that vouches for the authenticity of a digital certificate by signing it with its own private key. This way, anyone who wishes to check the authenticity of the certificate can simply use the certificate authority's public key to check the signature.</p><p>You are allowed to use a public certificate authority with SSLeay. However, you don't have to. Instead, SSLeay will allow you to declare yourself a trusted certificate authority&#8212;specifying which clients you choose to trust and which clients you do not. In order to do this, you will need to perform several tasks with the SSLeay distribution.</p><p>The first thing you need to do is specify a secure location where the certificates of the clients and potentially the server will be stored. We have chosen <code class="filename">/etc/certificates</code> as our default. Execute the following commands as <code class="literal">root</code>:</p><pre class="programlisting"># <strong class="userinput"><code>cd /etc</code></strong>
-# <strong class="userinput"><code>mkdir certificates</code></strong>
-# <strong class="userinput"><code>chmod 700 certificates</code></strong></pre><p>Note that we shut out all access to users other than <code class="literal">root</code> for this directory. This is very important.</p><p>Next, you need to set up the SSLeay scripts and configuration files to use the certificates stored in this directory. In order to do this, first modify the <code class="filename">CA.sh</code> script located at <span class="emphasis"><em>/usr/local/ssl/bin/CA.sh</em></span> to specify the location of the directory you just created. Find the line that contains the following entry:</p><pre class="programlisting">CATOP=./demoCA</pre><p>Then change it to:</p><pre class="programlisting">CATOP=/etc/certificates</pre><p>Next, you need to modify the <span class="emphasis"><em>/usr/local/ssl/lib/ssleay.cnf</em></span> file to specify the same directory. Find the entry:</p><pre class="programlisting">[ CA_default ]
-dir     = ./demoCA             # Where everything is kept</pre><p>Then change it to:</p><pre class="programlisting">[ CA_default ]
-dir     =  /etc/certificates   # Where everything is kept</pre><p>Next, run the certificate authority setup script, <code class="filename">CA.sh</code>, in order to create the certificates. Be sure to do this as the same user that you used to prime the random number generator above:</p><pre class="programlisting">/usr/local/ssl/bin/CA.sh -newca
-mkdir: cannot make directory '/etc/certificates': File exists
-CA certificate filename (or enter to create)</pre><p>Press the Enter key to create a certificate for the CA. You should then see:</p><pre class="programlisting">Making CA certificate ...
-Using configuration from /usr/local/ssl/lib/ssleay.cnf
-Generating a 1024 bit RSA private key
-.............................+++++
-.....................+++++
-writing new private key to /etc/certificates/private/cakey.pem
-Enter PEM pass phrase:</pre><p>Enter a new pass phrase for your certificate. You will need to enter it twice correctly before SSLeay will accept it:</p><pre class="programlisting">Enter PEM pass phrase:
-Verifying password - Enter PEM pass phrase:</pre><p>Be sure to remember this pass phrase. You will need it to sign the client certificates in the future. Once SSLeay has accepted the pass phrase, it will continue on with a series of questions for each of the fields in the X509 certificate:</p><pre class="programlisting">You are about to be asked to enter information that will be
-incorporated into your certificate request.
-What you are about to enter is what is called a Distinguished
-Name or a DN.
-There are quite a few fields but you can leave some blank
-For some fields there will be a default value,
-If you enter '.', the field will be left blank.</pre><p>Fill out the remainder of the fields with information about your organization. For example, our certificate looks like this:</p><pre class="programlisting">Country Name (2 letter code) [AU]:<strong class="userinput"><code>US</code></strong>
-State or Province Name (full name) [Some-State]:<strong class="userinput"><code>California</code></strong>
-Locality Name (eg, city) []:<strong class="userinput"><code>Sebastopol</code></strong>
-Organization Name (eg, company) []:<strong class="userinput"><code>O'Reilly</code></strong>
-Organizational Unit Name (eg, section) []:<strong class="userinput"><code>Books</code></strong>
-Common Name (eg, YOUR name) []:<strong class="userinput"><code>John Doe</code></strong>
-Email Address []:<strong class="userinput"><code>doe@ora.com</code></strong></pre><p>After that, SSLeay will be configured as a certificate authority and can be used to sign certificates for client machines that will be connecting to the Samba server.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.4"></a>Creating Certificates for Clients</h3></div></div></div><p>It's simple to create a certificate for a client machine. First, you need to generate a public/private key pair for each entity, create a certificate request file, and then use <span class="emphasis"><em>SSLeay</em></span> to sign the file as a trusted authority.</p><p>For our example client <code class="literal">phoenix</code>, this boils down to three SSLeay commands. The first generates a key pair for the client and places it in the file <code class="filename">phoenix.key</code>. The private key will be encrypted, in this case using triple DES. Enter a pass phrase when requested below&#8212;you'll need it for the next step:</p><pre class="programlisting"># ssleay genrsa -des3 1024 &gt;phoenix.key
-1112 semi-random bytes loaded
-Generating RSA private key, 1024 bit long modulus
-........................................+++++
-.............+++++
-e is 65537 (0x10001)
-Enter PEM pass phrase:
-Verifying password - Enter PEM pass phrase:</pre><p>After that command has completed, type in the following command:</p><pre class="programlisting"># <strong class="userinput"><code>ssleay req -new -key phoenix.key -out phoenix-csr</code></strong>
-Enter PEM pass phrase:</pre><p>Enter the pass phrase for the client certificate you just created (not the certificate authority). At this point, you will need to answer the questionnaire again, this time for the client machine. In addition, you must type in a challenge password and an optional company name&#8212;those do not matter here. When the command completes, you will have a certificate request in the file <span class="emphasis"><em>phoenix-csr.</em></span></p><p>Then, you must sign the certificate request as the trusted certificate authority. Type in the following command:</p><pre class="programlisting"># <strong class="userinput"><code>ssleay ca -days 1000 -inflies phoenix-csr &gt;phoenix.pem</code></strong></pre><p>This command will prompt you to enter the PEM pass phrase of the <span class="emphasis"><em>certificate authority</em></span>. Be sure that you do not enter the PEM pass phrase of the client certificate that you just created. After entering the correct pass phrase, you should see the following:</p><pre class="programlisting">Check that the request matches the signature
-Signature ok
-The Subjects Distinguished Name is as follows:
-...</pre><p>This will be followed by the information that you just entered for the client certificate. If there is an error in the fields, the program will notify you. On the other hand, if everything is fine, SSLeay will confirm that it should sign the certificate and commit it to the database. This adds a record of the certificate to the <code class="filename">/etc/certificates/newcerts</code> directory.</p><p>The operative files at the end of this exercise are the <span class="emphasis"><em>phoenix.key</em></span> and <span class="emphasis"><em>phoenix.pem</em></span> files, which reside in the current directory. These files will be passed off to the client with whom the SSL-enabled Samba server will interact, and will be used by SSL Proxy.<em class="firstterm"></em>
-<a class="indexterm" name="appa-idx-990421-0"></a></p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.5"></a>Configuring the Samba Server</h3></div></div></div><p>The next step is to modify the Samba configuration file to include the following setup options. These options assume that you created the certificates directory for the certificate authority at <code class="filename">/etc/certificates </code>:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl server cert = /etc/certificates/cacert.pem
-	ssl server key = /etc/certificates/private/cakey.pem
-	ssl CA certDir = /etc/certificates</pre><p>At this point, you will need to kill the Samba daemons and restart them manually:</p><pre class="programlisting"># <strong class="userinput"><code>nmbd -D</code></strong>
-# <strong class="userinput"><code>smbd -D</code></strong>
-Enter PEM pass phrase:</pre><p>You will need to enter the PEM pass phrase of the certificate authority to start up the Samba daemons. Note that this may present a problem in terms of starting the program using ordinary means. However, you can get around this using advanced scripting languages, such as Expect or Python.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-3.6"></a>Testing with smbclient</h3></div></div></div><p>A good way to test whether Samba is working properly is to use the <span class="emphasis"><em>smbclient</em></span> program. On the Samba server, enter the following command, substituting the appropriate share and user for a connection:</p><pre class="programlisting"># <strong class="userinput"><code>smbclient //hydra/data -U tom</code></strong></pre><p>You should see several debugging statements followed by a line indicating the negotiated cipher, such as:</p><pre class="programlisting">SSL: negotiated cipher: DES-CBC3-SHA</pre><p>After that, you can enter your password and connect to the share normally. If this works, you can be sure that Samba is correctly supporting SSL connections. Now, on to the client setup. <a class="indexterm" name="appa-idx-990386-0"></a></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-4"></a>Setting Up SSL Proxy</h2></div></div></div><p>The <a class="indexterm" name="appa-idx-990393-0"></a>SSL Proxy program is available as a standalone binary or as source code. You can download it from <code class="systemitem">http://obdev.at/Products/sslproxy.html</code>.</p><p>Once it is downloaded, you can configure and compile it like Samba. We will configure it on a Windows NT system. However, setting it up for a Unix system involves a nearly identical series of steps. Be sure that you are the superuser (administrator) for the next series of steps.</p><p>If you downloaded the binary for Windows NT, you should have the following files in a directory:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="filename">cygwinb19.dll</code></p></li><li><p><code class="filename">README.TXT</code></p></li><li><p><code class="filename">sslproxy.exe</code></p></li><li><p><code class="filename">dummyCert.pem</code></p></li></ul></div><p>The only one that you will be interested in is the SSL Proxy executable. Copy over the <span class="emphasis"><em>phoenix.pem</em></span> and <span class="emphasis"><em>phoenix.key</em></span> files that you generated earlier for the client to the same directory as the SSL proxy executable. Make sure that the directory is secure from the prying eyes of other users.</p><p>The next step is to ensure that the Windows NT machine can resolve the NetBIOS name of the Samba server. This means that you should either have a WINS server up and running (the Samba server can perform this task with the <code class="literal">wins</code> <code class="literal">support</code> <code class="literal">=</code> <code class="literal">yes</code> option) or have it listed in the appropriate <span class="emphasis"><em>hosts</em></span> file of the system. See <a href="#SAMBA-CH-7" title="Chapter 7. Printing and Name Resolution">Chapter 7</a>, for more information on WINS server.<sup>[<a name="appa-pgfId-986801" href="#ftn.appa-pgfId-986801">1</a>]</sup></p><p>Finally, start up SSL Proxy with the following command. Here, we assume that <code class="literal">hydra</code> is the name of the Samba server:</p><pre class="programlisting">#<strong class="userinput"><code> C:\SSLProxy&gt;sslproxy -l 139 -R hydra -r 139 -n -c phoenix.pem -k phoenix.key</code></strong></pre><p>This tells SSL Proxy to listen for connections to port 139 and relay those requests to port 139 on the NetBIOS machine <code class="literal">hydra</code>. It also instructs SSL Proxy to use the <code class="filename">phoenix.pem</code> and <code class="filename">phoenix.key</code> files to generate the certificate and keys necessary to initiate the SSL connection. SSL Proxy responds with:</p><pre class="programlisting">Enter PEM pass phrase:</pre><p>Enter the PEM pass phrase of the client keypair that you generated, <span class="emphasis"><em>not</em></span> the certificate authority. You should then see the following output:</p><pre class="programlisting">SSL: No verify locations, trying default
-proxy ready, listening for connections</pre><p>That should take care of the client. You can place this command in a startup sequence on either Unix or Windows NT if you want this functionality available at all times. Be sure to set any clients you have connecting to the NT server (including the NT server itself) to point to this server instead of the Samba server.</p><p>After you've completed setting this up, try to connect using clients that proxy through the NT server. You should find that it works almost transparently.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appa-SECT-5"></a>SSL Configuration Options</h2></div></div></div><p>
-<a class="indexterm" name="appa-idx-990427-0"></a><a href="#appa-61150" title="Table A.1. SSL Configuration Options">Table 1.1</a> summarizes the configuration options introduced in the previous section for using SSL. Note that all of these options are global in scope; in other words, they must appear in the <code class="literal">[global]</code> section of the configuration file.</p><div class="table"><a name="appa-61150"></a><p class="title"><b>Table A.1. SSL Configuration Options </b></p><div class="table-contents"><table summary="SSL Configuration Options " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th><th><p>Scope</p></th></tr></thead><tbody><tr><td><p><code class="literal">ssl</code></p></td><td><p>boolean</p></td><td><p>Indicates whether SSL mode is enabled with Samba.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl hosts</code></p></td><td><p>string (list of addresses)</p></td><td><p>Specifies a list of hosts that must always connect using SSL.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl hosts resign</code></p></td><td><p>string (list of addresses)</p></td><td><p>Specifies a list of hosts that never connect using SS.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl CA certDir</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the directory where the certificates are stored.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl CA certFile</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies a file that contains all of the certificates for Samba.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl server cert</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the server's certificate.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl server key</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the server's private key.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl client cert</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the client's certificate.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl client key</code></p></td><td><p>string (fully-qualified pathname)</p></td><td><p>Specifies the location of the client's private key.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl require clientcert</code></p></td><td><p>boolean</p></td><td><p>Indicates whether Samba should require each client to have a certificate.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl require servercert</code></p></td><td><p>boolean</p></td><td><p>Indicates whether the server itself should have a certificate.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl ciphers</code></p></td><td><p>String</p></td><td><p>Specifies the cipher suite to use during protocol negotiation.</p></td><td><p>None</p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl version</code></p></td><td><p><code class="literal">ssl2or3</code>, <code class="literal">ssl3</code>, or <code class="literal">tls1</code></p></td><td><p>Specifies the version of SSL to use.</p></td><td><p><code class="literal">ssl2or3</code></p></td><td><p>Global</p></td></tr><tr><td><p><code class="literal">ssl compatibility</code></p></td><td><p>boolean</p></td><td><p>Indicates whether compatibility with other implementations of SSL should be activated.</p></td><td><p><code class="literal">no</code></p></td><td><p>Global</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.1"></a>
-ssl</h3></div></div></div><a class="indexterm" name="appa-idx-990620-0"></a><p>This global option configures Samba to use SSL for communication between itself and clients. The default value of this option is <code class="literal">no</code>. You can reset it as follows:</p><pre class="programlisting">[global]
-	ssl = yes</pre><p>Note that in order to use this option, you must have a proxy for Windows 95/98 clients, such as in the model presented earlier in this chapter.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.2"></a>
-ssl hosts</h3></div></div></div><a class="indexterm" name="appa-idx-990625-0"></a><p>This option specifies the hosts that will be forced into using SSL. The syntax for specifying hosts and addresses is the same as the <code class="literal">hosts</code> <code class="literal">allow</code> and the <code class="literal">hosts</code> <code class="literal">deny</code> configuration options. For example:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl hosts = 192.168.220.</pre><p>This example specifies that all hosts that fall into the 192.168.220 subnet must use SSL connections with the client. This type of structure is useful if you know that various connections will be made by a subnet that lies across an untrusted network, such as the Internet. If neither this option nor the <code class="literal">ssl</code> <code class="literal">hosts</code> <code class="literal">resign</code> option has been specified, and <code class="literal">ssl</code> is set to <code class="literal">yes</code>, Samba will allow only SSL connections from all clients.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.3"></a>
-ssl hosts resign</h3></div></div></div><a class="indexterm" name="appa-idx-990628-0"></a><p>This option specifies the hosts that will <span class="emphasis"><em>not</em></span> be forced into SSL mode. The syntax for specifying hosts and addresses is the same as the <code class="literal">hosts</code> <code class="literal">allow</code> and the <code class="literal">hosts</code> <code class="literal">deny</code> configuration options. For example:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl hosts resign = 160.2.310. 160.2.320.</pre><p>This example specifies that all hosts that fall into the 160.2.310 or 160.2.320 subnets will not use SSL connections with the client. If neither this option nor the <code class="literal">ssl</code> <code class="literal">hosts</code> option has been specified, and <code class="literal">ssl</code> is set to <code class="literal">yes</code>, Samba will allow only SSL connections from all clients.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.4"></a>
-ssl CA certDir</h3></div></div></div><a class="indexterm" name="appa-idx-990631-0"></a><p>This option specifies the directory containing the certificate authority's certificates that Samba will use to authenticate clients. There must be one file in this directory for each certificate authority, named as specified earlier in this chapter. Any other files in this directory are ignored. For example:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl hosts = 192.168.220.
-	ssl CA certDir = /usr/local/samba/cert</pre><p>There is no default for this option. You can alternatively use the option <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certFile</code> if you wish to place all the certificate authority information in the same file.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.5"></a>
-ssl CA certFile</h3></div></div></div><a class="indexterm" name="appa-idx-990634-0"></a><p>This option specifies a file that contains the certificate authority's certificates that Samba will use to authenticate clients. This option differs from <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certDir</code> in that there is only one file used for all the certificate authorities. An example of its usage follows:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl hosts = 192.168.220.
-	ssl CA certFile = /usr/local/samba/cert/certFile</pre><p>There is no default for this option. You can also use the option <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certDir</code> if you wish to have a separate file for each certificate authority that Samba trusts.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.6"></a>
-ssl server cert</h3></div></div></div><a class="indexterm" name="appa-idx-990637-0"></a><p>This option specifies the location of the server's certificate. This option is mandatory; the server must have a certificate in order to use SSL. For example:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl hosts = 192.168.220.
-	ssl CA certFile = /usr/local/samba/cert/certFile
-	ssl server cert = /usr/local/samba/private/server.pem</pre><p>There is no default for this option. Note that the certificate may contain the private key for the server.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.7"></a>
-ssl server key</h3></div></div></div><a class="indexterm" name="appa-idx-990640-0"></a><p>This option specifies the location of the server's private key. You should ensure that the location of the file cannot be accessed by anyone other than <code class="literal">root</code>. For example:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl hosts = 192.168.220.
-	ssl CA certFile = /usr/local/samba/cert/certFile
-	ssl server key = /usr/local/samba/private/samba.pem</pre><p>There is no default for this option. Note that the private key may be contained in the certificate for the server.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.8"></a>
-ssl client cert</h3></div></div></div><a class="indexterm" name="appa-idx-990643-0"></a><p>This option specifies the location of the client's certificate. The certificate may be requested by the Samba server with the <code class="literal">ssl</code> <code class="literal">require</code> <code class="literal">clientcert</code> option; the certificate is also used by <code class="filename">smbclient</code>. For example:</p><pre class="programlisting">[global]
-    ssl = yes
-    ssl hosts = 192.168.220.
-    ssl CA certFile = /usr/local/samba/cert/certFile
-    ssl server cert = /usr/local/ssl/private/server.pem
-    ssl client cert= /usr/local/ssl/private/clientcert.pem</pre><p>There is no default for this option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.9"></a>
-ssl client key</h3></div></div></div><a class="indexterm" name="appa-idx-990646-0"></a><p>This option specifies the location of the client's private key. You should ensure that the location of the file cannot be accessed by anyone other than <code class="literal">root</code>. For example:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl hosts = 192.168.220.
-	ssl CA certDir = /usr/local/samba/cert/
-	ssl server key = /usr/local/ssl/private/samba.pem
-	ssl client key = /usr/local/ssl/private/clients.pem</pre><p>There is no default for this option. This option is only needed if the client has a certificate.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.10"></a>
-ssl require clientcert</h3></div></div></div><a class="indexterm" name="appa-idx-990649-0"></a><p>This option specifies whether the client is required to have a certificate. The certificates listed with either the <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certDir</code> or the <code class="literal">ssl</code> <code class="literal">CA</code> <code class="literal">certFile</code> will be searched to confirm that the client has a valid certificate and is authorized to connect to the Samba server. The value of this option is a simple boolean. For example:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl hosts = 192.168.220.
-	ssl CA certFile = /usr/local/samba/cert/certFile
-	ssl require clientcert = yes</pre><p>We recommend that you require certificates from all clients that could be connecting to the Samba server. The default value for this option is <code class="literal">no</code>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.11"></a>
-ssl require servercert</h3></div></div></div><a class="indexterm" name="appa-idx-990652-0"></a><p>This option specifies whether the server is required to have a certificate. Again, this will be used by the <code class="filename">smbclient</code> program. The value of this option is a simple boolean. For example:</p><pre class="programlisting">[global]
-	ssl = yes
-	ssl hosts = 192.168.220.
-	ssl CA certFile = /usr/local/samba/cert/certFile
-	ssl require clientcert = yes
-	ssl require servercert = yes</pre><p>Although we recommend that you require certificates from all clients that could be connecting to the Samba server, a server certificate is not required. It is, however,  recommended. The default value for this option is <code class="literal">no</code>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.12"></a>
-ssl ciphers</h3></div></div></div><a class="indexterm" name="appa-idx-990655-0"></a><p>This option sets the ciphers on which SSL will decide during the negotiation phase of the SSL connection. Samba can use any of the following ciphers:</p><pre class="programlisting">DEFAULT
-DES-CFB-M1
-NULL-MD5
-RC4-MD5
-EXP-RC4-MD5
-RC2-CBC-MD5
-EXP-RC2-CBC-MD5
-IDEA-CBC-MD5
-DES-CBC-MD5
-DES-CBC-SHA
-DES-CBC3-MD5
-DES-CBC3-SHA
-RC4-64-MD5
-NULL</pre><p>It is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific cipher suite.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.13"></a>
-ssl version</h3></div></div></div><a class="indexterm" name="appa-idx-990658-0"></a><p>This global option specifies the version of SSL that Samba will use when handling encrypted connections. The default value is <code class="literal">ssl2or3</code>, which specifies that either version 2 or 3 of the SSL protocol can be used, depending on which version is negotiated in the handshake between the server and the client. However, if you want Samba to use only a specific version of the protocol, you can specify the following:</p><pre class="programlisting">[global]
-	ssl version = ssl3</pre><p>Again, it is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific version.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appa-SECT-5.0.14"></a>
-ssl compatibility</h3></div></div></div><a class="indexterm" name="appa-idx-990661-0"></a><p>This global option specifies whether Samba should be configured to use other versions of SSL. However, because no other versions exist at this writing, the issue is  moot and the variable should always be left at the<a class="indexterm" name="appa-idx-990431-0"></a> default.<a class="indexterm" name="appa-idx-990339-0"></a>
-<a class="indexterm" name="appa-idx-990339-1"></a></p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.appa-pgfId-986801" href="#appa-pgfId-986801">1</a>] </sup>If you are running SSL Proxy on a Unix server, you should ensure that the DNS name of the Samba server can be resolved.</p></div></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-B"></a>Appendix B. Samba Performance Tuning</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#appb-47134">B.1. A Simple Benchmark</a></span></dt><dt><span class="sect1"><a href="#appb-50295">B.2. Samba Tuning</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appb-SECT-2.1">B.2.1. Benchmarking</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.2">B.2.2. Things to Tweak</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.3">B.2.3. Other Samba Options</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-2.4">B.2.4. Our Recommendations </a></span></dt></dl></dd><dt><span class="sect1"><a href="#appb-22511">B.3. Sizing Samba Servers</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appb-SECT-3.1">B.3.1. The Bottlenecks</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.2">B.3.2. Reducing Bottlenecks </a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.3">B.3.3. Practical Examples</a></span></dt><dt><span class="sect2"><a href="#appb-SECT-3.4">B.3.4. How Many Clients can Samba Handle?</a></span></dt><dt><span class="sect2"><a href="#appb-90359">B.3.5. Measurement Forms</a></span></dt></dl></dd></dl></div><p>
-<a class="indexterm" name="appb-idx-959725-0"></a>
-<a class="indexterm" name="appb-idx-959725-1"></a>
-<a class="indexterm" name="appb-idx-959725-2"></a>This appendix discusses various ways of performance tuning and system sizing with Samba. <em class="firstterm">Performance tuning</em> is the art of finding bottlenecks and adjusting to eliminate them. <span class="emphasis"><em>Sizing</em></span> is the practice of eliminating bottlenecks by spending money to avoid having them in the first place. Normally, you won't have to worry about either with Samba. On a completely untuned server, Samba will happily support a small community of users. However, on a properly tuned server, Samba will support at least twice as many users. This chapter is devoted to outlining various performance-tuning and sizing techniques that you can use if you want to stretch your Samba server to the limit.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appb-47134"></a>A Simple Benchmark</h2></div></div></div><p>
-<a class="indexterm" name="appb-idx-959739-0"></a>
-<a class="indexterm" name="appb-idx-959739-1"></a>
-<a class="indexterm" name="appb-idx-959739-2"></a>How do you know if you're getting reasonable performance? A simple benchmark is to compare Samba with FTP. <a href="#appb-73167" title="Table B.1. Sample Benchmark Benchmarks">Table 2.1</a> shows the throughput, in kilobytes per second, of a pair of servers: a medium-size Sun SPARC Ultra and a small Linux Pentium server. Numbers are reported in kilobytes per second (KB/s).</p><div class="table"><a name="appb-73167"></a><p class="title"><b>Table B.1. Sample Benchmark Benchmarks </b></p><div class="table-contents"><table summary="Sample Benchmark Benchmarks " border="1"><colgroup><col><col><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>FTP</p></th><th><p>Untuned Samba</p></th><th><p>Tuned Samba</p></th></tr></thead><tbody><tr><td><p>Sparc get</p></td><td><p>1014.5</p></td><td><p>645.3</p></td><td><p>866.7</p></td></tr><tr><td><p>Sparc put</p></td><td><p>379.8</p></td><td><p>386.1</p></td><td><p>329.5</p></td></tr><tr><td><p>Pentium get</p></td><td><p>973.27</p></td><td><p>N/A</p></td><td><p>725</p></td></tr><tr><td><p>Pentium put</p></td><td><p>1014.5</p></td><td><p>N/A</p></td><td><p>1100</p></td></tr></tbody></table></div></div><br class="table-break"><p>If you run the same tests on your server, you probably won't see the same numbers. However, you <span class="emphasis"><em>should</em></span> see similar ratios of Samba to FTP, probably in the range of 68 to 80 percent. It's not a good idea to base <span class="emphasis"><em>all</em></span> of Samba's throughput against FTP. The golden rule to remember is this: if Samba is much slower than FTP, it's time to tune it.</p><p>You might think that an equivalent test would be to compare Samba to NFS. In reality, however, it's much less useful to compare their speeds. Depending entirely on whose version of NFS you have and how well it's tuned, Samba can be slower or faster than NFS. We usually find that Samba is faster, but watch out; NFS uses a different algorithm from Samba, so tuning options that are optimal for NFS may be detrimental for Samba. If you run Samba on a well-tuned NFS server, Samba may perform rather badly.</p><p>A more popular benchmark is Ziff-Davis' <span class="emphasis"><em>NetBench,</em></span> a simulation of many users on client machines running word processors and accessing data on the SMB server. It's not a prefect measure (each NetBench client does about ten times the work of a normal user on our site), but it is a fair comparison of similar servers. In tests performed by Jeremy Allison in November 1998, Samba 2.0 on a SGI multiprocessor outperformed NT Server 4.0 (Patch Level 2) on an equivalent high-end Compaq. This was confirmed and strengthened by a Sm@rt Reseller test of NT and Linux on identical hardware in February 1999.</p><p>In April 1999, the Mindcraft test lab released a report about a test showing that Samba on a four-processor Linux machine was significantly slower than native file serving on the same machine running Windows NT. While the original report was slammed by the Open Source community because it was commissioned by Microsoft and tuned the systems to favor Windows NT, a subsequent test was fairer and generally admitted to reveal some areas where Linux needed to improve its performance, especially on multiprocessors. Little was said about Samba itself. Samba is known to scale well on multiprocessors, and exceeds 440MB/s on a four-processor SGI O200, beating Mindcraft's 310MB/s.</p><p>Relative performance will probably change as NT and PC hardware get faster, of course, but Samba is improving as well. For example, Samba 1.9.18 was faster only with more than 35 clients. Samba 2.0, however, is faster regardless of the number of clients. In short, Samba is very competitive with the best networking software in the industry, and is only getting better.</p><p>As we went to press, Andrew Tridgell released the alpha-test version suite of benchmarking programs for Samba and SMB networks. Expect even more work on performance from the Samba team in the future.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appb-50295"></a>Samba Tuning</h2></div></div></div><p>
-<a class="indexterm" name="appb-idx-959765-0"></a>That being said, let's discuss how you can take an already fast networking package and make it even faster.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-2.1"></a>Benchmarking</h3></div></div></div><p>
-<a class="indexterm" name="appb-idx-959749-0"></a>
-<a class="indexterm" name="appb-idx-959749-1"></a>
-<a class="indexterm" name="appb-idx-959749-2"></a>Benchmarking is an arcane and somewhat black art, but the level of expertise needed for simple performance tuning is fairly low. Since the Samba server's goal in life is to transfer files, we will examine only throughput, not response time to particular events, under the benchmarking microscope. After all, it's relatively easy to measure file transfer speed, and Samba doesn't suffer too badly from response-time problems that would require more sophisticated techniques.</p><p>Our basic strategy for this work will be:</p><div class="itemizedlist"><ul type="disc"><li><p>Find a reasonably-sized file to copy and a program that reports on copy speeds, such as <code class="filename">smbclient</code>.</p></li><li><p>Find a quiet (or typical) time to do the test.</p></li><li><p>Pre-run each test a few times to preload buffers.</p></li><li><p>Run tests several times and watch for unusual results.</p></li><li><p>Record each run in detail.</p></li><li><p>Compare the average of the valid runs to expected values.</p></li></ul></div><p>After establishing a baseline using this method, we can adjust a single parameter and do the measurements all over again. An empty table for your tests is provided at the end of this chapter.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-2.2"></a>Things to Tweak</h3></div></div></div><p>There are literally thousands of Samba setting combinations that you can use in search of that perfect server. Those of us with lives outside of system administration, however, can narrow down the number of options to those listed in this section, which are the most likely to affect overall throughput. They are presented  roughly in order of impact.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.1"></a>Log level</h4></div></div></div><p>
-<a class="indexterm" name="appb-idx-959753-0"></a>This is an obvious one. Increasing the logging level (<code class="literal">log</code>
-<a class="indexterm" name="appb-idx-960330-0"></a>
-<a class="indexterm" name="appb-idx-960330-1"></a> <code class="literal">level</code> or <code class="literal">debug</code> <code class="literal">level</code> configuration options) is a good way to debug a problem, unless you happen to be searching for a performance problem! As mentioned in <a href="#ch04-21486" title="Chapter 4. Disk Shares">Chapter 4</a>, Samba produces a ton of debugging messages at level 3 and above, and writing them to disk or syslog is a slow operation. In our <code class="filename">smbclient/ftp</code> tests, raising the log level from 0 to 3 cut the untuned <code class="literal">get</code> <code class="literal">speed</code> from 645.3 to 622.2KB/s, or roughly 5 percent. Higher log levels were even worse.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.2"></a>Socket options</h4></div></div></div><p>The next thing to look at are the <code class="literal">socket</code>
-<a class="indexterm" name="appb-idx-960332-0"></a> <code class="literal">options</code> configuration options. These are really host system tuning options, but they're set on a per-connection basis, and can be reset by Samba on the sockets it employs by adding <code class="literal">socket</code> <code class="literal">options</code> <code class="literal">=</code> <code class="literal">option</code> to the <code class="literal">[global]</code> section of your <code class="filename">smb.conf </code>file. Not all of these options are supported by all vendors; check your vendor's manual pages on <span class="emphasis"><em>setsockopt </em></span>(1) or <span class="emphasis"><em>socket </em></span>(5) for details.</p><p>The main options are:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">TCP_NODELAY</code></span></dt><dd><p>Have the server send as many packets as necessary to keep delay low. This is used on telnet connections to give good response time, and is used&#8212;somewhat counter-intuitively&#8212;to get good speed even when doing small requests or when acknowledgments are delayed (as seems to occur with Microsoft TCP/IP). This is worth a 30-50 percent speedup by itself. Incidentally, in Samba 2.0.4, <code class="literal">socket</code> <code class="literal">options</code> <code class="literal">=</code> <code class="literal">TCP_NODELAY</code> became the default value for that option.</p></dd><dt><span class="term"><code class="literal">IPTOS_LOWDELAY</code></span></dt><dd><p>This is another option that trades off throughput for lower delay, but which affects routers and other systems, not the server. All the IPTOS options are new; they're not supported by all operating systems and routers. If they are supported, set <code class="literal">IPTOS_LOWDELAY</code> whenever you set <code class="literal">TCP_NODELAY</code>.</p></dd><dt><span class="term"><code class="literal">SO_SNDBUF</code> <code class="literal">and</code> <code class="literal">SO_RCVBUF</code></span></dt><dd><p>The send and receive buffers can often be the reset to a value higher than that of the operating system. This yields a marginal increase of speed (until it reaches a point of diminishing returns).</p></dd><dt><span class="term"><code class="literal">SO_KEEPALIVE</code></span></dt><dd><p>This initiates a periodic (four-hour) check to see if the client has disappeared. Expired connections are addressed somewhat better with Samba's <code class="literal">keepalive</code> and <code class="literal">dead</code> <code class="literal">time</code> options. All three eventually arrange to close dead connections, returning unused memory and process-table entries to the operating system.</p></dd></dl></div><p>There are several other socket options you might look at, (e.g., <code class="literal">SO_SNDLOWAT</code>), but they vary in availability from vendor to vendor. You probably want to look at <em class="citetitle">TCP/IP Illustrated</em> if you're interested in exploring more of these options for performance tuning with Samba.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.3"></a>read raw and write raw</h4></div></div></div><p>
-<a class="indexterm" name="appb-idx-959754-0"></a>
-<a class="indexterm" name="appb-idx-959754-1"></a>These are important performance configuration options; they enable Samba to use large reads and writes to the network, of up to 64KB in a single SMB request. They also require the largest SMB packet structures, <code class="literal">SMBreadraw</code> and <code class="literal">SMBwriteraw</code>, from which the options take their names. Note that this is not the same as a Unix <span class="emphasis"><em>raw read</em></span>. This Unix term usually refers to reading disks without using the files system, quite a different sense from the one described here for Samba.</p><p>In the past, some client programs failed if you tried to use <code class="literal">read</code> <code class="literal">raw</code>. As far as we know, no client suffers from this problem any more. Read and write raw default to <code class="literal">yes</code>, and should be left on unless you find you have one of the buggy clients.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.4"></a>Opportunistic locking</h4></div></div></div><p>
-<a class="indexterm" name="appb-idx-959755-0"></a>
-<a class="indexterm" name="appb-idx-959755-1"></a>Opportunistic locks, or <span class="emphasis"><em>oplocks</em></span>, allow clients to cache files locally, improving performance on the order of 30 percent. This option is now enabled by default. For read-only files, the <code class="literal">fake</code> <code class="literal">oplocks</code> provides the same functionality without actually doing any caching. If you have files that cannot be cached, <span class="emphasis"><em>oplocks</em></span> can be turned off.</p><p>Database files should never be cached, nor should any files that are updated both on the server and the client and whose changes must be immediately visible. For these files, the <code class="literal">veto</code> <code class="literal">oplock</code>
-<a class="indexterm" name="appb-idx-960336-0"></a> <code class="literal">files</code> option allows you to specify a list of individual files or a pattern containing wildcards to avoid caching. <span class="emphasis"><em>oplocks</em></span> can be turned off on a share-by-share basis if you have large groups of files you don't want cached on clients. See <a href="#SAMBA-CH-5" title="Chapter 5. Browsing and Advanced Disk Shares">Chapter 5</a>, for more information on opportunistic locks.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.5"></a>IP packet size (MTU)</h4></div></div></div><p>
-<a class="indexterm" name="appb-idx-959756-0"></a>Networks generally set a limit to the size of an individual transmission or packet This is called the Maximum Segment Size, or if the packet header size is included, the <a class="indexterm" name="appb-idx-959757-0"></a>
-<a class="indexterm" name="appb-idx-959757-1"></a>Maximum Transport Unit (MTU). This MTU is not set by Samba, but Samba needs to use a <code class="literal">max</code> <code class="literal">xmit</code> (write size) bigger than the MTU, or throughput will be reduced. This is discussed in further detail in the following note. The MTU is normally preset to 1500 bytes on an Ethernet and 4098 bytes on FDDI. In general, having it too low cuts throughput, and having it too high causes a sudden performance dropoff due to fragmentation and retransmissions.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Tip</h3><p>If you are communicating over a router, some systems will assume the router is a serial link (e.g., a T1) and set the MTU to more or less 536 bytes. Windows 95 makes this mistake, which causes nearby clients to perform well, but clients on the other side of the router to be noticeably slower. If the client makes the opposite error and uses a large MTU on a link which demands a small one, the packets will be broken up into fragments. This slows transfers slightly, and any networking errors will cause multiple fragments to be retransmitted, which slows Samba significantly. Fortunately, you can modify the Windows MTU size to prevent either error. To understand this in more detail, see "The Windows 95 Networking Frequently Asked Questions (FAQ)" at <code class="systemitem">http://www.stanford.edu/~llurch/win95netbugs/faq.html</code>, which explains how to override the Windows MTU and Window Size.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-19919"></a>The TCP receive window</h4></div></div></div><p>
-<a class="indexterm" name="appb-idx-959758-0"></a>TCP/IP works by breaking down data into small packets that can be transmitted from one machine to another. When each packet is transmitted, it contains a checksum that allows the receiver to check the packet data for potential errors in transmission. Theoretically, when a packet is received and verified, an acknowledgment packet should be sent back to the sender that essentially says, "Everything arrived intact: please continue."</p><p>In order to keep things moving, however, TCP accepts a range (window) of packets that allows a sender to keep transmitting without having to wait for an acknowledgment of every single packet. (It can then bundle a group of acknowledgments and transmit them back to the sender at the same time.) In other words, this receive window is the number of bytes that the sender can transmit before it has to stop and wait for a receiver's acknowledgment. Like the MTU, it is automatically set based on the type of connection. Having the window too small causes a lot of unnecessary waiting for acknowledgment messages. Various operating systems set moderate buffer sizes on a per-socket basis to keep one program from hogging all the memory.</p><p>The buffer sizes are assigned in bytes, such as <code class="literal">SO_SNDBUF=8192</code> in the <code class="literal">socket</code> <code class="literal">options</code> line. Thus, an example <code class="literal">socket</code> <code class="literal">options</code> configuration option is:</p><pre class="programlisting">socket options = SO_SNDBUF=8192</pre><p>Normally, one tries to set these socket options higher than the default: 4098 in SunOS 4.1.3 and SVR4, and 8192-16384 in AIX, Solaris, and BSD. 16384 has been suggested as a good starting point: in a non-Samba test mentioned in Stevens' book, it yielded a 40 percent improvement. You'll need to experiment, because performance will fall off again if you set the sizes too high. This is illustrated in <a href="#appb-34738" title="Figure B.1. SO_SNDBUF size and performance">Figure 2.1</a>, a test done on a particular Linux system.</p><div class="figure"><a name="appb-34738"></a><p class="title"><b>Figure B.1. SO_SNDBUF size and performance</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 263px"><td><img src="figs/sam.ab01.gif" height="263" alt="SO_SNDBUF size and performance"></td></tr></table></div></div></div><br class="figure-break"><p>Setting the socket options <code class="literal">O_SNDBUF</code> and <code class="literal">SO_RCVBUF</code> to less than the default is inadvisable. Setting them higher improves performance, up to a network-specific limit. However, once you exceed that limit, performance will abruptly level off.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.7"></a>
-max xmit</h4></div></div></div><a class="indexterm" name="appb-idx-960371-0"></a><p>
-<a class="indexterm" name="appb-idx-960373-0"></a>In Samba, the option that is directly related with the MTU and window size is <code class="literal">max</code> <code class="literal">xmit</code>. This option sets the largest block of data Samba will try to write at any one time. It's sometimes known as the <em class="firstterm">write size</em>, although that is not the name of the Samba configuration option.</p><p>Because the percentage of each block required for overhead falls as the blocks get larger, max xmit is conventionally set as large as possible. It defaults to the protocol's upper limit, which is 64 kilobytes. The smallest value that doesn't cause significant slowdowns is 2048. If it is set low enough, it will limit the largest packet size that Samba will be able to negotiate. This can be used to simulate a small MTU if you need to test an unreliable network connection. However, such a test should not be used in production for reducing the effective MTU.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.8"></a>read size</h4></div></div></div><p>
-<a class="indexterm" name="appb-idx-959760-0"></a>If <code class="literal">max</code> <code class="literal">xmit</code> is commonly called the write size, you'd expect <code class="literal">read</code> <code class="literal">size</code> to be the maximum amount of data that Samba would want to read from the client via the network. Actually, it's not. In fact, it's an option to trigger <em class="firstterm">write ahead</em>
-<a class="indexterm" name="appb-idx-959764-0"></a>. This means that if Samba gets behind reading from the disk and writing to the network (or vice versa) by the specified amount, it will start overlapping network writes with disk reads (or vice versa).</p><p>The read size doesn't have a big performance effect on Unix, unless you set its value quite small. At that point, it causes a detectable slowdown. For this reason, it defaults to 2048 and can't be set lower than 1024.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-2.2.9"></a>read prediction </h4></div></div></div><p>
-<a class="indexterm" name="appb-idx-959766-0"></a>Besides being counterintuitive, this option is also obsolete. It enables Samba to read ahead on files opened read only by the clients. The option is disabled in Samba 2.0 (and late 1.9) Because it interferes with opportunistic locking.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-2.3"></a>Other Samba Options</h3></div></div></div><p>
-<a class="indexterm" name="appb-idx-959775-0"></a>
-<a class="indexterm" name="appb-idx-959775-1"></a>
-<a class="indexterm" name="appb-idx-959775-2"></a>The following Samba options will affect performance if they're set incorrectly, much like the debug level. They're mentioned here so you will know what to look out for:</p><div class="variablelist"><dl><dt><span class="term">
-<a class="indexterm" name="appb-idx-960358-0"></a><code class="literal">hide files</code></span></dt><dd><p>Providing a pattern to identify files hidden by the Windows client <code class="literal">hide</code> <code class="literal">files</code> will result in any file matching the pattern being passed to the client with the DOS hidden attribute set. It requires a pattern match per file when listing directories, and slows the server noticeably.</p></dd><dt><span class="term"><code class="literal">lpq cache time</code>
-<a class="indexterm" name="appb-idx-960359-0"></a></span></dt><dd><p>If your <code class="literal">lpq</code> (printer queue contents) command takes a long time to complete, you should increase <code class="literal">lpq</code> <code class="literal">cache</code> <code class="literal">time</code> to a value higher than the actual time required for <code class="literal">lpq</code> to execute, so as to keep Samba from starting a new query when one's already running. The default is 10 seconds, which is reasonable.</p></dd><dt><span class="term"><code class="literal">strict locking</code>
-<a class="indexterm" name="appb-idx-960360-0"></a></span></dt><dd><p>Setting the <code class="literal">strict</code> <code class="literal">locking</code> option causes Samba to check for locks on every access, not just when asked to by the client. The option is primarily a bug-avoidance feature, and can prevent ill-behaved DOS and Windows applications from corrupting shared files. However, it is slow and should typically be avoided.</p></dd><dt><span class="term"><code class="literal">strict sync</code>
-<a class="indexterm" name="appb-idx-960361-0"></a></span></dt><dd><p>Setting <code class="literal">strict</code> <code class="literal">sync</code> will cause Samba to write each packet to disk and wait for the write to complete whenever the client sets the sync bit in a packet. Windows 98 Explorer sets the bit in all packets transmitted, so if you turn this on, anyone with Windows 98 will think Samba servers are horribly slow.</p></dd><dt><span class="term"><code class="literal">sync always</code>
-<a class="indexterm" name="appb-idx-960362-0"></a></span></dt><dd><p>Setting <code class="literal">sync</code> <code class="literal">always</code> causes Samba to flush every write to disk. This is good if your server crashes constantly, but the performance costs are immense. SMB servers normally use oplocks and automatic reconnection to avoid the ill effects of crashes, so setting this option is not normally necessary.</p></dd><dt><span class="term">
-<a class="indexterm" name="appb-idx-960363-0"></a><code class="literal">wide links</code></span></dt><dd><p>Turning off <code class="literal">wide</code> <code class="literal">links</code> prevents Samba from following symbolic links in one file share to files that are not in the share. It is turned on by default, since following links in Unix is not a security problem. Turning it off requires extra processing on every file open. If you do turn off wide links, be sure to turn on <code class="literal">getwd</code> <code class="literal">cache</code> to cache some of the required data.</p><p>There is also a <code class="literal">follow</code> <code class="literal">symlinks</code> option that can be turned off to prevent following any symbolic links at all. However, this option does not pose a performance problem.</p></dd><dt><span class="term">
-<a class="indexterm" name="appb-idx-960364-0"></a><code class="literal">getwd cache</code></span></dt><dd><p>This option caches the path to the current directory, avoiding long tree-walks to discover it. It's a nice performance improvement on a printer server or if you've turned off <code class="literal">wide</code> <code class="literal">links</code>.</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-2.4"></a>Our Recommendations </h3></div></div></div><p>
-<a class="indexterm" name="appb-idx-959782-0"></a>Here's an <code class="filename">smb.conf</code> file that incorporates the recommended performance enhancements so far. Comments have been added on the right side.</p><pre class="programlisting">[global] 
-	log level = 1                      # Default is 0 
-	socket options = TCP_NODELAY IPTOS_LOWDELAY 
-	read raw = yes                     # Default 
-	write raw = yes                    # Default 
-	oplocks = yes                      # Default 
-	max xmit = 65535                   # Default 
-	dead time = 15                     # Default is 0
-	getwd cache = yes
-	lpq cache = 30
-[okplace] 
-	veto oplock files = this/that/theotherfile
-[badplace] 
-	oplocks = no</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appb-22511"></a>Sizing Samba Servers</h2></div></div></div><p>
-<a class="indexterm" name="appb-idx-959783-0"></a>
-<a class="indexterm" name="appb-idx-959783-1"></a>Sizing is a way to prevent bottlenecks before they occur. The preferred way to do this is to know how many requests per second or how many kilobytes per second the clients will need, and ensure that all the components of the server provide at least that many.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-3.1"></a>The Bottlenecks</h3></div></div></div><p>
-<a class="indexterm" name="appb-idx-959791-0"></a>The <a class="indexterm" name="appb-idx-959799-0"></a>three primary bottlenecks you should worry about are CPU, disk I/O, and the network. For most machines, CPUs are rarely a bottleneck. A single Sun SPARC 10 CPU can start (and complete) between 700 and 800 I/O operations a second, giving approximately 5,600 to 6,400KB/s of throughput when the data averages around 8KBs (a common buffer size). A single Intel Pentium 133 can do less only because of somewhat slower cache and bus interfaces, not due to lack of CPU power. Purpose-designed Pentium servers, like some Compaq servers, will be able to start 700 operations per CPUs, on up to four CPUs.</p><p>Too little memory, on the other hand, can easily be a bottleneck; each Samba process will use between 600 and 800KB on Intel Linux, and more on RISC CPUs. Having less will cause an increase in virtual memory paging and therefore a performance hit. On Solaris, where it has been measured, <span class="emphasis"><em>smbd</em></span> will use 2.6 MB for program and shared libraries, plus 768KB for each connected client. <span class="emphasis"><em>nmbd</em></span> occupies 2.1 MB, plus 496KB extra for its (single) auxiliary process.</p><p>Hard disks will always bottleneck at a specific number of I/O operations per second: for example, each 7200 RPM SCSI disk is capable of performing 70 operations per second, for a throughput of 560KB/s; a 4800 RPM disk will perform fewer than 50, for a throughput of 360KB/s. A single IDE disk will do still fewer. If the disks are independent, or striped together in a RAID 1 configuration, they will each peak out at 400 to 560KB/s and will scale linearly as you add more. Note that this is true only of RAID 1. RAID levels other than 1 (striping) add extra overhead.</p><p>Ethernets (and other networks) are obvious bottleneck: a 10 Mb/s (mega<span class="emphasis"><em>bits</em></span>/second) Ethernet will handle around 1100KB/s (kilo<span class="emphasis"><em>bytes</em></span>/s) using 1500-byte packets A 100 Mb/s Fast Ethernet will bottleneck below 65,000KB/s with the same packet size. FDDI, at 155 Mb/s will top out at approximately 6,250KB/s, but gives good service at even 100 percent load and transmits much larger packets (4KB).</p><p>ATM should be much better, but as of the writing of this book it was too new to live up to its potential; it seems to deliver around 7,125 Mb/s using 9KB packets.</p><p>Of course, there can be other bottlenecks: more than one IDE disk per controller is not good, as are more than three 3600 SCSI-I disks per slow/narrow controller, or more than three 7200 SCSI-II disks per SCSI-II fast/wide controller. RAID 5 is also slow, as it requires twice as many writes as independent disks or RAID 1.</p><p>After the second set of Ethernets and the second disk controller, start worrying about bus bandwidth, especially if you are using ISA/EISA buses.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-3.2"></a>Reducing Bottlenecks </h3></div></div></div><p>
-<a class="indexterm" name="appb-idx-959800-0"></a>From the information above we can work out a model that will tell us the maximum capability of a given machine. The data is mostly taken from <a class="indexterm" name="appb-idx-959815-0"></a>
-<a class="indexterm" name="appb-idx-959815-1"></a>Brian Wong's <em class="citetitle">Configuration and Capacity Planning for Solaris Servers</em>,<em class="citetitle">
-<sup>[<a name="appb-pgfId-951214" href="#ftn.appb-pgfId-951214">1</a>]</sup></em> so there is a slight Sun bias to our examples.</p><p>A word of warning: this is not a complete model. Don't assume that this model will predict every bottleneck or even be within 10 percent in its estimates. A model to predict performance instead of one to warn you of bottlenecks would be much more complex and would contain rules like "not more than three disks per SCSI chain". (A good book on real models is Raj Jain's <em class="citetitle">The Art of Computer Systems Performance Analysis</em>.<sup>[<a name="appb-pgfId-951230" href="#ftn.appb-pgfId-951230">2</a>]</sup>) With that warning, we present the system in <a href="#appb-98866" title="Figure B.2. Data flow through a Samba server, with possible bottlenecks">Figure 2.2</a>.</p><div class="figure"><a name="appb-98866"></a><p class="title"><b>Figure B.2. Data flow through a Samba server, with possible bottlenecks</b></p><div class="figure-contents"><div><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="502"><tr style="height: 185px"><td><img src="figs/sam.ab02.gif" height="185" alt="Data flow through a Samba server, with possible bottlenecks"></td></tr></table></div></div></div><br class="figure-break"><p>The flow of data should be obvious. For example, on a read, data flows from the disk, across the bus, through or past the CPU, and to the network interface card (NIC). It is then broken up into packets and sent across the network. Our strategy here is to follow the data through the system and see what bottlenecks will choke it off. Believe it or not, it's rather easy to make a set of tables that list the maximum performance of common disks, CPUs, and network cards on a system. So that's exactly what we're going to do.</p><p>Let's take a concrete example: a Linux Pentium 133 MHz machine with a single 7200 RPM data disk, a PCI bus, and a 10-Mb/s Ethernet card. This is a perfectly reasonable server. We start with <a href="#appb-78077" title="Table B.2. Disk Throughput">Table 2.2</a>, which describes the hard drive&#8212;the first potential bottleneck in the system.</p><div class="table"><a name="appb-78077"></a><p class="title"><b>Table B.2. Disk Throughput </b></p><div class="table-contents"><table summary="Disk Throughput " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>Disk RPM</p></th><th><p>I/O Operations/second</p></th><th><p>KB/second</p></th></tr></thead><tbody><tr><td><p>7200</p></td><td><p>70</p></td><td><p>560</p></td></tr><tr><td><p>4800</p></td><td><p>60</p></td><td><p>480</p></td></tr><tr><td><p>3600</p></td><td><p>40</p></td><td><p>320</p></td></tr></tbody></table></div></div><br class="table-break"><p>Disk throughput is the number of kilobytes of data that a disk can transfer per second. It is computed from the number of 8KB I/O operations per second a disk can perform, which in turn is strongly influenced by disk RPM and bit density. In effect, the question is: how much data can pass below the drive heads in one second? With a single 7200 RPM disk, the example server will give us 70 I/O operations per second at roughly 560KB/s.</p><p>The second possible bottleneck is the CPU. The data doesn't actually flow through the CPU on any modern machines, so we have to compute throughput somewhat indirectly.</p><p>The CPU has to issue I/O requests and handle the interrupts coming back, then transfer the data across the bus to the network card. From much past experimentation, we know that the overhead that dominates the processing is consistently in the filesystem code, so we can ignore the other software being run. We compute the throughput by just multiplying the (measured) number of file I/O operations per second that a CPU can process by the same 8K average request size. This gives us the results shown in <a href="#appb-42029" title="Table B.3. CPU Throughput">Table 2.3</a>.</p><div class="table"><a name="appb-42029"></a><p class="title"><b>Table B.3. CPU Throughput </b></p><div class="table-contents"><table summary="CPU Throughput " border="1"><colgroup><col><col><col></colgroup><thead><tr><th><p>CPU</p></th><th><p>I/O Operations/second</p></th><th><p>KB/second</p></th></tr></thead><tbody><tr><td><p>Intel Pentium 133</p></td><td><p>700</p></td><td><p>5,600</p></td></tr><tr><td><p>Dual Pentium 133</p></td><td><p>1,200</p></td><td><p>9,600</p></td></tr><tr><td><p>Sun SPARC II</p></td><td><p>660</p></td><td><p>5,280</p></td></tr><tr><td><p>Sun SPARC 10</p></td><td><p>750</p></td><td><p>6,000</p></td></tr><tr><td><p>Sun Ultra 200</p></td><td><p>2,650</p></td><td><p>21,200</p></td></tr></tbody></table></div></div><br class="table-break"><p>Now we put the disk and the CPU together: in the Linux example, we have a single 7200 RPM disk, which can give us 560KB/s, and a CPU capable of starting 700 I/O operations, which could give us 5600KB/s. So far, as you would expect, our bottleneck is clearly going to be the hard disk.</p><p>The last potential bottleneck is the network. If the network speed is below 100 Mb/s, the bottleneck will be the network speed. After that, the design of the network card is more likely to slow us down. <a href="#appb-67604" title="Table B.4. Network Throughput">Table 2.4</a> shows us the average throughput of many types of data networks. Although network speed is conventionally measured in bits per second, <a href="#appb-67604" title="Table B.4. Network Throughput">Table 2.4</a> lists bytes per second to make comparison with the disk and CPU (<a href="#appb-78077" title="Table B.2. Disk Throughput">Table 2.2</a> and <a href="#appb-42029" title="Table B.3. CPU Throughput">Table 2.3</a>) easier.</p><div class="table"><a name="appb-67604"></a><p class="title"><b>Table B.4. Network Throughput </b></p><div class="table-contents"><table summary="Network Throughput " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Network Type</p></th><th><p>KB/second</p></th></tr></thead><tbody><tr><td><p> ISDN</p></td><td><p> 16</p></td></tr><tr><td><p> T1</p></td><td><p> 197</p></td></tr><tr><td><p> Ethernet 10m</p></td><td><p> 1,113</p></td></tr><tr><td><p> Token ring</p></td><td><p> 1,500</p></td></tr><tr><td><p> FDDI</p></td><td><p> 6,250</p></td></tr><tr><td><p> Ethernet 100m</p></td><td><p> 6,500<sup>[<a name="appb-pgfId-960131" href="#ftn.appb-pgfId-960131">3</a>]</sup></p></td></tr><tr><td><p> ATM 155</p></td><td><p> 7,125a</p></td></tr></tbody><tbody class="footnotes"><tr><td colspan="2"><div class="footnote"><p><sup>[<a name="ftn.appb-pgfId-960131" href="#appb-pgfId-960131">3</a>] </sup>These will increase. For example, Crays, Sun Ultras, and DEC/Compaq Alphas already have bettered these figures.</p></div></td></tr></tbody></table></div></div><br class="table-break"><p>In the running example, we have a bottleneck at 560KB/s due to the disk. <a href="#appb-67604" title="Table B.4. Network Throughput">Table 2.4</a> shows us that a standard 10 megabit per second Ethernet (1,113KB/s) is far faster than the disk. Therefore, the hard disk is still the limiting factor. (This scenario, by the way, is very common.) Just by looking at the tables, we can predict that small servers won't have CPU problems, and that large ones with multiple CPUs will support striping and multiple Ethernets long before they start running out of CPU power. This, in fact, is exactly what happens.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-3.3"></a>Practical Examples</h3></div></div></div><p>An example from <span class="emphasis"><em>Configuration and Capacity Planning for Solaris Servers</em></span> (Wong) shows that a dual-processor SPARCstation 20/712 with four Ethernets and six 2.1 GB disks will spend all its time waiting for the disks to return some data. If it was loaded with disks (Brian Wong suggests as many as 34 of them), it would still be held below 1,200KB/s by the Ethernet cards. To get the performance the machine is capable of, we would need to configure multiple Ethernets, 100 Mbps Fast Ethernet, or 155 Mbps FDDI.</p><p>The progression you'd work through to get that conclusion looks something like <a href="#appb-26613" title="Table B.5. Tuning a Medium-Sized Server">Table 2.5</a>.</p><div class="table"><a name="appb-26613"></a><p class="title"><b>Table B.5. Tuning a Medium-Sized Server </b></p><div class="table-contents"><table summary="Tuning a Medium-Sized Server " border="1"><colgroup><col><col><col><col><col></colgroup><thead><tr><th><p>Machine</p></th><th><p>Disk Throughput</p></th><th><p>CPU Throughput</p></th><th><p>Network Throughput</p></th><th><p>Actual Throughput</p></th></tr></thead><tbody><tr><td><p>Dual SPARC 10, 1 disk</p></td><td><p>560</p></td><td><p>6000</p></td><td><p>1,113</p></td><td><p>560</p></td></tr><tr><td><p>Add 5 more disks</p></td><td><p>3,360</p></td><td><p>6000</p></td><td><p>1,113</p></td><td><p>1,113</p></td></tr><tr><td><p>Add 3 more Ethernets</p></td><td><p>3,360</p></td><td><p>16000</p></td><td><p>4,452</p></td><td><p>3,360</p></td></tr><tr><td><p>Change to using a 20-disk array</p></td><td><p>11,200</p></td><td><p>6000</p></td><td><p>4,452</p></td><td><p>4,452</p></td></tr><tr><td><p>Use dual 100 Mbps ether</p></td><td><p>11,200</p></td><td><p>6000</p></td><td><p>13,000</p></td><td><p>11,200</p></td></tr></tbody></table></div></div><br class="table-break"><p>Initially, the bottleneck is the disk with only 560 MB/s of throughput available. Our solution is to add five more disks. This gives us more throughput on the disks than on the Ethernet, so then the Ethernet becomes the problem. Consequently, as we continue to expand, we go back and forth several times between these two. As you add disks, CPUs, and network cards, the bottleneck moves. Essentially, the strategy is to add more equipment to try to avoid each bottleneck until you reach your target performance, or (unfortunately) you either can't add any more or run out of money.</p><p>Our experience bears out this kind of calculation; a large SPARC 10 file server that one author maintained was quite capable of saturating an Ethernet plus about a third of an FDDI ring when using two processors. It did nearly as well with a single processor, albeit with a fast operating system and judicious over-optimization.</p><p>The same process applies to other brands of purpose-designed servers. We found the same rules applied to DECstation 2100s as to the newest Alphas or Compaqs, old MIPS 3350s and new SGI O2s. In general, a machine offering multi-CPU server configurations will have enough bus bandwidth and CPU power to reliably bottleneck on hard disk I/O when doing file service. As one would hope, considering the cost!</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-SECT-3.4"></a>How Many Clients can Samba Handle?</h3></div></div></div><p>Well, that depends entirely on how much data each user consumes. A small server with three SCSI-1 disks, which can serve about 960KB/s of data, will support between 36 and 80 clients in an ordinary office environment where they are typically loading, and saving equal-sized spreadsheets or word processing documents (36 clients  ×  2.3 transfers/second  ×  12k file 1 MB/s).</p><p>On the same server in a development environment with programmers running a fairly heavy edit-compile-test cycle, one can easily see requests for 1 MB/s, limiting the server to 25 or fewer clients. To take this a bit further, an imaging system whose clients each require 10 MB/s will perform poorly no matter how big a server is if they're all on a 10 MB/s Ethernet. And so on.</p><p>If you don't know how much data an average user consumes, you can size your Samba servers by patterning them after existing NFS, Netware, or LAN Manager servers. You should be especially careful that the new servers have as many disks and disk controllers as the ones you've copied. This technique is appropriately called "punt and hope."</p><p>If you know how many clients an existing server can support, you're in <span class="emphasis"><em>much</em></span> better shape. You can analyze the server to see what its maximum capacity is and use that to estimate how much data they must be demanding. For example, if serving home directories to 30 PCs from a PC server with two IDE disks is just too slow, and 25 clients is about right, then you can safely assume you're bottlenecked on Ethernet I/O (approximately 375KB) rather than disk I/O (up to 640KB). If so, you can then conclude that the clients are demanding 15 (that is, 375/25)KB/s on average.</p><p>Supporting a new lab of 75 clients will mean you'll need 1,125KB/s, spread over multiple (preferably three) Ethernets, and a server with at least three 7200 RPM disks and a CPU capable of keeping up. These requirements can be met by a Pentium 133 or above with the bus architecture to drive them all at full speed (e.g., PCI).</p><p>A custom-built PC server or a multiprocessor-capable workstation like a Sun Sparc, a DEC/Compaq Alpha, an SGI, or the like, would scale up easier, as would a machine with fast Ethernet, plus a switching hub to drive the client machines on individual 10 MB/s Ethernets.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appb-SECT-3.4.1"></a>How to guess</h4></div></div></div><p>If you have no idea at all what you need, the best thing is to try to guess based on someone else's experience. Each individual client machine can average from less than 1 I/O per second (normal PC or Mac used for sales/accounting) to as much as 4 (fast workstation using large applications). A fast workstation running a compiler can happily average 3-4 MB/s in data transfer requests, and an imaging system can demand even more.</p><p>Our recommendation? Spy on someone with a similar configuration and try to estimate their bandwidth requirements from their bottlenecks and the volume of the screams from their users. We also recommend Brian Wong's <em class="citetitle">Configuration and Capacity Planning for Solaris Servers</em>. While he uses Sun Solaris foremost in his examples, his bottlenecks are disks and network cards, which are common among all the major vendors. His tables for FTP servers also come very close to what we calculated for Samba servers, and make a good starting point.<a class="indexterm" name="appb-idx-959809-0"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appb-90359"></a>Measurement Forms</h3></div></div></div><p>
-<a class="indexterm" name="appb-idx-959816-0"></a><a href="#appb-82208" title="Table B.6. Ethernet Interface to Same Host: FTP">Table 2.6</a> and <a href="#appb-34846" title="Table B.7. Ethernet Interface to Same Host: FTP">Table 2.7</a> are empty tables that you can use for copying and recording data. The bottleneck calculation in the previous example can be done in a spreadsheet, or manually with <a href="#appb-51003" title="Table B.8. Bottleneck Calculation Table">Table 2.8</a>. If Samba is as good as or better than FTP, and if there aren't any individual test runs that are much different from the average, you have a well-configured system. If loopback isn't much faster than anything else, you have a problem with your TCP/IP software. If both FTP and Samba are slow, you probably have a problem with your networking: a faulty Ethernet card will produce this, as will accidentally setting an Ethernet card to half-duplex when it's not connected to a half-duplex hub. Remember that CPU and disk speeds are commonly measured in bytes, network speeds in bits.</p><p>We've included columns for both bytes and bits in the tables. In the last column, we compare results to 10 Mb/s because that's the speed of a traditional Ethernet.</p><div class="table"><a name="appb-82208"></a><p class="title"><b>Table B.6. Ethernet Interface to Same Host: FTP </b></p><div class="table-contents"><table summary="Ethernet Interface to Same Host: FTP " border="1"><colgroup><col><col><col><col><col><col></colgroup><thead><tr><th><p>Run No</p></th><th><p>Size in Bytes</p></th><th><p>Time (sec)</p></th><th><p>Bytes/sec</p></th><th><p>Bits/sec</p></th><th><p>% of 10 Mb/s</p></th></tr></thead><tbody><tr><td><p>1</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>2</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>3</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>4</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>5</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>Average:</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>Deviation:</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="appb-34846"></a><p class="title"><b>Table B.7. Ethernet Interface to Same Host: FTP </b></p><div class="table-contents"><table summary="Ethernet Interface to Same Host: FTP " border="1"><colgroup><col><col><col><col><col><col></colgroup><thead><tr><th><p>Run No</p></th><th><p>Size in Bytes</p></th><th><p>Time, sec</p></th><th><p>Bytes/sec</p></th><th><p>Bits/sec</p></th><th><p>% of 10 Mb/s</p></th></tr></thead><tbody><tr><td><p>1</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>2</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>3</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>4</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>5</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>Average:</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td><p>Deviation:</p></td><td> </td><td> </td><td> </td><td> </td><td> </td></tr></tbody></table></div></div><br class="table-break"><div class="table"><a name="appb-51003"></a><p class="title"><b>Table B.8. Bottleneck Calculation Table</b></p><div class="table-contents"><table summary="Bottleneck Calculation Table" border="1"><colgroup><col><col><col><col><col><col><col></colgroup><thead><tr><th><p>CPU</p></th><th><p>Throughput</p></th><th><p>of Disks</p></th><th><p>Disk Throughput</p></th><th><p>Number of Networks</p></th><th><p>Network Throughput</p></th><th><p>Total Throughput</p></th></tr></thead><tbody><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr><tr><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td><td> </td></tr></tbody></table></div></div><br class="table-break"><p>In <a href="#appb-51003" title="Table B.8. Bottleneck Calculation Table">Table 2.8</a>:</p><div class="itemizedlist"><ul type="disc"><li><p>CPU throughput = (KB/second from <a href="#ch06-89804" title="Figure 6.5. Configuring a Windows NT client for domain logons">Figure 6.5</a>)  ×  (number of CPUs)</p></li><li><p>Disk throughput = (KB/second from <a href="#ch06-48609" title="Figure 6.4. Configuring a Windows 95/98 client for domain logons">Figure 6.4</a>)  ×  (number of disks)</p></li><li><p>Network throughput = (KB/second from <a href="#ch06-71393" title="Figure 6.6. Local profiles versus roaming profiles">Figure 6.6</a>)  ×  (number of networks)</p></li><li><p>Total throughput = min (Disk, CPU, and Network throughput)</p></li></ul></div><p>A typical test, in this case for an FTP <code class="literal">get</code>, would be entered as in <a href="#appb-37370" title="Table B.9. Ethernet Interface to Same Host: FTP">Table 2.9</a></p><div class="table"><a name="appb-37370"></a><p class="title"><b>Table B.9. Ethernet Interface to Same Host: FTP </b></p><div class="table-contents"><table summary="Ethernet Interface to Same Host: FTP " border="1"><colgroup><col><col><col><col><col><col></colgroup><thead><tr><th><p>Run No</p></th><th><p>Size in Bytes</p></th><th><p>Time, sec</p></th><th><p>Bytes/sec</p></th><th><p>Bits/sec</p></th><th><p>% of 10 Mb/s</p></th></tr></thead><tbody><tr><td><p>1</p></td><td><p>1812898</p></td><td><p>2.3</p></td><td><p>761580</p></td><td> </td><td> </td></tr><tr><td><p>2</p></td><td> </td><td><p>2.3</p></td><td><p>767820</p></td><td> </td><td> </td></tr><tr><td><p>3</p></td><td> </td><td><p>2.4</p></td><td><p>747420</p></td><td> </td><td> </td></tr><tr><td><p>4</p></td><td> </td><td><p>2.3</p></td><td><p>760020</p></td><td> </td><td> </td></tr><tr><td><p>5</p></td><td> </td><td><p>2.3</p></td><td><p>772700</p></td><td> </td><td> </td></tr><tr><td><p>Average:</p></td><td> </td><td><p>2.32</p></td><td><p>777310</p></td><td><p>6218480</p></td><td><p>62</p></td></tr><tr><td><p>Deviation:</p></td><td> </td><td><p>0.04</p></td><td> </td><td> </td><td> </td></tr></tbody></table></div></div><br class="table-break"><p>The Sparc example we used earlier would look like <a href="#SAMBA-AP-B-TBL-10" title="Table B.10. Sparc 20 Example, Redux">Table 2.10</a>.</p><div class="table"><a name="SAMBA-AP-B-TBL-10"></a><p class="title"><b>Table B.10. Sparc 20 Example, Redux</b></p><div class="table-contents"><table summary="Sparc 20 Example, Redux" border="1"><colgroup><col><col><col><col><col><col><col></colgroup><thead><tr><th><p>CPU</p></th><th><p>CPU Throughput</p></th><th><p>Number of Disks</p></th><th><p>Disk Throughput</p></th><th><p>Number of Networks</p></th><th><p>Network Throughput</p></th><th><p>Total Throughput</p></th></tr></thead><tbody><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>1</p></td><td><p>560</p></td><td><p>1 10base2</p></td><td><p>1,113</p></td><td><p>560</p></td></tr><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>6</p></td><td><p>3,360</p></td><td><p>1</p></td><td><p>1,113</p></td><td><p>1,113</p></td></tr><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>6</p></td><td><p>3,360</p></td><td><p>4 10base2</p></td><td><p>4,452</p></td><td><p>3,360</p></td></tr><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>20</p></td><td><p>11,200</p></td><td><p>4</p></td><td><p>4,452</p></td><td><p>4,452</p></td></tr><tr><td><p>2</p></td><td><p>6,000</p></td><td><p>20</p></td><td><p>11,200</p></td><td><p>2 100base2</p></td><td><p>13,000</p></td><td><p>11,200</p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.appb-pgfId-951214" href="#appb-pgfId-951214">1</a>] </sup>See Wong. Brian L, <span class="emphasis"><em>Configuration and Capacity Planning for Solaris Servers</em></span>, Englewood Cliffs, NJ (Sun/Prentice-Hall), 1997, ISBN 0-13-349952-9.</p></div><div class="footnote"><p><sup>[<a name="ftn.appb-pgfId-951230" href="#appb-pgfId-951230">2</a>] </sup>See Jain, Raj, <span class="emphasis"><em>The Art of Computer Systems Performance Analysis</em></span>, New York, NY (John Wiley and Sons), 1991, ISBN 0-47-150336-3.</p></div></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-C"></a>Appendix C. Samba Configuration Option Quick Reference</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#appc-SECT-1">C.1. Configuration Options</a></span></dt><dt><span class="sect1"><a href="#appc-SECT-2">C.2. Glossary of Configuration Values</a></span></dt><dt><span class="sect1"><a href="#appc-SECT-3">C.3. Configuration File Variables</a></span></dt></dl></div><p>The following pages list each of the Samba configuration
-options. If an option is applicable only to the global section,
-"[global]" will appear before its name. Any lists mentioned are space
-separated, except where noted. A glossary of terms follows the
-options.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appc-SECT-1"></a>Configuration Options</h2></div></div></div><div class="refentry" lang="en"><a name="appc-refentry-1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>admin users = user list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of users who will be granted root permissions on the share by Samba.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-2"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>allow hosts = host list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">hosts allow</code>. List of machines that may connect to a share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-3"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>alternate permissions = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Obsolete. Has no effect in Samba 2. Files will be shown as read-only if the owner can't write them. In Samba 1.9 and earlier, setting this option would set the DOS filesystem read-only attribute on any file the user couldn't read. This in turn required the <code class="literal">delete readonly</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-4"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] announce as = system type</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Have Samba announce itself as something other than an NT server. Discouraged because it interferes with serving browse lists.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] announce version = number.number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Instructs Samba to announce itself as an older version SMB server. Discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-6"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] auto services = share list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of shares that will always appear in browse lists. A synonym is <code class="literal">preload</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-7"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>available = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to NO, denies access to a share. Doesn't affect browsing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-8"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] bind interfaces only = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, shares and browsing will be provided only on interfaces in an interfaces list (see <code class="literal">interfaces</code>). New in Samba 1.9.18. If you set this option to YES, be sure to add 127.0.0.1 to the interfaces list to allow <span class="emphasis"><em>smbpasswd</em></span> to connect to the local machine to change passwords. This is a convienence option; it does not improve security.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-9"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>browsable = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows a share to be announced in browse lists.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-10"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>blocking locks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, honors byte range lock requests with time limits for queuing the request and retrying it until the time period expires. New in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-11"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] browse list = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Turns on/off <code class="literal">browse</code> <code class="literal">list</code> from this server. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-12"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] case sensitive = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, uses exactly the case the client supplied when trying to resolve a filename. If NO, matches either upper- or lowercase name. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-13"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] case sig names = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">case sensitive</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-14"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] change notify timeout = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the number of seconds between checks when a client asks for notification of changes in a directory. Introduced in Samba 2.0 to limit the performance cost of the checks. Avoid lowering.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-15"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>character set = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set, translates from DOS code pages to the Western European (ISO8859-1), Eastern European (ISO8859-2), Russian Cyrillic (ISO8859-5), or Alternate Russian (KOI8-R) character set. The <code class="literal">client code page</code> must be set to 850.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-16"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>client code page = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the DOS code page explicitly, overriding any previous <code class="literal">valid chars</code> settings. Examples of values are 850 for European, 437 is the US standard, and 932 for Japanese Shift-JIS. Introduced in Samba 1.9.19.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-17"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>coding system = code</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the coding system used, notably for Kanji. This is employed for filenames and should  correspond to the code page in use. The <code class="literal">client code page</code> option must be set to 932 (Japanese Shift-JIS). Introduced in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-18"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>comment = text</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the comment that appears beside a share in a NET VIEW or the details list of a Microsoft directory window. See also the <code class="literal">server string</code> configuration option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-19"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] config file = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Selects an additional Samba configuration file to read instead of the current one. Used to relocate the configuration file, or used with %-variables to select custom configuration files for some users or machines.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-20"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>copy = section name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Copies the configuration of a previously seen share into the share where it appears. Used with %-variables to select custom configurations for machines, architectures and users. The copied section must be earlier in the configuration file. Copied options are of lesser priority than those explicitly listed in the section.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-21"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>create mask = octal value</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Also called <code class="literal">create mode</code>. Sets the maximum allowable permissions for new files (e.g., 0755). See also <code class="literal">directory mask</code>. To require certain permissions to be set, see <code class="literal">force create mask/force directory mask</code>. This option stopped affecting directories in Samba 1.9.17, and the default value changed in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-22"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>create mode = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">create mask</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-23"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] deadtime = minutes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>The time in minutes before an unused connection will be terminated. Zero means forever. Used to keep clients from tying up server resources forever. If used, clients will have to auto-reconnect after minutes of inactivity. See also <code class="literal">keepalive</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-24"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] debug level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the logging level used. Values of 3 or more slow Samba noticeably. A synonym is <code class="literal">log level</code>. Recommended value: 1.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-25"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] debug timestamp = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Timestamps all log messages. Can be turned off when it's not useful (e.g., in debugging). New in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-26"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] default = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Also called <code class="literal">default service</code>. The name of a service (share) to provide if someone requests a service they don't have permission to use or which doesn't exist. As of Samba 1.9.14, the path will be set from the name the client specified, with any "_" characters changed to "/" characters, allowing access to any directory on the Samba server. Use is strongly discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-27"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>default case = case</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the case in which to store new filenames. LOWER indicates mixed case, UPPER indicates uppercase letters.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-28"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] default service = share name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">default</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-29"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>delete readonly = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allow delete requests to remove read-only files. This is not allowed in DOS/Windows, but is normal in Unix, which has separate directory permissions. Used with programs like RCS, or with the older <code class="literal">alternate permissions</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-30"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>delete veto files = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allow delete requests for a directory containing files or subdirectories the user can't see due to the <code class="literal">veto files</code> option. If set to NO, the directory will not be deleted and will still contain invisible files.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-31"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>deny hosts = host list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A synonym is <code class="literal">hosts deny</code>. Specifies a list of machines from which to refuse connections or shares.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-32"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] dfree command = command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A command to run on the server to return disk free space. Not needed unless the OS command does not work properly.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-33"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>directory = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">path</code>. A directory provided by a file share, or used by a printer share. Set automatically in the <code class="literal">[homes]</code> share to user's home directory, otherwise defaults to<code class="filename"> /tmp</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-34"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>directory mask = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Also called <code class="literal">directory mode</code>. Sets the maximum allowable permissions for newly created directories. To require certain permissions be set, see the <code class="literal">force create mask</code> and <code class="literal">force directory mask</code> options.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-35"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>directory mode = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">directory mask</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-36"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] dns proxy = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, and if <code class="literal">wins server = YES</code>, look up hostnames in DNS if they are not found using WINS.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-37"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] domain logons = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allow Windows 95/98 or NT clients to log on to an NT-like domain.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-38"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] domain master = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Become a domain master browser list collector if possible for the entire workgroup/domain.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-39"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>dont descend = comma-list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Does not allow a change directory or search in the directories specified. This is a browsing convenience option; it doesn't provide any extra security.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-40"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>dos filetimes = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allow non-owners to change file times if they can write to the file. See also <code class="literal">dos filetime resolution</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-41"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>dos filetime resolution = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set file times on Unix to match DOS standards (round to next even second). Recommended if using Visual C++ or a PC <span class="emphasis"><em>make</em></span> program to avoid remaking the programs unnecesarily. Use with the <code class="literal">dos filetimes</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-42"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] encrypt passwords = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Uses Windows NT-style password encryption. Requires an <code class="filename">smbpasswd</code> on the Samba server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-43"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>exec = command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">preexec</code>, a command to run as the user just before connecting to the share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-44"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>fake directory create times = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Bug fix for users of Microsoft <span class="emphasis"><em>nmake</em></span>. If set, Samba will set directory create times such that <span class="emphasis"><em>nmake</em></span> won't remake all files every time.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-45"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>fake oplocks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Return YES whenever a client asks if it can lock a file and cache it locally, but does not enforce lock on the server. Use only for read-only disks, as Samba now supports real <code class="literal">oplocks</code> and has per-file overrides. See also <code class="literal">oplocks</code> and <code class="literal">veto oplock files</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-46"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>follow symlinks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, Samba will follow symlinks in a file share or shares. See the <code class="literal">wide links</code> option if you want to restrict symlinks to just the current share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-47"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force create mask = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Provides bits that will be <code class="literal">OR</code>ed into the permissions of newly created files. Used with the <code class="literal">create mode</code> configuration option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-48"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force create mode = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">force create mask</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-49"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force directory mask = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Provides bits that will be <code class="literal">OR</code>ed into the permissions of newly created directories, forcing those bits to be set. Used with <code class="literal">directory mode</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-50"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force directory mode = octal permission bits</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">force</code> <code class="literal">directory</code> <code class="literal">mask</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-51"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force group = unix group</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the effective group name assigned to all users accessing a share. Used to override user's normal groups.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-52"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>force user = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the effective username assigned to all users accessing a share. Discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-53"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>fstype = string</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the filesystem type reported to the client.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-54"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] getwd cache = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Cache current directory for performance. Recommended with the <code class="literal">wide links</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-55"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>group = group</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>An obsolete form of <code class="literal">force group</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-56"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>guest account = user</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the name of the unprivileged Unix account to use for tasks like printing and for accessing shares marked with <code class="literal">guest ok</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-57"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>guest ok = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, passwords are not needed for this share. Synonym of <code class="literal">public</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-58"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>guest only = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Forces user of a share to do so as the guest account. Requires <code class="literal">guest</code> <code class="literal">ok</code> or <code class="literal">public</code> to be <code class="literal">yes</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-59"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>hide dot files = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Treats files beginning with a dot in a share as if they had the DOS/Windows hidden attribute set.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-60"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>hide files = slash-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of file or directory names to set the DOS hidden attribute on. Names may contain <code class="literal">?</code> or <code class="literal">*</code> pattern-characters and <code class="literal">%</code>-variables. See also <code class="literal">hide</code> <code class="literal">dot</code> <code class="literal">files</code> and <code class="literal">veto</code> <code class="literal">files</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-61"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] homedir map = NIS map name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Used with <code class="literal">nis homedir</code> to locate user's Unix home directory from Sun NIS (not NIS+).</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-62"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>hosts allow = host list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">allow hosts</code>, a list of machines that can access a share or shares. If NULL (the default) any machine can access the share unless there is a <code class="literal">hosts deny</code> option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-63"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>hosts deny = host list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">deny hosts</code>, a list of machines that cannot connect to a share or shares.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-64"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] hosts equiv = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Path to a file of trusted machines from which password-less logins are allowed. Strongly discouraged, because Windows/NT users can always override the user name, the only security in this scheme.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-65"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>include = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Include the named file in <code class="filename">smb.conf</code> at the line where it appears. This option does not understand the variables <code class="literal">%u</code> (user), <code class="literal">%P</code> (current share's root directory), or <code class="literal">%S</code> (current share name), because they are not set at the time the file is read.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-66"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] interfaces = interface list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the interfaces to which Samba will respond. The default is the machine's primary interface only. Recommended on multihomed machines or to override erroneous addresses and netmasks.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-67"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>invalid users = user list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of users that will not be permitted access to a share or shares.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-68"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] keepalive = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Number of seconds between checks for a crashed client. The default of 0 causes no checks to be performed. Recommended if you want checks more often than every four hours. 3600 (10 minutes) is reasonable. See also <code class="literal">socket options</code> for another approach.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-69"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] kernel oplocks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Break oplock when a Unix process accesses an <span class="emphasis"><em>oplocked</em></span> file, preventing corruption. Set to YES on operating systems supporting this, otherwise set to NO. New in Samba 2.0; supported on SGI, and hopefully soon on Linux and BSD. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-70"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap filter = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-71"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap port = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-72"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap root = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-73"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap server = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-74"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] ldap suffix = various</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Options beginning with <code class="literal">ldap</code> are part of an experimental (circa Samba 2.0) use of the Lightweight Directory Access Protocol (LDAP) general directory/distributed database for user, name, and host information. This option is reserved for future use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-75"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] load printers = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Load all printer names from the system printer capabilities into browse list. Uses configuration options from the <code class="literal">[printers]</code> section.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-76"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] local master = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Stands for election as the local master browser. See also <code class="literal">domain master</code> and <code class="literal">os level</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-77"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] lm announce = value</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Produce OS/2 SMB broadcasts at an interval specified by the <code class="literal">lm interval</code> option. YES/NO turns them on/off unconditionally. AUTO causes the Samba server to wait for a LAN Manager announcement from another client before sending one out. Required for OS/2 client browsing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-78"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] lm interval = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the time period, in seconds, between OS/2 SMB broadcast announcements.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-79"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] lock directory = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set a directory to keep lock files in. The directory must be writable by Samba, readable by everyone.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-80"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>locking = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Perform file locking. If set to NO, Samba will accept lock requests but will not actually lock resources. Recommended only for read-only file systems.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-81"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] log file = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set name and location of the log file. Allows all %-variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-82"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] log level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A synonym of <code class="literal">debug level</code>. Sets the logging level used. Values of 3 or more slow the system noticeably.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-83"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] logon drive = drive</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the drive on Windows NT (only) of the <code class="literal">logon path</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-84"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] logon home = path</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the home directory of a Windows 95/98 or NT Workstation user. Allows <code class="literal">NET</code> <code class="literal">USE</code> <code class="literal">H:/HOME</code> from the command prompt.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-85"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] logon path = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets path to Windows profile directory. This contains <span class="emphasis"><em>USER.MAN</em></span> and/or <span class="emphasis"><em>USER.DAT</em></span> profile files and the Windows 95 Desktop, Start Menu, Network Neighborhood, and programs folders.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-86"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] logon script = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets pathname relative to <code class="literal">[netlogin]</code> share of a DOS/NT script to run on the client at login time. Allows all %-variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-87"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>lppause command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command to pause a print job. Honors the <code class="literal">%p</code> (printer name) and <code class="literal">%j</code> (job number) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-88"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>lpresume command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command to resume a paused print job. Honors the <code class="literal">%p</code> (printer name) and <code class="literal">%j</code> ( job number) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-89"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] lpq cache time = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets how long to keep print queue (<code class="literal">lpq  </code>) status is cached, in seconds.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-90"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>lpq command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to get printer status. Usually initialized to a default value by the <code class="literal">printing</code> option. Honors the <code class="literal">%p</code> (printer name) variable.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-91"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>lprm command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command to delete a print job. Usually initialized to a default value by the <code class="literal">printing</code> option. Honors the <code class="literal">%p</code> (printer name) and <code class="literal">%j</code> (job number) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-92"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>machine password timeout = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the period between (NT domain) machine password changes. Default is 1 week, or 604,800 seconds.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-93"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>magic output = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the output file for the discouraged <code class="literal">magic scripts</code> option. Default is the script name, followed by the extension <span class="emphasis"><em>.out</em></span>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-94"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>magic script = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a filename for execution via a shell whenever the file is closed from the client, to allow clients to run commands on the server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-95"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>mangle case = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Mangle a name if it is in mixed case.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-96"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>mangled map = map list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set up a table of names to remap (e.g., <span class="emphasis"><em>.html</em></span> to <span class="emphasis"><em>.htm</em></span>).</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-97"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>mangled names = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets Samba to abbreviate names that are too long or have unsupported characters to the DOS 8.3 style.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-98"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>mangling char = character</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the unique mangling character used in all mangled names.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-99"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] mangled stack = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the size of a cache of recently-mangled filenames.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-100"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map aliasname = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Points to a file of Unix group/NT group pairs, one per line. This is used to map NT aliases to Unix group names. See also the configuration options <code class="literal">username</code> <code class="literal">map</code> and <code class="literal">map</code> <code class="literal">groupname</code>. Introduced in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-101"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map archive = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, Samba sets the executable-by-user (0100) bit on Unix files if the DOS archive attribute is set. Recommended: if used, the <code class="literal">create mask</code> must contain the 0100 bit.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-102"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map hidden = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, sets executable-by-other (0001) bit on Unix files if the DOS hidden attribute is set. If used, the <code class="literal">create mask</code> option must contain the  0001 bit.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-103"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map groupname = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Points to a file of Unix group/NT group, one per line. This is used to map NT group names to Unix group names. See also the configuration options <code class="literal">username</code> <code class="literal">map</code> and <code class="literal">map</code> <code class="literal">aliasname</code>. Introduced in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-104"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>map system = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, Samba sets the executable-by-group (0010) bit on Unix files if the DOS system attribute is set. If used, the <code class="literal">create mask</code> must contain the  0010 bit.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-105"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>max connections = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Set maximum number of connections allowed to a share from each individual client machine.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-106"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max disk size = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets maximum disk size/free-space size (in megabytes) to return to client. Some clients or applications can't understand large maximum disk sizes.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-107"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max log size = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the size (in kilobytes) at which Samba will start a new log file. The current log file will be renamed with an <span class="emphasis"><em>.old</em></span> extension, replacing any previous file with that name.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-108"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max mux = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the number of simultaneous operations that Samba clients may make. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-109"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max packet = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">packet size</code>. Obsolete as of Samba 1.7. Use <code class="literal">max xmit</code> instead.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-110"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max open files = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Limits the number of files a Samba process will try to keep open at one time. Samba allows you to set this to less than the Unix maximum. This option is a workaround for a separate problem. Avoid changing. This option was introduced in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-111"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max ttl = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the time to keep NetBIOS names in <span class="emphasis"><em>nmbd</em></span> cache while trying to perform a lookup on it. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-112"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max wins ttl = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Limits time-to-live of a NetBIOS name in <span class="emphasis"><em>nmbd</em></span> WINS cache, in seconds. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-113"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] max xmit = bytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets maximum packet size that will be negotiated by Samba. Tuning parameter for slow links and older client bugs. Values less than 2048 are discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-114"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] message command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command on the server to run when a WinPopup message arrives from a client. The command must end in "<code class="literal">&amp;</code>" to allow immediate return. Honors all %-variables except <code class="literal">%u</code> (user), and supports the extra variables <code class="literal">%s</code> (filename the message is in), <code class="literal">%t</code> (destination machine), and <code class="literal">%f</code> (from).</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-115"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>min print space = kilobytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets minimum spool space required before accepting a print request.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-116"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] min wins ttl = seconds</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets minimum time-to-live of a NetBIOS name in <span class="emphasis"><em>nmbd</em></span> WINS cache, in seconds. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-117"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>name resolve order = list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets order of lookup when trying to get IP address from names. The <code class="literal">hosts</code> parameter carrries out a regular name look up using the server's normal sources: <span class="emphasis"><em>/etc/hosts</em></span>, DNS, NIS, or a combination of them. Introduced in Samba 1.9.18p4.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-118"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] netbios aliases = list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Adds additional NetBIOS names by which a Samba server will advertise itself.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-119"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>netbios name = hostname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the NetBIOS name by which a Samba server is known, or primary name if NetBIOS aliases exist.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-120"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] networkstation user login = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to NO, clients will not do a full login when <code class="literal">security = server</code>. Avoid changing. Turning it off is a temporary workaround (introduced in Samba 1.9.18p3) for NT trusted domains bug. Automatic correction was introduced in Samba 1.9.18p10; the parameter may eventually be removed.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-121"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] nis homedir = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, the <code class="literal">homedir map</code> will be used to look up the user's home-directory server name and return it to the client. The client will contact that machine to connect to the share. This avoids mounting from a machine that doesn't actually have the disk. The machine with the home directories must be an SMB server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-122"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] nt pipe support = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows turning off NT-specific pipe calls. This is a developer/benchmarking option and may be removed in the future. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-123"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] nt smb support = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, allow NT-specific SMBs to be used. This is a developer/benchmarking option and may be removed in the future. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-124"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] null passwords = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, allows access to accounts that have null passwords. Strongly discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-125"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ole locking compatibility = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, locking ranges will be mapped to avoid Unix locks crashing when Windows uses locks above 32KB. You should avoid changing this option. Introduced in Samba 1.9.18p10.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-126"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>only guest = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A synonym for <code class="literal">guest only</code>. Forces user of a share to login as the guest account.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-127"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>only user = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Requires that users of the share be on a <code class="literal">username =</code> list.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-128"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>oplocks = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, support local caching of <span class="emphasis"><em>opportunistic</em></span> locked files on client. This option is recommended because it improves performance by about 30%. See also <code class="literal">fake</code> <code class="literal">oplocks</code> and <code class="literal">veto</code> <code class="literal">oplock</code> <code class="literal">files</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-129"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] os level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the candidacy of the server when electing a browse master. Used with the <code class="literal">domain</code> <code class="literal">master</code> or <code class="literal">local</code> <code class="literal">master</code> options. You can set a higher value than a competing operating system if you want Samba to win. Windows for Workgroups and Windows 95 use 1, Windows NT client uses 17, and Windows NT Server uses 33.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-130"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] packet size = bytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Obsolete. Discouraged synonym of <code class="literal">max packet</code>. See <code class="literal">max xmit</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-131"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] passwd chat debug = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Logs an entire password chat, including passwords passed, with a log level of 100. For debugging only. Introduced in Samba 1.9.18p5.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-132"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] passwd chat = command sequence</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to change passwords on the server. Supports the variables <code class="literal">%o</code> (old password) and <code class="literal">%n</code> (new password) and allows <code class="literal">\r</code> <code class="literal">\n</code> <code class="literal">\t</code> and <code class="literal">\s</code> (space) escapes in the sequence.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-133"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] passwd program = program</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to change user's password. Will be run as <code class="literal">root</code>. Supports <code class="literal">%u</code> (user).</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-134"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] password level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Specifies the number of uppercase letter permutations used to match passwords. Workaround for clients that change passwords to a single case before sending them to the Samba server. Causes repeated login attempts with passwords in different cases, which can trigger account lockouts.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-135"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] password server = netbios names</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>A list of SMB servers that will validate passwords for you. Used with an NT password server (PDC or BDC) and the <code class="literal">security</code> <code class="literal">=</code> <code class="literal">server</code> or <code class="literal">security</code> <code class="literal">=</code> <code class="literal">domain</code> configuration options. Caution: an NT password server must allow logins from the Samba server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-136"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>panic action = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command to run when Samba panics. For Samba developers and testers, <code class="literal">/usr/bin/X11/xterm -display :0 -e gdb /samba/bin/smbd %d</code> is a possible value.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-137"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>path = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the path to the directory provided by a file share or used by a printer share. Set automatically in <code class="literal">[homes]</code> share to user's home directory, otherwise defaults to<code class="filename"> /tmp</code>. Honors the <code class="literal">%u</code> (user) and <code class="literal">%m</code> (machine) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-138"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>postexec = /absolute_  path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a command to run as the user after disconnecting from the share. See also the options <code class="literal">preexec</code>, <code class="literal">root preexec</code>, and <code class="literal">root postexec</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-139"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>postscript = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Flags a printer as PostScript to avoid a Windows bug by inserting <code class="literal">%!</code> as the first line. Works only if printer actually is PostScript compatible.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-140"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>preexec = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a command to run as the user before connecting to the share. See also the options <code class="literal">postexec</code>, <code class="literal">root preexec</code>, and <code class="literal">root postexec</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-141"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] preferred master = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, Samba is preferred to become the master browser. Causes Samba to call a browsing election when it comes online.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-142"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>preload = share list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">auto</code> <code class="literal">services</code>. Specifies a list of shares that will always appear in browse lists.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-143"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>preserve case = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, this option leaves filenames in the case sent by client. If no, it forces filenames to the case specified by the <code class="literal">default</code> <code class="literal">case</code> option. See also <code class="literal">short preserve case</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-144"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>print command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to send a spooled file to the printer. Usually initialized to a default value by the <code class="literal">printing</code> option. This option honors the <code class="literal">%p</code> (printer name), <code class="literal">%s</code> (spool file) and <code class="literal">%f</code> (spool file as a relative path) variables. Note that the command in the value of the option must include file deletion of the spool file.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-145"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>print ok = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">printable</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-146"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printable = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a share to be a print share. Required for all printers.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-147"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] printcap name = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the path to the printer capabilities file used by the <code class="literal">[printers]</code> share. The default value changes to <code class="filename">/etc/qconfig</code> under AIX and <code class="filename">lpstat</code> on System V.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-148"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printer = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the name of the Unix printer.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-149"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printer driver = printer driver name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the string to pass to Windows when asked what driver to use to prepare files for a printer share. Note that the value is case sensitive.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-150"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] printer driver file = path</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the location of a <span class="emphasis"><em>msprint.def</em></span> file, usable by Windows 95/98.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-151"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printer driver location = path</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the location of the driver for a particular printer. The value is a pathname for a share that stores the printer driver files.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-152"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printer name = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of <code class="literal">printer</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-153"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>printing = style</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets printing style to one of the above, instead of the compiled-in value. This sets initial values of at least the <code class="literal">print</code> <code class="literal">command </code>, <code class="literal">print</code> <code class="literal">command </code>, <code class="literal">lpq</code> <code class="literal">command </code>, and <code class="literal">lprm</code> <code class="literal">command</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-154"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] protocol = protocol</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets SMB protocol version to one of the allowable
-values. Resetting is highly discouraged. Only for backwards
-compatibility with older-client bugs.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-155"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>public = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, passwords are not needed for this share. A synonym is <code class="literal">guest ok</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-156"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>queuepause command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to pause a print queue. Usually initialized to a default value by the <code class="literal">printing</code> option. Introduced in Samba 1.9.18p10.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-157"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>queueresume command = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the command used to resume a print queue. Usually initialized to a default value by the <code class="literal">printing</code> option. Introduced in Samba 1.9.18p10.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-158"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>read bmpx = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Obsolete. Do not change.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-159"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>read list = comma-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Specifies a list of users given read-only access to a writeable share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-160"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>read only = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a share to read-only. Antonym of <code class="literal">writable</code> and <code class="literal">write ok</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-161"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] read prediction = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Reads ahead data for read-only files. Obsolete; removed in Samba 2.0.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-162"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] read raw = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows fast streaming reads over TCP using 64K buffers. Recommended.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-163"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] read size = bytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a buffering option for servers with mismatched disk and network speeds. Requires experimentation. Avoid changing. Should not exceed 65536.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-164"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] remote announce = remote list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Adds workgroups to the list on which the Samba server will announce itself. Specified as IP address/workgroup (for instance, 192.168.220.215/SIMPLE) with multiple groups separated by spaces. Allows directed broadcasts. The server will appear on those workgroup's browse lists. Does not require WINS.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-165"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] remote browse sync = address list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Enables Samba-only browse list synchronization with other Samba local master browsers. Addresses can be specific addresses or directed broadcasts (i.e., ###.###.###.255). The latter will cause Samba to hunt down the local master.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-166"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>revalidate = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, requires users to re-enter passwords even after a successful initial logon to a share with a password.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-167"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] root = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">root directory</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-168"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] root dir = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">root directory</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-169"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] root directory = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Specifies a directory to <code class="literal">chroot()</code> to before starting daemons. Prevents any access below that directory tree. See also the <code class="literal">wide links</code> configuration option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-170"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>root postexec = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a command to run as root after disconnecting from the share. See also <code class="literal">preexec</code>, <code class="literal">postexec</code>, and <code class="literal">root</code> <code class="literal">preexec</code> configuration options. Runs after the user's <code class="literal">postexec</code> command. Use with caution.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-171"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>root preexec = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a command to run as root before connecting to the share. See also <code class="literal">preexec</code>, <code class="literal">postexec</code>, and <code class="literal">root</code> <code class="literal">postexec</code> configuration options. Runs before the user's <code class="literal">preexec</code> command. Use with caution.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-172"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] security = value</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets password-security policy. If <code class="literal">security</code> <code class="literal">=</code> <code class="literal">share</code>, services have a shared password, available to everyone. If <code class="literal">security</code> <code class="literal">=</code> <code class="literal">user</code>, users have (Unix) accounts and passwords. If <code class="literal">security</code> <code class="literal">=</code> <code class="literal">server</code>, users have accounts and passwords and a separate machine authenticates them for Samba. If <code class="literal">security</code> <code class="literal">=</code> <code class="literal">domain</code>, full NT-domain authentication is done. See also the <code class="literal">password server</code> and <code class="literal">encrypted passwords</code> configuration options.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-173"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] server string = text</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the name that appears beside a server in browse lists. Honors the <code class="literal">%v</code> (Samba version number) and <code class="literal">%h</code> (hostname) variables.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-174"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>set directory = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows DEC Pathworks client to use the <span class="emphasis"><em>set dir</em></span> command.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-175"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] shared file entries = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Obsolete; do not use.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-176"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>shared mem size = bytes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If compiled with FAST_SHARE_MODES (mmap), sets the shared memory size in bytes. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-177"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] smb passwd file = path</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Overrides compiled-in path to password file if <code class="literal">encrypted passwords</code> <code class="literal">=</code> <code class="literal">yes</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-178"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] smbrun = /absolute_ path/command</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Overrides compiled-in path to <code class="filename">smbrun</code> binary. Avoid changing.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-179"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>share modes = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, this option supports Windows-style whole-file (deny mode) locks.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-180"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>short preserve case = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, leaves mangled 8.3-style filenames in the case sent by client. If no, it forces the case to that specified by the <code class="literal">default case</code> option. See also <code class="literal">preserve case</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-181"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] socket address = IP address</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets address on which to listen for connections. Default is to listen to all addresses. Used to support multiple virtual interfaces on one server. Highly discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-182"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] socket options = socket option list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets OS-specific socket options. <code class="literal">SO_KEEPALIVE</code> has TCP check clients every 4 hours to see if they are still accessible. <code class="literal">TCP_NODELAY</code> sends even tiny packets to keep delay low. Recommended wherever the operating system supports them. See <a href="#SAMBA-AP-B" title="Appendix B. Samba Performance Tuning">Appendix B</a>, for more information.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-183"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] status = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, logs connections to a file (or shared memory) accessible to <code class="filename">smbstatus</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-184"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>strict sync = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba will synchronize to disk whenever the client sets the sync bit in a packet. If set to NO, Samba flushes data to disk whenever buffers fill. Defaults to NO because Windows 98 Explorer sets the bit (incorrectly) in all packets. Introduced in Samba 1.9.18p10.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-185"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>strict locking = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba checks locks on every access, not just on demand and at open time. Not recommended.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-186"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] strip dot = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Removes trailing dots from filenames. Use <code class="literal">mangled map</code> instead.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-187"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] syslog = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets number of Samba log messages to send to <code class="filename">syslog</code>. Higher is more verbose. The <code class="filename">syslog.conf</code> file must have suitable logging enabled.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-188"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] syslog only = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, log only to <span class="emphasis"><em>syslog,</em></span> not standard Samba log files.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-189"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>sync always = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba calls <span class="emphasis"><em>fsync</em></span>(3) after every write. Avoid except for debugging crashing servers.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-190"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] time offset = minutes</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets number of minutes to add to system time zone calculation. Provided to fix a client daylight-savings bug; not recommended.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-191"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] time server = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If YES, <span class="emphasis"><em>nmbd</em></span> will provide time service to its clients.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-192"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>unix password sync = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set, will attempt to change the user's Unix password whenever the user changes his or her SMB password. Used to ease synchronization of Unix and Microsoft password databases. Added in Samba 1.9.18p4. See also <code class="literal">passwd chat</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-193"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>unix realname = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set, will provide the GCOS field of <code class="filename">/etc/passwd</code> to the client as the user's full name.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-194"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>update encrypted = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Updates the Microsoft-format password file when a user logs in with unencrypted passwords. Provided to ease conversion to encryped passwords for Windows 95/98 and NT. Added in Samba 1.9.18p5.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-195"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>user = comma-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym for <code class="literal">username</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-196"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>username = comma-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets a list of users to try to log in as for a share or shares with share-level security. Synonyms are <code class="literal">user</code> and <code class="literal">users</code>. Discouraged. Use <code class="literal">NET USE \\</code><em class="replaceable"><code>server</code></em><code class="literal">\</code><em class="replaceable"><code>share </code></em><code class="literal">%</code><em class="replaceable"><code>user</code></em> from the client instead.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-197"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>username level = number</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Number of uppercase letter permutations allowed to match Unix usernames. Workaround for Windows feature (single-case usernames). Use is discouraged.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-198"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] username map = pathname</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Names a file of Unix-to-Windows name pairs; used to map different spellings of account names and those Windows usernames longer than eight characters.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-199"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>valid chars = list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Semi-obsolete. Adds national characters to a character set map. Overridden by <code class="literal">client code page</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-200"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>valid users = user list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of users that can log in to a share.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-201"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>veto files = slash-list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of files not to allow the client to see when listing a directory's contents. See also <code class="literal">delete veto files</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-202"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>veto oplock files = slash-list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of files not to oplock (and cache on clients). See also <code class="literal">oplocks</code> and <code class="literal">fake oplocks</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-203"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>volume = share name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the volume label of a disk share, notably a CD-ROM.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-204"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>wide links = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba will follow symlinks out of the current disk share(s). See also the <code class="literal">root dir</code> and <code class="literal">follow symlinks</code> options.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-205"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] wins proxy = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, <span class="emphasis"><em>nmbd</em></span> will proxy resolution requests to WINS servers on behalf of old clients, which use broadcasts. WINS server is typically on another subnet.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-206"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] wins server = host</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the DNS name or IP address of the WINS server.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-207"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] wins support = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>If set to YES, Samba activates WINS service. The <code class="literal">wins server</code> option must not be set if <code class="literal">wins support = yes</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-208"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] workgroup = name</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Sets the workgroup to which things will be served. Overrides compiled-in value. Choosing a name other than <code class="literal">WORKGROUP</code> is strongly recommended.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-209"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>writable = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Antonym for <code class="literal">read only</code>; synonym of <code class="literal">write ok</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-210"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>write list = comma-separated list</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>List of users that are given read-write access to a read-only share. See also <code class="literal">read list</code>.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-211"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>write ok = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Synonym of the <code class="literal">writable</code> configuration option.</p></div></div><div class="refentry" lang="en"><div class="refentry.separator"><hr></div><a name="appc-refentry-212"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>[global] write raw = boolean</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p>Allows fast streaming writes over TCP, using 64KB buffers. Recommended.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appc-SECT-2"></a>Glossary of Configuration Values</h2></div></div></div><div class="variablelist"><dl><dt><span class="term">
-<a class="indexterm" name="appc-idx-990655-0"></a>Address list</span></dt><dd><p>A space-separated list of IP addresses in ###.###.###.### format.</p></dd><dt><span class="term">Comma-separated list</span></dt><dd><p>A list of items separated by commas.</p></dd><dt><span class="term">Command</span></dt><dd><p>A Unix command, with full path and parameters.</p></dd><dt><span class="term">Host list</span></dt><dd><p>A space-separated list of hosts. Allows IP addresses, address masks, domain names, ALL, and EXCEPT</p></dd><dt><span class="term">Interface list</span></dt><dd><p>A space-separated list of interfaces, in either address/netmask or address/n-bits format. For example, 192.168.2.10/24 or 192.168.2.10/255.255.255.0</p></dd><dt><span class="term">Map list</span></dt><dd><p>A space-separated list of file-remapping strings such as <code class="literal">(*.html</code> <code class="literal">*.htm)</code>.</p></dd><dt><span class="term">Remote list</span></dt><dd><p>A space-separated list of subnet-broadcast-address/workgroup pairs. For example, 192.168.2.255/SERVERS 192.168.4.255/STAFF.</p></dd><dt><span class="term">Service (share) list</span></dt><dd><p>A space-separated list of share names, without the enclosing square brackets.</p></dd><dt><span class="term">Slash-list</span></dt><dd><p>A list of filenames, separated by "/" characters to allow embedded spaces. For example, <code class="literal">/.*/fred</code> <code class="literal">flintstone/*.frk/</code>.</p></dd><dt><span class="term">Text</span></dt><dd><p>One line of text.</p></dd><dt><span class="term">User list</span></dt><dd><p>A space-separated list of usernames. In Samba 1.9, <code class="literal">@group-name</code> will include everyone in Unix group <code class="literal">group-name</code>. In Samba 2.0, <code class="literal">@group-name</code> includes whomever is in the NIS netgroup <code class="literal">group_name</code> if one exists, otherwise whomever is in the Unix group <code class="literal">group_name</code>. In addition, +<code class="literal">group_name</code> is a Unix group, &amp;<code class="literal">group_name</code> is an NIS netgroup, and &amp;+ and +&amp; cause an ordered search of both Unix and NIS groups.</p></dd></dl></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appc-SECT-3"></a>Configuration File Variables</h2></div></div></div><p><a href="#appc-88529" title="Table C.1. Variables in Alphabetic Order">Table 3.1</a> lists of Samba configuration file variables.</p><div class="table"><a name="appc-88529"></a><p class="title"><b>Table C.1. Variables in Alphabetic Order </b></p><div class="table-contents"><table summary="Variables in Alphabetic Order " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Name</p></th><th><p>Meaning</p></th></tr></thead><tbody><tr><td><p><code class="literal">%a</code></p></td><td><p>Client's architecture (one of Samba, WfWg, WinNT, Win95, or UNKNOWN)</p></td></tr><tr><td><p><code class="literal">%d</code></p></td><td><p>Current server process's processID</p></td></tr><tr><td><p><code class="literal">%f</code></p></td><td><p>Print-spool file as a relative path (printing only)</p></td></tr><tr><td><p><code class="literal">%f</code></p></td><td><p>User from which a message was sent (messages only)</p></td></tr><tr><td><p><code class="literal">%G</code></p></td><td><p>Primary group name of <code class="literal">%U</code> (requested username)</p></td></tr><tr><td><p><code class="literal">%g</code></p></td><td><p>Primary group name of <code class="literal">%u</code> (actual username)</p></td></tr><tr><td><p><code class="literal">%H</code></p></td><td><p>Home directory of <code class="literal">%u</code> (actual username)</p></td></tr><tr><td><p><code class="literal">%h</code></p></td><td><p>Samba server's (Internet) hostname</p></td></tr><tr><td><p><code class="literal">%I</code></p></td><td><p>Client's IP address</p></td></tr><tr><td><p><code class="literal">%j</code></p></td><td><p>Print job number (printing only)</p></td></tr><tr><td><p><code class="literal">%L</code></p></td><td><p>Samba server's NetBIOS name (virtual servers have multiple names)</p></td></tr><tr><td><p><code class="literal">%M</code></p></td><td><p>Client's (Internet) hostname</p></td></tr><tr><td><p><code class="literal">%m</code></p></td><td><p>Client's NetBIOS name</p></td></tr><tr><td><p><code class="literal">%n</code></p></td><td><p>New password (password change only)</p></td></tr><tr><td><p><code class="literal">%N</code></p></td><td><p>Name of the NIS home directory server (without NIS, same as <code class="literal">%L</code>)</p></td></tr><tr><td><p><code class="literal">%o</code></p></td><td><p>Old password (password change only)</p></td></tr><tr><td><p><code class="literal">%P</code></p></td><td><p>Current share's root directory (actual)</p></td></tr><tr><td><p><code class="literal">%p</code></p></td><td><p>Current share's root directory (in an NIS homedir map)</p></td></tr><tr><td><p><code class="literal">%p</code></p></td><td><p>Print filename (printing only)</p></td></tr><tr><td><p><code class="literal">%R</code></p></td><td><p>Protocol level in use (one of CORE, COREPLUS, LANMAN1, LANMAN2, or NT1)</p></td></tr><tr><td><p><code class="literal">%S</code></p></td><td><p>Current share's name</p></td></tr><tr><td><p><code class="literal">%s</code></p></td><td><p>Filename the message is in (messages only)</p></td></tr><tr><td><p><code class="literal">%s</code></p></td><td><p>Print-spool file name (printing only)</p></td></tr><tr><td><p><code class="literal">%T</code></p></td><td><p>Current date and time</p></td></tr><tr><td><p><code class="literal">%t</code></p></td><td><p>Destination machine (messages only)</p></td></tr><tr><td><p><code class="literal">%u</code></p></td><td><p>Current share's username</p></td></tr><tr><td><p><code class="literal">%U</code></p></td><td><p>Requested username for current share</p></td></tr><tr><td><p><code class="literal">%v</code></p></td><td><p>Samba version</p></td></tr></tbody></table></div></div><br class="table-break"></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-D"></a>Appendix D. Summary of Samba Daemons and Commands</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#appd-SECT-1">D.1. Samba Distribution Programs</a></span></dt><dd><dl><dt><span class="sect2"><a href="#appd-SECT-1.1">D.1.1. smbd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.2">D.1.2. nmbd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.3">D.1.3. Samba Startup File </a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.4">D.1.4. smbsh</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.5">D.1.5. smbclient</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.6">D.1.6. smbstatus</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.7">D.1.7. smbtar</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.8">D.1.8. nmblookup</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.9">D.1.9. smbpasswd</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.10">D.1.10. testparm</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.11">D.1.11. testprns</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.12">D.1.12. rpcclient</a></span></dt><dt><span class="sect2"><a href="#appd-SECT-1.13">D.1.13. tcpdump</a></span></dt></dl></dd></dl></div><p>This appendix is a reference listing of command-line options and other information to help you use the executables that come with Samba distribution.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="appd-SECT-1"></a>Samba Distribution Programs</h2></div></div></div><p>The following sections provide information about the command-line parameters for Samba programs.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.1"></a>smbd</h3></div></div></div><p>
-<a class="indexterm" name="appd-idx-993627-0"></a>
-<a class="indexterm" name="appd-idx-993627-1"></a>The <span class="emphasis"><em>smbd</em></span> program provides Samba's file and printer services, using one TCP/IP stream and one daemon per client. It is controlled from the default configuration file, <em class="replaceable"><code>samba_dir</code></em><span class="emphasis"><em>/lib/smb.conf</em></span>, and can be overridden by command-line options.</p><p>The configuration file is automatically re-evaluated every minute. If it has changed, most new options are immediately effective. You can force Samba to immediately reload the configuration file if you send a SIGHUP to <span class="emphasis"><em>smbd</em></span>. Reloading the configuration file, however, will not affect any clients that are already connected. To escape this "grandfather" configuration, a client would need to disconnect and reconnect, or the server itself would have to be restarted, forcing all clients to reconnect.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.1.1"></a>Other signals</h4></div></div></div><p>To shut down a <span class="emphasis"><em>smbd</em></span> process, send it the termination signal SIGTERM (-15) which allows it to die gracefully instead of a SIGKILL (-9). To increment the debug logging level of <span class="emphasis"><em>smbd</em></span> at runtime, send the program a SIGUSR1 signal. To decrement it at runtime, send the program a SIGUSR2 signal.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.1.2"></a>Command-line options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-D</code></span></dt><dd><p>The <span class="emphasis"><em>smbd</em></span> program is run as a daemon. This is the recommended way to use <span class="emphasis"><em>smbd</em></span> (it is also the default action). In addition, <span class="emphasis"><em>smbd</em></span> can also be run from <span class="emphasis"><em>inetd</em></span>.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debuglevel</code></em></span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0 all the way to 10. Specifying the value on the command line overrides the value specified in the <code class="filename">smb.conf</code> file. Debug level 0 logs only the most important messages; level 1 is normal; levels 3 and above are primarily for debugging and slow <span class="emphasis"><em>smbd</em></span> considerably.</p></dd><dt><span class="term"><code class="literal">-h</code> </span></dt><dd><p>Prints command-line usage information for the <code class="filename">smbd</code> program.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.1.3"></a>Testing/debugging options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-a</code></span></dt><dd><p>If this is specified, each new connection to the Samba server will append all logging messages to the log file. This option is the opposite of <code class="literal">-o</code>, and is the default.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>scope</code></em></span></dt><dd><p>This sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backwards compatibility.</p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>log_file</code></em></span></dt><dd><p>Send the log messages to somewhere other than the location compiled in or specified in the <code class="filename">smb.conf</code> file. The default is often <code class="filename">/usr/local/samba/var/log.smb</code>, <code class="filename">/usr/samba/var/log.smb,</code> or <code class="filename">/var/log/log.smb</code>. The first two are strongly discouraged on Linux, where <code class="filename">/usr</code> may be a read-only filesystem.</p></dd><dt><span class="term"><code class="literal">-O</code> <em class="replaceable"><code>socket_options</code></em></span></dt><dd><p>This sets the TCP/IP socket options, using the same parameters as the <code class="literal">socket</code> <code class="literal">options</code> configuration option. It is often used for performance tuning and testing.</p></dd><dt><span class="term"><code class="literal">-o</code></span></dt><dd><p>This option is the opposite of <code class="literal">-a</code>. It causes log files to be overwritten when opened. Using this option saves hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.</p></dd><dt><span class="term"><code class="literal">-P</code></span></dt><dd><p>This option forces <code class="filename">smbd</code> not to send any network data out. This option is typically used only by Samba developers.<a class="indexterm" name="appd-idx-994096-0"></a></p></dd><dt><span class="term"><code class="literal">-P</code></span></dt><dd><p>This option forces <code class="filename">smbd</code> not to send any network data out. This option is typically used only by Samba developers.  <a class="indexterm" name="appd-idx-994102-0"></a></p></dd><dt><span class="term"><code class="literal">-p</code> <em class="replaceable"><code>port_number</code></em></span></dt><dd><p>This sets the TCP/IP port number that the server will accept requests from. Currently, all Microsoft clients send only to the default port: 139.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Specifies the location of the Samba configuration file. Although the file defaults to <code class="filename">/usr/local/samba/lib/smb.conf</code>, you can override it here on the command line, typically for debugging.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.2"></a>nmbd</h3></div></div></div><p>
-<a class="indexterm" name="appd-idx-993645-0"></a>The <span class="emphasis"><em>nmbd</em></span> program is Samba's NetBIOS name and browsing daemon. It replies to broadcast NetBIOS over TCP/IP (NBT) name-service requests from SMB clients and optionally to Microsoft's Windows Internet Name Service (WINS) requests. Both of these are versions of the name-to-address lookup required by SMB clients. The broadcast version uses UDP/IP broadcast on the local subnet only, while WINS uses TCP/IP, which may be routed. If running as a WINS server, <span class="emphasis"><em>nmbd</em></span> keeps a current name and address database in the file <code class="filename">wins.dat</code> in the <code class="literal">samba_dir</code><code class="filename">/var/locks</code> directory.</p><p>An active <span class="emphasis"><em>nmbd</em></span> program can also respond to browsing protocol requests used by the Windows Network Neighborhood. Browsing is a combined advertising, service announcement, and active directory protocol. This protocol provides a dynamic directory of servers and the disks and printers that the servers are providing. As with WINS, this was initially done by making UDP/IP broadcasts on the local subnet. Now, with the concept of a local master browser, it is done by making TCP/IP connections to a server. If <span class="emphasis"><em>nmbd</em></span> is acting as a local master browser, it stores the browsing database in the file <code class="filename">browse.dat</code> in the <code class="literal">samba_dir</code><code class="filename">/var/locks</code> directory.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.2.1"></a>Signals</h4></div></div></div><p>Like <span class="emphasis"><em>smbd</em></span>, the <span class="emphasis"><em>nmbd</em></span> program responds to several Unix signals. Sending <span class="emphasis"><em>nmbd</em></span> a SIGHUP signal will cause it to dump the names it knows about to the file <code class="filename">namelist.debug</code> in the <code class="literal">samba_dir</code>/<span class="emphasis"><em>locks</em></span> directory and its browsing database to the <code class="filename">browse.dat </code>file in the same directory. To shut down a <span class="emphasis"><em>nmbd</em></span> process send it a SIGTERM (-15) signal instead of a SIGKILL (-9) to allow it to die gracefully. You can increment the debug logging level of <span class="emphasis"><em>nmbd</em></span> by sending it a SIGUSR1 signal; you can decrement it by sending a SIGUSR2 signal.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.2.2"></a>Command-line options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-D</code></span></dt><dd><p>Instructs the <code class="filename">nmbd</code> program to run as a daemon. This is the recommended way to use <code class="filename">nmbd</code>. In addition, <code class="filename">nmbd</code> can also be run from <em class="firstterm">inetd</em>.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debuglevel</code></em></span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0, all the way to 10. Specifying the value on the command line overrides the value specified in the <code class="filename">smb.conf</code> file. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging, and slow <span class="emphasis"><em>nmbd</em></span> considerably.</p></dd><dt><span class="term"><code class="literal">-h</code> </span></dt><dd><p>Prints command-line usage information for the <code class="filename">nmbd</code> program (also <code class="literal">-?</code>).</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.2.3"></a>Testing/debugging options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-a</code></span></dt><dd><p>If this is specified, each new connection to the Samba server will append all logging messages to the log file. This option is the opposite of <code class="literal">-o</code>, and is the default.</p></dd><dt><span class="term"><code class="literal">-H</code> <em class="replaceable"><code>hosts_  file</code></em></span></dt><dd><p>This option loads a standard <span class="emphasis"><em>hosts</em></span> file for name resolution.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>scope</code></em></span></dt><dd><p>This sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backward<a class="indexterm" name="appd-idx-994134-0"></a> compatibility.<a class="indexterm" name="appd-idx-994135-0"></a></p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>log_file</code></em></span></dt><dd><p>Sends the log messages to somewhere other than the location compiled-in or specified in the <code class="filename">smb.conf</code> file. The default is often <code class="filename">/usr/local/samba/var/log.nmb</code>, <code class="filename">/usr/samba/var/log.nmb,</code> or <code class="filename">/var/log/log.nmb</code>. The first two are strongly discouraged on Linux, where <code class="filename">/usr</code> may be a read-only filesystem.</p></dd><dt><span class="term"><code class="literal">-n</code> <em class="replaceable"><code>NetBIOS_name</code></em></span></dt><dd><p>This option allows you to override the NetBIOS name by which the daemon will advertise itself. Specifying the option on the command line overrides the <code class="literal">netbios</code> <code class="literal">name</code> option in the Samba configuration file.</p></dd><dt><span class="term"><code class="literal">-O</code> <em class="replaceable"><code>socket_options</code></em></span></dt><dd><p>This sets the TCP/IP socket options, using the same parameters as the <code class="literal">socket</code> <code class="literal">options</code> configuration option. It is often used for performance tuning and testing.</p></dd><dt><span class="term"><code class="literal">-o</code></span></dt><dd><p>This option is the opposite of <code class="literal">-a</code>. It causes log files to be overwritten when opened. Using this option saves hunting for the right log entries if you are performing a series of tests and inspecting the log file each time.</p></dd><dt><span class="term"><code class="literal">-p</code> <em class="replaceable"><code>port_number</code></em></span></dt><dd><p>This sets the UDP/IP port number from which the server will accept requests. Currently, all Microsoft clients send only to the default port: 137.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Specifies the location of the Samba configuration file. Although the file defaults to <code class="filename">/usr/local/samba/lib/smb.conf</code>, you can override it here on the command line, typically for debugging.</p></dd><dt><span class="term"><code class="literal">-v</code></span></dt><dd><p>This option prints the current version of Samba.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.3"></a>Samba Startup File </h3></div></div></div><p>
-<a class="indexterm" name="appd-idx-993647-0"></a>
-<a class="indexterm" name="appd-idx-993647-1"></a>
-<a class="indexterm" name="appd-idx-993647-2"></a>Samba is normally started by running it from your Unix system's <code class="filename">rc</code> files at boot time. For systems with a System V-like set of <code class="filename">/etc/rcN.d</code> directories, this can be done by placing a suitably named script in the <code class="filename">/rc</code> directory. Usually, the script  starting Samba is called <span class="emphasis"><em>S91samba</em></span>, while the script stopping or "killing" Samba is called <span class="emphasis"><em>K91samba.</em></span> On Linux, the usual subdirectory for the scripts is <code class="filename">/etc/rc2.d.</code> On Solaris, the directory is <code class="filename">/etc/rc3.d</code>. For machines with <code class="filename">/etc/rc.local</code> files, you would normally add the following lines to that file:</p><pre class="programlisting">/usr/local/samba/bin/smbd -D
-/usr/local/samba/bin/nmbd -D</pre><p>The following example script supports two extra commands, <code class="literal">status</code> and <code class="literal">restart</code>, in addition to the normal <code class="literal">start</code> and <code class="literal">stop</code> for System V machines:</p><pre class="programlisting">#!/bin/sh
-#
-# /etc/rc2.d./S91Samba  --manage the SMB server in a System V manner
-#
-OPTS="-D"
-#DEBUG=-d3
-PS="ps  ax"
-SAMBA_DIR=/usr/local/samba
-case "$1" in
-'start')
-	echo "samba "
-	$SAMBA_DIR/bin/smbd $OPTS $DEBUG
-	$SAMBA_DIR/bin/nmbd $OPTS $DEBUG
-	;;
-'stop')
-	echo "Stopping samba"
-	$PS | awk '/usr.local.samba.bin/ { print $1}' |\
-	xargs kill
-	;;
-'status')
-	x=`$PS | grep -v grep | grep '$SAMBA_DIR/bin'`
-	if [ ! "$x" ]; then
-		echo "No samba processes running"
-	else
-		echo "  PID TT STAT  TIME COMMAND"
-		echo "$x"
-	fi
-	;;
-'restart')
-	/etc/rc2.d/S91samba stop
-	/etc/rc2.d/S91samba start
-	/etc/rc2.d/S91samba status
-	;;
-*)
-	echo "$0: Usage error -- you must say $0 start,  stop, status or restart ."
-	;;
-esac
-exit</pre><p>You'll need to set the actual paths and <code class="literal">ps</code> options to suit the machine you're using. In addition, you might want to add additional commands to tell Samba to reload its <code class="filename">smb.conf</code> file or dump its <span class="emphasis"><em>nmbd</em></span> tables, depending on your actual needs.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.4"></a>smbsh</h3></div></div></div><p>The <span class="emphasis"><em>smbsh</em></span>
-<a class="indexterm" name="appd-idx-993744-0"></a> program lets you use a remote Windows share on your Samba server as if the share was a regular Unix directory. When it's run, it provides an extra directory tree under <code class="filename">/smb</code>. Subdirectories of <code class="filename">/smb</code> are servers, and subdirectories of the servers are their individual disk and printer shares. Commands run by <span class="emphasis"><em>smbsh</em></span> treat the <code class="filename">/smb</code> filesystem as if it were local to Unix. This means that you don't need <span class="emphasis"><em>smbmount</em></span> in your kernel to mount Windows filesystems the way you mount with NFS filesystems. However, you do need to configure Samba with the <code class="literal">--with-smbwrappers</code> option to enable <code class="filename">smbsh</code>.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.4.1"></a>Options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-d</code> debuglevel</span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0, the default, all the way to 10. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging, and slow <span class="emphasis"><em>smbsh</em></span> considerably.</p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>logfile</code></em></span></dt><dd><p>Sets the name of the logfile to use.</p></dd><dt><span class="term"><code class="literal">-P</code> <em class="replaceable"><code>prefix</code></em></span></dt><dd><p>Sets the root directory to mount the SMB filesystem. The default is <code class="filename">/smb</code>.</p></dd><dt><span class="term"><code class="literal">-R</code> <em class="replaceable"><code>resolve order</code></em></span></dt><dd><p>Sets the resolve order of the name servers. This option is similar to the <code class="literal">resolve order</code> configuration option, and can take any of the four parameters, <code class="literal">lmhosts</code>, <code class="literal">host</code>, <code class="literal">wins</code>, and <code class="literal">bcast</code>, in any order.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>user</code></em></span></dt><dd><p>Supports <em class="replaceable"><code>user%password.</code></em></p></dd><dt><span class="term"><code class="literal">-W</code> <em class="replaceable"><code>workgroup</code></em></span></dt><dd><p>Sets the NetBIOS workgroup to which the client will connect.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.5"></a>smbclient</h3></div></div></div><p>The <span class="emphasis"><em>smbclient</em></span>
-<a class="indexterm" name="appd-idx-993745-0"></a>
-<a class="indexterm" name="appd-idx-993745-1"></a> program is the maid-of-all-work of the Samba suite. Initially intended as a testing tool, it has become a full command-line Unix client, with an FTP-like interactive client. Some of its options are still used for testing and tuning, and it makes a simple tool for ensuring that Samba is running on a server.</p><p>It's convenient to look at <span class="emphasis"><em>smbclient</em></span> as a suite of programs:</p><div class="itemizedlist"><ul type="disc"><li><p>FTP-like interactive file transfer program</p></li><li><p>Interactive printing program</p></li><li><p>Interactive tar program</p></li><li><p>Command-line message program</p></li><li><p>Command-line <span class="emphasis"><em>tar</em></span> program (but see <span class="emphasis"><em>smbtar</em></span> later)</p></li><li><p>"What services do you have" query program</p></li><li><p>Command-line debugging program</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.1"></a>General command-line options</h4></div></div></div><p>The program has the usual set of <span class="emphasis"><em>smbd</em></span>-like options, which apply to all the interactive and command-line use. The syntax is:</p><pre class="programlisting">smbclient //<em class="replaceable"><code>server_name</code></em>/<em class="replaceable"><code>share_name</code></em> [<em class="replaceable"><code>password</code></em>] [-<em class="replaceable"><code>options</code></em>]</pre><p>Here is an explanation of each of the command-line options:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debug_level</code></em></span></dt><dd><p>Sets the debug (logging) level, from 0 to 10, with <code class="literal">A</code> for all. Overrides the value in <code class="filename">smb.conf</code>. Debug level 0 logs only the most important messages; level 1 is normal; debug level 3 and above are for debugging, and slow <span class="emphasis"><em>smbclient</em></span> considerably.</p></dd><dt><span class="term"><code class="literal">-h</code></span></dt><dd><p>Prints the command-line help information (usage) for smbclient.</p></dd><dt><span class="term"><code class="literal">-n</code> <em class="replaceable"><code>NetBIOS_name</code></em></span></dt><dd><p>Allows you to override the NetBIOS name by which the program will advertise itself.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.2"></a>Smbclient operations</h4></div></div></div><p>Running <code class="literal">smbclient</code> <code class="literal">//</code><em class="replaceable"><code>server_name</code></em><code class="literal">/</code><em class="replaceable"><code>share</code></em> will cause it to prompt you for a username and password. If the login is successful, it will connect to the share and give you a prompt much like an FTP prompt (the backslash in the prompt will be replaced by the current directory within the share as you move around the filesystem):</p><pre class="programlisting">smb:\&gt;</pre><p>
-<a class="indexterm" name="appd-idx-994034-0"></a>From this command line, you can use several FTP-like commands, as listed in <a href="#appd-89417" title="Table D.1. smbclient Commands">Table 4.1</a>. Arguments in square brackets are optional.</p><div class="table"><a name="appd-89417"></a><p class="title"><b>Table D.1. smbclient Commands </b></p><div class="table-contents"><table summary="smbclient Commands " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">?</code> <em class="replaceable"><code>command</code></em></p></td><td><p>Provides list of commands or help on specified command.</p></td></tr><tr><td><p><code class="literal">help</code> [<em class="replaceable"><code>command</code></em>]</p></td><td><p>Provides list of commands or help on specified command.</p></td></tr><tr><td><p><code class="literal">!</code> [<em class="replaceable"><code>command</code></em>]</p></td><td><p>If a command is specified, it will be run in a local shell. If not, you will be placed into a local shell on the client.</p></td></tr><tr><td><p><code class="literal">dir</code> [<em class="replaceable"><code>filename</code></em>]</p></td><td><p>Displays any files matching <em class="replaceable"><code>filename</code></em> in the current directory on the server, or all files if <em class="replaceable"><code>filename</code></em> is omitted.</p></td></tr><tr><td><p><code class="literal">ls</code> [<em class="replaceable"><code>filename</code></em>]</p></td><td><p>Displays any files matching <em class="replaceable"><code>filename</code></em> in the current directory on the server, or all files if <em class="replaceable"><code>filename</code></em> is omitted.</p></td></tr><tr><td><p><code class="literal">cd</code> [<em class="replaceable"><code>directory</code></em>]</p></td><td><p>If <em class="replaceable"><code>directory</code></em> is specified, changes to the specified directory on the remote server. If not, reports the current directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">lcd</code> [<em class="replaceable"><code>director</code></em><code class="literal">y</code>]</p></td><td><p>If <em class="replaceable"><code>directory</code></em> is specified, the current directory on the local machine will be changed. If not, the name of the current directory on the local machine will be reported.</p></td></tr><tr><td><p><code class="literal">get</code> <span class="emphasis"><em>remotefile</em></span> [<em class="replaceable"><code>localfile</code></em>]</p></td><td><p>Copies the file <em class="replaceable"><code>remotefile</code></em> to the local machine. If a <em class="replaceable"><code>localfile</code></em> is specified, uses that name to copy the file to. Treats the file as binary; does <span class="emphasis"><em>not</em></span> do LF to CR/LF conversions.</p></td></tr><tr><td><p><code class="literal">put</code> <span class="emphasis"><em>localfile</em></span> [<em class="replaceable"><code>remotefile</code></em>]</p></td><td><p>Copies <em class="replaceable"><code>localfile</code></em> to the remote machine. If a <em class="replaceable"><code>remotefile</code></em> is specified, uses that as the name to copy to on the remote server. Treats the file as binary; does <span class="emphasis"><em>not</em></span> do LF to CR/LF conversions.</p></td></tr><tr><td><p><code class="literal">mget</code> <em class="replaceable"><code>pattern</code></em></p></td><td><p>Gets all files matching <em class="replaceable"><code>pattern</code></em> from the remote machine.</p></td></tr><tr><td><p><code class="literal">mput</code><em class="replaceable"><code> pattern</code></em></p></td><td><p>Places all local files matching <em class="replaceable"><code>pattern</code></em> on the remote machine.</p></td></tr><tr><td><p><code class="literal">prompt</code></p></td><td><p>Toggles interactive prompting on and off for <code class="literal">mget</code> and <code class="literal">mput</code>.</p></td></tr><tr><td><p><code class="literal">lowercase ON </code>(or<code class="literal"> OFF </code>)</p></td><td><p>If lowercase is on, <span class="emphasis"><em>smbclient</em></span> will convert filenames to lowercase during an <code class="literal">mget</code> or <code class="literal">get</code> (but not a <code class="literal">mput</code> or <code class="literal">put</code>).</p></td></tr><tr><td><p><code class="literal">del</code> <em class="replaceable"><code>filename</code></em></p></td><td><p>Delete a file on the remote machine.</p></td></tr><tr><td><p><code class="literal">md</code> <em class="replaceable"><code>directory</code></em></p></td><td><p>Create a directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">mkdir</code> <em class="replaceable"><code>directory</code></em></p></td><td><p>Create a directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">rd</code> <em class="replaceable"><code>directory</code></em></p></td><td><p>Remove the specified directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">rmdir</code> <em class="replaceable"><code>directory</code></em></p></td><td><p>Remove the specified directory on the remote machine.</p></td></tr><tr><td><p><code class="literal">setmode</code> <em class="replaceable"><code>filename</code></em> <code class="literal">[+|-]rsha</code></p></td><td><p>Set DOS filesystem attribute bits, using Unix-like modes. <code class="literal">r</code> is read-only, <code class="literal">s</code> is system, <code class="literal">h</code> is hidden, and <code class="literal">a</code> is archive.</p></td></tr><tr><td><p><code class="literal">exit</code></p></td><td><p>Exits <span class="emphasis"><em>smbclient</em></span>.</p></td></tr><tr><td><p><code class="literal">quit</code></p></td><td><p>Exits <span class="emphasis"><em>smbclient</em></span>.</p></td></tr></tbody></table></div></div><br class="table-break"><p>There are also mask and recursive commands for large copies; see the <code class="filename">smbclient</code> manual page for details on how to use these. With the exception of mask, recursive, and the lack of an ASCII transfer mode, <span class="emphasis"><em>smbclient</em></span> works exactly the same as FTP. Note that because it does binary transfers, Windows files copied to Unix will have lines ending in carriage-return and linefeed (<code class="literal">\r\n</code>), not Unix's linefeed (<code class="literal">\n</code>).</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.3"></a>Printing commands</h4></div></div></div><p>The <span class="emphasis"><em>smbclient</em></span> program can also be used for access to a printer by connecting to a print share. Once connected, the commands shown in <a href="#appd-39300" title="Table D.2. smbclient Printing Commands">Table 4.2</a> can be used to print.</p><div class="table"><a name="appd-39300"></a><p class="title"><b>Table D.2. smbclient Printing Commands </b></p><div class="table-contents"><table summary="smbclient Printing Commands " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">print</code><em class="replaceable"><code> filename</code></em></p></td><td><p>Prints the file by copying it from the local machine to the remote one and then submitting it as a print job there.</p></td></tr><tr><td><p><code class="literal">printmode</code> <em class="replaceable"><code>text </code></em>|<em class="replaceable"><code> graphics</code></em></p></td><td><p>Instructs the server that the following files will be plain text (ASCII) or the binary graphics format that the printer requires. It's up to the user to ensure that the file is indeed the right kind.</p></td></tr><tr><td><p><code class="literal">queue</code></p></td><td><p>Displays the queue for the print share you're connected to, showing job ID, name, size, and status.</p></td></tr></tbody></table></div></div><br class="table-break"><p>Finally, to print from the <span class="emphasis"><em>smbclient</em></span>, use the <code class="literal">-c</code> option:</p><pre class="programlisting">cat <em class="replaceable"><code>printfile</code></em> | smbclient //<em class="replaceable"><code>server</code></em>/<em class="replaceable"><code>printer_name</code></em>  -c "print -"</pre></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.4"></a>Tar commands</h4></div></div></div><p><span class="emphasis"><em>smbclient</em></span> can tar up files from a file share. This is normally done from the command line using the <span class="emphasis"><em>smbtar</em></span> command, but the commands shown in <a href="#appd-54517" title="Table D.3. smbclient Printing Commands">Table 4.3</a> are also available interactively.</p><div class="table"><a name="appd-54517"></a><p class="title"><b>Table D.3. smbclient Printing Commands </b></p><div class="table-contents"><table summary="smbclient Printing Commands " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">tar c|x[IXbgNa]</code> <em class="replaceable"><code>operands</code></em></p></td><td><p>Performs a creation or extraction <span class="emphasis"><em>tar</em></span> similar to the command-line program.</p></td></tr><tr><td><p><code class="literal">blocksize</code> <em class="replaceable"><code>size</code></em></p></td><td><p>Sets the block size to be used by <span class="emphasis"><em>tar</em></span>, in 512-byte blocks.</p></td></tr><tr><td><p><code class="literal">noreset</code></p></td><td><p>Makes <span class="emphasis"><em>tar</em></span> pay attention to DOS archive bit for all following commands. In <code class="literal">full</code> mode (the default), <span class="emphasis"><em>tar</em></span> will back up everything. In <code class="literal">inc</code> (incremental) mode, <span class="emphasis"><em>tar</em></span> will back up only those files with the archive bit set. In <code class="literal">reset</code> mode, <span class="emphasis"><em>tar</em></span> will reset the archive bit on all files it backs up. (this requires the share to be writable), and in <code class="literal">noreset</code> mode the archive bit will not be reset even after the file has been backed up.</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.5"></a>Command-line message program options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-M</code> <em class="replaceable"><code>NetBIOS_machine_name</code></em></span></dt><dd><p>This option allows you to send immediate messages using the WinPopup protocol to another computer. Once a connection is established, you can type your message, pressing control-D to end. If WinPopup is not running on the receiving machine, the program returns an error.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>user</code></em> </span></dt><dd><p>This<em class="replaceable"><code> </code></em>option allows you to indirectly control the FROM part of the message.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.6"></a>Command-line tar program options</h4></div></div></div><p>The <code class="literal">-T</code> (tar), <code class="literal">-D</code> (starting directory), and <code class="literal">-c</code> (command) options are used together to tar up files interactively. This is better done with <code class="filename">smbtar</code>, which will be discussed shortly. We don't recommend using <span class="emphasis"><em>smbclient</em></span> directly as a <span class="emphasis"><em>tar</em></span> program.</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-D</code> <em class="replaceable"><code>initial_directory</code></em></span></dt><dd><p>Changes to initial directory before starting.</p></dd><dt><span class="term"><code class="literal">-c</code> <em class="replaceable"><code>command_string</code></em> </span></dt><dd><p>Passes a command string to the <span class="emphasis"><em>smbclient</em></span> command interpreter, which treats it as a semicolon-separated list of commands to be executed. This is handy to say things such as <code class="literal">tarmode</code> <code class="literal">inc</code>, for example, which forces <code class="literal">smbclient</code> <code class="literal">-T</code> to back up only files with the archive bit set.</p></dd><dt><span class="term"><code class="literal">-T</code> <em class="replaceable"><code>command filename</code></em></span></dt><dd><p>Runs the <span class="emphasis"><em>tar</em></span> driver, which is <span class="emphasis"><em>gtar</em></span> compatible. The two main commands are: <code class="literal">c</code> (create) and <code class="literal">x</code> (extract), which may be followed by any of:</p></dd><dt><span class="term"><code class="literal">a</code></span></dt><dd><p>Resets archive bits once files are saved.</p></dd><dt><span class="term"><code class="literal">b</code> <em class="replaceable"><code>size</code></em></span></dt><dd><p>Sets blocksize in 512-byte units.</p></dd><dt><span class="term"><code class="literal">g</code></span></dt><dd><p>Backs up only files with the archive bit set.</p></dd><dt><span class="term"><code class="literal">I</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Includes files and directories (this is the default). Does not do pattern-matching.</p></dd><dt><span class="term"><code class="literal">N</code> <em class="replaceable"><code>filename</code></em></span></dt><dd><p>Backs up only those files newer than <em class="replaceable"><code>filename.</code></em></p></dd><dt><span class="term"><code class="literal">q</code></span></dt><dd><p>Does not produce diagnostics.</p></dd><dt><span class="term"><code class="literal">X</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Excludes files.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.7"></a>Command-line query program</h4></div></div></div><p>If <code class="filename">smbclient</code> is run as:</p><pre class="programlisting">smbclient -L <em class="replaceable"><code>server_name</code></em></pre><p>it will list the shares and other services that machine provides. This is handy if you don't have <code class="filename">smbwrappers</code>. It can also be helpful as a testing program in its own right.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.5.8"></a>Command-line debugging /diagnostic program options</h4></div></div></div><p>Any of the various modes of operation of <span class="emphasis"><em>smbclient</em></span> can be used with the debugging and testing command-line options:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-B</code> <em class="replaceable"><code>IP_addr</code></em></span></dt><dd><p>Sets the broadcast address.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debug_level</code></em></span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0 all the way to 10. In addition, you can specify <code class="literal">A</code> for all debugging options. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging and slow operations considerably.</p></dd><dt><span class="term"><code class="literal">-E</code></span></dt><dd><p>Sends all messages to stderr instead of stdout.</p></dd><dt><span class="term"><code class="literal">-I</code> <em class="replaceable"><code>IP_address</code></em> </span></dt><dd><p>Sets the IP address of the server to which it connects.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>scope</code></em></span></dt><dd><p>This sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backward compatibility.</p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>log_file</code></em></span></dt><dd><p>Sends the log messages to the specified file.</p></dd><dt><span class="term"><code class="literal">-N</code></span></dt><dd><p>Suppresses the password prompt. Unless a password is specified on the command line or this parameter is specified, the client will prompt for a password.</p></dd><dt><span class="term"><code class="literal">-n</code> <em class="replaceable"><code>NetBIOS_name</code></em></span></dt><dd><p>This option allows you to override the NetBIOS name by which the daemon will advertise itself.</p></dd></dl></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-O</code> <em class="replaceable"><code>socket_options</code></em></span></dt><dd><p>Sets the TCP/IP socket options using the same parameters as the <code class="literal">socket</code> <code class="literal">options</code> configuration option. It is often used for performance tuning and testing.</p></dd><dt><span class="term"><code class="literal">-p</code> <em class="replaceable"><code>port_number</code></em></span></dt><dd><p>Sets the port number from which the client will accept requests.</p></dd><dt><span class="term"><code class="literal">-R</code> <em class="replaceable"><code>resolve_order</code></em></span></dt><dd><p>Sets the resolve order of the name servers. This option is similar to the <code class="literal">resolve</code> <code class="literal">order</code> configuration option, and can take any of the four parameters, <code class="literal">lmhosts</code>, <code class="literal">host</code>, <code class="literal">wins</code>, and <code class="literal">bcast</code>, in any order .</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Specifies the location of the Samba configuration file. Used for debugging.</p></dd><dt><span class="term"><code class="literal">-t</code> <em class="replaceable"><code>terminal_code</code></em></span></dt><dd><p>Sets the terminal code for Asian languages.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Sets the username and optionally password (e.g., <code class="literal">-U</code> <code class="literal">fred%secret</code>).</p></dd><dt><span class="term"><code class="literal">-W</code> <em class="replaceable"><code>workgroup</code></em></span></dt><dd><p>Specifies the workgroup that you want the client to connect as.</p></dd></dl></div><p>If you want to test a particular name service, run <span class="emphasis"><em>smbclient</em></span> with <code class="literal">-R</code> and just the name of the service. This will force <span class="emphasis"><em>smbclient</em></span> to use only the service you gave.<span class="emphasis"><em></em></span>
-<a class="indexterm" name="appd-idx-993802-0"></a>
-<a class="indexterm" name="appd-idx-993802-1"></a></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.6"></a>smbstatus</h3></div></div></div><p>The <code class="filename">smbstatus</code>
-<a class="indexterm" name="appd-idx-993754-0"></a>
-<a class="indexterm" name="appd-idx-993754-1"></a> program lists the current connections on a Samba server. There are three separate sections. The first section lists various shares that are in use by specific users. The second section lists the locked files that Samba currently has on all of its shares. Finally, the third section lists the amount of memory usage for each of the shares. For example:</p><pre class="programlisting"># <span class="bold"><strong>smbstatus</strong></span>
-Samba version 2.0.3
-Service      uid      gid      pid     machine
-----------------------------------------------
-network      davecb   davecb   7470   phoenix  (192.168.220.101) Sun May 16 
-network      davecb   davecb   7589   chimaera (192.168.220.102) Sun May 16 
-
-Locked files:
-Pid    DenyMode   R/W        Oplock           Name
---------------------------------------------------
-7589   DENY_NONE  RDONLY   EXCLUSIVE+BATCH  /home/samba/quicken/inet/common/system/help.bmp
-Sun May 16 21:23:40 1999
-7470   DENY_WRITE RDONLY   NONE             /home/samba/word/office/findfast.exe
-Sun May 16 20:51:08 1999
-7589   DENY_WRITE RDONLY   EXCLUSIVE+BATCH  /home/samba/quicken/lfbmp70n.dll 
-Sun May 16 21:23:39 1999
-7589   DENY_WRITE RDWR     EXCLUSIVE+BATCH  /home/samba/quicken/inet/qdata/runtime.dat
-Sun May 16 21:23:41 1999
-7470   DENY_WRITE RDONLY   EXCLUSIVE+BATCH  /home/samba/word/office/osa.exe
-Sun May 16 20:51:09 1999
-7589   DENY_WRITE RDONLY   NONE             /home/samba/quicken/qversion.dll
-Sun May 16 21:20:33 1999
-7470   DENY_WRITE RDONLY   NONE             /home/samba/quicken/qversion.dll
-Sun May 16 20:51:11 1999
-
-Share mode memory usage (bytes):
-   1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total</pre><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.6.1"></a>Options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-b</code></span></dt><dd><p>Forces <code class="filename">smbstatus</code> to produce brief output. This includes the version of Samba and auditing information about the users that have logged into the server.</p></dd><dt><span class="term"><code class="literal">-d</code></span></dt><dd><p>Gives verbose output, including each of the three reporting sections listed in the previous example. This is the default.</p></dd><dt><span class="term"><code class="literal">-L</code></span></dt><dd><p>Forces <code class="filename">smbstatus</code> to print only the current file locks it has. This corresponds to the second section in a verbose output.</p></dd><dt><span class="term"><code class="literal">-p</code></span></dt><dd><p>Prints a list of <code class="filename">smbd</code> process IDs only. This is often used for scripts.</p></dd><dt><span class="term"><code class="literal">-S</code></span></dt><dd><p>Prints only a list of shares and their connections. This corresponds to the first section in a verbose output.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Sets the Samba configuration file to use when processing this command.</p></dd><dt><span class="term"><code class="literal">-u</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Limits the <code class="filename">smbstatus</code> report to the activity of a single user.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.7"></a>smbtar</h3></div></div></div><p>The <span class="emphasis"><em>smbtar</em></span>
-<a class="indexterm" name="appd-idx-993755-0"></a>
-<a class="indexterm" name="appd-idx-993755-1"></a> program is a shell script on top of <span class="emphasis"><em>smbclient</em></span> that gives the program more intelligible options when doing tar operations. Functionally, it is equivalent to the Unix <span class="emphasis"><em>tar</em></span> program.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.7.1"></a>Options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-a</code></span></dt><dd><p>Resets the archive bit mode</p></dd><dt><span class="term"><code class="literal">-b</code> <em class="replaceable"><code>blocksize</code></em></span></dt><dd><p>Blocking size. Defaults to 20.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>directory</code></em></span></dt><dd><p>Changes to initial directory before restoring or backing up files.</p></dd><dt><span class="term"><code class="literal">-i</code></span></dt><dd><p>Incremental mode; tar files are backed up only if they have the DOS archive bit set. The archive bit is reset after each file is read.</p></dd><dt><span class="term"><code class="literal">-l</code> <em class="replaceable"><code>log_level</code></em></span></dt><dd><p> Sets the logging level.</p></dd><dt><span class="term"><code class="literal">-N</code> <em class="replaceable"><code>filename</code></em></span></dt><dd><p>Backs up only the files newer than the last modification date of <em class="replaceable"><code>filename</code></em>. For incremental backups.</p></dd><dt><span class="term"><code class="literal">-p</code> <em class="replaceable"><code>password</code></em></span></dt><dd><p>Specifies the password to use to access a share.</p></dd><dt><span class="term"><code class="literal">-r</code></span></dt><dd><p>Restores files to the share from the tar file.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>server</code></em></span></dt><dd><p>Specifies the SMB/CIFS server in which the share resides.</p></dd><dt><span class="term"><code class="literal">-t</code> <em class="replaceable"><code>tape</code></em></span></dt><dd><p>Tape device or file. Default is the value of the environment variable <code class="literal">$TAPE</code>, or <span class="emphasis"><em>tar.out</em></span> if <code class="literal">$TAPE</code> isn't set.</p></dd><dt><span class="term"><code class="literal">-u</code> <em class="replaceable"><code>user</code></em></span></dt><dd><p>Specifies the user to connect to the share as. You can specify the password as well, in the format <em class="replaceable"><code>username</code></em><code class="literal">%</code><em class="replaceable"><code>password</code></em>.</p></dd><dt><span class="term"><code class="literal">-v</code></span></dt><dd><p>Specifies the use of verbose mode.</p></dd><dt><span class="term"><code class="literal">-X</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Tells <em class="firstterm">smbtar</em> to exclude the specified file from the <span class="emphasis"><em>tar</em></span> create or restore.</p></dd><dt><span class="term"><code class="literal">-x</code> <em class="replaceable"><code>share</code></em></span></dt><dd><p>States the share name on the server to connect to. The default is <code class="literal">backup</code>, which is a common share name to perform backups with.</p></dd></dl></div><p>For example, a trivial backup command to archive the data for user <code class="literal">sue</code> is:</p><pre class="programlisting"># <span class="bold"><strong>smbtar -s pc_name -x sue -u sue -p secret -t sue.tar</strong></span></pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.8"></a>nmblookup</h3></div></div></div><p>The <code class="filename">nmblookup</code>
-<a class="indexterm" name="appd-idx-993756-0"></a>
-<a class="indexterm" name="appd-idx-993756-1"></a> program is a client program that exercises the NetBIOS-over-UDP/IP name service for resolving NBT machine names into IP addresses. The command works by broadcasting its queries on the local subnet until a machine with that name responds. You can think of it as a Windows <span class="emphasis"><em>nslookup(1)</em></span> or <span class="emphasis"><em>dig(1)</em></span>. This is useful for looking up both normal NetBIOS names, and the odd ones like <code class="literal">_ _MSBROWSE_ _</code> that the Windows name services use to provide directory-like services. If you wish to query for a particular type of NetBIOS name, add the NetBIOS <code class="literal">&lt;type&gt;</code> to the end of the name.</p><p>The command line is:</p><pre class="programlisting">nmblookup [-options] <em class="replaceable"><code>name</code></em></pre><p>The options supported are:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-A</code></span></dt><dd><p>Interprets <em class="replaceable"><code>name</code></em> as an IP address and do a node-status query on this address.</p></dd><dt><span class="term"><code class="literal">-B</code> <em class="replaceable"><code>broadcast _address</code></em></span></dt><dd><p>Sends the query to the given broadcast address. The default is to send the query to the broadcast address of the primary network interface.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>debuglevel</code></em></span></dt><dd><p>Sets the debug (sometimes called logging) level. The level can range from 0 all the way to 10. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging and slow the program considerably.</p></dd><dt><span class="term"><code class="literal">-h</code></span></dt><dd><p>Prints command-line usage information for the program.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>scope</code></em></span></dt><dd><p>Sets a NetBIOS scope identifier. Only machines with the same identifier will communicate with the server. The scope identifier was a predecessor to workgroups, and this option is included only for backward compatibility.</p></dd><dt><span class="term"><code class="literal">-M</code></span></dt><dd><p>Searches for a local master browser. This is done with a broadcast searching for a machine that will respond to the special name <code class="literal">_ _MSBROWSE_ _ </code>, and then asking that machine for information, instead of broadcasting the query itself.</p></dd><dt><span class="term"><code class="literal">-R</code></span></dt><dd><p>Sets the recursion desired bit in the packet. This will cause the machine that responds to try to do a WINS lookup and return the address and any other information the WINS server has saved.</p></dd><dt><span class="term"><code class="literal">-r</code></span></dt><dd><p>Use the root port of 137 for Windows 95 machines.</p></dd><dt><span class="term"><code class="literal">-S</code></span></dt><dd><p>Once the name query has returned an IP address, does a node status query as well. This returns all the resource types that the machine knows about, with their numeric attributes. For example:</p></dd></dl></div><pre class="programlisting">% <span class="bold"><strong>nmblookup -d 4 -S elsbeth</strong></span>
-received 6 names
-      ELSBETH                &lt;00&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt;
-      ELSBETH                &lt;03&gt; -         B &lt;ACTIVE&gt;
-      ELSBETH                &lt;1d&gt; -         B &lt;ACTIVE&gt;
-      ELSBETH                &lt;1e&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt;
-      ELSBETH                &lt;20&gt; -         B &lt;ACTIVE&gt;
-      .._ _MSBROWSE_   _..   &lt;01&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt;</pre><div class="variablelist"><dl><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>configuration_file</code></em></span></dt><dd><p>Specifies the location of the Samba configuration file. Although the file defaults to <code class="filename">/usr/local/samba/lib/smb.conf</code>, you can override it here on the command-line, normally for debugging.</p></dd><dt><span class="term"><code class="literal">-T</code></span></dt><dd><p>This option can be used to translate IP addresses into resolved names.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>unicast_address</code></em></span></dt><dd><p>Performs a unicast query to the specified address. Used with <code class="literal">-R</code> to query WINS servers.</p></dd></dl></div><p>Note that there is no workgroup option for <span class="emphasis"><em>nmblookup</em></span> ; you can get around this by putting <code class="literal">workgroup</code> <code class="literal">=</code> <em class="replaceable"><code>workgroup_name </code></em>in a file and passing it to <span class="emphasis"><em>nmblookup</em></span> with the <code class="literal">-s</code> <em class="replaceable"><code>smb.conf_file</code></em> option.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.9"></a>smbpasswd</h3></div></div></div><p>The <span class="emphasis"><em>smbpasswd</em></span>
-<a class="indexterm" name="appd-idx-993757-0"></a>
-<a class="indexterm" name="appd-idx-993757-1"></a> password has two distinct sets of functions. When run by users, it changes their encrypted passwords. When run by <code class="literal">root</code>, it updates the encrypted password file. When run by an ordinary user with no options, it connects to the primary domain controller and changes his or her Windows password.</p><p>The program will fail if <span class="emphasis"><em>smbd</em></span> is not operating, if the <code class="literal">hosts</code> <code class="literal">allow</code> or <code class="literal">hosts</code> <code class="literal">deny</code> configuration options will not permit connections from localhost (IP address 127.0.0.1), or the <code class="literal">encrypted</code> <code class="literal">passwords</code> <code class="literal">=</code> <code class="literal">no</code> option is set.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.9.1"></a>Regular user options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-D</code> <em class="replaceable"><code>debug_level</code></em></span></dt><dd><p>Sets the debug (also called logging) level. The level can range from 0 to 10. Debug level 0 logs only the most important messages; level 1 is normal; level 3 and above are primarily for debugging and slow the program considerably.</p></dd><dt><span class="term"><code class="literal">-h</code></span></dt><dd><p>Prints command-line usage information for the program.</p></dd><dt><span class="term"><code class="literal">-r</code> <em class="replaceable"><code>remote_machine_name</code></em></span></dt><dd><p>Specifies on which machine the password should change. The remote machine must be a primary domain controller (PDC).</p></dd><dt><span class="term"><code class="literal">-R</code> <em class="replaceable"><code>resolve_order</code></em></span></dt><dd><p>Sets the resolve order of the name servers. This option is similar to the <code class="literal">resolve</code> <code class="literal">order</code> configuration option, and can take any of the four parameters, <code class="literal">lmhosts</code>, <code class="literal">host</code>, <code class="literal">wins</code>, and <code class="literal">bcast</code>,<code class="literal"> </code>in any order.</p></dd><dt><span class="term"><code class="literal">-U</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Used only with <code class="literal">-r</code>, to modify a username that is spelled differently on the remote machine.</p></dd></dl></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.9.2"></a>Root-only options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-a</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Adds a user to the encrypted password file.</p></dd><dt><span class="term"><code class="literal">-d</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Disables a user in the encrypted password file.</p></dd><dt><span class="term"><code class="literal">-e</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Enables a disabled user in the encrypted password file.</p></dd><dt><span class="term"><code class="literal">-m</code> <em class="replaceable"><code>machine_name</code></em></span></dt><dd><p>Changes a machine account's password. The machine accounts are used to authenticate machines when they connect to a primary or backup domain controller.</p></dd><dt><span class="term"><code class="literal">-j</code> <em class="replaceable"><code>domain_name</code></em></span></dt><dd><p>Adds a Samba server to a Windows NT Domain.</p></dd><dt><span class="term"><code class="literal">-n</code></span></dt><dd><p>Sets no password for the user.</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>username</code></em></span></dt><dd><p>Causes <span class="emphasis"><em>smbpasswd</em></span> to be silent and to read its old and new passwords from standard input, rather than from <code class="filename">/dev/tty</code>. This is useful for writing scripts.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.10"></a>testparm</h3></div></div></div><p>The <span class="emphasis"><em>testparm</em></span>
-<a class="indexterm" name="appd-idx-993999-0"></a>
-<a class="indexterm" name="appd-idx-993999-1"></a> program checks an <code class="filename">smb.conf</code> file for obvious errors and self-consistency. Its command line is:</p><pre class="programlisting">testparm [options] <em class="replaceable"><code>configfile_name [hostname IP_addr]</code></em></pre><p>If the configuration file is not specified, the file at <em class="replaceable"><code>samba_dir</code></em><code class="filename">/lib/smb.conf</code> is checked by default. If you specify a hostname and an IP address, an extra check will be made to ensure that the specified machine would be allowed to connect to Samba. If a hostname is specified, an IP address should be present as well.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.10.1"></a>Options</h4></div></div></div><div class="variablelist"><dl><dt><span class="term"><code class="literal">-h</code></span></dt><dd><p>Prints command-line information for the program.</p></dd><dt><span class="term"><code class="literal">-L</code> server_name</span></dt><dd><p>Resets the <code class="literal">%L</code> configuration variable to the specified server name.</p></dd><dt><span class="term"><code class="literal">-s</code></span></dt><dd><p>This option prevents the <span class="emphasis"><em>testparm</em></span> program from prompting the user to press the Enter key before printing a list of the configuration options for the server.</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.11"></a>testprns</h3></div></div></div><p>The<a class="indexterm" name="appd-idx-993761-0"></a>
-<a class="indexterm" name="appd-idx-993761-1"></a> <span class="emphasis"><em>testprns</em></span> program checks a specified printer name against the system printer capabilities (<code class="filename">printcap</code>) file. Its command line is:</p><pre class="programlisting">testprns <em class="replaceable"><code>printername</code></em> [<em class="replaceable"><code>printcapname</code></em>]</pre><p>If the <code class="literal">printcapname</code> isn't specified, Samba attempts to use one located in the <code class="filename">smb.conf</code> file. If one isn't specified there, Samba will try <code class="filename">/etc/printcap</code>. If that fails, the program will generate an error.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.12"></a>rpcclient</h3></div></div></div><p>This is a new client that exercises the <a class="indexterm" name="appd-idx-993762-0"></a>
-<a class="indexterm" name="appd-idx-993762-1"></a>RPC (remote procedure call) interfaces of an SMB server. Like <span class="emphasis"><em>smbclient</em></span>, <span class="emphasis"><em>rpcclient</em></span>
-<a class="indexterm" name="appd-idx-993763-0"></a> started its life as a test program for the Samba developers and will likely stay that way for a while. Its command line is:</p><pre class="programlisting">rpcclient //<em class="replaceable"><code>server</code></em>/<em class="replaceable"><code>share</code></em></pre><p>The command-line options are the same as the Samba 2.0 <span class="emphasis"><em>smbclient</em></span>, and the operations you can try are listed in <a href="#appd-65243" title="Table D.4. rpcclient commands">Table 4.4</a>.</p><div class="table"><a name="appd-65243"></a><p class="title"><b>Table D.4. rpcclient commands </b></p><div class="table-contents"><table summary="rpcclient commands " border="1"><colgroup><col><col></colgroup><thead><tr><th><p>Command</p></th><th><p>Description</p></th></tr></thead><tbody><tr><td><p><code class="literal">regenum keyname</code></p></td><td><p>Registry Enumeration (keys, values)</p></td></tr><tr><td><p><code class="literal">regdeletekey keyname </code></p></td><td><p>Registry Key Delete</p></td></tr><tr><td><p><code class="literal">regcreatekey keyname [keyvalue]</code></p></td><td><p>Registry Key Create</p></td></tr><tr><td><p><code class="literal">regquerykey keyname</code></p></td><td><p>Registry Key Query</p></td></tr><tr><td><p><code class="literal">regdeleteval valname</code></p></td><td><p>Registry Value Delete</p></td></tr><tr><td><p><code class="literal">regcreateval valname valtype value</code></p></td><td><p>Registry Key Create</p></td></tr><tr><td><p><code class="literal">reggetsec keyname</code></p></td><td><p>Registry Key Security</p></td></tr><tr><td><p><code class="literal">regtestsec keyname</code></p></td><td><p>Test Registry Key Security</p></td></tr><tr><td><p><code class="literal">ntlogin [username] [password]</code></p></td><td><p>NT Domain Login Test</p></td></tr><tr><td><p><code class="literal">wksinfo</code></p></td><td><p>Workstation Query Info</p></td></tr><tr><td><p><code class="literal">srvinfo</code></p></td><td><p>Server Query Info</p></td></tr><tr><td><p><code class="literal">srvsessions</code></p></td><td><p>List Sessions on a Server</p></td></tr><tr><td><p><code class="literal">srvshares</code></p></td><td><p>List shares on a server</p></td></tr><tr><td><p><code class="literal">srvconnections</code></p></td><td><p>List connections on a server</p></td></tr><tr><td><p><code class="literal">srvfiles</code></p></td><td><p>List files on a server</p></td></tr><tr><td><p><code class="literal">lsaquery</code></p></td><td><p>Query Info Policy (domain member or server)</p></td></tr><tr><td><p><code class="literal">lookupsids</code></p></td><td><p>Resolve names from SIDs</p></td></tr><tr><td><p><code class="literal">ntpass</code></p></td><td><p>NT SAM Password Change</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="appd-SECT-1.13"></a>tcpdump</h3></div></div></div><p>The <span class="emphasis"><em>tcpdump</em></span>
-<a class="indexterm" name="appd-idx-993765-0"></a>
-<a class="indexterm" name="appd-idx-993765-1"></a> utility, a classic system administration tool, dumps all the packet headers it sees on an interface that match an expression. The version included in the Samba distribution is enhanced to understand the SMB protocol. The <span class="emphasis"><em>expression</em></span> is a logical expression with "and," "or," and "not," although sometimes it's very simple. For example, <code class="literal">host</code> <code class="literal">escrime</code> would select every packet going to or from <code class="literal">escrime</code>. The expression is normally one or more of:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">host</code> <em class="replaceable"><code>name</code></em></p></li><li><p><code class="literal">ne</code>t <em class="replaceable"><code>network_number</code></em></p></li><li><p><code class="literal">port</code> <em class="replaceable"><code>number</code></em></p></li><li><p><code class="literal">src</code> <em class="replaceable"><code>name </code></em></p></li><li><p><code class="literal">dst</code> <em class="replaceable"><code>name</code></em></p></li></ul></div><p>The most common options are <code class="literal">src</code> (source), <code class="literal">dst</code> (destination), and <code class="literal">port</code>. For example, in the book we used the command:</p><pre class="programlisting">tcpdump port not telnet</pre><p>This dumps all the packets except telnet; we were logged-in via telnet and  wanted to see only the SMB packets.</p><p>Another <span class="emphasis"><em>tcpdump</em></span> example is selecting traffic between server and either <code class="literal">sue</code> or <code class="literal">joe</code>:</p><pre class="programlisting">tcpdump host server and \( sue or joe \)</pre><p>We recommend using the <code class="literal">-s</code> <code class="literal">1500</code> option so that you capture all of the SMB messages sent, instead of just the header information.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="appd-SECT-1.13.1"></a>Options</h4></div></div></div><p>There are many options, and many other kinds of expressions that can be used with <span class="emphasis"><em>tcpdump</em></span>. See the manual page for details on the advanced options. The most common options are as follows:</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">-c</code> <em class="replaceable"><code>count</code></em></span></dt><dd><p>Forces the program to exit after receiving the specified number of packets.</p></dd><dt><span class="term"><code class="literal">-F</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Reads the expression from the specified file and ignores expressions on the command line.</p></dd><dt><span class="term"><code class="literal">-i</code> <em class="replaceable"><code>interface</code></em></span></dt><dd><p>Forces the program to listen on the specified interface.</p></dd><dt><span class="term"><code class="literal">-r</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Reads packets from the specified file (captured with <code class="literal">-w</code>).</p></dd><dt><span class="term"><code class="literal">-s</code> <em class="replaceable"><code>length</code></em></span></dt><dd><p>Saves the specified number of bytes of data from each packet (rather than 68 bytes).</p></dd><dt><span class="term"><code class="literal">-w</code> <em class="replaceable"><code>file</code></em></span></dt><dd><p>Writes the packets to the specified file.<a class="indexterm" name="appd-idx-993743-0"></a></p></dd></dl></div></div></div></div></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-E"></a>Appendix E. Downloading Samba with CVS</h2></div></div></div><p>
-<a class="indexterm" name="appe-idx-992918-0"></a>
-<a class="indexterm" name="appe-idx-992918-1"></a>This appendix contains information on how to download the latest source version of Samba using the C<a class="indexterm" name="appe-idx-992919-0"></a>
-<a class="indexterm" name="appe-idx-992919-1"></a>oncurrent Versions System (CVS). CVS is a freely available configuration management tool available from <a class="indexterm" name="appe-idx-992920-0"></a>Cyclic Software and is distributed under the<a class="indexterm" name="appe-idx-992921-0"></a> GNU General Public License. You can download the latest copy from <code class="systemitem">http://www.cyclic.com/</code>.<a class="indexterm" name="appe-idx-992922-0"></a></p><p>CVS works on top of the GNU <a class="indexterm" name="appe-idx-992923-0"></a>
-<a class="indexterm" name="appe-idx-992923-1"></a>Revision Control System (RCS). Many Unix
-systems come preinstalled with RCS. However, if you want to download
-the latest version of RCS, you can find it at <a class="indexterm" name="appe-idx-992936-0"></a><code class="systemitem">http://ftp.gnu.org/gnu/rcs/</code>.</p><p>One of the nicest things about CVS is its ability to handle remote logins. This means that people across the globe on the Internet can download and update various source files for any project that uses a CVS repository. Such is the case with Samba. Once you have RCS and CVS installed on your system, you must first log in to the Samba source server with the following command:</p><pre class="programlisting">cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login</pre><p>This tells CVS to connect to the CVS server at <code class="filename">cvs.samba.org</code>. Once you are connected, you can download the latest source tree with the following command:</p><pre class="programlisting">cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co samba</pre><p>This will download the entire Samba distribution (file by file) into a directory entitled <code class="filename">/samba</code>, which it will create on your hard drive. This directory will have the same structure as the Samba source distribution described in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a>. It includes source and header files, documentation, and sample configuration files to help get you started. After that is completed, you can follow the instructions in <a href="#SAMBA-CH-2" title="Chapter 2. Installing Samba on a Unix System">Chapter 2</a> to configure and compile Samba on your server.</p></div><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="SAMBA-AP-F"></a>Appendix F. Sample Configuration File</h2></div></div></div><p>
-<a class="indexterm" name="appf-idx-993481-0"></a>This appendix gives an example of a production <code class="filename">smb.conf</code> file and looks at how many of the options are used in practice. The following is a slightly disguised version of one we used at a corporation with five Linux servers, five Windows for Workgroups clients and three NT Workstation clients:</p><pre class="programlisting"># smb.conf -- File Server System for: 1 Example.COM  BSC &amp; Management Office 
-[globals]
-	workgroup = 1EG_BSC
-	interfaces = 10.10.1.14/24</pre><p>We provide this service on only one of the machine's interfaces. The <code class="literal">interfaces</code> option sets its address and netmask, where <code class="literal">/24</code> is the same as using the netmask 255.255.255.0:</p><pre class="programlisting">comment = Samba ver. %v
-	preexec = csh -c `echo /usr/samba/bin/smbclient \
-                     -M %m -I %I` &amp;</pre><p>We use the <span><strong class="command">preexec</strong></span> command to log information about all connections by machine name (<code class="literal">%m</code>) and IP address (<code class="literal">%I)</code>:</p><pre class="programlisting"># smbstatus will output various info on current status
-	status = yes
-	browseable = yes
-	printing = bsd
-
-	# the username that will be used for access to services
-	# specified with 'guest = ok'
-	guest account = samba</pre><p>The default guest account was <code class="literal">nobody</code>, uid -1, which produced log messages on one of our machines saying "your server is being unfriendly," so we created a specific Samba guest account for browsing and printing:</p><pre class="programlisting"># superuser account - admin privilages to shares, with no
-	# restrictions
-	# WARNING - use this with care: files can be modified,
-	# regardless of file permissions
-	admin users = root
-
-	# who is NOT allowed to connect to ANY service
-	invalid users = @wheel, mail, deamon, adt</pre><p>Daemons can't use Samba, only people. The <code class="literal">invalid</code> <code class="literal">users</code> option closes a security hole; it prevents intruders from breaking in by pretending to be a daemon process.</p><pre class="programlisting"># hosts that are ALLOWED or DENIED from connecting to ANY service
-	hosts allow = 10.10.1.
-	hosts deny = 10.10.1.6
-	
-	# where the lock files will be located
-	lock directory = /var/lock/samba/locks
-		
-	# debug log files 
-	# %m = separate log for each NetBIOS name (each machine)
-	log file = /var/log/samba/log.%m
-
-	# We send priority 0, 1 and 2 messages to the system logs
-	syslog = 2
-		
-	# If a WinPopup message is sent to the server,
-	# redirect it to a user via e-mail
-	
-	message command = /bin/mail -s 'message from #% on %m' \
-                               pkelly &lt; %s; rm %s
-
-# ---------------------------------------------------
-# [globals] Performance Tuning
-# ---------------------------------------------------
-	
-	# caching algorithm to reduce time doing getwd() calls.  
-	getwd cache = yes
-
-	socket options = TCP_NODELAY
-
-	# tell the server whether the client is present and
-	# responding in seconds
-	keep alive = 60
-
-	# num minutes of inactivity before a connection is
-	# considered dead
-	dead time = 30 
-
-	read prediction = yes
-	share modes = yes
-	max xmit = 17384 
-	read size = 512</pre><p>The <code class="literal">share</code> <code class="literal">modes</code>, <code class="literal">max</code>, <code class="literal">xinit</code>, and <code class="literal">read</code> <code class="literal">size</code> options are machine-specific (see <a href="#SAMBA-AP-B" title="Appendix B. Samba Performance Tuning">Appendix B</a>):</p><pre class="programlisting"># locking is done by the server
-	locking = yes
-
-	# control whether dos style attributes should be mapped
-	# to unix execute bits
-	map hidden = yes
-	map archive = yes
-	map system = yes</pre><p>The three <code class="literal">map</code> options will work only on shares with a create mode that includes the execute bits (0111). Our <code class="literal">homes</code> and <code class="literal">printers</code> shares won't honor them, but the [<code class="literal">www]</code> share will:</p><pre class="programlisting"># ---------------------------------------------------------
-# [globals] Security and Domain Logon Services
-# ---------------------------------------------------------	
-# connections are made with UID and GID, not as shares
-	security = user
-
-# boolean variable that controls whether passwords
-# will be encrypted
-	encrypt passwords = yes
-	passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"
-	passwd program = /usr/bin/passwd %u
-	
-# Always become the local master browser
-	domain master = yes
-	preferred master = yes
-	os level = 34
-	
-# For domain logons to work correctly. Samba acts as a
-# primary domain controller.
-	domain logons = yes
-	
-# Logon script to run for user off the server each time
-# username (%U) logs in.  Set the time, connect to shares,
-# virus checks, etc.
-	logon script = scripts\%U.bat
-
-[netlogon]
-	comment = "Domain Logon Services"
-	path = /u/netlogon
-	writable = yes
-	create mode = 444
-	guest ok = no
-	volume = "Network"</pre><p>This share, discussed in <a href="#SAMBA-CH-6" title="Chapter 6. Users, Security, and Domains">Chapter 6</a>, is required for Samba to work smoothly in a Windows NT domain:</p><pre class="programlisting"># -----------------------------------------------------------
-# [homes] User Home Directories
-# -----------------------------------------------------------
-[homes]
-	comment = "Home Directory for : %u "
-	path = /u/users/%u</pre><p>The password file of the Samba server specifies each person's home directory as   <span class="emphasis"><em>/home/</em></span><em class="replaceable"><code>machine_name</code></em><span class="emphasis"><em>/</em></span><em class="replaceable"><code>person</code></em>, which NFS converts to point to the actual physicl location under <span class="emphasis"><em>/u/users</em></span>. The <code class="literal">path</code> option in the <code class="literal">[homes]</code> share tells Samba the actual (non-NFS) location:</p><pre class="programlisting">guest ok = no
-	read only = no
-	create mode = 644
-	writable = yes
-	browseable = no 
-
-# -----------------------------------------------------------
-# [printers] System Printers
-# -----------------------------------------------------------
-[printers]
-	comment = "Printers"
-	path = /var/spool/lpd/samba
-	printcap name = /etc/printcap
-	printable = yes
-	public = no 
-	writable = no
-
-	lpq command = /usr/bin/lpq -P%p
-	lprm command = /usr/bin/lprm -P%p %j
-	lppause command = /usr/sbin/lpc stop %p
-	lpresume command = /usr/sbin/lpc start %p
-
-	create mode = 0700
-
-	browseable = no 
-	load printers = yes  
-
-# -----------------------------------------------------------
-# Specific Descriptions: [programs] [data] [retail]
-# -----------------------------------------------------------
-[programs]
-	comment = "Shared Programs %T"
-	volume = "programs"</pre><p>Shared Programs shows up in the Network Neighborhood, and <code class="literal">programs</code> is the volume name you specify when an installation program wants to know the label of the CD-ROM from which it thinks it's loading:</p><pre class="programlisting">path = /u/programs
-	public = yes
-	writeable = yes
-	printable = no
-	create mode = 664
-[cdrom]
-	comment = "Unix CDROM"
-	path = /u/cdrom
-	public = no 
-	writeable = no 
-	printable = no
-	volume = "cdrom"
-
-[data]
-	comment =  "Data Directories %T"
-	path = /u/data
-	public = no
-	create mode = 770
-	writeable = yes
-	volume = "data"
-
-[nt4]
-	comment =  "NT4 Server"
-	path = /u/systems/nt4
-	public = yes 
-	create mode = 770
-	writeable = yes
-	volume = "nt4_server"
-
-[www]
-	comment =  "WWW System"
-	path = /usr/www/http
-	public = yes 
-	create mode = 775
-	writeable = yes
-	volume = "www_system"</pre><p>The <code class="literal">[www]</code> share is the directory used on the Unix server to serve web pages. Samba makes the directory available to local PC users so the art department can update web pages.</p></div><div class="colophon" lang="en"><h2 class="title"><a name="colophon"></a>Colophon</h2><p>Our look is the result of reader comments, our own
-experimentation, and feedback from distribution channels. Distinctive
-covers complement our distinctive approach to technical topics,
-breathing personality and life into potentially dry subjects.</p><p>The animal on the cover of <em class="citetitle">Using Samba</em> is
-a African ground hornbill (<span class="foreignphrase"><em class="foreignphrase">Bucorvus
-cafer</em></span>). This type of bird is one of fifty hornbill
-species. The African ground hornbill is a medium to large sized bird
-characterized by a bright red waddle under a very long beak,
-dark-colored body and wings, long eyelashes, and short legs. Like all
-hornbills, it has a casque, a large but lightweight growth on the top
-of its beak, which grows more folds as the bird ages. It is the only
-ground-dwelling species of hornbill, though it is able to fly when
-necessary. It lives in the grasslands of southern and eastern Africa,
-and nests in the foliage of dense trees, not in nest holes in the
-ground as other hornbills do. Its diet includes mostly fruit, as well
-as large insects and small mammals. The African ground hornbill is
-considered to be sacred by many Africans, and as such this bird is
-part of many legends and superstitions.</p><p>Sarah Jane Shangraw was the production editor and proofreader
-for <em class="citetitle">Using Samba</em>. Sarah Lemaire copyedited the
-text. Maureen Dempsey and Claire Cloutier LeBlanc provided quality
-control. Brenda Miller wrote the index.</p><p>Edie Freedman designed the cover of this book based on her own
-series design. The cover image of an African ground hornbill is a
-19th-century engraving from the Dover Pictorial Archive. Kathleen
-Wilson produced the cover layout with QuarkXPress 3.32 using Adobe's
-ITC Garamond font. Kathleen Wilson also created the CD design.</p><p>Alicia Cech designed the interior layout based on a series
-design by Nancy Priest. Mike Sierra implemented the design in
-FrameMaker 5.5. The text and heading fonts are ITC Garamond Light and
-Garamond Book. The illustrations that appear in the book were produced
-by Robert Romano and Rhon Porter using Macromedia FreeHand 8 and Adobe
-Photoshop 5. Interior composition was done by Sarah Jane Shangraw,
-Sebastian Banker, Jeff Holcolmb, and Abigail Myers. This colophon was
-written by Nicole Arigo.</p><p>The online edition of this book was created by the Safari
-production group (John Chodacki, Becki Maisch, and Madeleine Newell)
-using a set of Frame-to-XML conversion and cleanup tools written and
-maintained by Erik Ray, Benn Salter, John Chodacki, and Jeff
-Liggett.</p></div></div></body></html>
diff --git a/docs/htmldocs/using_samba/ch00.html b/docs/htmldocs/using_samba/ch00.html
new file mode 100644
index 0000000000..5a2c89feb8
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch00.html
@@ -0,0 +1,368 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Preface</h1>
+
+
+<p>You are reading a book about Samba, a software suite that networks
+Windows, Unix, and other operating systems using
+Windows' native networking protocol. Samba allows
+Unix servers to offer Windows networking services by matching the
+filesystem and networking models of Unix to those of Windows. Samba
+acts as a bridge between the two systems, connecting the
+corresponding parts of their architectures and providing a
+translation wherever necessary.</p>
+
+<p>Bridging the gap between systems as dissimilar as Windows and Unix is
+a complex task, which Samba handles surprisingly well. To be a good
+Samba administrator, your abilities must parallel
+Samba's. For starters, you need to know basic Unix
+system and network administration and have a good understanding of
+Windows filesystems and networking fundamentals. In addition, you
+need to learn how Samba fills in the &quot;gray
+area&quot; between Unix and Windows. Once you know how
+everything fits together, you'll find it easy to
+configure a Samba server to provide your network with reliable and
+high-performance computational resources.</p>
+
+<p>Our job is to make all of that easier for you. We do this by starting
+out with a quick and yet comprehensive tour of Windows networking in
+<a href="ch01.html">Chapter 1</a>, followed by tutorially-oriented
+<a href="ch02.html">Chapter 2</a> and <a href="ch03.html">Chapter 3</a>, which tell you how to set up a minimal Samba server
+and configure Windows clients to work with it. Most likely, you will
+be surprised how quickly you can complete the required tasks.</p>
+
+<p>We believe that a hands-on approach is the most effective, and you
+can use the Samba server you build in <a href="ch02.html">Chapter 2</a> and <a href="ch03.html">Chapter 3</a> as a test
+system for trying out examples that we show and describe throughout
+the book. You can jump around from chapter to chapter if you like,
+but if you continue sequentially from <a href="ch04.html">Chapter 4</a>
+onward, by the time you finish the book you will have a
+well-configured production Samba server ready for use. All you have
+to do is add the appropriate support for your intended purpose as we
+explain how to use each feature.</p>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-1"/>
+
+<h2 class="head1">Audience for This Book</h2>
+
+<p>This book is primarily intended for Unix administrators who need to
+support Windows clients on their network, as well as anyone who needs
+to access the resources of a Windows network environment from a Unix
+client. While we assume you are familiar with basic Unix system
+administration, we do <em class="emphasis">not</em> assume you are a
+networking expert. We do our best along the way to help out with
+unusual definitions and terms.</p>
+
+<p>Furthermore, we don't assume that you are an expert
+in Microsoft Windows. We carefully explain all the essential concepts
+related to Windows networking, and we go through the Windows side of
+the installation task in considerable detail, providing examples for
+both Windows 95/98/Me and Windows NT/2000/XP, which are significantly
+different. For the Unix side, we give examples that work with common
+Unix operating systems, such as Linux, Solaris, FreeBSD, and Mac OS
+X.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-2"/>
+
+<h2 class="head1">Organization</h2>
+
+<p>Here is a quick description of each chapter:</p>
+
+<p><a href="ch01.html">Chapter 1</a> introduces Samba and its capabilities,
+then describes the most important concepts of NetBIOS and SMB/CIFS
+networking. Finally, we give you a quick overview of the daemons and
+utilities that are included in the Samba distribution.</p>
+
+<p><a href="ch02.html">Chapter 2</a> covers configuring, compiling,
+installing, setting up, and testing the Samba server on a Unix
+platform.</p>
+
+<p><a href="ch03.html">Chapter 3</a> explains how to configure Microsoft
+Windows 95/98/Me and Windows NT/2000/XP clients to participate in an
+SMB network.</p>
+
+<p><a href="ch04.html">Chapter 4</a> explains the ins and outs of Windows NT
+domains and how to configure Samba to work in a network set up as a
+Windows NT domain.</p>
+
+<p><a href="ch05.html">Chapter 5</a> describes methods for accessing SMB
+shares on the network from Unix client systems.</p>
+
+<p><a href="ch06.html">Chapter 6</a>
+gets you up to speed on the structure of the Samba
+configuration file and shows you how to take control of file-sharing
+services.</p>
+
+<p><a href="ch07.html">Chapter 7</a> introduces name resolution, which is
+used to convert NetBIOS computer names into IP addresses, and
+browsing, the method used in SMB networking to find what resources
+are being shared on the network.</p>
+
+<p><a href="ch08.html">Chapter 8</a> continues the discussion of file-sharing options, and
+covers more advanced functions such as permissions, access control
+lists, opportunistic locks, and setting up a Distributed filesystem
+tree.</p>
+
+<p><a href="ch09.html">Chapter 9</a> discusses how
+to set up Samba users, introduces you to Samba security, and shows
+you how to work with encrypted and nonencrypted passwords.</p>
+
+<p><a href="ch10.html">Chapter 10</a>
+discusses printer setup for sharing Unix printers on the
+SMB network, and allowing Unix workstations to access SMB shared
+printers.</p>
+
+<p><a href="ch11.html">Chapter 11</a>
+bundles several miscellaneous topics associated with
+Samba, such as configuring Samba shares for programmers and
+internationalization issues.</p>
+
+<p><a href="ch12.html">Chapter 12</a> details what to do if
+you have problems installing Samba. This comparatively
+large chapter is packed with troubleshooting hints and strategies for
+identifying what is going wrong.</p>
+
+<p><a href="appa.html">Appendix A</a> provides working examples of
+<em class="filename">smb.conf</em> files for use in configuring Samba for
+its more common applications. You can easily modify the examples for
+use in a wide variety of circumstances.</p>
+
+<p><a href="appb.html">Appendix B</a> covers each option that can be used in
+the Samba configuration file.</p>
+
+<p><a href="appc.html">Appendix C</a> is a quick reference that covers each
+server daemon and tool that make up the Samba suite.</p>
+
+<p><a href="appd.html">Appendix D</a> explains how to download the latest
+development version of the Samba source code using CVS.</p>
+
+<p><a href="appe.html">Appendix E</a> documents each option that can be used
+with the <em class="emphasis">configure</em> command before compiling the
+Samba source code.</p>
+
+<p><a href="appf.html">Appendix F</a> includes directions for sharing files
+and printers with the Server edition of Mac OS X.</p>
+
+<p><a href="appg.html">Appendix G</a> is the copyright license under which
+this book is published.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-3"/>
+
+<h2 class="head1">Conventions Used in This Book</h2>
+
+<p>The following font conventions are followed throughout this book:</p>
+
+<dl>
+<dt><b>Italic </b></dt>
+<dd>
+<p>Filenames, file extensions, URLs, executable files, command options,
+and emphasis.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">Constant</tt> <tt class="literal">width</tt> </b></dt>
+<dd>
+<p>Samba configuration options, computer names, user and group names,
+hostnames, domain names, other code that appears in the text, and
+command-line information that should be typed verbatim on the screen.</p>
+</dd>
+
+
+
+<dt><b><tt class="userinput"><b>Constant width bold</b></tt> </b></dt>
+<dd>
+<p>Commands that are entered by the user and new configuration options
+that we wish to bring to the attention of the reader.</p>
+</dd>
+
+
+
+<dt><b><em class="replaceable">Constant width italic</em></b></dt>
+<dd>
+<p>Replaceable content in code and command-line information.</p>
+</dd>
+
+</dl>
+
+<a name="samba2-PREFACE-2-NOTE-82"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>This designates a note, which is an important aside to the nearby
+text.</p>
+</blockquote>
+<a name="samba2-PREFACE-2-NOTE-83"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>This designates a warning related to the nearby text.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-4"/>
+
+<h2 class="head1">How to Contact Us</h2>
+
+<p>We have tested and verified the information in this book to the best
+of our ability, but you might find that features have changed (or
+even that we have made mistakes!). Please let us know about any
+errors you find, as well as your suggestions for future editions, by
+writing to:</p>
+
+<blockquote class="simplelist">
+
+<p>O'Reilly &amp; Associates, Inc.</p>
+
+<p>1005 Gravenstein Highway North</p>
+
+<p>Sebastopol, CA 95472</p>
+
+<p>(800) 998-9938 (in the United States or Canada)</p>
+
+<p>(707) 829-0515 (international/local)</p>
+
+<p>(707) 829-0104 (fax)</p>
+
+</blockquote>
+
+<p>To ask technical questions or comment on the book, send email to:</p>
+
+<blockquote class="simplelist">
+
+<p><em class="email">bookquestions@oreilly.com</em></p>
+
+</blockquote>
+
+<p>We have a web page for this book where we list examples and any plans
+for future editions. You can access this information at:</p>
+
+<blockquote class="simplelist">
+
+<p><a href="http://www.oreilly.com/catalog/samba2">http://www.oreilly.com/catalog/samba2</a></p>
+
+</blockquote>
+
+<p>You can also contact Jay Ts, the lead author of this edition, through
+his web site at:</p>
+
+<blockquote class="simplelist">
+
+<p><a href="http://www.jayts.com">http://www.jayts.com</a></p>
+
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-5"/>
+
+<h2 class="head1">Acknowledgments</h2>
+
+<p>We thank Leon Towns-von Stauber for thoroughly researching the use of
+Samba on Mac OS X and writing material that appears in <a href="ch02.html">Chapter 2</a>, <a href="ch05.html">Chapter 5</a>, and <a href="ch10.html">Chapter 10</a>, as well as the entire <a href="appf.html">Appendix F</a>. We also thank our technical reviewers Sam
+Johnston, Matthew Temple, Marty Leisner, and Don McCall.</p>
+
+
+<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.1"/>
+
+<h3 class="head2">Jay Ts</h3>
+
+<p>This book would have been extremely difficult to write if it
+hadn't been for the copy of VMware Workstation
+graciously provided by VMware, Inc. I want to thank Rik Farrow for
+his clarifying comments on security topics related to Samba and
+Windows, and both him and Rose Moon for their supportive friendship.
+Thanks also go to Mark Watson for his encouragement and advice on the
+topic of authoring technical books. Additionally,
+I'd like to express my appreciation to Andy Oram at
+O'Reilly for being a supportive, friendly, and
+easygoing editor, and for offering me terms that I could say yes
+to&mdash;something that a few other publishers
+didn't even approach. SuSE, Inc. generously provided
+a copy of SuSE Linux 8.1 Professional.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.2"/>
+
+<h3 class="head2">Robert Eckstein</h3>
+
+<p>I'd first like to recognize Dave Collier-Brown and
+Peter Kelly for all their help in the creation of this book.
+I'd also like to thank each technical reviewer who
+helped polish this book into shape on such short notice: Matthew
+Temple, Jeremy Allison, and of course Andrew Tridgell. Andrew and
+Jeremy deserve special recognition, not only for creating such a
+wonderful product, but also for providing a tireless amount of
+support in the final phase of this book&mdash;hats off to you, guys!
+A warm hug goes out to my wife Michelle, who once again put up with a
+husband loaded down with too much caffeine and a tight schedule.
+Thanks to Dave Sifry and the people at LinuxCare, San Francisco, for
+hosting me on such short notice for Andrew
+Tridgell's visit. And finally, a huge amount of
+thanks to our editor, Andy Oram, who (very) patiently helped guide
+this book through its many stages until we got it right.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.3"/>
+
+<h3 class="head2">David Collier-Brown</h3>
+
+<p>I'd particularly like to thank Joyce, who put up
+with me during the sometimes exciting development of the book. My
+thanks to Andy Oram, who was kind enough to provide the criticism
+that allowed me to contribute; the crew at ACE (Opcom) who humored
+the obvious madman in their midst; and Ian MacMillan, who voluntarily
+translated several of my early drafts from nerd to English. I would
+also like to give special thanks to Perry Donham, Drew Sullivan, and
+Jerry DeRoo for starting and sustaining this mad project. Finally,
+I'd like to thank Bob Eckstein for a final,
+sustained, and professional effort that lifted the whole book up to
+the level that Andy needed.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.4"/>
+
+<h3 class="head2">All</h3>
+
+<p>We would especially like to give thanks to Perry Donham and Peter
+Kelly for helping mold the first draft of this book. Although Perry
+was unable to contribute to subsequent drafts, his material was
+essential to getting this book off on the right foot. In addition,
+some of the browsing material came from text originally written by
+Dan Shearer for O'Reilly.</p>
+
+
+</div>
+
+
+</div>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/ch01.html b/docs/htmldocs/using_samba/ch01.html
new file mode 100644
index 0000000000..98a687f08e
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch01.html
@@ -0,0 +1,3193 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 1. Learning the Samba</h1>
+
+
+<p><a name="INDEX-1"/>Samba
+is an extremely useful networking tool for anyone who has both
+Windows and Unix systems on his network. Running on a Unix system, it
+allows Windows to share files and printers on the Unix host, and it
+also allows Unix users to access resources shared by Windows systems.</p>
+
+<p>Although it might seem natural to use a Windows server to serve files
+and printers to a network containing Windows clients, there are good
+reasons for preferring a Samba server for this duty. Samba is
+reliable software that runs on reliable Unix operating systems,
+resulting in fewer problems and a low cost of maintenance. Samba also
+offers better performance under heavy loads, outperforming Windows
+2000 Server by a factor of 2 to 1 on identical PC hardware, according
+to published third-party benchmarks. When common, inexpensive PC
+hardware fails to meet the demands of a huge client load, the Samba
+server can easily be moved to a proprietary &quot;big
+iron&quot; Unix mainframe, which can outperform Windows
+running on a PC many times. If all that weren't
+enough, Samba has a very nice cost advantage: it's
+free. Not only is the software itself freely available, but also no
+client licenses are required, and it runs on high-quality, free
+operating systems such as Linux and FreeBSD.</p>
+
+<p>After reading the previous paragraph, you might come to the
+conclusion that Samba is commonly used by large organizations with
+thousands of users on their networks&mdash;and you'd
+be right! But Samba's user base includes
+organizations all over the planet, of all types and sizes: from
+international corporations, to medium and small businesses, to
+individuals who run Samba on their Linux laptops. In the last case, a
+tool such as VMware is used to run Windows on the same computer, with
+Samba enabling the two operating systems to share files.</p>
+
+<p>The types of users vary even more&mdash;Samba is used by
+corporations, banks and other financial institutions, government and
+military organizations, schools, public libraries, art galleries,
+families, and even authors! This book was developed on a Linux system
+running VMware and Windows 2000, with Adobe FrameMaker running on
+Windows and the document files served by Samba from the Linux
+filesystem.</p>
+
+<p>Does all this whet your technological appetite? If so, we encourage
+you to keep reading, learn about Samba, and follow our examples to
+set up a Samba server of your own. In this and upcoming chapters, we
+will tell you exactly how to get started.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-1"/>
+
+<h2 class="head1">What Is Samba?</h2>
+
+<p><a name="INDEX-2"/>Samba
+is a suite of Unix applications that speak the
+<a name="INDEX-3"/><a name="INDEX-4"/>Server
+Message Block (SMB) protocol. Microsoft Windows operating systems and
+the OS/2 operating system use SMB to perform client-server networking
+for file and printer sharing and associated operations. By supporting
+this protocol, Samba enables computers running Unix to get in on the
+action, communicating with the same networking protocol as Microsoft
+Windows and appearing as another Windows system on the network from
+the perspective of a Windows client. A <a name="INDEX-5"/>Samba
+server offers the following services:</p>
+
+<ul><li>
+<p>Share one or more directory trees</p>
+</li><li>
+<p>Share one or more Distributed filesystem (Dfs) trees</p>
+</li><li>
+<p>Share printers installed on the server among Windows clients on the
+network</p>
+</li><li>
+<p>Assist clients with network browsing</p>
+</li><li>
+<p>Authenticate clients logging onto a Windows domain</p>
+</li><li>
+<p>Provide or assist with Windows Internet Name Service (WINS)
+name-server resolution</p>
+</li></ul>
+<p>The Samba suite also includes client tools that allow users on a Unix
+system to access folders and printers that Windows systems and Samba
+servers offer on the network.</p>
+
+<p>Samba is the brainchild of Andrew <a name="INDEX-6"/>Tridgell, who currently heads the Samba
+development team. Andrew started the project in 1991, while working
+with a Digital Equipment Corporation (DEC) software suite called
+Pathworks, created for connecting DEC VAX computers to computers made
+by other companies. Without knowing the significance of what he was
+doing, Andrew created a file-server program for an odd protocol that
+was part of Pathworks. That protocol later turned out to be SMB. A
+few years later, he expanded upon his custom-made SMB server and
+began distributing it as a product on the Internet under the name
+&quot;SMB Server.&quot; However, Andrew
+couldn't keep that name&mdash;it already belonged to
+another company's product&mdash;so he tried the
+following Unix renaming approach:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>grep -i '^s.*m.*b' /usr/dict/words</b></tt></pre></blockquote>
+
+<p>And the response was:</p>
+
+<blockquote><pre class="code">salmonberry
+samba
+sawtimber
+scramble</pre></blockquote>
+
+<p>Thus, the name &quot;Samba&quot; was born.</p>
+
+<p>Today, the Samba suite revolves around a pair of Unix daemons that
+provide shared resources&mdash;called <em class="firstterm">shares
+</em>or s<em class="firstterm">ervices</em>&mdash;to SMB clients
+on the network. These are:</p>
+
+<dl>
+<dt><b><a name="INDEX-7"/>smbd</b></dt>
+<dd>
+<p>A daemon that handles file and printer sharing and provides
+authentication and authorization for SMB clients.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-8"/>nmbd</b></dt>
+<dd>
+<p>A daemon that supports NetBIOS Name Service and WINS, which is
+Microsoft's implementation of a NetBIOS Name Server
+(NBNS). It also assists with network browsing.</p>
+</dd>
+
+</dl>
+
+<p>Samba is currently maintained and extended by a group of volunteers
+under the active supervision of Andrew Tridgell. Like the Linux
+operating system, Samba is distributed as open source software
+(<a href="http://opensource.org">http://opensource.org</a>) by its
+authors and is distributed under the GNU General Public License
+(GPL). Since its inception, development of Samba has been sponsored
+in part by the Australian National University, where Andrew Tridgell
+earned his Ph.D. Since then, many other organizations have sponsored
+Samba developers, including LinuxCare, VA Linux Systems,
+Hewlett-Packard, and IBM. It is a true testament to Samba that both
+commercial and noncommercial entities are prepared to spend money to
+support an open source effort.</p>
+
+<p>Microsoft has also contributed by offering its definition of the SMB
+protocol to the Internet Engineering Task Force (IETF) in 1996 as the
+<a name="INDEX-9"/><a name="INDEX-10"/>Common
+Internet File System (CIFS). Although we prefer to use the term
+&quot;SMB&quot; in this book, you will also
+often find the protocol being referred to as
+&quot;CIFS.&quot; This is especially true on
+Microsoft's web site.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-2"/>
+
+<h2 class="head1">What Can Samba Do for Me?</h2>
+
+<p><a name="INDEX-11"/>As explained earlier, Samba can help
+Windows and Unix computers coexist in the same network. However,
+there are some specific reasons why you might want to set up a Samba
+server on your network:</p>
+
+<ul><li>
+<p>You don't want to pay for&mdash;or
+can't afford&mdash;a full-fledged Windows server,
+yet you still need the functionality that one provides.</p>
+</li><li>
+<p>The Client Access Licenses (CALs) that Microsoft requires for each
+Windows client to access a Windows server are unaffordable.</p>
+</li><li>
+<p>You want to provide a common area for data or user directories to
+transition from a Windows server to a Unix one, or vice versa.</p>
+</li><li>
+<p>You want to share printers among Windows and Unix workstations.</p>
+</li><li>
+<p>You are supporting a group of computer users who have a mixture of
+Windows and Unix computers.</p>
+</li><li>
+<p>You want to integrate Unix and Windows authentication, maintaining a
+single database of user accounts that works with both systems.</p>
+</li><li>
+<p>You want to network Unix, Windows, Macintosh (OS X), and other
+systems using a single protocol.</p>
+</li></ul>
+<p>Let's take a quick tour of
+<a name="INDEX-12"/>Samba in action. Assume that we have
+the following basic network configuration: a Samba-enabled Unix
+system, to which we will assign the name <tt class="literal">toltec</tt>,
+and a pair of Windows clients, to which we will assign the names
+<tt class="literal">maya</tt> and <tt class="literal">aztec</tt>, all connected
+via a local area network (LAN). Let's also assume
+that <tt class="literal">toltec</tt> also has a local inkjet printer
+connected to it, <tt class="literal">lp</tt>, and a disk share named
+<tt class="literal">spirit</tt>&mdash;both of which it can offer to the
+other two computers. A graphic of this network is shown in <a href="ch01.html#samba2-CHP-1-FIG-1">Figure 1-1</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-1"/><img src="figs/sam2_0101.gif"/></div><h4 class="head4">Figure 1-1. A simple network set up with a Samba server</h4>
+
+<p>In this network, each computer listed shares the same
+<em class="firstterm">workgroup</em>. A workgroup is a group name tag
+that identifies an arbitrary collection of computers and their
+resources on an SMB network. Several workgroups can be on the network
+at any time, but for our basic network example,
+we'll have only one: the METRAN workgroup.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-2.1"/>
+
+<h3 class="head2">Sharing a Disk Service</h3>
+
+<p><a name="INDEX-13"/><a name="INDEX-14"/><a name="INDEX-15"/>If everything is properly
+configured, we should be able to see the Samba server,
+<tt class="literal">toltec</tt>, through the Network Neighborhood of the
+<tt class="literal">maya</tt> Windows desktop. In fact, <a href="ch01.html#samba2-CHP-1-FIG-2">Figure 1-2</a> shows the Network Neighborhood of the
+<tt class="literal">maya</tt> computer, including <tt class="literal">toltec</tt>
+and each computer that resides in the METRAN workgroup. Note the
+Entire Network icon at the top of the list. As we just mentioned,
+more than one workgroup can be on an SMB network at any given time.
+If a user clicks the Entire Network icon, she will see a list of all
+the workgroups that currently exist on the network.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-2"/><img src="figs/sam2_0102.gif"/></div><h4 class="head4">Figure 1-2. The Network Neighborhood directory</h4>
+
+<p>We can take a closer look at the <tt class="literal">toltec</tt> server by
+double-clicking its icon. This contacts <tt class="literal">toltec</tt>
+itself and requests a list of its
+<em class="firstterm">shares</em>&mdash;the file and printer
+resources&mdash;that the computer provides. In this case, a printer
+named <tt class="literal">lp</tt>, a home directory named
+<tt class="literal">jay</tt>, and a disk share named
+<tt class="literal">spirit</tt> are on the server, as shown in <a href="ch01.html#samba2-CHP-1-FIG-3">Figure 1-3</a>. Note that the Windows display shows hostnames
+in mixed case (Toltec). Case is irrelevant in hostnames, so you might
+see toltec, Toltec, and TOLTEC in various displays or command output,
+but they all refer to a single system. Thanks to Samba, Windows 98
+sees the Unix server as a valid SMB server and can access the
+<tt class="literal">spirit</tt> folder as if it were just another system
+folder.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-3"/><img src="figs/sam2_0103.gif"/></div><h4 class="head4">Figure 1-3. Shares available on the Toltec server as viewed from maya</h4>
+
+<p>One popular Windows feature is the ability to map a drive letter
+(such as E:, F:, or Z:) to a shared directory on the network using
+the Map Network Drive option in Windows Explorer.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a>
+Once you do so, your applications can access the folder across the
+network using the drive letter. You can store data on it, install and
+run programs from it, and even password-protect it against unwanted
+visitors. See <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a> for an example of mapping
+a <a name="INDEX-16"/><a name="INDEX-17"/>drive letter to a network
+directory.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-4"/><img src="figs/sam2_0104.gif"/></div><h4 class="head4">Figure 1-4. Mapping a network drive to a Windows drive letter</h4>
+
+<p>Take a look at the Path: entry in the dialog box of <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a>. An equivalent way to represent a directory on
+a network computer is by using two backslashes, followed by the name
+of the networked computer, another backslash, and the networked
+directory of the computer, as shown here:</p>
+
+<blockquote><pre class="code">\\<em class="replaceable">network-computer</em>\<em class="replaceable">directory</em></pre></blockquote>
+
+<p>This is known as the <em class="firstterm"/><a name="INDEX-18"/>Universal
+Naming Convention (UNC)</em>  in the Windows world. For example, the dialog
+box in <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a> represents the network directory
+on the <tt class="literal">toltec</tt> server as:</p>
+
+<blockquote><pre class="code">\\toltec\spirit</pre></blockquote>
+
+<p>If this looks somewhat familiar to you, you're
+probably thinking of <em class="firstterm">uniform resource
+locators</em><a name="INDEX-19"/><a name="INDEX-20"/> (URLs), which are addresses that web
+browsers such as Netscape Navigator and Internet Explorer use to
+resolve systems across the Internet. Be sure not to confuse the two:
+URLs such as <a href="http://www.oreilly.com">http://www.oreilly.com</a> use forward slashes
+instead of backslashes, and they precede the initial slashes with the
+data transfer protocol (i.e., ftp, http) and a colon (:). In reality,
+URLs and UNCs are two completely separate things, although sometimes
+you can specify an SMB share using a URL rather than a UNC. As a URL,
+the <em class="filename">\\toltec\spirit</em> share would be specified as
+<em class="filename">smb://toltec/spirit</em>.</p>
+
+<p>Once the network drive is set up, Windows and its programs behave as
+if the networked directory were a local disk. If you have any
+applications that support multiuser functionality on a network, you
+can install those programs on the network drive.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> <a href="ch01.html#samba2-CHP-1-FIG-5">Figure 1-5</a> shows the
+resulting network drive as it would appear with other storage devices
+in the Windows 98 client. Note the pipeline attachment in the icon
+for the J: drive; this indicates that it is a network drive rather
+than a fixed drive.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-5"/><img src="figs/sam2_0105.gif"/></div><h4 class="head4">Figure 1-5. The Network directory mapped to the client drive letter J</h4>
+
+<p>My Network Places, found in Windows Me, 2000, and XP, works
+differently from Network Neighborhood. It is necessary to click a few
+more icons, but eventually we can get to the view of the
+<tt class="literal">toltec</tt> server as shown in <a href="ch01.html#samba2-CHP-1-FIG-6">Figure 1-6</a>. This is from a Windows 2000 system. Setting
+up the network drive using the Map Network Drive option in Windows
+2000 works similarly to other Windows versions. <a name="INDEX-21"/><a name="INDEX-22"/><a name="INDEX-23"/></p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-6"/><img src="figs/sam2_0106.gif"/></div><h4 class="head4">Figure 1-6. Shares available on Toltec (viewed from dine)</h4>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-2.2"/>
+
+<h3 class="head2">Sharing a Printer</h3>
+
+<p><a name="INDEX-24"/><a name="INDEX-25"/><a name="INDEX-26"/>You probably noticed that the printer
+<tt class="literal">lp</tt> appeared under the available shares for
+<tt class="literal">toltec</tt> in <a href="ch01.html#samba2-CHP-1-FIG-3">Figure 1-3</a>. This
+indicates that the Unix server has a printer that can be shared by
+the various SMB clients in the workgroup. Data sent to the printer
+from any of the clients will be spooled on the Unix server and
+printed in the order in which it is received.</p>
+
+<p><a name="INDEX-27"/><a name="INDEX-28"/>Setting up a Samba-enabled
+printer on the Windows side is even easier than setting up a disk
+share. By double-clicking the printer and identifying the
+manufacturer and model, you can install a driver for this printer on
+the Windows client. Windows can then properly format any information
+sent to the network printer and access it as if it were a local
+printer. On Windows 98, double-clicking the Printers icon in the
+Control Panel opens the Printers window shown in <a href="ch01.html#samba2-CHP-1-FIG-7">Figure 1-7</a>. Again, note the pipeline attachment below the
+printer, which identifies it as being on a network.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-7"/><img src="figs/sam2_0107.gif"/></div><h4 class="head4">Figure 1-7. A network printer available on Toltec</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-2.2.1"/>
+
+<h3 class="head3">Seeing things from the Unix side</h3>
+
+<p><a name="INDEX-29"/><a name="INDEX-30"/>As mentioned earlier, Samba
+appears in Unix as a set of daemon programs. You can view them with
+the Unix <a name="INDEX-31"/><em class="emphasis">ps</em> command; you can
+read any messages they generate through custom debug files or the
+Unix <em class="emphasis">syslog</em> (depending on how Samba is set up);
+and you can configure them from a single Samba configuration file:
+<em class="emphasis">smb.conf</em>. In addition, if you want to get an idea of
+what the daemons are doing, Samba has a program called
+<em class="emphasis">smbstatus</em><a name="INDEX-32"/> that will lay it all on the line. Here
+is how it works:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbstatus</b></tt>
+Processing section &quot;[homes]&quot;
+Processing section &quot;[printers]&quot;
+Processing section &quot;[spirit]&quot;
+
+Samba version 2.2.6
+Service     uid    gid    pid     machine
+-----------------------------------------
+spirit      jay    jay    7735    maya     (172.16.1.6) Sun Aug 12 12:17:14 2002
+spirit      jay    jay    7779    aztec    (172.16.1.2) Sun Aug 12 12:49:11 2002
+jay         jay    jay    7735    maya     (172.16.1.6) Sun Aug 12 12:56:19 2002
+
+Locked files:
+Pid    DenyMode   R/W        Oplock     Name
+--------------------------------------------------
+7735   DENY_WRITE RDONLY     NONE       /u/RegClean.exe   Sun Aug 12 13:01:22 2002
+
+Share mode memory usage (bytes):
+   1048368(99%) free + 136(0%) used + 72(0%) overhead = 1048576(100%) total</pre></blockquote>
+
+<p>The Samba status from this output provides three sets of data, each
+divided into separate sections. The first section tells which systems
+have connected to the Samba server, identifying each client by its
+machine name (<tt class="literal">maya</tt> and <tt class="literal">aztec</tt>)
+and IP (Internet Protocol) address. The second section reports the
+name and status of the files that are currently in use on a share on
+the server, including the read/write status and any locks on the
+files. Finally, Samba reports the amount of memory it has currently
+allocated to the shares that it administers, including the amount
+actively used by the shares plus additional overhead. (Note that this
+is not the same as the total amount of memory that the
+<em class="emphasis">smbd</em> or <em class="emphasis">nmbd</em> processes are
+using.)</p>
+
+<p>Don't worry if you don't understand
+these statistics; they will become easier to understand as you move
+through the book.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-3"/>
+
+<h2 class="head1">Getting Familiar with an SMB Network</h2>
+
+<p><a name="INDEX-33"/>Now that you have had a brief tour of
+Samba, let's take some time to get familiar with
+Samba's adopted environment: an SMB network.
+Networking with SMB is significantly different from working with
+common TCP/IP protocols such as FTP and Telnet because there are
+several new concepts to learn and a lot of information to cover.
+First, we will discuss the basic concepts behind an SMB network,
+followed by some Microsoft implementations of it, and finally we will
+show you where a Samba server can and cannot fit into the picture.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.1"/>
+
+<h3 class="head2">Understanding NetBIOS</h3>
+
+<p>To begin, let's step back in time. In 1984, IBM
+authored a simple application programming interface (API) for
+networking its computers, called the <em class="firstterm">Network Basic
+Input/Output System
+</em>(<a name="INDEX-34"/>NetBIOS).
+The NetBIOS API provided a rudimentary design for an application to
+connect and share data with other computers.</p>
+
+<p>It's helpful to think of the NetBIOS API as
+networking extensions to the standard BIOS API calls. The BIOS
+contains low-level code for performing filesystem operations on the
+local computer. NetBIOS originally had to exchange instructions with
+computers across IBM PC or Token Ring networks. It therefore required
+a low-level transport protocol to carry its requests from one
+computer to the next.</p>
+
+<p>In late 1985, IBM released one such protocol, which it merged with
+the NetBIOS API to become the <em class="firstterm">NetBIOS Extended User
+Interface</em> (<em class="emphasis">NetBEUI</em> ).
+<a name="INDEX-35"/>NetBEUI was
+designed for small LANs, and it let each computer claim a name (up to
+15 characters) that wasn't already in use on the
+network. By a &quot;small LAN,&quot; we mean
+fewer than 255 nodes on the network&mdash;which was considered a
+generous number in 1985!</p>
+
+<p>The NetBEUI protocol was very popular with networking applications,
+including those running under Windows for Workgroups. Later,
+implementations of NetBIOS over Novell's IPX
+networking protocols also emerged, which competed with NetBEUI.
+However, the networking protocols of choice for the burgeoning
+Internet community were TCP/IP and UDP/IP, and implementing the
+NetBIOS APIs over those protocols soon became a necessity.</p>
+
+<p>Recall that TCP/IP uses numbers to represent computer addresses
+(192.168.220.100, for instance) while NetBIOS uses only names. This
+was a major issue when trying to mesh the two protocols together. In
+1987, the IETF published standardization documents, titled RFC 1001
+and 1002, that outlined how NetBIOS would work over a TCP/UDP
+network. This set of documents still governs each implementation that
+exists today, including those provided by Microsoft with its Windows
+operating systems, as well as the Samba suite.</p>
+
+<p>Since then, the standard that this document governs has become known
+as <em class="firstterm">NetBIOS over
+TCP/IP</em><a name="INDEX-36"/><a name="INDEX-37"/><a name="INDEX-38"/>, or NBT for short.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> </p>
+
+<p>The NBT standard (RFC 1001/1002)
+currently outlines a trio of services on a network:</p>
+
+<ul><li>
+<p>A name service</p>
+</li><li>
+<p>Two communication services:</p>
+<ul><li>
+<p>Datagrams</p>
+</li>
+
+<li>
+<p>Sessions</p>
+</li></ul>
+</li>
+</ul>
+
+<p>The <a name="INDEX-39"/>name
+service solves the name-to-address problem mentioned earlier; it
+allows each computer to declare a specific name on the network that
+can be translated to a machine-readable IP address, much like
+today's Domain Name System (DNS) on the Internet.
+The <a name="INDEX-40"/>datagram and <a name="INDEX-41"/>session services are both
+secondary communication protocols used to transmit data back and
+forth from NetBIOS computers across the network.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.2"/>
+
+<h3 class="head2">Getting a Name</h3>
+
+<p><a name="INDEX-42"/><a name="INDEX-43"/>In the NetBIOS world, when each
+computer comes online, it wants to claim a name for itself; this is
+called <em class="firstterm">name registration</em>. However, no two
+computers in the same workgroup should be able to claim the same
+name; this would cause endless confusion for any computer that wanted
+to communicate with either of them. There are two different
+approaches to ensuring that this doesn't happen:</p>
+
+<ul><li>
+<p>Use an <em class="firstterm"/>NBNS</em> to keep track of which hosts have
+registered a NetBIOS name.</p>
+</li><li>
+<p>Allow each computer on the network to defend its name in the event
+that another computer attempts to use it.</p>
+</li></ul>
+<p><a href="ch01.html#samba2-CHP-1-FIG-8">Figure 1-8</a> illustrates a (failed) name
+registration, with and without an NBNS.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-8"/><img src="figs/sam2_0108.gif"/></div><h4 class="head4">Figure 1-8. Broadcast versus NBNS name registration</h4>
+
+<p><a name="INDEX-44"/><a name="INDEX-45"/>As mentioned earlier,
+there must be a way to resolve a NetBIOS name to a specific IP
+address; this is known as <em class="firstterm">name resolution</em>.
+There are two different approaches with NBT here as well:</p>
+
+<ul><li>
+<p>Have each computer report back its IP address when it
+&quot;hears&quot; a broadcast request for its
+NetBIOS name.</p>
+</li><li>
+<p>Use an NBNS to help resolve NetBIOS names to IP addresses.</p>
+</li></ul>
+<p><a href="ch01.html#samba2-CHP-1-FIG-9">Figure 1-9</a> illustrates the two types of name
+resolution.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-9"/><img src="figs/sam2_0109.gif"/></div><h4 class="head4">Figure 1-9. Broadcast versus NBNS name resolution</h4>
+
+<p>As you might expect, having an NBNS on your network can help out
+tremendously. To see exactly why, let's look at the
+broadcast method.</p>
+
+<p>Here, when a client computer boots, it will
+<a name="INDEX-46"/>broadcast a
+message declaring that it wishes to register a specified NetBIOS name
+as its own. If nobody objects to the use of the name, it keeps the
+name. On the other hand, if another computer on the local subnet is
+currently using the requested name, it will send a message back to
+the requesting client that the name is already taken. This is known
+as <em class="firstterm">defending</em><a name="INDEX-47"/><a name="INDEX-48"/> the hostname. This type of system
+comes in handy when one client has unexpectedly dropped off the
+network&mdash;another can take its name unchallenged&mdash;but it
+does incur an inordinate amount of traffic on the network for
+something as simple as name registration.</p>
+
+<p>With an NBNS, the same thing occurs, except the communication is
+confined to the requesting computer and the NBNS. No broadcasting
+occurs when the computer wishes to register the name; the
+registration message is simply sent directly from the client to the
+NBNS, and the NBNS replies regardless of whether the name is already
+taken. This is known as <em class="firstterm">point-to-point
+communication</em><a name="INDEX-49"/>, and it is often beneficial on
+networks with more than one subnet. This is because routers are
+generally configured to block incoming packets that are broadcast to
+all computers in the subnet.</p>
+
+<p>The same principles apply to name resolution. Without an NBNS,
+NetBIOS name resolution would also be done with a broadcast
+mechanism. All request packets would be sent to each computer in the
+network, with the hope that one computer that might be affected will
+respond directly back to the computer that asked. Using an NBNS and
+point-to-point communication for this purpose is far less taxing on
+the network than flooding the network with broadcasts for every
+name-resolution request.</p>
+
+<p>It can be argued that broadcast packets do not cause significant
+problems in modern, high-bandwidth networks of hosts with fast CPUs,
+if only a small number of hosts are on the network, or the demand for
+bandwidth is low. There are certainly cases where this is true;
+however, our advice throughout this book is to avoid relying on
+broadcasts as much as possible. This is a good rule to follow for
+large, busy networks, and if you follow our advice when configuring a
+small network, your network will be able to grow without encountering
+problems later on that might be difficult to diagnose. <a name="INDEX-50"/><a name="INDEX-51"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.3"/>
+
+<h3 class="head2">Node Types</h3>
+
+<p><a name="INDEX-52"/><a name="INDEX-53"/>How can you tell what strategy each
+client on your network will use when performing name registration and
+resolution? Each computer on an NBT network earns one of the
+following designations, depending on how it handles name registration
+and resolution: <a name="INDEX-54"/><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>b-node, p-node, m-node, and h-node. The
+behaviors of each type of node are summarized in <a href="ch01.html#samba2-CHP-1-TABLE-1">Table 1-1</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-1"/><h4 class="head4">Table 1-1. NetBIOS node types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Role</p>
+</th>
+<th>
+<p>Value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>b-node</p>
+</td>
+<td>
+<p>Uses broadcast registration and resolution only.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>p-node</p>
+</td>
+<td>
+<p>Uses point-to-point registration and resolution only.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>m-node (mixed)</p>
+</td>
+<td>
+<p>Uses broadcast for registration. If successful, it notifies the NBNS
+of the result. Uses broadcast for resolution; uses the NBNS if
+broadcast is unsuccessful.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>h-node (hybrid)</p>
+</td>
+<td>
+<p>Uses the NBNS for registration and resolution; uses broadcast if the
+NBNS is unresponsive or inoperative.</p>
+</td>
+</tr>
+
+</table>
+
+<p>In the case of Windows clients, you will usually find them listed as
+h-nodes or hybrid nodes. The first three node types appear in RFC
+1001/1002, and h-nodes were invented later by Microsoft, as a more
+fault-tolerant method.</p>
+
+<p>You can find the node type of a Windows 95/98/Me computer by running
+the <em class="emphasis">winipcfg</em><a name="INDEX-58"/><a name="INDEX-59"/> command from the Start
+&rarr; Run dialog (or from an MS-DOS prompt) and clicking
+the More Info&gt;&gt; button. On Windows NT/2000/XP, you can use the
+<tt class="literal">ipconfig</tt><a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/>
+<tt class="literal">/all</tt> command in a command-prompt window. In either
+case, search for the line that says <tt class="literal">Node Type</tt>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.4"/>
+
+<h3 class="head2">What's in a Name?</h3>
+
+<p>The names <a name="INDEX-64"/><a name="INDEX-65"/>NetBIOS uses are quite different
+from the DNS hostnames you might be familiar with. First, NetBIOS
+names exist in a flat namespace. In other words, there are no
+hierarchical levels, such as in <tt class="literal">oreilly.com</tt> (two
+levels) or <em class="emphasis">ftp</em><em class="emphasis">.samba.org</em> (three
+levels). NetBIOS names consist of a single unique string such as
+<tt class="literal">navaho</tt> or <tt class="literal">hopi</tt> within each
+workgroup or domain. Second, NetBIOS names are allowed to be only 15
+characters and can consist only of standard alphanumeric characters
+(a-z, A-Z, 0-9) and the following:</p>
+
+<blockquote><pre class="code">! @ # $ % ^ &amp; ( ) - ' { } . ~</pre></blockquote>
+
+<p>Although you are allowed to use a <a name="INDEX-66"/><a name="INDEX-67"/><a name="INDEX-68"/>period (.) in a NetBIOS name, we recommend
+against it because those names are not guaranteed to work in future
+versions of NBT.</p>
+
+<p>It's not a coincidence that all valid DNS names are
+also valid NetBIOS names. In fact, the unqualified DNS name for a
+Samba server is often reused as its NetBIOS name. For example, if you
+had a system with a hostname of <tt class="literal">mixtec.ora.com</tt> ,
+its NetBIOS name would likely be MIXTEC (followed by 9 spaces).</p>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.1"/>
+
+<h3 class="head3">Resource names and types</h3>
+
+<p><a name="INDEX-69"/><a name="INDEX-70"/>With NetBIOS, a computer not
+only advertises its presence, but also tells others what types of
+services it offers. For example, <tt class="literal">mixtec</tt> can
+indicate that it's not just a workstation, but that
+it's also a file server and can receive Windows
+Messenger messages. This is done by adding a 16th byte to the end of
+the machine (resource) name, called the <em class="firstterm">resource
+type</em>, and registering the name multiple times, once for
+each service that it offers. See <a href="ch01.html#samba2-CHP-1-FIG-10">Figure 1-10</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-10"/><img src="figs/sam2_0110.gif"/></div><h4 class="head4">Figure 1-10. The structure of NetBIOS names</h4>
+
+<p>The 1-byte resource type indicates a unique service that the named
+computer provides. In this book, you will often see the resource type
+shown in angled brackets (&lt;&gt;) after the NetBIOS name, such as:</p>
+
+<blockquote><pre class="code">MIXTEC&lt;00&gt;</pre></blockquote>
+
+<p>You can see which names are registered for a particular NBT computer
+using the Windows command-line
+<em class="emphasis">nbtstat</em><a name="INDEX-71"/> utility.
+Because these services are unique (i.e., there cannot be more than
+one registered), you will see them listed as type UNIQUE in the
+output. For example, the following partial output describes the
+<tt class="literal">toltec</tt> server:</p>
+
+<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>nbtstat -a toltec</b></tt>
+
+       NetBIOS Remote Machine Name Table
+   Name               Type         Status
+---------------------------------------------
+TOLTEC          &lt;00&gt;  UNIQUE      Registered
+TOLTEC          &lt;03&gt;  UNIQUE      Registered
+TOLTEC          &lt;20&gt;  UNIQUE      Registered
+...</pre></blockquote>
+
+<p>This says the server has registered the NetBIOS name
+<tt class="literal">toltec</tt> as a machine (computer) name, as a
+recipient of messages from the Windows Messenger service, and as a
+file server. Some possible attributes a name can have are listed in
+<a href="ch01.html#samba2-CHP-1-TABLE-2">Table 1-2</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-2"/><h4 class="head4">Table 1-2. NetBIOS unique resource types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Named resource</p>
+</th>
+<th>
+<p>Hexadecimal byte value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Standard Workstation Service</p>
+</td>
+<td>
+<p>00</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Messenger Service</p>
+</td>
+<td>
+<p>03</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>RAS Server Service</p>
+</td>
+<td>
+<p>06</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Domain Master Browser Service (associated with primary domain controller)</p>
+</td>
+<td>
+<p>1B</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Master Browser name</p>
+</td>
+<td>
+<p>1D</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>NetDDE Service</p>
+</td>
+<td>
+<p>1F</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Fileserver (including printer server)</p>
+</td>
+<td>
+<p>20</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>RAS Client Service</p>
+</td>
+<td>
+<p>21</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Network Monitor Agent</p>
+</td>
+<td>
+<p>BE</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Network Monitor Utility</p>
+</td>
+<td>
+<p>BF</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.2"/>
+
+<h3 class="head3">Group names and types</h3>
+
+<p>SMB also uses the concept of groups, with which computers can
+register themselves. Earlier we mentioned that the computers in our
+example belonged to a
+<em class="firstterm">workgroup</em><a name="INDEX-73"/>,
+which is a partition of computers on the same network. For example, a
+business might very easily have an ACCOUNTING and a SALES workgroup,
+each with different servers and printers. In the Windows world, a
+workgroup and an
+<a name="INDEX-74"/>SMB
+group are the same thing.</p>
+
+<p>Continuing our
+<em class="emphasis">nbtstat</em><a name="INDEX-75"/> example,
+the <tt class="literal">toltec</tt> Samba server is also a member of the
+METRAN workgroup (the GROUP attribute hex 00) and will participate in
+elections for the browse master (GROUP attribute 1E). Here is the
+remainder of the <em class="emphasis">nbtstat</em> output:</p>
+
+<blockquote><pre class="code">       NetBIOS Remote Machine Name Table
+   Name               Type         Status
+---------------------------------------------
+METRAN         &lt;00&gt;   GROUP       Registered
+METRAN         &lt;1E&gt;   GROUP       Registered
+..__MSBROWSE__.&lt;01&gt;   GROUP       Registered</pre></blockquote>
+
+<p>The possible group attributes a computer can have are illustrated in
+<a href="ch01.html#samba2-CHP-1-TABLE-3">Table 1-3</a>. More
+<a name="INDEX-76"/><a name="INDEX-77"/>information
+is available in <em class="emphasis">Windows NT in a Nutshell</em> by Eric
+<a name="INDEX-78"/>Pearce, also
+published by O'Reilly.</p>
+
+<a name="samba2-CHP-1-TABLE-3"/><h4 class="head4">Table 1-3. NetBIOS group resource types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Named resource</p>
+</th>
+<th>
+<p>Hexadecimal byte value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Standard Workstation group</p>
+</td>
+<td>
+<p>00</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Logon server</p>
+</td>
+<td>
+<p>1C</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Master Browser name</p>
+</td>
+<td>
+<p>1D</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Normal Group name (used in browser elections)</p>
+</td>
+<td>
+<p>1E</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Internet Group name (administrative)</p>
+</td>
+<td>
+<p>20</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">&lt;01&gt;&lt;02&gt;_ _MSBROWSE_ _&lt;02&gt;</tt></p>
+</td>
+<td>
+<p>01</p>
+</td>
+</tr>
+
+</table>
+
+<p>The final entry, <tt class="literal">_ _ MSBROWSE _ _</tt>
+<a name="INDEX-80"/>, is used to announce a group to other
+master browsers. The nonprinting characters in the name show up as
+dots in an <em class="emphasis">nbtstat</em> printout.
+Don't worry if you don't understand
+all of the resource or group types. Some of them you will not need
+with Samba, and others you will pick up as you move through the rest
+of the chapter. The important thing to remember here is the logistics
+of the naming mechanism.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.3"/>
+
+<h3 class="head3">Scope ID</h3>
+
+<p>In the dark ages of SMB networking before NetBIOS groups were
+introduced, you could use a very primitive method to isolate groups
+of computers from the rest of the network. Each SMB packet contains a
+field called the <em class="firstterm">scope
+ID</em><a name="INDEX-81"/><a name="INDEX-82"/>, with the idea being that
+systems on the network could be configured to accept only packets
+with a scope ID matching that of their configuration. This feature
+was hardly ever used and unfortunately lingers in modern
+implementations. Some of the utilities included in the Samba
+distribution allow the scope ID to be set. Setting the scope ID in a
+network is likely to cause problems, and we are mentioning scope ID
+only so that you will not be confused by it when you later encounter
+it in various places.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.5"/>
+
+<h3 class="head2">Datagrams and Sessions</h3>
+
+<p>At this point, let's digress to discuss the
+responsibility of NBT: to provide connection services between two
+NetBIOS computers.
+<a name="INDEX-83"/>NBT
+offers two services: the <em class="firstterm">session
+service</em><a name="INDEX-84"/> and the
+<em class="firstterm">datagram service</em><a name="INDEX-85"/>.
+Understanding how these two services work is not essential to using
+Samba, but it does give you an idea of how NBT works and how to
+troubleshoot Samba when it doesn't work.</p>
+
+<p>The datagram service has no stable connection between computers.
+Packets of data are simply sent or broadcast from one computer to
+another, without regard to the order in which they arrive at the
+destination, or even if they arrive at all. The use of datagrams
+requires less processing overhead than sessions, although the
+reliability of the connection can suffer. Datagrams, therefore, are
+used for quickly sending nonvital blocks of data to one or more
+computers. The datagram service communicates using the simple
+primitives shown in <a href="ch01.html#samba2-CHP-1-TABLE-4">Table 1-4</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-4"/><h4 class="head4">Table 1-4. Datagram primitives</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Primitive</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Send Datagram</p>
+</td>
+<td>
+<p>Send datagram packet to computer or groups of computers.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Send Broadcast Datagram</p>
+</td>
+<td>
+<p>Broadcast datagram to any computer waiting with a Receive Broadcast
+datagram.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Receive Datagram</p>
+</td>
+<td>
+<p>Receive a datagram from a computer.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Receive Broadcast Datagram</p>
+</td>
+<td>
+<p>Wait for a Broadcast datagram.</p>
+</td>
+</tr>
+
+</table>
+
+<p>The session service is more complex. Sessions are a communication
+method that, in theory, offers the ability to detect problematic or
+inoperable connections between two NetBIOS applications. It helps to
+think of an NBT session as being similar to a telephone call, an
+analogy that obviously influenced the design of the CIFS standard.</p>
+
+<p>Once the connection is made, it remains open throughout the duration
+of the conversation, each side knows who the caller and the called
+computer are, and each can communicate with the simple primitives
+shown in <a href="ch01.html#samba2-CHP-1-TABLE-5">Table 1-5</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-5"/><h4 class="head4">Table 1-5. Session primitives</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Primitive</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Call</p>
+</td>
+<td>
+<p>Initiate a session with a computer listening under a specified name.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Listen</p>
+</td>
+<td>
+<p>Wait for a call from a known caller or any caller.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Hang-up</p>
+</td>
+<td>
+<p>Exit a call.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Send</p>
+</td>
+<td>
+<p>Send data to the other computer.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Receive</p>
+</td>
+<td>
+<p>Receive data from the other computer.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Session Status</p>
+</td>
+<td>
+<p>Get information on requested sessions.</p>
+</td>
+</tr>
+
+</table>
+
+<p>Sessions are the backbone of resource sharing on an NBT network. They
+are typically used for establishing stable connections from client
+computers to disk or printer shares on a server. The client
+&quot;calls&quot; the server and starts
+trading information such as which files it wishes to open, which data
+it wishes to exchange, etc. These calls can last a long
+time&mdash;hours, even days&mdash;and all of this occurs within the
+context of a single connection. If there is an error, the session
+software (TCP) will retransmit until the data is received properly,
+unlike the &quot;punt-and-pray&quot; approach
+of the datagram service (UDP).</p>
+
+<p>In truth, while sessions are supposed to handle problematic
+communications, they sometimes don't. If the
+connection is interrupted, session information that is open between
+the two computers might become invalid. If that happens, the only way
+to regain the session information is for the same two computers to
+call each other again and start over.</p>
+
+<p>If you want more information on each service, we recommend you look
+at RFC 1001. However, there are two important things to remember
+here:</p>
+
+<ul><li>
+<p><a name="INDEX-88"/>Sessions always
+occur between two NetBIOS computers. If a session service is
+interrupted, the client is supposed to store sufficient state
+information for it to reestablish the connection. However, in
+practice, this often does not happen.</p>
+</li><li>
+<p><a name="INDEX-89"/>Datagrams can
+be broadcast to multiple computers, but they are unreliable. In other
+words, there is no way for the source to know that the datagrams it
+sent have indeed arrived at their destinations. <a name="INDEX-90"/></p>
+</li></ul>
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-4"/>
+
+<h2 class="head1">An Introduction to the SMB Protocol</h2>
+
+<p><a name="INDEX-91"/>Now
+we're going to cover some low-level technical
+details and explore the elementals of the SMB protocol. You probably
+don't need to know much about this to implement a
+simple Samba network, and therefore you might want to skip or skim
+over this section and go on to the next one
+(&quot;Windows Workgroups and Domains&quot;)
+on your first reading. However, assuming you are going to be
+responsible for long-term maintenance of a Samba network, it will
+help if you understand how it actually works. You will more easily be
+able to diagnose and correct any odd problems that pop up.</p>
+
+<p>At a high level, the SMB protocol suite is relatively simple. It
+includes commands for all the file and print operations that you
+might perform on a local disk or printer, such as:</p>
+
+<ul><li>
+<p>Opening and closing files</p>
+</li><li>
+<p>Creating and deleting files and directories</p>
+</li><li>
+<p>Reading and writing files</p>
+</li><li>
+<p>Searching for files</p>
+</li><li>
+<p>Queueing and dequeueing files in a print spool</p>
+</li></ul>
+<p>Each operation can be encoded into an SMB message and transmitted to
+and from a server. The original name
+&quot;SMB&quot; comes from the way in which
+the commands are formatted: they are versions of the standard DOS
+system-call data structures, or <em class="firstterm">Server Message
+Blocks</em>, redesigned for transmitting to another computer
+across a network.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.1"/>
+
+<h3 class="head2">SMB Format</h3>
+
+<p>Richard <a name="INDEX-92"/>Sharpe of the Samba team defines SMB as
+a <em class="firstterm">request-response</em> protocol.<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> In effect,
+this means that a client sends an SMB request to a server and the
+server sends an SMB response back to the client. In only one rare
+circumstance does a server send a message that is not in response to
+a client.</p>
+
+<p>An <a name="INDEX-94"/>SMB message is not as complex as you
+might think. Let's take a closer look at the
+internal structure of such a message. It can be broken down into two
+parts: the <em class="firstterm">header</em>, which is a fixed size, and
+the <em class="firstterm">command string</em>, whose size can vary
+dramatically based on the contents of the message.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.1"/>
+
+<h3 class="head3">SMB header format</h3>
+
+<p><a href="ch01.html#samba2-CHP-1-TABLE-6">Table 1-6</a> shows the format of an
+<a name="INDEX-95"/>SMB header. The COM field identifies
+the command being performed. SMB commands are not required to use all
+the fields in the SMB header. For example, when a client first
+attempts to connect to a server, it does not yet have a tree
+identifier (TID) value&mdash;one is assigned after it successfully
+connects&mdash;so a null TID is placed in its header field. Other
+fields can be padded with zeros when not used.</p>
+
+<p>The <a name="INDEX-96"/>SMB header fields are listed in <a href="ch01.html#samba2-CHP-1-TABLE-6">Table 1-6</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-6"/><h4 class="head4">Table 1-6. SMB header fields</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Field</p>
+</th>
+<th>
+<p>Size (bytes)</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">0xFF 'SMB</tt>'</p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Protocol identifier</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">COM</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Command code, from 0x00 to 0xFF</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">RCLS</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Error class</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">REH</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Reserved</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ERR</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>Error code</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">REB</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Reserved</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">RES</tt></p>
+</td>
+<td>
+<p><tt class="literal">14</tt></p>
+</td>
+<td>
+<p>Reserved</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">TID</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>TID; a unique ID for a resource in use by the client</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">PID</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>Caller process ID</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">UID</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>User identifier</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">MID</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>Multiplex identifier; used to route requests inside a process</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.2"/>
+
+<h3 class="head3">SMB command format</h3>
+
+<p>Immediately after the header is a variable number of bytes that
+constitute an <a name="INDEX-97"/>SMB command or reply. Each command,
+such as Open File (COM field identifier: <tt class="literal">SMBopen</tt>)
+or Get Print Queue (<tt class="literal">SMBsplretq</tt> ), has its own set
+of parameters and data. Like the SMB header fields, not all of the
+command fields need to be filled, depending on the specific command.
+For example, the Get Server Attributes
+(<tt class="literal">SMBdskattr</tt>) command sets the WCT and BCC fields
+to zero. The fields of the command segment are shown in <a href="ch01.html#samba2-CHP-1-TABLE-7">Table 1-7</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-7"/><h4 class="head4">Table 1-7. SMB command contents</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Field</p>
+</th>
+<th>
+<p>Size (bytes)</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">WCT</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Word count</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">VWV</tt></p>
+</td>
+<td>
+<p>Variable</p>
+</td>
+<td>
+<p>Parameter words (size given by WCT)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">BCC</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>Parameter byte count</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">DATA</tt></p>
+</td>
+<td>
+<p>Variable</p>
+</td>
+<td>
+<p>Data (size given by BCC)</p>
+</td>
+</tr>
+
+</table>
+
+<p>Don't worry if you don't understand
+each field; they are not necessary for using Samba at an
+administrator level. However, they do come in handy when debugging
+system messages. We will show you some of the more common SMB
+messages that clients and servers send using a modified version of
+<em class="filename">tcpdump</em> later in this section. (If you prefer an
+<a name="INDEX-98"/><a name="INDEX-99"/>SMB sniffer with a graphical
+interface, try Ethereal, which uses the GTK libraries; see
+<a href="http://www.ethereal.com">http://www.ethereal.com</a> for more
+information on this tool.)</p>
+
+<a name="samba2-CHP-1-NOTE-84"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>For more information on each command in the
+<a name="INDEX-100"/>SMB protocol, see the
+<em class="citetitle">CIFS Technical
+Reference</em><a name="INDEX-101"/> at <a href="http://www.snia.org/tech_activities/CIFS">http://www.snia.org/tech_activities/CIFS</a>.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.3"/>
+
+<h3 class="head3">SMB variations</h3>
+
+<p>The SMB protocol has been extended with new commands several times
+since its inception. Each new version is backward-compatible with the
+previous versions, so it is possible for a LAN to have clients and
+servers concurrently running different versions of the SMB protocol.</p>
+
+<p><a href="ch01.html#samba2-CHP-1-TABLE-8">Table 1-8</a> outlines the major versions of the
+<a name="INDEX-102"/>SMB
+protocol. Within each &quot;dialect&quot; of
+SMB are many sub-versions that include commands supporting particular
+releases of major operating systems. The ID string in column 2 is
+used by clients and servers to determine in which level of the
+protocol they will speak to each other.</p>
+
+<a name="samba2-CHP-1-TABLE-8"/><h4 class="head4">Table 1-8. SMB protocol dialects</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Protocol name</p>
+</th>
+<th>
+<p>ID string</p>
+</th>
+<th>
+<p>Used by</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Core</p>
+</td>
+<td>
+<p><tt class="literal">PC NETWORK PROGRAM 1.0</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-103"/>Core Plus</p>
+</td>
+<td>
+<p><tt class="literal">MICROSOFT NETWORKS 1.03</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-104"/>LAN Manager 1.0</p>
+</td>
+<td>
+<p><tt class="literal">LANMAN1.0</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p>LAN Manager 2.0</p>
+</td>
+<td>
+<p><tt class="literal">LM1.2X002</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p>LAN Manager 2.1</p>
+</td>
+<td>
+<p><tt class="literal">LANMAN2.1</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-105"/>NT LAN
+Manager 1.0</p>
+</td>
+<td>
+<p><tt class="literal">NT LM 0.12</tt></p>
+</td>
+<td>
+<p>Windows NT 4.0</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-106"/>Samba's NT LM 0.12</p>
+</td>
+<td>
+<p><tt class="literal">Samba</tt></p>
+</td>
+<td>
+<p>Samba</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-107"/><a name="INDEX-108"/>Common
+Internet File System</p>
+</td>
+<td>
+<p><tt class="literal">CIFS 1.0</tt></p>
+</td>
+<td>
+<p>Windows 2000/XP</p>
+</td>
+</tr>
+
+</table>
+
+<p>Samba implements the NT LM 0.12 specification for NT LAN Manager 1.0.
+It is backward-compatible with all the other SMB variants. The CIFS
+specification is, in reality, LAN Manager 0.12 with a few specific
+additions.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.2"/>
+
+<h3 class="head2">SMB Clients and Servers</h3>
+
+<p><a name="INDEX-109"/><a name="INDEX-110"/>As
+mentioned earlier, SMB is a client/server protocol. In the purest
+sense, this means that a client sends a request to a server, which
+acts on the request and returns a reply. However, the client/server
+roles can often be reversed, sometimes within the context of a single
+SMB session. For example, consider the two Windows 95/98/Me computers
+in <a href="ch01.html#samba2-CHP-1-FIG-11">Figure 1-11</a>. The computer named
+<tt class="literal">maya</tt> shares a printer to the network, and the
+computer named <tt class="literal">toltec</tt> shares a disk directory.
+<tt class="literal">maya</tt> is in the client role when accessing
+<tt class="literal">toltec</tt>'s network drive and in the
+server role when printing a job for <tt class="literal">toltec</tt>.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-11"/><img src="figs/sam2_0111.gif"/></div><h4 class="head4">Figure 1-11. Two computers that both have resources to share</h4>
+
+<p>This brings out an important point in Samba terminology:</p>
+
+<ul><li>
+<p>A <em class="firstterm">server</em> is a computer with a resource to
+share.</p>
+</li><li>
+<p>A <em class="firstterm">client</em> is a computer that wishes to use that
+resource.</p>
+</li><li>
+<p>A computer can be a client, a server, or both, or it can be neither
+at any given time.</p>
+</li></ul>
+<p>Microsoft Windows products have both the SMB client and server built
+into the operating system, and it is common to find Windows acting as
+a server, client, both, or neither at any given time in a production
+network. Although Samba has been developed primarily to function as a
+server, there are also ways that it and associated software can act
+as an SMB client. As with Windows, it is even possible to set up a
+Unix system to act as an SMB client and not as a server. See <a href="ch05.html">Chapter 5</a> for more details on this topic.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.3"/>
+
+<h3 class="head2">A Simple SMB Connection</h3>
+
+<p><a name="INDEX-111"/>The client and server must complete
+three steps to establish a connection to a resource:</p>
+
+<ol><li>
+<p>Establish a NetBIOS session.</p>
+</li><li>
+<p>Negotiate the protocol variant.</p>
+</li><li>
+<p>Set session parameters, and make a tree connection to a resource.</p>
+</li></ol>
+<p>We will examine each step through the eyes of a useful tool that we
+mentioned earlier: the modified
+<em class="filename">tcpdump</em><a name="INDEX-112"/> that is
+available from the Samba web site.</p>
+
+<a name="samba2-CHP-1-NOTE-85"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>You can download the tcpdump program at <a href="http://www.samba.org">http://www.samba.org</a> in the
+<em class="filename">samba/ftp/tcpdump-smb</em> directory; the latest
+version as of this writing is 3.4-10. Use this program as you would
+use the standard <em class="filename">tcpdump</em> application, but add
+the <tt class="literal">-s 1500</tt> switch to ensure that you get the
+whole packet and not just the first few bytes.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.4"/>
+
+<h3 class="head2">Establishing a NetBIOS Session</h3>
+
+<p><a name="INDEX-113"/>When a user first makes a request
+to access a network disk or send a print job to a remote printer,
+NetBIOS takes care of making a connection at the session layer. The
+result is a bidirectional channel between the client and server. The
+client and server need only two messages to establish this
+connection. This is shown in the following example session request
+and response, as captured by <em class="filename">tcpdump</em> .</p>
+
+<p>First, the client sends a request to open a session, and
+<em class="filename">tcpdump </em><a name="INDEX-114"/>reports:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Request
+Flags=0x81000044
+Destination=TOLTEC      NameType=0x20 (Server)
+Source=MAYA             NameType=0x00 (Workstation)</pre></blockquote>
+
+<p>Then the server responds, granting a session to the client:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Granted
+Flags=0x82000000</pre></blockquote>
+
+<p>At this point, there is an open channel between the client and server.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.5"/>
+
+<h3 class="head2">Negotiating the Protocol Variant</h3>
+
+<p>Next, the client sends a message to the server to negotiate an
+<a name="INDEX-115"/>SMB protocol. As mentioned
+earlier, the client sets its <a name="INDEX-116"/>tree identifier (TID) field to
+zero, because it does not yet know what TID to use. A <em class="emphasis">tree
+identifier</em> is a number that represents a connection to a
+share on a server.</p>
+
+<p>The command in the message is <tt class="literal">SMBnegprot</tt>, a
+request to negotiate a protocol variant that will be used for the
+entire session. Note that the client sends to the server a list of
+all the variants that it can speak, not vice versa:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Packet
+Flags=0x0
+Length=154
+
+SMB PACKET: SMBnegprot (REQUEST)
+SMB Command   =  0x72
+Error class   =  0x0
+Error code    =  0
+Flags1        =  0x0
+Flags2        =  0x0
+Tree ID       =  0
+Proc ID       =  5315
+UID           =  0
+MID           =  257
+Word Count    =  0
+Dialect=PC NETWORK PROGRAM 1.0
+Dialect=MICROSOFT NETWORKS 3.0
+Dialect=DOS LM1.2X002
+Dialect=DOS LANMAN2.1
+Dialect=Windows for Workgroups 3.1a
+Dialect=NT LM 0.12</pre></blockquote>
+
+<p>The server responds to the
+<tt class="literal">SMBnegprot</tt><a name="INDEX-117"/> request with an index (with counting
+starting at 0) into the list of variants that the client offered, or
+with the value 0xFF if none of the protocol variants is acceptable:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Packet
+Flags=0x0
+Length=84
+
+SMB PACKET: SMBnegprot (REPLY)
+SMB Command   =  0x72
+Error class   =  0x0
+Error code    =  0
+Flags1        =  0x80
+Flags2        =  0x1
+Tree ID       =  0
+Proc ID       =  5315
+UID           =  0
+MID           =  257
+Word Count    =  17
+NT1 Protocol
+DialectIndex=5
+[...]</pre></blockquote>
+
+<p>In this example, the server responds with the value 5, which
+indicates that the <tt class="literal">NT</tt> <tt class="literal">LM</tt>
+<tt class="literal">0.12</tt> dialect will be used for the remainder of the
+session.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.6"/>
+
+<h3 class="head2">Set Session and Login Parameters</h3>
+
+<p><a name="INDEX-118"/><a name="INDEX-119"/>The next step is to transmit session and
+login parameters for the session, which you do using the
+<a name="INDEX-120"/><tt class="literal">SMBSesssetupX</tt>
+command. The parameters include the following:</p>
+
+<ul><li>
+<p>The account name and password (if there is one)</p>
+</li><li>
+<p>The workgroup name</p>
+</li><li>
+<p>The maximum size of data that can be transferred</p>
+</li><li>
+<p>The number of pending requests that can be in the queue at a time</p>
+</li></ul>
+<p>The resulting output from <em class="filename">tcpdump </em>is:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Packet
+Flags=0x0
+Length=150
+
+SMB PACKET: SMBsesssetupX (REQUEST)
+SMB Command   =  0x73
+Error class   =  0x0
+Error code    =  0
+Flags1        =  0x10
+Flags2        =  0x0
+Tree ID       =  0
+Proc ID       =  5315
+UID           =  1
+MID           =  257
+Word Count    =  13
+Com2=0x75
+Res1=0x0
+Off2=120
+MaxBuffer=2920
+MaxMpx=50
+VcNumber=0
+SessionKey=0x1380
+CaseInsensitivePasswordLength=24
+CaseSensitivePasswordLength=0
+Res=0x0
+Capabilities=0x1
+Pass1&amp;Pass2&amp;Account&amp;Domain&amp;OS&amp;LanMan=  
+  JAY METRAN Windows 4.0 Windows 4.0
+
+SMB PACKET: SMBtconX (REQUEST) (CHAINED)
+smbvwv[]=
+Com2=0xFF
+Off2=0
+Flags=0x2
+PassLen=1
+Passwd&amp;Path&amp;Device=
+smb_bcc=23
+smb_buf[]=\\TOLTEC\SPIRIT</pre></blockquote>
+
+<p>In this example, the <tt class="literal">SMBsesssetupX</tt> Session Setup
+command allows for an additional SMB command to be piggybacked onto
+it (indicated by the letter X at the end of the command name). The
+hexadecimal code of the second command is given in the
+<tt class="literal">Com2</tt> field. In this case the command is
+<tt class="literal">0x75</tt>, which is the <tt class="literal">SMBtconX</tt>
+<tt class="literal">(</tt>Tree Connect and X) command. The
+<tt class="literal">SMBtconX</tt><a name="INDEX-121"/> message looks for the name of the
+resource in the <em class="emphasis">smb_buf</em> buffer. In this example,
+<em class="emphasis">smb_buf</em> contains the string
+<tt class="literal">\\TOLTEC\SPIRIT</tt>, which is the full pathname to a
+shared directory on <tt class="literal">toltec</tt>. Using the
+&quot;and X&quot; commands like this speeds
+up each transaction because the server doesn't have
+to wait on the client to make a second request.</p>
+
+<p>Note that the TID is still zero. Finally, the server returns a TID to
+the client, indicating that the user has been authorized access and
+that the resource is ready to be used:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Packet
+Flags=0x0
+Length=85
+
+SMB PACKET: SMBsesssetupX (REPLY)
+SMB Command   =  0x73
+Error class   =  0x0
+Error code    =  0
+Flags1        =  0x80
+Flags2        =  0x1
+Tree ID       =  1
+Proc ID       =  5315
+UID           =  100
+MID           =  257
+Word Count    =  3
+Com2=0x75
+Off2=68
+Action=0x1
+[000] Unix Samba 2.2.6
+[010] METRAN
+
+SMB PACKET: SMBtconX (REPLY) (CHAINED)
+smbvwv[]=
+Com2=0xFF
+Off2=0
+smbbuf[]=
+ServiceType=A:</pre></blockquote>
+
+<p>The <em class="emphasis">ServiceType</em> field is set to
+&quot;A&quot; to indicate that this is a file
+service. Available service types are:</p>
+
+<ul><li>
+<p>&quot;A&quot; for a disk or file</p>
+</li><li>
+<p>&quot;LPT1&quot; for a spooled output</p>
+</li><li>
+<p>&quot;COMM&quot; for a direct-connect printer
+or modem</p>
+</li><li>
+<p>&quot;IPC&quot; for a named pipe</p>
+</li></ul>
+<p>Now that a TID has been assigned, the client can use it as a handle
+to perform any operation that it would use on a local disk drive. It
+can open files, read and write to them, delete them, create new
+files, search for filenames, and so on. <a name="INDEX-122"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-5"/>
+
+<h2 class="head1">Windows Workgroups and Domains</h2>
+
+<p>Up to now, we've covered basic SMB technology, which
+is all you would need if you had nothing more advanced than MS-DOS
+clients on your network. We do assume you want to support Windows
+clients, especially the more recent versions, so next
+we'll describe the enhancements Microsoft has added
+to SMB networking&mdash;namely, Windows for Workgroups and Windows
+domains.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-5.1"/>
+
+<h3 class="head2">Windows Workgroups</h3>
+
+<p><a name="INDEX-123"/><a name="INDEX-124"/>Windows
+Workgroups are very similar to the SMB groups already described. You
+need to know just a few additional things.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.1"/>
+
+<h3 class="head3">Browsing</h3>
+
+<p><a name="INDEX-125"/>Browsing
+is the process of finding the other computers and shared resources in
+the Windows network. Note that there is no connection with a World
+Wide Web browser, apart from the general idea of
+&quot;discovering what's
+there.&quot; On the other hand, browsing the Windows
+network is like the Web in that what's out there can
+change without warning.</p>
+
+<p>Before browsing existed, users had to know the name of the computer
+they wanted to connect to on the network and then manually enter a
+UNC such as the following into an application or file manager to
+access resources:</p>
+
+<blockquote><pre class="code">\\toltec\spirit\</pre></blockquote>
+
+<p>Browsing is much more convenient, making it possible to examine the
+contents of a network by using the point-and-click GUI interface of
+the Network Neighborhood (or My Network Places<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a>) on a Windows client.</p>
+
+<p>You will encounter two types of browsing in an SMB network:</p>
+
+<ul><li>
+<p><a name="INDEX-129"/>Browsing a list
+of computers and shared resources</p>
+</li><li>
+<p><a name="INDEX-130"/>Browsing the shared resource
+of a specific computer</p>
+</li></ul>
+<p>Let's look at the first one. On each LAN (or subnet)
+with a Windows workgroup or domain, one computer has the
+responsibility of maintaining a list of the computers that are
+currently accessible through the network. This computer is called the
+<em class="firstterm">local master
+browser</em><a name="INDEX-131"/><a name="INDEX-132"/>, and the list that it maintains is
+called the <em class="firstterm">browse
+list</em><a name="INDEX-133"/>. Computers on a subnet use the browse
+list to cut down on the amount of network traffic generated while
+browsing. Instead of each computer dynamically polling to determine a
+list of the currently available computers, the computer can simply
+query the local master browser to obtain a complete, up-to-date list.</p>
+
+<p>To browse the resources on a computer, a user must connect to the
+specific computer; this information cannot be obtained from the
+browse list. Browsing the list of resources on a computer can be done
+by double-clicking the computer's icon when it is
+presented in the Network Neighborhood. As you saw at the opening of
+the chapter, the computer will respond with a list of shared
+resources that can be accessed after the user is successfully
+authenticated.</p>
+
+<p>Each server on a Windows workgroup is required to announce its
+presence to the local master browser after it has registered a
+NetBIOS name, and (theoretically) announce that it is leaving the
+workgroup when it is shut down. It is the local master
+browser's responsibility to record what the servers
+have announced.</p>
+<a name="samba2-CHP-1-NOTE-86"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>The Windows <a name="INDEX-134"/>Network Neighborhood can behave
+oddly: until you select a particular computer to browse, the Network
+Neighborhood window might contain data that is not up-to-date. That
+means the Network Neighborhood window can be showing computers that
+have crashed or can be missing computers that
+haven't been noticed yet. Put succinctly, once
+you've selected a server and connected to it, you
+can be a lot more confident that the shares and printers really exist
+on the network.</p>
+</blockquote>
+
+<p>Unlike the roles you've seen earlier, almost any
+Windows system (including Windows for Workgroups and Windows 95/98/Me
+or NT/2000/XP) can act as a local master browser. The local master
+browser can have one or more
+<em class="firstterm"/><a name="INDEX-135"/><a name="INDEX-136"/>backup 
+browsers</em> on the local subnet
+that will take over in the event that the local master browser fails
+or becomes inaccessible. To ensure fluid operation, the local backup
+browsers will frequently synchronize their browse list with the local
+master browser.</p>
+
+<p>Here is how to calculate the minimum number of backup browsers that
+will be allocated on a workgroup:</p>
+
+<ul><li>
+<p>If up to 32 Windows NT/2000/XP workstations are on the network, or up
+to 16 Windows 95/98/Me computers are on the network, the local master
+browser allocates one backup browser in addition to the local master
+browser.</p>
+</li><li>
+<p>If the number of Windows NT/2000/XP workstations falls between 33 and
+64, or the number of Windows 95/98/Me workstations falls between 17
+and 32, the local master browser allocates two backup browsers.</p>
+</li><li>
+<p>For each group of 32 NT/2000/XP workstations or 16 Windows 95/98/Me
+computers beyond this, the local master browser allocates another
+backup browser.</p>
+</li></ul>
+<p>There is currently no upper limit on the number of backup browsers
+that can be allocated by the local master browser.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.2"/>
+
+<h3 class="head3">Browsing elections</h3>
+
+<p><a name="INDEX-137"/>Browsing
+is a critical aspect of any Windows workgroup. However, not
+everything runs perfectly on any network. For example,
+let's say that a computer running Windows on the
+desk of a small company's CEO is the local master
+browser&mdash;that is, until he switches it off while plugging in his
+massage chair. At this point the Windows NT Workstation in the spare
+parts department might agree to take over the job. However, that
+computer is currently running a large, poorly written program that
+has brought its processor to its knees. The moral: browsing has to be
+very tolerant of servers coming and going. Because nearly every
+Windows system can serve as a browser, there has to be a way of
+deciding at any time who will take on the job. This decision-making
+process is called an <em class="firstterm">election</em>.</p>
+
+<p>An election algorithm is built into nearly all Windows operating
+systems such that they can each agree who is going to be a local
+master browser and who will be local backup browsers. An election can
+be forced at any time. For example, let's assume
+that the CEO has finished his massage and reboots his server. As the
+server comes online, it will announce its presence, and an election
+will take place to see if the PC in the spare parts department should
+still be the master browser.</p>
+
+<p>When an election is performed, each computer broadcasts information
+about itself via datagrams. This information includes the following:</p>
+
+<ul><li>
+<p>The version of the election protocol used</p>
+</li><li>
+<p>The operating system on the computer</p>
+</li><li>
+<p>The amount of time the client has been on the network</p>
+</li><li>
+<p>The hostname of the client</p>
+</li></ul>
+<p>These values determine which operating system has seniority and will
+fulfill the role of the local master browser. (<a href="ch07.html">Chapter 7</a> describes the election process in more
+detail.) The architecture developed to achieve this is not elegant
+and has built-in security problems. While a browsing domain can be
+integrated with domain security, the election algorithm does not take
+into consideration which computers become browsers. Thus it is
+possible for any computer running a browser service to register
+itself as participating in the browsing election and (after winning)
+being able to change the browse list. Nevertheless, browsing is a key
+feature of Windows networking, and backward-compatibility
+requirements will ensure that it is in use for years to come.
+<a name="INDEX-138"/></p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.3"/>
+
+<h3 class="head3">Windows 95/98/Me authentication</h3>
+
+<p>Three types of passwords arise when
+<a name="INDEX-139"/><a name="INDEX-140"/>Windows
+95/98/Me is operating in a Windows workgroup:</p>
+
+<ul><li>
+<p>A Windows password</p>
+</li><li>
+<p>A Windows Networking password</p>
+</li><li>
+<p>A password for each shared resource that has been assigned password
+protection</p>
+</li></ul>
+<p>The Windows <a name="INDEX-141"/>password functions in a manner
+that might be a source of confusion for Unix system administrators.
+It is not there to prevent unauthorized users from using the
+computer. (If you don't believe that, try clicking
+the Cancel button on the password dialog box and see what happens!)
+Instead, the Windows password is used to gain access to a file that
+contains the Windows Networking and network resource passwords. There
+is one such file per registered user of the system, and they can be
+found in the <em class="filename">C:\Windows</em> directory with a name
+composed of the user's account name, followed by a
+<em class="filename">.pwl</em><a name="INDEX-142"/><a name="INDEX-143"/><a name="INDEX-144"/> extension. For example, if the
+user's account name is
+&quot;sarah,&quot; the file will be
+<em class="filename">C:\Windows\sarah.pwl</em>. This file is encrypted
+using the Windows password as the encryption key.</p>
+
+<a name="samba2-CHP-1-NOTE-87"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>As a security measure, you might want to check for junk
+<em class="filename">.pwl</em> files on Windows 95/98/Me clients, which
+might have been created by mistakes users made while attempting to
+log on. A <em class="filename">.pwl</em> file is easily cracked and can
+contain valid passwords for Samba accounts and network shares.</p>
+</blockquote>
+
+<p>The first time the network is accessed, Windows attempts to use the
+Windows password as the Windows Networking password. If this is
+successful, the user will not be prompted for two separate passwords,
+and subsequent logins to the Windows system will automatically result
+in logging on to the Windows network as well, making things much
+simpler for the user.</p>
+
+<p>Shared network resources in the workgroup can also have passwords
+assigned to them to limit their accessibility. The first time a user
+attempts to access the resource, she is asked for its password, and a
+checkbox in the password dialog box gives the user the option to add
+the password to her password list. This is the default; if it is
+accepted, Windows will store the password in the
+user's <em class="filename">.pwl</em> file, and all
+further authentication to the resource will be handled automatically
+by Windows.</p>
+
+<p>Samba's approach to workgroup authentication is a
+little different, which is a result of blending the Windows workgroup
+model with that of the Unix host upon which Samba runs. This will be
+discussed further in <a href="ch09.html">Chapter 9</a>. <a name="INDEX-145"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-5.2"/>
+
+<h3 class="head2">Windows NT Domains</h3>
+
+<p><a name="INDEX-146"/>The
+peer-to-peer networking model of
+<a name="INDEX-147"/>workgroups functions fairly well as long as
+the number of computers on the network is small and there is a
+close-knit community of users. However, in larger networks the
+simplicity of workgroups becomes a limiting factor. Workgroups offer
+only the most basic level of security, and because each resource can
+have its own password, it is inconvenient (to say the least) for
+users to remember the password for each resource in a large network.
+Even if that were not a problem, many people find it frustrating to
+have to interrupt their creative workflow to enter a shared password
+into a dialog box every time another network resource is accessed.</p>
+
+<p>To support the needs of larger networks, such as those found in
+departmental computing environments, Microsoft introduced domains
+with Windows NT 3.51. A <em class="firstterm">Windows NT domain</em> is
+essentially a workgroup of SMB computers that has one addition: a
+server acting as a <em class="firstterm">domain
+controller</em><a name="INDEX-148"/> (see <a href="ch01.html#samba2-CHP-1-FIG-12">Figure 1-12</a>).</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-12"/><img src="figs/sam2_0112.gif"/></div><h4 class="head4">Figure 1-12. A simple Windows domain</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.1"/>
+
+<h3 class="head3">Domain controllers</h3>
+
+<p>A domain controller in a Windows NT domain functions much like a
+<a name="INDEX-149"/><a name="INDEX-150"/>Network
+Information Service (NIS) server in a Unix network, maintaining a
+domain-wide database of user and group information, as well as
+performing related services. The responsibilities of a domain
+controller are mainly centered around security, including
+<em class="firstterm">authentication</em><a name="INDEX-151"/>,
+the process of granting or denying a user access to the resources of
+the domain. This is typically done through the use of a username and
+password. The service that maintains the database on the domain
+controllers is called the <a name="INDEX-152"/><a name="INDEX-153"/>Security Account Manager (SAM).</p>
+
+<p>The <a name="INDEX-154"/>Windows NT security model revolves
+around <em class="firstterm">security
+identifiers</em><a name="INDEX-155"/><a name="INDEX-156"/> (SIDs) and <em class="firstterm">access
+control lists</em><a name="INDEX-157"/><a name="INDEX-158"/>
+(ACLs). Security identifiers are used to represent objects in the
+domain, which include (but are not limited to) users, groups,
+computers, and processes. SIDs are commonly written in ASCII form as
+hyphen-separated fields, like this:</p>
+
+<blockquote><pre class="code">S-1-5-21-1638239387-7675610646-9254035128-545</pre></blockquote>
+
+<p>The part of the SID starting with the
+&quot;S&quot; and leading up to the rightmost
+hyphen identifies a domain. The number after the rightmost hyphen is
+called a <a name="INDEX-159"/>relative identifier (RID) and is a unique
+number within the domain that identifies the user, group, computer,
+or other object. The RID is the analog of a <a name="INDEX-160"/>user ID (UID) or
+<a name="INDEX-161"/>group ID
+(GID) on a Unix system or within an NIS domain.</p>
+
+<p>ACLs supply the same function as
+&quot;rwx&quot;
+<a name="INDEX-162"/><a name="INDEX-163"/><a name="INDEX-164"/><a name="INDEX-165"/><a name="INDEX-166"/>file permissions that are common in Unix
+systems. However, ACLs are more versatile. Unix file permissions only
+set permissions for the owner and group to which the file belongs,
+and &quot;other,&quot; meaning everyone else.
+Windows NT/2000/XP ACLs allow permissions to be set individually for
+any number of arbitrary users and/or groups. ACLs are made up of one
+or more <em class="firstterm">access control
+entries</em><a name="INDEX-167"/> (ACEs), each of which contains an SID
+and the access rights associated with it.</p>
+
+<p>ACL support has been added as a standard feature for some Unix
+variants and is available as an add-on for others. Samba supports
+mappings between Windows and Unix ACLs, and this will be covered in
+<a href="ch08.html">Chapter 8</a>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.2"/>
+
+<h3 class="head3">Primary and backup domain controllers</h3>
+
+<p>You've already read about master and backup
+browsers. Domain controllers are similar in that a domain has a
+<em class="firstterm">primary domain
+controller</em><a name="INDEX-168"/><a name="INDEX-169"/><a name="INDEX-170"/> (PDC) and can have
+one or more <em class="firstterm">backup domain
+controllers</em><a name="INDEX-171"/> (BDCs) as well. If the PDC fails or
+becomes inaccessible, its duties are automatically taken over by one
+of the BDCs. BDCs frequently synchronize their SAM data with the PDC
+so if the need arises, any one of them can immediately begin
+performing domain-controller services without impacting the clients.
+However, note that BDCs have read-only copies of the SAM database;
+they can update their data only by synchronizing with a PDC. A server
+in a Windows domain can use the SAM of any PDC or BDC to authenticate
+a user who attempts to access its resources and log on to the domain.</p>
+
+<p>All recent versions of Windows can log on to a domain as clients to
+access the resources of the domain servers. The systems that are
+considered members of the domain are a more exclusive class, composed
+of the PDC and BDCs, as well as domain member servers, which are
+systems that have joined a domain as members, and are known to the
+domain controllers by having a computer account in the SAM database.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.3"/>
+
+<h3 class="head3">Authentication</h3>
+
+<p><a name="INDEX-172"/>When
+a user logs on to a Windows domain by typing in a username and
+password, a secure challenge and response protocol is invoked between
+the client computer and a domain controller to verify that the
+username and password are valid. Then the domain controller sends a
+SID back to the client, which uses it to create a
+<a name="INDEX-173"/>Security Access Token (SAT) that is valid
+only for that system, to be used for further authentication. This
+access token has information about the user coded into it, including
+the username, the group, and the rights the user has within the
+domain. At this point, the user is logged on to the domain.</p>
+
+<p>Subsequently, when the client attempts to access a shared resource
+within the domain, the client system enters into a secure challenge
+and response exchange with the server of the resource. The server
+then enters into another secure challenge and response conversation
+with a domain controller to check that the client is valid. (What
+actually happens is that the server uses information it gets from the
+client to pretend to be the client and authenticate itself with the
+domain controller. If the domain controller validates the
+credentials, it sends an SID back to the server, which uses the SID
+to create its own SAT for the client to enable access to its local
+resources on the client's behalf.) At this point,
+the client is authenticated for resources on the server and is
+allowed to access them. The server then uses the SID in the access
+token to determine what permissions the client has to use and modify
+the requested resource by comparing them to entries in the ACL of the
+resource.</p>
+
+<p>Although this method of authentication might seem overly complicated,
+it allows clients to authenticate without having plain-text passwords
+travel through the network, and it is much more difficult to crack
+than the relatively weak workgroup security we described earlier.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.4"/>
+
+<h3 class="head3">Name service with WINS and DNS</h3>
+
+<p>The <a name="INDEX-174"/><a name="INDEX-175"/>Windows
+Internet Name Service (WINS) is Microsoft's
+implementation of a NetBIOS name server (NBNS). As such, WINS
+inherits much of NetBIOS's characteristics. First,
+WINS is flat; you can have only simple machine names such as
+<tt class="literal">inca</tt>, <tt class="literal">mixtec</tt>, or
+<tt class="literal">navaho</tt>, and workgroups such as PERU, MEXICO, or
+USA. In addition, WINS is dynamic: when a client first comes online,
+it is required to report its hostname, its address, and its workgroup
+to the local WINS server. This WINS server will retain the
+information so long as the client periodically refreshes its WINS
+registration, which indicates that it's still
+connected to the network. Note that WINS servers are not workgroup-
+or domain-specific; they can contain information for multiple domains
+and/or workgroups, which might exist on more than one subnet.</p>
+
+<p>Multiple <a name="INDEX-176"/>WINS
+servers can be set to synchronize with each other. This allows
+entries for computers that come online and go offline in the network
+to propagate from one WINS server to another. While in theory this
+seems efficient, it can quickly become cumbersome if several WINS
+servers are covering a network. Because WINS services can cross
+multiple subnets (you'll either hardcode the address
+of a WINS server in each of your clients or obtain it via DHCP), it
+is often more efficient to have each Windows client, regardless of
+the number of Windows domains, point themselves to the same WINS
+server. That way, only one authoritative WINS server will have the
+correct information, instead of several WINS servers continually
+struggling to synchronize themselves with the most recent changes.</p>
+
+<p>The currently active WINS server is known as the <em class="firstterm">primary
+WINS server</em><a name="INDEX-177"/><a name="INDEX-178"/>. You can also install a secondary WINS
+server, which will take over if the primary WINS server fails or
+becomes inaccessible. Both the primary and any other WINS servers
+will synchronize their address databases on a periodic basis.</p>
+
+<p>In the Windows family of operating systems, only a server edition of
+Windows NT/2000 can act as a WINS server. Samba 2.2 can function as a
+primary WINS server, but cannot <a name="INDEX-179"/><a name="INDEX-180"/>synchronize
+its database with other WINS servers. It therefore cannot act as a
+secondary WINS server or as a primary WINS server for a Windows
+secondary WINS server.</p>
+
+<p>WINS handles name service by default, although Microsoft added DNS
+starting with Windows NT 4 Server. It is compatible with DNS that is
+standard on virtually every Unix system, and a Unix server (such as
+the Samba host) can also be used for DNS.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.5"/>
+
+<h3 class="head3">Trust relationships</h3>
+
+<p>One additional aspect of Windows NT domains not yet supported in
+Samba 2.2 is that it is possible to set up a <em class="emphasis">trust
+relationship</em><a name="INDEX-181"/><a name="INDEX-182"/><a name="INDEX-183"/> between domains, allowing clients
+within one domain to access the resources within another without the
+user having to go through additional authentication. The protocol
+that is followed is called <em class="emphasis">pass-through authentication</em>,
+<a name="INDEX-184"/><a name="INDEX-185"/>in which the
+user's credentials are passed from the client system
+in the first domain to the server in the second domain, which
+consults a domain controller in the first (trusted) domain to check
+that the user is valid before granting access to the resource.</p>
+
+<p>Note that in many aspects, the behaviors of a Windows workgroup and a
+Windows NT domain overlap. For example, the master and backup
+browsers in a domain are always the PDC and BDC, respectively.
+Let's update our Windows domain diagram to include
+both a local master and local backup browser. The result is shown in
+<a href="ch01.html#samba2-CHP-1-FIG-13">Figure 1-13</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-13"/><a name="INDEX-186"/><img src="figs/sam2_0113.gif"/></div><h4 class="head4">Figure 1-13. A Windows domain with a local master and local backup browser</h4>
+
+<p>The similarity between workgroups and NT domains is not accidental
+because the concept of Windows domains did not evolve until Windows
+NT 3.5 was introduced, and Windows domains were forced to remain
+backward-compatible with the workgroups present in Windows for
+Workgroups.</p>
+
+<p>Samba can function as a primary domain controller for Windows
+95/98/Me and Windows NT/2000/XP clients with the limitation that it
+can act as a PDC only, and not as a BDC.</p>
+
+<p>Samba can also function as a <em class="firstterm">domain member
+server</em><a name="INDEX-187"/><a name="INDEX-188"/>, meaning that it has a computer account
+in the PDC's account database and is therefore
+recognized as being part of the domain. A domain member server does
+not authenticate users logging on to the domain, but still handles
+security functions (such as file permissions) for domain users
+accessing its resources.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-5.3"/>
+
+<h3 class="head2">Active Directory Domains</h3>
+
+<p>Starting with Windows 2000, Microsoft has introduced
+<a name="INDEX-189"/><a name="INDEX-190"/>Active
+Directory, the next step beyond Windows NT domains. We
+won't go into much detail concerning Active
+Directory because it is a huge topic. <a name="INDEX-191"/>Samba 2.2 doesn't
+support Active Directory at all, and support in Samba 3.0 is limited
+to acting as a client. For now, be aware that with Active Directory,
+the authentication model is centered around
+<a name="INDEX-192"/>Lightweight Directory
+Access Protocol (LDAP), and name service is provided by DNS instead
+of WINS. Domains in Active Directory can be organized in a
+hierarchical tree structure, in which each domain controller operates
+as a peer, with no distinction between primary and backup controllers
+as in Windows NT domains.</p>
+
+<p>Windows 2000/XP systems can be set up as simple workgroup or Windows
+NT domain clients (which will function with Samba). The server
+editions of Windows 2000 can be set up to run Active Directory and
+support Windows NT domains for backward compatibility
+(<em class="firstterm">mixed mode</em>). In this case, Samba 2.2 works
+with Windows 2000 servers in the same way it works with Windows NT
+4.0 servers. When set up to operate in <em class="firstterm">native mode,
+</em><a name="INDEX-193"/>Windows 2000 servers support only
+Active Directory. Even so, <a name="INDEX-194"/>Samba 2.2 can operate as a server
+in a domain hosted by a native-mode Windows 2000 server, using the
+<a name="INDEX-195"/>Windows 2000 server's
+<em class="firstterm">PDC emulation mode</em>. However, it is not
+possible for Samba 2.2 or 3.0 to operate as a domain controller in a
+Windows 2000 Active Directory domain.</p>
+
+<p>If you want to know more about Active Directory, we encourage you to
+obtain a copy of the O'Reilly book,
+<em class="emphasis">Windows 2000 Active Directory</em>. <a name="INDEX-196"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-5.4"/>
+
+<h3 class="head2">Can a Windows Workgroup Span Multiple Subnets?</h3>
+
+<p><a name="INDEX-197"/><a name="INDEX-198"/>Yes, but most people who have
+done it have had their share of headaches. Spanning multiple subnets
+was not part of the initial design of Windows NT 3.5 or Windows for
+Workgroups. As a result, a Windows domain that spans two or more
+subnets is, in reality, the
+&quot;gluing&quot; together of two or more
+workgroups that share an identical name. The good news is that you
+can still use a PDC to control authentication across each subnet. The
+bad news is that things are not as simple with browsing.</p>
+
+<p>As mentioned previously, each subnet must have its own local master
+browser. When a Windows domain spans multiple subnets, a system
+administrator will have to assign one of the computers as the
+<em class="firstterm">domain master
+browser</em><a name="INDEX-199"/><a name="INDEX-200"/>. The domain master browser will keep a
+browse list for the entire Windows domain. This browse list is
+created by periodically synchronizing the browse lists of each local
+master browser with the browse list of the domain master browser.
+After the synchronization, the local master browser and the domain
+master browser should contain identical entries. See <a href="ch01.html#samba2-CHP-1-FIG-14">Figure 1-14</a> for an illustration.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-14"/><img src="figs/sam2_0114.gif"/></div><h4 class="head4">Figure 1-14. A workgroup that spans more than one subnet</h4>
+
+<p>Sound good? <a name="INDEX-201"/>Well, it's not quite
+nirvana for the following reasons:</p>
+
+<ul><li>
+<p>If it exists, a PDC always plays the role of the domain master
+browser. By Microsoft design, the two always share the NetBIOS
+resource type <tt class="literal">&lt;1B&gt;</tt> and (unfortunately)
+cannot be separated.</p>
+</li><li>
+<p>Windows 95/98/Me computers cannot become <em class="emphasis">or</em>
+<em class="emphasis">even contact</em> a domain master browser. This means
+that it is necessary to have at least one Windows NT/2000/XP system
+(or Samba server) on each subnet of a multisubnet workgroup.</p>
+</li></ul>
+<p>Each subnet's local master browser continues to
+maintain the browse list for its subnet, for which it becomes
+authoritative. So if a computer wants to see a list of servers within
+its own subnet, the local master browser of that subnet will be
+queried. If a computer wants to see a list of servers outside the
+subnet, it can still go only as far as the local master browser. This
+works because at appointed intervals, the authoritative browse list
+of a subnet's local master browser is synchronized
+with the domain master browser, which is synchronized with the local
+master browser of the other subnets in the domain. This is called
+<em class="firstterm">browse list propagation</em>.</p>
+
+<p>Samba can act as a domain master browser in a Windows NT domain, or
+it can act as a local master browser for a subnet, synchronizing its
+browse list with the domain master browser.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-6"/>
+
+<h2 class="head1">What's New in Samba 2.2?</h2>
+
+<p><a name="INDEX-202"/><a name="INDEX-203"/>In
+Version 2.2, Samba has more advanced support for Windows networking,
+including the ability to perform the more important tasks necessary
+for acting in a Windows NT domain. In addition, Samba 2.2 has some
+support for technologies that Microsoft introduced in Windows 2000,
+although the Samba team has saved Active Directory support for
+Version 3.0.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.1"/>
+
+<h3 class="head2">PDC Support for Windows 2000/XP Clients</h3>
+
+<p>Samba previously could act as a PDC to authenticate Windows 95/98/Me
+and Windows NT 4 systems. This functionality has been extended in
+Release 2.2 to include Windows 2000 and Windows XP. Thus, it is
+possible to have a Samba server supporting domain logons for a
+network of Windows clients, including the most recent releases from
+Microsoft. This can result in a very stable, high-performance, and
+more secure network, and gives you the added benefit of not having to
+purchase per-seat Windows CALs from Microsoft.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.2"/>
+
+<h3 class="head2">Microsoft Dfs Support</h3>
+
+<p><a name="INDEX-204"/>Microsoft Dfs allows shared resources that
+are dispersed among a number of servers in the network to be gathered
+together and appear to users as if they all exist in a single
+directory tree on one server. This method of organization makes life
+much simpler for users. Instead of having to browse around the
+network on a treasure hunt to locate the resource they want to use,
+they can go directly to the Dfs server and grab what they want. Samba
+2.2 offers support for serving Dfs, so a Windows server is no longer
+needed for this purpose.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.3"/>
+
+<h3 class="head2">Windows NT/2000/XP Printing Support</h3>
+
+<p>Windows NT/2000/XP has a different Remote Procedure Call (RPC)-based
+printer interface than Windows 95/98/Me does. In Samba 2.2, the
+Windows NT/2000/XP interface is supported. Along with this, the Samba
+team has been adding support for automatically downloading the
+printer driver from the Samba server while adding a new printer to a
+Windows client.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.4"/>
+
+<h3 class="head2">ACLs</h3>
+
+<p>Samba now supports
+<a name="INDEX-205"/>ACLs on its Unix host for Unix variants
+that support them. The list includes Solaris 2.6, 7, and 8, Irix,
+AIX, Linux (with either the ACL patch for the
+<a name="INDEX-206"/>ext2/ext3 filesystem from <a href="http://acl.bestbits.at">http://acl.bestbits.at</a> or when using the
+<a name="INDEX-207"/>XFS
+filesystem), and FreeBSD (Version 5.0 and later). When using ACL
+support, Samba translates between Unix ACLs and Windows NT/2000/XP
+ACLs, making the Samba host look and act more like a Windows
+NT/2000/XP server from the point of view of Windows clients.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.5"/>
+
+<h3 class="head2">Support for Windows Client Administration Tools</h3>
+
+<p>Windows comes with tools that can be used from a client to manage
+shared resources remotely on a Windows server. Samba 2.2 allows these
+tools to operate on shares on the Samba server as well.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.6"/>
+
+<h3 class="head2">Integration with Winbind</h3>
+
+<p><a name="INDEX-208"/>Winbind is a
+facility that allows users whose account information is stored in a
+Windows domain database to authenticate on a Unix system. The result
+is a unified logon environment, in which a user account can be kept
+on either the Unix system or a Windows NT/2000 domain controller.
+This greatly facilitates account management because administrators no
+longer need to keep the two systems synchronized, and it is possible
+for users whose accounts are held in a Windows domain to authenticate
+when accessing Samba shares.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.7"/>
+
+<h3 class="head2">Unix CIFS Extensions</h3>
+
+<p>The <a name="INDEX-209"/><a name="INDEX-210"/>Unix CIFS extensions were developed
+at Hewlett-Packard and introduced in Samba 2.2.4. They allow Samba
+servers to support Unix filesystem attributes, such as links and
+permissions, when sharing files with other Unix systems. This allows
+Samba to be used as an alternative to network file sharing (NFS) for
+Unix-to-Unix file sharing. An advantage of using Samba is that it
+authenticates individual users, whereas NFS authenticates only
+clients (based on their IP addresses, which is a poor security
+model). This gives Samba an edge in the area of security, along with
+its much greater configurability. See <a href="ch05.html">Chapter 5</a>
+for information on how to operate Unix systems as Samba clients.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.8"/>
+
+<h3 class="head2">And More...</h3>
+
+<p>As usual, the code has numerous improvements that do not show up at
+the administrative level in an immediate or obvious way. Samba now
+functions better on systems that employ <a name="INDEX-211"/>PAM
+(Pluggable Authentication Modules), and there is new support for
+profiling. Samba's support for oplocks has been
+strengthened, offering better integration with NFS server-terminated
+leases (currently on Irix and Linux only) and in the local filesystem
+with SMB locks mapped to POSIX locks (which is dependent on each Unix
+variant's implementation of POSIX locks). And of
+course there have been the usual bug fixes.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-7"/>
+
+<h2 class="head1">What's New in Samba 3.0?</h2>
+
+<p>The main distinguishing feature of <a name="INDEX-212"/><a name="INDEX-213"/>Samba 3.0
+is that it includes support for <a name="INDEX-214"/>Kerberos 5 authentication and
+<a name="INDEX-215"/>LDAP, which are
+required to act as clients in an Active Directory domain. Another
+feature that appeared in Samba 3.0 is support for Unicode, which
+greatly simplifies supporting international languages.</p>
+
+<p>In later Version 3 releases, the Samba team plans to develop support
+for
+<a name="INDEX-216"/>WINS
+replication, allowing Samba to act as a secondary WINS server or as a
+primary WINS server with Windows or Samba secondary WINS servers.
+Also planned are support for acting as a Windows NT BDC and support
+for Windows NT domain trust relationships.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-8"/>
+
+<h2 class="head1">What Can Samba Do?</h2>
+
+<p>Now let's wrap up by showing where Samba can help
+out and where it is limited. <a href="ch01.html#samba2-CHP-1-TABLE-9">Table 1-9</a> summarizes
+which roles Samba can and cannot play in a Windows NT or Active
+Directory domain or a Windows workgroup. Many of the Windows domain
+protocols are proprietary and have not been documented by Microsoft
+and therefore must be reverse-engineered by the Samba team before
+Samba can support them. As of Version 3.0, Samba cannot act as a
+backup in most roles and does not yet fully support Active Directory.</p>
+
+<a name="samba2-CHP-1-TABLE-9"/><h4 class="head4">Table 1-9. Samba roles (as of Version 3.0)</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Role</p>
+</th>
+<th>
+<p>Can perform?</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><a name="INDEX-217"/>File server</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Printer server</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Microsoft Dfs server</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Primary domain controller</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Backup domain controller</p>
+</td>
+<td>
+<p>No</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Active Directory domain controller</p>
+</td>
+<td>
+<p>No</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95/98/Me authentication</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT/2000/XP authentication</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Local master browser</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Local backup browser</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Domain master browser</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Primary WINS server</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Secondary WINS server</p>
+</td>
+<td>
+<p>No</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-9"/>
+
+<h2 class="head1">An Overview of the Samba Distribution</h2>
+
+<p><a name="INDEX-218"/>As mentioned earlier, Samba actually
+contains several programs that serve different but related purposes.
+These programs are documented more fully in <a href="appc.html">Appendix C</a>. For now, we will introduce each of them
+briefly and describe how they work together.</p>
+
+<p>The majority of the programs that come with Samba center on its two
+daemons. Let's take a refined look at the
+responsibilities of each daemon:</p>
+
+<dl>
+<dt><b><em class="emphasis">nmbd</em></b></dt>
+<dd>
+<p>The <em class="emphasis">nmbd</em><a name="INDEX-219"/> daemon is a simple name server that
+supplies WINS functionality. This daemon listens for name-server
+requests and provides the appropriate IP addresses when called upon.
+It also provides browse lists for the Network Neighborhood and
+participates in browsing elections.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbd</em></b></dt>
+<dd>
+<p>The <em class="emphasis">smbd</em><a name="INDEX-220"/> daemon manages the shared resources
+between the Samba server and its clients. It provides file, print,
+and browse services to <span class="acronym">SMB</span> clients across one or
+more networks and handles all notifications between the Samba server
+and the network clients. In addition, it is responsible for user
+authentication, resource locking, and data sharing through the
+<span class="acronym">SMB</span> protocol.</p>
+</dd>
+
+</dl>
+
+<p>New with Version 2.2, there is an additional daemon:</p>
+
+<dl>
+<dt><b><a name="INDEX-221"/><em class="emphasis">winbindd</em></b></dt>
+<dd>
+<p>This daemon is used along with the name service switch to get
+information on users and groups from a Windows NT server and allows
+Samba to authorize users through a Windows NT/2000 server.</p>
+</dd>
+
+</dl>
+
+<p>The Samba distribution also comes with a small set of Unix
+command-line tools:</p>
+
+<dl>
+<dt><b><em class="emphasis">findsmb</em><a name="INDEX-222"/></b></dt>
+<dd>
+<p>A program that searches the local network for computers that respond
+to SMB protocol and prints information on them.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">make_smbcodepage</em><a name="INDEX-223"/></b></dt>
+<dd>
+<p>A program used when working with Samba's
+internationalization features for telling Samba how to convert
+between upper- and lowercase in different character sets.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">make_unicodemap</em><a name="INDEX-224"/></b></dt>
+<dd>
+<p>Another internationalization program used with Samba for compiling
+Unicode map files that Samba uses to translate DOS codepages or Unix
+character sets into 16-bit unicode.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-225"/><em class="emphasis">net</em></b></dt>
+<dd>
+<p>A new program distributed with Samba 3.0 that can be used to perform
+remote administration of servers.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">nmblookup</em><a name="INDEX-226"/></b></dt>
+<dd>
+<p>A program that provides NBT name lookups to find a
+computer's IP address when given its machine name.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-227"/><em class="emphasis">pdbedit</em></b></dt>
+<dd>
+<p>A new program distributed with Samba 3.0 that is helpful for managing
+user accounts held in SAM databases.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">rpcclient</em><a name="INDEX-228"/></b></dt>
+<dd>
+<p>A program that can be used to run MS-RPC functions on Windows clients.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbcacls</em><a name="INDEX-229"/></b></dt>
+<dd>
+<p>A program that is used to set or show ACLs on Windows NT filesystems.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbclient</em><a name="INDEX-230"/></b></dt>
+<dd>
+<p>An <em class="emphasis">ftp</em>-like Unix client that can be used to connect to
+SMB shares and operate on them. The <em class="emphasis">smbclient</em>
+command is discussed in detail in <a href="ch05.html">Chapter 5</a>.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbcontrol</em><a name="INDEX-231"/></b></dt>
+<dd>
+<p>A simple administrative utility that sends messages to <em class="emphasis">nmbd</em>
+or <em class="emphasis">smbd</em>.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-232"/><em class="emphasis">smbgroupedit</em></b></dt>
+<dd>
+<p>A command that can be used to define mappings between Windows NT
+groups and Unix groups. It is new in Samba 3.0.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbmnt</em><a name="INDEX-233"/></b></dt>
+<dd>
+<p>A helper utility used along with <em class="emphasis">smbmount.</em></p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbmount</em><a name="INDEX-234"/></b></dt>
+<dd>
+<p>A program that mounts an smbfs filesystem, allowing remote SMB shares
+to be mounted in the filesystem of the Samba host.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbpasswd</em><a name="INDEX-235"/></b></dt>
+<dd>
+<p>A program that allows an administrator to change the passwords used
+by Samba.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbsh</em><a name="INDEX-236"/></b></dt>
+<dd>
+<p>A tool that functions like a command shell to allow access to a
+remote SMB filesystem and allow Unix utilities to operate on it. This
+command is covered in <a href="ch05.html">Chapter 5</a>.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbspool</em><a name="INDEX-237"/></b></dt>
+<dd>
+<p>A print-spooling program used to send files to remote printers that
+are shared on the SMB network.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbstatus</em><a name="INDEX-238"/></b></dt>
+<dd>
+<p>A program that reports the current network connections to the shares
+on a Samba server.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbtar</em><a name="INDEX-239"/></b></dt>
+<dd>
+<p>A program similar to the Unix <em class="filename">tar</em> command, for
+backing up data in SMB shares.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbumount</em><a name="INDEX-240"/></b></dt>
+<dd>
+<p>A program that works along with <em class="emphasis">smbmount</em> to unmount
+smbfs filesystems.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">testparm</em><a name="INDEX-241"/></b></dt>
+<dd>
+<p>A simple program for checking the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">testprns</em><a name="INDEX-242"/></b></dt>
+<dd>
+<p>A program that tests whether printers on the Samba host are
+recognized by the <em class="filename">smbd</em> daemon.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">wbinfo</em><a name="INDEX-243"/></b></dt>
+<dd>
+<p>A utility used to query the <em class="filename">winbindd
+</em><a name="INDEX-244"/>daemon.</p>
+</dd>
+
+</dl>
+
+<p>Each major release of Samba goes through an exposure test before
+it's announced. In addition, it is quickly updated
+afterward if problems or unwanted side effects are found. The latest
+stable distribution as of this writing is Samba 2.2.6, and this book
+focuses mainly on the functionality supported in Samba 2.2.6, as
+opposed to older versions of Samba.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-10"/>
+
+<h2 class="head1">How Can I Get Samba?</h2>
+
+<p><a name="INDEX-245"/><a name="INDEX-246"/>Source
+and binary distributions of Samba are available from mirror sites
+across the Internet. The primary web site for Samba is located at
+<a href="http://www.samba.org/">http://www.samba.org/</a>. From there, you
+can select a mirror site that is geographically near you.</p>
+
+<p>Most Linux and many Unix vendors provide binary packages. These can
+be more convenient to install and maintain than the Samba
+team's source or binary packages, due to the
+vendor's efforts to supply a package that matches
+its specific products. <a name="INDEX-247"/></p>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> You
+can also right-click the shared resource in the Network Neighborhood
+and then select the Map Network Drive menu item.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Be
+warned that many end-user license agreements forbid installing a
+program on a network so that multiple clients can access it. Check
+the legal agreements that accompany the product to be absolutely
+sure.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> You
+might also see the abbreviation NetBT, which is common in Microsoft
+literature.</p> <a name="FOOTNOTE-4"/>
+<p><a href="#FNPTR-4">[4]</a> See
+<a href="http://www.samba.org/cifs/docs/what-is-smb.html">http://www.samba.org/cifs/docs/what-is-smb.html</a>
+for Richard's excellent summary of
+<a name="INDEX-93"/>SMB.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This
+was originally called <a name="INDEX-126"/><a name="INDEX-127"/><a name="INDEX-128"/>Network Neighborhood in Windows 95/98/NT,
+but Microsoft has changed the name to My Network Places in the more
+recent Windows Me/2000/XP. We will continue to call it Network
+Neighborhood, and if you're using a new version of
+Windows, be aware that My Network Places can act a little differently
+in some ways.</p> </blockquote>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/ch02.html b/docs/htmldocs/using_samba/ch02.html
new file mode 100644
index 0000000000..ecefb2fb7d
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch02.html
@@ -0,0 +1,1849 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 2. Installing Samba on a Unix System</h1>
+
+<p><a name="INDEX-1"/>Now
+that you know what Samba can do for you and your users,
+it's time to get your own network set up.
+Let's start with the installation of Samba. When
+dancing the samba, one learns by taking small steps.
+It's just the same when installing Samba; we need to
+teach it step by step. This chapter will help you start off on the
+right foot.</p>
+
+<p>For illustrative purposes, we will be installing the 2.2.6 version of
+the Samba server on a Linux system running Version 2.4 of the kernel.
+However, the installation steps are essentially the same for all the
+platforms Samba supports.</p>
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-1"/>
+
+<h2 class="head1">Bundled Versions</h2>
+
+<p><a name="INDEX-2"/><a name="INDEX-3"/>Samba is in such
+popular use that many Unix distributions come with it already
+installed. If you choose to use a bundled version of Samba, you can
+breeze through most of this chapter, but you'll be
+stuck with the Samba version and compile-time options your vendor
+selected for you. That version of Samba can't be any
+newer than the operating system release, so you're
+likely to be pretty far behind the latest developments. On the other
+hand, you can be fairly sure that a bundled version has been
+installed properly, and perhaps it will take only a few simple
+modifications to your <em class="emphasis">smb.conf</em> file for you to
+be off and running. Samba is mature enough that you probably
+don't need the latest release to meet your basic
+needs, so you might be perfectly happy running a bundled version.</p>
+
+<p>If you choose this option, be aware that your Samba files, including
+the very important
+<em class="emphasis">smb.conf</em>,<a name="INDEX-4"/> might be in different places
+than they would be if you were to install from a binary or source
+distribution. For example, with the Red Hat, Debian, and Mandrake
+Linux distributions, <em class="emphasis">smb.conf</em> and some other
+Samba-related files are in the <em class="emphasis">/etc/samba</em>
+directory.</p>
+
+<p>If Samba is already installed on your system, you can check to see
+what version you have by using the command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbd -V</b></tt>
+Version 2.2.6</pre></blockquote>
+
+<p>(If this doesn't work, it might be because
+<em class="emphasis">smbd</em> is not in your shell's
+search path. If you have the <em class="emphasis">locate</em> or
+<em class="emphasis">whereis</em> command in your Unix variant, you can
+use it to locate the <em class="emphasis">smbd</em> executable.)</p>
+
+<p>You might also be able to use a system-specific tool to query a
+software-package maintenance utility. On Red Hat Linux, you can use
+the <em class="emphasis">rpm</em><a name="INDEX-5"/> command to query the installed packages
+for Samba:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>rpm -qa | grep samba</b></tt>
+samba-client-2.0.8-1.7.1
+samba-2.0.8-1.7.1
+samba-common-2.0.8-1.7.1</pre></blockquote>
+
+<p>This shows we have Samba 2.0.8, divided into three Red Hat Package
+Manager (RPM) packages, bundled with Red Hat 7.1. If your version of
+Samba is old, you might at the very least want to check with your
+vendor for an update.</p>
+
+<p>Otherwise, if you're sure you are going to install
+from a binary or source distribution, you can remove the RPM packages
+as follows:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>rpm -e samba</b></tt>
+# <tt class="userinput"><b>rpm -e samba-client</b></tt>
+# <tt class="userinput"><b>rpm -e samba-common</b></tt></pre></blockquote>
+
+<p>If you are not using Red Hat Linux, consult your
+system's documentation to find the method that works
+for you.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-1.1"/>
+
+<h3 class="head2">Binary or Source?</h3>
+
+<p><a name="INDEX-6"/>Precompiled
+&quot;binary&quot; packages are also
+available for a large number of Unix platforms. These packages
+contain binaries for each Samba executable, as well as the standard
+Samba documentation. Note that while installing a binary distribution
+can save you a fair amount of time and trouble, you should keep a
+couple of issues in mind when deciding whether to use the binary or
+compile the source yourself:</p>
+
+<ul><li>
+<p>The binary packages can lag behind the latest version of the software
+by one or two (maybe more) minor releases, especially after a series
+of small changes and for less popular platforms. Compare the release
+notes for the source and binary packages to make sure there
+aren't any new features that you need on your
+platform.</p>
+</li><li>
+<p>If you use a precompiled binary that is dynamically linked, you will
+need to ensure that you have the correct libraries required by the
+executables. If your system does not already have the required
+version of a library, you might have to install a new version. The
+<em class="filename">README</em> file or <em class="filename">makefile</em>
+that accompanies the binary distribution should list any special
+requirements.</p>
+
+<p>Many systems with shared libraries come with a nifty tool called
+<em class="emphasis">ldd</em>. This tool will tell you which libraries a
+specific binary requires and which libraries on the system satisfy
+that requirement. For example, checking the <em class="emphasis">smbd</em>
+program on our test machine gave us:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ldd smbd</b></tt>
+        libdl.so.2 =&gt; /lib/libdl.so.2 (0x40026000)
+        libnsl.so.1 =&gt; /lib/libnsl.so.1 (0x4002a000)
+        libpam.so.0 =&gt; /lib/libpam.so.0 (0x40041000)
+        libc.so.6 =&gt; /lib/libc.so.6 (0x40049000)
+        /lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x40000000)</pre></blockquote>
+
+<p>If there are any incompatibilities between Samba and specific
+libraries on your machine, the distribution-specific documentation
+should highlight them.</p>
+</li><li>
+<p>If your precompiled binary is statically linked, it is still possible
+to have problems. There have been cases in which the statically
+linked C library calls in Samba programs have been out of sync with
+the operating-system kernel, even though this is
+&quot;not supposed to happen.&quot;</p>
+</li><li>
+<p>Keep in mind that each binary distribution carries preset values
+about the target platform, such as default directories and
+configuration option values. Again, check the documentation and the
+makefile included in the source directory to see which directives and
+variables were used when the binary was compiled. In some cases,
+these will not be appropriate for your situation.</p>
+
+<p>A few configuration items can be reset with command-line options at
+runtime rather than at compile time. For example, if your binary
+tries to place any log, lock, or status files in the
+&quot;wrong&quot; place (for example, in
+<em class="filename">/usr/local</em> ), you can override this without
+recompiling.</p>
+</li></ul>
+<p>One point worth mentioning is that the Samba source requires an
+<a name="INDEX-7"/><a name="INDEX-8"/><a name="INDEX-9"/>ANSI C
+compiler. If you are on a legacy platform with a non-ANSI compiler,
+such as the <em class="emphasis">cc</em> compiler on SunOS Version 4,
+you'll have to install an ANSI-compliant compiler
+such as <em class="emphasis">gcc</em> <a name="INDEX-10"/>before you do anything else.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a>
+If installing a compiler isn't something you want to
+wrestle with, you can start off with a binary package. However, for
+the most flexibility and compatibility on your system, we always
+recommend compiling from the latest stable or production source.</p>
+
+<p>A typical installation will take about an hour to complete, including
+downloading the source files and compiling them, setting up the
+configuration files, and testing the server.</p>
+
+<p>Here is an overview of the steps:</p>
+
+<ol><li>
+<p><a name="INDEX-11"/>Download the source or binary files.</p>
+</li><li>
+<p>Read the installation documentation.</p>
+</li><li>
+<p>Configure a makefile.</p>
+</li><li>
+<p>Compile the server and utility programs.</p>
+</li><li>
+<p>Install the server files.</p>
+</li><li>
+<p>Create a Samba configuration file.</p>
+</li><li>
+<p>Test the configuration file.</p>
+</li><li>
+<p>Start the Samba daemons.</p>
+</li><li>
+<p>Test the Samba daemons. <a name="INDEX-12"/></p>
+</li></ol>
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-2"/>
+
+<h2 class="head1">Downloading the Samba Distribution</h2>
+
+<p><a name="INDEX-13"/>If
+you would like to download the latest version of the Samba software,
+the primary web site is <a href="http://www.samba.org">http://www.samba.org</a>. Once connected to this
+page, you'll see links to several Samba mirror sites
+across the world, both for the standard Samba web pages and for sites
+devoted exclusively to downloading Samba. For the best performance,
+choose a site that is closest to your own geographic location.</p>
+
+<p>The standard Samba web sites have Samba
+<a name="INDEX-14"/>documentation and
+<a name="INDEX-15"/>tutorials,
+<a name="INDEX-16"/>mailing-list
+archives, and the latest Samba <a name="INDEX-17"/>news, as well as source and binary
+distributions of Samba. The download sites (sometimes called
+<em class="emphasis">F T P sites</em>) have only the source and binary
+distributions. Unless you specifically want an older version of the
+Samba server or are going to install a binary distribution, download
+the latest source distribution from the closest mirror site. This
+distribution is always named:</p>
+
+<blockquote><pre class="code">samba-latest.tar.gz</pre></blockquote>
+
+<p>which for the 2.2.6 release is an approximately 5MB file.</p>
+
+<p>The source distribution has been archived with
+<em class="emphasis">tar</em> and then compressed with the GNU
+<em class="emphasis">gzip</em> program. To unpack it, move the file to the
+directory in which you want the Samba source directory to be located,
+then <em class="emphasis">cd</em> to that directory and run the command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>tar xvfz samba-latest.tar.gz</b></tt></pre></blockquote>
+
+<p>Or, if you do not have the GNU <em class="emphasis">tar</em> program
+(which also handles the unzipping):</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>gunzip samba-latest.tar.gz</b></tt>
+$ <tt class="userinput"><b>tar xvf samba-latest.tar</b></tt></pre></blockquote>
+
+<p>In that latter case, you might need to install the GNU
+<em class="emphasis">gunzip</em> program first. While the
+<em class="emphasis">tar</em> command runs, it will print out a list of
+the files it installs.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-2.1"/>
+
+<h3 class="head2">Read the Documentation</h3>
+
+<p><a name="INDEX-18"/>This
+part might seem obvious, but at one time or other you probably
+uncompressed a package, blindly typed:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>configure; make; make install</b></tt></pre></blockquote>
+
+<p>and walked away to get another cup of coffee. Do yourself a favor and
+be a little more careful this time.</p>
+
+<p>In the top-level directory that you just installed, there is a file
+named <em class="filename">WHATSNEW.txt</em>, which contains the latest
+news about the release. If you are upgrading, you can find important
+information about bug fixes or configuration parameters that have
+been added or are no longer supported.</p>
+
+<p>With both source and binary packages you'll find a
+large number of documents in the <em class="filename">docs</em> directory,
+in a variety of formats. One file is especially important:</p>
+
+<blockquote><pre class="code">docs/htmldocs/UNIX_INSTALL.html</pre></blockquote>
+
+<p>This is the Samba Team's official instructions on
+installing Samba on a Unix system, which you might like to use as
+another perspective besides what we are telling you here.</p>
+
+<p>In general, we expect you'll find to be most useful
+the files in the following directories:</p>
+
+<dl>
+<dt><b>docs/faq</b></dt>
+<dd>
+<p>This is the Samba Frequently Asked Questions (FAQ) files.</p>
+</dd>
+
+
+
+<dt><b>docs/htmldocs</b></dt>
+<dd>
+<p>This is the miscellaneous documentation in HTML format.</p>
+</dd>
+
+
+
+<dt><b>docs/textdocs</b></dt>
+<dd>
+<p>Here is more documentation, in simple text format.</p>
+</dd>
+
+
+
+<dt><b>docs/manpages</b></dt>
+<dd>
+<p>You don't need to worry about these yet; during the
+installation, the files will be installed so that you can use the
+<em class="emphasis">man</em> command to read them. But you can take a
+look in the directory to see which manpages are available.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-3"/>
+
+<h2 class="head1">Configuring Samba</h2>
+
+<p><a name="INDEX-19"/><a name="INDEX-20"/>Samba automatically configures itself
+prior to compilation. This reduces the likelihood of a
+machine-specific problem, but you might end up wishing for an option
+after Samba has been installed.</p>
+
+<p>The source distribution of Samba 2.2 and above
+doesn't initially have a
+<a name="INDEX-21"/>makefile. Instead, one is
+generated through a <a name="INDEX-22"/><a name="INDEX-23"/>GNU <em class="filename">configure</em>
+script, which is located in the <em class="filename">samba-2.2.x
+/source/</em> directory. The <em class="firstterm">configure</em>
+script takes care of the machine-specific issues of building Samba.</p>
+
+<a name="samba2-CHP-2-NOTE-88"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+
+
+
+<p>Before running the <em class="filename">configure</em> script, it is
+important that you become the root user on the system. Otherwise, you
+might get a warning such as:</p>
+
+
+<blockquote><pre class="code">configure: warning: running as non-root will disable some tests</pre></blockquote>
+
+
+<p>You don't want any test to be disabled when the
+Samba makefile is being created; it would leave the potential for
+errors down the road when compiling or running Samba on your system.</p>
+</blockquote>
+
+<p>When the <em class="filename">configure </em>script is run, it prints out
+messages telling what it is doing, and error messages might be mixed
+in. To make sure you see those very important error messages, we
+suggest you run <em class="filename">configure </em>with its standard
+output passed through some filter to capture the output and keep it
+from scrolling out of sight. One method is using the
+<em class="filename">more</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure | more</b></tt></pre></blockquote>
+
+<p>We will show you another in a moment.</p>
+
+<p>Although you can run <em class="filename">configure </em>as previously
+with no options, you might want to add support for extra features by
+passing options on the command line. For example:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure --with-winbind</b></tt></pre></blockquote>
+
+<p>will configure the Samba makefile with support for winbind
+authentication. If you would like a complete list of options, type
+the following:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure --help</b></tt></pre></blockquote>
+
+<p>Each option enables or disables various features. You typically
+enable a feature by specifying the
+<tt class="literal">--</tt><a name="INDEX-24"/><a name="INDEX-25"/><a name="INDEX-26"/><a name="INDEX-27"/><tt class="literal">with-</tt><em class="replaceable">feature</em>
+option, which will cause the feature to be compiled and installed.
+Likewise, if you specify a
+<tt class="literal">--without-</tt><em class="replaceable">feature</em>
+option, the feature will be disabled. A full list of configuration
+options is provided in <a href="appe.html">Appendix E</a>, but for now we
+want to point out three of them, which are features we cover later in
+this book:</p>
+
+<dl>
+<dt><b><tt class="literal">--with-msdfs</tt><a name="INDEX-28"/><a name="INDEX-29"/></b></dt>
+<dd>
+<p>Include support for Microsoft Distributed filesystem (Dfs), which
+allows dispersed network resources to be clumped together into one
+easy-to-navigate directory tree. See <a href="ch08.html">Chapter 8</a>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-smbwrapper</tt><a name="INDEX-30"/><a name="INDEX-31"/></b></dt>
+<dd>
+<p>Include SMB wrapper support, which allows programs running on the
+Unix host to access SMB shared folders as if they were Unix
+filesystems. We recommend using this option. See <a href="ch05.html">Chapter 5</a>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-smbmount</tt><a name="INDEX-32"/><a name="INDEX-33"/></b></dt>
+<dd>
+<p>Include <em class="emphasis">smbmount</em> support, which allows SMB
+shared folders to be mounted in the Unix filesystem. At the time of
+this writing, support for this feature exists only for Linux. This is
+also covered in <a href="ch05.html">Chapter 5</a>.</p>
+</dd>
+
+</dl>
+
+<p>Each option is disabled by default, and none of the features is
+essential to Samba. However, you may want to include them in your
+configuration (as we will in our example) at least to be able to try
+out the options in later chapters.</p>
+
+<p>In addition, <a href="ch02.html#samba2-CHP-2-TABLE-1">Table 2-1</a> shows some other parameters
+that you can give the <em class="filename">configure</em> script if you
+wish to store parts of the Samba distribution in different places,
+perhaps to make use of multiple disks or partitions. Note that the
+defaults sometimes refer to a prefix specified earlier in the table.</p>
+
+<a name="samba2-CHP-2-TABLE-1"/><h4 class="head4">Table 2-1. Additional configure options</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Meaning</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">--prefix</tt><a name="INDEX-34"/><a name="INDEX-35"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install architecture-independent files at the base directory
+specified.</p>
+</td>
+<td>
+<p><em class="filename">/usr/local/samba</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--eprefix</tt><a name="INDEX-36"/><a name="INDEX-37"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install architecture-dependent files at the base directory specified.</p>
+</td>
+<td>
+<p><em class="filename">/usr/local/samba</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--bindir</tt><a name="INDEX-38"/><a name="INDEX-39"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install user executables in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">eprefix</em><em class="filename">/bin</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--sbindir</tt><a name="INDEX-40"/><a name="INDEX-41"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install administrator executables in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">eprefix</em><em class="filename">/bin</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--libexecdir</tt><a name="INDEX-42"/><a name="INDEX-43"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install program executables in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">eprefix</em><em class="filename">/libexec</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--datadir</tt><a name="INDEX-44"/><a name="INDEX-45"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install read-only architecture-independent data in the directory
+specified.</p>
+</td>
+<td>
+<p><em class="replaceable">prefix</em><em class="filename">/share</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--libdir</tt><a name="INDEX-46"/><a name="INDEX-47"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install program libraries in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">eprefix</em><em class="filename">/lib</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--includedir</tt><a name="INDEX-48"/><a name="INDEX-49"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install package-include files in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">prefix</em><em class="filename">/include</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--infodir</tt><a name="INDEX-50"/><a name="INDEX-51"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install additional information files in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">prefix</em><em class="filename">/info</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--mandir</tt><a name="INDEX-52"/><a name="INDEX-53"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install manual pages in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">prefix</em><em class="filename">/man</em></p>
+</td>
+</tr>
+
+</table>
+
+<p>Here is a sample execution of the
+<em class="filename">configure</em><a name="INDEX-54"/>
+script, which creates a Samba 2.2.6 makefile for the Linux platform.
+Note that you must run the configure script in the
+<em class="emphasis">source</em> directory and that we are showing you yet
+another way to capture the output of the script:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cd samba-2.2.6/source/</b></tt>
+$ <tt class="userinput"><b>su</b></tt>
+Password:
+# <tt class="userinput"><b>./configure --with-smbwrapper --with-smbmount \</b></tt>
+<tt class="userinput"><b>--with-msdfs --with-syslog --with-utmp 2&gt;&amp;1 | tee config.my.log</b></tt>
+loading cache ./config.cache
+checking for gcc... (cached) gcc
+checking whether the C compiler (gcc -O ) works... yes
+checking whether the C compiler (gcc -O ) is a cross-compiler... no
+checking whether we are using GNU C... (cached) yes
+checking whether gcc accepts -g... (cached) yes
+checking for a BSD-compatible install... (cached) /usr/bin/install -c
+
+<i class="lineannotation">...(content omitted)...</i>
+
+checking configure summary
+configure OK
+creating ./config.status
+creating include/stamp-h
+creating Makefile
+creating include/config.h</pre></blockquote>
+
+<p>In general, any message from <em class="filename">configure</em> that
+doesn't begin with the words
+<tt class="literal">checking</tt><a name="INDEX-55"/> or
+<tt class="literal">creating</tt><a name="INDEX-56"/> is an
+<a name="INDEX-57"/>error; it often helps to redirect the
+output of the configure script to a file so that you can quickly
+search for errors, as we did with the <em class="filename">tee</em>
+command earlier. If there was an error during configuration, more
+detailed information about it can be found in the
+<em class="filename">config.log</em><a name="INDEX-58"/> file, which is written to the local
+directory by the <em class="filename">configure</em> script, as well as in
+the <em class="filename">config.my.log</em> file, which we created by
+piping through the <em class="filename">tee</em> command. These files are
+very similar in both name and content, but be careful to check both
+of them for error messages before continuing!</p>
+
+<p>If the configuration works, you'll see a
+<tt class="literal">checking</tt> <tt class="literal">configure</tt>
+<tt class="literal">summary</tt> message followed by a
+<tt class="literal">configure</tt> <tt class="literal">OK</tt> message and four
+or five file-creation messages. So far, so good. <a name="INDEX-59"/></p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-4"/>
+
+<h2 class="head1">Compiling and Installing Samba</h2>
+
+<p><a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/>At this point you should be ready to build
+the Samba executables. Compiling is also easy: in the
+<em class="filename">source</em> directory, type <tt class="literal">make</tt>
+on the command line. The
+<em class="filename">make</em><a name="INDEX-64"/> utility will produce a stream of
+explanatory and success messages, beginning with:</p>
+
+<blockquote><pre class="code">Using FLAGS = -O -Iinclude ...</pre></blockquote>
+
+<p>This build includes compiles for both <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em> and ends in a linking command for
+<em class="filename">bin/nmblookup</em>. For example, here is a sample
+make of Samba Version 2.2.6 on a Linux server:</p>
+
+<blockquote><pre class="code"># make 2&gt;&amp;1 | tee make.log
+Using FLAGS =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE64
+_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE  -DLOGFILEBASE=&quot;/usr/local/samba/va
+r&quot; -DCONFIGFILE=&quot;/usr/local/samba/lib/smb.conf&quot; -DLMHOSTSFILE=&quot;/usr/local/samba/
+lib/lmhosts&quot;   -DSWATDIR=&quot;/usr/local/samba/swat&quot; -DSBINDIR=&quot;/usr/local/samba/bin
+&quot; -DLOCKDIR=&quot;/usr/local/samba/var/locks&quot; -DCODEPAGEDIR=&quot;/usr/local/samba/lib/cod
+epages&quot; -DDRIVERFILE=&quot;/usr/local/samba/lib/printers.def&quot; -DBINDIR=&quot;/usr/local/sa
+mba/bin&quot;  -DHAVE_INCLUDES_H -DPASSWD_PROGRAM=&quot;/bin/passwd&quot; -DSMB_PASSWD_FILE=&quot;/u
+sr/local/samba/private/smbpasswd&quot; -DTDB_PASSWD_FILE=&quot;/usr/local/samba/private/sm
+bpasswd.tdb&quot;
+Using FLAGS32 =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE
+64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE  -DLOGFILEBASE=&quot;/usr/local/samba/
+var&quot; -DCONFIGFILE=&quot;/usr/local/samba/lib/smb.conf&quot; -DLMHOSTSFILE=&quot;/usr/local/samb
+a/lib/lmhosts&quot;   -DSWATDIR=&quot;/usr/local/samba/swat&quot; -DSBINDIR=&quot;/usr/local/samba/b
+in&quot; -DLOCKDIR=&quot;/usr/local/samba/var/locks&quot; -DCODEPAGEDIR=&quot;/usr/local/samba/lib/c
+odepages&quot; -DDRIVERFILE=&quot;/usr/local/samba/lib/printers.def&quot; -DBINDIR=&quot;/usr/local/
+samba/bin&quot;  -DHAVE_INCLUDES_H -DPASSWD_PROGRAM=&quot;/bin/passwd&quot; -DSMB_PASSWD_FILE=&quot;
+/usr/local/samba/private/smbpasswd&quot; -DTDB_PASSWD_FILE=&quot;/usr/local/samba/private/
+smbpasswd.tdb&quot;
+Using LIBS = -ldl -lnsl -lpam
+Compiling smbd/server.c
+Compiling smbd/files.c
+Compiling smbd/chgpasswd.c
+Compiling smbd/connection.c
+Compiling smbd/utmp.c
+Compiling smbd/session.c
+Compiling smbd/dfree.c
+Compiling smbd/dir.c
+
+<i class="lineannotation">...(content omitted)...</i>
+
+Compiling rpc_server/srv_srvsvc.c
+Compiling rpc_server/srv_srvsvc_nt.c
+Compiling rpc_server/srv_util.c
+Compiling rpc_server/srv_wkssvc.c
+Compiling rpc_server/srv_wkssvc_nt.c
+Compiling rpc_server/srv_pipe.c
+Compiling rpc_server/srv_dfs.c
+Compiling rpc_server/srv_dfs_nt.c
+Compiling rpc_server/srv_spoolss.c
+Compiling rpc_server/srv_spoolss_nt.c
+Compiling lib/util_getent.c
+Compiling rpc_parse/parse_lsa.c
+Compiling rpc_parse/parse_net.c
+Compiling rpc_parse/parsen/smbmount
+Compiling client/smbmnt.c
+Linking bin/smbmnt
+Compiling client/smbumount.c
+Linking bin/smbumount
+Compiling utils/nmblookup.c
+Linking bin/nmblookup</pre></blockquote>
+
+<p>If you encounter a problem when compiling, first check the Samba
+documentation to see if it is easily fixable. Another possibility is
+to search or post to the Samba mailing lists, which are given at the
+end of <a href="ch12.html">Chapter 12</a> and on the Samba home page. Most
+compilation issues are system-specific and almost always easy to
+overcome.</p>
+
+<p>Now that the files have been compiled, you can install them into the
+directories you identified with the command:</p>
+
+<blockquote><pre class="code">#<tt class="userinput"><b> make install</b></tt></pre></blockquote>
+
+<p>If you happen to be <a name="INDEX-65"/>upgrading, your old Samba files will be
+saved with the extension
+<em class="emphasis">.old</em>,<a name="INDEX-66"/> and you can go back to that previous
+version with the command
+<tt class="literal">make</tt><a name="INDEX-67"/> <tt class="literal">revert</tt>. After doing a
+<tt class="literal">make</tt><a name="INDEX-68"/> <tt class="literal">install</tt>, you should
+copy the <em class="emphasis">.old</em> files (if they exist) to a new
+location or name. Otherwise, the next time you install Samba, the
+original <em class="emphasis">.old</em> will be overwritten without
+warning and you could lose your earlier version. If you configured
+Samba to use the default locations for files, the new files will be
+installed in the directories listed in <a href="ch02.html#samba2-CHP-2-TABLE-2">Table 2-2</a>.
+Remember that you need to perform the installation from an account
+that has write privileges on these target directories; this is
+typically the root account.</p>
+
+<a name="samba2-CHP-2-TABLE-2"/><h4 class="head4">Table 2-2. Samba installation directories</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Directory</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba</em></p>
+</td>
+<td>
+<p>Main tree</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/bin</em></p>
+</td>
+<td>
+<p>Binaries</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/lib</em></p>
+</td>
+<td>
+<p><em class="emphasis">smb.conf</em>, <em class="emphasis">lmhosts</em>,
+configuration files, etc.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/man</em></p>
+</td>
+<td>
+<p>Samba documentation</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/private</em></p>
+</td>
+<td>
+<p>Samba-encrypted password file</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/swat</em></p>
+</td>
+<td>
+<p>SWAT files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/var</em></p>
+</td>
+<td>
+<p>Samba log files, lock files, browse list info, shared memory files,
+process ID files</p>
+</td>
+</tr>
+
+</table>
+
+<p>Throughout the remainder of the book, we occasionally refer to the
+location of the main tree as <em class="filename">/usr/local/samba</em>.
+In most configurations, this is the base directory of the installed
+Samba package; however, it can vary from system to system<em class="filename">
+</em>.</p>
+
+<a name="samba2-CHP-2-NOTE-90"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Watch out if you've made <em class="filename">/usr</em> a
+read-only partition. You will want to put the logs, locks, and
+password files somewhere else.</p>
+</blockquote>
+
+<p>Here is the installation that we performed on our machine. You can
+see that we used <em class="filename">/usr/local/samba</em> as the base
+directory for the distribution:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>make install 2&gt;&amp;1 | tee make-install.log</b></tt>
+Using FLAGS =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE64
+_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE  -DLOGFILEBASE=&quot;/usr/local/samba/va
+r&quot; -DCONFIGFILE=&quot;/usr/local/samba/lib/smb.conf&quot;
+
+<i class="lineannotation">...(content omitted)...</i>
+
+The binaries are installed. You can restore the old binaries (if there
+were any) using the command &quot;make revert&quot;. You can uninstall the binaries
+using the command &quot;make uninstallbin&quot; or &quot;make uninstall&quot; to uninstall
+binaries, manpages and shell scripts.
+
+<i class="lineannotation">...(content omitted)...</i>
+
+======================================================================
+The SWAT files have been installed. Remember to read the swat/README
+for information on enabling and using SWAT.
+======================================================================</pre></blockquote>
+
+<p>If the last message is about SWAT, you've
+successfully installed all the files. Congratulations! You now have
+Samba on your system!</p>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-4.1"/>
+
+<h3 class="head2">Upgrading Your Installation</h3>
+
+<p><a name="INDEX-70"/><a name="INDEX-71"/>Eventually a new version of
+Samba will be released, and you will want to upgrade. This is simple;
+just repeat the same steps you used to install your current version.
+Download the source distribution from the Samba web site and install
+it, then run the <tt class="literal">./configure</tt>,
+<tt class="literal">make</tt>, and <tt class="literal">make</tt>
+<tt class="literal">install</tt> commands as before. If
+you've forgotten which options you used with the
+<a name="INDEX-72"/><a name="INDEX-73"/><a name="INDEX-74"/><a name="INDEX-75"/><em class="emphasis">configure</em>
+script, take a look at the
+<em class="filename">source/config.status</em><a name="INDEX-76"/><a name="INDEX-77"/> file in your previous
+version's source distribution. The first few lines
+of this file show the options used the last time
+<em class="emphasis">configure</em> was run.</p>
+
+<p>When you run the <tt class="literal">make
+install</tt><a name="INDEX-78"/> command to install your new
+version, the files of the previous version are replaced with the new
+ones, and then all you have to do is restart the Samba daemons to get
+your new version running. See <a href="ch02.html#samba2-CHP-2-SECT-8">Section 2.8</a> later in this chapter for directions on how to do this.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-4.2"/>
+
+<h3 class="head2">Reconfiguring Samba</h3>
+
+<p><a name="INDEX-79"/>If you
+have already compiled Samba and wish to recompile the same source
+code with different <em class="emphasis">configure</em> options, you
+should run the following three commands in the
+<em class="emphasis">source</em> directory before rerunning the
+<em class="emphasis">configure</em> script:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>autoconf</b></tt>
+# <tt class="userinput"><b>make clean</b></tt>
+# <tt class="userinput"><b>rm config.cache</b></tt></pre></blockquote>
+
+<p>This ensures that you are starting with a clean slate and that your
+previous <em class="emphasis">configure</em> command does not leave any
+data around that can affect your new build. From here, you can rerun
+<tt class="literal">./configure</tt> and then <tt class="literal">make</tt> and
+<tt class="literal">make install</tt>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-4.3"/>
+
+<h3 class="head2">Setting Search Paths</h3>
+
+<p><a name="INDEX-80"/>You
+will probably want to run commands included in the Samba distribution
+without having to specify their full directory paths. For that to
+work, the directory in which the Samba executables are located,
+<em class="filename">/usr/local/samba/bin</em> by default, must be added
+to your shell's <a name="INDEX-81"/>PATH environment variable. This
+environment variable is usually set in one or more of the
+shell's startup files, which in the case of
+<em class="emphasis">bash</em> are <em class="filename">/etc/profile</em>
+(systemwide) and the <em class="filename">.bash_profile</em> and
+<em class="filename">.bashrc</em> files in each user's
+home directory.</p>
+
+<p>To be able to read the <a name="INDEX-82"/><a name="INDEX-83"/><a name="INDEX-84"/>Samba manual pages using the
+<em class="emphasis">man</em> command, the directory where
+Samba's manual pages reside,
+<em class="filename">/usr/local/samba/man</em> by default, must be in your
+<a name="INDEX-85"/>MANPATH environment variable. On Red
+Hat Linux, this can be accomplished by adding the following two lines
+to <em class="filename">/etc/man.config</em>:</p>
+
+<a name="INDEX-86"/><a name="INDEX-87"/><blockquote><pre class="code">
+MANPATH            /usr/local/samba/man
+MANPATH_MAP        /usr/local/samba/bin     /usr/local/samba/man</pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-5"/>
+
+<h2 class="head1">Enabling SWAT</h2>
+
+<p>The <a name="INDEX-88"/><a name="INDEX-89"/>Samba
+Web Administration Tool (SWAT) runs as a daemon under
+<em class="emphasis">inetd</em> or <em class="filename">xinetd </em>and
+provides a forms-based editor in your web browser for creating and
+modifying <a name="INDEX-90"/>Samba's
+configuration file. For SWAT to work, entries must be added for it in
+the <em class="filename">/etc/services</em> and
+<em class="filename">/etc/inetd.conf</em> (or
+<em class="filename">/etc/xinetd.d/swat) </em>configuration files. To add
+the entries, follow these two steps:</p>
+
+<ol><li>
+<p>Check your <em class="filename">/etc/services</em> file, and if it does
+not contain the following line, add it to the end of the file:</p>
+
+<blockquote><pre class="code">swat   901/tcp</pre></blockquote>
+</li>
+<li>
+<p>Now for <em class="filename">inetd </em><a name="INDEX-91"/>or <em class="filename">xinetd.
+</em><a name="INDEX-92"/>These are &quot;Internet
+super daemons&quot; that handle starting daemons on
+demand, instead of letting them sit around in memory consuming system
+resources. Most systems use <em class="filename">inetd, </em>but
+<em class="filename">xinetd </em>is also used in some versions of Unix,
+notably the Red Hat Linux (Versions 7 and newer) that we use in our
+examples. You can use the <em class="emphasis">ps</em> command to see
+which of the two your system is running.</p>
+</li></ol>
+<p>For <em class="filename">inetd, </em>add a line to the
+<em class="emphasis">/etc/</em><em class="filename">inetd.conf </em>file.
+(Check your <em class="filename">inetd.conf</em> manual page to see the
+exact format of the<em class="filename"> inetd.conf</em> file if it
+differs from the following example.) Don't forget to
+change the path to the SWAT binary if you installed it in a different
+location from the default <em class="filename">/usr/local/samba</em>:</p>
+
+<blockquote><pre class="code">swat   stream  tcp  nowait  root  /usr/local/samba/bin/swat  swat</pre></blockquote>
+
+<p>Then force <em class="filename">inetd</em> to reread its configuration
+file by sending it a SIGHUP (hangup) signal:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/bin/kill -HUP -a inetd</b></tt></pre></blockquote>
+
+<p>Notice that we are using a version of the <em class="emphasis">kill</em>
+command that supports the <em class="emphasis">-a</em> option, so as to
+allow us to specify the process by name. On FreeBSD and Linux, you
+can use the <em class="emphasis">killall</em> command<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> as follows:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>killall -HUP inetd</b></tt></pre></blockquote>
+
+<p>If you are not running Linux or FreeBSD and your version of
+<em class="emphasis">kill</em> doesn't have the
+<em class="emphasis">-a</em> option, you will need to use the
+<em class="emphasis">ps</em> command to find the process ID and then
+supply that to <em class="emphasis">kill</em>:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ps ax | grep inetd</b></tt>
+  780 ?        S      0:00 inetd
+ 1981 pts/4    S      0:00 grep inetd                                         
+# <tt class="userinput"><b>kill -HUP 780</b></tt></pre></blockquote>
+
+<p>If your system is using <em class="filename">xinet, </em>add a file named
+<em class="emphasis">swat</em> in your <em class="filename">/etc/xinetd.d
+</em>directory, containing the following:</p>
+
+<blockquote><pre class="code"># description: swat is the Samba Web Administration Tool, which
+#       allows an administrator to configure Samba using a web
+#       browser interface, with the URL http://localhost:901
+service swat.
+{
+        socket_type             = stream
+        wait                    = no
+        protocol                = tcp
+        only_from               = localhost
+        user                    = root
+        log_on_failure          += USERID
+        server                  = /usr/local/samba/bin/swat
+        port                    = 901
+        disable                 = no
+}</pre></blockquote>
+
+<p>Then <em class="emphasis">xinetd</em> needs to be sent a signal<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> to make it reread its configuration files:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/bin/kill -HUP -a xinetd</b></tt></pre></blockquote>
+
+<p>And that's pretty much it for the installation.
+Before you can start up Samba, however, you need to create a
+configuration file for it.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-6"/>
+
+<h2 class="head1">A Basic Samba Configuration File</h2>
+
+<p><a name="INDEX-93"/>The
+key to configuring Samba is its configuration file,
+<em class="filename">smb.conf</em>. This configuration file can be very
+simple or extremely complex, and the rest of this book is devoted to
+helping you get deeply personal with this file. For now, however,
+we'll show you how to set up a single file service,
+which will allow you to fire up the Samba daemons and see that
+everything is running as it should be. In later chapters, you will
+see how to configure Samba for more complicated and interesting
+tasks.</p>
+
+<p>The installation process does not automatically create an
+<em class="filename">smb.conf</em> configuration file, although several
+example files are included in the Samba distribution. To test the
+server software, though, we'll use the following
+file, which you can create in a text editor. It should be named
+<em class="filename">smb.conf</em> and placed in the
+<em class="emphasis">/usr/local/samba/lib</em> directory:<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a></p>
+
+<blockquote><pre class="code">[global]
+    workgroup = METRAN 
+[test] 
+    comment = For testing only, please
+    path = /usr/local/samba/tmp
+    read only = no
+    guest ok = yes</pre></blockquote>
+
+<p>This brief configuration file tells the Samba server to offer the
+<em class="filename">/usr/local/samba/tmp</em> directory on the server as
+an SMB share called <em class="emphasis">test</em>. The server also
+becomes part of the METRAN workgroup, of which each client must also
+be a part. If you have already chosen a name for your own workgroup,
+use the name of your workgroup instead of METRAN in the previous
+example. In case you are connecting your Samba system into an
+existing network and need to know the workgroup name, you can ask
+another system administrator or go to a Windows system in the
+workgroup and follow these instructions:</p>
+
+<ul><li>
+<p>Windows 95/98/Me/NT: open the Control Panel, then double-click the
+Network icon. Click the Identification tab, and look for the
+&quot;Workgroup:&quot; label.</p>
+</li><li>
+<p>Windows 2000: open the Control Panel and double-click the System
+icon. Click the Network Identification tab. The workgroup name will
+appear below the computer name.</p>
+</li><li>
+<p>Windows XP: open the Control Panel in Classic View mode and
+double-click the System icon. Then click the Computer Name tab.</p>
+</li></ul>
+<p>We'll use the <tt class="literal">[test]</tt> share in the
+next chapter to set up the Windows clients. For now, you can complete
+the setup by performing the following commands as root on your Unix
+server:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/tmp</b></tt>
+# <tt class="userinput"><b>chmod 777 /usr/local/samba/tmp</b></tt></pre></blockquote>
+
+<p>You might also want to put a file or two in the
+<em class="filename">/usr/local/samba/tmp</em> directory so that after
+your Windows systems are initially configured, you will have
+something to use to check that everything works.</p>
+
+<p>We should point out that in terms of system security, this is the
+worst setup possible. For the moment, however, we only wish to test
+Samba, so we'll leave security out of the picture.
+In addition, we will encounter some encrypted password issues with
+Windows clients later on, so this setup will afford us the least
+amount of headaches.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-6.1"/>
+
+<h3 class="head2">Encrypted Passwords</h3>
+
+<p><a name="INDEX-94"/><a name="INDEX-95"/><a name="INDEX-96"/>If your Windows clients are using Windows
+98 or Windows NT 4 Service Pack 3 or above (including Windows 2000
+and Windows XP) and you are using a version of Samba earlier than
+3.0, you must add the following entry to the
+<tt class="literal">[global]</tt> section of the Samba configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    encrypt passwords = yes</pre></blockquote>
+
+<p>In addition, you must use the
+<em class="filename">smbpasswd</em><a name="INDEX-97"/> program (typically located in the
+directory <em class="filename">/usr/local/samba/bin/ </em>) to enter the
+username/password combinations of the Samba users into
+Samba's encrypted password database. For example, if
+you wanted to allow Unix user <tt class="literal">steve</tt> to access
+shares from a client system, you would use this command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a steve</b></tt>
+New SMB password:
+Retype new SMB password:
+Added user steve.</pre></blockquote>
+
+<p>When the first user is added, the program will output a message
+saying that the encrypted password database does not exist.
+Don't worry: it will then create the database for
+you. Make sure that the username/password combinations you add to the
+encrypted database match the usernames and passwords you intend to
+use on the Windows client side. You must run
+<em class="emphasis">smbpasswd</em> for each client user.</p>
+
+<p>In Samba 3.0, passwords are encrypted by default, so the
+<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> parameter in the
+configuration file is optional. However, you will still need to run
+the <em class="emphasis">smbpasswd</em> command to add users to the
+encrypted password file.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-6.2"/>
+
+<h3 class="head2">Using SWAT</h3>
+
+<p><a name="INDEX-98"/>Creating
+a configuration file with SWAT is even easier than writing a
+configuration file by hand. To invoke SWAT, use your web browser to
+connect to <em class="emphasis">http://localhost:901</em>, and log on as
+root with the root password, as shown in <a href="ch02.html#samba2-CHP-2-FIG-1">Figure 2-1</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-2-FIG-1"/><a name="INDEX-99"/><img src="figs/sam2_0201.gif"/></div><h4 class="head4">Figure 2-1. SWAT login</h4>
+
+<p>After logging in, click the GLOBALS button at the top of the screen.
+You should see the Global Variables page shown in <a href="ch02.html#samba2-CHP-2-FIG-2">Figure 2-2</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-2-FIG-2"/><img src="figs/sam2_0202.gif"/></div><h4 class="head4">Figure 2-2. SWAT Global Variables page</h4>
+
+<p>In this example, notice that SWAT retrieved the workgroup name from
+the <em class="emphasis">smb.conf</em> file that you created. (If it
+didn't, go back and perform that step correctly.)
+Make sure that the <tt class="literal">security</tt> field is set to
+<tt class="literal">USER</tt>.</p>
+
+<p>If you are running Samba 2.2 and your Windows clients are at least
+Windows 98 or Windows NT 4 SP 3 or later versions, find
+<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> in the
+Security Options section and select <tt class="literal">yes</tt>.</p>
+
+<p>The only other option you need to change from the menu is one
+determining which system on the LAN resolves NetBIOS addresses; this
+system is called the <em class="emphasis">WINS server</em>. At the very
+bottom of the page, set the <tt class="literal">wins</tt>
+<tt class="literal">support</tt> field to <tt class="literal">Yes</tt>, unless
+you already have a WINS server on your network. If you do, put the
+WINS server's IP address in the
+<tt class="literal">wins</tt> <tt class="literal">server</tt> field instead. Then
+return to the top of the screen, and press the Commit Changes button
+to write the changes out to the <em class="emphasis">smb.conf</em> file.</p>
+
+<p>Next, click the SHARES icon. You should see a page similar to <a href="ch02.html#samba2-CHP-2-FIG-3">Figure 2-3</a>. Select <tt class="literal">test</tt> (to the right
+of the Choose Share button), and click the Choose Share button. You
+will see the Share Parameters screen, as shown in <a href="ch02.html#samba2-CHP-2-FIG-3">Figure 2-3</a>, with the <tt class="literal">comment</tt> and
+<tt class="literal">path</tt> fields filled in from your
+<em class="emphasis">smb.conf</em> file.</p>
+
+<div class="figure"><a name="samba2-CHP-2-FIG-3"/><img src="figs/sam2_0203.gif"/></div><h4 class="head4">Figure 2-3. SWAT Share Parameters screen</h4>
+
+<p>If you specified that you want to use encrypted passwords on the
+GLOBALS page, click the PASSWORD button. Near the top of the screen,
+you will see the Server Password Management section. Enter your Unix
+username and password in the spaces, and click the Add New User
+button. This functions the same as the <em class="emphasis">smbpasswd</em>
+utility and creates an entry in the
+<em class="emphasis">/usr/local/samba/private/smbpasswd</em> file to allow
+you to authenticate from a Windows client.</p>
+
+<p>Now click the VIEW button at the top, and SWAT shows you the
+following <em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code"># Samba config file created using SWAT
+# from localhost (127.0.0.1)
+# Date: 2002/09/05 04:56:43
+
+# Global parameters
+        workgroup = METRAN
+        encrypt passwords = Yes
+        wins support = Yes
+
+[test]
+        comment = For testing only!
+        path = /usr/local/samba/tmp
+        read only = No</pre></blockquote>
+
+<p>Once this configuration file is completed, you can skip the next step
+because the output of SWAT is guaranteed to be syntactically correct.
+<a name="INDEX-100"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-6.3"/>
+
+<h3 class="head2">Disabling Oplocks</h3>
+
+<p>The <em class="filename">smb.conf</em><a name="INDEX-101"/><a name="INDEX-102"/>
+file you have just created is certainly good enough for the purpose
+of initial setup and testing, and you can use it as a starting point
+from which to develop the configuration of your production Samba
+server. But before you get too far with that, we want to bring one
+thing to your attention.</p>
+
+<p>If you are the type of administrator who is highly concerned about
+data integrity, you might want to make the following modification to
+your <em class="filename">smb.conf</em> file before continuing:</p>
+
+<blockquote><pre class="code">[global]
+    oplocks = no</pre></blockquote>
+
+<p>That is, use a text editor to add the line <tt class="literal">oplocks</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> to the
+<tt class="literal">[global]</tt> section of your
+<em class="filename">smb.conf</em> file. With this example, as with other
+examples we will present throughout this book, you do not need to
+enter the <tt class="literal">[global]</tt> line again in your
+configuration file. We include it only to indicate in which section
+the parameter belongs.</p>
+
+<p>The <tt class="literal">oplocks</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> parameter disables opportunistic locking by
+clients. This will result in significantly poorer performance, but
+will help ensure that flaky Windows clients and/or unreliable network
+hardware will not lead to corrupted files on the Samba server.</p>
+
+<p>We will cover opportunistic locking (oplocks) in more detail in the
+section &quot;Locks and Oplocks&quot; in
+<a href="ch08.html">Chapter 8</a>, and recommend that you understand the
+ideas presented there before implementing a production Samba server
+that serves database files or other valuable data.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-6.4"/>
+
+<h3 class="head2">Testing the Configuration File</h3>
+
+<p><a name="INDEX-103"/>If you
+didn't use SWAT to create your configuration file,
+you should probably test it to ensure that it is syntactically
+correct. It might seem silly to run a test program against an
+eight-line configuration file, but it's good
+practice for the real ones that we'll be writing
+later on.</p>
+
+<p>The test parser,
+<em class="filename">testparm</em><a name="INDEX-104"/>, examines an
+<em class="filename">smb.conf</em> file for syntax errors and reports any
+it finds along with a list of the services enabled on your machine.
+An example follows; you'll notice that in our haste
+to get the server running we mistyped <tt class="literal">workgroup</tt> as
+<tt class="literal">workgrp</tt> (the output is often lengthy, so we
+recommend capturing it with the <em class="emphasis">tee</em> command):</p>
+
+<blockquote><pre class="code">Load smb config files from smb.conf
+Unknown parameter encountered: &quot;workgrp&quot;
+Ignoring unknown parameter &quot;workgrp&quot;
+Processing section &quot;[test]&quot;
+Loaded services file OK.
+Press Enter to see a dump of your service definitions
+# Global parameters
+[global]
+    workgroup = WORKGROUP
+    netbios name = 
+    netbios aliases = 
+    server string = Samba 2.2.6
+    interfaces = 
+    bind interfaces only = No
+
+<i class="lineannotation">...(content omitted)...</i>
+
+[test]
+    comment = For testing only!
+    path = /usr/local/samba/tmp
+    read only = No</pre></blockquote>
+
+<p>The interesting parts are at the top and bottom. The top of the
+output will flag any syntax errors that you might have made, and the
+bottom lists the services that the server thinks it should offer. A
+word of advice: make sure you and the server have the same
+expectations. <a name="INDEX-105"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-7"/>
+
+<h2 class="head1">Firewall Configuration</h2>
+
+<p><a name="INDEX-106"/>As
+with any services that run on TCP/IP, the SMB networking services
+offered by Samba can be accessed from across the Internet unless your
+organization's firewall is properly configured. The
+following ports are used by Samba for SMB networking and SWAT:</p>
+
+<dl>
+<dt><b>Port 137</b></dt>
+<dd>
+<p>Used for NetBIOS network browsing</p>
+</dd>
+
+
+
+<dt><b>Port 138</b></dt>
+<dd>
+<p>Used for NetBIOS name service</p>
+</dd>
+
+
+
+<dt><b>Port 139</b></dt>
+<dd>
+<p>Used for file and printer sharing and other operations</p>
+</dd>
+
+
+
+<dt><b>Port 445</b></dt>
+<dd>
+<p>Used by Windows 2000/XP when NetBIOS over TCP/IP is disabled</p>
+</dd>
+
+
+
+<dt><b>Port 901</b></dt>
+<dd>
+<p>Used by SWAT</p>
+</dd>
+
+</dl>
+
+<p>At the minimum, your organization's Internet
+firewall should shut down all the ports in the list to traffic in
+both directions. Do not assume that preventing incoming connections
+is sufficient; there are cracks that trick Windows clients into
+sending data out of the local area network and into the Internet by
+SMB protocol, even from a local network that uses private IP
+addresses not forwarded by routers. If you want SMB traffic to travel
+across the Internet to remote sites, the best way is to use a virtual
+private network (VPN). See the O'Reilly book,
+<em class="citetitle">Virtual Private Networks</em>, for more information
+on this subject.</p>
+
+<p>In addition, you might wish to configure a firewall on the Samba host
+system to keep SMB packets from traveling further than necessary
+within your organization's network. For example,
+port 901 can be shut down for remote accesses so that SWAT can be run
+only on the Samba host system. If you are using Samba to serve only a
+fraction of the client systems within your organization, consider
+allowing SMB packets (i.e., packets on ports 137-139 and 445) to go
+to or come from only those clients.</p>
+
+<p>For more information on configuring firewalls, see the
+O'Reilly book <em class="citetitle">Building Internet
+Firewalls</em>.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-8"/>
+
+<h2 class="head1">Starting the Samba Daemons</h2>
+
+<p>Two Samba processes,
+<em class="emphasis">smbd</em><a name="INDEX-107"/> and
+<em class="emphasis">nmbd</em><a name="INDEX-108"/>, need to be running for Samba to work
+correctly. There are three ways to start them:</p>
+
+<ul><li>
+<p>Manually</p>
+</li><li>
+<p>Automatically, during system boot</p>
+</li><li>
+<p>From <em class="emphasis">inetd or xinetd</em></p>
+</li></ul>
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-8.1"/>
+
+<h3 class="head2">Starting the Daemons Manually</h3>
+
+<p><a name="INDEX-109"/><a name="INDEX-110"/>If you're in a
+hurry, you can start the Samba daemons by hand. As root, simply enter
+the following commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/usr/local/samba/bin/smbd -D</b></tt>
+# <tt class="userinput"><b>/usr/local/samba/bin/nmbd -D</b></tt></pre></blockquote>
+
+<p>Samba will now be running on your system and is ready to accept
+connections. However, keep in mind that if either of the daemons exit
+for any reason (including system reboots), they will need to be
+restarted manually.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-8.2"/>
+
+<h3 class="head2">Automatic Startup</h3>
+
+<p><a name="INDEX-111"/><a name="INDEX-112"/>To have the Samba daemons
+started automatically when the system boots, you need to add the
+commands listed in the previous section to your standard Unix startup
+scripts. The exact method varies depending on the flavor of Unix
+you're using.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.1"/>
+
+<h3 class="head3">BSD Unix</h3>
+
+<p><a name="INDEX-113"/><a name="INDEX-114"/><a name="INDEX-115"/>With a BSD-style Unix, you need to append
+the following code to the <em class="filename">rc.local </em>file, which
+is typically found in the <em class="filename">/etc</em> or
+<em class="filename">/etc/rc.d</em> directories:</p>
+
+<blockquote><pre class="code">if [ -x /usr/local/samba/bin/smbd]; then
+    echo &quot;Starting smbd...&quot;
+    /usr/local/samba/bin/smbd -D
+    echo &quot;Starting nmbd...&quot;
+    /usr/local/samba/bin/nmbd -D
+fi</pre></blockquote>
+
+<p>This code is very simple: it checks to see if the
+<em class="filename">smbd</em> file exists and has execute permissions,
+and if it does, it starts up both of the Samba daemons on system
+boot.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.2"/>
+
+<h3 class="head3">System V Unix</h3>
+
+<p><a name="INDEX-116"/><a name="INDEX-117"/><a name="INDEX-118"/>With System V, things can get a little
+more complex. Depending on your Unix version, you might be able to
+get away with making a simple change to an
+<em class="filename">rc.local</em> file as with BSD Unix, but System V
+typically uses directories containing links to scripts that control
+daemons on the system. Hence, you need to instruct the system how to
+start and stop the Samba daemons. The first step to implement this is
+to modify the contents of the <em class="filename">/etc/rc.d/init.d</em>
+directory by adding something similar to the following shell script,
+which for this example we will name <em class="filename">smb </em>:</p>
+
+<blockquote><pre class="code">#!/bin/sh
+
+# Check that the Samba configuration file exists
+[ -f /usr/local/samba/lib/smb.conf ] || exit 0
+
+start(  )
+{
+        echo -n &quot;Starting SMB services: &quot;
+        /usr/local/samba/bin/smbd -D
+        ERROR=$?
+        echo
+
+        echo -n &quot;Starting NMB services: &quot;
+        /usr/local/samba/bin/nmbd -D
+        ERROR2=$?
+        if [ $ERROR2 -ne 0 ]
+        then
+                ERROR=1
+        fi
+        echo
+
+        return $ERROR
+}
+
+stop(  )
+{
+        echo -n &quot;Shutting down SMB services: &quot;
+        /bin/kill -TERM -a smbd
+        ERROR=$?
+        echo
+
+        echo -n &quot;Shutting down NMB services: &quot;
+        /bin/kill -TERM -a nmbd
+        ERROR2=$?
+        if [ $ERROR2 -ne 0 ]
+        then
+                ERROR=1
+        fi
+        echo
+
+        return $ERROR
+}
+
+case &quot;$1&quot; in
+  start)
+        start
+        ;;
+  stop)
+        stop
+        ;;
+  *)
+        echo &quot;Usage: $0 {start|stop}&quot;
+        exit 1
+esac
+
+exit $?</pre></blockquote>
+
+<p>With this script, you can start and stop <em class="emphasis">smbd</em>
+and <em class="emphasis">nmbd</em> like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/smb start</b></tt>
+Starting SMB services:
+Starting NMB services:
+# <tt class="userinput"><b>ps ax | grep mbd</b></tt>
+ 1268 ?        S      0:00 /usr/local/samba/bin/smbd -D
+ 1270 ?        S      0:00 /usr/local/samba/bin/nmbd -D
+ 1465 pts/2    S      0:00 grep mbd
+# <tt class="userinput"><b>/etc/rc.d/init.d/smb stop</b></tt>
+Shutting down SMB services:
+Shutting down NMB services:</pre></blockquote>
+
+<p>If you are having trouble writing a startup script for your system,
+check to see if there is a packaged release of Samba (available from
+your Unix vendor or the Samba FTP site). If so, you might be able to
+extract a startup script from it to use as a starting point.
+Typically, this script doesn't change much (if at
+all) from release to release, so using a script from an older Samba
+version should not be a problem. Another possibility is to check the
+<em class="filename">packaging</em> directory in the Samba source
+distribution. In that directory, there are subdirectories for many
+Unix versions in which you can find a startup script for those
+versions. Even if your version isn't included, you
+can probably find a startup script for a similar version to use as a
+starting point.</p>
+
+<p>Finally, we need to add symbolic links to the
+<em class="filename">smb</em> script in the
+<em class="emphasis">/etc/rc.d/rcX.d</em> directories:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc3.d/S35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc5.d/S35smb</b></tt>
+
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc0.d/K35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc1.d/K35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc2.d/K35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc4.d/K35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc6.d/K35smb</b></tt></pre></blockquote>
+
+<p>The first two commands, with link names starting with an
+&quot;S&quot;, cause Samba to be started when
+entering runlevels 3 or 5, which are the runlevels in which network
+file sharing (NFS) is normally enabled. The second group of commands,
+with link names starting with a
+&quot;K&quot;, cause Samba to be shut down
+when entering any of the other runlevels (0, 1, 2, 4, or 6).</p>
+
+<p>The links starting with &quot;S&quot; are
+used to start the daemons, and the links starting with
+&quot;K&quot; are used for killing them. When
+the runlevel is changed, the links starting with
+&quot;K&quot; in the corresponding directory
+(e.g., the <em class="filename">rc3.d</em> directory for runlevel 3) are
+executed, followed by the links starting with
+&quot;S&quot;. If we wanted, we could have
+Samba restarted when switching between runlevels 3 and 5 by adding a
+<em class="filename">K35smb</em> link to each <em class="filename">rc3.d</em>
+and <em class="filename">rc5.d </em>directory.</p>
+
+<p>The number after the K or S in the link names is used to set the
+order in which all the daemons with links in the directory are
+started or killed off. Get a long listing of the
+<em class="emphasis">rc3.d</em> or <em class="emphasis">rc5.d</em> directories
+to see how this is set up on your system. We use 35 to match the
+behavior of Red Hat's Samba RPM package. The
+important thing is to make sure when starting Samba that all services
+it requires are started before it. When shutting down, it is a good
+idea to shut down Samba before services it requires to avoid excess
+error messages in the log files, but the order is not as crucial.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.3"/>
+
+<h3 class="head3">Darwin and Mac OS X</h3>
+
+<p><a name="INDEX-119"/><a name="INDEX-120"/><a name="INDEX-121"/><a name="INDEX-122"/>An installation of Samba is bundled with the
+Darwin distribution, which is included in Mac OS X.<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a> </p>
+
+<p>The Samba daemons are started during system
+boot by the script
+<em class="filename">/System/Library/StartupItems/Samba/Samba</em>. To
+trigger the execution of this script, edit the file
+<em class="filename">/etc/hostconfig</em> and change the SMBSERVER
+parameter to look like this:</p>
+
+<blockquote><pre class="code">SMBSERVER=-YES-</pre></blockquote>
+
+<p>On Mac OS X, the graphical user interface (GUI) provides an
+alternative to using the command line. Launch the System Preferences
+application, and select Sharing (see <a href="ch02.html#samba2-CHP-2-FIG-4">Figure 2-4</a>).
+Under the Services tab, turn on Windows File Sharing. This will make
+the aforementioned change to <em class="filename">/etc/hostconfig</em> and
+immediately execute the startup item.</p>
+
+<div class="figure"><a name="samba2-CHP-2-FIG-4"/><img src="figs/sam2_0204.gif"/></div><h4 class="head4">Figure 2-4. Mac OS X sharing preferences</h4>
+
+<p>If you decide to install Samba yourself on Mac OS X,
+it's best not to stomp on the installation provided
+with the OS. Use the procedures detailed earlier in this chapter to
+install the software into <em class="filename">/usr/local/samba</em> or
+some other area unaffected by OS upgrades. (Remember to set up users
+with <em class="emphasis">smbpasswd</em> if you're using
+encrypted passwords, as described earlier in this chapter. This step
+is handled automatically with entries in
+<em class="filename">/var/db/samba/hash</em> if you're
+using the built-in server on Mac OS X.) Once you've
+got that working, you can edit the Samba startup item script to refer
+to your installation, like this:</p>
+
+<blockquote><pre class="code">    #!/bin/sh
+    # Start Samba
+
+    . /etc/rc.common
+
+    if [ &quot;${SMBSERVER:=-NO-}&quot; = &quot;-YES-&quot; ]; then
+        ConsoleMessage &quot;Starting SMB server&quot;
+
+        if [ -f /usr/local/samba/lib/smb.conf ]; then
+            /usr/local/samba/bin/smbd -D
+            /usr/local/samba/bin/nmbd -D
+        fi
+    fi</pre></blockquote>
+
+<p>However, beware of OS updates, which can wipe out your changes. One
+solution is to make the script immutable, like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chflags uchg /System/Library/StartupItems/Samba/Samba</b></tt></pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.4"/>
+
+<h3 class="head3">Testing automatic startup</h3>
+
+<p><a name="INDEX-123"/><a name="INDEX-124"/>If you can afford a few minutes of
+downtime, reboot your system and again use the
+<em class="emphasis">ps</em> command to check that the
+<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> daemons are
+running. And if you are managing a 24/7 server, we highly recommend
+that you find some downtime in which to reboot and perform this
+check. Otherwise, your next unscheduled downtime might surprise you
+with a mysterious absence of SMB networking services when the system
+comes up again! <a name="INDEX-125"/><a name="INDEX-126"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-8.3"/>
+
+<h3 class="head2">Starting from inetd</h3>
+
+<p><a name="INDEX-127"/><a name="INDEX-128"/><a name="INDEX-129"/>The <em class="emphasis">inetd</em>
+<em class="emphasis"><a name="FNPTR-6"/><a href="#FOOTNOTE-6">[6]</a></em> daemon is a Unix
+system's Internet &quot;super
+daemon.&quot; It listens on ports defined in
+<em class="filename">/etc/services</em> and executes the appropriate
+program for each port, which is defined in
+<em class="filename">/etc/inetd.conf</em>. The advantage of this scheme is
+that you can have a large number of daemons ready to answer queries,
+but they don't all have to be running all the time.
+Instead, <em class="emphasis">inetd</em> listens for connection requests
+and starts the appropriate daemon when it is needed. The penalty is a
+small overhead cost of creating a new daemon process, as well as the
+fact that you need to edit two files rather than one to set things
+up. The <em class="emphasis">inetd</em> daemon is handy if you have only
+one or two Samba users or your machine is running too many daemons
+already. It's also easier to perform an upgrade
+without disturbing an existing connection.</p>
+
+<p>If you wish to start from <em class="filename">inetd</em>, first open
+<em class="filename">/etc/services</em> in your text editor. If you
+don't already have them defined, add the following
+two lines:</p>
+
+<blockquote><pre class="code">netbios-ssn     139/tcp
+netbios-ns      137/udp</pre></blockquote>
+
+<p>Next, edit <em class="filename">/etc/inetd.conf</em>. Look for the
+following two lines and add them if they don't
+exist. If you already have <tt class="literal">smbd</tt> and
+<tt class="literal">nmbd</tt> lines in the file, edit them to point at the
+new <em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>
+you've installed. Your brand of Unix might use a
+slightly different syntax in this file; use the existing entries and
+the <em class="filename">inetd.conf </em> manual
+page as a guide:</p>
+
+<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
+netbios-ns  dgram  udp wait   root /usr/local/samba/bin/nmbd nmbd</pre></blockquote>
+
+<p>Finally, kill any <em class="emphasis">smbd</em> or
+<em class="emphasis">nmbd</em> processes and send the
+<em class="emphasis">inetd</em> process a hangup (HUP) signal to tell it
+to reread its configuration file:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/bin/kill -TERM -a smbd</b></tt>
+# <tt class="userinput"><b>/bin/kill -TERM -a nmbd</b></tt>
+# <tt class="userinput"><b>/bin/kill -HUP -a inetd</b></tt></pre></blockquote>
+
+<p>After that, Samba should be up and running.</p>
+
+<p>As we've pointed out before, Red Hat and perhaps
+other Unix vendors supply <em class="emphasis">xinetd</em> rather than
+<em class="emphasis">inetd</em>. If you need to use
+<em class="emphasis">xinetd</em>, you will need to supply a configuration
+file in the <em class="emphasis">/etc/xinetd.d</em> directory.
+<a name="INDEX-130"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-9"/>
+
+<h2 class="head1">Testing the Samba Daemons</h2>
+
+<p><a name="INDEX-131"/><a name="INDEX-132"/>We're
+nearly done with the Samba server setup. All that's
+left to do is to make sure everything is working as we think it
+should. A convenient way to do this is to use the
+<em class="filename">smbclient</em><a name="INDEX-133"/> program to examine what the server is
+offering to the network. If everything is set up properly, you should
+be able to do the following:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/usr/local/samba/bin/smbclient -U% -L localhost</b></tt>
+added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
+Domain=[METRAN] OS=[Unix] Server=[Samba 2.2.6]
+
+        Sharename      Type      Comment
+        ---------      ----      -------
+        test           Disk      For testing only, please
+        IPC$           IPC       IPC Service (Samba 2.2.6)
+        ADMIN$         Disk      IPC Service (Samba 2.2.6)
+        
+        Server               Comment
+        ---------            -------
+        TOLTEC               Samba 2.2.6 on toltec
+
+        Workgroup            Master
+        ---------            -------
+        METRAN               TOLTEC</pre></blockquote>
+
+<p>If there is a problem, don't panic! Try to start the
+daemons manually, and check the system output or the debug files at
+<em class="filename">/usr/local/samba/var/log.smb</em><a name="INDEX-134"/><a name="INDEX-135"/><a name="INDEX-136"/> to see if you can determine what happened.
+If you think it might be a more serious problem, skip to <a href="ch12.html">Chapter 12</a> for help on troubleshooting the Samba daemons.</p>
+
+<p>If it worked, congratulations! You now have successfully set up the
+Samba server with a disk share. It's a simple one,
+but we can use it to set up and test the Windows 95/98/Me and
+NT/2000/XP clients in the next chapter. Then we will start making it
+more interesting by adding services such as home directories,
+printers, and security, and by seeing how to integrate the server
+into a larger Windows domain. <a name="INDEX-137"/></p>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/>
+<p><a href="#FNPTR-1">[1]</a> <em class="emphasis">gcc</em> binaries are available for almost
+every modern machine. See <a href="http://www.gnu.org/">http://www.gnu.org/</a> for a list of sites with
+<em class="emphasis">gcc</em> and other GNU software.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Do
+not confuse this with the Solaris <em class="emphasis">killall</em>
+command, which performs part of the system shutdown sequence!</p>
+<a name="FOOTNOTE-3"/>
+<p><a href="#FNPTR-3">[3]</a> Depending on the version of <em class="emphasis">xinetd</em> you
+have and how it was compiled, you might need to send a USR1 or some
+other signal rather than the HUP signal. Check the manual page for
+<em class="emphasis">xinetd (8)</em> on your system for details.</p>
+<a name="FOOTNOTE-4"/>
+<p><a href="#FNPTR-4">[4]</a> If you did not compile Samba, but instead downloaded a binary,
+check with the documentation for the package to find out where it
+expects the <em class="filename">smb.conf</em> file to be. Or, try running
+the <em class="emphasis">testparm</em> program and look for the location
+of <em class="filename">smb.conf</em> in the first line of output. If
+Samba came preinstalled with your Unix system, an
+<em class="filename">smb.conf</em> file is probably already somewhere on
+your system.</p> <a name="FOOTNOTE-5"/>
+<p><a href="#FNPTR-5">[5]</a> In this book, we cover Darwin Version 6.0 and OS X Version
+10.2.</p> <a name="FOOTNOTE-6"/> <p><a href="#FNPTR-6">[6]</a> With early releases of Samba 2.2, there were reports
+of intermittent errors when starting from <em class="emphasis">inetd</em>.
+We provide this information so that it will be available for later
+releases when the problem will hopefully have been identified and
+corrected.</p> </blockquote>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/ch03.html b/docs/htmldocs/using_samba/ch03.html
new file mode 100644
index 0000000000..16e86f4f6d
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch03.html
@@ -0,0 +1,2086 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 3. Configuring Windows Clients</h1>
+
+
+<p><a name="INDEX-1"/><a name="INDEX-2"/>Configuring Windows to use
+your new Samba server is really quite simple. SMB is
+Microsoft's native language for resource sharing on
+a local area network, so much of the installation and setup on the
+Windows client side have been taken care of already.</p>
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-1"/>
+
+<h2 class="head1">Windows Networking Concepts</h2>
+
+<p><a name="INDEX-3"/><a name="INDEX-4"/>Windows is different from Unix in
+many ways, including how it supports networking. Before we get into
+the hands-on task of clicking our way through the dialog boxes to
+configure each version of Windows, we need to provide you with a
+common foundation of networking technologies and concepts that apply
+to the entire family of Windows operating systems.</p>
+
+<p>For each Windows version, these are the main issues we will be
+dealing with:</p>
+
+<ul><li>
+<p>Making sure required networking components are installed and bound to
+the network adapter</p>
+</li><li>
+<p>Configuring networking with a valid IP address, netmask and gateway,
+and WINS and DNS name servers</p>
+</li><li>
+<p>Assigning workgroup and computer names</p>
+</li><li>
+<p>Setting the username(s) and password(s)</p>
+</li></ul>
+<p>In addition, some minor issues involving communication and
+coordination between Windows and Unix are different among Windows
+versions.</p>
+
+<p>One can go crazy thinking about the ways in which Unix is different
+from Windows, or the ways in which members of the Windows family are
+different from each other in underlying technology, behavior, or
+appearance. For now let's just focus on their
+similarities and see if we can find some common ground.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-1.1"/>
+
+<h3 class="head2">Components</h3>
+
+<p><a name="INDEX-5"/><a name="INDEX-6"/>Unix
+systems historically have been monolithic in nature, requiring
+recompilation or relinking to create a kernel with a customized
+feature set. However, modern versions have the ability to load or
+unload device drivers or various other operating-system features as
+modules while the system is running, without even needing to reboot.</p>
+
+<p>Windows allows for configuration by installing or uninstalling
+<em class="firstterm">components</em>. As far as networking goes,
+components can be one of three things:<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a></p>
+
+<ul><li>
+<p>Protocols</p>
+</li><li>
+<p>Clients</p>
+</li><li>
+<p>Services</p>
+</li></ul>
+<p>Since Samba works using the TCP/IP protocol, of course
+we'll want to have that installed. In some cases, we
+also will want to find protocols to <em class="emphasis">uninstall</em>.
+For example, if Netware protocol (IPX/SPX) is not required on the
+network, it might as well be removed.</p>
+
+<p><a name="INDEX-7"/><a name="INDEX-8"/>NetBEUI protocol should be removed if
+possible. Having NetBEUI running at the same time as NetBIOS over
+TCP/IP causes the system to look for services under two different
+protocols, only one of which is likely to be in use. When Windows is
+configured with one or more unused protocols, 30-second delays will
+result when Windows tries to communicate with the unused protocol.
+Eventually, it times out and tries another one, until it finds one
+that works. This fruitless searching results in terrible performance.</p>
+
+<p>The other two items in the list, client and service components, are
+pretty much what you'd expect. Client components
+perform tasks related to connecting with network servers, and service
+components are for making the local system into a server of resources
+on the network. In <a href="ch01.html">Chapter 1</a> we told you that SMB
+systems can act as both clients and servers, offering resources on
+the network at the same time they request resources. In accordance
+with that, it is possible to install a component for SMB client
+services and, separately, a service component that allows file and
+printer shares on the local system to be accessible from other
+systems on the network.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.1.1"/>
+
+<h3 class="head3">Bindings</h3>
+
+<p><a name="INDEX-9"/><a name="INDEX-10"/><a name="INDEX-11"/>Once
+a networking component is installed, it must be
+<em class="firstterm">bound</em> to a hardware interface, or
+<em class="firstterm">adapter</em>, to be used on the network. At first
+this might seem like an odd complication; however, it is a conceptual
+model that allows the associations between hardware and software to
+be clearly displayed and easily modified through a graphical
+interface.</p>
+
+<p>We will want to make sure that your Windows client has both TCP/IP
+and the client component for SMB networking installed and also that
+it is bound to the network adapter that connects to our Samba
+network, which in most cases will be an Ethernet adapter.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-1.2"/>
+
+<h3 class="head2">IP Address</h3>
+
+<p>Just like any Unix system (or any other system that is using TCP/IP),
+your Windows systems will need an <a name="INDEX-12"/>IP address. If you are using
+<a name="INDEX-13"/>DHCP
+on your network, you can configure Windows to obtain its IP address
+automatically by using a DHCP server. Otherwise, you will need to
+assign a static IP address manually along with a netmask.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a></p>
+
+<p>If you are on a private network where you have the authority to
+assign your own IP addresses, you can select from addresses in one of
+three ranges:<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a></p>
+
+<ul><li>
+<p>10.0.0.1 through 10.255.255.254</p>
+</li><li>
+<p>172.16.0.1 through 172.31.255.254</p>
+</li><li>
+<p>192.168.0.1 through 192.168.255.254</p>
+</li></ul>
+<p>These address ranges are reserved for private networks not directly
+connected to the Internet. For more information on using these
+private network addresses, see RFC 1918.</p>
+
+<p>If you're not maintaining your own separate network,
+see your system administrator for some available addresses on your
+network, as well as for the proper netmask to use.</p>
+
+<p>You should also be prepared to enter the IP address of the default
+gateway for the network. In some networks, the default gateway is the
+system or router that connects the LAN to the Internet. In other
+cases, the default gateway connects a subnet into a larger
+departmental or enterprise network.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-1.3"/>
+
+<h3 class="head2">Name Resolution</h3>
+
+<p><a name="INDEX-14"/><a name="INDEX-15"/>Name resolution is the function of
+translating human-friendly hostnames, such as
+<em class="emphasis">hopi</em>, or fully qualified domain names (FQDNs),
+such as <tt class="literal">mixtec.metran.cx</tt>, into IP addresses, such
+as 172.16.1.11 or 172.16.1.7.</p>
+
+<p>Unix systems can perform name resolution using an
+<em class="filename">/etc/hosts</em><a name="INDEX-16"/><a name="INDEX-17"/> file at the minimum, and more commonly can
+also incorporate services such as
+<a name="INDEX-18"/>DNS (Domain Name System)
+and <a name="INDEX-19"/>NIS (Network Information Service).
+Thus, name resolution is not necessarily performed by one isolated
+part of the operating system or one daemon, but is a system that can
+have a number of dispersed parts (although the
+<a name="INDEX-20"/>name
+service switch, with its
+<em class="filename">/etc/nsswitch.conf</em><a name="INDEX-21"/><a name="INDEX-22"/> configuration file, helps to tie them
+together).</p>
+
+<p>Although the specific implementation is different, name resolution in
+Windows is also performed by querying a number of resources, some of
+which are similar (or even identical) to their Unix counterparts.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.1"/>
+
+<h3 class="head3">Broadcast name resolution</h3>
+
+<p>On the other hand, there is one way in which Windows is not at all
+similar to Unix. If a Windows workstation is set up with no WINS name
+server, it will use the broadcast method of
+<a name="INDEX-23"/><a name="INDEX-24"/>name resolution, as described in <a href="ch01.html">Chapter 1</a>,<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> probably resulting in a
+very busy network. And even if you provide name servers for your
+Windows system to use, it might still resort to broadcast name
+resolution if it is unsuccessful at querying the name servers. For
+this reason, we recommend that you provide multiple reliable name
+servers for your Windows computers on the network.</p>
+
+<p>If that weren't enough to get you interested in
+setting up WINS and DNS servers, broadcast name resolution is usually
+limited to working on the local subnet because routers are usually
+configured not to forward broadcast packets to other networks.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.2"/>
+
+<h3 class="head3">WINS</h3>
+
+<p>We've already told you about WINS in <a href="ch01.html">Chapter 1</a>, and we don't have much more
+to say about it here. WINS can translate simple NetBIOS computer
+names such as <em class="emphasis">huastec</em> or
+<em class="emphasis">navajo</em> into IP addresses, as required on an SMB
+network. Of course, the interesting thing here is that Samba can act
+as a WINS server if you include the line:</p>
+
+<blockquote><pre class="code">wins support = yes</pre></blockquote>
+
+<p>in your Samba server's
+<em class="filename">smb.conf</em><a name="INDEX-25"/><a name="INDEX-26"/> file.
+This can be a good thing, to be sure, and we highly recommend it. Not
+only will you have a reliable WINS server to reduce the number of
+broadcast packets, but you won't need to run Windows
+NT/2000/XP to get it.</p>
+<a name="samba2-CHP-3-NOTE-91"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>One caveat about using Samba as a <a name="INDEX-27"/><a name="INDEX-28"/>WINS server is that Samba (up to Version
+2.2, at least) cannot synchronize with other WINS servers. So if you
+specify a Samba server as your Windows system's WINS
+server, you must be careful not to specify any additional (i.e.,
+secondary) WINS servers. If you do, you are likely to run into
+problems because the servers will not be able to synchronize their
+databases with each other. In Samba's defense, if
+you are using a Samba WINS server (running on a typically reliable
+Unix host), you will probably have little need for a secondary WINS
+server anyway.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.3"/>
+
+<h3 class="head3">LMHOSTS</h3>
+
+<p>All Windows versions support a backup method of name resolution, in
+the form of a file called
+<em class="filename">LMHOSTS</em><a name="INDEX-29"/> <em class="emphasis"><a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a></em>
+that contains a lookup table of computer names and IP addresses. This
+exists for &quot;historical purposes,&quot;
+and is a rather awkward method of name resolution because it requires
+the administrator (i.e., you!) to keep copies of
+<em class="filename">LMHOSTS</em> up to date on every single Windows
+system on the network. To be fully effective,
+<em class="filename">LMHOSTS</em> would have to be updated every time a
+new system were added to (or removed from) the network. Of course,
+there might be ways to automate that process, but a better option
+would be simply to run a WINS name server that is intentionally
+designed to solve that specific problem.</p>
+
+<p>There are perhaps a couple of reasons why you might want to bother
+with <em class="filename">LMHOSTS</em> files. In rare situations, there
+might be no WINS server on the network. Or maybe a WINS server
+exists, but it's unreliable. In both cases, if the
+Windows system has a valid <em class="filename">LMHOSTS</em> file, it can
+help to avoid your network bogging down from those dreaded broadcast
+name queries.</p>
+
+<p>The format of the <em class="filename">LMHOSTS</em> file is simple and
+similar to the <em class="filename">/etc/hosts</em> file with which you
+might be familiar from running Unix systems. Here are the contents of
+a sample <em class="filename">LMHOSTS</em> file:</p>
+
+<blockquote><pre class="code">172.16.1.1      toltec
+172.16.1.2      aztec
+172.16.1.3      mixtec
+172.16.1.4      zapotec
+172.16.1.5      huastec
+172.16.1.6      maya
+172.16.1.7      olmec
+172.16.1.8      chichimec
+172.16.1.11     hopi
+172.16.1.12     zuni
+172.16.1.13     dine
+172.16.1.14     pima
+172.16.1.15     apache
+172.16.1.21     inca
+172.16.1.22     qero</pre></blockquote>
+
+<p>As you can see, the format is like that of
+<em class="filename">/etc/hosts</em>, except that instead of an FQDN
+(e.g., <tt class="literal">toltec.metran.cx</tt>), only a NetBIOS computer
+name (<tt class="literal">toltec</tt>) is given. One way to create an
+<em class="filename">LMHOSTS</em> file for your Windows systems is to copy
+a <em class="filename">/etc/hosts</em> file and edit out the parts you
+don't need. This will work great if your network
+doesn't have a DNS (or NIS) name server and the Unix
+system is dependent on <em class="filename">/etc/hosts</em> for its own
+name service. But if your Unix system is querying a DNS server (which
+is the most frequent case on anything larger than the very smallest
+networks), you would be better advised to look in the DNS
+server's configuration files for your source of
+computer names and IP addresses.</p>
+
+<p>If you do not have administrative access to your
+network's DNS server, you might be able to use tools
+such as <em class="emphasis">nslookup</em><a name="INDEX-30"/>,
+<em class="emphasis">nmap</em><a name="INDEX-31"/>, and
+<em class="emphasis">dig</em><a name="INDEX-32"/> to query the server and obtain the
+information you need.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.4"/>
+
+<h3 class="head3">DNS</h3>
+
+<p>The <a name="INDEX-33"/><a name="INDEX-34"/>DNS
+is responsible for translating human-readable, Internet-style
+hostnames such as <tt class="literal">pima.metran.cx</tt> or
+<tt class="literal">sales.oreilly.com</tt> into IP addresses.</p>
+
+<p>On your first reading of this section, you might be wondering what a
+section on DNS is doing in a book about NetBIOS and SMB networking.
+Remember, we told you that Windows can use more than WINS (NetBIOS
+Name Service) in its strategy for performing name resolution. Because
+DNS is also able to supply IP addresses for simple hostnames (which
+are usually the same as NetBIOS computer names), it can be helpful to
+configure Windows to know about a DNS server on your network. This is
+slightly more important for newer Windows versions than older ones,
+and more so for Windows NT/2000/XP than for Windows 95/98/Me, because
+nowadays Microsoft is focusing more on TCP/IP as the standard
+protocol and DNS as the primary name service.</p>
+
+<p>To find the address of your DNS server, look at the file
+<em class="emphasis">/etc/resolv.conf</em><a name="INDEX-35"/><a name="INDEX-36"/> on your Samba server or any other Unix
+system on the local network that is using DNS. It looks like the
+following:</p>
+
+<blockquote><pre class="code">#resolv.conf 
+domain metran.cx
+nameserver 127.0.0.1 
+nameserver 172.16.1.53</pre></blockquote>
+
+<p>In this example, the first name server in the list is 127.0.0.1,
+which indicates that the Samba server is also a DNS server for this
+LAN.<a name="FNPTR-6"/><a href="#FOOTNOTE-6">[6]</a> In that case, you would use its network IP
+address (not <a name="INDEX-37"/><a name="INDEX-38"/>127.0.0.1, its localhost address)
+for your DNS server when configuring Windows. Otherwise, use the
+other addresses you find in the lines beginning with
+<tt class="literal">nameserver</tt>. Try to select ones on your own
+network. Any name servers listed in
+<em class="emphasis">/etc/resolv.conf</em> should work, but
+you'll get better performance by using a server
+nearby.</p>
+
+<p>All versions of Windows can be configured to know of multiple domain
+name servers, and you might wish to take advantage of this for
+increased reliability. If the first domain name server does not
+respond, Windows can try others in its list.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.5"/>
+
+<h3 class="head3"><em class="filename">HOSTS</em></h3>
+
+<p>Similar to how the <em class="filename">LMHOSTS</em> file can be added to
+supplement WINS, the
+<em class="filename">HOSTS</em><a name="INDEX-39"/> file on a Windows system can be optionally
+added to supplement DNS name resolution. Most of our comments
+regarding <em class="filename">LMHOSTS</em> also apply here.</p>
+
+<p>This time the format of the file is not just similar to that of
+<em class="filename">/etc/hosts</em> found on Unix&mdash;the format is
+<em class="emphasis">exactly</em> the same. You can simply copy
+<em class="filename">/etc/hosts</em> from your Samba server or other Unix
+system to the proper directory on your Windows system.</p>
+
+<p>On Windows 95/98/Me, the <em class="filename">HOSTS</em> file goes in the
+Windows installation directory, which is usually
+<em class="filename">C:\Windows</em>. Note that a file called
+<em class="filename">hosts.sam</em><a name="INDEX-40"/> is already there, which is a sample
+<em class="filename">HOSTS</em> file provided by Microsoft.</p>
+
+<p>On Windows NT/2000/XP, the <em class="filename">HOSTS</em> file goes in
+the <em class="filename">\system32\drivers\etc</em> directory under the
+Windows installation directory, which is usually
+<em class="filename">C:\WINNT</em>.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-1.4"/>
+
+<h3 class="head2">Passwords</h3>
+
+<p><a name="INDEX-41"/><a name="INDEX-42"/><a name="INDEX-43"/>Unix systems use
+username and password pairs to authenticate users either on a local
+system or in an NIS domain. Windows NT/2000/XP are very similar; a
+user supplies his username and password to log on to the local system
+or to a Windows domain.</p>
+
+<p>When the SMB network is set up as a workgroup, things are different.
+There is no domain to log on to, although shares on the network can
+be password-protected. In this case, one password is associated with
+each password-protected share, rather than with individual users.</p>
+
+<p>Samba's default user-level
+<a name="INDEX-44"/>authentication in a workgroup is
+different from that of Windows. To access shares on the Samba host,
+users are required to supply a valid username and password for an
+account on the Samba host. This will be discussed in more detail in
+<a href="ch09.html">Chapter 9</a>.</p>
+
+<p><a name="INDEX-45"/>An unfortunate
+complication arises with passwords. In the first release of Windows
+95 and in Windows NT 4.0 with Service Pack 2 (SP2) or less, as well
+as in all previous versions of Windows, passwords are allowed to be
+sent over the network in plain text. But in Windows 95 with the
+network redirector update,<a name="FNPTR-7"/><a href="#FOOTNOTE-7">[7]</a></p>
+
+<p>Windows NT 4.0 SP3 or later, and all subsequent releases of Windows,
+a registry setting must be <a name="INDEX-46"/><a name="INDEX-47"/><a name="INDEX-48"/>modified to enable plain-text
+passwords. These more modern versions of Windows prefer to send
+encrypted passwords, and if you are working with one of them (and
+don't want to have to modify the registry), you must
+have the line:</p>
+
+<blockquote><pre class="code">encrypt passwords = yes</pre></blockquote>
+
+<p>in the <tt class="literal">[global]</tt> section of your
+<em class="filename">smb.conf</em><a name="INDEX-49"/><a name="INDEX-50"/> file. In addition, you must run the
+command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a <em class="replaceable">username</em></b></tt></pre></blockquote>
+
+<p>for each user on the Samba host to add their passwords to
+Samba's collection of encrypted passwords. We showed
+you how to do this in <a href="ch02.html">Chapter 2</a>.</p>
+
+<p>If your first attempt to access a Samba share results in a dialog box
+asking for a password for
+<tt class="literal">IPC$</tt><a name="INDEX-51"/><a name="INDEX-52"/>, as shown in <a href="ch03.html#samba2-CHP-3-FIG-1">Figure 3-1</a>, it is probably because you neglected either
+or both of these two steps, and the Samba server did not recognize
+the encrypted password that the Windows system sent to it. Another
+possible dialog box that might come up is the one shown in <a href="ch03.html#samba2-CHP-3-FIG-2">Figure 3-2</a>, which was presented by a Windows 2000 client.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-1"/><img src="figs/sam2_0301.gif"/></div><h4 class="head4">Figure 3-1. Windows 98 asking for IPC$ password</h4>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-2"/><img src="figs/sam2_0302.gif"/></div><h4 class="head4">Figure 3-2. Windows 2000 logon error dialog</h4>
+
+<p>The rest of this chapter is divided into four sections. The first
+section covers setting up Windows 95/98/Me computers, and the rest of
+the sections cover Windows NT 4.0, Windows 2000, and Windows XP
+individually. Each section roughly parallels the order in which
+we've introduced networking concepts in this
+section. You need to read only the section that applies to the
+Windows version with which you are working, and once you have
+finished reading it, you can continue at the beginning of the next
+chapter where we will start covering more advanced Samba features and
+networking issues.</p>
+
+<a name="samba2-CHP-3-NOTE-92"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Keep in mind that we are continuing our example from <a href="ch02.html">Chapter 2</a>, in which we are setting up a very simple
+prototype network using a workgroup that has very lax security. After
+you have the basics working, we recommend you continue with later
+chapters to learn how to implement both better security and a Samba
+domain. <a name="INDEX-53"/></p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-2"/>
+
+<h2 class="head1">Setting Up Windows 95/98/Me Computers</h2>
+
+<p>The <a name="INDEX-54"/>Windows 95/98/Me operating systems are very
+similar to each other, and as far as this chapter is concerned, it is
+possible to treat them with a common set of directions.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-2.1"/>
+
+<h3 class="head2">Setting Up the Network</h3>
+
+<p>Samba uses TCP/IP to communicate with clients on the network, so you
+will need to make sure there is support for TCP/IP on each Windows
+client. Unlike Unix operating systems, Windows does not necessarily
+have support for TCP/IP installed. However, when Windows is installed
+on a computer with a network card or a network card is added to a
+system already running Windows, TCP/IP support is installed by
+default, along with the Client for Microsoft Networks, which supports
+SMB file and printer sharing.</p>
+
+<p>To make sure both services are installed on your Windows system,
+double-click the Network icon in the Control Panel to open the
+Network dialog box, as shown in <a href="ch03.html#samba2-CHP-3-FIG-3">Figure 3-3</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-3"/><img src="figs/sam2_0303.gif"/></div><h4 class="head4">Figure 3-3. The Windows 95/98/Me Network dialog</h4>
+
+<p>You should see at least the Client for Microsoft Networks component
+installed on the system, and hopefully a networking device
+(preferably an Ethernet card) bound to the TCP/IP protocol. If there
+is only one networking hardware device, you'll see
+the TCP/IP protocol listed below the device to which it is bound, as
+shown in <a href="ch03.html#samba2-CHP-3-FIG-1">Figure 3-1</a>.</p>
+
+<p>You might also see &quot;File and printer sharing for
+Microsoft Networks,&quot; which is used to make the
+system into a server. In addition, you might see NetBEUI or Novell
+Networking. Definitely remove NetBEUI unless you are sure you need
+it, and if you don't have any Novell servers on your
+network, you can remove Novell (IPX/SPX) as well. To remove a
+service, simply click its name and then click the Remove button.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.1"/>
+
+<h3 class="head3">Adding TCP/IP</h3>
+
+<p><a name="INDEX-55"/><a name="INDEX-56"/>If
+you don't see TCP/IP listed, you'll
+need to install the protocol.</p>
+
+<p>You can add the protocol by inserting the Windows distribution CD-ROM
+in your CD-ROM drive and clicking the Add button below the component
+window. Indicate that you wish to add a protocol by selecting
+Protocol and clicking &quot;Add...&quot; on
+the following dialog box, which should look similar to <a href="ch03.html#samba2-CHP-3-FIG-4">Figure 3-4</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-4"/><img src="figs/sam2_0304.gif"/></div><h4 class="head4">Figure 3-4. Selecting a component type</h4>
+
+<p>After that, select manufacturer Microsoft, then protocol TCP/IP, as
+shown in <a href="ch03.html#samba2-CHP-3-FIG-3">Figure 3-3</a>, then click OK. After doing so,
+you will be returned to the network dialog. Click OK to close the
+dialog box, and Windows will install the necessary components from
+the CD-ROM and request that the system be rebooted. Go ahead and
+reboot the system, and you're set.</p>
+
+<p>If Client for Microsoft Networks is not in the list, you can add it
+similarly. The only significant difference is that you are adding a
+client instead of a protocol, so make sure to select
+&quot;Client&quot; rather than
+&quot;Protocol&quot; when asked.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.2"/>
+
+<h3 class="head3">Configuring TCP/IP</h3>
+
+<p><a name="INDEX-57"/><a name="INDEX-58"/>If you have more than one networking
+device (for example, both an Ethernet card and a modem for dial-up
+networking), the protocol to hardware bindings will be indicated by
+arrows, as shown in <a href="ch03.html#samba2-CHP-3-FIG-5">Figure 3-5</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-5"/><img src="figs/sam2_0305.gif"/></div><h4 class="head4">Figure 3-5. Selecting a protocol to install</h4>
+
+<p>Select the TCP/IP protocol linked to the networking device that will
+be accessing the Samba network. If you have only one networking
+device, simply click the TCP/IP item. Now click the Properties button
+to open the TCP/IP Properties dialog. You should see something
+similar to <a href="ch03.html#samba2-CHP-3-FIG-6">Figure 3-6</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-6"/><img src="figs/sam2_0306.gif"/></div><h4 class="head4">Figure 3-6. Selecting the correct TCP/IP protocol</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.3"/>
+
+<h3 class="head3">IP Address tab</h3>
+
+<p><a name="INDEX-59"/><a name="INDEX-60"/>The
+IP Address tab is shown in <a href="ch03.html#samba2-CHP-3-FIG-7">Figure 3-7</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-7"/><img src="figs/sam2_0307.gif"/></div><h4 class="head4">Figure 3-7. The IP Address tab</h4>
+
+<p>If you use DHCP on your network to provide IP addresses automatically
+to Windows systems, select the &quot;Obtain an IP address
+automatically&quot; radio button. Otherwise, click the
+&quot;Specify an IP address&quot; radio
+button and enter the client's address and subnet
+mask in the space provided. You or your network manager should have
+selected an address for the client on the same subnet (LAN) as the
+Samba server.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.4"/>
+
+<h3 class="head3">WINS Configuration tab</h3>
+
+<p><a name="INDEX-61"/><a name="INDEX-62"/>If you've
+enabled WINS on Samba or are choosing to make use of another WINS
+server on your network, you must tell Windows the
+server's address. After selecting the WINS
+Configuration tab, you will see the dialog box shown in <a href="ch03.html#samba2-CHP-3-FIG-8">Figure 3-8</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-8"/><img src="figs/sam2_0308.gif"/></div><h4 class="head4">Figure 3-8. The WINS Configuration tab</h4>
+
+<p>This is for Windows 98/Me; Windows 95 is just a little different,
+having separate spaces for the primary and backup WINS server IP
+addresses.</p>
+
+<p>Select the &quot;Enable WINS Resolution&quot;
+radio button, and enter the WINS server's address in
+the space provided, then click the Add button. Do not enter anything
+in the Scope ID field.</p>
+<a name="samba2-CHP-3-NOTE-93"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>A bug in Windows 95/98 sometimes causes the IP address of the WINS
+server to disappear after the OK button is clicked. This happens only
+when only a primary WINS server has been specified. The workaround is
+to fill in the fields for both primary and secondary WINS servers,
+using the same IP address for each.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.5"/>
+
+<h3 class="head3">DNS Configuration tab</h3>
+
+<p><a name="INDEX-63"/><a name="INDEX-64"/>Unless you are using DHCP, you
+will need to provide the IP address of one or more DNS servers. Click
+the DNS tab, then click the &quot;Enable
+DNS&quot; radio button, and type the IP address of one or
+more DNS servers into the appropriate field, shown in <a href="ch03.html#samba2-CHP-3-FIG-9">Figure 3-9</a>, to add the server's address
+to the top DNS Server Search Order field.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-9"/><img src="figs/sam2_0309.gif"/></div><h4 class="head4">Figure 3-9. The DNS Configuration tab</h4>
+
+<p>Also, provide the hostname (which is the same as the NetBIOS computer
+name) of the Windows 95/98/Me computer and your Internet domain. (You
+will need to enter the computer name again later, along with the
+workgroup. Make sure to enter the same name each time.) You can
+safely ignore the Domain Suffix Search Order field for anything
+related to Samba.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.6"/>
+
+<h3 class="head3">LMHOSTS file</h3>
+
+<p><a name="INDEX-65"/><a name="INDEX-66"/>If
+you want to install an <em class="filename">LMHOSTS</em> file, it must be
+placed in your Windows installation directory (usually
+<em class="filename">C:\Windows</em>). In the same directory, Microsoft
+has provided a sample <em class="filename">LMHOSTS</em> file named
+<em class="filename">lmhosts.sam</em>, which you might want to look at for
+further information on the file's format.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.7"/>
+
+<h3 class="head3">NetBIOS tab</h3>
+
+<p><a name="INDEX-67"/><a name="INDEX-68"/>This tab
+appears in Windows 98/Me, but not in Windows 95. All you need to do
+here is make sure the checkbox is checked, enabling NetBIOS over
+TCP/IP. If TCP/IP is your only protocol installed (as we recommended
+earlier), the selection will be grayed out, with the box checked so
+that you couldn't uncheck it even if you wanted to.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.8"/>
+
+<h3 class="head3">Bindings tab</h3>
+
+<p><a name="INDEX-69"/><a name="INDEX-70"/>The
+final tab to look at is Bindings, as shown in <a href="ch03.html#samba2-CHP-3-FIG-10">Figure 3-10</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-10"/><img src="figs/sam2_0310.gif"/></div><h4 class="head4">Figure 3-10. The Bindings tab</h4>
+
+<p>You should have a check beside Client for Microsoft Networks,
+indicating that it's using TCP/IP. If you have
+&quot;File and printer sharing for Microsoft
+Networks&quot; in the dialog, it should also be checked,
+as shown in <a href="ch03.html#samba2-CHP-3-FIG-10">Figure 3-10</a>.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-2.2"/>
+
+<h3 class="head2">Setting the Computer Name and Workgroup</h3>
+
+<p><a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/><a name="INDEX-74"/>Finally, click the OK button in the
+TCP/IP configuration dialog, and you'll be taken
+back to the Network Configuration dialog. Then select the
+Identification tab, which will take you to the dialog box shown in
+<a href="ch03.html#samba2-CHP-3-FIG-11">Figure 3-11</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-11"/><img src="figs/sam2_0311.gif"/></div><h4 class="head4">Figure 3-11. The Identification tab</h4>
+
+<p>This is where you set your system's NetBIOS name
+(which Microsoft likes to call &quot;computer
+name&quot;). Usually, it is best to make this the same as
+your DNS hostname, if you are going to have one for this system. For
+example, if the system's DNS name is
+<tt class="literal">huastec.metran.cx</tt>, give the computer a NetBIOS
+name of <tt class="literal">huastec</tt> on this tab.</p>
+
+<p>You also set your workgroup name here. In our case,
+it's METRAN, but if you used a different one in
+<a href="ch02.html">Chapter 2</a>, when creating the Samba configuration
+file, use that instead. Just don't call it WORKGROUP
+(the default workgroup name) or you'll be in the
+same workgroup as every misconfigured Windows computer on the planet!</p>
+
+<p>You can also enter a comment string for this computer. See if you can
+come up with some way of describing it that will remind you of what
+and where it is when you see the comment in a list displayed on
+another computer. Everyone on the network will be able to see your
+comment, so be careful not to include any information that might be
+useful to crackers.</p>
+
+<p>Finally, click the OK button and follow whatever instructions Windows
+provides. (You might have to insert your Windows distribution CD-ROM
+and/or reboot.)</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-2.3"/>
+
+<h3 class="head2">Username and Password</h3>
+
+<p><a name="INDEX-75"/><a name="INDEX-76"/><a name="INDEX-77"/>You have probably already given
+Windows a username and password by now. However, to authenticate with
+the Samba server, your Windows username and password must match with
+a valid account on the Samba server.</p>
+
+<p>It is simple to add a new user and password to a Windows 95/98/Me
+system. Just reboot or log out, and when you are prompted for a
+username and password, enter your Unix username and password. (If you
+are using encrypted passwords, you must run
+<em class="emphasis">smbpasswd</em> on the Unix host to enter them into
+Samba's password database, if you have not already
+done so.) You can use this method to add as many users as you want,
+so as to allow more than one user to use the Windows system to gain
+access to the Samba shares.</p>
+
+<p>If you mistakenly entered the wrong password or your Unix password
+changes, you can change your password on the Windows system by going
+to the Control Panel and double-clicking the Passwords icon. This
+will bring up the Passwords Properties dialog. Click the Change
+Passwords tab, and you will see the dialog shown in <a href="ch03.html#samba2-CHP-3-FIG-12">Figure 3-12</a>. Now click the &quot;Change
+Windows Password...&quot; button, which will bring up the
+Change Windows Password dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-13">Figure 3-13</a>. As indicated by the text entry fields in the
+dialog, enter your old password, and then the new password, and again
+to confirm it. Click the OK button and then the Close button on the
+Password Properties dialog box. Reboot or log out, and use your new
+password when you log in again.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-12"/><img src="figs/sam2_0312.gif"/></div><h4 class="head4">Figure 3-12. The Password Properties dialog</h4>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-13"/><img src="figs/sam2_0313.gif"/></div><h4 class="head4">Figure 3-13. The Change Windows Password dialog</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.3.1"/>
+
+<h3 class="head3">Logging in for the first time</h3>
+
+<p>If you don't have a Change Passwords tab in the
+Passwords Properties window, it is because networking is not fully
+set up yet. Assuming you've followed all the
+directions given so far, you just need to reboot; when the system
+comes up, it will ask you to log in with a username and a password.</p>
+
+<p>Now for the big moment. Your Samba server is running, and you have
+set up your Windows 95/98/Me client to communicate with it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.3.2"/>
+
+<h3 class="head3">Accessing the Samba Server from Windows 95/98</h3>
+
+<p><a name="INDEX-78"/><a name="INDEX-79"/>Double-click the Network Neighborhood
+icon on the desktop. You should see your Samba server listed as a
+member of the workgroup, as shown in <a href="ch03.html#samba2-CHP-3-FIG-14">Figure 3-14</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-14"/><img src="figs/sam2_0314.gif"/></div><h4 class="head4">Figure 3-14. Windows 95/98 Network Neighborhood</h4>
+
+<p>Double-clicking the server name will show the resources that the
+server is offering to the network, as shown in <a href="ch03.html#samba2-CHP-3-FIG-15">Figure 3-15</a> (in this case, the <em class="emphasis">test</em>
+directory).</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-15"/><img src="figs/sam2_0315.gif"/></div><h4 class="head4">Figure 3-15. The test shared folder on the Toltec server</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.3.3"/>
+
+<h3 class="head3">Accessing the Samba Server from Windows Me</h3>
+
+<p>Double-click the My Network Places icon on the desktop. You should
+see the test shared directory as shown in <a href="ch03.html#samba2-CHP-3-FIG-16">Figure 3-16</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-16"/><img src="figs/sam2_0316.gif"/></div><h4 class="head4">Figure 3-16. My Network Places on Windows Me</h4>
+
+<p>Double-click the Entire Network icon, and you should see an icon for
+your workgroup, as shown in <a href="ch03.html#samba2-CHP-3-FIG-17">Figure 3-17</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-17"/><img src="figs/sam2_0317.gif"/></div><h4 class="head4">Figure 3-17. Entire Network window, showing the Metran workgroup</h4>
+
+<p>Double-clicking the workgroup icon will bring up a window showing
+every computer in the workgroup, which should include your Samba
+server, as shown in <a href="ch03.html#samba2-CHP-3-FIG-18">Figure 3-18</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-18"/><img src="figs/sam2_0318.gif"/></div><h4 class="head4">Figure 3-18. Computers in Metran workgroup</h4>
+
+<p>Double-click the Samba server's icon, and you will
+get a window showing its shared resources (in this case, the test
+directory) as shown in <a href="ch03.html#samba2-CHP-3-FIG-19">Figure 3-19</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-19"/><img src="figs/sam2_0319.gif"/></div><h4 class="head4">Figure 3-19. View of shares on the Toltec server</h4>
+
+<p>If you don't see the server listed, it might be that
+browsing is not working correctly or maybe the server is just taking
+a few minutes to show up in the browse list. In either case, you can
+click the Start button, then select
+&quot;Run...&quot;. This will give you a
+dialog box into which you can type the name of your server and the
+share name <em class="emphasis">test</em> in the Windows UNC format
+<em class="filename">\\</em><em class="replaceable">server</em><em class="filename">\test</em>,
+as we did in <a href="ch01.html">Chapter 1</a>. This should open a window
+on the desktop showing the contents of the folder. If this does not
+work, there is likely a problem with name resolution, and you can try
+using the server's IP address instead of its
+computer name, like this:</p>
+
+<blockquote><pre class="code">\\172.16.1.1\test</pre></blockquote>
+
+<p>If things still aren't right, go directly to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong
+with the network.</p>
+
+<p>If it works, congratulations! Try copying files to and from the
+server using the Windows drag-and-drop functionality. You might be
+pleasantly surprised how seamlessly everything works. <a name="INDEX-80"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-3"/>
+
+<h2 class="head1">Setting Up Windows NT 4.0 Computers</h2>
+
+<p>Configuring <a name="INDEX-81"/>Windows NT
+is a little different than configuring Windows 95/98/Me. To use Samba
+with Windows NT, you will need both the Workstation service and the
+TCP/IP protocol. Both come standard with NT, but
+we'll work through installing and configuring them
+to make sure they are configured correctly.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-3.1"/>
+
+<h3 class="head2">Basic Configuration</h3>
+
+<p><a name="INDEX-82"/>This section presents the steps
+to follow for TCP/IP-related configuration on Windows NT to get it to
+cooperate with Samba. If you need more details on Windows NT network
+administration, refer to Craig <a name="INDEX-83"/>Hunt and Robert Bruce
+<a name="INDEX-84"/>Thompson's
+<em class="citetitle">Windows NT TCP/IP Network Administration
+</em>(O'Reilly), an excellent guide.</p>
+
+<p>You should perform the following steps as the
+<tt class="literal">Administrator</tt> or another user in the
+<tt class="literal">Administrators</tt> group.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-3.1.1"/>
+
+<h3 class="head3">Installing the TCP/IP protocol</h3>
+
+<p><a name="INDEX-85"/><a name="INDEX-86"/>From
+the Control Panel, double-click the Network icon, click the Protocols
+tab in the Network dialog box, and look to see if you have the TCP/IP
+protocol installed, as shown in <a href="ch03.html#samba2-CHP-3-FIG-20">Figure 3-20</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-20"/><img src="figs/sam2_0320.gif"/></div><h4 class="head4">Figure 3-20. The Protocols tab</h4>
+
+<p>If the protocol is not installed, you need to add it. Click the Add
+button, which will display the Select Network Protocol dialog box
+shown in <a href="ch03.html#samba2-CHP-3-FIG-21">Figure 3-21</a>. You should immediately see the
+TCP/IP protocol as one of the last protocols listed.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-21"/><img src="figs/sam2_0321.gif"/></div><h4 class="head4">Figure 3-21. Select Network Protocol dialog box</h4>
+
+<p>Select TCP/IP as the protocol and confirm it. If
+possible, install only the TCP/IP protocol. If you see anything other
+than TCP/IP listed in the Protocols tab and it is not a protocol that
+you need, you can remove it. If you try to remove a protocol and get
+an error message saying that the protocol is being used by another
+service, you need to click the Services tab and remove that service
+before you can remove the protocol. For example, to remove the NWLink
+IPX/SPX Compatible Transport protocol, you would need to remove the
+Client Service for Netware first.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-3.1.2"/>
+
+<h3 class="head3">Installing the Workstation service</h3>
+
+<p><a name="INDEX-87"/><a name="INDEX-88"/>After installing TCP/IP, click the
+Services tab in the Network dialog, and check that you have a
+Workstation service, as shown at the end of the list in <a href="ch03.html#samba2-CHP-3-FIG-22">Figure 3-22</a>.<a name="FNPTR-8"/><a href="#FOOTNOTE-8">[8]</a></p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-22"/><img src="figs/sam2_0322.gif"/></div><h4 class="head4">Figure 3-22. Network Services tab</h4>
+
+<p>This service is actually the Microsoft Networking Client, which
+allows the computer to access SMB services. The Workstation service
+is mandatory. The service is installed by default on both Windows NT
+Workstation 4.0 and NT Server 4.0. If it's not
+there, you can install it much like TCP/IP. In this case you need to
+click the Add button and then select Workstation Service, as shown in
+<a href="ch03.html#samba2-CHP-3-FIG-23">Figure 3-23</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-23"/><img src="figs/sam2_0323.gif"/></div><h4 class="head4">Figure 3-23. Select Network Service dialog box</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-3.1.3"/>
+
+<h3 class="head3">Configuring TCP/IP</h3>
+
+<p><a name="INDEX-89"/><a name="INDEX-90"/>After you've installed
+the Workstation service, return to the Protocols tab and select the
+TCP/IP Protocol entry in the window. Then click the Properties button
+below the window. The Microsoft TCP/IP Protocol dialog will be
+displayed. There are five tabs in the dialog, and you will need to
+work with four of them:</p>
+
+<ul><li>
+<p>IP Address</p>
+</li><li>
+<p>WINS Address</p>
+</li><li>
+<p>DNS</p>
+</li><li>
+<p>Bindings</p>
+</li></ul>
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.1"/>
+
+<h4 class="head4">IP Address tab</h4>
+
+<p><a name="INDEX-91"/><a name="INDEX-92"/>The IP
+Address tab is shown in <a href="ch03.html#samba2-CHP-3-FIG-24">Figure 3-24</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-24"/><img src="figs/sam2_0324.gif"/></div><h4 class="head4">Figure 3-24. Microsoft TCP/IP Properties dialog for Windows NT</h4>
+
+<p>Select the &quot;Specify an IP address&quot;
+radio button, and enter the computer's IP address
+and netmask in the space provided for the proper adapter (Ethernet
+card). You or your network manager should have selected an address
+for the client on the same subnet (LAN) as the Samba server. For
+example, if the server's address is 172.16.1.1 and
+its network mask is 255.255.255.0, you might use the address
+172.16.1.13 (if it is available) for the NT workstation, along with
+the same netmask. If you use DHCP on your network, select the
+&quot;Obtain an IP Address from a DHCP
+server&quot; button instead.</p>
+
+<p>The gateway field refers to a system typically known as a
+<em class="emphasis">router</em>. If you have routers connecting multiple
+networks, you should enter the IP address of the one on your subnet.
+In our example, the gateway happens to be the same system as the
+Samba server, but they do not by any means have to be the same.</p>
+
+
+</div>
+
+
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.2"/>
+
+<h4 class="head4">WINS Address tab</h4>
+
+<p><a name="INDEX-93"/><a name="INDEX-94"/>Click the
+WINS Address tab, shown in <a href="ch03.html#samba2-CHP-3-FIG-25">Figure 3-25</a>, and you can
+begin to enter information about name servers. Enter the address of
+your WINS server in the space labeled Primary WINS Server. If your
+Samba server is providing WINS service (in other words, you have the
+line <tt class="literal">wins</tt> <tt class="literal">support</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
+<em class="emphasis">smb.conf</em> file of your Samba server), provide the
+Samba server's IP address here. Otherwise, provide
+the address of another WINS server on your network.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-25"/><img src="figs/sam2_0325.gif"/></div><h4 class="head4">Figure 3-25. The WINS Address tab</h4>
+
+<p>You probably noticed that there is a field here for the network
+adapter. This field must specify the Ethernet adapter on which
+you're running TCP/IP so that WINS will provide name
+service on the correct network. For example, if you have both a LAN
+and a dial-up adapter, make sure you have the LAN's
+network card specified here.</p>
+
+<p>The checkboxes in the lower half of the dialog are for enabling two
+other methods of name resolution that Windows can incorporate into
+its name service. Samba doesn't require either of
+them, but you might want to enable them to increase the reliability
+or functionality of name service for your client. See <a href="ch07.html">Chapter 7</a> for further information on name resolution
+issues.</p>
+
+<p>If you'd like to use a DNS server, select the Enable
+DNS for Windows Resolution checkbox. In addition, you will need to do
+some configuration to allow the Windows system to find the DNS
+server, unless you're using DHCP.</p>
+
+
+</div>
+
+
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.3"/>
+
+<h4 class="head4">DNS tab</h4>
+
+<p><a name="INDEX-95"/><a name="INDEX-96"/>Click
+the tab for DNS, as shown in <a href="ch03.html#samba2-CHP-3-FIG-26">Figure 3-26</a>. Enter the
+IP addresses for one or more DNS servers in the space provided. Also,
+enter the hostname (which should be the same as the NetBIOS computer
+name). You will enter this again later in another control panel, so
+make sure they match. Finally, enter the DNS domain on which this
+system resides. For example, if your workstation has a domain name
+such as <em class="emphasis">metran.cx</em>, enter it here. You can safely
+ignore the other options.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-26"/><img src="figs/sam2_0326.gif"/></div><h4 class="head4">Figure 3-26. The DNS tab</h4>
+
+
+</div>
+
+
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.4"/>
+
+<h4 class="head4">The LMHOSTS file</h4>
+
+<p>If you want to install an
+<em class="filename">LMHOSTS</em><a name="INDEX-97"/><a name="INDEX-98"/> file, it
+must be placed in the directory
+<em class="filename">\system32\drivers\etc</em> under your Windows
+installation directory (usually <em class="filename">C:\WINNT</em>). The
+easy way to make sure it gets to the proper location is to use the
+Import LMHOSTS button on the WINS Address tab. (But if you want to do
+it over the network, you will have to do that after file sharing is
+configured!) Remember to click the Enable LMHOSTS Lookup checkbox on
+the WINS Address tab to enable this functionality.</p>
+
+<p>When you are satisfied with your settings for IP Address, WINS
+Address, and DNS, click OK to return to the Network dialog box.</p>
+
+
+</div>
+
+
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.5"/>
+
+<h4 class="head4">Bindings</h4>
+
+<p><a name="INDEX-99"/><a name="INDEX-100"/>Now click the
+Bindings tab, and check the bindings of network hardware, services,
+and protocols. Set the &quot;Show Bindings
+for&quot; field to &quot;all
+services,&quot; and click all the + buttons in the tree.
+You should see a display similar to <a href="ch03.html#samba2-CHP-3-FIG-27">Figure 3-27</a>,
+which shows that the NetBIOS, Server, and Workstation interface
+services are connected to the WINS client running TCP/IP protocol,
+and that the WINS client is bound to the Ethernet adapter of the
+local area network.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-27"/><img src="figs/sam2_0327.gif"/></div><h4 class="head4">Figure 3-27. The Bindings tab</h4>
+
+<p>You can safely leave the default values for the remainder of the tabs
+in the Network dialog box. Click the OK button to complete the
+configuration. Once the proper files are loaded (if any), you might
+need to reboot for your changes to take effect.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-3.2"/>
+
+<h3 class="head2">Computer Name and Workgroup</h3>
+
+<p><a name="INDEX-101"/><a name="INDEX-102"/><a name="INDEX-103"/><a name="INDEX-104"/>The next
+thing you need to do is to give the system a NetBIOS computer name.
+From the Control Panel, double-click the Network icon to open the
+Network dialog box. The first tab in this dialog box should be the
+Identification tab, as illustrated in <a href="ch03.html#samba2-CHP-3-FIG-28">Figure 3-28</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-28"/><img src="figs/sam2_0328.gif"/></div><h4 class="head4">Figure 3-28. The Identification tab</h4>
+
+<p>Here, you need to identify your computer with a name and change the
+default workgroup to the one you specified in the
+<em class="emphasis">smb.conf</em> file of your Samba server. Click the
+Change button below the two text fields. This will open an
+Identification Changes dialog box, where you can set the workgroup
+and the computer name, as shown in <a href="ch03.html#samba2-CHP-3-FIG-29">Figure 3-29</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-29"/><img src="figs/sam2_0329.gif"/></div><h4 class="head4">Figure 3-29. The Identification Changes dialog</h4>
+<a name="samba2-CHP-3-NOTE-94"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>You entered the computer name earlier as a DNS hostname while
+configuring TCP/IP, so be sure that the two names match. The name you
+set here is the NetBIOS name. You're allowed to make
+it different from the TCP/IP hostname, but doing so is usually not a
+good idea. Don't worry that Windows NT forces the
+computer name and the workgroup to be all capital letters;
+it's smart enough to figure out what you mean when
+it connects to the network.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-3.3"/>
+
+<h3 class="head2">Adding a User</h3>
+
+<p><a name="INDEX-105"/><a name="INDEX-106"/>In all
+the previous steps, you were logged into your Windows NT system as
+<tt class="literal">Administrator</tt> or another user in the
+<tt class="literal">Administrators</tt> group. To access resources on the
+Samba server, you will need to have a username and password that the
+Samba server recognizes as valid. Generally, the best way to do this
+is to add a user to your NT system, with the same username and
+password as a user on the Samba host system.</p>
+
+<a name="samba2-CHP-3-NOTE-95"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The directions in this section assume that your network is set up as
+a workgroup. If you have already set up your network as a domain, as
+we describe in <a href="ch04.html">Chapter 4</a>, you do not need to
+follow the instructions here for adding a local user on the Windows
+NT client system. Simply log on to the domain from the client using a
+username and password in Samba's
+<em class="filename">smbpasswd</em> account database, and continue with
+the next section, <a href="ch03.html#samba2-CHP-3-SECT-3.4">Section 3.3.4</a>.</p>
+</blockquote>
+
+<p>To add a new user, open the Start menu, navigate through the Programs
+submenu to Administrative Tools (Common), and select User Manager for
+Domains. Click the User menu and select the first item, Add User...,
+shown in <a href="ch03.html#samba2-CHP-3-FIG-30">Figure 3-30</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-30"/><img src="figs/sam2_0330.gif"/></div><h4 class="head4">Figure 3-30. User Manager for Domains window</h4>
+
+<p>This brings up the New User dialog box shown in <a href="ch03.html#samba2-CHP-3-FIG-31">Figure 3-31</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-31"/><img src="figs/sam2_0331.gif"/></div><h4 class="head4">Figure 3-31. The New User dialog</h4>
+
+<p>Fill it out as shown, using the username and password that were added
+in the previous chapter, and make sure that only the checkbox labeled
+Password Never Expires is checked. (This is not the default!) Click
+the Add button to add the user, and then click the Close button. You
+should now see your new account added to the list in the User Manager
+dialog box.</p>
+
+<p>Now open the Start menu, select Shut Down, and select the
+&quot;Close all programs and log on as a different
+user?&quot; radio button. Click the Yes button, then log
+in as the user you just added.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-3.4"/>
+
+<h3 class="head2">Connecting to the Samba Server</h3>
+
+<p>Now for the big moment. Your <a name="INDEX-107"/><a name="INDEX-108"/>Samba
+server is running, and you have set up your NT client to communicate
+with it. Double-click the Network Neighborhood icon on the desktop,
+and you should see your Samba server listed as a member of the
+workgroup, as shown in <a href="ch03.html#samba2-CHP-3-FIG-32">Figure 3-32</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-32"/><img src="figs/sam2_0332.gif"/></div><h4 class="head4">Figure 3-32. The Windows NT Network Neighborhood</h4>
+
+<p>Double-clicking the server name will show the resources that the
+server is offering to the network, as shown in <a href="ch03.html#samba2-CHP-3-FIG-33">Figure 3-33</a>. In this case, the <em class="filename">test</em>
+directory and the default printer are offered to the Windows NT
+workstation.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-33"/><img src="figs/sam2_0333.gif"/></div><h4 class="head4">Figure 3-33. Shares offered by the Toltec server</h4>
+
+<p>If you don't see the server listed,
+don't panic. Select Run... from the Start menu. A
+dialog box appears that allows you to type the name of your server
+and its share directory in Windows format. For example, you would
+enter
+<em class="filename">\\</em>toltec<em class="filename">\</em><tt class="literal">test</tt>,
+as shown in <a href="ch03.html#samba2-CHP-3-FIG-34">Figure 3-34</a>, and use your
+server's hostname instead of
+&quot;toltec&quot;.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-34"/><img src="figs/sam2_0334.gif"/></div><h4 class="head4">Figure 3-34. Opening a shared directory, using the server's NetBIOS name in the UNC</h4>
+
+<p>This will work even if browsing services are not set up right, which
+is a common problem. You can also work around a name-service problem
+by entering the server's IP Address (such as
+172.16.1.1 in our example) instead of the Samba
+server's hostname, as shown in <a href="ch03.html#samba2-CHP-3-FIG-35">Figure 3-35</a>. Go back and check your configuration, and if
+things still aren't right, go to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong with the
+network.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-35"/><img src="figs/sam2_0335.gif"/></div><h4 class="head4">Figure 3-35. Opening a shared directory, using the server's IP address in the UNC</h4>
+
+<p>If it works, congratulations! Try copying files to and from the
+server by dragging their icons to and from the folder on the Samba
+share. You might be pleasantly surprised how seamlessly everything
+works. <a name="INDEX-109"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-4"/>
+
+<h2 class="head1">Setting Up Windows 2000 Computers</h2>
+
+<p><a name="INDEX-110"/>Although
+Windows 2000 is based on NT technology and is similar to Windows NT
+in many respects, configuring it for use with Samba is quite
+different.</p>
+
+<p>You should perform the following steps as the
+<tt class="literal">Administrator</tt> or another user in the
+<tt class="literal">Administrators</tt> group.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.1"/>
+
+<h3 class="head2">Networking Components</h3>
+
+<p><a name="INDEX-111"/><a name="INDEX-112"/>Go to the Control Panel and
+double-click the Network and Dial-up Connections icon. You should see
+at least one Local Area Connection icon. If there is more than one,
+identify the one that corresponds to the network adapter that is
+connected to your Samba network. Right-click the Local Area
+Connection icon, and click the Properties button. (Or double-click
+the Local Area Connection icon, and then click the Properties button
+in the dialog box that comes up.) You should now be looking at the
+Local Area Connection Properties dialog box, as shown in <a href="ch03.html#samba2-CHP-3-FIG-36">Figure 3-36</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-36"/><img src="figs/sam2_0336.gif"/></div><h4 class="head4">Figure 3-36. Windows 2000 Local Area Connection Properties dialog</h4>
+
+<p>First of all, you might want to click the Configure button under the
+field for the network adapter, to make sure you see the message
+&quot;This device is working properly&quot;
+in the Device status window. If there is a problem, make sure to
+correct it before continuing. You should also see the message
+&quot;Use this device (enable)&quot; in the
+Device usage field of the dialog box. Make sure to set it this way if
+it is not already. Click OK or Cancel to get back to the Local Area
+Connection Properties dialog box.</p>
+
+<p>You should see at least the following two components:</p>
+
+<ul><li>
+<p>Client for Microsoft Networks</p>
+</li><li>
+<p>Internet Protocol (TCP/IP)</p>
+</li></ul>
+<p>If you do not see either Client for Microsoft Networks or Internet
+Protocol (TCP/IP) in your list, you will need to add them. For
+either, the method is to click the Install... button, click the type
+of component (Client or Protocol), and then click the Add... button.
+Next, click the component you want to add, and click the OK button.
+You should see the component added to the list with the others.</p>
+
+<p>Some components should be removed if you see them in the list:</p>
+
+<ul><li>
+<p>NetBEUI Protocol</p>
+</li><li>
+<p>NWLink NetBIOS</p>
+</li><li>
+<p>NWLink IPX/SPX/NetBIOS Compatible Transport Protocol</p>
+</li><li>
+<p>Client Service for Netware</p>
+</li></ul>
+<p>If you see anything other than TCP/IP listed as a protocol, and it is
+not a protocol that you need, you can remove it. Uninstall NetBEUI,
+unless you are sure you need it, and the other three if you do not
+need to support Netware. If you try to remove a protocol and get an
+error message saying that the protocol is being used by another
+service, you need to remove that service before you can remove the
+protocol. For example, to remove the NWLink IPX/SPX Compatible
+Transport Protocol, you would need to remove the Client Service for
+Netware first.</p>
+
+<p>To remove a component, click the component in the list, click the
+Uninstall button, and then click Yes in the dialog box that pops up.
+In some cases, Windows might need to reboot to put the change into
+effect.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.2"/>
+
+<h3 class="head2">Bindings</h3>
+
+<p><a name="INDEX-113"/><a name="INDEX-114"/>Next to each
+client, service, or protocol listed in the window in the Local Area
+Connections Properties dialog box, you will see a checkbox. Make sure
+the checkbox is checked for both Client for Microsoft Networks and
+Internet Protocol (TCP/IP). The check marks indicate the networking
+components are bound to the network adapter shown at the top of the
+dialog box.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.3"/>
+
+<h3 class="head2">Configuring TCP/IP</h3>
+
+<p><a name="INDEX-115"/><a name="INDEX-116"/>Now click Internet Protocol (TCP/IP),
+and then click Properties to open the Internet Protocol (TCP/IP)
+Properties dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-37">Figure 3-37</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-37"/><img src="figs/sam2_0337.gif"/></div><h4 class="head4">Figure 3-37. Internet Protocol (TCP/IP) Properties dialog</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.1"/>
+
+<h3 class="head3">IP address</h3>
+
+<p><a name="INDEX-117"/><a name="INDEX-118"/>If
+you are using DHCP on your network to assign IP addresses
+dynamically, select the &quot;Obtain IP address
+automatically&quot; radio button. Otherwise, select the
+&quot;Use the following address:&quot; radio
+button, and fill in the computer's IP address and
+netmask in the spaces provided. You or your network manager should
+have selected an address for the client on the same subnet (LAN) as
+the Samba server. For example, if the server's
+address is 172.16.1.1 and its network mask is 255.255.255.0, you
+might use the address 172.16.1.14, if it is available, along with the
+same netmask. You can also fill in the IP address of the default
+gateway.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.2"/>
+
+<h3 class="head3">DNS server</h3>
+
+<p><a name="INDEX-119"/><a name="INDEX-120"/>In
+the lower part of the dialog box, click the &quot;Use the
+following DNS server addresses:&quot; radio button, and
+fill in the IP address of your DNS server.</p>
+
+<p>Now click the Advanced... button to bring up the Advanced TCP/IP
+Settings dialog box, and then click the WINS tab.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.3"/>
+
+<h3 class="head3">WINS server</h3>
+
+<p><a name="INDEX-121"/><a name="INDEX-122"/>Enter the
+address of your WINS server in the space labeled
+&quot;WINS addresses, in order of use:&quot;.
+If your Samba server is providing WINS service (in other words, you
+have the line <tt class="literal">wins</tt> <tt class="literal">service</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
+<em class="emphasis">smb.conf</em> file of your Samba server), provide the
+Samba server's IP address here. Otherwise, provide
+the address of another WINS server on your network.</p>
+
+<p>Near the bottom of the dialog box, select the radio button labeled
+&quot;Enable NetBIOS over TCP/IP&quot;. <a href="ch03.html#samba2-CHP-3-FIG-38">Figure 3-38</a> shows what your Advanced TCP/IP Settings
+dialog box should look like at this point.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-38"/><img src="figs/sam2_0338.gif"/></div><h4 class="head4">Figure 3-38. Advanced TCP/IP Settings dialog, showing WINS tab</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.4"/>
+
+<h3 class="head3">The LMHOSTS file</h3>
+
+<p>If you want to install an
+<em class="filename">LMHOSTS</em><a name="INDEX-123"/><a name="INDEX-124"/> file,
+it must be placed in the <em class="filename">\system32\drivers\etc</em>
+directory under your Windows installation directory (usually
+<em class="filename">C:\WINNT</em> ). The easy way to make sure it gets to
+the proper location is to use the Import LMHOSTS... button on the
+WINS Address tab. (But if you want to do it over the network, you
+will have to do that after file sharing is configured!) Remember to
+click the Enable LMHOSTS Lookup checkbox on the WINS Address tab to
+enable this functionality.</p>
+
+<p>When you are satisfied with your settings for IP Address, WINS
+Address, and DNS, click the OK buttons in each open dialog box to
+complete the configuration. Windows might need to load some files
+from the Windows 2000 distribution CD-ROM, and you might need to
+reboot for your changes to take effect.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.4"/>
+
+<h3 class="head2">Computer and Workgroup Names</h3>
+
+<p><a name="INDEX-125"/><a name="INDEX-126"/><a name="INDEX-127"/><a name="INDEX-128"/>From
+the Control Panel, double-click the System icon to open the System
+Properties dialog box. Click the Network Identification tab, and your
+System Properties dialog box will look similar to <a href="ch03.html#samba2-CHP-3-FIG-39">Figure 3-39</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-39"/><img src="figs/sam2_0339.gif"/></div><h4 class="head4">Figure 3-39. System Properties dialog, showing Network Identification tab</h4>
+
+<p>To give your system computer a name and a workgroup, click the
+Properties button, which will bring up the Identification Changes
+dialog box, as in <a href="ch03.html#samba2-CHP-3-FIG-40">Figure 3-40</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-40"/><img src="figs/sam2_0340.gif"/></div><h4 class="head4">Figure 3-40. Identification Changes dialog</h4>
+
+<p>You need to identify your computer with a name and change the
+workgroup to the one you specified in the
+<em class="emphasis">smb.conf</em> file of your Samba server.
+Don't worry that Windows forces the computer name
+and the workgroup to be all capital letters; it's
+smart enough to figure out what you mean when it connects to the
+network.</p>
+
+<p>Click the More... button to bring up the DNS Suffix and NetBIOS
+Computer Name dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-41">Figure 3-41</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-41"/><img src="figs/sam2_0341.gif"/></div><h4 class="head4">Figure 3-41. DNS Suffix and NetBIOS Computer Name dialog</h4>
+
+<p>Enter the DNS domain name of this computer in the text field labeled
+Primary DNS Suffix for this computer:, and then click OK. You should
+now see the FQDN of this system underneath the label
+&quot;Full computer name:&quot;. Click the OK
+button and then reboot when requested to put your configuration
+changes into effect. Once again, log in using your administrative
+account.</p>
+<a name="samba2-CHP-3-NOTE-96"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>There have been reports of authentication problems with Samba when a
+username on a Windows 2000 system is the same as its computer name.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.5"/>
+
+<h3 class="head2">Adding a Samba-Enabled User</h3>
+
+<p><a name="INDEX-129"/><a name="INDEX-130"/>So far,
+you have been logged into your Windows 2000 system as a user in the
+<tt class="literal">Administrators</tt> group. To access resources on the
+Samba server, you will need a username and password that the Samba
+server recognizes as valid. If your administrative account has such a
+username and password, you can use it, but you might want to access
+your system and the network from a nonadministrative user account
+instead.</p>
+<a name="samba2-CHP-3-NOTE-97"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>The directions in this section assume that your network is set up as
+a workgroup. If you have already set up your network as a domain, as
+we describe in <a href="ch04.html">Chapter 4</a>, you do not need to
+follow the instructions here for adding a local user on the Windows
+2000 client system. Simply log on to the domain from the client using
+a username and password in Samba's
+<em class="filename">smbpasswd</em> account database, and continue with
+the next section, <a href="ch03.html#samba2-CHP-3-SECT-4.6">Section 3.4.6</a>.</p>
+</blockquote>
+
+<p>To add a new user, open the Control Panel, and double-click the Users
+and Passwords icon to open the Users and Passwords dialog box, shown
+in <a href="ch03.html#samba2-CHP-3-FIG-42">Figure 3-42</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-42"/><img src="figs/sam2_0342.gif"/></div><h4 class="head4">Figure 3-42. Users and Passwords dialog</h4>
+
+<p>The first thing to do is make sure the checkbox labeled
+&quot;Users must enter a user name and password to use
+this computer.&quot; is checked. Next, click the Add...
+button to bring up the first dialog box of the User Wizard, shown in
+<a href="ch03.html#samba2-CHP-3-FIG-43">Figure 3-43</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-43"/><img src="figs/sam2_0343.gif"/></div><h4 class="head4">Figure 3-43. Adding a new user</h4>
+
+<p>Fill out the fields, using the username of a valid user account on
+the Samba host, and then click the Next &gt; button to enter and
+confirm the user's password. This password must be
+the same as the user's password on the Samba host.
+If you are using encrypted passwords, make sure this username and
+password are the same as what you used when you ran the
+<em class="emphasis">smbpasswd</em> program. Click the Next &gt; button,
+which brings up the final dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-44">Figure 3-44</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-44"/><img src="figs/sam2_0344.gif"/></div><h4 class="head4">Figure 3-44. Specifying a group for the new user</h4>
+
+<p>Pick a group for the user (the default Standard User should do), and
+click the Finish button. You should now see your new account added to
+the list in the Users and Passwords dialog box. Click the OK button
+to complete the process.</p>
+
+<p>Now return to the Users and Passwords control panel window, click the
+Advanced tab, then click on the Advanced button. Click the Users
+folder in the left side of the Local Users and Groups window that
+appears, and then double-click the account you just added in the
+right side of the window. In the Properties window that opens, click
+the checkbox labeled Password never expires. You are done! Click the
+OK buttons in all the dialog boxes, and close all open windows.</p>
+
+<p>Open the Start menu, select Shut Down, and select Log off
+<em class="emphasis">username</em> from the drop-down menu. Click the OK
+button, then log on with the username and password you just added.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.6"/>
+
+<h3 class="head2">Connecting to the Samba Server</h3>
+
+<p>Now for the big moment. Your Samba server is running, and you have
+set up your <a name="INDEX-131"/><a name="INDEX-132"/>Windows 2000 client to communicate with
+it. Double-click the My Network Places icon on the desktop, and then
+double-click the Computers Near Me icon to browse the workgroup. You
+should see your Samba server listed as a member of the workgroup, as
+shown in <a href="ch03.html#samba2-CHP-3-FIG-45">Figure 3-45</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-45"/><img src="figs/sam2_0345.gif"/></div><h4 class="head4">Figure 3-45. The Computers Near Me window, showing computers in the workgroup</h4>
+
+<p>Double-clicking the server name will show the resources that the
+server is offering to the network, as shown in <a href="ch03.html#samba2-CHP-3-FIG-46">Figure 3-46</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-46"/><img src="figs/sam2_0346.gif"/></div><h4 class="head4">Figure 3-46. Shares offered by the Toltec server</h4>
+
+<p>In this case, the <em class="filename">test</em> directory and the default
+printer are offered to the Windows 2000 workstation. If you
+don't see the server listed, don't
+panic. Select Run from the Start menu. A dialog box appears that
+allows you to type the name of your server and its share directory in
+Windows format. For example, you would enter
+<em class="filename">\\toltec\</em><tt class="literal">test</tt>, as shown in
+<a href="ch03.html#samba2-CHP-3-FIG-47">Figure 3-47</a>, and use your server's
+hostname instead of &quot;toltec&quot;.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-47"/><img src="figs/sam2_0347.gif"/></div><h4 class="head4">Figure 3-47. Opening a shared directory, using the server's NetBIOS name in the UNC</h4>
+
+<p>This will work even if browsing services are not set up right, which
+is a common problem. You can also work around a name-service problem
+by entering the server's IP address (such as
+172.16.1.1 in our example) instead of the Samba
+server's hostname, as shown in <a href="ch03.html#samba2-CHP-3-FIG-48">Figure 3-48</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-48"/><img src="figs/sam2_0348.gif"/></div><h4 class="head4">Figure 3-48. Opening a shared directory, using the server's IP address in the UNC</h4>
+
+<p>If things still aren't right, go directly to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong
+with the network.</p>
+
+<p>If it works, congratulations! Try copying files to and from the
+server. You will be pleasantly surprised how seamlessly everything
+works. Now that you've finished setting up the Samba
+server and its clients, you can proceed to the next chapter.
+<a name="INDEX-133"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-5"/>
+
+<h2 class="head1">Setting Up Windows XP Computers</h2>
+
+<p>Although <a name="INDEX-134"/>Windows XP
+is very similar to Windows 2000, it has a very different user
+interface, and there are a number of subtle differences. For example,
+getting to the Control Panel is different than in any previous
+version of Windows&mdash;one must click the Control Panel item from
+the Start menu (there is no Settings item in the Start menu in XP).
+By default, XP will display the Control Panel in Category View mode.
+If you see this, click the Switch to Classic View item in the
+upper-left corner of the window. All of our directions are for using
+the Control Panel in Classic View mode.</p>
+
+<p>You should perform the following steps as the
+<tt class="literal">Administrator</tt> or another user in the
+Administrators group.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.1"/>
+
+<h3 class="head2">Networking Components</h3>
+
+<p><a name="INDEX-135"/><a name="INDEX-136"/>Go to the Control Panel and
+double-click the Network and Dial-up Connections icon. You should see
+at least one Local Area Connection icon. If there is more than one,
+identify the one that corresponds to the network adapter that is
+connected to your Samba network. Right-click the Local Area
+Connection icon and click the Properties button. (Or double-click the
+Local Area Connection icon and then click the Properties button in
+the dialog box that comes up.) You should now be looking at the Local
+Area Connection Properties dialog box, as shown in <a href="ch03.html#samba2-CHP-3-FIG-49">Figure 3-49</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-49"/><img src="figs/sam2_0349.gif"/></div><h4 class="head4">Figure 3-49. The Local Area Connection Properties dialog</h4>
+
+<p>First of all, you might want to click the Configure button under the
+field for the network adapter to make sure you see the message
+&quot;This device is working properly&quot;
+in the Device status window. If there is a problem, make sure to
+correct it before continuing. You should also see the message
+&quot;Use this device (enable)&quot; in the
+Device usage field of the dialog box. Make sure to set it this way if
+it is not already. Click OK or Cancel to close this dialog box, then
+reopen the Local Area Connection Properties dialog box.</p>
+
+<p>You should see at least the following two components:</p>
+
+<ul><li>
+<p>Client for Microsoft Networks</p>
+</li><li>
+<p>Internet Protocol (TCP/IP)</p>
+</li></ul>
+<p>If you do not see either Client for Microsoft Networks or Internet
+Protocol (TCP/IP) in your list, you will need to add them. For
+either, the method is to click the Install... button, click the type
+of component (Client or Protocol), and then click the Add... button.
+Next, click the component you want to add, and click the OK button.
+You should see the component added to the list with the others.</p>
+
+<p>If you see anything other than TCP/IP listed as a protocol, and it is
+not a protocol that you need, you can remove it. If NetBEUI appears
+in the list, uninstall it if you possibly can. Also uninstall any
+Netware-related components if you do not need to support Netware. If
+you try to remove a protocol and get an error message saying that the
+protocol is being used by another service, you need to remove that
+service before you can remove the protocol. For example, to remove
+the NWLink IPX/SPX Compatible Transport Protocol, you would need to
+remove the Client Service for Netware first.</p>
+
+<p>To remove a component, click the component in the list, click the
+Uninstall button, and then click Yes in the dialog box that pops up.
+In some cases, Windows might need to reboot to put the change into
+effect.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.1.1"/>
+
+<h3 class="head3">Bindings</h3>
+
+<p><a name="INDEX-137"/><a name="INDEX-138"/>Next to each client, service, or protocol
+listed in the window in the Local Area Connections Properties dialog
+box, you will see a checkbox. Make sure the checkbox is checked for
+both Client for Microsoft Networks and Internet Protocol (TCP/IP).
+The check marks indicate that the networking components are bound to
+the network adapter shown at the top of the dialog box.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.2"/>
+
+<h3 class="head2">Configuring TCP/IP</h3>
+
+<p><a name="INDEX-139"/><a name="INDEX-140"/>Now click Internet Protocol
+(TCP/IP) and then click Properties to open the Internet Protocol
+(TCP/IP) Properties dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-50">Figure 3-50</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-50"/><img src="figs/sam2_0350.gif"/></div><h4 class="head4">Figure 3-50. The Internet Protocol (TCP/IP) Properties dialog</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.1"/>
+
+<h3 class="head3">IP address</h3>
+
+<p><a name="INDEX-141"/><a name="INDEX-142"/>If
+you are using DHCP on your network to assign IP addresses
+dynamically, select the &quot;Obtain IP address
+automatically&quot; radio button. Otherwise, select the
+&quot;Use the following address:&quot; radio
+button, and fill in the computer's IP address and
+netmask in the spaces provided. You or your network manager should
+have selected an address for the client on the same subnet (LAN) as
+the Samba server. For example, if the server's
+address is 172.16.1.1 and its network mask is 255.255.255.0, you
+might use the address 172.16.1.12 (if it is available) along with the
+same netmask. You can also fill in the IP address of the default
+gateway.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.2"/>
+
+<h3 class="head3">DNS server</h3>
+
+<p><a name="INDEX-143"/><a name="INDEX-144"/>In the lower part of the dialog box, click
+the &quot;Use the following DNS server
+addresses:&quot; radio button, and fill in the IP address
+of your DNS server.</p>
+
+<p>Now click the Advanced... button to bring up the Advanced TCP/IP
+Settings dialog box, and then click the WINS tab.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.3"/>
+
+<h3 class="head3">WINS server</h3>
+
+<p><a name="INDEX-145"/><a name="INDEX-146"/>Enter
+the address of your WINS server in the space labeled
+&quot;WINS addresses, in order of use:&quot;.
+If your Samba server is providing WINS service (in other words, you
+have the line <tt class="literal">wins</tt> <tt class="literal">support</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
+<em class="emphasis">smb.conf</em> file of your Samba server), provide the
+Samba server's IP address here. Otherwise, provide
+the address of another WINS server on your network.</p>
+
+<p>Near the bottom of the dialog box, select the radio button labeled
+Enable NetBIOS over TCP/IP. <a href="ch03.html#samba2-CHP-3-FIG-51">Figure 3-51</a> shows what
+your Advanced TCP/IP Settings dialog box should look like at this
+point.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-51"/><img src="figs/sam2_0351.gif"/></div><h4 class="head4">Figure 3-51. The Advanced TCP/IP Settings dialog, showing the WINS tab</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.4"/>
+
+<h3 class="head3">The LMHOSTS file</h3>
+
+<p>If you want to install an
+<em class="filename">LMHOSTS</em><a name="INDEX-147"/><a name="INDEX-148"/> file, it
+must be placed in the <em class="filename">\system32\drivers\etc</em>
+directory under your Windows installation directory (usually
+<em class="filename">C:\WINNT</em> ). The easy way to make sure it gets to
+the proper location is to use the Import LMHOSTS... button on the
+WINS Address tab. (But if you want to do it over the network, you
+will have to do that after file sharing is configured!) Remember to
+click the Enable LMHOSTS Lookup checkbox on the WINS Address tab to
+enable this functionality.</p>
+
+<p>When you are satisfied with your settings for IP Address, WINS
+Address, and DNS, click the OK buttons in each open dialog box (and
+the Close button in the Local Area Connection Properties dialog box)
+to complete the configuration. Windows might need to load some files
+from the Windows XP distribution CD-ROM, and you might need to reboot
+for your changes to take effect.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.3"/>
+
+<h3 class="head2">Computer and Workgroup Names</h3>
+
+<p><a name="INDEX-149"/><a name="INDEX-150"/><a name="INDEX-151"/><a name="INDEX-152"/>From the
+Control Panel, double-click the System icon to open the System
+Properties dialog box. Click the Computer Name tab, and your System
+Properties dialog box will look similar to <a href="ch03.html#samba2-CHP-3-FIG-52">Figure 3-52</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-52"/><img src="figs/sam2_0352.gif"/></div><h4 class="head4">Figure 3-52. The System Properties dialog, showing the Computer Name tab</h4>
+
+<p>To give your system computer a name and a workgroup, click the
+Change... button, which will bring up the Computer Name Changes
+dialog box, as in <a href="ch03.html#samba2-CHP-3-FIG-53">Figure 3-53</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-53"/><img src="figs/sam2_0353.gif"/></div><h4 class="head4">Figure 3-53. The Computer Name Changes dialog</h4>
+
+<p>You need to identify your computer with a name and change the
+workgroup to the one you specified in the
+<em class="emphasis">smb.conf</em> file of your Samba server.
+Don't worry that Windows forces the workgroup to be
+all capital letters; it's smart enough to figure out
+what you mean when it connects to the network.</p>
+
+<p>Click the More... button to bring up the DNS Suffix and NetBIOS
+Computer Name dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-54">Figure 3-54</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-54"/><img src="figs/sam2_0354.gif"/></div><h4 class="head4">Figure 3-54. The DNS Suffix and NetBIOS Computer Name dialog</h4>
+
+<p>Enter the DNS domain name of this computer in the text field labeled
+Primary DNS Suffix for this computer:, and then click OK. You should
+now see the FQDN of this system underneath the label Full computer
+name: in the Computer Name Changes dialog box. Click the OK button
+and then reboot when requested to put your configuration changes into
+effect. Once again, log in using your administrative account.</p>
+<a name="samba2-CHP-3-NOTE-98"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>There have been reports of authentication problems with Samba when a
+username on a Windows XP system is the same as its computer name.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.4"/>
+
+<h3 class="head2">Adding a Samba-Enabled User</h3>
+
+<p><a name="INDEX-153"/><a name="INDEX-154"/>So far,
+you have been logged into your Windows XP system as a user in the
+Administrators group. To access resources on the Samba server, you
+will need to have a username and password that the Samba server
+recognizes as valid. If your administrative account has such a
+username and password, you can use it, but you might want to access
+your system and the network from a nonadministrative user account
+instead.</p>
+
+<a name="samba2-CHP-3-NOTE-99"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The directions in this section assume that your network is set up as
+a workgroup. If you have already set up your network as a domain, as
+we describe in <a href="ch04.html">Chapter 4</a>, you do not need to
+follow the instructions here for adding a local user on the Windows
+XP client system. Simply log on to the domain from the client using a
+username and password in Samba's
+<em class="filename">smbpasswd</em> account database, and continue with
+the next section, <a href="ch03.html#samba2-CHP-3-SECT-5.5">Section 3.5.5</a>.</p>
+</blockquote>
+
+<p>To add a new user, open the Control Panel, and double-click the Users
+Accounts icon to open the User Accounts window, shown in <a href="ch03.html#samba2-CHP-3-FIG-55">Figure 3-55</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-55"/><img src="figs/sam2_0355.gif"/></div><h4 class="head4">Figure 3-55. The User Accounts window</h4>
+
+<p>Click the Create a new account task, which will bring up the window
+shown in <a href="ch03.html#samba2-CHP-3-FIG-56">Figure 3-56</a>. Enter the username, then click
+the Next &gt; button.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-56"/><img src="figs/sam2_0356.gif"/></div><h4 class="head4">Figure 3-56. Entering the username</h4>
+
+<p>Click the radio button labeled
+&quot;Limited&quot;, as shown in <a href="ch03.html#samba2-CHP-3-FIG-57">Figure 3-57</a>.</p>
+
+<p>Click the Create Account button, and you will see the username you
+added next to a picture at the bottom of the User Accounts window. We
+still need to assign a password to the account. Click the account to
+bring up the &quot;What do you want to change about
+<em class="emphasis">username</em>'s
+account?&quot; window, and then click Create a password.
+Enter the password, and enter it again to confirm it.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-57"/><img src="figs/sam2_0357.gif"/></div><h4 class="head4">Figure 3-57. Setting the account type</h4>
+
+<p>This password must be the same as the user's
+password on the Samba host. If you are using encrypted passwords,
+make sure this username and password are the same as what you used
+when you ran the <em class="emphasis">smbpasswd</em> program. Click the
+Create Password button, and you're done adding the
+account.</p>
+
+<p>Now open the Start menu and click the Log Off button. In the Log Off
+Windows dialog box that pops up, again click the Log Off button. When
+Windows displays the login screen, click the user you just added, and
+type in the password to log in.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.5"/>
+
+<h3 class="head2">Connecting to the Samba Server</h3>
+
+<p><a name="INDEX-155"/><a name="INDEX-156"/>Now for
+the big moment. Your Samba server is running, and you have set up
+your Windows XP client to communicate with it. In the Start menu,
+select My Computer<a name="FNPTR-9"/><a href="#FOOTNOTE-9">[9]</a> to open the My Computer window. Click My
+Network Places, in the Other Places box in the left part of the
+window. You should see a folder icon for the
+<em class="filename">test</em> directory, as shown in <a href="ch03.html#samba2-CHP-3-FIG-58">Figure 3-58</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-58"/><img src="figs/sam2_0358.gif"/></div><h4 class="head4">Figure 3-58. The My Network Places window</h4>
+
+<p>Now click View workgroup computers in the Network Tasks box at the
+left of the window. You should see your Samba server listed as a
+member of the workgroup. Double-click its icon, and you will see a
+window that looks like <a href="ch03.html#samba2-CHP-3-FIG-59">Figure 3-59</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-59"/><img src="figs/sam2_0359.gif"/></div><h4 class="head4">Figure 3-59. Shares offered by the Toltec server</h4>
+
+<p>If you don't see the server listed in the workgroup,
+don't panic. Select Run... from the Start menu. A
+dialog box appears that allows you to type the name of your server
+and its share directory in Windows format. For example, you would
+enter <em class="filename">\\toltec\</em><tt class="literal">test</tt>, as shown
+in <a href="ch03.html#samba2-CHP-3-FIG-60">Figure 3-60</a>, and use your
+server's hostname instead of
+&quot;toltec&quot;.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-60"/><img src="figs/sam2_0360.gif"/></div><h4 class="head4">Figure 3-60. Opening a shared directory, using the server's NetBIOS name in the UNC</h4>
+
+<p>This will work even if browsing services are not set up right, which
+is a common problem. You can also work around a name-service problem
+by entering the server's IP Address (such as
+172.16.1.1 in our example) instead of the Samba
+server's hostname, as shown in <a href="ch03.html#samba2-CHP-3-FIG-61">Figure 3-61</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-61"/><img src="figs/sam2_0361.gif"/></div><h4 class="head4">Figure 3-61. Opening a shared directory, using the server's IP address in the UNC</h4>
+
+<p>If things still aren't right, go directly to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong
+with the network.</p>
+
+<p>If it works, congratulations! Try copying files to and from the
+server by dragging their icons to and from the Samba
+server's <em class="filename">test</em> folder. You might
+be pleasantly surprised how seamlessly everything works. <a name="INDEX-157"/> <a name="INDEX-158"/></p>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> We are
+intentionally omitting device drivers because they are
+hardware-specific, and we assume you are getting installation
+directions from the manufacturer.</p> <a name="FOOTNOTE-2"/>
+<p><a href="#FNPTR-2">[2]</a> Make sure to use the same netmask as all other systems on the
+network. You can find the netmask in use by checking with Unix or
+Windows systems that have already been configured.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> Keep in mind that IP addresses ending
+in .0 are reserved for network addresses and that ones ending in .255
+are for broadcast addresses. These should never be assigned to any
+system on the network.</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> To be more explicit about
+this, the system will identify itself to the network as a b-node
+rather than an h-node.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> We put the
+names of the <em class="filename">LMHOSTS</em> and
+<em class="filename">HOSTS</em> files in uppercase for additional
+clarity&mdash;to remind you that we are referring to the files on
+Windows rather than on Unix, and because that's the
+way we see them in other books on Windows. The case of the letters in
+the two names actually does not matter.</p> <a name="FOOTNOTE-6"/> <p><a href="#FNPTR-6">[6]</a> The address 127.0.0.1 is known as the
+<em class="emphasis">localhost</em> address and always refers to itself.
+For example, if you type <tt class="literal">ping</tt>
+<tt class="literal">127.0.0.1</tt> on a Unix server, you should always get
+a response, because you're pinging the host
+itself.</p> <a name="FOOTNOTE-7"/> <p><a href="#FNPTR-7">[7]</a> This update is supplied in
+various update packages issued by Microsoft.</p> <a name="FOOTNOTE-8"/> <p><a href="#FNPTR-8">[8]</a> Notice how in Windows NT,
+some clients are called &quot;services&quot;!
+In these directions, we will conform to Microsoft's
+terminology.</p> <a name="FOOTNOTE-9"/> <p><a href="#FNPTR-9">[9]</a> If there is a My Network Places
+item in the Start menu at this point, you can save yourself a little
+time and just click that. If you don't see it,
+don't worry; it will appear automatically
+later.</p> </blockquote>
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/ch04.html b/docs/htmldocs/using_samba/ch04.html
new file mode 100644
index 0000000000..02cc979284
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch04.html
@@ -0,0 +1,2556 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 4. Windows NT Domains</h1>
+
+
+
+<p><a name="INDEX-1"/>In previous
+chapters, we've focused on workgroup networking to
+keep things simple and introduce you to networking with Samba in the
+most painless manner we could find. However, workgroup computing has
+its drawbacks, and for many computing environments, the greater
+security and single logon of the Windows NT domain make it worthwhile
+to spend the extra effort to implement a domain.</p>
+
+<p>In addition to the domain features of
+<a name="INDEX-2"/>that we discussed in <a href="ch01.html">Chapter 1</a>, having a domain makes it possible to use
+<em class="firstterm">logon scripts</em><a name="INDEX-3"/> and <em class="firstterm">roaming profiles
+</em><a name="INDEX-4"/>(also called<em class="firstterm"> roving
+profiles</em><a name="INDEX-5"/>). A logon
+script is a text file of commands that are run during startup, and a
+profile is a collection of information regarding the desktop
+environment, including the contents of the Start menu, icons that
+appear on the desktop, and other characteristics about the GUI
+environment that users are allowed to customize. A roaming profile
+can follow its owner from computer to computer, allowing her to have
+the same familiar interface appear wherever she logs on.</p>
+
+<p>A Windows NT domain offers centralized control over the network.
+<em class="firstterm">Policies</em><a name="INDEX-6"/> can be set up by an administrator to
+define aspects of the users' environment and limit
+the amount of control they have over the network and their computers.
+It is also possible for administrators to perform remote
+administration of the domain controllers from any Windows NT/2000/XP
+workstation.</p>
+
+<p>Samba 2.2 has the ability to act as a primary domain controller,
+supporting domain logons from Windows 95/98/Me/NT/2000/XP computers
+and allowing Windows NT/2000/XP<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> systems to join the domain as domain
+member servers. Samba can also join a domain as a member server,
+allowing the primary domain controller to be a Windows NT/2000 system
+or another Samba server.</p>
+
+<a name="samba2-CHP-4-NOTE-100"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Samba 2.2 does not support <a name="INDEX-7"/><a name="INDEX-8"/><a name="INDEX-9"/>LDAP and <a name="INDEX-10"/>Kerberos authentication of Active
+Directory, so it cannot act as a Windows 2000 Active Directory domain
+controller. However, Samba can be added to an Active Directory domain
+as a member server, with the Windows 2000 domain controllers running
+in either mixed or native mode. The Windows 2000 server (even if it
+is running in native mode) supports the Samba server by acting as a
+<a name="INDEX-11"/><a name="INDEX-12"/>PDC emulator, using the Windows NT
+style of authentication rather than the Kerberos style.</p>
+</blockquote>
+
+<p>If you're adding a Samba server to a network that
+has already been set up, you won't have to decide
+whether to use a workgroup or a domain; you will simply have to be
+compatible with what's already in place. If you do
+have a choice, we suggest you evaluate both workgroup and domain
+computing carefully before rolling out a big installation. You will
+have a lot of work to do if you later need to convert one to the
+other. One last thought on this matter is that Microsoft is
+developing Windows in the direction of increased use of domains and
+is intending that eventually Windows networks be composed solely of
+Active Directory domains. If you implement a Windows NT domain now,
+you'll be in a better position to transition to
+Active Directory later, after Samba has better support for it.</p>
+
+<p>In this chapter, we cover various topics directly related to using
+Samba in a Windows NT domain, including:</p>
+
+<ul><li>
+<p>Configuring and using Samba as the primary domain controller</p>
+</li><li>
+<p>Setting up Windows 95/98/Me systems to log on to the domain</p>
+</li><li>
+<p>Implementing user-level security on Windows 95/98/Me</p>
+</li><li>
+<p>Adding Windows NT/2000/XP systems to the domain</p>
+</li><li>
+<p>Configuring logon scripts, roaming profiles, and system policies</p>
+</li><li>
+<p>Adding a Samba server to a domain as a member server</p>
+</li></ul>
+
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-1"/>
+
+<h2 class="head1">Samba as the Primary Domain Controller</h2>
+
+<p><a name="INDEX-13"/>Samba 2.2
+is able to handle the most desired functions of a primary domain
+controller in a Windows NT domain, handling domain logons and
+authentication for accessing shared resources, as well as supporting
+logon scripts, roaming profiles, and system policies.</p>
+
+<a name="samba2-CHP-4-NOTE-101"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>You will need to use at least Samba 2.2 to ensure that PDC
+functionality for Windows NT/2000/XP clients is present. Prior to
+Samba 2.2, only limited user authentication for NT clients was
+present.</p>
+</blockquote>
+
+<p>In this section, we will show you how to configure Samba as a PDC for
+use with Windows 95/98/Me and Windows NT/2000/XP clients. The two
+groups of Windows versions interact differently within domains, and
+in some cases are supported in slightly different ways. If you know
+you are going to be using only Windows 95/98/Me or Windows
+NT/2000/XP, you can set up Samba to support only that group. However,
+there isn't any harm in supporting both at the same
+time.</p>
+
+<a name="samba2-CHP-4-NOTE-102"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you would like more information on how to set up
+<a name="INDEX-14"/>domains, see the file
+<em class="filename">Samba-PDC-HOWTO.html</em><a name="INDEX-15"/>
+in the <em class="filename">docs/htmldocs</em> directory of the Samba
+source distribution.</p>
+</blockquote>
+
+<p>Samba must be the only domain controller for the domain. Make sure
+that a PDC isn't already active, and that there are
+no backup domain controllers. Samba 2.2 is not able to communicate
+with backup domain controllers, and having domain controllers in your
+domain with unsynchronized data would result in a very dysfunctional
+network.</p>
+
+<a name="samba2-CHP-4-NOTE-103"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Although Samba 2.2 cannot function as, or work with, a Windows NT
+<a name="INDEX-16"/><a name="INDEX-17"/>BDC, it is possible to set up
+another Samba server to act as a backup for a Samba PDC. For further
+information, see the file
+<em class="filename">Samba-BDC-HOWTO.html</em><a name="INDEX-18"/>
+in the <em class="filename">docs/htmldocs</em> directory of the Samba
+source distribution.</p>
+</blockquote>
+
+<p>Configuring Samba to be a PDC is a matter of modifying the
+<em class="filename">smb.conf</em> file, creating some directories, and
+restarting the server.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-1.1"/>
+
+<h3 class="head2">Modifying smb.conf</h3>
+
+<p>First you will need to start with an
+<em class="filename">smb.conf</em><a name="INDEX-19"/><a name="INDEX-20"/> file that correctly configures Samba for
+workgroup computing, such as the one we created in <a href="ch02.html">Chapter 2</a>, and insert the following lines into the
+<tt class="literal">[global]</tt> section:</p>
+
+<blockquote><pre class="code">[global]
+    ; use the name of your Samba server instead of toltec
+    ; and your own workgroup instead of METRAN
+    netbios name = toltec
+    workgroup = METRAN
+    encrypt passwords = yes
+        
+    domain master = yes
+    local master = yes
+    preferred master = yes
+    os level = 65
+
+    security = user
+    domain logons = yes
+    
+    ; logon path tells Samba where to put Windows NT/2000/XP roaming profiles
+    logon path = \\%L\profiles\%u\%m
+    logon script = logon.bat
+
+    logon drive = H:
+    ; logon home is used to specify home directory and
+    ; Windows 95/98/Me roaming profile location
+    logon home = \\%L\%u\.win_profile\%m
+    
+    time server = yes
+
+    ; instead of jay, use the names of all users in the Windows NT/2000/XP
+    ; Administrators group who log on to the domain
+    domain admin group = root jay
+
+    ; the below works on Red Hat Linux - other OSs might need a different command
+    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>
+
+<p>And after the <tt class="literal">[global]</tt> section, add these three
+new shares:</p>
+
+<blockquote><pre class="code">[netlogon]
+    path = /usr/local/samba/lib/netlogon
+    writable = no
+    browsable = no
+
+[profiles]
+    ; you might wish to use a different directory for your
+    ; Windows NT/2000/XP roaming profiles
+    path = /home/samba-ntprof
+    browsable = no
+    writable = yes
+    create mask = 0600
+    directory mask = 0700
+
+[homes]
+    read only = no
+    browsable = no
+    guest ok = no
+    map archive = yes</pre></blockquote>
+
+<p>Now for the explanation. If you are comparing this example to the
+configuration file presented in <a href="ch02.html">Chapter 2</a>, you
+will notice that the first three parameter settings are similar. We
+start out in the <tt class="literal">[global]</tt> section by setting the
+NetBIOS name of the Samba server. We are using the default, which is
+the DNS hostname, but are being explicit because the NetBIOS name is
+used in UNCs that appear later in <em class="filename">smb.conf</em>. The
+next two lines, setting the workgroup name and choosing to use
+encrypted passwords, are identical to our
+<em class="filename">smb.conf</em> file from <a href="ch02.html">Chapter 2</a>.
+However, things are now a little different: even though it still
+reads &quot;workgroup&quot;, we are actually
+setting the name of the domain. For a workgroup, using encrypted
+passwords is optional; when using a domain, they are required.</p>
+
+<p>The next four lines set up our Samba PDC to handle browsing services.
+The line <tt class="literal">domain</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to be the
+domain master browser, which handles browsing services for the domain
+across multiple subnets if necessary. Although it looks very similar,
+<tt class="literal">local</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> does not cause Samba to
+be the master browser on the subnet, but merely tells it to
+participate in browser elections and allow itself to win. (These two
+lines are yet more default settings that we include to be clear.) The
+next two lines ensure that Samba wins the elections. Setting the
+<tt class="literal">preferred</tt> <tt class="literal">master</tt> parameter
+makes Samba force an election when it starts up. The
+<tt class="literal">os</tt> <tt class="literal">level</tt> parameter is set
+higher than that of any other system, which results in Samba winning
+that election. (At the time of this writing, an <tt class="literal">os</tt>
+level of 65 was sufficient to win over all versions of
+Windows&mdash;but make sure no other Samba server is set higher!) We
+make sure Samba is both the <a name="INDEX-21"/><a name="INDEX-22"/>domain and local master browser
+because Windows NT/2000 PDCs always reserve the domain master browser
+role for themselves and because Windows clients require things to be
+that way to find the primary domain controller. It is possible to
+allow another computer on the network to win the role of local master
+browser, but having the same server act as both domain and local
+masters is simpler and more efficient.</p>
+
+<p>The next two lines in the <tt class="literal">[global]</tt> section set up
+Samba to handle the actual domain logons. We set
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">user</tt> so that Samba will require a username and
+password. This is actually the same as in the workgroup setup we
+covered in <a href="ch01.html">Chapter 1</a> and <a href="ch02.html">Chapter 2</a> because it is the default. The only
+reason we're including it explicitly is to avoid
+confusion: another valid setting is <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">domain</tt>, but that is for
+having another (Windows or Samba) domain controller handle the logons
+and should never be found in the <em class="filename">smb.conf</em> of a
+Samba PDC. The next line, <tt class="literal">domain</tt>
+<tt class="literal">logons</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt>, is what tells Samba we want this server to
+handle domain logons.</p>
+
+<p>Defining a logon path is necessary for supporting
+<a name="INDEX-23"/><a name="INDEX-24"/>roaming profiles for
+Windows NT/2000/XP clients. The UNC
+<tt class="literal">\\%L\profiles\%u</tt> refers to a share held on the
+Samba server where the profiles are kept. The variables
+<tt class="literal">%L</tt> and <tt class="literal">%u</tt> are replaced by Samba
+with the name of the server and the username of the logged on user,
+respectively. The section in <em class="filename">smb.conf</em> defining
+the <tt class="literal">[profiles]</tt> share contains the definition of
+exactly where the profiles are kept on the server.
+We'll get back to this topic a bit later in this
+chapter.</p>
+
+<p>The <tt class="literal">logon</tt> <tt class="literal">script</tt>
+<tt class="literal">=</tt> <tt class="literal">logon.bat</tt> line specifies the
+name of an MS-DOS batch file that will be executed when the client
+logs on to the domain. The path specified here is relative to the
+<tt class="literal">[netlogon]</tt> share that is defined later in the
+<em class="filename">smb.conf</em> file.</p>
+
+<p>The settings of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and
+<tt class="literal">logon</tt> <tt class="literal">home</tt> have a couple of
+purposes. Setting <tt class="literal">logon</tt> <tt class="literal">drive</tt>
+<tt class="literal">=</tt> <tt class="literal">H</tt>: allows the home directory
+of the user to be connected to drive letter H on the client. The
+<tt class="literal">logon</tt> <tt class="literal">home</tt> parameter is set to
+the location of the home directory on the server, and again,
+<tt class="literal">%u</tt> is replaced at runtime by the logged on
+user's username. The home directory is used to store
+roaming profiles for Windows 95/98/Me clients. These parameters tie
+into the <tt class="literal">[homes]</tt> share that we are adding, as we
+will explain a bit later.</p>
+
+<p>Setting <tt class="literal">time</tt> <tt class="literal">server</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to advertise
+itself as a <a name="INDEX-25"/>time service for the network. This is
+optional.</p>
+
+<p>The <tt class="literal">domain</tt> <tt class="literal">admin</tt>
+<tt class="literal">group</tt> parameter exists as a short-term measure in
+Samba 2.2 to give Samba a list of users who have administrative
+privileges in the domain. The list should contain any Samba users who
+log on from Windows NT/2000/XP systems and are members of the
+Administrators or Domain Admins groups, if roaming profiles are to
+work correctly.</p>
+
+<p>The last parameter to add to the <tt class="literal">[global]</tt> section
+is <tt class="literal">add</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt>, and you will need it only if one or more
+of your clients is a Windows NT/2000/XP system. We will tell you more
+about this in <a href="ch04.html#samba2-CHP-4-SECT-2">Section 4.2</a> later in this chapter.</p>
+
+<p>The rest of the additions to <em class="filename">smb.conf</em> are the
+definitions for three <a name="INDEX-26"/><a name="INDEX-27"/>shares. The
+<tt class="literal">[netlogon]</tt><a name="INDEX-28"/> share is necessary for Samba to
+handle domain logons because Windows clients need to connect to it
+during the logon process and will fail if the share does not exist.
+Other than that, the only function of <tt class="literal">[netlogon]</tt>
+is to be a repository for logon scripts and system-policy files,
+which we shall cover in detail later in this chapter. The path to a
+directory on the Samba server is given, and because the clients only
+read logon scripts and system-policy files from the share, the
+<tt class="literal">writable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> definition is used to make the share read-only.
+Users do not need to see the share, so we set
+<tt class="literal">browsable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> to make the share invisible.</p>
+
+<p>The <tt class="literal">[profiles]</tt><a name="INDEX-29"/> share is needed for use with
+Windows NT/2000/XP roaming profiles. The path points to a directory
+on the Samba server where the profiles are kept, and in this case,
+the clients must be able to read and write the profile data. The
+<tt class="literal">create</tt> <tt class="literal">mask</tt> (read and write
+permitted for the owner only) and <tt class="literal">directory</tt>
+<tt class="literal">mask</tt> (read, write, and search permitted for the
+owner only) are set up such that a user's profile
+data can be read and written only by the user and not accessed or
+modified by anyone else.</p>
+
+<p>The <tt class="literal">[homes]</tt><a name="INDEX-30"/> share is necessary for our
+definitions of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and
+<tt class="literal">logon</tt> <tt class="literal">home</tt> to work. Samba uses
+the <tt class="literal">[homes]</tt> share to add the home directory of the
+user (found in <em class="filename">/etc/passwd</em> ) as a share. Instead
+of appearing as &quot;homes&quot;, the share
+will be accessible on the client through a folder having the same
+name as the user's username. We will cover this
+topic in more detail in <a href="ch09.html">Chapter 9</a>.</p>
+
+<p>At this point, you might want to run
+<em class="filename">testparm</em><a name="INDEX-31"/> to check your
+<em class="filename">smb.conf</em> file. <a name="INDEX-32"/><a name="INDEX-33"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-1.2"/>
+
+<h3 class="head2">Creating Directories on the Samba Server</h3>
+
+<p><a name="INDEX-34"/><a name="INDEX-35"/>The
+<tt class="literal">[netlogon]</tt> and <tt class="literal">[profiles]</tt>
+shares defined in our new <em class="filename">smb.conf</em> file
+reference directories on the Samba server, and it is necessary to
+create those directories with the proper permissions:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/lib/netlogon</b></tt>
+# <tt class="userinput"><b>chmod 775 /usr/local/samba/lib/netlogon</b></tt>
+# <tt class="userinput"><b>mkdir /home/samba-ntprof</b></tt>
+# <tt class="userinput"><b>chmod 777 /home/samba-ntprof</b></tt></pre></blockquote>
+
+<p>The directory names we use are just examples. You are free to choose
+your own.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-1.3"/>
+
+<h3 class="head2">Restarting the Samba Server</h3>
+
+<p><a name="INDEX-36"/>At this
+point, the only thing left to do is restart the Samba server, and the
+changes will be put into effect:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/smb restart</b></tt></pre></blockquote>
+
+<p>(or use whatever method works on your system, as discussed in <a href="ch02.html">Chapter 2</a>.) The server is now ready to accept domain
+logons. <a name="INDEX-37"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-2"/>
+
+<h2 class="head1">Adding Computer Accounts</h2>
+
+<p>To interact in a domain, a Windows NT/2000/XP system must be a member
+of the domain. <a name="INDEX-38"/>Domain membership is implemented
+using <em class="firstterm">computer
+accounts,</em><a name="INDEX-39"/><a name="INDEX-40"/> which are similar to user
+accounts and allow a domain controller to keep information with which
+to authenticate computers on the network. That is, the domain
+controller must be able to tell if requests that arrive from a
+computer are coming from a computer that it
+&quot;knows&quot; as being part of the
+domain. Each Windows NT/2000/XP system in the domain has a computer
+account in the domain controllers' database, which
+on a Windows NT/2000 hosted domain is the <a name="INDEX-41"/>SAM
+database. Although Samba uses a different method (involving the
+<em class="filename">smbpasswd</em><a name="INDEX-42"/> file), it also treats computer accounts
+similarly to user accounts.</p>
+
+<p>To create a computer account, an administrator configures a Windows
+NT/2000/XP system to be part of the domain. For Samba 2.2, the
+&quot;<a name="INDEX-43"/><a name="INDEX-44"/>domain
+administrator&quot; is the <a name="INDEX-45"/><a name="INDEX-46"/>root account on the Samba
+server, and you will need to run the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a root</b></tt></pre></blockquote>
+
+<p>to add the root user to Samba's password database.
+In this case, do not provide <em class="filename">smbpasswd</em> with the
+same password as the actual root account on the server. Create a
+different password to be used solely for creating computer accounts.
+This will reduce the possibility of compromising the root password.</p>
+
+<p>When the computer account is created, two things must happen on the
+Samba server. An entry is added to the <em class="filename">smbpasswd</em>
+file, with a &quot;username&quot; that is the
+NetBIOS name of the computer with a dollar sign
+(<tt class="literal">$</tt>) appended to it. This part is handled by the
+<em class="emphasis">smbpasswd</em> command, and you do not need to
+perform any additional action to implement it.</p>
+
+<p>With Samba 2.2, an entry is also required in the
+<em class="filename">/etc/passwd</em> file<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> to give the computer account a
+user ID (UID) on the Samba server.</p> 
+
+<p>This account will never be used to
+log in to the Unix system, so it should not be given a valid home
+directory or login shell. To make this part work, you must set the
+<tt class="literal">add</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt> parameter in your Samba configuration file,
+using a command that adds the entry in the proper manner. On our Red
+Hat Linux system, we set <tt class="literal">add</tt>
+<tt class="literal">user</tt> <tt class="literal">script</tt> to:</p>
+
+<blockquote><pre class="code">/usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>
+
+<p>This command adds an entry in <em class="filename">/etc/passwd</em>
+similar to the following:</p>
+
+<blockquote><pre class="code">aztec$:x:505:100::/dev/null:/bin/false</pre></blockquote>
+
+<p>Again, notice that the username ends in a dollar sign. The user
+account shown has a &quot;home
+directory&quot; of <em class="filename">/dev/null</em>, a
+group ID (GID) of 100, and a &quot;login
+shell&quot; of <em class="filename">/bin/false</em>. The
+<em class="emphasis">-M</em> flag in our <em class="emphasis">useradd</em>
+command prevents it from creating the home directory. Samba replaces
+the <tt class="literal">%u</tt> variable in the
+<em class="emphasis">useradd</em> command with the NetBIOS name of the
+computer, including the trailing dollar sign. The basic idea here is
+to create an entry with a valid username and UID. These are the only
+parts that Samba uses. It is important that the UID be unique, not
+also used for other accounts&mdash;especially ones that are
+associated with Samba users.</p>
+
+<p>If you are using some other variety of Unix, you will need to replace
+our <em class="emphasis">useradd</em> command with a command that performs
+the same function on your system. If a command such as
+<em class="emphasis">useradd</em> does not come with your system, you can
+write a shell script yourself that performs the same function. In any
+case, the command should add a password hash that does not correspond
+to any valid password. For example, in the<em class="filename">
+/etc/shadow</em> file of our Linux server, we find the
+following two lines:</p>
+
+<blockquote><pre class="code">jay:%1%zQ7j7ok8$D/IubyRAY5ovM3bTrpUCn1:11566:0:99999:7:::
+zapotec$:!!:11625:0:99999:7:::</pre></blockquote>
+
+<p>The first line is for <tt class="literal">jay</tt>'s user
+account. The second field is the password hash&mdash;the long string
+between the first and second colons. The second line is for the
+computer account of <tt class="literal">zapotec</tt>, a domain member
+server. Its &quot;username&quot; ends with a
+dollar sign (<tt class="literal">$</tt>), and the second field in this case
+has been set to &quot;!!&quot;, which is an
+arbitrary string not produced from any password. Therefore, there is
+no valid password for this account on the Linux host. Just about any
+ASCII string can be used instead of
+&quot;!!&quot;. For example, you could use
+&quot;DISABLED&quot; instead.</p>
+
+<a name="samba2-CHP-4-NOTE-104"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>It is possible to <a name="INDEX-47"/><a name="INDEX-48"/><a name="INDEX-49"/><a name="INDEX-50"/>create the entries for
+<em class="filename">/etc/passwd</em> and <em class="filename">smbpasswd</em>
+manually; however, we suggest this method be used very carefully, and
+only for initial testing, or as a last resort. The reason for this is
+to maintain security. After the computer account has been created on
+the server, the next Windows NT/2000/XP system on the network with a
+matching NetBIOS name to log on to the domain will be associated with
+this account. This allows crackers a window of opportunity to take
+over computer accounts for their own purposes.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-3"/>
+
+<h2 class="head1">Configuring Windows Clients for Domain Logons</h2>
+
+<p><a name="INDEX-51"/>The client-side configuration for Windows
+clients is really simple. All you have to do is switch from workgroup
+to domain networking by enabling domain logons, and in the case of
+Windows NT/2000/XP, also provide the root password you gave
+<em class="filename">smbpasswd</em> for creating computer accounts. This
+results in the Windows NT/2000/XP system becoming a member of the
+domain.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.1"/>
+
+<h3 class="head2">Windows 95/98/Me</h3>
+
+<p><a name="INDEX-52"/><a name="INDEX-53"/>To
+enable domain logons with Windows 95/98/Me, open the Control Panel
+and double-click the Network icon. Then click Client for Microsoft
+Networks, and click the Properties button. At this point, you should
+see a dialog box similar to <a href="ch04.html#samba2-CHP-4-FIG-1">Figure 4-1</a>. Select the
+Logon to Windows Domain checkbox at the top of the dialog box, and
+enter the name of the domain as you have defined it with the
+<tt class="literal">workgroup</tt> parameter in the Samba configuration
+file. Then click OK, and reboot the machine when asked.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-1"/><img src="figs/sam2_0401.gif"/></div><h4 class="head4">Figure 4-1. Configuring a Windows 95/98 client for domain logons</h4>
+<a name="samba2-CHP-4-NOTE-105"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If <a name="INDEX-54"/>Windows complains that you are already
+logged into the domain, you probably have an active connection to a
+share in the workgroup (such as a mapped network drive). Simply
+disconnect the resource temporarily by right-clicking its icon and
+choosing the Disconnect pop-up menu item.</p>
+</blockquote>
+
+<p>When Windows reboots, you should see the standard logon dialog with
+an addition: a field for a domain. The domain name should already be
+filled in, so simply enter your password and click the OK button. At
+this point, Windows should consult the primary domain controller
+(Samba) to see if the password is correct. (You can check the log
+files if you want to see this in action.) If it worked,
+congratulations! You have properly configured Samba to act as a
+domain controller for Windows 95/98/Me machines, and your client is
+successfully connected.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.2"/>
+
+<h3 class="head2">User-Level Security for Windows 95/98/Me</h3>
+
+<p><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>Now that you have a primary domain
+controller to authenticate users, you can implement much better
+security for shares that reside on Windows 95/98/Me
+systems.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> To enable this functionality, open the
+Control Panel, double-click the Network icon, and click the Access
+Control tab in the dialog box. The window should now look like <a href="ch04.html#samba2-CHP-4-FIG-2">Figure 4-2</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-2"/><img src="figs/sam2_0402.gif"/></div><h4 class="head4">Figure 4-2. Setting user-level access control</h4>
+
+<p>Click the User-level access control radio button, and type in the
+name of your domain in the text area. Click the OK button. If you get
+the dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-3">Figure 4-3</a>, it means that
+shares are already on the system.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-3"/><img src="figs/sam2_0403.gif"/></div><h4 class="head4">Figure 4-3. Error dialog while changing to user-level access control</h4>
+
+<p>In that case, you might want to cancel the operation and make a
+record of each of the computer's shares, making it
+easier to re-create them, and then redo this part. (To get a list of
+shares, open an MS-DOS prompt window and run the
+<tt class="literal">net</tt> <tt class="literal">view</tt>
+<tt class="literal">\\</tt><em class="replaceable">computer_name</em>
+command.) Otherwise, you will get a message asking you to reboot to
+put the change in configuration into effect.</p>
+
+<p>After rebooting, you can create shares with user-level access
+control. To do this, right-click the folder you wish to share, and
+select Sharing.... This will bring up the Shared Properties dialog
+box, shown in <a href="ch04.html#samba2-CHP-4-FIG-4">Figure 4-4</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-4"/><img src="figs/sam2_0404.gif"/></div><h4 class="head4">Figure 4-4. The Shared Properties dialog</h4>
+
+<p>Click the Shared As: radio button, and give the share a name and
+comment. Then click the Add... button, and you will see the Add Users
+dialog box, shown in <a href="ch04.html#samba2-CHP-4-FIG-5">Figure 4-5</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-5"/><img src="figs/sam2_0405.gif"/></div><h4 class="head4">Figure 4-5. The Add Users dialog</h4>
+
+<p>What has happened is that Windows has contacted the primary domain
+controller (in this case, Samba) and requested a list of domain users
+and groups. You can now select a user or group and add it to one or
+more of the three lists on the righthand side of the window&mdash;for
+Read Only, Full Access, or Custom Control&mdash;by clicking the
+buttons in the middle of the window. When you are done, click the OK
+button. If you added any users or groups to the Custom Control list,
+you will be presented with the Change Access Rights dialog box, shown
+in <a href="ch04.html#samba2-CHP-4-FIG-6">Figure 4-6</a>, in which you can specify the rights
+you wish to allow. Then click the OK button to close the dialog box.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-6"/><img src="figs/sam2_0406.gif"/></div><h4 class="head4">Figure 4-6. The Change Access Rights dialog</h4>
+
+<p>You are now returned to the Shared Properties dialog box, where you
+will see the Name: and Access Rights: columns filled in with the
+permissions that you just created. Click the OK button to finalize
+the process. Remember, you will have to perform these actions on any
+folders that you had previously shared using share-level security.
+<a name="INDEX-58"/><a name="INDEX-59"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.3"/>
+
+<h3 class="head2">Windows NT 4.0</h3>
+
+<p><a name="INDEX-60"/><a name="INDEX-61"/>To
+configure Windows NT for domain logons, log in to the computer as
+Administrator or another user in the Administrators group, open the
+Control Panel, and double-click the Network icon. If it
+isn't already selected, click on the Network
+Identification tab.</p>
+
+<p>Click the Change... button, and you should see the dialog box shown
+in <a href="ch04.html#samba2-CHP-4-FIG-7">Figure 4-7</a>. In this dialog box, you can choose
+to have the Windows NT client become a member of the domain by
+clicking the checkbox marked Domain: in the Member of box. Then type
+in the name of the domain to which you wish the client to log on; it
+should be the same as the one you specified using the
+<tt class="literal">workgroup</tt> parameter in the Samba configuration
+file. Click the checkbox marked Create a Computer Account in the
+Domain, and fill in &quot;root&quot; for the
+text area labeled User Name:. In the Password: text area, fill in the
+root password you gave <em class="emphasis">smbpasswd</em> for creating
+computer accounts.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-7"/><img src="figs/sam2_0407.gif"/></div><h4 class="head4">Figure 4-7. Configuring a Windows NT client for domain logons</h4>
+<a name="samba2-CHP-4-NOTE-106"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If Windows complains that you are already logged in, you probably
+have an active connection to a share in the workgroup (such as a
+mapped network drive). Disconnect the resource temporarily by
+right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
+</blockquote>
+
+<p>After you press the OK button, Windows should present you with a
+small dialog box welcoming you to the domain. Click the Close button
+in the Network dialog box, and reboot the computer as requested. When
+the system comes up again, the machine will automatically present you
+with a logon screen similar to the one for Windows 95/98/Me clients,
+except that the domain text area has a drop-down menu so that you can
+opt to log on to either the local system or the domain. Make sure
+your domain is selected, and log on to the domain using any
+Samba-enabled user account on the Samba server.</p>
+<a name="samba2-CHP-4-NOTE-107"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Be sure to select the correct domain in the Windows NT logon dialog
+box. Once it is selected, it might take a moment for Windows NT to
+build the list of available domains.</p>
+</blockquote>
+
+<p>After you enter the password, Windows NT should consult the primary
+domain controller (Samba) to see if the password is correct. Again,
+you can check the log files if you want to see this in action. If it
+worked, you have successfully configured Samba to act as a domain
+controller for Windows NT machines. <a name="INDEX-62"/><a name="INDEX-63"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.4"/>
+
+<h3 class="head2">Windows 2000</h3>
+
+<p><a name="INDEX-64"/><a name="INDEX-65"/>To
+configure Windows 2000 for domain logons, log in to the computer as
+Administrator or another user in the Administrators group, open the
+Control Panel, and double-click the System icon to open the System
+Properties dialog box. Click the Network Identification tab, and then
+click the Properties button. You should now see the Identification
+Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-8">Figure 4-8</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-8"/><img src="figs/sam2_0408.gif"/></div><h4 class="head4">Figure 4-8. The Identification Changes dialog</h4>
+
+<p>Click the radio button labeled
+&quot;Domain:&quot; and fill in the name of
+your domain in the text-entry area. Then click the OK button. This
+will bring up the Domain Username and Password dialog box. Enter
+&quot;root&quot; for the username. For the
+password, use the password that you gave to
+<em class="emphasis">smbpasswd</em> for the root account.</p>
+<a name="samba2-CHP-4-NOTE-108"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If Windows complains that you are already logged in, you probably
+have an active connection to a share in the workgroup (such as a
+mapped network drive). Disconnect the resource temporarily by
+right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
+</blockquote>
+
+<p>After you press the OK button, Windows should present you with a
+small dialog box welcoming you to the domain. When you click the OK
+button in this dialog box, you will be told that you need to reboot
+the computer. Click the OK button in the System Properties dialog
+box, and reboot the computer as requested. When the system comes up
+again, the machine will automatically present you with a Log On to
+Windows dialog box similar to the one shown in <a href="ch04.html#samba2-CHP-4-FIG-9">Figure 4-9</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-9"/><img src="figs/sam2_0409.gif"/></div><h4 class="head4">Figure 4-9. The Windows 2000 logon window</h4>
+
+<p>If you do not see the Log on to: drop-down menu, click the Options
+&lt;&lt; button and it will appear. Select your domain, rather than
+the local computer, from the menu.</p>
+<a name="samba2-CHP-4-NOTE-109"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Be sure to select the correct domain in the logon dialog box. Once it
+is selected, it might take a moment for Windows to build the list of
+available domains.</p>
+</blockquote>
+
+<p>Enter the username and password of any Samba-enabled user in the User
+name: and Password: fields, and either press the Enter key or click
+the OK button. If it worked, your Windows session will start up with
+no error dialogs. <a name="INDEX-66"/><a name="INDEX-67"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.5"/>
+
+<h3 class="head2">Windows XP Home</h3>
+
+<p><a name="INDEX-68"/>You have our
+condolences if you are trying to use the Home edition of Windows XP
+in a domain environment! Microsoft has omitted support for Windows NT
+domains from Windows XP Home, resulting in a product that is
+ill-suited for use in a domain-based network.</p>
+
+<p>On the client side, Windows XP Home users cannot log on to a Windows
+NT domain. Although it is still possible to access domain resources,
+a username and password must be supplied each time the user connects
+to a resource, rather than the &quot;single
+signon&quot; of a domain logon. Domain features such as
+logon scripts and roaming profiles are not supported.</p>
+
+<p>As a server, Windows XP Home cannot join a Windows NT domain as a
+domain member server. It can serve files and printers, but only using
+share-mode (&quot;workgroup&quot;) security.
+It can't even use user-mode security, as Windows
+95/98/Me can.</p>
+
+<p>Considering these limitations, we do not recommend Windows XP Home
+for any kind of local area network computing.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.6"/>
+
+<h3 class="head2">Windows XP Professional</h3>
+
+<p><a name="INDEX-69"/><a name="INDEX-70"/>To configure Windows XP
+Professional for domain logons, log in to the computer as
+Administrator or another user in the Administrators group, open the
+Control Panel in Classic View, and double-click the System icon to
+open the System Properties dialog box. Click the Computer Name tab
+and then click the Change... button. You should now see the Computer
+Name Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-10">Figure 4-10</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-10"/><img src="figs/sam2_0410.gif"/></div><h4 class="head4">Figure 4-10. The Computer Name Changes dialog</h4>
+
+<p>Click the radio button labeled
+&quot;Domain:&quot;, and fill in the name of
+your domain in the text-entry area. Then click the OK button. This
+will bring up the Domain Username and Password dialog box. Enter
+&quot;root&quot; for the username. For the
+password, use the password that you gave to
+<em class="emphasis">smbpasswd</em> for the root account.</p>
+<a name="samba2-CHP-4-NOTE-110"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If Windows complains that you are already logged in, you probably
+have an active connection to a share in the workgroup (such as a
+mapped network drive). Disconnect the resource temporarily by
+right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
+</blockquote>
+
+<p>After you press the OK button, Windows should present you with a
+small dialog box welcoming you to the domain. When you click the OK
+button in this dialog box, you will be told that you need to reboot
+the computer to put the changes into effect. Click the OK buttons in
+the dialog boxes to close them, and reboot the computer as requested.
+When the system comes up again, the machine will automatically
+present you with a Log On to Windows dialog box similar to the one
+shown in <a href="ch04.html#samba2-CHP-4-FIG-11">Figure 4-11</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-11"/><img src="figs/sam2_0411.gif"/></div><h4 class="head4">Figure 4-11. The Windows XP logon window</h4>
+
+<p>If you get a dialog box at this point that tells you the domain
+controller cannot be found, the solution is to change a registry
+setting as follows.</p>
+
+<p>Open the Start Menu and click the Run... menu item. In the text area
+in the dialog box that opens, type in
+&quot;regedit&quot; and click the OK button
+to start the Registry Editor. You will be editing the registry, so
+follow the rest of the directions very carefully. Click the
+&quot;<tt class="literal">+</tt>&quot; button next
+to the HKEY_LOCAL_MACHINE folder, and in the contents that open up,
+click the &quot;<tt class="literal">+</tt>&quot;
+button next to the SYSTEM folder. Continue in the same manner to open
+CurrentControlSet, then Services, then Netlogon. (You will have to
+scroll down many times to find Netlogon in the list of services.)
+Then click the Parameters folder, and you will see items appear in
+the right side of the window. Double-click
+&quot;requiresignorseal&quot;, and a dialog
+box will open. In the Value data: text area, change the
+&quot;1&quot; to a
+&quot;0&quot; (zero), and click the OK
+button, which modifies the registry both in memory and on disk. Now
+close the Registry Editor and log off and back on again.</p>
+
+<p>If you do not see the Log on to: drop-down menu, click the Options
+&lt;&lt; button and it will appear. Select your domain from the menu,
+rather than the local computer.</p>
+<a name="samba2-CHP-4-NOTE-111"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Be sure to select the correct domain in the logon dialog box. Once it
+is selected, it might take a moment for Windows to build the list of
+available domains.</p>
+</blockquote>
+
+<p>Enter the username and password of any Samba-enabled user in the User
+name: and Password: fields, and either press the Enter key or click
+the OK button. If it worked, your Windows session will start up with
+no error dialogs. <a name="INDEX-71"/> <a name="INDEX-72"/><a name="INDEX-73"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-4"/>
+
+<h2 class="head1">Logon Scripts</h2>
+
+<p><a name="INDEX-74"/>After a Windows client connects with a
+domain controller (either to authenticate a user, in the case of
+Windows 95/98/Me, or to log on to the domain, in the case of Windows
+NT/2000/XP), the client downloads an MS-DOS batch file to run. The
+domain controller supplies the file assuming one has been made
+available for it. This batch file is the logon script and is useful
+in setting up an initial environment for the user.</p>
+
+<p>In a Unix environment, the ability to run such a script might lead to
+a very complex initialization and deep customization. However, the
+Windows environment is mainly oriented to the GUI, and the
+command-line functions are more limited. Most commonly, the logon
+script is used to run a <em class="emphasis">net</em> command, such as
+<em class="emphasis">net use</em><a name="INDEX-75"/>, to connect a network drive letter,
+like this:</p>
+
+<blockquote><pre class="code">net use T: \\toltec\test</pre></blockquote>
+
+<p>This command will make our <tt class="literal">[test]</tt> share (from
+<a href="ch02.html">Chapter 2</a>) show up as the T: drive in My Computer.
+This will happen automatically, and T: will be available to the user
+at the beginning of her session, instead of requiring her to run the
+<em class="emphasis">net use</em> command or connect the T: drive using
+the Map Network Drive function of Windows Explorer.</p>
+
+<p>Another useful command is:</p>
+
+<blockquote><pre class="code">net use H: /home</pre></blockquote>
+
+<p>which <a name="INDEX-76"/><a name="INDEX-77"/>connects the
+user's home directory to a drive letter (which can
+be H:, as shown here, or some other letter, as defined by
+<tt class="literal">logon</tt> <tt class="literal">drive</tt>). For this to work,
+you must have a <tt class="literal">[homes]</tt> share defined in your
+<em class="filename">smb.conf</em> file.</p>
+
+<p>If you are using <a name="INDEX-78"/><a name="INDEX-79"/>roaming profiles, you should definitely
+have:</p>
+
+<a name="INDEX-80"/><blockquote><pre class="code">net time \\<em class="replaceable">toltec</em> /set /yes</pre></blockquote>
+
+<p>in your logon script. (As usual, replace
+&quot;toltec&quot; with the name of your
+Samba PDC.) This will make sure the clocks of the Windows clients are
+synchronized with the PDC, which is important for roaming profiles to
+work correctly.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-4.1"/>
+
+<h3 class="head2">Creating a Logon Script</h3>
+
+<p><a name="INDEX-81"/>In our
+<em class="filename">smb.conf</em> file, we have the line:</p>
+
+<a name="INDEX-82"/><blockquote><pre class="code">logon script = logon.bat</pre></blockquote>
+
+<p>This defines the location and name of the logon script batch file on
+the Samba server. The path is relative to the
+<tt class="literal">[netlogon]</tt><a name="INDEX-83"/> share, defined later in the
+file like this:</p>
+
+<blockquote><pre class="code">[netlogon]
+    path = /usr/local/samba/lib/netlogon
+    writable = no
+    browsable = no</pre></blockquote>
+
+<p>With this example, the logon script is
+<em class="filename">/user/local/samba/lib/netlogon/logon.bat</em>. We
+include the directives <tt class="literal">writable</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt>, to make sure network
+clients cannot change anything in the <tt class="literal">[netlogon]</tt>
+share, and also <tt class="literal">browsable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt>, which keeps them from even seeing the share
+when they browse the contents of the server. Nothing in
+<tt class="literal">[netlogon]</tt> should ever be modified by
+nonadministrative users. Also, the permissions on the directory for
+<tt class="literal">[netlogon]</tt> should be set appropriately (no write
+permissions for &quot;other&quot; users), as
+we showed you earlier in this chapter.</p>
+
+<p>Notice also that the extension of our logon script is
+<em class="filename">.bat</em><a name="INDEX-84"/>. Be careful about this&mdash;an extension
+of <em class="filename">.cmd</em><a name="INDEX-85"/> will work for Windows NT/2000/XP clients,
+but will result in errors for Windows 95/98/Me clients, which do not
+recognize <em class="filename">.cmd</em> as an extension for batch files.</p>
+
+<p>Because the logon script will be executed on a Windows system, it
+must be in MS-DOS text-file format, with the end of line composed of
+a carriage return followed by a linefeed. The Unix convention is a
+newline, which is simply a linefeed character, so if you use a Unix
+text editor to create your logon script, you must somehow make it use
+the appropriate characters. With
+<em class="emphasis">vim</em><a name="INDEX-86"/><a name="INDEX-87"/> (a clone of the <em class="emphasis">vi</em>
+editor that is distributed with Red Hat Linux), the method is to
+create a new file and use the command:</p>
+
+<blockquote><pre class="code">:se ff=dos</pre></blockquote>
+
+<p>to set the file format to MS-DOS style before typing in any text.
+With <em class="emphasis">emacs</em><a name="INDEX-88"/>, the same can be done using the command:</p>
+
+<blockquote><pre class="code">^X <em class="replaceable">Enter</em> f dos <em class="replaceable">Enter</em></pre></blockquote>
+
+<p>where <tt class="literal">^X</tt> is a Control-X character and
+<tt class="literal">Enter</tt> is a press of the Enter key. Another method
+is to create a Unix-format file in any text editor and then convert
+it to MS-DOS format using the
+<em class="emphasis">unix2dos</em><a name="INDEX-89"/> program:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>unix2dos unix_file &gt;logon.bat</b></tt></pre></blockquote>
+
+<p>If your system does not have <em class="emphasis">unix2dos</em>,
+don't worry. You can implement it yourself with the
+following two-line Perl script:</p>
+
+<blockquote><pre class="code">#!/usr/bin/perl
+open FILE, $ARGV[0];
+while (&lt;FILE&gt;) { s/$/\r/; print }</pre></blockquote>
+
+<p>Or, you can use Notepad on a Windows system to write your script and
+then drag the logon script over to a folder on the Samba server. In
+any case, you can <a name="INDEX-90"/>check the format of your script using
+the <em class="emphasis">od</em><a name="INDEX-91"/> command, like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>od -c logon.bat</b></tt></pre></blockquote>
+
+<p>You should see output resembling this:</p>
+
+<blockquote><pre class="code">0000000   n  e  t     u  s  e      T   :    \  \  t  o  l
+0000020   t  e  c  \  t  e  s  t  \r  \n
+0000032</pre></blockquote>
+
+<p>The important detail here is that at the end of each line is a
+<tt class="literal">\r</tt> <tt class="literal">\n</tt>, which is a carriage
+return followed by a linefeed.</p>
+
+<p>Our example logon script, containing a single <em class="emphasis">net
+use</em> command, was created and set up in a way that allows
+it to be run successfully on any Windows client, regardless of which
+Windows version is installed on the client and which user is
+authenticating or logging on to the domain. But what if we need to
+have different users, computers, or Windows versions running
+different logon scripts?</p>
+
+<p>One method is to use variables inside the <a name="INDEX-92"/>logon script that cause commands to be
+conditionally executed. For details on how to do this, you can
+consult a reference on batch-file programming for MS-DOS and Windows
+NT command language. One such reference is <em class="citetitle">Windows NT
+System Administration</em>, published by
+O'Reilly.</p>
+
+<p>Windows batch-command language is very limited in functionality.
+Fortunately, Samba also supports a means by which customization can
+be handled. The
+<em class="filename">smb.conf</em><a name="INDEX-93"/><a name="INDEX-94"/> file contains variables that can be
+used to insert (at runtime) the name of the server
+(<tt class="literal">%L</tt><a name="INDEX-95"/>), the username of the person who is
+accessing the server's resources
+(<tt class="literal">%u</tt><a name="INDEX-96"/>), or the computer name of the client
+system (<tt class="literal">%m</tt><a name="INDEX-97"/>). To give an example, if we set up the
+path to the logon script as:</p>
+
+<blockquote><pre class="code">logon script = %u/logon.bat</pre></blockquote>
+
+<p>we would then put a directory for each user in the
+<tt class="literal">[netlogon]</tt> share, with each directory named the
+same as the user's username, and in each directory
+we would put a customized <em class="filename">logon.bat</em> file. Then
+each user would have his own custom logon script. We will give you a
+better example of how to do this kind of thing in the next section,
+<a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a>.</p>
+
+<a name="samba2-CHP-4-NOTE-112"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>For more information on Samba configuration file variables, such as
+the <tt class="literal">%L</tt>, <tt class="literal">%u</tt>, and
+<tt class="literal">%m</tt> variables we just used, see <a href="ch06.html">Chapter 6</a> and <a href="appb.html">Appendix B</a>.</p>
+</blockquote>
+
+<p>When modifying and testing your logon script, don't
+just log off of your Windows session and log back on to make your
+script run. Instead, restart (reboot) your system before logging back
+on. Because Windows often keeps the <tt class="literal">[netlogon]</tt>
+share open across logon sessions, the reboot ensures that Windows and
+Samba have completely released and reconnected the
+<tt class="literal">[netlogon]</tt> share, and the new version of the logon
+script is being run while logging on.</p>
+
+<p>More information regarding <a name="INDEX-98"/>logon scripts can be found in the
+O'Reilly book, <em class="emphasis">Managing Windows NT
+Logons</em>. <a name="INDEX-99"/> <a name="INDEX-100"/><a name="INDEX-101"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-5"/>
+
+<h2 class="head1">Roaming Profiles</h2>
+
+<p><a name="INDEX-102"/>One benefit of the centralized
+authentication of Windows NT domains is that a user
+<a name="INDEX-103"/>can log on from more than just one
+computer. To help users feel more &quot;at
+home&quot; when logged on at a computer other than their
+usual one, Microsoft has added the ability for
+users' personal settings to
+&quot;roam&quot; from one computer to
+another.</p>
+
+<p>All Windows versions can be configured individually for each user of
+the computer. Windows NT/2000/XP supports the ability to handle
+multiple user accounts, and Windows 95/98/Me can be configured for
+use by multiple users, keeping the configuration settings for each
+user separate. Each user can configure the
+computer's settings to her liking, and the system
+saves these settings as the user's
+<em class="firstterm">profile</em>, such that upon logging on to the
+system, the user is presented with her familiar desktop.</p>
+
+<p>Some of the settings, such as folder options or the image used for
+the desktop background, are held in the registry. Others, including
+the documents and folders appearing on the desktop and the contents
+of the Start menu, are stored as folders and files in the filesystem.</p>
+
+<p>When the profile is stored on the local system, it is called a
+<em class="firstterm">local profile</em><a name="INDEX-104"/>. On Windows NT, local profiles are
+stored in <em class="filename">C:\winnt\profiles</em>. On Windows 2000/XP,
+they can be found in <em class="filename">C:\Documents and Settings.
+</em>On Windows 95/98/Me, when configured for a single user
+(the default case), the local profile is scattered in places such as
+the registry and directories such as
+<em class="filename">C:\Windows\Desktop</em> and
+<em class="filename">C:\Windows\Start Menu</em>. When Windows 95/98/Me is
+configured for multiple users, the local profile of the preexisting
+user is moved to a folder in <em class="filename">C:\Windows\Profiles</em>
+that has the same name as the user, and any users that are
+subsequently added to the computer have their local profiles created
+in that directory as well. You can browse through the local profiles
+to see their structure&mdash;each has a <a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><a name="INDEX-108"/><a name="INDEX-109"/>registry file
+(<em class="filename">USER.DAT</em><a name="INDEX-110"/><a name="INDEX-111"/> for Windows 95/98/Me and
+<em class="filename">NTUSER.DAT</em><a name="INDEX-112"/><a name="INDEX-113"/> for Windows NT/2000/XP) and some folders
+that contain shortcuts and documents.</p>
+
+<p>A roaming profile is a user profile that is stored on a server and
+&quot;follows&quot; its owner around the
+network so that when the user logs on to the domain from another
+computer, his profile is downloaded from the server and his familiar
+desktop appears on that computer as well.</p>
+<a name="samba2-CHP-4-NOTE-113"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p><a name="INDEX-114"/>Samba can
+support roaming profiles, and it is a fairly simple matter to
+configure it for them. However, this is one feature that we recommend
+you <em class="emphasis">do not</em> use, at least until you are sure you
+understand roaming profiles well and are very confident that you can
+implement them with no harm incurred. If you want to (or are required
+to) implement roaming profiles for your Windows clients, we suggest
+you first set up a small domain with a Samba server and a few Windows
+clients exclusively for the purposes of research and testing.
+<em class="emphasis">Under no circumstances should you attempt to implement
+roaming profiles in a careless or frivolous manner</em>.</p>
+</blockquote>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.1"/>
+
+<h3 class="head2">How Roaming Profiles work</h3>
+
+<p><a name="INDEX-115"/>We will start out by explaining to you
+how roaming profiles work when set up correctly. You will need a
+clear understanding of them to tell the difference between when they
+are working as they are designed and when they are not. In addition,
+roaming profiles can be a source of confusion for your users in many
+ways, and you should know how to detect when a problem with a client
+is related to roaming profile function or dysfunction.</p>
+
+<a name="samba2-CHP-4-NOTE-114"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p><a name="INDEX-116"/>A definitive source of
+documentation on Windows NT roaming profiles is the Microsoft white
+paper <em class="citetitle">Implementing Policies and Profiles for Windows NT
+4.0</em><a name="INDEX-117"/>, which can be found at
+<a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
+</blockquote>
+
+<p>During the domain logon process, the roaming profile is copied from
+the domain controller and used as a local profile during the
+user's logon session. When the user logs off the
+domain, the local profile is copied back to the domain controller and
+stored as the new roaming profile. When the local profile is changed,
+the server does not receive an update until the user logs off the
+domain or shuts down or reboots the client. The client does not send
+an update to the server during the logon session, and a client does
+not receive an update of a setting changed on another client during a
+logon session. When the user does log off, changes in the
+configuration settings in the local profile are sent to the server,
+and the updates of the roaming profile are available for the next
+logon session.</p>
+
+<p>This simple behavior can lead to unexpected results when users are
+<a name="INDEX-118"/>logged on to the domain
+on more than one client at a time. If a user makes a change to the
+configuration settings on one client and then logs off, the settings
+can result in the roaming profile being modified accordingly. But the
+next client that logs off might cause those changes to be
+overwritten, and if so, the settings from the first client will be
+lost. The behavior of different Windows versions varies with regard
+to this, and we've seen a wide variety of
+behaviors&mdash;not always in alignment with
+Microsoft's documentation or even working the same
+way on separate occasions. Sometimes Windows will refuse to overwrite
+a profile, perhaps giving an &quot;access
+denied&quot; error, and at other times it will seem to
+work while producing odd side effects. A common source of confusion
+is what happens if a file is added to or deleted from the desktop,
+which is by default configured to be part of the profile. A deleted
+file might later reappear, and it is even possible for a file to
+irrecoverably disappear without warning (on Windows 95/98). Or maybe
+a file that is added to the desktop on one client never gets added to
+the roaming profile and fails to propagate to other clients. This
+behavior is somewhat improved on Windows 2000/XP, which attempts to
+merge items into the profile that are added on concurrently logged-on
+clients.</p>
+
+<p>One factor that comes into play is that Windows compares the
+<a name="INDEX-119"/>timestamps of the local and roaming
+profiles and can refuse to overwrite a roaming profile if it is newer
+than the local profile on the client, or vice versa. For this reason,
+it is important to keep the clocks of the Windows clients and the
+Samba PDC synchronized. We have already shown you how to do this,
+using the <em class="emphasis">net time
+\\</em><em class="replaceable">server</em>
+<em class="emphasis">/set</em> <em class="emphasis">/yes</em> command in the
+logon script.</p>
+
+<p><a name="INDEX-120"/>Even when the server and clients are
+correctly configured, a number of things that can happen make things
+seem &quot;broken.&quot; The most common
+occurrence is that some shortcuts on clients other than the one that
+created the roaming profile will not work. These shortcuts can exist
+on the desktop or as items in the Start menu. This behavior is a
+result of applications or files that exist on one computer but not
+others. Windows will display these shortcuts, but if they appear on
+the desktop, they will have a generic icon and will bring up an error
+message if a user double-clicks them.</p>
+
+<a name="samba2-CHP-4-NOTE-115"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Because profiles can and usually do include the contents of the
+desktop and other folders, it is possible for the roaming profile to
+grow to a huge size due to actions of a user, such as creating new
+files on the desktop or copying files there. By default, Internet
+Explorer keeps its disk cache in the <em class="filename">Temporary Internet
+Files</em><a name="INDEX-121"/><a name="INDEX-122"/> folder in the profile and has been
+known to populate this directory with thousands of files. This can
+result in a huge roaming profile that causes network congestion and
+very large delays while users are logging on to the domain. (A fix
+for this can be found in article Q185255 in the Microsoft Knowledge
+Base.)</p>
+</blockquote>
+
+<p>One behavior we've seen a few times is that if, for
+some reason (e.g., a network error or misconfiguration), the roaming
+profile is not available during the logon process, Windows will use
+the local profile on the client instead. When this happens, the user
+might receive an unfamiliar profile, and all the benefits of roaming
+profiles are lost for that logon session.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.2"/>
+
+<h3 class="head2">Configuring Samba for Roaming Profiles</h3>
+
+<p><a name="INDEX-123"/><a name="INDEX-124"/>In an ideal world, different Windows
+versions would share the same roaming profile, allowing users to log
+on to the domain from any Windows client system, ranging from Windows
+95 to Windows XP, and enjoy their familiar settings. It would even be
+possible to be logged on concurrently from multiple clients, and a
+change made to the profile on any of them would quickly propagate to
+all the others. Settings in a roaming profile made on a client that
+didn't apply to another would be handled sanely.</p>
+
+<p>Unfortunately, this scenario does not work in reality, and it is
+important to maintain separate roaming profiles to prevent different
+Windows versions from using or modifying a roaming profile created
+by, and/or in use by, another version.</p>
+
+<p>We do this by using configuration file variables to point to
+different profile directories. If you look at <a href="appb.html#samba2-APP-B-TABLE-1">Table B-1</a> in <a href="appb.html#samba2-APP-B#samba2-APP-B">Appendix B</a>, which shows
+the variables that can be used, you might be tempted to use the
+<a name="INDEX-125"/><tt class="literal">%a</tt> variable, which
+is replaced by the name of the operating system the client is
+running. However, this does not work because all of Windows 95/98/Me
+will be seen as the same operating system, and likewise for Windows
+2000/XP. So, we use <a name="INDEX-126"/><tt class="literal">%m</tt> to get the
+NetBIOS name of the client, and combine that with a symbolic link to
+point to the directory containing the profile for the Windows version
+that particular client is running.</p>
+
+<p>Our additions to <em class="filename">smb.conf</em> that appeared earlier
+in this chapter included the two lines:</p>
+
+<blockquote><pre class="code">logon path = \\%L\profiles\%u\%m
+logon home = \\%L\%u\.win_profile\%m</pre></blockquote>
+
+<p>The first line specifies where the roaming profiles for Windows
+NT/2000/XP clients are kept, and the second line performs the same
+function for Windows 95/98/Me clients. In both cases, the location is
+specified as a UNC, but
+<tt class="literal">logon</tt><a name="INDEX-127"/> <tt class="literal">path</tt> (for Windows
+NT/2000/XP) is specified relative to the
+<tt class="literal">[profiles]</tt> share, while
+<tt class="literal">logon</tt><a name="INDEX-128"/> <tt class="literal">home</tt> (for Windows
+95/98/Me) is specified relative to the user's home
+directory. This is done to comply with Samba's
+emulation of Windows NT/2000 PDC behavior.</p>
+
+<p>The <tt class="literal">logon</tt> <tt class="literal">home</tt> UNC must begin
+by specifying the user's home directory, which in
+our previous example would be <tt class="literal">\\%L\%u</tt>. The
+variable <tt class="literal">%L</tt><a name="INDEX-129"/> expands to the NetBIOS name of the
+server (in this case, toltec), and
+<tt class="literal">%u</tt><a name="INDEX-130"/> expands to the name of the user. This
+must be done to allow the command:</p>
+
+<a name="INDEX-131"/><blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net use h: /home</b></tt></pre></blockquote>
+
+<p>to function correctly to connect the user's home
+directory to drive letter H: on all Windows clients. (The drive
+letter used for this purpose is defined by <tt class="literal">logon</tt>
+<tt class="literal">drive</tt>.) We add the directory
+<em class="filename">.win_profile</em><a name="INDEX-132"/> to the UNC to put the Windows
+95/98/Me roaming profile in a subdirectory of the
+user's home directory.</p>
+<a name="samba2-CHP-4-NOTE-116"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Note that in both <tt class="literal">logon path</tt> and <tt class="literal">logon
+home</tt>, we absolutely avoid making the profile directory the
+same as the user's home directory, and the directory
+that contains the profile is not used for any other purpose. This is
+because when the roaming profile is updated, all directories and
+files in the roaming-profile directory that are not part of the
+roaming profile are deleted.</p>
+</blockquote>
+
+<p>In the <tt class="literal">logon</tt> <tt class="literal">path</tt> line in
+<em class="filename">smb.conf</em>, we use <tt class="literal">%u</tt> to put
+the profiles directory in a subdirectory in the
+<tt class="literal">[profiles]</tt> share, such that each user gets her own
+directory that holds her roaming profiles.</p>
+
+<p>We define the <tt class="literal">[profiles]</tt> share like this:</p>
+
+<blockquote><pre class="code">[profiles]
+    writable = yes
+    create mask = 0600
+    directory mask = 0700
+    browsable = no
+    path = /home/samba-ntprof</pre></blockquote>
+
+<p>The first four parameters in the previous share definition specify to
+allow roaming profiles to be written with the users'
+permissions, to create files with read and write permissions for the
+owner, and to create directories with read, write, and search
+permissions for the owner and no access allowed for other users. As
+with the <tt class="literal">[netlogon]</tt> share, we set
+<tt class="literal">browsable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> so that the share will not show up on the
+clients in Windows Explorer.</p>
+
+<p>We've decided to put our Windows NT/2000/XP profiles
+in <em class="filename">/home</em>, the default location of the home
+directories on Linux. This will make it simple to include the roaming
+profiles in backups of the home directories. You can use another
+directory if you like.</p>
+
+<p>Notice that in both <tt class="literal">logon</tt> <tt class="literal">path</tt>
+and <tt class="literal">logon</tt> <tt class="literal">home</tt>, the directory
+we specify ends in <tt class="literal">%m</tt>, which Samba replaces with
+the NetBIOS name of the client. We are using the
+client's computer name to identify indirectly which
+version of Windows it is running.</p>
+
+<p>Initially, the directories you specify to hold the roaming profiles
+will be empty and will become populated as clients log off for the
+first time. (Samba will even create the directories if they do not
+already exist.) At first, the directories will simply contain
+profiles that are identical to the clients' local
+profiles, and we highly recommend that you make a backup at this
+point before things get complicated. A listing of the roaming profile
+directory for user <tt class="literal">iman</tt>, after she has logged off
+from Windows 98 clients <tt class="literal">mixtec</tt> and
+<tt class="literal">pueblo</tt> and Windows Me clients
+<tt class="literal">huastec</tt> and <tt class="literal">navajo</tt>, might look
+something like the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
+total 4
+drwx------    6 iman      iman          4096 Dec  8 18:09 huastec
+drwx------    9 iman      iman          4096 Dec  7 03:47 mixtec
+drwx------   11 iman      iman          4096 Dec  7 03:05 navajo
+drwx------   11 iman      iman          4096 Dec  7 03:05 pueblo</pre></blockquote>
+
+<p>If things were left like this, the clients would not share their
+roaming profiles, so next we change from using separate directories
+to having symbolic links point to common directories:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mv mixtec Win98</b></tt>
+# <tt class="userinput"><b>mv navajo WinMe</b></tt>
+# <tt class="userinput"><b>rm huastec pueblo</b></tt>
+# <tt class="userinput"><b>ln -s Win98 pueblo</b></tt>
+# <tt class="userinput"><b>ln -s WinMe huastec</b></tt>
+# <tt class="userinput"><b>chown iman:iman *</b></tt>
+# <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
+total 6
+lrwxrwxrwx    1 iman      iman             5 Nov 16 01:40 huastec -&gt; WinMe
+lrwxrwxrwx    1 iman      iman             5 Nov 16 01:40 mixtec -&gt; Win98
+lrwxrwxrwx    1 iman      iman             5 Nov 21 17:24 navajo -&gt; WinMe
+lrwxrwxrwx    1 iman      iman             5 Nov 23 01:16 pueblo -&gt; Win98
+drwx------    9 iman      iman          4096 Dec  7 03:47 Win98
+drwx------   11 iman      iman          4096 Dec  7 03:05 WinMe</pre></blockquote>
+
+<p>Now when <tt class="literal">iman</tt> logs on to the domain from either
+Windows 98 system, the client from which she is logging on will get
+the profile stored in the <em class="filename">Win98</em> directory (that
+started out as her local profile on <tt class="literal">mixtec</tt>). This
+works likewise for the Windows Me clients.</p>
+
+<p>To show a more complete example, here is a listing of a fully
+operational Windows 95/98/Me profiles directory:</p>
+
+<a name="INDEX-133"/><blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/jay/.win_profile</b></tt>
+total 12
+lrwxrwxrwx    1 jay      jay             9 Nov 16 22:14 aztec -&gt; /home/jay
+lrwxrwxrwx    1 jay      jay             5 Nov 16 01:40 hopi -&gt; Win95
+lrwxrwxrwx    1 jay      jay             5 Nov 16 01:40 huastec -&gt; WinMe
+lrwxrwxrwx    1 jay      jay             5 Nov 16 01:38 maya -&gt; Win98
+lrwxrwxrwx    1 jay      jay             5 Nov 16 01:40 mixtec -&gt; Win98
+lrwxrwxrwx    1 jay      jay             5 Nov 21 17:24 navajo -&gt; WinMe
+lrwxrwxrwx    1 jay      jay             5 Nov 23 01:16 pueblo -&gt; Win98
+lrwxrwxrwx    1 jay      jay             5 Nov 22 02:06 ute -&gt; Win95
+drwx------    6 jay      jay          4096 Dec  8 18:09 Win95
+drwx------    9 jay      jay          4096 Dec  7 03:47 Win98
+drwx------   11 jay      jay          4096 Dec  7 03:05 WinMe
+lrwxrwxrwx    1 jay      jay             5 Nov 21 22:48 yaqui -&gt; Win98
+lrwxrwxrwx    1 jay      jay             9 Nov 16 22:14 zuni -&gt; /home/jay</pre></blockquote>
+
+<p>Again, the computer name of each client exists in this directory as a
+symbolic link that points to the directory containing the actual
+roaming profile. For example, <tt class="literal">maya</tt>, a client that
+runs Windows 98, has a symbolic link named <em class="filename">maya</em>
+to the <em class="filename">Win98</em> directory. A listing of
+<em class="filename">Win98</em> shows:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l Win98</b></tt>
+total 148
+drwxr-xr-x    3 jay      jay          4096 Nov 23 01:30 Application Data
+drwxr-xr-x    2 jay      jay          4096 Nov 23 01:30 Cookies
+drwxr-xr-x    3 jay      jay          4096 Dec  7 03:47 Desktop
+drwxr-xr-x    3 jay      jay          4096 Nov 23 01:30 History
+drwxr-xr-x    2 jay      jay          4096 Nov 23 01:30 NetHood
+drwxr-xr-x    2 jay      jay          4096 Dec  7 03:47 Recent
+drwxr-xr-x    3 jay      jay          4096 Nov 23 01:30 Start Menu
+-rw-r--r--    1 jay      jay        114720 Dec  7 03:46 USER.DAT</pre></blockquote>
+
+<p>The contents of the <em class="filename">Win95</em> and
+<em class="filename">WinMe</em> directories appear similar and contain
+roaming profiles that work exactly as they should on their respective
+operating systems.</p>
+
+<p>Notice in the previous listing that <em class="filename">aztec</em> and
+<em class="filename">zuni</em> are symbolic links to
+<em class="filename">/home/jay</em>. We've cautioned you
+never to configure a roaming profile directory to be a
+user's home directory, but this is to handle
+something different. The clients <tt class="literal">aztec</tt> and
+<tt class="literal">zuni</tt> are Windows XP systems, which handle
+<tt class="literal">logon</tt> <tt class="literal">home</tt> differently than
+other versions of Windows. We have set <tt class="literal">logon</tt>
+<tt class="literal">home</tt> <tt class="literal">=</tt>
+<tt class="literal">\\%L\%u\</tt>.<tt class="literal">win</tt>
+<tt class="literal">profile</tt>, and all versions of Windows except for
+Windows XP strip off everything after <tt class="literal">\\%L\%u</tt> and
+correctly locate the home directory&mdash;in this case,
+<em class="filename">/home/jay</em>. Windows XP uses the full UNC, so we
+simply add a symbolic link to redirect it to the correct directory to
+get the <em class="emphasis">net use H: /home</em> command to work as it
+should. The roaming profiles for Windows XP systems are not affected
+by this and are kept with the other roaming profiles in the Windows
+NT/2000/XP family, as shown in this listing:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/samba-ntprof/jay</b></tt>
+total 16
+lrwxrwxrwx    1 jay      jay             5 Nov 20 03:45 apache -&gt; Win2K
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:35 aztec -&gt; WinXP
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:34 dine -&gt; WinNT
+lrwxrwxrwx    1 jay      jay             5 Nov 24 03:44 inca -&gt; Win2K
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:34 pima -&gt; Win2K
+drwx------   13 jay      jay          4096 Dec  3 15:24 qero
+drwx------   13 jay      jay          4096 Dec  1 20:31 Win2K
+drwx------   12 jay      jay          4096 Nov 30 17:04 WinNT
+drwx------   13 jay      jay          4096 Nov 20 01:23 WinXP
+lrwxrwxrwx    1 jay      jay             5 Nov 20 06:09 yavapai -&gt; WinXP
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:34 zapotec -&gt; Win2K
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:35 zuni -&gt; WinXP</pre></blockquote>
+
+<p>As you can see, we are using a similar method for the Windows
+NT/2000/XP roaming profiles. In the listing,
+<em class="filename">qero</em> is not a symbolic link, but rather a
+directory that holds the roaming profile for <tt class="literal">qero</tt>,
+a Windows 2000 client that has recently been added. We had not
+created a symbolic link called <em class="filename">qero</em> before
+installing Windows 2000, so when jay logged off for the first time,
+Samba created a directory named <em class="filename">qero</em> and copied
+the roaming profile received from the client to the new directory.
+Because this is a separate directory from <em class="filename">Win2K</em>,
+which all other Windows 2000 clients are using to share their roaming
+profiles, the roaming profile for <tt class="literal">qero</tt> works like
+a local profile, except that it is stored on the primary domain
+controller.</p>
+
+<p>This might seem like an odd thing to do, but it has some purpose.
+Sometimes you might wish to isolate a client in this manner,
+especially while the operating system is being installed and
+initially configured. Remember, if that client, with its default
+local profile, is logged off the domain, the local profile will be
+written to the roaming profile directory. If the client were using
+the shared roaming profile directory, the effect could be
+undesirable, to say the least. Using our method, the
+<em class="filename">qero</em> directory can later be renamed to make it
+into an archival backup, or it can just be deleted. Then a new
+symlink named <em class="filename">qero</em> can be created to point to
+the <em class="filename">Win2K</em> directory, and <tt class="literal">qero</tt>
+will share the roaming profile in <em class="filename">Win2K</em> with the
+other Windows 2000 clients.</p>
+
+<p>An alternative method is simply to create the
+<a name="INDEX-134"/>symbolic
+links before the clients are added to the network. After you become
+more comfortable with the way roaming profiles work, you might find
+this method to be simpler and quicker.</p>
+
+<p>Again, we urge you to be careful about letting different versions of
+Windows share the same roaming profile. The method of configuring
+roaming profiles we've shown you here allows you to
+test a configuration for a few clients at a time without affecting
+your whole network of clients. For example, we could install a small
+number of Windows 2000 and Windows XP systems in the domain for
+testing purposes and then create symlinks for them that point to a
+directory called <em class="filename">Win2KXP</em> to find out if sharing
+roaming profiles between our Windows 2000 and Windows XP systems
+meets our expectations. The <em class="filename">Win2KXP</em> directory
+could be created as an empty directory, in which case it would have a
+roaming profile written to it by the first of the clients to log off.
+Or, <em class="filename">Win2KXP</em> could simply be a renamed roaming
+profile directory that was created by one of the clients when it was
+added to the domain. <a name="INDEX-135"/><a name="INDEX-136"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.3"/>
+
+<h3 class="head2">Configuring Windows 95/98/Me for Roaming Profiles</h3>
+
+<p><a name="INDEX-137"/><a name="INDEX-138"/>For roaming profiles to work on
+Windows 95/98/Me clients, all you need to do is change one setting to
+allow each user to have a separate local profile. This has the side
+effect of enabling roaming profiles as well.</p>
+
+<p>Open the Control Panel and double-click the Passwords icon to open
+the Passwords Properties dialog box. Click the User Profiles tab, and
+the dialog box will appear as shown in <a href="ch04.html#samba2-CHP-4-FIG-12">Figure 4-12</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-12"/><img src="figs/sam2_0412.gif"/></div><h4 class="head4">Figure 4-12. The Windows 98 Passwords Properties dialog</h4>
+
+<p>Click the button labeled &quot;Users can customize their
+preferences and desktop settings.&quot; In the User
+profile settings box, you can check the options you prefer. When
+done, click the OK button and reboot as requested. During this first
+reboot, Windows will copy the local profile data to
+<em class="filename">C:\windows\profiles</em> but will not attempt to copy
+the roaming profile from the server. The next time the system is shut
+down, the local profile will be copied to the server, and when
+Windows reboots, it will copy the roaming profile from the server.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.4"/>
+
+<h3 class="head2">Configuring Windows NT/2000/XP for Roaming Profiles</h3>
+
+<p><a name="INDEX-139"/><a name="INDEX-140"/><a name="INDEX-141"/><a name="INDEX-142"/>Roaming profiles are enabled by
+default on Windows NT/2000/XP. In case you would like to check or
+modify your settings, follow these directions.</p>
+
+<p>Make sure you are logged in to the local system as Administrator or
+another user in the Administrators group. Open the Control Panel and
+double-click the System icon. On Windows NT/2000, click the User
+Profiles tab, or on Windows XP, click the Advanced tab and then the
+Settings button in the User Profiles box. You should see the dialog
+box in <a href="ch04.html#samba2-CHP-4-FIG-13">Figure 4-13</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-13"/><img src="figs/sam2_0413.gif"/></div><h4 class="head4">Figure 4-13. The Windows 2000 System Properties, User Profiles tab</h4>
+
+<p>Notice in the figure that there are two entries for the username
+<tt class="literal">jay</tt>. The entry ZAPOTEC\jay refers to the account
+on the local system, and METRAN\jay refers to the domain account.
+Recall that when a user logs on, a drop-down menu in the dialog box
+allows him to log on to a domain or log in to the local system. When
+<tt class="literal">jay</tt> logs in to the local machine, only the local
+profile is used. When logged on to the domain, the configuration
+shown will use the roaming profile. To switch a
+user's profile type for a domain logon account,
+click the account name to select it, then click the Change Type...
+button near the bottom of the dialog box. The Change Profile Type
+dialog box will appear. Click the radio button for either roaming or
+local profile, and then click the OK buttons for each dialog box.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.5"/>
+
+<h3 class="head2">Mandatory Profiles</h3>
+
+<p><a name="INDEX-143"/>With a simple
+modification, a <a name="INDEX-144"/>roaming profile can be made into a
+<a name="INDEX-145"/>mandatory
+profile, which has the quality of being unmodifiable by its owner.
+Mandatory profiles are used in some computing environments to
+simplify administration. The theory is that if users cannot modify
+their profiles, less can go wrong, and it is also possible to use the
+same standardized profile for all users.</p>
+
+<p>In practice, some issues come up. Because the users can still modify
+the configuration settings in their local profile during their logon
+session, confusion can result the next time they log on to the domain
+and discover their changes have been
+&quot;lost.&quot; If the user of a client
+reinstalls an application in a different place, the shortcuts to the
+program on the desktop, in the Start menu, or in a Quick Launch bar
+cannot be permanently deleted. They will reappear every time the user
+logs back on to the domain. Essentially, a mandatory profile is a
+roaming profile that always fails to update to the server upon
+logging off!</p>
+
+<p>Another complication is that different versions of Windows behave
+differently with mandatory profiles. If a user who has a mandatory
+profile creates a new file on her desktop, the file might be missing
+the next time the user logs off and on again or reboots. Some Windows
+versions preserve desktop files in the local profile (even if the
+file does not exist in the mandatory profile), whereas others do not.</p>
+
+<p>To change a <a name="INDEX-146"/><a name="INDEX-147"/>roaming profile to a mandatory
+profile, all you have to do is rename the
+<em class="filename">.dat</em><a name="INDEX-148"/><a name="INDEX-149"/> file in the roaming profile directory
+on the server to have a <em class="filename">.man</em> extension instead.
+For a Windows 95/98/Me roaming profile, you would rename
+<em class="filename">USER.DAT</em> to <em class="filename">USER.MAN</em>, and
+for a Windows NT/2000/XP roaming profile, you would rename
+<em class="filename">NTUSER.DAT</em> to <em class="filename">NTUSER.MAN</em>.
+Also, you might want to make the roaming-profile directory and its
+contents read-only, to make sure that a user can't
+change it by logging into his Unix user account on the Samba host
+system.</p>
+
+<p>If you want to have all your users share a mandatory profile, you can
+change the definitions of <tt class="literal">logon</tt>
+<tt class="literal">path</tt> and <tt class="literal">logon</tt>
+<tt class="literal">home</tt> in your <em class="filename">smb.conf</em> file to
+point to a shared mandatory profile on the server and adjust your
+directory structure and symbolic links accordingly. For example,
+<tt class="literal">logon</tt> <tt class="literal">path</tt> and
+<tt class="literal">logon</tt> <tt class="literal">home</tt> might be defined
+like this:</p>
+
+<blockquote><pre class="code">logon path = \\%L\profiles\%m
+logon home = \\%L\%u\.win_profile\%m</pre></blockquote>
+
+<p>Notice that we've removed the <tt class="literal">%u</tt>
+part of the path for <tt class="literal">logon</tt>
+<tt class="literal">path</tt>, and we would also change the directory
+structure on the server to do away with the separation of the
+profiles by username and have just one profile for each Windows
+NT/2000/XP version.</p>
+
+<p>We cannot use the same treatment for <tt class="literal">logon</tt>
+<tt class="literal">home</tt> because it is also used to specify the home
+directory. In this case, we would change the symbolic links in each
+user's <em class="filename">.win_profile</em> directory
+to point to a common mandatory profile directory containing the
+mandatory profiles for each of Windows 95/98/Me. Again, check the
+ownership and permissions on the files in the directory, and modify
+them if necessary to make sure a user can't modify
+any files by logging into her Unix account on the Samba host system.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.6"/>
+
+<h3 class="head2">Logon Script and Roaming-Profile Options</h3>
+
+<p><a href="ch04.html#samba2-CHP-4-TABLE-1">Table 4-1</a> summarizes the options commonly used in
+association with Windows NT domain <a name="INDEX-150"/><a name="INDEX-151"/>logon
+scripts and roaming profiles.</p>
+
+<a name="samba2-CHP-4-TABLE-1"/><h4 class="head4">Table 4-1. Logon-script options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">logon</tt> <tt class="literal">script</tt></p>
+</td>
+<td>
+<p>string (MS-DOS path)</p>
+</td>
+<td>
+<p>Name of logon script batch file</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">logon</tt> <tt class="literal">path</tt></p>
+</td>
+<td>
+<p>string (UNC server and share name)</p>
+</td>
+<td>
+<p>Location of roaming profile</p>
+</td>
+<td>
+<p><tt class="literal">\\%N\%U\profile</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">logon</tt> <tt class="literal">drive</tt></p>
+</td>
+<td>
+<p>string (drive letter)</p>
+</td>
+<td>
+<p>Specifies the logon drive for a home directory</p>
+</td>
+<td>
+<p><tt class="literal">Z</tt>:</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">logon</tt> <tt class="literal">home</tt></p>
+</td>
+<td>
+<p>string (UNC server and share name)</p>
+</td>
+<td>
+<p>Specifies a location for home directories for clients logging on to
+the domain</p>
+</td>
+<td>
+<p><tt class="literal">\\%N\%U</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.1"/>
+
+<a name="INDEX-152"/><h3 class="head3">logon script</h3>
+
+<p>This option specifies a Windows batch file that will be executed on
+the client after a user has logged on to the domain. Each logon
+script should be stored in the root directory of the
+<tt class="literal">[netlogon]</tt> share or a subdirectory. This option
+frequently uses the <tt class="literal">%U</tt> or <tt class="literal">%m</tt>
+variables (user or NetBIOS name) to point to an individual script.
+For example:</p>
+
+<blockquote><pre class="code">[global]
+    logon script = %U.bat</pre></blockquote>
+
+<p>will execute a script based on the username. If the user who is
+connecting is <tt class="literal">fred</tt> and the path of the
+<tt class="literal">[netlogon]</tt> share maps to the directory
+<em class="filename">/export/samba/netlogon</em>, the script should be
+<em class="filename">/export/samba/netlogon/fred.bat</em>. Because these
+scripts are downloaded to the client and executed on the Windows
+side, they must have MS-DOS-style newline characters rather than Unix
+newlines.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.2"/>
+
+<a name="INDEX-153"/><h3 class="head3">logon path</h3>
+
+<p>This option specifies the location where roaming profiles are kept.
+When the user logs on, a roaming profile will be downloaded from the
+server to the client and used as the local profile during the logon
+session. When the user logs off, the contents of the local profile
+will be uploaded back to the server until the next time the user
+connects.</p>
+
+<p>It is often more secure to create a separate share exclusively for
+storing user profiles:</p>
+
+<blockquote><pre class="code">[global]
+    logon path = \\hydra\profile\%U</pre></blockquote>
+
+<p>For more information on this option, see <a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a> earlier in this chapter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.3"/>
+
+<a name="INDEX-154"/><h3 class="head3">logon drive</h3>
+
+<p>This option specifies the drive letter on a Windows NT/2000/XP client
+to which the home directory specified with the
+<tt class="literal">logon</tt> <tt class="literal">home</tt> option will be
+mapped. Note that this option will work with Windows NT/2000/XP
+clients only. For example:</p>
+
+<blockquote><pre class="code">[global]
+    logon drive = I:</pre></blockquote>
+
+<p>You should always use drive letters that will not conflict with fixed
+drives on the client machine. The default is Z:, which is a good
+choice because it is as far away from A:, C:, and D: as possible.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.4"/>
+
+<a name="INDEX-155"/><h3 class="head3">logon home</h3>
+
+<p>This option specifies the location of a user's home
+directory for use by the MS-DOS <em class="emphasis">net</em> commands.
+For example, to specify a home directory as a share on a Samba
+server, use the following:</p>
+
+<blockquote><pre class="code">[global]
+    logon home = \\hydra\%U</pre></blockquote>
+
+<p>Note that this works nicely with the <tt class="literal">[homes]</tt>
+service, although you can specify any directory you wish. Home
+directories can be mapped with a logon script using the following
+command:</p>
+
+<a name="INDEX-156"/><blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net use i: /home  </b></tt></pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-6"/>
+
+<h2 class="head1">System Policies</h2>
+
+<p>A <a name="INDEX-157"/>system policy can be used in a Windows
+NT domain as a remote administration tool for implementing a similar
+computing environment on all clients and limiting the abilities of
+users to change configuration settings on their systems or allowing
+them to run only a limited set of programs. One application of system
+policies is to use them along with mandatory profiles to implement a
+collection of computers for public use, such as in a library, school,
+or Internet cafe.</p>
+
+<p>A system policy is a collection of registry settings that is stored
+in a file on the PDC and is automatically downloaded to the clients
+when users log on to the domain. The file containing the settings is
+created on a Windows system using the <a name="INDEX-158"/>System Policy Editor. Because the format
+of the registry is different between Windows 95/98/Me and Windows
+NT/2000/XP, it is necessary to make sure that the file that is
+created is in the proper format. This is a very simple matter because
+when the System Policy Editor runs on Windows 95/98/Me, it will
+create a file in the format for Windows 95/98/Me, and if it is run on
+Windows NT/2000/XP, it will use the format needed by those versions.
+After the policy file is created with the System Policy Editor, it is
+stored on the primary domain controller and is automatically
+downloaded by the clients during the logon process, and the policies
+are applied to the client system.</p>
+
+<p>On Windows NT 4.0 Server, you can run the System Policy Editor by
+logging in to the system as Administrator or another user in the
+Administrators group, opening the Start menu, and selecting Programs,
+then Administrative Tools, then System Policy Editor. On Windows 2000
+Advanced Server, open the Start menu and click Run . . . . In the
+dialog box that comes up, type in
+<tt class="literal">C:\winnt\poledit.exe</tt>, and click the OK button.</p>
+
+<p>If you are using a Windows version other than NT Server or Windows
+2000 Advanced Server, you must install the System Policy Editor, and
+getting a copy of it can be a little tricky. If you are running
+Windows NT 4.0 Workstation or Windows 2000 Professional and have a
+Windows NT 4.0 Server installation CD-ROM, you can run the file
+<em class="filename">\Clients\Svrtools\Winnt\Setup.bat</em> from that CD
+to install the Client-based Network Administration Tools, which
+includes <em class="emphasis">poledit.exe</em>. Then open the Start menu,
+click Run..., type <tt class="literal">C:\winnt\system32\poledit.exe</tt>
+into the text area, and click the OK button.</p>
+
+<p>If you are using Windows 95/98, insert a Windows 95 or Windows 98
+distribution CD-ROM<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> into your CD-ROM drive,
+then open the Control Panel and double-click the Add/Remove Programs
+button.</p>
+
+<p>Click the Windows Setup tab, and then click the Have Disk...
+button. In the new dialog box that appears, click the Browse...
+button, then select the CD-ROM drive from the Drives drop-down menu.
+Then:</p>
+
+<ul><li>
+<p>If you are using a Windows 95 installation CD-ROM, double-click the
+admin, then apptools, then poledit folder icons.</p>
+</li><li>
+<p>If you are using a Windows 98 installation CD-ROM, double-click the
+tools, then reskit, then netadmin, then poledit folder icons.</p>
+</li></ul>
+<p>You should see &quot;<a name="INDEX-159"/>grouppol.inf&quot; appear in
+the File name: text area on the left of the dialog box. Click the OK
+buttons in two dialog boxes, and you will be presented with a dialog
+box in which you should select both the Group Policies and System
+Policy Editor checkboxes. Then click the Install button. Close the
+remaining dialog box, and you can now run the System Policy Editor by
+opening the Start menu and selecting Programs, then Accessories, then
+System Tools, then System Policy Editor. Or click the Run... item in
+the Start Menu, and enter <tt class="literal">C:\Windows\Poledit</tt>.</p>
+
+<p>When the System Policy Editor starts up, select New Policy from the
+File menu, and you will see a window similar to that in <a href="ch04.html#samba2-CHP-4-FIG-14">Figure 4-14</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-14"/><img src="figs/sam2_0414.gif"/></div><h4 class="head4">Figure 4-14. The System Policy Editor window</h4>
+
+<p>The next step is to make a selection from the File menu to add
+policies for users, groups, and computers. For each item you add, you
+will be asked for the username, or name of the group or computer, and
+a new icon will appear in the window. Double-clicking one of the
+icons will bring up the Properties dialog box, such as the one shown
+in <a href="ch04.html#samba2-CHP-4-FIG-15">Figure 4-15</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-15"/><img src="figs/sam2_0415.gif"/></div><h4 class="head4">Figure 4-15. The Properties dialog of System Policy Editor</h4>
+
+<p>The upper window in the dialog shows the registry settings that can
+be modified as part of the system policy, and the lower window shows
+descriptive information or more settings pertaining to the one
+selected in the upper window. Notice in the figure that there are
+three checkboxes and that they are all in different states:</p>
+
+<dl>
+<dt><b>Checked</b></dt>
+<dd>
+<p>Meaning that the registry setting is enabled in the policy</p>
+</dd>
+
+
+
+<dt><b>White (unchecked)</b></dt>
+<dd>
+<p>Which clears the registry setting</p>
+</dd>
+
+
+
+<dt><b>Gray</b></dt>
+<dd>
+<p>Which causes the registry setting on the client to be unmodified</p>
+</dd>
+
+</dl>
+
+<p>Basically, if all the items are left gray (the default), the system
+policy will have no effect. The registry of the logged-on client will
+not be modified. However, if any of the items are either checked or
+unchecked (white), the registry on the client will be modified to
+enable the setting or clear it.</p>
+<a name="samba2-CHP-4-NOTE-117"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>In this section, we are giving you enough information on using the
+System Policy Editor to get you started&mdash;or, should we say,
+enough rope with which to hang yourself. Remember that a system
+policy, once put into action, will be modifying the registries of all
+clients who log on to the domain. The usual warnings about editing a
+Windows registry apply here with even greater importance. Consider
+how difficult (or even impossible) it will be for you to restore the
+registries on all those clients if anything happens to go wrong.
+<em class="emphasis">As with roaming profiles, casual or careless implementation
+of system policies can easily lead to domain-wide
+disaster</em>.</p>
+
+<p>Creating a good system policy file is a complex topic, which we
+cannot cover in detail here. It would take a whole book, and yes,
+there happens to be an O'Reilly book on the subject,
+<em class="citetitle">Windows System Policy Editor</em>. Another
+definitive source of documentation on Windows NT system policies and
+the System Policy Editor is the Microsoft white paper
+<em class="citetitle">Implementing Policies and Profiles for Windows NT
+4.0</em>, which can be found at <a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
+</blockquote>
+
+<p>Once you have created a policy, click the OK button and use the Save
+As... item from the File menu to save it. Use the filename
+<em class="filename">config.pol</em><a name="INDEX-160"/> for a Windows 95/98 system policy and
+<em class="filename">ntconfig.pol</em><a name="INDEX-161"/> for a policy that will be used on Windows
+NT/2000/XP clients. Finally, copy the <em class="filename">.pol</em> file
+to the directory used for the <tt class="literal">[netlogon]</tt> share on
+the Samba PDC. The <em class="filename">config.pol</em> and
+<em class="filename">ntconfig.pol</em> files must go in this
+directory&mdash;unlike roaming profiles and logon scripts, there is
+no way to specify the location of the system policy files in
+<em class="filename">smb.conf</em>. If you want to have different system
+policies for different users or computers, you must perform that part
+of the configuration within the System Policy Editor.</p>
+
+<a name="samba2-CHP-4-NOTE-118"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you have, or will have, any <a name="INDEX-162"/><a name="INDEX-163"/>Windows Me clients on your network,
+be careful. Microsoft has stated that Windows Me does not support
+system policies. The odd thing about this is that it will download
+the policy from a <em class="filename">config.pol</em> file on the PDC,
+but there is no guarantee that the results will be what was intended.
+Check the effect of your system policy carefully on your Windows Me
+clients to make sure it is working how you want.</p>
+</blockquote>
+
+<p>When a user logs on to the domain, her Windows client will download
+the <em class="filename">.pol</em> file from the server, and the settings
+in it (that is, the items either checked or cleared in the System
+Policy Editor) will override the client's settings.</p>
+
+<p>If things &quot;should work&quot; but
+don't, try shutting down the Windows client and
+restarting, rather than just logging off and on again. Windows
+sometimes will hold the <tt class="literal">[netlogon]</tt> share open
+across logon sessions, and this can prevent the client from getting
+the updated <em class="filename">.pol</em> file from the server.
+<a name="INDEX-164"/>
+<a name="INDEX-165"/></p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-7"/>
+
+<h2 class="head1">Samba as a Domain Member Server</h2>
+
+<p><a name="INDEX-166"/>Up to now,
+we've focused on configuring and using Samba as the
+primary domain controller. If you already have a domain controller on
+your network, either a Windows NT/2000 Server system or a Samba PDC,
+you can add a Samba server to the domain as a domain member server.
+This involves setting up the Samba server to have a computer account
+with the primary domain controller, in a similar way that Windows
+NT/2000/XP clients can have computer accounts on a Samba PDC. When a
+client accesses shares on the Samba domain member server, Samba will
+pass off the authentication to the domain controller rather than
+performing the task on the local system. If the PDC is a Windows
+server, any number of Windows BDCs might exist that can handle the
+authentication instead of the PDC.</p>
+
+<p>The first step is to add the Samba server to the domain by creating a
+computer account for it on the primary domain controller. You can do
+this using the <em class="emphasis">smbpasswd</em> command, as follows:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j <em class="replaceable">DOMAIN</em> -r <em class="replaceable">PDCNAME</em> -U<em class="replaceable">admin_acct</em>%<em class="replaceable">password</em></b></tt></pre></blockquote>
+
+<p>In this command, <em class="replaceable">DOMAIN</em> is replaced by the
+name of the domain the Samba host is joining,
+<em class="replaceable">PDCNAME</em> is replaced by the computer name
+of the primary domain controller,
+<em class="replaceable">admin_acct</em> is replaced by the username of
+an administrative account on the domain controller (either
+Administrator&mdash;or another user in the Administrators
+group&mdash;on Windows NT/2000, and root on Samba), and
+<em class="replaceable">password</em> is replaced with the password of
+that user. To give a more concrete example, on our domain that has a
+Windows NT 4 Server primary domain controller or a Windows 2000
+Active Directory domain controller named <tt class="literal">SINAGUA</tt>,
+the command would be:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r SINAGUA -UAdministrator%hup8ter</b></tt></pre></blockquote>
+
+<p>and if the PDC is a Samba system, we would use the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r toltec -Uroot%jwun83jb</b></tt></pre></blockquote>
+
+<p>where <tt class="literal">jwun83jb</tt> is the password for the root user
+that is contained in the<em class="filename"> smbpasswd</em> file, as we
+explained earlier in this chapter.</p>
+
+<p>If you did it right, <em class="emphasis">smbpasswd</em> will respond with
+a message saying the domain has been joined. The security
+identifier<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a> returned to Samba from the PDC is kept in
+the file <em class="filename">/usr/local/samba/private/secrets.tdb</em>.
+The information in
+<em class="filename">secrets.tdb</em><a name="INDEX-167"/> is security-sensitive, so make sure to
+protect <em class="filename">secrets.tdb</em> in the same way you would
+treat Samba's password file.</p>
+
+<p>The next step is to modify the
+<em class="filename">smb.conf</em><a name="INDEX-168"/> file. Assuming you are starting with a
+valid <em class="filename">smb.conf</em> file that correctly configures
+Samba to function in a workgroup, such as the one we used in <a href="ch02.html">Chapter 2</a>, it is simply a matter of adding the following
+three lines to the <tt class="literal">[global]</tt> section:</p>
+
+<blockquote><pre class="code">workgroup = METRAN
+security = domain
+password server = *</pre></blockquote>
+
+<p>The first line establishes the name of the domain (even though it
+says &quot;workgroup&quot;). Instead of
+METRAN, use the name of the domain you are joining. Setting security
+to &quot;domain&quot; causes Samba to hand
+off authentication to a domain controller, and the
+<tt class="literal">password</tt> <tt class="literal">server</tt>
+<tt class="literal">=</tt> <tt class="literal">*</tt> line tells Samba to find
+the domain controller for authentication (which could be the primary
+domain controller or a backup domain controller) by querying the WINS
+server or using broadcast packets if a WINS server is not available.</p>
+
+<p>At this point, it would be prudent to run
+<em class="emphasis">testparm</em> to check that your
+<em class="filename">smb.conf</em> is free of errors. Then restart the
+Samba daemons.</p>
+
+<p>If the PDC is a Windows NT system, you can use Server Manager to
+check that the Samba server has been added successfully. Open the
+Start menu, then select Programs, then Administrative Tools (Common),
+and then Server Manager. Server Manager starts up with a window that
+looks like <a href="ch04.html#samba2-CHP-4-FIG-16">Figure 4-16</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-16"/><img src="figs/sam2_0416.gif"/></div><h4 class="head4">Figure 4-16. The Windows NT Server Manager window</h4>
+
+<p>As you can see, we've added both
+<tt class="literal">toltec</tt> and <tt class="literal">mixtec</tt> to a domain
+for which the Windows NT 4.0 Server system,
+<tt class="literal">sinagua</tt>, is the primary domain controller.</p>
+
+<p>You can check your setup on Windows 2000 Advanced Server by opening
+the Start menu and selecting Programs, then Administrative Tools,
+then Active Directory Users and Computers. The window that opens up
+will look like <a href="ch04.html#samba2-CHP-4-FIG-17">Figure 4-17</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-17"/><img src="figs/sam2_0417.gif"/></div><h4 class="head4">Figure 4-17. The Windows 2000 Active Directory Users and Computers window</h4>
+
+<p>Click Computers in the left side of the window with the Tree tab. You
+should see your Samba system listed in the right pane of the window.
+<a name="INDEX-169"/></p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-8"/>
+
+<h2 class="head1">Windows NT Domain Options</h2>
+
+<p><a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a> shows the options that are commonly used
+in association with Samba on a Windows NT domain.</p>
+
+<a name="samba2-CHP-4-TABLE-2"/><h4 class="head4">Table 4-2. Windows NT domain options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">domain logons</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>Indicates whether Windows domain logons are to be used</p>
+</td>
+<td>
+<p><tt class="literal">No</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">domain master</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>For telling Samba to take the role of domain master browser</p>
+</td>
+<td>
+<p>Auto</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">add user script</tt></p>
+</td>
+<td>
+<p>string (command)</p>
+</td>
+<td>
+<p>Script to run to add a user or computer account</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">delete user</tt> <tt class="literal">script</tt></p>
+</td>
+<td>
+<p>string (command)</p>
+</td>
+<td>
+<p>Script to run to delete a user or computer account</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">domain admin group</tt></p>
+</td>
+<td>
+<p>string (list of users)</p>
+</td>
+<td>
+<p>Users that are in the Domain Admins group</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">domain guest group</tt></p>
+</td>
+<td>
+<p>string (list of users)</p>
+</td>
+<td>
+<p>Users that are in the Domain Guests group</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">password server</tt></p>
+</td>
+<td>
+<p>string (list of computers)</p>
+</td>
+<td>
+<p>List of domain controllers used for authentication when Samba is
+running as a domain member server</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">machine password timeout</tt></p>
+</td>
+<td>
+<p>numeric (seconds)</p>
+</td>
+<td>
+<p>Sets the renewal interval for NT domain machine passwords</p>
+</td>
+<td>
+<p><tt class="literal">604,800</tt> (1 week )</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+<p>Here are detailed explanations of each <a name="INDEX-170"/>Windows NT domain option listed
+in <a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-8.1"/>
+
+<a name="INDEX-171"/><h3 class="head2">domain logons</h3>
+
+<p>This option configures Samba to accept domain logons as a primary
+domain controller. When a client successfully logs on to the domain,
+Samba will return a special token to the client that allows the
+client to access domain shares without consulting the PDC again for
+authentication. Note that the Samba machine must employ user-level
+security (<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">user</tt>) and must be the PDC for this option to
+function. In addition, Windows machines will expect a
+<tt class="literal">[netlogon]</tt> share to exist on the Samba server.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.1"/>
+
+<a name="INDEX-172"/><h3 class="head3">domain master</h3>
+
+<p>In a Windows network, a local master browser handles browsing within
+a subnet. A Windows domain can be made up of a number of subnets,
+each of which has its own local master browser. The primary domain
+controller serves the function of domain master browser, collecting
+the browse lists from the local master browser of each subnet. Each
+local master browser queries the domain master browser and adds the
+information about other subnets to their own browse lists. When Samba
+is configured as a primary domain controller, it automatically sets
+<tt class="literal">domain</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt>, making itself the domain
+master browser.</p>
+
+<p>Because Windows NT PDCs always claim the role of domain master
+browser, Samba should never be allowed to be domain master if there
+is a Windows PDC in the domain.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.2"/>
+
+<a name="INDEX-173"/><h3 class="head3">add user script</h3>
+
+<p>There are two ways in which <tt class="literal">add</tt>
+<tt class="literal">user</tt> <tt class="literal">script</tt> can be used. When
+the Samba server is set up as a primary domain controller, it can be
+assigned to a command that will run on the Samba server to add a
+Windows NT/2000/XP computer account to Samba's
+password database. When the user on the Windows system changes the
+computer's settings to join a domain, he is asked
+for the username and password of a user who has administrative rights
+on the domain controller. Samba authenticates this user and then runs
+the <tt class="literal">add</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt> with root permissions.</p>
+
+<p>When Samba is configured as a domain member server, the
+<tt class="literal">add</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt> can be assigned to a command to add a user
+to the system. This allows Windows clients to add users that can
+access shares on the Samba system without requiring an administrator
+to create the account manually on the Samba host.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.3"/>
+
+<a name="INDEX-174"/><h3 class="head3">delete user script</h3>
+
+<p>There are times when users are automatically deleted from the domain,
+and the <tt class="literal">delete</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt> can be assigned to a command that removes a
+user from the Samba host as a Windows server would do. However, you
+might not want this to happen, because the Unix user might need the
+account for reasons other than use with Samba. Therefore, we
+recommend that you be very careful about using this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.4"/>
+
+<a name="INDEX-175"/><h3 class="head3">domain admin group</h3>
+
+<p>In a domain of Windows systems, it is possible for a server to get a
+list of the members of the Domain Admins group from a domain
+controller. Samba 2.2 does not have the ability to handle this, and
+the <tt class="literal">domain</tt> <tt class="literal">admin</tt>
+<tt class="literal">group</tt> parameter exists as a manual means of
+informing Samba who is in the group. The list should contain root
+(necessary for adding computer accounts) and any users on Windows
+NT/2000/XP clients in the domain who are in the Domain Admins group.
+These users must be recognized by the primary controller in order for
+them to perform some administrative duties such as adding users to
+the domain.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.5"/>
+
+<a name="INDEX-176"/><h3 class="head3">password server</h3>
+
+<p>In a Windows domain in which the domain controllers are a Windows
+primary domain controller, along with any number of Windows backup
+domain controllers, clients and domain member servers authenticate
+users by querying either the PDC or any of the BDCs. When Samba is
+configured as a domain member server, the <tt class="literal">password</tt>
+<tt class="literal">server</tt> parameter allows some control over how
+Samba finds a domain controller. Earlier versions of Samba could not
+use the same method that Windows systems use, and it was necessary to
+specify a list of systems to try. When you set
+<tt class="literal">password</tt> <tt class="literal">server</tt>
+<tt class="literal">=</tt> <tt class="literal">*</tt>, Samba 2.2 is able to find
+the domain controller in the same manner that Windows does, which
+helps to spread the requests over several backup domain controllers,
+minimizing the possibility of them becoming overloaded with
+authentication requests. We recommend that you use this method.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.6"/>
+
+<a name="INDEX-177"/><h3 class="head3">machine password timeout</h3>
+
+<p>The <tt class="literal">machine</tt> <tt class="literal">password</tt>
+<tt class="literal">timeout</tt> global option sets a retention period for
+Windows NT domain machine passwords. The default is currently set to
+the same time period that Windows NT 4.0 uses: 604,800 seconds (one
+week). Samba will periodically attempt to change the
+<em class="firstterm">machine account password</em>, which is a password
+used specifically by another server to report changes to it. This
+option specifies the number of seconds that Samba should wait before
+attempting to change that password. The timeout period can be changed
+to a single day by specifying the following:</p>
+
+<blockquote><pre class="code">[global]
+    machine password timeout = 86400</pre></blockquote>
+
+<a name="samba2-CHP-4-NOTE-119"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you would like more information on how Windows NT uses domain
+usernames and groups, we recommend Eric <a name="INDEX-178"/>Pearce's
+<em class="citetitle">Windows NT in a Nutshell</em>, published by
+O'Reilly. <a name="INDEX-179"/></p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> When we include
+Windows XP in discussions of Windows NT domains in this book, we are
+referring to Windows XP Professional and not to the Home edition. The
+reason for this is explained in the section on Windows XP later in
+this chapter.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> The entry in
+<em class="filename">/etc/passwd</em> might not be required in future
+Samba versions.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> If you want to follow our example in this
+section, and your network doesn't have any Windows
+systems offering shares, see <a href="ch05.html">Chapter 5</a> for
+directions on how to create one. Make sure you understand how to set
+up shares before continuing with the directions presented
+here!</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> The version of the System Policy
+Editor distributed with Windows 98 is an update of the version
+shipped with Windows 95. Use the version from the Windows 98
+distribution if you can.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This security identifier (SID) is part of
+an access token that allows the PDC to identify and authenticate the
+client.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch05.html b/docs/htmldocs/using_samba/ch05.html
new file mode 100644
index 0000000000..07a65cd08a
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch05.html
@@ -0,0 +1,1779 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 5. Unix Clients</h1>
+
+<p><a name="INDEX-1"/>In <a href="ch03.html">Chapter 3</a> we showed you how to configure Windows systems
+to access shared resources on both Windows and Samba servers. This
+has probably opened up a whole new world of computing for
+you&mdash;one in which you have to run to a Windows system every time
+you want to copy a file between Unix and Windows! In this chapter, we
+will show you the &quot;other
+side&quot;&mdash;how to access SMB shares from your
+favorite Unix system.</p>
+
+<p>You can access SMB resources from Unix in three ways, depending on
+your version of Unix. A program included with the Samba distribution
+called <em class="emphasis">smbclient</em><a name="INDEX-2"/> can be used to connect with a share on
+the network in a manner similar to using <em class="emphasis">ftp</em>
+when transferring files to or from an FTP site.</p>
+
+<p>If your system is running Linux, you can use the
+<a name="INDEX-3"/>smbfs
+filesystem to mount SMB shares right onto your Linux filesystem, just
+as you would mount a disk partition or NFS filesystem. The SMB shares
+can then be accessed and manipulated by all programs running on the
+Linux system: command shells, desktop GUI interfaces, and application
+software.</p>
+
+<p>On some BSD-based systems, including Mac OS X, a pair of utilities
+named <em class="emphasis">smbutil</em> <a name="INDEX-4"/>and <em class="emphasis">mount_smbfs</em>
+<a name="INDEX-5"/>can be used to query SMB servers and
+mount shares.</p>
+
+<p>For other Unix variants,
+<em class="emphasis">smbsh</em><a name="INDEX-6"/> can be run to enable common shell
+commands such as <em class="emphasis">cd</em>, <em class="emphasis">ls</em>,
+<em class="emphasis">mv, wc</em>, and <em class="emphasis">grep</em> to access
+and manipulate files and directories on SMB shares. This effectively
+extends the reach of the Unix shell and utilities beyond the Unix
+filesystem and into the SMB network.</p>
+
+<p>All the Unix clients can access shares offered by either Windows
+systems or Samba servers. We have already shown you how to set up a
+share on a Samba server and could use that as an example to work
+with. But it's much more fun to use the Unix clients
+with shares served by Windows systems. So before we start covering
+the Unix clients in detail, we will take a quick detour and show you
+how to set up file shares on both Windows 95/98/Me and Windows
+NT/2000/XP systems.</p>
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-1"/>
+
+<h2 class="head1">Sharing Files on Windows 95/98/Me</h2>
+
+<p>When <a name="INDEX-7"/><a name="INDEX-8"/>sharing files on Windows 95/98/Me, you
+can authenticate users in two different ways.
+<a name="INDEX-9"/><a name="INDEX-10"/>Share-level security is the default
+and is easy to use. However, it is not as secure and can require
+users to type in passwords when connecting to shares. User-level
+security offers a better security model and can be used if you have
+either a Samba or Windows NT/2000 server on your network performing
+user authentication.</p>
+
+<p>To configure the type of access control for your system, open the
+Control Panel, double-click the Network icon, then click the Access
+Control tab. You should see the dialog box shown in <a href="ch05.html#samba2-CHP-5-FIG-1">Figure 5-1</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-1"/><img src="figs/sam2_0501.gif"/></div><h4 class="head4">Figure 5-1. The Access Control tab of the Windows 98 Network Control Panel window</h4>
+
+<p>Click the &quot;Share-level access
+control&quot; or &quot;User-level access
+control&quot; radio button, depending on which you want
+to use. When using user-level access control, you will also need to
+fill in the name of your workgroup or Windows NT domain. Reboot as
+requested.</p>
+
+<p>To share a folder, right-click the folder's icon and
+select Sharing . . . . This will open the Sharing tab of the
+folder's Properties dialog box. Click the
+&quot;Shared As:&quot; radio button, and fill
+in a name for the share (which defaults to the
+folder's name) and a description, which will be
+visible to client users. If you don't want the share
+to be visible in the Network Neighborhood view of other Windows
+clients, pick a name for the share that ends in a dollar sign
+(<tt class="literal">$</tt>).</p>
+
+<p><a href="ch05.html#samba2-CHP-5-FIG-2">Figure 5-2</a> shows what the Sharing tab of the
+folder's Properties dialog box will look like when
+using share-level security. The security settings are very simple.
+You can select a radio button for read-only access or full
+(read/write) access, or have the user's permissions
+(either read-only or read/write) depend on which password they use.
+In accordance with which you select, you will be asked to assign
+either or both of the read-only and full-access passwords for the
+share.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-2"/><img src="figs/sam2_0502.gif"/></div><h4 class="head4">Figure 5-2. The Sharing tab of the folder's Properties dialog, with share-level security</h4>
+
+<p>If your system is configured with user-level security, the Sharing
+tab of the folder's Properties dialog box will look
+like <a href="ch05.html#samba2-CHP-5-FIG-3">Figure 5-3</a>. As you can see,
+we've created a share named
+&quot;DATA&quot;, and used the Add . . .
+button to create permissions that allow read-only access for all
+domain users and read/write (full access) for <tt class="literal">jay</tt>.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-3"/><img src="figs/sam2_0503.gif"/></div><h4 class="head4">Figure 5-3. The Sharing tab of the folder Properties dialog, with user-level security</h4>
+
+<p>When you are done specifying your settings for the share, click on
+the OK button, and the share will become available to users on
+network clients. Unless you chose a share name ending in a dollar
+sign, you can see it in the Network Neighborhood or My Network Places
+of Windows clients on the network. You can also now use the Unix
+clients described in this chapter to connect to the share.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-2"/>
+
+<h2 class="head1">Sharing Files on Windows NT/2000/XP</h2>
+
+<p>To create a file share on <a name="INDEX-11"/><a name="INDEX-12"/><a name="INDEX-13"/><a name="INDEX-14"/>Windows NT/2000/XP, you first must
+log in to the system as any member of the Administrators, Power
+Users, or Server Operators groups. Right-click the icon of a folder
+you wish to share, and click Sharing . . . in the pop-up menu. The
+Sharing tab of the folder's Properties dialog box
+will appear, as shown in <a href="ch05.html#samba2-CHP-5-FIG-4">Figure 5-4</a>. Click the
+&quot;Share this folder&quot; radio button.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-4"/><img src="figs/sam2_0504.gif"/></div><h4 class="head4">Figure 5-4. The Sharing tab of the folder's Properties dialog on Windows 2000</h4>
+
+<p>Share name: will default to the name of the folder, and you can
+change it if you want. One reason you might want to use a different
+name for the share is to make the share not appear in browse lists
+(as displayed by the Network Neighborhood, for example). This can be
+done by using a share name ending in a dollar sign
+(<tt class="literal">$</tt>). You can also add a description of the share
+in the Comment: text area. The description will appear to users of
+network clients and can help them understand the contents of the
+share.</p>
+
+<p><a name="INDEX-15"/><a name="INDEX-16"/><a name="INDEX-17"/><a name="INDEX-18"/><a name="INDEX-19"/>By clicking the Permissions button,
+you can set permissions for the share on a user-by-user basis. This
+is equivalent to the user-level security of Windows 95/98/Me file
+sharing. On Windows NT/2000/XP, Microsoft recommends that share
+permissions be set to allow full access by everyone, with the
+permissions controlled on a file-by-file basis using filesystem
+access control lists
+(<a name="INDEX-20"/>ACLs). The actual permissions given
+to network clients are a combination of the share permissions and
+file access permissions. To edit the ACL for the folder, click the
+Security tab. For more information on ACLs, see <a href="ch08.html#samba2-CHP-8-SECT-3">Section 8.3</a> in <a href="ch08.html">Chapter 8</a>.</p>
+
+<p>If you want, you can limit the number of users who can concurrently
+connect to the share using the &quot;User
+limit:&quot; radio button. The New Share button allows
+you to create multiple file shares for the same folder, each having
+its own name, comment, user limit, and other parameters.</p>
+
+<p>When you are done, click the OK button, and the folder will be
+accessible from clients on the network.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-3"/>
+
+<h2 class="head1">smbclient</h2>
+
+<p>The Samba Team supplies <em class="emphasis">smbclient</em><a name="INDEX-21"/> as a basic part of the Samba suite. At
+first, it might seem to be a primitive interface to the SMB network,
+but <em class="emphasis">smbclient</em> is actually a versatile tool. It
+can be used for browsing shares on servers, testing configurations,
+debugging, accessing shared printers, backing up shared data, and
+automating administrative tasks in shell scripts. And unlike
+<tt class="literal">smbfs</tt><a name="INDEX-22"/><a name="INDEX-23"/><a name="INDEX-24"/> and <em class="emphasis">smbsh</em>,
+<em class="emphasis">smbclient</em> works on all Unix variants that
+support Samba.</p>
+
+<p>In this chapter we'll focus mostly on running
+<em class="emphasis">smbclient</em> as an interactive shell, using its
+<em class="emphasis">ftp</em>-like commands to access shared directories
+on the network. Using <em class="emphasis">smbclient</em> to access
+printers and perform backups will be covered in <a href="ch10.html">Chapter 10</a>.</p>
+
+<p>A complete reference to <em class="emphasis">smbclient</em> is found in
+<a href="appc.html">Appendix C</a>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.1"/>
+
+<h3 class="head2">Listing Services</h3>
+
+<p><a name="INDEX-25"/>The <em class="emphasis">-L</em> option
+can be used with <em class="emphasis">smbclient</em> to list the resources
+on a single computer. Assuming the Samba server is configured to take
+the role of the master browser, we can obtain a list of the computers
+in the domain or workgroup like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L toltec</b></tt>
+added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
+Password:
+Domain=[METRAN] OS=[Unix] Server=[Samba 2.2.5]
+
+    Sharename      Type      Comment
+    ---------      ----      -------
+    test           Disk      For testing only, please
+    IPC$           IPC       IPC Service (Samba 2.2.5)
+    ADMIN$         Disk      IPC Service (Samba 2.2.5)
+
+    Server               Comment
+    ---------            -------
+    MAYA                 Windows 98
+    MIXTEC               Samba 2.2.5
+    TOLTEC               Samba 2.2.5
+    ZAPOTEC              
+
+    Workgroup            Master
+    ---------            -------
+    METRAN               TOLTEC</pre></blockquote>
+
+<p>In the column labeled &quot;Server&quot;,
+<tt class="literal">maya</tt>, <tt class="literal">mixtec</tt>, and
+<tt class="literal">zapotec</tt> are shown along with toltec, the Samba
+server. The services on <tt class="literal">toltec</tt> are listed under
+&quot;Sharename&quot;. The IPC$ and ADMIN$
+shares are standard Windows services that are used for network
+communication and administrative purposes, and
+<em class="filename">test</em> is the directory we added as a share in
+<a href="ch02.html">Chapter 2</a>.</p>
+
+<p>Now that we know the names of computers in the domain, we can list
+services on any of those computers. For example, here is how we would
+list the services offered by <tt class="literal">maya</tt>, a Windows 98
+workstation:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L maya</b></tt>
+added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
+Password:
+
+
+    Sharename      Type      Comment
+    ---------      ----      -------
+    PRINTER$       Disk      
+    HP             Printer   HP 932C on Maya
+    D              Disk      D: on Maya
+    E              Disk      E: on Maya
+
+    ADMIN$         Disk      
+    IPC$           IPC       Remote Inter Process Communication
+
+    Server               Comment
+    ---------            -------
+
+    Workgroup            Master
+    ---------            -------</pre></blockquote>
+
+<p>A shared printer is attached to <tt class="literal">maya</tt>, so we see
+the PRINTER$ administrative service, along with the HP share for the
+printer itself. Also on <tt class="literal">maya</tt> are the D and E
+shares, which allow access across the network to
+<tt class="literal">maya</tt>'s D: and E: drives. It is
+normal for the Server and Workgroup sections to be empty when listing
+services on a Windows client.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.2"/>
+
+<h3 class="head2">Authenticating with smbclient</h3>
+
+<p><a name="INDEX-26"/>As with any other SMB client,
+<em class="emphasis">smbclient</em> needs to supply a username and
+password if it is authenticating in a domain environment or if it is
+contacting a Samba server that is set up with user-level security. In
+a workgroup environment, it will at least need a password to use when
+connecting with a password-protected resource.</p>
+
+<p>By default, <em class="emphasis">smbclient</em> uses the username of the
+user who runs it and then prompts for a password. If you are using
+<em class="emphasis">smbclient</em> a lot, you might tire of entering your
+password every time.</p>
+
+<p><em class="emphasis">smbclient</em> supports some alternate methods of
+entering a username and password. The password can be entered on the
+command line, like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e jayspassword</b></tt></pre></blockquote>
+
+<p>Or both the username and password can be supplied by using the
+<em class="emphasis">-U</em> option, including the username and password
+separated by a percent (<tt class="literal">%</tt>) character:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e -U kelly%kellyspassword</b></tt></pre></blockquote>
+
+<p>This method is useful if you are logged in to the system under an
+account that is not Samba-enabled or you are testing your
+configuration to see how it treats another user. With either method,
+you can avoid having to enter the username and/or password each time
+you run <em class="emphasis">smbclient</em> by creating an alias for the
+command or creating a shell function or shell script. For example,
+with the <em class="emphasis">bash</em> shell, it is possible to define a
+function like this:</p>
+
+<blockquote><pre class="code">smbcl(  )
+{
+    smbclient $* -U jay%jayspassword
+}</pre></blockquote>
+
+<p>Adding the definition to the shell's startup script
+(which would be <em class="filename">~/.bash_profile</em> for
+<em class="emphasis">bash</em>) would result in the definition affecting
+all subsequent shell invocations.</p>
+
+<p>Another method that can be used to supply both the username and
+password is to set the USER and <a name="INDEX-27"/><a name="INDEX-28"/>PASSWD environment variables. Either
+set the USER environment variable using the
+<em class="replaceable">username</em>%<em class="replaceable">password</em>
+format, or set the USER environment variable to the username, and set
+PASSWD to the user's password.</p>
+
+<p>It is also possible to create a credentials file containing the
+username on the first line and the password on the second line, like
+this:</p>
+
+<blockquote><pre class="code">username = jay
+password = jayspassword</pre></blockquote>
+
+<p>Then, <em class="emphasis">smbclient</em> is run using the
+<em class="emphasis">-A</em> option to specify the name of the file:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e -A ~/.smbpw</b></tt></pre></blockquote>
+
+<a name="samba2-CHP-5-NOTE-120"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>Of the methods we described in this section, the only one that is
+really secure is the default method of allowing
+<em class="emphasis">smbclient</em><a name="INDEX-29"/> to
+prompt for the password and typing in the password without echoing.</p>
+
+<p>If security is a concern, you definitely should avoid providing your
+password on the command line because it is very easy for
+&quot;shoulder surfers&quot; to obtain, as
+well as anyone who looks through your shell's
+command history.</p>
+
+<p>If you keep your Samba password in a credentials file, shell startup
+file, or shell script, make sure the file's
+permissions prohibit other users from reading or writing it. (Use an
+octal permissions mode of 0600.) Security experts never keep
+passwords in files owned by nonroot users or accessible by anyone
+other than the superuser. As part of their security policy, some
+organizations do not permit passwords to be stored in files, so you
+might want to check first before using this method.</p>
+
+<p>The authentication method that uses the USER and PASSWD environment
+variables isn't any more secure. Environment
+variables are usually set either on the command line or in one or
+more of the shell's startup files, so this method
+suffers from the same weaknesses we've just
+discussed. In addition, any program run by the user has access to the
+shell's environment variables, making a Trojan horse
+attack on the PASSWD variable really easy!</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.3"/>
+
+<h3 class="head2">An Interactive smbclient Session</h3>
+
+<p><a name="INDEX-30"/>A common use for
+<em class="emphasis">smbclient</em> is to use it as an
+<em class="emphasis">ftp</em>-like shell to access SMB resources on the
+network. To begin a session, <em class="emphasis">smbclient</em> must be
+provided with the UNC of a resource (which you can find using the
+<em class="emphasis">-L</em> option) on the command line, like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e</b></tt>
+added interface ip=172.16.1.3 bcast=172.16.1.255 nmask=255.255.255.0
+Password: 
+smb: \&gt;</pre></blockquote>
+
+<p>Forward slashes are accepted by <em class="emphasis">smbclient</em> for
+the share's UNC, which makes entering the UNC on the
+command line easier. Backslashes can also be used, but they must be
+quoted or escaped, and it is somewhat more difficult to type
+'<tt class="literal">\\maya\e</tt>' or <tt class="literal">\\\\maya\\e</tt>.
+After connecting to the share, <em class="emphasis">smbclient</em>
+displays the <tt class="literal">smb: \&gt;</tt> prompt, waiting for a
+command to be entered. Commands are similar to those with which you
+might be familiar in <em class="emphasis">ftp</em> and are also somewhat
+similar to Unix shell commands. To get a list of
+<em class="emphasis">smbclient</em><a name="INDEX-31"/> commands, use the
+<em class="emphasis">help</em> command:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>help</b></tt>
+ls             dir            du             lcd            cd             
+pwd            get            mget           put            mput           
+rename         more           mask           del            open           
+rm             mkdir          md             rmdir          rd             
+prompt         recurse        translate      lowercase      print          
+printmode      queue          cancel         quit           q              
+exit           newer          archive        tar            blocksize      
+tarmode        setmode        help           ?              history        
+!</pre></blockquote>
+
+<p>Some commands in the previous list are synonyms for other commands.
+For example, the <em class="emphasis">?</em> command is a synonym for
+<em class="emphasis">help</em>. You can give this command the name of
+another command as an argument to get a concise reminder of what the
+command does and how to use it:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>? ls</b></tt>
+HELP ls:
+        &lt;mask&gt; list the contents of the current directory</pre></blockquote>
+
+<p>The term <tt class="literal">&lt;mask&gt;</tt> refers to a file-matching
+pattern as commonly found in Unix shells and utilities. For example:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>ls *doc</b></tt>
+  ms-ProfPol-wp.doc                   A      131  Tue Dec 18 09:12:34 2002
+  smbclient.doc                       A    33969  Mon Dec 10 20:22:24 2002
+  smbmount.doc                        A     7759  Mon Dec 10 20:20:00 2002
+
+                      48590 blocks of size 524288. 40443 blocks available</pre></blockquote>
+
+<p>lists all files ending in &quot;doc&quot; in
+the current directory on the remote system. In the listing, the
+leftmost column shows the filename. Moving left to right, we see the
+file's MS-DOS attributes, then its size, and the
+time it was last modified.</p>
+
+<p>As with any other Unix utility, <em class="emphasis">smbclient</em> has a
+working directory on the local host. It also has another current
+directory on the remote SMB share. With
+<em class="citetitle">smbclient</em>, the <em class="emphasis">cd</em> command
+is used to move around on the remote system:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>cd trans  </b></tt> 
+smb: \trans\&gt;</pre></blockquote>
+
+<p>Notice how the prompt changes to reflect the new current working
+directory. To change your current directory on the local system, use
+the <em class="emphasis">lcd</em> command:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>lcd /u/snd</b></tt>
+the local directory is now /u/snd</pre></blockquote>
+
+<p>Most of <em class="emphasis">smbclient</em>'s commands
+are for performing operations on remote files and directories. There
+is no command for listing the contents of the local directory.
+However, <em class="emphasis">smbclient</em> allows a shell escape. Any
+command preceded by an exclamation point (<tt class="literal">!</tt>) is
+interpreted as a shell command and is run in a subshell on the local
+system. For example:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>! ls -l</b></tt>
+total 16
+drwxrwxr-x    2 jay      jay          4096 Jan 10 14:46 dr220-fet
+drwxrwxr-x    2 jay      jay          4096 Sep 22 12:16 dr220-tube
+-rw-rw-r--    1 jay      jay           131 Jan 10 02:22 readme.txt
+drwxrwxr-x    7 jay      jay          4096 Jan 10 02:19 xl1</pre></blockquote>
+
+<p>lists the contents of <em class="filename">/u/snd</em>. By using
+<em class="emphasis">smbclient</em>'s commands to operate
+on the remote system&mdash;and shell-escaped commands to operate on
+the local system&mdash;it is possible to manipulate data on both
+systems without having to exit <em class="emphasis">smbclient</em> or open
+another shell window.</p>
+
+<p><a name="INDEX-32"/><a name="INDEX-33"/>File transfer is performed using
+the <em class="emphasis">get</em> and
+<em class="emphasis">put</em><a name="INDEX-34"/><a name="INDEX-35"/> commands. The <em class="emphasis">get</em>
+command transfers a single file from the remote to the local system,
+and the <em class="emphasis">put</em> command copies a file from the local
+to the remote system. For example, the following command copies the
+file <em class="filename">readme.txt</em> to the SMB share:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>put readme.txt</b></tt>
+putting file readme.txt as \trans\readme.txt (127.9 kb/s) (average 10.7 kb/s)</pre></blockquote>
+
+<a name="samba2-CHP-5-NOTE-121"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>Unlike <em class="emphasis">ftp</em>, <em class="emphasis">smbclient</em> does
+not have <em class="emphasis">ascii</em> and <em class="emphasis">binary</em>
+commands to set the type of the file that is being transferred.
+Before transferring a text file from a Unix system to a Windows or
+Macintosh system, you might want to use the GNU
+<em class="emphasis">unix2dos</em><a name="INDEX-36"/> command to reformat newlines in the
+file to work with the carriage return linefeed (CRLF) standard:</p>
+
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>unix2dos text_file &gt;text_file.txt</b></tt></pre></blockquote>
+
+
+<p>and then transfer the CRLF-formatted version. After transferring a
+text file from a Windows or Macintosh system to Unix, you can use the
+GNU <em class="emphasis">dos2unix</em><a name="INDEX-37"/> command to perform the inverse
+operation:</p>
+
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>dos2unix text_file.txt &gt;text_file</b></tt></pre></blockquote>
+</blockquote>
+
+<p>To transfer more than one file with a single command, you can use the
+<em class="emphasis">mget</em><a name="INDEX-38"/><a name="INDEX-39"/> and <em class="emphasis">mput</em> commands,
+which accept a list of filenames in the command line. The list can be
+provided by typing in the filenames on the command line separated by
+spaces, or the group of files can be specified with a pattern as one
+would use in Unix shell commands. The command:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>mget plain/*</b></tt></pre></blockquote>
+
+<p>copies all the files in the directory <em class="filename">plain</em> on
+the SMB share to the current directory on the local system. By
+default, <em class="emphasis">smbclient</em> prompts for each file, asking
+if you want to copy it:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>mget plain/*</b></tt>
+Get file tomm.wav? n
+Get file toml.wav? n
+Get file tomh.wav? n
+Get file snare.wav? n
+Get file rim.wav? n
+Get file handclap.wav? n
+Get file bassdrum.wav? n</pre></blockquote>
+
+<p>If you are sure you want to copy all the files, you can turn off
+prompting with the <em class="emphasis">prompt</em> command, like this:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>prompt</b></tt>
+prompting is now off</pre></blockquote>
+
+<p>By default, if you specify the name of a directory,
+<em class="emphasis">smbclient</em> will not copy the contents of the
+directory. To transfer the entire contents of directories listed in
+the <em class="emphasis">mput</em> or <em class="emphasis">mget</em> command,
+you must first use the <em class="emphasis">recurse</em> command:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>recurse</b></tt>
+directory recursion is now on</pre></blockquote>
+
+<p>After setting things up with the
+<em class="emphasis">prompt</em><a name="INDEX-40"/><a name="INDEX-41"/> and <em class="emphasis">recurse</em>
+commands, we can copy a directory like this:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>mget acc</b></tt>
+getting file tomm.wav of size 55494 as tomm.wav (2580.6 kb/s) (average 2087.3 kb/s)
+getting file toml.wav of size 57220 as toml.wav (2660.9 kb/s) (average 2167.6 kb/s)
+getting file tomh.wav of size 55936 as tomh.wav (2601.2 kb/s) (average 2220.8 kb/s)
+getting file snare.wav of size 22132 as snare.wav (1200.7 kb/s) (average 2123.7 kb/s)
+getting file rim.wav of size 8314 as rim.wav (1623.8 kb/s) (average 2110.8 kb/s)
+getting file handclap.wav of size 14180 as handclap.wav (1978.2 kb/s) (average 2106.2 
+kb/s)
+getting file bassdrum.wav of size 6950 as bassdrum.wav (2262.3 kb/s) (average 2108.5 
+kb/s)</pre></blockquote>
+
+<p><a name="INDEX-42"/>Directory recursion applies to all
+commands, so if an <em class="emphasis">ls</em> command is used while
+directory recursion is on, all files in the directory tree are
+listed. To turn directory recursion off again, simply re-enter the
+command. At the same time, you might also wish to toggle prompting
+back to its initial state:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>recurse</b></tt>
+directory recursion is now off
+smb: \trans\&gt; <tt class="userinput"><b>prompt</b></tt>
+prompting is now on</pre></blockquote>
+
+<p>There are other <em class="emphasis">smbclient</em> commands that you
+might find useful. The <em class="emphasis">mkdir</em> command can be used
+to create a directory; <em class="emphasis">rmdir</em> removes a
+directory; <em class="emphasis">rm</em> deletes a file; and
+<em class="emphasis">rename</em> changes a file's name.
+These behave very similarly to their Unix shell counterparts. <a href="appc.html">Appendix C</a> contains a complete reference to
+<em class="emphasis">smbclient</em> and its command set.</p>
+
+<p>To exit <em class="emphasis">smbclient</em>, use the
+<em class="emphasis">exit</em> or <em class="emphasis">quit</em> command:</p>
+
+<a name="INDEX-43"/><blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>quit </b></tt></pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.4"/>
+
+<h3 class="head2">Programming with smbclient</h3>
+
+<p><a name="INDEX-44"/>The <em class="emphasis">-c</em> option
+<em class="emphasis">of smbclient</em> allows a list of commands to be
+passed on the command line. To copy the file
+<em class="filename">\\maya\e\trans\readme.txt</em> to
+<em class="filename">/u/snd/readme.txt</em>, we might use the command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e -c &quot;lcd /u/snd; cd trans; get readme.txt&quot; -A ~/.smbpw</b></tt></pre></blockquote>
+
+<p>Everything that <em class="emphasis">smbclient</em> needs to know to
+perform the operation has been specified in the command. There is no
+interactive session, so a command such as this can be placed inside a
+shell script or a program in some other programming language.</p>
+
+<p>By using <em class="emphasis">smbclient</em> in this manner, it is
+possible to create customized commands using shell functions, scripts
+or aliases. For example, suppose we wanted a command to print a short
+listing of files in a shared directory, showing just the names of the
+files. Using a <em class="emphasis">bash</em> function, we could define a
+command <em class="emphasis">smbls</em> as follows:</p>
+
+<blockquote><pre class="code">smbls(  )
+{
+        share=`echo $1 | cut -d '/' -f '1-4'`
+        dir=`echo $1 | cut -d '/' -f '5-'`
+        smbclient $share -c &quot;cd $dir; ls&quot; -A ~/.smbpw | \
+                        grep &quot;^  &quot; | cut -d ' ' -f 3 - | sort
+}</pre></blockquote>
+
+<p>After defining this function, we can use <em class="emphasis">smbls</em>
+like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbls //maya/e</b></tt>
+CD-images
+lectures
+ms-ProfPol-wp.doc
+profile-map
+readme.txt
+RECYCLED
+smbclient.doc
+smbmount.doc
+smbsh.txt
+trans
+$ <tt class="userinput"><b>smbls //maya/e/lectures</b></tt>
+.
+..
+lecture1.mp3
+lecture2.mp3
+lecture3.mp3
+lecture4.mp3
+lecture5.mp3
+lecture6.mp3
+lecture7.mp3
+lecture8.mp3
+lecture9.mp3</pre></blockquote>
+
+<p>Another use for <em class="emphasis">smbclient</em> in scripts is
+performing administrative tasks. Suppose a group of users on Windows
+clients are sharing a set of files as part of a project on which they
+are working. Instead of expecting them to coordinate making daily
+backups, we could write a script that copies the share to the Samba
+server and run the script nightly as a cron job. The directory on the
+Samba server could be shared as well, allowing any of the users to
+retrieve a backup file on their own, without having to bother an
+administrator.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.5"/>
+
+<h3 class="head2">Backups with smbclient</h3>
+
+<p>A major use of <em class="emphasis">smbclient</em><a name="INDEX-45"/><a name="INDEX-46"/> is to create and restore backups of
+SMB file shares. The backup files <em class="emphasis">smbclient</em>
+writes are in tar format, making them easy to work with and portable
+among all Unix versions. Using <em class="emphasis">smbclient</em> on a
+Unix server to run network backups can result in a more centralized
+and easily managed solution for providing data integrity because both
+SMB shares and NFS filesystems can be backed up on the same system.</p>
+
+<p>You can use <em class="emphasis">smbclient</em> to perform backups in two
+ways. When backing up an entire share, the simplest method is to use
+the <em class="emphasis">-Tc</em> option on the command line:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e -A samba-domain-pw -Tc &gt;maya-e.tar</b></tt></pre></blockquote>
+
+<p>This will create a tar archive of the <em class="filename">\\maya\e</em>
+share in the file <em class="filename">maya-e.tar</em>. By using the
+<em class="emphasis">-D</em> option, it is possible to back up a directory
+in the share, rather than the whole share:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e -A samba-domain-pw -D trans -Tc &gt;maya-e.tar</b></tt></pre></blockquote>
+
+<p>This causes <em class="emphasis">smbclient</em> to change its working
+directory to the <em class="filename">trans</em> directory of the
+<em class="filename">\\maya\e</em> share before starting the backup. It is
+also possible to use
+<em class="emphasis">smbclient</em>'s
+<em class="emphasis">tar</em> command in interactive mode, like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e </b></tt>
+added interface ip=172.16.1.3 bcast=172.16.1.255 nmask=255.255.255.0
+Password:
+smb: \&gt; <tt class="userinput"><b>cd trans</b></tt>
+smb: \trans\&gt; <tt class="userinput"><b>tarmode full hidden system quiet</b></tt>
+smb: \trans\&gt; <tt class="userinput"><b>tar c maya-e-trans.tar</b></tt></pre></blockquote>
+
+<p>With the previous code, only the <em class="emphasis">trans</em>
+subdirectory in the <em class="emphasis">\\maya\e</em> share will be
+backed up, using the settings specified in the
+<em class="emphasis">tarmode</em> command. To have this type of backup run
+automatically from a script, use the <em class="emphasis">-c</em> option:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e -A samba-domain-pw -c &quot;cd trans; tarmode full hidden \</b></tt>
+<tt class="userinput"><b>    system quiet; tar &gt;maya-e-trans.tar&quot;</b></tt></pre></blockquote>
+
+<p>Using either the <em class="emphasis">-T</em> command-line option or
+<em class="emphasis">smbclient</em>'s
+<em class="emphasis">tar</em> command, additional options can be supplied.
+It is necessary to specify either the <em class="emphasis">c</em> option
+to create a backup archive or the <em class="emphasis">x</em> option to
+extract (restore) one.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> </p>
+
+<p>The other options can be appended to the option string
+and are explained in the section on <em class="emphasis">smbclient</em> in
+<a href="appc.html">Appendix C</a>. They allow you to create incremental
+backups, specify which files to include or exclude from the backup,
+and specify a few other miscellaneous settings. For example, suppose
+we wish to create an incremental backup of a share and reset the
+archive bit on the files to set things up for the next incremental
+backup. Instead of using the interactive commands:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>tarmode inc reset quiet</b></tt>
+smb: \&gt; <tt class="userinput"><b>tar c backup.tar</b></tt></pre></blockquote>
+
+<p>we could either use the interactive command:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>tar cgaq backup.tar</b></tt></pre></blockquote>
+
+<p>or specify the <em class="emphasis">-Tcgaq</em> option on the
+<em class="emphasis">smbclient</em> command line.</p>
+
+<p>Your best strategy for using <em class="emphasis">smbclient</em> for
+network backups depends on your local configuration. If you have only
+a few Windows systems sharing a small amount of data, you might
+create a script containing <em class="emphasis">smbclient -Tc</em>
+commands to back up each share to a separate tar file, placing the
+files in a directory that is included with regular backups of the
+Unix system. If you have huge SMB shares on your network, you might
+prefer to write the backup directly to a tape drive. You can do this
+with <em class="emphasis">smbclient</em> just as you would with a Unix
+<em class="emphasis">tar</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/d -A samba-domain-pw -Tc &gt;/dev/tape</b></tt></pre></blockquote>
+
+<p>After you have become more familiar with
+<em class="emphasis">smbclient</em> and have an automated backup system in
+place, you might find that using Samba has dramatically decreased
+your anxiety regarding the integrity of your
+network's data. The authors of this book are
+experienced Unix system administrators, and we highly recommend
+having a backup strategy that has been carefully planned,
+implemented, and most importantly, <em class="emphasis">tested and known to work
+as it is supposed to</em>.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-4"/>
+
+<h2 class="head1">smbfs</h2>
+
+<p>On Linux, the <a name="INDEX-47"/>smbfs filesystem can be used to mount
+SMB shares onto the Linux filesystem in a manner similar to mounting
+disk partitions on NFS filesystems. The result is so transparent that
+users on the Linux system might never be aware that they are
+accessing files through a Windows or Samba server. Files and
+directories appear as any other files or directories on the local
+Linux system, although there are a few differences in behavior
+relating to ownership and permissions.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a></p>
+
+<p>Although smbfs is based on the Samba code, it is not itself part of
+the Samba distribution. Instead, it is included with Linux as a
+standard part of the Linux filesystem support.</p>
+
+<p>The <em class="emphasis">smbmount</em> and
+<em class="emphasis">smbmnt</em><a name="INDEX-48"/> programs are part of the Samba
+distribution and are needed on the client to mount smbfs filesystems.
+Samba must be compiled with the <tt class="literal">--with-smbmount</tt>
+configure option to make sure these programs are compiled. They refer
+to <em class="filename">smb.conf</em> for information they need regarding
+the local system and network configuration, so you will need a
+working <em class="filename">smb.conf</em><a name="INDEX-49"/><a name="INDEX-50"/>
+file on the system, even if it is not acting as a Samba server.
+ <a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/></p>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-4.1"/>
+
+<h3 class="head2">Mounting an smbfs Filesystem</h3>
+
+<p>The <em class="emphasis">smbmount</em><a name="INDEX-54"/> command is used to mount an smbfs
+filesystem into the Linux filesystem. The basic usage is:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbmount </b></tt><em class="replaceable">Share-UNC mount-point</em><tt class="userinput"><b> -o </b></tt><em class="replaceable">options</em></pre></blockquote>
+
+<p>Replace <em class="replaceable">Share-UNC</em> with the UNC for the SMB
+share, and <em class="replaceable">mount-point</em> with the full path
+to the directory in the Linux filesystem to use as the mount point.
+The <em class="replaceable">options</em> argument is used to set the
+exact manner in which the share is mounted. Let's
+look at an example of a <em class="emphasis">smbmount</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbmount //maya/e /smb/e \</b></tt>
+<tt class="userinput"><b>    -o &quot;credentials=/home/jay/.smbpw,uid=jay,gid=jay,fmask=664,dmask=775&quot;</b></tt></pre></blockquote>
+
+<p>Here we are mounting share <em class="filename">\\maya\e</em> from a
+Windows 98 system on the mount point <em class="filename">/smb/e</em> on
+the Linux system.</p>
+
+<a name="samba2-CHP-5-NOTE-122"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>If your Linux kernel doesn't include smbfs support,
+you will get the error message:</p>
+
+<blockquote><pre class="code">ERROR: smbfs filesystem not supported by the kernel</pre></blockquote>
+
+
+<p>In this case, you must configure and compile a new kernel to include
+support for smbfs. When smbfs is installed, and an SMB share is
+mounted, you can run the command:</p>
+
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cat /proc/filesystems</b></tt></pre></blockquote>
+
+<p>and see a line that looks like:</p>
+
+<blockquote><pre class="code">nodev   smbfs</pre></blockquote>
+
+
+<p>in the command's output.</p>
+</blockquote>
+
+<p>The mount point must exist before <em class="emphasis">smbmount</em> is
+run and can be created using the <em class="emphasis">mkdir</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /smb/e</b></tt></pre></blockquote>
+
+<p>The argument to the <em class="emphasis">-o</em> option might look a
+little complex. It is a comma-separated list of
+<em class="replaceable">key</em><tt class="literal">=</tt><em class="replaceable">value</em>
+pairs. The <tt class="literal">credentials</tt> key is set to the name of
+the credentials file, which is used to give
+<em class="emphasis">smbmount</em> a valid username and password with
+which to authenticate while connecting to the share. The format is
+identical to that used by <em class="emphasis">smbclient</em> (as
+explained in the previous section), so you can use the same
+credentials file for both clients. If you want, you can use the
+<em class="replaceable">key</em>=<em class="replaceable">value</em> pair
+<tt class="literal">username</tt>=<em class="replaceable">name</em>%<em class="replaceable">password</em>
+to specify the username and password directly in the
+<em class="emphasis">smbmount</em> command, although this is considerably
+less secure.</p>
+
+<a name="samba2-CHP-5-NOTE-123"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The <em class="emphasis">smbmount</em> command accepts the same
+authentication methods as <em class="emphasis">smbclient</em>. The
+comments in the section on <em class="emphasis">smbclient</em> regarding
+supplying passwords on the command line&mdash;and keeping passwords
+in files and environment variables&mdash;also apply here.</p>
+</blockquote>
+
+<p>The rest of the options tell <em class="emphasis">smbmount</em> how to
+translate between the SMB filesystem and the Unix filesystem, which
+differ in their handling of ownership and permissions. The
+<em class="emphasis">uid</em> and <em class="emphasis">gid</em> options specify
+the owner and group to be assigned to all directories and files in
+the mounted share.</p>
+
+<p>The <em class="emphasis">fmask</em><a name="INDEX-55"/> and
+<em class="emphasis">dmask</em><a name="INDEX-56"/> options specify
+<a name="INDEX-57"/>bitmasks for
+permissions of files and directories, respectively. These bitmasks
+are logically ANDed with whatever permissions are granted by the
+server to create the effective permissions on the client Unix system.
+On the server side, the permissions granted depend on the
+server's operating system. For a Windows 95/98/Me
+server using share-mode security, the MS-DOS read-only attribute can
+be set on individual files and directories and combined with the Full
+Access or Read Only permissions on the share as a whole. In
+user-level security mode, Windows 95/98/Me can have ACL-like
+permissions applied to the entire share, as discussed in <a href="ch04.html">Chapter 4</a>. Windows NT/2000/XP support ACLs on individual
+files and directories, with Full Control, Change, or Read permissions
+that can be applied to the entire share. If the server is a Samba
+server, the permissions are whatever is defined by the Samba share
+and the local Unix system for the individual files and directories.
+In every case, the permissions applied to the share act to further
+limit access, beyond what is specified for the individual files and
+directories.</p>
+
+<a name="samba2-CHP-5-NOTE-124"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>You might think that the <em class="emphasis">fmask</em> and
+<em class="emphasis">dmask</em> permission masks can be used only to
+reduce the effective permissions on files and directories, but this
+is not always the case. For example, suppose that a file is being
+shared by a Windows 95/98/Me server using share-mode security and
+that some number of users have been given the Full Access password
+for the share. If the share is mounted with
+<em class="emphasis">smbmount</em> using an <em class="emphasis">fmask</em> of
+666, read/write permissions are granted on the Unix system not only
+for the owner, but for everyone else on the Unix system as well!</p>
+</blockquote>
+
+<p>After mounting the <em class="filename">\\maya\d</em> share to
+<em class="filename">/smb/e</em>, here is what the contents of
+<em class="filename">/smb/e</em> look like:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cd /smb/e ; ls -l</b></tt>
+total 47
+drwxrwxr-x    1 jay      jay           512 Jan  8 20:21 CD-images
+drwxrwxr-x    1 jay      jay           512 Jan  6 21:50 lectures
+-rw-rw-r--    1 jay      jay           131 Dec 18 09:12 ms-ProfPol-wp.doc
+-rw-rw-r--    1 jay      jay            59 Dec 18 09:12 profile-map
+-rw-rw-r--    1 jay      jay           131 Jan 15 05:01 readme.txt
+drwxrwxr-x    1 jay      jay           512 Feb  4  2002 RECYCLED
+-rw-rw-r--    1 jay      jay         33969 Dec 10 20:22 smbclient.doc
+-rw-rw-r--    1 jay      jay          7759 Dec 10 20:20 smbmount.doc
+-rw-rw-r--    1 jay      jay          1914 Dec 10 20:17 smbsh.txt
+drwxrwxr-x    1 jay      jay           512 Jan 10 03:54 trans</pre></blockquote>
+
+<p>For the most part, the files and directories contained in the mounted
+smbfs filesystem will work just like any others, except for
+limitations imposed by the nature of SMB networking. For example, not
+even the superuser can perform the operation:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chown root lectures</b></tt>
+chown: changing ownership of 'lectures': Operation not permitted</pre></blockquote>
+
+<p>because SMB shares do not intrinsically support the idea of
+ownership. Some odd behaviors can result from this. For example, the
+command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chmod 777 readme.txt</b></tt></pre></blockquote>
+
+<p>does not produce an error message, although nothing has been changed.
+The file <em class="filename">readme.txt</em> still has permissions set to
+664:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ls -l readme.txt</b></tt>
+-rw-rw-r--    1 jay      jay           131 Jan 15 05:01 readme.txt</pre></blockquote>
+
+<p>Aside from little things such as these, the mounted smbfs filesystem
+can be used in conjunction with virtually any application, and you
+might be pleasantly surprised at how nicely it integrates with your
+Linux-based computing environment. You can even create symbolic links
+in the Unix filesystem, pointing to files and directories inside SMB
+shares. However, unless the server is a Samba server that supports
+Unix CIFS extensions, you will not be able to create a symbolic link
+inside the mounted smbfs filesystem.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-4.2"/>
+
+<h3 class="head2">Mounting smbfs Filesystems Automatically</h3>
+
+<p><a name="INDEX-58"/>As with other types of
+filesystems, an smbfs filesystem can be mounted automatically during
+system bootup by creating an entry for it in
+<em class="filename">/etc/fstab</em>. The format for the entry is as
+follows:</p>
+
+<blockquote><pre class="code"><em class="replaceable">Share-UNC mount-point</em>  smbfs  <em class="replaceable">options</em> 0 0</pre></blockquote>
+
+<p>Replace <em class="replaceable">Share-UNC</em> with the UNC of the
+share (using the forward slash format), and replace
+<em class="replaceable">mount-point</em> with the name of the directory
+in the Linux filesystem on which the share will be mounted. In place
+of <em class="replaceable">options</em>, simply use the string that you
+used with the <em class="emphasis">-o</em> flag in the
+<em class="emphasis">smbmount</em> command.</p>
+
+<p>Once you have found the arguments to use with the
+<em class="emphasis">smbmount</em> command to mount the share the way you
+like it, it is a very simple matter to create the entry for
+<em class="filename">/etc/fstab</em>. The <em class="emphasis">smbmount</em>
+command we used to mount the share <em class="filename">\\maya\e</em> on
+<em class="filename">/smb/e</em> would translate to this
+<em class="filename">/etc/fstab</em> entry:</p>
+
+<blockquote><pre class="code">//maya/e /smb/e  smbfs  
+credentials=/home/jay/.smbpw,uid=jay,gid=jay,fmask=664,dmask=775 0 0
+
+<i class="lineannotation">(Please note that this should all go on one line.)</i></pre></blockquote>
+<a name="samba2-CHP-5-NOTE-125"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If you make a mistake in modifying
+<em class="filename">/etc/fstab</em><a name="INDEX-59"/><a name="INDEX-60"/>, your system might not
+reboot properly, and you might be forced to boot into single-user
+mode to fix the problem. Before you edit
+<em class="filename">/etc/fstab</em>, be sure to make a backup copy of it,
+and be prepared to recover your system if anything goes wrong.</p>
+</blockquote>
+
+<p>Once the entry has been added, the system will automatically mount
+the share when booting. Or, the system administrator can manually
+mount or unmount the share with commands such as these:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mount /smb/e</b></tt>
+# <tt class="userinput"><b>umount /smb/e</b></tt></pre></blockquote>
+
+<a name="samba2-CHP-5-NOTE-126"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>It is possible to use <em class="emphasis">mount</em> and
+<em class="emphasis">umount</em> by giving them the UNC for the share
+using forward slashes, as in our <em class="filename">/etc/fstab</em>
+entry. However, be careful about this. A share might be listed more
+than once in <em class="filename">/etc/fstab</em> so that it can be
+mounted at more than one place in the Linux filesystem. If you use
+the UNC to specify the share you wish to mount or unmount, you might
+cause it to be mounted or unmounted at another mount point from the
+one you intended.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-4.3"/>
+
+<h3 class="head2">Common smbmount Options</h3>
+
+<p><a href="ch05.html#samba2-CHP-5-TABLE-1">Table 5-1</a> lists
+<em class="replaceable">key</em><tt class="literal">=</tt><em class="replaceable">value</em>
+pairs that can be used with the <em class="emphasis">-o</em> option of
+<em class="emphasis">smbmount</em> or in the options field of the
+<em class="filename">/etc/fstab</em> entry for the smbfs filesystem. See
+the <em class="emphasis">smbmount</em> manual page for a complete list of
+options.</p>
+
+<a name="samba2-CHP-5-TABLE-1"/><h4 class="head4">Table 5-1. smbmount options</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Key</p>
+</th>
+<th>
+<p>Value</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">username</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Provides the username, and optionally the password and workgroup, for
+authentication.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">password</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Provides the share or domain password, if it hasn't
+been supplied by another means.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">credentials</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Name of file containing the username and password.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">uid</tt></p>
+</td>
+<td>
+<p>string or numeric</p>
+</td>
+<td>
+<p>User ID to apply to all files and directories of the mounted share.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">gid</tt></p>
+</td>
+<td>
+<p>string or numeric</p>
+</td>
+<td>
+<p>Group ID to apply to all files and directories of the mounted share.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">fmask</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Permissions to apply to files. Default is based on current umask.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dmask</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Permissions to apply to directories. Default is based on current
+umask.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">debug</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Debug level.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Name of workgroup of remote server.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">guest</tt></p>
+</td>
+<td>
+<p>(none)</p>
+</td>
+<td>
+<p>Suppresses password prompt.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ro</tt></p>
+</td>
+<td>
+<p>(none)</p>
+</td>
+<td>
+<p>Mount read-only.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">rw</tt></p>
+</td>
+<td>
+<p>(none)</p>
+</td>
+<td>
+<p>Mount read/write. This is the default.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ttl</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Amount of time to cache the contents of directories. Defaults to 1000
+ms <a name="INDEX-62"/>.</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-5"/>
+
+<h2 class="head1">smbsh</h2>
+
+<p>The <em class="emphasis">smbsh</em><a name="INDEX-63"/> program is part of the Samba suite and
+works on some, but not all, Unix variants.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> Effectively, it adds a wrapper around the
+user's command shell, enabling it and common Unix
+utilities to work on files and directories in SMB shares, in addition
+to files and directories in the local Unix filesystem. From the
+user's perspective, the effect is that of a
+simulated mount of the SMB shares onto the Unix filesystem.</p>
+
+<p><em class="emphasis">smbsh</em> works by running the shell and programs
+run from it in an environment in which calls to the standard C
+library are redirected to the
+<em class="emphasis">smbwrapper</em><a name="INDEX-64"/> library, which has support for
+operating on SMB shares. This redirection can work only if the
+program being run is dynamically linked. Fortunately, modern Unix
+versions ship with most common utilities linked dynamically rather
+than statically.</p>
+
+<a name="samba2-CHP-5-NOTE-127"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>To determine whether a program is dynamically or statically linked,
+try using the <em class="emphasis">file</em> command.</p>
+</blockquote>
+
+<p>To use <em class="emphasis">smbsh</em>, your Samba installation must be
+configured using the configure option
+<tt class="literal">--with-smbwrapper</tt>.</p>
+
+<p>If you have a number of Unix systems with the same host operating
+system and architecture and don't want to bother
+with a full Samba installation, you can simply move the following
+files to the other systems:</p>
+
+<blockquote><pre class="code">/usr/local/samba/bin/smbsh
+/usr/local/samba/bin/smbwrapper.so
+/usr/local/samba/lib/smb.conf</pre></blockquote>
+
+<p>Make sure that <em class="filename">/usr/local/samba/bin</em> is in your
+shell's search path. The
+<em class="filename">smb.conf</em><a name="INDEX-65"/><a name="INDEX-66"/> file is
+needed only for <em class="emphasis">smbsh</em> to determine the workgroup
+or domain and does not need to be as elaborate as your Samba
+server's configuration file.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-5.1"/>
+
+<h3 class="head2">An Interactive Session with smbsh</h3>
+
+<p><a name="INDEX-67"/>To start <em class="emphasis">smbsh</em>,
+simply type in the <em class="emphasis">smbsh</em> command at the shell
+prompt. You will be prompted for a username and password with which
+to authenticate on the SMB network:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbsh</b></tt>
+Username: davecb
+Password:
+smbsh$</pre></blockquote>
+
+<p>While working within the <em class="emphasis">smbsh</em> shell, you have a
+virtual <em class="filename">/smb</em> directory. This does not actually
+exist in the Unix filesystem and is supported within
+<em class="emphasis">smbsh</em> only to help organize the SMB shares in a
+structure familiar to Unix users. You can list the contents of the
+<em class="filename">/smb</em> virtual directory and get a list of
+workgroups in the local network, which are also presented as virtual
+directories:</p>
+
+<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd /smb ; ls</b></tt>
+ZOOL PLANK BACIL</pre></blockquote>
+
+<p>You can change your working directory to one of the workgroup virtual
+directories, and listing one of them will show the computers in the
+workgroup:</p>
+
+<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd ZOOL ; ls</b></tt>
+ANTILLES         DODO             MILO             SEAL
+ARGON            HANGGLIDE        OSTRICH          SPARTA
+BALLET           INFUSION         PLAQUE           THEBES
+CHABLIS          JAZ              PRAETORIAN       TJ
+COBRA            KIKO             RAYOPCI          TRANCE
+COUGUR           MACHINE-HEADPCI  RUMYA            VIPERPCI
+CRUSTY           MATHUMA          SCOT</pre></blockquote>
+
+<p>Likewise, you can change your current directory to, and list the
+contents of, a computer virtual directory, and then you can see a
+listing of shares offered by that computer:</p>
+
+<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd scot ; ls</b></tt>
+ADMIN$      davecb      nc          np2s        pl
+ace         dhcp-mrk03  np          nps         xp
+cl          ep          np2         opcom</pre></blockquote>
+
+<p>This is the lowest level of
+<em class="emphasis">smbsh</em>'s virtual directory
+system. Once you <em class="emphasis">cd</em> into a share, you are within
+the SMB share on the remote computer:</p>
+
+<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd davecb ; ls</b></tt>
+Mail                                mkanalysis_dirs.idx
+SUNWexplo                           nfs.ps
+Sent                                nsmail
+allsun.html                         projects.txt
+bin                                 sumtimex</pre></blockquote>
+
+<p>Once in a remote share, most of the Unix shell utilities will work,
+and you can operate on files and directories much as you would on any
+Unix system. You can even create symbolic links in the Unix
+filesystem pointing to files and directories in the SMB share.
+However, attempts to create symbolic links in the SMB share will fail
+unless the share is being served by Samba with support for Unix CIFS
+extensions.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-6"/>
+
+<h2 class="head1">smbutil and mount_smbfs</h2>
+
+<p>The <em class="emphasis">smbutil</em> and <em class="emphasis">mount_smbfs</em>
+programs provide SMB client functionality for FreeBSD, Darwin, and
+Mac OS X. Neither of the programs is part of the Samba distribution;
+however, we are including them to give you a little additional
+support in case you have BSD-related Unix systems on your network.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-6.1"/>
+
+<h3 class="head2">smbutil</h3>
+
+<p>The <em class="emphasis">smbutil</em><a name="INDEX-68"/> program provides functionality similar
+to some of the Samba suite's command-line utilities.
+It can be used to list the shares available on an SMB server or
+perform NetBIOS name lookups.</p>
+
+<p>The first argument given to <em class="emphasis">smbutil</em> is one of a
+number of subcommands and is usually followed by arguments specific
+to the subcommand. For example, to list the resources offered by a
+server, use the <em class="emphasis">view</em> subcommand, and enter your
+server password when prompted:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil view //vamana</b></tt>
+Password:
+Share        Type        Comment
+-------------------------------------------------------------
+public        disk
+SS2500        printer     Stylus Scan 2500
+IPC$          pipe        IPC Service (Samba 2.2.5)
+ADMIN$        disk        IPC Service (Samba 2.2.5)
+leonvs        disk        User Home Directories
+
+5 shares listed from 5 available</pre></blockquote>
+
+<p>If you wish to connect to the server with a username that differs
+from that on your client, you can specify it on the command line by
+preceding the name of the server with the username and using an at
+sign (<tt class="literal">@</tt>) as a separator:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil view //leonvs@vamana</b></tt></pre></blockquote>
+
+<p>You can also include the password after the username, using a colon
+(:) as a separator, to avoid being prompted for
+it:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil view //leonvs:leonspassword@vamana</b></tt></pre></blockquote>
+
+<p>Typing your password in the open like this is strongly discouraged.
+It's a little better if you use an encrypted
+password, which you can generate using
+<em class="emphasis">smbutil</em>'s
+<em class="emphasis">crypt</em> subcommand:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil crypt leonspassword</b></tt>
+$$1625a5723293f0710e5faffcfc6</pre></blockquote>
+
+<p>This can then be used in place of a clear-text password. However, the
+encryption is not particularly strong and will foil only the most
+casual inspection. As noted earlier, the only reasonably secure
+method of providing a password is to be prompted for it.</p>
+
+<p>While starting up, <em class="emphasis">smbutil</em> reads the file
+<em class="filename">.nsmbrc</em><a name="INDEX-69"/> in the user's home
+directory. Also, the file
+<em class="filename">/usr/local/etc/nsmb.conf</em><a name="INDEX-70"/><a name="INDEX-71"/> is read, and directives in that file
+override those in users'
+<em class="filename">~/.nsmbrc</em> files. This is to allow administrators
+to apply mandatory settings to all users. Directives can be placed in
+this file using the section and parameter format similar to that of
+the Samba configuration file. A list of common configuration
+parameters is given in <a href="ch05.html#samba2-CHP-5-TABLE-2">Table 5-2</a>.</p>
+
+<p>For example, to keep your password in your
+<em class="filename">~/.nsmbrc</em> file, you can create an entry in the
+file such as the following:</p>
+
+<blockquote><pre class="code">[VAMANA:LEONVS]
+    password=$$1625a5723293f0710e5faffcfc6</pre></blockquote>
+
+<p>The section heading in brackets specifies the SMB
+server's NetBIOS name and the username to which the
+subsequent parameter settings apply. (The hostname and username
+should be supplied in uppercase characters.) Section headings can
+also consist of just a hostname or can contain a share name as a
+third element for specifying parameters applicable to a single share.
+Finally, if a <tt class="literal">[default]</tt> section is present, the
+settings in it apply to all connections.</p>
+
+<p>The following example <em class="filename">.nsmbrc</em> shows some of the
+other parameters you might use:</p>
+
+<blockquote><pre class="code">[default]
+    username=leonvs
+    # NetBIOS name server
+    nbns=192.168.1.3
+
+[VAMANA]
+    # server IP address
+    addr=192.168.1.6
+    workgroup=TEST
+
+[VAMANA:LEONVS]
+    password=$$1625a5723293f0710e5faffcfc6</pre></blockquote>
+
+<p>Another thing you can do with <em class="emphasis">smbutil</em> is
+<a name="INDEX-72"/><a name="INDEX-73"/><a name="INDEX-74"/>translate between IP addresses or DNS
+names and
+<a name="INDEX-75"/>NetBIOS
+names. For example, the <em class="emphasis">status</em> subcommand takes
+an IP address or DNS hostname as an argument and returns the
+corresponding SMB server's NetBIOS name and
+workgroup:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil status 192.168.1.6</b></tt>
+Workgroup: TEST
+Server: VAMANA</pre></blockquote>
+
+<p>The <em class="emphasis">lookup</em> subcommand returns the IP address
+associated with a given NetBIOS hostname. A NetBIOS name server can
+be optionally specified with the <em class="emphasis">-w</em> argument:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil lookup -w 192.168.1.3 VAMANA</b></tt>
+Got response from 192.168.1.3
+IP address of VAMANA: 192.168.1.6</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-6.2"/>
+
+<h3 class="head2">mount_smbfs</h3>
+
+<p>The <em class="emphasis">mount_smbfs</em><a name="INDEX-76"/> program performs essentially the same
+function as <em class="emphasis">smbmount</em> on Linux. It mounts an SMB
+share on a directory in the local filesystem. The SMB share can then
+be accessed just like any other directory, subject to some behavioral
+differences noted earlier in <a href="ch05.html#samba2-CHP-5-SECT-4.1">Section 5.4.1</a>.</p>
+
+<p>The command synopsis for <em class="emphasis">mount_smbfs</em> is:</p>
+
+<blockquote><pre class="code">mount_smbfs <em class="replaceable">[options]</em> <em class="replaceable">Share-UNC</em> <em class="replaceable">mount-point</em></pre></blockquote>
+
+<p>where <em class="replaceable">Share-UNC</em> is of the form:</p>
+
+<blockquote><pre class="code">//[<em class="replaceable">workgroup</em>;][<em class="replaceable">username</em>[:<em class="replaceable">password</em>]@]<em class="replaceable">server</em>[/<em class="replaceable">share</em>]</pre></blockquote>
+
+<p>For example:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mount_smbfs '//TEST;leonvs:$$1625a5723293f0710e5faffcfc6@vamana/leonvs' /</b></tt>
+\<tt class="userinput"><b>Volumes/leonvs</b></tt></pre></blockquote>
+
+<p>The ownership and permissions of the mount point determine the
+default ownership and permissions for files and directories in the
+mounted share. These can be modified with command-line arguments,
+like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mount_smbfs -u leonvs -g admin -f 0750 -d 0755 //leonvs@vamana/leonvs </b></tt>
+\<tt class="userinput"><b>/Volumes/leonvs</b></tt></pre></blockquote>
+
+<p>In this example, the files and directories in the mounted share will
+be owned by the user leonvs and the group admin, with files and
+directories having permissions 750 and 755, respectively. (As usual,
+the permissions are specified in the octal format used by the Unix
+<em class="emphasis">chmod</em> command.)</p>
+
+<p>The <em class="emphasis">mount_smbfs</em><a name="INDEX-77"/><a name="INDEX-78"/> command
+also makes use of settings in
+<em class="filename">/usr/local/etc/nsmb.conf</em> and
+<em class="filename">~/.nsmbrc</em>, as described earlier. A list of
+common configuration parameters and command-line options is provided
+in <a href="ch05.html#samba2-CHP-5-TABLE-2">Table 5-2</a>.</p>
+
+<a name="samba2-CHP-5-TABLE-2"/><h4 class="head4">Table 5-2. Common smbutil and mount_smbfs options</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Command-line option</p>
+</th>
+<th>
+<p>Configuration file parameter</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">-I</tt> <em class="replaceable">hostname</em></p>
+</td>
+<td>
+<p><tt class="literal">addr</tt></p>
+</td>
+<td>
+<p>Avoid NetBIOS name resolution and connect to the server using the
+specified DNS hostname or IP address.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-N</p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Do not prompt for a password.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-R <em class="replaceable">count</em></p>
+</td>
+<td>
+<p><tt class="literal">retry_count</tt></p>
+</td>
+<td>
+<p>Number of times to retry connection before giving up.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-T <em class="replaceable">seconds</em></p>
+</td>
+<td>
+<p><tt class="literal">timeout</tt></p>
+</td>
+<td>
+<p>Timeout, in seconds, per connection request.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-U <em class="replaceable">username</em></p>
+</td>
+<td>
+<p><tt class="literal">username</tt></p>
+</td>
+<td>
+<p>Username to use for authentication. Defaults to Unix username.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-W <em class="replaceable">workgroup</em></p>
+</td>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+<td>
+<p>Name of workgroup of remote server.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-d <em class="replaceable">mode</em></p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Permissions to apply to directories in the mounted share. Defaults to
+the same as the file permissions, plus an execute (search) bit
+whenever the read bit is set.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-f <em class="replaceable">mode</em></p>
+</td>
+<td>
+<p><em class="filename">none</em></p>
+</td>
+<td>
+<p>Permissions to apply to files in the mounted share. Defaults to the
+same as the permissions set on the directory used as the mount point.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-g <em class="replaceable">group</em></p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Name or numeric GID to apply to all files and directories in the
+mounted share. Defaults to the group of the directory used as the
+mount point.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-n <em class="replaceable">long</em></p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Disable support for long filenames. Restrict filenames to 8.3 naming
+standard.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-u <em class="replaceable">username</em></p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Username or numeric UID to apply as the owner of all files and
+directories in the mounted share. Defaults to the owner of the
+directory used as the mount point.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-w <em class="replaceable">hostname</em></p>
+</td>
+<td>
+<p><tt class="literal">nbns</tt></p>
+</td>
+<td>
+<p>Hostname or IP address of the NetBIOS name server.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p><tt class="literal">password</tt></p>
+</td>
+<td>
+<p>Password to use for authentication.</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-6.3"/>
+
+<h3 class="head2">Mac OS X</h3>
+
+<p><a name="INDEX-79"/>In addition to
+<em class="emphasis">smbutil</em> and <em class="emphasis">mount_smbfs</em>, OS
+X includes a graphical interface to the functionality they provide.
+To use this interface, open the Go menu and select the Connect to
+Server . . . menu item. Instead of using a UNC, specify the share in
+the form of a Uniform Resource Identifier (URI) with a prefix of
+<tt class="literal">smb://</tt> entered in the Address field, as shown in
+<a href="ch05.html#samba2-CHP-5-FIG-5">Figure 5-5</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-5"/><img src="figs/sam2_0505.gif"/></div><h4 class="head4">Figure 5-5. OS X Connect to Server dialog</h4>
+
+<p>You can specify a server, share, workgroup, username, and password
+(optionally encrypted with <em class="emphasis">smbutil crypt</em>) in the
+URI, in the same format as the UNC argument to
+<em class="emphasis">mount_smbfs</em>. If you don't
+specify a share name in the URI, you will be shown a window that lets
+you choose from a list of shares available to mount. See <a href="ch05.html#samba2-CHP-5-FIG-6">Figure 5-6</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-6"/><img src="figs/sam2_0506.gif"/></div><h4 class="head4">Figure 5-6. Selecting a share to mount</h4>
+
+<p>Only guest-accessible shares will show up in the list until
+you've authenticated. After pressing the
+Authenticate button, you'll be prompted for a
+workgroup, username, and password, as shown in <a href="ch05.html#samba2-CHP-5-FIG-7">Figure 5-7</a>. You'll also see this dialog
+if you provide a share name in the URI, but not a username and
+password.<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a></p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-7"/><img src="figs/sam2_0507.gif"/></div><h4 class="head4">Figure 5-7. Client authentication</h4>
+
+<p>As usual for Mac OS X, shares are mounted under
+<em class="filename">/Volumes</em>, but show up in the root of the Finder
+hierarchy.</p>
+
+<p>If you have a WINS server on your network, you can provide the
+server's IP address in the Directory Access
+application, or by using the <tt class="literal">wins</tt>
+<tt class="literal">server</tt> parameter in
+<em class="filename">/etc/smb.conf</em>.</p>
+
+<p>If you don't know the name of a server to which you
+wish to connect, you can look for it in the browse list, using the
+graphical frontend to the <em class="emphasis">nmblookup</em> command
+provided with Samba. Click the downward-pointing arrow in the Connect
+to Server . . . dialog box to show a hierarchical, column-based view
+of available workgroups and servers, similar to that shown in <a href="ch05.html#samba2-CHP-5-FIG-8">Figure 5-8</a>. If your client is also acting as an SMB file
+server, it won't show up in its own browse
+list.<a name="INDEX-80"/></p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-8"/><a name="INDEX-81"/><img src="figs/sam2_0508.gif"/></div><h4 class="head4">Figure 5-8. Browsing the network</h4>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> An alternative to extracting
+the tar archive directly to the SMB share is to use the Unix
+system's <em class="emphasis">tar</em> command to extract
+it to a directory on the Unix server, then copy the desired file(s)
+to a shared directory. This allows a greater amount of control over
+the restoration process, as when correcting for an accidental file
+deletion or reverting a set of files to a previous condition.</p>
+<a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Samba Versions
+2.2.4 and later have support for Unix CIFS extensions developed by
+Hewlett-Packard, which add full support for Unix ownership, group,
+and permissions in smbfs filesystems when shared between two Samba
+systems. You will also need a recent version of smbfs in your Linux
+kernel.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> At the
+time of this writing, <em class="emphasis">smbsh</em> does not work on
+HP/UX or Linux. However, Linux support might return in the
+future.</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> If you've previously
+stored your authentication information in a Keychain, you will
+instead be prompted for your Keychain password.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch06.html b/docs/htmldocs/using_samba/ch06.html
new file mode 100644
index 0000000000..a507b7c9d9
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch06.html
@@ -0,0 +1,2727 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 6. The Samba Configuration File</h1>
+
+
+<p><a name="INDEX-1"/>In
+previous chapters, we showed you how to install Samba on a Unix
+server and set up Windows clients to use a simple disk share. This
+chapter will show you how Samba can assume more productive roles on
+your network.</p>
+
+<p>Samba's daemons, <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em>, are controlled through a single ASCII
+file, <em class="filename">smb.conf</em>, that can contain over 300 unique
+options (also called parameters). Some of these options you will use
+and change frequently; others you might never use, depending on how
+much functionality you want Samba to offer its clients.</p>
+
+<p>This chapter introduces the structure of the Samba configuration file
+and shows you how to use options to create and modify disk shares.
+Subsequent chapters will discuss browsing, how to configure users,
+security, printing, and other topics related to implementing Samba on
+your network.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-1"/>
+
+<h2 class="head1">The Samba Configuration File</h2>
+
+<p>The Samba configuration file, called <em class="filename">smb.conf</em> by
+default, uses the same format as Windows
+<em class="filename">.ini</em><a name="INDEX-2"/><a name="INDEX-3"/> files. If you have ever worked with a
+<em class="filename">.ini</em> file, you will find
+<em class="filename">smb.conf</em> easy to create and modify. Even if you
+haven't, you will find the format to be simple and
+easy to learn. Here is an example of a Samba
+<a name="INDEX-4"/>configuration
+file:</p>
+
+<blockquote><pre class="code">[global]
+    workgroup = METRAN
+    encrypt passwords = yes
+    wins support = yes
+    log level = 1 
+    max log size = 1000
+    read only = no
+[homes] 
+    browsable = no
+    map archive = yes
+[printers] 
+    path = /var/tmp
+    printable = yes
+    min print space = 2000
+[test]
+    browsable = yes
+    read only = yes
+    path = /usr/local/samba/tmp</pre></blockquote>
+
+<p>This configuration file is based on the one we created in <a href="ch02.html">Chapter 2</a> and sets up a workgroup in which Samba
+authenticates users using encrypted passwords and the default
+user-level security method. Samba is providing WINS name server
+support. We've configured very basic event logging
+to use a log file not to exceed 1MB in size. The
+<tt class="literal">[homes]</tt> share has been added to allow Samba to
+create a disk share for the home directory of each user who has a
+standard Unix account on the server. In addition, each printer
+registered on the server will be publicly available, as will a single
+read-only share that maps to the
+<em class="filename">/usr/local/samba/tmp</em> directory.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-1.1"/>
+
+<h3 class="head2">Configuration File Structure</h3>
+
+<p><a name="INDEX-5"/>Let's take another
+look at this configuration file, this time from a higher level:</p>
+
+<blockquote><pre class="code">[global] 
+    ...
+[homes] 
+    ...
+[printers] 
+    ...
+[test] 
+    ...</pre></blockquote>
+
+<p><a name="INDEX-6"/><a name="INDEX-7"/>The
+names inside the square brackets delineate unique
+<em class="firstterm">sections</em> of the <em class="filename">smb.conf</em>
+file; each section names the share (or service) to which the section
+refers. For example, the <tt class="literal">[test]</tt> and
+<tt class="literal">[homes]</tt> sections are unique disk shares; they
+contain options that map to specific directories on the Samba server.
+The <tt class="literal">[printers]</tt> share contains options that map to
+various printers on the server. All the sections defined in the
+<em class="filename">smb.conf</em> file, with the exception of the
+<tt class="literal">[global]</tt> section, will be available as a disk or
+printer share to clients connecting to the Samba server.</p>
+
+<p>The remaining lines are individual configuration options for that
+share. These options will continue until a new section is encountered
+or until the end of the file is reached. Each configuration option
+follows a simple format:</p>
+
+<blockquote><pre class="code"><em class="replaceable">option</em> = <em class="replaceable">value</em></pre></blockquote>
+
+<p><a name="INDEX-8"/>Options in
+the <em class="filename">smb.conf</em> file are set by assigning a value
+to them. We should warn you up front that some of the option names in
+Samba are poorly chosen. For example, <tt class="literal">read</tt>
+<tt class="literal">only</tt> is self-explanatory and is typical of many
+recent Samba options. The <tt class="literal">public</tt> option is an
+older option and is vague. It now has a less-confusing synonym
+<tt class="literal">guest</tt> <tt class="literal">ok</tt> (meaning it can be
+accessed by guests). <em class="emphasis">Appendix B</em> contains an
+alphabetical index of all the configuration options and their
+meanings.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.1"/>
+
+<h3 class="head3">Whitespace, quotes, and commas</h3>
+
+<p>An important item to remember about configuration options is that all
+whitespace within the <em class="replaceable">value</em> is
+significant. For example, consider the following option:</p>
+
+<blockquote><pre class="code">volume = The Big Bad Hard Drive Number 3543</pre></blockquote>
+
+<p>Samba strips away the spaces up to the first <tt class="literal">T</tt> in
+<tt class="literal">The</tt>. These whitespaces are insignificant. The rest
+of the whitespaces are significant and will be recognized and
+preserved by Samba when reading in the file. Space is not significant
+in option names (such as <tt class="literal">read</tt>
+<tt class="literal">only</tt>), but we recommend you follow convention and
+keep spaces between the words of options.</p>
+
+<p>If you feel safer including quotation marks at the beginning and end
+of a configuration option's value, you can do so.
+Samba will ignore these quotation marks when it encounters them.
+Never use quotation marks around an option name; Samba will treat
+this as an error.</p>
+
+<p>Usually, you can use whitespaces or commas to separate a series of
+values in a list. These two options are equivalent:</p>
+
+<blockquote><pre class="code">netbios aliases = sales, accounting, payroll
+netbios aliases = sales accounting payroll</pre></blockquote>
+
+<p>In some cases, you must use one form of separation&mdash;sometimes
+spaces are required, and sometimes commas.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.2"/>
+
+<h3 class="head3">Capitalization</h3>
+
+<p><a name="INDEX-9"/>Capitalization
+is not important in the Samba configuration file except in locations
+where it would confuse the underlying operating system. For example,
+let's assume that you included the following option
+in a share that pointed to <em class="filename">/export/samba/simple
+</em>:</p>
+
+<blockquote><pre class="code">PATH = /EXPORT/SAMBA/SIMPLE</pre></blockquote>
+
+<p>Samba would have no problem with the <tt class="literal">path</tt>
+configuration option appearing entirely in capital letters. However,
+when it tries to connect to the given directory, it would be
+unsuccessful because the Unix filesystem <em class="emphasis">is</em>
+case-sensitive. Consequently, the path listed would not be found, and
+clients could not connect to the share.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.3"/>
+
+<h3 class="head3">Line continuation</h3>
+
+<p><a name="INDEX-10"/>You can continue a line in the
+Samba configuration file using the backslash, like this:</p>
+
+<blockquote><pre class="code">comment = The first share that has the primary copies \
+          of the new Teamworks software product.</pre></blockquote>
+
+<p>Because of the backslash, these two lines will be treated as one line
+by Samba. The second line begins at the first nonwhitespace character
+that Samba encounters; in this case, the <tt class="literal">o</tt> in
+<tt class="literal">of</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.4"/>
+
+<h3 class="head3">Comments</h3>
+
+<p><a name="INDEX-11"/>You can
+insert comments in the <em class="filename">smb.conf</em> configuration
+file by starting a line with either a hash (<tt class="literal">#</tt>) or
+a semicolon ( <tt class="literal">;</tt> ). For this purpose, both
+characters are equivalent. For example, the first three lines in the
+following example would be considered comments:</p>
+
+<blockquote><pre class="code">#  This is the printers section. We have given a minimum print 
+;  space of 2000 to prevent some errors that we've seen when
+;  the spooler runs out of space.
+
+[printers] 
+    public = yes
+    min print space = 2000</pre></blockquote>
+
+<p>Samba will ignore all comment lines in its configuration file; there
+are no limitations to what can be placed on a comment line after the
+initial hash mark or semicolon. Note that the line continuation
+character (<tt class="literal">\</tt>) will <em class="emphasis">not</em> be
+honored on a commented line. Like the rest of the line, it is
+ignored.</p>
+<a name="samba2-CHP-6-NOTE-128"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Samba does not allow mixing of comment lines and parameters. Be
+careful not to put comments on the same line as anything else, such
+as:</p>
+
+
+<blockquote><pre class="code">path = /d # server's data partition</pre></blockquote>
+
+
+<p>Errors such as this, where the parameter value is defined with a
+string, can be tricky to notice. The <em class="emphasis">testparm</em>
+program won't complain, and the only clues
+you'll receive are that
+<em class="emphasis">testparm</em> reports the <tt class="literal">path</tt>
+parameter set to <tt class="literal">/d # server's data partition</tt>, and
+the failures that result when clients attempt to access the share.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.5"/>
+
+<h3 class="head3">Changes at runtime</h3>
+
+<p><a name="INDEX-12"/>You can modify the
+<em class="filename">smb.conf</em> configuration file and any of its
+options at any time while the Samba daemons are running. By default,
+Samba checks the configuration file every 60 seconds. If it finds any
+changes, they are immediately put into effect.</p>
+
+<a name="samba2-CHP-6-NOTE-129"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Having Samba check the configuration file automatically can be
+convenient, but it also means that if you edit
+<em class="filename">smb.conf</em> directly, you might be immediately
+changing your network's <a name="INDEX-13"/>configuration every time you save the
+file. If you're making anything more than a minor
+change, it may be wiser to copy <em class="filename">smb.conf</em> to a
+temporary file, edit that, run <tt class="literal">testparm</tt>
+<em class="replaceable">filename</em> to check it, and then copy the
+temporary file back to <em class="filename">smb.conf</em>. That way, you
+can be sure to put all your changes into effect at once, and only
+after you are confident that you have created the exact configuration
+you wish to implement.</p>
+</blockquote>
+
+<p>If you don't want to wait for the configuration file
+to be reloaded automatically, you can force a reload either by
+sending a hangup signal to the <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em> processes or simply by restarting the
+daemons. Actually, it can be a good idea to restart the daemons
+because it forces the clients to disconnect and reconnect, ensuring
+that the new configuration is applied to all clients. We showed you
+how to restart the daemons in <a href="ch02.html">Chapter 2</a>, and
+sending them a hangup (HUP) signal is very similar. On Linux, it can
+be done with the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>killall -HUP smbd nmbd</b></tt></pre></blockquote>
+
+<p>In this case, not all changes will be immediately recognized by
+clients. For example, changes to a share that is currently in use
+will not be registered until the client disconnects and reconnects to
+that share. In addition, server-specific parameters such as the
+workgroup or NetBIOS name of the server will not go into effect
+immediately either. (This behavior was implemented intentionally
+because it keeps active clients from being suddenly disconnected or
+encountering unexpected access problems while a session is open.)
+<a name="INDEX-14"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-1.2"/>
+
+<h3 class="head2">Variables</h3>
+
+<p><a name="INDEX-15"/>Because a
+new copy of the<em class="filename"> </em><em class="emphasis">smbd</em> daemon
+is created for each connecting client, it is possible for each client
+to have its own customized configuration file. Samba allows a
+limited, yet useful, form of variable substitution in the
+configuration file to allow information about the Samba server and
+the client to be included in the configuration at the time the client
+connects. Inside the configuration file, a variable begins with a
+percent sign (<tt class="literal">%</tt>), followed by a single upper- or
+lowercase letter, and can be used only on the right side of a
+configuration option (i.e., after the equal sign). An example is:</p>
+
+<blockquote><pre class="code">[pub]
+    path = /home/ftp/pub/%a</pre></blockquote>
+
+<p>The <tt class="literal">%a</tt><a name="INDEX-16"/> stands for the client
+system's architecture and will be replaced as shown
+in <a href="ch06.html#samba2-CHP-6-TABLE-1">Table 6-1</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-1"/><h4 class="head4">Table 6-1. %a substitution</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Client operating system
+(&quot;architecture&quot;)</p>
+</th>
+<th>
+<p>Replacement string</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Windows for Workgroups</p>
+</td>
+<td>
+<p><tt class="literal">WfWg</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95 and Windows 98</p>
+</td>
+<td>
+<p><tt class="literal">Win95</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT</p>
+</td>
+<td>
+<p><tt class="literal">WinNT</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 2000 and Windows XP</p>
+</td>
+<td>
+<p><tt class="literal">Win2K</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Samba</p>
+</td>
+<td>
+<p><tt class="literal">Samba</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Any OS not listed earlier</p>
+</td>
+<td>
+<p><tt class="literal">UNKNOWN</tt></p>
+</td>
+</tr>
+
+</table>
+
+<p>In this example, Samba will assign a unique path for the
+<tt class="literal">[pub]</tt> share to client systems based on what
+operating system they are running. The paths that each client would
+see as its share differ according to the client's
+architecture:</p>
+
+<blockquote><pre class="code">/home/ftp/pub/WfwG
+/home/ftp/pub/Win95
+/home/ftp/pub/WinNT
+/home/ftp/pub/Win2K
+/home/ftp/pub/Samba
+/home/ftp/pub/UNKNOWN</pre></blockquote>
+
+<p>Using variables in this manner comes in handy if you wish to have
+different users run custom configurations based on their own unique
+characteristics or conditions.
+<a name="INDEX-17"/><a name="INDEX-18"/>Samba
+has 20 variables, as shown in <a href="ch06.html#samba2-CHP-6-TABLE-2">Table 6-2</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-2"/><h4 class="head4">Table 6-2. Samba variables</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Variable</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><b class="emphasis-bold">Client variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%a</tt><a name="INDEX-19"/></p>
+</td>
+<td>
+<p>Client's architecture (see <a href="ch06.html#samba2-CHP-6-TABLE-1">Table 6-1</a>)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%I</tt><a name="INDEX-20"/></p>
+</td>
+<td>
+<p>Client's IP address (e.g., 172.16.1.2)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%m</tt><a name="INDEX-21"/></p>
+</td>
+<td>
+<p>Client's NetBIOS name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%M</tt><a name="INDEX-22"/></p>
+</td>
+<td>
+<p>Client's DNS name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b class="emphasis-bold">User variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%u</tt><a name="INDEX-23"/></p>
+</td>
+<td>
+<p>Current Unix username</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%U</tt><a name="INDEX-24"/></p>
+</td>
+<td>
+<p>Requested client username (not always used by Samba)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%H</tt><a name="INDEX-25"/></p>
+</td>
+<td>
+<p>Home directory of <tt class="literal">%u</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%g</tt><a name="INDEX-26"/></p>
+</td>
+<td>
+<p>Primary group of <tt class="literal">%u</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%G</tt><a name="INDEX-27"/></p>
+</td>
+<td>
+<p>Primary group of <tt class="literal">%U</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b class="emphasis-bold">Share variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%S</tt><a name="INDEX-28"/></p>
+</td>
+<td>
+<p>Current share's name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%P</tt><a name="INDEX-29"/></p>
+</td>
+<td>
+<p>Current share's root directory</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%p</tt><a name="INDEX-30"/></p>
+</td>
+<td>
+<p>Automounter's path to the share's
+root directory, if different from <tt class="literal">%P</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b class="emphasis-bold">Server variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%d</tt><a name="INDEX-31"/></p>
+</td>
+<td>
+<p>Current server process ID</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%h</tt><a name="INDEX-32"/></p>
+</td>
+<td>
+<p>Samba server's DNS hostname</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%L</tt><a name="INDEX-33"/></p>
+</td>
+<td>
+<p>Samba server's NetBIOS name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%N</tt><a name="INDEX-34"/></p>
+</td>
+<td>
+<p>Home directory server, from the automount map</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%v</tt><a name="INDEX-35"/></p>
+</td>
+<td>
+<p>Samba version</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b class="emphasis-bold">Miscellaneous variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%R</tt><a name="INDEX-36"/></p>
+</td>
+<td>
+<p>The SMB protocol level that was negotiated</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%T</tt><a name="INDEX-37"/></p>
+</td>
+<td>
+<p>The current date and time</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-38"/>%$<em class="replaceable">var</em></p>
+</td>
+<td>
+<p>The value of environment variable <tt class="literal">var</tt></p>
+</td>
+</tr>
+
+</table>
+
+<p>Here's another example of using
+<a name="INDEX-39"/><a name="INDEX-40"/><a name="INDEX-41"/>variables: let's say there
+are five clients on your network, but one client,
+<tt class="literal">maya</tt>, requires a slightly different
+<tt class="literal">[homes]</tt> configuration. With Samba,
+it's simple to handle this:</p>
+
+<blockquote><pre class="code">[homes] 
+    ...
+    include = /usr/local/samba/lib/smb.conf.%m
+    ...</pre></blockquote>
+
+<p>The <tt class="literal">include</tt> option here causes a separate
+configuration file for each particular NetBIOS machine
+(<tt class="literal">%m</tt>) to be read in addition to the current file.
+If the hostname of the client system is <tt class="literal">maya</tt>, and
+if a <em class="filename">smb.conf.maya</em> file exists in the
+<em class="filename">/usr/local/samba/lib</em> directory, Samba will
+insert that configuration file into the default one. If any
+configuration options are restated in
+<em class="filename">smb.conf.maya</em>, those values will override any
+options previously encountered in that share. Note that we say
+&quot;previously.&quot; If any options are
+restated in the main configuration file after the
+<tt class="literal">include</tt> option, Samba will honor those restated
+values for the share in which they are defined.</p>
+
+<p>If the file specified by the <tt class="literal">include</tt> parameter
+does not exist, Samba will not generate an error. In fact, it
+won't do anything at all. This allows you to create
+only one extra configuration file for <tt class="literal">maya</tt> when
+using this strategy, instead of one for each client that is on the
+network.</p>
+
+<p>Client-specific configuration files can be used to customize
+particular clients. They also can be used to make debugging Samba
+easier. For example, if we have one client with a problem, we can use
+this approach to give it a private log file with a more verbose
+logging level. This allows us to see what Samba is doing without
+slowing down all the other clients or overflowing the disk with
+useless logs.</p>
+
+<p>You can use the variables in <a href="ch06.html#samba2-CHP-6-TABLE-2">Table 6-2</a> to give
+custom values to a variety of Samba options. We will highlight
+several of these options as we move through the next few chapters.
+<a name="INDEX-42"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-2"/>
+
+<h2 class="head1">Special Sections</h2>
+
+<p>Now that we've gotten our feet wet with variables,
+there are a few special sections of the Samba configuration file that
+we should talk about. Again, don't worry if you do
+not understand every configuration option listed here;
+we'll go over each of them in the upcoming chapters.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-2.1"/>
+
+<h3 class="head2">The [ global] Section</h3>
+
+<p>The <tt class="literal">[global]</tt><a name="INDEX-43"/><a name="INDEX-44"/> section appears in virtually
+every Samba configuration file, even though it is not mandatory.
+There are two purposes for the <tt class="literal">[global]</tt> section.
+Server-wide settings are defined here, and any options that apply to
+shares will be used as a default in all share definitions, unless
+overridden within the share definition.</p>
+
+<p>To illustrate this, let's again look at the example
+at the beginning of the chapter:</p>
+
+<blockquote><pre class="code">[global]
+    workgroup = METRAN
+    encrypt passwords = yes
+    wins support = yes
+    log level = 1 
+    max log size = 1000
+    read only = no
+[homes] 
+    browsable = no
+    map archive = yes
+[printers] 
+    path = /var/tmp
+    printable = yes
+    min print space = 2000
+[test]
+    browsable = yes
+    read only = yes
+    path = /usr/local/samba/tmp</pre></blockquote>
+
+<p>When a client connects to the <tt class="literal">[test]</tt> share, Samba
+first reads the <tt class="literal">[global]</tt> section and sets the
+option <tt class="literal">read</tt> <tt class="literal">only</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> as the global default for
+each share it encounters throughout the configuration file. This
+includes the <tt class="literal">[homes]</tt> and <tt class="literal">[test]</tt>
+shares. When it reads the definition of the <tt class="literal">[test]</tt>
+share, it then finds the configuration option <tt class="literal">read</tt>
+<tt class="literal">only</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt>
+and overrides the default from the <tt class="literal">[global]</tt>
+section with the value <tt class="literal">yes</tt>.</p>
+
+<p>Any option that appears before the first marked section is assumed to
+be a global option. This means that the <tt class="literal">[global]</tt>
+section heading is not absolutely required; however, we suggest you
+always include it for clarity and to ensure future compatibility.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-2.2"/>
+
+<h3 class="head2">The [ homes] Section</h3>
+
+<p>If a client attempts to connect to a share that
+doesn't appear in the <em class="filename">smb.conf</em>
+file, Samba will search for a
+<tt class="literal">[homes]</tt><a name="INDEX-45"/><a name="INDEX-46"/> share in the
+configuration file. If a <tt class="literal">[homes]</tt> share exists, the
+unresolved share name is assumed to be a Unix username. If that
+username appears in the password database on the Samba server, Samba
+assumes the client is a Unix user trying to connect to her home
+directory on the server.</p>
+
+<p>For example, assume a client system is connecting to the Samba server
+<tt class="literal">toltec</tt> for the first time and tries to connect to
+a share named <tt class="literal">[alice]</tt>. There is no
+<tt class="literal">[alice]</tt> share defined in the
+<em class="filename">smb.conf</em> file, but there is a
+<tt class="literal">[homes]</tt>, so Samba searches the password database
+file and finds an <tt class="literal">alice</tt> user account is present on
+the system. Samba then checks the password provided by the client
+against user <tt class="literal">alice</tt>'s Unix
+password&mdash;either with the password database file if
+it's using nonencrypted passwords or with
+Samba's <em class="filename">smbpasswd</em> file if
+encrypted passwords are in use. If the passwords match, Samba knows
+it has guessed right: the user <tt class="literal">alice</tt> is trying to
+connect to her home directory. Samba will then create a share called
+<tt class="literal">[alice]</tt> for her, with the share's
+path set to <tt class="literal">alice</tt>'s home
+directory.</p>
+
+<p>The process of using the <tt class="literal">[homes]</tt> section to create
+users (and dealing with their passwords) is discussed in more detail
+in <a href="ch09.html">Chapter 9</a>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-2.3"/>
+
+<h3 class="head2">The [printers] Section</h3>
+
+<p>The third special section is called
+<tt class="literal">[printers]</tt><a name="INDEX-47"/><a name="INDEX-48"/> and is similar to
+<tt class="literal">[homes]</tt>. If a client attempts to connect to a
+share that isn't in the
+<em class="filename">smb.conf</em> file and its name
+can't be found in the password file, Samba will
+check to see if it is a printer share. Samba does this by reading the
+printer capabilities file (usually
+<em class="filename">/etc/printcap</em>) to see if the share name appears
+there.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> If it does, Samba creates a share named after the
+printer.</p>
+
+<p>This means that as with <tt class="literal">[homes]</tt>, you
+don't have to maintain a share for each system
+printer in the <em class="filename">smb.conf</em> file. Instead, Samba
+honors the Unix printer registry if you ask it to, and it provides
+the registered printers to the client systems. However, there is a
+potential difficulty: if you have an account named
+<tt class="literal">fred</tt> and a printer named <tt class="literal">fred</tt>,
+Samba will always find the user account first, even if the client
+really needed to connect to the printer.</p>
+
+<p>The process of setting up the <tt class="literal">[printers]</tt> share is
+discussed in more detail in <a href="ch10.html">Chapter 10</a>.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-3"/>
+
+<h2 class="head1">Configuration Options</h2>
+
+<p><a name="INDEX-49"/>Options in
+the Samba configuration files fall into one of two categories:
+<em class="firstterm">global</em> options or <em class="firstterm">share</em>
+options. Each category dictates where an option can appear in the
+configuration file.</p>
+
+<dl>
+<dt><b>Global options</b></dt>
+<dd>
+<p>Global options must appear in the <tt class="literal">[global]</tt> section
+and nowhere else. These are options that typically apply to the
+behavior of the Samba server itself and not to any of its shares.</p>
+</dd>
+
+
+
+<dt><b>Share options</b></dt>
+<dd>
+<p>Share options can appear in share definitions, the
+<tt class="literal">[global]</tt> section, or both. If they appear in the
+<tt class="literal">[global]</tt> section, they will define a default
+behavior for all shares unless a share overrides the option with a
+value of its own.</p>
+</dd>
+
+</dl>
+
+<p>In addition, configuration options can take three kinds of values.
+They are as follows:</p>
+
+<dl>
+<dt><b>Boolean</b></dt>
+<dd>
+<p>These are simply yes or no values, but can be represented by any of
+the following: <tt class="literal">yes</tt>, <tt class="literal">no</tt>,
+<tt class="literal">true</tt>, <tt class="literal">false</tt>,
+<tt class="literal">1</tt>, or <tt class="literal">0</tt>. The values are
+case-insensitive: <tt class="literal">YES</tt> is the same as
+<tt class="literal">yes</tt>.</p>
+</dd>
+
+
+
+<dt><b>Numeric</b></dt>
+<dd>
+<p>This is a decimal, hexadecimal, or octal number. The standard
+<tt class="literal">0x</tt><em class="emphasis">nn</em> syntax is used for
+hexadecimal and <tt class="literal">0</tt><em class="emphasis">nnn</em> for
+octal.</p>
+</dd>
+
+
+
+<dt><b>String</b></dt>
+<dd>
+<p>This is a string of case-sensitive characters, such as a filename or
+a username.</p>
+</dd>
+
+</dl>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-3.1"/>
+
+<h3 class="head2">Configuration File Options</h3>
+
+<p>You can instruct Samba to include or replace configuration options as
+it is processing them. The options to do this are summarized in <a href="ch06.html#samba2-CHP-6-TABLE-3">Table 6-3</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-3"/><h4 class="head4">Table 6-3. Configuration file options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">config</tt> <tt class="literal">file</tt></p>
+</td>
+<td>
+<p>string (name of file)</p>
+</td>
+<td>
+<p>Sets the location of a configuration file to use instead of the
+current one</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">include</tt></p>
+</td>
+<td>
+<p>string (name of file)</p>
+</td>
+<td>
+<p>Specifies an additional set of configuration options to be included
+in the configuration file</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">copy</tt></p>
+</td>
+<td>
+<p>string (name of share)</p>
+</td>
+<td>
+<p>Allows you to clone the configuration options of another share in the
+current share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.1"/>
+
+<h3 class="head3">config file</h3>
+
+<p>The global <tt class="literal">config</tt><a name="INDEX-50"/> <tt class="literal">file</tt>
+option specifies a replacement configuration file that will be loaded
+when the option is encountered. If the target file exists, the
+remainder of the current configuration file, as well as the options
+encountered so far, will be discarded, and Samba will configure
+itself entirely with the options in the new file. Variables can be
+used with the <tt class="literal">config</tt> <tt class="literal">file</tt>
+option, which is useful in the event that you want to use a special
+configuration file based on the NetBIOS machine name or user of the
+client that is connecting.</p>
+
+<p>For example, the following line instructs Samba to use a
+configuration file specified by the NetBIOS name of the client
+connecting, if such a file exists. If it does, options specified in
+the original configuration file are ignored:</p>
+
+<blockquote><pre class="code">[global]
+    config file = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
+
+<p>If the configuration file specified does not exist, the option is
+ignored, and Samba will continue to configure itself based on the
+current file. This allows a default configuration file to serve most
+clients, while providing for exceptions with customized configuration
+files.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.2"/>
+
+<h3 class="head3">include</h3>
+
+<p>This <a name="INDEX-51"/>option, discussed in greater detail
+earlier, copies the target file into the current configuration file
+at the point specified, as shown in <a href="ch06.html#samba2-CHP-6-FIG-1">Figure 6-1</a>.
+This option also can be used with variables. You can use this option
+as follows:</p>
+
+<blockquote><pre class="code">[global]
+    include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
+
+<p>If the configuration file specified does not exist, the option is
+ignored. Options in the include file override any option specified
+previously, but not options that are specified later. In <a href="ch06.html#samba2-CHP-6-FIG-1">Figure 6-1</a>, all three options will override their
+previous values.</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-1"/><img src="figs/sam2_0601.gif"/></div><h4 class="head4">Figure 6-1. The include option in a Samba configuration file</h4>
+
+<p>The <tt class="literal">include</tt> option does not work with the
+variables <tt class="literal">%u</tt> (user), <tt class="literal">%P</tt>
+(current share's root directory), or
+<tt class="literal">%S</tt> (current share's name) because
+they are not set at the time the <tt class="literal">include</tt> parameter
+is processed.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.3"/>
+
+<h3 class="head3">copy</h3>
+
+<p>The <tt class="literal">copy</tt><a name="INDEX-52"/> configuration option allows you to clone
+the configuration options of the share name that you specify in the
+current share. The target share must appear earlier in the
+configuration file than the share that is performing the copy. For
+example:</p>
+
+<blockquote><pre class="code">[template]
+    writable = yes
+    browsable = yes
+    valid users = andy, dave, jay
+
+[data]
+    path = /usr/local/samba
+    copy = template</pre></blockquote>
+
+<p>Note that any options in the share that invoked the
+<tt class="literal">copy</tt> directive will override those in the cloned
+share; it does not matter whether they appear before or after the
+<tt class="literal">copy</tt> directive. <a name="INDEX-53"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-4"/>
+
+<h2 class="head1">Server Configuration</h2>
+
+<p><a name="INDEX-54"/>We will now start from
+scratch and build a configuration file for our Samba server. First we
+will introduce three basic configuration options that can appear in
+the <tt class="literal">[global]</tt> section of the
+<em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[global]
+    #  Server configuration parameters
+    netbios name = toltec
+    server string = Samba %v on %L
+    workgroup = METRAN
+    encrypt passwords = yes</pre></blockquote>
+
+<p>This configuration file is pretty simple; it advertises the Samba
+server under the NetBIOS name <tt class="literal">toltec</tt>. In addition,
+it places the system in the METRAN workgroup and displays a
+description to clients that includes the Samba version number, as
+well as the NetBIOS name of the Samba server.</p>
+
+<a name="samba2-CHP-6-NOTE-130"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you used the line <tt class="literal">encrypt passwords = yes</tt> in
+your earlier configuration file, you should do so here as well.</p>
+</blockquote>
+
+<p>If you like, you can go ahead and try this configuration file. Create
+a file named <em class="filename">smb.conf</em> under the
+<em class="filename">/usr/local/samba/lib</em> directory with the text
+listed earlier. Then restart the Samba server and use a Windows
+client to verify the results. Be sure that your Windows clients are
+in the METRAN workgroup as well. After double-clicking the Network
+Neighborhood on a Windows client, you should see a window similar to
+<a href="ch06.html#samba2-CHP-6-FIG-2">Figure 6-2</a>. (In this figure,
+<tt class="literal">Mixtec</tt> is another Samba server,
+<tt class="literal">a</tt>nd <tt class="literal">Zapotec</tt> is a Windows
+client.)</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-2"/><img src="figs/sam2_0602.gif"/></div><h4 class="head4">Figure 6-2. Network Neighborhood showing Toltec, the Samba server</h4>
+
+<p>You can verify the <tt class="literal">server</tt>
+<tt class="literal">string</tt> by listing the details of the Network
+Neighborhood window (select Details in the View menu). You should see
+a window similar to <a href="ch06.html#samba2-CHP-6-FIG-3">Figure 6-3</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-3"/><img src="figs/sam2_0603.gif"/></div><h4 class="head4">Figure 6-3. Network Neighborhood details listing</h4>
+
+<p>If you were to click the <em class="filename">toltec</em> icon, a window
+should appear that shows the services that it provides. In this case,
+the window would be completely empty because there are no shares on
+the server yet.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-4.1"/>
+
+<h3 class="head2">Server Configuration Options</h3>
+
+<p><a href="ch06.html#samba2-CHP-6-TABLE-4">Table 6-4</a> summarizes the server configuration
+options introduced previously. All three of these options are global
+in scope, so they must appear in the <tt class="literal">[global]</tt>
+section of the configuration file.<a name="INDEX-55"/></p>
+
+<a name="samba2-CHP-6-TABLE-4"/><h4 class="head4">Table 6-4. Server configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">netbios</tt> <tt class="literal">name</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>NetBIOS name of the Samba server</p>
+</td>
+<td>
+<p>Server's unqualified DNS hostname</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>NetBIOS group to which the server belongs</p>
+</td>
+<td>
+<p>Defined at compile time</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">server</tt> <tt class="literal">string</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Descriptive string for the Samba server</p>
+</td>
+<td>
+<p><tt class="literal">Samba %v</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.1"/>
+
+<h3 class="head3">netbios name</h3>
+
+<p>The <tt class="literal">netbios</tt><a name="INDEX-56"/> <tt class="literal">name</tt> option
+allows you to set the NetBIOS name of the server. For example:</p>
+
+<blockquote><pre class="code">netbios name = YORKVM1</pre></blockquote>
+
+<p>The default value for this configuration option is the
+server's hostname&mdash;that is, the first part of
+its fully qualified domain name. For example, a system with the DNS
+name <tt class="literal">ruby.ora.com</tt> would be given the NetBIOS name
+<tt class="literal">RUBY</tt> by default. While you can use this option to
+restate the system's NetBIOS name in the
+configuration file (as we did previously), it is more commonly used
+to assign the Samba server a NetBIOS name other than its current DNS
+name. Remember that the name given must follow the rules for valid
+NetBIOS machine names as outlined in <a href="ch01.html">Chapter 1</a>.</p>
+
+<p>Changing the NetBIOS name of the server is not recommended unless you
+have a good reason. One such reason might be if the hostname of the
+system is not unique because the LAN is divided over two or more DNS
+domains. For example, YORKVM1 is a good NetBIOS candidate for
+<tt class="literal">vm1.york.example.com</tt> to differentiate it from
+<tt class="literal">vm1.falkirk.example.com</tt>, which has the same
+hostname but resides in a different DNS domain.</p>
+
+<p>Another use of this option is for relocating SMB services from a dead
+or retired system. For example, if <tt class="literal">SALES</tt> is the
+SMB server for the department and it suddenly dies, you could
+immediately reset <tt class="literal">netbios</tt> <tt class="literal">name</tt>
+<tt class="literal">=</tt> <tt class="literal">SALES</tt> on a backup Samba
+server that's taking over for it. Users
+won't have to change their drive mappings to a
+different server; new connections to <tt class="literal">SALES</tt> will
+simply go to the new server.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.2"/>
+
+<h3 class="head3">workgroup</h3>
+
+<p>The <tt class="literal">workgroup</tt><a name="INDEX-57"/> parameter sets the
+current workgroup (or domain) in which the Samba server will
+advertise itself. Clients that wish to access shares on the Samba
+server should be in the same NetBIOS group. Remember that workgroups
+are really just NetBIOS group names and must follow the standard
+NetBIOS naming conventions outlined in <a href="ch01.html">Chapter 1</a>.</p>
+
+<p>The default option for this parameter is set at compile time to
+<tt class="literal">WORKGROUP</tt>. Because this is the default workgroup
+name of every unconfigured Windows and Samba system, we recommend
+that you always set your workgroup name in the Samba configuration
+file. When choosing your workgroup name, try to avoid making it the
+same name as a server or user. This will avoid possible problems with
+WINS name resolution.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.3"/>
+
+<h3 class="head3">server string</h3>
+
+<p>The <tt class="literal">server</tt><a name="INDEX-58"/> <tt class="literal">string</tt>
+parameter defines a comment string that will appear next to the
+server name in both the Network Neighborhood (when shown with the
+Details view) and the comment entry of the Microsoft Windows printer
+manager.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> </p>
+
+<p>You can use variables to provide
+information in the description. For example, our entry earlier was:</p>
+
+<blockquote><pre class="code">[global]
+    server string = Samba %v on (%h)</pre></blockquote>
+
+<p>The default for this option simply presents the current version of
+Samba and is equivalent to:</p>
+
+<a name="INDEX-59"/><blockquote><pre class="code">server string = Samba %v</pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-5"/>
+
+<h2 class="head1">Disk Share Configuration</h2>
+
+<p><a name="INDEX-60"/><a name="INDEX-61"/>We mentioned in the previous section that
+there were no disk shares on the <tt class="literal">toltec</tt> server.
+Let's continue building the configuration file and
+create an empty disk share called <tt class="literal">[data]</tt>. Here are
+the additions that will do it:</p>
+
+<blockquote><pre class="code">[data]
+    path = /export/samba/data
+    comment = Data Drive
+    volume = Sample-Data-Drive
+    writable = yes</pre></blockquote>
+
+<p>The <tt class="literal">[data]</tt> share is typical for a Samba disk
+share. The share maps to the directory <em class="filename">/export/samba/data
+</em>on the Samba server. We've also provided
+a comment that describes the share as a <tt class="literal">Data</tt>
+<tt class="literal">Drive</tt>, as well as a volume name for the share
+itself.</p>
+
+<p>Samba's default is to create a read-only share. As a
+result, the <tt class="literal">writable</tt> option needs to be explicitly
+set for each disk share you wish to make writable.</p>
+
+<p>We will also need to create the
+<em class="filename">/export/samba/data</em> directory on the Samba server
+with the following commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /export/samba/data</b></tt>
+# <tt class="userinput"><b>chmod 777 /export/samba/data</b></tt></pre></blockquote>
+
+<p>Now, if we connect to the <tt class="literal">toltec</tt> server again by
+double-clicking its icon in the Windows Network Neighborhood, we will
+see a single share entitled <tt class="literal">data</tt>, as shown in
+<a href="ch06.html#samba2-CHP-6-FIG-4">Figure 6-4</a>. This share has read/write access, so
+files can be copied to or from it.</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-4"/><img src="figs/sam2_0604.gif"/></div><h4 class="head4">Figure 6-4. The initial data share on the Samba server</h4>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-5.1"/>
+
+<h3 class="head2">Disk Share Configuration Options</h3>
+
+<p>The basic Samba configuration options for disk shares previously
+introduced are listed in <a href="ch06.html#samba2-CHP-6-TABLE-5">Table 6-5</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-5"/><h4 class="head4">Table 6-5. Basic share configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">path</tt> <tt class="literal">(directory)</tt></p>
+</td>
+<td>
+<p>string (directory name)</p>
+</td>
+<td>
+<p>Sets the Unix directory that will be provided for a disk share or
+used for spooling by a printer share.</p>
+</td>
+<td>
+<p><tt class="literal">/tmp</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">comment</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Sets the comment that appears with the share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">volume</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Sets the MS-DOS volume name for the share.</p>
+</td>
+<td>
+<p>Share name</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">read only</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows read-only access to a share.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">writable</tt> <tt class="literal">(write ok or writeable)</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">no</tt>, allows read-only access to a share. If
+<tt class="literal">yes</tt>, both reading and writing are allowed.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.1"/>
+
+<h3 class="head3">path</h3>
+
+<p>This <a name="INDEX-63"/>option, which has the synonym
+<tt class="literal">directory</tt>, indicates the pathname for the root of
+the shared directory or printer. You can choose any directory on the
+Samba server, so long as the owner of the Samba process that is
+connecting has read and write access to that directory. If the path
+is for a printing share, it should point to a temporary directory
+where files can be written on the server before being spooled to the
+target printer ( <em class="filename"> /tmp</em> and
+<em class="filename">/var/spool</em> are popular choices). If this path is
+for a disk share, the contents of the folder representing the share
+name on the client will match the contents of the directory on the
+Samba server.</p>
+
+<p>The directory specified as the value for <tt class="literal">path</tt> can
+be given as a relative path, in which case it will be relative to the
+directory specified by the <tt class="literal">root</tt>
+<tt class="literal">directory</tt> parameter. Because
+<tt class="literal">root</tt> <tt class="literal">directory</tt> defaults to root
+(<em class="filename">/</em> ), it is generally a good idea to use
+absolute paths for the <tt class="literal">path</tt> parameter, unless
+<tt class="literal">root</tt> <tt class="literal">directory</tt> has been set to
+something other than the default.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.2"/>
+
+<h3 class="head3">comment</h3>
+
+<p>The <tt class="literal">comment</tt><a name="INDEX-64"/> option allows you to enter a
+comment that will be sent to the client when it attempts to browse
+the share. The user can see the comment by using the Details view on
+the share folder or with the <em class="emphasis">net view</em> command at
+an MS-DOS prompt. For example, here is how you might insert a comment
+for a share:</p>
+
+<blockquote><pre class="code">[network]
+    comment = Network Drive
+    path = /export/samba/network</pre></blockquote>
+
+<p>Be sure not to confuse the <tt class="literal">comment</tt> option, which
+documents a Samba server's shares, with the
+<tt class="literal">server</tt> <tt class="literal">string</tt> option, which
+documents the server itself.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.3"/>
+
+<h3 class="head3">volume</h3>
+
+<p>This <a name="INDEX-65"/>option allows you to specify the volume
+name of the share, which would otherwise default to the name of the
+share given in the <em class="filename">smb.conf</em> file.</p>
+
+<p>Some software installation programs check the volume name of the
+distribution CD-ROM to make sure the correct CD-ROM is in the drive
+before attempting to install from it. If you copy the contents of the
+CD-ROM into a network share and wish to install from there, you can
+use this option to make sure the installation program sees the
+correct volume name:</p>
+
+<blockquote><pre class="code">[network]
+    comment = Network Drive
+    volume = ASVP-102-RTYUIKA
+    path = /home/samba/network</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.4"/>
+
+<h3 class="head3">read only, writable</h3>
+
+<p>The options <tt class="literal">read</tt><a name="INDEX-66"/> <tt class="literal">only</tt>
+and <tt class="literal">writable</tt><a name="INDEX-67"/> (also called
+<tt class="literal">writeable</tt><a name="INDEX-68"/> or
+<tt class="literal">write</tt><a name="INDEX-69"/> <tt class="literal">ok</tt> ) are really two
+ways of saying the same thing, but they are approached from opposite
+ends. For example, you can set either of the following options in the
+<tt class="literal">[global]</tt> section or in an individual share:</p>
+
+<blockquote><pre class="code">read only = yes
+writable = no</pre></blockquote>
+
+<p>If either option is set as shown, data can be read from a share, but
+cannot be written to it. You might think you would need this option
+only if you were creating a read-only share. However, note that this
+read-only behavior is the <em class="emphasis">default</em> action for
+shares; if you want to be able to write data to a share, you must
+explicitly specify one of the following options in the configuration
+file for each share:</p>
+
+<blockquote><pre class="code">read only = no
+writable = yes</pre></blockquote>
+
+<p>If you specify more than one occurrence of either option, Samba will
+adhere to the last value it encounters for the share. <a name="INDEX-70"/><a name="INDEX-71"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-6"/>
+
+<h2 class="head1">Networking Options with Samba</h2>
+
+<p><a name="INDEX-72"/><a name="INDEX-73"/>If
+you're running <a name="INDEX-74"/><a name="INDEX-75"/>Samba on a multihomed
+system (on multiple subnets), you will need to configure Samba to use
+all the network interfaces. Another use for the options presented in
+this section is to implement better security by allowing or
+disallowing connections on the specified interfaces.</p>
+
+<p>Let's assume that our Samba server can access both
+the subnets 192.168.220.* and 134.213.233.*. Here are our additions
+to the configuration file to add the networking configuration
+options:</p>
+
+<blockquote><pre class="code">[global]
+    #  Networking configuration options
+    hosts allow = 192.168.220. 134.213.233.
+    hosts deny = 192.168.220.102
+    interfaces = 192.168.220.100/255.255.255.0 \
+                    134.213.233.110/255.255.255.0
+    bind interfaces only = yes</pre></blockquote>
+
+<p>Take a look at the <tt class="literal">hosts</tt><a name="INDEX-76"/> <tt class="literal">allow</tt>
+and <tt class="literal">hosts</tt><a name="INDEX-77"/> <tt class="literal">deny</tt> options. If these
+options sound familiar, you're probably thinking of
+the <em class="filename">hosts.allow</em> and
+<em class="filename">hosts.deny</em> files that are found in the
+<em class="filename">/etc</em> directories of many Unix systems. The
+purpose of these options is identical to those files; they provide a
+means of security by allowing or denying the connections of other
+hosts based on their IP addresses. We could use the
+<em class="filename">hosts.allow</em> and <em class="filename">hosts.deny</em>
+files, but we are using this method instead because there might be
+services on the server that we want others to access without also
+giving them access to Samba's disk or printer
+shares.</p>
+
+<p>With the <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option,
+we've specified a 192.168.220 IP address, which is
+equivalent to saying: &quot;All hosts on the 192.168.220
+subnet.&quot; However, we've explicitly
+specified in a <tt class="literal">hosts</tt> <tt class="literal">deny</tt> line
+that 192.168.220.102 is not to be allowed access.</p>
+
+<p>You might be wondering why 192.168.220.102 will be denied even though
+it is still in the subnet matched by the <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> option. It is important to understand how
+Samba sorts out the rules specified by <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> and <tt class="literal">hosts</tt> <tt class="literal">deny</tt>
+:</p>
+
+<ol><li>
+<p>If no <tt class="literal">allow</tt> or <tt class="literal">deny</tt> options are
+defined anywhere in <em class="filename">smb.conf</em>, Samba will allow
+connections from any system.</p>
+</li><li>
+<p>If <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options are defined
+in the <tt class="literal">[global]</tt> section of
+<em class="filename">smb.conf</em>, they will apply to all shares, even if
+either option is defined in one or more of the shares.</p>
+</li><li>
+<p>If only a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option is
+defined for a share, only the hosts listed will be allowed to use the
+share. All others will be denied.</p>
+</li><li>
+<p>If only a <tt class="literal">hosts</tt> <tt class="literal">deny</tt> option is
+defined for a share, any client which is not on the list will be able
+to use the share.</p>
+</li><li>
+<p>If both a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option are defined,
+a host must appear in the allow list and not appear in the deny list
+(in any form) to access the share. Otherwise, the host will not be
+allowed.</p>
+</li></ol><a name="samba2-CHP-6-NOTE-131"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Take care that you don't explicitly allow a host to
+access a share, but then deny access to the entire subnet of which
+the host is part.</p>
+</blockquote>
+
+<p>Let's look at another example of that final item.
+Consider the following options:</p>
+
+<blockquote><pre class="code">hosts allow = 111.222.
+hosts deny = 111.222.333.</pre></blockquote>
+
+<p>In this case, only the hosts that belong to the subnet 111.222.*.*
+will be allowed access to the Samba shares. However, if a client
+belongs to the 111.222.333.* subnet, it will be denied access, even
+though it still matches the qualifications outlined by
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt>. The client must
+appear on the <tt class="literal">hosts</tt> <tt class="literal">allow</tt> list
+and <em class="emphasis">must not</em> appear on the
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> list to gain access
+to a Samba share.</p>
+
+<p>The other two options that we've specified are
+<tt class="literal">interfaces</tt> and <tt class="literal">bind</tt>
+<tt class="literal">interface</tt> <tt class="literal">only</tt>.
+Let's look at the <tt class="literal">interfaces</tt>
+option first. Samba, by default, sends data only from the primary
+network interface, which in our example is the 192.168.220.100
+subnet. If we would like it to send data to more than that one
+interface, we need to specify the complete list with the
+<tt class="literal">interfaces</tt> option. In the previous example,
+we've bound Samba to interface with both subnets
+(192.168.220 and 134.213.233) on which the system is operating by
+specifying the other network interface address: 134.213.233.100. If
+you have more than one interface on your computer, you should always
+set this option, as there is no guarantee that the primary interface
+that Samba chooses will be the right one.</p>
+
+<p>Finally, the <tt class="literal">bind</tt> <tt class="literal">interfaces</tt>
+<tt class="literal">only</tt> option instructs the
+<em class="filename">nmbd</em> process not to accept any broadcast
+messages other than on the subnets specified with the
+<tt class="literal">interfaces</tt> option. This is different from the
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options, which
+prevent clients from making connections to services, but not from
+receiving broadcast messages. Using the <tt class="literal">bind</tt>
+<tt class="literal">interfaces</tt> <tt class="literal">only</tt> option is a way
+to shut out all datagrams from foreign subnets. In addition, it
+instructs the <em class="emphasis">smbd</em> process to bind to only the
+interface list given by the <em class="emphasis">interfaces</em> option.
+This restricts the networks that Samba will serve.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-6.1"/>
+
+<h3 class="head2">Networking Options</h3>
+
+<p>The networking options we introduced earlier are summarized in <a href="ch06.html#samba2-CHP-6-TABLE-6">Table 6-6</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-6"/><h4 class="head4">Table 6-6. Networking configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">hosts allow (allow</tt> <tt class="literal">hosts)</tt></p>
+</td>
+<td>
+<p>string (list of hostnames)</p>
+</td>
+<td>
+<p>Client systems that can connect to Samba.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">hosts deny (deny</tt> <tt class="literal">hosts)</tt></p>
+</td>
+<td>
+<p>string (list of hostnames)</p>
+</td>
+<td>
+<p>Client systems that cannot connect to Samba.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">interfaces</tt></p>
+</td>
+<td>
+<p>string (list of IP/netmask combinations)</p>
+</td>
+<td>
+<p>Network interfaces Samba will respond to. Allows correcting defaults.</p>
+</td>
+<td>
+<p>System-dependent</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">bind</tt></p>
+
+<p><tt class="literal">interfaces only</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, Samba will bind only to those
+interfaces specified by the <tt class="literal">interfaces</tt> option.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.1"/>
+
+<h3 class="head3">hosts allow</h3>
+
+<p>The <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option
+(sometimes written as <tt class="literal">allow</tt>
+<tt class="literal">hosts</tt>) specifies the clients that have permission
+to access shares on the Samba server, written as a comma- or
+space-separated list of hostnames of systems or their IP addresses.
+You can gain quite a bit of security by simply placing your
+LAN's subnet address in this option.</p>
+
+<p>You can specify any of the following formats for this option:</p>
+
+<ul><li>
+<p>Hostnames, such as <tt class="literal">ftp.example.com</tt> .</p>
+</li><li>
+<p>IP addresses, such as <tt class="literal">130.63.9.252</tt>.</p>
+</li><li>
+<p>Domain names, which can be differentiated from individual hostnames
+because they start with a dot. For example,
+<tt class="literal">.ora.com</tt> represents all systems within the
+<em class="emphasis">ora.com</em> domain.</p>
+</li><li>
+<p>Netgroups, which start with an at sign (<tt class="literal">@</tt>), such
+as <tt class="literal">@printerhosts</tt>. Netgroups are usually available
+only on systems running NIS or NIS+. If netgroups are supported on
+your system, there should be a <tt class="literal">netgroups</tt> manual
+page that describes them in more detail.</p>
+</li><li>
+<p>Subnets, which end with a dot. For example,
+<tt class="literal">130.63.9</tt>. means all the systems whose IP addresses
+begin with 130.63.9.</p>
+</li><li>
+<p>The keyword <tt class="literal">ALL</tt>, which allows any client access.</p>
+</li><li>
+<p>The keyword <tt class="literal">EXCEPT</tt> followed by one or more names,
+IP addresses, domain names, netgroups, or subnets. For example, you
+could specify that Samba allow all hosts except those on the
+192.168.110 subnet with <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> <tt class="literal">=</tt> <tt class="literal">ALL</tt>
+<tt class="literal">EXCEPT</tt> <tt class="literal">192.168.110</tt>. (remember
+to include the trailing dot).</p>
+</li></ul>
+<p>Using the <tt class="literal">ALL</tt> keyword by itself is almost always a
+bad idea because it means that crackers on any network can access
+your Samba server.</p>
+
+<p>The hostname <tt class="literal">localhost</tt>, for the loopback address
+127.0.0.1, is included in the <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> list by default and does not need to be
+listed explicitly unless you have specified the
+<tt class="literal">bind</tt> <tt class="literal">interfaces</tt>
+<tt class="literal">only</tt> parameter. This address is required for Samba
+to work properly.</p>
+
+<p>Other than that, there is no default value for the
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> configuration
+option. The default course of action in the event that neither the
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option is specified
+in <em class="filename">smb.conf</em> is to allow access from all sources.</p>
+
+<a name="samba2-CHP-6-NOTE-132"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you specify <tt class="literal">hosts allow</tt> in the
+<tt class="literal">[global]</tt> section, that definition will override
+any <tt class="literal">hosts allow</tt> lines in the share definitions.
+This is the opposite of the usual behavior, which is for parameters
+set in share definitions to override default values set in the
+<tt class="literal">[global]</tt> section.<a name="INDEX-78"/></p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.2"/>
+
+<h3 class="head3">hosts deny</h3>
+
+<p>The <tt class="literal">hosts</tt> <tt class="literal">deny</tt> option
+(synonymous with <tt class="literal">deny</tt> <tt class="literal">hosts</tt>)
+specifies client systems that do not have permission to access a
+share, written as a comma- or space-separated list of hostnames or
+their IP addresses. Use the same format for specifying clients as the
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option earlier. For
+example, to restrict access to the server from everywhere but
+<tt class="literal">example.com</tt>, you could write:</p>
+
+<blockquote><pre class="code">hosts deny = ALL EXCEPT .example.com</pre></blockquote>
+
+<p>There is no default value for the <tt class="literal">hosts</tt>
+<tt class="literal">deny</tt> configuration option, although the default
+course of action in the event that neither option is specified is to
+allow access from all sources. Also, if you specify this option in
+the <tt class="literal">[global]</tt> section of the configuration file, it
+will override any <tt class="literal">hosts</tt> <tt class="literal">deny</tt>
+options defined in shares. If you wish to deny access to specific
+shares, omit both the <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> and <tt class="literal">hosts</tt>
+<tt class="literal">deny</tt> options from the <tt class="literal">[global]</tt>
+section of the configuration file.</p>
+
+<a name="samba2-CHP-6-NOTE-133"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>Never include the loopback address (<tt class="literal">localhost</tt> at
+IP address 127.0.0.1) in the <tt class="literal">hosts deny</tt> list. The
+<em class="filename">smbpasswd</em> program needs to connect through the
+loopback address to the Samba server as a client to change a
+user's encrypted password. If the loopback address
+is disabled, the locally generated packets requesting the change of
+the encrypted password will be discarded by Samba.</p>
+
+
+<p>In addition, both local browsing propagation and some functions of
+SWAT require access to the Samba server through the loopback address
+and will not work correctly if this address is disabled.
+<a name="INDEX-79"/></p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.3"/>
+
+<h3 class="head3">interfaces</h3>
+
+<p>The <tt class="literal">interfaces</tt><a name="INDEX-80"/> option specifies the
+networks that you want the Samba server to recognize and respond to.
+This option is handy if you have a computer that resides on more than
+one network subnet. If this option is not set, Samba searches for the
+primary network interface of the server (typically the first Ethernet
+card) upon startup and configures itself to operate on only that
+subnet. If the server is configured for more than one subnet and you
+do not specify this option, Samba will only work on the first subnet
+it encounters. You must use this option to force Samba to serve the
+other subnets on your network.</p>
+
+<p>The value of this option is one or more sets of IP address/netmask
+pairs, as in the following:</p>
+
+<blockquote><pre class="code">interfaces = 192.168.220.100/255.255.255.0 192.168.210.30/255.255.255.0</pre></blockquote>
+
+<p>You can optionally specify a
+<a name="INDEX-81"/><a name="INDEX-82"/>CIDR format bitmask, like this:</p>
+
+<blockquote><pre class="code">interfaces = 192.168.220.100/24 192.168.210.30/24</pre></blockquote>
+
+<p>The number after the slash specifies the number of bits that will be
+set in the netmask. For example, the number 24 means that the first
+24 (of 32) bits will be set in the bitmask, which is the same as
+specifying 255.255.255.0 as the netmask. Likewise, 16 would be
+equivalent to a netmask of 255.255.0.0, and 8 would be the same as a
+netmask of 255.0.0.0.</p>
+<a name="samba2-CHP-6-NOTE-135"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>This option might not work correctly if you are using DHCP.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.4"/>
+
+<h3 class="head3">bind interfaces only</h3>
+
+<p>The <tt class="literal">bind</tt><a name="INDEX-83"/>
+<tt class="literal">interfaces</tt> <tt class="literal">only</tt> option can be
+used to force the <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em> processes to respond only to those
+addresses specified by the <tt class="literal">interfaces</tt> option. The
+<em class="emphasis">nmbd</em> process normally binds to the all-addresses
+interface (0.0.0.0.) on ports 137 and 138, allowing it to receive
+broadcasts from anywhere. However, you can override this behavior
+with the following:</p>
+
+<blockquote><pre class="code">bind interfaces only = yes</pre></blockquote>
+
+<p>This will cause Samba to ignore any packets (including broadcast
+packets) whose source address does not correspond to any of the
+network interfaces specified by the <tt class="literal">interfaces</tt>
+option. You should avoid using this option if you want to allow
+temporary network connections, such as those created through SLIP or
+PPP. It's very rare that this option is needed, and
+it should be used only by experts.</p>
+
+<a name="samba2-CHP-6-NOTE-136"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you set <tt class="literal">bind interfaces only</tt> to <tt class="literal">yes</tt>
+, add the <a name="INDEX-84"/><a name="INDEX-85"/><a name="INDEX-86"/>local host
+address (127.0.01) to the
+&quot;interfaces&quot; list. Otherwise,
+<em class="emphasis">smbpasswd</em> will be unable to connect to the
+server using its default mode in order to change a password, local
+browse list propagation will fail, and some functions of swat will
+not work properly. <a name="INDEX-87"/><a name="INDEX-88"/></p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-7"/>
+
+<h2 class="head1">Virtual Servers</h2>
+
+<p><a name="INDEX-89"/>Virtual
+servers can be used to create the illusion of having multiple servers
+on the network, when in reality there is only one. The technique is
+simple to implement: a system simply registers more than one NetBIOS
+name in association with its IP address. There are tangible benefits
+to doing this.</p>
+
+<p>For example, the accounting department might have an
+<tt class="literal">accounting</tt> server, and clients of it would see
+just the accounting disks and printers. The marketing department
+could have its own server, <tt class="literal">marketing</tt>, with its own
+reports, and so on. However, all the services would be provided by
+one medium-size Unix server (and one relaxed administrator) instead
+of having one small server per department.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-7.1"/>
+
+<h3 class="head2">Virtual Server Configuration Options</h3>
+
+<p><a name="INDEX-90"/><a name="INDEX-91"/>Samba will allow a server to use more
+than one NetBIOS name with the <tt class="literal">netbios</tt>
+<tt class="literal">aliases</tt> option. See <a href="ch06.html#samba2-CHP-6-TABLE-7">Table 6-7</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-7"/><h4 class="head4">Table 6-7. Virtual server configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">netbios</tt> <tt class="literal">aliases</tt></p>
+</td>
+<td>
+<p>string (list of NetBIOS names)</p>
+</td>
+<td>
+<p>Additional NetBIOS names to respond to, for use with multiple
+&quot;virtual&quot; Samba servers</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-7.1.1"/>
+
+<h3 class="head3">netbios aliases</h3>
+
+<p>The <tt class="literal">netbios</tt><a name="INDEX-92"/>
+<tt class="literal">aliases</tt> option can be used to give the Samba
+server more than one NetBIOS name. Each NetBIOS name listed as a
+value will be displayed in the Network Neighborhood of Windows
+clients. When a connection is requested to any of the servers, it
+will connect to the same Samba server.</p>
+
+<p>This might come in handy, for example, if you're
+transferring three departments' data to a single
+Unix server with larger and faster disks and are retiring or
+reallocating the old Windows NT/2000 servers. If the three servers
+are called <tt class="literal">sales</tt>, <tt class="literal">accounting</tt>,
+and <tt class="literal">admin</tt>, you can have Samba represent all three
+servers with the following options:</p>
+
+<blockquote><pre class="code">[global]
+    netbios aliases = sales accounting admin
+    include = /usr/local/samba/lib/smb.conf.%L</pre></blockquote>
+
+<p>See <a href="ch06.html#samba2-CHP-6-FIG-5">Figure 6-5</a> for what the Network Neighborhood
+would display from a client. When a client attempts to connect to
+Samba, it will specify the name of the server to which
+it's trying to connect, which is made available in
+the configuration file through the <tt class="literal">%L</tt> variable. If
+the requested server is <tt class="literal">sales</tt>, Samba will include
+the file <em class="filename">/usr/local/samba/lib/smb.conf.sales</em>.
+This file might contain global and share declarations exclusively for
+the sales team, such as the following:</p>
+
+<blockquote><pre class="code">[global]
+    workgroup = SALES
+    hosts allow = 192.168.10.255
+
+[sales2003]
+    path = /usr/local/samba/sales/sales2003/
+...</pre></blockquote>
+
+<p>This particular example would set the workgroup to SALES as well and
+set the IP address to allow connections only from the SALES subnet
+(192.168.10). In addition, it would offer shares specific to the
+sales department.</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-5"/><img src="figs/sam2_0605.gif"/></div><h4 class="head4">Figure 6-5. Using NetBIOS aliases for a Samba server</h4>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-8"/>
+
+<h2 class="head1">Logging Configuration Options</h2>
+
+<p><a name="INDEX-93"/><a name="INDEX-94"/>Occasionally,
+we need to find out what Samba is up to. This is especially true when
+Samba is performing an unexpected action or is not performing at all.
+To find out this information, we need to check
+Samba's log files to see exactly why it did what it
+did.</p>
+
+<p>Samba <a name="INDEX-95"/>log files
+can be as brief or verbose as you like. Here is an example of what a
+Samba log file looks like:</p>
+
+<blockquote><pre class="code">[2002/07/21 13:23:25, 3] smbd/service.c:close_cnum(514)
+  maya (172.16.1.6) closed connection to service IPC$
+[2002/07/21 13:23:25, 3] smbd/connection.c:yield_connection(40)
+  Yielding connection to IPC$
+[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
+  Transaction 923 of length 49
+[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
+  switch message SMBread (pid 467)
+[2002/07/21 13:23:25, 3] lib/doscalls.c:dos_ChDir(336)
+  dos_ChDir to /home/samba
+[2002/07/21 13:23:25, 3] smbd/reply.c:reply_read(2199)
+  read fnum=4207 num=2820 nread=2820
+[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
+  Transaction 924 of length 55
+[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
+  switch message SMBreadbraw (pid 467)
+[2002/07/21 13:23:25, 3] smbd/reply.c:reply_readbraw(2053)
+  readbraw fnum=4207 start=130820 max=1276 min=0 nread=1276
+[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
+  Transaction 925 of length 55
+[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
+  switch message SMBreadbraw (pid 467)</pre></blockquote>
+
+<p>Much of this information is of use only to Samba programmers.
+However, we will go over the meaning of some of these entries in more
+detail in <a href="ch12.html">Chapter 12</a>.</p>
+
+<p>Samba contains six options that allow users to describe how and where
+logging information should be written. Each of these are global
+options and cannot appear inside a share definition. Here is an
+example of some logging options that we are adding to our
+configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    log level = 2
+    log file = /var/log/samba.log.%m
+    max log size = 50
+    debug timestamp = yes</pre></blockquote>
+
+<p>Here, we've added a custom log file that reports
+information up to debug level 2. This is a relatively light debugging
+level. The logging level ranges from 1 to 10, where level 1 provides
+only a small amount of information and level 10 provides a plethora
+of low-level information. Levels 2 or 3 will provide us with useful
+debugging information without wasting disk space on our server. In
+practice, you should avoid using log levels greater than 3 unless you
+are working on the Samba source code.</p>
+
+<p>The logging file is located in the <em class="filename">/var/log</em>
+directory thanks to the <tt class="literal">log</tt>
+<tt class="literal">file</tt> configuration option. However, we can use
+variable substitution to create log files specifically for individual
+users or clients, such as with the <tt class="literal">%m</tt> variable in
+the following line:</p>
+
+<blockquote><pre class="code">log file = /usr/local/logs/samba.log.%m</pre></blockquote>
+
+<p>Isolating the log messages can be invaluable in tracking down a
+network error if you know the problem is coming from a specific
+client system or user.</p>
+
+<p>We've added a precaution to the log files: no one
+log file can exceed 50 KB in size, as specified by the
+<tt class="literal">max</tt> <tt class="literal">log</tt> <tt class="literal">size</tt>
+option. If a log file exceeds this size, the contents are moved to a
+file with the same name but with the suffix <em class="emphasis">.old</em>
+appended. If the <em class="emphasis">.old</em> file already exists, it is
+overwritten and its contents are lost. The original file is cleared,
+waiting to receive new logging information. This prevents the hard
+drive from being overwhelmed with Samba log files during the life of
+the Samba daemons.</p>
+
+<p>We have decided to write the timestamps of the messages in the logs
+with the <tt class="literal">debug</tt> <tt class="literal">timestamp</tt>
+option, which is the default behavior. This will place a timestamp in
+each message written to the logging file. If we were not interested
+in this information, we could specify <tt class="literal">no</tt> for this
+option instead.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-8.1"/>
+
+<h3 class="head2">Using syslog</h3>
+
+<p>If you wish to use the system logger
+(<a name="INDEX-96"/>syslog<em class="filename">
+</em>) in addition to or in place of the standard Samba logging
+file, Samba provides options for this as well. However, to use
+syslog, the first thing you will have to do is make sure that Samba
+was built with the <tt class="literal">configure</tt>
+<tt class="literal">--with-syslog</tt> option. See <a href="ch02.html">Chapter 2</a> for more information on configuring and
+compiling Samba. See <a href="appe.html">Appendix E</a> for more
+information about the <tt class="literal">--with-syslog</tt> option.</p>
+
+<p>Once that is done, you will need to configure your
+<em class="filename">/etc/syslog.conf</em><a name="INDEX-97"/> to accept logging information from Samba.
+If there is not already a <tt class="literal">daemon.*</tt> entry in the
+<em class="filename">/etc/syslog.conf</em> file, add the following:</p>
+
+<blockquote><pre class="code">daemon.*        /var/log/daemon.log</pre></blockquote>
+
+<p>This specifies that any logging information from system daemons will
+be stored in the <em class="filename">/var/log/daemon.log</em> file. This
+is where the Samba information will be stored as well. From there,
+you can set a value for the <tt class="literal">syslog</tt> parameter in
+your Samba configuration file to specify which logging messages are
+to be sent to syslog. Only messages that have debug levels lower than
+the value of the <tt class="literal">syslog</tt> parameter will be sent to
+syslog. For example, setting the following:</p>
+
+<blockquote><pre class="code">syslog = 3</pre></blockquote>
+
+<p>specifies that any logging messages with a level of 2 or below will
+be sent to both syslog and the Samba logging files. (The mappings to
+<em class="filename">syslog</em> priorities are described in the upcoming
+section &quot;syslog.&quot;) To continue the
+example, let's assume that we have set the
+<tt class="literal">log</tt> <tt class="literal">level</tt> option to 4. Logging
+messages with levels of 2 and 1 will be sent to both syslog and the
+Samba logging files, and messages with a level of 3 or 4 will be sent
+to the Samba logging files, but not to syslog. If the
+<tt class="literal">syslog</tt> value exceeds the <tt class="literal">log</tt>
+<tt class="literal">level</tt> value, nothing will be sent to syslog.</p>
+
+<p>If you want to specify that messages be sent only to syslog&mdash;and
+not to the standard Samba logging files&mdash;you can place this
+option in the configuration file:</p>
+
+<blockquote><pre class="code">syslog only = yes</pre></blockquote>
+
+<p>If this is the case, any logging information above the number
+specified in the <tt class="literal">syslog</tt> option will be discarded,
+as with the <tt class="literal">log</tt> <tt class="literal">level</tt> option.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-8.2"/>
+
+<h3 class="head2">Logging Configuration Options</h3>
+
+<p><a href="ch06.html#samba2-CHP-6-TABLE-8">Table 6-8</a> lists each logging configuration option
+that Samba can use.</p>
+
+<a name="samba2-CHP-6-TABLE-8"/><h4 class="head4">Table 6-8. Logging configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">log file</tt></p>
+</td>
+<td>
+<p>string (name of file)</p>
+</td>
+<td>
+<p>Name of the log file that Samba is to use. Works with all variables.</p>
+</td>
+<td>
+<p>Specified in Samba makefile</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">log level</tt></p>
+
+<p><tt class="literal">(debug level)</tt></p>
+</td>
+<td>
+<p>numeric (0-10)</p>
+</td>
+<td>
+<p>Amount of log/debug messages that are sent to the log file. 0 is
+none; 3 is considerable.</p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max log size</tt></p>
+</td>
+<td>
+<p>numeric (size in KB)</p>
+</td>
+<td>
+<p>Maximum size of log file.</p>
+</td>
+<td>
+<p><tt class="literal">5000</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">debug timestamp</tt> <tt class="literal">(timestamp logs)</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">no</tt>, doesn't timestamp logs,
+making them easier to read during heavy debugging.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">syslog</tt></p>
+</td>
+<td>
+<p>numeric (0-10)</p>
+</td>
+<td>
+<p>Level of messages sent to <em class="emphasis">syslog</em>. Those levels
+below <tt class="literal">syslog</tt> <tt class="literal">level</tt> will be sent
+to the system logger.</p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">syslog only</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, uses <em class="emphasis">syslog</em> entirely
+and sends no output to the Samba log files.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.1"/>
+
+<h3 class="head3">log file</h3>
+
+<p>By default, Samba writes log information to text files in the
+<em class="filename">/usr/local/samba/var</em> directory. The
+<tt class="literal">log</tt><a name="INDEX-98"/> <tt class="literal">file</tt> option can be
+used to set the name of the log file to another location. For
+example, to put the Samba log information in
+<em class="filename">/usr/local/logs/samba.log</em>, you could use the
+following:</p>
+
+<blockquote><pre class="code">[global]
+    log file = /usr/local/logs/samba.log</pre></blockquote>
+
+<p>You can use variable substitution to create log files specifically
+for individual users or clients.</p>
+
+<p>You can override the default log file location using the
+<em class="emphasis">-l</em> command-line switch when either daemon is
+started. However, this does not override the <tt class="literal">log</tt>
+<tt class="literal">file</tt> option. If you do specify this parameter,
+initial logging information will be sent to the file specified after
+<em class="emphasis">-l</em> (or the default specified in the Samba
+makefile) until the daemons have processed the
+<em class="filename">smb.conf</em> file and know to redirect it to a new
+log file.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.2"/>
+
+<h3 class="head3">log level</h3>
+
+<p>The <tt class="literal">log</tt><a name="INDEX-99"/> <tt class="literal">level</tt> option
+sets the amount of data to be logged. Normally this is set to 0 or 1.
+However, if you have a specific problem, you might want to set it at
+3, which provides the most useful debugging information you would
+need to track down a problem. Levels above 3 provide information
+that's primarily for the developers to use for
+chasing internal bugs, and it slows down the server considerably.
+Therefore, we recommend that for normal day-to-day operation, you
+avoid setting this option to anything above 3.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.3"/>
+
+<h3 class="head3">max log size</h3>
+
+<p>The <tt class="literal">max</tt><a name="INDEX-100"/> <tt class="literal">log</tt>
+<tt class="literal">size</tt> option sets the maximum size, in kilobytes,
+of the debugging log file that Samba keeps. When the log file exceeds
+this size, the current log file is renamed to add a
+<em class="filename">.old</em> extension (erasing any previous file with
+that name) and a new debugging log file is started with the original
+name. For example:</p>
+
+<blockquote><pre class="code">[global]
+    log file = /usr/local/logs/samba.log.%m
+    max log size = 1000</pre></blockquote>
+
+<p>Here, if the size of any log file exceeds 1MB, Samba renames the log
+file <em class="emphasis">samba.log</em>.
+<em class="replaceable">machine-name</em><em class="emphasis">.old</em>,
+and a new log file is generated. If there is already a file with the
+<em class="emphasis">.old</em> extension, Samba deletes it. We highly
+recommend setting this option in your configuration files because
+debug logging (even at lower levels) can quietly eat away at your
+available disk space. Using this option protects unwary
+administrators from suddenly discovering that most of the space on a
+disk or partition has been swallowed up by a single Samba log file.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.4"/>
+
+<h3 class="head3">debug timestamp or timestamp logs</h3>
+
+<p>If you happen to be debugging a network problem and you find that the
+timestamp information within the Samba log lines gets in the way, you
+can turn it off by giving either the
+<tt class="literal">timestamp</tt><a name="INDEX-101"/> <tt class="literal">logs</tt> or the
+synonymous <tt class="literal">debug</tt><a name="INDEX-102"/>
+<tt class="literal">timestamp</tt> option a value of <tt class="literal">no</tt>.
+For example, a regular Samba log file presents its output in the
+following form:</p>
+
+<blockquote><pre class="code">12/31/01 12:03:34 toltec (172.16.1.1) connect to server network as user jay</pre></blockquote>
+
+<p>With a <tt class="literal">no</tt> value for this option, the output would
+appear without the timestamp:</p>
+
+<blockquote><pre class="code">toltec (172.16.1.1) connect to server network as user jay</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.5"/>
+
+<h3 class="head3">syslog</h3>
+
+<p>The <tt class="literal">syslog</tt><a name="INDEX-103"/> option causes Samba log
+messages to be sent to the Unix system logger. The type of log
+information to be sent is specified as a numeric value. Like the
+<tt class="literal">log</tt> <tt class="literal">level</tt> option, it can be a
+number from 0 to 10. Logging information with a level less than the
+number specified will be sent to the system logger. Debug logs
+greater than or equal to the <tt class="literal">syslog</tt> level, but
+less than log level, will still be sent to the standard Samba log
+files. For example:</p>
+
+<blockquote><pre class="code">[global]
+    log level = 3
+    syslog = 1</pre></blockquote>
+
+<p>With this, all logging information with a level of 0 would be sent to
+the standard Samba logs and the system logger, while information with
+levels 1, 2, and 3 would be sent only to the standard Samba logs.
+Levels above 3 are not logged at all. All messages sent to the system
+logger are mapped to a priority level that the syslogd daemon
+understands, as shown in <a href="ch06.html#samba2-CHP-6-TABLE-9">Table 6-9</a>. The default
+level is 1.</p>
+
+<a name="samba2-CHP-6-TABLE-9"/><h4 class="head4">Table 6-9. syslog priority conversion</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Log level</p>
+</th>
+<th>
+<p>syslog priority</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>0</p>
+</td>
+<td>
+<p><tt class="literal">LOG_ERR</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>1</p>
+</td>
+<td>
+<p><tt class="literal">LOG_WARNING</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>2</p>
+</td>
+<td>
+<p><tt class="literal">LOG_NOTICE</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>3</p>
+</td>
+<td>
+<p><tt class="literal">LOG_INFO</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>4 and above</p>
+</td>
+<td>
+<p><tt class="literal">LOG_DEBUG</tt></p>
+</td>
+</tr>
+
+</table>
+
+<p>If you wish to use <em class="emphasis">syslog</em>, you will have to run
+<tt class="literal">configure</tt> <tt class="literal">--with-syslog</tt> when
+compiling Samba, and you will need to configure your
+<em class="filename">/etc/syslog.conf</em> to suit. (See <a href="ch06.html#samba2-CHP-6-SECT-8.1">Section 6.8.1</a>, earlier in this chapter.)</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.6"/>
+
+<h3 class="head3">syslog only</h3>
+
+<p>The <tt class="literal">syslog</tt><a name="INDEX-104"/> <tt class="literal">only</tt> option
+tells Samba not to use its own logging files at all and to use only
+the system logger. To enable this, specify the following option in
+the global section of the Samba configuration file:</p>
+
+<a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><blockquote><pre class="code">[global]
+    syslog only = yes</pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> Depending on your system, this file might not
+be <em class="emphasis">/etc/printcap</em>. You can use the
+<em class="emphasis">testparm</em> command that comes with Samba to dump
+the parameter definitions and determine the value of the
+<tt class="literal">printcap</tt> <tt class="literal">name</tt> configuration
+option. The value assigned to it is the default value chosen when
+Samba was configured and compiled, which should be correct.</p>
+<a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> We are referring here to the window that
+opens when a printer icon in the Printers control panel is
+double-clicked.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch07.html b/docs/htmldocs/using_samba/ch07.html
new file mode 100644
index 0000000000..a6dc8d94b0
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch07.html
@@ -0,0 +1,2139 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 7. Name Resolution and Browsing</h1>
+
+
+
+
+<p><a name="INDEX-1"/><em class="firstterm">Name
+resolution</em> is critical to Samba's
+operation because names are used to find the servers that share files
+or printers. <em class="firstterm">Browsing</em> takes the task of
+finding servers to a new level of sophistication by allowing a user
+to delve down into a hierarchy of networks, domains, hosts, and
+services offered by each server.</p>
+
+<p>While name resolution and
+<a name="INDEX-2"/>browsing are not
+difficult to configure, some complexity is introduced by the variety
+of available name-resolution systems. Historically, Unix and other
+TCP/IP users have moved from a flat hosts file to the Domain Name
+System, with the Network Information System being another popular
+choice. Meanwhile, Microsoft has moved from a broadcasting system to
+a simple, LAN-only name server called WINS and ultimately to DNS.</p>
+
+<p>The reason for going over that history is that all previous systems
+of name resolution are still in use today! Finding a host is so
+crucial to networking that sites want robust (if limited)
+name-resolution systems to fall back on in case the main system
+fails. Browsing is also complicated by the frequent need to show
+hosts in other subnets. This chapter shows you how to configure your
+network to handle name resolution and browsing any way you want.</p>
+
+<p>Some of the differences between Unix and Microsoft networking
+implementations are the result of fundamental design goals. Unix
+networking was originally designed largely to implement a relatively
+formal group of systems that were assumed to be small in number,
+well-maintained, and highly available, that have static IP addresses,
+and that wouldn't physically move around from place
+to place. Bringing a new server online was a labor-intensive task,
+but it did not have to be performed frequently. In contrast, Windows
+networking was originally developed as a peer-to-peer collection of
+small personal computers on a single subnet, having no centrally or
+hierarchically organized structure.</p>
+
+<p>SMB networking is dynamic. Computers are allowed to leave the network
+at any time, sometimes without warning, and also to join or rejoin
+the network at any time. Furthermore, any user in a Windows network
+can add a new shared resource to the network or remove a resource
+that he had previously added. The change in the
+network's configuration is handled automatically by
+the rest of the network without requiring a system administrator to
+take any action.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-7-SECT-1"/>
+
+<h2 class="head1">Name Resolution</h2>
+
+<p>TCP/IP networks identify systems by IP addresses and always associate
+these addresses with more human-readable text names. In
+Microsoft's earliest networking implementations (for
+MS-DOS and Windows for Workgroups), the translation of names to
+network addresses was carried out in a manner that was very simple,
+yet very inefficient. When a system on the network needed an IP
+address corresponding to a name, it broadcasted the name to every
+other system on the network and waited for the system that owned the
+name to respond with its IP address.</p>
+
+<p>The main problem with performing <a name="INDEX-3"/>name resolution using broadcast
+packets is poor performance of the network as a whole, including CPU
+time consumed by each host on the network, which has to accept every
+broadcast packet and decide whether to respond to it. Also, broadcast
+packets usually aren't forwarded by routers,
+limiting name resolution to the local subnet.
+Microsoft's solution was to add WINS (Windows
+Internet Name Service) support to Windows NT so that the computers on
+the network can perform a direct query of the WINS server instead of
+using broadcast packets.</p>
+
+<p>Modern Windows clients use a variety of methods for translating
+hostnames into IP addresses. The exact method varies depending on the
+version of Windows the client is running, how the client is
+configured (i.e., whether DNS server and/or WINS server IP addresses
+are provided), and whether the application software is accessing the
+network through Microsoft's Winsock or TCP/IP API.
+In general, Windows uses some combination of the following
+methods:<a name="INDEX-4"/></p>
+
+<ul><li>
+<p>Looking up the name in its cache of recently resolved names</p>
+</li><li>
+<p>Querying DNS servers</p>
+</li><li>
+<p>Using the DNS <em class="filename">Hosts</em> file</p>
+</li><li>
+<p>Querying WINS servers</p>
+</li><li>
+<p>Using the WINS <em class="filename">LMHOSTS</em> file</p>
+</li><li>
+<p>Performing broadcast name resolution</p>
+</li></ul>
+<p>The first method is pretty much self-explanatory. A hostname is
+checked against a cache of hostnames that have been recently resolved
+to IP addresses. This helps to save time and network bandwidth for
+resolving names that are used frequently.</p>
+
+<p>When a Windows system is configured with the IP address of at least
+one <a name="INDEX-5"/>DNS server, it can use DNS to
+resolve fully qualified domain names, such as those for sites on the
+Internet. The DNS servers can be either Windows NT/2000 or Unix
+systems. You can learn more about DNS and DNS server configuration in
+the O'Reilly book <em class="citetitle">DNS and
+BIND</em>.</p>
+
+<p>In this chapter, we focus mainly on name resolution using WINS, which
+is supported by Samba with the <em class="emphasis">nmbd</em> daemon.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.1"/>
+
+<h3 class="head2">WINS Clients and Server Interaction</h3>
+
+<p>There are two types of interaction between a
+<a name="INDEX-6"/>WINS client and a server: the
+client keeps its own NetBIOS name<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> registered with the server and
+queries the server to get the IP address corresponding to the NetBIOS
+name of another system.</p>
+
+<p>When a WINS client joins the network, it registers its NetBIOS name
+with the WINS server, which stores it along with the
+client's IP address in the WINS database. This entry
+is marked <em class="firstterm">active</em>. The client is then expected
+to renew the registration of its name periodically (typically, every
+four days) to inform the server that it is still using the name. This
+period is called the <em class="firstterm">time to live</em>, or TTL.
+When the client leaves the network by being shut down gracefully, it
+informs the server, and the server marks the
+client's entry in its database as
+<em class="firstterm">released</em>.</p>
+
+<p>When a client leaves the network without telling the WINS server to
+release its name, the server waits until after it fails to receive
+the expected registration renewal from the client and then marks the
+entry as released.</p>
+
+<p>In either case, the released name is available for use by other
+clients joining the network. It might persist in the released state
+in the WINS database, and if it is not reregistered, the entry will
+eventually be deleted.</p>
+
+<p>More information on WINS can be found in the Microsoft white paper
+<em class="citetitle">Windows Internet Naming Service (WINS) Architecture and
+Capacity Planning</em><a name="INDEX-7"/>. It can be downloaded from the
+Microsoft web site at <a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.2"/>
+
+<h3 class="head2">The lmhosts File</h3>
+
+<p>In <a href="ch03.html">Chapter 3</a> we showed you how to configure
+Windows systems to use the
+<em class="filename">LMHOSTS</em><a name="INDEX-8"/>
+file as an alternative to the WINS server for name resolution. Samba
+also can use an <em class="filename">LMHOSTS</em> file, which by default
+is <em class="filename">/usr/local/samba/lib/lmhosts</em>.
+Samba's <em class="filename">lmhosts</em> is the same
+format as the Windows version. A simple <em class="filename">lmhosts</em>
+file might look like this:</p>
+
+<blockquote><pre class="code">172.16.1.1    toltec
+172.16.1.6    maya</pre></blockquote>
+
+<p>The names on the right side of the entries are NetBIOS names, so you
+can assign resource types to them and add additional entries for
+computers:</p>
+
+<blockquote><pre class="code">172.16.1.1    toltec#20
+172.16.1.1    metran#1b
+172.16.1.6    maya#20</pre></blockquote>
+
+<p>Here, we've made <tt class="literal">toltec</tt> the
+primary domain controller of the <tt class="literal">METRAN</tt> domain on
+the second line. This line starts with
+<tt class="literal">toltec</tt>'s IP address, followed by
+the name metran and the resource type &lt;1B&gt;. The other lines are
+entries for <tt class="literal">toltec</tt> and <tt class="literal">maya</tt> as
+standard workstations.</p>
+
+<p>If you wish to place an <em class="emphasis">lmhosts</em> file somewhere
+other than the default location, you will need to notify the
+<em class="emphasis">nmbd</em> process upon startup using the
+<em class="emphasis">-H</em> option, followed by the name of your
+<em class="filename">lmhosts</em> file, as follows:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>nmbd -H /etc/samba/lmhosts -D</b></tt></pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.3"/>
+
+<h3 class="head2">Configuring Name Resolution for the Samba Suite</h3>
+
+<p>Various daemons and tools in the Samba suite need to perform
+<a name="INDEX-9"/>name resolution. You can define the
+order in which the programs try each name-resolution method through
+the <tt class="literal">name</tt><a name="INDEX-10"/><a name="INDEX-11"/>
+<tt class="literal">resolve</tt> <tt class="literal">order</tt> parameter, like
+this:</p>
+
+<blockquote><pre class="code">[global]
+    name resolve order = wins lmhosts hosts bcast</pre></blockquote>
+
+<p>The string used to define the parameter can take up to four values:</p>
+
+<dl>
+<dt><b>lmhosts</b></dt>
+<dd>
+<p>Uses the Samba server's local
+<em class="filename">lmhosts</em> file</p>
+</dd>
+
+
+
+<dt><b>hosts</b></dt>
+<dd>
+<p>Uses the standard Unix name-resolution methods, which can be
+<em class="emphasis">/etc/hosts</em>, DNS, NIS, or a combination,
+depending on how the local system is configured</p>
+</dd>
+
+
+
+<dt><b>wins</b></dt>
+<dd>
+<p>Uses the WINS server</p>
+</dd>
+
+
+
+<dt><b>bcast</b></dt>
+<dd>
+<p>Uses the broadcast method</p>
+</dd>
+
+</dl>
+
+<p>The order in which they are specified is the order in which name
+resolution will be attempted. In our example, Samba will attempt to
+use its WINS server first for name resolution, followed by the
+<em class="emphasis">lmhosts</em> file on the local system. Next, the
+<tt class="literal">hosts</tt> value tells it to use Unix name-resolution
+methods. The word <tt class="literal">hosts</tt> can be misleading; it
+covers not only the <em class="filename">/etc/hosts</em> file, but also
+the use of DNS or NIS (as configured on the Unix host). Finally, if
+those three do not work, it will perform a broadcast name resolution.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.4"/>
+
+<h3 class="head2">Setting Up Samba as a WINS Server</h3>
+
+<p>You can set up Samba as a <a name="INDEX-12"/>WINS server by setting the
+<tt class="literal">wins</tt><a name="INDEX-13"/> <tt class="literal">support</tt>
+parameter in the configuration file, like this:</p>
+
+<blockquote><pre class="code">[global]
+    wins support = yes</pre></blockquote>
+
+<p>Believe it or not, that's all you need to do! The
+<tt class="literal">wins</tt> <tt class="literal">support</tt> option turns Samba
+into a WINS server. For most installations, Samba's
+default configuration is sufficient.</p>
+<a name="samba2-CHP-7-NOTE-137"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Remember, Samba cannot communicate with Windows WINS servers. If you
+are using Samba as your WINS server, you must make sure not to allow
+any Windows systems or other Samba servers on your network to be
+configured as WINS servers. If you do, their WINS databases will not
+synchronize, resulting in inconsistent name resolution.</p>
+</blockquote>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.4.1"/>
+
+<h3 class="head3">Configuring a DNS proxy</h3>
+
+<p>A Samba <a name="INDEX-14"/><a name="INDEX-15"/>WINS server can check with the
+system's DNS server if a requested host cannot be
+found in its WINS database. With a typical Linux system, for example,
+you can find the IP address of the DNS server by searching the
+<em class="filename">/etc/resolv.conf</em><a name="INDEX-16"/><a name="INDEX-17"/> file. In it, you might see an entry such
+as the following:</p>
+
+<blockquote><pre class="code">nameserver 127.0.0.1
+nameserver 172.16.1.192</pre></blockquote>
+
+<p>This tells us that the Linux system is configured to use a DNS server
+located at 172.16.1.192. (The 127.0.0.1 is the
+<tt class="literal">localhost</tt> address and is never a valid DNS server
+address.)</p>
+
+<p>Now it is a simple matter of using the
+<tt class="literal">dns</tt><a name="INDEX-18"/> <tt class="literal">proxy</tt> option to tell
+Samba to use the DNS server:</p>
+
+<blockquote><pre class="code">[global]
+    dns proxy = yes</pre></blockquote>
+
+<a name="samba2-CHP-7-NOTE-138"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Although this allows Windows clients to resolve fully qualified
+Internet domain names through the Samba WINS server, it will work
+only for domain names that fit within the 15-character limitation of
+NetBIOS names. For this reason, we recommend you use <tt class="literal">dns
+proxy</tt> only to act as a supplement to your WINS server,
+rather than as a replacement for a DNS server.</p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.5"/>
+
+<h3 class="head2">Setting Up Samba to Use Another WINS Server</h3>
+
+<p>You can configure Samba to use a <a name="INDEX-19"/>WINS server somewhere else on the
+network by simply providing it with the IP address of the WINS
+server. This is done with the global
+<tt class="literal">wins</tt><a name="INDEX-20"/> <tt class="literal">server</tt>
+configuration option, as shown here:</p>
+
+<blockquote><pre class="code">[global]
+    wins server = 172.16.1.1</pre></blockquote>
+
+<p>With this option enabled, Samba will direct all WINS requests to the
+server located at 172.16.1.1. Note that because the request is
+directed at a single machine, we don't have to worry
+about any of the problems inherent in broadcasting. However, Samba
+will not necessarily use the WINS server before other forms of name
+resolution. The order in which Samba attempts various name-resolution
+techniques is given with the <tt class="literal">name</tt>
+<tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
+option, which we discussed earlier.</p>
+
+<p>The <tt class="literal">wins</tt> <tt class="literal">support</tt> and the
+<tt class="literal">wins</tt> <tt class="literal">server</tt> parameters are
+mutually exclusive; you cannot simultaneously offer Samba as the WINS
+server and use another system as the server! Typically, one Samba
+server is set up as the WINS server using <tt class="literal">wins</tt>
+<tt class="literal">support</tt>, and all other Samba servers are
+configured with the <tt class="literal">wins</tt> <tt class="literal">server</tt>
+parameter pointing to the Samba WINS server.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.5.1"/>
+
+<h3 class="head3">Configuring a WINS proxy</h3>
+
+<p><a name="INDEX-21"/>If you have a Samba server on a
+subnet that doesn't have a WINS server, and the
+Samba server has been configured with a WINS server on another
+subnet, you can tell the Samba server to forward any name-resolution
+requests with the <tt class="literal">wins</tt><a name="INDEX-22"/>
+<tt class="literal">proxy</tt> option:</p>
+
+<blockquote><pre class="code">[global]
+    wins server = 172.16.200.12
+    wins proxy = yes</pre></blockquote>
+
+<p>Use this only in situations where the WINS server resides on another
+subnet. Otherwise, the broadcast will reach the WINS server
+regardless of any proxying.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.6"/>
+
+<h3 class="head2">Name-Resolution Configuration Options</h3>
+
+<p><a name="INDEX-23"/>Samba's <a name="INDEX-24"/>name-resolution options
+are shown in <a href="ch07.html#samba2-CHP-7-TABLE-1">Table 7-1</a>.</p>
+
+<a name="samba2-CHP-7-TABLE-1"/><h4 class="head4">Table 7-1. Name-resolution options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">wins support</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, allows Samba to act as a WINS server</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">wins server</tt></p>
+</td>
+<td>
+<p>string (IP address or DNS name)</p>
+</td>
+<td>
+<p>Identifies a WINS server for Samba to use for name registration and
+resolution</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">wins proxy</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>Allows Samba to act as a proxy to a WINS server on another subnet</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">wins hook</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Command to run when the WINS database changes</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dns proxy</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, allows a Samba WINS server to
+search DNS if it cannot find a name in WINS</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">name resolve</tt> <tt class="literal">order</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>The order of methods used to resolve NetBIOS names</p>
+</td>
+<td>
+<p><tt class="literal">lmhosts</tt> <tt class="literal">hosts wins bcast</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max ttl</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum TTL in seconds for a requested NetBIOS name</p>
+</td>
+<td>
+<p><tt class="literal">259200</tt> ( 3 days)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max wins ttl</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum TTL in seconds for NetBIOS names given out by Samba as a WINS
+server</p>
+</td>
+<td>
+<p><tt class="literal">518400</tt> (6 days)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">min wins ttl</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Minimum TTL in seconds for NetBIOS names given out by Samba as a WINS
+server</p>
+</td>
+<td>
+<p><tt class="literal">21600</tt> (6 hours)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.1"/>
+
+<a name="INDEX-25"/><h3 class="head3">wins support</h3>
+
+<p>Samba will provide WINS name service to all machines in the network
+if you set the following in the <tt class="literal">[global]</tt> section
+of the <em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[global]
+    wins support = yes</pre></blockquote>
+
+<p>The default value is <tt class="literal">no</tt>, which is typically used
+to allow a Windows NT/2000 server or another Samba server to be the
+WINS server. If you enable this option, remember that a Samba WINS
+server currently cannot exchange data with other WINS servers, so do
+not allow any other WINS servers on the network. When set to
+<tt class="literal">yes</tt>, this option is mutually exclusive with the
+<tt class="literal">wins</tt> <tt class="literal">server</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.2"/>
+
+<a name="INDEX-26"/><h3 class="head3">wins server</h3>
+
+<p>Samba will use an existing WINS server on the network if you specify
+the <tt class="literal">wins</tt> <tt class="literal">server</tt> global option
+in your configuration file. The value of this option is either the IP
+address or DNS name (not NetBIOS name) of the WINS server. For
+example:</p>
+
+<blockquote><pre class="code">[global]
+    wins server = 172.16.220.110</pre></blockquote>
+
+<p>or:</p>
+
+<blockquote><pre class="code">[global]
+    wins server = wins.metran.cx</pre></blockquote>
+
+<p>For this option to work, the <tt class="literal">wins</tt>
+<tt class="literal">support</tt> option must be set to
+<tt class="literal">no</tt> (the default). Otherwise, Samba will report an
+error. You can specify only one WINS server using this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.3"/>
+
+<a name="INDEX-27"/><h3 class="head3">wins proxy</h3>
+
+<p>This option allows Samba to act as a proxy to another WINS server,
+and thus relay name registration and resolution requests from itself
+to the real WINS server, often outside the current subnet. The WINS
+server can be indicated through the <tt class="literal">wins</tt>
+<tt class="literal">server</tt> option. The proxy will then return the WINS
+response back to the client. You can enable this option by specifying
+the following in the <tt class="literal">[global]</tt> section:</p>
+
+<blockquote><pre class="code">[global]
+    wins proxy = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.4"/>
+
+<a name="INDEX-28"/><h3 class="head3">wins hook</h3>
+
+<p>This option allows you to run a script or other program whenever the
+WINS database is modified. One application might be to set up another
+Samba server to act as a backup for another Samba WINS server. This
+is done by having the <tt class="literal">wins</tt> <tt class="literal">hook</tt>
+script call <em class="emphasis">rsync</em> to synchronize the WINS
+databases (<em class="filename">/usr/local/samba/var/locks/wins.dat</em>)
+on the two systems whenever an entry is added or deleted. The script
+would be specified in the Samba configuration file like this:</p>
+
+<blockquote><pre class="code">[global]
+    wins hook = /usr/local/bin/sync_wins</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.5"/>
+
+<a name="INDEX-29"/><h3 class="head3">dns proxy</h3>
+
+<p>If you want the DNS to be used if a NetBIOS name
+isn't found in WINS, you can set the following
+option:</p>
+
+<blockquote><pre class="code">[global]
+    dns proxy = yes</pre></blockquote>
+
+<p>This will permit <em class="filename">nmbd</em> to query the
+server's standard DNS. You might wish to deactivate
+this option if you do not have a permanent connection to your DNS
+server. This option should not be used in place of a DNS server on
+your network; it is intended for resolving NetBIOS names rather than
+fully qualified Internet domain names.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.6"/>
+
+<h3 class="head3">name resolve order</h3>
+
+<p>The global <tt class="literal">name</tt><a name="INDEX-30"/>
+<tt class="literal">resolve</tt> <tt class="literal">order</tt> option specifies
+the order of services that Samba will use in performing name
+resolution. The default order is to use the
+<em class="emphasis">lmhosts</em> file, followed by standard Unix
+name-resolution methods (some combination of
+<em class="filename">/etc/hosts</em>, DNS, and NIS), then to query a WINS
+server, and finally to use broadcasting to determine the address of a
+NetBIOS name. You can override this option by specifying something
+like the following:</p>
+
+<blockquote><pre class="code">[global]
+    name resolve order = lmhosts wins hosts bcast</pre></blockquote>
+
+<p>This causes resolution to use the <em class="emphasis">lmhosts</em> file
+first, followed by a query to a WINS server, the
+<em class="filename">/etc/hosts</em> file, and finally broadcasting. You
+need not use all four options. This option is covered in more detail
+in <a href="ch07.html#samba2-CHP-7-SECT-1.4">Section 7.1.4</a>,
+earlier in this chapter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.7"/>
+
+<a name="INDEX-31"/><h3 class="head3">max ttl</h3>
+
+<p>This option is used when Samba is not acting as a WINS server but is
+using another system on the network for its WINS server. It sets the
+maximum T T L for NetBIOS names registered by the Samba server with
+the WINS server. You should never need to alter this value.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.8"/>
+
+<a name="INDEX-32"/><h3 class="head3">max wins ttl</h3>
+
+<p>This option is used when Samba is providing WINS name service, and it
+sets the maximum T T L for NetBIOS names registered with Samba. You
+should never need to change this value from its default.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.9"/>
+
+<a name="INDEX-33"/><h3 class="head3">min wins ttl</h3>
+
+<p>This option is used when Samba is providing WINS name service, and it
+sets the minimum T T L for NetBIOS names registered with Samba. You
+should never need to alter this value from its default. <a name="INDEX-34"/> <a name="INDEX-35"/> <a name="INDEX-36"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-7-SECT-2"/>
+
+<h2 class="head1">Browsing</h2>
+
+<p><a name="INDEX-37"/>Browsing
+was developed by Microsoft to help users find shared resources on the
+network. In a networked computing environment where users can add or
+remove shares at any time, it is important to have some automatic
+means of keeping track of the shared resources and allowing users to
+&quot;browse&quot; through them to find the
+ones they wish to use.</p>
+
+<p>Before browsing was added to SMB networking, when anyone added a new
+share, the people with whom they wished to share the data or printer
+would have to be informed of the share's UNC, using
+some relatively low-tech method such as speaking to them in person or
+over the phone, or sending email. Already, this was very inconvenient
+in large organizations. To further complicate matters, the users
+working on client computers had to type in the
+share's UNC to connect to it. The only way to get
+around typing in the share's UNC every time it was
+used was to map a network drive to it, and with a large number of
+shares on the network, this could easily get out of hand.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.1"/>
+
+<h3 class="head2">Browsing in a Windows Network</h3>
+
+<p><a name="INDEX-38"/>To keep things simple, we will
+first describe network browsing in a network that contains only
+Windows systems and then show you how to add a Samba server.</p>
+
+<p>The basic way browsing works is that one computer in the network
+takes on the role of the <em class="firstterm">master
+browser</em><a name="INDEX-39"/> (also
+called <em class="firstterm">local master
+browser</em><a name="INDEX-40"/>,<em class="firstterm"> browse
+master</em><a name="INDEX-41"/>, or
+<em class="firstterm">browse server</em><a name="INDEX-42"/>) and
+keeps a list of all the computers on the local subnet that are acting
+as SMB servers. The list of computers is called the <em class="firstterm">browse
+list</em><a name="INDEX-43"/> and includes all Samba servers, Windows
+NT/2000/XP systems, and any Windows 95/98/Me systems that have the
+&quot;File and printer sharing for Microsoft
+Networks&quot; networking component installed. The browse
+list also contains the names of all workgroups and domains. At this
+level, browsing is limited to the local subnet because the browsing
+protocol depends on broadcast packets, which are typically not
+forwarded to other subnets by routers.</p>
+
+<p>A user at any Windows system can view the browse list by opening up
+the Network Neighborhood (or My Network Places), as we showed you in
+<a href="ch01.html">Chapter 1</a>. Or, the <em class="emphasis">net
+view</em><a name="INDEX-44"/> command can be used from a Windows
+command prompt:</p>
+
+<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net view</b></tt>
+Server Name            Remark
+
+-------------------------------------------------------------------------------
+\\MAYA                 Windows 98
+\\MIXTEC               Samba 2.2.5
+\\OLMEC                Windows XP Pro on Pentium/ASUS
+\\TOLTEC               Samba 2.2.5
+\\YAQUI                Windows 95 on mixtec/VMware
+\\ZAPOTEC
+The command completed successfully.</pre></blockquote>
+
+<p>Then, <em class="emphasis">net view</em> can be used with a computer name
+as an argument to contact a server directly and list the resources it
+is sharing:</p>
+
+<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net view \\maya</b></tt>
+Shared resources at \\maya
+
+Windows 98
+
+Share name   Type         Used as  Comment
+
+-------------------------------------------------------------------------------
+D            Disk
+E            Disk
+HP           Print
+The command completed successfully.</pre></blockquote>
+
+<p>The computers on the network involved in browsing are more than just
+the master browser and its clients. There are also backup browsers,
+which maintain copies of the browse list and respond to client
+requests for it. Backup browsers are therefore able to take over the
+role of master browser seamlessly in case it fails. The master
+browser usually doesn't serve the browse list
+directly to clients. Instead, its job is mainly to keep the master
+copy of the browse list up-to-date, and also periodically update the
+backup browsers. Clients are expected to get their copies of the
+browse list from backup browsers, selecting among them randomly to
+help to distribute the load on the backup browsers more evenly.
+Ideally, the interaction between any client and the master browser is
+limited to the client announcing when it joins or leaves the network
+(if it is a server) and requesting a list of backup browsers.</p>
+
+<p>There can be more than one <a name="INDEX-45"/>backup browser. A workgroup will have a
+backup browser if two or more computers are running Windows 95/98/Me
+or Windows NT Workstation (or another nonserver version of Windows
+NT/2000/XP) on the subnet. For every 32 additional computers, another
+backup browser is added.</p>
+
+<p>In a Windows NT domain, the <a name="INDEX-46"/>primary domain controller is
+always the local master browser, and if it fails, another Windows
+NT/2000 server (if one exists) will take over the role of local
+master browser. Other versions of Windows can function as backup
+browsers, but will never become a master browser if a Windows NT/2000
+server is available.</p>
+
+<p>In addition to acting as the local master browser, the primary domain
+controller also acts as the <em class="firstterm">domain master
+browser</em><a name="INDEX-47"/>, which ties subnets together and allows
+browse lists to be shared between master and backup browsers on
+separate subnets. This is how browsing is extended to function beyond
+the local subnet. Each subnet functions as a separate browsing
+entity, and the domain master browser synchronizes the master
+browsers of each subnet. In a Windows-only network, browsing cannot
+function across subnets unless a Windows NT/2000 PDC exists on the
+network. Samba can act as a domain master browser and can perform
+that task even in a workgroup network, which means that the Windows
+PDC is not required for this task. (It is also possible to use the
+<tt class="literal">remote</tt> <tt class="literal">browse</tt>
+<tt class="literal">sync</tt> parameter to configure a Samba server to
+synchronize its browse list with a Samba server on another subnet. In
+this case, each server must be acting as the local master browser of
+its subnet.)</p>
+
+<p>Unless it is configured never to act as a browser, each computer on
+the subnet is considered a <em class="firstterm">potential browser</em>
+and can be ordered by the browse master to become a backup browser,
+or it can identify itself as a backup browser and accept the role on
+its own.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.2"/>
+
+<h3 class="head2">Browser Elections</h3>
+
+<p><a name="INDEX-48"/>When no master browser is running on
+the subnet, potential browsers choose a new master browser among
+themselves in a process called an <em class="firstterm">election</em>. An
+election is started by a computer in the subnet when it discovers
+that no master browser is currently running. If a master browser is
+shut down gracefully, it will broadcast an election request datagram,
+initiating an election by the remaining computers. If the master
+browser fails, the election can be started by a client computer that
+requests a list of backup browsers from the master browser or by a
+backup browser that requests to have its browse list updated from the
+master browser. In each case, the system fails to receive a reply
+from the master browser and initiates the election.</p>
+
+<p>Browser elections are decided in multiple rounds of self-elimination.
+During each round, potential browsers broadcast election request
+datagrams containing their qualifications to notify other potential
+browsers that an election is happening and that if the recipient is
+more qualified, it should also broadcast a bid. When a potential
+browser receives an election request datagram from a more qualified
+opponent, it drops out, disqualifying itself from becoming the master
+browser. Otherwise, it responds with its own election request
+datagram. After a few rounds, only one potential browser is left in
+the election. After an additional four rounds of sending out an
+election request datagram and receiving no response, it becomes the
+master browser and sends a broadcast datagram announcing itself as
+the local master browser for the subnet. It then assigns runners-up
+in the election as backup browsers, as needed.</p>
+
+<p>A potential browser's qualifications include the
+following:</p>
+
+<ul><li>
+<p>Whether it has recently lost an election</p>
+</li><li>
+<p>The version of the election protocol it is running</p>
+</li><li>
+<p>Its election criteria</p>
+</li><li>
+<p>The amount of time the system has been up</p>
+</li><li>
+<p>The computer's NetBIOS name</p>
+</li></ul>
+<p>If the potential browser has lost an election recently, it
+immediately disqualifies itself. The version of the election protocol
+it is running is checked, but so far, all Windows systems (and Samba)
+use the same election protocol, so the check is not very meaningful.
+The election criteria are usually what determine which computer
+becomes the local master browser. There are two parts to the election
+criteria, shown in Tables <a href="ch07.html#samba2-CHP-7-TABLE-2">Table 7-2</a> and <a href="ch07.html#samba2-CHP-7-TABLE-3">Table 7-3</a>.</p>
+
+<a name="samba2-CHP-7-TABLE-2"/><h4 class="head4">Table 7-2. Operating-system values in an election</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Operating system</p>
+</th>
+<th>
+<p>Value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Windows NT/2000 Server, running as PDC</p>
+</td>
+<td>
+<p>32</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT/2000/XP, if not the PDC</p>
+</td>
+<td>
+<p>16</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95/98/Me</p>
+</td>
+<td>
+<p>1</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows for Workgroups</p>
+</td>
+<td>
+<p>1</p>
+</td>
+</tr>
+
+</table>
+
+<a name="samba2-CHP-7-TABLE-3"/><h4 class="head4">Table 7-3. Computer-role settings in an election</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Role</p>
+</th>
+<th>
+<p>Value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Domain master browser</p>
+</td>
+<td>
+<p>128</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>WINS client</p>
+</td>
+<td>
+<p>32</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Preferred master</p>
+</td>
+<td>
+<p>8</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Running master</p>
+</td>
+<td>
+<p>4</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Recent backup browser</p>
+</td>
+<td>
+<p>2</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Backup browser</p>
+</td>
+<td>
+<p>1</p>
+</td>
+</tr>
+
+</table>
+
+<p>The operating-system type is compared first, and the system with the
+highest value wins. The values have been chosen to cause the primary
+domain controller, if there is one, to become the local master
+browser. Otherwise, a Windows NT/2000/XP system will win over a
+Windows for Workgroups or Windows 95/98/Me system.</p>
+
+<p>When an operating-system type comparison results in a tie, the role
+of the computer is compared. A computer can have more than one of the
+values in <a href="ch07.html#samba2-CHP-7-TABLE-3">Table 7-3</a>, in which case the values are
+added.</p>
+
+<p>A domain master browser has a role value of 128 to weight the
+election so heavily in its favor that it will also become the local
+master browser on its own subnet. Although the primary domain
+controller (which is always the domain master browser) will win the
+election based solely on its operating system value, sometimes there
+is no primary domain controller on the network, and the domain master
+browser would not otherwise be distinguished from other potential
+browsers.</p>
+
+<p>Systems that are using a WINS server for name resolution are weighted
+heavily over ones that use broadcast name resolution with a role
+value of 32.</p>
+
+<p>A <em class="firstterm">preferred master</em> is a computer that has been
+selected and configured manually by a system administrator to be
+favored as the choice master browser. When a preferred master starts
+up, it forces a browser election, even if an existing master browser
+is still active. A preferred master has a role value of 8, and the
+existing master browser gets a value of 4.</p>
+
+<p>A backup browser that has recently been a master browser and still
+has an up-to-date browse list is given a role value of 2, and a
+potential browser that has been running as a backup browser gets a
+value of 1.</p>
+
+<p>If comparing the operating-system type and role results in a tie, the
+computer that has been running the longest wins. In the unlikely
+event that the two have been up for the same amount of time, the
+computer that wins is the one with the NetBIOS name that sorts first
+alphabetically.</p>
+
+<p>You can tell if a machine is a local master browser by using the
+Windows <em class="emphasis">nbtstat</em><a name="INDEX-49"/> command. Place the NetBIOS name of the
+machine you wish to check after the <em class="emphasis">-a</em> option:</p>
+
+<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>nbtstat -a toltec</b></tt>
+
+Local Area Connection:
+Node IpAddress: [172.16.1.4] Scope Id: []
+
+           NetBIOS Remote Machine Name Table
+
+       Name               Type         Status
+    ---------------------------------------------
+    TOLTEC         &lt;00&gt;  UNIQUE      Registered
+    TOLTEC         &lt;03&gt;  UNIQUE      Registered
+    TOLTEC         &lt;20&gt;  UNIQUE      Registered
+    ..__MSBROWSE__.&lt;01&gt;  GROUP       Registered
+    METRAN         &lt;00&gt;  GROUP       Registered
+    METRAN         &lt;1B&gt;  UNIQUE      Registered
+    METRAN         &lt;1C&gt;  GROUP       Registered
+    METRAN         &lt;1D&gt;  UNIQUE      Registered
+    METRAN         &lt;1E&gt;  GROUP       Registered
+
+    MAC Address = 00-00-00-00-00-00</pre></blockquote>
+
+<p>The resource entry that you're looking for is
+<tt class="literal">.._ _MSBROWSE_ _.&lt;01&gt;</tt><a name="INDEX-50"/>. This indicates
+that the server is currently acting as the local master browser for
+the current subnet. If the machine is a Samba server, you can check
+the Samba <em class="filename">nmbd</em> log file for an entry such as:</p>
+
+<blockquote><pre class="code">nmbd/nmbd_become_lmb.c:become_local_master_stage2(406)
+*****
+Samba name server TOLTEC is now a local master browser for
+workgroup METRAN on subnet 172.16.1.0</pre></blockquote>
+
+<p>Or, you can use the
+<em class="emphasis">nmblookup</em><a name="INDEX-51"/> command with the
+<em class="emphasis">-M</em> option and the workgroup or domain name on
+any Samba server to find the IP address of the local master:</p>
+
+<a name="INDEX-52"/><blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -M metran</b></tt>
+querying metran on 172.16.1.255
+172.16.1.1 metran&lt;1d&gt;</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.3"/>
+
+<h3 class="head2">Server Announcements</h3>
+
+<p><a name="INDEX-53"/>After
+the master browser election is decided, each server on the network
+announces itself to the network to allow the master and backup
+browsers to build their browse lists. At first, the server
+announcements happen every minute, but the interval is gradually
+stretched out to every 12 minutes. When a server is shut down
+gracefully, it sends an announcement that it is going offline to
+allow the master and backup browsers to remove it from the browse
+list. However, when a server goes offline by crashing or by some
+other failure, the master browser notices its disappearance only
+because it stops receiving server announcements. The master browser
+waits for three of the server's announcement periods
+before deciding that it is offline, which can take up to 36 minutes.
+Because backup browsers have their browse lists updated from the
+master browser once every 15 minutes, it can take up to 51 minutes
+for clients to be informed of a failed server.</p>
+
+<p>For more detailed information on Microsoft's
+browsing protocols, consult the Microsoft documents
+<em class="citetitle">Browsing and Windows 95
+Networking</em><a name="INDEX-54"/> and
+<em class="citetitle">CIFS/E Browser Protocol</em>. You can find these by
+searching for the titles on the Microsoft web site at <a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p>
+
+<p>More information on configuring Samba for browsing can be found in
+<em class="filename">BROWSING.txt</em><a name="INDEX-55"/> and
+<em class="filename">BROWSING-Config.txt</em> in the Samba
+distribution's <em class="filename">docs/textdocs</em>
+directory. <a name="INDEX-56"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.4"/>
+
+<h3 class="head2">Configuring Samba for Browsing</h3>
+
+<p><a name="INDEX-57"/><a name="INDEX-58"/><a name="INDEX-59"/>Samba has full support for browsing
+and can participate as a master browser, a backup browser, a domain
+master browser, a potential browser, or just a server that
+doesn't participate in browsing elections. If you
+want to make sure your Samba server never becomes a master or backup
+browser, simply set:</p>
+
+<a name="INDEX-60"/><blockquote><pre class="code">[global]
+    local master = no</pre></blockquote>
+
+<p>Usually, you will want Samba to be available as a local master or at
+least a backup browser. In the simplest case, you
+don't need to do anything because
+Samba's default is to participate in browsing
+elections with its operating system value set to 20, which will beat
+any Windows system less than a Windows NT/2000 primary domain
+controller (see <a href="ch07.html#samba2-CHP-7-TABLE-2">Table 7-2</a>). The operating-system
+value Samba reports for itself in browser elections can be set using
+the <tt class="literal">os</tt><a name="INDEX-61"/> <tt class="literal">level</tt>
+parameter:</p>
+
+<blockquote><pre class="code">[global]
+    os level = 33</pre></blockquote>
+
+<p>The preceding value will allow Samba to beat even a Windows 2000
+Advanced Server acting as a primary domain controller. As we show in
+the following section, though, forcing Samba to win this way is not
+recommended.</p>
+
+<p>If you want to allow a Windows XP Professional system to be the
+master browser, you would need to set Samba lower:</p>
+
+<blockquote><pre class="code">[global]
+    os level = 8</pre></blockquote>
+
+<p>The maximum value for <tt class="literal">os</tt> <tt class="literal">level</tt>
+is 255 because it is handled as an 8-bit unsigned integer. Supposing
+we wanted to make absolutely sure our Samba server will be the local
+master browser at all times, we might say:</p>
+
+<blockquote><pre class="code">[global]
+    local master = yes
+    os level = 255
+    preferred master = yes</pre></blockquote>
+
+<p>The addition of the
+<tt class="literal">preferred</tt><a name="INDEX-62"/>
+<tt class="literal">master</tt> parameter causes Samba to start a browser
+election as soon as it starts up, and the <tt class="literal">os</tt>
+<tt class="literal">level</tt> of 255 allows it to beat any other system on
+the network. This includes other Samba servers, assuming they are
+configured properly! If another server is using a similar
+configuration file (with <tt class="literal">os</tt>
+<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">255</tt>
+and <tt class="literal">preferred</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt>), the two will fight each
+other for the master browser role, winning elections based on minor
+criteria, such as uptime or their current role. To avoid this, other
+Samba servers should be set with a lower <tt class="literal">os</tt>
+<tt class="literal">level</tt> and not configured to be the preferred
+master.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.5"/>
+
+<h3 class="head2">Samba as the Domain Master Browser</h3>
+
+<p><a name="INDEX-63"/>Previously we mentioned that for a Windows
+workgroup or domain to extend into multiple subnets, one system would
+have to take the role of the domain master browser. The domain master
+browser propagates browse lists across each subnet in the workgroup.
+This works because each local master browser periodically
+synchronizes its browse list with the domain master browser. During
+this synchronization, the local master browser passes on the name of
+any server that the domain master browser does not have in its browse
+list, and vice versa. Each local master browser eventually holds the
+browse list for the entire domain.</p>
+
+<p>There is no election to determine which machine assumes the role of
+the domain master browser. Instead, the administrator has to set it
+manually. By Microsoft design, however, the domain master browser and
+the PDC both register a resource type of &lt;1B&gt;, so the
+roles&mdash;and the machines&mdash;are inseparable.</p>
+
+<p>If you have a Windows NT server on the network acting as a PDC, we
+recommend that you do not try to use Samba to become the domain
+master browser. The reverse is true as well: if Samba is taking on
+the responsibilities of a PDC, we recommend making it the domain
+master browser as well. Although it is possible to split the roles
+with Samba, this is not a good idea. Using two different machines to
+serve as the PDC and the domain master browser can cause random
+errors to occur in a Windows workgroup.</p>
+
+<p>Samba can assume the role of a domain master browser for all subnets
+in the workgroup with the following options:</p>
+
+<blockquote><pre class="code">[global]
+    domain master = yes
+    preferred master = yes
+    local master = yes
+    os level = 255</pre></blockquote>
+
+<p>The final three parameters ensure that the server is also the local
+master browser, which is vital for it to work properly as the domain
+master browser. You can verify that a Samba machine is in fact the
+<a name="INDEX-64"/>domain master browser by checking the
+<em class="emphasis">nmbd</em><a name="INDEX-65"/><a name="INDEX-66"/> log file:</p>
+
+<blockquote><pre class="code">nmbd/nmbd_become_dmb.c:become_domain_master_stage2(118)
+*****
+Samba name server TOLTEC is now a domain master browser for
+workgroup METRAN on subnet 172.16.1.0</pre></blockquote>
+
+<p>Or you can use the
+<em class="emphasis">nmblookup</em><a name="INDEX-67"/> command that comes with the Samba
+distribution to query for a unique &lt;1B&gt; resource type in the
+workgroup:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>nmblookup METRAN#1B</b></tt>
+Sending queries to 172.16.1.255
+172.16.1.1 METRAN&lt;1b&gt;</pre></blockquote>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.5.1"/>
+
+<h3 class="head3">Multiple subnets</h3>
+
+<p><a name="INDEX-68"/>You must
+remember three rules when creating a
+<a name="INDEX-69"/>workgroup/domain
+that spans more than one subnet:</p>
+
+<ul><li>
+<p>You must have either a Windows NT/2000 or Samba server acting as a
+local master browser on each subnet in the workgroup/domain.</p>
+</li><li>
+<p>You must have a Windows NT/2000 Server edition or a Samba server
+acting as a domain master browser somewhere in the workgroup/domain.</p>
+</li><li>
+<p>A WINS server should be on the network, with each system on the
+network configured to use it for name resolution.</p>
+</li></ul>
+<p>Samba has some additional features you can use if you
+don't have or want a domain master browser on your
+network and still need to have <a name="INDEX-70"/>cross-subnet browsing. Consider the
+subnets shown in <a href="ch07.html#samba2-CHP-7-FIG-1">Figure 7-1</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-7-FIG-1"/><a name="INDEX-71"/><a name="INDEX-72"/><img src="figs/sam2_0701.gif"/></div><h4 class="head4">Figure 7-1. Multiple subnets with Samba servers</h4>
+
+<p>First, a Samba server that is a local master browser can use the
+<tt class="literal">remote</tt><a name="INDEX-73"/> <tt class="literal">announce</tt>
+configuration option to make sure that computers in different subnets
+are sent broadcast announcements about the server. This has the
+effect of ensuring that the Samba server appears in the browse lists
+of foreign subnets. To achieve this, however, the directed broadcasts
+must reach the local master browser on the other subnet. Be aware
+that many routers do not allow directed broadcasts by default; you
+might have to change this setting on the router for the directed
+broadcasts to get through to its subnet.</p>
+
+<p>With the <tt class="literal">remote</tt> <tt class="literal">announce</tt>
+option, list the subnets and the workgroup that should receive the
+broadcast. For example, to ensure that machines in the 172.16.2 and
+172.16.3 subnets and the METRAN workgroup are sent broadcast
+information from our Samba server, we could specify the following:</p>
+
+<blockquote><pre class="code">[global]
+    remote announce = 172.16.2.255/METRAN \
+        172.16.3.255/METRAN</pre></blockquote>
+
+<p>Instead of supplying a broadcast address of the remote subnet, you
+are allowed to specify the exact address where broadcasts should be
+sent if the local master browser on the foreign subnet is guaranteed
+to always have the same IP address.</p>
+
+<p>A Samba local master browser can synchronize its browse list directly
+with one or more Samba servers, each acting as a local master browser
+on a different subnet. This is another way to implement browsing
+across subnets. For example, let's assume that Samba
+is configured as a local master browser, and Samba local master
+browsers exist at 172.16.2.130 and 172.16.3.120. We can use the
+<tt class="literal">remote</tt> <tt class="literal">browse</tt>
+<tt class="literal">sync</tt> option to sync directly with the Samba
+servers, as follows:</p>
+
+<blockquote><pre class="code">[global]
+    remote browse sync = 172.16.2.130 172.16.3.120</pre></blockquote>
+
+<p>For this to work, the other Samba machines must also be local master
+browsers. You can also use directed broadcasts with this option if
+you do not know specific IP addresses of local master browsers.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.6"/>
+
+<h3 class="head2">Making a Share Invisible</h3>
+
+<p><a name="INDEX-74"/><a name="INDEX-75"/><a name="INDEX-76"/>You can keep a share from being in the
+browse list by using the
+<tt class="literal">browsable</tt><a name="INDEX-77"/> option. This Boolean option
+prevents a share from being seen in the Network Neighborhood or My
+Network Places. For example, to prevent the <tt class="literal">[data]</tt>
+share from being visible, we could write:</p>
+
+<blockquote><pre class="code">[data]
+    path = /export/samba/userdata
+    browsable = no</pre></blockquote>
+
+<p>Although you typically don't want to do this to an
+ordinary disk share, the <tt class="literal">browsable</tt> option is
+useful in the event that you need to create a share with contents
+that you do not want others to see, such as a
+<tt class="literal">[netlogon]</tt><a name="INDEX-78"/> share for storing logon scripts
+for Windows domain control (see <a href="ch04.html">Chapter 4</a> for more
+information on logon scripts).</p>
+
+<p>Another example is the
+<tt class="literal">[homes]</tt><a name="INDEX-79"/> share. This share is often marked
+nonbrowsable so that a share named <tt class="literal">[homes]</tt>
+won't appear when its machine's
+resources are browsed. However, if a user <tt class="literal">alice</tt>
+logs on and looks at the machine's shares, an
+<tt class="literal">[alice]</tt> share will appear under the machine.</p>
+
+<p>What if we wanted to make sure
+<tt class="literal">alice</tt>'s share appeared to
+everyone before she logs on? This could be done with the global
+<tt class="literal">auto</tt><a name="INDEX-80"/> <tt class="literal">services</tt>
+option. This option preloads shares into the browse list to ensure
+that they are always visible:</p>
+
+<blockquote><pre class="code">[global]
+    auto services = alice</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.7"/>
+
+<h3 class="head2">Browsing Options</h3>
+
+<p><a href="ch07.html#samba2-CHP-7-TABLE-4">Table 7-4</a> <a name="INDEX-81"/><a name="INDEX-82"/>shows
+options that define how Samba handles browsing tasks.</p>
+
+<a name="samba2-CHP-7-TABLE-4"/><h4 class="head4">Table 7-4. Browsing configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">announce as</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Operating system that Samba will announce itself as.</p>
+</td>
+<td>
+<p><tt class="literal">N T Server</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">announce</tt> <tt class="literal">version</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Version of the operating system that Samba will announce itself as.</p>
+</td>
+<td>
+<p><tt class="literal">4.5</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">browsable</tt> <tt class="literal">(browseable)</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Allows share to be displayed in list of machine resources.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">browse list</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to provide a browse list on
+this server.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">auto services</tt> <tt class="literal">(preload)</tt></p>
+</td>
+<td>
+<p>string (share list)</p>
+</td>
+<td>
+<p>List of shares that will always appear in the browse list.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">default</tt> <tt class="literal">service (default)</tt></p>
+</td>
+<td>
+<p>string (share name)</p>
+</td>
+<td>
+<p>Name of a share (service) that will be provided if the client
+requests a share not listed in <em class="emphasis">smb.conf</em>.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">local master</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to participate in browsing
+elections.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lm announce</tt></p>
+</td>
+<td>
+<p><tt class="literal">yes</tt>, <tt class="literal">no</tt>, or
+<tt class="literal">auto</tt></p>
+</td>
+<td>
+<p>Enables or disables LAN Manager-style host announcements.</p>
+</td>
+<td>
+<p><tt class="literal">auto</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lm interval</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Frequency in seconds that LAN Manager announcements will be made if
+activated.</p>
+</td>
+<td>
+<p><tt class="literal">60</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">preferred</tt> <tt class="literal">master (prefered
+master)</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to use the preferred master
+browser bit to attempt to become the local master browser.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">domain master</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to become the domain browser
+master for the workgroup or domain.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">os level</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Operating system level of Samba in an election for local master
+browser.</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">remote browse</tt> <tt class="literal">sync</tt></p>
+</td>
+<td>
+<p>string (list of IP addresses)</p>
+</td>
+<td>
+<p>Samba servers to synchronize browse lists with.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">remote</tt> <tt class="literal">announce</tt></p>
+</td>
+<td>
+<p>string (IP address/workgroup pairs)</p>
+</td>
+<td>
+<p>Subnets and workgroups to send directed broadcast packets to,
+allowing Samba to appear in their browse lists.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.1"/>
+
+<a name="INDEX-83"/><h3 class="head3">announce as</h3>
+
+<p>This global configuration option specifies the type of operating
+system that Samba announces to other machines on the network. The
+default value for this option is <tt class="literal">N T</tt>
+<tt class="literal">Server</tt>, which causes Samba to masquerade as a
+Windows NT Server operating system. Other possible values are
+<tt class="literal">NT</tt>, <tt class="literal">NT</tt>
+<tt class="literal">Workstation</tt>, <tt class="literal">Win95</tt>, and
+<tt class="literal">W f W</tt> for a Windows for Workgroup operating
+system. You can override the default value with the following:</p>
+
+<blockquote><pre class="code">[global]
+    announce as = Win95</pre></blockquote>
+
+<p>We recommend against changing the default value of this configuration
+option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.2"/>
+
+<a name="INDEX-84"/><h3 class="head3">announce version</h3>
+
+<p>This global option is frequently used with the
+<tt class="literal">announce</tt> <tt class="literal">as</tt> configuration
+option; it specifies the version of the operating system that Samba
+announces to other machines on the network. The default value of this
+option is 4.5, which places Samba above Windows NT Version 4.0, but
+below Windows 2000. You can specify a new value with a global entry
+such as the following:</p>
+
+<blockquote><pre class="code">[global]
+    announce version = 4.3</pre></blockquote>
+
+<p>We recommend against changing the default value of this configuration
+option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.3"/>
+
+<h3 class="head3">browsable</h3>
+
+<p>The <tt class="literal">browsable</tt><a name="INDEX-85"/> option (also spelled
+<tt class="literal">browseable</tt>) indicates whether the share referenced
+should appear in the list of available resources for the system on
+which it resides. This option is always set to <tt class="literal">yes</tt>
+by default. If you wish to prevent the share from being seen in a
+client's browser, you can reset this option to
+<tt class="literal">no</tt>.</p>
+
+<p>Note that this does not prevent someone from accessing the share
+using other means, such as specifying a UNC location (e.g.,
+<tt class="literal">\\server\accounting)</tt> in Windows Explorer. It only
+prevents the share from being listed under the
+system's resources when being browsed.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.4"/>
+
+<a name="INDEX-86"/><h3 class="head3">browse list</h3>
+
+<p>You should never need to change this parameter from its default value
+of <tt class="literal">yes</tt>. If your Samba server is acting as a local
+master browser (i.e., it has won the browsing election), you can use
+the global <tt class="literal">browse</tt> <tt class="literal">list</tt> option
+to instruct Samba to provide or withhold its browse list to all
+clients. By default, Samba always provides a browse list. You can
+withhold this information by specifying the following:</p>
+
+<blockquote><pre class="code">[global]
+    browse list = no</pre></blockquote>
+
+<p>If you disable the browse list, clients cannot browse the names of
+other machines, their services, and other domains currently available
+on the network. Note that this won't make any
+particular machine inaccessible; if someone knows a valid machine
+name/address and a share on that machine, he can still connect to it
+explicitly using the Windows <em class="emphasis">net use</em> command or
+by mapping a drive letter to it using Windows Explorer. It simply
+prevents information in the browse list from being retrieved by any
+client that requests it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.5"/>
+
+<h3 class="head3">auto services</h3>
+
+<p>The global <tt class="literal">auto</tt><a name="INDEX-87"/>
+<tt class="literal">services</tt> option, which is also called
+<tt class="literal">preload</tt> <a name="INDEX-88"/>, ensures that the specified
+shares are always visible in the browse list. One common use for this
+option is to advertise specific user or printer shares that are
+created by the <tt class="literal">[homes]</tt> or
+<tt class="literal">[printers]</tt> shares, but are not otherwise
+browsable.</p>
+
+<p>This option works best with disk shares. If you wish to force each of
+your system printers (i.e., those listed in the printer capabilities
+file) to appear in the browse list, we recommend using the
+<tt class="literal">load</tt> <tt class="literal">printers</tt> option instead.</p>
+
+<p>Shares listed with the <tt class="literal">auto</tt>
+<tt class="literal">services</tt> option will not be displayed if the
+<tt class="literal">browse</tt> <tt class="literal">list</tt> option is set to
+<tt class="literal">no</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.6"/>
+
+<h3 class="head3">default service</h3>
+
+<p>The global <tt class="literal">default</tt><a name="INDEX-89"/>
+<tt class="literal">service</tt> option (sometimes called
+<tt class="literal">default</tt>) names a
+&quot;last-ditch&quot; share. The value is
+set to an existing share name without the enclosing brackets. When a
+client requests a nonexistent disk or printer share, Samba will
+attempt to connect the user to the share specified by this option
+instead. The option is specified as follows:</p>
+
+<blockquote><pre class="code">[global]
+    default service = helpshare</pre></blockquote>
+
+<p>When Samba redirects the requested, nonexistent service to the
+service specified by <tt class="literal">default</tt>
+<tt class="literal">service</tt>, the <tt class="literal">%S</tt> option takes on
+the value of the requested service, with any underscores (
+<tt class="literal">_</tt> ) in the requested service replaced by forward slashes
+(<tt class="literal">/</tt>).</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.7"/>
+
+<a name="INDEX-90"/><h3 class="head3">local master</h3>
+
+<p>This global option specifies whether Samba will attempt to become the
+local master browser for the subnet when it starts up. If this option
+is set to <tt class="literal">yes</tt>, Samba will participate in
+elections. However, setting this option by itself does not guarantee
+victory. (Other parameters, such as <tt class="literal">preferred</tt>
+<tt class="literal">master</tt> and <tt class="literal">os</tt>
+<tt class="literal">level</tt>, help Samba win browsing elections.) If this
+option is set to <tt class="literal">no</tt>, Samba will lose all browsing
+elections, regardless of which values are specified by the other
+configuration options. The default value is <tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.8"/>
+
+<h3 class="head3">lm announce</h3>
+
+<p>The global <tt class="literal">lm</tt><a name="INDEX-91"/>
+<tt class="literal">announce</tt> option tells Samba's
+<em class="emphasis">nmbd</em> whether to send <a name="INDEX-92"/>LAN Manager host
+announcements on behalf of the server. These host announcements might
+be required by older clients, such as IBM's OS/2
+operating system. This announcement allows the server to be added to
+the browse lists of the client. If activated, Samba will announce
+itself repetitively at the number of seconds specified by the
+<tt class="literal">lm</tt> <tt class="literal">interval</tt> option.</p>
+
+<p>You can specify the option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    lm announce = yes</pre></blockquote>
+
+<p>This configuration option takes the standard Boolean values,
+<tt class="literal">yes</tt> and <tt class="literal">no</tt>, which enable or
+disable LAN Manager announcements, respectively. In addition, a third
+option, <tt class="literal">auto</tt>, causes <em class="emphasis">nmbd</em> to
+listen passively for LAN Manager announcements, but not to send any
+of its own initially. If LAN Manager announcements are detected for
+another machine on the network, <em class="emphasis">nmbd</em> will start
+sending its own LAN Manager announcements to ensure that it is
+visible. The default value is <tt class="literal">auto</tt>. You probably
+won't need to change this value from its default.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.9"/>
+
+<a name="INDEX-93"/><h3 class="head3">lm interval</h3>
+
+<p>This option, which is used in conjunction with <tt class="literal">lm</tt>
+<tt class="literal">announce</tt>, indicates the number of seconds
+<em class="emphasis">nmbd</em> will wait before repeatedly broadcasting
+LAN Manager-style announcements. LAN Manager announcements must be
+enabled for this option to work. The default value is 60 seconds. If
+you set this value to 0, Samba will not send any LAN Manager host
+announcements, regardless of the value of the <tt class="literal">lm</tt>
+<tt class="literal">announce</tt> option. You can reset the value of this
+option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    lm interval = 90</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.10"/>
+
+<h3 class="head3">preferred master</h3>
+
+<p>The <tt class="literal">preferred</tt><a name="INDEX-94"/>
+<tt class="literal">master</tt> option requests that Samba set the
+preferred master bit when participating in an election. This gives
+the server a higher preferred status in the workgroup than other
+machines at the same operating-system level. If you are configuring
+your Samba machine to become the local master browser, it is wise to
+set the following value:</p>
+
+<blockquote><pre class="code">[global]
+    preferred master = yes</pre></blockquote>
+
+<p>Otherwise, you should leave it set to its default,
+<tt class="literal">no</tt>. If Samba is configured as a preferred master
+browser, it will force an election when it first comes online.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.11"/>
+
+<a name="INDEX-95"/><h3 class="head3">domain master</h3>
+
+<p>If Samba is the primary domain controller for your workgroup or NT
+domain, it should also be made the domain master browser. The domain
+master browser is a special machine that has the NetBIOS resource
+type &lt;1B&gt; and is used to propagate browse lists to and from
+each local master browser in individual subnets across the domain. To
+force Samba to become the <a name="INDEX-96"/>domain master browser, set the following in
+the <tt class="literal">[global]</tt> section of the
+<em class="filename">smb.conf</em>:</p>
+
+<blockquote><pre class="code">[global]
+    domain master = yes</pre></blockquote>
+
+<p>If you have a Windows NT server on the network acting as a primary
+domain controller (PDC), we recommend that you do not use Samba to
+become the domain master browser. The reverse is true as well: if
+Samba is taking on the responsibilities of a PDC, we recommend making
+it the domain master browser. Splitting the PDC and the domain master
+browser will cause unpredictable errors to occur on the network.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.12"/>
+
+<h3 class="head3">os level</h3>
+
+<p>The global <tt class="literal">os</tt><a name="INDEX-97"/> <tt class="literal">level</tt> option
+defines the operating-system value with which Samba will masquerade
+during a browser election. If you wish to have Samba win an election
+and become the master browser, set the <tt class="literal">os</tt>
+<tt class="literal">level</tt> higher than that of any other system on the
+subnet. The values are shown in <a href="ch07.html#samba2-CHP-7-TABLE-2">Table 7-2</a>. The
+default level is 20, which means that Samba will win elections
+against all versions of Windows, except Windows NT/2000 if it is
+operating as the PDC. If you wish Samba to win all elections, you can
+set its operating system value as follows:</p>
+
+<blockquote><pre class="code">[global]
+    os level = 255</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.13"/>
+
+<h3 class="head3">remote browse sync</h3>
+
+<p>The global <tt class="literal">remote</tt><a name="INDEX-98"/>
+<tt class="literal">browse</tt> <tt class="literal">sync</tt> option specifies
+that Samba should synchronize its browse lists with local master
+browsers in other subnets. However, the synchronization can occur
+only with other Samba servers and not with Windows computers. For
+example, if your Samba server were a master browser on the subnet
+172.16.235, and Samba local master browsers existed on other subnets
+located at 172.16.234.92 and 172.16.236.2, you would specify the
+following:</p>
+
+<blockquote><pre class="code">[global]
+    remote browse sync = 172.16.234.92 172.16.236.2</pre></blockquote>
+
+<p>The Samba server would then directly contact the other machines on
+the address list and synchronize browse lists. You can also say:</p>
+
+<blockquote><pre class="code">[global]
+    remote browse sync = 172.16.234.255 172.16.236.255</pre></blockquote>
+
+<p>This forces Samba to broadcast queries to determine the IP addresses
+of the local master browser on each subnet, with which it will then
+synchronize browse lists. This works, however, only if your router
+doesn't block directed broadcast requests ending in
+255.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.14"/>
+
+<h3 class="head3">remote announce</h3>
+
+<p>Samba servers are capable of providing browse lists to foreign
+subnets with the <tt class="literal">remote</tt><a name="INDEX-99"/>
+<tt class="literal">announce</tt> option. This is typically sent to the
+local master browser of the foreign subnet in question. However, if
+you do not know the address of the local master browser, you can do
+the following:</p>
+
+<blockquote><pre class="code">[global]
+    remote announce = 172.16.234.255/ACCOUNTING \       
+                        172.16.236.255/ACCOUNTING</pre></blockquote>
+
+<p>With this, Samba will broadcast host announcements to all machines on
+subnets 172.16.234 and 172.16.236, which will hopefully reach the
+local master browser of the subnet.</p>
+
+<p>You can also specify exact IP addresses, if they are known, but this
+works only if the systems are guaranteed to maintain the role of
+master browser on their subnets. By appending a workgroup or domain
+name to the IP address, Samba announces that it is in that workgroup
+or domain. If this is left out, the workgroup set by the
+<tt class="literal">workgroup</tt> parameter is used. <a name="INDEX-100"/> <a name="INDEX-101"/><a name="INDEX-102"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> As we explained in
+<a href="ch01.html">Chapter 1</a>, a system can register under more than
+one NetBIOS name. We use the singular here only to keep our
+explanation simple.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch08.html b/docs/htmldocs/using_samba/ch08.html
new file mode 100644
index 0000000000..001a86a4a3
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch08.html
@@ -0,0 +1,3744 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 8. Advanced Disk Shares</h1>
+
+
+<p>This chapter continues our discussion of configuring Samba from <a href="ch06.html">Chapter 6</a>. We will cover some more advanced issues
+regarding the integration of Unix and Windows filesystems, including
+hidden files, Unix links, file permissions, name mangling, case
+sensitivity of filenames, file locking, opportunistic locking
+(oplocks), connection scripts, supporting Microsoft Dfs (Distributed
+filesystem) shares, and using NIS home directories.</p>
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-1"/>
+
+<h2 class="head1">Filesystem Differences</h2>
+
+<p>One of the biggest issues for which Samba has to correct is the
+difference between Unix and Microsoft filesystems. This includes
+items such as handling symbolic links, hidden files, and dot files.
+In addition, file permissions can also be a headache if not properly
+accounted for.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-1.1"/>
+
+<h3 class="head2">Hiding and Vetoing Files</h3>
+
+<p><a name="INDEX-1"/><a name="INDEX-2"/>Sometimes you need to ensure that a user
+cannot see or access a file at all. Other times, you
+don't want to keep users from accessing a
+file&mdash;you just want to hide it when they view the contents of
+the directory. On Windows systems, an attribute of files allows them
+to be hidden from a folder listing. With Unix, the traditional way of
+hiding files in a directory is to use a <a name="INDEX-3"/><a name="INDEX-4"/>dot (.) as the first character in the
+filename. This prevents items such as configuration files from being
+seen when performing an ordinary <em class="emphasis">ls</em> command.
+Keeping a user from accessing a file at all, however, involves
+working with permissions on files and directories.</p>
+
+<p>The first option we should discuss is the Boolean
+<tt class="literal">hide</tt><a name="INDEX-5"/><a name="INDEX-6"/> <tt class="literal">dot</tt>
+<tt class="literal">files</tt>. When it is set to <tt class="literal">yes</tt>,
+Samba reports files beginning with a period (.) as having their
+hidden attribute set. If the user has chosen to show all hidden files
+while browsing (e.g., using the Folder Options menu item under the
+View menu in Windows 98), he will still be able to see the files,
+although his icons will appear
+&quot;ghosted,&quot; or slightly grayed-out.
+If the client is configured not to show hidden files, the files will
+not appear at all.</p>
+
+<p>Instead of simply hiding files beginning with a dot, you can also
+specify a string pattern to Samba for files to hide, using the
+<tt class="literal">hide</tt><a name="INDEX-7"/> <tt class="literal">files</tt>
+option. For example, let's assume you specified the
+following in our example <tt class="literal">[data]</tt> share:</p>
+
+<blockquote><pre class="code">[data]
+    hide files = /*.java/*README*/</pre></blockquote>
+
+<p>Each entry for this option must begin, end, or be separated from
+another with a slash ( / ) character, even if only one pattern is
+listed. This convention allows spaces to appear in filenames. The
+slashes have nothing to do with Unix directories; they are instead
+acting as delimiters for the <tt class="literal">hide</tt>
+<tt class="literal">files</tt> values.</p>
+
+<p>If you want to prevent users from seeing files completely, you can
+instead use the <tt class="literal">veto</tt><a name="INDEX-8"/> <tt class="literal">files</tt>
+option. This option, which takes the same syntax as the
+<tt class="literal">hide</tt> <tt class="literal">files</tt> option, specifies a
+list of files that should never be seen by the user. For example,
+let's change the <tt class="literal">[data]</tt> share to
+the following:</p>
+
+<blockquote><pre class="code">[data]
+    veto files = /*.java/*README*/</pre></blockquote>
+
+<p>The syntax of this option is identical to the <tt class="literal">hide</tt>
+<tt class="literal">files</tt> configuration option: each entry must begin,
+end, or be separated from another with a slash (<tt class="literal">/</tt>)
+character, even if only one pattern is listed. If you do so, files
+that match the pattern, such as <em class="filename">hello.java</em> and
+<em class="filename">README.txt,</em> will simply disappear from the
+directory, and the user cannot access them through SMB.</p>
+
+<p><a name="INDEX-9"/>We need to address
+one other question. What happens if the user tries to delete a
+directory that contains vetoed files? This is where the
+<tt class="literal">delete</tt><a name="INDEX-10"/> <tt class="literal">veto</tt>
+<tt class="literal">files</tt> option comes in. If this Boolean option is
+set to <tt class="literal">yes</tt>, the user can delete both the regular
+files and the vetoed files in the directory, and the directory itself
+is removed. If the option is set to <tt class="literal">no</tt>, the user
+cannot delete the vetoed files, and consequently the directory is not
+deleted either. From the user's perspective, the
+directory appears empty, but cannot be removed.</p>
+
+<p>The <tt class="literal">dont</tt><a name="INDEX-11"/> <tt class="literal">descend</tt>
+directive specifies a list of directories whose contents Samba should
+not make visible. Note that we say <em class="emphasis">contents</em>, not
+the directory itself. Users can enter a directory marked as such, but
+they are prohibited from descending the directory tree any
+farther&mdash;they always see an empty folder. For example,
+let's use this option with a more basic form of the
+share that we defined earlier in the chapter:</p>
+
+<blockquote><pre class="code">[data]
+    dont descend = config defaults</pre></blockquote>
+
+<p>In addition, let's assume that the
+<em class="filename">/home/samba/data</em> directory has the following
+contents:</p>
+
+<blockquote><pre class="code">drwxr-xr-x   6 tom      users     1024 Jun 13 09:24 .
+drwxr-xr-x   8 root     root      1024 Jun 10 17:53 ..
+-rw-r--r--   2 tom      users     1024 Jun  9 11:43 README
+drwxr-xr-x   3 tom      users     1024 Jun 13 09:28 config
+drwxr-xr-x   3 tom      users     1024 Jun 13 09:28 defaults
+drwxr-xr-x   3 tom      users     1024 Jun 13 09:28 market</pre></blockquote>
+
+<p>If the user then connects to the share, she would see the directories
+in the share. However, the contents of the
+<em class="filename">/config</em> and <em class="filename">/defaults</em>
+directories would appear empty to her, even if other folders or files
+existed in them. In addition, users cannot write any data to the
+folder (which prevents them from creating a file or folder with the
+same name as one that is already there but invisible). If a user
+attempts to do so, she will receive an &quot;Access
+Denied&quot; message. The <tt class="literal">dont</tt>
+<tt class="literal">descend</tt> option is an administrative
+option&mdash;not a security option&mdash;and is not a substitute for
+good file permissions. <a name="INDEX-12"/><a name="INDEX-13"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-1.2"/>
+
+<h3 class="head2">Links</h3>
+
+<p><a name="INDEX-14"/>When a client
+tries to open a symbolic link on a Samba server share, Samba attempts
+to follow the link to find the real file and let the client open it,
+as if the user were on a Unix machine. If you don't
+want to allow this, set the <tt class="literal">follow</tt>
+<tt class="literal">symlinks</tt> option like this:</p>
+
+<blockquote><pre class="code">[data]
+    follow symlinks = no</pre></blockquote>
+
+<p>You can test this by setting up and trying to access a symbolic link.
+Create a directory on the Unix server inside the share, acting as the
+user under which you will log in to Samba. Enter the following
+commands:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>echo &quot;This is a test&quot; &gt;hello.txt</b></tt>
+$ <tt class="userinput"><b>ln -s hello.txt hello-link.txt</b></tt></pre></blockquote>
+
+<p>This results in the text file <em class="filename">hello.txt</em> and a
+symbolic link to it called <em class="filename">hello-link.txt</em>.
+Normally, if you double-click either one, you will receive a file
+that has the text &quot;This is a test&quot;
+inside of it. However, with the <tt class="literal">follow</tt>
+<tt class="literal">symlinks</tt><a name="INDEX-15"/> option set to
+<tt class="literal">no</tt>, you will receive an error dialog if you
+double-click <em class="filename">hello-link.txt</em>.</p>
+
+<p>The <tt class="literal">wide</tt><a name="INDEX-16"/> <tt class="literal">links</tt>
+option, if set to <tt class="literal">no</tt>, prevents the client user
+from following symbolic links that point outside the shared directory
+tree. For example, let's assume that we modified the
+<tt class="literal">[data]</tt> share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    follow symlinks = yes
+    wide links = no</pre></blockquote>
+
+<p>As long as the <tt class="literal">follow</tt><a name="INDEX-17"/>
+<tt class="literal">symlinks</tt> option is disabled, Samba will refuse to
+follow any symbolic links outside the current share tree. If we
+create a file outside the share (for example, in
+someone's home directory) and then create a link to
+it in the share as follows:</p>
+
+<blockquote><pre class="code">ln -s ~tom/datafile ./datafile</pre></blockquote>
+
+<p>the client cannot open the file in Tom's home
+directory.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-1.3"/>
+
+<h3 class="head2">Filesystem Options</h3>
+
+<p><a href="ch08.html#samba2-CHP-8-TABLE-1">Table 8-1</a> <a name="INDEX-18"/><a name="INDEX-19"/>shows a breakdown of the options we
+discussed earlier. We recommend the defaults for most, except those
+listed in the following descriptions.</p>
+
+<a name="samba2-CHP-8-TABLE-1"/><h4 class="head4">Table 8-1. Filesystem configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">dont descend</tt></p>
+</td>
+<td>
+<p>string (list of directories)</p>
+</td>
+<td>
+<p>Indicates a list of directories whose contents Samba should make
+invisible to clients.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">follow</tt> <tt class="literal">symlinks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">no</tt>, will not honor symbolic links.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">getwd cache</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, will use a cache for
+<tt class="literal">getwd( )</tt> calls.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">wide links</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, will follow symbolic links outside
+the share.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">hide dot files</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, treats Unix hidden files as hidden
+files in Windows.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">hide files</tt></p>
+</td>
+<td>
+<p>string (list of files)</p>
+</td>
+<td>
+<p>List of file patterns to treat as hidden.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">veto files</tt></p>
+</td>
+<td>
+<p>string (list of files)</p>
+</td>
+<td>
+<p>List of file patterns to never show.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">delete veto</tt> <tt class="literal">files</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, will delete files matched by
+<tt class="literal">veto files</tt> when the directory they reside in is
+deleted.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.1"/>
+
+<h3 class="head3">dont descend</h3>
+
+<p>The <tt class="literal">dont</tt><a name="INDEX-20"/> <tt class="literal">descend</tt>
+option can be used to specify various directories that should appear
+empty to the client. Note that the directory itself will still
+appear. However, Samba will not show any of the contents of the
+directory to the client user. This is not a good option to use as a
+security feature; it is really meant only as a convenience to keep
+users from casually browsing into directories that might have
+sensitive files. See our example earlier in this section.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.2"/>
+
+<a name="INDEX-21"/><h3 class="head3">follow symlinks</h3>
+
+<p>This option controls whether Samba will follow a symbolic link in the
+Unix operating system to the target or if it should return an error
+to the client user. If the option is set to <tt class="literal">yes</tt>,
+the target of the link will be interpreted as the file. If set to
+<tt class="literal">no</tt>, an error will be generated if the symbolic
+link is accessed.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.3"/>
+
+<a name="INDEX-22"/><h3 class="head3">getwd cache</h3>
+
+<p>This global option specifies whether Samba should use a local cache
+for the Unix <em class="emphasis">getwd( )</em> ( get current working
+directory) system call. You can override the default value of
+<tt class="literal">yes</tt> as follows:</p>
+
+<blockquote><pre class="code">[global]
+    getwd cache = no</pre></blockquote>
+
+<p>Setting this option to <tt class="literal">no</tt> can significantly
+increase the time it takes to resolve the working directory,
+especially if the <tt class="literal">wide</tt> <tt class="literal">links</tt>
+option is set to <tt class="literal">no</tt>. You should normally not need
+to alter this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.4"/>
+
+<a name="INDEX-23"/><h3 class="head3">wide links</h3>
+
+<p>This option specifies whether the client user can follow symbolic
+links that point outside the shared directory tree. This includes any
+files or directories at the other end of the link, as long as the
+permissions are correct for the user. The default value for this
+option is <tt class="literal">yes</tt>. Note that this option will not be
+honored if the <tt class="literal">follow</tt> <tt class="literal">symlinks</tt>
+options is set to <tt class="literal">no</tt>. Setting this option to
+<tt class="literal">no</tt> slows <em class="emphasis">smbd</em> considerably
+because it will have to check each link it encounters.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.5"/>
+
+<h3 class="head3">hide dot files</h3>
+
+<p>The <tt class="literal">hide</tt><a name="INDEX-24"/><a name="INDEX-25"/> <tt class="literal">dot</tt>
+<tt class="literal">files</tt> option hides any files on the server that
+begin with a dot (.) character to mimic the functionality behind
+several shell commands that are present on Unix systems. Like
+<tt class="literal">hide</tt> <tt class="literal">files</tt>, those files that
+begin with a dot have the DOS hidden attribute set, which
+doesn't guarantee that a client cannot view them.
+The default value for this option is <tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.6"/>
+
+<h3 class="head3">hide files</h3>
+
+<p>The <tt class="literal">hide</tt><a name="INDEX-26"/> <tt class="literal">files</tt> option
+provides one or more directory or filename patterns to Samba. Any
+file matching this pattern will be treated as a hidden file from the
+perspective of the client. Note that this simply means that the DOS
+hidden attribute is set, which might or might not mean that the user
+can actually see it while browsing.</p>
+
+<p>Each entry in the list must begin, end, or be separated from another
+entry with a slash (<tt class="literal">/</tt>) character, even if only one
+pattern is listed. This allows spaces to appear in the list.
+Asterisks can be used as a wildcard to represent zero or more
+characters. Questions marks can be used to represent exactly one
+character. For example:</p>
+
+<blockquote><pre class="code">hide files = /.jav*/README.???/</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.7"/>
+
+<a name="INDEX-27"/><h3 class="head3">veto files</h3>
+
+<p>More stringent than the hidden files state is the state provided by
+the <tt class="literal">veto</tt> <tt class="literal">files</tt> configuration
+option. Samba won't even admit these files exist.
+You cannot list or open them from the client. This should not be used
+as a means of implementing security. It is actually a mechanism to
+keep PC programs from deleting special files, such as ones used to
+store the resource fork of a Macintosh file on a Unix filesystem. If
+both Windows and Macs are sharing the same files, this can prevent
+ill-advised power users from removing files the Mac users need.</p>
+
+<p>The syntax of this option is identical to that of the
+<tt class="literal">hide</tt> <tt class="literal">files</tt> configuration
+option: each entry must begin, end, or be separated from another with
+a slash ( / ) character, even if only one pattern is listed.
+Asterisks can be used as a wildcard to represent zero or more
+characters. Question marks can be used to represent exactly one
+character. For example:</p>
+
+<blockquote><pre class="code">veto files = /*config/*default?/</pre></blockquote>
+
+<p>This option is primarily administrative and is not a substitute for
+good file permissions.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.8"/>
+
+<a name="INDEX-28"/><h3 class="head3">delete veto files</h3>
+
+<p>This option tells Samba to delete vetoed files when a user attempts
+to delete the directory in which they reside. The default value is
+<tt class="literal">no</tt>. This means that if a user tries to delete a
+directory that contains a vetoed file, the file (and the directory)
+will not be deleted. Instead, the directory remains and appears empty
+from the perspective of the user. If set to <tt class="literal">yes</tt>,
+the directory and the vetoed files will be deleted. <a name="INDEX-29"/><a name="INDEX-30"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-2"/>
+
+<h2 class="head1">File Permissions and Attributes on MS-DOS and Unix</h2>
+
+<p><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>Originally, DOS was not intended to be a
+multiuser, networked operating system. Unix, on the other hand, was
+designed for multiple users from the start. Consequently, Samba must
+not only be aware of, but also provide special solutions for,
+inconsistencies and gaps in coverage between the two filesystems. One
+of the biggest gaps is how Unix and DOS handle permissions on files.</p>
+
+<p>Let's take a look at how Unix assigns permissions.
+All Unix files have read, write, and execute bits for three
+classifications of users: owner, group, and world. These permissions
+can be seen at the extreme lefthand side when an <em class="emphasis">ls
+-al</em> command is issued in a Unix directory. For example:</p>
+
+<blockquote><pre class="code">-rwxr--r--   1 tom     users   2014 Apr 13 14:11 access.conf</pre></blockquote>
+
+<p>Windows, on the other hand, has four principal bits that it uses with
+any file: read-only, system, hidden, and archive. You can view these
+bits by right-clicking the file and choosing the Properties menu
+item. You should see a dialog similar to <a href="ch08.html#samba2-CHP-8-FIG-1">Figure 8-1</a>.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a></p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-1"/><img src="figs/sam2_0801.gif"/></div><h4 class="head4">Figure 8-1. DOS and Windows file properties</h4>
+
+<p>The definition of each bit follows:</p>
+
+<dl>
+<dt><b>Read-only</b></dt>
+<dd>
+<p>The file's contents can be read by a user but cannot
+be written to.</p>
+</dd>
+
+
+
+<dt><b>System</b></dt>
+<dd>
+<p>This file has a specific purpose required by the operating system.</p>
+</dd>
+
+
+
+<dt><b>Hidden</b></dt>
+<dd>
+<p>This file has been marked to be invisible to the user, unless the
+operating system is explicitly set to show it.</p>
+</dd>
+
+
+
+<dt><b>Archive</b></dt>
+<dd>
+<p>This file has been touched since the last DOS backup was performed on
+it.</p>
+</dd>
+
+</dl>
+
+<p>Note that there is no bit to specify that a file is executable. DOS
+and Windows NT filesystems identify executable files by giving them
+the extensions <em class="filename">.exe</em>, <em class="filename">.com</em>,
+<em class="filename">.cmd</em>, or <em class="filename">.bat</em>.</p>
+
+<p>Consequently, there is no use for any of the three Unix executable
+bits that are present on a file in a Samba disk share. DOS files,
+however, have their own attributes that need to be preserved when
+they are stored in a Unix environment: the archive, system, and
+hidden bits. Samba can preserve these bits by reusing the executable
+permission bits of the file on the Unix side&mdash;if it is
+instructed to do so. Mapping these bits, however, has an unfortunate
+side effect: if a Windows user stores a file in a Samba share, and
+you view it on Unix with the <em class="emphasis">ls -al</em> command,
+some of the executable bits won't mean what
+you'd expect them to.</p>
+
+<p>Three Samba options decide whether the bits are mapped:
+<tt class="literal">map</tt><a name="INDEX-34"/> <tt class="literal">archive</tt>,
+<tt class="literal">map</tt><a name="INDEX-35"/> <tt class="literal">system</tt> , and
+<tt class="literal">map</tt><a name="INDEX-36"/> <tt class="literal">hidden</tt>. These options
+map the archive, system, and hidden attributes to the owner, group,
+and world execute bits of the file, respectively. You can add these
+options to the <tt class="literal">[data]</tt> share, setting each of their
+values as follows:</p>
+
+<blockquote><pre class="code">[data]
+    map archive = yes
+    map system = yes
+    map hidden = yes</pre></blockquote>
+
+<p>After that, try creating a file in the share under Unix&mdash;such as
+<em class="emphasis">hello.java</em>&mdash;and change the permissions of
+the file to 755. With these Samba options set, you should be able to
+check the permissions on the Windows side and see that each of the
+three values has been checked in the Properties dialog box. What
+about the read-only attribute? By default, Samba sets this whenever a
+file does not have the Unix owner write permission bit set. In other
+words, you can set this bit by changing the permissions of the file
+to 555.</p>
+
+<p>The default value of the <tt class="literal">map</tt>
+<tt class="literal">archive</tt> option is <tt class="literal">yes</tt>, while
+the other two options have a default value of <tt class="literal">no</tt>.
+This is because many programs do not work properly if the archive bit
+is not stored correctly for DOS and Windows files. The system and
+hidden attributes, however, are not critical for a
+program's operation and are left to the discretion
+of the administrator.</p>
+
+<p><a href="ch08.html#samba2-CHP-8-FIG-2">Figure 8-2</a> summarizes the <a name="INDEX-37"/><a name="INDEX-38"/>Unix permission bits and
+illustrates how Samba maps those bits to DOS attributes. Note that
+the group read/write and world read/write bits do not directly
+translate to a DOS attribute, but they still retain their original
+Unix definitions on the Samba server.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-2"/><img src="figs/sam2_0802.gif"/></div><h4 class="head4">Figure 8-2. How Samba and Unix view the permissions of a file</h4>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-2.1"/>
+
+<h3 class="head2">Creation Masks</h3>
+
+<p><a name="INDEX-39"/>File and directory creation masks are
+similar to <a name="INDEX-40"/>umasks you
+have probably encountered while working with Unix systems. They are
+used to help define the permissions that will be assigned to a file
+or directory at the time it is created. Samba's
+masks work differently in that the bits that can be set are set in
+the creation mask, while in Unix umasks, the bits
+<em class="emphasis">cannot</em> be set are set in the umask. We think you
+will find Samba's method to be much more intuitive.
+Once in a while you might need to convert between a Unix umask and
+the equivalent Samba mask. It is simple: one is just the bitwise
+complement of the other. For example, an octal umask of 0022 has the
+same effect as a Samba mask of 0755.</p>
+
+<p>Unix umasks are set on a user-by-user basis, usually while executing
+the GUI's or command-line shell's
+startup scripts. When users connect to a Samba share from a network
+client, these scripts are not executed, so Samba supplies the ability
+to set the creation masks for files and directories. By default, this
+is done on a share-by-share basis, although you can use the
+<tt class="literal">include</tt> parameter in the Samba configuration file
+(as explained in <a href="ch06.html">Chapter 6</a>) to assign masks on a
+user-by-user basis, thus matching conventional Unix behavior.</p>
+
+<p>To show how Samba's create masks work, suppose we
+have a Windows Me user connecting to his Unix home directory through
+Samba, and Samba is configured with <tt class="literal">create</tt>
+<tt class="literal">mask</tt> <tt class="literal">=</tt> <tt class="literal">777</tt>
+in the <tt class="literal">[homes]</tt> share. With this value,
+<tt class="literal">create</tt> <tt class="literal">mask</tt> will not affect the
+bits that are set on new files. If the user creates a file with
+Wordpad, it will appear in the Unix filesystem like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l file.doc</b></tt>
+-rwxrw-rw-    1 jay      jay             0 Sep 21 11:02 file.doc</pre></blockquote>
+
+<p>Wordpad created the file with read/write permissions (i.e., the
+MS-DOS read-only attribute was not set), so Samba mapped the MS-DOS
+attributes to Unix read/write permissions for user, group, and other.
+The <a name="INDEX-41"/><a name="INDEX-42"/>execute bit is set for the owner
+because by default, the <tt class="literal">map</tt>
+<tt class="literal">archive</tt> parameter is set to
+<tt class="literal">yes</tt>. The other execute bits are not set because
+<tt class="literal">map</tt> <tt class="literal">system</tt> and
+<tt class="literal">map</tt> <tt class="literal">hidden</tt> are set to
+<tt class="literal">no</tt> by default. You can customize this behavior as
+you see fit, and unless you do backups from MS-DOS or Windows
+systems, you might want to specify <tt class="literal">map</tt>
+<tt class="literal">archive</tt> <tt class="literal">=</tt> <tt class="literal">no</tt>
+to avoid Windows files from appearing as executables on the Unix
+system.</p>
+
+<p>Now suppose we set
+<tt class="literal">create</tt><a name="INDEX-43"/> <tt class="literal">mask</tt> to have
+an effect. For example:</p>
+
+<blockquote><pre class="code">[homes]
+    create mask = 664</pre></blockquote>
+
+<p>This is equivalent to a Unix umask of 113. If the user creates the
+Wordpad document as before, it will show up as:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l file.doc</b></tt>
+-rw-rw-r--    1 jay      jay             0 Sep 22 16:38 file.doc</pre></blockquote>
+
+<p>Comparing this to the previous example, notice that not only has the
+write permission for other disappeared as we expected, but so has the
+execute permission for owner. This happened because the value of
+<tt class="literal">create</tt> <tt class="literal">mask</tt> logically ANDs the
+owner's permissions with a 6, which has masked off
+the execute bit. The lesson here is that if you want to enable any of
+<tt class="literal">map</tt> <tt class="literal">archive</tt>,
+<tt class="literal">map</tt> <tt class="literal">system</tt>, or
+<tt class="literal">map</tt> <tt class="literal">hidden</tt>, you must be careful
+not to mask off the corresponding execute bit with your
+<tt class="literal">create</tt> <tt class="literal">mask</tt>.</p>
+
+<p>The <tt class="literal">directory</tt><a name="INDEX-44"/> <tt class="literal">mask</tt>
+option works similarly, masking permissions for newly created
+directories. The following example will allow the permissions of a
+newly created directory to be, at most, 755:</p>
+
+<blockquote><pre class="code">[data]
+    directory mask = 755</pre></blockquote>
+
+<p>Also, you can force various bits with the <tt class="literal">force</tt>
+<tt class="literal">create</tt> <tt class="literal">mode</tt> and
+<tt class="literal">force</tt> <tt class="literal">directory</tt>
+<tt class="literal">mode</tt> options. These options will perform a logical
+OR against the file and directory creation masks, ensuring that those
+bits that are specified will always be set. You would typically set
+these options globally to ensure that group and world read/write
+permissions have been set appropriately for new files or directories
+in each share.</p>
+
+<p>In the same spirit, if you wish to set explicitly the Unix user and
+group attributes of a file created on the Windows side, you can use
+the <tt class="literal">force</tt><a name="INDEX-45"/> <tt class="literal">user</tt> and
+<tt class="literal">force</tt><a name="INDEX-46"/> <tt class="literal">group</tt>
+options. For example:</p>
+
+<blockquote><pre class="code">[data]
+    create mask = 744
+    directory mask = 755
+    force user = joe
+    force group = accounting</pre></blockquote>
+
+<p>These options assign the same Unix username and group to every client
+that connects to the share. However, this occurs
+<em class="emphasis">after</em> the client authenticates; it does not
+allow free access to a share. These options are frequently used for
+their side effects of assigning a specific user and group to each new
+file or directory that is created in a share. Use these options with
+discretion.</p>
+
+<p>Finally, one of the capabilities of Unix that DOS lacks is the
+ability to delete a read-only file from a writable directory. In
+Unix, if a directory is writable, a read-only file in that directory
+can still be removed. This could permit you to delete files in any of
+your directories, even if the file was left by someone else.</p>
+
+<p>DOS filesystems are not designed for multiple users, and so its
+designers decided that read-only means &quot;protected
+against accidental change, including deletion,&quot;
+rather than &quot;protected against some other user on a
+single-user machine.&quot; So the designers of DOS
+prohibited removal of a read-only file. Even today, Windows
+filesystems exhibit the same behavior.</p>
+
+<p>Normally, this is harmless. Windows programs don't
+try to remove read-only files because they know it's
+a bad idea. However, a number of source-code control
+programs&mdash;which were first written for Unix&mdash;run on Windows
+and require the ability to delete read-only files. Samba permits this
+behavior with the <tt class="literal">delete</tt><a name="INDEX-47"/>
+<tt class="literal">readonly</tt> option. To enable this functionality, set
+the option to <tt class="literal">yes</tt>:</p>
+
+<a name="INDEX-48"/><blockquote><pre class="code">[data]
+    delete readonly = yes</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-2.2"/>
+
+<h3 class="head2">File and Directory Permission Options</h3>
+
+<p><a name="INDEX-49"/><a name="INDEX-50"/><a name="INDEX-51"/>The
+options for file and directory permissions are summarized in <a href="ch08.html#samba2-CHP-8-TABLE-2">Table 8-2</a>; each option is then described in detail.</p>
+
+<a name="samba2-CHP-8-TABLE-2"/><h4 class="head4">Table 8-2. File and directory permission options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">create mask</tt> <tt class="literal">(create mode)</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum permissions for files created by Samba.</p>
+</td>
+<td>
+<p><tt class="literal">0744</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">directory mask</tt> <tt class="literal">(directory mode)</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum permissions for directories created by Samba.</p>
+</td>
+<td>
+<p><tt class="literal">0744</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force create mode</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Forces the specified permissions (bitwise <tt class="literal">or</tt>) for
+directories created by Samba.</p>
+</td>
+<td>
+<p><tt class="literal">0000</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force directory</tt> <tt class="literal">mode</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Forces the specified permissions (bitwise <tt class="literal">or</tt>) for
+directories created by Samba.</p>
+</td>
+<td>
+<p><tt class="literal">0000</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force group</tt> <tt class="literal">(group)</tt></p>
+</td>
+<td>
+<p>string ( group name)</p>
+</td>
+<td>
+<p>Effective group for a user accessing this share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force user</tt></p>
+</td>
+<td>
+<p>string (username)</p>
+</td>
+<td>
+<p>Effective username for a user accessing this share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">delete readonly</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Allows a user to delete a read-only file from a writable directory.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">map archive</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Preserve DOS archive attribute in user execute bit (0100).</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">map system</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Preserve DOS system attribute in group execute bit (0010).</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">map hidden</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Preserve DOS hidden attribute in world execute bit (0001).</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">inherit permissions</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, permissions on new files and directories
+are inherited from parent directory.</p>
+</td>
+<td>
+<p>no</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.1"/>
+
+<a name="INDEX-52"/><h3 class="head3">create mask</h3>
+
+<p>The argument for this option is an octal number indicating which
+permission flags can be set at file creation by a client in a share.
+The default is 0744, which means that the Unix owner can at most
+read, write, and optionally execute her own files, while members of
+the user's group and others can only read or execute
+them. If you need to change it for nonexecutable files, we recommend
+0644, or <tt class="literal">rw-r--r--</tt>. Keep in mind that the execute
+bits can be used by the server to map certain DOS file attributes, as
+described earlier. If you're altering the create
+mask, those bits have to be part of the create mask as well.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.2"/>
+
+<a name="INDEX-53"/><h3 class="head3">directory mask</h3>
+
+<p>The argument for this option is an octal number indicating which
+permission flags can be set at directory creation by a client in a
+share. The default is 0744, which allows everyone on the Unix side
+to, at most, read and traverse the directories, but allows only you
+to modify them. We recommend the mask 0750, removing access by
+&quot;the world.&quot;</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.3"/>
+
+<a name="INDEX-54"/><h3 class="head3">force create mode</h3>
+
+<p>This option sets the permission bits that Samba will set when a file
+permission change is made. It's often used to force
+group permissions, as mentioned previously. It can also be used to
+preset any of the DOS attributes we mentioned: archive (0100), system
+(0010), or hidden (0001).</p>
+
+<a name="samba2-CHP-8-NOTE-139"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p><a name="INDEX-55"/>When saving
+documents, many Windows applications rename their datafiles with a
+<em class="filename">.bak</em> extension and create new ones. When the
+files are in a Samba share, this changes their ownership and
+permissions so that members of the same Unix group
+can't edit them. Setting <tt class="literal">force</tt>
+<tt class="literal">create mode = 0660</tt> will keep the new file editable
+by members of the group.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.4"/>
+
+<a name="INDEX-56"/><h3 class="head3">force directory mode</h3>
+
+<p>This option sets the permission bits that Samba will set when a
+directory permission change is made or a directory is created.
+It's often used to force group permissions, as
+mentioned previously. This option defaults to 0000 and can be used
+just like the <tt class="literal">force</tt> <tt class="literal">create</tt>
+<tt class="literal">mode</tt> to add group or other permissions if needed.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.5"/>
+
+<a name="INDEX-57"/><h3 class="head3">force group</h3>
+
+<p>This option, sometimes called <tt class="literal">group</tt>, assigns a
+static group ID that will be used on all connections to a share after
+the client has successfully authenticated. This assigns a specific
+group to each new file or directory created from an SMB client.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.6"/>
+
+<h3 class="head3">force user</h3>
+
+<p>The <tt class="literal">force</tt><a name="INDEX-58"/> <tt class="literal">user</tt> option
+assigns a static user ID that will be used on all connections to a
+share after the client has successfully authenticated. This assigns a
+specific user to each new file or directory created from an SMB
+client.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.7"/>
+
+<a name="INDEX-59"/><h3 class="head3">delete readonly</h3>
+
+<p>This option allows a user to delete a directory containing a
+read-only file. By default, DOS and Windows will not allow such an
+operation. You probably will want to leave this option turned off
+unless a program (for example, an RCS program) needs this capability;
+many Windows users would be appalled to find that
+they'd accidentally deleted a file that they had set
+as read-only.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.8"/>
+
+<a name="INDEX-60"/><h3 class="head3">map archive</h3>
+
+<p>The DOS archive bit is used to flag a file that has been changed
+since it was last archived (e.g., backed up with the DOS archive
+program). Setting the Samba option <tt class="literal">map</tt>
+<tt class="literal">archive</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> maps the DOS archive flag to the Unix
+execute-by-owner (0100) bit. It's best to leave this
+option on if your Windows users are doing their own backups or are
+using programs that require the archive bit. Unix lacks the notion of
+an archive bit entirely. Backup programs typically keep a file that
+lists what files were backed up on what date, so comparing
+file-modification dates serves the same purpose.</p>
+
+<p>Setting this option to <tt class="literal">yes</tt> causes an occasional
+surprise on Unix when a user notices that a datafile is marked as
+executable, but rarely causes harm. If a user tries to run it, he
+will normally get a string of error messages as the shell tries to
+execute the first few lines as commands. The reverse is also
+possible; an executable Unix program looks like it
+hasn't been backed up recently on Windows. But
+again, this is rare and usually harmless.</p>
+
+<p>For map archive to work properly, the execute bit for owner must not
+be masked off with the <tt class="literal">create</tt>
+<tt class="literal">mask</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.9"/>
+
+<a name="INDEX-61"/><h3 class="head3">map system</h3>
+
+<p>The DOS system attribute indicates files that are required by the
+operating system and should not be deleted, renamed, or moved without
+special effort. Set this option only if you need to store Windows
+system files on the Unix fileserver. Executable Unix programs will
+appear to be nonremovable, special Windows files when viewed from
+Windows clients. This might prove mildly inconvenient if you want to
+move or remove one. For most sites, however, this is fairly harmless.</p>
+
+<p>For map archive to work properly, the execute bit for group must not
+be masked off with the <tt class="literal">create</tt>
+<tt class="literal">mask</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.10"/>
+
+<a name="INDEX-62"/><h3 class="head3">map hidden</h3>
+
+<p>DOS uses the hidden attribute to indicate that a file should not
+ordinarily be visible in directory listings. Unix
+doesn't have such a facility; it's
+up to individual programs (notably, the shell) to decide what to
+display and what not to display. Normally, you won't
+have any DOS files that need to be hidden, so the best thing to do is
+to leave this option turned off.</p>
+
+<p>Setting this option to <tt class="literal">yes</tt> causes the server to
+map the hidden flag onto the executable-by-others bit (0001). This
+feature can produce a rather startling effect. Any Unix program that
+is executable by world seems to vanish when you look for it from a
+Windows client. If this option is not set, however, and a Windows
+user attempts to mark a file hidden on a Samba share, it will not
+work&mdash;Samba has no place to store the hidden attribute!</p>
+
+<p>For map archive to work properly, the execute bit for other must not
+be masked off with the <tt class="literal">create</tt>
+<tt class="literal">mask</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.11"/>
+
+<h3 class="head3">inherit permissions</h3>
+
+<p>When the <tt class="literal">inherit</tt><a name="INDEX-63"/>
+<tt class="literal">permissions</tt> option is set to
+<tt class="literal">yes</tt>, the <tt class="literal">create</tt>
+<tt class="literal">mask</tt>, <tt class="literal">directory</tt>
+<tt class="literal">mask</tt>, <tt class="literal">force</tt>
+<tt class="literal">create</tt> <tt class="literal">mode</tt>, and
+<tt class="literal">force</tt> <tt class="literal">directory</tt>
+<tt class="literal">mode</tt> are ignored. The normal behavior of setting
+the permissions on newly created files is overridden such that the
+new files and directories take on permissions from their parent
+directory. New directories will have exactly the same permissions as
+the parent, and new files will inherit the read and write bits from
+the parent directory, while the execute bits are determined as usual
+by the values of the <tt class="literal">map</tt>
+<tt class="literal">archive</tt>, <tt class="literal">map</tt>
+<tt class="literal">hidden</tt>, and <tt class="literal">map</tt>
+<tt class="literal">system</tt> parameters.</p>
+
+<p>By default, this option is set to <tt class="literal">no</tt>. <a name="INDEX-64"/><a name="INDEX-65"/><a name="INDEX-66"/> <a name="INDEX-67"/><a name="INDEX-68"/><a name="INDEX-69"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-3"/>
+
+<h2 class="head1">Windows NT/2000/XP ACLs</h2>
+
+<p><a name="INDEX-70"/><a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/>Unix and Windows
+have different <a name="INDEX-74"/>security models, and Windows NT/2000/XP
+has a security model that is different from Windows 95/98/Me. One
+area in which this is readily apparent is file protections. On Unix
+systems, the method used has traditionally been the 9-bit
+&quot;user, group, other&quot; system, in
+which read, write, and execute bits can be set separately for the
+owner of the file, the groups to which the owner belongs, and
+everyone else, respectively.</p>
+
+<p><a name="INDEX-75"/>Windows 95/98/Me has a file-protection
+system that is essentially no protection at all. This family of
+operating systems was developed from MS-DOS, which was implemented as
+a non-networked, single-user system. Multiuser security simply was
+never added. One apparent exception to this is user-level security
+for shared files, which we will discuss in <a href="ch09.html">Chapter 9</a>. Here, separate access permissions can be
+assigned to individual network client users or groups. However,
+user-level security on Windows 95/98/Me systems requires a Windows
+NT/2000 or Samba server to perform the actual authentication.</p>
+
+<p>On <a name="INDEX-76"/><a name="INDEX-77"/><a name="INDEX-78"/>Windows NT/2000/XP,
+user-level security is an extension of the native file security
+model, which involves access control lists (ACLs). This system is
+somewhat more extensive than the Unix security model, allowing the
+access rights on individual files to be set separately for any number
+of individual users and/or any number of arbitrary groups of users.
+<a href="ch08.html#samba2-CHP-8-FIG-3">Figure 8-3</a>, <a href="ch08.html#samba2-CHP-8-FIG-4">Figure 8-4</a>,
+and <a href="ch08.html#samba2-CHP-8-FIG-5">Figure 8-5</a> show the dialog boxes on a Windows
+2000 system in which the ACL is set for a file. By right-clicking a
+file's icon and selecting Properties, then selecting
+the Security tab, we get to the dialog box shown in <a href="ch08.html#samba2-CHP-8-FIG-3">Figure 8-3</a>. Here, we can set the basic permissions for a
+file, which are similar to Unix permissions, although not identical.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-3"/><img src="figs/sam2_0803.gif"/></div><h4 class="head4">Figure 8-3. The Security tab of the file Properties dialog</h4>
+
+<p>By clicking the Advanced tab, we can bring up the dialog box shown in
+<a href="ch08.html#samba2-CHP-8-FIG-4">Figure 8-4</a>, which shows the list of
+<a name="INDEX-79"/>access control entries (ACEs) in the ACL.
+In this dialog, ACEs can be added to or deleted from the ACL, or an
+existing ACE can be viewed and modified. Each ACE either allows or
+denies a set of permissions for a specific user or group.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-4"/><img src="figs/sam2_0804.gif"/></div><h4 class="head4">Figure 8-4. The Permissions tab of the Access Control Settings dialog</h4>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-5"/><img src="figs/sam2_0805.gif"/></div><h4 class="head4">Figure 8-5. Permission Entry dialog, showing the settings of an ACE</h4>
+
+<p><a href="ch08.html#samba2-CHP-8-FIG-5">Figure 8-5</a> shows the dialog box for adding an ACE.
+As you can see, there are more options for permissions in an ACL than
+with the permission bits on typical Unix systems. You can learn more
+about these settings in <em class="citetitle">Essential Windows NT System
+Administration</em>, published by O'Reilly.</p>
+
+<p>In a networked environment where a Samba server is serving files to
+Windows NT/2000/XP clients, Samba has to map Unix permissions for
+files and directories to Windows NT/2000/XP access control lists.
+When a Windows NT/2000/XP client accesses a shared file or directory
+on a Samba server, Samba translates the object's
+ownership, group, and permissions into an ACL and returns them to the
+client.</p>
+
+<p><a href="ch08.html#samba2-CHP-8-FIG-6">Figure 8-6</a> shows the Properties dialog box for the
+file <em class="filename">shopping_list.doc</em> that resides on the Samba
+server.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-6"/><img src="figs/sam2_0806.gif"/></div><h4 class="head4">Figure 8-6. The Properties dialog for a file on the Samba server</h4>
+
+<p>From Unix, this file appears as:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l shopping_list.doc</b></tt>
+-rw-------    1 adilia   users          49 Mar 29 11:58 shopping_list.doc</pre></blockquote>
+
+<p>Notice that because the file has read permissions for the owner, the
+Read-only checkbox will show as cleared, even though the user on the
+Windows client (who is not <tt class="literal">adilia</tt> in this example)
+does not have read access permissions. The checkboxes here show only
+DOS attributes. By clicking the Security tab, we can start to examine
+the ACLs, as shown in <a href="ch08.html#samba2-CHP-8-FIG-7">Figure 8-7</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-7"/><img src="figs/sam2_0807.gif"/></div><h4 class="head4">Figure 8-7. The Security tab of the Properties dialog for a file on the Samba server</h4>
+
+<p>The owner of the file (<tt class="literal">adilia</tt>) is shown as one
+entry, while the group (<tt class="literal">users</tt>) and other
+permissions are presented as the groups called
+<tt class="literal">users</tt> and <tt class="literal">Everyone</tt>. Clicking
+one of the items in the upper windows causes the simplified view of
+the permissions in that item to appear in the bottom window. Here,
+the read/write permissions for <tt class="literal">adilia</tt> appear in a
+manner that makes the security model of Unix and Windows seem
+similar. However, clicking the Advanced . . . button brings up the
+additional dialog box shown in <a href="ch08.html#samba2-CHP-8-FIG-8">Figure 8-8</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-8"/><img src="figs/sam2_0808.gif"/></div><h4 class="head4">Figure 8-8. The Access Control Settings dialog for a file on the Samba server</h4>
+
+<p>In this dialog box, we see the actual ACL of the file. The ACEs for
+<tt class="literal">users</tt> and <tt class="literal">Everyone</tt> are listed
+with Take Ownership in the Permission column. This is a trick used by
+Samba for ACLs that have no permissions on the Unix side. On Windows,
+an ACL with nothing set results in no ACL at all, so Samba sets the
+Take Ownership permission to make sure that all the ACLs
+corresponding to the Unix &quot;user, group,
+other&quot; permissions will show up on Windows. The Take
+Ownership permission has no corresponding Unix attribute, so the
+setting on Windows does not affect the actual file on the Unix system
+in any way. Although Windows client users might be misled into
+thinking they can take ownership of the file (that is, change the
+ownership of the file to themselves), an actual attempt to do so will
+fail.</p>
+
+<p>The Permissions column for the <tt class="literal">adilia</tt> ACL is
+listed as Special because Samba reports permissions for the file that
+do not correspond to settings for which Windows has a more
+descriptive name. Clicking the entry and then clicking the View/Edit
+. . . button brings up the dialog box shown in <a href="ch08.html#samba2-CHP-8-FIG-9">Figure 8-9</a>, in which the details of the ACL permissions
+can be viewed and perhaps modified.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-9"/><img src="figs/sam2_0809.gif"/></div><h4 class="head4">Figure 8-9. Permission Entry dialog for a file served by Samba</h4>
+
+<p>We say &quot;perhaps&quot; here because
+checking or unchecking boxes in this dialog box might not result in
+settings that Samba is able to map back into the Unix security model.
+When a user attempts to modify a setting (either permissions or
+ownership) that she does not have authority to change, or does not
+correspond to a valid setting on the Unix system, Samba will respond
+with an error dialog or by quietly ignoring the unmappable settings.</p>
+
+<p>The ACLs for a directory are slightly different. <a href="ch08.html#samba2-CHP-8-FIG-10">Figure 8-10</a> shows the ACL view after clicking the Advanced
+button.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-10"/><img src="figs/sam2_0810.gif"/></div><h4 class="head4">Figure 8-10. The Access Control Settings dialog for a directory on the Samba server</h4>
+
+<p>Here, there are two ACLs each for <tt class="literal">users</tt> and
+<tt class="literal">Everyone</tt>. One ACL specifies the permissions for
+the directory itself, and the other specifies permissions for the
+directory's contents. When changing settings in the
+View/Edit... dialog, there is an extra drop-down menu to apply the
+settings either to just the directory or to some combination of the
+directory and the files and directories it contains. If settings are
+applied to more than just the directory, Samba will match the
+behavior of a Windows server and change the permissions on the
+contents of the directory, as specified in the dialog.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-3.1"/>
+
+<h3 class="head2">Unix ACLs</h3>
+
+<p><a name="INDEX-80"/><a name="INDEX-81"/>In
+most cases, users of Windows clients will find the Unix security
+model to be sufficient. However, in some cases, people might want the
+Samba server to support the full Windows ACL security model. Even if
+they don't need the fine-grained control over file
+and directory permissions, they might find Samba's
+translation between ACLs and Unix permissions to be a source of
+confusion or frustration.</p>
+
+<p>When the underlying Unix host operating system supports
+<a name="INDEX-82"/><a name="INDEX-83"/>POSIX.1e ACLs, Samba provides much better
+support of Windows NT/2000/XP ACLs. Versions of Unix that offer the
+necessary support include the following:</p>
+
+<ul><li>
+<p>Solaris 2.6 and later</p>
+</li><li>
+<p>SGI Irix</p>
+</li><li>
+<p>Linux, with Andreas Gr&uuml;nbacher's kernel
+patch from <a href="http://acl.bestbits.at">http://acl.bestbits.at</a>
+that adds ACL support to the Linux ext2 and ext3 filesystems</p>
+</li><li>
+<p>Linux, with the XFS filesystem</p>
+</li><li>
+<p>AIX</p>
+</li><li>
+<p>FreeBSD 5.0 and later</p>
+</li><li>
+<p>HP/UX 11.0 and later, with the JFS 3.3 filesystem layout Version 4</p>
+</li></ul>
+<p>If you are fortunate enough to have a Unix host operating system with
+ACL support already provided, all you need to do is recompile Samba
+using the <tt class="literal">--with-acl-support</tt> configure option, as
+we described in <a href="ch02.html">Chapter 2</a>. If you are running
+Linux and need to patch your kernel, things are much more
+complicated. We suggest you refer to the documentation that comes
+with the patch for details on using it.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-3.2"/>
+
+<h3 class="head2">Configuration Options for ACLs</h3>
+
+<p><a href="ch08.html#samba2-CHP-8-TABLE-3">Table 8-3</a> <a name="INDEX-84"/><a name="INDEX-85"/>shows the Samba configuration options
+for working with Windows NT/2000/XP access control lists.</p>
+
+<a name="samba2-CHP-8-TABLE-3"/><h4 class="head4">Table 8-3. ACL configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">nt acl support</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows users on Windows NT/2000/XP clients
+to modify ACL settings</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">security mask</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Bitmask that allows or denies permission settings on files</p>
+</td>
+<td>
+<p><tt class="literal">0777</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force security</tt> <tt class="literal">mode</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Bits that are always set when modifying file permissions</p>
+</td>
+<td>
+<p><tt class="literal">0000</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">directory</tt> <tt class="literal">security mask</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Bitmask that allows or denies permission settings on directories</p>
+</td>
+<td>
+<p><tt class="literal">0777</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force directory</tt> <tt class="literal">security mode</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Bits that are always set when modifying directory permissions</p>
+</td>
+<td>
+<p><tt class="literal">0000</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.1"/>
+
+<a name="INDEX-86"/><h3 class="head3">nt acl support</h3>
+
+<p>This parameter defaults to <tt class="literal">yes</tt>, which allows users
+on Windows NT/2000/XP clients to modify ACL settings for files on the
+Samba server. When set to <tt class="literal">no</tt>, files show up as
+owned by <tt class="literal">Everyone</tt>, with permissions appearing as
+&quot;Full Control&quot;. However,
+<em class="emphasis">actual</em> ownership and permissions are enforced as
+whatever they are set to on the Samba server, and the user on the
+Windows client cannot view or modify them with the dialog boxes used
+for managing ACLs.</p>
+
+<p>When enabled, support for Windows NT/2000/XP ACLs is limited to
+whatever ownerships and permissions can map into valid users and
+permissions on the Samba server. If the server supports ACLs (either
+&quot;out of the box&quot; or with an
+additional patch to enhance the filesystem), Samba's
+ACL support more closely matches that of a Windows NT/2000/XP server.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.2"/>
+
+<h3 class="head3">security mask</h3>
+
+<p>Using the <tt class="literal">security</tt><a name="INDEX-87"/>
+<tt class="literal">mask</tt> option, it is possible to define which file
+permissions users can modify from Windows NT/2000/XP clients. This is
+for files only and not directories, which are handled with the
+<tt class="literal">directory</tt><a name="INDEX-88"/>
+<tt class="literal">security</tt> <tt class="literal">mask</tt> option. The
+parameter is assigned a numeric value that is a Unix-style
+permissions mask. For bits in the mask that are set, the client can
+modify the corresponding bits in the files'
+permissions. If the bit is zero, the client cannot modify that
+permission. For example, if <tt class="literal">security</tt>
+<tt class="literal">mask</tt> is set as:</p>
+
+<blockquote><pre class="code">[data]
+    security mask = 0777</pre></blockquote>
+
+<p>the client can modify all the user/group/other permissions for the
+files in the share. This is the default. A value of
+<tt class="literal">0</tt> would deny clients from changing any of the
+permissions, and setting <tt class="literal">security</tt>
+<tt class="literal">mask</tt> as:</p>
+
+<blockquote><pre class="code">[data]
+    security mask = 0666</pre></blockquote>
+
+<p>would allow client users to modify the read and write permissions,
+but not the execute permissions.</p>
+
+<p>Do not count on <tt class="literal">security</tt> <tt class="literal">mask</tt>
+for complete control because if the user can access the files on the
+Samba server through any other means (for example, by logging
+directly into the Unix host), he can modify the permissions using
+that method.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.3"/>
+
+<h3 class="head3">force security mode</h3>
+
+<p>The <tt class="literal">force</tt><a name="INDEX-89"/>
+<tt class="literal">security</tt> <tt class="literal">mode</tt> option can be
+used to define a set of permissions that are always set whenever the
+user on a Windows NT/2000/XP client modifies a
+file's permissions. (See the
+<tt class="literal">force</tt> <tt class="literal">directory</tt>
+<tt class="literal">security</tt> <tt class="literal">mode</tt> option for
+handling directories.)</p>
+
+<p>Be careful to understand this properly. The mask given as the
+parameter's value is not necessarily equal to the
+resulting permissions on the file. The permissions that the client
+user attempts to modify are logically OR'd with the
+<tt class="literal">force</tt> <tt class="literal">security</tt>
+<tt class="literal">mode</tt> <tt class="literal">mask</tt> option, and any bits
+that are turned on will cause the file's
+corresponding permissions to be set. As an example, suppose
+<tt class="literal">force</tt> <tt class="literal">security</tt>
+<tt class="literal">mode</tt> is set in a share thusly:</p>
+
+<blockquote><pre class="code">[data]
+    force security mode = 0440</pre></blockquote>
+
+<p>(This sets the read bit for owner and group, but not other.) If a
+user on a Windows NT/2000/XP client modifies an ACL on a file in the
+<tt class="literal">[data]</tt> share and attempts to remove all read
+permissions, the read permission for other
+(<tt class="literal">Everyone</tt>) will be removed, but the read
+permission for the owner and group will remain. Note that this
+parameter cannot force a permission bit to be turned off.</p>
+
+<p>As with the <tt class="literal">security</tt> <tt class="literal">mask</tt>
+option, if a user can access the files in the share through any means
+other than Samba, she can easily work around Samba's
+enforcement of this parameter.</p>
+
+<p>The default value of <tt class="literal">force</tt>
+<tt class="literal">security</tt> <tt class="literal">mode</tt> is
+<tt class="literal">0000</tt>, which allows users to remove any permission
+from files.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.4"/>
+
+<a name="INDEX-90"/><h3 class="head3">directory security mask</h3>
+
+<p>This option works exactly the same as the <tt class="literal">security</tt>
+<tt class="literal">mask</tt> option, except that it operates on
+directories rather than files. As with <tt class="literal">security</tt>
+<tt class="literal">mask</tt>, it has a default value of
+<tt class="literal">0777</tt>, which allows Windows NT/2000/XP client users
+to modify all Unix permissions on directories in the share.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.5"/>
+
+<a name="INDEX-91"/><h3 class="head3">force directory security mode</h3>
+
+<p>This option works exactly the same as the <tt class="literal">force</tt>
+<tt class="literal">security</tt> <tt class="literal">mode</tt> option, except
+that it operates on directories rather than files. It also has a
+default value of <tt class="literal">0000</tt>, which allows Windows
+NT/2000/XP client users to remove any permissions from directories in
+the share. <a name="INDEX-92"/><a name="INDEX-93"/><a name="INDEX-94"/><a name="INDEX-95"/> <a name="INDEX-96"/><a name="INDEX-97"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-4"/>
+
+<h2 class="head1">Name Mangling and Case</h2>
+
+<p><a name="INDEX-98"/><a name="INDEX-99"/><a name="INDEX-100"/><a name="INDEX-101"/>Back
+in the days of DOS and Windows 3.1, every filename was limited to
+eight uppercase characters, followed by a dot, and three more
+uppercase characters. This was known as the <em class="firstterm">8.3
+format</em> and was a huge nuisance. Windows 95/98/Me, Windows
+NT/2000/XP, and Unix have since relaxed this problem by allowing
+longer, sometimes case-sensitive, filenames. <a href="ch08.html#samba2-CHP-8-TABLE-4">Table 8-4</a> shows the current naming state of several
+popular operating systems.</p>
+
+<a name="samba2-CHP-8-TABLE-4"/><h4 class="head4">Table 8-4. Operating system filename limitations</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Operating system</p>
+</th>
+<th>
+<p>File-naming rules</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>DOS 6.22 or below</p>
+</td>
+<td>
+<p>Eight characters followed by a dot followed by a three-letter
+extension (8.3 format); case-insensitive</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 3.1 for Workgroups</p>
+</td>
+<td>
+<p>Eight characters followed by a dot followed by a three-letter
+extension (8.3 format); case-insensitive</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95/98/Me</p>
+</td>
+<td>
+<p>255 characters; case-insensitive but case-preserving</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT/2000/XP</p>
+</td>
+<td>
+<p>255 characters; case-insensitive but case-preserving</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Unix</p>
+</td>
+<td>
+<p>255 characters; case-sensitive</p>
+</td>
+</tr>
+
+</table>
+
+<p>Samba still has to remain backward-compatible with network clients
+that store files in just the 8.3 format, such as Windows for
+Workgroups. If a user creates a file on a share called
+<em class="emphasis">antidisestablishmentarianism.txt</em>, a Windows for
+Workgroups client cannot tell it apart from another file in the same
+directory called <em class="emphasis">antidisease.txt</em>. Like Windows
+95/98/Me and Windows NT/2000/XP, Samba has to employ a special method
+for translating a long filename to an 8.3 filename in such a way that
+similar filenames will not cause collisions. This is called
+<em class="firstterm">name mangling</em>, and Samba deals with this in a
+manner that is similar, but not identical to, Windows 95 and its
+successors.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-4.1"/>
+
+<h3 class="head2">The Samba Mangling Operation</h3>
+
+<p><a name="INDEX-102"/>Here is how Samba mangles a long
+filename into an 8.3 filename:</p>
+
+<ul><li>
+<p>If the original filename does not begin with a dot, the first five
+characters before the dot (if there is one) are converted to
+uppercase. These characters are used as the first five characters of
+the 8.3 mangled filename.</p>
+</li><li>
+<p>If the original filename begins with a dot, the dot is removed and
+then the previous step is performed on what is left.</p>
+</li><li>
+<p>These characters are immediately followed by a special mangling
+character: by default, a tilde (~), although Samba allows you to
+change this character.</p>
+</li><li>
+<p>The base of the long filename before the last period is hashed into a
+two-character code; parts of the name after the last dot can be used
+if necessary. This two-character code is appended to the filename
+after the mangling character.</p>
+</li><li>
+<p>The first three characters after the last dot (if there is one) of
+the original filename are converted to uppercase and appended onto
+the mangled name as the extension. If the original filename began
+with a dot, three underscores ( <tt class="literal">_ _ _</tt> ) are used
+as the extension instead.</p>
+</li></ul>
+<p>Here are some examples:</p>
+
+<blockquote><pre class="code">virtuosity.dat                       VIRTU~F1.DAT
+.htaccess                            HTACC~U0._ _ _
+hello.java                           HELLO~1F.JAV
+team.config.txt                      TEAMC~04.TXT
+antidisestablishmentarianism.txt     ANTID~E3.TXT
+antidisease.txt                      ANTID~9K.TXT</pre></blockquote>
+
+<p>Using these rules will allow Windows for Workgroups to differentiate
+the two files on behalf of the poor individual who is forced to see
+the network through the eyes of that operating system. Note that the
+same long filename should always hash to the same mangled name with
+Samba; this doesn't always happen with Windows. The
+downside of this approach is that there can still be collisions;
+however, the chances are greatly reduced.</p>
+
+<p>You generally want to use the mangling configuration options with
+only the oldest clients. We recommend doing this without disrupting
+other clients by adding an <tt class="literal">include</tt> directive to
+the <em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[global]
+    include = /usr/local/samba/lib/smb.conf.%a</pre></blockquote>
+
+<p>This resolves to <em class="filename">smb.conf.WfWg</em> when a Windows
+for Workgroups client attaches. Now you can create a file
+<em class="filename">/usr/local/samba/lib/smb.conf.WfWg</em>, which might
+contain these options:</p>
+
+<blockquote><pre class="code">[global]
+    case sensitive = no
+    default case = upper
+    preserve case = no
+    short preserve case = no
+    mangle case = yes
+    mangled names= yes</pre></blockquote>
+
+<p>If you are not using Windows for Workgroups, you probably do not need
+to change any of these options from their defaults.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.1.1"/>
+
+<h3 class="head3">Representing and resolving filenames with Samba</h3>
+
+<p><a name="INDEX-103"/>Another item that we should
+point out is that there is a difference between how an operating
+system <em class="emphasis">represents</em> a file and how it
+<em class="emphasis">resolves</em> it. For example, you have likely run
+across a file on a Windows system called
+<em class="filename">README.TXT</em>. The file can be represented by the
+operating system entirely in uppercase letters. However, if you open
+an MS-DOS command prompt and enter the command:</p>
+
+<blockquote><pre class="code">C:\&gt; <tt class="userinput"><b>notepad readme.txt</b></tt></pre></blockquote>
+
+<p>the all-caps file is loaded into the editing program, even though you
+typed the name in lowercase letters.</p>
+
+<p>This is because the Windows 95/98/Me and Windows NT/2000/XP families
+of operating systems resolve filenames in a case-insensitive manner,
+even though the files are represented in a case-sensitive manner.
+Unix-based operating systems, on the other hand, always resolve files
+in a case-sensitive manner; if you try to edit
+<em class="filename">README.TXT</em> with the command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>vi readme.txt</b></tt></pre></blockquote>
+
+<p>you will likely be editing the empty buffer of a new file.</p>
+
+<p><a name="INDEX-104"/>Here is how Samba handles case: if the
+<tt class="literal">preserve</tt><a name="INDEX-105"/> <tt class="literal">case</tt> is set
+to <tt class="literal">yes</tt>, Samba will always use the case provided by
+the operating system for representing (not resolving) filenames. If
+it is set to <tt class="literal">no</tt>, it will use the case specified by
+the <tt class="literal">default</tt><a name="INDEX-106"/> <tt class="literal">case</tt> option.
+The same is true for
+<tt class="literal">short</tt><a name="INDEX-107"/>
+<tt class="literal">preserve</tt> <tt class="literal">case</tt>. If this option
+is set to <tt class="literal">yes</tt>, Samba will use the default case of
+the operating system for representing 8.3 filenames; otherwise, it
+will use the case specified by the <tt class="literal">default</tt>
+<tt class="literal">case</tt> option. Finally, Samba will always resolve
+filenames in its shares based on the value of the
+<tt class="literal">case</tt> <tt class="literal">sensitive</tt> option.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-4.2"/>
+
+<h3 class="head2">Mangling Options</h3>
+
+<p><a name="INDEX-108"/><a name="INDEX-109"/>Samba
+allows more refined instructions on how it should perform name
+mangling, including those controlling the case sensitivity, the
+character inserted to form a mangled name, and the ability to map
+filenames manually from one format to another. These options are
+shown in <a href="ch08.html#samba2-CHP-8-TABLE-5">Table 8-5</a>.</p>
+
+<a name="samba2-CHP-8-TABLE-5"/><h4 class="head4">Table 8-5. Name-mangling options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">case sensitive</tt></p>
+
+<p><tt class="literal">(casesignames)</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, treats filenames as case-sensitive
+(Windows doesn't).</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">default case</tt></p>
+</td>
+<td>
+<p>string (<tt class="literal">upper</tt> or <tt class="literal">lower</tt>)</p>
+</td>
+<td>
+<p>Case to assume as default (used only when preserve case is
+<tt class="literal">no</tt>).</p>
+</td>
+<td>
+<p>Lower</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">preserve case</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, keep the case the client supplied (i.e.,
+do not convert to <tt class="literal">default</tt>
+<tt class="literal">case</tt>).</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">short preserve case</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, preserve case of 8.3-format names that the
+client provides.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangled names</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Mangles long names into 8.3 DOS format.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangle case</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Mangle a name if it is mixed case.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangling char</tt></p>
+</td>
+<td>
+<p>string (single character)</p>
+</td>
+<td>
+<p>Gives mangling character.</p>
+</td>
+<td>
+<p><tt class="literal">~</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangled stack</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Number of mangled names to keep on the local mangling stack.</p>
+</td>
+<td>
+<p><tt class="literal">50</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangled map</tt></p>
+</td>
+<td>
+<p>string (list of patterns)</p>
+</td>
+<td>
+<p>Allows mapping of filenames from one format into another.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.1"/>
+
+<a name="INDEX-110"/><h3 class="head3">case sensitive</h3>
+
+<p>This share-level option, which has the obtuse synonym
+<tt class="literal">casesignames</tt>, specifies whether Samba should
+preserve case when resolving filenames in a specific share. The
+default value for this option is <tt class="literal">no</tt>, which is how
+Windows handles file resolution. If clients are using an operating
+system that takes advantage of case-sensitive filenames, you can set
+this configuration option to <tt class="literal">yes</tt> as shown here:</p>
+
+<blockquote><pre class="code">[accounting]
+    case sensitive = yes</pre></blockquote>
+
+<p>Otherwise, we recommend that you leave this option set to its default.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.2"/>
+
+<h3 class="head3">default case</h3>
+
+<p>The <tt class="literal">default</tt><a name="INDEX-111"/> <tt class="literal">case</tt> option
+is used with <tt class="literal">preserve</tt> <tt class="literal">case</tt>.
+This specifies the default case (upper or lower) Samba uses to create
+a file on one of its shares on behalf of a client. The default case
+is <tt class="literal">lower</tt>, which means that newly created files
+will have lowercase names. If you need to, you can override this
+global option by specifying the following:</p>
+
+<blockquote><pre class="code">[global]
+    default case = upper</pre></blockquote>
+
+<p>If you specify this value, the names of newly created files are
+translated into uppercase and cannot be overridden in a program. We
+recommend that you use the default value unless you are dealing with
+a Windows for Workgroups or other 8.3 client, in which case it should
+be <tt class="literal">upper</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.3"/>
+
+<a name="INDEX-112"/><h3 class="head3">preserve case</h3>
+
+<p>This option specifies whether a file created by Samba on behalf of
+the client is created with the case provided by the client operating
+system or the case specified by the earlier
+<tt class="literal">default</tt> <tt class="literal">case</tt> configuration
+option. The default value is <tt class="literal">yes</tt>, which uses the
+case provided by the client operating system. If it is set to
+<tt class="literal">no</tt>, the value of the <tt class="literal">default</tt>
+<tt class="literal">case</tt> option (upper or lower) is used.</p>
+
+<p>Note that this option does not handle 8.3 file requests sent from the
+client&mdash;see the upcoming <tt class="literal">short</tt>
+<tt class="literal">preserve</tt> <tt class="literal">case</tt> option. You might
+want to set this option to <tt class="literal">yes</tt>, for example, if
+applications that create files on the Samba server demand the file be
+all uppercase. If instead you want Samba to mimic the behavior of a
+Windows NT filesystem, you can leave this option set to its default,
+<tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.4"/>
+
+<a name="INDEX-113"/><h3 class="head3">short preserve case</h3>
+
+<p>This option specifies whether an 8.3 filename created by Samba on
+behalf of the client is created with the default case of the client
+operating system or the case specified by the
+<tt class="literal">default</tt> <tt class="literal">case</tt> configuration
+option. The default value is <tt class="literal">yes</tt>, which uses the
+case provided by the client operating system. You can let Samba
+choose the case through the <tt class="literal">default</tt>
+<tt class="literal">case</tt> option by setting it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    short preserve case = no</pre></blockquote>
+
+<p>If you want to force Samba to mimic the behavior of a Windows NT
+filesystem, you can leave this option set to its default,
+<tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.5"/>
+
+<a name="INDEX-114"/><h3 class="head3">mangled names</h3>
+
+<p>This share-level option specifies whether Samba will mangle filenames
+for 8.3 clients. If the option is set to <tt class="literal">no</tt>, Samba
+will not mangle the names, and (depending on the client) they will
+either be invisible or appear truncated to those using 8.3 operating
+systems. The default value is <tt class="literal">yes</tt>. You can
+override it per share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    mangled names = no</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.6"/>
+
+<a name="INDEX-115"/><h3 class="head3">mangle case</h3>
+
+<p>This option tells Samba whether it should mangle filenames that are
+not composed entirely of the case specified using the
+<tt class="literal">default</tt> <tt class="literal">case</tt> configuration
+option. The default for this option is <tt class="literal">no</tt>. If you
+set it to <tt class="literal">yes</tt>, you should be sure that all clients
+can handle the mangled filenames that result. You can override it per
+share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    mangle case = yes</pre></blockquote>
+
+<p>We recommend that you leave this option alone unless you have a
+well-justified need to change it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.7"/>
+
+<a name="INDEX-116"/><h3 class="head3">mangling char</h3>
+
+<p>This share-level option specifies the mangling character used when
+Samba mangles filenames into the 8.3 format. The default character
+used is a tilde (~). You can reset it to whatever character you wish.
+For instance:</p>
+
+<blockquote><pre class="code">[data]
+    mangling char = #</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.8"/>
+
+<a name="INDEX-117"/><h3 class="head3">mangled stack</h3>
+
+<p>Samba maintains a local stack of recently mangled 8.3 filenames; this
+stack can be used to reverse-map mangled filenames back to their
+original state. This is often needed by applications that create and
+save a file, close it, and need to modify it later. The default
+number of long filename/mangled filename pairs stored on this stack
+is 50. However, if you want to cut down on the amount of processor
+time used to mangle filenames, you can increase the size of the stack
+to whatever you wish, at the expense of memory and slightly slower
+file access:</p>
+
+<blockquote><pre class="code">[global]
+    mangled stack = 100</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.9"/>
+
+<a name="INDEX-118"/><h3 class="head3">mangled map</h3>
+
+<p>If the default behavior of name mangling is not sufficient, you can
+give Samba further instructions on how to behave using the
+<tt class="literal">mangled</tt> <tt class="literal">map</tt> option. This option
+allows you to specify mapping patterns that can be used in place of
+name mangling performed by Samba. For example:</p>
+
+<blockquote><pre class="code">[data]
+    mangled map =(*.database *.db) (*.class *.cls)</pre></blockquote>
+
+<p>Here, Samba is instructed to search each encountered file for
+characters that match the first pattern specified in the parenthesis
+and convert them to the modified second pattern in the parenthesis
+for display on an 8.3 client. This is useful in the event that name
+mangling converts the filename incorrectly or converts it to a format
+that the client cannot understand readily. Patterns are separated by
+whitespaces. <a name="INDEX-119"/><a name="INDEX-120"/> <a name="INDEX-121"/><a name="INDEX-122"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-5"/>
+
+<h2 class="head1">Locks and Oplocks</h2>
+
+<p><a name="INDEX-123"/><a name="INDEX-124"/><a name="INDEX-125"/><a name="INDEX-126"/>Concurrent
+writes to a single file are not desirable in any operating system. To
+prevent this, most operating systems use <em class="firstterm">locks</em>
+to guarantee that only one process can write to a file at a time.
+Operating systems traditionally lock entire files, although newer
+ones allow a range of bytes within a file to be locked. If another
+process attempts to write to a file (or section of one) that is
+already locked, it receives an error from the operating system and
+will have to wait until the lock is released.</p>
+
+<p>Samba supports the standard DOS and NT filesystem (deny-mode) locking
+requests&mdash;which allow only one process to write to an entire
+file on a server at a given time&mdash;as well as byte-range locking.
+In addition, Samba supports a locking mechanism known in the Windows
+NT world as <em class="firstterm">opportunistic locking,
+</em><a name="INDEX-127"/>or<em class="firstterm">
+</em><em class="emphasis">oplock</em> for short.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-5.1"/>
+
+<h3 class="head2">Opportunistic Locking</h3>
+
+<p>Opportunistic locking allows a client to notify the Samba server that
+it will not only be the exclusive writer of a file, but will also
+cache its changes to that file locally to speed up access by reducing
+network activity. This can result in a large performance
+gain&mdash;typically 30%&mdash;while at the same time reserving
+network bandwidth for other purposes.</p>
+
+<p>Because exclusive access can be obtained using regular file locks,
+the value of opportunistic locks is not so much to lock the file as
+it is to cache it. In fact, a better name for opportunistic locking
+might be <em class="firstterm">opportunistic caching</em>.</p>
+
+<p>When Samba knows that a file in one of its shares has been oplocked
+by a client, it marks its version as having an opportunistic lock and
+waits for the client to complete work on the file, at which point it
+expects the client to send its changes back to the Samba server for
+synchronization with the copy on the server.</p>
+
+<p>If a second client requests access to that file before the first
+client has finished working on it, Samba sends an oplock break
+request to the first client. This tells the client to stop caching
+its changes and return the current state of the file to the server so
+that the interrupting client can use it as it sees fit. An
+opportunistic lock, however, is not a replacement for a standard
+deny-mode lock. It is not unheard of for the interrupting process to
+be granted an oplock break only to discover that the original process
+also has a deny-mode lock on a file as well. <a href="ch08.html#samba2-CHP-8-FIG-11">Figure 8-11</a> illustrates this <a name="INDEX-128"/>opportunistic locking process.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-11"/><img src="figs/sam2_0811.gif"/></div><h4 class="head4">Figure 8-11. Opportunistic locking</h4>
+
+<p>In most cases, the extra performance resulting from the use of
+oplocks is highly desirable. However, allowing the client to cache
+data can be a big risk if either the client or network hardware are
+unreliable. Suppose a client opens a file for writing, creating an
+oplock on it. When another client also tries to open the file, an
+oplock break request is sent to the first client. If this request
+goes unfulfilled for any reason and the second client starts writing
+to the file, the file can be easily corrupted as a result of the two
+processes writing to it concurrently. Unfortunately, this scenario is
+very real. Uncoordinated behavior such as this has been observed many
+times among Windows clients in SMB networks (with files served by
+Windows NT/2000 or Samba). Typically, the affected files are database
+files, which multiple clients open concurrently for writing.</p>
+
+<p>A more concrete example of <a name="INDEX-129"/>oplock failure occurs when database
+files are very large. If a client is allowed to oplock this kind of
+file, there can be a huge delay while the client copies the entire
+file from the server to cache it, even though it might need to update
+only one record. The situation goes from bad to worse when another
+client tries to open the oplocked file. The first client might need
+to write the entire file back to the server before the second
+client's file open request can succeed. This results
+in another huge delay (for both clients), which in practice often
+results in a failed open due to a timeout on the second client,
+perhaps along with a message warning of possible database corruption!</p>
+
+<p>If you are having problems of this variety, you can turn off oplocks
+for the affected files by using the
+<tt class="literal">veto</tt><a name="INDEX-130"/> <tt class="literal">oplock</tt>
+<tt class="literal">files</tt> parameter:</p>
+
+<blockquote><pre class="code">[dbdata]
+    veto oplock files = /*.dbm/</pre></blockquote>
+
+<p>Use the value of the parameter (a list of filename-matching patterns
+separated by slash characters) to match all the files in the share
+that might be a source of trouble. The syntax of this parameter is
+similar to that of the <tt class="literal">veto</tt>
+<tt class="literal">files</tt> parameter.</p>
+
+<p>If you want to be really careful and can live with reduced
+performance, you can turn off oplocks altogether, preventing the
+oplock break problem from ever occurring:</p>
+
+<blockquote><pre class="code">[global]
+    oplocks = no</pre></blockquote>
+
+<p>This disables oplocks for all files in all shares served by the Samba
+server. If you wish to disable oplocks in just a specific share, you
+can specify the <tt class="literal">oplocks</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> parameter in just that share:</p>
+
+<blockquote><pre class="code">[database]
+    oplocks = no</pre></blockquote>
+
+<p>This example allows other shares, which might have less sensitive
+data, to attain better performance, while trading performance for
+better data integrity for files in the <tt class="literal">[database]</tt>
+share.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-5.2"/>
+
+<h3 class="head2">Unix and Oplocks</h3>
+
+<p><a name="INDEX-131"/>Most of the time, oplocks help Windows
+client systems cooperate to avoid overwriting each
+other's changes. Unix systems also have file-locking
+mechanisms to allow Unix processes to cooperate with each other. But
+if a file stored on a Samba system is accessed by both a Windows
+network client and a local Unix process&mdash;without an additional
+coordination between the two systems&mdash;the Unix process could
+easily ride roughshod over an oplock.</p>
+
+<p>Some Unix systems have enhanced kernels that understand the Windows
+oplocks maintained by Samba. Currently the support exists only in SGI
+Irix and Linux.</p>
+
+<p>If you leave oplocks enabled and your Unix system does not support
+kernel oplocks, you could end up with corrupted data when somebody
+runs a Unix process that reads or writes a file that Windows users
+also access. This is another case where the
+<tt class="literal">veto</tt><a name="INDEX-132"/> <tt class="literal">oplock</tt>
+<tt class="literal">files</tt> parameter can be used, assuming you can
+anticipate which Samba files are used by both Windows users and Unix
+users. For example, suppose the <tt class="literal">[usrfiles]</tt> share
+contains some ASCII text files with the <em class="filename">.txt</em>
+filename extension and OpenOffice word processor documents with the
+<em class="filename">.doc</em> filename extension, which Unix and Windows
+users both modify. We can use <tt class="literal">veto</tt>
+<tt class="literal">oplock</tt> <tt class="literal">files</tt> like this:</p>
+
+<blockquote><pre class="code">[usrfiles]
+    veto oplock files = /*.txt/*.doc/</pre></blockquote>
+
+<p>This will suppress the use of oplocks on <em class="filename">.txt</em>
+and <em class="filename">.doc</em> files, which will suppress client
+caching, while allowing the Windows and Unix programs to use regular
+file locking to prevent concurrent writes to the same file.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-5.3"/>
+
+<h3 class="head2">Locks and Oplocks Configuration Options</h3>
+
+<p><a name="INDEX-133"/><a name="INDEX-134"/>Samba's options for
+locks and oplocks are given in <a href="ch08.html#samba2-CHP-8-TABLE-6">Table 8-6</a>.</p>
+
+<a name="samba2-CHP-8-TABLE-6"/><h4 class="head4">Table 8-6. Locks and oplocks configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">locking</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, turns on byte-range locks.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">strict</tt> <tt class="literal">locking</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, denies access to an entire file if a
+byte-range lock exists in it.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">posix locking</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, maps oplocks to POSIX locks on the local
+system.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">oplocks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, turns on local caching of files on the
+client for this share.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">kernel</tt> <tt class="literal">oplocks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, indicates that the kernel supports oplocks.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">level2 oplocks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows oplocks to downgrade to read-only.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">fake oplocks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, tells client the lock was obtained, but
+doesn't actually lock it.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">blocking</tt> <tt class="literal">locks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Allows lock requestor to wait for the lock to be granted.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">veto oplock</tt> <tt class="literal">files</tt></p>
+</td>
+<td>
+<p>string (list of filenames)</p>
+</td>
+<td>
+<p>Does not oplock specified files.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lock</tt> <tt class="literal">directory</tt></p>
+</td>
+<td>
+<p>string (fully qualified pathname)</p>
+</td>
+<td>
+<p>Sets the location where various Samba files, including locks, are
+stored.</p>
+</td>
+<td>
+<p>As specified in Samba makefile</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.1"/>
+
+<h3 class="head3">locking</h3>
+
+<p>The <tt class="literal">locking</tt><a name="INDEX-135"/> option can be used to tell
+Samba to engage or disengage server-side byte-range locks on behalf
+of the client. Samba implements byte-range locks on the server side
+with normal Unix advisory locks and consequently prevents other
+properly behaved Unix processes from overwriting a locked byte range.</p>
+
+<p>This option can be specified per share as follows:</p>
+
+<blockquote><pre class="code">[accounting]
+    locking = yes</pre></blockquote>
+
+<p>If the <tt class="literal">locking</tt> option is set to
+<tt class="literal">yes</tt>, the requestor is delayed until the holder of
+either type of lock releases it (or crashes). If, however, the option
+is set to <tt class="literal">no</tt>, no byte-range locks are kept for the
+files, although requests to lock and unlock files will appear to
+succeed. The option is set to <tt class="literal">yes</tt> by default;
+however, you can turn this option off if you have read-only media.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.2"/>
+
+<a name="INDEX-136"/><h3 class="head3">strict locking</h3>
+
+<p>This option checks every file access for a byte-range lock on the
+range of bytes being accessed. This is typically not needed if a
+client adheres to all the locking mechanisms in place. This option is
+set to <tt class="literal">no</tt> by default; however, you can reset it
+per share as follows:</p>
+
+<blockquote><pre class="code">[accounting]
+    strict locking = yes</pre></blockquote>
+
+<p>If this option is set to <tt class="literal">yes</tt>, mandatory locks are
+enforced on any file with byte-range locks.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.3"/>
+
+<a name="INDEX-137"/><h3 class="head3">posix locking</h3>
+
+<p>On systems that support POSIX locking, Samba automatically maps
+oplocks to POSIX locks. This behavior can be disabled by setting
+<tt class="literal">posix</tt> <tt class="literal">locking</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt>. You should never need to
+change the default behavior, which is <tt class="literal">posix</tt>
+<tt class="literal">locking</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.4"/>
+
+<a name="INDEX-138"/><h3 class="head3">oplocks</h3>
+
+<p>This option enables or disables support for oplocks on the client.
+The option is enabled by default. However, you can disable it with
+the following command:</p>
+
+<blockquote><pre class="code">[data]
+    oplocks = no</pre></blockquote>
+
+<p>If you are in an extremely unstable network environment or have many
+clients that cannot take advantage of opportunistic locking, it might
+be better to shut this Samba feature off. If the host operating
+system does not support kernel oplocks, oplocks should be disabled if
+users are accessing the same files from both Unix applications (such
+as <em class="emphasis">vi</em>) and SMB clients.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.5"/>
+
+<a name="INDEX-139"/><h3 class="head3">kernel oplocks</h3>
+
+<p>If a Unix application on the Samba host system (that is not part of
+the Samba suite) tries to open a file for writing that Samba has
+oplocked to a Windows client, it is likely to succeed (depending on
+the operating system), and both Samba and the client are never aware
+of it.</p>
+
+<p>Some versions of Unix have support for oplocks in the kernel that can
+work along with Samba's oplocks. In this case, the
+Unix process trying to open the file is suspended while Samba directs
+the client to write its copy back. After that has happened, the
+operating system allows the open to complete. At the time of this
+writing, this feature is supported only by SGI Irix and Linux.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.6"/>
+
+<a name="INDEX-140"/><h3 class="head3">level2 oplocks</h3>
+
+<p>Windows NT/2000/XP clients can downgrade their read-write oplocks to
+read-only oplocks when another client opens the same file. This can
+result in significant improvements in performance on files that are
+written infrequently or not at all&mdash;especially
+executables&mdash;because all clients can then maintain a read-ahead
+cache for the file. By default, <tt class="literal">level2</tt>
+<tt class="literal">oplocks</tt> is set to <tt class="literal">yes</tt>, and you
+probably won't need to change it.</p>
+
+<p>Currently, Samba cannot support level 2 oplocks along with kernel
+oplocks and automatically disables level 2 oplocks when kernel
+oplocks are in use. (This might change in future releases as improved
+support for oplocks is added by the Samba developers.) If you are
+running Samba on a host system that supports kernel oplocks, you must
+set <tt class="literal">kernel</tt> <tt class="literal">oplocks</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> to enable support for
+level 2 oplocks.</p>
+
+<p>Disabling oplocks with <tt class="literal">oplocks</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> also disables level 2
+oplocks.</p>
+
+<p>Samba can automatically detect its Unix host's
+support of kernel oplocks and will set the value of
+<tt class="literal">kernel</tt> <tt class="literal">oplocks</tt> automatically.
+You should never need to set this option in your Samba configuration
+file.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.7"/>
+
+<a name="INDEX-141"/><h3 class="head3">fake oplocks</h3>
+
+<p>When this option is set to <tt class="literal">yes</tt>, Samba pretends to
+allow oplocks rather than actually supporting them. If this option is
+enabled on a read-only share (such as a shared CD-ROM drive), all
+clients are told that the files are available for opportunistic
+locking and never warned of simultaneous access. As a result, Windows
+clients cache more of the file's data and obtain
+much better performance.</p>
+
+<p>This option was added to Samba before opportunistic-locking support
+was available, and it is now generally considered better to use real
+oplocks. Do not ever enable <tt class="literal">fake</tt>
+<tt class="literal">oplocks</tt> on a read/write share.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.8"/>
+
+<h3 class="head3">blocking locks</h3>
+
+<p>Samba also supports <em class="firstterm">blocking locks</em>, a minor
+variant of range locks. Here, if the range of bytes is not available,
+the client specifies an amount of time that it's
+willing to wait. The server then caches the lock request,
+periodically checking to see if the file is available. If it is, it
+notifies the client; however, if time expires, Samba will tell the
+client that the request has failed. This strategy prevents the client
+from continually polling to see if the lock is available.</p>
+
+<p>You can disable this option per share as follows:</p>
+
+<blockquote><pre class="code">[accounting]
+    blocking locks = no</pre></blockquote>
+
+<p>When set to <tt class="literal">yes</tt>, blocking locks are enforced on
+the file. If this option is set to <tt class="literal">no</tt>, Samba
+behaves as if normal locking mechanisms are in place on the file. The
+default is <tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.9"/>
+
+<a name="INDEX-142"/><h3 class="head3">veto oplock files</h3>
+
+<p>You can provide a list of filenames that are never granted
+opportunistic locks with the <tt class="literal">veto</tt>
+<tt class="literal">oplock</tt> <tt class="literal">files</tt> option. This
+option can be set either globally or on a per-share basis. For
+example:</p>
+
+<blockquote><pre class="code">veto oplock files = /*.bat/*.htm/</pre></blockquote>
+
+<p>The value of this option is a series of patterns. Each pattern entry
+must begin, end, or be separated from another with a slash ( / )
+character, even if only one pattern is listed. Asterisks can be used
+as a wildcard to represent zero or more characters. Questions marks
+can be used to represent exactly one character.</p>
+
+<p>We recommend that you disable oplocks on any files that are meant to
+be updated by Unix or are intended for simultaneous sharing by
+several processes.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.10"/>
+
+<a name="INDEX-143"/><h3 class="head3">lock directory</h3>
+
+<p>This option (sometimes called <tt class="literal">lock</tt>
+<tt class="literal">dir</tt>) specifies the location of a directory where
+Samba will store SMB deny-mode lock files. Samba stores other files
+in this directory as well, such as browse lists and its shared memory
+file. If WINS is enabled, the WINS database is written to this
+directory as well. The default for this option is specified in the
+Samba makefile; it is typically
+<em class="filename">/usr/local/samba/var/locks</em>. You can override
+this location as follows:</p>
+
+<blockquote><pre class="code">[global]
+    lock directory = /usr/local/samba/locks</pre></blockquote>
+
+<p>You typically would not need to override this option, unless you want
+to move the lock files to a more standard location, such as
+<em class="filename">/var/spool/locks</em>. <a name="INDEX-144"/> <a name="INDEX-145"/><a name="INDEX-146"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-6"/>
+
+<h2 class="head1">Connection Scripts</h2>
+
+<p><a name="INDEX-147"/><a name="INDEX-148"/><a name="INDEX-149"/>Samba supports a mechanism called
+<em class="firstterm">connection scripts</em>, by which commands can be
+executed on the server as clients connect to a share or later
+disconnect from it. By using configuration file variables along with
+some custom programming, you can create connection scripts that
+perform a wide range of functions. As a simple example, here is a
+&quot;quick and dirty&quot; way to monitor
+connections to shares on the Samba server in real time. First, the
+value of the <tt class="literal">preexec</tt><a name="INDEX-150"/> parameter is set as
+follows:</p>
+
+<blockquote><pre class="code">[global]
+    preexec = /bin/echo %u at %m connected to //%L/%S on %T &gt;&gt;/tmp/smblog</pre></blockquote>
+
+<p>This causes information about the user and the connection to be
+written to the file <em class="filename">/tmp/smblog</em> whenever any
+client connects to any share. To watch clients connect, run the
+following command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>tail -f /tmp/smblog</b></tt>
+jay at maya connected to //toltec/data on 2002/11/21 21:21:15
+david at apache connected to //toltec/techs on 2002/11/21 21:21:57
+sally at seminole connected to //toltec/payroll on 2002/11/21 21:22:16
+martha at dine connected to //toltec/profiles on 2002/11/21 21:23:38
+martha at dine connected to //toltec/netlogon on 2002/11/21 21:23:39
+martha at dine connected to //toltec/martha on 2002/11/21 21:23:40
+aaron at huastec connected to //toltec/netlogon on 2002/11/21 21:24:19
+aaron at huastec connected to //toltec/aaron on 2002/11/21 21:24:20</pre></blockquote>
+
+<p>With the <em class="emphasis">-f</em> option, the
+<em class="emphasis">tail</em> command monitors
+<em class="filename">/tmp/smblog</em> and prints additional output as new
+data is appended to the file. Every time a new connection is made, an
+additional line is printed, showing the output of the
+<tt class="literal">preexec</tt> command. Notice the lines resulting from
+connections by user <tt class="literal">martha</tt> and
+<tt class="literal">aaron</tt>. User <tt class="literal">martha</tt> logged on to
+the domain from a Windows NT client, which accessed the
+<tt class="literal">[profiles]</tt> share to download her profile, then the
+<tt class="literal">[netlogon]</tt> share to read the logon script, and
+then her home directory (because her logon script contains a
+<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">H</tt>:
+<tt class="literal">/home</tt> command) to connect her home directory to
+drive letter H. The connections from <tt class="literal">aaron</tt> are
+similar, except that he connected from a Windows 98 system, which
+does not use the <tt class="literal">[profiles]</tt> share. (See <a href="ch04.html">Chapter 4</a> for more information about domain logons.)</p>
+
+<p>A more advanced use of
+<a name="INDEX-151"/><a name="INDEX-152"/>connection scripts is to monitor the
+contents of users' home directories and/or other
+shared directories and perform checks ensuring that local
+administrative policies are followed. Checked items might include the
+following:</p>
+
+<ul><li>
+<p>Disk usage, on a per-share, per-directory, or per-file basis</p>
+</li><li>
+<p>Types of files stored on the server</p>
+</li><li>
+<p>Whether filenames follow naming guidelines</p>
+</li><li>
+<p>Whether viruses have copied themselves to the Samba server</p>
+</li></ul>
+<p>To handle this kind of task, a shell script or other program would be
+written to perform the checks and take appropriate actions, such as
+removing offending files. The <tt class="literal">root</tt>
+<tt class="literal">preexec</tt> parameter would be used to run the command
+as the root user, using configuration file variables to pass
+arguments. For example:</p>
+
+<blockquote><pre class="code">[homes]
+    root preexec = admin_checks %S
+    root preexec close = yes</pre></blockquote>
+
+<p>In this example, a specially written administrative checking program
+(<em class="emphasis">admin_checks</em>) is used to monitor
+users' home directories on the Samba server. The
+<tt class="literal">%S</tt> variable is used to pass the name of the home
+directory to the script. The
+<tt class="literal">root</tt><a name="INDEX-153"/> <tt class="literal">preexec</tt>
+<tt class="literal">close</tt> parameter has been set to
+<tt class="literal">yes</tt> so that if <em class="emphasis">admin_checks</em>
+detects a serious violation of local policy, it can exit with a
+nonzero status, and the client is prevented from connecting.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-6.1"/>
+
+<h3 class="head2">Connection Script Options</h3>
+
+<p><a href="ch08.html#samba2-CHP-8-TABLE-7">Table 8-7</a> introduces some of the configuration
+options provided for setting up users.</p>
+
+<a name="samba2-CHP-8-TABLE-7"/><h4 class="head4">Table 8-7. Connection script options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">root preexec</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Sets a Unix command to run as <tt class="literal">root</tt>, before
+connecting to the share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">root preexec close</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, nonzero exit status of
+<tt class="literal">root preexec</tt> command will disconnect.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">preexec</tt> <tt class="literal">(exec)</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Sets a Unix command to run as the user before connecting to the share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">preexec close</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, nonzero exit status of
+<tt class="literal">preexec</tt> command will disconnect.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">postexec</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Sets a Unix command to run as the user after disconnecting from the
+share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">root</tt> <tt class="literal">postexec</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Sets a Unix command to run as <tt class="literal">root</tt> after
+disconnecting from the share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.1"/>
+
+<a name="INDEX-156"/><h3 class="head3">root preexec</h3>
+
+<p>This option specifies as its value a Unix command to be run
+<em class="emphasis">as the root user</em> before any connection to a
+share is completed. You should use this option specifically for
+performing actions that require root privilege.</p>
+
+<p>To ensure security, users should never be able to modify the target
+of the <tt class="literal">root</tt> <tt class="literal">preexec</tt> command. In
+addition, unless you explicitly redirect it, any information the
+command sends to standard output will be discarded. If you intend to
+use any <tt class="literal">preexec</tt> or <tt class="literal">postexec</tt>
+script, you should ensure that it will run correctly before having
+Samba invoke it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.2"/>
+
+<a name="INDEX-157"/><h3 class="head3">root preexec close</h3>
+
+<p>Sometimes you might want the share to disconnect if the
+<tt class="literal">root</tt> <tt class="literal">preexec</tt> script fails,
+giving the client an error rather than allowing it to connect. For
+example, if you are using <tt class="literal">root</tt>
+<tt class="literal">preexec</tt> to mount a CD-ROM or filesystem, it would
+make no sense to connect the client to it in the event that the mount
+fails. If you specify <tt class="literal">root</tt>
+<tt class="literal">preexec</tt> <tt class="literal">close</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt>, the share will fail to
+connect if the <tt class="literal">root</tt> <tt class="literal">preexec</tt>
+script returns a nonzero exit status.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.3"/>
+
+<a name="INDEX-158"/><h3 class="head3">preexec</h3>
+
+<p>Sometimes just called <tt class="literal">exec</tt>, this option defines an
+ordinary unprivileged command run by Samba as the user specified by
+the variable <tt class="literal">%u</tt>. For example, a common use of this
+option is to perform logging, such as the following:</p>
+
+<blockquote><pre class="code">[homes]
+    preexec = echo &quot;%u connected from %m (%I)\&quot; &gt;&gt;/tmp/.log</pre></blockquote>
+
+<p>You must redirect the standard output of the command if you want to
+use it. Otherwise, it is discarded. This warning also applies to the
+command's standard error output. If you intend to
+use a <tt class="literal">preexec</tt> script, you should ensure that it
+will run correctly before having Samba invoke it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.4"/>
+
+<a name="INDEX-159"/><h3 class="head3">preexec close</h3>
+
+<p>This is similar to <tt class="literal">root</tt> <tt class="literal">preexec</tt>
+<tt class="literal">close</tt>, except that it goes with the
+<tt class="literal">preexec</tt> option. By setting
+<tt class="literal">preexec</tt> <tt class="literal">close</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt>, a
+<tt class="literal">preexec</tt> script that returns nonzero will cause the
+share to disconnect immediately.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.5"/>
+
+<a name="INDEX-160"/><h3 class="head3">postexec</h3>
+
+<p>Once the user disconnects from the share, the command specified with
+<tt class="literal">postexec</tt> is run as the user on the Samba server to
+do any necessary cleanup. This option is essentially the same as the
+<tt class="literal">preexec</tt> option. Again, remember that the command
+is run as the user represented by <tt class="literal">%u</tt>, and any
+information sent to standard output will be ignored.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.6"/>
+
+<a name="INDEX-161"/><h3 class="head3">root postexec</h3>
+
+<p>Following the <tt class="literal">postexec</tt> option, the
+<tt class="literal">root</tt> <tt class="literal">postexec</tt> command is run,
+if one has been specified. Again, this option specifies as its value
+a Unix command to be run <em class="emphasis">as the root user</em> before
+disconnecting from a share. You should use this option specifically
+for performing actions that require root privilege. <a name="INDEX-162"/> <a name="INDEX-163"/><a name="INDEX-164"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-7"/>
+
+<h2 class="head1">Microsoft Distributed Filesystems</h2>
+
+<p><a name="INDEX-165"/>In a
+large network where many shared folders are spread out over a large
+number of servers, it can be difficult for users to locate the
+resources they are trying to find. Browsing through Network
+Neighborhood or My Network Places can become an ordeal rather than a
+time-saving convenience. To mitigate this problem, Microsoft added an
+extension to file sharing called <em class="firstterm">Distributed
+filesystem</em><a name="INDEX-166"/><a name="INDEX-167"/> (Dfs). Using Dfs, it
+is possible to organize file shares on the network so that they
+appear to users as organized in a single directory tree on a single
+server, regardless of which servers on the network actually contain
+the resources. Instead of having to browse the entire network, users
+can go to the Dfs share and locate their data much more easily.</p>
+
+<p>Dfs can also help administrators because it provides a level of
+indirection between the name of a shared folder and its actual
+location. The Dfs share contains references to resources on the
+network, and when a resource is accessed, the Dfs server hands the
+client off to the actual server of the resource. When moving
+resources to another computer, the reference to the resource in the
+Dfs share can be redirected to the new location in one step, with the
+change being entirely seamless for users.</p>
+
+<p>To a limited extent, Dfs also can help improve performance for
+read-only shares because it provides <a name="INDEX-168"/>load balancing. It is possible
+to set up a Dfs reference to point to identical shares on two or more
+servers. The Dfs server then divides requests between the servers,
+dividing the client load among them. However, this works well only
+for static, read-only data because no provision is included in Dfs
+for synchronization among the servers when changes are made on any of
+them.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-7.1"/>
+
+<h3 class="head2">Windows Dfs Clients</h3>
+
+<p><a name="INDEX-169"/>Modern versions of Windows come with
+client-side support for Dfs, and no extra configuration is required.
+Support is more limited for older versions, however. Windows for
+Workgroups cannot function as a Dfs client at all. Windows NT 4.0
+must be upgraded to at least Service Pack 3 to act as a Dfs client,
+and the Dfs Client must be installed. Later service packs (such as
+Service Pack 6) include the Dfs Client. Windows 95 must also have the
+Dfs Client software installed to act as a Dfs client. Without the Dfs
+Client software, double-clicking a remote folder in a Dfs share will
+show an empty folder, and no error message will appear.</p>
+
+<a name="samba2-CHP-8-NOTE-140"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>To use the Dfs Client for Windows 95 or Windows NT, you must first
+download and install it. See the web page <a href="http://microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp">http://microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp</a>
+for a link to download the installation program and instructions on
+how to install the Dfs Client.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-7.2"/>
+
+<h3 class="head2">Configuring Samba for Dfs</h3>
+
+<p><a name="INDEX-170"/>To act as a Dfs server, Samba 2.2 must
+be compiled with the <tt class="literal">--with-msdfs</tt> configure
+option. (See <a href="ch02.html">Chapter 2</a> for instructions on
+configuring and compiling Samba.) Samba 3.0 includes Dfs support by
+default and does not need to be compiled with the
+<tt class="literal">--with-msdfs</tt> configure option.</p>
+
+<p>Once a Dfs-enabled Samba server is running, there are just two steps
+to serving a Dfs share. First we will set up a Dfs root directory on
+the server, and then we will modify the <em class="filename">smb.conf</em>
+configuration file to enable the share.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-7.2.1"/>
+
+<h3 class="head3">Setting up the Dfs root</h3>
+
+<p>First we need to create a directory to act as the Dfs root:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/dfs</b></tt></pre></blockquote>
+
+<p>This can be any directory, but it is important that it be owned by
+root and given the proper permissions:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chown root:root /usr/local/samba/dfs</b></tt>
+# <tt class="userinput"><b>chmod 755 /usr/local/samba/dfs</b></tt></pre></blockquote>
+
+<p>The Dfs directory tree can have subdirectories and files, just like
+any other shared directory. These will function just as they would in
+any other share, allowing clients to access the directories and files
+on the Samba server. The whole idea of Dfs, though, is to gather
+together shares on other servers by making references to them in the
+Dfs tree. The way this is implemented with Samba involves a clever
+use of symbolic links, which can be in the Dfs root directory or any
+subdirectory in the Dfs tree.</p>
+
+<p>You are probably familiar with using symbolic links to create
+references to files that exist on the same system, and perhaps
+crossing a local filesystem boundary (which ordinary Unix links
+cannot do). But maybe you didn't know that symbolic
+links have a more general functionality. Although we
+can't display its contents directly, as we could
+with a text or binary file, a symbolic link
+&quot;contains&quot; an ASCII text string
+naming what the link points to. For example, take a look at the
+listing for these symbolic links:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l wrdlnk alnk</b></tt>
+lrwxrwxrwx    1 jay      jay            15 Mar 14 06:50 wrdlnk -&gt; /usr/dict/words
+lrwxrwxrwx    1 jay      jay             9 Mar 14 06:53 alnk -&gt; dreamtime</pre></blockquote>
+
+<p>As you can infer from the size of the <em class="filename">wrdlnk</em>
+link (15 bytes), the string <tt class="literal">/usr/dict/words</tt> is
+encoded into it. The size of <em class="filename">alnk</em> (9 bytes) is
+smaller, corresponding to the shorter name of
+<em class="filename">dreamtime</em>.</p>
+
+<p>Now let's create a link in our Dfs root for an SMB
+share:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cd /usr/local/samba/dfs</b></tt>
+# <tt class="userinput"><b>ln -s 'msdfs:maya\e' maya-e</b></tt>
+# <tt class="userinput"><b>ls -l maya-e</b></tt>
+lrwxrwxrwx    1 root     root           12 Mar 13 17:34 maya-e -&gt; msdfs:maya\e</pre></blockquote>
+
+<p>This link might appear as a
+&quot;broken&quot; link in a directory
+listing because it points to something that isn't a
+file on the local system. For example, the <em class="emphasis">file</em>
+command will report:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>file maya-e</b></tt>
+maya-e: broken symbolic link to msdfs:maya\e</pre></blockquote>
+
+<p>However, <em class="filename">maya-e</em> is a valid reference to the
+<em class="filename">\\maya\e</em> share when used with
+Samba's Dfs support. When Samba encounters this
+file, it sees the leading <tt class="literal">msdfs</tt>: and interprets
+the rest as the name of a remote share. The client is then redirected
+to the remote share.</p>
+
+<p>When creating links in the Dfs root directory, simply follow the same
+format, which in general is
+<tt class="literal">msdfs</tt>:<em class="replaceable">server</em>\<em class="replaceable">share</em>.
+Note that this is similar to a UNC appended onto the
+<tt class="literal">msdfs</tt>: string, except that in this case, the two
+backslashes preceding the server's name are omitted.</p>
+
+<a name="samba2-CHP-8-NOTE-141"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The names for the symbolic links in Dfs shares must be in all
+lowercase.</p>
+</blockquote>
+
+<p>In addition to regular network shares, you can use symbolic links of
+this type to reference Dfs shares on other Dfs servers. However,
+referencing printer shares does not work. Dfs is for sharing files
+only. <a name="INDEX-171"/></p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-7.2.2"/>
+
+<h3 class="head3">Load balancing</h3>
+
+<p><a name="INDEX-172"/>To
+set up a load-balancing Dfs share, create the symbolic link like
+this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ln -s 'msdfs:toltec\data,msdfs:mixtec\data' lb-data</b></tt></pre></blockquote>
+
+<p>That is, simply use a list of shares separated by commas as the
+reference. Remember, it is up to you to make sure the shared folders
+remain identical. Set up permissions on the servers to make the
+shares read-only to users.</p>
+
+<p>The last thing we need to do is to modify the
+<em class="filename">smb.conf</em> file to define the Dfs root share and
+add Dfs support. The Dfs root is added as a share definition:</p>
+
+<a name="INDEX-173"/><blockquote><pre class="code">[dfs]
+    path = /usr/local/samba/dfs
+    msdfs root = yes</pre></blockquote>
+
+<p>You can use any name you like for the share. The path is set to the
+Dfs root directory we just set up, and the parameter
+<tt class="literal">msdfs</tt> <tt class="literal">root</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> tells Samba that this share is a Dfs root.</p>
+
+<p>To enable support for Dfs in the server, we need to add one line to
+the <tt class="literal">[global]</tt> section:</p>
+
+<a name="INDEX-174"/><blockquote><pre class="code">[global]
+    host msdfs = yes</pre></blockquote>
+
+<p>Restart the Samba daemons&mdash;or just wait a minute for them to
+reread the configuration file&mdash;and you will see the new share
+from Windows clients. If you have trouble accessing any of the remote
+shares in the Dfs share, recheck your symbolic links to make sure
+they were created correctly. <a name="INDEX-175"/></p>
+
+<a name="samba2-CHP-8-NOTE-142"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you previously had a share by the same name as your Dfs share, you
+might need to reboot Windows clients before they can access the share
+as a Dfs share.</p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-8"/>
+
+<h2 class="head1">Working with NIS</h2>
+
+<p>In networks where NIS and NFS are in use, it is common for
+users' home directories to be mounted over the
+network by NFS. If a Samba server being used to authenticate user
+logons is running on a system with NFS-mounted home directories
+shared with a <tt class="literal">[homes]</tt> share, the additional
+overhead can result in poor performance&mdash;about 30% of normal
+Samba speed.</p>
+
+<p>Samba has the ability to work with <a name="INDEX-176"/>NIS and NIS+ to find the
+server on which the home directories actually reside so that they can
+be shared directly from that server. For this to work, the server
+that holds the home directories must also have Samba running, with a
+<tt class="literal">[homes]</tt> share of its own.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-8.1"/>
+
+<h3 class="head2">NIS Configuration Options</h3>
+
+<p><a href="ch08.html#samba2-CHP-8-TABLE-8">Table 8-8</a> introduces the
+<a name="INDEX-177"/><a name="INDEX-178"/>NIS configuration options specifically
+for setting up users.</p>
+
+<a name="samba2-CHP-8-TABLE-8"/><h4 class="head4">Table 8-8. NIS options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">nis homedir</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, uses NIS instead of
+<em class="filename">/etc/passwd</em> to look up the path of a
+user's home directory.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">homedir map</tt></p>
+</td>
+<td>
+<p>string (NIS map name)</p>
+</td>
+<td>
+<p>Sets the NIS map to use to look up a user's home
+directory.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-8.1.1"/>
+
+<h3 class="head3">nis homedir, homedir map</h3>
+
+<p>The <tt class="literal">nis</tt><a name="INDEX-179"/> <tt class="literal">homedir</tt> and
+<tt class="literal">homedir</tt><a name="INDEX-180"/> <tt class="literal">map</tt> options
+are for Samba servers on network sites where Unix home directories
+are provided using NFS, the automounter, and NIS.</p>
+
+<p>The <tt class="literal">nis</tt> <tt class="literal">homedir</tt> option
+indicates that the home-directory server for the user needs to be
+looked up in NIS. The <tt class="literal">homedir</tt>
+<tt class="literal">map</tt> option tells Samba in which NIS map to look
+for the server that has the user's home directory.
+The server needs to be a Samba server so that the client can do an
+SMB connect to it, and the other Samba servers need to have NIS
+installed so that they can do the lookup.</p>
+
+<p>For example, if user <tt class="literal">joe</tt> asks for a share called
+<tt class="literal">[joe]</tt>, and the <tt class="literal">nis</tt>
+<tt class="literal">homedir</tt> option is set to <tt class="literal">yes</tt>,
+Samba will look in the file specified by <tt class="literal">homedir</tt>
+<tt class="literal">map</tt> for a home directory for
+<tt class="literal">joe</tt>. If it finds one, Samba will return the
+associated system name to the client. The client will then try to
+connect to that machine and get the share from there. Enabling NIS
+lookups looks like the following:</p>
+
+<blockquote><pre class="code">[globals]
+    nis homedir = yes
+    homedir map = amd.map</pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> The system checkbox will
+probably be grayed for your file. Don't worry about
+that&mdash;you should still be able to see when the box is checked
+and when it isn't.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch09.html b/docs/htmldocs/using_samba/ch09.html
new file mode 100644
index 0000000000..bc2a5bb007
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch09.html
@@ -0,0 +1,3448 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 9. Users and Security</h1>
+
+ 
+
+<p><a name="INDEX-1"/>In this chapter, we
+cover the basic concepts of managing security in Samba so that you
+can set up your Samba server with a security policy suited to your
+network.</p>
+
+<p>One of Samba's most complicated tasks lies in
+reconciling the security models of Unix and Windows systems. Samba
+must identify users by associating them with valid usernames and
+groups, authenticate them by checking their passwords, then control
+their access to resources by comparing their access rights to the
+permissions on files and directories. These are complex topics on
+their own, and it doesn't help that there are three
+different operating system types to deal with (Unix, Windows
+95/98/Me, and Windows NT/2000/XP) and that Samba supports multiple
+methods of handling user authentication.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-1"/>
+
+<h2 class="head1">Users and Groups</h2>
+
+<p><a name="INDEX-2"/>Let's start
+out as simply as possible and add support for a single user. The
+easiest way to set up a client user is to create a Unix account (and
+home directory) for that individual on the server and notify Samba of
+the user's existence. You can do the latter by
+creating a disk share that maps to the user's home
+directory in the Samba configuration file and restricting access to
+that user with the <tt class="literal">valid</tt><a name="INDEX-3"/>
+<tt class="literal">users</tt> option. For example:</p>
+
+<blockquote><pre class="code">[dave]
+        path = /home/dave
+        comment = Dave's home directory
+        writable = yes
+        valid users = dave</pre></blockquote>
+
+<p>The <tt class="literal">valid</tt> <tt class="literal">users</tt> option lists
+the users allowed to access the share. In this case, only the user
+<tt class="literal">dave</tt> is allowed to access the share. In some
+situations it is possible to specify that any user can access a disk
+share by using the <tt class="literal">guest</tt> <tt class="literal">ok</tt>
+parameter. Because we don't wish to allow guest
+access, that option is absent here. If you allow both authenticated
+users and guest users access to the same share, you can make some
+files accessible to guest users by assigning world-readable
+permissions to those files while restricting access to other files to
+particular users or groups.</p>
+
+<p>When client users access a Samba share, they have to pass two levels
+of restriction. Unix permissions on files and directories apply as
+usual, and configuration parameters specified in the Samba
+configuration file apply as well. In other words, a client must first
+pass Samba's security mechanisms (e.g.,
+authenticating with a valid username and password, passing the check
+for the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter
+and the <tt class="literal">read</tt> <tt class="literal">only</tt> parameter,
+etc.), as well as the normal Unix file and directory permissions of
+its Unix-side user, before it can gain read/write access to a share.</p>
+
+<p>Remember that you can abbreviate the user's home
+directory by using the <tt class="literal">%H</tt><a name="INDEX-4"/> variable. In addition, you can use the
+Unix username variable <tt class="literal">%u</tt><a name="INDEX-5"/> and/or the client username variable
+<tt class="literal">%U</tt><a name="INDEX-6"/> in your options as well. For
+example :</p>
+
+<blockquote><pre class="code">[dave]
+    comment = %U home directory
+    writable = yes
+    valid users = dave
+    path = %H</pre></blockquote>
+
+<p>With a single user accessing a home directory, access permissions are
+taken care of when the user account is created. The home directory is
+owned by the user, and permissions on it are set appropriately.
+However, if you're creating a shared directory for
+group access, you need to perform a few more steps.
+Let's take a stab at a
+<a name="INDEX-7"/>group share for the
+accounting department in the <em class="emphasis">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[accounting]
+    comment = Accounting Department Directory
+    writable = yes
+    valid users = @account
+    path = /home/samba/accounting
+    create mode = 0660
+    directory mode = 0770</pre></blockquote>
+
+<p>The first thing we did differently is to specify
+<tt class="literal">@account</tt> as the valid user instead of one or more
+individual usernames. This is shorthand for saying that the valid
+users are represented by the Unix group <tt class="literal">account</tt>.
+These users will need to be added to the group entry
+<tt class="literal">account</tt> in the
+<a name="INDEX-8"/><a name="INDEX-9"/>system group file (
+<em class="filename">/etc/group</em><a name="INDEX-10"/>
+or equivalent) to be recognized as part of the group. Once they are,
+Samba will recognize those users as valid users for the share.</p>
+
+<p>In addition, you need to create a shared directory that the members
+of the group can access and point to it with the
+<tt class="literal">path</tt> configuration option. Here are the Unix
+commands that create the shared directory for the accounting
+department (assuming <em class="emphasis">/home/samba</em> already
+exists):</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/samba/accounting</b></tt>
+# <tt class="userinput"><b>chgrp account /home/samba/accounting</b></tt>
+# <tt class="userinput"><b>chmod 770 /home/samba/accounting</b></tt></pre></blockquote>
+
+<p>There are two other options in this <em class="filename">smb.conf</em>
+example, both of which we saw in the previous chapter. These options
+are <tt class="literal">create</tt><a name="INDEX-11"/> <tt class="literal">mode</tt> and
+<tt class="literal">directory</tt><a name="INDEX-12"/> <tt class="literal">mode</tt>. These
+options set the maximum file and directory permissions that a new
+file or directory can have. In this case, we have denied all world
+access to the contents of this share. (This is reinforced by the
+<em class="emphasis">chmod</em> command, shown earlier.)<a name="INDEX-13"/></p>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-1.1"/>
+
+<h3 class="head2">Handling Multiple Individual Users</h3>
+
+<p><a name="INDEX-14"/>Let's return
+to user shares for a moment. If we have several users for whom to set
+up home directory shares, we probably want to use the special
+<tt class="literal">[homes]</tt> share that we introduced in <a href="ch08.html">Chapter 8</a>. With the
+<tt class="literal">[homes]</tt><a name="INDEX-15"/> share, all we need to say is:</p>
+
+<blockquote><pre class="code">[homes]
+    browsable = no
+    writable = yes</pre></blockquote>
+
+<p>The <tt class="literal">[homes]</tt> share is a special section of the
+Samba configuration file. If a user attempts to connect to an
+ordinary share that doesn't appear in the
+<em class="filename">smb.conf</em> file (such as specifying it with a UNC
+in Windows Explorer), Samba will search for a
+<tt class="literal">[homes]</tt> share. If one exists, the incoming share
+name is assumed to be a username and is queried as such in the
+password database ( <em class="filename">/etc/passwd</em> or equivalent)
+file of the Samba server. If it appears, Samba assumes the client is
+a Unix user trying to connect to his home directory.</p>
+
+<p>As an illustration, let's assume that
+<tt class="literal">sofia</tt> is attempting to connect to a share called
+<tt class="literal">[sofia]</tt> on the Samba server. There is no share by
+that name in the configuration file, but a <tt class="literal">[homes]</tt>
+share exists and user <tt class="literal">sofia</tt> is present in the
+password database, so Samba takes the following steps:</p>
+
+<ol><li>
+<p>Samba creates a new disk share called <tt class="literal">[sofia]</tt> with
+the <tt class="literal">path</tt> specified in the
+<tt class="literal">[homes]</tt> section. If no <tt class="literal">path</tt>
+option is specified in <tt class="literal">[homes]</tt>, Samba initializes
+it to her home directory.</p>
+</li><li>
+<p>Samba initializes the new share's options from the
+defaults in <tt class="literal">[globals]</tt>, as well as any overriding
+options in <tt class="literal">[homes]</tt> with the exception of
+<tt class="literal">browsable</tt>.</p>
+</li><li>
+<p>Samba connects <tt class="literal">sofia</tt>'s client to
+that share.</p>
+</li></ol>
+<p>The <tt class="literal">[homes]</tt> share is a fast, painless way to
+create shares for your user community without having to duplicate the
+information from the password database file in the
+<em class="filename">smb.conf</em> file. It does have some
+<a name="INDEX-16"/>peculiarities, however, that we need to
+point out:</p>
+
+<ul><li>
+<p>The <tt class="literal">[homes]</tt> section can represent any account on
+the machine, which isn't always desirable. For
+example, it can potentially create a share for
+<tt class="literal">root</tt>, <tt class="literal">bin</tt>,
+<tt class="literal">sys</tt>, <tt class="literal">uucp</tt>, and the like. You
+can set a global
+<tt class="literal">invalid</tt><a name="INDEX-17"/> <tt class="literal">users</tt> option
+to protect against this.</p>
+</li><li>
+<p>The meaning of the
+<tt class="literal">browsable</tt><a name="INDEX-18"/> configuration option is
+different from other shares; it indicates only that a
+<tt class="literal">[homes]</tt> section won't show up in
+the local browse list, not that the <tt class="literal">[alice]</tt> share
+won't. When the <tt class="literal">[alice]</tt> section
+is created (after the initial connection), it will use the
+<tt class="literal">browsable</tt> value from the
+<tt class="literal">[globals]</tt> section for that share, not the value
+from <tt class="literal">[homes]</tt>.</p>
+</li></ul>
+<p>As we mentioned, there is no need for a path statement in
+<tt class="literal">[homes]</tt> if the users have Unix home directories in
+the server's <em class="filename">/etc/passwd</em> file.
+You should ensure that a valid home directory does exist, however, as
+Samba will not automatically create a home directory for a user and
+will refuse a tree connect if the user's directory
+does not exist or is not accessible. <a name="INDEX-19"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-2"/>
+
+<h2 class="head1">Controlling Access to Shares</h2>
+
+<p><a name="INDEX-20"/><a name="INDEX-21"/>Often you will need to restrict the users who
+can access a specific share for security reasons. This is very easy
+to do with Samba because it contains a wealth of options for creating
+practically any security configuration. Let's
+introduce a few configurations that you might want to use in your own
+Samba setup.</p>
+
+<p>We've seen what happens when you specify valid
+users. However, you are also allowed to specify a list of
+<a name="INDEX-22"/>invalid users&mdash;users who should never be
+allowed access to Samba or its shares. This is done with the
+<tt class="literal">invalid</tt><a name="INDEX-23"/> <tt class="literal">users</tt>
+option. We hinted at one frequent use of this option earlier: a
+global default with the <tt class="literal">[homes]</tt> section to ensure
+that various system users and superusers cannot be forged for access.
+For example:</p>
+
+<blockquote><pre class="code">[global]
+    invalid users = root bin daemon adm sync shutdown \
+                        halt mail news uucp operator
+    auto services = dave peter bob
+
+[homes]
+    browsable = no
+    writable = yes</pre></blockquote>
+
+<p>The <tt class="literal">invalid</tt> <tt class="literal">users</tt> option, like
+<tt class="literal">valid</tt> <tt class="literal">users</tt>, can take group
+names, preceded by an at sign (<tt class="literal">@</tt>), as well as
+usernames. In the event that a user or group appears in both lists,
+the <tt class="literal">invalid</tt> <tt class="literal">users</tt> option takes
+precedence, and the user or group is denied access to the share.</p>
+
+<p>At the other end of the spectrum, you can explicitly specify users
+who will be allowed <a name="INDEX-24"/><a name="INDEX-25"/>superuser (root) access to a share with
+the <tt class="literal">admin</tt><a name="INDEX-26"/> <tt class="literal">users</tt>
+option. An example follows:</p>
+
+<blockquote><pre class="code">[sales]
+        path = /home/sales
+        comment = Sedona Real Estate Sales Data
+        writable = yes
+        valid users = sofie shelby adilia
+        admin users = mike</pre></blockquote>
+
+<p>This option takes both group names and usernames. In addition, you
+can specify NIS netgroups by preceding them with an
+<tt class="literal">@</tt> as well; if the netgroup is not found, Samba
+will assume that you are referring to a standard Unix group.</p>
+
+<p>Be careful if you assign administrative privileges to a share for an
+entire group. The Samba Team highly recommends you avoid using this
+option, as it essentially gives root access to the specified users or
+groups for that share.</p>
+
+<p>If you wish to force read-only or read/write access on users who
+access a share, you can do so with the
+<tt class="literal">read</tt><a name="INDEX-27"/> <tt class="literal">list</tt> and
+<tt class="literal">write</tt> <tt class="literal">list</tt> options,
+respectively. These options can be used on a per-share basis to
+restrict a writable share or to grant write access to specific users
+in a read-only share, respectively. For example:</p>
+
+<blockquote><pre class="code">[sales]
+        path = /home/sales
+        comment = Sedona Real Estate Sales Data
+        read only = yes
+        write list = sofie shelby</pre></blockquote>
+
+<p>The <tt class="literal">write</tt><a name="INDEX-28"/> <tt class="literal">list</tt> option
+cannot override Unix permissions. If you've created
+the share without giving the <tt class="literal">write-list</tt> user write
+permission on the Unix system, she will be denied write access
+regardless of the setting of <tt class="literal">write</tt>
+<tt class="literal">list</tt>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-2.1"/>
+
+<h3 class="head2">Guest Access</h3>
+
+<p><a name="INDEX-29"/>As mentioned
+earlier, you can configure a share using
+<tt class="literal">guest</tt><a name="INDEX-30"/> <tt class="literal">ok</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> to allow access to guest
+users. This works only when using share-level security, which we will
+cover later in this chapter. When a user connects as a guest,
+authenticating with a username and password is unnecessary, but Samba
+still needs a way to map the connected client to a user on the local
+system. The <tt class="literal">guest</tt><a name="INDEX-31"/>
+<tt class="literal">account</tt> parameter can be used in the share to
+specify the Unix account that guest users should be assigned when
+connecting to the Samba server. The default value for this is set
+during compilation and is typically <tt class="literal">nobody</tt>, which
+works well with most Unix versions. However, on some systems the
+<tt class="literal">nobody</tt><a name="INDEX-32"/> account is not allowed to access some
+services (e.g., printing), and you might need to set the guest user
+to <tt class="literal">ftp</tt> or some other account instead.</p>
+
+<p>If you wish to restrict access in a share only to guests&mdash;in
+other words, all clients connect as the guest account when accessing
+the share&mdash;you can use the <tt class="literal">guest</tt>
+<tt class="literal">only</tt> option in conjunction with the
+<tt class="literal">guest</tt> <tt class="literal">ok</tt> option, as shown in
+the following example:</p>
+
+<blockquote><pre class="code">[sales]
+        path = /home/sales
+        comment = Sedona Real Estate Sales Data
+        writable = yes
+        guest ok = yes
+        guest account = ftp
+        guest only = yes</pre></blockquote>
+
+<p>Make sure you specify <tt class="literal">yes</tt> for both
+<tt class="literal">guest</tt> <tt class="literal">only</tt> and
+<tt class="literal">guest</tt> <tt class="literal">ok</tt>; otherwise, Samba will
+not use the guest account that you specify.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-2.2"/>
+
+<h3 class="head2">Access Control Options</h3>
+
+<p><a href="ch09.html#samba2-CHP-9-TABLE-1">Table 9-1</a> <a name="INDEX-33"/><a name="INDEX-34"/>summarizes the options that you can use
+to control access to shares.</p>
+
+<a name="samba2-CHP-9-TABLE-1"/><h4 class="head4">Table 9-1. Share-level access options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">admin users</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who can perform operations as root</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">valid users</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who can connect to a share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">invalid users</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who will be denied access to a share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">read list</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who have read-only access to a writable share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">write list</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who have read/write access to a read-only share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max connections</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum number of connections for a share at a given time</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">guest only</tt> <tt class="literal">(only guest)</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows only guest access</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">guest account</tt></p>
+</td>
+<td>
+<p>string (name of account)</p>
+</td>
+<td>
+<p>Unix account that will be used for guest access</p>
+</td>
+<td>
+<p><tt class="literal">nobody</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.1"/>
+
+<a name="INDEX-35"/><h3 class="head3">admin users</h3>
+
+<p>This option specifies a list of users that perform file operations as
+if they were <tt class="literal">root</tt>. This means that they can modify
+or destroy any other user's files, regardless of the
+permissions. Any files that they create will have root ownership and
+will use the default group of the admin user. The
+<tt class="literal">admin</tt> <tt class="literal">users</tt> option allows PC
+users to act as administrators for particular shares. Be very careful
+when using this option, and make sure good password and other
+security policies are in place.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.2"/>
+
+<a name="INDEX-36"/><a name="INDEX-37"/><h3 class="head3">valid users, invalid users</h3>
+
+<p>These two options let you enumerate the users and groups who are
+granted or denied access to a particular share. You can enter a list
+of user and/or group names. If a name is prefixed by an at sign
+(<tt class="literal">@</tt>), it is interpreted as a group name&mdash;with
+NIS groups searched before Unix groups. If the name is prefixed by a
+plus sign (<tt class="literal">+</tt>), it is interpreted as the name of a
+Unix group, and NIS is not searched. If the name is prefixed by an
+ampersand (<tt class="literal">&amp;</tt>), it is interpreted as an NIS
+group name rather than as a Unix group name. The plus sign and
+ampersand can be used together to specify whether NIS or Unix groups
+are searched first. For example:</p>
+
+<blockquote><pre class="code">[database]
+    valid users = mary ellen sue &amp;sales +marketing @dbadmin
+    invalid users = gavin syd dana &amp;techies +&amp;helpdesk</pre></blockquote>
+
+<p>In the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter,
+users <tt class="literal">mary</tt>, <tt class="literal">ellen</tt>, and
+<tt class="literal">sue</tt> are allowed access to the
+<tt class="literal">[database]</tt> share, as are the members of the Unix
+group <tt class="literal">marketing</tt> and NIS/Unix group
+<tt class="literal">dbadmin</tt>. The <tt class="literal">invalid</tt>
+<tt class="literal">users</tt> parameter denies access to the share by
+users <tt class="literal">gavin</tt>, <tt class="literal">syd</tt>, and
+<tt class="literal">dana</tt>, as well as members of the NIS group
+<tt class="literal">techies</tt> and Unix/NIS group
+<tt class="literal">helpdesk</tt>. In this last case, the list of Unix
+groups is searched first for the <tt class="literal">helpdesk</tt> group,
+and if it is not found there, the list of NIS groups is searched.</p>
+
+<p>The important rule to remember with these options is that any name or
+group in the <tt class="literal">invalid</tt> <tt class="literal">users</tt> list
+will <em class="emphasis">always</em> be denied access, even if it is
+included (in any form) in the <tt class="literal">valid</tt>
+<tt class="literal">users</tt> list.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.3"/>
+
+<a name="INDEX-38"/><a name="INDEX-39"/><h3 class="head3">read list, write list</h3>
+
+<p>Like the <tt class="literal">valid</tt> <tt class="literal">users</tt>
+<tt class="literal">and</tt> <tt class="literal">invalid</tt>
+<tt class="literal">users</tt> options, this pair of options specifies
+which users have read-only access to a writable share and read/write
+access to a read-only share, respectively. The value of either
+options is a list of users. The <tt class="literal">read</tt>
+<tt class="literal">list</tt> parameter overrides any other Samba
+permissions granted&mdash;as well as Unix file permissions on the
+server system&mdash;to deny users write access.
+<tt class="literal">The</tt> <tt class="literal">write</tt>
+<tt class="literal">list</tt> parameter overrides other Samba permissions
+to grant write access, but cannot grant write access if the user
+lacks write permissions for the file on the Unix system. You can
+specify NIS or Unix group names by prefixing the name with an at sign
+(such as <tt class="literal">@users</tt>). Neither configuration option has
+a default value associated with it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.4"/>
+
+<a name="INDEX-40"/><h3 class="head3">max connections</h3>
+
+<p>This option specifies the maximum number of client connections that a
+share can have at any given time. Any connections that are attempted
+after the maximum is reached will be rejected. The default value is
+<tt class="literal">0</tt>, which is a special case that allows an
+unlimited number of connections. You can override it per share as
+follows:</p>
+
+<blockquote><pre class="code">[accounting]
+    max connections = 30</pre></blockquote>
+
+<p>This option is useful in the event that you need to limit the number
+of users who are accessing a licensed program or piece of data
+concurrently.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.5"/>
+
+<a name="INDEX-41"/><h3 class="head3">guest only</h3>
+
+<p>This share-level option (also called <tt class="literal">only</tt>
+<tt class="literal">guest</tt>) forces a connection to a share to be
+performed with the user specified by the <tt class="literal">guest</tt>
+<tt class="literal">account</tt> option. The share to which this is applied
+must explicitly specify <tt class="literal">guest</tt>
+<tt class="literal">ok</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> for
+this option to be recognized by Samba. The default value for this
+option is <tt class="literal">no</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.6"/>
+
+<a name="INDEX-42"/><h3 class="head3">guest account</h3>
+
+<p>This option specifies the name of the account to be used for guest
+access to shares in Samba. The default for this option varies from
+system to system, but it is often set to <tt class="literal">nobody</tt>.
+Some default user accounts have trouble connecting as guest users. If
+that occurs on your system, the Samba Team recommends using the
+<tt class="literal">ftp</tt> account as the guest user. <a name="INDEX-43"/> <a name="INDEX-44"/><a name="INDEX-45"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-2.3"/>
+
+<h3 class="head2">Username Options</h3>
+
+<p><a href="ch09.html#samba2-CHP-9-TABLE-2">Table 9-2</a> shows two additional options that Samba
+can use to correct for incompatibilities in usernames between Windows
+and Unix.</p>
+
+<a name="samba2-CHP-9-TABLE-2"/><h4 class="head4">Table 9-2. Username options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">username</tt> <tt class="literal">map</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Sets the name of the username mapping file</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">username</tt> <tt class="literal">level</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Indicates the number of capital letters to use when trying to match a
+username</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.1"/>
+
+<a name="INDEX-46"/><h3 class="head3">username map</h3>
+
+<p>Client usernames on an SMB network can be relatively long (up to 255
+characters), while usernames on a Unix network often cannot be longer
+than eight characters. This means that an individual user can have
+one username on a client and another (shorter) one on the Samba
+server. You can get past this issue by<em class="firstterm">
+</em><a name="INDEX-47"/>mapping a free-form client
+username to a Unix username of eight or fewer characters. It is
+placed in a standard text file, using a format that
+we'll describe shortly. You can then specify the
+pathname to Samba with the global <tt class="literal">username</tt>
+<tt class="literal">map</tt> option. Be sure to restrict access to this
+file; make the root user the file's owner and deny
+write access to others (with octal permissions of 744 or 644).
+Otherwise, an untrusted user with access to the file can easily map
+his client username to the root user of the Samba server.</p>
+
+<p>You can specify this option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    username map = /usr/local/samba/private/usermap.txt</pre></blockquote>
+
+<p>Each entry in the username map file should be listed as follows: the
+Unix username, followed by an equal sign (<tt class="literal">=</tt>),
+followed by one or more whitespace-separated SMB client usernames.
+Note that unless instructed otherwise (i.e., a guest connection),
+Samba will expect both the client and the server user to have the
+same password. You can also map NT groups to one or more specific
+Unix groups using the <tt class="literal">@</tt> sign. Here are some
+examples:</p>
+
+<blockquote><pre class="code">jarwin = JosephArwin
+manderso = MarkAnderson
+users = @account</pre></blockquote>
+
+<p>You can also use the asterisk to specify a wildcard that matches any
+free-form client username as an entry in the username map file:</p>
+
+<blockquote><pre class="code">nobody = *</pre></blockquote>
+
+<p>Comments can be placed in the file by starting the line with a hash
+mark (<tt class="literal">#</tt>) or a semicolon (<tt class="literal">;</tt>).</p>
+
+<p>Note that you can also use this file to redirect one Unix user to
+another user. Be careful, though, as Samba and your client might not
+notify the user that the mapping has been made and Samba might be
+expecting a different password.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.2"/>
+
+<a name="INDEX-48"/><h3 class="head3">username level</h3>
+
+<p>SMB clients (such as Windows) will often send usernames in SMB
+connection requests entirely in capital letters; in other words,
+client usernames are not necessarily case-sensitive. On a Unix
+server, however, usernames <em class="emphasis">are</em> case-sensitive:
+the user <tt class="literal">ANDY</tt> is different from the user
+<tt class="literal">andy</tt>. By default, Samba attacks this problem by
+doing the following:</p>
+
+<ol><li>
+<p>Checking for a user account with the exact name sent by the client</p>
+</li><li>
+<p>Testing the username in all lowercase letters</p>
+</li><li>
+<p>Testing the username in lowercase letters with only the first letter
+capitalized</p>
+</li></ol>
+<p>If you wish to have Samba attempt more combinations of upper- and
+lowercase letters, you can use the <tt class="literal">username</tt>
+<tt class="literal">level</tt> global configuration option. This option
+takes an integer value that specifies how many letters in the
+username should be capitalized when attempting to connect to a share.
+You can specify this option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    username level = 3</pre></blockquote>
+
+<p>In this case, Samba attempts all possible permutations of usernames
+having three capital letters. The larger the number, the more
+computations Samba has to perform to match the username, and the
+longer the authentication will take.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-3"/>
+
+<h2 class="head1">Authentication of Clients</h2>
+
+<p><a name="INDEX-49"/>At
+this point, we should discuss how Samba authenticates users. Each
+user who attempts to connect to a share not allowing guest access
+must provide a password to
+<a name="INDEX-50"/>make a successful connection. What
+Samba does with that password&mdash;and consequently the strategy
+Samba will use to handle user authentication&mdash;is the arena of
+the <tt class="literal">security</tt> configuration option. Samba currently
+supports <a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>four
+<a name="INDEX-54"/>security levels on its network:
+<em class="firstterm">share</em>, <em class="firstterm">user</em>,
+<em class="firstterm">server</em>, and <em class="firstterm">domain</em>.</p>
+
+<dl>
+<dt><b><a name="INDEX-55"/>Share-level security</b></dt>
+<dd>
+<p>Each share in the workgroup has one or more passwords associated with
+it. Anyone who knows a valid password for the share can access it.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-56"/>User-level security</b></dt>
+<dd>
+<p>Each share in the workgroup is configured to allow access from
+certain users. With each initial tree connection, the Samba server
+verifies users and their passwords to allow them access to the share.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-57"/>Server-level security</b></dt>
+<dd>
+<p>This is the same as user-level security, except that the Samba server
+uses another server to validate users and their passwords before
+granting access to the share.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-58"/>Domain-level security</b></dt>
+<dd>
+<p>Samba becomes a member of a Windows NT domain and uses one of the
+domain's domain controllers&mdash;either the PDC or
+a BDC&mdash;to perform authentication. Once authenticated, the user
+is given a special token that allows her access to any share with
+appropriate access rights. With this token, the domain controller
+will not have to revalidate the user's password each
+time she attempts to access another share within the domain. The
+domain controller can be a Windows NT/2000 PDC or BDC, or Samba
+acting as a Windows NT PDC.</p>
+</dd>
+
+</dl>
+
+<p>Each security policy can be implemented with the global
+<tt class="literal">security</tt> option, as shown in <a href="ch09.html#samba2-CHP-9-TABLE-3">Table 9-3</a>.</p>
+
+<a name="samba2-CHP-9-TABLE-3"/><h4 class="head4">Table 9-3. Security option</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">security</tt><a name="INDEX-59"/></p>
+</td>
+<td>
+<p><tt class="literal">domain</tt>, <tt class="literal">server</tt>,
+<tt class="literal">share</tt>, or <tt class="literal">user</tt></p>
+</td>
+<td>
+<p>Indicates the type of security that the Samba server will use</p>
+</td>
+<td>
+<p><tt class="literal">user</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.1"/>
+
+<h3 class="head2">Share-Level Security</h3>
+
+<p>With share-level security, each share has one or more passwords
+associated with it, with the client being authenticated when first
+connecting to the share. This differs from the other modes of
+security in that there are no restrictions as to whom can access a
+share, as long as that individual knows the correct password. Shares
+often have multiple passwords. For example, one password might grant
+read-only access, while another might grant read/write access.
+Security is maintained as long as unauthorized users do not discover
+the password for a share to which they shouldn't
+have access.</p>
+
+<p>OS/2 and Windows 95/98/Me both support share-level security on their
+resources. You can set up share-level security with Windows 95/98/Me
+by first enabling share-level security using the Access Control tab
+of the Network Control Panel dialog. Then select the
+&quot;Share-level access control&quot; radio
+button (which deselects the &quot;User-level access
+control&quot; radio button), as shown in <a href="ch09.html#samba2-CHP-9-FIG-1">Figure 9-1</a>, and click the OK button. Reboot as requested.</p>
+
+<div class="figure"><a name="samba2-CHP-9-FIG-1"/><img src="figs/sam2_0901.gif"/></div><h4 class="head4">Figure 9-1. Selecting share-level security on a Windows 95/98/Me system</h4>
+
+<p>Next, right-click a resource&mdash;such as a hard drive or a
+CD-ROM&mdash;and select the Properties menu item. This will bring up
+the Resource Properties dialog box. Select the Sharing tab at the top
+of the dialog box, and enable the resource as Shared As. From here,
+you can configure how the shared resource will appear to individual
+users, as well as assign whether the resource will appear as
+read-only, read/write, or a mix, depending on the password that is
+supplied.</p>
+
+<p>You might be thinking that this security model is not a good fit for
+Samba&mdash;and you would be right. In fact, if you set the
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">share</tt> option in the Samba configuration file,
+Samba will still reuse the username/password combinations in the
+system password files to authenticate access. More precisely, Samba
+will take the following steps when a client requests a connection
+using share-level security:</p>
+
+<ol><li>
+<p>When a connection is requested, Samba will accept the password and
+(if sent) the username of the client.</p>
+</li><li>
+<p>If the share is <tt class="literal">guest</tt> <tt class="literal">only</tt> ,
+the user is immediately granted access to the share with the rights
+of the user specified by the <tt class="literal">guest</tt>
+<tt class="literal">account</tt> parameter; no password checking is
+performed.</p>
+</li><li>
+<p>For other shares, Samba appends the username to a list of users who
+are allowed access to the share. It then attempts to validate the
+password given in association with that username. If successful,
+Samba grants the user access to the share with the rights assigned to
+that user. The user will not need to authenticate again unless a
+<tt class="literal">revalidate</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> option has been set inside the share.</p>
+</li><li>
+<p>If the authentication is unsuccessful, Samba attempts to validate the
+password against the list of users previously compiled during
+attempted connections, as well as those specified under the share in
+the configuration file. If the password matches that of any username
+(as specified in the system password file, typically
+<em class="filename">/etc/passwd </em>), the user is granted access to the
+share under that username.</p>
+</li><li>
+<p>However, if the share has a <tt class="literal">guest</tt>
+<tt class="literal">ok</tt> or <tt class="literal">public</tt> option set, the
+user will default to access with the rights of the user specified by
+the <tt class="literal">guest</tt> <tt class="literal">account</tt> option.</p>
+</li></ol>
+<p>You can indicate in the configuration file which users should be
+initially placed on the share-level security user list by using the
+<tt class="literal">username</tt> configuration option, as shown here:</p>
+
+<blockquote><pre class="code">[global]
+    security = share
+
+[accounting1]
+    path = /home/samba/accounting1
+    guest ok = no
+    writable = yes
+    username = davecb, pkelly, andyo</pre></blockquote>
+
+<p>Here, when a user attempts to connect to a share, Samba verifies the
+sent password against each user in its own list, in addition to the
+passwords of users <tt class="literal">davecb</tt>,
+<tt class="literal">pkelly</tt>, and <tt class="literal">andyo</tt>. If any of
+the passwords match, the connection is verified, and the user is
+allowed. Otherwise, connection to the specific share will fail.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.2"/>
+
+<h3 class="head2">Share-Level Security Options</h3>
+
+<p><a href="ch09.html#samba2-CHP-9-TABLE-4">Table 9-4</a> shows the options typically associated
+with <em class="firstterm">share-level
+security</em><a name="INDEX-60"/>.</p>
+
+<a name="samba2-CHP-9-TABLE-4"/><h4 class="head4">Table 9-4. Share-level access options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">only user</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, usernames specified by
+<tt class="literal">username</tt> are the only ones allowed</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">username</tt> (<tt class="literal">user</tt> or
+<tt class="literal">users</tt>)</p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users against which a client's password is tested</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.1"/>
+
+<a name="INDEX-61"/><h3 class="head3">only user</h3>
+
+<p>This Boolean option indicates whether Samba will allow connections to
+a share using share-level security based solely on the individuals
+specified in the <tt class="literal">username</tt> option, instead of those
+users compiled on Samba's internal list. The default
+value for this option is <tt class="literal">no</tt>. You can override it
+per share as follows:</p>
+
+<blockquote><pre class="code">[global]
+    security = share
+[data]
+    username = andy, peter, valerie
+    only user = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.2"/>
+
+<a name="INDEX-62"/><h3 class="head3">username</h3>
+
+<p>This option presents a list of usernames and/or group names against
+which Samba tests a connection password to allow access. It is
+typically used with clients that have share-level security to allow
+connections to a particular service based solely on a qualifying
+password&mdash;in this case, one that matches a password set up for a
+specific user:</p>
+
+<blockquote><pre class="code">[global]
+    security = share
+[data]
+    username = andy, peter, terry</pre></blockquote>
+
+<p>You can enter a list of usernames and/or group names. If a name is
+prefixed by an at sign (<tt class="literal">@</tt>), it is interpreted as a
+group name, with NIS groups searched before Unix groups. If the name
+is prefixed by a plus sign (<tt class="literal">+</tt>), it is interpreted
+as the name of a Unix group, and NIS is not searched. If the name is
+prefixed by an ampersand (<tt class="literal">&amp;</tt>), it is
+interpreted as an NIS group name rather than a Unix group name. The
+plus sign and ampersand can be used together to specify whether NIS
+or Unix groups are searched first. When Samba encounters a group name
+in this option, it attempts to authenticate each user in the group
+until if finds one that succeeds. Beware that this can be very
+inefficient.</p>
+
+<p>We recommend against using this option unless you are implementing a
+Samba server with share-level security.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.3"/>
+
+<h3 class="head2">User-Level Security</h3>
+
+<p>The default mode of security with Samba is <em class="firstterm">user-level
+security</em><a name="INDEX-63"/>. With this method, each share is
+assigned specific users that can access it. When a user requests a
+connection to a share, Samba authenticates by validating the given
+username and password with the authorized users in the configuration
+file and the passwords in the password database of the Samba server.
+As mentioned earlier in the chapter, one way to isolate which users
+are allowed access to a specific share is by using the
+<tt class="literal">valid</tt> <tt class="literal">users</tt> option for each
+share:</p>
+
+<blockquote><pre class="code">[global]
+    security = user
+
+[accounting1]
+    writable = yes
+    valid users = bob, joe, sandy</pre></blockquote>
+
+<p>Each user listed can connect to the share if the password provided
+matches the password stored in the system password database on the
+server. Once the initial authentication succeeds, the client will not
+need to supply a password again to access that share unless the
+<tt class="literal">revalidate</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> option has been set.</p>
+
+<p>Passwords can be sent to the Samba server in either an encrypted or a
+nonencrypted format. If you have both types of systems on your
+network, you should ensure that the passwords represented by each
+user are stored both in a traditional account database and
+Samba's encrypted password database. This way,
+authorized users can gain access to their shares from any type of
+client.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> However, we recommend that you
+move your system to encrypted passwords and abandon nonencrypted
+passwords if security is an issue. <a href="ch09.html#samba2-CHP-9-SECT-4">Section 9.4</a> of this chapter
+explains how to use encrypted as well as nonencrypted passwords.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.4"/>
+
+<h3 class="head2">Server-Level Security</h3>
+
+<p><em class="firstterm">Server-level
+security</em><a name="INDEX-64"/> is similar to user-level security.
+However, with server-level security, Samba delegates password
+authentication to another SMB password server&mdash;typically another
+Samba server or a Windows NT/2000 server acting as a PDC on the
+network. Note that Samba still maintains its list of shares and their
+configuration in its <em class="filename">smb.conf</em> file. When a
+client attempts to make a connection to a particular share, Samba
+validates that the user is indeed authorized to connect to the share.
+Samba then attempts to validate the password by passing the username
+and password to the SMB password server. If the password is accepted,
+a session is established with the client. See <a href="ch09.html#samba2-CHP-9-FIG-2">Figure 9-2</a> for an illustration of this setup.</p>
+
+<div class="figure"><a name="samba2-CHP-9-FIG-2"/><img src="figs/sam2_0902.gif"/></div><h4 class="head4">Figure 9-2. A typical system setup using server-level security</h4>
+
+<p>You can configure Samba to use a separate password server under
+server-level security with the use of the
+<tt class="literal">password</tt><a name="INDEX-65"/> <tt class="literal">server</tt>
+global configuration option, as follows:</p>
+
+<blockquote><pre class="code">[global]
+    security = server
+    password server = mixtec toltec</pre></blockquote>
+
+<p>Note that you can specify more than one machine as the target of the
+<tt class="literal">password</tt> <tt class="literal">server</tt>; Samba moves
+down the list of servers in the event that its first choice is
+unreachable. The servers identified by the
+<tt class="literal">password</tt> <tt class="literal">server</tt> option are
+given as NetBIOS names, not their DNS names or equivalent IP
+addresses. Also, if any of the servers reject the given password, the
+connection automatically fails&mdash;Samba will not attempt another
+server.</p>
+
+<p>One caveat: when using this option, you still need an account
+representing that user on the regular Samba server. This is because
+the Unix operating system needs a username to perform various I/O
+operations. The preferable method of handling this is to give the
+user an account on the Samba server but disable the
+account's password by replacing it in the system
+password file (e.g., <em class="filename">/etc/passwd </em>) with an
+asterisk (*).</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.5"/>
+
+<h3 class="head2">Domain-Level Security</h3>
+
+<p>With <em class="firstterm">domain-level
+security</em><a name="INDEX-66"/>, the Samba server acts as a member of
+a Windows domain. Recall from <a href="ch01.html">Chapter 1</a> that each
+domain has a primary domain controller, which can be a Windows
+NT/2000 or Samba server offering password authentication. The domain
+controller keeps track of users and passwords in its own database and
+authenticates each user when she first logs on and wishes to access
+another machine's shares.</p>
+
+<p>As mentioned earlier in this chapter, Samba has a similar ability to
+offer user-level security, but that option is Unix-centric and
+assumes that the authentication occurs via Unix password files. If
+the Unix machine is part of an NIS or NIS+ domain, Samba
+authenticates users transparently against a shared password file in
+typical Unix fashion. Samba then provides access to the NIS or NIS+
+domain from Windows. There is, of course, no relationship between the
+NIS concept of a domain and a Windows NT domain.</p>
+
+<p>Configuring Samba for domain-level security is covered in <a href="ch04.html">Chapter 4</a> in <a href="ch04.html#samba2-CHP-4-SECT-7">Section 4.7</a>. <a name="INDEX-67"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-4"/>
+
+<h2 class="head1">Passwords</h2>
+
+<p><a name="INDEX-68"/>Passwords
+are a thorny issue with Samba. So much so, in fact, that they are
+often the first major problem that users encounter when they install
+Samba. At this point, we need to delve deeper into Samba to discover
+what is happening on the network.</p>
+
+<p>Passwords sent from individual clients can be either encrypted or
+nonencrypted. Encrypted passwords are, of course, more secure. A
+nonencrypted, plain-text password can be easily read with a
+packet-sniffing program, such as the modified
+<em class="emphasis">tcpdump</em> program for Samba that we used in <a href="ch01.html">Chapter 1</a>. Whether passwords are encrypted by default
+depends on the operating system that the client is using to connect
+to the Samba server. <a href="ch09.html#samba2-CHP-9-TABLE-5">Table 9-5</a> lists which
+<a name="INDEX-69"/>Windows operating
+systems encrypt their passwords and which send plain-text passwords
+by default.</p>
+
+<a name="samba2-CHP-9-TABLE-5"/><h4 class="head4">Table 9-5. Windows operating systems with encrypted passwords</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Operating system</p>
+</th>
+<th>
+<p>Encrypted or plain text</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Windows for Workgroups</p>
+</td>
+<td>
+<p>Plain text</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95</p>
+</td>
+<td>
+<p>Plain text</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95 with SMB Update</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 98</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows Me</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT 3.x</p>
+</td>
+<td>
+<p>Plain text</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT 4.0 before SP <tt class="literal">3</tt></p>
+</td>
+<td>
+<p>Plain text</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT 4.0 after SP 3</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 2000</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows XP</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+
+</table>
+
+<p>Three different encryption methods are used. Windows 95/98/Me clients
+use a method inherited from Microsoft's LAN Manager
+network software. Windows NT/2000/XP systems use a newer system,
+called NT LAN Manager, or NTLM. A newer version of this (called NT
+LAN Manager Version 2, or NTLMv2) uses a different method for
+password hashing.</p>
+
+<p>If encrypted passwords are supported, Samba stores the encrypted
+passwords in a file called <em class="filename">smbpasswd</em>. By
+default, this file is located in the <em class="filename">private</em>
+directory of the Samba distribution (typically
+<em class="filename">/usr/local/samba/private</em>). At the same time, the
+client stores an encrypted version of a user's
+password on its own system. The plain-text password is never stored
+on either system. Each system encrypts the password automatically
+using a standard algorithm when the password is set or changed.</p>
+
+<p>When a client requests a connection to an SMB server that supports
+encrypted passwords (such as Samba or Windows NT/2000/XP), the two
+computers undergo the following negotiations:</p>
+
+<ol><li>
+<p>The client attempts to negotiate a protocol with the server.</p>
+</li><li>
+<p>The server responds with a protocol and indicates that it supports
+encrypted passwords. At this time, it sends back a randomly generated
+8-byte challenge string.</p>
+</li><li>
+<p>The client uses the challenge string as a key to encrypt its already
+encrypted password using an algorithm predefined by the negotiated
+protocol. It then sends the result to the server.</p>
+</li><li>
+<p>The server does the same thing with the encrypted password stored in
+its database. If the results match, the passwords are equivalent, and
+the user is authenticated.</p>
+</li></ol>
+<p>Note that even though the original passwords are not involved in the
+authentication process, you need to be very careful that the
+encrypted passwords located inside the <em class="filename">smbpasswd</em>
+file are guarded from unauthorized users. If they are compromised, an
+unauthorized user can break into the system by replaying the steps of
+the previous algorithm. The encrypted passwords are just as sensitive
+as the plain-text passwords&mdash;this is known as
+<em class="firstterm">plain-text-equivalent</em> data in the cryptography
+world. Of course, your local security policy should require that the
+clients safeguard their plain-text-equivalent passwords as well.</p>
+
+<p>You can configure Samba to accept encrypted passwords with the
+following global additions to <em class="filename">smb.conf</em>. Note
+that we explicitly name the location of the Samba password file:</p>
+
+<blockquote><pre class="code">[global]
+    security = user
+    encrypt passwords = yes
+    smb passwd file = /usr/local/samba/private/smbpasswd</pre></blockquote>
+
+<p>Samba, however, will not accept any users until the
+<em class="filename">smbpasswd</em> file has been created and the users
+have been added to it with the <em class="emphasis">smbpasswd</em>
+command, as we showed you in <a href="ch02.html">Chapter 2</a>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-4.1"/>
+
+<h3 class="head2">Disabling Encrypted Passwords on the Client</h3>
+
+<p><a name="INDEX-70"/><a name="INDEX-71"/>While Unix authentication has been
+in use for decades&mdash;including the use of
+<em class="emphasis">telnet</em> and <em class="emphasis">rlogin</em> access
+across the Internet&mdash;it embodies well-known security risks.
+Plaintext passwords are sent over the Internet and can be retrieved
+from TCP packets by malicious snoopers. However, if you feel that
+your network is secure and you wish to use standard Unix
+<em class="filename">/etc/passwd</em> authentication for all clients, you
+can do so, but you must disable encrypted passwords on those Windows
+clients that default to using them.</p>
+
+<p>To do this, you must modify the Windows registry on each client
+system. The Samba distribution includes the <em class="filename">.reg</em>
+files you need for this, located in the source
+distribution's <em class="filename">/docs/Registry</em>
+directory. Depending on the platform, you use one of the following
+files:</p>
+
+<blockquote class="simplelist">
+
+<p><em class="filename">Win95_PlainPassword.reg</em></p>
+
+<p><em class="filename">Win98_PlainPassword.reg</em></p>
+
+<p><em class="filename">WinME_PlainPassword.reg</em></p>
+
+<p><em class="filename">NT_PlainPassword.reg</em></p>
+
+<p><em class="filename">Win2000_PlainPassword.reg</em></p>
+
+</blockquote>
+
+<p>(For Windows XP, use the <em class="filename">.reg</em> file for Windows
+2000.) You can perform the installation by copying the appropriate
+<em class="filename">.reg</em> file to a DOS floppy, inserting the floppy
+in the client's floppy drive, and running the
+<em class="filename">.reg</em> file from the Run menu item in the
+client's Start menu. (Or you can just double-click
+the file's icon.)</p>
+
+<p>After you reboot the machine, the client will not encrypt its hashed
+passwords before sending them to the server. This means that the
+plain-text passwords can been seen in the TCP packets that are
+broadcast across the network. Again, we encourage you not to do this
+unless you are absolutely sure that your network is secure.</p>
+
+<p>If passwords are not encrypted, use these two lines in your Samba
+configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    security = user
+    encrypt passwords = no</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-4.2"/>
+
+<h3 class="head2">The smbpasswd File</h3>
+
+<p>Samba stores its encrypted passwords in a file called
+<em class="filename">smbpasswd</em><a name="INDEX-72"/>,
+which by default resides in the
+<em class="filename">/usr/local/samba/private</em> directory. The
+<em class="filename">smbpasswd</em> file should be guarded as closely as
+the Unix system's password file (either
+<em class="filename">/etc/passwd</em> or
+<em class="filename">/etc/shadow</em>). Only the root user should have
+read/write access to the <em class="filename">private</em> directory, and
+no other users should have access to it at all. In addition, the
+<em class="filename">smbpasswd</em> file should have all access denied to
+all users except for root. When things are set up for good security,
+long listings of the <em class="filename">private</em> directory and
+<em class="filename">smbpasswd</em> file look like the following:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ls -ld /usr/local/samba/private</b></tt>
+drwx- - - - - -   2 root   root   4096 Nov 26 01:11 /usr/local/samba/private
+# <tt class="userinput"><b>ls -l /usr/local/samba/private/smbpasswd</b></tt>
+-rw- - - - - - -   1 root   root    204 Nov 26 01:11 /usr/local/samba/private/smbpasswd</pre></blockquote>
+
+<p>Before you can use encrypted passwords, you need to create an entry
+for each Unix user in the <em class="filename">smbpasswd</em> file. The
+structure of the file is somewhat similar to a Unix
+<em class="filename">passwd</em> file, but has different fields. <a href="ch09.html#samba2-CHP-9-FIG-3">Figure 9-3</a> illustrates the layout of the
+<em class="filename">smbpasswd</em> file; the entry shown is actually one
+line in the file.</p>
+
+<div class="figure"><a name="samba2-CHP-9-FIG-3"/><img src="figs/sam2_0903.gif"/></div><h4 class="head4">Figure 9-3. Structure of the smbpasswd file entry (actually one line)</h4>
+
+<p>Normally, entries in the <em class="filename">smbpasswd</em> file are
+created automatically by the <em class="emphasis">smbpasswd</em> command.
+Still, you might like to know how to interpret data within the
+<em class="filename">smbpasswd</em> file, in case you'd
+like to see what accounts are stored in it or even modify it
+manually. Here is a breakdown of the individual fields:</p>
+
+<dl>
+<dt><b>Username</b></dt>
+<dd>
+<p>This is the username of the account. It is taken directly from the
+system password file.</p>
+</dd>
+
+
+
+<dt><b>UID</b></dt>
+<dd>
+<p>This is the user ID (UID) of the account. Like the username, it is
+taken directly from the system password file and must match the UID
+there.</p>
+</dd>
+
+
+
+<dt><b>LAN Manager Password Hash</b></dt>
+<dd>
+<p>This is a 32-bit hexadecimal sequence that represents the password
+Windows 95/98/Me clients will use. It is derived by splitting the
+password into two 7-character strings, with all lowercase letters
+forced into uppercase. If fewer than 14 characters are in the
+password, the strings are padded with nulls. Then each 7-character
+string is converted to a 56-bit DES key and used to encrypt the
+constant string <tt class="literal">KGS!@#$%</tt>. The two 64-bit results
+are concatenated and stored as the password hash.</p>
+
+
+<p>If there is currently no password for the user, the first 11
+characters of the hash will consist of the sequence
+<tt class="literal">NO</tt> <tt class="literal">PASSWORD</tt> followed by
+<tt class="literal">X</tt> characters for the remainder. If the password
+has been disabled, it will consist of 32 <tt class="literal">X</tt>
+characters.</p>
+</dd>
+
+
+<dt><b>NT LAN Manager (NTLM) Password Hash</b></dt>
+<dd>
+<p>This is a 32-bit hexadecimal sequence that represents the password
+Windows NT/2000/XP clients will use. It is derived by hashing the
+user's password (represented as a 16-bit
+little-endian Unicode sequence) with an MD4 hash. The password is not
+converted to uppercase letters first.</p>
+</dd>
+
+
+
+<dt><b>Account Flags</b></dt>
+<dd>
+<p>This field consists of 11 characters between two braces ( [ ] ). Any
+of the following characters can appear in any order; the remaining
+characters should be spaces:</p>
+
+
+<dl>
+<dt><b>U</b></dt>
+<dd>
+<p>This account is a standard user account.</p>
+</dd>
+
+
+
+<dt><b>D</b></dt>
+<dd>
+<p>This account is currently disabled, and Samba should not allow any
+logins.</p>
+</dd>
+
+
+
+<dt><b>N</b></dt>
+<dd>
+<p>This account has no password associated with it.</p>
+</dd>
+
+
+
+<dt><b>W</b></dt>
+<dd>
+<p>This is a workstation trust account that can be used to configure
+Samba as a PDC when allowing Windows NT machines to join its domain.</p>
+</dd>
+
+</dl>
+</dd>
+
+
+<dt><b>Last Change Time</b></dt>
+<dd>
+<p>This code consists of the characters <tt class="literal">LCT-</tt> followed
+by a hexadecimal representation of the number of seconds since the
+epoch (midnight on January 1, 1970) that the entry was last changed.
+<a name="INDEX-73"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-4.3"/>
+
+<h3 class="head2">Password Synchronization</h3>
+
+<p><a name="INDEX-74"/><a name="INDEX-75"/>Having a regular password (either in
+<em class="filename">/etc/passwd</em> or <em class="filename">/etc/shadow</em>)
+and an encrypted version of the same password (in the
+<em class="filename">smbpasswd</em> file) can be troublesome when you need
+to change both of them. Luckily, Samba affords you a limited ability
+to keep your passwords synchronized. Samba has a pair of
+configuration options to update a user's regular
+Unix password automatically when the encrypted password is changed on
+the system. The feature can be activated by specifying the
+<tt class="literal">unix</tt><a name="INDEX-76"/> <tt class="literal">password</tt>
+<tt class="literal">sync</tt> global configuration option:</p>
+
+<blockquote><pre class="code">[global]
+    unix password sync = yes</pre></blockquote>
+
+<p>With this option enabled, Samba attempts to change the
+user's regular password (as <tt class="literal">root</tt>)
+when the encrypted version is changed with
+<em class="filename">smbpasswd</em>. However, two other options have to be
+set correctly for this to work.</p>
+
+<p>The easier of the two is <tt class="literal">passwd</tt>
+<tt class="literal">program</tt>. This option simply specifies the Unix
+command used to change a user's standard system
+password. It is set to <tt class="literal">/bin/passwd</tt>
+<tt class="literal">%u</tt> by default. With some Unix systems, this is
+sufficient, and you do not need to change anything. Others, such as
+Red Hat Linux, use <em class="emphasis">/usr/bin/passwd</em> instead. In
+addition, you might want to change this to another program or script
+at some point in the future. For example, let's
+assume that you want to use a script called
+<em class="emphasis">changepass</em> to change a user's
+password. Recall that you can use the variable <tt class="literal">%u</tt>
+to represent the current Unix username. So the example becomes:</p>
+
+<blockquote><pre class="code">[global]
+    unix password sync = yes
+    passwd program = changepass %u</pre></blockquote>
+
+<p>Note that this program is called as the <tt class="literal">root</tt> user
+when the <tt class="literal">unix</tt> <tt class="literal">password</tt>
+<tt class="literal">sync</tt> option is set to <tt class="literal">yes</tt>. This
+is because Samba does not necessarily have the old plain-text
+password of the user.</p>
+
+<p>The harder option to configure is
+<tt class="literal">passwd</tt><a name="INDEX-77"/> <tt class="literal">chat</tt>. The
+<tt class="literal">passwd</tt> <tt class="literal">chat</tt> option works like a
+Unix chat script. It specifies a series of strings to send, as well
+as responses to expect from the program specified by the
+<tt class="literal">passwd</tt> <tt class="literal">program</tt> option. For
+example, this is what the default <tt class="literal">passwd</tt>
+<tt class="literal">chat</tt> looks like. The delimiters are the spaces
+between each grouping of characters:</p>
+
+<blockquote><pre class="code">passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*</pre></blockquote>
+
+<p>The first grouping represents a response expected from the
+password-changing program. Note that it can contain wildcards
+(<tt class="literal">*</tt>), which help to generalize the chat programs to
+handle a variety of similar outputs. Here,
+<tt class="literal">*old*password*</tt> indicates that Samba is expecting
+any line from the password program containing the letters
+<tt class="literal">old</tt> followed by the letters
+<tt class="literal">password</tt>, without regard for what comes before,
+after, or between them. If Samba does not receive the expected
+response, the password change will fail.</p>
+
+<p>The second grouping indicates what Samba should send back once the
+data in the first grouping has been matched. In this case, you see
+<tt class="literal">%o\n</tt>. This response is actually two items: the
+variable <tt class="literal">%o</tt> represents the old password, while the
+<tt class="literal">\n</tt> is a newline character. So, in effect, this
+will &quot;type&quot; the old password into
+the standard input of the password-changing program, and then
+&quot;press&quot; Enter.</p>
+
+<p>Following that is another response grouping, followed by data that
+will be sent back to the password-changing program. (In fact, this
+response/send pattern continues indefinitely in any standard Unix
+<em class="emphasis">chat</em> script.) The script continues until the
+final pattern is matched.</p>
+
+<p>You can help match the response strings sent from the password
+program with the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-6">Table 9-6</a>.
+In addition, you can use the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-7">Table 9-7</a> to help formulate your response.</p>
+
+<a name="samba2-CHP-9-TABLE-6"/><h4 class="head4">Table 9-6. Password chat response characters</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Character</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">*</tt></p>
+</td>
+<td>
+<p>Zero or more occurrences of any character.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>&quot;<tt class="literal"> </tt>&quot;</p>
+</td>
+<td>
+<p>Allows you to include matching strings that contain spaces. Asterisks
+are still considered wildcards even inside of quotes, and you can
+represent a null response with empty quotes.</p>
+</td>
+</tr>
+
+</table>
+
+<a name="samba2-CHP-9-TABLE-7"/><h4 class="head4">Table 9-7. Password chat send characters</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Character</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">%o</tt></p>
+</td>
+<td>
+<p>The user's old password</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%n</tt></p>
+</td>
+<td>
+<p>The user's new password</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">\n</tt></p>
+</td>
+<td>
+<p>The linefeed character</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">\r</tt></p>
+</td>
+<td>
+<p>The carriage-return character</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">\t</tt></p>
+</td>
+<td>
+<p>The tab character</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">\s</tt></p>
+</td>
+<td>
+<p>A space</p>
+</td>
+</tr>
+
+</table>
+
+<p>For example, you might want to change your password chat to the
+following entry. This handles scenarios in which you do not have to
+enter the old password. In addition, this also handles the new
+<tt class="literal">all</tt> <tt class="literal">tokens</tt>
+<tt class="literal">updated</tt> <tt class="literal">successfully</tt> string
+that Red Hat Linux sends:</p>
+
+<blockquote><pre class="code">passwd chat = *New password* %n\n *new password* %n\n *success*</pre></blockquote>
+
+<p>Again, the default chat should be sufficient for many Unix systems.
+If it isn't, you can use the
+<tt class="literal">passwd</tt> <tt class="literal">chat</tt>
+<tt class="literal">debug</tt> global option to set up a new chat script
+for the password change program. The <tt class="literal">passwd</tt>
+<tt class="literal">chat</tt> <tt class="literal">debug</tt> option logs
+everything during a password chat. This option is a simple Boolean,
+as shown here:</p>
+
+<blockquote><pre class="code">[global]
+    unix password sync = yes
+    passwd chat debug = yes
+    log level = 100</pre></blockquote>
+
+<p>After you activate the password chat debug feature, all I/O received
+by Samba through the password chat can be sent to the
+<em class="filename">log.smbd</em> Samba log file with a debug level of
+100, which is why we entered a new <tt class="literal">log</tt>
+<tt class="literal">level</tt> option as well. As this can often generate
+multitudes of error logs, it can be more efficient to use your own
+script&mdash;by setting the <tt class="literal">passwd</tt>
+<tt class="literal">program</tt> option&mdash;in place of
+<em class="filename">/bin/passwd</em> to record what happens during the
+exchange. Be careful because the log file contains the passwords in
+plain text. Keeping files containing plain-text passwords can (or
+<em class="emphasis">should</em>) be against local security policy in your
+organization, and it also might raise serious legal issues. Make sure
+to protect your log files with strict file permissions and to delete
+them as soon as you've grabbed the information you
+need. If possible, use the <tt class="literal">passwd</tt>
+<tt class="literal">chat</tt> <tt class="literal">debug</tt> option only while
+your own password is being changed.</p>
+
+<p>The operating system on which Samba is running might have strict
+requirements for valid passwords to make them more impervious to
+dictionary attacks and the like. Users should be made aware of these
+restrictions when changing their passwords.</p>
+
+<p>Earlier we said that password synchronization is limited. This is
+because there is no reverse synchronization of the encrypted
+<em class="filename">smbpasswd</em> file when a standard Unix password is
+updated by a user. There are various strategies to get around this,
+including NIS and freely available implementations of the Pluggable
+Authentication Modules (PAM) standard, but none of them really solves
+all the problems.</p>
+
+<p>More information regarding passwords can be found in the in the Samba
+source distribution file
+<em class="filename">docs/htmldocs/ENCRYPTION.html</em>.<a name="INDEX-80"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-4.4"/>
+
+<h3 class="head2">Password Configuration Options</h3>
+
+<p><a name="INDEX-81"/><a name="INDEX-82"/>The options in <a href="ch09.html#samba2-CHP-9-TABLE-8">Table 9-8</a> will help you work with passwords in Samba.</p>
+
+<a name="samba2-CHP-9-TABLE-8"/><h4 class="head4">Table 9-8. Password configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">encrypt</tt> <tt class="literal">passwords</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, enables encrypted passwords.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">unix password</tt> <tt class="literal">sync</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, updates the standard Unix password
+database when a user changes his encrypted password.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">passwd chat</tt></p>
+</td>
+<td>
+<p>string (chat commands)</p>
+</td>
+<td>
+<p>Sequence of commands sent to the password program.</p>
+</td>
+<td>
+<p>See earlier section on this option</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">passwd chat</tt> <tt class="literal">debug</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, sends debug logs of the password-change
+process to the log files with a level of 100.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">passwd program</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Program to be used to change passwords.</p>
+</td>
+<td>
+<p><tt class="literal">/bin/passwd</tt> <tt class="literal">%u</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">password level</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Number of capital-letter permutations to attempt when matching a
+client's password.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">update</tt> <tt class="literal">encrypted</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, updates the encrypted password file when a
+client connects to a share with a plain-text password.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">null passwords</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows access for users with null
+passwords.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">smb passwd file</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Name of the encrypted password file.</p>
+</td>
+<td>
+<p><tt class="literal">/usr/local/samba/private/smbpasswd</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">hosts equiv</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Name of a file that contains hosts and users that can connect without
+using a password.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">use rhosts</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Name of a .<em class="emphasis">rhosts</em> file that allows users to
+connect without using a password.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.1"/>
+
+<h3 class="head3">encrypt passwords</h3>
+
+<p>The <tt class="literal">encrypt</tt><a name="INDEX-83"/>
+<tt class="literal">passwords</tt> global option switches Samba from using
+plain-text passwords to encrypted passwords for authentication.
+Encrypted passwords will be expected from clients if the option is
+set to <tt class="literal">yes</tt>:</p>
+
+<blockquote><pre class="code">encrypt passwords = yes</pre></blockquote>
+
+<p>In Samba 2.2.x versions and with previous versions, encrypted
+passwords are disabled by default. This was changed in Samba 3.0 to
+make encrypted passwords enabled by default.</p>
+
+<p>If you use encrypted passwords, you must have a valid
+<em class="filename">smbpasswd</em> file in place and populated with
+usernames that authenticate with encrypted passwords. (See <a href="ch09.html#samba2-CHP-9-SECT-4.2">Section 9.4.2</a> earlier in
+this chapter.) In addition, Samba must know the location of the
+<em class="filename">smbpasswd</em> file; if it is not in the default
+location (typically
+<em class="filename">/usr/local/samba/private/smbpasswd</em> ), you can
+explicitly name it using the <tt class="literal">smb</tt>
+<tt class="literal">passwd</tt> <tt class="literal">file</tt> option.</p>
+
+<p>If you wish, you can use <tt class="literal">update</tt>
+<tt class="literal">encrypted</tt> to force Samba to update the
+<em class="filename">smbpasswd</em> file with encrypted passwords each
+time a client connects using a nonencrypted password.</p>
+
+<p>If you have a mixture of clients on your network, with some of them
+using encrypted passwords and others using plain-text passwords, you
+can use the <tt class="literal">include</tt> option to make Samba treat
+each client appropriately. To do this, create individual
+configuration files based on the client name (<tt class="literal">%m</tt>).
+These host-specific configuration files can contain an
+<tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option that activates
+only when those clients are connecting to the server.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.2"/>
+
+<a name="INDEX-84"/><h3 class="head3">unix password sync</h3>
+
+<p>The <tt class="literal">unix</tt> <tt class="literal">password</tt>
+<tt class="literal">sync</tt> global option allows Samba to update the
+standard Unix password file when a user changes her encrypted
+password. The encrypted password is stored on a Samba server in the
+<em class="filename">smbpasswd</em> file, which is located by default in
+<em class="filename">/usr/local/samba/private</em>. You can activate this
+feature as follows:</p>
+
+<blockquote><pre class="code">[global]
+    unix password sync = yes</pre></blockquote>
+
+<p>If this option is enabled, Samba changes the encrypted password and,
+in addition, attempts to change the standard Unix password by passing
+the username and new password to the program specified by the
+<tt class="literal">passwd</tt> <tt class="literal">program</tt> option
+(described earlier). Note that Samba does not necessarily have access
+to the plain-text password for this user, so the password changing
+program must be invoked as <tt class="literal">root</tt>.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> If the Unix password change does not
+succeed, for whatever reason, the SMB password is not changed either.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.3"/>
+
+<a name="INDEX-85"/><h3 class="head3">passwd chat</h3>
+
+<p>This option specifies a series of send/response strings similar to a
+Unix chat script, which interface with the password-changing program
+on the Samba server. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
+chapter covers this option in detail.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.4"/>
+
+<h3 class="head3">passwd chat debug</h3>
+
+<p>If set to <tt class="literal">yes</tt>, the
+<tt class="literal">passwd</tt><a name="INDEX-86"/> <tt class="literal">chat</tt>
+<tt class="literal">debug</tt> global option logs everything sent or
+received by Samba during a password chat. All the I/O received by
+Samba through the password chat is sent to the Samba logs with a
+debug level of 100; you must specify <tt class="literal">log</tt>
+<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">100</tt>
+for the information to be recorded. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
+chapter describes this option in more detail. Be aware that if you do
+set this option, the plain-text passwords will be visible in the
+debugging logs, which could be a security hazard if they are not
+properly secured. It is against the security policy of some
+organizations for system administrators to have access to
+users' passwords.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.5"/>
+
+<h3 class="head3">passwd program</h3>
+
+<p>The <tt class="literal">passwd</tt><a name="INDEX-87"/>
+<tt class="literal">program</tt> option specifies a program on the Unix
+Samba server that Samba can use to update the standard system
+password file when the encrypted password file is updated. This
+option defaults to the standard <em class="emphasis">passwd</em> program,
+usually located in the <em class="filename">/bin</em> directory. The
+<tt class="literal">%u</tt> variable is typically used as the requesting
+user when the command is executed. The actual handling of input and
+output to this program during execution is handled through the
+<tt class="literal">passwd</tt> <tt class="literal">chat</tt> option. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
+chapter covers this option in detail.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.6"/>
+
+<a name="INDEX-88"/><h3 class="head3">password level</h3>
+
+<p>With SMB, nonencrypted (or plain-text) passwords are sent with
+capital letters, just like the usernames mentioned previously. Many
+Unix users, however, choose passwords with both upper- and lowercase
+letters. Samba, by default, only attempts to match the password
+entirely in lowercase letters and not capitalizing the first letter.</p>
+
+<p>Like <tt class="literal">username</tt> <tt class="literal">level</tt>, a
+<tt class="literal">password</tt> <tt class="literal">level</tt> option can be
+used to attempt various permutations of the password with capital
+letters. This option takes an integer value that specifies how many
+letters in the password should be capitalized when attempting to
+connect to a share. You can specify this option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    password level = 3</pre></blockquote>
+
+<p>In this case, Samba then attempts all permutations of the password it
+can compute having three capital letters. The larger the number, the
+more computations Samba has to perform to match the password, and the
+longer a connection to a specific share might take.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.7"/>
+
+<a name="INDEX-89"/><h3 class="head3">update encrypted</h3>
+
+<p>For sites switching over to the encrypted password format, Samba
+provides an option that should help with the transition. The
+<tt class="literal">update</tt> <tt class="literal">encrypted</tt> option allows
+a site to ease into using encrypted passwords from plain-text
+passwords. You can activate this option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    update encrypted = yes</pre></blockquote>
+
+<p>This instructs Samba to create an encrypted version of each
+user's Unix password in the
+<em class="filename">smbpasswd</em> file each time she connects to a
+share. When this option is enabled, you must have the
+<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> option set to
+<tt class="literal">no</tt> so that the client passes plain-text passwords
+to Samba to update the files. Once each user has connected at least
+once, you can set <tt class="literal">encrypted</tt>
+<tt class="literal">passwords</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt>, allowing you to use only the encrypted
+passwords. The user must already have a valid entry in the
+<em class="filename">smbpasswd</em> file for this option to work.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.8"/>
+
+<a name="INDEX-90"/><h3 class="head3">null passwords</h3>
+
+<p>This global option tells Samba whether to allow access from users
+that have null passwords (encrypted or nonencrypted) set in their
+accounts. The default value is <tt class="literal">no</tt>. You can
+override it as follows:</p>
+
+<blockquote><pre class="code">null passwords = yes</pre></blockquote>
+
+<p>We highly recommend against doing so because of the security risks
+this option can present to your system, including inadvertent access
+to system users (such as <tt class="literal">bin</tt>) in the system
+password file who have null passwords set.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.9"/>
+
+<a name="INDEX-91"/><h3 class="head3">smb passwd file</h3>
+
+<p>This global option identifies the location of the encrypted password
+database. By default, it is set to
+<em class="filename">/usr/local/samba/private/smbpasswd</em>. You can
+override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    smb passwd file = /etc/samba/smbpasswd</pre></blockquote>
+
+<p>This location, for example, is common on many Red Hat distributions
+on which Samba has been installed using an RPM package.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.10"/>
+
+<a name="INDEX-92"/><h3 class="head3">hosts equiv</h3>
+
+<p>This global option specifies the name of a standard Unix
+<em class="filename">hosts.equiv</em> file that allows hosts or users to
+access shares without specifying a password. You can specify the
+location of such a file as follows:</p>
+
+<blockquote><pre class="code">[global]
+    hosts equiv = /etc/hosts.equiv</pre></blockquote>
+
+<p>The default value for this option does not specify any
+<em class="filename">hosts.equiv</em> file. Because using a
+<em class="filename">hosts.equiv</em> file is a huge security risk, we
+strongly recommend against using this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.11"/>
+
+<a name="INDEX-93"/><h3 class="head3">use rhosts</h3>
+
+<p>This global option specifies the name of a standard Unix
+user's <em class="filename">.rhosts</em> file that allows
+foreign hosts to access shares without specifying a password. You can
+specify the location of such a file as follows:</p>
+
+<blockquote><pre class="code">[global]
+    use rhosts = /home/dave/.rhosts</pre></blockquote>
+
+<p>The default value for this option does not specify any
+<em class="filename">.rhosts</em> file. Like the <tt class="literal">hosts</tt>
+<tt class="literal">equiv</tt> option discussed earlier, using such a file
+is a security risk. We highly recommend that you do not use this
+option unless you are confident in the security of your network.
+<a name="INDEX-94"/>
+<a name="INDEX-95"/><a name="INDEX-96"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-5"/>
+
+<h2 class="head1">Authentication with winbind</h2>
+
+<p><a name="INDEX-97"/><a name="INDEX-98"/>In <a href="ch03.html">Chapter 3</a>, we
+showed you how to add Windows clients to a network in which user
+accounts were maintained on the Samba server. We added a user account
+to the Windows client using the same username and password as an
+account on the Unix system. This method works well in many computing
+environments. However, if a Samba server is added to a Windows
+network that already has a Windows NT/2000 primary domain controller,
+the PDC has a preexisting database of user accounts and group
+information that is used for authentication. It can be a big chore to
+transfer that database manually to the Unix server, and later
+maintain and synchronize the Unix and Windows databases.</p>
+
+<p>In <a href="ch04.html">Chapter 4</a>, we showed you how to add a Samba
+server as a domain member server to a network having a Windows
+NT/2000 primary domain controller. We set <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">domain</tt> in the Samba
+configuration file to have the Samba server hand off authentication
+to the Windows PDC. Using that method, passwords are kept only on the
+PDC, but it is still necessary to set up user accounts on the Unix
+side to make sure each client has a valid Unix UID and group ID
+(GID). This is necessary for maintaining the file ownerships and
+permissions of the Unix security model. Whenever Samba performs an
+operation on the Unix filesystem on behalf of the Windows client, the
+user must have a valid UID and GID on the local Unix system.</p>
+
+<p>A facility that has recently been added to Samba, winbind, allows the
+Windows <a name="INDEX-99"/>PDC to handle
+not only authentication, but the user and group information as well.
+Winbind works by extending the Unix user and group databases beyond
+the standard <em class="filename">/etc/passwd</em> and
+<em class="filename">/etc/group</em> files such that users and groups on
+the Windows PDC also exist as valid users and groups on the Unix
+system. The extension applies to the entire Unix system and allows
+users who are members of a Windows domain to perform any action on
+the Unix system that a local user would, including logging in to the
+Unix system by <em class="emphasis">telnet</em> or even on the local
+system, using their domain usernames and passwords.</p>
+
+<p>When winbind is in use, administration of user accounts can be done
+on the Windows PDC, without having to repeat the tasks on the Unix
+side. This includes password expiration and allowing users to change
+their passwords, which would otherwise not be practical. Aside from
+simplifying domain administration and being a great time saver,
+winbind lets Samba be used in computing environments where it
+otherwise might not be allowed.</p>
+<a name="samba2-CHP-9-NOTE-143"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Because this is a chapter on security, we want to point out that some
+issues might relate to allowing a Windows system to authenticate
+users accessing a Unix system! Whatever you might think of the
+relative merits of Unix and Windows security models (and even more
+importantly, their <em class="emphasis">implementations</em>), one thing
+is certain: adding winbind support to your Samba server greatly
+complicates the authentication system overall&mdash;and quite
+possibly allows more opportunities for crackers.</p>
+
+<p>We present winbind in this chapter not as a means of improving
+security, but rather as a further example of Samba's
+ability to integrate itself into a modern Windows environment.</p>
+</blockquote>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.1"/>
+
+<h3 class="head2">Installing winbind</h3>
+
+<p><a name="INDEX-100"/>Installing
+and configuring winbind is fairly complicated and involves the
+following steps:</p>
+
+<ol><li>
+<p>Reconfigure, recompile, and reinstall Samba&mdash;to add support for
+winbind.</p>
+</li><li>
+<p>Configure the Unix name server switch.</p>
+</li><li>
+<p>Modify the Samba configuration file.</p>
+</li><li>
+<p>Start and test the <em class="emphasis">winbindd</em> daemon.</p>
+</li><li>
+<p>Configure the system to start and stop the
+<em class="emphasis">winbindd</em> daemon automatically.</p>
+</li><li>
+<p>Optionally, configure PAM for use with winbind.</p>
+</li></ol>
+<p>At the time this book was written, winbind was supported only on
+Linux, so all of the following directions are specific to it. Other
+Unix flavors might be supported at a later time. In addition, we
+assume you have a Windows NT/2000 primary domain controller running
+on your network.</p>
+
+<p>First, you will need to configure and compile Samba using the
+<tt class="literal">--with-winbind</tt> configure option. Directions for
+doing this are included in <a href="ch02.html">Chapter 2</a> in <a href="ch02.html#samba2-CHP-2-SECT-3">Section 2.3</a>. As usual, run
+<em class="emphasis">make install</em> to reinstall the Samba binaries.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.2"/>
+
+<h3 class="head2">Configuring nsswitch</h3>
+
+<p><a name="INDEX-101"/>When
+Samba is compiled after being configured with the
+<tt class="literal">--with-winbind</tt> option, the compilation process
+produces a library called
+<em class="filename">libnss_winbind.so</em><a name="INDEX-102"/> in the
+<em class="filename">source/nsswitch</em> directory. This library needs to
+be copied to the <em class="filename">/lib</em> directory:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cp nsswitch/libnss_winbind.so /lib</b></tt></pre></blockquote>
+
+<p>Also, a symbolic link must be created for winbind to be fully
+functional:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</b></tt></pre></blockquote>
+
+<a name="samba2-CHP-9-NOTE-144"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The name of this symbolic link is correct for Samba 2.2.3 and Red Hat
+7.1. The name might change&mdash;with a higher version number in the
+extension&mdash;in future releases. See the
+<em class="emphasis">winbindd</em> manual page for details.</p>
+</blockquote>
+
+<p>Next, we need to modify <em class="filename">/etc/nsswitch.conf</em> to
+make the lines for <tt class="literal">passwd</tt> and
+<tt class="literal">group</tt> look like this:</p>
+
+<blockquote><pre class="code">passwd:     files winbind
+group:      files winbind</pre></blockquote>
+
+<p>Then activate these changes by issuing the following command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/sbin/ldconfig</b></tt></pre></blockquote>
+
+<p>What we've just done is reconfigure the Linux name
+service switch, which allows name service and other tasks to be
+configured to use the traditional method (files in the
+<em class="filename">/etc</em> directory) or an extension coded in a
+library, such as the <em class="filename">libnss_winbind.so</em> library
+we've just installed. We've
+specified in our configuration that Samba will search for user and
+group information first in the <em class="filename">/etc/passwd</em> and
+<em class="filename">/etc/group files</em>, and if they are not found
+there, in the winbind service.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.3"/>
+
+<h3 class="head2">Modifying smb.conf</h3>
+
+<p><a name="INDEX-103"/><a name="INDEX-104"/>To use winbind, we must have our Samba
+server added to the Windows NT domain as a domain member server (as
+we described in <a href="ch04.html">Chapter 4</a>) and also add some
+parameters to the Samba configuration file to configure winbind. In
+addition to the options required to configure Samba as a domain
+member server, we need:</p>
+
+<blockquote><pre class="code">[global]
+    winbind uid = 10000-20000
+    winbind gid = 10000-20000</pre></blockquote>
+
+<p>The <tt class="literal">winbind</tt> <tt class="literal">uid</tt> and
+<tt class="literal">winbind</tt> <tt class="literal">gid</tt> options tell
+winbind how to map between Windows relative identifiers (RIDs) and
+Unix UIDs and GIDs. Windows uses RIDs to identify users and groups
+within the domain, and to function, the Unix system must have a UID
+and GID associated with every user and group RID that is received
+from the Windows primary domain controller. The
+<tt class="literal">winbind</tt> <tt class="literal">uid</tt> and
+<tt class="literal">winbind</tt> <tt class="literal">gid</tt> parameters simply
+provide winbind with a range of UIDs and GIDs, respectively, that are
+allocated by the system administrator for Windows NT domain users and
+groups. You can use whatever range you want for each; just make sure
+the lowest number in the range does not conflict with any entries in
+your <em class="filename">/etc/passwd</em> or
+<em class="filename">/etc/group</em> files at any time, either now or in
+the future. It is important to be conservative about this. Once
+winbind adds an RID to UID/GID mapping to its database, it is very
+difficult to modify the mapping.</p>
+<a name="samba2-CHP-9-NOTE-145"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p><a name="INDEX-105"/>The file
+<em class="filename">/usr/local/samba/locks/winbindd_idmap.tdb</em>
+contains winbind's RID mapping file by default. We
+suggest you regard this file as extremely sensitive and make sure to
+guard it carefully against any kind of harm or loss. If you lose it,
+you will have to re-create it manually, which can be a very
+labor-intensive task.</p>
+</blockquote>
+
+<a name="samba2-CHP-9-NOTE-145a"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Be careful when adding local users after domain users have started
+accessing the Samba server. The domain users will have entries
+created for them by winbind in <em class="filename">/etc/passwd,</em> with
+UIDs in the range you specify. If you are using a method of creating
+new accounts that automatically assigns UIDs, it might choose UIDs by
+adding 1 to the highest UID assigned thus far, which will be the most
+recent UID added by winbind. (This is the case on Red Hat Linux, with
+the <em class="emphasis">useradd</em> script, for example.) The UID for
+the new local user will be within the range allocated for winbind,
+which will have undesired effects. Make sure to add new local users
+using a method that assigns them UIDs in the proper range. For
+example, you can use the <em class="emphasis">-u</em> option of
+<em class="emphasis">useradd</em> to specify the UID to assign to the new
+user.</p>
+</blockquote>
+
+<p>Restart the Samba daemons to put your changes to the configuration
+file into effect. If you have not already done so while adding your
+Samba server as a domain member server, you must issue the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j </b></tt><em class="replaceable">domain</em><tt class="userinput"><b> -r </b></tt><em class="replaceable">pdc</em><tt class="userinput"><b> -U Administrator</b></tt></pre></blockquote>
+
+<p>as we described in <a href="ch04.html">Chapter 4</a>. At this point, you
+can start the <em class="emphasis">winbindd</em> daemon:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>winbindd</b></tt></pre></blockquote>
+
+<p><a name="INDEX-106"/>You might want to
+run a <em class="emphasis">ps ax</em> command to see that the
+<em class="emphasis">winbindd</em> daemon is running. Now, to make sure
+everything we've done up to this point works, we can
+use Samba's <em class="emphasis">wbinfo</em> command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -u</b></tt>
+METRAN\Administrator
+METRAN\bebe
+METRAN\Guest
+METRAN\jay
+METRAN\linda
+$ <tt class="userinput"><b>wbinfo -g</b></tt>
+METRAN\Domain Admins
+METRAN\Domain Guests
+METRAN\Domain Users</pre></blockquote>
+
+<p>The <em class="emphasis">-u</em> option queries the domain controller for
+a list of domain users, and the <em class="emphasis">-g</em> option asks
+for the list of groups. The output shows that the Samba host system
+can query the Windows PDC through winbind.</p>
+
+<p>Another thing to check is the list of users and groups, using the
+<em class="emphasis">getent</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>getent passwd</b></tt>
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:
+daemon:x:2:2:daemon:/sbin:
+    <i class="lineannotation">... deleted ...</i>
+jay:x:500:500:Jay Ts:/home/jay:/bin/bash
+rik:x:501:501::/home/rik:/bin/bash
+METRAN\Administrator:x:10000:10000::/home/METRAN/administrator:/bin/bash
+METRAN\bebe:x:10001:10000:Bebe Larta:/home/METRAN/bebe:/bin/bash
+METRAN\Guest:x:10002:10000::/home/METRAN/guest:/bin/bash
+METRAN\jay:x:10003:10000:Jay Ts:/home/METRAN/jay:/bin/bash
+METRAN\linda:x:10004:10000:Linda Lewis:/home/METRAN/linda:/bin/bash
+
+# getent group
+root:x:0:root
+bin:x:1:root,bin,daemon
+daemon:x:2:root,bin,daemon
+    <i class="lineannotation">... deleted ...</i>
+jay:x:500:
+rik:x:501:
+METRAN\Domain Admins:x:10001:METRAN\Administrator
+METRAN\Domain Guests:x:10002:METRAN\Guest
+METRAN\Domain Users:x:10000:METRAN\Administrator,METRAN\jay,METRAN\linda,METRAN\bebe</pre></blockquote>
+
+<p>This shows that the Linux system is finding the domain users and
+groups through winbind, in addition to those in the
+<em class="filename">/etc/passwd</em> and <em class="filename">/etc/group</em>
+files. If this part doesn't work as shown earlier,
+with the domain users and groups listed after the local ones, check
+to make sure you made the symbolic link to
+<em class="filename">libnss_winbind.so</em> in <em class="filename">/lib</em>
+correctly.</p>
+
+<p>Now you can try connecting to a Samba share from a Windows system
+using a domain account. You can either log on to the domain from a
+Windows NT/2000/XP workstation or use <em class="emphasis">smbclient</em>
+with the <em class="emphasis">-U</em> option to specify a username.</p>
+
+<a name="samba2-CHP-9-NOTE-147"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>If you get errors while attempting to log on to the domain, it is
+probably because you had previously configured the client system with
+a computer account on another domain controller. Commonly, you get a
+dialog box that says, &quot;The domain
+<em class="replaceable">NAME</em> is not available.&quot;
+On a Windows 2000 system, the fix is to log in to the system as an
+administrative user and open the Control Panel, double-click the
+System icon, click the Network Identification tab, then click the
+Properties button. In the dialog that comes up, click the
+&quot;Workgroup:&quot; radio button and fill
+in the name of the workgroup (you can use the same name as the
+domain). Click the OK buttons in the dialogs, and reboot if
+requested.</p>
+
+<p>This removes the computer account from the primary domain controller.
+Now log in again as the administrative user and repeat the previous
+directions, but change from the workgroup back to the domain. This
+creates a new computer account that
+&quot;fits&quot; the workstation to the new
+primary domain controller. If your network has backup domain
+controllers, it will take up to 15 minutes for the new computer
+account to propagate to the BDCs.</p>
+
+<p>If you are using Windows NT/XP, the method is slightly different. For
+the exact procedure, see the section in <a href="ch04.html">Chapter 4</a>
+that is specific to your Windows version.</p>
+</blockquote>
+
+<p>After logging in as a domain user, try creating a file or two in a
+Samba share. (You might need to change the permissions on the shared
+directory&mdash;say, to 777&mdash;to allow this access. This is very
+permissive, but after you finish reading this section, you will
+understand how to change ownership and permissions on the directory
+to restrict access to selected domain users.) After
+you've created files by one or more domain users,
+take a look at the directory's contents from a Linux
+shell. You will see something like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /u</b></tt>
+-rwxrw-rw-    1 METRAN\b METRAN\D        0 Apr 13 00:00 bebes-file.doc
+-rwxrw-rw-    1 METRAN\l METRAN\D        0 Apr 12 23:58 lindas-file.doc
+drwxrwxr-x    6 jay      jay          4096 Jan 15 05:12 snd
+<b class="emphasis-bold">$ ls -ln /u</b>
+total 4
+-rwxrw-rw-    1 10001    10000           0 Apr 13 00:00 bebes-file.doc
+-rwxrw-rw-    1 10004    10000           0 Apr 12 23:58 lindas-file.doc
+drwxrwxr-x    6 500      500          4096 Jan 15 05:12 snd</pre></blockquote>
+
+<p>We can even use the domain usernames and groups from the Linux shell:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /u</b></tt>
+# <tt class="userinput"><b>ls -ldu /u</b></tt>
+drwxrwxrwx    3 METRAN\l METRAN\D     4096 Apr 13 00:44 /u
+# <tt class="userinput"><b>ls -ldn /u</b></tt>
+drwxrwxrwx    3 10004    10000        4096 Apr 13 00:00 /u</pre></blockquote>
+
+<p>Notice how the owner and group are listed as being those of the
+domain user and group. Unfortunately, the GNU <em class="emphasis">ls</em>
+command won't show the full names of the domain
+users and groups, but we can use the <em class="emphasis">-ln</em> listing
+to show the UIDs and GIDs and then translate with the
+<em class="emphasis">wbinfo</em> command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -s `wbinfo -U 10004`</b></tt>
+METRAN\LINDA 1
+$ <tt class="userinput"><b>wbinfo -s `wbinfo -G 10000`</b></tt>
+METRAN\Domain Users 2</pre></blockquote>
+
+<p>(It's a bit messy, but it works, and it shows that
+the winbind system is working!) At this point, you might want to
+modify your <em class="filename">/etc/rc.d/init.d/smb</em> script to start
+and stop the <em class="emphasis">winbindd</em> daemon automatically along
+with the <em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>
+daemons. Starting with the script we presented in <a href="ch02.html">Chapter 2</a>, we first add this code to the
+<em class="emphasis">start( )</em> function:</p>
+
+<blockquote><pre class="code">echo -n $&quot;Starting WINBIND services: &quot;
+/usr/local/samba/bin/winbindd
+ERROR2=$?
+if [ $ERROR2 -ne 0 ]
+then
+    ERROR=1
+fi
+echo</pre></blockquote>
+
+<p>The previous code should be located after the code that starts
+<em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em>
+statement.</p>
+
+<a name="samba2-CHP-9-NOTE-148"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>We start <em class="emphasis">winbindd</em> after
+<em class="emphasis">nmbd</em> because <em class="emphasis">winbindd</em> needs
+<em class="emphasis">nmbd</em> to be running to work properly.</p>
+</blockquote>
+
+<p>In the <tt class="function">stop( )</tt> function, we add the following:</p>
+
+<blockquote><pre class="code">echo -n $&quot;Shutting down WINBIND services: &quot;
+/bin/kill -TERM -a winbindd
+ERROR2=$?
+if [ $ERROR2 -ne 0 ]
+then
+    ERROR=1
+fi
+echo</pre></blockquote>
+
+<p>Again, this code should be located after the code that stops
+<em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em>
+statement. <a name="INDEX-107"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.4"/>
+
+<h3 class="head2">Configuring PAM</h3>
+
+<p><a name="INDEX-108"/>Most
+popular Linux distributions use <a name="INDEX-109"/>Pluggable
+Authentication Modules (PAM), a suite of shared libraries that
+provide a centralized source of authentication for applications
+running on the Unix system. PAM can be configured differently for
+each application (or service) that uses it, without needing to
+recompile the application. As a hypothetical example, if an
+organization's security policy mandated the use of
+passwords exactly 10 characters in length, a PAM module could be
+written to check the length of passwords submitted by users and
+reject any attempts to use a longer or shorter password. PAM would
+then be reconfigured to include the new module for services such as
+<em class="emphasis">ftp</em>, console login, and GUI login that call upon
+PAM to authenticate users.</p>
+
+<p>If you are not already familiar with PAM, we suggest you read the
+documentation provided with the Linux PAM package before continuing.
+On most Linux systems, it is located in the
+<em class="filename">/usr/share/doc</em> directory hierarchy. Another
+resource is the <em class="citetitle">Linux-PAM System
+Administrator's
+Guide</em><a name="INDEX-110"/>, which you can find
+on the Internet at <a href="http://www.kernel.org/pub/linux/libs/pam">http://www.kernel.org/pub/linux/libs/pam</a>.</p>
+
+<p>The rest of this section is about using the PAM module provided in
+the Samba distribution to enable Windows domain users to authenticate
+on the Linux system hosting Samba. Depending on which services you
+choose to configure, this allows Windows domain users to log in on a
+local console (or through <em class="emphasis">telnet</em>), log in to a
+GUI desktop on the Linux system, authenticate with an FTP server
+running on the Linux system, or use other services normally limited
+to users who have an account on the Linux system. The PAM module
+authenticates Windows domain users by querying winbind, which passes
+the authentication off to a Windows NT domain controller.</p>
+
+<p>As an example, we will show how to allow Windows domain users to log
+in to a text console on the Linux system and get a command shell and
+home directory. The method used in our example can be applied (with
+variations) to other services.</p>
+
+<p>All users who can log in to the Linux system need a shell and a home
+directory. Unix and Linux keep this user information in the password
+file (<em class="filename">/etc/passwd</em> ), but information about
+Windows users isn't located there. Instead, in the
+Samba configuration file, we add the following to notify winbind what
+the shell and home directory for Windows domain users will be:</p>
+
+<blockquote><pre class="code">[global]
+    template shell = /bin/bash
+    template homedir = /home/%D/%U</pre></blockquote>
+
+<p>The first line sets the
+<tt class="literal">template</tt><a name="INDEX-111"/> <tt class="literal">shell</tt>
+parameter, which tells winbind what shell to use for domain users
+that are logging in to the Unix host. The
+<tt class="literal">template</tt><a name="INDEX-112"/>
+<tt class="literal">homedir</tt> parameter specifies the location of
+users' home directories. The <tt class="literal">%D</tt>
+variable is replaced by the name of the domain in which the
+user's account resides, and <tt class="literal">%U</tt> is
+replaced by the user's username in that domain.</p>
+
+<p>Before the domain users can successfully log in, their home
+directories must be created manually. To add a single account for
+<tt class="literal">linda</tt> in the METRAN domain, we would use these
+commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/METRAN</b></tt>
+# <tt class="userinput"><b>chmod 755 /home/METRAN</b></tt>
+
+# <tt class="userinput"><b>mkdir /home/METRAN/linda</b></tt>
+# <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /home/METRAN/linda</b></tt>
+# <tt class="userinput"><b>chmod 700 /home/METRAN/linda</b></tt></pre></blockquote>
+<a name="samba2-CHP-9-NOTE-149"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>One side effect of creating the home directories is that if the Samba
+server is configured with a <tt class="literal">[homes]</tt> share, the
+domain users can see and access their home directories through
+Samba's file sharing.</p>
+</blockquote>
+
+<p>Next, we need to compile and install the PAM module in the Samba
+distribution. From the source directory in the Samba distribution,
+issue the following commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>make nsswitch/pam_winbind.so</b></tt>
+# <tt class="userinput"><b>cp nsswitch/pam_winbind.so /lib/security</b></tt></pre></blockquote>
+
+<p>and check that it was copied over correctly:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ls /lib/security/pam_winbind.so</b></tt>
+/lib/security/pam_winbind.so</pre></blockquote>
+
+<p>On Red Hat Linux, the PAM configuration files reside in
+<em class="filename">/etc/pam.d</em>. Before making any modifications, we
+strongly advise making a backup of this directory:</p>
+
+<blockquote><pre class="code"># cp -pR /etc/pam.d /etc/pam.d.backup</pre></blockquote>
+
+<p>The reason for this is that we will be modifying the Linux
+system's means of authenticating logins, and if our
+configuration goes awry, all users (including
+<tt class="literal">root</tt>) will be locked out of the system. In case
+the worst happens, we would reboot into single-user mode (by typing
+<tt class="literal">linux</tt> <tt class="literal">single</tt> at the LILO:
+prompt) or boot a rescue disk, and then we would issue these two
+commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mv /etc/pam.d /etc/pam.d.bad</b></tt>
+# <tt class="userinput"><b>mv /etc/pam.d.backup /etc/pam.d</b></tt></pre></blockquote>
+
+<p>Be very careful to make sure you can recover from any errors you make
+because when PAM encounters any configuration information it
+doesn't understand, its action is not to allow
+access. This means you must be sure to enter everything correctly!
+You might want to leave yourself logged in as root on a spare virtual
+terminal while you are modifying your PAM configuration to ensure
+yourself a means of easy recovery.</p>
+
+<p>In the <em class="filename">/etc/pam.d</em> directory, you will encounter
+a file for each service that uses PAM. We are interested only in the
+file corresponding to the login service, which is called
+<em class="filename">login</em>. It contains the following lines:</p>
+
+<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
+auth       required     /lib/security/pam_stack.so service=system-auth
+auth       required     /lib/security/pam_nologin.so
+account    required     /lib/security/pam_stack.so service=system-auth
+password   required     /lib/security/pam_stack.so service=system-auth
+session    required     /lib/security/pam_stack.so service=system-auth
+session    optional     /lib/security/pam_console.so</pre></blockquote>
+
+<p>The lines starting with <tt class="literal">auth</tt> are related to the
+function of authentication&mdash;that is, printing a password prompt,
+accepting the password, verifying that it is correct, and matching
+the user to a valid user and group ID. The line starting with
+<tt class="literal">account</tt> is for account management, which allows
+access to be controlled by other factors, such as what times during
+the day a user is allowed access. We are not concerned with the lines
+starting with <tt class="literal">password</tt> or
+<tt class="literal">session</tt> because winbind does not add to either of
+those functions.</p>
+
+<p>The third column lists the PAM module, possibly with arguments, that
+is called in for the task. The
+<em class="filename">pam_stack.so</em><a name="INDEX-113"/> module has been added by Red Hat to act
+somewhat like a macro or a subroutine. It calls the file in the
+<em class="filename">pam.d</em> directory named by the service argument.
+In this case, the file <em class="filename">/etc/pam.d/system-auth</em>
+contains a common set of lines that are used as a default for many
+services. Because we want to customize the login service for winbind,
+we first replace the <em class="filename">pam_stack.so</em> lines for
+<tt class="literal">auth</tt> and <tt class="literal">account</tt> with the
+<tt class="literal">auth</tt> and <tt class="literal">account</tt> lines from
+<em class="filename">/etc/pam.d/system-auth</em>. This yields:</p>
+
+<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
+<b class="emphasis-bold">auth       required     /lib/security/pam_env.so</b>
+<b class="emphasis-bold">auth       sufficient   /lib/security/pam_unix.so likeauth nullok</b>
+<b class="emphasis-bold">auth       required     /lib/security/pam_deny.so</b>
+auth       required     /lib/security/pam_nologin.so
+<b class="emphasis-bold">account    required     /lib/security/pam_unix.so</b>
+password   required     /lib/security/pam_stack.so service=system-auth
+session    required     /lib/security/pam_stack.so service=system-auth
+session    optional     /lib/security/pam_console.so</pre></blockquote>
+
+<p>To add winbind support, we need to add a line in both the
+<tt class="literal">auth</tt> and <tt class="literal">account</tt> sections to
+call the
+<em class="filename">pam_winbind.so</em><a name="INDEX-114"/> module:</p>
+
+<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
+auth       required     /lib/security/pam_env.so
+<b class="emphasis-bold">auth       sufficient   /lib/security/pam_winbind.so</b>
+auth       sufficient   /lib/security/pam_unix.so <b class="emphasis-bold">use_first_pass</b> likeauth nullok
+auth       required     /lib/security/pam_deny.so
+auth       required     /lib/security/pam_nologin.so
+<b class="emphasis-bold">account    sufficient   /lib/security/pam_winbind.so</b>
+account    required     /lib/security/pam_unix.so
+password   required     /lib/security/pam_stack.so service=system-auth
+session    required     /lib/security/pam_stack.so service=system-auth
+session    optional     /lib/security/pam_console.so</pre></blockquote>
+
+<p>The keywords <tt class="literal">required</tt> and
+<tt class="literal">sufficient</tt> in the second column are significant.
+The keyword <tt class="literal">required</tt> specifies that the result
+returned by the module (either to pass or fail the authentication)
+must be taken into account, whereas the keyword
+<tt class="literal">sufficient</tt> specifies that if the module
+successfully authenticates the user, no further lines need to be
+processed. By specifying <tt class="literal">sufficient</tt> for the
+<em class="filename">pam_winbind.so</em> module, we let winbind attempt to
+authenticate users, and if it succeeds, the PAM system returns to the
+application. If the <em class="filename">pam_winbind.so</em> module
+doesn't find the user or the password does not
+match, the PAM system continues with the next line, which performs
+authentication according to the usual Linux user authentication. This
+way, both domain users and local users can log in.</p>
+
+<p>Notice that we also added the <tt class="literal">use_first_pass</tt>
+argument to the <em class="filename">pam_unix.so</em> module in the
+<tt class="literal">auth</tt> section. By default, both the
+<em class="filename">pam_winbind.so</em> and
+<em class="filename">pam_unix.so</em> modules print a password prompt and
+accept a password. In cases where users are logging in to the Linux
+system using their local accounts, this would require them to enter
+their password twice. The <tt class="literal">user_first_pass</tt> argument
+tells the <em class="filename">pam_unix.so</em> module to reuse the
+password that was given to the <em class="filename">pam_winbind.so</em>
+module, which results in users having to enter the password only
+once.</p>
+
+<p>After modifying the <em class="filename">login</em> configuration file,
+switch to a spare virtual console and make sure you can still log in
+using a regular Linux account. If not, check your modifications
+carefully and try again until you get it right. Then log in using a
+domain user account from the Windows PDC database to check that the
+winbind authentication works. You will need to specify the username
+in <em class="replaceable">DOMAIN</em>\<em class="replaceable">user</em>
+format, like this:</p>
+
+<blockquote><pre class="code">login: METRAN\linda
+Password:</pre></blockquote>
+
+<p>More information on configuring winbind can be found in the Samba
+source distribution file
+<em class="filename">docs/htmldocs/winbind.html</em>, and in the
+<em class="emphasis">winbindd</em> manual page. If you would like to learn
+more about configuring PAM, we recommend the web page <a href="http://www.kernel.org/pub/linux/libs/pam/">http://www.kernel.org/pub/linux/libs/pam/</a> as
+a starting place. Some of the documentation for Linux PAM, including
+Red Hat's extensions, can also be found on Red Hat
+Linux in
+<em class="filename">/usr/share/doc/pam-</em><em class="replaceable">version</em>.
+<a name="INDEX-115"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.5"/>
+
+<h3 class="head2">winbind Configuration Options</h3>
+
+<p><a href="ch09.html#samba2-CHP-9-TABLE-9">Table 9-9</a> <a name="INDEX-116"/><a name="INDEX-117"/>summarizes some commonly used options
+that you can use to configure winbind.</p>
+
+<a name="samba2-CHP-9-TABLE-9"/><h4 class="head4">Table 9-9. winbind options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">winbind</tt> <tt class="literal">separator</tt></p>
+</td>
+<td>
+<p>string (single character)</p>
+</td>
+<td>
+<p>Character to use as a separator in domain usernames and group names</p>
+</td>
+<td>
+<p>Backslash (<tt class="literal">\</tt>)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">winbind uid</tt></p>
+</td>
+<td>
+<p>string (numeric range)</p>
+</td>
+<td>
+<p>Range of UIDs for RID-to-UID mapping</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">winbind gid</tt></p>
+</td>
+<td>
+<p>string (numeric range)</p>
+</td>
+<td>
+<p>Range of GIDs for RID-to-GID mapping</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">winbind cache time</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Number of seconds the <em class="emphasis">winbindd</em> daemon caches
+user and group data</p>
+</td>
+<td>
+<p><tt class="literal">15</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">template</tt> <tt class="literal">homedir</tt></p>
+</td>
+<td>
+<p>string (directory name)</p>
+</td>
+<td>
+<p>Directory to be used as the home directory of the logged-in domain
+user</p>
+</td>
+<td>
+<p><tt class="literal">/home/%D/%U</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">template</tt> <tt class="literal">shell</tt></p>
+</td>
+<td>
+<p>string (command name)</p>
+</td>
+<td>
+<p>The program to use as the logged-in domain user's
+shell</p>
+</td>
+<td>
+<p><tt class="literal">/bin/false</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.1"/>
+
+<a name="INDEX-118"/><h3 class="head3">winbind separator</h3>
+
+<p>On Windows systems, the backslash (<tt class="literal">\</tt>) is commonly
+used as a separator in file names, UNCs, and the names of domain
+users and groups. For example, an account in the METRAN domain with a
+username of <tt class="literal">linda</tt> would be written as
+<tt class="literal">METRAN\linda</tt>. On Unix systems, the backslash is
+commonly used as a metacharacter for quoting, so the account would
+have to be specified as <tt class="literal">METRAN\\linda</tt> or
+'<tt class="literal">METRAN\linda</tt>'. The winbind separator parameter
+allows another character to be used instead of the backslash
+character, making it much easier to type in domain user and group
+names. For example, with:</p>
+
+<blockquote><pre class="code">[global]
+    winbind separator = +</pre></blockquote>
+
+<p>the aforementioned account could be written simply as
+<tt class="literal">METRAN+linda</tt> on the Unix host, making it
+unnecessary to use additional backslashes or single quotes. Winbind
+then uses the same format for reporting domain user and group names.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.2"/>
+
+<a name="INDEX-119"/><h3 class="head3">winbind uid</h3>
+
+<p>As part of <em class="emphasis">winbindd</em> 's task of
+letting Windows NT domain users function as local users on the Unix
+host, <em class="emphasis">winbindd</em> supplies a Unix UID that is
+linked to the Windows RID of the domain user. The
+<tt class="literal">winbind</tt> <tt class="literal">uid</tt> parameter allows
+the Unix system administrator to allocate a range of UIDs for this
+purpose. It is very important that this range not overlap any UIDs
+used for other purposes on the Unix system, so we recommend you begin
+your range at a very high number, one much larger than the number of
+local users and NIS users that will ever exist. For example,
+<tt class="literal">winbind</tt> <tt class="literal">uid</tt> might be defined
+as:</p>
+
+<blockquote><pre class="code">[global]
+    winbind uid = 10000-15000</pre></blockquote>
+
+<p>on a system that would never have more than 9,999 local and NIS
+users, or for that matter, any other entries in
+<em class="filename">/etc/passwd</em> that would use up another UID.
+Because the example allocates 5,000 UIDs to
+<em class="emphasis">winbindd</em>, the assumption is that there will
+never be more than 5,000 domain users accessing the Samba host.</p>
+
+<p>If your method for adding new local users to the system assigns UIDs
+automatically, make sure it does not assign them within the range of
+UIDs allocated to winbind. This might happen if the algorithm used
+adds 1 to the highest UID assigned thus far.</p>
+
+<p>There is no default for <tt class="literal">winbind</tt>
+<tt class="literal">uid</tt>, so you must specify it in your Samba
+configuration file for winbind to work.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.3"/>
+
+<a name="INDEX-120"/><h3 class="head3">winbind gid</h3>
+
+<p>This option works like <tt class="literal">winbind</tt>
+<tt class="literal">uid</tt>, except that it is for allocating a range of
+GIDs for use with <em class="emphasis">winbindd</em>. You might not need
+to allocate as many GIDs as UIDs because you probably have relatively
+few domain groups that need corresponding GIDs. (In many cases, users
+are all members of the Domain Users group, requiring only one GID.)
+However, it is best to play it safe, so make sure to allocate many
+more GIDs than you think you will need.</p>
+
+<p>As with <tt class="literal">winbind</tt> <tt class="literal">uid</tt>, if you are
+using a method of adding new local users to your Unix host that
+automatically assigns GIDs, either make sure the method used
+doesn't conflict with winbind or set the GIDs
+manually.</p>
+
+<p>There is no default for <tt class="literal">winbind</tt>
+<tt class="literal">gid</tt>, so you must specify it in your Samba
+configuration file for winbind to work.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.4"/>
+
+<a name="INDEX-121"/><h3 class="head3">winbind cache time</h3>
+
+<p>The <em class="emphasis">winbindd</em> daemon maintains a cache of user
+and group data that has been retrieved from the Windows PDC to reduce
+network queries and increase performance. The
+<tt class="literal">winbind</tt> <tt class="literal">cache</tt>
+<tt class="literal">time</tt> parameter allows the amount of time (in
+seconds) <em class="emphasis">winbindd</em> can use the cached data before
+querying the PDC to check for an update. By default, this interval is
+set to 15 seconds. This means that when any part of a user or group
+account on the PDC is modified, it can take up to 15 seconds for
+<em class="emphasis">winbindd</em> to update its own database.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.5"/>
+
+<a name="INDEX-122"/><h3 class="head3">template homedir</h3>
+
+<p>When the local Unix system is configured to allow domain users to log
+in, the user must be provided with a home directory for many
+programs, including command shells, to function properly. The
+<tt class="literal">template</tt> <tt class="literal">homedir</tt> option is used
+to set the name of the home directory. In the name of the directory,
+<tt class="literal">%D</tt> is replaced by the name of the Windows NT
+domain the user is in, and <tt class="literal">%U</tt> is replaced by his
+username. By default, <tt class="literal">template</tt>
+<tt class="literal">homedir</tt> is set to <tt class="literal">/home/%D/%U</tt>,
+which works fine for a network in which there might be more than one
+Windows NT domain, and it is possible for different people in
+different domains to have the same username. If you are sure you will
+never have more than one Windows NT domain on your network, or you
+have more than one domain but know for sure that unique users have
+identical usernames in each multiple domain, you might prefer to set
+<tt class="literal">template</tt> <tt class="literal">homedir</tt> like this:</p>
+
+<blockquote><pre class="code">[global]
+    template homedir = /home/%U</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.6"/>
+
+<a name="INDEX-123"/><h3 class="head3">template shell</h3>
+
+<p>This option specifies the program to use as the shell for domain
+users who are logged in to the Unix host. By default, it is set to
+<em class="emphasis">/bin/false</em>, which effectively denies domain
+users to log in. If you wish to allow logins for domain users, set
+<tt class="literal">template</tt> <tt class="literal">shell</tt> to a valid
+command shell (or other program) that you want to act as the textual
+interface the domain users will receive when logged in. A common
+setting on Linux would be:</p>
+
+<blockquote><pre class="code">[global]
+    template shell = /bin/bash</pre></blockquote>
+
+<p>which would give users the Bash shell for their interactive login
+sessions. <a name="INDEX-124"/><a name="INDEX-125"/> <a name="INDEX-126"/><a name="INDEX-127"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> Having both encrypted and nonencrypted
+password clients on your network is one of the reasons why Samba
+allows you to include (or not include) various options in the Samba
+configuration file based on the client operating system or machine
+name variables.</p> <a name="FOOTNOTE-2"/>
+<p><a href="#FNPTR-2">[2]</a> This is because the Unix <em class="emphasis">passwd</em> program,
+which is the usual target for this operation, allows
+<tt class="literal">root</tt> to change a user's password
+without the security restriction that requests the old password of
+that user.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch10.html b/docs/htmldocs/using_samba/ch10.html
new file mode 100644
index 0000000000..7ba29b1e95
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch10.html
@@ -0,0 +1,1695 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 10. Printing</h1>
+
+
+
+<p><a name="INDEX-1"/>This
+chapter tackles the topic of setting up printers for use with Samba.
+Aside from the &quot;coolness factor&quot; of
+seeing documents from Windows word processing and graphics
+applications appearing in the output tray of the Unix printer, this
+facility can greatly increase the usefulness of your Samba server. In
+many organizations, using a Unix system as the print server has led
+to happier system administrators and users alike, due to the reduced
+frequency of problems.</p>
+
+<p>Samba allows client machines to share printers connected to the Samba
+host system, and Samba can also send Unix documents to printers
+shared by Windows systems. In this chapter, we discuss how to get
+printers configured to work in either direction.</p>
+
+<p>We focus in this chapter on getting Samba to serve up printers that
+are already functioning on the Unix host. We include just a few
+basics about setting up printers on Unix. Good references for this
+topic include <em class="citetitle">Network Printing</em>,
+<em class="citetitle">Essential System Administration</em>, and
+<em class="citetitle">Running Linux</em>, all by
+O'Reilly and Associates.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-10-SECT-1"/>
+
+<h2 class="head1">Sending Print Jobs to Samba</h2>
+
+<p><a name="INDEX-2"/>A
+printer shared by the Samba server shows up in the list of shares
+offered in the Network Neighborhood. If the printer is registered on
+the client machine and the client has the correct printer driver
+installed, the client can effortlessly send print jobs to a printer
+attached to a Samba server. <a href="ch10.html#samba2-CHP-10-FIG-1">Figure 10-1</a> shows a
+Samba printer as it appears in the Network Neighborhood of a Windows
+client.</p>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-1"/><img src="figs/sam2_1001.gif"/></div><h4 class="head4">Figure 10-1. A Samba printer in the Network Neighborhood</h4>
+
+<p>To administer printers with Samba, you should understand the basic
+process by which
+<a name="INDEX-3"/>printing
+takes place on a network. On the client system, the application
+software prints by utilizing the system's printer
+driver for the printer that will be creating the actual output. It is
+the printer driver software running on the client system that
+translates the application's high-level calls into a
+stream of binary data specific to the model of printer in use. In the
+case of a serial, parallel, or USB printer, the data is stored in a
+temporary file in the local system's printer queue
+and then sent through the respective port directly to the printer.
+For a network printer, the file is sent over the network.</p>
+
+<a name="samba2-CHP-10-NOTE-150"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Because the data has already been processed through a printer driver
+by the time it reaches the Samba host, make sure the printer on the
+Unix system is configured without any printer driver and that it will
+print whatever data it receives in raw form. If you already have the
+printer configured for use by Unix applications, you might need to
+set up another queue for it to print documents received from Windows
+clients correctly.</p>
+</blockquote>
+
+<p>Sending a <a name="INDEX-4"/>print job to a printer on a
+<a name="INDEX-5"/>Samba server involves four steps:</p>
+
+<ol><li>
+<p>Opening and authenticating a connection to the printer share</p>
+</li><li>
+<p>Copying the file over the network</p>
+</li><li>
+<p>Closing the connection</p>
+</li><li>
+<p>Printing and deleting the copy of the file</p>
+</li></ol>
+<p>When a print job arrives at a Samba server, the print data is
+temporarily written to disk in the directory specified by the
+<tt class="literal">path</tt> option of the printer share. Samba then
+executes a Unix print command to send that datafile to the printer.
+The job is then printed as the authenticated user of the share. Note
+that this can be the guest user, depending on how the share is
+configured.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.1"/>
+
+<h3 class="head2">Print Commands</h3>
+
+<p><a name="INDEX-6"/>To print the
+document, you'll need to inform Samba of the command
+used to print and delete a file. On Linux, which uses a BSD-style
+printing system, a command that does this is:</p>
+
+<blockquote><pre class="code">lpr -r -P<em class="replaceable">printer</em> <em class="replaceable">file</em></pre></blockquote>
+
+<p>This command tells <a name="INDEX-7"/><em class="emphasis">lpr</em> to retrieve the
+name of the printer in the system configuration file
+(<em class="filename">/etc/printcap</em>) and interpret the rules it finds
+there to decide how to process the data and which physical device to
+send it to. Note that because the <em class="emphasis">-r</em> option has
+been specified, the file will be deleted after it has been printed.
+Of course, the file removed is just a copy stored on the Samba
+server; the original document on the client is unaffected.</p>
+
+<p>The process is similar on System V Unix. Here, printing and deleting
+become a compound command:</p>
+
+<blockquote><pre class="code">lp -d<em class="replaceable">printer</em> -s <em class="replaceable">file</em>; rm <em class="replaceable">file</em></pre></blockquote>
+
+<p>In this case, the <em class="filename">/etc/printcap</em> file is replaced
+with a different set of configuration files residing in
+<em class="filename">/usr/spool/lp</em>. Because the
+<em class="emphasis">lp</em> command has no option to delete the file
+after it is printed, we have added the <em class="emphasis">rm</em>
+command.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.2"/>
+
+<h3 class="head2">A Minimal Printing Setup</h3>
+
+<p>Let's start with a simple yet illustrative
+<a name="INDEX-8"/>printing
+share. Assuming that you're on a Linux system and
+you have a printer called <tt class="literal">netprinter</tt> listed in the
+printer capabilities file, the following addition to your
+<em class="filename">smb.conf</em> file makes the printer accessible
+through the network:</p>
+
+<blockquote><pre class="code">[printer1]
+    printable = yes
+    print command = /usr/bin/lpr -P%p -r %s
+    printer = netprinter
+    printing = BSD
+    path = /var/tmp</pre></blockquote>
+
+<p>The variable <tt class="literal">%s</tt> in the
+<tt class="literal">print</tt><a name="INDEX-9"/> <tt class="literal">command</tt>
+option is replaced with the name of the file to be printed when Samba
+executes the command. There are four Samba configuration-file
+variables specifically for use with
+<a name="INDEX-10"/>printing
+options. They are shown in <a href="ch10.html#samba2-CHP-10-TABLE-1">Table 10-1</a>.</p>
+
+<a name="samba2-CHP-10-TABLE-1"/><h4 class="head4">Table 10-1. Printing variables</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Variable</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">%s</tt></p>
+</td>
+<td>
+<p>The full pathname of the file on the Samba server to be printed</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%f</tt></p>
+</td>
+<td>
+<p>The name of the file itself (without the preceding path) on the Samba
+server to be printed</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%p</tt></p>
+</td>
+<td>
+<p>The name of the Unix printer to use</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%j</tt></p>
+</td>
+<td>
+<p>The number of the print job (for use with <tt class="literal">lprm</tt>,
+<tt class="literal">lppause</tt>, and <tt class="literal">lpresume</tt>)</p>
+</td>
+</tr>
+
+</table>
+
+<p>For other flavors of Unix, it is necessary to modify both the
+<tt class="literal">printing</tt> and <tt class="literal">print</tt>
+<tt class="literal">command</tt> options. For System V Unix, we would
+specify:</p>
+
+<blockquote><pre class="code">[printer1]
+    printing = SYSV
+    print command = lp -d%p -s %s; rm %s</pre></blockquote>
+
+<p>With the <tt class="literal">printing</tt> <tt class="literal">=</tt>
+<tt class="literal">SYSV</tt> parameter, we notify Samba that the local
+printing system uses the System V Unix method. As mentioned earlier,
+the <tt class="literal">%p</tt> variable resolves to the name of the
+printer, while the <tt class="literal">%s</tt> variable resolves to the
+name of the file.</p>
+
+<p>Clients might need to request the status of a print job sent to the
+Samba server. Because Samba sends print jobs to the Unix printing
+system for spooling, there might be a number of jobs in the queue at
+any given time. Consequently, Samba needs to communicate to the
+client not only the status of the current printing job, but also
+which documents are waiting to be printed on that printer. Samba also
+has to provide the client the ability to pause print jobs, resume
+print jobs, and remove print jobs from the printing queue. Samba
+provides options for each of these tasks. As you might expect, they
+borrow functionality from the following existing Unix commands:</p>
+
+<ul><li>
+<p><tt class="literal">lpq</tt><a name="INDEX-11"/></p>
+</li><li>
+<p><tt class="literal">lprm</tt><a name="INDEX-12"/></p>
+</li><li>
+<p><tt class="literal">lppause</tt><a name="INDEX-13"/></p>
+</li><li>
+<p><tt class="literal">lpresume</tt><a name="INDEX-14"/></p>
+</li></ul>
+<p>We cover these options in more detail later in this chapter. For the
+most part, Samba provides reasonable default values for them based on
+the value of the <tt class="literal">printing</tt> configuration option, so
+you can probably get by without having to formulate your own commands
+for them.</p>
+
+<p>Here are a few important items to remember about
+<a name="INDEX-15"/>printing shares:</p>
+
+<ul><li>
+<p>You must put
+<tt class="literal">printable</tt><a name="INDEX-16"/> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> in all printer shares (even
+<tt class="literal">[printers]</tt>) so that Samba knows they are printer
+shares. If you forget, the shares will be unusable for printing and
+will instead be treated as disk shares.</p>
+</li><li>
+<p>If you set the <tt class="literal">path</tt> configuration option in the
+printer section, any files sent to the printer(s) will be copied to
+the directory you specify instead of to the default location of
+<em class="filename">/tmp</em>. Because the amount of disk space allocated
+to <em class="filename">/tmp</em> can be relatively small in some Unix
+operating systems, many administrators prefer to use
+<em class="filename">/var/tmp, /var/spool/tmp</em>, or some other
+directory instead.</p>
+</li><li>
+<p>If you set <tt class="literal">guest</tt> <tt class="literal">ok</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in a printer share and
+Samba is configured for share-level security, anyone can send data to
+the printer as the <tt class="literal">guest</tt>
+<tt class="literal">account</tt> user.</p>
+</li></ul>
+<p>Using one or more Samba machines as a print server gives you a great
+deal of flexibility on your LAN. You can easily partition your
+available printers, restricting some to members of one department, or
+you can maintain a bank of printers available to all. In addition,
+you can restrict a printer to a select few by adding the
+<tt class="literal">valid</tt> <tt class="literal">users</tt> option to its share
+definition:</p>
+
+<blockquote><pre class="code">[deskjet]
+    printable = yes
+    path = /var/spool/samba/print
+    valid users = elizabeth cozy jack heather alexander lina emerald</pre></blockquote>
+
+<p>All the other share accessibility options work for printing shares as
+well.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.3"/>
+
+<h3 class="head2">The [printers] Share</h3>
+
+<p>If a share named
+<tt class="literal">[printers]</tt><a name="INDEX-17"/> is in the configuration file,
+Samba will automatically read in your printer capabilities file and
+create a printing share for each printer that appears in the file.
+For example, if the Samba server had <tt class="literal">lp</tt>,
+<tt class="literal">pcl</tt>, and <tt class="literal">ps</tt> printers in its
+printer capabilities file, Samba would provide three printer shares
+with those names, each configured with the options in the
+<tt class="literal">[printers]</tt> share.</p>
+
+<p>Recall that Samba obeys the following rules when a client requests a
+share that has not been created with an explicit share definition in
+the <em class="filename">smb.conf</em> file:</p>
+
+<ul><li>
+<p>If the share name matches a username in the system password file and
+a <tt class="literal">[homes]</tt> share exists, a new share is created
+with the name of the user and is initialized using the values given
+in the <tt class="literal">[homes]</tt> and <tt class="literal">[global]</tt>
+sections.</p>
+</li><li>
+<p>Otherwise, if the name matches a printer in the system printer
+capabilities file and a <tt class="literal">[printers]</tt> share exists, a
+new share is created with the name of the printer and initialized
+using the values given in the <tt class="literal">[printers]</tt> section.
+(Variables in the <tt class="literal">[global]</tt> section do not apply
+here.)</p>
+</li><li>
+<p>If neither of those succeeds, Samba looks for a
+<tt class="literal">default</tt> <tt class="literal">service</tt> share. If none
+is found, it returns an error.</p>
+</li></ul>
+<p>This brings to light an important point: be careful that you do not
+give a printer the same name as a user. Otherwise, users end up
+connecting to a disk share when they might have wanted a printer
+share instead.</p>
+
+<p>Here is an example
+<tt class="literal">[printers]</tt><a name="INDEX-18"/> share for a Linux system. Some of
+these options are already defaults; however, we have listed them
+anyway for illustrative purposes:</p>
+
+<blockquote><pre class="code">[printers]
+    printable = yes
+    printing = BSD
+    printcap name = /etc/printcap
+    print command = /usr/bin/lpr -P%p -r %s
+    path = /var/spool/lpd/tmp
+    min print space = 2000</pre></blockquote>
+
+<p>Here, we've given Samba global options that specify
+the printing type (BSD), a print command to send data to the printer
+and later remove the temporary file, the location of our printer
+capabilities file, and a minimum disk space for printing of 2MB.</p>
+
+<p>In addition, we've created a
+<tt class="literal">[printers]</tt> share for each system printer. Our
+temporary spooling directory is specified by the
+<tt class="literal">path</tt> option:
+<em class="filename">/var/spool/lpd/tmp</em>. Each share is marked as
+printable&mdash;this is a necessary option, even in the
+<tt class="literal">[printers]</tt> section.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.4"/>
+
+<h3 class="head2">Testing the Configuration</h3>
+
+<p><a name="INDEX-19"/>After running
+<em class="emphasis">testparm</em> and restarting the Samba daemons, you
+can check to make sure everything is set up correctly by using
+<em class="emphasis">smbclient</em><a name="INDEX-20"/><a name="INDEX-21"/> to send a file to the printer.
+Connect to the printer using the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient /</b></tt><em class="replaceable">server</em><tt class="userinput"><b>/</b></tt><em class="replaceable">printshare</em></pre></blockquote>
+
+<p>and then use the <em class="emphasis">print</em> command to print a file:</p>
+
+<blockquote><pre class="code">smb: /&gt; <tt class="userinput"><b>print </b></tt><em class="replaceable">textfile</em></pre></blockquote>
+
+<a name="samba2-CHP-10-NOTE-151"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you connect to a print share served by a Windows 95/98/Me system
+configured to use user-mode security and cannot authenticate using
+what you know to be a correct username and password, try
+reconfiguring the Windows system to use share-mode security.</p>
+</blockquote>
+
+<p>When you print something through the Samba server via
+<em class="emphasis">smbclient</em>, the following actions should occur:</p>
+
+<ul><li>
+<p>The job appears (briefly) in the Samba spool directory specified by
+the path.</p>
+</li><li>
+<p>The job shows up in your print system's spool
+directory.</p>
+</li><li>
+<p>The job disappears from the spool directory that Samba used.</p>
+</li></ul>
+<p>If <em class="emphasis">smbclient</em> cannot print, you can reset the
+<tt class="literal">print</tt> <tt class="literal">command</tt> option to collect
+debugging information:</p>
+
+<blockquote><pre class="code">print command = echo &quot;printed %s on %p&quot; &gt;&gt;/tmp/printlog</pre></blockquote>
+
+<p>A <a name="INDEX-22"/>common
+problem with Samba printer configuration is forgetting to use the
+full pathnames for commands. Another frequent problem is not having
+the correct permissions on the spooling directory.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> As usual,
+check your Samba log files and system log files for error messages.
+If you use BSD printing, you can change the <tt class="literal">lp</tt>
+keyword in the printer's printcap entry to something
+other than <em class="filename">/dev/null</em>, allowing you to collect
+error messages from the printing system.</p>
+
+<a name="samba2-CHP-10-NOTE-152"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>More information on
+<a name="INDEX-23"/>debugging printers is in the file
+<em class="filename">docs/textdocs/Printing.txt</em> in the Samba source
+distribution. The Unix print systems are covered in detail in
+<a name="INDEX-24"/>&AElig;leen
+Frisch's <em class="emphasis">Essential Systems
+Administration</em> (published by O'Reilly).</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.5"/>
+
+<h3 class="head2">Enabling SMB Printer Sharing in Mac OS X</h3>
+
+<p>With Samba preinstalled with
+<a name="INDEX-25"/><a name="INDEX-26"/>Mac OS X, sharing access to a printer
+among Windows clients is easy. First, of course, you should set up
+local access using the Print Center application (located in
+<em class="filename">/Applications/Utilities</em>). Under the Printers
+menu, select Add Printer..., and make the appropriate selection from
+the pop-up menu. For example, if the printer is directly attached,
+select USB; if the printer is powered on, it should appear in the
+list. Choose the printer, and press the Add button.</p>
+
+<p>Edit <em class="filename">/etc/smb.conf</em>, uncommenting the
+<tt class="literal">[printers]</tt> share and making any additional
+configuration changes you feel are necessary. Finally, enable the
+Samba startup item as described in <a href="ch02.html">Chapter 2</a>,
+either by checking Windows File Sharing in Sharing Preferences or by
+manually editing <em class="filename">/etc/hostconfig</em>. Now your
+printer can be used by remote Windows clients.</p>
+
+<p>On Mac OS X and some other BSD-based systems, you can test your
+configuration using
+<em class="emphasis">smbutil</em><a name="INDEX-27"/>. The following will send the
+file named <em class="filename">print_test_file</em> to the printer named
+<em class="filename">printshare</em> on the server
+<em class="emphasis">bsdserver</em> :</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil print //bsdserver/printshare print_test_file</b></tt></pre></blockquote>
+
+<p>See <a href="ch05.html">Chapter 5</a> for more information on using
+<em class="emphasis">smbutil</em>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.6"/>
+
+<h3 class="head2">Setting Up and Testing a Windows Client</h3>
+
+<p><a name="INDEX-28"/>Now that Samba is
+offering a workable printer, you can set up your access to it on a
+Windows client. Browse through the Samba server in the Network
+Neighborhood. It should now show each printer that is available. For
+example, in <a href="ch10.html#samba2-CHP-10-FIG-1">Figure 10-1</a>, we saw a printer called
+<tt class="literal">lp</tt>.</p>
+
+<p>Next, you need to have the Windows client recognize the printer.
+Double-click the printer icon to get started. If you try to select an
+uninstalled printer (as you just did), Windows will ask you if it
+should help configure it for the Windows system. Click the Yes or OK
+button, and the Printer Wizard will open.</p>
+
+<p>If you are installing a printer on Windows 95/98/Me, the first thing
+the wizard will ask is whether you need to print from DOS.
+Let's assume you don't, so choose
+the &quot;No&quot; radio button and press the
+Next &gt; button to get to the manufacturer/model window, as shown in
+<a href="ch10.html#samba2-CHP-10-FIG-2">Figure 10-2</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-2"/><img src="figs/sam2_1002.gif"/></div><h4 class="head4">Figure 10-2. Setting the manufacturer and model of the printer</h4>
+
+<p>In this dialog box, you should see a large list of manufacturers and
+models for a huge number of printers. Select the manufacturer of your
+printer in the left side of the dialog box, and then the exact model
+of the printer in the list on the right side.</p>
+
+<p>In some cases, you might not find your printer in the list, or the
+version of the printer driver included with Windows might be out of
+date. In cases such as these, consult the printer
+manufacturer's documentation on how to install the
+driver. Typically, you will click the Have Disk... button to install
+the driver from a CD-ROM or disk file.</p>
+
+<p>If you don't see your printer on the list, but you
+know it's a PostScript printer, select Apple as the
+manufacturer and Apple LaserWriter as the model. This will give you
+the most basic PostScript printer setup&mdash;and arguably one of the
+most reliable. If you already have PostScript printers attached, you
+will be asked about replacing or reusing the existing driver. Be
+aware that if you replace it with a new one, you might make your
+other printers fail. Therefore, we recommend you keep using your
+existing printer drivers as long as they're working
+properly.</p>
+
+<p>Click the Next &gt; or OK button. On Windows 95/98/Me, the Printer
+Wizard asks you to name the printer. On Windows NT/2000/XP, you need
+to right-click the printer's icon and select
+Properties to assign the printer a name. <a href="ch10.html#samba2-CHP-10-FIG-3">Figure 10-3</a>
+shows how we've named our printer to show that
+it's shared by the <tt class="literal">mixtec</tt> Samba
+server.</p>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-3"/><img src="figs/sam2_1003.gif"/></div><h4 class="head4">Figure 10-3. Setting the printer name</h4>
+
+<p>Finally, on Windows 95/98/Me the Printing Wizard asks if it should
+print a test page. Click the &quot;Yes&quot;
+radio button, then the Finish button, and you should be presented
+with the dialog box shown in <a href="ch10.html#samba2-CHP-10-FIG-4">Figure 10-4</a>. On Windows
+NT/2000/XP, the printer test function is also accessed through the
+printer's Properties dialog box.</p>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-4"/><img src="figs/sam2_1004.gif"/></div><h4 class="head4">Figure 10-4. Sending a test page to the printer</h4>
+
+<p>If the test printing was unsuccessful, click the No button and the
+Printing Wizard will walk you through some debugging steps for the
+client side of the process. If the test printing does work, the
+remote printer will now be available to all Windows applications
+through the File and Print menu items.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-10-SECT-2"/>
+
+<h2 class="head1">Printing to Windows Printers</h2>
+
+<p><a name="INDEX-29"/>If you have printers
+connected to systems running Windows 95/98/Me or Windows NT/2000/XP,
+the printers can also be accessed from your Unix system using tools
+that are part of the Samba distribution. First, it is necessary to
+create a printer share on the Windows system. Then set up the printer
+on the Unix side by configuring a new printer and using a Samba
+printing program as the printer's filter.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-2.1"/>
+
+<h3 class="head2">Sharing Windows Printers</h3>
+
+<p>Sharing printers on Windows is not unlike sharing files. In fact, it
+is a little simpler. Open the Control Panel, then double-click the
+Printers icon to open the Printers window. Right-click the icon for
+the printer you want to share, and select Sharing.... This opens the
+dialog box shown in <a href="ch10.html#samba2-CHP-10-FIG-5">Figure 10-5</a> for a Windows 98
+system, or <a href="ch10.html#samba2-CHP-10-FIG-6">Figure 10-6</a> on a Windows 2000 system.
+(The dialog box appears slightly different on other Windows versions,
+but functions almost identically.)</p>
+
+<a name="samba2-CHP-10-NOTE-153"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>On Windows 95/98/Me systems, you may need to run file sharing in
+share-level (rather than user-level) access control mode to access a
+shared printer from Samba. To check or set this mode, go to Control
+Panel, then double-click on Network, then click on the Access Control
+tab. More detailed information on this can be found in <a href="ch05.html">Chapter 5</a>.</p>
+</blockquote>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-5"/><img src="figs/sam2_1005.gif"/></div><h4 class="head4">Figure 10-5. Sharing printers on Windows 98</h4>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-6"/><img src="figs/sam2_1006.gif"/></div><h4 class="head4">Figure 10-6. Sharing printers on Windows 2000</h4>
+
+<p>Click the &quot;Shared as&quot; radio button,
+then click the OK button. The printer is now accessible by other
+systems on the network.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-2.2"/>
+
+<h3 class="head2">Adding a Unix Printer</h3>
+
+<p><a name="INDEX-30"/>The Samba distribution comes with
+three programs that assist with printing on shared printers. The
+<em class="emphasis">smbprint</em><a name="INDEX-31"/> program works with systems that use the
+BSD printing system,
+<em class="emphasis">smbprint.sysv</em><a name="INDEX-32"/>
+works with systems that use System V printing, and
+<em class="emphasis">smbspool</em><a name="INDEX-33"/>
+works with systems that use the Common Unix Printing System (CUPS).
+In the following sections we show you how to install printers for
+each system.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.2.1"/>
+
+<h3 class="head3">BSD printers</h3>
+
+<p><a name="INDEX-34"/><a name="INDEX-35"/>The
+BSD printing system is used by many Unix variants, including Red Hat
+Linux. With BSD printing, all the printers on the system have an
+entry in the <em class="filename">/etc/printcap</em> file, which is the
+database of printer capabilities used by the <em class="emphasis">lpd</em>
+line printer daemon and other programs that assist with printing. The
+Red Hat Linux implementation is a bit different in that
+<em class="filename">/etc/printcap</em> is a machine-generated file, which
+is re-created every time the <em class="emphasis">lpd</em> daemon is
+restarted by the <em class="emphasis">/etc/rc.d/init.d/lpd</em> script.
+Instead of editing <em class="filename">/etc/printcap</em>, we will add an
+entry for our printer in <em class="filename">/etc/printcap.local</em>,
+which the system automatically includes verbatim when creating
+<em class="filename">/etc/printcap</em>.</p>
+
+<a name="samba2-CHP-10-NOTE-154"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you are using the version of Samba installed from an RPM file as
+on Red Hat Linux, you might be able to skip these directions and use
+the <em class="emphasis">printconf</em> tool, which has support for SMB
+printers. Unfortunately, this tool might not work correctly if you
+have installed Samba from the Samba source distribution.</p>
+</blockquote>
+
+<p>Here is the entry we added to our
+<em class="filename">/etc/printcap.local</em><a name="INDEX-36"/><a name="INDEX-37"/> file to support our Hewlett-Packard
+DeskJet 932C printer, which is shared by <tt class="literal">maya</tt>, a
+Windows 98 system:</p>
+
+<blockquote><pre class="code">lp|maya-hp932c:\
+    :cm=HP 932C on maya:\
+    :sd=/var/spool/lpd/maya:\
+    :af=/var/spool/lpd/maya/acct:\
+    :if=/usr/local/samba/bin/smbprint:\
+    :mx=0:\
+    :lp=/dev/null:</pre></blockquote>
+
+<p>The first line creates names for the printer. We are calling it both
+<tt class="literal">maya-hp932c</tt>, to describe its location on the
+network and the type of printer, and <tt class="literal">lp</tt> so that
+programs will use it as the default printer. The rest of the lines
+specify keywords and values. The <tt class="literal">cm</tt> keyword allows
+us to assign a comment string to the printer. The
+<tt class="literal">sd</tt> and <tt class="literal">af</tt> keywords assign the
+printer's spool directory and accounting files,
+respectively. The <tt class="literal">if</tt> keyword assigns the print
+filter. We are using the <em class="emphasis">smbprint</em> command to
+send the output to the shared SMB printer. The <tt class="literal">mx</tt>
+keyword is set to zero to allow any size file to be printed, and
+<tt class="literal">lp</tt> is set to <em class="filename">/dev/null</em> to
+discard error messages.</p>
+
+<p>You can follow our model to create an entry for your own printer. If
+you want to go beyond the capabilities we used, refer to your
+system's <em class="emphasis">printcap(5)</em> manual
+page for a complete listing of keywords.</p>
+
+<p>Go to your Samba source distribution's root
+directory, and install the <em class="emphasis">smbprint</em> program like
+this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cp examples/printing/smbprint /usr/local/samba/bin</b></tt></pre></blockquote>
+
+<p>We next create the printer's spool directory:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cd /var/spool/lpd</b></tt>
+# <tt class="userinput"><b>mkdir maya</b></tt>
+# <tt class="userinput"><b>chown lp:lp maya</b></tt>
+# <tt class="userinput"><b>chmod 700 maya</b></tt></pre></blockquote>
+
+<p>The <em class="emphasis">smbprint</em> program looks for a file named
+<em class="filename">.config</em> in the printer's spool
+directory, which contains information on how to connect to the
+printer share. We create this file and then fill in the required
+information:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cd maya</b></tt>
+# <tt class="userinput"><b>&gt;.config</b></tt>
+# <tt class="userinput"><b>chown lp:lp .config</b></tt>
+# <tt class="userinput"><b>chmod 600 .config</b></tt></pre></blockquote>
+
+<p>Use your preferred text editor to edit the
+<em class="filename">.config</em> file, and enter three lines, like this:</p>
+
+<blockquote><pre class="code">server=maya
+service=hp
+password=&quot;&quot;</pre></blockquote>
+
+<p>This is for our shared printer having a UNC of
+<em class="filename">\\maya\hp</em>. When we created the printer share, we
+did not give it a password, so we use a null password here. If your
+printer share is on a Windows NT/2000/XP system, use your domain
+password.</p>
+
+<p>Finally, restart the printer daemon:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/lpd restart</b></tt></pre></blockquote>
+
+<p>You can now try printing something. Run the following command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>lpr textfile</b></tt></pre></blockquote>
+
+<p>If you have everything set up correctly, the file prints on the
+shared printer. If you get &quot;stair
+stepping&quot; of text, caused by the printer not
+returning to the left margin at the beginning of every line, modify
+the <tt class="literal">if</tt> keyword in your printcap entry to run
+<em class="emphasis">smbprint</em> with the <em class="emphasis">-t</em>
+option. <a name="INDEX-38"/><a name="INDEX-39"/></p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.2.2"/>
+
+<h3 class="head3">System V printers</h3>
+
+<p><a name="INDEX-40"/><a name="INDEX-41"/>Sending print jobs from a System V Unix
+system is a little easier than with the BSD system. Here, you need to
+edit the <em class="filename">smbprint.sysv</em> script in the
+<em class="filename">examples/printing</em> directory of the Samba
+distribution and do the following:</p>
+
+<ol><li>
+<p>Change the <tt class="literal">server</tt>, <tt class="literal">service</tt>, and
+<tt class="literal">password</tt> parameters in the script to match the
+NetBIOS computer name, its shared printer service, and its password,
+respectively. For example, the following entries would be correct for
+the service in the previous example:</p>
+
+<blockquote><pre class="code">server = maya
+service = hp
+password = &quot;&quot;</pre></blockquote>
+</li>
+<li>
+<p>Run the following commands, which create a reference for the new
+printer (which we are naming <tt class="literal">hp_printer</tt>) in the
+printer capabilities file:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>lpadmin -p hp_printer -v /dev/null -i./smbprint.sysv</b></tt>
+# <tt class="userinput"><b>enable hp_printer</b></tt>
+# <tt class="userinput"><b>accept hp_printer</b></tt></pre></blockquote>
+</li></ol>
+<p>After you've done that, restart the Samba daemons
+and try printing to <tt class="literal">hp_printer</tt> using any standard
+Unix program.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.2.3"/>
+
+<h3 class="head3">CUPS printers</h3>
+
+<p><a name="INDEX-42"/><a name="INDEX-43"/><a name="INDEX-44"/>CUPS<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> uses
+a set of modules, called
+<em class="firstterm">backends</em><a name="INDEX-45"/>, to send print jobs to various
+destinations, such as local printers attached to parallel, serial, or
+Universal Serial Bus (USB) ports, or over the network using Unix line
+printer daemon (LPD) protocol, Internet Printing Protocol (IPP),
+AppleTalk Printer Access Protocol (PAP), and so on. The software
+package does not come with a backend for SMB; the Samba suite
+includes the <em class="emphasis">smbspool</em>
+<a name="INDEX-46"/>utility for this purpose.</p>
+
+<p>To enable printing to remote SMB printers using CUPS, create a
+symbolic link named <em class="filename">smb</em> in the CUPS backend
+directory pointing to <em class="emphasis">smbspool</em>. Depending on
+installation options, these could be in a number of places in the
+directory hierarchy, so be sure to check your system. Using a common
+default installation, the command would look like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /usr/local/samba/bin/smbspool /usr/lib/cups/backend/smb</b></tt></pre></blockquote>
+
+<p>Issue a HUP signal to the CUPS daemon, <em class="emphasis">cupsd</em>,
+and check for the existence of SMB support with the <em class="emphasis">lpinfo
+-v</em> command. Its output should now include a line that says
+<tt class="literal">network</tt> <tt class="literal">smb</tt>.</p>
+
+<p>To add a printer, use the CUPS web interface, accessible on the local
+system at <em class="emphasis">http://localhost:631/</em>,
+or use the <em class="emphasis">lpadmin</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>lpadmin -p hp932c -E -v smb://maya/hp932c -D &quot;HP 932C on maya&quot;</b></tt></pre></blockquote>
+
+<p>This creates and enables the new print spool called
+<tt class="literal">hp932c</tt>. The <em class="emphasis">-v</em> argument
+specifies the printer device, which in this case is accessed over the
+network using an SMB URI. If the printer is not guest-accessible,
+you'll need to provide a username and password in
+the URI. The full format is as follows:</p>
+
+<blockquote><pre class="code">smb://[<em class="replaceable">username</em>[:<em class="replaceable">password</em>]@][<em class="replaceable">workgroup</em>/]<em class="replaceable">server</em>/<em class="replaceable">printshare</em></pre></blockquote>
+
+<p>The <em class="emphasis">lpadmin</em><a name="INDEX-47"/> command makes changes to
+<em class="filename">/etc/cups/printers.conf</em> and sends a HUP signal
+to the <em class="emphasis">cupsd</em> daemon, resulting in the creation
+of a local raw printer spool. In this example, print data is passed
+in raw format to the Windows system, which has the necessary printer
+drivers and printer description files to format the data
+appropriately. The <em class="emphasis">-D</em> option is used to give the
+printer a comment string.</p>
+
+<p>Once you have the printer set up, it's time to test
+it out. CUPS understands both BSD-style and System V-style printing
+commands, so you can use whichever is more comfortable. Using the BSD
+<em class="emphasis">lpr</em> command, try something like:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>lpr -P hp932c textfile</b></tt></pre></blockquote>
+
+<p>You should now be set up to use the printer from any application on
+the Unix system. <a name="INDEX-48"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-2.3"/>
+
+<h3 class="head2">Samba Printing Options</h3>
+
+<p><a href="ch10.html#samba2-CHP-10-TABLE-2">Table 10-2</a> summarizes the Samba <a name="INDEX-49"/><a name="INDEX-50"/>printing
+options.</p>
+
+<a name="samba2-CHP-10-TABLE-2"/><h4 class="head4">Table 10-2. Printing configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">printing</tt></p>
+</td>
+<td>
+<p><tt class="literal">bsd</tt>, <tt class="literal">sysv</tt>,
+<tt class="literal">cups</tt>, <tt class="literal">hpux</tt>,
+<tt class="literal">aix</tt>, <tt class="literal">qnx</tt>,
+<tt class="literal">plp</tt>, <tt class="literal">softq</tt>, or
+<tt class="literal">lprng</tt></p>
+</td>
+<td>
+<p>Printing system type of the Samba host</p>
+</td>
+<td>
+<p>System-dependent</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">printable</tt> <tt class="literal">(print ok)</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>Marks a share as a printing share</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">printer</tt> <tt class="literal">(printer name)</tt></p>
+</td>
+<td>
+<p>string (Unix printer name)</p>
+</td>
+<td>
+<p>Name for the printer that is shown to clients</p>
+</td>
+<td>
+<p>System-dependent</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpq cache time</tt></p>
+</td>
+<td>
+<p>numeric (time in seconds)</p>
+</td>
+<td>
+<p>Amount of time in seconds that Samba will cache the printer queue
+status</p>
+</td>
+<td>
+<p><tt class="literal">10</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">postscript</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>Treats all print jobs as PostScript by prefixing
+<tt class="literal">%!</tt> at the beginning of each file</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">load printers</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, automatically loads each printer in the
+<em class="emphasis">printcap</em> file as printing shares</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">print command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to perform printing</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpq command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to return the status of the printing queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lprm command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to remove a job from the printing queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lppause command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to pause a job on the printing queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpresume</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to resume a paused job on the printing queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">printcap name</tt></p>
+
+<p><tt class="literal">(printcap)</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Location of the printer capabilities file</p>
+</td>
+<td>
+<p>System-dependent</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">min print space</tt></p>
+</td>
+<td>
+<p>numeric (size in kilobytes)</p>
+</td>
+<td>
+<p>Minimum amount of free disk space that must be present to print</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">queuepause</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to pause a queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">queueresume</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to resume a queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.1"/>
+
+<h3 class="head3">printing</h3>
+
+<p>The <tt class="literal">printing</tt><a name="INDEX-51"/> configuration option tells
+Samba which <a name="INDEX-52"/>printing system to use. There are
+several different families of commands to control printing and print
+statusing. Samba supports seven different types, as shown in <a href="ch10.html#samba2-CHP-10-TABLE-3">Table 10-3</a>.</p>
+
+<a name="samba2-CHP-10-TABLE-3"/><h4 class="head4">Table 10-3. Printing system types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Variable</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>BSD</p>
+</td>
+<td>
+<p>Berkeley Unix system</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>SYSV</p>
+</td>
+<td>
+<p>System V</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>CUPS</p>
+</td>
+<td>
+<p>Common Unix Printing System</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>AIX</p>
+</td>
+<td>
+<p>IBM's AIX operating system</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>HPUX</p>
+</td>
+<td>
+<p>Hewlett-Packard Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>QNX</p>
+</td>
+<td>
+<p>QNX Realtime Operating System</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>LPRNG</p>
+</td>
+<td>
+<p>LPR Next Generation</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>SOFTQ</p>
+</td>
+<td>
+<p>SOFTQ system</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>PLP</p>
+</td>
+<td>
+<p>Portable Line Printer</p>
+</td>
+</tr>
+
+</table>
+
+<p>The value for this option must be one of these seven selections. For
+example:</p>
+
+<blockquote><pre class="code">printing = SYSV</pre></blockquote>
+
+<p>The default value of this option is system-dependent and is
+configured when Samba is first compiled. For most systems, the
+<em class="filename">configure</em> script automatically detects the
+printing system to be used and configures it properly in the Samba
+makefile. However, if your system is a PLP, LPRNG, or QNX printing
+system, you need to specify this explicitly in the makefile or the
+printing share.</p>
+
+<p>The most common system types are BSD, SYSV, and CUPS. Each printer on
+a BSD Unix server is described in the printer capabilities
+file&mdash;normally <em class="filename">/etc/printcap</em>. See the
+section on the <tt class="literal">printcap</tt> <tt class="literal">file</tt>
+parameter for more information on this topic.</p>
+
+<p>Setting the <tt class="literal">printing</tt> configuration option
+automatically sets at least three other printing options for the
+service in question: <tt class="literal">print</tt>
+<tt class="literal">command</tt>, <tt class="literal">lpq</tt>
+<tt class="literal">command</tt>, and <tt class="literal">lprm</tt>
+<tt class="literal">command</tt>. If you are running Samba on a system that
+doesn't support any of the printing styles listed in
+<a href="ch10.html#samba2-CHP-10-TABLE-3">Table 10-3</a>, simply set the commands for each of
+these manually.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.2"/>
+
+<h3 class="head3">printable</h3>
+
+<p>The <tt class="literal">printable</tt><a name="INDEX-53"/> option must be set to
+<tt class="literal">yes</tt> to flag a share as a printing service. If this
+option is not set, the share will be treated as a disk share instead.
+You can set the option as follows:</p>
+
+<blockquote><pre class="code">[printer1]
+    printable = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.3"/>
+
+<a name="INDEX-54"/><h3 class="head3">printer</h3>
+
+<p>The option, also called
+<tt class="literal">printer</tt><a name="INDEX-55"/> <tt class="literal">name</tt>,
+specifies the name of the printer on the server to which the share
+points. This option has no default and should be set explicitly in
+the configuration file, even though Unix systems themselves often
+recognize a default name such as <tt class="literal">lp</tt> for a printer.
+For example:</p>
+
+<blockquote><pre class="code">[deskjet]
+    printer = hpdkjet1</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.4"/>
+
+<h3 class="head3">lpq cache time</h3>
+
+<p>The global <tt class="literal">lpq</tt><a name="INDEX-56"/> <tt class="literal">cache</tt>
+<tt class="literal">time</tt> option allows you to set the number of
+seconds for which Samba will remember the current printer status.
+After this time elapses, Samba will issue an <em class="emphasis">lpq</em>
+command (or whatever command you specify with the
+<tt class="literal">lpq</tt> <tt class="literal">command</tt> option) to get a
+more up-to-date status that it can report to users. This defaults to
+10 seconds, but can be increased if your <tt class="literal">lpq</tt>
+<tt class="literal">command</tt> takes an unusually long time to run or you
+have lots of clients. A time setting of 0 disables caching of queue
+status. The following example resets the time to 30 seconds:</p>
+
+<blockquote><pre class="code">[deskjet]
+    lpq cache time = 30</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.5"/>
+
+<h3 class="head3">postscript</h3>
+
+<p>The <tt class="literal">postscript</tt><a name="INDEX-57"/> option forces the
+printer to treat all data sent to it as PostScript. It does this by
+prefixing the characters <tt class="literal">%!</tt> to the beginning of
+the first line of each job. It is normally used with PCs that insert
+a <tt class="literal">^D</tt> (control-D or
+&quot;end-of-file&quot; mark) in front of the
+first line of a PostScript file. It will not, obviously, turn a
+non-PostScript printer into a PostScript one. The default value of
+this options is <tt class="literal">no</tt>. You can override it as
+follows:</p>
+
+<blockquote><pre class="code">[deskjet]
+    postscript = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.6"/>
+
+<h3 class="head3">load printers</h3>
+
+<p>The <tt class="literal">load</tt><a name="INDEX-58"/> <tt class="literal">printers</tt>
+option tells Samba to create shares for all known printer names and
+load those shares into the browse list. Samba will create and list a
+printer share for each printer name in
+<em class="filename">/etc/printcap</em> (or the system equivalent). For
+example, if your
+<em class="filename">printcap</em><a name="INDEX-59"/> file looks
+like this:<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a></p>
+
+<blockquote><pre class="code">lp:\
+  :sd=/var/spool/lpd/lp:\            <i class="lineannotation">spool directory</i>
+  :mx#0:\                            <i class="lineannotation">maximum file size (none)</i>
+  :sh:\                              <i class="lineannotation">supress burst header (no)</i>
+  :lp=/dev/lp1:\                     <i class="lineannotation">device name for output</i>
+  :if=/var/spool/lpd/lp/filter:      <i class="lineannotation">text filter</i>
+
+laser:\
+  :sd=/var/spool/lpd/laser:\         <i class="lineannotation">spool directory</i>
+  :mx#0:\                            <i class="lineannotation">maximum file size (none)</i>
+  :sh:\                              <i class="lineannotation">supress burst header (no)</i>
+  :lp=/dev/laser:\                   <i class="lineannotation">device name for output</i>
+  :if=/var/spool/lpd/lp/filter:      <i class="lineannotation">text filter</i></pre></blockquote>
+
+<p>the shares <tt class="literal">[lp]</tt> and <tt class="literal">[laser]</tt> are
+automatically created as valid print shares when Samba is started.
+Both shares borrow the configuration options specified in the
+<tt class="literal">[printers]</tt> section to configure themselves and are
+available in the browse list for the Samba server. The default value
+for this option is <tt class="literal">yes</tt>. If you prefer to specify
+each printer explicitly in your configuration file, use the
+following:</p>
+
+<blockquote><pre class="code">[global]
+    load printers = no</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.7"/>
+
+<a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/><a name="INDEX-64"/><h3 class="head3">print command, lpq command, lprm command,lppause command, lpresume command</h3>
+
+<p>These options tell Samba which Unix commands control and send data to
+the printer. The Unix commands involved are: <em class="emphasis">lpr</em>
+(send to Line PRinter), <em class="emphasis">lpq</em> (List Printer
+Queue), <em class="emphasis">lprm</em> (Line Printer ReMove), and
+optionally <em class="emphasis">lppause</em> and
+<em class="emphasis">lpresume</em>. Samba provides an option named after
+each command, in case you need to override any of the system
+defaults. For example, consider the following:</p>
+
+<blockquote><pre class="code">lpq command = /usr/ucb/lpq %p</pre></blockquote>
+
+<p>This would set <tt class="literal">lpq</tt> <tt class="literal">command</tt> to
+use <em class="filename">/usr/ucb/lpq</em>. Similarly:</p>
+
+<blockquote><pre class="code">lprm command = /usr/local/bin/lprm -P%p %j</pre></blockquote>
+
+<p>would set the Samba printer remove command to
+<em class="filename">/usr/local/bin/lprm</em> and provide it the print job
+number using the <tt class="literal">%j</tt> variable.</p>
+
+<p>The default values for each option are dependent on the value of the
+<tt class="literal">printing</tt> option. <a href="ch10.html#samba2-CHP-10-TABLE-4">Table 10-4</a>
+shows the default commands for each printing option. The most popular
+printing system is BSD.</p>
+
+<a name="samba2-CHP-10-TABLE-4"/><h4 class="head4">Table 10-4. Default commands for various printing options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>BSD, AIX, PLP, LPRNG</p>
+</th>
+<th>
+<p>SYSV, HPUX</p>
+</th>
+<th>
+<p>QNX</p>
+</th>
+<th>
+<p>SOFTQ</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">print</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpr -r -P%p %s</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -c -d%p %s; rm</tt> <tt class="literal">%s</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -r -P%p %s</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -d%p -s %s; rm %s</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpq</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpq -P%p</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpstat -o%p</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpq -P%p</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpstat -o%p</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lprm</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lprm -P%p %j</tt></p>
+</td>
+<td>
+<p><tt class="literal">cancel %p-%j</tt></p>
+</td>
+<td>
+<p><tt class="literal">cancel %p-%j</tt></p>
+</td>
+<td>
+<p><tt class="literal">cancel %p-%j</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lppause</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -i %p-%j -H</tt> <tt class="literal">hold</tt></p>
+
+<p>(SYSV only)</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>None</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpresume</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -i %p-%j -H</tt> <tt class="literal">resume</tt></p>
+
+<p>(SYSV only)</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p><tt class="literal">qstat -s -j%j -r</tt></p>
+</td>
+</tr>
+
+</table>
+
+<p>It is usually unnecessary to reset these options in Samba, with the
+possible exception of the <tt class="literal">print</tt>
+<tt class="literal">command</tt>. This option might need to be set
+explicitly if your printing system doesn't have a
+<em class="emphasis">-r</em> (remove after printing) option on the
+printing command. For example:</p>
+
+<blockquote><pre class="code">print command = /usr/local/lpr -P%p %s; /bin/rm %s</pre></blockquote>
+
+<p>With a bit of judicious programming, these
+<em class="filename">smb.conf</em> options can also be used for debugging:</p>
+
+<blockquote><pre class="code">print command = cat %s &gt;&gt;/tmp/printlog; lpr -r -P%p %s</pre></blockquote>
+
+<p>Using the previous configuration, it is possible to verify that files
+are actually being delivered to the Samba server. If they are, their
+contents will show up in the file <em class="filename">/tmp/printlog</em>.</p>
+
+<p>After BSD, the next most popular kind of printing system is SYSV (or
+System V) printing, plus some SYSV variants for
+IBM's AIX and Hewlett-Packard's
+HP-UX. These systems do not have an
+<em class="filename">/etc/printcap</em> file. Instead, the
+<tt class="literal">printcap</tt> <tt class="literal">file</tt> option can be set
+to an appropriate <em class="emphasis">lpstat</em> command for the system.
+This tells Samba to get a list of printers from the
+<em class="emphasis">lpstat</em> command. Alternatively, you can set the
+global configuration option <tt class="literal">printcap</tt>
+<tt class="literal">name</tt> to the name of a dummy
+<em class="filename">printcap</em> file you provide. In the latter case,
+the file must contain a series of lines such as:</p>
+
+<blockquote><pre class="code">lp|print1|My Printer 1
+print2|My Printer 2
+print3|My Printer 3</pre></blockquote>
+
+<p>Each line names a printer followed by aliases for it. In this
+example, the first printer is called <tt class="literal">lp</tt>,
+<tt class="literal">print1</tt>, or <tt class="literal">My</tt>
+<tt class="literal">Printer</tt> <tt class="literal">1</tt>, whichever the user
+prefers to use. The first name is used in place of
+<tt class="literal">%p</tt> in any command Samba executes for that printer.</p>
+
+<p>Two additional printer types are also supported by Samba: LPRNG (LPR
+New Generation) and PLP (Public Line Printer). These are public
+domain and open source printing systems and are used by many sites to
+overcome problems with vendor-supplied software. Samba also supports
+the printing systems of the SOFTQ and QNX real-time operating
+systems.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.8"/>
+
+<h3 class="head3">printcap name</h3>
+
+<p>If the <tt class="literal">printcap</tt><a name="INDEX-65"/><a name="INDEX-66"/>
+<tt class="literal">name</tt> option (also called
+<tt class="literal">printcap</tt>) appears in a printing share, Samba uses
+the file specified as the system printer capabilities file (normally
+<em class="filename">/etc/printcap</em>). However, you can reset it to a
+file consisting of only the printers you want to share over the
+network. The value must be the filename (with its complete path
+specified) of a printer capabilities file on the server:</p>
+
+<blockquote><pre class="code">[deskjet]
+    printcap name = /usr/local/samba/lib/printcap</pre></blockquote>
+
+<p>The CUPS printing system uses its own method of determining printer
+capabilities, rather than the standard <em class="filename">printcap</em>
+file. In this case, set <tt class="literal">printcap</tt>
+<tt class="literal">name</tt> as follows:</p>
+
+<blockquote><pre class="code">[global]
+    printing = cups
+    printcap name = cups</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.9"/>
+
+<h3 class="head3">min print space</h3>
+
+<p>The <tt class="literal">min</tt><a name="INDEX-67"/> <tt class="literal">print</tt>
+<tt class="literal">space</tt> option sets the amount of space that must be
+available on the disk that contains the spool directory if printing
+is to be allowed. Setting it to zero (the default) turns the check
+off; setting it to any other number sets the amount of free space in
+kilobytes required. This option helps to avoid having print jobs fill
+up the remaining disk space on the server, which can cause other
+processes to fail:</p>
+
+<blockquote><pre class="code">[deskjet]
+    min print space = 4000</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.10"/>
+
+<a name="INDEX-68"/><h3 class="head3">queuepause command</h3>
+
+<p>This configuration option specifies a command that tells Samba how to
+pause an entire print queue, as opposed to a single job on the queue.
+The default value depends on the printing type chosen. You should not
+need to alter this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.11"/>
+
+<a name="INDEX-69"/><h3 class="head3">queueresume command</h3>
+
+<p>This configuration option specifies a command that tells Samba how to
+resume a paused print queue, as opposed to resuming a single job on
+the print queue. The default value depends on the printing type
+chosen. You should not need to alter this option. <a name="INDEX-70"/> <a name="INDEX-71"/> <a name="INDEX-72"/><a name="INDEX-73"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> If
+you are using Linux, you can use the <em class="emphasis">checkpc</em>
+command to check for this type of error.</p> <a name="FOOTNOTE-2"/>
+<p><a href="#FNPTR-2">[2]</a> CUPS is open source software (<a href="http://www.opensource.org">http://www.opensource.org</a>) developed by Easy
+Software Products. For more information, visit <a href="http://www.cups.org">http://www.cups.org</a>.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> We have placed annotated comments off to
+the right in case you've never dealt with this file
+before.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch11.html b/docs/htmldocs/using_samba/ch11.html
new file mode 100644
index 0000000000..026879db40
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch11.html
@@ -0,0 +1,2123 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 11. Additional Samba Information</h1>
+
+
+<p>This chapter wraps up our coverage of the
+<em class="filename">smb.conf</em> configuration file with some
+miscellaneous options that can perform a variety of tasks. We talk
+briefly about options for time synchronization, internationalization,
+messages, and common Windows bugs. For the most part, you will use
+these options only in isolated circumstances.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-1"/>
+
+<h2 class="head1">Time Synchronization</h2>
+
+<p>In a network of computers, the systems on the network must agree on
+the current time and also on what time files have been modified. One
+example of the importance of synchronization is the
+<a name="INDEX-1"/>roaming profiles we covered in
+<a href="ch04.html">Chapter 4</a>. It is vital for all clients accessing a
+roaming profile to agree on what time it is and which client last
+modified the user's profile.</p>
+
+<p><a name="INDEX-2"/>Time synchronization can also be
+very important to programmers. A useful group of settings consists of
+the following options:</p>
+
+<blockquote><pre class="code">[global]
+    time server = yes
+    dos filetimes = yes
+    fake directory create times = yes
+    dos filetime resolution = yes
+    delete readonly = yes</pre></blockquote>
+
+<p>If you set these options, Samba shares will provide compatibility of
+file-modification times that Visual C++, <em class="emphasis">nmake</em>,
+and other Microsoft programming tools require. Otherwise, PC
+<em class="emphasis">make</em> programs might think that all the files in
+a directory need to be recompiled every time. Obviously, this is not
+the behavior you want.</p>
+
+<p>In <a href="ch04.html">Chapter 4</a>, we showed you how to create a logon
+script that used the <em class="emphasis">net
+time</em><a name="INDEX-3"/> command to synchronize
+clients' clocks automatically when they log on to
+the domain. If your network is configured as a workgroup rather than
+a domain, you can still make use of <em class="emphasis">net time</em> by
+placing the command:</p>
+
+<blockquote><pre class="code">net time \\<em class="replaceable">sambaserver</em> /set /yes</pre></blockquote>
+
+<p>in a startup script on each client that is run when the system boots.
+Samba always provides time service&mdash;regardless of whether it is
+running as a primary domain controller&mdash;or the
+<tt class="literal">time</tt> <tt class="literal">service</tt> configuration file
+parameter is set.</p>
+
+<p>Assuming that domain users log on to the domain at least once per day
+and workgroup clients reboot frequently, the <em class="emphasis">net
+time</em> command can keep client systems'
+clocks fairly well synchronized. However, sometimes domain users stay
+logged on for longer periods, and workgroup clients can run for days
+between reboots. In the meantime, the systems'
+hardware clocks can wander enough to become a problem. It might be
+possible to work around this, depending on the version of Windows the
+client system is running. On Windows 98/Me, you can use the Task
+Scheduler to run the <em class="emphasis">net time</em> command at regular
+intervals. Likewise, on Windows 2000/XP you can use the MS-DOS
+<em class="emphasis">at</em> command. However, a better way to deal with
+this issue is to use Network Time Protocol, which we will discuss
+shortly.</p>
+
+<p>Proper time synchronization is also important when operating in an
+Active Directory domain because Active Directory uses
+<a name="INDEX-4"/>Kerberos authentication.
+When a Kerberos domain controller creates an authentication ticket
+for a client, the time is encoded into the challenge-and-response
+exchanges between the client and domain controller. If the
+client's clock disagrees with the
+server's clock, authentication can fail.</p>
+
+<p>To provide proper time synchronization in <a name="INDEX-5"/>Active Directory domains, Microsoft has
+adopted <a name="INDEX-6"/>Network Time Protocol (NTP), using the
+name Windows Time Service for its implementation. For further
+information, the Microsoft white paper entitled <em class="citetitle">The
+Windows Time Service</em> can be downloaded from <a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p>
+
+<p>The nice thing about this is that NTP is the standard method for
+synchronizing Unix hosts on a network, so you can synchronize all
+your Unix systems (including the Samba server) and Windows systems
+with the following method:</p>
+
+<ol><li>
+<p>Run NTP on the Unix systems in your network. For more information on
+using NTP, refer to <a href="http://www.ntp.org">http://www.ntp.org</a>.</p>
+</li><li>
+<p>Use one of the Unix systems (such as the Samba host system) as an NTP
+server to serve Windows 2000/XP clients.</p>
+</li><li>
+<p>For other Windows clients, you might have to download an update from
+Microsoft to add <a name="INDEX-7"/><a name="INDEX-8"/>Windows Time Service client support or
+use a third-party application such as the free
+<a name="INDEX-9"/>analogX Atomic TimeSync (<a href="http://www.analogx.com">http://www.analogx.com</a>). Or you can use the
+<em class="emphasis">net time</em> command to update the
+client's clock periodically, as discussed
+previously.</p>
+</li></ol>
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-1.1"/>
+
+<h3 class="head2">Time-Synchronization Options</h3>
+
+<p>To support roaming profiles, programmers accessing your Samba server,
+and other time-sensitive functions on your network,
+you'll want to be aware of the options listed in
+<a href="ch11.html#samba2-CHP-11-TABLE-1">Table 11-1</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-1"/><h4 class="head4">Table 11-1. Time-synchronization options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">time server</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, announces <em class="emphasis">nmbd</em> as an
+SMB time service to Windows clients</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">time offset</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Adds a specified number of minutes to the reported time</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dos filetimes</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Allows non-owners of a file to change its time if they can write to it</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dos filetime</tt></p>
+
+<p><tt class="literal">resolution</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Causes file times to be rounded to the next even second</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">fake directory</tt> <tt class="literal">create times</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Sets directory times to avoid an MS <em class="emphasis">nmake</em> bug</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.1"/>
+
+<a name="INDEX-12"/><h3 class="head3">time server</h3>
+
+<p>Samba always operates as an SMB time server, matching the behavior of
+Windows systems. However, Samba's default is not to
+advertise itself as a time server to the network. When this option is
+set to <tt class="literal">yes</tt>, Samba advertises itself as an SMB time
+server:</p>
+
+<blockquote><pre class="code">[global]
+    time service = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.2"/>
+
+<a name="INDEX-13"/><h3 class="head3">time offset</h3>
+
+<p>To deal with clients that don't properly process
+daylight savings time, Samba provides the <tt class="literal">time</tt>
+<tt class="literal">offset</tt> option. If set, it adds the specified
+number of minutes to the current time. This is handy if
+you're in Newfoundland and Windows
+doesn't know about the 30-minute time difference
+there:</p>
+
+<blockquote><pre class="code">[global]
+    time offset = 30</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.3"/>
+
+<a name="INDEX-14"/><h3 class="head3">dos filetimes</h3>
+
+<p>Traditionally, only the root user and the owner of a file can change
+its last-modified date on a Unix system. The share-level
+<tt class="literal">dos</tt> <tt class="literal">filetimes</tt> option allows the
+Samba server to mimic the characteristics of a DOS or Windows system:
+any user can change the last-modified date on a file in that share if
+she has write permission to it. To do this, Samba uses its root
+privileges to modify the timestamp on the file.</p>
+
+<p>By default, this option is disabled. Setting this option to
+<tt class="literal">yes</tt> is often necessary to allow PC
+<em class="emphasis">make</em> programs to work properly. Without it, they
+cannot change the last-modified date themselves. This often results
+in the program thinking <em class="emphasis">all</em> files need
+recompiling when they really don't.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.4"/>
+
+<h3 class="head3">dos filetime resolution</h3>
+
+<p>The <tt class="literal">dos</tt><a name="INDEX-15"/>
+<tt class="literal">filetime</tt> <tt class="literal">resolution</tt> parameter
+is a share-level option. If set to <tt class="literal">yes</tt>, Samba
+rounds file times to the closest 2-second boundary. This option
+exists primarily to satisfy a quirk in Windows that prevents Visual
+C++ from correctly recognizing that a file has not changed. You can
+enable it as follows:</p>
+
+<blockquote><pre class="code">[data]
+    dos filetime resolution = yes</pre></blockquote>
+
+<p>We recommend using this option only if you are using Microsoft Visual
+C++ on a Samba share that supports opportunistic locking.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.5"/>
+
+<h3 class="head3">fake directory create times</h3>
+
+<p>The <tt class="literal">fake</tt><a name="INDEX-16"/>
+<tt class="literal">directory</tt> <tt class="literal">create</tt>
+<tt class="literal">times</tt> option exists to keep PC
+<em class="emphasis">make</em> programs sane. VFAT and NTFS filesystems
+record the creation date of a specific directory, while Unix does
+not. Without this option, Samba takes the earliest recorded date it
+has for the directory (often the last-modified date of a file) and
+returns it to the client. If this is not sufficient, set the
+following option under a share definition:</p>
+
+<blockquote><pre class="code">[data]
+    fake directory create times = yes</pre></blockquote>
+
+<p>If set, Samba will adjust the directory create time it reports to the
+hardcoded value January 1, 1980. This is primarily used to convince
+the Visual C++ <em class="emphasis">nmake</em> program that any object
+files in its build directories are indeed younger than the creation
+date of the directory itself and need to be recompiled. <a name="INDEX-17"/> <a name="INDEX-18"/><a name="INDEX-19"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-2"/>
+
+<h2 class="head1">Magic Scripts</h2>
+
+<p><em class="firstterm">Magic scripts</em> are a method of running programs
+on Unix and redirecting the output back to the SMB client. These are
+essentially an experimental hack. However, some users and their
+programs still rely on these two options for their programs to
+function correctly. Magic scripts are not widely trusted, and their
+use is highly discouraged by the Samba Team.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-2.1"/>
+
+<h3 class="head2">Magic Script Options</h3>
+
+<p><a href="ch11.html#samba2-CHP-11-TABLE-2">Table 11-2</a> lists the options that deal with
+<a name="INDEX-20"/>magic scripts
+on the Samba server.</p>
+
+<a name="samba2-CHP-11-TABLE-2"/><h4 class="head4">Table 11-2. Magic script options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">magic</tt> <tt class="literal">script</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>File to be executed by Samba, as the logged-on user, when closed</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">magic</tt> <tt class="literal">output</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>File to log output from the magic file</p>
+</td>
+<td>
+<p><em class="emphasis">scriptname.out</em></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-2.1.1"/>
+
+<h3 class="head3">magic script</h3>
+
+<p>If the <tt class="literal">magic</tt><a name="INDEX-21"/>
+<tt class="literal">script</tt> option is set to a filename and the client
+creates a file by that name in that share, Samba will run the file as
+soon as the user has opened and closed it. For example,
+let's assume that the following option was created
+in the share <tt class="literal">[accounting]</tt>:</p>
+
+<blockquote><pre class="code">[accounting]
+    magic script = tally.sh</pre></blockquote>
+
+<p>Samba continually monitors the files in that share. If one by the
+name of <em class="emphasis">tally.sh</em> is closed (after being opened)
+by a user, Samba will execute the contents of that file locally. The
+file will be passed to the shell to execute; it must therefore be a
+legal Unix shell script. This means that it must have newline
+characters as line endings instead of Windows CRLFs. In addition, you
+need to use the <tt class="literal">#!</tt> directive at the beginning of
+the file to indicate under which shell or interpreter the script
+should run, unless the script is for the default shell on your
+system.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-2.1.2"/>
+
+<a name="INDEX-22"/><h3 class="head3">magic output</h3>
+
+<p>This option specifies an output file to which the script specified by
+the <tt class="literal">magic</tt> <tt class="literal">script</tt> option will
+send output. You must specify a filename in a writable directory:</p>
+
+<blockquote><pre class="code">[accounting]
+    magic script = tally.sh
+    magic output = /var/log/magicoutput</pre></blockquote>
+
+<p>If this option is omitted, the default output file is the name of the
+script (as stated in the <tt class="literal">magic</tt>
+<tt class="literal">script</tt> option) with the extension
+<em class="emphasis">.out</em> appended onto it.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-3"/>
+
+<h2 class="head1">Internationalization</h2>
+
+<p><a name="INDEX-23"/><a name="INDEX-24"/>Starting
+with Samba 3.0, Samba supports Unicode &quot;on the
+wire,&quot; requiring no additional effort on your part
+to support filenames and other text containing characters in
+international character sets.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-3.1"/>
+
+<h3 class="head2">Internationalization Options</h3>
+
+<p>Samba 2.2.x has a limited ability to speak foreign tongues: if you
+need to support filenames containing characters that
+aren't in standard ASCII, some options that can help
+you are shown in <a href="ch11.html#samba2-CHP-11-TABLE-3">Table 11-3</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-3"/><h4 class="head4">Table 11-3. Internationalization options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">client code</tt> <tt class="literal">page</tt></p>
+</td>
+<td>
+<p>Described in this section</p>
+</td>
+<td>
+<p>Sets a code page to expect from clients</p>
+</td>
+<td>
+<p>850</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">character set</tt></p>
+</td>
+<td>
+<p>Described in this section</p>
+</td>
+<td>
+<p>Translates code pages into alternate Unix character sets</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">coding system</tt></p>
+</td>
+<td>
+<p>Described in this section</p>
+</td>
+<td>
+<p>Translates code page 932 into an Asian character set</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">valid chars</tt></p>
+</td>
+<td>
+<p>string (set of characters)</p>
+</td>
+<td>
+<p>Adds individual characters to a code page</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.1"/>
+
+<h3 class="head3">client code page</h3>
+
+<p>The character sets on Windows platforms hark back to the original
+concept of a <em class="emphasis">code page</em><a name="INDEX-25"/>. These code pages are used by DOS and
+Windows clients to determine rules for mapping lowercase letters to
+uppercase letters. Samba can be instructed to use a variety of code
+pages through the use of the global
+<tt class="literal">client</tt><a name="INDEX-26"/> <tt class="literal">code</tt>
+<tt class="literal">page</tt> option to match the corresponding code page
+in use on the client. This option loads a code page definition file
+and can take the values specified in <a href="ch11.html#samba2-CHP-11-TABLE-4">Table 11-4</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-4"/><h4 class="head4">Table 11-4. Valid code pages with Samba 2.0</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Code page</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">437</tt></p>
+</td>
+<td>
+<p>MS-DOS Latin (United States)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">737</tt></p>
+</td>
+<td>
+<p>Windows 95 Greek</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">850</tt></p>
+</td>
+<td>
+<p>MS-DOS Latin 1 (Western European)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">852</tt></p>
+</td>
+<td>
+<p>MS-DOS Latin 2 (Eastern European)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">861</tt></p>
+</td>
+<td>
+<p>MS-DOS Icelandic</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">866</tt></p>
+</td>
+<td>
+<p>MS-DOS Cyrillic (Russian)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">932</tt></p>
+</td>
+<td>
+<p>MS-DOS Japanese Shift-JIS</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">936</tt></p>
+</td>
+<td>
+<p>MS-DOS Simplified Chinese</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">949</tt></p>
+</td>
+<td>
+<p>MS-DOS Korean Hangul</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">950</tt></p>
+</td>
+<td>
+<p>MS-DOS Traditional Chinese</p>
+</td>
+</tr>
+
+</table>
+
+<p>You can set the client code page as follows:</p>
+
+<blockquote><pre class="code">[global]
+    client code page = 852</pre></blockquote>
+
+<p>The default value of this option is 850, for MS-DOS Latin 1. You can
+use the <em class="emphasis">make_smbcodepage</em> tool that comes with
+Samba (by default in <em class="filename">/usr/local/samba/bin</em> ) to
+create your own SMB code pages, in the event that those listed
+earlier are not sufficient.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.2"/>
+
+<h3 class="head3">character set</h3>
+
+<p>The global <tt class="literal">character</tt><a name="INDEX-27"/>
+<tt class="literal">set</tt> option can be used to convert filenames
+offered through a DOS code page (see the previous section, <a href="ch11.html#samba2-CHP-11-SECT-3.1.1">Section 11.3.1.1</a>) to equivalents that can be
+represented by Unix character sets other than those in the United
+States. For example, if you want to convert the Western European
+MS-DOS character set on the client to a Western European Unix
+character set on the server, you can use the following in your
+configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    client code page = 850
+    character set = ISO8859-1</pre></blockquote>
+
+<p>Note that you must include a <tt class="literal">client</tt>
+<tt class="literal">code</tt> <tt class="literal">page</tt> option to specify the
+character set from which you are converting. The valid character sets
+(and their matching code pages) that Samba accepts are listed in
+<a href="ch11.html#samba2-CHP-11-TABLE-5">Table 11-5</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-5"/><h4 class="head4">Table 11-5. Valid character sets</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Character set</p>
+</th>
+<th>
+<p>Matching code page</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">ISO8859-1</tt></p>
+</td>
+<td>
+<p><tt class="literal">850</tt></p>
+</td>
+<td>
+<p>Western European Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ISO8859-2</tt></p>
+</td>
+<td>
+<p><tt class="literal">852</tt></p>
+</td>
+<td>
+<p>Eastern European Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ISO8859-5</tt></p>
+</td>
+<td>
+<p><tt class="literal">866</tt></p>
+</td>
+<td>
+<p>Russian Cyrillic Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ISO8859-7</tt></p>
+</td>
+<td>
+<p>737</p>
+</td>
+<td>
+<p>Greek Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">KOI8-R</tt></p>
+</td>
+<td>
+<p><tt class="literal">866</tt></p>
+</td>
+<td>
+<p>Alternate Russian Cyrillic Unix</p>
+</td>
+</tr>
+
+</table>
+
+<p>Normally, the <tt class="literal">character</tt> <tt class="literal">set</tt>
+option is disabled completely.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.3"/>
+
+<h3 class="head3">coding system</h3>
+
+<p>The <tt class="literal">coding</tt><a name="INDEX-28"/> <tt class="literal">system</tt>
+option is similar to the <tt class="literal">character</tt>
+<tt class="literal">set</tt> option. However, its purpose is to determine
+how to convert a Japanese Shift JIS code page into an appropriate
+Unix character set. To use this option, the <tt class="literal">client</tt>
+<tt class="literal">code</tt> <tt class="literal">page</tt> option described
+previously must be set to page <tt class="literal">932</tt>. The valid
+coding systems that Samba accepts are listed in <a href="ch11.html#samba2-CHP-11-TABLE-6">Table 11-6</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-6"/><h4 class="head4">Table 11-6. Valid coding-system parameters</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Character set</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">SJIS</tt></p>
+</td>
+<td>
+<p>Standard Shift JIS</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JIS8</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8BB</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8BH</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8@B</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8@J</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8@H</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JIS7</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7BB</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7BH</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7@B</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7@J</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7@H</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JUNET</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JUBB</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JUBH</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JU@B</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JU@J</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JU@H</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">EUC</tt></p>
+</td>
+<td>
+<p>EUC codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">HEX</tt></p>
+</td>
+<td>
+<p>Three-byte hexadecimal code</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">CAP</tt></p>
+</td>
+<td>
+<p>Three-byte hexadecimal code (Columbia AppleTalk Program)</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.4"/>
+
+<h3 class="head3">valid chars</h3>
+
+<p>The <tt class="literal">valid</tt><a name="INDEX-29"/> <tt class="literal">chars</tt> option
+can be used to add individual characters to a code page. You can use
+this option as follows:</p>
+
+<blockquote><pre class="code">valid chars = &Icirc;
+valid chars = 0450:0420 0x0A20:0x0A00
+valid chars = A:a</pre></blockquote>
+
+<p>Each character in the list specified should be separated by spaces.
+If there is a colon between two characters or a numerical equivalent,
+the data to the left of the colon is considered an uppercase
+character, while the data to the right is considered the lowercase
+character. You can represent characters both by literals (if you can
+type them) and by octal, hexadecimal, or decimal Unicode equivalents.</p>
+
+<p>If you use this option, it must be listed after the
+<tt class="literal">client</tt> <tt class="literal">code</tt>
+<tt class="literal">page</tt> to which you wish to add the character.
+<a name="INDEX-30"/><a name="INDEX-31"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-4"/>
+
+<h2 class="head1">Windows Messenger Service</h2>
+
+<p>One of the odd features of SMB protocol is its ability to send text
+messages between computers. Although both the name and functionality
+are similar to that of Windows Messenger, the two are not the same.
+<a name="INDEX-32"/><a name="INDEX-33"/><a name="INDEX-34"/>Windows Messenger (also called MSN
+Messenger) is an Internet-oriented instant messenging service, while
+Windows Messenger Service is an older and simpler LAN-oriented
+service. Using the Windows Messenger Service, messages can be
+addressed to users, individual computers, or entire workgroups on the
+network.</p>
+
+<p>The <a name="INDEX-35"/>WinPopup
+tool (<em class="filename">Winpopup.exe</em>), shown in <a href="ch11.html#samba2-CHP-11-FIG-1">Figure 11-1</a>, can be used on Windows 95/98/Me to send or
+receive messages. WinPopup is a handy tool for sending messages.
+However, to receive messages, it must already be running when the
+message is sent from the remote system.</p>
+
+<div class="figure"><a name="samba2-CHP-11-FIG-1"/><img src="figs/sam2_1101.gif"/></div><h4 class="head4">Figure 11-1. Sending a message from a Windows 95/98/Me system (left); receiving a message (right)</h4>
+
+<p>On Windows NT/2000/XP, the messenger service lets you receive
+messages without having an application already running; messages will
+automatically appear in a small dialog box on the screen when
+received, as shown in <a href="ch11.html#samba2-CHP-11-FIG-2">Figure 11-2</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-11-FIG-2"/><img src="figs/sam2_1102.gif"/></div><h4 class="head4">Figure 11-2. Receiving a message on a Windows 2000 system</h4>
+
+<p>To send messages, it is necessary to use the <em class="emphasis">net
+send</em> command from a command-prompt window, like this:</p>
+
+<blockquote><pre class="code">C:\&gt; <tt class="userinput"><b>net send maya &quot;Who's There?&quot;</b></tt>
+The message was successfully sent to MAYA.</pre></blockquote>
+
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-4.1"/>
+
+<h3 class="head2">Windows Messenger Service Configuration Option</h3>
+
+<p>Samba has a single option to handle Windows Messenger Service,
+<tt class="literal">message</tt> <tt class="literal">command</tt>, as shown in
+<a href="ch11.html#samba2-CHP-11-TABLE-7">Table 11-7</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-7"/><h4 class="head4">Table 11-7. Windows Messenger Service configuration option</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameter</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">message</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Sets a command to run on Unix when a WinPopup message is received</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-4.1.1"/>
+
+<h3 class="head3">message command</h3>
+
+<p>Samba's
+<tt class="literal">message</tt><a name="INDEX-36"/> <tt class="literal">command</tt>
+option defines the command that will run on the server when a Windows
+Messenger Service message arrives. The command will be executed as
+the <tt class="literal">guest</tt> <tt class="literal">account</tt> user. What to
+do with messages is questionable because most Samba hosts run as
+unattended servers. One solution is to mail the messages to root like
+this:</p>
+
+<blockquote><pre class="code">[global]
+    message command = /bin/mail -s &quot;SMB Message From %f on %m&quot; root &lt;%s; rm %s</pre></blockquote>
+
+<p>Note the use of variables here. The <tt class="literal">%s</tt> variable
+will be replaced by the name of the file in which the message
+resides. This file should be deleted when the command is finished
+with it; otherwise, a buildup of message files will collect on the
+Samba server. In addition, the command must either exit quickly or
+fork its own process (using an <tt class="literal">&amp;</tt> after the
+command); otherwise, the client might suspend and wait for
+notification that the command was sent successfully before
+continuing.</p>
+
+<p>In addition to the standard variables, <a href="ch11.html#samba2-CHP-11-TABLE-8">Table 11-8</a>
+shows the three unique variables that you can use in a
+<tt class="literal">message</tt> <tt class="literal">command</tt>.</p>
+
+<a name="samba2-CHP-11-TABLE-8"/><h4 class="head4">Table 11-8. message command variables</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Variable</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">%s</tt></p>
+</td>
+<td>
+<p>The name of the file in which the message resides</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%f</tt></p>
+</td>
+<td>
+<p>The name of the system that sent the message</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%t</tt></p>
+</td>
+<td>
+<p>The name of the system that is the destination of the message
+<a name="INDEX-37"/><a name="INDEX-38"/><a name="INDEX-39"/></p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-5"/>
+
+<h2 class="head1">Miscellaneous Options</h2>
+
+<p>Many Samba options are available to deal with operating system issues
+on either Unix or Windows. In particular, some of these options are
+used for setting limits for clients' use of
+resources on the Unix server. The options shown in <a href="ch11.html#samba2-CHP-11-TABLE-9">Table 11-9</a> deal with some of these issues.</p>
+
+<a name="samba2-CHP-11-TABLE-9"/><h4 class="head4">Table 11-9. Miscellaneous options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">deadtime</tt></p>
+</td>
+<td>
+<p>numeric (minutes)</p>
+</td>
+<td>
+<p>Number of minutes of inactivity before a connection should be
+terminated.</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dfree command</tt></p>
+</td>
+<td>
+<p>string (command)</p>
+</td>
+<td>
+<p>Used to specify a command that returns free disk space in a format
+recognized by Samba.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">fstype</tt></p>
+</td>
+<td>
+<p><tt class="literal">NTFS</tt>, <tt class="literal">FAT</tt>, or
+<tt class="literal">Samba</tt></p>
+</td>
+<td>
+<p>Filesystem type reported by the server to the client.</p>
+</td>
+<td>
+<p><tt class="literal">NTFS</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">keepalive</tt></p>
+</td>
+<td>
+<p>numeric (seconds)</p>
+</td>
+<td>
+<p>Number of seconds between checks for an inoperative client.</p>
+</td>
+<td>
+<p><tt class="literal">300</tt> (none)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max disk size</tt></p>
+</td>
+<td>
+<p>numeric (MB)</p>
+</td>
+<td>
+<p>Largest disk size to return to a client, some of which have limits.
+Does not affect actual operations on the disk.</p>
+</td>
+<td>
+<p><tt class="literal">0</tt> (infinity)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max mux</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum number of simultaneous SMB operations that clients can make.</p>
+</td>
+<td>
+<p><tt class="literal">50</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max open files</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Limits number of open files to be below Unix limits.</p>
+</td>
+<td>
+<p><tt class="literal">10000</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max xmit</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Specifies the maximum packet size that Samba will send.</p>
+</td>
+<td>
+<p><tt class="literal">65535</tt> or <tt class="literal">16644</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">nt pipe support</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Turns off an NT/2000/XP support feature; for benchmarking or in case
+of an error.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">nt smb support</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Turns off an NT/2000/XP support feature; for benchmarking or in case
+of an error.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ole locking</tt> <tt class="literal">compatibility</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Remaps out-of-range lock requests used on Windows to fit in allowable
+range on Unix. Turning it off causes Unix lock errors.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">panic action</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Command to run if Samba server fails; for debugging.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">set directory</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows VMS clients to issue
+<tt class="literal">set</tt> <tt class="literal">dir</tt> commands.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">status</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to monitor status for
+<tt class="literal">smbstatus</tt> command.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">strict sync</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">no</tt>, ignores Windows application requests to
+perform a sync-to-disk.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">sync always</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, forces all client writes to be committed
+to disk before returning from the call.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">strip dot</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, strips trailing dots from Unix filenames.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">change notify timeout</tt></p>
+</td>
+<td>
+<p>numeric (seconds)</p>
+</td>
+<td>
+<p>Interval between checks when a client asks to wait for a change in a
+specified directory.</p>
+</td>
+<td>
+<p><tt class="literal">60</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">stat cache</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, Samba will cache recent name mappings.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">stat cache size</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Number of entries in the stat cache.</p>
+</td>
+<td>
+<p><tt class="literal">50</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-5.1"/>
+
+<a name="INDEX-40"/><h3 class="head2">deadtime</h3>
+
+<p>This global option sets the number of minutes that Samba will wait
+for an inactive client before closing its session with the Samba
+server. A client is considered inactive when it has no open files and
+no data is being sent from it. The default value for this option is
+0, which means that Samba never closes any connection, regardless of
+how long they have been inactive. This can lead to unnecessary
+consumption of the server's resources by inactive
+clients. We recommend that you override the default as follows:</p>
+
+<blockquote><pre class="code">[global]
+    deadtime = 10</pre></blockquote>
+
+<p>This tells Samba to terminate any inactive client sessions after 10
+minutes. For most networks, setting this option as such will not
+inconvenience users because reconnections from the client are
+generally performed transparently to the user. See also the
+<tt class="literal">keepalive</tt> parameter.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.1"/>
+
+<a name="INDEX-41"/><h3 class="head3">dfree command</h3>
+
+<p>This global option is used on systems that incorrectly determine the
+free space left on the disk. So far, the only confirmed system that
+needs this option set is Ultrix. There is no default value for this
+option, which means that Samba already knows how to compute the free
+disk space on its own and the results are considered reliable. You
+can override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    dfree command = /usr/local/bin/dfree</pre></blockquote>
+
+<p>This option should point to a script that returns the total disk
+space in a block and the number of available blocks. The Samba
+documentation recommends the following as a usable script:</p>
+
+<blockquote><pre class="code">#!/bin/sh
+df $1 | tail -1 | awk '{print $2&quot; &quot;$4}'</pre></blockquote>
+
+<p>On System V machines, the following will work:</p>
+
+<blockquote><pre class="code">#!/bin/sh
+/usr/bin/df $1 | tail -1 | awk '{print $3&quot; &quot;$5}'</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.2"/>
+
+<a name="INDEX-42"/><h3 class="head3">fstype</h3>
+
+<p>This share-level option sets the type of filesystem that Samba
+reports when queried by the client. Three strings can be used as a
+value to this configuration option, as listed in <a href="ch11.html#samba2-CHP-11-TABLE-10">Table 11-10</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-10"/><h4 class="head4">Table 11-10. Filesystem types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Value</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>NTFS</p>
+</td>
+<td>
+<p>Microsoft Windows NT filesystem</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>FAT</p>
+</td>
+<td>
+<p>DOS FAT filesystem</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Samba</p>
+</td>
+<td>
+<p>Samba filesystem</p>
+</td>
+</tr>
+
+</table>
+
+<p>The default value for this option is <tt class="literal">NTFS</tt>, which
+represents a Windows NT filesystem. There probably
+isn't a need to specify any other type of
+filesystem. However, if you need to, you can override the default
+value per share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    fstype = FAT</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.3"/>
+
+<a name="INDEX-43"/><h3 class="head3">keepalive</h3>
+
+<p>This global option specifies the number of seconds that Samba waits
+between sending NetBIOS <em class="emphasis">keepalive packets</em>. These
+packets are used to ping a client to detect whether it is still alive
+and on the network. The default value for this option is
+<tt class="literal">300</tt> (5 minutes), which you can override as
+follows:</p>
+
+<blockquote><pre class="code">[global]
+    keepalive = 600</pre></blockquote>
+
+<p>The value of <tt class="literal">600</tt> (10 minutes) is good for networks
+populated by reliable clients. If your network contains relatively
+unreliable clients, you might prefer to set
+<tt class="literal">keepalive</tt> to a lower value, such as
+<tt class="literal">30</tt>. If <tt class="literal">keepalive</tt> is set to 0,
+no NetBIOS keepalive packets will be sent. See also the
+<tt class="literal">deadtime</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.4"/>
+
+<a name="INDEX-44"/><h3 class="head3">max disk size</h3>
+
+<p>This global option specifies an illusory limit, in megabytes, for
+each share that Samba is offering. It only affects how much disk
+space Samba reports the share as having and does not prevent more
+disk space from actually being available for use. You would typically
+set this option to prevent clients with older operating
+systems&mdash;or running buggy applications&mdash;from being confused
+by large disk spaces. For example, some older Windows applications
+become confused when they encounter a share larger than 1 gigabyte.
+To work around this problem, <tt class="literal">max</tt>
+<tt class="literal">disk</tt> <tt class="literal">size</tt> can be set as
+follows:</p>
+
+<blockquote><pre class="code">[global]
+    max disk size = 1000</pre></blockquote>
+
+<p>The default value for this option is <tt class="literal">0</tt>, which
+means there is no upper limit.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.5"/>
+
+<a name="INDEX-45"/><h3 class="head3">max mux</h3>
+
+<p>This global option specifies the maximum number of concurrent SMB
+operations Samba allows. The default value for this option is
+<tt class="literal">50</tt>. You can override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    max mux = 100</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.6"/>
+
+<a name="INDEX-46"/><h3 class="head3">max open files</h3>
+
+<p>This global option specifies the maximum number of open files that
+Samba should allow at any given time for all processes. This value
+must be equal to or less than the amount allowed by the operating
+system, which varies from system to system. The default value for
+this option is <tt class="literal">10000</tt>. You can override it as
+follows:</p>
+
+<blockquote><pre class="code">[global]
+    max open files = 8000</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.7"/>
+
+<a name="INDEX-47"/><h3 class="head3">max xmit</h3>
+
+<p>This global option sets the maximum size of packets that Samba
+exchanges with a client. In rare cases, setting a smaller maximum
+packet size can increase performance, especially with Windows for
+Workgroups. In Samba versions up to 2.2.5, the default value for this
+option is <tt class="literal">65535</tt>. In 2.2.7 and later versions, the
+default was changed to <tt class="literal">16644</tt> to match the behavior
+of Windows 2000 and improve support for Windows NT 4.0. You can
+override the default as follows:</p>
+
+<blockquote><pre class="code">[global]
+    max xmit = 4096</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.8"/>
+
+<a name="INDEX-48"/><h3 class="head3">nt pipe support</h3>
+
+<p>This global option is used by developers to allow or disallow Windows
+NT/2000/XP clients the ability to make connections to
+<a name="INDEX-49"/>NT-specific SMB IPC$ pipes. As a user, you
+should never need to override the default:</p>
+
+<blockquote><pre class="code">[global]
+    nt pipe support = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.9"/>
+
+<a name="INDEX-50"/><h3 class="head3">nt smb support</h3>
+
+<p>This global option is used by developers to negotiate NT-specific SMB
+options with Windows NT/2000/XP clients. The Samba Team has
+discovered that slightly better performance comes from setting this
+value to <tt class="literal">no</tt>. However, as a user, you should
+probably not override the default:</p>
+
+<blockquote><pre class="code">[global]
+    nt smb support = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.10"/>
+
+<a name="INDEX-51"/><h3 class="head3">ole locking compatibility</h3>
+
+<p>This global option turns off Samba's internal
+byte-range locking manipulation in files, which gives compatibility
+with Object Linking and Embedding (OLE) applications that use high
+byte-range locks as a method of interprocess communication. The
+default value for this option is <tt class="literal">yes</tt>. If you trust
+your Unix locking mechanisms, you can override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    ole locking compatibility = no</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.11"/>
+
+<a name="INDEX-52"/><h3 class="head3">panic action</h3>
+
+<p>This global option specifies a command to execute in the event that
+Samba encounters a fatal error when loading or running. There is no
+default value for this option. You can specify an action as follows:</p>
+
+<blockquote><pre class="code">[global]
+    panic action = /bin/csh -c
+          'xedit &lt;&lt;: &quot;Samba has shutdown unexpectedly&quot;;:'</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.12"/>
+
+<a name="INDEX-53"/><h3 class="head3">set directory</h3>
+
+<p>This Boolean share-level option allows <a name="INDEX-54"/>Digital Pathworks clients to
+use the <em class="emphasis">setdir</em> command to change directories on
+the server. If you are not using the Digital Pathworks client, you
+should not need to alter this option. The default value for this
+option is <tt class="literal">no</tt>. You can override it per share as
+follows:</p>
+
+<blockquote><pre class="code">[data]
+    set directory = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.13"/>
+
+<a name="INDEX-55"/><h3 class="head3">status</h3>
+
+<p>This global option indicates whether Samba should log all active
+connections to a status file. This file is used only by the
+<em class="emphasis">smbstatus</em> command. If you have no intentions of
+using this command, you can set this option to <tt class="literal">no</tt>,
+which can result in a small increase of speed on the server. The
+default value for this option is <tt class="literal">yes</tt>. You can
+override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    status = no</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.14"/>
+
+<a name="INDEX-56"/><h3 class="head3">strict sync</h3>
+
+<p>This share-level option determines whether Samba honors all requests
+to perform a disk sync when requested to do so by a client. Many
+Windows clients request a disk sync when they are really just trying
+to flush data to their own open files. In this case, a disk sync is
+generally unnecessary on Unix due to its high reliability, and it
+mostly has the effect of substantially reducing the performance of
+the Samba host system. The default value for this option is
+<tt class="literal">no</tt>, which allows the superfluous disk sync
+requests to be ignored. You can override the default as follows:</p>
+
+<blockquote><pre class="code">[data]
+    strict sync = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.15"/>
+
+<a name="INDEX-57"/><h3 class="head3">sync always</h3>
+
+<p>This share-level option decides whether every write to disk should be
+followed by a disk synchronization before the write call returns
+control to the client. Even if the value of this option is
+<tt class="literal">no</tt>, clients can request a disk synchronization;
+see the earlier <tt class="literal">strict</tt> <tt class="literal">sync</tt>
+option. The default value for this option is <tt class="literal">no</tt>.
+You can override it per share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    sync always = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.16"/>
+
+<a name="INDEX-58"/><h3 class="head3">strip dot</h3>
+
+<p>This global option determines whether to remove the trailing dot from
+Unix filenames that are formatted with a dot at the end. The default
+value for this option is <tt class="literal">no</tt>. You can override it
+per share as follows:</p>
+
+<blockquote><pre class="code">[global]
+    strip dot = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.17"/>
+
+<h3 class="head3">change notify timeout</h3>
+
+<p>The <tt class="literal">change</tt><a name="INDEX-59"/>
+<tt class="literal">notify</tt> <tt class="literal">timeout</tt> global option
+emulates a Windows NT/2000 SMB feature called <em class="firstterm">change
+notification</em><a name="INDEX-60"/>. This allows a client to request
+that a Windows NT/2000 server periodically monitor a specific
+directory on a share for any changes. If changes occur, the server
+will notify the client.</p>
+
+<p>Samba performs this function for its clients at an interval that
+defaults to 1 minute (60 seconds). Performing these checks too often
+can slow down the server considerably; however, you can use this
+option to specify an alternate time that Samba should wait between
+performing checks:</p>
+
+<blockquote><pre class="code">[global]
+    change notify timeout = 30</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.18"/>
+
+<h3 class="head3">stat cache</h3>
+
+<p>The <tt class="literal">stat</tt><a name="INDEX-61"/> <tt class="literal">cache</tt> global
+option turns on caching of recent case-insensitive name mappings. The
+default is <tt class="literal">yes</tt>. The Samba Team recommends that you
+never change this parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.19"/>
+
+<h3 class="head3">stat cache size</h3>
+
+<p>The <tt class="literal">stat</tt><a name="INDEX-62"/> <tt class="literal">cache</tt>
+<tt class="literal">size</tt> global option sets the number of cache
+entries to be used for the <tt class="literal">stat</tt>
+<tt class="literal">cache</tt> option. The default here is
+<tt class="literal">50</tt>. Again, the Samba Team recommends that you
+never change this parameter.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch12.html b/docs/htmldocs/using_samba/ch12.html
new file mode 100644
index 0000000000..6ba643fe73
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch12.html
@@ -0,0 +1,3341 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 12. Troubleshooting Samba</h1>
+
+
+<p><a name="INDEX-1"/><a name="INDEX-2"/>Samba is extremely robust. Once you have
+everything set up the way you want, you'll probably
+forget that it is running. When trouble occurs, it's
+typically during installation or when you're trying
+to reconfigure the server. Fortunately, a wide variety of resources
+are available to diagnose these troubles. While we
+can't describe in detail the solution to every
+problem you might encounter, you should be able to get a good start
+at resolving the problem by following the advice given in this
+chapter.</p>
+
+<p>The first section of this chapter lists the tool bag, a collection of
+tools available for troubleshooting Samba; the second section is a
+detailed how-to; the last section lists extra resources to track down
+particularly stubborn problems.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-12-SECT-1"/>
+
+<h2 class="head1">The Tool Box</h2>
+
+<p><a name="INDEX-3"/><a name="INDEX-4"/>Sometimes Unix
+seems to be made up of a grab bag of applications and tools. There
+are tools to troubleshoot tools. And of course, there are several
+ways to accomplish the same task. When trying to solve a problem
+related to Samba, a good plan of attack is to use the following:</p>
+
+<ul><li>
+<p>Samba logs</p>
+</li><li>
+<p>Samba test utilities</p>
+</li><li>
+<p>Unix utilities</p>
+</li><li>
+<p>Fault tree</p>
+</li><li>
+<p>Documentation and FAQs</p>
+</li><li>
+<p>Samba newsgroups</p>
+</li><li>
+<p>Searchable mailing list archives</p>
+</li></ul>
+<p>Let's go over each of these one-by-one in the
+following sections.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-1.1"/>
+
+<h3 class="head2">Samba Logs</h3>
+
+<p><a name="INDEX-5"/><a name="INDEX-6"/>Your first line of attack should always
+be to check the log files. The Samba log files can help diagnose the
+vast majority of the problems faced by beginning- to
+intermediate-level Samba administrators. Samba is quite flexible when
+it comes to logging. You can set up the server to log as little or as
+much information as you want. Using substitution variables in the
+Samba configuration file allows you to isolate individual logs for
+each system, share, or combination thereof.</p>
+
+<p>Logs are placed in <em class="filename">/usr/local/samba/var/smbd.log</em>
+and <em class="filename">/usr/local/samba/var/nmbd.log</em> by default.
+You can specify a log directory to use with the
+<em class="emphasis">-l</em> flag on the command line when starting the
+Samba daemons. For example:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbd -l /var/log/samba</b></tt>
+# <tt class="userinput"><b>nmbd -l /var/log/samba</b></tt></pre></blockquote>
+
+<p>Alternatively, you can override the location and name using the
+<tt class="literal">log</tt><a name="INDEX-7"/> <tt class="literal">file</tt> configuration
+option in <em class="filename">smb.conf</em>. This option accepts all the
+substitution variables, so you could easily have the server keep a
+separate log for each connecting client system by specifying the
+following:</p>
+
+<blockquote><pre class="code">[global]
+    log file = %m.log</pre></blockquote>
+
+<p>Another useful trick is to have the server keep a log for each
+service (share) that is offered, especially if you suspect a
+particular share is causing trouble. To do this, use the
+<tt class="literal">%S</tt> variable, like this:</p>
+
+<blockquote><pre class="code">[global]
+    log file = %S.log</pre></blockquote>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.1"/>
+
+<h3 class="head3">Log levels</h3>
+
+<p><a name="INDEX-8"/>The level of logging that Samba uses
+can be set in the <em class="filename">smb.conf</em> file using the global
+<tt class="literal">log</tt> <tt class="literal">level</tt> or
+<tt class="literal">debug</tt> <tt class="literal">level</tt> option; they are
+equivalent. The logging level is an integer that can range from 0 to
+10. At level 0, no logging is done. Higher values result in more
+voluminous logging. For example, let's assume that
+we will use a Windows client to browse a directory on a Samba server.
+For a small amount of log information, you can use
+<tt class="literal">log</tt> <tt class="literal">level</tt> <tt class="literal">=</tt>
+<tt class="literal">1</tt>, which instructs Samba to show only cursory
+information, in this case only the connection itself:</p>
+
+<blockquote><pre class="code">05/25/02 22:02:11 server (192.168.236.86) connect to service public as user pcguest 
+(uid=503,gid=100) (pid 3377)</pre></blockquote>
+
+<p>Higher debug levels produce more detailed information. Usually, you
+won't need more than level 3, which is fully
+adequate for most Samba administrators. Levels above 3 are used by
+the developers and dump enormous amounts of cryptic information.</p>
+
+<p>Here is an example of output at levels 2 and 3 for the same
+operation. Don't worry if you don't
+understand the intricacies of an SMB connection; the point is simply
+to show you what types of information are shown at the different
+<a name="INDEX-9"/>logging levels:</p>
+
+<blockquote><pre class="code"> /* Level 2 */
+Got SIGHUP
+Processing section &quot;[homes]&quot;
+Processing section &quot;[public]&quot;
+Processing section &quot;[temp]&quot;
+Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
+Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/
+
+
+/* Level 3 */
+05/25/02 22:15:09 Transaction 63 of length 67
+switch message SMBtconX (pid 3377)
+Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
+ACCEPTED: guest account and guest ok
+found free connection number 105
+Connect path is /tmp
+chdir to /tmp
+chdir to /
+05/25/02 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest 
+(uid=503,gid=100) (pid 3377)
+05/25/02 22:15:09 tconX service=ipc$ user=pcguest cnum=105
+05/25/02 22:15:09 Transaction 64 of length 99
+switch message SMBtrans (pid 3377)
+chdir to /tmp
+trans &lt;\PIPE\LANMAN&gt; data=0 params=19 setup=0
+Got API command 0 of form &lt;WrLeh&gt; &lt;B13BWz&gt; (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
+Doing RNetShareEnum
+RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
+05/25/02 22:15:11 Transaction 65 of length 99
+switch message SMBtrans (pid 3377)
+chdir to /
+chdir to /tmp
+trans &lt;\PIPE\LANMAN&gt; data=0 params=19 setup=0
+Got API command 0 of form &lt;WrLeh&gt; &lt;B13BWz&gt; (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
+Doing RNetShareEnum
+RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
+05/25/02 22:15:11 Transaction 66 of length 95
+switch message SMBtrans2 (pid 3377)
+chdir to /
+chdir to /pcdisk/public
+call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end 
+= 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432
+unix_clean_name [./DESKTOP.INI]
+unix_clean_name [desktop.ini]
+unix_clean_name [./]
+creating new dirptr 1 for path ./, expect_close = 1
+05/25/02 22:15:11 Transaction 67 of length 53
+switch message SMBgetatr (pid 3377)
+chdir to /
+
+<i class="lineannotation">[... deleted ...]</i></pre></blockquote>
+
+<p>We cut off this listing after the first packet because it runs on for
+many pages. However, be aware that log levels above 3 will quickly
+consume disk space with megabytes of excruciating detail concerning
+Samba's internal operations. Log level 3 is
+extremely useful for following exactly what the server is doing, and
+most of the time it will be obvious where an error occurs by glancing
+through the log file.</p>
+
+<p>Using a high log level (3 or above) will
+<em class="emphasis">seriously</em> slow down the Samba server. Remember
+that every log message generated causes a write to disk (an
+inherently slow operation) and log levels greater than 2 produce
+massive amounts of data. Essentially, you should turn on logging
+level 3 only when you're actively tracking a problem
+in the Samba server. <a name="INDEX-10"/></p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.2"/>
+
+<h3 class="head3">Activating and deactivating logging</h3>
+
+<p><a name="INDEX-11"/><a name="INDEX-12"/>To turn logging on and off,
+set the appropriate level in the <tt class="literal">[global]</tt> section
+of <em class="filename">smb.conf</em>. Then, you can either restart Samba
+or force the current daemon to reprocess the configuration file by
+sending it a hangup (HUP) signal. You also can send the
+<em class="emphasis">smbd</em> process a SIGUSR1 signal to increase its
+log level by one while it's running, like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR1 1234</b></tt></pre></blockquote>
+
+<p>or a SIGUSR2 signal to decrease it by one:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR2 1234</b></tt></pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.3"/>
+
+<h3 class="head3">Logging by individual client systems or users</h3>
+
+<p>An effective way to diagnose problems without hampering other users
+is to assign different log levels for different systems in the
+<tt class="literal">[global]</tt> section of the
+<em class="filename">smb.conf</em> file. We can do this by building on the
+strategy we presented earlier:</p>
+
+<blockquote><pre class="code">[global]
+    log level = 0
+    log file = /usr/local/samba/var/log.%m
+    include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
+
+<p>These options instruct Samba to use unique configuration and log
+files for each client that connects. Now all you have to do is create
+an <em class="filename">smb.conf</em> file for a specific client system
+with a <tt class="literal">log</tt> <tt class="literal">level</tt>
+<tt class="literal">=</tt> <tt class="literal">3</tt> entry in it (the others
+will pick up the default log level of 0) and use that log file to
+track down the problem.</p>
+
+<p>Similarly, if only particular users are experiencing a
+problem&mdash;and it travels from system to system with
+them&mdash;you can isolate logging to a specific user by adding the
+following to the <em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[global]
+    log level = 0
+    log file = /usr/local/samba/var/log.%u
+    include = /usr/local/samba/lib/smb.conf.%u</pre></blockquote>
+
+<p>Then you can create a unique <em class="filename">smb.conf</em> file for
+each user you wish to monitor (e.g.,
+<em class="filename">/usr/local/samba/lib/smb.conf.tim</em>). Files
+containing the configuration option <tt class="literal">log</tt>
+<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">3</tt>
+and only those users will get more detailed logging.<a name="INDEX-13"/><a name="INDEX-14"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-1.2"/>
+
+<h3 class="head2">Samba Test Utilities</h3>
+
+<p><a name="INDEX-15"/><a name="INDEX-16"/>A rigorous set of tests that exercise
+the major parts of Samba are described in various files in the
+<em class="emphasis">/docs/textdocs</em> directory of the Samba
+distribution kit, starting with <em class="emphasis">DIAGNOSIS.txt</em>.
+The fault tree in this chapter is a more detailed version of the
+basic tests suggested by the Samba Team, but it covers only
+installation and reconfiguration diagnosis, such as
+<em class="emphasis">DIAGNOSIS.txt</em>. The other files in the
+<em class="emphasis">/docs</em> subdirectories address specific problems
+and instruct you how to troubleshoot items not included in this book.
+If the fault tree doesn't suffice, be sure to look
+at
+<em class="emphasis">DIAGNOSIS.txt</em><a name="INDEX-17"/>
+and its friends.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-1.3"/>
+
+<h3 class="head2">Unix Utilities</h3>
+
+<p>Sometimes it's useful to use a tool outside the
+Samba suite to examine what's happening inside the
+server. Three diagnostic tools can be of particular help in debugging
+Samba troubles: <em class="emphasis">trace</em>,
+<em class="emphasis">tcpdump</em>, and <em class="emphasis">Ethereal</em>.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.1"/>
+
+<h3 class="head3">Using trace</h3>
+
+<p>The <em class="emphasis">trace</em><a name="INDEX-18"/> command masquerades under several
+different names, depending on the operating system you are using. On
+Linux it will be
+<em class="emphasis">strace</em><a name="INDEX-19"/>; on Solaris you'll use
+<em class="emphasis">truss</em><a name="INDEX-20"/>; SGI will have
+<em class="emphasis">padc</em><a name="INDEX-21"/> and
+<em class="emphasis">par</em><a name="INDEX-22"/>; and HP-UX will have
+<em class="emphasis">trace</em> or
+<em class="emphasis">tusc</em><a name="INDEX-23"/>. All have essentially the same
+function, which is to display each operating system function call as
+it is executed. This allows you to follow the execution of a program,
+such as the Samba server, and often pinpoints the exact call that is
+causing the difficulty.</p>
+
+<p>One problem that <em class="emphasis">trace</em> can highlight is an
+incorrect version of a dynamically linked library. This can happen if
+you've downloaded prebuilt binaries of Samba.
+You'll typically see the offending call at the end
+of the <em class="emphasis">trace</em>, just before the program
+terminates.</p>
+
+<p>A sample <em class="emphasis">strace</em> output for the Linux operating
+system follows. This is a small section of a larger file created
+during the opening of a directory on the Samba server. Each line
+lists a system call and includes its parameters and the return value.
+If there was an error, the error value (e.g.,
+<tt class="literal">ENOENT</tt>) and its explanation are also shown. You
+can look up the parameter types and the errors that can occur in the
+appropriate <em class="emphasis">trace</em> manual page for the operating
+system you are using.</p>
+
+<blockquote><pre class="code">chdir(&quot;/pcdisk/public&quot;)                 = 0
+stat(&quot;mini/desktop.ini&quot;, 0xbffff7ec)    = -1 ENOENT (No such file or directory)
+stat(&quot;mini&quot;, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
+stat(&quot;mini/desktop.ini&quot;, 0xbffff7ec)    = -1 ENOENT (No such file or directory)
+open(&quot;mini&quot;, O_RDONLY)                  = 5
+fcntl(5, F_SETFD, FD_CLOEXEC)           = 0
+fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
+lseek(5, 0, SEEK_CUR)                   = 0
+SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196
+lseek(5, 0, SEEK_CUR)                   = 1024
+SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0
+close(5)                                = 0
+stat(&quot;mini/desktop.ini&quot;, 0xbffff86c)    = -1 ENOENT (No such file or directory)
+write(3, &quot;\0\0\0#\377SMB\10\1\0\2\0\200\1\0&quot;..., 39) = 39
+SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1
+read(3, &quot;\0\0\0?&quot;, 4)                   = 4
+read(3, &quot;\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0&quot;..., 63) = 63
+time(NULL)                              = 896143871</pre></blockquote>
+
+<p>This example shows several <em class="emphasis">stat() calls</em> failing
+to find the files they were expecting. You don't
+have to be an expert to see that the file
+<em class="emphasis">desktop.ini</em> is missing from that directory. In
+fact, many difficult problems can be identified by looking for
+obvious, repeatable errors with <em class="emphasis">trace</em>. Often,
+you need not look further than the last message before a crash.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.2"/>
+
+<h3 class="head3">Using tcpdump</h3>
+
+<p>The <em class="emphasis">tcpdump</em><a name="INDEX-24"/> program, as extended by Andrew
+<a name="INDEX-25"/>Tridgell,
+allows you to monitor SMB <a name="INDEX-26"/>network
+traffic in real time. A variety of output formats are available, and
+you can filter the output to look at only a particular type of
+traffic. You can examine all conversations between client and server,
+including SMB and NMB broadcast messages. While its troubleshooting
+capabilities lie mainly at the OSI network layer, you can still use
+its output to get a general idea of what the server and client are
+attempting to do.</p>
+
+<p>A sample <em class="emphasis">tcpdump</em> log follows. In this instance,
+the client has requested a directory listing, and the server has
+responded appropriately, giving the directory names
+<tt class="literal">homes</tt>, <tt class="literal">public</tt>,
+<tt class="literal">IPC$</tt>, and <tt class="literal">temp</tt>
+(we've added a few explanations on the right):</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>tcpdump -v -s 255 -i eth0 port not telnet</b></tt>
+SMB PACKET: SMBtrans (REQUEST)                <i class="lineannotation"> Request packet</i>
+SMB Command   =  0x25                         <i class="lineannotation">Request was ls or dir</i>
+
+[000] 01 00 00 10                             <i class="lineannotation">....</i>
+
+
+&gt;&gt;&gt; NBT Packet                                <i class="lineannotation">Outer frame of SMB packet</i>
+NBT Session Packet
+Flags=0x0
+Length=226
+[lines skipped]
+                         
+SMB PACKET: SMBtrans (REPLY)                  <i class="lineannotation">Beginning of a reply to  request</i>
+SMB Command   =  0x25                         <i class="lineannotation">Command was an ls or dir</i>
+Error class   =  0x0             
+Error code    =  0                            <i class="lineannotation">No errors</i>
+Flags1        =  0x80
+Flags2        =  0x1
+Tree ID       =  105
+Proc ID       =  6075
+UID           =  100
+MID           =  30337
+Word Count    =  10
+TotParamCnt=8 
+TotDataCnt=163 
+Res1=0
+ParamCnt=8 
+ParamOff=55 
+Res2=0 
+DataCnt=163 
+DataOff=63 
+Res3=0
+Lsetup=0
+Param Data: (8 bytes)
+[000] 00 00 00 00 05 00 05 00                           ........ 
+
+Data Data: (135 bytes)                        <i class="lineannotation">Actual directory contents:</i>
+[000] 68 6F 6D 65 73 00 00 00  00 00 00 00 00 00 00 00  homes... ........
+[010] 64 00 00 00 70 75 62 6C  69 63 00 00 00 00 00 00  d...publ ic......
+[020] 00 00 00 00 75 00 00 00  74 65 6D 70 00 00 00 00  ....u... temp....
+[030] 00 00 00 00 00 00 00 00  76 00 00 00 49 50 43 24  ........ v...IPC$
+[040] 00 00 00 00 00 00 00 00  00 00 03 00 77 00 00 00  ........ ....w...
+[050] 64 6F 6E 68 61 6D 00 00  00 00 00 00 00 00 00 00  donham.. ........
+[060] 92 00 00 00 48 6F 6D 65  20 44 69 72 65 63 74 6F  ....Home  Directo
+[070] 72 69 65 73 00 00 00 49  50 43 20 53 65 72 76 69  ries...I PC Servi
+[080] 63 65 20 28 53 61 6D                              ce (Sam</pre></blockquote>
+
+<p>This is more of the same debugging session as we saw before with the
+<em class="emphasis">trace</em> command: the listing of a directory. The options
+we used were <em class="emphasis">-v</em> (verbose), <em class="emphasis">-i
+eth0</em> to tell <em class="emphasis">tcpdump</em> on which
+interface to listen (an Ethernet port), and <em class="emphasis">-s
+255</em> to tell it to save the first 255 bytes of each packet
+instead of the default: the first 68. The option
+<tt class="literal">port</tt> <tt class="literal">not</tt>
+<tt class="literal">telnet</tt> is used to avoid screens of telnet traffic,
+because we were logged in to the server remotely. The
+<em class="emphasis">tcpdump</em> program actually has quite a number of
+options to filter just the traffic you want to look at. If
+you've used <em class="emphasis">snoop</em> or
+<em class="emphasis">etherdump</em>, it will look vaguely familiar.</p>
+
+<p>You can download the modified <em class="emphasis">tcpdump</em> from the
+Samba FTP server, located at
+<a href="ftp://samba.anu.edu.au/pub/samba/tcpdump-smb">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</a>.
+Other versions might not include support for the SMB protocol; if you
+don't see output such as that shown in the example,
+you'll need to use the SMB-enabled version.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.3"/>
+
+<h3 class="head3">Using Ethereal</h3>
+
+<p><a name="INDEX-27"/>Ethereal (<a href="http://www.ethereal.com">http://www.ethereal.com</a>) is a GUI-based
+utility that performs the same basic function as
+<em class="emphasis">tcpdump</em>. You might prefer Ethereal because it is
+much easier to use. Once you have Ethereal running, just do the
+following:</p>
+
+<ol><li>
+<p>Select Start from the Capture menu.</p>
+</li><li>
+<p>Click the OK button in the dialog box that appears. This will bring
+up a dialog box showing how many packets Ethereal has seen. Perform
+the actions on the system(s) in your network to reproduce the problem
+you are analyzing.</p>
+</li><li>
+<p>Click the Stop button in the Ethereal dialog box to make it finish
+collecting data.</p>
+</li><li>
+<p>In the main Ethereal window, click any item in the upper window to
+view it in the lower window. In the lower window, click any of the
+boxes containing a plus sign (<tt class="literal">+</tt>) to expand the
+view.</p>
+</li></ol>
+<p>Ethereal does a good job of translating the content of the packets it
+encounters into human-readable format, and you should have little
+trouble seeing what happened on the network during the capture
+period. <a name="INDEX-28"/><a name="INDEX-29"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-12-SECT-2"/>
+
+<h2 class="head1">The Fault Tree</h2>
+
+<p><a name="INDEX-30"/><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>The fault
+tree presented in this section is for diagnosing and fixing problems
+that occur when you're installing and reconfiguring
+Samba. It's an expanded form of the trouble and
+diagnostic document <em class="filename">DIAGNOSIS.txt</em>, which is part
+of the Samba distribution.</p>
+
+<p>Before you set out to troubleshoot any part of the Samba suite, you
+should know the following information:</p>
+
+<ul><li>
+<p>Your client IP address (we use 192.168.236.10)</p>
+</li><li>
+<p>Your server IP address (we use 192.168.236.86)</p>
+</li><li>
+<p>The netmask for your network (typically 255.255.255.0)</p>
+</li><li>
+<p>Whether the systems are all on the same subnet (ours are)</p>
+</li></ul>
+<p>For clarity, we've renamed the server in the
+following examples to <tt class="literal">server.example.com</tt>, and the
+client system to <tt class="literal">client.example.com</tt>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.1"/>
+
+<h3 class="head2">How to Use the Fault Tree</h3>
+
+<p>Start the tests here, without skipping forward; it
+won't take long (about 5 minutes) and might actually
+save you time backtracking. Whenever a test succeeds, you will be
+given a name of a section to which you can safely skip.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.2"/>
+
+<h3 class="head2">Troubleshooting Low-Level IP</h3>
+
+<p><a name="INDEX-34"/>The
+first series of tests is that of the low-level services that Samba
+needs to run. The tests in this section verify that:</p>
+
+<ul><li>
+<p>The IP software works</p>
+</li><li>
+<p>The Ethernet hardware works</p>
+</li><li>
+<p>Basic name service is in place</p>
+</li></ul>
+<p>Subsequent sections add TCP software, the Samba daemons
+<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>, host-based
+access control, authentication and per-user access control, file
+services, and browsing. The tests are described in considerable
+detail to make them understandable by both technically oriented end
+users and experienced systems and network administrators.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.1"/>
+
+<h3 class="head3">Testing the networking software with ping</h3>
+
+<p><a name="INDEX-35"/>The first command to enter
+on both the server and the client is
+<tt class="literal">ping</tt><a name="INDEX-36"/><a name="INDEX-37"/>
+<tt class="literal">127.0.0.1</tt>. This pings the loopback address and
+indicates whether any networking support is functioning. On Unix, you
+can use <tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> with the
+statistics option and interrupt it after a few lines. On Sun
+workstations, the command is typically
+<tt class="literal">/usr/etc/ping</tt> <tt class="literal">-s</tt>
+<tt class="literal">127.0.0.1</tt>; on Linux, just <tt class="literal">ping</tt>
+<tt class="literal">127.0.0.1</tt>. On Windows clients, run
+<tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> in an MS-DOS
+(command prompt) window, and it will stop by itself after four lines.</p>
+
+<p>Here is an example on a Linux server:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping 127.0.0.1 </b></tt>
+PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): 
+icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1): 
+icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): 
+icmp-seq=2. time=1. ms ^C 
+----127.0.0.1 PING Statistics---- 
+3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)  
+min/avg/max = 0/0/1</pre></blockquote>
+
+<p>If you get &quot;ping: no answer from . . .
+&quot; or &quot;100% packet
+loss,&quot; you have no IP networking installed on the
+system. The address <tt class="literal">127.0.0.1</tt> is the internal
+loopback address and doesn't depend on the computer
+being physically connected to a network. If this test fails, you have
+a serious local problem. TCP/IP either isn't
+installed or is seriously misconfigured. See your operating system
+documentation if it's a Unix server. If
+it's a Windows client, follow the instructions in
+<a href="ch03.html">Chapter 3</a> to install networking support.</p>
+
+<a name="samba2-CHP-12-NOTE-155"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If <em class="emphasis">you're</em> the network manager,
+some good references are Craig Hunt's
+<em class="emphasis">TCP/IP Network Administration</em>, Chapter 11, and Craig Hunt and Robert Bruce
+Thompson's <em class="emphasis">Windows NT TCP/IP Network
+Administration</em>, both published by
+O'Reilly.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.2"/>
+
+<h3 class="head3">Testing local name services with ping</h3>
+
+<p><a name="INDEX-38"/>Next, try to ping
+<tt class="literal">localhost</tt> on the Samba server. The
+<tt class="literal">localhost</tt> hostname is the conventional hostname
+for the <tt class="literal">127.0.0.1</tt> loopback interface, and it
+should resolve to that address. After typing <tt class="literal">ping</tt>
+<tt class="literal">localhost</tt>, you should see output similar to the
+following:</p>
+
+<blockquote><pre class="code">$  <tt class="userinput"><b>ping localhost  </b></tt>
+PING localhost: 56 data bytes  64 bytes from localhost (127.0.0.1):
+icmp-seq=0. time=0. ms  64 bytes from localhost (127.0.0.1): 
+icmp-seq=1. time=0. ms  64 bytes from localhost (127.0.0.1): 
+icmp-seq=2. time=0. ms  ^C</pre></blockquote>
+
+<p>If this succeeds, try the same test on the client. Otherwise:</p>
+
+<ul><li>
+<p>If you get &quot;unknown host:
+localhost,&quot; there is a problem resolving the
+hostname <em class="filename">localhost</em> into a valid IP address.
+(This might be as simple as a missing entry in a local
+<em class="emphasis">hosts</em> file.) From here, skip down to
+<a href="ch03.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a> later in this chapter.</p>
+</li><li>
+<p>If you get &quot;ping: no answer,&quot; or
+&quot;100% packet loss,&quot; but pinging
+<tt class="literal">127.0.0.1</tt> worked, name services is resolving to an
+address, but it isn't the correct one. Check the
+file or database (typically <em class="filename">/etc/hosts</em> on a Unix
+system) that the name service is using to resolve addresses to ensure
+that the entry is correct.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.3"/>
+
+<h3 class="head3">Testing the networking hardware with ping</h3>
+
+<p><a name="INDEX-39"/>Next, ping the
+server's network IP address from itself. This should
+get you exactly the same results as pinging
+<tt class="literal">127.0.0.1</tt>:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping 192.168.236.86 </b></tt>
+PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86): 
+icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86): 
+icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86): 
+icmp-seq=2. time=1. ms ^C 
+----192.168.236.86 PING Statistics---- 
+3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)  
+min/avg/max = 0/0/1</pre></blockquote>
+
+<p>If this works on the server, repeat it for the client. Otherwise:</p>
+
+<ul><li>
+<p>If <tt class="literal">ping</tt> <em class="replaceable">network_ip</em>
+fails on either the server or client, but <tt class="literal">ping</tt>
+<tt class="literal">127.0.0.1</tt> works on that system, you have a TCP/IP
+problem that is specific to the Ethernet network interface card on
+the computer. Check with the documentation for the network card or
+host operating system to determine how to configure it correctly.
+However, be aware that on some operating systems, the
+<em class="emphasis">ping</em> command appears to work even if the network
+is disconnected, so this test doesn't always
+diagnose all hardware problems.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.4"/>
+
+<h3 class="head3">Testing connections with ping</h3>
+
+<p><a name="INDEX-40"/>Now, ping the server by name (instead
+of its IP address)&mdash;once from the server and once from the
+client. This is the general test for working network hardware:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping server </b></tt>
+PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86): 
+icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86): 
+icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86): 
+icmp-seq=2. time=1. ms ^C 
+----server.example.com PING Statistics---- 
+3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)  
+min/avg/max = 0/0/1</pre></blockquote>
+
+<p>If successful, this test tells us five things:</p>
+
+<ul><li>
+<p>The hostname (e.g., <tt class="literal">server</tt>) is being found by your
+local name server.</p>
+</li><li>
+<p>The hostname has been expanded to the full name (e.g.,
+<tt class="literal">server.example.com</tt>).</p>
+</li><li>
+<p>Its address is being returned (<tt class="literal">192.168.236.86</tt>).</p>
+</li><li>
+<p>The client has sent the Samba server four 56-byte UDP/IP packets.</p>
+</li><li>
+<p>The Samba server has replied to all four packets.</p>
+</li></ul>
+<p>If this test isn't successful, one of several things
+can be wrong with the network:</p>
+
+<ul><li>
+<p>First, if you get <tt class="literal">ping</tt>: <tt class="literal">no</tt>
+<tt class="literal">answer</tt>, or <tt class="literal">100%</tt>
+<tt class="literal">packet</tt> <tt class="literal">loss</tt>,
+you're not connecting to the network, the other
+system isn't connecting, or one of the addresses is
+incorrect. Check the addresses that the <em class="emphasis">ping</em>
+command reports on each system, and ensure that they match the ones
+you set up initially.</p>
+
+<p>If not, there is at least one mismatched address between the two
+systems. Try entering the command <tt class="literal">arp</tt>
+<tt class="literal">-a</tt>, and see if there is an entry for the other
+system. (The <em class="emphasis">arp</em> command stands for the Address
+Resolution Protocol. The <tt class="literal">arp</tt> <tt class="literal">-a</tt>
+command lists all the addresses known on the local system.) Here are
+some things to try:</p>
+<ul><li>
+<p>If you receive a message like <tt class="literal">192.168.236.86</tt>
+<tt class="literal">at</tt> <tt class="literal">(incomplete)</tt>, the Ethernet
+address of 192.168.236.86 is unknown. This indicates a complete lack
+of connectivity, and you're likely having a problem
+at the very bottom of the TCP/IP protocol stack&mdash;the Ethernet
+interface layer. This is discussed in Chapters 5 and 6 of
+<em class="citetitle">TCP/IP Network Administration
+</em>(O'Reilly).</p>
+</li><li>
+<p>If you receive a response similar to server
+<tt class="literal">(192.168.236.86)</tt> <tt class="literal">at</tt>
+<tt class="literal">8:0:20:12:7c:94</tt>, the server has been reached at
+some time, or another system is answering on its behalf. However,
+this means that <em class="emphasis">ping</em> should have worked: you may
+have an intermittent networking or ARP problem.</p>
+</li><li>
+<p>If the IP address from ARP doesn't match the
+addresses you expected, investigate and correct the addresses
+manually.</p>
+</li>
+</ul>
+</li>
+
+<li>
+<p>If each system can ping itself but not another, something is wrong on
+the network between them.</p>
+</li><li>
+<p>If you get <tt class="literal">ping</tt>: <tt class="literal">network</tt>
+<tt class="literal">unreachable</tt> or <tt class="literal">ICMP</tt>
+<tt class="literal">Host</tt> <tt class="literal">Unreachable</tt>,
+you're not receiving an answer, and more than one
+network is probably involved.</p>
+
+<p>In principle, you shouldn't try to troubleshoot SMB
+clients and servers on different networks. Try to test a server and
+client that are on the same network:</p>
+
+<ol><li>
+<p>First, perform the tests for <tt class="literal">ping</tt>:
+<tt class="literal">no</tt> <tt class="literal">answer</tt> described earlier in
+this section. If this doesn't identify the problem,
+the remaining possibilities are the following: an address is wrong,
+your netmask is wrong, a network is down, or the packets have been
+stopped by a firewall.</p>
+</li>
+<li>
+<p>Check both the address and the netmasks on source and destination
+systems to see if something is obviously wrong. Assuming both systems
+really are on the same network, they both should have the same
+netmasks, and <em class="emphasis">ping</em> should report the correct
+addresses. If the addresses are wrong, you'll need
+to correct them. If they are correct, the programs might be confused
+by an incorrect netmask. See <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter.</p>
+</li>
+<li>
+<p>If the commands are still reporting that the network is unreachable
+and neither of the previous two conditions are in error, one network
+really might be unreachable from the other. This, too, is an issue
+for the network manager.</p>
+</li></ol>
+</li><li>
+<p>If you get <tt class="literal">ICMP</tt>
+<tt class="literal">Administratively</tt> <tt class="literal">Prohibited</tt>,
+you've struck a firewall of some sort or a
+misconfigured router. You will need to speak to your network security
+officer.</p>
+</li><li>
+<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
+<tt class="literal">redirect</tt> and <em class="emphasis">ping</em> reports
+packets getting through, this is generally harmless:
+you're simply being rerouted over the network.</p>
+</li><li>
+<p>If you get a host redirect and no <em class="emphasis">ping</em>
+responses, you are being redirected, but no one is responding. Treat
+this just like the <tt class="literal">Network</tt>
+<tt class="literal">unreachable</tt> response, and check your addresses and
+netmasks.</p>
+</li><li>
+<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
+<tt class="literal">Unreachable</tt> <tt class="literal">from</tt>
+<tt class="literal">gateway</tt> <tt class="literal">gateway</tt>
+<tt class="literal">name</tt>, ping packets are being routed to another
+network, but the other system isn't responding and
+the router is reporting the problem on its behalf. Again, treat this
+like a <tt class="literal">Network</tt> <tt class="literal">unreachable</tt>
+response, and start checking addresses and netmasks.</p>
+</li><li>
+<p>If you get <tt class="literal">ping</tt>: <tt class="literal">unknown</tt>
+<tt class="literal">host</tt> <tt class="literal">hostname</tt>, your
+system's name is not known. This tends to indicate a
+name service problem, which didn't affect
+<tt class="literal">localhost</tt>. Have a look at <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
+</li><li>
+<p>If you get a partial success&mdash;with some pings failing but others
+succeeding&mdash;you have either an intermittent problem between the
+systems or an overloaded network. Ping a bit longer, and see if more
+than about three percent of the packets fail. If so, check it with
+your network manager: a problem might just be starting. However, if
+only a few fail, or if you happen to know some massive network
+program is running, don't worry unduly. The ICMP
+(and UDP) protocols used by <em class="emphasis">ping</em> are allowed to
+drop occasional packets.</p>
+</li><li>
+<p>If you get a response such as <tt class="literal">smtsvr.antares.net</tt>
+<tt class="literal">is</tt> <tt class="literal">alive</tt> when you actually
+pinged <tt class="literal">client.example.com</tt>, either
+you're using someone else's address
+or the system has multiple names and addresses. If the address is
+wrong, the name service is clearly the culprit;
+you'll need to change the address in the name
+service database to refer to the correct system. This is discussed in
+<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this
+chapter.</p>
+
+<p>Servers are often <em class="emphasis">multihomed</em> &mdash;i.e.,
+connected to more than one network, with different names on each net.
+If you are getting a response from an unexpected name on a multihomed
+server, look at the address and see if it's on your
+network (see <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter). If
+so, you should use that address, rather than one on a different
+network, for both performance and reliability reasons.</p>
+
+<p>Servers can also have multiple names for a single Ethernet address,
+especially if they are web servers. This is harmless, albeit
+startling. You probably will want to use the official (and permanent)
+name, rather than an alias that might change.</p>
+</li><li>
+<p>If everything works but the IP address reported is
+<tt class="literal">127.0.0.1</tt>, you have a name service error. This
+typically occurs when an operating-system installation program
+generates an <em class="filename">/etc/hosts</em> line similar to
+<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
+<em class="emphasis">hostname.domainname</em>. The localhost line should
+say <tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> or
+<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
+<tt class="literal">loghost</tt>. Correct it, lest it cause failures to
+negotiate who is the master browse list holder and who is the master
+browser. It can also cause (ambiguous) errors in later tests.</p>
+</li></ul>
+<p>If this worked from the server, repeat it from the client. <a name="INDEX-41"/>
+<a name="INDEX-42"/><a name="INDEX-43"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.3"/>
+
+<h3 class="head2">Troubleshooting TCP</h3>
+
+<p><a name="INDEX-44"/><a name="INDEX-45"/>Now that
+you've tested IP, UDP, and a name service with
+<em class="emphasis">ping</em>, it's time to test TCP.
+Browsing and <em class="emphasis">ping</em> use ICMP and UDP; file and
+print services (shares) use TCP. Both depend on IP as a lower layer,
+and all four depend on name services. Testing TCP is most
+conveniently done using the FTP program.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.3.1"/>
+
+<h3 class="head3">Testing TCP with FTP</h3>
+
+<p>Try connecting via FTP, once from the server to itself, and once from
+the client to the server:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ftp server</b></tt>
+Connected to server.example.com. 
+220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready.
+ Name (server:davecb): 
+331 Password required for davecb. 
+Password: 
+230 User davecb logged in.
+ ftp&gt;<tt class="userinput"><b> quit </b></tt>
+221 Goodbye.</pre></blockquote>
+
+<p>If this worked, skip to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>. Otherwise:</p>
+
+<ul><li>
+<p>If you received the message <tt class="literal">server</tt>:
+<tt class="literal">unknown</tt> <tt class="literal">host</tt>, name service has
+failed. Go back to the corresponding <em class="emphasis">ping</em> step,
+<a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>, and rerun those tests
+to see why name lookup failed.</p>
+</li><li>
+<p>If you received <tt class="literal">ftp</tt>: <tt class="literal">connect</tt>:
+<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the system
+isn't running an FTP daemon. This is mildly unusual
+on Unix servers. Optionally, you might try this test by connecting to
+the system using <em class="emphasis">telnet</em> instead of
+<em class="emphasis">ftp</em>; the messages are very similar, and
+<em class="emphasis">telnet</em> uses TCP as well.</p>
+</li><li>
+<p>If there was a long pause, and then <tt class="literal">ftp</tt>:
+<tt class="literal">connect</tt>: <tt class="literal">Connection</tt>
+<tt class="literal">timed</tt> <tt class="literal">out</tt>, the system
+isn't reachable. Return to <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>.</p>
+</li><li>
+<p>If you received <tt class="literal">530</tt> <tt class="literal">Logon</tt>
+<tt class="literal">Incorrect</tt>, you connected successfully, but
+you've just found a different problem. You likely
+provided an incorrect username or password. Try again, making sure
+you use your username from the Unix server and type your password
+correctly.</p>
+</li></ul>
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.4"/>
+
+<h3 class="head2">Troubleshooting Server Daemons</h3>
+
+<p><a name="INDEX-46"/>Once
+you've confirmed that TCP networking is working
+properly, the next step is to make sure the daemons are running on
+the server. This takes three separate tests because no single one of
+the following will decisively prove that they're
+working correctly.</p>
+
+<p>To be sure they're running, you need to find out
+whether the daemons:</p>
+
+<ol><li>
+<p>Have started</p>
+</li><li>
+<p>Are registered or bound to a TCP/IP port by the operating system</p>
+</li><li>
+<p>Are actually paying attention</p>
+</li></ol>
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.1"/>
+
+<h3 class="head3">Tracking daemon startup</h3>
+
+<p><a name="INDEX-47"/>First, check the Samba logs. If
+you've started the daemons, the message
+<tt class="literal">smbd</tt> <tt class="literal">version</tt>
+<tt class="literal">number</tt> <tt class="literal">started</tt> should appear.
+If it doesn't, you need to restart the Samba
+daemons.</p>
+
+<p>If the daemon reports that it has indeed started, look out for
+<tt class="literal">bind</tt> <tt class="literal">failed</tt>
+<tt class="literal">on</tt> <tt class="literal">port</tt> <tt class="literal">139</tt>
+<tt class="literal">socket_addr=0</tt> <tt class="literal">(Address</tt>
+<tt class="literal">already</tt> <tt class="literal">in</tt>
+<tt class="literal">use)</tt>. This means another daemon has been started
+on port 139 (<em class="emphasis">smbd</em> ). Also,
+<em class="emphasis">nmbd</em> will report a similar failure if it cannot
+bind to port 137. Either you've started them twice,
+or the <em class="emphasis">inetd</em> server has tried to provide a
+daemon for you. If it's the latter,
+we'll diagnose that in a moment.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.2"/>
+
+<h3 class="head3">Looking for daemon processes with ps</h3>
+
+<p><a name="INDEX-48"/>Another way to make sure the daemons are
+running is to check their processes on the system. Use the
+<em class="emphasis">ps</em><a name="INDEX-49"/> command on the server with the
+&quot;long&quot; option for your system type
+(commonly <tt class="literal">ps</tt> <tt class="literal">ax</tt> or
+<tt class="literal">ps</tt> <tt class="literal">-ef</tt>), and see whether
+<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> are already
+running. This often looks like the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ps ax</b></tt>
+ PID TTY STAT TIME   COMMAND
+ 1   ?   S    0:03   init [2] 
+ 2   ?   SW   0:00   (kflushd)
+<i class="lineannotation">(...many lines of processes...) </i>
+ 234 ?   S    0:14   nmbd -D3
+ 237 ?   S    0:11   smbd -D3
+<i class="lineannotation">(...more lines, possibly including more smbd lines...)</i></pre></blockquote>
+
+<p>This example illustrates that <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em> have already started as standalone daemons
+(the <em class="emphasis">-D</em> option) at log level 3.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.3"/>
+
+<h3 class="head3">Looking for daemons bound to ports</h3>
+
+<p><a name="INDEX-50"/>Next, the daemons have to be registered
+with the operating system so that they can get access to TCP/IP
+ports. The <em class="emphasis">netstat</em> command will tell you if this
+has been done. Run the command <tt class="literal">netstat</tt>
+<tt class="literal">-a</tt> on the server, and look for lines mentioning
+<tt class="literal">netbios</tt>, <tt class="literal">137</tt>, or
+<tt class="literal">139</tt>:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>netstat -a </b></tt>
+Active Internet connections (including servers) 
+Proto Recv-Q Send-Q  Local Address          Foreign Address        (state) 
+udp   0      0       *.137                  *.* 
+tcp   0      0       *.139                  *.*                    LISTEN 
+tcp   8370   8760    server.139             client.1439            ESTABLISHED</pre></blockquote>
+
+<p>Among similar lines, there should be at least one UDP line for
+<tt class="literal">*.netbios-</tt> or <tt class="literal">*.137</tt>. This
+indicates that the <em class="emphasis">nmbd</em> server is registered and
+(we hope) is waiting to answer requests. There should also be at
+least one TCP line mentioning <tt class="literal">*.netbios-</tt> or
+<tt class="literal">*.139</tt>, and it will probably be in the LISTEN
+state. This means that <em class="emphasis">smbd</em> is up and listening
+for connections.</p>
+
+<p>There might be other TCP lines indicating connections from
+<em class="emphasis">smbd</em> to clients, one for each client. These are
+usually in the ESTABLISHED state. If there are
+<em class="emphasis">smbd</em> lines in the ESTABLISHED state,
+<em class="emphasis">smbd</em> is definitely running. If there is only one
+line in the LISTEN state, we're not sure yet. If
+both of the lines are missing, a daemon has not succeeded in
+starting, so it's time to check the logs and then go
+back to <a href="ch02.html">Chapter 2</a>.</p>
+
+<p>If there is a line for each client, it might be coming either from a
+Samba daemon or from the master IP daemon,
+<em class="emphasis">inetd</em>. It's quite possible that
+your <em class="emphasis">inetd</em> startup file contains lines that
+start Samba daemons without your realizing it; for instance, the
+lines might have been placed there if you installed Samba as part of
+a Linux distribution. The daemons started by
+<em class="emphasis">inetd</em> prevent ours from running. This problem
+typically produces log messages such as <tt class="literal">bind</tt>
+<tt class="literal">failed</tt> <tt class="literal">on</tt>
+<tt class="literal">port</tt> <tt class="literal">139</tt>
+<tt class="literal">socket</tt> <tt class="literal">addr=0</tt>
+<tt class="literal">(Address</tt> <tt class="literal">already</tt>
+<tt class="literal">in</tt> <tt class="literal">use)</tt>.</p>
+
+<p>Check your <em class="filename">/etc/inetd.conf</em> ; unless
+you're intentionally starting the daemons from
+there, <tt class="literal">netbios-ns</tt> (UDP port 137) or
+<tt class="literal">netbios-ssn</tt> (tcp port 139) servers should be
+mentioned there. If your system is providing an SMB daemon via
+<em class="emphasis">inetd</em>, lines such as the following will appear
+in the <em class="filename">inetd.conf</em> file:</p>
+
+<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
+netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></blockquote>
+
+<p>If your system uses <em class="emphasis">xinetd</em> instead of
+<em class="emphasis">inetd</em>, see <a href="ch02.html">Chapter 2</a> for
+details concerning its configuration.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.4"/>
+
+<h3 class="head3">Checking smbd with telnet</h3>
+
+<p><a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>Ironically, the easiest way to test that
+the <em class="emphasis">smbd</em> server is actually working is to send
+it a meaningless message and see if it is rejected. Try something
+such as the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>echo &quot;hello&quot; | telnet localhost 139 </b></tt>
+Trying
+Trying 192.168.236.86 ... 
+Connected to localhost. Escape character is '^]'. 
+Connection closed by foreign host.</pre></blockquote>
+
+<p>This sends an erroneous but harmless message to
+<em class="emphasis">smbd</em>. If you get a <tt class="literal">Connected</tt>
+message followed by a <tt class="literal">Connection</tt>
+<tt class="literal">closed</tt> message, the test was a success. You have
+an <em class="emphasis">smbd</em> daemon listening on the port and
+rejecting improper connection messages. On the other hand, if you get
+<tt class="literal">telnet</tt>: <tt class="literal">connect</tt>:
+<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, most likely
+no daemon is present. Check the logs and go back to <a href="ch02.html">Chapter 2</a>.</p>
+
+<p>Regrettably, there isn't an easy test for
+<em class="emphasis">nmbd</em>. If the <em class="emphasis">telnet</em> test
+and the <em class="emphasis">netstat</em> test both say that an
+<em class="emphasis">smbd</em> is running, there is a good chance that
+<em class="emphasis">netstat</em> will also be correct about
+<em class="emphasis">nmbd</em> running.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.5"/>
+
+<h3 class="head3">Testing daemons with testparm</h3>
+
+<p><a name="INDEX-54"/><a name="INDEX-55"/>Once you know
+there's a daemon, you should always run
+<em class="emphasis">testparm</em>, in hopes of getting something such as
+the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>testparm </b></tt>
+Load smb config files from /opt/samba/lib/smb.conf
+Processing section &quot;[homes]&quot; 
+Processing section &quot;[printers]&quot; ... 
+Processing section &quot;[tmp]&quot; 
+Loaded services file OK. ...</pre></blockquote>
+
+<p>The <em class="emphasis">testparm</em> program normally reports the
+processing of a series of sections and responds with
+<tt class="literal">Loaded</tt> <tt class="literal">services</tt>
+<tt class="literal">file</tt> <tt class="literal">OK</tt> if it succeeds. If not,
+it reports one or more of the following messages, which also appear
+in the logs as noted:</p>
+
+<dl>
+<dt><b>Allow/Deny connection from account (n) to service</b></dt>
+<dd>
+<p>A <em class="emphasis">testparm</em>-only message produced if you have
+<tt class="literal">valid</tt> <tt class="literal">user</tt> or
+<tt class="literal">invalid</tt> <tt class="literal">user</tt> options set in
+your <em class="emphasis">smb.conf</em>. You will want to make sure that
+you are on the valid user list, and that <tt class="literal">root</tt>,
+<tt class="literal">bin</tt>, etc., are on the invalid user list. If you
+don't, you will not be able to connect, or users who
+shouldn't <em class="emphasis">will</em> be able to.</p>
+</dd>
+
+
+
+<dt><b>Warning: You have some share names that are longer than eight chars</b></dt>
+<dd>
+<p>For anyone using Windows for Workgroups and older clients. They fail
+to connect to shares with long names, producing an overflow message
+that sounds confusingly like a memory overflow.</p>
+</dd>
+
+
+
+<dt><b>Warning: [name] service MUST be printable!</b></dt>
+<dd>
+<p>A printer share lacks a <tt class="literal">printable</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option.</p>
+</dd>
+
+
+
+<dt><b>No path in service name using [name]</b></dt>
+<dd>
+<p>A file share doesn't know which directory to provide
+to the user, or a print share doesn't know which
+directory to use for spooling. If no path is specified, the service
+will try to run with a path of <em class="emphasis">/tmp</em>, which might
+not be what you want.</p>
+</dd>
+
+
+
+<dt><b>Note: Servicename is flagged unavailable</b></dt>
+<dd>
+<p>Just a reminder that you have used the <tt class="literal">available</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> option in a share.</p>
+</dd>
+
+
+
+<dt><b>Can't find include file [name] </b></dt>
+<dd>
+<p>A configuration file referred to by an <tt class="literal">include</tt>
+option did not exist. If you were including the file unconditionally,
+this is an error and probably a serious one: the share will not have
+the configuration you intended. If you were including it based on one
+of the <tt class="literal">%</tt> variables, such as <tt class="literal">%a</tt>
+(architecture), you will need to decide whether, for example, a
+missing Windows for Workgroups configuration file is a problem. It
+often isn't.</p>
+</dd>
+
+
+
+<dt><b>Can't copy service name, unable to copy to itself</b></dt>
+<dd>
+<p>You tried to copy an <em class="filename">smb.conf</em> section into
+itself.</p>
+</dd>
+
+
+
+<dt><b>Unable to copy service&mdash;source not found: [name]</b></dt>
+<dd>
+<p>Indicates a missing or misspelled section in a
+<tt class="literal">copy</tt> <tt class="literal">=</tt> option.</p>
+</dd>
+
+
+
+<dt><b>Ignoring unknown parameter name </b></dt>
+<dd>
+<p>Typically indicates an obsolete, misspelled, or unsupported option.</p>
+</dd>
+
+
+
+<dt><b>Global parameter name found in service section </b></dt>
+<dd>
+<p>Indicates that a global-only parameter has been used in an individual
+share. Samba ignores the parameter.</p>
+</dd>
+
+</dl>
+
+<p>After the <em class="emphasis">testparm</em> test, repeat it with
+(exactly) three parameters: the name of your
+<em class="filename">smb.conf</em> file, the name of your client, and its
+IP address:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>testparm /usr/local/samba/lib/smb.conf client 192.168.236.10</b></tt></pre></blockquote>
+
+<p>This will run one more test that checks the hostname and address
+against <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options and might
+produce the <tt class="literal">Allow</tt> <tt class="literal">connection</tt>
+<tt class="literal">from</tt> <tt class="literal">hostname</tt>
+<tt class="literal">to</tt> <tt class="literal">service</tt> and/or
+<tt class="literal">Deny</tt> <tt class="literal">connection</tt>
+<tt class="literal">from</tt> <tt class="literal">hostname</tt>
+<tt class="literal">to</tt> <tt class="literal">service</tt> messages for the
+client system. These messages indicate that you have
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and/or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options in your
+<em class="filename">smb.conf</em>, and they prohibit access from the
+client system. <a name="INDEX-56"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.5"/>
+
+<h3 class="head2">Troubleshooting SMB Connections</h3>
+
+<p><a name="INDEX-57"/><a name="INDEX-58"/>Now
+that you know the servers are up, you need to make sure
+they're running properly. We start by placing a
+simple <em class="filename">smb.conf</em> file in the
+<em class="filename">/usr/local/samba/lib</em> directory.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.1"/>
+
+<h3 class="head3">A minimal smb.conf file</h3>
+
+<p>In the following tests, we assume you have a
+<tt class="literal">[temp]</tt> share suitable for testing, plus at least
+one account. An <em class="filename">smb.conf</em> file that includes just
+these is as follows:</p>
+
+<blockquote><pre class="code">[global] 
+    workgroup = <em class="replaceable">EXAMPLE</em> 
+    security = user
+    browsable = yes 
+    local master = yes 
+[homes] 
+    guest ok = no 
+    browsable = no
+[temp] 
+    path = /tmp 
+    public = yes</pre></blockquote>
+<a name="samba2-CHP-12-NOTE-156"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>The <tt class="literal">public</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> option in the <tt class="literal">[temp]</tt> share
+is just for testing. You probably don't want people
+without accounts storing things on your Samba server, so you should
+comment it out when you're done.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.2"/>
+
+<h3 class="head3">Testing locally with smbclient</h3>
+
+<p><a name="INDEX-59"/><a name="INDEX-60"/>The first test is to ensure that the
+server can list its own services (shares). Run the command
+<tt class="literal">smbclient</tt> <em class="emphasis">-L</em>
+<tt class="literal">localhost</tt> <tt class="literal">-U%</tt> to connect to the
+server from itself, and specify the guest user. You should see the
+following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L localhost -U% </b></tt>
+Server time is Wed May 27 17:57:40 2002 Timezone is UTC-4.0
+Server=[localhost] 
+User=[davecb] 
+Workgroup=[EXAMPLE] 
+Domain=[EXAMPLE]
+    Sharename      Type      Comment 
+    ---------      -----     ----------
+    temp           Disk
+    IPC$           IPC       IPC Service (Samba 1.9.18) 
+    homes          Disk      Home directories
+This machine does not have a browse list</pre></blockquote>
+
+<p>If you received this output, move on to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>. On the other hand, if you
+receive an error, check the following:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Get_hostbyname</tt>:
+<tt class="literal">unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">localhost</tt>, either you've spelled
+its name wrong or there actually is a problem (which should have been
+seen back in <a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>). In the
+latter case, move on to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
+</li><li>
+<p>If you get <tt class="literal">Connect</tt> <tt class="literal">error</tt>:
+<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the server
+was found, but it wasn't running an
+<em class="emphasis">nmbd</em> daemon. Skip back to
+<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>,
+earlier in this chapter, and retest the daemons.</p>
+</li><li>
+<p>If you get the message <tt class="literal">Your</tt>
+<tt class="literal">server</tt> <tt class="literal">software</tt>
+<tt class="literal">is</tt> <tt class="literal">being</tt>
+<tt class="literal">unfriendly</tt>, the initial session request packet got
+a garbage response from the server. The server might have crashed or
+started improperly. The common causes of this can be discovered by
+scanning the logs for the following:</p>
+<ul><li>
+<p>Invalid command-line parameters to <em class="emphasis">smbd</em> ; see
+the <em class="emphasis">smbd</em> manual page.</p>
+</li><li>
+<p>A fatal problem with the <em class="filename">smb.conf</em> file that
+prevents the startup of <em class="emphasis">smbd</em>. Always check your
+changes with <em class="emphasis">testparm</em>, as was done in <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>, earlier in this chapter.</p>
+</li><li>
+<p>Missing directories where Samba is supposed to keep its log and lock
+files.</p>
+</li><li>
+<p>The presence of a server already on the port (139 for
+<em class="emphasis">smbd</em>, 137 for <em class="emphasis">nmbd</em> ),
+preventing the daemon from starting.</p>
+</li></ul>
+</li>
+<li>
+<p>If you're using <em class="emphasis">inetd</em> (or
+xinetd ) instead of standalone daemons, be sure to check your
+<em class="filename">/etc/inetd.conf</em> (or xinetd configuration files)
+and <em class="filename">/etc/services</em> entries against their manual
+pages for errors as well.</p>
+</li><li>
+<p>If you get a <tt class="literal">Password</tt>: prompt, your guest account
+is not set up properly. The <em class="emphasis">-U%</em> option tells
+<em class="emphasis">smbclient</em> to do a &quot;null
+login,&quot; which requires that the guest account be
+present but does not require it to have any privileges.</p>
+</li><li>
+<p>If you get the message <tt class="literal">SMBtconX</tt>
+<tt class="literal">failed</tt>. <tt class="literal">ERRSRV--ERRaccess</tt>, you
+aren't permitted access to the server. This normally
+means you have a <tt class="literal">hosts</tt> <tt class="literal">allow</tt>
+option that doesn't include the server or a
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.
+Recheck with the command <tt class="literal">testparm</tt>
+<tt class="literal">smb.conf</tt> <em class="replaceable">your_hostname</em>
+<em class="replaceable">your_ip_address</em> (see
+<a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>),
+and correct any unintended prohibitions.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.3"/>
+
+<h3 class="head3">Testing connections with smbclient</h3>
+
+<p><a name="INDEX-61"/><a name="INDEX-62"/>Run the command
+<tt class="literal">smbclient</tt>
+<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
+to connect to the server's <tt class="literal">[temp]</tt>
+share and to see if you can connect to a file service. You should get
+the following response:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient '\\server\temp' </b></tt>
+Server time is Tue May  5 09:49:32 2002 Timezone is UTC-4.0 Password:
+<b class="emphasis-bold">smb: \&gt; quit</b></pre></blockquote>
+<p>You might receive the following errors:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Get_Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">name</tt>, <tt class="literal">Connect</tt>
+<tt class="literal">error</tt>: <tt class="literal">Connection</tt>
+<tt class="literal">refused</tt>, or <tt class="literal">Your</tt>
+<tt class="literal">server</tt> <tt class="literal">software</tt>
+<tt class="literal">is</tt> <tt class="literal">being</tt>
+<tt class="literal">unfriendly</tt>, see the previous section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, for
+the diagnoses.</p>
+</li><li>
+<p>If you get the message <tt class="literal">servertemp</tt>:
+<tt class="literal">Not</tt> <tt class="literal">enough</tt>
+<tt class="literal">`\</tt>'
+<tt class="literal">characters</tt> <tt class="literal">in</tt>
+<tt class="literal">service</tt>, you likely didn't quote
+the address, so Unix stripped off backslashes. You can also write the
+command:</p>
+
+<blockquote><pre class="code">smbclient \\\\<em class="replaceable">server</em>\\temp</pre></blockquote>
+
+<p>or:</p>
+<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/temp</pre></blockquote>
+</li>
+</ul>
+<p>Now, provide your Unix account password to the
+<tt class="literal">Password</tt>: prompt. If you then get an
+<tt class="literal">smb</tt>: <tt class="literal">\&gt;</tt> prompt, it worked.
+Enter <tt class="literal">quit</tt> and continue on to the next section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If
+you got <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
+<tt class="literal">ERRSRV--ERRinvnetname</tt>, the problem can be any of
+the following:</p>
+
+<ul><li>
+<p>A wrong share name: you might have spelled it wrong, it might be too
+long, it might be in mixed case, or it might not be available. Check
+that it's what you expect with
+<em class="emphasis">testparm</em> (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
+</li><li>
+<p>A <tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">share</tt> parameter in your Samba configuration file,
+in which case you might have to add <tt class="literal">-U</tt>
+<em class="replaceable">your_account</em> to the
+<em class="emphasis">smbclient</em> command.</p>
+</li><li>
+<p>An erroneous username.</p>
+</li><li>
+<p>An erroneous password.</p>
+</li><li>
+<p>An <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
+<tt class="literal">valid</tt> <tt class="literal">users</tt> option in your
+<em class="emphasis">smb.conf</em> file that doesn't
+allow your account to connect. Recheck using
+<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
+<em class="replaceable">your_hostname your_ip_address</em> (see the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
+</li><li>
+<p>A <tt class="literal">valid</tt> <tt class="literal">hosts</tt> option that
+doesn't include the server, or an
+<tt class="literal">invalid</tt> <tt class="literal">hosts</tt> option that does.
+Also test this with <em class="emphasis">testparm</em>.</p>
+</li><li>
+<p>A problem in authentication, such as if shadow passwords or the
+Password Authentication Module (PAM) is used on the server, but Samba
+is not compiled to use it. This is rare, but it occasionally happens
+when a SunOS 4 Samba binary (with no shadow passwords) is run without
+recompilation on a Solaris system (with shadow passwords).</p>
+</li><li>
+<p>The <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option is in the
+configuration file, but no password for your account is in the
+<em class="emphasis">smbpasswd</em> file.</p>
+</li><li>
+<p>You have a null password entry, either in Unix
+<em class="filename">/etc/passwd</em> or in the
+<em class="emphasis">smbpasswd</em> file.</p>
+</li><li>
+<p>You are connecting to <tt class="literal">[temp]</tt>, and you do not have
+the <tt class="literal">guest</tt> <tt class="literal">ok</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option in the
+<tt class="literal">[temp]</tt> section of the
+<em class="emphasis">smb.conf</em> file.</p>
+</li><li>
+<p>You are connecting to <tt class="literal">[temp]</tt> before connecting to
+your home directory, and your guest account isn't
+set up correctly. If you can connect to your home directory and then
+connect to <tt class="literal">[temp]</tt>, that's the
+problem. See <a href="ch02.html">Chapter 2</a> for more information on
+creating a basic Samba configuration file.</p>
+
+<p>A bad guest account will also prevent you from printing or browsing
+until after you've logged in to your home directory.</p>
+</li></ul>
+<p>There is one more reason for this failure that has nothing at all to
+do with passwords: the <tt class="literal">path</tt> parameter in your
+<em class="filename">smb.conf</em> file might point somewhere that
+doesn't exist. This will not be diagnosed by
+<em class="emphasis">testparm</em>, and most SMB clients
+can't distinguish it from other types of bad user
+accounts. You will have to check it manually.</p>
+
+<p>Once you have connected to <tt class="literal">[temp]</tt> successfully,
+repeat the test, this time logging in to your home directory (e.g.,
+map network drive
+<em class="replaceable">server</em><tt class="literal">\davecb</tt>). If you
+have to change anything to get that to work, retest
+<tt class="literal">[temp]</tt> again afterward.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.4"/>
+
+<h3 class="head3">Testing connections with net use</h3>
+
+<p><a name="INDEX-63"/><a name="INDEX-64"/>Run the command
+<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">*</tt>
+<tt class="literal">\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
+on the Windows client to see if it can connect to the server. You
+should be prompted for a password, then receive the response
+<tt class="literal">The</tt> <tt class="literal">command</tt>
+<tt class="literal">was</tt> <tt class="literal">completed</tt>
+<tt class="literal">successfully</tt>.</p>
+
+<p>If that worked, continue with the steps in the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.5">Section 12.2.5.5</a>. Otherwise:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
+<tt class="literal">shared</tt> <tt class="literal">directory</tt>
+<tt class="literal">cannot</tt> <tt class="literal">be</tt>
+<tt class="literal">found</tt>, or <tt class="literal">Cannot</tt>
+<tt class="literal">locate</tt> <tt class="literal">specified</tt>
+<tt class="literal">share</tt> <tt class="literal">name</tt>, the directory name
+is either misspelled or not in the <em class="emphasis">smb.conf</em>
+file. This message can also warn of a name that is in mixed case,
+including spaces, or that is longer than eight characters.</p>
+</li><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">computer</tt>
+<tt class="literal">name</tt> <tt class="literal">specified</tt>
+<tt class="literal">in</tt> <tt class="literal">the</tt>
+<tt class="literal">network</tt> <tt class="literal">path</tt>
+<tt class="literal">cannot</tt> <tt class="literal">be</tt>
+<tt class="literal">located</tt> or <tt class="literal">Cannot</tt>
+<tt class="literal">locate</tt> <tt class="literal">specified</tt>
+<tt class="literal">computer</tt>, the directory name has been misspelled,
+the name service has failed, there is a networking problem, or the
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option includes your
+host.</p>
+<ul><li>
+<p>If it is not a spelling mistake, you need to double back at least to
+<a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a> to
+investigate why it doesn't connect.</p>
+</li><li>
+<p>If <em class="emphasis">smbclient</em> does work, there is a name service
+problem with the client name service, and you need to go forward to
+<a href="ch12.html#samba2-CHP-12-SECT-2.6.2">Section 12.2.6.2</a> and see if
+you can look up both the client and server with
+<em class="emphasis">nmblookup</em>.</p>
+</li>
+</ul>
+</li>
+
+<li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
+<tt class="literal">is</tt> <tt class="literal">invalid</tt>
+<tt class="literal">for</tt> <tt class="literal">\server\username</tt>, your
+locally cached copy on the client doesn't match the
+one on the server. You will be prompted for a replacement.</p>
+
+<a name="samba2-CHP-12-NOTE-157"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Each Windows 95/98/Me client keeps a local
+<em class="emphasis">password</em> file, but it's really
+just a cached copy of the password it sends to Samba and NT/2000/XP
+servers to authenticate you. That's what is being
+prompted for here. You can still log on to a Windows system without a
+password (but not to NT/2000/XP).</p>
+</blockquote>
+
+<p>If you provide your password and it still fails, your password is not
+being matched on the server, you have a <tt class="literal">valid</tt>
+<tt class="literal">users</tt> or <tt class="literal">invalid</tt>
+<tt class="literal">users</tt> list denying you permission, NetBEUI is
+interfering, or the encrypted password problem described in the next
+paragraph exists.</p>
+</li><li>
+<p>If your client is Windows NT 4.0, NT 3.5 with Patch 3, Windows 95
+with Patch 3, Windows 98, any of these with Internet Explorer 4.0, or
+any subsequent version of Windows, the system will default to
+Microsoft encryption for passwords. In general, if you have installed
+a major Microsoft product on any of the older Windows versions, you
+might have applied an update and turned on encrypted passwords. If
+the client is defaulting to encrypted passwords, you will need to
+specify <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in your Samba
+configuration file if you are using a version of Samba prior to Samba
+3.0.</p>
+
+<a name="samba2-CHP-12-NOTE-158"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Because of Internet Explorer's willingness to honor
+URLs such as <em class="filename">file://somehost/somefile</em> by making
+SMB connections, clients up to and including Windows 95 Patch Level 2
+would happily send your password, in plain text, to SMB servers
+anywhere on the Internet. This was considered a bad idea, and
+Microsoft switched to using only encrypted passwords in the SMB
+protocol. All subsequent releases of Microsoft's
+products have included this correction.</p>
+</blockquote>
+</li>
+
+<li>
+<p>If you have a mixed-case password on Unix, the client is probably
+sending it in all one case. If changing your password to all one case
+works, this was the problem. Regrettably, all but the oldest clients
+support uppercase passwords, so Samba will try once with the password
+in uppercase and once in lowercase. If you wish to use mixed-case
+passwords, see the <tt class="literal">password</tt>
+<tt class="literal">level</tt> option in <a href="ch09.html">Chapter 9</a> for a
+workaround.</p>
+</li><li>
+<p>You might have a <tt class="literal">valid</tt> <tt class="literal">users</tt>
+problem, as tested with <em class="emphasis">smbclient</em> (see the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>).</p>
+</li><li>
+<p>You might have the NetBEUI protocol bound to the Microsoft client.
+This often produces long timeouts and erratic failures and is known
+to have caused failures to accept passwords in the past. Unless you
+absolutely need the NetBEUI protocol, remove it.</p>
+</li></ul>
+<a name="samba2-CHP-12-NOTE-159"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The term &quot;bind&quot; is used here to
+mean connecting one piece of software to another. When configured
+correctly, the Microsoft SMB client is &quot;bound
+to&quot; TCP/IP in the bindings section of the TCP/IP
+properties panel under the Windows 95/98/Me Network icon in the
+Control Panel. TCP/IP in turn is bound to an Ethernet card. This is
+not the same sense of the word as binding an SMB daemon to a TCP/IP
+port.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.5"/>
+
+<h3 class="head3">Testing connections with Windows Explorer</h3>
+
+<p><a name="INDEX-65"/><a name="INDEX-66"/>Start Windows Explorer
+(not Internet Explorer), select Map Network Drive from the Tools
+menu, and specify the UNC for one of your shares on the Samba server
+to see if you can make Explorer connect to it. If so,
+you've succeeded and can skip to the next section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.6">Section 12.2.6</a>.</p>
+
+<p>Windows Explorer is a rather poor diagnostic tool: it tells you that
+something's wrong, but rarely what it is. If you get
+a failure, you'll need to track it down with the
+Windows <em class="emphasis">net use</em> command, which has far superior
+error reporting:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
+<tt class="literal">for</tt> <tt class="literal">this</tt>
+<tt class="literal">connection</tt> <tt class="literal">that</tt>
+<tt class="literal">is</tt> <tt class="literal">in</tt> <tt class="literal">your</tt>
+<tt class="literal">password</tt> <tt class="literal">file</tt>
+<tt class="literal">is</tt> <tt class="literal">no</tt> <tt class="literal">longer</tt>
+<tt class="literal">correct</tt>, you might have any of the following:</p>
+<ul><li>
+<p>Your locally cached copy on the client doesn't match
+the one on the server.</p>
+</li><li>
+<p>You didn't provide a username and password when
+logging on to the client. Some versions of Explorer will continue to
+send a null username and password, even if you provide a password.</p>
+</li><li>
+<p>You have misspelled the password.</p>
+</li><li>
+<p>You have an <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
+<tt class="literal">valid</tt> <tt class="literal">users</tt> list denying
+permission.</p>
+</li><li>
+<p>Your client is defaulting to encrypted passwords, but Samba is
+configured with the <tt class="literal">encrypt</tt>
+<tt class="literal">passwords</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> configuration file parameter.</p>
+</li><li>
+<p>You have a mixed-case password, which the client is supplying in all
+one case.</p>
+</li>
+</ul>
+</li>
+<li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">network</tt>
+<tt class="literal">name</tt> <tt class="literal">is</tt>
+<tt class="literal">either</tt> <tt class="literal">incorrect</tt>,
+<tt class="literal">or</tt> <tt class="literal">a</tt> <tt class="literal">network</tt>
+<tt class="literal">to</tt> <tt class="literal">which</tt> <tt class="literal">you</tt>
+<tt class="literal">do</tt> <tt class="literal">not</tt> <tt class="literal">have</tt>
+<tt class="literal">full</tt> <tt class="literal">access</tt>, or
+<tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
+<tt class="literal">specified</tt> <tt class="literal">computer</tt>, you might
+have any of the following:</p>
+<ul><li>
+<p>Misspelled name</p>
+</li><li>
+<p>Malfunctioning service</p>
+</li><li>
+<p>Failed share</p>
+</li><li>
+<p>Networking problem</p>
+</li><li>
+<p>Bad <tt class="literal">path</tt> parameter in
+<em class="filename">smb.conf</em></p>
+</li><li>
+<p><tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that excludes
+you</p>
+</li>
+</ul>
+</li>
+<li>
+<p>If you get <tt class="literal">You</tt> <tt class="literal">must</tt>
+<tt class="literal">supply</tt> <tt class="literal">a</tt>
+<tt class="literal">password</tt> <tt class="literal">to</tt>
+<tt class="literal">make</tt> <tt class="literal">this</tt>
+<tt class="literal">connection</tt>, the password on the client is out of
+synchronization with the server, or this is the first time
+you've tried from this client system and the client
+hasn't cached it locally yet.</p>
+</li><li>
+<p>If you get <tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
+<tt class="literal">specified</tt> <tt class="literal">share</tt>
+<tt class="literal">name</tt>, you have a wrong share name or a syntax
+error in specifying it, a share name longer than eight characters, or
+one containing spaces or in mixed case.</p>
+</li></ul>
+<p>Once you can reliably connect to the share, try again, this time
+using your home directory. If you have to change something to get
+home directories working, retest with the first share, and vice
+versa, as we showed in the earlier section, &quot;Testing
+connections with net use.&quot; As always, if Explorer
+fails, drop back to that section and debug the connection there.
+<a name="INDEX-67"/><a name="INDEX-68"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.6"/>
+
+<h3 class="head2">Troubleshooting Browsing</h3>
+
+<p><a name="INDEX-69"/><a name="INDEX-70"/>Finally, we
+come to browsing. We've left this for last, not
+because it is the most difficult, but because it's
+both optional and partially dependent on a protocol that
+doesn't guarantee delivery of a packet. Browsing is
+hard to diagnose if you don't already know that all
+the other services are running.</p>
+
+<p>Browsing is purely optional: it's just a way to find
+the servers on your network and the shares that they provide. Unix
+has nothing of the sort and happily does without. Browsing also
+assumes all your systems are on a local area network (LAN) where
+broadcasts are allowable.</p>
+
+<p>First, the browsing mechanism identifies a system using the
+unreliable UDP protocol; it then makes a normal (reliable) TCP/IP
+connection to list the shares the system provides.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.1"/>
+
+<h3 class="head3">Testing browsing with smbclient</h3>
+
+<p><a name="INDEX-71"/><a name="INDEX-72"/>We'll start with
+testing the reliable connection first. From the server, try listing
+its own shares using <em class="emphasis">smbclient</em> with a
+<tt class="literal">-L</tt> option and your server's name.
+You should get something resembling the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L server</b></tt> 
+Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server 
+time is Tue Apr 28 09:57:28 2002 Timezone is UTC-4.0 
+Password: 
+Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.5]
+
+   Sharename      Type      Comment    
+   ---------      ----      -------    
+    cdrom          Disk      CD-ROM    
+    cl             Printer   Color Printer 1    
+    davecb         Disk      Home Directories
+
+   Server         Comment    
+   ---------      -------    
+   SERVER         Samba 2.2.5
+
+   Workgroup      Master    
+   ---------      -------    
+   EXAMPLE        SERVER</pre></blockquote>
+
+<ul><li>
+<p>If you didn't get a Sharename list, the server is
+not allowing you to browse any shares. This should not be the case if
+you've tested any of the shares with Windows
+Explorer or the <em class="emphasis">net use</em> command. If you
+haven't done the <tt class="literal">smbclient</tt>
+<tt class="literal">-L</tt> <tt class="literal">localhost</tt>
+<tt class="literal">-U%</tt> test yet (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), do it now. An erroneous
+guest account can prevent the shares from being seen. Also, check the
+<em class="filename">smb.conf</em> file to make sure you do not have the
+option <tt class="literal">browsable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> anywhere in it: we suggest using a minimal
+<em class="filename">smb.conf</em> file (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.1">Section 12.2.5.1</a>). You need to have
+<tt class="literal">browsable</tt> enabled (which is the default) to see
+the share.</p>
+</li><li>
+<p>If you didn't get a browse list, the server is not
+providing information about the systems on the network. At least one
+system on the net must support browse lists. Make sure you have
+<tt class="literal">local</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
+<em class="filename">smb.conf</em> file if you want Samba to be the local
+master browser.</p>
+</li><li>
+<p>If you got a browse list but didn't get
+<em class="emphasis">/tmp</em>, you probably have a
+<em class="filename">smb.conf</em> problem. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>.</p>
+</li><li>
+<p>If you didn't get a workgroup list with your
+workgroup name in it, it is possible that your workgroup is set
+incorrectly in the <em class="filename">smb.conf</em> file.</p>
+</li><li>
+<p>If you didn't get a workgroup list at all, ensure
+that <tt class="literal">workgroup</tt> <tt class="literal">=</tt>
+<tt class="literal">EXAMPLE</tt> is present in the
+<em class="filename">smb.conf</em> file.</p>
+</li><li>
+<p>If you get nothing, try once more with the options
+<tt class="literal">-I</tt> <em class="emphasis">ip_address</em>
+<tt class="literal">-n</tt> <em class="emphasis">netbios_name</em>
+<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>
+<tt class="literal">-d3</tt> with the NetBIOS and workgroup name in
+uppercase. (The <tt class="literal">-d3</tt> option sets the log /debugging
+level to 3.) Then check the Samba logs for clues.</p>
+</li></ul>
+<p>If you're still getting nothing, you
+shouldn't have gotten this far; double back to at
+least <a href="ch12.html#samba2-CHP-12-SECT-2.3.1">Section 12.2.3.1</a>, or perhaps
+<a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. On the other hand:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
+<tt class="literal">ERRSRV--ERRaccess</tt>, you aren't
+permitted access to the server. This normally means you have a
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option that
+doesn't include the server or a
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.</p>
+</li><li>
+<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>, you
+presumably have one of the following:</p>
+<ul><li>
+<p>An incorrect <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line</p>
+</li><li>
+<p>An incorrect <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
+<tt class="literal">valid</tt> <tt class="literal">users</tt> line</p>
+</li><li>
+<p>A lowercase password and OS/2 or Windows for Workgroups clients</p>
+</li><li>
+<p>A missing or invalid guest account</p>
+</li></ul>
+<p>Check what your guest account is (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), change or comment out any
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt>,
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt>,
+<tt class="literal">valid</tt> <tt class="literal">users</tt>, or
+<tt class="literal">invalid</tt> <tt class="literal">users</tt> lines, and verify
+your <em class="filename">smb.conf</em> file with
+<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
+<em class="replaceable">your_hostname your_ip_address</em> (see the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
+</li><li>
+<p>If you get <tt class="literal">Connection</tt> <tt class="literal">refused</tt>,
+the <em class="emphasis">smbd</em> server is not running or has crashed.
+Check that it's up, running, and listening to the
+network with <em class="emphasis">netstat</em>. See the earlier section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">Get_Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">name</tt>, you've made a spelling
+error, there is a mismatch between the Unix and NetBIOS hostname, or
+there is a name service problem. Start name service debugging as
+discussed in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If this works, suspect a
+name mismatch, and go to the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">Session</tt> <tt class="literal">request</tt>
+<tt class="literal">failed</tt>, the server refused the connection. This
+usually indicates an internal error, such as insufficient memory to
+fork a process.</p>
+</li><li>
+<p>If you get <tt class="literal">Your</tt> <tt class="literal">server</tt>
+<tt class="literal">software</tt> <tt class="literal">is</tt>
+<tt class="literal">being</tt> <tt class="literal">unfriendly</tt>, the initial
+session request packet received a garbage response from the server.
+The server might have crashed or started improperly. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, where the
+problem is first analyzed.</p>
+</li><li>
+<p>If you suspect the server is not running, go back to
+<a href="ch12.html#samba2-CHP-12-SECT-2.4.2">Section 12.2.4.2</a> to see why the server
+daemon isn't responding.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.2"/>
+
+<h3 class="head3">Testing the server with nmblookup</h3>
+
+<p><a name="INDEX-73"/><a name="INDEX-74"/>This will test the
+&quot;advertising&quot; system used for
+Windows name services and browsing. Advertising works by broadcasting
+one's presence or willingness to provide services.
+It is the part of browsing that uses an unreliable protocol (UDP) and
+works only on broadcast networks such as Ethernets. The
+<em class="emphasis">nmblookup</em> program broadcasts name queries for
+the hostname you provide and returns its IP address and the name of
+the system, much as <em class="emphasis">nslookup</em> does with DNS.
+Here, the <em class="emphasis">-d</em> (debug or log-level) and
+<em class="emphasis">-B</em> (broadcast address) options direct queries to
+specific systems.</p>
+
+<p>First, we check the server from itself. Run
+<em class="emphasis">nmblookup</em> with a <em class="emphasis">-B</em> option
+of your server's name (to tell it to send the query
+to the Samba server) and a parameter of <tt class="literal">_ _SAMBA_
+_</tt> as the symbolic name to look up. You should get:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -B server _ _SAMBA_ _</b></tt>
+Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 
+Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</pre></blockquote>
+
+<p>You should get the IP address of the server, followed by the name
+<tt class="literal">_ _SAMBA_ _</tt> , which means that the server has
+successfully advertised that it has a service called <tt class="literal">_
+_SAMBA_ _</tt> , and therefore at least part of NetBIOS name
+service works.</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Name_query</tt> <tt class="literal">failed</tt>
+<tt class="literal">to</tt> <tt class="literal">find</tt> <tt class="literal">name</tt>
+<tt class="literal">_ _SAMBA_ _</tt>, you might have specified the server
+name to the <em class="emphasis">-B</em> option, or
+<em class="emphasis">nmbd</em> is not running. The <em class="emphasis">-B</em>
+option actually takes a broadcast address: we're
+using a computer name to get a unicast address and to ask the server
+if it has claimed <tt class="literal">_ _SAMBA_ _</tt>. Try again with
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">ip_address</em>, and if that fails too,
+<em class="emphasis">nmbd</em> isn't claiming the name.
+Go back briefly to the earlier section, &quot;Testing
+daemons with testparm,&quot; to see if
+<em class="emphasis">nmbd</em> is running. If so, it might not be claiming
+names; this means that Samba is not providing the browsing
+service&mdash;a configuration problem. If that is the case, make sure
+that <em class="filename">smb.conf</em> doesn't contain
+the option <tt class="literal">browsing</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt>.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.3"/>
+
+<h3 class="head3">Testing the client with nmblookup</h3>
+
+<p><a name="INDEX-75"/><a name="INDEX-76"/>Next, check the IP address of the
+client from the server with <em class="emphasis">nmblookup</em> using the
+<tt class="literal">-B</tt> option for the client's name
+and a parameter of '<tt class="literal">*</tt>' meaning
+&quot;anything,&quot; as shown here:</p>
+
+<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -B client '*</b>' 
+Sending queries to 192.168.236.10 192.168.236.10 *
+Got a positive name query response from 192.168.236.10 (192.168.236.10)</pre></blockquote>
+
+<p>You might get the following error:</p>
+
+<ul><li>
+<p>If you receive <tt class="literal">Name-query</tt>
+<tt class="literal">failed</tt> <tt class="literal">to</tt>
+<tt class="literal">find</tt> <tt class="literal">name</tt> <tt class="literal">*</tt>,
+you have made a spelling mistake, or the client software on the PC
+isn't installed, started, or bound to TCP/IP. Double
+back to <a href="ch03.html">Chapter 3</a> and ensure that you have a
+client installed that is listening to the network.</p>
+</li></ul>
+<p>Repeat the command with the following options if you had any failures:</p>
+
+<ul><li>
+<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">client_IP_address</em> succeeds but
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">client_name</em> fails, there is a name service
+problem with the client's name; go to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
+</li><li>
+<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<tt class="literal">127.0.0.1</tt> '<tt class="literal">*</tt>' succeeds, but
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">client_IP_address</em> fails, there is a
+hardware problem, and <em class="emphasis">ping</em> should have failed.
+See your network manager.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.4"/>
+
+<h3 class="head3">Testing the network with nmblookup</h3>
+
+<p><a name="INDEX-77"/><a name="INDEX-78"/>Run the command
+<em class="emphasis">nmblookup</em> again with a <em class="emphasis">-d2</em>
+option (for a debug level of 2) and a parameter of
+'<tt class="literal">*</tt>'. This time we are testing the ability of
+programs (such as <em class="emphasis">nmbd</em> ) to use broadcast.
+It's essentially a connectivity test, done via a
+broadcast to the default broadcast address.</p>
+
+<p>A number of NetBIOS over TCP/IP hosts on the network should respond
+with <tt class="literal">got</tt> <tt class="literal">a</tt>
+<tt class="literal">positive</tt> <tt class="literal">name</tt>
+<tt class="literal">query</tt> <tt class="literal">response</tt> messages. Samba
+might not catch all the responses in the short time it listens, so
+you won't always see all the SMB clients on the
+network. However, you should see most of them:</p>
+
+<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -d 2 '*</b>' 
+Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending 
+queries to 192.168.236.255 
+Got a positive name query response from 192.168.236.191 (192.168.236.191) 
+Got a positive name query response from 192.168.236.228 (192.168.236.228) 
+Got a positive name query response from 192.168.236.75 (192.168.236.75) 
+Got a positive name query response from 192.168.236.79 (192.168.236.79) 
+Got a positive name query response from 192.168.236.206 (192.168.236.206) 
+Got a positive name query response from 192.168.236.207 (192.168.236.207) 
+Got a positive name query response from 192.168.236.217 (192.168.236.217) 
+Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</pre></blockquote>
+
+<p>However:</p>
+
+<ul><li>
+<p>If this doesn't give at least the client address you
+previously tested, the default broadcast address is wrong. Try
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<tt class="literal">255.255.255.255</tt> <tt class="literal">-d</tt>
+<tt class="literal">2</tt> '<tt class="literal">*</tt>', which is a last-ditch
+variant (using a broadcast address of all 1s). If this draws
+responses, the broadcast address you've been using
+before is wrong. Troubleshooting these is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
+chapter.</p>
+</li><li>
+<p>If the address 255.255.255.255 fails too, check your notes to see if
+your PC and server are on different subnets, as discovered in the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. You
+should try to diagnose this step with a server and client on the same
+subnet, but if you can't, you can try specifying the
+remote subnet's broadcast address with
+<em class="emphasis">-B</em>. Finding that address is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
+chapter. The <em class="emphasis">-B</em> option will work if your router
+supports directed broadcasts; if it doesn't, you
+might be forced to test with a client on the same network.</p>
+</li></ul>
+<p>As usual, you can check the Samba log files for additional clues.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.5"/>
+
+<h3 class="head3">Testing client browsing with net view</h3>
+
+<p><a name="INDEX-79"/><a name="INDEX-80"/>On the client, run the
+command <em class="replaceable">net view \\server</em> in an MS-DOS
+(command prompt) window to see if you can connect to the client and
+ask what shares it provides. You should get back a list of available
+shares on the server.</p>
+
+<p>If this works, continue with the later section <a href="ch12.html#samba2-CHP-12-SECT-3.1">Section 12.3.1</a>. Otherwise:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Network</tt> <tt class="literal">name</tt>
+<tt class="literal">not</tt> <tt class="literal">found</tt> for the name you just
+tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.3">Section 12.2.6.3</a>, there is a problem with the
+client software itself. Double-check this by running
+<em class="emphasis">nmblookup</em> on the client; if it works and
+<em class="emphasis">net view</em> doesn't, the client is
+at fault.</p>
+</li><li>
+<p>If <em class="emphasis">nmblookup</em> fails, there is a NetBIOS name
+service problem, as discussed in the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">You</tt> <tt class="literal">do</tt>
+<tt class="literal">not</tt> <tt class="literal">have</tt> <tt class="literal">the</tt>
+<tt class="literal">necessary</tt> <tt class="literal">access</tt>
+<tt class="literal">rights</tt>, or <tt class="literal">This</tt>
+<tt class="literal">server</tt> <tt class="literal">is</tt>
+<tt class="literal">not</tt> <tt class="literal">configured</tt>
+<tt class="literal">to</tt> <tt class="literal">list</tt>
+<tt class="literal">shared</tt> <tt class="literal">resources</tt>, either your
+guest account is misconfigured (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>) or you have a
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that prohibits
+connections from your system. These problems should have been
+detected by the <em class="emphasis">smbclient</em> tests starting in the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.1">Section 12.2.6.1</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
+<tt class="literal">computer</tt> <tt class="literal">is</tt>
+<tt class="literal">not</tt> <tt class="literal">receiving</tt>
+<tt class="literal">requests</tt>, you have misspelled the name, the system
+is unreachable by broadcast (tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.4">Section 12.2.6.4</a>), or it's
+not running <em class="emphasis">nmbd</em>.</p>
+</li><li>
+<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>
+<tt class="literal">error</tt>, you're probably
+encountering the Microsoft-encrypted password problem, as discussed
+earlier in this chapter and in <a href="ch09.html">Chapter 9</a>, with its
+corrections.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.6"/>
+
+<h3 class="head3">Browsing the server from the client</h3>
+
+<p><a name="INDEX-81"/><a name="INDEX-82"/>From the Windows Network
+Neighborhood (or My Network Places in newer releases), try to browse
+the server. Your Samba server should appear in the browse list of
+your local workgroup. You should be able to double-click the name of
+the server to get a list of shares.</p>
+
+<ul><li>
+<p>If you get an <tt class="literal">Invalid</tt> <tt class="literal">password</tt>
+error, it's most likely the encryption problem
+again.</p>
+</li><li>
+<p>If you receive an <tt class="literal">Unable</tt> <tt class="literal">to</tt>
+<tt class="literal">browse</tt> <tt class="literal">the</tt>
+<tt class="literal">network</tt> error, one of the following has occurred:</p>
+<ul><li>
+<p>You have looked too soon, before the broadcasts and updates have
+completed. Wait 30 seconds and try again.</p>
+</li><li>
+<p>There is a network problem you've not yet diagnosed.</p>
+</li><li>
+<p>There is no browse master. Add the configuration option
+<tt class="literal">local</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> to your
+<em class="emphasis">smb.conf</em> file.</p>
+</li><li>
+<p>No shares are made browsable in the <em class="emphasis">smb.conf</em>
+file.</p>
+</li></ul>
+</li>
+<li>
+<p>If you receive the message <tt class="literal">\\server</tt>
+<tt class="literal">is</tt> <tt class="literal">not</tt>
+<tt class="literal">accessible</tt> then:</p>
+<ul><li>
+<p>You have the encrypted password problem.</p>
+</li><li>
+<p>The system really isn't accessible.</p>
+</li><li>
+<p>The system doesn't support browsing.</p>
+</li></ul>
+</li>
+</ul>
+
+<p>If you've made it this far and the problem is not
+yet solved, either the problem is one we've not yet
+seen, or it is a problem related to a topic we have already covered,
+and further analysis is required. Name resolution is often related to
+difficulties with Samba, so we cover it in more detail in the next
+sections. If you know your problem is not related to name resolution,
+skip to the <a href="ch12.html#samba2-CHP-12-SECT-3">Section 12.3</a> at the end of the chapter. <a name="INDEX-83"/><a name="INDEX-84"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.7"/>
+
+<h3 class="head2">Troubleshooting Name Services</h3>
+
+<p><a name="INDEX-85"/><a name="INDEX-86"/>This
+section looks at simple troubleshooting of all the name services
+you'll encounter, but only for the common problems
+that affect Samba.</p>
+
+<p>There are several good references for troubleshooting particular name
+services: Paul <a name="INDEX-87"/>Albitz and Cricket <a name="INDEX-88"/>Liu's <em class="emphasis">DNS and
+Bind</em> (O'Reilly) covers the DNS, Hal
+<a name="INDEX-89"/>Stern's <em class="emphasis">NFS and
+NIS</em> (O'Reilly) covers NIS
+(&quot;Yellow pages&quot;), while Windows
+Internet Name Service (WINS), <em class="filename">hosts/LMHOSTS</em>
+files, and NIS+ are best covered by their respective
+vendors' manuals.</p>
+
+<p>The problems addressed in this section are as follows:</p>
+
+<ul><li>
+<p>Name services are identified.</p>
+</li><li>
+<p>A hostname can't be looked up.</p>
+</li><li>
+<p>The long (FQDN) form of a hostname works but the short form
+doesn't.</p>
+</li><li>
+<p>The short form of the name works, but the long form
+doesn't.</p>
+</li><li>
+<p>A long delay occurs before the expected result.</p>
+</li></ul>
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.1"/>
+
+<h3 class="head3">Identifying what's in use</h3>
+
+<p><a name="INDEX-90"/>First, see if both the
+server and the client are using DNS, WINS, NIS, or
+<em class="filename">hosts</em> files to look up IP addresses when you
+give them a name. Each kind of system has a different preference:</p>
+
+<ul><li>
+<p>Windows 95/98/Me tries WINS and the <em class="filename">LMHOSTS</em> file
+first, then broadcast, and finally DNS and <em class="filename">HOSTS</em>
+files.</p>
+</li><li>
+<p>Windows NT/2000/XP tries WINS, then broadcast, then the
+<em class="filename">LMHOSTS</em> file, and finally
+<em class="filename">HOSTS</em> and DNS.</p>
+</li><li>
+<p>Windows programs using the WINSOCK standard use the HOSTS file, DNS,
+WINS, and then broadcast. Don't assume that if a
+different program's name service works, the SMB
+client program's name service will!</p>
+</li><li>
+<p>Samba daemons use <em class="filename">lmhosts</em>, WINS, the Unix
+system's name resolution, and then broadcast.</p>
+</li><li>
+<p>Unix systems can be configured to use any combination of DNS,
+<em class="filename">HOSTS</em> files, NIS or NIS+, and winbind, generally
+in any order.</p>
+</li></ul>
+<p>We recommend that the client systems be configured to use WINS and
+DNS, the Samba daemons to use WINS and DNS, and the Unix server to
+use DNS, <em class="filename">hosts</em> files, and perhaps NIS+.
+You'll have to look at your notes and the actual
+systems to see which is in use.</p>
+
+<p>On the clients, the name services are all set in the TCP/IP
+Properties panel of the Networking Control Panel, as discussed in
+<a href="ch03.html">Chapter 3</a>. You might need to check there to see
+what you've actually turned on. On the server, see
+if a <em class="filename">/etc/resolv.conf</em> file exists. If it does,
+you're using DNS. You might be using the others as
+well, though. You'll need to check for NIS and
+combinations of services.</p>
+
+<p>Check for a <em class="filename">/etc/nsswitch.conf</em> file on Solaris
+and other System V Unix operating systems. If you have one, look for
+a line that begins with <tt class="literal">host</tt>: followed by one or
+more of <tt class="literal">files</tt>, <tt class="literal">bind</tt>,
+<tt class="literal">nis</tt>, or <tt class="literal">nis+</tt>. These are the
+name services to use, in order, with optional extra material in
+square brackets. The <tt class="literal">files</tt> keyword is for
+using <em class="emphasis">HOSTS</em> files, while <tt class="literal">bind</tt>
+(the Berkeley Internet Name Daemon) refers to using DNS.</p>
+
+<p>If the client and server differ, the first thing to do is to get them
+in sync. Clients can use DNS, WINS, <em class="emphasis">HOSTS</em>, and
+<em class="emphasis">LMHOSTS</em> files, but not NIS or NIS+. Servers can
+use <em class="emphasis">HOSTS</em> and <em class="filename">LMHOSTS</em>
+files, DNS, NIS or NIS+, and winbind, but not WINS&mdash;even if your
+Samba server provides WINS services. If you can't
+get all the systems to use the same services, you'll
+have to check the server and the client carefully for the same data.</p>
+
+<p>You can also make use of the <em class="emphasis">-R</em> (resolve order)
+option for <em class="emphasis">smbclient</em>. If you want to
+troubleshoot WINS, for example, you'd say:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L </b></tt><em class="replaceable">server</em> <tt class="userinput"><b>-R wins</b></tt></pre></blockquote>
+
+<p>The possible settings are <tt class="literal">hosts</tt> (which means
+whatever the Unix system is using, not just<em class="filename">
+/etc/hosts</em> files), <tt class="literal">lmhosts</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt> (broadcast).</p>
+
+<p>In the following sections, we use the term <em class="emphasis">long
+name</em> for a fully qualified domain name (FQDN), such as
+<tt class="literal">server.example.com</tt> , and the term <em class="emphasis">short
+name</em> for the host part of an FQDN, such as
+<tt class="literal">server</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.2"/>
+
+<h3 class="head3">Cannot look up hostnames</h3>
+
+<p><a name="INDEX-91"/>Try the
+following:</p>
+
+<dl>
+<dt><b>DNS</b></dt>
+<dd>
+<p>Run <tt class="literal">nslookup</tt> <em class="replaceable">name</em>. If
+this fails, look for a <em class="filename">resolv.conf</em> error, a
+downed DNS server, or a short/long name problem (see the next
+section). Try the following:</p>
+
+
+<ul><li>
+<p>Your <em class="filename">/etc/resolv.conf</em> file should contain one or
+more <tt class="literal">nameserver</tt> lines, each with an IP address.
+These are the addresses of your DNS servers.</p>
+</li><li>
+<p>Ping each server address you find. If this fails for one, suspect the
+system. If it fails for each, suspect your network.</p>
+</li><li>
+<p>Retry the lookup using the full domain name (e.g.,
+<tt class="literal">server.example.com</tt>) if you tried the short name
+first, or the short name if you tried the long name first. If results
+differ, skip to the next section.</p>
+</li></ul>
+</dd>
+
+
+
+<dt><b>Broadcast/ WINS</b></dt>
+<dd>
+<p>Broadcast/ WINS does only short names such as
+<tt class="literal">server</tt>, and not long ones, such as
+<tt class="literal">server.example.com</tt>. Run
+<tt class="literal">nmblookup</tt> <tt class="literal">-S</tt>
+<em class="replaceable">server</em>. This reports everything broadcast
+has registered for the name. In our example, it looks like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S server</b></tt>
+Looking up status of 192.168.236.86
+received 10 names
+        SERVER           &lt;00&gt; -         M &lt;ACTIVE&gt; 
+        SERVER           &lt;03&gt; -         M &lt;ACTIVE&gt; 
+        SERVER           &lt;1f&gt; -         M &lt;ACTIVE&gt; 
+        SERVER           &lt;20&gt; -         M &lt;ACTIVE&gt; 
+        ..__MSBROWSE__.  &lt;01&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;00&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;1b&gt; -         M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;1c&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;1d&gt; -         M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;1e&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;</pre></blockquote>
+
+<p>The required entry is <tt class="literal">SERVER</tt>
+<tt class="literal">&lt;00&gt;</tt>, which identifies
+<em class="replaceable">server</em> as being this
+system's NetBIOS name. You should also see your
+workgroup mentioned one or more times. If these lines are missing,
+Broadcast/WINS cannot look up names and will need attention.</p>
+
+<a name="samba2-CHP-12-NOTE-160"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The numbers in angle brackets in the previous output identify NetBIOS
+names as being workgroups, workstations, and file users of the
+messenger service, master browsers, domain master browsers, domain
+controllers, and a plethora of others. We primarily use
+<tt class="literal">&lt;00&gt;</tt> to identify system and workgroup names
+and <tt class="literal">&lt;20&gt;</tt> to identify systems as servers. The
+complete list is available at <a href="http://support.microsoft.com/support/kb/articles/q163/4/09.asp">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</a>.</p>
+</blockquote>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>Try <tt class="literal">ypmatch</tt> <tt class="literal">name</tt>
+<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
+NIS server's name by running
+<em class="emphasis">ypwhich</em>, and ping the system to see if
+it's accessible.</p>
+</dd>
+
+
+
+<dt><b>NIS+</b></dt>
+<dd>
+<p>If you're running NIS+, try
+<tt class="literal">nismatch</tt> <tt class="literal">name</tt>
+<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
+NIS+ server's name by running
+<em class="emphasis">niswhich</em>, and ping that system to see if
+it's accessible.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS files</b></dt>
+<dd>
+<p>Inspect the <em class="filename">HOSTS</em> file on the client
+(<em class="filename">C:\Windows\ Hosts</em> on Windows 95/98/Me, and
+<em class="filename">C:\WINNT \system32\drivers\etc\hosts</em> on Windows
+NT/2000/XP). Each line should have an IP number and one or more
+names, the primary name first, then any optional aliases. An example
+follows:</p>
+
+
+<blockquote><pre class="code">127.0.0.1         localhost
+192.168.236.1     dns.svc.example.com 
+192.168.236.10    client.example.com client 
+192.168.236.11    backup.example.com loghost 
+192.168.236.86    server.example.com server 
+192.168.236.254   router.svc.example.com</pre></blockquote>
+
+<p>On Unix, <tt class="literal">localhost</tt> should always be 127.0.0.1,
+although it might be just an alias for a hostname on the PC. On the
+client, check that there are no <tt class="literal">#XXX</tt> directives at
+the ends of the lines; these are LAN Manager/NetBIOS directives and
+should appear only in <em class="emphasis">LMHOSTS</em> files.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS files</b></dt>
+<dd>
+<p>This file is a local source for LAN Manager (NetBIOS) names. It has a
+format similar to <em class="filename">hosts</em> files, but it does not
+support long-form domain names (e.g.,
+<tt class="literal">server.example.com</tt>) and can have a number of
+optional <tt class="literal">#XXX</tt> directives following the NetBIOS
+names. There is usually an <em class="emphasis">lmhosts.sam</em> (for
+sample) file located in <em class="filename">C:\Windows</em> on Windows
+95/98/Me, and in <em class="filename">C:\WINNT\system32\drivers\etc</em>
+on Windows NT/2000/XP, but it's not used unless it
+is renamed to <em class="emphasis">Lmhosts</em> in the same directory.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.3"/>
+
+<h3 class="head3">Long and short hostnames</h3>
+
+<p><a name="INDEX-92"/>Where the long (FQDN) form of a hostname
+works but the short name doesn't (for example,
+<tt class="literal">client.example.com</tt> works but
+<tt class="literal">client</tt> doesn't), consider the
+following:</p>
+
+<dl>
+<dt><b>DNS </b></dt>
+<dd>
+<p>This usually indicates that there is no default domain in which to
+look up the short names. Look for a <tt class="literal">default</tt> line
+in <em class="filename">/etc/resolv.conf</em> on the Samba server with
+your domain in it, or look for a <tt class="literal">search</tt> line with
+one or more domains in it. One or the other might need to be present
+to make short names usable; which one depends on the vendor and
+version of the DNS resolver. Try adding <tt class="literal">domain</tt>
+<em class="replaceable">your_domain</em> to
+<em class="filename">resolv.conf</em>, and ask your network or DNS
+administrator what should be in the file.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/WINS </b></dt>
+<dd>
+<p>Broadcast/WINS doesn't support long names; it
+won't suffer from this problem.</p>
+</dd>
+
+
+
+<dt><b>NIS </b></dt>
+<dd>
+<p>Try the command <tt class="literal">ypmatch</tt>
+<em class="replaceable">hostname</em> <tt class="literal">hosts</tt>. If you
+don't get a match, your tables
+don't include short names. Speak to your network
+manager; short names might be missing by accident or might be
+unsupported as a matter of policy. Some sites don't
+ever use (ambiguous) short names.</p>
+</dd>
+
+
+
+<dt><b>NIS+</b></dt>
+<dd>
+<p>Try <tt class="literal">nismatch</tt> <em class="replaceable">hostname</em>
+<tt class="literal">hosts</tt>, and treat failure exactly as with NIS.</p>
+</dd>
+
+
+
+<dt><b>hosts </b></dt>
+<dd>
+<p>If the short name is not in <em class="filename">/etc/hosts</em>, consider
+adding it as an alias. Avoid, if you can, short names as primary
+names (the first one on a line). Have them as aliases if your system
+permits.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS </b></dt>
+<dd>
+<p>LAN Manager doesn't support long names, so it
+won't suffer from this problem.</p>
+</dd>
+
+</dl>
+
+<p>On the other hand, if the short form of the name works and the long
+form doesn't, consider the following:</p>
+
+<dl>
+<dt><b>DNS </b></dt>
+<dd>
+<p>This is bizarre; see your network or DNS administrator, as this is
+probably a DNS setup error.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/WINS </b></dt>
+<dd>
+<p>This is normal; Broadcast/WINS can't use the long
+form. Optionally, consider DNS. (Be aware that Microsoft has stated
+that it will eventually switch entirely to DNS, even though DNS does
+not provide name types such as &lt;00&gt;.)</p>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>If you can use <em class="emphasis">ypmatch</em> to look up the short form
+but not the long, consider adding the long form to the table as at
+least an alias.</p>
+</dd>
+
+
+
+<dt><b>NIS+ </b></dt>
+<dd>
+<p>Same as NIS, except you use <em class="emphasis">nismatch</em> instead of
+<em class="emphasis">ypmatch</em> to look up names.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS</b></dt>
+<dd>
+<p>Add the long name as at least an alias, and preferably as the primary
+form. Also consider using DNS if it's practical.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS </b></dt>
+<dd>
+<p>This is normal. LAN Manager can't use the long form;
+consider switching to DNS or <em class="filename">hosts</em>.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.4"/>
+
+<h3 class="head3">Unusual delays</h3>
+
+<p><a name="INDEX-93"/>When there is a long delay before the
+expected result:</p>
+
+<dl>
+<dt><b>DNS </b></dt>
+<dd>
+<p>Test the same name with the <em class="emphasis">nslookup</em> command on
+the system that is slow (client or server). If
+<em class="emphasis">nslookup</em> is also slow, you have a DNS problem.
+If it's slower on a client, you might have too many
+protocols bound to the Ethernet card. Eliminate NetBEUI, which is
+infamously slow, and, optionally, Novell&mdash;assuming you
+don't need them. This is especially important on
+Windows 95, which is particularly sensitive to excess protocols.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/ WINS</b></dt>
+<dd>
+<p>Test the client using <em class="emphasis">nmblookup</em>; if
+it's faster, you probably have the protocols problem
+as mentioned in the previous item.</p>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>Try <em class="emphasis">ypmatch</em>; if it's slow,
+report the problem to your network manager.</p>
+</dd>
+
+
+
+<dt><b>NIS+ </b></dt>
+<dd>
+<p>Try <em class="emphasis">nismatch</em>, similarly.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS</b></dt>
+<dd>
+<p>The <em class="emphasis">hosts</em> files, if of reasonable size, are
+always fast. You probably have the protocols problem mentioned
+previously under DNS.</p>
+</dd>
+
+
+
+<dt><b>lmhosts and LMHOSTS</b></dt>
+<dd>
+<p>This is not a name lookup problem; <em class="emphasis">LMHOSTS</em> files
+are as fast as <em class="emphasis">hosts</em> and
+<em class="filename">HOSTS</em> files.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.5"/>
+
+<h3 class="head3">Localhost issues</h3>
+
+<p><a name="INDEX-94"/>When a localhost isn't
+127.0.0.1, try the following:</p>
+
+<dl>
+<dt><b>DNS</b></dt>
+<dd>
+<p>There is probably no record for <tt class="literal">localhost</tt>.
+<tt class="literal">A</tt> <tt class="literal">127.0.0.1</tt>. Arrange to add
+one, as well as a reverse entry,
+<tt class="literal">1.0.0.127.IN-ADDR.ARPA</tt> <tt class="literal">PTR</tt>
+<tt class="literal">127.0.0.1</tt>.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/WINS</b></dt>
+<dd>
+<p>Not applicable.</p>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>If <tt class="literal">localhost</tt> isn't in the table,
+add it.</p>
+</dd>
+
+
+
+<dt><b>NIS+ </b></dt>
+<dd>
+<p>If <tt class="literal">localhost</tt> isn't in the table,
+add it.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS</b></dt>
+<dd>
+<p>Add a line that says <tt class="literal">127.0.0.1</tt>
+<tt class="literal">localhost</tt>.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS</b></dt>
+<dd>
+<p>Not applicable. <a name="INDEX-95"/><a name="INDEX-96"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.8"/>
+
+<h3 class="head2">Troubleshooting Network Addresses</h3>
+
+<p><a name="INDEX-97"/><a name="INDEX-98"/>A
+number of common problems are caused by incorrect routing of Internet
+addresses or by the incorrect assignment of addresses. This section
+helps you determine what your addresses are.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.1"/>
+
+<h3 class="head3">Netmasks</h3>
+
+<p>Using the <a name="INDEX-99"/>netmask, it is possible to
+determine which addresses can be reached directly (i.e., which are on
+the local network) and which addresses require forwarding packets
+through a router. If the netmask is wrong, the systems will make one
+of two mistakes. One is to route local packets via a router, which is
+an expensive waste of time&mdash;it might work reasonably fast, it
+might run slowly, or it might fail utterly. The second mistake is to
+fail to send packets from a remote system to the router, which will
+prevent them from being forwarded to the remote system.</p>
+
+<p>The netmask is a number like an IP address, with one-bits for the
+network part of an address and zero-bits for the host portion. It is
+used as a bitmask to mask off parts of the address inside the TCP/IP
+code. If the mask is 255.255.0.0, the first 2 bytes are the network
+part and the last 2 are the host part. More common is 255.255.255.0,
+in which the first 3 bytes are the network part and the last one is
+the host part.</p>
+
+<p>For example, let's say your IP address is
+192.168.0.10 and the Samba server is 192.168.236.86. If your netmask
+happens to be 255.255.255.0, the network part of the address is the
+first 3 bytes, and the host part is the last byte. In this case, the
+network parts are different, and the systems are on different
+networks:</p>
+
+<a name="ch12-37-fm2xml"/><table border="1">
+
+
+
+<tr>
+<th>
+<p>Network part</p>
+</th>
+<th>
+<p>Host part</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>192 168 000</p>
+</td>
+<td>
+<p>10</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>192 168 235</p>
+</td>
+<td>
+<p>86</p>
+</td>
+</tr>
+
+</table>
+
+<p>If your netmask happens to be 255.255.0.0, the network part is just
+the first 2 bytes. In this case, the network parts match, and so the
+two systems are on the same network:</p>
+
+<a name="ch12-38-fm2xml"/><table border="1">
+
+
+
+<tr>
+<th>
+<p>Network part</p>
+</th>
+<th>
+<p>Host part</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>192 168</p>
+</td>
+<td>
+<p>000 10</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>192 168</p>
+</td>
+<td>
+<p>236 86</p>
+</td>
+</tr>
+
+</table>
+
+<p>Make sure the netmask in use on each system matches the structure of
+your network. On every subnet, the netmask should be identical on
+each system.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.2"/>
+
+<h3 class="head3">Broadcast addresses</h3>
+
+<p>The <a name="INDEX-100"/>broadcast address is a normal address,
+with the hosts part all one-bits. It means &quot;all
+hosts on your network.&quot; You can compute it easily
+from your netmask and address: take the address and put one-bits in
+it for all the bits that are zero at the end of the netmask (the host
+part). The following table illustrates this:</p>
+
+<a name="ch12-39-fm2xml"/><table border="1">
+
+
+
+
+<tr>
+<th>
+</th>
+<th>
+<p>Network part</p>
+</th>
+<th>
+<p>Host part</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>IP address</p>
+</td>
+<td>
+<p>192 168 236</p>
+</td>
+<td>
+<p>86</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Netmask</p>
+</td>
+<td>
+<p>255 255 255</p>
+</td>
+<td>
+<p>000</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Broadcast</p>
+</td>
+<td>
+<p>192 168 236</p>
+</td>
+<td>
+<p>255</p>
+</td>
+</tr>
+
+</table>
+
+<p>In this example, the broadcast address on the 192.168.236 network is
+192.168.236.255. There is also an old
+&quot;universal&quot; broadcast address,
+255.255.255.255. Routers are prohibited from forwarding these, but
+most systems on your local network will respond to broadcasts to this
+address.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.3"/>
+
+<h3 class="head3">Network address ranges</h3>
+
+<p>A <a name="INDEX-101"/>number of address ranges have been
+reserved for testing and for nonconnected networks; we use these for
+the examples in this book. If you don't have an
+address yet, feel free to use one of these to start. They include one
+class A network, 10.*.*.*, a range of class B network addresses,
+172.16.*.* through 172.31.*.*, and 254 class C networks, 192.168.1.*
+through 192.168.254.*. The domain <tt class="literal">example.com</tt> is
+also reserved for unconnected networks, explanatory examples, and
+books.</p>
+
+<p>If you're actually connecting to the Internet,
+you'll need to get an appropriate IP address and a
+domain name, probably through the same company that provides your
+connection.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.4"/>
+
+<h3 class="head3">Finding your network address</h3>
+
+<p><a name="INDEX-102"/>If you
+haven't recorded your IP address, you can learn it
+through the <em class="emphasis">ifconfig</em><a name="INDEX-103"/> command on Unix or the
+<em class="emphasis">ipconfig</em> <a name="INDEX-104"/>command on Windows. (Check your manual
+pages for any options required by your brand of Unix. For example,
+<tt class="literal">ifconfig</tt> <tt class="literal">-a</tt> works on Solaris.)
+You should see output similar to the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ifconfig -a</b></tt> 
+le0: flags=63&lt;UP,BROADCAST,NOTRAILERS,RUNNING &gt; 
+      inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255 
+lo0: flags=49&lt;&amp;lt&gt;UP,LOOPBACK,RUNNING&lt;&amp;gt&gt;         
+      inet 127.0.0.1 netmask ff000000</pre></blockquote>
+
+<p>One of the interfaces will be loopback (in our examples,
+<tt class="literal">lo0</tt>), and the other will be the regular IP
+interface. The flags should show that the interface is running, and
+Ethernet interfaces will also say they support broadcasts (PPP
+interfaces don't). The other places to look for IP
+addresses are <em class="filename">/etc/hosts</em> files, Windows
+<em class="emphasis">HOSTS</em> files, Windows
+<em class="emphasis">LMHOSTS</em> files, NIS, NIS+, and DNS. <a name="INDEX-105"/><a name="INDEX-106"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.9"/>
+
+<h3 class="head2">Troubleshooting NetBIOS Names</h3>
+
+<p><a name="INDEX-107"/><a name="INDEX-108"/>Historically, SMB protocols have
+depended on the NetBIOS name system, also called the LAN Manager name
+system. This was a simple scheme where each system had a unique
+20-character name and broadcast it on the LAN for everyone to know.
+With TCP/IP, we tend to use names such as
+<tt class="literal">client.example.com</tt>, stored in
+<em class="filename">/etc/hosts</em> files through DNS or WINS.</p>
+
+<p>The usual mapping of domain names such as
+<tt class="literal">server.example.com</tt> to NetBIOS names simply uses
+the <tt class="literal">server</tt> part as the NetBIOS name and converts
+it to uppercase. Alas, this doesn't always work,
+especially if you have a system with a 21-character name; not
+everyone uses the same NetBIOS and DNS names. For example,
+<tt class="literal">corpvm1</tt> along with <tt class="literal">vm1.corp.com</tt>
+is not unusual.</p>
+
+<p>A system with a different NetBIOS name and domain name is confusing
+when you're troubleshooting; we recommend that you
+try to avoid this wherever possible. NetBIOS names are discoverable
+with <em class="emphasis">smbclient</em> :</p>
+
+<ul><li>
+<p>If you can list shares on your Samba server with
+<tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
+<tt class="literal">short_name</tt>, the short name is the NetBIOS name.</p>
+</li><li>
+<p>If you get <tt class="literal">Get_Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">name</tt>, there is probably a mismatch. Check in the
+<em class="filename">smb.conf</em> file to see if the NetBIOS name is
+explicitly set.</p>
+</li><li>
+<p>Try to list shares again, specifying <tt class="literal">-I</tt> and the IP
+address of the Samba server (e.g., <tt class="literal">smbclient</tt>
+<tt class="literal">-L</tt> <tt class="literal">server</tt> <tt class="literal">-I</tt>
+<tt class="literal">192.168.236.86</tt>). This overrides the name lookup
+and forces the packets to go to the IP address. If this works, there
+was a mismatch.</p>
+</li><li>
+<p>Try with <tt class="literal">-I</tt> and the full domain name of the server
+(e.g., <tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
+<tt class="literal">server</tt> <tt class="literal">-I</tt>
+<tt class="literal">server.example.com</tt>). This tests the lookup of the
+domain name, using whatever scheme the Samba server uses (e.g., DNS).
+If it fails, you have a name service problem. You should reread the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>,
+after you finish troubleshooting the NetBIOS names.</p>
+</li><li>
+<p>Try with the <tt class="literal">-n</tt> (NetBIOS name) option, giving it
+the name you expect to work (e.g., <tt class="literal">smbclient</tt>
+<tt class="literal">-n</tt> <tt class="literal">server</tt> <tt class="literal">-L</tt>
+<tt class="literal">server-12</tt>), but without overriding the IP address
+through <tt class="literal">-I</tt>. If this works, the name you specified
+with <tt class="literal">-n</tt> is the actual NetBIOS name of the server.
+If you receive <tt class="literal">Get-Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">SERVER</tt>, it's not the right server
+yet.</p>
+</li><li>
+<p>If nothing is working so far, repeat the tests specifying
+<tt class="literal">-U</tt> <em class="emphasis">username</em> and
+<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>, with the
+username and workgroup in uppercase, to make sure
+you're not being derailed by a user or workgroup
+mismatch.</p>
+</li><li>
+<p>If still nothing works and you had evidence of a name service
+problem, troubleshoot the name service (see the earlier section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>) and then return to
+the NetBIOS name service. <a name="INDEX-109"/><a name="INDEX-110"/></p>
+</li></ul>
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-12-SECT-3"/>
+
+<h2 class="head1">Extra Resources</h2>
+
+<p>At some point during your work with Samba, you'll
+want to turn to online or printed resources for news, updates, and
+aid.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.1"/>
+
+<h3 class="head2">Documentation and FAQs</h3>
+
+<p>It's OK to read the <a name="INDEX-111"/><a name="INDEX-112"/>documentation. Really. Nobody can see you,
+and we won't tell. In fact, Samba ships with a large
+set of documentation files, and it is well worth the effort to at
+least browse through them, either in the distribution directory on
+your computer under <em class="filename">/docs</em> or online at the Samba
+web site: <a href="http://www.samba.org">http://www.samba.org</a>. The most current
+FAQ list, bug information, and distribution locations are located at
+the web site, with links to all the Samba manual pages and HOWTOs.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.2"/>
+
+<h3 class="head2">Samba Newsgroups</h3>
+
+<p><a name="INDEX-113"/>Usenet
+newsgroups have always been a great place to get advice on just about
+any topic. In the past few years, though, this vast pool of knowledge
+has developed something that has made it into an invaluable resource:
+a memory. Archival and search sites such as the one at
+<a name="INDEX-114"/>Google (<a href="http://groups.google.com/advanced_group_search">http://groups.google.com/advanced_group_search</a>)
+have made sifting through years of valuable solutions as simple as a
+few mouse clicks.</p>
+
+<p>The primary newsgroup for Samba is
+<em class="emphasis">comp.protocols.smb</em><a name="INDEX-115"/>. This should always be your first
+stop when there's a problem. More often than not,
+spending 5 minutes researching an error here will save hours of
+frustration while trying to debug something yourself.</p>
+
+<p>When searching a newsgroup, try to be as specific as possible, but
+not too wordy. Searching on actual error messages is best. If you
+don't find an answer immediately in the newsgroup,
+resist the temptation to post a request for help until
+you've done a bit more work on the problem. You
+might find that the answer is in a FAQ or one of the many
+documentation files that ship with Samba, or a solution might become
+evident when you run one of Samba's diagnostic
+tools. If nothing works, post a request in
+<em class="emphasis">comp.protocols.smb</em>, and be as specific as
+possible about what you have tried and what you are seeing. Include
+any error messages that appear. It might be days before you receive
+help, so be patient and keep trying things while you wait.</p>
+
+<a name="samba2-CHP-12-NOTE-161"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Once you post a request for help, keep poking at the problem
+yourself. Most of us have had the experience of posting a Usenet
+article containing hundreds of lines of intricate detail, only to
+solve the problem an hour later after the article has blazed its way
+across several continents. The rule of thumb goes something like
+this: the more folks who have read your request, the simpler the
+solution. Usually this means that once everyone in the Unix community
+has seen your article, the solution will be something simple such as,
+&quot;Plug the power cord into the wall
+socket.&quot;</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.3"/>
+
+<h3 class="head2">Samba Mailing Lists</h3>
+
+<p>The following are <a name="INDEX-116"/>mailing lists for support with Samba. See
+the Samba home page, <a href="http://www.samba.org/">http://www.samba.org/</a>, for
+information on subscribing and unsubscribing to these mailing lists:</p>
+
+<dl>
+<dt><b>samba@samba.org</b></dt>
+<dd>
+<p>This is the primary mailing list for general questions and discussion
+regarding Samba.</p>
+</dd>
+
+
+
+<dt><b>samba-announce@samba.org</b></dt>
+<dd>
+<p>This list is for receiving news regarding Samba, such as
+announcements of new releases.</p>
+</dd>
+
+
+
+<dt><b>samba-cvs@samba.org</b></dt>
+<dd>
+<p>By subscribing to this list, you can automatically receive a message
+every time one of the Samba developers updates the Samba source code
+in the CVS repository. You might want to do this if you are waiting
+for a specific bug fix or feature to be applied. To avoid congesting
+your email inbox, we suggest using the digest feature, which
+consolidates messages into a smaller number of emails.</p>
+</dd>
+
+
+
+<dt><b>samba-docs@samba.org</b></dt>
+<dd>
+<p>This list is for discussing Samba documentation.</p>
+</dd>
+
+
+
+<dt><b>samba-vms@samba.org</b></dt>
+<dd>
+<p>This mailing list is for people who are running Samba on the VMS
+operating system.</p>
+</dd>
+
+
+
+<dt><b>samba-binaries@samba.org</b></dt>
+<dd>
+<p>This is a list for developers to use when discussing precompiled
+Samba distributions.</p>
+</dd>
+
+
+
+<dt><b>samba-technical@samba.org</b></dt>
+<dd>
+<p>This mailing list is for developer discussion of the Samba code.</p>
+</dd>
+
+</dl>
+
+<p>Searchable versions of the Samba mailing list archives can be found
+at <a href="http://marc.theaimsgroup.com">http://marc.theaimsgroup.com</a>.</p>
+
+<p>When posting messages to the Samba mailing lists, keep in mind that
+you are sending your message to a large audience. The notes in the
+previous section regarding Usenet postings also apply here. A
+well-formulated question or comment is more likely to be answered,
+and a poorly conceived message is <em class="emphasis">very</em> likely to
+be ignored!</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.4"/>
+
+<h3 class="head2">Further Reading</h3>
+
+<ol><li>
+<p>Hunt, Craig. <em class="emphasis">TCP/IP Network Administration</em>,
+Third Edition. Sebastopol, CA: O'Reilly
+&amp; Associates, 1997.</p>
+</li>
+<li>
+<p>Hunt, Craig, and Robert Bruce Thompson. <em class="emphasis">Windows NT TCP/IP
+Network Administration</em>. Sebastopol, CA:
+O'Reilly &amp; Associates, 1998.</p>
+</li>
+<li>
+<p>Albitz, Paul, and Cricket Liu. <em class="emphasis">DNS and Bind</em>,
+Fourth Edition. Sebastopol, CA: O'Reilly
+&amp; Associates, 1998.</p>
+</li>
+<li>
+<p>Stern, Hal. <em class="emphasis">Managing NFS and NIS</em>, Second
+Edition. Sebastopol, CA: O'Reilly &amp; Associates,
+1991.<a name="INDEX-117"/></p>
+</li></ol>
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/figs/sam.0101.gif b/docs/htmldocs/using_samba/figs/sam.0101.gif
deleted file mode 100644
index 2fd7ffe480..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0101.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0102.gif b/docs/htmldocs/using_samba/figs/sam.0102.gif
deleted file mode 100644
index 02f885b37c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0102.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0103.gif b/docs/htmldocs/using_samba/figs/sam.0103.gif
deleted file mode 100644
index 907f8b480a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0103.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0104.gif b/docs/htmldocs/using_samba/figs/sam.0104.gif
deleted file mode 100644
index 7629fddedb..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0104.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0105.gif b/docs/htmldocs/using_samba/figs/sam.0105.gif
deleted file mode 100644
index 129fde33f8..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0105.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0106.gif b/docs/htmldocs/using_samba/figs/sam.0106.gif
deleted file mode 100644
index b424ef30ec..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0106.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0107.gif b/docs/htmldocs/using_samba/figs/sam.0107.gif
deleted file mode 100644
index 325622a79f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0107.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0108.gif b/docs/htmldocs/using_samba/figs/sam.0108.gif
deleted file mode 100644
index 6e54912097..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0108.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0109.gif b/docs/htmldocs/using_samba/figs/sam.0109.gif
deleted file mode 100644
index ee281d6504..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0109.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0110.gif b/docs/htmldocs/using_samba/figs/sam.0110.gif
deleted file mode 100644
index 5af69ba75e..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0110.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0111.gif b/docs/htmldocs/using_samba/figs/sam.0111.gif
deleted file mode 100644
index 4c1ed81044..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0111.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0112.gif b/docs/htmldocs/using_samba/figs/sam.0112.gif
deleted file mode 100644
index 4f559e0d0f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0112.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0113.gif b/docs/htmldocs/using_samba/figs/sam.0113.gif
deleted file mode 100644
index 16a884284c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0113.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0114.gif b/docs/htmldocs/using_samba/figs/sam.0114.gif
deleted file mode 100644
index 52f3416d9e..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0114.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0201.gif b/docs/htmldocs/using_samba/figs/sam.0201.gif
deleted file mode 100644
index 9a601f47d3..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0201.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0202.gif b/docs/htmldocs/using_samba/figs/sam.0202.gif
deleted file mode 100644
index b6e687efa4..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0202.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0203.gif b/docs/htmldocs/using_samba/figs/sam.0203.gif
deleted file mode 100644
index 2737654f30..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0203.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0204.gif b/docs/htmldocs/using_samba/figs/sam.0204.gif
deleted file mode 100644
index 87c08e0b40..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0204.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0301.gif b/docs/htmldocs/using_samba/figs/sam.0301.gif
deleted file mode 100644
index cb3922ba5c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0301.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0302.gif b/docs/htmldocs/using_samba/figs/sam.0302.gif
deleted file mode 100644
index 9b9dd5d853..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0302.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0303.gif b/docs/htmldocs/using_samba/figs/sam.0303.gif
deleted file mode 100644
index b5cc6f08f1..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0303.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0304.gif b/docs/htmldocs/using_samba/figs/sam.0304.gif
deleted file mode 100644
index e5fdd94da9..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0304.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0305.gif b/docs/htmldocs/using_samba/figs/sam.0305.gif
deleted file mode 100644
index b297326a8e..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0305.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0306.gif b/docs/htmldocs/using_samba/figs/sam.0306.gif
deleted file mode 100644
index b7854c230c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0306.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0307.gif b/docs/htmldocs/using_samba/figs/sam.0307.gif
deleted file mode 100644
index d8da9c2803..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0307.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0308.gif b/docs/htmldocs/using_samba/figs/sam.0308.gif
deleted file mode 100644
index e913cf164f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0308.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0309.gif b/docs/htmldocs/using_samba/figs/sam.0309.gif
deleted file mode 100644
index f8bc5223e0..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0309.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0310.gif b/docs/htmldocs/using_samba/figs/sam.0310.gif
deleted file mode 100644
index 38a8041f66..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0310.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0311.gif b/docs/htmldocs/using_samba/figs/sam.0311.gif
deleted file mode 100644
index 097de50a00..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0311.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0312.gif b/docs/htmldocs/using_samba/figs/sam.0312.gif
deleted file mode 100644
index 51dc80fc06..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0312.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0313.gif b/docs/htmldocs/using_samba/figs/sam.0313.gif
deleted file mode 100644
index b18999f496..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0313.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0314.gif b/docs/htmldocs/using_samba/figs/sam.0314.gif
deleted file mode 100644
index a49e7f403c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0314.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0315.gif b/docs/htmldocs/using_samba/figs/sam.0315.gif
deleted file mode 100644
index 68515e580d..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0315.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0316.gif b/docs/htmldocs/using_samba/figs/sam.0316.gif
deleted file mode 100644
index 1febc01768..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0316.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0317.gif b/docs/htmldocs/using_samba/figs/sam.0317.gif
deleted file mode 100644
index 638b7a3646..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0317.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0318.gif b/docs/htmldocs/using_samba/figs/sam.0318.gif
deleted file mode 100644
index 2027e025d4..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0318.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0319.gif b/docs/htmldocs/using_samba/figs/sam.0319.gif
deleted file mode 100644
index aa2ead8c4a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0319.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0320.gif b/docs/htmldocs/using_samba/figs/sam.0320.gif
deleted file mode 100644
index 81bebab8a0..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0320.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0321.gif b/docs/htmldocs/using_samba/figs/sam.0321.gif
deleted file mode 100644
index 65cee014f7..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0321.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0322.gif b/docs/htmldocs/using_samba/figs/sam.0322.gif
deleted file mode 100644
index 0e1eca6cec..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0322.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0323.gif b/docs/htmldocs/using_samba/figs/sam.0323.gif
deleted file mode 100644
index a2531501bd..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0323.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0324.gif b/docs/htmldocs/using_samba/figs/sam.0324.gif
deleted file mode 100644
index eded928dd8..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0324.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0325.gif b/docs/htmldocs/using_samba/figs/sam.0325.gif
deleted file mode 100644
index 7b6bd32b00..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0325.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0326.gif b/docs/htmldocs/using_samba/figs/sam.0326.gif
deleted file mode 100644
index a6384081b0..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0326.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0327.gif b/docs/htmldocs/using_samba/figs/sam.0327.gif
deleted file mode 100644
index 270c8caf11..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0327.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0328.gif b/docs/htmldocs/using_samba/figs/sam.0328.gif
deleted file mode 100644
index e754a9ce13..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0328.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0401.gif b/docs/htmldocs/using_samba/figs/sam.0401.gif
deleted file mode 100644
index e7d7a9933f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0401.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0402.gif b/docs/htmldocs/using_samba/figs/sam.0402.gif
deleted file mode 100644
index 826ae22b02..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0402.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0403.gif b/docs/htmldocs/using_samba/figs/sam.0403.gif
deleted file mode 100644
index 4cf6a17526..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0403.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0404.gif b/docs/htmldocs/using_samba/figs/sam.0404.gif
deleted file mode 100644
index 9e3d744d5a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0404.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0405.gif b/docs/htmldocs/using_samba/figs/sam.0405.gif
deleted file mode 100644
index 2e567a4c25..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0405.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0406.gif b/docs/htmldocs/using_samba/figs/sam.0406.gif
deleted file mode 100644
index d1a7754f91..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0406.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0407.gif b/docs/htmldocs/using_samba/figs/sam.0407.gif
deleted file mode 100644
index d19dd4273a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0407.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0501.gif b/docs/htmldocs/using_samba/figs/sam.0501.gif
deleted file mode 100644
index e973c784ea..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0501.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0502.gif b/docs/htmldocs/using_samba/figs/sam.0502.gif
deleted file mode 100644
index e6018918fc..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0502.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0503.gif b/docs/htmldocs/using_samba/figs/sam.0503.gif
deleted file mode 100644
index 596db84611..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0503.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0504.gif b/docs/htmldocs/using_samba/figs/sam.0504.gif
deleted file mode 100644
index 96893237cd..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0504.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0505.gif b/docs/htmldocs/using_samba/figs/sam.0505.gif
deleted file mode 100644
index de9c07baab..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0505.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0506.gif b/docs/htmldocs/using_samba/figs/sam.0506.gif
deleted file mode 100644
index c5bb495d67..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0506.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0507.gif b/docs/htmldocs/using_samba/figs/sam.0507.gif
deleted file mode 100644
index 7c77c94c8d..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0507.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0508.gif b/docs/htmldocs/using_samba/figs/sam.0508.gif
deleted file mode 100644
index fc364d5d05..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0508.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0601.gif b/docs/htmldocs/using_samba/figs/sam.0601.gif
deleted file mode 100644
index aa9eb28baf..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0601.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0602.gif b/docs/htmldocs/using_samba/figs/sam.0602.gif
deleted file mode 100644
index 1ee0ac78b8..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0602.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0603.gif b/docs/htmldocs/using_samba/figs/sam.0603.gif
deleted file mode 100644
index f23cdf877d..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0603.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0604.gif b/docs/htmldocs/using_samba/figs/sam.0604.gif
deleted file mode 100644
index 75460ba4b4..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0604.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0605.gif b/docs/htmldocs/using_samba/figs/sam.0605.gif
deleted file mode 100644
index 96f2bb56f3..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0605.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0606.gif b/docs/htmldocs/using_samba/figs/sam.0606.gif
deleted file mode 100644
index c47c4c9b51..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0606.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0701.gif b/docs/htmldocs/using_samba/figs/sam.0701.gif
deleted file mode 100644
index 3c7693929b..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0701.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0702.gif b/docs/htmldocs/using_samba/figs/sam.0702.gif
deleted file mode 100644
index c1160e2838..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0702.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0703.gif b/docs/htmldocs/using_samba/figs/sam.0703.gif
deleted file mode 100644
index 9967b58e0b..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0703.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0704.gif b/docs/htmldocs/using_samba/figs/sam.0704.gif
deleted file mode 100644
index 5808a87530..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0704.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0705.gif b/docs/htmldocs/using_samba/figs/sam.0705.gif
deleted file mode 100644
index 155498ca33..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0705.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0706.gif b/docs/htmldocs/using_samba/figs/sam.0706.gif
deleted file mode 100644
index 536997665b..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0706.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0707.gif b/docs/htmldocs/using_samba/figs/sam.0707.gif
deleted file mode 100644
index 6049b66752..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0707.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0708.gif b/docs/htmldocs/using_samba/figs/sam.0708.gif
deleted file mode 100644
index 013674af64..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0708.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0709.gif b/docs/htmldocs/using_samba/figs/sam.0709.gif
deleted file mode 100644
index bae978dc86..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0709.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0801.gif b/docs/htmldocs/using_samba/figs/sam.0801.gif
deleted file mode 100644
index 243c3bfa57..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0801.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0802.gif b/docs/htmldocs/using_samba/figs/sam.0802.gif
deleted file mode 100644
index ae8b40dd58..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0802.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0803.gif b/docs/htmldocs/using_samba/figs/sam.0803.gif
deleted file mode 100644
index 375e1000dd..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0803.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0804.gif b/docs/htmldocs/using_samba/figs/sam.0804.gif
deleted file mode 100644
index 0c17d6a6f6..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0804.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0805.gif b/docs/htmldocs/using_samba/figs/sam.0805.gif
deleted file mode 100644
index 271291801d..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0805.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0901.gif b/docs/htmldocs/using_samba/figs/sam.0901.gif
deleted file mode 100644
index 695b93786f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0901.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0902.gif b/docs/htmldocs/using_samba/figs/sam.0902.gif
deleted file mode 100644
index d45787d245..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0902.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0903.gif b/docs/htmldocs/using_samba/figs/sam.0903.gif
deleted file mode 100644
index c28000d7fb..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0903.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0904.gif b/docs/htmldocs/using_samba/figs/sam.0904.gif
deleted file mode 100644
index f1fe5b4ecf..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0904.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.0905.gif b/docs/htmldocs/using_samba/figs/sam.0905.gif
deleted file mode 100644
index f958389c42..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.0905.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.aa01.gif b/docs/htmldocs/using_samba/figs/sam.aa01.gif
deleted file mode 100644
index 78964348c3..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.aa01.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.ab01.gif b/docs/htmldocs/using_samba/figs/sam.ab01.gif
deleted file mode 100644
index 8abcb431ee..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.ab01.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam.ab02.gif b/docs/htmldocs/using_samba/figs/sam.ab02.gif
deleted file mode 100644
index a2bce6399f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam.ab02.gif
+++ /dev/null
diff --git a/docs/htmldocs/using_samba/figs/sam2_0101.gif b/docs/htmldocs/using_samba/figs/sam2_0101.gif
new file mode 100644
index 0000000000..195326a205
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0101.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0102.gif b/docs/htmldocs/using_samba/figs/sam2_0102.gif
new file mode 100644
index 0000000000..e453dbf023
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0102.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0103.gif b/docs/htmldocs/using_samba/figs/sam2_0103.gif
new file mode 100644
index 0000000000..ed50af69af
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0103.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0104.gif b/docs/htmldocs/using_samba/figs/sam2_0104.gif
new file mode 100644
index 0000000000..e903a0f22e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0104.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0105.gif b/docs/htmldocs/using_samba/figs/sam2_0105.gif
new file mode 100644
index 0000000000..0fec77125d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0105.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0106.gif b/docs/htmldocs/using_samba/figs/sam2_0106.gif
new file mode 100644
index 0000000000..32cbfdbee4
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0106.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0107.gif b/docs/htmldocs/using_samba/figs/sam2_0107.gif
new file mode 100644
index 0000000000..2d8b8e66b7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0107.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0108.gif b/docs/htmldocs/using_samba/figs/sam2_0108.gif
new file mode 100644
index 0000000000..9d26856e38
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0108.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0109.gif b/docs/htmldocs/using_samba/figs/sam2_0109.gif
new file mode 100644
index 0000000000..2c7db9617a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0109.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0110.gif b/docs/htmldocs/using_samba/figs/sam2_0110.gif
new file mode 100644
index 0000000000..2d7d50a702
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0110.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0111.gif b/docs/htmldocs/using_samba/figs/sam2_0111.gif
new file mode 100644
index 0000000000..f6be700fa5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0111.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0112.gif b/docs/htmldocs/using_samba/figs/sam2_0112.gif
new file mode 100644
index 0000000000..4eddb82069
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0112.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0113.gif b/docs/htmldocs/using_samba/figs/sam2_0113.gif
new file mode 100644
index 0000000000..1886bbcb5a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0113.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0114.gif b/docs/htmldocs/using_samba/figs/sam2_0114.gif
new file mode 100644
index 0000000000..75cf0a750a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0114.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0201.gif b/docs/htmldocs/using_samba/figs/sam2_0201.gif
new file mode 100644
index 0000000000..7dc140530c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0201.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0202.gif b/docs/htmldocs/using_samba/figs/sam2_0202.gif
new file mode 100644
index 0000000000..ccbaeed4fe
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0202.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0203.gif b/docs/htmldocs/using_samba/figs/sam2_0203.gif
new file mode 100644
index 0000000000..127705fd38
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0203.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0204.gif b/docs/htmldocs/using_samba/figs/sam2_0204.gif
new file mode 100644
index 0000000000..5359423fd5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0204.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0301.gif b/docs/htmldocs/using_samba/figs/sam2_0301.gif
new file mode 100644
index 0000000000..30759463cf
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0301.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0302.gif b/docs/htmldocs/using_samba/figs/sam2_0302.gif
new file mode 100644
index 0000000000..5576573e83
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0302.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0303.gif b/docs/htmldocs/using_samba/figs/sam2_0303.gif
new file mode 100644
index 0000000000..76b8dd36bb
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0303.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0304.gif b/docs/htmldocs/using_samba/figs/sam2_0304.gif
new file mode 100644
index 0000000000..b309fc9968
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0304.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0305.gif b/docs/htmldocs/using_samba/figs/sam2_0305.gif
new file mode 100644
index 0000000000..5a9fd77443
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0305.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0306.gif b/docs/htmldocs/using_samba/figs/sam2_0306.gif
new file mode 100644
index 0000000000..47b15548f3
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0306.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0307.gif b/docs/htmldocs/using_samba/figs/sam2_0307.gif
new file mode 100644
index 0000000000..7874ccb889
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0307.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0308.gif b/docs/htmldocs/using_samba/figs/sam2_0308.gif
new file mode 100644
index 0000000000..23d4fccd65
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0308.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0309.gif b/docs/htmldocs/using_samba/figs/sam2_0309.gif
new file mode 100644
index 0000000000..2e27a2f407
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0309.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0310.gif b/docs/htmldocs/using_samba/figs/sam2_0310.gif
new file mode 100644
index 0000000000..846b228eff
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0310.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0311.gif b/docs/htmldocs/using_samba/figs/sam2_0311.gif
new file mode 100644
index 0000000000..acb82fa77b
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0311.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0312.gif b/docs/htmldocs/using_samba/figs/sam2_0312.gif
new file mode 100644
index 0000000000..2a96425312
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0312.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0313.gif b/docs/htmldocs/using_samba/figs/sam2_0313.gif
new file mode 100644
index 0000000000..4482a8b27b
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0313.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0314.gif b/docs/htmldocs/using_samba/figs/sam2_0314.gif
new file mode 100644
index 0000000000..02b8bcd2c7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0314.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0315.gif b/docs/htmldocs/using_samba/figs/sam2_0315.gif
new file mode 100644
index 0000000000..bd747a23a9
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0315.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0316.gif b/docs/htmldocs/using_samba/figs/sam2_0316.gif
new file mode 100644
index 0000000000..a12e20e8b4
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0316.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0317.gif b/docs/htmldocs/using_samba/figs/sam2_0317.gif
new file mode 100644
index 0000000000..1957fc09e6
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0317.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0318.gif b/docs/htmldocs/using_samba/figs/sam2_0318.gif
new file mode 100644
index 0000000000..2c90ee6523
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0318.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0319.gif b/docs/htmldocs/using_samba/figs/sam2_0319.gif
new file mode 100644
index 0000000000..ceb8041299
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0319.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0320.gif b/docs/htmldocs/using_samba/figs/sam2_0320.gif
new file mode 100644
index 0000000000..766c0ec4ba
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0320.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0321.gif b/docs/htmldocs/using_samba/figs/sam2_0321.gif
new file mode 100644
index 0000000000..b1dac33f23
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0321.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0322.gif b/docs/htmldocs/using_samba/figs/sam2_0322.gif
new file mode 100644
index 0000000000..fa0c2a3ed2
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0322.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0323.gif b/docs/htmldocs/using_samba/figs/sam2_0323.gif
new file mode 100644
index 0000000000..9678a4b0da
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0323.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0324.gif b/docs/htmldocs/using_samba/figs/sam2_0324.gif
new file mode 100644
index 0000000000..f1fd719fc2
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0324.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0325.gif b/docs/htmldocs/using_samba/figs/sam2_0325.gif
new file mode 100644
index 0000000000..3887d36b94
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0325.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0326.gif b/docs/htmldocs/using_samba/figs/sam2_0326.gif
new file mode 100644
index 0000000000..26047eb48e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0326.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0327.gif b/docs/htmldocs/using_samba/figs/sam2_0327.gif
new file mode 100644
index 0000000000..f8b661bce8
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0327.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0328.gif b/docs/htmldocs/using_samba/figs/sam2_0328.gif
new file mode 100644
index 0000000000..9f767a156e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0328.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0329.gif b/docs/htmldocs/using_samba/figs/sam2_0329.gif
new file mode 100644
index 0000000000..4cfa231e86
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0329.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0330.gif b/docs/htmldocs/using_samba/figs/sam2_0330.gif
new file mode 100644
index 0000000000..4c90f3b8c7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0330.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0331.gif b/docs/htmldocs/using_samba/figs/sam2_0331.gif
new file mode 100644
index 0000000000..bc1fc19721
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0331.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0332.gif b/docs/htmldocs/using_samba/figs/sam2_0332.gif
new file mode 100644
index 0000000000..a507e19018
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0332.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0333.gif b/docs/htmldocs/using_samba/figs/sam2_0333.gif
new file mode 100644
index 0000000000..6b1b2a7dd5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0333.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0334.gif b/docs/htmldocs/using_samba/figs/sam2_0334.gif
new file mode 100644
index 0000000000..ff408ecd6c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0334.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0335.gif b/docs/htmldocs/using_samba/figs/sam2_0335.gif
new file mode 100644
index 0000000000..fdf01219e1
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0335.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0336.gif b/docs/htmldocs/using_samba/figs/sam2_0336.gif
new file mode 100644
index 0000000000..a44851c340
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0336.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0337.gif b/docs/htmldocs/using_samba/figs/sam2_0337.gif
new file mode 100644
index 0000000000..219afbd147
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0337.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0338.gif b/docs/htmldocs/using_samba/figs/sam2_0338.gif
new file mode 100644
index 0000000000..8f1ba6e36f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0338.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0339.gif b/docs/htmldocs/using_samba/figs/sam2_0339.gif
new file mode 100644
index 0000000000..f42c1b57ec
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0339.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0340.gif b/docs/htmldocs/using_samba/figs/sam2_0340.gif
new file mode 100644
index 0000000000..76c5a1b347
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0340.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0341.gif b/docs/htmldocs/using_samba/figs/sam2_0341.gif
new file mode 100644
index 0000000000..634b847d04
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0341.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0342.gif b/docs/htmldocs/using_samba/figs/sam2_0342.gif
new file mode 100644
index 0000000000..51284782a3
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0342.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0343.gif b/docs/htmldocs/using_samba/figs/sam2_0343.gif
new file mode 100644
index 0000000000..0618a841cf
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0343.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0344.gif b/docs/htmldocs/using_samba/figs/sam2_0344.gif
new file mode 100644
index 0000000000..7d40dbcdf1
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0344.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0345.gif b/docs/htmldocs/using_samba/figs/sam2_0345.gif
new file mode 100644
index 0000000000..0b36aa6da3
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0345.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0346.gif b/docs/htmldocs/using_samba/figs/sam2_0346.gif
new file mode 100644
index 0000000000..36c3999ad1
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0346.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0347.gif b/docs/htmldocs/using_samba/figs/sam2_0347.gif
new file mode 100644
index 0000000000..db6c3e10ce
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0347.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0348.gif b/docs/htmldocs/using_samba/figs/sam2_0348.gif
new file mode 100644
index 0000000000..16457a3421
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0348.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0349.gif b/docs/htmldocs/using_samba/figs/sam2_0349.gif
new file mode 100644
index 0000000000..6445cdd3bc
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0349.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0350.gif b/docs/htmldocs/using_samba/figs/sam2_0350.gif
new file mode 100644
index 0000000000..08ee35b8e7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0350.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0351.gif b/docs/htmldocs/using_samba/figs/sam2_0351.gif
new file mode 100644
index 0000000000..b30b603818
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0351.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0352.gif b/docs/htmldocs/using_samba/figs/sam2_0352.gif
new file mode 100644
index 0000000000..bfab1e0031
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0352.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0353.gif b/docs/htmldocs/using_samba/figs/sam2_0353.gif
new file mode 100644
index 0000000000..4c1e84f37e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0353.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0354.gif b/docs/htmldocs/using_samba/figs/sam2_0354.gif
new file mode 100644
index 0000000000..3519397705
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0354.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0355.gif b/docs/htmldocs/using_samba/figs/sam2_0355.gif
new file mode 100644
index 0000000000..8559956df8
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0355.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0356.gif b/docs/htmldocs/using_samba/figs/sam2_0356.gif
new file mode 100644
index 0000000000..9cffddf4b2
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0356.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0357.gif b/docs/htmldocs/using_samba/figs/sam2_0357.gif
new file mode 100644
index 0000000000..f1a7043858
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0357.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0358.gif b/docs/htmldocs/using_samba/figs/sam2_0358.gif
new file mode 100644
index 0000000000..58073c2d19
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0358.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0359.gif b/docs/htmldocs/using_samba/figs/sam2_0359.gif
new file mode 100644
index 0000000000..1fe90edca6
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0359.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0360.gif b/docs/htmldocs/using_samba/figs/sam2_0360.gif
new file mode 100644
index 0000000000..c306296f08
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0360.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0361.gif b/docs/htmldocs/using_samba/figs/sam2_0361.gif
new file mode 100644
index 0000000000..7b6cc3c878
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0361.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0401.gif b/docs/htmldocs/using_samba/figs/sam2_0401.gif
new file mode 100644
index 0000000000..68c4ec949e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0401.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0402.gif b/docs/htmldocs/using_samba/figs/sam2_0402.gif
new file mode 100644
index 0000000000..817622adee
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0402.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0403.gif b/docs/htmldocs/using_samba/figs/sam2_0403.gif
new file mode 100644
index 0000000000..8d2bf580e6
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0403.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0404.gif b/docs/htmldocs/using_samba/figs/sam2_0404.gif
new file mode 100644
index 0000000000..5f93a6715c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0404.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0405.gif b/docs/htmldocs/using_samba/figs/sam2_0405.gif
new file mode 100644
index 0000000000..67925c1db5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0405.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0406.gif b/docs/htmldocs/using_samba/figs/sam2_0406.gif
new file mode 100644
index 0000000000..f6b3924711
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0406.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0407.gif b/docs/htmldocs/using_samba/figs/sam2_0407.gif
new file mode 100644
index 0000000000..486a629e9e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0407.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0408.gif b/docs/htmldocs/using_samba/figs/sam2_0408.gif
new file mode 100644
index 0000000000..dbc31bb54d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0408.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0409.gif b/docs/htmldocs/using_samba/figs/sam2_0409.gif
new file mode 100644
index 0000000000..b9d31f2a4d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0409.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0410.gif b/docs/htmldocs/using_samba/figs/sam2_0410.gif
new file mode 100644
index 0000000000..83e4c9cb89
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0410.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0411.gif b/docs/htmldocs/using_samba/figs/sam2_0411.gif
new file mode 100644
index 0000000000..c6684d625c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0411.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0412.gif b/docs/htmldocs/using_samba/figs/sam2_0412.gif
new file mode 100644
index 0000000000..4706a99f51
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0412.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0413.gif b/docs/htmldocs/using_samba/figs/sam2_0413.gif
new file mode 100644
index 0000000000..71bf8690f8
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0413.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0414.gif b/docs/htmldocs/using_samba/figs/sam2_0414.gif
new file mode 100644
index 0000000000..2056eb45bb
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0414.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0415.gif b/docs/htmldocs/using_samba/figs/sam2_0415.gif
new file mode 100644
index 0000000000..0c8eb01774
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0415.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0416.gif b/docs/htmldocs/using_samba/figs/sam2_0416.gif
new file mode 100644
index 0000000000..c2b2fecf3d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0416.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0417.gif b/docs/htmldocs/using_samba/figs/sam2_0417.gif
new file mode 100644
index 0000000000..a84d217c1f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0417.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0501.gif b/docs/htmldocs/using_samba/figs/sam2_0501.gif
new file mode 100644
index 0000000000..eda8e934d7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0501.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0502.gif b/docs/htmldocs/using_samba/figs/sam2_0502.gif
new file mode 100644
index 0000000000..1f996e1b63
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0502.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0503.gif b/docs/htmldocs/using_samba/figs/sam2_0503.gif
new file mode 100644
index 0000000000..0d7e3654ec
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0503.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0504.gif b/docs/htmldocs/using_samba/figs/sam2_0504.gif
new file mode 100644
index 0000000000..9c60c26ef5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0504.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0505.gif b/docs/htmldocs/using_samba/figs/sam2_0505.gif
new file mode 100644
index 0000000000..346409e3e6
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0505.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0506.gif b/docs/htmldocs/using_samba/figs/sam2_0506.gif
new file mode 100644
index 0000000000..78f5d54da2
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0506.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0507.gif b/docs/htmldocs/using_samba/figs/sam2_0507.gif
new file mode 100644
index 0000000000..e6ff6f14bd
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0507.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0508.gif b/docs/htmldocs/using_samba/figs/sam2_0508.gif
new file mode 100644
index 0000000000..28dcb6227a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0508.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0601.gif b/docs/htmldocs/using_samba/figs/sam2_0601.gif
new file mode 100644
index 0000000000..006fa95580
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0601.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0602.gif b/docs/htmldocs/using_samba/figs/sam2_0602.gif
new file mode 100644
index 0000000000..598a7015dc
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0602.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0603.gif b/docs/htmldocs/using_samba/figs/sam2_0603.gif
new file mode 100644
index 0000000000..62a8054c6f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0603.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0604.gif b/docs/htmldocs/using_samba/figs/sam2_0604.gif
new file mode 100644
index 0000000000..9327385eed
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0604.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0605.gif b/docs/htmldocs/using_samba/figs/sam2_0605.gif
new file mode 100644
index 0000000000..236badf15f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0605.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0701.gif b/docs/htmldocs/using_samba/figs/sam2_0701.gif
new file mode 100644
index 0000000000..b0b16d458c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0701.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0801.gif b/docs/htmldocs/using_samba/figs/sam2_0801.gif
new file mode 100644
index 0000000000..5f9d87b206
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0801.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0802.gif b/docs/htmldocs/using_samba/figs/sam2_0802.gif
new file mode 100644
index 0000000000..fde794c19a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0802.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0803.gif b/docs/htmldocs/using_samba/figs/sam2_0803.gif
new file mode 100644
index 0000000000..13baa02ed4
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0803.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0804.gif b/docs/htmldocs/using_samba/figs/sam2_0804.gif
new file mode 100644
index 0000000000..fc42ebf685
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0804.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0805.gif b/docs/htmldocs/using_samba/figs/sam2_0805.gif
new file mode 100644
index 0000000000..015ca5df19
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0805.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0806.gif b/docs/htmldocs/using_samba/figs/sam2_0806.gif
new file mode 100644
index 0000000000..f11b8a18c9
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0806.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0807.gif b/docs/htmldocs/using_samba/figs/sam2_0807.gif
new file mode 100644
index 0000000000..1ffc3eac39
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0807.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0808.gif b/docs/htmldocs/using_samba/figs/sam2_0808.gif
new file mode 100644
index 0000000000..36839a754c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0808.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0809.gif b/docs/htmldocs/using_samba/figs/sam2_0809.gif
new file mode 100644
index 0000000000..3145d367ce
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0809.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0810.gif b/docs/htmldocs/using_samba/figs/sam2_0810.gif
new file mode 100644
index 0000000000..cd76217d1f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0810.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0811.gif b/docs/htmldocs/using_samba/figs/sam2_0811.gif
new file mode 100644
index 0000000000..e7add2a0e7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0811.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0901.gif b/docs/htmldocs/using_samba/figs/sam2_0901.gif
new file mode 100644
index 0000000000..6ac1e9c966
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0901.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0902.gif b/docs/htmldocs/using_samba/figs/sam2_0902.gif
new file mode 100644
index 0000000000..f30bd1037d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0902.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0903.gif b/docs/htmldocs/using_samba/figs/sam2_0903.gif
new file mode 100644
index 0000000000..0a073278dd
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0903.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1001.gif b/docs/htmldocs/using_samba/figs/sam2_1001.gif
new file mode 100644
index 0000000000..491cbaf8eb
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1001.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1002.gif b/docs/htmldocs/using_samba/figs/sam2_1002.gif
new file mode 100644
index 0000000000..2b3177c433
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1002.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1003.gif b/docs/htmldocs/using_samba/figs/sam2_1003.gif
new file mode 100644
index 0000000000..39077e86ad
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1003.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1004.gif b/docs/htmldocs/using_samba/figs/sam2_1004.gif
new file mode 100644
index 0000000000..9e81522a65
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1004.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1005.gif b/docs/htmldocs/using_samba/figs/sam2_1005.gif
new file mode 100644
index 0000000000..5d9fe6f72a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1005.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1006.gif b/docs/htmldocs/using_samba/figs/sam2_1006.gif
new file mode 100644
index 0000000000..34fcb1054b
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1006.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1101.gif b/docs/htmldocs/using_samba/figs/sam2_1101.gif
new file mode 100644
index 0000000000..0a8afebd6a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1101.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1102.gif b/docs/htmldocs/using_samba/figs/sam2_1102.gif
new file mode 100644
index 0000000000..5bfc6b5521
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1102.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af01.gif b/docs/htmldocs/using_samba/figs/sam2_af01.gif
new file mode 100644
index 0000000000..290cc7f491
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af01.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af02.gif b/docs/htmldocs/using_samba/figs/sam2_af02.gif
new file mode 100644
index 0000000000..2bc59dab69
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af02.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af03.gif b/docs/htmldocs/using_samba/figs/sam2_af03.gif
new file mode 100644
index 0000000000..5bff6142f8
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af03.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af04.gif b/docs/htmldocs/using_samba/figs/sam2_af04.gif
new file mode 100644
index 0000000000..f1ee885f32
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af04.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af05.gif b/docs/htmldocs/using_samba/figs/sam2_af05.gif
new file mode 100644
index 0000000000..ef15448708
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af05.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af06.gif b/docs/htmldocs/using_samba/figs/sam2_af06.gif
new file mode 100644
index 0000000000..756a6b1c99
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af06.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af07.gif b/docs/htmldocs/using_samba/figs/sam2_af07.gif
new file mode 100644
index 0000000000..dfe2199484
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af07.gif
diff --git a/docs/htmldocs/using_samba/inx.html b/docs/htmldocs/using_samba/inx.html
new file mode 100644
index 0000000000..cc01eeb56c
--- /dev/null
+++ b/docs/htmldocs/using_samba/inx.html
@@ -0,0 +1,1814 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h2>Index</h2>
+
+<A HREF="#Symbols">[&nbsp;Symbols&nbsp;]</A>, 
+<A HREF="#Numbers">[&nbsp;Numbers&nbsp;]</A>, 
+<A HREF="#A">[&nbsp;A&nbsp;]</A>, 
+<A HREF="#B">[&nbsp;B&nbsp;]</A>, 
+<A HREF="#C">[&nbsp;C&nbsp;]</A>, 
+<A HREF="#D">[&nbsp;D&nbsp;]</A>, 
+<A HREF="#E">[&nbsp;E&nbsp;]</A>, 
+<A HREF="#F">[&nbsp;F&nbsp;]</A>, 
+<A HREF="#G">[&nbsp;G&nbsp;]</A>, 
+<A HREF="#H">[&nbsp;H&nbsp;]</A>, 
+<A HREF="#I">[&nbsp;I&nbsp;]</A>, 
+<A HREF="#K">[&nbsp;K&nbsp;]</A>, 
+<A HREF="#L">[&nbsp;L&nbsp;]</A>, 
+<A HREF="#M">[&nbsp;M&nbsp;]</A>, 
+<A HREF="#N">[&nbsp;N&nbsp;]</A>, 
+<A HREF="#O">[&nbsp;O&nbsp;]</A>, 
+<A HREF="#P">[&nbsp;P&nbsp;]</A>, 
+<A HREF="#Q">[&nbsp;Q&nbsp;]</A>, 
+<A HREF="#R">[&nbsp;R&nbsp;]</A>, 
+<A HREF="#S">[&nbsp;S&nbsp;]</A>, 
+<A HREF="#T">[&nbsp;T&nbsp;]</A>, 
+<A HREF="#U">[&nbsp;U&nbsp;]</A>, 
+<A HREF="#V">[&nbsp;V&nbsp;]</A>, 
+<A HREF="#W">[&nbsp;W&nbsp;]</A>, 
+<A HREF="#X">[&nbsp;X&nbsp;]</A> 
+
+
+<P><A NAME="Symbols"><B>Symbols</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>_ _MSBROWSE _ _ resource entry, 16, 229
+<BR>. (period)
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS names and, 14
+<BR> &nbsp; &nbsp; &nbsp;   (see also dot files)
+<BR>%$ variable, 192
+<P><A NAME="Numbers"><B>Numbers</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>127.0.0.1 (localhost), 73
+<BR> &nbsp; &nbsp; &nbsp;   bind interfaces only option, 208
+<P><A NAME="A"><B>A</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%a variable, 143, 192
+<BR> &nbsp; &nbsp; &nbsp;   variable substitution, 191
+<BR>abort shutdown script option (smb.conf file), 401
+<BR>Access Control Entries (ACEs), 31, 253
+<BR>Access Control Lists (see ACLs)
+<BR>access control options, 287-288
+<BR>access, controlling (see ACLs; controlling access to shares)
+<BR>accounts (see computer accounts, adding; users)
+<BR>ACLs, 30
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 260-262
+<BR> &nbsp; &nbsp; &nbsp;   inheriting, 416
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 495
+<BR> &nbsp; &nbsp; &nbsp;   mapping to Unix permissions, 426
+<BR> &nbsp; &nbsp; &nbsp;   POSIX.1e, 259
+<BR> &nbsp; &nbsp; &nbsp;   support in Samba 2.2, 37
+<BR> &nbsp; &nbsp; &nbsp;   Unix, 259
+<BR> &nbsp; &nbsp; &nbsp;   versus Unix file permissions, 31
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT/2000/XP, 165, 253-262
+<BR>Active Directory
+<BR> &nbsp; &nbsp; &nbsp;   Samba 2.2, 34, 121
+<BR> &nbsp; &nbsp; &nbsp;   Samba 3.0, 34
+<BR> &nbsp; &nbsp; &nbsp;   server, specifying, 402
+<BR> &nbsp; &nbsp; &nbsp;   time synchronization and, 340
+<BR>adapters, 69
+<BR>add machine script option (smb.conf file), 402
+<BR>add printer command option (smb.conf file), 401
+<BR>add share command option (smb.conf file), 402
+<BR>add user script option (smb.conf file), 159, 402
+<BR>admin users option (smb.conf file), 285, 287, 402
+<BR>admin users (see root accounts)
+<BR>administrator (see domain administrator)
+<BR>ads server option (smb.conf file), 402
+<BR>AFS (Andrew Filesystem), installing Samba with support for, 495
+<BR>Albitz, Paul, 383
+<BR>algorithmic rid base option (smb.conf file), 402
+<BR>allow hosts option (smb.conf file), 403
+<BR>allow trusted domains option (smb.conf file), 403
+<BR>analogX Atomic TimeSync, 340
+<BR>announce as option (smb.conf file), 234, 403
+<BR>announce version option (smb.conf file), 235, 403
+<BR>anonymous
+<BR> &nbsp; &nbsp; &nbsp;   restricting access, 434
+<BR> &nbsp; &nbsp; &nbsp;   (see also guest access)
+<BR>ANSI C compiler required by Samba source, 44
+<BR>auth methods option (smb.conf file), 403
+<BR>authentication
+<BR> &nbsp; &nbsp; &nbsp;   client, 290-296
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting method of, 436
+<BR> &nbsp; &nbsp; &nbsp;   defined, 30
+<BR> &nbsp; &nbsp; &nbsp;   enabling Samba as WINS server, configuration file example, 395
+<BR> &nbsp; &nbsp; &nbsp;   files, specifying where Samba keeps, 497
+<BR> &nbsp; &nbsp; &nbsp;   methods, specifying, 403
+<BR> &nbsp; &nbsp; &nbsp;   overview, 31
+<BR> &nbsp; &nbsp; &nbsp;   pass-through, 33
+<BR> &nbsp; &nbsp; &nbsp;   Samba security levels, 290
+<BR> &nbsp; &nbsp; &nbsp;   Samba's default user-level versus Windows, 74
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 28
+<BR> &nbsp; &nbsp; &nbsp;   with winbind, 307-319
+<BR> &nbsp; &nbsp; &nbsp;   (see also passwords)
+<BR>auto services option (smb.conf file), 233, 235, 403
+<BR>automounting shares, 495
+<BR>available option (smb.conf file), 403
+<P><A NAME="B"><B>B</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>backends (CUPS modules), 332
+<BR>backup browsers, 27, 226
+<BR>backup domain controllers (BDCs), 31
+<BR> &nbsp; &nbsp; &nbsp;   Samba 2.2's inability to work with, 122
+<BR> &nbsp; &nbsp; &nbsp;   (see also primary domain controllers)
+<BR>backups, creating and restoring using smbclient, 172-174
+<BR>.bak files, 251
+<BR>.bat files, 138
+<BR>bind interfaces only option (smb.conf file), 208, 403
+<BR>bindings, 69
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 100
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 80
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 93
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 110
+<BR>--bindir (configure script option), 48
+<BR>bitmasks, 176
+<BR> &nbsp; &nbsp; &nbsp;   CIDR format, 208
+<BR>block size option (smb.conf file), 404
+<BR>blocking locks option (smb.conf file), 404
+<BR>b-node (NetBios node type), 13
+<BR>broadcast
+<BR> &nbsp; &nbsp; &nbsp;   name resolution, 71
+<BR> &nbsp; &nbsp; &nbsp;   versus NBNS name registration, 11
+<BR>broadcast address, 389
+<BR>broadcasting, 12
+<BR>browsable option (smb.conf file), 233, 235, 284, 404
+<BR>browse list option (smb.conf file), 235, 404
+<BR>browse lists, 27, 224
+<BR> &nbsp; &nbsp; &nbsp;   invisible shares, 233
+<BR> &nbsp; &nbsp; &nbsp;   printer names, 419
+<BR> &nbsp; &nbsp; &nbsp;   specifying list of shares, 431
+<BR> &nbsp; &nbsp; &nbsp;   specifying shares in, 403, 404
+<BR> &nbsp; &nbsp; &nbsp;   specifying the directory where Samba keeps, 497
+<BR> &nbsp; &nbsp; &nbsp;   synchronizing with all domain master browsers, 411
+<BR>browse master (see local master browser)
+<BR>browse server (see local master browser)
+<BR>browseable option (smb.conf file) (see browsable option (smb.conf file))
+<BR>browser elections, 28, 226-229, 419
+<BR>browsers
+<BR> &nbsp; &nbsp; &nbsp;   backup (see backup browsers)
+<BR> &nbsp; &nbsp; &nbsp;   domain master browser (see domain master browser)
+<BR> &nbsp; &nbsp; &nbsp;   local master (see local master browser)
+<BR>browsing, 216, 224-239
+<BR> &nbsp; &nbsp; &nbsp;   a list of computers and shared resources, defined, 26
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba for, 229
+<BR> &nbsp; &nbsp; &nbsp;   cross-subnet, 231
+<BR> &nbsp; &nbsp; &nbsp;   in a Windows network, 224-229
+<BR> &nbsp; &nbsp; &nbsp;   invisible shares, 233
+<BR> &nbsp; &nbsp; &nbsp;   options, 233-239
+<BR> &nbsp; &nbsp; &nbsp;   overview, 26-28
+<BR> &nbsp; &nbsp; &nbsp;   server from the client, 382
+<BR> &nbsp; &nbsp; &nbsp;   shared resource of a specific computer, 26
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting problems, 377-383
+<BR>Browsing and Windows 95 Networking and CIFS/E Browser Protocol, 229
+<BR>BROWSING.txt and BROWSING-Config.txt, 229
+<BR>BSD Unix
+<BR> &nbsp; &nbsp; &nbsp;   automatically starting Samba daemons, 61
+<BR> &nbsp; &nbsp; &nbsp;   printers, 330-331
+<P><A NAME="C"><B>C</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>caching policy, client-side, 406
+<BR>case sensitive option (smb.conf file), 265, 404
+<BR>case sensitivity, 262-267
+<BR> &nbsp; &nbsp; &nbsp;   how Samba handles, 264
+<BR> &nbsp; &nbsp; &nbsp;   preserving case of filename, 431
+<BR>casesignames option (smb.conf file), 404
+<BR>change notification, 354
+<BR>change notify timeout option (smb.conf file), 354, 405
+<BR>change share command option (smb.conf file), 405
+<BR>character set option (smb.conf file), 344, 405
+<BR>character sets, translating, 405
+<BR>checking (message from configure script), 48
+<BR>CIDR format bitmask, 208
+<BR>CIFS, 21
+<BR> &nbsp; &nbsp; &nbsp;   Unix extensions, 37, 442
+<BR> &nbsp; &nbsp; &nbsp;   (see also SMB)
+<BR>CIFS Technical Reference, 20
+<BR>client code page option (smb.conf file), 344, 405
+<BR>clustered environment, Samba in, 437
+<BR> &nbsp; &nbsp; &nbsp;   (see also multihomed system; multiple subnets), 437
+<BR>.cmd files, 138
+<BR>code page directory option (smb.conf file), 405
+<BR>code pages, 344
+<BR>coding system option (smb.conf file), 345, 405
+<BR>command-line options, parsing, 495
+<BR>comment option (smb.conf file), 203, 406
+<BR>Common Internet File System (see CIFS)
+<BR>compiling Samba, 49-52
+<BR>components, Windows, 69
+<BR>comp.protocols.smb newsgroup, 392
+<BR>computer accounts, adding, 126
+<BR>computer names
+<BR> &nbsp; &nbsp; &nbsp;   name resolution (see name resolution)
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 103
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 81
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 93
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 113
+<BR>computers, adding to domains, 402
+<BR>Concurrent Versions System (CVS), 491
+<BR>config file option (smb.conf file), 196, 406
+<BR>config.log file, 49
+<BR>config.pol file, 155
+<BR>config.status file, 51
+<BR>configuration file
+<BR> &nbsp; &nbsp; &nbsp;   Samba's main (see smb.conf file)
+<BR> &nbsp; &nbsp; &nbsp;   selecting new, 406
+<BR> &nbsp; &nbsp; &nbsp;   variables (see smb.conf file, variables)
+<BR> &nbsp; &nbsp; &nbsp;   (see also configuring Samba)
+<BR>configuration management tool (see CVS)
+<BR>configuration value types, 448-449
+<BR>configure script, 46
+<BR> &nbsp; &nbsp; &nbsp;   options, 493-499
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --bindir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --datadir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --eprefix, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --include dir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --infodir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --libdir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --libexec dir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --mandir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --prefix, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --sbindir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      with feature, 47
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-acl-support, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-afs, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-automount, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-codepagedir, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-configdir, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-dce-dfs, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-fhs, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-included-popt, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-krb4, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-krb5, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-ldapsam, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-libiconv, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-libsmbclient, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-lockdir, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-logfilebase, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-manpages-langs, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-msdfs, 47, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-nisplus-home, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-nisplussam, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      without feature, 47
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-pam, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-pam_smbpass, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-piddir, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-privatedir, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-profiling-data, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-quotas, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-readline, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-sendfile-support, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-smbmount, 47, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-smbwrapper, 47, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-spinlocks, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-ssl, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-sslinc, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-ssllib, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-swatdir, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-syslog, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-tdbsam, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-utmp, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-winbind, 499
+<BR> &nbsp; &nbsp; &nbsp;   sample execution, 48
+<BR>configuring Samba, 46-49
+<BR> &nbsp; &nbsp; &nbsp;   configuration file (see smb.conf file)
+<BR> &nbsp; &nbsp; &nbsp;   for browsing, 229
+<BR> &nbsp; &nbsp; &nbsp;   for installation (see configure script)
+<BR> &nbsp; &nbsp; &nbsp;   for roaming profiles, 143-147
+<BR> &nbsp; &nbsp; &nbsp;   identifying options used in previous installations, 51
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting problems (see troubleshooting Samba, fault tree)
+<BR>connection scripts, 274-277
+<BR> &nbsp; &nbsp; &nbsp;   monitoring directory contents, 275
+<BR> &nbsp; &nbsp; &nbsp;   options, 275-277
+<BR>connections
+<BR> &nbsp; &nbsp; &nbsp;   denying, 409
+<BR> &nbsp; &nbsp; &nbsp;   specifying time limits for unused, 407
+<BR>controlling access to shares, 285-288
+<BR>copy option (smb.conf file), 197, 406
+<BR>Core and Core Plus, 20
+<BR>create mask option (smb.conf file), 248, 250, 406
+<BR>create mode option (smb.conf file), 284, 406
+<BR>creating (message from configure script), 48
+<BR>creation masks, 247-250
+<BR>csc policy option (smb.conf file), 406
+<BR>CVS (Concurrent Versions System), 491
+<P><A NAME="D"><B>D</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%d variable, 192
+<BR>daemons (see inetd daemon; nmbd daemon; smbd daemon; xinetd daemon)
+<BR>Darwin, automatically starting Samba daemons, 64
+<BR>.dat files
+<BR> &nbsp; &nbsp; &nbsp;   changing to .man files, 150
+<BR> &nbsp; &nbsp; &nbsp;   NTUSER.DAT, 141
+<BR> &nbsp; &nbsp; &nbsp;   USER.DAT, 141
+<BR>--datadir (configure script option), 48
+<BR>datagram primitives, 17
+<BR>datagram services, defined, 10
+<BR>datagram services (NBT)
+<BR> &nbsp; &nbsp; &nbsp;   defined, 16
+<BR> &nbsp; &nbsp; &nbsp;   tips, 18
+<BR>deadtime option (smb.conf file), 349, 407
+<BR>debug hires timestamp option (smb.conf file), 407
+<BR>debug pid option (smb.conf file), 407
+<BR>debug timestamp option (smb.conf file), 214, 407
+<BR>debug uid option (smb.conf file), 407
+<BR>debuglevel option (smb.conf file), 407
+<BR>default case option (smb.conf file), 264, 265, 408
+<BR>default device mode, setting, 408
+<BR>default devmode option (smb.conf file), 408
+<BR>default option (smb.conf file), 407
+<BR>default service option (smb.conf file), 236, 408
+<BR>defending the hostname, 12
+<BR>delete printer command option (smb.conf file), 408
+<BR>delete readonly option (smb.conf file), 250, 251, 408
+<BR>delete share command option (smb.conf file), 408
+<BR>delete user script option (smb.conf file), 159, 409
+<BR>delete veto files option (smb.conf file), 241, 245, 409
+<BR>deny hosts option (smb.conf file), 409
+<BR>dfree command option (smb.conf file), 350, 409
+<BR>Dfs (Microsoft's Distributed filesystem), 277-280
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba as Dfs server, 278-279
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 496
+<BR> &nbsp; &nbsp; &nbsp;   providing services, 415
+<BR> &nbsp; &nbsp; &nbsp;   support in Samba 2.2, 36
+<BR> &nbsp; &nbsp; &nbsp;   Windows clients, 278
+<BR>DHCP and IP addresses, 70
+<BR>DIAGNOSIS.txt, 359
+<BR>dig command (Unix), 73
+<BR>Digital Pathworks clients, 353
+<BR>directories
+<BR> &nbsp; &nbsp; &nbsp;   caching for performance, 414
+<BR> &nbsp; &nbsp; &nbsp;   connecting to drive letter, 138
+<BR> &nbsp; &nbsp; &nbsp;   creating on the Samba server, 125
+<BR> &nbsp; &nbsp; &nbsp;   deleting when vetoed files are present, 241, 409
+<BR> &nbsp; &nbsp; &nbsp;   home, setting, 420
+<BR> &nbsp; &nbsp; &nbsp;   monitoring contents, 275
+<BR> &nbsp; &nbsp; &nbsp;   setting maximum allowable permissions, 409
+<BR> &nbsp; &nbsp; &nbsp;   setting paths, 409
+<BR>directory mask option (smb.conf file), 249, 251, 409
+<BR>directory mode option (smb.conf file), 284, 410
+<BR>directory option (smb.conf file), 409
+<BR>directory permissions, 416
+<BR> &nbsp; &nbsp; &nbsp;   options, 250-253
+<BR>directory recursion, 171
+<BR>directory security mask option (smb.conf file), 261, 262, 410
+<BR>disable spools option (smb.conf file), 410
+<BR>disk services, example of sharing, 4-7
+<BR>disk share configuration, 201-203
+<BR>disk-quota support, 497
+<BR>Distributed Computing Environment Distributed Filesystem (DCE/DFS), 495
+<BR>Distributed filesystem (see Dfs)
+<BR>dmask option, 176
+<BR>DNS, 70
+<BR> &nbsp; &nbsp; &nbsp;   configuration
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 2000, 101
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me, 79
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT, 92
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows XP, 111
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS names
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      translating between DNS names and, 182
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      versus hostnames versus, 14
+<BR> &nbsp; &nbsp; &nbsp;   overview, 73
+<BR> &nbsp; &nbsp; &nbsp;   servers, name resolution and, 217
+<BR>DNS proxy, configuring on WINS server, 220
+<BR>dns proxy option (smb.conf file), 220, 223, 410
+<BR>documentation, Samba, 45, 391
+<BR>domain admin group option (smb.conf file), 160, 410
+<BR>domain administrator, 126, 410
+<BR>Domain Admins group, 410
+<BR>domain controllers, 30
+<BR> &nbsp; &nbsp; &nbsp;   backup (see backup domain controllers)
+<BR> &nbsp; &nbsp; &nbsp;   primary (see primary domain controllers)
+<BR>Domain Guest group, 410
+<BR>domain guest group option (smb.conf file), 410
+<BR>domain logons
+<BR> &nbsp; &nbsp; &nbsp;   configuring Windows clients for, 128-137
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 133-135
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 128-131
+<BR> &nbsp; &nbsp; &nbsp;   Windows complains that you are already logged on, 129
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 131-133
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP Professional, 135-137
+<BR>domain logons option (smb.conf file), 159, 410
+<BR>domain master browser, 35, 226
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba as both local master browser and, 124
+<BR> &nbsp; &nbsp; &nbsp;   forcing Samba to be, 237, 411
+<BR> &nbsp; &nbsp; &nbsp;   problems with, 35
+<BR> &nbsp; &nbsp; &nbsp;   Samba as, 230
+<BR> &nbsp; &nbsp; &nbsp;   synchronizing browse lists with all, 411
+<BR> &nbsp; &nbsp; &nbsp;   verifying Samba as, 231
+<BR>domain master option (smb.conf file), 159, 237, 411
+<BR>domain member server, 34
+<BR> &nbsp; &nbsp; &nbsp;   Samba as, 156-157
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      smb.conf file example, 400
+<BR>domain membership, 126
+<BR>Domain Name System (see DNS)
+<BR>domain-level security, 291, 296
+<BR>domains
+<BR> &nbsp; &nbsp; &nbsp;   adding computers to, 402
+<BR> &nbsp; &nbsp; &nbsp;   advantages of, 120
+<BR> &nbsp; &nbsp; &nbsp;   more information on how to set up, 122
+<BR> &nbsp; &nbsp; &nbsp;   trust relationships, 33
+<BR> &nbsp; &nbsp; &nbsp;   trusted, 403
+<BR> &nbsp; &nbsp; &nbsp;   (see also Windows NT domain options)
+<BR>dont descend option (smb.conf file), 241, 243, 411
+<BR>dos filemode option (smb.conf file), 411
+<BR>dos filetime resolution option (smb.conf file), 342, 411
+<BR>dos filetimes option (smb.conf file), 341, 411
+<BR>dos2unix command, 170
+<BR>dot files, 240
+<BR> &nbsp; &nbsp; &nbsp;   hiding, 414
+<BR> &nbsp; &nbsp; &nbsp;   (see also hiding files)
+<BR>drive letter, connecting a directory to, 6, 138
+<P><A NAME="E"><B>E</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>emacs text editor, 139
+<BR>encrypt passwords option (smb.conf file), 304, 411
+<BR>encrypted passwords
+<BR> &nbsp; &nbsp; &nbsp;   disabling, 298
+<BR> &nbsp; &nbsp; &nbsp;   managing, 483
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      (see also smbpasswd program)
+<BR> &nbsp; &nbsp; &nbsp;   smb.conf file and, 55
+<BR> &nbsp; &nbsp; &nbsp;   (see also passwords)
+<BR>enhanced browsing option (smb.conf file), 411
+<BR>enumports command option (smb.conf file), 412
+<BR>environment variables, forcing Samba to read list of, 437
+<BR>--eprefix (configure script option), 48
+<BR>error messages from configure script, 48
+<BR>/etc/fstab file, warning about editing, 177
+<BR>/etc/group, 283
+<BR>/etc/hosts file, 70
+<BR>/etc/nsswitch.conf file, 71
+<BR>/etc/passwd file, creating entries manually, 127
+<BR>/etc/printcap.local file, 330
+<BR>/etc/resolv.conf file, 73, 220
+<BR>Ethereal (SMB sniffer), 20, 361
+<BR>exec option (smb.conf file), 412
+<BR>executable file permission bit, 248
+<BR>ext2/ext3 filesystem, 37
+<P><A NAME="F"><B>F</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>fake directory create times option (smb.conf file), 342, 412
+<BR>fake oplocks option (smb.conf file), 273, 412
+<BR>FAQs, Samba, 391
+<BR>fault tree, troubleshooting Samba, 362-391
+<BR>file locking (see locks and oplocks)
+<BR>file permissions
+<BR> &nbsp; &nbsp; &nbsp;   executable bit, 248
+<BR> &nbsp; &nbsp; &nbsp;   on MS-DOS and Unix, 245-253
+<BR> &nbsp; &nbsp; &nbsp;   options, 250-253
+<BR> &nbsp; &nbsp; &nbsp;   setting in Windows NT/2000/XP, 165
+<BR> &nbsp; &nbsp; &nbsp;   setting maximum allowable, 406
+<BR> &nbsp; &nbsp; &nbsp;   Unix permission bits summary, 247
+<BR> &nbsp; &nbsp; &nbsp;   Unix permissions versus ACLs, 31
+<BR> &nbsp; &nbsp; &nbsp;   versus ACLs, 31
+<BR>file transfer using smbclient, 170
+<BR>filenames
+<BR> &nbsp; &nbsp; &nbsp;   conventions, 262
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      (see also name mangling)
+<BR> &nbsp; &nbsp; &nbsp;   representing and resolving in Samba, 264
+<BR>Filesystem Hierarchy Standard, 495
+<BR>filesystem options, 243-245
+<BR>findsmb program, 40, 455
+<BR>firewall configuration, 60
+<BR>fmask option (sbmount), 176
+<BR>follow symlinks option (smb.conf file), 242, 243, 412
+<BR>force create mode option (smb.conf file), 251, 412
+<BR>force directory mode option (smb.conf file), 251, 413
+<BR>force directory security mode option (smb.conf file), 262, 413
+<BR>force group option (smb.conf file), 249, 251, 413
+<BR>force security mode option (smb.conf file), 261, 413
+<BR>force unknown acl user option (smb.conf file), 413
+<BR>force user option (smb.conf file), 249, 251, 413
+<BR>Frisch, Æleen, 325
+<BR>fstab file, warning about editing, 177
+<BR>fstype option (smb.conf file), 350, 413
+<P><A NAME="G"><B>G</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%G variable, 192
+<BR>%g variable, 192
+<BR>gcc binaries, 44
+<BR>get command, 170
+<BR>getwd cache option (smb.conf file), 243, 414
+<BR>[global] section (smb.conf file), 193
+<BR>GNU configure script (see configure script)
+<BR>GNU Free Documentation License, 511-518
+<BR>Google, 392
+<BR>group ID (GID), 31
+<BR>group option (smb.conf file), 414
+<BR>grouppol.inf file, 153
+<BR>groups
+<BR> &nbsp; &nbsp; &nbsp;   additional information, 16
+<BR> &nbsp; &nbsp; &nbsp;   overriding a user's normal group membership, 413
+<BR> &nbsp; &nbsp; &nbsp;   setting a group share in smb.conf file, 283
+<BR> &nbsp; &nbsp; &nbsp;   system group file, 283
+<BR> &nbsp; &nbsp; &nbsp;   (see also workgroups; SMB, groups)
+<BR>guest access, 286
+<BR>guest account option (smb.conf file), 286, 288, 414
+<BR>guest ok option (smb.conf file), 286, 414
+<BR>guest only option (smb.conf file), 288, 414
+<P><A NAME="H"><B>H</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%H variable, 192, 283
+<BR>%h variable, 192
+<BR>hide dot files option (smb.conf file), 240, 244, 414
+<BR>hide files option (smb.conf file), 241, 244, 414
+<BR>hide local users option (smb.conf file), 415
+<BR>hide unreadable option (smb.conf file), 415
+<BR>hiding files, 240-242
+<BR>h-node (NetBios node type), 13
+<BR>home directory, setting, 420
+<BR>homedir map option (smb.conf file), 281, 415
+<BR>[homes] share (smb.conf file), 125, 194, 233, 284
+<BR> &nbsp; &nbsp; &nbsp;   peculiarities with, 284
+<BR>host msdfs option (smb.conf file), 280, 415
+<BR>hostname, defending, 12
+<BR>hosts allow option (smb.conf file), 204-207, 415
+<BR>hosts deny option (smb.conf file), 204-207, 415
+<BR>hosts equiv option (smb.conf file), 307, 415
+<BR>HOSTS file, 70, 74
+<BR>hosts.sam file, 74
+<BR>Hunt, Craig, 87
+<P><A NAME="I"><B>I</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%I variable, 192
+<BR>iconv( ) function, 496
+<BR>ifconfig command, 390
+<BR>Implementing Policies and Profiles for Windows NT 4.0, 141
+<BR>--include dir (configure script option), 48
+<BR>include option (smb.conf file), 193, 197, 416
+<BR>inetd daemon, 53
+<BR> &nbsp; &nbsp; &nbsp;   starting smbd and nmbd daemons, 66
+<BR>--infodir (configure script option), 48
+<BR>inherit acls option (smb.conf file), 416
+<BR>inherit permissions option (smb.conf file), 253, 416
+<BR>.ini files, 187
+<BR>installation directories for Samba, 50
+<BR>installing Samba, 49-52
+<BR> &nbsp; &nbsp; &nbsp;   on a Unix system, 42-67
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ANSI C compiler required by Samba source, 44
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      binary versus source, 43
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      bundled versions, 42-45
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      configuration (see configure script)
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      source, overview of steps, 44
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting problems (see troubleshooting Samba, fault tree)
+<BR>interfaces list, 403
+<BR>interfaces option (smb.conf file), 207, 416
+<BR>internationalization, 343-346
+<BR> &nbsp; &nbsp; &nbsp;   features of Samba 2.2, 456
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 495
+<BR>invalid users option (smb.conf file), 284, 285, 287, 416
+<BR>invalid users, specifying list of, 285
+<BR>IP addresses, 70
+<BR> &nbsp; &nbsp; &nbsp;   127.0.0.1 (localhost), 73
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      bind interfaces only option, 208
+<BR> &nbsp; &nbsp; &nbsp;   translating between NetBIOS names and, 182
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 100
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me networks, 78
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 90
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 111
+<BR>IPC$ password, 75
+<BR>ipconfig /all command (Windows NT/2000/XP), 13
+<BR>ipconfig command, 390
+<P><A NAME="K"><B>K</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>keepalive option (smb.conf file), 351, 416
+<BR>Kerberos authentication, 38
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 495
+<BR> &nbsp; &nbsp; &nbsp;   Samba 2.2 and, 121
+<BR> &nbsp; &nbsp; &nbsp;   time synchronization and, 340
+<BR>kernel oplocks option (smb.conf file), 272, 417
+<P><A NAME="L"><B>L</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%L variable, 140, 144, 192
+<BR>LAN Manager host announcements, 236
+<BR>LAN Manager versions 1.0, 2.0, and 2.1, 20
+<BR>lanman auth option (smb.conf file), 417
+<BR>large readwrite option (smb.conf file), 417
+<BR>LDAP, 34, 38
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 496
+<BR> &nbsp; &nbsp; &nbsp;   Samba 2.2 and, 121
+<BR>ldap admin dn option (smb.conf file), 417
+<BR>ldap filter option (smb.conf file), 417
+<BR>ldap port option (smb.conf file), 417
+<BR>ldap server option (smb.conf file), 418
+<BR>ldap ssl option (smb.conf file), 418
+<BR>ldap suffix option (smb.conf file), 418
+<BR>level2 oplocks option (smb.conf file), 272, 418
+<BR>--libdir (configure script option), 48
+<BR>--libexec dir (configure script option), 48
+<BR>libnss_winbind.so library, 309
+<BR>Linux-PAM System Administrator's Guide, 314
+<BR>Liu, Cricket, 383
+<BR>lm announce option (smb.conf file), 236, 418
+<BR>lm interval option (smb.conf file), 237, 418
+<BR>LMHOSTS file, 72
+<BR> &nbsp; &nbsp; &nbsp;   name resolution and, 218
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 102
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 80
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 92
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 112
+<BR>load balancing and Dfs, 277, 279
+<BR>load printers option (smb.conf file), 336, 419
+<BR>local master browser, 27, 224
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba as both domain master browser and, 124
+<BR>local master option (smb.conf file), 230, 236, 419
+<BR>local profiles, 141
+<BR>localhost address (see 127.0.0.1 (localhost))
+<BR>lock dir option (smb.conf file), 419
+<BR>lock directory option (smb.conf file), 274, 419
+<BR>lock spin count option (smb.conf file), 419
+<BR>lock spin time option (smb.conf file), 419
+<BR>locking files (see locks and oplocks)
+<BR>locking option (smb.conf file), 271, 419
+<BR>locks and oplocks, 268-274
+<BR> &nbsp; &nbsp; &nbsp;   advanced tuning parameter, 428
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      release an oplock, 427
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 270-274
+<BR> &nbsp; &nbsp; &nbsp;   oplock failure, 269
+<BR> &nbsp; &nbsp; &nbsp;   opportunistic locking process, 268
+<BR> &nbsp; &nbsp; &nbsp;   setting file locking, 419
+<BR> &nbsp; &nbsp; &nbsp;   specifying directory where Samba keeps lock files, 496
+<BR> &nbsp; &nbsp; &nbsp;   spin locks, 498
+<BR> &nbsp; &nbsp; &nbsp;   Unix and oplocks, 270
+<BR>log file option (smb.conf file), 213, 356, 419
+<BR>log files, 67
+<BR> &nbsp; &nbsp; &nbsp;   changing timestamps, 407
+<BR> &nbsp; &nbsp; &nbsp;   example, 210
+<BR> &nbsp; &nbsp; &nbsp;   levels of logging, 356-358
+<BR> &nbsp; &nbsp; &nbsp;   nmbd, 231
+<BR> &nbsp; &nbsp; &nbsp;   sample output of levels 2 and 3, 356
+<BR> &nbsp; &nbsp; &nbsp;   setting location of, 419
+<BR> &nbsp; &nbsp; &nbsp;   setting maximum size, 423
+<BR> &nbsp; &nbsp; &nbsp;   specifying the directory where Samba keeps, 496
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting with, 356-359
+<BR> &nbsp; &nbsp; &nbsp;   (see also logging)
+<BR>log level option (smb.conf file), 213, 420
+<BR>logging
+<BR> &nbsp; &nbsp; &nbsp;   activating and deactivating, 358
+<BR> &nbsp; &nbsp; &nbsp;   adding process ID, 407
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 210-215
+<BR> &nbsp; &nbsp; &nbsp;   debugging particular user, 407
+<BR> &nbsp; &nbsp; &nbsp;   (see also log files)
+<BR>login parameters, setting, 24
+<BR>logon drive option (smb.conf file), 151, 420
+<BR>logon home line (smb.conf file), 144
+<BR>logon home option (smb.conf file), 152, 420
+<BR>logon path line (smb.conf file), 144
+<BR>logon path option (smb.conf file), 151, 420
+<BR>logon path, supporting roaming profiles for Windows NT/2000/XP clients, 124
+<BR>logon script option (smb.conf file), 151, 420
+<BR>logon scripts, 120, 137-140
+<BR> &nbsp; &nbsp; &nbsp;   checking the format, 139
+<BR> &nbsp; &nbsp; &nbsp;   creating, 138-140
+<BR> &nbsp; &nbsp; &nbsp;   more information regarding, 140
+<BR> &nbsp; &nbsp; &nbsp;   options, 150
+<BR> &nbsp; &nbsp; &nbsp;   using variables inside, 139
+<BR>logon.bat, 138
+<BR>log.smb file, 67
+<BR>lpadmin command (Unix), 333
+<BR>lppause command option (smb.conf file), 336, 420
+<BR>lppause command (Unix), 323
+<BR>lpq cache time option (smb.conf file), 335, 420
+<BR>lpq command option (smb.conf file), 336, 421
+<BR>lpq command (Unix), 323
+<BR>lpr command (Unix), 322
+<BR>lpresume command option (smb.conf file), 336, 421
+<BR>lpresume command (Unix), 323
+<BR>lprm command option (smb.conf file), 336, 421
+<BR>lprm command (Unix), 323
+<P><A NAME="M"><B>M</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%M variable, 192
+<BR>%m variable, 140, 143, 192
+<BR>Mac OS X
+<BR> &nbsp; &nbsp; &nbsp;   automatically starting Samba daemons, 64
+<BR> &nbsp; &nbsp; &nbsp;   configuration details, 506-509
+<BR> &nbsp; &nbsp; &nbsp;   enabling SMB printer sharing, 325
+<BR> &nbsp; &nbsp; &nbsp;   monitoring services, 505
+<BR> &nbsp; &nbsp; &nbsp;   Password Server, 504
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      activating, 504
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      enabling, 505
+<BR> &nbsp; &nbsp; &nbsp;   smbutil and mount_smbfs, 184-186
+<BR>Mac OS X Server
+<BR> &nbsp; &nbsp; &nbsp;   configuration settings, 508
+<BR> &nbsp; &nbsp; &nbsp;   configuring and activating services, 503
+<BR> &nbsp; &nbsp; &nbsp;   running Samba on, 500-510
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 501
+<BR> &nbsp; &nbsp; &nbsp;   sharing printers, 501
+<BR>Mac OS X Server Administrator's Guide, 500
+<BR>machine password timeout option (smb.conf file), 160, 421
+<BR>magic output option (smb.conf file), 343, 421
+<BR>magic script option (smb.conf file), 343, 421
+<BR>magic scripts, 342
+<BR>mailing lists, Samba, 392
+<BR> &nbsp; &nbsp; &nbsp;   archives, 45
+<BR>make install command (Unix), 50
+<BR> &nbsp; &nbsp; &nbsp;   upgrading installations, 52
+<BR>make revert command (Unix), 50
+<BR>make utility (Unix), 49
+<BR>makefile, generating for Samba configuration, 46
+<BR>make_smbcodepage program, 40, 456
+<BR>make_unicodemap program, 40, 456
+<BR>.man files, changing from .dat files, 150
+<BR>man pages (see manual pages)
+<BR>managing connections to shares (see connection scripts)
+<BR>mandatory profiles, 149
+<BR> &nbsp; &nbsp; &nbsp;   changing from roaming profiles, 150
+<BR>--mandir (configure script option), 48
+<BR>mangle case option (smb.conf file), 267, 421
+<BR>mangled map option (smb.conf file), 267, 422
+<BR>mangled names option (smb.conf file), 266, 422
+<BR>mangled stack option (smb.conf file), 267, 422
+<BR>mangling char option (smb.conf file), 267, 422
+<BR>mangling method option (smb.conf file), 422
+<BR>MANPATH environment variable, 52
+<BR>manual pages, 52
+<BR> &nbsp; &nbsp; &nbsp;   in different languages, 496
+<BR>map archive option (smb.conf file), 247, 252, 422
+<BR>map hidden option (smb.conf file), 247, 252, 422
+<BR>map system option (smb.conf file), 247, 252, 422
+<BR>map to guest option (smb.conf file), 423
+<BR>mapping a free-form client username to a Unix username, 289
+<BR>mapping a network drive (see drive letter, connecting a directory to)
+<BR>master browser (see local master browser)
+<BR>max connections option (smb.conf file), 288, 423
+<BR>max disk size option (smb.conf file), 351, 423
+<BR>max log size option (smb.conf file), 213, 423
+<BR>max mux option (smb.conf file), 351, 423
+<BR>max open files option (smb.conf file), 423
+<BR>max open files (smb.conf file), 351
+<BR>max print jobs option (smb.conf file), 424
+<BR>max protocol option (smb.conf file), 424
+<BR>max smbd processes option (smb.conf file), 424
+<BR>max ttl option (smb.conf file), 224, 424
+<BR>max wins ttl option (smb.conf file), 224, 424
+<BR>max xmit option (smb.conf file), 352, 424
+<BR>message command option (smb.conf file), 348, 424
+<BR>messenger service, 346-348
+<BR>mget command, 170
+<BR>Microsoft Distributed filesystem (see Dfs)
+<BR>min passwd length option (smb.conf file), 425
+<BR>min password length option (smb.conf file), 425
+<BR>min print space option (smb.conf file), 338, 425
+<BR>min protocol option (smb.conf file), 425
+<BR>min wins ttl option (smb.conf file), 224, 425
+<BR>m-node (NetBios node type), 13
+<BR>mount_smbfs program, 161, 182
+<BR> &nbsp; &nbsp; &nbsp;   options, 183
+<BR>mput command, 170
+<BR>msdfs root option (smb.conf file), 280, 425
+<BR>MS-DOS file permissions, 245-253
+<BR>MSN Messenger, 346-348
+<BR>multihomed system
+<BR> &nbsp; &nbsp; &nbsp;   running Samba on, 204
+<BR> &nbsp; &nbsp; &nbsp;   (see also clustered environment, Samba in; multiple subnets)
+<BR>multiple subnets
+<BR> &nbsp; &nbsp; &nbsp;   cross-subnet browsing, 232
+<BR> &nbsp; &nbsp; &nbsp;   with Samba servers, 232
+<BR> &nbsp; &nbsp; &nbsp;   (see also clustered environment, Samba in; multihomed system)
+<BR>My Network Places, 26
+<BR> &nbsp; &nbsp; &nbsp;   (see also Network Neighborhood)
+<P><A NAME="N"><B>N</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%N variable, 192
+<BR>name mangling, 262-267
+<BR> &nbsp; &nbsp; &nbsp;   how Samba mangles a long filename into a 8.3 filename, 263
+<BR> &nbsp; &nbsp; &nbsp;   options, 265-267, 421
+<BR>name registration, 11-13
+<BR>name resolution, 11-13, 70, 216-224
+<BR> &nbsp; &nbsp; &nbsp;   broadcast method, 71
+<BR> &nbsp; &nbsp; &nbsp;   configuring in Samba, 219
+<BR> &nbsp; &nbsp; &nbsp;   methods, 217
+<BR> &nbsp; &nbsp; &nbsp;   using broadcast packets, 217
+<BR>name resolve order option (smb.conf file), 219, 223, 425
+<BR>name services
+<BR> &nbsp; &nbsp; &nbsp;   defined, 10
+<BR> &nbsp; &nbsp; &nbsp;   identifying what's in use, 383
+<BR> &nbsp; &nbsp; &nbsp;   switching, 71
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting, 383-388
+<BR>name-resolution configuration options, 221-224
+<BR>NBNS name registration
+<BR> &nbsp; &nbsp; &nbsp;   versus broadcast, 11
+<BR>NBT, 10, 69
+<BR> &nbsp; &nbsp; &nbsp;   services, 16
+<BR>NBT Standard, 10
+<BR>nbtstat utility, 228
+<BR> &nbsp; &nbsp; &nbsp;   examples, 14, 15
+<BR>net program, 40, 457-462
+<BR>net time command, 138, 339
+<BR>net use command, 138, 144
+<BR> &nbsp; &nbsp; &nbsp;   testing connections with, 374
+<BR>net view program, 225
+<BR> &nbsp; &nbsp; &nbsp;   testing client browsing, 381
+<BR>NetBEUI protocol, 10
+<BR> &nbsp; &nbsp; &nbsp;   running at same time as NetBIOS over TCP/IP, 69
+<BR>NetBIOS
+<BR> &nbsp; &nbsp; &nbsp;   group resource types, 16
+<BR> &nbsp; &nbsp; &nbsp;   names
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      translating between IP address or DNS names and, 182
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      troubleshooting, 390
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      versus DNS hostnames, 14
+<BR> &nbsp; &nbsp; &nbsp;   node types, 13
+<BR> &nbsp; &nbsp; &nbsp;   overview, 9
+<BR> &nbsp; &nbsp; &nbsp;   resource names and types, 14
+<BR> &nbsp; &nbsp; &nbsp;   session, establishing, 22
+<BR> &nbsp; &nbsp; &nbsp;   unique resource types, 15
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 80
+<BR>netbios aliases option (smb.conf file), 209, 426
+<BR>netbios name option (smb.conf file), 200, 426
+<BR>NetBIOS over TCP/IP (see NBT)
+<BR>netbios scope option (smb.conf file), 426
+<BR>[netlogon] share (smb.conf file), 125, 138, 233
+<BR>netmask, using to troubleshoot, 388
+<BR>network adapters, 69
+<BR>network addresses
+<BR> &nbsp; &nbsp; &nbsp;   finding your specific address, 390
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting, 388-390
+<BR>Network Information Service (see NIS)
+<BR>Network Neighborhood, 27
+<BR> &nbsp; &nbsp; &nbsp;   (see also My Network Places)
+<BR>Network Time Protocol (NTP), 340
+<BR>network traffic, monitoring (see tcpdump program)
+<BR>networking
+<BR> &nbsp; &nbsp; &nbsp;   components
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 2000, 99
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows XP, 109
+<BR> &nbsp; &nbsp; &nbsp;   concepts, Windows (see Windows, networking concepts)
+<BR> &nbsp; &nbsp; &nbsp;   options, 204-208
+<BR>new features
+<BR> &nbsp; &nbsp; &nbsp;   in Samba 2.2, 36
+<BR> &nbsp; &nbsp; &nbsp;   in Samba 3.0, 38
+<BR>news, Samba, 45
+<BR>newsgroups, Samba, 391
+<BR>NFS, installing Samba with support for, 495
+<BR>NIS+
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 496
+<BR> &nbsp; &nbsp; &nbsp;   server, installing Samba with support for locating, 496
+<BR>nis homedir option (smb.conf file), 281, 426
+<BR>NIS (Network Information Service), 71, 280
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 280
+<BR> &nbsp; &nbsp; &nbsp;   server, 30
+<BR>nmake command, 412
+<BR>nmap command (Unix), 73
+<BR>nmbd daemon, 3, 39, 61, 453
+<BR> &nbsp; &nbsp; &nbsp;   starting automatically, 61-65
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      BSD Unix, 61
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Darwin and Mac OS X, 64
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      System V Unix, 61
+<BR> &nbsp; &nbsp; &nbsp;   starting from inetd, 66
+<BR> &nbsp; &nbsp; &nbsp;   starting manually, 61
+<BR> &nbsp; &nbsp; &nbsp;   testing, 66
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      automatic startup, 65
+<BR> &nbsp; &nbsp; &nbsp;   time service, 442
+<BR>nmbd log file, 231
+<BR>nmblookup program, 40, 229, 231, 462
+<BR> &nbsp; &nbsp; &nbsp;   testing clients, 380
+<BR> &nbsp; &nbsp; &nbsp;   testing network, 381
+<BR> &nbsp; &nbsp; &nbsp;   testing servers, 379
+<BR>nobody account, 286
+<BR>node types, 13
+<BR>non unix account range option (smb.conf file), 426
+<BR>nslookup command (Unix), 73
+<BR>nsmb.conf file, 181
+<BR>.nsmbrc files, 181
+<BR>nsswitch, configuring, 309
+<BR>nsswitch.conf file, 71
+<BR>nt acl support option (smb.conf file), 260, 426
+<BR>NT LAN Manager 1.0, 21
+<BR>nt pipe support option (smb.conf file), 352, 426
+<BR>nt smb support option (smb.conf file), 352, 427
+<BR>nt status support option (smb.conf file), 427
+<BR>ntconfig.pol file, 155
+<BR>NT-specific SMB IPC$ pipes, 352
+<BR>NTUSER.DAT file, 141
+<BR>null passwords option (smb.conf file), 306, 427
+<BR>number of address ranges, 389
+
+<P><A NAME="O"><B>O</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>obey pam restrictions option (smb.conf file), 427
+<BR>od command, 139
+<BR>.old files, 50
+<BR>ole locking compatibility (smb.conf file), 352
+<BR>only guest option (smb.conf file), 427
+<BR>only user option (smb.conf file), 293, 427
+<BR>Open Directory Password Server, 504
+<BR>oplock break wait time option (smb.conf file), 427
+<BR>oplock contention limit option (smb.conf file), 428
+<BR>oplocks option (smb.conf file), 272, 428
+<BR>opportunistic locking (see locks and oplocks)
+<BR>os level option (smb.conf file), 230, 238, 428
+<BR>os2 driver map option (smb.conf file), 428
+<BR>overwriting files (see locks and oplocks)
+
+<P><A NAME="P"><B>P</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%P variable, 192
+<BR>%p variable, 192
+<BR>padc command, 359
+<BR>pam password change option (smb.conf file), 428
+<BR>PAM (Pluggable Authentication Modules), 38
+<BR> &nbsp; &nbsp; &nbsp;   configuring, 313-317
+<BR>pam_stack.so module, 316
+<BR>pam_winbind.so module, 316
+<BR>panic action option (smb.conf file), 352, 428
+<BR>par command, 359
+<BR>passdb backend option (smb.conf file), 429
+<BR>pass-through authentication, 33
+<BR>passwd chat debug option (smb.conf file), 305, 429
+<BR>passwd chat option (smb.conf file), 301, 305, 429
+<BR>PASSWD environment variable, 167
+<BR>passwd file, creating entries manually, 127
+<BR>passwd program option (smb.conf file), 305, 429
+<BR>password chat response characters, 302
+<BR>password chat send characters, 302
+<BR>password level option (smb.conf file), 305, 429
+<BR>Password Server (Mac OS X), 504
+<BR> &nbsp; &nbsp; &nbsp;   activating, 504
+<BR> &nbsp; &nbsp; &nbsp;   enabling, 505
+<BR>password server option (smb.conf file), 160, 295, 429
+<BR>passwords, 74, 296-307
+<BR> &nbsp; &nbsp; &nbsp;   adding to smb.conf file, 75
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 303-307
+<BR> &nbsp; &nbsp; &nbsp;   disabling encrypted, 298
+<BR> &nbsp; &nbsp; &nbsp;   encrypted (see encrypted passwords)
+<BR> &nbsp; &nbsp; &nbsp;   IPC$, 75
+<BR> &nbsp; &nbsp; &nbsp;   limiting length of, 425
+<BR> &nbsp; &nbsp; &nbsp;   plain-text versus encrypted, 74
+<BR> &nbsp; &nbsp; &nbsp;   setting on Windows 95/98/Me, 83
+<BR> &nbsp; &nbsp; &nbsp;   setting servers that validate, 429
+<BR> &nbsp; &nbsp; &nbsp;   synchronization, 300-303
+<BR> &nbsp; &nbsp; &nbsp;   Windows versus Unix, 29
+<BR> &nbsp; &nbsp; &nbsp;   (see also authentication)
+<BR>PATH environment variable, 52
+<BR>path option (smb.conf file), 202, 430
+<BR>pdbedit program, 40, 464
+<BR>PDC emulator, 121
+<BR>PDCs (see primary domain controllers)
+<BR>Pearce, Eric, 16, 160
+<BR>performance, caching directories, 414
+<BR>period (.)
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS names and, 14
+<BR> &nbsp; &nbsp; &nbsp;   (see also dot files)
+<BR>permissions
+<BR> &nbsp; &nbsp; &nbsp;   mapping to Windows NT ACLs, 426
+<BR> &nbsp; &nbsp; &nbsp;   (see also file permissions; directory permissions)
+<BR>pid directory option (smb.conf file), 430
+<BR>PIDs, adding to log lines, 407
+<BR>ping, troubleshooting with, 363-367
+<BR>Pluggable Authentication Modules (see PAM)
+<BR>p-node (NetBios node type), 13
+<BR>point-to-point communication, 12
+<BR>policies, defined, 120
+<BR>port names, customized, 412
+<BR>POSIX ACL support, 416
+<BR>posix locking option (smb.conf file), 272, 430
+<BR>POSIX.1e ACLs, 259
+<BR>postexec option (smb.conf file), 277, 430
+<BR>postscript option (smb.conf file), 335, 430
+<BR>preexec close option (smb.conf file), 277, 430
+<BR>preexec option (smb.conf file), 274, 276, 430
+<BR>preferred master option (smb.conf file), 237, 431
+<BR>preferred master parameter (smb.conf file), 230
+<BR>--prefix (configure script option), 48
+<BR>preload option (smb.conf file), 235, 431
+<BR>preserve case option (smb.conf file), 264, 266, 431
+<BR>preventing file overwrites (see locks and oplocks)
+<BR>primary domain controllers (PDCs), 31, 226
+<BR> &nbsp; &nbsp; &nbsp;   handling authentication (see winbind)
+<BR> &nbsp; &nbsp; &nbsp;   modifying smb.conf file, 122-125
+<BR> &nbsp; &nbsp; &nbsp;   Samba as, 121-126
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      smb.conf file example, 397-399
+<BR>primary WINS server, 32
+<BR> &nbsp; &nbsp; &nbsp;   synchronization problems with Samba 2.2, 33
+<BR>print command option (smb.conf file), 322, 336, 431
+<BR>print commands, 321
+<BR>print jobs
+<BR> &nbsp; &nbsp; &nbsp;   deleting, 421
+<BR> &nbsp; &nbsp; &nbsp;   limiting number of, 424
+<BR> &nbsp; &nbsp; &nbsp;   pausing, 420
+<BR> &nbsp; &nbsp; &nbsp;   resuming, 421
+<BR> &nbsp; &nbsp; &nbsp;   sending over Samba, 321
+<BR>print ok option (smb.conf file), 433
+<BR>printable option (smb.conf file), 323, 335, 431
+<BR>printcap file, 419
+<BR> &nbsp; &nbsp; &nbsp;   example, 336
+<BR>printcap name option (smb.conf file), 338, 431
+<BR>printcap option (smb.conf file), 338
+<BR>printcap.local file, 330
+<BR>printer admin option (smb.conf file), 432
+<BR>printer driver file option (smb.conf file), 432
+<BR>printer driver location option (smb.conf file), 432
+<BR>printer driver option (smb.conf file), 432
+<BR>printer name option (smb.conf file), 335, 432
+<BR>printer option (smb.conf file), 335, 432
+<BR>printer status, setting command for, 421
+<BR>printers
+<BR> &nbsp; &nbsp; &nbsp;   adding new to system, 401
+<BR> &nbsp; &nbsp; &nbsp;   BSD, 330-331
+<BR> &nbsp; &nbsp; &nbsp;   CUPS, 332
+<BR> &nbsp; &nbsp; &nbsp;   example of sharing, 8
+<BR> &nbsp; &nbsp; &nbsp;   names in browse lists, 419
+<BR> &nbsp; &nbsp; &nbsp;   removing from system, 408
+<BR> &nbsp; &nbsp; &nbsp;   sending files using smbclient, 325
+<BR> &nbsp; &nbsp; &nbsp;   setting default device mode, 408
+<BR> &nbsp; &nbsp; &nbsp;   setting up from Windows, 8
+<BR> &nbsp; &nbsp; &nbsp;   sharing, 320
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      on Mac OS X, 501
+<BR> &nbsp; &nbsp; &nbsp;   System V, 331
+<BR> &nbsp; &nbsp; &nbsp;   (see also printing)
+<BR>[printers] share (smb.conf file), 195, 324
+<BR> &nbsp; &nbsp; &nbsp;   example for a Linux system, 324
+<BR>printing, 320-338
+<BR> &nbsp; &nbsp; &nbsp;   adding a Unix printer, 330-333
+<BR> &nbsp; &nbsp; &nbsp;   common problem with Samba printer configuration, 325
+<BR> &nbsp; &nbsp; &nbsp;   CUPS-compatible, 486
+<BR> &nbsp; &nbsp; &nbsp;   debugging printers, 325
+<BR> &nbsp; &nbsp; &nbsp;   Mac OS X environment, 325
+<BR> &nbsp; &nbsp; &nbsp;   network, 320
+<BR> &nbsp; &nbsp; &nbsp;   options, 333-338
+<BR> &nbsp; &nbsp; &nbsp;   setting up and testing a Windows client, 326
+<BR> &nbsp; &nbsp; &nbsp;   shares
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      example, 322
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      important information about, 323
+<BR> &nbsp; &nbsp; &nbsp;   system types, 334
+<BR> &nbsp; &nbsp; &nbsp;   testing the configuration, 325
+<BR> &nbsp; &nbsp; &nbsp;   to Windows from Unix, 327-338
+<BR> &nbsp; &nbsp; &nbsp;   variables, 322
+<BR> &nbsp; &nbsp; &nbsp;   (see also printers)
+<BR>printing option (smb.conf file), 334, 432
+<BR>private directory option (smb.conf file), 433
+<BR>process IDs, adding to log lines, 407
+<BR>processes, viewing in Unix, 8
+<BR>[profiles] share (smb.conf file), 125
+<BR>prompt command, 171
+<BR>protocol option (smb.conf file), 433
+<BR>ps command (Unix), 8
+<BR> &nbsp; &nbsp; &nbsp;   looking for daemon processes with, 368
+<BR>public option (smb.conf file), 433
+<BR>put command, 170
+<BR>.pwl files, 29
+<P><A NAME="Q"><B>Q</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>queuepause command option (smb.conf file), 338, 433
+<BR>queueresume command option (smb.conf file), 338, 433
+<P><A NAME="R"><B>R</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%R variable, 192
+<BR>read bmpx option (smb.conf file), 433
+<BR>read list option (smb.conf file), 286, 288, 433
+<BR>read only option (smb.conf file), 203, 434
+<BR>read raw option (smb.conf file), 434
+<BR>read size option (smb.conf file), 434
+<BR>readline( ) support, 497
+<BR>read-only access, specifying users, 433
+<BR>realm option (smb.conf file), 434
+<BR>reconfiguring Samba, 52
+<BR>recurse command, 171
+<BR>registry files, 141
+<BR> &nbsp; &nbsp; &nbsp;   settings and passwords, 74
+<BR>relative identifier (RID), 30
+<BR>remote announce option (smb.conf file), 232, 238, 434
+<BR>remote browse sync option (smb.conf file), 238, 434
+<BR>remote logons (see roaming profiles)
+<BR>resolv.conf file, 73, 220
+<BR>resource names and types (NetBIOS), 14
+<BR>restrict anonymous option (smb.conf file), 434
+<BR>roaming profiles, 120, 140-152
+<BR> &nbsp; &nbsp; &nbsp;   changing to mandatory profiles, 150
+<BR> &nbsp; &nbsp; &nbsp;   configuring
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Samba for, 143-147
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me for, 147
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT/2000/XP for, 148
+<BR> &nbsp; &nbsp; &nbsp;   defining a logon path for Windows NT/2000/XP clients, 124
+<BR> &nbsp; &nbsp; &nbsp;   definitive documentation, 141
+<BR> &nbsp; &nbsp; &nbsp;   how they work, 141
+<BR> &nbsp; &nbsp; &nbsp;   options, 150
+<BR> &nbsp; &nbsp; &nbsp;   possible problems, 142
+<BR> &nbsp; &nbsp; &nbsp;   restricting users from editing their own, 149
+<BR> &nbsp; &nbsp; &nbsp;   setting path to directory (Windows NT/2000/XP), 420
+<BR> &nbsp; &nbsp; &nbsp;   smb.conf file, 138
+<BR> &nbsp; &nbsp; &nbsp;   Temporary Internet Files folder, 143
+<BR> &nbsp; &nbsp; &nbsp;   time synchronization, 339
+<BR> &nbsp; &nbsp; &nbsp;   users logged onto multiple clients, 142
+<BR> &nbsp; &nbsp; &nbsp;   warning, 141
+<BR> &nbsp; &nbsp; &nbsp;   (see also mandatory profiles)
+<BR>root access, 285
+<BR>root accounts
+<BR> &nbsp; &nbsp; &nbsp;   adding root user to Samba's password database, 126
+<BR> &nbsp; &nbsp; &nbsp;   (see also domain administrator)
+<BR> &nbsp; &nbsp; &nbsp;   specifying users with root permissions, 402
+<BR>root dir option (smb.conf file), 435
+<BR>root directory option (smb.conf file), 435
+<BR>root option (smb.conf file), 435
+<BR>root postexec option (smb.conf file), 277, 435
+<BR>root preexec close option (smb.conf file), 276, 435
+<BR>root preexec option (smb.conf file), 275, 276, 435
+<BR>roving profiles (see roaming profiles)
+<BR>rpcclient commands, 467-470
+<BR>rpcclient program, 40, 465
+<BR>rpm command (Unix), 43
+<P><A NAME="S"><B>S</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%S variable, 192
+<BR>SAM (Security Account Manager), 30
+<BR> &nbsp; &nbsp; &nbsp;   database, 126
+<BR>Samba
+<BR> &nbsp; &nbsp; &nbsp;   advantages of using, 3
+<BR> &nbsp; &nbsp; &nbsp;   allowing outside applications to access Samba features, 496
+<BR> &nbsp; &nbsp; &nbsp;   compiling (see compiling Samba)
+<BR> &nbsp; &nbsp; &nbsp;   configuration file (see smb.conf file)
+<BR> &nbsp; &nbsp; &nbsp;   configuring (see configuring Samba)
+<BR> &nbsp; &nbsp; &nbsp;   defined, 2
+<BR> &nbsp; &nbsp; &nbsp;   distribution, overview, 39
+<BR> &nbsp; &nbsp; &nbsp;   as domain member server, 34
+<BR> &nbsp; &nbsp; &nbsp;   downloading, 45
+<BR> &nbsp; &nbsp; &nbsp;   examples
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      sharing a printer, 8
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      sharing disk service, 4-7
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      simple network, 4
+<BR> &nbsp; &nbsp; &nbsp;   in a clustered environment, 437
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      (see also multihomed system; multiple subnets), 437
+<BR> &nbsp; &nbsp; &nbsp;   installing (see installing Samba)
+<BR> &nbsp; &nbsp; &nbsp;   manual pages, 52
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      in different languages, 496
+<BR> &nbsp; &nbsp; &nbsp;   obtaining, 41
+<BR> &nbsp; &nbsp; &nbsp;   overview, 1-41
+<BR> &nbsp; &nbsp; &nbsp;   running on a multihomed system, 204
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting (see troubleshooting Samba)
+<BR> &nbsp; &nbsp; &nbsp;   upgrading installations, 51
+<BR> &nbsp; &nbsp; &nbsp;   variables (see smb.conf file, variables)
+<BR> &nbsp; &nbsp; &nbsp;   web site, 41
+<BR>Samba 2.2
+<BR> &nbsp; &nbsp; &nbsp;   in a domain hosted by native mode Windows 2000 server, 34
+<BR> &nbsp; &nbsp; &nbsp;   issues with Active Directory, 34, 121
+<BR> &nbsp; &nbsp; &nbsp;   new features, 36
+<BR>Samba 3.0
+<BR> &nbsp; &nbsp; &nbsp;   new features, 38
+<BR> &nbsp; &nbsp; &nbsp;   obsolete options
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      blocksize, 404
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      character set, 405
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      client code page, 405
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      code page directory, 405
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      coding system, 405
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      domain guest group, 410
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      force unknown acl user, 413
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap admin dn, 417
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap filter, 417
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap port, 417
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap server, 418
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap ssl, 418
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap suffix, 418
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      nt smb support, 427
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      related to SSL, 438-440
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      status, 440
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      unix extensions, 442
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      userhosts, 443
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      valid chars, 444
+<BR> &nbsp; &nbsp; &nbsp;   roles, 38
+<BR>Samba server
+<BR> &nbsp; &nbsp; &nbsp;   adding to workgroup, configuration file example, 396
+<BR> &nbsp; &nbsp; &nbsp;   connecting from
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 2000, 107
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me, 84
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT, 96
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows XP, 116
+<BR> &nbsp; &nbsp; &nbsp;   connection listings (see smbstatus program)
+<BR> &nbsp; &nbsp; &nbsp;   creating directories on, 125
+<BR> &nbsp; &nbsp; &nbsp;   restarting, 126
+<BR> &nbsp; &nbsp; &nbsp;   sending a print job, 321
+<BR> &nbsp; &nbsp; &nbsp;   services, 2
+<BR>Samba Web Administration Tool (see SWAT)
+<BR>Samba-BDC-HOWTO.html, 122
+<BR>Samba-PDC-HOWTO.html, 122
+<BR>Samba's NT LM 0.12, 21
+<BR>SASL (Simple Authentication and Security Layer) standard, 504
+<BR>--sbindir (configure script option), 48
+<BR>scope ID (SMB packet), 16
+<BR>search paths, setting, 52
+<BR>secrets.tdb file, 156
+<BR>security
+<BR> &nbsp; &nbsp; &nbsp;   Samba security levels
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      domain (see domain-level security)
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      server (see server-level security)
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      share (see share-level security)
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      user (see user-level security)
+<BR> &nbsp; &nbsp; &nbsp;   user-level for Windows 95/98/Me, 129
+<BR> &nbsp; &nbsp; &nbsp;   (see also authentication)
+<BR>Security Access Token (SAT), 31
+<BR>Security Account Manager (SAM), 30
+<BR>security identifiers (SIDs), 30
+<BR>security issues
+<BR> &nbsp; &nbsp; &nbsp;   creating entries for /etc/passwd and smbpasswd manually, 127
+<BR> &nbsp; &nbsp; &nbsp;   disabling oplocks in smb.conf file, 58
+<BR>security mask option (smb.conf file), 261, 436
+<BR>security models, Unix versus Windows, 253
+<BR>security option (smb.conf file), 291, 436
+<BR>sendfile( ) system call, 497
+<BR>server announcements, 229
+<BR>Server Message Block (SMB) protocol (see SMB)
+<BR>server string option (smb.conf file), 200, 436
+<BR>server-level security, 291, 295
+<BR>session parameters, setting, 24
+<BR>session primitives, 17
+<BR>session service, defined, 10
+<BR>session services (NBT)
+<BR> &nbsp; &nbsp; &nbsp;   defined, 16
+<BR> &nbsp; &nbsp; &nbsp;   tips, 18
+<BR>set directory option (smb.conf file), 353, 436
+<BR>share modes option (smb.conf file), 436
+<BR>share-level security, 290
+<BR> &nbsp; &nbsp; &nbsp;   options, 293
+<BR> &nbsp; &nbsp; &nbsp;   versus user-level security, 162
+<BR>shares
+<BR> &nbsp; &nbsp; &nbsp;   adding new, 402
+<BR> &nbsp; &nbsp; &nbsp;   allowing and denying, 415
+<BR> &nbsp; &nbsp; &nbsp;   copying configurations, 406
+<BR> &nbsp; &nbsp; &nbsp;   deleting, 408
+<BR> &nbsp; &nbsp; &nbsp;   denying access to, 403
+<BR> &nbsp; &nbsp; &nbsp;   invisible, 233
+<BR> &nbsp; &nbsp; &nbsp;   managing connections to (see connection scripts)
+<BR> &nbsp; &nbsp; &nbsp;   modifying, 405
+<BR> &nbsp; &nbsp; &nbsp;   printers, setting default device mode, 408
+<BR> &nbsp; &nbsp; &nbsp;   sections in smb.conf file, 125
+<BR> &nbsp; &nbsp; &nbsp;   setting maximum number, 423
+<BR> &nbsp; &nbsp; &nbsp;   specifying in browse lists, 403, 404, 431
+<BR> &nbsp; &nbsp; &nbsp;   specifying systems that may connect to, 403
+<BR>sharing
+<BR> &nbsp; &nbsp; &nbsp;   disk services example, 4-7
+<BR> &nbsp; &nbsp; &nbsp;   files
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Mac OS X, 501
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me, 162
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT/2000/XP, 163, 165
+<BR> &nbsp; &nbsp; &nbsp;   printers (see printers, sharing)
+<BR>Sharpe, Richard, 19
+<BR>short preserve case option (smb.conf file), 264, 266, 436
+<BR>show add printer wizard option (smb.conf file), 437
+<BR>shutdown script option (smb.conf file), 437
+<BR>SIDs (security identifiers), 30
+<BR>SMB, 2
+<BR> &nbsp; &nbsp; &nbsp;   CIFS and, 21
+<BR> &nbsp; &nbsp; &nbsp;   clients, 21
+<BR> &nbsp; &nbsp; &nbsp;   command format, 19
+<BR> &nbsp; &nbsp; &nbsp;   connections, troubleshooting, 371-377
+<BR> &nbsp; &nbsp; &nbsp;   groups, 15
+<BR> &nbsp; &nbsp; &nbsp;   header fields, 19
+<BR> &nbsp; &nbsp; &nbsp;   header format, 19
+<BR> &nbsp; &nbsp; &nbsp;   message format, 19
+<BR> &nbsp; &nbsp; &nbsp;   network, overview, 9-18
+<BR> &nbsp; &nbsp; &nbsp;   online summary, 19
+<BR> &nbsp; &nbsp; &nbsp;   packets, 16
+<BR> &nbsp; &nbsp; &nbsp;   protocol
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      additional information, 20
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      negotiating a protocol variant, 22
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      overview, 18-26
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      versions, 20
+<BR> &nbsp; &nbsp; &nbsp;   servers, 21
+<BR> &nbsp; &nbsp; &nbsp;   simple connection, 22
+<BR>smb passwd file option (smb.conf file), 306, 437
+<BR>SMB sniffer (Ethereal), 20
+<BR>smbcacls program, 40, 470
+<BR>smbclient commands, 168
+<BR>smbclient program, 40, 67, 161, 165-174, 472-478
+<BR> &nbsp; &nbsp; &nbsp;   authenticating with, 167
+<BR> &nbsp; &nbsp; &nbsp;   compared to smbfs and smbsh, 165
+<BR> &nbsp; &nbsp; &nbsp;   creating and restoring backups, 172-174
+<BR> &nbsp; &nbsp; &nbsp;   file transfer, 170
+<BR> &nbsp; &nbsp; &nbsp;   interactive session, 168-171
+<BR> &nbsp; &nbsp; &nbsp;   listing services, 165
+<BR> &nbsp; &nbsp; &nbsp;   programming with, 171
+<BR> &nbsp; &nbsp; &nbsp;   security and, 168
+<BR> &nbsp; &nbsp; &nbsp;   sending a file to the printer, 325
+<BR> &nbsp; &nbsp; &nbsp;   testing
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      browsing, 377
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with, 373
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      locally with, 372
+<BR>smb.conf file, 187-215
+<BR> &nbsp; &nbsp; &nbsp;   adding user passwords, 75
+<BR> &nbsp; &nbsp; &nbsp;   bracketed names, 188
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      (see also shares, sections in smb.conf file)
+<BR> &nbsp; &nbsp; &nbsp;   capitalization, 189
+<BR> &nbsp; &nbsp; &nbsp;   comments, 190
+<BR> &nbsp; &nbsp; &nbsp;   configuring winbind, 309
+<BR> &nbsp; &nbsp; &nbsp;   creating and modifying (see SWAT)
+<BR> &nbsp; &nbsp; &nbsp;   disabling oplocks, 58
+<BR> &nbsp; &nbsp; &nbsp;   encrypted passwords and, 55
+<BR> &nbsp; &nbsp; &nbsp;   examples, 187
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      configuring Samba to use another WINS server, 396
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      disk share, 201-203
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      enabling Samba as WINS server, 395
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      server configuration file, 198-201
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting Samba as domain member server, 400
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting Samba as PDC, 397-399
+<BR> &nbsp; &nbsp; &nbsp;   file structure, 188-191
+<BR> &nbsp; &nbsp; &nbsp;   getting started, 54-60
+<BR> &nbsp; &nbsp; &nbsp;   [global] section, 193
+<BR> &nbsp; &nbsp; &nbsp;   include option, 193
+<BR> &nbsp; &nbsp; &nbsp;   line continuation, 189
+<BR> &nbsp; &nbsp; &nbsp;   location from bundled installation, 42
+<BR> &nbsp; &nbsp; &nbsp;   logon scripts (see logon scripts)
+<BR> &nbsp; &nbsp; &nbsp;   Mac OS X, 509
+<BR> &nbsp; &nbsp; &nbsp;   making significant changes, 190
+<BR> &nbsp; &nbsp; &nbsp;   modifying Samba to be a PDC, 122-125
+<BR> &nbsp; &nbsp; &nbsp;   modifying Samba to be domain member server, 157
+<BR> &nbsp; &nbsp; &nbsp;   name resolution, 219
+<BR> &nbsp; &nbsp; &nbsp;   options, 188, 195-198
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      access control, 287-288
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ACLs, 260-262
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      browsing, 233-239
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connection scripts, 275-277
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      disk share, 202
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      dot files, 240
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      file and directory permissions, 250-253
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      filesystem, 243-245
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      internationalization, 343-346
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      locks and oplocks, 270-274
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      logging, 210-215
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      name mangling, 265-267
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      name resolution, 221-224
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      networking, 204-208
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      NIS, 280
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      password, 303-307
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      printing, 333-338
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      server, 199
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      time synchronization, 341-342
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      virtual servers, 209
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      winbind, 317-319
+<BR> &nbsp; &nbsp; &nbsp;   [printers] section, 195
+<BR> &nbsp; &nbsp; &nbsp;   roaming profiles, 138
+<BR> &nbsp; &nbsp; &nbsp;   runtime changes, 190
+<BR> &nbsp; &nbsp; &nbsp;   shares, 125, 194
+<BR> &nbsp; &nbsp; &nbsp;   smbmount program and, 174
+<BR> &nbsp; &nbsp; &nbsp;   smbsh and, 179
+<BR> &nbsp; &nbsp; &nbsp;   testing, 59
+<BR> &nbsp; &nbsp; &nbsp;   variables, 191-193
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      example of use, 193
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      table, 192
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      used at runtime, 140
+<BR> &nbsp; &nbsp; &nbsp;   WINS support, 71
+<BR>smbcontrol program, 40, 478
+<BR>smbd daemon, 3, 39, 61, 451
+<BR> &nbsp; &nbsp; &nbsp;   checking with telnet, 369
+<BR> &nbsp; &nbsp; &nbsp;   starting automatically, 61-65
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      BSD Unix, 61
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Darwin and Mac OS X, 64
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      System V Unix, 61
+<BR> &nbsp; &nbsp; &nbsp;   starting from inetd, 66
+<BR> &nbsp; &nbsp; &nbsp;   starting manually, 61
+<BR> &nbsp; &nbsp; &nbsp;   testing, 66
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      automatic startup, 65
+<BR>smbfs filesystem, 161, 174-178
+<BR> &nbsp; &nbsp; &nbsp;   compared to smbclient, 165
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 498
+<BR> &nbsp; &nbsp; &nbsp;   mounting automatically, 177
+<BR>smbgroupedit program, 40, 479
+<BR>smbmnt program, 40, 174, 480
+<BR>smbmount program, 40, 175, 481
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 498
+<BR> &nbsp; &nbsp; &nbsp;   options, 178
+<BR> &nbsp; &nbsp; &nbsp;   smb.conf file, 174
+<BR>SMBnegprot request, 23
+<BR>smbpasswd file, 126, 299-300
+<BR> &nbsp; &nbsp; &nbsp;   creating entries manually, 127
+<BR>smbpasswd program, 41, 55, 483
+<BR>smbprint program, 330
+<BR>smbprint.sysv, 330
+<BR>SMBSesssetupX command, 24
+<BR>smbsh program, 41, 161, 179, 485
+<BR> &nbsp; &nbsp; &nbsp;   compared to smbclient, 165
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 498
+<BR> &nbsp; &nbsp; &nbsp;   interactive session, 179
+<BR> &nbsp; &nbsp; &nbsp;   smb.conf file, 179
+<BR>smbspool, 330
+<BR>smbspool program, 41, 486
+<BR>smbspool utility, 332
+<BR>smbstatus program, 8, 41, 487
+<BR>smbtar program, 41, 487
+<BR>SMBtconX message, 25
+<BR>smbumount program, 41, 488
+<BR>smbutil program, 161, 181
+<BR> &nbsp; &nbsp; &nbsp;   options, 183
+<BR> &nbsp; &nbsp; &nbsp;   testing print configuration, 326
+<BR>smbwrapper library, 179, 498
+<BR>socket address option (smb.conf file), 437
+<BR>socket options option (smb.conf file), 437
+<BR>source environment option (smb.conf file), 437
+<BR>source/config.status file, 51
+<BR>spin locks, 498
+<BR>SSL
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba to support, 498
+<BR> &nbsp; &nbsp; &nbsp;   options, 438-440
+<BR>ssl CA certDir option (smb.conf file), 438
+<BR>ssl CA certFile option (smb.conf file), 438
+<BR>ssl ciphers option (smb.conf file), 438
+<BR>ssl client cert option (smb.conf file), 438
+<BR>ssl client key option (smb.conf file), 438
+<BR>ssl compatibility option (smb.conf file), 439
+<BR>ssl hosts option (smb.conf file), 439
+<BR>ssl hosts resign option (smb.conf file), 439
+<BR>ssl option (smb.conf file), 438
+<BR>ssl require clientcert option (smb.conf file), 439
+<BR>ssl require servercert option (smb.conf file), 439
+<BR>ssl server cert option (smb.conf file), 439
+<BR>ssl server key option (smb.conf file), 440
+<BR>ssl version option (smb.conf file), 440
+<BR>stat cache option (smb.conf file), 354, 440
+<BR>stat cache size option (smb.conf file), 354, 440
+<BR>status option (smb.conf file), 440
+<BR>status (smb.conf file), 353
+<BR>Stern, Hal, 383
+<BR>strace command, 359
+<BR>strict allocate option (smb.conf file), 440
+<BR>strict locking option (smb.conf file), 271, 441
+<BR>strict sync option (smb.conf file), 353, 441
+<BR>strip dot option (smb.conf file), 353, 441
+<BR>subnets, workgroups spanning multiple, 34
+<BR>superuser (root) access, 285
+<BR>SWAT
+<BR> &nbsp; &nbsp; &nbsp;   enabling, 52
+<BR> &nbsp; &nbsp; &nbsp;   login, 56
+<BR> &nbsp; &nbsp; &nbsp;   specifying where to install files for, 498
+<BR> &nbsp; &nbsp; &nbsp;   using, 56-58
+<BR>symbolic links, 242
+<BR> &nbsp; &nbsp; &nbsp;   creating before clients are added to network, 147
+<BR> &nbsp; &nbsp; &nbsp;   in file shares, 412
+<BR>symlinks option (smb.conf file), 242
+<BR>sync always option (smb.conf file), 353, 441
+<BR>synchronization, password (see passwords, synchronization)
+<BR>synchronization problems with WINS servers in Samba, 33, 71
+<BR>syslog, 211
+<BR> &nbsp; &nbsp; &nbsp;   error logging, installing Samba to support, 498
+<BR>syslog only option (smb.conf file), 215, 441
+<BR>syslog option (smb.conf file), 214, 441
+<BR>syslog.conf file, 212
+<BR>system group file, 283
+<BR>system policies, 152-156
+<BR> &nbsp; &nbsp; &nbsp;   Windows Me, 155
+<BR>System Policy Editor, 152-156
+<BR>System V Unix
+<BR> &nbsp; &nbsp; &nbsp;   automatically starting Samba daemons, 61
+<BR> &nbsp; &nbsp; &nbsp;   printers, 331
+
+<P><A NAME="T"><B>T</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%T variable, 192
+<BR>TCP, troubleshooting, 367
+<BR>tcpdump program, 360
+<BR> &nbsp; &nbsp; &nbsp;   download, 22
+<BR> &nbsp; &nbsp; &nbsp;   example, 22
+<BR>TCP/IP
+<BR> &nbsp; &nbsp; &nbsp;   adding to Windows 95/98/Me network, 76
+<BR> &nbsp; &nbsp; &nbsp;   configuring for Windows 2000, 100
+<BR> &nbsp; &nbsp; &nbsp;   configuring for Windows 95/98/Me, 78
+<BR> &nbsp; &nbsp; &nbsp;   configuring for Windows NT, 89
+<BR> &nbsp; &nbsp; &nbsp;   configuring for Windows XP, 110
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 88
+<BR>telnet, checking smbd with, 369
+<BR>template homedir option (smb.conf file), 314, 319, 441
+<BR>template shell option (smb.conf file), 314, 319, 442
+<BR>Temporary Internet Files folder, 143
+<BR>test utilities, troubleshooting with, 359-362
+<BR>testing Samba (see testparm program; troubleshooting Samba)
+<BR>testparm program, 41, 59, 125, 489
+<BR> &nbsp; &nbsp; &nbsp;   testing daemons with, 370
+<BR>testprns program, 41, 489
+<BR>Thompson, Robert Bruce, 87
+<BR>time offset option (smb.conf file), 341, 442
+<BR>time server option (smb.conf file), 341, 442
+<BR>time service, 340
+<BR> &nbsp; &nbsp; &nbsp;   configuring in Samba for network use, 124
+<BR>time synchronization, 339-342
+<BR>time to live (TTL), 424, 425
+<BR>timestamp logs option (smb.conf file), 214, 442
+<BR>timestamps
+<BR> &nbsp; &nbsp; &nbsp;   changing in logs, 407
+<BR> &nbsp; &nbsp; &nbsp;   importance of, 142
+<BR>time-synchronization options, 341-342
+<BR>total print jobs option (smb.conf file), 442
+<BR>trace command, 359
+<BR>translating between IP addresses or DNS names and NetBIOS names, 182
+<BR>tree identifier (TID), defined, 22
+<BR>Tridgell, Andrew, 2, 360
+<BR>troubleshooting Samba, 355-393
+<BR> &nbsp; &nbsp; &nbsp;   browsing, 377-383
+<BR> &nbsp; &nbsp; &nbsp;   fault tree, 362-391
+<BR> &nbsp; &nbsp; &nbsp;   hostnames, 384
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      long and short, 386
+<BR> &nbsp; &nbsp; &nbsp;   localhost issues, 388
+<BR> &nbsp; &nbsp; &nbsp;   low-level IP, 362-367
+<BR> &nbsp; &nbsp; &nbsp;   name services, 383-388
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS names, 390
+<BR> &nbsp; &nbsp; &nbsp;   network addresses, 388-390
+<BR> &nbsp; &nbsp; &nbsp;   server daemons, 368-371
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      checking smbd with telnet, 369
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      looking for daemon processes with ps, 368
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      looking for daemons bound to ports, 369
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      testing daemons with testparm, 370
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      tracking daemon startup, 368
+<BR> &nbsp; &nbsp; &nbsp;   SMB connections, 371-377
+<BR> &nbsp; &nbsp; &nbsp;   TCP, 367
+<BR> &nbsp; &nbsp; &nbsp;   testing
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      browsing the server from the client, 382
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      browsing with smbclient, 377
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      client browsing with net view, 381
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      clients with nmblookup, 380
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with net use, 374
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with ping, 364
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with smbclient, 373
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with Windows Explorer, 376
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      locally with smbclient, 372
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      name services with ping, 363
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      network software with ping, 363
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      network with nmblookup, 381
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      networking hardware with ping, 364
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      servers with nmblookup, 379
+<BR> &nbsp; &nbsp; &nbsp;   tools, 355
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      log files, 356-359
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ping, 363-367
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      test utilities, 359-362
+<BR> &nbsp; &nbsp; &nbsp;   unusual delays, 387
+<BR>truss command, 359
+<BR>trust relationships, 33
+<BR>trusted domains, 403
+<BR>tusc command, 359
+<BR>tutorials, Samba, 45
+<P><A NAME="U"><B>U</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%U variable, 192, 283
+<BR>%u variable, 140, 144, 192, 283
+<BR>umasks, 247
+<BR>UNC (Universal Naming Convention) defined, 6
+<BR>Unicode, 456
+<BR>uniform resource locators (see URLs)
+<BR>Unix
+<BR> &nbsp; &nbsp; &nbsp;   ACLs, 259
+<BR> &nbsp; &nbsp; &nbsp;   CIFS extensions, 37
+<BR> &nbsp; &nbsp; &nbsp;   configuring clients to access shared resources, 161-186
+<BR> &nbsp; &nbsp; &nbsp;   file permissions, 245-253
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      versus ACLs, 31
+<BR> &nbsp; &nbsp; &nbsp;   permission bits summary, 247
+<BR> &nbsp; &nbsp; &nbsp;   viewing processes, 8
+<BR>unix extensions option (smb.conf file), 442
+<BR>unix password sync option (smb.conf file), 300, 304, 442
+<BR>unix2dos program, 139, 170
+<BR>update encrypted option (smb.conf file), 306, 443
+<BR>upgrading Samba, 50, 51
+<BR>URLs, defined, 6
+<BR>use client driver option (smb.conf file), 443
+<BR>use mmap option (smb.conf file), 443
+<BR>use rhosts option (smb.conf file), 307, 443
+<BR>use sendfile option (smb.conf file), 443
+<BR>user accounting, 498
+<BR>USER environment variable, 167
+<BR>user ID (UID), 31
+<BR>user option (smb.conf file), 443
+<BR>USER.DAT file, 141
+<BR>user-level security, 290, 294
+<BR> &nbsp; &nbsp; &nbsp;   for Windows 95/98/Me, 129
+<BR> &nbsp; &nbsp; &nbsp;   versus share-level security, 162
+<BR>username level option (smb.conf file), 290, 444
+<BR>username map option (smb.conf file), 289, 444
+<BR>username option (smb.conf file), 293, 443
+<BR>users
+<BR> &nbsp; &nbsp; &nbsp;   account files in Windows, 29
+<BR> &nbsp; &nbsp; &nbsp;   adding new, 402
+<BR> &nbsp; &nbsp; &nbsp;   adding to
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 2000, 104
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me, 83
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT, 95
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows XP, 115
+<BR> &nbsp; &nbsp; &nbsp;   debugging particular, 407
+<BR> &nbsp; &nbsp; &nbsp;   deleting account automatically, 409
+<BR> &nbsp; &nbsp; &nbsp;   group membership, overriding, 413
+<BR> &nbsp; &nbsp; &nbsp;   multiple, adding in Unix, 284-285
+<BR> &nbsp; &nbsp; &nbsp;   single, adding in Unix, 282-284
+<BR> &nbsp; &nbsp; &nbsp;   specifying read-only access, 433
+<BR>users option (smb.conf file), 444
+<BR>/usr/local/etc/nsmb.conf file, 181
+<BR>utmp directory option (smb.conf file), 444
+<BR>utmp file, 498
+<BR>utmp option (smb.conf file), 444
+<P><A NAME="V"><B>V</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%v variable, 192
+<BR>valid chars option (smb.conf file), 346, 444
+<BR>valid users option (smb.conf file), 282, 287, 444
+<BR>variables used at runtime in smb.conf file (see smb.conf file, variables)
+<BR>veto files option (smb.conf file), 241, 244, 445
+<BR>veto oplock files option (smb.conf file), 269, 270, 273, 445
+<BR>vetoing files, 240-242
+<BR>vfs object option (smb.conf file), 445
+<BR>vfs options option (smb.conf file), 445
+<BR>vi text editor, 139
+<BR>vim text editor, 139
+<BR>virtual servers, 208
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 209
+<BR>volume option (smb.conf file), 203, 445
+<BR>VPN (virtual private network), 498
+
+<P><A NAME="W"><B>W</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>wbinfo program, 41, 489
+<BR>wide links option (smb.conf file), 242, 244, 445
+<BR>winbind, 37
+<BR> &nbsp; &nbsp; &nbsp;   authentication with, 307-319
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 317-319
+<BR> &nbsp; &nbsp; &nbsp;   configuring in smb.conf file, 309
+<BR> &nbsp; &nbsp; &nbsp;   installing, 308
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba to support, 499
+<BR> &nbsp; &nbsp; &nbsp;   RID mapping file, 310
+<BR> &nbsp; &nbsp; &nbsp;   verifying it's working properly, 310-313
+<BR>winbind cache time option (smb.conf file), 319, 445
+<BR>winbind enum groups option (smb.conf file), 446
+<BR>winbind enum users option (smb.conf file), 445
+<BR>winbind gid option (smb.conf file), 318, 446
+<BR>winbind separator option (smb.conf file), 317, 446
+<BR>winbind uid option (smb.conf file), 318, 446
+<BR>winbindd daemon, 39, 41, 454
+<BR>Windows
+<BR> &nbsp; &nbsp; &nbsp;   components, 69
+<BR> &nbsp; &nbsp; &nbsp;   configuring clients to access shared resources, 68-119
+<BR> &nbsp; &nbsp; &nbsp;   domain with a local master and local backup browser (diagram), 33
+<BR> &nbsp; &nbsp; &nbsp;   .ini files, 187
+<BR> &nbsp; &nbsp; &nbsp;   networking concepts, 68-76
+<BR> &nbsp; &nbsp; &nbsp;   operating systems and password format defaults, 296
+<BR> &nbsp; &nbsp; &nbsp;   printers, setting up, 8
+<BR> &nbsp; &nbsp; &nbsp;   registry settings and passwords, 74
+<BR> &nbsp; &nbsp; &nbsp;   user account files, 29
+<BR>Windows 2000
+<BR> &nbsp; &nbsp; &nbsp;   ACLs, 253-262
+<BR> &nbsp; &nbsp; &nbsp;   adding users, 104
+<BR> &nbsp; &nbsp; &nbsp;   bindings, 100
+<BR> &nbsp; &nbsp; &nbsp;   client connecting to Samba server, 107
+<BR> &nbsp; &nbsp; &nbsp;   computer names, 103
+<BR> &nbsp; &nbsp; &nbsp;   configuring for roaming profiles, 148
+<BR> &nbsp; &nbsp; &nbsp;   configuring TCP/IP, 100
+<BR> &nbsp; &nbsp; &nbsp;   DNS configuration, 101
+<BR> &nbsp; &nbsp; &nbsp;   domain logons, 133-135
+<BR> &nbsp; &nbsp; &nbsp;   identify node type, ipconfig /all command, 13
+<BR> &nbsp; &nbsp; &nbsp;   IP addresses, 100
+<BR> &nbsp; &nbsp; &nbsp;   LMHOSTS file, 102
+<BR> &nbsp; &nbsp; &nbsp;   networking components, 99
+<BR> &nbsp; &nbsp; &nbsp;   registry file, 141
+<BR> &nbsp; &nbsp; &nbsp;   security model (see ACLs)
+<BR> &nbsp; &nbsp; &nbsp;   servers
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      operating in native mode, 34
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      PDC emulation mode, 34
+<BR> &nbsp; &nbsp; &nbsp;   setting path to directory of roaming profiles, 420
+<BR> &nbsp; &nbsp; &nbsp;   setting up, 98-108
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 163
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting permissions, 165
+<BR> &nbsp; &nbsp; &nbsp;   WINS server, 101
+<BR> &nbsp; &nbsp; &nbsp;   workgroups, 103
+<BR>Windows 95/98/Me
+<BR> &nbsp; &nbsp; &nbsp;   accessing Samba server, 84
+<BR> &nbsp; &nbsp; &nbsp;   adding TCP/IP, 76
+<BR> &nbsp; &nbsp; &nbsp;   authentication, 28
+<BR> &nbsp; &nbsp; &nbsp;   bindings, 80
+<BR> &nbsp; &nbsp; &nbsp;   configuring for roaming profiles, 147
+<BR> &nbsp; &nbsp; &nbsp;   configuring TCP/IP, 78
+<BR> &nbsp; &nbsp; &nbsp;   DNS configuration, 79
+<BR> &nbsp; &nbsp; &nbsp;   domain logons, 128-131
+<BR> &nbsp; &nbsp; &nbsp;   identify node type, 13
+<BR> &nbsp; &nbsp; &nbsp;   IP addresses, 78
+<BR> &nbsp; &nbsp; &nbsp;   LMHOSTS file, 80
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS, 80
+<BR> &nbsp; &nbsp; &nbsp;   registry file, 141
+<BR> &nbsp; &nbsp; &nbsp;   security model, 253
+<BR> &nbsp; &nbsp; &nbsp;   setting computer name, 81
+<BR> &nbsp; &nbsp; &nbsp;   setting up, 76-87
+<BR> &nbsp; &nbsp; &nbsp;   setting workgroup, 81
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 162
+<BR> &nbsp; &nbsp; &nbsp;   system policies, 155
+<BR> &nbsp; &nbsp; &nbsp;   user-level security for, 129
+<BR> &nbsp; &nbsp; &nbsp;   username and password, 83
+<BR> &nbsp; &nbsp; &nbsp;   WINS configuration, 78
+<BR> &nbsp; &nbsp; &nbsp;   (see also Windows)
+<BR>Windows Explorer, testing connections with, 376
+<BR>Windows Internet Name Service (see WINS)
+<BR>Windows Internet Naming Service (WINS) Architecture and Capacity Planning, 218
+<BR>Windows Messenger Service, 346-348
+<BR>Windows NT
+<BR> &nbsp; &nbsp; &nbsp;   ACLs, 253-262
+<BR> &nbsp; &nbsp; &nbsp;   adding a user, 95
+<BR> &nbsp; &nbsp; &nbsp;   basic configuration, 87
+<BR> &nbsp; &nbsp; &nbsp;   bindings, 93
+<BR> &nbsp; &nbsp; &nbsp;   computer names, 93
+<BR> &nbsp; &nbsp; &nbsp;   configuring for roaming profiles, 148
+<BR> &nbsp; &nbsp; &nbsp;   configuring TCP/IP, 89
+<BR> &nbsp; &nbsp; &nbsp;   connecting to a Samba server, 96
+<BR> &nbsp; &nbsp; &nbsp;   DNS configuration, 92
+<BR> &nbsp; &nbsp; &nbsp;   domains, 120-160
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      logons, 131-133
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      overview, 29-34
+<BR> &nbsp; &nbsp; &nbsp;   identify node type, ipconfig /all command, 13
+<BR> &nbsp; &nbsp; &nbsp;   installing Workstation service, 89
+<BR> &nbsp; &nbsp; &nbsp;   IP addresses, 90
+<BR> &nbsp; &nbsp; &nbsp;   LMHOSTS file, 92
+<BR> &nbsp; &nbsp; &nbsp;   registry file, 141
+<BR> &nbsp; &nbsp; &nbsp;   security model, 30
+<BR> &nbsp; &nbsp; &nbsp;   security model (see ACLs)
+<BR> &nbsp; &nbsp; &nbsp;   setting path to directory of roaming profiles, 420
+<BR> &nbsp; &nbsp; &nbsp;   setting up, 87-98
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 163
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting permissions, 165
+<BR> &nbsp; &nbsp; &nbsp;   TCP/IP installing, 88
+<BR> &nbsp; &nbsp; &nbsp;   WINS server, 90
+<BR> &nbsp; &nbsp; &nbsp;   workgroups, 93
+<BR>Windows NT domain options, 158
+<BR>Windows Time Service, 340
+<BR>Windows Workgroups (see workgroups)
+<BR>Windows XP
+<BR> &nbsp; &nbsp; &nbsp;   ACLs, 253-262
+<BR> &nbsp; &nbsp; &nbsp;   adding users, 115
+<BR> &nbsp; &nbsp; &nbsp;   bindings, 110
+<BR> &nbsp; &nbsp; &nbsp;   computer names, 113
+<BR> &nbsp; &nbsp; &nbsp;   configuring for roaming profiles, 148
+<BR> &nbsp; &nbsp; &nbsp;   configuring TCP/IP, 110
+<BR> &nbsp; &nbsp; &nbsp;   connecting to Samba server, 116
+<BR> &nbsp; &nbsp; &nbsp;   DNS configuration, 111
+<BR> &nbsp; &nbsp; &nbsp;   domain logons, 135-137
+<BR> &nbsp; &nbsp; &nbsp;   Home version, problems in a domain environment, 135
+<BR> &nbsp; &nbsp; &nbsp;   identify node type, ipconfig /all command, 13
+<BR> &nbsp; &nbsp; &nbsp;   IP addresses, 111
+<BR> &nbsp; &nbsp; &nbsp;   LMHOSTS file, 112
+<BR> &nbsp; &nbsp; &nbsp;   networking components, 109
+<BR> &nbsp; &nbsp; &nbsp;   registry file, 141
+<BR> &nbsp; &nbsp; &nbsp;   security model (see ACLs)
+<BR> &nbsp; &nbsp; &nbsp;   setting path to directory of roaming profiles, 420
+<BR> &nbsp; &nbsp; &nbsp;   setting up, 109-119
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 163
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting permissions, 165
+<BR> &nbsp; &nbsp; &nbsp;   WINS server, 112
+<BR> &nbsp; &nbsp; &nbsp;   workgroups, 113
+<BR>winipcfg command (Windows 95/98/Me), 13
+<BR>WinPopup tool, 346
+<BR>.win_profile directory, 144
+<BR> &nbsp; &nbsp; &nbsp;   example, 145
+<BR>WINS, 32
+<BR> &nbsp; &nbsp; &nbsp;   client and a server interaction, 218
+<BR> &nbsp; &nbsp; &nbsp;   configuration, Windows 95/98/Me, 78
+<BR> &nbsp; &nbsp; &nbsp;   proxy, configuring, 221
+<BR> &nbsp; &nbsp; &nbsp;   replication, 38
+<BR> &nbsp; &nbsp; &nbsp;   support, smb.conf file, 71
+<BR>wins hook option (smb.conf file), 223, 446
+<BR>wins proxy option (smb.conf file), 221, 222, 446
+<BR>wins server option (smb.conf file), 220, 222, 446
+<BR>WINS servers
+<BR> &nbsp; &nbsp; &nbsp;   configuring a DNS proxy, 220
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba to use another, 220
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      configuration file example, 396
+<BR> &nbsp; &nbsp; &nbsp;   enabling Samba as, configuration file example, 395
+<BR> &nbsp; &nbsp; &nbsp;   multiple, 32
+<BR> &nbsp; &nbsp; &nbsp;   primary (see primary WINS server)
+<BR> &nbsp; &nbsp; &nbsp;   setting Samba as, 220
+<BR> &nbsp; &nbsp; &nbsp;   synchronization problems in Samba, 71
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 101
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 90
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 112
+<BR>wins support option (smb.conf file), 222, 447
+<BR>wins support parameter (smb.conf file), 220
+<BR>with feature option, configuring Samba, 47
+<BR>--with-acl-support (configure script option), 495
+<BR>--with-afs (configure script option), 495
+<BR>--with-automount (configure script option), 495
+<BR>--with-codepagedir (configure script option), 495
+<BR>--with-configdir (configure script option), 495
+<BR>--with-dce-dfs (configure script option), 495
+<BR>--with-fhs (configure script option), 495
+<BR>--with-included-popt (configure script option), 495
+<BR>--with-krb4 (configure script option), 495
+<BR>--with-krb5 (configure script option), 495
+<BR>--with-ldapsam (configure script option), 496
+<BR>--with-libiconv (configure script option), 496
+<BR>--with-libsmbclient (configure script option), 496
+<BR>--with-lockdir (configure script option), 496
+<BR>--with-logfilebase (configure script option), 496
+<BR>--with-manpages-langs (configure script option), 496
+<BR>--with-msdfs (configure script option), 47, 496
+<BR>--with-nisplus-home (configure script option), 496
+<BR>--with-nisplussam (configure script option), 496
+<BR>without feature option, configuring Samba, 47
+<BR>--with-pam (configure script option), 497
+<BR>--with-pam_smbpass (configure script option), 497
+<BR>--with-piddir (configure script option), 497
+<BR>--with-privatedir (configure script option), 497
+<BR>--with-profiling-data (configure script option), 497
+<BR>--with-quotas (configure script option), 497
+<BR>--with-readline (configure script option), 497
+<BR>--with-sendfile-support (configure script option), 497
+<BR>--with-smbmount (configure script option), 47, 498
+<BR>--with-smbwrapper (configure script option), 47, 498
+<BR>--with-spinlocks (configure script option), 498
+<BR>--with-ssl (configure script option), 498
+<BR>--with-sslinc (configure script option), 498
+<BR>--with-ssllib (configure script option), 498
+<BR>--with-swatdir (configure script option), 498
+<BR>--with-syslog (configure script option), 498
+<BR>--with-tdbsam (configure script option), 498
+<BR>--with-utmp (configure script option), 498
+<BR>--with-winbind (configure script option), 499
+<BR>workgroup option (smb.conf file), 447
+<BR>workgroup parameter (smb.conf file), 200
+<BR>workgroups, 26-29
+<BR> &nbsp; &nbsp; &nbsp;   adding first Samba server to, 396
+<BR> &nbsp; &nbsp; &nbsp;   defined, 15
+<BR> &nbsp; &nbsp; &nbsp;   problems related to, 29
+<BR> &nbsp; &nbsp; &nbsp;   spanning multiple subnets, 34
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 103
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 81
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 93
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 113
+<BR>Workstation service, installing on Windows NT, 89
+<BR>writable option (smb.conf file), 203, 447
+<BR>write cache size option (smb.conf file), 447
+<BR>write list option (smb.conf file), 286, 288, 447
+<BR>write ok option (smb.conf file), 203, 447
+<BR>write raw option (smb.conf file), 448
+<BR>writeable option (smb.conf file), 203, 447
+<P><A NAME="X"><B>X</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>XFS filesystem, 37
+<BR>xinetd daemon, 53
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+
+</body></html>
diff --git a/docs/htmldocs/using_samba/samba2_s.gif b/docs/htmldocs/using_samba/samba2_s.gif
new file mode 100644
index 0000000000..23d7e5ee64
--- /dev/null
+++ b/docs/htmldocs/using_samba/samba2_s.gif
diff --git a/docs/htmldocs/using_samba/samba2_xs.gif b/docs/htmldocs/using_samba/samba2_xs.gif
new file mode 100644
index 0000000000..e489480df6
--- /dev/null
+++ b/docs/htmldocs/using_samba/samba2_xs.gif
diff --git a/docs/htmldocs/using_samba/toc.html b/docs/htmldocs/using_samba/toc.html
new file mode 100644
index 0000000000..54d5c3f55f
--- /dev/null
+++ b/docs/htmldocs/using_samba/toc.html
@@ -0,0 +1,138 @@
+<html>
+<body bgcolor="#ffffff">
+
+<table border="0" cellpadding="4" cellspacing="4">
+<tr>
+<td>
+<img src="samba2_s.gif" border="0" height="190" width="145" alt="Using Samba, 
+2nd Edition" />
+</td>
+<td>
+<h2>Using Samba, 2nd Edition</h2>
+By Jay Ts, Robert Eckstein, and David Collier-Brown<br />
+2nd Edition, February 2003 <br />
+O'Reilly &amp; Associates, ISBN: 0-596-00256-4<br />
+<a href="http://www.oreilly.com/catalog/samba2/"><b>www.oreilly.com/catalog/samba2/</b></a>
+</td>
+</tr>
+</table>
+
+<blockquote>
+<h2>Table of Contents</h2>
+
+<P><B><a href="ch00.html">Preface</a></B>
+
+<P><B><a href="ch01.html">1. Learning the Samba</a></B>
+<BR> &nbsp; &nbsp; &nbsp;What Is Samba? 
+<BR> &nbsp; &nbsp; &nbsp;What Can Samba Do for Me? 
+<BR> &nbsp; &nbsp; &nbsp;Getting Familiar with an SMB Network 
+<BR> &nbsp; &nbsp; &nbsp;An Introduction to the SMB Protocol 
+<BR> &nbsp; &nbsp; &nbsp;Windows Workgroups and Domains 
+<BR> &nbsp; &nbsp; &nbsp;What's New in Samba 2.2? 
+<BR> &nbsp; &nbsp; &nbsp;What's New in Samba 3.0? 
+<BR> &nbsp; &nbsp; &nbsp;What Can Samba Do? 
+<BR> &nbsp; &nbsp; &nbsp;An Overview of the Samba Distribution 
+<BR> &nbsp; &nbsp; &nbsp;How Can I Get Samba? 
+
+<P><B><a href="ch02.html">2. Installing Samba on a Unix System</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Bundled Versions 
+<BR> &nbsp; &nbsp; &nbsp;Downloading the Samba Distribution 
+<BR> &nbsp; &nbsp; &nbsp;Configuring Samba 
+<BR> &nbsp; &nbsp; &nbsp;Compiling and Installing Samba 
+<BR> &nbsp; &nbsp; &nbsp;Enabling SWAT 
+<BR> &nbsp; &nbsp; &nbsp;A Basic Samba Configuration File 
+<BR> &nbsp; &nbsp; &nbsp;Firewall Configuration 
+<BR> &nbsp; &nbsp; &nbsp;Starting the Samba Daemons 
+<BR> &nbsp; &nbsp; &nbsp;Testing the Samba Daemons 
+
+<P><B><a href="ch03.html">3. Configuring Windows Clients</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Windows Networking Concepts 
+<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows 95/98/Me Computers 
+<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows NT 4.0 Computers 
+<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows 2000 Computers 
+<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows XP Computers 
+
+<P><B><a href="ch04.html">4. Windows NT Domains</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Samba as the Primary Domain Controller 
+<BR> &nbsp; &nbsp; &nbsp;Adding Computer Accounts 
+<BR> &nbsp; &nbsp; &nbsp;Configuring Windows Clients for Domain Logons 
+<BR> &nbsp; &nbsp; &nbsp;Logon Scripts 
+<BR> &nbsp; &nbsp; &nbsp;Roaming Profiles 
+<BR> &nbsp; &nbsp; &nbsp;System Policies 
+<BR> &nbsp; &nbsp; &nbsp;Samba as a Domain Member Server 
+<BR> &nbsp; &nbsp; &nbsp;Windows NT Domain Options 
+
+<P><B><a href="ch05.html">5. Unix Clients</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Sharing Files on Windows 95/98/Me 
+<BR> &nbsp; &nbsp; &nbsp;Sharing Files on Windows NT/2000/XP 
+<BR> &nbsp; &nbsp; &nbsp;smbclient 
+<BR> &nbsp; &nbsp; &nbsp;smbfs 
+<BR> &nbsp; &nbsp; &nbsp;smbsh 
+<BR> &nbsp; &nbsp; &nbsp;smbutil and mount_smbfs 
+
+<P><B><a href="ch06.html">6. The Samba Configuration File</a></B>
+<BR> &nbsp; &nbsp; &nbsp;The Samba Configuration File 
+<BR> &nbsp; &nbsp; &nbsp;Special Sections 
+<BR> &nbsp; &nbsp; &nbsp;Configuration Options 
+<BR> &nbsp; &nbsp; &nbsp;Server Configuration 
+<BR> &nbsp; &nbsp; &nbsp;Disk Share Configuration 
+<BR> &nbsp; &nbsp; &nbsp;Networking Options with Samba 
+<BR> &nbsp; &nbsp; &nbsp;Virtual Servers 
+<BR> &nbsp; &nbsp; &nbsp;Logging Configuration Options 
+
+<P><B><a href="ch07.html">7. Name Resolution and Browsing</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Name Resolution 
+<BR> &nbsp; &nbsp; &nbsp;Browsing 
+
+<P><B><a href="ch08.html">8. Advanced Disk Shares</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Filesystem Differences 
+<BR> &nbsp; &nbsp; &nbsp;File Permissions and Attributes on MS-DOS and Unix 
+<BR> &nbsp; &nbsp; &nbsp;Windows NT/2000/XP ACLs 
+<BR> &nbsp; &nbsp; &nbsp;Name Mangling and Case 
+<BR> &nbsp; &nbsp; &nbsp;Locks and Oplocks 
+<BR> &nbsp; &nbsp; &nbsp;Connection Scripts 
+<BR> &nbsp; &nbsp; &nbsp;Microsoft Distributed Filesystems 
+<BR> &nbsp; &nbsp; &nbsp;Working with NIS 
+
+<P><B><a href="ch09.html">9. Users and Security</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Users and Groups 
+<BR> &nbsp; &nbsp; &nbsp;Controlling Access to Shares 
+<BR> &nbsp; &nbsp; &nbsp;Authentication of Clients 
+<BR> &nbsp; &nbsp; &nbsp;Passwords 
+<BR> &nbsp; &nbsp; &nbsp;Authentication with winbind 
+
+<P><B><a href="ch10.html">10. Printing</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Sending Print Jobs to Samba 
+<BR> &nbsp; &nbsp; &nbsp;Printing to Windows Printers 
+
+<P><B><a href="ch11.html">11. Additional Samba Information</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Time Synchronization 
+<BR> &nbsp; &nbsp; &nbsp;Magic Scripts 
+<BR> &nbsp; &nbsp; &nbsp;Internationalization 
+<BR> &nbsp; &nbsp; &nbsp;Windows Messenger Service 
+<BR> &nbsp; &nbsp; &nbsp;Miscellaneous Options 
+
+<P><B><a href="ch12.html">12. Troubleshooting Samba</a></B>
+<BR> &nbsp; &nbsp; &nbsp;The Tool Box 
+<BR> &nbsp; &nbsp; &nbsp;The Fault Tree 
+<BR> &nbsp; &nbsp; &nbsp;Extra Resources 
+
+<P><B><a href="appa.html">Appendix A. Example Configuration Files</a></B>
+
+<P><B><a href="appb.html">Appendix B. Samba Configuration Option Quick Reference</a></B>
+
+<P><B><a href="appc.html">Appendix C. Summary of Samba Daemons and Commands</a></B>
+
+<P><B><a href="appd.html">Appendix D. Downloading Samba with CVS</a></B>
+
+<P><B><a href="appe.html">Appendix E. Configure Options</a></B>
+
+<P><B><a href="appf.html">Appendix F. Running Samba on Mac OS X Server</a></B>
+
+<P><B><a href="appg.html">Appendix G. GNU Free Documentation License</a></B>
+
+<P><B><a href="inx.html">Index</a></B>
+</blockquote>
+
+</body>
+</html>