summaryrefslogtreecommitdiff
path: root/docs/htmldocs/using_samba
diff options
context:
space:
mode:
Diffstat (limited to 'docs/htmldocs/using_samba')
-rw-r--r--docs/htmldocs/using_samba/appa.html362
-rw-r--r--docs/htmldocs/using_samba/appb.html1840
-rw-r--r--docs/htmldocs/using_samba/appc.html4534
-rw-r--r--docs/htmldocs/using_samba/appd.html82
-rw-r--r--docs/htmldocs/using_samba/appe.html826
-rw-r--r--docs/htmldocs/using_samba/appf.html780
-rw-r--r--docs/htmldocs/using_samba/appg.html500
-rw-r--r--docs/htmldocs/using_samba/ch00.html368
-rw-r--r--docs/htmldocs/using_samba/ch01.html3193
-rw-r--r--docs/htmldocs/using_samba/ch02.html1849
-rw-r--r--docs/htmldocs/using_samba/ch03.html2086
-rw-r--r--docs/htmldocs/using_samba/ch04.html2556
-rw-r--r--docs/htmldocs/using_samba/ch05.html1779
-rw-r--r--docs/htmldocs/using_samba/ch06.html2727
-rw-r--r--docs/htmldocs/using_samba/ch07.html2139
-rw-r--r--docs/htmldocs/using_samba/ch08.html3744
-rw-r--r--docs/htmldocs/using_samba/ch09.html3448
-rw-r--r--docs/htmldocs/using_samba/ch10.html1695
-rw-r--r--docs/htmldocs/using_samba/ch11.html2123
-rw-r--r--docs/htmldocs/using_samba/ch12.html3341
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0101.gifbin7665 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0102.gifbin21795 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0103.gifbin10700 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0104.gifbin13928 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0105.gifbin18031 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0106.gifbin17191 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0107.gifbin11492 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0108.gifbin18629 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0109.gifbin18727 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0110.gifbin4794 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0111.gifbin5251 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0112.gifbin7330 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0113.gifbin10850 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0114.gifbin22017 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0201.gifbin8734 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0202.gifbin35825 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0203.gifbin35921 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0204.gifbin73792 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0301.gifbin7580 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0302.gifbin5703 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0303.gifbin14966 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0304.gifbin10735 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0305.gifbin14728 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0306.gifbin18300 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0307.gifbin13970 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0308.gifbin14879 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0309.gifbin15071 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0310.gifbin11721 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0311.gifbin11759 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0312.gifbin17058 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0313.gifbin8350 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0314.gifbin12776 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0315.gifbin15011 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0316.gifbin20310 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0317.gifbin15084 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0318.gifbin17269 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0319.gifbin15653 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0320.gifbin9507 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0321.gifbin10245 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0322.gifbin11067 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0323.gifbin10528 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0324.gifbin13707 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0325.gifbin12024 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0326.gifbin13686 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0327.gifbin16603 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0328.gifbin8453 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0329.gifbin14858 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0330.gifbin17140 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0331.gifbin10450 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0332.gifbin7011 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0333.gifbin3784 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0334.gifbin5820 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0335.gifbin5928 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0336.gifbin16622 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0337.gifbin17157 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0338.gifbin15670 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0339.gifbin12941 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0340.gifbin10493 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0341.gifbin9531 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0342.gifbin16674 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0343.gifbin17796 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0344.gifbin20926 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0345.gifbin19423 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0346.gifbin15320 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0347.gifbin7563 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0348.gifbin7634 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0349.gifbin26522 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0350.gifbin35358 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0351.gifbin29480 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0352.gifbin25568 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0353.gifbin22024 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0354.gifbin18138 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0355.gifbin47008 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0356.gifbin20807 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0357.gifbin33800 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0358.gifbin24628 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0359.gifbin24233 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0360.gifbin13343 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0361.gifbin13356 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0401.gifbin24274 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0402.gifbin11721 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0403.gifbin8500 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0404.gifbin10769 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0405.gifbin14430 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0406.gifbin10133 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0407.gifbin24997 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0408.gifbin11005 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0409.gifbin17776 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0410.gifbin22502 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0411.gifbin28112 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0412.gifbin17096 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0413.gifbin16881 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0414.gifbin7370 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0415.gifbin15906 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0416.gifbin10504 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0417.gifbin18004 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0501.gifbin11580 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0502.gifbin12753 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0503.gifbin11949 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0504.gifbin16743 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0505.gifbin16510 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0506.gifbin32191 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0507.gifbin25309 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0508.gifbin40920 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0601.gifbin6044 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0602.gifbin13383 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0603.gifbin13631 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0604.gifbin8752 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0605.gifbin14388 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0701.gifbin13517 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0801.gifbin35667 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0802.gifbin6906 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0803.gifbin17604 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0804.gifbin17326 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0805.gifbin19273 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0806.gifbin14242 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0807.gifbin15799 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0808.gifbin15894 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0809.gifbin19323 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0810.gifbin20065 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0811.gifbin12228 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0901.gifbin11925 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0902.gifbin6760 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_0903.gifbin4640 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_1001.gifbin12687 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_1002.gifbin15746 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_1003.gifbin26173 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_1004.gifbin8851 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_1005.gifbin11687 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_1006.gifbin13955 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_1101.gifbin14447 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_1102.gifbin5408 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_af01.gifbin54745 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_af02.gifbin42621 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_af03.gifbin32704 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_af04.gifbin57137 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_af05.gifbin46773 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_af06.gifbin53929 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/figs/sam2_af07.gifbin50762 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/inx.html1814
-rw-r--r--docs/htmldocs/using_samba/samba2_s.gifbin9733 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/samba2_xs.gifbin4172 -> 0 bytes
-rw-r--r--docs/htmldocs/using_samba/toc.html138
163 files changed, 0 insertions, 41924 deletions
diff --git a/docs/htmldocs/using_samba/appa.html b/docs/htmldocs/using_samba/appa.html
deleted file mode 100644
index 9f3dc4b56f..0000000000
--- a/docs/htmldocs/using_samba/appa.html
+++ /dev/null
@@ -1,362 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-<h1 class="head0">Appendix A. Example Configuration Files</h1>
-
-
-<p>Earlier in this book, we provided information on how to set
-parameters inside the Samba configuration file, but rarely have we
-shown an example of a complete file that can actually be used to run
-a server. In this appendix, we provide examples of complete
-configuration files for running Samba in the various modes
-we've discussed. Using one of these examples, you
-can run Samba as a workgroup authentication server, workgroup server,
-primary domain controller, or domain member server.</p>
-
-<p>We have kept the examples simple so that they have the most universal
-application. They can be used as starting templates, which you can
-easily modify to fit your own needs, to get a Samba server up and
-running with minimal delay. The comments inside the files indicate
-what needs to be changed, and how, to work on a particular system on
-your network.</p>
-
-
-
-<div class="sect1"><a name="samba2-APP-A-SECT-1"/>
-
-<h2 class="head1">Samba in a Workgroup</h2>
-
-<p>If your network is configured as a workgroup, adding a Samba server
-is pretty simple. Samba even lets you add features, such as
-user-level security and WINS, that would normally require an
-expensive Windows NT/2000 Server.</p>
-
-
-<div class="sect2"><a name="samba2-APP-A-SECT-1.1"/>
-
-<h3 class="head2">Authentication and WINS Server</h3>
-
-<p>In a workgroup environment, Samba can be set up with share-level
-security and without offering WINS name service. This works and is
-simple, but we generally recommend that user-level security be
-enabled to allow Windows 95/98/Me systems to make use of it. Also, it
-only takes a single parameter to enable Samba as a WINS server,
-resulting in far better network efficiency.
-<a name="INDEX-1"/><a name="INDEX-2"/><a name="INDEX-3"/>Here is the configuration file
-that does it:</p>
-
-<blockquote><pre class="code">[global]
- # replace &quot;toltec&quot; with your system's hostname
-
- netbios name = toltec
-
- # replace &quot;METRAN&quot; with the name of your workgroup
-
- workgroup = METRAN
-
- security = user
- encrypt passwords = yes
-
- # Run a WINS server
-
- wins support = yes
-
- # The following three lines ensure that the Samba
- # server will maintain the role of master browser.
- # Make sure no other Samba server has its OS level
- # set higher than it is here.
-
- local master = yes
- preferred master = yes
- os level = 65
-
-# Make home directories on the server available to users.
-
-[homes]
- comment = %u's Home Directory
- browsable = no
- read only = no
- map archive = yes
-
-# This is a shared directory, accessible by all
-# users. Use your own share name and path.
-
-[d]
- path = /d
- create mask = 0700
- read only = no</pre></blockquote>
-
-<p>Generally, you will use a configuration file similar to this one when
-<a name="INDEX-4"/><a name="INDEX-5"/>adding your first Samba server to the
-workgroup.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-A-SECT-1.2"/>
-
-<h3 class="head2">Workgroup Server</h3>
-
-<p><a name="INDEX-6"/><a name="INDEX-7"/>Things are a
-little different if another system&mdash;either a Samba server or
-Windows NT/2000 server&mdash;is already handling WINS and/or
-authentication. In this case, Samba is configured to use that server
-for WINS. Here is a configuration file that does this:</p>
-
-<blockquote><pre class="code">[global]
- # replace &quot;mixtec&quot; with your system's hostname
-
- netbios name = mixtec
-
- # replace &quot;METRAN&quot; with your workgroup name
-
- workgroup = METRAN
-
- security = user
- encrypt passwords = yes
-
- # Replace &quot;172.16.1.1&quot; with the IP address
- # of your WINS server. If there is none,
- # omit this line.
-
- wins server = 172.16.1.1
-
- # The OS level is set to 17 to allow
- # this system to win over all Windows
- # versions, but not the Samba server
- # that uses the configuration file
- # in the previous section.
-
- os level = 17
-
-[homes]
- comment = %u's Home Directory
- browsable = no
- read only = no
-
-# This is a shared directory, accessible by all
-# users. Use your own share name and path.
-
-[d]
- path = /d
- create mask = 0700
- read only = no</pre></blockquote>
-
-<p>Once you have a server in your workgroup handling authentication and
-WINS, this is the configuration file to use when adding additional
-Samba servers to the workgroup.</p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-APP-A-SECT-2"/>
-
-<h2 class="head1">Samba in a Windows NT Domain</h2>
-
-<p>When operating in a Windows NT domain, Samba can act either as a
-primary domain controller or as a domain member server.</p>
-
-
-<div class="sect2"><a name="samba2-APP-A-SECT-2.1"/>
-
-<h3 class="head2">Primary Domain Controller</h3>
-
-<p><a name="INDEX-8"/><a name="INDEX-9"/>Setting up Samba as a primary domain
-controller is more complicated than the other configurations.
-However, the extra difficulty is offset by having a more secure
-network and additional features such as logon scripts and roaming
-profiles. In the following configuration file, we also include
-support for a Microsoft Dfs share:</p>
-
-<blockquote><pre class="code">[global]
- # Replace &quot;toltec&quot; with the hostname of your system.
-
- netbios name = toltec
-
- # Replace &quot;METRAN&quot; with the name of your Windows NT domain.
-
- workgroup = METRAN
-
- # Run a WINS server
-
- wins support = yes
-
- # Always act as the local master browser
- # and domain master browser. Do not allow
- # any other system to take over these roles!
-
- domain master = yes
- local master = yes
- preferred master = yes
- os level = 255
-
- # Perform domain authentication.
-
- security = user
- encrypt passwords = yes
- domain logons = yes
-
- # The location of user profiles for Windows NT/2000/XP.
-
- logon path = \\%L\profiles\%u\%m
-
- # Users' Windows home directories and storage of Win95/98/Me roaming profiles.
-
- logon drive = G:
- logon home = \\toltec\%u\.win_profile\%m
-
- # The following line is optional because
- # Samba always offers NetBIOS time service.
- # This causes it to also be advertised:
-
- time server = yes
-
- # The logon script used for all users,
- # Relative to [netlogon] share directory.
-
- logon script = logon.bat
-
- # The group identifying administrative users.
- # If you have domain users in the Domain Admins
- # group, use them here instead of &quot;jay&quot;.
-
- domain admin group = root jay
-
- # For adding machine accounts automatically.
- # This example works on Linux. For other host
- # operating systems, you might need a different
- # command.
-
- add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
-
- # Provide Microsoft Dfs support.
-
- host msdfs = yes
-
-# The netlogon share is required for
-# functioning as the primary domain controller.
-# Make sure the directory used for the path exists.
-
-[netlogon]
- path = /usr/local/samba/lib/netlogon
- writable = no
- browsable = no
-
-# The profiles share is for storing
-# Windows NT/2000/XP roaming profiles.
-# Use your own path, and make sure
-# the directory exists.
-
-[profiles]
- path = /home/samba-ntprof
- writable = yes
- create mask = 0600
- directory mask = 0700
- browsable = no
-
-[homes]
- comment = Home Directory
- browsable = no
- read only = no
- map archive = yes
-
-# The Dfs share.
-# Use your own path, making
-# sure the directory exists.
-
-[dfs]
- comment = Dfs share
- path = /usr/local/samba/dfs
- msdfs root = yes
-
-# A shared directory, accessible by all domain users.
-# Use your own share name and path.
-
-[d]
- comment = %u's Home Directory
- path = /d
- create mask = 0700
- read only = no</pre></blockquote>
-
-<p>See <a href="ch04.html">Chapter 4</a> for more information on configuring
-Samba as a primary domain controller, and see <a href="ch08.html">Chapter 8</a> for more information about setting up a
-Microsoft Dfs share. <a name="INDEX-10"/><a name="INDEX-11"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-A-SECT-2.2"/>
-
-<h3 class="head2">Domain Member Server</h3>
-
-<p><a name="INDEX-12"/><a name="INDEX-13"/>In a domain that
-already has either a Samba PDC or Windows NT/2000 Server PDC,
-additional Samba servers can be added as domain member servers using
-the following configuration file:</p>
-
-<blockquote><pre class="code">[global]
- # Replace &quot;mixtec&quot; with the system's hostname.
-
- netbios name = mixtec
-
- # Replace &quot;METRAN&quot; with the name of your domain.
-
- workgroup = METRAN
-
- # Replace &quot;172.16.1.1&quot; with the
- # IP address of your WINS server.
-
- wins server = 172.16.1.1
-
- os level = 33
-
- security = domain
- encrypt passwords = yes
- password server = *
-
-# Home directories.
-
-[homes]
- comment = %u's Home Directory
- browsable = no
- read only = no
- map archive = yes
-
-# This is an example printers
-# share, which works for Linux.
-
-[printers]
- printable = yes
- printing = BSD
- print command = /usr/bin/lpr -P%p %s
- path = /var/tmp
- min print space = 2000
-
-# A shared directory, accessible by all domain users.
-# Use your own share name and path.
-
-[d]
- path = /d
- create mask = 0755
- read only = no</pre></blockquote>
-
-<p>See <a href="ch10.html">Chapter 10</a> for more information on sharing
-printers with Samba.</p>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-</body></html>
diff --git a/docs/htmldocs/using_samba/appb.html b/docs/htmldocs/using_samba/appb.html
deleted file mode 100644
index 9cb6d957a8..0000000000
--- a/docs/htmldocs/using_samba/appb.html
+++ /dev/null
@@ -1,1840 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Appendix B. Samba Configuration Option Quick Reference</h1>
-
-
-<p>The first section of this appendix lists each option that can be used
-in a Samba configuration file, which is usually named
-<em class="filename">smb.conf</em>. Most configuration files contain a
-global section of options that apply to all services (shares) and a
-separate section for various individual shares. If an option applies
-only to the global section, <tt class="literal">[global]</tt> appears to
-the right of its name in the following reference section.</p>
-
-<p>Except where noted, when specifying elements of a list, the elements
-can be separated by spaces, tabs, commas, semicolons, escaped
-newlines, or escaped carriage returns.</p>
-
-<p>Following this reference section is a glossary of value types, and a
-list of variables Samba recognizes.</p>
-
-
-
-<div class="sect1"><a name="samba2-APP-B-SECT-1"/>
-
-<h2 class="head1">Configuration File Options</h2>
-
-</div>
-
-
-<a name="INDEX-1"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>abort shutdown script = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that stops the shutdown procedure started by
-<tt class="literal">shutdown script</tt>. The command will be run with the
-UID of the connected user. New in Samba 3.0.</p></div>
-<a name="INDEX-2"/><a name="INDEX-3"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add printer command = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that creates a new
-<a name="INDEX-3"/>printer on the system hosting the Samba
-server. This command runs as <tt class="literal">root</tt> when the Windows
-NT/2000/XP Add Printer Wizard is run. The command will be passed a
-printer name, share name, port name, driver name, Windows NT/2000/XP
-driver location, and Windows 95/98/Me driver location, in that order.
-It will need to add the printer to the system and a share definition
-for the printer to <em class="filename">smb.conf.</em> See also
-<tt class="literal">add printer wizard</tt>, <tt class="literal">printing</tt>,
-and <tt class="literal">show add printer wizard</tt>.</p></div>
-<a name="INDEX-4"/><a name="INDEX-5"/><a name="INDEX-6"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add machine script = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that adds a computer to the Samba
-server's <a name="INDEX-5"/><a name="INDEX-6"/>domain. New in Samba 3.0.</p></div>
-<a name="INDEX-7"/><a name="INDEX-8"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add share command = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that creates a new
-<a name="INDEX-8"/>share on the Samba server. This command
-runs as <tt class="literal">root</tt> when a share is created using the
-Windows NT/2000/XP Server Manager. The client user must be logged on
-as the <tt class="literal">root</tt> user. The command will be passed the
-name of the Samba configuration file, the name of the share to be
-created, the full pathname of a directory on the Samba server (which
-must already exist), and a string to use as a comment for the share,
-in that order. The command must add a share definition for the share
-to <em class="filename">smb.conf.</em> See also <tt class="literal">add printer
-command</tt>, for adding a print share.</p></div>
-<a name="INDEX-9"/><a name="INDEX-10"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add user script = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that creates a new
-<a name="INDEX-10"/>user on the system hosting the Samba
-server. This command runs as <tt class="literal">root</tt> when access to a
-Samba share is attempted by a Windows user who does not have an
-account on the hosting system, but does have an account maintained by
-a primary domain controller on a different system. The command should
-accept the name of the user as a single argument that matches the
-behavior of typical <em class="emphasis">adduser</em> commands. Samba
-honors the <tt class="literal">%u</tt> value (username) as the argument to
-the command. Requires <tt class="literal">security</tt>
-<tt class="literal">=</tt> <tt class="literal">server</tt> or
-<tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">domain</tt>. See also <tt class="literal">delete user</tt>
-<tt class="literal">script</tt>.</p></div>
-<a name="INDEX-11"/><a name="INDEX-12"/><a name="INDEX-13"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>admin users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p><a name="INDEX-12"/>Specifies users who will be granted
-<a name="INDEX-13"/><tt class="literal">root</tt>
-permissions on the share by Samba.</p></div>
-<a name="INDEX-14"/><a name="INDEX-15"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ads server = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: DNS hostname or IP address</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies the <a name="INDEX-15"/>Active Directory server, used by
-Samba 3.0 for authenticating clients. Requires
-<tt class="literal">security</tt> <tt class="literal">= ads</tt>. New in Samba
-3.0.</p></div>
-<a name="INDEX-16"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>algorithmic rid base = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 1000</p><p>Specifies the base value that Samba uses when calculating Windows
-domain security identifier equivalents to Unix UIDs. See also
-<tt class="literal">non unix account range</tt>. New in Samba 3.0.</p></div>
-<a name="INDEX-17"/><a name="INDEX-18"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>allow hosts = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies systems that can connect to the share or
-<a name="INDEX-18"/>shares. If NULL, any
-system can access the share unless there is a <tt class="literal">hosts
-deny</tt> option. Synonym for <tt class="literal">hosts</tt>
-<tt class="literal">allow</tt>.</p></div>
-<a name="INDEX-19"/><a name="INDEX-20"/><a name="INDEX-21"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>allow trusted domains = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows access to users who lack accounts on the Samba server but have
-accounts in another, trusted <a name="INDEX-20"/><a name="INDEX-21"/>domain.
-Requires <tt class="literal">security</tt> <tt class="literal">= server</tt> or
-<tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">domain</tt>.</p></div>
-<a name="INDEX-22"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>announce as = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NT, Win95, Wf W</p><p><b class="emphasis-bold">Default</b>: NT</p><p>Has Samba announce itself as something other than an NT server.
-Discouraged because it interferes with serving browse lists.</p></div>
-<a name="INDEX-23"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>announce version = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: two numbers separated by a dot character</p><p><b class="emphasis-bold">Default</b>: 4.5</p><p>Instructs Samba to announce itself as a different version SMB server.
-Discouraged.</p></div>
-<a name="INDEX-24"/><a name="INDEX-25"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>auth methods = list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: guest, sam, ntdomain</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies what methods Samba tries in turn to
-<a name="INDEX-25"/>authenticate users. New in Samba
-3.0.</p></div>
-<a name="INDEX-26"/><a name="INDEX-27"/><a name="INDEX-28"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>auto services = service list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: service list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of <a name="INDEX-27"/><a name="INDEX-28"/>shares that always appear in
-browse lists. Also called <tt class="literal">preload</tt>.</p></div>
-<a name="INDEX-29"/><a name="INDEX-30"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>available = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to NO, denies access to a share. The
-<a name="INDEX-30"/>share appears in the browse list, but
-attempts to access it will fail.</p></div>
-<a name="INDEX-31"/><a name="INDEX-32"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>bind interfaces only = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, shares and browsing are provided only on interfaces in
-an <a name="INDEX-32"/>interfaces list (see
-<tt class="literal">interfaces</tt>). If you set this option to YES, be
-sure to add 127.0.0.1 to the interfaces list to allow
-<em class="emphasis">smbpasswd</em> to connect to the local system to
-change passwords. This is a convenience option; it does not improve
-security.</p></div>
-<a name="INDEX-33"/><a name="INDEX-34"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>block size = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 1024</p><p>Sets the size of disk blocks as reported by <em class="emphasis">smbd</em>
-to the client. <a name="INDEX-34"/>Obsolete
-starting with Samba 3.0.</p></div>
-<a name="INDEX-35"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>blocking locks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, honors byte range lock requests with time limits. Samba will
-queue the requests and retry them until the time period expires.</p></div>
-<a name="INDEX-36"/><a name="INDEX-37"/><a name="INDEX-38"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>browsable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p><a name="INDEX-37"/><a name="INDEX-38"/>Allows a share to be announced
-in browse lists. Also called <tt class="literal">browseable</tt>.</p></div>
-<a name="INDEX-39"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>browse list = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, serves the browse list to other systems on the network. Avoid
-changing.</p></div>
-<a name="INDEX-40"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>browseable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Synonym for <tt class="literal">browsable</tt>.</p></div>
-<a name="INDEX-41"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>case sensitive = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, uses the exact case the client supplied when trying to
-resolve a filename. If NO, matches either upper- or lowercase name.
-Avoid changing. Also called <tt class="literal">casesignames</tt>.</p></div>
-<a name="INDEX-42"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>casesignames = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Synonym for <tt class="literal">case</tt> <tt class="literal">sensitive</tt>.</p></div>
-<a name="INDEX-43"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>change notify timeout = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive number</p><p><b class="emphasis-bold">Default</b>: 60</p><p>Sets the number of seconds between checks when a client asks for
-notification of changes in a directory. Avoid lowering.</p></div>
-<a name="INDEX-44"/><a name="INDEX-45"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>change share command = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that modifies a
-<a name="INDEX-45"/>share
-definition on the Samba server. This command runs as
-<tt class="literal">root</tt> when a share is created using the Windows
-NT/2000/XP Server Manager. The client user must be logged on as the
-<tt class="literal">root</tt> user. The command is passed the name of the
-Samba configuration file, the name of the share to be modified, the
-full pathname of a directory on the Samba server (which must already
-exist), and a string to use as a comment for the share, in that
-order. The command modifies the share definition for the share in
-<em class="filename">smb.conf.</em> See also <tt class="literal">add share
-command</tt> and <tt class="literal">delete share command</tt>.</p></div>
-<a name="INDEX-46"/><a name="INDEX-47"/><a name="INDEX-48"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>character set = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: ISO8859-1, ISO8859-2, ISO8859-5, KOI8-R</p><p><b class="emphasis-bold">Default</b>: NULL</p><p><a name="INDEX-47"/>If set, translates from DOS code
-pages to the Western European (ISO8859-1), Eastern European
-(ISO8859-2), Russian Cyrillic (ISO8859-5), or Alternate Russian
-(KOI8-R) character set. The <tt class="literal">client</tt>
-<tt class="literal">code</tt> <tt class="literal">page</tt> option must be set to
-850. <a name="INDEX-48"/>Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-49"/><a name="INDEX-50"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>client code page = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: see <a href="ch11.html#samba2-CHP-11-TABLE-4">Table 11-4</a> in <a href="ch11.html">Chapter 11</a></p><p><b class="emphasis-bold">Default</b>: 850 (MS-DOS Latin 1)</p><p>Sets the DOS code page explicitly, overriding any previous
-<tt class="literal">valid</tt> <tt class="literal">chars</tt> settings. Examples
-of values are 850 for Western European, 437 for the U.S. standard,
-and 932 for Japanese Shift-JIS. <a name="INDEX-50"/>Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-51"/><a name="INDEX-52"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>code page directory = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full directory name</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/lib/codepages</em></p><p>Specifies the directory that stores code pages.
-<a name="INDEX-52"/>Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-53"/><a name="INDEX-54"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>coding system = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: euc, cap, hex, hexN, sjis, j8bb, j8bj, jis8, j8bh,
-j8@b, j8@j,j8@h, j7bb, j7bj, jis7, j7bh, j7@b, j7@j, j7@h, jubb,
-jubj, junet, jubh, ju@b, ju@j, ju@h</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the coding system used, notably for Kanji. This is employed for
-filenames and should correspond to the code page in use. The
-<tt class="literal">client</tt> <tt class="literal">code</tt>
-<tt class="literal">page</tt> option must be set to 932 ( Japanese
-Shift-JIS). <a name="INDEX-54"/>Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-55"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>comment = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: string</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the comment corresponding to a share. The comment appears in
-places such as a <em class="emphasis">net view</em> listing or through the
-Network Neighborhood. See also the <tt class="literal">server</tt>
-<tt class="literal">string</tt> configuration option.</p></div>
-<a name="INDEX-56"/><a name="INDEX-57"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>config file = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: \filename</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Selects a new Samba <a name="INDEX-57"/>configuration file to read instead of the
-current one. Used to relocate the configuration file or used with
-<tt class="literal">%</tt> variables to select custom configuration files
-for some users or systems.</p></div>
-<a name="INDEX-58"/><a name="INDEX-59"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>copy = section name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: existing section's name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Copies the configuration of an already defined share into the
-<a name="INDEX-59"/>share in which this option
-appears. Used with <tt class="literal">%</tt> variables to select custom
-configurations for systems, architectures, and users. Each option
-specified or copied takes precedence over earlier specifications of
-the option.</p></div>
-<a name="INDEX-60"/><a name="INDEX-61"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>create mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0744</p><p>Sets the maximum allowable <a name="INDEX-61"/>permissions for new files (e.g.,
-0755). See also <tt class="literal">directory</tt> <tt class="literal">mask</tt>.
-To require certain permissions to be set, see
-<tt class="literal">force</tt> <tt class="literal">create</tt>
-<tt class="literal">mask</tt> and <tt class="literal">force</tt>
-<tt class="literal">directory</tt> <tt class="literal">mask</tt>. Also called
-<tt class="literal">create</tt> <tt class="literal">mode</tt>.</p></div>
-<a name="INDEX-62"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>create mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0744</p><p>Synonym for <tt class="literal">create</tt> <tt class="literal">mask</tt>.</p></div>
-<a name="INDEX-63"/><a name="INDEX-64"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>csc policy = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: manual, documents, programs, or disable</p><p><b class="emphasis-bold">Default</b>: manual</p><p>Sets the client-side <a name="INDEX-64"/>caching policy, telling them how to
-cache files offline if they are capable of doing so.</p></div>
-<a name="INDEX-65"/><a name="INDEX-66"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>deadtime = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Specifies the time in minutes before an unused
-<a name="INDEX-66"/>connection will be
-terminated. Zero means never. Used to keep clients from tying up
-server resources for long periods of time. If used, clients must
-autoreconnect after the specified period of inactivity. See also
-<tt class="literal">keepalive</tt>.</p></div>
-<a name="INDEX-67"/><a name="INDEX-68"/><a name="INDEX-69"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug hires timestamp = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Changes the <a name="INDEX-68"/><a name="INDEX-69"/>timestamps in log entries from seconds
-to microseconds. Useful for measuring performance.</p></div>
-<a name="INDEX-70"/><a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug pid = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Adds the process ID of the Samba server to <a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/>log lines, making it easier to
-debug a particular server. Requires debug <tt class="literal">timestamp =
-yes</tt> to work.</p></div>
-<a name="INDEX-74"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug timestamp = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Timestamps all log messages. Can be turned off when
-it's not useful (e.g., in debugging ). Also called
-<tt class="literal">timestamp</tt> <tt class="literal">logs</tt>.</p></div>
-<a name="INDEX-75"/><a name="INDEX-76"/><a name="INDEX-77"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug uid = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-76"/><a name="INDEX-77"/>Adds the real and effective
-user ID and group ID of the user being served to the logs, making it
-easier to debug one particular user.</p></div>
-<a name="INDEX-78"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debuglevel = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Sets the logging level used. Values of 3 or more slow Samba
-noticeably. Also called <tt class="literal">log</tt>
-<tt class="literal">level</tt>. Recommended value is 1.</p></div>
-<a name="INDEX-79"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default = service name</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the name of a service (share) to provide if someone
-requests a service he doesn't have permission to use
-or that doesn't exist. The path is set from the name
-the client specified, with any underscore ( _ ) characters changed to
-slash ( / ) characters, allowing access to any directory on the Samba
-server. Use is discouraged. See also <tt class="literal">load
-printers</tt>. Also called <tt class="literal">default service</tt>.</p></div>
-<a name="INDEX-80"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default case = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: LOWER, UPPER</p><p><b class="emphasis-bold">Default</b>: LOWER</p><p>Sets the case in which to store new filenames. LOWER indicates
-lowercase, and UPPER indicates uppercase.</p></div>
-<a name="INDEX-81"/><a name="INDEX-82"/><a name="INDEX-83"/><a name="INDEX-84"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default devmode = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Used with printer shares being accessed by Windows NT/2000/XP clients
-to set a default device mode for the
-<a name="INDEX-82"/><a name="INDEX-83"/><a name="INDEX-84"/>printer. Can be
-problematic. Use with care.</p></div>
-<a name="INDEX-85"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default service = share name</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">default</tt>.</p></div>
-<a name="INDEX-86"/><a name="INDEX-87"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete printer command = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that removes a
-<a name="INDEX-87"/>printer from the system hosting the
-Samba server and deletes its service definition from
-<em class="filename">smb.conf</em>. The command is passed a printer name
-as its only argument. See also <tt class="literal">add printer
-command</tt>, <tt class="literal">printing</tt>, and <tt class="literal">show add
-printer wizard</tt>.</p></div>
-<a name="INDEX-88"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete readonly = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NO, YES</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, allows delete requests to remove read-only files. This
-is not allowed in MS-DOS/Windows, but it is normal in Unix, which has
-separate directory permissions. Used with programs such as RCS.</p></div>
-<a name="INDEX-89"/><a name="INDEX-90"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete share command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that deletes a
-<a name="INDEX-90"/>share
-from the Samba server. The command runs when a user logged in as the
-<tt class="literal">root</tt> user on a Windows NT/2000/XP system deletes a
-share using Server Manager. The command is passed the name of the
-Samba configuration file and the name of the share to be deleted. The
-command must remove the definition of the share from the
-configuration file. See also <tt class="literal">add share command</tt> and
-<tt class="literal">change share command</tt>.</p></div>
-<a name="INDEX-91"/><a name="INDEX-92"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete user script = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the command to run as <tt class="literal">root</tt> when a user
-connects who no longer has an account on the
-domain's PDC. Honors <tt class="literal">%u</tt>. Can be
-used to delete the
-<a name="INDEX-92"/>user account automatically from
-the Samba server's host. Requires
-<tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">domain</tt> or <tt class="literal">security = user</tt>. Use
-with caution. See also <tt class="literal">add user script</tt>.</p></div>
-<a name="INDEX-93"/><a name="INDEX-94"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete veto files = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NO, YES</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, allows delete requests for a
-<a name="INDEX-94"/>directory containing
-files or subdirectories the user can't see due to
-the <tt class="literal">veto</tt> <tt class="literal">files</tt> option. If set
-to NO, the directory is not deleted and still contains invisible
-files.</p></div>
-<a name="INDEX-95"/><a name="INDEX-96"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>deny hosts = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of systems from which to refuse
-<a name="INDEX-96"/>connections.
-Also called <tt class="literal">hosts</tt> <tt class="literal">deny</tt>.</p></div>
-<a name="INDEX-97"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dfree command = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Specifies a command to run on the server to return free disk space.
-Not needed unless the Samba host system's
-<em class="emphasis">dfree</em> command does not work properly.</p></div>
-<a name="INDEX-98"/><a name="INDEX-99"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory = directory</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Unix directory name</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the path to the
-<a name="INDEX-99"/>directory provided by a file share or
-used by a printer share. If the option is omitted in the
-<tt class="literal">[homes]</tt> share, it is set automatically to the
-user's home directory; otherwise, it defaults
-to<em class="filename"> /tmp</em>. For a printer share, the directory is
-used to spool printer files. Honors the <tt class="literal">%u</tt> (user)
-and <tt class="literal">%m</tt> (machine) variables. Synonym for
-<tt class="literal">path</tt>.</p></div>
-<a name="INDEX-100"/><a name="INDEX-101"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0755</p><p>Sets the maximum allowable permissions for newly created
-<a name="INDEX-101"/>directories. To require
-that certain permissions be set, see the <tt class="literal">force</tt>
-<tt class="literal">create</tt> <tt class="literal">mask</tt> and
-<tt class="literal">force</tt> <tt class="literal">directory</tt>
-<tt class="literal">mask</tt> options. Also called
-<tt class="literal">directory</tt> <tt class="literal">mode</tt>.</p></div>
-<a name="INDEX-102"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0755</p><p>Synonym for <tt class="literal">directory</tt> <tt class="literal">mask</tt>.</p></div>
-<a name="INDEX-103"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory security mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: same as <tt class="literal">directory</tt> <tt class="literal">mode</tt></p><p>Controls which permission bits can be changed if a user edits the
-Unix permissions of directories on the Samba server from a Windows
-system. Any bit that is set in the mask can be changed by the user;
-any bit that is clear remains the same on the directory even if the
-user tries to change it. Requires <tt class="literal">nt</tt>
-<tt class="literal">acl</tt> <tt class="literal">support</tt>
-<tt class="literal">=</tt> <tt class="literal">YES</tt>.</p></div>
-<a name="INDEX-104"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>disable spools = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, Windows NT/2000/XP systems will downgrade to
-Lanman-style printing. Prevents printer driver uploading and
-downloading from working. Use with care. See also <tt class="literal">use client
-driver</tt>.</p></div>
-<a name="INDEX-105"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dns proxy = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES and if <tt class="literal">wins</tt>
-<tt class="literal">server</tt> <tt class="literal">=</tt>
-<tt class="literal">YES</tt>, looks up hostnames in DNS when they are not
-found using WINS.</p></div>
-<a name="INDEX-106"/><a name="INDEX-107"/><a name="INDEX-108"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain admin group = user list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: usernames and/or group names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies users who are in the <a name="INDEX-107"/>Domain Admins group and have
-<a name="INDEX-108"/>domain
-administrator authority when Samba is the PDC. See also
-<tt class="literal">domain guest group</tt> and <tt class="literal">domain
-logons</tt>. Useful in Samba 2.2 only. Obsolete in Samba 3.0.</p></div>
-<a name="INDEX-109"/><a name="INDEX-110"/><a name="INDEX-111"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain guest group = user/group list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of usernames and/or group names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies users who are in the <a name="INDEX-110"/>Domain Guest group when Samba is the PDC.
-See also <tt class="literal">domain admin group</tt> and <tt class="literal">domain
-logons</tt>. Useful in Samba 2.2 only. <a name="INDEX-111"/>Obsolete in Samba 3.0.</p></div>
-<a name="INDEX-112"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain logons = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Causes Samba to serve domain logons. This is one of the basic
-functions required when Samba is acting as the PDC.</p></div>
-<a name="INDEX-113"/><a name="INDEX-114"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain master = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: automatic</p><p>Makes Samba a <a name="INDEX-114"/>domain master browser for its domain. When
-domain logons are enabled, <tt class="literal">domain master</tt> defaults
-to YES. Otherwise, it defaults to NO.</p></div>
-<a name="INDEX-115"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dont descend = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of directories</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Prohibits a change directory or search in the directories specified.
-This is a browsing-convenience option; it doesn't
-provide any extra security.</p></div>
-<a name="INDEX-116"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dos filemode = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Allows anyone with write permissions to change permissions on a file,
-as allowed by MS-DOS.</p></div>
-<a name="INDEX-117"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dos filetime resolution = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Sets file times on Unix to match MS-DOS standards (rounding to the
-next even second). Recommended if using Visual C++ or a PC
-<em class="emphasis">make</em> program to avoid remaking the programs
-unnecessarily. Use with the <tt class="literal">dos</tt>
-<tt class="literal">filetimes</tt> option.</p></div>
-<a name="INDEX-118"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dos filetimes = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Allows nonowners to change file times if they can write to the files,
-matching the behavior of MS-DOS and Windows. See also
-<tt class="literal">dos</tt> <tt class="literal">filetime</tt>
-<tt class="literal">resolution</tt>.</p></div>
-<a name="INDEX-119"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>encrypt passwords = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO in Samba 2.2, YES in Samba 3.0</p><p>If enabled, Samba will use password encryption. Requires an
-<em class="filename">smbpasswd</em> file on the Samba server.</p></div>
-<a name="INDEX-120"/><a name="INDEX-121"/><a name="INDEX-122"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>enhanced browsing = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Automatically synchronizes <a name="INDEX-121"/><a name="INDEX-122"/>browse lists with all domain master
-browsers known to the WINS server. Makes cross-subnet browsing more
-reliable, but also can cause empty workgroups to persist forever in
-browse lists.</p></div>
-<a name="INDEX-123"/><a name="INDEX-124"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>enumports command = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Allows for a command to provide clients with customized
-MS-DOS/Windows <a name="INDEX-124"/>port names (e.g., PRN:) corresponding
-to printers. Samba's default behavior is to return
-<tt class="literal">Samba Printer Port</tt>. The command must return a
-series of lines, with one port name per line.</p></div>
-<a name="INDEX-125"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>exec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as the user before connecting to the share.
-Synonym for <tt class="literal">preexec</tt>. See also the
-<tt class="literal">postexec</tt>, <tt class="literal">root</tt>
-<tt class="literal">preexec</tt>, and <tt class="literal">root postexec</tt>
-options.</p></div>
-<a name="INDEX-126"/><a name="INDEX-127"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>fake directory create times = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>A bug fix for users of Microsoft
-<em class="emphasis">nmake</em><a name="INDEX-127"/>. If YES, Samba sets directory create
-times such that <em class="emphasis">nmake</em> won't
-remake all files every time.</p></div>
-<a name="INDEX-128"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>fake oplocks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, returns YES whenever a client asks if it can lock a file and
-cache it locally but does not enforce the lock on the server. Results
-in performance improvement for read-only shares. <em class="emphasis">Never use
-with read/write shares!</em> See also
-<tt class="literal">oplocks</tt> and <tt class="literal">veto</tt>
-<tt class="literal">oplock</tt> <tt class="literal">files</tt>.</p></div>
-<a name="INDEX-129"/><a name="INDEX-130"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>follow symlinks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, Samba follows <a name="INDEX-130"/>symlinks in a file share(s). See the
-<tt class="literal">wide</tt> <tt class="literal">links</tt> option if you want
-to restrict symlinks to just the current share.</p></div>
-<a name="INDEX-131"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force create mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Takes effect when a user on a Windows client creates a file that
-resides on the Samba server. This option ensures that bits set in
-this mask will always be set on the new file. Used with the
-<tt class="literal">create mask</tt> configuration option.</p></div>
-<a name="INDEX-132"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force directory mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Takes effect when a user on a Windows client creates a directory on
-the Samba server. This option ensures that bits set in the mask will
-be set on every newly created directory. Used with <tt class="literal">directory
-mask</tt>.</p></div>
-<a name="INDEX-133"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force directory security mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: same as <tt class="literal">force</tt>
-<tt class="literal">directory</tt> <tt class="literal">mode</tt></p><p>Takes effect when a user on a Windows client edits the Unix
-permissions of a directory on the Samba server. This option ensures
-that bits set in this mask will be set on the directory. Requires
-<tt class="literal">nt</tt> <tt class="literal">acl</tt>
-<tt class="literal">support</tt> <tt class="literal">=</tt>
-<tt class="literal">YES</tt>.</p></div>
-<a name="INDEX-134"/><a name="INDEX-135"/><a name="INDEX-136"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force group = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a Unix group name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the effective group name assigned to all users accessing a
-share. Used to override a
-<a name="INDEX-135"/><a name="INDEX-136"/>user's
-normal group memberships.</p></div>
-<a name="INDEX-137"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force security mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: same as <tt class="literal">force</tt> <tt class="literal">create</tt>
-<tt class="literal">mode</tt></p><p>Takes effect when a user on a Windows client edits the Unix
-permissions of a file on the Samba server. This option ensures that
-bits set in the mask will always be set on the file. Requires
-<tt class="literal">nt</tt> <tt class="literal">acl</tt>
-<tt class="literal">support</tt> <tt class="literal">=</tt>
-<tt class="literal">YES</tt>. See also <tt class="literal">force directory security
-mode</tt> for directories.</p></div>
-<a name="INDEX-138"/><a name="INDEX-139"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force unknown acl user = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>When set, unknown users or groups in Windows NT ACLs will be mapped
-to the user or group of the connected user. <a name="INDEX-139"/>Obsolete starting with Samba
-3.0.</p></div>
-<a name="INDEX-140"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force user = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a single username</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the effective username assigned to all users accessing a share.
-Discouraged.</p></div>
-<a name="INDEX-141"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>fstype = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NTFS, FAT, Samba</p><p><b class="emphasis-bold">Default</b>: NTFS</p><p>Sets the filesystem type reported to the client. Avoid changing.</p></div>
-<a name="INDEX-142"/><a name="INDEX-143"/><a name="INDEX-144"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>getwd cache = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Caches the current <a name="INDEX-143"/><a name="INDEX-144"/>directory for performance.
-Recommended with the <tt class="literal">wide</tt> <tt class="literal">links</tt>
-option.</p></div>
-<a name="INDEX-145"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>group = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a Unix group name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">force</tt> <tt class="literal">group</tt>.</p></div>
-<a name="INDEX-146"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>guest account = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a single username</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the name of the unprivileged Unix account to use for tasks such
-as printing and for accessing shares marked with
-<tt class="literal">guest</tt> <tt class="literal">ok</tt>. The default is
-specified at compile time and is usually set to
-<tt class="literal">nobody</tt>.</p></div>
-<a name="INDEX-147"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>guest ok = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, doesn't need passwords for this
-share. Used with <tt class="literal">security = share</tt>. Synonym for
-<tt class="literal">public</tt>.</p></div>
-<a name="INDEX-148"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>guest only = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Forces users of a share to log on as the guest account. Requires
-<tt class="literal">guest</tt> <tt class="literal">ok</tt> or
-<tt class="literal">public</tt> to be YES. Also called
-<tt class="literal">only</tt> <tt class="literal">guest</tt>.</p></div>
-<a name="INDEX-149"/><a name="INDEX-150"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide dot files = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Treats files with names beginning with a dot as if they had the
-MS-DOS <a name="INDEX-150"/>hidden
-attribute set. The files are either not displayed on a Windows client
-or appear grayed-out, depending on the settings on the client.</p></div>
-<a name="INDEX-151"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide files = slash-separated list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: patterns, separated by <tt class="literal">/</tt>
-characters</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of file or directory names on which to set the
-MS-DOS hidden attribute. Names can contain <tt class="literal">?</tt> or
-<tt class="literal">*</tt> pattern characters and <tt class="literal">%</tt>
-variables. See also <tt class="literal">hide</tt> <tt class="literal">dot</tt>
-<tt class="literal">files</tt> and <tt class="literal">veto</tt>
-<tt class="literal">files</tt>.</p></div>
-<a name="INDEX-152"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide local users = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, hides Unix-specific dummy accounts
-(<tt class="literal">root</tt>, <tt class="literal">wheel</tt>,
-<tt class="literal">floppy</tt>, etc.) from clients.</p></div>
-<a name="INDEX-153"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide unreadable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, hides all unreadable files.</p></div>
-<a name="INDEX-154"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>homedir map = name</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NIS map name</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Used with <tt class="literal">nis</tt> <tt class="literal">homedir</tt> to locate
-a user's Unix home directory from Sun NIS (not
-NIS+).</p></div>
-<a name="INDEX-155"/><a name="INDEX-156"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>host msdfs = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-156"/>If set to YES and Samba was
-configured with the <tt class="literal">--with-msdfs</tt> option, provides
-Microsoft Distributed filesystem (Dfs) service, allowing Dfs-capable
-clients to browse Dfs trees on the Samba server. See also
-<tt class="literal">msdfs root</tt>.</p></div>
-<a name="INDEX-157"/><a name="INDEX-158"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hosts allow = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of systems that can access the
-<a name="INDEX-158"/>share. If NULL, any system can access
-the share unless there is a <tt class="literal">hosts</tt>
-<tt class="literal">deny</tt> option. Synonym for <tt class="literal">allow</tt>
-<tt class="literal">hosts</tt>.</p></div>
-<a name="INDEX-159"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hosts deny = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of systems that cannot connect to the share. Synonym
-for <tt class="literal">deny</tt> <tt class="literal">hosts</tt>.</p></div>
-<a name="INDEX-160"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hosts equiv = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the path to a file of trusted systems from which
-passwordless logons are allowed. Strongly discouraged because Windows
-NT/2000/XP users can always override the username&mdash;the only
-security in this scheme.</p></div>
-<a name="INDEX-161"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>include = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Includes the named file in <em class="filename">smb.conf</em> at the line
-where it appears. This option accepts most variables, but not
-<tt class="literal">%u</tt> (user), <tt class="literal">%P</tt> (current
-share's <tt class="literal">root</tt> directory), or
-<tt class="literal">%S</tt> (current share's name) because
-they are not set at the time the file is read.</p></div>
-<a name="INDEX-162"/><a name="INDEX-163"/><a name="INDEX-164"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>inherit acls = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, files and subdirectories are created with the same
-<a name="INDEX-163"/>ACLs
-as their parent directories. Directories are given Unix permissions
-of 0777 (full permissions) ensuring that the ACL on the directory
-will govern the actual permissions given to clients. Requires
-<a name="INDEX-164"/>POSIX ACL
-support to be provided on the Samba host system.</p></div>
-<a name="INDEX-165"/><a name="INDEX-166"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>inherit permissions = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, files and subdirectories are created with the same
-<a name="INDEX-166"/>permissions as their parent
-directories. This allows Unix directory permissions to be propagated
-automatically to new files and subdirectories, especially in the
-<tt class="literal">[homes]</tt> share. This option overrides
-<tt class="literal">create</tt> <tt class="literal">mask</tt>,
-<tt class="literal">directory</tt> <tt class="literal">mask</tt>,
-<tt class="literal">force</tt> <tt class="literal">create</tt>
-<tt class="literal">mode</tt>, and <tt class="literal">force</tt>
-<tt class="literal">directory</tt> <tt class="literal">mode</tt>, but not
-<tt class="literal">map</tt> <tt class="literal">archive</tt>,
-<tt class="literal">map</tt> <tt class="literal">hidden</tt>, or
-<tt class="literal">map</tt> <tt class="literal">system</tt>. Samba never sets
-the <tt class="literal">setuid</tt> bit when creating a file or directory.</p></div>
-<a name="INDEX-167"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>interfaces = interface list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: interface list</p><p><b class="emphasis-bold">Default</b>: NULL (all interfaces except 127.0.0.1)</p><p>Sets the interfaces to which Samba will respond. The default is the
-system's primary interface only. Recommended on
-multihomed systems or to override erroneous addresses and netmasks.
-Allows interface names such as <tt class="literal">eth0</tt>, DNS names,
-address/netmask pairs, and broadcast/netmask pairs. See also
-<tt class="literal">bind interfaces only</tt>.</p></div>
-<a name="INDEX-168"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>invalid users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of users not permitted access to the share.</p></div>
-<a name="INDEX-169"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>keepalive = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 300</p><p>Sets the number of seconds between checks for a crashed client. The
-value of 0 causes no checks to be performed. Setting
-<tt class="literal">keepalive = 3600</tt> will turn on checks every hour. A
-value of 600 (every 10 minutes) is recommended if you want more
-frequent checks. See also <tt class="literal">socket</tt>
-<tt class="literal">options</tt> for another approach.</p></div>
-<a name="INDEX-170"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>kernel oplocks = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Breaks the oplock when a local Unix process or NFS operation accesses
-an oplocked file, thus preventing corruption. This works only on
-operating systems that support kernel-based oplocks, such as Linux
-2.4 and Irix. Avoid changing. See also <tt class="literal">oplocks</tt> and
-<tt class="literal">level2</tt> <tt class="literal">oplocks</tt>.</p></div>
-<a name="INDEX-171"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lanman auth = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, allows clients to use the (weak) LANMAN password hash
-used by Windows 95/98/Me. If set to NO, allows only the better NT1
-hash used by Windows NT/2000/XP.</p></div>
-<a name="INDEX-172"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>large readwrite = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO in Samba 2.2, YES in Samba 3.0</p><p>If set to YES, allows Windows 2000/XP to read and write 64KB at a
-time to improve performance. Requires Samba to be hosted by a 64-bit
-OS, such as Linux 2.4, Irix, or Solaris. Somewhat experimental.</p></div>
-<a name="INDEX-173"/><a name="INDEX-174"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap admin dn = string</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Distinguished Name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the Distinguished Name used by Samba when contacting the LDAP
-server. Requires Samba to be configured with the
-<tt class="literal">--with-ldapsam</tt> configuration option. Experimental
-option added in Samba 2.2.3 and <a name="INDEX-174"/>obsolete in Samba 3.0.</p></div>
-<a name="INDEX-175"/><a name="INDEX-176"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap filter = string</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: LDAP search filter</p><p><b class="emphasis-bold">Default</b>: <tt class="literal">(&amp;(uid=%u)(objectclass=sambaAccount))</tt></p><p>Sets the LDAP search filter. Requires that Samba be configured with
-the <tt class="literal">--with-ldapsam</tt> configuration option.
-Experimental option added in Samba 2.2.3 and
-<a name="INDEX-176"/>obsolete in Samba 3.0.</p></div>
-<a name="INDEX-177"/><a name="INDEX-178"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap port = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: In Samba 2.2, 636 if <tt class="literal">ldap ssl = on</tt>;
-otherwise 389</p><p>Sets the TCP port number for contacting the LDAP server. Requires
-that Samba be configured with the <tt class="literal">--with-ldapsam</tt>
-configuration option. Experimental option added in Samba 2.2.3 and
-<a name="INDEX-178"/>obsolete
-starting with Samba 3.0. See also <tt class="literal">ldap ssl</tt>.</p></div>
-<a name="INDEX-179"/><a name="INDEX-180"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap server = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: fully qualified domain name</p><p><b class="emphasis-bold">Default</b>: localhost</p><p>Sets the domain name of the LDAP server. Requires that Samba be
-configured with the <tt class="literal">--with-ldapsam</tt> configuration
-option. Experimental option added in Samba 2.2.3 and
-<a name="INDEX-180"/>obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-181"/><a name="INDEX-182"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap ssl = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: ON, OFF, START TLS</p><p><b class="emphasis-bold">Default</b>: ON</p><p>Sets whether Samba uses SSL to contact the LDAP server. ON and OFF
-turn SSL encryption on or off. The START TLS setting causes Samba to
-use LDAPv3 StartTLS extended operation. Requires that Samba be
-configured with the <tt class="literal">--with-ldapsam</tt> configuration
-option. Experimental option added in Samba 2.2.3 and
-<a name="INDEX-182"/>obsolete
-in Samba 3.0.</p></div>
-<a name="INDEX-183"/><a name="INDEX-184"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap suffix = string</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Distinguished Name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the base Distinguished Name to use for LDAP searches. Requires
-that Samba be configured with the <tt class="literal">--with-ldapsam</tt>
-configuration option. Experimental option added in Samba 2.2.3 and
-<a name="INDEX-184"/>obsolete in Samba 3.0.</p></div>
-<a name="INDEX-185"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>level2 oplocks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows files to be cached read-only on the client when multiple
-clients have opened the file. This allows executables to be cached
-locally, improving performance.</p></div>
-<a name="INDEX-186"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lm announce = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: AUTO, YES, NO</p><p><b class="emphasis-bold">Default</b>: AUTO</p><p>Produces OS/2 SMB broadcasts at an interval specified by the
-<tt class="literal">lm</tt> <tt class="literal">interval</tt> option. YES/NO
-turns them on/off unconditionally. AUTO causes the Samba server to
-wait for a LAN manager announcement from another client before
-sending one out. Required for OS/2 client browsing.</p></div>
-<a name="INDEX-187"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lm interval = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 60</p><p>Sets the time period, in seconds, between OS/2 SMB broadcast
-announcements.</p></div>
-<a name="INDEX-188"/><a name="INDEX-189"/><a name="INDEX-190"/><a name="INDEX-191"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>load printers = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Loads all printer names from the system's
-<em class="emphasis">printcap</em><a name="INDEX-189"/> file into the
-<a name="INDEX-190"/><a name="INDEX-191"/>browse
-list. Uses configuration options from the
-<tt class="literal">[printers]</tt> section.</p></div>
-<a name="INDEX-192"/><a name="INDEX-193"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>local master = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows Samba to participate in <a name="INDEX-193"/>elections for the local master
-browser. See also <tt class="literal">domain</tt> <tt class="literal">master</tt>
-and <tt class="literal">os</tt> <tt class="literal">level</tt>.</p></div>
-<a name="INDEX-194"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock dir = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/usr/local/samba/var/locks</em></p><p>Synonym for <tt class="literal">lock</tt> <tt class="literal">directory</tt>.</p></div>
-<a name="INDEX-195"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock directory = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/usr/local/samba/var/locks</em></p><p>Sets a directory in which to keep lock files. The directory must be
-writable by Samba and readable by everyone. Also called
-<tt class="literal">lock</tt> <tt class="literal">dir</tt>.</p></div>
-<a name="INDEX-196"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock spin count = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 2</p><p>Sets the number of attempts to attain a byte range lock. See also
-<tt class="literal">lock spin time</tt>.</p></div>
-<a name="INDEX-197"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock spin time = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of microseconds</p><p><b class="emphasis-bold">Default</b>: 10</p><p>Sets the number of microseconds between attempts to attain a lock.
-See also <tt class="literal">lock</tt> <tt class="literal">spin</tt>
-<tt class="literal">count</tt>.</p></div>
-<a name="INDEX-198"/><a name="INDEX-199"/><a name="INDEX-200"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>locking = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Performs <a name="INDEX-199"/><a name="INDEX-200"/>file locking. If set to NO, Samba
-accepts lock requests but won't actually lock
-resources. Turn off for read-only filesystems.</p></div>
-<a name="INDEX-201"/><a name="INDEX-202"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>log file = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the name and location of the <a name="INDEX-202"/>log file. Allows all <tt class="literal">%</tt>
-variables.</p></div>
-<a name="INDEX-203"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>log level = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Sets the logging level used. Values of 3 or more slow the system
-noticeably. Recommended value is 1. Synonym for
-<tt class="literal">debug</tt> <tt class="literal">level</tt>.</p></div>
-<a name="INDEX-204"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon drive = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: MS-DOS drive name</p><p><b class="emphasis-bold">Default</b>: Z:</p><p>Sets the drive to be used as a home directory for domain logons by
-Windows NT/2000/XP clients. See also <tt class="literal">logon</tt>
-<tt class="literal">home</tt>.</p></div>
-<a name="INDEX-205"/><a name="INDEX-206"/><a name="INDEX-207"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon home = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">\\ %N \ %U</em></p><p>Sets the home <a name="INDEX-206"/><a name="INDEX-207"/>directory of a Windows 95/98/Me or
-NT/2000/XP user. Allows <tt class="literal">NET</tt> <tt class="literal">USE</tt>
-<tt class="literal">H:/HOME</tt> from the command prompt if Samba is acting
-as a logon server. Append <tt class="literal">\profile</tt> or other
-directory to the value of this parameter if storing Windows 95/98/Me
-profiles in a subdirectory of the user's home
-directory. See <tt class="literal">logon path</tt> for Windows NT/2000/XP
-roaming profiles.</p></div>
-<a name="INDEX-208"/><a name="INDEX-209"/><a name="INDEX-210"/><a name="INDEX-211"/><a name="INDEX-212"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon path = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">\\ %N \ %U \ profile</em></p><p>Sets the path to the directory where Windows NT/2000/XP
-<a name="INDEX-209"/><a name="INDEX-210"/><a name="INDEX-211"/><a name="INDEX-212"/>roaming profiles are stored. See
-also <tt class="literal">logon home</tt> for Windows 95/98/Me roaming
-profiles.</p></div>
-<a name="INDEX-213"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon script = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the pathname (relative to the <tt class="literal">[netlogon]</tt>
-share) of an MS-DOS/NT command to run on the client at logon time.
-Allows all <tt class="literal">%</tt> variables.</p></div>
-<a name="INDEX-214"/><a name="INDEX-215"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lppause command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command to pause a <a name="INDEX-215"/>print job.
-Honors the <tt class="literal">%p</tt> (printer name) and
-<tt class="literal">%j</tt> (job number) variables.</p></div>
-<a name="INDEX-216"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lpq cache time = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 10</p><p>Sets how long to keep print queue status cached, in seconds.</p></div>
-<a name="INDEX-217"/><a name="INDEX-218"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lpq command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to get <a name="INDEX-218"/>printer status. Usually
-initialized to a default value by the <tt class="literal">printing</tt>
-option. Honors the <tt class="literal">%p</tt> (printer name) variable.</p></div>
-<a name="INDEX-219"/><a name="INDEX-220"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lpresume command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command to resume a paused <a name="INDEX-220"/>print job.
-Honors the <tt class="literal">%p</tt> (printer name) and
-<tt class="literal">%j</tt> ( job number) variables.</p></div>
-<a name="INDEX-221"/><a name="INDEX-222"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lprm command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command to delete a <a name="INDEX-222"/>print job.
-Usually initialized to a default value by the
-<tt class="literal">printing</tt> option. Honors the <tt class="literal">%p</tt>
-(printer name) and <tt class="literal">%j</tt> (job number) variables.</p></div>
-<a name="INDEX-223"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>machine password timeout = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 604800 (1 week)</p><p>Sets the period between (NT domain) computer account password changes.</p></div>
-<a name="INDEX-224"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>magic output = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="replaceable">command</em><em class="emphasis">.out</em></p><p>Sets the output file for the <tt class="literal">magic</tt>
-<tt class="literal">scripts</tt> option. Default is the command name,
-followed by the <em class="emphasis">.out</em> extension.</p></div>
-<a name="INDEX-225"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>magic script = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a filename for execution via a shell whenever the file is closed
-from the client, allowing clients to run commands on the server. The
-scripts will be deleted on completion, if permissions allow. Use is
-discouraged.</p></div>
-<a name="INDEX-226"/><a name="INDEX-227"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangle case = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-227"/>Mangles a
-name if it is in mixed case.</p></div>
-<a name="INDEX-228"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangled map = map list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of to/from pairs</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets up a table of names to remap (e.g., <em class="emphasis">.html</em>
-to <em class="emphasis">.htm</em>).</p></div>
-<a name="INDEX-229"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangled names = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Sets Samba to abbreviate to the MS-DOS 8.3 style names that are too
-long or have unsupported characters.</p></div>
-<a name="INDEX-230"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangled stack = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 50</p><p>Sets the size of the cache of recently mangled filenames.</p></div>
-<a name="INDEX-231"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangling char = character</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: character</p><p><b class="emphasis-bold">Default</b>: ~</p><p>Sets the unique mangling character used in all mangled names.</p></div>
-<a name="INDEX-232"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangling method = string</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: hash, hash2</p><p><b class="emphasis-bold">Default</b>: hash</p><p>Sets the algorithm used to mangle filenames. The
-<tt class="literal">hash2</tt> method is a newer method introduced in Samba
-2.2.x, and it creates different filenames than the
-<tt class="literal">hash</tt> method.</p></div>
-<a name="INDEX-233"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map archive = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, Samba sets the executable-by-user (0100) bit on Unix files if
-the MS-DOS archive attribute is set. If used, the
-<tt class="literal">create</tt> <tt class="literal">mask</tt> must contain the
-0100 bit.</p></div>
-<a name="INDEX-234"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map hidden = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, Samba sets the executable-by-other (0001) bit on Unix files
-if the MS-DOS hidden attribute is set. If used, the <tt class="literal">create
-mask</tt> option must contain the 0001 bit.</p></div>
-<a name="INDEX-235"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map system = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, Samba sets the executable-by-group (0010) bit on Unix files
-if the MS-DOS system attribute is set. If used, the
-<tt class="literal">create</tt> <tt class="literal">mask</tt> must contain the
-0010 bit.</p></div>
-<a name="INDEX-236"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map to guest = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Never, Bad User, Bad Password</p><p><b class="emphasis-bold">Default</b>: Never</p><p>If set to Bad User, allows users without accounts on the Samba system
-to log in and be assigned the guest account. This option can be used
-as part of making public shares for anyone to use. If set to Bad
-Password, users who mistype their passwords will be logged in to the
-guest account instead of their own. Because no warning is given, the
-Bad Password value can be extremely confusing: we recommend against
-it. The default setting of Never prevents users without accounts from
-logging in.</p></div>
-<a name="INDEX-237"/><a name="INDEX-238"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max connections = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0 (infinity)</p><p>Sets the maximum number of
-<a name="INDEX-238"/>share connections allowed from each
-client system.</p></div>
-<a name="INDEX-239"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max disk size = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: size in MB</p><p><b class="emphasis-bold">Default</b>: 0 (no limit)</p><p>Sets the maximum disk size/free-space size (in megabytes) to return
-to the client. Some clients or applications can't
-understand large maximum disk sizes.</p></div>
-<a name="INDEX-240"/><a name="INDEX-241"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max log size = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: size in KB</p><p><b class="emphasis-bold">Default</b>: 5000</p><p>Sets the size (in kilobytes) at which Samba will start a new
-<a name="INDEX-241"/>log file. The current log file will be
-renamed with a <em class="emphasis">.old</em> extension, replacing any
-existing file with that name.</p></div>
-<a name="INDEX-242"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max mux = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 50</p><p>Sets the number of simultaneous SMB operations that Samba clients can
-make. Avoid changing.</p></div>
-<a name="INDEX-243"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max open files = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 10000</p><p>Limits the number of files a Samba process will try to keep open at
-one time. Samba allows you to set this to less than the maximum
-imposed by the Unix host operating system. Avoid changing.</p></div>
-<a name="INDEX-244"/><a name="INDEX-245"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max print jobs = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 1000</p><p>Limits the number of jobs that can be in the queue for this
-<a name="INDEX-245"/>printer share at any one time. The printer
-will report <tt class="literal">out of space</tt> if the limit is exceeded.
-See also <tt class="literal">total print jobs</tt>.</p></div>
-<a name="INDEX-246"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max protocol = name</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: CORE, COREPLUS, LANMAN1, LANMAN2, NT1</p><p><b class="emphasis-bold">Default</b>: NT1</p><p>If set, limits the negotiation to the protocol specified, or older.
-See <tt class="literal">min protocol</tt>. Avoid using.</p></div>
-<a name="INDEX-247"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max smbd processes = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 0 (no limit)</p><p>Limits the number of users who can connect to the server. Used to
-prevent degraded service under an overload, at the cost of refusing
-services entirely.</p></div>
-<a name="INDEX-248"/><a name="INDEX-249"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max ttl = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 259200 (3 days)</p><p>Sets the <a name="INDEX-249"/>time to live (TTL) of NetBIOS names in the
-<em class="emphasis">nmbd</em> WINS cache. Avoid changing.</p></div>
-<a name="INDEX-250"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max wins ttl = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 518400 (6 days)</p><p>Limits the TTL, in seconds, of a NetBIOS name in the
-<em class="emphasis">nmbd</em> WINS cache. Avoid changing. See also
-<tt class="literal">min wins ttl</tt>.</p></div>
-<a name="INDEX-251"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max xmit = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: size in bytes</p><p><b class="emphasis-bold">Default</b>: 65535</p><p>Sets the maximum packet size negotiated by Samba. This is a tuning
-parameter for slow links and bugs in older clients. Values less than
-2048 are discouraged.</p></div>
-<a name="INDEX-252"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>message command = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the command to run on the server when a WinPopup message arrives
-from a client. If it does not complete quickly, the command must end
-in <tt class="literal">&amp;</tt> to allow immediate return. Honors all
-<tt class="literal">%</tt> variables except <tt class="literal">%u</tt> (user)
-and supports the extra variables <tt class="literal">%s</tt> (filename the
-message is in), <tt class="literal">%t</tt> (destination system), and
-<tt class="literal">%f</tt> (from).</p></div>
-<a name="INDEX-253"/><a name="INDEX-254"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min passwd length = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 5</p><p><a name="INDEX-254"/>Synonym for <tt class="literal">min</tt>
-<tt class="literal">password</tt> <tt class="literal">length</tt>.</p></div>
-<a name="INDEX-255"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min password length = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 5</p><p>Sets the shortest Unix password allowed by Samba when updating a
-user's password on its system. Also called
-<tt class="literal">min</tt> <tt class="literal">passwd</tt>
-<tt class="literal">length</tt>.</p></div>
-<a name="INDEX-256"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min print space = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: space in kilobytes</p><p><b class="emphasis-bold">Default</b>: 0 (unlimited)</p><p>Sets the minimum spool space required before accepting a print
-request.</p></div>
-<a name="INDEX-257"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min protocol = name</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: CORE, COREPLUS, LANMAN1, LANMAN2, NT1</p><p><b class="emphasis-bold">Default</b>: CORE</p><p>If set, prevents use of old (less secure) protocols. Using NT1
-disables MS-DOS clients. See also <tt class="literal">lanman auth</tt>.</p></div>
-<a name="INDEX-258"/><a name="INDEX-259"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min wins ttl = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 21600 (6 hours)</p><p>Sets the minimum <a name="INDEX-259"/>TTL, in seconds, of a NetBIOS name in the
-<em class="emphasis">nmbd</em> WINS cache. Avoid changing.</p></div>
-<a name="INDEX-260"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>msdfs root = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Makes the share a Dfs <tt class="literal">root</tt>. Requires the
-<tt class="literal">--with-msdfs</tt> configure option. Any symbolic links
-of the form <tt class="literal">msdfs:server\share</tt> will be seen as Dfs
-links. See also <tt class="literal">host msdfs</tt>.</p></div>
-<a name="INDEX-261"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>name resolve order = list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: lmhosts, wins, host, bcast</p><p><b class="emphasis-bold">Default</b>: lmhosts, host, wins, bcast</p><p>Sets the order of lookup when trying to get IP addresses from names.
-The host parameter carries out a regular name lookup using the
-server's normal sources:
-<em class="emphasis">/etc/hosts</em>, DNS, NIS, or a combination of these.</p></div>
-<a name="INDEX-262"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>netbios aliases = list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of NetBIOS names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Adds additional NetBIOS names by which the Samba server will
-advertise itself.</p></div>
-<a name="INDEX-263"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>netbios name = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: local hostname</p><p><b class="emphasis-bold">Default</b>: DNS name of system</p><p>Sets the NetBIOS name by which a Samba server is known, or the
-primary name if NetBIOS aliases exist. See also <tt class="literal">netbios
-aliases</tt>.</p></div>
-<a name="INDEX-264"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>netbios scope = string</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: string</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the NetBIOS scope string, an early predecessor of workgroups.
-Samba will not communicate with a system with a different scope. This
-option is not recommended.</p></div>
-<a name="INDEX-265"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nis homedir = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, the <tt class="literal">homedir</tt> <tt class="literal">map</tt> is used
-to look up the server hosting the user's home
-directory and return it to the client. The client will contact that
-system to connect to the share. This avoids mounting from a system
-that doesn't actually have the directory, which
-would cause the data to be transmitted twice. The system with the
-home directories must be an SMB server.</p></div>
-<a name="INDEX-266"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>non unix account range = numeric range</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: range of positive integers</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies a range of Unix UIDs for Samba to use for user accounts and
-computer accounts that are maintained outside of
-<em class="filename">/etc/passwd</em>. The UIDs in this range must not
-overlap those of regular Unix users in
-<em class="filename">/etc/passwd</em>. See also <tt class="literal">algorithmic rid
-base</tt>. New in Samba 3.0.</p></div>
-<a name="INDEX-267"/><a name="INDEX-268"/><a name="INDEX-269"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt acl support = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Causes the Samba server to map Unix
-<a name="INDEX-268"/><a name="INDEX-269"/>permissions to Windows NT
-ACLs.</p></div>
-<a name="INDEX-270"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt pipe support = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows turning off of NT-specific pipe calls. This is a
-developer/benchmarking option and might be removed in the future.
-Avoid changing.</p></div>
-<a name="INDEX-271"/><a name="INDEX-272"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt smb support = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, allows the use of NT-specific SMBs. This is a
-developer/benchmarking option that is <a name="INDEX-272"/>obsolete in Samba 3.0. Avoid changing.</p></div>
-<a name="INDEX-273"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt status support = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, allows the use of NT-specific status messages. This is a
-developer/benchmarking option and might be removed in the future.
-Avoid changing.</p></div>
-<a name="INDEX-274"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>null passwords = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, allows access to accounts that have null passwords. Strongly
-discouraged.</p></div>
-<a name="INDEX-275"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>obey pam restrictions = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, Samba will adhere to the PAM's account and
-session restrictions. Requires <tt class="literal">--with-pam</tt>
-configuration option.</p></div>
-<a name="INDEX-276"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>only guest = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Forces users of a share to log on as the guest account. Synonym for
-<tt class="literal">guest</tt> <tt class="literal">only</tt>. Requires
-<tt class="literal">guest</tt> <tt class="literal">ok</tt> or
-<tt class="literal">public</tt> to be YES.</p></div>
-<a name="INDEX-277"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>only user = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Requires that users of the share be in the list specified by the
-<tt class="literal">user</tt> option.</p></div>
-<a name="INDEX-278"/><a name="INDEX-279"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>oplock break wait time = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p><a name="INDEX-279"/>This is an advanced tuning parameter and
-is recommended only for experts who know how Samba handles oplocks.
-This option might need to be set if a Windows system fails to release
-an oplock in response to a break request from the Samba server. Due
-to bugs on some Windows systems, they might fail to respond if Samba
-responds too quickly; the default on this option can be lengthened in
-such cases.</p></div>
-<a name="INDEX-280"/><a name="INDEX-281"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>oplock contention limit = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of milliseconds</p><p><b class="emphasis-bold">Default</b>: 2</p><p><a name="INDEX-281"/>This is an advanced tuning
-parameter and is recommended only for experts who know how Samba
-handles oplocks. It causes Samba to refuse to grant an oplock if the
-number of clients contending for a file exceeds the specified value.</p></div>
-<a name="INDEX-282"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>oplocks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, supports local caching of oplocked files on the client. This
-option is recommended because it improves performance by about 30%.
-See also <tt class="literal">fake</tt> <tt class="literal">oplocks</tt> and
-<tt class="literal">veto</tt> <tt class="literal">oplock</tt>
-<tt class="literal">files</tt>.</p></div>
-<a name="INDEX-283"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>os level = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 20</p><p>Sets the candidacy of the server when electing a browse master. Used
-with the <tt class="literal">domain</tt> <tt class="literal">master</tt> or
-<tt class="literal">local</tt> <tt class="literal">master</tt> options. You can
-set a higher value than a competing operating system if you want
-Samba to win. Windows for Workgroups and Windows 95/98/Me use 1.
-Windows NT/2000/XP, when not acting as a PDC, use 16 and, when acting
-as a PDC, use 32. Warning: this can override non-Samba browse masters
-unexpectedly.</p></div>
-<a name="INDEX-284"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>os2 driver map = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a file containing mappings of Windows NT printer driver
-names to OS/2 printer driver names.</p></div>
-<a name="INDEX-285"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>pam password change = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, and if Samba is configured with
-<tt class="literal">--with-pam</tt>, PAM is allowed to handle password
-changes from clients, instead of using the program defined by the
-<tt class="literal">passwd</tt> <tt class="literal">program</tt> parameter.</p></div>
-<a name="INDEX-286"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>panic action = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the command to run when Samba panics. Honors all
-<tt class="literal">%</tt> variables. For Samba developers and testers,
-<tt class="literal">/usr/bin/X11/xterm</tt> <tt class="literal">-display</tt>
-<tt class="literal">:0</tt> <tt class="literal">-e</tt> <tt class="literal">gdb</tt>
-<tt class="literal">/samba/bin/smbd</tt> <tt class="literal">%d</tt> is a
-possible value.</p></div>
-<a name="INDEX-287"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passdb backend = list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: smbpasswd, smbpasswd_nua, tdbsam, tdbsam_nua, plugin</p><p><b class="emphasis-bold">Default</b>: smbpasswd</p><p>Specifies methods Samba uses to store and retrieve passwords when
-using a method other than the Unix system's
-<em class="filename">/etc/passwd</em>. See also <tt class="literal">non unix account
-range</tt>. New in Samba 3.0.</p></div>
-<a name="INDEX-288"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passwd chat = string</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: sequence of strings</p><p><b class="emphasis-bold">Default</b>: compiled-in value</p><p>Sets the chat strings used to change passwords on the server.
-Supports the variables <tt class="literal">%o</tt> (old password) and
-<tt class="literal">%n</tt> (new password) and allows the escapes
-<tt class="literal">\r</tt>, <tt class="literal">\n</tt>, <tt class="literal">\t</tt>,
-and <tt class="literal">\s</tt> (space) in the sequence. See also
-<tt class="literal">unix password sync</tt>, <tt class="literal">passwd
-program</tt>, <tt class="literal">passwd chat debug</tt>, and
-<tt class="literal">pam</tt> <tt class="literal">password change</tt>.</p></div>
-<a name="INDEX-289"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passwd chat debug = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Logs an entire password chat, including passwords passed, with a log
-level of 100. For debugging only. See also <tt class="literal">passwd
-chat</tt>, <tt class="literal">pam password change</tt>, and
-<tt class="literal">passwd program</tt>.</p></div>
-<a name="INDEX-290"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passwd program = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/bin/passwd</em></p><p>Sets the command used to change a user's password.
-Will be run as <tt class="literal">root</tt>. Supports
-<tt class="literal">%u</tt> (user). See also <tt class="literal">unix password
-sync</tt>.</p></div>
-<a name="INDEX-291"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>password level = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Specifies the number of uppercase-letter permutations used to match
-passwords. A workaround for clients that change passwords to a single
-case before sending them to the Samba server. Causes repeated login
-attempts with mixed-case passwords, which can trigger account
-lockouts. Required for Windows 95/98/Me, plain-text passwords, and
-mixed-case passwords. Try to avoid using.</p></div>
-<a name="INDEX-292"/><a name="INDEX-293"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>password server = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of NetBIOS names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of SMB servers that validate
-<a name="INDEX-293"/>passwords. Used with a Windows
-NT/2000 password server (PDC or BDC) and the
-<tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">server</tt> or <tt class="literal">security</tt>
-<tt class="literal">=</tt> <tt class="literal">domain</tt> configuration options.
-Caution: a Windows NT/2000 password server must allow logins from the
-Samba server. If set to <tt class="literal">*</tt>, Samba will look up the
-PDC by resolving the NetBIOS name WORKGROUP&lt;1C&gt;.</p></div>
-<a name="INDEX-294"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>path = directory</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the path to the directory provided by a file share or used by a
-printer share. If the option is omitted, it is set automatically in
-the <tt class="literal">[homes]</tt> share to the user's
-home directory; otherwise, defaults to<em class="filename"> /tmp</em>.
-Honors the <tt class="literal">%u</tt> (user) and <tt class="literal">%m</tt>
-(machine) variables.</p></div>
-<a name="INDEX-295"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>pid directory = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/var/locks</em></p><p>Sets the path to the directory where PID files are located.</p></div>
-<a name="INDEX-296"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>posix locking = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, Samba will map file locks owned by SMB clients to
-POSIX locks. Avoid changing.</p></div>
-<a name="INDEX-297"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>postexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as the user after disconnecting from the share.
-See also the <tt class="literal">preexec</tt>, <tt class="literal">root</tt>
-<tt class="literal">preexec</tt>, and <tt class="literal">root</tt>
-<tt class="literal">postexec</tt> options.</p></div>
-<a name="INDEX-298"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>postscript = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Forces a printer to recognize a file as PostScript by inserting
-<tt class="literal">%!</tt> as the first line. Works only if the printer is
-actually PostScript-compatible.</p></div>
-<a name="INDEX-299"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as the user before connecting to the share.
-Synonym for <tt class="literal">exec</tt>. See also the
-<tt class="literal">postexec</tt>, <tt class="literal">root</tt>
-<tt class="literal">preexec</tt>, and <tt class="literal">root</tt>
-<tt class="literal">postexec</tt> options.</p></div>
-<a name="INDEX-300"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preexec close = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, allows the <tt class="literal">preexec</tt> command to decide if
-the share can be accessed by the user. If the command returns a
-nonzero return code, the user is denied permission to connect.</p></div>
-<a name="INDEX-301"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preferred master = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: auto</p><p>If YES, Samba is the preferred master browser. Causes Samba to call a
-browsing election when it comes online. See also <tt class="literal">os
-level</tt>.</p></div>
-<a name="INDEX-302"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>prefered master = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: auto</p><p>Synonym for <tt class="literal">preferred master</tt>.</p></div>
-<a name="INDEX-303"/><a name="INDEX-304"/><a name="INDEX-305"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preload = service list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of shares</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of shares that always appears in
-<a name="INDEX-304"/><a name="INDEX-305"/>browse lists. Synonym for
-<tt class="literal">auto</tt> <tt class="literal">services</tt>. See also
-<tt class="literal">load printers</tt>.</p></div>
-<a name="INDEX-306"/><a name="INDEX-307"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preserve case = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p><a name="INDEX-307"/>Leaves filenames in the case
-sent by the client. If NO, it forces filenames to the case specified
-by the <tt class="literal">default</tt> <tt class="literal">case</tt> option. See
-also <tt class="literal">short</tt> <tt class="literal">preserve</tt>
-<tt class="literal">case</tt>.</p></div>
-<a name="INDEX-308"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Sets a share to be a print share. Required for all printers. Synonym
-for <tt class="literal">print</tt> <tt class="literal">ok</tt>.</p></div>
-<a name="INDEX-309"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printcap name = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/etc/printcap</em></p><p>Sets the path to the printer capabilities file used by the
-<tt class="literal">[printers]</tt> share. The default value changes to
-<em class="filename">/etc/qconfig</em> under AIX and
-<em class="filename">lpstat</em> on System V. Also called
-<tt class="literal">printcap</tt>.</p></div>
-<a name="INDEX-310"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>print command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to send a spooled file to the printer. Usually
-initialized to a default value corresponding to the
-<tt class="literal">printing</tt> option. This option honors the
-<tt class="literal">%p</tt> (printer name), <tt class="literal">%s</tt> (spool
-file), and <tt class="literal">%f</tt> (spool file as a relative path)
-variables. The command must delete the spool file.</p></div>
-<a name="INDEX-311"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: printer name</p><p><b class="emphasis-bold">Default</b>: lp</p><p>Sets the name of the Unix printer used by the share. Also called
-<tt class="literal">printer</tt> <tt class="literal">name</tt>.</p></div>
-<a name="INDEX-312"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer admin = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies users who can administer a printer using the remote printer
-administration interface on a Windows system. The
-<tt class="literal">root</tt> user always has these privileges.</p></div>
-<a name="INDEX-313"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer driver = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: exact printer driver string used by Windows</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the string to pass to Windows when asked which driver to use to
-prepare files for a printer share. Note that the value is
-case-sensitive. Part of pre-2.2 printing system. Deprecated.</p></div>
-<a name="INDEX-314"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer driver file = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/usr/local/samba/printers/printers.def</em></p><p>Sets the location of a <em class="emphasis">msprint.def</em> file. Usable
-by Windows 95/98/Me. Part of pre-2.2 printing system. Deprecated.</p></div>
-<a name="INDEX-315"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer driver location = directory</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">\\ server\ PRINTER$</em></p><p>Sets the location of the driver for a particular printer. The value
-is the pathname of the share that stores the printer driver files.
-Part of pre-2.2 printing system. Deprecated.</p></div>
-<a name="INDEX-316"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer name = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">printer</tt>.</p></div>
-<a name="INDEX-317"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printing = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: bsd, sysv, hpux, aix, qnx, plp, softq, lprng, cups</p><p><b class="emphasis-bold">Default</b>: bsd</p><p>Sets the printing style to a value other than that in which
-you've compiled. This sets initial values of at
-least <tt class="literal">print</tt> <tt class="literal">command</tt> ,
-<tt class="literal">lpq</tt> <tt class="literal">command</tt> , and
-<tt class="literal">lprm</tt> <tt class="literal">command</tt>.</p></div>
-<a name="INDEX-318"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>print ok = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Synonym for <tt class="literal">printable</tt>.</p></div>
-<a name="INDEX-319"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>private directory = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/private</em></p><p>Specifies the directory used for storing security-sensitive files
-such as <em class="filename">smbpasswd</em> and
-<em class="filename">secrets.tdb</em>. New in Samba 3.0.</p></div>
-<a name="INDEX-320"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>protocol = name</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NT1, LANMAN2, LANMAN1, COREPLUS, CORE</p><p><b class="emphasis-bold">Default</b>: NT1</p><p>Synonym for <tt class="literal">max protocol</tt>.</p></div>
-<a name="INDEX-321"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>public = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, passwords are not needed for this share. Also called
-<tt class="literal">guest</tt> <tt class="literal">ok</tt>.</p></div>
-<a name="INDEX-322"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>queuepause command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to pause a print queue. Usually initialized to
-a default value by the <tt class="literal">printing</tt> option.</p></div>
-<a name="INDEX-323"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>queueresume command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to resume a print queue. Usually initialized to
-a default value by the <tt class="literal">printing</tt> option.</p></div>
-<a name="INDEX-324"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read bmpx = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, supports the &quot;Read Block
-Multiplex&quot; message. Avoid changing.</p></div>
-<a name="INDEX-325"/><a name="INDEX-326"/><a name="INDEX-327"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read list = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of user and/or group names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of <a name="INDEX-326"/><a name="INDEX-327"/>users given read-only access
-to a writable share.</p></div>
-<a name="INDEX-328"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read only = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Sets a share to read-only. Antonym of <tt class="literal">writable</tt>,
-<tt class="literal">writeable</tt>, and <tt class="literal">write ok</tt>.</p></div>
-<a name="INDEX-329"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read raw = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows clients to read data using a 64K packet size. Recommended.</p></div>
-<a name="INDEX-330"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read size = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 16384</p><p>Allows disk reads and writes to overlap network reads and writes. A
-tuning parameter. Do not set larger than the default.</p></div>
-<a name="INDEX-331"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>realm = string</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Kerberos realm name</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies the realm name for Kerberos 5 authentication. Requires the
-<tt class="literal">--with-krb5</tt> configure option. New in Samba 3.0.</p></div>
-<a name="INDEX-332"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>remote announce = remote list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of remote addresses</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Adds workgroups to the list on which the Samba server will announce
-itself. Specified as an IP address and optional workgroup (for
-instance, 192.168.220.215/SIMPLE) with multiple entries separated by
-spaces. Addresses can be the specific address of the browse master on
-a subnet or on directed broadcasts (i.e., ###.###.###.255). The
-server will appear on those workgroups' browse
-lists. Does not require WINS.</p></div>
-<a name="INDEX-333"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>remote browse sync = list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: IP addresses</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Perform browse list synchronization with other Samba local master
-browsers. Addresses can be specific addresses or directed broadcasts
-(i.e., ###.###.###.255). The latter causes Samba to locate the local
-master browser on that subnet.</p></div>
-<a name="INDEX-334"/><a name="INDEX-335"/><a name="INDEX-336"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>restrict anonymous = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-335"/><a name="INDEX-336"/>Denies access to users who do not
-supply a username. This is disabled by default because when the Samba
-server acts as the domain's PDC, the option can keep
-a client from revalidating its computer account when someone new logs
-in. Use of the option is recommended only when all clients are
-Windows NT/2000/XP systems.</p></div>
-<a name="INDEX-337"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">root</tt> <tt class="literal">directory</tt>.</p></div>
-<a name="INDEX-338"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root dir = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">root</tt> <tt class="literal">directory</tt>.</p></div>
-<a name="INDEX-339"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root directory = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: /</p><p>Specifies a directory to <em class="emphasis">chroot( )</em> before
-starting daemons. Prevents any access outside that directory tree.
-See also the <tt class="literal">wide</tt> <tt class="literal">links</tt>
-configuration option. Also called <tt class="literal">root</tt> and
-<tt class="literal">root</tt> <tt class="literal">dir</tt>.</p></div>
-<a name="INDEX-340"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root postexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as <tt class="literal">root</tt> after disconnecting
-from the share. See also the <tt class="literal">preexec</tt>,
-<tt class="literal">postexec</tt>, and <tt class="literal">root</tt>
-<tt class="literal">preexec</tt> configuration options. Runs after the
-user's <tt class="literal">postexec</tt> command. Use with
-caution.</p></div>
-<a name="INDEX-341"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root preexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as <tt class="literal">root</tt> before connecting to
-the share. See also the <tt class="literal">preexec</tt>,
-<tt class="literal">postexec</tt>, and <tt class="literal">root</tt>
-<tt class="literal">postexec</tt> configuration options. Runs before the
-user's <tt class="literal">preexec</tt> command. Use with
-caution.</p></div>
-<a name="INDEX-342"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root preexec close = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, allows the <tt class="literal">root</tt> <tt class="literal">preexec</tt>
-command to decide if the share can be accessed by the user. If the
-command returns a nonzero return code, the user will be denied
-permission to connect.</p></div>
-<a name="INDEX-343"/><a name="INDEX-344"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>security = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share, user, server, domain</p><p><b class="emphasis-bold">Default</b>: user</p><p>Sets the client
-<a name="INDEX-344"/>authentication method. If
-<tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">share</tt>, services are password-protected, available
-to everyone who knows the password. If <tt class="literal">security</tt>
-<tt class="literal">=</tt> <tt class="literal">user</tt>, users have accounts and
-passwords, and are required to authenticate with the server before
-accessing services. If <tt class="literal">security</tt>
-<tt class="literal">=</tt> <tt class="literal">server</tt>, users have accounts
-and passwords as with <tt class="literal">security = user</tt>, and a
-separate system authenticates them for Samba. If
-<tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">domain</tt>, Windows NT domain authentication is
-implemented using a Windows NT/2000 or other Samba server to validate
-accounts. See also the <tt class="literal">password server</tt> and
-<tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
-configuration options.</p></div>
-<a name="INDEX-345"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>security mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0777</p><p>Controls which permission bits can be changed if a user on a Windows
-NT/2000/XP system edits the Unix permissions of files on the Samba
-server using the Windows system's ACL editing dialog
-box. Any bit that is set in the mask can be changed by the user; any
-bit that is clear remains the same on the file even if the user tries
-to change it. Requires <tt class="literal">nt</tt> <tt class="literal">acl</tt>
-<tt class="literal">support</tt> <tt class="literal">=</tt>
-<tt class="literal">YES</tt>. Note that some rarely used bits map to the
-DOS system, hidden, and archive bits in the file attributes in a
-nonintuitive way.</p></div>
-<a name="INDEX-346"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>server string = string</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: string</p><p><b class="emphasis-bold">Default</b>: Samba <tt class="literal">%v</tt></p><p>Sets the name that corresponds to the Samba server in browse lists.
-Honors the <tt class="literal">%v</tt> (Samba version number) and
-<tt class="literal">%h</tt> (hostname) variables.</p></div>
-<a name="INDEX-347"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>set directory = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Allows the DEC Pathworks client to use the <em class="emphasis">set
-dir</em> command.</p></div>
-<a name="INDEX-348"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>share modes = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Directs Samba to support Windows-style whole-file (deny mode) locks.
-Do not change.</p></div>
-<a name="INDEX-349"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>short preserve case = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, leaves mangled 8.3-style filenames in the case sent by
-the client. If NO, forces the case to that specified by the
-<tt class="literal">default</tt> <tt class="literal">case</tt> option. See also
-<tt class="literal">preserve</tt> <tt class="literal">case</tt>.</p></div>
-<a name="INDEX-350"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>show add printer wizard = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set, tells clients that the Add Printer Wizard can be used to add
-a Samba printer from Windows NT/2000/XP clients. See also
-<tt class="literal">add printer command</tt>, <tt class="literal">delete
-printer</tt> <tt class="literal">comamnd</tt>, and <tt class="literal">printer
-admin</tt>.</p></div>
-<a name="INDEX-351"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>shutdown script = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies a command that initiates a system shutdown. The command is
-run with the UID of the connected user. The <tt class="literal">%m</tt>
-(message), <tt class="literal">%t</tt> (delay time), <tt class="literal">%r</tt>
-(reboot), and <tt class="literal">%f</tt> (force) options are supported.
-See also <tt class="literal">abort shutdown script</tt>. New in Samba 3.0.</p></div>
-<a name="INDEX-352"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smb passwd file = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/private/smbpasswd</em></p><p>Overrides the compiled-in path to the encrypted password file. See
-also <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt> and
-<tt class="literal">private dir</tt>.</p></div>
-<a name="INDEX-353"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>socket address = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: IP address</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the address on which to listen for connections. Default is to
-listen to all addresses.</p></div>
-<a name="INDEX-354"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>socket options = list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: socket option list</p><p><b class="emphasis-bold">Default</b>: TCP_NODELAY</p><p>Sets OS-specific socket options. SO_KEEPALIVE makes TCP check clients
-every four hours to see if they are still accessible. TCP_NODELAY
-sends even tiny packets to keep delay low. Both are recommended
-wherever the operating system supports them.</p></div>
-<a name="INDEX-355"/><a name="INDEX-356"/><a name="INDEX-357"/><a name="INDEX-358"/><a name="INDEX-359"/><a name="INDEX-360"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>source environment = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Causes Samba to read a list of <a name="INDEX-356"/>environment variables from a file upon
-startup. This can be useful when setting up Samba in a
-<a name="INDEX-357"/><a name="INDEX-358"/><a name="INDEX-359"/><a name="INDEX-360"/>clustered environment. The
-filename can begin with a &quot;|&quot;
-(pipe) character, in which case it causes Samba to run the file as a
-command to obtain the variables.</p><p>The file must be owned by <tt class="literal">root</tt> and must not be
-world-writable. If the filename begins with a
-&quot;|&quot; character, it must point to a
-command that is neither world-writable nor resides in a
-world-writable directory.</p><p>The data should be in the form of lines such as
-SAMBA_NETBIOS_NAME=<em class="replaceable">myhostname</em>. This value
-will then be available in the <em class="filename">smb.conf</em> files as
-%$SAMBA_NETBIOS_NAME.</p></div>
-<a name="INDEX-361"/><a name="INDEX-362"/><a name="INDEX-363"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-362"/><a name="INDEX-363"/>Makes
-Samba use SSL for data exchange with some or all hosts. Requires
-<tt class="literal">--with-ssl</tt> configure option.Obsolete starting with
-Samba 3.0.</p></div>
-<a name="INDEX-364"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl CA certDir = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/certs</em></p><p>Specifies a directory containing a file for each Certification
-Authority (CA) that the Samba server trusts so that Samba can verify
-client certificates. Part of SSL support. Requires
-<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
-with Samba 3.0.</p></div>
-<a name="INDEX-365"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl CA certFile = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/certs/trustedCAs.pem</em></p><p>Specifies a file that contains information for each CA that the Samba
-server trusts so that Samba can verify client certificates. Part of
-SSL support. Requires <tt class="literal">--with-ssl</tt> configure option.
-Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-366"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl ciphers = list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of ciphers</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies which ciphers should be offered during SSL negotiation. Not
-recommended. Requires <tt class="literal">--with-ssl</tt> configure option.
-Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-367"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl client cert = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/certs/smbclient.pem</em></p><p>Specifies a file containing the server's SSL
-certificate, for use by <em class="emphasis">smbclient</em> if
-certificates are required in this environment. Requires
-<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
-with Samba 3.0.</p></div>
-<a name="INDEX-368"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl client key = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/private/smbclient.pem</em></p><p>Specifies a file containing the server's private SSL
-key, for use by <em class="emphasis">smbclient</em>. Requires
-<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
-with Samba 3.0.</p></div>
-<a name="INDEX-369"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl compatibility = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Determines whether SSLeay should be configured for bug compatibility
-with other SSL implementations. Not recommended. Requires
-<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
-with Samba 3.0.</p></div>
-<a name="INDEX-370"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl hosts = host list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Requires that SSL be used with the hosts listed. By default, if the
-<tt class="literal">ssl</tt> option is set, the server requires SSL with
-all hosts. Requires <tt class="literal">--with-ssl</tt> configure option.
-Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-371"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl hosts resign = host list</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Suppresses the use of SSL with the hosts listed. By default, if the
-<tt class="literal">ssl</tt> option is set, the server requires SSL with
-all hosts. Requires <tt class="literal">--with-ssl</tt> configure option.
-Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-372"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl require clientcert = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Requires clients to use certificates when SSL is in use. This option
-is recommended if SSL is used. Requires <tt class="literal">--with-ssl</tt>
-configure option. Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-373"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl require servercert = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>When SSL is in use, <em class="emphasis">smbclient</em> requires servers
-to use certificates. This option is recommended if SSL is used.
-Requires <tt class="literal">--with-ssl</tt> configure option. Obsolete
-starting with Samba 3.0.</p></div>
-<a name="INDEX-374"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl server cert = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a file containing the server's SSL
-certificate. Requires <tt class="literal">--with-ssl</tt> configure option.
-Obsolete starting with Samba 3.0.</p></div>
-<a name="INDEX-375"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl server key = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a file containing the server's private SSL
-key. If no file is specified and SSL is in use, the server looks up
-its key in its server certificate. Requires
-<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
-with Samba 3.0.</p></div>
-<a name="INDEX-376"/><a name="INDEX-377"/><a name="INDEX-378"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl version = string</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: &quot;ssl2&quot;,
-&quot;ssl3&quot;,
-&quot;ssl2or3&quot;,
-&quot;tls1&quot;</p><p><b class="emphasis-bold">Default</b>: &quot;ssl2or3&quot;</p><p>Defines which versions of the SSL protocol the server can use:
-Version 2 only (&quot;ssl2&quot;), Version 3
-only (&quot;ssl3&quot;), Version 2 or 3
-dynamically negotiated (&quot;ssl2or3&quot;),
-or Transport Layer Security
-(&quot;tls1&quot;). Requires
-<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
-with Samba 3.0.<a name="INDEX-377"/><a name="INDEX-378"/></p></div>
-<a name="INDEX-379"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>stat cache = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Makes the Samba server cache client names for faster resolution.
-Should not be changed.</p></div>
-<a name="INDEX-380"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>stat cache size = number </i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 50</p><p>Determines the number of client names cached for faster resolution.
-Should not be changed.</p></div>
-<a name="INDEX-381"/><a name="INDEX-382"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>status = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, logs connections to a file (or shared memory)
-accessible to <em class="filename">smbstatus</em>.
-<a name="INDEX-382"/>Obsolete
-starting with Samba 3.0.</p></div>
-<a name="INDEX-383"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strict allocate = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, allocates all disk blocks when creating or extending
-the size of files, instead of using the normal sparse file allocation
-used on Unix. This slows the server, but results in behavior that
-matches that of Windows and helps Samba correctly report
-&quot;out of quota&quot; messages.</p></div>
-<a name="INDEX-384"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strict locking = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, checks locks on every access, not just on demand and
-at open time. Not recommended.</p></div>
-<a name="INDEX-385"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strict sync = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, Samba synchronizes to disk whenever the client sets
-the sync bit in a packet. If set to NO, Samba flushes data to disk
-whenever buffers fill. Defaults to NO because Windows 98 Explorer
-sets the bit (incorrectly) in all packets.</p></div>
-<a name="INDEX-386"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strip dot = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Removes trailing dots from filenames. Dysfunctional in Samba 2.2; use
-<tt class="literal">mangled</tt> <tt class="literal">map</tt> instead.</p></div>
-<a name="INDEX-387"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>sync always = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, Samba forces the data to disk through <em class="emphasis">fsync</em>
-(3) after every write. Avoid except to debug crashing
-servers.</p></div>
-<a name="INDEX-388"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>syslog = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 1</p><p>Sets the level of Samba log messages to send to
-<em class="filename">syslog</em>. Higher is more verbose. The
-<em class="filename">syslog.conf</em> file must have suitable logging
-enabled.</p></div>
-<a name="INDEX-389"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>syslog only = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, logs only to <em class="emphasis">syslog</em> instead of
-the standard Samba log files.</p></div>
-<a name="INDEX-390"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>template homedir = path</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to directory</p><p><b class="emphasis-bold">Default</b>: /home/<tt class="literal">%D</tt>/<tt class="literal">%U</tt></p><p>Sets the home directory for Unix login sessions for users
-authenticated through winbind. <tt class="literal">%D</tt> will be replaced
-with user's domain name; <tt class="literal">%U</tt> by
-the username.</p></div>
-<a name="INDEX-391"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>template shell = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to shell</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/bin/false</em></p><p>Sets the shell for Unix login sessions for users authenticated
-through winbind. The default value prevents all Windows domain user
-logins.</p></div>
-<a name="INDEX-392"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>time offset = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of minutes</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Sets the number of minutes to add to the system time-zone
-calculation. Provided to fix a client daylight-savings bug. Not
-recommended.</p></div>
-<a name="INDEX-393"/><a name="INDEX-394"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>time server = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, <em class="emphasis">nmbd</em><a name="INDEX-394"/>
-advertises itself as a provider of SMB time service to clients. This
-option only affects whether the time service is advertised. It does
-not enable or disable time service.</p></div>
-<a name="INDEX-395"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>timestamp logs = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Synonym for <tt class="literal">debug</tt> <tt class="literal">timestamp</tt>.</p></div>
-<a name="INDEX-396"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>total print jobs = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0 (no limit)</p><p>Limits total number of current print jobs on server. See also
-<tt class="literal">max print jobs</tt>.</p></div>
-<a name="INDEX-397"/><a name="INDEX-398"/><a name="INDEX-399"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>unix extensions = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, supports
-<a name="INDEX-398"/>CIFS Unix extensions, providing
-better filesystem support for Unix clients. <a name="INDEX-399"/>Obsolete in Samba 3.0, which always
-offers support.</p></div>
-<a name="INDEX-400"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>unix password sync = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, attempts to change the user's Unix
-password whenever the user changes her SMB password. Used to ease
-synchronization of Unix and Microsoft password databases. See also
-<tt class="literal">password program</tt> and <tt class="literal">passwd</tt>
-<tt class="literal">chat</tt>.</p></div>
-<a name="INDEX-401"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>update encrypted = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Updates the encrypted password file when a user logs on with an
-unencrypted password. Provided to ease conversion from unencrypted to
-encrypted passwords.</p></div>
-<a name="INDEX-402"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use client driver = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Used for avoiding <tt class="literal">Access Denied; Unable to connect</tt>
-messages when connecting to a Samba printer from Windows NT/2000/XP
-clients. Necessary only when the client has a local printer driver
-for the Samba printer.</p></div>
-<a name="INDEX-403"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use mmap = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Tells Samba whether the <em class="emphasis">mmap( )</em> system call
-works correctly on the Samba host. Default is automatically set
-correctly. Do not change.</p></div>
-<a name="INDEX-404"/><a name="INDEX-405"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use rhosts = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, users' <em class="filename">~/.rhosts</em>
-files will be used to identify systems from which users can connect
-without providing a password. Discouraged. <a name="INDEX-405"/>Obsolete
-in Samba 3.0.</p></div>
-<a name="INDEX-406"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use sendfile = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If yes, Samba will perform some data transfers for exclusively
-oplocked files using the <em class="emphasis">sendfile( )</em> system
-call, which results in significant performance improvements. This is
-available if Samba has been configured with the
-<tt class="literal">--with-sendfile-support</tt> option. This is an
-experimental option and is new in Samba 2.2.5.</p></div>
-<a name="INDEX-407"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>user = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">username</tt>.</p></div>
-<a name="INDEX-408"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>username = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a list of users that are tried when logging on with share-level
-security in effect. Also called <tt class="literal">user</tt> or
-<tt class="literal">users</tt>. Discouraged. Use <tt class="literal">NET</tt>
-<tt class="literal">USE</tt>
-<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\</tt><em class="replaceable">share
-</em><tt class="literal">%</tt><em class="replaceable">user</em>
-from the client instead.</p></div>
-<a name="INDEX-409"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>username level = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Specifies the number of uppercase-letter permutations allowed to
-match Unix usernames. A workaround for Windows'
-single-case usernames. Use is discouraged.</p></div>
-<a name="INDEX-410"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>username map = filename</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Names a file of Unix-to-Windows name pairs; used to map different
-spellings of account names and Windows usernames longer than eight
-characters.</p></div>
-<a name="INDEX-411"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">username</tt>.</p></div>
-<a name="INDEX-412"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>utmp = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>This is available if Samba has been configured with the
-<tt class="literal">--with-utmp</tt> option. If set, Samba adds
-<em class="emphasis">utmp</em>/<em class="emphasis">utmpx</em> records whenever
-a connection is made to a Samba server. Sites can use this option to
-record each connection to a Samba share as a system login.</p></div>
-<a name="INDEX-413"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>utmp directory = directory</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>This is available if Samba has been configured with the
-<tt class="literal">--with-utmp</tt> option. If this option and
-<tt class="literal">utmp</tt> are set, Samba will look in the specified
-directory rather than the default system directory for
-<em class="filename">utmp</em>/<em class="filename">utmpx</em> files.</p></div>
-<a name="INDEX-414"/><a name="INDEX-415"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>valid chars = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of numeric values</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Adds national characters to a character set map. See also
-<tt class="literal">client</tt> <tt class="literal">code</tt>
-<tt class="literal">page</tt>. <a name="INDEX-415"/>Obsolete in Samba 3.0.</p></div>
-<a name="INDEX-416"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>valid users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL (allows everyone)</p><p>Specifies a list of users that can connect to a share. See also
-<tt class="literal">invalid users</tt>.</p></div>
-<a name="INDEX-417"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>veto files = slash-separated list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: slash-separated list of filenames</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of files that the client will not see when listing a
-directory's contents. See also
-<tt class="literal">delete</tt> <tt class="literal">veto</tt>
-<tt class="literal">files</tt> and <tt class="literal">hide files</tt>.</p></div>
-<a name="INDEX-418"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>veto oplock files = slash-separated list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: slash-separated list of filenames</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of files not to oplock (and cache on clients). See
-also <tt class="literal">oplocks</tt> and <tt class="literal">fake</tt>
-<tt class="literal">oplocks</tt>.</p></div>
-<a name="INDEX-419"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>vfs object = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to shared library</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the shared library to use for Samba's
-Virtual File System (VFS). Requires the <tt class="literal">--with-vfs</tt>
-configure option.</p></div>
-<a name="INDEX-420"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>vfs options = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: space-separated list of options</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies parameters to the VFS. Requires the
-<tt class="literal">--with-vfs</tt> configure option. See <tt class="literal">vfs
-object</tt>.</p></div>
-<a name="INDEX-421"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>volume = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the volume label of a disk share. Especially useful with shared
-CD-ROMs.</p></div>
-<a name="INDEX-422"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wide links = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set, Samba follows symlinks out of the disk share. See also the
-<tt class="literal">root</tt> <tt class="literal">dir</tt> and
-<tt class="literal">follow</tt> <tt class="literal">symlinks</tt> options.</p></div>
-<a name="INDEX-423"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind cache time = number</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 15</p><p>Sets the amount of time that the <em class="emphasis">winbindd</em> daemon
-caches user and group information.</p></div>
-<a name="INDEX-424"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind enum users = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES/NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to NO, enumeration of users is suppressed by winbind.
-Discouraged.</p></div>
-<a name="INDEX-425"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind enum groups = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES/NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to NO, enumeration of groups is suppressed by winbind.
-Discouraged.</p></div>
-<a name="INDEX-426"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind gid = numeric range</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer-integer</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the group ID range winbind uses for Windows NT domain users
-connecting to Samba.</p></div>
-<a name="INDEX-427"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind separator = character</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: ASCII character</p><p><b class="emphasis-bold">Default</b>: \</p><p>Specifies the character winbind uses to separate a domain name and
-username.</p></div>
-<a name="INDEX-428"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind uid = numeric range</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer-integer</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the user ID range winbind will use for Windows NT domain
-users connecting to Samba.</p></div>
-<a name="INDEX-429"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins hook = command</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command to run whenever the WINS server updates its
-database. Allows WINS to be synchronized with DNS or other services.
-The command is passed one of the arguments <tt class="literal">add</tt>,
-<tt class="literal">delete</tt>, or <tt class="literal">refresh</tt>, followed by
-the NetBIOS name, the name type (two hexadecimal digits), the TTL in
-seconds, and the IP addresses corresponding to the NetBIOS name.
-Requires <tt class="literal">wins</tt> <tt class="literal">service</tt>
-<tt class="literal">=</tt> <tt class="literal">YES</tt>.</p></div>
-<a name="INDEX-430"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins proxy = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, <em class="emphasis">nmbd</em> proxies resolution requests
-to WINS servers on behalf of old clients, which use broadcasts. The
-WINS server is typically on another subnet.</p></div>
-<a name="INDEX-431"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins server = value</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: hostname or IP address</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the DNS name or IP address of the WINS server.</p></div>
-<a name="INDEX-432"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins support = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, activates the WINS service. The
-<tt class="literal">wins</tt> <tt class="literal">server</tt> option must not be
-set if <tt class="literal">wins</tt> <tt class="literal">support</tt>
-<tt class="literal">=</tt> <tt class="literal">YES</tt>.</p></div>
-<a name="INDEX-433"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>workgroup = name</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: workgroup name</p><p><b class="emphasis-bold">Default</b>: compiled-in</p><p>Sets the workgroup or domain to which the Samba server belongs.
-Overrides the compiled-in default of WORKGROUP. Choosing a name other
-than WORKGROUP is highly recommended.</p></div>
-<a name="INDEX-434"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>writable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Antonym for <tt class="literal">read</tt> <tt class="literal">only</tt>;
-<tt class="literal">writeable</tt> and <tt class="literal">write</tt>
-<tt class="literal">ok</tt> are synonyms.</p></div>
-<a name="INDEX-435"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>writeable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Antonym for <tt class="literal">read</tt> <tt class="literal">only</tt>;
-<tt class="literal">writable</tt> and <tt class="literal">write</tt>
-<tt class="literal">ok</tt> are synonyms.</p></div>
-<a name="INDEX-436"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write cache size = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: decimal number of bytes</p><p><b class="emphasis-bold">Default</b>: 0 (disabled)</p><p>Allocates a write buffer of the specified size in which Samba
-accumulates data before a write to disk. This option can be used to
-ensure that each write has the optimal size for a given filesystem.
-It is typically used with RAID drives, which have a preferred write
-size, and with systems that have large memory and slow disks.</p></div>
-<a name="INDEX-437"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write list = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of users that are given read/write access to a
-read-only share. See also <tt class="literal">read</tt>
-<tt class="literal">list</tt>.</p></div>
-<a name="INDEX-438"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write ok = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Synonym for <tt class="literal">writable</tt>.</p></div>
-<a name="INDEX-439"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write raw = boolean</i></b></font></td><td align="right"><i>[global]
-</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows fast-streaming writes over TCP using 64KB buffers. Recommended.</p></div>
-
-
-
-<div class="sect1"><a name="samba2-APP-B-SECT-2"/>
-
-<h2 class="head1">Glossary of Configuration Value Types</h2>
-
-<dl>
-<dt><b><a name="INDEX-440"/><em class="emphasis">boolean</em></b></dt>
-<dd>
-<p>One of two values, either YES or NO.</p>
-</dd>
-
-
-
-<dt><b>character</b></dt>
-<dd>
-<p>A single ASCII character.</p>
-</dd>
-
-
-
-<dt><b>command</b></dt>
-<dd>
-<p>A Unix script or compiled program, with an absolute path specified
-for the executable and parameters.</p>
-</dd>
-
-
-
-<dt><b>directory</b></dt>
-<dd>
-<p>An absolute path specification to a directory. For example:</p>
-
-<blockquote><pre class="code">/usr/local/samba/lib</pre></blockquote>
-</dd>
-
-</dl>
-
-<dl>
-<dt><b>filename</b></dt>
-<dd>
-<p>An absolute path specification to a file. For example:</p>
-
-<blockquote><pre class="code">/etc/printcap</pre></blockquote>
-</dd>
-
-
-<dt><b>host list</b></dt>
-<dd>
-<p>A list of hosts. Allows IP addresses, address masks, domain names,
-ALL, and EXCEPT.</p>
-</dd>
-
-
-
-<dt><b>interface list</b></dt>
-<dd>
-<p>A list of interfaces, in either address/netmask or address/n-bits
-format. For example:</p>
-
-
-<blockquote><pre class="code">192.168.2.10/255.255.255.0, 192.168.2.10/24</pre></blockquote>
-</dd>
-
-
-<dt><b>map list</b></dt>
-<dd>
-<p>A list of filename remapping strings such as
-<tt class="literal">(*.html</tt> <tt class="literal">*.htm)</tt>.</p>
-</dd>
-
-
-
-<dt><b>name</b></dt>
-<dd>
-<p>A single name of a type of object, as specified in the
-option's description.</p>
-</dd>
-
-
-
-<dt><b>number</b></dt>
-<dd>
-<p>A positive integer.</p>
-</dd>
-
-
-
-<dt><b>numeric range</b></dt>
-<dd>
-<p>Two numbers separated by a dash, specifying a minimum and a maximum
-value. For example:</p>
-
-
-<blockquote><pre class="code">100-250</pre></blockquote>
-</dd>
-
-
-<dt><b>remote list</b></dt>
-<dd>
-<p>A list of subnet-broadcast-address/workgroup pairs. For example:</p>
-
-<blockquote><pre class="code">192.168.2.255/SERVERS 192.168.4.255/STAFF</pre></blockquote>
-</dd>
-
-
-<dt><b>service (share) list</b></dt>
-<dd>
-<p>A list of service (share) names, without the enclosing parentheses.</p>
-</dd>
-
-
-
-<dt><b>slash-separated list</b></dt>
-<dd>
-<p>A list of filenames, separated by
-&quot;/&quot; characters to allow embedded
-spaces. For example:</p>
-
-
-<blockquote><pre class="code">/.*/My Documents/*.doc/</pre></blockquote>
-</dd>
-
-
-<dt><b>string</b></dt>
-<dd>
-<p>One line of arbitrary text.</p>
-</dd>
-
-
-
-<dt><b>user list</b></dt>
-<dd>
-<p>A list of usernames and/or group names.
-<tt class="literal">@</tt><em class="replaceable">group_name</em> includes
-whomever is in the NIS netgroup
-<em class="replaceable">group_name</em>, if one exists, or otherwise
-whomever is in the Unix group <em class="replaceable">group_name</em>.
-In addition,
-<tt class="literal">+</tt><em class="replaceable">group_name</em> is a Unix
-group, <tt class="literal">&amp;</tt><em class="replaceable">group_name</em>
-is an NIS netgroup, and <tt class="literal">&amp;+</tt> and
-<tt class="literal">+&amp;</tt> cause an ordered search of both Unix and
-NIS groups.</p>
-</dd>
-
-
-
-<dt><b>value</b></dt>
-<dd>
-<p>A value of some miscellaneous type, as specified in the
-option's description.<a name="INDEX-441"/></p>
-</dd>
-
-</dl>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-APP-B-SECT-3"/>
-
-<h2 class="head1">Configuration File Variables</h2>
-
-<p><a href="appb.html#samba2-APP-B-TABLE-1">Table B-1</a> lists the Samba configuration file
-variables.</p>
-
-<a name="samba2-APP-B-TABLE-1"/><h4 class="head4">Table B-1. Configuration file variables</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Name</p>
-</th>
-<th>
-<p>Meaning</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">%a</tt></p>
-</td>
-<td>
-<p>Client's architecture (Samba, WfWg, WinNT, Win95, or
-UNKNOWN)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%d</tt></p>
-</td>
-<td>
-<p>Current server process's process ID</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%D</tt></p>
-</td>
-<td>
-<p>User's Windows NT Domain</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%f</tt></p>
-</td>
-<td>
-<p>Printer spool file as a relative path (printing only)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%f</tt></p>
-</td>
-<td>
-<p>User from which a message was sent (messages only)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%G</tt></p>
-</td>
-<td>
-<p>Primary group name of <tt class="literal">%U</tt> (requested username)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%g</tt></p>
-</td>
-<td>
-<p>Primary group name of <tt class="literal">%u</tt> (actual username)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%H</tt></p>
-</td>
-<td>
-<p>Home directory of <tt class="literal">%u</tt> (actual username)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%h</tt></p>
-</td>
-<td>
-<p>Samba server's (Internet) hostname</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%I</tt></p>
-</td>
-<td>
-<p>Client's IP address</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%j</tt></p>
-</td>
-<td>
-<p>Print job number (printing only)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%L</tt></p>
-</td>
-<td>
-<p>Samba server's NetBIOS name (virtual servers have
-multiple names)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%M</tt></p>
-</td>
-<td>
-<p>Client's (Internet) hostname</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%m</tt></p>
-</td>
-<td>
-<p>Client's NetBIOS name</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%N</tt></p>
-</td>
-<td>
-<p>Name of the NIS home directory server (without NIS, same as
-<tt class="literal">%L</tt>)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%n</tt></p>
-</td>
-<td>
-<p>New password (password change only)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%o</tt></p>
-</td>
-<td>
-<p>Old password (password change only)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%P</tt></p>
-</td>
-<td>
-<p>Current share's root directory (actual)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%p</tt></p>
-</td>
-<td>
-<p>Current share's root directory (in an NIS homedir
-map)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%p</tt></p>
-</td>
-<td>
-<p>Print filename (printing only)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%R</tt></p>
-</td>
-<td>
-<p>Protocol level in use (CORE, COREPLUS, LANMAN1, LANMAN2, or NT1)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%S</tt></p>
-</td>
-<td>
-<p>Current share's name</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%s</tt></p>
-</td>
-<td>
-<p>Name of the file in which the message resides (messages only)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%s</tt></p>
-</td>
-<td>
-<p>Printer spool filename (printing only)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%T</tt></p>
-</td>
-<td>
-<p>Current date and time</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%t</tt></p>
-</td>
-<td>
-<p>Destination system (messages only)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%U</tt></p>
-</td>
-<td>
-<p>Requested username for current share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%u</tt></p>
-</td>
-<td>
-<p>Current share's username</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%v</tt></p>
-</td>
-<td>
-<p>Samba version</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>%$<em class="replaceable">name</em></p>
-</td>
-<td>
-<p>Value of environment variable <em class="replaceable">name</em></p>
-</td>
-</tr>
-
-</table>
-
-
-</div>
-
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-
-</body></html>
diff --git a/docs/htmldocs/using_samba/appc.html b/docs/htmldocs/using_samba/appc.html
deleted file mode 100644
index 22ec5a5115..0000000000
--- a/docs/htmldocs/using_samba/appc.html
+++ /dev/null
@@ -1,4534 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Appendix C. Summary of Samba Daemons and Commands</h1>
-
-
-<p>This appendix is a reference listing of command-line options and
-other information to help you use the programs that come with the
-Samba distribution.</p>
-
-
-
-<div class="sect1"><a name="samba2-APP-C-SECT-1"/>
-
-<h2 class="head1">Samba Daemons</h2>
-
-<p>The following sections provide information about the command-line
-parameters for <em class="emphasis">smbd</em>, <em class="emphasis">nmbd</em>,
-and <em class="emphasis">winbindd</em>.</p>
-
-</div>
-
-
-<a name="INDEX-1"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbd</em> program provides
-Samba's file and printer services, using one TCP/IP
-stream and one daemon per client. It is controlled from
-<em class="filename">/usr/local/samba/lib/smb.conf</em>, the default
-configuration file, which can be overridden by command-line options.</p><p>The configuration file is automatically reevaluated every minute. If
-it has changed, most new options are immediately effective. You can
-force Samba to reload the configuration file immediately by sending a
-SIGHUP signal to <em class="emphasis">smbd</em>. Reloading the
-configuration file does not affect any clients that are already
-connected. To escape this condition, a client would need to
-disconnect and reconnect, or the server itself would have to be
-restarted, forcing all clients to reconnect.</p>
-<div class="sect1"><a name="appc-5-fm2xml"/>
-
-<h4 class="refsect1">Other Signals</h4>
-<p>To shut down an <em class="emphasis">smbd</em> process, send it the
-termination signal SIGTERM (15), which allows it to die gracefully,
-instead of a SIGKILL (9). With Samba versions prior to 2.2, the
-debugging level could be raised or lowered using SIGUSR1 or SIGUSR2.
-This is no longer supported. Use <em class="emphasis">smbcontrol</em>
-instead.</p>
-
-</div>
-
-<div class="sect1"><a name="appc-6-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbd <em class="replaceable">[options]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-7-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-a</tt></b></dt>
-<dd>
-<p>Causes each new connection to the Samba server to append all logging
-messages to the log file. This option is the opposite of
-<tt class="literal">-o</tt> and is the default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-D</tt></b></dt>
-<dd>
-<p>Runs the <em class="emphasis">smbd</em> program as a daemon. This is the
-recommended way to use <em class="emphasis">smbd</em>. It is also the
-default action when <em class="emphasis">smbd</em> is run from an
-interactive command line. In addition, <em class="emphasis">smbd</em> can
-be run from <em class="emphasis">inetd</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">debug_level</em></b></dt>
-<dd>
-<p>Sets the debug (sometimes called logging) level. The level can range
-from 0 to 10. Specifying the value on the command line overrides the
-value specified in the <em class="filename">smb.conf</em> file. Debug
-level 0 logs only the most important messages; level 1 is normal;
-levels 3 and above are primarily for debugging and slow
-<em class="emphasis">smbd</em> considerably.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-h</tt> </b></dt>
-<dd>
-<p>Prints usage information for the <em class="emphasis">smbd</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-i</tt></b></dt>
-<dd>
-<p>Runs <em class="emphasis">smbd</em> interactively, rather than as a
-daemon. This option is used to override the default daemon mode when
-<em class="emphasis">smbd</em> is run from the command line.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_ directory</em></b></dt>
-<dd>
-<p>Sends the log messages to somewhere other than the location compiled
-into the executable or specified in the <em class="filename">smb.conf</em>
-file. The default is often
-<em class="filename">/usr/local/samba/var/</em>,
-<em class="filename">/usr/samba/var/</em>, or
-<em class="filename">/var/log/</em>. The log file is placed in the
-specified directory and named <em class="filename">log.smbd</em>. If the
-directory does not exist, Samba's compiled-in
-default will be used.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-O</tt> <em class="replaceable">socket_options</em></b></dt>
-<dd>
-<p>Sets the TCP/IP socket options, using the same parameters as the
-<tt class="literal">socket options</tt> configuration option. Often used
-for performance tuning and testing.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-o</tt></b></dt>
-<dd>
-<p>Causes log files to be overwritten when opened (the opposite of
-<tt class="literal">-a</tt>). Using this option saves you from hunting for
-the right log entries if you are performing a series of tests and
-inspecting the log file each time.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-p</tt> <em class="replaceable">port_number</em></b></dt>
-<dd>
-<p>Sets the TCP/IP port number from which the server will accept
-requests. All Microsoft clients send to the default port of 139,
-except for Windows 2000/XP, which can use port 445 for SMB
-networking, without the NetBIOS protocol layer.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-P</tt></b></dt>
-<dd>
-<p>Causes <em class="emphasis">smbd</em> to run in
-&quot;passive&quot; mode, in which it just
-listens, and does not transmit any network traffic. This is useful
-only for debugging by developers.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">configuration_ file</em></b></dt>
-<dd>
-<p>Specifies the location of the Samba configuration file. Although the
-file defaults to <em class="filename">/usr/local/samba/lib/smb.conf</em>,
-you can override it on the command line. Typically used for
-debugging.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-v</tt></b></dt>
-<dd>
-<p>Prints the current version of Samba.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-2"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nmbd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">nmbd</em> program is Samba's
-NetBIOS name service and browsing daemon. It replies to NetBIOS over
-TCP/IP (also called NetBT or NBT) name-service requests broadcast
-from SMB clients, and optionally to Microsoft's
-Windows Internet Name Service (WINS) requests. Both are versions of
-the name-to-address lookup required by SMB clients. The broadcast
-version uses UDP broadcast on the local subnet only, while WINS uses
-TCP, which can be routed. If running as a WINS server,
-<em class="emphasis">nmbd</em> keeps a current name and address database
-in the file <em class="filename">/usr/local/samba/var/locks/wins.dat</em>.</p><p>An active <em class="emphasis">nmbd</em> daemon also responds to browsing
-protocol requests used by the Windows Network Neighborhood. This
-protocol provides a dynamic directory of servers, as well as the
-disks and printers that the servers are providing. As with WINS, this
-was initially done by making UDP broadcasts on the local subnet. With
-the addition of the local master browser to the network architecture,
-it is done by making TCP connections to a server. If
-<em class="emphasis">nmbd</em> is acting as a local master browser, it
-stores the browsing database in the file
-<em class="filename">/usr/local/samba/var/locks/browse.dat</em>.</p><p>Some clients (especially older ones) cannot use the WINS protocol. To
-support these clients, <em class="emphasis">nmbd</em> can act as a WINS
-proxy, accepting broadcast requests from the non-WINS clients,
-contacting a WINS server on their behalf, and returning the WINS
-server's response to them.</p>
-<div class="sect1"><a name="appc-9-fm2xml"/>
-
-<h4 class="refsect1">Signals</h4>
-<p>Like <em class="emphasis">smbd</em>, the <em class="emphasis">nmbd</em> program
-responds to several Unix signals. Sending <em class="emphasis">nmbd</em> a
-SIGHUP signal causes it to dump the names it knows about to the
-<em class="filename">/usr/local/samba/var/locks/namelist.debug</em> file.
-To shut down an <em class="emphasis">nmbd</em> process and allow it to die
-gracefully, send it a SIGTERM (15) signal, rather than a SIGKILL (9).
-With Samba versions prior to 2.2, the debugging level could be raised
-or lowered using SIGUSR1 or SIGUSR2. This is no longer supported. Use
-<em class="emphasis">smbcontrol</em> instead.</p>
-
-</div>
-
-<div class="sect1"><a name="appc-10-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">nmbd <em class="replaceable">[options]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-11-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-a</tt></b></dt>
-<dd>
-<p>Causes each new connection to the Samba server to append all logging
-messages to the log file. This option is the opposite of
-<tt class="literal">-o</tt> and is the default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">debug_level</em></b></dt>
-<dd>
-<p>Sets the debug (sometimes called logging) level. The level can range
-from 0 to 10. Specifying the value on the command line overrides the
-value specified in the <em class="filename">smb.conf</em> file. Debug
-level 0 logs only the most important messages; level 1 is normal;
-levels 3 and above are primarily for debugging and slow
-<em class="emphasis">nmbd</em> considerably.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-D</tt></b></dt>
-<dd>
-<p>Instructs the <em class="emphasis">nmbd</em> program to run as a daemon.
-This is the recommended way to use <em class="emphasis">nmbd</em> and is
-the default when <em class="emphasis">nmbd</em> is run from an interactive
-shell. In addition, <em class="emphasis">nmbd</em> can be run from
-<em class="emphasis">inetd</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-h</tt> </b></dt>
-<dd>
-<p>Prints usage information for the <em class="emphasis">nmbd</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-H</tt> <em class="replaceable">lmhosts_ file</em></b></dt>
-<dd>
-<p>Specifies the location of the <em class="emphasis">lmhosts</em> file for
-name resolution. This file is used only to resolve names for the
-local server, and not to answer queries from remote systems. The
-compiled-in default is commonly
-<em class="filename">/usr/local/samba/lib/lmhosts</em>,
-<em class="filename">/usr/samba/lib/lmhosts</em>, or
-<em class="filename">/etc/lmhosts</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-i</tt></b></dt>
-<dd>
-<p>Runs <em class="emphasis">nmbd</em> interactively, rather than as a
-daemon. This option is used to override the default daemon mode when
-<em class="emphasis">nmbd</em> is run from the command line.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_ file</em></b></dt>
-<dd>
-<p>Sends the log messages to somewhere other than the location compiled
-into the executable or specified in the <em class="filename">smb.conf</em>
-file. The default is often
-<em class="filename">/usr/local/samba/var/log.nmbd</em>,
-<em class="emphasis">/usr/samba/var/log.nmbd</em>, or <em class="emphasis">/var/log
-/log.nmbd</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-n</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
-<dd>
-<p>Allows you to override the NetBIOS name by which the daemon
-advertises itself. Specifying this option on the command line
-overrides the <tt class="literal">netbios name</tt> option in the Samba
-configuration file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-O</tt> <em class="replaceable">socket_options</em></b></dt>
-<dd>
-<p>Sets the TCP/IP socket options, using the same parameters as the
-<tt class="literal">socket options</tt> configuration option. Often used
-for performance tuning and testing.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-o</tt></b></dt>
-<dd>
-<p>Causes log files to be overwritten when opened (the opposite of
-<tt class="literal">-a</tt>). This option saves you from hunting for the
-right log entries if you are performing a series of tests and
-inspecting the log file each time.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-p</tt> <em class="replaceable">port_number</em></b></dt>
-<dd>
-<p>Sets the UDP port number from which the server accepts requests.
-Currently, all Microsoft clients use only the default port, 137.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">configuration_ file</em></b></dt>
-<dd>
-<p>Specifies the location of the Samba configuration file. Although the
-file defaults to <em class="filename">/usr/local/samba/lib/smb.conf</em>,
-you can override it here on the command line. Typically used for
-debugging.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-v</tt></b></dt>
-<dd>
-<p>Prints the current version of Samba.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-3"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbindd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">winbindd</em> daemon is part of the winbind
-service and is used to allow Unix systems to obtain user and group
-information from a Windows NT/2000 server. Winbind maps Windows
-relative IDs (RIDs) to Unix UIDs and GIDs and allows accounts stored
-on the Windows server to be used for Unix authentication. Its purpose
-is to ease integration of Microsoft and Unix networks when a
-preexisting Windows domain controller is set up to handle user and
-computer accounts.</p><p>The daemon is accessed by users via the name service switch and PAM.
-The name service switch calls a library
-(<em class="filename">/lib/libnss_winbind.so</em>), which calls the
-daemon, which in turn calls the Windows NT/2000 server using
-Microsoft RPC. The PAM module for winbind can call the daemon
-similarly, allowing users whose accounts are stored on the Windows
-server to log in to the Unix system and run an interactive shell,
-FTP, or any other program that authenticates users through PAM.</p><p>The winbind subsystem is currently available only for the Linux
-operating system and a few other systems that use shared libraries,
-nsswitch and PAM.</p>
-<div class="sect1"><a name="appc-13-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">winbindd <em class="replaceable">[options]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-14-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">debuglevel</em></b></dt>
-<dd>
-<p>Sets the debug (sometimes called logging) level. The level can range
-from 0 to 10. Specifying the value on the command line overrides the
-value specified in the <em class="filename">smb.conf</em> file. Debug
-level 0 logs only the most important messages; level 1 is normal;
-levels 3 and above are primarily for debugging.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-i</tt></b></dt>
-<dd>
-<p>Runs <em class="emphasis">winbindd</em> interactively. This option is used
-to override the default, which is for winbindd to detach and run as a
-daemon.</p>
-</dd>
-
-</dl>
-
-</div>
-</div>
-
-
-
-
-
-<div class="sect1"><a name="samba2-APP-C-SECT-2"/>
-
-<h2 class="head1">Samba Distribution Programs</h2>
-
-<p>This section lists the command-line options and subcommands provided
-by each nondaemon program in the Samba distribution.</p>
-
-</div>
-
-
-
-<a name="INDEX-4"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>findsmb</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This Perl script reports information about systems on the subnet that
-respond to SMB name-query requests. The report includes the IP
-address, NetBIOS name, workgroup/domain, and operating system of each
-system.</p>
-<div class="sect1"><a name="appc-17-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">findsmb <em class="replaceable">[subnet_broadcast_address]</em></pre></blockquote>
-<p>If a different subnet's broadcast address is
-provided, it will find SMB servers on that subnet. If no subnet
-broadcast address is supplied, <em class="emphasis">findsmb</em> will look
-on the local subnet.</p>
-
-<p>The output from <em class="emphasis">findsmb</em> looks like this:</p>
-<blockquote><pre class="code">$ <tt class="userinput"><b>findsmb</b></tt>
- *=DMB
- +=LMB
-IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
----------------------------------------------------------------------
-172.16.1.1 TOLTEC *[METRAN] [Unix] [Samba 2.2.6]
-172.16.1.3 MIXTEC +[METRAN] [Unix] [Samba 2.2.6]
-172.16.1.4 ZAPOTEC [METRAN] [Windows 5.0] [Windows 2000 LAN Manager]
-172.16.1.5 HUASTEC [ METRAN ]
-172.16.1.6 MAYA [ METRAN ]
-172.16.1.7 OLMEC [METRAN] [Windows 5.1] [Windows 2000 LAN Manager]
-172.16.1.10 UTE [ METRAN ]
-172.16.1.13 DINE [METRAN] [Windows NT 4.0] [NT LAN Manager 4.0]</pre></blockquote>
-<p>The system with an asterisk (<tt class="literal">*</tt>) in front of its
-workgroup name is the domain master browser for the workgroup/domain,
-and the system with a plus sign (+) preceding its workgroup name is
-the local master browser.</p>
-
-<p>The <em class="emphasis">findsmb</em> command was introduced during the
-development of Samba 2.2 and is installed by default in Samba
-Versions 2.2.5 and later.</p>
-
-</div>
-</div>
-
-<a name="INDEX-5"/><a name="INDEX-6"/><a name="INDEX-7"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>make_smbcodepage</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program is part of the
-<a name="INDEX-6"/>internationalization features of
-Samba 2.2 and is obsolete in Samba 3.0, which supports
-<a name="INDEX-7"/>Unicode
-automatically. The <em class="emphasis">make_smbcodepage</em> program
-compiles a binary codepage file from a text-format codepage
-definition. It can also perform the reverse operation, decompiling a
-binary codepage file into a text version. Examples of text-format
-codepage files can be found in the Samba distribution in the
-<em class="filename">source/codepages</em> directory. After Samba has been
-installed, examples of binary codepages can be found in the directory
-<em class="filename">/usr/local/samba/lib/codepages</em>.</p>
-<div class="sect1"><a name="appc-19-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">make_smbcodepage <em class="replaceable">c|d codepage_number input_file output_file</em></pre></blockquote>
-<p>For the first argument, use <tt class="literal">c</tt> to compile a
-codepage and <tt class="literal">d</tt> to decompile a codepage file. The
-<em class="replaceable">codepage_number</em> argument is the number of
-the codepage being processed (e.g., 850). The
-<em class="replaceable">input_file</em> and
-<em class="replaceable">output_file</em> are the text- and
-binary-format codepages, with the types dependent on the operation
-(compiling or decompiling) that is being performed.</p>
-
-</div>
-</div>
-
-<a name="INDEX-8"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>make_unicodemap</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program is part of the internationalization features of Samba
-2.2 and is obsolete in Samba 3.0, which supports Unicode
-automatically. The <em class="emphasis">make_unicodemap</em> command
-compiles binary Unicode maps from text files, so Samba can display
-non-ASCII characters in file and directory names via the Unicode
-international alphabets. Examples of input mapping files can be found
-in the directory <em class="filename">source/codepages</em> in the Samba
-source distribution.</p>
-<div class="sect1"><a name="appc-21-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">make_unicodemap <em class="replaceable">codepage_number inputfile outputfile</em></pre></blockquote>
-<p>The input file is an ASCII map; the output file is a binary file
-loadable by Samba. The codepage is the number of the DOS codepage
-(e.g., 850) for the map.</p>
-
-</div>
-</div>
-
-<a name="INDEX-9"/><a name="INDEX-10"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>net</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">net</em> command, new to Samba 3.0, is a program
-with a syntax similar to the MS-DOS/Windows command of the same name.
-It is used for performing various administrative functions related to
-Windows networking, which can be executed either locally or on a
-remote system.</p>
-<div class="sect1"><a name="appc-23-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">net <em class="replaceable">[method] function [misc_options] [target_options]</em></pre></blockquote>
-<p>The <em class="replaceable">function</em> argument is made up of one or
-more space-separated words. In Windows terminology, it is sometimes
-referred to as a function with options. Here we list every function
-in its complete form, including multiple words.</p>
-
-<p>By default, the action is performed on the local system. The
-<em class="replaceable">target_options</em> argument can be used to
-specify a remote system (either by hostname or IP address), a domain,
-or a workgroup.</p>
-
-<p>Depending on the function, the <em class="replaceable">method</em>
-argument can be optional, required, or disallowed. It specifies one
-of three methods for performing the operation specified by the rest
-of the command. It can be <tt class="literal">ads</tt> (Active Directory),
-<tt class="literal">rpc</tt> (Microsoft's DCE/RPC), or
-<tt class="literal">rap</tt> (Microsoft's original SMB
-remote procedure call). To determine which methods (if any) can be
-used with a function, the <tt class="literal">net help ads</tt>,
-<tt class="literal">net help rap</tt>, and <tt class="literal">net help rpc</tt>
-commands can be used to list the functions for each method.</p>
-
-</div>
-
-<div class="sect1"><a name="appc-24-fm2xml"/>
-
-<h4 class="refsect1">Miscellaneous options</h4>
-
-<dl>
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">level</em></b></dt>
-<dt><b><tt class="literal">--debug=l</tt><em class="replaceable">evel</em></b></dt>
-<dd>
-<p>Sets the debug (sometimes called logging) level. The level can range
-from 0 to 10.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-l</tt></b></dt>
-<dt><b><tt class="literal">--long</tt></b></dt>
-<dd>
-<p><tt class="literal">S</tt>pecifies the long listing mode. This is provided
-for functions that print informational listings.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-n</tt> <em class="replaceable">name</em></b></dt>
-<dt><b><tt class="literal">--myname</tt><em class="emphasis">=</em><em class="replaceable">name</em></b></dt>
-<dd>
-<p>Specifies the NetBIOS name for the client.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-p</tt> <em class="replaceable">port</em></b></dt>
-<dt><b><tt class="literal">--port</tt><em class="emphasis">=</em><em class="replaceable">port</em></b></dt>
-<dd>
-<p>Specifies the port number to use.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
-<dt><b><tt class="literal">--conf</tt><em class="emphasis">=</em><em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Specifies the name of the Samba configuration file, overriding the
-compiled-in default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-U</tt> <em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
-<dt><b><tt class="literal">--user</tt><em class="emphasis">=</em><em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
-<dd>
-<p>Specifies the username and, optionally, the password to use for
-functions that require authentication.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-W</tt> <em class="replaceable">name</em></b></dt>
-<dt><b><tt class="literal">--myworkgroup</tt>=<em class="replaceable">name</em></b></dt>
-<dd>
-<p>Specifies the name of the client's workgroup,
-overriding the definition of the <tt class="literal">workgroup</tt>
-parameter in the Samba configuration file.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-<div class="sect1"><a name="appc-25-fm2xml"/>
-
-<h4 class="refsect1">Target options</h4>
-
-<dl>
-<dt><b><tt class="literal">-S</tt> <em class="replaceable">hostname</em></b></dt>
-<dd>
-<p>Specifies the remote system using a hostname or NetBIOS name.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-I</tt> <em class="replaceable">ip_address</em></b></dt>
-<dd>
-<p>Specifies the remote system using its IP address.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-w</tt> <em class="replaceable">workgroup</em></b></dt>
-<dd>
-<p>Specifies the name of the target domain or workgroup.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-<div class="sect1"><a name="appc-26-fm2xml"/>
-
-<h4 class="refsect1">Functions</h4>
-
-<dl>
-<dt><b><tt class="literal">abortshutdown</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">rpc</tt> <tt class="literal">abortshutdown</tt>
-function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ads</tt> <tt class="literal">info</tt></b></dt>
-<dd>
-<p>Prints information about the Active Directory server. The method
-(<tt class="literal">ads</tt>) must be specified to differentiate this
-function from the <tt class="literal">rpc info</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ads</tt> <tt class="literal">join</tt> <em class="replaceable">OU</em></b></dt>
-<dd>
-<p>Joins the local system to the Active Directory realm (organizational
-unit) specified by OU. The method (<tt class="literal">ads</tt>) must be
-specified to differentiate this function from the <tt class="literal">rpc
-join</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ads</tt> <tt class="literal">leave</tt></b></dt>
-<dd>
-<p>Removes the local system from the Active Directory realm.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ads password</tt> <em class="replaceable">username</em><tt class="literal">@</tt><em class="replaceable">REALM</em> <tt class="literal">-U</tt><em class="replaceable">admin_username</em><tt class="literal">@</tt><em class="replaceable">REALM</em><tt class="literal">%admin_</tt><em class="replaceable">password</em></b></dt>
-<dd>
-<p>Changes the Active Directory password for the user specified by
-<em class="replaceable">username</em><tt class="literal">@</tt><em class="replaceable">REALM</em>.
-The administrative account authentication information is specified
-with the <tt class="literal">-U</tt> option. The Active Directory realm
-must be supplied in all uppercase.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ads printer info</tt> <em class="replaceable">[printer] [server]</em></b></dt>
-<dd>
-<p>Prints information on the specified printer on the specified server.
-The <em class="replaceable">printer</em> argument defaults to an
-asterisk (<tt class="literal">*</tt>), meaning all printers, and the
-<em class="replaceable">server</em> argument defaults to
-<tt class="literal">localhost</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ads printer publish</tt> <em class="replaceable">printer_name</em></b></dt>
-<dd>
-<p>Publishes the specified printer in Active Directory.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ads printer remove</tt> <em class="replaceable">printer_name</em></b></dt>
-<dd>
-<p>Removes the specified printer from Active Directory.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ads search</tt> <em class="replaceable">expr attrib</em></b></dt>
-<dd>
-<p>Performs a raw Active Directory search, using the standard LDAP
-search expression and attributes specified by the
-<em class="replaceable">expr</em> and <em class="replaceable">attrib</em>
-arguments, respectively.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ads status</tt></b></dt>
-<dd>
-<p>Prints details about the Active Directory computer account of the
-system.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">change localhost pass</tt></b></dt>
-<dd>
-<p>Changes the Active Directory password for the local
-system's computer trust account.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">domain</tt></b></dt>
-<dd>
-<p>Lists the domains or workgroups on the network.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">file</tt></b></dt>
-<dd>
-<p>Lists open files on the server.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">file close</tt> <em class="replaceable">file_id</em></b></dt>
-<dd>
-<p>Closes the specified file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">file info</tt> <em class="replaceable">file_id</em></b></dt>
-<dd>
-<p>Prints information about the specified file, which must be open.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">file user</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Lists all files opened on the server by the user specified by
-<em class="replaceable">username</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">group add</tt> <em class="replaceable">group_name</em></b></dt>
-<dd>
-<p>Adds the specified group. This function accepts the miscellaneous
-option <tt class="literal">-C</tt> <em class="replaceable">comment</em>
-(which can also be specified as <tt class="literal">-
--comment=</tt><em class="replaceable">string</em>) to set the
-descriptive comment for the group.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">group delete</tt> <em class="replaceable">group_name</em></b></dt>
-<dd>
-<p>Deletes the specified group.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">groupmember add</tt> <em class="replaceable">group_name username</em></b></dt>
-<dd>
-<p>Adds the user specified by <em class="replaceable">username</em> to the
-group specified by <em class="replaceable">group_name</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">groupmember delete</tt> <em class="replaceable">group_name username</em></b></dt>
-<dd>
-<p>Deletes the user specified by <em class="replaceable">username</em>
-from the group specified by <em class="replaceable">group_name</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">groupmember list</tt> <em class="replaceable">group_name</em></b></dt>
-<dd>
-<p>Lists the users who are members of the specified group.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">help</tt></b></dt>
-<dd>
-<p>Prints a help message for the <em class="emphasis">net</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">help</tt> <em class="replaceable">method</em></b></dt>
-<dd>
-<p>Prints a help message for <em class="replaceable">method</em>, which
-can be <tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
-<tt class="literal">rpc</tt>. This lists the functions that can use the
-method, along with a brief description.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">help</tt> <em class="replaceable">function</em></b></dt>
-<dd>
-<p>Prints a help message for the specified function, which can be more
-than one word.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">info</tt></b></dt>
-<dd>
-<p>Must be preceded by a method. See the <tt class="literal">ads</tt>
-<tt class="literal">info</tt> and <tt class="literal">rpc</tt>
-<tt class="literal">info</tt> functions.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">join</tt></b></dt>
-<dd>
-<p>Joins the computer to a Windows NT domain or Active Directory realm.
-If the method argument is not specified, a check is made to determine
-if Active Directory is in use, and if so, <tt class="literal">ads join</tt>
-is performed. Otherwise, <tt class="literal">rpc join</tt> is run. See also
-the <tt class="literal">ads join</tt> and <tt class="literal">rpc join</tt>
-functions.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">leave</tt></b></dt>
-<dd>
-<p>Must be preceded by a method. See the <tt class="literal">ads</tt>
-<tt class="literal">leave</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lookup dc</tt> <em class="replaceable">[domain]</em></b></dt>
-<dd>
-<p>Prints the IP address of the specified domain's
-domain controllers. The domain defaults to the value of the
-<tt class="literal">workgroup</tt> parameter in the Samba configuration
-file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lookup host</tt> <em class="replaceable">hostname [type]</em></b></dt>
-<dd>
-<p>Prints the IP address of the specified host.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lookup kdc</tt> <em class="replaceable">[realm]</em></b></dt>
-<dd>
-<p>Prints the IP address of the specified realm's
-Kerberos domain controller. If <em class="replaceable">realm</em> is
-not specified, it defaults to the value of the
-<tt class="literal">realm</tt> parameter in the Samba configuration file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lookup ldap</tt> <em class="replaceable">[domain]</em></b></dt>
-<dd>
-<p>Prints the IP address of the specified domain's LDAP
-server. If <em class="replaceable">domain</em> is not specified, it
-defaults to the value of the <tt class="literal">workgroup</tt> parameter
-in the Samba configuration file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lookup master</tt> <em class="replaceable">[domain]</em></b></dt>
-<dd>
-<p>Prints the IP address of the master browser of the specified domain
-or workgroup. If <em class="replaceable">domain</em> is not specified,
-it defaults to the value of the <tt class="literal">workgroup</tt>
-parameter in the Samba configuration file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">password</tt> <em class="replaceable">username old_password new_password</em></b></dt>
-<dd>
-<p>Changes the password for the user specified by the
-<em class="replaceable">username</em> argument. The
-user's old and new passwords are provided in plain
-text as part of the command. Be careful regarding security issues.
-See also the <tt class="literal">ads password</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">printer info</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">ads printer info</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">printer publish</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">ads printer publish</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">printer remove</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">ads printer remove</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">printq</tt></b></dt>
-<dd>
-<p>Prints information (including the job IDs) about printer queues on
-the server.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">printq delete</tt> <em class="replaceable">queue_name</em></b></dt>
-<dd>
-<p>Deletes the specified printer queue. The
-<tt class="literal">-j</tt>
-<em class="replaceable">job_id</em> (which can also be
-specified as
-<tt class="literal">--jobid</tt><em class="emphasis">=</em><em class="replaceable">job_id</em>
-) option may be used to specify the job ID of the queue.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rpc abortshutdown</tt></b></dt>
-<dd>
-<p>Aborts the shutdown of a remote server.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rpc info</tt></b></dt>
-<dd>
-<p>Prints information about the server's domain. The
-method (<tt class="literal">rpc</tt>) must be specified to differentiate
-this function from the <tt class="literal">ads</tt> <tt class="literal">info</tt>
-function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rpc join</tt> </b></dt>
-<dd>
-<p>Joins a computer to a Windows NT domain. If the <tt class="literal">-U</tt>
-<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>
-option is included, the specified username and password will be used
-as the administrative account required for authenticating with the
-PDC. If the <tt class="literal">-U</tt> option is not included, this
-function can be used only to join the computer to the domain after
-the computer account has been created using the Server Manager. The
-method (<tt class="literal">rpc</tt>) must be specified to differentiate
-this function from the <tt class="literal">ads</tt> <tt class="literal">join</tt>
-function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rpc shutdown</tt></b></dt>
-<dd>
-<p>Shuts down a server. This function accepts the <tt class="literal">-r</tt>,
-<tt class="literal">-f</tt>, <tt class="literal">-t</tt>, and
-<tt class="literal">-c</tt> miscellaneous options. The
-<tt class="literal">-r</tt> option (which can also be specified as
-<tt class="literal">--reboot</tt>) requests that the system reboot after
-shutting down. The <tt class="literal">-f</tt> option (which can also be
-specified as <tt class="literal">--force</tt>) forces a shutdown. The
-<tt class="literal">-t</tt> <em class="replaceable">timeout</em> option
-(which can also be specified as <tt class="literal">-
--timeout=</tt><em class="replaceable">number</em>) specifies the
-number of seconds to wait before shutting down, and the
-<tt class="literal">-c</tt> <em class="replaceable">comment</em> option
-(which can also be specified as <tt class="literal">-
--comment=</tt><em class="replaceable">string</em>) can be used to
-specify a message to the client user. On Windows, the comment appears
-in the Message area in the System Shutdown dialog box.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rpc trustdom add</tt> <em class="replaceable">domain_name</em></b></dt>
-<dd>
-<p>Adds an account for the trust relationship with the specified Windows
-NT domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rpc trustdom establish</tt> <em class="replaceable">domain_name</em></b></dt>
-<dd>
-<p>Establishes a trust relationship with the specified Windows NT domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rpc trustdom revoke</tt> <em class="replaceable">domain_name</em></b></dt>
-<dd>
-<p>Revokes the trust relationship with the specified Windows NT domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">search</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">ads search</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">server</tt></b></dt>
-<dd>
-<p>Lists servers in the domain or workgroup, which defaults to the value
-of the <tt class="literal">workgroup</tt> parameter in the Samba
-configuration file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">session</tt></b></dt>
-<dd>
-<p>Lists clients with open sessions to the server.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">session delete NetBIOS_</tt><em class="replaceable">name</em></b></dt>
-<dd>
-<p>Closes the session to the server from the specified client. A synonym
-is <tt class="literal">session</tt> <tt class="literal">close</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">session close</tt></b></dt>
-<dd>
-<p>A synonym for <tt class="literal">session delete</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">share</tt></b></dt>
-<dd>
-<p>Lists the shares offered by the server. When a Windows 95/98/Me
-server is the target system, it might be necessary to specify the
-method as <tt class="literal">rap</tt> for this to work properly.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">share add</tt> <em class="replaceable">share_name</em><tt class="literal">=</tt><em class="replaceable">server_path</em></b></dt>
-<dd>
-<p>Adds a share on the target server. The name of the share and the
-folder to be shared are specified by the
-<em class="replaceable">share_name</em><tt class="literal">=</tt><em class="replaceable">server_path</em>
-argument, with <em class="replaceable">server_path</em> the Windows
-directory name, with spaces and other special characters (if any)
-quoted and with the backslashes escaped (e.g.,
-&quot;<tt class="literal">data=C:\\Documents</tt> <tt class="literal">and</tt>
-<tt class="literal">Settings\\jay\\Desktop\\data</tt>&quot;). The
-<tt class="literal">-C</tt> <em class="replaceable">comment</em> option
-(which can also be specified as <tt class="literal">-
--comment=</tt><em class="replaceable">string</em>) can be used to
-define a description for the share. The <tt class="literal">-M</tt>
-<em class="replaceable">number</em> option (which can also be specified
-as <tt class="literal">--maxusers=</tt><em class="replaceable">number</em>)
-can be used to set the maximum number of users that can connect to
-the share. The method (<tt class="literal">rap</tt> or
-<tt class="literal">rpc</tt>) might need to be specified for this function
-to work. The regular folder icon cannot change into a
-&quot;shared folder&quot; icon in Windows
-Explorer until the display is refreshed.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">share delete</tt> <em class="replaceable">share_name</em></b></dt>
-<dd>
-<p>Deletes a share from the target server. The
-<em class="replaceable">share_name</em> argument is simply the name of
-the share on the target server, not a UNC. The method
-(<tt class="literal">rap</tt> or <tt class="literal">rpc</tt>) might need to be
-specified for this function to work. The &quot;shared
-folder&quot; icon in Windows Explorer cannot change back
-to the regular folder icon until the display is refreshed.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">shutdown</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">rpc shutdown</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">status</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">ads status</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">time</tt></b></dt>
-<dd>
-<p>Displays the system time&mdash;in Unix <em class="emphasis">date</em>
-command format&mdash;on the target system.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">time set</tt></b></dt>
-<dd>
-<p>Sets the local system's hardware clock using the
-time obtained from the operating system.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">time system</tt></b></dt>
-<dd>
-<p>Sets the time on the local system using the time obtained from the
-remote system.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">time zone</tt></b></dt>
-<dd>
-<p>Prints the time zone (in hours from GMT) in use on the system.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">trustdom add</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">rpc trustdom add</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">trustdom establish</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">rpc trustdom establish</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">trustdom revoke</tt></b></dt>
-<dd>
-<p>See the <tt class="literal">rpc trustdom revoke</tt> function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">user</tt></b></dt>
-<dd>
-<p>Lists user accounts. The method can be specified as
-<tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
-<tt class="literal">rpc</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">user add</tt> <em class="replaceable">username [password]</em></b></dt>
-<dd>
-<p>Adds a user account for the user specified by
-<em class="replaceable">username</em>. The <tt class="literal">-c</tt>
-<em class="replaceable">comment</em> option (which can also be
-specified as <tt class="literal">-
--comment=</tt><em class="replaceable">string</em>) can be used to
-set a comment for the account. The <tt class="literal">-F</tt>
-<em class="replaceable">user_flags</em> option can be used to set flags
-(specified in numeric format) for the account. The method can be
-specified as <tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
-<tt class="literal">rpc</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">user delete</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Deletes the specified user's account. The method can
-be specified as <tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
-<tt class="literal">rpc</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">user info</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Lists the domain groups to which the specified user belongs. The
-method can be specified as <tt class="literal">ads</tt>,
-<tt class="literal">rap</tt>, or <tt class="literal">rpc</tt>. <a name="INDEX-10"/></p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-11"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nmblookup</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">nmblookup</em> program is a client program that
-allows command-line access to NetBIOS name service for resolving
-NetBIOS computer names into IP addresses. The program works by
-broadcasting its queries on the local subnet until a machine with the
-specified name responds. You can think of it as a Windows analog of
-<em class="emphasis">nslookup</em> or <em class="emphasis">dig</em>. This is
-useful for looking up regular computer names, as well as
-special-purpose names, such as _ _MSBROWSE_ _ . If you wish to query
-for a particular type of NetBIOS name, add the NetBIOS type to the
-end of the name, using the format
-<em class="replaceable">netbios_name</em><tt class="literal">#&lt;</tt><em class="replaceable">dd</em><tt class="literal">&gt;</tt>.</p>
-<div class="sect1"><a name="appc-28-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">nmblookup <em class="replaceable">[options] netbios_name</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-29-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-A</tt></b></dt>
-<dd>
-<p>Interprets <em class="replaceable">netbios_name</em> as an IP address
-and does a node status query on it.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-B</tt> <em class="replaceable">broadcast_address</em></b></dt>
-<dd>
-<p>Sends the query to the given broadcast address. The default is to
-send the query to the broadcast address of the primary network
-interface.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">debug_level</em></b></dt>
-<dd>
-<p>Sets the debug (sometimes called logging) level. The level can range
-from 0 to 10. Debug level 0 logs only the most important messages.
-Level 1 is normal; levels 3 and above are primarily used by
-developers for debugging the <em class="emphasis">nmblookup</em> program
-itself and slow the program considerably.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-f</tt></b></dt>
-<dd>
-<p>Prints the flags in the packet headers.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-h</tt></b></dt>
-<dd>
-<p>Prints command-line usage information for the program.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-i</tt> <em class="replaceable">scope</em></b></dt>
-<dd>
-<p>Sets a NetBIOS scope identifier. NetBIOS scope is a rarely used
-precursor to workgroups.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-M</tt></b></dt>
-<dd>
-<p>Searches for a local master browser by looking up
-<em class="replaceable">netbios_name</em><tt class="literal">&lt;1d&gt;</tt>.
-If <em class="replaceable">netbios_name</em> is specified as a dash
-(<tt class="literal">-</tt>), a lookup is done on the special name _
-_MSBROWSE_ _ .</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-R</tt></b></dt>
-<dd>
-<p>Sets the &quot;recursion desired&quot; bit in
-the packet. This causes the system that responds to try a WINS lookup
-and return the address and any other information the WINS server has
-saved.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-r</tt></b></dt>
-<dd>
-<p>Uses the <tt class="literal">root</tt> port of 137. This option exists as a
-bug workaround for Windows 95. This option might require the user to
-be superuser.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-S</tt></b></dt>
-<dd>
-<p>Performs a node status query once the name query has returned an IP
-address. This returns all the resource types that the system knows
-about, including their numeric attributes. For example:</p>
-
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S toltec</b></tt>
-querying toltec on 172.16.1.255
-172.16.1.1 toltec&lt;00&gt;
-Looking up status of 172.16.1.1
- TOLTEC &lt;00&gt; - M &lt;ACTIVE&gt;
- TOLTEC &lt;03&gt; - M &lt;ACTIVE&gt;
- TOLTEC &lt;20&gt; - M &lt;ACTIVE&gt;
- ..__MSBROWSE__. &lt;01&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
- METRAN &lt;00&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
- METRAN &lt;1b&gt; - M &lt;ACTIVE&gt;
- METRAN &lt;1c&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
- METRAN &lt;1d&gt; - M &lt;ACTIVE&gt;
- METRAN &lt;1e&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;</pre></blockquote>
-</dd>
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">configuration_ file</em></b></dt>
-<dd>
-<p>Specifies the location of the Samba configuration file. Although the
-file defaults to <em class="filename">/usr/local/samba/lib/smb.conf</em>,
-you can override it here on the command line. Normally used for
-debugging.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-T</tt></b></dt>
-<dd>
-<p>Translates IP addresses into resolved names.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-U</tt> <em class="replaceable">unicast_address</em></b></dt>
-<dd>
-<p>Performs a unicast query to the specified address. Used with
-<tt class="literal">-R</tt> to query WINS servers.</p>
-</dd>
-
-</dl>
-
-
-<p>Note that <em class="emphasis">nmblookup</em> has no option for setting
-the workgroup. You can get around this by putting
-<tt class="literal">workgroup</tt> <tt class="literal">=</tt>
-<em class="replaceable">workgroup_name</em> in a file and passing it to
-<em class="emphasis">nmblookup</em> with the
-<tt class="literal">-s</tt> option.</p>
-
-</div>
-</div>
-
-<a name="INDEX-12"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>pdbedit</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program, new to Samba 3.0, can be used to manage accounts that
-are held in a SAM database. The implementation of the database can be
-any of the types supported by Samba, including the
-<em class="filename">smbpasswd</em> file, LDAP, NIS+ and the
-<em class="filename">tdb</em> database library. The user must be the
-superuser to use this tool.</p>
-<div class="sect1"><a name="appc-31-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">pdbedit <em class="replaceable">[options]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-32-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-a</tt></b></dt>
-<dd>
-<p>Adds the user specified by the <tt class="literal">-u</tt> option to the
-SAM database. The command issues a prompt for the
-user's password.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">drive_letter</em></b></dt>
-<dd>
-<p>Sets the Windows drive letter to which to map the
-user's home directory. The drive letter should be
-specified as a letter followed by a colon&mdash;e.g.,
-<tt class="literal">H</tt>:.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-D</tt> <em class="replaceable">debug_level</em></b></dt>
-<dd>
-<p>Sets the debug (sometimes called logging) level. The level can range
-from 0 to 10. Debug level 0 logs only the most important messages.
-Level 1 is normal, and levels 3 and above are primarily for
-debugging.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-e</tt> <em class="replaceable">pwdb_backend</em></b></dt>
-<dd>
-<p>Exports the user account database to another format, written to the
-specified location. Used for migrating from one type of account
-database to another. The <em class="replaceable">pwdb_backend</em>
-argument is specified in the format of a database type, followed by a
-colon, then the location of the database. For example, to export the
-existing account database to an <em class="filename">smbpasswd</em>
-database in the file
-<em class="filename">/usr/local/samba/private/smbpw</em>,
-<em class="replaceable">pwdb_backend</em> would be specified as
-<tt class="literal">smbpasswd:/usr/local/samba/private/smbpw</tt>. The
-allowable database types are <tt class="literal">smbpasswd</tt>,
-<tt class="literal">smbpasswd nua</tt>, <tt class="literal">tdbsam</tt>,
-<tt class="literal">tdbsam nua</tt>, <tt class="literal">ldapsam</tt>,
-<tt class="literal">ldapsam_nua</tt>, and <tt class="literal">plugin</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-f</tt> <em class="replaceable">full_name</em></b></dt>
-<dd>
-<p>Sets the full name of the user specified with the
-<tt class="literal">-u</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-h</tt> <em class="replaceable">unc</em></b></dt>
-<dd>
-<p>Sets the home directory path (as a UNC) for the user specified with
-the <tt class="literal">-u</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-i</tt> <em class="replaceable">pwdb_backend</em></b></dt>
-<dd>
-<p>Specifies a password database backend from which to retrieve account
-information, overriding the one specified by the <tt class="literal">passdb
-backend</tt> parameter in the Samba configuration file. This,
-along with the <tt class="literal">-e</tt> option, is useful for migrating
-user accounts from one type of account database to another. See the
-<tt class="literal">-e</tt> option regarding how to specify the
-<em class="replaceable">pwdb_backend</em> argument.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-l</tt></b></dt>
-<dd>
-<p>Lists the user accounts in the database. See also the
-<tt class="literal">-v</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-m</tt></b></dt>
-<dd>
-<p>Indicates that the account is a computer account rather than a user
-account. Used only with the <tt class="literal">-a</tt> option when
-creating the account. In this case, the <tt class="literal">-u</tt> option
-specifies the computer name rather than a username.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-p</tt> <em class="replaceable">unc</em></b></dt>
-<dd>
-<p>Sets the directory in which the user's profile is
-kept. The directory is specified as a UNC.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">unc</em></b></dt>
-<dd>
-<p>Specifies the UNC of the user's logon script.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-u</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Specifies the username of the account to add (with the
-<tt class="literal">-a</tt> option), delete (with the <tt class="literal">-x</tt>
-option), or modify.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-v</tt></b></dt>
-<dd>
-<p>Selects verbose mode when listing accounts with the
-<tt class="literal">-l</tt> option. The account fields will be printed.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-w</tt></b></dt>
-<dd>
-<p>Selects the <tt class="literal">smbpasswd</tt> listing mode, for use with
-the <tt class="literal">-l</tt> option, which prints information in the
-same format as it would appear in an <em class="filename">smbpasswd</em>
-file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-x</tt></b></dt>
-<dd>
-<p>Deletes the user (specified with the <tt class="literal">-u</tt> option)
-from the account database.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-13"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>rpcclient</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This is a program for issuing administrative commands that are
-implemented using Microsoft RPCs. It provides access to the RPCs that
-Windows administrative GUIs use for system management. The
-<em class="emphasis">rpcclient</em> command is mainly for use by advanced
-users who understand the RPCs. More information on these can be found
-in Microsoft's Platform Software Development Kit
-(SDK), available for download from the Microsoft web site at
-<a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p><p>You can run a single <em class="emphasis">rpcclient</em> command by using
-the <tt class="literal">-c command string</tt> option, or interactively
-with <em class="emphasis">rpcclient</em> prompting for commands.</p>
-<div class="sect1"><a name="appc-34-fm2xml"/>
-
-<h4 class="refsect1">Command Synopsis</h4>
-
-<p>rpcclient <em class="replaceable">server [options]</em></p>
-
-
-</div>
-
-<div class="sect1"><a name="appc-35-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-A</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Specifies a file from which to read the authentication values used in
-the connection. The format of the file is as follows:</p>
-
-<blockquote><pre class="code">username = <em class="replaceable">value</em>
-password = <em class="replaceable">value</em>
-domain = <em class="replaceable">value</em></pre></blockquote>
-
-<p>This option is used to avoid password prompts or to have the password
-appear in plain text inside scripts. The permissions on the file
-should be very restrictive (0600, for example) to prevent access from
-unwanted users.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-c</tt> <em class="replaceable">command_string</em></b></dt>
-<dd>
-<p>Executes a sequence of semicolon-separated commands. Commands are
-listed in the following section.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">debuglevel</em></b></dt>
-<dd>
-<p>Sets the debug (sometimes called logging) level. The level can range
-from 0 to 10. Specifying the value on the command line overrides the
-value specified in the <em class="filename">smb.conf</em> file. Debug
-level 0 logs only the most important messages; level 1 is normal;
-levels 3 and above are primarily for debugging and slow the program
-considerably.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-h</tt></b></dt>
-<dd>
-<p>Prints a summary of options.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-l</tt> <em class="replaceable">logbasename</em></b></dt>
-<dd>
-<p>Sets the filename for log/debug files. The extension
-<em class="filename">.client</em> is appended to the filename.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-N</tt></b></dt>
-<dd>
-<p>Does not prompt for a password. This is used when Samba is configured
-for share-mode security and a service with no password is being
-accessed.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Specifies the location of the Samba configuration file, which by
-default is usually
-<em class="filename">/usr/local/samba/lib/smb.conf</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-U</tt> <em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
-<dd>
-<p>Sets the SMB username or username and password to use. Be careful
-when specifying the password with
-<tt class="literal">%</tt><em class="replaceable">password</em>; this is a
-major security risk. If
-<tt class="literal">%</tt><em class="replaceable">password</em> is not
-specified, the user will be prompted for the password, which will not
-be echoed. Normally the user is set from the USER or LOGNAME
-environment variable. The <tt class="literal">-U</tt> option by itself
-means to use the guest account. See also <tt class="literal">-A</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-W</tt> <em class="replaceable">domain</em></b></dt>
-<dd>
-<p>Sets the domain, overriding the <tt class="literal">workgroup</tt>
-parameter in the Samba configuration file. If the domain is the
-server's NetBIOS name, it causes the client to log
-on using the server's local SAM database rather than
-the SAM of the domain.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-14"/><a name="INDEX-15"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>rpcclient commands</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>Aside from a few miscellaneous commands, the
-<em class="emphasis">rpclient</em> commands fall into three groups:
-LSARPC, SAMR, and SPOOLSS. The function names mentioned in some of
-the commands are those documented in the Microsoft Platform SDK.</p>
-<div class="sect1"><a name="appc-37-fm2xml"/>
-
-<h4 class="refsect1">General commands</h4>
-
-<dl>
-<dt><b><tt class="literal">debuglevel</tt> <em class="replaceable">level</em></b></dt>
-<dd>
-<p>Sets the debugging level to <em class="replaceable">level</em>. With no
-argument, the current debugging level is printed.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">help</tt></b></dt>
-<dd>
-<p>Prints help on the commands.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">quit</tt></b></dt>
-<dd>
-<p>Exits <em class="emphasis">rpcclient</em>. A synonym is
-<tt class="literal">exit</tt>.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-<div class="sect1"><a name="appc-38-fm2xml"/>
-
-<h4 class="refsect1">Local Security Authority Remote Procedure Calls (LSARPC) commands</h4>
-
-<dl>
-<dt><b><tt class="literal">enumprivs</tt></b></dt>
-<dd>
-<p>Lists the types of privileges known to this domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">enumtrust</tt></b></dt>
-<dd>
-<p>Lists the domains trusted by this domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">getdispname</tt> <em class="replaceable">priv_name</em></b></dt>
-<dd>
-<p>Prints information on the privilege named
-<em class="replaceable">priv_name</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lookupsids</tt> <em class="replaceable">name</em></b></dt>
-<dd>
-<p>Finds a name that corresponds to a security identifier (SID).</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lookupnames</tt> <em class="replaceable">sid</em></b></dt>
-<dd>
-<p>Finds the SID for one or more names.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lsaquery</tt></b></dt>
-<dd>
-<p>Queries the LSA object.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lsaenumsid</tt></b></dt>
-<dd>
-<p>Lists SIDs for the local LSA.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lsaquerysecobj</tt></b></dt>
-<dd>
-<p>Prints information on security objects for the LSA.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-<div class="sect1"><a name="appc-39-fm2xml"/>
-
-<h4 class="refsect1">Security Access Manager RPC (SAMR) commands</h4>
-
-<dl>
-<dt><b><tt class="literal">createdomuser</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Adds a new user in the domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">deletedomuser</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Removes a user from the domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">enumalsgroups</tt> <em class="replaceable">type</em></b></dt>
-<dd>
-<p>Lists alias groups in the domain, along with their group RIDs. The
-<em class="replaceable">type</em> argument can be either
-<tt class="literal">builtin</tt>, to list Windows built-in groups such as
-<tt class="literal">Administrators</tt> and <tt class="literal">Power</tt>
-<tt class="literal">Users</tt>, or <tt class="literal">domain</tt>, to list
-groups in the domain. See also the
-<em class="emphasis">queryuseraliases</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">enumdomgroups</tt></b></dt>
-<dd>
-<p>Lists the groups in the domain, along with their group RIDs.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">queryaliasmem</tt> <em class="replaceable">user_rid</em></b></dt>
-<dd>
-<p>Prints information regarding alias membership. See also the
-<em class="emphasis">queryuseraliases</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">querydispinfo</tt></b></dt>
-<dd>
-<p>Prints out the account database. The information printed includes the
-RID, username, and full name of each user. The RID is printed in
-hexadecimal notation and can be used in this form for commands that
-take a RID as an argument.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">querydominfo</tt></b></dt>
-<dd>
-<p>Prints information regarding the domain. This includes the name of
-the domain, as well as the number of users, groups, and aliases.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">querygroup</tt> <em class="replaceable">group_rid</em></b></dt>
-<dd>
-<p>Given a group RID, prints the group name, description, number of
-members, and group description.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">queryuser</tt> <em class="replaceable">user_rid</em></b></dt>
-<dd>
-<p>Given a user RID, prints the corresponding username, full name, and
-other information pertaining to the user.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">queryuseraliases</tt> <em class="replaceable">type</em> <em class="replaceable">user_rid</em></b></dt>
-<dd>
-<p>Prints aliases for the user. The <em class="replaceable">type</em>
-argument can be either <tt class="literal">builtin</tt> or
-<tt class="literal">domain</tt>. Aliases are used with the Windows
-messaging service and act like usernames, but they can be attached to
-a computer rather than a user. This allows messages intended for a
-user to be sent to a computer on which the user is either not logged
-on, or logged on under another username.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">queryusergroups</tt> <em class="replaceable">user_rid</em></b></dt>
-<dd>
-<p>Prints information on each group inhabited by the user.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">querygroupmem</tt> <em class="replaceable">group_rid</em></b></dt>
-<dd>
-<p>Prints the RID and attributes for each member of the group.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">samlookupnames</tt> <em class="replaceable">type username</em></b></dt>
-<dd>
-<p>Looks up the <em class="replaceable">username</em> in the SAM database
-and prints its associated RID. The <em class="replaceable">type</em>
-argument can be either <tt class="literal">builtin</tt>, to look up
-built-in Windows usernames, or <tt class="literal">domain</tt>, to look up
-names in the domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">samlookuprids</tt> <em class="replaceable">type rid</em></b></dt>
-<dd>
-<p>Looks up <em class="replaceable">rid</em> in the SAM database and
-prints its associated group or username. The
-<em class="replaceable">type</em> argument can be either
-<tt class="literal">builtin</tt>, to look up built-in Windows usernames, or
-<tt class="literal">domain</tt>, to look up names in the domain. The RID
-argument can be given in either 0xDDD hexadecimal notation or
-decimal.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">samquerysecobj</tt></b></dt>
-<dd>
-<p>Prints information on security objects (such as ACLs) in the SAM
-database.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-<div class="sect1"><a name="appc-40-fm2xml"/>
-
-<h4 class="refsect1">Windows NT/2000/XP Printing Services (SPOOLSS) commands</h4>
-
-<dl>
-<dt><b><tt class="literal">adddriver</tt> <em class="replaceable">arch config_file</em> </b></dt>
-<dd>
-<p>Adds a printer driver to the server. The driver files must already
-exist in the directory returned by <em class="emphasis">getdriverdir</em>.
-The <em class="replaceable">arch</em> argument can be one of
-<tt class="literal">Windows 4.0</tt> for Windows 95/98/Me, or
-<tt class="literal">Windows NT x86</tt>, <tt class="literal">Windows NT
-PowerPC</tt>, <tt class="literal">Windows Alpha_AXP</tt>, and
-<tt class="literal">Windows NT R4000</tt>. Others might be introduced in
-the future.</p>
-
-
-<p>The <em class="replaceable">config_file</em> should contain:</p>
-
-<blockquote><pre class="code">Long Printer Name:\
-Driver File Name:\
-Data File Name:\
-Config File Name:\
-Help File Name:\
-NULL:\
-Default Data Type:\</pre></blockquote>
-
-<p>followed by a comma-separated list of files. Any empty fields should
-contain the string <tt class="literal">NULL</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">addprinter</tt> <em class="replaceable">printername sharename drivername port</em> </b></dt>
-<dd>
-<p>Adds a printer on the remote server as
-<em class="replaceable">sharename</em>. The printer driver must already
-be installed on the server with <em class="emphasis">adddriver</em>, and
-the port must be a valid port name returned by
-<em class="emphasis">enumports</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">deldriver</tt> <em class="replaceable">drivername</em></b></dt>
-<dd>
-<p>Deletes a printer driver (for all architectures) from the
-server's list of printer drivers.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">enumports</tt> <em class="replaceable">[level]</em></b></dt>
-<dd>
-<p>Prints information regarding the printer ports on the server. The
-<em class="replaceable">level</em> argument can be <tt class="literal">1</tt>
-or <tt class="literal">2</tt>. Level 1 is the default and prints out only
-the Port Name. Information level 2 is the Port Name, Monitor Name,
-Description, and Port Type.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">enumdrivers</tt> <em class="replaceable">[level]</em> </b></dt>
-<dd>
-<p>Lists all the printer drivers on the system. The
-<em class="replaceable">level</em> argument specifies the information
-level. Level 1 is the default and prints the Driver Name(s). Level 2
-prints the Version, Driver Name, Architecture, Driver Path, Data
-File, and Config File. Level 3 prints the contents of Level 2, plus
-the Help File, one or more Dependent Files, Monitor Name, and Default
-Data Type.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">enumprinters</tt> <em class="replaceable">[level]</em></b></dt>
-<dd>
-<p>Lists all installed printers, regardless of whether they are shared.
-The <em class="replaceable">level</em> argument specifies the
-information level. Level 1 is the default, and prints Flags, Name,
-Description, and Comment. Level 2 prints the Server Name, Printer
-Name, Share Name, Port Name, Driver Name, Comment, Location,
-Separator File, Print Processor, Data Type, Parameters, Attributes,
-Priority, Default Priority, Start Time, Until Time, Status, Current
-Jobs, Average PPM (pages per minute), and a Security Descriptor.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">getdriver</tt> <em class="replaceable">[level] printername</em></b></dt>
-<dd>
-<p>Prints the printer driver information for the given printer. The
-<em class="replaceable">level</em> argument specifies the information
-level.</p>
-
-
-<p>Level 1 is the default, and prints the Driver Name. Level 2 prints
-the Version, Driver Name, Architecture, Driver Path, Data File, and
-Config File. Level 3 prints the contents of level 2, plus the Help
-File, one or more Dependent Files, Monitor Name, and Default Data
-Type.</p>
-</dd>
-
-
-<dt><b><tt class="literal">getdriverdir</tt> <em class="replaceable">arch</em></b></dt>
-<dd>
-<p>Retrieves the share name and directory for storing printer driver
-files for a given architecture. Possible values for
-<em class="replaceable">arch</em> are &quot;<tt class="literal">Windows</tt>
-<tt class="literal">4.0</tt>&quot; for Windows 95/98/Me,
-&quot;<tt class="literal">Windows</tt> <tt class="literal">NT</tt>
-<tt class="literal">x86</tt>&quot; for Windows NT on Intel,
-&quot;<tt class="literal">Windows</tt> <tt class="literal">NT</tt>
-<tt class="literal">PowerPC</tt>&quot; for Windows NT on PowerPC,
-&quot;<tt class="literal">Windows</tt> <tt class="literal">Alpha</tt>
-<tt class="literal">AXP</tt>&quot; for Windows NT on Alpha, and
-&quot;<tt class="literal">Windows</tt> <tt class="literal">NT</tt>
-<tt class="literal">R4000</tt>&quot; for Windows NT on MIPS. Include the quote
-marks in the command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">getprinter</tt> <em class="replaceable">printername</em></b></dt>
-<dd>
-<p>Prints the current printer information. The
-<em class="replaceable">level</em> argument specifies the information
-level.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">openprinter</tt> <em class="replaceable">printername</em></b></dt>
-<dd>
-<p>Attempts to open and close a specified printer and reports whether it
-was successful.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">setdriver</tt> <em class="replaceable">printername drivername</em></b></dt>
-<dd>
-<p>Unconditionally updates the printer driver used by an installed
-printer. Both the printer and printer driver must already be
-correctly installed on the print server.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">setprinter</tt> <em class="replaceable">printername comment</em></b></dt>
-<dd>
-<p>Assigns a comment string to a printer.<a name="INDEX-15"/></p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-16"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbcacls</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program provides a way of modifying Windows NT ACLs on files and
-directories shared by the Samba server.</p>
-<div class="sect1"><a name="appc-42-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbcacls //<em class="replaceable">server</em>/<em class="replaceable">share filename</em> <em class="replaceable">[options]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-43-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-A</tt> <em class="replaceable">acls</em></b></dt>
-<dd>
-<p>Adds one or more ACLs to the file or directory. Any ACLs already
-existing for the file or directory are unchanged.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-M</tt> <em class="replaceable">acls</em></b></dt>
-<dd>
-<p>Modifies the <em class="replaceable">mask</em> of the ACLs specified.
-Refer to the following section, &quot;Specifying
-ACLs,&quot; for details.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-D</tt> <em class="replaceable">acls</em></b></dt>
-<dd>
-<p>Deletes the specified ACLs.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-S</tt> <em class="replaceable">acls</em></b></dt>
-<dd>
-<p>Sets the specified ACLs, deleting any ACLs previously set on the file
-or directory. The ACLs must contain at least a revision, type, owner,
-and group.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-U</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Sets the username used to connect to the specified service. The user
-is prompted for a password unless the argument is specified as
-<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>.
-(Specifying the password on the command line is a security risk.) If
-<tt class="literal">-U</tt>
-<em class="replaceable">domain</em><tt class="literal">\\</tt><em class="replaceable">username</em>
-is specified, the specified domain or workgroup will be used in place
-of the one specified in the <em class="filename">smb.conf</em> file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-C</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Changes the owner of the file or directory. This is a shortcut for
-<tt class="literal">-M</tt>
-<tt class="literal">OWNER</tt>:<em class="replaceable">username</em>. The
-<em class="replaceable">username</em> argument can be given as a
-username or a SID in the form
-<tt class="literal">S-1-</tt><em class="replaceable">N-N-D-D-D-R</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-G</tt> <em class="replaceable">groupname</em></b></dt>
-<dd>
-<p>Changes the group of the file or directory. This is a shortcut for
-<tt class="literal">-M</tt>
-<tt class="literal">GROUP</tt>:<em class="replaceable">groupname</em>. The
-<em class="replaceable">groupname</em> argument can be given as a group
-name or a SID in the form
-<tt class="literal">S-1-</tt><em class="replaceable">N-N-D-D-D-R</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-n</tt></b></dt>
-<dd>
-<p>Causes all ACL information to be displayed in numeric format rather
-than in readable strings.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-h</tt></b></dt>
-<dd>
-<p>Prints a help message.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-<div class="sect1"><a name="appc-44-fm2xml"/>
-
-<h4 class="refsect1">Specifying ACLs</h4>
-<p>In the previous options, the same format is always used when
-specifying ACLs. An ACL is made up of one or more Access Control
-Entries (ACEs), separated by either commas or escaped newlines. An
-ACE can be one of the following:</p>
-
-<blockquote class="simplelist">
-
-<p><tt class="literal">REVISION</tt>:<em class="replaceable">revision_number</em></p>
-
-
-
-
-<p><tt class="literal">OWNER</tt>:<em class="replaceable">username_or_SID</em></p>
-
-
-
-
-<p><tt class="literal">GROUP</tt>:<em class="replaceable">group_name_or_SID</em></p>
-
-
-
-
-<p><tt class="literal">ACL</tt>:<em class="replaceable">name_or_SID</em>:<em class="replaceable">type</em>/<em class="replaceable">flags</em>/<em class="replaceable">mask</em></p>
-
-</blockquote>
-
-
-<p>The <em class="replaceable">revision_number</em> should always be 1.
-The <tt class="literal">OWNER</tt> and <tt class="literal">GROUP</tt> entries can
-be used to set the owner and group for the file or directory. The
-names can be the textual ones or SIDs in the form
-<tt class="literal">S-1-</tt><em class="replaceable">N</em><tt class="literal">-</tt><em class="replaceable">N</em><tt class="literal">-</tt><em class="replaceable">D</em><tt class="literal">-</tt><em class="replaceable">D-D-R</em>.</p>
-
-<p>The <tt class="literal">ACL</tt> entry specifies what access rights to
-apply to the file or directory. The
-<em class="replaceable">name_or_SID</em> field specifies to which user
-or group the permissions apply and can be supplied either as a
-textual name or a SID. An ACE can be used to either allow or deny
-access. The <em class="replaceable">type</em> field is set to
-<tt class="literal">1</tt> to specify a permission to be allowed or
-<tt class="literal">0</tt> for specifying a permission to deny. The
-<em class="replaceable">mask</em> field is the name of the permission
-and is one of the following:</p>
-
-<dl>
-<dt><b><tt class="literal">R</tt></b></dt>
-<dd>
-<p>Read access.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">W</tt></b></dt>
-<dd>
-<p>Write access.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">X</tt></b></dt>
-<dd>
-<p>Execute permission.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">D</tt></b></dt>
-<dd>
-<p>Permission to delete.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">P</tt></b></dt>
-<dd>
-<p>Change permissions on the object.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">O</tt></b></dt>
-<dd>
-<p>Take ownership.</p>
-</dd>
-
-</dl>
-
-
-<p>The following combined permissions can also be specified:</p>
-
-<dl>
-<dt><b><tt class="literal">READ</tt></b></dt>
-<dd>
-<p>Equivalent to RX permissions</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">CHANGE</tt></b></dt>
-<dd>
-<p>Equivalent to RWXD permissions</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">FULL</tt></b></dt>
-<dd>
-<p>Equivalent to RWXDPO permissions</p>
-</dd>
-
-</dl>
-
-
-<p>The <em class="replaceable">flags</em> field is for specifying how
-objects in directories are to inherit their default permissions from
-their parent directory. For files, <em class="replaceable">flags</em>
-is normally set to <tt class="literal">0</tt>. For directories,
-<em class="replaceable">flags</em> is usually set to either
-<tt class="literal">9</tt> or <tt class="literal">2</tt>.</p>
-
-</div>
-</div>
-
-<a name="INDEX-17"/><a name="INDEX-18"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbclient</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbclient</em> program is the
-&quot;Swiss army knife&quot; of the Samba
-suite. Initially developed as a testing tool, it has become a command
-shell capable of acting as a general-purpose Unix client, with a
-command set very similar to that of <em class="emphasis">ftp</em>. It
-offers the following set of functions:</p><ul><li>
-<p>Interactive file transfer, similar to <em class="emphasis">ftp</em></p>
-</li>
-<li>
-<p>Interactive printing to shared SMB printers</p>
-</li>
-<li>
-<p>Interactive tar format archiving</p>
-</li>
-<li>
-<p>Sending messages on the SMB network</p>
-</li>
-<li>
-<p>Batch mode tar format archiving</p>
-</li>
-<li>
-<p>&quot;What services do you have?&quot;
-querying</p>
-</li>
-<li>
-<p>Debugging</p>
-</li></ul>
-<div class="sect1"><a name="appc-45-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/<em class="replaceable">share</em> <em class="replaceable">[ password] [options]</em></pre></blockquote>
-<p>It is possible to run <em class="emphasis">smbclient</em>
-noninteractively, for use in scripts, by specifying the
-<tt class="literal">-c</tt> option along with a list of commands to
-execute. Otherwise, <em class="emphasis">smbclient</em> runs in
-interactive mode, prompting for commands such as this:</p>
-
-<blockquote><pre class="code">smb:\&gt;</pre></blockquote>
-<p>The backslash in the prompt is replaced by the current directory
-within the share as you change your working directory with
-<em class="emphasis">smbclient</em>'s
-<em class="emphasis">cd</em> command.</p>
-
-</div>
-
-<div class="sect1"><a name="appc-46-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-A</tt> <em class="replaceable">authfile</em></b></dt>
-<dd>
-<p>Specifies a file from which to read the username and password used
-for the connection. The format of the file is as follows:</p>
-
-
-<blockquote><pre class="code">username = <em class="replaceable">value</em>
-password = <em class="replaceable">value</em>
-domain = <em class="replaceable">value</em></pre></blockquote>
-
-<p>This is to avoid having the password prompted for or have it appear
-in plain text in scripts. The permissions on the file should be very
-restrictive (0600, for example) to prevent access by unwanted users.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-b</tt> <em class="replaceable">buffer_size</em></b></dt>
-<dd>
-<p>Sets the size of the buffer used when transferring files. It defaults
-to 65520 bytes and can be changed as a tuning measure. Generally it
-should be quite large or set to match the size of the buffer on the
-remote system. It can be set smaller to work around Windows bugs:
-some Windows 98 systems work best with a buffer size of 1200.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-B</tt> <em class="replaceable">IP_addr</em></b></dt>
-<dd>
-<p>Sets the broadcast address.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-c</tt> <em class="replaceable">command_string</em> </b></dt>
-<dd>
-<p>Passes a command string to the <em class="emphasis">smbclient</em> command
-interpreter. The argument consists of a semicolon-separated list of
-commands to be executed.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">-d</em> <em class="replaceable">debug_level</em></b></dt>
-<dd>
-<p>Sets the debug (logging) level, from 0 to 10, with A for all.
-Overrides the value in <em class="filename">smb.conf</em>. Debug level 0
-logs only the most important messages; level 1 is normal; debug
-levels 3 and above are for debugging and slow
-<em class="emphasis">smbclient</em> considerably.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-D</tt> <em class="replaceable">init_dir</em></b></dt>
-<dd>
-<p>Upon starting up, causes <em class="emphasis">smbclient</em> to change its
-working directory to <em class="replaceable">init_dir</em> on the
-remote host.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-E</tt></b></dt>
-<dd>
-<p>Sends output from commands to <em class="emphasis">stderr</em> instead of
-<em class="emphasis">stdout</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-h</tt></b></dt>
-<dd>
-<p>Prints the command-line help information (usage) for
-<em class="emphasis">smbclient</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-I</tt> <em class="replaceable">IP_address</em></b></dt>
-<dd>
-<p>Sets the IP address of the server to which the client connects.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-i</tt> <em class="replaceable">scope</em></b></dt>
-<dd>
-<p>Sets a NetBIOS scope identifier.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_ file</em></b></dt>
-<dd>
-<p>Sends the log messages to <em class="replaceable">log_file</em> rather
-than to the log file specified in the Samba configuration file or the
-compiled-in default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-L</tt> <em class="replaceable">server</em></b></dt>
-<dd>
-<p>Lists services (shares) offered by the server. This can be used as a
-quick way to test an SMB server to see if it is working. If there is
-a name-service problem, use the <tt class="literal">-I</tt> option to
-specify the server.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-M</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
-<dd>
-<p>Allows you to send messages using the Windows messaging protocol.
-Once a connection is established, you can type your message, pressing
-Ctrl-D to end. The <tt class="literal">-U</tt> and <tt class="literal">-I</tt>
-options can be used to control the
-&quot;From&quot; and
-&quot;To&quot; parts of the message.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-N</tt></b></dt>
-<dd>
-<p>Suppresses the password prompt. Useful when using share mode security
-and accessing a service that has no password.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-n</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
-<dd>
-<p>Allows you to override the NetBIOS name by which
-<em class="emphasis">smbclient</em> will advertise itself.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-O</tt> <em class="replaceable">socket_options</em></b></dt>
-<dd>
-<p>Sets the TCP/IP socket options using the same parameters as the
-<tt class="literal">socket options</tt> configuration option. Often used
-for performance tuning and testing.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-p</tt> <em class="replaceable">port_number</em></b></dt>
-<dd>
-<p>Sets the port number with which <em class="emphasis">smbclient</em> will
-connect.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-R</tt> <em class="replaceable">resolve_order</em></b></dt>
-<dd>
-<p>Sets the resolve order of the name servers. This option is similar to
-the <tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
-option and can take any of the four parameters
-<tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
-<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
-If more than one is specified, the argument is specified as a
-space-separated list. This option can be used to test name service by
-specifying only the name service to be tested.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Specifies the location of the Samba configuration file. Used for
-debugging.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-t</tt> <em class="replaceable">terminal_code</em></b></dt>
-<dd>
-<p>Sets the terminal code for Asian languages.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-T</tt> <em class="replaceable">command_string tarfile</em></b></dt>
-<dd>
-<p>Runs the tar archiver, which is <em class="emphasis">gtar</em> compatible.
-The tar file that is written to or read from is specified by
-<em class="replaceable">tarfile</em>. The two main commands are
-<tt class="literal">c</tt> (create) and <tt class="literal">x</tt> (extract),
-which can be followed by any of these:</p>
-
-<dl>
-<dt><b><tt class="literal">a</tt></b></dt>
-<dd>
-<p>Resets the archive attribute on files after they have been saved. See
-also the <tt class="literal">g</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">b</tt> <em class="replaceable">size</em></b></dt>
-<dd>
-<p>Sets the block size for writing the tar file, in 512-byte units.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">g</tt></b></dt>
-<dd>
-<p>Backs up only files that have their archive bit set. See also the
-<tt class="literal">a</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">I</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Includes files and directories. This is the default, so specifying
-this is redundant. To perform pattern matching, see also the
-<tt class="literal">r</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">N</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Backs up only those files newer than <em class="replaceable">file</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">q</tt></b></dt>
-<dd>
-<p>Suppresses diagnostics.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">r</tt></b></dt>
-<dd>
-<p>Performs regular expression matching, which can be used along with
-the <tt class="literal">I</tt> or <tt class="literal">E</tt> option to include or
-exclude files.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">X</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Excludes files and directories.</p>
-</dd>
-
-</dl>
-</dd>
-
-
-
-<dt><b><tt class="literal">-U</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Sets the username and, optionally, the password used for
-authentication when connecting to the share.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-W</tt> <em class="replaceable">workgroup</em></b></dt>
-<dd>
-<p>Specifies the workgroup/domain in which
-<em class="emphasis">smbclient</em> will claim to be a member.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-<div class="sect1"><a name="appc-47-fm2xml"/>
-
-<h4 class="refsect1">smbclient commands</h4>
-
-<dl>
-<dt><b><tt class="literal">help</tt> <em class="replaceable">[smbclient_command]</em></b></dt>
-<dd>
-<p>With no command specified, prints a list of available commands. If a
-command is specified as an argument, a brief help message will be
-printed for it.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">!</tt> <em class="replaceable">[shell_command]</em></b></dt>
-<dd>
-<p>Shell escape. With no command specified, runs a Unix shell. If a
-command is specified, runs the command in a Unix shell.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">altname</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Causes <em class="emphasis">smbclient</em> to request from the server and
-then print the old-style, 8.3-format filename for the specified file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">cancel</tt> <em class="replaceable">print_jobid [...]</em></b></dt>
-<dd>
-<p>Causes <em class="emphasis">smbclient</em> to request the server to cancel
-one or more print jobs, as specified by the numeric job IDs provided
-as arguments. See also the <em class="emphasis">queue</em> command, which
-prints job IDs.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">chmod</tt> <em class="replaceable">filename octal_mode</em></b></dt>
-<dd>
-<p>Requests that the server change the Unix file permissions on
-<em class="replaceable">filename</em> to
-<em class="replaceable">octal_mode</em>, specified in octal numeric
-format. Works only if the server supports Unix CIFS extensions.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">chown</tt> <em class="replaceable">filename UID GID</em></b></dt>
-<dd>
-<p>Requests that the server change the owner and group of the file
-specified by <em class="replaceable">filename</em> to those provided as
-decimal numeric arguments <em class="replaceable">UID</em> and
-<em class="replaceable">GID</em>. Works only if the server supports
-Unix CIFS extensions.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">cd</tt> <em class="replaceable">[directory]</em></b></dt>
-<dd>
-<p>With no argument, prints the current working directory on the remote
-system. If a directory name is supplied as an argument, changes the
-working directory on the remote system to that specified.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">del</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Requests that the server delete one or more files, as specified by
-the argument, from the current working directory. The argument can be
-a filename globbing pattern using the * and ? characters.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">dir</tt> [<em class="replaceable">filename]</em></b></dt>
-<dd>
-<p>With no arguments, prints a list of files and directories in the
-working directory on the server. If an argument is provided, only
-files and directories whose names match the argument will be listed.
-The argument can be a filename globbing pattern using the * and ?
-characters.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">exit</tt></b></dt>
-<dd>
-<p>Quits the <em class="emphasis">smbclient</em> program after terminating
-the SMB connection to the server.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">get</tt> <em class="replaceable">remote_file [local_file]</em></b></dt>
-<dd>
-<p>Copies the file specified by <em class="replaceable">remote_file</em>
-from the server to the local system. If no
-<em class="replaceable">local_file</em> argument is specified,
-<em class="emphasis">smbclient</em> will name the local file the same as
-it is named on the server. If <em class="replaceable">local_file</em>
-is specified, it will be used as the name of the local copy. See also
-the <em class="emphasis">lowercase</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">help</tt> <em class="replaceable">[command]</em></b></dt>
-<dd>
-<p>A synonym for the <em class="emphasis">?</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lcd</tt> <em class="replaceable">[directory]</em></b></dt>
-<dd>
-<p>If no argument is provided, prints the name of
-<em class="emphasis">smbclient</em>'s working directory
-on the local system. If a directory name is provided as an argument,
-changes <em class="emphasis">smbclient</em>'s working
-directory to the directory specified.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">link</tt> <em class="replaceable">link_name filename</em></b></dt>
-<dd>
-<p>Requests that the server create a hard link to
-<em class="replaceable">filename</em> and name it
-<em class="replaceable">link_name</em>. This command works only if the
-server supports Unix CIFS extensions.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">lowercase</tt></b></dt>
-<dd>
-<p>Toggles the boolean lowercasing setting. When this setting is on,
-names of files copied from the server with the
-<em class="emphasis">get</em> and <em class="emphasis">mget</em> commands will
-be changed to all lowercase. This is mainly used for accessing
-servers that report filenames in all uppercase only.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ls</tt> <em class="replaceable">[filename]</em></b></dt>
-<dd>
-<p>A synonym for <em class="emphasis">dir</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">mask</tt> <em class="replaceable">[globbing_pattern]</em></b></dt>
-<dd>
-<p>Sets the filename globbing pattern for use with the
-<em class="emphasis">mget</em> and <em class="emphasis">mput</em> commands when
-recursion is turned on. (When recursion is off, the setting has no
-effect.) Both <em class="emphasis">mget</em> and <em class="emphasis">mput</em>
-accept a globbing pattern as arguments; however, those patterns apply
-only to the current directory. This command specifies the pattern
-used for all subdirectories that are recursively traversed. The
-pattern stays in effect until it is changed with another
-<em class="emphasis">mask</em> command. To return the setting to its
-original default, specify a
-<em class="replaceable">globbing_pattern</em> of an asterisk
-(<tt class="literal">*</tt>), which matches all files. See also the
-<em class="emphasis">mget</em>, <em class="emphasis">mput</em>, and
-<em class="emphasis">recurse</em> commands.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">mdir</tt> <em class="replaceable">directory</em></b></dt>
-<dd>
-<p>A synonym for the <em class="emphasis">mkdir</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">mget</tt> <em class="replaceable">pattern</em></b></dt>
-<dd>
-<p>When recursion is turned off, copies files matching the file-globbing
-pattern, as specified by the argument, from the current working
-directory on the server to the local system. When recursion is on,
-the <em class="replaceable">pattern</em> argument is used to match
-directories in the current working directory, and the pattern
-specified by the <em class="emphasis">mask</em> command is used for
-matching files within each directory and all subdirectories. See also
-the <em class="emphasis">lowercase</em>, <em class="emphasis">mask</em>, and
-<em class="emphasis">recurse</em> commands.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">print</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Prints the specified file. This requires that
-<em class="emphasis">smbclient</em> be connected to a print share. See
-also the <em class="emphasis">printmode</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">printmode</tt> <em class="replaceable">mode</em></b></dt>
-<dd>
-<p>Sets the mode that is used by the <em class="emphasis">print</em> command.
-The mode can be either <tt class="literal">text</tt>, for printing text
-files such as the ASCII files commonly found on Unix, or
-<tt class="literal">graphics</tt>, for printing binary files.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">prompt</tt></b></dt>
-<dd>
-<p>Toggles the prompting mode. When prompting is on (the default), the
-<em class="emphasis">mget</em> and <em class="emphasis">mput</em> commands will
-interactively prompt the user for permission to transfer each file.
-The user can answer either <tt class="literal">y</tt> (yes) or
-<tt class="literal">n</tt> (no), followed by a newline, to this prompt.
-When prompting is off, all the files will be transferred with no
-prompts issued.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">put</tt> <em class="replaceable">local_file [remote_file]</em></b></dt>
-<dd>
-<p>Copies the file specified by <em class="replaceable">local_file</em>
-from the local to the remote system. If no
-<em class="replaceable">remote_file</em> argument is specified,
-<em class="emphasis">smbclient</em> will name the remote file the same as
-it is named on the local system. If
-<em class="replaceable">remote_file</em> is specified, it will be used
-as the name of the remote copy. See also the
-<em class="emphasis">lowercase</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">queue</tt></b></dt>
-<dd>
-<p>Prints information on the print queue on the server. This requires
-that <em class="emphasis">smbclient</em> is connected to a print share.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">quit</tt></b></dt>
-<dd>
-<p>A synonym for <em class="emphasis">exit</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rd</tt> <em class="replaceable">directory</em></b></dt>
-<dd>
-<p>A synonym for <em class="emphasis">rmdir</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">recurse</tt></b></dt>
-<dd>
-<p>Toggles the recursion mode, which affects the
-<em class="emphasis">mget</em> and <em class="emphasis">mput</em> commands.
-When recursion is off (the default), the <em class="emphasis">mget</em>
-and <em class="emphasis">mput</em> commands will copy only files from the
-current working directory that match the file-globbing pattern
-specified as an argument to the command, and the pattern set by the
-<em class="emphasis">mask</em> command is ignored. When recursion is
-turned on, the <em class="emphasis">mget</em> and
-<em class="emphasis">mput</em> commands recursively traverse any
-directories that match the pattern specified as the argument to the
-command, and the pattern set by the <em class="emphasis">mask</em> command
-is used to match files in those directories.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rm</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>A synonym for <em class="emphasis">del</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rmdir</tt> <em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Requests that the server remove the specified directory.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">setmode</tt> <em class="replaceable">filename attributes</em></b></dt>
-<dd>
-<p>Requests that the server assign the specified MS-DOS file attributes
-on the specified file. The <em class="replaceable">attributes</em>
-argument has the format of a leading plus sign (<tt class="literal">+</tt>)
-or minus sign (<tt class="literal">-</tt>) either to set or to unset the
-attribute(s), respectively, followed by one or more of the characters
-<tt class="literal">r</tt> (read), <tt class="literal">s</tt> (system),
-<tt class="literal">h</tt> (hidden), or <tt class="literal">a</tt> (archive).</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">symlink</tt> <em class="replaceable">link_name filename</em></b></dt>
-<dd>
-<p>Requests that the server create a symbolic link named
-<em class="replaceable">link_name</em> to
-<em class="replaceable">filename</em>. This command works only if the
-server supports Unix CIFS extensions. The server will not create a
-link that refers to a file not in the share to which
-<em class="emphasis">smbclient</em> is connected.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">tar</tt> <em class="replaceable">cmd_str</em></b></dt>
-<dd>
-<p>Performs an archiving operation using the tar format. This is the
-interactive form of the <tt class="literal">-T</tt> command-line operation,
-and the <em class="replaceable">cmd_str</em> argument is specified in
-the same manner. See also the <em class="emphasis">tarmode</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">blocksize</tt> <em class="replaceable">size</em></b></dt>
-<dd>
-<p>Sets the block size, in units of 512 bytes, for files written by the
-<em class="emphasis">tar</em> command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">tarmode</tt> <em class="replaceable">mode ...</em></b></dt>
-<dd>
-<p>Specifies how the <em class="emphasis">tar</em> command performs its
-archiving, including how it handles the archive attribute on files.
-Multiple <em class="replaceable">mode</em> arguments can be provided,
-chosen from the following:</p>
-
-<dl>
-<dt><b><tt class="literal">full</tt></b></dt>
-<dd>
-<p>All files will be included, regardless of whether their
-<tt class="literal">archive</tt> attribute is set. This is the default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">inc</tt></b></dt>
-<dd>
-<p>Only files that have the <tt class="literal">archive</tt> attribute set
-will be included in the backup.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">reset</tt></b></dt>
-<dd>
-<p>The <tt class="literal">archive</tt> attribute will be unset by
-<em class="emphasis">tar</em> after the file is included in the archive.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">noreset</tt></b></dt>
-<dd>
-<p>The <tt class="literal">archive</tt> attribute will be left unchanged. This
-is the default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">system</tt></b></dt>
-<dd>
-<p>Files with the <tt class="literal">system</tt> attribute set will be
-included in the archive. This is the default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">nosystem</tt></b></dt>
-<dd>
-<p>Files with the <tt class="literal">system</tt> attribute set will not be
-included in the archive.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">hidden</tt></b></dt>
-<dd>
-<p>Files with the <tt class="literal">hidden</tt> attribute set will be
-included in the archive. This is the default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">nohidden</tt></b></dt>
-<dd>
-<p>Files with the <tt class="literal">hidden</tt> attribute set will not be
-included in the archive.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">verbose</tt></b></dt>
-<dd>
-<p>As files are included in the archive (when creating the archive) or
-are read from the archive (when extracting it), the name of each file
-will be printed. This is the default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">noverbose</tt></b></dt>
-<dd>
-<p>This turns verbose mode off, causing <em class="emphasis">tar</em> to
-perform its work quietly.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">quiet</tt></b></dt>
-<dd>
-<p>An antonym for the <tt class="literal">verbose</tt> mode. When quiet is on,
-verbose is off, and vice versa.<a name="INDEX-18"/></p>
-</dd>
-
-</dl>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-19"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbcontrol</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbcontrol</em> command sends control messages to
-running <em class="emphasis">smbd</em> or <em class="emphasis">nmbd</em>
-processes.</p>
-<div class="sect1"><a name="appc-49-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbcontrol -i<em class="replaceable"> [options]</em></pre></blockquote>
-<p>or:</p>
-
-<blockquote><pre class="code">smbcontrol <em class="replaceable">[options] process message-type [parameters]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-50-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-i</tt></b></dt>
-<dd>
-<p>Runs <em class="emphasis">smbcontrol</em> interactively, executing
-commands until a blank line or &quot;q&quot;
-is read. The user must have superuser privileges.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Specifies the location of the Samba configuration file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">debuglevel</em></b></dt>
-<dd>
-<p>Sets the debugging level for logging. The debug level can be set from
-to 10.</p>
-</dd>
-
-</dl>
-
-
-<p>Whether <em class="emphasis">smbcontrol</em> commands are issued in
-interactive mode or from the command line, the commands are in the
-same format. Each command has up to three parts:</p>
-
-<dl>
-<dt><b><em class="replaceable">process</em></b></dt>
-<dd>
-<p>Specifies the process or group of processes to which to send the
-message. If <em class="replaceable">process</em> is
-<tt class="literal">smbd</tt>, all <em class="emphasis">smbd</em> processes will
-receive the message. If <em class="replaceable">process</em> is
-<tt class="literal">nmbd</tt>, only the main <em class="emphasis">nmbd</em>
-process (identified by Samba's
-<em class="filename">nmbd.pid</em> file) receives the message. If
-<em class="replaceable">process</em> is the numeric PID of a running
-process on the system, that process will receive the message.</p>
-</dd>
-
-
-
-<dt><b><em class="replaceable">message-type</em></b></dt>
-<dd>
-<p>Specifies the type of message that is sent. For more information, see
-<a href="appc.html#appc-51-fm2xml">smbcontrol message
-types</a> that follows.</p>
-</dd>
-
-
-
-<dt><b><em class="replaceable">parameters</em></b></dt>
-<dd>
-<p>Specifies additional parameters required by some messages.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-<div class="sect1"><a name="appc-51-fm2xml"/>
-
-<h4 class="refsect1">smbcontrol message types</h4>
-
-<dl>
-<dt><b><tt class="literal">close-share</tt> <em class="replaceable">share_name</em></b></dt>
-<dd>
-<p>Closes the connection to a share or shares. If
-<em class="replaceable">share_name</em> is specified as an asterisk
-(<tt class="literal">*</tt>), connections to all shares will be closed. To
-close a single connection, <em class="replaceable">share_name</em> is
-given as the name of a share, as specified in the Samba configuration
-file, not including the enclosing brackets. Warning: no message is
-printed if there is an error in specifying
-<em class="replaceable">share_name</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">debug</tt> <em class="replaceable">num</em></b></dt>
-<dd>
-<p>Sets the debugging level. The <em class="replaceable">num</em>
-parameter specifies the level, which can be from 0 to 10.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">debuglevel</tt></b></dt>
-<dd>
-<p>Prints the current debugging level.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">force-election</tt></b></dt>
-<dd>
-<p>Can be used only with <em class="emphasis">nmbd</em>, telling it to force
-a master browser election.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ping</tt> <em class="replaceable">number</em></b></dt>
-<dd>
-<p>Sends <em class="emphasis">number</em> of pings and reports when they
-receive a reply or timeout. Used for connectivity testing.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">profile</tt> <em class="replaceable">mode</em></b></dt>
-<dd>
-<p>Controls profiling statistics collection. If
-<em class="replaceable">mode</em> is <tt class="literal">on</tt>, profile
-statistics will be collected. If <em class="replaceable">mode</em> is
-<tt class="literal">off</tt>, collection of statistics is turned off. If
-<em class="replaceable">mode</em> is specified as
-<tt class="literal">count</tt>, only counting statistics are collected (and
-not timing statistics). If <em class="replaceable">mode</em> is
-<tt class="literal">flush</tt>, the data set is cleared (initialized).</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">profilelevel</tt></b></dt>
-<dd>
-<p>Prints the current profiling level.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">printer-notify</tt> <em class="replaceable">printer_name</em></b></dt>
-<dd>
-<p>Sends a printer notify message to Windows NT/2000/XP for the
-specified printer. This message can be sent only to
-<em class="emphasis">smbd</em>. Warning: no message is printed if the
-<em class="replaceable">printer_name</em> parameter is specified
-incorrectly.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-20"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbgroupedit</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This command, new to Samba 3.0, sets up mappings between Unix groups
-and Windows NT/2000/XP groups and also allows a Unix group to become
-a domain group. This command must be run by the superuser.</p>
-<div class="sect1"><a name="appc-53-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbgroupedit <em class="replaceable">[options]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-54-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-a</tt> <em class="replaceable">Unix_group_name</em></b></dt>
-<dd>
-<p>Adds a mapping for the specified Unix group. The
-<tt class="literal">-n</tt> option is used along with this option to
-specify the Windows NT group to which the Unix group is mapped.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-c</tt> <em class="replaceable">SID</em></b></dt>
-<dd>
-<p>Changes a mapping between a Windows NT group and a Unix group. The
-Windows NT group is specified as a SID with this option, and the Unix
-group is specified with the <tt class="literal">-u</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">description</em></b></dt>
-<dd>
-<p>Specifies a comment for the mapping, which will be stored along with
-it.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-l</tt></b></dt>
-<dd>
-<p>When used with the <tt class="literal">-v</tt> option, prints a long
-listing. This is the default. The information printed includes the
-name of the Windows NT group, its SID, its corresponding Unix group
-(if a mapping has been defined), the group type, the comment, and the
-privileges of the group.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-n</tt> <em class="replaceable">Windows_group_name</em></b></dt>
-<dd>
-<p>Specifies the name of the Windows NT group. Used with the
-<tt class="literal">-a</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-p</tt> <em class="replaceable">privilege</em></b></dt>
-<dd>
-<p>Used along with the <tt class="literal">-a</tt> option to specify a Windows
-NT privilege to be given to the Unix group.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt></b></dt>
-<dd>
-<p>When used with the <tt class="literal">-v</tt> option, prints a short
-listing. The information printed includes just the name of the
-Windows NT group, its SID, and, if a mapping has been defined, its
-corresponding Unix group. This option is useful for determining the
-SID of a group, for use with the <tt class="literal">-c</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-t</tt> <em class="replaceable">TYPE</em></b></dt>
-<dd>
-<p>Assigns a Windows group type to the group.
-<em class="replaceable">TYPE</em> is a single character, and is one of
-<tt class="literal">b</tt> (built-in), <tt class="literal">d</tt> (domain), or
-<tt class="literal">l</tt> (local).</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-u</tt> <em class="replaceable">Unix_group_name</em></b></dt>
-<dd>
-<p>Specifies the name of the Unix group to map to the Windows NT group.
-Used with the <tt class="literal">-c</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-v</tt></b></dt>
-<dd>
-<p>Prints a list of groups in the Windows NT domain in which the Samba
-server is operating. See also the <tt class="literal">-l</tt> and
-<tt class="literal">-s</tt> options.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-x</tt> <em class="replaceable">Unix_group_name</em></b></dt>
-<dd>
-<p>Deletes the mapping for the Unix group specified.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-21"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbmnt</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This is a low-level helper program for mounting smbfs filesystems. It
-used by <em class="emphasis">smbmount</em> to do the privileged part of
-the mount operation on behalf of an ordinary user. Generally, users
-should not run this command directly.</p>
-<div class="sect1"><a name="appc-56-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbmnt mnt_point <em class="replaceable">[options]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-57-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-r</tt></b></dt>
-<dd>
-<p>Mounts the filesystem as read-only.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-u</tt> <em class="replaceable">uid</em> </b></dt>
-<dd>
-<p>Specifies the UID to use for the owner of the files.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-g</tt> <em class="replaceable">gid</em></b></dt>
-<dd>
-<p>Specifies the GID to use for the group of the files.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-f</tt> <em class="replaceable">mask</em></b></dt>
-<dd>
-<p>Specifies the octal file mask.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">mask</em></b></dt>
-<dd>
-<p>Specifies the octal directory mask.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-o</tt> <em class="replaceable">options</em></b></dt>
-<dd>
-<p>Specifies the list of options that are passed to the smbfs module.</p>
-</dd>
-
-</dl>
-
-
-<p>To allow users to mount SMB shares without help from an
-administrator, set the &quot;set user
-ID&quot; permission on the <em class="emphasis">smbmnt</em>
-executable. However, note that this can raise security issues.</p>
-
-</div>
-</div>
-
-<a name="INDEX-22"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbmount</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program mounts an smbfs filesystem on a mount point in the Unix
-filesystem. It is typically called as <em class="emphasis">mount.smb</em>
-from <em class="emphasis">mount</em>, although it can also be run directly
-by users. After mounting the smbfs filesystem,
-<em class="emphasis">smbmount</em> continues to run as a daemon as long as
-the filesystem is mounted. It logs events in the file
-<em class="filename">log.smbmount</em> in the same directory as the other
-Samba log files (which is commonly
-<em class="filename">/usr/local/samba/var</em> by default). The logging
-level is controlled by the <tt class="literal">debug level</tt> parameter
-in the Samba configuration file.</p>
-<div class="sect1"><a name="appc-59-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbmount <em class="replaceable">service mount_point [-o options]</em></pre></blockquote>
-<p>The service argument specifies the SMB share to mount, given as a
-UNC. The <em class="replaceable">mount_point</em> argument specifies a
-directory to use as the mount point. The options to
-<em class="emphasis">smbmount</em> are specified as a comma-separated list
-of
-<em class="replaceable">key</em><tt class="literal">=</tt><em class="replaceable">value</em>
-pairs. The documented options are as follows. Others can be passed if
-the kernel supports them.</p>
-
-</div>
-
-<div class="sect1"><a name="appc-60-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">username=</tt><em class="replaceable">name</em></b></dt>
-<dd>
-<p>Specifies the username to connect as. If this is not provided, the
-environment variable USER will be tried. The name can be specified as
-<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>,
-<em class="replaceable">user</em><tt class="literal">/</tt><em class="replaceable">workgroup</em>,
-or
-<em class="replaceable">user</em><tt class="literal">/</tt><em class="replaceable">workgroup</em><tt class="literal">%</tt><em class="replaceable">password</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">password=</tt><em class="replaceable">string</em></b></dt>
-<dd>
-<p>Specifies the SMB password. If no password is provided using this
-option, the <em class="emphasis">username</em> option, or the
-<em class="emphasis">credentials</em> option, the environment variable
-PASSWD is used. If that also does not exist,
-<em class="emphasis">smbmount</em> will prompt interactively for a
-password.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">credentials=</tt><em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Specifies a file that contains a username and password in the
-following format:</p>
-
-
-<blockquote><pre class="code">username = <em class="replaceable">value</em>
-password = <em class="replaceable">value</em></pre></blockquote>
-</dd>
-
-
-<dt><b><tt class="literal">uid=</tt><em class="replaceable">number</em></b></dt>
-<dd>
-<p>Sets the Unix user ID to be used as the owner of all files in the
-mounted filesystem. It can be specified as a username or numeric UID.
-Defaults to the UID of the user running
-<em class="emphasis">smbmount</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">gid=</tt><em class="replaceable">number</em></b></dt>
-<dd>
-<p>Sets the Unix group ID to be used as the group for all files in the
-mounted filesystem. It can be specified as a group name or a numeric
-GID. Defaults to the GID of the user running
-<em class="emphasis">smbmount</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">port=</tt><em class="replaceable">number</em></b></dt>
-<dd>
-<p>Sets the TCP port number. This is 139, which is required by most
-Windows versions.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">fmask=</tt><em class="replaceable">octal_mask</em> </b></dt>
-<dd>
-<p>Sets the Unix permissions of all files in the mounted filesystem.
-Defaults to the user's current umask.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">dmask=</tt><em class="replaceable">octal_mask</em></b></dt>
-<dd>
-<p>Sets the Unix permissions of all directories in the mounted
-filesystem. Defaults to the current umask.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">debug=</tt><em class="replaceable">number</em></b></dt>
-<dd>
-<p>Sets the debugging level.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ip=</tt><em class="replaceable">host</em></b></dt>
-<dd>
-<p>Sets the destination hostname or IP address.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">netbiosname=</tt><em class="replaceable">name</em></b></dt>
-<dd>
-<p>Sets the computer name to connect as. This defaults to the hostname
-of the local system.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">workgroup=</tt><em class="replaceable">name</em></b></dt>
-<dd>
-<p>Sets the workgroup or domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">sockopt=</tt><em class="replaceable">opts</em></b></dt>
-<dd>
-<p>Sets TCP socket options.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">scope=</tt><em class="replaceable">num</em></b></dt>
-<dd>
-<p>Sets the NetBIOS scope.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">guest</tt></b></dt>
-<dd>
-<p>Don't expect or prompt for a password.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ro</tt></b></dt>
-<dd>
-<p>Mounts the share read-only.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">rw</tt></b></dt>
-<dd>
-<p>Mounts the share read-write.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">iocharset=</tt><em class="replaceable">charset</em></b></dt>
-<dd>
-<p>Sets the charset used by the Linux machine for codepage-to-charset
-translation. See also the <em class="emphasis">codepage</em> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">codepage=</tt><em class="replaceable">page</em></b></dt>
-<dd>
-<p>Sets the DOS code page. See also the <em class="emphasis">iocharset</em>
-option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">ttl=</tt><em class="replaceable">milliseconds</em></b></dt>
-<dd>
-<p>Sets the time to live, in milliseconds, for entries in the directory
-cache. A higher value gives better performance on large directories
-and/or slower connections. The default is 1000ms. Try 10000ms (10
-seconds) as a starting value if directory operations are visibly
-slow.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-23"/><a name="INDEX-24"/><a name="INDEX-25"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbpasswd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbpasswd</em> program provides the general
-function of managing <a name="INDEX-24"/><a name="INDEX-25"/>encrypted
-passwords. How it works depends on whether it is run by the superuser
-or an ordinary user.</p><p>For the superuser, <em class="emphasis">smbpasswd</em> can be used to
-maintain Samba's <em class="filename">smbpasswd</em>
-file. It can add or delete users, change their passwords, and modify
-other attributes pertaining to the user that are held in the
-<em class="filename">smbpasswd</em> file.</p><p>When run by ordinary users, <em class="emphasis">smbpasswd</em> can be
-used only to change their encrypted passwords. In this mode of
-operation, <em class="emphasis">smbpasswd</em> acts as a client to the
-<em class="emphasis">smbd</em> daemon. The program will fail if
-<em class="emphasis">smbd</em> is not operating, if the <tt class="literal">hosts
-allow</tt> or <tt class="literal">hosts deny</tt> parameters in the
-Samba configuration file do not permit connections from localhost (IP
-address 127.0.0.1), or if the <tt class="literal">encrypted passwords</tt>
-option is set to <tt class="literal">no</tt>. It is also possible for
-<em class="emphasis">smbpasswd</em> to change a user's
-password when it is maintained on a remote system, including a
-Windows NT domain controller.</p>
-<div class="sect1"><a name="appc-62-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-<p>When run by the superuser:</p>
-
-<blockquote><pre class="code">smbpasswd <em class="replaceable">[options] [username] [password]</em></pre></blockquote>
-<p>In this case, the username of the user whose
-<em class="emphasis">smbpasswd</em> entry is to be modified is provided as
-the second argument.</p>
-
-<p>Otherwise:</p>
-
-<blockquote><pre class="code">smbpasswd <em class="replaceable">[options] [password]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-63-fm2xml"/>
-
-<h4 class="refsect1">Superuser-only options</h4>
-
-<dl>
-<dt><b><tt class="literal">-a</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Adds a user to the encrypted password file. The user must already
-exist in the system password file (<em class="filename">/etc/passwd</em>
-). If the user already exists in the <em class="filename">smbpasswd</em>
-file, the <tt class="literal">-a</tt> option changes the existing password.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Disables a user in the encrypted password file. The
-user's entry in the file will remain, but will be
-marked with a flag disabling the user from authenticating.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-e</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Enables a disabled user in the encrypted password file. This
-overrides the effect of the <tt class="literal">-d</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-j</tt> <em class="replaceable">domain</em></b></dt>
-<dd>
-<p>Joins the Samba server to a Windows NT domain as a domain member
-server. The <em class="replaceable">domain</em> argument is the NetBIOS
-name of the Windows NT domain that is being joined. See also the
-<tt class="literal">-r</tt> and <tt class="literal">-U</tt> options.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-m</tt></b></dt>
-<dd>
-<p>Indicates that the account is a computer account in a Windows NT
-domain rather than a domain user account.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-n</tt></b></dt>
-<dd>
-<p>Sets the user's password to a null password. For the
-user to authenticate, the parameter <tt class="literal">null</tt>
-<tt class="literal">passwords</tt> <tt class="literal">=</tt>
-<tt class="literal">yes</tt> must exist in the <tt class="literal">[global]</tt>
-section of the Samba configuration file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-R</tt> <em class="replaceable">resolve_order_list</em></b></dt>
-<dd>
-<p>Sets the resolve order of the name servers. This option is similar to
-the <tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
-option and can take any of the four parameters
-<tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
-<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
-If more than one is specified, the argument is specified as a
-space-separated list.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-w</tt> <em class="replaceable">password</em></b></dt>
-<dd>
-<p>For use when Samba has been compiled with the
-<tt class="literal">--with-ldapsam</tt> configure option. Specifies the
-password that goes with the value of the <tt class="literal">ldap admin
-dn</tt> Samba configuration file parameter.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-x</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Deletes the user from the <em class="filename">smbpasswd</em> file. This
-is a one-way operation, and all information associated with the entry
-is lost. To disable the account without deleting the
-user's entry in the file, see the
-<tt class="literal">-d</tt> option.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-<div class="sect1"><a name="appc-64-fm2xml"/>
-
-<h4 class="refsect1">Other options</h4>
-
-<dl>
-<dt><b><tt class="literal">-c</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Specifies the Samba configuration file, overriding the compiled-in
-default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-D</tt> <em class="replaceable">debug_level</em></b></dt>
-<dd>
-<p>Sets the debug (also called logging) level. The level can range from
-to 10. Debug level 0 logs only the most important messages; level 1
-is normal; levels 3 and above are primarily for debugging and slow
-the program considerably.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-h</tt></b></dt>
-<dd>
-<p>Prints command-line usage information.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-L</tt></b></dt>
-<dd>
-<p>Causes <em class="emphasis">smbpasswd</em> to run in local mode, in which
-ordinary users are allowed to use the superuser-only options. This
-requires that the <em class="filename">smbpasswd</em> file be made
-readable and writable by the user. This is for testing purposes.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-r</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
-<dd>
-<p>Specifies on which machine the password should change. If changing a
-Windows NT domain password, the remote system specified by
-<em class="replaceable">NetBIOS_name</em> must be the PDC for the
-domain. The user's username on the local system is
-used by default. See also the <tt class="literal">-U</tt> option for use
-when the user's Samba username is different from the
-local username.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-R</tt> <em class="replaceable">resolve_order</em></b></dt>
-<dd>
-<p>Sets the resolve order of the name servers. This option is similar to
-the resolve order configuration option and can take any of the four
-parameters <tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
-<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
-If more than one is specified, the argument is specified as a
-space-separated list.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Causes <em class="emphasis">smbpasswd</em> not to prompt for passwords
-from <em class="filename">/dev/tty</em>, but instead to read the old and
-new passwords from the standard input. This is useful when calling
-<em class="emphasis">smbpasswd</em> from a script.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-S</tt></b></dt>
-<dd>
-<p>Queries the domain controller of the domain, as specified by the
-<tt class="literal">workgroup</tt> parameter in the Samba configuration
-file, and retrieves the domain's SID. This will then
-be used as the SID for the local system. A specific PDC can be
-selected by combining this option with the <tt class="literal">-r</tt>
-option, and its domain's SID will be used. This
-option is for migrating domain accounts from a Windows NT primary
-domain controller to a Samba PDC.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-U</tt> <em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
-<dd>
-<p>Changes the password for <em class="replaceable">username</em> on the
-remote system. This is to handle instances in which the remote
-username and local username are different. This option requires that
-<tt class="literal">-r</tt> also be used. Often used with
-<tt class="literal">-j</tt> to provide the username of the administrative
-user on the primary domain controller for adding computer accounts.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-26"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbsh</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbsh</em> program allows SMB shares to be
-accessed from a Unix system. When <em class="emphasis">smbsh</em> is run,
-an extra directory tree called <em class="filename">/smb </em>becomes
-available to dynamically linked shell commands. The first level of
-directories under <em class="filename">/smb</em> represent available
-workgroups, the next level of subdirectories represent the SMB
-servers in each workgroup, and the third level of subdirectories
-represent the disk and printer shares of each server.</p><p>Samba must be compiled with the <tt class="literal">--with-smbwrappers</tt>
-option to enable <em class="emphasis">smbsh</em>.</p>
-<div class="sect1"><a name="appc-66-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><em class="emphasis">-d</em> <em class="replaceable">debug_level</em></b></dt>
-<dd>
-<p>Sets the debug (sometimes called logging) level. The level can range
-from 0, the default, to 10. Debug level 0 logs only the most
-important messages; level 1 is normal; levels 3 and above are
-primarily for debugging and slow <em class="emphasis">smbsh</em>
-considerably.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">-l</em> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Sets the name of the logging file. By default, messages are sent to
-<em class="emphasis">stderr</em>.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">-L</em> <em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies the location of
-<em class="emphasis">smbsh</em>'s shared libraries,
-overriding the compiled-in default.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">-P</em> <em class="replaceable">prefix</em></b></dt>
-<dd>
-<p>Sets the name of the <tt class="literal">root</tt> directory to use for the
-SMB filesystem. The default is <em class="filename">/smb</em>.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">-R</em> <em class="replaceable">resolve_order</em></b></dt>
-<dd>
-<p>Sets the resolve order of the name servers. This option is similar to
-the <tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
-option and can take any of the four parameters
-<tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
-<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
-If more than one is specified, the argument is specified as a
-space-separated list.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">-U</em> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Provides the username, and optionally the password, for
-authenticating the connection to the SMB server. The password can be
-supplied using the
-<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>
-format. If either or both the username and password are not provided,
-<em class="emphasis">smbsh</em> will prompt interactively for them.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">-W</em> <em class="replaceable">workgroup</em></b></dt>
-<dd>
-<p>Specifies the NetBIOS workgroup or domain to which the client will
-connect. This overrides the workgroup parameter in the Samba
-configuration file and is sometimes necessary to connect to some
-servers.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-27"/><a name="INDEX-28"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbspool</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbspool</em> program provides a
-<a name="INDEX-28"/>CUPS-compatible
-interface to Samba printing by providing a way to send a print job to
-an SMB printer using the command-line format specified by CUPS
-printers. Although <em class="emphasis">smbspool</em> is designed to work
-best with CUPS printers, it can be used to send print jobs to
-non-CUPS Samba printers as well.</p>
-<div class="sect1"><a name="appc-68-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbspool <em class="replaceable">job user title copies options filename</em></pre></blockquote>
-<p>The arguments for <em class="emphasis">smbspool</em>, as shown here, are
-those used in the CUPS printing system. However, some of the
-arguments are currently ignored because they don't
-correspond to the Samba printing system. These arguments must be
-supplied in the command and can be filled in with
-&quot;dummy&quot; values.</p>
-
-<p>The <em class="replaceable">job</em> argument refers to the job number
-and is currently ignored. The <em class="replaceable">user</em>
-argument is the name of the user who submitted the print job and is
-also ignored. The <em class="replaceable">title</em> argument is the
-name of the print job and must be supplied. It is used as the name of
-the remote print file. The <em class="replaceable">copies</em> argument
-is the number of copies that will be printed. This number is used
-only if the (optional) <em class="filename">filename</em> argument is
-supplied. Otherwise, only one copy is printed. The
-<em class="replaceable">options</em> argument, for specifying printing
-options, is ignored. The <em class="replaceable">filename</em> argument
-is used for specifying the name of the file to be printed. If it is
-not provided, the standard input will be used.</p>
-
-<p>The printer that the job is to be sent to is specified in the
-DEVICE_URI environment variable. The format for the printer name is a
-device Universal Resource Indicator, which can be in any of the
-following formats:</p>
-
-<blockquote class="simplelist">
-
-<p><em class="emphasis">smb://server/printer</em></p>
-
-
-
-
-<p><em class="emphasis">smb://workgroup/server/printer</em></p>
-
-
-
-
-<p><em class="emphasis">smb://username:password@server/printer</em></p>
-
-
-
-
-<p><em class="emphasis">smb://username:password@workgroup/server/printer</em></p>
-
-</blockquote>
-
-
-</div>
-</div>
-
-<a name="INDEX-29"/><a name="INDEX-30"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbstatus</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program lists the current connections on a Samba server.</p>
-<div class="sect1"><a name="appc-70-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-b</tt></b></dt>
-<dd>
-<p>Causes <em class="emphasis">smbstatus</em> to produce brief output. This
-includes the version of Samba and auditing information about the
-users that are connected to the server.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt></b></dt>
-<dd>
-<p>Gives verbose output, which includes a list of services, a list of
-locked files, and memory usage statistics. This is the default.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-L</tt></b></dt>
-<dd>
-<p>Prints only the list of current file locks.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-p</tt></b></dt>
-<dd>
-<p>Prints only a list of <em class="emphasis">smbd</em> process IDs.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-P</tt></b></dt>
-<dd>
-<p>Prints only the contents of the profiling memory area. Requires that
-Samba has been compiled with the profiling option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-S</tt></b></dt>
-<dd>
-<p>Prints only a list of shares and their connections.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Specifies the Samba configuration file to use when processing this
-command.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-u</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Limits the report to the activity of a single user.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-31"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbtar</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbtar</em> program is a shell-script wrapper
-around <em class="emphasis">smbclient</em> for doing tar-format archiving
-operations. It is functionally very similar to the Unix
-<em class="emphasis">tar</em> program.</p>
-<div class="sect1"><a name="appc-72-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbtar <em class="replaceable">[options]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-73-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-a</tt></b></dt>
-<dd>
-<p>Resets (clears) the archive attribute on files after they are backed
-up. The default is to leave the archive attribute unchanged.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-b</tt> <em class="replaceable">blocksize</em></b></dt>
-<dd>
-<p>Sets block size, in units of 512 bytes, for reading or writing the
-archive file. Defaults to 20, which results in a block size of 10240
-bytes.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-d</tt> <em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Changes the working directory on the remote system to
-<em class="replaceable">directory</em> before starting the restore or
-backup operation.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-i</tt></b></dt>
-<dd>
-<p>Specifies incremental mode; files are backed up only if they have the
-DOS archive attribute set. The archive attribute is reset (cleared)
-after each file is read.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_level</em></b></dt>
-<dd>
-<p>Sets the logging level. This corresponds to the <tt class="literal">-d</tt>
-option of <em class="emphasis">smbclient</em> and other Samba programs.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-N</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Backs up only files newer than <em class="filename">filename</em>. For
-incremental backups.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-p</tt> <em class="replaceable">password</em></b></dt>
-<dd>
-<p>Specifies the password to use to access a share. An alternative to
-using the
-<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>
-format with the <tt class="literal">-u</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-r</tt></b></dt>
-<dd>
-<p>Restores files to the share from the tar file.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">server</em></b></dt>
-<dd>
-<p>Specifies the SMB server. See also the <tt class="literal">-x</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-t</tt> <em class="replaceable">filename</em></b></dt>
-<dd>
-<p>Specifies the file or Unix device to use as the archiving medium. The
-default is <em class="filename">tar.out</em> or the value of the TAPE
-environment variable, if it has been set.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-u</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Specifies the user account to use when connecting to the share. You
-can specify the password as well, in the format
-<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>.
-The username defaults to the user's Unix username.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-v</tt></b></dt>
-<dd>
-<p>Operates in verbose mode, printing error messages and additional
-information that can be used in debugging and monitoring. Backup and
-restore operations will list each file as it is processed.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-x</tt> <em class="replaceable">share</em></b></dt>
-<dd>
-<p>States the name of the share on the server to which to connect. The
-default is <tt class="literal">backup</tt>. See also the
-<tt class="literal">-s</tt> option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-X</tt> <em class="replaceable">file_list</em></b></dt>
-<dd>
-<p>Tells <em class="emphasis">smbtar</em> to exclude the specified files from
-the backup or restore operation.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-32"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbumount</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbumount</em> command exists to allow an
-ordinary (nonsuperuser) user to unmount a smbfs filesystem, which the
-user had previously mounted using <em class="emphasis">smbmount</em>.</p>
-<div class="sect1"><a name="appc-75-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">smbumount <em class="replaceable">mount_point</em></pre></blockquote>
-<p>For ordinary users to issue the command,
-<em class="emphasis">smbumount</em> must be made suid
-<tt class="literal">root</tt>.</p>
-
-</div>
-</div>
-
-<a name="INDEX-33"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>testparm</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">testparm</em> program checks a Samba
-configuration file for obvious errors.</p>
-<div class="sect1"><a name="appc-77-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">testparm <em class="replaceable">[options] [filename] [hostname IP_addr]</em></pre></blockquote>
-<p>If the configuration file is not provided using the
-<em class="filename">filename</em> argument, then it defaults to
-<em class="filename">/usr/local/samba/lib/smb.conf</em>. If the hostname
-and an IP address of a system are included, an extra check is made to
-ensure that the system is allowed to connect to each service defined
-in the configuration file. This is done by comparing the hostname and
-IP address to the definitions of the <tt class="literal">hosts allow</tt>
-and <tt class="literal">hosts deny</tt> parameters.</p>
-
-</div>
-
-<div class="sect1"><a name="appc-78-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-h</tt></b></dt>
-<dd>
-<p>Prints usage information for the program.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-L</tt> <em class="replaceable">server_name</em></b></dt>
-<dd>
-<p>Sets the <tt class="literal">%L</tt> configuration variable to the
-specified server name.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt></b></dt>
-<dd>
-<p>Disables the default behavior of prompting for the Enter key to be
-pressed before printing the list of configuration options for the
-server.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-<a name="INDEX-34"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>testprns</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This is a very simple program that checks to see if a specified
-printer name exists in the system printer capabilities (printcap)
-file.</p>
-<div class="sect1"><a name="appc-80-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">testprns <em class="replaceable">printername [printcapname]</em></pre></blockquote>
-<p>If <em class="replaceable">printcapname</em> isn't
-specified, Samba attempts to use the one specified in the Samba
-configuration file with the <tt class="literal">printcap name</tt>
-parameter. If none is specified there, Samba will try
-<em class="filename">/etc/printcap</em>.</p>
-
-</div>
-</div>
-
-<a name="INDEX-35"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wbinfo</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program retrieves and prints information from the
-<em class="emphasis">winbindd</em> daemon, which must be running for
-<em class="emphasis">wbinfo</em> to function.</p>
-<div class="sect1"><a name="appc-82-fm2xml"/>
-
-<h4 class="refsect1">Command synopsis</h4>
-
-<blockquote><pre class="code">wbinfo <em class="replaceable">[options]</em></pre></blockquote>
-
-
-</div>
-
-<div class="sect1"><a name="appc-83-fm2xml"/>
-
-<h4 class="refsect1">Options</h4>
-
-<dl>
-<dt><b><tt class="literal">-u</tt> </b></dt>
-<dd>
-<p>Prints all usernames that have been mapped from the Windows NT domain
-to Unix users. Users in all trusted domains are also listed.</p>
-</dd>
-
-
-
-<dt><b> <tt class="literal">-</tt><em class="emphasis">g</em> </b></dt>
-<dd>
-<p>Prints all group names that have been mapped from the Windows NT
-domain to Unix groups. Groups in all trusted domains are also
-reported.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-h</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
-<dd>
-<p>Queries the WINS server and prints the IP address of the specified
-system.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-n</tt> <em class="replaceable">name</em> </b></dt>
-<dd>
-<p>Prints the SID corresponding to the name specified. The argument can
-be specified as <em class="replaceable">DOMAIN/name</em> (or by using a
-character other than the slash, as defined by the winbind separator
-character) to specify both the domain and the name. If the domain and
-separator are omitted, the value of the <tt class="literal">workgroup</tt>
-parameter in the Samba configuration file is used as the name of the
-domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-s</tt> <em class="replaceable">SID</em> </b></dt>
-<dd>
-<p>Prints the name mapped to a SID, which is specified in the format
-<tt class="literal">S-1-</tt><em class="replaceable">N-N-D-D-D-R</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-U</tt> <em class="replaceable">UID</em></b></dt>
-<dd>
-<p>Prints the SID mapped to a Unix UID, if one exists in the current
-domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-G</tt> <em class="replaceable">gid</em></b></dt>
-<dd>
-<p>Prints the SID mapped to a Unix group ID, if one exists in the
-current domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-S</tt> <em class="replaceable">SID</em></b></dt>
-<dd>
-<p>Prints the Unix UID that winbind has mapped to the specified SID, if
-one exists.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-Y</tt> <em class="replaceable">SID</em></b></dt>
-<dd>
-<p>Prints the Unix group ID that winbind has mapped to the specified
-SID, if one exists.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-t</tt></b></dt>
-<dd>
-<p>Tests to see that the workstation trust account for the Samba server
-is valid.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-m</tt> </b></dt>
-<dd>
-<p>Prints a list of Windows NT domains trusted by the Windows server.
-This does not include the PDC's domain.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-r</tt> <em class="replaceable">username</em></b></dt>
-<dd>
-<p>Prints the list of Unix group IDs to which the user belongs. This
-works only if the user's account is maintained on a
-domain controller.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-a</tt> <em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em></b></dt>
-<dd>
-<p>Checks to see if a user can authenticate through
-<em class="emphasis">winbindd</em> using the specified username and
-password.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">-A</tt> <em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em></b></dt>
-<dd>
-<p>Saves the username and password used by <em class="emphasis">winbindd</em>
-to the domain controller. For use when operating in a Windows 2000
-domain.</p>
-</dd>
-
-</dl>
-
-
-</div>
-</div>
-
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-
-</body></html>
diff --git a/docs/htmldocs/using_samba/appd.html b/docs/htmldocs/using_samba/appd.html
deleted file mode 100644
index 0e2a8822f8..0000000000
--- a/docs/htmldocs/using_samba/appd.html
+++ /dev/null
@@ -1,82 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Appendix D. Downloading Samba with CVS</h1>
-
-
-<p>In <a href="ch02.html">Chapter 2</a> we showed you how to download the
-latest stable version of Samba published by the Samba developers. For
-most purposes (including virtually all production servers) this
-procedure will meet your needs. However, sometimes you might want to
-run a version of Samba that includes the latest bug fixes and
-features, maybe for research and testing purposes, or just to see
-what the Samba developers have been up to lately.</p>
-
-<p>The Samba team keeps the latest updates of the Samba source code in a
-<a name="INDEX-1"/><a name="INDEX-2"/>Concurrent Versions System
-(CVS) repository. CVS is a freely available
-<a name="INDEX-3"/>configuration management tool
-and is distributed under the GNU General Public License. You can
-download the latest copy from <a href="http://www.cvshome.org/">http://www.cvshome.org/</a>. The Samba team
-describes various ways to access its CVS repository at <a href="http://www.samba.org/samba/cvs.html">http://www.samba.org/samba/cvs.html</a>.</p>
-
-<a name="samba2-APP-D-NOTE-162"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Although the CVS code contains the latest features, it also contains
-the latest bugs and sometimes won't even compile
-properly! If you prefer a less &quot;bleeding
-edge&quot; release, try looking in the
-<em class="filename">alpha</em> and <em class="filename">pre</em> directories
-on the Samba FTP server. The <em class="filename">alpha</em> directory
-contains alpha releases, and the <em class="emphasis">pre</em> directory
-contains (usually more stable) prerelease versions. (See <a href="ch02.html">Chapter 2</a> for information on downloading via FTP.) Alpha
-releases might be a little behind the latest CVS code, but are less
-buggy and usually compile properly on the more common Unix versions.</p>
-</blockquote>
-
-<p>One of the nicest things about CVS is its ability to handle remote
-logins. This means that people across the globe on the Internet can
-download and update various source files for any project that uses a
-CVS repository. Such is the case with Samba. Once you have CVS
-installed on your system, you must first log in to the Samba source
-server with the following command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login</b></tt></pre></blockquote>
-
-<p>When you are prompted for a password, enter <tt class="literal">cvs</tt>.
-You are connected to the CVS server at
-<tt class="literal">pserver.samba.org</tt>. Once you are connected, you can
-download the latest source tree with the following command:<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a></p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>cvs -z5 -d :pserver:pserver@pserver.samba.org:/cvsroot co samba</b></tt></pre></blockquote>
-
-<p>This downloads the entire Samba distribution (file by file) into a
-directory called <em class="filename">samba</em>, created in your current
-directory. The <em class="filename">samba</em> directory has the same
-structure as the Samba source distribution described in <a href="ch02.html">Chapter 2</a>, except that it has additional directories
-named <em class="filename">CVS</em> throughout the source tree. These
-directories are used by CVS to store information about each file in
-the source tree and how to update them. After the download is
-completed, you can follow the instructions in <a href="ch02.html">Chapter 2</a> to configure, compile, and install your new
-Samba release.</p>
-
-<p>The Samba developers typically update the Samba source code one or
-more times per day. Whenever you want to catch up to the latest
-changes, simply <em class="emphasis">cd</em> to the
-<em class="filename">samba</em> directory and run the following command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>cvs update -d -P</b></tt></pre></blockquote>
-
-<p>Each time you do this, you will need to reconfigure, recompile, and
-reinstall to update your installation as we showed you in <a href="ch02.html">Chapter 2</a>.</p>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/>
-<p><a href="#FNPTR-1">[1]</a> The <tt class="literal">-z</tt> option causes the transfer to be made
-in GNU gzip compressed format and requires the
-<em class="filename">gzip</em> program to be installed on your system to
-work. If you do not have <em class="filename">gzip</em>, omit the
-<tt class="literal">-z</tt> option.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-
-</body></html>
diff --git a/docs/htmldocs/using_samba/appe.html b/docs/htmldocs/using_samba/appe.html
deleted file mode 100644
index d3263eb3cb..0000000000
--- a/docs/htmldocs/using_samba/appe.html
+++ /dev/null
@@ -1,826 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Appendix E. Configure Options</h1>
-
-
-<p><a name="INDEX-1"/>As we
-explained in <a href="ch02.html">Chapter 2</a>, the
-<em class="emphasis">configure</em> program is run before the Samba source
-code is compiled to fit the compilation process to the local
-architecture. At this stage, it is possible to specify options to
-customize Samba's behavior further and include or
-exclude features. This is an example of specifying configure options:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>./configure --with-smbmount --with-configdir=/etc/samba --with-manpages-langs=ja</b></tt></pre></blockquote>
-
-<p>This example configures the Samba installation to support mounting
-SMB filesystems, look for the Samba configuration file in
-<em class="filename">/etc/samba</em> (instead of the default location of
-<em class="filename">/usr/local/samba/lib</em>), and install
-Japanese-language manual pages. We have picked these three configure
-options because they illustrate the usage of the three types of
-options that are included up to Samba 3.0. The
-<tt class="literal">--with-smbmount</tt> option is a Boolean option, which
-can take a value of <tt class="literal">yes</tt> or <tt class="literal">no</tt>.
-All the Boolean options are set to <tt class="literal">no</tt> by default,
-and it is only necessary to provide the option to turn it on. If you
-want to be more explicit, you can specify
-<tt class="literal">--with-smbmount=yes</tt>. To turn an option off
-explicitly, you can also specify
-<tt class="literal">--without-</tt><em class="replaceable">feature</em>
-rather than
-<tt class="literal">--with-</tt><em class="replaceable">feature</em><tt class="literal">=no</tt>.</p>
-
-<p>In the case of the other two options we have shown, an argument must
-be supplied after the equals (<tt class="literal">=</tt>) sign. Some of the
-options are used to specify the directories that Samba uses for
-various purposes. Only one option is in the last group, where
-something other than a directory is specified as an option argument.</p>
-
-<p>The supported configure options vary from release to release. For
-example, between Samba 2.2.x and Samba 3.0, many options were
-dropped, and a few were added. To get a list of the configure options
-for your release, use the following command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>./configure --help</b></tt></pre></blockquote>
-
-<p><a href="appe.html#samba2-APP-E-TABLE-1">Table E-1</a> lists Samba's configure
-options.</p>
-
-<a name="samba2-APP-E-TABLE-1"/><h4 class="head4">Table E-1. Configuration options</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Configuration option</p>
-</th>
-<th>
-<p>Description</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">--with-acl-support</tt></p>
-</td>
-<td>
-<p>Support Windows NT/2000/XP ACLs</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-afs</tt></p>
-</td>
-<td>
-<p>Support the Andrew Filesystem (AFS)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-automount</tt></p>
-</td>
-<td>
-<p>Support the NFS automounter</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-codepagedir=</tt><em class="replaceable">dir</em></p>
-</td>
-<td>
-<p>Location of codepage files</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-configdir=</tt><em class="replaceable">dir</em></p>
-</td>
-<td>
-<p>Location of configuration files</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-dce-dfs</tt></p>
-</td>
-<td>
-<p>Support DCE/DFS</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-fhs</tt></p>
-</td>
-<td>
-<p>Use FHS-compliant locations of files</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-included-popt</tt></p>
-</td>
-<td>
-<p>Use Samba's <em class="emphasis">popt( )</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-krb4=base-</tt><em class="replaceable">dir</em></p>
-</td>
-<td>
-<p>Support Kerberos 4</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-krb5=base-</tt><em class="replaceable">dir</em></p>
-</td>
-<td>
-<p>Support Kerberos 5 (Microsoft ADS)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-ldapsam</tt></p>
-</td>
-<td>
-<p>Support LDAP SAM</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-libiconv=</tt><em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Specify <em class="filename">iconv</em> library</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-libsmbclient</tt></p>
-</td>
-<td>
-<p>Build <em class="filename">smbclient</em> library</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-lockdir=</tt><em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Location of lock files</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-logfilebase=</tt><em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Location of log files</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-manpages-langs=</tt><em class="replaceable">language</em></p>
-</td>
-<td>
-<p>Specify language for manual pages</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-msdfs</tt></p>
-</td>
-<td>
-<p>Support Microsoft Dfs</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-nisplus-home</tt></p>
-</td>
-<td>
-<p>Support NIS+ home directories</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-nisplussam</tt></p>
-</td>
-<td>
-<p>Support NIS+ SAM</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-pam</tt></p>
-</td>
-<td>
-<p>Support PAM restrictions</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-pam_smbpass</tt></p>
-</td>
-<td>
-<p>Build <em class="filename">pam_smbpass.so</em> PAM module</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-piddir=</tt><em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Location of PID files</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-privatedir=</tt><em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Location of <em class="filename">smbpasswd</em> file</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-profiling-data</tt></p>
-</td>
-<td>
-<p>Support gathering of profiling information</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-quotas</tt></p>
-</td>
-<td>
-<p>Support disk quotas</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-readline=</tt><em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Specify readline library</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-sendfile-support</tt></p>
-</td>
-<td>
-<p>Support <em class="emphasis">sendfile</em>( ) system call</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-smbmount</tt></p>
-</td>
-<td>
-<p>Support <em class="emphasis">smbmount</em> and smbfs</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-smbwrapper</tt></p>
-</td>
-<td>
-<p>Build <em class="filename">smbwrapper</em> library for
-<em class="emphasis">smbsh</em> support</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-spinlocks</tt></p>
-</td>
-<td>
-<p>Use spinlocks instead of fcntl locks</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-ssl</tt></p>
-</td>
-<td>
-<p>Support SSL</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-sslinc=</tt><em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Location of SSL include files</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-ssllib=</tt><em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Location of SSL libraries</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-swatdir=</tt><em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Location of SWAT files</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-syslog</tt></p>
-</td>
-<td>
-<p>Support syslog message logging</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-tdbsam</tt></p>
-</td>
-<td>
-<p>Support TDB database files for SAM</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-utmp</tt></p>
-</td>
-<td>
-<p>Support utmp file accounting</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--with-winbind</tt></p>
-</td>
-<td>
-<p>Build winbind</p>
-</td>
-</tr>
-
-</table>
-
-<dl>
-<dt><b><tt class="literal">--with-acl-support</tt><a name="INDEX-2"/><a name="INDEX-3"/></b></dt>
-<dd>
-<p>Includes support for Windows NT/2000/XP access control lists
-(<a name="INDEX-4"/>ACLs). For this to work, you need
-to have POSIX ACL support in the host operating system. See <a href="ch08.html">Chapter 8</a> for details.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-afs</tt><a name="INDEX-5"/><a name="INDEX-6"/></b></dt>
-<dd>
-<p>Includes support for the <a name="INDEX-7"/>Andrew
-Filesystem (AFS), for authenticating users who are accessing files
-through AFS.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-automount</tt><a name="INDEX-8"/><a name="INDEX-9"/></b></dt>
-<dd>
-<p>Includes support for the automounter, a feature often used in
-conjunction with NFS, to mount <a name="INDEX-10"/><a name="INDEX-11"/>NFS shares automatically at the
-first attempt to access them. You might wish to enable this feature
-if any of the directories shared by your Samba server are (or
-include) NFS-mounted directories.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-codepagedir</tt><a name="INDEX-12"/><a name="INDEX-13"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies the directory in which to put codepage files for
-<a name="INDEX-14"/>internationalization
-support. See the
-&quot;Internationalization&quot; section
-earlier in this chapter for more information on this feature. By
-default, this directory is
-<em class="filename">/usr/local/samba/lib/codepages</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-configdir</tt><a name="INDEX-15"/><a name="INDEX-16"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies the directory in which Samba keeps its configuration file,
-usually called <em class="filename">smb.conf</em>. By default, this is
-<em class="filename">/usr/local/samba/lib</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-dce-dfs</tt><a name="INDEX-17"/><a name="INDEX-18"/></b></dt>
-<dd>
-<p>Includes support for the <a name="INDEX-19"/>Distributed Computing Environment
-Distributed Filesystem (DCE/DFS). This is a distributed filesystem
-included in some Unix variants and is not the same as
-Microsoft's Distributed Filesystem (Dfs).</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-fhs</tt><a name="INDEX-20"/><a name="INDEX-21"/></b></dt>
-<dd>
-<p>Adheres to the <a name="INDEX-22"/>Filesystem Hierarchy Standard when
-locating files. For details, see <a href="http://www.pathname.com/fhs">http://www.pathname.com/fhs</a>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-included-popt</tt><a name="INDEX-23"/><a name="INDEX-24"/></b></dt>
-<dd>
-<p>Includes Samba's own support for parsing
-<a name="INDEX-25"/>command-line options, instead of using
-the local system's <em class="emphasis">popt( )</em>
-C-library function.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-krb4</tt><a name="INDEX-26"/><a name="INDEX-27"/>=<em class="replaceable">base-dir</em></b></dt>
-<dd>
-<p>Includes support for <a name="INDEX-28"/>Kerberos Version 4.0, specifying the base
-directory of the Kerberos distribution. Kerberos is an authentication
-protocol developed at MIT that uses private-key cryptography to
-provide strong security between nodes. This version is not the same
-as Microsoft's adaptation of Kerberos in Active
-Directory, which is the preferred version for use with Samba. This
-option exists only in versions of Samba earlier than 3.0.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-krb5</tt><a name="INDEX-29"/><a name="INDEX-30"/>=<em class="replaceable">base-dir</em></b></dt>
-<dd>
-<p>Includes support for Kerberos Version 5.0, specifying the base
-directory of the Kerberos distribution. This version of Kerberos is
-compatible with the Kerberos authentication in
-Microsoft's Active Directory used in Windows 2000
-and Windows XP.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-ldapsam</tt><a name="INDEX-31"/><a name="INDEX-32"/></b></dt>
-<dd>
-<p>Includes support for using
-<a name="INDEX-33"/>LDAP instead of the
-<em class="filename">smbpasswd</em> file for maintaining
-Samba's equivalent to the Windows NT SAM database.
-This option is necessary to use the parameters
-<tt class="literal">ldap</tt> <tt class="literal">admin</tt>
-<tt class="literal">dn</tt>, <tt class="literal">ldap</tt>
-<tt class="literal">filter</tt>, <tt class="literal">ldap</tt>
-<tt class="literal">port</tt>, <tt class="literal">ldap</tt>
-<tt class="literal">server</tt>, <tt class="literal">ldap</tt>
-<tt class="literal">ssl</tt>, and <tt class="literal">ldap</tt>
-<tt class="literal">suffix</tt> in the Samba configuration file. It is
-necessary to specify <tt class="literal">--with-ldapsam</tt> only in Samba
-versions prior to 3.0.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-libiconv</tt><a name="INDEX-34"/><a name="INDEX-35"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies a location for <em class="emphasis">iconv( )</em> support. The
-<a name="INDEX-36"/><em class="emphasis">iconv( )</em> function
-exists in the C library to perform conversion between different
-character sets. This option allows Samba's default
-method of determining the location of the <em class="emphasis">iconv()</em>
-library to be overridden. Ordinarily, the configuration
-process checks for support in the C library on the system and, if not
-found, uses code included in the Samba source tree. Using
-<tt class="literal">--with-libiconv</tt>, it is possible to specify
-explicitly where the support is located. The include files are
-assumed to be in
-<em class="replaceable">directory</em><em class="filename">/include</em>,
-and library files are assumed to be in
-<em class="replaceable">directory</em><em class="filename">/lib</em>. This
-option is new in Samba 3.0.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-libsmbclient</tt><a name="INDEX-37"/><a name="INDEX-38"/></b></dt>
-<dd>
-<p>Allows applications outside the
-<a name="INDEX-39"/>Samba
-suite to access Samba's features. When
-<tt class="literal">--with-libsmbclient</tt> is specified, the library is
-built during the compilation process.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-lockdir</tt><a name="INDEX-40"/><a name="INDEX-41"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies the directory in which Samba keeps
-<a name="INDEX-42"/>lock
-files. By default this directory is
-<em class="filename">/usr/local/samba/var/locks</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-logfilebase</tt><a name="INDEX-43"/><a name="INDEX-44"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies the directory in which Samba keeps <a name="INDEX-45"/>log files for the
-<em class="emphasis">smbd</em>, <em class="emphasis">nmbd</em>, and
-<em class="emphasis">winbindd</em> daemons. This defaults to
-<em class="filename">/usr/local/samba/var</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-manpages-langs</tt><a name="INDEX-46"/><a name="INDEX-47"/>=<em class="replaceable">language</em></b></dt>
-<dd>
-<p>Starting with Samba 3.0, <a name="INDEX-48"/><a name="INDEX-49"/>Samba's manual pages
-are available in different languages. The default is
-<tt class="literal">en</tt> for English, and the language can be specified
-as <tt class="literal">ja</tt> for Japanese or <tt class="literal">pl</tt> for
-Polish.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-msdfs</tt><a name="INDEX-50"/><a name="INDEX-51"/></b></dt>
-<dd>
-<p>Includes support for Microsoft Distributed Filesystem
-(<a name="INDEX-52"/>Dfs). See <a href="ch08.html">Chapter 8</a> for
-more information on this feature. Specifying this option is necessary
-only in Samba versions prior to 3.0.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-nisplus-home</tt><a name="INDEX-53"/><a name="INDEX-54"/></b></dt>
-<dd>
-<p>Includes support for locating the
-<a name="INDEX-55"/>NIS+ server that is
-serving a particular user's home directory and
-telling the client to connect to it. Use
-<tt class="literal">--with-automount</tt> along with this option.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-nisplussam</tt><a name="INDEX-56"/><a name="INDEX-57"/></b></dt>
-<dd>
-<p>Includes support for integrating
-<a name="INDEX-58"/>NIS+ into Samba's
-equivalent of the Windows NT password database.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-pam</tt><a name="INDEX-59"/><a name="INDEX-60"/></b></dt>
-<dd>
-<p>When this configure option is specified and the parameter
-<tt class="literal">obey</tt> <tt class="literal">pam</tt>
-<tt class="literal">restrictions</tt> in the Samba configuration file is
-set to <tt class="literal">yes</tt>, obeys PAM's
-configuration regarding account and session management. When
-encrypted passwords are in use, Samba uses the
-<em class="filename">smbpasswd</em> file for authentication, bypassing the
-PAM subsystem. Therefore, this option works only when
-<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> is set to
-<tt class="literal">no</tt>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-pam_smbpass</tt><a name="INDEX-61"/><a name="INDEX-62"/></b></dt>
-<dd>
-<p>When this option is specified, the compilation process builds a PAM
-module called <em class="filename">pam_smbpass.so</em> and places it in
-the <em class="filename">source/bin</em> directory. This module allows
-applications outside of the Samba suite to authenticate users with
-Samba's <em class="filename">smbpasswd</em> file. For
-more information, see the <em class="filename">README</em> file in the
-<em class="filename">source/pam_smbpass</em> directory of the Samba
-distribution and the file
-<em class="filename">PAM-Authentication-And-Samba.html</em> in the
-<em class="filename">docs/html</em> directory.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-piddir</tt><a name="INDEX-63"/><a name="INDEX-64"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies the directory in which Samba keeps files such as
-<a name="INDEX-65"/>browse lists, WINS
-data, and PID files for keeping track of the process IDs of the Samba
-daemons. The default is
-<em class="filename">/usr/local/samba/var/locks</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-privatedir</tt><a name="INDEX-66"/><a name="INDEX-67"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies the directory in which Samba keeps the
-<em class="filename">smbpasswd</em>, <em class="filename">secrets.tdb,</em> and
-related files for
-<a name="INDEX-68"/>authentication.
-The default is <em class="filename">/usr/local/samba/private</em>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-profiling-data</tt><a name="INDEX-69"/><a name="INDEX-70"/></b></dt>
-<dd>
-<p>Includes support for analyzing the execution time of
-Samba's internal code. This is normally used only by
-the Samba developers.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-quotas</tt><a name="INDEX-71"/><a name="INDEX-72"/></b></dt>
-<dd>
-<p>Includes <a name="INDEX-73"/>disk-quota support. This is classified
-as an experimental option by the Samba developers.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-readline</tt><a name="INDEX-74"/><a name="INDEX-75"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies a location for
-<a name="INDEX-76"/><em class="emphasis">readline( )</em>
-support. The <em class="emphasis">readline( )</em> function exists in the
-C library to accept a line of input from an interactive user and
-provide support for editing and history. Samba uses these functions
-in <em class="emphasis">smbclient</em> and <em class="emphasis">rpcclient</em>.</p>
-
-<p>This option allows Samba's default method of
-determining the location of the <tt class="function">readline( )</tt>
-library to be overridden. Ordinarily, the configuration process
-checks for support in the C library on the system and, if not found,
-uses code included in the Samba source tree. Using
-<tt class="literal">--with-readline</tt>, it is possible to specify the
-directory explicitly in which the library containing
-<em class="emphasis">readline( )</em> is located.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-sendfile-support</tt><a name="INDEX-77"/><a name="INDEX-78"/></b></dt>
-<dd>
-<p>Checks to see if the Samba host operating system supports the
-<a name="INDEX-79"/><em class="emphasis">sendfile( )</em> system
-call, which speeds up file transfers by copying data directly to and
-from kernel buffers, avoiding the overhead of copying to and from
-buffers in user space. If the operating system has the
-<em class="emphasis">sendfile( )</em> system call, support is included in
-Samba for the <tt class="literal">use</tt> <tt class="literal">sendfile</tt>
-configuration file option. This is an experimental option included in
-Samba 2.2.5 and later versions.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-smbmount</tt><a name="INDEX-80"/><a name="INDEX-81"/></b></dt>
-<dd>
-<p>Must be specified if you want to mount SMB shares in your Unix
-filesystem using the <em class="filename"/><a name="INDEX-82"/>smbfs</em> filesystem and the
-<em class="emphasis">smbmount</em><a name="INDEX-83"/> command, as discussed in <a href="ch05.html">Chapter 5</a>. Currently, this works only with Linux.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-smbwrapper</tt><a name="INDEX-84"/><a name="INDEX-85"/></b></dt>
-<dd>
-<p>To use <a name="INDEX-86"/>smbsh to access SMB shares from Unix (as
-discussed in <a href="ch05.html">Chapter 5</a>), use this option to
-include the
-<em class="filename">smbwrapper</em><a name="INDEX-87"/> library.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-spinlocks</tt><a name="INDEX-88"/><a name="INDEX-89"/></b></dt>
-<dd>
-<p>Uses <a name="INDEX-90"/><a name="INDEX-91"/>spin locks instead of the normal method of
-file locking that uses the <em class="emphasis">fcntl( )</em> C-library
-function. Using this option results in a Samba installation that
-consumes much more CPU time on the host system. Use it only when
-absolutely necessary.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-ssl</tt><a name="INDEX-92"/><a name="INDEX-93"/></b></dt>
-<dd>
-<p>Includes support for running Samba with
-<a name="INDEX-94"/>SSL encryption. This little-used
-feature was dropped for Samba 3.0. It still works with Samba 2.2.x
-and before, but a better method is to use a <a name="INDEX-95"/>virtual private
-network (VPN).</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-sslinc</tt><a name="INDEX-96"/><a name="INDEX-97"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies the location of the SSL include files.
-<em class="filename">/usr/local/ssl/include</em> is the default location.
-This option exists in versions prior to Samba 3.0.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-ssllib</tt><a name="INDEX-98"/><a name="INDEX-99"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies the location of the SSL libraries. The default location is
-<em class="filename">/usr/local/ssl/lib</em>. This option exists in
-versions prior to Samba 3.0.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-swatdir</tt><a name="INDEX-100"/><a name="INDEX-101"/>=<em class="replaceable">directory</em></b></dt>
-<dd>
-<p>Specifies where to install the files for
-<a name="INDEX-102"/>SWAT.
-<em class="filename">/usr/local/samba/swat</em> is the default location.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-syslog</tt><a name="INDEX-103"/><a name="INDEX-104"/></b></dt>
-<dd>
-<p>Includes support for
-<a name="INDEX-105"/>syslog error
-logging. This option must be specified for the Samba configuration
-file parameters <tt class="literal">syslog</tt> and
-<tt class="literal">syslog</tt> <tt class="literal">only</tt> to work. This
-option is widely supported, but might not work correctly on all Samba
-host systems.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-tdbsam</tt><a name="INDEX-106"/><a name="INDEX-107"/></b></dt>
-<dd>
-<p>Includes support for keeping Samba's equivalent of
-the Windows NT SAM in a <em class="filename">.tdb</em> database file
-rather than in the <em class="filename">smbpasswd</em> file. This is an
-experimental feature.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-utmp</tt><a name="INDEX-108"/><a name="INDEX-109"/></b></dt>
-<dd>
-<p>Includes support for <a name="INDEX-110"/>user accounting in the
-system's
-<em class="filename">utmp</em><a name="INDEX-111"/> file. It is necessary for the
-<tt class="literal">utmp</tt> and <tt class="literal">utmp</tt>
-<tt class="literal">directory</tt> Samba configuration file options to
-work. This option is widely supported, but might not work correctly
-on all Samba host systems.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-winbind</tt><a name="INDEX-112"/><a name="INDEX-113"/></b></dt>
-<dd>
-<p>Includes <a name="INDEX-114"/>winbind support in Samba.
-Instead of defaulting to <tt class="literal">no</tt>, as with other boolean
-options, <tt class="literal">--with-winbind</tt> is
-automatically set to <tt class="literal">yes</tt> on systems that support
-winbind functionality. The only time you would need to specify this
-option is to turn it off, like this:</p>
-
-
-<blockquote><pre class="code"># <tt class="userinput"><b>configure --without-winbind</b></tt></pre></blockquote>
-
-<p>This excludes winbind functionality from Samba even when the local
-operating system can support it. For more information on winbind, see
-<a href="ch09.html">Chapter 9</a>. <a name="INDEX-115"/></p>
-</dd>
-
-</dl>
-
-
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-</body></html>
diff --git a/docs/htmldocs/using_samba/appf.html b/docs/htmldocs/using_samba/appf.html
deleted file mode 100644
index c3eb7d4d81..0000000000
--- a/docs/htmldocs/using_samba/appf.html
+++ /dev/null
@@ -1,780 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Appendix F. Running Samba on Mac OS X Server</h1>
-
-
-
-<p><a name="INDEX-1"/>Mac OS X Server is an Apple
-operating-system product based on Mac OS X, with the addition of
-administrative tools and server software. One area in which it
-differs from Mac OS X is in the configuration of Samba-based
-services. In this appendix, we'll tell you how to
-set up SMB file and printer shares, enable client user access, and
-monitor activity. Our specific focus is on Mac OS X Server 10.2.</p>
-
-
-
-<div class="sect1"><a name="samba2-APP-F-SECT-1"/>
-
-<h2 class="head1">Setup Procedures</h2>
-
-<p>The first thing to note is that the procedure described in <a href="ch02.html">Chapter 2</a> using System Preferences to enable Samba does
-not apply to Mac OS X Server. Unlike Mac OS X, the Sharing pane of
-System Preferences does not include an option to turn on Windows File
-Sharing. Instead, there is a set of applications to configure,
-activate, and monitor services: Workgroup Manager, Server Settings,
-Server Status, and Open Directory Assistant, all located in the
-directory <em class="filename">/Applications/Utilities</em>.</p>
-
-<a name="samba2-APP-F-NOTE-163"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
-<p>In addition to being installed with Mac OS X Server, these and other
-administrative applications are included on a separate installation
-CD-ROM sold with the operating system. They can be used to manage Mac
-OS X Server systems remotely from any Mac OS X machine.</p>
-
-<p>For more information, refer to the <em class="citetitle">Mac OS X Server
-Administrator's
-Guide</em><a name="INDEX-2"/>, included as a PDF
-file in the <em class="filename">/Library/Documentation/MacOSXServer</em>
-directory, and also downloadable from Apple
-Computer's web site at <a href="http://www.apple.com/server/">http://www.apple.com/server/</a>.</p>
-</blockquote>
-
-<p>Briefly, the procedure for setting up SMB file and printer shares is
-as follows:</p>
-
-<ol><li>
-<p>Designate share points in Workgroup Manager for file sharing.</p>
-</li><li>
-<p>Set up print queues in Server Settings for printer sharing, and
-activate Printer Service.</p>
-</li><li>
-<p>Configure and activate Windows Services in Server Settings.</p>
-</li><li>
-<p>Activate Password Server and enable SMB authentication in Open
-Directory Assistant.</p>
-</li><li>
-<p>Enable Password Server authentication for user accounts in Workgroup
-Manager.</p>
-</li><li>
-<p>Monitor file and print services with Server Status.</p>
-</li></ol>
-
-<div class="sect2"><a name="samba2-APP-F-SECT-1.1"/>
-
-<h3 class="head2">Sharing Files</h3>
-
-<p><a name="INDEX-3"/><a name="INDEX-4"/>The
-first step to enable SMB file sharing is to designate one or more
-<em class="firstterm">share points</em>. Share points are folders that
-form the root of shared volumes for any of the protocols supported by
-Mac OS X Server: Apple Filesharing Protocol (AFP), Network Filesystem
-(NFS), File Transfer Protocol (FTP), and SMB.</p>
-
-<p>To designate a share point, launch Workgroup Manager. You will be
-prompted for the local or remote server's hostname
-or IP address, as well as for a username and password; this process
-is required by all the Mac OS X Server administrative applications.
-Once Workgroup Manager is open, click the Sharing button in the
-toolbar. The list on the left, under the Share Points tab, displays
-currently defined share points. To add a new one, click the All tab,
-and navigate to the folder you want to share.</p>
-
-<p>On the right, under the General tab, check the box labeled Share this
-item and its contents, change the ownership and permissions if
-desired, then click the Save button. Next, under the Protocols tab,
-select Windows File Settings from the pop-up menu, and ensure that
-the box labeled Share this item using SMB is checked. At this point,
-you can also decide whether to allow guest access to the share,
-change the name of the share displayed to SMB clients, or set
-permissions for files and folders created by SMB clients. Click the
-Save button when you're finished making changes. See
-<a href="appf.html#samba2-APP-F-FIG-1">Figure F-1</a>.</p>
-
-<div class="figure"><a name="samba2-APP-F-FIG-1"/><img src="figs/sam2_af01.gif"/></div><h4 class="head4">Figure F-1. Workgroup Manager: Share Points and Windows File Settings</h4>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-F-SECT-1.2"/>
-
-<h3 class="head2">Sharing Printers</h3>
-
-<p><a name="INDEX-5"/><a name="INDEX-6"/>Printer shares are set up
-differently. First, launch Server Settings; under the File &amp;
-Print tab, select Print, then Configure Print Service.... Check the
-box labeled Automatically share new queues for Windows printing.
-Next, click the Print icon again and then Show Print Monitor. Make
-sure the printers you want to share are listed. Printers directly
-attached to the server should have queues created automatically, but
-remote printers you wish to reshare must be added by clicking New
-Queue and discovering or specifying the printers. When
-you're finished, click Save, select the Print icon
-one more time, and select Start Print Service. See <a href="appf.html#samba2-APP-F-FIG-2">Figure F-2</a>.</p>
-
-<div class="figure"><a name="samba2-APP-F-FIG-2"/><img src="figs/sam2_af02.gif"/></div><h4 class="head4">Figure F-2. Server Settings: Print Service</h4>
-
-<a name="samba2-APP-F-NOTE-164"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Server Settings will make local printers available for sharing only
-if they're PostScript compatible. Unfortunately,
-many printers, including consumer-grade USB inkjet printers,
-aren't. If you want to make one of these printers
-available to SMB clients, you can still add the share to
-<em class="filename">/etc/smb.conf</em> yourself with a text editor. See
-&quot;Rolling Your Own&quot; later in this
-chapter for instructions and caveats related to making manual changes
-to <em class="filename">smb.conf</em>.</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-F-SECT-1.3"/>
-
-<h3 class="head2">Configuring and Activating Services</h3>
-
-<p><a name="INDEX-7"/>At this point, neither
-the file shares nor the printer shares are available to SMB clients.
-To activate them, click the Windows icon in Server Settings, and
-click Configure Windows Services.... Under the General tab, you can
-set the server's NetBIOS hostname, the workgroup or
-Windows NT domain in which the server resides, and the description
-that gets displayed in a browse list. You can also specify the code
-page for an alternate character set. Finally, you can enable
-boot-time startup of Samba. See <a href="appf.html#samba2-APP-F-FIG-3">Figure F-3</a>.</p>
-
-<div class="figure"><a name="samba2-APP-F-FIG-3"/><img src="figs/sam2_af03.gif"/></div><h4 class="head4">Figure F-3. Server Settings: Windows Services</h4>
-
-<p>The Windows Services Access tab offers options to enable guest access
-and limit the number of simultaneous client connections; under the
-Logging tab, you can specify the verbosity of your logging. With
-options under the Neighborhood tab, you can configure your machine as
-a WINS client or server or have it provide browser services locally
-or across subnets.</p>
-
-<a name="samba2-APP-F-SIDEBAR-1"/><blockquote><table border="1" cellpadding="6"><tr><td>
-<h4 class="head4">Password Server</h4>
-
-<p><a name="INDEX-8"/><a name="INDEX-9"/>Password Server is a feature
-introduced with Mac OS X Server 10.2. In prior versions of Mac OS X
-Server, Windows authentication was handled with Authentication
-Manager, which stored a user's Windows password in
-the <tt class="literal">tim_password</tt> property of the
-user's NetInfo record. This can still be done in
-Version 10.2, although it's strongly discouraged
-because the encrypted password is visible to other users with access
-to the NetInfo domain and can potentially be decrypted.</p>
-
-<p>If you need to use Authentication Manager, use the following
-procedure to enable it:</p>
-
-<ol><li>
-<p>On every machine hosting a domain that will bind into the NetInfo
-hierarchy, execute the command <tt class="literal">tim -init -auto</tt>
-<em class="replaceable">tag</em> for each domain, where
-<em class="replaceable">tag</em> is the name of the
-domain's database.</p>
-</li>
-<li>
-<p>When prompted, provide a password to be used as the encryption key
-for the domain. This key is used to decrypt the Windows passwords and
-is stored in an encrypted file readable only by root,
-<em class="filename">/var/db/netinfo/.tag.tim</em>.</p>
-</li>
-<li>
-<p>Set <tt class="literal">AUTHSERVER=-YES-</tt> in
-<em class="filename">/etc/hostconfig</em>.</p>
-</li>
-<li>
-<p>Start Authentication Manager by invoking <em class="emphasis">tim</em>.
-This is also executed during the boot sequence by the AuthServer
-startup item.</p>
-</li>
-<li>
-<p>Reset the password of each user requiring SMB client access. In Mac
-OS X Server 10.2 or later, make sure the user is set up for Basic
-authentication, not Password Server authentication.</p>
-</li></ol></td></tr></table></blockquote>
-
-<p>When you've finished configuring Windows Services,
-click the Save button, then click the Windows icon in Server
-Settings, and select Start Windows Services. This starts the Samba
-daemons, enabling access from SMB clients.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-F-SECT-1.4"/>
-
-<h3 class="head2">Activating Password Server</h3>
-
-<p><a name="INDEX-10"/><a name="INDEX-11"/>Now that
-you've set up file and printer shares, you need to
-make sure users can properly authenticate to access them. In Mac OS X
-Server, this is accomplished with the <a name="INDEX-12"/>Open Directory
-Password Server, a service based on the <a name="INDEX-13"/>Simple Authentication and Security
-Layer (SASL) standard and usable with many different authentication
-protocols, including the LAN Manager and Windows NT LAN Manager
-(NTLM) protocols. This section describes how to support SMB client
-authentication, but for more information on what Password Server does
-and how it works, see the Mac OS X Server
-Administrator's Guide.</p>
-
-<p>To enable Password Server or merely check its settings, start the
-Open Directory Assistant. Unless you wish to change any of the
-settings, just click the right arrow button in the lower-right corner
-of the window until you get to the first Security step. At this
-point, activate Password Server by selecting the option marked
-Password and authentication information will be provided to other
-systems. The next step displays the main administrative account, and
-the one after that gives you a choice of authentication protocols to
-enable (see <a href="appf.html#samba2-APP-F-FIG-4">Figure F-4</a>). Make sure that SMB-NT is
-checked, and check SMB-Lan Manager if you have Windows 95/98/Me or
-older clients. The final step saves the Password Server configuration
-and prompts you to reboot.</p>
-
-<div class="figure"><a name="samba2-APP-F-FIG-4"/><img src="figs/sam2_af04.gif"/></div><h4 class="head4">Figure F-4. Password Server authentication protocols</h4>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-F-SECT-1.5"/>
-
-<h3 class="head2">Enabling Password Server</h3>
-
-<p><a name="INDEX-14"/><a name="INDEX-15"/>To enable the
-use of Password Server for a user account, launch Workgroup Manager,
-and click the Accounts button in the toolbar. Under the Users tab on
-the far left (with the silhouette of a single person), select the
-account, and under the Advanced tab on the right, select Password
-Server for the User Password Type (see <a href="appf.html#samba2-APP-F-FIG-5">Figure F-5</a>).
-You are prompted to enter a new user password to be stored in the
-Password Server database. After saving the account configuration, the
-user can authenticate and access shares from an SMB client.</p>
-
-<div class="figure"><a name="samba2-APP-F-FIG-5"/><img src="figs/sam2_af05.gif"/></div><h4 class="head4">Figure F-5. Workgroup Manager: Enabling Password Server authentication</h4>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-F-SECT-1.6"/>
-
-<h3 class="head2">Monitoring Services</h3>
-
-<p><a name="INDEX-16"/>Once you've got
-everything working, you'll want to keep an eye on
-things. The Server Status application gives you views into the
-various services provided by Mac OS X Server. For Windows Services,
-you can see the current state of the service, browse the logs
-(located in the directory
-<em class="filename">/Library/Logs/WindowsServices</em>), display and
-terminate individual connections, and view a graph of connections
-over time (see <a href="appf.html#samba2-APP-F-FIG-6">Figure F-6</a>). Similar information is
-provided for Print Service.</p>
-
-<div class="figure"><a name="samba2-APP-F-FIG-6"/><img src="figs/sam2_af06.gif"/></div><h4 class="head4">Figure F-6. Server Status: Windows Services</h4>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-APP-F-SECT-2"/>
-
-<h2 class="head1">Configuration Details</h2>
-
-<p><a name="INDEX-17"/>Underneath the GUI, a lot of activity
-takes place to offer Windows Services. In the non-Server version of
-Mac OS X, selecting Windows File Sharing sets the
-<tt class="literal">SMBSERVER</tt> parameter in
-<em class="filename">/etc/hostconfig</em> and triggers the Samba startup
-item. In Mac OS X Server, under normal circumstances the Samba
-startup item and the <tt class="literal">SMBSERVER</tt> parameter are never
-used.</p>
-
-<p>Instead, a process named <em class="emphasis">sambadmind</em> generates
-<em class="filename">/etc/smb.conf</em> from the configuration specified
-in Server Settings and Workgroup Manager and handles starting and
-restarting the Samba daemons as necessary. The
-<em class="emphasis">sambadmind</em> process is in turn monitored by
-<em class="emphasis">watchdog</em>, which keeps an eye on certain
-processes and restarts those which fail. The
-<em class="emphasis">watchdog</em> utility is configured in
-<em class="filename">/etc/watchdog.conf</em>, a file similar to a System V
-<em class="filename">inittab</em>, which specifies how the services under
-<em class="emphasis">watchdog</em>'s purview are to be
-treated. For example, the line for <em class="emphasis">sambadmind</em>
-looks like this:</p>
-
-<blockquote><pre class="code">sambadmin:respawn:/usr/sbin/sambadmind -d # SMB Admin daemon</pre></blockquote>
-
-<p>Using a <em class="emphasis">watchdog</em>-monitored process such as
-<em class="emphasis">sambadmind</em> to start the Samba daemons, instead
-of a one-time execution of a startup item, results in more reliable
-service. In Mac OS X Server, if a Samba daemon dies unexpectedly, it
-is quickly restarted. (Examples of other services monitored by
-<em class="emphasis">watchdog</em> are Password Server, Print Service, and
-the Server Settings daemon that allows remote management.)</p>
-
-<p>There's another wrinkle in Mac OS X Server: the
-Samba configuration settings are not written directly to
-<em class="filename">/etc/smb.conf</em>, as they are in the non-Server
-version of Mac OS X. Instead, they're stored in the
-server's local Open Directory domain,<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> from which <em class="emphasis">sambadmind</em> retrieves them
-and regenerates <em class="filename">smb.conf</em>. For example, the Samba
-global parameters are stored in
-<em class="filename">/config/SMBServer</em> (see <a href="appf.html#samba2-APP-F-FIG-7">Figure F-7</a>). Share point information is also kept in Open
-Directory, under <em class="filename">/config/SharePoints</em>, while CUPS
-takes responsibility for printer configuration in
-<em class="filename">/etc/cups/printers.conf</em> (also creating stub
-entries used by Samba in <em class="filename">/etc/printcap</em>).</p>
-
-<div class="figure"><a name="samba2-APP-F-FIG-7"/><img src="figs/sam2_af07.gif"/></div><h4 class="head4">Figure F-7. NetInfo Manager: SMBServer properties</h4>
-
-<p><a href="appf.html#samba2-APP-F-TABLE-1">Table F-1</a> summarizes the association of Windows
-Services settings in the Server Settings application, properties
-stored in Open Directory, and parameters in
-<em class="filename">/etc/smb.conf</em>.</p>
-
-<a name="samba2-APP-F-TABLE-1"/><h4 class="head4">Table F-1. Samba configuration settings in Mac OS X Server</h4><table border="1">
-
-
-
-
-<tr>
-<th>
-<p>Server Settings graphical element in Windows Services</p>
-</th>
-<th>
-<p>Open Directory property in <em class="filename">/config/SMBServer</em></p>
-</th>
-<th>
-<p>Samba global parameter in<em class="filename">/etc/smb.conf</em></p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>General &rarr; Server Name</p>
-</td>
-<td>
-<p><tt class="literal">netbios_name</tt></p>
-</td>
-<td>
-<p><tt class="literal">netbios name</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>General &rarr; Workgroup</p>
-</td>
-<td>
-<p><tt class="literal">workgroup</tt></p>
-</td>
-<td>
-<p><tt class="literal">workgroup</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>General &rarr; Description</p>
-</td>
-<td>
-<p><tt class="literal">description</tt></p>
-</td>
-<td>
-<p><tt class="literal">server string</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>General &rarr; Code Page</p>
-</td>
-<td>
-<p><tt class="literal">code_page</tt></p>
-</td>
-<td>
-<p><tt class="literal">client code page</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>General &rarr; Start Windows Services on system startup</p>
-</td>
-<td>
-<p><tt class="literal">auto_start</tt></p>
-</td>
-<td>
-<p>N/A</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Access &rarr; Allow Guest Access</p>
-</td>
-<td>
-<p><tt class="literal">guest_access</tt>, <tt class="literal">map_to_guest</tt></p>
-</td>
-<td>
-<p><tt class="literal">map to guest</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">guest_account</tt></p>
-</td>
-<td>
-<p><tt class="literal">guest account</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Access &rarr; Maximum client connections</p>
-</td>
-<td>
-<p><tt class="literal">max_connections</tt></p>
-</td>
-<td>
-<p><tt class="literal">max smbd processes</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Logging &rarr; Detail Level</p>
-</td>
-<td>
-<p><tt class="literal">logging</tt></p>
-</td>
-<td>
-<p><tt class="literal">log level</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Neighborhood &rarr; WINS Registration &rarr;
-Off</p>
-</td>
-<td>
-<p><tt class="literal">WINS_enabled</tt>, <tt class="literal">WINS_register</tt></p>
-</td>
-<td>
-<p><tt class="literal">wins support</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Neighborhood &rarr; WINS Registration &rarr;
-Enable WINS server</p>
-</td>
-<td>
-<p><tt class="literal">WINS_enabled</tt></p>
-</td>
-<td>
-<p><tt class="literal">wins support</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Neighborhood &rarr; WINS Registration &rarr;
-Register with WINS server</p>
-</td>
-<td>
-<p><tt class="literal">WINS_register</tt>, <tt class="literal">WINS_address</tt></p>
-</td>
-<td>
-<p><tt class="literal">wins server</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Neighborhood &rarr; Workgroup/Domain Services
-&rarr; Master Browser</p>
-</td>
-<td>
-<p><tt class="literal">Local_Master</tt></p>
-</td>
-<td>
-<p><tt class="literal">local master</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Neighborhood &rarr; Workgroup/Domain Services
-&rarr; Domain Master Browser</p>
-</td>
-<td>
-<p><tt class="literal">Domain_Master</tt></p>
-</td>
-<td>
-<p><tt class="literal">domain master</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Print &rarr; Start Print Service</p>
-</td>
-<td>
-<p><tt class="literal">printing</tt></p>
-</td>
-<td>
-<p>N/A</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">lprm_command</tt></p>
-</td>
-<td>
-<p><tt class="literal">lprm command</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">lppause_command</tt></p>
-</td>
-<td>
-<p><tt class="literal">lppause command</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">lpresume_command</tt></p>
-</td>
-<td>
-<p><tt class="literal">lpresume command</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">printer_admin</tt></p>
-</td>
-<td>
-<p><tt class="literal">printer admin</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">encryption</tt></p>
-</td>
-<td>
-<p><tt class="literal">encrypt passwords</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">coding_system</tt></p>
-</td>
-<td>
-<p><tt class="literal">coding system</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">log_dir</tt></p>
-</td>
-<td>
-<p>N/A</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">smb_log</tt></p>
-</td>
-<td>
-<p><tt class="literal">log file</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">nmb_log</tt></p>
-</td>
-<td>
-<p>N/A</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">samba_sbindir</tt></p>
-</td>
-<td>
-<p>N/A</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">samba_bindir</tt></p>
-</td>
-<td>
-<p>N/A</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">samba_libdir</tt></p>
-</td>
-<td>
-<p>N/A</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">samba_lockdir</tt></p>
-</td>
-<td>
-<p>N/A</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">samba_vardir</tt></p>
-</td>
-<td>
-<p>N/A</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>N/A</p>
-</td>
-<td>
-<p><tt class="literal">stop_time</tt></p>
-</td>
-<td>
-<p>N/A <a name="INDEX-19"/></p>
-</td>
-</tr>
-
-</table>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-APP-F-SECT-3"/>
-
-<h2 class="head1">Rolling Your Own</h2>
-
-<p><a name="INDEX-20"/>When making manual changes to the Samba
-configuration file, take care to block changes initiated from
-graphical applications by invoking this command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>chflags uchg /etc/smb.conf</b></tt></pre></blockquote>
-
-<p>From that point on, the GUI will be useful only for starting,
-stopping, and monitoring the service&mdash;not for configuring it.</p>
-
-<p>If you install your own version of Samba, you can still manage it
-from Server Settings by changing some of the Open Directory
-properties in <em class="filename">/config/SMBServer</em>.</p>
-
-<p>To do this, open NetInfo Manager and modify the
-<tt class="literal">samba_sbindir</tt> and <tt class="literal">samba_bindir</tt>
-properties to match the location of your Samba installation.
-Optionally, you can modify <tt class="literal">samba_libdir</tt>,
-<tt class="literal">samba_vardir</tt>, and
-<tt class="literal">samba_lockdir</tt>. Assuming a default Samba
-installation, you can also change these at the command line with the
-following commands:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>nicl . -create /config/SMBServer samba_sbindir /usr/local/samba/bin</b></tt>
-# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_bindir /usr/local/samba/bin</b></tt>
-# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_libdir /usr/local/samba/lib</b></tt>
-# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_vardir /usr/local/samba/var</b></tt>
-# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_lockdir /usr/local/samba/var/locks</b></tt></pre></blockquote>
-
-<p>You can check your settings with this command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>nicl . -read /config/SMBServer</b></tt></pre></blockquote>
-
-<p>In Server Settings, select Stop Windows Services, then run this
-command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>killall sambadmind</b></tt></pre></blockquote>
-
-<p>The <em class="emphasis">watchdog</em> utility restarts
-<em class="emphasis">sambadmind</em> within seconds. Finally, go back to
-Server Settings, and select Start Windows Services.</p>
-
-<p>If you don't modify Open Directory properties to
-match your active Samba installation (because you wish to manage your
-configuration another way), be sure never to activate Windows
-Services from the Server Settings application, or
-you'll wind up with two sets of Samba daemons
-running concurrently. <a name="INDEX-21"/></p>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/>
-<p><a href="#FNPTR-1">[1]</a> In versions of Mac OS X prior to 10.2, Open Directory domains
-were called NetInfo domains. NetInfo Manager (located in
-<em class="filename">/Applications/Utilities</em>) provides a graphical
-interface to view and modify the contents of Open Directory
-databases. For more information, see the <em class="citetitle">Mac OS X Server
-Administrator's Guide</em>, as well as
-<em class="citetitle">Understanding and Using NetInfo</em>, downloadable
-from the Mac OS X Server resources web page at <a href="http://www.apple.com/server/resources.html">http://www.apple.com/server/resources.html</a>.</p>
-</blockquote>
-
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-</body></html>
diff --git a/docs/htmldocs/using_samba/appg.html b/docs/htmldocs/using_samba/appg.html
deleted file mode 100644
index 779f68034f..0000000000
--- a/docs/htmldocs/using_samba/appg.html
+++ /dev/null
@@ -1,500 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Appendix G. GNU Free Documentation License</h1>
-
-
-<div class="sect1"><a name="samba2-APP-G-SECT-1"/>
-
-<a name="INDEX-1"/><h2 class="head1">GNU Free Documentation License</h2>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.1"/>
-
-<h3 class="head2">Version 1.2, November 2002</h3>
-
-<p>Copyright &copy; 2000, 2001, 2002 Free Software Foundation, Inc.</p>
-
-<p>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA</p>
-
-<p>Everyone is permitted to copy and distribute verbatim copies of this
-license document, but changing it is not allowed.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.2"/>
-
-<h3 class="head2">0. PREAMBLE</h3>
-
-<p>The purpose of this License is to make a manual, textbook, or other
-functional and useful document
-&quot;free&quot; in the sense of freedom: to
-assure everyone the effective freedom to copy and redistribute it,
-with or without modifying it, either commercially or noncommercially.
-Secondarily, this License preserves for the author and publisher a
-way to get credit for their work, while not being considered
-responsible for modifications made by others.</p>
-
-<p>This License is a kind of
-&quot;copyleft&quot;, which means that
-derivative works of the document must themselves be free in the same
-sense. It complements the GNU General Public License, which is a
-copyleft license designed for free software.</p>
-
-<p>We have designed this License in order to use it for manuals for free
-software, because free software needs free documentation: a free
-program should come with manuals providing the same freedoms that the
-software does. But this License is not limited to software manuals;
-it can be used for any textual work, regardless of subject matter or
-whether it is published as a printed book. We recommend this License
-principally for works whose purpose is instruction or reference.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.3"/>
-
-<h3 class="head2">1. APPLICABILITY AND DEFINITIONS</h3>
-
-<p>This License applies to any manual or other work, in any medium, that
-contains a notice placed by the copyright holder saying it can be
-distributed under the terms of this License. Such a notice grants a
-world-wide, royalty-free license, unlimited in duration, to use that
-work under the conditions stated herein. The
-&quot;Document&quot;, below, refers to any
-such manual or work. Any member of the public is a licensee, and is
-addressed as &quot;you&quot;. You accept the
-license if you copy, modify or distribute the work in a way requiring
-permission under copyright law.</p>
-
-<p>A &quot;Modified Version&quot; of the
-Document means any work containing the Document or a portion of it,
-either copied verbatim, or with modifications and/or translated into
-another language.</p>
-
-<p>A &quot;Secondary Section&quot; is a named
-appendix or a front-matter section of the Document that deals
-exclusively with the relationship of the publishers or authors of the
-Document to the Document's overall subject (or to
-related matters) and contains nothing that could fall directly within
-that overall subject. (Thus, if the Document is in part a textbook of
-mathematics, a Secondary Section may not explain any mathematics.)
-The relationship could be a matter of historical connection with the
-subject or with related matters, or of legal, commercial,
-philosophical, ethical or political position regarding them.</p>
-
-<p>The &quot;Invariant Sections&quot; are
-certain Secondary Sections whose titles are designated, as being
-those of Invariant Sections, in the notice that says that the
-Document is released under this License. If a section does not fit
-the above definition of Secondary then it is not allowed to be
-designated as Invariant. The Document may contain zero Invariant
-Sections. If the Document does not identify any Invariant Sections
-then there are none.</p>
-
-<p>The &quot;Cover Texts&quot; are certain short
-passages of text that are listed, as Front-Cover Texts or Back-Cover
-Texts, in the notice that says that the Document is released under
-this License. A Front-Cover Text may be at most 5 words, and a
-Back-Cover Text may be at most 25 words.</p>
-
-<p>A &quot;Transparent&quot; copy of the
-Document means a machine-readable copy, represented in a format whose
-specification is available to the general public, that is suitable
-for revising the document straightforwardly with generic text editors
-or (for images composed of pixels) generic paint programs or (for
-drawings) some widely available drawing editor, and that is suitable
-for input to text formatters or for automatic translation to a
-variety of formats suitable for input to text formatters. A copy made
-in an otherwise Transparent file format whose markup, or absence of
-markup, has been arranged to thwart or discourage subsequent
-modification by readers is not Transparent. An image format is not
-Transparent if used for any substantial amount of text. A copy that
-is not &quot;Transparent&quot; is called
-&quot;Opaque&quot;.</p>
-
-<p>Examples of suitable formats for Transparent copies include plain
-ASCII without markup, T<sup class="superscript">E</sup>Xinfo input
-format, L<sup class="superscript">A</sup>T<sup class="superscript">E</sup>X
-input format, SGML or XML using a publicly available DTD, and
-standard-conforming simple HTML, PostScript or PDF designed for human
-modification. Examples of transparent image formats include PNG, XCF
-and JPG. Opaque formats include proprietary formats that can be read
-and edited only by proprietary word processors, SGML or XML for which
-the DTD and/or processing tools are not generally available, and the
-machine-generated HTML, PostScript or PDF produced by some word
-processors for output purposes only.</p>
-
-<p>The &quot;Title Page&quot; means, for a
-printed book, the title page itself, plus such following pages as are
-needed to hold, legibly, the material this License requires to appear
-in the title page. For works in formats which do not have any title
-page as such, &quot;Title Page&quot; means
-the text near the most prominent appearance of the
-work's title, preceding the beginning of the body of
-the text.</p>
-
-<p>A section &quot;Entitled XYZ&quot; means a
-named subunit of the Document whose title either is precisely XYZ or
-contains XYZ in parentheses following text that translates XYZ in
-another language. (Here XYZ stands for a specific section name
-mentioned below, such as
-&quot;Acknowledgments&quot;,
-&quot;Dedications&quot;,
-&quot;Endorsements&quot;, or
-&quot;History&quot;.) To
-&quot;Preserve the Title&quot; of such a
-section when you modify the Document means that it remains a section
-&quot;Entitled XYZ&quot; according to this
-definition.</p>
-
-<p>The Document may include Warranty Disclaimers next to the notice
-which states that this License applies to the Document. These
-Warranty Disclaimers are considered to be included by reference in
-this License, but only as regards disclaiming warranties: any other
-implication that these Warranty Disclaimers may have is void and has
-no effect on the meaning of this License.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.4"/>
-
-<h3 class="head2">2. VERBATIM COPYING</h3>
-
-<p>You may copy and distribute the Document in any medium, either
-commercially or noncommercially, provided that this License, the
-copyright notices, and the license notice saying this License applies
-to the Document are reproduced in all copies, and that you add no
-other conditions whatsoever to those of this License. You may not use
-technical measures to obstruct or control the reading or further
-copying of the copies you make or distribute. However, you may accept
-compensation in exchange for copies. If you distribute a large enough
-number of copies you must also follow the conditions in section 3.</p>
-
-<p>You may also lend copies, under the same conditions stated above, and
-you may publicly display copies.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.5"/>
-
-<h3 class="head2">3. COPYING IN QUANTITY</h3>
-
-<p>If you publish printed copies (or copies in media that commonly have
-printed covers) of the Document, numbering more than 100, and the
-Document's license notice requires Cover Texts, you
-must enclose the copies in covers that carry, clearly and legibly,
-all these Cover Texts: Front-Cover Texts on the front cover, and
-Back-Cover Texts on the back cover. Both covers must also clearly and
-legibly identify you as the publisher of these copies. The front
-cover must present the full title with all words of the title equally
-prominent and visible. You may add other material on the covers in
-addition. Copying with changes limited to the covers, as long as they
-preserve the title of the Document and satisfy these conditions, can
-be treated as verbatim copying in other respects.</p>
-
-<p>If the required texts for either cover are too voluminous to fit
-legibly, you should put the first ones listed (as many as fit
-reasonably) on the actual cover, and continue the rest onto adjacent
-pages.</p>
-
-<p>If you publish or distribute Opaque copies of the Document numbering
-more than 100, you must either include a machine-readable Transparent
-copy along with each Opaque copy, or state in or with each Opaque
-copy a computer-network location from which the general network-using
-public has access to download using public-standard network protocols
-a complete Transparent copy of the Document, free of added material.
-If you use the latter option, you must take reasonably prudent steps,
-when you begin distribution of Opaque copies in quantity, to ensure
-that this Transparent copy will remain thus accessible at the stated
-location until at least one year after the last time you distribute
-an Opaque copy (directly or through your agents or retailers) of that
-edition to the public.</p>
-
-<p>It is requested, but not required, that you contact the authors of
-the Document well before redistributing any large number of copies,
-to give them a chance to provide you with an updated version of the
-Document.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.6"/>
-
-<h3 class="head2">4. MODIFICATIONS</h3>
-
-<p>You may copy and distribute a Modified Version of the Document under
-the conditions of sections 2 and 3 above, provided that you release
-the Modified Version under precisely this License, with the Modified
-Version filling the role of the Document, thus licensing distribution
-and modification of the Modified Version to whoever possesses a copy
-of it. In addition, you must do these things in the Modified Version:</p>
-
-<ol><li>
-<p>Use in the Title Page (and on the covers, if any) a title distinct
-from that of the Document, and from those of previous versions (which
-should, if there were any, be listed in the History section of the
-Document). You may use the same title as a previous version if the
-original publisher of that version gives permission.</p>
-</li><li>
-<p>List on the Title Page, as authors, one or more persons or entities
-responsible for authorship of the modifications in the Modified
-Version, together with at least five of the principal authors of the
-Document (all of its principal authors, if it has fewer than five),
-unless they release you from this requirement.</p>
-</li><li>
-<p>State on the Title page the name of the publisher of the Modified
-Version, as the publisher.</p>
-</li><li>
-<p>Preserve all the copyright notices of the Document.</p>
-</li><li>
-<p>Add an appropriate copyright notice for your modifications adjacent
-to the other copyright notices.</p>
-</li><li>
-<p>Include, immediately after the copyright notices, a license notice
-giving the public permission to use the Modified Version under the
-terms of this License, in the form shown in the Addendum below.</p>
-</li><li>
-<p>Preserve in that license notice the full lists of Invariant Sections
-and required Cover Texts given in the Document's
-license notice.</p>
-</li><li>
-<p>Include an unaltered copy of this License.</p>
-</li><li>
-<p>Preserve the section Entitled
-&quot;History&quot;, Preserve its Title, and
-add to it an item stating at least the title, year, new authors, and
-publisher of the Modified Version as given on the Title Page. If
-there is no section Entitled
-&quot;History&quot; in the Document, create
-one stating the title, year, authors, and publisher of the Document
-as given on its Title Page, then add an item describing the Modified
-Version as stated in the previous sentence.</p>
-</li><li>
-<p>Preserve the network location, if any, given in the Document for
-public access to a Transparent copy of the Document, and likewise the
-network locations given in the Document for previous versions it was
-based on. These may be placed in the
-&quot;History&quot; section. You may omit a
-network location for a work that was published at least four years
-before the Document itself, or if the original publisher of the
-version it refers to gives permission.</p>
-</li><li>
-<p>For any section Entitled
-&quot;Acknowledgments&quot; or
-&quot;Dedications&quot;, Preserve the Title
-of the section, and preserve in the section all the substance and
-tone of each of the contributor acknowledgments and/or dedications
-given therein.</p>
-</li><li>
-<p>Preserve all the Invariant Sections of the Document, unaltered in
-their text and in their titles. Section numbers or the equivalent are
-not considered part of the section titles.</p>
-</li><li>
-<p>Delete any section Entitled
-&quot;Endorsements&quot;. Such a section may
-not be included in the Modified Version.</p>
-</li><li>
-<p>Do not retitle any existing section to be Entitled
-&quot;Endorsements&quot; or to conflict in
-title with any Invariant Section.</p>
-</li><li>
-<p>Preserve any Warranty Disclaimers.</p>
-
-<p>If the Modified Version includes new front-matter sections or
-appendices that qualify as Secondary Sections and contain no material
-copied from the Document, you may at your option designate some or
-all of these sections as invariant. To do this, add their titles to
-the list of Invariant Sections in the Modified
-Version's license notice. These titles must be
-distinct from any other section titles.</p>
-
-<p>You may add a section Entitled
-&quot;Endorsements&quot;, provided it
-contains nothing but endorsements of your Modified Version by various
-parties&mdash;for example, statements of peer review or that the text
-has been approved by an organization as the authoritative definition
-of a standard.</p>
-
-<p>You may add a passage of up to five words as a Front-Cover Text, and
-a passage of up to 25 words as a Back-Cover Text, to the end of the
-list of Cover Texts in the Modified Version. Only one passage of
-Front-Cover Text and one of Back-Cover Text may be added by (or
-through arrangements made by) any one entity. If the Document already
-includes a cover text for the same cover, previously added by you or
-by arrangement made by the same entity you are acting on behalf of,
-you may not add another; but you may replace the old one, on explicit
-permission from the previous publisher that added the old one.</p>
-
-<p>The author(s) and publisher(s) of the Document do not by this License
-give permission to use their names for publicity for or to assert or
-imply endorsement of any Modified Version.</p>
-</li></ol>
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.7"/>
-
-<h3 class="head2">5. COMBINING DOCUMENTS</h3>
-
-<p>You may combine the Document with other documents released under this
-License, under the terms defined in section 4 above for modified
-versions, provided that you include in the combination all of the
-Invariant Sections of all of the original documents, unmodified, and
-list them all as Invariant Sections of your combined work in its
-license notice, and that you preserve all their Warranty Disclaimers.</p>
-
-<p>The combined work need only contain one copy of this License, and
-multiple identical Invariant Sections may be replaced with a single
-copy. If there are multiple Invariant Sections with the same name but
-different contents, make the title of each such section unique by
-adding at the end of it, in parentheses, the name of the original
-author or publisher of that section if known, or else a unique
-number. Make the same adjustment to the section titles in the list of
-Invariant Sections in the license notice of the combined work.</p>
-
-<p>In the combination, you must combine any sections Entitled
-&quot;History&quot; in the various original
-documents, forming one section Entitled
-&quot;History&quot;; likewise combine any
-sections Entitled
-&quot;Acknowledgements&quot;, and any
-sections Entitled &quot;Dedications&quot;.
-You must delete all sections Entitled
-&quot;Endorsements&quot;.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.8"/>
-
-<h3 class="head2">6. COLLECTIONS OF DOCUMENTS</h3>
-
-<p>You may make a collection consisting of the Document and other
-documents released under this License, and replace the individual
-copies of this License in the various documents with a single copy
-that is included in the collection, provided that you follow the
-rules of this License for verbatim copying of each of the documents
-in all other respects.</p>
-
-<p>You may extract a single document from such a collection, and
-distribute it individually under this License, provided you insert a
-copy of this License into the extracted document, and follow this
-License in all other respects regarding verbatim copying of that
-document.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.9"/>
-
-<h3 class="head2">7. AGGREGATION WITH INDEPENDENT WORKS</h3>
-
-<p>A compilation of the Document or its derivatives with other separate
-and independent documents or works, in or on a volume of a storage or
-distribution medium, is called an
-&quot;aggregate&quot; if the copyright
-resulting from the compilation is not used to limit the legal rights
-of the compilation's users beyond what the
-individual works permit. When the Document is included as an
-aggregate, this License does not apply to the other works in the
-aggregate which are not themselves derivative works of the Document.</p>
-
-<p>If the Cover Text requirement of section 3 is applicable to these
-copies of the Document, then if the Document is less than one half of
-the entire aggregate, the Document's Cover Texts may
-be placed on covers that bracket the Document within the aggregate,
-or the electronic equivalent of covers if the Document is in
-electronic form. Otherwise they must appear on printed covers that
-bracket the whole aggregate.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.10"/>
-
-<h3 class="head2">8. TRANSLATION</h3>
-
-<p>Translation is considered a kind of modification, so you may
-distribute translations of the Document under the terms of section 4.
-Replacing Invariant Sections with translations requires special
-permission from their copyright holders, but you may include
-translations of some or all Invariant Sections in addition to the
-original versions of these Invariant Sections. You may include a
-translation of this License, and all the license notices in the
-Document, and any Warranty Disclaimers, provided that you also
-include the original English version of this License and the original
-versions of those notices and disclaimers. In case of a disagreement
-between the translation and the original version of this License or a
-notice or disclaimer, the original version will prevail.</p>
-
-<p>If a section in the Document is Entitled
-&quot;Acknowledgements&quot;,
-&quot;Dedications&quot;, or
-&quot;History&quot;, the requirement (section
-4) to Preserve its Title (section 1) will typically require changing
-the actual title.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.11"/>
-
-<h3 class="head2">9. TERMINATION</h3>
-
-<p>You may not copy, modify, sublicense, or distribute the Document
-except as expressly provided for under this License. Any other
-attempt to copy, modify, sublicense or distribute the Document is
-void, and will automatically terminate your rights under this
-License. However, parties who have received copies, or rights, from
-you under this License will not have their licenses terminated so
-long as such parties remain in full compliance.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-APP-G-SECT-1.12"/>
-
-<h3 class="head2">10. FUTURE REVISIONS OF THIS LICENSE</h3>
-
-<p>The Free Software Foundation may publish new, revised versions of the
-GNU Free Documentation License from time to time. Such new versions
-will be similar in spirit to the present version, but may differ in
-detail to address new problems or concerns. See <a href="http://www.gnu.org/copyleft/">http://www.gnu.org/copyleft/</a>.</p>
-
-<p>Each version of the License is given a distinguishing version number.
-If the Document specifies that a particular numbered version of this
-License &quot;or any later version&quot;
-applies to it, you have the option of following the terms and
-conditions either of that specified version or of any later version
-that has been published (not as a draft) by the Free Software
-Foundation. If the Document does not specify a version number of this
-License, you may choose any version ever published (not as a draft)
-by the Free Software Foundation. <a name="INDEX-2"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-</body></html>
diff --git a/docs/htmldocs/using_samba/ch00.html b/docs/htmldocs/using_samba/ch00.html
deleted file mode 100644
index 5a2c89feb8..0000000000
--- a/docs/htmldocs/using_samba/ch00.html
+++ /dev/null
@@ -1,368 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Preface</h1>
-
-
-<p>You are reading a book about Samba, a software suite that networks
-Windows, Unix, and other operating systems using
-Windows' native networking protocol. Samba allows
-Unix servers to offer Windows networking services by matching the
-filesystem and networking models of Unix to those of Windows. Samba
-acts as a bridge between the two systems, connecting the
-corresponding parts of their architectures and providing a
-translation wherever necessary.</p>
-
-<p>Bridging the gap between systems as dissimilar as Windows and Unix is
-a complex task, which Samba handles surprisingly well. To be a good
-Samba administrator, your abilities must parallel
-Samba's. For starters, you need to know basic Unix
-system and network administration and have a good understanding of
-Windows filesystems and networking fundamentals. In addition, you
-need to learn how Samba fills in the &quot;gray
-area&quot; between Unix and Windows. Once you know how
-everything fits together, you'll find it easy to
-configure a Samba server to provide your network with reliable and
-high-performance computational resources.</p>
-
-<p>Our job is to make all of that easier for you. We do this by starting
-out with a quick and yet comprehensive tour of Windows networking in
-<a href="ch01.html">Chapter 1</a>, followed by tutorially-oriented
-<a href="ch02.html">Chapter 2</a> and <a href="ch03.html">Chapter 3</a>, which tell you how to set up a minimal Samba server
-and configure Windows clients to work with it. Most likely, you will
-be surprised how quickly you can complete the required tasks.</p>
-
-<p>We believe that a hands-on approach is the most effective, and you
-can use the Samba server you build in <a href="ch02.html">Chapter 2</a> and <a href="ch03.html">Chapter 3</a> as a test
-system for trying out examples that we show and describe throughout
-the book. You can jump around from chapter to chapter if you like,
-but if you continue sequentially from <a href="ch04.html">Chapter 4</a>
-onward, by the time you finish the book you will have a
-well-configured production Samba server ready for use. All you have
-to do is add the appropriate support for your intended purpose as we
-explain how to use each feature.</p>
-
-
-
-<div class="sect1"><a name="samba2-PREFACE-2-SECT-1"/>
-
-<h2 class="head1">Audience for This Book</h2>
-
-<p>This book is primarily intended for Unix administrators who need to
-support Windows clients on their network, as well as anyone who needs
-to access the resources of a Windows network environment from a Unix
-client. While we assume you are familiar with basic Unix system
-administration, we do <em class="emphasis">not</em> assume you are a
-networking expert. We do our best along the way to help out with
-unusual definitions and terms.</p>
-
-<p>Furthermore, we don't assume that you are an expert
-in Microsoft Windows. We carefully explain all the essential concepts
-related to Windows networking, and we go through the Windows side of
-the installation task in considerable detail, providing examples for
-both Windows 95/98/Me and Windows NT/2000/XP, which are significantly
-different. For the Unix side, we give examples that work with common
-Unix operating systems, such as Linux, Solaris, FreeBSD, and Mac OS
-X.</p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-PREFACE-2-SECT-2"/>
-
-<h2 class="head1">Organization</h2>
-
-<p>Here is a quick description of each chapter:</p>
-
-<p><a href="ch01.html">Chapter 1</a> introduces Samba and its capabilities,
-then describes the most important concepts of NetBIOS and SMB/CIFS
-networking. Finally, we give you a quick overview of the daemons and
-utilities that are included in the Samba distribution.</p>
-
-<p><a href="ch02.html">Chapter 2</a> covers configuring, compiling,
-installing, setting up, and testing the Samba server on a Unix
-platform.</p>
-
-<p><a href="ch03.html">Chapter 3</a> explains how to configure Microsoft
-Windows 95/98/Me and Windows NT/2000/XP clients to participate in an
-SMB network.</p>
-
-<p><a href="ch04.html">Chapter 4</a> explains the ins and outs of Windows NT
-domains and how to configure Samba to work in a network set up as a
-Windows NT domain.</p>
-
-<p><a href="ch05.html">Chapter 5</a> describes methods for accessing SMB
-shares on the network from Unix client systems.</p>
-
-<p><a href="ch06.html">Chapter 6</a>
-gets you up to speed on the structure of the Samba
-configuration file and shows you how to take control of file-sharing
-services.</p>
-
-<p><a href="ch07.html">Chapter 7</a> introduces name resolution, which is
-used to convert NetBIOS computer names into IP addresses, and
-browsing, the method used in SMB networking to find what resources
-are being shared on the network.</p>
-
-<p><a href="ch08.html">Chapter 8</a> continues the discussion of file-sharing options, and
-covers more advanced functions such as permissions, access control
-lists, opportunistic locks, and setting up a Distributed filesystem
-tree.</p>
-
-<p><a href="ch09.html">Chapter 9</a> discusses how
-to set up Samba users, introduces you to Samba security, and shows
-you how to work with encrypted and nonencrypted passwords.</p>
-
-<p><a href="ch10.html">Chapter 10</a>
-discusses printer setup for sharing Unix printers on the
-SMB network, and allowing Unix workstations to access SMB shared
-printers.</p>
-
-<p><a href="ch11.html">Chapter 11</a>
-bundles several miscellaneous topics associated with
-Samba, such as configuring Samba shares for programmers and
-internationalization issues.</p>
-
-<p><a href="ch12.html">Chapter 12</a> details what to do if
-you have problems installing Samba. This comparatively
-large chapter is packed with troubleshooting hints and strategies for
-identifying what is going wrong.</p>
-
-<p><a href="appa.html">Appendix A</a> provides working examples of
-<em class="filename">smb.conf</em> files for use in configuring Samba for
-its more common applications. You can easily modify the examples for
-use in a wide variety of circumstances.</p>
-
-<p><a href="appb.html">Appendix B</a> covers each option that can be used in
-the Samba configuration file.</p>
-
-<p><a href="appc.html">Appendix C</a> is a quick reference that covers each
-server daemon and tool that make up the Samba suite.</p>
-
-<p><a href="appd.html">Appendix D</a> explains how to download the latest
-development version of the Samba source code using CVS.</p>
-
-<p><a href="appe.html">Appendix E</a> documents each option that can be used
-with the <em class="emphasis">configure</em> command before compiling the
-Samba source code.</p>
-
-<p><a href="appf.html">Appendix F</a> includes directions for sharing files
-and printers with the Server edition of Mac OS X.</p>
-
-<p><a href="appg.html">Appendix G</a> is the copyright license under which
-this book is published.</p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-PREFACE-2-SECT-3"/>
-
-<h2 class="head1">Conventions Used in This Book</h2>
-
-<p>The following font conventions are followed throughout this book:</p>
-
-<dl>
-<dt><b>Italic </b></dt>
-<dd>
-<p>Filenames, file extensions, URLs, executable files, command options,
-and emphasis.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">Constant</tt> <tt class="literal">width</tt> </b></dt>
-<dd>
-<p>Samba configuration options, computer names, user and group names,
-hostnames, domain names, other code that appears in the text, and
-command-line information that should be typed verbatim on the screen.</p>
-</dd>
-
-
-
-<dt><b><tt class="userinput"><b>Constant width bold</b></tt> </b></dt>
-<dd>
-<p>Commands that are entered by the user and new configuration options
-that we wish to bring to the attention of the reader.</p>
-</dd>
-
-
-
-<dt><b><em class="replaceable">Constant width italic</em></b></dt>
-<dd>
-<p>Replaceable content in code and command-line information.</p>
-</dd>
-
-</dl>
-
-<a name="samba2-PREFACE-2-NOTE-82"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>This designates a note, which is an important aside to the nearby
-text.</p>
-</blockquote>
-<a name="samba2-PREFACE-2-NOTE-83"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>This designates a warning related to the nearby text.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-PREFACE-2-SECT-4"/>
-
-<h2 class="head1">How to Contact Us</h2>
-
-<p>We have tested and verified the information in this book to the best
-of our ability, but you might find that features have changed (or
-even that we have made mistakes!). Please let us know about any
-errors you find, as well as your suggestions for future editions, by
-writing to:</p>
-
-<blockquote class="simplelist">
-
-<p>O'Reilly &amp; Associates, Inc.</p>
-
-<p>1005 Gravenstein Highway North</p>
-
-<p>Sebastopol, CA 95472</p>
-
-<p>(800) 998-9938 (in the United States or Canada)</p>
-
-<p>(707) 829-0515 (international/local)</p>
-
-<p>(707) 829-0104 (fax)</p>
-
-</blockquote>
-
-<p>To ask technical questions or comment on the book, send email to:</p>
-
-<blockquote class="simplelist">
-
-<p><em class="email">bookquestions@oreilly.com</em></p>
-
-</blockquote>
-
-<p>We have a web page for this book where we list examples and any plans
-for future editions. You can access this information at:</p>
-
-<blockquote class="simplelist">
-
-<p><a href="http://www.oreilly.com/catalog/samba2">http://www.oreilly.com/catalog/samba2</a></p>
-
-</blockquote>
-
-<p>You can also contact Jay Ts, the lead author of this edition, through
-his web site at:</p>
-
-<blockquote class="simplelist">
-
-<p><a href="http://www.jayts.com">http://www.jayts.com</a></p>
-
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-PREFACE-2-SECT-5"/>
-
-<h2 class="head1">Acknowledgments</h2>
-
-<p>We thank Leon Towns-von Stauber for thoroughly researching the use of
-Samba on Mac OS X and writing material that appears in <a href="ch02.html">Chapter 2</a>, <a href="ch05.html">Chapter 5</a>, and <a href="ch10.html">Chapter 10</a>, as well as the entire <a href="appf.html">Appendix F</a>. We also thank our technical reviewers Sam
-Johnston, Matthew Temple, Marty Leisner, and Don McCall.</p>
-
-
-<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.1"/>
-
-<h3 class="head2">Jay Ts</h3>
-
-<p>This book would have been extremely difficult to write if it
-hadn't been for the copy of VMware Workstation
-graciously provided by VMware, Inc. I want to thank Rik Farrow for
-his clarifying comments on security topics related to Samba and
-Windows, and both him and Rose Moon for their supportive friendship.
-Thanks also go to Mark Watson for his encouragement and advice on the
-topic of authoring technical books. Additionally,
-I'd like to express my appreciation to Andy Oram at
-O'Reilly for being a supportive, friendly, and
-easygoing editor, and for offering me terms that I could say yes
-to&mdash;something that a few other publishers
-didn't even approach. SuSE, Inc. generously provided
-a copy of SuSE Linux 8.1 Professional.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.2"/>
-
-<h3 class="head2">Robert Eckstein</h3>
-
-<p>I'd first like to recognize Dave Collier-Brown and
-Peter Kelly for all their help in the creation of this book.
-I'd also like to thank each technical reviewer who
-helped polish this book into shape on such short notice: Matthew
-Temple, Jeremy Allison, and of course Andrew Tridgell. Andrew and
-Jeremy deserve special recognition, not only for creating such a
-wonderful product, but also for providing a tireless amount of
-support in the final phase of this book&mdash;hats off to you, guys!
-A warm hug goes out to my wife Michelle, who once again put up with a
-husband loaded down with too much caffeine and a tight schedule.
-Thanks to Dave Sifry and the people at LinuxCare, San Francisco, for
-hosting me on such short notice for Andrew
-Tridgell's visit. And finally, a huge amount of
-thanks to our editor, Andy Oram, who (very) patiently helped guide
-this book through its many stages until we got it right.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.3"/>
-
-<h3 class="head2">David Collier-Brown</h3>
-
-<p>I'd particularly like to thank Joyce, who put up
-with me during the sometimes exciting development of the book. My
-thanks to Andy Oram, who was kind enough to provide the criticism
-that allowed me to contribute; the crew at ACE (Opcom) who humored
-the obvious madman in their midst; and Ian MacMillan, who voluntarily
-translated several of my early drafts from nerd to English. I would
-also like to give special thanks to Perry Donham, Drew Sullivan, and
-Jerry DeRoo for starting and sustaining this mad project. Finally,
-I'd like to thank Bob Eckstein for a final,
-sustained, and professional effort that lifted the whole book up to
-the level that Andy needed.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.4"/>
-
-<h3 class="head2">All</h3>
-
-<p>We would especially like to give thanks to Perry Donham and Peter
-Kelly for helping mold the first draft of this book. Although Perry
-was unable to contribute to subsequent drafts, his material was
-essential to getting this book off on the right foot. In addition,
-some of the browsing material came from text originally written by
-Dan Shearer for O'Reilly.</p>
-
-
-</div>
-
-
-</div>
-
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-</body></html>
diff --git a/docs/htmldocs/using_samba/ch01.html b/docs/htmldocs/using_samba/ch01.html
deleted file mode 100644
index 98a687f08e..0000000000
--- a/docs/htmldocs/using_samba/ch01.html
+++ /dev/null
@@ -1,3193 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 1. Learning the Samba</h1>
-
-
-<p><a name="INDEX-1"/>Samba
-is an extremely useful networking tool for anyone who has both
-Windows and Unix systems on his network. Running on a Unix system, it
-allows Windows to share files and printers on the Unix host, and it
-also allows Unix users to access resources shared by Windows systems.</p>
-
-<p>Although it might seem natural to use a Windows server to serve files
-and printers to a network containing Windows clients, there are good
-reasons for preferring a Samba server for this duty. Samba is
-reliable software that runs on reliable Unix operating systems,
-resulting in fewer problems and a low cost of maintenance. Samba also
-offers better performance under heavy loads, outperforming Windows
-2000 Server by a factor of 2 to 1 on identical PC hardware, according
-to published third-party benchmarks. When common, inexpensive PC
-hardware fails to meet the demands of a huge client load, the Samba
-server can easily be moved to a proprietary &quot;big
-iron&quot; Unix mainframe, which can outperform Windows
-running on a PC many times. If all that weren't
-enough, Samba has a very nice cost advantage: it's
-free. Not only is the software itself freely available, but also no
-client licenses are required, and it runs on high-quality, free
-operating systems such as Linux and FreeBSD.</p>
-
-<p>After reading the previous paragraph, you might come to the
-conclusion that Samba is commonly used by large organizations with
-thousands of users on their networks&mdash;and you'd
-be right! But Samba's user base includes
-organizations all over the planet, of all types and sizes: from
-international corporations, to medium and small businesses, to
-individuals who run Samba on their Linux laptops. In the last case, a
-tool such as VMware is used to run Windows on the same computer, with
-Samba enabling the two operating systems to share files.</p>
-
-<p>The types of users vary even more&mdash;Samba is used by
-corporations, banks and other financial institutions, government and
-military organizations, schools, public libraries, art galleries,
-families, and even authors! This book was developed on a Linux system
-running VMware and Windows 2000, with Adobe FrameMaker running on
-Windows and the document files served by Samba from the Linux
-filesystem.</p>
-
-<p>Does all this whet your technological appetite? If so, we encourage
-you to keep reading, learn about Samba, and follow our examples to
-set up a Samba server of your own. In this and upcoming chapters, we
-will tell you exactly how to get started.</p>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-1"/>
-
-<h2 class="head1">What Is Samba?</h2>
-
-<p><a name="INDEX-2"/>Samba
-is a suite of Unix applications that speak the
-<a name="INDEX-3"/><a name="INDEX-4"/>Server
-Message Block (SMB) protocol. Microsoft Windows operating systems and
-the OS/2 operating system use SMB to perform client-server networking
-for file and printer sharing and associated operations. By supporting
-this protocol, Samba enables computers running Unix to get in on the
-action, communicating with the same networking protocol as Microsoft
-Windows and appearing as another Windows system on the network from
-the perspective of a Windows client. A <a name="INDEX-5"/>Samba
-server offers the following services:</p>
-
-<ul><li>
-<p>Share one or more directory trees</p>
-</li><li>
-<p>Share one or more Distributed filesystem (Dfs) trees</p>
-</li><li>
-<p>Share printers installed on the server among Windows clients on the
-network</p>
-</li><li>
-<p>Assist clients with network browsing</p>
-</li><li>
-<p>Authenticate clients logging onto a Windows domain</p>
-</li><li>
-<p>Provide or assist with Windows Internet Name Service (WINS)
-name-server resolution</p>
-</li></ul>
-<p>The Samba suite also includes client tools that allow users on a Unix
-system to access folders and printers that Windows systems and Samba
-servers offer on the network.</p>
-
-<p>Samba is the brainchild of Andrew <a name="INDEX-6"/>Tridgell, who currently heads the Samba
-development team. Andrew started the project in 1991, while working
-with a Digital Equipment Corporation (DEC) software suite called
-Pathworks, created for connecting DEC VAX computers to computers made
-by other companies. Without knowing the significance of what he was
-doing, Andrew created a file-server program for an odd protocol that
-was part of Pathworks. That protocol later turned out to be SMB. A
-few years later, he expanded upon his custom-made SMB server and
-began distributing it as a product on the Internet under the name
-&quot;SMB Server.&quot; However, Andrew
-couldn't keep that name&mdash;it already belonged to
-another company's product&mdash;so he tried the
-following Unix renaming approach:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>grep -i '^s.*m.*b' /usr/dict/words</b></tt></pre></blockquote>
-
-<p>And the response was:</p>
-
-<blockquote><pre class="code">salmonberry
-samba
-sawtimber
-scramble</pre></blockquote>
-
-<p>Thus, the name &quot;Samba&quot; was born.</p>
-
-<p>Today, the Samba suite revolves around a pair of Unix daemons that
-provide shared resources&mdash;called <em class="firstterm">shares
-</em>or s<em class="firstterm">ervices</em>&mdash;to SMB clients
-on the network. These are:</p>
-
-<dl>
-<dt><b><a name="INDEX-7"/>smbd</b></dt>
-<dd>
-<p>A daemon that handles file and printer sharing and provides
-authentication and authorization for SMB clients.</p>
-</dd>
-
-
-
-<dt><b><a name="INDEX-8"/>nmbd</b></dt>
-<dd>
-<p>A daemon that supports NetBIOS Name Service and WINS, which is
-Microsoft's implementation of a NetBIOS Name Server
-(NBNS). It also assists with network browsing.</p>
-</dd>
-
-</dl>
-
-<p>Samba is currently maintained and extended by a group of volunteers
-under the active supervision of Andrew Tridgell. Like the Linux
-operating system, Samba is distributed as open source software
-(<a href="http://opensource.org">http://opensource.org</a>) by its
-authors and is distributed under the GNU General Public License
-(GPL). Since its inception, development of Samba has been sponsored
-in part by the Australian National University, where Andrew Tridgell
-earned his Ph.D. Since then, many other organizations have sponsored
-Samba developers, including LinuxCare, VA Linux Systems,
-Hewlett-Packard, and IBM. It is a true testament to Samba that both
-commercial and noncommercial entities are prepared to spend money to
-support an open source effort.</p>
-
-<p>Microsoft has also contributed by offering its definition of the SMB
-protocol to the Internet Engineering Task Force (IETF) in 1996 as the
-<a name="INDEX-9"/><a name="INDEX-10"/>Common
-Internet File System (CIFS). Although we prefer to use the term
-&quot;SMB&quot; in this book, you will also
-often find the protocol being referred to as
-&quot;CIFS.&quot; This is especially true on
-Microsoft's web site.</p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-2"/>
-
-<h2 class="head1">What Can Samba Do for Me?</h2>
-
-<p><a name="INDEX-11"/>As explained earlier, Samba can help
-Windows and Unix computers coexist in the same network. However,
-there are some specific reasons why you might want to set up a Samba
-server on your network:</p>
-
-<ul><li>
-<p>You don't want to pay for&mdash;or
-can't afford&mdash;a full-fledged Windows server,
-yet you still need the functionality that one provides.</p>
-</li><li>
-<p>The Client Access Licenses (CALs) that Microsoft requires for each
-Windows client to access a Windows server are unaffordable.</p>
-</li><li>
-<p>You want to provide a common area for data or user directories to
-transition from a Windows server to a Unix one, or vice versa.</p>
-</li><li>
-<p>You want to share printers among Windows and Unix workstations.</p>
-</li><li>
-<p>You are supporting a group of computer users who have a mixture of
-Windows and Unix computers.</p>
-</li><li>
-<p>You want to integrate Unix and Windows authentication, maintaining a
-single database of user accounts that works with both systems.</p>
-</li><li>
-<p>You want to network Unix, Windows, Macintosh (OS X), and other
-systems using a single protocol.</p>
-</li></ul>
-<p>Let's take a quick tour of
-<a name="INDEX-12"/>Samba in action. Assume that we have
-the following basic network configuration: a Samba-enabled Unix
-system, to which we will assign the name <tt class="literal">toltec</tt>,
-and a pair of Windows clients, to which we will assign the names
-<tt class="literal">maya</tt> and <tt class="literal">aztec</tt>, all connected
-via a local area network (LAN). Let's also assume
-that <tt class="literal">toltec</tt> also has a local inkjet printer
-connected to it, <tt class="literal">lp</tt>, and a disk share named
-<tt class="literal">spirit</tt>&mdash;both of which it can offer to the
-other two computers. A graphic of this network is shown in <a href="ch01.html#samba2-CHP-1-FIG-1">Figure 1-1</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-1"/><img src="figs/sam2_0101.gif"/></div><h4 class="head4">Figure 1-1. A simple network set up with a Samba server</h4>
-
-<p>In this network, each computer listed shares the same
-<em class="firstterm">workgroup</em>. A workgroup is a group name tag
-that identifies an arbitrary collection of computers and their
-resources on an SMB network. Several workgroups can be on the network
-at any time, but for our basic network example,
-we'll have only one: the METRAN workgroup.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-2.1"/>
-
-<h3 class="head2">Sharing a Disk Service</h3>
-
-<p><a name="INDEX-13"/><a name="INDEX-14"/><a name="INDEX-15"/>If everything is properly
-configured, we should be able to see the Samba server,
-<tt class="literal">toltec</tt>, through the Network Neighborhood of the
-<tt class="literal">maya</tt> Windows desktop. In fact, <a href="ch01.html#samba2-CHP-1-FIG-2">Figure 1-2</a> shows the Network Neighborhood of the
-<tt class="literal">maya</tt> computer, including <tt class="literal">toltec</tt>
-and each computer that resides in the METRAN workgroup. Note the
-Entire Network icon at the top of the list. As we just mentioned,
-more than one workgroup can be on an SMB network at any given time.
-If a user clicks the Entire Network icon, she will see a list of all
-the workgroups that currently exist on the network.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-2"/><img src="figs/sam2_0102.gif"/></div><h4 class="head4">Figure 1-2. The Network Neighborhood directory</h4>
-
-<p>We can take a closer look at the <tt class="literal">toltec</tt> server by
-double-clicking its icon. This contacts <tt class="literal">toltec</tt>
-itself and requests a list of its
-<em class="firstterm">shares</em>&mdash;the file and printer
-resources&mdash;that the computer provides. In this case, a printer
-named <tt class="literal">lp</tt>, a home directory named
-<tt class="literal">jay</tt>, and a disk share named
-<tt class="literal">spirit</tt> are on the server, as shown in <a href="ch01.html#samba2-CHP-1-FIG-3">Figure 1-3</a>. Note that the Windows display shows hostnames
-in mixed case (Toltec). Case is irrelevant in hostnames, so you might
-see toltec, Toltec, and TOLTEC in various displays or command output,
-but they all refer to a single system. Thanks to Samba, Windows 98
-sees the Unix server as a valid SMB server and can access the
-<tt class="literal">spirit</tt> folder as if it were just another system
-folder.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-3"/><img src="figs/sam2_0103.gif"/></div><h4 class="head4">Figure 1-3. Shares available on the Toltec server as viewed from maya</h4>
-
-<p>One popular Windows feature is the ability to map a drive letter
-(such as E:, F:, or Z:) to a shared directory on the network using
-the Map Network Drive option in Windows Explorer.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a>
-Once you do so, your applications can access the folder across the
-network using the drive letter. You can store data on it, install and
-run programs from it, and even password-protect it against unwanted
-visitors. See <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a> for an example of mapping
-a <a name="INDEX-16"/><a name="INDEX-17"/>drive letter to a network
-directory.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-4"/><img src="figs/sam2_0104.gif"/></div><h4 class="head4">Figure 1-4. Mapping a network drive to a Windows drive letter</h4>
-
-<p>Take a look at the Path: entry in the dialog box of <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a>. An equivalent way to represent a directory on
-a network computer is by using two backslashes, followed by the name
-of the networked computer, another backslash, and the networked
-directory of the computer, as shown here:</p>
-
-<blockquote><pre class="code">\\<em class="replaceable">network-computer</em>\<em class="replaceable">directory</em></pre></blockquote>
-
-<p>This is known as the <em class="firstterm"/><a name="INDEX-18"/>Universal
-Naming Convention (UNC)</em> in the Windows world. For example, the dialog
-box in <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a> represents the network directory
-on the <tt class="literal">toltec</tt> server as:</p>
-
-<blockquote><pre class="code">\\toltec\spirit</pre></blockquote>
-
-<p>If this looks somewhat familiar to you, you're
-probably thinking of <em class="firstterm">uniform resource
-locators</em><a name="INDEX-19"/><a name="INDEX-20"/> (URLs), which are addresses that web
-browsers such as Netscape Navigator and Internet Explorer use to
-resolve systems across the Internet. Be sure not to confuse the two:
-URLs such as <a href="http://www.oreilly.com">http://www.oreilly.com</a> use forward slashes
-instead of backslashes, and they precede the initial slashes with the
-data transfer protocol (i.e., ftp, http) and a colon (:). In reality,
-URLs and UNCs are two completely separate things, although sometimes
-you can specify an SMB share using a URL rather than a UNC. As a URL,
-the <em class="filename">\\toltec\spirit</em> share would be specified as
-<em class="filename">smb://toltec/spirit</em>.</p>
-
-<p>Once the network drive is set up, Windows and its programs behave as
-if the networked directory were a local disk. If you have any
-applications that support multiuser functionality on a network, you
-can install those programs on the network drive.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> <a href="ch01.html#samba2-CHP-1-FIG-5">Figure 1-5</a> shows the
-resulting network drive as it would appear with other storage devices
-in the Windows 98 client. Note the pipeline attachment in the icon
-for the J: drive; this indicates that it is a network drive rather
-than a fixed drive.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-5"/><img src="figs/sam2_0105.gif"/></div><h4 class="head4">Figure 1-5. The Network directory mapped to the client drive letter J</h4>
-
-<p>My Network Places, found in Windows Me, 2000, and XP, works
-differently from Network Neighborhood. It is necessary to click a few
-more icons, but eventually we can get to the view of the
-<tt class="literal">toltec</tt> server as shown in <a href="ch01.html#samba2-CHP-1-FIG-6">Figure 1-6</a>. This is from a Windows 2000 system. Setting
-up the network drive using the Map Network Drive option in Windows
-2000 works similarly to other Windows versions. <a name="INDEX-21"/><a name="INDEX-22"/><a name="INDEX-23"/></p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-6"/><img src="figs/sam2_0106.gif"/></div><h4 class="head4">Figure 1-6. Shares available on Toltec (viewed from dine)</h4>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-2.2"/>
-
-<h3 class="head2">Sharing a Printer</h3>
-
-<p><a name="INDEX-24"/><a name="INDEX-25"/><a name="INDEX-26"/>You probably noticed that the printer
-<tt class="literal">lp</tt> appeared under the available shares for
-<tt class="literal">toltec</tt> in <a href="ch01.html#samba2-CHP-1-FIG-3">Figure 1-3</a>. This
-indicates that the Unix server has a printer that can be shared by
-the various SMB clients in the workgroup. Data sent to the printer
-from any of the clients will be spooled on the Unix server and
-printed in the order in which it is received.</p>
-
-<p><a name="INDEX-27"/><a name="INDEX-28"/>Setting up a Samba-enabled
-printer on the Windows side is even easier than setting up a disk
-share. By double-clicking the printer and identifying the
-manufacturer and model, you can install a driver for this printer on
-the Windows client. Windows can then properly format any information
-sent to the network printer and access it as if it were a local
-printer. On Windows 98, double-clicking the Printers icon in the
-Control Panel opens the Printers window shown in <a href="ch01.html#samba2-CHP-1-FIG-7">Figure 1-7</a>. Again, note the pipeline attachment below the
-printer, which identifies it as being on a network.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-7"/><img src="figs/sam2_0107.gif"/></div><h4 class="head4">Figure 1-7. A network printer available on Toltec</h4>
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-2.2.1"/>
-
-<h3 class="head3">Seeing things from the Unix side</h3>
-
-<p><a name="INDEX-29"/><a name="INDEX-30"/>As mentioned earlier, Samba
-appears in Unix as a set of daemon programs. You can view them with
-the Unix <a name="INDEX-31"/><em class="emphasis">ps</em> command; you can
-read any messages they generate through custom debug files or the
-Unix <em class="emphasis">syslog</em> (depending on how Samba is set up);
-and you can configure them from a single Samba configuration file:
-<em class="emphasis">smb.conf</em>. In addition, if you want to get an idea of
-what the daemons are doing, Samba has a program called
-<em class="emphasis">smbstatus</em><a name="INDEX-32"/> that will lay it all on the line. Here
-is how it works:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbstatus</b></tt>
-Processing section &quot;[homes]&quot;
-Processing section &quot;[printers]&quot;
-Processing section &quot;[spirit]&quot;
-
-Samba version 2.2.6
-Service uid gid pid machine
------------------------------------------
-spirit jay jay 7735 maya (172.16.1.6) Sun Aug 12 12:17:14 2002
-spirit jay jay 7779 aztec (172.16.1.2) Sun Aug 12 12:49:11 2002
-jay jay jay 7735 maya (172.16.1.6) Sun Aug 12 12:56:19 2002
-
-Locked files:
-Pid DenyMode R/W Oplock Name
---------------------------------------------------
-7735 DENY_WRITE RDONLY NONE /u/RegClean.exe Sun Aug 12 13:01:22 2002
-
-Share mode memory usage (bytes):
- 1048368(99%) free + 136(0%) used + 72(0%) overhead = 1048576(100%) total</pre></blockquote>
-
-<p>The Samba status from this output provides three sets of data, each
-divided into separate sections. The first section tells which systems
-have connected to the Samba server, identifying each client by its
-machine name (<tt class="literal">maya</tt> and <tt class="literal">aztec</tt>)
-and IP (Internet Protocol) address. The second section reports the
-name and status of the files that are currently in use on a share on
-the server, including the read/write status and any locks on the
-files. Finally, Samba reports the amount of memory it has currently
-allocated to the shares that it administers, including the amount
-actively used by the shares plus additional overhead. (Note that this
-is not the same as the total amount of memory that the
-<em class="emphasis">smbd</em> or <em class="emphasis">nmbd</em> processes are
-using.)</p>
-
-<p>Don't worry if you don't understand
-these statistics; they will become easier to understand as you move
-through the book.</p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-3"/>
-
-<h2 class="head1">Getting Familiar with an SMB Network</h2>
-
-<p><a name="INDEX-33"/>Now that you have had a brief tour of
-Samba, let's take some time to get familiar with
-Samba's adopted environment: an SMB network.
-Networking with SMB is significantly different from working with
-common TCP/IP protocols such as FTP and Telnet because there are
-several new concepts to learn and a lot of information to cover.
-First, we will discuss the basic concepts behind an SMB network,
-followed by some Microsoft implementations of it, and finally we will
-show you where a Samba server can and cannot fit into the picture.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-3.1"/>
-
-<h3 class="head2">Understanding NetBIOS</h3>
-
-<p>To begin, let's step back in time. In 1984, IBM
-authored a simple application programming interface (API) for
-networking its computers, called the <em class="firstterm">Network Basic
-Input/Output System
-</em>(<a name="INDEX-34"/>NetBIOS).
-The NetBIOS API provided a rudimentary design for an application to
-connect and share data with other computers.</p>
-
-<p>It's helpful to think of the NetBIOS API as
-networking extensions to the standard BIOS API calls. The BIOS
-contains low-level code for performing filesystem operations on the
-local computer. NetBIOS originally had to exchange instructions with
-computers across IBM PC or Token Ring networks. It therefore required
-a low-level transport protocol to carry its requests from one
-computer to the next.</p>
-
-<p>In late 1985, IBM released one such protocol, which it merged with
-the NetBIOS API to become the <em class="firstterm">NetBIOS Extended User
-Interface</em> (<em class="emphasis">NetBEUI</em> ).
-<a name="INDEX-35"/>NetBEUI was
-designed for small LANs, and it let each computer claim a name (up to
-15 characters) that wasn't already in use on the
-network. By a &quot;small LAN,&quot; we mean
-fewer than 255 nodes on the network&mdash;which was considered a
-generous number in 1985!</p>
-
-<p>The NetBEUI protocol was very popular with networking applications,
-including those running under Windows for Workgroups. Later,
-implementations of NetBIOS over Novell's IPX
-networking protocols also emerged, which competed with NetBEUI.
-However, the networking protocols of choice for the burgeoning
-Internet community were TCP/IP and UDP/IP, and implementing the
-NetBIOS APIs over those protocols soon became a necessity.</p>
-
-<p>Recall that TCP/IP uses numbers to represent computer addresses
-(192.168.220.100, for instance) while NetBIOS uses only names. This
-was a major issue when trying to mesh the two protocols together. In
-1987, the IETF published standardization documents, titled RFC 1001
-and 1002, that outlined how NetBIOS would work over a TCP/UDP
-network. This set of documents still governs each implementation that
-exists today, including those provided by Microsoft with its Windows
-operating systems, as well as the Samba suite.</p>
-
-<p>Since then, the standard that this document governs has become known
-as <em class="firstterm">NetBIOS over
-TCP/IP</em><a name="INDEX-36"/><a name="INDEX-37"/><a name="INDEX-38"/>, or NBT for short.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> </p>
-
-<p>The NBT standard (RFC 1001/1002)
-currently outlines a trio of services on a network:</p>
-
-<ul><li>
-<p>A name service</p>
-</li><li>
-<p>Two communication services:</p>
-<ul><li>
-<p>Datagrams</p>
-</li>
-
-<li>
-<p>Sessions</p>
-</li></ul>
-</li>
-</ul>
-
-<p>The <a name="INDEX-39"/>name
-service solves the name-to-address problem mentioned earlier; it
-allows each computer to declare a specific name on the network that
-can be translated to a machine-readable IP address, much like
-today's Domain Name System (DNS) on the Internet.
-The <a name="INDEX-40"/>datagram and <a name="INDEX-41"/>session services are both
-secondary communication protocols used to transmit data back and
-forth from NetBIOS computers across the network.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-3.2"/>
-
-<h3 class="head2">Getting a Name</h3>
-
-<p><a name="INDEX-42"/><a name="INDEX-43"/>In the NetBIOS world, when each
-computer comes online, it wants to claim a name for itself; this is
-called <em class="firstterm">name registration</em>. However, no two
-computers in the same workgroup should be able to claim the same
-name; this would cause endless confusion for any computer that wanted
-to communicate with either of them. There are two different
-approaches to ensuring that this doesn't happen:</p>
-
-<ul><li>
-<p>Use an <em class="firstterm"/>NBNS</em> to keep track of which hosts have
-registered a NetBIOS name.</p>
-</li><li>
-<p>Allow each computer on the network to defend its name in the event
-that another computer attempts to use it.</p>
-</li></ul>
-<p><a href="ch01.html#samba2-CHP-1-FIG-8">Figure 1-8</a> illustrates a (failed) name
-registration, with and without an NBNS.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-8"/><img src="figs/sam2_0108.gif"/></div><h4 class="head4">Figure 1-8. Broadcast versus NBNS name registration</h4>
-
-<p><a name="INDEX-44"/><a name="INDEX-45"/>As mentioned earlier,
-there must be a way to resolve a NetBIOS name to a specific IP
-address; this is known as <em class="firstterm">name resolution</em>.
-There are two different approaches with NBT here as well:</p>
-
-<ul><li>
-<p>Have each computer report back its IP address when it
-&quot;hears&quot; a broadcast request for its
-NetBIOS name.</p>
-</li><li>
-<p>Use an NBNS to help resolve NetBIOS names to IP addresses.</p>
-</li></ul>
-<p><a href="ch01.html#samba2-CHP-1-FIG-9">Figure 1-9</a> illustrates the two types of name
-resolution.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-9"/><img src="figs/sam2_0109.gif"/></div><h4 class="head4">Figure 1-9. Broadcast versus NBNS name resolution</h4>
-
-<p>As you might expect, having an NBNS on your network can help out
-tremendously. To see exactly why, let's look at the
-broadcast method.</p>
-
-<p>Here, when a client computer boots, it will
-<a name="INDEX-46"/>broadcast a
-message declaring that it wishes to register a specified NetBIOS name
-as its own. If nobody objects to the use of the name, it keeps the
-name. On the other hand, if another computer on the local subnet is
-currently using the requested name, it will send a message back to
-the requesting client that the name is already taken. This is known
-as <em class="firstterm">defending</em><a name="INDEX-47"/><a name="INDEX-48"/> the hostname. This type of system
-comes in handy when one client has unexpectedly dropped off the
-network&mdash;another can take its name unchallenged&mdash;but it
-does incur an inordinate amount of traffic on the network for
-something as simple as name registration.</p>
-
-<p>With an NBNS, the same thing occurs, except the communication is
-confined to the requesting computer and the NBNS. No broadcasting
-occurs when the computer wishes to register the name; the
-registration message is simply sent directly from the client to the
-NBNS, and the NBNS replies regardless of whether the name is already
-taken. This is known as <em class="firstterm">point-to-point
-communication</em><a name="INDEX-49"/>, and it is often beneficial on
-networks with more than one subnet. This is because routers are
-generally configured to block incoming packets that are broadcast to
-all computers in the subnet.</p>
-
-<p>The same principles apply to name resolution. Without an NBNS,
-NetBIOS name resolution would also be done with a broadcast
-mechanism. All request packets would be sent to each computer in the
-network, with the hope that one computer that might be affected will
-respond directly back to the computer that asked. Using an NBNS and
-point-to-point communication for this purpose is far less taxing on
-the network than flooding the network with broadcasts for every
-name-resolution request.</p>
-
-<p>It can be argued that broadcast packets do not cause significant
-problems in modern, high-bandwidth networks of hosts with fast CPUs,
-if only a small number of hosts are on the network, or the demand for
-bandwidth is low. There are certainly cases where this is true;
-however, our advice throughout this book is to avoid relying on
-broadcasts as much as possible. This is a good rule to follow for
-large, busy networks, and if you follow our advice when configuring a
-small network, your network will be able to grow without encountering
-problems later on that might be difficult to diagnose. <a name="INDEX-50"/><a name="INDEX-51"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-3.3"/>
-
-<h3 class="head2">Node Types</h3>
-
-<p><a name="INDEX-52"/><a name="INDEX-53"/>How can you tell what strategy each
-client on your network will use when performing name registration and
-resolution? Each computer on an NBT network earns one of the
-following designations, depending on how it handles name registration
-and resolution: <a name="INDEX-54"/><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>b-node, p-node, m-node, and h-node. The
-behaviors of each type of node are summarized in <a href="ch01.html#samba2-CHP-1-TABLE-1">Table 1-1</a>.</p>
-
-<a name="samba2-CHP-1-TABLE-1"/><h4 class="head4">Table 1-1. NetBIOS node types</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Role</p>
-</th>
-<th>
-<p>Value</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>b-node</p>
-</td>
-<td>
-<p>Uses broadcast registration and resolution only.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>p-node</p>
-</td>
-<td>
-<p>Uses point-to-point registration and resolution only.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>m-node (mixed)</p>
-</td>
-<td>
-<p>Uses broadcast for registration. If successful, it notifies the NBNS
-of the result. Uses broadcast for resolution; uses the NBNS if
-broadcast is unsuccessful.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>h-node (hybrid)</p>
-</td>
-<td>
-<p>Uses the NBNS for registration and resolution; uses broadcast if the
-NBNS is unresponsive or inoperative.</p>
-</td>
-</tr>
-
-</table>
-
-<p>In the case of Windows clients, you will usually find them listed as
-h-nodes or hybrid nodes. The first three node types appear in RFC
-1001/1002, and h-nodes were invented later by Microsoft, as a more
-fault-tolerant method.</p>
-
-<p>You can find the node type of a Windows 95/98/Me computer by running
-the <em class="emphasis">winipcfg</em><a name="INDEX-58"/><a name="INDEX-59"/> command from the Start
-&rarr; Run dialog (or from an MS-DOS prompt) and clicking
-the More Info&gt;&gt; button. On Windows NT/2000/XP, you can use the
-<tt class="literal">ipconfig</tt><a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/>
-<tt class="literal">/all</tt> command in a command-prompt window. In either
-case, search for the line that says <tt class="literal">Node Type</tt>.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-3.4"/>
-
-<h3 class="head2">What's in a Name?</h3>
-
-<p>The names <a name="INDEX-64"/><a name="INDEX-65"/>NetBIOS uses are quite different
-from the DNS hostnames you might be familiar with. First, NetBIOS
-names exist in a flat namespace. In other words, there are no
-hierarchical levels, such as in <tt class="literal">oreilly.com</tt> (two
-levels) or <em class="emphasis">ftp</em><em class="emphasis">.samba.org</em> (three
-levels). NetBIOS names consist of a single unique string such as
-<tt class="literal">navaho</tt> or <tt class="literal">hopi</tt> within each
-workgroup or domain. Second, NetBIOS names are allowed to be only 15
-characters and can consist only of standard alphanumeric characters
-(a-z, A-Z, 0-9) and the following:</p>
-
-<blockquote><pre class="code">! @ # $ % ^ &amp; ( ) - ' { } . ~</pre></blockquote>
-
-<p>Although you are allowed to use a <a name="INDEX-66"/><a name="INDEX-67"/><a name="INDEX-68"/>period (.) in a NetBIOS name, we recommend
-against it because those names are not guaranteed to work in future
-versions of NBT.</p>
-
-<p>It's not a coincidence that all valid DNS names are
-also valid NetBIOS names. In fact, the unqualified DNS name for a
-Samba server is often reused as its NetBIOS name. For example, if you
-had a system with a hostname of <tt class="literal">mixtec.ora.com</tt> ,
-its NetBIOS name would likely be MIXTEC (followed by 9 spaces).</p>
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.1"/>
-
-<h3 class="head3">Resource names and types</h3>
-
-<p><a name="INDEX-69"/><a name="INDEX-70"/>With NetBIOS, a computer not
-only advertises its presence, but also tells others what types of
-services it offers. For example, <tt class="literal">mixtec</tt> can
-indicate that it's not just a workstation, but that
-it's also a file server and can receive Windows
-Messenger messages. This is done by adding a 16th byte to the end of
-the machine (resource) name, called the <em class="firstterm">resource
-type</em>, and registering the name multiple times, once for
-each service that it offers. See <a href="ch01.html#samba2-CHP-1-FIG-10">Figure 1-10</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-10"/><img src="figs/sam2_0110.gif"/></div><h4 class="head4">Figure 1-10. The structure of NetBIOS names</h4>
-
-<p>The 1-byte resource type indicates a unique service that the named
-computer provides. In this book, you will often see the resource type
-shown in angled brackets (&lt;&gt;) after the NetBIOS name, such as:</p>
-
-<blockquote><pre class="code">MIXTEC&lt;00&gt;</pre></blockquote>
-
-<p>You can see which names are registered for a particular NBT computer
-using the Windows command-line
-<em class="emphasis">nbtstat</em><a name="INDEX-71"/> utility.
-Because these services are unique (i.e., there cannot be more than
-one registered), you will see them listed as type UNIQUE in the
-output. For example, the following partial output describes the
-<tt class="literal">toltec</tt> server:</p>
-
-<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>nbtstat -a toltec</b></tt>
-
- NetBIOS Remote Machine Name Table
- Name Type Status
----------------------------------------------
-TOLTEC &lt;00&gt; UNIQUE Registered
-TOLTEC &lt;03&gt; UNIQUE Registered
-TOLTEC &lt;20&gt; UNIQUE Registered
-...</pre></blockquote>
-
-<p>This says the server has registered the NetBIOS name
-<tt class="literal">toltec</tt> as a machine (computer) name, as a
-recipient of messages from the Windows Messenger service, and as a
-file server. Some possible attributes a name can have are listed in
-<a href="ch01.html#samba2-CHP-1-TABLE-2">Table 1-2</a>.</p>
-
-<a name="samba2-CHP-1-TABLE-2"/><h4 class="head4">Table 1-2. NetBIOS unique resource types</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Named resource</p>
-</th>
-<th>
-<p>Hexadecimal byte value</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>Standard Workstation Service</p>
-</td>
-<td>
-<p>00</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Messenger Service</p>
-</td>
-<td>
-<p>03</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>RAS Server Service</p>
-</td>
-<td>
-<p>06</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Domain Master Browser Service (associated with primary domain controller)</p>
-</td>
-<td>
-<p>1B</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Master Browser name</p>
-</td>
-<td>
-<p>1D</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>NetDDE Service</p>
-</td>
-<td>
-<p>1F</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Fileserver (including printer server)</p>
-</td>
-<td>
-<p>20</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>RAS Client Service</p>
-</td>
-<td>
-<p>21</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Network Monitor Agent</p>
-</td>
-<td>
-<p>BE</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Network Monitor Utility</p>
-</td>
-<td>
-<p>BF</p>
-</td>
-</tr>
-
-</table>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.2"/>
-
-<h3 class="head3">Group names and types</h3>
-
-<p>SMB also uses the concept of groups, with which computers can
-register themselves. Earlier we mentioned that the computers in our
-example belonged to a
-<em class="firstterm">workgroup</em><a name="INDEX-73"/>,
-which is a partition of computers on the same network. For example, a
-business might very easily have an ACCOUNTING and a SALES workgroup,
-each with different servers and printers. In the Windows world, a
-workgroup and an
-<a name="INDEX-74"/>SMB
-group are the same thing.</p>
-
-<p>Continuing our
-<em class="emphasis">nbtstat</em><a name="INDEX-75"/> example,
-the <tt class="literal">toltec</tt> Samba server is also a member of the
-METRAN workgroup (the GROUP attribute hex 00) and will participate in
-elections for the browse master (GROUP attribute 1E). Here is the
-remainder of the <em class="emphasis">nbtstat</em> output:</p>
-
-<blockquote><pre class="code"> NetBIOS Remote Machine Name Table
- Name Type Status
----------------------------------------------
-METRAN &lt;00&gt; GROUP Registered
-METRAN &lt;1E&gt; GROUP Registered
-..__MSBROWSE__.&lt;01&gt; GROUP Registered</pre></blockquote>
-
-<p>The possible group attributes a computer can have are illustrated in
-<a href="ch01.html#samba2-CHP-1-TABLE-3">Table 1-3</a>. More
-<a name="INDEX-76"/><a name="INDEX-77"/>information
-is available in <em class="emphasis">Windows NT in a Nutshell</em> by Eric
-<a name="INDEX-78"/>Pearce, also
-published by O'Reilly.</p>
-
-<a name="samba2-CHP-1-TABLE-3"/><h4 class="head4">Table 1-3. NetBIOS group resource types</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Named resource</p>
-</th>
-<th>
-<p>Hexadecimal byte value</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>Standard Workstation group</p>
-</td>
-<td>
-<p>00</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Logon server</p>
-</td>
-<td>
-<p>1C</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Master Browser name</p>
-</td>
-<td>
-<p>1D</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Normal Group name (used in browser elections)</p>
-</td>
-<td>
-<p>1E</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Internet Group name (administrative)</p>
-</td>
-<td>
-<p>20</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">&lt;01&gt;&lt;02&gt;_ _MSBROWSE_ _&lt;02&gt;</tt></p>
-</td>
-<td>
-<p>01</p>
-</td>
-</tr>
-
-</table>
-
-<p>The final entry, <tt class="literal">_ _ MSBROWSE _ _</tt>
-<a name="INDEX-80"/>, is used to announce a group to other
-master browsers. The nonprinting characters in the name show up as
-dots in an <em class="emphasis">nbtstat</em> printout.
-Don't worry if you don't understand
-all of the resource or group types. Some of them you will not need
-with Samba, and others you will pick up as you move through the rest
-of the chapter. The important thing to remember here is the logistics
-of the naming mechanism.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.3"/>
-
-<h3 class="head3">Scope ID</h3>
-
-<p>In the dark ages of SMB networking before NetBIOS groups were
-introduced, you could use a very primitive method to isolate groups
-of computers from the rest of the network. Each SMB packet contains a
-field called the <em class="firstterm">scope
-ID</em><a name="INDEX-81"/><a name="INDEX-82"/>, with the idea being that
-systems on the network could be configured to accept only packets
-with a scope ID matching that of their configuration. This feature
-was hardly ever used and unfortunately lingers in modern
-implementations. Some of the utilities included in the Samba
-distribution allow the scope ID to be set. Setting the scope ID in a
-network is likely to cause problems, and we are mentioning scope ID
-only so that you will not be confused by it when you later encounter
-it in various places.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-3.5"/>
-
-<h3 class="head2">Datagrams and Sessions</h3>
-
-<p>At this point, let's digress to discuss the
-responsibility of NBT: to provide connection services between two
-NetBIOS computers.
-<a name="INDEX-83"/>NBT
-offers two services: the <em class="firstterm">session
-service</em><a name="INDEX-84"/> and the
-<em class="firstterm">datagram service</em><a name="INDEX-85"/>.
-Understanding how these two services work is not essential to using
-Samba, but it does give you an idea of how NBT works and how to
-troubleshoot Samba when it doesn't work.</p>
-
-<p>The datagram service has no stable connection between computers.
-Packets of data are simply sent or broadcast from one computer to
-another, without regard to the order in which they arrive at the
-destination, or even if they arrive at all. The use of datagrams
-requires less processing overhead than sessions, although the
-reliability of the connection can suffer. Datagrams, therefore, are
-used for quickly sending nonvital blocks of data to one or more
-computers. The datagram service communicates using the simple
-primitives shown in <a href="ch01.html#samba2-CHP-1-TABLE-4">Table 1-4</a>.</p>
-
-<a name="samba2-CHP-1-TABLE-4"/><h4 class="head4">Table 1-4. Datagram primitives</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Primitive</p>
-</th>
-<th>
-<p>Description</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>Send Datagram</p>
-</td>
-<td>
-<p>Send datagram packet to computer or groups of computers.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Send Broadcast Datagram</p>
-</td>
-<td>
-<p>Broadcast datagram to any computer waiting with a Receive Broadcast
-datagram.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Receive Datagram</p>
-</td>
-<td>
-<p>Receive a datagram from a computer.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Receive Broadcast Datagram</p>
-</td>
-<td>
-<p>Wait for a Broadcast datagram.</p>
-</td>
-</tr>
-
-</table>
-
-<p>The session service is more complex. Sessions are a communication
-method that, in theory, offers the ability to detect problematic or
-inoperable connections between two NetBIOS applications. It helps to
-think of an NBT session as being similar to a telephone call, an
-analogy that obviously influenced the design of the CIFS standard.</p>
-
-<p>Once the connection is made, it remains open throughout the duration
-of the conversation, each side knows who the caller and the called
-computer are, and each can communicate with the simple primitives
-shown in <a href="ch01.html#samba2-CHP-1-TABLE-5">Table 1-5</a>.</p>
-
-<a name="samba2-CHP-1-TABLE-5"/><h4 class="head4">Table 1-5. Session primitives</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Primitive</p>
-</th>
-<th>
-<p>Description</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>Call</p>
-</td>
-<td>
-<p>Initiate a session with a computer listening under a specified name.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Listen</p>
-</td>
-<td>
-<p>Wait for a call from a known caller or any caller.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Hang-up</p>
-</td>
-<td>
-<p>Exit a call.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Send</p>
-</td>
-<td>
-<p>Send data to the other computer.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Receive</p>
-</td>
-<td>
-<p>Receive data from the other computer.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Session Status</p>
-</td>
-<td>
-<p>Get information on requested sessions.</p>
-</td>
-</tr>
-
-</table>
-
-<p>Sessions are the backbone of resource sharing on an NBT network. They
-are typically used for establishing stable connections from client
-computers to disk or printer shares on a server. The client
-&quot;calls&quot; the server and starts
-trading information such as which files it wishes to open, which data
-it wishes to exchange, etc. These calls can last a long
-time&mdash;hours, even days&mdash;and all of this occurs within the
-context of a single connection. If there is an error, the session
-software (TCP) will retransmit until the data is received properly,
-unlike the &quot;punt-and-pray&quot; approach
-of the datagram service (UDP).</p>
-
-<p>In truth, while sessions are supposed to handle problematic
-communications, they sometimes don't. If the
-connection is interrupted, session information that is open between
-the two computers might become invalid. If that happens, the only way
-to regain the session information is for the same two computers to
-call each other again and start over.</p>
-
-<p>If you want more information on each service, we recommend you look
-at RFC 1001. However, there are two important things to remember
-here:</p>
-
-<ul><li>
-<p><a name="INDEX-88"/>Sessions always
-occur between two NetBIOS computers. If a session service is
-interrupted, the client is supposed to store sufficient state
-information for it to reestablish the connection. However, in
-practice, this often does not happen.</p>
-</li><li>
-<p><a name="INDEX-89"/>Datagrams can
-be broadcast to multiple computers, but they are unreliable. In other
-words, there is no way for the source to know that the datagrams it
-sent have indeed arrived at their destinations. <a name="INDEX-90"/></p>
-</li></ul>
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-4"/>
-
-<h2 class="head1">An Introduction to the SMB Protocol</h2>
-
-<p><a name="INDEX-91"/>Now
-we're going to cover some low-level technical
-details and explore the elementals of the SMB protocol. You probably
-don't need to know much about this to implement a
-simple Samba network, and therefore you might want to skip or skim
-over this section and go on to the next one
-(&quot;Windows Workgroups and Domains&quot;)
-on your first reading. However, assuming you are going to be
-responsible for long-term maintenance of a Samba network, it will
-help if you understand how it actually works. You will more easily be
-able to diagnose and correct any odd problems that pop up.</p>
-
-<p>At a high level, the SMB protocol suite is relatively simple. It
-includes commands for all the file and print operations that you
-might perform on a local disk or printer, such as:</p>
-
-<ul><li>
-<p>Opening and closing files</p>
-</li><li>
-<p>Creating and deleting files and directories</p>
-</li><li>
-<p>Reading and writing files</p>
-</li><li>
-<p>Searching for files</p>
-</li><li>
-<p>Queueing and dequeueing files in a print spool</p>
-</li></ul>
-<p>Each operation can be encoded into an SMB message and transmitted to
-and from a server. The original name
-&quot;SMB&quot; comes from the way in which
-the commands are formatted: they are versions of the standard DOS
-system-call data structures, or <em class="firstterm">Server Message
-Blocks</em>, redesigned for transmitting to another computer
-across a network.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-4.1"/>
-
-<h3 class="head2">SMB Format</h3>
-
-<p>Richard <a name="INDEX-92"/>Sharpe of the Samba team defines SMB as
-a <em class="firstterm">request-response</em> protocol.<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> In effect,
-this means that a client sends an SMB request to a server and the
-server sends an SMB response back to the client. In only one rare
-circumstance does a server send a message that is not in response to
-a client.</p>
-
-<p>An <a name="INDEX-94"/>SMB message is not as complex as you
-might think. Let's take a closer look at the
-internal structure of such a message. It can be broken down into two
-parts: the <em class="firstterm">header</em>, which is a fixed size, and
-the <em class="firstterm">command string</em>, whose size can vary
-dramatically based on the contents of the message.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.1"/>
-
-<h3 class="head3">SMB header format</h3>
-
-<p><a href="ch01.html#samba2-CHP-1-TABLE-6">Table 1-6</a> shows the format of an
-<a name="INDEX-95"/>SMB header. The COM field identifies
-the command being performed. SMB commands are not required to use all
-the fields in the SMB header. For example, when a client first
-attempts to connect to a server, it does not yet have a tree
-identifier (TID) value&mdash;one is assigned after it successfully
-connects&mdash;so a null TID is placed in its header field. Other
-fields can be padded with zeros when not used.</p>
-
-<p>The <a name="INDEX-96"/>SMB header fields are listed in <a href="ch01.html#samba2-CHP-1-TABLE-6">Table 1-6</a>.</p>
-
-<a name="samba2-CHP-1-TABLE-6"/><h4 class="head4">Table 1-6. SMB header fields</h4><table border="1">
-
-
-
-
-<tr>
-<th>
-<p>Field</p>
-</th>
-<th>
-<p>Size (bytes)</p>
-</th>
-<th>
-<p>Description</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">0xFF 'SMB</tt>'</p>
-</td>
-<td>
-<p><tt class="literal">1</tt></p>
-</td>
-<td>
-<p>Protocol identifier</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">COM</tt></p>
-</td>
-<td>
-<p><tt class="literal">1</tt></p>
-</td>
-<td>
-<p>Command code, from 0x00 to 0xFF</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">RCLS</tt></p>
-</td>
-<td>
-<p><tt class="literal">1</tt></p>
-</td>
-<td>
-<p>Error class</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">REH</tt></p>
-</td>
-<td>
-<p><tt class="literal">1</tt></p>
-</td>
-<td>
-<p>Reserved</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">ERR</tt></p>
-</td>
-<td>
-<p><tt class="literal">2</tt></p>
-</td>
-<td>
-<p>Error code</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">REB</tt></p>
-</td>
-<td>
-<p><tt class="literal">1</tt></p>
-</td>
-<td>
-<p>Reserved</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">RES</tt></p>
-</td>
-<td>
-<p><tt class="literal">14</tt></p>
-</td>
-<td>
-<p>Reserved</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">TID</tt></p>
-</td>
-<td>
-<p><tt class="literal">2</tt></p>
-</td>
-<td>
-<p>TID; a unique ID for a resource in use by the client</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">PID</tt></p>
-</td>
-<td>
-<p><tt class="literal">2</tt></p>
-</td>
-<td>
-<p>Caller process ID</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">UID</tt></p>
-</td>
-<td>
-<p><tt class="literal">2</tt></p>
-</td>
-<td>
-<p>User identifier</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">MID</tt></p>
-</td>
-<td>
-<p><tt class="literal">2</tt></p>
-</td>
-<td>
-<p>Multiplex identifier; used to route requests inside a process</p>
-</td>
-</tr>
-
-</table>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.2"/>
-
-<h3 class="head3">SMB command format</h3>
-
-<p>Immediately after the header is a variable number of bytes that
-constitute an <a name="INDEX-97"/>SMB command or reply. Each command,
-such as Open File (COM field identifier: <tt class="literal">SMBopen</tt>)
-or Get Print Queue (<tt class="literal">SMBsplretq</tt> ), has its own set
-of parameters and data. Like the SMB header fields, not all of the
-command fields need to be filled, depending on the specific command.
-For example, the Get Server Attributes
-(<tt class="literal">SMBdskattr</tt>) command sets the WCT and BCC fields
-to zero. The fields of the command segment are shown in <a href="ch01.html#samba2-CHP-1-TABLE-7">Table 1-7</a>.</p>
-
-<a name="samba2-CHP-1-TABLE-7"/><h4 class="head4">Table 1-7. SMB command contents</h4><table border="1">
-
-
-
-
-<tr>
-<th>
-<p>Field</p>
-</th>
-<th>
-<p>Size (bytes)</p>
-</th>
-<th>
-<p>Description</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">WCT</tt></p>
-</td>
-<td>
-<p><tt class="literal">1</tt></p>
-</td>
-<td>
-<p>Word count</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">VWV</tt></p>
-</td>
-<td>
-<p>Variable</p>
-</td>
-<td>
-<p>Parameter words (size given by WCT)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">BCC</tt></p>
-</td>
-<td>
-<p><tt class="literal">2</tt></p>
-</td>
-<td>
-<p>Parameter byte count</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">DATA</tt></p>
-</td>
-<td>
-<p>Variable</p>
-</td>
-<td>
-<p>Data (size given by BCC)</p>
-</td>
-</tr>
-
-</table>
-
-<p>Don't worry if you don't understand
-each field; they are not necessary for using Samba at an
-administrator level. However, they do come in handy when debugging
-system messages. We will show you some of the more common SMB
-messages that clients and servers send using a modified version of
-<em class="filename">tcpdump</em> later in this section. (If you prefer an
-<a name="INDEX-98"/><a name="INDEX-99"/>SMB sniffer with a graphical
-interface, try Ethereal, which uses the GTK libraries; see
-<a href="http://www.ethereal.com">http://www.ethereal.com</a> for more
-information on this tool.)</p>
-
-<a name="samba2-CHP-1-NOTE-84"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>For more information on each command in the
-<a name="INDEX-100"/>SMB protocol, see the
-<em class="citetitle">CIFS Technical
-Reference</em><a name="INDEX-101"/> at <a href="http://www.snia.org/tech_activities/CIFS">http://www.snia.org/tech_activities/CIFS</a>.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.3"/>
-
-<h3 class="head3">SMB variations</h3>
-
-<p>The SMB protocol has been extended with new commands several times
-since its inception. Each new version is backward-compatible with the
-previous versions, so it is possible for a LAN to have clients and
-servers concurrently running different versions of the SMB protocol.</p>
-
-<p><a href="ch01.html#samba2-CHP-1-TABLE-8">Table 1-8</a> outlines the major versions of the
-<a name="INDEX-102"/>SMB
-protocol. Within each &quot;dialect&quot; of
-SMB are many sub-versions that include commands supporting particular
-releases of major operating systems. The ID string in column 2 is
-used by clients and servers to determine in which level of the
-protocol they will speak to each other.</p>
-
-<a name="samba2-CHP-1-TABLE-8"/><h4 class="head4">Table 1-8. SMB protocol dialects</h4><table border="1">
-
-
-
-
-<tr>
-<th>
-<p>Protocol name</p>
-</th>
-<th>
-<p>ID string</p>
-</th>
-<th>
-<p>Used by</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>Core</p>
-</td>
-<td>
-<p><tt class="literal">PC NETWORK PROGRAM 1.0</tt></p>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<p><a name="INDEX-103"/>Core Plus</p>
-</td>
-<td>
-<p><tt class="literal">MICROSOFT NETWORKS 1.03</tt></p>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<p><a name="INDEX-104"/>LAN Manager 1.0</p>
-</td>
-<td>
-<p><tt class="literal">LANMAN1.0</tt></p>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<p>LAN Manager 2.0</p>
-</td>
-<td>
-<p><tt class="literal">LM1.2X002</tt></p>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<p>LAN Manager 2.1</p>
-</td>
-<td>
-<p><tt class="literal">LANMAN2.1</tt></p>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<p><a name="INDEX-105"/>NT LAN
-Manager 1.0</p>
-</td>
-<td>
-<p><tt class="literal">NT LM 0.12</tt></p>
-</td>
-<td>
-<p>Windows NT 4.0</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><a name="INDEX-106"/>Samba's NT LM 0.12</p>
-</td>
-<td>
-<p><tt class="literal">Samba</tt></p>
-</td>
-<td>
-<p>Samba</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><a name="INDEX-107"/><a name="INDEX-108"/>Common
-Internet File System</p>
-</td>
-<td>
-<p><tt class="literal">CIFS 1.0</tt></p>
-</td>
-<td>
-<p>Windows 2000/XP</p>
-</td>
-</tr>
-
-</table>
-
-<p>Samba implements the NT LM 0.12 specification for NT LAN Manager 1.0.
-It is backward-compatible with all the other SMB variants. The CIFS
-specification is, in reality, LAN Manager 0.12 with a few specific
-additions.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-4.2"/>
-
-<h3 class="head2">SMB Clients and Servers</h3>
-
-<p><a name="INDEX-109"/><a name="INDEX-110"/>As
-mentioned earlier, SMB is a client/server protocol. In the purest
-sense, this means that a client sends a request to a server, which
-acts on the request and returns a reply. However, the client/server
-roles can often be reversed, sometimes within the context of a single
-SMB session. For example, consider the two Windows 95/98/Me computers
-in <a href="ch01.html#samba2-CHP-1-FIG-11">Figure 1-11</a>. The computer named
-<tt class="literal">maya</tt> shares a printer to the network, and the
-computer named <tt class="literal">toltec</tt> shares a disk directory.
-<tt class="literal">maya</tt> is in the client role when accessing
-<tt class="literal">toltec</tt>'s network drive and in the
-server role when printing a job for <tt class="literal">toltec</tt>.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-11"/><img src="figs/sam2_0111.gif"/></div><h4 class="head4">Figure 1-11. Two computers that both have resources to share</h4>
-
-<p>This brings out an important point in Samba terminology:</p>
-
-<ul><li>
-<p>A <em class="firstterm">server</em> is a computer with a resource to
-share.</p>
-</li><li>
-<p>A <em class="firstterm">client</em> is a computer that wishes to use that
-resource.</p>
-</li><li>
-<p>A computer can be a client, a server, or both, or it can be neither
-at any given time.</p>
-</li></ul>
-<p>Microsoft Windows products have both the SMB client and server built
-into the operating system, and it is common to find Windows acting as
-a server, client, both, or neither at any given time in a production
-network. Although Samba has been developed primarily to function as a
-server, there are also ways that it and associated software can act
-as an SMB client. As with Windows, it is even possible to set up a
-Unix system to act as an SMB client and not as a server. See <a href="ch05.html">Chapter 5</a> for more details on this topic.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-4.3"/>
-
-<h3 class="head2">A Simple SMB Connection</h3>
-
-<p><a name="INDEX-111"/>The client and server must complete
-three steps to establish a connection to a resource:</p>
-
-<ol><li>
-<p>Establish a NetBIOS session.</p>
-</li><li>
-<p>Negotiate the protocol variant.</p>
-</li><li>
-<p>Set session parameters, and make a tree connection to a resource.</p>
-</li></ol>
-<p>We will examine each step through the eyes of a useful tool that we
-mentioned earlier: the modified
-<em class="filename">tcpdump</em><a name="INDEX-112"/> that is
-available from the Samba web site.</p>
-
-<a name="samba2-CHP-1-NOTE-85"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>You can download the tcpdump program at <a href="http://www.samba.org">http://www.samba.org</a> in the
-<em class="filename">samba/ftp/tcpdump-smb</em> directory; the latest
-version as of this writing is 3.4-10. Use this program as you would
-use the standard <em class="filename">tcpdump</em> application, but add
-the <tt class="literal">-s 1500</tt> switch to ensure that you get the
-whole packet and not just the first few bytes.</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-4.4"/>
-
-<h3 class="head2">Establishing a NetBIOS Session</h3>
-
-<p><a name="INDEX-113"/>When a user first makes a request
-to access a network disk or send a print job to a remote printer,
-NetBIOS takes care of making a connection at the session layer. The
-result is a bidirectional channel between the client and server. The
-client and server need only two messages to establish this
-connection. This is shown in the following example session request
-and response, as captured by <em class="filename">tcpdump</em> .</p>
-
-<p>First, the client sends a request to open a session, and
-<em class="filename">tcpdump </em><a name="INDEX-114"/>reports:</p>
-
-<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
-NBT Session Request
-Flags=0x81000044
-Destination=TOLTEC NameType=0x20 (Server)
-Source=MAYA NameType=0x00 (Workstation)</pre></blockquote>
-
-<p>Then the server responds, granting a session to the client:</p>
-
-<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
-NBT Session Granted
-Flags=0x82000000</pre></blockquote>
-
-<p>At this point, there is an open channel between the client and server.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-4.5"/>
-
-<h3 class="head2">Negotiating the Protocol Variant</h3>
-
-<p>Next, the client sends a message to the server to negotiate an
-<a name="INDEX-115"/>SMB protocol. As mentioned
-earlier, the client sets its <a name="INDEX-116"/>tree identifier (TID) field to
-zero, because it does not yet know what TID to use. A <em class="emphasis">tree
-identifier</em> is a number that represents a connection to a
-share on a server.</p>
-
-<p>The command in the message is <tt class="literal">SMBnegprot</tt>, a
-request to negotiate a protocol variant that will be used for the
-entire session. Note that the client sends to the server a list of
-all the variants that it can speak, not vice versa:</p>
-
-<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
-NBT Session Packet
-Flags=0x0
-Length=154
-
-SMB PACKET: SMBnegprot (REQUEST)
-SMB Command = 0x72
-Error class = 0x0
-Error code = 0
-Flags1 = 0x0
-Flags2 = 0x0
-Tree ID = 0
-Proc ID = 5315
-UID = 0
-MID = 257
-Word Count = 0
-Dialect=PC NETWORK PROGRAM 1.0
-Dialect=MICROSOFT NETWORKS 3.0
-Dialect=DOS LM1.2X002
-Dialect=DOS LANMAN2.1
-Dialect=Windows for Workgroups 3.1a
-Dialect=NT LM 0.12</pre></blockquote>
-
-<p>The server responds to the
-<tt class="literal">SMBnegprot</tt><a name="INDEX-117"/> request with an index (with counting
-starting at 0) into the list of variants that the client offered, or
-with the value 0xFF if none of the protocol variants is acceptable:</p>
-
-<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
-NBT Session Packet
-Flags=0x0
-Length=84
-
-SMB PACKET: SMBnegprot (REPLY)
-SMB Command = 0x72
-Error class = 0x0
-Error code = 0
-Flags1 = 0x80
-Flags2 = 0x1
-Tree ID = 0
-Proc ID = 5315
-UID = 0
-MID = 257
-Word Count = 17
-NT1 Protocol
-DialectIndex=5
-[...]</pre></blockquote>
-
-<p>In this example, the server responds with the value 5, which
-indicates that the <tt class="literal">NT</tt> <tt class="literal">LM</tt>
-<tt class="literal">0.12</tt> dialect will be used for the remainder of the
-session.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-4.6"/>
-
-<h3 class="head2">Set Session and Login Parameters</h3>
-
-<p><a name="INDEX-118"/><a name="INDEX-119"/>The next step is to transmit session and
-login parameters for the session, which you do using the
-<a name="INDEX-120"/><tt class="literal">SMBSesssetupX</tt>
-command. The parameters include the following:</p>
-
-<ul><li>
-<p>The account name and password (if there is one)</p>
-</li><li>
-<p>The workgroup name</p>
-</li><li>
-<p>The maximum size of data that can be transferred</p>
-</li><li>
-<p>The number of pending requests that can be in the queue at a time</p>
-</li></ul>
-<p>The resulting output from <em class="filename">tcpdump </em>is:</p>
-
-<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
-NBT Session Packet
-Flags=0x0
-Length=150
-
-SMB PACKET: SMBsesssetupX (REQUEST)
-SMB Command = 0x73
-Error class = 0x0
-Error code = 0
-Flags1 = 0x10
-Flags2 = 0x0
-Tree ID = 0
-Proc ID = 5315
-UID = 1
-MID = 257
-Word Count = 13
-Com2=0x75
-Res1=0x0
-Off2=120
-MaxBuffer=2920
-MaxMpx=50
-VcNumber=0
-SessionKey=0x1380
-CaseInsensitivePasswordLength=24
-CaseSensitivePasswordLength=0
-Res=0x0
-Capabilities=0x1
-Pass1&amp;Pass2&amp;Account&amp;Domain&amp;OS&amp;LanMan=
- JAY METRAN Windows 4.0 Windows 4.0
-
-SMB PACKET: SMBtconX (REQUEST) (CHAINED)
-smbvwv[]=
-Com2=0xFF
-Off2=0
-Flags=0x2
-PassLen=1
-Passwd&amp;Path&amp;Device=
-smb_bcc=23
-smb_buf[]=\\TOLTEC\SPIRIT</pre></blockquote>
-
-<p>In this example, the <tt class="literal">SMBsesssetupX</tt> Session Setup
-command allows for an additional SMB command to be piggybacked onto
-it (indicated by the letter X at the end of the command name). The
-hexadecimal code of the second command is given in the
-<tt class="literal">Com2</tt> field. In this case the command is
-<tt class="literal">0x75</tt>, which is the <tt class="literal">SMBtconX</tt>
-<tt class="literal">(</tt>Tree Connect and X) command. The
-<tt class="literal">SMBtconX</tt><a name="INDEX-121"/> message looks for the name of the
-resource in the <em class="emphasis">smb_buf</em> buffer. In this example,
-<em class="emphasis">smb_buf</em> contains the string
-<tt class="literal">\\TOLTEC\SPIRIT</tt>, which is the full pathname to a
-shared directory on <tt class="literal">toltec</tt>. Using the
-&quot;and X&quot; commands like this speeds
-up each transaction because the server doesn't have
-to wait on the client to make a second request.</p>
-
-<p>Note that the TID is still zero. Finally, the server returns a TID to
-the client, indicating that the user has been authorized access and
-that the resource is ready to be used:</p>
-
-<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
-NBT Session Packet
-Flags=0x0
-Length=85
-
-SMB PACKET: SMBsesssetupX (REPLY)
-SMB Command = 0x73
-Error class = 0x0
-Error code = 0
-Flags1 = 0x80
-Flags2 = 0x1
-Tree ID = 1
-Proc ID = 5315
-UID = 100
-MID = 257
-Word Count = 3
-Com2=0x75
-Off2=68
-Action=0x1
-[000] Unix Samba 2.2.6
-[010] METRAN
-
-SMB PACKET: SMBtconX (REPLY) (CHAINED)
-smbvwv[]=
-Com2=0xFF
-Off2=0
-smbbuf[]=
-ServiceType=A:</pre></blockquote>
-
-<p>The <em class="emphasis">ServiceType</em> field is set to
-&quot;A&quot; to indicate that this is a file
-service. Available service types are:</p>
-
-<ul><li>
-<p>&quot;A&quot; for a disk or file</p>
-</li><li>
-<p>&quot;LPT1&quot; for a spooled output</p>
-</li><li>
-<p>&quot;COMM&quot; for a direct-connect printer
-or modem</p>
-</li><li>
-<p>&quot;IPC&quot; for a named pipe</p>
-</li></ul>
-<p>Now that a TID has been assigned, the client can use it as a handle
-to perform any operation that it would use on a local disk drive. It
-can open files, read and write to them, delete them, create new
-files, search for filenames, and so on. <a name="INDEX-122"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-5"/>
-
-<h2 class="head1">Windows Workgroups and Domains</h2>
-
-<p>Up to now, we've covered basic SMB technology, which
-is all you would need if you had nothing more advanced than MS-DOS
-clients on your network. We do assume you want to support Windows
-clients, especially the more recent versions, so next
-we'll describe the enhancements Microsoft has added
-to SMB networking&mdash;namely, Windows for Workgroups and Windows
-domains.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-5.1"/>
-
-<h3 class="head2">Windows Workgroups</h3>
-
-<p><a name="INDEX-123"/><a name="INDEX-124"/>Windows
-Workgroups are very similar to the SMB groups already described. You
-need to know just a few additional things.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.1"/>
-
-<h3 class="head3">Browsing</h3>
-
-<p><a name="INDEX-125"/>Browsing
-is the process of finding the other computers and shared resources in
-the Windows network. Note that there is no connection with a World
-Wide Web browser, apart from the general idea of
-&quot;discovering what's
-there.&quot; On the other hand, browsing the Windows
-network is like the Web in that what's out there can
-change without warning.</p>
-
-<p>Before browsing existed, users had to know the name of the computer
-they wanted to connect to on the network and then manually enter a
-UNC such as the following into an application or file manager to
-access resources:</p>
-
-<blockquote><pre class="code">\\toltec\spirit\</pre></blockquote>
-
-<p>Browsing is much more convenient, making it possible to examine the
-contents of a network by using the point-and-click GUI interface of
-the Network Neighborhood (or My Network Places<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a>) on a Windows client.</p>
-
-<p>You will encounter two types of browsing in an SMB network:</p>
-
-<ul><li>
-<p><a name="INDEX-129"/>Browsing a list
-of computers and shared resources</p>
-</li><li>
-<p><a name="INDEX-130"/>Browsing the shared resource
-of a specific computer</p>
-</li></ul>
-<p>Let's look at the first one. On each LAN (or subnet)
-with a Windows workgroup or domain, one computer has the
-responsibility of maintaining a list of the computers that are
-currently accessible through the network. This computer is called the
-<em class="firstterm">local master
-browser</em><a name="INDEX-131"/><a name="INDEX-132"/>, and the list that it maintains is
-called the <em class="firstterm">browse
-list</em><a name="INDEX-133"/>. Computers on a subnet use the browse
-list to cut down on the amount of network traffic generated while
-browsing. Instead of each computer dynamically polling to determine a
-list of the currently available computers, the computer can simply
-query the local master browser to obtain a complete, up-to-date list.</p>
-
-<p>To browse the resources on a computer, a user must connect to the
-specific computer; this information cannot be obtained from the
-browse list. Browsing the list of resources on a computer can be done
-by double-clicking the computer's icon when it is
-presented in the Network Neighborhood. As you saw at the opening of
-the chapter, the computer will respond with a list of shared
-resources that can be accessed after the user is successfully
-authenticated.</p>
-
-<p>Each server on a Windows workgroup is required to announce its
-presence to the local master browser after it has registered a
-NetBIOS name, and (theoretically) announce that it is leaving the
-workgroup when it is shut down. It is the local master
-browser's responsibility to record what the servers
-have announced.</p>
-<a name="samba2-CHP-1-NOTE-86"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>The Windows <a name="INDEX-134"/>Network Neighborhood can behave
-oddly: until you select a particular computer to browse, the Network
-Neighborhood window might contain data that is not up-to-date. That
-means the Network Neighborhood window can be showing computers that
-have crashed or can be missing computers that
-haven't been noticed yet. Put succinctly, once
-you've selected a server and connected to it, you
-can be a lot more confident that the shares and printers really exist
-on the network.</p>
-</blockquote>
-
-<p>Unlike the roles you've seen earlier, almost any
-Windows system (including Windows for Workgroups and Windows 95/98/Me
-or NT/2000/XP) can act as a local master browser. The local master
-browser can have one or more
-<em class="firstterm"/><a name="INDEX-135"/><a name="INDEX-136"/>backup
-browsers</em> on the local subnet
-that will take over in the event that the local master browser fails
-or becomes inaccessible. To ensure fluid operation, the local backup
-browsers will frequently synchronize their browse list with the local
-master browser.</p>
-
-<p>Here is how to calculate the minimum number of backup browsers that
-will be allocated on a workgroup:</p>
-
-<ul><li>
-<p>If up to 32 Windows NT/2000/XP workstations are on the network, or up
-to 16 Windows 95/98/Me computers are on the network, the local master
-browser allocates one backup browser in addition to the local master
-browser.</p>
-</li><li>
-<p>If the number of Windows NT/2000/XP workstations falls between 33 and
-64, or the number of Windows 95/98/Me workstations falls between 17
-and 32, the local master browser allocates two backup browsers.</p>
-</li><li>
-<p>For each group of 32 NT/2000/XP workstations or 16 Windows 95/98/Me
-computers beyond this, the local master browser allocates another
-backup browser.</p>
-</li></ul>
-<p>There is currently no upper limit on the number of backup browsers
-that can be allocated by the local master browser.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.2"/>
-
-<h3 class="head3">Browsing elections</h3>
-
-<p><a name="INDEX-137"/>Browsing
-is a critical aspect of any Windows workgroup. However, not
-everything runs perfectly on any network. For example,
-let's say that a computer running Windows on the
-desk of a small company's CEO is the local master
-browser&mdash;that is, until he switches it off while plugging in his
-massage chair. At this point the Windows NT Workstation in the spare
-parts department might agree to take over the job. However, that
-computer is currently running a large, poorly written program that
-has brought its processor to its knees. The moral: browsing has to be
-very tolerant of servers coming and going. Because nearly every
-Windows system can serve as a browser, there has to be a way of
-deciding at any time who will take on the job. This decision-making
-process is called an <em class="firstterm">election</em>.</p>
-
-<p>An election algorithm is built into nearly all Windows operating
-systems such that they can each agree who is going to be a local
-master browser and who will be local backup browsers. An election can
-be forced at any time. For example, let's assume
-that the CEO has finished his massage and reboots his server. As the
-server comes online, it will announce its presence, and an election
-will take place to see if the PC in the spare parts department should
-still be the master browser.</p>
-
-<p>When an election is performed, each computer broadcasts information
-about itself via datagrams. This information includes the following:</p>
-
-<ul><li>
-<p>The version of the election protocol used</p>
-</li><li>
-<p>The operating system on the computer</p>
-</li><li>
-<p>The amount of time the client has been on the network</p>
-</li><li>
-<p>The hostname of the client</p>
-</li></ul>
-<p>These values determine which operating system has seniority and will
-fulfill the role of the local master browser. (<a href="ch07.html">Chapter 7</a> describes the election process in more
-detail.) The architecture developed to achieve this is not elegant
-and has built-in security problems. While a browsing domain can be
-integrated with domain security, the election algorithm does not take
-into consideration which computers become browsers. Thus it is
-possible for any computer running a browser service to register
-itself as participating in the browsing election and (after winning)
-being able to change the browse list. Nevertheless, browsing is a key
-feature of Windows networking, and backward-compatibility
-requirements will ensure that it is in use for years to come.
-<a name="INDEX-138"/></p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.3"/>
-
-<h3 class="head3">Windows 95/98/Me authentication</h3>
-
-<p>Three types of passwords arise when
-<a name="INDEX-139"/><a name="INDEX-140"/>Windows
-95/98/Me is operating in a Windows workgroup:</p>
-
-<ul><li>
-<p>A Windows password</p>
-</li><li>
-<p>A Windows Networking password</p>
-</li><li>
-<p>A password for each shared resource that has been assigned password
-protection</p>
-</li></ul>
-<p>The Windows <a name="INDEX-141"/>password functions in a manner
-that might be a source of confusion for Unix system administrators.
-It is not there to prevent unauthorized users from using the
-computer. (If you don't believe that, try clicking
-the Cancel button on the password dialog box and see what happens!)
-Instead, the Windows password is used to gain access to a file that
-contains the Windows Networking and network resource passwords. There
-is one such file per registered user of the system, and they can be
-found in the <em class="filename">C:\Windows</em> directory with a name
-composed of the user's account name, followed by a
-<em class="filename">.pwl</em><a name="INDEX-142"/><a name="INDEX-143"/><a name="INDEX-144"/> extension. For example, if the
-user's account name is
-&quot;sarah,&quot; the file will be
-<em class="filename">C:\Windows\sarah.pwl</em>. This file is encrypted
-using the Windows password as the encryption key.</p>
-
-<a name="samba2-CHP-1-NOTE-87"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>As a security measure, you might want to check for junk
-<em class="filename">.pwl</em> files on Windows 95/98/Me clients, which
-might have been created by mistakes users made while attempting to
-log on. A <em class="filename">.pwl</em> file is easily cracked and can
-contain valid passwords for Samba accounts and network shares.</p>
-</blockquote>
-
-<p>The first time the network is accessed, Windows attempts to use the
-Windows password as the Windows Networking password. If this is
-successful, the user will not be prompted for two separate passwords,
-and subsequent logins to the Windows system will automatically result
-in logging on to the Windows network as well, making things much
-simpler for the user.</p>
-
-<p>Shared network resources in the workgroup can also have passwords
-assigned to them to limit their accessibility. The first time a user
-attempts to access the resource, she is asked for its password, and a
-checkbox in the password dialog box gives the user the option to add
-the password to her password list. This is the default; if it is
-accepted, Windows will store the password in the
-user's <em class="filename">.pwl</em> file, and all
-further authentication to the resource will be handled automatically
-by Windows.</p>
-
-<p>Samba's approach to workgroup authentication is a
-little different, which is a result of blending the Windows workgroup
-model with that of the Unix host upon which Samba runs. This will be
-discussed further in <a href="ch09.html">Chapter 9</a>. <a name="INDEX-145"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-5.2"/>
-
-<h3 class="head2">Windows NT Domains</h3>
-
-<p><a name="INDEX-146"/>The
-peer-to-peer networking model of
-<a name="INDEX-147"/>workgroups functions fairly well as long as
-the number of computers on the network is small and there is a
-close-knit community of users. However, in larger networks the
-simplicity of workgroups becomes a limiting factor. Workgroups offer
-only the most basic level of security, and because each resource can
-have its own password, it is inconvenient (to say the least) for
-users to remember the password for each resource in a large network.
-Even if that were not a problem, many people find it frustrating to
-have to interrupt their creative workflow to enter a shared password
-into a dialog box every time another network resource is accessed.</p>
-
-<p>To support the needs of larger networks, such as those found in
-departmental computing environments, Microsoft introduced domains
-with Windows NT 3.51. A <em class="firstterm">Windows NT domain</em> is
-essentially a workgroup of SMB computers that has one addition: a
-server acting as a <em class="firstterm">domain
-controller</em><a name="INDEX-148"/> (see <a href="ch01.html#samba2-CHP-1-FIG-12">Figure 1-12</a>).</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-12"/><img src="figs/sam2_0112.gif"/></div><h4 class="head4">Figure 1-12. A simple Windows domain</h4>
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.1"/>
-
-<h3 class="head3">Domain controllers</h3>
-
-<p>A domain controller in a Windows NT domain functions much like a
-<a name="INDEX-149"/><a name="INDEX-150"/>Network
-Information Service (NIS) server in a Unix network, maintaining a
-domain-wide database of user and group information, as well as
-performing related services. The responsibilities of a domain
-controller are mainly centered around security, including
-<em class="firstterm">authentication</em><a name="INDEX-151"/>,
-the process of granting or denying a user access to the resources of
-the domain. This is typically done through the use of a username and
-password. The service that maintains the database on the domain
-controllers is called the <a name="INDEX-152"/><a name="INDEX-153"/>Security Account Manager (SAM).</p>
-
-<p>The <a name="INDEX-154"/>Windows NT security model revolves
-around <em class="firstterm">security
-identifiers</em><a name="INDEX-155"/><a name="INDEX-156"/> (SIDs) and <em class="firstterm">access
-control lists</em><a name="INDEX-157"/><a name="INDEX-158"/>
-(ACLs). Security identifiers are used to represent objects in the
-domain, which include (but are not limited to) users, groups,
-computers, and processes. SIDs are commonly written in ASCII form as
-hyphen-separated fields, like this:</p>
-
-<blockquote><pre class="code">S-1-5-21-1638239387-7675610646-9254035128-545</pre></blockquote>
-
-<p>The part of the SID starting with the
-&quot;S&quot; and leading up to the rightmost
-hyphen identifies a domain. The number after the rightmost hyphen is
-called a <a name="INDEX-159"/>relative identifier (RID) and is a unique
-number within the domain that identifies the user, group, computer,
-or other object. The RID is the analog of a <a name="INDEX-160"/>user ID (UID) or
-<a name="INDEX-161"/>group ID
-(GID) on a Unix system or within an NIS domain.</p>
-
-<p>ACLs supply the same function as
-&quot;rwx&quot;
-<a name="INDEX-162"/><a name="INDEX-163"/><a name="INDEX-164"/><a name="INDEX-165"/><a name="INDEX-166"/>file permissions that are common in Unix
-systems. However, ACLs are more versatile. Unix file permissions only
-set permissions for the owner and group to which the file belongs,
-and &quot;other,&quot; meaning everyone else.
-Windows NT/2000/XP ACLs allow permissions to be set individually for
-any number of arbitrary users and/or groups. ACLs are made up of one
-or more <em class="firstterm">access control
-entries</em><a name="INDEX-167"/> (ACEs), each of which contains an SID
-and the access rights associated with it.</p>
-
-<p>ACL support has been added as a standard feature for some Unix
-variants and is available as an add-on for others. Samba supports
-mappings between Windows and Unix ACLs, and this will be covered in
-<a href="ch08.html">Chapter 8</a>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.2"/>
-
-<h3 class="head3">Primary and backup domain controllers</h3>
-
-<p>You've already read about master and backup
-browsers. Domain controllers are similar in that a domain has a
-<em class="firstterm">primary domain
-controller</em><a name="INDEX-168"/><a name="INDEX-169"/><a name="INDEX-170"/> (PDC) and can have
-one or more <em class="firstterm">backup domain
-controllers</em><a name="INDEX-171"/> (BDCs) as well. If the PDC fails or
-becomes inaccessible, its duties are automatically taken over by one
-of the BDCs. BDCs frequently synchronize their SAM data with the PDC
-so if the need arises, any one of them can immediately begin
-performing domain-controller services without impacting the clients.
-However, note that BDCs have read-only copies of the SAM database;
-they can update their data only by synchronizing with a PDC. A server
-in a Windows domain can use the SAM of any PDC or BDC to authenticate
-a user who attempts to access its resources and log on to the domain.</p>
-
-<p>All recent versions of Windows can log on to a domain as clients to
-access the resources of the domain servers. The systems that are
-considered members of the domain are a more exclusive class, composed
-of the PDC and BDCs, as well as domain member servers, which are
-systems that have joined a domain as members, and are known to the
-domain controllers by having a computer account in the SAM database.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.3"/>
-
-<h3 class="head3">Authentication</h3>
-
-<p><a name="INDEX-172"/>When
-a user logs on to a Windows domain by typing in a username and
-password, a secure challenge and response protocol is invoked between
-the client computer and a domain controller to verify that the
-username and password are valid. Then the domain controller sends a
-SID back to the client, which uses it to create a
-<a name="INDEX-173"/>Security Access Token (SAT) that is valid
-only for that system, to be used for further authentication. This
-access token has information about the user coded into it, including
-the username, the group, and the rights the user has within the
-domain. At this point, the user is logged on to the domain.</p>
-
-<p>Subsequently, when the client attempts to access a shared resource
-within the domain, the client system enters into a secure challenge
-and response exchange with the server of the resource. The server
-then enters into another secure challenge and response conversation
-with a domain controller to check that the client is valid. (What
-actually happens is that the server uses information it gets from the
-client to pretend to be the client and authenticate itself with the
-domain controller. If the domain controller validates the
-credentials, it sends an SID back to the server, which uses the SID
-to create its own SAT for the client to enable access to its local
-resources on the client's behalf.) At this point,
-the client is authenticated for resources on the server and is
-allowed to access them. The server then uses the SID in the access
-token to determine what permissions the client has to use and modify
-the requested resource by comparing them to entries in the ACL of the
-resource.</p>
-
-<p>Although this method of authentication might seem overly complicated,
-it allows clients to authenticate without having plain-text passwords
-travel through the network, and it is much more difficult to crack
-than the relatively weak workgroup security we described earlier.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.4"/>
-
-<h3 class="head3">Name service with WINS and DNS</h3>
-
-<p>The <a name="INDEX-174"/><a name="INDEX-175"/>Windows
-Internet Name Service (WINS) is Microsoft's
-implementation of a NetBIOS name server (NBNS). As such, WINS
-inherits much of NetBIOS's characteristics. First,
-WINS is flat; you can have only simple machine names such as
-<tt class="literal">inca</tt>, <tt class="literal">mixtec</tt>, or
-<tt class="literal">navaho</tt>, and workgroups such as PERU, MEXICO, or
-USA. In addition, WINS is dynamic: when a client first comes online,
-it is required to report its hostname, its address, and its workgroup
-to the local WINS server. This WINS server will retain the
-information so long as the client periodically refreshes its WINS
-registration, which indicates that it's still
-connected to the network. Note that WINS servers are not workgroup-
-or domain-specific; they can contain information for multiple domains
-and/or workgroups, which might exist on more than one subnet.</p>
-
-<p>Multiple <a name="INDEX-176"/>WINS
-servers can be set to synchronize with each other. This allows
-entries for computers that come online and go offline in the network
-to propagate from one WINS server to another. While in theory this
-seems efficient, it can quickly become cumbersome if several WINS
-servers are covering a network. Because WINS services can cross
-multiple subnets (you'll either hardcode the address
-of a WINS server in each of your clients or obtain it via DHCP), it
-is often more efficient to have each Windows client, regardless of
-the number of Windows domains, point themselves to the same WINS
-server. That way, only one authoritative WINS server will have the
-correct information, instead of several WINS servers continually
-struggling to synchronize themselves with the most recent changes.</p>
-
-<p>The currently active WINS server is known as the <em class="firstterm">primary
-WINS server</em><a name="INDEX-177"/><a name="INDEX-178"/>. You can also install a secondary WINS
-server, which will take over if the primary WINS server fails or
-becomes inaccessible. Both the primary and any other WINS servers
-will synchronize their address databases on a periodic basis.</p>
-
-<p>In the Windows family of operating systems, only a server edition of
-Windows NT/2000 can act as a WINS server. Samba 2.2 can function as a
-primary WINS server, but cannot <a name="INDEX-179"/><a name="INDEX-180"/>synchronize
-its database with other WINS servers. It therefore cannot act as a
-secondary WINS server or as a primary WINS server for a Windows
-secondary WINS server.</p>
-
-<p>WINS handles name service by default, although Microsoft added DNS
-starting with Windows NT 4 Server. It is compatible with DNS that is
-standard on virtually every Unix system, and a Unix server (such as
-the Samba host) can also be used for DNS.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.5"/>
-
-<h3 class="head3">Trust relationships</h3>
-
-<p>One additional aspect of Windows NT domains not yet supported in
-Samba 2.2 is that it is possible to set up a <em class="emphasis">trust
-relationship</em><a name="INDEX-181"/><a name="INDEX-182"/><a name="INDEX-183"/> between domains, allowing clients
-within one domain to access the resources within another without the
-user having to go through additional authentication. The protocol
-that is followed is called <em class="emphasis">pass-through authentication</em>,
-<a name="INDEX-184"/><a name="INDEX-185"/>in which the
-user's credentials are passed from the client system
-in the first domain to the server in the second domain, which
-consults a domain controller in the first (trusted) domain to check
-that the user is valid before granting access to the resource.</p>
-
-<p>Note that in many aspects, the behaviors of a Windows workgroup and a
-Windows NT domain overlap. For example, the master and backup
-browsers in a domain are always the PDC and BDC, respectively.
-Let's update our Windows domain diagram to include
-both a local master and local backup browser. The result is shown in
-<a href="ch01.html#samba2-CHP-1-FIG-13">Figure 1-13</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-13"/><a name="INDEX-186"/><img src="figs/sam2_0113.gif"/></div><h4 class="head4">Figure 1-13. A Windows domain with a local master and local backup browser</h4>
-
-<p>The similarity between workgroups and NT domains is not accidental
-because the concept of Windows domains did not evolve until Windows
-NT 3.5 was introduced, and Windows domains were forced to remain
-backward-compatible with the workgroups present in Windows for
-Workgroups.</p>
-
-<p>Samba can function as a primary domain controller for Windows
-95/98/Me and Windows NT/2000/XP clients with the limitation that it
-can act as a PDC only, and not as a BDC.</p>
-
-<p>Samba can also function as a <em class="firstterm">domain member
-server</em><a name="INDEX-187"/><a name="INDEX-188"/>, meaning that it has a computer account
-in the PDC's account database and is therefore
-recognized as being part of the domain. A domain member server does
-not authenticate users logging on to the domain, but still handles
-security functions (such as file permissions) for domain users
-accessing its resources.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-5.3"/>
-
-<h3 class="head2">Active Directory Domains</h3>
-
-<p>Starting with Windows 2000, Microsoft has introduced
-<a name="INDEX-189"/><a name="INDEX-190"/>Active
-Directory, the next step beyond Windows NT domains. We
-won't go into much detail concerning Active
-Directory because it is a huge topic. <a name="INDEX-191"/>Samba 2.2 doesn't
-support Active Directory at all, and support in Samba 3.0 is limited
-to acting as a client. For now, be aware that with Active Directory,
-the authentication model is centered around
-<a name="INDEX-192"/>Lightweight Directory
-Access Protocol (LDAP), and name service is provided by DNS instead
-of WINS. Domains in Active Directory can be organized in a
-hierarchical tree structure, in which each domain controller operates
-as a peer, with no distinction between primary and backup controllers
-as in Windows NT domains.</p>
-
-<p>Windows 2000/XP systems can be set up as simple workgroup or Windows
-NT domain clients (which will function with Samba). The server
-editions of Windows 2000 can be set up to run Active Directory and
-support Windows NT domains for backward compatibility
-(<em class="firstterm">mixed mode</em>). In this case, Samba 2.2 works
-with Windows 2000 servers in the same way it works with Windows NT
-4.0 servers. When set up to operate in <em class="firstterm">native mode,
-</em><a name="INDEX-193"/>Windows 2000 servers support only
-Active Directory. Even so, <a name="INDEX-194"/>Samba 2.2 can operate as a server
-in a domain hosted by a native-mode Windows 2000 server, using the
-<a name="INDEX-195"/>Windows 2000 server's
-<em class="firstterm">PDC emulation mode</em>. However, it is not
-possible for Samba 2.2 or 3.0 to operate as a domain controller in a
-Windows 2000 Active Directory domain.</p>
-
-<p>If you want to know more about Active Directory, we encourage you to
-obtain a copy of the O'Reilly book,
-<em class="emphasis">Windows 2000 Active Directory</em>. <a name="INDEX-196"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-5.4"/>
-
-<h3 class="head2">Can a Windows Workgroup Span Multiple Subnets?</h3>
-
-<p><a name="INDEX-197"/><a name="INDEX-198"/>Yes, but most people who have
-done it have had their share of headaches. Spanning multiple subnets
-was not part of the initial design of Windows NT 3.5 or Windows for
-Workgroups. As a result, a Windows domain that spans two or more
-subnets is, in reality, the
-&quot;gluing&quot; together of two or more
-workgroups that share an identical name. The good news is that you
-can still use a PDC to control authentication across each subnet. The
-bad news is that things are not as simple with browsing.</p>
-
-<p>As mentioned previously, each subnet must have its own local master
-browser. When a Windows domain spans multiple subnets, a system
-administrator will have to assign one of the computers as the
-<em class="firstterm">domain master
-browser</em><a name="INDEX-199"/><a name="INDEX-200"/>. The domain master browser will keep a
-browse list for the entire Windows domain. This browse list is
-created by periodically synchronizing the browse lists of each local
-master browser with the browse list of the domain master browser.
-After the synchronization, the local master browser and the domain
-master browser should contain identical entries. See <a href="ch01.html#samba2-CHP-1-FIG-14">Figure 1-14</a> for an illustration.</p>
-
-<div class="figure"><a name="samba2-CHP-1-FIG-14"/><img src="figs/sam2_0114.gif"/></div><h4 class="head4">Figure 1-14. A workgroup that spans more than one subnet</h4>
-
-<p>Sound good? <a name="INDEX-201"/>Well, it's not quite
-nirvana for the following reasons:</p>
-
-<ul><li>
-<p>If it exists, a PDC always plays the role of the domain master
-browser. By Microsoft design, the two always share the NetBIOS
-resource type <tt class="literal">&lt;1B&gt;</tt> and (unfortunately)
-cannot be separated.</p>
-</li><li>
-<p>Windows 95/98/Me computers cannot become <em class="emphasis">or</em>
-<em class="emphasis">even contact</em> a domain master browser. This means
-that it is necessary to have at least one Windows NT/2000/XP system
-(or Samba server) on each subnet of a multisubnet workgroup.</p>
-</li></ul>
-<p>Each subnet's local master browser continues to
-maintain the browse list for its subnet, for which it becomes
-authoritative. So if a computer wants to see a list of servers within
-its own subnet, the local master browser of that subnet will be
-queried. If a computer wants to see a list of servers outside the
-subnet, it can still go only as far as the local master browser. This
-works because at appointed intervals, the authoritative browse list
-of a subnet's local master browser is synchronized
-with the domain master browser, which is synchronized with the local
-master browser of the other subnets in the domain. This is called
-<em class="firstterm">browse list propagation</em>.</p>
-
-<p>Samba can act as a domain master browser in a Windows NT domain, or
-it can act as a local master browser for a subnet, synchronizing its
-browse list with the domain master browser.</p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-6"/>
-
-<h2 class="head1">What's New in Samba 2.2?</h2>
-
-<p><a name="INDEX-202"/><a name="INDEX-203"/>In
-Version 2.2, Samba has more advanced support for Windows networking,
-including the ability to perform the more important tasks necessary
-for acting in a Windows NT domain. In addition, Samba 2.2 has some
-support for technologies that Microsoft introduced in Windows 2000,
-although the Samba team has saved Active Directory support for
-Version 3.0.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-6.1"/>
-
-<h3 class="head2">PDC Support for Windows 2000/XP Clients</h3>
-
-<p>Samba previously could act as a PDC to authenticate Windows 95/98/Me
-and Windows NT 4 systems. This functionality has been extended in
-Release 2.2 to include Windows 2000 and Windows XP. Thus, it is
-possible to have a Samba server supporting domain logons for a
-network of Windows clients, including the most recent releases from
-Microsoft. This can result in a very stable, high-performance, and
-more secure network, and gives you the added benefit of not having to
-purchase per-seat Windows CALs from Microsoft.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-6.2"/>
-
-<h3 class="head2">Microsoft Dfs Support</h3>
-
-<p><a name="INDEX-204"/>Microsoft Dfs allows shared resources that
-are dispersed among a number of servers in the network to be gathered
-together and appear to users as if they all exist in a single
-directory tree on one server. This method of organization makes life
-much simpler for users. Instead of having to browse around the
-network on a treasure hunt to locate the resource they want to use,
-they can go directly to the Dfs server and grab what they want. Samba
-2.2 offers support for serving Dfs, so a Windows server is no longer
-needed for this purpose.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-6.3"/>
-
-<h3 class="head2">Windows NT/2000/XP Printing Support</h3>
-
-<p>Windows NT/2000/XP has a different Remote Procedure Call (RPC)-based
-printer interface than Windows 95/98/Me does. In Samba 2.2, the
-Windows NT/2000/XP interface is supported. Along with this, the Samba
-team has been adding support for automatically downloading the
-printer driver from the Samba server while adding a new printer to a
-Windows client.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-6.4"/>
-
-<h3 class="head2">ACLs</h3>
-
-<p>Samba now supports
-<a name="INDEX-205"/>ACLs on its Unix host for Unix variants
-that support them. The list includes Solaris 2.6, 7, and 8, Irix,
-AIX, Linux (with either the ACL patch for the
-<a name="INDEX-206"/>ext2/ext3 filesystem from <a href="http://acl.bestbits.at">http://acl.bestbits.at</a> or when using the
-<a name="INDEX-207"/>XFS
-filesystem), and FreeBSD (Version 5.0 and later). When using ACL
-support, Samba translates between Unix ACLs and Windows NT/2000/XP
-ACLs, making the Samba host look and act more like a Windows
-NT/2000/XP server from the point of view of Windows clients.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-6.5"/>
-
-<h3 class="head2">Support for Windows Client Administration Tools</h3>
-
-<p>Windows comes with tools that can be used from a client to manage
-shared resources remotely on a Windows server. Samba 2.2 allows these
-tools to operate on shares on the Samba server as well.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-6.6"/>
-
-<h3 class="head2">Integration with Winbind</h3>
-
-<p><a name="INDEX-208"/>Winbind is a
-facility that allows users whose account information is stored in a
-Windows domain database to authenticate on a Unix system. The result
-is a unified logon environment, in which a user account can be kept
-on either the Unix system or a Windows NT/2000 domain controller.
-This greatly facilitates account management because administrators no
-longer need to keep the two systems synchronized, and it is possible
-for users whose accounts are held in a Windows domain to authenticate
-when accessing Samba shares.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-6.7"/>
-
-<h3 class="head2">Unix CIFS Extensions</h3>
-
-<p>The <a name="INDEX-209"/><a name="INDEX-210"/>Unix CIFS extensions were developed
-at Hewlett-Packard and introduced in Samba 2.2.4. They allow Samba
-servers to support Unix filesystem attributes, such as links and
-permissions, when sharing files with other Unix systems. This allows
-Samba to be used as an alternative to network file sharing (NFS) for
-Unix-to-Unix file sharing. An advantage of using Samba is that it
-authenticates individual users, whereas NFS authenticates only
-clients (based on their IP addresses, which is a poor security
-model). This gives Samba an edge in the area of security, along with
-its much greater configurability. See <a href="ch05.html">Chapter 5</a>
-for information on how to operate Unix systems as Samba clients.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-1-SECT-6.8"/>
-
-<h3 class="head2">And More...</h3>
-
-<p>As usual, the code has numerous improvements that do not show up at
-the administrative level in an immediate or obvious way. Samba now
-functions better on systems that employ <a name="INDEX-211"/>PAM
-(Pluggable Authentication Modules), and there is new support for
-profiling. Samba's support for oplocks has been
-strengthened, offering better integration with NFS server-terminated
-leases (currently on Irix and Linux only) and in the local filesystem
-with SMB locks mapped to POSIX locks (which is dependent on each Unix
-variant's implementation of POSIX locks). And of
-course there have been the usual bug fixes.</p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-7"/>
-
-<h2 class="head1">What's New in Samba 3.0?</h2>
-
-<p>The main distinguishing feature of <a name="INDEX-212"/><a name="INDEX-213"/>Samba 3.0
-is that it includes support for <a name="INDEX-214"/>Kerberos 5 authentication and
-<a name="INDEX-215"/>LDAP, which are
-required to act as clients in an Active Directory domain. Another
-feature that appeared in Samba 3.0 is support for Unicode, which
-greatly simplifies supporting international languages.</p>
-
-<p>In later Version 3 releases, the Samba team plans to develop support
-for
-<a name="INDEX-216"/>WINS
-replication, allowing Samba to act as a secondary WINS server or as a
-primary WINS server with Windows or Samba secondary WINS servers.
-Also planned are support for acting as a Windows NT BDC and support
-for Windows NT domain trust relationships.</p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-8"/>
-
-<h2 class="head1">What Can Samba Do?</h2>
-
-<p>Now let's wrap up by showing where Samba can help
-out and where it is limited. <a href="ch01.html#samba2-CHP-1-TABLE-9">Table 1-9</a> summarizes
-which roles Samba can and cannot play in a Windows NT or Active
-Directory domain or a Windows workgroup. Many of the Windows domain
-protocols are proprietary and have not been documented by Microsoft
-and therefore must be reverse-engineered by the Samba team before
-Samba can support them. As of Version 3.0, Samba cannot act as a
-backup in most roles and does not yet fully support Active Directory.</p>
-
-<a name="samba2-CHP-1-TABLE-9"/><h4 class="head4">Table 1-9. Samba roles (as of Version 3.0)</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Role</p>
-</th>
-<th>
-<p>Can perform?</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><a name="INDEX-217"/>File server</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Printer server</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Microsoft Dfs server</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Primary domain controller</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Backup domain controller</p>
-</td>
-<td>
-<p>No</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Active Directory domain controller</p>
-</td>
-<td>
-<p>No</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 95/98/Me authentication</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows NT/2000/XP authentication</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Local master browser</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Local backup browser</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Domain master browser</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Primary WINS server</p>
-</td>
-<td>
-<p>Yes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Secondary WINS server</p>
-</td>
-<td>
-<p>No</p>
-</td>
-</tr>
-
-</table>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-9"/>
-
-<h2 class="head1">An Overview of the Samba Distribution</h2>
-
-<p><a name="INDEX-218"/>As mentioned earlier, Samba actually
-contains several programs that serve different but related purposes.
-These programs are documented more fully in <a href="appc.html">Appendix C</a>. For now, we will introduce each of them
-briefly and describe how they work together.</p>
-
-<p>The majority of the programs that come with Samba center on its two
-daemons. Let's take a refined look at the
-responsibilities of each daemon:</p>
-
-<dl>
-<dt><b><em class="emphasis">nmbd</em></b></dt>
-<dd>
-<p>The <em class="emphasis">nmbd</em><a name="INDEX-219"/> daemon is a simple name server that
-supplies WINS functionality. This daemon listens for name-server
-requests and provides the appropriate IP addresses when called upon.
-It also provides browse lists for the Network Neighborhood and
-participates in browsing elections.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbd</em></b></dt>
-<dd>
-<p>The <em class="emphasis">smbd</em><a name="INDEX-220"/> daemon manages the shared resources
-between the Samba server and its clients. It provides file, print,
-and browse services to <span class="acronym">SMB</span> clients across one or
-more networks and handles all notifications between the Samba server
-and the network clients. In addition, it is responsible for user
-authentication, resource locking, and data sharing through the
-<span class="acronym">SMB</span> protocol.</p>
-</dd>
-
-</dl>
-
-<p>New with Version 2.2, there is an additional daemon:</p>
-
-<dl>
-<dt><b><a name="INDEX-221"/><em class="emphasis">winbindd</em></b></dt>
-<dd>
-<p>This daemon is used along with the name service switch to get
-information on users and groups from a Windows NT server and allows
-Samba to authorize users through a Windows NT/2000 server.</p>
-</dd>
-
-</dl>
-
-<p>The Samba distribution also comes with a small set of Unix
-command-line tools:</p>
-
-<dl>
-<dt><b><em class="emphasis">findsmb</em><a name="INDEX-222"/></b></dt>
-<dd>
-<p>A program that searches the local network for computers that respond
-to SMB protocol and prints information on them.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">make_smbcodepage</em><a name="INDEX-223"/></b></dt>
-<dd>
-<p>A program used when working with Samba's
-internationalization features for telling Samba how to convert
-between upper- and lowercase in different character sets.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">make_unicodemap</em><a name="INDEX-224"/></b></dt>
-<dd>
-<p>Another internationalization program used with Samba for compiling
-Unicode map files that Samba uses to translate DOS codepages or Unix
-character sets into 16-bit unicode.</p>
-</dd>
-
-
-
-<dt><b><a name="INDEX-225"/><em class="emphasis">net</em></b></dt>
-<dd>
-<p>A new program distributed with Samba 3.0 that can be used to perform
-remote administration of servers.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">nmblookup</em><a name="INDEX-226"/></b></dt>
-<dd>
-<p>A program that provides NBT name lookups to find a
-computer's IP address when given its machine name.</p>
-</dd>
-
-
-
-<dt><b><a name="INDEX-227"/><em class="emphasis">pdbedit</em></b></dt>
-<dd>
-<p>A new program distributed with Samba 3.0 that is helpful for managing
-user accounts held in SAM databases.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">rpcclient</em><a name="INDEX-228"/></b></dt>
-<dd>
-<p>A program that can be used to run MS-RPC functions on Windows clients.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbcacls</em><a name="INDEX-229"/></b></dt>
-<dd>
-<p>A program that is used to set or show ACLs on Windows NT filesystems.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbclient</em><a name="INDEX-230"/></b></dt>
-<dd>
-<p>An <em class="emphasis">ftp</em>-like Unix client that can be used to connect to
-SMB shares and operate on them. The <em class="emphasis">smbclient</em>
-command is discussed in detail in <a href="ch05.html">Chapter 5</a>.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbcontrol</em><a name="INDEX-231"/></b></dt>
-<dd>
-<p>A simple administrative utility that sends messages to <em class="emphasis">nmbd</em>
-or <em class="emphasis">smbd</em>.</p>
-</dd>
-
-
-
-<dt><b><a name="INDEX-232"/><em class="emphasis">smbgroupedit</em></b></dt>
-<dd>
-<p>A command that can be used to define mappings between Windows NT
-groups and Unix groups. It is new in Samba 3.0.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbmnt</em><a name="INDEX-233"/></b></dt>
-<dd>
-<p>A helper utility used along with <em class="emphasis">smbmount.</em></p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbmount</em><a name="INDEX-234"/></b></dt>
-<dd>
-<p>A program that mounts an smbfs filesystem, allowing remote SMB shares
-to be mounted in the filesystem of the Samba host.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbpasswd</em><a name="INDEX-235"/></b></dt>
-<dd>
-<p>A program that allows an administrator to change the passwords used
-by Samba.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbsh</em><a name="INDEX-236"/></b></dt>
-<dd>
-<p>A tool that functions like a command shell to allow access to a
-remote SMB filesystem and allow Unix utilities to operate on it. This
-command is covered in <a href="ch05.html">Chapter 5</a>.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbspool</em><a name="INDEX-237"/></b></dt>
-<dd>
-<p>A print-spooling program used to send files to remote printers that
-are shared on the SMB network.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbstatus</em><a name="INDEX-238"/></b></dt>
-<dd>
-<p>A program that reports the current network connections to the shares
-on a Samba server.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbtar</em><a name="INDEX-239"/></b></dt>
-<dd>
-<p>A program similar to the Unix <em class="filename">tar</em> command, for
-backing up data in SMB shares.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">smbumount</em><a name="INDEX-240"/></b></dt>
-<dd>
-<p>A program that works along with <em class="emphasis">smbmount</em> to unmount
-smbfs filesystems.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">testparm</em><a name="INDEX-241"/></b></dt>
-<dd>
-<p>A simple program for checking the Samba configuration file.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">testprns</em><a name="INDEX-242"/></b></dt>
-<dd>
-<p>A program that tests whether printers on the Samba host are
-recognized by the <em class="filename">smbd</em> daemon.</p>
-</dd>
-
-
-
-<dt><b><em class="emphasis">wbinfo</em><a name="INDEX-243"/></b></dt>
-<dd>
-<p>A utility used to query the <em class="filename">winbindd
-</em><a name="INDEX-244"/>daemon.</p>
-</dd>
-
-</dl>
-
-<p>Each major release of Samba goes through an exposure test before
-it's announced. In addition, it is quickly updated
-afterward if problems or unwanted side effects are found. The latest
-stable distribution as of this writing is Samba 2.2.6, and this book
-focuses mainly on the functionality supported in Samba 2.2.6, as
-opposed to older versions of Samba.</p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-1-SECT-10"/>
-
-<h2 class="head1">How Can I Get Samba?</h2>
-
-<p><a name="INDEX-245"/><a name="INDEX-246"/>Source
-and binary distributions of Samba are available from mirror sites
-across the Internet. The primary web site for Samba is located at
-<a href="http://www.samba.org/">http://www.samba.org/</a>. From there, you
-can select a mirror site that is geographically near you.</p>
-
-<p>Most Linux and many Unix vendors provide binary packages. These can
-be more convenient to install and maintain than the Samba
-team's source or binary packages, due to the
-vendor's efforts to supply a package that matches
-its specific products. <a name="INDEX-247"/></p>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> You
-can also right-click the shared resource in the Network Neighborhood
-and then select the Map Network Drive menu item.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Be
-warned that many end-user license agreements forbid installing a
-program on a network so that multiple clients can access it. Check
-the legal agreements that accompany the product to be absolutely
-sure.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> You
-might also see the abbreviation NetBT, which is common in Microsoft
-literature.</p> <a name="FOOTNOTE-4"/>
-<p><a href="#FNPTR-4">[4]</a> See
-<a href="http://www.samba.org/cifs/docs/what-is-smb.html">http://www.samba.org/cifs/docs/what-is-smb.html</a>
-for Richard's excellent summary of
-<a name="INDEX-93"/>SMB.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This
-was originally called <a name="INDEX-126"/><a name="INDEX-127"/><a name="INDEX-128"/>Network Neighborhood in Windows 95/98/NT,
-but Microsoft has changed the name to My Network Places in the more
-recent Windows Me/2000/XP. We will continue to call it Network
-Neighborhood, and if you're using a new version of
-Windows, be aware that My Network Places can act a little differently
-in some ways.</p> </blockquote>
-
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-</body></html>
diff --git a/docs/htmldocs/using_samba/ch02.html b/docs/htmldocs/using_samba/ch02.html
deleted file mode 100644
index ecefb2fb7d..0000000000
--- a/docs/htmldocs/using_samba/ch02.html
+++ /dev/null
@@ -1,1849 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 2. Installing Samba on a Unix System</h1>
-
-<p><a name="INDEX-1"/>Now
-that you know what Samba can do for you and your users,
-it's time to get your own network set up.
-Let's start with the installation of Samba. When
-dancing the samba, one learns by taking small steps.
-It's just the same when installing Samba; we need to
-teach it step by step. This chapter will help you start off on the
-right foot.</p>
-
-<p>For illustrative purposes, we will be installing the 2.2.6 version of
-the Samba server on a Linux system running Version 2.4 of the kernel.
-However, the installation steps are essentially the same for all the
-platforms Samba supports.</p>
-
-
-<div class="sect1"><a name="samba2-CHP-2-SECT-1"/>
-
-<h2 class="head1">Bundled Versions</h2>
-
-<p><a name="INDEX-2"/><a name="INDEX-3"/>Samba is in such
-popular use that many Unix distributions come with it already
-installed. If you choose to use a bundled version of Samba, you can
-breeze through most of this chapter, but you'll be
-stuck with the Samba version and compile-time options your vendor
-selected for you. That version of Samba can't be any
-newer than the operating system release, so you're
-likely to be pretty far behind the latest developments. On the other
-hand, you can be fairly sure that a bundled version has been
-installed properly, and perhaps it will take only a few simple
-modifications to your <em class="emphasis">smb.conf</em> file for you to
-be off and running. Samba is mature enough that you probably
-don't need the latest release to meet your basic
-needs, so you might be perfectly happy running a bundled version.</p>
-
-<p>If you choose this option, be aware that your Samba files, including
-the very important
-<em class="emphasis">smb.conf</em>,<a name="INDEX-4"/> might be in different places
-than they would be if you were to install from a binary or source
-distribution. For example, with the Red Hat, Debian, and Mandrake
-Linux distributions, <em class="emphasis">smb.conf</em> and some other
-Samba-related files are in the <em class="emphasis">/etc/samba</em>
-directory.</p>
-
-<p>If Samba is already installed on your system, you can check to see
-what version you have by using the command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbd -V</b></tt>
-Version 2.2.6</pre></blockquote>
-
-<p>(If this doesn't work, it might be because
-<em class="emphasis">smbd</em> is not in your shell's
-search path. If you have the <em class="emphasis">locate</em> or
-<em class="emphasis">whereis</em> command in your Unix variant, you can
-use it to locate the <em class="emphasis">smbd</em> executable.)</p>
-
-<p>You might also be able to use a system-specific tool to query a
-software-package maintenance utility. On Red Hat Linux, you can use
-the <em class="emphasis">rpm</em><a name="INDEX-5"/> command to query the installed packages
-for Samba:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>rpm -qa | grep samba</b></tt>
-samba-client-2.0.8-1.7.1
-samba-2.0.8-1.7.1
-samba-common-2.0.8-1.7.1</pre></blockquote>
-
-<p>This shows we have Samba 2.0.8, divided into three Red Hat Package
-Manager (RPM) packages, bundled with Red Hat 7.1. If your version of
-Samba is old, you might at the very least want to check with your
-vendor for an update.</p>
-
-<p>Otherwise, if you're sure you are going to install
-from a binary or source distribution, you can remove the RPM packages
-as follows:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>rpm -e samba</b></tt>
-# <tt class="userinput"><b>rpm -e samba-client</b></tt>
-# <tt class="userinput"><b>rpm -e samba-common</b></tt></pre></blockquote>
-
-<p>If you are not using Red Hat Linux, consult your
-system's documentation to find the method that works
-for you.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-1.1"/>
-
-<h3 class="head2">Binary or Source?</h3>
-
-<p><a name="INDEX-6"/>Precompiled
-&quot;binary&quot; packages are also
-available for a large number of Unix platforms. These packages
-contain binaries for each Samba executable, as well as the standard
-Samba documentation. Note that while installing a binary distribution
-can save you a fair amount of time and trouble, you should keep a
-couple of issues in mind when deciding whether to use the binary or
-compile the source yourself:</p>
-
-<ul><li>
-<p>The binary packages can lag behind the latest version of the software
-by one or two (maybe more) minor releases, especially after a series
-of small changes and for less popular platforms. Compare the release
-notes for the source and binary packages to make sure there
-aren't any new features that you need on your
-platform.</p>
-</li><li>
-<p>If you use a precompiled binary that is dynamically linked, you will
-need to ensure that you have the correct libraries required by the
-executables. If your system does not already have the required
-version of a library, you might have to install a new version. The
-<em class="filename">README</em> file or <em class="filename">makefile</em>
-that accompanies the binary distribution should list any special
-requirements.</p>
-
-<p>Many systems with shared libraries come with a nifty tool called
-<em class="emphasis">ldd</em>. This tool will tell you which libraries a
-specific binary requires and which libraries on the system satisfy
-that requirement. For example, checking the <em class="emphasis">smbd</em>
-program on our test machine gave us:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ldd smbd</b></tt>
- libdl.so.2 =&gt; /lib/libdl.so.2 (0x40026000)
- libnsl.so.1 =&gt; /lib/libnsl.so.1 (0x4002a000)
- libpam.so.0 =&gt; /lib/libpam.so.0 (0x40041000)
- libc.so.6 =&gt; /lib/libc.so.6 (0x40049000)
- /lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x40000000)</pre></blockquote>
-
-<p>If there are any incompatibilities between Samba and specific
-libraries on your machine, the distribution-specific documentation
-should highlight them.</p>
-</li><li>
-<p>If your precompiled binary is statically linked, it is still possible
-to have problems. There have been cases in which the statically
-linked C library calls in Samba programs have been out of sync with
-the operating-system kernel, even though this is
-&quot;not supposed to happen.&quot;</p>
-</li><li>
-<p>Keep in mind that each binary distribution carries preset values
-about the target platform, such as default directories and
-configuration option values. Again, check the documentation and the
-makefile included in the source directory to see which directives and
-variables were used when the binary was compiled. In some cases,
-these will not be appropriate for your situation.</p>
-
-<p>A few configuration items can be reset with command-line options at
-runtime rather than at compile time. For example, if your binary
-tries to place any log, lock, or status files in the
-&quot;wrong&quot; place (for example, in
-<em class="filename">/usr/local</em> ), you can override this without
-recompiling.</p>
-</li></ul>
-<p>One point worth mentioning is that the Samba source requires an
-<a name="INDEX-7"/><a name="INDEX-8"/><a name="INDEX-9"/>ANSI C
-compiler. If you are on a legacy platform with a non-ANSI compiler,
-such as the <em class="emphasis">cc</em> compiler on SunOS Version 4,
-you'll have to install an ANSI-compliant compiler
-such as <em class="emphasis">gcc</em> <a name="INDEX-10"/>before you do anything else.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a>
-If installing a compiler isn't something you want to
-wrestle with, you can start off with a binary package. However, for
-the most flexibility and compatibility on your system, we always
-recommend compiling from the latest stable or production source.</p>
-
-<p>A typical installation will take about an hour to complete, including
-downloading the source files and compiling them, setting up the
-configuration files, and testing the server.</p>
-
-<p>Here is an overview of the steps:</p>
-
-<ol><li>
-<p><a name="INDEX-11"/>Download the source or binary files.</p>
-</li><li>
-<p>Read the installation documentation.</p>
-</li><li>
-<p>Configure a makefile.</p>
-</li><li>
-<p>Compile the server and utility programs.</p>
-</li><li>
-<p>Install the server files.</p>
-</li><li>
-<p>Create a Samba configuration file.</p>
-</li><li>
-<p>Test the configuration file.</p>
-</li><li>
-<p>Start the Samba daemons.</p>
-</li><li>
-<p>Test the Samba daemons. <a name="INDEX-12"/></p>
-</li></ol>
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-2-SECT-2"/>
-
-<h2 class="head1">Downloading the Samba Distribution</h2>
-
-<p><a name="INDEX-13"/>If
-you would like to download the latest version of the Samba software,
-the primary web site is <a href="http://www.samba.org">http://www.samba.org</a>. Once connected to this
-page, you'll see links to several Samba mirror sites
-across the world, both for the standard Samba web pages and for sites
-devoted exclusively to downloading Samba. For the best performance,
-choose a site that is closest to your own geographic location.</p>
-
-<p>The standard Samba web sites have Samba
-<a name="INDEX-14"/>documentation and
-<a name="INDEX-15"/>tutorials,
-<a name="INDEX-16"/>mailing-list
-archives, and the latest Samba <a name="INDEX-17"/>news, as well as source and binary
-distributions of Samba. The download sites (sometimes called
-<em class="emphasis">F T P sites</em>) have only the source and binary
-distributions. Unless you specifically want an older version of the
-Samba server or are going to install a binary distribution, download
-the latest source distribution from the closest mirror site. This
-distribution is always named:</p>
-
-<blockquote><pre class="code">samba-latest.tar.gz</pre></blockquote>
-
-<p>which for the 2.2.6 release is an approximately 5MB file.</p>
-
-<p>The source distribution has been archived with
-<em class="emphasis">tar</em> and then compressed with the GNU
-<em class="emphasis">gzip</em> program. To unpack it, move the file to the
-directory in which you want the Samba source directory to be located,
-then <em class="emphasis">cd</em> to that directory and run the command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>tar xvfz samba-latest.tar.gz</b></tt></pre></blockquote>
-
-<p>Or, if you do not have the GNU <em class="emphasis">tar</em> program
-(which also handles the unzipping):</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>gunzip samba-latest.tar.gz</b></tt>
-$ <tt class="userinput"><b>tar xvf samba-latest.tar</b></tt></pre></blockquote>
-
-<p>In that latter case, you might need to install the GNU
-<em class="emphasis">gunzip</em> program first. While the
-<em class="emphasis">tar</em> command runs, it will print out a list of
-the files it installs.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-2.1"/>
-
-<h3 class="head2">Read the Documentation</h3>
-
-<p><a name="INDEX-18"/>This
-part might seem obvious, but at one time or other you probably
-uncompressed a package, blindly typed:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>configure; make; make install</b></tt></pre></blockquote>
-
-<p>and walked away to get another cup of coffee. Do yourself a favor and
-be a little more careful this time.</p>
-
-<p>In the top-level directory that you just installed, there is a file
-named <em class="filename">WHATSNEW.txt</em>, which contains the latest
-news about the release. If you are upgrading, you can find important
-information about bug fixes or configuration parameters that have
-been added or are no longer supported.</p>
-
-<p>With both source and binary packages you'll find a
-large number of documents in the <em class="filename">docs</em> directory,
-in a variety of formats. One file is especially important:</p>
-
-<blockquote><pre class="code">docs/htmldocs/UNIX_INSTALL.html</pre></blockquote>
-
-<p>This is the Samba Team's official instructions on
-installing Samba on a Unix system, which you might like to use as
-another perspective besides what we are telling you here.</p>
-
-<p>In general, we expect you'll find to be most useful
-the files in the following directories:</p>
-
-<dl>
-<dt><b>docs/faq</b></dt>
-<dd>
-<p>This is the Samba Frequently Asked Questions (FAQ) files.</p>
-</dd>
-
-
-
-<dt><b>docs/htmldocs</b></dt>
-<dd>
-<p>This is the miscellaneous documentation in HTML format.</p>
-</dd>
-
-
-
-<dt><b>docs/textdocs</b></dt>
-<dd>
-<p>Here is more documentation, in simple text format.</p>
-</dd>
-
-
-
-<dt><b>docs/manpages</b></dt>
-<dd>
-<p>You don't need to worry about these yet; during the
-installation, the files will be installed so that you can use the
-<em class="emphasis">man</em> command to read them. But you can take a
-look in the directory to see which manpages are available.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-2-SECT-3"/>
-
-<h2 class="head1">Configuring Samba</h2>
-
-<p><a name="INDEX-19"/><a name="INDEX-20"/>Samba automatically configures itself
-prior to compilation. This reduces the likelihood of a
-machine-specific problem, but you might end up wishing for an option
-after Samba has been installed.</p>
-
-<p>The source distribution of Samba 2.2 and above
-doesn't initially have a
-<a name="INDEX-21"/>makefile. Instead, one is
-generated through a <a name="INDEX-22"/><a name="INDEX-23"/>GNU <em class="filename">configure</em>
-script, which is located in the <em class="filename">samba-2.2.x
-/source/</em> directory. The <em class="firstterm">configure</em>
-script takes care of the machine-specific issues of building Samba.</p>
-
-<a name="samba2-CHP-2-NOTE-88"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
-
-
-
-<p>Before running the <em class="filename">configure</em> script, it is
-important that you become the root user on the system. Otherwise, you
-might get a warning such as:</p>
-
-
-<blockquote><pre class="code">configure: warning: running as non-root will disable some tests</pre></blockquote>
-
-
-<p>You don't want any test to be disabled when the
-Samba makefile is being created; it would leave the potential for
-errors down the road when compiling or running Samba on your system.</p>
-</blockquote>
-
-<p>When the <em class="filename">configure </em>script is run, it prints out
-messages telling what it is doing, and error messages might be mixed
-in. To make sure you see those very important error messages, we
-suggest you run <em class="filename">configure </em>with its standard
-output passed through some filter to capture the output and keep it
-from scrolling out of sight. One method is using the
-<em class="filename">more</em> command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>./configure | more</b></tt></pre></blockquote>
-
-<p>We will show you another in a moment.</p>
-
-<p>Although you can run <em class="filename">configure </em>as previously
-with no options, you might want to add support for extra features by
-passing options on the command line. For example:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>./configure --with-winbind</b></tt></pre></blockquote>
-
-<p>will configure the Samba makefile with support for winbind
-authentication. If you would like a complete list of options, type
-the following:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>./configure --help</b></tt></pre></blockquote>
-
-<p>Each option enables or disables various features. You typically
-enable a feature by specifying the
-<tt class="literal">--</tt><a name="INDEX-24"/><a name="INDEX-25"/><a name="INDEX-26"/><a name="INDEX-27"/><tt class="literal">with-</tt><em class="replaceable">feature</em>
-option, which will cause the feature to be compiled and installed.
-Likewise, if you specify a
-<tt class="literal">--without-</tt><em class="replaceable">feature</em>
-option, the feature will be disabled. A full list of configuration
-options is provided in <a href="appe.html">Appendix E</a>, but for now we
-want to point out three of them, which are features we cover later in
-this book:</p>
-
-<dl>
-<dt><b><tt class="literal">--with-msdfs</tt><a name="INDEX-28"/><a name="INDEX-29"/></b></dt>
-<dd>
-<p>Include support for Microsoft Distributed filesystem (Dfs), which
-allows dispersed network resources to be clumped together into one
-easy-to-navigate directory tree. See <a href="ch08.html">Chapter 8</a>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-smbwrapper</tt><a name="INDEX-30"/><a name="INDEX-31"/></b></dt>
-<dd>
-<p>Include SMB wrapper support, which allows programs running on the
-Unix host to access SMB shared folders as if they were Unix
-filesystems. We recommend using this option. See <a href="ch05.html">Chapter 5</a>.</p>
-</dd>
-
-
-
-<dt><b><tt class="literal">--with-smbmount</tt><a name="INDEX-32"/><a name="INDEX-33"/></b></dt>
-<dd>
-<p>Include <em class="emphasis">smbmount</em> support, which allows SMB
-shared folders to be mounted in the Unix filesystem. At the time of
-this writing, support for this feature exists only for Linux. This is
-also covered in <a href="ch05.html">Chapter 5</a>.</p>
-</dd>
-
-</dl>
-
-<p>Each option is disabled by default, and none of the features is
-essential to Samba. However, you may want to include them in your
-configuration (as we will in our example) at least to be able to try
-out the options in later chapters.</p>
-
-<p>In addition, <a href="ch02.html#samba2-CHP-2-TABLE-1">Table 2-1</a> shows some other parameters
-that you can give the <em class="filename">configure</em> script if you
-wish to store parts of the Samba distribution in different places,
-perhaps to make use of multiple disks or partitions. Note that the
-defaults sometimes refer to a prefix specified earlier in the table.</p>
-
-<a name="samba2-CHP-2-TABLE-1"/><h4 class="head4">Table 2-1. Additional configure options</h4><table border="1">
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Meaning</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">--prefix</tt><a name="INDEX-34"/><a name="INDEX-35"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install architecture-independent files at the base directory
-specified.</p>
-</td>
-<td>
-<p><em class="filename">/usr/local/samba</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--eprefix</tt><a name="INDEX-36"/><a name="INDEX-37"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install architecture-dependent files at the base directory specified.</p>
-</td>
-<td>
-<p><em class="filename">/usr/local/samba</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--bindir</tt><a name="INDEX-38"/><a name="INDEX-39"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install user executables in the directory specified.</p>
-</td>
-<td>
-<p><em class="replaceable">eprefix</em><em class="filename">/bin</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--sbindir</tt><a name="INDEX-40"/><a name="INDEX-41"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install administrator executables in the directory specified.</p>
-</td>
-<td>
-<p><em class="replaceable">eprefix</em><em class="filename">/bin</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--libexecdir</tt><a name="INDEX-42"/><a name="INDEX-43"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install program executables in the directory specified.</p>
-</td>
-<td>
-<p><em class="replaceable">eprefix</em><em class="filename">/libexec</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--datadir</tt><a name="INDEX-44"/><a name="INDEX-45"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install read-only architecture-independent data in the directory
-specified.</p>
-</td>
-<td>
-<p><em class="replaceable">prefix</em><em class="filename">/share</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--libdir</tt><a name="INDEX-46"/><a name="INDEX-47"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install program libraries in the directory specified.</p>
-</td>
-<td>
-<p><em class="replaceable">eprefix</em><em class="filename">/lib</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--includedir</tt><a name="INDEX-48"/><a name="INDEX-49"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install package-include files in the directory specified.</p>
-</td>
-<td>
-<p><em class="replaceable">prefix</em><em class="filename">/include</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--infodir</tt><a name="INDEX-50"/><a name="INDEX-51"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install additional information files in the directory specified.</p>
-</td>
-<td>
-<p><em class="replaceable">prefix</em><em class="filename">/info</em></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">--mandir</tt><a name="INDEX-52"/><a name="INDEX-53"/>=<em class="replaceable">directory</em></p>
-</td>
-<td>
-<p>Install manual pages in the directory specified.</p>
-</td>
-<td>
-<p><em class="replaceable">prefix</em><em class="filename">/man</em></p>
-</td>
-</tr>
-
-</table>
-
-<p>Here is a sample execution of the
-<em class="filename">configure</em><a name="INDEX-54"/>
-script, which creates a Samba 2.2.6 makefile for the Linux platform.
-Note that you must run the configure script in the
-<em class="emphasis">source</em> directory and that we are showing you yet
-another way to capture the output of the script:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>cd samba-2.2.6/source/</b></tt>
-$ <tt class="userinput"><b>su</b></tt>
-Password:
-# <tt class="userinput"><b>./configure --with-smbwrapper --with-smbmount \</b></tt>
-<tt class="userinput"><b>--with-msdfs --with-syslog --with-utmp 2&gt;&amp;1 | tee config.my.log</b></tt>
-loading cache ./config.cache
-checking for gcc... (cached) gcc
-checking whether the C compiler (gcc -O ) works... yes
-checking whether the C compiler (gcc -O ) is a cross-compiler... no
-checking whether we are using GNU C... (cached) yes
-checking whether gcc accepts -g... (cached) yes
-checking for a BSD-compatible install... (cached) /usr/bin/install -c
-
-<i class="lineannotation">...(content omitted)...</i>
-
-checking configure summary
-configure OK
-creating ./config.status
-creating include/stamp-h
-creating Makefile
-creating include/config.h</pre></blockquote>
-
-<p>In general, any message from <em class="filename">configure</em> that
-doesn't begin with the words
-<tt class="literal">checking</tt><a name="INDEX-55"/> or
-<tt class="literal">creating</tt><a name="INDEX-56"/> is an
-<a name="INDEX-57"/>error; it often helps to redirect the
-output of the configure script to a file so that you can quickly
-search for errors, as we did with the <em class="filename">tee</em>
-command earlier. If there was an error during configuration, more
-detailed information about it can be found in the
-<em class="filename">config.log</em><a name="INDEX-58"/> file, which is written to the local
-directory by the <em class="filename">configure</em> script, as well as in
-the <em class="filename">config.my.log</em> file, which we created by
-piping through the <em class="filename">tee</em> command. These files are
-very similar in both name and content, but be careful to check both
-of them for error messages before continuing!</p>
-
-<p>If the configuration works, you'll see a
-<tt class="literal">checking</tt> <tt class="literal">configure</tt>
-<tt class="literal">summary</tt> message followed by a
-<tt class="literal">configure</tt> <tt class="literal">OK</tt> message and four
-or five file-creation messages. So far, so good. <a name="INDEX-59"/></p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-2-SECT-4"/>
-
-<h2 class="head1">Compiling and Installing Samba</h2>
-
-<p><a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/>At this point you should be ready to build
-the Samba executables. Compiling is also easy: in the
-<em class="filename">source</em> directory, type <tt class="literal">make</tt>
-on the command line. The
-<em class="filename">make</em><a name="INDEX-64"/> utility will produce a stream of
-explanatory and success messages, beginning with:</p>
-
-<blockquote><pre class="code">Using FLAGS = -O -Iinclude ...</pre></blockquote>
-
-<p>This build includes compiles for both <em class="emphasis">smbd</em> and
-<em class="emphasis">nmbd</em> and ends in a linking command for
-<em class="filename">bin/nmblookup</em>. For example, here is a sample
-make of Samba Version 2.2.6 on a Linux server:</p>
-
-<blockquote><pre class="code"># make 2&gt;&amp;1 | tee make.log
-Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE64
-_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLOGFILEBASE=&quot;/usr/local/samba/va
-r&quot; -DCONFIGFILE=&quot;/usr/local/samba/lib/smb.conf&quot; -DLMHOSTSFILE=&quot;/usr/local/samba/
-lib/lmhosts&quot; -DSWATDIR=&quot;/usr/local/samba/swat&quot; -DSBINDIR=&quot;/usr/local/samba/bin
-&quot; -DLOCKDIR=&quot;/usr/local/samba/var/locks&quot; -DCODEPAGEDIR=&quot;/usr/local/samba/lib/cod
-epages&quot; -DDRIVERFILE=&quot;/usr/local/samba/lib/printers.def&quot; -DBINDIR=&quot;/usr/local/sa
-mba/bin&quot; -DHAVE_INCLUDES_H -DPASSWD_PROGRAM=&quot;/bin/passwd&quot; -DSMB_PASSWD_FILE=&quot;/u
-sr/local/samba/private/smbpasswd&quot; -DTDB_PASSWD_FILE=&quot;/usr/local/samba/private/sm
-bpasswd.tdb&quot;
-Using FLAGS32 = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE
-64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLOGFILEBASE=&quot;/usr/local/samba/
-var&quot; -DCONFIGFILE=&quot;/usr/local/samba/lib/smb.conf&quot; -DLMHOSTSFILE=&quot;/usr/local/samb
-a/lib/lmhosts&quot; -DSWATDIR=&quot;/usr/local/samba/swat&quot; -DSBINDIR=&quot;/usr/local/samba/b
-in&quot; -DLOCKDIR=&quot;/usr/local/samba/var/locks&quot; -DCODEPAGEDIR=&quot;/usr/local/samba/lib/c
-odepages&quot; -DDRIVERFILE=&quot;/usr/local/samba/lib/printers.def&quot; -DBINDIR=&quot;/usr/local/
-samba/bin&quot; -DHAVE_INCLUDES_H -DPASSWD_PROGRAM=&quot;/bin/passwd&quot; -DSMB_PASSWD_FILE=&quot;
-/usr/local/samba/private/smbpasswd&quot; -DTDB_PASSWD_FILE=&quot;/usr/local/samba/private/
-smbpasswd.tdb&quot;
-Using LIBS = -ldl -lnsl -lpam
-Compiling smbd/server.c
-Compiling smbd/files.c
-Compiling smbd/chgpasswd.c
-Compiling smbd/connection.c
-Compiling smbd/utmp.c
-Compiling smbd/session.c
-Compiling smbd/dfree.c
-Compiling smbd/dir.c
-
-<i class="lineannotation">...(content omitted)...</i>
-
-Compiling rpc_server/srv_srvsvc.c
-Compiling rpc_server/srv_srvsvc_nt.c
-Compiling rpc_server/srv_util.c
-Compiling rpc_server/srv_wkssvc.c
-Compiling rpc_server/srv_wkssvc_nt.c
-Compiling rpc_server/srv_pipe.c
-Compiling rpc_server/srv_dfs.c
-Compiling rpc_server/srv_dfs_nt.c
-Compiling rpc_server/srv_spoolss.c
-Compiling rpc_server/srv_spoolss_nt.c
-Compiling lib/util_getent.c
-Compiling rpc_parse/parse_lsa.c
-Compiling rpc_parse/parse_net.c
-Compiling rpc_parse/parsen/smbmount
-Compiling client/smbmnt.c
-Linking bin/smbmnt
-Compiling client/smbumount.c
-Linking bin/smbumount
-Compiling utils/nmblookup.c
-Linking bin/nmblookup</pre></blockquote>
-
-<p>If you encounter a problem when compiling, first check the Samba
-documentation to see if it is easily fixable. Another possibility is
-to search or post to the Samba mailing lists, which are given at the
-end of <a href="ch12.html">Chapter 12</a> and on the Samba home page. Most
-compilation issues are system-specific and almost always easy to
-overcome.</p>
-
-<p>Now that the files have been compiled, you can install them into the
-directories you identified with the command:</p>
-
-<blockquote><pre class="code">#<tt class="userinput"><b> make install</b></tt></pre></blockquote>
-
-<p>If you happen to be <a name="INDEX-65"/>upgrading, your old Samba files will be
-saved with the extension
-<em class="emphasis">.old</em>,<a name="INDEX-66"/> and you can go back to that previous
-version with the command
-<tt class="literal">make</tt><a name="INDEX-67"/> <tt class="literal">revert</tt>. After doing a
-<tt class="literal">make</tt><a name="INDEX-68"/> <tt class="literal">install</tt>, you should
-copy the <em class="emphasis">.old</em> files (if they exist) to a new
-location or name. Otherwise, the next time you install Samba, the
-original <em class="emphasis">.old</em> will be overwritten without
-warning and you could lose your earlier version. If you configured
-Samba to use the default locations for files, the new files will be
-installed in the directories listed in <a href="ch02.html#samba2-CHP-2-TABLE-2">Table 2-2</a>.
-Remember that you need to perform the installation from an account
-that has write privileges on these target directories; this is
-typically the root account.</p>
-
-<a name="samba2-CHP-2-TABLE-2"/><h4 class="head4">Table 2-2. Samba installation directories</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Directory</p>
-</th>
-<th>
-<p>Description</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><em class="emphasis">/usr/local/samba</em></p>
-</td>
-<td>
-<p>Main tree</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><em class="emphasis">/usr/local/samba/bin</em></p>
-</td>
-<td>
-<p>Binaries</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><em class="emphasis">/usr/local/samba/lib</em></p>
-</td>
-<td>
-<p><em class="emphasis">smb.conf</em>, <em class="emphasis">lmhosts</em>,
-configuration files, etc.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><em class="emphasis">/usr/local/samba/man</em></p>
-</td>
-<td>
-<p>Samba documentation</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><em class="emphasis">/usr/local/samba/private</em></p>
-</td>
-<td>
-<p>Samba-encrypted password file</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><em class="emphasis">/usr/local/samba/swat</em></p>
-</td>
-<td>
-<p>SWAT files</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><em class="emphasis">/usr/local/samba/var</em></p>
-</td>
-<td>
-<p>Samba log files, lock files, browse list info, shared memory files,
-process ID files</p>
-</td>
-</tr>
-
-</table>
-
-<p>Throughout the remainder of the book, we occasionally refer to the
-location of the main tree as <em class="filename">/usr/local/samba</em>.
-In most configurations, this is the base directory of the installed
-Samba package; however, it can vary from system to system<em class="filename">
-</em>.</p>
-
-<a name="samba2-CHP-2-NOTE-90"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Watch out if you've made <em class="filename">/usr</em> a
-read-only partition. You will want to put the logs, locks, and
-password files somewhere else.</p>
-</blockquote>
-
-<p>Here is the installation that we performed on our machine. You can
-see that we used <em class="filename">/usr/local/samba</em> as the base
-directory for the distribution:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>make install 2&gt;&amp;1 | tee make-install.log</b></tt>
-Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE64
-_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLOGFILEBASE=&quot;/usr/local/samba/va
-r&quot; -DCONFIGFILE=&quot;/usr/local/samba/lib/smb.conf&quot;
-
-<i class="lineannotation">...(content omitted)...</i>
-
-The binaries are installed. You can restore the old binaries (if there
-were any) using the command &quot;make revert&quot;. You can uninstall the binaries
-using the command &quot;make uninstallbin&quot; or &quot;make uninstall&quot; to uninstall
-binaries, manpages and shell scripts.
-
-<i class="lineannotation">...(content omitted)...</i>
-
-======================================================================
-The SWAT files have been installed. Remember to read the swat/README
-for information on enabling and using SWAT.
-======================================================================</pre></blockquote>
-
-<p>If the last message is about SWAT, you've
-successfully installed all the files. Congratulations! You now have
-Samba on your system!</p>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-4.1"/>
-
-<h3 class="head2">Upgrading Your Installation</h3>
-
-<p><a name="INDEX-70"/><a name="INDEX-71"/>Eventually a new version of
-Samba will be released, and you will want to upgrade. This is simple;
-just repeat the same steps you used to install your current version.
-Download the source distribution from the Samba web site and install
-it, then run the <tt class="literal">./configure</tt>,
-<tt class="literal">make</tt>, and <tt class="literal">make</tt>
-<tt class="literal">install</tt> commands as before. If
-you've forgotten which options you used with the
-<a name="INDEX-72"/><a name="INDEX-73"/><a name="INDEX-74"/><a name="INDEX-75"/><em class="emphasis">configure</em>
-script, take a look at the
-<em class="filename">source/config.status</em><a name="INDEX-76"/><a name="INDEX-77"/> file in your previous
-version's source distribution. The first few lines
-of this file show the options used the last time
-<em class="emphasis">configure</em> was run.</p>
-
-<p>When you run the <tt class="literal">make
-install</tt><a name="INDEX-78"/> command to install your new
-version, the files of the previous version are replaced with the new
-ones, and then all you have to do is restart the Samba daemons to get
-your new version running. See <a href="ch02.html#samba2-CHP-2-SECT-8">Section 2.8</a> later in this chapter for directions on how to do this.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-4.2"/>
-
-<h3 class="head2">Reconfiguring Samba</h3>
-
-<p><a name="INDEX-79"/>If you
-have already compiled Samba and wish to recompile the same source
-code with different <em class="emphasis">configure</em> options, you
-should run the following three commands in the
-<em class="emphasis">source</em> directory before rerunning the
-<em class="emphasis">configure</em> script:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>autoconf</b></tt>
-# <tt class="userinput"><b>make clean</b></tt>
-# <tt class="userinput"><b>rm config.cache</b></tt></pre></blockquote>
-
-<p>This ensures that you are starting with a clean slate and that your
-previous <em class="emphasis">configure</em> command does not leave any
-data around that can affect your new build. From here, you can rerun
-<tt class="literal">./configure</tt> and then <tt class="literal">make</tt> and
-<tt class="literal">make install</tt>.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-4.3"/>
-
-<h3 class="head2">Setting Search Paths</h3>
-
-<p><a name="INDEX-80"/>You
-will probably want to run commands included in the Samba distribution
-without having to specify their full directory paths. For that to
-work, the directory in which the Samba executables are located,
-<em class="filename">/usr/local/samba/bin</em> by default, must be added
-to your shell's <a name="INDEX-81"/>PATH environment variable. This
-environment variable is usually set in one or more of the
-shell's startup files, which in the case of
-<em class="emphasis">bash</em> are <em class="filename">/etc/profile</em>
-(systemwide) and the <em class="filename">.bash_profile</em> and
-<em class="filename">.bashrc</em> files in each user's
-home directory.</p>
-
-<p>To be able to read the <a name="INDEX-82"/><a name="INDEX-83"/><a name="INDEX-84"/>Samba manual pages using the
-<em class="emphasis">man</em> command, the directory where
-Samba's manual pages reside,
-<em class="filename">/usr/local/samba/man</em> by default, must be in your
-<a name="INDEX-85"/>MANPATH environment variable. On Red
-Hat Linux, this can be accomplished by adding the following two lines
-to <em class="filename">/etc/man.config</em>:</p>
-
-<a name="INDEX-86"/><a name="INDEX-87"/><blockquote><pre class="code">
-MANPATH /usr/local/samba/man
-MANPATH_MAP /usr/local/samba/bin /usr/local/samba/man</pre></blockquote>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-2-SECT-5"/>
-
-<h2 class="head1">Enabling SWAT</h2>
-
-<p>The <a name="INDEX-88"/><a name="INDEX-89"/>Samba
-Web Administration Tool (SWAT) runs as a daemon under
-<em class="emphasis">inetd</em> or <em class="filename">xinetd </em>and
-provides a forms-based editor in your web browser for creating and
-modifying <a name="INDEX-90"/>Samba's
-configuration file. For SWAT to work, entries must be added for it in
-the <em class="filename">/etc/services</em> and
-<em class="filename">/etc/inetd.conf</em> (or
-<em class="filename">/etc/xinetd.d/swat) </em>configuration files. To add
-the entries, follow these two steps:</p>
-
-<ol><li>
-<p>Check your <em class="filename">/etc/services</em> file, and if it does
-not contain the following line, add it to the end of the file:</p>
-
-<blockquote><pre class="code">swat 901/tcp</pre></blockquote>
-</li>
-<li>
-<p>Now for <em class="filename">inetd </em><a name="INDEX-91"/>or <em class="filename">xinetd.
-</em><a name="INDEX-92"/>These are &quot;Internet
-super daemons&quot; that handle starting daemons on
-demand, instead of letting them sit around in memory consuming system
-resources. Most systems use <em class="filename">inetd, </em>but
-<em class="filename">xinetd </em>is also used in some versions of Unix,
-notably the Red Hat Linux (Versions 7 and newer) that we use in our
-examples. You can use the <em class="emphasis">ps</em> command to see
-which of the two your system is running.</p>
-</li></ol>
-<p>For <em class="filename">inetd, </em>add a line to the
-<em class="emphasis">/etc/</em><em class="filename">inetd.conf </em>file.
-(Check your <em class="filename">inetd.conf</em> manual page to see the
-exact format of the<em class="filename"> inetd.conf</em> file if it
-differs from the following example.) Don't forget to
-change the path to the SWAT binary if you installed it in a different
-location from the default <em class="filename">/usr/local/samba</em>:</p>
-
-<blockquote><pre class="code">swat stream tcp nowait root /usr/local/samba/bin/swat swat</pre></blockquote>
-
-<p>Then force <em class="filename">inetd</em> to reread its configuration
-file by sending it a SIGHUP (hangup) signal:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>/bin/kill -HUP -a inetd</b></tt></pre></blockquote>
-
-<p>Notice that we are using a version of the <em class="emphasis">kill</em>
-command that supports the <em class="emphasis">-a</em> option, so as to
-allow us to specify the process by name. On FreeBSD and Linux, you
-can use the <em class="emphasis">killall</em> command<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> as follows:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>killall -HUP inetd</b></tt></pre></blockquote>
-
-<p>If you are not running Linux or FreeBSD and your version of
-<em class="emphasis">kill</em> doesn't have the
-<em class="emphasis">-a</em> option, you will need to use the
-<em class="emphasis">ps</em> command to find the process ID and then
-supply that to <em class="emphasis">kill</em>:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>ps ax | grep inetd</b></tt>
- 780 ? S 0:00 inetd
- 1981 pts/4 S 0:00 grep inetd
-# <tt class="userinput"><b>kill -HUP 780</b></tt></pre></blockquote>
-
-<p>If your system is using <em class="filename">xinet, </em>add a file named
-<em class="emphasis">swat</em> in your <em class="filename">/etc/xinetd.d
-</em>directory, containing the following:</p>
-
-<blockquote><pre class="code"># description: swat is the Samba Web Administration Tool, which
-# allows an administrator to configure Samba using a web
-# browser interface, with the URL http://localhost:901
-service swat.
-{
- socket_type = stream
- wait = no
- protocol = tcp
- only_from = localhost
- user = root
- log_on_failure += USERID
- server = /usr/local/samba/bin/swat
- port = 901
- disable = no
-}</pre></blockquote>
-
-<p>Then <em class="emphasis">xinetd</em> needs to be sent a signal<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> to make it reread its configuration files:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>/bin/kill -HUP -a xinetd</b></tt></pre></blockquote>
-
-<p>And that's pretty much it for the installation.
-Before you can start up Samba, however, you need to create a
-configuration file for it.</p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-2-SECT-6"/>
-
-<h2 class="head1">A Basic Samba Configuration File</h2>
-
-<p><a name="INDEX-93"/>The
-key to configuring Samba is its configuration file,
-<em class="filename">smb.conf</em>. This configuration file can be very
-simple or extremely complex, and the rest of this book is devoted to
-helping you get deeply personal with this file. For now, however,
-we'll show you how to set up a single file service,
-which will allow you to fire up the Samba daemons and see that
-everything is running as it should be. In later chapters, you will
-see how to configure Samba for more complicated and interesting
-tasks.</p>
-
-<p>The installation process does not automatically create an
-<em class="filename">smb.conf</em> configuration file, although several
-example files are included in the Samba distribution. To test the
-server software, though, we'll use the following
-file, which you can create in a text editor. It should be named
-<em class="filename">smb.conf</em> and placed in the
-<em class="emphasis">/usr/local/samba/lib</em> directory:<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a></p>
-
-<blockquote><pre class="code">[global]
- workgroup = METRAN
-[test]
- comment = For testing only, please
- path = /usr/local/samba/tmp
- read only = no
- guest ok = yes</pre></blockquote>
-
-<p>This brief configuration file tells the Samba server to offer the
-<em class="filename">/usr/local/samba/tmp</em> directory on the server as
-an SMB share called <em class="emphasis">test</em>. The server also
-becomes part of the METRAN workgroup, of which each client must also
-be a part. If you have already chosen a name for your own workgroup,
-use the name of your workgroup instead of METRAN in the previous
-example. In case you are connecting your Samba system into an
-existing network and need to know the workgroup name, you can ask
-another system administrator or go to a Windows system in the
-workgroup and follow these instructions:</p>
-
-<ul><li>
-<p>Windows 95/98/Me/NT: open the Control Panel, then double-click the
-Network icon. Click the Identification tab, and look for the
-&quot;Workgroup:&quot; label.</p>
-</li><li>
-<p>Windows 2000: open the Control Panel and double-click the System
-icon. Click the Network Identification tab. The workgroup name will
-appear below the computer name.</p>
-</li><li>
-<p>Windows XP: open the Control Panel in Classic View mode and
-double-click the System icon. Then click the Computer Name tab.</p>
-</li></ul>
-<p>We'll use the <tt class="literal">[test]</tt> share in the
-next chapter to set up the Windows clients. For now, you can complete
-the setup by performing the following commands as root on your Unix
-server:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/tmp</b></tt>
-# <tt class="userinput"><b>chmod 777 /usr/local/samba/tmp</b></tt></pre></blockquote>
-
-<p>You might also want to put a file or two in the
-<em class="filename">/usr/local/samba/tmp</em> directory so that after
-your Windows systems are initially configured, you will have
-something to use to check that everything works.</p>
-
-<p>We should point out that in terms of system security, this is the
-worst setup possible. For the moment, however, we only wish to test
-Samba, so we'll leave security out of the picture.
-In addition, we will encounter some encrypted password issues with
-Windows clients later on, so this setup will afford us the least
-amount of headaches.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-6.1"/>
-
-<h3 class="head2">Encrypted Passwords</h3>
-
-<p><a name="INDEX-94"/><a name="INDEX-95"/><a name="INDEX-96"/>If your Windows clients are using Windows
-98 or Windows NT 4 Service Pack 3 or above (including Windows 2000
-and Windows XP) and you are using a version of Samba earlier than
-3.0, you must add the following entry to the
-<tt class="literal">[global]</tt> section of the Samba configuration file:</p>
-
-<blockquote><pre class="code">[global]
- encrypt passwords = yes</pre></blockquote>
-
-<p>In addition, you must use the
-<em class="filename">smbpasswd</em><a name="INDEX-97"/> program (typically located in the
-directory <em class="filename">/usr/local/samba/bin/ </em>) to enter the
-username/password combinations of the Samba users into
-Samba's encrypted password database. For example, if
-you wanted to allow Unix user <tt class="literal">steve</tt> to access
-shares from a client system, you would use this command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a steve</b></tt>
-New SMB password:
-Retype new SMB password:
-Added user steve.</pre></blockquote>
-
-<p>When the first user is added, the program will output a message
-saying that the encrypted password database does not exist.
-Don't worry: it will then create the database for
-you. Make sure that the username/password combinations you add to the
-encrypted database match the usernames and passwords you intend to
-use on the Windows client side. You must run
-<em class="emphasis">smbpasswd</em> for each client user.</p>
-
-<p>In Samba 3.0, passwords are encrypted by default, so the
-<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> parameter in the
-configuration file is optional. However, you will still need to run
-the <em class="emphasis">smbpasswd</em> command to add users to the
-encrypted password file.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-6.2"/>
-
-<h3 class="head2">Using SWAT</h3>
-
-<p><a name="INDEX-98"/>Creating
-a configuration file with SWAT is even easier than writing a
-configuration file by hand. To invoke SWAT, use your web browser to
-connect to <em class="emphasis">http://localhost:901</em>, and log on as
-root with the root password, as shown in <a href="ch02.html#samba2-CHP-2-FIG-1">Figure 2-1</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-2-FIG-1"/><a name="INDEX-99"/><img src="figs/sam2_0201.gif"/></div><h4 class="head4">Figure 2-1. SWAT login</h4>
-
-<p>After logging in, click the GLOBALS button at the top of the screen.
-You should see the Global Variables page shown in <a href="ch02.html#samba2-CHP-2-FIG-2">Figure 2-2</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-2-FIG-2"/><img src="figs/sam2_0202.gif"/></div><h4 class="head4">Figure 2-2. SWAT Global Variables page</h4>
-
-<p>In this example, notice that SWAT retrieved the workgroup name from
-the <em class="emphasis">smb.conf</em> file that you created. (If it
-didn't, go back and perform that step correctly.)
-Make sure that the <tt class="literal">security</tt> field is set to
-<tt class="literal">USER</tt>.</p>
-
-<p>If you are running Samba 2.2 and your Windows clients are at least
-Windows 98 or Windows NT 4 SP 3 or later versions, find
-<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> in the
-Security Options section and select <tt class="literal">yes</tt>.</p>
-
-<p>The only other option you need to change from the menu is one
-determining which system on the LAN resolves NetBIOS addresses; this
-system is called the <em class="emphasis">WINS server</em>. At the very
-bottom of the page, set the <tt class="literal">wins</tt>
-<tt class="literal">support</tt> field to <tt class="literal">Yes</tt>, unless
-you already have a WINS server on your network. If you do, put the
-WINS server's IP address in the
-<tt class="literal">wins</tt> <tt class="literal">server</tt> field instead. Then
-return to the top of the screen, and press the Commit Changes button
-to write the changes out to the <em class="emphasis">smb.conf</em> file.</p>
-
-<p>Next, click the SHARES icon. You should see a page similar to <a href="ch02.html#samba2-CHP-2-FIG-3">Figure 2-3</a>. Select <tt class="literal">test</tt> (to the right
-of the Choose Share button), and click the Choose Share button. You
-will see the Share Parameters screen, as shown in <a href="ch02.html#samba2-CHP-2-FIG-3">Figure 2-3</a>, with the <tt class="literal">comment</tt> and
-<tt class="literal">path</tt> fields filled in from your
-<em class="emphasis">smb.conf</em> file.</p>
-
-<div class="figure"><a name="samba2-CHP-2-FIG-3"/><img src="figs/sam2_0203.gif"/></div><h4 class="head4">Figure 2-3. SWAT Share Parameters screen</h4>
-
-<p>If you specified that you want to use encrypted passwords on the
-GLOBALS page, click the PASSWORD button. Near the top of the screen,
-you will see the Server Password Management section. Enter your Unix
-username and password in the spaces, and click the Add New User
-button. This functions the same as the <em class="emphasis">smbpasswd</em>
-utility and creates an entry in the
-<em class="emphasis">/usr/local/samba/private/smbpasswd</em> file to allow
-you to authenticate from a Windows client.</p>
-
-<p>Now click the VIEW button at the top, and SWAT shows you the
-following <em class="filename">smb.conf</em> file:</p>
-
-<blockquote><pre class="code"># Samba config file created using SWAT
-# from localhost (127.0.0.1)
-# Date: 2002/09/05 04:56:43
-
-# Global parameters
- workgroup = METRAN
- encrypt passwords = Yes
- wins support = Yes
-
-[test]
- comment = For testing only!
- path = /usr/local/samba/tmp
- read only = No</pre></blockquote>
-
-<p>Once this configuration file is completed, you can skip the next step
-because the output of SWAT is guaranteed to be syntactically correct.
-<a name="INDEX-100"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-6.3"/>
-
-<h3 class="head2">Disabling Oplocks</h3>
-
-<p>The <em class="filename">smb.conf</em><a name="INDEX-101"/><a name="INDEX-102"/>
-file you have just created is certainly good enough for the purpose
-of initial setup and testing, and you can use it as a starting point
-from which to develop the configuration of your production Samba
-server. But before you get too far with that, we want to bring one
-thing to your attention.</p>
-
-<p>If you are the type of administrator who is highly concerned about
-data integrity, you might want to make the following modification to
-your <em class="filename">smb.conf</em> file before continuing:</p>
-
-<blockquote><pre class="code">[global]
- oplocks = no</pre></blockquote>
-
-<p>That is, use a text editor to add the line <tt class="literal">oplocks</tt>
-<tt class="literal">=</tt> <tt class="literal">no</tt> to the
-<tt class="literal">[global]</tt> section of your
-<em class="filename">smb.conf</em> file. With this example, as with other
-examples we will present throughout this book, you do not need to
-enter the <tt class="literal">[global]</tt> line again in your
-configuration file. We include it only to indicate in which section
-the parameter belongs.</p>
-
-<p>The <tt class="literal">oplocks</tt> <tt class="literal">=</tt>
-<tt class="literal">no</tt> parameter disables opportunistic locking by
-clients. This will result in significantly poorer performance, but
-will help ensure that flaky Windows clients and/or unreliable network
-hardware will not lead to corrupted files on the Samba server.</p>
-
-<p>We will cover opportunistic locking (oplocks) in more detail in the
-section &quot;Locks and Oplocks&quot; in
-<a href="ch08.html">Chapter 8</a>, and recommend that you understand the
-ideas presented there before implementing a production Samba server
-that serves database files or other valuable data.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-6.4"/>
-
-<h3 class="head2">Testing the Configuration File</h3>
-
-<p><a name="INDEX-103"/>If you
-didn't use SWAT to create your configuration file,
-you should probably test it to ensure that it is syntactically
-correct. It might seem silly to run a test program against an
-eight-line configuration file, but it's good
-practice for the real ones that we'll be writing
-later on.</p>
-
-<p>The test parser,
-<em class="filename">testparm</em><a name="INDEX-104"/>, examines an
-<em class="filename">smb.conf</em> file for syntax errors and reports any
-it finds along with a list of the services enabled on your machine.
-An example follows; you'll notice that in our haste
-to get the server running we mistyped <tt class="literal">workgroup</tt> as
-<tt class="literal">workgrp</tt> (the output is often lengthy, so we
-recommend capturing it with the <em class="emphasis">tee</em> command):</p>
-
-<blockquote><pre class="code">Load smb config files from smb.conf
-Unknown parameter encountered: &quot;workgrp&quot;
-Ignoring unknown parameter &quot;workgrp&quot;
-Processing section &quot;[test]&quot;
-Loaded services file OK.
-Press Enter to see a dump of your service definitions
-# Global parameters
-[global]
- workgroup = WORKGROUP
- netbios name =
- netbios aliases =
- server string = Samba 2.2.6
- interfaces =
- bind interfaces only = No
-
-<i class="lineannotation">...(content omitted)...</i>
-
-[test]
- comment = For testing only!
- path = /usr/local/samba/tmp
- read only = No</pre></blockquote>
-
-<p>The interesting parts are at the top and bottom. The top of the
-output will flag any syntax errors that you might have made, and the
-bottom lists the services that the server thinks it should offer. A
-word of advice: make sure you and the server have the same
-expectations. <a name="INDEX-105"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-2-SECT-7"/>
-
-<h2 class="head1">Firewall Configuration</h2>
-
-<p><a name="INDEX-106"/>As
-with any services that run on TCP/IP, the SMB networking services
-offered by Samba can be accessed from across the Internet unless your
-organization's firewall is properly configured. The
-following ports are used by Samba for SMB networking and SWAT:</p>
-
-<dl>
-<dt><b>Port 137</b></dt>
-<dd>
-<p>Used for NetBIOS network browsing</p>
-</dd>
-
-
-
-<dt><b>Port 138</b></dt>
-<dd>
-<p>Used for NetBIOS name service</p>
-</dd>
-
-
-
-<dt><b>Port 139</b></dt>
-<dd>
-<p>Used for file and printer sharing and other operations</p>
-</dd>
-
-
-
-<dt><b>Port 445</b></dt>
-<dd>
-<p>Used by Windows 2000/XP when NetBIOS over TCP/IP is disabled</p>
-</dd>
-
-
-
-<dt><b>Port 901</b></dt>
-<dd>
-<p>Used by SWAT</p>
-</dd>
-
-</dl>
-
-<p>At the minimum, your organization's Internet
-firewall should shut down all the ports in the list to traffic in
-both directions. Do not assume that preventing incoming connections
-is sufficient; there are cracks that trick Windows clients into
-sending data out of the local area network and into the Internet by
-SMB protocol, even from a local network that uses private IP
-addresses not forwarded by routers. If you want SMB traffic to travel
-across the Internet to remote sites, the best way is to use a virtual
-private network (VPN). See the O'Reilly book,
-<em class="citetitle">Virtual Private Networks</em>, for more information
-on this subject.</p>
-
-<p>In addition, you might wish to configure a firewall on the Samba host
-system to keep SMB packets from traveling further than necessary
-within your organization's network. For example,
-port 901 can be shut down for remote accesses so that SWAT can be run
-only on the Samba host system. If you are using Samba to serve only a
-fraction of the client systems within your organization, consider
-allowing SMB packets (i.e., packets on ports 137-139 and 445) to go
-to or come from only those clients.</p>
-
-<p>For more information on configuring firewalls, see the
-O'Reilly book <em class="citetitle">Building Internet
-Firewalls</em>.</p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-2-SECT-8"/>
-
-<h2 class="head1">Starting the Samba Daemons</h2>
-
-<p>Two Samba processes,
-<em class="emphasis">smbd</em><a name="INDEX-107"/> and
-<em class="emphasis">nmbd</em><a name="INDEX-108"/>, need to be running for Samba to work
-correctly. There are three ways to start them:</p>
-
-<ul><li>
-<p>Manually</p>
-</li><li>
-<p>Automatically, during system boot</p>
-</li><li>
-<p>From <em class="emphasis">inetd or xinetd</em></p>
-</li></ul>
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-8.1"/>
-
-<h3 class="head2">Starting the Daemons Manually</h3>
-
-<p><a name="INDEX-109"/><a name="INDEX-110"/>If you're in a
-hurry, you can start the Samba daemons by hand. As root, simply enter
-the following commands:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>/usr/local/samba/bin/smbd -D</b></tt>
-# <tt class="userinput"><b>/usr/local/samba/bin/nmbd -D</b></tt></pre></blockquote>
-
-<p>Samba will now be running on your system and is ready to accept
-connections. However, keep in mind that if either of the daemons exit
-for any reason (including system reboots), they will need to be
-restarted manually.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-8.2"/>
-
-<h3 class="head2">Automatic Startup</h3>
-
-<p><a name="INDEX-111"/><a name="INDEX-112"/>To have the Samba daemons
-started automatically when the system boots, you need to add the
-commands listed in the previous section to your standard Unix startup
-scripts. The exact method varies depending on the flavor of Unix
-you're using.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.1"/>
-
-<h3 class="head3">BSD Unix</h3>
-
-<p><a name="INDEX-113"/><a name="INDEX-114"/><a name="INDEX-115"/>With a BSD-style Unix, you need to append
-the following code to the <em class="filename">rc.local </em>file, which
-is typically found in the <em class="filename">/etc</em> or
-<em class="filename">/etc/rc.d</em> directories:</p>
-
-<blockquote><pre class="code">if [ -x /usr/local/samba/bin/smbd]; then
- echo &quot;Starting smbd...&quot;
- /usr/local/samba/bin/smbd -D
- echo &quot;Starting nmbd...&quot;
- /usr/local/samba/bin/nmbd -D
-fi</pre></blockquote>
-
-<p>This code is very simple: it checks to see if the
-<em class="filename">smbd</em> file exists and has execute permissions,
-and if it does, it starts up both of the Samba daemons on system
-boot.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.2"/>
-
-<h3 class="head3">System V Unix</h3>
-
-<p><a name="INDEX-116"/><a name="INDEX-117"/><a name="INDEX-118"/>With System V, things can get a little
-more complex. Depending on your Unix version, you might be able to
-get away with making a simple change to an
-<em class="filename">rc.local</em> file as with BSD Unix, but System V
-typically uses directories containing links to scripts that control
-daemons on the system. Hence, you need to instruct the system how to
-start and stop the Samba daemons. The first step to implement this is
-to modify the contents of the <em class="filename">/etc/rc.d/init.d</em>
-directory by adding something similar to the following shell script,
-which for this example we will name <em class="filename">smb </em>:</p>
-
-<blockquote><pre class="code">#!/bin/sh
-
-# Check that the Samba configuration file exists
-[ -f /usr/local/samba/lib/smb.conf ] || exit 0
-
-start( )
-{
- echo -n &quot;Starting SMB services: &quot;
- /usr/local/samba/bin/smbd -D
- ERROR=$?
- echo
-
- echo -n &quot;Starting NMB services: &quot;
- /usr/local/samba/bin/nmbd -D
- ERROR2=$?
- if [ $ERROR2 -ne 0 ]
- then
- ERROR=1
- fi
- echo
-
- return $ERROR
-}
-
-stop( )
-{
- echo -n &quot;Shutting down SMB services: &quot;
- /bin/kill -TERM -a smbd
- ERROR=$?
- echo
-
- echo -n &quot;Shutting down NMB services: &quot;
- /bin/kill -TERM -a nmbd
- ERROR2=$?
- if [ $ERROR2 -ne 0 ]
- then
- ERROR=1
- fi
- echo
-
- return $ERROR
-}
-
-case &quot;$1&quot; in
- start)
- start
- ;;
- stop)
- stop
- ;;
- *)
- echo &quot;Usage: $0 {start|stop}&quot;
- exit 1
-esac
-
-exit $?</pre></blockquote>
-
-<p>With this script, you can start and stop <em class="emphasis">smbd</em>
-and <em class="emphasis">nmbd</em> like this:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/smb start</b></tt>
-Starting SMB services:
-Starting NMB services:
-# <tt class="userinput"><b>ps ax | grep mbd</b></tt>
- 1268 ? S 0:00 /usr/local/samba/bin/smbd -D
- 1270 ? S 0:00 /usr/local/samba/bin/nmbd -D
- 1465 pts/2 S 0:00 grep mbd
-# <tt class="userinput"><b>/etc/rc.d/init.d/smb stop</b></tt>
-Shutting down SMB services:
-Shutting down NMB services:</pre></blockquote>
-
-<p>If you are having trouble writing a startup script for your system,
-check to see if there is a packaged release of Samba (available from
-your Unix vendor or the Samba FTP site). If so, you might be able to
-extract a startup script from it to use as a starting point.
-Typically, this script doesn't change much (if at
-all) from release to release, so using a script from an older Samba
-version should not be a problem. Another possibility is to check the
-<em class="filename">packaging</em> directory in the Samba source
-distribution. In that directory, there are subdirectories for many
-Unix versions in which you can find a startup script for those
-versions. Even if your version isn't included, you
-can probably find a startup script for a similar version to use as a
-starting point.</p>
-
-<p>Finally, we need to add symbolic links to the
-<em class="filename">smb</em> script in the
-<em class="emphasis">/etc/rc.d/rcX.d</em> directories:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc3.d/S35smb</b></tt>
-# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc5.d/S35smb</b></tt>
-
-# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc0.d/K35smb</b></tt>
-# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc1.d/K35smb</b></tt>
-# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc2.d/K35smb</b></tt>
-# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc4.d/K35smb</b></tt>
-# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc6.d/K35smb</b></tt></pre></blockquote>
-
-<p>The first two commands, with link names starting with an
-&quot;S&quot;, cause Samba to be started when
-entering runlevels 3 or 5, which are the runlevels in which network
-file sharing (NFS) is normally enabled. The second group of commands,
-with link names starting with a
-&quot;K&quot;, cause Samba to be shut down
-when entering any of the other runlevels (0, 1, 2, 4, or 6).</p>
-
-<p>The links starting with &quot;S&quot; are
-used to start the daemons, and the links starting with
-&quot;K&quot; are used for killing them. When
-the runlevel is changed, the links starting with
-&quot;K&quot; in the corresponding directory
-(e.g., the <em class="filename">rc3.d</em> directory for runlevel 3) are
-executed, followed by the links starting with
-&quot;S&quot;. If we wanted, we could have
-Samba restarted when switching between runlevels 3 and 5 by adding a
-<em class="filename">K35smb</em> link to each <em class="filename">rc3.d</em>
-and <em class="filename">rc5.d </em>directory.</p>
-
-<p>The number after the K or S in the link names is used to set the
-order in which all the daemons with links in the directory are
-started or killed off. Get a long listing of the
-<em class="emphasis">rc3.d</em> or <em class="emphasis">rc5.d</em> directories
-to see how this is set up on your system. We use 35 to match the
-behavior of Red Hat's Samba RPM package. The
-important thing is to make sure when starting Samba that all services
-it requires are started before it. When shutting down, it is a good
-idea to shut down Samba before services it requires to avoid excess
-error messages in the log files, but the order is not as crucial.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.3"/>
-
-<h3 class="head3">Darwin and Mac OS X</h3>
-
-<p><a name="INDEX-119"/><a name="INDEX-120"/><a name="INDEX-121"/><a name="INDEX-122"/>An installation of Samba is bundled with the
-Darwin distribution, which is included in Mac OS X.<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a> </p>
-
-<p>The Samba daemons are started during system
-boot by the script
-<em class="filename">/System/Library/StartupItems/Samba/Samba</em>. To
-trigger the execution of this script, edit the file
-<em class="filename">/etc/hostconfig</em> and change the SMBSERVER
-parameter to look like this:</p>
-
-<blockquote><pre class="code">SMBSERVER=-YES-</pre></blockquote>
-
-<p>On Mac OS X, the graphical user interface (GUI) provides an
-alternative to using the command line. Launch the System Preferences
-application, and select Sharing (see <a href="ch02.html#samba2-CHP-2-FIG-4">Figure 2-4</a>).
-Under the Services tab, turn on Windows File Sharing. This will make
-the aforementioned change to <em class="filename">/etc/hostconfig</em> and
-immediately execute the startup item.</p>
-
-<div class="figure"><a name="samba2-CHP-2-FIG-4"/><img src="figs/sam2_0204.gif"/></div><h4 class="head4">Figure 2-4. Mac OS X sharing preferences</h4>
-
-<p>If you decide to install Samba yourself on Mac OS X,
-it's best not to stomp on the installation provided
-with the OS. Use the procedures detailed earlier in this chapter to
-install the software into <em class="filename">/usr/local/samba</em> or
-some other area unaffected by OS upgrades. (Remember to set up users
-with <em class="emphasis">smbpasswd</em> if you're using
-encrypted passwords, as described earlier in this chapter. This step
-is handled automatically with entries in
-<em class="filename">/var/db/samba/hash</em> if you're
-using the built-in server on Mac OS X.) Once you've
-got that working, you can edit the Samba startup item script to refer
-to your installation, like this:</p>
-
-<blockquote><pre class="code"> #!/bin/sh
- # Start Samba
-
- . /etc/rc.common
-
- if [ &quot;${SMBSERVER:=-NO-}&quot; = &quot;-YES-&quot; ]; then
- ConsoleMessage &quot;Starting SMB server&quot;
-
- if [ -f /usr/local/samba/lib/smb.conf ]; then
- /usr/local/samba/bin/smbd -D
- /usr/local/samba/bin/nmbd -D
- fi
- fi</pre></blockquote>
-
-<p>However, beware of OS updates, which can wipe out your changes. One
-solution is to make the script immutable, like this:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>chflags uchg /System/Library/StartupItems/Samba/Samba</b></tt></pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.4"/>
-
-<h3 class="head3">Testing automatic startup</h3>
-
-<p><a name="INDEX-123"/><a name="INDEX-124"/>If you can afford a few minutes of
-downtime, reboot your system and again use the
-<em class="emphasis">ps</em> command to check that the
-<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> daemons are
-running. And if you are managing a 24/7 server, we highly recommend
-that you find some downtime in which to reboot and perform this
-check. Otherwise, your next unscheduled downtime might surprise you
-with a mysterious absence of SMB networking services when the system
-comes up again! <a name="INDEX-125"/><a name="INDEX-126"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-2-SECT-8.3"/>
-
-<h3 class="head2">Starting from inetd</h3>
-
-<p><a name="INDEX-127"/><a name="INDEX-128"/><a name="INDEX-129"/>The <em class="emphasis">inetd</em>
-<em class="emphasis"><a name="FNPTR-6"/><a href="#FOOTNOTE-6">[6]</a></em> daemon is a Unix
-system's Internet &quot;super
-daemon.&quot; It listens on ports defined in
-<em class="filename">/etc/services</em> and executes the appropriate
-program for each port, which is defined in
-<em class="filename">/etc/inetd.conf</em>. The advantage of this scheme is
-that you can have a large number of daemons ready to answer queries,
-but they don't all have to be running all the time.
-Instead, <em class="emphasis">inetd</em> listens for connection requests
-and starts the appropriate daemon when it is needed. The penalty is a
-small overhead cost of creating a new daemon process, as well as the
-fact that you need to edit two files rather than one to set things
-up. The <em class="emphasis">inetd</em> daemon is handy if you have only
-one or two Samba users or your machine is running too many daemons
-already. It's also easier to perform an upgrade
-without disturbing an existing connection.</p>
-
-<p>If you wish to start from <em class="filename">inetd</em>, first open
-<em class="filename">/etc/services</em> in your text editor. If you
-don't already have them defined, add the following
-two lines:</p>
-
-<blockquote><pre class="code">netbios-ssn 139/tcp
-netbios-ns 137/udp</pre></blockquote>
-
-<p>Next, edit <em class="filename">/etc/inetd.conf</em>. Look for the
-following two lines and add them if they don't
-exist. If you already have <tt class="literal">smbd</tt> and
-<tt class="literal">nmbd</tt> lines in the file, edit them to point at the
-new <em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>
-you've installed. Your brand of Unix might use a
-slightly different syntax in this file; use the existing entries and
-the <em class="filename">inetd.conf </em> manual
-page as a guide:</p>
-
-<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
-netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></blockquote>
-
-<p>Finally, kill any <em class="emphasis">smbd</em> or
-<em class="emphasis">nmbd</em> processes and send the
-<em class="emphasis">inetd</em> process a hangup (HUP) signal to tell it
-to reread its configuration file:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>/bin/kill -TERM -a smbd</b></tt>
-# <tt class="userinput"><b>/bin/kill -TERM -a nmbd</b></tt>
-# <tt class="userinput"><b>/bin/kill -HUP -a inetd</b></tt></pre></blockquote>
-
-<p>After that, Samba should be up and running.</p>
-
-<p>As we've pointed out before, Red Hat and perhaps
-other Unix vendors supply <em class="emphasis">xinetd</em> rather than
-<em class="emphasis">inetd</em>. If you need to use
-<em class="emphasis">xinetd</em>, you will need to supply a configuration
-file in the <em class="emphasis">/etc/xinetd.d</em> directory.
-<a name="INDEX-130"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-2-SECT-9"/>
-
-<h2 class="head1">Testing the Samba Daemons</h2>
-
-<p><a name="INDEX-131"/><a name="INDEX-132"/>We're
-nearly done with the Samba server setup. All that's
-left to do is to make sure everything is working as we think it
-should. A convenient way to do this is to use the
-<em class="filename">smbclient</em><a name="INDEX-133"/> program to examine what the server is
-offering to the network. If everything is set up properly, you should
-be able to do the following:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>/usr/local/samba/bin/smbclient -U% -L localhost</b></tt>
-added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
-Domain=[METRAN] OS=[Unix] Server=[Samba 2.2.6]
-
- Sharename Type Comment
- --------- ---- -------
- test Disk For testing only, please
- IPC$ IPC IPC Service (Samba 2.2.6)
- ADMIN$ Disk IPC Service (Samba 2.2.6)
-
- Server Comment
- --------- -------
- TOLTEC Samba 2.2.6 on toltec
-
- Workgroup Master
- --------- -------
- METRAN TOLTEC</pre></blockquote>
-
-<p>If there is a problem, don't panic! Try to start the
-daemons manually, and check the system output or the debug files at
-<em class="filename">/usr/local/samba/var/log.smb</em><a name="INDEX-134"/><a name="INDEX-135"/><a name="INDEX-136"/> to see if you can determine what happened.
-If you think it might be a more serious problem, skip to <a href="ch12.html">Chapter 12</a> for help on troubleshooting the Samba daemons.</p>
-
-<p>If it worked, congratulations! You now have successfully set up the
-Samba server with a disk share. It's a simple one,
-but we can use it to set up and test the Windows 95/98/Me and
-NT/2000/XP clients in the next chapter. Then we will start making it
-more interesting by adding services such as home directories,
-printers, and security, and by seeing how to integrate the server
-into a larger Windows domain. <a name="INDEX-137"/></p>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/>
-<p><a href="#FNPTR-1">[1]</a> <em class="emphasis">gcc</em> binaries are available for almost
-every modern machine. See <a href="http://www.gnu.org/">http://www.gnu.org/</a> for a list of sites with
-<em class="emphasis">gcc</em> and other GNU software.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Do
-not confuse this with the Solaris <em class="emphasis">killall</em>
-command, which performs part of the system shutdown sequence!</p>
-<a name="FOOTNOTE-3"/>
-<p><a href="#FNPTR-3">[3]</a> Depending on the version of <em class="emphasis">xinetd</em> you
-have and how it was compiled, you might need to send a USR1 or some
-other signal rather than the HUP signal. Check the manual page for
-<em class="emphasis">xinetd (8)</em> on your system for details.</p>
-<a name="FOOTNOTE-4"/>
-<p><a href="#FNPTR-4">[4]</a> If you did not compile Samba, but instead downloaded a binary,
-check with the documentation for the package to find out where it
-expects the <em class="filename">smb.conf</em> file to be. Or, try running
-the <em class="emphasis">testparm</em> program and look for the location
-of <em class="filename">smb.conf</em> in the first line of output. If
-Samba came preinstalled with your Unix system, an
-<em class="filename">smb.conf</em> file is probably already somewhere on
-your system.</p> <a name="FOOTNOTE-5"/>
-<p><a href="#FNPTR-5">[5]</a> In this book, we cover Darwin Version 6.0 and OS X Version
-10.2.</p> <a name="FOOTNOTE-6"/> <p><a href="#FNPTR-6">[6]</a> With early releases of Samba 2.2, there were reports
-of intermittent errors when starting from <em class="emphasis">inetd</em>.
-We provide this information so that it will be available for later
-releases when the problem will hopefully have been identified and
-corrected.</p> </blockquote>
-
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-</body></html>
diff --git a/docs/htmldocs/using_samba/ch03.html b/docs/htmldocs/using_samba/ch03.html
deleted file mode 100644
index 16e86f4f6d..0000000000
--- a/docs/htmldocs/using_samba/ch03.html
+++ /dev/null
@@ -1,2086 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 3. Configuring Windows Clients</h1>
-
-
-<p><a name="INDEX-1"/><a name="INDEX-2"/>Configuring Windows to use
-your new Samba server is really quite simple. SMB is
-Microsoft's native language for resource sharing on
-a local area network, so much of the installation and setup on the
-Windows client side have been taken care of already.</p>
-
-
-<div class="sect1"><a name="samba2-CHP-3-SECT-1"/>
-
-<h2 class="head1">Windows Networking Concepts</h2>
-
-<p><a name="INDEX-3"/><a name="INDEX-4"/>Windows is different from Unix in
-many ways, including how it supports networking. Before we get into
-the hands-on task of clicking our way through the dialog boxes to
-configure each version of Windows, we need to provide you with a
-common foundation of networking technologies and concepts that apply
-to the entire family of Windows operating systems.</p>
-
-<p>For each Windows version, these are the main issues we will be
-dealing with:</p>
-
-<ul><li>
-<p>Making sure required networking components are installed and bound to
-the network adapter</p>
-</li><li>
-<p>Configuring networking with a valid IP address, netmask and gateway,
-and WINS and DNS name servers</p>
-</li><li>
-<p>Assigning workgroup and computer names</p>
-</li><li>
-<p>Setting the username(s) and password(s)</p>
-</li></ul>
-<p>In addition, some minor issues involving communication and
-coordination between Windows and Unix are different among Windows
-versions.</p>
-
-<p>One can go crazy thinking about the ways in which Unix is different
-from Windows, or the ways in which members of the Windows family are
-different from each other in underlying technology, behavior, or
-appearance. For now let's just focus on their
-similarities and see if we can find some common ground.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-1.1"/>
-
-<h3 class="head2">Components</h3>
-
-<p><a name="INDEX-5"/><a name="INDEX-6"/>Unix
-systems historically have been monolithic in nature, requiring
-recompilation or relinking to create a kernel with a customized
-feature set. However, modern versions have the ability to load or
-unload device drivers or various other operating-system features as
-modules while the system is running, without even needing to reboot.</p>
-
-<p>Windows allows for configuration by installing or uninstalling
-<em class="firstterm">components</em>. As far as networking goes,
-components can be one of three things:<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a></p>
-
-<ul><li>
-<p>Protocols</p>
-</li><li>
-<p>Clients</p>
-</li><li>
-<p>Services</p>
-</li></ul>
-<p>Since Samba works using the TCP/IP protocol, of course
-we'll want to have that installed. In some cases, we
-also will want to find protocols to <em class="emphasis">uninstall</em>.
-For example, if Netware protocol (IPX/SPX) is not required on the
-network, it might as well be removed.</p>
-
-<p><a name="INDEX-7"/><a name="INDEX-8"/>NetBEUI protocol should be removed if
-possible. Having NetBEUI running at the same time as NetBIOS over
-TCP/IP causes the system to look for services under two different
-protocols, only one of which is likely to be in use. When Windows is
-configured with one or more unused protocols, 30-second delays will
-result when Windows tries to communicate with the unused protocol.
-Eventually, it times out and tries another one, until it finds one
-that works. This fruitless searching results in terrible performance.</p>
-
-<p>The other two items in the list, client and service components, are
-pretty much what you'd expect. Client components
-perform tasks related to connecting with network servers, and service
-components are for making the local system into a server of resources
-on the network. In <a href="ch01.html">Chapter 1</a> we told you that SMB
-systems can act as both clients and servers, offering resources on
-the network at the same time they request resources. In accordance
-with that, it is possible to install a component for SMB client
-services and, separately, a service component that allows file and
-printer shares on the local system to be accessible from other
-systems on the network.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-1.1.1"/>
-
-<h3 class="head3">Bindings</h3>
-
-<p><a name="INDEX-9"/><a name="INDEX-10"/><a name="INDEX-11"/>Once
-a networking component is installed, it must be
-<em class="firstterm">bound</em> to a hardware interface, or
-<em class="firstterm">adapter</em>, to be used on the network. At first
-this might seem like an odd complication; however, it is a conceptual
-model that allows the associations between hardware and software to
-be clearly displayed and easily modified through a graphical
-interface.</p>
-
-<p>We will want to make sure that your Windows client has both TCP/IP
-and the client component for SMB networking installed and also that
-it is bound to the network adapter that connects to our Samba
-network, which in most cases will be an Ethernet adapter.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-1.2"/>
-
-<h3 class="head2">IP Address</h3>
-
-<p>Just like any Unix system (or any other system that is using TCP/IP),
-your Windows systems will need an <a name="INDEX-12"/>IP address. If you are using
-<a name="INDEX-13"/>DHCP
-on your network, you can configure Windows to obtain its IP address
-automatically by using a DHCP server. Otherwise, you will need to
-assign a static IP address manually along with a netmask.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a></p>
-
-<p>If you are on a private network where you have the authority to
-assign your own IP addresses, you can select from addresses in one of
-three ranges:<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a></p>
-
-<ul><li>
-<p>10.0.0.1 through 10.255.255.254</p>
-</li><li>
-<p>172.16.0.1 through 172.31.255.254</p>
-</li><li>
-<p>192.168.0.1 through 192.168.255.254</p>
-</li></ul>
-<p>These address ranges are reserved for private networks not directly
-connected to the Internet. For more information on using these
-private network addresses, see RFC 1918.</p>
-
-<p>If you're not maintaining your own separate network,
-see your system administrator for some available addresses on your
-network, as well as for the proper netmask to use.</p>
-
-<p>You should also be prepared to enter the IP address of the default
-gateway for the network. In some networks, the default gateway is the
-system or router that connects the LAN to the Internet. In other
-cases, the default gateway connects a subnet into a larger
-departmental or enterprise network.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-1.3"/>
-
-<h3 class="head2">Name Resolution</h3>
-
-<p><a name="INDEX-14"/><a name="INDEX-15"/>Name resolution is the function of
-translating human-friendly hostnames, such as
-<em class="emphasis">hopi</em>, or fully qualified domain names (FQDNs),
-such as <tt class="literal">mixtec.metran.cx</tt>, into IP addresses, such
-as 172.16.1.11 or 172.16.1.7.</p>
-
-<p>Unix systems can perform name resolution using an
-<em class="filename">/etc/hosts</em><a name="INDEX-16"/><a name="INDEX-17"/> file at the minimum, and more commonly can
-also incorporate services such as
-<a name="INDEX-18"/>DNS (Domain Name System)
-and <a name="INDEX-19"/>NIS (Network Information Service).
-Thus, name resolution is not necessarily performed by one isolated
-part of the operating system or one daemon, but is a system that can
-have a number of dispersed parts (although the
-<a name="INDEX-20"/>name
-service switch, with its
-<em class="filename">/etc/nsswitch.conf</em><a name="INDEX-21"/><a name="INDEX-22"/> configuration file, helps to tie them
-together).</p>
-
-<p>Although the specific implementation is different, name resolution in
-Windows is also performed by querying a number of resources, some of
-which are similar (or even identical) to their Unix counterparts.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.1"/>
-
-<h3 class="head3">Broadcast name resolution</h3>
-
-<p>On the other hand, there is one way in which Windows is not at all
-similar to Unix. If a Windows workstation is set up with no WINS name
-server, it will use the broadcast method of
-<a name="INDEX-23"/><a name="INDEX-24"/>name resolution, as described in <a href="ch01.html">Chapter 1</a>,<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> probably resulting in a
-very busy network. And even if you provide name servers for your
-Windows system to use, it might still resort to broadcast name
-resolution if it is unsuccessful at querying the name servers. For
-this reason, we recommend that you provide multiple reliable name
-servers for your Windows computers on the network.</p>
-
-<p>If that weren't enough to get you interested in
-setting up WINS and DNS servers, broadcast name resolution is usually
-limited to working on the local subnet because routers are usually
-configured not to forward broadcast packets to other networks.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.2"/>
-
-<h3 class="head3">WINS</h3>
-
-<p>We've already told you about WINS in <a href="ch01.html">Chapter 1</a>, and we don't have much more
-to say about it here. WINS can translate simple NetBIOS computer
-names such as <em class="emphasis">huastec</em> or
-<em class="emphasis">navajo</em> into IP addresses, as required on an SMB
-network. Of course, the interesting thing here is that Samba can act
-as a WINS server if you include the line:</p>
-
-<blockquote><pre class="code">wins support = yes</pre></blockquote>
-
-<p>in your Samba server's
-<em class="filename">smb.conf</em><a name="INDEX-25"/><a name="INDEX-26"/> file.
-This can be a good thing, to be sure, and we highly recommend it. Not
-only will you have a reliable WINS server to reduce the number of
-broadcast packets, but you won't need to run Windows
-NT/2000/XP to get it.</p>
-<a name="samba2-CHP-3-NOTE-91"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>One caveat about using Samba as a <a name="INDEX-27"/><a name="INDEX-28"/>WINS server is that Samba (up to Version
-2.2, at least) cannot synchronize with other WINS servers. So if you
-specify a Samba server as your Windows system's WINS
-server, you must be careful not to specify any additional (i.e.,
-secondary) WINS servers. If you do, you are likely to run into
-problems because the servers will not be able to synchronize their
-databases with each other. In Samba's defense, if
-you are using a Samba WINS server (running on a typically reliable
-Unix host), you will probably have little need for a secondary WINS
-server anyway.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.3"/>
-
-<h3 class="head3">LMHOSTS</h3>
-
-<p>All Windows versions support a backup method of name resolution, in
-the form of a file called
-<em class="filename">LMHOSTS</em><a name="INDEX-29"/> <em class="emphasis"><a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a></em>
-that contains a lookup table of computer names and IP addresses. This
-exists for &quot;historical purposes,&quot;
-and is a rather awkward method of name resolution because it requires
-the administrator (i.e., you!) to keep copies of
-<em class="filename">LMHOSTS</em> up to date on every single Windows
-system on the network. To be fully effective,
-<em class="filename">LMHOSTS</em> would have to be updated every time a
-new system were added to (or removed from) the network. Of course,
-there might be ways to automate that process, but a better option
-would be simply to run a WINS name server that is intentionally
-designed to solve that specific problem.</p>
-
-<p>There are perhaps a couple of reasons why you might want to bother
-with <em class="filename">LMHOSTS</em> files. In rare situations, there
-might be no WINS server on the network. Or maybe a WINS server
-exists, but it's unreliable. In both cases, if the
-Windows system has a valid <em class="filename">LMHOSTS</em> file, it can
-help to avoid your network bogging down from those dreaded broadcast
-name queries.</p>
-
-<p>The format of the <em class="filename">LMHOSTS</em> file is simple and
-similar to the <em class="filename">/etc/hosts</em> file with which you
-might be familiar from running Unix systems. Here are the contents of
-a sample <em class="filename">LMHOSTS</em> file:</p>
-
-<blockquote><pre class="code">172.16.1.1 toltec
-172.16.1.2 aztec
-172.16.1.3 mixtec
-172.16.1.4 zapotec
-172.16.1.5 huastec
-172.16.1.6 maya
-172.16.1.7 olmec
-172.16.1.8 chichimec
-172.16.1.11 hopi
-172.16.1.12 zuni
-172.16.1.13 dine
-172.16.1.14 pima
-172.16.1.15 apache
-172.16.1.21 inca
-172.16.1.22 qero</pre></blockquote>
-
-<p>As you can see, the format is like that of
-<em class="filename">/etc/hosts</em>, except that instead of an FQDN
-(e.g., <tt class="literal">toltec.metran.cx</tt>), only a NetBIOS computer
-name (<tt class="literal">toltec</tt>) is given. One way to create an
-<em class="filename">LMHOSTS</em> file for your Windows systems is to copy
-a <em class="filename">/etc/hosts</em> file and edit out the parts you
-don't need. This will work great if your network
-doesn't have a DNS (or NIS) name server and the Unix
-system is dependent on <em class="filename">/etc/hosts</em> for its own
-name service. But if your Unix system is querying a DNS server (which
-is the most frequent case on anything larger than the very smallest
-networks), you would be better advised to look in the DNS
-server's configuration files for your source of
-computer names and IP addresses.</p>
-
-<p>If you do not have administrative access to your
-network's DNS server, you might be able to use tools
-such as <em class="emphasis">nslookup</em><a name="INDEX-30"/>,
-<em class="emphasis">nmap</em><a name="INDEX-31"/>, and
-<em class="emphasis">dig</em><a name="INDEX-32"/> to query the server and obtain the
-information you need.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.4"/>
-
-<h3 class="head3">DNS</h3>
-
-<p>The <a name="INDEX-33"/><a name="INDEX-34"/>DNS
-is responsible for translating human-readable, Internet-style
-hostnames such as <tt class="literal">pima.metran.cx</tt> or
-<tt class="literal">sales.oreilly.com</tt> into IP addresses.</p>
-
-<p>On your first reading of this section, you might be wondering what a
-section on DNS is doing in a book about NetBIOS and SMB networking.
-Remember, we told you that Windows can use more than WINS (NetBIOS
-Name Service) in its strategy for performing name resolution. Because
-DNS is also able to supply IP addresses for simple hostnames (which
-are usually the same as NetBIOS computer names), it can be helpful to
-configure Windows to know about a DNS server on your network. This is
-slightly more important for newer Windows versions than older ones,
-and more so for Windows NT/2000/XP than for Windows 95/98/Me, because
-nowadays Microsoft is focusing more on TCP/IP as the standard
-protocol and DNS as the primary name service.</p>
-
-<p>To find the address of your DNS server, look at the file
-<em class="emphasis">/etc/resolv.conf</em><a name="INDEX-35"/><a name="INDEX-36"/> on your Samba server or any other Unix
-system on the local network that is using DNS. It looks like the
-following:</p>
-
-<blockquote><pre class="code">#resolv.conf
-domain metran.cx
-nameserver 127.0.0.1
-nameserver 172.16.1.53</pre></blockquote>
-
-<p>In this example, the first name server in the list is 127.0.0.1,
-which indicates that the Samba server is also a DNS server for this
-LAN.<a name="FNPTR-6"/><a href="#FOOTNOTE-6">[6]</a> In that case, you would use its network IP
-address (not <a name="INDEX-37"/><a name="INDEX-38"/>127.0.0.1, its localhost address)
-for your DNS server when configuring Windows. Otherwise, use the
-other addresses you find in the lines beginning with
-<tt class="literal">nameserver</tt>. Try to select ones on your own
-network. Any name servers listed in
-<em class="emphasis">/etc/resolv.conf</em> should work, but
-you'll get better performance by using a server
-nearby.</p>
-
-<p>All versions of Windows can be configured to know of multiple domain
-name servers, and you might wish to take advantage of this for
-increased reliability. If the first domain name server does not
-respond, Windows can try others in its list.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.5"/>
-
-<h3 class="head3"><em class="filename">HOSTS</em></h3>
-
-<p>Similar to how the <em class="filename">LMHOSTS</em> file can be added to
-supplement WINS, the
-<em class="filename">HOSTS</em><a name="INDEX-39"/> file on a Windows system can be optionally
-added to supplement DNS name resolution. Most of our comments
-regarding <em class="filename">LMHOSTS</em> also apply here.</p>
-
-<p>This time the format of the file is not just similar to that of
-<em class="filename">/etc/hosts</em> found on Unix&mdash;the format is
-<em class="emphasis">exactly</em> the same. You can simply copy
-<em class="filename">/etc/hosts</em> from your Samba server or other Unix
-system to the proper directory on your Windows system.</p>
-
-<p>On Windows 95/98/Me, the <em class="filename">HOSTS</em> file goes in the
-Windows installation directory, which is usually
-<em class="filename">C:\Windows</em>. Note that a file called
-<em class="filename">hosts.sam</em><a name="INDEX-40"/> is already there, which is a sample
-<em class="filename">HOSTS</em> file provided by Microsoft.</p>
-
-<p>On Windows NT/2000/XP, the <em class="filename">HOSTS</em> file goes in
-the <em class="filename">\system32\drivers\etc</em> directory under the
-Windows installation directory, which is usually
-<em class="filename">C:\WINNT</em>.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-1.4"/>
-
-<h3 class="head2">Passwords</h3>
-
-<p><a name="INDEX-41"/><a name="INDEX-42"/><a name="INDEX-43"/>Unix systems use
-username and password pairs to authenticate users either on a local
-system or in an NIS domain. Windows NT/2000/XP are very similar; a
-user supplies his username and password to log on to the local system
-or to a Windows domain.</p>
-
-<p>When the SMB network is set up as a workgroup, things are different.
-There is no domain to log on to, although shares on the network can
-be password-protected. In this case, one password is associated with
-each password-protected share, rather than with individual users.</p>
-
-<p>Samba's default user-level
-<a name="INDEX-44"/>authentication in a workgroup is
-different from that of Windows. To access shares on the Samba host,
-users are required to supply a valid username and password for an
-account on the Samba host. This will be discussed in more detail in
-<a href="ch09.html">Chapter 9</a>.</p>
-
-<p><a name="INDEX-45"/>An unfortunate
-complication arises with passwords. In the first release of Windows
-95 and in Windows NT 4.0 with Service Pack 2 (SP2) or less, as well
-as in all previous versions of Windows, passwords are allowed to be
-sent over the network in plain text. But in Windows 95 with the
-network redirector update,<a name="FNPTR-7"/><a href="#FOOTNOTE-7">[7]</a></p>
-
-<p>Windows NT 4.0 SP3 or later, and all subsequent releases of Windows,
-a registry setting must be <a name="INDEX-46"/><a name="INDEX-47"/><a name="INDEX-48"/>modified to enable plain-text
-passwords. These more modern versions of Windows prefer to send
-encrypted passwords, and if you are working with one of them (and
-don't want to have to modify the registry), you must
-have the line:</p>
-
-<blockquote><pre class="code">encrypt passwords = yes</pre></blockquote>
-
-<p>in the <tt class="literal">[global]</tt> section of your
-<em class="filename">smb.conf</em><a name="INDEX-49"/><a name="INDEX-50"/> file. In addition, you must run the
-command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a <em class="replaceable">username</em></b></tt></pre></blockquote>
-
-<p>for each user on the Samba host to add their passwords to
-Samba's collection of encrypted passwords. We showed
-you how to do this in <a href="ch02.html">Chapter 2</a>.</p>
-
-<p>If your first attempt to access a Samba share results in a dialog box
-asking for a password for
-<tt class="literal">IPC$</tt><a name="INDEX-51"/><a name="INDEX-52"/>, as shown in <a href="ch03.html#samba2-CHP-3-FIG-1">Figure 3-1</a>, it is probably because you neglected either
-or both of these two steps, and the Samba server did not recognize
-the encrypted password that the Windows system sent to it. Another
-possible dialog box that might come up is the one shown in <a href="ch03.html#samba2-CHP-3-FIG-2">Figure 3-2</a>, which was presented by a Windows 2000 client.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-1"/><img src="figs/sam2_0301.gif"/></div><h4 class="head4">Figure 3-1. Windows 98 asking for IPC$ password</h4>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-2"/><img src="figs/sam2_0302.gif"/></div><h4 class="head4">Figure 3-2. Windows 2000 logon error dialog</h4>
-
-<p>The rest of this chapter is divided into four sections. The first
-section covers setting up Windows 95/98/Me computers, and the rest of
-the sections cover Windows NT 4.0, Windows 2000, and Windows XP
-individually. Each section roughly parallels the order in which
-we've introduced networking concepts in this
-section. You need to read only the section that applies to the
-Windows version with which you are working, and once you have
-finished reading it, you can continue at the beginning of the next
-chapter where we will start covering more advanced Samba features and
-networking issues.</p>
-
-<a name="samba2-CHP-3-NOTE-92"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Keep in mind that we are continuing our example from <a href="ch02.html">Chapter 2</a>, in which we are setting up a very simple
-prototype network using a workgroup that has very lax security. After
-you have the basics working, we recommend you continue with later
-chapters to learn how to implement both better security and a Samba
-domain. <a name="INDEX-53"/></p>
-</blockquote>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-3-SECT-2"/>
-
-<h2 class="head1">Setting Up Windows 95/98/Me Computers</h2>
-
-<p>The <a name="INDEX-54"/>Windows 95/98/Me operating systems are very
-similar to each other, and as far as this chapter is concerned, it is
-possible to treat them with a common set of directions.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-2.1"/>
-
-<h3 class="head2">Setting Up the Network</h3>
-
-<p>Samba uses TCP/IP to communicate with clients on the network, so you
-will need to make sure there is support for TCP/IP on each Windows
-client. Unlike Unix operating systems, Windows does not necessarily
-have support for TCP/IP installed. However, when Windows is installed
-on a computer with a network card or a network card is added to a
-system already running Windows, TCP/IP support is installed by
-default, along with the Client for Microsoft Networks, which supports
-SMB file and printer sharing.</p>
-
-<p>To make sure both services are installed on your Windows system,
-double-click the Network icon in the Control Panel to open the
-Network dialog box, as shown in <a href="ch03.html#samba2-CHP-3-FIG-3">Figure 3-3</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-3"/><img src="figs/sam2_0303.gif"/></div><h4 class="head4">Figure 3-3. The Windows 95/98/Me Network dialog</h4>
-
-<p>You should see at least the Client for Microsoft Networks component
-installed on the system, and hopefully a networking device
-(preferably an Ethernet card) bound to the TCP/IP protocol. If there
-is only one networking hardware device, you'll see
-the TCP/IP protocol listed below the device to which it is bound, as
-shown in <a href="ch03.html#samba2-CHP-3-FIG-1">Figure 3-1</a>.</p>
-
-<p>You might also see &quot;File and printer sharing for
-Microsoft Networks,&quot; which is used to make the
-system into a server. In addition, you might see NetBEUI or Novell
-Networking. Definitely remove NetBEUI unless you are sure you need
-it, and if you don't have any Novell servers on your
-network, you can remove Novell (IPX/SPX) as well. To remove a
-service, simply click its name and then click the Remove button.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.1"/>
-
-<h3 class="head3">Adding TCP/IP</h3>
-
-<p><a name="INDEX-55"/><a name="INDEX-56"/>If
-you don't see TCP/IP listed, you'll
-need to install the protocol.</p>
-
-<p>You can add the protocol by inserting the Windows distribution CD-ROM
-in your CD-ROM drive and clicking the Add button below the component
-window. Indicate that you wish to add a protocol by selecting
-Protocol and clicking &quot;Add...&quot; on
-the following dialog box, which should look similar to <a href="ch03.html#samba2-CHP-3-FIG-4">Figure 3-4</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-4"/><img src="figs/sam2_0304.gif"/></div><h4 class="head4">Figure 3-4. Selecting a component type</h4>
-
-<p>After that, select manufacturer Microsoft, then protocol TCP/IP, as
-shown in <a href="ch03.html#samba2-CHP-3-FIG-3">Figure 3-3</a>, then click OK. After doing so,
-you will be returned to the network dialog. Click OK to close the
-dialog box, and Windows will install the necessary components from
-the CD-ROM and request that the system be rebooted. Go ahead and
-reboot the system, and you're set.</p>
-
-<p>If Client for Microsoft Networks is not in the list, you can add it
-similarly. The only significant difference is that you are adding a
-client instead of a protocol, so make sure to select
-&quot;Client&quot; rather than
-&quot;Protocol&quot; when asked.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.2"/>
-
-<h3 class="head3">Configuring TCP/IP</h3>
-
-<p><a name="INDEX-57"/><a name="INDEX-58"/>If you have more than one networking
-device (for example, both an Ethernet card and a modem for dial-up
-networking), the protocol to hardware bindings will be indicated by
-arrows, as shown in <a href="ch03.html#samba2-CHP-3-FIG-5">Figure 3-5</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-5"/><img src="figs/sam2_0305.gif"/></div><h4 class="head4">Figure 3-5. Selecting a protocol to install</h4>
-
-<p>Select the TCP/IP protocol linked to the networking device that will
-be accessing the Samba network. If you have only one networking
-device, simply click the TCP/IP item. Now click the Properties button
-to open the TCP/IP Properties dialog. You should see something
-similar to <a href="ch03.html#samba2-CHP-3-FIG-6">Figure 3-6</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-6"/><img src="figs/sam2_0306.gif"/></div><h4 class="head4">Figure 3-6. Selecting the correct TCP/IP protocol</h4>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.3"/>
-
-<h3 class="head3">IP Address tab</h3>
-
-<p><a name="INDEX-59"/><a name="INDEX-60"/>The
-IP Address tab is shown in <a href="ch03.html#samba2-CHP-3-FIG-7">Figure 3-7</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-7"/><img src="figs/sam2_0307.gif"/></div><h4 class="head4">Figure 3-7. The IP Address tab</h4>
-
-<p>If you use DHCP on your network to provide IP addresses automatically
-to Windows systems, select the &quot;Obtain an IP address
-automatically&quot; radio button. Otherwise, click the
-&quot;Specify an IP address&quot; radio
-button and enter the client's address and subnet
-mask in the space provided. You or your network manager should have
-selected an address for the client on the same subnet (LAN) as the
-Samba server.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.4"/>
-
-<h3 class="head3">WINS Configuration tab</h3>
-
-<p><a name="INDEX-61"/><a name="INDEX-62"/>If you've
-enabled WINS on Samba or are choosing to make use of another WINS
-server on your network, you must tell Windows the
-server's address. After selecting the WINS
-Configuration tab, you will see the dialog box shown in <a href="ch03.html#samba2-CHP-3-FIG-8">Figure 3-8</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-8"/><img src="figs/sam2_0308.gif"/></div><h4 class="head4">Figure 3-8. The WINS Configuration tab</h4>
-
-<p>This is for Windows 98/Me; Windows 95 is just a little different,
-having separate spaces for the primary and backup WINS server IP
-addresses.</p>
-
-<p>Select the &quot;Enable WINS Resolution&quot;
-radio button, and enter the WINS server's address in
-the space provided, then click the Add button. Do not enter anything
-in the Scope ID field.</p>
-<a name="samba2-CHP-3-NOTE-93"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>A bug in Windows 95/98 sometimes causes the IP address of the WINS
-server to disappear after the OK button is clicked. This happens only
-when only a primary WINS server has been specified. The workaround is
-to fill in the fields for both primary and secondary WINS servers,
-using the same IP address for each.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.5"/>
-
-<h3 class="head3">DNS Configuration tab</h3>
-
-<p><a name="INDEX-63"/><a name="INDEX-64"/>Unless you are using DHCP, you
-will need to provide the IP address of one or more DNS servers. Click
-the DNS tab, then click the &quot;Enable
-DNS&quot; radio button, and type the IP address of one or
-more DNS servers into the appropriate field, shown in <a href="ch03.html#samba2-CHP-3-FIG-9">Figure 3-9</a>, to add the server's address
-to the top DNS Server Search Order field.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-9"/><img src="figs/sam2_0309.gif"/></div><h4 class="head4">Figure 3-9. The DNS Configuration tab</h4>
-
-<p>Also, provide the hostname (which is the same as the NetBIOS computer
-name) of the Windows 95/98/Me computer and your Internet domain. (You
-will need to enter the computer name again later, along with the
-workgroup. Make sure to enter the same name each time.) You can
-safely ignore the Domain Suffix Search Order field for anything
-related to Samba.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.6"/>
-
-<h3 class="head3">LMHOSTS file</h3>
-
-<p><a name="INDEX-65"/><a name="INDEX-66"/>If
-you want to install an <em class="filename">LMHOSTS</em> file, it must be
-placed in your Windows installation directory (usually
-<em class="filename">C:\Windows</em>). In the same directory, Microsoft
-has provided a sample <em class="filename">LMHOSTS</em> file named
-<em class="filename">lmhosts.sam</em>, which you might want to look at for
-further information on the file's format.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.7"/>
-
-<h3 class="head3">NetBIOS tab</h3>
-
-<p><a name="INDEX-67"/><a name="INDEX-68"/>This tab
-appears in Windows 98/Me, but not in Windows 95. All you need to do
-here is make sure the checkbox is checked, enabling NetBIOS over
-TCP/IP. If TCP/IP is your only protocol installed (as we recommended
-earlier), the selection will be grayed out, with the box checked so
-that you couldn't uncheck it even if you wanted to.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.8"/>
-
-<h3 class="head3">Bindings tab</h3>
-
-<p><a name="INDEX-69"/><a name="INDEX-70"/>The
-final tab to look at is Bindings, as shown in <a href="ch03.html#samba2-CHP-3-FIG-10">Figure 3-10</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-10"/><img src="figs/sam2_0310.gif"/></div><h4 class="head4">Figure 3-10. The Bindings tab</h4>
-
-<p>You should have a check beside Client for Microsoft Networks,
-indicating that it's using TCP/IP. If you have
-&quot;File and printer sharing for Microsoft
-Networks&quot; in the dialog, it should also be checked,
-as shown in <a href="ch03.html#samba2-CHP-3-FIG-10">Figure 3-10</a>.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-2.2"/>
-
-<h3 class="head2">Setting the Computer Name and Workgroup</h3>
-
-<p><a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/><a name="INDEX-74"/>Finally, click the OK button in the
-TCP/IP configuration dialog, and you'll be taken
-back to the Network Configuration dialog. Then select the
-Identification tab, which will take you to the dialog box shown in
-<a href="ch03.html#samba2-CHP-3-FIG-11">Figure 3-11</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-11"/><img src="figs/sam2_0311.gif"/></div><h4 class="head4">Figure 3-11. The Identification tab</h4>
-
-<p>This is where you set your system's NetBIOS name
-(which Microsoft likes to call &quot;computer
-name&quot;). Usually, it is best to make this the same as
-your DNS hostname, if you are going to have one for this system. For
-example, if the system's DNS name is
-<tt class="literal">huastec.metran.cx</tt>, give the computer a NetBIOS
-name of <tt class="literal">huastec</tt> on this tab.</p>
-
-<p>You also set your workgroup name here. In our case,
-it's METRAN, but if you used a different one in
-<a href="ch02.html">Chapter 2</a>, when creating the Samba configuration
-file, use that instead. Just don't call it WORKGROUP
-(the default workgroup name) or you'll be in the
-same workgroup as every misconfigured Windows computer on the planet!</p>
-
-<p>You can also enter a comment string for this computer. See if you can
-come up with some way of describing it that will remind you of what
-and where it is when you see the comment in a list displayed on
-another computer. Everyone on the network will be able to see your
-comment, so be careful not to include any information that might be
-useful to crackers.</p>
-
-<p>Finally, click the OK button and follow whatever instructions Windows
-provides. (You might have to insert your Windows distribution CD-ROM
-and/or reboot.)</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-2.3"/>
-
-<h3 class="head2">Username and Password</h3>
-
-<p><a name="INDEX-75"/><a name="INDEX-76"/><a name="INDEX-77"/>You have probably already given
-Windows a username and password by now. However, to authenticate with
-the Samba server, your Windows username and password must match with
-a valid account on the Samba server.</p>
-
-<p>It is simple to add a new user and password to a Windows 95/98/Me
-system. Just reboot or log out, and when you are prompted for a
-username and password, enter your Unix username and password. (If you
-are using encrypted passwords, you must run
-<em class="emphasis">smbpasswd</em> on the Unix host to enter them into
-Samba's password database, if you have not already
-done so.) You can use this method to add as many users as you want,
-so as to allow more than one user to use the Windows system to gain
-access to the Samba shares.</p>
-
-<p>If you mistakenly entered the wrong password or your Unix password
-changes, you can change your password on the Windows system by going
-to the Control Panel and double-clicking the Passwords icon. This
-will bring up the Passwords Properties dialog. Click the Change
-Passwords tab, and you will see the dialog shown in <a href="ch03.html#samba2-CHP-3-FIG-12">Figure 3-12</a>. Now click the &quot;Change
-Windows Password...&quot; button, which will bring up the
-Change Windows Password dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-13">Figure 3-13</a>. As indicated by the text entry fields in the
-dialog, enter your old password, and then the new password, and again
-to confirm it. Click the OK button and then the Close button on the
-Password Properties dialog box. Reboot or log out, and use your new
-password when you log in again.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-12"/><img src="figs/sam2_0312.gif"/></div><h4 class="head4">Figure 3-12. The Password Properties dialog</h4>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-13"/><img src="figs/sam2_0313.gif"/></div><h4 class="head4">Figure 3-13. The Change Windows Password dialog</h4>
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.3.1"/>
-
-<h3 class="head3">Logging in for the first time</h3>
-
-<p>If you don't have a Change Passwords tab in the
-Passwords Properties window, it is because networking is not fully
-set up yet. Assuming you've followed all the
-directions given so far, you just need to reboot; when the system
-comes up, it will ask you to log in with a username and a password.</p>
-
-<p>Now for the big moment. Your Samba server is running, and you have
-set up your Windows 95/98/Me client to communicate with it.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.3.2"/>
-
-<h3 class="head3">Accessing the Samba Server from Windows 95/98</h3>
-
-<p><a name="INDEX-78"/><a name="INDEX-79"/>Double-click the Network Neighborhood
-icon on the desktop. You should see your Samba server listed as a
-member of the workgroup, as shown in <a href="ch03.html#samba2-CHP-3-FIG-14">Figure 3-14</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-14"/><img src="figs/sam2_0314.gif"/></div><h4 class="head4">Figure 3-14. Windows 95/98 Network Neighborhood</h4>
-
-<p>Double-clicking the server name will show the resources that the
-server is offering to the network, as shown in <a href="ch03.html#samba2-CHP-3-FIG-15">Figure 3-15</a> (in this case, the <em class="emphasis">test</em>
-directory).</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-15"/><img src="figs/sam2_0315.gif"/></div><h4 class="head4">Figure 3-15. The test shared folder on the Toltec server</h4>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-2.3.3"/>
-
-<h3 class="head3">Accessing the Samba Server from Windows Me</h3>
-
-<p>Double-click the My Network Places icon on the desktop. You should
-see the test shared directory as shown in <a href="ch03.html#samba2-CHP-3-FIG-16">Figure 3-16</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-16"/><img src="figs/sam2_0316.gif"/></div><h4 class="head4">Figure 3-16. My Network Places on Windows Me</h4>
-
-<p>Double-click the Entire Network icon, and you should see an icon for
-your workgroup, as shown in <a href="ch03.html#samba2-CHP-3-FIG-17">Figure 3-17</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-17"/><img src="figs/sam2_0317.gif"/></div><h4 class="head4">Figure 3-17. Entire Network window, showing the Metran workgroup</h4>
-
-<p>Double-clicking the workgroup icon will bring up a window showing
-every computer in the workgroup, which should include your Samba
-server, as shown in <a href="ch03.html#samba2-CHP-3-FIG-18">Figure 3-18</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-18"/><img src="figs/sam2_0318.gif"/></div><h4 class="head4">Figure 3-18. Computers in Metran workgroup</h4>
-
-<p>Double-click the Samba server's icon, and you will
-get a window showing its shared resources (in this case, the test
-directory) as shown in <a href="ch03.html#samba2-CHP-3-FIG-19">Figure 3-19</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-19"/><img src="figs/sam2_0319.gif"/></div><h4 class="head4">Figure 3-19. View of shares on the Toltec server</h4>
-
-<p>If you don't see the server listed, it might be that
-browsing is not working correctly or maybe the server is just taking
-a few minutes to show up in the browse list. In either case, you can
-click the Start button, then select
-&quot;Run...&quot;. This will give you a
-dialog box into which you can type the name of your server and the
-share name <em class="emphasis">test</em> in the Windows UNC format
-<em class="filename">\\</em><em class="replaceable">server</em><em class="filename">\test</em>,
-as we did in <a href="ch01.html">Chapter 1</a>. This should open a window
-on the desktop showing the contents of the folder. If this does not
-work, there is likely a problem with name resolution, and you can try
-using the server's IP address instead of its
-computer name, like this:</p>
-
-<blockquote><pre class="code">\\172.16.1.1\test</pre></blockquote>
-
-<p>If things still aren't right, go directly to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong
-with the network.</p>
-
-<p>If it works, congratulations! Try copying files to and from the
-server using the Windows drag-and-drop functionality. You might be
-pleasantly surprised how seamlessly everything works. <a name="INDEX-80"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-3-SECT-3"/>
-
-<h2 class="head1">Setting Up Windows NT 4.0 Computers</h2>
-
-<p>Configuring <a name="INDEX-81"/>Windows NT
-is a little different than configuring Windows 95/98/Me. To use Samba
-with Windows NT, you will need both the Workstation service and the
-TCP/IP protocol. Both come standard with NT, but
-we'll work through installing and configuring them
-to make sure they are configured correctly.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-3.1"/>
-
-<h3 class="head2">Basic Configuration</h3>
-
-<p><a name="INDEX-82"/>This section presents the steps
-to follow for TCP/IP-related configuration on Windows NT to get it to
-cooperate with Samba. If you need more details on Windows NT network
-administration, refer to Craig <a name="INDEX-83"/>Hunt and Robert Bruce
-<a name="INDEX-84"/>Thompson's
-<em class="citetitle">Windows NT TCP/IP Network Administration
-</em>(O'Reilly), an excellent guide.</p>
-
-<p>You should perform the following steps as the
-<tt class="literal">Administrator</tt> or another user in the
-<tt class="literal">Administrators</tt> group.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-3.1.1"/>
-
-<h3 class="head3">Installing the TCP/IP protocol</h3>
-
-<p><a name="INDEX-85"/><a name="INDEX-86"/>From
-the Control Panel, double-click the Network icon, click the Protocols
-tab in the Network dialog box, and look to see if you have the TCP/IP
-protocol installed, as shown in <a href="ch03.html#samba2-CHP-3-FIG-20">Figure 3-20</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-20"/><img src="figs/sam2_0320.gif"/></div><h4 class="head4">Figure 3-20. The Protocols tab</h4>
-
-<p>If the protocol is not installed, you need to add it. Click the Add
-button, which will display the Select Network Protocol dialog box
-shown in <a href="ch03.html#samba2-CHP-3-FIG-21">Figure 3-21</a>. You should immediately see the
-TCP/IP protocol as one of the last protocols listed.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-21"/><img src="figs/sam2_0321.gif"/></div><h4 class="head4">Figure 3-21. Select Network Protocol dialog box</h4>
-
-<p>Select TCP/IP as the protocol and confirm it. If
-possible, install only the TCP/IP protocol. If you see anything other
-than TCP/IP listed in the Protocols tab and it is not a protocol that
-you need, you can remove it. If you try to remove a protocol and get
-an error message saying that the protocol is being used by another
-service, you need to click the Services tab and remove that service
-before you can remove the protocol. For example, to remove the NWLink
-IPX/SPX Compatible Transport protocol, you would need to remove the
-Client Service for Netware first.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-3.1.2"/>
-
-<h3 class="head3">Installing the Workstation service</h3>
-
-<p><a name="INDEX-87"/><a name="INDEX-88"/>After installing TCP/IP, click the
-Services tab in the Network dialog, and check that you have a
-Workstation service, as shown at the end of the list in <a href="ch03.html#samba2-CHP-3-FIG-22">Figure 3-22</a>.<a name="FNPTR-8"/><a href="#FOOTNOTE-8">[8]</a></p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-22"/><img src="figs/sam2_0322.gif"/></div><h4 class="head4">Figure 3-22. Network Services tab</h4>
-
-<p>This service is actually the Microsoft Networking Client, which
-allows the computer to access SMB services. The Workstation service
-is mandatory. The service is installed by default on both Windows NT
-Workstation 4.0 and NT Server 4.0. If it's not
-there, you can install it much like TCP/IP. In this case you need to
-click the Add button and then select Workstation Service, as shown in
-<a href="ch03.html#samba2-CHP-3-FIG-23">Figure 3-23</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-23"/><img src="figs/sam2_0323.gif"/></div><h4 class="head4">Figure 3-23. Select Network Service dialog box</h4>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-3.1.3"/>
-
-<h3 class="head3">Configuring TCP/IP</h3>
-
-<p><a name="INDEX-89"/><a name="INDEX-90"/>After you've installed
-the Workstation service, return to the Protocols tab and select the
-TCP/IP Protocol entry in the window. Then click the Properties button
-below the window. The Microsoft TCP/IP Protocol dialog will be
-displayed. There are five tabs in the dialog, and you will need to
-work with four of them:</p>
-
-<ul><li>
-<p>IP Address</p>
-</li><li>
-<p>WINS Address</p>
-</li><li>
-<p>DNS</p>
-</li><li>
-<p>Bindings</p>
-</li></ul>
-
-<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.1"/>
-
-<h4 class="head4">IP Address tab</h4>
-
-<p><a name="INDEX-91"/><a name="INDEX-92"/>The IP
-Address tab is shown in <a href="ch03.html#samba2-CHP-3-FIG-24">Figure 3-24</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-24"/><img src="figs/sam2_0324.gif"/></div><h4 class="head4">Figure 3-24. Microsoft TCP/IP Properties dialog for Windows NT</h4>
-
-<p>Select the &quot;Specify an IP address&quot;
-radio button, and enter the computer's IP address
-and netmask in the space provided for the proper adapter (Ethernet
-card). You or your network manager should have selected an address
-for the client on the same subnet (LAN) as the Samba server. For
-example, if the server's address is 172.16.1.1 and
-its network mask is 255.255.255.0, you might use the address
-172.16.1.13 (if it is available) for the NT workstation, along with
-the same netmask. If you use DHCP on your network, select the
-&quot;Obtain an IP Address from a DHCP
-server&quot; button instead.</p>
-
-<p>The gateway field refers to a system typically known as a
-<em class="emphasis">router</em>. If you have routers connecting multiple
-networks, you should enter the IP address of the one on your subnet.
-In our example, the gateway happens to be the same system as the
-Samba server, but they do not by any means have to be the same.</p>
-
-
-</div>
-
-
-
-<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.2"/>
-
-<h4 class="head4">WINS Address tab</h4>
-
-<p><a name="INDEX-93"/><a name="INDEX-94"/>Click the
-WINS Address tab, shown in <a href="ch03.html#samba2-CHP-3-FIG-25">Figure 3-25</a>, and you can
-begin to enter information about name servers. Enter the address of
-your WINS server in the space labeled Primary WINS Server. If your
-Samba server is providing WINS service (in other words, you have the
-line <tt class="literal">wins</tt> <tt class="literal">support</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
-<em class="emphasis">smb.conf</em> file of your Samba server), provide the
-Samba server's IP address here. Otherwise, provide
-the address of another WINS server on your network.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-25"/><img src="figs/sam2_0325.gif"/></div><h4 class="head4">Figure 3-25. The WINS Address tab</h4>
-
-<p>You probably noticed that there is a field here for the network
-adapter. This field must specify the Ethernet adapter on which
-you're running TCP/IP so that WINS will provide name
-service on the correct network. For example, if you have both a LAN
-and a dial-up adapter, make sure you have the LAN's
-network card specified here.</p>
-
-<p>The checkboxes in the lower half of the dialog are for enabling two
-other methods of name resolution that Windows can incorporate into
-its name service. Samba doesn't require either of
-them, but you might want to enable them to increase the reliability
-or functionality of name service for your client. See <a href="ch07.html">Chapter 7</a> for further information on name resolution
-issues.</p>
-
-<p>If you'd like to use a DNS server, select the Enable
-DNS for Windows Resolution checkbox. In addition, you will need to do
-some configuration to allow the Windows system to find the DNS
-server, unless you're using DHCP.</p>
-
-
-</div>
-
-
-
-<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.3"/>
-
-<h4 class="head4">DNS tab</h4>
-
-<p><a name="INDEX-95"/><a name="INDEX-96"/>Click
-the tab for DNS, as shown in <a href="ch03.html#samba2-CHP-3-FIG-26">Figure 3-26</a>. Enter the
-IP addresses for one or more DNS servers in the space provided. Also,
-enter the hostname (which should be the same as the NetBIOS computer
-name). You will enter this again later in another control panel, so
-make sure they match. Finally, enter the DNS domain on which this
-system resides. For example, if your workstation has a domain name
-such as <em class="emphasis">metran.cx</em>, enter it here. You can safely
-ignore the other options.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-26"/><img src="figs/sam2_0326.gif"/></div><h4 class="head4">Figure 3-26. The DNS tab</h4>
-
-
-</div>
-
-
-
-<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.4"/>
-
-<h4 class="head4">The LMHOSTS file</h4>
-
-<p>If you want to install an
-<em class="filename">LMHOSTS</em><a name="INDEX-97"/><a name="INDEX-98"/> file, it
-must be placed in the directory
-<em class="filename">\system32\drivers\etc</em> under your Windows
-installation directory (usually <em class="filename">C:\WINNT</em>). The
-easy way to make sure it gets to the proper location is to use the
-Import LMHOSTS button on the WINS Address tab. (But if you want to do
-it over the network, you will have to do that after file sharing is
-configured!) Remember to click the Enable LMHOSTS Lookup checkbox on
-the WINS Address tab to enable this functionality.</p>
-
-<p>When you are satisfied with your settings for IP Address, WINS
-Address, and DNS, click OK to return to the Network dialog box.</p>
-
-
-</div>
-
-
-
-<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.5"/>
-
-<h4 class="head4">Bindings</h4>
-
-<p><a name="INDEX-99"/><a name="INDEX-100"/>Now click the
-Bindings tab, and check the bindings of network hardware, services,
-and protocols. Set the &quot;Show Bindings
-for&quot; field to &quot;all
-services,&quot; and click all the + buttons in the tree.
-You should see a display similar to <a href="ch03.html#samba2-CHP-3-FIG-27">Figure 3-27</a>,
-which shows that the NetBIOS, Server, and Workstation interface
-services are connected to the WINS client running TCP/IP protocol,
-and that the WINS client is bound to the Ethernet adapter of the
-local area network.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-27"/><img src="figs/sam2_0327.gif"/></div><h4 class="head4">Figure 3-27. The Bindings tab</h4>
-
-<p>You can safely leave the default values for the remainder of the tabs
-in the Network dialog box. Click the OK button to complete the
-configuration. Once the proper files are loaded (if any), you might
-need to reboot for your changes to take effect.</p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-3.2"/>
-
-<h3 class="head2">Computer Name and Workgroup</h3>
-
-<p><a name="INDEX-101"/><a name="INDEX-102"/><a name="INDEX-103"/><a name="INDEX-104"/>The next
-thing you need to do is to give the system a NetBIOS computer name.
-From the Control Panel, double-click the Network icon to open the
-Network dialog box. The first tab in this dialog box should be the
-Identification tab, as illustrated in <a href="ch03.html#samba2-CHP-3-FIG-28">Figure 3-28</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-28"/><img src="figs/sam2_0328.gif"/></div><h4 class="head4">Figure 3-28. The Identification tab</h4>
-
-<p>Here, you need to identify your computer with a name and change the
-default workgroup to the one you specified in the
-<em class="emphasis">smb.conf</em> file of your Samba server. Click the
-Change button below the two text fields. This will open an
-Identification Changes dialog box, where you can set the workgroup
-and the computer name, as shown in <a href="ch03.html#samba2-CHP-3-FIG-29">Figure 3-29</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-29"/><img src="figs/sam2_0329.gif"/></div><h4 class="head4">Figure 3-29. The Identification Changes dialog</h4>
-<a name="samba2-CHP-3-NOTE-94"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>You entered the computer name earlier as a DNS hostname while
-configuring TCP/IP, so be sure that the two names match. The name you
-set here is the NetBIOS name. You're allowed to make
-it different from the TCP/IP hostname, but doing so is usually not a
-good idea. Don't worry that Windows NT forces the
-computer name and the workgroup to be all capital letters;
-it's smart enough to figure out what you mean when
-it connects to the network.</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-3.3"/>
-
-<h3 class="head2">Adding a User</h3>
-
-<p><a name="INDEX-105"/><a name="INDEX-106"/>In all
-the previous steps, you were logged into your Windows NT system as
-<tt class="literal">Administrator</tt> or another user in the
-<tt class="literal">Administrators</tt> group. To access resources on the
-Samba server, you will need to have a username and password that the
-Samba server recognizes as valid. Generally, the best way to do this
-is to add a user to your NT system, with the same username and
-password as a user on the Samba host system.</p>
-
-<a name="samba2-CHP-3-NOTE-95"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>The directions in this section assume that your network is set up as
-a workgroup. If you have already set up your network as a domain, as
-we describe in <a href="ch04.html">Chapter 4</a>, you do not need to
-follow the instructions here for adding a local user on the Windows
-NT client system. Simply log on to the domain from the client using a
-username and password in Samba's
-<em class="filename">smbpasswd</em> account database, and continue with
-the next section, <a href="ch03.html#samba2-CHP-3-SECT-3.4">Section 3.3.4</a>.</p>
-</blockquote>
-
-<p>To add a new user, open the Start menu, navigate through the Programs
-submenu to Administrative Tools (Common), and select User Manager for
-Domains. Click the User menu and select the first item, Add User...,
-shown in <a href="ch03.html#samba2-CHP-3-FIG-30">Figure 3-30</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-30"/><img src="figs/sam2_0330.gif"/></div><h4 class="head4">Figure 3-30. User Manager for Domains window</h4>
-
-<p>This brings up the New User dialog box shown in <a href="ch03.html#samba2-CHP-3-FIG-31">Figure 3-31</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-31"/><img src="figs/sam2_0331.gif"/></div><h4 class="head4">Figure 3-31. The New User dialog</h4>
-
-<p>Fill it out as shown, using the username and password that were added
-in the previous chapter, and make sure that only the checkbox labeled
-Password Never Expires is checked. (This is not the default!) Click
-the Add button to add the user, and then click the Close button. You
-should now see your new account added to the list in the User Manager
-dialog box.</p>
-
-<p>Now open the Start menu, select Shut Down, and select the
-&quot;Close all programs and log on as a different
-user?&quot; radio button. Click the Yes button, then log
-in as the user you just added.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-3.4"/>
-
-<h3 class="head2">Connecting to the Samba Server</h3>
-
-<p>Now for the big moment. Your <a name="INDEX-107"/><a name="INDEX-108"/>Samba
-server is running, and you have set up your NT client to communicate
-with it. Double-click the Network Neighborhood icon on the desktop,
-and you should see your Samba server listed as a member of the
-workgroup, as shown in <a href="ch03.html#samba2-CHP-3-FIG-32">Figure 3-32</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-32"/><img src="figs/sam2_0332.gif"/></div><h4 class="head4">Figure 3-32. The Windows NT Network Neighborhood</h4>
-
-<p>Double-clicking the server name will show the resources that the
-server is offering to the network, as shown in <a href="ch03.html#samba2-CHP-3-FIG-33">Figure 3-33</a>. In this case, the <em class="filename">test</em>
-directory and the default printer are offered to the Windows NT
-workstation.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-33"/><img src="figs/sam2_0333.gif"/></div><h4 class="head4">Figure 3-33. Shares offered by the Toltec server</h4>
-
-<p>If you don't see the server listed,
-don't panic. Select Run... from the Start menu. A
-dialog box appears that allows you to type the name of your server
-and its share directory in Windows format. For example, you would
-enter
-<em class="filename">\\</em>toltec<em class="filename">\</em><tt class="literal">test</tt>,
-as shown in <a href="ch03.html#samba2-CHP-3-FIG-34">Figure 3-34</a>, and use your
-server's hostname instead of
-&quot;toltec&quot;.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-34"/><img src="figs/sam2_0334.gif"/></div><h4 class="head4">Figure 3-34. Opening a shared directory, using the server's NetBIOS name in the UNC</h4>
-
-<p>This will work even if browsing services are not set up right, which
-is a common problem. You can also work around a name-service problem
-by entering the server's IP Address (such as
-172.16.1.1 in our example) instead of the Samba
-server's hostname, as shown in <a href="ch03.html#samba2-CHP-3-FIG-35">Figure 3-35</a>. Go back and check your configuration, and if
-things still aren't right, go to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong with the
-network.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-35"/><img src="figs/sam2_0335.gif"/></div><h4 class="head4">Figure 3-35. Opening a shared directory, using the server's IP address in the UNC</h4>
-
-<p>If it works, congratulations! Try copying files to and from the
-server by dragging their icons to and from the folder on the Samba
-share. You might be pleasantly surprised how seamlessly everything
-works. <a name="INDEX-109"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-3-SECT-4"/>
-
-<h2 class="head1">Setting Up Windows 2000 Computers</h2>
-
-<p><a name="INDEX-110"/>Although
-Windows 2000 is based on NT technology and is similar to Windows NT
-in many respects, configuring it for use with Samba is quite
-different.</p>
-
-<p>You should perform the following steps as the
-<tt class="literal">Administrator</tt> or another user in the
-<tt class="literal">Administrators</tt> group.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-4.1"/>
-
-<h3 class="head2">Networking Components</h3>
-
-<p><a name="INDEX-111"/><a name="INDEX-112"/>Go to the Control Panel and
-double-click the Network and Dial-up Connections icon. You should see
-at least one Local Area Connection icon. If there is more than one,
-identify the one that corresponds to the network adapter that is
-connected to your Samba network. Right-click the Local Area
-Connection icon, and click the Properties button. (Or double-click
-the Local Area Connection icon, and then click the Properties button
-in the dialog box that comes up.) You should now be looking at the
-Local Area Connection Properties dialog box, as shown in <a href="ch03.html#samba2-CHP-3-FIG-36">Figure 3-36</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-36"/><img src="figs/sam2_0336.gif"/></div><h4 class="head4">Figure 3-36. Windows 2000 Local Area Connection Properties dialog</h4>
-
-<p>First of all, you might want to click the Configure button under the
-field for the network adapter, to make sure you see the message
-&quot;This device is working properly&quot;
-in the Device status window. If there is a problem, make sure to
-correct it before continuing. You should also see the message
-&quot;Use this device (enable)&quot; in the
-Device usage field of the dialog box. Make sure to set it this way if
-it is not already. Click OK or Cancel to get back to the Local Area
-Connection Properties dialog box.</p>
-
-<p>You should see at least the following two components:</p>
-
-<ul><li>
-<p>Client for Microsoft Networks</p>
-</li><li>
-<p>Internet Protocol (TCP/IP)</p>
-</li></ul>
-<p>If you do not see either Client for Microsoft Networks or Internet
-Protocol (TCP/IP) in your list, you will need to add them. For
-either, the method is to click the Install... button, click the type
-of component (Client or Protocol), and then click the Add... button.
-Next, click the component you want to add, and click the OK button.
-You should see the component added to the list with the others.</p>
-
-<p>Some components should be removed if you see them in the list:</p>
-
-<ul><li>
-<p>NetBEUI Protocol</p>
-</li><li>
-<p>NWLink NetBIOS</p>
-</li><li>
-<p>NWLink IPX/SPX/NetBIOS Compatible Transport Protocol</p>
-</li><li>
-<p>Client Service for Netware</p>
-</li></ul>
-<p>If you see anything other than TCP/IP listed as a protocol, and it is
-not a protocol that you need, you can remove it. Uninstall NetBEUI,
-unless you are sure you need it, and the other three if you do not
-need to support Netware. If you try to remove a protocol and get an
-error message saying that the protocol is being used by another
-service, you need to remove that service before you can remove the
-protocol. For example, to remove the NWLink IPX/SPX Compatible
-Transport Protocol, you would need to remove the Client Service for
-Netware first.</p>
-
-<p>To remove a component, click the component in the list, click the
-Uninstall button, and then click Yes in the dialog box that pops up.
-In some cases, Windows might need to reboot to put the change into
-effect.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-4.2"/>
-
-<h3 class="head2">Bindings</h3>
-
-<p><a name="INDEX-113"/><a name="INDEX-114"/>Next to each
-client, service, or protocol listed in the window in the Local Area
-Connections Properties dialog box, you will see a checkbox. Make sure
-the checkbox is checked for both Client for Microsoft Networks and
-Internet Protocol (TCP/IP). The check marks indicate the networking
-components are bound to the network adapter shown at the top of the
-dialog box.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-4.3"/>
-
-<h3 class="head2">Configuring TCP/IP</h3>
-
-<p><a name="INDEX-115"/><a name="INDEX-116"/>Now click Internet Protocol (TCP/IP),
-and then click Properties to open the Internet Protocol (TCP/IP)
-Properties dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-37">Figure 3-37</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-37"/><img src="figs/sam2_0337.gif"/></div><h4 class="head4">Figure 3-37. Internet Protocol (TCP/IP) Properties dialog</h4>
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.1"/>
-
-<h3 class="head3">IP address</h3>
-
-<p><a name="INDEX-117"/><a name="INDEX-118"/>If
-you are using DHCP on your network to assign IP addresses
-dynamically, select the &quot;Obtain IP address
-automatically&quot; radio button. Otherwise, select the
-&quot;Use the following address:&quot; radio
-button, and fill in the computer's IP address and
-netmask in the spaces provided. You or your network manager should
-have selected an address for the client on the same subnet (LAN) as
-the Samba server. For example, if the server's
-address is 172.16.1.1 and its network mask is 255.255.255.0, you
-might use the address 172.16.1.14, if it is available, along with the
-same netmask. You can also fill in the IP address of the default
-gateway.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.2"/>
-
-<h3 class="head3">DNS server</h3>
-
-<p><a name="INDEX-119"/><a name="INDEX-120"/>In
-the lower part of the dialog box, click the &quot;Use the
-following DNS server addresses:&quot; radio button, and
-fill in the IP address of your DNS server.</p>
-
-<p>Now click the Advanced... button to bring up the Advanced TCP/IP
-Settings dialog box, and then click the WINS tab.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.3"/>
-
-<h3 class="head3">WINS server</h3>
-
-<p><a name="INDEX-121"/><a name="INDEX-122"/>Enter the
-address of your WINS server in the space labeled
-&quot;WINS addresses, in order of use:&quot;.
-If your Samba server is providing WINS service (in other words, you
-have the line <tt class="literal">wins</tt> <tt class="literal">service</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
-<em class="emphasis">smb.conf</em> file of your Samba server), provide the
-Samba server's IP address here. Otherwise, provide
-the address of another WINS server on your network.</p>
-
-<p>Near the bottom of the dialog box, select the radio button labeled
-&quot;Enable NetBIOS over TCP/IP&quot;. <a href="ch03.html#samba2-CHP-3-FIG-38">Figure 3-38</a> shows what your Advanced TCP/IP Settings
-dialog box should look like at this point.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-38"/><img src="figs/sam2_0338.gif"/></div><h4 class="head4">Figure 3-38. Advanced TCP/IP Settings dialog, showing WINS tab</h4>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.4"/>
-
-<h3 class="head3">The LMHOSTS file</h3>
-
-<p>If you want to install an
-<em class="filename">LMHOSTS</em><a name="INDEX-123"/><a name="INDEX-124"/> file,
-it must be placed in the <em class="filename">\system32\drivers\etc</em>
-directory under your Windows installation directory (usually
-<em class="filename">C:\WINNT</em> ). The easy way to make sure it gets to
-the proper location is to use the Import LMHOSTS... button on the
-WINS Address tab. (But if you want to do it over the network, you
-will have to do that after file sharing is configured!) Remember to
-click the Enable LMHOSTS Lookup checkbox on the WINS Address tab to
-enable this functionality.</p>
-
-<p>When you are satisfied with your settings for IP Address, WINS
-Address, and DNS, click the OK buttons in each open dialog box to
-complete the configuration. Windows might need to load some files
-from the Windows 2000 distribution CD-ROM, and you might need to
-reboot for your changes to take effect.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-4.4"/>
-
-<h3 class="head2">Computer and Workgroup Names</h3>
-
-<p><a name="INDEX-125"/><a name="INDEX-126"/><a name="INDEX-127"/><a name="INDEX-128"/>From
-the Control Panel, double-click the System icon to open the System
-Properties dialog box. Click the Network Identification tab, and your
-System Properties dialog box will look similar to <a href="ch03.html#samba2-CHP-3-FIG-39">Figure 3-39</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-39"/><img src="figs/sam2_0339.gif"/></div><h4 class="head4">Figure 3-39. System Properties dialog, showing Network Identification tab</h4>
-
-<p>To give your system computer a name and a workgroup, click the
-Properties button, which will bring up the Identification Changes
-dialog box, as in <a href="ch03.html#samba2-CHP-3-FIG-40">Figure 3-40</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-40"/><img src="figs/sam2_0340.gif"/></div><h4 class="head4">Figure 3-40. Identification Changes dialog</h4>
-
-<p>You need to identify your computer with a name and change the
-workgroup to the one you specified in the
-<em class="emphasis">smb.conf</em> file of your Samba server.
-Don't worry that Windows forces the computer name
-and the workgroup to be all capital letters; it's
-smart enough to figure out what you mean when it connects to the
-network.</p>
-
-<p>Click the More... button to bring up the DNS Suffix and NetBIOS
-Computer Name dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-41">Figure 3-41</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-41"/><img src="figs/sam2_0341.gif"/></div><h4 class="head4">Figure 3-41. DNS Suffix and NetBIOS Computer Name dialog</h4>
-
-<p>Enter the DNS domain name of this computer in the text field labeled
-Primary DNS Suffix for this computer:, and then click OK. You should
-now see the FQDN of this system underneath the label
-&quot;Full computer name:&quot;. Click the OK
-button and then reboot when requested to put your configuration
-changes into effect. Once again, log in using your administrative
-account.</p>
-<a name="samba2-CHP-3-NOTE-96"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>There have been reports of authentication problems with Samba when a
-username on a Windows 2000 system is the same as its computer name.</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-4.5"/>
-
-<h3 class="head2">Adding a Samba-Enabled User</h3>
-
-<p><a name="INDEX-129"/><a name="INDEX-130"/>So far,
-you have been logged into your Windows 2000 system as a user in the
-<tt class="literal">Administrators</tt> group. To access resources on the
-Samba server, you will need a username and password that the Samba
-server recognizes as valid. If your administrative account has such a
-username and password, you can use it, but you might want to access
-your system and the network from a nonadministrative user account
-instead.</p>
-<a name="samba2-CHP-3-NOTE-97"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>The directions in this section assume that your network is set up as
-a workgroup. If you have already set up your network as a domain, as
-we describe in <a href="ch04.html">Chapter 4</a>, you do not need to
-follow the instructions here for adding a local user on the Windows
-2000 client system. Simply log on to the domain from the client using
-a username and password in Samba's
-<em class="filename">smbpasswd</em> account database, and continue with
-the next section, <a href="ch03.html#samba2-CHP-3-SECT-4.6">Section 3.4.6</a>.</p>
-</blockquote>
-
-<p>To add a new user, open the Control Panel, and double-click the Users
-and Passwords icon to open the Users and Passwords dialog box, shown
-in <a href="ch03.html#samba2-CHP-3-FIG-42">Figure 3-42</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-42"/><img src="figs/sam2_0342.gif"/></div><h4 class="head4">Figure 3-42. Users and Passwords dialog</h4>
-
-<p>The first thing to do is make sure the checkbox labeled
-&quot;Users must enter a user name and password to use
-this computer.&quot; is checked. Next, click the Add...
-button to bring up the first dialog box of the User Wizard, shown in
-<a href="ch03.html#samba2-CHP-3-FIG-43">Figure 3-43</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-43"/><img src="figs/sam2_0343.gif"/></div><h4 class="head4">Figure 3-43. Adding a new user</h4>
-
-<p>Fill out the fields, using the username of a valid user account on
-the Samba host, and then click the Next &gt; button to enter and
-confirm the user's password. This password must be
-the same as the user's password on the Samba host.
-If you are using encrypted passwords, make sure this username and
-password are the same as what you used when you ran the
-<em class="emphasis">smbpasswd</em> program. Click the Next &gt; button,
-which brings up the final dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-44">Figure 3-44</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-44"/><img src="figs/sam2_0344.gif"/></div><h4 class="head4">Figure 3-44. Specifying a group for the new user</h4>
-
-<p>Pick a group for the user (the default Standard User should do), and
-click the Finish button. You should now see your new account added to
-the list in the Users and Passwords dialog box. Click the OK button
-to complete the process.</p>
-
-<p>Now return to the Users and Passwords control panel window, click the
-Advanced tab, then click on the Advanced button. Click the Users
-folder in the left side of the Local Users and Groups window that
-appears, and then double-click the account you just added in the
-right side of the window. In the Properties window that opens, click
-the checkbox labeled Password never expires. You are done! Click the
-OK buttons in all the dialog boxes, and close all open windows.</p>
-
-<p>Open the Start menu, select Shut Down, and select Log off
-<em class="emphasis">username</em> from the drop-down menu. Click the OK
-button, then log on with the username and password you just added.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-4.6"/>
-
-<h3 class="head2">Connecting to the Samba Server</h3>
-
-<p>Now for the big moment. Your Samba server is running, and you have
-set up your <a name="INDEX-131"/><a name="INDEX-132"/>Windows 2000 client to communicate with
-it. Double-click the My Network Places icon on the desktop, and then
-double-click the Computers Near Me icon to browse the workgroup. You
-should see your Samba server listed as a member of the workgroup, as
-shown in <a href="ch03.html#samba2-CHP-3-FIG-45">Figure 3-45</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-45"/><img src="figs/sam2_0345.gif"/></div><h4 class="head4">Figure 3-45. The Computers Near Me window, showing computers in the workgroup</h4>
-
-<p>Double-clicking the server name will show the resources that the
-server is offering to the network, as shown in <a href="ch03.html#samba2-CHP-3-FIG-46">Figure 3-46</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-46"/><img src="figs/sam2_0346.gif"/></div><h4 class="head4">Figure 3-46. Shares offered by the Toltec server</h4>
-
-<p>In this case, the <em class="filename">test</em> directory and the default
-printer are offered to the Windows 2000 workstation. If you
-don't see the server listed, don't
-panic. Select Run from the Start menu. A dialog box appears that
-allows you to type the name of your server and its share directory in
-Windows format. For example, you would enter
-<em class="filename">\\toltec\</em><tt class="literal">test</tt>, as shown in
-<a href="ch03.html#samba2-CHP-3-FIG-47">Figure 3-47</a>, and use your server's
-hostname instead of &quot;toltec&quot;.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-47"/><img src="figs/sam2_0347.gif"/></div><h4 class="head4">Figure 3-47. Opening a shared directory, using the server's NetBIOS name in the UNC</h4>
-
-<p>This will work even if browsing services are not set up right, which
-is a common problem. You can also work around a name-service problem
-by entering the server's IP address (such as
-172.16.1.1 in our example) instead of the Samba
-server's hostname, as shown in <a href="ch03.html#samba2-CHP-3-FIG-48">Figure 3-48</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-48"/><img src="figs/sam2_0348.gif"/></div><h4 class="head4">Figure 3-48. Opening a shared directory, using the server's IP address in the UNC</h4>
-
-<p>If things still aren't right, go directly to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong
-with the network.</p>
-
-<p>If it works, congratulations! Try copying files to and from the
-server. You will be pleasantly surprised how seamlessly everything
-works. Now that you've finished setting up the Samba
-server and its clients, you can proceed to the next chapter.
-<a name="INDEX-133"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-3-SECT-5"/>
-
-<h2 class="head1">Setting Up Windows XP Computers</h2>
-
-<p>Although <a name="INDEX-134"/>Windows XP
-is very similar to Windows 2000, it has a very different user
-interface, and there are a number of subtle differences. For example,
-getting to the Control Panel is different than in any previous
-version of Windows&mdash;one must click the Control Panel item from
-the Start menu (there is no Settings item in the Start menu in XP).
-By default, XP will display the Control Panel in Category View mode.
-If you see this, click the Switch to Classic View item in the
-upper-left corner of the window. All of our directions are for using
-the Control Panel in Classic View mode.</p>
-
-<p>You should perform the following steps as the
-<tt class="literal">Administrator</tt> or another user in the
-Administrators group.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-5.1"/>
-
-<h3 class="head2">Networking Components</h3>
-
-<p><a name="INDEX-135"/><a name="INDEX-136"/>Go to the Control Panel and
-double-click the Network and Dial-up Connections icon. You should see
-at least one Local Area Connection icon. If there is more than one,
-identify the one that corresponds to the network adapter that is
-connected to your Samba network. Right-click the Local Area
-Connection icon and click the Properties button. (Or double-click the
-Local Area Connection icon and then click the Properties button in
-the dialog box that comes up.) You should now be looking at the Local
-Area Connection Properties dialog box, as shown in <a href="ch03.html#samba2-CHP-3-FIG-49">Figure 3-49</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-49"/><img src="figs/sam2_0349.gif"/></div><h4 class="head4">Figure 3-49. The Local Area Connection Properties dialog</h4>
-
-<p>First of all, you might want to click the Configure button under the
-field for the network adapter to make sure you see the message
-&quot;This device is working properly&quot;
-in the Device status window. If there is a problem, make sure to
-correct it before continuing. You should also see the message
-&quot;Use this device (enable)&quot; in the
-Device usage field of the dialog box. Make sure to set it this way if
-it is not already. Click OK or Cancel to close this dialog box, then
-reopen the Local Area Connection Properties dialog box.</p>
-
-<p>You should see at least the following two components:</p>
-
-<ul><li>
-<p>Client for Microsoft Networks</p>
-</li><li>
-<p>Internet Protocol (TCP/IP)</p>
-</li></ul>
-<p>If you do not see either Client for Microsoft Networks or Internet
-Protocol (TCP/IP) in your list, you will need to add them. For
-either, the method is to click the Install... button, click the type
-of component (Client or Protocol), and then click the Add... button.
-Next, click the component you want to add, and click the OK button.
-You should see the component added to the list with the others.</p>
-
-<p>If you see anything other than TCP/IP listed as a protocol, and it is
-not a protocol that you need, you can remove it. If NetBEUI appears
-in the list, uninstall it if you possibly can. Also uninstall any
-Netware-related components if you do not need to support Netware. If
-you try to remove a protocol and get an error message saying that the
-protocol is being used by another service, you need to remove that
-service before you can remove the protocol. For example, to remove
-the NWLink IPX/SPX Compatible Transport Protocol, you would need to
-remove the Client Service for Netware first.</p>
-
-<p>To remove a component, click the component in the list, click the
-Uninstall button, and then click Yes in the dialog box that pops up.
-In some cases, Windows might need to reboot to put the change into
-effect.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-5.1.1"/>
-
-<h3 class="head3">Bindings</h3>
-
-<p><a name="INDEX-137"/><a name="INDEX-138"/>Next to each client, service, or protocol
-listed in the window in the Local Area Connections Properties dialog
-box, you will see a checkbox. Make sure the checkbox is checked for
-both Client for Microsoft Networks and Internet Protocol (TCP/IP).
-The check marks indicate that the networking components are bound to
-the network adapter shown at the top of the dialog box.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-5.2"/>
-
-<h3 class="head2">Configuring TCP/IP</h3>
-
-<p><a name="INDEX-139"/><a name="INDEX-140"/>Now click Internet Protocol
-(TCP/IP) and then click Properties to open the Internet Protocol
-(TCP/IP) Properties dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-50">Figure 3-50</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-50"/><img src="figs/sam2_0350.gif"/></div><h4 class="head4">Figure 3-50. The Internet Protocol (TCP/IP) Properties dialog</h4>
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.1"/>
-
-<h3 class="head3">IP address</h3>
-
-<p><a name="INDEX-141"/><a name="INDEX-142"/>If
-you are using DHCP on your network to assign IP addresses
-dynamically, select the &quot;Obtain IP address
-automatically&quot; radio button. Otherwise, select the
-&quot;Use the following address:&quot; radio
-button, and fill in the computer's IP address and
-netmask in the spaces provided. You or your network manager should
-have selected an address for the client on the same subnet (LAN) as
-the Samba server. For example, if the server's
-address is 172.16.1.1 and its network mask is 255.255.255.0, you
-might use the address 172.16.1.12 (if it is available) along with the
-same netmask. You can also fill in the IP address of the default
-gateway.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.2"/>
-
-<h3 class="head3">DNS server</h3>
-
-<p><a name="INDEX-143"/><a name="INDEX-144"/>In the lower part of the dialog box, click
-the &quot;Use the following DNS server
-addresses:&quot; radio button, and fill in the IP address
-of your DNS server.</p>
-
-<p>Now click the Advanced... button to bring up the Advanced TCP/IP
-Settings dialog box, and then click the WINS tab.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.3"/>
-
-<h3 class="head3">WINS server</h3>
-
-<p><a name="INDEX-145"/><a name="INDEX-146"/>Enter
-the address of your WINS server in the space labeled
-&quot;WINS addresses, in order of use:&quot;.
-If your Samba server is providing WINS service (in other words, you
-have the line <tt class="literal">wins</tt> <tt class="literal">support</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
-<em class="emphasis">smb.conf</em> file of your Samba server), provide the
-Samba server's IP address here. Otherwise, provide
-the address of another WINS server on your network.</p>
-
-<p>Near the bottom of the dialog box, select the radio button labeled
-Enable NetBIOS over TCP/IP. <a href="ch03.html#samba2-CHP-3-FIG-51">Figure 3-51</a> shows what
-your Advanced TCP/IP Settings dialog box should look like at this
-point.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-51"/><img src="figs/sam2_0351.gif"/></div><h4 class="head4">Figure 3-51. The Advanced TCP/IP Settings dialog, showing the WINS tab</h4>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.4"/>
-
-<h3 class="head3">The LMHOSTS file</h3>
-
-<p>If you want to install an
-<em class="filename">LMHOSTS</em><a name="INDEX-147"/><a name="INDEX-148"/> file, it
-must be placed in the <em class="filename">\system32\drivers\etc</em>
-directory under your Windows installation directory (usually
-<em class="filename">C:\WINNT</em> ). The easy way to make sure it gets to
-the proper location is to use the Import LMHOSTS... button on the
-WINS Address tab. (But if you want to do it over the network, you
-will have to do that after file sharing is configured!) Remember to
-click the Enable LMHOSTS Lookup checkbox on the WINS Address tab to
-enable this functionality.</p>
-
-<p>When you are satisfied with your settings for IP Address, WINS
-Address, and DNS, click the OK buttons in each open dialog box (and
-the Close button in the Local Area Connection Properties dialog box)
-to complete the configuration. Windows might need to load some files
-from the Windows XP distribution CD-ROM, and you might need to reboot
-for your changes to take effect.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-5.3"/>
-
-<h3 class="head2">Computer and Workgroup Names</h3>
-
-<p><a name="INDEX-149"/><a name="INDEX-150"/><a name="INDEX-151"/><a name="INDEX-152"/>From the
-Control Panel, double-click the System icon to open the System
-Properties dialog box. Click the Computer Name tab, and your System
-Properties dialog box will look similar to <a href="ch03.html#samba2-CHP-3-FIG-52">Figure 3-52</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-52"/><img src="figs/sam2_0352.gif"/></div><h4 class="head4">Figure 3-52. The System Properties dialog, showing the Computer Name tab</h4>
-
-<p>To give your system computer a name and a workgroup, click the
-Change... button, which will bring up the Computer Name Changes
-dialog box, as in <a href="ch03.html#samba2-CHP-3-FIG-53">Figure 3-53</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-53"/><img src="figs/sam2_0353.gif"/></div><h4 class="head4">Figure 3-53. The Computer Name Changes dialog</h4>
-
-<p>You need to identify your computer with a name and change the
-workgroup to the one you specified in the
-<em class="emphasis">smb.conf</em> file of your Samba server.
-Don't worry that Windows forces the workgroup to be
-all capital letters; it's smart enough to figure out
-what you mean when it connects to the network.</p>
-
-<p>Click the More... button to bring up the DNS Suffix and NetBIOS
-Computer Name dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-54">Figure 3-54</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-54"/><img src="figs/sam2_0354.gif"/></div><h4 class="head4">Figure 3-54. The DNS Suffix and NetBIOS Computer Name dialog</h4>
-
-<p>Enter the DNS domain name of this computer in the text field labeled
-Primary DNS Suffix for this computer:, and then click OK. You should
-now see the FQDN of this system underneath the label Full computer
-name: in the Computer Name Changes dialog box. Click the OK button
-and then reboot when requested to put your configuration changes into
-effect. Once again, log in using your administrative account.</p>
-<a name="samba2-CHP-3-NOTE-98"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>There have been reports of authentication problems with Samba when a
-username on a Windows XP system is the same as its computer name.</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-5.4"/>
-
-<h3 class="head2">Adding a Samba-Enabled User</h3>
-
-<p><a name="INDEX-153"/><a name="INDEX-154"/>So far,
-you have been logged into your Windows XP system as a user in the
-Administrators group. To access resources on the Samba server, you
-will need to have a username and password that the Samba server
-recognizes as valid. If your administrative account has such a
-username and password, you can use it, but you might want to access
-your system and the network from a nonadministrative user account
-instead.</p>
-
-<a name="samba2-CHP-3-NOTE-99"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>The directions in this section assume that your network is set up as
-a workgroup. If you have already set up your network as a domain, as
-we describe in <a href="ch04.html">Chapter 4</a>, you do not need to
-follow the instructions here for adding a local user on the Windows
-XP client system. Simply log on to the domain from the client using a
-username and password in Samba's
-<em class="filename">smbpasswd</em> account database, and continue with
-the next section, <a href="ch03.html#samba2-CHP-3-SECT-5.5">Section 3.5.5</a>.</p>
-</blockquote>
-
-<p>To add a new user, open the Control Panel, and double-click the Users
-Accounts icon to open the User Accounts window, shown in <a href="ch03.html#samba2-CHP-3-FIG-55">Figure 3-55</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-55"/><img src="figs/sam2_0355.gif"/></div><h4 class="head4">Figure 3-55. The User Accounts window</h4>
-
-<p>Click the Create a new account task, which will bring up the window
-shown in <a href="ch03.html#samba2-CHP-3-FIG-56">Figure 3-56</a>. Enter the username, then click
-the Next &gt; button.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-56"/><img src="figs/sam2_0356.gif"/></div><h4 class="head4">Figure 3-56. Entering the username</h4>
-
-<p>Click the radio button labeled
-&quot;Limited&quot;, as shown in <a href="ch03.html#samba2-CHP-3-FIG-57">Figure 3-57</a>.</p>
-
-<p>Click the Create Account button, and you will see the username you
-added next to a picture at the bottom of the User Accounts window. We
-still need to assign a password to the account. Click the account to
-bring up the &quot;What do you want to change about
-<em class="emphasis">username</em>'s
-account?&quot; window, and then click Create a password.
-Enter the password, and enter it again to confirm it.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-57"/><img src="figs/sam2_0357.gif"/></div><h4 class="head4">Figure 3-57. Setting the account type</h4>
-
-<p>This password must be the same as the user's
-password on the Samba host. If you are using encrypted passwords,
-make sure this username and password are the same as what you used
-when you ran the <em class="emphasis">smbpasswd</em> program. Click the
-Create Password button, and you're done adding the
-account.</p>
-
-<p>Now open the Start menu and click the Log Off button. In the Log Off
-Windows dialog box that pops up, again click the Log Off button. When
-Windows displays the login screen, click the user you just added, and
-type in the password to log in.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-3-SECT-5.5"/>
-
-<h3 class="head2">Connecting to the Samba Server</h3>
-
-<p><a name="INDEX-155"/><a name="INDEX-156"/>Now for
-the big moment. Your Samba server is running, and you have set up
-your Windows XP client to communicate with it. In the Start menu,
-select My Computer<a name="FNPTR-9"/><a href="#FOOTNOTE-9">[9]</a> to open the My Computer window. Click My
-Network Places, in the Other Places box in the left part of the
-window. You should see a folder icon for the
-<em class="filename">test</em> directory, as shown in <a href="ch03.html#samba2-CHP-3-FIG-58">Figure 3-58</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-58"/><img src="figs/sam2_0358.gif"/></div><h4 class="head4">Figure 3-58. The My Network Places window</h4>
-
-<p>Now click View workgroup computers in the Network Tasks box at the
-left of the window. You should see your Samba server listed as a
-member of the workgroup. Double-click its icon, and you will see a
-window that looks like <a href="ch03.html#samba2-CHP-3-FIG-59">Figure 3-59</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-59"/><img src="figs/sam2_0359.gif"/></div><h4 class="head4">Figure 3-59. Shares offered by the Toltec server</h4>
-
-<p>If you don't see the server listed in the workgroup,
-don't panic. Select Run... from the Start menu. A
-dialog box appears that allows you to type the name of your server
-and its share directory in Windows format. For example, you would
-enter <em class="filename">\\toltec\</em><tt class="literal">test</tt>, as shown
-in <a href="ch03.html#samba2-CHP-3-FIG-60">Figure 3-60</a>, and use your
-server's hostname instead of
-&quot;toltec&quot;.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-60"/><img src="figs/sam2_0360.gif"/></div><h4 class="head4">Figure 3-60. Opening a shared directory, using the server's NetBIOS name in the UNC</h4>
-
-<p>This will work even if browsing services are not set up right, which
-is a common problem. You can also work around a name-service problem
-by entering the server's IP Address (such as
-172.16.1.1 in our example) instead of the Samba
-server's hostname, as shown in <a href="ch03.html#samba2-CHP-3-FIG-61">Figure 3-61</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-3-FIG-61"/><img src="figs/sam2_0361.gif"/></div><h4 class="head4">Figure 3-61. Opening a shared directory, using the server's IP address in the UNC</h4>
-
-<p>If things still aren't right, go directly to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong
-with the network.</p>
-
-<p>If it works, congratulations! Try copying files to and from the
-server by dragging their icons to and from the Samba
-server's <em class="filename">test</em> folder. You might
-be pleasantly surprised how seamlessly everything works. <a name="INDEX-157"/> <a name="INDEX-158"/></p>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> We are
-intentionally omitting device drivers because they are
-hardware-specific, and we assume you are getting installation
-directions from the manufacturer.</p> <a name="FOOTNOTE-2"/>
-<p><a href="#FNPTR-2">[2]</a> Make sure to use the same netmask as all other systems on the
-network. You can find the netmask in use by checking with Unix or
-Windows systems that have already been configured.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> Keep in mind that IP addresses ending
-in .0 are reserved for network addresses and that ones ending in .255
-are for broadcast addresses. These should never be assigned to any
-system on the network.</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> To be more explicit about
-this, the system will identify itself to the network as a b-node
-rather than an h-node.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> We put the
-names of the <em class="filename">LMHOSTS</em> and
-<em class="filename">HOSTS</em> files in uppercase for additional
-clarity&mdash;to remind you that we are referring to the files on
-Windows rather than on Unix, and because that's the
-way we see them in other books on Windows. The case of the letters in
-the two names actually does not matter.</p> <a name="FOOTNOTE-6"/> <p><a href="#FNPTR-6">[6]</a> The address 127.0.0.1 is known as the
-<em class="emphasis">localhost</em> address and always refers to itself.
-For example, if you type <tt class="literal">ping</tt>
-<tt class="literal">127.0.0.1</tt> on a Unix server, you should always get
-a response, because you're pinging the host
-itself.</p> <a name="FOOTNOTE-7"/> <p><a href="#FNPTR-7">[7]</a> This update is supplied in
-various update packages issued by Microsoft.</p> <a name="FOOTNOTE-8"/> <p><a href="#FNPTR-8">[8]</a> Notice how in Windows NT,
-some clients are called &quot;services&quot;!
-In these directions, we will conform to Microsoft's
-terminology.</p> <a name="FOOTNOTE-9"/> <p><a href="#FNPTR-9">[9]</a> If there is a My Network Places
-item in the Start menu at this point, you can save yourself a little
-time and just click that. If you don't see it,
-don't worry; it will appear automatically
-later.</p> </blockquote>
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-</body></html>
diff --git a/docs/htmldocs/using_samba/ch04.html b/docs/htmldocs/using_samba/ch04.html
deleted file mode 100644
index 02cc979284..0000000000
--- a/docs/htmldocs/using_samba/ch04.html
+++ /dev/null
@@ -1,2556 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 4. Windows NT Domains</h1>
-
-
-
-<p><a name="INDEX-1"/>In previous
-chapters, we've focused on workgroup networking to
-keep things simple and introduce you to networking with Samba in the
-most painless manner we could find. However, workgroup computing has
-its drawbacks, and for many computing environments, the greater
-security and single logon of the Windows NT domain make it worthwhile
-to spend the extra effort to implement a domain.</p>
-
-<p>In addition to the domain features of
-<a name="INDEX-2"/>that we discussed in <a href="ch01.html">Chapter 1</a>, having a domain makes it possible to use
-<em class="firstterm">logon scripts</em><a name="INDEX-3"/> and <em class="firstterm">roaming profiles
-</em><a name="INDEX-4"/>(also called<em class="firstterm"> roving
-profiles</em><a name="INDEX-5"/>). A logon
-script is a text file of commands that are run during startup, and a
-profile is a collection of information regarding the desktop
-environment, including the contents of the Start menu, icons that
-appear on the desktop, and other characteristics about the GUI
-environment that users are allowed to customize. A roaming profile
-can follow its owner from computer to computer, allowing her to have
-the same familiar interface appear wherever she logs on.</p>
-
-<p>A Windows NT domain offers centralized control over the network.
-<em class="firstterm">Policies</em><a name="INDEX-6"/> can be set up by an administrator to
-define aspects of the users' environment and limit
-the amount of control they have over the network and their computers.
-It is also possible for administrators to perform remote
-administration of the domain controllers from any Windows NT/2000/XP
-workstation.</p>
-
-<p>Samba 2.2 has the ability to act as a primary domain controller,
-supporting domain logons from Windows 95/98/Me/NT/2000/XP computers
-and allowing Windows NT/2000/XP<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> systems to join the domain as domain
-member servers. Samba can also join a domain as a member server,
-allowing the primary domain controller to be a Windows NT/2000 system
-or another Samba server.</p>
-
-<a name="samba2-CHP-4-NOTE-100"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Samba 2.2 does not support <a name="INDEX-7"/><a name="INDEX-8"/><a name="INDEX-9"/>LDAP and <a name="INDEX-10"/>Kerberos authentication of Active
-Directory, so it cannot act as a Windows 2000 Active Directory domain
-controller. However, Samba can be added to an Active Directory domain
-as a member server, with the Windows 2000 domain controllers running
-in either mixed or native mode. The Windows 2000 server (even if it
-is running in native mode) supports the Samba server by acting as a
-<a name="INDEX-11"/><a name="INDEX-12"/>PDC emulator, using the Windows NT
-style of authentication rather than the Kerberos style.</p>
-</blockquote>
-
-<p>If you're adding a Samba server to a network that
-has already been set up, you won't have to decide
-whether to use a workgroup or a domain; you will simply have to be
-compatible with what's already in place. If you do
-have a choice, we suggest you evaluate both workgroup and domain
-computing carefully before rolling out a big installation. You will
-have a lot of work to do if you later need to convert one to the
-other. One last thought on this matter is that Microsoft is
-developing Windows in the direction of increased use of domains and
-is intending that eventually Windows networks be composed solely of
-Active Directory domains. If you implement a Windows NT domain now,
-you'll be in a better position to transition to
-Active Directory later, after Samba has better support for it.</p>
-
-<p>In this chapter, we cover various topics directly related to using
-Samba in a Windows NT domain, including:</p>
-
-<ul><li>
-<p>Configuring and using Samba as the primary domain controller</p>
-</li><li>
-<p>Setting up Windows 95/98/Me systems to log on to the domain</p>
-</li><li>
-<p>Implementing user-level security on Windows 95/98/Me</p>
-</li><li>
-<p>Adding Windows NT/2000/XP systems to the domain</p>
-</li><li>
-<p>Configuring logon scripts, roaming profiles, and system policies</p>
-</li><li>
-<p>Adding a Samba server to a domain as a member server</p>
-</li></ul>
-
-
-
-
-<div class="sect1"><a name="samba2-CHP-4-SECT-1"/>
-
-<h2 class="head1">Samba as the Primary Domain Controller</h2>
-
-<p><a name="INDEX-13"/>Samba 2.2
-is able to handle the most desired functions of a primary domain
-controller in a Windows NT domain, handling domain logons and
-authentication for accessing shared resources, as well as supporting
-logon scripts, roaming profiles, and system policies.</p>
-
-<a name="samba2-CHP-4-NOTE-101"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>You will need to use at least Samba 2.2 to ensure that PDC
-functionality for Windows NT/2000/XP clients is present. Prior to
-Samba 2.2, only limited user authentication for NT clients was
-present.</p>
-</blockquote>
-
-<p>In this section, we will show you how to configure Samba as a PDC for
-use with Windows 95/98/Me and Windows NT/2000/XP clients. The two
-groups of Windows versions interact differently within domains, and
-in some cases are supported in slightly different ways. If you know
-you are going to be using only Windows 95/98/Me or Windows
-NT/2000/XP, you can set up Samba to support only that group. However,
-there isn't any harm in supporting both at the same
-time.</p>
-
-<a name="samba2-CHP-4-NOTE-102"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If you would like more information on how to set up
-<a name="INDEX-14"/>domains, see the file
-<em class="filename">Samba-PDC-HOWTO.html</em><a name="INDEX-15"/>
-in the <em class="filename">docs/htmldocs</em> directory of the Samba
-source distribution.</p>
-</blockquote>
-
-<p>Samba must be the only domain controller for the domain. Make sure
-that a PDC isn't already active, and that there are
-no backup domain controllers. Samba 2.2 is not able to communicate
-with backup domain controllers, and having domain controllers in your
-domain with unsynchronized data would result in a very dysfunctional
-network.</p>
-
-<a name="samba2-CHP-4-NOTE-103"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Although Samba 2.2 cannot function as, or work with, a Windows NT
-<a name="INDEX-16"/><a name="INDEX-17"/>BDC, it is possible to set up
-another Samba server to act as a backup for a Samba PDC. For further
-information, see the file
-<em class="filename">Samba-BDC-HOWTO.html</em><a name="INDEX-18"/>
-in the <em class="filename">docs/htmldocs</em> directory of the Samba
-source distribution.</p>
-</blockquote>
-
-<p>Configuring Samba to be a PDC is a matter of modifying the
-<em class="filename">smb.conf</em> file, creating some directories, and
-restarting the server.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-1.1"/>
-
-<h3 class="head2">Modifying smb.conf</h3>
-
-<p>First you will need to start with an
-<em class="filename">smb.conf</em><a name="INDEX-19"/><a name="INDEX-20"/> file that correctly configures Samba for
-workgroup computing, such as the one we created in <a href="ch02.html">Chapter 2</a>, and insert the following lines into the
-<tt class="literal">[global]</tt> section:</p>
-
-<blockquote><pre class="code">[global]
- ; use the name of your Samba server instead of toltec
- ; and your own workgroup instead of METRAN
- netbios name = toltec
- workgroup = METRAN
- encrypt passwords = yes
-
- domain master = yes
- local master = yes
- preferred master = yes
- os level = 65
-
- security = user
- domain logons = yes
-
- ; logon path tells Samba where to put Windows NT/2000/XP roaming profiles
- logon path = \\%L\profiles\%u\%m
- logon script = logon.bat
-
- logon drive = H:
- ; logon home is used to specify home directory and
- ; Windows 95/98/Me roaming profile location
- logon home = \\%L\%u\.win_profile\%m
-
- time server = yes
-
- ; instead of jay, use the names of all users in the Windows NT/2000/XP
- ; Administrators group who log on to the domain
- domain admin group = root jay
-
- ; the below works on Red Hat Linux - other OSs might need a different command
- add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>
-
-<p>And after the <tt class="literal">[global]</tt> section, add these three
-new shares:</p>
-
-<blockquote><pre class="code">[netlogon]
- path = /usr/local/samba/lib/netlogon
- writable = no
- browsable = no
-
-[profiles]
- ; you might wish to use a different directory for your
- ; Windows NT/2000/XP roaming profiles
- path = /home/samba-ntprof
- browsable = no
- writable = yes
- create mask = 0600
- directory mask = 0700
-
-[homes]
- read only = no
- browsable = no
- guest ok = no
- map archive = yes</pre></blockquote>
-
-<p>Now for the explanation. If you are comparing this example to the
-configuration file presented in <a href="ch02.html">Chapter 2</a>, you
-will notice that the first three parameter settings are similar. We
-start out in the <tt class="literal">[global]</tt> section by setting the
-NetBIOS name of the Samba server. We are using the default, which is
-the DNS hostname, but are being explicit because the NetBIOS name is
-used in UNCs that appear later in <em class="filename">smb.conf</em>. The
-next two lines, setting the workgroup name and choosing to use
-encrypted passwords, are identical to our
-<em class="filename">smb.conf</em> file from <a href="ch02.html">Chapter 2</a>.
-However, things are now a little different: even though it still
-reads &quot;workgroup&quot;, we are actually
-setting the name of the domain. For a workgroup, using encrypted
-passwords is optional; when using a domain, they are required.</p>
-
-<p>The next four lines set up our Samba PDC to handle browsing services.
-The line <tt class="literal">domain</tt> <tt class="literal">master</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to be the
-domain master browser, which handles browsing services for the domain
-across multiple subnets if necessary. Although it looks very similar,
-<tt class="literal">local</tt> <tt class="literal">master</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> does not cause Samba to
-be the master browser on the subnet, but merely tells it to
-participate in browser elections and allow itself to win. (These two
-lines are yet more default settings that we include to be clear.) The
-next two lines ensure that Samba wins the elections. Setting the
-<tt class="literal">preferred</tt> <tt class="literal">master</tt> parameter
-makes Samba force an election when it starts up. The
-<tt class="literal">os</tt> <tt class="literal">level</tt> parameter is set
-higher than that of any other system, which results in Samba winning
-that election. (At the time of this writing, an <tt class="literal">os</tt>
-level of 65 was sufficient to win over all versions of
-Windows&mdash;but make sure no other Samba server is set higher!) We
-make sure Samba is both the <a name="INDEX-21"/><a name="INDEX-22"/>domain and local master browser
-because Windows NT/2000 PDCs always reserve the domain master browser
-role for themselves and because Windows clients require things to be
-that way to find the primary domain controller. It is possible to
-allow another computer on the network to win the role of local master
-browser, but having the same server act as both domain and local
-masters is simpler and more efficient.</p>
-
-<p>The next two lines in the <tt class="literal">[global]</tt> section set up
-Samba to handle the actual domain logons. We set
-<tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">user</tt> so that Samba will require a username and
-password. This is actually the same as in the workgroup setup we
-covered in <a href="ch01.html">Chapter 1</a> and <a href="ch02.html">Chapter 2</a> because it is the default. The only
-reason we're including it explicitly is to avoid
-confusion: another valid setting is <tt class="literal">security</tt>
-<tt class="literal">=</tt> <tt class="literal">domain</tt>, but that is for
-having another (Windows or Samba) domain controller handle the logons
-and should never be found in the <em class="filename">smb.conf</em> of a
-Samba PDC. The next line, <tt class="literal">domain</tt>
-<tt class="literal">logons</tt> <tt class="literal">=</tt>
-<tt class="literal">yes</tt>, is what tells Samba we want this server to
-handle domain logons.</p>
-
-<p>Defining a logon path is necessary for supporting
-<a name="INDEX-23"/><a name="INDEX-24"/>roaming profiles for
-Windows NT/2000/XP clients. The UNC
-<tt class="literal">\\%L\profiles\%u</tt> refers to a share held on the
-Samba server where the profiles are kept. The variables
-<tt class="literal">%L</tt> and <tt class="literal">%u</tt> are replaced by Samba
-with the name of the server and the username of the logged on user,
-respectively. The section in <em class="filename">smb.conf</em> defining
-the <tt class="literal">[profiles]</tt> share contains the definition of
-exactly where the profiles are kept on the server.
-We'll get back to this topic a bit later in this
-chapter.</p>
-
-<p>The <tt class="literal">logon</tt> <tt class="literal">script</tt>
-<tt class="literal">=</tt> <tt class="literal">logon.bat</tt> line specifies the
-name of an MS-DOS batch file that will be executed when the client
-logs on to the domain. The path specified here is relative to the
-<tt class="literal">[netlogon]</tt> share that is defined later in the
-<em class="filename">smb.conf</em> file.</p>
-
-<p>The settings of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and
-<tt class="literal">logon</tt> <tt class="literal">home</tt> have a couple of
-purposes. Setting <tt class="literal">logon</tt> <tt class="literal">drive</tt>
-<tt class="literal">=</tt> <tt class="literal">H</tt>: allows the home directory
-of the user to be connected to drive letter H on the client. The
-<tt class="literal">logon</tt> <tt class="literal">home</tt> parameter is set to
-the location of the home directory on the server, and again,
-<tt class="literal">%u</tt> is replaced at runtime by the logged on
-user's username. The home directory is used to store
-roaming profiles for Windows 95/98/Me clients. These parameters tie
-into the <tt class="literal">[homes]</tt> share that we are adding, as we
-will explain a bit later.</p>
-
-<p>Setting <tt class="literal">time</tt> <tt class="literal">server</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to advertise
-itself as a <a name="INDEX-25"/>time service for the network. This is
-optional.</p>
-
-<p>The <tt class="literal">domain</tt> <tt class="literal">admin</tt>
-<tt class="literal">group</tt> parameter exists as a short-term measure in
-Samba 2.2 to give Samba a list of users who have administrative
-privileges in the domain. The list should contain any Samba users who
-log on from Windows NT/2000/XP systems and are members of the
-Administrators or Domain Admins groups, if roaming profiles are to
-work correctly.</p>
-
-<p>The last parameter to add to the <tt class="literal">[global]</tt> section
-is <tt class="literal">add</tt> <tt class="literal">user</tt>
-<tt class="literal">script</tt>, and you will need it only if one or more
-of your clients is a Windows NT/2000/XP system. We will tell you more
-about this in <a href="ch04.html#samba2-CHP-4-SECT-2">Section 4.2</a> later in this chapter.</p>
-
-<p>The rest of the additions to <em class="filename">smb.conf</em> are the
-definitions for three <a name="INDEX-26"/><a name="INDEX-27"/>shares. The
-<tt class="literal">[netlogon]</tt><a name="INDEX-28"/> share is necessary for Samba to
-handle domain logons because Windows clients need to connect to it
-during the logon process and will fail if the share does not exist.
-Other than that, the only function of <tt class="literal">[netlogon]</tt>
-is to be a repository for logon scripts and system-policy files,
-which we shall cover in detail later in this chapter. The path to a
-directory on the Samba server is given, and because the clients only
-read logon scripts and system-policy files from the share, the
-<tt class="literal">writable</tt> <tt class="literal">=</tt>
-<tt class="literal">no</tt> definition is used to make the share read-only.
-Users do not need to see the share, so we set
-<tt class="literal">browsable</tt> <tt class="literal">=</tt>
-<tt class="literal">no</tt> to make the share invisible.</p>
-
-<p>The <tt class="literal">[profiles]</tt><a name="INDEX-29"/> share is needed for use with
-Windows NT/2000/XP roaming profiles. The path points to a directory
-on the Samba server where the profiles are kept, and in this case,
-the clients must be able to read and write the profile data. The
-<tt class="literal">create</tt> <tt class="literal">mask</tt> (read and write
-permitted for the owner only) and <tt class="literal">directory</tt>
-<tt class="literal">mask</tt> (read, write, and search permitted for the
-owner only) are set up such that a user's profile
-data can be read and written only by the user and not accessed or
-modified by anyone else.</p>
-
-<p>The <tt class="literal">[homes]</tt><a name="INDEX-30"/> share is necessary for our
-definitions of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and
-<tt class="literal">logon</tt> <tt class="literal">home</tt> to work. Samba uses
-the <tt class="literal">[homes]</tt> share to add the home directory of the
-user (found in <em class="filename">/etc/passwd</em> ) as a share. Instead
-of appearing as &quot;homes&quot;, the share
-will be accessible on the client through a folder having the same
-name as the user's username. We will cover this
-topic in more detail in <a href="ch09.html">Chapter 9</a>.</p>
-
-<p>At this point, you might want to run
-<em class="filename">testparm</em><a name="INDEX-31"/> to check your
-<em class="filename">smb.conf</em> file. <a name="INDEX-32"/><a name="INDEX-33"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-1.2"/>
-
-<h3 class="head2">Creating Directories on the Samba Server</h3>
-
-<p><a name="INDEX-34"/><a name="INDEX-35"/>The
-<tt class="literal">[netlogon]</tt> and <tt class="literal">[profiles]</tt>
-shares defined in our new <em class="filename">smb.conf</em> file
-reference directories on the Samba server, and it is necessary to
-create those directories with the proper permissions:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/lib/netlogon</b></tt>
-# <tt class="userinput"><b>chmod 775 /usr/local/samba/lib/netlogon</b></tt>
-# <tt class="userinput"><b>mkdir /home/samba-ntprof</b></tt>
-# <tt class="userinput"><b>chmod 777 /home/samba-ntprof</b></tt></pre></blockquote>
-
-<p>The directory names we use are just examples. You are free to choose
-your own.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-1.3"/>
-
-<h3 class="head2">Restarting the Samba Server</h3>
-
-<p><a name="INDEX-36"/>At this
-point, the only thing left to do is restart the Samba server, and the
-changes will be put into effect:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/smb restart</b></tt></pre></blockquote>
-
-<p>(or use whatever method works on your system, as discussed in <a href="ch02.html">Chapter 2</a>.) The server is now ready to accept domain
-logons. <a name="INDEX-37"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-4-SECT-2"/>
-
-<h2 class="head1">Adding Computer Accounts</h2>
-
-<p>To interact in a domain, a Windows NT/2000/XP system must be a member
-of the domain. <a name="INDEX-38"/>Domain membership is implemented
-using <em class="firstterm">computer
-accounts,</em><a name="INDEX-39"/><a name="INDEX-40"/> which are similar to user
-accounts and allow a domain controller to keep information with which
-to authenticate computers on the network. That is, the domain
-controller must be able to tell if requests that arrive from a
-computer are coming from a computer that it
-&quot;knows&quot; as being part of the
-domain. Each Windows NT/2000/XP system in the domain has a computer
-account in the domain controllers' database, which
-on a Windows NT/2000 hosted domain is the <a name="INDEX-41"/>SAM
-database. Although Samba uses a different method (involving the
-<em class="filename">smbpasswd</em><a name="INDEX-42"/> file), it also treats computer accounts
-similarly to user accounts.</p>
-
-<p>To create a computer account, an administrator configures a Windows
-NT/2000/XP system to be part of the domain. For Samba 2.2, the
-&quot;<a name="INDEX-43"/><a name="INDEX-44"/>domain
-administrator&quot; is the <a name="INDEX-45"/><a name="INDEX-46"/>root account on the Samba
-server, and you will need to run the command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a root</b></tt></pre></blockquote>
-
-<p>to add the root user to Samba's password database.
-In this case, do not provide <em class="filename">smbpasswd</em> with the
-same password as the actual root account on the server. Create a
-different password to be used solely for creating computer accounts.
-This will reduce the possibility of compromising the root password.</p>
-
-<p>When the computer account is created, two things must happen on the
-Samba server. An entry is added to the <em class="filename">smbpasswd</em>
-file, with a &quot;username&quot; that is the
-NetBIOS name of the computer with a dollar sign
-(<tt class="literal">$</tt>) appended to it. This part is handled by the
-<em class="emphasis">smbpasswd</em> command, and you do not need to
-perform any additional action to implement it.</p>
-
-<p>With Samba 2.2, an entry is also required in the
-<em class="filename">/etc/passwd</em> file<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> to give the computer account a
-user ID (UID) on the Samba server.</p>
-
-<p>This account will never be used to
-log in to the Unix system, so it should not be given a valid home
-directory or login shell. To make this part work, you must set the
-<tt class="literal">add</tt> <tt class="literal">user</tt>
-<tt class="literal">script</tt> parameter in your Samba configuration file,
-using a command that adds the entry in the proper manner. On our Red
-Hat Linux system, we set <tt class="literal">add</tt>
-<tt class="literal">user</tt> <tt class="literal">script</tt> to:</p>
-
-<blockquote><pre class="code">/usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>
-
-<p>This command adds an entry in <em class="filename">/etc/passwd</em>
-similar to the following:</p>
-
-<blockquote><pre class="code">aztec$:x:505:100::/dev/null:/bin/false</pre></blockquote>
-
-<p>Again, notice that the username ends in a dollar sign. The user
-account shown has a &quot;home
-directory&quot; of <em class="filename">/dev/null</em>, a
-group ID (GID) of 100, and a &quot;login
-shell&quot; of <em class="filename">/bin/false</em>. The
-<em class="emphasis">-M</em> flag in our <em class="emphasis">useradd</em>
-command prevents it from creating the home directory. Samba replaces
-the <tt class="literal">%u</tt> variable in the
-<em class="emphasis">useradd</em> command with the NetBIOS name of the
-computer, including the trailing dollar sign. The basic idea here is
-to create an entry with a valid username and UID. These are the only
-parts that Samba uses. It is important that the UID be unique, not
-also used for other accounts&mdash;especially ones that are
-associated with Samba users.</p>
-
-<p>If you are using some other variety of Unix, you will need to replace
-our <em class="emphasis">useradd</em> command with a command that performs
-the same function on your system. If a command such as
-<em class="emphasis">useradd</em> does not come with your system, you can
-write a shell script yourself that performs the same function. In any
-case, the command should add a password hash that does not correspond
-to any valid password. For example, in the<em class="filename">
-/etc/shadow</em> file of our Linux server, we find the
-following two lines:</p>
-
-<blockquote><pre class="code">jay:%1%zQ7j7ok8$D/IubyRAY5ovM3bTrpUCn1:11566:0:99999:7:::
-zapotec$:!!:11625:0:99999:7:::</pre></blockquote>
-
-<p>The first line is for <tt class="literal">jay</tt>'s user
-account. The second field is the password hash&mdash;the long string
-between the first and second colons. The second line is for the
-computer account of <tt class="literal">zapotec</tt>, a domain member
-server. Its &quot;username&quot; ends with a
-dollar sign (<tt class="literal">$</tt>), and the second field in this case
-has been set to &quot;!!&quot;, which is an
-arbitrary string not produced from any password. Therefore, there is
-no valid password for this account on the Linux host. Just about any
-ASCII string can be used instead of
-&quot;!!&quot;. For example, you could use
-&quot;DISABLED&quot; instead.</p>
-
-<a name="samba2-CHP-4-NOTE-104"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>It is possible to <a name="INDEX-47"/><a name="INDEX-48"/><a name="INDEX-49"/><a name="INDEX-50"/>create the entries for
-<em class="filename">/etc/passwd</em> and <em class="filename">smbpasswd</em>
-manually; however, we suggest this method be used very carefully, and
-only for initial testing, or as a last resort. The reason for this is
-to maintain security. After the computer account has been created on
-the server, the next Windows NT/2000/XP system on the network with a
-matching NetBIOS name to log on to the domain will be associated with
-this account. This allows crackers a window of opportunity to take
-over computer accounts for their own purposes.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-4-SECT-3"/>
-
-<h2 class="head1">Configuring Windows Clients for Domain Logons</h2>
-
-<p><a name="INDEX-51"/>The client-side configuration for Windows
-clients is really simple. All you have to do is switch from workgroup
-to domain networking by enabling domain logons, and in the case of
-Windows NT/2000/XP, also provide the root password you gave
-<em class="filename">smbpasswd</em> for creating computer accounts. This
-results in the Windows NT/2000/XP system becoming a member of the
-domain.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-3.1"/>
-
-<h3 class="head2">Windows 95/98/Me</h3>
-
-<p><a name="INDEX-52"/><a name="INDEX-53"/>To
-enable domain logons with Windows 95/98/Me, open the Control Panel
-and double-click the Network icon. Then click Client for Microsoft
-Networks, and click the Properties button. At this point, you should
-see a dialog box similar to <a href="ch04.html#samba2-CHP-4-FIG-1">Figure 4-1</a>. Select the
-Logon to Windows Domain checkbox at the top of the dialog box, and
-enter the name of the domain as you have defined it with the
-<tt class="literal">workgroup</tt> parameter in the Samba configuration
-file. Then click OK, and reboot the machine when asked.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-1"/><img src="figs/sam2_0401.gif"/></div><h4 class="head4">Figure 4-1. Configuring a Windows 95/98 client for domain logons</h4>
-<a name="samba2-CHP-4-NOTE-105"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>If <a name="INDEX-54"/>Windows complains that you are already
-logged into the domain, you probably have an active connection to a
-share in the workgroup (such as a mapped network drive). Simply
-disconnect the resource temporarily by right-clicking its icon and
-choosing the Disconnect pop-up menu item.</p>
-</blockquote>
-
-<p>When Windows reboots, you should see the standard logon dialog with
-an addition: a field for a domain. The domain name should already be
-filled in, so simply enter your password and click the OK button. At
-this point, Windows should consult the primary domain controller
-(Samba) to see if the password is correct. (You can check the log
-files if you want to see this in action.) If it worked,
-congratulations! You have properly configured Samba to act as a
-domain controller for Windows 95/98/Me machines, and your client is
-successfully connected.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-3.2"/>
-
-<h3 class="head2">User-Level Security for Windows 95/98/Me</h3>
-
-<p><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>Now that you have a primary domain
-controller to authenticate users, you can implement much better
-security for shares that reside on Windows 95/98/Me
-systems.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> To enable this functionality, open the
-Control Panel, double-click the Network icon, and click the Access
-Control tab in the dialog box. The window should now look like <a href="ch04.html#samba2-CHP-4-FIG-2">Figure 4-2</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-2"/><img src="figs/sam2_0402.gif"/></div><h4 class="head4">Figure 4-2. Setting user-level access control</h4>
-
-<p>Click the User-level access control radio button, and type in the
-name of your domain in the text area. Click the OK button. If you get
-the dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-3">Figure 4-3</a>, it means that
-shares are already on the system.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-3"/><img src="figs/sam2_0403.gif"/></div><h4 class="head4">Figure 4-3. Error dialog while changing to user-level access control</h4>
-
-<p>In that case, you might want to cancel the operation and make a
-record of each of the computer's shares, making it
-easier to re-create them, and then redo this part. (To get a list of
-shares, open an MS-DOS prompt window and run the
-<tt class="literal">net</tt> <tt class="literal">view</tt>
-<tt class="literal">\\</tt><em class="replaceable">computer_name</em>
-command.) Otherwise, you will get a message asking you to reboot to
-put the change in configuration into effect.</p>
-
-<p>After rebooting, you can create shares with user-level access
-control. To do this, right-click the folder you wish to share, and
-select Sharing.... This will bring up the Shared Properties dialog
-box, shown in <a href="ch04.html#samba2-CHP-4-FIG-4">Figure 4-4</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-4"/><img src="figs/sam2_0404.gif"/></div><h4 class="head4">Figure 4-4. The Shared Properties dialog</h4>
-
-<p>Click the Shared As: radio button, and give the share a name and
-comment. Then click the Add... button, and you will see the Add Users
-dialog box, shown in <a href="ch04.html#samba2-CHP-4-FIG-5">Figure 4-5</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-5"/><img src="figs/sam2_0405.gif"/></div><h4 class="head4">Figure 4-5. The Add Users dialog</h4>
-
-<p>What has happened is that Windows has contacted the primary domain
-controller (in this case, Samba) and requested a list of domain users
-and groups. You can now select a user or group and add it to one or
-more of the three lists on the righthand side of the window&mdash;for
-Read Only, Full Access, or Custom Control&mdash;by clicking the
-buttons in the middle of the window. When you are done, click the OK
-button. If you added any users or groups to the Custom Control list,
-you will be presented with the Change Access Rights dialog box, shown
-in <a href="ch04.html#samba2-CHP-4-FIG-6">Figure 4-6</a>, in which you can specify the rights
-you wish to allow. Then click the OK button to close the dialog box.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-6"/><img src="figs/sam2_0406.gif"/></div><h4 class="head4">Figure 4-6. The Change Access Rights dialog</h4>
-
-<p>You are now returned to the Shared Properties dialog box, where you
-will see the Name: and Access Rights: columns filled in with the
-permissions that you just created. Click the OK button to finalize
-the process. Remember, you will have to perform these actions on any
-folders that you had previously shared using share-level security.
-<a name="INDEX-58"/><a name="INDEX-59"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-3.3"/>
-
-<h3 class="head2">Windows NT 4.0</h3>
-
-<p><a name="INDEX-60"/><a name="INDEX-61"/>To
-configure Windows NT for domain logons, log in to the computer as
-Administrator or another user in the Administrators group, open the
-Control Panel, and double-click the Network icon. If it
-isn't already selected, click on the Network
-Identification tab.</p>
-
-<p>Click the Change... button, and you should see the dialog box shown
-in <a href="ch04.html#samba2-CHP-4-FIG-7">Figure 4-7</a>. In this dialog box, you can choose
-to have the Windows NT client become a member of the domain by
-clicking the checkbox marked Domain: in the Member of box. Then type
-in the name of the domain to which you wish the client to log on; it
-should be the same as the one you specified using the
-<tt class="literal">workgroup</tt> parameter in the Samba configuration
-file. Click the checkbox marked Create a Computer Account in the
-Domain, and fill in &quot;root&quot; for the
-text area labeled User Name:. In the Password: text area, fill in the
-root password you gave <em class="emphasis">smbpasswd</em> for creating
-computer accounts.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-7"/><img src="figs/sam2_0407.gif"/></div><h4 class="head4">Figure 4-7. Configuring a Windows NT client for domain logons</h4>
-<a name="samba2-CHP-4-NOTE-106"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>If Windows complains that you are already logged in, you probably
-have an active connection to a share in the workgroup (such as a
-mapped network drive). Disconnect the resource temporarily by
-right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
-</blockquote>
-
-<p>After you press the OK button, Windows should present you with a
-small dialog box welcoming you to the domain. Click the Close button
-in the Network dialog box, and reboot the computer as requested. When
-the system comes up again, the machine will automatically present you
-with a logon screen similar to the one for Windows 95/98/Me clients,
-except that the domain text area has a drop-down menu so that you can
-opt to log on to either the local system or the domain. Make sure
-your domain is selected, and log on to the domain using any
-Samba-enabled user account on the Samba server.</p>
-<a name="samba2-CHP-4-NOTE-107"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Be sure to select the correct domain in the Windows NT logon dialog
-box. Once it is selected, it might take a moment for Windows NT to
-build the list of available domains.</p>
-</blockquote>
-
-<p>After you enter the password, Windows NT should consult the primary
-domain controller (Samba) to see if the password is correct. Again,
-you can check the log files if you want to see this in action. If it
-worked, you have successfully configured Samba to act as a domain
-controller for Windows NT machines. <a name="INDEX-62"/><a name="INDEX-63"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-3.4"/>
-
-<h3 class="head2">Windows 2000</h3>
-
-<p><a name="INDEX-64"/><a name="INDEX-65"/>To
-configure Windows 2000 for domain logons, log in to the computer as
-Administrator or another user in the Administrators group, open the
-Control Panel, and double-click the System icon to open the System
-Properties dialog box. Click the Network Identification tab, and then
-click the Properties button. You should now see the Identification
-Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-8">Figure 4-8</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-8"/><img src="figs/sam2_0408.gif"/></div><h4 class="head4">Figure 4-8. The Identification Changes dialog</h4>
-
-<p>Click the radio button labeled
-&quot;Domain:&quot; and fill in the name of
-your domain in the text-entry area. Then click the OK button. This
-will bring up the Domain Username and Password dialog box. Enter
-&quot;root&quot; for the username. For the
-password, use the password that you gave to
-<em class="emphasis">smbpasswd</em> for the root account.</p>
-<a name="samba2-CHP-4-NOTE-108"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>If Windows complains that you are already logged in, you probably
-have an active connection to a share in the workgroup (such as a
-mapped network drive). Disconnect the resource temporarily by
-right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
-</blockquote>
-
-<p>After you press the OK button, Windows should present you with a
-small dialog box welcoming you to the domain. When you click the OK
-button in this dialog box, you will be told that you need to reboot
-the computer. Click the OK button in the System Properties dialog
-box, and reboot the computer as requested. When the system comes up
-again, the machine will automatically present you with a Log On to
-Windows dialog box similar to the one shown in <a href="ch04.html#samba2-CHP-4-FIG-9">Figure 4-9</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-9"/><img src="figs/sam2_0409.gif"/></div><h4 class="head4">Figure 4-9. The Windows 2000 logon window</h4>
-
-<p>If you do not see the Log on to: drop-down menu, click the Options
-&lt;&lt; button and it will appear. Select your domain, rather than
-the local computer, from the menu.</p>
-<a name="samba2-CHP-4-NOTE-109"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Be sure to select the correct domain in the logon dialog box. Once it
-is selected, it might take a moment for Windows to build the list of
-available domains.</p>
-</blockquote>
-
-<p>Enter the username and password of any Samba-enabled user in the User
-name: and Password: fields, and either press the Enter key or click
-the OK button. If it worked, your Windows session will start up with
-no error dialogs. <a name="INDEX-66"/><a name="INDEX-67"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-3.5"/>
-
-<h3 class="head2">Windows XP Home</h3>
-
-<p><a name="INDEX-68"/>You have our
-condolences if you are trying to use the Home edition of Windows XP
-in a domain environment! Microsoft has omitted support for Windows NT
-domains from Windows XP Home, resulting in a product that is
-ill-suited for use in a domain-based network.</p>
-
-<p>On the client side, Windows XP Home users cannot log on to a Windows
-NT domain. Although it is still possible to access domain resources,
-a username and password must be supplied each time the user connects
-to a resource, rather than the &quot;single
-signon&quot; of a domain logon. Domain features such as
-logon scripts and roaming profiles are not supported.</p>
-
-<p>As a server, Windows XP Home cannot join a Windows NT domain as a
-domain member server. It can serve files and printers, but only using
-share-mode (&quot;workgroup&quot;) security.
-It can't even use user-mode security, as Windows
-95/98/Me can.</p>
-
-<p>Considering these limitations, we do not recommend Windows XP Home
-for any kind of local area network computing.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-3.6"/>
-
-<h3 class="head2">Windows XP Professional</h3>
-
-<p><a name="INDEX-69"/><a name="INDEX-70"/>To configure Windows XP
-Professional for domain logons, log in to the computer as
-Administrator or another user in the Administrators group, open the
-Control Panel in Classic View, and double-click the System icon to
-open the System Properties dialog box. Click the Computer Name tab
-and then click the Change... button. You should now see the Computer
-Name Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-10">Figure 4-10</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-10"/><img src="figs/sam2_0410.gif"/></div><h4 class="head4">Figure 4-10. The Computer Name Changes dialog</h4>
-
-<p>Click the radio button labeled
-&quot;Domain:&quot;, and fill in the name of
-your domain in the text-entry area. Then click the OK button. This
-will bring up the Domain Username and Password dialog box. Enter
-&quot;root&quot; for the username. For the
-password, use the password that you gave to
-<em class="emphasis">smbpasswd</em> for the root account.</p>
-<a name="samba2-CHP-4-NOTE-110"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>If Windows complains that you are already logged in, you probably
-have an active connection to a share in the workgroup (such as a
-mapped network drive). Disconnect the resource temporarily by
-right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
-</blockquote>
-
-<p>After you press the OK button, Windows should present you with a
-small dialog box welcoming you to the domain. When you click the OK
-button in this dialog box, you will be told that you need to reboot
-the computer to put the changes into effect. Click the OK buttons in
-the dialog boxes to close them, and reboot the computer as requested.
-When the system comes up again, the machine will automatically
-present you with a Log On to Windows dialog box similar to the one
-shown in <a href="ch04.html#samba2-CHP-4-FIG-11">Figure 4-11</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-11"/><img src="figs/sam2_0411.gif"/></div><h4 class="head4">Figure 4-11. The Windows XP logon window</h4>
-
-<p>If you get a dialog box at this point that tells you the domain
-controller cannot be found, the solution is to change a registry
-setting as follows.</p>
-
-<p>Open the Start Menu and click the Run... menu item. In the text area
-in the dialog box that opens, type in
-&quot;regedit&quot; and click the OK button
-to start the Registry Editor. You will be editing the registry, so
-follow the rest of the directions very carefully. Click the
-&quot;<tt class="literal">+</tt>&quot; button next
-to the HKEY_LOCAL_MACHINE folder, and in the contents that open up,
-click the &quot;<tt class="literal">+</tt>&quot;
-button next to the SYSTEM folder. Continue in the same manner to open
-CurrentControlSet, then Services, then Netlogon. (You will have to
-scroll down many times to find Netlogon in the list of services.)
-Then click the Parameters folder, and you will see items appear in
-the right side of the window. Double-click
-&quot;requiresignorseal&quot;, and a dialog
-box will open. In the Value data: text area, change the
-&quot;1&quot; to a
-&quot;0&quot; (zero), and click the OK
-button, which modifies the registry both in memory and on disk. Now
-close the Registry Editor and log off and back on again.</p>
-
-<p>If you do not see the Log on to: drop-down menu, click the Options
-&lt;&lt; button and it will appear. Select your domain from the menu,
-rather than the local computer.</p>
-<a name="samba2-CHP-4-NOTE-111"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Be sure to select the correct domain in the logon dialog box. Once it
-is selected, it might take a moment for Windows to build the list of
-available domains.</p>
-</blockquote>
-
-<p>Enter the username and password of any Samba-enabled user in the User
-name: and Password: fields, and either press the Enter key or click
-the OK button. If it worked, your Windows session will start up with
-no error dialogs. <a name="INDEX-71"/> <a name="INDEX-72"/><a name="INDEX-73"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-4-SECT-4"/>
-
-<h2 class="head1">Logon Scripts</h2>
-
-<p><a name="INDEX-74"/>After a Windows client connects with a
-domain controller (either to authenticate a user, in the case of
-Windows 95/98/Me, or to log on to the domain, in the case of Windows
-NT/2000/XP), the client downloads an MS-DOS batch file to run. The
-domain controller supplies the file assuming one has been made
-available for it. This batch file is the logon script and is useful
-in setting up an initial environment for the user.</p>
-
-<p>In a Unix environment, the ability to run such a script might lead to
-a very complex initialization and deep customization. However, the
-Windows environment is mainly oriented to the GUI, and the
-command-line functions are more limited. Most commonly, the logon
-script is used to run a <em class="emphasis">net</em> command, such as
-<em class="emphasis">net use</em><a name="INDEX-75"/>, to connect a network drive letter,
-like this:</p>
-
-<blockquote><pre class="code">net use T: \\toltec\test</pre></blockquote>
-
-<p>This command will make our <tt class="literal">[test]</tt> share (from
-<a href="ch02.html">Chapter 2</a>) show up as the T: drive in My Computer.
-This will happen automatically, and T: will be available to the user
-at the beginning of her session, instead of requiring her to run the
-<em class="emphasis">net use</em> command or connect the T: drive using
-the Map Network Drive function of Windows Explorer.</p>
-
-<p>Another useful command is:</p>
-
-<blockquote><pre class="code">net use H: /home</pre></blockquote>
-
-<p>which <a name="INDEX-76"/><a name="INDEX-77"/>connects the
-user's home directory to a drive letter (which can
-be H:, as shown here, or some other letter, as defined by
-<tt class="literal">logon</tt> <tt class="literal">drive</tt>). For this to work,
-you must have a <tt class="literal">[homes]</tt> share defined in your
-<em class="filename">smb.conf</em> file.</p>
-
-<p>If you are using <a name="INDEX-78"/><a name="INDEX-79"/>roaming profiles, you should definitely
-have:</p>
-
-<a name="INDEX-80"/><blockquote><pre class="code">net time \\<em class="replaceable">toltec</em> /set /yes</pre></blockquote>
-
-<p>in your logon script. (As usual, replace
-&quot;toltec&quot; with the name of your
-Samba PDC.) This will make sure the clocks of the Windows clients are
-synchronized with the PDC, which is important for roaming profiles to
-work correctly.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-4.1"/>
-
-<h3 class="head2">Creating a Logon Script</h3>
-
-<p><a name="INDEX-81"/>In our
-<em class="filename">smb.conf</em> file, we have the line:</p>
-
-<a name="INDEX-82"/><blockquote><pre class="code">logon script = logon.bat</pre></blockquote>
-
-<p>This defines the location and name of the logon script batch file on
-the Samba server. The path is relative to the
-<tt class="literal">[netlogon]</tt><a name="INDEX-83"/> share, defined later in the
-file like this:</p>
-
-<blockquote><pre class="code">[netlogon]
- path = /usr/local/samba/lib/netlogon
- writable = no
- browsable = no</pre></blockquote>
-
-<p>With this example, the logon script is
-<em class="filename">/user/local/samba/lib/netlogon/logon.bat</em>. We
-include the directives <tt class="literal">writable</tt>
-<tt class="literal">=</tt> <tt class="literal">no</tt>, to make sure network
-clients cannot change anything in the <tt class="literal">[netlogon]</tt>
-share, and also <tt class="literal">browsable</tt> <tt class="literal">=</tt>
-<tt class="literal">no</tt>, which keeps them from even seeing the share
-when they browse the contents of the server. Nothing in
-<tt class="literal">[netlogon]</tt> should ever be modified by
-nonadministrative users. Also, the permissions on the directory for
-<tt class="literal">[netlogon]</tt> should be set appropriately (no write
-permissions for &quot;other&quot; users), as
-we showed you earlier in this chapter.</p>
-
-<p>Notice also that the extension of our logon script is
-<em class="filename">.bat</em><a name="INDEX-84"/>. Be careful about this&mdash;an extension
-of <em class="filename">.cmd</em><a name="INDEX-85"/> will work for Windows NT/2000/XP clients,
-but will result in errors for Windows 95/98/Me clients, which do not
-recognize <em class="filename">.cmd</em> as an extension for batch files.</p>
-
-<p>Because the logon script will be executed on a Windows system, it
-must be in MS-DOS text-file format, with the end of line composed of
-a carriage return followed by a linefeed. The Unix convention is a
-newline, which is simply a linefeed character, so if you use a Unix
-text editor to create your logon script, you must somehow make it use
-the appropriate characters. With
-<em class="emphasis">vim</em><a name="INDEX-86"/><a name="INDEX-87"/> (a clone of the <em class="emphasis">vi</em>
-editor that is distributed with Red Hat Linux), the method is to
-create a new file and use the command:</p>
-
-<blockquote><pre class="code">:se ff=dos</pre></blockquote>
-
-<p>to set the file format to MS-DOS style before typing in any text.
-With <em class="emphasis">emacs</em><a name="INDEX-88"/>, the same can be done using the command:</p>
-
-<blockquote><pre class="code">^X <em class="replaceable">Enter</em> f dos <em class="replaceable">Enter</em></pre></blockquote>
-
-<p>where <tt class="literal">^X</tt> is a Control-X character and
-<tt class="literal">Enter</tt> is a press of the Enter key. Another method
-is to create a Unix-format file in any text editor and then convert
-it to MS-DOS format using the
-<em class="emphasis">unix2dos</em><a name="INDEX-89"/> program:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>unix2dos unix_file &gt;logon.bat</b></tt></pre></blockquote>
-
-<p>If your system does not have <em class="emphasis">unix2dos</em>,
-don't worry. You can implement it yourself with the
-following two-line Perl script:</p>
-
-<blockquote><pre class="code">#!/usr/bin/perl
-open FILE, $ARGV[0];
-while (&lt;FILE&gt;) { s/$/\r/; print }</pre></blockquote>
-
-<p>Or, you can use Notepad on a Windows system to write your script and
-then drag the logon script over to a folder on the Samba server. In
-any case, you can <a name="INDEX-90"/>check the format of your script using
-the <em class="emphasis">od</em><a name="INDEX-91"/> command, like this:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>od -c logon.bat</b></tt></pre></blockquote>
-
-<p>You should see output resembling this:</p>
-
-<blockquote><pre class="code">0000000 n e t u s e T : \ \ t o l
-0000020 t e c \ t e s t \r \n
-0000032</pre></blockquote>
-
-<p>The important detail here is that at the end of each line is a
-<tt class="literal">\r</tt> <tt class="literal">\n</tt>, which is a carriage
-return followed by a linefeed.</p>
-
-<p>Our example logon script, containing a single <em class="emphasis">net
-use</em> command, was created and set up in a way that allows
-it to be run successfully on any Windows client, regardless of which
-Windows version is installed on the client and which user is
-authenticating or logging on to the domain. But what if we need to
-have different users, computers, or Windows versions running
-different logon scripts?</p>
-
-<p>One method is to use variables inside the <a name="INDEX-92"/>logon script that cause commands to be
-conditionally executed. For details on how to do this, you can
-consult a reference on batch-file programming for MS-DOS and Windows
-NT command language. One such reference is <em class="citetitle">Windows NT
-System Administration</em>, published by
-O'Reilly.</p>
-
-<p>Windows batch-command language is very limited in functionality.
-Fortunately, Samba also supports a means by which customization can
-be handled. The
-<em class="filename">smb.conf</em><a name="INDEX-93"/><a name="INDEX-94"/> file contains variables that can be
-used to insert (at runtime) the name of the server
-(<tt class="literal">%L</tt><a name="INDEX-95"/>), the username of the person who is
-accessing the server's resources
-(<tt class="literal">%u</tt><a name="INDEX-96"/>), or the computer name of the client
-system (<tt class="literal">%m</tt><a name="INDEX-97"/>). To give an example, if we set up the
-path to the logon script as:</p>
-
-<blockquote><pre class="code">logon script = %u/logon.bat</pre></blockquote>
-
-<p>we would then put a directory for each user in the
-<tt class="literal">[netlogon]</tt> share, with each directory named the
-same as the user's username, and in each directory
-we would put a customized <em class="filename">logon.bat</em> file. Then
-each user would have his own custom logon script. We will give you a
-better example of how to do this kind of thing in the next section,
-<a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a>.</p>
-
-<a name="samba2-CHP-4-NOTE-112"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>For more information on Samba configuration file variables, such as
-the <tt class="literal">%L</tt>, <tt class="literal">%u</tt>, and
-<tt class="literal">%m</tt> variables we just used, see <a href="ch06.html">Chapter 6</a> and <a href="appb.html">Appendix B</a>.</p>
-</blockquote>
-
-<p>When modifying and testing your logon script, don't
-just log off of your Windows session and log back on to make your
-script run. Instead, restart (reboot) your system before logging back
-on. Because Windows often keeps the <tt class="literal">[netlogon]</tt>
-share open across logon sessions, the reboot ensures that Windows and
-Samba have completely released and reconnected the
-<tt class="literal">[netlogon]</tt> share, and the new version of the logon
-script is being run while logging on.</p>
-
-<p>More information regarding <a name="INDEX-98"/>logon scripts can be found in the
-O'Reilly book, <em class="emphasis">Managing Windows NT
-Logons</em>. <a name="INDEX-99"/> <a name="INDEX-100"/><a name="INDEX-101"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-4-SECT-5"/>
-
-<h2 class="head1">Roaming Profiles</h2>
-
-<p><a name="INDEX-102"/>One benefit of the centralized
-authentication of Windows NT domains is that a user
-<a name="INDEX-103"/>can log on from more than just one
-computer. To help users feel more &quot;at
-home&quot; when logged on at a computer other than their
-usual one, Microsoft has added the ability for
-users' personal settings to
-&quot;roam&quot; from one computer to
-another.</p>
-
-<p>All Windows versions can be configured individually for each user of
-the computer. Windows NT/2000/XP supports the ability to handle
-multiple user accounts, and Windows 95/98/Me can be configured for
-use by multiple users, keeping the configuration settings for each
-user separate. Each user can configure the
-computer's settings to her liking, and the system
-saves these settings as the user's
-<em class="firstterm">profile</em>, such that upon logging on to the
-system, the user is presented with her familiar desktop.</p>
-
-<p>Some of the settings, such as folder options or the image used for
-the desktop background, are held in the registry. Others, including
-the documents and folders appearing on the desktop and the contents
-of the Start menu, are stored as folders and files in the filesystem.</p>
-
-<p>When the profile is stored on the local system, it is called a
-<em class="firstterm">local profile</em><a name="INDEX-104"/>. On Windows NT, local profiles are
-stored in <em class="filename">C:\winnt\profiles</em>. On Windows 2000/XP,
-they can be found in <em class="filename">C:\Documents and Settings.
-</em>On Windows 95/98/Me, when configured for a single user
-(the default case), the local profile is scattered in places such as
-the registry and directories such as
-<em class="filename">C:\Windows\Desktop</em> and
-<em class="filename">C:\Windows\Start Menu</em>. When Windows 95/98/Me is
-configured for multiple users, the local profile of the preexisting
-user is moved to a folder in <em class="filename">C:\Windows\Profiles</em>
-that has the same name as the user, and any users that are
-subsequently added to the computer have their local profiles created
-in that directory as well. You can browse through the local profiles
-to see their structure&mdash;each has a <a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><a name="INDEX-108"/><a name="INDEX-109"/>registry file
-(<em class="filename">USER.DAT</em><a name="INDEX-110"/><a name="INDEX-111"/> for Windows 95/98/Me and
-<em class="filename">NTUSER.DAT</em><a name="INDEX-112"/><a name="INDEX-113"/> for Windows NT/2000/XP) and some folders
-that contain shortcuts and documents.</p>
-
-<p>A roaming profile is a user profile that is stored on a server and
-&quot;follows&quot; its owner around the
-network so that when the user logs on to the domain from another
-computer, his profile is downloaded from the server and his familiar
-desktop appears on that computer as well.</p>
-<a name="samba2-CHP-4-NOTE-113"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p><a name="INDEX-114"/>Samba can
-support roaming profiles, and it is a fairly simple matter to
-configure it for them. However, this is one feature that we recommend
-you <em class="emphasis">do not</em> use, at least until you are sure you
-understand roaming profiles well and are very confident that you can
-implement them with no harm incurred. If you want to (or are required
-to) implement roaming profiles for your Windows clients, we suggest
-you first set up a small domain with a Samba server and a few Windows
-clients exclusively for the purposes of research and testing.
-<em class="emphasis">Under no circumstances should you attempt to implement
-roaming profiles in a careless or frivolous manner</em>.</p>
-</blockquote>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-5.1"/>
-
-<h3 class="head2">How Roaming Profiles work</h3>
-
-<p><a name="INDEX-115"/>We will start out by explaining to you
-how roaming profiles work when set up correctly. You will need a
-clear understanding of them to tell the difference between when they
-are working as they are designed and when they are not. In addition,
-roaming profiles can be a source of confusion for your users in many
-ways, and you should know how to detect when a problem with a client
-is related to roaming profile function or dysfunction.</p>
-
-<a name="samba2-CHP-4-NOTE-114"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p><a name="INDEX-116"/>A definitive source of
-documentation on Windows NT roaming profiles is the Microsoft white
-paper <em class="citetitle">Implementing Policies and Profiles for Windows NT
-4.0</em><a name="INDEX-117"/>, which can be found at
-<a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
-</blockquote>
-
-<p>During the domain logon process, the roaming profile is copied from
-the domain controller and used as a local profile during the
-user's logon session. When the user logs off the
-domain, the local profile is copied back to the domain controller and
-stored as the new roaming profile. When the local profile is changed,
-the server does not receive an update until the user logs off the
-domain or shuts down or reboots the client. The client does not send
-an update to the server during the logon session, and a client does
-not receive an update of a setting changed on another client during a
-logon session. When the user does log off, changes in the
-configuration settings in the local profile are sent to the server,
-and the updates of the roaming profile are available for the next
-logon session.</p>
-
-<p>This simple behavior can lead to unexpected results when users are
-<a name="INDEX-118"/>logged on to the domain
-on more than one client at a time. If a user makes a change to the
-configuration settings on one client and then logs off, the settings
-can result in the roaming profile being modified accordingly. But the
-next client that logs off might cause those changes to be
-overwritten, and if so, the settings from the first client will be
-lost. The behavior of different Windows versions varies with regard
-to this, and we've seen a wide variety of
-behaviors&mdash;not always in alignment with
-Microsoft's documentation or even working the same
-way on separate occasions. Sometimes Windows will refuse to overwrite
-a profile, perhaps giving an &quot;access
-denied&quot; error, and at other times it will seem to
-work while producing odd side effects. A common source of confusion
-is what happens if a file is added to or deleted from the desktop,
-which is by default configured to be part of the profile. A deleted
-file might later reappear, and it is even possible for a file to
-irrecoverably disappear without warning (on Windows 95/98). Or maybe
-a file that is added to the desktop on one client never gets added to
-the roaming profile and fails to propagate to other clients. This
-behavior is somewhat improved on Windows 2000/XP, which attempts to
-merge items into the profile that are added on concurrently logged-on
-clients.</p>
-
-<p>One factor that comes into play is that Windows compares the
-<a name="INDEX-119"/>timestamps of the local and roaming
-profiles and can refuse to overwrite a roaming profile if it is newer
-than the local profile on the client, or vice versa. For this reason,
-it is important to keep the clocks of the Windows clients and the
-Samba PDC synchronized. We have already shown you how to do this,
-using the <em class="emphasis">net time
-\\</em><em class="replaceable">server</em>
-<em class="emphasis">/set</em> <em class="emphasis">/yes</em> command in the
-logon script.</p>
-
-<p><a name="INDEX-120"/>Even when the server and clients are
-correctly configured, a number of things that can happen make things
-seem &quot;broken.&quot; The most common
-occurrence is that some shortcuts on clients other than the one that
-created the roaming profile will not work. These shortcuts can exist
-on the desktop or as items in the Start menu. This behavior is a
-result of applications or files that exist on one computer but not
-others. Windows will display these shortcuts, but if they appear on
-the desktop, they will have a generic icon and will bring up an error
-message if a user double-clicks them.</p>
-
-<a name="samba2-CHP-4-NOTE-115"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Because profiles can and usually do include the contents of the
-desktop and other folders, it is possible for the roaming profile to
-grow to a huge size due to actions of a user, such as creating new
-files on the desktop or copying files there. By default, Internet
-Explorer keeps its disk cache in the <em class="filename">Temporary Internet
-Files</em><a name="INDEX-121"/><a name="INDEX-122"/> folder in the profile and has been
-known to populate this directory with thousands of files. This can
-result in a huge roaming profile that causes network congestion and
-very large delays while users are logging on to the domain. (A fix
-for this can be found in article Q185255 in the Microsoft Knowledge
-Base.)</p>
-</blockquote>
-
-<p>One behavior we've seen a few times is that if, for
-some reason (e.g., a network error or misconfiguration), the roaming
-profile is not available during the logon process, Windows will use
-the local profile on the client instead. When this happens, the user
-might receive an unfamiliar profile, and all the benefits of roaming
-profiles are lost for that logon session.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-5.2"/>
-
-<h3 class="head2">Configuring Samba for Roaming Profiles</h3>
-
-<p><a name="INDEX-123"/><a name="INDEX-124"/>In an ideal world, different Windows
-versions would share the same roaming profile, allowing users to log
-on to the domain from any Windows client system, ranging from Windows
-95 to Windows XP, and enjoy their familiar settings. It would even be
-possible to be logged on concurrently from multiple clients, and a
-change made to the profile on any of them would quickly propagate to
-all the others. Settings in a roaming profile made on a client that
-didn't apply to another would be handled sanely.</p>
-
-<p>Unfortunately, this scenario does not work in reality, and it is
-important to maintain separate roaming profiles to prevent different
-Windows versions from using or modifying a roaming profile created
-by, and/or in use by, another version.</p>
-
-<p>We do this by using configuration file variables to point to
-different profile directories. If you look at <a href="appb.html#samba2-APP-B-TABLE-1">Table B-1</a> in <a href="appb.html#samba2-APP-B#samba2-APP-B">Appendix B</a>, which shows
-the variables that can be used, you might be tempted to use the
-<a name="INDEX-125"/><tt class="literal">%a</tt> variable, which
-is replaced by the name of the operating system the client is
-running. However, this does not work because all of Windows 95/98/Me
-will be seen as the same operating system, and likewise for Windows
-2000/XP. So, we use <a name="INDEX-126"/><tt class="literal">%m</tt> to get the
-NetBIOS name of the client, and combine that with a symbolic link to
-point to the directory containing the profile for the Windows version
-that particular client is running.</p>
-
-<p>Our additions to <em class="filename">smb.conf</em> that appeared earlier
-in this chapter included the two lines:</p>
-
-<blockquote><pre class="code">logon path = \\%L\profiles\%u\%m
-logon home = \\%L\%u\.win_profile\%m</pre></blockquote>
-
-<p>The first line specifies where the roaming profiles for Windows
-NT/2000/XP clients are kept, and the second line performs the same
-function for Windows 95/98/Me clients. In both cases, the location is
-specified as a UNC, but
-<tt class="literal">logon</tt><a name="INDEX-127"/> <tt class="literal">path</tt> (for Windows
-NT/2000/XP) is specified relative to the
-<tt class="literal">[profiles]</tt> share, while
-<tt class="literal">logon</tt><a name="INDEX-128"/> <tt class="literal">home</tt> (for Windows
-95/98/Me) is specified relative to the user's home
-directory. This is done to comply with Samba's
-emulation of Windows NT/2000 PDC behavior.</p>
-
-<p>The <tt class="literal">logon</tt> <tt class="literal">home</tt> UNC must begin
-by specifying the user's home directory, which in
-our previous example would be <tt class="literal">\\%L\%u</tt>. The
-variable <tt class="literal">%L</tt><a name="INDEX-129"/> expands to the NetBIOS name of the
-server (in this case, toltec), and
-<tt class="literal">%u</tt><a name="INDEX-130"/> expands to the name of the user. This
-must be done to allow the command:</p>
-
-<a name="INDEX-131"/><blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net use h: /home</b></tt></pre></blockquote>
-
-<p>to function correctly to connect the user's home
-directory to drive letter H: on all Windows clients. (The drive
-letter used for this purpose is defined by <tt class="literal">logon</tt>
-<tt class="literal">drive</tt>.) We add the directory
-<em class="filename">.win_profile</em><a name="INDEX-132"/> to the UNC to put the Windows
-95/98/Me roaming profile in a subdirectory of the
-user's home directory.</p>
-<a name="samba2-CHP-4-NOTE-116"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Note that in both <tt class="literal">logon path</tt> and <tt class="literal">logon
-home</tt>, we absolutely avoid making the profile directory the
-same as the user's home directory, and the directory
-that contains the profile is not used for any other purpose. This is
-because when the roaming profile is updated, all directories and
-files in the roaming-profile directory that are not part of the
-roaming profile are deleted.</p>
-</blockquote>
-
-<p>In the <tt class="literal">logon</tt> <tt class="literal">path</tt> line in
-<em class="filename">smb.conf</em>, we use <tt class="literal">%u</tt> to put
-the profiles directory in a subdirectory in the
-<tt class="literal">[profiles]</tt> share, such that each user gets her own
-directory that holds her roaming profiles.</p>
-
-<p>We define the <tt class="literal">[profiles]</tt> share like this:</p>
-
-<blockquote><pre class="code">[profiles]
- writable = yes
- create mask = 0600
- directory mask = 0700
- browsable = no
- path = /home/samba-ntprof</pre></blockquote>
-
-<p>The first four parameters in the previous share definition specify to
-allow roaming profiles to be written with the users'
-permissions, to create files with read and write permissions for the
-owner, and to create directories with read, write, and search
-permissions for the owner and no access allowed for other users. As
-with the <tt class="literal">[netlogon]</tt> share, we set
-<tt class="literal">browsable</tt> <tt class="literal">=</tt>
-<tt class="literal">no</tt> so that the share will not show up on the
-clients in Windows Explorer.</p>
-
-<p>We've decided to put our Windows NT/2000/XP profiles
-in <em class="filename">/home</em>, the default location of the home
-directories on Linux. This will make it simple to include the roaming
-profiles in backups of the home directories. You can use another
-directory if you like.</p>
-
-<p>Notice that in both <tt class="literal">logon</tt> <tt class="literal">path</tt>
-and <tt class="literal">logon</tt> <tt class="literal">home</tt>, the directory
-we specify ends in <tt class="literal">%m</tt>, which Samba replaces with
-the NetBIOS name of the client. We are using the
-client's computer name to identify indirectly which
-version of Windows it is running.</p>
-
-<p>Initially, the directories you specify to hold the roaming profiles
-will be empty and will become populated as clients log off for the
-first time. (Samba will even create the directories if they do not
-already exist.) At first, the directories will simply contain
-profiles that are identical to the clients' local
-profiles, and we highly recommend that you make a backup at this
-point before things get complicated. A listing of the roaming profile
-directory for user <tt class="literal">iman</tt>, after she has logged off
-from Windows 98 clients <tt class="literal">mixtec</tt> and
-<tt class="literal">pueblo</tt> and Windows Me clients
-<tt class="literal">huastec</tt> and <tt class="literal">navajo</tt>, might look
-something like the following:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
-total 4
-drwx------ 6 iman iman 4096 Dec 8 18:09 huastec
-drwx------ 9 iman iman 4096 Dec 7 03:47 mixtec
-drwx------ 11 iman iman 4096 Dec 7 03:05 navajo
-drwx------ 11 iman iman 4096 Dec 7 03:05 pueblo</pre></blockquote>
-
-<p>If things were left like this, the clients would not share their
-roaming profiles, so next we change from using separate directories
-to having symbolic links point to common directories:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mv mixtec Win98</b></tt>
-# <tt class="userinput"><b>mv navajo WinMe</b></tt>
-# <tt class="userinput"><b>rm huastec pueblo</b></tt>
-# <tt class="userinput"><b>ln -s Win98 pueblo</b></tt>
-# <tt class="userinput"><b>ln -s WinMe huastec</b></tt>
-# <tt class="userinput"><b>chown iman:iman *</b></tt>
-# <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
-total 6
-lrwxrwxrwx 1 iman iman 5 Nov 16 01:40 huastec -&gt; WinMe
-lrwxrwxrwx 1 iman iman 5 Nov 16 01:40 mixtec -&gt; Win98
-lrwxrwxrwx 1 iman iman 5 Nov 21 17:24 navajo -&gt; WinMe
-lrwxrwxrwx 1 iman iman 5 Nov 23 01:16 pueblo -&gt; Win98
-drwx------ 9 iman iman 4096 Dec 7 03:47 Win98
-drwx------ 11 iman iman 4096 Dec 7 03:05 WinMe</pre></blockquote>
-
-<p>Now when <tt class="literal">iman</tt> logs on to the domain from either
-Windows 98 system, the client from which she is logging on will get
-the profile stored in the <em class="filename">Win98</em> directory (that
-started out as her local profile on <tt class="literal">mixtec</tt>). This
-works likewise for the Windows Me clients.</p>
-
-<p>To show a more complete example, here is a listing of a fully
-operational Windows 95/98/Me profiles directory:</p>
-
-<a name="INDEX-133"/><blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/jay/.win_profile</b></tt>
-total 12
-lrwxrwxrwx 1 jay jay 9 Nov 16 22:14 aztec -&gt; /home/jay
-lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 hopi -&gt; Win95
-lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 huastec -&gt; WinMe
-lrwxrwxrwx 1 jay jay 5 Nov 16 01:38 maya -&gt; Win98
-lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 mixtec -&gt; Win98
-lrwxrwxrwx 1 jay jay 5 Nov 21 17:24 navajo -&gt; WinMe
-lrwxrwxrwx 1 jay jay 5 Nov 23 01:16 pueblo -&gt; Win98
-lrwxrwxrwx 1 jay jay 5 Nov 22 02:06 ute -&gt; Win95
-drwx------ 6 jay jay 4096 Dec 8 18:09 Win95
-drwx------ 9 jay jay 4096 Dec 7 03:47 Win98
-drwx------ 11 jay jay 4096 Dec 7 03:05 WinMe
-lrwxrwxrwx 1 jay jay 5 Nov 21 22:48 yaqui -&gt; Win98
-lrwxrwxrwx 1 jay jay 9 Nov 16 22:14 zuni -&gt; /home/jay</pre></blockquote>
-
-<p>Again, the computer name of each client exists in this directory as a
-symbolic link that points to the directory containing the actual
-roaming profile. For example, <tt class="literal">maya</tt>, a client that
-runs Windows 98, has a symbolic link named <em class="filename">maya</em>
-to the <em class="filename">Win98</em> directory. A listing of
-<em class="filename">Win98</em> shows:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l Win98</b></tt>
-total 148
-drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 Application Data
-drwxr-xr-x 2 jay jay 4096 Nov 23 01:30 Cookies
-drwxr-xr-x 3 jay jay 4096 Dec 7 03:47 Desktop
-drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 History
-drwxr-xr-x 2 jay jay 4096 Nov 23 01:30 NetHood
-drwxr-xr-x 2 jay jay 4096 Dec 7 03:47 Recent
-drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 Start Menu
--rw-r--r-- 1 jay jay 114720 Dec 7 03:46 USER.DAT</pre></blockquote>
-
-<p>The contents of the <em class="filename">Win95</em> and
-<em class="filename">WinMe</em> directories appear similar and contain
-roaming profiles that work exactly as they should on their respective
-operating systems.</p>
-
-<p>Notice in the previous listing that <em class="filename">aztec</em> and
-<em class="filename">zuni</em> are symbolic links to
-<em class="filename">/home/jay</em>. We've cautioned you
-never to configure a roaming profile directory to be a
-user's home directory, but this is to handle
-something different. The clients <tt class="literal">aztec</tt> and
-<tt class="literal">zuni</tt> are Windows XP systems, which handle
-<tt class="literal">logon</tt> <tt class="literal">home</tt> differently than
-other versions of Windows. We have set <tt class="literal">logon</tt>
-<tt class="literal">home</tt> <tt class="literal">=</tt>
-<tt class="literal">\\%L\%u\</tt>.<tt class="literal">win</tt>
-<tt class="literal">profile</tt>, and all versions of Windows except for
-Windows XP strip off everything after <tt class="literal">\\%L\%u</tt> and
-correctly locate the home directory&mdash;in this case,
-<em class="filename">/home/jay</em>. Windows XP uses the full UNC, so we
-simply add a symbolic link to redirect it to the correct directory to
-get the <em class="emphasis">net use H: /home</em> command to work as it
-should. The roaming profiles for Windows XP systems are not affected
-by this and are kept with the other roaming profiles in the Windows
-NT/2000/XP family, as shown in this listing:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/samba-ntprof/jay</b></tt>
-total 16
-lrwxrwxrwx 1 jay jay 5 Nov 20 03:45 apache -&gt; Win2K
-lrwxrwxrwx 1 jay jay 5 Nov 13 12:35 aztec -&gt; WinXP
-lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 dine -&gt; WinNT
-lrwxrwxrwx 1 jay jay 5 Nov 24 03:44 inca -&gt; Win2K
-lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 pima -&gt; Win2K
-drwx------ 13 jay jay 4096 Dec 3 15:24 qero
-drwx------ 13 jay jay 4096 Dec 1 20:31 Win2K
-drwx------ 12 jay jay 4096 Nov 30 17:04 WinNT
-drwx------ 13 jay jay 4096 Nov 20 01:23 WinXP
-lrwxrwxrwx 1 jay jay 5 Nov 20 06:09 yavapai -&gt; WinXP
-lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 zapotec -&gt; Win2K
-lrwxrwxrwx 1 jay jay 5 Nov 13 12:35 zuni -&gt; WinXP</pre></blockquote>
-
-<p>As you can see, we are using a similar method for the Windows
-NT/2000/XP roaming profiles. In the listing,
-<em class="filename">qero</em> is not a symbolic link, but rather a
-directory that holds the roaming profile for <tt class="literal">qero</tt>,
-a Windows 2000 client that has recently been added. We had not
-created a symbolic link called <em class="filename">qero</em> before
-installing Windows 2000, so when jay logged off for the first time,
-Samba created a directory named <em class="filename">qero</em> and copied
-the roaming profile received from the client to the new directory.
-Because this is a separate directory from <em class="filename">Win2K</em>,
-which all other Windows 2000 clients are using to share their roaming
-profiles, the roaming profile for <tt class="literal">qero</tt> works like
-a local profile, except that it is stored on the primary domain
-controller.</p>
-
-<p>This might seem like an odd thing to do, but it has some purpose.
-Sometimes you might wish to isolate a client in this manner,
-especially while the operating system is being installed and
-initially configured. Remember, if that client, with its default
-local profile, is logged off the domain, the local profile will be
-written to the roaming profile directory. If the client were using
-the shared roaming profile directory, the effect could be
-undesirable, to say the least. Using our method, the
-<em class="filename">qero</em> directory can later be renamed to make it
-into an archival backup, or it can just be deleted. Then a new
-symlink named <em class="filename">qero</em> can be created to point to
-the <em class="filename">Win2K</em> directory, and <tt class="literal">qero</tt>
-will share the roaming profile in <em class="filename">Win2K</em> with the
-other Windows 2000 clients.</p>
-
-<p>An alternative method is simply to create the
-<a name="INDEX-134"/>symbolic
-links before the clients are added to the network. After you become
-more comfortable with the way roaming profiles work, you might find
-this method to be simpler and quicker.</p>
-
-<p>Again, we urge you to be careful about letting different versions of
-Windows share the same roaming profile. The method of configuring
-roaming profiles we've shown you here allows you to
-test a configuration for a few clients at a time without affecting
-your whole network of clients. For example, we could install a small
-number of Windows 2000 and Windows XP systems in the domain for
-testing purposes and then create symlinks for them that point to a
-directory called <em class="filename">Win2KXP</em> to find out if sharing
-roaming profiles between our Windows 2000 and Windows XP systems
-meets our expectations. The <em class="filename">Win2KXP</em> directory
-could be created as an empty directory, in which case it would have a
-roaming profile written to it by the first of the clients to log off.
-Or, <em class="filename">Win2KXP</em> could simply be a renamed roaming
-profile directory that was created by one of the clients when it was
-added to the domain. <a name="INDEX-135"/><a name="INDEX-136"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-5.3"/>
-
-<h3 class="head2">Configuring Windows 95/98/Me for Roaming Profiles</h3>
-
-<p><a name="INDEX-137"/><a name="INDEX-138"/>For roaming profiles to work on
-Windows 95/98/Me clients, all you need to do is change one setting to
-allow each user to have a separate local profile. This has the side
-effect of enabling roaming profiles as well.</p>
-
-<p>Open the Control Panel and double-click the Passwords icon to open
-the Passwords Properties dialog box. Click the User Profiles tab, and
-the dialog box will appear as shown in <a href="ch04.html#samba2-CHP-4-FIG-12">Figure 4-12</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-12"/><img src="figs/sam2_0412.gif"/></div><h4 class="head4">Figure 4-12. The Windows 98 Passwords Properties dialog</h4>
-
-<p>Click the button labeled &quot;Users can customize their
-preferences and desktop settings.&quot; In the User
-profile settings box, you can check the options you prefer. When
-done, click the OK button and reboot as requested. During this first
-reboot, Windows will copy the local profile data to
-<em class="filename">C:\windows\profiles</em> but will not attempt to copy
-the roaming profile from the server. The next time the system is shut
-down, the local profile will be copied to the server, and when
-Windows reboots, it will copy the roaming profile from the server.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-5.4"/>
-
-<h3 class="head2">Configuring Windows NT/2000/XP for Roaming Profiles</h3>
-
-<p><a name="INDEX-139"/><a name="INDEX-140"/><a name="INDEX-141"/><a name="INDEX-142"/>Roaming profiles are enabled by
-default on Windows NT/2000/XP. In case you would like to check or
-modify your settings, follow these directions.</p>
-
-<p>Make sure you are logged in to the local system as Administrator or
-another user in the Administrators group. Open the Control Panel and
-double-click the System icon. On Windows NT/2000, click the User
-Profiles tab, or on Windows XP, click the Advanced tab and then the
-Settings button in the User Profiles box. You should see the dialog
-box in <a href="ch04.html#samba2-CHP-4-FIG-13">Figure 4-13</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-13"/><img src="figs/sam2_0413.gif"/></div><h4 class="head4">Figure 4-13. The Windows 2000 System Properties, User Profiles tab</h4>
-
-<p>Notice in the figure that there are two entries for the username
-<tt class="literal">jay</tt>. The entry ZAPOTEC\jay refers to the account
-on the local system, and METRAN\jay refers to the domain account.
-Recall that when a user logs on, a drop-down menu in the dialog box
-allows him to log on to a domain or log in to the local system. When
-<tt class="literal">jay</tt> logs in to the local machine, only the local
-profile is used. When logged on to the domain, the configuration
-shown will use the roaming profile. To switch a
-user's profile type for a domain logon account,
-click the account name to select it, then click the Change Type...
-button near the bottom of the dialog box. The Change Profile Type
-dialog box will appear. Click the radio button for either roaming or
-local profile, and then click the OK buttons for each dialog box.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-5.5"/>
-
-<h3 class="head2">Mandatory Profiles</h3>
-
-<p><a name="INDEX-143"/>With a simple
-modification, a <a name="INDEX-144"/>roaming profile can be made into a
-<a name="INDEX-145"/>mandatory
-profile, which has the quality of being unmodifiable by its owner.
-Mandatory profiles are used in some computing environments to
-simplify administration. The theory is that if users cannot modify
-their profiles, less can go wrong, and it is also possible to use the
-same standardized profile for all users.</p>
-
-<p>In practice, some issues come up. Because the users can still modify
-the configuration settings in their local profile during their logon
-session, confusion can result the next time they log on to the domain
-and discover their changes have been
-&quot;lost.&quot; If the user of a client
-reinstalls an application in a different place, the shortcuts to the
-program on the desktop, in the Start menu, or in a Quick Launch bar
-cannot be permanently deleted. They will reappear every time the user
-logs back on to the domain. Essentially, a mandatory profile is a
-roaming profile that always fails to update to the server upon
-logging off!</p>
-
-<p>Another complication is that different versions of Windows behave
-differently with mandatory profiles. If a user who has a mandatory
-profile creates a new file on her desktop, the file might be missing
-the next time the user logs off and on again or reboots. Some Windows
-versions preserve desktop files in the local profile (even if the
-file does not exist in the mandatory profile), whereas others do not.</p>
-
-<p>To change a <a name="INDEX-146"/><a name="INDEX-147"/>roaming profile to a mandatory
-profile, all you have to do is rename the
-<em class="filename">.dat</em><a name="INDEX-148"/><a name="INDEX-149"/> file in the roaming profile directory
-on the server to have a <em class="filename">.man</em> extension instead.
-For a Windows 95/98/Me roaming profile, you would rename
-<em class="filename">USER.DAT</em> to <em class="filename">USER.MAN</em>, and
-for a Windows NT/2000/XP roaming profile, you would rename
-<em class="filename">NTUSER.DAT</em> to <em class="filename">NTUSER.MAN</em>.
-Also, you might want to make the roaming-profile directory and its
-contents read-only, to make sure that a user can't
-change it by logging into his Unix user account on the Samba host
-system.</p>
-
-<p>If you want to have all your users share a mandatory profile, you can
-change the definitions of <tt class="literal">logon</tt>
-<tt class="literal">path</tt> and <tt class="literal">logon</tt>
-<tt class="literal">home</tt> in your <em class="filename">smb.conf</em> file to
-point to a shared mandatory profile on the server and adjust your
-directory structure and symbolic links accordingly. For example,
-<tt class="literal">logon</tt> <tt class="literal">path</tt> and
-<tt class="literal">logon</tt> <tt class="literal">home</tt> might be defined
-like this:</p>
-
-<blockquote><pre class="code">logon path = \\%L\profiles\%m
-logon home = \\%L\%u\.win_profile\%m</pre></blockquote>
-
-<p>Notice that we've removed the <tt class="literal">%u</tt>
-part of the path for <tt class="literal">logon</tt>
-<tt class="literal">path</tt>, and we would also change the directory
-structure on the server to do away with the separation of the
-profiles by username and have just one profile for each Windows
-NT/2000/XP version.</p>
-
-<p>We cannot use the same treatment for <tt class="literal">logon</tt>
-<tt class="literal">home</tt> because it is also used to specify the home
-directory. In this case, we would change the symbolic links in each
-user's <em class="filename">.win_profile</em> directory
-to point to a common mandatory profile directory containing the
-mandatory profiles for each of Windows 95/98/Me. Again, check the
-ownership and permissions on the files in the directory, and modify
-them if necessary to make sure a user can't modify
-any files by logging into her Unix account on the Samba host system.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-5.6"/>
-
-<h3 class="head2">Logon Script and Roaming-Profile Options</h3>
-
-<p><a href="ch04.html#samba2-CHP-4-TABLE-1">Table 4-1</a> summarizes the options commonly used in
-association with Windows NT domain <a name="INDEX-150"/><a name="INDEX-151"/>logon
-scripts and roaming profiles.</p>
-
-<a name="samba2-CHP-4-TABLE-1"/><h4 class="head4">Table 4-1. Logon-script options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">logon</tt> <tt class="literal">script</tt></p>
-</td>
-<td>
-<p>string (MS-DOS path)</p>
-</td>
-<td>
-<p>Name of logon script batch file</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">logon</tt> <tt class="literal">path</tt></p>
-</td>
-<td>
-<p>string (UNC server and share name)</p>
-</td>
-<td>
-<p>Location of roaming profile</p>
-</td>
-<td>
-<p><tt class="literal">\\%N\%U\profile</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">logon</tt> <tt class="literal">drive</tt></p>
-</td>
-<td>
-<p>string (drive letter)</p>
-</td>
-<td>
-<p>Specifies the logon drive for a home directory</p>
-</td>
-<td>
-<p><tt class="literal">Z</tt>:</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">logon</tt> <tt class="literal">home</tt></p>
-</td>
-<td>
-<p>string (UNC server and share name)</p>
-</td>
-<td>
-<p>Specifies a location for home directories for clients logging on to
-the domain</p>
-</td>
-<td>
-<p><tt class="literal">\\%N\%U</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.1"/>
-
-<a name="INDEX-152"/><h3 class="head3">logon script</h3>
-
-<p>This option specifies a Windows batch file that will be executed on
-the client after a user has logged on to the domain. Each logon
-script should be stored in the root directory of the
-<tt class="literal">[netlogon]</tt> share or a subdirectory. This option
-frequently uses the <tt class="literal">%U</tt> or <tt class="literal">%m</tt>
-variables (user or NetBIOS name) to point to an individual script.
-For example:</p>
-
-<blockquote><pre class="code">[global]
- logon script = %U.bat</pre></blockquote>
-
-<p>will execute a script based on the username. If the user who is
-connecting is <tt class="literal">fred</tt> and the path of the
-<tt class="literal">[netlogon]</tt> share maps to the directory
-<em class="filename">/export/samba/netlogon</em>, the script should be
-<em class="filename">/export/samba/netlogon/fred.bat</em>. Because these
-scripts are downloaded to the client and executed on the Windows
-side, they must have MS-DOS-style newline characters rather than Unix
-newlines.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.2"/>
-
-<a name="INDEX-153"/><h3 class="head3">logon path</h3>
-
-<p>This option specifies the location where roaming profiles are kept.
-When the user logs on, a roaming profile will be downloaded from the
-server to the client and used as the local profile during the logon
-session. When the user logs off, the contents of the local profile
-will be uploaded back to the server until the next time the user
-connects.</p>
-
-<p>It is often more secure to create a separate share exclusively for
-storing user profiles:</p>
-
-<blockquote><pre class="code">[global]
- logon path = \\hydra\profile\%U</pre></blockquote>
-
-<p>For more information on this option, see <a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a> earlier in this chapter.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.3"/>
-
-<a name="INDEX-154"/><h3 class="head3">logon drive</h3>
-
-<p>This option specifies the drive letter on a Windows NT/2000/XP client
-to which the home directory specified with the
-<tt class="literal">logon</tt> <tt class="literal">home</tt> option will be
-mapped. Note that this option will work with Windows NT/2000/XP
-clients only. For example:</p>
-
-<blockquote><pre class="code">[global]
- logon drive = I:</pre></blockquote>
-
-<p>You should always use drive letters that will not conflict with fixed
-drives on the client machine. The default is Z:, which is a good
-choice because it is as far away from A:, C:, and D: as possible.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.4"/>
-
-<a name="INDEX-155"/><h3 class="head3">logon home</h3>
-
-<p>This option specifies the location of a user's home
-directory for use by the MS-DOS <em class="emphasis">net</em> commands.
-For example, to specify a home directory as a share on a Samba
-server, use the following:</p>
-
-<blockquote><pre class="code">[global]
- logon home = \\hydra\%U</pre></blockquote>
-
-<p>Note that this works nicely with the <tt class="literal">[homes]</tt>
-service, although you can specify any directory you wish. Home
-directories can be mapped with a logon script using the following
-command:</p>
-
-<a name="INDEX-156"/><blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net use i: /home </b></tt></pre></blockquote>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-4-SECT-6"/>
-
-<h2 class="head1">System Policies</h2>
-
-<p>A <a name="INDEX-157"/>system policy can be used in a Windows
-NT domain as a remote administration tool for implementing a similar
-computing environment on all clients and limiting the abilities of
-users to change configuration settings on their systems or allowing
-them to run only a limited set of programs. One application of system
-policies is to use them along with mandatory profiles to implement a
-collection of computers for public use, such as in a library, school,
-or Internet cafe.</p>
-
-<p>A system policy is a collection of registry settings that is stored
-in a file on the PDC and is automatically downloaded to the clients
-when users log on to the domain. The file containing the settings is
-created on a Windows system using the <a name="INDEX-158"/>System Policy Editor. Because the format
-of the registry is different between Windows 95/98/Me and Windows
-NT/2000/XP, it is necessary to make sure that the file that is
-created is in the proper format. This is a very simple matter because
-when the System Policy Editor runs on Windows 95/98/Me, it will
-create a file in the format for Windows 95/98/Me, and if it is run on
-Windows NT/2000/XP, it will use the format needed by those versions.
-After the policy file is created with the System Policy Editor, it is
-stored on the primary domain controller and is automatically
-downloaded by the clients during the logon process, and the policies
-are applied to the client system.</p>
-
-<p>On Windows NT 4.0 Server, you can run the System Policy Editor by
-logging in to the system as Administrator or another user in the
-Administrators group, opening the Start menu, and selecting Programs,
-then Administrative Tools, then System Policy Editor. On Windows 2000
-Advanced Server, open the Start menu and click Run . . . . In the
-dialog box that comes up, type in
-<tt class="literal">C:\winnt\poledit.exe</tt>, and click the OK button.</p>
-
-<p>If you are using a Windows version other than NT Server or Windows
-2000 Advanced Server, you must install the System Policy Editor, and
-getting a copy of it can be a little tricky. If you are running
-Windows NT 4.0 Workstation or Windows 2000 Professional and have a
-Windows NT 4.0 Server installation CD-ROM, you can run the file
-<em class="filename">\Clients\Svrtools\Winnt\Setup.bat</em> from that CD
-to install the Client-based Network Administration Tools, which
-includes <em class="emphasis">poledit.exe</em>. Then open the Start menu,
-click Run..., type <tt class="literal">C:\winnt\system32\poledit.exe</tt>
-into the text area, and click the OK button.</p>
-
-<p>If you are using Windows 95/98, insert a Windows 95 or Windows 98
-distribution CD-ROM<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> into your CD-ROM drive,
-then open the Control Panel and double-click the Add/Remove Programs
-button.</p>
-
-<p>Click the Windows Setup tab, and then click the Have Disk...
-button. In the new dialog box that appears, click the Browse...
-button, then select the CD-ROM drive from the Drives drop-down menu.
-Then:</p>
-
-<ul><li>
-<p>If you are using a Windows 95 installation CD-ROM, double-click the
-admin, then apptools, then poledit folder icons.</p>
-</li><li>
-<p>If you are using a Windows 98 installation CD-ROM, double-click the
-tools, then reskit, then netadmin, then poledit folder icons.</p>
-</li></ul>
-<p>You should see &quot;<a name="INDEX-159"/>grouppol.inf&quot; appear in
-the File name: text area on the left of the dialog box. Click the OK
-buttons in two dialog boxes, and you will be presented with a dialog
-box in which you should select both the Group Policies and System
-Policy Editor checkboxes. Then click the Install button. Close the
-remaining dialog box, and you can now run the System Policy Editor by
-opening the Start menu and selecting Programs, then Accessories, then
-System Tools, then System Policy Editor. Or click the Run... item in
-the Start Menu, and enter <tt class="literal">C:\Windows\Poledit</tt>.</p>
-
-<p>When the System Policy Editor starts up, select New Policy from the
-File menu, and you will see a window similar to that in <a href="ch04.html#samba2-CHP-4-FIG-14">Figure 4-14</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-14"/><img src="figs/sam2_0414.gif"/></div><h4 class="head4">Figure 4-14. The System Policy Editor window</h4>
-
-<p>The next step is to make a selection from the File menu to add
-policies for users, groups, and computers. For each item you add, you
-will be asked for the username, or name of the group or computer, and
-a new icon will appear in the window. Double-clicking one of the
-icons will bring up the Properties dialog box, such as the one shown
-in <a href="ch04.html#samba2-CHP-4-FIG-15">Figure 4-15</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-15"/><img src="figs/sam2_0415.gif"/></div><h4 class="head4">Figure 4-15. The Properties dialog of System Policy Editor</h4>
-
-<p>The upper window in the dialog shows the registry settings that can
-be modified as part of the system policy, and the lower window shows
-descriptive information or more settings pertaining to the one
-selected in the upper window. Notice in the figure that there are
-three checkboxes and that they are all in different states:</p>
-
-<dl>
-<dt><b>Checked</b></dt>
-<dd>
-<p>Meaning that the registry setting is enabled in the policy</p>
-</dd>
-
-
-
-<dt><b>White (unchecked)</b></dt>
-<dd>
-<p>Which clears the registry setting</p>
-</dd>
-
-
-
-<dt><b>Gray</b></dt>
-<dd>
-<p>Which causes the registry setting on the client to be unmodified</p>
-</dd>
-
-</dl>
-
-<p>Basically, if all the items are left gray (the default), the system
-policy will have no effect. The registry of the logged-on client will
-not be modified. However, if any of the items are either checked or
-unchecked (white), the registry on the client will be modified to
-enable the setting or clear it.</p>
-<a name="samba2-CHP-4-NOTE-117"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>In this section, we are giving you enough information on using the
-System Policy Editor to get you started&mdash;or, should we say,
-enough rope with which to hang yourself. Remember that a system
-policy, once put into action, will be modifying the registries of all
-clients who log on to the domain. The usual warnings about editing a
-Windows registry apply here with even greater importance. Consider
-how difficult (or even impossible) it will be for you to restore the
-registries on all those clients if anything happens to go wrong.
-<em class="emphasis">As with roaming profiles, casual or careless implementation
-of system policies can easily lead to domain-wide
-disaster</em>.</p>
-
-<p>Creating a good system policy file is a complex topic, which we
-cannot cover in detail here. It would take a whole book, and yes,
-there happens to be an O'Reilly book on the subject,
-<em class="citetitle">Windows System Policy Editor</em>. Another
-definitive source of documentation on Windows NT system policies and
-the System Policy Editor is the Microsoft white paper
-<em class="citetitle">Implementing Policies and Profiles for Windows NT
-4.0</em>, which can be found at <a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
-</blockquote>
-
-<p>Once you have created a policy, click the OK button and use the Save
-As... item from the File menu to save it. Use the filename
-<em class="filename">config.pol</em><a name="INDEX-160"/> for a Windows 95/98 system policy and
-<em class="filename">ntconfig.pol</em><a name="INDEX-161"/> for a policy that will be used on Windows
-NT/2000/XP clients. Finally, copy the <em class="filename">.pol</em> file
-to the directory used for the <tt class="literal">[netlogon]</tt> share on
-the Samba PDC. The <em class="filename">config.pol</em> and
-<em class="filename">ntconfig.pol</em> files must go in this
-directory&mdash;unlike roaming profiles and logon scripts, there is
-no way to specify the location of the system policy files in
-<em class="filename">smb.conf</em>. If you want to have different system
-policies for different users or computers, you must perform that part
-of the configuration within the System Policy Editor.</p>
-
-<a name="samba2-CHP-4-NOTE-118"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If you have, or will have, any <a name="INDEX-162"/><a name="INDEX-163"/>Windows Me clients on your network,
-be careful. Microsoft has stated that Windows Me does not support
-system policies. The odd thing about this is that it will download
-the policy from a <em class="filename">config.pol</em> file on the PDC,
-but there is no guarantee that the results will be what was intended.
-Check the effect of your system policy carefully on your Windows Me
-clients to make sure it is working how you want.</p>
-</blockquote>
-
-<p>When a user logs on to the domain, her Windows client will download
-the <em class="filename">.pol</em> file from the server, and the settings
-in it (that is, the items either checked or cleared in the System
-Policy Editor) will override the client's settings.</p>
-
-<p>If things &quot;should work&quot; but
-don't, try shutting down the Windows client and
-restarting, rather than just logging off and on again. Windows
-sometimes will hold the <tt class="literal">[netlogon]</tt> share open
-across logon sessions, and this can prevent the client from getting
-the updated <em class="filename">.pol</em> file from the server.
-<a name="INDEX-164"/>
-<a name="INDEX-165"/></p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-4-SECT-7"/>
-
-<h2 class="head1">Samba as a Domain Member Server</h2>
-
-<p><a name="INDEX-166"/>Up to now,
-we've focused on configuring and using Samba as the
-primary domain controller. If you already have a domain controller on
-your network, either a Windows NT/2000 Server system or a Samba PDC,
-you can add a Samba server to the domain as a domain member server.
-This involves setting up the Samba server to have a computer account
-with the primary domain controller, in a similar way that Windows
-NT/2000/XP clients can have computer accounts on a Samba PDC. When a
-client accesses shares on the Samba domain member server, Samba will
-pass off the authentication to the domain controller rather than
-performing the task on the local system. If the PDC is a Windows
-server, any number of Windows BDCs might exist that can handle the
-authentication instead of the PDC.</p>
-
-<p>The first step is to add the Samba server to the domain by creating a
-computer account for it on the primary domain controller. You can do
-this using the <em class="emphasis">smbpasswd</em> command, as follows:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j <em class="replaceable">DOMAIN</em> -r <em class="replaceable">PDCNAME</em> -U<em class="replaceable">admin_acct</em>%<em class="replaceable">password</em></b></tt></pre></blockquote>
-
-<p>In this command, <em class="replaceable">DOMAIN</em> is replaced by the
-name of the domain the Samba host is joining,
-<em class="replaceable">PDCNAME</em> is replaced by the computer name
-of the primary domain controller,
-<em class="replaceable">admin_acct</em> is replaced by the username of
-an administrative account on the domain controller (either
-Administrator&mdash;or another user in the Administrators
-group&mdash;on Windows NT/2000, and root on Samba), and
-<em class="replaceable">password</em> is replaced with the password of
-that user. To give a more concrete example, on our domain that has a
-Windows NT 4 Server primary domain controller or a Windows 2000
-Active Directory domain controller named <tt class="literal">SINAGUA</tt>,
-the command would be:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r SINAGUA -UAdministrator%hup8ter</b></tt></pre></blockquote>
-
-<p>and if the PDC is a Samba system, we would use the command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r toltec -Uroot%jwun83jb</b></tt></pre></blockquote>
-
-<p>where <tt class="literal">jwun83jb</tt> is the password for the root user
-that is contained in the<em class="filename"> smbpasswd</em> file, as we
-explained earlier in this chapter.</p>
-
-<p>If you did it right, <em class="emphasis">smbpasswd</em> will respond with
-a message saying the domain has been joined. The security
-identifier<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a> returned to Samba from the PDC is kept in
-the file <em class="filename">/usr/local/samba/private/secrets.tdb</em>.
-The information in
-<em class="filename">secrets.tdb</em><a name="INDEX-167"/> is security-sensitive, so make sure to
-protect <em class="filename">secrets.tdb</em> in the same way you would
-treat Samba's password file.</p>
-
-<p>The next step is to modify the
-<em class="filename">smb.conf</em><a name="INDEX-168"/> file. Assuming you are starting with a
-valid <em class="filename">smb.conf</em> file that correctly configures
-Samba to function in a workgroup, such as the one we used in <a href="ch02.html">Chapter 2</a>, it is simply a matter of adding the following
-three lines to the <tt class="literal">[global]</tt> section:</p>
-
-<blockquote><pre class="code">workgroup = METRAN
-security = domain
-password server = *</pre></blockquote>
-
-<p>The first line establishes the name of the domain (even though it
-says &quot;workgroup&quot;). Instead of
-METRAN, use the name of the domain you are joining. Setting security
-to &quot;domain&quot; causes Samba to hand
-off authentication to a domain controller, and the
-<tt class="literal">password</tt> <tt class="literal">server</tt>
-<tt class="literal">=</tt> <tt class="literal">*</tt> line tells Samba to find
-the domain controller for authentication (which could be the primary
-domain controller or a backup domain controller) by querying the WINS
-server or using broadcast packets if a WINS server is not available.</p>
-
-<p>At this point, it would be prudent to run
-<em class="emphasis">testparm</em> to check that your
-<em class="filename">smb.conf</em> is free of errors. Then restart the
-Samba daemons.</p>
-
-<p>If the PDC is a Windows NT system, you can use Server Manager to
-check that the Samba server has been added successfully. Open the
-Start menu, then select Programs, then Administrative Tools (Common),
-and then Server Manager. Server Manager starts up with a window that
-looks like <a href="ch04.html#samba2-CHP-4-FIG-16">Figure 4-16</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-16"/><img src="figs/sam2_0416.gif"/></div><h4 class="head4">Figure 4-16. The Windows NT Server Manager window</h4>
-
-<p>As you can see, we've added both
-<tt class="literal">toltec</tt> and <tt class="literal">mixtec</tt> to a domain
-for which the Windows NT 4.0 Server system,
-<tt class="literal">sinagua</tt>, is the primary domain controller.</p>
-
-<p>You can check your setup on Windows 2000 Advanced Server by opening
-the Start menu and selecting Programs, then Administrative Tools,
-then Active Directory Users and Computers. The window that opens up
-will look like <a href="ch04.html#samba2-CHP-4-FIG-17">Figure 4-17</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-4-FIG-17"/><img src="figs/sam2_0417.gif"/></div><h4 class="head4">Figure 4-17. The Windows 2000 Active Directory Users and Computers window</h4>
-
-<p>Click Computers in the left side of the window with the Tree tab. You
-should see your Samba system listed in the right pane of the window.
-<a name="INDEX-169"/></p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-4-SECT-8"/>
-
-<h2 class="head1">Windows NT Domain Options</h2>
-
-<p><a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a> shows the options that are commonly used
-in association with Samba on a Windows NT domain.</p>
-
-<a name="samba2-CHP-4-TABLE-2"/><h4 class="head4">Table 4-2. Windows NT domain options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">domain logons</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>Indicates whether Windows domain logons are to be used</p>
-</td>
-<td>
-<p><tt class="literal">No</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">domain master</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>For telling Samba to take the role of domain master browser</p>
-</td>
-<td>
-<p>Auto</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">add user script</tt></p>
-</td>
-<td>
-<p>string (command)</p>
-</td>
-<td>
-<p>Script to run to add a user or computer account</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">delete user</tt> <tt class="literal">script</tt></p>
-</td>
-<td>
-<p>string (command)</p>
-</td>
-<td>
-<p>Script to run to delete a user or computer account</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">domain admin group</tt></p>
-</td>
-<td>
-<p>string (list of users)</p>
-</td>
-<td>
-<p>Users that are in the Domain Admins group</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">domain guest group</tt></p>
-</td>
-<td>
-<p>string (list of users)</p>
-</td>
-<td>
-<p>Users that are in the Domain Guests group</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">password server</tt></p>
-</td>
-<td>
-<p>string (list of computers)</p>
-</td>
-<td>
-<p>List of domain controllers used for authentication when Samba is
-running as a domain member server</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">machine password timeout</tt></p>
-</td>
-<td>
-<p>numeric (seconds)</p>
-</td>
-<td>
-<p>Sets the renewal interval for NT domain machine passwords</p>
-</td>
-<td>
-<p><tt class="literal">604,800</tt> (1 week )</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-<p>Here are detailed explanations of each <a name="INDEX-170"/>Windows NT domain option listed
-in <a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a>.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-4-SECT-8.1"/>
-
-<a name="INDEX-171"/><h3 class="head2">domain logons</h3>
-
-<p>This option configures Samba to accept domain logons as a primary
-domain controller. When a client successfully logs on to the domain,
-Samba will return a special token to the client that allows the
-client to access domain shares without consulting the PDC again for
-authentication. Note that the Samba machine must employ user-level
-security (<tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">user</tt>) and must be the PDC for this option to
-function. In addition, Windows machines will expect a
-<tt class="literal">[netlogon]</tt> share to exist on the Samba server.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.1"/>
-
-<a name="INDEX-172"/><h3 class="head3">domain master</h3>
-
-<p>In a Windows network, a local master browser handles browsing within
-a subnet. A Windows domain can be made up of a number of subnets,
-each of which has its own local master browser. The primary domain
-controller serves the function of domain master browser, collecting
-the browse lists from the local master browser of each subnet. Each
-local master browser queries the domain master browser and adds the
-information about other subnets to their own browse lists. When Samba
-is configured as a primary domain controller, it automatically sets
-<tt class="literal">domain</tt> <tt class="literal">master</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt>, making itself the domain
-master browser.</p>
-
-<p>Because Windows NT PDCs always claim the role of domain master
-browser, Samba should never be allowed to be domain master if there
-is a Windows PDC in the domain.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.2"/>
-
-<a name="INDEX-173"/><h3 class="head3">add user script</h3>
-
-<p>There are two ways in which <tt class="literal">add</tt>
-<tt class="literal">user</tt> <tt class="literal">script</tt> can be used. When
-the Samba server is set up as a primary domain controller, it can be
-assigned to a command that will run on the Samba server to add a
-Windows NT/2000/XP computer account to Samba's
-password database. When the user on the Windows system changes the
-computer's settings to join a domain, he is asked
-for the username and password of a user who has administrative rights
-on the domain controller. Samba authenticates this user and then runs
-the <tt class="literal">add</tt> <tt class="literal">user</tt>
-<tt class="literal">script</tt> with root permissions.</p>
-
-<p>When Samba is configured as a domain member server, the
-<tt class="literal">add</tt> <tt class="literal">user</tt>
-<tt class="literal">script</tt> can be assigned to a command to add a user
-to the system. This allows Windows clients to add users that can
-access shares on the Samba system without requiring an administrator
-to create the account manually on the Samba host.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.3"/>
-
-<a name="INDEX-174"/><h3 class="head3">delete user script</h3>
-
-<p>There are times when users are automatically deleted from the domain,
-and the <tt class="literal">delete</tt> <tt class="literal">user</tt>
-<tt class="literal">script</tt> can be assigned to a command that removes a
-user from the Samba host as a Windows server would do. However, you
-might not want this to happen, because the Unix user might need the
-account for reasons other than use with Samba. Therefore, we
-recommend that you be very careful about using this option.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.4"/>
-
-<a name="INDEX-175"/><h3 class="head3">domain admin group</h3>
-
-<p>In a domain of Windows systems, it is possible for a server to get a
-list of the members of the Domain Admins group from a domain
-controller. Samba 2.2 does not have the ability to handle this, and
-the <tt class="literal">domain</tt> <tt class="literal">admin</tt>
-<tt class="literal">group</tt> parameter exists as a manual means of
-informing Samba who is in the group. The list should contain root
-(necessary for adding computer accounts) and any users on Windows
-NT/2000/XP clients in the domain who are in the Domain Admins group.
-These users must be recognized by the primary controller in order for
-them to perform some administrative duties such as adding users to
-the domain.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.5"/>
-
-<a name="INDEX-176"/><h3 class="head3">password server</h3>
-
-<p>In a Windows domain in which the domain controllers are a Windows
-primary domain controller, along with any number of Windows backup
-domain controllers, clients and domain member servers authenticate
-users by querying either the PDC or any of the BDCs. When Samba is
-configured as a domain member server, the <tt class="literal">password</tt>
-<tt class="literal">server</tt> parameter allows some control over how
-Samba finds a domain controller. Earlier versions of Samba could not
-use the same method that Windows systems use, and it was necessary to
-specify a list of systems to try. When you set
-<tt class="literal">password</tt> <tt class="literal">server</tt>
-<tt class="literal">=</tt> <tt class="literal">*</tt>, Samba 2.2 is able to find
-the domain controller in the same manner that Windows does, which
-helps to spread the requests over several backup domain controllers,
-minimizing the possibility of them becoming overloaded with
-authentication requests. We recommend that you use this method.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.6"/>
-
-<a name="INDEX-177"/><h3 class="head3">machine password timeout</h3>
-
-<p>The <tt class="literal">machine</tt> <tt class="literal">password</tt>
-<tt class="literal">timeout</tt> global option sets a retention period for
-Windows NT domain machine passwords. The default is currently set to
-the same time period that Windows NT 4.0 uses: 604,800 seconds (one
-week). Samba will periodically attempt to change the
-<em class="firstterm">machine account password</em>, which is a password
-used specifically by another server to report changes to it. This
-option specifies the number of seconds that Samba should wait before
-attempting to change that password. The timeout period can be changed
-to a single day by specifying the following:</p>
-
-<blockquote><pre class="code">[global]
- machine password timeout = 86400</pre></blockquote>
-
-<a name="samba2-CHP-4-NOTE-119"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If you would like more information on how Windows NT uses domain
-usernames and groups, we recommend Eric <a name="INDEX-178"/>Pearce's
-<em class="citetitle">Windows NT in a Nutshell</em>, published by
-O'Reilly. <a name="INDEX-179"/></p>
-</blockquote>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> When we include
-Windows XP in discussions of Windows NT domains in this book, we are
-referring to Windows XP Professional and not to the Home edition. The
-reason for this is explained in the section on Windows XP later in
-this chapter.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> The entry in
-<em class="filename">/etc/passwd</em> might not be required in future
-Samba versions.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> If you want to follow our example in this
-section, and your network doesn't have any Windows
-systems offering shares, see <a href="ch05.html">Chapter 5</a> for
-directions on how to create one. Make sure you understand how to set
-up shares before continuing with the directions presented
-here!</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> The version of the System Policy
-Editor distributed with Windows 98 is an update of the version
-shipped with Windows 95. Use the version from the Windows 98
-distribution if you can.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This security identifier (SID) is part of
-an access token that allows the PDC to identify and authenticate the
-client.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch05.html b/docs/htmldocs/using_samba/ch05.html
deleted file mode 100644
index 07a65cd08a..0000000000
--- a/docs/htmldocs/using_samba/ch05.html
+++ /dev/null
@@ -1,1779 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 5. Unix Clients</h1>
-
-<p><a name="INDEX-1"/>In <a href="ch03.html">Chapter 3</a> we showed you how to configure Windows systems
-to access shared resources on both Windows and Samba servers. This
-has probably opened up a whole new world of computing for
-you&mdash;one in which you have to run to a Windows system every time
-you want to copy a file between Unix and Windows! In this chapter, we
-will show you the &quot;other
-side&quot;&mdash;how to access SMB shares from your
-favorite Unix system.</p>
-
-<p>You can access SMB resources from Unix in three ways, depending on
-your version of Unix. A program included with the Samba distribution
-called <em class="emphasis">smbclient</em><a name="INDEX-2"/> can be used to connect with a share on
-the network in a manner similar to using <em class="emphasis">ftp</em>
-when transferring files to or from an FTP site.</p>
-
-<p>If your system is running Linux, you can use the
-<a name="INDEX-3"/>smbfs
-filesystem to mount SMB shares right onto your Linux filesystem, just
-as you would mount a disk partition or NFS filesystem. The SMB shares
-can then be accessed and manipulated by all programs running on the
-Linux system: command shells, desktop GUI interfaces, and application
-software.</p>
-
-<p>On some BSD-based systems, including Mac OS X, a pair of utilities
-named <em class="emphasis">smbutil</em> <a name="INDEX-4"/>and <em class="emphasis">mount_smbfs</em>
-<a name="INDEX-5"/>can be used to query SMB servers and
-mount shares.</p>
-
-<p>For other Unix variants,
-<em class="emphasis">smbsh</em><a name="INDEX-6"/> can be run to enable common shell
-commands such as <em class="emphasis">cd</em>, <em class="emphasis">ls</em>,
-<em class="emphasis">mv, wc</em>, and <em class="emphasis">grep</em> to access
-and manipulate files and directories on SMB shares. This effectively
-extends the reach of the Unix shell and utilities beyond the Unix
-filesystem and into the SMB network.</p>
-
-<p>All the Unix clients can access shares offered by either Windows
-systems or Samba servers. We have already shown you how to set up a
-share on a Samba server and could use that as an example to work
-with. But it's much more fun to use the Unix clients
-with shares served by Windows systems. So before we start covering
-the Unix clients in detail, we will take a quick detour and show you
-how to set up file shares on both Windows 95/98/Me and Windows
-NT/2000/XP systems.</p>
-
-
-<div class="sect1"><a name="samba2-CHP-5-SECT-1"/>
-
-<h2 class="head1">Sharing Files on Windows 95/98/Me</h2>
-
-<p>When <a name="INDEX-7"/><a name="INDEX-8"/>sharing files on Windows 95/98/Me, you
-can authenticate users in two different ways.
-<a name="INDEX-9"/><a name="INDEX-10"/>Share-level security is the default
-and is easy to use. However, it is not as secure and can require
-users to type in passwords when connecting to shares. User-level
-security offers a better security model and can be used if you have
-either a Samba or Windows NT/2000 server on your network performing
-user authentication.</p>
-
-<p>To configure the type of access control for your system, open the
-Control Panel, double-click the Network icon, then click the Access
-Control tab. You should see the dialog box shown in <a href="ch05.html#samba2-CHP-5-FIG-1">Figure 5-1</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-5-FIG-1"/><img src="figs/sam2_0501.gif"/></div><h4 class="head4">Figure 5-1. The Access Control tab of the Windows 98 Network Control Panel window</h4>
-
-<p>Click the &quot;Share-level access
-control&quot; or &quot;User-level access
-control&quot; radio button, depending on which you want
-to use. When using user-level access control, you will also need to
-fill in the name of your workgroup or Windows NT domain. Reboot as
-requested.</p>
-
-<p>To share a folder, right-click the folder's icon and
-select Sharing . . . . This will open the Sharing tab of the
-folder's Properties dialog box. Click the
-&quot;Shared As:&quot; radio button, and fill
-in a name for the share (which defaults to the
-folder's name) and a description, which will be
-visible to client users. If you don't want the share
-to be visible in the Network Neighborhood view of other Windows
-clients, pick a name for the share that ends in a dollar sign
-(<tt class="literal">$</tt>).</p>
-
-<p><a href="ch05.html#samba2-CHP-5-FIG-2">Figure 5-2</a> shows what the Sharing tab of the
-folder's Properties dialog box will look like when
-using share-level security. The security settings are very simple.
-You can select a radio button for read-only access or full
-(read/write) access, or have the user's permissions
-(either read-only or read/write) depend on which password they use.
-In accordance with which you select, you will be asked to assign
-either or both of the read-only and full-access passwords for the
-share.</p>
-
-<div class="figure"><a name="samba2-CHP-5-FIG-2"/><img src="figs/sam2_0502.gif"/></div><h4 class="head4">Figure 5-2. The Sharing tab of the folder's Properties dialog, with share-level security</h4>
-
-<p>If your system is configured with user-level security, the Sharing
-tab of the folder's Properties dialog box will look
-like <a href="ch05.html#samba2-CHP-5-FIG-3">Figure 5-3</a>. As you can see,
-we've created a share named
-&quot;DATA&quot;, and used the Add . . .
-button to create permissions that allow read-only access for all
-domain users and read/write (full access) for <tt class="literal">jay</tt>.</p>
-
-<div class="figure"><a name="samba2-CHP-5-FIG-3"/><img src="figs/sam2_0503.gif"/></div><h4 class="head4">Figure 5-3. The Sharing tab of the folder Properties dialog, with user-level security</h4>
-
-<p>When you are done specifying your settings for the share, click on
-the OK button, and the share will become available to users on
-network clients. Unless you chose a share name ending in a dollar
-sign, you can see it in the Network Neighborhood or My Network Places
-of Windows clients on the network. You can also now use the Unix
-clients described in this chapter to connect to the share.</p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-5-SECT-2"/>
-
-<h2 class="head1">Sharing Files on Windows NT/2000/XP</h2>
-
-<p>To create a file share on <a name="INDEX-11"/><a name="INDEX-12"/><a name="INDEX-13"/><a name="INDEX-14"/>Windows NT/2000/XP, you first must
-log in to the system as any member of the Administrators, Power
-Users, or Server Operators groups. Right-click the icon of a folder
-you wish to share, and click Sharing . . . in the pop-up menu. The
-Sharing tab of the folder's Properties dialog box
-will appear, as shown in <a href="ch05.html#samba2-CHP-5-FIG-4">Figure 5-4</a>. Click the
-&quot;Share this folder&quot; radio button.</p>
-
-<div class="figure"><a name="samba2-CHP-5-FIG-4"/><img src="figs/sam2_0504.gif"/></div><h4 class="head4">Figure 5-4. The Sharing tab of the folder's Properties dialog on Windows 2000</h4>
-
-<p>Share name: will default to the name of the folder, and you can
-change it if you want. One reason you might want to use a different
-name for the share is to make the share not appear in browse lists
-(as displayed by the Network Neighborhood, for example). This can be
-done by using a share name ending in a dollar sign
-(<tt class="literal">$</tt>). You can also add a description of the share
-in the Comment: text area. The description will appear to users of
-network clients and can help them understand the contents of the
-share.</p>
-
-<p><a name="INDEX-15"/><a name="INDEX-16"/><a name="INDEX-17"/><a name="INDEX-18"/><a name="INDEX-19"/>By clicking the Permissions button,
-you can set permissions for the share on a user-by-user basis. This
-is equivalent to the user-level security of Windows 95/98/Me file
-sharing. On Windows NT/2000/XP, Microsoft recommends that share
-permissions be set to allow full access by everyone, with the
-permissions controlled on a file-by-file basis using filesystem
-access control lists
-(<a name="INDEX-20"/>ACLs). The actual permissions given
-to network clients are a combination of the share permissions and
-file access permissions. To edit the ACL for the folder, click the
-Security tab. For more information on ACLs, see <a href="ch08.html#samba2-CHP-8-SECT-3">Section 8.3</a> in <a href="ch08.html">Chapter 8</a>.</p>
-
-<p>If you want, you can limit the number of users who can concurrently
-connect to the share using the &quot;User
-limit:&quot; radio button. The New Share button allows
-you to create multiple file shares for the same folder, each having
-its own name, comment, user limit, and other parameters.</p>
-
-<p>When you are done, click the OK button, and the folder will be
-accessible from clients on the network.</p>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-5-SECT-3"/>
-
-<h2 class="head1">smbclient</h2>
-
-<p>The Samba Team supplies <em class="emphasis">smbclient</em><a name="INDEX-21"/> as a basic part of the Samba suite. At
-first, it might seem to be a primitive interface to the SMB network,
-but <em class="emphasis">smbclient</em> is actually a versatile tool. It
-can be used for browsing shares on servers, testing configurations,
-debugging, accessing shared printers, backing up shared data, and
-automating administrative tasks in shell scripts. And unlike
-<tt class="literal">smbfs</tt><a name="INDEX-22"/><a name="INDEX-23"/><a name="INDEX-24"/> and <em class="emphasis">smbsh</em>,
-<em class="emphasis">smbclient</em> works on all Unix variants that
-support Samba.</p>
-
-<p>In this chapter we'll focus mostly on running
-<em class="emphasis">smbclient</em> as an interactive shell, using its
-<em class="emphasis">ftp</em>-like commands to access shared directories
-on the network. Using <em class="emphasis">smbclient</em> to access
-printers and perform backups will be covered in <a href="ch10.html">Chapter 10</a>.</p>
-
-<p>A complete reference to <em class="emphasis">smbclient</em> is found in
-<a href="appc.html">Appendix C</a>.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-3.1"/>
-
-<h3 class="head2">Listing Services</h3>
-
-<p><a name="INDEX-25"/>The <em class="emphasis">-L</em> option
-can be used with <em class="emphasis">smbclient</em> to list the resources
-on a single computer. Assuming the Samba server is configured to take
-the role of the master browser, we can obtain a list of the computers
-in the domain or workgroup like this:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L toltec</b></tt>
-added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
-Password:
-Domain=[METRAN] OS=[Unix] Server=[Samba 2.2.5]
-
- Sharename Type Comment
- --------- ---- -------
- test Disk For testing only, please
- IPC$ IPC IPC Service (Samba 2.2.5)
- ADMIN$ Disk IPC Service (Samba 2.2.5)
-
- Server Comment
- --------- -------
- MAYA Windows 98
- MIXTEC Samba 2.2.5
- TOLTEC Samba 2.2.5
- ZAPOTEC
-
- Workgroup Master
- --------- -------
- METRAN TOLTEC</pre></blockquote>
-
-<p>In the column labeled &quot;Server&quot;,
-<tt class="literal">maya</tt>, <tt class="literal">mixtec</tt>, and
-<tt class="literal">zapotec</tt> are shown along with toltec, the Samba
-server. The services on <tt class="literal">toltec</tt> are listed under
-&quot;Sharename&quot;. The IPC$ and ADMIN$
-shares are standard Windows services that are used for network
-communication and administrative purposes, and
-<em class="filename">test</em> is the directory we added as a share in
-<a href="ch02.html">Chapter 2</a>.</p>
-
-<p>Now that we know the names of computers in the domain, we can list
-services on any of those computers. For example, here is how we would
-list the services offered by <tt class="literal">maya</tt>, a Windows 98
-workstation:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L maya</b></tt>
-added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
-Password:
-
-
- Sharename Type Comment
- --------- ---- -------
- PRINTER$ Disk
- HP Printer HP 932C on Maya
- D Disk D: on Maya
- E Disk E: on Maya
-
- ADMIN$ Disk
- IPC$ IPC Remote Inter Process Communication
-
- Server Comment
- --------- -------
-
- Workgroup Master
- --------- -------</pre></blockquote>
-
-<p>A shared printer is attached to <tt class="literal">maya</tt>, so we see
-the PRINTER$ administrative service, along with the HP share for the
-printer itself. Also on <tt class="literal">maya</tt> are the D and E
-shares, which allow access across the network to
-<tt class="literal">maya</tt>'s D: and E: drives. It is
-normal for the Server and Workgroup sections to be empty when listing
-services on a Windows client.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-3.2"/>
-
-<h3 class="head2">Authenticating with smbclient</h3>
-
-<p><a name="INDEX-26"/>As with any other SMB client,
-<em class="emphasis">smbclient</em> needs to supply a username and
-password if it is authenticating in a domain environment or if it is
-contacting a Samba server that is set up with user-level security. In
-a workgroup environment, it will at least need a password to use when
-connecting with a password-protected resource.</p>
-
-<p>By default, <em class="emphasis">smbclient</em> uses the username of the
-user who runs it and then prompts for a password. If you are using
-<em class="emphasis">smbclient</em> a lot, you might tire of entering your
-password every time.</p>
-
-<p><em class="emphasis">smbclient</em> supports some alternate methods of
-entering a username and password. The password can be entered on the
-command line, like this:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e jayspassword</b></tt></pre></blockquote>
-
-<p>Or both the username and password can be supplied by using the
-<em class="emphasis">-U</em> option, including the username and password
-separated by a percent (<tt class="literal">%</tt>) character:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e -U kelly%kellyspassword</b></tt></pre></blockquote>
-
-<p>This method is useful if you are logged in to the system under an
-account that is not Samba-enabled or you are testing your
-configuration to see how it treats another user. With either method,
-you can avoid having to enter the username and/or password each time
-you run <em class="emphasis">smbclient</em> by creating an alias for the
-command or creating a shell function or shell script. For example,
-with the <em class="emphasis">bash</em> shell, it is possible to define a
-function like this:</p>
-
-<blockquote><pre class="code">smbcl( )
-{
- smbclient $* -U jay%jayspassword
-}</pre></blockquote>
-
-<p>Adding the definition to the shell's startup script
-(which would be <em class="filename">~/.bash_profile</em> for
-<em class="emphasis">bash</em>) would result in the definition affecting
-all subsequent shell invocations.</p>
-
-<p>Another method that can be used to supply both the username and
-password is to set the USER and <a name="INDEX-27"/><a name="INDEX-28"/>PASSWD environment variables. Either
-set the USER environment variable using the
-<em class="replaceable">username</em>%<em class="replaceable">password</em>
-format, or set the USER environment variable to the username, and set
-PASSWD to the user's password.</p>
-
-<p>It is also possible to create a credentials file containing the
-username on the first line and the password on the second line, like
-this:</p>
-
-<blockquote><pre class="code">username = jay
-password = jayspassword</pre></blockquote>
-
-<p>Then, <em class="emphasis">smbclient</em> is run using the
-<em class="emphasis">-A</em> option to specify the name of the file:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e -A ~/.smbpw</b></tt></pre></blockquote>
-
-<a name="samba2-CHP-5-NOTE-120"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
-<p>Of the methods we described in this section, the only one that is
-really secure is the default method of allowing
-<em class="emphasis">smbclient</em><a name="INDEX-29"/> to
-prompt for the password and typing in the password without echoing.</p>
-
-<p>If security is a concern, you definitely should avoid providing your
-password on the command line because it is very easy for
-&quot;shoulder surfers&quot; to obtain, as
-well as anyone who looks through your shell's
-command history.</p>
-
-<p>If you keep your Samba password in a credentials file, shell startup
-file, or shell script, make sure the file's
-permissions prohibit other users from reading or writing it. (Use an
-octal permissions mode of 0600.) Security experts never keep
-passwords in files owned by nonroot users or accessible by anyone
-other than the superuser. As part of their security policy, some
-organizations do not permit passwords to be stored in files, so you
-might want to check first before using this method.</p>
-
-<p>The authentication method that uses the USER and PASSWD environment
-variables isn't any more secure. Environment
-variables are usually set either on the command line or in one or
-more of the shell's startup files, so this method
-suffers from the same weaknesses we've just
-discussed. In addition, any program run by the user has access to the
-shell's environment variables, making a Trojan horse
-attack on the PASSWD variable really easy!</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-3.3"/>
-
-<h3 class="head2">An Interactive smbclient Session</h3>
-
-<p><a name="INDEX-30"/>A common use for
-<em class="emphasis">smbclient</em> is to use it as an
-<em class="emphasis">ftp</em>-like shell to access SMB resources on the
-network. To begin a session, <em class="emphasis">smbclient</em> must be
-provided with the UNC of a resource (which you can find using the
-<em class="emphasis">-L</em> option) on the command line, like this:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e</b></tt>
-added interface ip=172.16.1.3 bcast=172.16.1.255 nmask=255.255.255.0
-Password:
-smb: \&gt;</pre></blockquote>
-
-<p>Forward slashes are accepted by <em class="emphasis">smbclient</em> for
-the share's UNC, which makes entering the UNC on the
-command line easier. Backslashes can also be used, but they must be
-quoted or escaped, and it is somewhat more difficult to type
-'<tt class="literal">\\maya\e</tt>' or <tt class="literal">\\\\maya\\e</tt>.
-After connecting to the share, <em class="emphasis">smbclient</em>
-displays the <tt class="literal">smb: \&gt;</tt> prompt, waiting for a
-command to be entered. Commands are similar to those with which you
-might be familiar in <em class="emphasis">ftp</em> and are also somewhat
-similar to Unix shell commands. To get a list of
-<em class="emphasis">smbclient</em><a name="INDEX-31"/> commands, use the
-<em class="emphasis">help</em> command:</p>
-
-<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>help</b></tt>
-ls dir du lcd cd
-pwd get mget put mput
-rename more mask del open
-rm mkdir md rmdir rd
-prompt recurse translate lowercase print
-printmode queue cancel quit q
-exit newer archive tar blocksize
-tarmode setmode help ? history
-!</pre></blockquote>
-
-<p>Some commands in the previous list are synonyms for other commands.
-For example, the <em class="emphasis">?</em> command is a synonym for
-<em class="emphasis">help</em>. You can give this command the name of
-another command as an argument to get a concise reminder of what the
-command does and how to use it:</p>
-
-<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>? ls</b></tt>
-HELP ls:
- &lt;mask&gt; list the contents of the current directory</pre></blockquote>
-
-<p>The term <tt class="literal">&lt;mask&gt;</tt> refers to a file-matching
-pattern as commonly found in Unix shells and utilities. For example:</p>
-
-<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>ls *doc</b></tt>
- ms-ProfPol-wp.doc A 131 Tue Dec 18 09:12:34 2002
- smbclient.doc A 33969 Mon Dec 10 20:22:24 2002
- smbmount.doc A 7759 Mon Dec 10 20:20:00 2002
-
- 48590 blocks of size 524288. 40443 blocks available</pre></blockquote>
-
-<p>lists all files ending in &quot;doc&quot; in
-the current directory on the remote system. In the listing, the
-leftmost column shows the filename. Moving left to right, we see the
-file's MS-DOS attributes, then its size, and the
-time it was last modified.</p>
-
-<p>As with any other Unix utility, <em class="emphasis">smbclient</em> has a
-working directory on the local host. It also has another current
-directory on the remote SMB share. With
-<em class="citetitle">smbclient</em>, the <em class="emphasis">cd</em> command
-is used to move around on the remote system:</p>
-
-<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>cd trans </b></tt>
-smb: \trans\&gt;</pre></blockquote>
-
-<p>Notice how the prompt changes to reflect the new current working
-directory. To change your current directory on the local system, use
-the <em class="emphasis">lcd</em> command:</p>
-
-<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>lcd /u/snd</b></tt>
-the local directory is now /u/snd</pre></blockquote>
-
-<p>Most of <em class="emphasis">smbclient</em>'s commands
-are for performing operations on remote files and directories. There
-is no command for listing the contents of the local directory.
-However, <em class="emphasis">smbclient</em> allows a shell escape. Any
-command preceded by an exclamation point (<tt class="literal">!</tt>) is
-interpreted as a shell command and is run in a subshell on the local
-system. For example:</p>
-
-<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>! ls -l</b></tt>
-total 16
-drwxrwxr-x 2 jay jay 4096 Jan 10 14:46 dr220-fet
-drwxrwxr-x 2 jay jay 4096 Sep 22 12:16 dr220-tube
--rw-rw-r-- 1 jay jay 131 Jan 10 02:22 readme.txt
-drwxrwxr-x 7 jay jay 4096 Jan 10 02:19 xl1</pre></blockquote>
-
-<p>lists the contents of <em class="filename">/u/snd</em>. By using
-<em class="emphasis">smbclient</em>'s commands to operate
-on the remote system&mdash;and shell-escaped commands to operate on
-the local system&mdash;it is possible to manipulate data on both
-systems without having to exit <em class="emphasis">smbclient</em> or open
-another shell window.</p>
-
-<p><a name="INDEX-32"/><a name="INDEX-33"/>File transfer is performed using
-the <em class="emphasis">get</em> and
-<em class="emphasis">put</em><a name="INDEX-34"/><a name="INDEX-35"/> commands. The <em class="emphasis">get</em>
-command transfers a single file from the remote to the local system,
-and the <em class="emphasis">put</em> command copies a file from the local
-to the remote system. For example, the following command copies the
-file <em class="filename">readme.txt</em> to the SMB share:</p>
-
-<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>put readme.txt</b></tt>
-putting file readme.txt as \trans\readme.txt (127.9 kb/s) (average 10.7 kb/s)</pre></blockquote>
-
-<a name="samba2-CHP-5-NOTE-121"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
-<p>Unlike <em class="emphasis">ftp</em>, <em class="emphasis">smbclient</em> does
-not have <em class="emphasis">ascii</em> and <em class="emphasis">binary</em>
-commands to set the type of the file that is being transferred.
-Before transferring a text file from a Unix system to a Windows or
-Macintosh system, you might want to use the GNU
-<em class="emphasis">unix2dos</em><a name="INDEX-36"/> command to reformat newlines in the
-file to work with the carriage return linefeed (CRLF) standard:</p>
-
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>unix2dos text_file &gt;text_file.txt</b></tt></pre></blockquote>
-
-
-<p>and then transfer the CRLF-formatted version. After transferring a
-text file from a Windows or Macintosh system to Unix, you can use the
-GNU <em class="emphasis">dos2unix</em><a name="INDEX-37"/> command to perform the inverse
-operation:</p>
-
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>dos2unix text_file.txt &gt;text_file</b></tt></pre></blockquote>
-</blockquote>
-
-<p>To transfer more than one file with a single command, you can use the
-<em class="emphasis">mget</em><a name="INDEX-38"/><a name="INDEX-39"/> and <em class="emphasis">mput</em> commands,
-which accept a list of filenames in the command line. The list can be
-provided by typing in the filenames on the command line separated by
-spaces, or the group of files can be specified with a pattern as one
-would use in Unix shell commands. The command:</p>
-
-<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>mget plain/*</b></tt></pre></blockquote>
-
-<p>copies all the files in the directory <em class="filename">plain</em> on
-the SMB share to the current directory on the local system. By
-default, <em class="emphasis">smbclient</em> prompts for each file, asking
-if you want to copy it:</p>
-
-<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>mget plain/*</b></tt>
-Get file tomm.wav? n
-Get file toml.wav? n
-Get file tomh.wav? n
-Get file snare.wav? n
-Get file rim.wav? n
-Get file handclap.wav? n
-Get file bassdrum.wav? n</pre></blockquote>
-
-<p>If you are sure you want to copy all the files, you can turn off
-prompting with the <em class="emphasis">prompt</em> command, like this:</p>
-
-<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>prompt</b></tt>
-prompting is now off</pre></blockquote>
-
-<p>By default, if you specify the name of a directory,
-<em class="emphasis">smbclient</em> will not copy the contents of the
-directory. To transfer the entire contents of directories listed in
-the <em class="emphasis">mput</em> or <em class="emphasis">mget</em> command,
-you must first use the <em class="emphasis">recurse</em> command:</p>
-
-<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>recurse</b></tt>
-directory recursion is now on</pre></blockquote>
-
-<p>After setting things up with the
-<em class="emphasis">prompt</em><a name="INDEX-40"/><a name="INDEX-41"/> and <em class="emphasis">recurse</em>
-commands, we can copy a directory like this:</p>
-
-<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>mget acc</b></tt>
-getting file tomm.wav of size 55494 as tomm.wav (2580.6 kb/s) (average 2087.3 kb/s)
-getting file toml.wav of size 57220 as toml.wav (2660.9 kb/s) (average 2167.6 kb/s)
-getting file tomh.wav of size 55936 as tomh.wav (2601.2 kb/s) (average 2220.8 kb/s)
-getting file snare.wav of size 22132 as snare.wav (1200.7 kb/s) (average 2123.7 kb/s)
-getting file rim.wav of size 8314 as rim.wav (1623.8 kb/s) (average 2110.8 kb/s)
-getting file handclap.wav of size 14180 as handclap.wav (1978.2 kb/s) (average 2106.2
-kb/s)
-getting file bassdrum.wav of size 6950 as bassdrum.wav (2262.3 kb/s) (average 2108.5
-kb/s)</pre></blockquote>
-
-<p><a name="INDEX-42"/>Directory recursion applies to all
-commands, so if an <em class="emphasis">ls</em> command is used while
-directory recursion is on, all files in the directory tree are
-listed. To turn directory recursion off again, simply re-enter the
-command. At the same time, you might also wish to toggle prompting
-back to its initial state:</p>
-
-<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>recurse</b></tt>
-directory recursion is now off
-smb: \trans\&gt; <tt class="userinput"><b>prompt</b></tt>
-prompting is now on</pre></blockquote>
-
-<p>There are other <em class="emphasis">smbclient</em> commands that you
-might find useful. The <em class="emphasis">mkdir</em> command can be used
-to create a directory; <em class="emphasis">rmdir</em> removes a
-directory; <em class="emphasis">rm</em> deletes a file; and
-<em class="emphasis">rename</em> changes a file's name.
-These behave very similarly to their Unix shell counterparts. <a href="appc.html">Appendix C</a> contains a complete reference to
-<em class="emphasis">smbclient</em> and its command set.</p>
-
-<p>To exit <em class="emphasis">smbclient</em>, use the
-<em class="emphasis">exit</em> or <em class="emphasis">quit</em> command:</p>
-
-<a name="INDEX-43"/><blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>quit </b></tt></pre></blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-3.4"/>
-
-<h3 class="head2">Programming with smbclient</h3>
-
-<p><a name="INDEX-44"/>The <em class="emphasis">-c</em> option
-<em class="emphasis">of smbclient</em> allows a list of commands to be
-passed on the command line. To copy the file
-<em class="filename">\\maya\e\trans\readme.txt</em> to
-<em class="filename">/u/snd/readme.txt</em>, we might use the command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e -c &quot;lcd /u/snd; cd trans; get readme.txt&quot; -A ~/.smbpw</b></tt></pre></blockquote>
-
-<p>Everything that <em class="emphasis">smbclient</em> needs to know to
-perform the operation has been specified in the command. There is no
-interactive session, so a command such as this can be placed inside a
-shell script or a program in some other programming language.</p>
-
-<p>By using <em class="emphasis">smbclient</em> in this manner, it is
-possible to create customized commands using shell functions, scripts
-or aliases. For example, suppose we wanted a command to print a short
-listing of files in a shared directory, showing just the names of the
-files. Using a <em class="emphasis">bash</em> function, we could define a
-command <em class="emphasis">smbls</em> as follows:</p>
-
-<blockquote><pre class="code">smbls( )
-{
- share=`echo $1 | cut -d '/' -f '1-4'`
- dir=`echo $1 | cut -d '/' -f '5-'`
- smbclient $share -c &quot;cd $dir; ls&quot; -A ~/.smbpw | \
- grep &quot;^ &quot; | cut -d ' ' -f 3 - | sort
-}</pre></blockquote>
-
-<p>After defining this function, we can use <em class="emphasis">smbls</em>
-like this:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbls //maya/e</b></tt>
-CD-images
-lectures
-ms-ProfPol-wp.doc
-profile-map
-readme.txt
-RECYCLED
-smbclient.doc
-smbmount.doc
-smbsh.txt
-trans
-$ <tt class="userinput"><b>smbls //maya/e/lectures</b></tt>
-.
-..
-lecture1.mp3
-lecture2.mp3
-lecture3.mp3
-lecture4.mp3
-lecture5.mp3
-lecture6.mp3
-lecture7.mp3
-lecture8.mp3
-lecture9.mp3</pre></blockquote>
-
-<p>Another use for <em class="emphasis">smbclient</em> in scripts is
-performing administrative tasks. Suppose a group of users on Windows
-clients are sharing a set of files as part of a project on which they
-are working. Instead of expecting them to coordinate making daily
-backups, we could write a script that copies the share to the Samba
-server and run the script nightly as a cron job. The directory on the
-Samba server could be shared as well, allowing any of the users to
-retrieve a backup file on their own, without having to bother an
-administrator.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-3.5"/>
-
-<h3 class="head2">Backups with smbclient</h3>
-
-<p>A major use of <em class="emphasis">smbclient</em><a name="INDEX-45"/><a name="INDEX-46"/> is to create and restore backups of
-SMB file shares. The backup files <em class="emphasis">smbclient</em>
-writes are in tar format, making them easy to work with and portable
-among all Unix versions. Using <em class="emphasis">smbclient</em> on a
-Unix server to run network backups can result in a more centralized
-and easily managed solution for providing data integrity because both
-SMB shares and NFS filesystems can be backed up on the same system.</p>
-
-<p>You can use <em class="emphasis">smbclient</em> to perform backups in two
-ways. When backing up an entire share, the simplest method is to use
-the <em class="emphasis">-Tc</em> option on the command line:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e -A samba-domain-pw -Tc &gt;maya-e.tar</b></tt></pre></blockquote>
-
-<p>This will create a tar archive of the <em class="filename">\\maya\e</em>
-share in the file <em class="filename">maya-e.tar</em>. By using the
-<em class="emphasis">-D</em> option, it is possible to back up a directory
-in the share, rather than the whole share:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e -A samba-domain-pw -D trans -Tc &gt;maya-e.tar</b></tt></pre></blockquote>
-
-<p>This causes <em class="emphasis">smbclient</em> to change its working
-directory to the <em class="filename">trans</em> directory of the
-<em class="filename">\\maya\e</em> share before starting the backup. It is
-also possible to use
-<em class="emphasis">smbclient</em>'s
-<em class="emphasis">tar</em> command in interactive mode, like this:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e </b></tt>
-added interface ip=172.16.1.3 bcast=172.16.1.255 nmask=255.255.255.0
-Password:
-smb: \&gt; <tt class="userinput"><b>cd trans</b></tt>
-smb: \trans\&gt; <tt class="userinput"><b>tarmode full hidden system quiet</b></tt>
-smb: \trans\&gt; <tt class="userinput"><b>tar c maya-e-trans.tar</b></tt></pre></blockquote>
-
-<p>With the previous code, only the <em class="emphasis">trans</em>
-subdirectory in the <em class="emphasis">\\maya\e</em> share will be
-backed up, using the settings specified in the
-<em class="emphasis">tarmode</em> command. To have this type of backup run
-automatically from a script, use the <em class="emphasis">-c</em> option:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e -A samba-domain-pw -c &quot;cd trans; tarmode full hidden \</b></tt>
-<tt class="userinput"><b> system quiet; tar &gt;maya-e-trans.tar&quot;</b></tt></pre></blockquote>
-
-<p>Using either the <em class="emphasis">-T</em> command-line option or
-<em class="emphasis">smbclient</em>'s
-<em class="emphasis">tar</em> command, additional options can be supplied.
-It is necessary to specify either the <em class="emphasis">c</em> option
-to create a backup archive or the <em class="emphasis">x</em> option to
-extract (restore) one.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> </p>
-
-<p>The other options can be appended to the option string
-and are explained in the section on <em class="emphasis">smbclient</em> in
-<a href="appc.html">Appendix C</a>. They allow you to create incremental
-backups, specify which files to include or exclude from the backup,
-and specify a few other miscellaneous settings. For example, suppose
-we wish to create an incremental backup of a share and reset the
-archive bit on the files to set things up for the next incremental
-backup. Instead of using the interactive commands:</p>
-
-<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>tarmode inc reset quiet</b></tt>
-smb: \&gt; <tt class="userinput"><b>tar c backup.tar</b></tt></pre></blockquote>
-
-<p>we could either use the interactive command:</p>
-
-<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>tar cgaq backup.tar</b></tt></pre></blockquote>
-
-<p>or specify the <em class="emphasis">-Tcgaq</em> option on the
-<em class="emphasis">smbclient</em> command line.</p>
-
-<p>Your best strategy for using <em class="emphasis">smbclient</em> for
-network backups depends on your local configuration. If you have only
-a few Windows systems sharing a small amount of data, you might
-create a script containing <em class="emphasis">smbclient -Tc</em>
-commands to back up each share to a separate tar file, placing the
-files in a directory that is included with regular backups of the
-Unix system. If you have huge SMB shares on your network, you might
-prefer to write the backup directly to a tape drive. You can do this
-with <em class="emphasis">smbclient</em> just as you would with a Unix
-<em class="emphasis">tar</em> command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/d -A samba-domain-pw -Tc &gt;/dev/tape</b></tt></pre></blockquote>
-
-<p>After you have become more familiar with
-<em class="emphasis">smbclient</em> and have an automated backup system in
-place, you might find that using Samba has dramatically decreased
-your anxiety regarding the integrity of your
-network's data. The authors of this book are
-experienced Unix system administrators, and we highly recommend
-having a backup strategy that has been carefully planned,
-implemented, and most importantly, <em class="emphasis">tested and known to work
-as it is supposed to</em>.</p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-5-SECT-4"/>
-
-<h2 class="head1">smbfs</h2>
-
-<p>On Linux, the <a name="INDEX-47"/>smbfs filesystem can be used to mount
-SMB shares onto the Linux filesystem in a manner similar to mounting
-disk partitions on NFS filesystems. The result is so transparent that
-users on the Linux system might never be aware that they are
-accessing files through a Windows or Samba server. Files and
-directories appear as any other files or directories on the local
-Linux system, although there are a few differences in behavior
-relating to ownership and permissions.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a></p>
-
-<p>Although smbfs is based on the Samba code, it is not itself part of
-the Samba distribution. Instead, it is included with Linux as a
-standard part of the Linux filesystem support.</p>
-
-<p>The <em class="emphasis">smbmount</em> and
-<em class="emphasis">smbmnt</em><a name="INDEX-48"/> programs are part of the Samba
-distribution and are needed on the client to mount smbfs filesystems.
-Samba must be compiled with the <tt class="literal">--with-smbmount</tt>
-configure option to make sure these programs are compiled. They refer
-to <em class="filename">smb.conf</em> for information they need regarding
-the local system and network configuration, so you will need a
-working <em class="filename">smb.conf</em><a name="INDEX-49"/><a name="INDEX-50"/>
-file on the system, even if it is not acting as a Samba server.
- <a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/></p>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-4.1"/>
-
-<h3 class="head2">Mounting an smbfs Filesystem</h3>
-
-<p>The <em class="emphasis">smbmount</em><a name="INDEX-54"/> command is used to mount an smbfs
-filesystem into the Linux filesystem. The basic usage is:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbmount </b></tt><em class="replaceable">Share-UNC mount-point</em><tt class="userinput"><b> -o </b></tt><em class="replaceable">options</em></pre></blockquote>
-
-<p>Replace <em class="replaceable">Share-UNC</em> with the UNC for the SMB
-share, and <em class="replaceable">mount-point</em> with the full path
-to the directory in the Linux filesystem to use as the mount point.
-The <em class="replaceable">options</em> argument is used to set the
-exact manner in which the share is mounted. Let's
-look at an example of a <em class="emphasis">smbmount</em> command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbmount //maya/e /smb/e \</b></tt>
-<tt class="userinput"><b> -o &quot;credentials=/home/jay/.smbpw,uid=jay,gid=jay,fmask=664,dmask=775&quot;</b></tt></pre></blockquote>
-
-<p>Here we are mounting share <em class="filename">\\maya\e</em> from a
-Windows 98 system on the mount point <em class="filename">/smb/e</em> on
-the Linux system.</p>
-
-<a name="samba2-CHP-5-NOTE-122"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
-<p>If your Linux kernel doesn't include smbfs support,
-you will get the error message:</p>
-
-<blockquote><pre class="code">ERROR: smbfs filesystem not supported by the kernel</pre></blockquote>
-
-
-<p>In this case, you must configure and compile a new kernel to include
-support for smbfs. When smbfs is installed, and an SMB share is
-mounted, you can run the command:</p>
-
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>cat /proc/filesystems</b></tt></pre></blockquote>
-
-<p>and see a line that looks like:</p>
-
-<blockquote><pre class="code">nodev smbfs</pre></blockquote>
-
-
-<p>in the command's output.</p>
-</blockquote>
-
-<p>The mount point must exist before <em class="emphasis">smbmount</em> is
-run and can be created using the <em class="emphasis">mkdir</em> command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /smb/e</b></tt></pre></blockquote>
-
-<p>The argument to the <em class="emphasis">-o</em> option might look a
-little complex. It is a comma-separated list of
-<em class="replaceable">key</em><tt class="literal">=</tt><em class="replaceable">value</em>
-pairs. The <tt class="literal">credentials</tt> key is set to the name of
-the credentials file, which is used to give
-<em class="emphasis">smbmount</em> a valid username and password with
-which to authenticate while connecting to the share. The format is
-identical to that used by <em class="emphasis">smbclient</em> (as
-explained in the previous section), so you can use the same
-credentials file for both clients. If you want, you can use the
-<em class="replaceable">key</em>=<em class="replaceable">value</em> pair
-<tt class="literal">username</tt>=<em class="replaceable">name</em>%<em class="replaceable">password</em>
-to specify the username and password directly in the
-<em class="emphasis">smbmount</em> command, although this is considerably
-less secure.</p>
-
-<a name="samba2-CHP-5-NOTE-123"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>The <em class="emphasis">smbmount</em> command accepts the same
-authentication methods as <em class="emphasis">smbclient</em>. The
-comments in the section on <em class="emphasis">smbclient</em> regarding
-supplying passwords on the command line&mdash;and keeping passwords
-in files and environment variables&mdash;also apply here.</p>
-</blockquote>
-
-<p>The rest of the options tell <em class="emphasis">smbmount</em> how to
-translate between the SMB filesystem and the Unix filesystem, which
-differ in their handling of ownership and permissions. The
-<em class="emphasis">uid</em> and <em class="emphasis">gid</em> options specify
-the owner and group to be assigned to all directories and files in
-the mounted share.</p>
-
-<p>The <em class="emphasis">fmask</em><a name="INDEX-55"/> and
-<em class="emphasis">dmask</em><a name="INDEX-56"/> options specify
-<a name="INDEX-57"/>bitmasks for
-permissions of files and directories, respectively. These bitmasks
-are logically ANDed with whatever permissions are granted by the
-server to create the effective permissions on the client Unix system.
-On the server side, the permissions granted depend on the
-server's operating system. For a Windows 95/98/Me
-server using share-mode security, the MS-DOS read-only attribute can
-be set on individual files and directories and combined with the Full
-Access or Read Only permissions on the share as a whole. In
-user-level security mode, Windows 95/98/Me can have ACL-like
-permissions applied to the entire share, as discussed in <a href="ch04.html">Chapter 4</a>. Windows NT/2000/XP support ACLs on individual
-files and directories, with Full Control, Change, or Read permissions
-that can be applied to the entire share. If the server is a Samba
-server, the permissions are whatever is defined by the Samba share
-and the local Unix system for the individual files and directories.
-In every case, the permissions applied to the share act to further
-limit access, beyond what is specified for the individual files and
-directories.</p>
-
-<a name="samba2-CHP-5-NOTE-124"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>You might think that the <em class="emphasis">fmask</em> and
-<em class="emphasis">dmask</em> permission masks can be used only to
-reduce the effective permissions on files and directories, but this
-is not always the case. For example, suppose that a file is being
-shared by a Windows 95/98/Me server using share-mode security and
-that some number of users have been given the Full Access password
-for the share. If the share is mounted with
-<em class="emphasis">smbmount</em> using an <em class="emphasis">fmask</em> of
-666, read/write permissions are granted on the Unix system not only
-for the owner, but for everyone else on the Unix system as well!</p>
-</blockquote>
-
-<p>After mounting the <em class="filename">\\maya\d</em> share to
-<em class="filename">/smb/e</em>, here is what the contents of
-<em class="filename">/smb/e</em> look like:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>cd /smb/e ; ls -l</b></tt>
-total 47
-drwxrwxr-x 1 jay jay 512 Jan 8 20:21 CD-images
-drwxrwxr-x 1 jay jay 512 Jan 6 21:50 lectures
--rw-rw-r-- 1 jay jay 131 Dec 18 09:12 ms-ProfPol-wp.doc
--rw-rw-r-- 1 jay jay 59 Dec 18 09:12 profile-map
--rw-rw-r-- 1 jay jay 131 Jan 15 05:01 readme.txt
-drwxrwxr-x 1 jay jay 512 Feb 4 2002 RECYCLED
--rw-rw-r-- 1 jay jay 33969 Dec 10 20:22 smbclient.doc
--rw-rw-r-- 1 jay jay 7759 Dec 10 20:20 smbmount.doc
--rw-rw-r-- 1 jay jay 1914 Dec 10 20:17 smbsh.txt
-drwxrwxr-x 1 jay jay 512 Jan 10 03:54 trans</pre></blockquote>
-
-<p>For the most part, the files and directories contained in the mounted
-smbfs filesystem will work just like any others, except for
-limitations imposed by the nature of SMB networking. For example, not
-even the superuser can perform the operation:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>chown root lectures</b></tt>
-chown: changing ownership of 'lectures': Operation not permitted</pre></blockquote>
-
-<p>because SMB shares do not intrinsically support the idea of
-ownership. Some odd behaviors can result from this. For example, the
-command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>chmod 777 readme.txt</b></tt></pre></blockquote>
-
-<p>does not produce an error message, although nothing has been changed.
-The file <em class="filename">readme.txt</em> still has permissions set to
-664:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>ls -l readme.txt</b></tt>
--rw-rw-r-- 1 jay jay 131 Jan 15 05:01 readme.txt</pre></blockquote>
-
-<p>Aside from little things such as these, the mounted smbfs filesystem
-can be used in conjunction with virtually any application, and you
-might be pleasantly surprised at how nicely it integrates with your
-Linux-based computing environment. You can even create symbolic links
-in the Unix filesystem, pointing to files and directories inside SMB
-shares. However, unless the server is a Samba server that supports
-Unix CIFS extensions, you will not be able to create a symbolic link
-inside the mounted smbfs filesystem.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-4.2"/>
-
-<h3 class="head2">Mounting smbfs Filesystems Automatically</h3>
-
-<p><a name="INDEX-58"/>As with other types of
-filesystems, an smbfs filesystem can be mounted automatically during
-system bootup by creating an entry for it in
-<em class="filename">/etc/fstab</em>. The format for the entry is as
-follows:</p>
-
-<blockquote><pre class="code"><em class="replaceable">Share-UNC mount-point</em> smbfs <em class="replaceable">options</em> 0 0</pre></blockquote>
-
-<p>Replace <em class="replaceable">Share-UNC</em> with the UNC of the
-share (using the forward slash format), and replace
-<em class="replaceable">mount-point</em> with the name of the directory
-in the Linux filesystem on which the share will be mounted. In place
-of <em class="replaceable">options</em>, simply use the string that you
-used with the <em class="emphasis">-o</em> flag in the
-<em class="emphasis">smbmount</em> command.</p>
-
-<p>Once you have found the arguments to use with the
-<em class="emphasis">smbmount</em> command to mount the share the way you
-like it, it is a very simple matter to create the entry for
-<em class="filename">/etc/fstab</em>. The <em class="emphasis">smbmount</em>
-command we used to mount the share <em class="filename">\\maya\e</em> on
-<em class="filename">/smb/e</em> would translate to this
-<em class="filename">/etc/fstab</em> entry:</p>
-
-<blockquote><pre class="code">//maya/e /smb/e smbfs
-credentials=/home/jay/.smbpw,uid=jay,gid=jay,fmask=664,dmask=775 0 0
-
-<i class="lineannotation">(Please note that this should all go on one line.)</i></pre></blockquote>
-<a name="samba2-CHP-5-NOTE-125"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>If you make a mistake in modifying
-<em class="filename">/etc/fstab</em><a name="INDEX-59"/><a name="INDEX-60"/>, your system might not
-reboot properly, and you might be forced to boot into single-user
-mode to fix the problem. Before you edit
-<em class="filename">/etc/fstab</em>, be sure to make a backup copy of it,
-and be prepared to recover your system if anything goes wrong.</p>
-</blockquote>
-
-<p>Once the entry has been added, the system will automatically mount
-the share when booting. Or, the system administrator can manually
-mount or unmount the share with commands such as these:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mount /smb/e</b></tt>
-# <tt class="userinput"><b>umount /smb/e</b></tt></pre></blockquote>
-
-<a name="samba2-CHP-5-NOTE-126"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>It is possible to use <em class="emphasis">mount</em> and
-<em class="emphasis">umount</em> by giving them the UNC for the share
-using forward slashes, as in our <em class="filename">/etc/fstab</em>
-entry. However, be careful about this. A share might be listed more
-than once in <em class="filename">/etc/fstab</em> so that it can be
-mounted at more than one place in the Linux filesystem. If you use
-the UNC to specify the share you wish to mount or unmount, you might
-cause it to be mounted or unmounted at another mount point from the
-one you intended.</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-4.3"/>
-
-<h3 class="head2">Common smbmount Options</h3>
-
-<p><a href="ch05.html#samba2-CHP-5-TABLE-1">Table 5-1</a> lists
-<em class="replaceable">key</em><tt class="literal">=</tt><em class="replaceable">value</em>
-pairs that can be used with the <em class="emphasis">-o</em> option of
-<em class="emphasis">smbmount</em> or in the options field of the
-<em class="filename">/etc/fstab</em> entry for the smbfs filesystem. See
-the <em class="emphasis">smbmount</em> manual page for a complete list of
-options.</p>
-
-<a name="samba2-CHP-5-TABLE-1"/><h4 class="head4">Table 5-1. smbmount options</h4><table border="1">
-
-
-
-
-<tr>
-<th>
-<p>Key</p>
-</th>
-<th>
-<p>Value</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">username</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Provides the username, and optionally the password and workgroup, for
-authentication.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">password</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Provides the share or domain password, if it hasn't
-been supplied by another means.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">credentials</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Name of file containing the username and password.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">uid</tt></p>
-</td>
-<td>
-<p>string or numeric</p>
-</td>
-<td>
-<p>User ID to apply to all files and directories of the mounted share.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">gid</tt></p>
-</td>
-<td>
-<p>string or numeric</p>
-</td>
-<td>
-<p>Group ID to apply to all files and directories of the mounted share.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">fmask</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Permissions to apply to files. Default is based on current umask.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">dmask</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Permissions to apply to directories. Default is based on current
-umask.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">debug</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Debug level.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">workgroup</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Name of workgroup of remote server.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">guest</tt></p>
-</td>
-<td>
-<p>(none)</p>
-</td>
-<td>
-<p>Suppresses password prompt.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">ro</tt></p>
-</td>
-<td>
-<p>(none)</p>
-</td>
-<td>
-<p>Mount read-only.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">rw</tt></p>
-</td>
-<td>
-<p>(none)</p>
-</td>
-<td>
-<p>Mount read/write. This is the default.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">ttl</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Amount of time to cache the contents of directories. Defaults to 1000
-ms <a name="INDEX-62"/>.</p>
-</td>
-</tr>
-
-</table>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-5-SECT-5"/>
-
-<h2 class="head1">smbsh</h2>
-
-<p>The <em class="emphasis">smbsh</em><a name="INDEX-63"/> program is part of the Samba suite and
-works on some, but not all, Unix variants.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> Effectively, it adds a wrapper around the
-user's command shell, enabling it and common Unix
-utilities to work on files and directories in SMB shares, in addition
-to files and directories in the local Unix filesystem. From the
-user's perspective, the effect is that of a
-simulated mount of the SMB shares onto the Unix filesystem.</p>
-
-<p><em class="emphasis">smbsh</em> works by running the shell and programs
-run from it in an environment in which calls to the standard C
-library are redirected to the
-<em class="emphasis">smbwrapper</em><a name="INDEX-64"/> library, which has support for
-operating on SMB shares. This redirection can work only if the
-program being run is dynamically linked. Fortunately, modern Unix
-versions ship with most common utilities linked dynamically rather
-than statically.</p>
-
-<a name="samba2-CHP-5-NOTE-127"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>To determine whether a program is dynamically or statically linked,
-try using the <em class="emphasis">file</em> command.</p>
-</blockquote>
-
-<p>To use <em class="emphasis">smbsh</em>, your Samba installation must be
-configured using the configure option
-<tt class="literal">--with-smbwrapper</tt>.</p>
-
-<p>If you have a number of Unix systems with the same host operating
-system and architecture and don't want to bother
-with a full Samba installation, you can simply move the following
-files to the other systems:</p>
-
-<blockquote><pre class="code">/usr/local/samba/bin/smbsh
-/usr/local/samba/bin/smbwrapper.so
-/usr/local/samba/lib/smb.conf</pre></blockquote>
-
-<p>Make sure that <em class="filename">/usr/local/samba/bin</em> is in your
-shell's search path. The
-<em class="filename">smb.conf</em><a name="INDEX-65"/><a name="INDEX-66"/> file is
-needed only for <em class="emphasis">smbsh</em> to determine the workgroup
-or domain and does not need to be as elaborate as your Samba
-server's configuration file.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-5.1"/>
-
-<h3 class="head2">An Interactive Session with smbsh</h3>
-
-<p><a name="INDEX-67"/>To start <em class="emphasis">smbsh</em>,
-simply type in the <em class="emphasis">smbsh</em> command at the shell
-prompt. You will be prompted for a username and password with which
-to authenticate on the SMB network:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbsh</b></tt>
-Username: davecb
-Password:
-smbsh$</pre></blockquote>
-
-<p>While working within the <em class="emphasis">smbsh</em> shell, you have a
-virtual <em class="filename">/smb</em> directory. This does not actually
-exist in the Unix filesystem and is supported within
-<em class="emphasis">smbsh</em> only to help organize the SMB shares in a
-structure familiar to Unix users. You can list the contents of the
-<em class="filename">/smb</em> virtual directory and get a list of
-workgroups in the local network, which are also presented as virtual
-directories:</p>
-
-<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd /smb ; ls</b></tt>
-ZOOL PLANK BACIL</pre></blockquote>
-
-<p>You can change your working directory to one of the workgroup virtual
-directories, and listing one of them will show the computers in the
-workgroup:</p>
-
-<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd ZOOL ; ls</b></tt>
-ANTILLES DODO MILO SEAL
-ARGON HANGGLIDE OSTRICH SPARTA
-BALLET INFUSION PLAQUE THEBES
-CHABLIS JAZ PRAETORIAN TJ
-COBRA KIKO RAYOPCI TRANCE
-COUGUR MACHINE-HEADPCI RUMYA VIPERPCI
-CRUSTY MATHUMA SCOT</pre></blockquote>
-
-<p>Likewise, you can change your current directory to, and list the
-contents of, a computer virtual directory, and then you can see a
-listing of shares offered by that computer:</p>
-
-<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd scot ; ls</b></tt>
-ADMIN$ davecb nc np2s pl
-ace dhcp-mrk03 np nps xp
-cl ep np2 opcom</pre></blockquote>
-
-<p>This is the lowest level of
-<em class="emphasis">smbsh</em>'s virtual directory
-system. Once you <em class="emphasis">cd</em> into a share, you are within
-the SMB share on the remote computer:</p>
-
-<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd davecb ; ls</b></tt>
-Mail mkanalysis_dirs.idx
-SUNWexplo nfs.ps
-Sent nsmail
-allsun.html projects.txt
-bin sumtimex</pre></blockquote>
-
-<p>Once in a remote share, most of the Unix shell utilities will work,
-and you can operate on files and directories much as you would on any
-Unix system. You can even create symbolic links in the Unix
-filesystem pointing to files and directories in the SMB share.
-However, attempts to create symbolic links in the SMB share will fail
-unless the share is being served by Samba with support for Unix CIFS
-extensions.</p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-5-SECT-6"/>
-
-<h2 class="head1">smbutil and mount_smbfs</h2>
-
-<p>The <em class="emphasis">smbutil</em> and <em class="emphasis">mount_smbfs</em>
-programs provide SMB client functionality for FreeBSD, Darwin, and
-Mac OS X. Neither of the programs is part of the Samba distribution;
-however, we are including them to give you a little additional
-support in case you have BSD-related Unix systems on your network.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-6.1"/>
-
-<h3 class="head2">smbutil</h3>
-
-<p>The <em class="emphasis">smbutil</em><a name="INDEX-68"/> program provides functionality similar
-to some of the Samba suite's command-line utilities.
-It can be used to list the shares available on an SMB server or
-perform NetBIOS name lookups.</p>
-
-<p>The first argument given to <em class="emphasis">smbutil</em> is one of a
-number of subcommands and is usually followed by arguments specific
-to the subcommand. For example, to list the resources offered by a
-server, use the <em class="emphasis">view</em> subcommand, and enter your
-server password when prompted:</p>
-
-<blockquote><pre class="code">% <tt class="userinput"><b>smbutil view //vamana</b></tt>
-Password:
-Share Type Comment
--------------------------------------------------------------
-public disk
-SS2500 printer Stylus Scan 2500
-IPC$ pipe IPC Service (Samba 2.2.5)
-ADMIN$ disk IPC Service (Samba 2.2.5)
-leonvs disk User Home Directories
-
-5 shares listed from 5 available</pre></blockquote>
-
-<p>If you wish to connect to the server with a username that differs
-from that on your client, you can specify it on the command line by
-preceding the name of the server with the username and using an at
-sign (<tt class="literal">@</tt>) as a separator:</p>
-
-<blockquote><pre class="code">% <tt class="userinput"><b>smbutil view //leonvs@vamana</b></tt></pre></blockquote>
-
-<p>You can also include the password after the username, using a colon
-(:) as a separator, to avoid being prompted for
-it:</p>
-
-<blockquote><pre class="code">% <tt class="userinput"><b>smbutil view //leonvs:leonspassword@vamana</b></tt></pre></blockquote>
-
-<p>Typing your password in the open like this is strongly discouraged.
-It's a little better if you use an encrypted
-password, which you can generate using
-<em class="emphasis">smbutil</em>'s
-<em class="emphasis">crypt</em> subcommand:</p>
-
-<blockquote><pre class="code">% <tt class="userinput"><b>smbutil crypt leonspassword</b></tt>
-$$1625a5723293f0710e5faffcfc6</pre></blockquote>
-
-<p>This can then be used in place of a clear-text password. However, the
-encryption is not particularly strong and will foil only the most
-casual inspection. As noted earlier, the only reasonably secure
-method of providing a password is to be prompted for it.</p>
-
-<p>While starting up, <em class="emphasis">smbutil</em> reads the file
-<em class="filename">.nsmbrc</em><a name="INDEX-69"/> in the user's home
-directory. Also, the file
-<em class="filename">/usr/local/etc/nsmb.conf</em><a name="INDEX-70"/><a name="INDEX-71"/> is read, and directives in that file
-override those in users'
-<em class="filename">~/.nsmbrc</em> files. This is to allow administrators
-to apply mandatory settings to all users. Directives can be placed in
-this file using the section and parameter format similar to that of
-the Samba configuration file. A list of common configuration
-parameters is given in <a href="ch05.html#samba2-CHP-5-TABLE-2">Table 5-2</a>.</p>
-
-<p>For example, to keep your password in your
-<em class="filename">~/.nsmbrc</em> file, you can create an entry in the
-file such as the following:</p>
-
-<blockquote><pre class="code">[VAMANA:LEONVS]
- password=$$1625a5723293f0710e5faffcfc6</pre></blockquote>
-
-<p>The section heading in brackets specifies the SMB
-server's NetBIOS name and the username to which the
-subsequent parameter settings apply. (The hostname and username
-should be supplied in uppercase characters.) Section headings can
-also consist of just a hostname or can contain a share name as a
-third element for specifying parameters applicable to a single share.
-Finally, if a <tt class="literal">[default]</tt> section is present, the
-settings in it apply to all connections.</p>
-
-<p>The following example <em class="filename">.nsmbrc</em> shows some of the
-other parameters you might use:</p>
-
-<blockquote><pre class="code">[default]
- username=leonvs
- # NetBIOS name server
- nbns=192.168.1.3
-
-[VAMANA]
- # server IP address
- addr=192.168.1.6
- workgroup=TEST
-
-[VAMANA:LEONVS]
- password=$$1625a5723293f0710e5faffcfc6</pre></blockquote>
-
-<p>Another thing you can do with <em class="emphasis">smbutil</em> is
-<a name="INDEX-72"/><a name="INDEX-73"/><a name="INDEX-74"/>translate between IP addresses or DNS
-names and
-<a name="INDEX-75"/>NetBIOS
-names. For example, the <em class="emphasis">status</em> subcommand takes
-an IP address or DNS hostname as an argument and returns the
-corresponding SMB server's NetBIOS name and
-workgroup:</p>
-
-<blockquote><pre class="code">% <tt class="userinput"><b>smbutil status 192.168.1.6</b></tt>
-Workgroup: TEST
-Server: VAMANA</pre></blockquote>
-
-<p>The <em class="emphasis">lookup</em> subcommand returns the IP address
-associated with a given NetBIOS hostname. A NetBIOS name server can
-be optionally specified with the <em class="emphasis">-w</em> argument:</p>
-
-<blockquote><pre class="code">% <tt class="userinput"><b>smbutil lookup -w 192.168.1.3 VAMANA</b></tt>
-Got response from 192.168.1.3
-IP address of VAMANA: 192.168.1.6</pre></blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-6.2"/>
-
-<h3 class="head2">mount_smbfs</h3>
-
-<p>The <em class="emphasis">mount_smbfs</em><a name="INDEX-76"/> program performs essentially the same
-function as <em class="emphasis">smbmount</em> on Linux. It mounts an SMB
-share on a directory in the local filesystem. The SMB share can then
-be accessed just like any other directory, subject to some behavioral
-differences noted earlier in <a href="ch05.html#samba2-CHP-5-SECT-4.1">Section 5.4.1</a>.</p>
-
-<p>The command synopsis for <em class="emphasis">mount_smbfs</em> is:</p>
-
-<blockquote><pre class="code">mount_smbfs <em class="replaceable">[options]</em> <em class="replaceable">Share-UNC</em> <em class="replaceable">mount-point</em></pre></blockquote>
-
-<p>where <em class="replaceable">Share-UNC</em> is of the form:</p>
-
-<blockquote><pre class="code">//[<em class="replaceable">workgroup</em>;][<em class="replaceable">username</em>[:<em class="replaceable">password</em>]@]<em class="replaceable">server</em>[/<em class="replaceable">share</em>]</pre></blockquote>
-
-<p>For example:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mount_smbfs '//TEST;leonvs:$$1625a5723293f0710e5faffcfc6@vamana/leonvs' /</b></tt>
-\<tt class="userinput"><b>Volumes/leonvs</b></tt></pre></blockquote>
-
-<p>The ownership and permissions of the mount point determine the
-default ownership and permissions for files and directories in the
-mounted share. These can be modified with command-line arguments,
-like this:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mount_smbfs -u leonvs -g admin -f 0750 -d 0755 //leonvs@vamana/leonvs </b></tt>
-\<tt class="userinput"><b>/Volumes/leonvs</b></tt></pre></blockquote>
-
-<p>In this example, the files and directories in the mounted share will
-be owned by the user leonvs and the group admin, with files and
-directories having permissions 750 and 755, respectively. (As usual,
-the permissions are specified in the octal format used by the Unix
-<em class="emphasis">chmod</em> command.)</p>
-
-<p>The <em class="emphasis">mount_smbfs</em><a name="INDEX-77"/><a name="INDEX-78"/> command
-also makes use of settings in
-<em class="filename">/usr/local/etc/nsmb.conf</em> and
-<em class="filename">~/.nsmbrc</em>, as described earlier. A list of
-common configuration parameters and command-line options is provided
-in <a href="ch05.html#samba2-CHP-5-TABLE-2">Table 5-2</a>.</p>
-
-<a name="samba2-CHP-5-TABLE-2"/><h4 class="head4">Table 5-2. Common smbutil and mount_smbfs options</h4><table border="1">
-
-
-
-
-<tr>
-<th>
-<p>Command-line option</p>
-</th>
-<th>
-<p>Configuration file parameter</p>
-</th>
-<th>
-<p>Description</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">-I</tt> <em class="replaceable">hostname</em></p>
-</td>
-<td>
-<p><tt class="literal">addr</tt></p>
-</td>
-<td>
-<p>Avoid NetBIOS name resolution and connect to the server using the
-specified DNS hostname or IP address.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-N</p>
-</td>
-<td>
-<p><em class="emphasis">none</em></p>
-</td>
-<td>
-<p>Do not prompt for a password.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-R <em class="replaceable">count</em></p>
-</td>
-<td>
-<p><tt class="literal">retry_count</tt></p>
-</td>
-<td>
-<p>Number of times to retry connection before giving up.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-T <em class="replaceable">seconds</em></p>
-</td>
-<td>
-<p><tt class="literal">timeout</tt></p>
-</td>
-<td>
-<p>Timeout, in seconds, per connection request.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-U <em class="replaceable">username</em></p>
-</td>
-<td>
-<p><tt class="literal">username</tt></p>
-</td>
-<td>
-<p>Username to use for authentication. Defaults to Unix username.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-W <em class="replaceable">workgroup</em></p>
-</td>
-<td>
-<p><tt class="literal">workgroup</tt></p>
-</td>
-<td>
-<p>Name of workgroup of remote server.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-d <em class="replaceable">mode</em></p>
-</td>
-<td>
-<p><em class="emphasis">none</em></p>
-</td>
-<td>
-<p>Permissions to apply to directories in the mounted share. Defaults to
-the same as the file permissions, plus an execute (search) bit
-whenever the read bit is set.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-f <em class="replaceable">mode</em></p>
-</td>
-<td>
-<p><em class="filename">none</em></p>
-</td>
-<td>
-<p>Permissions to apply to files in the mounted share. Defaults to the
-same as the permissions set on the directory used as the mount point.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-g <em class="replaceable">group</em></p>
-</td>
-<td>
-<p><em class="emphasis">none</em></p>
-</td>
-<td>
-<p>Name or numeric GID to apply to all files and directories in the
-mounted share. Defaults to the group of the directory used as the
-mount point.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-n <em class="replaceable">long</em></p>
-</td>
-<td>
-<p><em class="emphasis">none</em></p>
-</td>
-<td>
-<p>Disable support for long filenames. Restrict filenames to 8.3 naming
-standard.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-u <em class="replaceable">username</em></p>
-</td>
-<td>
-<p><em class="emphasis">none</em></p>
-</td>
-<td>
-<p>Username or numeric UID to apply as the owner of all files and
-directories in the mounted share. Defaults to the owner of the
-directory used as the mount point.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>-w <em class="replaceable">hostname</em></p>
-</td>
-<td>
-<p><tt class="literal">nbns</tt></p>
-</td>
-<td>
-<p>Hostname or IP address of the NetBIOS name server.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><em class="emphasis">none</em></p>
-</td>
-<td>
-<p><tt class="literal">password</tt></p>
-</td>
-<td>
-<p>Password to use for authentication.</p>
-</td>
-</tr>
-
-</table>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-5-SECT-6.3"/>
-
-<h3 class="head2">Mac OS X</h3>
-
-<p><a name="INDEX-79"/>In addition to
-<em class="emphasis">smbutil</em> and <em class="emphasis">mount_smbfs</em>, OS
-X includes a graphical interface to the functionality they provide.
-To use this interface, open the Go menu and select the Connect to
-Server . . . menu item. Instead of using a UNC, specify the share in
-the form of a Uniform Resource Identifier (URI) with a prefix of
-<tt class="literal">smb://</tt> entered in the Address field, as shown in
-<a href="ch05.html#samba2-CHP-5-FIG-5">Figure 5-5</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-5-FIG-5"/><img src="figs/sam2_0505.gif"/></div><h4 class="head4">Figure 5-5. OS X Connect to Server dialog</h4>
-
-<p>You can specify a server, share, workgroup, username, and password
-(optionally encrypted with <em class="emphasis">smbutil crypt</em>) in the
-URI, in the same format as the UNC argument to
-<em class="emphasis">mount_smbfs</em>. If you don't
-specify a share name in the URI, you will be shown a window that lets
-you choose from a list of shares available to mount. See <a href="ch05.html#samba2-CHP-5-FIG-6">Figure 5-6</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-5-FIG-6"/><img src="figs/sam2_0506.gif"/></div><h4 class="head4">Figure 5-6. Selecting a share to mount</h4>
-
-<p>Only guest-accessible shares will show up in the list until
-you've authenticated. After pressing the
-Authenticate button, you'll be prompted for a
-workgroup, username, and password, as shown in <a href="ch05.html#samba2-CHP-5-FIG-7">Figure 5-7</a>. You'll also see this dialog
-if you provide a share name in the URI, but not a username and
-password.<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a></p>
-
-<div class="figure"><a name="samba2-CHP-5-FIG-7"/><img src="figs/sam2_0507.gif"/></div><h4 class="head4">Figure 5-7. Client authentication</h4>
-
-<p>As usual for Mac OS X, shares are mounted under
-<em class="filename">/Volumes</em>, but show up in the root of the Finder
-hierarchy.</p>
-
-<p>If you have a WINS server on your network, you can provide the
-server's IP address in the Directory Access
-application, or by using the <tt class="literal">wins</tt>
-<tt class="literal">server</tt> parameter in
-<em class="filename">/etc/smb.conf</em>.</p>
-
-<p>If you don't know the name of a server to which you
-wish to connect, you can look for it in the browse list, using the
-graphical frontend to the <em class="emphasis">nmblookup</em> command
-provided with Samba. Click the downward-pointing arrow in the Connect
-to Server . . . dialog box to show a hierarchical, column-based view
-of available workgroups and servers, similar to that shown in <a href="ch05.html#samba2-CHP-5-FIG-8">Figure 5-8</a>. If your client is also acting as an SMB file
-server, it won't show up in its own browse
-list.<a name="INDEX-80"/></p>
-
-<div class="figure"><a name="samba2-CHP-5-FIG-8"/><a name="INDEX-81"/><img src="figs/sam2_0508.gif"/></div><h4 class="head4">Figure 5-8. Browsing the network</h4>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> An alternative to extracting
-the tar archive directly to the SMB share is to use the Unix
-system's <em class="emphasis">tar</em> command to extract
-it to a directory on the Unix server, then copy the desired file(s)
-to a shared directory. This allows a greater amount of control over
-the restoration process, as when correcting for an accidental file
-deletion or reverting a set of files to a previous condition.</p>
-<a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Samba Versions
-2.2.4 and later have support for Unix CIFS extensions developed by
-Hewlett-Packard, which add full support for Unix ownership, group,
-and permissions in smbfs filesystems when shared between two Samba
-systems. You will also need a recent version of smbfs in your Linux
-kernel.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> At the
-time of this writing, <em class="emphasis">smbsh</em> does not work on
-HP/UX or Linux. However, Linux support might return in the
-future.</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> If you've previously
-stored your authentication information in a Keychain, you will
-instead be prompted for your Keychain password.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch06.html b/docs/htmldocs/using_samba/ch06.html
deleted file mode 100644
index a507b7c9d9..0000000000
--- a/docs/htmldocs/using_samba/ch06.html
+++ /dev/null
@@ -1,2727 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 6. The Samba Configuration File</h1>
-
-
-<p><a name="INDEX-1"/>In
-previous chapters, we showed you how to install Samba on a Unix
-server and set up Windows clients to use a simple disk share. This
-chapter will show you how Samba can assume more productive roles on
-your network.</p>
-
-<p>Samba's daemons, <em class="emphasis">smbd</em> and
-<em class="emphasis">nmbd</em>, are controlled through a single ASCII
-file, <em class="filename">smb.conf</em>, that can contain over 300 unique
-options (also called parameters). Some of these options you will use
-and change frequently; others you might never use, depending on how
-much functionality you want Samba to offer its clients.</p>
-
-<p>This chapter introduces the structure of the Samba configuration file
-and shows you how to use options to create and modify disk shares.
-Subsequent chapters will discuss browsing, how to configure users,
-security, printing, and other topics related to implementing Samba on
-your network.</p>
-
-
-
-<div class="sect1"><a name="samba2-CHP-6-SECT-1"/>
-
-<h2 class="head1">The Samba Configuration File</h2>
-
-<p>The Samba configuration file, called <em class="filename">smb.conf</em> by
-default, uses the same format as Windows
-<em class="filename">.ini</em><a name="INDEX-2"/><a name="INDEX-3"/> files. If you have ever worked with a
-<em class="filename">.ini</em> file, you will find
-<em class="filename">smb.conf</em> easy to create and modify. Even if you
-haven't, you will find the format to be simple and
-easy to learn. Here is an example of a Samba
-<a name="INDEX-4"/>configuration
-file:</p>
-
-<blockquote><pre class="code">[global]
- workgroup = METRAN
- encrypt passwords = yes
- wins support = yes
- log level = 1
- max log size = 1000
- read only = no
-[homes]
- browsable = no
- map archive = yes
-[printers]
- path = /var/tmp
- printable = yes
- min print space = 2000
-[test]
- browsable = yes
- read only = yes
- path = /usr/local/samba/tmp</pre></blockquote>
-
-<p>This configuration file is based on the one we created in <a href="ch02.html">Chapter 2</a> and sets up a workgroup in which Samba
-authenticates users using encrypted passwords and the default
-user-level security method. Samba is providing WINS name server
-support. We've configured very basic event logging
-to use a log file not to exceed 1MB in size. The
-<tt class="literal">[homes]</tt> share has been added to allow Samba to
-create a disk share for the home directory of each user who has a
-standard Unix account on the server. In addition, each printer
-registered on the server will be publicly available, as will a single
-read-only share that maps to the
-<em class="filename">/usr/local/samba/tmp</em> directory.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-1.1"/>
-
-<h3 class="head2">Configuration File Structure</h3>
-
-<p><a name="INDEX-5"/>Let's take another
-look at this configuration file, this time from a higher level:</p>
-
-<blockquote><pre class="code">[global]
- ...
-[homes]
- ...
-[printers]
- ...
-[test]
- ...</pre></blockquote>
-
-<p><a name="INDEX-6"/><a name="INDEX-7"/>The
-names inside the square brackets delineate unique
-<em class="firstterm">sections</em> of the <em class="filename">smb.conf</em>
-file; each section names the share (or service) to which the section
-refers. For example, the <tt class="literal">[test]</tt> and
-<tt class="literal">[homes]</tt> sections are unique disk shares; they
-contain options that map to specific directories on the Samba server.
-The <tt class="literal">[printers]</tt> share contains options that map to
-various printers on the server. All the sections defined in the
-<em class="filename">smb.conf</em> file, with the exception of the
-<tt class="literal">[global]</tt> section, will be available as a disk or
-printer share to clients connecting to the Samba server.</p>
-
-<p>The remaining lines are individual configuration options for that
-share. These options will continue until a new section is encountered
-or until the end of the file is reached. Each configuration option
-follows a simple format:</p>
-
-<blockquote><pre class="code"><em class="replaceable">option</em> = <em class="replaceable">value</em></pre></blockquote>
-
-<p><a name="INDEX-8"/>Options in
-the <em class="filename">smb.conf</em> file are set by assigning a value
-to them. We should warn you up front that some of the option names in
-Samba are poorly chosen. For example, <tt class="literal">read</tt>
-<tt class="literal">only</tt> is self-explanatory and is typical of many
-recent Samba options. The <tt class="literal">public</tt> option is an
-older option and is vague. It now has a less-confusing synonym
-<tt class="literal">guest</tt> <tt class="literal">ok</tt> (meaning it can be
-accessed by guests). <em class="emphasis">Appendix B</em> contains an
-alphabetical index of all the configuration options and their
-meanings.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.1"/>
-
-<h3 class="head3">Whitespace, quotes, and commas</h3>
-
-<p>An important item to remember about configuration options is that all
-whitespace within the <em class="replaceable">value</em> is
-significant. For example, consider the following option:</p>
-
-<blockquote><pre class="code">volume = The Big Bad Hard Drive Number 3543</pre></blockquote>
-
-<p>Samba strips away the spaces up to the first <tt class="literal">T</tt> in
-<tt class="literal">The</tt>. These whitespaces are insignificant. The rest
-of the whitespaces are significant and will be recognized and
-preserved by Samba when reading in the file. Space is not significant
-in option names (such as <tt class="literal">read</tt>
-<tt class="literal">only</tt>), but we recommend you follow convention and
-keep spaces between the words of options.</p>
-
-<p>If you feel safer including quotation marks at the beginning and end
-of a configuration option's value, you can do so.
-Samba will ignore these quotation marks when it encounters them.
-Never use quotation marks around an option name; Samba will treat
-this as an error.</p>
-
-<p>Usually, you can use whitespaces or commas to separate a series of
-values in a list. These two options are equivalent:</p>
-
-<blockquote><pre class="code">netbios aliases = sales, accounting, payroll
-netbios aliases = sales accounting payroll</pre></blockquote>
-
-<p>In some cases, you must use one form of separation&mdash;sometimes
-spaces are required, and sometimes commas.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.2"/>
-
-<h3 class="head3">Capitalization</h3>
-
-<p><a name="INDEX-9"/>Capitalization
-is not important in the Samba configuration file except in locations
-where it would confuse the underlying operating system. For example,
-let's assume that you included the following option
-in a share that pointed to <em class="filename">/export/samba/simple
-</em>:</p>
-
-<blockquote><pre class="code">PATH = /EXPORT/SAMBA/SIMPLE</pre></blockquote>
-
-<p>Samba would have no problem with the <tt class="literal">path</tt>
-configuration option appearing entirely in capital letters. However,
-when it tries to connect to the given directory, it would be
-unsuccessful because the Unix filesystem <em class="emphasis">is</em>
-case-sensitive. Consequently, the path listed would not be found, and
-clients could not connect to the share.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.3"/>
-
-<h3 class="head3">Line continuation</h3>
-
-<p><a name="INDEX-10"/>You can continue a line in the
-Samba configuration file using the backslash, like this:</p>
-
-<blockquote><pre class="code">comment = The first share that has the primary copies \
- of the new Teamworks software product.</pre></blockquote>
-
-<p>Because of the backslash, these two lines will be treated as one line
-by Samba. The second line begins at the first nonwhitespace character
-that Samba encounters; in this case, the <tt class="literal">o</tt> in
-<tt class="literal">of</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.4"/>
-
-<h3 class="head3">Comments</h3>
-
-<p><a name="INDEX-11"/>You can
-insert comments in the <em class="filename">smb.conf</em> configuration
-file by starting a line with either a hash (<tt class="literal">#</tt>) or
-a semicolon ( <tt class="literal">;</tt> ). For this purpose, both
-characters are equivalent. For example, the first three lines in the
-following example would be considered comments:</p>
-
-<blockquote><pre class="code"># This is the printers section. We have given a minimum print
-; space of 2000 to prevent some errors that we've seen when
-; the spooler runs out of space.
-
-[printers]
- public = yes
- min print space = 2000</pre></blockquote>
-
-<p>Samba will ignore all comment lines in its configuration file; there
-are no limitations to what can be placed on a comment line after the
-initial hash mark or semicolon. Note that the line continuation
-character (<tt class="literal">\</tt>) will <em class="emphasis">not</em> be
-honored on a commented line. Like the rest of the line, it is
-ignored.</p>
-<a name="samba2-CHP-6-NOTE-128"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Samba does not allow mixing of comment lines and parameters. Be
-careful not to put comments on the same line as anything else, such
-as:</p>
-
-
-<blockquote><pre class="code">path = /d # server's data partition</pre></blockquote>
-
-
-<p>Errors such as this, where the parameter value is defined with a
-string, can be tricky to notice. The <em class="emphasis">testparm</em>
-program won't complain, and the only clues
-you'll receive are that
-<em class="emphasis">testparm</em> reports the <tt class="literal">path</tt>
-parameter set to <tt class="literal">/d # server's data partition</tt>, and
-the failures that result when clients attempt to access the share.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.5"/>
-
-<h3 class="head3">Changes at runtime</h3>
-
-<p><a name="INDEX-12"/>You can modify the
-<em class="filename">smb.conf</em> configuration file and any of its
-options at any time while the Samba daemons are running. By default,
-Samba checks the configuration file every 60 seconds. If it finds any
-changes, they are immediately put into effect.</p>
-
-<a name="samba2-CHP-6-NOTE-129"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Having Samba check the configuration file automatically can be
-convenient, but it also means that if you edit
-<em class="filename">smb.conf</em> directly, you might be immediately
-changing your network's <a name="INDEX-13"/>configuration every time you save the
-file. If you're making anything more than a minor
-change, it may be wiser to copy <em class="filename">smb.conf</em> to a
-temporary file, edit that, run <tt class="literal">testparm</tt>
-<em class="replaceable">filename</em> to check it, and then copy the
-temporary file back to <em class="filename">smb.conf</em>. That way, you
-can be sure to put all your changes into effect at once, and only
-after you are confident that you have created the exact configuration
-you wish to implement.</p>
-</blockquote>
-
-<p>If you don't want to wait for the configuration file
-to be reloaded automatically, you can force a reload either by
-sending a hangup signal to the <em class="emphasis">smbd</em> and
-<em class="emphasis">nmbd</em> processes or simply by restarting the
-daemons. Actually, it can be a good idea to restart the daemons
-because it forces the clients to disconnect and reconnect, ensuring
-that the new configuration is applied to all clients. We showed you
-how to restart the daemons in <a href="ch02.html">Chapter 2</a>, and
-sending them a hangup (HUP) signal is very similar. On Linux, it can
-be done with the command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>killall -HUP smbd nmbd</b></tt></pre></blockquote>
-
-<p>In this case, not all changes will be immediately recognized by
-clients. For example, changes to a share that is currently in use
-will not be registered until the client disconnects and reconnects to
-that share. In addition, server-specific parameters such as the
-workgroup or NetBIOS name of the server will not go into effect
-immediately either. (This behavior was implemented intentionally
-because it keeps active clients from being suddenly disconnected or
-encountering unexpected access problems while a session is open.)
-<a name="INDEX-14"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-1.2"/>
-
-<h3 class="head2">Variables</h3>
-
-<p><a name="INDEX-15"/>Because a
-new copy of the<em class="filename"> </em><em class="emphasis">smbd</em> daemon
-is created for each connecting client, it is possible for each client
-to have its own customized configuration file. Samba allows a
-limited, yet useful, form of variable substitution in the
-configuration file to allow information about the Samba server and
-the client to be included in the configuration at the time the client
-connects. Inside the configuration file, a variable begins with a
-percent sign (<tt class="literal">%</tt>), followed by a single upper- or
-lowercase letter, and can be used only on the right side of a
-configuration option (i.e., after the equal sign). An example is:</p>
-
-<blockquote><pre class="code">[pub]
- path = /home/ftp/pub/%a</pre></blockquote>
-
-<p>The <tt class="literal">%a</tt><a name="INDEX-16"/> stands for the client
-system's architecture and will be replaced as shown
-in <a href="ch06.html#samba2-CHP-6-TABLE-1">Table 6-1</a>.</p>
-
-<a name="samba2-CHP-6-TABLE-1"/><h4 class="head4">Table 6-1. %a substitution</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Client operating system
-(&quot;architecture&quot;)</p>
-</th>
-<th>
-<p>Replacement string</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>Windows for Workgroups</p>
-</td>
-<td>
-<p><tt class="literal">WfWg</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 95 and Windows 98</p>
-</td>
-<td>
-<p><tt class="literal">Win95</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows NT</p>
-</td>
-<td>
-<p><tt class="literal">WinNT</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 2000 and Windows XP</p>
-</td>
-<td>
-<p><tt class="literal">Win2K</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Samba</p>
-</td>
-<td>
-<p><tt class="literal">Samba</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Any OS not listed earlier</p>
-</td>
-<td>
-<p><tt class="literal">UNKNOWN</tt></p>
-</td>
-</tr>
-
-</table>
-
-<p>In this example, Samba will assign a unique path for the
-<tt class="literal">[pub]</tt> share to client systems based on what
-operating system they are running. The paths that each client would
-see as its share differ according to the client's
-architecture:</p>
-
-<blockquote><pre class="code">/home/ftp/pub/WfwG
-/home/ftp/pub/Win95
-/home/ftp/pub/WinNT
-/home/ftp/pub/Win2K
-/home/ftp/pub/Samba
-/home/ftp/pub/UNKNOWN</pre></blockquote>
-
-<p>Using variables in this manner comes in handy if you wish to have
-different users run custom configurations based on their own unique
-characteristics or conditions.
-<a name="INDEX-17"/><a name="INDEX-18"/>Samba
-has 20 variables, as shown in <a href="ch06.html#samba2-CHP-6-TABLE-2">Table 6-2</a>.</p>
-
-<a name="samba2-CHP-6-TABLE-2"/><h4 class="head4">Table 6-2. Samba variables</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Variable</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><b class="emphasis-bold">Client variables</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%a</tt><a name="INDEX-19"/></p>
-</td>
-<td>
-<p>Client's architecture (see <a href="ch06.html#samba2-CHP-6-TABLE-1">Table 6-1</a>)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%I</tt><a name="INDEX-20"/></p>
-</td>
-<td>
-<p>Client's IP address (e.g., 172.16.1.2)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%m</tt><a name="INDEX-21"/></p>
-</td>
-<td>
-<p>Client's NetBIOS name</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%M</tt><a name="INDEX-22"/></p>
-</td>
-<td>
-<p>Client's DNS name</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><b class="emphasis-bold">User variables</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%u</tt><a name="INDEX-23"/></p>
-</td>
-<td>
-<p>Current Unix username</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%U</tt><a name="INDEX-24"/></p>
-</td>
-<td>
-<p>Requested client username (not always used by Samba)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%H</tt><a name="INDEX-25"/></p>
-</td>
-<td>
-<p>Home directory of <tt class="literal">%u</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%g</tt><a name="INDEX-26"/></p>
-</td>
-<td>
-<p>Primary group of <tt class="literal">%u</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%G</tt><a name="INDEX-27"/></p>
-</td>
-<td>
-<p>Primary group of <tt class="literal">%U</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><b class="emphasis-bold">Share variables</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%S</tt><a name="INDEX-28"/></p>
-</td>
-<td>
-<p>Current share's name</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%P</tt><a name="INDEX-29"/></p>
-</td>
-<td>
-<p>Current share's root directory</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%p</tt><a name="INDEX-30"/></p>
-</td>
-<td>
-<p>Automounter's path to the share's
-root directory, if different from <tt class="literal">%P</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><b class="emphasis-bold">Server variables</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%d</tt><a name="INDEX-31"/></p>
-</td>
-<td>
-<p>Current server process ID</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%h</tt><a name="INDEX-32"/></p>
-</td>
-<td>
-<p>Samba server's DNS hostname</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%L</tt><a name="INDEX-33"/></p>
-</td>
-<td>
-<p>Samba server's NetBIOS name</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%N</tt><a name="INDEX-34"/></p>
-</td>
-<td>
-<p>Home directory server, from the automount map</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%v</tt><a name="INDEX-35"/></p>
-</td>
-<td>
-<p>Samba version</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><b class="emphasis-bold">Miscellaneous variables</b></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%R</tt><a name="INDEX-36"/></p>
-</td>
-<td>
-<p>The SMB protocol level that was negotiated</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%T</tt><a name="INDEX-37"/></p>
-</td>
-<td>
-<p>The current date and time</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><a name="INDEX-38"/>%$<em class="replaceable">var</em></p>
-</td>
-<td>
-<p>The value of environment variable <tt class="literal">var</tt></p>
-</td>
-</tr>
-
-</table>
-
-<p>Here's another example of using
-<a name="INDEX-39"/><a name="INDEX-40"/><a name="INDEX-41"/>variables: let's say there
-are five clients on your network, but one client,
-<tt class="literal">maya</tt>, requires a slightly different
-<tt class="literal">[homes]</tt> configuration. With Samba,
-it's simple to handle this:</p>
-
-<blockquote><pre class="code">[homes]
- ...
- include = /usr/local/samba/lib/smb.conf.%m
- ...</pre></blockquote>
-
-<p>The <tt class="literal">include</tt> option here causes a separate
-configuration file for each particular NetBIOS machine
-(<tt class="literal">%m</tt>) to be read in addition to the current file.
-If the hostname of the client system is <tt class="literal">maya</tt>, and
-if a <em class="filename">smb.conf.maya</em> file exists in the
-<em class="filename">/usr/local/samba/lib</em> directory, Samba will
-insert that configuration file into the default one. If any
-configuration options are restated in
-<em class="filename">smb.conf.maya</em>, those values will override any
-options previously encountered in that share. Note that we say
-&quot;previously.&quot; If any options are
-restated in the main configuration file after the
-<tt class="literal">include</tt> option, Samba will honor those restated
-values for the share in which they are defined.</p>
-
-<p>If the file specified by the <tt class="literal">include</tt> parameter
-does not exist, Samba will not generate an error. In fact, it
-won't do anything at all. This allows you to create
-only one extra configuration file for <tt class="literal">maya</tt> when
-using this strategy, instead of one for each client that is on the
-network.</p>
-
-<p>Client-specific configuration files can be used to customize
-particular clients. They also can be used to make debugging Samba
-easier. For example, if we have one client with a problem, we can use
-this approach to give it a private log file with a more verbose
-logging level. This allows us to see what Samba is doing without
-slowing down all the other clients or overflowing the disk with
-useless logs.</p>
-
-<p>You can use the variables in <a href="ch06.html#samba2-CHP-6-TABLE-2">Table 6-2</a> to give
-custom values to a variety of Samba options. We will highlight
-several of these options as we move through the next few chapters.
-<a name="INDEX-42"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-6-SECT-2"/>
-
-<h2 class="head1">Special Sections</h2>
-
-<p>Now that we've gotten our feet wet with variables,
-there are a few special sections of the Samba configuration file that
-we should talk about. Again, don't worry if you do
-not understand every configuration option listed here;
-we'll go over each of them in the upcoming chapters.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-2.1"/>
-
-<h3 class="head2">The [ global] Section</h3>
-
-<p>The <tt class="literal">[global]</tt><a name="INDEX-43"/><a name="INDEX-44"/> section appears in virtually
-every Samba configuration file, even though it is not mandatory.
-There are two purposes for the <tt class="literal">[global]</tt> section.
-Server-wide settings are defined here, and any options that apply to
-shares will be used as a default in all share definitions, unless
-overridden within the share definition.</p>
-
-<p>To illustrate this, let's again look at the example
-at the beginning of the chapter:</p>
-
-<blockquote><pre class="code">[global]
- workgroup = METRAN
- encrypt passwords = yes
- wins support = yes
- log level = 1
- max log size = 1000
- read only = no
-[homes]
- browsable = no
- map archive = yes
-[printers]
- path = /var/tmp
- printable = yes
- min print space = 2000
-[test]
- browsable = yes
- read only = yes
- path = /usr/local/samba/tmp</pre></blockquote>
-
-<p>When a client connects to the <tt class="literal">[test]</tt> share, Samba
-first reads the <tt class="literal">[global]</tt> section and sets the
-option <tt class="literal">read</tt> <tt class="literal">only</tt>
-<tt class="literal">=</tt> <tt class="literal">no</tt> as the global default for
-each share it encounters throughout the configuration file. This
-includes the <tt class="literal">[homes]</tt> and <tt class="literal">[test]</tt>
-shares. When it reads the definition of the <tt class="literal">[test]</tt>
-share, it then finds the configuration option <tt class="literal">read</tt>
-<tt class="literal">only</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt>
-and overrides the default from the <tt class="literal">[global]</tt>
-section with the value <tt class="literal">yes</tt>.</p>
-
-<p>Any option that appears before the first marked section is assumed to
-be a global option. This means that the <tt class="literal">[global]</tt>
-section heading is not absolutely required; however, we suggest you
-always include it for clarity and to ensure future compatibility.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-2.2"/>
-
-<h3 class="head2">The [ homes] Section</h3>
-
-<p>If a client attempts to connect to a share that
-doesn't appear in the <em class="filename">smb.conf</em>
-file, Samba will search for a
-<tt class="literal">[homes]</tt><a name="INDEX-45"/><a name="INDEX-46"/> share in the
-configuration file. If a <tt class="literal">[homes]</tt> share exists, the
-unresolved share name is assumed to be a Unix username. If that
-username appears in the password database on the Samba server, Samba
-assumes the client is a Unix user trying to connect to her home
-directory on the server.</p>
-
-<p>For example, assume a client system is connecting to the Samba server
-<tt class="literal">toltec</tt> for the first time and tries to connect to
-a share named <tt class="literal">[alice]</tt>. There is no
-<tt class="literal">[alice]</tt> share defined in the
-<em class="filename">smb.conf</em> file, but there is a
-<tt class="literal">[homes]</tt>, so Samba searches the password database
-file and finds an <tt class="literal">alice</tt> user account is present on
-the system. Samba then checks the password provided by the client
-against user <tt class="literal">alice</tt>'s Unix
-password&mdash;either with the password database file if
-it's using nonencrypted passwords or with
-Samba's <em class="filename">smbpasswd</em> file if
-encrypted passwords are in use. If the passwords match, Samba knows
-it has guessed right: the user <tt class="literal">alice</tt> is trying to
-connect to her home directory. Samba will then create a share called
-<tt class="literal">[alice]</tt> for her, with the share's
-path set to <tt class="literal">alice</tt>'s home
-directory.</p>
-
-<p>The process of using the <tt class="literal">[homes]</tt> section to create
-users (and dealing with their passwords) is discussed in more detail
-in <a href="ch09.html">Chapter 9</a>.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-2.3"/>
-
-<h3 class="head2">The [printers] Section</h3>
-
-<p>The third special section is called
-<tt class="literal">[printers]</tt><a name="INDEX-47"/><a name="INDEX-48"/> and is similar to
-<tt class="literal">[homes]</tt>. If a client attempts to connect to a
-share that isn't in the
-<em class="filename">smb.conf</em> file and its name
-can't be found in the password file, Samba will
-check to see if it is a printer share. Samba does this by reading the
-printer capabilities file (usually
-<em class="filename">/etc/printcap</em>) to see if the share name appears
-there.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> If it does, Samba creates a share named after the
-printer.</p>
-
-<p>This means that as with <tt class="literal">[homes]</tt>, you
-don't have to maintain a share for each system
-printer in the <em class="filename">smb.conf</em> file. Instead, Samba
-honors the Unix printer registry if you ask it to, and it provides
-the registered printers to the client systems. However, there is a
-potential difficulty: if you have an account named
-<tt class="literal">fred</tt> and a printer named <tt class="literal">fred</tt>,
-Samba will always find the user account first, even if the client
-really needed to connect to the printer.</p>
-
-<p>The process of setting up the <tt class="literal">[printers]</tt> share is
-discussed in more detail in <a href="ch10.html">Chapter 10</a>.</p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-6-SECT-3"/>
-
-<h2 class="head1">Configuration Options</h2>
-
-<p><a name="INDEX-49"/>Options in
-the Samba configuration files fall into one of two categories:
-<em class="firstterm">global</em> options or <em class="firstterm">share</em>
-options. Each category dictates where an option can appear in the
-configuration file.</p>
-
-<dl>
-<dt><b>Global options</b></dt>
-<dd>
-<p>Global options must appear in the <tt class="literal">[global]</tt> section
-and nowhere else. These are options that typically apply to the
-behavior of the Samba server itself and not to any of its shares.</p>
-</dd>
-
-
-
-<dt><b>Share options</b></dt>
-<dd>
-<p>Share options can appear in share definitions, the
-<tt class="literal">[global]</tt> section, or both. If they appear in the
-<tt class="literal">[global]</tt> section, they will define a default
-behavior for all shares unless a share overrides the option with a
-value of its own.</p>
-</dd>
-
-</dl>
-
-<p>In addition, configuration options can take three kinds of values.
-They are as follows:</p>
-
-<dl>
-<dt><b>Boolean</b></dt>
-<dd>
-<p>These are simply yes or no values, but can be represented by any of
-the following: <tt class="literal">yes</tt>, <tt class="literal">no</tt>,
-<tt class="literal">true</tt>, <tt class="literal">false</tt>,
-<tt class="literal">1</tt>, or <tt class="literal">0</tt>. The values are
-case-insensitive: <tt class="literal">YES</tt> is the same as
-<tt class="literal">yes</tt>.</p>
-</dd>
-
-
-
-<dt><b>Numeric</b></dt>
-<dd>
-<p>This is a decimal, hexadecimal, or octal number. The standard
-<tt class="literal">0x</tt><em class="emphasis">nn</em> syntax is used for
-hexadecimal and <tt class="literal">0</tt><em class="emphasis">nnn</em> for
-octal.</p>
-</dd>
-
-
-
-<dt><b>String</b></dt>
-<dd>
-<p>This is a string of case-sensitive characters, such as a filename or
-a username.</p>
-</dd>
-
-</dl>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-3.1"/>
-
-<h3 class="head2">Configuration File Options</h3>
-
-<p>You can instruct Samba to include or replace configuration options as
-it is processing them. The options to do this are summarized in <a href="ch06.html#samba2-CHP-6-TABLE-3">Table 6-3</a>.</p>
-
-<a name="samba2-CHP-6-TABLE-3"/><h4 class="head4">Table 6-3. Configuration file options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">config</tt> <tt class="literal">file</tt></p>
-</td>
-<td>
-<p>string (name of file)</p>
-</td>
-<td>
-<p>Sets the location of a configuration file to use instead of the
-current one</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">include</tt></p>
-</td>
-<td>
-<p>string (name of file)</p>
-</td>
-<td>
-<p>Specifies an additional set of configuration options to be included
-in the configuration file</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">copy</tt></p>
-</td>
-<td>
-<p>string (name of share)</p>
-</td>
-<td>
-<p>Allows you to clone the configuration options of another share in the
-current share</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.1"/>
-
-<h3 class="head3">config file</h3>
-
-<p>The global <tt class="literal">config</tt><a name="INDEX-50"/> <tt class="literal">file</tt>
-option specifies a replacement configuration file that will be loaded
-when the option is encountered. If the target file exists, the
-remainder of the current configuration file, as well as the options
-encountered so far, will be discarded, and Samba will configure
-itself entirely with the options in the new file. Variables can be
-used with the <tt class="literal">config</tt> <tt class="literal">file</tt>
-option, which is useful in the event that you want to use a special
-configuration file based on the NetBIOS machine name or user of the
-client that is connecting.</p>
-
-<p>For example, the following line instructs Samba to use a
-configuration file specified by the NetBIOS name of the client
-connecting, if such a file exists. If it does, options specified in
-the original configuration file are ignored:</p>
-
-<blockquote><pre class="code">[global]
- config file = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
-
-<p>If the configuration file specified does not exist, the option is
-ignored, and Samba will continue to configure itself based on the
-current file. This allows a default configuration file to serve most
-clients, while providing for exceptions with customized configuration
-files.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.2"/>
-
-<h3 class="head3">include</h3>
-
-<p>This <a name="INDEX-51"/>option, discussed in greater detail
-earlier, copies the target file into the current configuration file
-at the point specified, as shown in <a href="ch06.html#samba2-CHP-6-FIG-1">Figure 6-1</a>.
-This option also can be used with variables. You can use this option
-as follows:</p>
-
-<blockquote><pre class="code">[global]
- include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
-
-<p>If the configuration file specified does not exist, the option is
-ignored. Options in the include file override any option specified
-previously, but not options that are specified later. In <a href="ch06.html#samba2-CHP-6-FIG-1">Figure 6-1</a>, all three options will override their
-previous values.</p>
-
-<div class="figure"><a name="samba2-CHP-6-FIG-1"/><img src="figs/sam2_0601.gif"/></div><h4 class="head4">Figure 6-1. The include option in a Samba configuration file</h4>
-
-<p>The <tt class="literal">include</tt> option does not work with the
-variables <tt class="literal">%u</tt> (user), <tt class="literal">%P</tt>
-(current share's root directory), or
-<tt class="literal">%S</tt> (current share's name) because
-they are not set at the time the <tt class="literal">include</tt> parameter
-is processed.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.3"/>
-
-<h3 class="head3">copy</h3>
-
-<p>The <tt class="literal">copy</tt><a name="INDEX-52"/> configuration option allows you to clone
-the configuration options of the share name that you specify in the
-current share. The target share must appear earlier in the
-configuration file than the share that is performing the copy. For
-example:</p>
-
-<blockquote><pre class="code">[template]
- writable = yes
- browsable = yes
- valid users = andy, dave, jay
-
-[data]
- path = /usr/local/samba
- copy = template</pre></blockquote>
-
-<p>Note that any options in the share that invoked the
-<tt class="literal">copy</tt> directive will override those in the cloned
-share; it does not matter whether they appear before or after the
-<tt class="literal">copy</tt> directive. <a name="INDEX-53"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-6-SECT-4"/>
-
-<h2 class="head1">Server Configuration</h2>
-
-<p><a name="INDEX-54"/>We will now start from
-scratch and build a configuration file for our Samba server. First we
-will introduce three basic configuration options that can appear in
-the <tt class="literal">[global]</tt> section of the
-<em class="filename">smb.conf</em> file:</p>
-
-<blockquote><pre class="code">[global]
- # Server configuration parameters
- netbios name = toltec
- server string = Samba %v on %L
- workgroup = METRAN
- encrypt passwords = yes</pre></blockquote>
-
-<p>This configuration file is pretty simple; it advertises the Samba
-server under the NetBIOS name <tt class="literal">toltec</tt>. In addition,
-it places the system in the METRAN workgroup and displays a
-description to clients that includes the Samba version number, as
-well as the NetBIOS name of the Samba server.</p>
-
-<a name="samba2-CHP-6-NOTE-130"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If you used the line <tt class="literal">encrypt passwords = yes</tt> in
-your earlier configuration file, you should do so here as well.</p>
-</blockquote>
-
-<p>If you like, you can go ahead and try this configuration file. Create
-a file named <em class="filename">smb.conf</em> under the
-<em class="filename">/usr/local/samba/lib</em> directory with the text
-listed earlier. Then restart the Samba server and use a Windows
-client to verify the results. Be sure that your Windows clients are
-in the METRAN workgroup as well. After double-clicking the Network
-Neighborhood on a Windows client, you should see a window similar to
-<a href="ch06.html#samba2-CHP-6-FIG-2">Figure 6-2</a>. (In this figure,
-<tt class="literal">Mixtec</tt> is another Samba server,
-<tt class="literal">a</tt>nd <tt class="literal">Zapotec</tt> is a Windows
-client.)</p>
-
-<div class="figure"><a name="samba2-CHP-6-FIG-2"/><img src="figs/sam2_0602.gif"/></div><h4 class="head4">Figure 6-2. Network Neighborhood showing Toltec, the Samba server</h4>
-
-<p>You can verify the <tt class="literal">server</tt>
-<tt class="literal">string</tt> by listing the details of the Network
-Neighborhood window (select Details in the View menu). You should see
-a window similar to <a href="ch06.html#samba2-CHP-6-FIG-3">Figure 6-3</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-6-FIG-3"/><img src="figs/sam2_0603.gif"/></div><h4 class="head4">Figure 6-3. Network Neighborhood details listing</h4>
-
-<p>If you were to click the <em class="filename">toltec</em> icon, a window
-should appear that shows the services that it provides. In this case,
-the window would be completely empty because there are no shares on
-the server yet.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-4.1"/>
-
-<h3 class="head2">Server Configuration Options</h3>
-
-<p><a href="ch06.html#samba2-CHP-6-TABLE-4">Table 6-4</a> summarizes the server configuration
-options introduced previously. All three of these options are global
-in scope, so they must appear in the <tt class="literal">[global]</tt>
-section of the configuration file.<a name="INDEX-55"/></p>
-
-<a name="samba2-CHP-6-TABLE-4"/><h4 class="head4">Table 6-4. Server configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">netbios</tt> <tt class="literal">name</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>NetBIOS name of the Samba server</p>
-</td>
-<td>
-<p>Server's unqualified DNS hostname</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">workgroup</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>NetBIOS group to which the server belongs</p>
-</td>
-<td>
-<p>Defined at compile time</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">server</tt> <tt class="literal">string</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Descriptive string for the Samba server</p>
-</td>
-<td>
-<p><tt class="literal">Samba %v</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.1"/>
-
-<h3 class="head3">netbios name</h3>
-
-<p>The <tt class="literal">netbios</tt><a name="INDEX-56"/> <tt class="literal">name</tt> option
-allows you to set the NetBIOS name of the server. For example:</p>
-
-<blockquote><pre class="code">netbios name = YORKVM1</pre></blockquote>
-
-<p>The default value for this configuration option is the
-server's hostname&mdash;that is, the first part of
-its fully qualified domain name. For example, a system with the DNS
-name <tt class="literal">ruby.ora.com</tt> would be given the NetBIOS name
-<tt class="literal">RUBY</tt> by default. While you can use this option to
-restate the system's NetBIOS name in the
-configuration file (as we did previously), it is more commonly used
-to assign the Samba server a NetBIOS name other than its current DNS
-name. Remember that the name given must follow the rules for valid
-NetBIOS machine names as outlined in <a href="ch01.html">Chapter 1</a>.</p>
-
-<p>Changing the NetBIOS name of the server is not recommended unless you
-have a good reason. One such reason might be if the hostname of the
-system is not unique because the LAN is divided over two or more DNS
-domains. For example, YORKVM1 is a good NetBIOS candidate for
-<tt class="literal">vm1.york.example.com</tt> to differentiate it from
-<tt class="literal">vm1.falkirk.example.com</tt>, which has the same
-hostname but resides in a different DNS domain.</p>
-
-<p>Another use of this option is for relocating SMB services from a dead
-or retired system. For example, if <tt class="literal">SALES</tt> is the
-SMB server for the department and it suddenly dies, you could
-immediately reset <tt class="literal">netbios</tt> <tt class="literal">name</tt>
-<tt class="literal">=</tt> <tt class="literal">SALES</tt> on a backup Samba
-server that's taking over for it. Users
-won't have to change their drive mappings to a
-different server; new connections to <tt class="literal">SALES</tt> will
-simply go to the new server.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.2"/>
-
-<h3 class="head3">workgroup</h3>
-
-<p>The <tt class="literal">workgroup</tt><a name="INDEX-57"/> parameter sets the
-current workgroup (or domain) in which the Samba server will
-advertise itself. Clients that wish to access shares on the Samba
-server should be in the same NetBIOS group. Remember that workgroups
-are really just NetBIOS group names and must follow the standard
-NetBIOS naming conventions outlined in <a href="ch01.html">Chapter 1</a>.</p>
-
-<p>The default option for this parameter is set at compile time to
-<tt class="literal">WORKGROUP</tt>. Because this is the default workgroup
-name of every unconfigured Windows and Samba system, we recommend
-that you always set your workgroup name in the Samba configuration
-file. When choosing your workgroup name, try to avoid making it the
-same name as a server or user. This will avoid possible problems with
-WINS name resolution.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.3"/>
-
-<h3 class="head3">server string</h3>
-
-<p>The <tt class="literal">server</tt><a name="INDEX-58"/> <tt class="literal">string</tt>
-parameter defines a comment string that will appear next to the
-server name in both the Network Neighborhood (when shown with the
-Details view) and the comment entry of the Microsoft Windows printer
-manager.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> </p>
-
-<p>You can use variables to provide
-information in the description. For example, our entry earlier was:</p>
-
-<blockquote><pre class="code">[global]
- server string = Samba %v on (%h)</pre></blockquote>
-
-<p>The default for this option simply presents the current version of
-Samba and is equivalent to:</p>
-
-<a name="INDEX-59"/><blockquote><pre class="code">server string = Samba %v</pre></blockquote>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-6-SECT-5"/>
-
-<h2 class="head1">Disk Share Configuration</h2>
-
-<p><a name="INDEX-60"/><a name="INDEX-61"/>We mentioned in the previous section that
-there were no disk shares on the <tt class="literal">toltec</tt> server.
-Let's continue building the configuration file and
-create an empty disk share called <tt class="literal">[data]</tt>. Here are
-the additions that will do it:</p>
-
-<blockquote><pre class="code">[data]
- path = /export/samba/data
- comment = Data Drive
- volume = Sample-Data-Drive
- writable = yes</pre></blockquote>
-
-<p>The <tt class="literal">[data]</tt> share is typical for a Samba disk
-share. The share maps to the directory <em class="filename">/export/samba/data
-</em>on the Samba server. We've also provided
-a comment that describes the share as a <tt class="literal">Data</tt>
-<tt class="literal">Drive</tt>, as well as a volume name for the share
-itself.</p>
-
-<p>Samba's default is to create a read-only share. As a
-result, the <tt class="literal">writable</tt> option needs to be explicitly
-set for each disk share you wish to make writable.</p>
-
-<p>We will also need to create the
-<em class="filename">/export/samba/data</em> directory on the Samba server
-with the following commands:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /export/samba/data</b></tt>
-# <tt class="userinput"><b>chmod 777 /export/samba/data</b></tt></pre></blockquote>
-
-<p>Now, if we connect to the <tt class="literal">toltec</tt> server again by
-double-clicking its icon in the Windows Network Neighborhood, we will
-see a single share entitled <tt class="literal">data</tt>, as shown in
-<a href="ch06.html#samba2-CHP-6-FIG-4">Figure 6-4</a>. This share has read/write access, so
-files can be copied to or from it.</p>
-
-<div class="figure"><a name="samba2-CHP-6-FIG-4"/><img src="figs/sam2_0604.gif"/></div><h4 class="head4">Figure 6-4. The initial data share on the Samba server</h4>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-5.1"/>
-
-<h3 class="head2">Disk Share Configuration Options</h3>
-
-<p>The basic Samba configuration options for disk shares previously
-introduced are listed in <a href="ch06.html#samba2-CHP-6-TABLE-5">Table 6-5</a>.</p>
-
-<a name="samba2-CHP-6-TABLE-5"/><h4 class="head4">Table 6-5. Basic share configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">path</tt> <tt class="literal">(directory)</tt></p>
-</td>
-<td>
-<p>string (directory name)</p>
-</td>
-<td>
-<p>Sets the Unix directory that will be provided for a disk share or
-used for spooling by a printer share.</p>
-</td>
-<td>
-<p><tt class="literal">/tmp</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">comment</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Sets the comment that appears with the share.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">volume</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Sets the MS-DOS volume name for the share.</p>
-</td>
-<td>
-<p>Share name</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">read only</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows read-only access to a share.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">writable</tt> <tt class="literal">(write ok or writeable)</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">no</tt>, allows read-only access to a share. If
-<tt class="literal">yes</tt>, both reading and writing are allowed.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.1"/>
-
-<h3 class="head3">path</h3>
-
-<p>This <a name="INDEX-63"/>option, which has the synonym
-<tt class="literal">directory</tt>, indicates the pathname for the root of
-the shared directory or printer. You can choose any directory on the
-Samba server, so long as the owner of the Samba process that is
-connecting has read and write access to that directory. If the path
-is for a printing share, it should point to a temporary directory
-where files can be written on the server before being spooled to the
-target printer ( <em class="filename"> /tmp</em> and
-<em class="filename">/var/spool</em> are popular choices). If this path is
-for a disk share, the contents of the folder representing the share
-name on the client will match the contents of the directory on the
-Samba server.</p>
-
-<p>The directory specified as the value for <tt class="literal">path</tt> can
-be given as a relative path, in which case it will be relative to the
-directory specified by the <tt class="literal">root</tt>
-<tt class="literal">directory</tt> parameter. Because
-<tt class="literal">root</tt> <tt class="literal">directory</tt> defaults to root
-(<em class="filename">/</em> ), it is generally a good idea to use
-absolute paths for the <tt class="literal">path</tt> parameter, unless
-<tt class="literal">root</tt> <tt class="literal">directory</tt> has been set to
-something other than the default.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.2"/>
-
-<h3 class="head3">comment</h3>
-
-<p>The <tt class="literal">comment</tt><a name="INDEX-64"/> option allows you to enter a
-comment that will be sent to the client when it attempts to browse
-the share. The user can see the comment by using the Details view on
-the share folder or with the <em class="emphasis">net view</em> command at
-an MS-DOS prompt. For example, here is how you might insert a comment
-for a share:</p>
-
-<blockquote><pre class="code">[network]
- comment = Network Drive
- path = /export/samba/network</pre></blockquote>
-
-<p>Be sure not to confuse the <tt class="literal">comment</tt> option, which
-documents a Samba server's shares, with the
-<tt class="literal">server</tt> <tt class="literal">string</tt> option, which
-documents the server itself.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.3"/>
-
-<h3 class="head3">volume</h3>
-
-<p>This <a name="INDEX-65"/>option allows you to specify the volume
-name of the share, which would otherwise default to the name of the
-share given in the <em class="filename">smb.conf</em> file.</p>
-
-<p>Some software installation programs check the volume name of the
-distribution CD-ROM to make sure the correct CD-ROM is in the drive
-before attempting to install from it. If you copy the contents of the
-CD-ROM into a network share and wish to install from there, you can
-use this option to make sure the installation program sees the
-correct volume name:</p>
-
-<blockquote><pre class="code">[network]
- comment = Network Drive
- volume = ASVP-102-RTYUIKA
- path = /home/samba/network</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.4"/>
-
-<h3 class="head3">read only, writable</h3>
-
-<p>The options <tt class="literal">read</tt><a name="INDEX-66"/> <tt class="literal">only</tt>
-and <tt class="literal">writable</tt><a name="INDEX-67"/> (also called
-<tt class="literal">writeable</tt><a name="INDEX-68"/> or
-<tt class="literal">write</tt><a name="INDEX-69"/> <tt class="literal">ok</tt> ) are really two
-ways of saying the same thing, but they are approached from opposite
-ends. For example, you can set either of the following options in the
-<tt class="literal">[global]</tt> section or in an individual share:</p>
-
-<blockquote><pre class="code">read only = yes
-writable = no</pre></blockquote>
-
-<p>If either option is set as shown, data can be read from a share, but
-cannot be written to it. You might think you would need this option
-only if you were creating a read-only share. However, note that this
-read-only behavior is the <em class="emphasis">default</em> action for
-shares; if you want to be able to write data to a share, you must
-explicitly specify one of the following options in the configuration
-file for each share:</p>
-
-<blockquote><pre class="code">read only = no
-writable = yes</pre></blockquote>
-
-<p>If you specify more than one occurrence of either option, Samba will
-adhere to the last value it encounters for the share. <a name="INDEX-70"/><a name="INDEX-71"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-6-SECT-6"/>
-
-<h2 class="head1">Networking Options with Samba</h2>
-
-<p><a name="INDEX-72"/><a name="INDEX-73"/>If
-you're running <a name="INDEX-74"/><a name="INDEX-75"/>Samba on a multihomed
-system (on multiple subnets), you will need to configure Samba to use
-all the network interfaces. Another use for the options presented in
-this section is to implement better security by allowing or
-disallowing connections on the specified interfaces.</p>
-
-<p>Let's assume that our Samba server can access both
-the subnets 192.168.220.* and 134.213.233.*. Here are our additions
-to the configuration file to add the networking configuration
-options:</p>
-
-<blockquote><pre class="code">[global]
- # Networking configuration options
- hosts allow = 192.168.220. 134.213.233.
- hosts deny = 192.168.220.102
- interfaces = 192.168.220.100/255.255.255.0 \
- 134.213.233.110/255.255.255.0
- bind interfaces only = yes</pre></blockquote>
-
-<p>Take a look at the <tt class="literal">hosts</tt><a name="INDEX-76"/> <tt class="literal">allow</tt>
-and <tt class="literal">hosts</tt><a name="INDEX-77"/> <tt class="literal">deny</tt> options. If these
-options sound familiar, you're probably thinking of
-the <em class="filename">hosts.allow</em> and
-<em class="filename">hosts.deny</em> files that are found in the
-<em class="filename">/etc</em> directories of many Unix systems. The
-purpose of these options is identical to those files; they provide a
-means of security by allowing or denying the connections of other
-hosts based on their IP addresses. We could use the
-<em class="filename">hosts.allow</em> and <em class="filename">hosts.deny</em>
-files, but we are using this method instead because there might be
-services on the server that we want others to access without also
-giving them access to Samba's disk or printer
-shares.</p>
-
-<p>With the <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option,
-we've specified a 192.168.220 IP address, which is
-equivalent to saying: &quot;All hosts on the 192.168.220
-subnet.&quot; However, we've explicitly
-specified in a <tt class="literal">hosts</tt> <tt class="literal">deny</tt> line
-that 192.168.220.102 is not to be allowed access.</p>
-
-<p>You might be wondering why 192.168.220.102 will be denied even though
-it is still in the subnet matched by the <tt class="literal">hosts</tt>
-<tt class="literal">allow</tt> option. It is important to understand how
-Samba sorts out the rules specified by <tt class="literal">hosts</tt>
-<tt class="literal">allow</tt> and <tt class="literal">hosts</tt> <tt class="literal">deny</tt>
-:</p>
-
-<ol><li>
-<p>If no <tt class="literal">allow</tt> or <tt class="literal">deny</tt> options are
-defined anywhere in <em class="filename">smb.conf</em>, Samba will allow
-connections from any system.</p>
-</li><li>
-<p>If <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options are defined
-in the <tt class="literal">[global]</tt> section of
-<em class="filename">smb.conf</em>, they will apply to all shares, even if
-either option is defined in one or more of the shares.</p>
-</li><li>
-<p>If only a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option is
-defined for a share, only the hosts listed will be allowed to use the
-share. All others will be denied.</p>
-</li><li>
-<p>If only a <tt class="literal">hosts</tt> <tt class="literal">deny</tt> option is
-defined for a share, any client which is not on the list will be able
-to use the share.</p>
-</li><li>
-<p>If both a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option are defined,
-a host must appear in the allow list and not appear in the deny list
-(in any form) to access the share. Otherwise, the host will not be
-allowed.</p>
-</li></ol><a name="samba2-CHP-6-NOTE-131"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Take care that you don't explicitly allow a host to
-access a share, but then deny access to the entire subnet of which
-the host is part.</p>
-</blockquote>
-
-<p>Let's look at another example of that final item.
-Consider the following options:</p>
-
-<blockquote><pre class="code">hosts allow = 111.222.
-hosts deny = 111.222.333.</pre></blockquote>
-
-<p>In this case, only the hosts that belong to the subnet 111.222.*.*
-will be allowed access to the Samba shares. However, if a client
-belongs to the 111.222.333.* subnet, it will be denied access, even
-though it still matches the qualifications outlined by
-<tt class="literal">hosts</tt> <tt class="literal">allow</tt>. The client must
-appear on the <tt class="literal">hosts</tt> <tt class="literal">allow</tt> list
-and <em class="emphasis">must not</em> appear on the
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> list to gain access
-to a Samba share.</p>
-
-<p>The other two options that we've specified are
-<tt class="literal">interfaces</tt> and <tt class="literal">bind</tt>
-<tt class="literal">interface</tt> <tt class="literal">only</tt>.
-Let's look at the <tt class="literal">interfaces</tt>
-option first. Samba, by default, sends data only from the primary
-network interface, which in our example is the 192.168.220.100
-subnet. If we would like it to send data to more than that one
-interface, we need to specify the complete list with the
-<tt class="literal">interfaces</tt> option. In the previous example,
-we've bound Samba to interface with both subnets
-(192.168.220 and 134.213.233) on which the system is operating by
-specifying the other network interface address: 134.213.233.100. If
-you have more than one interface on your computer, you should always
-set this option, as there is no guarantee that the primary interface
-that Samba chooses will be the right one.</p>
-
-<p>Finally, the <tt class="literal">bind</tt> <tt class="literal">interfaces</tt>
-<tt class="literal">only</tt> option instructs the
-<em class="filename">nmbd</em> process not to accept any broadcast
-messages other than on the subnets specified with the
-<tt class="literal">interfaces</tt> option. This is different from the
-<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options, which
-prevent clients from making connections to services, but not from
-receiving broadcast messages. Using the <tt class="literal">bind</tt>
-<tt class="literal">interfaces</tt> <tt class="literal">only</tt> option is a way
-to shut out all datagrams from foreign subnets. In addition, it
-instructs the <em class="emphasis">smbd</em> process to bind to only the
-interface list given by the <em class="emphasis">interfaces</em> option.
-This restricts the networks that Samba will serve.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-6.1"/>
-
-<h3 class="head2">Networking Options</h3>
-
-<p>The networking options we introduced earlier are summarized in <a href="ch06.html#samba2-CHP-6-TABLE-6">Table 6-6</a>.</p>
-
-<a name="samba2-CHP-6-TABLE-6"/><h4 class="head4">Table 6-6. Networking configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">hosts allow (allow</tt> <tt class="literal">hosts)</tt></p>
-</td>
-<td>
-<p>string (list of hostnames)</p>
-</td>
-<td>
-<p>Client systems that can connect to Samba.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">hosts deny (deny</tt> <tt class="literal">hosts)</tt></p>
-</td>
-<td>
-<p>string (list of hostnames)</p>
-</td>
-<td>
-<p>Client systems that cannot connect to Samba.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">interfaces</tt></p>
-</td>
-<td>
-<p>string (list of IP/netmask combinations)</p>
-</td>
-<td>
-<p>Network interfaces Samba will respond to. Allows correcting defaults.</p>
-</td>
-<td>
-<p>System-dependent</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">bind</tt></p>
-
-<p><tt class="literal">interfaces only</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">yes</tt>, Samba will bind only to those
-interfaces specified by the <tt class="literal">interfaces</tt> option.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.1"/>
-
-<h3 class="head3">hosts allow</h3>
-
-<p>The <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option
-(sometimes written as <tt class="literal">allow</tt>
-<tt class="literal">hosts</tt>) specifies the clients that have permission
-to access shares on the Samba server, written as a comma- or
-space-separated list of hostnames of systems or their IP addresses.
-You can gain quite a bit of security by simply placing your
-LAN's subnet address in this option.</p>
-
-<p>You can specify any of the following formats for this option:</p>
-
-<ul><li>
-<p>Hostnames, such as <tt class="literal">ftp.example.com</tt> .</p>
-</li><li>
-<p>IP addresses, such as <tt class="literal">130.63.9.252</tt>.</p>
-</li><li>
-<p>Domain names, which can be differentiated from individual hostnames
-because they start with a dot. For example,
-<tt class="literal">.ora.com</tt> represents all systems within the
-<em class="emphasis">ora.com</em> domain.</p>
-</li><li>
-<p>Netgroups, which start with an at sign (<tt class="literal">@</tt>), such
-as <tt class="literal">@printerhosts</tt>. Netgroups are usually available
-only on systems running NIS or NIS+. If netgroups are supported on
-your system, there should be a <tt class="literal">netgroups</tt> manual
-page that describes them in more detail.</p>
-</li><li>
-<p>Subnets, which end with a dot. For example,
-<tt class="literal">130.63.9</tt>. means all the systems whose IP addresses
-begin with 130.63.9.</p>
-</li><li>
-<p>The keyword <tt class="literal">ALL</tt>, which allows any client access.</p>
-</li><li>
-<p>The keyword <tt class="literal">EXCEPT</tt> followed by one or more names,
-IP addresses, domain names, netgroups, or subnets. For example, you
-could specify that Samba allow all hosts except those on the
-192.168.110 subnet with <tt class="literal">hosts</tt>
-<tt class="literal">allow</tt> <tt class="literal">=</tt> <tt class="literal">ALL</tt>
-<tt class="literal">EXCEPT</tt> <tt class="literal">192.168.110</tt>. (remember
-to include the trailing dot).</p>
-</li></ul>
-<p>Using the <tt class="literal">ALL</tt> keyword by itself is almost always a
-bad idea because it means that crackers on any network can access
-your Samba server.</p>
-
-<p>The hostname <tt class="literal">localhost</tt>, for the loopback address
-127.0.0.1, is included in the <tt class="literal">hosts</tt>
-<tt class="literal">allow</tt> list by default and does not need to be
-listed explicitly unless you have specified the
-<tt class="literal">bind</tt> <tt class="literal">interfaces</tt>
-<tt class="literal">only</tt> parameter. This address is required for Samba
-to work properly.</p>
-
-<p>Other than that, there is no default value for the
-<tt class="literal">hosts</tt> <tt class="literal">allow</tt> configuration
-option. The default course of action in the event that neither the
-<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option is specified
-in <em class="filename">smb.conf</em> is to allow access from all sources.</p>
-
-<a name="samba2-CHP-6-NOTE-132"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If you specify <tt class="literal">hosts allow</tt> in the
-<tt class="literal">[global]</tt> section, that definition will override
-any <tt class="literal">hosts allow</tt> lines in the share definitions.
-This is the opposite of the usual behavior, which is for parameters
-set in share definitions to override default values set in the
-<tt class="literal">[global]</tt> section.<a name="INDEX-78"/></p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.2"/>
-
-<h3 class="head3">hosts deny</h3>
-
-<p>The <tt class="literal">hosts</tt> <tt class="literal">deny</tt> option
-(synonymous with <tt class="literal">deny</tt> <tt class="literal">hosts</tt>)
-specifies client systems that do not have permission to access a
-share, written as a comma- or space-separated list of hostnames or
-their IP addresses. Use the same format for specifying clients as the
-<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option earlier. For
-example, to restrict access to the server from everywhere but
-<tt class="literal">example.com</tt>, you could write:</p>
-
-<blockquote><pre class="code">hosts deny = ALL EXCEPT .example.com</pre></blockquote>
-
-<p>There is no default value for the <tt class="literal">hosts</tt>
-<tt class="literal">deny</tt> configuration option, although the default
-course of action in the event that neither option is specified is to
-allow access from all sources. Also, if you specify this option in
-the <tt class="literal">[global]</tt> section of the configuration file, it
-will override any <tt class="literal">hosts</tt> <tt class="literal">deny</tt>
-options defined in shares. If you wish to deny access to specific
-shares, omit both the <tt class="literal">hosts</tt>
-<tt class="literal">allow</tt> and <tt class="literal">hosts</tt>
-<tt class="literal">deny</tt> options from the <tt class="literal">[global]</tt>
-section of the configuration file.</p>
-
-<a name="samba2-CHP-6-NOTE-133"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
-<p>Never include the loopback address (<tt class="literal">localhost</tt> at
-IP address 127.0.0.1) in the <tt class="literal">hosts deny</tt> list. The
-<em class="filename">smbpasswd</em> program needs to connect through the
-loopback address to the Samba server as a client to change a
-user's encrypted password. If the loopback address
-is disabled, the locally generated packets requesting the change of
-the encrypted password will be discarded by Samba.</p>
-
-
-<p>In addition, both local browsing propagation and some functions of
-SWAT require access to the Samba server through the loopback address
-and will not work correctly if this address is disabled.
-<a name="INDEX-79"/></p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.3"/>
-
-<h3 class="head3">interfaces</h3>
-
-<p>The <tt class="literal">interfaces</tt><a name="INDEX-80"/> option specifies the
-networks that you want the Samba server to recognize and respond to.
-This option is handy if you have a computer that resides on more than
-one network subnet. If this option is not set, Samba searches for the
-primary network interface of the server (typically the first Ethernet
-card) upon startup and configures itself to operate on only that
-subnet. If the server is configured for more than one subnet and you
-do not specify this option, Samba will only work on the first subnet
-it encounters. You must use this option to force Samba to serve the
-other subnets on your network.</p>
-
-<p>The value of this option is one or more sets of IP address/netmask
-pairs, as in the following:</p>
-
-<blockquote><pre class="code">interfaces = 192.168.220.100/255.255.255.0 192.168.210.30/255.255.255.0</pre></blockquote>
-
-<p>You can optionally specify a
-<a name="INDEX-81"/><a name="INDEX-82"/>CIDR format bitmask, like this:</p>
-
-<blockquote><pre class="code">interfaces = 192.168.220.100/24 192.168.210.30/24</pre></blockquote>
-
-<p>The number after the slash specifies the number of bits that will be
-set in the netmask. For example, the number 24 means that the first
-24 (of 32) bits will be set in the bitmask, which is the same as
-specifying 255.255.255.0 as the netmask. Likewise, 16 would be
-equivalent to a netmask of 255.255.0.0, and 8 would be the same as a
-netmask of 255.0.0.0.</p>
-<a name="samba2-CHP-6-NOTE-135"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>This option might not work correctly if you are using DHCP.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.4"/>
-
-<h3 class="head3">bind interfaces only</h3>
-
-<p>The <tt class="literal">bind</tt><a name="INDEX-83"/>
-<tt class="literal">interfaces</tt> <tt class="literal">only</tt> option can be
-used to force the <em class="emphasis">smbd</em> and
-<em class="emphasis">nmbd</em> processes to respond only to those
-addresses specified by the <tt class="literal">interfaces</tt> option. The
-<em class="emphasis">nmbd</em> process normally binds to the all-addresses
-interface (0.0.0.0.) on ports 137 and 138, allowing it to receive
-broadcasts from anywhere. However, you can override this behavior
-with the following:</p>
-
-<blockquote><pre class="code">bind interfaces only = yes</pre></blockquote>
-
-<p>This will cause Samba to ignore any packets (including broadcast
-packets) whose source address does not correspond to any of the
-network interfaces specified by the <tt class="literal">interfaces</tt>
-option. You should avoid using this option if you want to allow
-temporary network connections, such as those created through SLIP or
-PPP. It's very rare that this option is needed, and
-it should be used only by experts.</p>
-
-<a name="samba2-CHP-6-NOTE-136"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If you set <tt class="literal">bind interfaces only</tt> to <tt class="literal">yes</tt>
-, add the <a name="INDEX-84"/><a name="INDEX-85"/><a name="INDEX-86"/>local host
-address (127.0.01) to the
-&quot;interfaces&quot; list. Otherwise,
-<em class="emphasis">smbpasswd</em> will be unable to connect to the
-server using its default mode in order to change a password, local
-browse list propagation will fail, and some functions of swat will
-not work properly. <a name="INDEX-87"/><a name="INDEX-88"/></p>
-</blockquote>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-6-SECT-7"/>
-
-<h2 class="head1">Virtual Servers</h2>
-
-<p><a name="INDEX-89"/>Virtual
-servers can be used to create the illusion of having multiple servers
-on the network, when in reality there is only one. The technique is
-simple to implement: a system simply registers more than one NetBIOS
-name in association with its IP address. There are tangible benefits
-to doing this.</p>
-
-<p>For example, the accounting department might have an
-<tt class="literal">accounting</tt> server, and clients of it would see
-just the accounting disks and printers. The marketing department
-could have its own server, <tt class="literal">marketing</tt>, with its own
-reports, and so on. However, all the services would be provided by
-one medium-size Unix server (and one relaxed administrator) instead
-of having one small server per department.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-7.1"/>
-
-<h3 class="head2">Virtual Server Configuration Options</h3>
-
-<p><a name="INDEX-90"/><a name="INDEX-91"/>Samba will allow a server to use more
-than one NetBIOS name with the <tt class="literal">netbios</tt>
-<tt class="literal">aliases</tt> option. See <a href="ch06.html#samba2-CHP-6-TABLE-7">Table 6-7</a>.</p>
-
-<a name="samba2-CHP-6-TABLE-7"/><h4 class="head4">Table 6-7. Virtual server configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">netbios</tt> <tt class="literal">aliases</tt></p>
-</td>
-<td>
-<p>string (list of NetBIOS names)</p>
-</td>
-<td>
-<p>Additional NetBIOS names to respond to, for use with multiple
-&quot;virtual&quot; Samba servers</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-7.1.1"/>
-
-<h3 class="head3">netbios aliases</h3>
-
-<p>The <tt class="literal">netbios</tt><a name="INDEX-92"/>
-<tt class="literal">aliases</tt> option can be used to give the Samba
-server more than one NetBIOS name. Each NetBIOS name listed as a
-value will be displayed in the Network Neighborhood of Windows
-clients. When a connection is requested to any of the servers, it
-will connect to the same Samba server.</p>
-
-<p>This might come in handy, for example, if you're
-transferring three departments' data to a single
-Unix server with larger and faster disks and are retiring or
-reallocating the old Windows NT/2000 servers. If the three servers
-are called <tt class="literal">sales</tt>, <tt class="literal">accounting</tt>,
-and <tt class="literal">admin</tt>, you can have Samba represent all three
-servers with the following options:</p>
-
-<blockquote><pre class="code">[global]
- netbios aliases = sales accounting admin
- include = /usr/local/samba/lib/smb.conf.%L</pre></blockquote>
-
-<p>See <a href="ch06.html#samba2-CHP-6-FIG-5">Figure 6-5</a> for what the Network Neighborhood
-would display from a client. When a client attempts to connect to
-Samba, it will specify the name of the server to which
-it's trying to connect, which is made available in
-the configuration file through the <tt class="literal">%L</tt> variable. If
-the requested server is <tt class="literal">sales</tt>, Samba will include
-the file <em class="filename">/usr/local/samba/lib/smb.conf.sales</em>.
-This file might contain global and share declarations exclusively for
-the sales team, such as the following:</p>
-
-<blockquote><pre class="code">[global]
- workgroup = SALES
- hosts allow = 192.168.10.255
-
-[sales2003]
- path = /usr/local/samba/sales/sales2003/
-...</pre></blockquote>
-
-<p>This particular example would set the workgroup to SALES as well and
-set the IP address to allow connections only from the SALES subnet
-(192.168.10). In addition, it would offer shares specific to the
-sales department.</p>
-
-<div class="figure"><a name="samba2-CHP-6-FIG-5"/><img src="figs/sam2_0605.gif"/></div><h4 class="head4">Figure 6-5. Using NetBIOS aliases for a Samba server</h4>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-6-SECT-8"/>
-
-<h2 class="head1">Logging Configuration Options</h2>
-
-<p><a name="INDEX-93"/><a name="INDEX-94"/>Occasionally,
-we need to find out what Samba is up to. This is especially true when
-Samba is performing an unexpected action or is not performing at all.
-To find out this information, we need to check
-Samba's log files to see exactly why it did what it
-did.</p>
-
-<p>Samba <a name="INDEX-95"/>log files
-can be as brief or verbose as you like. Here is an example of what a
-Samba log file looks like:</p>
-
-<blockquote><pre class="code">[2002/07/21 13:23:25, 3] smbd/service.c:close_cnum(514)
- maya (172.16.1.6) closed connection to service IPC$
-[2002/07/21 13:23:25, 3] smbd/connection.c:yield_connection(40)
- Yielding connection to IPC$
-[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
- Transaction 923 of length 49
-[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
- switch message SMBread (pid 467)
-[2002/07/21 13:23:25, 3] lib/doscalls.c:dos_ChDir(336)
- dos_ChDir to /home/samba
-[2002/07/21 13:23:25, 3] smbd/reply.c:reply_read(2199)
- read fnum=4207 num=2820 nread=2820
-[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
- Transaction 924 of length 55
-[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
- switch message SMBreadbraw (pid 467)
-[2002/07/21 13:23:25, 3] smbd/reply.c:reply_readbraw(2053)
- readbraw fnum=4207 start=130820 max=1276 min=0 nread=1276
-[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
- Transaction 925 of length 55
-[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
- switch message SMBreadbraw (pid 467)</pre></blockquote>
-
-<p>Much of this information is of use only to Samba programmers.
-However, we will go over the meaning of some of these entries in more
-detail in <a href="ch12.html">Chapter 12</a>.</p>
-
-<p>Samba contains six options that allow users to describe how and where
-logging information should be written. Each of these are global
-options and cannot appear inside a share definition. Here is an
-example of some logging options that we are adding to our
-configuration file:</p>
-
-<blockquote><pre class="code">[global]
- log level = 2
- log file = /var/log/samba.log.%m
- max log size = 50
- debug timestamp = yes</pre></blockquote>
-
-<p>Here, we've added a custom log file that reports
-information up to debug level 2. This is a relatively light debugging
-level. The logging level ranges from 1 to 10, where level 1 provides
-only a small amount of information and level 10 provides a plethora
-of low-level information. Levels 2 or 3 will provide us with useful
-debugging information without wasting disk space on our server. In
-practice, you should avoid using log levels greater than 3 unless you
-are working on the Samba source code.</p>
-
-<p>The logging file is located in the <em class="filename">/var/log</em>
-directory thanks to the <tt class="literal">log</tt>
-<tt class="literal">file</tt> configuration option. However, we can use
-variable substitution to create log files specifically for individual
-users or clients, such as with the <tt class="literal">%m</tt> variable in
-the following line:</p>
-
-<blockquote><pre class="code">log file = /usr/local/logs/samba.log.%m</pre></blockquote>
-
-<p>Isolating the log messages can be invaluable in tracking down a
-network error if you know the problem is coming from a specific
-client system or user.</p>
-
-<p>We've added a precaution to the log files: no one
-log file can exceed 50 KB in size, as specified by the
-<tt class="literal">max</tt> <tt class="literal">log</tt> <tt class="literal">size</tt>
-option. If a log file exceeds this size, the contents are moved to a
-file with the same name but with the suffix <em class="emphasis">.old</em>
-appended. If the <em class="emphasis">.old</em> file already exists, it is
-overwritten and its contents are lost. The original file is cleared,
-waiting to receive new logging information. This prevents the hard
-drive from being overwhelmed with Samba log files during the life of
-the Samba daemons.</p>
-
-<p>We have decided to write the timestamps of the messages in the logs
-with the <tt class="literal">debug</tt> <tt class="literal">timestamp</tt>
-option, which is the default behavior. This will place a timestamp in
-each message written to the logging file. If we were not interested
-in this information, we could specify <tt class="literal">no</tt> for this
-option instead.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-8.1"/>
-
-<h3 class="head2">Using syslog</h3>
-
-<p>If you wish to use the system logger
-(<a name="INDEX-96"/>syslog<em class="filename">
-</em>) in addition to or in place of the standard Samba logging
-file, Samba provides options for this as well. However, to use
-syslog, the first thing you will have to do is make sure that Samba
-was built with the <tt class="literal">configure</tt>
-<tt class="literal">--with-syslog</tt> option. See <a href="ch02.html">Chapter 2</a> for more information on configuring and
-compiling Samba. See <a href="appe.html">Appendix E</a> for more
-information about the <tt class="literal">--with-syslog</tt> option.</p>
-
-<p>Once that is done, you will need to configure your
-<em class="filename">/etc/syslog.conf</em><a name="INDEX-97"/> to accept logging information from Samba.
-If there is not already a <tt class="literal">daemon.*</tt> entry in the
-<em class="filename">/etc/syslog.conf</em> file, add the following:</p>
-
-<blockquote><pre class="code">daemon.* /var/log/daemon.log</pre></blockquote>
-
-<p>This specifies that any logging information from system daemons will
-be stored in the <em class="filename">/var/log/daemon.log</em> file. This
-is where the Samba information will be stored as well. From there,
-you can set a value for the <tt class="literal">syslog</tt> parameter in
-your Samba configuration file to specify which logging messages are
-to be sent to syslog. Only messages that have debug levels lower than
-the value of the <tt class="literal">syslog</tt> parameter will be sent to
-syslog. For example, setting the following:</p>
-
-<blockquote><pre class="code">syslog = 3</pre></blockquote>
-
-<p>specifies that any logging messages with a level of 2 or below will
-be sent to both syslog and the Samba logging files. (The mappings to
-<em class="filename">syslog</em> priorities are described in the upcoming
-section &quot;syslog.&quot;) To continue the
-example, let's assume that we have set the
-<tt class="literal">log</tt> <tt class="literal">level</tt> option to 4. Logging
-messages with levels of 2 and 1 will be sent to both syslog and the
-Samba logging files, and messages with a level of 3 or 4 will be sent
-to the Samba logging files, but not to syslog. If the
-<tt class="literal">syslog</tt> value exceeds the <tt class="literal">log</tt>
-<tt class="literal">level</tt> value, nothing will be sent to syslog.</p>
-
-<p>If you want to specify that messages be sent only to syslog&mdash;and
-not to the standard Samba logging files&mdash;you can place this
-option in the configuration file:</p>
-
-<blockquote><pre class="code">syslog only = yes</pre></blockquote>
-
-<p>If this is the case, any logging information above the number
-specified in the <tt class="literal">syslog</tt> option will be discarded,
-as with the <tt class="literal">log</tt> <tt class="literal">level</tt> option.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-6-SECT-8.2"/>
-
-<h3 class="head2">Logging Configuration Options</h3>
-
-<p><a href="ch06.html#samba2-CHP-6-TABLE-8">Table 6-8</a> lists each logging configuration option
-that Samba can use.</p>
-
-<a name="samba2-CHP-6-TABLE-8"/><h4 class="head4">Table 6-8. Logging configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">log file</tt></p>
-</td>
-<td>
-<p>string (name of file)</p>
-</td>
-<td>
-<p>Name of the log file that Samba is to use. Works with all variables.</p>
-</td>
-<td>
-<p>Specified in Samba makefile</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">log level</tt></p>
-
-<p><tt class="literal">(debug level)</tt></p>
-</td>
-<td>
-<p>numeric (0-10)</p>
-</td>
-<td>
-<p>Amount of log/debug messages that are sent to the log file. 0 is
-none; 3 is considerable.</p>
-</td>
-<td>
-<p><tt class="literal">1</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">max log size</tt></p>
-</td>
-<td>
-<p>numeric (size in KB)</p>
-</td>
-<td>
-<p>Maximum size of log file.</p>
-</td>
-<td>
-<p><tt class="literal">5000</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">debug timestamp</tt> <tt class="literal">(timestamp logs)</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">no</tt>, doesn't timestamp logs,
-making them easier to read during heavy debugging.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">syslog</tt></p>
-</td>
-<td>
-<p>numeric (0-10)</p>
-</td>
-<td>
-<p>Level of messages sent to <em class="emphasis">syslog</em>. Those levels
-below <tt class="literal">syslog</tt> <tt class="literal">level</tt> will be sent
-to the system logger.</p>
-</td>
-<td>
-<p><tt class="literal">1</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">syslog only</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, uses <em class="emphasis">syslog</em> entirely
-and sends no output to the Samba log files.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.1"/>
-
-<h3 class="head3">log file</h3>
-
-<p>By default, Samba writes log information to text files in the
-<em class="filename">/usr/local/samba/var</em> directory. The
-<tt class="literal">log</tt><a name="INDEX-98"/> <tt class="literal">file</tt> option can be
-used to set the name of the log file to another location. For
-example, to put the Samba log information in
-<em class="filename">/usr/local/logs/samba.log</em>, you could use the
-following:</p>
-
-<blockquote><pre class="code">[global]
- log file = /usr/local/logs/samba.log</pre></blockquote>
-
-<p>You can use variable substitution to create log files specifically
-for individual users or clients.</p>
-
-<p>You can override the default log file location using the
-<em class="emphasis">-l</em> command-line switch when either daemon is
-started. However, this does not override the <tt class="literal">log</tt>
-<tt class="literal">file</tt> option. If you do specify this parameter,
-initial logging information will be sent to the file specified after
-<em class="emphasis">-l</em> (or the default specified in the Samba
-makefile) until the daemons have processed the
-<em class="filename">smb.conf</em> file and know to redirect it to a new
-log file.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.2"/>
-
-<h3 class="head3">log level</h3>
-
-<p>The <tt class="literal">log</tt><a name="INDEX-99"/> <tt class="literal">level</tt> option
-sets the amount of data to be logged. Normally this is set to 0 or 1.
-However, if you have a specific problem, you might want to set it at
-3, which provides the most useful debugging information you would
-need to track down a problem. Levels above 3 provide information
-that's primarily for the developers to use for
-chasing internal bugs, and it slows down the server considerably.
-Therefore, we recommend that for normal day-to-day operation, you
-avoid setting this option to anything above 3.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.3"/>
-
-<h3 class="head3">max log size</h3>
-
-<p>The <tt class="literal">max</tt><a name="INDEX-100"/> <tt class="literal">log</tt>
-<tt class="literal">size</tt> option sets the maximum size, in kilobytes,
-of the debugging log file that Samba keeps. When the log file exceeds
-this size, the current log file is renamed to add a
-<em class="filename">.old</em> extension (erasing any previous file with
-that name) and a new debugging log file is started with the original
-name. For example:</p>
-
-<blockquote><pre class="code">[global]
- log file = /usr/local/logs/samba.log.%m
- max log size = 1000</pre></blockquote>
-
-<p>Here, if the size of any log file exceeds 1MB, Samba renames the log
-file <em class="emphasis">samba.log</em>.
-<em class="replaceable">machine-name</em><em class="emphasis">.old</em>,
-and a new log file is generated. If there is already a file with the
-<em class="emphasis">.old</em> extension, Samba deletes it. We highly
-recommend setting this option in your configuration files because
-debug logging (even at lower levels) can quietly eat away at your
-available disk space. Using this option protects unwary
-administrators from suddenly discovering that most of the space on a
-disk or partition has been swallowed up by a single Samba log file.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.4"/>
-
-<h3 class="head3">debug timestamp or timestamp logs</h3>
-
-<p>If you happen to be debugging a network problem and you find that the
-timestamp information within the Samba log lines gets in the way, you
-can turn it off by giving either the
-<tt class="literal">timestamp</tt><a name="INDEX-101"/> <tt class="literal">logs</tt> or the
-synonymous <tt class="literal">debug</tt><a name="INDEX-102"/>
-<tt class="literal">timestamp</tt> option a value of <tt class="literal">no</tt>.
-For example, a regular Samba log file presents its output in the
-following form:</p>
-
-<blockquote><pre class="code">12/31/01 12:03:34 toltec (172.16.1.1) connect to server network as user jay</pre></blockquote>
-
-<p>With a <tt class="literal">no</tt> value for this option, the output would
-appear without the timestamp:</p>
-
-<blockquote><pre class="code">toltec (172.16.1.1) connect to server network as user jay</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.5"/>
-
-<h3 class="head3">syslog</h3>
-
-<p>The <tt class="literal">syslog</tt><a name="INDEX-103"/> option causes Samba log
-messages to be sent to the Unix system logger. The type of log
-information to be sent is specified as a numeric value. Like the
-<tt class="literal">log</tt> <tt class="literal">level</tt> option, it can be a
-number from 0 to 10. Logging information with a level less than the
-number specified will be sent to the system logger. Debug logs
-greater than or equal to the <tt class="literal">syslog</tt> level, but
-less than log level, will still be sent to the standard Samba log
-files. For example:</p>
-
-<blockquote><pre class="code">[global]
- log level = 3
- syslog = 1</pre></blockquote>
-
-<p>With this, all logging information with a level of 0 would be sent to
-the standard Samba logs and the system logger, while information with
-levels 1, 2, and 3 would be sent only to the standard Samba logs.
-Levels above 3 are not logged at all. All messages sent to the system
-logger are mapped to a priority level that the syslogd daemon
-understands, as shown in <a href="ch06.html#samba2-CHP-6-TABLE-9">Table 6-9</a>. The default
-level is 1.</p>
-
-<a name="samba2-CHP-6-TABLE-9"/><h4 class="head4">Table 6-9. syslog priority conversion</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Log level</p>
-</th>
-<th>
-<p>syslog priority</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>0</p>
-</td>
-<td>
-<p><tt class="literal">LOG_ERR</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>1</p>
-</td>
-<td>
-<p><tt class="literal">LOG_WARNING</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>2</p>
-</td>
-<td>
-<p><tt class="literal">LOG_NOTICE</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>3</p>
-</td>
-<td>
-<p><tt class="literal">LOG_INFO</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>4 and above</p>
-</td>
-<td>
-<p><tt class="literal">LOG_DEBUG</tt></p>
-</td>
-</tr>
-
-</table>
-
-<p>If you wish to use <em class="emphasis">syslog</em>, you will have to run
-<tt class="literal">configure</tt> <tt class="literal">--with-syslog</tt> when
-compiling Samba, and you will need to configure your
-<em class="filename">/etc/syslog.conf</em> to suit. (See <a href="ch06.html#samba2-CHP-6-SECT-8.1">Section 6.8.1</a>, earlier in this chapter.)</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.6"/>
-
-<h3 class="head3">syslog only</h3>
-
-<p>The <tt class="literal">syslog</tt><a name="INDEX-104"/> <tt class="literal">only</tt> option
-tells Samba not to use its own logging files at all and to use only
-the system logger. To enable this, specify the following option in
-the global section of the Samba configuration file:</p>
-
-<a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><blockquote><pre class="code">[global]
- syslog only = yes</pre></blockquote>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> Depending on your system, this file might not
-be <em class="emphasis">/etc/printcap</em>. You can use the
-<em class="emphasis">testparm</em> command that comes with Samba to dump
-the parameter definitions and determine the value of the
-<tt class="literal">printcap</tt> <tt class="literal">name</tt> configuration
-option. The value assigned to it is the default value chosen when
-Samba was configured and compiled, which should be correct.</p>
-<a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> We are referring here to the window that
-opens when a printer icon in the Printers control panel is
-double-clicked.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch07.html b/docs/htmldocs/using_samba/ch07.html
deleted file mode 100644
index a6dc8d94b0..0000000000
--- a/docs/htmldocs/using_samba/ch07.html
+++ /dev/null
@@ -1,2139 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 7. Name Resolution and Browsing</h1>
-
-
-
-
-<p><a name="INDEX-1"/><em class="firstterm">Name
-resolution</em> is critical to Samba's
-operation because names are used to find the servers that share files
-or printers. <em class="firstterm">Browsing</em> takes the task of
-finding servers to a new level of sophistication by allowing a user
-to delve down into a hierarchy of networks, domains, hosts, and
-services offered by each server.</p>
-
-<p>While name resolution and
-<a name="INDEX-2"/>browsing are not
-difficult to configure, some complexity is introduced by the variety
-of available name-resolution systems. Historically, Unix and other
-TCP/IP users have moved from a flat hosts file to the Domain Name
-System, with the Network Information System being another popular
-choice. Meanwhile, Microsoft has moved from a broadcasting system to
-a simple, LAN-only name server called WINS and ultimately to DNS.</p>
-
-<p>The reason for going over that history is that all previous systems
-of name resolution are still in use today! Finding a host is so
-crucial to networking that sites want robust (if limited)
-name-resolution systems to fall back on in case the main system
-fails. Browsing is also complicated by the frequent need to show
-hosts in other subnets. This chapter shows you how to configure your
-network to handle name resolution and browsing any way you want.</p>
-
-<p>Some of the differences between Unix and Microsoft networking
-implementations are the result of fundamental design goals. Unix
-networking was originally designed largely to implement a relatively
-formal group of systems that were assumed to be small in number,
-well-maintained, and highly available, that have static IP addresses,
-and that wouldn't physically move around from place
-to place. Bringing a new server online was a labor-intensive task,
-but it did not have to be performed frequently. In contrast, Windows
-networking was originally developed as a peer-to-peer collection of
-small personal computers on a single subnet, having no centrally or
-hierarchically organized structure.</p>
-
-<p>SMB networking is dynamic. Computers are allowed to leave the network
-at any time, sometimes without warning, and also to join or rejoin
-the network at any time. Furthermore, any user in a Windows network
-can add a new shared resource to the network or remove a resource
-that he had previously added. The change in the
-network's configuration is handled automatically by
-the rest of the network without requiring a system administrator to
-take any action.</p>
-
-
-
-<div class="sect1"><a name="samba2-CHP-7-SECT-1"/>
-
-<h2 class="head1">Name Resolution</h2>
-
-<p>TCP/IP networks identify systems by IP addresses and always associate
-these addresses with more human-readable text names. In
-Microsoft's earliest networking implementations (for
-MS-DOS and Windows for Workgroups), the translation of names to
-network addresses was carried out in a manner that was very simple,
-yet very inefficient. When a system on the network needed an IP
-address corresponding to a name, it broadcasted the name to every
-other system on the network and waited for the system that owned the
-name to respond with its IP address.</p>
-
-<p>The main problem with performing <a name="INDEX-3"/>name resolution using broadcast
-packets is poor performance of the network as a whole, including CPU
-time consumed by each host on the network, which has to accept every
-broadcast packet and decide whether to respond to it. Also, broadcast
-packets usually aren't forwarded by routers,
-limiting name resolution to the local subnet.
-Microsoft's solution was to add WINS (Windows
-Internet Name Service) support to Windows NT so that the computers on
-the network can perform a direct query of the WINS server instead of
-using broadcast packets.</p>
-
-<p>Modern Windows clients use a variety of methods for translating
-hostnames into IP addresses. The exact method varies depending on the
-version of Windows the client is running, how the client is
-configured (i.e., whether DNS server and/or WINS server IP addresses
-are provided), and whether the application software is accessing the
-network through Microsoft's Winsock or TCP/IP API.
-In general, Windows uses some combination of the following
-methods:<a name="INDEX-4"/></p>
-
-<ul><li>
-<p>Looking up the name in its cache of recently resolved names</p>
-</li><li>
-<p>Querying DNS servers</p>
-</li><li>
-<p>Using the DNS <em class="filename">Hosts</em> file</p>
-</li><li>
-<p>Querying WINS servers</p>
-</li><li>
-<p>Using the WINS <em class="filename">LMHOSTS</em> file</p>
-</li><li>
-<p>Performing broadcast name resolution</p>
-</li></ul>
-<p>The first method is pretty much self-explanatory. A hostname is
-checked against a cache of hostnames that have been recently resolved
-to IP addresses. This helps to save time and network bandwidth for
-resolving names that are used frequently.</p>
-
-<p>When a Windows system is configured with the IP address of at least
-one <a name="INDEX-5"/>DNS server, it can use DNS to
-resolve fully qualified domain names, such as those for sites on the
-Internet. The DNS servers can be either Windows NT/2000 or Unix
-systems. You can learn more about DNS and DNS server configuration in
-the O'Reilly book <em class="citetitle">DNS and
-BIND</em>.</p>
-
-<p>In this chapter, we focus mainly on name resolution using WINS, which
-is supported by Samba with the <em class="emphasis">nmbd</em> daemon.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-1.1"/>
-
-<h3 class="head2">WINS Clients and Server Interaction</h3>
-
-<p>There are two types of interaction between a
-<a name="INDEX-6"/>WINS client and a server: the
-client keeps its own NetBIOS name<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> registered with the server and
-queries the server to get the IP address corresponding to the NetBIOS
-name of another system.</p>
-
-<p>When a WINS client joins the network, it registers its NetBIOS name
-with the WINS server, which stores it along with the
-client's IP address in the WINS database. This entry
-is marked <em class="firstterm">active</em>. The client is then expected
-to renew the registration of its name periodically (typically, every
-four days) to inform the server that it is still using the name. This
-period is called the <em class="firstterm">time to live</em>, or TTL.
-When the client leaves the network by being shut down gracefully, it
-informs the server, and the server marks the
-client's entry in its database as
-<em class="firstterm">released</em>.</p>
-
-<p>When a client leaves the network without telling the WINS server to
-release its name, the server waits until after it fails to receive
-the expected registration renewal from the client and then marks the
-entry as released.</p>
-
-<p>In either case, the released name is available for use by other
-clients joining the network. It might persist in the released state
-in the WINS database, and if it is not reregistered, the entry will
-eventually be deleted.</p>
-
-<p>More information on WINS can be found in the Microsoft white paper
-<em class="citetitle">Windows Internet Naming Service (WINS) Architecture and
-Capacity Planning</em><a name="INDEX-7"/>. It can be downloaded from the
-Microsoft web site at <a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-1.2"/>
-
-<h3 class="head2">The lmhosts File</h3>
-
-<p>In <a href="ch03.html">Chapter 3</a> we showed you how to configure
-Windows systems to use the
-<em class="filename">LMHOSTS</em><a name="INDEX-8"/>
-file as an alternative to the WINS server for name resolution. Samba
-also can use an <em class="filename">LMHOSTS</em> file, which by default
-is <em class="filename">/usr/local/samba/lib/lmhosts</em>.
-Samba's <em class="filename">lmhosts</em> is the same
-format as the Windows version. A simple <em class="filename">lmhosts</em>
-file might look like this:</p>
-
-<blockquote><pre class="code">172.16.1.1 toltec
-172.16.1.6 maya</pre></blockquote>
-
-<p>The names on the right side of the entries are NetBIOS names, so you
-can assign resource types to them and add additional entries for
-computers:</p>
-
-<blockquote><pre class="code">172.16.1.1 toltec#20
-172.16.1.1 metran#1b
-172.16.1.6 maya#20</pre></blockquote>
-
-<p>Here, we've made <tt class="literal">toltec</tt> the
-primary domain controller of the <tt class="literal">METRAN</tt> domain on
-the second line. This line starts with
-<tt class="literal">toltec</tt>'s IP address, followed by
-the name metran and the resource type &lt;1B&gt;. The other lines are
-entries for <tt class="literal">toltec</tt> and <tt class="literal">maya</tt> as
-standard workstations.</p>
-
-<p>If you wish to place an <em class="emphasis">lmhosts</em> file somewhere
-other than the default location, you will need to notify the
-<em class="emphasis">nmbd</em> process upon startup using the
-<em class="emphasis">-H</em> option, followed by the name of your
-<em class="filename">lmhosts</em> file, as follows:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>nmbd -H /etc/samba/lmhosts -D</b></tt></pre></blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-1.3"/>
-
-<h3 class="head2">Configuring Name Resolution for the Samba Suite</h3>
-
-<p>Various daemons and tools in the Samba suite need to perform
-<a name="INDEX-9"/>name resolution. You can define the
-order in which the programs try each name-resolution method through
-the <tt class="literal">name</tt><a name="INDEX-10"/><a name="INDEX-11"/>
-<tt class="literal">resolve</tt> <tt class="literal">order</tt> parameter, like
-this:</p>
-
-<blockquote><pre class="code">[global]
- name resolve order = wins lmhosts hosts bcast</pre></blockquote>
-
-<p>The string used to define the parameter can take up to four values:</p>
-
-<dl>
-<dt><b>lmhosts</b></dt>
-<dd>
-<p>Uses the Samba server's local
-<em class="filename">lmhosts</em> file</p>
-</dd>
-
-
-
-<dt><b>hosts</b></dt>
-<dd>
-<p>Uses the standard Unix name-resolution methods, which can be
-<em class="emphasis">/etc/hosts</em>, DNS, NIS, or a combination,
-depending on how the local system is configured</p>
-</dd>
-
-
-
-<dt><b>wins</b></dt>
-<dd>
-<p>Uses the WINS server</p>
-</dd>
-
-
-
-<dt><b>bcast</b></dt>
-<dd>
-<p>Uses the broadcast method</p>
-</dd>
-
-</dl>
-
-<p>The order in which they are specified is the order in which name
-resolution will be attempted. In our example, Samba will attempt to
-use its WINS server first for name resolution, followed by the
-<em class="emphasis">lmhosts</em> file on the local system. Next, the
-<tt class="literal">hosts</tt> value tells it to use Unix name-resolution
-methods. The word <tt class="literal">hosts</tt> can be misleading; it
-covers not only the <em class="filename">/etc/hosts</em> file, but also
-the use of DNS or NIS (as configured on the Unix host). Finally, if
-those three do not work, it will perform a broadcast name resolution.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-1.4"/>
-
-<h3 class="head2">Setting Up Samba as a WINS Server</h3>
-
-<p>You can set up Samba as a <a name="INDEX-12"/>WINS server by setting the
-<tt class="literal">wins</tt><a name="INDEX-13"/> <tt class="literal">support</tt>
-parameter in the configuration file, like this:</p>
-
-<blockquote><pre class="code">[global]
- wins support = yes</pre></blockquote>
-
-<p>Believe it or not, that's all you need to do! The
-<tt class="literal">wins</tt> <tt class="literal">support</tt> option turns Samba
-into a WINS server. For most installations, Samba's
-default configuration is sufficient.</p>
-<a name="samba2-CHP-7-NOTE-137"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Remember, Samba cannot communicate with Windows WINS servers. If you
-are using Samba as your WINS server, you must make sure not to allow
-any Windows systems or other Samba servers on your network to be
-configured as WINS servers. If you do, their WINS databases will not
-synchronize, resulting in inconsistent name resolution.</p>
-</blockquote>
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.4.1"/>
-
-<h3 class="head3">Configuring a DNS proxy</h3>
-
-<p>A Samba <a name="INDEX-14"/><a name="INDEX-15"/>WINS server can check with the
-system's DNS server if a requested host cannot be
-found in its WINS database. With a typical Linux system, for example,
-you can find the IP address of the DNS server by searching the
-<em class="filename">/etc/resolv.conf</em><a name="INDEX-16"/><a name="INDEX-17"/> file. In it, you might see an entry such
-as the following:</p>
-
-<blockquote><pre class="code">nameserver 127.0.0.1
-nameserver 172.16.1.192</pre></blockquote>
-
-<p>This tells us that the Linux system is configured to use a DNS server
-located at 172.16.1.192. (The 127.0.0.1 is the
-<tt class="literal">localhost</tt> address and is never a valid DNS server
-address.)</p>
-
-<p>Now it is a simple matter of using the
-<tt class="literal">dns</tt><a name="INDEX-18"/> <tt class="literal">proxy</tt> option to tell
-Samba to use the DNS server:</p>
-
-<blockquote><pre class="code">[global]
- dns proxy = yes</pre></blockquote>
-
-<a name="samba2-CHP-7-NOTE-138"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Although this allows Windows clients to resolve fully qualified
-Internet domain names through the Samba WINS server, it will work
-only for domain names that fit within the 15-character limitation of
-NetBIOS names. For this reason, we recommend you use <tt class="literal">dns
-proxy</tt> only to act as a supplement to your WINS server,
-rather than as a replacement for a DNS server.</p>
-</blockquote>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-1.5"/>
-
-<h3 class="head2">Setting Up Samba to Use Another WINS Server</h3>
-
-<p>You can configure Samba to use a <a name="INDEX-19"/>WINS server somewhere else on the
-network by simply providing it with the IP address of the WINS
-server. This is done with the global
-<tt class="literal">wins</tt><a name="INDEX-20"/> <tt class="literal">server</tt>
-configuration option, as shown here:</p>
-
-<blockquote><pre class="code">[global]
- wins server = 172.16.1.1</pre></blockquote>
-
-<p>With this option enabled, Samba will direct all WINS requests to the
-server located at 172.16.1.1. Note that because the request is
-directed at a single machine, we don't have to worry
-about any of the problems inherent in broadcasting. However, Samba
-will not necessarily use the WINS server before other forms of name
-resolution. The order in which Samba attempts various name-resolution
-techniques is given with the <tt class="literal">name</tt>
-<tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
-option, which we discussed earlier.</p>
-
-<p>The <tt class="literal">wins</tt> <tt class="literal">support</tt> and the
-<tt class="literal">wins</tt> <tt class="literal">server</tt> parameters are
-mutually exclusive; you cannot simultaneously offer Samba as the WINS
-server and use another system as the server! Typically, one Samba
-server is set up as the WINS server using <tt class="literal">wins</tt>
-<tt class="literal">support</tt>, and all other Samba servers are
-configured with the <tt class="literal">wins</tt> <tt class="literal">server</tt>
-parameter pointing to the Samba WINS server.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.5.1"/>
-
-<h3 class="head3">Configuring a WINS proxy</h3>
-
-<p><a name="INDEX-21"/>If you have a Samba server on a
-subnet that doesn't have a WINS server, and the
-Samba server has been configured with a WINS server on another
-subnet, you can tell the Samba server to forward any name-resolution
-requests with the <tt class="literal">wins</tt><a name="INDEX-22"/>
-<tt class="literal">proxy</tt> option:</p>
-
-<blockquote><pre class="code">[global]
- wins server = 172.16.200.12
- wins proxy = yes</pre></blockquote>
-
-<p>Use this only in situations where the WINS server resides on another
-subnet. Otherwise, the broadcast will reach the WINS server
-regardless of any proxying.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-1.6"/>
-
-<h3 class="head2">Name-Resolution Configuration Options</h3>
-
-<p><a name="INDEX-23"/>Samba's <a name="INDEX-24"/>name-resolution options
-are shown in <a href="ch07.html#samba2-CHP-7-TABLE-1">Table 7-1</a>.</p>
-
-<a name="samba2-CHP-7-TABLE-1"/><h4 class="head4">Table 7-1. Name-resolution options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">wins support</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">yes</tt>, allows Samba to act as a WINS server</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">wins server</tt></p>
-</td>
-<td>
-<p>string (IP address or DNS name)</p>
-</td>
-<td>
-<p>Identifies a WINS server for Samba to use for name registration and
-resolution</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">wins proxy</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>Allows Samba to act as a proxy to a WINS server on another subnet</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">wins hook</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Command to run when the WINS database changes</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">dns proxy</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">yes</tt>, allows a Samba WINS server to
-search DNS if it cannot find a name in WINS</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">name resolve</tt> <tt class="literal">order</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>The order of methods used to resolve NetBIOS names</p>
-</td>
-<td>
-<p><tt class="literal">lmhosts</tt> <tt class="literal">hosts wins bcast</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">max ttl</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Maximum TTL in seconds for a requested NetBIOS name</p>
-</td>
-<td>
-<p><tt class="literal">259200</tt> ( 3 days)</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">max wins ttl</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Maximum TTL in seconds for NetBIOS names given out by Samba as a WINS
-server</p>
-</td>
-<td>
-<p><tt class="literal">518400</tt> (6 days)</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">min wins ttl</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Minimum TTL in seconds for NetBIOS names given out by Samba as a WINS
-server</p>
-</td>
-<td>
-<p><tt class="literal">21600</tt> (6 hours)</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.1"/>
-
-<a name="INDEX-25"/><h3 class="head3">wins support</h3>
-
-<p>Samba will provide WINS name service to all machines in the network
-if you set the following in the <tt class="literal">[global]</tt> section
-of the <em class="filename">smb.conf</em> file:</p>
-
-<blockquote><pre class="code">[global]
- wins support = yes</pre></blockquote>
-
-<p>The default value is <tt class="literal">no</tt>, which is typically used
-to allow a Windows NT/2000 server or another Samba server to be the
-WINS server. If you enable this option, remember that a Samba WINS
-server currently cannot exchange data with other WINS servers, so do
-not allow any other WINS servers on the network. When set to
-<tt class="literal">yes</tt>, this option is mutually exclusive with the
-<tt class="literal">wins</tt> <tt class="literal">server</tt> parameter.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.2"/>
-
-<a name="INDEX-26"/><h3 class="head3">wins server</h3>
-
-<p>Samba will use an existing WINS server on the network if you specify
-the <tt class="literal">wins</tt> <tt class="literal">server</tt> global option
-in your configuration file. The value of this option is either the IP
-address or DNS name (not NetBIOS name) of the WINS server. For
-example:</p>
-
-<blockquote><pre class="code">[global]
- wins server = 172.16.220.110</pre></blockquote>
-
-<p>or:</p>
-
-<blockquote><pre class="code">[global]
- wins server = wins.metran.cx</pre></blockquote>
-
-<p>For this option to work, the <tt class="literal">wins</tt>
-<tt class="literal">support</tt> option must be set to
-<tt class="literal">no</tt> (the default). Otherwise, Samba will report an
-error. You can specify only one WINS server using this option.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.3"/>
-
-<a name="INDEX-27"/><h3 class="head3">wins proxy</h3>
-
-<p>This option allows Samba to act as a proxy to another WINS server,
-and thus relay name registration and resolution requests from itself
-to the real WINS server, often outside the current subnet. The WINS
-server can be indicated through the <tt class="literal">wins</tt>
-<tt class="literal">server</tt> option. The proxy will then return the WINS
-response back to the client. You can enable this option by specifying
-the following in the <tt class="literal">[global]</tt> section:</p>
-
-<blockquote><pre class="code">[global]
- wins proxy = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.4"/>
-
-<a name="INDEX-28"/><h3 class="head3">wins hook</h3>
-
-<p>This option allows you to run a script or other program whenever the
-WINS database is modified. One application might be to set up another
-Samba server to act as a backup for another Samba WINS server. This
-is done by having the <tt class="literal">wins</tt> <tt class="literal">hook</tt>
-script call <em class="emphasis">rsync</em> to synchronize the WINS
-databases (<em class="filename">/usr/local/samba/var/locks/wins.dat</em>)
-on the two systems whenever an entry is added or deleted. The script
-would be specified in the Samba configuration file like this:</p>
-
-<blockquote><pre class="code">[global]
- wins hook = /usr/local/bin/sync_wins</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.5"/>
-
-<a name="INDEX-29"/><h3 class="head3">dns proxy</h3>
-
-<p>If you want the DNS to be used if a NetBIOS name
-isn't found in WINS, you can set the following
-option:</p>
-
-<blockquote><pre class="code">[global]
- dns proxy = yes</pre></blockquote>
-
-<p>This will permit <em class="filename">nmbd</em> to query the
-server's standard DNS. You might wish to deactivate
-this option if you do not have a permanent connection to your DNS
-server. This option should not be used in place of a DNS server on
-your network; it is intended for resolving NetBIOS names rather than
-fully qualified Internet domain names.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.6"/>
-
-<h3 class="head3">name resolve order</h3>
-
-<p>The global <tt class="literal">name</tt><a name="INDEX-30"/>
-<tt class="literal">resolve</tt> <tt class="literal">order</tt> option specifies
-the order of services that Samba will use in performing name
-resolution. The default order is to use the
-<em class="emphasis">lmhosts</em> file, followed by standard Unix
-name-resolution methods (some combination of
-<em class="filename">/etc/hosts</em>, DNS, and NIS), then to query a WINS
-server, and finally to use broadcasting to determine the address of a
-NetBIOS name. You can override this option by specifying something
-like the following:</p>
-
-<blockquote><pre class="code">[global]
- name resolve order = lmhosts wins hosts bcast</pre></blockquote>
-
-<p>This causes resolution to use the <em class="emphasis">lmhosts</em> file
-first, followed by a query to a WINS server, the
-<em class="filename">/etc/hosts</em> file, and finally broadcasting. You
-need not use all four options. This option is covered in more detail
-in <a href="ch07.html#samba2-CHP-7-SECT-1.4">Section 7.1.4</a>,
-earlier in this chapter.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.7"/>
-
-<a name="INDEX-31"/><h3 class="head3">max ttl</h3>
-
-<p>This option is used when Samba is not acting as a WINS server but is
-using another system on the network for its WINS server. It sets the
-maximum T T L for NetBIOS names registered by the Samba server with
-the WINS server. You should never need to alter this value.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.8"/>
-
-<a name="INDEX-32"/><h3 class="head3">max wins ttl</h3>
-
-<p>This option is used when Samba is providing WINS name service, and it
-sets the maximum T T L for NetBIOS names registered with Samba. You
-should never need to change this value from its default.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.9"/>
-
-<a name="INDEX-33"/><h3 class="head3">min wins ttl</h3>
-
-<p>This option is used when Samba is providing WINS name service, and it
-sets the minimum T T L for NetBIOS names registered with Samba. You
-should never need to alter this value from its default. <a name="INDEX-34"/> <a name="INDEX-35"/> <a name="INDEX-36"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-7-SECT-2"/>
-
-<h2 class="head1">Browsing</h2>
-
-<p><a name="INDEX-37"/>Browsing
-was developed by Microsoft to help users find shared resources on the
-network. In a networked computing environment where users can add or
-remove shares at any time, it is important to have some automatic
-means of keeping track of the shared resources and allowing users to
-&quot;browse&quot; through them to find the
-ones they wish to use.</p>
-
-<p>Before browsing was added to SMB networking, when anyone added a new
-share, the people with whom they wished to share the data or printer
-would have to be informed of the share's UNC, using
-some relatively low-tech method such as speaking to them in person or
-over the phone, or sending email. Already, this was very inconvenient
-in large organizations. To further complicate matters, the users
-working on client computers had to type in the
-share's UNC to connect to it. The only way to get
-around typing in the share's UNC every time it was
-used was to map a network drive to it, and with a large number of
-shares on the network, this could easily get out of hand.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-2.1"/>
-
-<h3 class="head2">Browsing in a Windows Network</h3>
-
-<p><a name="INDEX-38"/>To keep things simple, we will
-first describe network browsing in a network that contains only
-Windows systems and then show you how to add a Samba server.</p>
-
-<p>The basic way browsing works is that one computer in the network
-takes on the role of the <em class="firstterm">master
-browser</em><a name="INDEX-39"/> (also
-called <em class="firstterm">local master
-browser</em><a name="INDEX-40"/>,<em class="firstterm"> browse
-master</em><a name="INDEX-41"/>, or
-<em class="firstterm">browse server</em><a name="INDEX-42"/>) and
-keeps a list of all the computers on the local subnet that are acting
-as SMB servers. The list of computers is called the <em class="firstterm">browse
-list</em><a name="INDEX-43"/> and includes all Samba servers, Windows
-NT/2000/XP systems, and any Windows 95/98/Me systems that have the
-&quot;File and printer sharing for Microsoft
-Networks&quot; networking component installed. The browse
-list also contains the names of all workgroups and domains. At this
-level, browsing is limited to the local subnet because the browsing
-protocol depends on broadcast packets, which are typically not
-forwarded to other subnets by routers.</p>
-
-<p>A user at any Windows system can view the browse list by opening up
-the Network Neighborhood (or My Network Places), as we showed you in
-<a href="ch01.html">Chapter 1</a>. Or, the <em class="emphasis">net
-view</em><a name="INDEX-44"/> command can be used from a Windows
-command prompt:</p>
-
-<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net view</b></tt>
-Server Name Remark
-
--------------------------------------------------------------------------------
-\\MAYA Windows 98
-\\MIXTEC Samba 2.2.5
-\\OLMEC Windows XP Pro on Pentium/ASUS
-\\TOLTEC Samba 2.2.5
-\\YAQUI Windows 95 on mixtec/VMware
-\\ZAPOTEC
-The command completed successfully.</pre></blockquote>
-
-<p>Then, <em class="emphasis">net view</em> can be used with a computer name
-as an argument to contact a server directly and list the resources it
-is sharing:</p>
-
-<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net view \\maya</b></tt>
-Shared resources at \\maya
-
-Windows 98
-
-Share name Type Used as Comment
-
--------------------------------------------------------------------------------
-D Disk
-E Disk
-HP Print
-The command completed successfully.</pre></blockquote>
-
-<p>The computers on the network involved in browsing are more than just
-the master browser and its clients. There are also backup browsers,
-which maintain copies of the browse list and respond to client
-requests for it. Backup browsers are therefore able to take over the
-role of master browser seamlessly in case it fails. The master
-browser usually doesn't serve the browse list
-directly to clients. Instead, its job is mainly to keep the master
-copy of the browse list up-to-date, and also periodically update the
-backup browsers. Clients are expected to get their copies of the
-browse list from backup browsers, selecting among them randomly to
-help to distribute the load on the backup browsers more evenly.
-Ideally, the interaction between any client and the master browser is
-limited to the client announcing when it joins or leaves the network
-(if it is a server) and requesting a list of backup browsers.</p>
-
-<p>There can be more than one <a name="INDEX-45"/>backup browser. A workgroup will have a
-backup browser if two or more computers are running Windows 95/98/Me
-or Windows NT Workstation (or another nonserver version of Windows
-NT/2000/XP) on the subnet. For every 32 additional computers, another
-backup browser is added.</p>
-
-<p>In a Windows NT domain, the <a name="INDEX-46"/>primary domain controller is
-always the local master browser, and if it fails, another Windows
-NT/2000 server (if one exists) will take over the role of local
-master browser. Other versions of Windows can function as backup
-browsers, but will never become a master browser if a Windows NT/2000
-server is available.</p>
-
-<p>In addition to acting as the local master browser, the primary domain
-controller also acts as the <em class="firstterm">domain master
-browser</em><a name="INDEX-47"/>, which ties subnets together and allows
-browse lists to be shared between master and backup browsers on
-separate subnets. This is how browsing is extended to function beyond
-the local subnet. Each subnet functions as a separate browsing
-entity, and the domain master browser synchronizes the master
-browsers of each subnet. In a Windows-only network, browsing cannot
-function across subnets unless a Windows NT/2000 PDC exists on the
-network. Samba can act as a domain master browser and can perform
-that task even in a workgroup network, which means that the Windows
-PDC is not required for this task. (It is also possible to use the
-<tt class="literal">remote</tt> <tt class="literal">browse</tt>
-<tt class="literal">sync</tt> parameter to configure a Samba server to
-synchronize its browse list with a Samba server on another subnet. In
-this case, each server must be acting as the local master browser of
-its subnet.)</p>
-
-<p>Unless it is configured never to act as a browser, each computer on
-the subnet is considered a <em class="firstterm">potential browser</em>
-and can be ordered by the browse master to become a backup browser,
-or it can identify itself as a backup browser and accept the role on
-its own.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-2.2"/>
-
-<h3 class="head2">Browser Elections</h3>
-
-<p><a name="INDEX-48"/>When no master browser is running on
-the subnet, potential browsers choose a new master browser among
-themselves in a process called an <em class="firstterm">election</em>. An
-election is started by a computer in the subnet when it discovers
-that no master browser is currently running. If a master browser is
-shut down gracefully, it will broadcast an election request datagram,
-initiating an election by the remaining computers. If the master
-browser fails, the election can be started by a client computer that
-requests a list of backup browsers from the master browser or by a
-backup browser that requests to have its browse list updated from the
-master browser. In each case, the system fails to receive a reply
-from the master browser and initiates the election.</p>
-
-<p>Browser elections are decided in multiple rounds of self-elimination.
-During each round, potential browsers broadcast election request
-datagrams containing their qualifications to notify other potential
-browsers that an election is happening and that if the recipient is
-more qualified, it should also broadcast a bid. When a potential
-browser receives an election request datagram from a more qualified
-opponent, it drops out, disqualifying itself from becoming the master
-browser. Otherwise, it responds with its own election request
-datagram. After a few rounds, only one potential browser is left in
-the election. After an additional four rounds of sending out an
-election request datagram and receiving no response, it becomes the
-master browser and sends a broadcast datagram announcing itself as
-the local master browser for the subnet. It then assigns runners-up
-in the election as backup browsers, as needed.</p>
-
-<p>A potential browser's qualifications include the
-following:</p>
-
-<ul><li>
-<p>Whether it has recently lost an election</p>
-</li><li>
-<p>The version of the election protocol it is running</p>
-</li><li>
-<p>Its election criteria</p>
-</li><li>
-<p>The amount of time the system has been up</p>
-</li><li>
-<p>The computer's NetBIOS name</p>
-</li></ul>
-<p>If the potential browser has lost an election recently, it
-immediately disqualifies itself. The version of the election protocol
-it is running is checked, but so far, all Windows systems (and Samba)
-use the same election protocol, so the check is not very meaningful.
-The election criteria are usually what determine which computer
-becomes the local master browser. There are two parts to the election
-criteria, shown in Tables <a href="ch07.html#samba2-CHP-7-TABLE-2">Table 7-2</a> and <a href="ch07.html#samba2-CHP-7-TABLE-3">Table 7-3</a>.</p>
-
-<a name="samba2-CHP-7-TABLE-2"/><h4 class="head4">Table 7-2. Operating-system values in an election</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Operating system</p>
-</th>
-<th>
-<p>Value</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>Windows NT/2000 Server, running as PDC</p>
-</td>
-<td>
-<p>32</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows NT/2000/XP, if not the PDC</p>
-</td>
-<td>
-<p>16</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 95/98/Me</p>
-</td>
-<td>
-<p>1</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows for Workgroups</p>
-</td>
-<td>
-<p>1</p>
-</td>
-</tr>
-
-</table>
-
-<a name="samba2-CHP-7-TABLE-3"/><h4 class="head4">Table 7-3. Computer-role settings in an election</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Role</p>
-</th>
-<th>
-<p>Value</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>Domain master browser</p>
-</td>
-<td>
-<p>128</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>WINS client</p>
-</td>
-<td>
-<p>32</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Preferred master</p>
-</td>
-<td>
-<p>8</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Running master</p>
-</td>
-<td>
-<p>4</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Recent backup browser</p>
-</td>
-<td>
-<p>2</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Backup browser</p>
-</td>
-<td>
-<p>1</p>
-</td>
-</tr>
-
-</table>
-
-<p>The operating-system type is compared first, and the system with the
-highest value wins. The values have been chosen to cause the primary
-domain controller, if there is one, to become the local master
-browser. Otherwise, a Windows NT/2000/XP system will win over a
-Windows for Workgroups or Windows 95/98/Me system.</p>
-
-<p>When an operating-system type comparison results in a tie, the role
-of the computer is compared. A computer can have more than one of the
-values in <a href="ch07.html#samba2-CHP-7-TABLE-3">Table 7-3</a>, in which case the values are
-added.</p>
-
-<p>A domain master browser has a role value of 128 to weight the
-election so heavily in its favor that it will also become the local
-master browser on its own subnet. Although the primary domain
-controller (which is always the domain master browser) will win the
-election based solely on its operating system value, sometimes there
-is no primary domain controller on the network, and the domain master
-browser would not otherwise be distinguished from other potential
-browsers.</p>
-
-<p>Systems that are using a WINS server for name resolution are weighted
-heavily over ones that use broadcast name resolution with a role
-value of 32.</p>
-
-<p>A <em class="firstterm">preferred master</em> is a computer that has been
-selected and configured manually by a system administrator to be
-favored as the choice master browser. When a preferred master starts
-up, it forces a browser election, even if an existing master browser
-is still active. A preferred master has a role value of 8, and the
-existing master browser gets a value of 4.</p>
-
-<p>A backup browser that has recently been a master browser and still
-has an up-to-date browse list is given a role value of 2, and a
-potential browser that has been running as a backup browser gets a
-value of 1.</p>
-
-<p>If comparing the operating-system type and role results in a tie, the
-computer that has been running the longest wins. In the unlikely
-event that the two have been up for the same amount of time, the
-computer that wins is the one with the NetBIOS name that sorts first
-alphabetically.</p>
-
-<p>You can tell if a machine is a local master browser by using the
-Windows <em class="emphasis">nbtstat</em><a name="INDEX-49"/> command. Place the NetBIOS name of the
-machine you wish to check after the <em class="emphasis">-a</em> option:</p>
-
-<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>nbtstat -a toltec</b></tt>
-
-Local Area Connection:
-Node IpAddress: [172.16.1.4] Scope Id: []
-
- NetBIOS Remote Machine Name Table
-
- Name Type Status
- ---------------------------------------------
- TOLTEC &lt;00&gt; UNIQUE Registered
- TOLTEC &lt;03&gt; UNIQUE Registered
- TOLTEC &lt;20&gt; UNIQUE Registered
- ..__MSBROWSE__.&lt;01&gt; GROUP Registered
- METRAN &lt;00&gt; GROUP Registered
- METRAN &lt;1B&gt; UNIQUE Registered
- METRAN &lt;1C&gt; GROUP Registered
- METRAN &lt;1D&gt; UNIQUE Registered
- METRAN &lt;1E&gt; GROUP Registered
-
- MAC Address = 00-00-00-00-00-00</pre></blockquote>
-
-<p>The resource entry that you're looking for is
-<tt class="literal">.._ _MSBROWSE_ _.&lt;01&gt;</tt><a name="INDEX-50"/>. This indicates
-that the server is currently acting as the local master browser for
-the current subnet. If the machine is a Samba server, you can check
-the Samba <em class="filename">nmbd</em> log file for an entry such as:</p>
-
-<blockquote><pre class="code">nmbd/nmbd_become_lmb.c:become_local_master_stage2(406)
-*****
-Samba name server TOLTEC is now a local master browser for
-workgroup METRAN on subnet 172.16.1.0</pre></blockquote>
-
-<p>Or, you can use the
-<em class="emphasis">nmblookup</em><a name="INDEX-51"/> command with the
-<em class="emphasis">-M</em> option and the workgroup or domain name on
-any Samba server to find the IP address of the local master:</p>
-
-<a name="INDEX-52"/><blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -M metran</b></tt>
-querying metran on 172.16.1.255
-172.16.1.1 metran&lt;1d&gt;</pre></blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-2.3"/>
-
-<h3 class="head2">Server Announcements</h3>
-
-<p><a name="INDEX-53"/>After
-the master browser election is decided, each server on the network
-announces itself to the network to allow the master and backup
-browsers to build their browse lists. At first, the server
-announcements happen every minute, but the interval is gradually
-stretched out to every 12 minutes. When a server is shut down
-gracefully, it sends an announcement that it is going offline to
-allow the master and backup browsers to remove it from the browse
-list. However, when a server goes offline by crashing or by some
-other failure, the master browser notices its disappearance only
-because it stops receiving server announcements. The master browser
-waits for three of the server's announcement periods
-before deciding that it is offline, which can take up to 36 minutes.
-Because backup browsers have their browse lists updated from the
-master browser once every 15 minutes, it can take up to 51 minutes
-for clients to be informed of a failed server.</p>
-
-<p>For more detailed information on Microsoft's
-browsing protocols, consult the Microsoft documents
-<em class="citetitle">Browsing and Windows 95
-Networking</em><a name="INDEX-54"/> and
-<em class="citetitle">CIFS/E Browser Protocol</em>. You can find these by
-searching for the titles on the Microsoft web site at <a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p>
-
-<p>More information on configuring Samba for browsing can be found in
-<em class="filename">BROWSING.txt</em><a name="INDEX-55"/> and
-<em class="filename">BROWSING-Config.txt</em> in the Samba
-distribution's <em class="filename">docs/textdocs</em>
-directory. <a name="INDEX-56"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-2.4"/>
-
-<h3 class="head2">Configuring Samba for Browsing</h3>
-
-<p><a name="INDEX-57"/><a name="INDEX-58"/><a name="INDEX-59"/>Samba has full support for browsing
-and can participate as a master browser, a backup browser, a domain
-master browser, a potential browser, or just a server that
-doesn't participate in browsing elections. If you
-want to make sure your Samba server never becomes a master or backup
-browser, simply set:</p>
-
-<a name="INDEX-60"/><blockquote><pre class="code">[global]
- local master = no</pre></blockquote>
-
-<p>Usually, you will want Samba to be available as a local master or at
-least a backup browser. In the simplest case, you
-don't need to do anything because
-Samba's default is to participate in browsing
-elections with its operating system value set to 20, which will beat
-any Windows system less than a Windows NT/2000 primary domain
-controller (see <a href="ch07.html#samba2-CHP-7-TABLE-2">Table 7-2</a>). The operating-system
-value Samba reports for itself in browser elections can be set using
-the <tt class="literal">os</tt><a name="INDEX-61"/> <tt class="literal">level</tt>
-parameter:</p>
-
-<blockquote><pre class="code">[global]
- os level = 33</pre></blockquote>
-
-<p>The preceding value will allow Samba to beat even a Windows 2000
-Advanced Server acting as a primary domain controller. As we show in
-the following section, though, forcing Samba to win this way is not
-recommended.</p>
-
-<p>If you want to allow a Windows XP Professional system to be the
-master browser, you would need to set Samba lower:</p>
-
-<blockquote><pre class="code">[global]
- os level = 8</pre></blockquote>
-
-<p>The maximum value for <tt class="literal">os</tt> <tt class="literal">level</tt>
-is 255 because it is handled as an 8-bit unsigned integer. Supposing
-we wanted to make absolutely sure our Samba server will be the local
-master browser at all times, we might say:</p>
-
-<blockquote><pre class="code">[global]
- local master = yes
- os level = 255
- preferred master = yes</pre></blockquote>
-
-<p>The addition of the
-<tt class="literal">preferred</tt><a name="INDEX-62"/>
-<tt class="literal">master</tt> parameter causes Samba to start a browser
-election as soon as it starts up, and the <tt class="literal">os</tt>
-<tt class="literal">level</tt> of 255 allows it to beat any other system on
-the network. This includes other Samba servers, assuming they are
-configured properly! If another server is using a similar
-configuration file (with <tt class="literal">os</tt>
-<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">255</tt>
-and <tt class="literal">preferred</tt> <tt class="literal">master</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt>), the two will fight each
-other for the master browser role, winning elections based on minor
-criteria, such as uptime or their current role. To avoid this, other
-Samba servers should be set with a lower <tt class="literal">os</tt>
-<tt class="literal">level</tt> and not configured to be the preferred
-master.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-2.5"/>
-
-<h3 class="head2">Samba as the Domain Master Browser</h3>
-
-<p><a name="INDEX-63"/>Previously we mentioned that for a Windows
-workgroup or domain to extend into multiple subnets, one system would
-have to take the role of the domain master browser. The domain master
-browser propagates browse lists across each subnet in the workgroup.
-This works because each local master browser periodically
-synchronizes its browse list with the domain master browser. During
-this synchronization, the local master browser passes on the name of
-any server that the domain master browser does not have in its browse
-list, and vice versa. Each local master browser eventually holds the
-browse list for the entire domain.</p>
-
-<p>There is no election to determine which machine assumes the role of
-the domain master browser. Instead, the administrator has to set it
-manually. By Microsoft design, however, the domain master browser and
-the PDC both register a resource type of &lt;1B&gt;, so the
-roles&mdash;and the machines&mdash;are inseparable.</p>
-
-<p>If you have a Windows NT server on the network acting as a PDC, we
-recommend that you do not try to use Samba to become the domain
-master browser. The reverse is true as well: if Samba is taking on
-the responsibilities of a PDC, we recommend making it the domain
-master browser as well. Although it is possible to split the roles
-with Samba, this is not a good idea. Using two different machines to
-serve as the PDC and the domain master browser can cause random
-errors to occur in a Windows workgroup.</p>
-
-<p>Samba can assume the role of a domain master browser for all subnets
-in the workgroup with the following options:</p>
-
-<blockquote><pre class="code">[global]
- domain master = yes
- preferred master = yes
- local master = yes
- os level = 255</pre></blockquote>
-
-<p>The final three parameters ensure that the server is also the local
-master browser, which is vital for it to work properly as the domain
-master browser. You can verify that a Samba machine is in fact the
-<a name="INDEX-64"/>domain master browser by checking the
-<em class="emphasis">nmbd</em><a name="INDEX-65"/><a name="INDEX-66"/> log file:</p>
-
-<blockquote><pre class="code">nmbd/nmbd_become_dmb.c:become_domain_master_stage2(118)
-*****
-Samba name server TOLTEC is now a domain master browser for
-workgroup METRAN on subnet 172.16.1.0</pre></blockquote>
-
-<p>Or you can use the
-<em class="emphasis">nmblookup</em><a name="INDEX-67"/> command that comes with the Samba
-distribution to query for a unique &lt;1B&gt; resource type in the
-workgroup:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>nmblookup METRAN#1B</b></tt>
-Sending queries to 172.16.1.255
-172.16.1.1 METRAN&lt;1b&gt;</pre></blockquote>
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.5.1"/>
-
-<h3 class="head3">Multiple subnets</h3>
-
-<p><a name="INDEX-68"/>You must
-remember three rules when creating a
-<a name="INDEX-69"/>workgroup/domain
-that spans more than one subnet:</p>
-
-<ul><li>
-<p>You must have either a Windows NT/2000 or Samba server acting as a
-local master browser on each subnet in the workgroup/domain.</p>
-</li><li>
-<p>You must have a Windows NT/2000 Server edition or a Samba server
-acting as a domain master browser somewhere in the workgroup/domain.</p>
-</li><li>
-<p>A WINS server should be on the network, with each system on the
-network configured to use it for name resolution.</p>
-</li></ul>
-<p>Samba has some additional features you can use if you
-don't have or want a domain master browser on your
-network and still need to have <a name="INDEX-70"/>cross-subnet browsing. Consider the
-subnets shown in <a href="ch07.html#samba2-CHP-7-FIG-1">Figure 7-1</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-7-FIG-1"/><a name="INDEX-71"/><a name="INDEX-72"/><img src="figs/sam2_0701.gif"/></div><h4 class="head4">Figure 7-1. Multiple subnets with Samba servers</h4>
-
-<p>First, a Samba server that is a local master browser can use the
-<tt class="literal">remote</tt><a name="INDEX-73"/> <tt class="literal">announce</tt>
-configuration option to make sure that computers in different subnets
-are sent broadcast announcements about the server. This has the
-effect of ensuring that the Samba server appears in the browse lists
-of foreign subnets. To achieve this, however, the directed broadcasts
-must reach the local master browser on the other subnet. Be aware
-that many routers do not allow directed broadcasts by default; you
-might have to change this setting on the router for the directed
-broadcasts to get through to its subnet.</p>
-
-<p>With the <tt class="literal">remote</tt> <tt class="literal">announce</tt>
-option, list the subnets and the workgroup that should receive the
-broadcast. For example, to ensure that machines in the 172.16.2 and
-172.16.3 subnets and the METRAN workgroup are sent broadcast
-information from our Samba server, we could specify the following:</p>
-
-<blockquote><pre class="code">[global]
- remote announce = 172.16.2.255/METRAN \
- 172.16.3.255/METRAN</pre></blockquote>
-
-<p>Instead of supplying a broadcast address of the remote subnet, you
-are allowed to specify the exact address where broadcasts should be
-sent if the local master browser on the foreign subnet is guaranteed
-to always have the same IP address.</p>
-
-<p>A Samba local master browser can synchronize its browse list directly
-with one or more Samba servers, each acting as a local master browser
-on a different subnet. This is another way to implement browsing
-across subnets. For example, let's assume that Samba
-is configured as a local master browser, and Samba local master
-browsers exist at 172.16.2.130 and 172.16.3.120. We can use the
-<tt class="literal">remote</tt> <tt class="literal">browse</tt>
-<tt class="literal">sync</tt> option to sync directly with the Samba
-servers, as follows:</p>
-
-<blockquote><pre class="code">[global]
- remote browse sync = 172.16.2.130 172.16.3.120</pre></blockquote>
-
-<p>For this to work, the other Samba machines must also be local master
-browsers. You can also use directed broadcasts with this option if
-you do not know specific IP addresses of local master browsers.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-2.6"/>
-
-<h3 class="head2">Making a Share Invisible</h3>
-
-<p><a name="INDEX-74"/><a name="INDEX-75"/><a name="INDEX-76"/>You can keep a share from being in the
-browse list by using the
-<tt class="literal">browsable</tt><a name="INDEX-77"/> option. This Boolean option
-prevents a share from being seen in the Network Neighborhood or My
-Network Places. For example, to prevent the <tt class="literal">[data]</tt>
-share from being visible, we could write:</p>
-
-<blockquote><pre class="code">[data]
- path = /export/samba/userdata
- browsable = no</pre></blockquote>
-
-<p>Although you typically don't want to do this to an
-ordinary disk share, the <tt class="literal">browsable</tt> option is
-useful in the event that you need to create a share with contents
-that you do not want others to see, such as a
-<tt class="literal">[netlogon]</tt><a name="INDEX-78"/> share for storing logon scripts
-for Windows domain control (see <a href="ch04.html">Chapter 4</a> for more
-information on logon scripts).</p>
-
-<p>Another example is the
-<tt class="literal">[homes]</tt><a name="INDEX-79"/> share. This share is often marked
-nonbrowsable so that a share named <tt class="literal">[homes]</tt>
-won't appear when its machine's
-resources are browsed. However, if a user <tt class="literal">alice</tt>
-logs on and looks at the machine's shares, an
-<tt class="literal">[alice]</tt> share will appear under the machine.</p>
-
-<p>What if we wanted to make sure
-<tt class="literal">alice</tt>'s share appeared to
-everyone before she logs on? This could be done with the global
-<tt class="literal">auto</tt><a name="INDEX-80"/> <tt class="literal">services</tt>
-option. This option preloads shares into the browse list to ensure
-that they are always visible:</p>
-
-<blockquote><pre class="code">[global]
- auto services = alice</pre></blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-7-SECT-2.7"/>
-
-<h3 class="head2">Browsing Options</h3>
-
-<p><a href="ch07.html#samba2-CHP-7-TABLE-4">Table 7-4</a> <a name="INDEX-81"/><a name="INDEX-82"/>shows
-options that define how Samba handles browsing tasks.</p>
-
-<a name="samba2-CHP-7-TABLE-4"/><h4 class="head4">Table 7-4. Browsing configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">announce as</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Operating system that Samba will announce itself as.</p>
-</td>
-<td>
-<p><tt class="literal">N T Server</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">announce</tt> <tt class="literal">version</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Version of the operating system that Samba will announce itself as.</p>
-</td>
-<td>
-<p><tt class="literal">4.5</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">browsable</tt> <tt class="literal">(browseable)</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Allows share to be displayed in list of machine resources.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">browse list</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows Samba to provide a browse list on
-this server.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">auto services</tt> <tt class="literal">(preload)</tt></p>
-</td>
-<td>
-<p>string (share list)</p>
-</td>
-<td>
-<p>List of shares that will always appear in the browse list.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">default</tt> <tt class="literal">service (default)</tt></p>
-</td>
-<td>
-<p>string (share name)</p>
-</td>
-<td>
-<p>Name of a share (service) that will be provided if the client
-requests a share not listed in <em class="emphasis">smb.conf</em>.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">local master</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows Samba to participate in browsing
-elections.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lm announce</tt></p>
-</td>
-<td>
-<p><tt class="literal">yes</tt>, <tt class="literal">no</tt>, or
-<tt class="literal">auto</tt></p>
-</td>
-<td>
-<p>Enables or disables LAN Manager-style host announcements.</p>
-</td>
-<td>
-<p><tt class="literal">auto</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lm interval</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Frequency in seconds that LAN Manager announcements will be made if
-activated.</p>
-</td>
-<td>
-<p><tt class="literal">60</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">preferred</tt> <tt class="literal">master (prefered
-master)</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows Samba to use the preferred master
-browser bit to attempt to become the local master browser.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">domain master</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows Samba to become the domain browser
-master for the workgroup or domain.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">os level</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Operating system level of Samba in an election for local master
-browser.</p>
-</td>
-<td>
-<p><tt class="literal">0</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">remote browse</tt> <tt class="literal">sync</tt></p>
-</td>
-<td>
-<p>string (list of IP addresses)</p>
-</td>
-<td>
-<p>Samba servers to synchronize browse lists with.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">remote</tt> <tt class="literal">announce</tt></p>
-</td>
-<td>
-<p>string (IP address/workgroup pairs)</p>
-</td>
-<td>
-<p>Subnets and workgroups to send directed broadcast packets to,
-allowing Samba to appear in their browse lists.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.1"/>
-
-<a name="INDEX-83"/><h3 class="head3">announce as</h3>
-
-<p>This global configuration option specifies the type of operating
-system that Samba announces to other machines on the network. The
-default value for this option is <tt class="literal">N T</tt>
-<tt class="literal">Server</tt>, which causes Samba to masquerade as a
-Windows NT Server operating system. Other possible values are
-<tt class="literal">NT</tt>, <tt class="literal">NT</tt>
-<tt class="literal">Workstation</tt>, <tt class="literal">Win95</tt>, and
-<tt class="literal">W f W</tt> for a Windows for Workgroup operating
-system. You can override the default value with the following:</p>
-
-<blockquote><pre class="code">[global]
- announce as = Win95</pre></blockquote>
-
-<p>We recommend against changing the default value of this configuration
-option.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.2"/>
-
-<a name="INDEX-84"/><h3 class="head3">announce version</h3>
-
-<p>This global option is frequently used with the
-<tt class="literal">announce</tt> <tt class="literal">as</tt> configuration
-option; it specifies the version of the operating system that Samba
-announces to other machines on the network. The default value of this
-option is 4.5, which places Samba above Windows NT Version 4.0, but
-below Windows 2000. You can specify a new value with a global entry
-such as the following:</p>
-
-<blockquote><pre class="code">[global]
- announce version = 4.3</pre></blockquote>
-
-<p>We recommend against changing the default value of this configuration
-option.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.3"/>
-
-<h3 class="head3">browsable</h3>
-
-<p>The <tt class="literal">browsable</tt><a name="INDEX-85"/> option (also spelled
-<tt class="literal">browseable</tt>) indicates whether the share referenced
-should appear in the list of available resources for the system on
-which it resides. This option is always set to <tt class="literal">yes</tt>
-by default. If you wish to prevent the share from being seen in a
-client's browser, you can reset this option to
-<tt class="literal">no</tt>.</p>
-
-<p>Note that this does not prevent someone from accessing the share
-using other means, such as specifying a UNC location (e.g.,
-<tt class="literal">\\server\accounting)</tt> in Windows Explorer. It only
-prevents the share from being listed under the
-system's resources when being browsed.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.4"/>
-
-<a name="INDEX-86"/><h3 class="head3">browse list</h3>
-
-<p>You should never need to change this parameter from its default value
-of <tt class="literal">yes</tt>. If your Samba server is acting as a local
-master browser (i.e., it has won the browsing election), you can use
-the global <tt class="literal">browse</tt> <tt class="literal">list</tt> option
-to instruct Samba to provide or withhold its browse list to all
-clients. By default, Samba always provides a browse list. You can
-withhold this information by specifying the following:</p>
-
-<blockquote><pre class="code">[global]
- browse list = no</pre></blockquote>
-
-<p>If you disable the browse list, clients cannot browse the names of
-other machines, their services, and other domains currently available
-on the network. Note that this won't make any
-particular machine inaccessible; if someone knows a valid machine
-name/address and a share on that machine, he can still connect to it
-explicitly using the Windows <em class="emphasis">net use</em> command or
-by mapping a drive letter to it using Windows Explorer. It simply
-prevents information in the browse list from being retrieved by any
-client that requests it.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.5"/>
-
-<h3 class="head3">auto services</h3>
-
-<p>The global <tt class="literal">auto</tt><a name="INDEX-87"/>
-<tt class="literal">services</tt> option, which is also called
-<tt class="literal">preload</tt> <a name="INDEX-88"/>, ensures that the specified
-shares are always visible in the browse list. One common use for this
-option is to advertise specific user or printer shares that are
-created by the <tt class="literal">[homes]</tt> or
-<tt class="literal">[printers]</tt> shares, but are not otherwise
-browsable.</p>
-
-<p>This option works best with disk shares. If you wish to force each of
-your system printers (i.e., those listed in the printer capabilities
-file) to appear in the browse list, we recommend using the
-<tt class="literal">load</tt> <tt class="literal">printers</tt> option instead.</p>
-
-<p>Shares listed with the <tt class="literal">auto</tt>
-<tt class="literal">services</tt> option will not be displayed if the
-<tt class="literal">browse</tt> <tt class="literal">list</tt> option is set to
-<tt class="literal">no</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.6"/>
-
-<h3 class="head3">default service</h3>
-
-<p>The global <tt class="literal">default</tt><a name="INDEX-89"/>
-<tt class="literal">service</tt> option (sometimes called
-<tt class="literal">default</tt>) names a
-&quot;last-ditch&quot; share. The value is
-set to an existing share name without the enclosing brackets. When a
-client requests a nonexistent disk or printer share, Samba will
-attempt to connect the user to the share specified by this option
-instead. The option is specified as follows:</p>
-
-<blockquote><pre class="code">[global]
- default service = helpshare</pre></blockquote>
-
-<p>When Samba redirects the requested, nonexistent service to the
-service specified by <tt class="literal">default</tt>
-<tt class="literal">service</tt>, the <tt class="literal">%S</tt> option takes on
-the value of the requested service, with any underscores (
-<tt class="literal">_</tt> ) in the requested service replaced by forward slashes
-(<tt class="literal">/</tt>).</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.7"/>
-
-<a name="INDEX-90"/><h3 class="head3">local master</h3>
-
-<p>This global option specifies whether Samba will attempt to become the
-local master browser for the subnet when it starts up. If this option
-is set to <tt class="literal">yes</tt>, Samba will participate in
-elections. However, setting this option by itself does not guarantee
-victory. (Other parameters, such as <tt class="literal">preferred</tt>
-<tt class="literal">master</tt> and <tt class="literal">os</tt>
-<tt class="literal">level</tt>, help Samba win browsing elections.) If this
-option is set to <tt class="literal">no</tt>, Samba will lose all browsing
-elections, regardless of which values are specified by the other
-configuration options. The default value is <tt class="literal">yes</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.8"/>
-
-<h3 class="head3">lm announce</h3>
-
-<p>The global <tt class="literal">lm</tt><a name="INDEX-91"/>
-<tt class="literal">announce</tt> option tells Samba's
-<em class="emphasis">nmbd</em> whether to send <a name="INDEX-92"/>LAN Manager host
-announcements on behalf of the server. These host announcements might
-be required by older clients, such as IBM's OS/2
-operating system. This announcement allows the server to be added to
-the browse lists of the client. If activated, Samba will announce
-itself repetitively at the number of seconds specified by the
-<tt class="literal">lm</tt> <tt class="literal">interval</tt> option.</p>
-
-<p>You can specify the option as follows:</p>
-
-<blockquote><pre class="code">[global]
- lm announce = yes</pre></blockquote>
-
-<p>This configuration option takes the standard Boolean values,
-<tt class="literal">yes</tt> and <tt class="literal">no</tt>, which enable or
-disable LAN Manager announcements, respectively. In addition, a third
-option, <tt class="literal">auto</tt>, causes <em class="emphasis">nmbd</em> to
-listen passively for LAN Manager announcements, but not to send any
-of its own initially. If LAN Manager announcements are detected for
-another machine on the network, <em class="emphasis">nmbd</em> will start
-sending its own LAN Manager announcements to ensure that it is
-visible. The default value is <tt class="literal">auto</tt>. You probably
-won't need to change this value from its default.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.9"/>
-
-<a name="INDEX-93"/><h3 class="head3">lm interval</h3>
-
-<p>This option, which is used in conjunction with <tt class="literal">lm</tt>
-<tt class="literal">announce</tt>, indicates the number of seconds
-<em class="emphasis">nmbd</em> will wait before repeatedly broadcasting
-LAN Manager-style announcements. LAN Manager announcements must be
-enabled for this option to work. The default value is 60 seconds. If
-you set this value to 0, Samba will not send any LAN Manager host
-announcements, regardless of the value of the <tt class="literal">lm</tt>
-<tt class="literal">announce</tt> option. You can reset the value of this
-option as follows:</p>
-
-<blockquote><pre class="code">[global]
- lm interval = 90</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.10"/>
-
-<h3 class="head3">preferred master</h3>
-
-<p>The <tt class="literal">preferred</tt><a name="INDEX-94"/>
-<tt class="literal">master</tt> option requests that Samba set the
-preferred master bit when participating in an election. This gives
-the server a higher preferred status in the workgroup than other
-machines at the same operating-system level. If you are configuring
-your Samba machine to become the local master browser, it is wise to
-set the following value:</p>
-
-<blockquote><pre class="code">[global]
- preferred master = yes</pre></blockquote>
-
-<p>Otherwise, you should leave it set to its default,
-<tt class="literal">no</tt>. If Samba is configured as a preferred master
-browser, it will force an election when it first comes online.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.11"/>
-
-<a name="INDEX-95"/><h3 class="head3">domain master</h3>
-
-<p>If Samba is the primary domain controller for your workgroup or NT
-domain, it should also be made the domain master browser. The domain
-master browser is a special machine that has the NetBIOS resource
-type &lt;1B&gt; and is used to propagate browse lists to and from
-each local master browser in individual subnets across the domain. To
-force Samba to become the <a name="INDEX-96"/>domain master browser, set the following in
-the <tt class="literal">[global]</tt> section of the
-<em class="filename">smb.conf</em>:</p>
-
-<blockquote><pre class="code">[global]
- domain master = yes</pre></blockquote>
-
-<p>If you have a Windows NT server on the network acting as a primary
-domain controller (PDC), we recommend that you do not use Samba to
-become the domain master browser. The reverse is true as well: if
-Samba is taking on the responsibilities of a PDC, we recommend making
-it the domain master browser. Splitting the PDC and the domain master
-browser will cause unpredictable errors to occur on the network.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.12"/>
-
-<h3 class="head3">os level</h3>
-
-<p>The global <tt class="literal">os</tt><a name="INDEX-97"/> <tt class="literal">level</tt> option
-defines the operating-system value with which Samba will masquerade
-during a browser election. If you wish to have Samba win an election
-and become the master browser, set the <tt class="literal">os</tt>
-<tt class="literal">level</tt> higher than that of any other system on the
-subnet. The values are shown in <a href="ch07.html#samba2-CHP-7-TABLE-2">Table 7-2</a>. The
-default level is 20, which means that Samba will win elections
-against all versions of Windows, except Windows NT/2000 if it is
-operating as the PDC. If you wish Samba to win all elections, you can
-set its operating system value as follows:</p>
-
-<blockquote><pre class="code">[global]
- os level = 255</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.13"/>
-
-<h3 class="head3">remote browse sync</h3>
-
-<p>The global <tt class="literal">remote</tt><a name="INDEX-98"/>
-<tt class="literal">browse</tt> <tt class="literal">sync</tt> option specifies
-that Samba should synchronize its browse lists with local master
-browsers in other subnets. However, the synchronization can occur
-only with other Samba servers and not with Windows computers. For
-example, if your Samba server were a master browser on the subnet
-172.16.235, and Samba local master browsers existed on other subnets
-located at 172.16.234.92 and 172.16.236.2, you would specify the
-following:</p>
-
-<blockquote><pre class="code">[global]
- remote browse sync = 172.16.234.92 172.16.236.2</pre></blockquote>
-
-<p>The Samba server would then directly contact the other machines on
-the address list and synchronize browse lists. You can also say:</p>
-
-<blockquote><pre class="code">[global]
- remote browse sync = 172.16.234.255 172.16.236.255</pre></blockquote>
-
-<p>This forces Samba to broadcast queries to determine the IP addresses
-of the local master browser on each subnet, with which it will then
-synchronize browse lists. This works, however, only if your router
-doesn't block directed broadcast requests ending in
-255.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.14"/>
-
-<h3 class="head3">remote announce</h3>
-
-<p>Samba servers are capable of providing browse lists to foreign
-subnets with the <tt class="literal">remote</tt><a name="INDEX-99"/>
-<tt class="literal">announce</tt> option. This is typically sent to the
-local master browser of the foreign subnet in question. However, if
-you do not know the address of the local master browser, you can do
-the following:</p>
-
-<blockquote><pre class="code">[global]
- remote announce = 172.16.234.255/ACCOUNTING \
- 172.16.236.255/ACCOUNTING</pre></blockquote>
-
-<p>With this, Samba will broadcast host announcements to all machines on
-subnets 172.16.234 and 172.16.236, which will hopefully reach the
-local master browser of the subnet.</p>
-
-<p>You can also specify exact IP addresses, if they are known, but this
-works only if the systems are guaranteed to maintain the role of
-master browser on their subnets. By appending a workgroup or domain
-name to the IP address, Samba announces that it is in that workgroup
-or domain. If this is left out, the workgroup set by the
-<tt class="literal">workgroup</tt> parameter is used. <a name="INDEX-100"/> <a name="INDEX-101"/><a name="INDEX-102"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> As we explained in
-<a href="ch01.html">Chapter 1</a>, a system can register under more than
-one NetBIOS name. We use the singular here only to keep our
-explanation simple.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch08.html b/docs/htmldocs/using_samba/ch08.html
deleted file mode 100644
index 001a86a4a3..0000000000
--- a/docs/htmldocs/using_samba/ch08.html
+++ /dev/null
@@ -1,3744 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 8. Advanced Disk Shares</h1>
-
-
-<p>This chapter continues our discussion of configuring Samba from <a href="ch06.html">Chapter 6</a>. We will cover some more advanced issues
-regarding the integration of Unix and Windows filesystems, including
-hidden files, Unix links, file permissions, name mangling, case
-sensitivity of filenames, file locking, opportunistic locking
-(oplocks), connection scripts, supporting Microsoft Dfs (Distributed
-filesystem) shares, and using NIS home directories.</p>
-
-
-<div class="sect1"><a name="samba2-CHP-8-SECT-1"/>
-
-<h2 class="head1">Filesystem Differences</h2>
-
-<p>One of the biggest issues for which Samba has to correct is the
-difference between Unix and Microsoft filesystems. This includes
-items such as handling symbolic links, hidden files, and dot files.
-In addition, file permissions can also be a headache if not properly
-accounted for.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-1.1"/>
-
-<h3 class="head2">Hiding and Vetoing Files</h3>
-
-<p><a name="INDEX-1"/><a name="INDEX-2"/>Sometimes you need to ensure that a user
-cannot see or access a file at all. Other times, you
-don't want to keep users from accessing a
-file&mdash;you just want to hide it when they view the contents of
-the directory. On Windows systems, an attribute of files allows them
-to be hidden from a folder listing. With Unix, the traditional way of
-hiding files in a directory is to use a <a name="INDEX-3"/><a name="INDEX-4"/>dot (.) as the first character in the
-filename. This prevents items such as configuration files from being
-seen when performing an ordinary <em class="emphasis">ls</em> command.
-Keeping a user from accessing a file at all, however, involves
-working with permissions on files and directories.</p>
-
-<p>The first option we should discuss is the Boolean
-<tt class="literal">hide</tt><a name="INDEX-5"/><a name="INDEX-6"/> <tt class="literal">dot</tt>
-<tt class="literal">files</tt>. When it is set to <tt class="literal">yes</tt>,
-Samba reports files beginning with a period (.) as having their
-hidden attribute set. If the user has chosen to show all hidden files
-while browsing (e.g., using the Folder Options menu item under the
-View menu in Windows 98), he will still be able to see the files,
-although his icons will appear
-&quot;ghosted,&quot; or slightly grayed-out.
-If the client is configured not to show hidden files, the files will
-not appear at all.</p>
-
-<p>Instead of simply hiding files beginning with a dot, you can also
-specify a string pattern to Samba for files to hide, using the
-<tt class="literal">hide</tt><a name="INDEX-7"/> <tt class="literal">files</tt>
-option. For example, let's assume you specified the
-following in our example <tt class="literal">[data]</tt> share:</p>
-
-<blockquote><pre class="code">[data]
- hide files = /*.java/*README*/</pre></blockquote>
-
-<p>Each entry for this option must begin, end, or be separated from
-another with a slash ( / ) character, even if only one pattern is
-listed. This convention allows spaces to appear in filenames. The
-slashes have nothing to do with Unix directories; they are instead
-acting as delimiters for the <tt class="literal">hide</tt>
-<tt class="literal">files</tt> values.</p>
-
-<p>If you want to prevent users from seeing files completely, you can
-instead use the <tt class="literal">veto</tt><a name="INDEX-8"/> <tt class="literal">files</tt>
-option. This option, which takes the same syntax as the
-<tt class="literal">hide</tt> <tt class="literal">files</tt> option, specifies a
-list of files that should never be seen by the user. For example,
-let's change the <tt class="literal">[data]</tt> share to
-the following:</p>
-
-<blockquote><pre class="code">[data]
- veto files = /*.java/*README*/</pre></blockquote>
-
-<p>The syntax of this option is identical to the <tt class="literal">hide</tt>
-<tt class="literal">files</tt> configuration option: each entry must begin,
-end, or be separated from another with a slash (<tt class="literal">/</tt>)
-character, even if only one pattern is listed. If you do so, files
-that match the pattern, such as <em class="filename">hello.java</em> and
-<em class="filename">README.txt,</em> will simply disappear from the
-directory, and the user cannot access them through SMB.</p>
-
-<p><a name="INDEX-9"/>We need to address
-one other question. What happens if the user tries to delete a
-directory that contains vetoed files? This is where the
-<tt class="literal">delete</tt><a name="INDEX-10"/> <tt class="literal">veto</tt>
-<tt class="literal">files</tt> option comes in. If this Boolean option is
-set to <tt class="literal">yes</tt>, the user can delete both the regular
-files and the vetoed files in the directory, and the directory itself
-is removed. If the option is set to <tt class="literal">no</tt>, the user
-cannot delete the vetoed files, and consequently the directory is not
-deleted either. From the user's perspective, the
-directory appears empty, but cannot be removed.</p>
-
-<p>The <tt class="literal">dont</tt><a name="INDEX-11"/> <tt class="literal">descend</tt>
-directive specifies a list of directories whose contents Samba should
-not make visible. Note that we say <em class="emphasis">contents</em>, not
-the directory itself. Users can enter a directory marked as such, but
-they are prohibited from descending the directory tree any
-farther&mdash;they always see an empty folder. For example,
-let's use this option with a more basic form of the
-share that we defined earlier in the chapter:</p>
-
-<blockquote><pre class="code">[data]
- dont descend = config defaults</pre></blockquote>
-
-<p>In addition, let's assume that the
-<em class="filename">/home/samba/data</em> directory has the following
-contents:</p>
-
-<blockquote><pre class="code">drwxr-xr-x 6 tom users 1024 Jun 13 09:24 .
-drwxr-xr-x 8 root root 1024 Jun 10 17:53 ..
--rw-r--r-- 2 tom users 1024 Jun 9 11:43 README
-drwxr-xr-x 3 tom users 1024 Jun 13 09:28 config
-drwxr-xr-x 3 tom users 1024 Jun 13 09:28 defaults
-drwxr-xr-x 3 tom users 1024 Jun 13 09:28 market</pre></blockquote>
-
-<p>If the user then connects to the share, she would see the directories
-in the share. However, the contents of the
-<em class="filename">/config</em> and <em class="filename">/defaults</em>
-directories would appear empty to her, even if other folders or files
-existed in them. In addition, users cannot write any data to the
-folder (which prevents them from creating a file or folder with the
-same name as one that is already there but invisible). If a user
-attempts to do so, she will receive an &quot;Access
-Denied&quot; message. The <tt class="literal">dont</tt>
-<tt class="literal">descend</tt> option is an administrative
-option&mdash;not a security option&mdash;and is not a substitute for
-good file permissions. <a name="INDEX-12"/><a name="INDEX-13"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-1.2"/>
-
-<h3 class="head2">Links</h3>
-
-<p><a name="INDEX-14"/>When a client
-tries to open a symbolic link on a Samba server share, Samba attempts
-to follow the link to find the real file and let the client open it,
-as if the user were on a Unix machine. If you don't
-want to allow this, set the <tt class="literal">follow</tt>
-<tt class="literal">symlinks</tt> option like this:</p>
-
-<blockquote><pre class="code">[data]
- follow symlinks = no</pre></blockquote>
-
-<p>You can test this by setting up and trying to access a symbolic link.
-Create a directory on the Unix server inside the share, acting as the
-user under which you will log in to Samba. Enter the following
-commands:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>echo &quot;This is a test&quot; &gt;hello.txt</b></tt>
-$ <tt class="userinput"><b>ln -s hello.txt hello-link.txt</b></tt></pre></blockquote>
-
-<p>This results in the text file <em class="filename">hello.txt</em> and a
-symbolic link to it called <em class="filename">hello-link.txt</em>.
-Normally, if you double-click either one, you will receive a file
-that has the text &quot;This is a test&quot;
-inside of it. However, with the <tt class="literal">follow</tt>
-<tt class="literal">symlinks</tt><a name="INDEX-15"/> option set to
-<tt class="literal">no</tt>, you will receive an error dialog if you
-double-click <em class="filename">hello-link.txt</em>.</p>
-
-<p>The <tt class="literal">wide</tt><a name="INDEX-16"/> <tt class="literal">links</tt>
-option, if set to <tt class="literal">no</tt>, prevents the client user
-from following symbolic links that point outside the shared directory
-tree. For example, let's assume that we modified the
-<tt class="literal">[data]</tt> share as follows:</p>
-
-<blockquote><pre class="code">[data]
- follow symlinks = yes
- wide links = no</pre></blockquote>
-
-<p>As long as the <tt class="literal">follow</tt><a name="INDEX-17"/>
-<tt class="literal">symlinks</tt> option is disabled, Samba will refuse to
-follow any symbolic links outside the current share tree. If we
-create a file outside the share (for example, in
-someone's home directory) and then create a link to
-it in the share as follows:</p>
-
-<blockquote><pre class="code">ln -s ~tom/datafile ./datafile</pre></blockquote>
-
-<p>the client cannot open the file in Tom's home
-directory.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-1.3"/>
-
-<h3 class="head2">Filesystem Options</h3>
-
-<p><a href="ch08.html#samba2-CHP-8-TABLE-1">Table 8-1</a> <a name="INDEX-18"/><a name="INDEX-19"/>shows a breakdown of the options we
-discussed earlier. We recommend the defaults for most, except those
-listed in the following descriptions.</p>
-
-<a name="samba2-CHP-8-TABLE-1"/><h4 class="head4">Table 8-1. Filesystem configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">dont descend</tt></p>
-</td>
-<td>
-<p>string (list of directories)</p>
-</td>
-<td>
-<p>Indicates a list of directories whose contents Samba should make
-invisible to clients.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">follow</tt> <tt class="literal">symlinks</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">no</tt>, will not honor symbolic links.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">getwd cache</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">yes</tt>, will use a cache for
-<tt class="literal">getwd( )</tt> calls.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">wide links</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">yes</tt>, will follow symbolic links outside
-the share.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">hide dot files</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">yes</tt>, treats Unix hidden files as hidden
-files in Windows.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">hide files</tt></p>
-</td>
-<td>
-<p>string (list of files)</p>
-</td>
-<td>
-<p>List of file patterns to treat as hidden.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">veto files</tt></p>
-</td>
-<td>
-<p>string (list of files)</p>
-</td>
-<td>
-<p>List of file patterns to never show.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">delete veto</tt> <tt class="literal">files</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">yes</tt>, will delete files matched by
-<tt class="literal">veto files</tt> when the directory they reside in is
-deleted.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.1"/>
-
-<h3 class="head3">dont descend</h3>
-
-<p>The <tt class="literal">dont</tt><a name="INDEX-20"/> <tt class="literal">descend</tt>
-option can be used to specify various directories that should appear
-empty to the client. Note that the directory itself will still
-appear. However, Samba will not show any of the contents of the
-directory to the client user. This is not a good option to use as a
-security feature; it is really meant only as a convenience to keep
-users from casually browsing into directories that might have
-sensitive files. See our example earlier in this section.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.2"/>
-
-<a name="INDEX-21"/><h3 class="head3">follow symlinks</h3>
-
-<p>This option controls whether Samba will follow a symbolic link in the
-Unix operating system to the target or if it should return an error
-to the client user. If the option is set to <tt class="literal">yes</tt>,
-the target of the link will be interpreted as the file. If set to
-<tt class="literal">no</tt>, an error will be generated if the symbolic
-link is accessed.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.3"/>
-
-<a name="INDEX-22"/><h3 class="head3">getwd cache</h3>
-
-<p>This global option specifies whether Samba should use a local cache
-for the Unix <em class="emphasis">getwd( )</em> ( get current working
-directory) system call. You can override the default value of
-<tt class="literal">yes</tt> as follows:</p>
-
-<blockquote><pre class="code">[global]
- getwd cache = no</pre></blockquote>
-
-<p>Setting this option to <tt class="literal">no</tt> can significantly
-increase the time it takes to resolve the working directory,
-especially if the <tt class="literal">wide</tt> <tt class="literal">links</tt>
-option is set to <tt class="literal">no</tt>. You should normally not need
-to alter this option.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.4"/>
-
-<a name="INDEX-23"/><h3 class="head3">wide links</h3>
-
-<p>This option specifies whether the client user can follow symbolic
-links that point outside the shared directory tree. This includes any
-files or directories at the other end of the link, as long as the
-permissions are correct for the user. The default value for this
-option is <tt class="literal">yes</tt>. Note that this option will not be
-honored if the <tt class="literal">follow</tt> <tt class="literal">symlinks</tt>
-options is set to <tt class="literal">no</tt>. Setting this option to
-<tt class="literal">no</tt> slows <em class="emphasis">smbd</em> considerably
-because it will have to check each link it encounters.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.5"/>
-
-<h3 class="head3">hide dot files</h3>
-
-<p>The <tt class="literal">hide</tt><a name="INDEX-24"/><a name="INDEX-25"/> <tt class="literal">dot</tt>
-<tt class="literal">files</tt> option hides any files on the server that
-begin with a dot (.) character to mimic the functionality behind
-several shell commands that are present on Unix systems. Like
-<tt class="literal">hide</tt> <tt class="literal">files</tt>, those files that
-begin with a dot have the DOS hidden attribute set, which
-doesn't guarantee that a client cannot view them.
-The default value for this option is <tt class="literal">yes</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.6"/>
-
-<h3 class="head3">hide files</h3>
-
-<p>The <tt class="literal">hide</tt><a name="INDEX-26"/> <tt class="literal">files</tt> option
-provides one or more directory or filename patterns to Samba. Any
-file matching this pattern will be treated as a hidden file from the
-perspective of the client. Note that this simply means that the DOS
-hidden attribute is set, which might or might not mean that the user
-can actually see it while browsing.</p>
-
-<p>Each entry in the list must begin, end, or be separated from another
-entry with a slash (<tt class="literal">/</tt>) character, even if only one
-pattern is listed. This allows spaces to appear in the list.
-Asterisks can be used as a wildcard to represent zero or more
-characters. Questions marks can be used to represent exactly one
-character. For example:</p>
-
-<blockquote><pre class="code">hide files = /.jav*/README.???/</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.7"/>
-
-<a name="INDEX-27"/><h3 class="head3">veto files</h3>
-
-<p>More stringent than the hidden files state is the state provided by
-the <tt class="literal">veto</tt> <tt class="literal">files</tt> configuration
-option. Samba won't even admit these files exist.
-You cannot list or open them from the client. This should not be used
-as a means of implementing security. It is actually a mechanism to
-keep PC programs from deleting special files, such as ones used to
-store the resource fork of a Macintosh file on a Unix filesystem. If
-both Windows and Macs are sharing the same files, this can prevent
-ill-advised power users from removing files the Mac users need.</p>
-
-<p>The syntax of this option is identical to that of the
-<tt class="literal">hide</tt> <tt class="literal">files</tt> configuration
-option: each entry must begin, end, or be separated from another with
-a slash ( / ) character, even if only one pattern is listed.
-Asterisks can be used as a wildcard to represent zero or more
-characters. Question marks can be used to represent exactly one
-character. For example:</p>
-
-<blockquote><pre class="code">veto files = /*config/*default?/</pre></blockquote>
-
-<p>This option is primarily administrative and is not a substitute for
-good file permissions.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.8"/>
-
-<a name="INDEX-28"/><h3 class="head3">delete veto files</h3>
-
-<p>This option tells Samba to delete vetoed files when a user attempts
-to delete the directory in which they reside. The default value is
-<tt class="literal">no</tt>. This means that if a user tries to delete a
-directory that contains a vetoed file, the file (and the directory)
-will not be deleted. Instead, the directory remains and appears empty
-from the perspective of the user. If set to <tt class="literal">yes</tt>,
-the directory and the vetoed files will be deleted. <a name="INDEX-29"/><a name="INDEX-30"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-8-SECT-2"/>
-
-<h2 class="head1">File Permissions and Attributes on MS-DOS and Unix</h2>
-
-<p><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>Originally, DOS was not intended to be a
-multiuser, networked operating system. Unix, on the other hand, was
-designed for multiple users from the start. Consequently, Samba must
-not only be aware of, but also provide special solutions for,
-inconsistencies and gaps in coverage between the two filesystems. One
-of the biggest gaps is how Unix and DOS handle permissions on files.</p>
-
-<p>Let's take a look at how Unix assigns permissions.
-All Unix files have read, write, and execute bits for three
-classifications of users: owner, group, and world. These permissions
-can be seen at the extreme lefthand side when an <em class="emphasis">ls
--al</em> command is issued in a Unix directory. For example:</p>
-
-<blockquote><pre class="code">-rwxr--r-- 1 tom users 2014 Apr 13 14:11 access.conf</pre></blockquote>
-
-<p>Windows, on the other hand, has four principal bits that it uses with
-any file: read-only, system, hidden, and archive. You can view these
-bits by right-clicking the file and choosing the Properties menu
-item. You should see a dialog similar to <a href="ch08.html#samba2-CHP-8-FIG-1">Figure 8-1</a>.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a></p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-1"/><img src="figs/sam2_0801.gif"/></div><h4 class="head4">Figure 8-1. DOS and Windows file properties</h4>
-
-<p>The definition of each bit follows:</p>
-
-<dl>
-<dt><b>Read-only</b></dt>
-<dd>
-<p>The file's contents can be read by a user but cannot
-be written to.</p>
-</dd>
-
-
-
-<dt><b>System</b></dt>
-<dd>
-<p>This file has a specific purpose required by the operating system.</p>
-</dd>
-
-
-
-<dt><b>Hidden</b></dt>
-<dd>
-<p>This file has been marked to be invisible to the user, unless the
-operating system is explicitly set to show it.</p>
-</dd>
-
-
-
-<dt><b>Archive</b></dt>
-<dd>
-<p>This file has been touched since the last DOS backup was performed on
-it.</p>
-</dd>
-
-</dl>
-
-<p>Note that there is no bit to specify that a file is executable. DOS
-and Windows NT filesystems identify executable files by giving them
-the extensions <em class="filename">.exe</em>, <em class="filename">.com</em>,
-<em class="filename">.cmd</em>, or <em class="filename">.bat</em>.</p>
-
-<p>Consequently, there is no use for any of the three Unix executable
-bits that are present on a file in a Samba disk share. DOS files,
-however, have their own attributes that need to be preserved when
-they are stored in a Unix environment: the archive, system, and
-hidden bits. Samba can preserve these bits by reusing the executable
-permission bits of the file on the Unix side&mdash;if it is
-instructed to do so. Mapping these bits, however, has an unfortunate
-side effect: if a Windows user stores a file in a Samba share, and
-you view it on Unix with the <em class="emphasis">ls -al</em> command,
-some of the executable bits won't mean what
-you'd expect them to.</p>
-
-<p>Three Samba options decide whether the bits are mapped:
-<tt class="literal">map</tt><a name="INDEX-34"/> <tt class="literal">archive</tt>,
-<tt class="literal">map</tt><a name="INDEX-35"/> <tt class="literal">system</tt> , and
-<tt class="literal">map</tt><a name="INDEX-36"/> <tt class="literal">hidden</tt>. These options
-map the archive, system, and hidden attributes to the owner, group,
-and world execute bits of the file, respectively. You can add these
-options to the <tt class="literal">[data]</tt> share, setting each of their
-values as follows:</p>
-
-<blockquote><pre class="code">[data]
- map archive = yes
- map system = yes
- map hidden = yes</pre></blockquote>
-
-<p>After that, try creating a file in the share under Unix&mdash;such as
-<em class="emphasis">hello.java</em>&mdash;and change the permissions of
-the file to 755. With these Samba options set, you should be able to
-check the permissions on the Windows side and see that each of the
-three values has been checked in the Properties dialog box. What
-about the read-only attribute? By default, Samba sets this whenever a
-file does not have the Unix owner write permission bit set. In other
-words, you can set this bit by changing the permissions of the file
-to 555.</p>
-
-<p>The default value of the <tt class="literal">map</tt>
-<tt class="literal">archive</tt> option is <tt class="literal">yes</tt>, while
-the other two options have a default value of <tt class="literal">no</tt>.
-This is because many programs do not work properly if the archive bit
-is not stored correctly for DOS and Windows files. The system and
-hidden attributes, however, are not critical for a
-program's operation and are left to the discretion
-of the administrator.</p>
-
-<p><a href="ch08.html#samba2-CHP-8-FIG-2">Figure 8-2</a> summarizes the <a name="INDEX-37"/><a name="INDEX-38"/>Unix permission bits and
-illustrates how Samba maps those bits to DOS attributes. Note that
-the group read/write and world read/write bits do not directly
-translate to a DOS attribute, but they still retain their original
-Unix definitions on the Samba server.</p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-2"/><img src="figs/sam2_0802.gif"/></div><h4 class="head4">Figure 8-2. How Samba and Unix view the permissions of a file</h4>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-2.1"/>
-
-<h3 class="head2">Creation Masks</h3>
-
-<p><a name="INDEX-39"/>File and directory creation masks are
-similar to <a name="INDEX-40"/>umasks you
-have probably encountered while working with Unix systems. They are
-used to help define the permissions that will be assigned to a file
-or directory at the time it is created. Samba's
-masks work differently in that the bits that can be set are set in
-the creation mask, while in Unix umasks, the bits
-<em class="emphasis">cannot</em> be set are set in the umask. We think you
-will find Samba's method to be much more intuitive.
-Once in a while you might need to convert between a Unix umask and
-the equivalent Samba mask. It is simple: one is just the bitwise
-complement of the other. For example, an octal umask of 0022 has the
-same effect as a Samba mask of 0755.</p>
-
-<p>Unix umasks are set on a user-by-user basis, usually while executing
-the GUI's or command-line shell's
-startup scripts. When users connect to a Samba share from a network
-client, these scripts are not executed, so Samba supplies the ability
-to set the creation masks for files and directories. By default, this
-is done on a share-by-share basis, although you can use the
-<tt class="literal">include</tt> parameter in the Samba configuration file
-(as explained in <a href="ch06.html">Chapter 6</a>) to assign masks on a
-user-by-user basis, thus matching conventional Unix behavior.</p>
-
-<p>To show how Samba's create masks work, suppose we
-have a Windows Me user connecting to his Unix home directory through
-Samba, and Samba is configured with <tt class="literal">create</tt>
-<tt class="literal">mask</tt> <tt class="literal">=</tt> <tt class="literal">777</tt>
-in the <tt class="literal">[homes]</tt> share. With this value,
-<tt class="literal">create</tt> <tt class="literal">mask</tt> will not affect the
-bits that are set on new files. If the user creates a file with
-Wordpad, it will appear in the Unix filesystem like this:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l file.doc</b></tt>
--rwxrw-rw- 1 jay jay 0 Sep 21 11:02 file.doc</pre></blockquote>
-
-<p>Wordpad created the file with read/write permissions (i.e., the
-MS-DOS read-only attribute was not set), so Samba mapped the MS-DOS
-attributes to Unix read/write permissions for user, group, and other.
-The <a name="INDEX-41"/><a name="INDEX-42"/>execute bit is set for the owner
-because by default, the <tt class="literal">map</tt>
-<tt class="literal">archive</tt> parameter is set to
-<tt class="literal">yes</tt>. The other execute bits are not set because
-<tt class="literal">map</tt> <tt class="literal">system</tt> and
-<tt class="literal">map</tt> <tt class="literal">hidden</tt> are set to
-<tt class="literal">no</tt> by default. You can customize this behavior as
-you see fit, and unless you do backups from MS-DOS or Windows
-systems, you might want to specify <tt class="literal">map</tt>
-<tt class="literal">archive</tt> <tt class="literal">=</tt> <tt class="literal">no</tt>
-to avoid Windows files from appearing as executables on the Unix
-system.</p>
-
-<p>Now suppose we set
-<tt class="literal">create</tt><a name="INDEX-43"/> <tt class="literal">mask</tt> to have
-an effect. For example:</p>
-
-<blockquote><pre class="code">[homes]
- create mask = 664</pre></blockquote>
-
-<p>This is equivalent to a Unix umask of 113. If the user creates the
-Wordpad document as before, it will show up as:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l file.doc</b></tt>
--rw-rw-r-- 1 jay jay 0 Sep 22 16:38 file.doc</pre></blockquote>
-
-<p>Comparing this to the previous example, notice that not only has the
-write permission for other disappeared as we expected, but so has the
-execute permission for owner. This happened because the value of
-<tt class="literal">create</tt> <tt class="literal">mask</tt> logically ANDs the
-owner's permissions with a 6, which has masked off
-the execute bit. The lesson here is that if you want to enable any of
-<tt class="literal">map</tt> <tt class="literal">archive</tt>,
-<tt class="literal">map</tt> <tt class="literal">system</tt>, or
-<tt class="literal">map</tt> <tt class="literal">hidden</tt>, you must be careful
-not to mask off the corresponding execute bit with your
-<tt class="literal">create</tt> <tt class="literal">mask</tt>.</p>
-
-<p>The <tt class="literal">directory</tt><a name="INDEX-44"/> <tt class="literal">mask</tt>
-option works similarly, masking permissions for newly created
-directories. The following example will allow the permissions of a
-newly created directory to be, at most, 755:</p>
-
-<blockquote><pre class="code">[data]
- directory mask = 755</pre></blockquote>
-
-<p>Also, you can force various bits with the <tt class="literal">force</tt>
-<tt class="literal">create</tt> <tt class="literal">mode</tt> and
-<tt class="literal">force</tt> <tt class="literal">directory</tt>
-<tt class="literal">mode</tt> options. These options will perform a logical
-OR against the file and directory creation masks, ensuring that those
-bits that are specified will always be set. You would typically set
-these options globally to ensure that group and world read/write
-permissions have been set appropriately for new files or directories
-in each share.</p>
-
-<p>In the same spirit, if you wish to set explicitly the Unix user and
-group attributes of a file created on the Windows side, you can use
-the <tt class="literal">force</tt><a name="INDEX-45"/> <tt class="literal">user</tt> and
-<tt class="literal">force</tt><a name="INDEX-46"/> <tt class="literal">group</tt>
-options. For example:</p>
-
-<blockquote><pre class="code">[data]
- create mask = 744
- directory mask = 755
- force user = joe
- force group = accounting</pre></blockquote>
-
-<p>These options assign the same Unix username and group to every client
-that connects to the share. However, this occurs
-<em class="emphasis">after</em> the client authenticates; it does not
-allow free access to a share. These options are frequently used for
-their side effects of assigning a specific user and group to each new
-file or directory that is created in a share. Use these options with
-discretion.</p>
-
-<p>Finally, one of the capabilities of Unix that DOS lacks is the
-ability to delete a read-only file from a writable directory. In
-Unix, if a directory is writable, a read-only file in that directory
-can still be removed. This could permit you to delete files in any of
-your directories, even if the file was left by someone else.</p>
-
-<p>DOS filesystems are not designed for multiple users, and so its
-designers decided that read-only means &quot;protected
-against accidental change, including deletion,&quot;
-rather than &quot;protected against some other user on a
-single-user machine.&quot; So the designers of DOS
-prohibited removal of a read-only file. Even today, Windows
-filesystems exhibit the same behavior.</p>
-
-<p>Normally, this is harmless. Windows programs don't
-try to remove read-only files because they know it's
-a bad idea. However, a number of source-code control
-programs&mdash;which were first written for Unix&mdash;run on Windows
-and require the ability to delete read-only files. Samba permits this
-behavior with the <tt class="literal">delete</tt><a name="INDEX-47"/>
-<tt class="literal">readonly</tt> option. To enable this functionality, set
-the option to <tt class="literal">yes</tt>:</p>
-
-<a name="INDEX-48"/><blockquote><pre class="code">[data]
- delete readonly = yes</pre></blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-2.2"/>
-
-<h3 class="head2">File and Directory Permission Options</h3>
-
-<p><a name="INDEX-49"/><a name="INDEX-50"/><a name="INDEX-51"/>The
-options for file and directory permissions are summarized in <a href="ch08.html#samba2-CHP-8-TABLE-2">Table 8-2</a>; each option is then described in detail.</p>
-
-<a name="samba2-CHP-8-TABLE-2"/><h4 class="head4">Table 8-2. File and directory permission options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">create mask</tt> <tt class="literal">(create mode)</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Maximum permissions for files created by Samba.</p>
-</td>
-<td>
-<p><tt class="literal">0744</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">directory mask</tt> <tt class="literal">(directory mode)</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Maximum permissions for directories created by Samba.</p>
-</td>
-<td>
-<p><tt class="literal">0744</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">force create mode</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Forces the specified permissions (bitwise <tt class="literal">or</tt>) for
-directories created by Samba.</p>
-</td>
-<td>
-<p><tt class="literal">0000</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">force directory</tt> <tt class="literal">mode</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Forces the specified permissions (bitwise <tt class="literal">or</tt>) for
-directories created by Samba.</p>
-</td>
-<td>
-<p><tt class="literal">0000</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">force group</tt> <tt class="literal">(group)</tt></p>
-</td>
-<td>
-<p>string ( group name)</p>
-</td>
-<td>
-<p>Effective group for a user accessing this share.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">force user</tt></p>
-</td>
-<td>
-<p>string (username)</p>
-</td>
-<td>
-<p>Effective username for a user accessing this share.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">delete readonly</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Allows a user to delete a read-only file from a writable directory.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">map archive</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Preserve DOS archive attribute in user execute bit (0100).</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">map system</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Preserve DOS system attribute in group execute bit (0010).</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">map hidden</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Preserve DOS hidden attribute in world execute bit (0001).</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">inherit permissions</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, permissions on new files and directories
-are inherited from parent directory.</p>
-</td>
-<td>
-<p>no</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.1"/>
-
-<a name="INDEX-52"/><h3 class="head3">create mask</h3>
-
-<p>The argument for this option is an octal number indicating which
-permission flags can be set at file creation by a client in a share.
-The default is 0744, which means that the Unix owner can at most
-read, write, and optionally execute her own files, while members of
-the user's group and others can only read or execute
-them. If you need to change it for nonexecutable files, we recommend
-0644, or <tt class="literal">rw-r--r--</tt>. Keep in mind that the execute
-bits can be used by the server to map certain DOS file attributes, as
-described earlier. If you're altering the create
-mask, those bits have to be part of the create mask as well.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.2"/>
-
-<a name="INDEX-53"/><h3 class="head3">directory mask</h3>
-
-<p>The argument for this option is an octal number indicating which
-permission flags can be set at directory creation by a client in a
-share. The default is 0744, which allows everyone on the Unix side
-to, at most, read and traverse the directories, but allows only you
-to modify them. We recommend the mask 0750, removing access by
-&quot;the world.&quot;</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.3"/>
-
-<a name="INDEX-54"/><h3 class="head3">force create mode</h3>
-
-<p>This option sets the permission bits that Samba will set when a file
-permission change is made. It's often used to force
-group permissions, as mentioned previously. It can also be used to
-preset any of the DOS attributes we mentioned: archive (0100), system
-(0010), or hidden (0001).</p>
-
-<a name="samba2-CHP-8-NOTE-139"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p><a name="INDEX-55"/>When saving
-documents, many Windows applications rename their datafiles with a
-<em class="filename">.bak</em> extension and create new ones. When the
-files are in a Samba share, this changes their ownership and
-permissions so that members of the same Unix group
-can't edit them. Setting <tt class="literal">force</tt>
-<tt class="literal">create mode = 0660</tt> will keep the new file editable
-by members of the group.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.4"/>
-
-<a name="INDEX-56"/><h3 class="head3">force directory mode</h3>
-
-<p>This option sets the permission bits that Samba will set when a
-directory permission change is made or a directory is created.
-It's often used to force group permissions, as
-mentioned previously. This option defaults to 0000 and can be used
-just like the <tt class="literal">force</tt> <tt class="literal">create</tt>
-<tt class="literal">mode</tt> to add group or other permissions if needed.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.5"/>
-
-<a name="INDEX-57"/><h3 class="head3">force group</h3>
-
-<p>This option, sometimes called <tt class="literal">group</tt>, assigns a
-static group ID that will be used on all connections to a share after
-the client has successfully authenticated. This assigns a specific
-group to each new file or directory created from an SMB client.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.6"/>
-
-<h3 class="head3">force user</h3>
-
-<p>The <tt class="literal">force</tt><a name="INDEX-58"/> <tt class="literal">user</tt> option
-assigns a static user ID that will be used on all connections to a
-share after the client has successfully authenticated. This assigns a
-specific user to each new file or directory created from an SMB
-client.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.7"/>
-
-<a name="INDEX-59"/><h3 class="head3">delete readonly</h3>
-
-<p>This option allows a user to delete a directory containing a
-read-only file. By default, DOS and Windows will not allow such an
-operation. You probably will want to leave this option turned off
-unless a program (for example, an RCS program) needs this capability;
-many Windows users would be appalled to find that
-they'd accidentally deleted a file that they had set
-as read-only.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.8"/>
-
-<a name="INDEX-60"/><h3 class="head3">map archive</h3>
-
-<p>The DOS archive bit is used to flag a file that has been changed
-since it was last archived (e.g., backed up with the DOS archive
-program). Setting the Samba option <tt class="literal">map</tt>
-<tt class="literal">archive</tt> <tt class="literal">=</tt>
-<tt class="literal">yes</tt> maps the DOS archive flag to the Unix
-execute-by-owner (0100) bit. It's best to leave this
-option on if your Windows users are doing their own backups or are
-using programs that require the archive bit. Unix lacks the notion of
-an archive bit entirely. Backup programs typically keep a file that
-lists what files were backed up on what date, so comparing
-file-modification dates serves the same purpose.</p>
-
-<p>Setting this option to <tt class="literal">yes</tt> causes an occasional
-surprise on Unix when a user notices that a datafile is marked as
-executable, but rarely causes harm. If a user tries to run it, he
-will normally get a string of error messages as the shell tries to
-execute the first few lines as commands. The reverse is also
-possible; an executable Unix program looks like it
-hasn't been backed up recently on Windows. But
-again, this is rare and usually harmless.</p>
-
-<p>For map archive to work properly, the execute bit for owner must not
-be masked off with the <tt class="literal">create</tt>
-<tt class="literal">mask</tt> parameter.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.9"/>
-
-<a name="INDEX-61"/><h3 class="head3">map system</h3>
-
-<p>The DOS system attribute indicates files that are required by the
-operating system and should not be deleted, renamed, or moved without
-special effort. Set this option only if you need to store Windows
-system files on the Unix fileserver. Executable Unix programs will
-appear to be nonremovable, special Windows files when viewed from
-Windows clients. This might prove mildly inconvenient if you want to
-move or remove one. For most sites, however, this is fairly harmless.</p>
-
-<p>For map archive to work properly, the execute bit for group must not
-be masked off with the <tt class="literal">create</tt>
-<tt class="literal">mask</tt> parameter.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.10"/>
-
-<a name="INDEX-62"/><h3 class="head3">map hidden</h3>
-
-<p>DOS uses the hidden attribute to indicate that a file should not
-ordinarily be visible in directory listings. Unix
-doesn't have such a facility; it's
-up to individual programs (notably, the shell) to decide what to
-display and what not to display. Normally, you won't
-have any DOS files that need to be hidden, so the best thing to do is
-to leave this option turned off.</p>
-
-<p>Setting this option to <tt class="literal">yes</tt> causes the server to
-map the hidden flag onto the executable-by-others bit (0001). This
-feature can produce a rather startling effect. Any Unix program that
-is executable by world seems to vanish when you look for it from a
-Windows client. If this option is not set, however, and a Windows
-user attempts to mark a file hidden on a Samba share, it will not
-work&mdash;Samba has no place to store the hidden attribute!</p>
-
-<p>For map archive to work properly, the execute bit for other must not
-be masked off with the <tt class="literal">create</tt>
-<tt class="literal">mask</tt> parameter.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.11"/>
-
-<h3 class="head3">inherit permissions</h3>
-
-<p>When the <tt class="literal">inherit</tt><a name="INDEX-63"/>
-<tt class="literal">permissions</tt> option is set to
-<tt class="literal">yes</tt>, the <tt class="literal">create</tt>
-<tt class="literal">mask</tt>, <tt class="literal">directory</tt>
-<tt class="literal">mask</tt>, <tt class="literal">force</tt>
-<tt class="literal">create</tt> <tt class="literal">mode</tt>, and
-<tt class="literal">force</tt> <tt class="literal">directory</tt>
-<tt class="literal">mode</tt> are ignored. The normal behavior of setting
-the permissions on newly created files is overridden such that the
-new files and directories take on permissions from their parent
-directory. New directories will have exactly the same permissions as
-the parent, and new files will inherit the read and write bits from
-the parent directory, while the execute bits are determined as usual
-by the values of the <tt class="literal">map</tt>
-<tt class="literal">archive</tt>, <tt class="literal">map</tt>
-<tt class="literal">hidden</tt>, and <tt class="literal">map</tt>
-<tt class="literal">system</tt> parameters.</p>
-
-<p>By default, this option is set to <tt class="literal">no</tt>. <a name="INDEX-64"/><a name="INDEX-65"/><a name="INDEX-66"/> <a name="INDEX-67"/><a name="INDEX-68"/><a name="INDEX-69"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-8-SECT-3"/>
-
-<h2 class="head1">Windows NT/2000/XP ACLs</h2>
-
-<p><a name="INDEX-70"/><a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/>Unix and Windows
-have different <a name="INDEX-74"/>security models, and Windows NT/2000/XP
-has a security model that is different from Windows 95/98/Me. One
-area in which this is readily apparent is file protections. On Unix
-systems, the method used has traditionally been the 9-bit
-&quot;user, group, other&quot; system, in
-which read, write, and execute bits can be set separately for the
-owner of the file, the groups to which the owner belongs, and
-everyone else, respectively.</p>
-
-<p><a name="INDEX-75"/>Windows 95/98/Me has a file-protection
-system that is essentially no protection at all. This family of
-operating systems was developed from MS-DOS, which was implemented as
-a non-networked, single-user system. Multiuser security simply was
-never added. One apparent exception to this is user-level security
-for shared files, which we will discuss in <a href="ch09.html">Chapter 9</a>. Here, separate access permissions can be
-assigned to individual network client users or groups. However,
-user-level security on Windows 95/98/Me systems requires a Windows
-NT/2000 or Samba server to perform the actual authentication.</p>
-
-<p>On <a name="INDEX-76"/><a name="INDEX-77"/><a name="INDEX-78"/>Windows NT/2000/XP,
-user-level security is an extension of the native file security
-model, which involves access control lists (ACLs). This system is
-somewhat more extensive than the Unix security model, allowing the
-access rights on individual files to be set separately for any number
-of individual users and/or any number of arbitrary groups of users.
-<a href="ch08.html#samba2-CHP-8-FIG-3">Figure 8-3</a>, <a href="ch08.html#samba2-CHP-8-FIG-4">Figure 8-4</a>,
-and <a href="ch08.html#samba2-CHP-8-FIG-5">Figure 8-5</a> show the dialog boxes on a Windows
-2000 system in which the ACL is set for a file. By right-clicking a
-file's icon and selecting Properties, then selecting
-the Security tab, we get to the dialog box shown in <a href="ch08.html#samba2-CHP-8-FIG-3">Figure 8-3</a>. Here, we can set the basic permissions for a
-file, which are similar to Unix permissions, although not identical.</p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-3"/><img src="figs/sam2_0803.gif"/></div><h4 class="head4">Figure 8-3. The Security tab of the file Properties dialog</h4>
-
-<p>By clicking the Advanced tab, we can bring up the dialog box shown in
-<a href="ch08.html#samba2-CHP-8-FIG-4">Figure 8-4</a>, which shows the list of
-<a name="INDEX-79"/>access control entries (ACEs) in the ACL.
-In this dialog, ACEs can be added to or deleted from the ACL, or an
-existing ACE can be viewed and modified. Each ACE either allows or
-denies a set of permissions for a specific user or group.</p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-4"/><img src="figs/sam2_0804.gif"/></div><h4 class="head4">Figure 8-4. The Permissions tab of the Access Control Settings dialog</h4>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-5"/><img src="figs/sam2_0805.gif"/></div><h4 class="head4">Figure 8-5. Permission Entry dialog, showing the settings of an ACE</h4>
-
-<p><a href="ch08.html#samba2-CHP-8-FIG-5">Figure 8-5</a> shows the dialog box for adding an ACE.
-As you can see, there are more options for permissions in an ACL than
-with the permission bits on typical Unix systems. You can learn more
-about these settings in <em class="citetitle">Essential Windows NT System
-Administration</em>, published by O'Reilly.</p>
-
-<p>In a networked environment where a Samba server is serving files to
-Windows NT/2000/XP clients, Samba has to map Unix permissions for
-files and directories to Windows NT/2000/XP access control lists.
-When a Windows NT/2000/XP client accesses a shared file or directory
-on a Samba server, Samba translates the object's
-ownership, group, and permissions into an ACL and returns them to the
-client.</p>
-
-<p><a href="ch08.html#samba2-CHP-8-FIG-6">Figure 8-6</a> shows the Properties dialog box for the
-file <em class="filename">shopping_list.doc</em> that resides on the Samba
-server.</p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-6"/><img src="figs/sam2_0806.gif"/></div><h4 class="head4">Figure 8-6. The Properties dialog for a file on the Samba server</h4>
-
-<p>From Unix, this file appears as:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l shopping_list.doc</b></tt>
--rw------- 1 adilia users 49 Mar 29 11:58 shopping_list.doc</pre></blockquote>
-
-<p>Notice that because the file has read permissions for the owner, the
-Read-only checkbox will show as cleared, even though the user on the
-Windows client (who is not <tt class="literal">adilia</tt> in this example)
-does not have read access permissions. The checkboxes here show only
-DOS attributes. By clicking the Security tab, we can start to examine
-the ACLs, as shown in <a href="ch08.html#samba2-CHP-8-FIG-7">Figure 8-7</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-7"/><img src="figs/sam2_0807.gif"/></div><h4 class="head4">Figure 8-7. The Security tab of the Properties dialog for a file on the Samba server</h4>
-
-<p>The owner of the file (<tt class="literal">adilia</tt>) is shown as one
-entry, while the group (<tt class="literal">users</tt>) and other
-permissions are presented as the groups called
-<tt class="literal">users</tt> and <tt class="literal">Everyone</tt>. Clicking
-one of the items in the upper windows causes the simplified view of
-the permissions in that item to appear in the bottom window. Here,
-the read/write permissions for <tt class="literal">adilia</tt> appear in a
-manner that makes the security model of Unix and Windows seem
-similar. However, clicking the Advanced . . . button brings up the
-additional dialog box shown in <a href="ch08.html#samba2-CHP-8-FIG-8">Figure 8-8</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-8"/><img src="figs/sam2_0808.gif"/></div><h4 class="head4">Figure 8-8. The Access Control Settings dialog for a file on the Samba server</h4>
-
-<p>In this dialog box, we see the actual ACL of the file. The ACEs for
-<tt class="literal">users</tt> and <tt class="literal">Everyone</tt> are listed
-with Take Ownership in the Permission column. This is a trick used by
-Samba for ACLs that have no permissions on the Unix side. On Windows,
-an ACL with nothing set results in no ACL at all, so Samba sets the
-Take Ownership permission to make sure that all the ACLs
-corresponding to the Unix &quot;user, group,
-other&quot; permissions will show up on Windows. The Take
-Ownership permission has no corresponding Unix attribute, so the
-setting on Windows does not affect the actual file on the Unix system
-in any way. Although Windows client users might be misled into
-thinking they can take ownership of the file (that is, change the
-ownership of the file to themselves), an actual attempt to do so will
-fail.</p>
-
-<p>The Permissions column for the <tt class="literal">adilia</tt> ACL is
-listed as Special because Samba reports permissions for the file that
-do not correspond to settings for which Windows has a more
-descriptive name. Clicking the entry and then clicking the View/Edit
-. . . button brings up the dialog box shown in <a href="ch08.html#samba2-CHP-8-FIG-9">Figure 8-9</a>, in which the details of the ACL permissions
-can be viewed and perhaps modified.</p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-9"/><img src="figs/sam2_0809.gif"/></div><h4 class="head4">Figure 8-9. Permission Entry dialog for a file served by Samba</h4>
-
-<p>We say &quot;perhaps&quot; here because
-checking or unchecking boxes in this dialog box might not result in
-settings that Samba is able to map back into the Unix security model.
-When a user attempts to modify a setting (either permissions or
-ownership) that she does not have authority to change, or does not
-correspond to a valid setting on the Unix system, Samba will respond
-with an error dialog or by quietly ignoring the unmappable settings.</p>
-
-<p>The ACLs for a directory are slightly different. <a href="ch08.html#samba2-CHP-8-FIG-10">Figure 8-10</a> shows the ACL view after clicking the Advanced
-button.</p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-10"/><img src="figs/sam2_0810.gif"/></div><h4 class="head4">Figure 8-10. The Access Control Settings dialog for a directory on the Samba server</h4>
-
-<p>Here, there are two ACLs each for <tt class="literal">users</tt> and
-<tt class="literal">Everyone</tt>. One ACL specifies the permissions for
-the directory itself, and the other specifies permissions for the
-directory's contents. When changing settings in the
-View/Edit... dialog, there is an extra drop-down menu to apply the
-settings either to just the directory or to some combination of the
-directory and the files and directories it contains. If settings are
-applied to more than just the directory, Samba will match the
-behavior of a Windows server and change the permissions on the
-contents of the directory, as specified in the dialog.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-3.1"/>
-
-<h3 class="head2">Unix ACLs</h3>
-
-<p><a name="INDEX-80"/><a name="INDEX-81"/>In
-most cases, users of Windows clients will find the Unix security
-model to be sufficient. However, in some cases, people might want the
-Samba server to support the full Windows ACL security model. Even if
-they don't need the fine-grained control over file
-and directory permissions, they might find Samba's
-translation between ACLs and Unix permissions to be a source of
-confusion or frustration.</p>
-
-<p>When the underlying Unix host operating system supports
-<a name="INDEX-82"/><a name="INDEX-83"/>POSIX.1e ACLs, Samba provides much better
-support of Windows NT/2000/XP ACLs. Versions of Unix that offer the
-necessary support include the following:</p>
-
-<ul><li>
-<p>Solaris 2.6 and later</p>
-</li><li>
-<p>SGI Irix</p>
-</li><li>
-<p>Linux, with Andreas Gr&uuml;nbacher's kernel
-patch from <a href="http://acl.bestbits.at">http://acl.bestbits.at</a>
-that adds ACL support to the Linux ext2 and ext3 filesystems</p>
-</li><li>
-<p>Linux, with the XFS filesystem</p>
-</li><li>
-<p>AIX</p>
-</li><li>
-<p>FreeBSD 5.0 and later</p>
-</li><li>
-<p>HP/UX 11.0 and later, with the JFS 3.3 filesystem layout Version 4</p>
-</li></ul>
-<p>If you are fortunate enough to have a Unix host operating system with
-ACL support already provided, all you need to do is recompile Samba
-using the <tt class="literal">--with-acl-support</tt> configure option, as
-we described in <a href="ch02.html">Chapter 2</a>. If you are running
-Linux and need to patch your kernel, things are much more
-complicated. We suggest you refer to the documentation that comes
-with the patch for details on using it.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-3.2"/>
-
-<h3 class="head2">Configuration Options for ACLs</h3>
-
-<p><a href="ch08.html#samba2-CHP-8-TABLE-3">Table 8-3</a> <a name="INDEX-84"/><a name="INDEX-85"/>shows the Samba configuration options
-for working with Windows NT/2000/XP access control lists.</p>
-
-<a name="samba2-CHP-8-TABLE-3"/><h4 class="head4">Table 8-3. ACL configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">nt acl support</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows users on Windows NT/2000/XP clients
-to modify ACL settings</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">security mask</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Bitmask that allows or denies permission settings on files</p>
-</td>
-<td>
-<p><tt class="literal">0777</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">force security</tt> <tt class="literal">mode</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Bits that are always set when modifying file permissions</p>
-</td>
-<td>
-<p><tt class="literal">0000</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">directory</tt> <tt class="literal">security mask</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Bitmask that allows or denies permission settings on directories</p>
-</td>
-<td>
-<p><tt class="literal">0777</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">force directory</tt> <tt class="literal">security mode</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Bits that are always set when modifying directory permissions</p>
-</td>
-<td>
-<p><tt class="literal">0000</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.1"/>
-
-<a name="INDEX-86"/><h3 class="head3">nt acl support</h3>
-
-<p>This parameter defaults to <tt class="literal">yes</tt>, which allows users
-on Windows NT/2000/XP clients to modify ACL settings for files on the
-Samba server. When set to <tt class="literal">no</tt>, files show up as
-owned by <tt class="literal">Everyone</tt>, with permissions appearing as
-&quot;Full Control&quot;. However,
-<em class="emphasis">actual</em> ownership and permissions are enforced as
-whatever they are set to on the Samba server, and the user on the
-Windows client cannot view or modify them with the dialog boxes used
-for managing ACLs.</p>
-
-<p>When enabled, support for Windows NT/2000/XP ACLs is limited to
-whatever ownerships and permissions can map into valid users and
-permissions on the Samba server. If the server supports ACLs (either
-&quot;out of the box&quot; or with an
-additional patch to enhance the filesystem), Samba's
-ACL support more closely matches that of a Windows NT/2000/XP server.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.2"/>
-
-<h3 class="head3">security mask</h3>
-
-<p>Using the <tt class="literal">security</tt><a name="INDEX-87"/>
-<tt class="literal">mask</tt> option, it is possible to define which file
-permissions users can modify from Windows NT/2000/XP clients. This is
-for files only and not directories, which are handled with the
-<tt class="literal">directory</tt><a name="INDEX-88"/>
-<tt class="literal">security</tt> <tt class="literal">mask</tt> option. The
-parameter is assigned a numeric value that is a Unix-style
-permissions mask. For bits in the mask that are set, the client can
-modify the corresponding bits in the files'
-permissions. If the bit is zero, the client cannot modify that
-permission. For example, if <tt class="literal">security</tt>
-<tt class="literal">mask</tt> is set as:</p>
-
-<blockquote><pre class="code">[data]
- security mask = 0777</pre></blockquote>
-
-<p>the client can modify all the user/group/other permissions for the
-files in the share. This is the default. A value of
-<tt class="literal">0</tt> would deny clients from changing any of the
-permissions, and setting <tt class="literal">security</tt>
-<tt class="literal">mask</tt> as:</p>
-
-<blockquote><pre class="code">[data]
- security mask = 0666</pre></blockquote>
-
-<p>would allow client users to modify the read and write permissions,
-but not the execute permissions.</p>
-
-<p>Do not count on <tt class="literal">security</tt> <tt class="literal">mask</tt>
-for complete control because if the user can access the files on the
-Samba server through any other means (for example, by logging
-directly into the Unix host), he can modify the permissions using
-that method.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.3"/>
-
-<h3 class="head3">force security mode</h3>
-
-<p>The <tt class="literal">force</tt><a name="INDEX-89"/>
-<tt class="literal">security</tt> <tt class="literal">mode</tt> option can be
-used to define a set of permissions that are always set whenever the
-user on a Windows NT/2000/XP client modifies a
-file's permissions. (See the
-<tt class="literal">force</tt> <tt class="literal">directory</tt>
-<tt class="literal">security</tt> <tt class="literal">mode</tt> option for
-handling directories.)</p>
-
-<p>Be careful to understand this properly. The mask given as the
-parameter's value is not necessarily equal to the
-resulting permissions on the file. The permissions that the client
-user attempts to modify are logically OR'd with the
-<tt class="literal">force</tt> <tt class="literal">security</tt>
-<tt class="literal">mode</tt> <tt class="literal">mask</tt> option, and any bits
-that are turned on will cause the file's
-corresponding permissions to be set. As an example, suppose
-<tt class="literal">force</tt> <tt class="literal">security</tt>
-<tt class="literal">mode</tt> is set in a share thusly:</p>
-
-<blockquote><pre class="code">[data]
- force security mode = 0440</pre></blockquote>
-
-<p>(This sets the read bit for owner and group, but not other.) If a
-user on a Windows NT/2000/XP client modifies an ACL on a file in the
-<tt class="literal">[data]</tt> share and attempts to remove all read
-permissions, the read permission for other
-(<tt class="literal">Everyone</tt>) will be removed, but the read
-permission for the owner and group will remain. Note that this
-parameter cannot force a permission bit to be turned off.</p>
-
-<p>As with the <tt class="literal">security</tt> <tt class="literal">mask</tt>
-option, if a user can access the files in the share through any means
-other than Samba, she can easily work around Samba's
-enforcement of this parameter.</p>
-
-<p>The default value of <tt class="literal">force</tt>
-<tt class="literal">security</tt> <tt class="literal">mode</tt> is
-<tt class="literal">0000</tt>, which allows users to remove any permission
-from files.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.4"/>
-
-<a name="INDEX-90"/><h3 class="head3">directory security mask</h3>
-
-<p>This option works exactly the same as the <tt class="literal">security</tt>
-<tt class="literal">mask</tt> option, except that it operates on
-directories rather than files. As with <tt class="literal">security</tt>
-<tt class="literal">mask</tt>, it has a default value of
-<tt class="literal">0777</tt>, which allows Windows NT/2000/XP client users
-to modify all Unix permissions on directories in the share.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.5"/>
-
-<a name="INDEX-91"/><h3 class="head3">force directory security mode</h3>
-
-<p>This option works exactly the same as the <tt class="literal">force</tt>
-<tt class="literal">security</tt> <tt class="literal">mode</tt> option, except
-that it operates on directories rather than files. It also has a
-default value of <tt class="literal">0000</tt>, which allows Windows
-NT/2000/XP client users to remove any permissions from directories in
-the share. <a name="INDEX-92"/><a name="INDEX-93"/><a name="INDEX-94"/><a name="INDEX-95"/> <a name="INDEX-96"/><a name="INDEX-97"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-8-SECT-4"/>
-
-<h2 class="head1">Name Mangling and Case</h2>
-
-<p><a name="INDEX-98"/><a name="INDEX-99"/><a name="INDEX-100"/><a name="INDEX-101"/>Back
-in the days of DOS and Windows 3.1, every filename was limited to
-eight uppercase characters, followed by a dot, and three more
-uppercase characters. This was known as the <em class="firstterm">8.3
-format</em> and was a huge nuisance. Windows 95/98/Me, Windows
-NT/2000/XP, and Unix have since relaxed this problem by allowing
-longer, sometimes case-sensitive, filenames. <a href="ch08.html#samba2-CHP-8-TABLE-4">Table 8-4</a> shows the current naming state of several
-popular operating systems.</p>
-
-<a name="samba2-CHP-8-TABLE-4"/><h4 class="head4">Table 8-4. Operating system filename limitations</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Operating system</p>
-</th>
-<th>
-<p>File-naming rules</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>DOS 6.22 or below</p>
-</td>
-<td>
-<p>Eight characters followed by a dot followed by a three-letter
-extension (8.3 format); case-insensitive</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 3.1 for Workgroups</p>
-</td>
-<td>
-<p>Eight characters followed by a dot followed by a three-letter
-extension (8.3 format); case-insensitive</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 95/98/Me</p>
-</td>
-<td>
-<p>255 characters; case-insensitive but case-preserving</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows NT/2000/XP</p>
-</td>
-<td>
-<p>255 characters; case-insensitive but case-preserving</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Unix</p>
-</td>
-<td>
-<p>255 characters; case-sensitive</p>
-</td>
-</tr>
-
-</table>
-
-<p>Samba still has to remain backward-compatible with network clients
-that store files in just the 8.3 format, such as Windows for
-Workgroups. If a user creates a file on a share called
-<em class="emphasis">antidisestablishmentarianism.txt</em>, a Windows for
-Workgroups client cannot tell it apart from another file in the same
-directory called <em class="emphasis">antidisease.txt</em>. Like Windows
-95/98/Me and Windows NT/2000/XP, Samba has to employ a special method
-for translating a long filename to an 8.3 filename in such a way that
-similar filenames will not cause collisions. This is called
-<em class="firstterm">name mangling</em>, and Samba deals with this in a
-manner that is similar, but not identical to, Windows 95 and its
-successors.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-4.1"/>
-
-<h3 class="head2">The Samba Mangling Operation</h3>
-
-<p><a name="INDEX-102"/>Here is how Samba mangles a long
-filename into an 8.3 filename:</p>
-
-<ul><li>
-<p>If the original filename does not begin with a dot, the first five
-characters before the dot (if there is one) are converted to
-uppercase. These characters are used as the first five characters of
-the 8.3 mangled filename.</p>
-</li><li>
-<p>If the original filename begins with a dot, the dot is removed and
-then the previous step is performed on what is left.</p>
-</li><li>
-<p>These characters are immediately followed by a special mangling
-character: by default, a tilde (~), although Samba allows you to
-change this character.</p>
-</li><li>
-<p>The base of the long filename before the last period is hashed into a
-two-character code; parts of the name after the last dot can be used
-if necessary. This two-character code is appended to the filename
-after the mangling character.</p>
-</li><li>
-<p>The first three characters after the last dot (if there is one) of
-the original filename are converted to uppercase and appended onto
-the mangled name as the extension. If the original filename began
-with a dot, three underscores ( <tt class="literal">_ _ _</tt> ) are used
-as the extension instead.</p>
-</li></ul>
-<p>Here are some examples:</p>
-
-<blockquote><pre class="code">virtuosity.dat VIRTU~F1.DAT
-.htaccess HTACC~U0._ _ _
-hello.java HELLO~1F.JAV
-team.config.txt TEAMC~04.TXT
-antidisestablishmentarianism.txt ANTID~E3.TXT
-antidisease.txt ANTID~9K.TXT</pre></blockquote>
-
-<p>Using these rules will allow Windows for Workgroups to differentiate
-the two files on behalf of the poor individual who is forced to see
-the network through the eyes of that operating system. Note that the
-same long filename should always hash to the same mangled name with
-Samba; this doesn't always happen with Windows. The
-downside of this approach is that there can still be collisions;
-however, the chances are greatly reduced.</p>
-
-<p>You generally want to use the mangling configuration options with
-only the oldest clients. We recommend doing this without disrupting
-other clients by adding an <tt class="literal">include</tt> directive to
-the <em class="filename">smb.conf</em> file:</p>
-
-<blockquote><pre class="code">[global]
- include = /usr/local/samba/lib/smb.conf.%a</pre></blockquote>
-
-<p>This resolves to <em class="filename">smb.conf.WfWg</em> when a Windows
-for Workgroups client attaches. Now you can create a file
-<em class="filename">/usr/local/samba/lib/smb.conf.WfWg</em>, which might
-contain these options:</p>
-
-<blockquote><pre class="code">[global]
- case sensitive = no
- default case = upper
- preserve case = no
- short preserve case = no
- mangle case = yes
- mangled names= yes</pre></blockquote>
-
-<p>If you are not using Windows for Workgroups, you probably do not need
-to change any of these options from their defaults.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.1.1"/>
-
-<h3 class="head3">Representing and resolving filenames with Samba</h3>
-
-<p><a name="INDEX-103"/>Another item that we should
-point out is that there is a difference between how an operating
-system <em class="emphasis">represents</em> a file and how it
-<em class="emphasis">resolves</em> it. For example, you have likely run
-across a file on a Windows system called
-<em class="filename">README.TXT</em>. The file can be represented by the
-operating system entirely in uppercase letters. However, if you open
-an MS-DOS command prompt and enter the command:</p>
-
-<blockquote><pre class="code">C:\&gt; <tt class="userinput"><b>notepad readme.txt</b></tt></pre></blockquote>
-
-<p>the all-caps file is loaded into the editing program, even though you
-typed the name in lowercase letters.</p>
-
-<p>This is because the Windows 95/98/Me and Windows NT/2000/XP families
-of operating systems resolve filenames in a case-insensitive manner,
-even though the files are represented in a case-sensitive manner.
-Unix-based operating systems, on the other hand, always resolve files
-in a case-sensitive manner; if you try to edit
-<em class="filename">README.TXT</em> with the command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>vi readme.txt</b></tt></pre></blockquote>
-
-<p>you will likely be editing the empty buffer of a new file.</p>
-
-<p><a name="INDEX-104"/>Here is how Samba handles case: if the
-<tt class="literal">preserve</tt><a name="INDEX-105"/> <tt class="literal">case</tt> is set
-to <tt class="literal">yes</tt>, Samba will always use the case provided by
-the operating system for representing (not resolving) filenames. If
-it is set to <tt class="literal">no</tt>, it will use the case specified by
-the <tt class="literal">default</tt><a name="INDEX-106"/> <tt class="literal">case</tt> option.
-The same is true for
-<tt class="literal">short</tt><a name="INDEX-107"/>
-<tt class="literal">preserve</tt> <tt class="literal">case</tt>. If this option
-is set to <tt class="literal">yes</tt>, Samba will use the default case of
-the operating system for representing 8.3 filenames; otherwise, it
-will use the case specified by the <tt class="literal">default</tt>
-<tt class="literal">case</tt> option. Finally, Samba will always resolve
-filenames in its shares based on the value of the
-<tt class="literal">case</tt> <tt class="literal">sensitive</tt> option.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-4.2"/>
-
-<h3 class="head2">Mangling Options</h3>
-
-<p><a name="INDEX-108"/><a name="INDEX-109"/>Samba
-allows more refined instructions on how it should perform name
-mangling, including those controlling the case sensitivity, the
-character inserted to form a mangled name, and the ability to map
-filenames manually from one format to another. These options are
-shown in <a href="ch08.html#samba2-CHP-8-TABLE-5">Table 8-5</a>.</p>
-
-<a name="samba2-CHP-8-TABLE-5"/><h4 class="head4">Table 8-5. Name-mangling options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">case sensitive</tt></p>
-
-<p><tt class="literal">(casesignames)</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, treats filenames as case-sensitive
-(Windows doesn't).</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">default case</tt></p>
-</td>
-<td>
-<p>string (<tt class="literal">upper</tt> or <tt class="literal">lower</tt>)</p>
-</td>
-<td>
-<p>Case to assume as default (used only when preserve case is
-<tt class="literal">no</tt>).</p>
-</td>
-<td>
-<p>Lower</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">preserve case</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, keep the case the client supplied (i.e.,
-do not convert to <tt class="literal">default</tt>
-<tt class="literal">case</tt>).</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">short preserve case</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, preserve case of 8.3-format names that the
-client provides.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">mangled names</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Mangles long names into 8.3 DOS format.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">mangle case</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Mangle a name if it is mixed case.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">mangling char</tt></p>
-</td>
-<td>
-<p>string (single character)</p>
-</td>
-<td>
-<p>Gives mangling character.</p>
-</td>
-<td>
-<p><tt class="literal">~</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">mangled stack</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Number of mangled names to keep on the local mangling stack.</p>
-</td>
-<td>
-<p><tt class="literal">50</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">mangled map</tt></p>
-</td>
-<td>
-<p>string (list of patterns)</p>
-</td>
-<td>
-<p>Allows mapping of filenames from one format into another.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.1"/>
-
-<a name="INDEX-110"/><h3 class="head3">case sensitive</h3>
-
-<p>This share-level option, which has the obtuse synonym
-<tt class="literal">casesignames</tt>, specifies whether Samba should
-preserve case when resolving filenames in a specific share. The
-default value for this option is <tt class="literal">no</tt>, which is how
-Windows handles file resolution. If clients are using an operating
-system that takes advantage of case-sensitive filenames, you can set
-this configuration option to <tt class="literal">yes</tt> as shown here:</p>
-
-<blockquote><pre class="code">[accounting]
- case sensitive = yes</pre></blockquote>
-
-<p>Otherwise, we recommend that you leave this option set to its default.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.2"/>
-
-<h3 class="head3">default case</h3>
-
-<p>The <tt class="literal">default</tt><a name="INDEX-111"/> <tt class="literal">case</tt> option
-is used with <tt class="literal">preserve</tt> <tt class="literal">case</tt>.
-This specifies the default case (upper or lower) Samba uses to create
-a file on one of its shares on behalf of a client. The default case
-is <tt class="literal">lower</tt>, which means that newly created files
-will have lowercase names. If you need to, you can override this
-global option by specifying the following:</p>
-
-<blockquote><pre class="code">[global]
- default case = upper</pre></blockquote>
-
-<p>If you specify this value, the names of newly created files are
-translated into uppercase and cannot be overridden in a program. We
-recommend that you use the default value unless you are dealing with
-a Windows for Workgroups or other 8.3 client, in which case it should
-be <tt class="literal">upper</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.3"/>
-
-<a name="INDEX-112"/><h3 class="head3">preserve case</h3>
-
-<p>This option specifies whether a file created by Samba on behalf of
-the client is created with the case provided by the client operating
-system or the case specified by the earlier
-<tt class="literal">default</tt> <tt class="literal">case</tt> configuration
-option. The default value is <tt class="literal">yes</tt>, which uses the
-case provided by the client operating system. If it is set to
-<tt class="literal">no</tt>, the value of the <tt class="literal">default</tt>
-<tt class="literal">case</tt> option (upper or lower) is used.</p>
-
-<p>Note that this option does not handle 8.3 file requests sent from the
-client&mdash;see the upcoming <tt class="literal">short</tt>
-<tt class="literal">preserve</tt> <tt class="literal">case</tt> option. You might
-want to set this option to <tt class="literal">yes</tt>, for example, if
-applications that create files on the Samba server demand the file be
-all uppercase. If instead you want Samba to mimic the behavior of a
-Windows NT filesystem, you can leave this option set to its default,
-<tt class="literal">yes</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.4"/>
-
-<a name="INDEX-113"/><h3 class="head3">short preserve case</h3>
-
-<p>This option specifies whether an 8.3 filename created by Samba on
-behalf of the client is created with the default case of the client
-operating system or the case specified by the
-<tt class="literal">default</tt> <tt class="literal">case</tt> configuration
-option. The default value is <tt class="literal">yes</tt>, which uses the
-case provided by the client operating system. You can let Samba
-choose the case through the <tt class="literal">default</tt>
-<tt class="literal">case</tt> option by setting it as follows:</p>
-
-<blockquote><pre class="code">[global]
- short preserve case = no</pre></blockquote>
-
-<p>If you want to force Samba to mimic the behavior of a Windows NT
-filesystem, you can leave this option set to its default,
-<tt class="literal">yes</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.5"/>
-
-<a name="INDEX-114"/><h3 class="head3">mangled names</h3>
-
-<p>This share-level option specifies whether Samba will mangle filenames
-for 8.3 clients. If the option is set to <tt class="literal">no</tt>, Samba
-will not mangle the names, and (depending on the client) they will
-either be invisible or appear truncated to those using 8.3 operating
-systems. The default value is <tt class="literal">yes</tt>. You can
-override it per share as follows:</p>
-
-<blockquote><pre class="code">[data]
- mangled names = no</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.6"/>
-
-<a name="INDEX-115"/><h3 class="head3">mangle case</h3>
-
-<p>This option tells Samba whether it should mangle filenames that are
-not composed entirely of the case specified using the
-<tt class="literal">default</tt> <tt class="literal">case</tt> configuration
-option. The default for this option is <tt class="literal">no</tt>. If you
-set it to <tt class="literal">yes</tt>, you should be sure that all clients
-can handle the mangled filenames that result. You can override it per
-share as follows:</p>
-
-<blockquote><pre class="code">[data]
- mangle case = yes</pre></blockquote>
-
-<p>We recommend that you leave this option alone unless you have a
-well-justified need to change it.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.7"/>
-
-<a name="INDEX-116"/><h3 class="head3">mangling char</h3>
-
-<p>This share-level option specifies the mangling character used when
-Samba mangles filenames into the 8.3 format. The default character
-used is a tilde (~). You can reset it to whatever character you wish.
-For instance:</p>
-
-<blockquote><pre class="code">[data]
- mangling char = #</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.8"/>
-
-<a name="INDEX-117"/><h3 class="head3">mangled stack</h3>
-
-<p>Samba maintains a local stack of recently mangled 8.3 filenames; this
-stack can be used to reverse-map mangled filenames back to their
-original state. This is often needed by applications that create and
-save a file, close it, and need to modify it later. The default
-number of long filename/mangled filename pairs stored on this stack
-is 50. However, if you want to cut down on the amount of processor
-time used to mangle filenames, you can increase the size of the stack
-to whatever you wish, at the expense of memory and slightly slower
-file access:</p>
-
-<blockquote><pre class="code">[global]
- mangled stack = 100</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.9"/>
-
-<a name="INDEX-118"/><h3 class="head3">mangled map</h3>
-
-<p>If the default behavior of name mangling is not sufficient, you can
-give Samba further instructions on how to behave using the
-<tt class="literal">mangled</tt> <tt class="literal">map</tt> option. This option
-allows you to specify mapping patterns that can be used in place of
-name mangling performed by Samba. For example:</p>
-
-<blockquote><pre class="code">[data]
- mangled map =(*.database *.db) (*.class *.cls)</pre></blockquote>
-
-<p>Here, Samba is instructed to search each encountered file for
-characters that match the first pattern specified in the parenthesis
-and convert them to the modified second pattern in the parenthesis
-for display on an 8.3 client. This is useful in the event that name
-mangling converts the filename incorrectly or converts it to a format
-that the client cannot understand readily. Patterns are separated by
-whitespaces. <a name="INDEX-119"/><a name="INDEX-120"/> <a name="INDEX-121"/><a name="INDEX-122"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-8-SECT-5"/>
-
-<h2 class="head1">Locks and Oplocks</h2>
-
-<p><a name="INDEX-123"/><a name="INDEX-124"/><a name="INDEX-125"/><a name="INDEX-126"/>Concurrent
-writes to a single file are not desirable in any operating system. To
-prevent this, most operating systems use <em class="firstterm">locks</em>
-to guarantee that only one process can write to a file at a time.
-Operating systems traditionally lock entire files, although newer
-ones allow a range of bytes within a file to be locked. If another
-process attempts to write to a file (or section of one) that is
-already locked, it receives an error from the operating system and
-will have to wait until the lock is released.</p>
-
-<p>Samba supports the standard DOS and NT filesystem (deny-mode) locking
-requests&mdash;which allow only one process to write to an entire
-file on a server at a given time&mdash;as well as byte-range locking.
-In addition, Samba supports a locking mechanism known in the Windows
-NT world as <em class="firstterm">opportunistic locking,
-</em><a name="INDEX-127"/>or<em class="firstterm">
-</em><em class="emphasis">oplock</em> for short.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-5.1"/>
-
-<h3 class="head2">Opportunistic Locking</h3>
-
-<p>Opportunistic locking allows a client to notify the Samba server that
-it will not only be the exclusive writer of a file, but will also
-cache its changes to that file locally to speed up access by reducing
-network activity. This can result in a large performance
-gain&mdash;typically 30%&mdash;while at the same time reserving
-network bandwidth for other purposes.</p>
-
-<p>Because exclusive access can be obtained using regular file locks,
-the value of opportunistic locks is not so much to lock the file as
-it is to cache it. In fact, a better name for opportunistic locking
-might be <em class="firstterm">opportunistic caching</em>.</p>
-
-<p>When Samba knows that a file in one of its shares has been oplocked
-by a client, it marks its version as having an opportunistic lock and
-waits for the client to complete work on the file, at which point it
-expects the client to send its changes back to the Samba server for
-synchronization with the copy on the server.</p>
-
-<p>If a second client requests access to that file before the first
-client has finished working on it, Samba sends an oplock break
-request to the first client. This tells the client to stop caching
-its changes and return the current state of the file to the server so
-that the interrupting client can use it as it sees fit. An
-opportunistic lock, however, is not a replacement for a standard
-deny-mode lock. It is not unheard of for the interrupting process to
-be granted an oplock break only to discover that the original process
-also has a deny-mode lock on a file as well. <a href="ch08.html#samba2-CHP-8-FIG-11">Figure 8-11</a> illustrates this <a name="INDEX-128"/>opportunistic locking process.</p>
-
-<div class="figure"><a name="samba2-CHP-8-FIG-11"/><img src="figs/sam2_0811.gif"/></div><h4 class="head4">Figure 8-11. Opportunistic locking</h4>
-
-<p>In most cases, the extra performance resulting from the use of
-oplocks is highly desirable. However, allowing the client to cache
-data can be a big risk if either the client or network hardware are
-unreliable. Suppose a client opens a file for writing, creating an
-oplock on it. When another client also tries to open the file, an
-oplock break request is sent to the first client. If this request
-goes unfulfilled for any reason and the second client starts writing
-to the file, the file can be easily corrupted as a result of the two
-processes writing to it concurrently. Unfortunately, this scenario is
-very real. Uncoordinated behavior such as this has been observed many
-times among Windows clients in SMB networks (with files served by
-Windows NT/2000 or Samba). Typically, the affected files are database
-files, which multiple clients open concurrently for writing.</p>
-
-<p>A more concrete example of <a name="INDEX-129"/>oplock failure occurs when database
-files are very large. If a client is allowed to oplock this kind of
-file, there can be a huge delay while the client copies the entire
-file from the server to cache it, even though it might need to update
-only one record. The situation goes from bad to worse when another
-client tries to open the oplocked file. The first client might need
-to write the entire file back to the server before the second
-client's file open request can succeed. This results
-in another huge delay (for both clients), which in practice often
-results in a failed open due to a timeout on the second client,
-perhaps along with a message warning of possible database corruption!</p>
-
-<p>If you are having problems of this variety, you can turn off oplocks
-for the affected files by using the
-<tt class="literal">veto</tt><a name="INDEX-130"/> <tt class="literal">oplock</tt>
-<tt class="literal">files</tt> parameter:</p>
-
-<blockquote><pre class="code">[dbdata]
- veto oplock files = /*.dbm/</pre></blockquote>
-
-<p>Use the value of the parameter (a list of filename-matching patterns
-separated by slash characters) to match all the files in the share
-that might be a source of trouble. The syntax of this parameter is
-similar to that of the <tt class="literal">veto</tt>
-<tt class="literal">files</tt> parameter.</p>
-
-<p>If you want to be really careful and can live with reduced
-performance, you can turn off oplocks altogether, preventing the
-oplock break problem from ever occurring:</p>
-
-<blockquote><pre class="code">[global]
- oplocks = no</pre></blockquote>
-
-<p>This disables oplocks for all files in all shares served by the Samba
-server. If you wish to disable oplocks in just a specific share, you
-can specify the <tt class="literal">oplocks</tt> <tt class="literal">=</tt>
-<tt class="literal">no</tt> parameter in just that share:</p>
-
-<blockquote><pre class="code">[database]
- oplocks = no</pre></blockquote>
-
-<p>This example allows other shares, which might have less sensitive
-data, to attain better performance, while trading performance for
-better data integrity for files in the <tt class="literal">[database]</tt>
-share.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-5.2"/>
-
-<h3 class="head2">Unix and Oplocks</h3>
-
-<p><a name="INDEX-131"/>Most of the time, oplocks help Windows
-client systems cooperate to avoid overwriting each
-other's changes. Unix systems also have file-locking
-mechanisms to allow Unix processes to cooperate with each other. But
-if a file stored on a Samba system is accessed by both a Windows
-network client and a local Unix process&mdash;without an additional
-coordination between the two systems&mdash;the Unix process could
-easily ride roughshod over an oplock.</p>
-
-<p>Some Unix systems have enhanced kernels that understand the Windows
-oplocks maintained by Samba. Currently the support exists only in SGI
-Irix and Linux.</p>
-
-<p>If you leave oplocks enabled and your Unix system does not support
-kernel oplocks, you could end up with corrupted data when somebody
-runs a Unix process that reads or writes a file that Windows users
-also access. This is another case where the
-<tt class="literal">veto</tt><a name="INDEX-132"/> <tt class="literal">oplock</tt>
-<tt class="literal">files</tt> parameter can be used, assuming you can
-anticipate which Samba files are used by both Windows users and Unix
-users. For example, suppose the <tt class="literal">[usrfiles]</tt> share
-contains some ASCII text files with the <em class="filename">.txt</em>
-filename extension and OpenOffice word processor documents with the
-<em class="filename">.doc</em> filename extension, which Unix and Windows
-users both modify. We can use <tt class="literal">veto</tt>
-<tt class="literal">oplock</tt> <tt class="literal">files</tt> like this:</p>
-
-<blockquote><pre class="code">[usrfiles]
- veto oplock files = /*.txt/*.doc/</pre></blockquote>
-
-<p>This will suppress the use of oplocks on <em class="filename">.txt</em>
-and <em class="filename">.doc</em> files, which will suppress client
-caching, while allowing the Windows and Unix programs to use regular
-file locking to prevent concurrent writes to the same file.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-5.3"/>
-
-<h3 class="head2">Locks and Oplocks Configuration Options</h3>
-
-<p><a name="INDEX-133"/><a name="INDEX-134"/>Samba's options for
-locks and oplocks are given in <a href="ch08.html#samba2-CHP-8-TABLE-6">Table 8-6</a>.</p>
-
-<a name="samba2-CHP-8-TABLE-6"/><h4 class="head4">Table 8-6. Locks and oplocks configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">locking</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, turns on byte-range locks.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">strict</tt> <tt class="literal">locking</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, denies access to an entire file if a
-byte-range lock exists in it.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">posix locking</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, maps oplocks to POSIX locks on the local
-system.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">oplocks</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, turns on local caching of files on the
-client for this share.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">kernel</tt> <tt class="literal">oplocks</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, indicates that the kernel supports oplocks.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">level2 oplocks</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows oplocks to downgrade to read-only.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">fake oplocks</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, tells client the lock was obtained, but
-doesn't actually lock it.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">blocking</tt> <tt class="literal">locks</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Allows lock requestor to wait for the lock to be granted.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">veto oplock</tt> <tt class="literal">files</tt></p>
-</td>
-<td>
-<p>string (list of filenames)</p>
-</td>
-<td>
-<p>Does not oplock specified files.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lock</tt> <tt class="literal">directory</tt></p>
-</td>
-<td>
-<p>string (fully qualified pathname)</p>
-</td>
-<td>
-<p>Sets the location where various Samba files, including locks, are
-stored.</p>
-</td>
-<td>
-<p>As specified in Samba makefile</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.1"/>
-
-<h3 class="head3">locking</h3>
-
-<p>The <tt class="literal">locking</tt><a name="INDEX-135"/> option can be used to tell
-Samba to engage or disengage server-side byte-range locks on behalf
-of the client. Samba implements byte-range locks on the server side
-with normal Unix advisory locks and consequently prevents other
-properly behaved Unix processes from overwriting a locked byte range.</p>
-
-<p>This option can be specified per share as follows:</p>
-
-<blockquote><pre class="code">[accounting]
- locking = yes</pre></blockquote>
-
-<p>If the <tt class="literal">locking</tt> option is set to
-<tt class="literal">yes</tt>, the requestor is delayed until the holder of
-either type of lock releases it (or crashes). If, however, the option
-is set to <tt class="literal">no</tt>, no byte-range locks are kept for the
-files, although requests to lock and unlock files will appear to
-succeed. The option is set to <tt class="literal">yes</tt> by default;
-however, you can turn this option off if you have read-only media.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.2"/>
-
-<a name="INDEX-136"/><h3 class="head3">strict locking</h3>
-
-<p>This option checks every file access for a byte-range lock on the
-range of bytes being accessed. This is typically not needed if a
-client adheres to all the locking mechanisms in place. This option is
-set to <tt class="literal">no</tt> by default; however, you can reset it
-per share as follows:</p>
-
-<blockquote><pre class="code">[accounting]
- strict locking = yes</pre></blockquote>
-
-<p>If this option is set to <tt class="literal">yes</tt>, mandatory locks are
-enforced on any file with byte-range locks.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.3"/>
-
-<a name="INDEX-137"/><h3 class="head3">posix locking</h3>
-
-<p>On systems that support POSIX locking, Samba automatically maps
-oplocks to POSIX locks. This behavior can be disabled by setting
-<tt class="literal">posix</tt> <tt class="literal">locking</tt>
-<tt class="literal">=</tt> <tt class="literal">no</tt>. You should never need to
-change the default behavior, which is <tt class="literal">posix</tt>
-<tt class="literal">locking</tt> <tt class="literal">=</tt>
-<tt class="literal">yes</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.4"/>
-
-<a name="INDEX-138"/><h3 class="head3">oplocks</h3>
-
-<p>This option enables or disables support for oplocks on the client.
-The option is enabled by default. However, you can disable it with
-the following command:</p>
-
-<blockquote><pre class="code">[data]
- oplocks = no</pre></blockquote>
-
-<p>If you are in an extremely unstable network environment or have many
-clients that cannot take advantage of opportunistic locking, it might
-be better to shut this Samba feature off. If the host operating
-system does not support kernel oplocks, oplocks should be disabled if
-users are accessing the same files from both Unix applications (such
-as <em class="emphasis">vi</em>) and SMB clients.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.5"/>
-
-<a name="INDEX-139"/><h3 class="head3">kernel oplocks</h3>
-
-<p>If a Unix application on the Samba host system (that is not part of
-the Samba suite) tries to open a file for writing that Samba has
-oplocked to a Windows client, it is likely to succeed (depending on
-the operating system), and both Samba and the client are never aware
-of it.</p>
-
-<p>Some versions of Unix have support for oplocks in the kernel that can
-work along with Samba's oplocks. In this case, the
-Unix process trying to open the file is suspended while Samba directs
-the client to write its copy back. After that has happened, the
-operating system allows the open to complete. At the time of this
-writing, this feature is supported only by SGI Irix and Linux.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.6"/>
-
-<a name="INDEX-140"/><h3 class="head3">level2 oplocks</h3>
-
-<p>Windows NT/2000/XP clients can downgrade their read-write oplocks to
-read-only oplocks when another client opens the same file. This can
-result in significant improvements in performance on files that are
-written infrequently or not at all&mdash;especially
-executables&mdash;because all clients can then maintain a read-ahead
-cache for the file. By default, <tt class="literal">level2</tt>
-<tt class="literal">oplocks</tt> is set to <tt class="literal">yes</tt>, and you
-probably won't need to change it.</p>
-
-<p>Currently, Samba cannot support level 2 oplocks along with kernel
-oplocks and automatically disables level 2 oplocks when kernel
-oplocks are in use. (This might change in future releases as improved
-support for oplocks is added by the Samba developers.) If you are
-running Samba on a host system that supports kernel oplocks, you must
-set <tt class="literal">kernel</tt> <tt class="literal">oplocks</tt>
-<tt class="literal">=</tt> <tt class="literal">no</tt> to enable support for
-level 2 oplocks.</p>
-
-<p>Disabling oplocks with <tt class="literal">oplocks</tt>
-<tt class="literal">=</tt> <tt class="literal">no</tt> also disables level 2
-oplocks.</p>
-
-<p>Samba can automatically detect its Unix host's
-support of kernel oplocks and will set the value of
-<tt class="literal">kernel</tt> <tt class="literal">oplocks</tt> automatically.
-You should never need to set this option in your Samba configuration
-file.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.7"/>
-
-<a name="INDEX-141"/><h3 class="head3">fake oplocks</h3>
-
-<p>When this option is set to <tt class="literal">yes</tt>, Samba pretends to
-allow oplocks rather than actually supporting them. If this option is
-enabled on a read-only share (such as a shared CD-ROM drive), all
-clients are told that the files are available for opportunistic
-locking and never warned of simultaneous access. As a result, Windows
-clients cache more of the file's data and obtain
-much better performance.</p>
-
-<p>This option was added to Samba before opportunistic-locking support
-was available, and it is now generally considered better to use real
-oplocks. Do not ever enable <tt class="literal">fake</tt>
-<tt class="literal">oplocks</tt> on a read/write share.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.8"/>
-
-<h3 class="head3">blocking locks</h3>
-
-<p>Samba also supports <em class="firstterm">blocking locks</em>, a minor
-variant of range locks. Here, if the range of bytes is not available,
-the client specifies an amount of time that it's
-willing to wait. The server then caches the lock request,
-periodically checking to see if the file is available. If it is, it
-notifies the client; however, if time expires, Samba will tell the
-client that the request has failed. This strategy prevents the client
-from continually polling to see if the lock is available.</p>
-
-<p>You can disable this option per share as follows:</p>
-
-<blockquote><pre class="code">[accounting]
- blocking locks = no</pre></blockquote>
-
-<p>When set to <tt class="literal">yes</tt>, blocking locks are enforced on
-the file. If this option is set to <tt class="literal">no</tt>, Samba
-behaves as if normal locking mechanisms are in place on the file. The
-default is <tt class="literal">yes</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.9"/>
-
-<a name="INDEX-142"/><h3 class="head3">veto oplock files</h3>
-
-<p>You can provide a list of filenames that are never granted
-opportunistic locks with the <tt class="literal">veto</tt>
-<tt class="literal">oplock</tt> <tt class="literal">files</tt> option. This
-option can be set either globally or on a per-share basis. For
-example:</p>
-
-<blockquote><pre class="code">veto oplock files = /*.bat/*.htm/</pre></blockquote>
-
-<p>The value of this option is a series of patterns. Each pattern entry
-must begin, end, or be separated from another with a slash ( / )
-character, even if only one pattern is listed. Asterisks can be used
-as a wildcard to represent zero or more characters. Questions marks
-can be used to represent exactly one character.</p>
-
-<p>We recommend that you disable oplocks on any files that are meant to
-be updated by Unix or are intended for simultaneous sharing by
-several processes.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.10"/>
-
-<a name="INDEX-143"/><h3 class="head3">lock directory</h3>
-
-<p>This option (sometimes called <tt class="literal">lock</tt>
-<tt class="literal">dir</tt>) specifies the location of a directory where
-Samba will store SMB deny-mode lock files. Samba stores other files
-in this directory as well, such as browse lists and its shared memory
-file. If WINS is enabled, the WINS database is written to this
-directory as well. The default for this option is specified in the
-Samba makefile; it is typically
-<em class="filename">/usr/local/samba/var/locks</em>. You can override
-this location as follows:</p>
-
-<blockquote><pre class="code">[global]
- lock directory = /usr/local/samba/locks</pre></blockquote>
-
-<p>You typically would not need to override this option, unless you want
-to move the lock files to a more standard location, such as
-<em class="filename">/var/spool/locks</em>. <a name="INDEX-144"/> <a name="INDEX-145"/><a name="INDEX-146"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-8-SECT-6"/>
-
-<h2 class="head1">Connection Scripts</h2>
-
-<p><a name="INDEX-147"/><a name="INDEX-148"/><a name="INDEX-149"/>Samba supports a mechanism called
-<em class="firstterm">connection scripts</em>, by which commands can be
-executed on the server as clients connect to a share or later
-disconnect from it. By using configuration file variables along with
-some custom programming, you can create connection scripts that
-perform a wide range of functions. As a simple example, here is a
-&quot;quick and dirty&quot; way to monitor
-connections to shares on the Samba server in real time. First, the
-value of the <tt class="literal">preexec</tt><a name="INDEX-150"/> parameter is set as
-follows:</p>
-
-<blockquote><pre class="code">[global]
- preexec = /bin/echo %u at %m connected to //%L/%S on %T &gt;&gt;/tmp/smblog</pre></blockquote>
-
-<p>This causes information about the user and the connection to be
-written to the file <em class="filename">/tmp/smblog</em> whenever any
-client connects to any share. To watch clients connect, run the
-following command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>tail -f /tmp/smblog</b></tt>
-jay at maya connected to //toltec/data on 2002/11/21 21:21:15
-david at apache connected to //toltec/techs on 2002/11/21 21:21:57
-sally at seminole connected to //toltec/payroll on 2002/11/21 21:22:16
-martha at dine connected to //toltec/profiles on 2002/11/21 21:23:38
-martha at dine connected to //toltec/netlogon on 2002/11/21 21:23:39
-martha at dine connected to //toltec/martha on 2002/11/21 21:23:40
-aaron at huastec connected to //toltec/netlogon on 2002/11/21 21:24:19
-aaron at huastec connected to //toltec/aaron on 2002/11/21 21:24:20</pre></blockquote>
-
-<p>With the <em class="emphasis">-f</em> option, the
-<em class="emphasis">tail</em> command monitors
-<em class="filename">/tmp/smblog</em> and prints additional output as new
-data is appended to the file. Every time a new connection is made, an
-additional line is printed, showing the output of the
-<tt class="literal">preexec</tt> command. Notice the lines resulting from
-connections by user <tt class="literal">martha</tt> and
-<tt class="literal">aaron</tt>. User <tt class="literal">martha</tt> logged on to
-the domain from a Windows NT client, which accessed the
-<tt class="literal">[profiles]</tt> share to download her profile, then the
-<tt class="literal">[netlogon]</tt> share to read the logon script, and
-then her home directory (because her logon script contains a
-<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">H</tt>:
-<tt class="literal">/home</tt> command) to connect her home directory to
-drive letter H. The connections from <tt class="literal">aaron</tt> are
-similar, except that he connected from a Windows 98 system, which
-does not use the <tt class="literal">[profiles]</tt> share. (See <a href="ch04.html">Chapter 4</a> for more information about domain logons.)</p>
-
-<p>A more advanced use of
-<a name="INDEX-151"/><a name="INDEX-152"/>connection scripts is to monitor the
-contents of users' home directories and/or other
-shared directories and perform checks ensuring that local
-administrative policies are followed. Checked items might include the
-following:</p>
-
-<ul><li>
-<p>Disk usage, on a per-share, per-directory, or per-file basis</p>
-</li><li>
-<p>Types of files stored on the server</p>
-</li><li>
-<p>Whether filenames follow naming guidelines</p>
-</li><li>
-<p>Whether viruses have copied themselves to the Samba server</p>
-</li></ul>
-<p>To handle this kind of task, a shell script or other program would be
-written to perform the checks and take appropriate actions, such as
-removing offending files. The <tt class="literal">root</tt>
-<tt class="literal">preexec</tt> parameter would be used to run the command
-as the root user, using configuration file variables to pass
-arguments. For example:</p>
-
-<blockquote><pre class="code">[homes]
- root preexec = admin_checks %S
- root preexec close = yes</pre></blockquote>
-
-<p>In this example, a specially written administrative checking program
-(<em class="emphasis">admin_checks</em>) is used to monitor
-users' home directories on the Samba server. The
-<tt class="literal">%S</tt> variable is used to pass the name of the home
-directory to the script. The
-<tt class="literal">root</tt><a name="INDEX-153"/> <tt class="literal">preexec</tt>
-<tt class="literal">close</tt> parameter has been set to
-<tt class="literal">yes</tt> so that if <em class="emphasis">admin_checks</em>
-detects a serious violation of local policy, it can exit with a
-nonzero status, and the client is prevented from connecting.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-6.1"/>
-
-<h3 class="head2">Connection Script Options</h3>
-
-<p><a href="ch08.html#samba2-CHP-8-TABLE-7">Table 8-7</a> introduces some of the configuration
-options provided for setting up users.</p>
-
-<a name="samba2-CHP-8-TABLE-7"/><h4 class="head4">Table 8-7. Connection script options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">root preexec</tt></p>
-</td>
-<td>
-<p>string (Unix command)</p>
-</td>
-<td>
-<p>Sets a Unix command to run as <tt class="literal">root</tt>, before
-connecting to the share.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">root preexec close</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">yes</tt>, nonzero exit status of
-<tt class="literal">root preexec</tt> command will disconnect.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">preexec</tt> <tt class="literal">(exec)</tt></p>
-</td>
-<td>
-<p>string (Unix command)</p>
-</td>
-<td>
-<p>Sets a Unix command to run as the user before connecting to the share.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">preexec close</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If set to <tt class="literal">yes</tt>, nonzero exit status of
-<tt class="literal">preexec</tt> command will disconnect.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">postexec</tt></p>
-</td>
-<td>
-<p>string (Unix command)</p>
-</td>
-<td>
-<p>Sets a Unix command to run as the user after disconnecting from the
-share.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">root</tt> <tt class="literal">postexec</tt></p>
-</td>
-<td>
-<p>string (Unix command)</p>
-</td>
-<td>
-<p>Sets a Unix command to run as <tt class="literal">root</tt> after
-disconnecting from the share.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.1"/>
-
-<a name="INDEX-156"/><h3 class="head3">root preexec</h3>
-
-<p>This option specifies as its value a Unix command to be run
-<em class="emphasis">as the root user</em> before any connection to a
-share is completed. You should use this option specifically for
-performing actions that require root privilege.</p>
-
-<p>To ensure security, users should never be able to modify the target
-of the <tt class="literal">root</tt> <tt class="literal">preexec</tt> command. In
-addition, unless you explicitly redirect it, any information the
-command sends to standard output will be discarded. If you intend to
-use any <tt class="literal">preexec</tt> or <tt class="literal">postexec</tt>
-script, you should ensure that it will run correctly before having
-Samba invoke it.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.2"/>
-
-<a name="INDEX-157"/><h3 class="head3">root preexec close</h3>
-
-<p>Sometimes you might want the share to disconnect if the
-<tt class="literal">root</tt> <tt class="literal">preexec</tt> script fails,
-giving the client an error rather than allowing it to connect. For
-example, if you are using <tt class="literal">root</tt>
-<tt class="literal">preexec</tt> to mount a CD-ROM or filesystem, it would
-make no sense to connect the client to it in the event that the mount
-fails. If you specify <tt class="literal">root</tt>
-<tt class="literal">preexec</tt> <tt class="literal">close</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt>, the share will fail to
-connect if the <tt class="literal">root</tt> <tt class="literal">preexec</tt>
-script returns a nonzero exit status.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.3"/>
-
-<a name="INDEX-158"/><h3 class="head3">preexec</h3>
-
-<p>Sometimes just called <tt class="literal">exec</tt>, this option defines an
-ordinary unprivileged command run by Samba as the user specified by
-the variable <tt class="literal">%u</tt>. For example, a common use of this
-option is to perform logging, such as the following:</p>
-
-<blockquote><pre class="code">[homes]
- preexec = echo &quot;%u connected from %m (%I)\&quot; &gt;&gt;/tmp/.log</pre></blockquote>
-
-<p>You must redirect the standard output of the command if you want to
-use it. Otherwise, it is discarded. This warning also applies to the
-command's standard error output. If you intend to
-use a <tt class="literal">preexec</tt> script, you should ensure that it
-will run correctly before having Samba invoke it.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.4"/>
-
-<a name="INDEX-159"/><h3 class="head3">preexec close</h3>
-
-<p>This is similar to <tt class="literal">root</tt> <tt class="literal">preexec</tt>
-<tt class="literal">close</tt>, except that it goes with the
-<tt class="literal">preexec</tt> option. By setting
-<tt class="literal">preexec</tt> <tt class="literal">close</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt>, a
-<tt class="literal">preexec</tt> script that returns nonzero will cause the
-share to disconnect immediately.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.5"/>
-
-<a name="INDEX-160"/><h3 class="head3">postexec</h3>
-
-<p>Once the user disconnects from the share, the command specified with
-<tt class="literal">postexec</tt> is run as the user on the Samba server to
-do any necessary cleanup. This option is essentially the same as the
-<tt class="literal">preexec</tt> option. Again, remember that the command
-is run as the user represented by <tt class="literal">%u</tt>, and any
-information sent to standard output will be ignored.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.6"/>
-
-<a name="INDEX-161"/><h3 class="head3">root postexec</h3>
-
-<p>Following the <tt class="literal">postexec</tt> option, the
-<tt class="literal">root</tt> <tt class="literal">postexec</tt> command is run,
-if one has been specified. Again, this option specifies as its value
-a Unix command to be run <em class="emphasis">as the root user</em> before
-disconnecting from a share. You should use this option specifically
-for performing actions that require root privilege. <a name="INDEX-162"/> <a name="INDEX-163"/><a name="INDEX-164"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-8-SECT-7"/>
-
-<h2 class="head1">Microsoft Distributed Filesystems</h2>
-
-<p><a name="INDEX-165"/>In a
-large network where many shared folders are spread out over a large
-number of servers, it can be difficult for users to locate the
-resources they are trying to find. Browsing through Network
-Neighborhood or My Network Places can become an ordeal rather than a
-time-saving convenience. To mitigate this problem, Microsoft added an
-extension to file sharing called <em class="firstterm">Distributed
-filesystem</em><a name="INDEX-166"/><a name="INDEX-167"/> (Dfs). Using Dfs, it
-is possible to organize file shares on the network so that they
-appear to users as organized in a single directory tree on a single
-server, regardless of which servers on the network actually contain
-the resources. Instead of having to browse the entire network, users
-can go to the Dfs share and locate their data much more easily.</p>
-
-<p>Dfs can also help administrators because it provides a level of
-indirection between the name of a shared folder and its actual
-location. The Dfs share contains references to resources on the
-network, and when a resource is accessed, the Dfs server hands the
-client off to the actual server of the resource. When moving
-resources to another computer, the reference to the resource in the
-Dfs share can be redirected to the new location in one step, with the
-change being entirely seamless for users.</p>
-
-<p>To a limited extent, Dfs also can help improve performance for
-read-only shares because it provides <a name="INDEX-168"/>load balancing. It is possible
-to set up a Dfs reference to point to identical shares on two or more
-servers. The Dfs server then divides requests between the servers,
-dividing the client load among them. However, this works well only
-for static, read-only data because no provision is included in Dfs
-for synchronization among the servers when changes are made on any of
-them.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-7.1"/>
-
-<h3 class="head2">Windows Dfs Clients</h3>
-
-<p><a name="INDEX-169"/>Modern versions of Windows come with
-client-side support for Dfs, and no extra configuration is required.
-Support is more limited for older versions, however. Windows for
-Workgroups cannot function as a Dfs client at all. Windows NT 4.0
-must be upgraded to at least Service Pack 3 to act as a Dfs client,
-and the Dfs Client must be installed. Later service packs (such as
-Service Pack 6) include the Dfs Client. Windows 95 must also have the
-Dfs Client software installed to act as a Dfs client. Without the Dfs
-Client software, double-clicking a remote folder in a Dfs share will
-show an empty folder, and no error message will appear.</p>
-
-<a name="samba2-CHP-8-NOTE-140"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>To use the Dfs Client for Windows 95 or Windows NT, you must first
-download and install it. See the web page <a href="http://microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp">http://microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp</a>
-for a link to download the installation program and instructions on
-how to install the Dfs Client.</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-7.2"/>
-
-<h3 class="head2">Configuring Samba for Dfs</h3>
-
-<p><a name="INDEX-170"/>To act as a Dfs server, Samba 2.2 must
-be compiled with the <tt class="literal">--with-msdfs</tt> configure
-option. (See <a href="ch02.html">Chapter 2</a> for instructions on
-configuring and compiling Samba.) Samba 3.0 includes Dfs support by
-default and does not need to be compiled with the
-<tt class="literal">--with-msdfs</tt> configure option.</p>
-
-<p>Once a Dfs-enabled Samba server is running, there are just two steps
-to serving a Dfs share. First we will set up a Dfs root directory on
-the server, and then we will modify the <em class="filename">smb.conf</em>
-configuration file to enable the share.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-7.2.1"/>
-
-<h3 class="head3">Setting up the Dfs root</h3>
-
-<p>First we need to create a directory to act as the Dfs root:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/dfs</b></tt></pre></blockquote>
-
-<p>This can be any directory, but it is important that it be owned by
-root and given the proper permissions:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>chown root:root /usr/local/samba/dfs</b></tt>
-# <tt class="userinput"><b>chmod 755 /usr/local/samba/dfs</b></tt></pre></blockquote>
-
-<p>The Dfs directory tree can have subdirectories and files, just like
-any other shared directory. These will function just as they would in
-any other share, allowing clients to access the directories and files
-on the Samba server. The whole idea of Dfs, though, is to gather
-together shares on other servers by making references to them in the
-Dfs tree. The way this is implemented with Samba involves a clever
-use of symbolic links, which can be in the Dfs root directory or any
-subdirectory in the Dfs tree.</p>
-
-<p>You are probably familiar with using symbolic links to create
-references to files that exist on the same system, and perhaps
-crossing a local filesystem boundary (which ordinary Unix links
-cannot do). But maybe you didn't know that symbolic
-links have a more general functionality. Although we
-can't display its contents directly, as we could
-with a text or binary file, a symbolic link
-&quot;contains&quot; an ASCII text string
-naming what the link points to. For example, take a look at the
-listing for these symbolic links:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l wrdlnk alnk</b></tt>
-lrwxrwxrwx 1 jay jay 15 Mar 14 06:50 wrdlnk -&gt; /usr/dict/words
-lrwxrwxrwx 1 jay jay 9 Mar 14 06:53 alnk -&gt; dreamtime</pre></blockquote>
-
-<p>As you can infer from the size of the <em class="filename">wrdlnk</em>
-link (15 bytes), the string <tt class="literal">/usr/dict/words</tt> is
-encoded into it. The size of <em class="filename">alnk</em> (9 bytes) is
-smaller, corresponding to the shorter name of
-<em class="filename">dreamtime</em>.</p>
-
-<p>Now let's create a link in our Dfs root for an SMB
-share:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>cd /usr/local/samba/dfs</b></tt>
-# <tt class="userinput"><b>ln -s 'msdfs:maya\e' maya-e</b></tt>
-# <tt class="userinput"><b>ls -l maya-e</b></tt>
-lrwxrwxrwx 1 root root 12 Mar 13 17:34 maya-e -&gt; msdfs:maya\e</pre></blockquote>
-
-<p>This link might appear as a
-&quot;broken&quot; link in a directory
-listing because it points to something that isn't a
-file on the local system. For example, the <em class="emphasis">file</em>
-command will report:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>file maya-e</b></tt>
-maya-e: broken symbolic link to msdfs:maya\e</pre></blockquote>
-
-<p>However, <em class="filename">maya-e</em> is a valid reference to the
-<em class="filename">\\maya\e</em> share when used with
-Samba's Dfs support. When Samba encounters this
-file, it sees the leading <tt class="literal">msdfs</tt>: and interprets
-the rest as the name of a remote share. The client is then redirected
-to the remote share.</p>
-
-<p>When creating links in the Dfs root directory, simply follow the same
-format, which in general is
-<tt class="literal">msdfs</tt>:<em class="replaceable">server</em>\<em class="replaceable">share</em>.
-Note that this is similar to a UNC appended onto the
-<tt class="literal">msdfs</tt>: string, except that in this case, the two
-backslashes preceding the server's name are omitted.</p>
-
-<a name="samba2-CHP-8-NOTE-141"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>The names for the symbolic links in Dfs shares must be in all
-lowercase.</p>
-</blockquote>
-
-<p>In addition to regular network shares, you can use symbolic links of
-this type to reference Dfs shares on other Dfs servers. However,
-referencing printer shares does not work. Dfs is for sharing files
-only. <a name="INDEX-171"/></p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-7.2.2"/>
-
-<h3 class="head3">Load balancing</h3>
-
-<p><a name="INDEX-172"/>To
-set up a load-balancing Dfs share, create the symbolic link like
-this:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>ln -s 'msdfs:toltec\data,msdfs:mixtec\data' lb-data</b></tt></pre></blockquote>
-
-<p>That is, simply use a list of shares separated by commas as the
-reference. Remember, it is up to you to make sure the shared folders
-remain identical. Set up permissions on the servers to make the
-shares read-only to users.</p>
-
-<p>The last thing we need to do is to modify the
-<em class="filename">smb.conf</em> file to define the Dfs root share and
-add Dfs support. The Dfs root is added as a share definition:</p>
-
-<a name="INDEX-173"/><blockquote><pre class="code">[dfs]
- path = /usr/local/samba/dfs
- msdfs root = yes</pre></blockquote>
-
-<p>You can use any name you like for the share. The path is set to the
-Dfs root directory we just set up, and the parameter
-<tt class="literal">msdfs</tt> <tt class="literal">root</tt> <tt class="literal">=</tt>
-<tt class="literal">yes</tt> tells Samba that this share is a Dfs root.</p>
-
-<p>To enable support for Dfs in the server, we need to add one line to
-the <tt class="literal">[global]</tt> section:</p>
-
-<a name="INDEX-174"/><blockquote><pre class="code">[global]
- host msdfs = yes</pre></blockquote>
-
-<p>Restart the Samba daemons&mdash;or just wait a minute for them to
-reread the configuration file&mdash;and you will see the new share
-from Windows clients. If you have trouble accessing any of the remote
-shares in the Dfs share, recheck your symbolic links to make sure
-they were created correctly. <a name="INDEX-175"/></p>
-
-<a name="samba2-CHP-8-NOTE-142"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If you previously had a share by the same name as your Dfs share, you
-might need to reboot Windows clients before they can access the share
-as a Dfs share.</p>
-</blockquote>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-8-SECT-8"/>
-
-<h2 class="head1">Working with NIS</h2>
-
-<p>In networks where NIS and NFS are in use, it is common for
-users' home directories to be mounted over the
-network by NFS. If a Samba server being used to authenticate user
-logons is running on a system with NFS-mounted home directories
-shared with a <tt class="literal">[homes]</tt> share, the additional
-overhead can result in poor performance&mdash;about 30% of normal
-Samba speed.</p>
-
-<p>Samba has the ability to work with <a name="INDEX-176"/>NIS and NIS+ to find the
-server on which the home directories actually reside so that they can
-be shared directly from that server. For this to work, the server
-that holds the home directories must also have Samba running, with a
-<tt class="literal">[homes]</tt> share of its own.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-8-SECT-8.1"/>
-
-<h3 class="head2">NIS Configuration Options</h3>
-
-<p><a href="ch08.html#samba2-CHP-8-TABLE-8">Table 8-8</a> introduces the
-<a name="INDEX-177"/><a name="INDEX-178"/>NIS configuration options specifically
-for setting up users.</p>
-
-<a name="samba2-CHP-8-TABLE-8"/><h4 class="head4">Table 8-8. NIS options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">nis homedir</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, uses NIS instead of
-<em class="filename">/etc/passwd</em> to look up the path of a
-user's home directory.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">homedir map</tt></p>
-</td>
-<td>
-<p>string (NIS map name)</p>
-</td>
-<td>
-<p>Sets the NIS map to use to look up a user's home
-directory.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-8-SECT-8.1.1"/>
-
-<h3 class="head3">nis homedir, homedir map</h3>
-
-<p>The <tt class="literal">nis</tt><a name="INDEX-179"/> <tt class="literal">homedir</tt> and
-<tt class="literal">homedir</tt><a name="INDEX-180"/> <tt class="literal">map</tt> options
-are for Samba servers on network sites where Unix home directories
-are provided using NFS, the automounter, and NIS.</p>
-
-<p>The <tt class="literal">nis</tt> <tt class="literal">homedir</tt> option
-indicates that the home-directory server for the user needs to be
-looked up in NIS. The <tt class="literal">homedir</tt>
-<tt class="literal">map</tt> option tells Samba in which NIS map to look
-for the server that has the user's home directory.
-The server needs to be a Samba server so that the client can do an
-SMB connect to it, and the other Samba servers need to have NIS
-installed so that they can do the lookup.</p>
-
-<p>For example, if user <tt class="literal">joe</tt> asks for a share called
-<tt class="literal">[joe]</tt>, and the <tt class="literal">nis</tt>
-<tt class="literal">homedir</tt> option is set to <tt class="literal">yes</tt>,
-Samba will look in the file specified by <tt class="literal">homedir</tt>
-<tt class="literal">map</tt> for a home directory for
-<tt class="literal">joe</tt>. If it finds one, Samba will return the
-associated system name to the client. The client will then try to
-connect to that machine and get the share from there. Enabling NIS
-lookups looks like the following:</p>
-
-<blockquote><pre class="code">[globals]
- nis homedir = yes
- homedir map = amd.map</pre></blockquote>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> The system checkbox will
-probably be grayed for your file. Don't worry about
-that&mdash;you should still be able to see when the box is checked
-and when it isn't.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch09.html b/docs/htmldocs/using_samba/ch09.html
deleted file mode 100644
index bc2a5bb007..0000000000
--- a/docs/htmldocs/using_samba/ch09.html
+++ /dev/null
@@ -1,3448 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 9. Users and Security</h1>
-
-
-
-<p><a name="INDEX-1"/>In this chapter, we
-cover the basic concepts of managing security in Samba so that you
-can set up your Samba server with a security policy suited to your
-network.</p>
-
-<p>One of Samba's most complicated tasks lies in
-reconciling the security models of Unix and Windows systems. Samba
-must identify users by associating them with valid usernames and
-groups, authenticate them by checking their passwords, then control
-their access to resources by comparing their access rights to the
-permissions on files and directories. These are complex topics on
-their own, and it doesn't help that there are three
-different operating system types to deal with (Unix, Windows
-95/98/Me, and Windows NT/2000/XP) and that Samba supports multiple
-methods of handling user authentication.</p>
-
-
-
-<div class="sect1"><a name="samba2-CHP-9-SECT-1"/>
-
-<h2 class="head1">Users and Groups</h2>
-
-<p><a name="INDEX-2"/>Let's start
-out as simply as possible and add support for a single user. The
-easiest way to set up a client user is to create a Unix account (and
-home directory) for that individual on the server and notify Samba of
-the user's existence. You can do the latter by
-creating a disk share that maps to the user's home
-directory in the Samba configuration file and restricting access to
-that user with the <tt class="literal">valid</tt><a name="INDEX-3"/>
-<tt class="literal">users</tt> option. For example:</p>
-
-<blockquote><pre class="code">[dave]
- path = /home/dave
- comment = Dave's home directory
- writable = yes
- valid users = dave</pre></blockquote>
-
-<p>The <tt class="literal">valid</tt> <tt class="literal">users</tt> option lists
-the users allowed to access the share. In this case, only the user
-<tt class="literal">dave</tt> is allowed to access the share. In some
-situations it is possible to specify that any user can access a disk
-share by using the <tt class="literal">guest</tt> <tt class="literal">ok</tt>
-parameter. Because we don't wish to allow guest
-access, that option is absent here. If you allow both authenticated
-users and guest users access to the same share, you can make some
-files accessible to guest users by assigning world-readable
-permissions to those files while restricting access to other files to
-particular users or groups.</p>
-
-<p>When client users access a Samba share, they have to pass two levels
-of restriction. Unix permissions on files and directories apply as
-usual, and configuration parameters specified in the Samba
-configuration file apply as well. In other words, a client must first
-pass Samba's security mechanisms (e.g.,
-authenticating with a valid username and password, passing the check
-for the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter
-and the <tt class="literal">read</tt> <tt class="literal">only</tt> parameter,
-etc.), as well as the normal Unix file and directory permissions of
-its Unix-side user, before it can gain read/write access to a share.</p>
-
-<p>Remember that you can abbreviate the user's home
-directory by using the <tt class="literal">%H</tt><a name="INDEX-4"/> variable. In addition, you can use the
-Unix username variable <tt class="literal">%u</tt><a name="INDEX-5"/> and/or the client username variable
-<tt class="literal">%U</tt><a name="INDEX-6"/> in your options as well. For
-example :</p>
-
-<blockquote><pre class="code">[dave]
- comment = %U home directory
- writable = yes
- valid users = dave
- path = %H</pre></blockquote>
-
-<p>With a single user accessing a home directory, access permissions are
-taken care of when the user account is created. The home directory is
-owned by the user, and permissions on it are set appropriately.
-However, if you're creating a shared directory for
-group access, you need to perform a few more steps.
-Let's take a stab at a
-<a name="INDEX-7"/>group share for the
-accounting department in the <em class="emphasis">smb.conf</em> file:</p>
-
-<blockquote><pre class="code">[accounting]
- comment = Accounting Department Directory
- writable = yes
- valid users = @account
- path = /home/samba/accounting
- create mode = 0660
- directory mode = 0770</pre></blockquote>
-
-<p>The first thing we did differently is to specify
-<tt class="literal">@account</tt> as the valid user instead of one or more
-individual usernames. This is shorthand for saying that the valid
-users are represented by the Unix group <tt class="literal">account</tt>.
-These users will need to be added to the group entry
-<tt class="literal">account</tt> in the
-<a name="INDEX-8"/><a name="INDEX-9"/>system group file (
-<em class="filename">/etc/group</em><a name="INDEX-10"/>
-or equivalent) to be recognized as part of the group. Once they are,
-Samba will recognize those users as valid users for the share.</p>
-
-<p>In addition, you need to create a shared directory that the members
-of the group can access and point to it with the
-<tt class="literal">path</tt> configuration option. Here are the Unix
-commands that create the shared directory for the accounting
-department (assuming <em class="emphasis">/home/samba</em> already
-exists):</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/samba/accounting</b></tt>
-# <tt class="userinput"><b>chgrp account /home/samba/accounting</b></tt>
-# <tt class="userinput"><b>chmod 770 /home/samba/accounting</b></tt></pre></blockquote>
-
-<p>There are two other options in this <em class="filename">smb.conf</em>
-example, both of which we saw in the previous chapter. These options
-are <tt class="literal">create</tt><a name="INDEX-11"/> <tt class="literal">mode</tt> and
-<tt class="literal">directory</tt><a name="INDEX-12"/> <tt class="literal">mode</tt>. These
-options set the maximum file and directory permissions that a new
-file or directory can have. In this case, we have denied all world
-access to the contents of this share. (This is reinforced by the
-<em class="emphasis">chmod</em> command, shown earlier.)<a name="INDEX-13"/></p>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-1.1"/>
-
-<h3 class="head2">Handling Multiple Individual Users</h3>
-
-<p><a name="INDEX-14"/>Let's return
-to user shares for a moment. If we have several users for whom to set
-up home directory shares, we probably want to use the special
-<tt class="literal">[homes]</tt> share that we introduced in <a href="ch08.html">Chapter 8</a>. With the
-<tt class="literal">[homes]</tt><a name="INDEX-15"/> share, all we need to say is:</p>
-
-<blockquote><pre class="code">[homes]
- browsable = no
- writable = yes</pre></blockquote>
-
-<p>The <tt class="literal">[homes]</tt> share is a special section of the
-Samba configuration file. If a user attempts to connect to an
-ordinary share that doesn't appear in the
-<em class="filename">smb.conf</em> file (such as specifying it with a UNC
-in Windows Explorer), Samba will search for a
-<tt class="literal">[homes]</tt> share. If one exists, the incoming share
-name is assumed to be a username and is queried as such in the
-password database ( <em class="filename">/etc/passwd</em> or equivalent)
-file of the Samba server. If it appears, Samba assumes the client is
-a Unix user trying to connect to his home directory.</p>
-
-<p>As an illustration, let's assume that
-<tt class="literal">sofia</tt> is attempting to connect to a share called
-<tt class="literal">[sofia]</tt> on the Samba server. There is no share by
-that name in the configuration file, but a <tt class="literal">[homes]</tt>
-share exists and user <tt class="literal">sofia</tt> is present in the
-password database, so Samba takes the following steps:</p>
-
-<ol><li>
-<p>Samba creates a new disk share called <tt class="literal">[sofia]</tt> with
-the <tt class="literal">path</tt> specified in the
-<tt class="literal">[homes]</tt> section. If no <tt class="literal">path</tt>
-option is specified in <tt class="literal">[homes]</tt>, Samba initializes
-it to her home directory.</p>
-</li><li>
-<p>Samba initializes the new share's options from the
-defaults in <tt class="literal">[globals]</tt>, as well as any overriding
-options in <tt class="literal">[homes]</tt> with the exception of
-<tt class="literal">browsable</tt>.</p>
-</li><li>
-<p>Samba connects <tt class="literal">sofia</tt>'s client to
-that share.</p>
-</li></ol>
-<p>The <tt class="literal">[homes]</tt> share is a fast, painless way to
-create shares for your user community without having to duplicate the
-information from the password database file in the
-<em class="filename">smb.conf</em> file. It does have some
-<a name="INDEX-16"/>peculiarities, however, that we need to
-point out:</p>
-
-<ul><li>
-<p>The <tt class="literal">[homes]</tt> section can represent any account on
-the machine, which isn't always desirable. For
-example, it can potentially create a share for
-<tt class="literal">root</tt>, <tt class="literal">bin</tt>,
-<tt class="literal">sys</tt>, <tt class="literal">uucp</tt>, and the like. You
-can set a global
-<tt class="literal">invalid</tt><a name="INDEX-17"/> <tt class="literal">users</tt> option
-to protect against this.</p>
-</li><li>
-<p>The meaning of the
-<tt class="literal">browsable</tt><a name="INDEX-18"/> configuration option is
-different from other shares; it indicates only that a
-<tt class="literal">[homes]</tt> section won't show up in
-the local browse list, not that the <tt class="literal">[alice]</tt> share
-won't. When the <tt class="literal">[alice]</tt> section
-is created (after the initial connection), it will use the
-<tt class="literal">browsable</tt> value from the
-<tt class="literal">[globals]</tt> section for that share, not the value
-from <tt class="literal">[homes]</tt>.</p>
-</li></ul>
-<p>As we mentioned, there is no need for a path statement in
-<tt class="literal">[homes]</tt> if the users have Unix home directories in
-the server's <em class="filename">/etc/passwd</em> file.
-You should ensure that a valid home directory does exist, however, as
-Samba will not automatically create a home directory for a user and
-will refuse a tree connect if the user's directory
-does not exist or is not accessible. <a name="INDEX-19"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-9-SECT-2"/>
-
-<h2 class="head1">Controlling Access to Shares</h2>
-
-<p><a name="INDEX-20"/><a name="INDEX-21"/>Often you will need to restrict the users who
-can access a specific share for security reasons. This is very easy
-to do with Samba because it contains a wealth of options for creating
-practically any security configuration. Let's
-introduce a few configurations that you might want to use in your own
-Samba setup.</p>
-
-<p>We've seen what happens when you specify valid
-users. However, you are also allowed to specify a list of
-<a name="INDEX-22"/>invalid users&mdash;users who should never be
-allowed access to Samba or its shares. This is done with the
-<tt class="literal">invalid</tt><a name="INDEX-23"/> <tt class="literal">users</tt>
-option. We hinted at one frequent use of this option earlier: a
-global default with the <tt class="literal">[homes]</tt> section to ensure
-that various system users and superusers cannot be forged for access.
-For example:</p>
-
-<blockquote><pre class="code">[global]
- invalid users = root bin daemon adm sync shutdown \
- halt mail news uucp operator
- auto services = dave peter bob
-
-[homes]
- browsable = no
- writable = yes</pre></blockquote>
-
-<p>The <tt class="literal">invalid</tt> <tt class="literal">users</tt> option, like
-<tt class="literal">valid</tt> <tt class="literal">users</tt>, can take group
-names, preceded by an at sign (<tt class="literal">@</tt>), as well as
-usernames. In the event that a user or group appears in both lists,
-the <tt class="literal">invalid</tt> <tt class="literal">users</tt> option takes
-precedence, and the user or group is denied access to the share.</p>
-
-<p>At the other end of the spectrum, you can explicitly specify users
-who will be allowed <a name="INDEX-24"/><a name="INDEX-25"/>superuser (root) access to a share with
-the <tt class="literal">admin</tt><a name="INDEX-26"/> <tt class="literal">users</tt>
-option. An example follows:</p>
-
-<blockquote><pre class="code">[sales]
- path = /home/sales
- comment = Sedona Real Estate Sales Data
- writable = yes
- valid users = sofie shelby adilia
- admin users = mike</pre></blockquote>
-
-<p>This option takes both group names and usernames. In addition, you
-can specify NIS netgroups by preceding them with an
-<tt class="literal">@</tt> as well; if the netgroup is not found, Samba
-will assume that you are referring to a standard Unix group.</p>
-
-<p>Be careful if you assign administrative privileges to a share for an
-entire group. The Samba Team highly recommends you avoid using this
-option, as it essentially gives root access to the specified users or
-groups for that share.</p>
-
-<p>If you wish to force read-only or read/write access on users who
-access a share, you can do so with the
-<tt class="literal">read</tt><a name="INDEX-27"/> <tt class="literal">list</tt> and
-<tt class="literal">write</tt> <tt class="literal">list</tt> options,
-respectively. These options can be used on a per-share basis to
-restrict a writable share or to grant write access to specific users
-in a read-only share, respectively. For example:</p>
-
-<blockquote><pre class="code">[sales]
- path = /home/sales
- comment = Sedona Real Estate Sales Data
- read only = yes
- write list = sofie shelby</pre></blockquote>
-
-<p>The <tt class="literal">write</tt><a name="INDEX-28"/> <tt class="literal">list</tt> option
-cannot override Unix permissions. If you've created
-the share without giving the <tt class="literal">write-list</tt> user write
-permission on the Unix system, she will be denied write access
-regardless of the setting of <tt class="literal">write</tt>
-<tt class="literal">list</tt>.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-2.1"/>
-
-<h3 class="head2">Guest Access</h3>
-
-<p><a name="INDEX-29"/>As mentioned
-earlier, you can configure a share using
-<tt class="literal">guest</tt><a name="INDEX-30"/> <tt class="literal">ok</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> to allow access to guest
-users. This works only when using share-level security, which we will
-cover later in this chapter. When a user connects as a guest,
-authenticating with a username and password is unnecessary, but Samba
-still needs a way to map the connected client to a user on the local
-system. The <tt class="literal">guest</tt><a name="INDEX-31"/>
-<tt class="literal">account</tt> parameter can be used in the share to
-specify the Unix account that guest users should be assigned when
-connecting to the Samba server. The default value for this is set
-during compilation and is typically <tt class="literal">nobody</tt>, which
-works well with most Unix versions. However, on some systems the
-<tt class="literal">nobody</tt><a name="INDEX-32"/> account is not allowed to access some
-services (e.g., printing), and you might need to set the guest user
-to <tt class="literal">ftp</tt> or some other account instead.</p>
-
-<p>If you wish to restrict access in a share only to guests&mdash;in
-other words, all clients connect as the guest account when accessing
-the share&mdash;you can use the <tt class="literal">guest</tt>
-<tt class="literal">only</tt> option in conjunction with the
-<tt class="literal">guest</tt> <tt class="literal">ok</tt> option, as shown in
-the following example:</p>
-
-<blockquote><pre class="code">[sales]
- path = /home/sales
- comment = Sedona Real Estate Sales Data
- writable = yes
- guest ok = yes
- guest account = ftp
- guest only = yes</pre></blockquote>
-
-<p>Make sure you specify <tt class="literal">yes</tt> for both
-<tt class="literal">guest</tt> <tt class="literal">only</tt> and
-<tt class="literal">guest</tt> <tt class="literal">ok</tt>; otherwise, Samba will
-not use the guest account that you specify.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-2.2"/>
-
-<h3 class="head2">Access Control Options</h3>
-
-<p><a href="ch09.html#samba2-CHP-9-TABLE-1">Table 9-1</a> <a name="INDEX-33"/><a name="INDEX-34"/>summarizes the options that you can use
-to control access to shares.</p>
-
-<a name="samba2-CHP-9-TABLE-1"/><h4 class="head4">Table 9-1. Share-level access options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">admin users</tt></p>
-</td>
-<td>
-<p>string (list of usernames)</p>
-</td>
-<td>
-<p>Users who can perform operations as root</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">valid users</tt></p>
-</td>
-<td>
-<p>string (list of usernames)</p>
-</td>
-<td>
-<p>Users who can connect to a share</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">invalid users</tt></p>
-</td>
-<td>
-<p>string (list of usernames)</p>
-</td>
-<td>
-<p>Users who will be denied access to a share</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">read list</tt></p>
-</td>
-<td>
-<p>string (list of usernames)</p>
-</td>
-<td>
-<p>Users who have read-only access to a writable share</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">write list</tt></p>
-</td>
-<td>
-<p>string (list of usernames)</p>
-</td>
-<td>
-<p>Users who have read/write access to a read-only share</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">max connections</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Maximum number of connections for a share at a given time</p>
-</td>
-<td>
-<p><tt class="literal">0</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">guest only</tt> <tt class="literal">(only guest)</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows only guest access</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">guest account</tt></p>
-</td>
-<td>
-<p>string (name of account)</p>
-</td>
-<td>
-<p>Unix account that will be used for guest access</p>
-</td>
-<td>
-<p><tt class="literal">nobody</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.1"/>
-
-<a name="INDEX-35"/><h3 class="head3">admin users</h3>
-
-<p>This option specifies a list of users that perform file operations as
-if they were <tt class="literal">root</tt>. This means that they can modify
-or destroy any other user's files, regardless of the
-permissions. Any files that they create will have root ownership and
-will use the default group of the admin user. The
-<tt class="literal">admin</tt> <tt class="literal">users</tt> option allows PC
-users to act as administrators for particular shares. Be very careful
-when using this option, and make sure good password and other
-security policies are in place.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.2"/>
-
-<a name="INDEX-36"/><a name="INDEX-37"/><h3 class="head3">valid users, invalid users</h3>
-
-<p>These two options let you enumerate the users and groups who are
-granted or denied access to a particular share. You can enter a list
-of user and/or group names. If a name is prefixed by an at sign
-(<tt class="literal">@</tt>), it is interpreted as a group name&mdash;with
-NIS groups searched before Unix groups. If the name is prefixed by a
-plus sign (<tt class="literal">+</tt>), it is interpreted as the name of a
-Unix group, and NIS is not searched. If the name is prefixed by an
-ampersand (<tt class="literal">&amp;</tt>), it is interpreted as an NIS
-group name rather than as a Unix group name. The plus sign and
-ampersand can be used together to specify whether NIS or Unix groups
-are searched first. For example:</p>
-
-<blockquote><pre class="code">[database]
- valid users = mary ellen sue &amp;sales +marketing @dbadmin
- invalid users = gavin syd dana &amp;techies +&amp;helpdesk</pre></blockquote>
-
-<p>In the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter,
-users <tt class="literal">mary</tt>, <tt class="literal">ellen</tt>, and
-<tt class="literal">sue</tt> are allowed access to the
-<tt class="literal">[database]</tt> share, as are the members of the Unix
-group <tt class="literal">marketing</tt> and NIS/Unix group
-<tt class="literal">dbadmin</tt>. The <tt class="literal">invalid</tt>
-<tt class="literal">users</tt> parameter denies access to the share by
-users <tt class="literal">gavin</tt>, <tt class="literal">syd</tt>, and
-<tt class="literal">dana</tt>, as well as members of the NIS group
-<tt class="literal">techies</tt> and Unix/NIS group
-<tt class="literal">helpdesk</tt>. In this last case, the list of Unix
-groups is searched first for the <tt class="literal">helpdesk</tt> group,
-and if it is not found there, the list of NIS groups is searched.</p>
-
-<p>The important rule to remember with these options is that any name or
-group in the <tt class="literal">invalid</tt> <tt class="literal">users</tt> list
-will <em class="emphasis">always</em> be denied access, even if it is
-included (in any form) in the <tt class="literal">valid</tt>
-<tt class="literal">users</tt> list.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.3"/>
-
-<a name="INDEX-38"/><a name="INDEX-39"/><h3 class="head3">read list, write list</h3>
-
-<p>Like the <tt class="literal">valid</tt> <tt class="literal">users</tt>
-<tt class="literal">and</tt> <tt class="literal">invalid</tt>
-<tt class="literal">users</tt> options, this pair of options specifies
-which users have read-only access to a writable share and read/write
-access to a read-only share, respectively. The value of either
-options is a list of users. The <tt class="literal">read</tt>
-<tt class="literal">list</tt> parameter overrides any other Samba
-permissions granted&mdash;as well as Unix file permissions on the
-server system&mdash;to deny users write access.
-<tt class="literal">The</tt> <tt class="literal">write</tt>
-<tt class="literal">list</tt> parameter overrides other Samba permissions
-to grant write access, but cannot grant write access if the user
-lacks write permissions for the file on the Unix system. You can
-specify NIS or Unix group names by prefixing the name with an at sign
-(such as <tt class="literal">@users</tt>). Neither configuration option has
-a default value associated with it.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.4"/>
-
-<a name="INDEX-40"/><h3 class="head3">max connections</h3>
-
-<p>This option specifies the maximum number of client connections that a
-share can have at any given time. Any connections that are attempted
-after the maximum is reached will be rejected. The default value is
-<tt class="literal">0</tt>, which is a special case that allows an
-unlimited number of connections. You can override it per share as
-follows:</p>
-
-<blockquote><pre class="code">[accounting]
- max connections = 30</pre></blockquote>
-
-<p>This option is useful in the event that you need to limit the number
-of users who are accessing a licensed program or piece of data
-concurrently.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.5"/>
-
-<a name="INDEX-41"/><h3 class="head3">guest only</h3>
-
-<p>This share-level option (also called <tt class="literal">only</tt>
-<tt class="literal">guest</tt>) forces a connection to a share to be
-performed with the user specified by the <tt class="literal">guest</tt>
-<tt class="literal">account</tt> option. The share to which this is applied
-must explicitly specify <tt class="literal">guest</tt>
-<tt class="literal">ok</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> for
-this option to be recognized by Samba. The default value for this
-option is <tt class="literal">no</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.6"/>
-
-<a name="INDEX-42"/><h3 class="head3">guest account</h3>
-
-<p>This option specifies the name of the account to be used for guest
-access to shares in Samba. The default for this option varies from
-system to system, but it is often set to <tt class="literal">nobody</tt>.
-Some default user accounts have trouble connecting as guest users. If
-that occurs on your system, the Samba Team recommends using the
-<tt class="literal">ftp</tt> account as the guest user. <a name="INDEX-43"/> <a name="INDEX-44"/><a name="INDEX-45"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-2.3"/>
-
-<h3 class="head2">Username Options</h3>
-
-<p><a href="ch09.html#samba2-CHP-9-TABLE-2">Table 9-2</a> shows two additional options that Samba
-can use to correct for incompatibilities in usernames between Windows
-and Unix.</p>
-
-<a name="samba2-CHP-9-TABLE-2"/><h4 class="head4">Table 9-2. Username options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">username</tt> <tt class="literal">map</tt></p>
-</td>
-<td>
-<p>string (filename)</p>
-</td>
-<td>
-<p>Sets the name of the username mapping file</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">username</tt> <tt class="literal">level</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Indicates the number of capital letters to use when trying to match a
-username</p>
-</td>
-<td>
-<p><tt class="literal">0</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.1"/>
-
-<a name="INDEX-46"/><h3 class="head3">username map</h3>
-
-<p>Client usernames on an SMB network can be relatively long (up to 255
-characters), while usernames on a Unix network often cannot be longer
-than eight characters. This means that an individual user can have
-one username on a client and another (shorter) one on the Samba
-server. You can get past this issue by<em class="firstterm">
-</em><a name="INDEX-47"/>mapping a free-form client
-username to a Unix username of eight or fewer characters. It is
-placed in a standard text file, using a format that
-we'll describe shortly. You can then specify the
-pathname to Samba with the global <tt class="literal">username</tt>
-<tt class="literal">map</tt> option. Be sure to restrict access to this
-file; make the root user the file's owner and deny
-write access to others (with octal permissions of 744 or 644).
-Otherwise, an untrusted user with access to the file can easily map
-his client username to the root user of the Samba server.</p>
-
-<p>You can specify this option as follows:</p>
-
-<blockquote><pre class="code">[global]
- username map = /usr/local/samba/private/usermap.txt</pre></blockquote>
-
-<p>Each entry in the username map file should be listed as follows: the
-Unix username, followed by an equal sign (<tt class="literal">=</tt>),
-followed by one or more whitespace-separated SMB client usernames.
-Note that unless instructed otherwise (i.e., a guest connection),
-Samba will expect both the client and the server user to have the
-same password. You can also map NT groups to one or more specific
-Unix groups using the <tt class="literal">@</tt> sign. Here are some
-examples:</p>
-
-<blockquote><pre class="code">jarwin = JosephArwin
-manderso = MarkAnderson
-users = @account</pre></blockquote>
-
-<p>You can also use the asterisk to specify a wildcard that matches any
-free-form client username as an entry in the username map file:</p>
-
-<blockquote><pre class="code">nobody = *</pre></blockquote>
-
-<p>Comments can be placed in the file by starting the line with a hash
-mark (<tt class="literal">#</tt>) or a semicolon (<tt class="literal">;</tt>).</p>
-
-<p>Note that you can also use this file to redirect one Unix user to
-another user. Be careful, though, as Samba and your client might not
-notify the user that the mapping has been made and Samba might be
-expecting a different password.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.2"/>
-
-<a name="INDEX-48"/><h3 class="head3">username level</h3>
-
-<p>SMB clients (such as Windows) will often send usernames in SMB
-connection requests entirely in capital letters; in other words,
-client usernames are not necessarily case-sensitive. On a Unix
-server, however, usernames <em class="emphasis">are</em> case-sensitive:
-the user <tt class="literal">ANDY</tt> is different from the user
-<tt class="literal">andy</tt>. By default, Samba attacks this problem by
-doing the following:</p>
-
-<ol><li>
-<p>Checking for a user account with the exact name sent by the client</p>
-</li><li>
-<p>Testing the username in all lowercase letters</p>
-</li><li>
-<p>Testing the username in lowercase letters with only the first letter
-capitalized</p>
-</li></ol>
-<p>If you wish to have Samba attempt more combinations of upper- and
-lowercase letters, you can use the <tt class="literal">username</tt>
-<tt class="literal">level</tt> global configuration option. This option
-takes an integer value that specifies how many letters in the
-username should be capitalized when attempting to connect to a share.
-You can specify this option as follows:</p>
-
-<blockquote><pre class="code">[global]
- username level = 3</pre></blockquote>
-
-<p>In this case, Samba attempts all possible permutations of usernames
-having three capital letters. The larger the number, the more
-computations Samba has to perform to match the username, and the
-longer the authentication will take.</p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-9-SECT-3"/>
-
-<h2 class="head1">Authentication of Clients</h2>
-
-<p><a name="INDEX-49"/>At
-this point, we should discuss how Samba authenticates users. Each
-user who attempts to connect to a share not allowing guest access
-must provide a password to
-<a name="INDEX-50"/>make a successful connection. What
-Samba does with that password&mdash;and consequently the strategy
-Samba will use to handle user authentication&mdash;is the arena of
-the <tt class="literal">security</tt> configuration option. Samba currently
-supports <a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>four
-<a name="INDEX-54"/>security levels on its network:
-<em class="firstterm">share</em>, <em class="firstterm">user</em>,
-<em class="firstterm">server</em>, and <em class="firstterm">domain</em>.</p>
-
-<dl>
-<dt><b><a name="INDEX-55"/>Share-level security</b></dt>
-<dd>
-<p>Each share in the workgroup has one or more passwords associated with
-it. Anyone who knows a valid password for the share can access it.</p>
-</dd>
-
-
-
-<dt><b><a name="INDEX-56"/>User-level security</b></dt>
-<dd>
-<p>Each share in the workgroup is configured to allow access from
-certain users. With each initial tree connection, the Samba server
-verifies users and their passwords to allow them access to the share.</p>
-</dd>
-
-
-
-<dt><b><a name="INDEX-57"/>Server-level security</b></dt>
-<dd>
-<p>This is the same as user-level security, except that the Samba server
-uses another server to validate users and their passwords before
-granting access to the share.</p>
-</dd>
-
-
-
-<dt><b><a name="INDEX-58"/>Domain-level security</b></dt>
-<dd>
-<p>Samba becomes a member of a Windows NT domain and uses one of the
-domain's domain controllers&mdash;either the PDC or
-a BDC&mdash;to perform authentication. Once authenticated, the user
-is given a special token that allows her access to any share with
-appropriate access rights. With this token, the domain controller
-will not have to revalidate the user's password each
-time she attempts to access another share within the domain. The
-domain controller can be a Windows NT/2000 PDC or BDC, or Samba
-acting as a Windows NT PDC.</p>
-</dd>
-
-</dl>
-
-<p>Each security policy can be implemented with the global
-<tt class="literal">security</tt> option, as shown in <a href="ch09.html#samba2-CHP-9-TABLE-3">Table 9-3</a>.</p>
-
-<a name="samba2-CHP-9-TABLE-3"/><h4 class="head4">Table 9-3. Security option</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">security</tt><a name="INDEX-59"/></p>
-</td>
-<td>
-<p><tt class="literal">domain</tt>, <tt class="literal">server</tt>,
-<tt class="literal">share</tt>, or <tt class="literal">user</tt></p>
-</td>
-<td>
-<p>Indicates the type of security that the Samba server will use</p>
-</td>
-<td>
-<p><tt class="literal">user</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-3.1"/>
-
-<h3 class="head2">Share-Level Security</h3>
-
-<p>With share-level security, each share has one or more passwords
-associated with it, with the client being authenticated when first
-connecting to the share. This differs from the other modes of
-security in that there are no restrictions as to whom can access a
-share, as long as that individual knows the correct password. Shares
-often have multiple passwords. For example, one password might grant
-read-only access, while another might grant read/write access.
-Security is maintained as long as unauthorized users do not discover
-the password for a share to which they shouldn't
-have access.</p>
-
-<p>OS/2 and Windows 95/98/Me both support share-level security on their
-resources. You can set up share-level security with Windows 95/98/Me
-by first enabling share-level security using the Access Control tab
-of the Network Control Panel dialog. Then select the
-&quot;Share-level access control&quot; radio
-button (which deselects the &quot;User-level access
-control&quot; radio button), as shown in <a href="ch09.html#samba2-CHP-9-FIG-1">Figure 9-1</a>, and click the OK button. Reboot as requested.</p>
-
-<div class="figure"><a name="samba2-CHP-9-FIG-1"/><img src="figs/sam2_0901.gif"/></div><h4 class="head4">Figure 9-1. Selecting share-level security on a Windows 95/98/Me system</h4>
-
-<p>Next, right-click a resource&mdash;such as a hard drive or a
-CD-ROM&mdash;and select the Properties menu item. This will bring up
-the Resource Properties dialog box. Select the Sharing tab at the top
-of the dialog box, and enable the resource as Shared As. From here,
-you can configure how the shared resource will appear to individual
-users, as well as assign whether the resource will appear as
-read-only, read/write, or a mix, depending on the password that is
-supplied.</p>
-
-<p>You might be thinking that this security model is not a good fit for
-Samba&mdash;and you would be right. In fact, if you set the
-<tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">share</tt> option in the Samba configuration file,
-Samba will still reuse the username/password combinations in the
-system password files to authenticate access. More precisely, Samba
-will take the following steps when a client requests a connection
-using share-level security:</p>
-
-<ol><li>
-<p>When a connection is requested, Samba will accept the password and
-(if sent) the username of the client.</p>
-</li><li>
-<p>If the share is <tt class="literal">guest</tt> <tt class="literal">only</tt> ,
-the user is immediately granted access to the share with the rights
-of the user specified by the <tt class="literal">guest</tt>
-<tt class="literal">account</tt> parameter; no password checking is
-performed.</p>
-</li><li>
-<p>For other shares, Samba appends the username to a list of users who
-are allowed access to the share. It then attempts to validate the
-password given in association with that username. If successful,
-Samba grants the user access to the share with the rights assigned to
-that user. The user will not need to authenticate again unless a
-<tt class="literal">revalidate</tt> <tt class="literal">=</tt>
-<tt class="literal">yes</tt> option has been set inside the share.</p>
-</li><li>
-<p>If the authentication is unsuccessful, Samba attempts to validate the
-password against the list of users previously compiled during
-attempted connections, as well as those specified under the share in
-the configuration file. If the password matches that of any username
-(as specified in the system password file, typically
-<em class="filename">/etc/passwd </em>), the user is granted access to the
-share under that username.</p>
-</li><li>
-<p>However, if the share has a <tt class="literal">guest</tt>
-<tt class="literal">ok</tt> or <tt class="literal">public</tt> option set, the
-user will default to access with the rights of the user specified by
-the <tt class="literal">guest</tt> <tt class="literal">account</tt> option.</p>
-</li></ol>
-<p>You can indicate in the configuration file which users should be
-initially placed on the share-level security user list by using the
-<tt class="literal">username</tt> configuration option, as shown here:</p>
-
-<blockquote><pre class="code">[global]
- security = share
-
-[accounting1]
- path = /home/samba/accounting1
- guest ok = no
- writable = yes
- username = davecb, pkelly, andyo</pre></blockquote>
-
-<p>Here, when a user attempts to connect to a share, Samba verifies the
-sent password against each user in its own list, in addition to the
-passwords of users <tt class="literal">davecb</tt>,
-<tt class="literal">pkelly</tt>, and <tt class="literal">andyo</tt>. If any of
-the passwords match, the connection is verified, and the user is
-allowed. Otherwise, connection to the specific share will fail.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-3.2"/>
-
-<h3 class="head2">Share-Level Security Options</h3>
-
-<p><a href="ch09.html#samba2-CHP-9-TABLE-4">Table 9-4</a> shows the options typically associated
-with <em class="firstterm">share-level
-security</em><a name="INDEX-60"/>.</p>
-
-<a name="samba2-CHP-9-TABLE-4"/><h4 class="head4">Table 9-4. Share-level access options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">only user</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, usernames specified by
-<tt class="literal">username</tt> are the only ones allowed</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">username</tt> (<tt class="literal">user</tt> or
-<tt class="literal">users</tt>)</p>
-</td>
-<td>
-<p>string (list of usernames)</p>
-</td>
-<td>
-<p>Users against which a client's password is tested</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.1"/>
-
-<a name="INDEX-61"/><h3 class="head3">only user</h3>
-
-<p>This Boolean option indicates whether Samba will allow connections to
-a share using share-level security based solely on the individuals
-specified in the <tt class="literal">username</tt> option, instead of those
-users compiled on Samba's internal list. The default
-value for this option is <tt class="literal">no</tt>. You can override it
-per share as follows:</p>
-
-<blockquote><pre class="code">[global]
- security = share
-[data]
- username = andy, peter, valerie
- only user = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.2"/>
-
-<a name="INDEX-62"/><h3 class="head3">username</h3>
-
-<p>This option presents a list of usernames and/or group names against
-which Samba tests a connection password to allow access. It is
-typically used with clients that have share-level security to allow
-connections to a particular service based solely on a qualifying
-password&mdash;in this case, one that matches a password set up for a
-specific user:</p>
-
-<blockquote><pre class="code">[global]
- security = share
-[data]
- username = andy, peter, terry</pre></blockquote>
-
-<p>You can enter a list of usernames and/or group names. If a name is
-prefixed by an at sign (<tt class="literal">@</tt>), it is interpreted as a
-group name, with NIS groups searched before Unix groups. If the name
-is prefixed by a plus sign (<tt class="literal">+</tt>), it is interpreted
-as the name of a Unix group, and NIS is not searched. If the name is
-prefixed by an ampersand (<tt class="literal">&amp;</tt>), it is
-interpreted as an NIS group name rather than a Unix group name. The
-plus sign and ampersand can be used together to specify whether NIS
-or Unix groups are searched first. When Samba encounters a group name
-in this option, it attempts to authenticate each user in the group
-until if finds one that succeeds. Beware that this can be very
-inefficient.</p>
-
-<p>We recommend against using this option unless you are implementing a
-Samba server with share-level security.</p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-3.3"/>
-
-<h3 class="head2">User-Level Security</h3>
-
-<p>The default mode of security with Samba is <em class="firstterm">user-level
-security</em><a name="INDEX-63"/>. With this method, each share is
-assigned specific users that can access it. When a user requests a
-connection to a share, Samba authenticates by validating the given
-username and password with the authorized users in the configuration
-file and the passwords in the password database of the Samba server.
-As mentioned earlier in the chapter, one way to isolate which users
-are allowed access to a specific share is by using the
-<tt class="literal">valid</tt> <tt class="literal">users</tt> option for each
-share:</p>
-
-<blockquote><pre class="code">[global]
- security = user
-
-[accounting1]
- writable = yes
- valid users = bob, joe, sandy</pre></blockquote>
-
-<p>Each user listed can connect to the share if the password provided
-matches the password stored in the system password database on the
-server. Once the initial authentication succeeds, the client will not
-need to supply a password again to access that share unless the
-<tt class="literal">revalidate</tt> <tt class="literal">=</tt>
-<tt class="literal">yes</tt> option has been set.</p>
-
-<p>Passwords can be sent to the Samba server in either an encrypted or a
-nonencrypted format. If you have both types of systems on your
-network, you should ensure that the passwords represented by each
-user are stored both in a traditional account database and
-Samba's encrypted password database. This way,
-authorized users can gain access to their shares from any type of
-client.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> However, we recommend that you
-move your system to encrypted passwords and abandon nonencrypted
-passwords if security is an issue. <a href="ch09.html#samba2-CHP-9-SECT-4">Section 9.4</a> of this chapter
-explains how to use encrypted as well as nonencrypted passwords.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-3.4"/>
-
-<h3 class="head2">Server-Level Security</h3>
-
-<p><em class="firstterm">Server-level
-security</em><a name="INDEX-64"/> is similar to user-level security.
-However, with server-level security, Samba delegates password
-authentication to another SMB password server&mdash;typically another
-Samba server or a Windows NT/2000 server acting as a PDC on the
-network. Note that Samba still maintains its list of shares and their
-configuration in its <em class="filename">smb.conf</em> file. When a
-client attempts to make a connection to a particular share, Samba
-validates that the user is indeed authorized to connect to the share.
-Samba then attempts to validate the password by passing the username
-and password to the SMB password server. If the password is accepted,
-a session is established with the client. See <a href="ch09.html#samba2-CHP-9-FIG-2">Figure 9-2</a> for an illustration of this setup.</p>
-
-<div class="figure"><a name="samba2-CHP-9-FIG-2"/><img src="figs/sam2_0902.gif"/></div><h4 class="head4">Figure 9-2. A typical system setup using server-level security</h4>
-
-<p>You can configure Samba to use a separate password server under
-server-level security with the use of the
-<tt class="literal">password</tt><a name="INDEX-65"/> <tt class="literal">server</tt>
-global configuration option, as follows:</p>
-
-<blockquote><pre class="code">[global]
- security = server
- password server = mixtec toltec</pre></blockquote>
-
-<p>Note that you can specify more than one machine as the target of the
-<tt class="literal">password</tt> <tt class="literal">server</tt>; Samba moves
-down the list of servers in the event that its first choice is
-unreachable. The servers identified by the
-<tt class="literal">password</tt> <tt class="literal">server</tt> option are
-given as NetBIOS names, not their DNS names or equivalent IP
-addresses. Also, if any of the servers reject the given password, the
-connection automatically fails&mdash;Samba will not attempt another
-server.</p>
-
-<p>One caveat: when using this option, you still need an account
-representing that user on the regular Samba server. This is because
-the Unix operating system needs a username to perform various I/O
-operations. The preferable method of handling this is to give the
-user an account on the Samba server but disable the
-account's password by replacing it in the system
-password file (e.g., <em class="filename">/etc/passwd </em>) with an
-asterisk (*).</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-3.5"/>
-
-<h3 class="head2">Domain-Level Security</h3>
-
-<p>With <em class="firstterm">domain-level
-security</em><a name="INDEX-66"/>, the Samba server acts as a member of
-a Windows domain. Recall from <a href="ch01.html">Chapter 1</a> that each
-domain has a primary domain controller, which can be a Windows
-NT/2000 or Samba server offering password authentication. The domain
-controller keeps track of users and passwords in its own database and
-authenticates each user when she first logs on and wishes to access
-another machine's shares.</p>
-
-<p>As mentioned earlier in this chapter, Samba has a similar ability to
-offer user-level security, but that option is Unix-centric and
-assumes that the authentication occurs via Unix password files. If
-the Unix machine is part of an NIS or NIS+ domain, Samba
-authenticates users transparently against a shared password file in
-typical Unix fashion. Samba then provides access to the NIS or NIS+
-domain from Windows. There is, of course, no relationship between the
-NIS concept of a domain and a Windows NT domain.</p>
-
-<p>Configuring Samba for domain-level security is covered in <a href="ch04.html">Chapter 4</a> in <a href="ch04.html#samba2-CHP-4-SECT-7">Section 4.7</a>. <a name="INDEX-67"/></p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-9-SECT-4"/>
-
-<h2 class="head1">Passwords</h2>
-
-<p><a name="INDEX-68"/>Passwords
-are a thorny issue with Samba. So much so, in fact, that they are
-often the first major problem that users encounter when they install
-Samba. At this point, we need to delve deeper into Samba to discover
-what is happening on the network.</p>
-
-<p>Passwords sent from individual clients can be either encrypted or
-nonencrypted. Encrypted passwords are, of course, more secure. A
-nonencrypted, plain-text password can be easily read with a
-packet-sniffing program, such as the modified
-<em class="emphasis">tcpdump</em> program for Samba that we used in <a href="ch01.html">Chapter 1</a>. Whether passwords are encrypted by default
-depends on the operating system that the client is using to connect
-to the Samba server. <a href="ch09.html#samba2-CHP-9-TABLE-5">Table 9-5</a> lists which
-<a name="INDEX-69"/>Windows operating
-systems encrypt their passwords and which send plain-text passwords
-by default.</p>
-
-<a name="samba2-CHP-9-TABLE-5"/><h4 class="head4">Table 9-5. Windows operating systems with encrypted passwords</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Operating system</p>
-</th>
-<th>
-<p>Encrypted or plain text</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>Windows for Workgroups</p>
-</td>
-<td>
-<p>Plain text</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 95</p>
-</td>
-<td>
-<p>Plain text</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 95 with SMB Update</p>
-</td>
-<td>
-<p>Encrypted</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 98</p>
-</td>
-<td>
-<p>Encrypted</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows Me</p>
-</td>
-<td>
-<p>Encrypted</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows NT 3.x</p>
-</td>
-<td>
-<p>Plain text</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows NT 4.0 before SP <tt class="literal">3</tt></p>
-</td>
-<td>
-<p>Plain text</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows NT 4.0 after SP 3</p>
-</td>
-<td>
-<p>Encrypted</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows 2000</p>
-</td>
-<td>
-<p>Encrypted</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Windows XP</p>
-</td>
-<td>
-<p>Encrypted</p>
-</td>
-</tr>
-
-</table>
-
-<p>Three different encryption methods are used. Windows 95/98/Me clients
-use a method inherited from Microsoft's LAN Manager
-network software. Windows NT/2000/XP systems use a newer system,
-called NT LAN Manager, or NTLM. A newer version of this (called NT
-LAN Manager Version 2, or NTLMv2) uses a different method for
-password hashing.</p>
-
-<p>If encrypted passwords are supported, Samba stores the encrypted
-passwords in a file called <em class="filename">smbpasswd</em>. By
-default, this file is located in the <em class="filename">private</em>
-directory of the Samba distribution (typically
-<em class="filename">/usr/local/samba/private</em>). At the same time, the
-client stores an encrypted version of a user's
-password on its own system. The plain-text password is never stored
-on either system. Each system encrypts the password automatically
-using a standard algorithm when the password is set or changed.</p>
-
-<p>When a client requests a connection to an SMB server that supports
-encrypted passwords (such as Samba or Windows NT/2000/XP), the two
-computers undergo the following negotiations:</p>
-
-<ol><li>
-<p>The client attempts to negotiate a protocol with the server.</p>
-</li><li>
-<p>The server responds with a protocol and indicates that it supports
-encrypted passwords. At this time, it sends back a randomly generated
-8-byte challenge string.</p>
-</li><li>
-<p>The client uses the challenge string as a key to encrypt its already
-encrypted password using an algorithm predefined by the negotiated
-protocol. It then sends the result to the server.</p>
-</li><li>
-<p>The server does the same thing with the encrypted password stored in
-its database. If the results match, the passwords are equivalent, and
-the user is authenticated.</p>
-</li></ol>
-<p>Note that even though the original passwords are not involved in the
-authentication process, you need to be very careful that the
-encrypted passwords located inside the <em class="filename">smbpasswd</em>
-file are guarded from unauthorized users. If they are compromised, an
-unauthorized user can break into the system by replaying the steps of
-the previous algorithm. The encrypted passwords are just as sensitive
-as the plain-text passwords&mdash;this is known as
-<em class="firstterm">plain-text-equivalent</em> data in the cryptography
-world. Of course, your local security policy should require that the
-clients safeguard their plain-text-equivalent passwords as well.</p>
-
-<p>You can configure Samba to accept encrypted passwords with the
-following global additions to <em class="filename">smb.conf</em>. Note
-that we explicitly name the location of the Samba password file:</p>
-
-<blockquote><pre class="code">[global]
- security = user
- encrypt passwords = yes
- smb passwd file = /usr/local/samba/private/smbpasswd</pre></blockquote>
-
-<p>Samba, however, will not accept any users until the
-<em class="filename">smbpasswd</em> file has been created and the users
-have been added to it with the <em class="emphasis">smbpasswd</em>
-command, as we showed you in <a href="ch02.html">Chapter 2</a>.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-4.1"/>
-
-<h3 class="head2">Disabling Encrypted Passwords on the Client</h3>
-
-<p><a name="INDEX-70"/><a name="INDEX-71"/>While Unix authentication has been
-in use for decades&mdash;including the use of
-<em class="emphasis">telnet</em> and <em class="emphasis">rlogin</em> access
-across the Internet&mdash;it embodies well-known security risks.
-Plaintext passwords are sent over the Internet and can be retrieved
-from TCP packets by malicious snoopers. However, if you feel that
-your network is secure and you wish to use standard Unix
-<em class="filename">/etc/passwd</em> authentication for all clients, you
-can do so, but you must disable encrypted passwords on those Windows
-clients that default to using them.</p>
-
-<p>To do this, you must modify the Windows registry on each client
-system. The Samba distribution includes the <em class="filename">.reg</em>
-files you need for this, located in the source
-distribution's <em class="filename">/docs/Registry</em>
-directory. Depending on the platform, you use one of the following
-files:</p>
-
-<blockquote class="simplelist">
-
-<p><em class="filename">Win95_PlainPassword.reg</em></p>
-
-<p><em class="filename">Win98_PlainPassword.reg</em></p>
-
-<p><em class="filename">WinME_PlainPassword.reg</em></p>
-
-<p><em class="filename">NT_PlainPassword.reg</em></p>
-
-<p><em class="filename">Win2000_PlainPassword.reg</em></p>
-
-</blockquote>
-
-<p>(For Windows XP, use the <em class="filename">.reg</em> file for Windows
-2000.) You can perform the installation by copying the appropriate
-<em class="filename">.reg</em> file to a DOS floppy, inserting the floppy
-in the client's floppy drive, and running the
-<em class="filename">.reg</em> file from the Run menu item in the
-client's Start menu. (Or you can just double-click
-the file's icon.)</p>
-
-<p>After you reboot the machine, the client will not encrypt its hashed
-passwords before sending them to the server. This means that the
-plain-text passwords can been seen in the TCP packets that are
-broadcast across the network. Again, we encourage you not to do this
-unless you are absolutely sure that your network is secure.</p>
-
-<p>If passwords are not encrypted, use these two lines in your Samba
-configuration file:</p>
-
-<blockquote><pre class="code">[global]
- security = user
- encrypt passwords = no</pre></blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-4.2"/>
-
-<h3 class="head2">The smbpasswd File</h3>
-
-<p>Samba stores its encrypted passwords in a file called
-<em class="filename">smbpasswd</em><a name="INDEX-72"/>,
-which by default resides in the
-<em class="filename">/usr/local/samba/private</em> directory. The
-<em class="filename">smbpasswd</em> file should be guarded as closely as
-the Unix system's password file (either
-<em class="filename">/etc/passwd</em> or
-<em class="filename">/etc/shadow</em>). Only the root user should have
-read/write access to the <em class="filename">private</em> directory, and
-no other users should have access to it at all. In addition, the
-<em class="filename">smbpasswd</em> file should have all access denied to
-all users except for root. When things are set up for good security,
-long listings of the <em class="filename">private</em> directory and
-<em class="filename">smbpasswd</em> file look like the following:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>ls -ld /usr/local/samba/private</b></tt>
-drwx- - - - - - 2 root root 4096 Nov 26 01:11 /usr/local/samba/private
-# <tt class="userinput"><b>ls -l /usr/local/samba/private/smbpasswd</b></tt>
--rw- - - - - - - 1 root root 204 Nov 26 01:11 /usr/local/samba/private/smbpasswd</pre></blockquote>
-
-<p>Before you can use encrypted passwords, you need to create an entry
-for each Unix user in the <em class="filename">smbpasswd</em> file. The
-structure of the file is somewhat similar to a Unix
-<em class="filename">passwd</em> file, but has different fields. <a href="ch09.html#samba2-CHP-9-FIG-3">Figure 9-3</a> illustrates the layout of the
-<em class="filename">smbpasswd</em> file; the entry shown is actually one
-line in the file.</p>
-
-<div class="figure"><a name="samba2-CHP-9-FIG-3"/><img src="figs/sam2_0903.gif"/></div><h4 class="head4">Figure 9-3. Structure of the smbpasswd file entry (actually one line)</h4>
-
-<p>Normally, entries in the <em class="filename">smbpasswd</em> file are
-created automatically by the <em class="emphasis">smbpasswd</em> command.
-Still, you might like to know how to interpret data within the
-<em class="filename">smbpasswd</em> file, in case you'd
-like to see what accounts are stored in it or even modify it
-manually. Here is a breakdown of the individual fields:</p>
-
-<dl>
-<dt><b>Username</b></dt>
-<dd>
-<p>This is the username of the account. It is taken directly from the
-system password file.</p>
-</dd>
-
-
-
-<dt><b>UID</b></dt>
-<dd>
-<p>This is the user ID (UID) of the account. Like the username, it is
-taken directly from the system password file and must match the UID
-there.</p>
-</dd>
-
-
-
-<dt><b>LAN Manager Password Hash</b></dt>
-<dd>
-<p>This is a 32-bit hexadecimal sequence that represents the password
-Windows 95/98/Me clients will use. It is derived by splitting the
-password into two 7-character strings, with all lowercase letters
-forced into uppercase. If fewer than 14 characters are in the
-password, the strings are padded with nulls. Then each 7-character
-string is converted to a 56-bit DES key and used to encrypt the
-constant string <tt class="literal">KGS!@#$%</tt>. The two 64-bit results
-are concatenated and stored as the password hash.</p>
-
-
-<p>If there is currently no password for the user, the first 11
-characters of the hash will consist of the sequence
-<tt class="literal">NO</tt> <tt class="literal">PASSWORD</tt> followed by
-<tt class="literal">X</tt> characters for the remainder. If the password
-has been disabled, it will consist of 32 <tt class="literal">X</tt>
-characters.</p>
-</dd>
-
-
-<dt><b>NT LAN Manager (NTLM) Password Hash</b></dt>
-<dd>
-<p>This is a 32-bit hexadecimal sequence that represents the password
-Windows NT/2000/XP clients will use. It is derived by hashing the
-user's password (represented as a 16-bit
-little-endian Unicode sequence) with an MD4 hash. The password is not
-converted to uppercase letters first.</p>
-</dd>
-
-
-
-<dt><b>Account Flags</b></dt>
-<dd>
-<p>This field consists of 11 characters between two braces ( [ ] ). Any
-of the following characters can appear in any order; the remaining
-characters should be spaces:</p>
-
-
-<dl>
-<dt><b>U</b></dt>
-<dd>
-<p>This account is a standard user account.</p>
-</dd>
-
-
-
-<dt><b>D</b></dt>
-<dd>
-<p>This account is currently disabled, and Samba should not allow any
-logins.</p>
-</dd>
-
-
-
-<dt><b>N</b></dt>
-<dd>
-<p>This account has no password associated with it.</p>
-</dd>
-
-
-
-<dt><b>W</b></dt>
-<dd>
-<p>This is a workstation trust account that can be used to configure
-Samba as a PDC when allowing Windows NT machines to join its domain.</p>
-</dd>
-
-</dl>
-</dd>
-
-
-<dt><b>Last Change Time</b></dt>
-<dd>
-<p>This code consists of the characters <tt class="literal">LCT-</tt> followed
-by a hexadecimal representation of the number of seconds since the
-epoch (midnight on January 1, 1970) that the entry was last changed.
-<a name="INDEX-73"/></p>
-</dd>
-
-</dl>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-4.3"/>
-
-<h3 class="head2">Password Synchronization</h3>
-
-<p><a name="INDEX-74"/><a name="INDEX-75"/>Having a regular password (either in
-<em class="filename">/etc/passwd</em> or <em class="filename">/etc/shadow</em>)
-and an encrypted version of the same password (in the
-<em class="filename">smbpasswd</em> file) can be troublesome when you need
-to change both of them. Luckily, Samba affords you a limited ability
-to keep your passwords synchronized. Samba has a pair of
-configuration options to update a user's regular
-Unix password automatically when the encrypted password is changed on
-the system. The feature can be activated by specifying the
-<tt class="literal">unix</tt><a name="INDEX-76"/> <tt class="literal">password</tt>
-<tt class="literal">sync</tt> global configuration option:</p>
-
-<blockquote><pre class="code">[global]
- unix password sync = yes</pre></blockquote>
-
-<p>With this option enabled, Samba attempts to change the
-user's regular password (as <tt class="literal">root</tt>)
-when the encrypted version is changed with
-<em class="filename">smbpasswd</em>. However, two other options have to be
-set correctly for this to work.</p>
-
-<p>The easier of the two is <tt class="literal">passwd</tt>
-<tt class="literal">program</tt>. This option simply specifies the Unix
-command used to change a user's standard system
-password. It is set to <tt class="literal">/bin/passwd</tt>
-<tt class="literal">%u</tt> by default. With some Unix systems, this is
-sufficient, and you do not need to change anything. Others, such as
-Red Hat Linux, use <em class="emphasis">/usr/bin/passwd</em> instead. In
-addition, you might want to change this to another program or script
-at some point in the future. For example, let's
-assume that you want to use a script called
-<em class="emphasis">changepass</em> to change a user's
-password. Recall that you can use the variable <tt class="literal">%u</tt>
-to represent the current Unix username. So the example becomes:</p>
-
-<blockquote><pre class="code">[global]
- unix password sync = yes
- passwd program = changepass %u</pre></blockquote>
-
-<p>Note that this program is called as the <tt class="literal">root</tt> user
-when the <tt class="literal">unix</tt> <tt class="literal">password</tt>
-<tt class="literal">sync</tt> option is set to <tt class="literal">yes</tt>. This
-is because Samba does not necessarily have the old plain-text
-password of the user.</p>
-
-<p>The harder option to configure is
-<tt class="literal">passwd</tt><a name="INDEX-77"/> <tt class="literal">chat</tt>. The
-<tt class="literal">passwd</tt> <tt class="literal">chat</tt> option works like a
-Unix chat script. It specifies a series of strings to send, as well
-as responses to expect from the program specified by the
-<tt class="literal">passwd</tt> <tt class="literal">program</tt> option. For
-example, this is what the default <tt class="literal">passwd</tt>
-<tt class="literal">chat</tt> looks like. The delimiters are the spaces
-between each grouping of characters:</p>
-
-<blockquote><pre class="code">passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*</pre></blockquote>
-
-<p>The first grouping represents a response expected from the
-password-changing program. Note that it can contain wildcards
-(<tt class="literal">*</tt>), which help to generalize the chat programs to
-handle a variety of similar outputs. Here,
-<tt class="literal">*old*password*</tt> indicates that Samba is expecting
-any line from the password program containing the letters
-<tt class="literal">old</tt> followed by the letters
-<tt class="literal">password</tt>, without regard for what comes before,
-after, or between them. If Samba does not receive the expected
-response, the password change will fail.</p>
-
-<p>The second grouping indicates what Samba should send back once the
-data in the first grouping has been matched. In this case, you see
-<tt class="literal">%o\n</tt>. This response is actually two items: the
-variable <tt class="literal">%o</tt> represents the old password, while the
-<tt class="literal">\n</tt> is a newline character. So, in effect, this
-will &quot;type&quot; the old password into
-the standard input of the password-changing program, and then
-&quot;press&quot; Enter.</p>
-
-<p>Following that is another response grouping, followed by data that
-will be sent back to the password-changing program. (In fact, this
-response/send pattern continues indefinitely in any standard Unix
-<em class="emphasis">chat</em> script.) The script continues until the
-final pattern is matched.</p>
-
-<p>You can help match the response strings sent from the password
-program with the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-6">Table 9-6</a>.
-In addition, you can use the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-7">Table 9-7</a> to help formulate your response.</p>
-
-<a name="samba2-CHP-9-TABLE-6"/><h4 class="head4">Table 9-6. Password chat response characters</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Character</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">*</tt></p>
-</td>
-<td>
-<p>Zero or more occurrences of any character.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>&quot;<tt class="literal"> </tt>&quot;</p>
-</td>
-<td>
-<p>Allows you to include matching strings that contain spaces. Asterisks
-are still considered wildcards even inside of quotes, and you can
-represent a null response with empty quotes.</p>
-</td>
-</tr>
-
-</table>
-
-<a name="samba2-CHP-9-TABLE-7"/><h4 class="head4">Table 9-7. Password chat send characters</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Character</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">%o</tt></p>
-</td>
-<td>
-<p>The user's old password</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%n</tt></p>
-</td>
-<td>
-<p>The user's new password</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">\n</tt></p>
-</td>
-<td>
-<p>The linefeed character</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">\r</tt></p>
-</td>
-<td>
-<p>The carriage-return character</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">\t</tt></p>
-</td>
-<td>
-<p>The tab character</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">\s</tt></p>
-</td>
-<td>
-<p>A space</p>
-</td>
-</tr>
-
-</table>
-
-<p>For example, you might want to change your password chat to the
-following entry. This handles scenarios in which you do not have to
-enter the old password. In addition, this also handles the new
-<tt class="literal">all</tt> <tt class="literal">tokens</tt>
-<tt class="literal">updated</tt> <tt class="literal">successfully</tt> string
-that Red Hat Linux sends:</p>
-
-<blockquote><pre class="code">passwd chat = *New password* %n\n *new password* %n\n *success*</pre></blockquote>
-
-<p>Again, the default chat should be sufficient for many Unix systems.
-If it isn't, you can use the
-<tt class="literal">passwd</tt> <tt class="literal">chat</tt>
-<tt class="literal">debug</tt> global option to set up a new chat script
-for the password change program. The <tt class="literal">passwd</tt>
-<tt class="literal">chat</tt> <tt class="literal">debug</tt> option logs
-everything during a password chat. This option is a simple Boolean,
-as shown here:</p>
-
-<blockquote><pre class="code">[global]
- unix password sync = yes
- passwd chat debug = yes
- log level = 100</pre></blockquote>
-
-<p>After you activate the password chat debug feature, all I/O received
-by Samba through the password chat can be sent to the
-<em class="filename">log.smbd</em> Samba log file with a debug level of
-100, which is why we entered a new <tt class="literal">log</tt>
-<tt class="literal">level</tt> option as well. As this can often generate
-multitudes of error logs, it can be more efficient to use your own
-script&mdash;by setting the <tt class="literal">passwd</tt>
-<tt class="literal">program</tt> option&mdash;in place of
-<em class="filename">/bin/passwd</em> to record what happens during the
-exchange. Be careful because the log file contains the passwords in
-plain text. Keeping files containing plain-text passwords can (or
-<em class="emphasis">should</em>) be against local security policy in your
-organization, and it also might raise serious legal issues. Make sure
-to protect your log files with strict file permissions and to delete
-them as soon as you've grabbed the information you
-need. If possible, use the <tt class="literal">passwd</tt>
-<tt class="literal">chat</tt> <tt class="literal">debug</tt> option only while
-your own password is being changed.</p>
-
-<p>The operating system on which Samba is running might have strict
-requirements for valid passwords to make them more impervious to
-dictionary attacks and the like. Users should be made aware of these
-restrictions when changing their passwords.</p>
-
-<p>Earlier we said that password synchronization is limited. This is
-because there is no reverse synchronization of the encrypted
-<em class="filename">smbpasswd</em> file when a standard Unix password is
-updated by a user. There are various strategies to get around this,
-including NIS and freely available implementations of the Pluggable
-Authentication Modules (PAM) standard, but none of them really solves
-all the problems.</p>
-
-<p>More information regarding passwords can be found in the in the Samba
-source distribution file
-<em class="filename">docs/htmldocs/ENCRYPTION.html</em>.<a name="INDEX-80"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-4.4"/>
-
-<h3 class="head2">Password Configuration Options</h3>
-
-<p><a name="INDEX-81"/><a name="INDEX-82"/>The options in <a href="ch09.html#samba2-CHP-9-TABLE-8">Table 9-8</a> will help you work with passwords in Samba.</p>
-
-<a name="samba2-CHP-9-TABLE-8"/><h4 class="head4">Table 9-8. Password configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">encrypt</tt> <tt class="literal">passwords</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, enables encrypted passwords.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">unix password</tt> <tt class="literal">sync</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, updates the standard Unix password
-database when a user changes his encrypted password.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">passwd chat</tt></p>
-</td>
-<td>
-<p>string (chat commands)</p>
-</td>
-<td>
-<p>Sequence of commands sent to the password program.</p>
-</td>
-<td>
-<p>See earlier section on this option</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">passwd chat</tt> <tt class="literal">debug</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, sends debug logs of the password-change
-process to the log files with a level of 100.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">passwd program</tt></p>
-</td>
-<td>
-<p>string (Unix command)</p>
-</td>
-<td>
-<p>Program to be used to change passwords.</p>
-</td>
-<td>
-<p><tt class="literal">/bin/passwd</tt> <tt class="literal">%u</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">password level</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Number of capital-letter permutations to attempt when matching a
-client's password.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">update</tt> <tt class="literal">encrypted</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, updates the encrypted password file when a
-client connects to a share with a plain-text password.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">null passwords</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows access for users with null
-passwords.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">smb passwd file</tt></p>
-</td>
-<td>
-<p>string (filename)</p>
-</td>
-<td>
-<p>Name of the encrypted password file.</p>
-</td>
-<td>
-<p><tt class="literal">/usr/local/samba/private/smbpasswd</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">hosts equiv</tt></p>
-</td>
-<td>
-<p>string (filename)</p>
-</td>
-<td>
-<p>Name of a file that contains hosts and users that can connect without
-using a password.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">use rhosts</tt></p>
-</td>
-<td>
-<p>string (filename)</p>
-</td>
-<td>
-<p>Name of a .<em class="emphasis">rhosts</em> file that allows users to
-connect without using a password.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.1"/>
-
-<h3 class="head3">encrypt passwords</h3>
-
-<p>The <tt class="literal">encrypt</tt><a name="INDEX-83"/>
-<tt class="literal">passwords</tt> global option switches Samba from using
-plain-text passwords to encrypted passwords for authentication.
-Encrypted passwords will be expected from clients if the option is
-set to <tt class="literal">yes</tt>:</p>
-
-<blockquote><pre class="code">encrypt passwords = yes</pre></blockquote>
-
-<p>In Samba 2.2.x versions and with previous versions, encrypted
-passwords are disabled by default. This was changed in Samba 3.0 to
-make encrypted passwords enabled by default.</p>
-
-<p>If you use encrypted passwords, you must have a valid
-<em class="filename">smbpasswd</em> file in place and populated with
-usernames that authenticate with encrypted passwords. (See <a href="ch09.html#samba2-CHP-9-SECT-4.2">Section 9.4.2</a> earlier in
-this chapter.) In addition, Samba must know the location of the
-<em class="filename">smbpasswd</em> file; if it is not in the default
-location (typically
-<em class="filename">/usr/local/samba/private/smbpasswd</em> ), you can
-explicitly name it using the <tt class="literal">smb</tt>
-<tt class="literal">passwd</tt> <tt class="literal">file</tt> option.</p>
-
-<p>If you wish, you can use <tt class="literal">update</tt>
-<tt class="literal">encrypted</tt> to force Samba to update the
-<em class="filename">smbpasswd</em> file with encrypted passwords each
-time a client connects using a nonencrypted password.</p>
-
-<p>If you have a mixture of clients on your network, with some of them
-using encrypted passwords and others using plain-text passwords, you
-can use the <tt class="literal">include</tt> option to make Samba treat
-each client appropriately. To do this, create individual
-configuration files based on the client name (<tt class="literal">%m</tt>).
-These host-specific configuration files can contain an
-<tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> option that activates
-only when those clients are connecting to the server.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.2"/>
-
-<a name="INDEX-84"/><h3 class="head3">unix password sync</h3>
-
-<p>The <tt class="literal">unix</tt> <tt class="literal">password</tt>
-<tt class="literal">sync</tt> global option allows Samba to update the
-standard Unix password file when a user changes her encrypted
-password. The encrypted password is stored on a Samba server in the
-<em class="filename">smbpasswd</em> file, which is located by default in
-<em class="filename">/usr/local/samba/private</em>. You can activate this
-feature as follows:</p>
-
-<blockquote><pre class="code">[global]
- unix password sync = yes</pre></blockquote>
-
-<p>If this option is enabled, Samba changes the encrypted password and,
-in addition, attempts to change the standard Unix password by passing
-the username and new password to the program specified by the
-<tt class="literal">passwd</tt> <tt class="literal">program</tt> option
-(described earlier). Note that Samba does not necessarily have access
-to the plain-text password for this user, so the password changing
-program must be invoked as <tt class="literal">root</tt>.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> If the Unix password change does not
-succeed, for whatever reason, the SMB password is not changed either.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.3"/>
-
-<a name="INDEX-85"/><h3 class="head3">passwd chat</h3>
-
-<p>This option specifies a series of send/response strings similar to a
-Unix chat script, which interface with the password-changing program
-on the Samba server. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
-chapter covers this option in detail.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.4"/>
-
-<h3 class="head3">passwd chat debug</h3>
-
-<p>If set to <tt class="literal">yes</tt>, the
-<tt class="literal">passwd</tt><a name="INDEX-86"/> <tt class="literal">chat</tt>
-<tt class="literal">debug</tt> global option logs everything sent or
-received by Samba during a password chat. All the I/O received by
-Samba through the password chat is sent to the Samba logs with a
-debug level of 100; you must specify <tt class="literal">log</tt>
-<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">100</tt>
-for the information to be recorded. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
-chapter describes this option in more detail. Be aware that if you do
-set this option, the plain-text passwords will be visible in the
-debugging logs, which could be a security hazard if they are not
-properly secured. It is against the security policy of some
-organizations for system administrators to have access to
-users' passwords.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.5"/>
-
-<h3 class="head3">passwd program</h3>
-
-<p>The <tt class="literal">passwd</tt><a name="INDEX-87"/>
-<tt class="literal">program</tt> option specifies a program on the Unix
-Samba server that Samba can use to update the standard system
-password file when the encrypted password file is updated. This
-option defaults to the standard <em class="emphasis">passwd</em> program,
-usually located in the <em class="filename">/bin</em> directory. The
-<tt class="literal">%u</tt> variable is typically used as the requesting
-user when the command is executed. The actual handling of input and
-output to this program during execution is handled through the
-<tt class="literal">passwd</tt> <tt class="literal">chat</tt> option. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
-chapter covers this option in detail.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.6"/>
-
-<a name="INDEX-88"/><h3 class="head3">password level</h3>
-
-<p>With SMB, nonencrypted (or plain-text) passwords are sent with
-capital letters, just like the usernames mentioned previously. Many
-Unix users, however, choose passwords with both upper- and lowercase
-letters. Samba, by default, only attempts to match the password
-entirely in lowercase letters and not capitalizing the first letter.</p>
-
-<p>Like <tt class="literal">username</tt> <tt class="literal">level</tt>, a
-<tt class="literal">password</tt> <tt class="literal">level</tt> option can be
-used to attempt various permutations of the password with capital
-letters. This option takes an integer value that specifies how many
-letters in the password should be capitalized when attempting to
-connect to a share. You can specify this option as follows:</p>
-
-<blockquote><pre class="code">[global]
- password level = 3</pre></blockquote>
-
-<p>In this case, Samba then attempts all permutations of the password it
-can compute having three capital letters. The larger the number, the
-more computations Samba has to perform to match the password, and the
-longer a connection to a specific share might take.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.7"/>
-
-<a name="INDEX-89"/><h3 class="head3">update encrypted</h3>
-
-<p>For sites switching over to the encrypted password format, Samba
-provides an option that should help with the transition. The
-<tt class="literal">update</tt> <tt class="literal">encrypted</tt> option allows
-a site to ease into using encrypted passwords from plain-text
-passwords. You can activate this option as follows:</p>
-
-<blockquote><pre class="code">[global]
- update encrypted = yes</pre></blockquote>
-
-<p>This instructs Samba to create an encrypted version of each
-user's Unix password in the
-<em class="filename">smbpasswd</em> file each time she connects to a
-share. When this option is enabled, you must have the
-<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> option set to
-<tt class="literal">no</tt> so that the client passes plain-text passwords
-to Samba to update the files. Once each user has connected at least
-once, you can set <tt class="literal">encrypted</tt>
-<tt class="literal">passwords</tt> <tt class="literal">=</tt>
-<tt class="literal">yes</tt>, allowing you to use only the encrypted
-passwords. The user must already have a valid entry in the
-<em class="filename">smbpasswd</em> file for this option to work.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.8"/>
-
-<a name="INDEX-90"/><h3 class="head3">null passwords</h3>
-
-<p>This global option tells Samba whether to allow access from users
-that have null passwords (encrypted or nonencrypted) set in their
-accounts. The default value is <tt class="literal">no</tt>. You can
-override it as follows:</p>
-
-<blockquote><pre class="code">null passwords = yes</pre></blockquote>
-
-<p>We highly recommend against doing so because of the security risks
-this option can present to your system, including inadvertent access
-to system users (such as <tt class="literal">bin</tt>) in the system
-password file who have null passwords set.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.9"/>
-
-<a name="INDEX-91"/><h3 class="head3">smb passwd file</h3>
-
-<p>This global option identifies the location of the encrypted password
-database. By default, it is set to
-<em class="filename">/usr/local/samba/private/smbpasswd</em>. You can
-override it as follows:</p>
-
-<blockquote><pre class="code">[global]
- smb passwd file = /etc/samba/smbpasswd</pre></blockquote>
-
-<p>This location, for example, is common on many Red Hat distributions
-on which Samba has been installed using an RPM package.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.10"/>
-
-<a name="INDEX-92"/><h3 class="head3">hosts equiv</h3>
-
-<p>This global option specifies the name of a standard Unix
-<em class="filename">hosts.equiv</em> file that allows hosts or users to
-access shares without specifying a password. You can specify the
-location of such a file as follows:</p>
-
-<blockquote><pre class="code">[global]
- hosts equiv = /etc/hosts.equiv</pre></blockquote>
-
-<p>The default value for this option does not specify any
-<em class="filename">hosts.equiv</em> file. Because using a
-<em class="filename">hosts.equiv</em> file is a huge security risk, we
-strongly recommend against using this option.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.11"/>
-
-<a name="INDEX-93"/><h3 class="head3">use rhosts</h3>
-
-<p>This global option specifies the name of a standard Unix
-user's <em class="filename">.rhosts</em> file that allows
-foreign hosts to access shares without specifying a password. You can
-specify the location of such a file as follows:</p>
-
-<blockquote><pre class="code">[global]
- use rhosts = /home/dave/.rhosts</pre></blockquote>
-
-<p>The default value for this option does not specify any
-<em class="filename">.rhosts</em> file. Like the <tt class="literal">hosts</tt>
-<tt class="literal">equiv</tt> option discussed earlier, using such a file
-is a security risk. We highly recommend that you do not use this
-option unless you are confident in the security of your network.
-<a name="INDEX-94"/>
-<a name="INDEX-95"/><a name="INDEX-96"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-9-SECT-5"/>
-
-<h2 class="head1">Authentication with winbind</h2>
-
-<p><a name="INDEX-97"/><a name="INDEX-98"/>In <a href="ch03.html">Chapter 3</a>, we
-showed you how to add Windows clients to a network in which user
-accounts were maintained on the Samba server. We added a user account
-to the Windows client using the same username and password as an
-account on the Unix system. This method works well in many computing
-environments. However, if a Samba server is added to a Windows
-network that already has a Windows NT/2000 primary domain controller,
-the PDC has a preexisting database of user accounts and group
-information that is used for authentication. It can be a big chore to
-transfer that database manually to the Unix server, and later
-maintain and synchronize the Unix and Windows databases.</p>
-
-<p>In <a href="ch04.html">Chapter 4</a>, we showed you how to add a Samba
-server as a domain member server to a network having a Windows
-NT/2000 primary domain controller. We set <tt class="literal">security</tt>
-<tt class="literal">=</tt> <tt class="literal">domain</tt> in the Samba
-configuration file to have the Samba server hand off authentication
-to the Windows PDC. Using that method, passwords are kept only on the
-PDC, but it is still necessary to set up user accounts on the Unix
-side to make sure each client has a valid Unix UID and group ID
-(GID). This is necessary for maintaining the file ownerships and
-permissions of the Unix security model. Whenever Samba performs an
-operation on the Unix filesystem on behalf of the Windows client, the
-user must have a valid UID and GID on the local Unix system.</p>
-
-<p>A facility that has recently been added to Samba, winbind, allows the
-Windows <a name="INDEX-99"/>PDC to handle
-not only authentication, but the user and group information as well.
-Winbind works by extending the Unix user and group databases beyond
-the standard <em class="filename">/etc/passwd</em> and
-<em class="filename">/etc/group</em> files such that users and groups on
-the Windows PDC also exist as valid users and groups on the Unix
-system. The extension applies to the entire Unix system and allows
-users who are members of a Windows domain to perform any action on
-the Unix system that a local user would, including logging in to the
-Unix system by <em class="emphasis">telnet</em> or even on the local
-system, using their domain usernames and passwords.</p>
-
-<p>When winbind is in use, administration of user accounts can be done
-on the Windows PDC, without having to repeat the tasks on the Unix
-side. This includes password expiration and allowing users to change
-their passwords, which would otherwise not be practical. Aside from
-simplifying domain administration and being a great time saver,
-winbind lets Samba be used in computing environments where it
-otherwise might not be allowed.</p>
-<a name="samba2-CHP-9-NOTE-143"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Because this is a chapter on security, we want to point out that some
-issues might relate to allowing a Windows system to authenticate
-users accessing a Unix system! Whatever you might think of the
-relative merits of Unix and Windows security models (and even more
-importantly, their <em class="emphasis">implementations</em>), one thing
-is certain: adding winbind support to your Samba server greatly
-complicates the authentication system overall&mdash;and quite
-possibly allows more opportunities for crackers.</p>
-
-<p>We present winbind in this chapter not as a means of improving
-security, but rather as a further example of Samba's
-ability to integrate itself into a modern Windows environment.</p>
-</blockquote>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-5.1"/>
-
-<h3 class="head2">Installing winbind</h3>
-
-<p><a name="INDEX-100"/>Installing
-and configuring winbind is fairly complicated and involves the
-following steps:</p>
-
-<ol><li>
-<p>Reconfigure, recompile, and reinstall Samba&mdash;to add support for
-winbind.</p>
-</li><li>
-<p>Configure the Unix name server switch.</p>
-</li><li>
-<p>Modify the Samba configuration file.</p>
-</li><li>
-<p>Start and test the <em class="emphasis">winbindd</em> daemon.</p>
-</li><li>
-<p>Configure the system to start and stop the
-<em class="emphasis">winbindd</em> daemon automatically.</p>
-</li><li>
-<p>Optionally, configure PAM for use with winbind.</p>
-</li></ol>
-<p>At the time this book was written, winbind was supported only on
-Linux, so all of the following directions are specific to it. Other
-Unix flavors might be supported at a later time. In addition, we
-assume you have a Windows NT/2000 primary domain controller running
-on your network.</p>
-
-<p>First, you will need to configure and compile Samba using the
-<tt class="literal">--with-winbind</tt> configure option. Directions for
-doing this are included in <a href="ch02.html">Chapter 2</a> in <a href="ch02.html#samba2-CHP-2-SECT-3">Section 2.3</a>. As usual, run
-<em class="emphasis">make install</em> to reinstall the Samba binaries.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-5.2"/>
-
-<h3 class="head2">Configuring nsswitch</h3>
-
-<p><a name="INDEX-101"/>When
-Samba is compiled after being configured with the
-<tt class="literal">--with-winbind</tt> option, the compilation process
-produces a library called
-<em class="filename">libnss_winbind.so</em><a name="INDEX-102"/> in the
-<em class="filename">source/nsswitch</em> directory. This library needs to
-be copied to the <em class="filename">/lib</em> directory:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>cp nsswitch/libnss_winbind.so /lib</b></tt></pre></blockquote>
-
-<p>Also, a symbolic link must be created for winbind to be fully
-functional:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</b></tt></pre></blockquote>
-
-<a name="samba2-CHP-9-NOTE-144"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>The name of this symbolic link is correct for Samba 2.2.3 and Red Hat
-7.1. The name might change&mdash;with a higher version number in the
-extension&mdash;in future releases. See the
-<em class="emphasis">winbindd</em> manual page for details.</p>
-</blockquote>
-
-<p>Next, we need to modify <em class="filename">/etc/nsswitch.conf</em> to
-make the lines for <tt class="literal">passwd</tt> and
-<tt class="literal">group</tt> look like this:</p>
-
-<blockquote><pre class="code">passwd: files winbind
-group: files winbind</pre></blockquote>
-
-<p>Then activate these changes by issuing the following command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>/sbin/ldconfig</b></tt></pre></blockquote>
-
-<p>What we've just done is reconfigure the Linux name
-service switch, which allows name service and other tasks to be
-configured to use the traditional method (files in the
-<em class="filename">/etc</em> directory) or an extension coded in a
-library, such as the <em class="filename">libnss_winbind.so</em> library
-we've just installed. We've
-specified in our configuration that Samba will search for user and
-group information first in the <em class="filename">/etc/passwd</em> and
-<em class="filename">/etc/group files</em>, and if they are not found
-there, in the winbind service.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-5.3"/>
-
-<h3 class="head2">Modifying smb.conf</h3>
-
-<p><a name="INDEX-103"/><a name="INDEX-104"/>To use winbind, we must have our Samba
-server added to the Windows NT domain as a domain member server (as
-we described in <a href="ch04.html">Chapter 4</a>) and also add some
-parameters to the Samba configuration file to configure winbind. In
-addition to the options required to configure Samba as a domain
-member server, we need:</p>
-
-<blockquote><pre class="code">[global]
- winbind uid = 10000-20000
- winbind gid = 10000-20000</pre></blockquote>
-
-<p>The <tt class="literal">winbind</tt> <tt class="literal">uid</tt> and
-<tt class="literal">winbind</tt> <tt class="literal">gid</tt> options tell
-winbind how to map between Windows relative identifiers (RIDs) and
-Unix UIDs and GIDs. Windows uses RIDs to identify users and groups
-within the domain, and to function, the Unix system must have a UID
-and GID associated with every user and group RID that is received
-from the Windows primary domain controller. The
-<tt class="literal">winbind</tt> <tt class="literal">uid</tt> and
-<tt class="literal">winbind</tt> <tt class="literal">gid</tt> parameters simply
-provide winbind with a range of UIDs and GIDs, respectively, that are
-allocated by the system administrator for Windows NT domain users and
-groups. You can use whatever range you want for each; just make sure
-the lowest number in the range does not conflict with any entries in
-your <em class="filename">/etc/passwd</em> or
-<em class="filename">/etc/group</em> files at any time, either now or in
-the future. It is important to be conservative about this. Once
-winbind adds an RID to UID/GID mapping to its database, it is very
-difficult to modify the mapping.</p>
-<a name="samba2-CHP-9-NOTE-145"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p><a name="INDEX-105"/>The file
-<em class="filename">/usr/local/samba/locks/winbindd_idmap.tdb</em>
-contains winbind's RID mapping file by default. We
-suggest you regard this file as extremely sensitive and make sure to
-guard it carefully against any kind of harm or loss. If you lose it,
-you will have to re-create it manually, which can be a very
-labor-intensive task.</p>
-</blockquote>
-
-<a name="samba2-CHP-9-NOTE-145a"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>Be careful when adding local users after domain users have started
-accessing the Samba server. The domain users will have entries
-created for them by winbind in <em class="filename">/etc/passwd,</em> with
-UIDs in the range you specify. If you are using a method of creating
-new accounts that automatically assigns UIDs, it might choose UIDs by
-adding 1 to the highest UID assigned thus far, which will be the most
-recent UID added by winbind. (This is the case on Red Hat Linux, with
-the <em class="emphasis">useradd</em> script, for example.) The UID for
-the new local user will be within the range allocated for winbind,
-which will have undesired effects. Make sure to add new local users
-using a method that assigns them UIDs in the proper range. For
-example, you can use the <em class="emphasis">-u</em> option of
-<em class="emphasis">useradd</em> to specify the UID to assign to the new
-user.</p>
-</blockquote>
-
-<p>Restart the Samba daemons to put your changes to the configuration
-file into effect. If you have not already done so while adding your
-Samba server as a domain member server, you must issue the command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j </b></tt><em class="replaceable">domain</em><tt class="userinput"><b> -r </b></tt><em class="replaceable">pdc</em><tt class="userinput"><b> -U Administrator</b></tt></pre></blockquote>
-
-<p>as we described in <a href="ch04.html">Chapter 4</a>. At this point, you
-can start the <em class="emphasis">winbindd</em> daemon:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>winbindd</b></tt></pre></blockquote>
-
-<p><a name="INDEX-106"/>You might want to
-run a <em class="emphasis">ps ax</em> command to see that the
-<em class="emphasis">winbindd</em> daemon is running. Now, to make sure
-everything we've done up to this point works, we can
-use Samba's <em class="emphasis">wbinfo</em> command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -u</b></tt>
-METRAN\Administrator
-METRAN\bebe
-METRAN\Guest
-METRAN\jay
-METRAN\linda
-$ <tt class="userinput"><b>wbinfo -g</b></tt>
-METRAN\Domain Admins
-METRAN\Domain Guests
-METRAN\Domain Users</pre></blockquote>
-
-<p>The <em class="emphasis">-u</em> option queries the domain controller for
-a list of domain users, and the <em class="emphasis">-g</em> option asks
-for the list of groups. The output shows that the Samba host system
-can query the Windows PDC through winbind.</p>
-
-<p>Another thing to check is the list of users and groups, using the
-<em class="emphasis">getent</em> command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>getent passwd</b></tt>
-root:x:0:0:root:/root:/bin/bash
-bin:x:1:1:bin:/bin:
-daemon:x:2:2:daemon:/sbin:
- <i class="lineannotation">... deleted ...</i>
-jay:x:500:500:Jay Ts:/home/jay:/bin/bash
-rik:x:501:501::/home/rik:/bin/bash
-METRAN\Administrator:x:10000:10000::/home/METRAN/administrator:/bin/bash
-METRAN\bebe:x:10001:10000:Bebe Larta:/home/METRAN/bebe:/bin/bash
-METRAN\Guest:x:10002:10000::/home/METRAN/guest:/bin/bash
-METRAN\jay:x:10003:10000:Jay Ts:/home/METRAN/jay:/bin/bash
-METRAN\linda:x:10004:10000:Linda Lewis:/home/METRAN/linda:/bin/bash
-
-# getent group
-root:x:0:root
-bin:x:1:root,bin,daemon
-daemon:x:2:root,bin,daemon
- <i class="lineannotation">... deleted ...</i>
-jay:x:500:
-rik:x:501:
-METRAN\Domain Admins:x:10001:METRAN\Administrator
-METRAN\Domain Guests:x:10002:METRAN\Guest
-METRAN\Domain Users:x:10000:METRAN\Administrator,METRAN\jay,METRAN\linda,METRAN\bebe</pre></blockquote>
-
-<p>This shows that the Linux system is finding the domain users and
-groups through winbind, in addition to those in the
-<em class="filename">/etc/passwd</em> and <em class="filename">/etc/group</em>
-files. If this part doesn't work as shown earlier,
-with the domain users and groups listed after the local ones, check
-to make sure you made the symbolic link to
-<em class="filename">libnss_winbind.so</em> in <em class="filename">/lib</em>
-correctly.</p>
-
-<p>Now you can try connecting to a Samba share from a Windows system
-using a domain account. You can either log on to the domain from a
-Windows NT/2000/XP workstation or use <em class="emphasis">smbclient</em>
-with the <em class="emphasis">-U</em> option to specify a username.</p>
-
-<a name="samba2-CHP-9-NOTE-147"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
-<p>If you get errors while attempting to log on to the domain, it is
-probably because you had previously configured the client system with
-a computer account on another domain controller. Commonly, you get a
-dialog box that says, &quot;The domain
-<em class="replaceable">NAME</em> is not available.&quot;
-On a Windows 2000 system, the fix is to log in to the system as an
-administrative user and open the Control Panel, double-click the
-System icon, click the Network Identification tab, then click the
-Properties button. In the dialog that comes up, click the
-&quot;Workgroup:&quot; radio button and fill
-in the name of the workgroup (you can use the same name as the
-domain). Click the OK buttons in the dialogs, and reboot if
-requested.</p>
-
-<p>This removes the computer account from the primary domain controller.
-Now log in again as the administrative user and repeat the previous
-directions, but change from the workgroup back to the domain. This
-creates a new computer account that
-&quot;fits&quot; the workstation to the new
-primary domain controller. If your network has backup domain
-controllers, it will take up to 15 minutes for the new computer
-account to propagate to the BDCs.</p>
-
-<p>If you are using Windows NT/XP, the method is slightly different. For
-the exact procedure, see the section in <a href="ch04.html">Chapter 4</a>
-that is specific to your Windows version.</p>
-</blockquote>
-
-<p>After logging in as a domain user, try creating a file or two in a
-Samba share. (You might need to change the permissions on the shared
-directory&mdash;say, to 777&mdash;to allow this access. This is very
-permissive, but after you finish reading this section, you will
-understand how to change ownership and permissions on the directory
-to restrict access to selected domain users.) After
-you've created files by one or more domain users,
-take a look at the directory's contents from a Linux
-shell. You will see something like this:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /u</b></tt>
--rwxrw-rw- 1 METRAN\b METRAN\D 0 Apr 13 00:00 bebes-file.doc
--rwxrw-rw- 1 METRAN\l METRAN\D 0 Apr 12 23:58 lindas-file.doc
-drwxrwxr-x 6 jay jay 4096 Jan 15 05:12 snd
-<b class="emphasis-bold">$ ls -ln /u</b>
-total 4
--rwxrw-rw- 1 10001 10000 0 Apr 13 00:00 bebes-file.doc
--rwxrw-rw- 1 10004 10000 0 Apr 12 23:58 lindas-file.doc
-drwxrwxr-x 6 500 500 4096 Jan 15 05:12 snd</pre></blockquote>
-
-<p>We can even use the domain usernames and groups from the Linux shell:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /u</b></tt>
-# <tt class="userinput"><b>ls -ldu /u</b></tt>
-drwxrwxrwx 3 METRAN\l METRAN\D 4096 Apr 13 00:44 /u
-# <tt class="userinput"><b>ls -ldn /u</b></tt>
-drwxrwxrwx 3 10004 10000 4096 Apr 13 00:00 /u</pre></blockquote>
-
-<p>Notice how the owner and group are listed as being those of the
-domain user and group. Unfortunately, the GNU <em class="emphasis">ls</em>
-command won't show the full names of the domain
-users and groups, but we can use the <em class="emphasis">-ln</em> listing
-to show the UIDs and GIDs and then translate with the
-<em class="emphasis">wbinfo</em> command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -s `wbinfo -U 10004`</b></tt>
-METRAN\LINDA 1
-$ <tt class="userinput"><b>wbinfo -s `wbinfo -G 10000`</b></tt>
-METRAN\Domain Users 2</pre></blockquote>
-
-<p>(It's a bit messy, but it works, and it shows that
-the winbind system is working!) At this point, you might want to
-modify your <em class="filename">/etc/rc.d/init.d/smb</em> script to start
-and stop the <em class="emphasis">winbindd</em> daemon automatically along
-with the <em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>
-daemons. Starting with the script we presented in <a href="ch02.html">Chapter 2</a>, we first add this code to the
-<em class="emphasis">start( )</em> function:</p>
-
-<blockquote><pre class="code">echo -n $&quot;Starting WINBIND services: &quot;
-/usr/local/samba/bin/winbindd
-ERROR2=$?
-if [ $ERROR2 -ne 0 ]
-then
- ERROR=1
-fi
-echo</pre></blockquote>
-
-<p>The previous code should be located after the code that starts
-<em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em>
-statement.</p>
-
-<a name="samba2-CHP-9-NOTE-148"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>We start <em class="emphasis">winbindd</em> after
-<em class="emphasis">nmbd</em> because <em class="emphasis">winbindd</em> needs
-<em class="emphasis">nmbd</em> to be running to work properly.</p>
-</blockquote>
-
-<p>In the <tt class="function">stop( )</tt> function, we add the following:</p>
-
-<blockquote><pre class="code">echo -n $&quot;Shutting down WINBIND services: &quot;
-/bin/kill -TERM -a winbindd
-ERROR2=$?
-if [ $ERROR2 -ne 0 ]
-then
- ERROR=1
-fi
-echo</pre></blockquote>
-
-<p>Again, this code should be located after the code that stops
-<em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em>
-statement. <a name="INDEX-107"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-5.4"/>
-
-<h3 class="head2">Configuring PAM</h3>
-
-<p><a name="INDEX-108"/>Most
-popular Linux distributions use <a name="INDEX-109"/>Pluggable
-Authentication Modules (PAM), a suite of shared libraries that
-provide a centralized source of authentication for applications
-running on the Unix system. PAM can be configured differently for
-each application (or service) that uses it, without needing to
-recompile the application. As a hypothetical example, if an
-organization's security policy mandated the use of
-passwords exactly 10 characters in length, a PAM module could be
-written to check the length of passwords submitted by users and
-reject any attempts to use a longer or shorter password. PAM would
-then be reconfigured to include the new module for services such as
-<em class="emphasis">ftp</em>, console login, and GUI login that call upon
-PAM to authenticate users.</p>
-
-<p>If you are not already familiar with PAM, we suggest you read the
-documentation provided with the Linux PAM package before continuing.
-On most Linux systems, it is located in the
-<em class="filename">/usr/share/doc</em> directory hierarchy. Another
-resource is the <em class="citetitle">Linux-PAM System
-Administrator's
-Guide</em><a name="INDEX-110"/>, which you can find
-on the Internet at <a href="http://www.kernel.org/pub/linux/libs/pam">http://www.kernel.org/pub/linux/libs/pam</a>.</p>
-
-<p>The rest of this section is about using the PAM module provided in
-the Samba distribution to enable Windows domain users to authenticate
-on the Linux system hosting Samba. Depending on which services you
-choose to configure, this allows Windows domain users to log in on a
-local console (or through <em class="emphasis">telnet</em>), log in to a
-GUI desktop on the Linux system, authenticate with an FTP server
-running on the Linux system, or use other services normally limited
-to users who have an account on the Linux system. The PAM module
-authenticates Windows domain users by querying winbind, which passes
-the authentication off to a Windows NT domain controller.</p>
-
-<p>As an example, we will show how to allow Windows domain users to log
-in to a text console on the Linux system and get a command shell and
-home directory. The method used in our example can be applied (with
-variations) to other services.</p>
-
-<p>All users who can log in to the Linux system need a shell and a home
-directory. Unix and Linux keep this user information in the password
-file (<em class="filename">/etc/passwd</em> ), but information about
-Windows users isn't located there. Instead, in the
-Samba configuration file, we add the following to notify winbind what
-the shell and home directory for Windows domain users will be:</p>
-
-<blockquote><pre class="code">[global]
- template shell = /bin/bash
- template homedir = /home/%D/%U</pre></blockquote>
-
-<p>The first line sets the
-<tt class="literal">template</tt><a name="INDEX-111"/> <tt class="literal">shell</tt>
-parameter, which tells winbind what shell to use for domain users
-that are logging in to the Unix host. The
-<tt class="literal">template</tt><a name="INDEX-112"/>
-<tt class="literal">homedir</tt> parameter specifies the location of
-users' home directories. The <tt class="literal">%D</tt>
-variable is replaced by the name of the domain in which the
-user's account resides, and <tt class="literal">%U</tt> is
-replaced by the user's username in that domain.</p>
-
-<p>Before the domain users can successfully log in, their home
-directories must be created manually. To add a single account for
-<tt class="literal">linda</tt> in the METRAN domain, we would use these
-commands:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/METRAN</b></tt>
-# <tt class="userinput"><b>chmod 755 /home/METRAN</b></tt>
-
-# <tt class="userinput"><b>mkdir /home/METRAN/linda</b></tt>
-# <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /home/METRAN/linda</b></tt>
-# <tt class="userinput"><b>chmod 700 /home/METRAN/linda</b></tt></pre></blockquote>
-<a name="samba2-CHP-9-NOTE-149"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>One side effect of creating the home directories is that if the Samba
-server is configured with a <tt class="literal">[homes]</tt> share, the
-domain users can see and access their home directories through
-Samba's file sharing.</p>
-</blockquote>
-
-<p>Next, we need to compile and install the PAM module in the Samba
-distribution. From the source directory in the Samba distribution,
-issue the following commands:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>make nsswitch/pam_winbind.so</b></tt>
-# <tt class="userinput"><b>cp nsswitch/pam_winbind.so /lib/security</b></tt></pre></blockquote>
-
-<p>and check that it was copied over correctly:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>ls /lib/security/pam_winbind.so</b></tt>
-/lib/security/pam_winbind.so</pre></blockquote>
-
-<p>On Red Hat Linux, the PAM configuration files reside in
-<em class="filename">/etc/pam.d</em>. Before making any modifications, we
-strongly advise making a backup of this directory:</p>
-
-<blockquote><pre class="code"># cp -pR /etc/pam.d /etc/pam.d.backup</pre></blockquote>
-
-<p>The reason for this is that we will be modifying the Linux
-system's means of authenticating logins, and if our
-configuration goes awry, all users (including
-<tt class="literal">root</tt>) will be locked out of the system. In case
-the worst happens, we would reboot into single-user mode (by typing
-<tt class="literal">linux</tt> <tt class="literal">single</tt> at the LILO:
-prompt) or boot a rescue disk, and then we would issue these two
-commands:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>mv /etc/pam.d /etc/pam.d.bad</b></tt>
-# <tt class="userinput"><b>mv /etc/pam.d.backup /etc/pam.d</b></tt></pre></blockquote>
-
-<p>Be very careful to make sure you can recover from any errors you make
-because when PAM encounters any configuration information it
-doesn't understand, its action is not to allow
-access. This means you must be sure to enter everything correctly!
-You might want to leave yourself logged in as root on a spare virtual
-terminal while you are modifying your PAM configuration to ensure
-yourself a means of easy recovery.</p>
-
-<p>In the <em class="filename">/etc/pam.d</em> directory, you will encounter
-a file for each service that uses PAM. We are interested only in the
-file corresponding to the login service, which is called
-<em class="filename">login</em>. It contains the following lines:</p>
-
-<blockquote><pre class="code">auth required /lib/security/pam_securetty.so
-auth required /lib/security/pam_stack.so service=system-auth
-auth required /lib/security/pam_nologin.so
-account required /lib/security/pam_stack.so service=system-auth
-password required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_stack.so service=system-auth
-session optional /lib/security/pam_console.so</pre></blockquote>
-
-<p>The lines starting with <tt class="literal">auth</tt> are related to the
-function of authentication&mdash;that is, printing a password prompt,
-accepting the password, verifying that it is correct, and matching
-the user to a valid user and group ID. The line starting with
-<tt class="literal">account</tt> is for account management, which allows
-access to be controlled by other factors, such as what times during
-the day a user is allowed access. We are not concerned with the lines
-starting with <tt class="literal">password</tt> or
-<tt class="literal">session</tt> because winbind does not add to either of
-those functions.</p>
-
-<p>The third column lists the PAM module, possibly with arguments, that
-is called in for the task. The
-<em class="filename">pam_stack.so</em><a name="INDEX-113"/> module has been added by Red Hat to act
-somewhat like a macro or a subroutine. It calls the file in the
-<em class="filename">pam.d</em> directory named by the service argument.
-In this case, the file <em class="filename">/etc/pam.d/system-auth</em>
-contains a common set of lines that are used as a default for many
-services. Because we want to customize the login service for winbind,
-we first replace the <em class="filename">pam_stack.so</em> lines for
-<tt class="literal">auth</tt> and <tt class="literal">account</tt> with the
-<tt class="literal">auth</tt> and <tt class="literal">account</tt> lines from
-<em class="filename">/etc/pam.d/system-auth</em>. This yields:</p>
-
-<blockquote><pre class="code">auth required /lib/security/pam_securetty.so
-<b class="emphasis-bold">auth required /lib/security/pam_env.so</b>
-<b class="emphasis-bold">auth sufficient /lib/security/pam_unix.so likeauth nullok</b>
-<b class="emphasis-bold">auth required /lib/security/pam_deny.so</b>
-auth required /lib/security/pam_nologin.so
-<b class="emphasis-bold">account required /lib/security/pam_unix.so</b>
-password required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_stack.so service=system-auth
-session optional /lib/security/pam_console.so</pre></blockquote>
-
-<p>To add winbind support, we need to add a line in both the
-<tt class="literal">auth</tt> and <tt class="literal">account</tt> sections to
-call the
-<em class="filename">pam_winbind.so</em><a name="INDEX-114"/> module:</p>
-
-<blockquote><pre class="code">auth required /lib/security/pam_securetty.so
-auth required /lib/security/pam_env.so
-<b class="emphasis-bold">auth sufficient /lib/security/pam_winbind.so</b>
-auth sufficient /lib/security/pam_unix.so <b class="emphasis-bold">use_first_pass</b> likeauth nullok
-auth required /lib/security/pam_deny.so
-auth required /lib/security/pam_nologin.so
-<b class="emphasis-bold">account sufficient /lib/security/pam_winbind.so</b>
-account required /lib/security/pam_unix.so
-password required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_stack.so service=system-auth
-session optional /lib/security/pam_console.so</pre></blockquote>
-
-<p>The keywords <tt class="literal">required</tt> and
-<tt class="literal">sufficient</tt> in the second column are significant.
-The keyword <tt class="literal">required</tt> specifies that the result
-returned by the module (either to pass or fail the authentication)
-must be taken into account, whereas the keyword
-<tt class="literal">sufficient</tt> specifies that if the module
-successfully authenticates the user, no further lines need to be
-processed. By specifying <tt class="literal">sufficient</tt> for the
-<em class="filename">pam_winbind.so</em> module, we let winbind attempt to
-authenticate users, and if it succeeds, the PAM system returns to the
-application. If the <em class="filename">pam_winbind.so</em> module
-doesn't find the user or the password does not
-match, the PAM system continues with the next line, which performs
-authentication according to the usual Linux user authentication. This
-way, both domain users and local users can log in.</p>
-
-<p>Notice that we also added the <tt class="literal">use_first_pass</tt>
-argument to the <em class="filename">pam_unix.so</em> module in the
-<tt class="literal">auth</tt> section. By default, both the
-<em class="filename">pam_winbind.so</em> and
-<em class="filename">pam_unix.so</em> modules print a password prompt and
-accept a password. In cases where users are logging in to the Linux
-system using their local accounts, this would require them to enter
-their password twice. The <tt class="literal">user_first_pass</tt> argument
-tells the <em class="filename">pam_unix.so</em> module to reuse the
-password that was given to the <em class="filename">pam_winbind.so</em>
-module, which results in users having to enter the password only
-once.</p>
-
-<p>After modifying the <em class="filename">login</em> configuration file,
-switch to a spare virtual console and make sure you can still log in
-using a regular Linux account. If not, check your modifications
-carefully and try again until you get it right. Then log in using a
-domain user account from the Windows PDC database to check that the
-winbind authentication works. You will need to specify the username
-in <em class="replaceable">DOMAIN</em>\<em class="replaceable">user</em>
-format, like this:</p>
-
-<blockquote><pre class="code">login: METRAN\linda
-Password:</pre></blockquote>
-
-<p>More information on configuring winbind can be found in the Samba
-source distribution file
-<em class="filename">docs/htmldocs/winbind.html</em>, and in the
-<em class="emphasis">winbindd</em> manual page. If you would like to learn
-more about configuring PAM, we recommend the web page <a href="http://www.kernel.org/pub/linux/libs/pam/">http://www.kernel.org/pub/linux/libs/pam/</a> as
-a starting place. Some of the documentation for Linux PAM, including
-Red Hat's extensions, can also be found on Red Hat
-Linux in
-<em class="filename">/usr/share/doc/pam-</em><em class="replaceable">version</em>.
-<a name="INDEX-115"/></p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-9-SECT-5.5"/>
-
-<h3 class="head2">winbind Configuration Options</h3>
-
-<p><a href="ch09.html#samba2-CHP-9-TABLE-9">Table 9-9</a> <a name="INDEX-116"/><a name="INDEX-117"/>summarizes some commonly used options
-that you can use to configure winbind.</p>
-
-<a name="samba2-CHP-9-TABLE-9"/><h4 class="head4">Table 9-9. winbind options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">winbind</tt> <tt class="literal">separator</tt></p>
-</td>
-<td>
-<p>string (single character)</p>
-</td>
-<td>
-<p>Character to use as a separator in domain usernames and group names</p>
-</td>
-<td>
-<p>Backslash (<tt class="literal">\</tt>)</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">winbind uid</tt></p>
-</td>
-<td>
-<p>string (numeric range)</p>
-</td>
-<td>
-<p>Range of UIDs for RID-to-UID mapping</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">winbind gid</tt></p>
-</td>
-<td>
-<p>string (numeric range)</p>
-</td>
-<td>
-<p>Range of GIDs for RID-to-GID mapping</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">winbind cache time</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Number of seconds the <em class="emphasis">winbindd</em> daemon caches
-user and group data</p>
-</td>
-<td>
-<p><tt class="literal">15</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">template</tt> <tt class="literal">homedir</tt></p>
-</td>
-<td>
-<p>string (directory name)</p>
-</td>
-<td>
-<p>Directory to be used as the home directory of the logged-in domain
-user</p>
-</td>
-<td>
-<p><tt class="literal">/home/%D/%U</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">template</tt> <tt class="literal">shell</tt></p>
-</td>
-<td>
-<p>string (command name)</p>
-</td>
-<td>
-<p>The program to use as the logged-in domain user's
-shell</p>
-</td>
-<td>
-<p><tt class="literal">/bin/false</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.1"/>
-
-<a name="INDEX-118"/><h3 class="head3">winbind separator</h3>
-
-<p>On Windows systems, the backslash (<tt class="literal">\</tt>) is commonly
-used as a separator in file names, UNCs, and the names of domain
-users and groups. For example, an account in the METRAN domain with a
-username of <tt class="literal">linda</tt> would be written as
-<tt class="literal">METRAN\linda</tt>. On Unix systems, the backslash is
-commonly used as a metacharacter for quoting, so the account would
-have to be specified as <tt class="literal">METRAN\\linda</tt> or
-'<tt class="literal">METRAN\linda</tt>'. The winbind separator parameter
-allows another character to be used instead of the backslash
-character, making it much easier to type in domain user and group
-names. For example, with:</p>
-
-<blockquote><pre class="code">[global]
- winbind separator = +</pre></blockquote>
-
-<p>the aforementioned account could be written simply as
-<tt class="literal">METRAN+linda</tt> on the Unix host, making it
-unnecessary to use additional backslashes or single quotes. Winbind
-then uses the same format for reporting domain user and group names.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.2"/>
-
-<a name="INDEX-119"/><h3 class="head3">winbind uid</h3>
-
-<p>As part of <em class="emphasis">winbindd</em> 's task of
-letting Windows NT domain users function as local users on the Unix
-host, <em class="emphasis">winbindd</em> supplies a Unix UID that is
-linked to the Windows RID of the domain user. The
-<tt class="literal">winbind</tt> <tt class="literal">uid</tt> parameter allows
-the Unix system administrator to allocate a range of UIDs for this
-purpose. It is very important that this range not overlap any UIDs
-used for other purposes on the Unix system, so we recommend you begin
-your range at a very high number, one much larger than the number of
-local users and NIS users that will ever exist. For example,
-<tt class="literal">winbind</tt> <tt class="literal">uid</tt> might be defined
-as:</p>
-
-<blockquote><pre class="code">[global]
- winbind uid = 10000-15000</pre></blockquote>
-
-<p>on a system that would never have more than 9,999 local and NIS
-users, or for that matter, any other entries in
-<em class="filename">/etc/passwd</em> that would use up another UID.
-Because the example allocates 5,000 UIDs to
-<em class="emphasis">winbindd</em>, the assumption is that there will
-never be more than 5,000 domain users accessing the Samba host.</p>
-
-<p>If your method for adding new local users to the system assigns UIDs
-automatically, make sure it does not assign them within the range of
-UIDs allocated to winbind. This might happen if the algorithm used
-adds 1 to the highest UID assigned thus far.</p>
-
-<p>There is no default for <tt class="literal">winbind</tt>
-<tt class="literal">uid</tt>, so you must specify it in your Samba
-configuration file for winbind to work.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.3"/>
-
-<a name="INDEX-120"/><h3 class="head3">winbind gid</h3>
-
-<p>This option works like <tt class="literal">winbind</tt>
-<tt class="literal">uid</tt>, except that it is for allocating a range of
-GIDs for use with <em class="emphasis">winbindd</em>. You might not need
-to allocate as many GIDs as UIDs because you probably have relatively
-few domain groups that need corresponding GIDs. (In many cases, users
-are all members of the Domain Users group, requiring only one GID.)
-However, it is best to play it safe, so make sure to allocate many
-more GIDs than you think you will need.</p>
-
-<p>As with <tt class="literal">winbind</tt> <tt class="literal">uid</tt>, if you are
-using a method of adding new local users to your Unix host that
-automatically assigns GIDs, either make sure the method used
-doesn't conflict with winbind or set the GIDs
-manually.</p>
-
-<p>There is no default for <tt class="literal">winbind</tt>
-<tt class="literal">gid</tt>, so you must specify it in your Samba
-configuration file for winbind to work.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.4"/>
-
-<a name="INDEX-121"/><h3 class="head3">winbind cache time</h3>
-
-<p>The <em class="emphasis">winbindd</em> daemon maintains a cache of user
-and group data that has been retrieved from the Windows PDC to reduce
-network queries and increase performance. The
-<tt class="literal">winbind</tt> <tt class="literal">cache</tt>
-<tt class="literal">time</tt> parameter allows the amount of time (in
-seconds) <em class="emphasis">winbindd</em> can use the cached data before
-querying the PDC to check for an update. By default, this interval is
-set to 15 seconds. This means that when any part of a user or group
-account on the PDC is modified, it can take up to 15 seconds for
-<em class="emphasis">winbindd</em> to update its own database.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.5"/>
-
-<a name="INDEX-122"/><h3 class="head3">template homedir</h3>
-
-<p>When the local Unix system is configured to allow domain users to log
-in, the user must be provided with a home directory for many
-programs, including command shells, to function properly. The
-<tt class="literal">template</tt> <tt class="literal">homedir</tt> option is used
-to set the name of the home directory. In the name of the directory,
-<tt class="literal">%D</tt> is replaced by the name of the Windows NT
-domain the user is in, and <tt class="literal">%U</tt> is replaced by his
-username. By default, <tt class="literal">template</tt>
-<tt class="literal">homedir</tt> is set to <tt class="literal">/home/%D/%U</tt>,
-which works fine for a network in which there might be more than one
-Windows NT domain, and it is possible for different people in
-different domains to have the same username. If you are sure you will
-never have more than one Windows NT domain on your network, or you
-have more than one domain but know for sure that unique users have
-identical usernames in each multiple domain, you might prefer to set
-<tt class="literal">template</tt> <tt class="literal">homedir</tt> like this:</p>
-
-<blockquote><pre class="code">[global]
- template homedir = /home/%U</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.6"/>
-
-<a name="INDEX-123"/><h3 class="head3">template shell</h3>
-
-<p>This option specifies the program to use as the shell for domain
-users who are logged in to the Unix host. By default, it is set to
-<em class="emphasis">/bin/false</em>, which effectively denies domain
-users to log in. If you wish to allow logins for domain users, set
-<tt class="literal">template</tt> <tt class="literal">shell</tt> to a valid
-command shell (or other program) that you want to act as the textual
-interface the domain users will receive when logged in. A common
-setting on Linux would be:</p>
-
-<blockquote><pre class="code">[global]
- template shell = /bin/bash</pre></blockquote>
-
-<p>which would give users the Bash shell for their interactive login
-sessions. <a name="INDEX-124"/><a name="INDEX-125"/> <a name="INDEX-126"/><a name="INDEX-127"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> Having both encrypted and nonencrypted
-password clients on your network is one of the reasons why Samba
-allows you to include (or not include) various options in the Samba
-configuration file based on the client operating system or machine
-name variables.</p> <a name="FOOTNOTE-2"/>
-<p><a href="#FNPTR-2">[2]</a> This is because the Unix <em class="emphasis">passwd</em> program,
-which is the usual target for this operation, allows
-<tt class="literal">root</tt> to change a user's password
-without the security restriction that requests the old password of
-that user.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch10.html b/docs/htmldocs/using_samba/ch10.html
deleted file mode 100644
index 7ba29b1e95..0000000000
--- a/docs/htmldocs/using_samba/ch10.html
+++ /dev/null
@@ -1,1695 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 10. Printing</h1>
-
-
-
-<p><a name="INDEX-1"/>This
-chapter tackles the topic of setting up printers for use with Samba.
-Aside from the &quot;coolness factor&quot; of
-seeing documents from Windows word processing and graphics
-applications appearing in the output tray of the Unix printer, this
-facility can greatly increase the usefulness of your Samba server. In
-many organizations, using a Unix system as the print server has led
-to happier system administrators and users alike, due to the reduced
-frequency of problems.</p>
-
-<p>Samba allows client machines to share printers connected to the Samba
-host system, and Samba can also send Unix documents to printers
-shared by Windows systems. In this chapter, we discuss how to get
-printers configured to work in either direction.</p>
-
-<p>We focus in this chapter on getting Samba to serve up printers that
-are already functioning on the Unix host. We include just a few
-basics about setting up printers on Unix. Good references for this
-topic include <em class="citetitle">Network Printing</em>,
-<em class="citetitle">Essential System Administration</em>, and
-<em class="citetitle">Running Linux</em>, all by
-O'Reilly and Associates.</p>
-
-
-
-<div class="sect1"><a name="samba2-CHP-10-SECT-1"/>
-
-<h2 class="head1">Sending Print Jobs to Samba</h2>
-
-<p><a name="INDEX-2"/>A
-printer shared by the Samba server shows up in the list of shares
-offered in the Network Neighborhood. If the printer is registered on
-the client machine and the client has the correct printer driver
-installed, the client can effortlessly send print jobs to a printer
-attached to a Samba server. <a href="ch10.html#samba2-CHP-10-FIG-1">Figure 10-1</a> shows a
-Samba printer as it appears in the Network Neighborhood of a Windows
-client.</p>
-
-<div class="figure"><a name="samba2-CHP-10-FIG-1"/><img src="figs/sam2_1001.gif"/></div><h4 class="head4">Figure 10-1. A Samba printer in the Network Neighborhood</h4>
-
-<p>To administer printers with Samba, you should understand the basic
-process by which
-<a name="INDEX-3"/>printing
-takes place on a network. On the client system, the application
-software prints by utilizing the system's printer
-driver for the printer that will be creating the actual output. It is
-the printer driver software running on the client system that
-translates the application's high-level calls into a
-stream of binary data specific to the model of printer in use. In the
-case of a serial, parallel, or USB printer, the data is stored in a
-temporary file in the local system's printer queue
-and then sent through the respective port directly to the printer.
-For a network printer, the file is sent over the network.</p>
-
-<a name="samba2-CHP-10-NOTE-150"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Because the data has already been processed through a printer driver
-by the time it reaches the Samba host, make sure the printer on the
-Unix system is configured without any printer driver and that it will
-print whatever data it receives in raw form. If you already have the
-printer configured for use by Unix applications, you might need to
-set up another queue for it to print documents received from Windows
-clients correctly.</p>
-</blockquote>
-
-<p>Sending a <a name="INDEX-4"/>print job to a printer on a
-<a name="INDEX-5"/>Samba server involves four steps:</p>
-
-<ol><li>
-<p>Opening and authenticating a connection to the printer share</p>
-</li><li>
-<p>Copying the file over the network</p>
-</li><li>
-<p>Closing the connection</p>
-</li><li>
-<p>Printing and deleting the copy of the file</p>
-</li></ol>
-<p>When a print job arrives at a Samba server, the print data is
-temporarily written to disk in the directory specified by the
-<tt class="literal">path</tt> option of the printer share. Samba then
-executes a Unix print command to send that datafile to the printer.
-The job is then printed as the authenticated user of the share. Note
-that this can be the guest user, depending on how the share is
-configured.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-10-SECT-1.1"/>
-
-<h3 class="head2">Print Commands</h3>
-
-<p><a name="INDEX-6"/>To print the
-document, you'll need to inform Samba of the command
-used to print and delete a file. On Linux, which uses a BSD-style
-printing system, a command that does this is:</p>
-
-<blockquote><pre class="code">lpr -r -P<em class="replaceable">printer</em> <em class="replaceable">file</em></pre></blockquote>
-
-<p>This command tells <a name="INDEX-7"/><em class="emphasis">lpr</em> to retrieve the
-name of the printer in the system configuration file
-(<em class="filename">/etc/printcap</em>) and interpret the rules it finds
-there to decide how to process the data and which physical device to
-send it to. Note that because the <em class="emphasis">-r</em> option has
-been specified, the file will be deleted after it has been printed.
-Of course, the file removed is just a copy stored on the Samba
-server; the original document on the client is unaffected.</p>
-
-<p>The process is similar on System V Unix. Here, printing and deleting
-become a compound command:</p>
-
-<blockquote><pre class="code">lp -d<em class="replaceable">printer</em> -s <em class="replaceable">file</em>; rm <em class="replaceable">file</em></pre></blockquote>
-
-<p>In this case, the <em class="filename">/etc/printcap</em> file is replaced
-with a different set of configuration files residing in
-<em class="filename">/usr/spool/lp</em>. Because the
-<em class="emphasis">lp</em> command has no option to delete the file
-after it is printed, we have added the <em class="emphasis">rm</em>
-command.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-10-SECT-1.2"/>
-
-<h3 class="head2">A Minimal Printing Setup</h3>
-
-<p>Let's start with a simple yet illustrative
-<a name="INDEX-8"/>printing
-share. Assuming that you're on a Linux system and
-you have a printer called <tt class="literal">netprinter</tt> listed in the
-printer capabilities file, the following addition to your
-<em class="filename">smb.conf</em> file makes the printer accessible
-through the network:</p>
-
-<blockquote><pre class="code">[printer1]
- printable = yes
- print command = /usr/bin/lpr -P%p -r %s
- printer = netprinter
- printing = BSD
- path = /var/tmp</pre></blockquote>
-
-<p>The variable <tt class="literal">%s</tt> in the
-<tt class="literal">print</tt><a name="INDEX-9"/> <tt class="literal">command</tt>
-option is replaced with the name of the file to be printed when Samba
-executes the command. There are four Samba configuration-file
-variables specifically for use with
-<a name="INDEX-10"/>printing
-options. They are shown in <a href="ch10.html#samba2-CHP-10-TABLE-1">Table 10-1</a>.</p>
-
-<a name="samba2-CHP-10-TABLE-1"/><h4 class="head4">Table 10-1. Printing variables</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Variable</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">%s</tt></p>
-</td>
-<td>
-<p>The full pathname of the file on the Samba server to be printed</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%f</tt></p>
-</td>
-<td>
-<p>The name of the file itself (without the preceding path) on the Samba
-server to be printed</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%p</tt></p>
-</td>
-<td>
-<p>The name of the Unix printer to use</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%j</tt></p>
-</td>
-<td>
-<p>The number of the print job (for use with <tt class="literal">lprm</tt>,
-<tt class="literal">lppause</tt>, and <tt class="literal">lpresume</tt>)</p>
-</td>
-</tr>
-
-</table>
-
-<p>For other flavors of Unix, it is necessary to modify both the
-<tt class="literal">printing</tt> and <tt class="literal">print</tt>
-<tt class="literal">command</tt> options. For System V Unix, we would
-specify:</p>
-
-<blockquote><pre class="code">[printer1]
- printing = SYSV
- print command = lp -d%p -s %s; rm %s</pre></blockquote>
-
-<p>With the <tt class="literal">printing</tt> <tt class="literal">=</tt>
-<tt class="literal">SYSV</tt> parameter, we notify Samba that the local
-printing system uses the System V Unix method. As mentioned earlier,
-the <tt class="literal">%p</tt> variable resolves to the name of the
-printer, while the <tt class="literal">%s</tt> variable resolves to the
-name of the file.</p>
-
-<p>Clients might need to request the status of a print job sent to the
-Samba server. Because Samba sends print jobs to the Unix printing
-system for spooling, there might be a number of jobs in the queue at
-any given time. Consequently, Samba needs to communicate to the
-client not only the status of the current printing job, but also
-which documents are waiting to be printed on that printer. Samba also
-has to provide the client the ability to pause print jobs, resume
-print jobs, and remove print jobs from the printing queue. Samba
-provides options for each of these tasks. As you might expect, they
-borrow functionality from the following existing Unix commands:</p>
-
-<ul><li>
-<p><tt class="literal">lpq</tt><a name="INDEX-11"/></p>
-</li><li>
-<p><tt class="literal">lprm</tt><a name="INDEX-12"/></p>
-</li><li>
-<p><tt class="literal">lppause</tt><a name="INDEX-13"/></p>
-</li><li>
-<p><tt class="literal">lpresume</tt><a name="INDEX-14"/></p>
-</li></ul>
-<p>We cover these options in more detail later in this chapter. For the
-most part, Samba provides reasonable default values for them based on
-the value of the <tt class="literal">printing</tt> configuration option, so
-you can probably get by without having to formulate your own commands
-for them.</p>
-
-<p>Here are a few important items to remember about
-<a name="INDEX-15"/>printing shares:</p>
-
-<ul><li>
-<p>You must put
-<tt class="literal">printable</tt><a name="INDEX-16"/> <tt class="literal">=</tt>
-<tt class="literal">yes</tt> in all printer shares (even
-<tt class="literal">[printers]</tt>) so that Samba knows they are printer
-shares. If you forget, the shares will be unusable for printing and
-will instead be treated as disk shares.</p>
-</li><li>
-<p>If you set the <tt class="literal">path</tt> configuration option in the
-printer section, any files sent to the printer(s) will be copied to
-the directory you specify instead of to the default location of
-<em class="filename">/tmp</em>. Because the amount of disk space allocated
-to <em class="filename">/tmp</em> can be relatively small in some Unix
-operating systems, many administrators prefer to use
-<em class="filename">/var/tmp, /var/spool/tmp</em>, or some other
-directory instead.</p>
-</li><li>
-<p>If you set <tt class="literal">guest</tt> <tt class="literal">ok</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> in a printer share and
-Samba is configured for share-level security, anyone can send data to
-the printer as the <tt class="literal">guest</tt>
-<tt class="literal">account</tt> user.</p>
-</li></ul>
-<p>Using one or more Samba machines as a print server gives you a great
-deal of flexibility on your LAN. You can easily partition your
-available printers, restricting some to members of one department, or
-you can maintain a bank of printers available to all. In addition,
-you can restrict a printer to a select few by adding the
-<tt class="literal">valid</tt> <tt class="literal">users</tt> option to its share
-definition:</p>
-
-<blockquote><pre class="code">[deskjet]
- printable = yes
- path = /var/spool/samba/print
- valid users = elizabeth cozy jack heather alexander lina emerald</pre></blockquote>
-
-<p>All the other share accessibility options work for printing shares as
-well.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-10-SECT-1.3"/>
-
-<h3 class="head2">The [printers] Share</h3>
-
-<p>If a share named
-<tt class="literal">[printers]</tt><a name="INDEX-17"/> is in the configuration file,
-Samba will automatically read in your printer capabilities file and
-create a printing share for each printer that appears in the file.
-For example, if the Samba server had <tt class="literal">lp</tt>,
-<tt class="literal">pcl</tt>, and <tt class="literal">ps</tt> printers in its
-printer capabilities file, Samba would provide three printer shares
-with those names, each configured with the options in the
-<tt class="literal">[printers]</tt> share.</p>
-
-<p>Recall that Samba obeys the following rules when a client requests a
-share that has not been created with an explicit share definition in
-the <em class="filename">smb.conf</em> file:</p>
-
-<ul><li>
-<p>If the share name matches a username in the system password file and
-a <tt class="literal">[homes]</tt> share exists, a new share is created
-with the name of the user and is initialized using the values given
-in the <tt class="literal">[homes]</tt> and <tt class="literal">[global]</tt>
-sections.</p>
-</li><li>
-<p>Otherwise, if the name matches a printer in the system printer
-capabilities file and a <tt class="literal">[printers]</tt> share exists, a
-new share is created with the name of the printer and initialized
-using the values given in the <tt class="literal">[printers]</tt> section.
-(Variables in the <tt class="literal">[global]</tt> section do not apply
-here.)</p>
-</li><li>
-<p>If neither of those succeeds, Samba looks for a
-<tt class="literal">default</tt> <tt class="literal">service</tt> share. If none
-is found, it returns an error.</p>
-</li></ul>
-<p>This brings to light an important point: be careful that you do not
-give a printer the same name as a user. Otherwise, users end up
-connecting to a disk share when they might have wanted a printer
-share instead.</p>
-
-<p>Here is an example
-<tt class="literal">[printers]</tt><a name="INDEX-18"/> share for a Linux system. Some of
-these options are already defaults; however, we have listed them
-anyway for illustrative purposes:</p>
-
-<blockquote><pre class="code">[printers]
- printable = yes
- printing = BSD
- printcap name = /etc/printcap
- print command = /usr/bin/lpr -P%p -r %s
- path = /var/spool/lpd/tmp
- min print space = 2000</pre></blockquote>
-
-<p>Here, we've given Samba global options that specify
-the printing type (BSD), a print command to send data to the printer
-and later remove the temporary file, the location of our printer
-capabilities file, and a minimum disk space for printing of 2MB.</p>
-
-<p>In addition, we've created a
-<tt class="literal">[printers]</tt> share for each system printer. Our
-temporary spooling directory is specified by the
-<tt class="literal">path</tt> option:
-<em class="filename">/var/spool/lpd/tmp</em>. Each share is marked as
-printable&mdash;this is a necessary option, even in the
-<tt class="literal">[printers]</tt> section.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-10-SECT-1.4"/>
-
-<h3 class="head2">Testing the Configuration</h3>
-
-<p><a name="INDEX-19"/>After running
-<em class="emphasis">testparm</em> and restarting the Samba daemons, you
-can check to make sure everything is set up correctly by using
-<em class="emphasis">smbclient</em><a name="INDEX-20"/><a name="INDEX-21"/> to send a file to the printer.
-Connect to the printer using the command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbclient /</b></tt><em class="replaceable">server</em><tt class="userinput"><b>/</b></tt><em class="replaceable">printshare</em></pre></blockquote>
-
-<p>and then use the <em class="emphasis">print</em> command to print a file:</p>
-
-<blockquote><pre class="code">smb: /&gt; <tt class="userinput"><b>print </b></tt><em class="replaceable">textfile</em></pre></blockquote>
-
-<a name="samba2-CHP-10-NOTE-151"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If you connect to a print share served by a Windows 95/98/Me system
-configured to use user-mode security and cannot authenticate using
-what you know to be a correct username and password, try
-reconfiguring the Windows system to use share-mode security.</p>
-</blockquote>
-
-<p>When you print something through the Samba server via
-<em class="emphasis">smbclient</em>, the following actions should occur:</p>
-
-<ul><li>
-<p>The job appears (briefly) in the Samba spool directory specified by
-the path.</p>
-</li><li>
-<p>The job shows up in your print system's spool
-directory.</p>
-</li><li>
-<p>The job disappears from the spool directory that Samba used.</p>
-</li></ul>
-<p>If <em class="emphasis">smbclient</em> cannot print, you can reset the
-<tt class="literal">print</tt> <tt class="literal">command</tt> option to collect
-debugging information:</p>
-
-<blockquote><pre class="code">print command = echo &quot;printed %s on %p&quot; &gt;&gt;/tmp/printlog</pre></blockquote>
-
-<p>A <a name="INDEX-22"/>common
-problem with Samba printer configuration is forgetting to use the
-full pathnames for commands. Another frequent problem is not having
-the correct permissions on the spooling directory.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> As usual,
-check your Samba log files and system log files for error messages.
-If you use BSD printing, you can change the <tt class="literal">lp</tt>
-keyword in the printer's printcap entry to something
-other than <em class="filename">/dev/null</em>, allowing you to collect
-error messages from the printing system.</p>
-
-<a name="samba2-CHP-10-NOTE-152"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>More information on
-<a name="INDEX-23"/>debugging printers is in the file
-<em class="filename">docs/textdocs/Printing.txt</em> in the Samba source
-distribution. The Unix print systems are covered in detail in
-<a name="INDEX-24"/>&AElig;leen
-Frisch's <em class="emphasis">Essential Systems
-Administration</em> (published by O'Reilly).</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-10-SECT-1.5"/>
-
-<h3 class="head2">Enabling SMB Printer Sharing in Mac OS X</h3>
-
-<p>With Samba preinstalled with
-<a name="INDEX-25"/><a name="INDEX-26"/>Mac OS X, sharing access to a printer
-among Windows clients is easy. First, of course, you should set up
-local access using the Print Center application (located in
-<em class="filename">/Applications/Utilities</em>). Under the Printers
-menu, select Add Printer..., and make the appropriate selection from
-the pop-up menu. For example, if the printer is directly attached,
-select USB; if the printer is powered on, it should appear in the
-list. Choose the printer, and press the Add button.</p>
-
-<p>Edit <em class="filename">/etc/smb.conf</em>, uncommenting the
-<tt class="literal">[printers]</tt> share and making any additional
-configuration changes you feel are necessary. Finally, enable the
-Samba startup item as described in <a href="ch02.html">Chapter 2</a>,
-either by checking Windows File Sharing in Sharing Preferences or by
-manually editing <em class="filename">/etc/hostconfig</em>. Now your
-printer can be used by remote Windows clients.</p>
-
-<p>On Mac OS X and some other BSD-based systems, you can test your
-configuration using
-<em class="emphasis">smbutil</em><a name="INDEX-27"/>. The following will send the
-file named <em class="filename">print_test_file</em> to the printer named
-<em class="filename">printshare</em> on the server
-<em class="emphasis">bsdserver</em> :</p>
-
-<blockquote><pre class="code">% <tt class="userinput"><b>smbutil print //bsdserver/printshare print_test_file</b></tt></pre></blockquote>
-
-<p>See <a href="ch05.html">Chapter 5</a> for more information on using
-<em class="emphasis">smbutil</em>.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-10-SECT-1.6"/>
-
-<h3 class="head2">Setting Up and Testing a Windows Client</h3>
-
-<p><a name="INDEX-28"/>Now that Samba is
-offering a workable printer, you can set up your access to it on a
-Windows client. Browse through the Samba server in the Network
-Neighborhood. It should now show each printer that is available. For
-example, in <a href="ch10.html#samba2-CHP-10-FIG-1">Figure 10-1</a>, we saw a printer called
-<tt class="literal">lp</tt>.</p>
-
-<p>Next, you need to have the Windows client recognize the printer.
-Double-click the printer icon to get started. If you try to select an
-uninstalled printer (as you just did), Windows will ask you if it
-should help configure it for the Windows system. Click the Yes or OK
-button, and the Printer Wizard will open.</p>
-
-<p>If you are installing a printer on Windows 95/98/Me, the first thing
-the wizard will ask is whether you need to print from DOS.
-Let's assume you don't, so choose
-the &quot;No&quot; radio button and press the
-Next &gt; button to get to the manufacturer/model window, as shown in
-<a href="ch10.html#samba2-CHP-10-FIG-2">Figure 10-2</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-10-FIG-2"/><img src="figs/sam2_1002.gif"/></div><h4 class="head4">Figure 10-2. Setting the manufacturer and model of the printer</h4>
-
-<p>In this dialog box, you should see a large list of manufacturers and
-models for a huge number of printers. Select the manufacturer of your
-printer in the left side of the dialog box, and then the exact model
-of the printer in the list on the right side.</p>
-
-<p>In some cases, you might not find your printer in the list, or the
-version of the printer driver included with Windows might be out of
-date. In cases such as these, consult the printer
-manufacturer's documentation on how to install the
-driver. Typically, you will click the Have Disk... button to install
-the driver from a CD-ROM or disk file.</p>
-
-<p>If you don't see your printer on the list, but you
-know it's a PostScript printer, select Apple as the
-manufacturer and Apple LaserWriter as the model. This will give you
-the most basic PostScript printer setup&mdash;and arguably one of the
-most reliable. If you already have PostScript printers attached, you
-will be asked about replacing or reusing the existing driver. Be
-aware that if you replace it with a new one, you might make your
-other printers fail. Therefore, we recommend you keep using your
-existing printer drivers as long as they're working
-properly.</p>
-
-<p>Click the Next &gt; or OK button. On Windows 95/98/Me, the Printer
-Wizard asks you to name the printer. On Windows NT/2000/XP, you need
-to right-click the printer's icon and select
-Properties to assign the printer a name. <a href="ch10.html#samba2-CHP-10-FIG-3">Figure 10-3</a>
-shows how we've named our printer to show that
-it's shared by the <tt class="literal">mixtec</tt> Samba
-server.</p>
-
-<div class="figure"><a name="samba2-CHP-10-FIG-3"/><img src="figs/sam2_1003.gif"/></div><h4 class="head4">Figure 10-3. Setting the printer name</h4>
-
-<p>Finally, on Windows 95/98/Me the Printing Wizard asks if it should
-print a test page. Click the &quot;Yes&quot;
-radio button, then the Finish button, and you should be presented
-with the dialog box shown in <a href="ch10.html#samba2-CHP-10-FIG-4">Figure 10-4</a>. On Windows
-NT/2000/XP, the printer test function is also accessed through the
-printer's Properties dialog box.</p>
-
-<div class="figure"><a name="samba2-CHP-10-FIG-4"/><img src="figs/sam2_1004.gif"/></div><h4 class="head4">Figure 10-4. Sending a test page to the printer</h4>
-
-<p>If the test printing was unsuccessful, click the No button and the
-Printing Wizard will walk you through some debugging steps for the
-client side of the process. If the test printing does work, the
-remote printer will now be available to all Windows applications
-through the File and Print menu items.</p>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-10-SECT-2"/>
-
-<h2 class="head1">Printing to Windows Printers</h2>
-
-<p><a name="INDEX-29"/>If you have printers
-connected to systems running Windows 95/98/Me or Windows NT/2000/XP,
-the printers can also be accessed from your Unix system using tools
-that are part of the Samba distribution. First, it is necessary to
-create a printer share on the Windows system. Then set up the printer
-on the Unix side by configuring a new printer and using a Samba
-printing program as the printer's filter.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-10-SECT-2.1"/>
-
-<h3 class="head2">Sharing Windows Printers</h3>
-
-<p>Sharing printers on Windows is not unlike sharing files. In fact, it
-is a little simpler. Open the Control Panel, then double-click the
-Printers icon to open the Printers window. Right-click the icon for
-the printer you want to share, and select Sharing.... This opens the
-dialog box shown in <a href="ch10.html#samba2-CHP-10-FIG-5">Figure 10-5</a> for a Windows 98
-system, or <a href="ch10.html#samba2-CHP-10-FIG-6">Figure 10-6</a> on a Windows 2000 system.
-(The dialog box appears slightly different on other Windows versions,
-but functions almost identically.)</p>
-
-<a name="samba2-CHP-10-NOTE-153"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>On Windows 95/98/Me systems, you may need to run file sharing in
-share-level (rather than user-level) access control mode to access a
-shared printer from Samba. To check or set this mode, go to Control
-Panel, then double-click on Network, then click on the Access Control
-tab. More detailed information on this can be found in <a href="ch05.html">Chapter 5</a>.</p>
-</blockquote>
-
-<div class="figure"><a name="samba2-CHP-10-FIG-5"/><img src="figs/sam2_1005.gif"/></div><h4 class="head4">Figure 10-5. Sharing printers on Windows 98</h4>
-
-<div class="figure"><a name="samba2-CHP-10-FIG-6"/><img src="figs/sam2_1006.gif"/></div><h4 class="head4">Figure 10-6. Sharing printers on Windows 2000</h4>
-
-<p>Click the &quot;Shared as&quot; radio button,
-then click the OK button. The printer is now accessible by other
-systems on the network.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-10-SECT-2.2"/>
-
-<h3 class="head2">Adding a Unix Printer</h3>
-
-<p><a name="INDEX-30"/>The Samba distribution comes with
-three programs that assist with printing on shared printers. The
-<em class="emphasis">smbprint</em><a name="INDEX-31"/> program works with systems that use the
-BSD printing system,
-<em class="emphasis">smbprint.sysv</em><a name="INDEX-32"/>
-works with systems that use System V printing, and
-<em class="emphasis">smbspool</em><a name="INDEX-33"/>
-works with systems that use the Common Unix Printing System (CUPS).
-In the following sections we show you how to install printers for
-each system.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.2.1"/>
-
-<h3 class="head3">BSD printers</h3>
-
-<p><a name="INDEX-34"/><a name="INDEX-35"/>The
-BSD printing system is used by many Unix variants, including Red Hat
-Linux. With BSD printing, all the printers on the system have an
-entry in the <em class="filename">/etc/printcap</em> file, which is the
-database of printer capabilities used by the <em class="emphasis">lpd</em>
-line printer daemon and other programs that assist with printing. The
-Red Hat Linux implementation is a bit different in that
-<em class="filename">/etc/printcap</em> is a machine-generated file, which
-is re-created every time the <em class="emphasis">lpd</em> daemon is
-restarted by the <em class="emphasis">/etc/rc.d/init.d/lpd</em> script.
-Instead of editing <em class="filename">/etc/printcap</em>, we will add an
-entry for our printer in <em class="filename">/etc/printcap.local</em>,
-which the system automatically includes verbatim when creating
-<em class="filename">/etc/printcap</em>.</p>
-
-<a name="samba2-CHP-10-NOTE-154"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If you are using the version of Samba installed from an RPM file as
-on Red Hat Linux, you might be able to skip these directions and use
-the <em class="emphasis">printconf</em> tool, which has support for SMB
-printers. Unfortunately, this tool might not work correctly if you
-have installed Samba from the Samba source distribution.</p>
-</blockquote>
-
-<p>Here is the entry we added to our
-<em class="filename">/etc/printcap.local</em><a name="INDEX-36"/><a name="INDEX-37"/> file to support our Hewlett-Packard
-DeskJet 932C printer, which is shared by <tt class="literal">maya</tt>, a
-Windows 98 system:</p>
-
-<blockquote><pre class="code">lp|maya-hp932c:\
- :cm=HP 932C on maya:\
- :sd=/var/spool/lpd/maya:\
- :af=/var/spool/lpd/maya/acct:\
- :if=/usr/local/samba/bin/smbprint:\
- :mx=0:\
- :lp=/dev/null:</pre></blockquote>
-
-<p>The first line creates names for the printer. We are calling it both
-<tt class="literal">maya-hp932c</tt>, to describe its location on the
-network and the type of printer, and <tt class="literal">lp</tt> so that
-programs will use it as the default printer. The rest of the lines
-specify keywords and values. The <tt class="literal">cm</tt> keyword allows
-us to assign a comment string to the printer. The
-<tt class="literal">sd</tt> and <tt class="literal">af</tt> keywords assign the
-printer's spool directory and accounting files,
-respectively. The <tt class="literal">if</tt> keyword assigns the print
-filter. We are using the <em class="emphasis">smbprint</em> command to
-send the output to the shared SMB printer. The <tt class="literal">mx</tt>
-keyword is set to zero to allow any size file to be printed, and
-<tt class="literal">lp</tt> is set to <em class="filename">/dev/null</em> to
-discard error messages.</p>
-
-<p>You can follow our model to create an entry for your own printer. If
-you want to go beyond the capabilities we used, refer to your
-system's <em class="emphasis">printcap(5)</em> manual
-page for a complete listing of keywords.</p>
-
-<p>Go to your Samba source distribution's root
-directory, and install the <em class="emphasis">smbprint</em> program like
-this:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>cp examples/printing/smbprint /usr/local/samba/bin</b></tt></pre></blockquote>
-
-<p>We next create the printer's spool directory:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>cd /var/spool/lpd</b></tt>
-# <tt class="userinput"><b>mkdir maya</b></tt>
-# <tt class="userinput"><b>chown lp:lp maya</b></tt>
-# <tt class="userinput"><b>chmod 700 maya</b></tt></pre></blockquote>
-
-<p>The <em class="emphasis">smbprint</em> program looks for a file named
-<em class="filename">.config</em> in the printer's spool
-directory, which contains information on how to connect to the
-printer share. We create this file and then fill in the required
-information:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>cd maya</b></tt>
-# <tt class="userinput"><b>&gt;.config</b></tt>
-# <tt class="userinput"><b>chown lp:lp .config</b></tt>
-# <tt class="userinput"><b>chmod 600 .config</b></tt></pre></blockquote>
-
-<p>Use your preferred text editor to edit the
-<em class="filename">.config</em> file, and enter three lines, like this:</p>
-
-<blockquote><pre class="code">server=maya
-service=hp
-password=&quot;&quot;</pre></blockquote>
-
-<p>This is for our shared printer having a UNC of
-<em class="filename">\\maya\hp</em>. When we created the printer share, we
-did not give it a password, so we use a null password here. If your
-printer share is on a Windows NT/2000/XP system, use your domain
-password.</p>
-
-<p>Finally, restart the printer daemon:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/lpd restart</b></tt></pre></blockquote>
-
-<p>You can now try printing something. Run the following command:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>lpr textfile</b></tt></pre></blockquote>
-
-<p>If you have everything set up correctly, the file prints on the
-shared printer. If you get &quot;stair
-stepping&quot; of text, caused by the printer not
-returning to the left margin at the beginning of every line, modify
-the <tt class="literal">if</tt> keyword in your printcap entry to run
-<em class="emphasis">smbprint</em> with the <em class="emphasis">-t</em>
-option. <a name="INDEX-38"/><a name="INDEX-39"/></p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.2.2"/>
-
-<h3 class="head3">System V printers</h3>
-
-<p><a name="INDEX-40"/><a name="INDEX-41"/>Sending print jobs from a System V Unix
-system is a little easier than with the BSD system. Here, you need to
-edit the <em class="filename">smbprint.sysv</em> script in the
-<em class="filename">examples/printing</em> directory of the Samba
-distribution and do the following:</p>
-
-<ol><li>
-<p>Change the <tt class="literal">server</tt>, <tt class="literal">service</tt>, and
-<tt class="literal">password</tt> parameters in the script to match the
-NetBIOS computer name, its shared printer service, and its password,
-respectively. For example, the following entries would be correct for
-the service in the previous example:</p>
-
-<blockquote><pre class="code">server = maya
-service = hp
-password = &quot;&quot;</pre></blockquote>
-</li>
-<li>
-<p>Run the following commands, which create a reference for the new
-printer (which we are naming <tt class="literal">hp_printer</tt>) in the
-printer capabilities file:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>lpadmin -p hp_printer -v /dev/null -i./smbprint.sysv</b></tt>
-# <tt class="userinput"><b>enable hp_printer</b></tt>
-# <tt class="userinput"><b>accept hp_printer</b></tt></pre></blockquote>
-</li></ol>
-<p>After you've done that, restart the Samba daemons
-and try printing to <tt class="literal">hp_printer</tt> using any standard
-Unix program.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.2.3"/>
-
-<h3 class="head3">CUPS printers</h3>
-
-<p><a name="INDEX-42"/><a name="INDEX-43"/><a name="INDEX-44"/>CUPS<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> uses
-a set of modules, called
-<em class="firstterm">backends</em><a name="INDEX-45"/>, to send print jobs to various
-destinations, such as local printers attached to parallel, serial, or
-Universal Serial Bus (USB) ports, or over the network using Unix line
-printer daemon (LPD) protocol, Internet Printing Protocol (IPP),
-AppleTalk Printer Access Protocol (PAP), and so on. The software
-package does not come with a backend for SMB; the Samba suite
-includes the <em class="emphasis">smbspool</em>
-<a name="INDEX-46"/>utility for this purpose.</p>
-
-<p>To enable printing to remote SMB printers using CUPS, create a
-symbolic link named <em class="filename">smb</em> in the CUPS backend
-directory pointing to <em class="emphasis">smbspool</em>. Depending on
-installation options, these could be in a number of places in the
-directory hierarchy, so be sure to check your system. Using a common
-default installation, the command would look like this:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /usr/local/samba/bin/smbspool /usr/lib/cups/backend/smb</b></tt></pre></blockquote>
-
-<p>Issue a HUP signal to the CUPS daemon, <em class="emphasis">cupsd</em>,
-and check for the existence of SMB support with the <em class="emphasis">lpinfo
--v</em> command. Its output should now include a line that says
-<tt class="literal">network</tt> <tt class="literal">smb</tt>.</p>
-
-<p>To add a printer, use the CUPS web interface, accessible on the local
-system at <em class="emphasis">http://localhost:631/</em>,
-or use the <em class="emphasis">lpadmin</em> command:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>lpadmin -p hp932c -E -v smb://maya/hp932c -D &quot;HP 932C on maya&quot;</b></tt></pre></blockquote>
-
-<p>This creates and enables the new print spool called
-<tt class="literal">hp932c</tt>. The <em class="emphasis">-v</em> argument
-specifies the printer device, which in this case is accessed over the
-network using an SMB URI. If the printer is not guest-accessible,
-you'll need to provide a username and password in
-the URI. The full format is as follows:</p>
-
-<blockquote><pre class="code">smb://[<em class="replaceable">username</em>[:<em class="replaceable">password</em>]@][<em class="replaceable">workgroup</em>/]<em class="replaceable">server</em>/<em class="replaceable">printshare</em></pre></blockquote>
-
-<p>The <em class="emphasis">lpadmin</em><a name="INDEX-47"/> command makes changes to
-<em class="filename">/etc/cups/printers.conf</em> and sends a HUP signal
-to the <em class="emphasis">cupsd</em> daemon, resulting in the creation
-of a local raw printer spool. In this example, print data is passed
-in raw format to the Windows system, which has the necessary printer
-drivers and printer description files to format the data
-appropriately. The <em class="emphasis">-D</em> option is used to give the
-printer a comment string.</p>
-
-<p>Once you have the printer set up, it's time to test
-it out. CUPS understands both BSD-style and System V-style printing
-commands, so you can use whichever is more comfortable. Using the BSD
-<em class="emphasis">lpr</em> command, try something like:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>lpr -P hp932c textfile</b></tt></pre></blockquote>
-
-<p>You should now be set up to use the printer from any application on
-the Unix system. <a name="INDEX-48"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-10-SECT-2.3"/>
-
-<h3 class="head2">Samba Printing Options</h3>
-
-<p><a href="ch10.html#samba2-CHP-10-TABLE-2">Table 10-2</a> summarizes the Samba <a name="INDEX-49"/><a name="INDEX-50"/>printing
-options.</p>
-
-<a name="samba2-CHP-10-TABLE-2"/><h4 class="head4">Table 10-2. Printing configuration options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">printing</tt></p>
-</td>
-<td>
-<p><tt class="literal">bsd</tt>, <tt class="literal">sysv</tt>,
-<tt class="literal">cups</tt>, <tt class="literal">hpux</tt>,
-<tt class="literal">aix</tt>, <tt class="literal">qnx</tt>,
-<tt class="literal">plp</tt>, <tt class="literal">softq</tt>, or
-<tt class="literal">lprng</tt></p>
-</td>
-<td>
-<p>Printing system type of the Samba host</p>
-</td>
-<td>
-<p>System-dependent</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">printable</tt> <tt class="literal">(print ok)</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>Marks a share as a printing share</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">printer</tt> <tt class="literal">(printer name)</tt></p>
-</td>
-<td>
-<p>string (Unix printer name)</p>
-</td>
-<td>
-<p>Name for the printer that is shown to clients</p>
-</td>
-<td>
-<p>System-dependent</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lpq cache time</tt></p>
-</td>
-<td>
-<p>numeric (time in seconds)</p>
-</td>
-<td>
-<p>Amount of time in seconds that Samba will cache the printer queue
-status</p>
-</td>
-<td>
-<p><tt class="literal">10</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">postscript</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>Treats all print jobs as PostScript by prefixing
-<tt class="literal">%!</tt> at the beginning of each file</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">load printers</tt></p>
-</td>
-<td>
-<p>boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, automatically loads each printer in the
-<em class="emphasis">printcap</em> file as printing shares</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">print command</tt></p>
-</td>
-<td>
-<p>string (shell command)</p>
-</td>
-<td>
-<p>Unix command to perform printing</p>
-</td>
-<td>
-<p>See below</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lpq command</tt></p>
-</td>
-<td>
-<p>string (shell command)</p>
-</td>
-<td>
-<p>Unix command to return the status of the printing queue</p>
-</td>
-<td>
-<p>See below</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lprm command</tt></p>
-</td>
-<td>
-<p>string (shell command)</p>
-</td>
-<td>
-<p>Unix command to remove a job from the printing queue</p>
-</td>
-<td>
-<p>See below</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lppause command</tt></p>
-</td>
-<td>
-<p>string (shell command)</p>
-</td>
-<td>
-<p>Unix command to pause a job on the printing queue</p>
-</td>
-<td>
-<p>See below</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lpresume</tt> <tt class="literal">command</tt></p>
-</td>
-<td>
-<p>string (shell command)</p>
-</td>
-<td>
-<p>Unix command to resume a paused job on the printing queue</p>
-</td>
-<td>
-<p>See below</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">printcap name</tt></p>
-
-<p><tt class="literal">(printcap)</tt></p>
-</td>
-<td>
-<p>string (filename)</p>
-</td>
-<td>
-<p>Location of the printer capabilities file</p>
-</td>
-<td>
-<p>System-dependent</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">min print space</tt></p>
-</td>
-<td>
-<p>numeric (size in kilobytes)</p>
-</td>
-<td>
-<p>Minimum amount of free disk space that must be present to print</p>
-</td>
-<td>
-<p><tt class="literal">0</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">queuepause</tt> <tt class="literal">command</tt></p>
-</td>
-<td>
-<p>string (shell command)</p>
-</td>
-<td>
-<p>Unix command to pause a queue</p>
-</td>
-<td>
-<p>See below</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">queueresume</tt> <tt class="literal">command</tt></p>
-</td>
-<td>
-<p>string (shell command)</p>
-</td>
-<td>
-<p>Unix command to resume a queue</p>
-</td>
-<td>
-<p>See below</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.1"/>
-
-<h3 class="head3">printing</h3>
-
-<p>The <tt class="literal">printing</tt><a name="INDEX-51"/> configuration option tells
-Samba which <a name="INDEX-52"/>printing system to use. There are
-several different families of commands to control printing and print
-statusing. Samba supports seven different types, as shown in <a href="ch10.html#samba2-CHP-10-TABLE-3">Table 10-3</a>.</p>
-
-<a name="samba2-CHP-10-TABLE-3"/><h4 class="head4">Table 10-3. Printing system types</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Variable</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>BSD</p>
-</td>
-<td>
-<p>Berkeley Unix system</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>SYSV</p>
-</td>
-<td>
-<p>System V</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>CUPS</p>
-</td>
-<td>
-<p>Common Unix Printing System</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>AIX</p>
-</td>
-<td>
-<p>IBM's AIX operating system</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>HPUX</p>
-</td>
-<td>
-<p>Hewlett-Packard Unix</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>QNX</p>
-</td>
-<td>
-<p>QNX Realtime Operating System</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>LPRNG</p>
-</td>
-<td>
-<p>LPR Next Generation</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>SOFTQ</p>
-</td>
-<td>
-<p>SOFTQ system</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>PLP</p>
-</td>
-<td>
-<p>Portable Line Printer</p>
-</td>
-</tr>
-
-</table>
-
-<p>The value for this option must be one of these seven selections. For
-example:</p>
-
-<blockquote><pre class="code">printing = SYSV</pre></blockquote>
-
-<p>The default value of this option is system-dependent and is
-configured when Samba is first compiled. For most systems, the
-<em class="filename">configure</em> script automatically detects the
-printing system to be used and configures it properly in the Samba
-makefile. However, if your system is a PLP, LPRNG, or QNX printing
-system, you need to specify this explicitly in the makefile or the
-printing share.</p>
-
-<p>The most common system types are BSD, SYSV, and CUPS. Each printer on
-a BSD Unix server is described in the printer capabilities
-file&mdash;normally <em class="filename">/etc/printcap</em>. See the
-section on the <tt class="literal">printcap</tt> <tt class="literal">file</tt>
-parameter for more information on this topic.</p>
-
-<p>Setting the <tt class="literal">printing</tt> configuration option
-automatically sets at least three other printing options for the
-service in question: <tt class="literal">print</tt>
-<tt class="literal">command</tt>, <tt class="literal">lpq</tt>
-<tt class="literal">command</tt>, and <tt class="literal">lprm</tt>
-<tt class="literal">command</tt>. If you are running Samba on a system that
-doesn't support any of the printing styles listed in
-<a href="ch10.html#samba2-CHP-10-TABLE-3">Table 10-3</a>, simply set the commands for each of
-these manually.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.2"/>
-
-<h3 class="head3">printable</h3>
-
-<p>The <tt class="literal">printable</tt><a name="INDEX-53"/> option must be set to
-<tt class="literal">yes</tt> to flag a share as a printing service. If this
-option is not set, the share will be treated as a disk share instead.
-You can set the option as follows:</p>
-
-<blockquote><pre class="code">[printer1]
- printable = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.3"/>
-
-<a name="INDEX-54"/><h3 class="head3">printer</h3>
-
-<p>The option, also called
-<tt class="literal">printer</tt><a name="INDEX-55"/> <tt class="literal">name</tt>,
-specifies the name of the printer on the server to which the share
-points. This option has no default and should be set explicitly in
-the configuration file, even though Unix systems themselves often
-recognize a default name such as <tt class="literal">lp</tt> for a printer.
-For example:</p>
-
-<blockquote><pre class="code">[deskjet]
- printer = hpdkjet1</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.4"/>
-
-<h3 class="head3">lpq cache time</h3>
-
-<p>The global <tt class="literal">lpq</tt><a name="INDEX-56"/> <tt class="literal">cache</tt>
-<tt class="literal">time</tt> option allows you to set the number of
-seconds for which Samba will remember the current printer status.
-After this time elapses, Samba will issue an <em class="emphasis">lpq</em>
-command (or whatever command you specify with the
-<tt class="literal">lpq</tt> <tt class="literal">command</tt> option) to get a
-more up-to-date status that it can report to users. This defaults to
-10 seconds, but can be increased if your <tt class="literal">lpq</tt>
-<tt class="literal">command</tt> takes an unusually long time to run or you
-have lots of clients. A time setting of 0 disables caching of queue
-status. The following example resets the time to 30 seconds:</p>
-
-<blockquote><pre class="code">[deskjet]
- lpq cache time = 30</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.5"/>
-
-<h3 class="head3">postscript</h3>
-
-<p>The <tt class="literal">postscript</tt><a name="INDEX-57"/> option forces the
-printer to treat all data sent to it as PostScript. It does this by
-prefixing the characters <tt class="literal">%!</tt> to the beginning of
-the first line of each job. It is normally used with PCs that insert
-a <tt class="literal">^D</tt> (control-D or
-&quot;end-of-file&quot; mark) in front of the
-first line of a PostScript file. It will not, obviously, turn a
-non-PostScript printer into a PostScript one. The default value of
-this options is <tt class="literal">no</tt>. You can override it as
-follows:</p>
-
-<blockquote><pre class="code">[deskjet]
- postscript = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.6"/>
-
-<h3 class="head3">load printers</h3>
-
-<p>The <tt class="literal">load</tt><a name="INDEX-58"/> <tt class="literal">printers</tt>
-option tells Samba to create shares for all known printer names and
-load those shares into the browse list. Samba will create and list a
-printer share for each printer name in
-<em class="filename">/etc/printcap</em> (or the system equivalent). For
-example, if your
-<em class="filename">printcap</em><a name="INDEX-59"/> file looks
-like this:<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a></p>
-
-<blockquote><pre class="code">lp:\
- :sd=/var/spool/lpd/lp:\ <i class="lineannotation">spool directory</i>
- :mx#0:\ <i class="lineannotation">maximum file size (none)</i>
- :sh:\ <i class="lineannotation">supress burst header (no)</i>
- :lp=/dev/lp1:\ <i class="lineannotation">device name for output</i>
- :if=/var/spool/lpd/lp/filter: <i class="lineannotation">text filter</i>
-
-laser:\
- :sd=/var/spool/lpd/laser:\ <i class="lineannotation">spool directory</i>
- :mx#0:\ <i class="lineannotation">maximum file size (none)</i>
- :sh:\ <i class="lineannotation">supress burst header (no)</i>
- :lp=/dev/laser:\ <i class="lineannotation">device name for output</i>
- :if=/var/spool/lpd/lp/filter: <i class="lineannotation">text filter</i></pre></blockquote>
-
-<p>the shares <tt class="literal">[lp]</tt> and <tt class="literal">[laser]</tt> are
-automatically created as valid print shares when Samba is started.
-Both shares borrow the configuration options specified in the
-<tt class="literal">[printers]</tt> section to configure themselves and are
-available in the browse list for the Samba server. The default value
-for this option is <tt class="literal">yes</tt>. If you prefer to specify
-each printer explicitly in your configuration file, use the
-following:</p>
-
-<blockquote><pre class="code">[global]
- load printers = no</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.7"/>
-
-<a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/><a name="INDEX-64"/><h3 class="head3">print command, lpq command, lprm command,lppause command, lpresume command</h3>
-
-<p>These options tell Samba which Unix commands control and send data to
-the printer. The Unix commands involved are: <em class="emphasis">lpr</em>
-(send to Line PRinter), <em class="emphasis">lpq</em> (List Printer
-Queue), <em class="emphasis">lprm</em> (Line Printer ReMove), and
-optionally <em class="emphasis">lppause</em> and
-<em class="emphasis">lpresume</em>. Samba provides an option named after
-each command, in case you need to override any of the system
-defaults. For example, consider the following:</p>
-
-<blockquote><pre class="code">lpq command = /usr/ucb/lpq %p</pre></blockquote>
-
-<p>This would set <tt class="literal">lpq</tt> <tt class="literal">command</tt> to
-use <em class="filename">/usr/ucb/lpq</em>. Similarly:</p>
-
-<blockquote><pre class="code">lprm command = /usr/local/bin/lprm -P%p %j</pre></blockquote>
-
-<p>would set the Samba printer remove command to
-<em class="filename">/usr/local/bin/lprm</em> and provide it the print job
-number using the <tt class="literal">%j</tt> variable.</p>
-
-<p>The default values for each option are dependent on the value of the
-<tt class="literal">printing</tt> option. <a href="ch10.html#samba2-CHP-10-TABLE-4">Table 10-4</a>
-shows the default commands for each printing option. The most popular
-printing system is BSD.</p>
-
-<a name="samba2-CHP-10-TABLE-4"/><h4 class="head4">Table 10-4. Default commands for various printing options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>BSD, AIX, PLP, LPRNG</p>
-</th>
-<th>
-<p>SYSV, HPUX</p>
-</th>
-<th>
-<p>QNX</p>
-</th>
-<th>
-<p>SOFTQ</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">print</tt> <tt class="literal">command</tt></p>
-</td>
-<td>
-<p><tt class="literal">lpr -r -P%p %s</tt></p>
-</td>
-<td>
-<p><tt class="literal">lp -c -d%p %s; rm</tt> <tt class="literal">%s</tt></p>
-</td>
-<td>
-<p><tt class="literal">lp -r -P%p %s</tt></p>
-</td>
-<td>
-<p><tt class="literal">lp -d%p -s %s; rm %s</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lpq</tt> <tt class="literal">command</tt></p>
-</td>
-<td>
-<p><tt class="literal">lpq -P%p</tt></p>
-</td>
-<td>
-<p><tt class="literal">lpstat -o%p</tt></p>
-</td>
-<td>
-<p><tt class="literal">lpq -P%p</tt></p>
-</td>
-<td>
-<p><tt class="literal">lpstat -o%p</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lprm</tt> <tt class="literal">command</tt></p>
-</td>
-<td>
-<p><tt class="literal">lprm -P%p %j</tt></p>
-</td>
-<td>
-<p><tt class="literal">cancel %p-%j</tt></p>
-</td>
-<td>
-<p><tt class="literal">cancel %p-%j</tt></p>
-</td>
-<td>
-<p><tt class="literal">cancel %p-%j</tt></p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lppause</tt> <tt class="literal">command</tt></p>
-</td>
-<td>
-<p><tt class="literal">lp -i %p-%j -H</tt> <tt class="literal">hold</tt></p>
-
-<p>(SYSV only)</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>None</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">lpresume</tt> <tt class="literal">command</tt></p>
-</td>
-<td>
-<p><tt class="literal">lp -i %p-%j -H</tt> <tt class="literal">resume</tt></p>
-
-<p>(SYSV only)</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p><tt class="literal">qstat -s -j%j -r</tt></p>
-</td>
-</tr>
-
-</table>
-
-<p>It is usually unnecessary to reset these options in Samba, with the
-possible exception of the <tt class="literal">print</tt>
-<tt class="literal">command</tt>. This option might need to be set
-explicitly if your printing system doesn't have a
-<em class="emphasis">-r</em> (remove after printing) option on the
-printing command. For example:</p>
-
-<blockquote><pre class="code">print command = /usr/local/lpr -P%p %s; /bin/rm %s</pre></blockquote>
-
-<p>With a bit of judicious programming, these
-<em class="filename">smb.conf</em> options can also be used for debugging:</p>
-
-<blockquote><pre class="code">print command = cat %s &gt;&gt;/tmp/printlog; lpr -r -P%p %s</pre></blockquote>
-
-<p>Using the previous configuration, it is possible to verify that files
-are actually being delivered to the Samba server. If they are, their
-contents will show up in the file <em class="filename">/tmp/printlog</em>.</p>
-
-<p>After BSD, the next most popular kind of printing system is SYSV (or
-System V) printing, plus some SYSV variants for
-IBM's AIX and Hewlett-Packard's
-HP-UX. These systems do not have an
-<em class="filename">/etc/printcap</em> file. Instead, the
-<tt class="literal">printcap</tt> <tt class="literal">file</tt> option can be set
-to an appropriate <em class="emphasis">lpstat</em> command for the system.
-This tells Samba to get a list of printers from the
-<em class="emphasis">lpstat</em> command. Alternatively, you can set the
-global configuration option <tt class="literal">printcap</tt>
-<tt class="literal">name</tt> to the name of a dummy
-<em class="filename">printcap</em> file you provide. In the latter case,
-the file must contain a series of lines such as:</p>
-
-<blockquote><pre class="code">lp|print1|My Printer 1
-print2|My Printer 2
-print3|My Printer 3</pre></blockquote>
-
-<p>Each line names a printer followed by aliases for it. In this
-example, the first printer is called <tt class="literal">lp</tt>,
-<tt class="literal">print1</tt>, or <tt class="literal">My</tt>
-<tt class="literal">Printer</tt> <tt class="literal">1</tt>, whichever the user
-prefers to use. The first name is used in place of
-<tt class="literal">%p</tt> in any command Samba executes for that printer.</p>
-
-<p>Two additional printer types are also supported by Samba: LPRNG (LPR
-New Generation) and PLP (Public Line Printer). These are public
-domain and open source printing systems and are used by many sites to
-overcome problems with vendor-supplied software. Samba also supports
-the printing systems of the SOFTQ and QNX real-time operating
-systems.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.8"/>
-
-<h3 class="head3">printcap name</h3>
-
-<p>If the <tt class="literal">printcap</tt><a name="INDEX-65"/><a name="INDEX-66"/>
-<tt class="literal">name</tt> option (also called
-<tt class="literal">printcap</tt>) appears in a printing share, Samba uses
-the file specified as the system printer capabilities file (normally
-<em class="filename">/etc/printcap</em>). However, you can reset it to a
-file consisting of only the printers you want to share over the
-network. The value must be the filename (with its complete path
-specified) of a printer capabilities file on the server:</p>
-
-<blockquote><pre class="code">[deskjet]
- printcap name = /usr/local/samba/lib/printcap</pre></blockquote>
-
-<p>The CUPS printing system uses its own method of determining printer
-capabilities, rather than the standard <em class="filename">printcap</em>
-file. In this case, set <tt class="literal">printcap</tt>
-<tt class="literal">name</tt> as follows:</p>
-
-<blockquote><pre class="code">[global]
- printing = cups
- printcap name = cups</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.9"/>
-
-<h3 class="head3">min print space</h3>
-
-<p>The <tt class="literal">min</tt><a name="INDEX-67"/> <tt class="literal">print</tt>
-<tt class="literal">space</tt> option sets the amount of space that must be
-available on the disk that contains the spool directory if printing
-is to be allowed. Setting it to zero (the default) turns the check
-off; setting it to any other number sets the amount of free space in
-kilobytes required. This option helps to avoid having print jobs fill
-up the remaining disk space on the server, which can cause other
-processes to fail:</p>
-
-<blockquote><pre class="code">[deskjet]
- min print space = 4000</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.10"/>
-
-<a name="INDEX-68"/><h3 class="head3">queuepause command</h3>
-
-<p>This configuration option specifies a command that tells Samba how to
-pause an entire print queue, as opposed to a single job on the queue.
-The default value depends on the printing type chosen. You should not
-need to alter this option.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.11"/>
-
-<a name="INDEX-69"/><h3 class="head3">queueresume command</h3>
-
-<p>This configuration option specifies a command that tells Samba how to
-resume a paused print queue, as opposed to resuming a single job on
-the print queue. The default value depends on the printing type
-chosen. You should not need to alter this option. <a name="INDEX-70"/> <a name="INDEX-71"/> <a name="INDEX-72"/><a name="INDEX-73"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> If
-you are using Linux, you can use the <em class="emphasis">checkpc</em>
-command to check for this type of error.</p> <a name="FOOTNOTE-2"/>
-<p><a href="#FNPTR-2">[2]</a> CUPS is open source software (<a href="http://www.opensource.org">http://www.opensource.org</a>) developed by Easy
-Software Products. For more information, visit <a href="http://www.cups.org">http://www.cups.org</a>.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> We have placed annotated comments off to
-the right in case you've never dealt with this file
-before.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch11.html b/docs/htmldocs/using_samba/ch11.html
deleted file mode 100644
index 026879db40..0000000000
--- a/docs/htmldocs/using_samba/ch11.html
+++ /dev/null
@@ -1,2123 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 11. Additional Samba Information</h1>
-
-
-<p>This chapter wraps up our coverage of the
-<em class="filename">smb.conf</em> configuration file with some
-miscellaneous options that can perform a variety of tasks. We talk
-briefly about options for time synchronization, internationalization,
-messages, and common Windows bugs. For the most part, you will use
-these options only in isolated circumstances.</p>
-
-
-
-<div class="sect1"><a name="samba2-CHP-11-SECT-1"/>
-
-<h2 class="head1">Time Synchronization</h2>
-
-<p>In a network of computers, the systems on the network must agree on
-the current time and also on what time files have been modified. One
-example of the importance of synchronization is the
-<a name="INDEX-1"/>roaming profiles we covered in
-<a href="ch04.html">Chapter 4</a>. It is vital for all clients accessing a
-roaming profile to agree on what time it is and which client last
-modified the user's profile.</p>
-
-<p><a name="INDEX-2"/>Time synchronization can also be
-very important to programmers. A useful group of settings consists of
-the following options:</p>
-
-<blockquote><pre class="code">[global]
- time server = yes
- dos filetimes = yes
- fake directory create times = yes
- dos filetime resolution = yes
- delete readonly = yes</pre></blockquote>
-
-<p>If you set these options, Samba shares will provide compatibility of
-file-modification times that Visual C++, <em class="emphasis">nmake</em>,
-and other Microsoft programming tools require. Otherwise, PC
-<em class="emphasis">make</em> programs might think that all the files in
-a directory need to be recompiled every time. Obviously, this is not
-the behavior you want.</p>
-
-<p>In <a href="ch04.html">Chapter 4</a>, we showed you how to create a logon
-script that used the <em class="emphasis">net
-time</em><a name="INDEX-3"/> command to synchronize
-clients' clocks automatically when they log on to
-the domain. If your network is configured as a workgroup rather than
-a domain, you can still make use of <em class="emphasis">net time</em> by
-placing the command:</p>
-
-<blockquote><pre class="code">net time \\<em class="replaceable">sambaserver</em> /set /yes</pre></blockquote>
-
-<p>in a startup script on each client that is run when the system boots.
-Samba always provides time service&mdash;regardless of whether it is
-running as a primary domain controller&mdash;or the
-<tt class="literal">time</tt> <tt class="literal">service</tt> configuration file
-parameter is set.</p>
-
-<p>Assuming that domain users log on to the domain at least once per day
-and workgroup clients reboot frequently, the <em class="emphasis">net
-time</em> command can keep client systems'
-clocks fairly well synchronized. However, sometimes domain users stay
-logged on for longer periods, and workgroup clients can run for days
-between reboots. In the meantime, the systems'
-hardware clocks can wander enough to become a problem. It might be
-possible to work around this, depending on the version of Windows the
-client system is running. On Windows 98/Me, you can use the Task
-Scheduler to run the <em class="emphasis">net time</em> command at regular
-intervals. Likewise, on Windows 2000/XP you can use the MS-DOS
-<em class="emphasis">at</em> command. However, a better way to deal with
-this issue is to use Network Time Protocol, which we will discuss
-shortly.</p>
-
-<p>Proper time synchronization is also important when operating in an
-Active Directory domain because Active Directory uses
-<a name="INDEX-4"/>Kerberos authentication.
-When a Kerberos domain controller creates an authentication ticket
-for a client, the time is encoded into the challenge-and-response
-exchanges between the client and domain controller. If the
-client's clock disagrees with the
-server's clock, authentication can fail.</p>
-
-<p>To provide proper time synchronization in <a name="INDEX-5"/>Active Directory domains, Microsoft has
-adopted <a name="INDEX-6"/>Network Time Protocol (NTP), using the
-name Windows Time Service for its implementation. For further
-information, the Microsoft white paper entitled <em class="citetitle">The
-Windows Time Service</em> can be downloaded from <a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p>
-
-<p>The nice thing about this is that NTP is the standard method for
-synchronizing Unix hosts on a network, so you can synchronize all
-your Unix systems (including the Samba server) and Windows systems
-with the following method:</p>
-
-<ol><li>
-<p>Run NTP on the Unix systems in your network. For more information on
-using NTP, refer to <a href="http://www.ntp.org">http://www.ntp.org</a>.</p>
-</li><li>
-<p>Use one of the Unix systems (such as the Samba host system) as an NTP
-server to serve Windows 2000/XP clients.</p>
-</li><li>
-<p>For other Windows clients, you might have to download an update from
-Microsoft to add <a name="INDEX-7"/><a name="INDEX-8"/>Windows Time Service client support or
-use a third-party application such as the free
-<a name="INDEX-9"/>analogX Atomic TimeSync (<a href="http://www.analogx.com">http://www.analogx.com</a>). Or you can use the
-<em class="emphasis">net time</em> command to update the
-client's clock periodically, as discussed
-previously.</p>
-</li></ol>
-
-<div class="sect2"><a name="samba2-CHP-11-SECT-1.1"/>
-
-<h3 class="head2">Time-Synchronization Options</h3>
-
-<p>To support roaming profiles, programmers accessing your Samba server,
-and other time-sensitive functions on your network,
-you'll want to be aware of the options listed in
-<a href="ch11.html#samba2-CHP-11-TABLE-1">Table 11-1</a>.</p>
-
-<a name="samba2-CHP-11-TABLE-1"/><h4 class="head4">Table 11-1. Time-synchronization options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">time server</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, announces <em class="emphasis">nmbd</em> as an
-SMB time service to Windows clients</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">time offset</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Adds a specified number of minutes to the reported time</p>
-</td>
-<td>
-<p><tt class="literal">0</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">dos filetimes</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Allows non-owners of a file to change its time if they can write to it</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">dos filetime</tt></p>
-
-<p><tt class="literal">resolution</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Causes file times to be rounded to the next even second</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">fake directory</tt> <tt class="literal">create times</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Sets directory times to avoid an MS <em class="emphasis">nmake</em> bug</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.1"/>
-
-<a name="INDEX-12"/><h3 class="head3">time server</h3>
-
-<p>Samba always operates as an SMB time server, matching the behavior of
-Windows systems. However, Samba's default is not to
-advertise itself as a time server to the network. When this option is
-set to <tt class="literal">yes</tt>, Samba advertises itself as an SMB time
-server:</p>
-
-<blockquote><pre class="code">[global]
- time service = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.2"/>
-
-<a name="INDEX-13"/><h3 class="head3">time offset</h3>
-
-<p>To deal with clients that don't properly process
-daylight savings time, Samba provides the <tt class="literal">time</tt>
-<tt class="literal">offset</tt> option. If set, it adds the specified
-number of minutes to the current time. This is handy if
-you're in Newfoundland and Windows
-doesn't know about the 30-minute time difference
-there:</p>
-
-<blockquote><pre class="code">[global]
- time offset = 30</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.3"/>
-
-<a name="INDEX-14"/><h3 class="head3">dos filetimes</h3>
-
-<p>Traditionally, only the root user and the owner of a file can change
-its last-modified date on a Unix system. The share-level
-<tt class="literal">dos</tt> <tt class="literal">filetimes</tt> option allows the
-Samba server to mimic the characteristics of a DOS or Windows system:
-any user can change the last-modified date on a file in that share if
-she has write permission to it. To do this, Samba uses its root
-privileges to modify the timestamp on the file.</p>
-
-<p>By default, this option is disabled. Setting this option to
-<tt class="literal">yes</tt> is often necessary to allow PC
-<em class="emphasis">make</em> programs to work properly. Without it, they
-cannot change the last-modified date themselves. This often results
-in the program thinking <em class="emphasis">all</em> files need
-recompiling when they really don't.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.4"/>
-
-<h3 class="head3">dos filetime resolution</h3>
-
-<p>The <tt class="literal">dos</tt><a name="INDEX-15"/>
-<tt class="literal">filetime</tt> <tt class="literal">resolution</tt> parameter
-is a share-level option. If set to <tt class="literal">yes</tt>, Samba
-rounds file times to the closest 2-second boundary. This option
-exists primarily to satisfy a quirk in Windows that prevents Visual
-C++ from correctly recognizing that a file has not changed. You can
-enable it as follows:</p>
-
-<blockquote><pre class="code">[data]
- dos filetime resolution = yes</pre></blockquote>
-
-<p>We recommend using this option only if you are using Microsoft Visual
-C++ on a Samba share that supports opportunistic locking.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.5"/>
-
-<h3 class="head3">fake directory create times</h3>
-
-<p>The <tt class="literal">fake</tt><a name="INDEX-16"/>
-<tt class="literal">directory</tt> <tt class="literal">create</tt>
-<tt class="literal">times</tt> option exists to keep PC
-<em class="emphasis">make</em> programs sane. VFAT and NTFS filesystems
-record the creation date of a specific directory, while Unix does
-not. Without this option, Samba takes the earliest recorded date it
-has for the directory (often the last-modified date of a file) and
-returns it to the client. If this is not sufficient, set the
-following option under a share definition:</p>
-
-<blockquote><pre class="code">[data]
- fake directory create times = yes</pre></blockquote>
-
-<p>If set, Samba will adjust the directory create time it reports to the
-hardcoded value January 1, 1980. This is primarily used to convince
-the Visual C++ <em class="emphasis">nmake</em> program that any object
-files in its build directories are indeed younger than the creation
-date of the directory itself and need to be recompiled. <a name="INDEX-17"/> <a name="INDEX-18"/><a name="INDEX-19"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-11-SECT-2"/>
-
-<h2 class="head1">Magic Scripts</h2>
-
-<p><em class="firstterm">Magic scripts</em> are a method of running programs
-on Unix and redirecting the output back to the SMB client. These are
-essentially an experimental hack. However, some users and their
-programs still rely on these two options for their programs to
-function correctly. Magic scripts are not widely trusted, and their
-use is highly discouraged by the Samba Team.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-11-SECT-2.1"/>
-
-<h3 class="head2">Magic Script Options</h3>
-
-<p><a href="ch11.html#samba2-CHP-11-TABLE-2">Table 11-2</a> lists the options that deal with
-<a name="INDEX-20"/>magic scripts
-on the Samba server.</p>
-
-<a name="samba2-CHP-11-TABLE-2"/><h4 class="head4">Table 11-2. Magic script options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">magic</tt> <tt class="literal">script</tt></p>
-</td>
-<td>
-<p>string (filename)</p>
-</td>
-<td>
-<p>File to be executed by Samba, as the logged-on user, when closed</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">magic</tt> <tt class="literal">output</tt></p>
-</td>
-<td>
-<p>string (filename)</p>
-</td>
-<td>
-<p>File to log output from the magic file</p>
-</td>
-<td>
-<p><em class="emphasis">scriptname.out</em></p>
-</td>
-<td>
-<p>Share</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-2.1.1"/>
-
-<h3 class="head3">magic script</h3>
-
-<p>If the <tt class="literal">magic</tt><a name="INDEX-21"/>
-<tt class="literal">script</tt> option is set to a filename and the client
-creates a file by that name in that share, Samba will run the file as
-soon as the user has opened and closed it. For example,
-let's assume that the following option was created
-in the share <tt class="literal">[accounting]</tt>:</p>
-
-<blockquote><pre class="code">[accounting]
- magic script = tally.sh</pre></blockquote>
-
-<p>Samba continually monitors the files in that share. If one by the
-name of <em class="emphasis">tally.sh</em> is closed (after being opened)
-by a user, Samba will execute the contents of that file locally. The
-file will be passed to the shell to execute; it must therefore be a
-legal Unix shell script. This means that it must have newline
-characters as line endings instead of Windows CRLFs. In addition, you
-need to use the <tt class="literal">#!</tt> directive at the beginning of
-the file to indicate under which shell or interpreter the script
-should run, unless the script is for the default shell on your
-system.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-2.1.2"/>
-
-<a name="INDEX-22"/><h3 class="head3">magic output</h3>
-
-<p>This option specifies an output file to which the script specified by
-the <tt class="literal">magic</tt> <tt class="literal">script</tt> option will
-send output. You must specify a filename in a writable directory:</p>
-
-<blockquote><pre class="code">[accounting]
- magic script = tally.sh
- magic output = /var/log/magicoutput</pre></blockquote>
-
-<p>If this option is omitted, the default output file is the name of the
-script (as stated in the <tt class="literal">magic</tt>
-<tt class="literal">script</tt> option) with the extension
-<em class="emphasis">.out</em> appended onto it.</p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-11-SECT-3"/>
-
-<h2 class="head1">Internationalization</h2>
-
-<p><a name="INDEX-23"/><a name="INDEX-24"/>Starting
-with Samba 3.0, Samba supports Unicode &quot;on the
-wire,&quot; requiring no additional effort on your part
-to support filenames and other text containing characters in
-international character sets.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-11-SECT-3.1"/>
-
-<h3 class="head2">Internationalization Options</h3>
-
-<p>Samba 2.2.x has a limited ability to speak foreign tongues: if you
-need to support filenames containing characters that
-aren't in standard ASCII, some options that can help
-you are shown in <a href="ch11.html#samba2-CHP-11-TABLE-3">Table 11-3</a>.</p>
-
-<a name="samba2-CHP-11-TABLE-3"/><h4 class="head4">Table 11-3. Internationalization options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">client code</tt> <tt class="literal">page</tt></p>
-</td>
-<td>
-<p>Described in this section</p>
-</td>
-<td>
-<p>Sets a code page to expect from clients</p>
-</td>
-<td>
-<p>850</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">character set</tt></p>
-</td>
-<td>
-<p>Described in this section</p>
-</td>
-<td>
-<p>Translates code pages into alternate Unix character sets</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">coding system</tt></p>
-</td>
-<td>
-<p>Described in this section</p>
-</td>
-<td>
-<p>Translates code page 932 into an Asian character set</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">valid chars</tt></p>
-</td>
-<td>
-<p>string (set of characters)</p>
-</td>
-<td>
-<p>Adds individual characters to a code page</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.1"/>
-
-<h3 class="head3">client code page</h3>
-
-<p>The character sets on Windows platforms hark back to the original
-concept of a <em class="emphasis">code page</em><a name="INDEX-25"/>. These code pages are used by DOS and
-Windows clients to determine rules for mapping lowercase letters to
-uppercase letters. Samba can be instructed to use a variety of code
-pages through the use of the global
-<tt class="literal">client</tt><a name="INDEX-26"/> <tt class="literal">code</tt>
-<tt class="literal">page</tt> option to match the corresponding code page
-in use on the client. This option loads a code page definition file
-and can take the values specified in <a href="ch11.html#samba2-CHP-11-TABLE-4">Table 11-4</a>.</p>
-
-<a name="samba2-CHP-11-TABLE-4"/><h4 class="head4">Table 11-4. Valid code pages with Samba 2.0</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Code page</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">437</tt></p>
-</td>
-<td>
-<p>MS-DOS Latin (United States)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">737</tt></p>
-</td>
-<td>
-<p>Windows 95 Greek</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">850</tt></p>
-</td>
-<td>
-<p>MS-DOS Latin 1 (Western European)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">852</tt></p>
-</td>
-<td>
-<p>MS-DOS Latin 2 (Eastern European)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">861</tt></p>
-</td>
-<td>
-<p>MS-DOS Icelandic</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">866</tt></p>
-</td>
-<td>
-<p>MS-DOS Cyrillic (Russian)</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">932</tt></p>
-</td>
-<td>
-<p>MS-DOS Japanese Shift-JIS</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">936</tt></p>
-</td>
-<td>
-<p>MS-DOS Simplified Chinese</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">949</tt></p>
-</td>
-<td>
-<p>MS-DOS Korean Hangul</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">950</tt></p>
-</td>
-<td>
-<p>MS-DOS Traditional Chinese</p>
-</td>
-</tr>
-
-</table>
-
-<p>You can set the client code page as follows:</p>
-
-<blockquote><pre class="code">[global]
- client code page = 852</pre></blockquote>
-
-<p>The default value of this option is 850, for MS-DOS Latin 1. You can
-use the <em class="emphasis">make_smbcodepage</em> tool that comes with
-Samba (by default in <em class="filename">/usr/local/samba/bin</em> ) to
-create your own SMB code pages, in the event that those listed
-earlier are not sufficient.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.2"/>
-
-<h3 class="head3">character set</h3>
-
-<p>The global <tt class="literal">character</tt><a name="INDEX-27"/>
-<tt class="literal">set</tt> option can be used to convert filenames
-offered through a DOS code page (see the previous section, <a href="ch11.html#samba2-CHP-11-SECT-3.1.1">Section 11.3.1.1</a>) to equivalents that can be
-represented by Unix character sets other than those in the United
-States. For example, if you want to convert the Western European
-MS-DOS character set on the client to a Western European Unix
-character set on the server, you can use the following in your
-configuration file:</p>
-
-<blockquote><pre class="code">[global]
- client code page = 850
- character set = ISO8859-1</pre></blockquote>
-
-<p>Note that you must include a <tt class="literal">client</tt>
-<tt class="literal">code</tt> <tt class="literal">page</tt> option to specify the
-character set from which you are converting. The valid character sets
-(and their matching code pages) that Samba accepts are listed in
-<a href="ch11.html#samba2-CHP-11-TABLE-5">Table 11-5</a>.</p>
-
-<a name="samba2-CHP-11-TABLE-5"/><h4 class="head4">Table 11-5. Valid character sets</h4><table border="1">
-
-
-
-
-<tr>
-<th>
-<p>Character set</p>
-</th>
-<th>
-<p>Matching code page</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">ISO8859-1</tt></p>
-</td>
-<td>
-<p><tt class="literal">850</tt></p>
-</td>
-<td>
-<p>Western European Unix</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">ISO8859-2</tt></p>
-</td>
-<td>
-<p><tt class="literal">852</tt></p>
-</td>
-<td>
-<p>Eastern European Unix</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">ISO8859-5</tt></p>
-</td>
-<td>
-<p><tt class="literal">866</tt></p>
-</td>
-<td>
-<p>Russian Cyrillic Unix</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">ISO8859-7</tt></p>
-</td>
-<td>
-<p>737</p>
-</td>
-<td>
-<p>Greek Unix</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">KOI8-R</tt></p>
-</td>
-<td>
-<p><tt class="literal">866</tt></p>
-</td>
-<td>
-<p>Alternate Russian Cyrillic Unix</p>
-</td>
-</tr>
-
-</table>
-
-<p>Normally, the <tt class="literal">character</tt> <tt class="literal">set</tt>
-option is disabled completely.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.3"/>
-
-<h3 class="head3">coding system</h3>
-
-<p>The <tt class="literal">coding</tt><a name="INDEX-28"/> <tt class="literal">system</tt>
-option is similar to the <tt class="literal">character</tt>
-<tt class="literal">set</tt> option. However, its purpose is to determine
-how to convert a Japanese Shift JIS code page into an appropriate
-Unix character set. To use this option, the <tt class="literal">client</tt>
-<tt class="literal">code</tt> <tt class="literal">page</tt> option described
-previously must be set to page <tt class="literal">932</tt>. The valid
-coding systems that Samba accepts are listed in <a href="ch11.html#samba2-CHP-11-TABLE-6">Table 11-6</a>.</p>
-
-<a name="samba2-CHP-11-TABLE-6"/><h4 class="head4">Table 11-6. Valid coding-system parameters</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Character set</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">SJIS</tt></p>
-</td>
-<td>
-<p>Standard Shift JIS</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">JIS8</tt></p>
-</td>
-<td>
-<p>Eight-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J8BB</tt></p>
-</td>
-<td>
-<p>Eight-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J8BH</tt></p>
-</td>
-<td>
-<p>Eight-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J8@B</tt></p>
-</td>
-<td>
-<p>Eight-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J8@J</tt></p>
-</td>
-<td>
-<p>Eight-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J8@H</tt></p>
-</td>
-<td>
-<p>Eight-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">JIS7</tt></p>
-</td>
-<td>
-<p>Seven-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J7BB</tt></p>
-</td>
-<td>
-<p>Seven-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J7BH</tt></p>
-</td>
-<td>
-<p>Seven-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J7@B</tt></p>
-</td>
-<td>
-<p>Seven-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J7@J</tt></p>
-</td>
-<td>
-<p>Seven-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">J7@H</tt></p>
-</td>
-<td>
-<p>Seven-bit JIS codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">JUNET</tt></p>
-</td>
-<td>
-<p>JUNET codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">JUBB</tt></p>
-</td>
-<td>
-<p>JUNET codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">JUBH</tt></p>
-</td>
-<td>
-<p>JUNET codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">JU@B</tt></p>
-</td>
-<td>
-<p>JUNET codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">JU@J</tt></p>
-</td>
-<td>
-<p>JUNET codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">JU@H</tt></p>
-</td>
-<td>
-<p>JUNET codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">EUC</tt></p>
-</td>
-<td>
-<p>EUC codes</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">HEX</tt></p>
-</td>
-<td>
-<p>Three-byte hexadecimal code</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">CAP</tt></p>
-</td>
-<td>
-<p>Three-byte hexadecimal code (Columbia AppleTalk Program)</p>
-</td>
-</tr>
-
-</table>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.4"/>
-
-<h3 class="head3">valid chars</h3>
-
-<p>The <tt class="literal">valid</tt><a name="INDEX-29"/> <tt class="literal">chars</tt> option
-can be used to add individual characters to a code page. You can use
-this option as follows:</p>
-
-<blockquote><pre class="code">valid chars = &Icirc;
-valid chars = 0450:0420 0x0A20:0x0A00
-valid chars = A:a</pre></blockquote>
-
-<p>Each character in the list specified should be separated by spaces.
-If there is a colon between two characters or a numerical equivalent,
-the data to the left of the colon is considered an uppercase
-character, while the data to the right is considered the lowercase
-character. You can represent characters both by literals (if you can
-type them) and by octal, hexadecimal, or decimal Unicode equivalents.</p>
-
-<p>If you use this option, it must be listed after the
-<tt class="literal">client</tt> <tt class="literal">code</tt>
-<tt class="literal">page</tt> to which you wish to add the character.
-<a name="INDEX-30"/><a name="INDEX-31"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-11-SECT-4"/>
-
-<h2 class="head1">Windows Messenger Service</h2>
-
-<p>One of the odd features of SMB protocol is its ability to send text
-messages between computers. Although both the name and functionality
-are similar to that of Windows Messenger, the two are not the same.
-<a name="INDEX-32"/><a name="INDEX-33"/><a name="INDEX-34"/>Windows Messenger (also called MSN
-Messenger) is an Internet-oriented instant messenging service, while
-Windows Messenger Service is an older and simpler LAN-oriented
-service. Using the Windows Messenger Service, messages can be
-addressed to users, individual computers, or entire workgroups on the
-network.</p>
-
-<p>The <a name="INDEX-35"/>WinPopup
-tool (<em class="filename">Winpopup.exe</em>), shown in <a href="ch11.html#samba2-CHP-11-FIG-1">Figure 11-1</a>, can be used on Windows 95/98/Me to send or
-receive messages. WinPopup is a handy tool for sending messages.
-However, to receive messages, it must already be running when the
-message is sent from the remote system.</p>
-
-<div class="figure"><a name="samba2-CHP-11-FIG-1"/><img src="figs/sam2_1101.gif"/></div><h4 class="head4">Figure 11-1. Sending a message from a Windows 95/98/Me system (left); receiving a message (right)</h4>
-
-<p>On Windows NT/2000/XP, the messenger service lets you receive
-messages without having an application already running; messages will
-automatically appear in a small dialog box on the screen when
-received, as shown in <a href="ch11.html#samba2-CHP-11-FIG-2">Figure 11-2</a>.</p>
-
-<div class="figure"><a name="samba2-CHP-11-FIG-2"/><img src="figs/sam2_1102.gif"/></div><h4 class="head4">Figure 11-2. Receiving a message on a Windows 2000 system</h4>
-
-<p>To send messages, it is necessary to use the <em class="emphasis">net
-send</em> command from a command-prompt window, like this:</p>
-
-<blockquote><pre class="code">C:\&gt; <tt class="userinput"><b>net send maya &quot;Who's There?&quot;</b></tt>
-The message was successfully sent to MAYA.</pre></blockquote>
-
-
-<div class="sect2"><a name="samba2-CHP-11-SECT-4.1"/>
-
-<h3 class="head2">Windows Messenger Service Configuration Option</h3>
-
-<p>Samba has a single option to handle Windows Messenger Service,
-<tt class="literal">message</tt> <tt class="literal">command</tt>, as shown in
-<a href="ch11.html#samba2-CHP-11-TABLE-7">Table 11-7</a>.</p>
-
-<a name="samba2-CHP-11-TABLE-7"/><h4 class="head4">Table 11-7. Windows Messenger Service configuration option</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameter</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">message</tt> <tt class="literal">command</tt></p>
-</td>
-<td>
-<p>string (shell command)</p>
-</td>
-<td>
-<p>Sets a command to run on Unix when a WinPopup message is received</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-4.1.1"/>
-
-<h3 class="head3">message command</h3>
-
-<p>Samba's
-<tt class="literal">message</tt><a name="INDEX-36"/> <tt class="literal">command</tt>
-option defines the command that will run on the server when a Windows
-Messenger Service message arrives. The command will be executed as
-the <tt class="literal">guest</tt> <tt class="literal">account</tt> user. What to
-do with messages is questionable because most Samba hosts run as
-unattended servers. One solution is to mail the messages to root like
-this:</p>
-
-<blockquote><pre class="code">[global]
- message command = /bin/mail -s &quot;SMB Message From %f on %m&quot; root &lt;%s; rm %s</pre></blockquote>
-
-<p>Note the use of variables here. The <tt class="literal">%s</tt> variable
-will be replaced by the name of the file in which the message
-resides. This file should be deleted when the command is finished
-with it; otherwise, a buildup of message files will collect on the
-Samba server. In addition, the command must either exit quickly or
-fork its own process (using an <tt class="literal">&amp;</tt> after the
-command); otherwise, the client might suspend and wait for
-notification that the command was sent successfully before
-continuing.</p>
-
-<p>In addition to the standard variables, <a href="ch11.html#samba2-CHP-11-TABLE-8">Table 11-8</a>
-shows the three unique variables that you can use in a
-<tt class="literal">message</tt> <tt class="literal">command</tt>.</p>
-
-<a name="samba2-CHP-11-TABLE-8"/><h4 class="head4">Table 11-8. message command variables</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Variable</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">%s</tt></p>
-</td>
-<td>
-<p>The name of the file in which the message resides</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%f</tt></p>
-</td>
-<td>
-<p>The name of the system that sent the message</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">%t</tt></p>
-</td>
-<td>
-<p>The name of the system that is the destination of the message
-<a name="INDEX-37"/><a name="INDEX-38"/><a name="INDEX-39"/></p>
-</td>
-</tr>
-
-</table>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-11-SECT-5"/>
-
-<h2 class="head1">Miscellaneous Options</h2>
-
-<p>Many Samba options are available to deal with operating system issues
-on either Unix or Windows. In particular, some of these options are
-used for setting limits for clients' use of
-resources on the Unix server. The options shown in <a href="ch11.html#samba2-CHP-11-TABLE-9">Table 11-9</a> deal with some of these issues.</p>
-
-<a name="samba2-CHP-11-TABLE-9"/><h4 class="head4">Table 11-9. Miscellaneous options</h4><table border="1">
-
-
-
-
-
-
-<tr>
-<th>
-<p>Option</p>
-</th>
-<th>
-<p>Parameters</p>
-</th>
-<th>
-<p>Function</p>
-</th>
-<th>
-<p>Default</p>
-</th>
-<th>
-<p>Scope</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p><tt class="literal">deadtime</tt></p>
-</td>
-<td>
-<p>numeric (minutes)</p>
-</td>
-<td>
-<p>Number of minutes of inactivity before a connection should be
-terminated.</p>
-</td>
-<td>
-<p><tt class="literal">0</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">dfree command</tt></p>
-</td>
-<td>
-<p>string (command)</p>
-</td>
-<td>
-<p>Used to specify a command that returns free disk space in a format
-recognized by Samba.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">fstype</tt></p>
-</td>
-<td>
-<p><tt class="literal">NTFS</tt>, <tt class="literal">FAT</tt>, or
-<tt class="literal">Samba</tt></p>
-</td>
-<td>
-<p>Filesystem type reported by the server to the client.</p>
-</td>
-<td>
-<p><tt class="literal">NTFS</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">keepalive</tt></p>
-</td>
-<td>
-<p>numeric (seconds)</p>
-</td>
-<td>
-<p>Number of seconds between checks for an inoperative client.</p>
-</td>
-<td>
-<p><tt class="literal">300</tt> (none)</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">max disk size</tt></p>
-</td>
-<td>
-<p>numeric (MB)</p>
-</td>
-<td>
-<p>Largest disk size to return to a client, some of which have limits.
-Does not affect actual operations on the disk.</p>
-</td>
-<td>
-<p><tt class="literal">0</tt> (infinity)</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">max mux</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Maximum number of simultaneous SMB operations that clients can make.</p>
-</td>
-<td>
-<p><tt class="literal">50</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">max open files</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Limits number of open files to be below Unix limits.</p>
-</td>
-<td>
-<p><tt class="literal">10000</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">max xmit</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Specifies the maximum packet size that Samba will send.</p>
-</td>
-<td>
-<p><tt class="literal">65535</tt> or <tt class="literal">16644</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">nt pipe support</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Turns off an NT/2000/XP support feature; for benchmarking or in case
-of an error.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">nt smb support</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Turns off an NT/2000/XP support feature; for benchmarking or in case
-of an error.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">ole locking</tt> <tt class="literal">compatibility</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>Remaps out-of-range lock requests used on Windows to fit in allowable
-range on Unix. Turning it off causes Unix lock errors.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">panic action</tt></p>
-</td>
-<td>
-<p>string</p>
-</td>
-<td>
-<p>Command to run if Samba server fails; for debugging.</p>
-</td>
-<td>
-<p>None</p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">set directory</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows VMS clients to issue
-<tt class="literal">set</tt> <tt class="literal">dir</tt> commands.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">status</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, allows Samba to monitor status for
-<tt class="literal">smbstatus</tt> command.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">strict sync</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">no</tt>, ignores Windows application requests to
-perform a sync-to-disk.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">sync always</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, forces all client writes to be committed
-to disk before returning from the call.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">strip dot</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, strips trailing dots from Unix filenames.</p>
-</td>
-<td>
-<p><tt class="literal">no</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">change notify timeout</tt></p>
-</td>
-<td>
-<p>numeric (seconds)</p>
-</td>
-<td>
-<p>Interval between checks when a client asks to wait for a change in a
-specified directory.</p>
-</td>
-<td>
-<p><tt class="literal">60</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">stat cache</tt></p>
-</td>
-<td>
-<p>Boolean</p>
-</td>
-<td>
-<p>If <tt class="literal">yes</tt>, Samba will cache recent name mappings.</p>
-</td>
-<td>
-<p><tt class="literal">yes</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-<tr>
-<td>
-<p><tt class="literal">stat cache size</tt></p>
-</td>
-<td>
-<p>numeric</p>
-</td>
-<td>
-<p>Number of entries in the stat cache.</p>
-</td>
-<td>
-<p><tt class="literal">50</tt></p>
-</td>
-<td>
-<p>Global</p>
-</td>
-</tr>
-
-</table>
-
-
-<div class="sect2"><a name="samba2-CHP-11-SECT-5.1"/>
-
-<a name="INDEX-40"/><h3 class="head2">deadtime</h3>
-
-<p>This global option sets the number of minutes that Samba will wait
-for an inactive client before closing its session with the Samba
-server. A client is considered inactive when it has no open files and
-no data is being sent from it. The default value for this option is
-0, which means that Samba never closes any connection, regardless of
-how long they have been inactive. This can lead to unnecessary
-consumption of the server's resources by inactive
-clients. We recommend that you override the default as follows:</p>
-
-<blockquote><pre class="code">[global]
- deadtime = 10</pre></blockquote>
-
-<p>This tells Samba to terminate any inactive client sessions after 10
-minutes. For most networks, setting this option as such will not
-inconvenience users because reconnections from the client are
-generally performed transparently to the user. See also the
-<tt class="literal">keepalive</tt> parameter.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.1"/>
-
-<a name="INDEX-41"/><h3 class="head3">dfree command</h3>
-
-<p>This global option is used on systems that incorrectly determine the
-free space left on the disk. So far, the only confirmed system that
-needs this option set is Ultrix. There is no default value for this
-option, which means that Samba already knows how to compute the free
-disk space on its own and the results are considered reliable. You
-can override it as follows:</p>
-
-<blockquote><pre class="code">[global]
- dfree command = /usr/local/bin/dfree</pre></blockquote>
-
-<p>This option should point to a script that returns the total disk
-space in a block and the number of available blocks. The Samba
-documentation recommends the following as a usable script:</p>
-
-<blockquote><pre class="code">#!/bin/sh
-df $1 | tail -1 | awk '{print $2&quot; &quot;$4}'</pre></blockquote>
-
-<p>On System V machines, the following will work:</p>
-
-<blockquote><pre class="code">#!/bin/sh
-/usr/bin/df $1 | tail -1 | awk '{print $3&quot; &quot;$5}'</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.2"/>
-
-<a name="INDEX-42"/><h3 class="head3">fstype</h3>
-
-<p>This share-level option sets the type of filesystem that Samba
-reports when queried by the client. Three strings can be used as a
-value to this configuration option, as listed in <a href="ch11.html#samba2-CHP-11-TABLE-10">Table 11-10</a>.</p>
-
-<a name="samba2-CHP-11-TABLE-10"/><h4 class="head4">Table 11-10. Filesystem types</h4><table border="1">
-
-
-
-<tr>
-<th>
-<p>Value</p>
-</th>
-<th>
-<p>Definition</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>NTFS</p>
-</td>
-<td>
-<p>Microsoft Windows NT filesystem</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>FAT</p>
-</td>
-<td>
-<p>DOS FAT filesystem</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Samba</p>
-</td>
-<td>
-<p>Samba filesystem</p>
-</td>
-</tr>
-
-</table>
-
-<p>The default value for this option is <tt class="literal">NTFS</tt>, which
-represents a Windows NT filesystem. There probably
-isn't a need to specify any other type of
-filesystem. However, if you need to, you can override the default
-value per share as follows:</p>
-
-<blockquote><pre class="code">[data]
- fstype = FAT</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.3"/>
-
-<a name="INDEX-43"/><h3 class="head3">keepalive</h3>
-
-<p>This global option specifies the number of seconds that Samba waits
-between sending NetBIOS <em class="emphasis">keepalive packets</em>. These
-packets are used to ping a client to detect whether it is still alive
-and on the network. The default value for this option is
-<tt class="literal">300</tt> (5 minutes), which you can override as
-follows:</p>
-
-<blockquote><pre class="code">[global]
- keepalive = 600</pre></blockquote>
-
-<p>The value of <tt class="literal">600</tt> (10 minutes) is good for networks
-populated by reliable clients. If your network contains relatively
-unreliable clients, you might prefer to set
-<tt class="literal">keepalive</tt> to a lower value, such as
-<tt class="literal">30</tt>. If <tt class="literal">keepalive</tt> is set to 0,
-no NetBIOS keepalive packets will be sent. See also the
-<tt class="literal">deadtime</tt> parameter.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.4"/>
-
-<a name="INDEX-44"/><h3 class="head3">max disk size</h3>
-
-<p>This global option specifies an illusory limit, in megabytes, for
-each share that Samba is offering. It only affects how much disk
-space Samba reports the share as having and does not prevent more
-disk space from actually being available for use. You would typically
-set this option to prevent clients with older operating
-systems&mdash;or running buggy applications&mdash;from being confused
-by large disk spaces. For example, some older Windows applications
-become confused when they encounter a share larger than 1 gigabyte.
-To work around this problem, <tt class="literal">max</tt>
-<tt class="literal">disk</tt> <tt class="literal">size</tt> can be set as
-follows:</p>
-
-<blockquote><pre class="code">[global]
- max disk size = 1000</pre></blockquote>
-
-<p>The default value for this option is <tt class="literal">0</tt>, which
-means there is no upper limit.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.5"/>
-
-<a name="INDEX-45"/><h3 class="head3">max mux</h3>
-
-<p>This global option specifies the maximum number of concurrent SMB
-operations Samba allows. The default value for this option is
-<tt class="literal">50</tt>. You can override it as follows:</p>
-
-<blockquote><pre class="code">[global]
- max mux = 100</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.6"/>
-
-<a name="INDEX-46"/><h3 class="head3">max open files</h3>
-
-<p>This global option specifies the maximum number of open files that
-Samba should allow at any given time for all processes. This value
-must be equal to or less than the amount allowed by the operating
-system, which varies from system to system. The default value for
-this option is <tt class="literal">10000</tt>. You can override it as
-follows:</p>
-
-<blockquote><pre class="code">[global]
- max open files = 8000</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.7"/>
-
-<a name="INDEX-47"/><h3 class="head3">max xmit</h3>
-
-<p>This global option sets the maximum size of packets that Samba
-exchanges with a client. In rare cases, setting a smaller maximum
-packet size can increase performance, especially with Windows for
-Workgroups. In Samba versions up to 2.2.5, the default value for this
-option is <tt class="literal">65535</tt>. In 2.2.7 and later versions, the
-default was changed to <tt class="literal">16644</tt> to match the behavior
-of Windows 2000 and improve support for Windows NT 4.0. You can
-override the default as follows:</p>
-
-<blockquote><pre class="code">[global]
- max xmit = 4096</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.8"/>
-
-<a name="INDEX-48"/><h3 class="head3">nt pipe support</h3>
-
-<p>This global option is used by developers to allow or disallow Windows
-NT/2000/XP clients the ability to make connections to
-<a name="INDEX-49"/>NT-specific SMB IPC$ pipes. As a user, you
-should never need to override the default:</p>
-
-<blockquote><pre class="code">[global]
- nt pipe support = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.9"/>
-
-<a name="INDEX-50"/><h3 class="head3">nt smb support</h3>
-
-<p>This global option is used by developers to negotiate NT-specific SMB
-options with Windows NT/2000/XP clients. The Samba Team has
-discovered that slightly better performance comes from setting this
-value to <tt class="literal">no</tt>. However, as a user, you should
-probably not override the default:</p>
-
-<blockquote><pre class="code">[global]
- nt smb support = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.10"/>
-
-<a name="INDEX-51"/><h3 class="head3">ole locking compatibility</h3>
-
-<p>This global option turns off Samba's internal
-byte-range locking manipulation in files, which gives compatibility
-with Object Linking and Embedding (OLE) applications that use high
-byte-range locks as a method of interprocess communication. The
-default value for this option is <tt class="literal">yes</tt>. If you trust
-your Unix locking mechanisms, you can override it as follows:</p>
-
-<blockquote><pre class="code">[global]
- ole locking compatibility = no</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.11"/>
-
-<a name="INDEX-52"/><h3 class="head3">panic action</h3>
-
-<p>This global option specifies a command to execute in the event that
-Samba encounters a fatal error when loading or running. There is no
-default value for this option. You can specify an action as follows:</p>
-
-<blockquote><pre class="code">[global]
- panic action = /bin/csh -c
- 'xedit &lt;&lt;: &quot;Samba has shutdown unexpectedly&quot;;:'</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.12"/>
-
-<a name="INDEX-53"/><h3 class="head3">set directory</h3>
-
-<p>This Boolean share-level option allows <a name="INDEX-54"/>Digital Pathworks clients to
-use the <em class="emphasis">setdir</em> command to change directories on
-the server. If you are not using the Digital Pathworks client, you
-should not need to alter this option. The default value for this
-option is <tt class="literal">no</tt>. You can override it per share as
-follows:</p>
-
-<blockquote><pre class="code">[data]
- set directory = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.13"/>
-
-<a name="INDEX-55"/><h3 class="head3">status</h3>
-
-<p>This global option indicates whether Samba should log all active
-connections to a status file. This file is used only by the
-<em class="emphasis">smbstatus</em> command. If you have no intentions of
-using this command, you can set this option to <tt class="literal">no</tt>,
-which can result in a small increase of speed on the server. The
-default value for this option is <tt class="literal">yes</tt>. You can
-override it as follows:</p>
-
-<blockquote><pre class="code">[global]
- status = no</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.14"/>
-
-<a name="INDEX-56"/><h3 class="head3">strict sync</h3>
-
-<p>This share-level option determines whether Samba honors all requests
-to perform a disk sync when requested to do so by a client. Many
-Windows clients request a disk sync when they are really just trying
-to flush data to their own open files. In this case, a disk sync is
-generally unnecessary on Unix due to its high reliability, and it
-mostly has the effect of substantially reducing the performance of
-the Samba host system. The default value for this option is
-<tt class="literal">no</tt>, which allows the superfluous disk sync
-requests to be ignored. You can override the default as follows:</p>
-
-<blockquote><pre class="code">[data]
- strict sync = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.15"/>
-
-<a name="INDEX-57"/><h3 class="head3">sync always</h3>
-
-<p>This share-level option decides whether every write to disk should be
-followed by a disk synchronization before the write call returns
-control to the client. Even if the value of this option is
-<tt class="literal">no</tt>, clients can request a disk synchronization;
-see the earlier <tt class="literal">strict</tt> <tt class="literal">sync</tt>
-option. The default value for this option is <tt class="literal">no</tt>.
-You can override it per share as follows:</p>
-
-<blockquote><pre class="code">[data]
- sync always = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.16"/>
-
-<a name="INDEX-58"/><h3 class="head3">strip dot</h3>
-
-<p>This global option determines whether to remove the trailing dot from
-Unix filenames that are formatted with a dot at the end. The default
-value for this option is <tt class="literal">no</tt>. You can override it
-per share as follows:</p>
-
-<blockquote><pre class="code">[global]
- strip dot = yes</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.17"/>
-
-<h3 class="head3">change notify timeout</h3>
-
-<p>The <tt class="literal">change</tt><a name="INDEX-59"/>
-<tt class="literal">notify</tt> <tt class="literal">timeout</tt> global option
-emulates a Windows NT/2000 SMB feature called <em class="firstterm">change
-notification</em><a name="INDEX-60"/>. This allows a client to request
-that a Windows NT/2000 server periodically monitor a specific
-directory on a share for any changes. If changes occur, the server
-will notify the client.</p>
-
-<p>Samba performs this function for its clients at an interval that
-defaults to 1 minute (60 seconds). Performing these checks too often
-can slow down the server considerably; however, you can use this
-option to specify an alternate time that Samba should wait between
-performing checks:</p>
-
-<blockquote><pre class="code">[global]
- change notify timeout = 30</pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.18"/>
-
-<h3 class="head3">stat cache</h3>
-
-<p>The <tt class="literal">stat</tt><a name="INDEX-61"/> <tt class="literal">cache</tt> global
-option turns on caching of recent case-insensitive name mappings. The
-default is <tt class="literal">yes</tt>. The Samba Team recommends that you
-never change this parameter.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.19"/>
-
-<h3 class="head3">stat cache size</h3>
-
-<p>The <tt class="literal">stat</tt><a name="INDEX-62"/> <tt class="literal">cache</tt>
-<tt class="literal">size</tt> global option sets the number of cache
-entries to be used for the <tt class="literal">stat</tt>
-<tt class="literal">cache</tt> option. The default here is
-<tt class="literal">50</tt>. Again, the Samba Team recommends that you
-never change this parameter.</p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch12.html b/docs/htmldocs/using_samba/ch12.html
deleted file mode 100644
index 6ba643fe73..0000000000
--- a/docs/htmldocs/using_samba/ch12.html
+++ /dev/null
@@ -1,3341 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h1 class="head0">Chapter 12. Troubleshooting Samba</h1>
-
-
-<p><a name="INDEX-1"/><a name="INDEX-2"/>Samba is extremely robust. Once you have
-everything set up the way you want, you'll probably
-forget that it is running. When trouble occurs, it's
-typically during installation or when you're trying
-to reconfigure the server. Fortunately, a wide variety of resources
-are available to diagnose these troubles. While we
-can't describe in detail the solution to every
-problem you might encounter, you should be able to get a good start
-at resolving the problem by following the advice given in this
-chapter.</p>
-
-<p>The first section of this chapter lists the tool bag, a collection of
-tools available for troubleshooting Samba; the second section is a
-detailed how-to; the last section lists extra resources to track down
-particularly stubborn problems.</p>
-
-
-
-<div class="sect1"><a name="samba2-CHP-12-SECT-1"/>
-
-<h2 class="head1">The Tool Box</h2>
-
-<p><a name="INDEX-3"/><a name="INDEX-4"/>Sometimes Unix
-seems to be made up of a grab bag of applications and tools. There
-are tools to troubleshoot tools. And of course, there are several
-ways to accomplish the same task. When trying to solve a problem
-related to Samba, a good plan of attack is to use the following:</p>
-
-<ul><li>
-<p>Samba logs</p>
-</li><li>
-<p>Samba test utilities</p>
-</li><li>
-<p>Unix utilities</p>
-</li><li>
-<p>Fault tree</p>
-</li><li>
-<p>Documentation and FAQs</p>
-</li><li>
-<p>Samba newsgroups</p>
-</li><li>
-<p>Searchable mailing list archives</p>
-</li></ul>
-<p>Let's go over each of these one-by-one in the
-following sections.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-1.1"/>
-
-<h3 class="head2">Samba Logs</h3>
-
-<p><a name="INDEX-5"/><a name="INDEX-6"/>Your first line of attack should always
-be to check the log files. The Samba log files can help diagnose the
-vast majority of the problems faced by beginning- to
-intermediate-level Samba administrators. Samba is quite flexible when
-it comes to logging. You can set up the server to log as little or as
-much information as you want. Using substitution variables in the
-Samba configuration file allows you to isolate individual logs for
-each system, share, or combination thereof.</p>
-
-<p>Logs are placed in <em class="filename">/usr/local/samba/var/smbd.log</em>
-and <em class="filename">/usr/local/samba/var/nmbd.log</em> by default.
-You can specify a log directory to use with the
-<em class="emphasis">-l</em> flag on the command line when starting the
-Samba daemons. For example:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>smbd -l /var/log/samba</b></tt>
-# <tt class="userinput"><b>nmbd -l /var/log/samba</b></tt></pre></blockquote>
-
-<p>Alternatively, you can override the location and name using the
-<tt class="literal">log</tt><a name="INDEX-7"/> <tt class="literal">file</tt> configuration
-option in <em class="filename">smb.conf</em>. This option accepts all the
-substitution variables, so you could easily have the server keep a
-separate log for each connecting client system by specifying the
-following:</p>
-
-<blockquote><pre class="code">[global]
- log file = %m.log</pre></blockquote>
-
-<p>Another useful trick is to have the server keep a log for each
-service (share) that is offered, especially if you suspect a
-particular share is causing trouble. To do this, use the
-<tt class="literal">%S</tt> variable, like this:</p>
-
-<blockquote><pre class="code">[global]
- log file = %S.log</pre></blockquote>
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.1"/>
-
-<h3 class="head3">Log levels</h3>
-
-<p><a name="INDEX-8"/>The level of logging that Samba uses
-can be set in the <em class="filename">smb.conf</em> file using the global
-<tt class="literal">log</tt> <tt class="literal">level</tt> or
-<tt class="literal">debug</tt> <tt class="literal">level</tt> option; they are
-equivalent. The logging level is an integer that can range from 0 to
-10. At level 0, no logging is done. Higher values result in more
-voluminous logging. For example, let's assume that
-we will use a Windows client to browse a directory on a Samba server.
-For a small amount of log information, you can use
-<tt class="literal">log</tt> <tt class="literal">level</tt> <tt class="literal">=</tt>
-<tt class="literal">1</tt>, which instructs Samba to show only cursory
-information, in this case only the connection itself:</p>
-
-<blockquote><pre class="code">05/25/02 22:02:11 server (192.168.236.86) connect to service public as user pcguest
-(uid=503,gid=100) (pid 3377)</pre></blockquote>
-
-<p>Higher debug levels produce more detailed information. Usually, you
-won't need more than level 3, which is fully
-adequate for most Samba administrators. Levels above 3 are used by
-the developers and dump enormous amounts of cryptic information.</p>
-
-<p>Here is an example of output at levels 2 and 3 for the same
-operation. Don't worry if you don't
-understand the intricacies of an SMB connection; the point is simply
-to show you what types of information are shown at the different
-<a name="INDEX-9"/>logging levels:</p>
-
-<blockquote><pre class="code"> /* Level 2 */
-Got SIGHUP
-Processing section &quot;[homes]&quot;
-Processing section &quot;[public]&quot;
-Processing section &quot;[temp]&quot;
-Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
-Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/
-
-
-/* Level 3 */
-05/25/02 22:15:09 Transaction 63 of length 67
-switch message SMBtconX (pid 3377)
-Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
-ACCEPTED: guest account and guest ok
-found free connection number 105
-Connect path is /tmp
-chdir to /tmp
-chdir to /
-05/25/02 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest
-(uid=503,gid=100) (pid 3377)
-05/25/02 22:15:09 tconX service=ipc$ user=pcguest cnum=105
-05/25/02 22:15:09 Transaction 64 of length 99
-switch message SMBtrans (pid 3377)
-chdir to /tmp
-trans &lt;\PIPE\LANMAN&gt; data=0 params=19 setup=0
-Got API command 0 of form &lt;WrLeh&gt; &lt;B13BWz&gt; (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
-Doing RNetShareEnum
-RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
-05/25/02 22:15:11 Transaction 65 of length 99
-switch message SMBtrans (pid 3377)
-chdir to /
-chdir to /tmp
-trans &lt;\PIPE\LANMAN&gt; data=0 params=19 setup=0
-Got API command 0 of form &lt;WrLeh&gt; &lt;B13BWz&gt; (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
-Doing RNetShareEnum
-RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
-05/25/02 22:15:11 Transaction 66 of length 95
-switch message SMBtrans2 (pid 3377)
-chdir to /
-chdir to /pcdisk/public
-call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end
-= 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432
-unix_clean_name [./DESKTOP.INI]
-unix_clean_name [desktop.ini]
-unix_clean_name [./]
-creating new dirptr 1 for path ./, expect_close = 1
-05/25/02 22:15:11 Transaction 67 of length 53
-switch message SMBgetatr (pid 3377)
-chdir to /
-
-<i class="lineannotation">[... deleted ...]</i></pre></blockquote>
-
-<p>We cut off this listing after the first packet because it runs on for
-many pages. However, be aware that log levels above 3 will quickly
-consume disk space with megabytes of excruciating detail concerning
-Samba's internal operations. Log level 3 is
-extremely useful for following exactly what the server is doing, and
-most of the time it will be obvious where an error occurs by glancing
-through the log file.</p>
-
-<p>Using a high log level (3 or above) will
-<em class="emphasis">seriously</em> slow down the Samba server. Remember
-that every log message generated causes a write to disk (an
-inherently slow operation) and log levels greater than 2 produce
-massive amounts of data. Essentially, you should turn on logging
-level 3 only when you're actively tracking a problem
-in the Samba server. <a name="INDEX-10"/></p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.2"/>
-
-<h3 class="head3">Activating and deactivating logging</h3>
-
-<p><a name="INDEX-11"/><a name="INDEX-12"/>To turn logging on and off,
-set the appropriate level in the <tt class="literal">[global]</tt> section
-of <em class="filename">smb.conf</em>. Then, you can either restart Samba
-or force the current daemon to reprocess the configuration file by
-sending it a hangup (HUP) signal. You also can send the
-<em class="emphasis">smbd</em> process a SIGUSR1 signal to increase its
-log level by one while it's running, like this:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR1 1234</b></tt></pre></blockquote>
-
-<p>or a SIGUSR2 signal to decrease it by one:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR2 1234</b></tt></pre></blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.3"/>
-
-<h3 class="head3">Logging by individual client systems or users</h3>
-
-<p>An effective way to diagnose problems without hampering other users
-is to assign different log levels for different systems in the
-<tt class="literal">[global]</tt> section of the
-<em class="filename">smb.conf</em> file. We can do this by building on the
-strategy we presented earlier:</p>
-
-<blockquote><pre class="code">[global]
- log level = 0
- log file = /usr/local/samba/var/log.%m
- include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
-
-<p>These options instruct Samba to use unique configuration and log
-files for each client that connects. Now all you have to do is create
-an <em class="filename">smb.conf</em> file for a specific client system
-with a <tt class="literal">log</tt> <tt class="literal">level</tt>
-<tt class="literal">=</tt> <tt class="literal">3</tt> entry in it (the others
-will pick up the default log level of 0) and use that log file to
-track down the problem.</p>
-
-<p>Similarly, if only particular users are experiencing a
-problem&mdash;and it travels from system to system with
-them&mdash;you can isolate logging to a specific user by adding the
-following to the <em class="filename">smb.conf</em> file:</p>
-
-<blockquote><pre class="code">[global]
- log level = 0
- log file = /usr/local/samba/var/log.%u
- include = /usr/local/samba/lib/smb.conf.%u</pre></blockquote>
-
-<p>Then you can create a unique <em class="filename">smb.conf</em> file for
-each user you wish to monitor (e.g.,
-<em class="filename">/usr/local/samba/lib/smb.conf.tim</em>). Files
-containing the configuration option <tt class="literal">log</tt>
-<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">3</tt>
-and only those users will get more detailed logging.<a name="INDEX-13"/><a name="INDEX-14"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-1.2"/>
-
-<h3 class="head2">Samba Test Utilities</h3>
-
-<p><a name="INDEX-15"/><a name="INDEX-16"/>A rigorous set of tests that exercise
-the major parts of Samba are described in various files in the
-<em class="emphasis">/docs/textdocs</em> directory of the Samba
-distribution kit, starting with <em class="emphasis">DIAGNOSIS.txt</em>.
-The fault tree in this chapter is a more detailed version of the
-basic tests suggested by the Samba Team, but it covers only
-installation and reconfiguration diagnosis, such as
-<em class="emphasis">DIAGNOSIS.txt</em>. The other files in the
-<em class="emphasis">/docs</em> subdirectories address specific problems
-and instruct you how to troubleshoot items not included in this book.
-If the fault tree doesn't suffice, be sure to look
-at
-<em class="emphasis">DIAGNOSIS.txt</em><a name="INDEX-17"/>
-and its friends.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-1.3"/>
-
-<h3 class="head2">Unix Utilities</h3>
-
-<p>Sometimes it's useful to use a tool outside the
-Samba suite to examine what's happening inside the
-server. Three diagnostic tools can be of particular help in debugging
-Samba troubles: <em class="emphasis">trace</em>,
-<em class="emphasis">tcpdump</em>, and <em class="emphasis">Ethereal</em>.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.1"/>
-
-<h3 class="head3">Using trace</h3>
-
-<p>The <em class="emphasis">trace</em><a name="INDEX-18"/> command masquerades under several
-different names, depending on the operating system you are using. On
-Linux it will be
-<em class="emphasis">strace</em><a name="INDEX-19"/>; on Solaris you'll use
-<em class="emphasis">truss</em><a name="INDEX-20"/>; SGI will have
-<em class="emphasis">padc</em><a name="INDEX-21"/> and
-<em class="emphasis">par</em><a name="INDEX-22"/>; and HP-UX will have
-<em class="emphasis">trace</em> or
-<em class="emphasis">tusc</em><a name="INDEX-23"/>. All have essentially the same
-function, which is to display each operating system function call as
-it is executed. This allows you to follow the execution of a program,
-such as the Samba server, and often pinpoints the exact call that is
-causing the difficulty.</p>
-
-<p>One problem that <em class="emphasis">trace</em> can highlight is an
-incorrect version of a dynamically linked library. This can happen if
-you've downloaded prebuilt binaries of Samba.
-You'll typically see the offending call at the end
-of the <em class="emphasis">trace</em>, just before the program
-terminates.</p>
-
-<p>A sample <em class="emphasis">strace</em> output for the Linux operating
-system follows. This is a small section of a larger file created
-during the opening of a directory on the Samba server. Each line
-lists a system call and includes its parameters and the return value.
-If there was an error, the error value (e.g.,
-<tt class="literal">ENOENT</tt>) and its explanation are also shown. You
-can look up the parameter types and the errors that can occur in the
-appropriate <em class="emphasis">trace</em> manual page for the operating
-system you are using.</p>
-
-<blockquote><pre class="code">chdir(&quot;/pcdisk/public&quot;) = 0
-stat(&quot;mini/desktop.ini&quot;, 0xbffff7ec) = -1 ENOENT (No such file or directory)
-stat(&quot;mini&quot;, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
-stat(&quot;mini/desktop.ini&quot;, 0xbffff7ec) = -1 ENOENT (No such file or directory)
-open(&quot;mini&quot;, O_RDONLY) = 5
-fcntl(5, F_SETFD, FD_CLOEXEC) = 0
-fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
-lseek(5, 0, SEEK_CUR) = 0
-SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196
-lseek(5, 0, SEEK_CUR) = 1024
-SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0
-close(5) = 0
-stat(&quot;mini/desktop.ini&quot;, 0xbffff86c) = -1 ENOENT (No such file or directory)
-write(3, &quot;\0\0\0#\377SMB\10\1\0\2\0\200\1\0&quot;..., 39) = 39
-SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1
-read(3, &quot;\0\0\0?&quot;, 4) = 4
-read(3, &quot;\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0&quot;..., 63) = 63
-time(NULL) = 896143871</pre></blockquote>
-
-<p>This example shows several <em class="emphasis">stat() calls</em> failing
-to find the files they were expecting. You don't
-have to be an expert to see that the file
-<em class="emphasis">desktop.ini</em> is missing from that directory. In
-fact, many difficult problems can be identified by looking for
-obvious, repeatable errors with <em class="emphasis">trace</em>. Often,
-you need not look further than the last message before a crash.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.2"/>
-
-<h3 class="head3">Using tcpdump</h3>
-
-<p>The <em class="emphasis">tcpdump</em><a name="INDEX-24"/> program, as extended by Andrew
-<a name="INDEX-25"/>Tridgell,
-allows you to monitor SMB <a name="INDEX-26"/>network
-traffic in real time. A variety of output formats are available, and
-you can filter the output to look at only a particular type of
-traffic. You can examine all conversations between client and server,
-including SMB and NMB broadcast messages. While its troubleshooting
-capabilities lie mainly at the OSI network layer, you can still use
-its output to get a general idea of what the server and client are
-attempting to do.</p>
-
-<p>A sample <em class="emphasis">tcpdump</em> log follows. In this instance,
-the client has requested a directory listing, and the server has
-responded appropriately, giving the directory names
-<tt class="literal">homes</tt>, <tt class="literal">public</tt>,
-<tt class="literal">IPC$</tt>, and <tt class="literal">temp</tt>
-(we've added a few explanations on the right):</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>tcpdump -v -s 255 -i eth0 port not telnet</b></tt>
-SMB PACKET: SMBtrans (REQUEST) <i class="lineannotation"> Request packet</i>
-SMB Command = 0x25 <i class="lineannotation">Request was ls or dir</i>
-
-[000] 01 00 00 10 <i class="lineannotation">....</i>
-
-
-&gt;&gt;&gt; NBT Packet <i class="lineannotation">Outer frame of SMB packet</i>
-NBT Session Packet
-Flags=0x0
-Length=226
-[lines skipped]
-
-SMB PACKET: SMBtrans (REPLY) <i class="lineannotation">Beginning of a reply to request</i>
-SMB Command = 0x25 <i class="lineannotation">Command was an ls or dir</i>
-Error class = 0x0
-Error code = 0 <i class="lineannotation">No errors</i>
-Flags1 = 0x80
-Flags2 = 0x1
-Tree ID = 105
-Proc ID = 6075
-UID = 100
-MID = 30337
-Word Count = 10
-TotParamCnt=8
-TotDataCnt=163
-Res1=0
-ParamCnt=8
-ParamOff=55
-Res2=0
-DataCnt=163
-DataOff=63
-Res3=0
-Lsetup=0
-Param Data: (8 bytes)
-[000] 00 00 00 00 05 00 05 00 ........
-
-Data Data: (135 bytes) <i class="lineannotation">Actual directory contents:</i>
-[000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........
-[010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic......
-[020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp....
-[030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$
-[040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w...
-[050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........
-[060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo
-[070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi
-[080] 63 65 20 28 53 61 6D ce (Sam</pre></blockquote>
-
-<p>This is more of the same debugging session as we saw before with the
-<em class="emphasis">trace</em> command: the listing of a directory. The options
-we used were <em class="emphasis">-v</em> (verbose), <em class="emphasis">-i
-eth0</em> to tell <em class="emphasis">tcpdump</em> on which
-interface to listen (an Ethernet port), and <em class="emphasis">-s
-255</em> to tell it to save the first 255 bytes of each packet
-instead of the default: the first 68. The option
-<tt class="literal">port</tt> <tt class="literal">not</tt>
-<tt class="literal">telnet</tt> is used to avoid screens of telnet traffic,
-because we were logged in to the server remotely. The
-<em class="emphasis">tcpdump</em> program actually has quite a number of
-options to filter just the traffic you want to look at. If
-you've used <em class="emphasis">snoop</em> or
-<em class="emphasis">etherdump</em>, it will look vaguely familiar.</p>
-
-<p>You can download the modified <em class="emphasis">tcpdump</em> from the
-Samba FTP server, located at
-<a href="ftp://samba.anu.edu.au/pub/samba/tcpdump-smb">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</a>.
-Other versions might not include support for the SMB protocol; if you
-don't see output such as that shown in the example,
-you'll need to use the SMB-enabled version.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.3"/>
-
-<h3 class="head3">Using Ethereal</h3>
-
-<p><a name="INDEX-27"/>Ethereal (<a href="http://www.ethereal.com">http://www.ethereal.com</a>) is a GUI-based
-utility that performs the same basic function as
-<em class="emphasis">tcpdump</em>. You might prefer Ethereal because it is
-much easier to use. Once you have Ethereal running, just do the
-following:</p>
-
-<ol><li>
-<p>Select Start from the Capture menu.</p>
-</li><li>
-<p>Click the OK button in the dialog box that appears. This will bring
-up a dialog box showing how many packets Ethereal has seen. Perform
-the actions on the system(s) in your network to reproduce the problem
-you are analyzing.</p>
-</li><li>
-<p>Click the Stop button in the Ethereal dialog box to make it finish
-collecting data.</p>
-</li><li>
-<p>In the main Ethereal window, click any item in the upper window to
-view it in the lower window. In the lower window, click any of the
-boxes containing a plus sign (<tt class="literal">+</tt>) to expand the
-view.</p>
-</li></ol>
-<p>Ethereal does a good job of translating the content of the packets it
-encounters into human-readable format, and you should have little
-trouble seeing what happened on the network during the capture
-period. <a name="INDEX-28"/><a name="INDEX-29"/></p>
-
-
-</div>
-
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-12-SECT-2"/>
-
-<h2 class="head1">The Fault Tree</h2>
-
-<p><a name="INDEX-30"/><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>The fault
-tree presented in this section is for diagnosing and fixing problems
-that occur when you're installing and reconfiguring
-Samba. It's an expanded form of the trouble and
-diagnostic document <em class="filename">DIAGNOSIS.txt</em>, which is part
-of the Samba distribution.</p>
-
-<p>Before you set out to troubleshoot any part of the Samba suite, you
-should know the following information:</p>
-
-<ul><li>
-<p>Your client IP address (we use 192.168.236.10)</p>
-</li><li>
-<p>Your server IP address (we use 192.168.236.86)</p>
-</li><li>
-<p>The netmask for your network (typically 255.255.255.0)</p>
-</li><li>
-<p>Whether the systems are all on the same subnet (ours are)</p>
-</li></ul>
-<p>For clarity, we've renamed the server in the
-following examples to <tt class="literal">server.example.com</tt>, and the
-client system to <tt class="literal">client.example.com</tt>.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-2.1"/>
-
-<h3 class="head2">How to Use the Fault Tree</h3>
-
-<p>Start the tests here, without skipping forward; it
-won't take long (about 5 minutes) and might actually
-save you time backtracking. Whenever a test succeeds, you will be
-given a name of a section to which you can safely skip.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-2.2"/>
-
-<h3 class="head2">Troubleshooting Low-Level IP</h3>
-
-<p><a name="INDEX-34"/>The
-first series of tests is that of the low-level services that Samba
-needs to run. The tests in this section verify that:</p>
-
-<ul><li>
-<p>The IP software works</p>
-</li><li>
-<p>The Ethernet hardware works</p>
-</li><li>
-<p>Basic name service is in place</p>
-</li></ul>
-<p>Subsequent sections add TCP software, the Samba daemons
-<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>, host-based
-access control, authentication and per-user access control, file
-services, and browsing. The tests are described in considerable
-detail to make them understandable by both technically oriented end
-users and experienced systems and network administrators.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.1"/>
-
-<h3 class="head3">Testing the networking software with ping</h3>
-
-<p><a name="INDEX-35"/>The first command to enter
-on both the server and the client is
-<tt class="literal">ping</tt><a name="INDEX-36"/><a name="INDEX-37"/>
-<tt class="literal">127.0.0.1</tt>. This pings the loopback address and
-indicates whether any networking support is functioning. On Unix, you
-can use <tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> with the
-statistics option and interrupt it after a few lines. On Sun
-workstations, the command is typically
-<tt class="literal">/usr/etc/ping</tt> <tt class="literal">-s</tt>
-<tt class="literal">127.0.0.1</tt>; on Linux, just <tt class="literal">ping</tt>
-<tt class="literal">127.0.0.1</tt>. On Windows clients, run
-<tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> in an MS-DOS
-(command prompt) window, and it will stop by itself after four lines.</p>
-
-<p>Here is an example on a Linux server:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ping 127.0.0.1 </b></tt>
-PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1):
-icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1):
-icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1):
-icmp-seq=2. time=1. ms ^C
-----127.0.0.1 PING Statistics----
-3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)
-min/avg/max = 0/0/1</pre></blockquote>
-
-<p>If you get &quot;ping: no answer from . . .
-&quot; or &quot;100% packet
-loss,&quot; you have no IP networking installed on the
-system. The address <tt class="literal">127.0.0.1</tt> is the internal
-loopback address and doesn't depend on the computer
-being physically connected to a network. If this test fails, you have
-a serious local problem. TCP/IP either isn't
-installed or is seriously misconfigured. See your operating system
-documentation if it's a Unix server. If
-it's a Windows client, follow the instructions in
-<a href="ch03.html">Chapter 3</a> to install networking support.</p>
-
-<a name="samba2-CHP-12-NOTE-155"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>If <em class="emphasis">you're</em> the network manager,
-some good references are Craig Hunt's
-<em class="emphasis">TCP/IP Network Administration</em>, Chapter 11, and Craig Hunt and Robert Bruce
-Thompson's <em class="emphasis">Windows NT TCP/IP Network
-Administration</em>, both published by
-O'Reilly.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.2"/>
-
-<h3 class="head3">Testing local name services with ping</h3>
-
-<p><a name="INDEX-38"/>Next, try to ping
-<tt class="literal">localhost</tt> on the Samba server. The
-<tt class="literal">localhost</tt> hostname is the conventional hostname
-for the <tt class="literal">127.0.0.1</tt> loopback interface, and it
-should resolve to that address. After typing <tt class="literal">ping</tt>
-<tt class="literal">localhost</tt>, you should see output similar to the
-following:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ping localhost </b></tt>
-PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1):
-icmp-seq=0. time=0. ms 64 bytes from localhost (127.0.0.1):
-icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1):
-icmp-seq=2. time=0. ms ^C</pre></blockquote>
-
-<p>If this succeeds, try the same test on the client. Otherwise:</p>
-
-<ul><li>
-<p>If you get &quot;unknown host:
-localhost,&quot; there is a problem resolving the
-hostname <em class="filename">localhost</em> into a valid IP address.
-(This might be as simple as a missing entry in a local
-<em class="emphasis">hosts</em> file.) From here, skip down to
-<a href="ch03.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a> later in this chapter.</p>
-</li><li>
-<p>If you get &quot;ping: no answer,&quot; or
-&quot;100% packet loss,&quot; but pinging
-<tt class="literal">127.0.0.1</tt> worked, name services is resolving to an
-address, but it isn't the correct one. Check the
-file or database (typically <em class="filename">/etc/hosts</em> on a Unix
-system) that the name service is using to resolve addresses to ensure
-that the entry is correct.</p>
-</li></ul>
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.3"/>
-
-<h3 class="head3">Testing the networking hardware with ping</h3>
-
-<p><a name="INDEX-39"/>Next, ping the
-server's network IP address from itself. This should
-get you exactly the same results as pinging
-<tt class="literal">127.0.0.1</tt>:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ping 192.168.236.86 </b></tt>
-PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86):
-icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86):
-icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86):
-icmp-seq=2. time=1. ms ^C
-----192.168.236.86 PING Statistics----
-3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)
-min/avg/max = 0/0/1</pre></blockquote>
-
-<p>If this works on the server, repeat it for the client. Otherwise:</p>
-
-<ul><li>
-<p>If <tt class="literal">ping</tt> <em class="replaceable">network_ip</em>
-fails on either the server or client, but <tt class="literal">ping</tt>
-<tt class="literal">127.0.0.1</tt> works on that system, you have a TCP/IP
-problem that is specific to the Ethernet network interface card on
-the computer. Check with the documentation for the network card or
-host operating system to determine how to configure it correctly.
-However, be aware that on some operating systems, the
-<em class="emphasis">ping</em> command appears to work even if the network
-is disconnected, so this test doesn't always
-diagnose all hardware problems.</p>
-</li></ul>
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.4"/>
-
-<h3 class="head3">Testing connections with ping</h3>
-
-<p><a name="INDEX-40"/>Now, ping the server by name (instead
-of its IP address)&mdash;once from the server and once from the
-client. This is the general test for working network hardware:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ping server </b></tt>
-PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86):
-icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86):
-icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86):
-icmp-seq=2. time=1. ms ^C
-----server.example.com PING Statistics----
-3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)
-min/avg/max = 0/0/1</pre></blockquote>
-
-<p>If successful, this test tells us five things:</p>
-
-<ul><li>
-<p>The hostname (e.g., <tt class="literal">server</tt>) is being found by your
-local name server.</p>
-</li><li>
-<p>The hostname has been expanded to the full name (e.g.,
-<tt class="literal">server.example.com</tt>).</p>
-</li><li>
-<p>Its address is being returned (<tt class="literal">192.168.236.86</tt>).</p>
-</li><li>
-<p>The client has sent the Samba server four 56-byte UDP/IP packets.</p>
-</li><li>
-<p>The Samba server has replied to all four packets.</p>
-</li></ul>
-<p>If this test isn't successful, one of several things
-can be wrong with the network:</p>
-
-<ul><li>
-<p>First, if you get <tt class="literal">ping</tt>: <tt class="literal">no</tt>
-<tt class="literal">answer</tt>, or <tt class="literal">100%</tt>
-<tt class="literal">packet</tt> <tt class="literal">loss</tt>,
-you're not connecting to the network, the other
-system isn't connecting, or one of the addresses is
-incorrect. Check the addresses that the <em class="emphasis">ping</em>
-command reports on each system, and ensure that they match the ones
-you set up initially.</p>
-
-<p>If not, there is at least one mismatched address between the two
-systems. Try entering the command <tt class="literal">arp</tt>
-<tt class="literal">-a</tt>, and see if there is an entry for the other
-system. (The <em class="emphasis">arp</em> command stands for the Address
-Resolution Protocol. The <tt class="literal">arp</tt> <tt class="literal">-a</tt>
-command lists all the addresses known on the local system.) Here are
-some things to try:</p>
-<ul><li>
-<p>If you receive a message like <tt class="literal">192.168.236.86</tt>
-<tt class="literal">at</tt> <tt class="literal">(incomplete)</tt>, the Ethernet
-address of 192.168.236.86 is unknown. This indicates a complete lack
-of connectivity, and you're likely having a problem
-at the very bottom of the TCP/IP protocol stack&mdash;the Ethernet
-interface layer. This is discussed in Chapters 5 and 6 of
-<em class="citetitle">TCP/IP Network Administration
-</em>(O'Reilly).</p>
-</li><li>
-<p>If you receive a response similar to server
-<tt class="literal">(192.168.236.86)</tt> <tt class="literal">at</tt>
-<tt class="literal">8:0:20:12:7c:94</tt>, the server has been reached at
-some time, or another system is answering on its behalf. However,
-this means that <em class="emphasis">ping</em> should have worked: you may
-have an intermittent networking or ARP problem.</p>
-</li><li>
-<p>If the IP address from ARP doesn't match the
-addresses you expected, investigate and correct the addresses
-manually.</p>
-</li>
-</ul>
-</li>
-
-<li>
-<p>If each system can ping itself but not another, something is wrong on
-the network between them.</p>
-</li><li>
-<p>If you get <tt class="literal">ping</tt>: <tt class="literal">network</tt>
-<tt class="literal">unreachable</tt> or <tt class="literal">ICMP</tt>
-<tt class="literal">Host</tt> <tt class="literal">Unreachable</tt>,
-you're not receiving an answer, and more than one
-network is probably involved.</p>
-
-<p>In principle, you shouldn't try to troubleshoot SMB
-clients and servers on different networks. Try to test a server and
-client that are on the same network:</p>
-
-<ol><li>
-<p>First, perform the tests for <tt class="literal">ping</tt>:
-<tt class="literal">no</tt> <tt class="literal">answer</tt> described earlier in
-this section. If this doesn't identify the problem,
-the remaining possibilities are the following: an address is wrong,
-your netmask is wrong, a network is down, or the packets have been
-stopped by a firewall.</p>
-</li>
-<li>
-<p>Check both the address and the netmasks on source and destination
-systems to see if something is obviously wrong. Assuming both systems
-really are on the same network, they both should have the same
-netmasks, and <em class="emphasis">ping</em> should report the correct
-addresses. If the addresses are wrong, you'll need
-to correct them. If they are correct, the programs might be confused
-by an incorrect netmask. See <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter.</p>
-</li>
-<li>
-<p>If the commands are still reporting that the network is unreachable
-and neither of the previous two conditions are in error, one network
-really might be unreachable from the other. This, too, is an issue
-for the network manager.</p>
-</li></ol>
-</li><li>
-<p>If you get <tt class="literal">ICMP</tt>
-<tt class="literal">Administratively</tt> <tt class="literal">Prohibited</tt>,
-you've struck a firewall of some sort or a
-misconfigured router. You will need to speak to your network security
-officer.</p>
-</li><li>
-<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
-<tt class="literal">redirect</tt> and <em class="emphasis">ping</em> reports
-packets getting through, this is generally harmless:
-you're simply being rerouted over the network.</p>
-</li><li>
-<p>If you get a host redirect and no <em class="emphasis">ping</em>
-responses, you are being redirected, but no one is responding. Treat
-this just like the <tt class="literal">Network</tt>
-<tt class="literal">unreachable</tt> response, and check your addresses and
-netmasks.</p>
-</li><li>
-<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
-<tt class="literal">Unreachable</tt> <tt class="literal">from</tt>
-<tt class="literal">gateway</tt> <tt class="literal">gateway</tt>
-<tt class="literal">name</tt>, ping packets are being routed to another
-network, but the other system isn't responding and
-the router is reporting the problem on its behalf. Again, treat this
-like a <tt class="literal">Network</tt> <tt class="literal">unreachable</tt>
-response, and start checking addresses and netmasks.</p>
-</li><li>
-<p>If you get <tt class="literal">ping</tt>: <tt class="literal">unknown</tt>
-<tt class="literal">host</tt> <tt class="literal">hostname</tt>, your
-system's name is not known. This tends to indicate a
-name service problem, which didn't affect
-<tt class="literal">localhost</tt>. Have a look at <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
-</li><li>
-<p>If you get a partial success&mdash;with some pings failing but others
-succeeding&mdash;you have either an intermittent problem between the
-systems or an overloaded network. Ping a bit longer, and see if more
-than about three percent of the packets fail. If so, check it with
-your network manager: a problem might just be starting. However, if
-only a few fail, or if you happen to know some massive network
-program is running, don't worry unduly. The ICMP
-(and UDP) protocols used by <em class="emphasis">ping</em> are allowed to
-drop occasional packets.</p>
-</li><li>
-<p>If you get a response such as <tt class="literal">smtsvr.antares.net</tt>
-<tt class="literal">is</tt> <tt class="literal">alive</tt> when you actually
-pinged <tt class="literal">client.example.com</tt>, either
-you're using someone else's address
-or the system has multiple names and addresses. If the address is
-wrong, the name service is clearly the culprit;
-you'll need to change the address in the name
-service database to refer to the correct system. This is discussed in
-<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this
-chapter.</p>
-
-<p>Servers are often <em class="emphasis">multihomed</em> &mdash;i.e.,
-connected to more than one network, with different names on each net.
-If you are getting a response from an unexpected name on a multihomed
-server, look at the address and see if it's on your
-network (see <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter). If
-so, you should use that address, rather than one on a different
-network, for both performance and reliability reasons.</p>
-
-<p>Servers can also have multiple names for a single Ethernet address,
-especially if they are web servers. This is harmless, albeit
-startling. You probably will want to use the official (and permanent)
-name, rather than an alias that might change.</p>
-</li><li>
-<p>If everything works but the IP address reported is
-<tt class="literal">127.0.0.1</tt>, you have a name service error. This
-typically occurs when an operating-system installation program
-generates an <em class="filename">/etc/hosts</em> line similar to
-<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
-<em class="emphasis">hostname.domainname</em>. The localhost line should
-say <tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> or
-<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
-<tt class="literal">loghost</tt>. Correct it, lest it cause failures to
-negotiate who is the master browse list holder and who is the master
-browser. It can also cause (ambiguous) errors in later tests.</p>
-</li></ul>
-<p>If this worked from the server, repeat it from the client. <a name="INDEX-41"/>
-<a name="INDEX-42"/><a name="INDEX-43"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-2.3"/>
-
-<h3 class="head2">Troubleshooting TCP</h3>
-
-<p><a name="INDEX-44"/><a name="INDEX-45"/>Now that
-you've tested IP, UDP, and a name service with
-<em class="emphasis">ping</em>, it's time to test TCP.
-Browsing and <em class="emphasis">ping</em> use ICMP and UDP; file and
-print services (shares) use TCP. Both depend on IP as a lower layer,
-and all four depend on name services. Testing TCP is most
-conveniently done using the FTP program.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.3.1"/>
-
-<h3 class="head3">Testing TCP with FTP</h3>
-
-<p>Try connecting via FTP, once from the server to itself, and once from
-the client to the server:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ftp server</b></tt>
-Connected to server.example.com.
-220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready.
- Name (server:davecb):
-331 Password required for davecb.
-Password:
-230 User davecb logged in.
- ftp&gt;<tt class="userinput"><b> quit </b></tt>
-221 Goodbye.</pre></blockquote>
-
-<p>If this worked, skip to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>. Otherwise:</p>
-
-<ul><li>
-<p>If you received the message <tt class="literal">server</tt>:
-<tt class="literal">unknown</tt> <tt class="literal">host</tt>, name service has
-failed. Go back to the corresponding <em class="emphasis">ping</em> step,
-<a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>, and rerun those tests
-to see why name lookup failed.</p>
-</li><li>
-<p>If you received <tt class="literal">ftp</tt>: <tt class="literal">connect</tt>:
-<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the system
-isn't running an FTP daemon. This is mildly unusual
-on Unix servers. Optionally, you might try this test by connecting to
-the system using <em class="emphasis">telnet</em> instead of
-<em class="emphasis">ftp</em>; the messages are very similar, and
-<em class="emphasis">telnet</em> uses TCP as well.</p>
-</li><li>
-<p>If there was a long pause, and then <tt class="literal">ftp</tt>:
-<tt class="literal">connect</tt>: <tt class="literal">Connection</tt>
-<tt class="literal">timed</tt> <tt class="literal">out</tt>, the system
-isn't reachable. Return to <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>.</p>
-</li><li>
-<p>If you received <tt class="literal">530</tt> <tt class="literal">Logon</tt>
-<tt class="literal">Incorrect</tt>, you connected successfully, but
-you've just found a different problem. You likely
-provided an incorrect username or password. Try again, making sure
-you use your username from the Unix server and type your password
-correctly.</p>
-</li></ul>
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-2.4"/>
-
-<h3 class="head2">Troubleshooting Server Daemons</h3>
-
-<p><a name="INDEX-46"/>Once
-you've confirmed that TCP networking is working
-properly, the next step is to make sure the daemons are running on
-the server. This takes three separate tests because no single one of
-the following will decisively prove that they're
-working correctly.</p>
-
-<p>To be sure they're running, you need to find out
-whether the daemons:</p>
-
-<ol><li>
-<p>Have started</p>
-</li><li>
-<p>Are registered or bound to a TCP/IP port by the operating system</p>
-</li><li>
-<p>Are actually paying attention</p>
-</li></ol>
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.1"/>
-
-<h3 class="head3">Tracking daemon startup</h3>
-
-<p><a name="INDEX-47"/>First, check the Samba logs. If
-you've started the daemons, the message
-<tt class="literal">smbd</tt> <tt class="literal">version</tt>
-<tt class="literal">number</tt> <tt class="literal">started</tt> should appear.
-If it doesn't, you need to restart the Samba
-daemons.</p>
-
-<p>If the daemon reports that it has indeed started, look out for
-<tt class="literal">bind</tt> <tt class="literal">failed</tt>
-<tt class="literal">on</tt> <tt class="literal">port</tt> <tt class="literal">139</tt>
-<tt class="literal">socket_addr=0</tt> <tt class="literal">(Address</tt>
-<tt class="literal">already</tt> <tt class="literal">in</tt>
-<tt class="literal">use)</tt>. This means another daemon has been started
-on port 139 (<em class="emphasis">smbd</em> ). Also,
-<em class="emphasis">nmbd</em> will report a similar failure if it cannot
-bind to port 137. Either you've started them twice,
-or the <em class="emphasis">inetd</em> server has tried to provide a
-daemon for you. If it's the latter,
-we'll diagnose that in a moment.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.2"/>
-
-<h3 class="head3">Looking for daemon processes with ps</h3>
-
-<p><a name="INDEX-48"/>Another way to make sure the daemons are
-running is to check their processes on the system. Use the
-<em class="emphasis">ps</em><a name="INDEX-49"/> command on the server with the
-&quot;long&quot; option for your system type
-(commonly <tt class="literal">ps</tt> <tt class="literal">ax</tt> or
-<tt class="literal">ps</tt> <tt class="literal">-ef</tt>), and see whether
-<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> are already
-running. This often looks like the following:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ps ax</b></tt>
- PID TTY STAT TIME COMMAND
- 1 ? S 0:03 init [2]
- 2 ? SW 0:00 (kflushd)
-<i class="lineannotation">(...many lines of processes...) </i>
- 234 ? S 0:14 nmbd -D3
- 237 ? S 0:11 smbd -D3
-<i class="lineannotation">(...more lines, possibly including more smbd lines...)</i></pre></blockquote>
-
-<p>This example illustrates that <em class="emphasis">smbd</em> and
-<em class="emphasis">nmbd</em> have already started as standalone daemons
-(the <em class="emphasis">-D</em> option) at log level 3.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.3"/>
-
-<h3 class="head3">Looking for daemons bound to ports</h3>
-
-<p><a name="INDEX-50"/>Next, the daemons have to be registered
-with the operating system so that they can get access to TCP/IP
-ports. The <em class="emphasis">netstat</em> command will tell you if this
-has been done. Run the command <tt class="literal">netstat</tt>
-<tt class="literal">-a</tt> on the server, and look for lines mentioning
-<tt class="literal">netbios</tt>, <tt class="literal">137</tt>, or
-<tt class="literal">139</tt>:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>netstat -a </b></tt>
-Active Internet connections (including servers)
-Proto Recv-Q Send-Q Local Address Foreign Address (state)
-udp 0 0 *.137 *.*
-tcp 0 0 *.139 *.* LISTEN
-tcp 8370 8760 server.139 client.1439 ESTABLISHED</pre></blockquote>
-
-<p>Among similar lines, there should be at least one UDP line for
-<tt class="literal">*.netbios-</tt> or <tt class="literal">*.137</tt>. This
-indicates that the <em class="emphasis">nmbd</em> server is registered and
-(we hope) is waiting to answer requests. There should also be at
-least one TCP line mentioning <tt class="literal">*.netbios-</tt> or
-<tt class="literal">*.139</tt>, and it will probably be in the LISTEN
-state. This means that <em class="emphasis">smbd</em> is up and listening
-for connections.</p>
-
-<p>There might be other TCP lines indicating connections from
-<em class="emphasis">smbd</em> to clients, one for each client. These are
-usually in the ESTABLISHED state. If there are
-<em class="emphasis">smbd</em> lines in the ESTABLISHED state,
-<em class="emphasis">smbd</em> is definitely running. If there is only one
-line in the LISTEN state, we're not sure yet. If
-both of the lines are missing, a daemon has not succeeded in
-starting, so it's time to check the logs and then go
-back to <a href="ch02.html">Chapter 2</a>.</p>
-
-<p>If there is a line for each client, it might be coming either from a
-Samba daemon or from the master IP daemon,
-<em class="emphasis">inetd</em>. It's quite possible that
-your <em class="emphasis">inetd</em> startup file contains lines that
-start Samba daemons without your realizing it; for instance, the
-lines might have been placed there if you installed Samba as part of
-a Linux distribution. The daemons started by
-<em class="emphasis">inetd</em> prevent ours from running. This problem
-typically produces log messages such as <tt class="literal">bind</tt>
-<tt class="literal">failed</tt> <tt class="literal">on</tt>
-<tt class="literal">port</tt> <tt class="literal">139</tt>
-<tt class="literal">socket</tt> <tt class="literal">addr=0</tt>
-<tt class="literal">(Address</tt> <tt class="literal">already</tt>
-<tt class="literal">in</tt> <tt class="literal">use)</tt>.</p>
-
-<p>Check your <em class="filename">/etc/inetd.conf</em> ; unless
-you're intentionally starting the daemons from
-there, <tt class="literal">netbios-ns</tt> (UDP port 137) or
-<tt class="literal">netbios-ssn</tt> (tcp port 139) servers should be
-mentioned there. If your system is providing an SMB daemon via
-<em class="emphasis">inetd</em>, lines such as the following will appear
-in the <em class="filename">inetd.conf</em> file:</p>
-
-<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
-netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></blockquote>
-
-<p>If your system uses <em class="emphasis">xinetd</em> instead of
-<em class="emphasis">inetd</em>, see <a href="ch02.html">Chapter 2</a> for
-details concerning its configuration.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.4"/>
-
-<h3 class="head3">Checking smbd with telnet</h3>
-
-<p><a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>Ironically, the easiest way to test that
-the <em class="emphasis">smbd</em> server is actually working is to send
-it a meaningless message and see if it is rejected. Try something
-such as the following:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>echo &quot;hello&quot; | telnet localhost 139 </b></tt>
-Trying
-Trying 192.168.236.86 ...
-Connected to localhost. Escape character is '^]'.
-Connection closed by foreign host.</pre></blockquote>
-
-<p>This sends an erroneous but harmless message to
-<em class="emphasis">smbd</em>. If you get a <tt class="literal">Connected</tt>
-message followed by a <tt class="literal">Connection</tt>
-<tt class="literal">closed</tt> message, the test was a success. You have
-an <em class="emphasis">smbd</em> daemon listening on the port and
-rejecting improper connection messages. On the other hand, if you get
-<tt class="literal">telnet</tt>: <tt class="literal">connect</tt>:
-<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, most likely
-no daemon is present. Check the logs and go back to <a href="ch02.html">Chapter 2</a>.</p>
-
-<p>Regrettably, there isn't an easy test for
-<em class="emphasis">nmbd</em>. If the <em class="emphasis">telnet</em> test
-and the <em class="emphasis">netstat</em> test both say that an
-<em class="emphasis">smbd</em> is running, there is a good chance that
-<em class="emphasis">netstat</em> will also be correct about
-<em class="emphasis">nmbd</em> running.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.5"/>
-
-<h3 class="head3">Testing daemons with testparm</h3>
-
-<p><a name="INDEX-54"/><a name="INDEX-55"/>Once you know
-there's a daemon, you should always run
-<em class="emphasis">testparm</em>, in hopes of getting something such as
-the following:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>testparm </b></tt>
-Load smb config files from /opt/samba/lib/smb.conf
-Processing section &quot;[homes]&quot;
-Processing section &quot;[printers]&quot; ...
-Processing section &quot;[tmp]&quot;
-Loaded services file OK. ...</pre></blockquote>
-
-<p>The <em class="emphasis">testparm</em> program normally reports the
-processing of a series of sections and responds with
-<tt class="literal">Loaded</tt> <tt class="literal">services</tt>
-<tt class="literal">file</tt> <tt class="literal">OK</tt> if it succeeds. If not,
-it reports one or more of the following messages, which also appear
-in the logs as noted:</p>
-
-<dl>
-<dt><b>Allow/Deny connection from account (n) to service</b></dt>
-<dd>
-<p>A <em class="emphasis">testparm</em>-only message produced if you have
-<tt class="literal">valid</tt> <tt class="literal">user</tt> or
-<tt class="literal">invalid</tt> <tt class="literal">user</tt> options set in
-your <em class="emphasis">smb.conf</em>. You will want to make sure that
-you are on the valid user list, and that <tt class="literal">root</tt>,
-<tt class="literal">bin</tt>, etc., are on the invalid user list. If you
-don't, you will not be able to connect, or users who
-shouldn't <em class="emphasis">will</em> be able to.</p>
-</dd>
-
-
-
-<dt><b>Warning: You have some share names that are longer than eight chars</b></dt>
-<dd>
-<p>For anyone using Windows for Workgroups and older clients. They fail
-to connect to shares with long names, producing an overflow message
-that sounds confusingly like a memory overflow.</p>
-</dd>
-
-
-
-<dt><b>Warning: [name] service MUST be printable!</b></dt>
-<dd>
-<p>A printer share lacks a <tt class="literal">printable</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> option.</p>
-</dd>
-
-
-
-<dt><b>No path in service name using [name]</b></dt>
-<dd>
-<p>A file share doesn't know which directory to provide
-to the user, or a print share doesn't know which
-directory to use for spooling. If no path is specified, the service
-will try to run with a path of <em class="emphasis">/tmp</em>, which might
-not be what you want.</p>
-</dd>
-
-
-
-<dt><b>Note: Servicename is flagged unavailable</b></dt>
-<dd>
-<p>Just a reminder that you have used the <tt class="literal">available</tt>
-<tt class="literal">=</tt> <tt class="literal">no</tt> option in a share.</p>
-</dd>
-
-
-
-<dt><b>Can't find include file [name] </b></dt>
-<dd>
-<p>A configuration file referred to by an <tt class="literal">include</tt>
-option did not exist. If you were including the file unconditionally,
-this is an error and probably a serious one: the share will not have
-the configuration you intended. If you were including it based on one
-of the <tt class="literal">%</tt> variables, such as <tt class="literal">%a</tt>
-(architecture), you will need to decide whether, for example, a
-missing Windows for Workgroups configuration file is a problem. It
-often isn't.</p>
-</dd>
-
-
-
-<dt><b>Can't copy service name, unable to copy to itself</b></dt>
-<dd>
-<p>You tried to copy an <em class="filename">smb.conf</em> section into
-itself.</p>
-</dd>
-
-
-
-<dt><b>Unable to copy service&mdash;source not found: [name]</b></dt>
-<dd>
-<p>Indicates a missing or misspelled section in a
-<tt class="literal">copy</tt> <tt class="literal">=</tt> option.</p>
-</dd>
-
-
-
-<dt><b>Ignoring unknown parameter name </b></dt>
-<dd>
-<p>Typically indicates an obsolete, misspelled, or unsupported option.</p>
-</dd>
-
-
-
-<dt><b>Global parameter name found in service section </b></dt>
-<dd>
-<p>Indicates that a global-only parameter has been used in an individual
-share. Samba ignores the parameter.</p>
-</dd>
-
-</dl>
-
-<p>After the <em class="emphasis">testparm</em> test, repeat it with
-(exactly) three parameters: the name of your
-<em class="filename">smb.conf</em> file, the name of your client, and its
-IP address:</p>
-
-<blockquote><pre class="code"># <tt class="userinput"><b>testparm /usr/local/samba/lib/smb.conf client 192.168.236.10</b></tt></pre></blockquote>
-
-<p>This will run one more test that checks the hostname and address
-against <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options and might
-produce the <tt class="literal">Allow</tt> <tt class="literal">connection</tt>
-<tt class="literal">from</tt> <tt class="literal">hostname</tt>
-<tt class="literal">to</tt> <tt class="literal">service</tt> and/or
-<tt class="literal">Deny</tt> <tt class="literal">connection</tt>
-<tt class="literal">from</tt> <tt class="literal">hostname</tt>
-<tt class="literal">to</tt> <tt class="literal">service</tt> messages for the
-client system. These messages indicate that you have
-<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and/or
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options in your
-<em class="filename">smb.conf</em>, and they prohibit access from the
-client system. <a name="INDEX-56"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-2.5"/>
-
-<h3 class="head2">Troubleshooting SMB Connections</h3>
-
-<p><a name="INDEX-57"/><a name="INDEX-58"/>Now
-that you know the servers are up, you need to make sure
-they're running properly. We start by placing a
-simple <em class="filename">smb.conf</em> file in the
-<em class="filename">/usr/local/samba/lib</em> directory.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.1"/>
-
-<h3 class="head3">A minimal smb.conf file</h3>
-
-<p>In the following tests, we assume you have a
-<tt class="literal">[temp]</tt> share suitable for testing, plus at least
-one account. An <em class="filename">smb.conf</em> file that includes just
-these is as follows:</p>
-
-<blockquote><pre class="code">[global]
- workgroup = <em class="replaceable">EXAMPLE</em>
- security = user
- browsable = yes
- local master = yes
-[homes]
- guest ok = no
- browsable = no
-[temp]
- path = /tmp
- public = yes</pre></blockquote>
-<a name="samba2-CHP-12-NOTE-156"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
-<p>The <tt class="literal">public</tt> <tt class="literal">=</tt>
-<tt class="literal">yes</tt> option in the <tt class="literal">[temp]</tt> share
-is just for testing. You probably don't want people
-without accounts storing things on your Samba server, so you should
-comment it out when you're done.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.2"/>
-
-<h3 class="head3">Testing locally with smbclient</h3>
-
-<p><a name="INDEX-59"/><a name="INDEX-60"/>The first test is to ensure that the
-server can list its own services (shares). Run the command
-<tt class="literal">smbclient</tt> <em class="emphasis">-L</em>
-<tt class="literal">localhost</tt> <tt class="literal">-U%</tt> to connect to the
-server from itself, and specify the guest user. You should see the
-following:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L localhost -U% </b></tt>
-Server time is Wed May 27 17:57:40 2002 Timezone is UTC-4.0
-Server=[localhost]
-User=[davecb]
-Workgroup=[EXAMPLE]
-Domain=[EXAMPLE]
- Sharename Type Comment
- --------- ----- ----------
- temp Disk
- IPC$ IPC IPC Service (Samba 1.9.18)
- homes Disk Home directories
-This machine does not have a browse list</pre></blockquote>
-
-<p>If you received this output, move on to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>. On the other hand, if you
-receive an error, check the following:</p>
-
-<ul><li>
-<p>If you get <tt class="literal">Get_hostbyname</tt>:
-<tt class="literal">unknown</tt> <tt class="literal">host</tt>
-<tt class="literal">localhost</tt>, either you've spelled
-its name wrong or there actually is a problem (which should have been
-seen back in <a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>). In the
-latter case, move on to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
-</li><li>
-<p>If you get <tt class="literal">Connect</tt> <tt class="literal">error</tt>:
-<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the server
-was found, but it wasn't running an
-<em class="emphasis">nmbd</em> daemon. Skip back to
-<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>,
-earlier in this chapter, and retest the daemons.</p>
-</li><li>
-<p>If you get the message <tt class="literal">Your</tt>
-<tt class="literal">server</tt> <tt class="literal">software</tt>
-<tt class="literal">is</tt> <tt class="literal">being</tt>
-<tt class="literal">unfriendly</tt>, the initial session request packet got
-a garbage response from the server. The server might have crashed or
-started improperly. The common causes of this can be discovered by
-scanning the logs for the following:</p>
-<ul><li>
-<p>Invalid command-line parameters to <em class="emphasis">smbd</em> ; see
-the <em class="emphasis">smbd</em> manual page.</p>
-</li><li>
-<p>A fatal problem with the <em class="filename">smb.conf</em> file that
-prevents the startup of <em class="emphasis">smbd</em>. Always check your
-changes with <em class="emphasis">testparm</em>, as was done in <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>, earlier in this chapter.</p>
-</li><li>
-<p>Missing directories where Samba is supposed to keep its log and lock
-files.</p>
-</li><li>
-<p>The presence of a server already on the port (139 for
-<em class="emphasis">smbd</em>, 137 for <em class="emphasis">nmbd</em> ),
-preventing the daemon from starting.</p>
-</li></ul>
-</li>
-<li>
-<p>If you're using <em class="emphasis">inetd</em> (or
-xinetd ) instead of standalone daemons, be sure to check your
-<em class="filename">/etc/inetd.conf</em> (or xinetd configuration files)
-and <em class="filename">/etc/services</em> entries against their manual
-pages for errors as well.</p>
-</li><li>
-<p>If you get a <tt class="literal">Password</tt>: prompt, your guest account
-is not set up properly. The <em class="emphasis">-U%</em> option tells
-<em class="emphasis">smbclient</em> to do a &quot;null
-login,&quot; which requires that the guest account be
-present but does not require it to have any privileges.</p>
-</li><li>
-<p>If you get the message <tt class="literal">SMBtconX</tt>
-<tt class="literal">failed</tt>. <tt class="literal">ERRSRV--ERRaccess</tt>, you
-aren't permitted access to the server. This normally
-means you have a <tt class="literal">hosts</tt> <tt class="literal">allow</tt>
-option that doesn't include the server or a
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.
-Recheck with the command <tt class="literal">testparm</tt>
-<tt class="literal">smb.conf</tt> <em class="replaceable">your_hostname</em>
-<em class="replaceable">your_ip_address</em> (see
-<a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>),
-and correct any unintended prohibitions.</p>
-</li></ul>
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.3"/>
-
-<h3 class="head3">Testing connections with smbclient</h3>
-
-<p><a name="INDEX-61"/><a name="INDEX-62"/>Run the command
-<tt class="literal">smbclient</tt>
-<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
-to connect to the server's <tt class="literal">[temp]</tt>
-share and to see if you can connect to a file service. You should get
-the following response:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient '\\server\temp' </b></tt>
-Server time is Tue May 5 09:49:32 2002 Timezone is UTC-4.0 Password:
-<b class="emphasis-bold">smb: \&gt; quit</b></pre></blockquote>
-<p>You might receive the following errors:</p>
-
-<ul><li>
-<p>If you get <tt class="literal">Get_Hostbyname</tt>:
-<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
-<tt class="literal">name</tt>, <tt class="literal">Connect</tt>
-<tt class="literal">error</tt>: <tt class="literal">Connection</tt>
-<tt class="literal">refused</tt>, or <tt class="literal">Your</tt>
-<tt class="literal">server</tt> <tt class="literal">software</tt>
-<tt class="literal">is</tt> <tt class="literal">being</tt>
-<tt class="literal">unfriendly</tt>, see the previous section,
-<a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, for
-the diagnoses.</p>
-</li><li>
-<p>If you get the message <tt class="literal">servertemp</tt>:
-<tt class="literal">Not</tt> <tt class="literal">enough</tt>
-<tt class="literal">`\</tt>'
-<tt class="literal">characters</tt> <tt class="literal">in</tt>
-<tt class="literal">service</tt>, you likely didn't quote
-the address, so Unix stripped off backslashes. You can also write the
-command:</p>
-
-<blockquote><pre class="code">smbclient \\\\<em class="replaceable">server</em>\\temp</pre></blockquote>
-
-<p>or:</p>
-<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/temp</pre></blockquote>
-</li>
-</ul>
-<p>Now, provide your Unix account password to the
-<tt class="literal">Password</tt>: prompt. If you then get an
-<tt class="literal">smb</tt>: <tt class="literal">\&gt;</tt> prompt, it worked.
-Enter <tt class="literal">quit</tt> and continue on to the next section,
-<a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If
-you got <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
-<tt class="literal">ERRSRV--ERRinvnetname</tt>, the problem can be any of
-the following:</p>
-
-<ul><li>
-<p>A wrong share name: you might have spelled it wrong, it might be too
-long, it might be in mixed case, or it might not be available. Check
-that it's what you expect with
-<em class="emphasis">testparm</em> (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
-</li><li>
-<p>A <tt class="literal">security</tt> <tt class="literal">=</tt>
-<tt class="literal">share</tt> parameter in your Samba configuration file,
-in which case you might have to add <tt class="literal">-U</tt>
-<em class="replaceable">your_account</em> to the
-<em class="emphasis">smbclient</em> command.</p>
-</li><li>
-<p>An erroneous username.</p>
-</li><li>
-<p>An erroneous password.</p>
-</li><li>
-<p>An <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
-<tt class="literal">valid</tt> <tt class="literal">users</tt> option in your
-<em class="emphasis">smb.conf</em> file that doesn't
-allow your account to connect. Recheck using
-<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
-<em class="replaceable">your_hostname your_ip_address</em> (see the
-earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
-</li><li>
-<p>A <tt class="literal">valid</tt> <tt class="literal">hosts</tt> option that
-doesn't include the server, or an
-<tt class="literal">invalid</tt> <tt class="literal">hosts</tt> option that does.
-Also test this with <em class="emphasis">testparm</em>.</p>
-</li><li>
-<p>A problem in authentication, such as if shadow passwords or the
-Password Authentication Module (PAM) is used on the server, but Samba
-is not compiled to use it. This is rare, but it occasionally happens
-when a SunOS 4 Samba binary (with no shadow passwords) is run without
-recompilation on a Solaris system (with shadow passwords).</p>
-</li><li>
-<p>The <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> option is in the
-configuration file, but no password for your account is in the
-<em class="emphasis">smbpasswd</em> file.</p>
-</li><li>
-<p>You have a null password entry, either in Unix
-<em class="filename">/etc/passwd</em> or in the
-<em class="emphasis">smbpasswd</em> file.</p>
-</li><li>
-<p>You are connecting to <tt class="literal">[temp]</tt>, and you do not have
-the <tt class="literal">guest</tt> <tt class="literal">ok</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> option in the
-<tt class="literal">[temp]</tt> section of the
-<em class="emphasis">smb.conf</em> file.</p>
-</li><li>
-<p>You are connecting to <tt class="literal">[temp]</tt> before connecting to
-your home directory, and your guest account isn't
-set up correctly. If you can connect to your home directory and then
-connect to <tt class="literal">[temp]</tt>, that's the
-problem. See <a href="ch02.html">Chapter 2</a> for more information on
-creating a basic Samba configuration file.</p>
-
-<p>A bad guest account will also prevent you from printing or browsing
-until after you've logged in to your home directory.</p>
-</li></ul>
-<p>There is one more reason for this failure that has nothing at all to
-do with passwords: the <tt class="literal">path</tt> parameter in your
-<em class="filename">smb.conf</em> file might point somewhere that
-doesn't exist. This will not be diagnosed by
-<em class="emphasis">testparm</em>, and most SMB clients
-can't distinguish it from other types of bad user
-accounts. You will have to check it manually.</p>
-
-<p>Once you have connected to <tt class="literal">[temp]</tt> successfully,
-repeat the test, this time logging in to your home directory (e.g.,
-map network drive
-<em class="replaceable">server</em><tt class="literal">\davecb</tt>). If you
-have to change anything to get that to work, retest
-<tt class="literal">[temp]</tt> again afterward.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.4"/>
-
-<h3 class="head3">Testing connections with net use</h3>
-
-<p><a name="INDEX-63"/><a name="INDEX-64"/>Run the command
-<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">*</tt>
-<tt class="literal">\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
-on the Windows client to see if it can connect to the server. You
-should be prompted for a password, then receive the response
-<tt class="literal">The</tt> <tt class="literal">command</tt>
-<tt class="literal">was</tt> <tt class="literal">completed</tt>
-<tt class="literal">successfully</tt>.</p>
-
-<p>If that worked, continue with the steps in the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.5">Section 12.2.5.5</a>. Otherwise:</p>
-
-<ul><li>
-<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
-<tt class="literal">shared</tt> <tt class="literal">directory</tt>
-<tt class="literal">cannot</tt> <tt class="literal">be</tt>
-<tt class="literal">found</tt>, or <tt class="literal">Cannot</tt>
-<tt class="literal">locate</tt> <tt class="literal">specified</tt>
-<tt class="literal">share</tt> <tt class="literal">name</tt>, the directory name
-is either misspelled or not in the <em class="emphasis">smb.conf</em>
-file. This message can also warn of a name that is in mixed case,
-including spaces, or that is longer than eight characters.</p>
-</li><li>
-<p>If you get <tt class="literal">The</tt> <tt class="literal">computer</tt>
-<tt class="literal">name</tt> <tt class="literal">specified</tt>
-<tt class="literal">in</tt> <tt class="literal">the</tt>
-<tt class="literal">network</tt> <tt class="literal">path</tt>
-<tt class="literal">cannot</tt> <tt class="literal">be</tt>
-<tt class="literal">located</tt> or <tt class="literal">Cannot</tt>
-<tt class="literal">locate</tt> <tt class="literal">specified</tt>
-<tt class="literal">computer</tt>, the directory name has been misspelled,
-the name service has failed, there is a networking problem, or the
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option includes your
-host.</p>
-<ul><li>
-<p>If it is not a spelling mistake, you need to double back at least to
-<a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a> to
-investigate why it doesn't connect.</p>
-</li><li>
-<p>If <em class="emphasis">smbclient</em> does work, there is a name service
-problem with the client name service, and you need to go forward to
-<a href="ch12.html#samba2-CHP-12-SECT-2.6.2">Section 12.2.6.2</a> and see if
-you can look up both the client and server with
-<em class="emphasis">nmblookup</em>.</p>
-</li>
-</ul>
-</li>
-
-<li>
-<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
-<tt class="literal">is</tt> <tt class="literal">invalid</tt>
-<tt class="literal">for</tt> <tt class="literal">\server\username</tt>, your
-locally cached copy on the client doesn't match the
-one on the server. You will be prompted for a replacement.</p>
-
-<a name="samba2-CHP-12-NOTE-157"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Each Windows 95/98/Me client keeps a local
-<em class="emphasis">password</em> file, but it's really
-just a cached copy of the password it sends to Samba and NT/2000/XP
-servers to authenticate you. That's what is being
-prompted for here. You can still log on to a Windows system without a
-password (but not to NT/2000/XP).</p>
-</blockquote>
-
-<p>If you provide your password and it still fails, your password is not
-being matched on the server, you have a <tt class="literal">valid</tt>
-<tt class="literal">users</tt> or <tt class="literal">invalid</tt>
-<tt class="literal">users</tt> list denying you permission, NetBEUI is
-interfering, or the encrypted password problem described in the next
-paragraph exists.</p>
-</li><li>
-<p>If your client is Windows NT 4.0, NT 3.5 with Patch 3, Windows 95
-with Patch 3, Windows 98, any of these with Internet Explorer 4.0, or
-any subsequent version of Windows, the system will default to
-Microsoft encryption for passwords. In general, if you have installed
-a major Microsoft product on any of the older Windows versions, you
-might have applied an update and turned on encrypted passwords. If
-the client is defaulting to encrypted passwords, you will need to
-specify <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> in your Samba
-configuration file if you are using a version of Samba prior to Samba
-3.0.</p>
-
-<a name="samba2-CHP-12-NOTE-158"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Because of Internet Explorer's willingness to honor
-URLs such as <em class="filename">file://somehost/somefile</em> by making
-SMB connections, clients up to and including Windows 95 Patch Level 2
-would happily send your password, in plain text, to SMB servers
-anywhere on the Internet. This was considered a bad idea, and
-Microsoft switched to using only encrypted passwords in the SMB
-protocol. All subsequent releases of Microsoft's
-products have included this correction.</p>
-</blockquote>
-</li>
-
-<li>
-<p>If you have a mixed-case password on Unix, the client is probably
-sending it in all one case. If changing your password to all one case
-works, this was the problem. Regrettably, all but the oldest clients
-support uppercase passwords, so Samba will try once with the password
-in uppercase and once in lowercase. If you wish to use mixed-case
-passwords, see the <tt class="literal">password</tt>
-<tt class="literal">level</tt> option in <a href="ch09.html">Chapter 9</a> for a
-workaround.</p>
-</li><li>
-<p>You might have a <tt class="literal">valid</tt> <tt class="literal">users</tt>
-problem, as tested with <em class="emphasis">smbclient</em> (see the
-earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>).</p>
-</li><li>
-<p>You might have the NetBEUI protocol bound to the Microsoft client.
-This often produces long timeouts and erratic failures and is known
-to have caused failures to accept passwords in the past. Unless you
-absolutely need the NetBEUI protocol, remove it.</p>
-</li></ul>
-<a name="samba2-CHP-12-NOTE-159"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>The term &quot;bind&quot; is used here to
-mean connecting one piece of software to another. When configured
-correctly, the Microsoft SMB client is &quot;bound
-to&quot; TCP/IP in the bindings section of the TCP/IP
-properties panel under the Windows 95/98/Me Network icon in the
-Control Panel. TCP/IP in turn is bound to an Ethernet card. This is
-not the same sense of the word as binding an SMB daemon to a TCP/IP
-port.</p>
-</blockquote>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.5"/>
-
-<h3 class="head3">Testing connections with Windows Explorer</h3>
-
-<p><a name="INDEX-65"/><a name="INDEX-66"/>Start Windows Explorer
-(not Internet Explorer), select Map Network Drive from the Tools
-menu, and specify the UNC for one of your shares on the Samba server
-to see if you can make Explorer connect to it. If so,
-you've succeeded and can skip to the next section,
-<a href="ch12.html#samba2-CHP-12-SECT-2.6">Section 12.2.6</a>.</p>
-
-<p>Windows Explorer is a rather poor diagnostic tool: it tells you that
-something's wrong, but rarely what it is. If you get
-a failure, you'll need to track it down with the
-Windows <em class="emphasis">net use</em> command, which has far superior
-error reporting:</p>
-
-<ul><li>
-<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
-<tt class="literal">for</tt> <tt class="literal">this</tt>
-<tt class="literal">connection</tt> <tt class="literal">that</tt>
-<tt class="literal">is</tt> <tt class="literal">in</tt> <tt class="literal">your</tt>
-<tt class="literal">password</tt> <tt class="literal">file</tt>
-<tt class="literal">is</tt> <tt class="literal">no</tt> <tt class="literal">longer</tt>
-<tt class="literal">correct</tt>, you might have any of the following:</p>
-<ul><li>
-<p>Your locally cached copy on the client doesn't match
-the one on the server.</p>
-</li><li>
-<p>You didn't provide a username and password when
-logging on to the client. Some versions of Explorer will continue to
-send a null username and password, even if you provide a password.</p>
-</li><li>
-<p>You have misspelled the password.</p>
-</li><li>
-<p>You have an <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
-<tt class="literal">valid</tt> <tt class="literal">users</tt> list denying
-permission.</p>
-</li><li>
-<p>Your client is defaulting to encrypted passwords, but Samba is
-configured with the <tt class="literal">encrypt</tt>
-<tt class="literal">passwords</tt> <tt class="literal">=</tt>
-<tt class="literal">no</tt> configuration file parameter.</p>
-</li><li>
-<p>You have a mixed-case password, which the client is supplying in all
-one case.</p>
-</li>
-</ul>
-</li>
-<li>
-<p>If you get <tt class="literal">The</tt> <tt class="literal">network</tt>
-<tt class="literal">name</tt> <tt class="literal">is</tt>
-<tt class="literal">either</tt> <tt class="literal">incorrect</tt>,
-<tt class="literal">or</tt> <tt class="literal">a</tt> <tt class="literal">network</tt>
-<tt class="literal">to</tt> <tt class="literal">which</tt> <tt class="literal">you</tt>
-<tt class="literal">do</tt> <tt class="literal">not</tt> <tt class="literal">have</tt>
-<tt class="literal">full</tt> <tt class="literal">access</tt>, or
-<tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
-<tt class="literal">specified</tt> <tt class="literal">computer</tt>, you might
-have any of the following:</p>
-<ul><li>
-<p>Misspelled name</p>
-</li><li>
-<p>Malfunctioning service</p>
-</li><li>
-<p>Failed share</p>
-</li><li>
-<p>Networking problem</p>
-</li><li>
-<p>Bad <tt class="literal">path</tt> parameter in
-<em class="filename">smb.conf</em></p>
-</li><li>
-<p><tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that excludes
-you</p>
-</li>
-</ul>
-</li>
-<li>
-<p>If you get <tt class="literal">You</tt> <tt class="literal">must</tt>
-<tt class="literal">supply</tt> <tt class="literal">a</tt>
-<tt class="literal">password</tt> <tt class="literal">to</tt>
-<tt class="literal">make</tt> <tt class="literal">this</tt>
-<tt class="literal">connection</tt>, the password on the client is out of
-synchronization with the server, or this is the first time
-you've tried from this client system and the client
-hasn't cached it locally yet.</p>
-</li><li>
-<p>If you get <tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
-<tt class="literal">specified</tt> <tt class="literal">share</tt>
-<tt class="literal">name</tt>, you have a wrong share name or a syntax
-error in specifying it, a share name longer than eight characters, or
-one containing spaces or in mixed case.</p>
-</li></ul>
-<p>Once you can reliably connect to the share, try again, this time
-using your home directory. If you have to change something to get
-home directories working, retest with the first share, and vice
-versa, as we showed in the earlier section, &quot;Testing
-connections with net use.&quot; As always, if Explorer
-fails, drop back to that section and debug the connection there.
-<a name="INDEX-67"/><a name="INDEX-68"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-2.6"/>
-
-<h3 class="head2">Troubleshooting Browsing</h3>
-
-<p><a name="INDEX-69"/><a name="INDEX-70"/>Finally, we
-come to browsing. We've left this for last, not
-because it is the most difficult, but because it's
-both optional and partially dependent on a protocol that
-doesn't guarantee delivery of a packet. Browsing is
-hard to diagnose if you don't already know that all
-the other services are running.</p>
-
-<p>Browsing is purely optional: it's just a way to find
-the servers on your network and the shares that they provide. Unix
-has nothing of the sort and happily does without. Browsing also
-assumes all your systems are on a local area network (LAN) where
-broadcasts are allowable.</p>
-
-<p>First, the browsing mechanism identifies a system using the
-unreliable UDP protocol; it then makes a normal (reliable) TCP/IP
-connection to list the shares the system provides.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.1"/>
-
-<h3 class="head3">Testing browsing with smbclient</h3>
-
-<p><a name="INDEX-71"/><a name="INDEX-72"/>We'll start with
-testing the reliable connection first. From the server, try listing
-its own shares using <em class="emphasis">smbclient</em> with a
-<tt class="literal">-L</tt> option and your server's name.
-You should get something resembling the following:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L server</b></tt>
-Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server
-time is Tue Apr 28 09:57:28 2002 Timezone is UTC-4.0
-Password:
-Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.5]
-
- Sharename Type Comment
- --------- ---- -------
- cdrom Disk CD-ROM
- cl Printer Color Printer 1
- davecb Disk Home Directories
-
- Server Comment
- --------- -------
- SERVER Samba 2.2.5
-
- Workgroup Master
- --------- -------
- EXAMPLE SERVER</pre></blockquote>
-
-<ul><li>
-<p>If you didn't get a Sharename list, the server is
-not allowing you to browse any shares. This should not be the case if
-you've tested any of the shares with Windows
-Explorer or the <em class="emphasis">net use</em> command. If you
-haven't done the <tt class="literal">smbclient</tt>
-<tt class="literal">-L</tt> <tt class="literal">localhost</tt>
-<tt class="literal">-U%</tt> test yet (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), do it now. An erroneous
-guest account can prevent the shares from being seen. Also, check the
-<em class="filename">smb.conf</em> file to make sure you do not have the
-option <tt class="literal">browsable</tt> <tt class="literal">=</tt>
-<tt class="literal">no</tt> anywhere in it: we suggest using a minimal
-<em class="filename">smb.conf</em> file (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.1">Section 12.2.5.1</a>). You need to have
-<tt class="literal">browsable</tt> enabled (which is the default) to see
-the share.</p>
-</li><li>
-<p>If you didn't get a browse list, the server is not
-providing information about the systems on the network. At least one
-system on the net must support browse lists. Make sure you have
-<tt class="literal">local</tt> <tt class="literal">master</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
-<em class="filename">smb.conf</em> file if you want Samba to be the local
-master browser.</p>
-</li><li>
-<p>If you got a browse list but didn't get
-<em class="emphasis">/tmp</em>, you probably have a
-<em class="filename">smb.conf</em> problem. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>.</p>
-</li><li>
-<p>If you didn't get a workgroup list with your
-workgroup name in it, it is possible that your workgroup is set
-incorrectly in the <em class="filename">smb.conf</em> file.</p>
-</li><li>
-<p>If you didn't get a workgroup list at all, ensure
-that <tt class="literal">workgroup</tt> <tt class="literal">=</tt>
-<tt class="literal">EXAMPLE</tt> is present in the
-<em class="filename">smb.conf</em> file.</p>
-</li><li>
-<p>If you get nothing, try once more with the options
-<tt class="literal">-I</tt> <em class="emphasis">ip_address</em>
-<tt class="literal">-n</tt> <em class="emphasis">netbios_name</em>
-<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>
-<tt class="literal">-d3</tt> with the NetBIOS and workgroup name in
-uppercase. (The <tt class="literal">-d3</tt> option sets the log /debugging
-level to 3.) Then check the Samba logs for clues.</p>
-</li></ul>
-<p>If you're still getting nothing, you
-shouldn't have gotten this far; double back to at
-least <a href="ch12.html#samba2-CHP-12-SECT-2.3.1">Section 12.2.3.1</a>, or perhaps
-<a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. On the other hand:</p>
-
-<ul><li>
-<p>If you get <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
-<tt class="literal">ERRSRV--ERRaccess</tt>, you aren't
-permitted access to the server. This normally means you have a
-<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option that
-doesn't include the server or a
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.</p>
-</li><li>
-<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>, you
-presumably have one of the following:</p>
-<ul><li>
-<p>An incorrect <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line</p>
-</li><li>
-<p>An incorrect <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
-<tt class="literal">valid</tt> <tt class="literal">users</tt> line</p>
-</li><li>
-<p>A lowercase password and OS/2 or Windows for Workgroups clients</p>
-</li><li>
-<p>A missing or invalid guest account</p>
-</li></ul>
-<p>Check what your guest account is (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), change or comment out any
-<tt class="literal">hosts</tt> <tt class="literal">allow</tt>,
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt>,
-<tt class="literal">valid</tt> <tt class="literal">users</tt>, or
-<tt class="literal">invalid</tt> <tt class="literal">users</tt> lines, and verify
-your <em class="filename">smb.conf</em> file with
-<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
-<em class="replaceable">your_hostname your_ip_address</em> (see the
-earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
-</li><li>
-<p>If you get <tt class="literal">Connection</tt> <tt class="literal">refused</tt>,
-the <em class="emphasis">smbd</em> server is not running or has crashed.
-Check that it's up, running, and listening to the
-network with <em class="emphasis">netstat</em>. See the earlier section,
-<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>.</p>
-</li><li>
-<p>If you get <tt class="literal">Get_Hostbyname</tt>:
-<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
-<tt class="literal">name</tt>, you've made a spelling
-error, there is a mismatch between the Unix and NetBIOS hostname, or
-there is a name service problem. Start name service debugging as
-discussed in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If this works, suspect a
-name mismatch, and go to the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
-</li><li>
-<p>If you get <tt class="literal">Session</tt> <tt class="literal">request</tt>
-<tt class="literal">failed</tt>, the server refused the connection. This
-usually indicates an internal error, such as insufficient memory to
-fork a process.</p>
-</li><li>
-<p>If you get <tt class="literal">Your</tt> <tt class="literal">server</tt>
-<tt class="literal">software</tt> <tt class="literal">is</tt>
-<tt class="literal">being</tt> <tt class="literal">unfriendly</tt>, the initial
-session request packet received a garbage response from the server.
-The server might have crashed or started improperly. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, where the
-problem is first analyzed.</p>
-</li><li>
-<p>If you suspect the server is not running, go back to
-<a href="ch12.html#samba2-CHP-12-SECT-2.4.2">Section 12.2.4.2</a> to see why the server
-daemon isn't responding.</p>
-</li></ul>
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.2"/>
-
-<h3 class="head3">Testing the server with nmblookup</h3>
-
-<p><a name="INDEX-73"/><a name="INDEX-74"/>This will test the
-&quot;advertising&quot; system used for
-Windows name services and browsing. Advertising works by broadcasting
-one's presence or willingness to provide services.
-It is the part of browsing that uses an unreliable protocol (UDP) and
-works only on broadcast networks such as Ethernets. The
-<em class="emphasis">nmblookup</em> program broadcasts name queries for
-the hostname you provide and returns its IP address and the name of
-the system, much as <em class="emphasis">nslookup</em> does with DNS.
-Here, the <em class="emphasis">-d</em> (debug or log-level) and
-<em class="emphasis">-B</em> (broadcast address) options direct queries to
-specific systems.</p>
-
-<p>First, we check the server from itself. Run
-<em class="emphasis">nmblookup</em> with a <em class="emphasis">-B</em> option
-of your server's name (to tell it to send the query
-to the Samba server) and a parameter of <tt class="literal">_ _SAMBA_
-_</tt> as the symbolic name to look up. You should get:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -B server _ _SAMBA_ _</b></tt>
-Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0
-Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</pre></blockquote>
-
-<p>You should get the IP address of the server, followed by the name
-<tt class="literal">_ _SAMBA_ _</tt> , which means that the server has
-successfully advertised that it has a service called <tt class="literal">_
-_SAMBA_ _</tt> , and therefore at least part of NetBIOS name
-service works.</p>
-
-<ul><li>
-<p>If you get <tt class="literal">Name_query</tt> <tt class="literal">failed</tt>
-<tt class="literal">to</tt> <tt class="literal">find</tt> <tt class="literal">name</tt>
-<tt class="literal">_ _SAMBA_ _</tt>, you might have specified the server
-name to the <em class="emphasis">-B</em> option, or
-<em class="emphasis">nmbd</em> is not running. The <em class="emphasis">-B</em>
-option actually takes a broadcast address: we're
-using a computer name to get a unicast address and to ask the server
-if it has claimed <tt class="literal">_ _SAMBA_ _</tt>. Try again with
-<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
-<em class="replaceable">ip_address</em>, and if that fails too,
-<em class="emphasis">nmbd</em> isn't claiming the name.
-Go back briefly to the earlier section, &quot;Testing
-daemons with testparm,&quot; to see if
-<em class="emphasis">nmbd</em> is running. If so, it might not be claiming
-names; this means that Samba is not providing the browsing
-service&mdash;a configuration problem. If that is the case, make sure
-that <em class="filename">smb.conf</em> doesn't contain
-the option <tt class="literal">browsing</tt> <tt class="literal">=</tt>
-<tt class="literal">no</tt>.</p>
-</li></ul>
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.3"/>
-
-<h3 class="head3">Testing the client with nmblookup</h3>
-
-<p><a name="INDEX-75"/><a name="INDEX-76"/>Next, check the IP address of the
-client from the server with <em class="emphasis">nmblookup</em> using the
-<tt class="literal">-B</tt> option for the client's name
-and a parameter of '<tt class="literal">*</tt>' meaning
-&quot;anything,&quot; as shown here:</p>
-
-<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -B client '*</b>'
-Sending queries to 192.168.236.10 192.168.236.10 *
-Got a positive name query response from 192.168.236.10 (192.168.236.10)</pre></blockquote>
-
-<p>You might get the following error:</p>
-
-<ul><li>
-<p>If you receive <tt class="literal">Name-query</tt>
-<tt class="literal">failed</tt> <tt class="literal">to</tt>
-<tt class="literal">find</tt> <tt class="literal">name</tt> <tt class="literal">*</tt>,
-you have made a spelling mistake, or the client software on the PC
-isn't installed, started, or bound to TCP/IP. Double
-back to <a href="ch03.html">Chapter 3</a> and ensure that you have a
-client installed that is listening to the network.</p>
-</li></ul>
-<p>Repeat the command with the following options if you had any failures:</p>
-
-<ul><li>
-<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
-<em class="replaceable">client_IP_address</em> succeeds but
-<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
-<em class="replaceable">client_name</em> fails, there is a name service
-problem with the client's name; go to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
-</li><li>
-<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
-<tt class="literal">127.0.0.1</tt> '<tt class="literal">*</tt>' succeeds, but
-<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
-<em class="replaceable">client_IP_address</em> fails, there is a
-hardware problem, and <em class="emphasis">ping</em> should have failed.
-See your network manager.</p>
-</li></ul>
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.4"/>
-
-<h3 class="head3">Testing the network with nmblookup</h3>
-
-<p><a name="INDEX-77"/><a name="INDEX-78"/>Run the command
-<em class="emphasis">nmblookup</em> again with a <em class="emphasis">-d2</em>
-option (for a debug level of 2) and a parameter of
-'<tt class="literal">*</tt>'. This time we are testing the ability of
-programs (such as <em class="emphasis">nmbd</em> ) to use broadcast.
-It's essentially a connectivity test, done via a
-broadcast to the default broadcast address.</p>
-
-<p>A number of NetBIOS over TCP/IP hosts on the network should respond
-with <tt class="literal">got</tt> <tt class="literal">a</tt>
-<tt class="literal">positive</tt> <tt class="literal">name</tt>
-<tt class="literal">query</tt> <tt class="literal">response</tt> messages. Samba
-might not catch all the responses in the short time it listens, so
-you won't always see all the SMB clients on the
-network. However, you should see most of them:</p>
-
-<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -d 2 '*</b>'
-Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending
-queries to 192.168.236.255
-Got a positive name query response from 192.168.236.191 (192.168.236.191)
-Got a positive name query response from 192.168.236.228 (192.168.236.228)
-Got a positive name query response from 192.168.236.75 (192.168.236.75)
-Got a positive name query response from 192.168.236.79 (192.168.236.79)
-Got a positive name query response from 192.168.236.206 (192.168.236.206)
-Got a positive name query response from 192.168.236.207 (192.168.236.207)
-Got a positive name query response from 192.168.236.217 (192.168.236.217)
-Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</pre></blockquote>
-
-<p>However:</p>
-
-<ul><li>
-<p>If this doesn't give at least the client address you
-previously tested, the default broadcast address is wrong. Try
-<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
-<tt class="literal">255.255.255.255</tt> <tt class="literal">-d</tt>
-<tt class="literal">2</tt> '<tt class="literal">*</tt>', which is a last-ditch
-variant (using a broadcast address of all 1s). If this draws
-responses, the broadcast address you've been using
-before is wrong. Troubleshooting these is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
-chapter.</p>
-</li><li>
-<p>If the address 255.255.255.255 fails too, check your notes to see if
-your PC and server are on different subnets, as discovered in the
-earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. You
-should try to diagnose this step with a server and client on the same
-subnet, but if you can't, you can try specifying the
-remote subnet's broadcast address with
-<em class="emphasis">-B</em>. Finding that address is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
-chapter. The <em class="emphasis">-B</em> option will work if your router
-supports directed broadcasts; if it doesn't, you
-might be forced to test with a client on the same network.</p>
-</li></ul>
-<p>As usual, you can check the Samba log files for additional clues.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.5"/>
-
-<h3 class="head3">Testing client browsing with net view</h3>
-
-<p><a name="INDEX-79"/><a name="INDEX-80"/>On the client, run the
-command <em class="replaceable">net view \\server</em> in an MS-DOS
-(command prompt) window to see if you can connect to the client and
-ask what shares it provides. You should get back a list of available
-shares on the server.</p>
-
-<p>If this works, continue with the later section <a href="ch12.html#samba2-CHP-12-SECT-3.1">Section 12.3.1</a>. Otherwise:</p>
-
-<ul><li>
-<p>If you get <tt class="literal">Network</tt> <tt class="literal">name</tt>
-<tt class="literal">not</tt> <tt class="literal">found</tt> for the name you just
-tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.3">Section 12.2.6.3</a>, there is a problem with the
-client software itself. Double-check this by running
-<em class="emphasis">nmblookup</em> on the client; if it works and
-<em class="emphasis">net view</em> doesn't, the client is
-at fault.</p>
-</li><li>
-<p>If <em class="emphasis">nmblookup</em> fails, there is a NetBIOS name
-service problem, as discussed in the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
-</li><li>
-<p>If you get <tt class="literal">You</tt> <tt class="literal">do</tt>
-<tt class="literal">not</tt> <tt class="literal">have</tt> <tt class="literal">the</tt>
-<tt class="literal">necessary</tt> <tt class="literal">access</tt>
-<tt class="literal">rights</tt>, or <tt class="literal">This</tt>
-<tt class="literal">server</tt> <tt class="literal">is</tt>
-<tt class="literal">not</tt> <tt class="literal">configured</tt>
-<tt class="literal">to</tt> <tt class="literal">list</tt>
-<tt class="literal">shared</tt> <tt class="literal">resources</tt>, either your
-guest account is misconfigured (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>) or you have a
-<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
-<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that prohibits
-connections from your system. These problems should have been
-detected by the <em class="emphasis">smbclient</em> tests starting in the
-earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.1">Section 12.2.6.1</a>.</p>
-</li><li>
-<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
-<tt class="literal">computer</tt> <tt class="literal">is</tt>
-<tt class="literal">not</tt> <tt class="literal">receiving</tt>
-<tt class="literal">requests</tt>, you have misspelled the name, the system
-is unreachable by broadcast (tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.4">Section 12.2.6.4</a>), or it's
-not running <em class="emphasis">nmbd</em>.</p>
-</li><li>
-<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>
-<tt class="literal">error</tt>, you're probably
-encountering the Microsoft-encrypted password problem, as discussed
-earlier in this chapter and in <a href="ch09.html">Chapter 9</a>, with its
-corrections.</p>
-</li></ul>
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.6"/>
-
-<h3 class="head3">Browsing the server from the client</h3>
-
-<p><a name="INDEX-81"/><a name="INDEX-82"/>From the Windows Network
-Neighborhood (or My Network Places in newer releases), try to browse
-the server. Your Samba server should appear in the browse list of
-your local workgroup. You should be able to double-click the name of
-the server to get a list of shares.</p>
-
-<ul><li>
-<p>If you get an <tt class="literal">Invalid</tt> <tt class="literal">password</tt>
-error, it's most likely the encryption problem
-again.</p>
-</li><li>
-<p>If you receive an <tt class="literal">Unable</tt> <tt class="literal">to</tt>
-<tt class="literal">browse</tt> <tt class="literal">the</tt>
-<tt class="literal">network</tt> error, one of the following has occurred:</p>
-<ul><li>
-<p>You have looked too soon, before the broadcasts and updates have
-completed. Wait 30 seconds and try again.</p>
-</li><li>
-<p>There is a network problem you've not yet diagnosed.</p>
-</li><li>
-<p>There is no browse master. Add the configuration option
-<tt class="literal">local</tt> <tt class="literal">master</tt>
-<tt class="literal">=</tt> <tt class="literal">yes</tt> to your
-<em class="emphasis">smb.conf</em> file.</p>
-</li><li>
-<p>No shares are made browsable in the <em class="emphasis">smb.conf</em>
-file.</p>
-</li></ul>
-</li>
-<li>
-<p>If you receive the message <tt class="literal">\\server</tt>
-<tt class="literal">is</tt> <tt class="literal">not</tt>
-<tt class="literal">accessible</tt> then:</p>
-<ul><li>
-<p>You have the encrypted password problem.</p>
-</li><li>
-<p>The system really isn't accessible.</p>
-</li><li>
-<p>The system doesn't support browsing.</p>
-</li></ul>
-</li>
-</ul>
-
-<p>If you've made it this far and the problem is not
-yet solved, either the problem is one we've not yet
-seen, or it is a problem related to a topic we have already covered,
-and further analysis is required. Name resolution is often related to
-difficulties with Samba, so we cover it in more detail in the next
-sections. If you know your problem is not related to name resolution,
-skip to the <a href="ch12.html#samba2-CHP-12-SECT-3">Section 12.3</a> at the end of the chapter. <a name="INDEX-83"/><a name="INDEX-84"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-2.7"/>
-
-<h3 class="head2">Troubleshooting Name Services</h3>
-
-<p><a name="INDEX-85"/><a name="INDEX-86"/>This
-section looks at simple troubleshooting of all the name services
-you'll encounter, but only for the common problems
-that affect Samba.</p>
-
-<p>There are several good references for troubleshooting particular name
-services: Paul <a name="INDEX-87"/>Albitz and Cricket <a name="INDEX-88"/>Liu's <em class="emphasis">DNS and
-Bind</em> (O'Reilly) covers the DNS, Hal
-<a name="INDEX-89"/>Stern's <em class="emphasis">NFS and
-NIS</em> (O'Reilly) covers NIS
-(&quot;Yellow pages&quot;), while Windows
-Internet Name Service (WINS), <em class="filename">hosts/LMHOSTS</em>
-files, and NIS+ are best covered by their respective
-vendors' manuals.</p>
-
-<p>The problems addressed in this section are as follows:</p>
-
-<ul><li>
-<p>Name services are identified.</p>
-</li><li>
-<p>A hostname can't be looked up.</p>
-</li><li>
-<p>The long (FQDN) form of a hostname works but the short form
-doesn't.</p>
-</li><li>
-<p>The short form of the name works, but the long form
-doesn't.</p>
-</li><li>
-<p>A long delay occurs before the expected result.</p>
-</li></ul>
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.1"/>
-
-<h3 class="head3">Identifying what's in use</h3>
-
-<p><a name="INDEX-90"/>First, see if both the
-server and the client are using DNS, WINS, NIS, or
-<em class="filename">hosts</em> files to look up IP addresses when you
-give them a name. Each kind of system has a different preference:</p>
-
-<ul><li>
-<p>Windows 95/98/Me tries WINS and the <em class="filename">LMHOSTS</em> file
-first, then broadcast, and finally DNS and <em class="filename">HOSTS</em>
-files.</p>
-</li><li>
-<p>Windows NT/2000/XP tries WINS, then broadcast, then the
-<em class="filename">LMHOSTS</em> file, and finally
-<em class="filename">HOSTS</em> and DNS.</p>
-</li><li>
-<p>Windows programs using the WINSOCK standard use the HOSTS file, DNS,
-WINS, and then broadcast. Don't assume that if a
-different program's name service works, the SMB
-client program's name service will!</p>
-</li><li>
-<p>Samba daemons use <em class="filename">lmhosts</em>, WINS, the Unix
-system's name resolution, and then broadcast.</p>
-</li><li>
-<p>Unix systems can be configured to use any combination of DNS,
-<em class="filename">HOSTS</em> files, NIS or NIS+, and winbind, generally
-in any order.</p>
-</li></ul>
-<p>We recommend that the client systems be configured to use WINS and
-DNS, the Samba daemons to use WINS and DNS, and the Unix server to
-use DNS, <em class="filename">hosts</em> files, and perhaps NIS+.
-You'll have to look at your notes and the actual
-systems to see which is in use.</p>
-
-<p>On the clients, the name services are all set in the TCP/IP
-Properties panel of the Networking Control Panel, as discussed in
-<a href="ch03.html">Chapter 3</a>. You might need to check there to see
-what you've actually turned on. On the server, see
-if a <em class="filename">/etc/resolv.conf</em> file exists. If it does,
-you're using DNS. You might be using the others as
-well, though. You'll need to check for NIS and
-combinations of services.</p>
-
-<p>Check for a <em class="filename">/etc/nsswitch.conf</em> file on Solaris
-and other System V Unix operating systems. If you have one, look for
-a line that begins with <tt class="literal">host</tt>: followed by one or
-more of <tt class="literal">files</tt>, <tt class="literal">bind</tt>,
-<tt class="literal">nis</tt>, or <tt class="literal">nis+</tt>. These are the
-name services to use, in order, with optional extra material in
-square brackets. The <tt class="literal">files</tt> keyword is for
-using <em class="emphasis">HOSTS</em> files, while <tt class="literal">bind</tt>
-(the Berkeley Internet Name Daemon) refers to using DNS.</p>
-
-<p>If the client and server differ, the first thing to do is to get them
-in sync. Clients can use DNS, WINS, <em class="emphasis">HOSTS</em>, and
-<em class="emphasis">LMHOSTS</em> files, but not NIS or NIS+. Servers can
-use <em class="emphasis">HOSTS</em> and <em class="filename">LMHOSTS</em>
-files, DNS, NIS or NIS+, and winbind, but not WINS&mdash;even if your
-Samba server provides WINS services. If you can't
-get all the systems to use the same services, you'll
-have to check the server and the client carefully for the same data.</p>
-
-<p>You can also make use of the <em class="emphasis">-R</em> (resolve order)
-option for <em class="emphasis">smbclient</em>. If you want to
-troubleshoot WINS, for example, you'd say:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L </b></tt><em class="replaceable">server</em> <tt class="userinput"><b>-R wins</b></tt></pre></blockquote>
-
-<p>The possible settings are <tt class="literal">hosts</tt> (which means
-whatever the Unix system is using, not just<em class="filename">
-/etc/hosts</em> files), <tt class="literal">lmhosts</tt>,
-<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt> (broadcast).</p>
-
-<p>In the following sections, we use the term <em class="emphasis">long
-name</em> for a fully qualified domain name (FQDN), such as
-<tt class="literal">server.example.com</tt> , and the term <em class="emphasis">short
-name</em> for the host part of an FQDN, such as
-<tt class="literal">server</tt>.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.2"/>
-
-<h3 class="head3">Cannot look up hostnames</h3>
-
-<p><a name="INDEX-91"/>Try the
-following:</p>
-
-<dl>
-<dt><b>DNS</b></dt>
-<dd>
-<p>Run <tt class="literal">nslookup</tt> <em class="replaceable">name</em>. If
-this fails, look for a <em class="filename">resolv.conf</em> error, a
-downed DNS server, or a short/long name problem (see the next
-section). Try the following:</p>
-
-
-<ul><li>
-<p>Your <em class="filename">/etc/resolv.conf</em> file should contain one or
-more <tt class="literal">nameserver</tt> lines, each with an IP address.
-These are the addresses of your DNS servers.</p>
-</li><li>
-<p>Ping each server address you find. If this fails for one, suspect the
-system. If it fails for each, suspect your network.</p>
-</li><li>
-<p>Retry the lookup using the full domain name (e.g.,
-<tt class="literal">server.example.com</tt>) if you tried the short name
-first, or the short name if you tried the long name first. If results
-differ, skip to the next section.</p>
-</li></ul>
-</dd>
-
-
-
-<dt><b>Broadcast/ WINS</b></dt>
-<dd>
-<p>Broadcast/ WINS does only short names such as
-<tt class="literal">server</tt>, and not long ones, such as
-<tt class="literal">server.example.com</tt>. Run
-<tt class="literal">nmblookup</tt> <tt class="literal">-S</tt>
-<em class="replaceable">server</em>. This reports everything broadcast
-has registered for the name. In our example, it looks like this:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S server</b></tt>
-Looking up status of 192.168.236.86
-received 10 names
- SERVER &lt;00&gt; - M &lt;ACTIVE&gt;
- SERVER &lt;03&gt; - M &lt;ACTIVE&gt;
- SERVER &lt;1f&gt; - M &lt;ACTIVE&gt;
- SERVER &lt;20&gt; - M &lt;ACTIVE&gt;
- ..__MSBROWSE__. &lt;01&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
- MYGROUP &lt;00&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
- MYGROUP &lt;1b&gt; - M &lt;ACTIVE&gt;
- MYGROUP &lt;1c&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
- MYGROUP &lt;1d&gt; - M &lt;ACTIVE&gt;
- MYGROUP &lt;1e&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;</pre></blockquote>
-
-<p>The required entry is <tt class="literal">SERVER</tt>
-<tt class="literal">&lt;00&gt;</tt>, which identifies
-<em class="replaceable">server</em> as being this
-system's NetBIOS name. You should also see your
-workgroup mentioned one or more times. If these lines are missing,
-Broadcast/WINS cannot look up names and will need attention.</p>
-
-<a name="samba2-CHP-12-NOTE-160"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>The numbers in angle brackets in the previous output identify NetBIOS
-names as being workgroups, workstations, and file users of the
-messenger service, master browsers, domain master browsers, domain
-controllers, and a plethora of others. We primarily use
-<tt class="literal">&lt;00&gt;</tt> to identify system and workgroup names
-and <tt class="literal">&lt;20&gt;</tt> to identify systems as servers. The
-complete list is available at <a href="http://support.microsoft.com/support/kb/articles/q163/4/09.asp">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</a>.</p>
-</blockquote>
-</dd>
-
-
-
-<dt><b>NIS</b></dt>
-<dd>
-<p>Try <tt class="literal">ypmatch</tt> <tt class="literal">name</tt>
-<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
-NIS server's name by running
-<em class="emphasis">ypwhich</em>, and ping the system to see if
-it's accessible.</p>
-</dd>
-
-
-
-<dt><b>NIS+</b></dt>
-<dd>
-<p>If you're running NIS+, try
-<tt class="literal">nismatch</tt> <tt class="literal">name</tt>
-<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
-NIS+ server's name by running
-<em class="emphasis">niswhich</em>, and ping that system to see if
-it's accessible.</p>
-</dd>
-
-
-
-<dt><b>hosts and HOSTS files</b></dt>
-<dd>
-<p>Inspect the <em class="filename">HOSTS</em> file on the client
-(<em class="filename">C:\Windows\ Hosts</em> on Windows 95/98/Me, and
-<em class="filename">C:\WINNT \system32\drivers\etc\hosts</em> on Windows
-NT/2000/XP). Each line should have an IP number and one or more
-names, the primary name first, then any optional aliases. An example
-follows:</p>
-
-
-<blockquote><pre class="code">127.0.0.1 localhost
-192.168.236.1 dns.svc.example.com
-192.168.236.10 client.example.com client
-192.168.236.11 backup.example.com loghost
-192.168.236.86 server.example.com server
-192.168.236.254 router.svc.example.com</pre></blockquote>
-
-<p>On Unix, <tt class="literal">localhost</tt> should always be 127.0.0.1,
-although it might be just an alias for a hostname on the PC. On the
-client, check that there are no <tt class="literal">#XXX</tt> directives at
-the ends of the lines; these are LAN Manager/NetBIOS directives and
-should appear only in <em class="emphasis">LMHOSTS</em> files.</p>
-</dd>
-
-
-
-<dt><b>LMHOSTS files</b></dt>
-<dd>
-<p>This file is a local source for LAN Manager (NetBIOS) names. It has a
-format similar to <em class="filename">hosts</em> files, but it does not
-support long-form domain names (e.g.,
-<tt class="literal">server.example.com</tt>) and can have a number of
-optional <tt class="literal">#XXX</tt> directives following the NetBIOS
-names. There is usually an <em class="emphasis">lmhosts.sam</em> (for
-sample) file located in <em class="filename">C:\Windows</em> on Windows
-95/98/Me, and in <em class="filename">C:\WINNT\system32\drivers\etc</em>
-on Windows NT/2000/XP, but it's not used unless it
-is renamed to <em class="emphasis">Lmhosts</em> in the same directory.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.3"/>
-
-<h3 class="head3">Long and short hostnames</h3>
-
-<p><a name="INDEX-92"/>Where the long (FQDN) form of a hostname
-works but the short name doesn't (for example,
-<tt class="literal">client.example.com</tt> works but
-<tt class="literal">client</tt> doesn't), consider the
-following:</p>
-
-<dl>
-<dt><b>DNS </b></dt>
-<dd>
-<p>This usually indicates that there is no default domain in which to
-look up the short names. Look for a <tt class="literal">default</tt> line
-in <em class="filename">/etc/resolv.conf</em> on the Samba server with
-your domain in it, or look for a <tt class="literal">search</tt> line with
-one or more domains in it. One or the other might need to be present
-to make short names usable; which one depends on the vendor and
-version of the DNS resolver. Try adding <tt class="literal">domain</tt>
-<em class="replaceable">your_domain</em> to
-<em class="filename">resolv.conf</em>, and ask your network or DNS
-administrator what should be in the file.</p>
-</dd>
-
-
-
-<dt><b>Broadcast/WINS </b></dt>
-<dd>
-<p>Broadcast/WINS doesn't support long names; it
-won't suffer from this problem.</p>
-</dd>
-
-
-
-<dt><b>NIS </b></dt>
-<dd>
-<p>Try the command <tt class="literal">ypmatch</tt>
-<em class="replaceable">hostname</em> <tt class="literal">hosts</tt>. If you
-don't get a match, your tables
-don't include short names. Speak to your network
-manager; short names might be missing by accident or might be
-unsupported as a matter of policy. Some sites don't
-ever use (ambiguous) short names.</p>
-</dd>
-
-
-
-<dt><b>NIS+</b></dt>
-<dd>
-<p>Try <tt class="literal">nismatch</tt> <em class="replaceable">hostname</em>
-<tt class="literal">hosts</tt>, and treat failure exactly as with NIS.</p>
-</dd>
-
-
-
-<dt><b>hosts </b></dt>
-<dd>
-<p>If the short name is not in <em class="filename">/etc/hosts</em>, consider
-adding it as an alias. Avoid, if you can, short names as primary
-names (the first one on a line). Have them as aliases if your system
-permits.</p>
-</dd>
-
-
-
-<dt><b>LMHOSTS </b></dt>
-<dd>
-<p>LAN Manager doesn't support long names, so it
-won't suffer from this problem.</p>
-</dd>
-
-</dl>
-
-<p>On the other hand, if the short form of the name works and the long
-form doesn't, consider the following:</p>
-
-<dl>
-<dt><b>DNS </b></dt>
-<dd>
-<p>This is bizarre; see your network or DNS administrator, as this is
-probably a DNS setup error.</p>
-</dd>
-
-
-
-<dt><b>Broadcast/WINS </b></dt>
-<dd>
-<p>This is normal; Broadcast/WINS can't use the long
-form. Optionally, consider DNS. (Be aware that Microsoft has stated
-that it will eventually switch entirely to DNS, even though DNS does
-not provide name types such as &lt;00&gt;.)</p>
-</dd>
-
-
-
-<dt><b>NIS</b></dt>
-<dd>
-<p>If you can use <em class="emphasis">ypmatch</em> to look up the short form
-but not the long, consider adding the long form to the table as at
-least an alias.</p>
-</dd>
-
-
-
-<dt><b>NIS+ </b></dt>
-<dd>
-<p>Same as NIS, except you use <em class="emphasis">nismatch</em> instead of
-<em class="emphasis">ypmatch</em> to look up names.</p>
-</dd>
-
-
-
-<dt><b>hosts and HOSTS</b></dt>
-<dd>
-<p>Add the long name as at least an alias, and preferably as the primary
-form. Also consider using DNS if it's practical.</p>
-</dd>
-
-
-
-<dt><b>LMHOSTS </b></dt>
-<dd>
-<p>This is normal. LAN Manager can't use the long form;
-consider switching to DNS or <em class="filename">hosts</em>.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.4"/>
-
-<h3 class="head3">Unusual delays</h3>
-
-<p><a name="INDEX-93"/>When there is a long delay before the
-expected result:</p>
-
-<dl>
-<dt><b>DNS </b></dt>
-<dd>
-<p>Test the same name with the <em class="emphasis">nslookup</em> command on
-the system that is slow (client or server). If
-<em class="emphasis">nslookup</em> is also slow, you have a DNS problem.
-If it's slower on a client, you might have too many
-protocols bound to the Ethernet card. Eliminate NetBEUI, which is
-infamously slow, and, optionally, Novell&mdash;assuming you
-don't need them. This is especially important on
-Windows 95, which is particularly sensitive to excess protocols.</p>
-</dd>
-
-
-
-<dt><b>Broadcast/ WINS</b></dt>
-<dd>
-<p>Test the client using <em class="emphasis">nmblookup</em>; if
-it's faster, you probably have the protocols problem
-as mentioned in the previous item.</p>
-</dd>
-
-
-
-<dt><b>NIS</b></dt>
-<dd>
-<p>Try <em class="emphasis">ypmatch</em>; if it's slow,
-report the problem to your network manager.</p>
-</dd>
-
-
-
-<dt><b>NIS+ </b></dt>
-<dd>
-<p>Try <em class="emphasis">nismatch</em>, similarly.</p>
-</dd>
-
-
-
-<dt><b>hosts and HOSTS</b></dt>
-<dd>
-<p>The <em class="emphasis">hosts</em> files, if of reasonable size, are
-always fast. You probably have the protocols problem mentioned
-previously under DNS.</p>
-</dd>
-
-
-
-<dt><b>lmhosts and LMHOSTS</b></dt>
-<dd>
-<p>This is not a name lookup problem; <em class="emphasis">LMHOSTS</em> files
-are as fast as <em class="emphasis">hosts</em> and
-<em class="filename">HOSTS</em> files.</p>
-</dd>
-
-</dl>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.5"/>
-
-<h3 class="head3">Localhost issues</h3>
-
-<p><a name="INDEX-94"/>When a localhost isn't
-127.0.0.1, try the following:</p>
-
-<dl>
-<dt><b>DNS</b></dt>
-<dd>
-<p>There is probably no record for <tt class="literal">localhost</tt>.
-<tt class="literal">A</tt> <tt class="literal">127.0.0.1</tt>. Arrange to add
-one, as well as a reverse entry,
-<tt class="literal">1.0.0.127.IN-ADDR.ARPA</tt> <tt class="literal">PTR</tt>
-<tt class="literal">127.0.0.1</tt>.</p>
-</dd>
-
-
-
-<dt><b>Broadcast/WINS</b></dt>
-<dd>
-<p>Not applicable.</p>
-</dd>
-
-
-
-<dt><b>NIS</b></dt>
-<dd>
-<p>If <tt class="literal">localhost</tt> isn't in the table,
-add it.</p>
-</dd>
-
-
-
-<dt><b>NIS+ </b></dt>
-<dd>
-<p>If <tt class="literal">localhost</tt> isn't in the table,
-add it.</p>
-</dd>
-
-
-
-<dt><b>hosts and HOSTS</b></dt>
-<dd>
-<p>Add a line that says <tt class="literal">127.0.0.1</tt>
-<tt class="literal">localhost</tt>.</p>
-</dd>
-
-
-
-<dt><b>LMHOSTS</b></dt>
-<dd>
-<p>Not applicable. <a name="INDEX-95"/><a name="INDEX-96"/></p>
-</dd>
-
-</dl>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-2.8"/>
-
-<h3 class="head2">Troubleshooting Network Addresses</h3>
-
-<p><a name="INDEX-97"/><a name="INDEX-98"/>A
-number of common problems are caused by incorrect routing of Internet
-addresses or by the incorrect assignment of addresses. This section
-helps you determine what your addresses are.</p>
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.1"/>
-
-<h3 class="head3">Netmasks</h3>
-
-<p>Using the <a name="INDEX-99"/>netmask, it is possible to
-determine which addresses can be reached directly (i.e., which are on
-the local network) and which addresses require forwarding packets
-through a router. If the netmask is wrong, the systems will make one
-of two mistakes. One is to route local packets via a router, which is
-an expensive waste of time&mdash;it might work reasonably fast, it
-might run slowly, or it might fail utterly. The second mistake is to
-fail to send packets from a remote system to the router, which will
-prevent them from being forwarded to the remote system.</p>
-
-<p>The netmask is a number like an IP address, with one-bits for the
-network part of an address and zero-bits for the host portion. It is
-used as a bitmask to mask off parts of the address inside the TCP/IP
-code. If the mask is 255.255.0.0, the first 2 bytes are the network
-part and the last 2 are the host part. More common is 255.255.255.0,
-in which the first 3 bytes are the network part and the last one is
-the host part.</p>
-
-<p>For example, let's say your IP address is
-192.168.0.10 and the Samba server is 192.168.236.86. If your netmask
-happens to be 255.255.255.0, the network part of the address is the
-first 3 bytes, and the host part is the last byte. In this case, the
-network parts are different, and the systems are on different
-networks:</p>
-
-<a name="ch12-37-fm2xml"/><table border="1">
-
-
-
-<tr>
-<th>
-<p>Network part</p>
-</th>
-<th>
-<p>Host part</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>192 168 000</p>
-</td>
-<td>
-<p>10</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>192 168 235</p>
-</td>
-<td>
-<p>86</p>
-</td>
-</tr>
-
-</table>
-
-<p>If your netmask happens to be 255.255.0.0, the network part is just
-the first 2 bytes. In this case, the network parts match, and so the
-two systems are on the same network:</p>
-
-<a name="ch12-38-fm2xml"/><table border="1">
-
-
-
-<tr>
-<th>
-<p>Network part</p>
-</th>
-<th>
-<p>Host part</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>192 168</p>
-</td>
-<td>
-<p>000 10</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>192 168</p>
-</td>
-<td>
-<p>236 86</p>
-</td>
-</tr>
-
-</table>
-
-<p>Make sure the netmask in use on each system matches the structure of
-your network. On every subnet, the netmask should be identical on
-each system.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.2"/>
-
-<h3 class="head3">Broadcast addresses</h3>
-
-<p>The <a name="INDEX-100"/>broadcast address is a normal address,
-with the hosts part all one-bits. It means &quot;all
-hosts on your network.&quot; You can compute it easily
-from your netmask and address: take the address and put one-bits in
-it for all the bits that are zero at the end of the netmask (the host
-part). The following table illustrates this:</p>
-
-<a name="ch12-39-fm2xml"/><table border="1">
-
-
-
-
-<tr>
-<th>
-</th>
-<th>
-<p>Network part</p>
-</th>
-<th>
-<p>Host part</p>
-</th>
-</tr>
-
-
-<tr>
-<td>
-<p>IP address</p>
-</td>
-<td>
-<p>192 168 236</p>
-</td>
-<td>
-<p>86</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Netmask</p>
-</td>
-<td>
-<p>255 255 255</p>
-</td>
-<td>
-<p>000</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Broadcast</p>
-</td>
-<td>
-<p>192 168 236</p>
-</td>
-<td>
-<p>255</p>
-</td>
-</tr>
-
-</table>
-
-<p>In this example, the broadcast address on the 192.168.236 network is
-192.168.236.255. There is also an old
-&quot;universal&quot; broadcast address,
-255.255.255.255. Routers are prohibited from forwarding these, but
-most systems on your local network will respond to broadcasts to this
-address.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.3"/>
-
-<h3 class="head3">Network address ranges</h3>
-
-<p>A <a name="INDEX-101"/>number of address ranges have been
-reserved for testing and for nonconnected networks; we use these for
-the examples in this book. If you don't have an
-address yet, feel free to use one of these to start. They include one
-class A network, 10.*.*.*, a range of class B network addresses,
-172.16.*.* through 172.31.*.*, and 254 class C networks, 192.168.1.*
-through 192.168.254.*. The domain <tt class="literal">example.com</tt> is
-also reserved for unconnected networks, explanatory examples, and
-books.</p>
-
-<p>If you're actually connecting to the Internet,
-you'll need to get an appropriate IP address and a
-domain name, probably through the same company that provides your
-connection.</p>
-
-
-</div>
-
-
-
-<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.4"/>
-
-<h3 class="head3">Finding your network address</h3>
-
-<p><a name="INDEX-102"/>If you
-haven't recorded your IP address, you can learn it
-through the <em class="emphasis">ifconfig</em><a name="INDEX-103"/> command on Unix or the
-<em class="emphasis">ipconfig</em> <a name="INDEX-104"/>command on Windows. (Check your manual
-pages for any options required by your brand of Unix. For example,
-<tt class="literal">ifconfig</tt> <tt class="literal">-a</tt> works on Solaris.)
-You should see output similar to the following:</p>
-
-<blockquote><pre class="code">$ <tt class="userinput"><b>ifconfig -a</b></tt>
-le0: flags=63&lt;UP,BROADCAST,NOTRAILERS,RUNNING &gt;
- inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255
-lo0: flags=49&lt;&amp;lt&gt;UP,LOOPBACK,RUNNING&lt;&amp;gt&gt;
- inet 127.0.0.1 netmask ff000000</pre></blockquote>
-
-<p>One of the interfaces will be loopback (in our examples,
-<tt class="literal">lo0</tt>), and the other will be the regular IP
-interface. The flags should show that the interface is running, and
-Ethernet interfaces will also say they support broadcasts (PPP
-interfaces don't). The other places to look for IP
-addresses are <em class="filename">/etc/hosts</em> files, Windows
-<em class="emphasis">HOSTS</em> files, Windows
-<em class="emphasis">LMHOSTS</em> files, NIS, NIS+, and DNS. <a name="INDEX-105"/><a name="INDEX-106"/></p>
-
-
-</div>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-2.9"/>
-
-<h3 class="head2">Troubleshooting NetBIOS Names</h3>
-
-<p><a name="INDEX-107"/><a name="INDEX-108"/>Historically, SMB protocols have
-depended on the NetBIOS name system, also called the LAN Manager name
-system. This was a simple scheme where each system had a unique
-20-character name and broadcast it on the LAN for everyone to know.
-With TCP/IP, we tend to use names such as
-<tt class="literal">client.example.com</tt>, stored in
-<em class="filename">/etc/hosts</em> files through DNS or WINS.</p>
-
-<p>The usual mapping of domain names such as
-<tt class="literal">server.example.com</tt> to NetBIOS names simply uses
-the <tt class="literal">server</tt> part as the NetBIOS name and converts
-it to uppercase. Alas, this doesn't always work,
-especially if you have a system with a 21-character name; not
-everyone uses the same NetBIOS and DNS names. For example,
-<tt class="literal">corpvm1</tt> along with <tt class="literal">vm1.corp.com</tt>
-is not unusual.</p>
-
-<p>A system with a different NetBIOS name and domain name is confusing
-when you're troubleshooting; we recommend that you
-try to avoid this wherever possible. NetBIOS names are discoverable
-with <em class="emphasis">smbclient</em> :</p>
-
-<ul><li>
-<p>If you can list shares on your Samba server with
-<tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
-<tt class="literal">short_name</tt>, the short name is the NetBIOS name.</p>
-</li><li>
-<p>If you get <tt class="literal">Get_Hostbyname</tt>:
-<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
-<tt class="literal">name</tt>, there is probably a mismatch. Check in the
-<em class="filename">smb.conf</em> file to see if the NetBIOS name is
-explicitly set.</p>
-</li><li>
-<p>Try to list shares again, specifying <tt class="literal">-I</tt> and the IP
-address of the Samba server (e.g., <tt class="literal">smbclient</tt>
-<tt class="literal">-L</tt> <tt class="literal">server</tt> <tt class="literal">-I</tt>
-<tt class="literal">192.168.236.86</tt>). This overrides the name lookup
-and forces the packets to go to the IP address. If this works, there
-was a mismatch.</p>
-</li><li>
-<p>Try with <tt class="literal">-I</tt> and the full domain name of the server
-(e.g., <tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
-<tt class="literal">server</tt> <tt class="literal">-I</tt>
-<tt class="literal">server.example.com</tt>). This tests the lookup of the
-domain name, using whatever scheme the Samba server uses (e.g., DNS).
-If it fails, you have a name service problem. You should reread the
-earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>,
-after you finish troubleshooting the NetBIOS names.</p>
-</li><li>
-<p>Try with the <tt class="literal">-n</tt> (NetBIOS name) option, giving it
-the name you expect to work (e.g., <tt class="literal">smbclient</tt>
-<tt class="literal">-n</tt> <tt class="literal">server</tt> <tt class="literal">-L</tt>
-<tt class="literal">server-12</tt>), but without overriding the IP address
-through <tt class="literal">-I</tt>. If this works, the name you specified
-with <tt class="literal">-n</tt> is the actual NetBIOS name of the server.
-If you receive <tt class="literal">Get-Hostbyname</tt>:
-<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
-<tt class="literal">SERVER</tt>, it's not the right server
-yet.</p>
-</li><li>
-<p>If nothing is working so far, repeat the tests specifying
-<tt class="literal">-U</tt> <em class="emphasis">username</em> and
-<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>, with the
-username and workgroup in uppercase, to make sure
-you're not being derailed by a user or workgroup
-mismatch.</p>
-</li><li>
-<p>If still nothing works and you had evidence of a name service
-problem, troubleshoot the name service (see the earlier section,
-<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>) and then return to
-the NetBIOS name service. <a name="INDEX-109"/><a name="INDEX-110"/></p>
-</li></ul>
-
-</div>
-
-
-</div>
-
-
-
-<div class="sect1"><a name="samba2-CHP-12-SECT-3"/>
-
-<h2 class="head1">Extra Resources</h2>
-
-<p>At some point during your work with Samba, you'll
-want to turn to online or printed resources for news, updates, and
-aid.</p>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-3.1"/>
-
-<h3 class="head2">Documentation and FAQs</h3>
-
-<p>It's OK to read the <a name="INDEX-111"/><a name="INDEX-112"/>documentation. Really. Nobody can see you,
-and we won't tell. In fact, Samba ships with a large
-set of documentation files, and it is well worth the effort to at
-least browse through them, either in the distribution directory on
-your computer under <em class="filename">/docs</em> or online at the Samba
-web site: <a href="http://www.samba.org">http://www.samba.org</a>. The most current
-FAQ list, bug information, and distribution locations are located at
-the web site, with links to all the Samba manual pages and HOWTOs.</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-3.2"/>
-
-<h3 class="head2">Samba Newsgroups</h3>
-
-<p><a name="INDEX-113"/>Usenet
-newsgroups have always been a great place to get advice on just about
-any topic. In the past few years, though, this vast pool of knowledge
-has developed something that has made it into an invaluable resource:
-a memory. Archival and search sites such as the one at
-<a name="INDEX-114"/>Google (<a href="http://groups.google.com/advanced_group_search">http://groups.google.com/advanced_group_search</a>)
-have made sifting through years of valuable solutions as simple as a
-few mouse clicks.</p>
-
-<p>The primary newsgroup for Samba is
-<em class="emphasis">comp.protocols.smb</em><a name="INDEX-115"/>. This should always be your first
-stop when there's a problem. More often than not,
-spending 5 minutes researching an error here will save hours of
-frustration while trying to debug something yourself.</p>
-
-<p>When searching a newsgroup, try to be as specific as possible, but
-not too wordy. Searching on actual error messages is best. If you
-don't find an answer immediately in the newsgroup,
-resist the temptation to post a request for help until
-you've done a bit more work on the problem. You
-might find that the answer is in a FAQ or one of the many
-documentation files that ship with Samba, or a solution might become
-evident when you run one of Samba's diagnostic
-tools. If nothing works, post a request in
-<em class="emphasis">comp.protocols.smb</em>, and be as specific as
-possible about what you have tried and what you are seeing. Include
-any error messages that appear. It might be days before you receive
-help, so be patient and keep trying things while you wait.</p>
-
-<a name="samba2-CHP-12-NOTE-161"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
-<p>Once you post a request for help, keep poking at the problem
-yourself. Most of us have had the experience of posting a Usenet
-article containing hundreds of lines of intricate detail, only to
-solve the problem an hour later after the article has blazed its way
-across several continents. The rule of thumb goes something like
-this: the more folks who have read your request, the simpler the
-solution. Usually this means that once everyone in the Unix community
-has seen your article, the solution will be something simple such as,
-&quot;Plug the power cord into the wall
-socket.&quot;</p>
-</blockquote>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-3.3"/>
-
-<h3 class="head2">Samba Mailing Lists</h3>
-
-<p>The following are <a name="INDEX-116"/>mailing lists for support with Samba. See
-the Samba home page, <a href="http://www.samba.org/">http://www.samba.org/</a>, for
-information on subscribing and unsubscribing to these mailing lists:</p>
-
-<dl>
-<dt><b>samba@samba.org</b></dt>
-<dd>
-<p>This is the primary mailing list for general questions and discussion
-regarding Samba.</p>
-</dd>
-
-
-
-<dt><b>samba-announce@samba.org</b></dt>
-<dd>
-<p>This list is for receiving news regarding Samba, such as
-announcements of new releases.</p>
-</dd>
-
-
-
-<dt><b>samba-cvs@samba.org</b></dt>
-<dd>
-<p>By subscribing to this list, you can automatically receive a message
-every time one of the Samba developers updates the Samba source code
-in the CVS repository. You might want to do this if you are waiting
-for a specific bug fix or feature to be applied. To avoid congesting
-your email inbox, we suggest using the digest feature, which
-consolidates messages into a smaller number of emails.</p>
-</dd>
-
-
-
-<dt><b>samba-docs@samba.org</b></dt>
-<dd>
-<p>This list is for discussing Samba documentation.</p>
-</dd>
-
-
-
-<dt><b>samba-vms@samba.org</b></dt>
-<dd>
-<p>This mailing list is for people who are running Samba on the VMS
-operating system.</p>
-</dd>
-
-
-
-<dt><b>samba-binaries@samba.org</b></dt>
-<dd>
-<p>This is a list for developers to use when discussing precompiled
-Samba distributions.</p>
-</dd>
-
-
-
-<dt><b>samba-technical@samba.org</b></dt>
-<dd>
-<p>This mailing list is for developer discussion of the Samba code.</p>
-</dd>
-
-</dl>
-
-<p>Searchable versions of the Samba mailing list archives can be found
-at <a href="http://marc.theaimsgroup.com">http://marc.theaimsgroup.com</a>.</p>
-
-<p>When posting messages to the Samba mailing lists, keep in mind that
-you are sending your message to a large audience. The notes in the
-previous section regarding Usenet postings also apply here. A
-well-formulated question or comment is more likely to be answered,
-and a poorly conceived message is <em class="emphasis">very</em> likely to
-be ignored!</p>
-
-
-</div>
-
-
-<div class="sect2"><a name="samba2-CHP-12-SECT-3.4"/>
-
-<h3 class="head2">Further Reading</h3>
-
-<ol><li>
-<p>Hunt, Craig. <em class="emphasis">TCP/IP Network Administration</em>,
-Third Edition. Sebastopol, CA: O'Reilly
-&amp; Associates, 1997.</p>
-</li>
-<li>
-<p>Hunt, Craig, and Robert Bruce Thompson. <em class="emphasis">Windows NT TCP/IP
-Network Administration</em>. Sebastopol, CA:
-O'Reilly &amp; Associates, 1998.</p>
-</li>
-<li>
-<p>Albitz, Paul, and Cricket Liu. <em class="emphasis">DNS and Bind</em>,
-Fourth Edition. Sebastopol, CA: O'Reilly
-&amp; Associates, 1998.</p>
-</li>
-<li>
-<p>Stern, Hal. <em class="emphasis">Managing NFS and NIS</em>, Second
-Edition. Sebastopol, CA: O'Reilly &amp; Associates,
-1991.<a name="INDEX-117"/></p>
-</li></ol>
-
-</div>
-
-
-</div>
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/figs/sam2_0101.gif b/docs/htmldocs/using_samba/figs/sam2_0101.gif
deleted file mode 100644
index 195326a205..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0101.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0102.gif b/docs/htmldocs/using_samba/figs/sam2_0102.gif
deleted file mode 100644
index e453dbf023..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0102.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0103.gif b/docs/htmldocs/using_samba/figs/sam2_0103.gif
deleted file mode 100644
index ed50af69af..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0103.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0104.gif b/docs/htmldocs/using_samba/figs/sam2_0104.gif
deleted file mode 100644
index e903a0f22e..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0104.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0105.gif b/docs/htmldocs/using_samba/figs/sam2_0105.gif
deleted file mode 100644
index 0fec77125d..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0105.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0106.gif b/docs/htmldocs/using_samba/figs/sam2_0106.gif
deleted file mode 100644
index 32cbfdbee4..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0106.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0107.gif b/docs/htmldocs/using_samba/figs/sam2_0107.gif
deleted file mode 100644
index 2d8b8e66b7..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0107.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0108.gif b/docs/htmldocs/using_samba/figs/sam2_0108.gif
deleted file mode 100644
index 9d26856e38..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0108.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0109.gif b/docs/htmldocs/using_samba/figs/sam2_0109.gif
deleted file mode 100644
index 2c7db9617a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0109.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0110.gif b/docs/htmldocs/using_samba/figs/sam2_0110.gif
deleted file mode 100644
index 2d7d50a702..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0110.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0111.gif b/docs/htmldocs/using_samba/figs/sam2_0111.gif
deleted file mode 100644
index f6be700fa5..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0111.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0112.gif b/docs/htmldocs/using_samba/figs/sam2_0112.gif
deleted file mode 100644
index 4eddb82069..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0112.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0113.gif b/docs/htmldocs/using_samba/figs/sam2_0113.gif
deleted file mode 100644
index 1886bbcb5a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0113.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0114.gif b/docs/htmldocs/using_samba/figs/sam2_0114.gif
deleted file mode 100644
index 75cf0a750a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0114.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0201.gif b/docs/htmldocs/using_samba/figs/sam2_0201.gif
deleted file mode 100644
index 7dc140530c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0201.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0202.gif b/docs/htmldocs/using_samba/figs/sam2_0202.gif
deleted file mode 100644
index ccbaeed4fe..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0202.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0203.gif b/docs/htmldocs/using_samba/figs/sam2_0203.gif
deleted file mode 100644
index 127705fd38..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0203.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0204.gif b/docs/htmldocs/using_samba/figs/sam2_0204.gif
deleted file mode 100644
index 5359423fd5..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0204.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0301.gif b/docs/htmldocs/using_samba/figs/sam2_0301.gif
deleted file mode 100644
index 30759463cf..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0301.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0302.gif b/docs/htmldocs/using_samba/figs/sam2_0302.gif
deleted file mode 100644
index 5576573e83..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0302.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0303.gif b/docs/htmldocs/using_samba/figs/sam2_0303.gif
deleted file mode 100644
index 76b8dd36bb..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0303.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0304.gif b/docs/htmldocs/using_samba/figs/sam2_0304.gif
deleted file mode 100644
index b309fc9968..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0304.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0305.gif b/docs/htmldocs/using_samba/figs/sam2_0305.gif
deleted file mode 100644
index 5a9fd77443..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0305.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0306.gif b/docs/htmldocs/using_samba/figs/sam2_0306.gif
deleted file mode 100644
index 47b15548f3..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0306.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0307.gif b/docs/htmldocs/using_samba/figs/sam2_0307.gif
deleted file mode 100644
index 7874ccb889..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0307.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0308.gif b/docs/htmldocs/using_samba/figs/sam2_0308.gif
deleted file mode 100644
index 23d4fccd65..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0308.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0309.gif b/docs/htmldocs/using_samba/figs/sam2_0309.gif
deleted file mode 100644
index 2e27a2f407..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0309.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0310.gif b/docs/htmldocs/using_samba/figs/sam2_0310.gif
deleted file mode 100644
index 846b228eff..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0310.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0311.gif b/docs/htmldocs/using_samba/figs/sam2_0311.gif
deleted file mode 100644
index acb82fa77b..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0311.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0312.gif b/docs/htmldocs/using_samba/figs/sam2_0312.gif
deleted file mode 100644
index 2a96425312..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0312.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0313.gif b/docs/htmldocs/using_samba/figs/sam2_0313.gif
deleted file mode 100644
index 4482a8b27b..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0313.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0314.gif b/docs/htmldocs/using_samba/figs/sam2_0314.gif
deleted file mode 100644
index 02b8bcd2c7..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0314.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0315.gif b/docs/htmldocs/using_samba/figs/sam2_0315.gif
deleted file mode 100644
index bd747a23a9..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0315.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0316.gif b/docs/htmldocs/using_samba/figs/sam2_0316.gif
deleted file mode 100644
index a12e20e8b4..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0316.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0317.gif b/docs/htmldocs/using_samba/figs/sam2_0317.gif
deleted file mode 100644
index 1957fc09e6..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0317.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0318.gif b/docs/htmldocs/using_samba/figs/sam2_0318.gif
deleted file mode 100644
index 2c90ee6523..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0318.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0319.gif b/docs/htmldocs/using_samba/figs/sam2_0319.gif
deleted file mode 100644
index ceb8041299..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0319.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0320.gif b/docs/htmldocs/using_samba/figs/sam2_0320.gif
deleted file mode 100644
index 766c0ec4ba..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0320.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0321.gif b/docs/htmldocs/using_samba/figs/sam2_0321.gif
deleted file mode 100644
index b1dac33f23..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0321.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0322.gif b/docs/htmldocs/using_samba/figs/sam2_0322.gif
deleted file mode 100644
index fa0c2a3ed2..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0322.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0323.gif b/docs/htmldocs/using_samba/figs/sam2_0323.gif
deleted file mode 100644
index 9678a4b0da..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0323.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0324.gif b/docs/htmldocs/using_samba/figs/sam2_0324.gif
deleted file mode 100644
index f1fd719fc2..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0324.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0325.gif b/docs/htmldocs/using_samba/figs/sam2_0325.gif
deleted file mode 100644
index 3887d36b94..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0325.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0326.gif b/docs/htmldocs/using_samba/figs/sam2_0326.gif
deleted file mode 100644
index 26047eb48e..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0326.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0327.gif b/docs/htmldocs/using_samba/figs/sam2_0327.gif
deleted file mode 100644
index f8b661bce8..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0327.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0328.gif b/docs/htmldocs/using_samba/figs/sam2_0328.gif
deleted file mode 100644
index 9f767a156e..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0328.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0329.gif b/docs/htmldocs/using_samba/figs/sam2_0329.gif
deleted file mode 100644
index 4cfa231e86..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0329.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0330.gif b/docs/htmldocs/using_samba/figs/sam2_0330.gif
deleted file mode 100644
index 4c90f3b8c7..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0330.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0331.gif b/docs/htmldocs/using_samba/figs/sam2_0331.gif
deleted file mode 100644
index bc1fc19721..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0331.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0332.gif b/docs/htmldocs/using_samba/figs/sam2_0332.gif
deleted file mode 100644
index a507e19018..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0332.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0333.gif b/docs/htmldocs/using_samba/figs/sam2_0333.gif
deleted file mode 100644
index 6b1b2a7dd5..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0333.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0334.gif b/docs/htmldocs/using_samba/figs/sam2_0334.gif
deleted file mode 100644
index ff408ecd6c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0334.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0335.gif b/docs/htmldocs/using_samba/figs/sam2_0335.gif
deleted file mode 100644
index fdf01219e1..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0335.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0336.gif b/docs/htmldocs/using_samba/figs/sam2_0336.gif
deleted file mode 100644
index a44851c340..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0336.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0337.gif b/docs/htmldocs/using_samba/figs/sam2_0337.gif
deleted file mode 100644
index 219afbd147..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0337.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0338.gif b/docs/htmldocs/using_samba/figs/sam2_0338.gif
deleted file mode 100644
index 8f1ba6e36f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0338.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0339.gif b/docs/htmldocs/using_samba/figs/sam2_0339.gif
deleted file mode 100644
index f42c1b57ec..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0339.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0340.gif b/docs/htmldocs/using_samba/figs/sam2_0340.gif
deleted file mode 100644
index 76c5a1b347..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0340.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0341.gif b/docs/htmldocs/using_samba/figs/sam2_0341.gif
deleted file mode 100644
index 634b847d04..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0341.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0342.gif b/docs/htmldocs/using_samba/figs/sam2_0342.gif
deleted file mode 100644
index 51284782a3..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0342.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0343.gif b/docs/htmldocs/using_samba/figs/sam2_0343.gif
deleted file mode 100644
index 0618a841cf..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0343.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0344.gif b/docs/htmldocs/using_samba/figs/sam2_0344.gif
deleted file mode 100644
index 7d40dbcdf1..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0344.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0345.gif b/docs/htmldocs/using_samba/figs/sam2_0345.gif
deleted file mode 100644
index 0b36aa6da3..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0345.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0346.gif b/docs/htmldocs/using_samba/figs/sam2_0346.gif
deleted file mode 100644
index 36c3999ad1..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0346.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0347.gif b/docs/htmldocs/using_samba/figs/sam2_0347.gif
deleted file mode 100644
index db6c3e10ce..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0347.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0348.gif b/docs/htmldocs/using_samba/figs/sam2_0348.gif
deleted file mode 100644
index 16457a3421..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0348.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0349.gif b/docs/htmldocs/using_samba/figs/sam2_0349.gif
deleted file mode 100644
index 6445cdd3bc..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0349.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0350.gif b/docs/htmldocs/using_samba/figs/sam2_0350.gif
deleted file mode 100644
index 08ee35b8e7..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0350.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0351.gif b/docs/htmldocs/using_samba/figs/sam2_0351.gif
deleted file mode 100644
index b30b603818..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0351.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0352.gif b/docs/htmldocs/using_samba/figs/sam2_0352.gif
deleted file mode 100644
index bfab1e0031..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0352.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0353.gif b/docs/htmldocs/using_samba/figs/sam2_0353.gif
deleted file mode 100644
index 4c1e84f37e..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0353.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0354.gif b/docs/htmldocs/using_samba/figs/sam2_0354.gif
deleted file mode 100644
index 3519397705..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0354.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0355.gif b/docs/htmldocs/using_samba/figs/sam2_0355.gif
deleted file mode 100644
index 8559956df8..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0355.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0356.gif b/docs/htmldocs/using_samba/figs/sam2_0356.gif
deleted file mode 100644
index 9cffddf4b2..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0356.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0357.gif b/docs/htmldocs/using_samba/figs/sam2_0357.gif
deleted file mode 100644
index f1a7043858..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0357.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0358.gif b/docs/htmldocs/using_samba/figs/sam2_0358.gif
deleted file mode 100644
index 58073c2d19..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0358.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0359.gif b/docs/htmldocs/using_samba/figs/sam2_0359.gif
deleted file mode 100644
index 1fe90edca6..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0359.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0360.gif b/docs/htmldocs/using_samba/figs/sam2_0360.gif
deleted file mode 100644
index c306296f08..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0360.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0361.gif b/docs/htmldocs/using_samba/figs/sam2_0361.gif
deleted file mode 100644
index 7b6cc3c878..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0361.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0401.gif b/docs/htmldocs/using_samba/figs/sam2_0401.gif
deleted file mode 100644
index 68c4ec949e..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0401.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0402.gif b/docs/htmldocs/using_samba/figs/sam2_0402.gif
deleted file mode 100644
index 817622adee..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0402.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0403.gif b/docs/htmldocs/using_samba/figs/sam2_0403.gif
deleted file mode 100644
index 8d2bf580e6..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0403.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0404.gif b/docs/htmldocs/using_samba/figs/sam2_0404.gif
deleted file mode 100644
index 5f93a6715c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0404.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0405.gif b/docs/htmldocs/using_samba/figs/sam2_0405.gif
deleted file mode 100644
index 67925c1db5..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0405.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0406.gif b/docs/htmldocs/using_samba/figs/sam2_0406.gif
deleted file mode 100644
index f6b3924711..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0406.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0407.gif b/docs/htmldocs/using_samba/figs/sam2_0407.gif
deleted file mode 100644
index 486a629e9e..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0407.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0408.gif b/docs/htmldocs/using_samba/figs/sam2_0408.gif
deleted file mode 100644
index dbc31bb54d..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0408.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0409.gif b/docs/htmldocs/using_samba/figs/sam2_0409.gif
deleted file mode 100644
index b9d31f2a4d..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0409.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0410.gif b/docs/htmldocs/using_samba/figs/sam2_0410.gif
deleted file mode 100644
index 83e4c9cb89..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0410.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0411.gif b/docs/htmldocs/using_samba/figs/sam2_0411.gif
deleted file mode 100644
index c6684d625c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0411.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0412.gif b/docs/htmldocs/using_samba/figs/sam2_0412.gif
deleted file mode 100644
index 4706a99f51..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0412.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0413.gif b/docs/htmldocs/using_samba/figs/sam2_0413.gif
deleted file mode 100644
index 71bf8690f8..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0413.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0414.gif b/docs/htmldocs/using_samba/figs/sam2_0414.gif
deleted file mode 100644
index 2056eb45bb..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0414.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0415.gif b/docs/htmldocs/using_samba/figs/sam2_0415.gif
deleted file mode 100644
index 0c8eb01774..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0415.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0416.gif b/docs/htmldocs/using_samba/figs/sam2_0416.gif
deleted file mode 100644
index c2b2fecf3d..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0416.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0417.gif b/docs/htmldocs/using_samba/figs/sam2_0417.gif
deleted file mode 100644
index a84d217c1f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0417.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0501.gif b/docs/htmldocs/using_samba/figs/sam2_0501.gif
deleted file mode 100644
index eda8e934d7..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0501.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0502.gif b/docs/htmldocs/using_samba/figs/sam2_0502.gif
deleted file mode 100644
index 1f996e1b63..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0502.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0503.gif b/docs/htmldocs/using_samba/figs/sam2_0503.gif
deleted file mode 100644
index 0d7e3654ec..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0503.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0504.gif b/docs/htmldocs/using_samba/figs/sam2_0504.gif
deleted file mode 100644
index 9c60c26ef5..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0504.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0505.gif b/docs/htmldocs/using_samba/figs/sam2_0505.gif
deleted file mode 100644
index 346409e3e6..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0505.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0506.gif b/docs/htmldocs/using_samba/figs/sam2_0506.gif
deleted file mode 100644
index 78f5d54da2..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0506.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0507.gif b/docs/htmldocs/using_samba/figs/sam2_0507.gif
deleted file mode 100644
index e6ff6f14bd..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0507.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0508.gif b/docs/htmldocs/using_samba/figs/sam2_0508.gif
deleted file mode 100644
index 28dcb6227a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0508.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0601.gif b/docs/htmldocs/using_samba/figs/sam2_0601.gif
deleted file mode 100644
index 006fa95580..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0601.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0602.gif b/docs/htmldocs/using_samba/figs/sam2_0602.gif
deleted file mode 100644
index 598a7015dc..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0602.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0603.gif b/docs/htmldocs/using_samba/figs/sam2_0603.gif
deleted file mode 100644
index 62a8054c6f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0603.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0604.gif b/docs/htmldocs/using_samba/figs/sam2_0604.gif
deleted file mode 100644
index 9327385eed..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0604.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0605.gif b/docs/htmldocs/using_samba/figs/sam2_0605.gif
deleted file mode 100644
index 236badf15f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0605.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0701.gif b/docs/htmldocs/using_samba/figs/sam2_0701.gif
deleted file mode 100644
index b0b16d458c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0701.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0801.gif b/docs/htmldocs/using_samba/figs/sam2_0801.gif
deleted file mode 100644
index 5f9d87b206..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0801.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0802.gif b/docs/htmldocs/using_samba/figs/sam2_0802.gif
deleted file mode 100644
index fde794c19a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0802.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0803.gif b/docs/htmldocs/using_samba/figs/sam2_0803.gif
deleted file mode 100644
index 13baa02ed4..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0803.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0804.gif b/docs/htmldocs/using_samba/figs/sam2_0804.gif
deleted file mode 100644
index fc42ebf685..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0804.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0805.gif b/docs/htmldocs/using_samba/figs/sam2_0805.gif
deleted file mode 100644
index 015ca5df19..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0805.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0806.gif b/docs/htmldocs/using_samba/figs/sam2_0806.gif
deleted file mode 100644
index f11b8a18c9..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0806.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0807.gif b/docs/htmldocs/using_samba/figs/sam2_0807.gif
deleted file mode 100644
index 1ffc3eac39..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0807.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0808.gif b/docs/htmldocs/using_samba/figs/sam2_0808.gif
deleted file mode 100644
index 36839a754c..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0808.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0809.gif b/docs/htmldocs/using_samba/figs/sam2_0809.gif
deleted file mode 100644
index 3145d367ce..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0809.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0810.gif b/docs/htmldocs/using_samba/figs/sam2_0810.gif
deleted file mode 100644
index cd76217d1f..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0810.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0811.gif b/docs/htmldocs/using_samba/figs/sam2_0811.gif
deleted file mode 100644
index e7add2a0e7..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0811.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0901.gif b/docs/htmldocs/using_samba/figs/sam2_0901.gif
deleted file mode 100644
index 6ac1e9c966..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0901.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0902.gif b/docs/htmldocs/using_samba/figs/sam2_0902.gif
deleted file mode 100644
index f30bd1037d..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0902.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_0903.gif b/docs/htmldocs/using_samba/figs/sam2_0903.gif
deleted file mode 100644
index 0a073278dd..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_0903.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_1001.gif b/docs/htmldocs/using_samba/figs/sam2_1001.gif
deleted file mode 100644
index 491cbaf8eb..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_1001.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_1002.gif b/docs/htmldocs/using_samba/figs/sam2_1002.gif
deleted file mode 100644
index 2b3177c433..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_1002.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_1003.gif b/docs/htmldocs/using_samba/figs/sam2_1003.gif
deleted file mode 100644
index 39077e86ad..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_1003.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_1004.gif b/docs/htmldocs/using_samba/figs/sam2_1004.gif
deleted file mode 100644
index 9e81522a65..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_1004.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_1005.gif b/docs/htmldocs/using_samba/figs/sam2_1005.gif
deleted file mode 100644
index 5d9fe6f72a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_1005.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_1006.gif b/docs/htmldocs/using_samba/figs/sam2_1006.gif
deleted file mode 100644
index 34fcb1054b..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_1006.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_1101.gif b/docs/htmldocs/using_samba/figs/sam2_1101.gif
deleted file mode 100644
index 0a8afebd6a..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_1101.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_1102.gif b/docs/htmldocs/using_samba/figs/sam2_1102.gif
deleted file mode 100644
index 5bfc6b5521..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_1102.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_af01.gif b/docs/htmldocs/using_samba/figs/sam2_af01.gif
deleted file mode 100644
index 290cc7f491..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_af01.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_af02.gif b/docs/htmldocs/using_samba/figs/sam2_af02.gif
deleted file mode 100644
index 2bc59dab69..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_af02.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_af03.gif b/docs/htmldocs/using_samba/figs/sam2_af03.gif
deleted file mode 100644
index 5bff6142f8..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_af03.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_af04.gif b/docs/htmldocs/using_samba/figs/sam2_af04.gif
deleted file mode 100644
index f1ee885f32..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_af04.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_af05.gif b/docs/htmldocs/using_samba/figs/sam2_af05.gif
deleted file mode 100644
index ef15448708..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_af05.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_af06.gif b/docs/htmldocs/using_samba/figs/sam2_af06.gif
deleted file mode 100644
index 756a6b1c99..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_af06.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/figs/sam2_af07.gif b/docs/htmldocs/using_samba/figs/sam2_af07.gif
deleted file mode 100644
index dfe2199484..0000000000
--- a/docs/htmldocs/using_samba/figs/sam2_af07.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/inx.html b/docs/htmldocs/using_samba/inx.html
deleted file mode 100644
index cc01eeb56c..0000000000
--- a/docs/htmldocs/using_samba/inx.html
+++ /dev/null
@@ -1,1814 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
-hspace="10" align="left" />
-
-<h2>Index</h2>
-
-<A HREF="#Symbols">[&nbsp;Symbols&nbsp;]</A>,
-<A HREF="#Numbers">[&nbsp;Numbers&nbsp;]</A>,
-<A HREF="#A">[&nbsp;A&nbsp;]</A>,
-<A HREF="#B">[&nbsp;B&nbsp;]</A>,
-<A HREF="#C">[&nbsp;C&nbsp;]</A>,
-<A HREF="#D">[&nbsp;D&nbsp;]</A>,
-<A HREF="#E">[&nbsp;E&nbsp;]</A>,
-<A HREF="#F">[&nbsp;F&nbsp;]</A>,
-<A HREF="#G">[&nbsp;G&nbsp;]</A>,
-<A HREF="#H">[&nbsp;H&nbsp;]</A>,
-<A HREF="#I">[&nbsp;I&nbsp;]</A>,
-<A HREF="#K">[&nbsp;K&nbsp;]</A>,
-<A HREF="#L">[&nbsp;L&nbsp;]</A>,
-<A HREF="#M">[&nbsp;M&nbsp;]</A>,
-<A HREF="#N">[&nbsp;N&nbsp;]</A>,
-<A HREF="#O">[&nbsp;O&nbsp;]</A>,
-<A HREF="#P">[&nbsp;P&nbsp;]</A>,
-<A HREF="#Q">[&nbsp;Q&nbsp;]</A>,
-<A HREF="#R">[&nbsp;R&nbsp;]</A>,
-<A HREF="#S">[&nbsp;S&nbsp;]</A>,
-<A HREF="#T">[&nbsp;T&nbsp;]</A>,
-<A HREF="#U">[&nbsp;U&nbsp;]</A>,
-<A HREF="#V">[&nbsp;V&nbsp;]</A>,
-<A HREF="#W">[&nbsp;W&nbsp;]</A>,
-<A HREF="#X">[&nbsp;X&nbsp;]</A>
-
-
-<P><A NAME="Symbols"><B>Symbols</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>_ _MSBROWSE _ _ resource entry, 16, 229
-<BR>. (period)
-<BR> &nbsp; &nbsp; &nbsp; NetBIOS names and, 14
-<BR> &nbsp; &nbsp; &nbsp; (see also dot files)
-<BR>%$ variable, 192
-<P><A NAME="Numbers"><B>Numbers</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>127.0.0.1 (localhost), 73
-<BR> &nbsp; &nbsp; &nbsp; bind interfaces only option, 208
-<P><A NAME="A"><B>A</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%a variable, 143, 192
-<BR> &nbsp; &nbsp; &nbsp; variable substitution, 191
-<BR>abort shutdown script option (smb.conf file), 401
-<BR>Access Control Entries (ACEs), 31, 253
-<BR>Access Control Lists (see ACLs)
-<BR>access control options, 287-288
-<BR>access, controlling (see ACLs; controlling access to shares)
-<BR>accounts (see computer accounts, adding; users)
-<BR>ACLs, 30
-<BR> &nbsp; &nbsp; &nbsp; configuration options, 260-262
-<BR> &nbsp; &nbsp; &nbsp; inheriting, 416
-<BR> &nbsp; &nbsp; &nbsp; installing Samba with support for, 495
-<BR> &nbsp; &nbsp; &nbsp; mapping to Unix permissions, 426
-<BR> &nbsp; &nbsp; &nbsp; POSIX.1e, 259
-<BR> &nbsp; &nbsp; &nbsp; support in Samba 2.2, 37
-<BR> &nbsp; &nbsp; &nbsp; Unix, 259
-<BR> &nbsp; &nbsp; &nbsp; versus Unix file permissions, 31
-<BR> &nbsp; &nbsp; &nbsp; Windows NT/2000/XP, 165, 253-262
-<BR>Active Directory
-<BR> &nbsp; &nbsp; &nbsp; Samba 2.2, 34, 121
-<BR> &nbsp; &nbsp; &nbsp; Samba 3.0, 34
-<BR> &nbsp; &nbsp; &nbsp; server, specifying, 402
-<BR> &nbsp; &nbsp; &nbsp; time synchronization and, 340
-<BR>adapters, 69
-<BR>add machine script option (smb.conf file), 402
-<BR>add printer command option (smb.conf file), 401
-<BR>add share command option (smb.conf file), 402
-<BR>add user script option (smb.conf file), 159, 402
-<BR>admin users option (smb.conf file), 285, 287, 402
-<BR>admin users (see root accounts)
-<BR>administrator (see domain administrator)
-<BR>ads server option (smb.conf file), 402
-<BR>AFS (Andrew Filesystem), installing Samba with support for, 495
-<BR>Albitz, Paul, 383
-<BR>algorithmic rid base option (smb.conf file), 402
-<BR>allow hosts option (smb.conf file), 403
-<BR>allow trusted domains option (smb.conf file), 403
-<BR>analogX Atomic TimeSync, 340
-<BR>announce as option (smb.conf file), 234, 403
-<BR>announce version option (smb.conf file), 235, 403
-<BR>anonymous
-<BR> &nbsp; &nbsp; &nbsp; restricting access, 434
-<BR> &nbsp; &nbsp; &nbsp; (see also guest access)
-<BR>ANSI C compiler required by Samba source, 44
-<BR>auth methods option (smb.conf file), 403
-<BR>authentication
-<BR> &nbsp; &nbsp; &nbsp; client, 290-296
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; setting method of, 436
-<BR> &nbsp; &nbsp; &nbsp; defined, 30
-<BR> &nbsp; &nbsp; &nbsp; enabling Samba as WINS server, configuration file example, 395
-<BR> &nbsp; &nbsp; &nbsp; files, specifying where Samba keeps, 497
-<BR> &nbsp; &nbsp; &nbsp; methods, specifying, 403
-<BR> &nbsp; &nbsp; &nbsp; overview, 31
-<BR> &nbsp; &nbsp; &nbsp; pass-through, 33
-<BR> &nbsp; &nbsp; &nbsp; Samba security levels, 290
-<BR> &nbsp; &nbsp; &nbsp; Samba's default user-level versus Windows, 74
-<BR> &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 28
-<BR> &nbsp; &nbsp; &nbsp; with winbind, 307-319
-<BR> &nbsp; &nbsp; &nbsp; (see also passwords)
-<BR>auto services option (smb.conf file), 233, 235, 403
-<BR>automounting shares, 495
-<BR>available option (smb.conf file), 403
-<P><A NAME="B"><B>B</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>backends (CUPS modules), 332
-<BR>backup browsers, 27, 226
-<BR>backup domain controllers (BDCs), 31
-<BR> &nbsp; &nbsp; &nbsp; Samba 2.2's inability to work with, 122
-<BR> &nbsp; &nbsp; &nbsp; (see also primary domain controllers)
-<BR>backups, creating and restoring using smbclient, 172-174
-<BR>.bak files, 251
-<BR>.bat files, 138
-<BR>bind interfaces only option (smb.conf file), 208, 403
-<BR>bindings, 69
-<BR> &nbsp; &nbsp; &nbsp; Windows 2000, 100
-<BR> &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 80
-<BR> &nbsp; &nbsp; &nbsp; Windows NT, 93
-<BR> &nbsp; &nbsp; &nbsp; Windows XP, 110
-<BR>--bindir (configure script option), 48
-<BR>bitmasks, 176
-<BR> &nbsp; &nbsp; &nbsp; CIDR format, 208
-<BR>block size option (smb.conf file), 404
-<BR>blocking locks option (smb.conf file), 404
-<BR>b-node (NetBios node type), 13
-<BR>broadcast
-<BR> &nbsp; &nbsp; &nbsp; name resolution, 71
-<BR> &nbsp; &nbsp; &nbsp; versus NBNS name registration, 11
-<BR>broadcast address, 389
-<BR>broadcasting, 12
-<BR>browsable option (smb.conf file), 233, 235, 284, 404
-<BR>browse list option (smb.conf file), 235, 404
-<BR>browse lists, 27, 224
-<BR> &nbsp; &nbsp; &nbsp; invisible shares, 233
-<BR> &nbsp; &nbsp; &nbsp; printer names, 419
-<BR> &nbsp; &nbsp; &nbsp; specifying list of shares, 431
-<BR> &nbsp; &nbsp; &nbsp; specifying shares in, 403, 404
-<BR> &nbsp; &nbsp; &nbsp; specifying the directory where Samba keeps, 497
-<BR> &nbsp; &nbsp; &nbsp; synchronizing with all domain master browsers, 411
-<BR>browse master (see local master browser)
-<BR>browse server (see local master browser)
-<BR>browseable option (smb.conf file) (see browsable option (smb.conf file))
-<BR>browser elections, 28, 226-229, 419
-<BR>browsers
-<BR> &nbsp; &nbsp; &nbsp; backup (see backup browsers)
-<BR> &nbsp; &nbsp; &nbsp; domain master browser (see domain master browser)
-<BR> &nbsp; &nbsp; &nbsp; local master (see local master browser)
-<BR>browsing, 216, 224-239
-<BR> &nbsp; &nbsp; &nbsp; a list of computers and shared resources, defined, 26
-<BR> &nbsp; &nbsp; &nbsp; configuring Samba for, 229
-<BR> &nbsp; &nbsp; &nbsp; cross-subnet, 231
-<BR> &nbsp; &nbsp; &nbsp; in a Windows network, 224-229
-<BR> &nbsp; &nbsp; &nbsp; invisible shares, 233
-<BR> &nbsp; &nbsp; &nbsp; options, 233-239
-<BR> &nbsp; &nbsp; &nbsp; overview, 26-28
-<BR> &nbsp; &nbsp; &nbsp; server from the client, 382
-<BR> &nbsp; &nbsp; &nbsp; shared resource of a specific computer, 26
-<BR> &nbsp; &nbsp; &nbsp; troubleshooting problems, 377-383
-<BR>Browsing and Windows 95 Networking and CIFS/E Browser Protocol, 229
-<BR>BROWSING.txt and BROWSING-Config.txt, 229
-<BR>BSD Unix
-<BR> &nbsp; &nbsp; &nbsp; automatically starting Samba daemons, 61
-<BR> &nbsp; &nbsp; &nbsp; printers, 330-331
-<P><A NAME="C"><B>C</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>caching policy, client-side, 406
-<BR>case sensitive option (smb.conf file), 265, 404
-<BR>case sensitivity, 262-267
-<BR> &nbsp; &nbsp; &nbsp; how Samba handles, 264
-<BR> &nbsp; &nbsp; &nbsp; preserving case of filename, 431
-<BR>casesignames option (smb.conf file), 404
-<BR>change notification, 354
-<BR>change notify timeout option (smb.conf file), 354, 405
-<BR>change share command option (smb.conf file), 405
-<BR>character set option (smb.conf file), 344, 405
-<BR>character sets, translating, 405
-<BR>checking (message from configure script), 48
-<BR>CIDR format bitmask, 208
-<BR>CIFS, 21
-<BR> &nbsp; &nbsp; &nbsp; Unix extensions, 37, 442
-<BR> &nbsp; &nbsp; &nbsp; (see also SMB)
-<BR>CIFS Technical Reference, 20
-<BR>client code page option (smb.conf file), 344, 405
-<BR>clustered environment, Samba in, 437
-<BR> &nbsp; &nbsp; &nbsp; (see also multihomed system; multiple subnets), 437
-<BR>.cmd files, 138
-<BR>code page directory option (smb.conf file), 405
-<BR>code pages, 344
-<BR>coding system option (smb.conf file), 345, 405
-<BR>command-line options, parsing, 495
-<BR>comment option (smb.conf file), 203, 406
-<BR>Common Internet File System (see CIFS)
-<BR>compiling Samba, 49-52
-<BR>components, Windows, 69
-<BR>comp.protocols.smb newsgroup, 392
-<BR>computer accounts, adding, 126
-<BR>computer names
-<BR> &nbsp; &nbsp; &nbsp; name resolution (see name resolution)
-<BR> &nbsp; &nbsp; &nbsp; Windows 2000, 103
-<BR> &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 81
-<BR> &nbsp; &nbsp; &nbsp; Windows NT, 93
-<BR> &nbsp; &nbsp; &nbsp; Windows XP, 113
-<BR>computers, adding to domains, 402
-<BR>Concurrent Versions System (CVS), 491
-<BR>config file option (smb.conf file), 196, 406
-<BR>config.log file, 49
-<BR>config.pol file, 155
-<BR>config.status file, 51
-<BR>configuration file
-<BR> &nbsp; &nbsp; &nbsp; Samba's main (see smb.conf file)
-<BR> &nbsp; &nbsp; &nbsp; selecting new, 406
-<BR> &nbsp; &nbsp; &nbsp; variables (see smb.conf file, variables)
-<BR> &nbsp; &nbsp; &nbsp; (see also configuring Samba)
-<BR>configuration management tool (see CVS)
-<BR>configuration value types, 448-449
-<BR>configure script, 46
-<BR> &nbsp; &nbsp; &nbsp; options, 493-499
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --bindir, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --datadir, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --eprefix, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --include dir, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --infodir, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --libdir, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --libexec dir, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --mandir, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --prefix, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --sbindir, 48
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; with feature, 47
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-acl-support, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-afs, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-automount, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-codepagedir, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-configdir, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-dce-dfs, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-fhs, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-included-popt, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-krb4, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-krb5, 495
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-ldapsam, 496
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-libiconv, 496
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-libsmbclient, 496
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-lockdir, 496
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-logfilebase, 496
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-manpages-langs, 496
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-msdfs, 47, 496
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-nisplus-home, 496
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-nisplussam, 496
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; without feature, 47
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-pam, 497
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-pam_smbpass, 497
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-piddir, 497
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-privatedir, 497
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-profiling-data, 497
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-quotas, 497
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-readline, 497
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-sendfile-support, 497
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-smbmount, 47, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-smbwrapper, 47, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-spinlocks, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-ssl, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-sslinc, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-ssllib, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-swatdir, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-syslog, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-tdbsam, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-utmp, 498
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --with-winbind, 499
-<BR> &nbsp; &nbsp; &nbsp; sample execution, 48
-<BR>configuring Samba, 46-49
-<BR> &nbsp; &nbsp; &nbsp; configuration file (see smb.conf file)
-<BR> &nbsp; &nbsp; &nbsp; for browsing, 229
-<BR> &nbsp; &nbsp; &nbsp; for installation (see configure script)
-<BR> &nbsp; &nbsp; &nbsp; for roaming profiles, 143-147
-<BR> &nbsp; &nbsp; &nbsp; identifying options used in previous installations, 51
-<BR> &nbsp; &nbsp; &nbsp; troubleshooting problems (see troubleshooting Samba, fault tree)
-<BR>connection scripts, 274-277
-<BR> &nbsp; &nbsp; &nbsp; monitoring directory contents, 275
-<BR> &nbsp; &nbsp; &nbsp; options, 275-277
-<BR>connections
-<BR> &nbsp; &nbsp; &nbsp; denying, 409
-<BR> &nbsp; &nbsp; &nbsp; specifying time limits for unused, 407
-<BR>controlling access to shares, 285-288
-<BR>copy option (smb.conf file), 197, 406
-<BR>Core and Core Plus, 20
-<BR>create mask option (smb.conf file), 248, 250, 406
-<BR>create mode option (smb.conf file), 284, 406
-<BR>creating (message from configure script), 48
-<BR>creation masks, 247-250
-<BR>csc policy option (smb.conf file), 406
-<BR>CVS (Concurrent Versions System), 491
-<P><A NAME="D"><B>D</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%d variable, 192
-<BR>daemons (see inetd daemon; nmbd daemon; smbd daemon; xinetd daemon)
-<BR>Darwin, automatically starting Samba daemons, 64
-<BR>.dat files
-<BR> &nbsp; &nbsp; &nbsp; changing to .man files, 150
-<BR> &nbsp; &nbsp; &nbsp; NTUSER.DAT, 141
-<BR> &nbsp; &nbsp; &nbsp; USER.DAT, 141
-<BR>--datadir (configure script option), 48
-<BR>datagram primitives, 17
-<BR>datagram services, defined, 10
-<BR>datagram services (NBT)
-<BR> &nbsp; &nbsp; &nbsp; defined, 16
-<BR> &nbsp; &nbsp; &nbsp; tips, 18
-<BR>deadtime option (smb.conf file), 349, 407
-<BR>debug hires timestamp option (smb.conf file), 407
-<BR>debug pid option (smb.conf file), 407
-<BR>debug timestamp option (smb.conf file), 214, 407
-<BR>debug uid option (smb.conf file), 407
-<BR>debuglevel option (smb.conf file), 407
-<BR>default case option (smb.conf file), 264, 265, 408
-<BR>default device mode, setting, 408
-<BR>default devmode option (smb.conf file), 408
-<BR>default option (smb.conf file), 407
-<BR>default service option (smb.conf file), 236, 408
-<BR>defending the hostname, 12
-<BR>delete printer command option (smb.conf file), 408
-<BR>delete readonly option (smb.conf file), 250, 251, 408
-<BR>delete share command option (smb.conf file), 408
-<BR>delete user script option (smb.conf file), 159, 409
-<BR>delete veto files option (smb.conf file), 241, 245, 409
-<BR>deny hosts option (smb.conf file), 409
-<BR>dfree command option (smb.conf file), 350, 409
-<BR>Dfs (Microsoft's Distributed filesystem), 277-280
-<BR> &nbsp; &nbsp; &nbsp; configuring Samba as Dfs server, 278-279
-<BR> &nbsp; &nbsp; &nbsp; installing Samba with support for, 496
-<BR> &nbsp; &nbsp; &nbsp; providing services, 415
-<BR> &nbsp; &nbsp; &nbsp; support in Samba 2.2, 36
-<BR> &nbsp; &nbsp; &nbsp; Windows clients, 278
-<BR>DHCP and IP addresses, 70
-<BR>DIAGNOSIS.txt, 359
-<BR>dig command (Unix), 73
-<BR>Digital Pathworks clients, 353
-<BR>directories
-<BR> &nbsp; &nbsp; &nbsp; caching for performance, 414
-<BR> &nbsp; &nbsp; &nbsp; connecting to drive letter, 138
-<BR> &nbsp; &nbsp; &nbsp; creating on the Samba server, 125
-<BR> &nbsp; &nbsp; &nbsp; deleting when vetoed files are present, 241, 409
-<BR> &nbsp; &nbsp; &nbsp; home, setting, 420
-<BR> &nbsp; &nbsp; &nbsp; monitoring contents, 275
-<BR> &nbsp; &nbsp; &nbsp; setting maximum allowable permissions, 409
-<BR> &nbsp; &nbsp; &nbsp; setting paths, 409
-<BR>directory mask option (smb.conf file), 249, 251, 409
-<BR>directory mode option (smb.conf file), 284, 410
-<BR>directory option (smb.conf file), 409
-<BR>directory permissions, 416
-<BR> &nbsp; &nbsp; &nbsp; options, 250-253
-<BR>directory recursion, 171
-<BR>directory security mask option (smb.conf file), 261, 262, 410
-<BR>disable spools option (smb.conf file), 410
-<BR>disk services, example of sharing, 4-7
-<BR>disk share configuration, 201-203
-<BR>disk-quota support, 497
-<BR>Distributed Computing Environment Distributed Filesystem (DCE/DFS), 495
-<BR>Distributed filesystem (see Dfs)
-<BR>dmask option, 176
-<BR>DNS, 70
-<BR> &nbsp; &nbsp; &nbsp; configuration
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows 2000, 101
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 79
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows NT, 92
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows XP, 111
-<BR> &nbsp; &nbsp; &nbsp; NetBIOS names
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; translating between DNS names and, 182
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; versus hostnames versus, 14
-<BR> &nbsp; &nbsp; &nbsp; overview, 73
-<BR> &nbsp; &nbsp; &nbsp; servers, name resolution and, 217
-<BR>DNS proxy, configuring on WINS server, 220
-<BR>dns proxy option (smb.conf file), 220, 223, 410
-<BR>documentation, Samba, 45, 391
-<BR>domain admin group option (smb.conf file), 160, 410
-<BR>domain administrator, 126, 410
-<BR>Domain Admins group, 410
-<BR>domain controllers, 30
-<BR> &nbsp; &nbsp; &nbsp; backup (see backup domain controllers)
-<BR> &nbsp; &nbsp; &nbsp; primary (see primary domain controllers)
-<BR>Domain Guest group, 410
-<BR>domain guest group option (smb.conf file), 410
-<BR>domain logons
-<BR> &nbsp; &nbsp; &nbsp; configuring Windows clients for, 128-137
-<BR> &nbsp; &nbsp; &nbsp; Windows 2000, 133-135
-<BR> &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 128-131
-<BR> &nbsp; &nbsp; &nbsp; Windows complains that you are already logged on, 129
-<BR> &nbsp; &nbsp; &nbsp; Windows NT, 131-133
-<BR> &nbsp; &nbsp; &nbsp; Windows XP Professional, 135-137
-<BR>domain logons option (smb.conf file), 159, 410
-<BR>domain master browser, 35, 226
-<BR> &nbsp; &nbsp; &nbsp; configuring Samba as both local master browser and, 124
-<BR> &nbsp; &nbsp; &nbsp; forcing Samba to be, 237, 411
-<BR> &nbsp; &nbsp; &nbsp; problems with, 35
-<BR> &nbsp; &nbsp; &nbsp; Samba as, 230
-<BR> &nbsp; &nbsp; &nbsp; synchronizing browse lists with all, 411
-<BR> &nbsp; &nbsp; &nbsp; verifying Samba as, 231
-<BR>domain master option (smb.conf file), 159, 237, 411
-<BR>domain member server, 34
-<BR> &nbsp; &nbsp; &nbsp; Samba as, 156-157
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; smb.conf file example, 400
-<BR>domain membership, 126
-<BR>Domain Name System (see DNS)
-<BR>domain-level security, 291, 296
-<BR>domains
-<BR> &nbsp; &nbsp; &nbsp; adding computers to, 402
-<BR> &nbsp; &nbsp; &nbsp; advantages of, 120
-<BR> &nbsp; &nbsp; &nbsp; more information on how to set up, 122
-<BR> &nbsp; &nbsp; &nbsp; trust relationships, 33
-<BR> &nbsp; &nbsp; &nbsp; trusted, 403
-<BR> &nbsp; &nbsp; &nbsp; (see also Windows NT domain options)
-<BR>dont descend option (smb.conf file), 241, 243, 411
-<BR>dos filemode option (smb.conf file), 411
-<BR>dos filetime resolution option (smb.conf file), 342, 411
-<BR>dos filetimes option (smb.conf file), 341, 411
-<BR>dos2unix command, 170
-<BR>dot files, 240
-<BR> &nbsp; &nbsp; &nbsp; hiding, 414
-<BR> &nbsp; &nbsp; &nbsp; (see also hiding files)
-<BR>drive letter, connecting a directory to, 6, 138
-<P><A NAME="E"><B>E</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>emacs text editor, 139
-<BR>encrypt passwords option (smb.conf file), 304, 411
-<BR>encrypted passwords
-<BR> &nbsp; &nbsp; &nbsp; disabling, 298
-<BR> &nbsp; &nbsp; &nbsp; managing, 483
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (see also smbpasswd program)
-<BR> &nbsp; &nbsp; &nbsp; smb.conf file and, 55
-<BR> &nbsp; &nbsp; &nbsp; (see also passwords)
-<BR>enhanced browsing option (smb.conf file), 411
-<BR>enumports command option (smb.conf file), 412
-<BR>environment variables, forcing Samba to read list of, 437
-<BR>--eprefix (configure script option), 48
-<BR>error messages from configure script, 48
-<BR>/etc/fstab file, warning about editing, 177
-<BR>/etc/group, 283
-<BR>/etc/hosts file, 70
-<BR>/etc/nsswitch.conf file, 71
-<BR>/etc/passwd file, creating entries manually, 127
-<BR>/etc/printcap.local file, 330
-<BR>/etc/resolv.conf file, 73, 220
-<BR>Ethereal (SMB sniffer), 20, 361
-<BR>exec option (smb.conf file), 412
-<BR>executable file permission bit, 248
-<BR>ext2/ext3 filesystem, 37
-<P><A NAME="F"><B>F</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>fake directory create times option (smb.conf file), 342, 412
-<BR>fake oplocks option (smb.conf file), 273, 412
-<BR>FAQs, Samba, 391
-<BR>fault tree, troubleshooting Samba, 362-391
-<BR>file locking (see locks and oplocks)
-<BR>file permissions
-<BR> &nbsp; &nbsp; &nbsp; executable bit, 248
-<BR> &nbsp; &nbsp; &nbsp; on MS-DOS and Unix, 245-253
-<BR> &nbsp; &nbsp; &nbsp; options, 250-253
-<BR> &nbsp; &nbsp; &nbsp; setting in Windows NT/2000/XP, 165
-<BR> &nbsp; &nbsp; &nbsp; setting maximum allowable, 406
-<BR> &nbsp; &nbsp; &nbsp; Unix permission bits summary, 247
-<BR> &nbsp; &nbsp; &nbsp; Unix permissions versus ACLs, 31
-<BR> &nbsp; &nbsp; &nbsp; versus ACLs, 31
-<BR>file transfer using smbclient, 170
-<BR>filenames
-<BR> &nbsp; &nbsp; &nbsp; conventions, 262
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (see also name mangling)
-<BR> &nbsp; &nbsp; &nbsp; representing and resolving in Samba, 264
-<BR>Filesystem Hierarchy Standard, 495
-<BR>filesystem options, 243-245
-<BR>findsmb program, 40, 455
-<BR>firewall configuration, 60
-<BR>fmask option (sbmount), 176
-<BR>follow symlinks option (smb.conf file), 242, 243, 412
-<BR>force create mode option (smb.conf file), 251, 412
-<BR>force directory mode option (smb.conf file), 251, 413
-<BR>force directory security mode option (smb.conf file), 262, 413
-<BR>force group option (smb.conf file), 249, 251, 413
-<BR>force security mode option (smb.conf file), 261, 413
-<BR>force unknown acl user option (smb.conf file), 413
-<BR>force user option (smb.conf file), 249, 251, 413
-<BR>Frisch, Æleen, 325
-<BR>fstab file, warning about editing, 177
-<BR>fstype option (smb.conf file), 350, 413
-<P><A NAME="G"><B>G</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%G variable, 192
-<BR>%g variable, 192
-<BR>gcc binaries, 44
-<BR>get command, 170
-<BR>getwd cache option (smb.conf file), 243, 414
-<BR>[global] section (smb.conf file), 193
-<BR>GNU configure script (see configure script)
-<BR>GNU Free Documentation License, 511-518
-<BR>Google, 392
-<BR>group ID (GID), 31
-<BR>group option (smb.conf file), 414
-<BR>grouppol.inf file, 153
-<BR>groups
-<BR> &nbsp; &nbsp; &nbsp; additional information, 16
-<BR> &nbsp; &nbsp; &nbsp; overriding a user's normal group membership, 413
-<BR> &nbsp; &nbsp; &nbsp; setting a group share in smb.conf file, 283
-<BR> &nbsp; &nbsp; &nbsp; system group file, 283
-<BR> &nbsp; &nbsp; &nbsp; (see also workgroups; SMB, groups)
-<BR>guest access, 286
-<BR>guest account option (smb.conf file), 286, 288, 414
-<BR>guest ok option (smb.conf file), 286, 414
-<BR>guest only option (smb.conf file), 288, 414
-<P><A NAME="H"><B>H</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%H variable, 192, 283
-<BR>%h variable, 192
-<BR>hide dot files option (smb.conf file), 240, 244, 414
-<BR>hide files option (smb.conf file), 241, 244, 414
-<BR>hide local users option (smb.conf file), 415
-<BR>hide unreadable option (smb.conf file), 415
-<BR>hiding files, 240-242
-<BR>h-node (NetBios node type), 13
-<BR>home directory, setting, 420
-<BR>homedir map option (smb.conf file), 281, 415
-<BR>[homes] share (smb.conf file), 125, 194, 233, 284
-<BR> &nbsp; &nbsp; &nbsp; peculiarities with, 284
-<BR>host msdfs option (smb.conf file), 280, 415
-<BR>hostname, defending, 12
-<BR>hosts allow option (smb.conf file), 204-207, 415
-<BR>hosts deny option (smb.conf file), 204-207, 415
-<BR>hosts equiv option (smb.conf file), 307, 415
-<BR>HOSTS file, 70, 74
-<BR>hosts.sam file, 74
-<BR>Hunt, Craig, 87
-<P><A NAME="I"><B>I</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%I variable, 192
-<BR>iconv( ) function, 496
-<BR>ifconfig command, 390
-<BR>Implementing Policies and Profiles for Windows NT 4.0, 141
-<BR>--include dir (configure script option), 48
-<BR>include option (smb.conf file), 193, 197, 416
-<BR>inetd daemon, 53
-<BR> &nbsp; &nbsp; &nbsp; starting smbd and nmbd daemons, 66
-<BR>--infodir (configure script option), 48
-<BR>inherit acls option (smb.conf file), 416
-<BR>inherit permissions option (smb.conf file), 253, 416
-<BR>.ini files, 187
-<BR>installation directories for Samba, 50
-<BR>installing Samba, 49-52
-<BR> &nbsp; &nbsp; &nbsp; on a Unix system, 42-67
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ANSI C compiler required by Samba source, 44
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; binary versus source, 43
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; bundled versions, 42-45
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; configuration (see configure script)
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; source, overview of steps, 44
-<BR> &nbsp; &nbsp; &nbsp; troubleshooting problems (see troubleshooting Samba, fault tree)
-<BR>interfaces list, 403
-<BR>interfaces option (smb.conf file), 207, 416
-<BR>internationalization, 343-346
-<BR> &nbsp; &nbsp; &nbsp; features of Samba 2.2, 456
-<BR> &nbsp; &nbsp; &nbsp; installing Samba with support for, 495
-<BR>invalid users option (smb.conf file), 284, 285, 287, 416
-<BR>invalid users, specifying list of, 285
-<BR>IP addresses, 70
-<BR> &nbsp; &nbsp; &nbsp; 127.0.0.1 (localhost), 73
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; bind interfaces only option, 208
-<BR> &nbsp; &nbsp; &nbsp; translating between NetBIOS names and, 182
-<BR> &nbsp; &nbsp; &nbsp; Windows 2000, 100
-<BR> &nbsp; &nbsp; &nbsp; Windows 95/98/Me networks, 78
-<BR> &nbsp; &nbsp; &nbsp; Windows NT, 90
-<BR> &nbsp; &nbsp; &nbsp; Windows XP, 111
-<BR>IPC$ password, 75
-<BR>ipconfig /all command (Windows NT/2000/XP), 13
-<BR>ipconfig command, 390
-<P><A NAME="K"><B>K</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>keepalive option (smb.conf file), 351, 416
-<BR>Kerberos authentication, 38
-<BR> &nbsp; &nbsp; &nbsp; installing Samba with support for, 495
-<BR> &nbsp; &nbsp; &nbsp; Samba 2.2 and, 121
-<BR> &nbsp; &nbsp; &nbsp; time synchronization and, 340
-<BR>kernel oplocks option (smb.conf file), 272, 417
-<P><A NAME="L"><B>L</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%L variable, 140, 144, 192
-<BR>LAN Manager host announcements, 236
-<BR>LAN Manager versions 1.0, 2.0, and 2.1, 20
-<BR>lanman auth option (smb.conf file), 417
-<BR>large readwrite option (smb.conf file), 417
-<BR>LDAP, 34, 38
-<BR> &nbsp; &nbsp; &nbsp; installing Samba with support for, 496
-<BR> &nbsp; &nbsp; &nbsp; Samba 2.2 and, 121
-<BR>ldap admin dn option (smb.conf file), 417
-<BR>ldap filter option (smb.conf file), 417
-<BR>ldap port option (smb.conf file), 417
-<BR>ldap server option (smb.conf file), 418
-<BR>ldap ssl option (smb.conf file), 418
-<BR>ldap suffix option (smb.conf file), 418
-<BR>level2 oplocks option (smb.conf file), 272, 418
-<BR>--libdir (configure script option), 48
-<BR>--libexec dir (configure script option), 48
-<BR>libnss_winbind.so library, 309
-<BR>Linux-PAM System Administrator's Guide, 314
-<BR>Liu, Cricket, 383
-<BR>lm announce option (smb.conf file), 236, 418
-<BR>lm interval option (smb.conf file), 237, 418
-<BR>LMHOSTS file, 72
-<BR> &nbsp; &nbsp; &nbsp; name resolution and, 218
-<BR> &nbsp; &nbsp; &nbsp; Windows 2000, 102
-<BR> &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 80
-<BR> &nbsp; &nbsp; &nbsp; Windows NT, 92
-<BR> &nbsp; &nbsp; &nbsp; Windows XP, 112
-<BR>load balancing and Dfs, 277, 279
-<BR>load printers option (smb.conf file), 336, 419
-<BR>local master browser, 27, 224
-<BR> &nbsp; &nbsp; &nbsp; configuring Samba as both domain master browser and, 124
-<BR>local master option (smb.conf file), 230, 236, 419
-<BR>local profiles, 141
-<BR>localhost address (see 127.0.0.1 (localhost))
-<BR>lock dir option (smb.conf file), 419
-<BR>lock directory option (smb.conf file), 274, 419
-<BR>lock spin count option (smb.conf file), 419
-<BR>lock spin time option (smb.conf file), 419
-<BR>locking files (see locks and oplocks)
-<BR>locking option (smb.conf file), 271, 419
-<BR>locks and oplocks, 268-274
-<BR> &nbsp; &nbsp; &nbsp; advanced tuning parameter, 428
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; release an oplock, 427
-<BR> &nbsp; &nbsp; &nbsp; configuration options, 270-274
-<BR> &nbsp; &nbsp; &nbsp; oplock failure, 269
-<BR> &nbsp; &nbsp; &nbsp; opportunistic locking process, 268
-<BR> &nbsp; &nbsp; &nbsp; setting file locking, 419
-<BR> &nbsp; &nbsp; &nbsp; specifying directory where Samba keeps lock files, 496
-<BR> &nbsp; &nbsp; &nbsp; spin locks, 498
-<BR> &nbsp; &nbsp; &nbsp; Unix and oplocks, 270
-<BR>log file option (smb.conf file), 213, 356, 419
-<BR>log files, 67
-<BR> &nbsp; &nbsp; &nbsp; changing timestamps, 407
-<BR> &nbsp; &nbsp; &nbsp; example, 210
-<BR> &nbsp; &nbsp; &nbsp; levels of logging, 356-358
-<BR> &nbsp; &nbsp; &nbsp; nmbd, 231
-<BR> &nbsp; &nbsp; &nbsp; sample output of levels 2 and 3, 356
-<BR> &nbsp; &nbsp; &nbsp; setting location of, 419
-<BR> &nbsp; &nbsp; &nbsp; setting maximum size, 423
-<BR> &nbsp; &nbsp; &nbsp; specifying the directory where Samba keeps, 496
-<BR> &nbsp; &nbsp; &nbsp; troubleshooting with, 356-359
-<BR> &nbsp; &nbsp; &nbsp; (see also logging)
-<BR>log level option (smb.conf file), 213, 420
-<BR>logging
-<BR> &nbsp; &nbsp; &nbsp; activating and deactivating, 358
-<BR> &nbsp; &nbsp; &nbsp; adding process ID, 407
-<BR> &nbsp; &nbsp; &nbsp; configuration options, 210-215
-<BR> &nbsp; &nbsp; &nbsp; debugging particular user, 407
-<BR> &nbsp; &nbsp; &nbsp; (see also log files)
-<BR>login parameters, setting, 24
-<BR>logon drive option (smb.conf file), 151, 420
-<BR>logon home line (smb.conf file), 144
-<BR>logon home option (smb.conf file), 152, 420
-<BR>logon path line (smb.conf file), 144
-<BR>logon path option (smb.conf file), 151, 420
-<BR>logon path, supporting roaming profiles for Windows NT/2000/XP clients, 124
-<BR>logon script option (smb.conf file), 151, 420
-<BR>logon scripts, 120, 137-140
-<BR> &nbsp; &nbsp; &nbsp; checking the format, 139
-<BR> &nbsp; &nbsp; &nbsp; creating, 138-140
-<BR> &nbsp; &nbsp; &nbsp; more information regarding, 140
-<BR> &nbsp; &nbsp; &nbsp; options, 150
-<BR> &nbsp; &nbsp; &nbsp; using variables inside, 139
-<BR>logon.bat, 138
-<BR>log.smb file, 67
-<BR>lpadmin command (Unix), 333
-<BR>lppause command option (smb.conf file), 336, 420
-<BR>lppause command (Unix), 323
-<BR>lpq cache time option (smb.conf file), 335, 420
-<BR>lpq command option (smb.conf file), 336, 421
-<BR>lpq command (Unix), 323
-<BR>lpr command (Unix), 322
-<BR>lpresume command option (smb.conf file), 336, 421
-<BR>lpresume command (Unix), 323
-<BR>lprm command option (smb.conf file), 336, 421
-<BR>lprm command (Unix), 323
-<P><A NAME="M"><B>M</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%M variable, 192
-<BR>%m variable, 140, 143, 192
-<BR>Mac OS X
-<BR> &nbsp; &nbsp; &nbsp; automatically starting Samba daemons, 64
-<BR> &nbsp; &nbsp; &nbsp; configuration details, 506-509
-<BR> &nbsp; &nbsp; &nbsp; enabling SMB printer sharing, 325
-<BR> &nbsp; &nbsp; &nbsp; monitoring services, 505
-<BR> &nbsp; &nbsp; &nbsp; Password Server, 504
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; activating, 504
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; enabling, 505
-<BR> &nbsp; &nbsp; &nbsp; smbutil and mount_smbfs, 184-186
-<BR>Mac OS X Server
-<BR> &nbsp; &nbsp; &nbsp; configuration settings, 508
-<BR> &nbsp; &nbsp; &nbsp; configuring and activating services, 503
-<BR> &nbsp; &nbsp; &nbsp; running Samba on, 500-510
-<BR> &nbsp; &nbsp; &nbsp; sharing files, 501
-<BR> &nbsp; &nbsp; &nbsp; sharing printers, 501
-<BR>Mac OS X Server Administrator's Guide, 500
-<BR>machine password timeout option (smb.conf file), 160, 421
-<BR>magic output option (smb.conf file), 343, 421
-<BR>magic script option (smb.conf file), 343, 421
-<BR>magic scripts, 342
-<BR>mailing lists, Samba, 392
-<BR> &nbsp; &nbsp; &nbsp; archives, 45
-<BR>make install command (Unix), 50
-<BR> &nbsp; &nbsp; &nbsp; upgrading installations, 52
-<BR>make revert command (Unix), 50
-<BR>make utility (Unix), 49
-<BR>makefile, generating for Samba configuration, 46
-<BR>make_smbcodepage program, 40, 456
-<BR>make_unicodemap program, 40, 456
-<BR>.man files, changing from .dat files, 150
-<BR>man pages (see manual pages)
-<BR>managing connections to shares (see connection scripts)
-<BR>mandatory profiles, 149
-<BR> &nbsp; &nbsp; &nbsp; changing from roaming profiles, 150
-<BR>--mandir (configure script option), 48
-<BR>mangle case option (smb.conf file), 267, 421
-<BR>mangled map option (smb.conf file), 267, 422
-<BR>mangled names option (smb.conf file), 266, 422
-<BR>mangled stack option (smb.conf file), 267, 422
-<BR>mangling char option (smb.conf file), 267, 422
-<BR>mangling method option (smb.conf file), 422
-<BR>MANPATH environment variable, 52
-<BR>manual pages, 52
-<BR> &nbsp; &nbsp; &nbsp; in different languages, 496
-<BR>map archive option (smb.conf file), 247, 252, 422
-<BR>map hidden option (smb.conf file), 247, 252, 422
-<BR>map system option (smb.conf file), 247, 252, 422
-<BR>map to guest option (smb.conf file), 423
-<BR>mapping a free-form client username to a Unix username, 289
-<BR>mapping a network drive (see drive letter, connecting a directory to)
-<BR>master browser (see local master browser)
-<BR>max connections option (smb.conf file), 288, 423
-<BR>max disk size option (smb.conf file), 351, 423
-<BR>max log size option (smb.conf file), 213, 423
-<BR>max mux option (smb.conf file), 351, 423
-<BR>max open files option (smb.conf file), 423
-<BR>max open files (smb.conf file), 351
-<BR>max print jobs option (smb.conf file), 424
-<BR>max protocol option (smb.conf file), 424
-<BR>max smbd processes option (smb.conf file), 424
-<BR>max ttl option (smb.conf file), 224, 424
-<BR>max wins ttl option (smb.conf file), 224, 424
-<BR>max xmit option (smb.conf file), 352, 424
-<BR>message command option (smb.conf file), 348, 424
-<BR>messenger service, 346-348
-<BR>mget command, 170
-<BR>Microsoft Distributed filesystem (see Dfs)
-<BR>min passwd length option (smb.conf file), 425
-<BR>min password length option (smb.conf file), 425
-<BR>min print space option (smb.conf file), 338, 425
-<BR>min protocol option (smb.conf file), 425
-<BR>min wins ttl option (smb.conf file), 224, 425
-<BR>m-node (NetBios node type), 13
-<BR>mount_smbfs program, 161, 182
-<BR> &nbsp; &nbsp; &nbsp; options, 183
-<BR>mput command, 170
-<BR>msdfs root option (smb.conf file), 280, 425
-<BR>MS-DOS file permissions, 245-253
-<BR>MSN Messenger, 346-348
-<BR>multihomed system
-<BR> &nbsp; &nbsp; &nbsp; running Samba on, 204
-<BR> &nbsp; &nbsp; &nbsp; (see also clustered environment, Samba in; multiple subnets)
-<BR>multiple subnets
-<BR> &nbsp; &nbsp; &nbsp; cross-subnet browsing, 232
-<BR> &nbsp; &nbsp; &nbsp; with Samba servers, 232
-<BR> &nbsp; &nbsp; &nbsp; (see also clustered environment, Samba in; multihomed system)
-<BR>My Network Places, 26
-<BR> &nbsp; &nbsp; &nbsp; (see also Network Neighborhood)
-<P><A NAME="N"><B>N</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%N variable, 192
-<BR>name mangling, 262-267
-<BR> &nbsp; &nbsp; &nbsp; how Samba mangles a long filename into a 8.3 filename, 263
-<BR> &nbsp; &nbsp; &nbsp; options, 265-267, 421
-<BR>name registration, 11-13
-<BR>name resolution, 11-13, 70, 216-224
-<BR> &nbsp; &nbsp; &nbsp; broadcast method, 71
-<BR> &nbsp; &nbsp; &nbsp; configuring in Samba, 219
-<BR> &nbsp; &nbsp; &nbsp; methods, 217
-<BR> &nbsp; &nbsp; &nbsp; using broadcast packets, 217
-<BR>name resolve order option (smb.conf file), 219, 223, 425
-<BR>name services
-<BR> &nbsp; &nbsp; &nbsp; defined, 10
-<BR> &nbsp; &nbsp; &nbsp; identifying what's in use, 383
-<BR> &nbsp; &nbsp; &nbsp; switching, 71
-<BR> &nbsp; &nbsp; &nbsp; troubleshooting, 383-388
-<BR>name-resolution configuration options, 221-224
-<BR>NBNS name registration
-<BR> &nbsp; &nbsp; &nbsp; versus broadcast, 11
-<BR>NBT, 10, 69
-<BR> &nbsp; &nbsp; &nbsp; services, 16
-<BR>NBT Standard, 10
-<BR>nbtstat utility, 228
-<BR> &nbsp; &nbsp; &nbsp; examples, 14, 15
-<BR>net program, 40, 457-462
-<BR>net time command, 138, 339
-<BR>net use command, 138, 144
-<BR> &nbsp; &nbsp; &nbsp; testing connections with, 374
-<BR>net view program, 225
-<BR> &nbsp; &nbsp; &nbsp; testing client browsing, 381
-<BR>NetBEUI protocol, 10
-<BR> &nbsp; &nbsp; &nbsp; running at same time as NetBIOS over TCP/IP, 69
-<BR>NetBIOS
-<BR> &nbsp; &nbsp; &nbsp; group resource types, 16
-<BR> &nbsp; &nbsp; &nbsp; names
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; translating between IP address or DNS names and, 182
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; troubleshooting, 390
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; versus DNS hostnames, 14
-<BR> &nbsp; &nbsp; &nbsp; node types, 13
-<BR> &nbsp; &nbsp; &nbsp; overview, 9
-<BR> &nbsp; &nbsp; &nbsp; resource names and types, 14
-<BR> &nbsp; &nbsp; &nbsp; session, establishing, 22
-<BR> &nbsp; &nbsp; &nbsp; unique resource types, 15
-<BR> &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 80
-<BR>netbios aliases option (smb.conf file), 209, 426
-<BR>netbios name option (smb.conf file), 200, 426
-<BR>NetBIOS over TCP/IP (see NBT)
-<BR>netbios scope option (smb.conf file), 426
-<BR>[netlogon] share (smb.conf file), 125, 138, 233
-<BR>netmask, using to troubleshoot, 388
-<BR>network adapters, 69
-<BR>network addresses
-<BR> &nbsp; &nbsp; &nbsp; finding your specific address, 390
-<BR> &nbsp; &nbsp; &nbsp; troubleshooting, 388-390
-<BR>Network Information Service (see NIS)
-<BR>Network Neighborhood, 27
-<BR> &nbsp; &nbsp; &nbsp; (see also My Network Places)
-<BR>Network Time Protocol (NTP), 340
-<BR>network traffic, monitoring (see tcpdump program)
-<BR>networking
-<BR> &nbsp; &nbsp; &nbsp; components
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows 2000, 99
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows XP, 109
-<BR> &nbsp; &nbsp; &nbsp; concepts, Windows (see Windows, networking concepts)
-<BR> &nbsp; &nbsp; &nbsp; options, 204-208
-<BR>new features
-<BR> &nbsp; &nbsp; &nbsp; in Samba 2.2, 36
-<BR> &nbsp; &nbsp; &nbsp; in Samba 3.0, 38
-<BR>news, Samba, 45
-<BR>newsgroups, Samba, 391
-<BR>NFS, installing Samba with support for, 495
-<BR>NIS+
-<BR> &nbsp; &nbsp; &nbsp; installing Samba with support for, 496
-<BR> &nbsp; &nbsp; &nbsp; server, installing Samba with support for locating, 496
-<BR>nis homedir option (smb.conf file), 281, 426
-<BR>NIS (Network Information Service), 71, 280
-<BR> &nbsp; &nbsp; &nbsp; configuration options, 280
-<BR> &nbsp; &nbsp; &nbsp; server, 30
-<BR>nmake command, 412
-<BR>nmap command (Unix), 73
-<BR>nmbd daemon, 3, 39, 61, 453
-<BR> &nbsp; &nbsp; &nbsp; starting automatically, 61-65
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; BSD Unix, 61
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Darwin and Mac OS X, 64
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; System V Unix, 61
-<BR> &nbsp; &nbsp; &nbsp; starting from inetd, 66
-<BR> &nbsp; &nbsp; &nbsp; starting manually, 61
-<BR> &nbsp; &nbsp; &nbsp; testing, 66
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; automatic startup, 65
-<BR> &nbsp; &nbsp; &nbsp; time service, 442
-<BR>nmbd log file, 231
-<BR>nmblookup program, 40, 229, 231, 462
-<BR> &nbsp; &nbsp; &nbsp; testing clients, 380
-<BR> &nbsp; &nbsp; &nbsp; testing network, 381
-<BR> &nbsp; &nbsp; &nbsp; testing servers, 379
-<BR>nobody account, 286
-<BR>node types, 13
-<BR>non unix account range option (smb.conf file), 426
-<BR>nslookup command (Unix), 73
-<BR>nsmb.conf file, 181
-<BR>.nsmbrc files, 181
-<BR>nsswitch, configuring, 309
-<BR>nsswitch.conf file, 71
-<BR>nt acl support option (smb.conf file), 260, 426
-<BR>NT LAN Manager 1.0, 21
-<BR>nt pipe support option (smb.conf file), 352, 426
-<BR>nt smb support option (smb.conf file), 352, 427
-<BR>nt status support option (smb.conf file), 427
-<BR>ntconfig.pol file, 155
-<BR>NT-specific SMB IPC$ pipes, 352
-<BR>NTUSER.DAT file, 141
-<BR>null passwords option (smb.conf file), 306, 427
-<BR>number of address ranges, 389
-
-<P><A NAME="O"><B>O</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>obey pam restrictions option (smb.conf file), 427
-<BR>od command, 139
-<BR>.old files, 50
-<BR>ole locking compatibility (smb.conf file), 352
-<BR>only guest option (smb.conf file), 427
-<BR>only user option (smb.conf file), 293, 427
-<BR>Open Directory Password Server, 504
-<BR>oplock break wait time option (smb.conf file), 427
-<BR>oplock contention limit option (smb.conf file), 428
-<BR>oplocks option (smb.conf file), 272, 428
-<BR>opportunistic locking (see locks and oplocks)
-<BR>os level option (smb.conf file), 230, 238, 428
-<BR>os2 driver map option (smb.conf file), 428
-<BR>overwriting files (see locks and oplocks)
-
-<P><A NAME="P"><B>P</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%P variable, 192
-<BR>%p variable, 192
-<BR>padc command, 359
-<BR>pam password change option (smb.conf file), 428
-<BR>PAM (Pluggable Authentication Modules), 38
-<BR> &nbsp; &nbsp; &nbsp; configuring, 313-317
-<BR>pam_stack.so module, 316
-<BR>pam_winbind.so module, 316
-<BR>panic action option (smb.conf file), 352, 428
-<BR>par command, 359
-<BR>passdb backend option (smb.conf file), 429
-<BR>pass-through authentication, 33
-<BR>passwd chat debug option (smb.conf file), 305, 429
-<BR>passwd chat option (smb.conf file), 301, 305, 429
-<BR>PASSWD environment variable, 167
-<BR>passwd file, creating entries manually, 127
-<BR>passwd program option (smb.conf file), 305, 429
-<BR>password chat response characters, 302
-<BR>password chat send characters, 302
-<BR>password level option (smb.conf file), 305, 429
-<BR>Password Server (Mac OS X), 504
-<BR> &nbsp; &nbsp; &nbsp; activating, 504
-<BR> &nbsp; &nbsp; &nbsp; enabling, 505
-<BR>password server option (smb.conf file), 160, 295, 429
-<BR>passwords, 74, 296-307
-<BR> &nbsp; &nbsp; &nbsp; adding to smb.conf file, 75
-<BR> &nbsp; &nbsp; &nbsp; configuration options, 303-307
-<BR> &nbsp; &nbsp; &nbsp; disabling encrypted, 298
-<BR> &nbsp; &nbsp; &nbsp; encrypted (see encrypted passwords)
-<BR> &nbsp; &nbsp; &nbsp; IPC$, 75
-<BR> &nbsp; &nbsp; &nbsp; limiting length of, 425
-<BR> &nbsp; &nbsp; &nbsp; plain-text versus encrypted, 74
-<BR> &nbsp; &nbsp; &nbsp; setting on Windows 95/98/Me, 83
-<BR> &nbsp; &nbsp; &nbsp; setting servers that validate, 429
-<BR> &nbsp; &nbsp; &nbsp; synchronization, 300-303
-<BR> &nbsp; &nbsp; &nbsp; Windows versus Unix, 29
-<BR> &nbsp; &nbsp; &nbsp; (see also authentication)
-<BR>PATH environment variable, 52
-<BR>path option (smb.conf file), 202, 430
-<BR>pdbedit program, 40, 464
-<BR>PDC emulator, 121
-<BR>PDCs (see primary domain controllers)
-<BR>Pearce, Eric, 16, 160
-<BR>performance, caching directories, 414
-<BR>period (.)
-<BR> &nbsp; &nbsp; &nbsp; NetBIOS names and, 14
-<BR> &nbsp; &nbsp; &nbsp; (see also dot files)
-<BR>permissions
-<BR> &nbsp; &nbsp; &nbsp; mapping to Windows NT ACLs, 426
-<BR> &nbsp; &nbsp; &nbsp; (see also file permissions; directory permissions)
-<BR>pid directory option (smb.conf file), 430
-<BR>PIDs, adding to log lines, 407
-<BR>ping, troubleshooting with, 363-367
-<BR>Pluggable Authentication Modules (see PAM)
-<BR>p-node (NetBios node type), 13
-<BR>point-to-point communication, 12
-<BR>policies, defined, 120
-<BR>port names, customized, 412
-<BR>POSIX ACL support, 416
-<BR>posix locking option (smb.conf file), 272, 430
-<BR>POSIX.1e ACLs, 259
-<BR>postexec option (smb.conf file), 277, 430
-<BR>postscript option (smb.conf file), 335, 430
-<BR>preexec close option (smb.conf file), 277, 430
-<BR>preexec option (smb.conf file), 274, 276, 430
-<BR>preferred master option (smb.conf file), 237, 431
-<BR>preferred master parameter (smb.conf file), 230
-<BR>--prefix (configure script option), 48
-<BR>preload option (smb.conf file), 235, 431
-<BR>preserve case option (smb.conf file), 264, 266, 431
-<BR>preventing file overwrites (see locks and oplocks)
-<BR>primary domain controllers (PDCs), 31, 226
-<BR> &nbsp; &nbsp; &nbsp; handling authentication (see winbind)
-<BR> &nbsp; &nbsp; &nbsp; modifying smb.conf file, 122-125
-<BR> &nbsp; &nbsp; &nbsp; Samba as, 121-126
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; smb.conf file example, 397-399
-<BR>primary WINS server, 32
-<BR> &nbsp; &nbsp; &nbsp; synchronization problems with Samba 2.2, 33
-<BR>print command option (smb.conf file), 322, 336, 431
-<BR>print commands, 321
-<BR>print jobs
-<BR> &nbsp; &nbsp; &nbsp; deleting, 421
-<BR> &nbsp; &nbsp; &nbsp; limiting number of, 424
-<BR> &nbsp; &nbsp; &nbsp; pausing, 420
-<BR> &nbsp; &nbsp; &nbsp; resuming, 421
-<BR> &nbsp; &nbsp; &nbsp; sending over Samba, 321
-<BR>print ok option (smb.conf file), 433
-<BR>printable option (smb.conf file), 323, 335, 431
-<BR>printcap file, 419
-<BR> &nbsp; &nbsp; &nbsp; example, 336
-<BR>printcap name option (smb.conf file), 338, 431
-<BR>printcap option (smb.conf file), 338
-<BR>printcap.local file, 330
-<BR>printer admin option (smb.conf file), 432
-<BR>printer driver file option (smb.conf file), 432
-<BR>printer driver location option (smb.conf file), 432
-<BR>printer driver option (smb.conf file), 432
-<BR>printer name option (smb.conf file), 335, 432
-<BR>printer option (smb.conf file), 335, 432
-<BR>printer status, setting command for, 421
-<BR>printers
-<BR> &nbsp; &nbsp; &nbsp; adding new to system, 401
-<BR> &nbsp; &nbsp; &nbsp; BSD, 330-331
-<BR> &nbsp; &nbsp; &nbsp; CUPS, 332
-<BR> &nbsp; &nbsp; &nbsp; example of sharing, 8
-<BR> &nbsp; &nbsp; &nbsp; names in browse lists, 419
-<BR> &nbsp; &nbsp; &nbsp; removing from system, 408
-<BR> &nbsp; &nbsp; &nbsp; sending files using smbclient, 325
-<BR> &nbsp; &nbsp; &nbsp; setting default device mode, 408
-<BR> &nbsp; &nbsp; &nbsp; setting up from Windows, 8
-<BR> &nbsp; &nbsp; &nbsp; sharing, 320
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; on Mac OS X, 501
-<BR> &nbsp; &nbsp; &nbsp; System V, 331
-<BR> &nbsp; &nbsp; &nbsp; (see also printing)
-<BR>[printers] share (smb.conf file), 195, 324
-<BR> &nbsp; &nbsp; &nbsp; example for a Linux system, 324
-<BR>printing, 320-338
-<BR> &nbsp; &nbsp; &nbsp; adding a Unix printer, 330-333
-<BR> &nbsp; &nbsp; &nbsp; common problem with Samba printer configuration, 325
-<BR> &nbsp; &nbsp; &nbsp; CUPS-compatible, 486
-<BR> &nbsp; &nbsp; &nbsp; debugging printers, 325
-<BR> &nbsp; &nbsp; &nbsp; Mac OS X environment, 325
-<BR> &nbsp; &nbsp; &nbsp; network, 320
-<BR> &nbsp; &nbsp; &nbsp; options, 333-338
-<BR> &nbsp; &nbsp; &nbsp; setting up and testing a Windows client, 326
-<BR> &nbsp; &nbsp; &nbsp; shares
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; example, 322
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; important information about, 323
-<BR> &nbsp; &nbsp; &nbsp; system types, 334
-<BR> &nbsp; &nbsp; &nbsp; testing the configuration, 325
-<BR> &nbsp; &nbsp; &nbsp; to Windows from Unix, 327-338
-<BR> &nbsp; &nbsp; &nbsp; variables, 322
-<BR> &nbsp; &nbsp; &nbsp; (see also printers)
-<BR>printing option (smb.conf file), 334, 432
-<BR>private directory option (smb.conf file), 433
-<BR>process IDs, adding to log lines, 407
-<BR>processes, viewing in Unix, 8
-<BR>[profiles] share (smb.conf file), 125
-<BR>prompt command, 171
-<BR>protocol option (smb.conf file), 433
-<BR>ps command (Unix), 8
-<BR> &nbsp; &nbsp; &nbsp; looking for daemon processes with, 368
-<BR>public option (smb.conf file), 433
-<BR>put command, 170
-<BR>.pwl files, 29
-<P><A NAME="Q"><B>Q</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>queuepause command option (smb.conf file), 338, 433
-<BR>queueresume command option (smb.conf file), 338, 433
-<P><A NAME="R"><B>R</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%R variable, 192
-<BR>read bmpx option (smb.conf file), 433
-<BR>read list option (smb.conf file), 286, 288, 433
-<BR>read only option (smb.conf file), 203, 434
-<BR>read raw option (smb.conf file), 434
-<BR>read size option (smb.conf file), 434
-<BR>readline( ) support, 497
-<BR>read-only access, specifying users, 433
-<BR>realm option (smb.conf file), 434
-<BR>reconfiguring Samba, 52
-<BR>recurse command, 171
-<BR>registry files, 141
-<BR> &nbsp; &nbsp; &nbsp; settings and passwords, 74
-<BR>relative identifier (RID), 30
-<BR>remote announce option (smb.conf file), 232, 238, 434
-<BR>remote browse sync option (smb.conf file), 238, 434
-<BR>remote logons (see roaming profiles)
-<BR>resolv.conf file, 73, 220
-<BR>resource names and types (NetBIOS), 14
-<BR>restrict anonymous option (smb.conf file), 434
-<BR>roaming profiles, 120, 140-152
-<BR> &nbsp; &nbsp; &nbsp; changing to mandatory profiles, 150
-<BR> &nbsp; &nbsp; &nbsp; configuring
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Samba for, 143-147
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows 95/98/Me for, 147
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows NT/2000/XP for, 148
-<BR> &nbsp; &nbsp; &nbsp; defining a logon path for Windows NT/2000/XP clients, 124
-<BR> &nbsp; &nbsp; &nbsp; definitive documentation, 141
-<BR> &nbsp; &nbsp; &nbsp; how they work, 141
-<BR> &nbsp; &nbsp; &nbsp; options, 150
-<BR> &nbsp; &nbsp; &nbsp; possible problems, 142
-<BR> &nbsp; &nbsp; &nbsp; restricting users from editing their own, 149
-<BR> &nbsp; &nbsp; &nbsp; setting path to directory (Windows NT/2000/XP), 420
-<BR> &nbsp; &nbsp; &nbsp; smb.conf file, 138
-<BR> &nbsp; &nbsp; &nbsp; Temporary Internet Files folder, 143
-<BR> &nbsp; &nbsp; &nbsp; time synchronization, 339
-<BR> &nbsp; &nbsp; &nbsp; users logged onto multiple clients, 142
-<BR> &nbsp; &nbsp; &nbsp; warning, 141
-<BR> &nbsp; &nbsp; &nbsp; (see also mandatory profiles)
-<BR>root access, 285
-<BR>root accounts
-<BR> &nbsp; &nbsp; &nbsp; adding root user to Samba's password database, 126
-<BR> &nbsp; &nbsp; &nbsp; (see also domain administrator)
-<BR> &nbsp; &nbsp; &nbsp; specifying users with root permissions, 402
-<BR>root dir option (smb.conf file), 435
-<BR>root directory option (smb.conf file), 435
-<BR>root option (smb.conf file), 435
-<BR>root postexec option (smb.conf file), 277, 435
-<BR>root preexec close option (smb.conf file), 276, 435
-<BR>root preexec option (smb.conf file), 275, 276, 435
-<BR>roving profiles (see roaming profiles)
-<BR>rpcclient commands, 467-470
-<BR>rpcclient program, 40, 465
-<BR>rpm command (Unix), 43
-<P><A NAME="S"><B>S</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%S variable, 192
-<BR>SAM (Security Account Manager), 30
-<BR> &nbsp; &nbsp; &nbsp; database, 126
-<BR>Samba
-<BR> &nbsp; &nbsp; &nbsp; advantages of using, 3
-<BR> &nbsp; &nbsp; &nbsp; allowing outside applications to access Samba features, 496
-<BR> &nbsp; &nbsp; &nbsp; compiling (see compiling Samba)
-<BR> &nbsp; &nbsp; &nbsp; configuration file (see smb.conf file)
-<BR> &nbsp; &nbsp; &nbsp; configuring (see configuring Samba)
-<BR> &nbsp; &nbsp; &nbsp; defined, 2
-<BR> &nbsp; &nbsp; &nbsp; distribution, overview, 39
-<BR> &nbsp; &nbsp; &nbsp; as domain member server, 34
-<BR> &nbsp; &nbsp; &nbsp; downloading, 45
-<BR> &nbsp; &nbsp; &nbsp; examples
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sharing a printer, 8
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sharing disk service, 4-7
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; simple network, 4
-<BR> &nbsp; &nbsp; &nbsp; in a clustered environment, 437
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (see also multihomed system; multiple subnets), 437
-<BR> &nbsp; &nbsp; &nbsp; installing (see installing Samba)
-<BR> &nbsp; &nbsp; &nbsp; manual pages, 52
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; in different languages, 496
-<BR> &nbsp; &nbsp; &nbsp; obtaining, 41
-<BR> &nbsp; &nbsp; &nbsp; overview, 1-41
-<BR> &nbsp; &nbsp; &nbsp; running on a multihomed system, 204
-<BR> &nbsp; &nbsp; &nbsp; troubleshooting (see troubleshooting Samba)
-<BR> &nbsp; &nbsp; &nbsp; upgrading installations, 51
-<BR> &nbsp; &nbsp; &nbsp; variables (see smb.conf file, variables)
-<BR> &nbsp; &nbsp; &nbsp; web site, 41
-<BR>Samba 2.2
-<BR> &nbsp; &nbsp; &nbsp; in a domain hosted by native mode Windows 2000 server, 34
-<BR> &nbsp; &nbsp; &nbsp; issues with Active Directory, 34, 121
-<BR> &nbsp; &nbsp; &nbsp; new features, 36
-<BR>Samba 3.0
-<BR> &nbsp; &nbsp; &nbsp; new features, 38
-<BR> &nbsp; &nbsp; &nbsp; obsolete options
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; blocksize, 404
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; character set, 405
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; client code page, 405
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; code page directory, 405
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; coding system, 405
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; domain guest group, 410
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; force unknown acl user, 413
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ldap admin dn, 417
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ldap filter, 417
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ldap port, 417
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ldap server, 418
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ldap ssl, 418
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ldap suffix, 418
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; nt smb support, 427
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; related to SSL, 438-440
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; status, 440
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; unix extensions, 442
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; userhosts, 443
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; valid chars, 444
-<BR> &nbsp; &nbsp; &nbsp; roles, 38
-<BR>Samba server
-<BR> &nbsp; &nbsp; &nbsp; adding to workgroup, configuration file example, 396
-<BR> &nbsp; &nbsp; &nbsp; connecting from
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows 2000, 107
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 84
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows NT, 96
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows XP, 116
-<BR> &nbsp; &nbsp; &nbsp; connection listings (see smbstatus program)
-<BR> &nbsp; &nbsp; &nbsp; creating directories on, 125
-<BR> &nbsp; &nbsp; &nbsp; restarting, 126
-<BR> &nbsp; &nbsp; &nbsp; sending a print job, 321
-<BR> &nbsp; &nbsp; &nbsp; services, 2
-<BR>Samba Web Administration Tool (see SWAT)
-<BR>Samba-BDC-HOWTO.html, 122
-<BR>Samba-PDC-HOWTO.html, 122
-<BR>Samba's NT LM 0.12, 21
-<BR>SASL (Simple Authentication and Security Layer) standard, 504
-<BR>--sbindir (configure script option), 48
-<BR>scope ID (SMB packet), 16
-<BR>search paths, setting, 52
-<BR>secrets.tdb file, 156
-<BR>security
-<BR> &nbsp; &nbsp; &nbsp; Samba security levels
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; domain (see domain-level security)
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; server (see server-level security)
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; share (see share-level security)
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; user (see user-level security)
-<BR> &nbsp; &nbsp; &nbsp; user-level for Windows 95/98/Me, 129
-<BR> &nbsp; &nbsp; &nbsp; (see also authentication)
-<BR>Security Access Token (SAT), 31
-<BR>Security Account Manager (SAM), 30
-<BR>security identifiers (SIDs), 30
-<BR>security issues
-<BR> &nbsp; &nbsp; &nbsp; creating entries for /etc/passwd and smbpasswd manually, 127
-<BR> &nbsp; &nbsp; &nbsp; disabling oplocks in smb.conf file, 58
-<BR>security mask option (smb.conf file), 261, 436
-<BR>security models, Unix versus Windows, 253
-<BR>security option (smb.conf file), 291, 436
-<BR>sendfile( ) system call, 497
-<BR>server announcements, 229
-<BR>Server Message Block (SMB) protocol (see SMB)
-<BR>server string option (smb.conf file), 200, 436
-<BR>server-level security, 291, 295
-<BR>session parameters, setting, 24
-<BR>session primitives, 17
-<BR>session service, defined, 10
-<BR>session services (NBT)
-<BR> &nbsp; &nbsp; &nbsp; defined, 16
-<BR> &nbsp; &nbsp; &nbsp; tips, 18
-<BR>set directory option (smb.conf file), 353, 436
-<BR>share modes option (smb.conf file), 436
-<BR>share-level security, 290
-<BR> &nbsp; &nbsp; &nbsp; options, 293
-<BR> &nbsp; &nbsp; &nbsp; versus user-level security, 162
-<BR>shares
-<BR> &nbsp; &nbsp; &nbsp; adding new, 402
-<BR> &nbsp; &nbsp; &nbsp; allowing and denying, 415
-<BR> &nbsp; &nbsp; &nbsp; copying configurations, 406
-<BR> &nbsp; &nbsp; &nbsp; deleting, 408
-<BR> &nbsp; &nbsp; &nbsp; denying access to, 403
-<BR> &nbsp; &nbsp; &nbsp; invisible, 233
-<BR> &nbsp; &nbsp; &nbsp; managing connections to (see connection scripts)
-<BR> &nbsp; &nbsp; &nbsp; modifying, 405
-<BR> &nbsp; &nbsp; &nbsp; printers, setting default device mode, 408
-<BR> &nbsp; &nbsp; &nbsp; sections in smb.conf file, 125
-<BR> &nbsp; &nbsp; &nbsp; setting maximum number, 423
-<BR> &nbsp; &nbsp; &nbsp; specifying in browse lists, 403, 404, 431
-<BR> &nbsp; &nbsp; &nbsp; specifying systems that may connect to, 403
-<BR>sharing
-<BR> &nbsp; &nbsp; &nbsp; disk services example, 4-7
-<BR> &nbsp; &nbsp; &nbsp; files
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Mac OS X, 501
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 162
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows NT/2000/XP, 163, 165
-<BR> &nbsp; &nbsp; &nbsp; printers (see printers, sharing)
-<BR>Sharpe, Richard, 19
-<BR>short preserve case option (smb.conf file), 264, 266, 436
-<BR>show add printer wizard option (smb.conf file), 437
-<BR>shutdown script option (smb.conf file), 437
-<BR>SIDs (security identifiers), 30
-<BR>SMB, 2
-<BR> &nbsp; &nbsp; &nbsp; CIFS and, 21
-<BR> &nbsp; &nbsp; &nbsp; clients, 21
-<BR> &nbsp; &nbsp; &nbsp; command format, 19
-<BR> &nbsp; &nbsp; &nbsp; connections, troubleshooting, 371-377
-<BR> &nbsp; &nbsp; &nbsp; groups, 15
-<BR> &nbsp; &nbsp; &nbsp; header fields, 19
-<BR> &nbsp; &nbsp; &nbsp; header format, 19
-<BR> &nbsp; &nbsp; &nbsp; message format, 19
-<BR> &nbsp; &nbsp; &nbsp; network, overview, 9-18
-<BR> &nbsp; &nbsp; &nbsp; online summary, 19
-<BR> &nbsp; &nbsp; &nbsp; packets, 16
-<BR> &nbsp; &nbsp; &nbsp; protocol
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; additional information, 20
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; negotiating a protocol variant, 22
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; overview, 18-26
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; versions, 20
-<BR> &nbsp; &nbsp; &nbsp; servers, 21
-<BR> &nbsp; &nbsp; &nbsp; simple connection, 22
-<BR>smb passwd file option (smb.conf file), 306, 437
-<BR>SMB sniffer (Ethereal), 20
-<BR>smbcacls program, 40, 470
-<BR>smbclient commands, 168
-<BR>smbclient program, 40, 67, 161, 165-174, 472-478
-<BR> &nbsp; &nbsp; &nbsp; authenticating with, 167
-<BR> &nbsp; &nbsp; &nbsp; compared to smbfs and smbsh, 165
-<BR> &nbsp; &nbsp; &nbsp; creating and restoring backups, 172-174
-<BR> &nbsp; &nbsp; &nbsp; file transfer, 170
-<BR> &nbsp; &nbsp; &nbsp; interactive session, 168-171
-<BR> &nbsp; &nbsp; &nbsp; listing services, 165
-<BR> &nbsp; &nbsp; &nbsp; programming with, 171
-<BR> &nbsp; &nbsp; &nbsp; security and, 168
-<BR> &nbsp; &nbsp; &nbsp; sending a file to the printer, 325
-<BR> &nbsp; &nbsp; &nbsp; testing
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; browsing, 377
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; connections with, 373
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; locally with, 372
-<BR>smb.conf file, 187-215
-<BR> &nbsp; &nbsp; &nbsp; adding user passwords, 75
-<BR> &nbsp; &nbsp; &nbsp; bracketed names, 188
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; (see also shares, sections in smb.conf file)
-<BR> &nbsp; &nbsp; &nbsp; capitalization, 189
-<BR> &nbsp; &nbsp; &nbsp; comments, 190
-<BR> &nbsp; &nbsp; &nbsp; configuring winbind, 309
-<BR> &nbsp; &nbsp; &nbsp; creating and modifying (see SWAT)
-<BR> &nbsp; &nbsp; &nbsp; disabling oplocks, 58
-<BR> &nbsp; &nbsp; &nbsp; encrypted passwords and, 55
-<BR> &nbsp; &nbsp; &nbsp; examples, 187
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; configuring Samba to use another WINS server, 396
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; disk share, 201-203
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; enabling Samba as WINS server, 395
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; server configuration file, 198-201
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; setting Samba as domain member server, 400
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; setting Samba as PDC, 397-399
-<BR> &nbsp; &nbsp; &nbsp; file structure, 188-191
-<BR> &nbsp; &nbsp; &nbsp; getting started, 54-60
-<BR> &nbsp; &nbsp; &nbsp; [global] section, 193
-<BR> &nbsp; &nbsp; &nbsp; include option, 193
-<BR> &nbsp; &nbsp; &nbsp; line continuation, 189
-<BR> &nbsp; &nbsp; &nbsp; location from bundled installation, 42
-<BR> &nbsp; &nbsp; &nbsp; logon scripts (see logon scripts)
-<BR> &nbsp; &nbsp; &nbsp; Mac OS X, 509
-<BR> &nbsp; &nbsp; &nbsp; making significant changes, 190
-<BR> &nbsp; &nbsp; &nbsp; modifying Samba to be a PDC, 122-125
-<BR> &nbsp; &nbsp; &nbsp; modifying Samba to be domain member server, 157
-<BR> &nbsp; &nbsp; &nbsp; name resolution, 219
-<BR> &nbsp; &nbsp; &nbsp; options, 188, 195-198
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; access control, 287-288
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ACLs, 260-262
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; browsing, 233-239
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; connection scripts, 275-277
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; disk share, 202
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; dot files, 240
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; file and directory permissions, 250-253
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; filesystem, 243-245
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; internationalization, 343-346
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; locks and oplocks, 270-274
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; logging, 210-215
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; name mangling, 265-267
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; name resolution, 221-224
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; networking, 204-208
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; NIS, 280
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; password, 303-307
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; printing, 333-338
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; server, 199
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; time synchronization, 341-342
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; virtual servers, 209
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; winbind, 317-319
-<BR> &nbsp; &nbsp; &nbsp; [printers] section, 195
-<BR> &nbsp; &nbsp; &nbsp; roaming profiles, 138
-<BR> &nbsp; &nbsp; &nbsp; runtime changes, 190
-<BR> &nbsp; &nbsp; &nbsp; shares, 125, 194
-<BR> &nbsp; &nbsp; &nbsp; smbmount program and, 174
-<BR> &nbsp; &nbsp; &nbsp; smbsh and, 179
-<BR> &nbsp; &nbsp; &nbsp; testing, 59
-<BR> &nbsp; &nbsp; &nbsp; variables, 191-193
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; example of use, 193
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; table, 192
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; used at runtime, 140
-<BR> &nbsp; &nbsp; &nbsp; WINS support, 71
-<BR>smbcontrol program, 40, 478
-<BR>smbd daemon, 3, 39, 61, 451
-<BR> &nbsp; &nbsp; &nbsp; checking with telnet, 369
-<BR> &nbsp; &nbsp; &nbsp; starting automatically, 61-65
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; BSD Unix, 61
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Darwin and Mac OS X, 64
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; System V Unix, 61
-<BR> &nbsp; &nbsp; &nbsp; starting from inetd, 66
-<BR> &nbsp; &nbsp; &nbsp; starting manually, 61
-<BR> &nbsp; &nbsp; &nbsp; testing, 66
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; automatic startup, 65
-<BR>smbfs filesystem, 161, 174-178
-<BR> &nbsp; &nbsp; &nbsp; compared to smbclient, 165
-<BR> &nbsp; &nbsp; &nbsp; installing Samba with support for, 498
-<BR> &nbsp; &nbsp; &nbsp; mounting automatically, 177
-<BR>smbgroupedit program, 40, 479
-<BR>smbmnt program, 40, 174, 480
-<BR>smbmount program, 40, 175, 481
-<BR> &nbsp; &nbsp; &nbsp; installing Samba with support for, 498
-<BR> &nbsp; &nbsp; &nbsp; options, 178
-<BR> &nbsp; &nbsp; &nbsp; smb.conf file, 174
-<BR>SMBnegprot request, 23
-<BR>smbpasswd file, 126, 299-300
-<BR> &nbsp; &nbsp; &nbsp; creating entries manually, 127
-<BR>smbpasswd program, 41, 55, 483
-<BR>smbprint program, 330
-<BR>smbprint.sysv, 330
-<BR>SMBSesssetupX command, 24
-<BR>smbsh program, 41, 161, 179, 485
-<BR> &nbsp; &nbsp; &nbsp; compared to smbclient, 165
-<BR> &nbsp; &nbsp; &nbsp; installing Samba with support for, 498
-<BR> &nbsp; &nbsp; &nbsp; interactive session, 179
-<BR> &nbsp; &nbsp; &nbsp; smb.conf file, 179
-<BR>smbspool, 330
-<BR>smbspool program, 41, 486
-<BR>smbspool utility, 332
-<BR>smbstatus program, 8, 41, 487
-<BR>smbtar program, 41, 487
-<BR>SMBtconX message, 25
-<BR>smbumount program, 41, 488
-<BR>smbutil program, 161, 181
-<BR> &nbsp; &nbsp; &nbsp; options, 183
-<BR> &nbsp; &nbsp; &nbsp; testing print configuration, 326
-<BR>smbwrapper library, 179, 498
-<BR>socket address option (smb.conf file), 437
-<BR>socket options option (smb.conf file), 437
-<BR>source environment option (smb.conf file), 437
-<BR>source/config.status file, 51
-<BR>spin locks, 498
-<BR>SSL
-<BR> &nbsp; &nbsp; &nbsp; installing Samba to support, 498
-<BR> &nbsp; &nbsp; &nbsp; options, 438-440
-<BR>ssl CA certDir option (smb.conf file), 438
-<BR>ssl CA certFile option (smb.conf file), 438
-<BR>ssl ciphers option (smb.conf file), 438
-<BR>ssl client cert option (smb.conf file), 438
-<BR>ssl client key option (smb.conf file), 438
-<BR>ssl compatibility option (smb.conf file), 439
-<BR>ssl hosts option (smb.conf file), 439
-<BR>ssl hosts resign option (smb.conf file), 439
-<BR>ssl option (smb.conf file), 438
-<BR>ssl require clientcert option (smb.conf file), 439
-<BR>ssl require servercert option (smb.conf file), 439
-<BR>ssl server cert option (smb.conf file), 439
-<BR>ssl server key option (smb.conf file), 440
-<BR>ssl version option (smb.conf file), 440
-<BR>stat cache option (smb.conf file), 354, 440
-<BR>stat cache size option (smb.conf file), 354, 440
-<BR>status option (smb.conf file), 440
-<BR>status (smb.conf file), 353
-<BR>Stern, Hal, 383
-<BR>strace command, 359
-<BR>strict allocate option (smb.conf file), 440
-<BR>strict locking option (smb.conf file), 271, 441
-<BR>strict sync option (smb.conf file), 353, 441
-<BR>strip dot option (smb.conf file), 353, 441
-<BR>subnets, workgroups spanning multiple, 34
-<BR>superuser (root) access, 285
-<BR>SWAT
-<BR> &nbsp; &nbsp; &nbsp; enabling, 52
-<BR> &nbsp; &nbsp; &nbsp; login, 56
-<BR> &nbsp; &nbsp; &nbsp; specifying where to install files for, 498
-<BR> &nbsp; &nbsp; &nbsp; using, 56-58
-<BR>symbolic links, 242
-<BR> &nbsp; &nbsp; &nbsp; creating before clients are added to network, 147
-<BR> &nbsp; &nbsp; &nbsp; in file shares, 412
-<BR>symlinks option (smb.conf file), 242
-<BR>sync always option (smb.conf file), 353, 441
-<BR>synchronization, password (see passwords, synchronization)
-<BR>synchronization problems with WINS servers in Samba, 33, 71
-<BR>syslog, 211
-<BR> &nbsp; &nbsp; &nbsp; error logging, installing Samba to support, 498
-<BR>syslog only option (smb.conf file), 215, 441
-<BR>syslog option (smb.conf file), 214, 441
-<BR>syslog.conf file, 212
-<BR>system group file, 283
-<BR>system policies, 152-156
-<BR> &nbsp; &nbsp; &nbsp; Windows Me, 155
-<BR>System Policy Editor, 152-156
-<BR>System V Unix
-<BR> &nbsp; &nbsp; &nbsp; automatically starting Samba daemons, 61
-<BR> &nbsp; &nbsp; &nbsp; printers, 331
-
-<P><A NAME="T"><B>T</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%T variable, 192
-<BR>TCP, troubleshooting, 367
-<BR>tcpdump program, 360
-<BR> &nbsp; &nbsp; &nbsp; download, 22
-<BR> &nbsp; &nbsp; &nbsp; example, 22
-<BR>TCP/IP
-<BR> &nbsp; &nbsp; &nbsp; adding to Windows 95/98/Me network, 76
-<BR> &nbsp; &nbsp; &nbsp; configuring for Windows 2000, 100
-<BR> &nbsp; &nbsp; &nbsp; configuring for Windows 95/98/Me, 78
-<BR> &nbsp; &nbsp; &nbsp; configuring for Windows NT, 89
-<BR> &nbsp; &nbsp; &nbsp; configuring for Windows XP, 110
-<BR> &nbsp; &nbsp; &nbsp; Windows NT, 88
-<BR>telnet, checking smbd with, 369
-<BR>template homedir option (smb.conf file), 314, 319, 441
-<BR>template shell option (smb.conf file), 314, 319, 442
-<BR>Temporary Internet Files folder, 143
-<BR>test utilities, troubleshooting with, 359-362
-<BR>testing Samba (see testparm program; troubleshooting Samba)
-<BR>testparm program, 41, 59, 125, 489
-<BR> &nbsp; &nbsp; &nbsp; testing daemons with, 370
-<BR>testprns program, 41, 489
-<BR>Thompson, Robert Bruce, 87
-<BR>time offset option (smb.conf file), 341, 442
-<BR>time server option (smb.conf file), 341, 442
-<BR>time service, 340
-<BR> &nbsp; &nbsp; &nbsp; configuring in Samba for network use, 124
-<BR>time synchronization, 339-342
-<BR>time to live (TTL), 424, 425
-<BR>timestamp logs option (smb.conf file), 214, 442
-<BR>timestamps
-<BR> &nbsp; &nbsp; &nbsp; changing in logs, 407
-<BR> &nbsp; &nbsp; &nbsp; importance of, 142
-<BR>time-synchronization options, 341-342
-<BR>total print jobs option (smb.conf file), 442
-<BR>trace command, 359
-<BR>translating between IP addresses or DNS names and NetBIOS names, 182
-<BR>tree identifier (TID), defined, 22
-<BR>Tridgell, Andrew, 2, 360
-<BR>troubleshooting Samba, 355-393
-<BR> &nbsp; &nbsp; &nbsp; browsing, 377-383
-<BR> &nbsp; &nbsp; &nbsp; fault tree, 362-391
-<BR> &nbsp; &nbsp; &nbsp; hostnames, 384
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; long and short, 386
-<BR> &nbsp; &nbsp; &nbsp; localhost issues, 388
-<BR> &nbsp; &nbsp; &nbsp; low-level IP, 362-367
-<BR> &nbsp; &nbsp; &nbsp; name services, 383-388
-<BR> &nbsp; &nbsp; &nbsp; NetBIOS names, 390
-<BR> &nbsp; &nbsp; &nbsp; network addresses, 388-390
-<BR> &nbsp; &nbsp; &nbsp; server daemons, 368-371
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; checking smbd with telnet, 369
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; looking for daemon processes with ps, 368
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; looking for daemons bound to ports, 369
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; testing daemons with testparm, 370
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tracking daemon startup, 368
-<BR> &nbsp; &nbsp; &nbsp; SMB connections, 371-377
-<BR> &nbsp; &nbsp; &nbsp; TCP, 367
-<BR> &nbsp; &nbsp; &nbsp; testing
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; browsing the server from the client, 382
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; browsing with smbclient, 377
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; client browsing with net view, 381
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; clients with nmblookup, 380
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; connections with net use, 374
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; connections with ping, 364
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; connections with smbclient, 373
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; connections with Windows Explorer, 376
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; locally with smbclient, 372
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; name services with ping, 363
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; network software with ping, 363
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; network with nmblookup, 381
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; networking hardware with ping, 364
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; servers with nmblookup, 379
-<BR> &nbsp; &nbsp; &nbsp; tools, 355
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; log files, 356-359
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ping, 363-367
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; test utilities, 359-362
-<BR> &nbsp; &nbsp; &nbsp; unusual delays, 387
-<BR>truss command, 359
-<BR>trust relationships, 33
-<BR>trusted domains, 403
-<BR>tusc command, 359
-<BR>tutorials, Samba, 45
-<P><A NAME="U"><B>U</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%U variable, 192, 283
-<BR>%u variable, 140, 144, 192, 283
-<BR>umasks, 247
-<BR>UNC (Universal Naming Convention) defined, 6
-<BR>Unicode, 456
-<BR>uniform resource locators (see URLs)
-<BR>Unix
-<BR> &nbsp; &nbsp; &nbsp; ACLs, 259
-<BR> &nbsp; &nbsp; &nbsp; CIFS extensions, 37
-<BR> &nbsp; &nbsp; &nbsp; configuring clients to access shared resources, 161-186
-<BR> &nbsp; &nbsp; &nbsp; file permissions, 245-253
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; versus ACLs, 31
-<BR> &nbsp; &nbsp; &nbsp; permission bits summary, 247
-<BR> &nbsp; &nbsp; &nbsp; viewing processes, 8
-<BR>unix extensions option (smb.conf file), 442
-<BR>unix password sync option (smb.conf file), 300, 304, 442
-<BR>unix2dos program, 139, 170
-<BR>update encrypted option (smb.conf file), 306, 443
-<BR>upgrading Samba, 50, 51
-<BR>URLs, defined, 6
-<BR>use client driver option (smb.conf file), 443
-<BR>use mmap option (smb.conf file), 443
-<BR>use rhosts option (smb.conf file), 307, 443
-<BR>use sendfile option (smb.conf file), 443
-<BR>user accounting, 498
-<BR>USER environment variable, 167
-<BR>user ID (UID), 31
-<BR>user option (smb.conf file), 443
-<BR>USER.DAT file, 141
-<BR>user-level security, 290, 294
-<BR> &nbsp; &nbsp; &nbsp; for Windows 95/98/Me, 129
-<BR> &nbsp; &nbsp; &nbsp; versus share-level security, 162
-<BR>username level option (smb.conf file), 290, 444
-<BR>username map option (smb.conf file), 289, 444
-<BR>username option (smb.conf file), 293, 443
-<BR>users
-<BR> &nbsp; &nbsp; &nbsp; account files in Windows, 29
-<BR> &nbsp; &nbsp; &nbsp; adding new, 402
-<BR> &nbsp; &nbsp; &nbsp; adding to
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows 2000, 104
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 83
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows NT, 95
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Windows XP, 115
-<BR> &nbsp; &nbsp; &nbsp; debugging particular, 407
-<BR> &nbsp; &nbsp; &nbsp; deleting account automatically, 409
-<BR> &nbsp; &nbsp; &nbsp; group membership, overriding, 413
-<BR> &nbsp; &nbsp; &nbsp; multiple, adding in Unix, 284-285
-<BR> &nbsp; &nbsp; &nbsp; single, adding in Unix, 282-284
-<BR> &nbsp; &nbsp; &nbsp; specifying read-only access, 433
-<BR>users option (smb.conf file), 444
-<BR>/usr/local/etc/nsmb.conf file, 181
-<BR>utmp directory option (smb.conf file), 444
-<BR>utmp file, 498
-<BR>utmp option (smb.conf file), 444
-<P><A NAME="V"><B>V</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>%v variable, 192
-<BR>valid chars option (smb.conf file), 346, 444
-<BR>valid users option (smb.conf file), 282, 287, 444
-<BR>variables used at runtime in smb.conf file (see smb.conf file, variables)
-<BR>veto files option (smb.conf file), 241, 244, 445
-<BR>veto oplock files option (smb.conf file), 269, 270, 273, 445
-<BR>vetoing files, 240-242
-<BR>vfs object option (smb.conf file), 445
-<BR>vfs options option (smb.conf file), 445
-<BR>vi text editor, 139
-<BR>vim text editor, 139
-<BR>virtual servers, 208
-<BR> &nbsp; &nbsp; &nbsp; configuration options, 209
-<BR>volume option (smb.conf file), 203, 445
-<BR>VPN (virtual private network), 498
-
-<P><A NAME="W"><B>W</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>wbinfo program, 41, 489
-<BR>wide links option (smb.conf file), 242, 244, 445
-<BR>winbind, 37
-<BR> &nbsp; &nbsp; &nbsp; authentication with, 307-319
-<BR> &nbsp; &nbsp; &nbsp; configuration options, 317-319
-<BR> &nbsp; &nbsp; &nbsp; configuring in smb.conf file, 309
-<BR> &nbsp; &nbsp; &nbsp; installing, 308
-<BR> &nbsp; &nbsp; &nbsp; installing Samba to support, 499
-<BR> &nbsp; &nbsp; &nbsp; RID mapping file, 310
-<BR> &nbsp; &nbsp; &nbsp; verifying it's working properly, 310-313
-<BR>winbind cache time option (smb.conf file), 319, 445
-<BR>winbind enum groups option (smb.conf file), 446
-<BR>winbind enum users option (smb.conf file), 445
-<BR>winbind gid option (smb.conf file), 318, 446
-<BR>winbind separator option (smb.conf file), 317, 446
-<BR>winbind uid option (smb.conf file), 318, 446
-<BR>winbindd daemon, 39, 41, 454
-<BR>Windows
-<BR> &nbsp; &nbsp; &nbsp; components, 69
-<BR> &nbsp; &nbsp; &nbsp; configuring clients to access shared resources, 68-119
-<BR> &nbsp; &nbsp; &nbsp; domain with a local master and local backup browser (diagram), 33
-<BR> &nbsp; &nbsp; &nbsp; .ini files, 187
-<BR> &nbsp; &nbsp; &nbsp; networking concepts, 68-76
-<BR> &nbsp; &nbsp; &nbsp; operating systems and password format defaults, 296
-<BR> &nbsp; &nbsp; &nbsp; printers, setting up, 8
-<BR> &nbsp; &nbsp; &nbsp; registry settings and passwords, 74
-<BR> &nbsp; &nbsp; &nbsp; user account files, 29
-<BR>Windows 2000
-<BR> &nbsp; &nbsp; &nbsp; ACLs, 253-262
-<BR> &nbsp; &nbsp; &nbsp; adding users, 104
-<BR> &nbsp; &nbsp; &nbsp; bindings, 100
-<BR> &nbsp; &nbsp; &nbsp; client connecting to Samba server, 107
-<BR> &nbsp; &nbsp; &nbsp; computer names, 103
-<BR> &nbsp; &nbsp; &nbsp; configuring for roaming profiles, 148
-<BR> &nbsp; &nbsp; &nbsp; configuring TCP/IP, 100
-<BR> &nbsp; &nbsp; &nbsp; DNS configuration, 101
-<BR> &nbsp; &nbsp; &nbsp; domain logons, 133-135
-<BR> &nbsp; &nbsp; &nbsp; identify node type, ipconfig /all command, 13
-<BR> &nbsp; &nbsp; &nbsp; IP addresses, 100
-<BR> &nbsp; &nbsp; &nbsp; LMHOSTS file, 102
-<BR> &nbsp; &nbsp; &nbsp; networking components, 99
-<BR> &nbsp; &nbsp; &nbsp; registry file, 141
-<BR> &nbsp; &nbsp; &nbsp; security model (see ACLs)
-<BR> &nbsp; &nbsp; &nbsp; servers
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; operating in native mode, 34
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; PDC emulation mode, 34
-<BR> &nbsp; &nbsp; &nbsp; setting path to directory of roaming profiles, 420
-<BR> &nbsp; &nbsp; &nbsp; setting up, 98-108
-<BR> &nbsp; &nbsp; &nbsp; sharing files, 163
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; setting permissions, 165
-<BR> &nbsp; &nbsp; &nbsp; WINS server, 101
-<BR> &nbsp; &nbsp; &nbsp; workgroups, 103
-<BR>Windows 95/98/Me
-<BR> &nbsp; &nbsp; &nbsp; accessing Samba server, 84
-<BR> &nbsp; &nbsp; &nbsp; adding TCP/IP, 76
-<BR> &nbsp; &nbsp; &nbsp; authentication, 28
-<BR> &nbsp; &nbsp; &nbsp; bindings, 80
-<BR> &nbsp; &nbsp; &nbsp; configuring for roaming profiles, 147
-<BR> &nbsp; &nbsp; &nbsp; configuring TCP/IP, 78
-<BR> &nbsp; &nbsp; &nbsp; DNS configuration, 79
-<BR> &nbsp; &nbsp; &nbsp; domain logons, 128-131
-<BR> &nbsp; &nbsp; &nbsp; identify node type, 13
-<BR> &nbsp; &nbsp; &nbsp; IP addresses, 78
-<BR> &nbsp; &nbsp; &nbsp; LMHOSTS file, 80
-<BR> &nbsp; &nbsp; &nbsp; NetBIOS, 80
-<BR> &nbsp; &nbsp; &nbsp; registry file, 141
-<BR> &nbsp; &nbsp; &nbsp; security model, 253
-<BR> &nbsp; &nbsp; &nbsp; setting computer name, 81
-<BR> &nbsp; &nbsp; &nbsp; setting up, 76-87
-<BR> &nbsp; &nbsp; &nbsp; setting workgroup, 81
-<BR> &nbsp; &nbsp; &nbsp; sharing files, 162
-<BR> &nbsp; &nbsp; &nbsp; system policies, 155
-<BR> &nbsp; &nbsp; &nbsp; user-level security for, 129
-<BR> &nbsp; &nbsp; &nbsp; username and password, 83
-<BR> &nbsp; &nbsp; &nbsp; WINS configuration, 78
-<BR> &nbsp; &nbsp; &nbsp; (see also Windows)
-<BR>Windows Explorer, testing connections with, 376
-<BR>Windows Internet Name Service (see WINS)
-<BR>Windows Internet Naming Service (WINS) Architecture and Capacity Planning, 218
-<BR>Windows Messenger Service, 346-348
-<BR>Windows NT
-<BR> &nbsp; &nbsp; &nbsp; ACLs, 253-262
-<BR> &nbsp; &nbsp; &nbsp; adding a user, 95
-<BR> &nbsp; &nbsp; &nbsp; basic configuration, 87
-<BR> &nbsp; &nbsp; &nbsp; bindings, 93
-<BR> &nbsp; &nbsp; &nbsp; computer names, 93
-<BR> &nbsp; &nbsp; &nbsp; configuring for roaming profiles, 148
-<BR> &nbsp; &nbsp; &nbsp; configuring TCP/IP, 89
-<BR> &nbsp; &nbsp; &nbsp; connecting to a Samba server, 96
-<BR> &nbsp; &nbsp; &nbsp; DNS configuration, 92
-<BR> &nbsp; &nbsp; &nbsp; domains, 120-160
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; logons, 131-133
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; overview, 29-34
-<BR> &nbsp; &nbsp; &nbsp; identify node type, ipconfig /all command, 13
-<BR> &nbsp; &nbsp; &nbsp; installing Workstation service, 89
-<BR> &nbsp; &nbsp; &nbsp; IP addresses, 90
-<BR> &nbsp; &nbsp; &nbsp; LMHOSTS file, 92
-<BR> &nbsp; &nbsp; &nbsp; registry file, 141
-<BR> &nbsp; &nbsp; &nbsp; security model, 30
-<BR> &nbsp; &nbsp; &nbsp; security model (see ACLs)
-<BR> &nbsp; &nbsp; &nbsp; setting path to directory of roaming profiles, 420
-<BR> &nbsp; &nbsp; &nbsp; setting up, 87-98
-<BR> &nbsp; &nbsp; &nbsp; sharing files, 163
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; setting permissions, 165
-<BR> &nbsp; &nbsp; &nbsp; TCP/IP installing, 88
-<BR> &nbsp; &nbsp; &nbsp; WINS server, 90
-<BR> &nbsp; &nbsp; &nbsp; workgroups, 93
-<BR>Windows NT domain options, 158
-<BR>Windows Time Service, 340
-<BR>Windows Workgroups (see workgroups)
-<BR>Windows XP
-<BR> &nbsp; &nbsp; &nbsp; ACLs, 253-262
-<BR> &nbsp; &nbsp; &nbsp; adding users, 115
-<BR> &nbsp; &nbsp; &nbsp; bindings, 110
-<BR> &nbsp; &nbsp; &nbsp; computer names, 113
-<BR> &nbsp; &nbsp; &nbsp; configuring for roaming profiles, 148
-<BR> &nbsp; &nbsp; &nbsp; configuring TCP/IP, 110
-<BR> &nbsp; &nbsp; &nbsp; connecting to Samba server, 116
-<BR> &nbsp; &nbsp; &nbsp; DNS configuration, 111
-<BR> &nbsp; &nbsp; &nbsp; domain logons, 135-137
-<BR> &nbsp; &nbsp; &nbsp; Home version, problems in a domain environment, 135
-<BR> &nbsp; &nbsp; &nbsp; identify node type, ipconfig /all command, 13
-<BR> &nbsp; &nbsp; &nbsp; IP addresses, 111
-<BR> &nbsp; &nbsp; &nbsp; LMHOSTS file, 112
-<BR> &nbsp; &nbsp; &nbsp; networking components, 109
-<BR> &nbsp; &nbsp; &nbsp; registry file, 141
-<BR> &nbsp; &nbsp; &nbsp; security model (see ACLs)
-<BR> &nbsp; &nbsp; &nbsp; setting path to directory of roaming profiles, 420
-<BR> &nbsp; &nbsp; &nbsp; setting up, 109-119
-<BR> &nbsp; &nbsp; &nbsp; sharing files, 163
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; setting permissions, 165
-<BR> &nbsp; &nbsp; &nbsp; WINS server, 112
-<BR> &nbsp; &nbsp; &nbsp; workgroups, 113
-<BR>winipcfg command (Windows 95/98/Me), 13
-<BR>WinPopup tool, 346
-<BR>.win_profile directory, 144
-<BR> &nbsp; &nbsp; &nbsp; example, 145
-<BR>WINS, 32
-<BR> &nbsp; &nbsp; &nbsp; client and a server interaction, 218
-<BR> &nbsp; &nbsp; &nbsp; configuration, Windows 95/98/Me, 78
-<BR> &nbsp; &nbsp; &nbsp; proxy, configuring, 221
-<BR> &nbsp; &nbsp; &nbsp; replication, 38
-<BR> &nbsp; &nbsp; &nbsp; support, smb.conf file, 71
-<BR>wins hook option (smb.conf file), 223, 446
-<BR>wins proxy option (smb.conf file), 221, 222, 446
-<BR>wins server option (smb.conf file), 220, 222, 446
-<BR>WINS servers
-<BR> &nbsp; &nbsp; &nbsp; configuring a DNS proxy, 220
-<BR> &nbsp; &nbsp; &nbsp; configuring Samba to use another, 220
-<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; configuration file example, 396
-<BR> &nbsp; &nbsp; &nbsp; enabling Samba as, configuration file example, 395
-<BR> &nbsp; &nbsp; &nbsp; multiple, 32
-<BR> &nbsp; &nbsp; &nbsp; primary (see primary WINS server)
-<BR> &nbsp; &nbsp; &nbsp; setting Samba as, 220
-<BR> &nbsp; &nbsp; &nbsp; synchronization problems in Samba, 71
-<BR> &nbsp; &nbsp; &nbsp; Windows 2000, 101
-<BR> &nbsp; &nbsp; &nbsp; Windows NT, 90
-<BR> &nbsp; &nbsp; &nbsp; Windows XP, 112
-<BR>wins support option (smb.conf file), 222, 447
-<BR>wins support parameter (smb.conf file), 220
-<BR>with feature option, configuring Samba, 47
-<BR>--with-acl-support (configure script option), 495
-<BR>--with-afs (configure script option), 495
-<BR>--with-automount (configure script option), 495
-<BR>--with-codepagedir (configure script option), 495
-<BR>--with-configdir (configure script option), 495
-<BR>--with-dce-dfs (configure script option), 495
-<BR>--with-fhs (configure script option), 495
-<BR>--with-included-popt (configure script option), 495
-<BR>--with-krb4 (configure script option), 495
-<BR>--with-krb5 (configure script option), 495
-<BR>--with-ldapsam (configure script option), 496
-<BR>--with-libiconv (configure script option), 496
-<BR>--with-libsmbclient (configure script option), 496
-<BR>--with-lockdir (configure script option), 496
-<BR>--with-logfilebase (configure script option), 496
-<BR>--with-manpages-langs (configure script option), 496
-<BR>--with-msdfs (configure script option), 47, 496
-<BR>--with-nisplus-home (configure script option), 496
-<BR>--with-nisplussam (configure script option), 496
-<BR>without feature option, configuring Samba, 47
-<BR>--with-pam (configure script option), 497
-<BR>--with-pam_smbpass (configure script option), 497
-<BR>--with-piddir (configure script option), 497
-<BR>--with-privatedir (configure script option), 497
-<BR>--with-profiling-data (configure script option), 497
-<BR>--with-quotas (configure script option), 497
-<BR>--with-readline (configure script option), 497
-<BR>--with-sendfile-support (configure script option), 497
-<BR>--with-smbmount (configure script option), 47, 498
-<BR>--with-smbwrapper (configure script option), 47, 498
-<BR>--with-spinlocks (configure script option), 498
-<BR>--with-ssl (configure script option), 498
-<BR>--with-sslinc (configure script option), 498
-<BR>--with-ssllib (configure script option), 498
-<BR>--with-swatdir (configure script option), 498
-<BR>--with-syslog (configure script option), 498
-<BR>--with-tdbsam (configure script option), 498
-<BR>--with-utmp (configure script option), 498
-<BR>--with-winbind (configure script option), 499
-<BR>workgroup option (smb.conf file), 447
-<BR>workgroup parameter (smb.conf file), 200
-<BR>workgroups, 26-29
-<BR> &nbsp; &nbsp; &nbsp; adding first Samba server to, 396
-<BR> &nbsp; &nbsp; &nbsp; defined, 15
-<BR> &nbsp; &nbsp; &nbsp; problems related to, 29
-<BR> &nbsp; &nbsp; &nbsp; spanning multiple subnets, 34
-<BR> &nbsp; &nbsp; &nbsp; Windows 2000, 103
-<BR> &nbsp; &nbsp; &nbsp; Windows 95/98/Me, 81
-<BR> &nbsp; &nbsp; &nbsp; Windows NT, 93
-<BR> &nbsp; &nbsp; &nbsp; Windows XP, 113
-<BR>Workstation service, installing on Windows NT, 89
-<BR>writable option (smb.conf file), 203, 447
-<BR>write cache size option (smb.conf file), 447
-<BR>write list option (smb.conf file), 286, 288, 447
-<BR>write ok option (smb.conf file), 203, 447
-<BR>write raw option (smb.conf file), 448
-<BR>writeable option (smb.conf file), 203, 447
-<P><A NAME="X"><B>X</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
-<BR>XFS filesystem, 37
-<BR>xinetd daemon, 53
-
-<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
-
-</body></html>
diff --git a/docs/htmldocs/using_samba/samba2_s.gif b/docs/htmldocs/using_samba/samba2_s.gif
deleted file mode 100644
index 23d7e5ee64..0000000000
--- a/docs/htmldocs/using_samba/samba2_s.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/samba2_xs.gif b/docs/htmldocs/using_samba/samba2_xs.gif
deleted file mode 100644
index e489480df6..0000000000
--- a/docs/htmldocs/using_samba/samba2_xs.gif
+++ /dev/null
Binary files differ
diff --git a/docs/htmldocs/using_samba/toc.html b/docs/htmldocs/using_samba/toc.html
deleted file mode 100644
index 54d5c3f55f..0000000000
--- a/docs/htmldocs/using_samba/toc.html
+++ /dev/null
@@ -1,138 +0,0 @@
-<html>
-<body bgcolor="#ffffff">
-
-<table border="0" cellpadding="4" cellspacing="4">
-<tr>
-<td>
-<img src="samba2_s.gif" border="0" height="190" width="145" alt="Using Samba,
-2nd Edition" />
-</td>
-<td>
-<h2>Using Samba, 2nd Edition</h2>
-By Jay Ts, Robert Eckstein, and David Collier-Brown<br />
-2nd Edition, February 2003 <br />
-O'Reilly &amp; Associates, ISBN: 0-596-00256-4<br />
-<a href="http://www.oreilly.com/catalog/samba2/"><b>www.oreilly.com/catalog/samba2/</b></a>
-</td>
-</tr>
-</table>
-
-<blockquote>
-<h2>Table of Contents</h2>
-
-<P><B><a href="ch00.html">Preface</a></B>
-
-<P><B><a href="ch01.html">1. Learning the Samba</a></B>
-<BR> &nbsp; &nbsp; &nbsp;What Is Samba?
-<BR> &nbsp; &nbsp; &nbsp;What Can Samba Do for Me?
-<BR> &nbsp; &nbsp; &nbsp;Getting Familiar with an SMB Network
-<BR> &nbsp; &nbsp; &nbsp;An Introduction to the SMB Protocol
-<BR> &nbsp; &nbsp; &nbsp;Windows Workgroups and Domains
-<BR> &nbsp; &nbsp; &nbsp;What's New in Samba 2.2?
-<BR> &nbsp; &nbsp; &nbsp;What's New in Samba 3.0?
-<BR> &nbsp; &nbsp; &nbsp;What Can Samba Do?
-<BR> &nbsp; &nbsp; &nbsp;An Overview of the Samba Distribution
-<BR> &nbsp; &nbsp; &nbsp;How Can I Get Samba?
-
-<P><B><a href="ch02.html">2. Installing Samba on a Unix System</a></B>
-<BR> &nbsp; &nbsp; &nbsp;Bundled Versions
-<BR> &nbsp; &nbsp; &nbsp;Downloading the Samba Distribution
-<BR> &nbsp; &nbsp; &nbsp;Configuring Samba
-<BR> &nbsp; &nbsp; &nbsp;Compiling and Installing Samba
-<BR> &nbsp; &nbsp; &nbsp;Enabling SWAT
-<BR> &nbsp; &nbsp; &nbsp;A Basic Samba Configuration File
-<BR> &nbsp; &nbsp; &nbsp;Firewall Configuration
-<BR> &nbsp; &nbsp; &nbsp;Starting the Samba Daemons
-<BR> &nbsp; &nbsp; &nbsp;Testing the Samba Daemons
-
-<P><B><a href="ch03.html">3. Configuring Windows Clients</a></B>
-<BR> &nbsp; &nbsp; &nbsp;Windows Networking Concepts
-<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows 95/98/Me Computers
-<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows NT 4.0 Computers
-<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows 2000 Computers
-<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows XP Computers
-
-<P><B><a href="ch04.html">4. Windows NT Domains</a></B>
-<BR> &nbsp; &nbsp; &nbsp;Samba as the Primary Domain Controller
-<BR> &nbsp; &nbsp; &nbsp;Adding Computer Accounts
-<BR> &nbsp; &nbsp; &nbsp;Configuring Windows Clients for Domain Logons
-<BR> &nbsp; &nbsp; &nbsp;Logon Scripts
-<BR> &nbsp; &nbsp; &nbsp;Roaming Profiles
-<BR> &nbsp; &nbsp; &nbsp;System Policies
-<BR> &nbsp; &nbsp; &nbsp;Samba as a Domain Member Server
-<BR> &nbsp; &nbsp; &nbsp;Windows NT Domain Options
-
-<P><B><a href="ch05.html">5. Unix Clients</a></B>
-<BR> &nbsp; &nbsp; &nbsp;Sharing Files on Windows 95/98/Me
-<BR> &nbsp; &nbsp; &nbsp;Sharing Files on Windows NT/2000/XP
-<BR> &nbsp; &nbsp; &nbsp;smbclient
-<BR> &nbsp; &nbsp; &nbsp;smbfs
-<BR> &nbsp; &nbsp; &nbsp;smbsh
-<BR> &nbsp; &nbsp; &nbsp;smbutil and mount_smbfs
-
-<P><B><a href="ch06.html">6. The Samba Configuration File</a></B>
-<BR> &nbsp; &nbsp; &nbsp;The Samba Configuration File
-<BR> &nbsp; &nbsp; &nbsp;Special Sections
-<BR> &nbsp; &nbsp; &nbsp;Configuration Options
-<BR> &nbsp; &nbsp; &nbsp;Server Configuration
-<BR> &nbsp; &nbsp; &nbsp;Disk Share Configuration
-<BR> &nbsp; &nbsp; &nbsp;Networking Options with Samba
-<BR> &nbsp; &nbsp; &nbsp;Virtual Servers
-<BR> &nbsp; &nbsp; &nbsp;Logging Configuration Options
-
-<P><B><a href="ch07.html">7. Name Resolution and Browsing</a></B>
-<BR> &nbsp; &nbsp; &nbsp;Name Resolution
-<BR> &nbsp; &nbsp; &nbsp;Browsing
-
-<P><B><a href="ch08.html">8. Advanced Disk Shares</a></B>
-<BR> &nbsp; &nbsp; &nbsp;Filesystem Differences
-<BR> &nbsp; &nbsp; &nbsp;File Permissions and Attributes on MS-DOS and Unix
-<BR> &nbsp; &nbsp; &nbsp;Windows NT/2000/XP ACLs
-<BR> &nbsp; &nbsp; &nbsp;Name Mangling and Case
-<BR> &nbsp; &nbsp; &nbsp;Locks and Oplocks
-<BR> &nbsp; &nbsp; &nbsp;Connection Scripts
-<BR> &nbsp; &nbsp; &nbsp;Microsoft Distributed Filesystems
-<BR> &nbsp; &nbsp; &nbsp;Working with NIS
-
-<P><B><a href="ch09.html">9. Users and Security</a></B>
-<BR> &nbsp; &nbsp; &nbsp;Users and Groups
-<BR> &nbsp; &nbsp; &nbsp;Controlling Access to Shares
-<BR> &nbsp; &nbsp; &nbsp;Authentication of Clients
-<BR> &nbsp; &nbsp; &nbsp;Passwords
-<BR> &nbsp; &nbsp; &nbsp;Authentication with winbind
-
-<P><B><a href="ch10.html">10. Printing</a></B>
-<BR> &nbsp; &nbsp; &nbsp;Sending Print Jobs to Samba
-<BR> &nbsp; &nbsp; &nbsp;Printing to Windows Printers
-
-<P><B><a href="ch11.html">11. Additional Samba Information</a></B>
-<BR> &nbsp; &nbsp; &nbsp;Time Synchronization
-<BR> &nbsp; &nbsp; &nbsp;Magic Scripts
-<BR> &nbsp; &nbsp; &nbsp;Internationalization
-<BR> &nbsp; &nbsp; &nbsp;Windows Messenger Service
-<BR> &nbsp; &nbsp; &nbsp;Miscellaneous Options
-
-<P><B><a href="ch12.html">12. Troubleshooting Samba</a></B>
-<BR> &nbsp; &nbsp; &nbsp;The Tool Box
-<BR> &nbsp; &nbsp; &nbsp;The Fault Tree
-<BR> &nbsp; &nbsp; &nbsp;Extra Resources
-
-<P><B><a href="appa.html">Appendix A. Example Configuration Files</a></B>
-
-<P><B><a href="appb.html">Appendix B. Samba Configuration Option Quick Reference</a></B>
-
-<P><B><a href="appc.html">Appendix C. Summary of Samba Daemons and Commands</a></B>
-
-<P><B><a href="appd.html">Appendix D. Downloading Samba with CVS</a></B>
-
-<P><B><a href="appe.html">Appendix E. Configure Options</a></B>
-
-<P><B><a href="appf.html">Appendix F. Running Samba on Mac OS X Server</a></B>
-
-<P><B><a href="appg.html">Appendix G. GNU Free Documentation License</a></B>
-
-<P><B><a href="inx.html">Index</a></B>
-</blockquote>
-
-</body>
-</html>
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-04 10:18:37 +0000