From 9f16d8b72dfc9386bd01a4862c76a254b4ce6df6 Mon Sep 17 00:00:00 2001
From: bubulle
Date: Thu, 18 Jun 2009 04:10:23 +0000
Subject: merge upstream 3.3.5

git-svn-id: svn://svn.debian.org/svn/pkg-samba/trunk/samba@2855 fc4039ab-9d04-0410-8cac-899223bdd6b0
---
 docs/htmldocs/manpages/index.html         |   2 +-
 docs/htmldocs/manpages/net.8.html         |  26 ++-
 docs/htmldocs/manpages/pam_winbind.7.html |  66 -------
 docs/htmldocs/manpages/pam_winbind.8.html | 101 ++++++++++
 docs/htmldocs/manpages/smb.conf.5.html    | 295 +++++++++++++++---------------
 5 files changed, 274 insertions(+), 216 deletions(-)
 delete mode 100644 docs/htmldocs/manpages/pam_winbind.7.html
 create mode 100644 docs/htmldocs/manpages/pam_winbind.8.html

(limited to 'docs/htmldocs/manpages')

diff --git a/docs/htmldocs/manpages/index.html b/docs/htmldocs/manpages/index.html
index 79181781aa..130a807a16 100644
--- a/docs/htmldocs/manpages/index.html
+++ b/docs/htmldocs/manpages/index.html
@@ -29,7 +29,7 @@

nmblookup(1)

NetBIOS over TCP/IP client used to lookup NetBIOS names

ntlm_auth(1)

tool to allow external access to Winbind's NTLM authentication function -

pam_winbind(7)

PAM module for Winbind +

pam_winbind(8)

PAM module for Winbind

pdbedit(8)

manage the SAM database (Database of Samba Users)

profiles(1)

A utility to report and change SIDs in registry files diff --git a/docs/htmldocs/manpages/net.8.html b/docs/htmldocs/manpages/net.8.html index a19e0eec63..5bd0f779b5 100644 --- a/docs/htmldocs/manpages/net.8.html +++ b/docs/htmldocs/manpages/net.8.html @@ -437,8 +437,30 @@ list of one or more filenames. The filenames may contain the usual smb.conf macros like %I.

CONF DELINCLUDES section

Delete the list of includes from the provided section (global or share). -

HELP [COMMAND]

Gives usage information for the specified command.

VERSION

This man page is complete for version 3 of the Samba - suite.

AUTHOR

The original Samba software and related utilities +

DOM

Starting with version 3.2.0 Samba has support for remote join and unjoin APIs, both client and server-side. Windows supports remote join capabilities since Windows 2000. +

In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege. +

The client side support for remote join is implemented in the net dom commands which are: +

net dom join - Join a remote computer into a domain.
net dom unjoin - Unjoin a remote computer from a domain.

+

DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot

+Joins a computer into a domain. This command supports the following additional parameters: +

  • DOMAIN can be a NetBIOS domain name (also known as short domain name) or a DNS domain name for Active Directory Domains. As in Windows, it is also possible to control which Domain Controller to use. This can be achieved by appending the DC name using the \ separator character. Example: MYDOM\MYDC. The DOMAIN parameter cannot be NULL.

  • OU can be set to a RFC 1779 LDAP DN, like ou=mymachines,cn=Users,dc=example,dc=com in order to create the machine account in a non-default LDAP containter. This optional parameter is only supported when joining Active Directory Domains.

  • ACCOUNT defines a domain account that will be used to join the machine to the domain. This domain account needs to have sufficient privileges to join machines.

  • PASSWORD defines the password for the domain account defined with ACCOUNT.

  • REBOOT is an optional parameter that can be set to reboot the remote machine after successful join to the domain.

+Note that you also need to use standard net paramters to connect and authenticate to the remote machine that you want to join. These additional parameters include: -S computer and -U user. +

+ Example: + net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot. +

+This example would connect to a computer named XP as the local administrator using password secret, and join the computer into a domain called MYDOM using the MYDOM domain administrator account and password topsecret. After successful join, the computer would reboot. +

DOM UNJOIN account=ACCOUNT password=PASSWORD reboot

+Unjoins a computer from a domain. This command supports the following additional parameters: +

  • ACCOUNT defines a domain account that will be used to unjoin the machine from the domain. This domain account needs to have sufficient privileges to unjoin machines.

  • PASSWORD defines the password for the domain account defined with ACCOUNT.

  • REBOOT is an optional parameter that can be set to reboot the remote machine after successful unjoin from the domain.

+Note that you also need to use standard net paramters to connect and authenticate to the remote machine that you want to unjoin. These additional parameters include: -S computer and -U user. +

+ Example: + net dom unjoin -S xp -U XP\\administrator%secret account=MYDOM\\administrator password=topsecret reboot. +

+This example would connect to a computer named XP as the local administrator using password secret, and unjoin the computer from the domain using the MYDOM domain administrator account and password topsecret. After successful unjoin, the computer would reboot. +

HELP [COMMAND]

Gives usage information for the specified command.

VERSION

This man page is complete for version 3 of the Samba + suite.

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

The net manpage was written by Jelmer Vernooij.
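
Review bot: Both examples in the new DOM section put credentials on the command line (-U XP\\administrator%secret and password=topsecret), and the added text says nothing about that; add a sentence that values passed this way end up in shell history and can be visible to other local users, and consider showing the examples with an account that holds only SeMachineAccountPrivilege, which the section already lists as sufficient, instead of a domain administrator. Smaller points in the added lines: "containter" in the OU bullet should be "container", "paramters" appears twice and should be "parameters", and "that is either member of the Domain Admins group" wants "a member".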

diff --git a/docs/htmldocs/manpages/pam_winbind.7.html b/docs/htmldocs/manpages/pam_winbind.7.html deleted file mode 100644 index 19669c73b5..0000000000 --- a/docs/htmldocs/manpages/pam_winbind.7.html +++ /dev/null @@ -1,66 +0,0 @@ -pam_winbind

Name

pam_winbind — PAM module for Winbind

DESCRIPTION

This tool is part of the samba(7) suite.

- pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon. -

OPTIONS

- - pam_winbind supports several options which can either be set in - the PAM configuration files or in the pam_winbind configuration - file situated at - /etc/security/pam_winbind.conf. Options - from the PAM configuration file take precedence to those from - the configuration file. - -

debug

Gives debugging output to syslog.

debug_state

Gives detailed PAM state debugging output to syslog.

require_membership_of=[SID or NAME]

- If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID - can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the - SID. That name must have the form: MYDOMAIN\\mygroup or - MYDOMAIN\\myuser. pam_winbind will, in that case, lookup the SID internally. Note that - NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a - user is a member of with wbinfo --user-sids=SID. -

try_first_pass

use_first_pass

- By default, pam_winbind tries to get the authentication token from a previous module. If no token is available - it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication - token from a previous module is available. -

use_authtok

- Set the new password to the one provided by the previously stacked password module. If this option is not set - pam_winbind will ask the user for the new password. -

krb5_auth

- - pam_winbind can authenticate using Kerberos when winbindd is - talking to an Active Directory domain controller. Kerberos - authentication must be enabled with this parameter. When - Kerberos authentication can not succeed (e.g. due to clock - skew), winbindd will fallback to samlogon authentication over - MSRPC. When this parameter is used in conjunction with - winbind refresh tickets, winbind will - keep your Ticket Granting Ticket (TGT) uptodate by refreshing - it whenever necessary. - -

krb5_ccache_type=[type]

- - When pam_winbind is configured to try kerberos authentication - by enabling the krb5_auth option, it can - store the retrieved Ticket Granting Ticket (TGT) in a - credential cache. The type of credential cache can be set with - this option. Currently the only supported value is: - FILE. In that case a credential cache in - the form of /tmp/krb5cc_UID will be created, where UID is - replaced with the numeric user id. Leave empty to just do - kerberos authentication without having a ticket cache after the - logon has succeeded. - -

cached_login

- Winbind allows to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set. -

silent

- Do not emit any messages. -

mkhomedir

- Create homedirectory for a user on-the-fly, option is valid in - PAM session block. -

warn_pwd_expire

- Defines number of days before pam_winbind starts to warn about passwords that are - going to expire. Defaults to 14 days. -

- -

VERSION

This man page is correct for version 3 of Samba.

AUTHOR

- The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by - the Samba Team as an Open Source project similar to the way the Linux kernel is developed. -

This manpage was written by Jelmer Vernooij and Guenther Deschner.

diff --git a/docs/htmldocs/manpages/pam_winbind.8.html b/docs/htmldocs/manpages/pam_winbind.8.html new file mode 100644 index 0000000000..94044ba37c --- /dev/null +++ b/docs/htmldocs/manpages/pam_winbind.8.html @@ -0,0 +1,101 @@ +pam_winbind

Name

pam_winbind — PAM module for Winbind

DESCRIPTION

This tool is part of the samba(7) suite.

+ pam_winbind is a PAM module that can authenticate users against the local domain by talking to the Winbind daemon. +

SYNOPSIS

+ Edit the PAM system config /etc/pam.d/service and modify it as the following example shows: +

+			    ...
+			    auth      required        pam_env.so
+			    auth      sufficient      pam_unix2.so
+			+++ auth      required        pam_winbind.so  use_first_pass
+			    account   requisite       pam_unix2.so
+			+++ account   required        pam_winbind.so  use_first_pass
+			+++ password  sufficient      pam_winbind.so
+			    password  requisite       pam_pwcheck.so  cracklib
+			    password  required        pam_unix2.so    use_authtok
+			    session   required        pam_unix2.so
+			+++ session   required        pam_winbind.so
+			    ...
+		

+ + Make sure that pam_winbind is one of the first modules in the session part. It may retrieve + kerberos tickets which are needed by other modules. +

OPTIONS

+ + pam_winbind supports several options which can either be set in + the PAM configuration files or in the pam_winbind configuration + file situated at + /etc/security/pam_winbind.conf. Options + from the PAM configuration file take precedence to those from + the configuration file. + +

debug

Gives debugging output to syslog.

debug_state

Gives detailed PAM state debugging output to syslog.

require_membership_of=[SID or NAME]

+ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID + can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the + SID. That name must have the form: MYDOMAIN\\mygroup or + MYDOMAIN\\myuser. pam_winbind will, in that case, lookup the SID internally. Note that + NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a + user is a member of with wbinfo --user-sids=SID. +

use_first_pass

+ By default, pam_winbind tries to get the authentication token from a previous module. If no token is available + it asks the user for the old password. With this option, pam_winbind aborts with an error if no authentication + token from a previous module is available. +

try_first_pass

+ Same as the use_first_pass option (previous item), except that if the primary password is not + valid, PAM will prompt for a password. +

use_authtok

+ Set the new password to the one provided by the previously stacked password module. If this option is not set + pam_winbind will ask the user for the new password. +

krb5_auth

+ + pam_winbind can authenticate using Kerberos when winbindd is + talking to an Active Directory domain controller. Kerberos + authentication must be enabled with this parameter. When + Kerberos authentication can not succeed (e.g. due to clock + skew), winbindd will fallback to samlogon authentication over + MSRPC. When this parameter is used in conjunction with + winbind refresh tickets, winbind will + keep your Ticket Granting Ticket (TGT) uptodate by refreshing + it whenever necessary. + +

krb5_ccache_type=[type]

+ + When pam_winbind is configured to try kerberos authentication + by enabling the krb5_auth option, it can + store the retrieved Ticket Granting Ticket (TGT) in a + credential cache. The type of credential cache can be set with + this option. Currently the only supported value is: + FILE. In that case a credential cache in + the form of /tmp/krb5cc_UID will be created, where UID is + replaced with the numeric user id. Leave empty to just do + kerberos authentication without having a ticket cache after the + logon has succeeded. + +

cached_login

+ Winbind allows to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set. +

silent

+ Do not emit any messages. +

mkhomedir

+ Create homedirectory for a user on-the-fly, option is valid in + PAM session block. +

warn_pwd_expire

+ Defines number of days before pam_winbind starts to warn about passwords that are + going to expire. Defaults to 14 days. +

+ +

PAM DATA EXPORTS

This section describes the data exported in the PAM stack which could be used in other PAM modules.

PAM_WINBIND_HOMEDIR

+ This is the Windows Home Directory set in the profile tab in the user settings + on the Active Directory Server. This could be a local path or a directory on a + share mapped to a drive. +

PAM_WINBIND_LOGONSCRIPT

+ The path to the logon script which should be executed if a user logs in. This is + normally a relative path to the script stored on the server. +

PAM_WINBIND_LOGONSERVER

+ This exports the Active Directory server we are authenticating against. This can be + used as a variable later. +

PAM_WINBIND_PROFILEPATH

+ This is the profile path set in the profile tab in the user settings. Noramlly + the home directory is synced with this directory on a share. +

SEE ALSO

wbinfo(1), winbindd(8), smb.conf(5)

VERSION

This man page is correct for version 3 of Samba.

AUTHOR

+ The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by + the Samba Team as an Open Source project similar to the way the Linux kernel is developed. +

This manpage was written by Jelmer Vernooij and Guenther Deschner.
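
Review bot: In the SYNOPSIS example the added session line for pam_winbind.so sits after pam_unix2.so, while the paragraph directly below asks for pam_winbind to be one of the first modules in the session part because it may retrieve Kerberos tickets that other modules need; move the line up in the example or reword the sentence so the two agree. In the same example "password sufficient pam_winbind.so" is placed ahead of "password requisite pam_pwcheck.so cracklib", so a successful winbind password change returns before the cracklib check runs, and a sentence saying whether that is intended would help. Also, "Noramlly" under PAM_WINBIND_PROFILEPATH should be "Normally", and the "+++" markers inside the example are easy to mistake for PAM syntax, so the text should say they only flag the lines to add.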

diff --git a/docs/htmldocs/manpages/smb.conf.5.html b/docs/htmldocs/manpages/smb.conf.5.html index e6462e809e..6b77065d63 100644 --- a/docs/htmldocs/manpages/smb.conf.5.html +++ b/docs/htmldocs/manpages/smb.conf.5.html @@ -365,7 +365,7 @@ chmod 1770 /usr/local/samba/lib/usershares abort shutdown script (G)

This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.

If the connected user posseses the SeRemoteShutdownPrivilege, - right, this command will be run as user.

Default: abort shutdown script = "" + right, this command will be run as root.

Default: abort shutdown script = ""
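
Review bot: Changing "run as user" to "run as root" in the abort shutdown script description documents a root-executed hook that a connected user holding SeRemoteShutdownPrivilege can trigger, yet the paragraph gives no guidance on the script itself; add a sentence that the configured path should be owned by root and not writable by anyone else. While this sentence is being touched, "posseses" should be "possesses", the comma before "right" should go, and "This a full path name" is missing "is".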

Example: abort shutdown script = /sbin/shutdown -c @@ -5265,7 +5265,7 @@ shutdown script (G)

This a full path name to a script called by smbd(8) that should start a shutdown procedure.

If the connected user posseses the SeRemoteShutdownPrivilege, - right, this command will be run as user.

The %z %t %r %f variables are expanded as follows:

  • %z will be substituted with the + right, this command will be run as root.

    The %z %t %r %f variables are expanded as follows:

    • %z will be substituted with the shutdown message sent to the server.

    • %t will be substituted with the number of seconds to wait before effectively starting the shutdown procedure.

    • %r will be substituted with the @@ -5275,12 +5275,13 @@ shutdown script (G) even if applications do not respond for NT.

    Shutdown script example:

     #!/bin/bash
    -		
    -$time=0
    -let "time/60"
    -let "time++"
    +
    +time=$2
    +let time="${time} / 60"
    +let time="${time} + 1"
     
     /sbin/shutdown $3 $4 +$time $1 &
    +
     

    Shutdown does not return so we need to launch it in background.
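
Review bot: The corrected example still expands $1 unquoted in "/sbin/shutdown $3 $4 +$time $1 &"; if the script is invoked with the variables in the order listed above (%z %t %r %f), $1 is the shutdown message sent to the server, so a client-supplied string goes through word splitting and filename globbing in a script that the preceding hunk now documents as running as root. Write "$1" in double quotes and leave only $3 and $4 unquoted, since those may expand to nothing.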

    Default: shutdown script = @@ -5329,15 +5330,15 @@ smb passwd file = /etc/samba/smbpasswd

    Default: smb passwd file = ${prefix}/private/smbpasswd -

+

smb ports (G) -

Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139 +

Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139 -

+

socket address (G) -

This option allows you to control what +

This option allows you to control what address Samba will listen for connections on. This is used to support multiple virtual interfaces on the one server, each with a different configuration.

Setting this option should never be necessary on usual Samba @@ -5346,10 +5347,10 @@ socket address (G)

Example: socket address = 192.168.2.20 -

+

socket options (G) -

This option allows you to set socket options +

This option allows you to set socket options to be used when talking with the client.

Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned.

This option will typically be used to tune your Samba server @@ -5384,10 +5385,10 @@ stat cache (G) speed up case insensitive name mappings. You should never need to change this parameter.

Default: stat cache = yes -

+

store dos attributes (S) -

+

If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such as occurs with map hidden and map readonly). When set, DOS @@ -5414,10 +5415,10 @@ strict allocate (S) out of quota messages on systems that are restricting the disk quota of users.

Default: strict allocate = no -

+

strict locking (S) -

+

This is an enumerated type that controls the handling of file locking in the server. When this is set to yes, the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems. @@ -5433,7 +5434,7 @@ strict locking (S) strict locking = no is acceptable.

Default: strict locking = Auto -

+

strict sync (S)

Many Windows applications (including the Windows 98 explorer @@ -5450,10 +5451,10 @@ strict sync (S) addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies.

Default: strict sync = no -

+

svcctl list (G) -

This option defines a list of init scripts that smbd +

This option defines a list of init scripts that smbd will use for starting and stopping Unix services via the Win32 ServiceControl API. This allows Windows administrators to utilize the MS Management Console plug-ins to manage a @@ -5466,10 +5467,10 @@ svcctl list (G)

Example: svcctl list = cups postfix portmap httpd -

+

sync always (S) -

This is a boolean parameter that controls +

This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns. If this is no then the server will be guided by the client's request in each write call (clients can @@ -5480,19 +5481,19 @@ sync always (S) yes in order for this parameter to have any affect.

Default: sync always = no -

+

syslog only (G) -

+

If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files. There still will be some logging to log.[sn]mbd even if syslog only is enabled.

Default: syslog only = no -

+

syslog (G) -

+

This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps onto LOG_NOTICE, @@ -5503,10 +5504,10 @@ syslog (G) logging to log.[sn]mbd even if syslog only is enabled.

Default: syslog = 1 -

+

template homedir (G) -

When filling out the user information for a Windows NT +

When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the home directory for that user. If the string %D is present it @@ -5514,31 +5515,31 @@ template homedir (G) string %U is present it is substituted with the user's Windows NT user name.

Default: template homedir = /home/%D/%U -

+

template shell (G) -

When filling out the user information for a Windows NT +

When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this - parameter to fill in the login shell for that user.

No default

+ parameter to fill in the login shell for that user.

No default

time offset (G) -

This parameter is a setting in minutes to add +

This parameter is a setting in minutes to add to the normal GMT to local time conversion. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling.

Default: time offset = 0

Example: time offset = 60 -

+

time server (G) -

This parameter determines if nmbd(8) advertises itself as a time server to Windows +

This parameter determines if nmbd(8) advertises itself as a time server to Windows clients.

Default: time server = no -

+

unix charset (G) -

Specifies the charset the unix machine +

Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

This is also the charset Samba will use when specifying arguments @@ -5547,20 +5548,20 @@ unix charset (G)

Example: unix charset = ASCII -

+

unix extensions (G) -

This boolean parameter controls whether Samba - implments the CIFS UNIX extensions, as defined by HP. +

This boolean parameter controls whether Samba + implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.

Default: unix extensions = yes -

+

unix password sync (G) -

This boolean parameter controls whether Samba +

This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to yes the program specified in the passwd @@ -5569,10 +5570,10 @@ unix password sync (G) old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).

Default: unix password sync = no -

+

update encrypted (G) -

+

This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file to be updated automatically as they log on. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the @@ -5590,10 +5591,10 @@ update encrypted (G) passwords.

Default: update encrypted = no -

+

use client driver (S) -

This parameter applies only to Windows NT/2000 +

This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required @@ -5618,10 +5619,10 @@ use client driver (S) on a print share which has valid print driver installed on the Samba server.

Default: use client driver = no -

+

use kerberos keytab (G) -

+

Specifies whether Samba should attempt to maintain service principals in the systems keytab file for host/FQDN and cifs/FQDN.

@@ -5633,10 +5634,10 @@ default_keytab_name = FILE:/etc/krb5.keytab

Default: use kerberos keytab = False -

+

use mmap (G) -

This global parameter determines if the tdb internals of Samba can +

This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to no by @@ -5645,10 +5646,10 @@ use mmap (G) the tdb internal code.

Default: use mmap = yes -

+

username level (G) -

This option helps Samba to try and 'guess' at +

This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the @@ -5663,10 +5664,10 @@ username level (G)

Example: username level = 5 -

+

username map script (G) -

This script is a mutually exclusive alternative to the +

This script is a mutually exclusive alternative to the username map parameter. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication @@ -5677,10 +5678,10 @@ username map script (G)

Example: username map script = /etc/samba/scripts/mapusers.sh -

+

username map (G) -

+

This option allows you to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they @@ -5764,16 +5765,16 @@ username map = /usr/local/samba/lib/users.map

Default: username map = # no username map -

+

user -

This parameter is a synonym for username.

+

This parameter is a synonym for username.

users -

This parameter is a synonym for username.

+

This parameter is a synonym for username.

username (S) -

Multiple users may be specified in a comma-delimited +

Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).

The username line is needed only when the PC is unable to supply its own username. This is the case @@ -5811,28 +5812,28 @@ username (S)

Example: username = fred, mary, jack, jane, @users, @pcgroup -

+

usershare allow guests (G) -

This parameter controls whether user defined shares are allowed +

This parameter controls whether user defined shares are allowed to be accessed by non-authenticated users or not. It is the equivalent of allowing people who can create a share the option of setting guest ok = yes in a share definition. Due to its security sensitive nature, the default is set to off.

Default: usershare allow guests = no -

+

usershare max shares (G) -

This parameter specifies the number of user defined shares +

This parameter specifies the number of user defined shares that are allowed to be created by users belonging to the group owning the usershare directory. If set to zero (the default) user defined shares are ignored.

Default: usershare max shares = 0 -

+

usershare owner only (G) -

This parameter controls whether the pathname exported by +

This parameter controls whether the pathname exported by a user defined shares must be owned by the user creating the user defined share or not. If set to True (the default) then smbd checks that the directory path being shared is owned by @@ -5842,10 +5843,10 @@ usershare owner only (G) regardless of who owns it.

Default: usershare owner only = True -

+

usershare path (G) -

This parameter specifies the absolute path of the directory on the +

This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files. This directory must be owned by root, and have no access for other, and be writable only by the group owner. In addition the @@ -5866,10 +5867,10 @@ usershare path (G) In this case, only members of the group "power_users" can create user defined shares.

Default: usershare path = NULL -

+

usershare prefix allow list (G) -

This parameter specifies a list of absolute pathnames +

This parameter specifies a list of absolute pathnames the root of which are allowed to be exported by user defined share definitions. If the pathname to be exported doesn't start with one of the strings in this list, the user defined share will not be allowed. This allows the Samba @@ -5884,10 +5885,10 @@ usershare prefix allow list (G)

Example: usershare prefix allow list = /home /data /space -

+

usershare prefix deny list (G) -

This parameter specifies a list of absolute pathnames +

This parameter specifies a list of absolute pathnames the root of which are NOT allowed to be exported by user defined share definitions. If the pathname exported starts with one of the strings in this list the user defined share will not be allowed. Any pathname not @@ -5903,10 +5904,10 @@ usershare prefix deny list (G)

Example: usershare prefix deny list = /etc /dev /private -

+

usershare template share (G) -

User defined shares only have limited possible parameters +

User defined shares only have limited possible parameters such as path, guest ok, etc. This parameter allows usershares to "cloned" from an existing share. If "usershare template share" is set to the name of an existing share, then all usershares @@ -5921,10 +5922,10 @@ usershare template share (G)

Example: usershare template share = template_share -

+

use sendfile (S) -

If this parameter is yes, and the sendfile() +

If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPU's @@ -5933,10 +5934,10 @@ use sendfile (S) Windows 9x (using sendfile from Linux will cause these clients to fail).

Default: use sendfile = false -

+

use spnego (G) -

This variable controls controls whether samba will try +

This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
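
Review bot: The added line in the use spnego hunk still reads "This variable controls controls whether samba will try", so the duplicated "controls" is carried over unchanged from the removed line; since the visible text is otherwise identical on both sides, fix the wording in the same edit.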

@@ -5944,10 +5945,10 @@ use spnego (G) implementation, there is no reason this should ever be disabled.

Default: use spnego = yes -

+

utmp directory (G) -

This parameter is only available if Samba has +

This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that @@ -5959,10 +5960,10 @@ utmp directory (G)

Example: utmp directory = /var/run/utmp -

+

utmp (G) -

+

This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records @@ -5974,10 +5975,10 @@ utmp (G) to find this number. This may impede performance on large installations.

Default: utmp = no -

+

valid users (S) -

+

This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter. @@ -5993,10 +5994,10 @@ valid users (S)

Example: valid users = greg, @pcusers -

+

-valid (S) -

This parameter indicates whether a share is +

This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible.

@@ -6005,10 +6006,10 @@ valid users (S) Samba uses this option internally to mark shares as deleted.

Default: -valid = yes -

+

veto files (S) -

+

This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards. @@ -6039,10 +6040,10 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

Default: veto files = No files or directories are vetoed. -

+

veto oplock files (S) -

+

This parameter is only valid when the oplocks parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that @@ -6063,31 +6064,31 @@ veto oplock files = /.*SEM/

Default: veto oplock files = # No files are vetoed for oplock grants -

+

vfs object -

This parameter is a synonym for vfs objects.

+

This parameter is a synonym for vfs objects.

vfs objects (S) -

This parameter specifies the backend names which +

This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects.

Default: vfs objects =

Example: vfs objects = extd_audit recycle -

+

volume (S) -

This allows you to override the volume label +

This allows you to override the volume label returned for a share. Useful for CDROMs with installation programs that insist on a particular volume label.

Default: volume = # the name of the share -

+

wide links (S) -

This parameter controls whether or not links +

This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only @@ -6095,10 +6096,10 @@ wide links (S) effect on your server performance due to the extra system calls that Samba has to do in order to perform the link checks.

Default: wide links = yes -

+

winbind cache time (G) -

This parameter specifies the number of +

This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.
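Review bot: the context line "Default: wide links = yes" sits next to text that names only a performance effect ("due to the extra system calls that Samba has to do in order to perform the link checks"). The parameter decides whether the server follows links in the UNIX file system, and only links that stay inside the exported tree are described as always allowed, so the paragraph should also say what a share can reach when this is left at yes. An administrator reading it then has a reason other than performance to set "wide links = no" on a share.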

@@ -6106,10 +6107,10 @@ winbind cache time (G) evaluated in real time unless the winbind offline logon option has been enabled.

Default: winbind cache time = 300 -

+

winbind enum groups (G) -

On large installations using winbindd(8) it may be necessary to suppress +

On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If @@ -6117,10 +6118,10 @@ winbind enum groups (G) no, calls to the getgrent() system call will not return any data.

Warning

Turning off group enumeration may cause some programs to behave oddly.

Default: winbind enum groups = no -

+

winbind enum users (G) -

On large installations using winbindd(8) it may be +

On large installations using winbindd(8) it may be necessary to suppress the enumeration of users through the setpwent(), getpwent() and endpwent() group of system calls. If @@ -6132,10 +6133,10 @@ winbind enum users (G) full user list when searching for matching usernames.

Default: winbind enum users = no -

+

winbind expand groups (G) -

This option controls the maximum depth that winbindd +

This option controls the maximum depth that winbindd will traverse when flattening nested group memberships of Windows domain groups. This is different from the winbind nested groups option @@ -6147,10 +6148,10 @@ winbind expand groups (G) must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time.

Default: winbind expand groups = 1 -

+

winbind nested groups (G) -

If set to yes, this parameter activates the support for nested +

If set to yes, this parameter activates the support for nested groups. Nested groups are also called local groups or aliases. They work like their counterparts in Windows: Nested groups are defined locally on any machine (they are shared @@ -6158,10 +6159,10 @@ winbind nested groups (G) global groups from any trusted SAM. To be able to use nested groups, you need to run nss_winbind.

Default: winbind nested groups = yes -

+

winbind normalize names (G) -

This parameter controls whether winbindd will replace +

This parameter controls whether winbindd will replace whitespace in user and group names with an underscore (_) character. For example, whether the name "Space Kadet" should be replaced with the string "space_kadet". @@ -6181,10 +6182,10 @@ winbind normalize names (G)

Example: winbind normalize names = yes -

+

winbind nss info (G) -

This parameter is designed to control how Winbind retrieves Name +

This parameter is designed to control how Winbind retrieves Name Service Information to construct a user's home directory and login shell. Currently the following settings are available: @@ -6206,10 +6207,10 @@ winbind nss info (G)

Example: winbind nss info = template sfu -

+

winbind offline logon (G) -

This parameter is designed to control whether Winbind should +

This parameter is designed to control whether Winbind should allow to login with the pam_winbind module using Cached Credentials. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache. @@ -6217,37 +6218,37 @@ winbind offline logon (G)

Example: winbind offline logon = true -

+

winbind reconnect delay (G) -

This parameter specifies the number of +

This parameter specifies the number of seconds the winbindd(8) daemon will wait between attempts to contact a Domain controller for a domain that is determined to be down or not contactable.

Default: winbind reconnect delay = 30 -

+

winbind refresh tickets (G) -

This parameter is designed to control whether Winbind should refresh Kerberos Tickets +

This parameter is designed to control whether Winbind should refresh Kerberos Tickets retrieved using the pam_winbind module.

Default: winbind refresh tickets = false

Example: winbind refresh tickets = true -

+

winbind rpc only (G) -

+

Setting this parameter to yes forces winbindd to use RPC instead of LDAP to retrieve information from Domain Controllers.

Default: winbind rpc only = no -

+

winbind separator (G) -

This parameter allows an admin to define the character +

This parameter allows an admin to define the character used when listing a username of the form of DOMAIN \user. This parameter is only applicable when using the pam_winbind.so @@ -6258,10 +6259,10 @@ winbind separator (G)

Example: winbind separator = + -

+

winbind trusted domains only (G) -

+

This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. @@ -6272,10 +6273,10 @@ winbind trusted domains only (G) Refer to the idmap_nss(8) man page for more information.

Default: winbind trusted domains only = no -

+

winbind use default domain (G) -

This parameter specifies whether the +

This parameter specifies whether the winbindd(8) daemon should operate on users without domain component in their username. Users without a domain component are treated as is part of the winbindd server's own @@ -6285,10 +6286,10 @@ winbind use default domain (G)

Example: winbind use default domain = yes -

+

wins hook (G) -

When Samba is running as a WINS server this +

When Samba is running as a WINS server this allows you to call an external program for all changes to the WINS database. The primary use for this option is to allow the dynamic update of external name resolution databases such as @@ -6309,17 +6310,17 @@ wins hook (G) addresses currently registered for that name. If this list is empty then the name should be deleted.

An example script that calls the BIND dynamic DNS update program nsupdate is provided in the examples - directory of the Samba source code.

No default

+ directory of the Samba source code.

No default

wins proxy (G) -

This is a boolean that controls if nmbd(8) will respond to broadcast name +

This is a boolean that controls if nmbd(8) will respond to broadcast name queries on behalf of other hosts. You may need to set this to yes for some older clients.

Default: wins proxy = no -

+

wins server (G) -

This specifies the IP address (or DNS name: IP +

This specifies the IP address (or DNS name: IP address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on your network then you should set this to the WINS server's IP.

You should point this at your WINS server if you have a multi-subnetted network.

If you want to work in multiple namespaces, you can @@ -6338,19 +6339,19 @@ wins server (G)

Example: wins server = 192.9.200.1 192.168.2.61 -

+

wins support (G) -

This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should +

This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should not set this to yes unless you have a multi-subnetted network and you wish a particular nmbd to be your WINS server. Note that you should NEVER set this to yes on more than one machine in your network.

Default: wins support = no -

+

workgroup (G) -

This controls what workgroup your server will +

This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain @@ -6358,18 +6359,18 @@ workgroup (G)

Example: workgroup = MYGROUP -

+

writable -

This parameter is a synonym for writeable.

+

This parameter is a synonym for writeable.

writeable (S) -

Inverted synonym for read only.

Default: writeable = no +

Inverted synonym for read only.

Default: writeable = no -

+

write cache size (S) -

If this integer parameter is set to non-zero value, +

If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file (it does not do this for non-oplocked files). All writes that the client does not request @@ -6387,10 +6388,10 @@ write cache size (S)

Example: write cache size = 262144 # for a 256k cache size per file -

+

write list (S) -

+

This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to. The list can @@ -6405,17 +6406,17 @@ write list (S)

Example: write list = admin, root, @staff -

+

write raw (G) -

This parameter controls whether or not the server +

This parameter controls whether or not the server will support raw write SMB's when transferring data from clients. You should never need to change this parameter.

Default: write raw = yes -

+

wtmp directory (G) -

+

This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact @@ -6427,7 +6428,7 @@ wtmp directory (G)

Example: wtmp directory = /var/log/wtmp -

WARNINGS

+

WARNINGS

Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.

@@ -6440,8 +6441,8 @@ wtmp directory (G) for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct. -

VERSION

This man page is correct for version 3 of the Samba suite.

AUTHOR

+

VERSION

This man page is correct for version 3 of the Samba suite.

AUTHOR

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
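Review bot: the removed and added lines of this hunk read identically ("VERSION This man page is correct for version 3 of the Samba suite. AUTHOR"), and the same holds for the other smb.conf.5.html hunks shown here, so the text gives a reviewer nothing to check against the "merge upstream 3.3.5" subject. If the difference is only in regenerated markup, say so in the commit message, or keep the generated htmldocs out of the merge and build them from the documentation source, so that real wording changes to security-relevant parameters (valid users, write list, wide links) are not buried in the churn.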

-- cgit v1.2.3