ok</em></span> parameter means access will be permitted as the default guest user (specified elsewhere):
</p><pre class="programlisting">
<em class="parameter"><code>[aprinter]</code></em>
<a class="indexterm" name="id2450854"></a>path = /usr/spool/public
<a class="indexterm" name="id2450861"></a>read only = yes
<a class="indexterm" name="id2450868"></a>printable = yes
<a class="indexterm" name="id2450876"></a>guest ok = yes
</pre><p>
</p></div><div class="refsect1" lang="en"><a name="id2450886"></a><h2>SPECIAL SECTIONS</h2><div class="refsect2" lang="en"><a name="id2450892"></a><h3>The [global] section</h3><p>
Parameters in this section apply to the server as a whole, or are defaults for sections that do not
specifically define certain items. See the notes under PARAMETERS for more information.
</p></div><div class="refsect2" lang="en"><a name="HOMESECT"></a><h3>The [homes] section</h3><p>
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use
<code class="literal">printcap name = lpstat</code> to automatically obtain a list of printers. See the
<code class="literal">printcap name</code> option for more details.
</p></div></div></div><div class="refsect1" lang="en"><a name="id2488859"></a><h2>USERSHARES</h2><p>Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete
their own share definitions has been added. This capability is called <span class="emphasis"><em>usershares</em></span> and
is controlled by a set of parameters in the <em class="parameter"><code></code></em> section of the smb.conf.
The relevant parameters are:
</p><div class="variablelist"><dl><dt><span class="term">usershare allow guests</span></dt><dd><p>Controls if usershares can permit guest access.</p></dd><dt><span class="term">usershare max shares</span></dt><dd><p>Maximum number of user defined shares allowed.</p></dd><dt><span class="term">usershare owner only</span></dt><dd><p>If set, only directories owned by the sharing user can be shared.</p></dd><dt><span class="term">usershare path</span></dt><dd><p>Points to the directory containing the user defined share definitions.
The filesystem permissions on this directory control who can create user defined shares.</p></dd><dt><span class="term">usershare prefix allow list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories
can be shared. Only directories below the pathnames in this list are permitted.</p></dd><dt><span class="term">usershare prefix deny list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories
can be shared. Directories below the pathnames in this list are prohibited.</p></dd><dt><span class="term">usershare template share</span></dt><dd><p>Names a pre-existing share used as a template for creating new usershares.
All other share parameters not specified in the user defined share definition
are copied from this named share.</p></dd></dl></div><p>To allow members of the UNIX group <code class="literal">foo</code> to create user defined
shares, create the directory to contain the share definitions as follows:
</p><p>Become root:</p><pre class="programlisting">
mkdir /usr/local/samba/lib/usershares
chgrp foo /usr/local/samba/lib/usershares
chmod 1770 /usr/local/samba/lib/usershares
</pre><p>Then add the parameters
</p><pre class="programlisting">
<a class="indexterm" name="id2489007"></a>usershare path = /usr/local/samba/lib/usershares
<a class="indexterm" name="id2489015"></a>usershare max shares = 10 # (or the desired number of shares)
</pre><p>
section of your <code class="filename">smb.conf</code>. Members of the group foo may then manipulate the user defined shares
using the following commands.</p><div class="variablelist"><dl><dt><span class="term">net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]</span></dt><dd><p>To create or modify (overwrite) a user defined share.</p></dd><dt><span class="term">net usershare delete sharename</span></dt><dd><p>To delete a user defined share.</p></dd><dt><span class="term">net usershare list wildcard-sharename</span></dt><dd><p>To list user defined shares.</p></dd><dt><span class="term">net usershare info wildcard-sharename</span></dt><dd><p>To print information about user defined shares.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id2489086"></a><h2>PARAMETERS</h2><p>Parameters define the specific attributes of sections.</p><p>
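The recipe above (a mode 1770 directory owned by the sharing group, plus the usershare parameters) is easy to get subtly wrong, and the prefix allow/deny lists decide which directories a user may expose at all. The Python below is an added example written for this page, not Samba's own code: it reads the usershare parameters from a constructed smb.conf fragment with a deliberately small config reader, applies the allow/deny prefix rules to candidate directories (deny-first precedence, an empty allow list meaning "anything not denied", and symlink resolution via realpath are this example's assumptions, not documented Samba behaviour), and audits the usershares directory against the mkdir/chgrp/chmod 1770 recipe.

```python
import os
import stat
import tempfile

# Constructed smb.conf fragment for this example; the values are not from a real server.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    usershare path = /usr/local/samba/lib/usershares
    usershare max shares = 10 # (or the desired number of shares)
    usershare owner only = yes
    usershare prefix allow list = /srv/projects, /home
    usershare prefix deny list = /home/admin
"""


def parse_usershare_params(conf_text):
    """Collect the 'usershare ...' parameters from the [global] section.

    A small reader for this example, not Samba's parser: 'key = value' lines only,
    key case and spacing normalised, trailing '#' comment stripped.
    """
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())
        if key.startswith("usershare "):
            params[key] = value
    return params


def split_list(value):
    """Comma-separated list parameter -> list of entries ('' -> [])."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_below(path, prefix):
    """True when path is prefix itself or lies below it on a path-component boundary."""
    # A plain string-prefix test gets this wrong: /srv/projects-old is not below /srv/projects.
    return os.path.commonpath([path, prefix]) == prefix


def share_path_permitted(path, params):
    """Apply the prefix allow/deny lists to a candidate share directory (assumptions in the lead-in)."""
    real = os.path.realpath(path)  # resolve symlinks so a link cannot escape an allowed tree
    allow = [os.path.realpath(p) for p in split_list(params.get("usershare prefix allow list", ""))]
    deny = [os.path.realpath(p) for p in split_list(params.get("usershare prefix deny list", ""))]
    if any(is_below(real, d) for d in deny):
        return False
    if allow and not any(is_below(real, a) for a in allow):
        return False
    return True


def audit_usershare_dir(path, expected_gid):
    """Compare the usershares directory with the mkdir/chgrp/chmod 1770 recipe; [] means it matches."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_gid != expected_gid:
        findings.append("group owner is gid %d, expected %d" % (st.st_gid, expected_gid))
    if mode & stat.S_IRWXO:
        findings.append("'other' has access (mode %o): anyone could add share definitions" % mode)
    if not mode & stat.S_ISVTX:
        findings.append("sticky bit missing: users could remove each other's share definitions")
    if mode != 0o1770:
        findings.append("mode is %o, expected 1770" % mode)
    return findings


def demo_audit():
    """Scratch directory: audit it with the recipe's mode, then world-writable without the sticky bit."""
    scratch = tempfile.mkdtemp()
    try:
        os.chmod(scratch, 0o1770)
        good = audit_usershare_dir(scratch, os.stat(scratch).st_gid)
        os.chmod(scratch, 0o777)
        bad = audit_usershare_dir(scratch, os.stat(scratch).st_gid)
        return good, bad
    finally:
        os.rmdir(scratch)


if __name__ == "__main__":
    conf = parse_usershare_params(SAMPLE_SMB_CONF)
    for candidate in ("/srv/projects/team-a", "/srv/projects-old", "/home/alice", "/home/admin/keys", "/etc"):
        print("%-22s %s" % (candidate, "permitted" if share_path_permitted(candidate, conf) else "refused"))
    print(demo_audit())
```

The component-boundary test in `is_below` is the part worth copying: a prefix list checked with plain string matching would let `/srv/projects-old` through as if it were under `/srv/projects`.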
Some parameters are specific to the [global] section (e.g., <span class="emphasis"><em>security</em></span>). Some parameters
are usable in all sections (e.g., <span class="emphasis"><em>create mask</em></span>). All others are permissible only in normal
sections. For the purposes of the following descriptions the [homes] and [printers] sections will be
</p></dd><dt><span class="term">default case = upper/lower</span></dt><dd><p>
controls what the default case is for new filenames (i.e. files that don't currently exist in the filesystem).
Default <span class="emphasis"><em>lower</em></span>. IMPORTANT NOTE: This option will be used to modify the case of
<span class="emphasis"><em>all</em></span> incoming client filenames, not just new filenames, if the options <a class="indexterm" name="id2498574"></a>case sensitive = yes, <a class="indexterm" name="id2498582"></a>preserve case = No,
<a class="indexterm" name="id2498589"></a>short preserve case = No are set. This change is needed as part of the
optimisations for directories containing large numbers of files.
</p></dd><dt><span class="term">preserve case = yes/no</span></dt><dd><p>
controls whether new files (i.e. files that don't currently exist in the filesystem) are created with the case
directory hierarchy in much the same way as Windows. This allows all members of a UNIX group to
control the permissions on a file or directory they have group ownership on.
</p><p>This parameter is best used with the <a class="indexterm" name="id2499084"></a>inherit owner option and also
on a share containing directories with the UNIX <span class="emphasis"><em>setgid bit</em></span> set
on them, which causes new files and directories created within it to inherit the group
ownership from the containing directory.
</p><p>This can be particularly useful to allow groups to manage their own security on a part
of the filesystem they have group ownership of, removing the bottleneck of having only
the user owner or superuser able to reset permissions.
</p><p>This parameter was introduced in Samba 3.0.20 and has been marked deprecated in Samba 3.0.23. The same behavior is now
implemented by the <em class="parameter"><code>dos filemode</code></em> option.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl group control</code></em> = no
</p></dd><dt><span class="term"><a name="ACLMAPFULLCONTROL"></a>acl map full control (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> maps a POSIX ACE entry of "rwx" (read/write/execute),
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u
</p></dd><dt><span class="term"><a name="ADDPORTCOMMAND"></a>add port command (G)</span></dt><dd><p>Samba 3.0.23 introduces support for adding printer ports
remotely using the Windows "Add Standard TCP/IP Port Wizard".
This option defines an external program to be executed when
smbd receives a request to add a new Port to the system.
The script is passed two parameters:
</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>port name</code></em></p></li><li><p><em class="parameter"><code>device URI</code></em></p></li></ul></div><p>The device URI is in the form of socket://&lt;hostname&gt;[:&lt;portnumber&gt;]
or lpd://&lt;hostname&gt;/&lt;queuename&gt;.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add port command</code></em> =
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add port command</code></em> = /etc/samba/scripts/addport.sh
</p></dd><dt><span class="term"><a name="ADDPRINTERCOMMAND"></a>add printer command (G)</span></dt><dd><p>With the introduction of MS-RPC based printing
support for Windows NT/2000 clients in Samba 2.2, the MS Add
Printer Wizard (APW) icon is now also available in the
<span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.
</p><p>In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to
<a class="indexterm" name="id2537408"></a>security = share and <a class="indexterm" name="id2537416"></a>add user script
must be set to a full pathname for a script that will create a UNIX user given one argument of
<em class="parameter"><code>%u</code></em>, which expands into the UNIX user name to create.
</p><p>When the Windows user attempts to access the Samba server, at login (session setup in
the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <a class="indexterm" name="id2537444"></a>password server
and attempts to authenticate the given user with the given password. If the authentication
succeeds then <span><strong class="command">smbd</strong></span> attempts to find a UNIX user in the UNIX
password database to map the Windows user into. If this lookup fails, and
<a class="indexterm" name="id2537462"></a>add user script is set then <span><strong class="command">smbd</strong></span> will
call the specified script <span class="emphasis"><em>AS ROOT</em></span>, expanding any
<em class="parameter"><code>%u</code></em> argument to be the user name to create.
to limit what interfaces on a machine will serve SMB requests. It
affects file service <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and name service <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> in slightly different ways.</p><p>
For name service it causes <span><strong class="command">nmbd</strong></span> to bind to ports 137 and 138 on the
interfaces listed in the <a class="indexterm" name="id2538294"></a>interfaces parameter. <span><strong class="command">nmbd</strong></span>
also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of
reading broadcast messages. If this option is not set then <span><strong class="command">nmbd</strong></span> will
service name requests on all of these sockets. If <a class="indexterm" name="id2538316"></a>bind interfaces only is set then
<span><strong class="command">nmbd</strong></span> will check the source address of any packets coming in on the
broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the
<a class="indexterm" name="id2538333"></a>interfaces parameter list. As unicast packets are received on the other sockets it
allows <span><strong class="command">nmbd</strong></span> to refuse to serve names to machines that send packets that
arrive through any interfaces not listed in the <a class="indexterm" name="id2538349"></a>interfaces list. IP source address
spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
<span><strong class="command">nmbd</strong></span>.
</p><p>For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id2538377"></a>interfaces parameter. This restricts the networks that <span><strong class="command">smbd</strong></span> will
serve to packets coming in those interfaces. Note that you should not use this parameter for machines that
are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with
non-permanent interfaces.
</p><p>If <a class="indexterm" name="id2538398"></a>bind interfaces only is set then unless the network address
<span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id2538410"></a>interfaces parameter list
<a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and
<a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as
expected due to the reasons covered below.
</p><p>To change a user's SMB password, <span><strong class="command">smbpasswd</strong></span> by default connects to the
<span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If
<a class="indexterm" name="id2538450"></a>bind interfaces only is set, then unless the network address
<span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id2538462"></a>interfaces parameter list, <span><strong class="command">smbpasswd</strong></span> will fail to connect in its default mode. <span><strong class="command">smbpasswd</strong></span> can be forced to use the primary IP interface of the local host by using
its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> <em class="parameter"><code>-r <em class="replaceable"><code>remote machine</code></em></code></em> parameter, with <em class="replaceable"><code>remote
machine</code></em> set to the IP name of the primary interface of the local host.
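A model of the source-address check the text describes for nmbd's broadcast sockets, as an added example in Python (not Samba code). The interfaces value is given here as address/netmask entries only (Samba also accepts device names, which this example does not resolve), and reading "match the broadcast addresses of the interfaces" as "the source address lies within a listed interface's network" is this example's assumption. Both the interfaces value and the datagrams are constructed. Because the decision rests solely on the source field of the IP header, which the sender fills in, a forged source inside a listed network passes, which is the reason the text says the check is not a security feature.

```python
import ipaddress

# Constructed interfaces value in the address/netmask and address/prefix forms.
INTERFACES_VALUE = "192.168.1.10/255.255.255.0 10.0.5.2/24"

# Constructed name-service datagrams as (source address, description) pairs.
SAMPLE_DATAGRAMS = [
    ("192.168.1.55", "name query WORKGROUP"),
    ("10.0.5.77", "name query FILESRV"),
    ("172.16.9.4", "name query FILESRV"),      # arrived via an interface that is not listed
    ("192.168.1.200", "name query PRINTSRV"),
]


def parse_interfaces(value):
    """Turn the space-separated interfaces value into IPv4Interface objects."""
    return [ipaddress.ip_interface(entry) for entry in value.split()]


def broadcast_packet_accepted(src_ip, interfaces, bind_interfaces_only):
    """Model of the check nmbd applies on its 0.0.0.0 port 137/138 broadcast sockets.

    With the option off every datagram is served. With it on, a datagram is kept
    only when its source address lies inside the network of a listed interface.
    Only the IP header's source field is consulted, so a forged source inside a
    listed network is accepted: the check is a convenience, not an access control.
    """
    if not bind_interfaces_only:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in iface.network for iface in interfaces)


def filter_datagrams(datagrams, interfaces, bind_interfaces_only):
    """Split (src_ip, description) pairs into the lists nmbd would serve and discard."""
    served, discarded = [], []
    for src_ip, description in datagrams:
        if broadcast_packet_accepted(src_ip, interfaces, bind_interfaces_only):
            served.append((src_ip, description))
        else:
            discarded.append((src_ip, description))
    return served, discarded


if __name__ == "__main__":
    ifaces = parse_interfaces(INTERFACES_VALUE)
    for flag in (False, True):
        served, discarded = filter_datagrams(SAMPLE_DATAGRAMS, ifaces, flag)
        print("bind interfaces only = %s: served %d, discarded %s"
              % ("yes" if flag else "no", len(served), [s for s, _ in discarded]))
```

For smbd the option has real effect, since the daemon simply does not listen on unlisted interfaces; the filter above applies only to nmbd's broadcast sockets, which must stay bound to 0.0.0.0 to receive broadcasts at all.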
set to <code class="constant">yes</code>. You should never need to change
this.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>browse list</code></em> = yes
</p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames</span></dt><dd><p>This parameter is a synonym for case sensitive.</p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a class="indexterm" name="id2501267"></a>name mangling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>case sensitive</code></em> = no
</p></dd><dt><span class="term"><a name="CHANGENOTIFYTIMEOUT"></a>change notify timeout (S)</span></dt><dd><p>This SMB request allows a client to tell a server to
"watch" a particular directory for any changes and only reply to
the SMB request when a change has occurred. Such constant scanning of
a directory is expensive under UNIX, hence an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> daemon only performs such a scan
on each requested directory once every <em class="parameter"><code>change notify
timeout</code></em> seconds. Note that in 3.0.23 this has been changed to a
per-share parameter and setting this to zero prevents any change notify directory
scans completely on a share. This is to allow this parameter to be set to zero on
shares configured for very large directories, where a Windows client will re-scan
the entire directory after every delete operation (when deleting many files) due to
the change notify triggering. This is an extremely expensive operation on some
systems.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>change notify timeout</code></em> = 60
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>change notify timeout</code></em> = 300
# Would change the scan time to every 5 minutes.
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups options</code></em> = "raw,media=a4,job-sheets=secret,secret"
</p></dd><dt><span class="term"><a name="CUPSSERVER"></a>cups server (G)</span></dt><dd><p>
This parameter is only applicable if <a class="indexterm" name="id2540038"></a>printing is set to <code class="constant">cups</code>.
</p><p>If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is
necessary if you have virtual Samba servers that connect to different CUPS daemons.
</p><p>Optionally, a port can be specified by separating the server name
and port number with a colon. If no port is specified,
the default port for IPP (631) will be used.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = ""
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = mycupsserver
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = mycupsserver:1631
</p></dd><dt><span class="term"><a name="DEADTIME"></a>deadtime (G)</span></dt><dd><p>The value of the parameter (a decimal integer)
represents the number of minutes of inactivity before a connection
Samba is sometimes run as root and sometimes run as the connected user; this boolean parameter inserts the
current euid, egid, uid and gid into the timestamp message headers in the log file if turned on.
</p><p>Note that the parameter <a class="indexterm" name="id2540372"></a>debug timestamp must be on for this to have an effect.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug uid</code></em> = no
</p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a class="indexterm" name="id2540414"></a>name mangling.
Also note the <a class="indexterm" name="id2540421"></a>short preserve case parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default case</code></em> = lower
</p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a class="indexterm" name="id2540463"></a>printable services.
When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
server has a Device Mode which defines things such as paper size and
orientation and duplex settings. The device mode can only correctly be
possible to delete a printer at run time by issuing the
DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be
physically deleted from the underlying printing system. The
<a class="indexterm" name="id2540779"></a>deleteprinter command defines a script to be run which
will perform the necessary operations for removing the printer
from the print system and from <code class="filename">smb.conf</code>.
</p><p>The <a class="indexterm" name="id2540799"></a>deleteprinter command is
automatically called with only one parameter: <a class="indexterm" name="id2540807"></a>printer name.
</p><p>Once the <a class="indexterm" name="id2540818"></a>deleteprinter command has
been executed, <span><strong class="command">smbd</strong></span> will reparse the <code class="filename">
smb.conf</code> to check that the associated printer no longer exists.
If the sharename is still valid, then <span><strong class="command">smbd
</p></dd><dt><span class="term"><a name="DISPLAYCHARSET"></a>display charset (G)</span></dt><dd><p>Specifies the charset that Samba will use
to print messages to stdout and stderr, and that SWAT will use.
Should generally be the same as the <a class="indexterm" name="id2541784"></a>unix charset.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = ASCII
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = UTF8
</p></dd><dt><span class="term"><a name="DMAPISUPPORT"></a>dmapi support (S)</span></dt><dd><p>This parameter specifies whether Samba should use DMAPI to
determine whether a file is offline or not. This would typically
be used in conjunction with a hierarchical storage system that
automatically migrates files to tape.
</p><p>Note that Samba infers the status of a file by examining the
events that a DMAPI application has registered interest in. This
heuristic is satisfactory for a number of hierarchical storage
systems, but there may be systems for which it will fail. In this
case, Samba may erroneously report files to be offline.
</p><p>This parameter is only available if a supported DMAPI
implementation was found at compilation time. It will only be used
if DMAPI is found to be enabled on the system at run time.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dmapi support</code></em> = no
</p></dd><dt><span class="term"><a name="DNSPROXY"></a>dns proxy (G)</span></dt><dd><p>Specifies that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> when acting as a WINS server and
finding that a NetBIOS name has not been registered, should treat the
NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server
Tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to enable
WAN-wide browse list collation. Setting this option causes <span><strong class="command">nmbd</strong></span> to claim a
special domain specific NetBIOS name that identifies it as a domain master browser for its given
<a class="indexterm" name="id2542020"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id2542028"></a>workgroup on
broadcast-isolated subnets will give this <span><strong class="command">nmbd</strong></span> their local browse lists,
and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a
complete copy of the browse list for the whole wide area network. Browser clients will then contact their
local master browser, and will receive the domain-wide browse list, instead of just the list for their
broadcast-isolated subnet.
</p><p>Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id2542059"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
<a class="indexterm" name="id2542067"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
to do this). This means that if this parameter is set and <span><strong class="command">nmbd</strong></span> claims the
special name for a <a class="indexterm" name="id2542083"></a>workgroup before a Windows NT PDC is able to do so then cross
subnet browsing will behave strangely and may fail.
</p><p>If <a class="indexterm" name="id2542095"></a>domain logons = yes, then the default behavior is to enable the
<a class="indexterm" name="id2542103"></a>domain master parameter. If <a class="indexterm" name="id2542111"></a>domain logons is not enabled (the
default setting), then neither will <a class="indexterm" name="id2542119"></a>domain master be enabled by default.
</p><p>When <a class="indexterm" name="id2542130"></a>domain logons = Yes the default setting for this parameter is
Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id2542139"></a>domain master = No,
Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain master</code></em> = auto
able to change the permissions on it. However, this behavior
is often confusing to DOS/Windows users. Enabling this parameter
allows a user who has write access to the file (by whatever
means) to modify the permissions (including ACL) on it. Note that a user
belonging to the group owning the file will not be allowed to
change permissions if the group is only granted read access.
Ownership of the file/directory may also be changed.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filemode</code></em> = no
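The permission rule behind dos filemode, written out as an added Python example (not Samba code): the default UNIX rule lets only the owner (or root) change a file's mode, while dos filemode extends that to anyone who holds write access by whatever means, so a member of the owning group whose group bits are read-only is still refused, exactly as the note above says. The uid/gid values and the three accounts are constructed for the example.

```python
import stat

ROOT_UID = 0


def has_write_access(mode, owner_uid, owner_gid, uid, gids):
    """Classic UNIX write check: owner class, else group class, else 'other'."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def may_change_permissions(mode, owner_uid, owner_gid, uid, gids, dos_filemode):
    """Decide whether uid may change the permission bits of a file.

    dos filemode = no : the UNIX rule, only the owner (or root) may.
    dos filemode = yes: anyone with write access by whatever means may, so a group
                        member whose group bits are read-only is still refused.
    """
    if uid == ROOT_UID or uid == owner_uid:
        return True
    if not dos_filemode:
        return False
    return has_write_access(mode, owner_uid, owner_gid, uid, gids)


def who_can_chmod(mode, owner_uid, owner_gid, users, dos_filemode):
    """users maps name -> (uid, set of gids); returns the sorted names allowed to change the mode."""
    return sorted(name for name, (uid, gids) in users.items()
                  if may_change_permissions(mode, owner_uid, owner_gid, uid, gids, dos_filemode))


# Constructed accounts; the file in the demo is owned by uid 1000, gid 100.
USERS = {
    "alice": (1000, {1000, 100}),  # file owner
    "bob": (1001, {1001, 100}),    # member of the owning group
    "carol": (1002, {1002}),       # unrelated user
}

if __name__ == "__main__":
    for mode in (0o664, 0o644, 0o666):
        for flag in (False, True):
            print("mode %o, dos filemode = %-3s -> %s" % (
                mode, "yes" if flag else "no", who_can_chmod(mode, 1000, 100, USERS, flag)))
```

The 0o666 row is the one to keep in mind when reviewing a share: with dos filemode enabled, world-writable files let any connected user rewrite their permissions, not just the owner and the group.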
</p></dd><dt><span class="term"><a name="DOSFILETIMERESOLUTION"></a>dos filetime resolution (S)</span></dt><dd><p>Under the DOS and Windows FAT filesystem, the finest
granularity on time resolution is two seconds. Setting this parameter
behavior in smbd for many years. However, certain Microsoft applications
such as the Print Migrator tool require that the remote server support
an [ADMIN$] file share. Disabling this parameter allows for creating
an [ADMIN$] file share in smb.conf.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enable asu support</code></em> = no
</p></dd><dt><span class="term"><a name="ENABLEPRIVILEGES"></a>enable privileges (G)</span></dt><dd><p>
This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
<span><strong class="command">net rpc rights</strong></span> or one of the Windows user and group manager tools. This parameter is
enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to
assign privileges to users or groups which can then result in certain smbd operations running as root that
would normally run under the context of the connected user.
</p><p>An example of how privileges can be used is to assign the right to join clients to a Samba controlled
domain without providing root access to the server via smbd.
</p><p>Please read the extended description provided in the Samba HOWTO documentation.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enable privileges</code></em> = yes
</p></dd><dt><span class="term"><a name="ENABLERIDALGORITHM"></a>enable rid algorithm (G)</span></dt><dd><p>This option is used to control whether or not smbd in Samba 3.0 should fall back
to the algorithm used by Samba 2.2 to generate user and group RIDs. The long-term
development goal is to remove the algorithmic mappings of RIDs altogether, but
this has proved to be difficult. This parameter is mainly provided so that
developers can turn the algorithm on and off and see what breaks. This parameter
should not be disabled by non-developers because certain features in Samba will fail.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enable rid algorithm</code></em> = yes
</p></dd><dt><span class="term"><a name="ENCRYPTPASSWORDS"></a>encrypt passwords (G)</span></dt><dd><p>This boolean controls whether encrypted passwords
will be negotiated with the client. Note that Windows NT 4.0 SP3 and
files read-write at the same time you can get data corruption. Use
this option carefully!</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fake oplocks</code></em> = no
</p></dd><dt><span class="term"><a name="FAMCHANGENOTIFY"></a>fam change notify (G)</span></dt><dd><p>This parameter specifies whether Samba should ask the
FAM daemon for change notifications in directories so that
SMB clients can refresh whenever the data on the server changes.
</p><p>This parameter is only used when your system supports
change notification to user programs, using the FAM daemon. If the FAM
daemon is not running, this parameter is automatically disabled. The
<em class="parameter"><code>kernel change notify</code></em>
parameter will take precedence if it is also enabled.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fam change notify</code></em> = yes
</p></dd><dt><span class="term"><a name="FOLLOWSYMLINKS"></a>follow symlinks (S)</span></dt><dd><p>
This parameter allows the Samba administrator to stop <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> from following symbolic links in a particular share. Setting this
parameter to <code class="constant">no</code> prevents any file or directory that is a symbolic link from being
</p></dd><dt><span class="term"><a name="GETWDCACHE"></a>getwd cache (G)</span></dt><dd><p>This is a tuning option. When this is enabled a
caching algorithm will be used to reduce the time taken for getwd()
calls. This can have a significant impact on performance, especially
when the <a class="indexterm" name="id2544069"></a>wide links parameter is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>getwd cache</code></em> = yes
</p></dd><dt><span class="term"><a name="GUESTACCOUNT"></a>guest account (G)</span></dt><dd><p>This is a username which will be used for access
to services which are specified as <a class="indexterm" name="id2544115"></a>guest ok (see below). Whatever privileges this
user has will be available to any client connecting to the guest service.
This user must exist in the password file, but does not require
a valid login. The user account "ftp" is often a good choice
</p></dd><dt><span class="term"><a name="PUBLIC"></a>public</span></dt><dd><p>This parameter is a synonym for guest ok.</p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for
a service, then no password is required to connect to the service.
Privileges will be those of the <a class="indexterm" name="id2544231"></a>guest account.</p><p>This parameter nullifies the benefits of setting
<a class="indexterm" name="id2544242"></a>restrict anonymous = 2.
</p><p>See the section below on <a class="indexterm" name="id2544253"></a>security for more information about this option.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest ok</code></em> = no
</p></dd><dt><span class="term"><a name="ONLYGUEST"></a>only guest</span></dt><dd><p>This parameter is a synonym for guest only.</p></dd><dt><span class="term"><a name="GUESTONLY"></a>guest only (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for
a service, then only guest connections to the service are permitted.
This parameter will have no effect if <a class="indexterm" name="id2544321"></a>guest ok is not set for the service.</p><p>See the section below on <a class="indexterm" name="id2544332"></a>security for more information about this option.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest only</code></em> = no
</p></dd><dt><span class="term"><a name="HIDEDOTFILES"></a>hide dot files (S)</span></dt><dd><p>This is a boolean parameter that controls whether
list takes precedence.</p><p>
In the event that it is necessary to deny all by default, use the keyword
ALL (or the netmask <code class="literal">0.0.0.0/0</code>) and then explicitly specify
to the <a class="indexterm" name="id2545058"></a>hosts allow parameter those hosts
that should be permitted access.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> =
# none (i.e., no hosts specifically excluded)
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> = 150.203.4. badhost.mynet.edu.au
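The evaluation order of the two host lists, as an added Python model that is not Samba's own code: with both lists set a match in hosts allow wins over hosts deny and a client on neither list is admitted, and the pattern forms are the ones the page's examples use (ALL, a network/mask such as 0.0.0.0/0, a trailing-dot address prefix such as 150.203.4., a full address, a host name and a .domain suffix). EXCEPT clauses and IPv6 are left out, and the sample addresses and names are constructed.

```python
"""Model of Samba's hosts allow / hosts deny evaluation (added example, not
Samba's own code). Pattern forms covered: ALL, network/mask (0.0.0.0/0,
10.0.0.0/8), trailing-dot IPv4 prefix (150.203.4.), a full IPv4 address, a host
name and a .domain suffix. EXCEPT clauses and IPv6 are not modelled."""
import ipaddress


def _in_network(ip, network):
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)
    except ValueError:
        return False


def pattern_matches(pattern, ip, hostname):
    """True when one token of an allow/deny list matches the connecting client."""
    p = pattern.strip()
    if p.upper() == "ALL":
        return True
    if "/" in p:                                   # network/mask form
        return _in_network(ip, p)
    digits_only = p.replace(".", "").isdigit()
    if p.endswith(".") and digits_only:            # 150.203.4. covers 150.203.4.0-255
        return ip.startswith(p)
    if digits_only:                                # a single IPv4 address
        return ip == p
    if p.startswith("."):                          # .mynet.edu.au: any host in the domain
        return hostname.lower().endswith(p.lower())
    return hostname.lower() == p.lower()           # exact host name


def _any_match(tokens, ip, hostname):
    return any(pattern_matches(t, ip, hostname) for t in tokens)


def allow_access(hosts_allow, hosts_deny, ip, hostname):
    """Decide admission the way smb.conf(5) describes: with both lists set, a
    match in hosts allow wins over hosts deny, and a client on neither list is
    admitted; with only one list set, that list alone decides."""
    allow = hosts_allow.replace(",", " ").split()
    deny = hosts_deny.replace(",", " ").split()
    if not allow and not deny:
        return True                                  # no lists: everyone admitted
    if not deny:
        return _any_match(allow, ip, hostname)       # allow list only
    if not allow:
        return not _any_match(deny, ip, hostname)    # deny list only
    if _any_match(allow, ip, hostname):              # allow takes precedence
        return True
    if _any_match(deny, ip, hostname):
        return False
    return True                                      # on neither list


if __name__ == "__main__":
    # Deny-by-default recipe from the page: deny ALL, then name the permitted hosts.
    strict_allow, strict_deny = "192.168.1. 10.0.0.5", "ALL"
    print(allow_access(strict_allow, strict_deny, "192.168.1.20", "pc1"))   # True
    print(allow_access(strict_allow, strict_deny, "203.0.113.9", "other"))  # False
    # The page's hosts deny example on its own: everything not listed is admitted.
    deny_only = "150.203.4. badhost.mynet.edu.au"
    print(allow_access("", deny_only, "150.203.4.7", "h7"))                 # False
    print(allow_access("", deny_only, "198.51.100.2", "badhost.mynet.edu.au"))  # False
    print(allow_access("", deny_only, "198.51.100.2", "ok.mynet.edu.au"))   # True
```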
</p></dd><dt><span class="term"><a name="HOSTSEQUIV"></a>hosts equiv (G)</span></dt><dd><p>If this global parameter is a non-null string,
it specifies the name of a file to read for the names of hosts
and users who will be allowed access without specifying a password.
</p><p>This is not to be confused with <a class="indexterm" name="id2507440"></a>hosts allow which is about hosts
access to services and is more useful for guest services. <em class="parameter"><code>
hosts equiv</code></em> may be useful for NT clients which will
not supply passwords to Samba.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The use of <em class="parameter"><code>hosts equiv
</code></em> can be a major security hole. This is because you are
trusting the PC to supply the correct username. It is very easy to
get a PC to supply a false username. I recommend that the
<em class="parameter"><code>hosts equiv</code></em> option be only used if you really
know what you are doing, or perhaps on a home network where you trust
your spouse and kids. And only if you <span class="emphasis"><em>really</em></span> trust
them :-).</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts equiv</code></em> =
# no host equivalences
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hosts equiv</code></em> = /etc/hosts.equiv
</p></dd><dt><span class="term"><a name="IDMAPBACKEND"></a>idmap backend (G)</span></dt><dd><p>
The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap
tdb file to obtain SID to UID / GID mappings for unmapped SIDs, but instead to obtain them from a common
LDAP backend. This way all domain members and controllers will have the same UID and GID
to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux
systems that are sharing information over protocols other than SMB/CIFS (ie: NFS).
</p><p>An alternate method of SID to UID / GID mapping can be achieved using the rid
plug-in. This plug-in uses the account RID to derive the UID and GID by adding the
RID to a base value specified. This utility requires that the parameter
“<span class="quote">allow trusted domains = No</span>” must be specified, as it is not compatible
with multiple domain environments. The idmap uid and idmap gid ranges must also be
Finally, using the ad module, the UID and GID can directly
be retrieved from an Active Directory LDAP Server that supports an
RFC2307 compliant LDAP schema. ad supports "Services for Unix"
(SFU) version 2.x and 3.0.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap backend</code></em> =
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap backend</code></em> = ldap:ldap://ldapslave.example.com
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap backend</code></em> = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap backend</code></em> = ad
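How the rid plug-in turns the value shown in the examples into UNIX ids, as an added Python model that is not Samba's code: it parses the rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000" form (and the older idmap_rid: spelling), adds the account RID to the low end of the domain's range (the page says the RID is added to a base value; using the range's low bound as that base is an assumption), reports ids that would fall past the range's high end or belong to an unconfigured domain as unmapped, and flags overlapping ranges. The domain SIDs are constructed sample values.

```python
"""Model of the rid idmap plug-in described above (added example, not Samba's
code). The base added to each RID is assumed to be the low end of the domain's
configured range; out-of-range or foreign-domain SIDs are reported as unmapped."""
from itertools import combinations


def parse_rid_backend(value):
    """Parse 'rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"' (or the older
    idmap_rid: spelling without quotes) into {DOMAIN: (low, high)}."""
    backend, _, spec = value.partition(":")
    if backend.strip() not in ("rid", "idmap_rid"):
        raise ValueError("not a rid backend value: %r" % value)
    ranges = {}
    for item in spec.strip().strip('"').split(","):
        name, _, bounds = item.partition("=")
        low, _, high = bounds.partition("-")
        if not (name.strip() and low.isdigit() and high.isdigit()):
            raise ValueError("malformed range: %r" % item)
        low, high = int(low), int(high)
        if low > high:
            raise ValueError("low bound above high bound in %r" % item)
        ranges[name.strip().upper()] = (low, high)
    return ranges


def split_sid(sid):
    """'S-1-5-21-1-2-3-1105' -> ('S-1-5-21-1-2-3', 1105); the RID is the last component."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError("malformed SID: %r" % sid)
    return domain, int(rid)


def sid_to_unix_id(sid, ranges, domain_sids):
    """Return low + RID for the SID's domain, or None when the domain is not
    configured (allow trusted domains = No: foreign SIDs stay unmapped) or the
    result would fall past the range's high end."""
    domain, rid = split_sid(sid)
    name = domain_sids.get(domain)
    if name is None or name not in ranges:
        return None
    low, high = ranges[name]
    unix_id = low + rid
    return unix_id if unix_id <= high else None


def overlapping_ranges(ranges):
    """Domain pairs whose ranges overlap: a misconfiguration, since two
    different SIDs would then resolve to the same UID/GID."""
    pairs = combinations(sorted(ranges.items()), 2)
    return [(a, b) for (a, (al, ah)), (b, (bl, bh)) in pairs if al <= bh and bl <= ah]


if __name__ == "__main__":
    ranges = parse_rid_backend('rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"')
    # Constructed sample domain SIDs; S-1-5-32 is the well-known BUILTIN domain.
    domain_sids = {"S-1-5-32": "BUILTIN", "S-1-5-21-11111-22222-33333": "DOMNAME"}
    for sid in ("S-1-5-21-11111-22222-33333-1105",  # a domain account -> 3105
                "S-1-5-32-544",                      # BUILTIN\Administrators -> 1544
                "S-1-5-32-1500",                     # past BUILTIN's high end -> None
                "S-1-5-21-9-9-9-1000"):              # unconfigured domain -> None
        print(sid, "->", sid_to_unix_id(sid, ranges, domain_sids))
    print("overlaps:", overlapping_ranges({"A": (1000, 1999), "B": (1500, 2500)}))
```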
</p></dd><dt><span class="term"><a name="WINBINDGID"></a>winbind gid</span></dt><dd><p>This parameter is a synonym for idmap gid.</p></dd><dt><span class="term"><a name="IDMAPGID"></a>idmap gid (G)</span></dt><dd><p>The idmap gid parameter specifies the range of group ids that are allocated for
the purpose of mapping UNIX groups to NT group SIDs. This range of group ids should have no
roaming profile directory are actually owned by the user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit owner</code></em> = no
</p></dd><dt><span class="term"><a name="INHERITPERMISSIONS"></a>inherit permissions (S)</span></dt><dd><p>
The permissions on new files and directories are normally governed by <a class="indexterm" name="id2545507"></a>create mask,
<a class="indexterm" name="id2545513"></a>directory mask, <a class="indexterm" name="id2545521"></a>force create mode and <a class="indexterm" name="id2545528"></a>force directory mode but the boolean inherit permissions parameter overrides this.
</p><p>New directories inherit the mode of the parent directory,
including bits such as setgid.</p><p>
New files inherit their read/write bits from the parent directory. Their execute bits continue to be
determined by <a class="indexterm" name="id2545547"></a>map archive, <a class="indexterm" name="id2545554"></a>map hidden and <a class="indexterm" name="id2545562"></a>map system as usual.
</p><p>Note that the setuid bit is <span class="emphasis"><em>never</em></span> set via
inheritance (the code explicitly prohibits this).</p><p>This can be particularly useful on large systems with
many users, perhaps several thousand, to allow a single [homes]
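The inheritance rules above worked through as bit operations, as an added Python example that is not Samba's own code: directories copy the parent's mode with setgid kept and setuid always stripped, files copy only the parent's read/write bits, and the execute bits come from the map archive/map hidden/map system flags. The mapping of those flags to the owner, other and group execute bits is assumed from those parameters' own definitions in smb.conf(5), not from this passage.

```python
"""Model of inherit permissions = yes (added example, not Samba's own code).

The execute-bit mapping (map archive -> owner x, map system -> group x,
map hidden -> other x) is assumed from those parameters' definitions, not
from the inherit permissions passage itself."""
import stat

RW_BITS = (stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP
           | stat.S_IROTH | stat.S_IWOTH)


def new_dir_mode(parent_mode):
    """A new directory takes the parent's whole permission mode, setgid included;
    setuid is never inherited. File-type bits of a full st_mode are discarded."""
    return stat.S_IMODE(parent_mode) & ~stat.S_ISUID


def new_file_mode(parent_mode, archive=False, hidden=False, system=False):
    """A new file takes only the parent's read/write bits; its execute bits come
    from the DOS attribute flags, never from the parent (so setuid/setgid are
    dropped as well)."""
    mode = stat.S_IMODE(parent_mode) & RW_BITS
    if archive:
        mode |= stat.S_IXUSR
    if system:
        mode |= stat.S_IXGRP
    if hidden:
        mode |= stat.S_IXOTH
    return mode


def inherited_risks(parent_mode):
    """Bits on a share's parent directory that every child will carry under this
    parameter, which is what to audit instead of the (bypassed) masks."""
    mode = stat.S_IMODE(parent_mode)
    risks = []
    if mode & stat.S_IWOTH:
        risks.append("world-writable: every new file and directory is world-writable")
    if mode & stat.S_ISGID:
        risks.append("setgid: new directories keep group inheritance (by design)")
    if mode & stat.S_ISUID:
        risks.append("setuid on parent: stripped on inheritance, never propagated")
    return risks


if __name__ == "__main__":
    for parent in (0o2775, 0o6775, 0o777):
        print("parent %o -> dir %o, file %o, file+archive %o" % (
            parent, new_dir_mode(parent), new_file_mode(parent),
            new_file_mode(parent, archive=True)))
    print(inherited_risks(0o6777))
```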
tested as some other Samba code paths.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>large readwrite</code></em> = yes
</p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p>
The <a class="indexterm" name="id2546215"></a>ldap admin dn defines the Distinguished Name (DN) used by Samba to contact
the ldap server when retrieving user account information. The <a class="indexterm" name="id2546225"></a>ldap admin dn is used
in conjunction with the admin dn password stored in the <code class="filename">private/secrets.tdb</code>
file. See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>
man page for more information on how to accomplish this.
</p><p>The <a class="indexterm" name="id2546252"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id2546260"></a>ldap suffix is not appended to the <a class="indexterm" name="id2546267"></a>ldap admin dn.
</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p>This parameter specifies whether a delete
operation in the ldapsam deletes the complete entry or only the attributes
specific to Samba.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap delete dn</code></em> = no
</p></dd><dt><span class="term"><a name="LDAPGROUPSUFFIX"></a>ldap group suffix (G)</span></dt><dd><p>This parameter specifies the suffix that is
used for groups when these are added to the LDAP directory.
If this parameter is unset, the value of <a class="indexterm" name="id2546340"></a>ldap suffix will be used instead. The suffix string is pre-pended to the
<a class="indexterm" name="id2546349"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> =
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> = ou=Groups
</p></dd><dt><span class="term"><a name="LDAPIDMAPSUFFIX"></a>ldap idmap suffix (G)</span></dt><dd><p>
This parameter specifies the suffix that is used when storing idmap mappings. If this parameter
is unset, the value of <a class="indexterm" name="id2546404"></a>ldap suffix will be used instead. The suffix
string is pre-pended to the <a class="indexterm" name="id2546412"></a>ldap suffix string so use a partial DN.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> =
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> = ou=Idmap
</p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p>
It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of
<a class="indexterm" name="id2546467"></a>ldap suffix will be used instead. The suffix string is pre-pended to the
<a class="indexterm" name="id2546475"></a>ldap suffix string so use a partial DN.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> =
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> = ou=Computers
and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password
change via SAMBA.
</p><p>The <a class="indexterm" name="id2546535"></a>ldap passwd sync can be set to one of three values:
</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Yes</code></em> = Try
to update the LDAP, NT and LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>No</code></em> = Update NT and
LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>Only</code></em> = Only update
the LDAP password and let the LDAP server do the rest.</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap passwd sync</code></em> = no
</p></dd><dt><span class="term"><a name="LDAPPORT"></a>ldap port (G)</span></dt><dd><p>
This parameter is only available if Samba has been configured to include the
<span><strong class="command">--with-ldapsam</strong></span> option at compile time.
</p><p>This option is used to control the tcp port number used to contact the
<a class="indexterm" name="id2509044"></a>ldap server. The default is to use the standard LDAPS port 636.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap port</code></em> = 636
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap port</code></em> = 389
</p></dd><dt><span class="term"><a name="LDAPREPLICATIONSLEEP"></a>ldap replication sleep (G)</span></dt><dd><p>
When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server.
This server then replicates our changes back to the 'local' server, however the replication might take some seconds,
counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that
are used to deal with user and group attributes lack such optimization.
</p><p>To make Samba scale well in large environments, the <a class="indexterm" name="id2546686"></a>ldapsam:trusted = yes
option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the
standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are
stored together with the POSIX data in the same LDAP object. If these assumptions are met,
<a class="indexterm" name="id2546699"></a>ldapsam:trusted = yes can be activated and Samba can completely bypass the
NSS system to query user information. Optimized LDAP queries can greatly speed up domain logon and
administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries
is easily achieved.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldapsam:trusted</code></em> = no
</p></dd><dt><span class="term"><a name="LDAPSERVER"></a>ldap server (G)</span></dt><dd><p>This parameter is only available if Samba has been
configured to include the <span><strong class="command">--with-ldapsam</strong></span>
option at compile time.</p><p>This parameter should contain the FQDN of the ldap directory
server which should be queried to locate user account information.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap server</code></em> = localhost
</p></dd><dt><span class="term"><a name="LDAPSSL"></a>ldap ssl (G)</span></dt><dd><p>This option is used to define whether or not Samba should
use SSL when connecting to the ldap server.
This is <span class="emphasis"><em>NOT</em></span> related to
Samba's previous SSL support which was enabled by specifying the
<span><strong class="command">--with-ssl</strong></span> option to the <code class="filename">configure</code>
script.</p><p>The <a class="indexterm" name="id2546767"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never
use SSL when querying the directory.</p></li><li><p><em class="parameter"><code>Start_tls</code></em> = Use
the LDAPv3 StartTLS extended operation (RFC2830) for
communicating with the directory server.</p></li><li><p><em class="parameter"><code>On</code></em> = Use SSL
on the ldaps port when contacting the <em class="parameter"><code>ldap server</code></em>. Only available when the
backwards-compatibility <span><strong class="command">--with-ldapsam</strong></span> option is specified
to configure. See <a class="indexterm" name="id2546826"></a>passdb backend.</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = start_tls
</p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</p><p>
The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id2546876"></a>ldap user suffix,
<a class="indexterm" name="id2546883"></a>ldap group suffix, <a class="indexterm" name="id2546890"></a>ldap machine suffix, and the
<a class="indexterm" name="id2546898"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
<a class="indexterm" name="id2546906"></a>ldap suffix.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> =
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> = dc=samba,dc=org
If set to <code class="constant">no</code> Samba will never produce these
broadcasts. If set to <code class="constant">yes</code> Samba will produce
Lanman announce broadcasts at a frequency set by the parameter
<a class="indexterm" name="id2547186"></a>lm interval. If set to <code class="constant">auto</code>
Samba will not send Lanman announce broadcasts by default but will
listen for them. If it hears such a broadcast on the wire it will
then start sending them at a frequency set by the parameter
<a class="indexterm" name="id2547200"></a>lm interval.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = auto
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = yes
</p></dd><dt><span class="term"><a name="LMINTERVAL"></a>lm interval (G)</span></dt><dd><p>If Samba is set to produce Lanman announce
broadcasts needed by OS/2 clients (see the
<a class="indexterm" name="id2547254"></a>lm announce parameter) then this
parameter defines the frequency in seconds with which they will be
made. If this is set to zero then no Lanman announcements will be
made despite the setting of the <a class="indexterm" name="id2547264"></a>lm announce
parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = 60
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = 120
</p></dd><dt><span class="term"><a name="LOADPRINTERS"></a>load printers (G)</span></dt><dd><p>A boolean variable that controls whether all
printers in the printcap will be loaded for browsing by default.
See the <a class="indexterm" name="id2547318"></a>printers section for
more details.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>load printers</code></em> = yes
</p></dd><dt><span class="term"><a name="LOCALMASTER"></a>local master (G)</span></dt><dd><p>This option allows <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to try and become a local master browser
CDROM drives), although setting this parameter to <code class="constant">no</code>
is not really recommended even in this case.</p><p>Be careful about disabling locking either globally or in a
specific service, as lack of locking may result in data corruption.
You should never need to set this parameter.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LOCKSPINCOUNT"></a>lock spin count (G)</span></dt><dd><p>This parameter has been made inoperative in Samba 3.0.24.
The functionality it controlled is now controlled by the parameter
<a class="indexterm" name="id2547606"></a>lock spin time.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin count</code></em> = 0
</p></dd><dt><span class="term"><a name="LOCKSPINTIME"></a>lock spin time (G)</span></dt><dd><p>The time in microseconds that smbd should
keep waiting to see if a failed lock request can
be granted. This parameter has changed in default
value from Samba 3.0.23 from 10 to 200. The associated
<a class="indexterm" name="id2547651"></a>lock spin count parameter is
no longer used in Samba 3.0.24. You should not need
to change the value of this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin time</code></em> = 200
2103
2137
</p></dd><dt><span class="term"><a name="LOGFILE"></a>log file (G)</span></dt><dd><p>
2104
2138
This option allows you to override the name of the Samba log file (also known as the debug file).
executed on the server host in order to restart or continue
printing or spooling a specific print job.</p><p>This command should be a program or script which takes
a printer name and job number to resume the print job. See
also the <a class="indexterm" name="id2511207"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name
is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with
the job number (an integer).</p><p>Note that it is good practice to include the absolute path
in the <em class="parameter"><code>lpresume command</code></em> as the PATH may not
be available to the server.</p><p>See also the <a class="indexterm" name="id2511245"></a>printing parameter.</p><p>Default: Currently no default value is given
to this string, unless the value of the <em class="parameter"><code>printing</code></em>
parameter is <code class="constant">SYSV</code>, in which case the default is :</p><p><span><strong class="command">lp -i %p-%j -H resume</strong></span></p><p>or if the value of the <em class="parameter"><code>printing</code></em> parameter
is <code class="constant">SOFTQ</code>, then the default is:</p><p><span><strong class="command">qstat -s -j%j -r</strong></span></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpresume command</code></em> = /usr/bin/lpalt %p-%j -p2
</em></span>
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lprm command</code></em> = determined by printing parameter
</em></span>
</p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>
If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id2511411"></a>security = domain parameter) then periodically a running smbd process will try and change
the MACHINE ACCOUNT PASSWORD stored in the TDB called <code class="filename">private/secrets.tdb
</code>. This parameter specifies how often this password will be changed, in seconds. The default is one
week (expressed in seconds), the same as a Windows NT Domain member server.
See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>,
and the <a class="indexterm" name="id2511441"></a>security = domain parameter.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>machine password timeout</code></em> = 604800
</em></span>
</p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p>
This parameter specifies the name of a file which will contain output created by a magic script (see the
<a class="indexterm" name="id2511483"></a>magic script parameter below).
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If two clients use the same <em class="parameter"><code>magic script
</code></em> in the same directory the output file content is undefined.
</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>magic output</code></em> = &lt;magic script name&gt;.out
</em></span>
any file it touches from becoming executable under UNIX. This can
be quite annoying for shared source code, documents, etc...
Note that this requires the <a class="indexterm" name="id2512097"></a>create mask parameter to be set such that owner
execute bit is not masked out (i.e. it must include 100). See the parameter
<a class="indexterm" name="id2512105"></a>create mask for details.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map archive</code></em> = yes
</em></span>
</p></dd><dt><span class="term"><a name="MAPHIDDEN"></a>map hidden (S)</span></dt><dd><p>
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
Note that this requires the <a class="indexterm" name="id2512152"></a>create mask to be set such that the world execute
bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id2512160"></a>create mask
</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="MAPREADONLY"></a>map read only (S)</span></dt><dd><p>
This controls how the DOS read only attribute should be mapped from a UNIX filesystem.
This parameter can take three different values, which tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> how to display the read only attribute on files, where either
<a class="indexterm" name="id2512208"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
present. If <a class="indexterm" name="id2512220"></a>store dos attributes is set to <code class="constant">yes</code> then this
parameter is <span class="emphasis"><em>ignored</em></span>. This is a new parameter introduced in Samba version 3.0.21.
</p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p>
<code class="constant">Yes</code> - The read only DOS attribute is mapped to the inverse of the user
is reported as being set on the file.
</p></li><li><p>
<code class="constant">No</code> - The read only DOS attribute is unaffected by permissions, and can only be set by
the <a class="indexterm" name="id2512283"></a>store dos attributes method. This may be useful for exporting mounted CDs.
</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>map read only</code></em> = yes
</em></span>
</p></dd><dt><span class="term"><a name="MAPSYSTEM"></a>map system (S)</span></dt><dd><p>
This controls whether DOS style system files should be mapped to the UNIX group execute bit.
Note that this requires the <a class="indexterm" name="id2512332"></a>create mask to be set such that the group
execute bit is not masked out (i.e. it must include 010). See the parameter
<a class="indexterm" name="id2512340"></a>create mask for details.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map system</code></em> = no
</em></span>
</p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id2512381"></a>SECURITY =
security modes other than <em class="parameter"><code>security = share</code></em>
- i.e. <code class="constant">user</code>, <code class="constant">server</code>,
and <code class="constant">domain</code>.</p><p>This parameter can take four different values, which tell
never need to change this parameter. The default is 3 days.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max ttl</code></em> = 259200
</em></span>
</p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server
(<a class="indexterm" name="id2513314"></a>wins support = yes) what the maximum
'time to live' of NetBIOS names that <span><strong class="command">nmbd</strong></span>
will grant will be (in seconds). You should never need to change this
parameter. The default is 6 days (518400 seconds).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max wins ttl</code></em> = 518400
</em></span>
</p></dd><dt><span class="term"><a name="MAXXMIT"></a>max xmit (G)</span></dt><dd><p>This option controls the maximum packet size
that will be negotiated by Samba. The default is 65535, which
is the maximum. In some cases you may find you get better performance
with a smaller value. A value below 2048 is likely to cause problems.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = 65535
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = 8192
</em></span>
</p></dd><dt><span class="term"><a name="MAXXMIT"></a>max xmit (G)</span></dt><dd><p>This option controls the maximum packet size
that will be negotiated by Samba. The default is 16644, which
matches the behavior of Windows 2000. A value below 2048 is likely to cause problems.
You should never need to change this parameter from its default value.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = 16644
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = 8192
</em></span>
</p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the
lowest SMB protocol dialect that Samba will support. Please refer
to the <a class="indexterm" name="id2513663"></a>max protocol
parameter for a list of valid protocol names and a brief description
of each. You may also wish to refer to the C source code in
<code class="filename">source/smbd/negprot.c</code> for a listing of known protocol
dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should
also refer to the <a class="indexterm" name="id2513685"></a>lanman auth parameter. Otherwise, you should never need
to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = CORE
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = NT1
</em></span>
</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
when acting as a WINS server (<a class="indexterm" name="id2513746"></a>wins support = yes) what the minimum 'time to live'
of NetBIOS names that <span><strong class="command">nmbd</strong></span> will grant will be (in
seconds). You should never need to change this parameter. The default
is 6 hours (21600 seconds).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min wins ttl</code></em> = 21600
</em></span>
it will be mounted on the Samba client directly from the directory
server. When Samba is returning the home share to the client, it
will consult the NIS map specified in
<a class="indexterm" name="id2514316"></a>homedir map and return the server
listed there.</p><p>Note that for this option to work there must be a working
NIS system and the Samba server with this option must also
be a logon server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nis homedir</code></em> = no
</em></span>
</p></dd><dt><span class="term"><a name="NTACLSUPPORT"></a>nt acl support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map
UNIX permissions into Windows NT access control lists. The UNIX
permissions considered are the traditional UNIX owner and
group permissions, as well as POSIX ACLs set on any files or
directories. This parameter was formerly a global parameter in
releases prior to 2.2.2.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt acl support</code></em> = yes
</em></span>
</p></dd><dt><span class="term"><a name="NTLMAUTH"></a>ntlm auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to
authenticate users using the NTLM encrypted password response.
client can supply a username to be used by the server. Enabling
this parameter will force the server to only use the login
names from the <em class="parameter"><code>user</code></em> list and is only really
useful in <a class="indexterm" name="id2514680"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce
usernames from the service name. This can be annoying for
the [homes] section. To get around this you could use <span><strong class="command">user =
%S</strong></span> which means your <em class="parameter"><code>user</code></em> list
will be just the service name, which for home directories is the
name of the user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>only user</code></em> = no
</em></span>
</p></dd><dt><span class="term"><a name="OPENFILESDATABASEHASHSIZE"></a>open files database hash size (G)</span></dt><dd><p>This parameter was added in Samba 3.0.23. This is an internal tuning parameter that sets
the hash size of the tdb used for the open file databases. The presence of this parameter
allows tuning of the system for very large (thousands of concurrent users) Samba setups.
The default setting of this parameter should be sufficient for most normal environments.
It is advised not to change this parameter unless advised to by a Samba Team member.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>open files database hash size</code></em> = 10007
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>open files database hash size</code></em> = 1338457
</em></span>
</p></dd><dt><span class="term"><a name="OPLOCKBREAKWAITTIME"></a>oplock break wait time (G)</span></dt><dd><p>
This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too
quickly when that client issues an SMB that can cause an oplock break request, then the network client can
this check, which involves deliberately attempting a
bad logon to the remote server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>paranoid server security</code></em> = yes
</em></span>
</p></dd><dt><span class="term"><a name="PASSDBBACKEND"></a>passdb backend (G)</span></dt><dd><p>This option allows the administrator to choose which backends
to retrieve and store passwords with. This allows (for example) both
smbpasswd and tdbsam to be used without a recompile. Multiple
backends can be specified, separated by spaces. The backends will be
searched in the order they are specified. New users are always added
to the first backend specified. </p><p>This parameter is in two parts, the backend's name, and a 'location'
string that has meaning only to that particular backend. These are separated
by a : character.</p><p>Available backends can include:
</p><div class="itemizedlist"><ul type="disc"><li><p><span><strong class="command">smbpasswd</strong></span> - The default smbpasswd
backend. Takes a path to the smbpasswd file as an optional argument.
</p></li><li><p><span><strong class="command">tdbsam</strong></span> - The TDB based password storage
backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
in the <a class="indexterm" name="id2515289"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
backend. Takes an LDAP URL as an optional argument (defaults to
<span><strong class="command">ldap://localhost</strong></span>)</p><p>LDAP connections should be secured where possible. This may be done using either
Start-TLS (see <a class="indexterm" name="id2515324"></a>ldap ssl) or by
specifying <em class="parameter"><code>ldaps://</code></em> in
the URL argument. </p><p>Multiple servers may also be specified in double-quotes, if your
LDAP library supports the LDAP URL notation.
(OpenLDAP does).
</p></li><li><p><span><strong class="command">nisplussam</strong></span> -
The NIS+ based passdb backend. Takes the NIS domain name as
an optional argument. Only works with Sun NIS+ servers.
</p></li><li><p><span><strong class="command">mysql</strong></span> -
The MySQL based passdb backend. Takes an identifier as
argument. Read the Samba HOWTO Collection for configuration
</p></li></ul></div><p>
Examples of use are:
<pre class="programlisting">
passdb backend = tdbsam:/etc/samba/private/passdb.tdb \
    smbpasswd:/etc/samba/smbpasswd

passdb backend = ldapsam:ldaps://ldap.example.com

passdb backend = ldapsam:"ldap://ldap-1.example.com \
    ldap://ldap-2.example.com"

passdb backend = mysql:my_plugin_args tdbsam
</pre><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb backend</code></em> = smbpasswd
</em></span>
</p></dd><dt><span class="term"><a name="PASSDBBACKEND"></a>passdb backend (G)</span></dt><dd><p>This option allows the administrator to choose which backend
will be used for storing user and possibly group information. This allows
you to swap between different storage mechanisms without recompile. </p><p>The parameter value is divided into two parts, the backend's name, and a 'location'
string that has meaning only to that particular backend. These are separated
by a : character.</p><p>Available backends can include:
</p><div class="itemizedlist"><ul type="disc"><li><p><span><strong class="command">smbpasswd</strong></span> - The default smbpasswd
backend. Takes a path to the smbpasswd file as an optional argument.
</p></li><li><p><span><strong class="command">tdbsam</strong></span> - The TDB based password storage
backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
in the <a class="indexterm" name="id2552807"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
backend. Takes an LDAP URL as an optional argument (defaults to
<span><strong class="command">ldap://localhost</strong></span>)</p><p>LDAP connections should be secured where possible. This may be done using either
Start-TLS (see <a class="indexterm" name="id2552842"></a>ldap ssl) or by
specifying <em class="parameter"><code>ldaps://</code></em> in
the URL argument. </p><p>Multiple servers may also be specified in double-quotes, if your
LDAP library supports the LDAP URL notation.
(OpenLDAP does).
</p></li></ul></div><p>
Examples of use are:
<pre class="programlisting">
passdb backend = tdbsam:/etc/samba/private/passdb.tdb

passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
</pre><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb backend</code></em> = smbpasswd
</em></span>
</p></dd><dt><span class="term"><a name="PASSDBEXPANDEXPLICIT"></a>passdb expand explicit (G)</span></dt><dd><p>
This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We
used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable
%G_osver% in which %G would have been substituted by the user's primary group.
This parameter is set to "yes" by default, but this is about to change in the future.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb expand explicit</code></em> = yes
</em></span>
</p></dd><dt><span class="term"><a name="PASSDBEXPANDEXPLICIT"></a>passdb expand explicit (G)</span></dt><dd><p>
This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We
used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable
%G_osver% in which %G would have been substituted by the user's primary group.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb expand explicit</code></em> = no
</em></span>
</p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span>
conversation that takes place between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing
program to change the user's password. The string describes a
sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the
<a class="indexterm" name="id2515484"></a>passwd program and what to expect back. If the expected output is not
received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending
on what local methods are used for password control (such as NIS
etc).</p><p>Note that this parameter is only used if the <a class="indexterm" name="id2515502"></a>unix password sync parameter is set to <code class="constant">yes</code>. This sequence is
then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password in the
smbpasswd file is being changed, without access to the old password
cleartext. This means that root must be able to reset the user's password without
knowing the text of the previous password. In the presence of
NIS/YP, this means that the <a class="indexterm" name="id2515522"></a>passwd program must
be executed on the NIS master.
</p><p>The string can contain the macro <em class="parameter"><code>%n</code></em> which is substituted
for the new password. The chat sequence can also contain the standard
parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
strings passed to and received from the passwd chat are printed
in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
<a class="indexterm" name="id2515632"></a>debug level
of 100. This is a dangerous option as it will allow plaintext passwords
to be seen in the <span><strong class="command">smbd</strong></span> log. It is available to help
Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts
when calling the <em class="parameter"><code>passwd program</code></em> and should
be turned off after this has been done. This option has no effect if the
<a class="indexterm" name="id2515662"></a>pam password change
parameter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = no
</em></span>
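A small checker for several of the settings documented above (the passdb backend name:location syntax with its double-quoted multi-server form and the advice to secure LDAP, map archive/hidden/system against create mask, max xmit, lock spin count, and passwd chat debug), added here as an example; it is not Samba's own code. It assumes 0744 as the default create mask and "start tls" as the ldap ssl value that enables Start-TLS, and the smb.conf text it runs on is constructed.

```python
"""Lint for smb.conf settings discussed in the passdb backend, map archive/
hidden/system, max xmit, lock spin count and passwd chat debug entries.
Added example, not Samba code; the sample configuration is constructed."""
import re
import shlex

# Constructed sample; the weak settings are deliberate so the lint has
# something to report.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:"ldap://ldap-1.example.com \
                            ldap://ldap-2.example.com"
   passwd chat debug = yes
   lock spin count = 3
   max xmit = 1024

[public]
   path = /srv/public
   create mask = 0644
   map archive = yes
   map hidden = yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with whitespace
    collapsed (smbd ignores case and spacing in parameter names); a trailing
    backslash continues the value on the next line, as in the examples."""
    text = re.sub(r"\\\n\s*", " ", text)
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def parse_passdb_backend(value):
    """Split a passdb backend value into (backend, location) pairs. A
    double-quoted location may hold several space-separated LDAP URLs, as in
    ldapsam:"ldap://a ldap://b"; shlex applies exactly that quoting."""
    pairs = []
    for token in shlex.split(value):
        name, _, location = token.partition(":")
        pairs.append((name, location))
    return pairs


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint(conf):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    g = conf.get("global", {})

    # ldapsam: secure the connection with ldaps:// or Start-TLS. Treating
    # "start tls" as the ldap ssl value that enables it is an assumption.
    tls = " ".join(g.get("ldap ssl", "off").lower().replace("_", " ").split())
    for name, location in parse_passdb_backend(g.get("passdb backend", "smbpasswd")):
        if name == "ldapsam":
            for url in location.split() or ["ldap://localhost"]:
                if url.startswith("ldap://") and tls != "start tls":
                    findings.append(f"passdb backend: {url} is unencrypted; "
                                    "use ldaps:// or ldap ssl = start tls")

    if is_yes(g.get("passwd chat debug", "no")):
        findings.append("passwd chat debug = yes writes plaintext passwords to the smbd log")
    if "lock spin count" in g:
        findings.append("lock spin count is inoperative since Samba 3.0.24; use lock spin time")
    if int(g.get("max xmit", "16644")) < 2048:
        findings.append("max xmit below 2048 is likely to cause problems")

    # map archive/hidden/system need the owner/world/group execute bit to
    # survive create mask. 0744 as the default create mask is an assumption.
    bits = (("map archive", 0o100, "yes"), ("map hidden", 0o001, "no"),
            ("map system", 0o010, "no"))
    for section, params in conf.items():
        if section == "global":
            continue
        share = {**g, **params}                  # share values override global
        mask = int(share.get("create mask", "0744"), 8)
        for key, bit, default in bits:
            if is_yes(share.get(key, default)) and not mask & bit:
                findings.append(f"[{section}] {key} = yes but create mask "
                                f"{mask:04o} masks out {bit:03o}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```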
</p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial
<span><strong class="command">preexec = csh -c 'echo \"Welcome to %S!\" |
/usr/local/samba/bin/smbclient -M %m -I %I' & </strong></span>
</p><p>Of course, this could get annoying after a while :-)</p><p>
See also <a class="indexterm" name="id2516584"></a>preexec close and <a class="indexterm" name="id2516592"></a>postexec.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> =
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = echo \"%u connected to %S from %m (%I)\" >> /tmp/log
</em></span>
</p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>
This boolean option controls whether a non-zero return code from <a class="indexterm" name="id2516646"></a>preexec
should close the service being connected to.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = no
</em></span>
printable service nor a global print command, spool files will
be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the
<code class="constant">nobody</code> account. If this happens then create
an alternative guest account that can print and set the <a class="indexterm" name="id2517496"></a>guest account
in the [global] section.</p><p>You can form quite complex print commands by realizing
that they are just passed to a shell. For example the following
will log a print job, print the file, then remove it. Note that
';' is the usual separator for commands in shell scripts.</p><p><span><strong class="command">print command = echo Printing %s >>
/tmp/print.log; lpr -P %p %s; rm %s</strong></span></p><p>You may have to vary this command considerably depending
on how you normally print files on your system. The default for
the parameter varies depending on the setting of the <a class="indexterm" name="id2517528"></a>printing
parameter.</p><p>Default: For <span><strong class="command">printing = BSD, AIX, QNX, LPRNG
or PLP :</strong></span></p><p><span><strong class="command">print command = lpr -r -P%p %s</strong></span></p><p>For <span><strong class="command">printing = SYSV or HPUX :</strong></span></p><p><span><strong class="command">print command = lp -c -d%p %s; rm %s</strong></span></p><p>For <span><strong class="command">printing = SOFTQ :</strong></span></p><p><span><strong class="command">print command = lp -d%p -s %s; rm %s</strong></span></p><p>For printing = CUPS : If SAMBA is compiled against
libcups, then <a class="indexterm" name="id2517588"></a>printcap = cups
uses the CUPS API to
submit jobs, etc. Otherwise it maps to the System V
commands with the -oraw option for printing, i.e. it
</p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>
This is a list of users that are given read-only access to a service. If the connecting user is in this list
then they will not be given write access, no matter what the <a class="indexterm" name="id2518251"></a>read only option is set
to. The list can include group names using the syntax described in the <a class="indexterm" name="id2518259"></a>invalid users
</p><p>This parameter will not work with the <a class="indexterm" name="id2518271"></a>security = share in
Samba 3.0. This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> =
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = mary, @students
</em></span>
</p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id2518324"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users
of a service may not create or modify files in the service's
directory.</p><p>Note that a printable service (<span><strong class="command">printable = yes</strong></span>)
will <span class="emphasis"><em>ALWAYS</em></span> allow writing to the directory
3644
3666
mainly want to set up shares without a password (guest shares). This
is commonly used for a shared printer server. It is more difficult
to set up guest shares with <span><strong class="command">security = user</strong></span>; see
the <a class="indexterm" name="id2519282"></a>map to guest parameter for details.</p><p>It is possible to use <span><strong class="command">smbd</strong></span> in a <span class="emphasis"><em>
hybrid mode</em></span> where it offers both user and share
level security under different <a class="indexterm" name="id2519305"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
need not log onto the server with a valid username and password before
attempting to connect to a shared resource (although modern clients
such as Windows 95/98 and Windows NT will send a logon request with
in share level security, <span><strong class="command">smbd</strong></span> uses several
techniques to determine the correct UNIX user to use on behalf
of the client.</p><p>A list of possible UNIX usernames to match with the given
client password is constructed using the following methods:</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id2519389"></a>guest only parameter is set, then all the other
stages are skipped and only the <a class="indexterm" name="id2519397"></a>guest account username is checked.
</p></li><li><p>If a username is sent with the share connection
request, then this username (after mapping - see <a class="indexterm" name="id2519413"></a>username map)
is added as a potential username.
</p></li><li><p>If the client did a previous <span class="emphasis"><em>logon
</em></span> request (the SessionSetup SMB call) then the
be used in granting access.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0.
With user-level security a client must first "log on" with a
valid username and password (which can be mapped using the <a class="indexterm" name="id2519534"></a>username map
parameter). Encrypted passwords (see the <a class="indexterm" name="id2519542"></a>encrypted passwords parameter) can also
be used in this security mode. Parameters such as <a class="indexterm" name="id2519551"></a>user and <a class="indexterm" name="id2519558"></a>guest only, if set, are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
requested is <span class="emphasis"><em>not</em></span> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the <a class="indexterm" name="id2519582"></a>guest account.
See the <a class="indexterm" name="id2519589"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
machine into a Windows NT Domain. It expects the <a class="indexterm" name="id2519631"></a>encrypted passwords
parameter to be set to <code class="constant">yes</code>. In this
mode Samba will try to validate the username/password by passing
it to a Windows NT Primary or Backup Domain Controller, in exactly
requested is <span class="emphasis"><em>not</em></span> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the <a class="indexterm" name="id2519689"></a>guest account.
See the <a class="indexterm" name="id2519696"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id2519719"></a>password server parameter and
the <a class="indexterm" name="id2519727"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
NT box. If this fails it will revert to <span><strong class="command">security = user</strong></span>. It expects the
<a class="indexterm" name="id2519757"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
server does not support them. Note, however, that if encrypted passwords have been negotiated, Samba cannot
revert to checking the UNIX password file; it must have a valid <code class="filename">smbpasswd</code> file to check users against. See the chapter about the User Database in
the Samba HOWTO Collection for details on how to set this up.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This mode of operation has
significant pitfalls. Samba relays the client's authentication exchange to the remote SMB server, which
leaves it more vulnerable to man-in-the-middle attacks and to impersonation of that server. In particular,
this mode of operation can cause significant resource consumption on
the PDC, as it must maintain an active connection for the duration
of the user's session. Furthermore, if this connection is lost,
there is no way to reestablish it, and further authentications to the
Samba server may fail (from a single client, till it disconnects).
</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>From the client's point of
view <span><strong class="command">security = server</strong></span> is the
same as <span><strong class="command">security = user</strong></span>. It
requested is <span class="emphasis"><em>not</em></span> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the <a class="indexterm" name="id2519826"></a>guest account.
See the <a class="indexterm" name="id2519834"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id2519856"></a>password server parameter and the
<a class="indexterm" name="id2519864"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
in this mode, the machine running Samba will need to have Kerberos installed
and configured, and Samba will need to be joined to the ADS realm using the
net utility. </p><p>Note that this mode does NOT make Samba operate as an Active Directory Domain
</p></dd><dt><span class="term"><a name="STOREDOSATTRIBUTES"></a>store dos attributes (S)</span></dt><dd><p>
If this parameter is set, Samba first attempts to read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or
READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such
as occurs with <a class="indexterm" name="id2521278"></a>map hidden and <a class="indexterm" name="id2521285"></a>map readonly). When set, DOS
attributes will be stored in an extended attribute in the UNIX filesystem, associated with the file or
directory. For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id2521296"></a>map hidden,
<a class="indexterm" name="id2521303"></a>map system, <a class="indexterm" name="id2521310"></a>map archive and <a class="indexterm" name="id2521317"></a>map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended
attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an
EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for
extended attributes to work, and extended attribute support must be compiled into the Linux kernel.
of users.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict allocate</code></em> = no
</p></dd><dt><span class="term"><a name="STRICTLOCKING"></a>strict locking (S)</span></dt><dd><p>
This is an enumerated type that controls the handling of file locking in the server. When this is set to <code class="constant">yes</code>,
the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on
When strict locking is set to Auto (the default), the server performs file lock checks only on non-oplocked files.
As most Windows redirectors perform file locking checks locally on oplocked files, this is a good trade-off for
improved performance.
When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them.
Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases,
<span><strong class="command">strict locking = Auto</strong></span> or
<span><strong class="command">strict locking = no</strong></span> is acceptable.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict locking</code></em> = Auto
</p></dd><dt><span class="term"><a name="STRICTSYNC"></a>strict sync (S)</span></dt><dd><p>Many Windows applications (including the Windows 98 explorer
shell) seem to confuse flushing buffer contents to disk with doing
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = /etc/samba/scripts/mapusers.sh
</p></dd><dt><span class="term"><a name="USERSHAREALLOWGUESTS"></a>usershare allow guests (G)</span></dt><dd><p>This parameter controls whether user defined shares are allowed
to be accessed by non-authenticated users or not. It is the equivalent
of allowing people who can create a share the option of setting
<em class="parameter"><code>guest ok = yes</code></em> in a share
definition. Due to the security-sensitive nature of this, the default
is set to off.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare allow guests</code></em> = no
</p></dd><dt><span class="term"><a name="USERSHAREMAXSHARES"></a>usershare max shares (G)</span></dt><dd><p>This parameter specifies the number of user defined shares
that are allowed to be created by users belonging to the group owning the
usershare directory. If set to zero (the default) user defined shares are ignored.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare max shares</code></em> = 0
</p></dd><dt><span class="term"><a name="USERSHAREOWNERONLY"></a>usershare owner only (G)</span></dt><dd><p>This parameter controls whether the pathname exported by
a user defined share must be owned by the user creating the
user defined share or not. If set to True (the default) then
smbd checks that the directory path being shared is owned by
the user who owns the usershare file defining this share and
refuses to create the share if not. If set to False then no
such check is performed and any directory path may be exported
regardless of who owns it.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare owner only</code></em> = True
</p></dd><dt><span class="term"><a name="USERSHAREPATH"></a>usershare path (G)</span></dt><dd><p>This parameter specifies the absolute path of the directory on the
filesystem used to store the user defined share definition files.
This directory must be owned by root, have no access for
other, and be writable only by the group owner. In addition the
"sticky" bit must also be set, restricting rename and delete to
owners of a file (in the same way the /tmp directory is usually configured).
Members of the group owner of this directory are the users allowed to create
usershares. If this parameter is undefined then no user defined
For example, a valid usershare directory might be /usr/local/samba/lib/usershares,
</p><pre class="programlisting">
ls -ld /usr/local/samba/lib/usershares/
drwxrwx--T 2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/
</pre><p>
In this case, only members of the group "power_users" can create user defined shares.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare path</code></em> = NULL
</p></dd><dt><span class="term"><a name="USERSHAREPREFIXALLOWLIST"></a>usershare prefix allow list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames
the root of which are allowed to be exported by user defined share definitions.
If the pathname exported doesn't start with one of the strings in this
list the user defined share will not be allowed. This allows the Samba
administrator to restrict the directories on the system that can be
exported by user defined shares.
If there is a "usershare prefix deny list" and also a
"usershare prefix allow list" the deny list is processed
first, followed by the allow list, thus leading to the most
restrictive interpretation.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare prefix allow list</code></em> = NULL
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare prefix allow list</code></em> = /home /data /space
</p></dd><dt><span class="term"><a name="USERSHAREPREFIXDENYLIST"></a>usershare prefix deny list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames
the root of which are NOT allowed to be exported by user defined share definitions.
If the pathname exported starts with one of the strings in this
list the user defined share will not be allowed. Any pathname not
starting with one of these strings will be allowed to be exported
as a usershare. This allows the Samba administrator to restrict the
directories on the system that can be exported by user defined shares.
If there is a "usershare prefix deny list" and also a
"usershare prefix allow list" the deny list is processed
first, followed by the allow list, thus leading to the most
restrictive interpretation.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare prefix deny list</code></em> = NULL
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare prefix deny list</code></em> = /etc /dev /private
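The following Python program is an example added to this page, not Samba's own code. It models the three checks described in the usershare entries above: the prefix deny list is evaluated before the prefix allow list, usershare owner only requires the exported directory to belong to the owner of the usershare definition file, and usershare path must be a root-owned, group-writable, sticky directory with no access for other (the mode 1770 shown in the ls -ld listing). The lists, paths and uids are constructed for the demonstration. Two choices go beyond what the manual states and are labelled in the code: a prefix only matches on a path-component boundary after the path is normalised (so an allow entry of /home does not admit /homework, and /home/../etc cannot slip past a deny entry), and the expected owner uid is a parameter so the directory check can be exercised without root.

```python
"""Checks on user-defined (usershare) share paths, following smb.conf(5):
prefix deny list before prefix allow list, 'usershare owner only', and the
required mode of the 'usershare path' directory.

Example code added to this page, not part of Samba.  Lists, paths and uids
are constructed for the demonstration."""
import os
import stat
import tempfile


def split_prefixes(value):
    """Turn a 'usershare prefix ... list' value such as '/home /data' into a list."""
    return [p for p in value.replace(",", " ").split() if p]


def under_prefix(path, prefix):
    """True if path is prefix itself or lies below it.  Matching on a path
    component boundary (so /home does not admit /homework) is this example's
    choice; the manual only speaks of string prefixes."""
    prefix = os.path.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def usershare_path_allowed(share_path, allow_list="", deny_list=""):
    """Deny list first, then allow list, as the manual specifies.

    An empty list (NULL in the manual) imposes no restriction.  Relative
    paths are rejected because usershares must export absolute pathnames,
    and the path is normalised so /home/../etc cannot slip past a deny entry."""
    if not os.path.isabs(share_path):
        return False
    path = os.path.normpath(share_path)
    if any(under_prefix(path, p) for p in split_prefixes(deny_list)):
        return False
    allowed = split_prefixes(allow_list)
    if allowed and not any(under_prefix(path, p) for p in allowed):
        return False
    return True


def owner_only_ok(share_path, usershare_file_uid):
    """'usershare owner only = True': the exported directory must be owned by
    the same uid that owns the usershare definition file."""
    return os.stat(share_path).st_uid == usershare_file_uid


def usershare_dir_problems(path, root_uid=0):
    """Check a candidate 'usershare path' directory: owned by root, no access
    for other, writable by the group owner, sticky bit set (mode 1770 as in
    the ls -ld listing above).  Returns a list of problems; empty means OK.
    root_uid is a parameter only so the check can run without root."""
    st = os.stat(path)
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != root_uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, root_uid))
    if st.st_mode & stat.S_IRWXO:
        problems.append("'other' has access bits set")
    if not st.st_mode & stat.S_IWGRP:
        problems.append("group owner cannot write")
    if not st.st_mode & stat.S_ISVTX:
        problems.append("sticky bit not set")
    return problems


def demo_directory_check():
    """Create a scratch directory and check it twice: with the required mode
    1770 and then world-accessible (777).  Uses the current uid as the expected
    owner so the demo works unprivileged; returns (problems_1770, problems_777)."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o1770)
        good = usershare_dir_problems(d, root_uid=os.getuid())
        os.chmod(d, 0o777)
        bad = usershare_dir_problems(d, root_uid=os.getuid())
    finally:
        os.rmdir(d)
    return good, bad


if __name__ == "__main__":
    ALLOW, DENY = "/home /data /space", "/etc /dev /private"
    for p in ("/home/alice/pub", "/homework/x", "/etc/samba", "/home/../etc", "data/x"):
        print(p, "allowed" if usershare_path_allowed(p, ALLOW, DENY) else "refused")
    print(demo_directory_check())
```

Run stand-alone, it prints the decision for each sample path and then the two problem lists for the scratch directory (empty for mode 1770; "other" access and missing sticky bit for 777). In production the owner check is against uid 0 and the share path should be canonicalised (symlinks resolved) before the prefix test, since a user-controlled symlink under an allowed prefix would otherwise defeat the deny list.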
</p></dd><dt><span class="term"><a name="USERSHARETEMPLATESHARE"></a>usershare template share (G)</span></dt><dd><p>User defined shares only have limited possible parameters
such as path, guest ok etc. This parameter allows usershares to be
"cloned" from an existing share. If "usershare template share"
is set to the name of an existing share, then all usershares
created have their defaults set from the parameters set on this
The target share may be set to be invalid for real file
sharing by setting the parameter "-valid = False" on the template
share definition. This causes it not to be seen as a real exported
share but to be able to be used as a template for usershares.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare template share</code></em> = NULL
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare template share</code></em> = template_share
</p></dd><dt><span class="term"><a name="USESENDFILE"></a>use sendfile (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code>, and the <code class="constant">sendfile()</code>
system call is supported by the underlying operating system, then some SMB read calls
(mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind nss info</code></em> = template sfu
</p></dd><dt><span class="term"><a name="WINBINDOFFLINELOGON"></a>winbind offline logon (G)</span></dt><dd><p>This parameter controls whether Winbind should
allow logins through the <em class="parameter"><code>pam_winbind</code></em>
module using cached credentials. If enabled, winbindd will store user credentials
from successful logins encrypted in a local cache.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind offline logon</code></em> = false
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind offline logon</code></em> = true
</p></dd><dt><span class="term"><a name="WINBINDREFRESHTICKETS"></a>winbind refresh tickets (G)</span></dt><dd><p>This parameter controls whether Winbind should refresh Kerberos tickets
retrieved using the <em class="parameter"><code>pam_winbind</code></em> module.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind refresh tickets</code></em> = false
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind refresh tickets</code></em> = true
</p></dd><dt><span class="term"><a name="WINBINDSEPARATOR"></a>winbind separator (G)</span></dt><dd><p>This parameter allows an admin to define the character
used when listing a username of the form of <em class="replaceable"><code>DOMAIN
</code></em>\<em class="replaceable"><code>user</code></em>. This parameter
</p></dd><dt><span class="term"><a name="WORKGROUP"></a>workgroup (G)</span></dt><dd><p>This controls what workgroup your server will
appear to be in when queried by clients. Note that this parameter
also controls the domain name used with
the <a class="indexterm" name="id2524492"></a>security = domain
setting.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = WORKGROUP
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = MYGROUP
</p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id2524566"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to a non-zero value,
Samba will create an in-memory cache for each oplocked file
(it does <span class="emphasis"><em>not</em></span> do this for
non-oplocked files). All writes that the client does not request
</p></dd><dt><span class="term"><a name="WRITELIST"></a>write list (S)</span></dt><dd><p>
This is a list of users that are given read-write access to a service. If the
connecting user is in this list then they will be given write access, no matter
what the <a class="indexterm" name="id2524673"></a>read only option is set to. The list can
include group names using the @group syntax.
Note that if a user is in both the read list and the write list then they will be
given write access.
By design, this parameter will not work with the
<a class="indexterm" name="id2524691"></a>security = share in Samba 3.0.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> =
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> = admin, root, @staff
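The following Python program is an example added to this page, not Samba's own code. It serves both the read list entry earlier on this page and the write list entry above: it parses a small smb.conf-style text (constructed here, with hypothetical share names and paths) and answers "does this user get write access to this share?" the way the manual describes. A printable service always allows writing, a write list entry grants write access regardless of read only and wins over the read list, a read list entry denies writes regardless of read only, and @group names are resolved against a constructed group table standing in for the UNIX group database. The parser handles only what the example needs (sections, key = value, comments), not the full smb.conf syntax.

```python
"""Write-access decision for a Samba share, following the smb.conf(5) rules for
read only / writeable, read list and write list.

Example code added to this page; it is not part of Samba.  The configuration
text and the group table below are constructed for the demonstration."""
import re

# Constructed stand-in for the UNIX group database smbd consults for @group entries.
GROUPS = {
    "students": {"mary", "bob"},
    "staff": {"alice", "carol"},
}
TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse [section] / key = value lines into {section: {key: value}}.

    Keys are lower-cased with internal whitespace collapsed, so "Read Only"
    and "read only" name the same parameter.  Lines starting with # or ; are
    comments.  No %-macros or include handling: enough for this example only."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def parse_user_list(value):
    """Split a comma- or space-separated user list, keeping @group tokens."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def user_in_list(user, value, groups=GROUPS):
    """True if user is named directly, or is a member of an @group entry."""
    for entry in parse_user_list(value):
        if entry.startswith("@"):
            if user in groups.get(entry[1:], set()):
                return True
        elif entry == user:
            return True
    return False


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def share_read_only(share):
    """Resolve 'read only' and its inverted synonyms writeable / writable.
    In smbd the synonyms set the same flag, so the later line in the file
    wins; this example lets an explicit writeable/writable take precedence."""
    for synonym in ("writeable", "writable"):
        if synonym in share:
            return not is_true(share[synonym])
    return is_true(share.get("read only", "yes"))  # smbd default: read only = yes


def can_write(user, share, groups=GROUPS):
    """Decide write access for user on one parsed share definition."""
    if is_true(share.get("printable", "no")):
        return True   # a printable service always allows writing (for spooling)
    if user_in_list(user, share.get("write list", ""), groups):
        return True   # write list wins over read only and over the read list
    if user_in_list(user, share.get("read list", ""), groups):
        return False  # read list denies writes regardless of read only
    return not share_read_only(share)


# Constructed configuration: share names and paths are illustrative only.
SAMPLE_CONF = """
[global]
   workgroup = MYGROUP
[public]
   path = /srv/public
   read only = yes
   read list = mary, @students
   write list = admin, root, @staff
[scratch]
   path = /srv/scratch
   writeable = yes
   read list = @students
   write list = bob
[aprinter]
   path = /var/spool/samba
   read only = yes
   printable = yes
"""
CONF = parse_smb_conf(SAMPLE_CONF)


def access_matrix(conf=CONF, users=("mary", "bob", "alice", "dave")):
    """Map (share, user) -> write allowed, for every share except [global]."""
    return {(s, u): can_write(u, conf[s]) for s in conf if s != "global" for u in users}


if __name__ == "__main__":
    for (share, user), ok in sorted(access_matrix().items()):
        print("[%s] %s: %s" % (share, user, "read-write" if ok else "read-only"))
```

Run stand-alone it prints the matrix: on [public] only alice (via @staff) can write; on [scratch] bob can write although @students puts him in the read list, because he is also in the write list; dave, named in neither list, follows read only; everyone can write to [aprinter]. The same helper would also show that a misplaced @group in write list silently grants write access to every member, which is the check worth running with testparm before deploying such a list.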
for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme
care when designing these sections. In particular, ensure that the permissions on spool directories are
</p></div><div class="refsect1" lang="en"><a name="id2524882"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id2524893"></a><h2>SEE ALSO</h2><p>
<a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id2524972"></a><h2>AUTHOR</h2><p>
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.