From f75bc014e34cfeb3b75e09f9cb382ee731f64472 Mon Sep 17 00:00:00 2001 From: bubulle Date: Fri, 30 Oct 2009 19:14:00 +0000 Subject: merge upstream 3.4.3 git-svn-id: svn://svn.debian.org/svn/pkg-samba/trunk/samba@3098 fc4039ab-9d04-0410-8cac-899223bdd6b0 --- docs/htmldocs/manpages/cifs.upcall.8.html | 17 +- docs/htmldocs/manpages/mount.cifs.8.html | 19 +- docs/htmldocs/manpages/smb.conf.5.html | 1534 +++++++++++++++-------------- 3 files changed, 793 insertions(+), 777 deletions(-) (limited to 'docs/htmldocs/manpages') diff --git a/docs/htmldocs/manpages/cifs.upcall.8.html b/docs/htmldocs/manpages/cifs.upcall.8.html index 0187c44312..650c0721cb 100644 --- a/docs/htmldocs/manpages/cifs.upcall.8.html +++ b/docs/htmldocs/manpages/cifs.upcall.8.html @@ -1,12 +1,13 @@ -cifs.upcall

Name

cifs.upcall — Userspace upcall helper for Common Internet File System (CIFS)

Synopsis

cifs.upcall [-c] [-v] {keyid}

DESCRIPTION

This tool is part of the samba(7) suite.

cifs.upcall is a userspace helper program for the linux CIFS client +cifs.upcall

Name

cifs.upcall — Userspace upcall helper for Common Internet File System (CIFS)

Synopsis

cifs.upcall [--trust-dns|-t] [--version|-v] {keyid}

DESCRIPTION

This tool is part of the samba(7) suite.

cifs.upcall is a userspace helper program for the linux CIFS client filesystem. There are a number of activities that the kernel cannot easily do itself. This program is a callout program that does these things for the kernel and then returns the result.

cifs.upcall is generally intended to be run when the kernel calls request-key(8) for a particular key type. While it can be run directly from the command-line, it's not generally intended -to be run that way.

OPTIONS

-c

When handling a kerberos upcall, use a service principal that starts with "cifs/". The default is to use the "host/" service principal. -

-v

Print version number and exit. -

CONFIGURATION FOR KEYCTL

cifs.upcall is designed to be called from the kernel via the +to be run that way.

OPTIONS

-c

This option is deprecated and is currently ignored. +

--trust-dns|-t

With krb5 upcalls, the name used as the host portion of the service principal defaults to the hostname portion of the UNC. This option allows the upcall program to reverse resolve the network address of the server in order to get the hostname.

This is less secure than not trusting DNS. When using this option, it's possible that an attacker could get control of DNS and trick the client into mounting a different server altogether. It's preferable to instead add server principals to the KDC for every possible hostname, but this option exists for cases where that isn't possible. The default is to not trust reverse hostname lookups in this fashion. +

--version|-v

Print version number and exit. +

CONFIGURATION FOR KEYCTL

cifs.upcall is designed to be called from the kernel via the request-key callout program. This requires that request-key be told where and how to call this program. The current cifs.upcall program handles two different key types: @@ -14,15 +15,15 @@ to be run that way.

dns_resolver

This key type is for resolving hostnames into IP addresses

To make this program useful for CIFS, you'll need to set up entries for them in request-key.conf(5). Here's an example of an entry for each key type:

 #OPERATION  TYPE           D C PROGRAM ARG1 ARG2...
-#=========  =============  = = ==========================================
-create	    cifs.spnego    * * /usr/local/sbin/cifs.upcall -c %k
+#=========  =============  = = ================================
+create      cifs.spnego    * * /usr/local/sbin/cifs.upcall %k
 create      dns_resolver   * * /usr/local/sbin/cifs.upcall %k

See request-key.conf(5) for more info on each field. -

SEE ALSO

+

SEE ALSO

request-key.conf(5), mount.cifs(8) -

AUTHOR

Igor Mammedov wrote the cifs.upcall program.

Jeff Layton authored this manpage.

The maintainer of the Linux CIFS VFS is Steve French.

The Linux +

AUTHOR

Igor Mammedov wrote the cifs.upcall program.

Jeff Layton authored this manpage.

The maintainer of the Linux CIFS VFS is Steve French.

The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs.

diff --git a/docs/htmldocs/manpages/mount.cifs.8.html b/docs/htmldocs/manpages/mount.cifs.8.html index 44046cf294..0d812470fa 100644 --- a/docs/htmldocs/manpages/mount.cifs.8.html +++ b/docs/htmldocs/manpages/mount.cifs.8.html @@ -23,7 +23,12 @@ kernel log.

mount.cifs causes the cifs vfs to launch a thread named cifsd. After mounting it keeps running until the mounted resource is unmounted (usually via the umount utility). -

OPTIONS

user=arg

specifies the username to connect as. If +

+ mount.cifs -V command displays the version of cifs mount helper. +

+ + modinfo cifs command displays the version of cifs module. +

OPTIONS

user=arg

specifies the username to connect as. If this is not given, then the environment variable USER is used. This option can also take the form "user%password" or "workgroup/user" or "workgroup/user%password" to allow the password and workgroup @@ -222,7 +227,7 @@ port 445 is tried and if no response then port 139 is tried. It's generally preferred to use forward slashes (/) as a delimiter in service names. They are considered to be the "universal delimiter" since they are generally not allowed to be embedded within path components on Windows machines and the client can convert them to blackslashes (\) unconditionally. Conversely, backslash characters are allowed by POSIX to be part of a path component, and can't be automatically converted in the same way.

mount.cifs will attempt to convert backslashes to forward slashes where it's able to do so, but it cannot do so in any path component following the sharename. -

ENVIRONMENT VARIABLES

+

ENVIRONMENT VARIABLES

The variable USER may contain the username of the person to be used to authenticate to the server. The variable can be used to set both username and @@ -234,7 +239,7 @@ person using the client. The variable PASSWD_FILE may contain the pathname of a file to read the password from. A single line of input is read and used as the password. -

NOTES

This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.

CONFIGURATION

+

NOTES

This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.

CONFIGURATION

The primary mechanism for making configuration changes and for reading debug information for the cifs vfs is via the Linux /proc filesystem. In the directory /proc/fs/cifs are various @@ -245,7 +250,7 @@ loaded. These can be seen by running the modinfo utility against the file cifs.ko which will list the options that may be passed to cifs during module installation (device driver load). For more information see the kernel file fs/cifs/README. -

BUGS

Mounting using the CIFS URL specification is currently not supported. +

BUGS

Mounting using the CIFS URL specification is currently not supported.

The credentials file does not handle usernames or passwords with leading space.

Note that the typical response to a bug report is a suggestion @@ -253,11 +258,11 @@ to try the latest version first. So please try doing that first, and always include which versions you use of relevant software when reporting bugs (minimum: mount.cifs (try mount.cifs -V), kernel (see /proc/version) and server type you are trying to contact. -

VERSION

This man page is correct for version 1.52 of - the cifs vfs filesystem (roughly Linux kernel 2.6.24).

SEE ALSO

+

VERSION

This man page is correct for version 1.52 of + the cifs vfs filesystem (roughly Linux kernel 2.6.24).

SEE ALSO

Documentation/filesystems/cifs.txt and fs/cifs/README in the linux kernel source tree may contain additional options and information. -

umount.cifs(8)

AUTHOR

Steve French

The syntax and manpage were loosely based on that of smbmount. It +

umount.cifs(8)

AUTHOR

Steve French

The syntax and manpage were loosely based on that of smbmount. It was converted to Docbook/XML by Jelmer Vernooij.

The maintainer of the Linux cifs vfs and the userspace tool mount.cifs is Steve French. The Linux CIFS Mailing list diff --git a/docs/htmldocs/manpages/smb.conf.5.html b/docs/htmldocs/manpages/smb.conf.5.html index adabd9af7e..c20d0c9290 100644 --- a/docs/htmldocs/manpages/smb.conf.5.html +++ b/docs/htmldocs/manpages/smb.conf.5.html @@ -371,11 +371,8 @@ abort shutdown script (G)

-public -

This parameter is a synonym for access based share enum.

- access based share enum (S) -

If this parameter is yes for a +

If this parameter is yes for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \\sambaserver). This has @@ -384,10 +381,10 @@ access based share enum (S) descriptors on files contained on the share are not used in computing enumeration access rights.

Default: access based share enum = no -

+

acl check permissions (S) -

This boolean parameter controls what smbd(8)does on receiving a protocol request of "open for delete" +

This boolean parameter controls what smbd(8)does on receiving a protocol request of "open for delete" from a Windows client. If a Windows client doesn't have permissions to delete a file then they expect this to be denied at open time. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory. As Windows clients can (and do) "back out" a @@ -407,10 +404,10 @@ acl check permissions (S) with slightly different semantics was introduced in 3.0.20. That older version is not documented here.

Default: acl check permissions = True -

+

acl compatibility (G) -

This parameter specifies what OS ACL semantics should +

This parameter specifies what OS ACL semantics should be compatible with. Possible values are winnt for Windows NT 4, win2k for Windows 2000 and above and auto. If you specify auto, the value for this parameter @@ -419,10 +416,10 @@ acl compatibility (G)

Example: acl compatibility = win2k -

+

acl group control (S) -

+

In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the primary group owner of a file or directory to modify the permissions and ACLs @@ -449,10 +446,10 @@ acl group control (S) dos filemode option.

Default: acl group control = no -

+

acl map full control (S) -

+

This boolean parameter controls whether smbd(8)maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any @@ -460,10 +457,10 @@ acl map full control (S) execute.

Default: acl map full control = True -

+

add group script (G) -

+

This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with @@ -473,10 +470,10 @@ add group script (G)

Example: add group script = /usr/sbin/groupadd %g -

+

add machine script (G) -

+

This is the full pathname to a script that will be run by smbd(8) when a machine is added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not @@ -487,10 +484,10 @@ add machine script (G)

Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u -

+

add port command (G) -

Samba 3.0.23 introduced support for adding printer ports +

Samba 3.0.23 introduced support for adding printer ports remotely using the Windows "Add Standard TCP/IP Port Wizard". This option defines an external program to be executed when smbd receives a request to add a new Port to the system. @@ -499,10 +496,10 @@ add port command (G)

Example: add port command = /etc/samba/scripts/addport.sh -

+

addprinter command (G) -

With the introduction of MS-RPC based printing +

With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon is now also available in the "Printers..." folder displayed a share listing. The APW @@ -533,10 +530,10 @@ addprinter command (G)

Example: addprinter command = /usr/bin/addprinter -

+

add share command (G) -

+

Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The add share command is used to define an external program or script which will add a new service definition to @@ -568,10 +565,10 @@ add share command (G)

Example: add share command = /usr/local/bin/addshare -

+

add user script (G) -

+

This is the full pathname to a script that will be run AS ROOT by smbd(8) under special circumstances described below. @@ -606,10 +603,10 @@ add user script (G)

Example: add user script = /usr/local/samba/bin/add_user %u -

+

add user to group script (G) -

+

Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and @@ -621,20 +618,20 @@ add user to group script (G)

Example: add user to group script = /usr/sbin/adduser %u %g -

+

administrative share (S) -

If this parameter is set to yes for +

If this parameter is set to yes for a share, then the share will be an administrative share. The Administrative Shares are the default network shares created by all Windows NT-based operating systems. These are shares like C$, D$ or ADMIN$. The type of these shares is STYPE_DISKTREE_HIDDEN.

See the section below on security for more information about this option.

Default: administrative share = no -

+

admin users (S) -

This is a list of users who will be granted +

This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root).

You should use this option very carefully, as any user in this list will be able to do anything they like on the share, @@ -643,20 +640,20 @@ admin users (S)

Example: admin users = jason -

+

afs share (S) -

This parameter controls whether special AFS features are enabled +

This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure.

Default: afs share = no -

+

afs username map (G) -

If you are using the fake kaserver AFS feature, you might +

If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example this is necessary if you have users from several domain in your AFS Protection Database. One possible scheme to code users @@ -666,10 +663,10 @@ afs username map (G)

Example: afs username map = %u@afs.samba.org -

+

aio read size (S) -

If Samba has been built with asynchronous I/O support and this +

If Samba has been built with asynchronous I/O support and this integer parameter is set to non-zero value, Samba will read from file asynchronously when size of request is bigger than this value. Note that it happens only for non-chained and non-chaining @@ -680,10 +677,10 @@ aio read size (S) # Use asynchronous I/O for reads bigger than 16KB request size -

+

aio write size (S) -

If Samba has been built with asynchronous I/O support and this +

If Samba has been built with asynchronous I/O support and this integer parameter is set to non-zero value, Samba will write to file asynchronously when size of request is bigger than this value. Note that it happens only for non-chained and non-chaining @@ -694,10 +691,10 @@ aio write size (S) # Use asynchronous I/O for writes bigger than 16KB request size -

+

algorithmic rid base (G) -

This determines how Samba will use its +

This determines how Samba will use its algorithmic mapping from uids/gid to the RIDs needed to construct NT Security Identifiers.

Setting this option to a larger value could be useful to sites @@ -712,10 +709,10 @@ algorithmic rid base (G)

Example: algorithmic rid base = 100000 -

+

allocation roundup size (S) -

This parameter allows an administrator to tune the +

This parameter allows an administrator to tune the allocation size reported to Windows clients. The default size of 1Mb generally results in improved Windows client performance. However, rounding the allocation size may cause @@ -727,10 +724,10 @@ allocation roundup size (S)

Example: allocation roundup size = 0 # (to disable roundups) -

+

allow trusted domains (G) -

+

This option only takes effect when the security option is set to server, domain or ads. If it is set to no, then attempts to connect to a resource from @@ -745,10 +742,10 @@ allow trusted domains (G) Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.

Default: allow trusted domains = yes -

+

announce as (G) -

This specifies what type of server nmbd(8) will announce itself as, to a network neighborhood browse +

This specifies what type of server nmbd(8) will announce itself as, to a network neighborhood browse list. By default this is set to Windows NT. The valid options are : "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, @@ -760,20 +757,20 @@ announce as (G)

Example: announce as = Win95 -

+

announce version (G) -

This specifies the major and minor version numbers +

This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.

Default: announce version = 4.9

Example: announce version = 2.0 -

+

auth methods (G) -

+

This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) @@ -794,18 +791,18 @@ auth methods (G)

Example: auth methods = guest sam winbind -

+

available (S) -

This parameter lets you "turn off" a service. If +

This parameter lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.

Default: available = yes -

+

bind interfaces only (G) -

This global parameter allows the Samba admin +

This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in a slightly different ways.

For name service it causes nmbd to bind to ports 137 and 138 on the @@ -846,10 +843,10 @@ bind interfaces only (G) from starting/stopping/restarting smbd and nmbd.

Default: bind interfaces only = no -

+

blocking locks (S) -

This parameter controls the behavior +

This parameter controls the behavior of smbd(8) when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.

If this parameter is set and the lock range requested @@ -860,10 +857,10 @@ blocking locks (S) will fail the lock request immediately if the lock range cannot be obtained.

Default: blocking locks = yes -

+

block size (S) -

This parameter controls the behavior of smbd(8) when reporting disk free +

This parameter controls the behavior of smbd(8) when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes.

Changing this parameter may have some effect on the efficiency of client writes, this is not yet confirmed. This @@ -877,42 +874,42 @@ block size (S)

Example: block size = 4096 -

+

browsable -

This parameter is a synonym for browseable.

+

This parameter is a synonym for browseable.

browseable (S) -

This controls whether this share is seen in +

This controls whether this share is seen in the list of available shares in a net view and in the browse list.

Default: browseable = yes -

+

browse list (G) -

This controls whether smbd(8) will serve a browse list to +

This controls whether smbd(8) will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.

Default: browse list = yes -

+

casesignames -

This parameter is a synonym for case sensitive.

+

This parameter is a synonym for case sensitive.

case sensitive (S) -

See the discussion in the section name mangling.

Default: case sensitive = no +

See the discussion in the section name mangling.

Default: case sensitive = no -

+

change notify (S) -

This parameter specifies whether Samba should reply +

This parameter specifies whether Samba should reply to a client's file change notify requests.

You should never need to change this parameter

Default: change notify = yes -

+

change share command (G) -

+

Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The change share command is used to define an external program or script which will modify an existing service definition in smb.conf. @@ -947,10 +944,10 @@ program or script which will modify an existing service definition in

Example: change share command = /usr/local/bin/changeshare -

+

check password script (G) -

The name of a program that can be used to check password +

The name of a program that can be used to check password complexity. The password is sent to the program's standard input.

The program must return 0 on a good password, or any other value if the password is bad. In case the password is considered weak (the program does not return 0) the @@ -959,10 +956,10 @@ check password script (G)

Example: check password script = /usr/local/sbin/crackcheck -

+

client lanman auth (G) -

This parameter determines whether or not smbclient(8) and other samba client +

This parameter determines whether or not smbclient(8) and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash. If disabled, only server which support NT password hashes (e.g. Windows NT/2000, Samba, etc... but not @@ -973,10 +970,10 @@ client lanman auth (G) auth parameter is enabled, then only NTLMv2 logins will be attempted.

Default: client lanman auth = no -

+

client ldap sasl wrapping (G) -

+

The client ldap sasl wrapping defines whether ldap traffic will be signed or signed and encrypted (sealed). Possible values are plain, sign @@ -1004,10 +1001,10 @@ client ldap sasl wrapping (G) seal.

Default: client ldap sasl wrapping = plain -

+

client ntlmv2 auth (G) -

This parameter determines whether or not smbclient(8) will attempt to +

This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Many servers @@ -1019,16 +1016,16 @@ client ntlmv2 auth (G) those following 'best practice' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM.

Default: client ntlmv2 auth = no -

+

client plaintext auth (G) -

Specifies whether a client should send a plaintext +

Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.

Default: client plaintext auth = no -

+

client schannel (G) -

+

This controls whether the client offers or even demands the use of the netlogon schannel. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not @@ -1038,10 +1035,10 @@ client schannel (G)

Example: client schannel = yes -

+

client signing (G) -

This controls whether the client is allowed or required to use SMB signing. Possible values +

This controls whether the client is allowed or required to use SMB signing. Possible values are auto, mandatory and disabled.

When set to auto, SMB signing is offered, but not enforced. @@ -1049,19 +1046,19 @@ client signing (G) to disabled, SMB signing is not offered either.

Default: client signing = auto -

+

client use spnego (G) -

This variable controls whether Samba clients will try +

This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba 3.0) to agree upon an authentication mechanism. This enables Kerberos authentication in particular.

Default: client use spnego = yes -

+

cluster addresses (G) -

With this parameter you can add additional addresses +

With this parameter you can add additional addresses nmbd will register with a WINS server. These addresses are not necessarily present on all nodes simultaneously, but they will be registered with the WINS server so that clients can contact @@ -1070,20 +1067,20 @@ cluster addresses (G)

Example: cluster addresses = 10.0.0.1 10.0.0.2 10.0.0.3 -

+

clustering (G) -

This parameter specifies whether Samba should contact +

This parameter specifies whether Samba should contact ctdb for accessing its tdb files and use ctdb as a backend for its messaging backend.

Set this parameter to yes only if you have a cluster setup with ctdb running.

Default: clustering = no -

+

comment (S) -

This is a text field that is seen next to a share +

This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares are available.

If you want to set the string that is displayed next to the @@ -1092,10 +1089,10 @@ comment (S)

Example: comment = Fred's Files -

+

config backend (G) -

+

This controls the backend for storing the configuration. Possible values are file (the default) and registry. @@ -1113,10 +1110,10 @@ config backend (G)

Example: config backend = registry -

+

config file (G) -

This allows you to override the config file +

This allows you to override the config file to use, instead of the default (usually smb.conf). There is a chicken and egg problem here as this option is set in the config file!

For this reason, if the name of the config file has changed @@ -1126,10 +1123,10 @@ config file (G) (allowing you to special case the config files of just a few clients).

No default

Example: config file = /usr/local/samba/lib/smb.conf.%m -

+

copy (S) -

This parameter allows you to "clone" service +

This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.

This feature lets you set up a 'template' service and @@ -1139,13 +1136,13 @@ copy (S)

Example: copy = otherservice -

+

create mode -

This parameter is a synonym for create mask.

+

This parameter is a synonym for create mask.

create mask (S) -

+

When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will @@ -1166,10 +1163,10 @@ create mask (S)

Example: create mask = 0775 -

+

csc policy (S) -

+

This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

@@ -1181,10 +1178,10 @@ csc policy (S)

Example: csc policy = programs -

+

ctdbd socket (G) -

If you set clustering=yes, +

If you set clustering=yes, you need to tell Samba where ctdbd listens on its unix domain socket. The default path as of ctdb 1.0 is /tmp/ctdb.socket which you have to explicitly set for Samba in smb.conf. @@ -1192,10 +1189,10 @@ ctdbd socket (G)

Example: ctdbd socket = /tmp/ctdb.socket -

+

cups connection timeout (G) -

+

This parameter is only applicable if printing is set to cups.

If set, this option specifies the number of seconds that smbd will wait @@ -1205,10 +1202,10 @@ cups connection timeout (G)

Example: cups connection timeout = 60 -

+

cups options (S) -

+

This parameter is only applicable if printing is set to cups. Its value is a free form string of options passed directly to the cups library. @@ -1230,10 +1227,10 @@ cups options (S)

Example: cups options = "raw media=a4" -

+

cups server (G) -

+

This parameter is only applicable if printing is set to cups.

If set, this option overrides the ServerName option in the CUPS client.conf. This is @@ -1247,10 +1244,10 @@ cups server (G)

Example: cups server = mycupsserver:1631 -

+

deadtime (G) -

The value of the parameter (a decimal integer) +

The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.

This is useful to stop a server's resources being @@ -1262,10 +1259,10 @@ deadtime (G)

Example: deadtime = 15 -

+

debug class (G) -

+

With this boolean parameter enabled, the debug class (DBGC_CLASS) will be displayed in the debug header.

@@ -1273,20 +1270,20 @@ debug class (G) section about log level.

Default: debug class = no -

+

debug hires timestamp (G) -

+

Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this boolean parameter adds microsecond resolution to the timestamp message header when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug hires timestamp = no -

+

debug pid (G) -

+

When using only one log file for more then one forked smbd(8)-process there may be hard to follow which process outputs which message. This boolean parameter is adds the process-id to the timestamp message headers in the logfile when turned on. @@ -1294,10 +1291,10 @@ debug pid (G) Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug pid = no -

+

debug prefix timestamp (G) -

+

With this option enabled, the timestamp message header is prefixed to the debug message without the filename and function information that is included with the debug timestamp parameter. This gives timestamps to the messages without adding an additional line. @@ -1305,32 +1302,32 @@ debug prefix timestamp (G) Note that this parameter overrides the debug timestamp parameter.

Default: debug prefix timestamp = no -

+

timestamp logs -

This parameter is a synonym for debug timestamp.

+

This parameter is a synonym for debug timestamp.

debug timestamp (G) -

+

Samba debug log messages are timestamped by default. If you are running at a high debug level these timestamps can be distracting. This boolean parameter allows timestamping to be turned off.

Default: debug timestamp = yes -

+

debug uid (G) -

+

Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug uid = no -

+

dedicated keytab file (G) -

+

Specifies the path to the kerberos keytab file when kerberos method is set to "dedicated keytab". @@ -1338,16 +1335,16 @@ dedicated keytab file (G)

Example: dedicated keytab file = /usr/local/etc/krb5.keytab -

+

default case (S) -

See the section on name mangling. +

See the section on name mangling. Also note the short preserve case parameter.

Default: default case = lower -

+

default devmode (S) -

This parameter is only applicable to printable services. +

This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be @@ -1370,13 +1367,13 @@ default devmode (S) see the MSDN documentation.

Default: default devmode = yes -

+

default -

This parameter is a synonym for default service.

+

This parameter is a synonym for default service.

default service (G) -

This parameter specifies the name of a service +

This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value (see example below).

There is no default value for this parameter. If this @@ -1390,10 +1387,10 @@ default service (G)

Example: default service = pub -

+

defer sharing violations (G) -

+

Windows allows specifying how a file will be shared with other processes when it is opened. Sharing violations occur when a file is opened by a different process using options that violate @@ -1406,19 +1403,19 @@ defer sharing violations (G) designed to enable Samba to more correctly emulate Windows.

Default: defer sharing violations = True -

+

delete group script (G) -

This is the full pathname to a script that will +

This is the full pathname to a script that will be run AS ROOT smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

Default: delete group script = -

+

deleteprinter command (G) -

With the introduction of MS-RPC based printer +

With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete a printer at run time by issuing the DeletePrinter() RPC call.

For a Samba host this means that the printer must be @@ -1436,18 +1433,18 @@ deleteprinter command (G)

Example: deleteprinter command = /usr/bin/removeprinter -

+

delete readonly (S) -

This parameter allows readonly files to be deleted. +

This parameter allows readonly files to be deleted. This is not normal DOS semantics, but is allowed by UNIX.

This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file.

Default: delete readonly = no -

+

delete share command (G) -

+

Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The delete share command is used to define an external program or script which will remove an existing service definition from @@ -1473,10 +1470,10 @@ delete share command (G)

Example: delete share command = /usr/local/bin/delshare -

+

delete user from group script (G) -

Full path to the script that will be called when +

Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and @@ -1485,10 +1482,10 @@ delete user from group script (G)

Example: delete user from group script = /usr/sbin/deluser %u %g -

+

delete user script (G) -

This is the full pathname to a script that will +

This is the full pathname to a script that will be run by smbd(8) when managing users with remote RPC (NT) tools.

This script is called when a remote client removes a user @@ -1497,10 +1494,10 @@ delete user script (G)

Example: delete user script = /usr/local/samba/bin/del_user %u -

+

delete veto files (S) -

This option is used when Samba is attempting to +

This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the veto files option). If this option is set to no (the default) then if a vetoed @@ -1514,10 +1511,10 @@ delete veto files (S) directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so).

Default: delete veto files = no -

+

dfree cache time (S) -

+

The dfree cache time should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the @@ -1530,10 +1527,10 @@ dfree cache time (S) By default this parameter is zero, meaning no caching will be done.

No default

Example: dfree cache time = dfree cache time = 60 -

+

dfree command (S) -

+

The dfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" @@ -1571,13 +1568,13 @@ df $1 | tail -1 | awk '{print $(NF-4),$(NF-2)}' By default internal routines for determining the disk capacity and remaining space will be used.

No default

Example: dfree command = /usr/local/samba/bin/dfree -

+

directory mode -

This parameter is a synonym for directory mask.

+

This parameter is a synonym for directory mask.

directory mask (S) -

This parameter is the octal modes which are +

This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, @@ -1595,10 +1592,10 @@ directory mask (S)

Example: directory mask = 0775 -

+

directory security mask (S) -

This parameter controls what UNIX permission bits +

This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.

@@ -1618,19 +1615,19 @@ directory security mask (S)

Example: directory security mask = 0700 -

+

disable netbios (G) -

Enabling this parameter will disable netbios support +

Enabling this parameter will disable netbios support in Samba. Netbios is the only available form of browsing in all windows versions except for 2000 and XP.

Note

Clients that only support netbios won't be able to see your samba server when netbios support is disabled.

Default: disable netbios = no -

+

disable spoolss (G) -

Enabling this parameter will disable Samba's support +

Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPC's and will yield identical behavior as Samba 2.0.x. Windows NT/2000 clients will downgrade to using Lanman style printing commands. Windows 9x/ME will be unaffected by @@ -1642,10 +1639,10 @@ disable spoolss (G) Be very careful about enabling this parameter.

Default: disable spoolss = no -

+

display charset (G) -

+

Specifies the charset that samba will use to print messages to stdout and stderr. The default value is "LOCALE", which means automatically set, depending on the current locale. The value should generally be the same as the value of the parameter @@ -1654,10 +1651,10 @@ display charset (G)

Example: display charset = UTF8 -

+

dmapi support (S) -

This parameter specifies whether Samba should use DMAPI to +

This parameter specifies whether Samba should use DMAPI to determine whether a file is offline or not. This would typically be used in conjunction with a hierarchical storage system that automatically migrates files to tape. @@ -1672,10 +1669,10 @@ dmapi support (S)

Default: dmapi support = no -

+

dns proxy (G) -

Specifies that nmbd(8) when acting as a WINS server and +

Specifies that nmbd(8) when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

Note that the maximum length for a NetBIOS name is 15 @@ -1684,10 +1681,10 @@ dns proxy (G) DNS name lookup requests, as doing a name lookup is a blocking action.

Default: dns proxy = yes -

+

domain logons (G) -

+

If set to yes, the Samba server will provide the netlogon service for Windows 9X network logons for the workgroup it is in. @@ -1697,10 +1694,10 @@ domain logons (G) Samba HOWTO Collection.

Default: domain logons = no -

+

domain master (G) -

+

Tell smbd(8) to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given @@ -1726,10 +1723,10 @@ domain master (G) Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.

Default: domain master = auto -

+

dont descend (S) -

There are certain directories on some systems +

There are certain directories on some systems (e.g., the /proc tree under Linux) that are either not of interest to clients or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories @@ -1740,18 +1737,18 @@ dont descend (S)

Example: dont descend = /proc,/dev -

+

dos charset (G) -

DOS SMB clients assume the server has +

DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients.

The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in - case it is not available. Run testparm(1) to check the default on your system.

No default

+ case it is not available. Run testparm(1) to check the default on your system.

No default

dos filemode (S) -

The default behavior in Samba is to provide +

The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users. Enabling this parameter @@ -1762,10 +1759,10 @@ dos filemode (S) the group is only granted read access. Ownership of the file/directory may also be changed.

Default: dos filemode = no -

+

dos filetime resolution (S) -

Under the DOS and Windows FAT filesystem, the finest +

Under the DOS and Windows FAT filesystem, the finest granularity on time resolution is two seconds. Setting this parameter for a share causes Samba to round the reported time down to the nearest two second boundary when a query call that requires one second @@ -1780,10 +1777,10 @@ dos filetime resolution (S) this option causes the two timestamps to match, and Visual C++ is happy.

Default: dos filetime resolution = no -

+

dos filetimes (S) -

Under DOS and Windows, if a user can write to a +

Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the owner of the file or root may change the timestamp. By default, Samba runs with POSIX semantics and refuses to change the @@ -1797,20 +1794,20 @@ dos filetimes (S) shared between users.

Default: dos filetimes = yes -

+

ea support (S) -

This boolean parameter controls whether smbd(8) will allow clients to attempt to store OS/2 style Extended +

This boolean parameter controls whether smbd(8) will allow clients to attempt to store OS/2 style Extended attributes on a share. In order to enable this parameter the underlying filesystem exported by the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the correct kernel patches). On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel.

Default: ea support = no -

+

enable asu support (G) -

Hosts running the "Advanced Server for Unix (ASU)" product +

Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builtin [ADMIN$] share that only supports IPC connections. The has been the default behavior in smbd for many years. However, certain Microsoft applications @@ -1818,10 +1815,10 @@ enable asu support (G) an [ADMIN$} file share. Disabling this parameter allows for creating an [ADMIN$] file share in smb.conf.

Default: enable asu support = no -

+

enable privileges (G) -

+

This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either net rpc rights or one of the Windows user and group manager tools. This parameter is enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to @@ -1834,10 +1831,10 @@ enable privileges (G) Please read the extended description provided in the Samba HOWTO documentation.

Default: enable privileges = yes -

+

encrypt passwords (G) -

This boolean controls whether encrypted passwords +

This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in @@ -1860,10 +1857,10 @@ encrypt passwords (G) causes smbd to authenticate against another server.

Default: encrypt passwords = yes -

+

enhanced browsing (G) -

This option enables a couple of enhancements to +

This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations.

The first enhancement to browse propagation consists of a regular @@ -1876,10 +1873,10 @@ enhanced browsing (G) to stay around forever which can be annoying.

In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes -

+

enumports command (G) -

The concept of a "port" is fairly foreign +

The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port @@ -1896,10 +1893,10 @@ enumports command (G)

Example: enumports command = /usr/bin/listports -

+

eventlog list (G) -

This option defines a list of log names that Samba will +

This option defines a list of log names that Samba will report to the Microsoft EventViewer utility. The listed eventlogs will be associated with tdb file on disk in the $(lockdir)/eventlog. @@ -1912,10 +1909,10 @@ eventlog list (G)

Example: eventlog list = Security Application Syslog Apache -

+

fake directory create times (S) -

NTFS and Windows VFAT file systems keep a create +

NTFS and Windows VFAT file systems keep a create time for all files and directories. This is not the same as the ctime - status change time - that Unix keeps, so Samba by default reports the earliest of the various times Unix does keep. Setting @@ -1937,10 +1934,10 @@ fake directory create times (S) ensures directories always predate their contents and an NMAKE build will proceed as expected.

Default: fake directory create times = no -

+

fake oplocks (S) -

Oplocks are the way that SMB clients get permission +

Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively @@ -1956,10 +1953,10 @@ fake oplocks (S) files read-write at the same time you can get data corruption. Use this option carefully!

Default: fake oplocks = no -

+

follow symlinks (S) -

+

This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this parameter to no prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic @@ -1969,10 +1966,10 @@ follow symlinks (S) This option is enabled (i.e. smbd will follow symbolic links) by default.

Default: follow symlinks = yes -

+

force create mode (S) -

This parameter specifies a set of UNIX mode bit +

This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a file that is being created. The default for this parameter is (in octal) @@ -1984,10 +1981,10 @@ force create mode (S)

Example: force create mode = 0755 -

+

force directory mode (S) -

This parameter specifies a set of UNIX mode bit +

This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this @@ -2000,10 +1997,10 @@ force directory mode (S)

Example: force directory mode = 0755 -

+

force directory security mode (S) -

+

This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.

@@ -2024,13 +2021,13 @@ force directory security mode (S)

Example: force directory security mode = 700 -

+

group -

This parameter is a synonym for force group.

+

This parameter is a synonym for force group.

force group (S) -

This specifies a UNIX group name that will be +

This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files by ensuring that all access to files on service will use the named group for @@ -2054,10 +2051,10 @@ force group (S)

Example: force group = agroup -

+

force printername (S) -

When printing from Windows NT (or later), +

When printing from Windows NT (or later), each printer in smb.conf has two associated names which can be used by the client. The first is the sharename (or shortname) defined in smb.conf. This @@ -2080,10 +2077,10 @@ force printername (S) not be able to delete printer connections from their local Printers folder.

Default: force printername = no -

+

force security mode (S) -

+

This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.

@@ -2103,10 +2100,10 @@ force security mode (S)

Example: force security mode = 700 -

+

force unknown acl user (S) -

+

If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or representation of a user or group id) as the owner or group owner of the file will be silently mapped into the current UNIX uid or gid of the currently connected user. @@ -2120,10 +2117,10 @@ force unknown acl user (S) Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.

Default: force unknown acl user = no -

+

force user (S) -

This specifies a UNIX user name that will be +

This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. @@ -2137,10 +2134,10 @@ force user (S)

Example: force user = auser -

+

fstype (S) -

+

This parameter allows the administrator to configure the string that specifies the type of filesystem a share is using that is reported by smbd(8) when a client queries the filesystem type for a share. The default type is NTFS for compatibility @@ -2150,10 +2147,10 @@ fstype (S)

Example: fstype = Samba -

+

get quota command (G) -

The get quota command should only be used +

The get quota command should only be used whenever there is no operating system API available from the OS that samba can use.

This option is only available you have compiled Samba with the --with-sys-quotas option or on Linux with @@ -2166,18 +2163,18 @@ get quota command (G)

Example: get quota command = /usr/local/sbin/query_quota -

+

getwd cache (G) -

This is a tuning option. When this is enabled a +

This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the wide smbconfoptions parameter is set to no.

Default: getwd cache = yes -

+

guest account (G) -

This is a username which will be used for access +

This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require @@ -2195,40 +2192,40 @@ guest account (G)

Example: guest account = ftp -

+

public -

This parameter is a synonym for guest ok.

+

This parameter is a synonym for guest ok.

guest ok (S) -

If this parameter is yes for +

If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

This paramater nullifies the benifits of setting restrict anonymous = 2

See the section below on security for more information about this option.

Default: guest ok = no -

+

only guest -

This parameter is a synonym for guest only.

+

This parameter is a synonym for guest only.

guest only (S) -

If this parameter is yes for +

If this parameter is yes for a service, then only guest connections to the service are permitted. This parameter will have no effect if guest ok is not set for the service.

See the section below on security for more information about this option.

Default: guest only = no -

+

hide dot files (S) -

This is a boolean parameter that controls whether +

This is a boolean parameter that controls whether files starting with a dot appear as hidden files.

Default: hide dot files = yes -

+

hide files (S) -

This is a list of files or directories that are not +

This is a list of files or directories that are not visible but are accessible. The DOS 'hidden' attribute is applied to any files or directories that match.

Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' @@ -2250,32 +2247,32 @@ hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/

Default: hide files = # no file are hidden -

+

hide special files (S) -

+

This parameter prevents clients from seeing special files such as sockets, devices and fifo's in directory listings.

Default: hide special files = no -

+

hide unreadable (S) -

This parameter prevents clients from seeing the +

This parameter prevents clients from seeing the existance of files that cannot be read. Defaults to off.

Default: hide unreadable = no -

+

hide unwriteable files (S) -

+

This parameter prevents clients from seeing the existance of files that cannot be written to. Defaults to off. Note that unwriteable directories are shown as usual.

Default: hide unwriteable files = no -

+

homedir map (G) -

+

If nis homedir is yes, and smbd(8) is also acting as a Win95/98 logon server then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun auto.home map format is understood. The form of the map is: @@ -2290,10 +2287,10 @@ homedir map (G)

Example: homedir map = amd.homedir -

+

host msdfs (G) -

+

If set to yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.

@@ -2301,10 +2298,10 @@ host msdfs (G) setting up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3-HOWTO.

Default: host msdfs = yes -

+

hostname lookups (G) -

Specifies whether samba should use (expensive) +

Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking the hosts deny and hosts allow. @@ -2312,13 +2309,13 @@ hostname lookups (G)

Example: hostname lookups = yes -

+

allow hosts -

This parameter is a synonym for hosts allow.

+

This parameter is a synonym for hosts allow.

hosts allow (S) -

A synonym for this parameter is allow hosts.

This parameter is a comma, space, or tab delimited +

A synonym for this parameter is allow hosts.

This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.

If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.

You can specify the hosts by name or IP number. For @@ -2338,13 +2335,13 @@ hosts allow (S)

Example: hosts allow = 150.203.5. myhost.mynet.edu.au -

+

deny hosts -

This parameter is a synonym for hosts deny.

+

This parameter is a synonym for hosts deny.

hosts deny (S) -

The opposite of hosts allow +

The opposite of hosts allow - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the allow @@ -2358,10 +2355,10 @@ hosts deny (S)

Example: hosts deny = 150.203.4. badhost.mynet.edu.au -

+

idmap alloc backend (G) -

+

The idmap alloc backend provides a plugin interface for Winbind to use when allocating Unix uids/gids for Windows SIDs. This option refers to the name of the idmap module which will provide the id allocation @@ -2378,18 +2375,18 @@ idmap alloc backend (G) Also refer to the idmap alloc config option.

No default

Example: idmap alloc backend = tdb -

+

idmap alloc config (G) -

+

The idmap alloc config prefix provides a means of managing settings for the backend defined by the idmap alloc backend parameter. Refer to the man page for each idmap plugin regarding specific configuration details. -

No default

+

No default

idmap backend (G) -

+

The idmap backend provides a plugin interface for Winbind to use varying backends to store SID/uid/gid mapping tables.

@@ -2410,17 +2407,17 @@ idmap backend (G) and ad (idmap_ad(8)).

Default: idmap backend = tdb -

+

idmap cache time (G) -

This parameter specifies the number of seconds that Winbind's +

This parameter specifies the number of seconds that Winbind's idmap interface will cache positive SID/uid/gid query results.

Default: idmap cache time = 604800 (one week) -

+

idmap config (G) -

+

The idmap config prefix provides a means of managing each trusted domain separately. The idmap config prefix should be followed by the name of the domain, a colon, and a setting specific to the chosen @@ -2452,13 +2449,13 @@ idmap config (G) idmap config CORP : backend = ad idmap config CORP : range = 1000-999999 -

No default

+

No default

winbind gid -

This parameter is a synonym for idmap gid.

+

This parameter is a synonym for idmap gid.

idmap gid (G) -

The idmap gid parameter specifies the range of group ids +

The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it as strange conflicts can @@ -2468,20 +2465,20 @@ idmap gid (G)

Example: idmap gid = 10000-20000 -

+

idmap negative cache time (G) -

This parameter specifies the number of seconds that Winbind's +

This parameter specifies the number of seconds that Winbind's idmap interface will cache negative SID/uid/gid query results.

Default: idmap negative cache time = 120 -

+

winbind uid -

This parameter is a synonym for idmap uid.

+

This parameter is a synonym for idmap uid.

idmap uid (G) -

+

The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs. This range of ids should have no existing local @@ -2491,10 +2488,10 @@ idmap uid (G)

Example: idmap uid = 10000-20000 -

+

include (G) -

+

This allows you to include one config file inside another. The file is included literally, as though typed in place.

@@ -2512,10 +2509,10 @@ include (G)

Example: include = /usr/local/samba/lib/admin_smb.conf -

+

inherit acls (S) -

This parameter can be used to ensure that if default acls +

This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a new file or subdirectory in these parent directories. The default behavior is to use the unix mode specified when creating the directory. @@ -2523,10 +2520,10 @@ inherit acls (S) default directory acls are propagated.

Default: inherit acls = no -

+

inherit owner (S) -

The ownership of new files and directories +

The ownership of new files and directories is normally governed by effective uid of the connected user. This option allows the Samba administrator to specify that the ownership for new files and directories should be controlled @@ -2535,10 +2532,10 @@ inherit owner (S) delete them and to ensure that newly create files in a user's roaming profile directory are actually owner by the user.

Default: inherit owner = no -

+

inherit permissions (S) -

+

The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.

New directories inherit the mode of the parent directory, @@ -2550,10 +2547,10 @@ inherit permissions (S) many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.

Default: inherit permissions = no -

+

init logon delayed hosts (G) -

+

This parameter takes a list of host names, addresses or networks for which the initial samlogon reply should be delayed (so other DCs get preferred by XP workstations if there are any). @@ -2564,19 +2561,19 @@ init logon delayed hosts (G)

Example: init logon delayed hosts = 150.203.5. myhost.mynet.de -

+

init logon delay (G) -

+

This parameter specifies a delay in milliseconds for the hosts configured for delayed initial samlogon with init logon delayed hosts.

Default: init logon delay = 100 -

+

interfaces (G) -

This option allows you to override the default +

This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NetBIOS over TCP/IP (NBT) traffic. By default Samba will query the kernel for the list of all active interfaces and use any @@ -2600,10 +2597,10 @@ interfaces (G)

Example: interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 -

+

invalid users (S) -

This is a list of users that should not be allowed +

This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.

A name starting with a '@' is interpreted as an NIS @@ -2623,10 +2620,10 @@ invalid users (S)

Example: invalid users = root fred admin @wheel -

+

iprint server (G) -

+

This parameter is only applicable if printing is set to iprint.

If set, this option overrides the ServerName option in the CUPS client.conf. This is @@ -2635,10 +2632,10 @@ iprint server (G)

Example: iprint server = MYCUPSSERVER -

+

keepalive (G) -

The value of the parameter (an integer) represents +

The value of the parameter (an integer) represents the number of seconds between keepalive packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether @@ -2648,10 +2645,10 @@ Basically you should only use this option if you strike difficulties.

Defa

Example: keepalive = 600 -

+

kerberos method (G) -

+

Controls how kerberos tickets are verified.

Valid options are:

  • secrets only - use only the secrets.tdb for ticket verification (default)

  • system keytab - use only the system keytab @@ -2668,20 +2665,20 @@ kerberos method (G) specify the location of the keytab file.

    Default: kerberos method = secrets only -

+

kernel change notify (S) -

This parameter specifies whether Samba should ask the +

This parameter specifies whether Samba should ask the kernel for change notifications in directories so that SMB clients can refresh whenever the data on the server changes.

This parameter is only used when your kernel supports change notification to user programs using the inotify interface.

Default: kernel change notify = yes -

+

kernel oplocks (G) -

For UNIXes that support kernel based oplocks +

For UNIXes that support kernel based oplocks (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.

Kernel oplocks support allows Samba oplocks to be broken whenever a local UNIX process or NFS operation @@ -2691,10 +2688,10 @@ kernel oplocks (G) to a no-op on systems that no not have the necessary kernel support. You should never need to touch this parameter.

Default: kernel oplocks = yes -

+

lanman auth (G) -

This parameter determines whether or not smbd(8) will attempt to +

This parameter determines whether or not smbd(8) will attempt to authenticate users or permit password changes using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, but not @@ -2711,10 +2708,10 @@ lanman auth (G) permited. Not all clients support NTLMv2, and most will require special configuration to use it.

Default: lanman auth = no -

+

large readwrite (G) -

This parameter determines whether or not +

This parameter determines whether or not smbd(8) supports the new 64k streaming read and write varient SMB requests introduced with Windows 2000. Note that due to Windows 2000 client redirector bugs @@ -2723,10 +2720,10 @@ large readwrite (G) performance by 10% with Windows 2000 clients. Defaults to on. Not as tested as some other Samba code paths.

Default: large readwrite = yes -

+

ldap admin dn (G) -

+

The ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving user account information. The ldap admin dn is used in conjunction with the admin dn password stored in the private/secrets.tdb @@ -2734,10 +2731,10 @@ ldap admin dn (G) man page for more information on how to accomplish this.

The ldap admin dn requires a fully specified DN. The ldap suffix is not appended to the ldap admin dn. -

No default

+

No default

ldap connection timeout (G) -

+

This parameter tells the LDAP library calls which timeout in seconds they should honor during initial connection establishments to LDAP servers. It is very useful in failover scenarios in particular. If one or more LDAP @@ -2749,10 +2746,10 @@ ldap connection timeout (G) and not establishing an initial connection.

Default: ldap connection timeout = 2 -

+

ldap debug level (G) -

+

This parameter controls the debug level of the LDAP library calls. In the case of OpenLDAP, it is the same bit-field as understood by the server and documented in the @@ -2769,10 +2766,10 @@ ldap debug level (G)

Example: ldap debug level = 1 -

+

ldap debug threshold (G) -

+

This parameter controls the Samba debug level at which the ldap library debug output is printed in the Samba logs. See the description of @@ -2781,28 +2778,28 @@ ldap debug threshold (G)

Example: ldap debug threshold = 5 -

+

ldap delete dn (G) -

This parameter specifies whether a delete +

This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba.

Default: ldap delete dn = no -

+

ldap group suffix (G) -

This parameter specifies the suffix that is +

This parameter specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the ldap suffix string so use a partial DN.

Default: ldap group suffix =

Example: ldap group suffix = ou=Groups -

+

ldap idmap suffix (G) -

+

This parameters specifies the suffix that is used when storing idmap mappings. If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the ldap suffix string so use a partial DN. @@ -2810,10 +2807,10 @@ ldap idmap suffix (G)

Example: ldap idmap suffix = ou=Idmap -

+

ldap machine suffix (G) -

+

It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the ldap suffix string so use a partial DN. @@ -2821,10 +2818,10 @@ ldap machine suffix (G)

Example: ldap machine suffix = ou=Computers -

+

ldap passwd sync (G) -

+

This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA. @@ -2835,10 +2832,10 @@ ldap passwd sync (G) LM passwords and update the pwdLastSet time.

  • Only = Only update the LDAP password and let the LDAP server do the rest.

    • Default: ldap passwd sync = no -

    +

    ldap replication sleep (G) -

    +

    When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server. This server then replicates our changes back to the 'local' server, however the replication might take some seconds, especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success' @@ -2851,10 +2848,10 @@ ldap replication sleep (G) The value is specified in milliseconds, the maximum value is 5000 (5 seconds).

    Default: ldap replication sleep = 1000 -

    +

    ldapsam:editposix (G) -

    +

    Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller eliminating the need to set up custom scripts to add and manage the posix users and groups. This option will instead directly manipulate the ldap tree to create, remove and modify user and group entries. @@ -2932,10 +2929,10 @@ ldapsam:editposix (G)

    Default: ldapsam:editposix = no -

    +

    ldapsam:trusted (G) -

    +

    By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he @@ -2953,10 +2950,10 @@ ldapsam:trusted (G) is easily achieved.

    Default: ldapsam:trusted = no -

    +

    ldap ssl ads (G) -

    This option is used to define whether or not Samba should +

    This option is used to define whether or not Samba should use SSL when connecting to the ldap server using ads methods. Rpc methods are not affected by this parameter. Please note, that @@ -2966,10 +2963,10 @@ ldap ssl ads (G) for more information on ldap ssl.

    Default: ldap ssl ads = no -

    +

    ldap ssl (G) -

    This option is used to define whether or not Samba should +

    This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is NOT related to Samba's previous SSL support which was enabled by specifying the @@ -2994,10 +2991,10 @@ ldap ssl (G) for more information on ldap ssl ads.

    Default: ldap ssl = start tls -

    +

    ldap suffix (G) -

    Specifies the base for all ldap suffixes and for storing the sambaDomain object.

    +

    Specifies the base for all ldap suffixes and for storing the sambaDomain object.

    The ldap suffix will be appended to the values specified for the ldap user suffix, ldap group suffix, ldap machine suffix, and the ldap idmap suffix. Each of these should be given only a DN relative to the @@ -3006,17 +3003,17 @@ ldap suffix (G)

    Example: ldap suffix = dc=samba,dc=org -

    +

    ldap timeout (G) -

    +

    This parameter defines the number of seconds that Samba should use as timeout for LDAP operations.

    Default: ldap timeout = 15 -

    +

    ldap user suffix (G) -

    +

    This parameter specifies where users are added to the tree. If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the ldap suffix string so use a partial DN. @@ -3024,10 +3021,10 @@ ldap user suffix (G)

    Example: ldap user suffix = ou=people -

    +

    level2 oplocks (S) -

    This parameter controls whether Samba supports +

    This parameter controls whether Samba supports level2 (read-only) oplocks on a share.

    Level2, or read-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read-write oplock to a read-only oplock once a second client opens the file (instead @@ -3047,10 +3044,10 @@ level2 oplocks (S) parameter must be set to yes on this share in order for this parameter to have any effect.

    Default: level2 oplocks = yes -

    +

    lm announce (G) -

    This parameter determines if nmbd(8) will produce Lanman announce +

    This parameter determines if nmbd(8) will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values, yes, no, or @@ -3066,10 +3063,10 @@ lm announce (G)

    Example: lm announce = yes -

    +

    lm interval (G) -

    If Samba is set to produce Lanman announce +

    If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the lm announce parameter) then this parameter defines the frequency in seconds with which they will be @@ -3079,18 +3076,18 @@ lm interval (G)

    Example: lm interval = 120 -

    +

    load printers (G) -

    A boolean variable that controls whether all +

    A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the printers section for more details.

    Default: load printers = yes -

    +

    local master (G) -

    This option allows nmbd(8) to try and become a local master browser +

    This option allows nmbd(8) to try and become a local master browser on a subnet. If set to no then nmbd will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By @@ -3100,13 +3097,13 @@ local master (G) will participate in elections for local master browser.

    Setting this value to no will cause nmbd never to become a local master browser.

    Default: local master = yes -

    +

    lock dir -

    This parameter is a synonym for lock directory.

    +

    This parameter is a synonym for lock directory.

    lock directory (G) -

    This option specifies the directory where lock +

    This option specifies the directory where lock files will be placed. The lock files are used to implement the max connections option.

    @@ -3116,10 +3113,10 @@ lock directory (G)

    Example: lock directory = /var/run/samba/locks -

    +

    locking (S) -

    This controls whether or not locking will be +

    This controls whether or not locking will be performed by the server in response to lock requests from the client.

    If locking = no, all lock and unlock requests will appear to succeed and all lock queries will report @@ -3129,18 +3126,18 @@ locking (S) CDROM drives), although setting this parameter of no is not really recommended even in this case.

    Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption. - You should never need to set this parameter.

    No default

    + You should never need to set this parameter.

    No default

    lock spin count (G) -

    This parameter has been made inoperative in Samba 3.0.24. +

    This parameter has been made inoperative in Samba 3.0.24. The functionality it contolled is now controlled by the parameter lock spin time.

    Default: lock spin count = 0 -

    +

    lock spin time (G) -

    The time in microseconds that smbd should +

    The time in microseconds that smbd should keep waiting to see if a failed lock request can be granted. This parameter has changed in default value from Samba 3.0.23 from 10 to 200. The associated @@ -3148,22 +3145,22 @@ lock spin time (G) no longer used in Samba 3.0.24. You should not need to change the value of this parameter.

    Default: lock spin time = 200 -

    +

    log file (G) -

    +

    This option allows you to override the name of the Samba log file (also known as the debug file).

    This option takes the standard substitutions, allowing you to have separate log files for each user or machine.

    No default

    Example: log file = /usr/local/samba/var/log.%m -

    +

    debuglevel -

    This parameter is a synonym for log level.

    +

    This parameter is a synonym for log level.

    log level (G) -

    +

    The value of the parameter (a astring) allows the debug level (logging level) to be specified in the smb.conf file.

    This parameter has been extended since the 2.2.x @@ -3174,10 +3171,10 @@ log level (G)

    Example: log level = 3 passdb:5 auth:10 winbind:2 -

    +

    logon drive (G) -

    +

    This parameter specifies the local path to which the home directory will be connected (see logon home) and is only used by NT Workstations. @@ -3187,10 +3184,10 @@ logon drive (G)

    Example: logon drive = h: -

    +

    logon home (G) -

    +

    This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. It allows you to do

    @@ -3221,10 +3218,10 @@ logon home (G)

    Example: logon home = \\remote_smb_server\%U -

    +

    logon path (G) -

    +

    This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the @@ -3268,10 +3265,10 @@ logon path = \\PROFILESERVER\PROFILE\%U

    Default: logon path = \\%N\%U\profile -

    +

    logon script (G) -

    +

    This parameter specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended. @@ -3302,10 +3299,10 @@ logon script (G)

    Example: logon script = scripts\%U.bat -

    +

    lppause command (S) -

    This parameter specifies the command to be +

    This parameter specifies the command to be executed on the server host in order to stop printing or spooling a specific print job.

    This command should be a program or script which takes a printer name and job number to pause the print job. One way @@ -3329,10 +3326,10 @@ lppause command (S)

    Example: lppause command = /usr/bin/lpalt %p-%j -p0 -

    +

    lpq cache time (G) -

    This controls how long lpq info will be cached +

    This controls how long lpq info will be cached for to prevent the lpq command being called too often. A separate cache is kept for each variation of the lpq command used by the system, so if you use different @@ -3345,10 +3342,10 @@ lpq cache time (G)

    Example: lpq cache time = 10 -

    +

    lpq command (S) -

    This parameter specifies the command to be +

    This parameter specifies the command to be executed on the server host in order to obtain lpq -style printer status information.

    This command should be a program or script which takes a printer name as its only parameter and outputs printer @@ -3370,10 +3367,10 @@ lpq command (S)

    Example: lpq command = /usr/bin/lpq -P%p -

    +

    lpresume command (S) -

    This parameter specifies the command to be +

    This parameter specifies the command to be executed on the server host in order to restart or continue printing or spooling a specific print job.

    This command should be a program or script which takes a printer name and job number to resume the print job. See @@ -3386,10 +3383,10 @@ lpresume command (S) parameter is SYSV, in which case the default is:

    lp -i %p-%j -H resume

    or if the value of the printing parameter is SOFTQ, then the default is:

    qstat -s -j%j -r

    No default

    Example: lpresume command = /usr/bin/lpalt %p-%j -p2 -

    +

    lprm command (S) -

    This parameter specifies the command to be +

    This parameter specifies the command to be executed on the server host in order to delete a print job.

    This command should be a program or script which takes a printer name and job number, and deletes the print job.

    If a %p is given then the printer name is put in its place. A %j is replaced with @@ -3406,10 +3403,10 @@ lprm command = /usr/bin/cancel %p-%j

    Default: lprm command = determined by printing parameter -

    +

    machine password timeout (G) -

    +

    If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb . This parameter specifies how often this password will be changed, in seconds. The default is one @@ -3419,10 +3416,10 @@ machine password timeout (G) and the security = domain parameter.

    Default: machine password timeout = 604800 -

    +

    magic output (S) -

    +

    This parameter specifies the name of a file which will contain output created by a magic script (see the magic script parameter below).

    Warning

    If two clients use the same magic script @@ -3431,10 +3428,10 @@ magic output (S)

    Example: magic output = myfile.txt -

    +

    magic script (S) -

    This parameter specifies the name of a file which, +

    This parameter specifies the name of a file which, if opened, will be executed by the server when the file is closed. This allows a UNIX script to be sent to the Samba host and executed on behalf of the connected user.

    Scripts executed in this way will be deleted upon @@ -3450,10 +3447,10 @@ magic script (S)

    Example: magic script = user.csh -

    +

    mangled names (S) -

    This controls whether non-DOS names under UNIX +

    This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored.

    See the section on name mangling for details on how to control the mangling process.

    If mangling is used then the mangling algorithm is as follows:

    • The first (up to) five alphanumeric characters @@ -3478,10 +3475,10 @@ mangled names (S) from Windows/DOS and will retain the same basename. Mangled names do not change between sessions.

      Default: mangled names = yes -

    +

    mangle prefix (G) -

    controls the number of prefix +

    controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum @@ -3491,20 +3488,20 @@ mangle prefix (G)

    Example: mangle prefix = 4 -

    +

    mangling char (S) -

    This controls what character is used as +

    This controls what character is used as the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer. This is effective only when mangling method is hash.

    Default: mangling char = ~

    Example: mangling char = ^ -

    +

    mangling method (G) -

    controls the algorithm used for the generating +

    controls the algorithm used for the generating the mangled names. Can take two different values, "hash" and "hash2". "hash" is the algorithm that was used used in Samba for many years and was the default in Samba 2.2.x "hash2" is @@ -3515,10 +3512,10 @@ mangling method (G)

    Example: mangling method = hash -

    +

    map acl inherit (S) -

    This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' +

    This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and @@ -3526,10 +3523,10 @@ map acl inherit (S) POSIX ACL mapping code.

    Default: map acl inherit = no -

    +

    map archive (S) -

    +

    This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One @@ -3542,19 +3539,19 @@ map archive (S) create mask for details.

    Default: map archive = yes -

    +

    map hidden (S) -

    +

    This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.

    Note that this requires the create mask to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter create mask for details. -

    No default

    +

    No default

    map read only (S) -

    +

    This controls how the DOS read only attribute should be mapped from a UNIX filesystem.

    This parameter can take three different values, which tell smbd(8) how to display the read only attribute on files, where either @@ -3579,10 +3576,10 @@ map read only (S) the store dos attributes method. This may be useful for exporting mounted CDs.

    Default: map read only = yes -

    +

    map system (S) -

    +

    This controls whether DOS style system files should be mapped to the UNIX group execute bit.

    Note that this requires the create mask to be set such that the group @@ -3590,10 +3587,10 @@ map system (S) create mask for details.

    Default: map system = no -

    +

    map to guest (G) -

    This parameter is only useful in SECURITY = +

    This parameter is only useful in SECURITY = security modes other than security = share and security = server - i.e. user, and domain.

    This parameter can take four different values, which tell @@ -3635,10 +3632,10 @@ map to guest (G)

    Example: map to guest = Bad User -

    +

    map untrusted to domain (G) -

    +

    If a client connects to smbd using an untrusted domain name, such as BOGUS\user, smbd replaces the BOGUS domain with it's SAM name before attempting to authenticate that user. In the case where smbd is acting as @@ -3656,10 +3653,10 @@ map untrusted to domain (G) effect.

    Default: map untrusted to domain = no -

    +

    max connections (S) -

    This option allows the number of simultaneous connections to a service to be limited. +

    This option allows the number of simultaneous connections to a service to be limited. If max connections is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.

    Record lock files are used to implement this feature. The lock files will be stored in @@ -3667,10 +3664,10 @@ max connections (S)

    Example: max connections = 10 -

    +

    max disk size (G) -

    This option allows you to put an upper limit +

    This option allows you to put an upper limit on the apparent size of disks. If you set this option to 100 then all shares will appear to be not larger than 100 MB in size.

    Note that this option does not limit the amount of @@ -3684,10 +3681,10 @@ max disk size (G)

    Example: max disk size = 1000 -

    +

    max log size (G) -

    +

    This option (an integer in kilobytes) specifies the max size the log file should grow to. Samba periodically checks the size and if it is exceeded it will rename the file, adding a .old extension. @@ -3696,17 +3693,17 @@ max log size (G)

    Example: max log size = 1000 -

    +

    max mux (G) -

    This option controls the maximum number of +

    This option controls the maximum number of outstanding simultaneous SMB operations that Samba tells the client it will allow. You should never need to set this parameter.

    Default: max mux = 50 -

    +

    max open files (G) -

    This parameter limits the maximum number of +

    This parameter limits the maximum number of open files that one smbd(8) file serving process may have open for a client at any one time. The default for this parameter is set very high (10,000) as Samba uses @@ -3714,23 +3711,23 @@ max open files (G) by the UNIX per-process file descriptor limit rather than this parameter so you should never need to touch this parameter.

    Default: max open files = 10000 -

    +

    max print jobs (S) -

    This parameter limits the maximum number of +

    This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. If this number is exceeded, smbd(8) will remote "Out of Space" to the client.

    Default: max print jobs = 1000

    Example: max print jobs = 5000 -

    +

    protocol -

    This parameter is a synonym for max protocol.

    +

    This parameter is a synonym for max protocol.

    max protocol (G) -

    The value of the parameter (a string) is the highest +

    The value of the parameter (a string) is the highest protocol level that will be supported by the server.

    Possible values are :

    • CORE: Earliest version. No concept of user names.

    • COREPLUS: Slight improvements on CORE for efficiency.

    • LANMAN1: First @@ -3742,10 +3739,10 @@ max protocol (G)

      Example: max protocol = LANMAN1 -

    +

    max reported print jobs (S) -

    +

    This parameter limits the maximum number of jobs displayed in a port monitor for Samba printer queue at any given moment. If this number is exceeded, the excess jobs will not be shown. A value of zero means there is no limit on the number of @@ -3754,10 +3751,10 @@ max reported print jobs (S)

    Example: max reported print jobs = 1000 -

    +

    max smbd processes (G) -

    This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended +

    This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections. Remember that under normal operating conditions, each user will have an smbd(8) associated with him or her to handle connections to all @@ -3765,10 +3762,10 @@ max smbd processes (G)

    Example: max smbd processes = 1000 -

    +

    max stat cache size (G) -

    This parameter limits the size in memory of any +

    This parameter limits the size in memory of any stat cache being used to speed up case insensitive name mappings. It represents the number of kilobyte (1024) units the stat cache can use. @@ -3779,27 +3776,27 @@ max stat cache size (G)

    Example: max stat cache size = 100 -

    +

    max ttl (G) -

    This option tells nmbd(8) what the default 'time to live' +

    This option tells nmbd(8) what the default 'time to live' of NetBIOS names should be (in seconds) when nmbd is requesting a name using either a broadcast packet or from a WINS server. You should never need to change this parameter. The default is 3 days.

    Default: max ttl = 259200 -

    +

    max wins ttl (G) -

    This option tells smbd(8) when acting as a WINS server +

    This option tells smbd(8) when acting as a WINS server (wins support = yes) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).

    Default: max wins ttl = 518400 -

    +

    max xmit (G) -

    This option controls the maximum packet size +

    This option controls the maximum packet size that will be negotiated by Samba. The default is 16644, which matches the behavior of Windows 2000. A value below 2048 is likely to cause problems. You should never need to change this parameter from its default value. @@ -3807,10 +3804,10 @@ max xmit (G)

    Example: max xmit = 8192 -

    +

    message command (G) -

    This specifies what command to run when the +

    This specifies what command to run when the server receives a WinPopup style message.

    This would normally be a command that would deliver the message somehow. How this is to be done is up to your imagination.

    An example is: @@ -3849,20 +3846,20 @@ message command (G)

    Example: message command = csh -c 'xedit %s; rm %s' & -

    +

    min print space (S) -

    This sets the minimum amount of free disk +

    This sets the minimum amount of free disk space that must be available before a user will be able to spool a print job. It is specified in kilobytes. The default is 0, which means a user can always spool a print job.

    Default: min print space = 0

    Example: min print space = 2000 -

    +

    min protocol (G) -

    The value of the parameter (a string) is the +

    The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer to the max protocol parameter for a list of valid protocol names and a brief description @@ -3874,10 +3871,10 @@ min protocol (G)

    Example: min protocol = NT1 -

    +

    min receivefile size (G) -

    This option changes the behavior of smbd(8) when processing SMBwriteX calls. Any incoming +

    This option changes the behavior of smbd(8) when processing SMBwriteX calls. Any incoming SMBwriteX call on a non-signed SMB/CIFS connection greater than this value will not be processed in the normal way but will be passed to any underlying kernel recvfile or splice system call (if there is no such call Samba will emulate in user space). This allows zero-copy writes directly from network @@ -3886,19 +3883,19 @@ but user testing is recommended. If set to zero Samba processes SMBwriteX calls normal way. To enable POSIX large write support (SMB/CIFS writes up to 16Mb) this option must be nonzero. The maximum value is 128k. Values greater than 128k will be silently set to 128k.

    Note this option will have NO EFFECT if set on a SMB signed connection.

    The default is zero, which diables this option.

    Default: min receivefile size = 0 -

    +

    min wins ttl (G) -

    This option tells nmbd(8) +

    This option tells nmbd(8) when acting as a WINS server (wins support = yes) what the minimum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds).

    Default: min wins ttl = 21600 -

    +

    msdfs proxy (S) -

    This parameter indicates that the share is a +

    This parameter indicates that the share is a stand-in for another CIFS share whose location is specified by the value of the parameter. When clients attempt to connect to this share, they are redirected to the proxied share using @@ -3906,10 +3903,10 @@ msdfs proxy (S) msdfs root and host msdfs options to find out how to set up a Dfs root share.

    No default

    Example: msdfs proxy = \otherserver\someshare -

    +

    msdfs root (S) -

    If set to yes, Samba treats the +

    If set to yes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic @@ -3917,20 +3914,20 @@ msdfs root (S) and so on. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.

    Default: msdfs root = no -

    +

    name cache timeout (G) -

    Specifies the number of seconds it takes before +

    Specifies the number of seconds it takes before entries in samba's hostname resolve cache time out. If the timeout is set to 0. the caching is disabled.

    Default: name cache timeout = 660

    Example: name cache timeout = 0 -

    +

    name resolve order (G) -

    This option is used by the programs in the Samba +

    This option is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. Its main purpose to is to control how netbios name resolution is performed. The option takes a space @@ -3961,10 +3958,10 @@ name resolve order (G)

    Example: name resolve order = lmhosts bcast host -

    +

    netbios aliases (G) -

    This is a list of NetBIOS names that nmbd will +

    This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon @@ -3974,10 +3971,10 @@ netbios aliases (G)

    Example: netbios aliases = TEST TEST1 TEST2 -

    +

    netbios name (G) -

    +

    This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under. @@ -3990,17 +3987,17 @@ netbios name (G)

    Example: netbios name = MYNAME -

    +

    netbios scope (G) -

    This sets the NetBIOS scope that Samba will +

    This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value.

    Default: netbios scope = -

    +

    nis homedir (G) -

    Get the home share server from a NIS map. For +

    Get the home share server from a NIS map. For UNIX systems that use an automounter, the user's home directory will often be mounted on a workstation on demand from a remote server.

    When the Samba logon server is not the actual home directory @@ -4019,20 +4016,20 @@ nis homedir (G) NIS system and the Samba server with this option must also be a logon server.

    Default: nis homedir = no -

    +

    nt acl support (S) -

    This boolean parameter controls whether smbd(8) will attempt to map +

    This boolean parameter controls whether smbd(8) will attempt to map UNIX permissions into Windows NT access control lists. The UNIX permissions considered are the the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories. This parameter was formally a global parameter in releases prior to 2.2.2.

    Default: nt acl support = yes -

    +

    ntlm auth (G) -

    This parameter determines whether or not smbd(8) will attempt to +

    This parameter determines whether or not smbd(8) will attempt to authenticate users using the NTLM encrypted password response. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client.

    If this option, and lanman @@ -4040,33 +4037,33 @@ ntlm auth (G) permited. Not all clients support NTLMv2, and most will require special configuration to use it.

    Default: ntlm auth = yes -

    +

    nt pipe support (G) -

    This boolean parameter controls whether +

    This boolean parameter controls whether smbd(8) will allow Windows NT clients to connect to the NT SMB specific IPC$ pipes. This is a developer debugging option and can be left alone.

    Default: nt pipe support = yes -

    +

    nt status support (G) -

    This boolean parameter controls whether smbd(8) will negotiate NT specific status +

    This boolean parameter controls whether smbd(8) will negotiate NT specific status support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. If this option is set to no then Samba offers exactly the same DOS error codes that versions prior to Samba 2.2.3 reported.

    You should not need to ever disable this parameter.

    Default: nt status support = yes -

    +

    null passwords (G) -

    Allow or disallow client access to accounts that have null passwords.

    See also smbpasswd(5).

    Default: null passwords = no +

    Allow or disallow client access to accounts that have null passwords.

    See also smbpasswd(5).

    Default: null passwords = no -

    +

    obey pam restrictions (G) -

    When Samba 3.0 is configured to enable PAM support +

    When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only @@ -4076,10 +4073,10 @@ obey pam restrictions (G) authentication mechanism needed in the presence of SMB password encryption.

    Default: obey pam restrictions = no -

    +

    only user (S) -

    This is a boolean option that controls whether +

    This is a boolean option that controls whether connections with usernames not in the user list will be allowed. By default this option is disabled so that a client can supply a username to be used by the server. Enabling @@ -4092,10 +4089,10 @@ only user (S) will be just the service name, which for home directories is the name of the user.

    Default: only user = no -

    +

    oplock break wait time (G) -

    +

    This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount @@ -4104,10 +4101,10 @@ oplock break wait time (G) DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

    Default: oplock break wait time = 0 -

    +

    oplock contention limit (S) -

    +

    This is a very advanced smbd(8) tuning option to improve the efficiency of the granting of oplocks under multiple client contention for the same file.

    @@ -4119,10 +4116,10 @@ oplock contention limit (S) DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

    Default: oplock contention limit = 2 -

    +

    oplocks (S) -

    +

    This boolean option tells smbd whether to issue oplocks (opportunistic locks) to file open requests on this share. The oplock code can dramatically (approx. 30% or more) improve @@ -4141,10 +4138,10 @@ oplocks (S) kernel oplocks parameter for details.

    Default: oplocks = yes -

    +

    os2 driver map (G) -

    The parameter is used to define the absolute +

    The parameter is used to define the absolute path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is:

    <nt driver name> = <os2 driver name>.<device name>

    For example, a valid entry using the HP LaserJet 5 printer driver would appear as HP LaserJet 5L = LASERJET.HP @@ -4154,10 +4151,10 @@ os2 driver map (G) details on OS/2 clients, please refer to chapter on other clients in the Samba3-HOWTO book.

    Default: os2 driver map = -

    +

    os level (G) -

    +

    This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd(8) has a chance of becoming a local master browser for the workgroup in the local broadcast area.

    @@ -4173,10 +4170,10 @@ os level (G)

    Example: os level = 65 -

    +

    pam password change (G) -

    With the addition of better PAM support in Samba 2.2, +

    With the addition of better PAM support in Samba 2.2, this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in @@ -4184,20 +4181,20 @@ pam password change (G) It should be possible to enable this without changing your passwd chat parameter for most setups.

    Default: pam password change = no -

    +

    panic action (G) -

    This is a Samba developer option that allows a +

    This is a Samba developer option that allows a system command to be called when either smbd(8) or nmbd(8) crashes. This is usually used to draw attention to the fact that a problem occurred.

    Default: panic action =

    Example: panic action = "/bin/sleep 90000" -

    +

    paranoid server security (G) -

    Some version of NT 4.x allow non-guest +

    Some version of NT 4.x allow non-guest users with a bad passowrd. When this option is enabled, samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit. @@ -4205,10 +4202,10 @@ paranoid server security (G) this check, which involves deliberatly attempting a bad logon to the remote server.

    Default: paranoid server security = yes -

    +

    passdb backend (G) -

    This option allows the administrator to chose which backend +

    This option allows the administrator to chose which backend will be used for storing user and possibly group information. This allows you to swap between different storage mechanisms without recompile.

    The parameter value is divided into two parts, the backend's name, and a 'location' string that has meaning only to that particular backed. These are separated @@ -4243,19 +4240,19 @@ or multi server LDAP URL with Netscape based LDAP library: passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"

    Default: passdb backend = tdbsam -

    +

    passdb expand explicit (G) -

    +

    This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable %G_osver% in which %G would have been substituted by the user's primary group.

    Default: passdb expand explicit = no -

    +

    passwd chat debug (G) -

    This boolean specifies if the passwd chat script +

    This boolean specifies if the passwd chat script parameter is run in debug mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd(8) log with a @@ -4268,18 +4265,18 @@ passwd chat debug (G) pam password change parameter is set. This parameter is off by default.

    Default: passwd chat debug = no -

    +

    passwd chat timeout (G) -

    This integer specifies the number of seconds smbd will wait for an initial +

    This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run. Once the initial answer is received the subsequent answers must be received in one tenth of this time. The default it two seconds.

    Default: passwd chat timeout = 2 -

    +

    passwd chat (G) -

    This string controls the "chat" +

    This string controls the "chat" conversation that takes places between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the @@ -4310,10 +4307,10 @@ passwd chat (G)

    Example: passwd chat = "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" -

    +

    passwd program (G) -

    The name of a program that can be used to set +

    The name of a program that can be used to set UNIX user passwords. Any occurrences of %u will be replaced with the user name. The user name is checked for existence before calling the password changing program.

    Also note that many passwd programs insist in reasonable @@ -4334,10 +4331,10 @@ passwd program (G)

    Example: passwd program = /bin/passwd %u -

    +

    password level (G) -

    Some client/server combinations have difficulty +

    Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when @@ -4359,10 +4356,10 @@ password level (G)

    Example: password level = 4 -

    +

    password server (G) -

    By specifying the name of another SMB server +

    By specifying the name of another SMB server or Active Directory domain controller with this option, and using security = [ads|domain|server] it is possible to get Samba @@ -4422,13 +4419,13 @@ password server (G)

    Example: password server = windc.mydomain.com:389 192.168.1.101 * -

    +

    directory -

    This parameter is a synonym for path.

    +

    This parameter is a synonym for path.

    path (S) -

    This parameter specifies a directory to which +

    This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.

    For a printable service offering guest access, the service @@ -4445,25 +4442,25 @@ path (S)

    Example: path = /home/fred -

    +

    perfcount module (G) -

    This parameter specifies the perfcount backend to be used when monitoring SMB +

    This parameter specifies the perfcount backend to be used when monitoring SMB operations. Only one perfcount module may be used, and it must implement all of the apis contained in the smb_perfcount_handler structure defined in smb.h. -

    No default

    +

    No default

    pid directory (G) -

    +

    This option specifies the directory where pid files will be placed.

    Default: pid directory = ${prefix}/var/locks

    Example: pid directory = pid directory = /var/run/ -

    +

    posix locking (S) -

    +

    The smbd(8) daemon maintains an database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are @@ -4471,10 +4468,10 @@ posix locking (S) method (e.g. NFS or local file access). You should never need to disable this parameter.

    Default: posix locking = yes -

    +

    postexec (S) -

    This option specifies a command to be run +

    This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as the root on some systems.

    An interesting example may be to unmount server @@ -4482,21 +4479,21 @@ postexec (S)

    Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log -

    +

    preexec close (S) -

    +

    This boolean option controls whether a non-zero return code from preexec should close the service being connected to.

    Default: preexec close = no -

    +

    exec -

    This parameter is a synonym for preexec.

    +

    This parameter is a synonym for preexec.

    preexec (S) -

    This option specifies a command to be run whenever +

    This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

    An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:

    @@ -4508,13 +4505,13 @@ preexec (S)

    Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log -

    +

    prefered master -

    This parameter is a synonym for preferred master.

    +

    This parameter is a synonym for preferred master.

    preferred master (G) -

    +

    This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.

    If this is set to yes, on startup, nmbd will force @@ -4528,22 +4525,22 @@ preferred master (G) capabilities.

    Default: preferred master = auto -

    +

    preload modules (G) -

    This is a list of paths to modules that should +

    This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.

    Default: preload modules =

    Example: preload modules = /usr/lib/samba/passdb/mysql.so -

    +

    auto services -

    This parameter is a synonym for preload.

    +

    This parameter is a synonym for preload.

    preload (G) -

    This is a list of services that you want to be +

    This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services that would otherwise not be visible.

    @@ -4554,33 +4551,33 @@ preload (G)

    Example: preload = fred lp colorlp -

    +

    preserve case (S) -

    +

    This controls if new filenames are created with the case that the client passes, or if they are forced to be the default case.

    See the section on NAME MANGLING for a fuller discussion.

    Default: preserve case = yes -

    +

    print ok -

    This parameter is a synonym for printable.

    +

    This parameter is a synonym for printable.

    printable (S) -

    If this parameter is yes, then +

    If this parameter is yes, then clients may open, write to and submit spool files on the directory specified for the service.

    Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to the resource.

    Default: printable = no -

    +

    printcap cache time (G) -

    This option specifies the number of seconds before the printing +

    This option specifies the number of seconds before the printing subsystem is again asked for the known printers. If the value is greater than 60 the initial waiting time is set to 60 seconds to allow an earlier first rescan of the printing subsystem. @@ -4590,13 +4587,13 @@ printcap cache time (G)

    Example: printcap cache time = 600 -

    +

    printcap -

    This parameter is a synonym for printcap name.

    +

    This parameter is a synonym for printcap name.

    printcap name (G) -

    +

    This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

    @@ -4631,10 +4628,10 @@ print5|My Printer 5

    Example: printcap name = /etc/myprintcap -

    +

    print command (S) -

    After a print job has finished spooling to +

    After a print job has finished spooling to a service, this command will be used via a system() call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there @@ -4676,10 +4673,10 @@ print command (S) and if SAMBA is compiled against libcups, any manually set print command will be ignored.

    No default

    Example: print command = /usr/local/samba/bin/myprintscript %p %s -

    +

    printer admin (S) -

    +

    This lists users who can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using a NT workstation). @@ -4695,13 +4692,13 @@ printer admin (S)

    Example: printer admin = admin, @staff -

    +

    printer -

    This parameter is a synonym for printer name.

    +

    This parameter is a synonym for printer name.

    printer name (S) -

    +

    This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.

    @@ -4714,10 +4711,10 @@ printer name (S)

    Example: printer name = laserwriter -

    +

    printing (S) -

    This parameters controls how printer status information is +

    This parameters controls how printer status information is interpreted on your system. It also affects the default values for the print command, lpq command, lppause command , lpresume command, and lprm command if specified in the [global] section.

    Currently nine printing styles are supported. They are @@ -4734,27 +4731,27 @@ printing (S) [printers] section.

    Default: printing = Depends on the operating system, see testparm -v. -

    +

    printjob username (S) -

    This parameter specifies which user information will be +

    This parameter specifies which user information will be passed to the printing system. Usually, the username is sent, but in some cases, e.g. the domain prefix is useful, too.

    Default: printjob username = %U

    Example: printjob username = %D\%U -

    +

    private dir (G) -

    This parameters defines the directory +

    This parameters defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb.

    Default: private dir = ${prefix}/private -

    +

    profile acls (S) -

    +

    This boolean parameter was added to fix the problems that people have been having with storing user profiles on Samba shares from Windows 2000 or Windows XP clients. New versions of Windows 2000 or Windows XP service @@ -4782,10 +4779,10 @@ profile acls (S) tree to the owning user.

    Default: profile acls = no -

    +

    queuepause command (S) -

    This parameter specifies the command to be +

    This parameter specifies the command to be executed on the server host in order to pause the printer queue.

    This command should be a program or script which takes a printer name as its only parameter and stops the printer queue, such that no longer jobs are submitted to the printer.

    This command is not supported by Windows for Workgroups, @@ -4796,10 +4793,10 @@ queuepause command (S) path in the command as the PATH may not be available to the server.

    No default

    Example: queuepause command = disable %p -

    +

    queueresume command (S) -

    This parameter specifies the command to be +

    This parameter specifies the command to be executed on the server host in order to resume the printer queue. It is the command to undo the behavior that is caused by the previous parameter (queuepause command).

    This command should be a program or script which takes @@ -4814,10 +4811,10 @@ queueresume command (S)

    Example: queueresume command = enable %p -

    +

    read list (S) -

    +

    This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the read only option is set to. The list can include group names using the syntax described in the invalid users @@ -4827,19 +4824,19 @@ read list (S)

    Example: read list = mary, @students -

    +

    read only (S) -

    An inverted synonym is writeable.

    If this parameter is yes, then users +

    An inverted synonym is writeable.

    If this parameter is yes, then users of a service may not create or modify files in the service's directory.

    Note that a printable service (printable = yes) will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.

    Default: read only = yes -

    +

    read raw (G) -

    This parameter controls whether or not the server +

    This parameter controls whether or not the server will support the raw read SMB requests when transferring data to clients.

    If enabled, raw reads allow reads of 65535 bytes in one packet. This typically provides a major performance benefit. @@ -4848,20 +4845,20 @@ read raw (G) sizes, and for these clients you may need to disable raw reads.

    In general this parameter should be viewed as a system tuning tool and left severely alone.

    Default: read raw = yes -

    +

    realm (G) -

    This option specifies the kerberos realm to use. The realm is +

    This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server.

    Default: realm =

    Example: realm = mysambabox.mycompany.com -

    +

    registry shares (G) -

    +

    This turns on or off support for share definitions read from registry. Shares defined in smb.conf take precedence over shares with the same name defined in @@ -4876,10 +4873,10 @@ registry shares (G)

    Example: registry shares = yes -

    +

    remote announce (G) -

    +

    This option allows you to setup nmbd(8) to periodically announce itself to arbitrary IP addresses with an arbitrary workgroup name.

    @@ -4903,10 +4900,10 @@ remote announce (G) See the chapter on Network Browsing in the Samba-HOWTO book.

    Default: remote announce = -

    +

    remote browse sync (G) -

    +

    This option allows you to setup nmbd(8) to periodically request synchronization of browse lists with the master browser of a Samba server that is on a remote segment. This option will allow you to @@ -4938,10 +4935,10 @@ remote browse sync (G) each network has its own WINS server.

    Default: remote browse sync = -

    +

    rename user script (G) -

    +

    This is the full pathname to a script that will be run as root by smbd(8) under special circumstances described below.

    When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager @@ -4959,10 +4956,10 @@ rename user script (G) needs to change for other applications using the same directory.

    Default: rename user script = no -

    +

    reset on zero vc (G) -

    +

    This boolean option controls whether an incoming session setup should kill other connections coming from the same IP. This matches the default Windows 2003 behaviour. @@ -4981,10 +4978,10 @@ reset on zero vc (G)

    Default: reset on zero vc = no -

    +

    restrict anonymous (G) -

    The setting of this parameter determines whether user and +

    The setting of this parameter determines whether user and group list information is returned for an anonymous connection. and mirrors the effects of the 

    @@ -5007,16 +5004,16 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
     by setting guest ok = yes on any share.

    Default: restrict anonymous = 0 -

    +

    root -

    This parameter is a synonym for root directory.

    +

    This parameter is a synonym for root directory.

    root dir -

    This parameter is a synonym for root directory.

    +

    This parameter is a synonym for root directory.

    root directory (G) -

    The server will chroot() (i.e. +

    The server will chroot() (i.e. Change its root directory) to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. @@ -5039,34 +5036,34 @@ root directory (G)

    Example: root directory = /homes/smb -

    +

    root postexec (S) -

    +

    This is the same as the postexec parameter except that the command is run as root. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed.

    Default: root postexec = -

    +

    root preexec close (S) -

    This is the same as the preexec close +

    This is the same as the preexec close parameter except that the command is run as root.

    Default: root preexec close = no -

    +

    root preexec (S) -

    +

    This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.

    Default: root preexec = -

    +

    security mask (S) -

    +

    This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.

    @@ -5085,10 +5082,10 @@ security mask (S)

    Example: security mask = 0770 -

    +

    security (G) -

    This option affects how clients respond to +

    This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.

    The option sets the "security mode bit" in replies to protocol negotiations with smbd(8) to turn share level security on or off. Clients decide @@ -5212,10 +5209,10 @@ security (G)

    Example: security = DOMAIN -

    +

    server schannel (G) -

    +

    This controls whether the server offers or even demands the use of the netlogon schannel. server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. This is only the case for Windows NT4 before SP4. @@ -5226,20 +5223,20 @@ server schannel (G)

    Example: server schannel = yes -

    +

    server signing (G) -

    This controls whether the client is allowed or required to use SMB signing. Possible values +

    This controls whether the client is allowed or required to use SMB signing. Possible values are auto, mandatory and disabled.

    When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either.

    Default: server signing = Disabled -

    +

    server string (G) -

    This controls what string will show up in the printer comment box in print +

    This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view. It can be any string that you wish to show to your users.

    It also sets what will appear in browse lists next to the machine name.

    A %v will be replaced with the Samba @@ -5248,10 +5245,10 @@ server string (G)

    Example: server string = University of GNUs Samba Server -

    +

    set directory (S) -

    +

    If set directory = no, then users of the service may not use the setdir command to change directory.

    @@ -5260,10 +5257,10 @@ set directory (S) for details.

    Default: set directory = no -

    +

    set primary group script (G) -

    Thanks to the Posix subsystem in NT a Windows User has a +

    Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups. This script sets the primary group in the unix userdatase when an administrator sets the primary group from the windows user @@ -5275,10 +5272,10 @@ set primary group script (G)

    Example: set primary group script = /usr/sbin/usermod -g '%g' '%u' -

    +

    set quota command (G) -

    The set quota command should only be used +

    The set quota command should only be used whenever there is no operating system API available from the OS that samba can use.

    This option is only available if Samba was configured with the argument --with-sys-quotas or on linux when ./configure --with-quotas was used and a working quota api @@ -5288,10 +5285,23 @@ set quota command (G)

    Example: set quota command = /usr/local/sbin/set_quota -

    +

    + +share:fake_fscaps (G) +

    + This is needed to support some special application that makes + QFSINFO calls to check whether we set the SPARSE_FILES bit + (0x40). If this bit is not set that particular application + refuses to work against + Samba. With share:fake_fscaps = 64 + the SPARSE_FILES file system capability flag is set. Use other + decimal values to specify the bitmask you need to fake. +

    Default: share:fake_fscaps = 0 + +

    share modes (S) -

    This enables or disables the honoring of +

    This enables or disables the honoring of the share modes during a file open. These modes are used by clients to gain exclusive read or write access to a file.

    This is a deprecated option from old versions of @@ -5303,20 +5313,20 @@ share modes (S) by default.

    You should NEVER turn this parameter off as many Windows applications will break if you do so.

    Default: share modes = yes -

    +

    short preserve case (S) -

    +

    This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case. This option can be use with preserve case = yes to permit long filenames to retain their case, while short names are lowered.

    See the section on NAME MANGLING.

    Default: short preserve case = yes -

    +

    show add printer wizard (G) -

    With the introduction of MS-RPC based printing support +

    With the introduction of MS-RPC based printing support for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is @@ -5334,10 +5344,10 @@ show add printer wizard (G)

    Note

    This does not prevent the same user from having administrative privilege on an individual printer.

    Default: show add printer wizard = yes -

    +

    shutdown script (G) -

    This a full path name to a script called by +

    This a full path name to a script called by smbd(8) that should start a shutdown procedure.

    If the connected user posseses the SeRemoteShutdownPrivilege, right, this command will be run as root.

    The %z %t %r %f variables are expanded as follows:

    • %z will be substituted with the @@ -5362,10 +5372,10 @@ let "time++"

      Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f -

    +

    smb encrypt (S) -

    This is a new feature introduced with Samba 3.2 and above. It is an +

    This is a new feature introduced with Samba 3.2 and above. It is an extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream. When @@ -5393,10 +5403,10 @@ smb encrypt (S) When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated.

    Default: smb encrypt = auto -

    +

    smb passwd file (G) -

    This option sets the path to the encrypted smbpasswd file. By +

    This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.

    An example of use is: 

    @@ -5404,15 +5414,15 @@ smb passwd file = /etc/samba/smbpasswd

    Default: smb passwd file = ${prefix}/private/smbpasswd -

    +

    smb ports (G) -

    Specifies which ports the server should listen on for SMB traffic.

    Default: smb ports = 445 139 +

    Specifies which ports the server should listen on for SMB traffic.

    Default: smb ports = 445 139 -

    +

    socket address (G) -

    This option allows you to control what +

    This option allows you to control what address Samba will listen for connections on. This is used to support multiple virtual interfaces on the one server, each with a different configuration.

    Setting this option should never be necessary on usual Samba @@ -5421,10 +5431,10 @@ socket address (G)

    Example: socket address = 192.168.2.20 -

    +

    socket options (G) -

    This option allows you to set socket options +

    This option allows you to set socket options to be used when talking with the client.

    Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned.

    This option will typically be used to tune your Samba server @@ -5452,17 +5462,17 @@ socket options (G)

    Example: socket options = IPTOS_LOWDELAY -

    +

    stat cache (G) -

    This parameter determines if smbd(8) will use a cache in order to +

    This parameter determines if smbd(8) will use a cache in order to speed up case insensitive name mappings. You should never need to change this parameter.

    Default: stat cache = yes -

    +

    store dos attributes (S) -

    +

    If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such as occurs with map hidden and map readonly). When set, DOS @@ -5474,10 +5484,10 @@ store dos attributes (S) extended attributes to work, also extended attributes must be compiled into the Linux kernel.

    Default: store dos attributes = no -

    +

    strict allocate (S) -

    This is a boolean that controls the handling of +

    This is a boolean that controls the handling of disk space allocation in the server. When this is set to yes the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour @@ -5489,10 +5499,10 @@ strict allocate (S) out of quota messages on systems that are restricting the disk quota of users.

    Default: strict allocate = no -

    +

    strict locking (S) -

    +

    This is an enumerated type that controls the handling of file locking in the server. When this is set to yes, the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems. @@ -5508,10 +5518,10 @@ strict locking (S) strict locking = no is acceptable.

    Default: strict locking = Auto -

    +

    strict sync (S) -

    Many Windows applications (including the Windows 98 explorer +

    Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstanding data in @@ -5525,10 +5535,10 @@ strict sync (S) addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies.

    Default: strict sync = no -

    +

    svcctl list (G) -

    This option defines a list of init scripts that smbd +

    This option defines a list of init scripts that smbd will use for starting and stopping Unix services via the Win32 ServiceControl API. This allows Windows administrators to utilize the MS Management Console plug-ins to manage a @@ -5541,10 +5551,10 @@ svcctl list (G)

    Example: svcctl list = cups postfix portmap httpd -

    +

    sync always (S) -

    This is a boolean parameter that controls +

    This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns. If this is no then the server will be guided by the client's request in each write call (clients can @@ -5555,19 +5565,19 @@ sync always (S) yes in order for this parameter to have any effect.

    Default: sync always = no -

    +

    syslog only (G) -

    +

    If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files. There still will be some logging to log.[sn]mbd even if syslog only is enabled.

    Default: syslog only = no -

    +

    syslog (G) -

    +

    This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps onto LOG_NOTICE, @@ -5578,10 +5588,10 @@ syslog (G) logging to log.[sn]mbd even if syslog only is enabled.

    Default: syslog = 1 -

    +

    template homedir (G) -

    When filling out the user information for a Windows NT +

    When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the home directory for that user. If the string %D is present it @@ -5589,31 +5599,31 @@ template homedir (G) string %U is present it is substituted with the user's Windows NT user name.

    Default: template homedir = /home/%D/%U -

    +

    template shell (G) -

    When filling out the user information for a Windows NT +

    When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this - parameter to fill in the login shell for that user.

    No default

    + parameter to fill in the login shell for that user.

    No default

    time offset (G) -

    This parameter is a setting in minutes to add +

    This parameter is a setting in minutes to add to the normal GMT to local time conversion. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling.

    Default: time offset = 0

    Example: time offset = 60 -

    +

    time server (G) -

    This parameter determines if nmbd(8) advertises itself as a time server to Windows +

    This parameter determines if nmbd(8) advertises itself as a time server to Windows clients.

    Default: time server = no -

    +

    unix charset (G) -

    Specifies the charset the unix machine +

    Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

    This is also the charset Samba will use when specifying arguments @@ -5622,20 +5632,20 @@ unix charset (G)

    Example: unix charset = ASCII -

    +

    unix extensions (G) -

    This boolean parameter controls whether Samba +

    This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.

    Default: unix extensions = yes -

    +

    unix password sync (G) -

    This boolean parameter controls whether Samba +

    This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to yes the program specified in the passwd @@ -5644,10 +5654,10 @@ unix password sync (G) old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).

    Default: unix password sync = no -

    +

    update encrypted (G) -

    +

    This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file to be updated automatically as they log on. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the @@ -5665,10 +5675,10 @@ update encrypted (G) passwords.

    Default: update encrypted = no -

    +

    use client driver (S) -

    This parameter applies only to Windows NT/2000 +

    This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required @@ -5693,10 +5703,10 @@ use client driver (S) on a print share which has valid print driver installed on the Samba server.

    Default: use client driver = no -

    +

    use mmap (G) -

    This global parameter determines if the tdb internals of Samba can +

    This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to no by @@ -5705,10 +5715,10 @@ use mmap (G) the tdb internal code.

    Default: use mmap = yes -

    +

    username level (G) -

    This option helps Samba to try and 'guess' at +

    This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the @@ -5723,10 +5733,10 @@ username level (G)

    Example: username level = 5 -

    +

    username map script (G) -

    This script is a mutually exclusive alternative to the +

    This script is a mutually exclusive alternative to the username map parameter. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication @@ -5737,10 +5747,10 @@ username map script (G)

    Example: username map script = /etc/samba/scripts/mapusers.sh -

    +

    username map (G) -

    +

    This option allows you to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they @@ -5824,16 +5834,16 @@ username map = /usr/local/samba/lib/users.map

    Default: username map = # no username map -

    +

    user -

    This parameter is a synonym for username.

    +

    This parameter is a synonym for username.

    users -

    This parameter is a synonym for username.

    +

    This parameter is a synonym for username.

    username (S) -

    Multiple users may be specified in a comma-delimited +

    Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).

    The username line is needed only when the PC is unable to supply its own username. This is the case @@ -5871,28 +5881,28 @@ username (S)

    Example: username = fred, mary, jack, jane, @users, @pcgroup -

    +

    usershare allow guests (G) -

    This parameter controls whether user defined shares are allowed +

    This parameter controls whether user defined shares are allowed to be accessed by non-authenticated users or not. It is the equivalent of allowing people who can create a share the option of setting guest ok = yes in a share definition. Due to its security sensitive nature, the default is set to off.

    Default: usershare allow guests = no -

    +

    usershare max shares (G) -

    This parameter specifies the number of user defined shares +

    This parameter specifies the number of user defined shares that are allowed to be created by users belonging to the group owning the usershare directory. If set to zero (the default) user defined shares are ignored.

    Default: usershare max shares = 0 -

    +

    usershare owner only (G) -

    This parameter controls whether the pathname exported by +

    This parameter controls whether the pathname exported by a user defined shares must be owned by the user creating the user defined share or not. If set to True (the default) then smbd checks that the directory path being shared is owned by @@ -5902,10 +5912,10 @@ usershare owner only (G) regardless of who owns it.

    Default: usershare owner only = True -

    +

    usershare path (G) -

    This parameter specifies the absolute path of the directory on the +

    This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files. This directory must be owned by root, and have no access for other, and be writable only by the group owner. In addition the @@ -5926,10 +5936,10 @@ usershare path (G) In this case, only members of the group "power_users" can create user defined shares.

    Default: usershare path = NULL -

    +

    usershare prefix allow list (G) -

    This parameter specifies a list of absolute pathnames +

    This parameter specifies a list of absolute pathnames the root of which are allowed to be exported by user defined share definitions. If the pathname to be exported doesn't start with one of the strings in this list, the user defined share will not be allowed. This allows the Samba @@ -5944,10 +5954,10 @@ usershare prefix allow list (G)

    Example: usershare prefix allow list = /home /data /space -

    +

    usershare prefix deny list (G) -

    This parameter specifies a list of absolute pathnames +

    This parameter specifies a list of absolute pathnames the root of which are NOT allowed to be exported by user defined share definitions. If the pathname exported starts with one of the strings in this list the user defined share will not be allowed. Any pathname not @@ -5963,10 +5973,10 @@ usershare prefix deny list (G)

    Example: usershare prefix deny list = /etc /dev /private -

    +

    usershare template share (G) -

    User defined shares only have limited possible parameters +

    User defined shares only have limited possible parameters such as path, guest ok, etc. This parameter allows usershares to "cloned" from an existing share. If "usershare template share" is set to the name of an existing share, then all usershares @@ -5981,10 +5991,10 @@ usershare template share (G)

    Example: usershare template share = template_share -

    +

    use sendfile (S) -

    If this parameter is yes, and the sendfile() +

    If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPU's @@ -5993,10 +6003,10 @@ use sendfile (S) Windows 9x (using sendfile from Linux will cause these clients to fail).

    Default: use sendfile = false -

    +

    use spnego (G) -

    This variable controls controls whether samba will try +

    This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism.

    @@ -6004,10 +6014,10 @@ use spnego (G) implementation, there is no reason this should ever be disabled.

    Default: use spnego = yes -

    +

    utmp directory (G) -

    This parameter is only available if Samba has +

    This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that @@ -6019,10 +6029,10 @@ utmp directory (G)

    Example: utmp directory = /var/run/utmp -

    +

    utmp (G) -

    +

    This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records @@ -6034,10 +6044,10 @@ utmp (G) to find this number. This may impede performance on large installations.

    Default: utmp = no -

    +

    valid users (S) -

    +

    This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter. @@ -6053,10 +6063,10 @@ valid users (S)

    Example: valid users = greg, @pcusers -

    +

    -valid (S) -

    This parameter indicates whether a share is +

    This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible.

    @@ -6065,10 +6075,10 @@ valid users (S) Samba uses this option internally to mark shares as deleted.

    Default: -valid = yes -

    +

    veto files (S) -

    +

    This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards. @@ -6099,10 +6109,10 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

    Default: veto files = No files or directories are vetoed. -

    +

    veto oplock files (S) -

    +

    This parameter is only valid when the oplocks parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that @@ -6123,31 +6133,31 @@ veto oplock files = /.*SEM/

    Default: veto oplock files = # No files are vetoed for oplock grants -

    +

    vfs object -

    This parameter is a synonym for vfs objects.

    +

    This parameter is a synonym for vfs objects.

    vfs objects (S) -

    This parameter specifies the backend names which +

    This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects.

    Default: vfs objects =

    Example: vfs objects = extd_audit recycle -

    +

    volume (S) -

    This allows you to override the volume label +

    This allows you to override the volume label returned for a share. Useful for CDROMs with installation programs that insist on a particular volume label.

    Default: volume = # the name of the share -

    +

    wide links (S) -

    This parameter controls whether or not links +

    This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only @@ -6155,10 +6165,10 @@ wide links (S) effect on your server performance due to the extra system calls that Samba has to do in order to perform the link checks.

    Default: wide links = yes -

    +

    winbind cache time (G) -

    This parameter specifies the number of +

    This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.

    @@ -6166,10 +6176,10 @@ winbind cache time (G) evaluated in real time unless the winbind offline logon option has been enabled.

    Default: winbind cache time = 300 -

    +

    winbind enum groups (G) -

    On large installations using winbindd(8) it may be necessary to suppress +

    On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If @@ -6177,10 +6187,10 @@ winbind enum groups (G) no, calls to the getgrent() system call will not return any data.

    Warning

    Turning off group enumeration may cause some programs to behave oddly.

    Default: winbind enum groups = no -

    +

    winbind enum users (G) -

    On large installations using winbindd(8) it may be +

    On large installations using winbindd(8) it may be necessary to suppress the enumeration of users through the setpwent(), getpwent() and endpwent() group of system calls. If @@ -6192,10 +6202,10 @@ winbind enum users (G) full user list when searching for matching usernames.

    Default: winbind enum users = no -

    +

    winbind expand groups (G) -

    This option controls the maximum depth that winbindd +

    This option controls the maximum depth that winbindd will traverse when flattening nested group memberships of Windows domain groups. This is different from the winbind nested groups option @@ -6207,10 +6217,10 @@ winbind expand groups (G) must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time.

    Default: winbind expand groups = 1 -

    +

    winbind nested groups (G) -

    If set to yes, this parameter activates the support for nested +

    If set to yes, this parameter activates the support for nested groups. Nested groups are also called local groups or aliases. They work like their counterparts in Windows: Nested groups are defined locally on any machine (they are shared @@ -6218,10 +6228,10 @@ winbind nested groups (G) global groups from any trusted SAM. To be able to use nested groups, you need to run nss_winbind.

    Default: winbind nested groups = yes -

    +

    winbind normalize names (G) -

    This parameter controls whether winbindd will replace +

    This parameter controls whether winbindd will replace whitespace in user and group names with an underscore (_) character. For example, whether the name "Space Kadet" should be replaced with the string "space_kadet". @@ -6241,10 +6251,10 @@ winbind normalize names (G)

    Example: winbind normalize names = yes -

    +

    winbind nss info (G) -

    This parameter is designed to control how Winbind retrieves Name +

    This parameter is designed to control how Winbind retrieves Name Service Information to construct a user's home directory and login shell. Currently the following settings are available: @@ -6266,10 +6276,10 @@ winbind nss info (G)

    Example: winbind nss info = template sfu -

    +

    winbind offline logon (G) -

    This parameter is designed to control whether Winbind should +

    This parameter is designed to control whether Winbind should allow to login with the pam_winbind module using Cached Credentials. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache. @@ -6277,37 +6287,37 @@ winbind offline logon (G)

    Example: winbind offline logon = true -

    +

    winbind reconnect delay (G) -

    This parameter specifies the number of +

    This parameter specifies the number of seconds the winbindd(8) daemon will wait between attempts to contact a Domain controller for a domain that is determined to be down or not contactable.

    Default: winbind reconnect delay = 30 -

    +

    winbind refresh tickets (G) -

    This parameter is designed to control whether Winbind should refresh Kerberos Tickets +

    This parameter is designed to control whether Winbind should refresh Kerberos Tickets retrieved using the pam_winbind module.

    Default: winbind refresh tickets = false

    Example: winbind refresh tickets = true -

    +

    winbind rpc only (G) -

    +

    Setting this parameter to yes forces winbindd to use RPC instead of LDAP to retrieve information from Domain Controllers.

    Default: winbind rpc only = no -

    +

    winbind separator (G) -

    This parameter allows an admin to define the character +

    This parameter allows an admin to define the character used when listing a username of the form of DOMAIN \user. This parameter is only applicable when using the pam_winbind.so @@ -6318,10 +6328,10 @@ winbind separator (G)

    Example: winbind separator = + -

    +

    winbind trusted domains only (G) -

    +

    This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. @@ -6332,10 +6342,10 @@ winbind trusted domains only (G) Refer to the idmap_nss(8) man page for more information.

    Default: winbind trusted domains only = no -

    +

    winbind use default domain (G) -

    This parameter specifies whether the +

    This parameter specifies whether the winbindd(8) daemon should operate on users without domain component in their username. Users without a domain component are treated as is part of the winbindd server's own @@ -6345,10 +6355,10 @@ winbind use default domain (G)

    Example: winbind use default domain = yes -

    +

    wins hook (G) -

    When Samba is running as a WINS server this +

    When Samba is running as a WINS server this allows you to call an external program for all changes to the WINS database. The primary use for this option is to allow the dynamic update of external name resolution databases such as @@ -6369,17 +6379,17 @@ wins hook (G) addresses currently registered for that name. If this list is empty then the name should be deleted.

    An example script that calls the BIND dynamic DNS update program nsupdate is provided in the examples - directory of the Samba source code.

    No default

    + directory of the Samba source code.

    No default

    wins proxy (G) -

    This is a boolean that controls if nmbd(8) will respond to broadcast name +

    This is a boolean that controls if nmbd(8) will respond to broadcast name queries on behalf of other hosts. You may need to set this to yes for some older clients.

    Default: wins proxy = no -

    +

    wins server (G) -

    This specifies the IP address (or DNS name: IP +

    This specifies the IP address (or DNS name: IP address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on your network then you should set this to the WINS server's IP.

    You should point this at your WINS server if you have a multi-subnetted network.

    If you want to work in multiple namespaces, you can @@ -6398,19 +6408,19 @@ wins server (G)

    Example: wins server = 192.9.200.1 192.168.2.61 -

    +

    wins support (G) -

    This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should +

    This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should not set this to yes unless you have a multi-subnetted network and you wish a particular nmbd to be your WINS server. Note that you should NEVER set this to yes on more than one machine in your network.

    Default: wins support = no -

    +

    workgroup (G) -

    This controls what workgroup your server will +

    This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain @@ -6418,18 +6428,18 @@ workgroup (G)

    Example: workgroup = MYGROUP -

    +

    writable -

    This parameter is a synonym for writeable.

    +

    This parameter is a synonym for writeable.

    writeable (S) -

    Inverted synonym for read only.

    Default: writeable = no +

    Inverted synonym for read only.

    Default: writeable = no -

    +

    write cache size (S) -

    If this integer parameter is set to non-zero value, +

    If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file (it does not do this for non-oplocked files). All writes that the client does not request @@ -6447,10 +6457,10 @@ write cache size (S)

    Example: write cache size = 262144 # for a 256k cache size per file -

    +

    write list (S) -

    +

    This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to. The list can @@ -6465,17 +6475,17 @@ write list (S)

    Example: write list = admin, root, @staff -

    +

    write raw (G) -

    This parameter controls whether or not the server +

    This parameter controls whether or not the server will support raw write SMB's when transferring data from clients. You should never need to change this parameter.

    Default: write raw = yes -

    +

    wtmp directory (G) -

    +

    This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact @@ -6487,7 +6497,7 @@ wtmp directory (G)

    Example: wtmp directory = /var/log/wtmp -

    WARNINGS

    +

    WARNINGS

    Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.

    @@ -6500,8 +6510,8 @@ wtmp directory (G) for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct. -

    VERSION

    This man page is correct for version 3 of the Samba suite.

    SEE ALSO

    - samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).

    AUTHOR

    +

    VERSION

    This man page is correct for version 3 of the Samba suite.

    SEE ALSO

    + samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).

    AUTHOR

    The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

    -- cgit v1.2.3