196
All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned\&. If your printing subsystem doesn't work like that, you will have to set up a pseudo\-printcap\&. This is a file consisting of one or more lines like this:
199
alias|alias|alias|alias\&.\&.\&.
204
Each alias should be an acceptable printer name for your printing subsystem\&. In the [global] section, specify the new file as your printcap\&. The server will only recognize names found in your pseudo\-printcap, which of course can contain whatever aliases you like\&. The same technique could be used simply to limit access to a subset of your local printers\&.
207
An alias, by the way, is defined as any component of the first entry of a printcap record\&. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (|)\&.
213
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to useprintcap name = lpstat to automatically obtain a list of printers\&. See theprintcap name option for more details\&.
201
All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:
206
alias|alias|alias|alias...
210
Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit access to a subset of your local printers.
212
An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (|).
215
.nr an-no-space-flag 1
220
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use
221
printcap name = lpstat
222
to automatically obtain a list of printers. See the
224
option for more details.
225
.\" end of SS subsection "The [printers] section"
228
Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete their own share definitions has been added. This capability is called
230
and is controlled by a set of parameters in the
232
section of the smb.conf. The relevant parameters are :
234
usershare allow guests
235
Controls if usershares can permit guest access.
238
Maximum number of user defined shares allowed.
241
If set only directories owned by the sharing user can be shared.
244
Points to the directory containing the user defined share definitions. The filesystem permissions on this directory control who can create user defined shares.
246
usershare prefix allow list
247
Comma-separated list of abolute pathnames restricting what directories can be shared. Only directories below the pathnames in this list are permitted.
249
usershare prefix deny list
250
Comma-separated list of abolute pathnames restricting what directories can be shared. Directories below the pathnames in this list are prohibited.
252
usershare template share
253
Names a pre-existing share used as a template for creating new usershares. All other share parameters not specified in the user defined share definition are copied from this named share.
255
To allow members of the UNIX group
257
to create user defined shares, create the directory to contain the share definitions as follows:
262
mkdir /usr/local/samba/lib/usershares
263
chgrp foo /usr/local/samba/lib/usershares
264
chmod 1770 /usr/local/samba/lib/usershares
267
Then add the parameters
272
usershare path = /usr/local/samba/lib/usershares
273
usershare max shares = 10 # (or the desired number of shares)
275
to the global section of your
276
\fIsmb.conf\fR. Members of the group foo may then manipulate the user defined shares using the following commands.
278
net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]
279
To create or modify (overwrite) a user defined share.
281
net usershare delete sharename
282
To delete a user defined share.
284
net usershare list wildcard-sharename
285
To list user defined shares.
287
net usershare info wildcard-sharename
288
To print information about user defined shares.
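Review bot: In the usershare parameter list, "abolute" should be "absolute" in both the usershare prefix allow list and usershare prefix deny list descriptions, and "The relevant parameters are :" has a stray space before the colon. The setup example applies mode 1770 without explaining it. Since the text says the filesystem permissions on this directory control who can create user defined shares, add a sentence that the sticky bit keeps members of group foo from deleting or renaming each other's share definition files, and state which account is expected to run the mkdir/chgrp/chmod steps. The trailing "# (or the desired number of shares)" on the usershare max shares line is likely to be copied into smb.conf as is, where only lines beginning with # or ; are treated as comments; move that remark into the surrounding prose.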
220
Parameters define the specific attributes of sections\&.
223
Some parameters are specific to the [global] section (e\&.g\&., \fBsecurity\fR)\&. Some parameters are usable in all sections (e\&.g\&., \fBcreate mask\fR)\&. All others are permissible only in normal sections\&. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal\&. The letter \fBG\fR in parentheses indicates that a parameter is specific to the [global] section\&. The letter \fBS\fR indicates that a parameter can be specified in a service specific section\&. All \fBS\fR parameters can also be specified in the [global] section \- in which case they will define the default behavior for all services\&.
226
Parameters are arranged here in alphabetical order \- this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym\&.
291
Parameters define the specific attributes of sections.
293
Some parameters are specific to the [global] section (e.g.,
294
\fBsecurity\fR). Some parameters are usable in all sections (e.g.,
295
\fBcreate mask\fR). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter
297
in parentheses indicates that a parameter is specific to the [global] section. The letter
299
indicates that a parameter can be specified in a service specific section. All
301
parameters can also be specified in the [global] section - in which case they will define the default behavior for all services.
303
Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.
228
304
.SH "VARIABLE SUBSTITUTIONS"
231
Many of the strings that are settable in the config file can take substitutions\&. For example the option``path = /tmp/%u'' is interpreted as ``path = /tmp/john'' if the user connected with the username john\&.
234
These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant\&. These are:
306
Many of the strings that are settable in the config file can take substitutions. For example the option
307
“path = /tmp/%u”
309
“path = /tmp/john”
310
if the user connected with the username john.
312
These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:
238
session username (the username that the client wanted, not necessarily the same as the one they got)\&.
315
session username (the username that the client wanted, not necessarily the same as the one they got).
242
primary group name of %U\&.
318
primary group name of %U.
246
the Internet hostname that Samba is running on\&.
321
the Internet hostname that Samba is running on.
250
the NetBIOS name of the client machine (very useful)\&.
252
This parameter is not available when Samba listens on port 445, as clients no longer send this information\&. If you use this macro in an include statement on a domain that has a Samba domain controller be sure to set in the [global] section \fIsmb ports = 139\fR\&. This will cause Samba to not listen on port 445 and will permit include functionality to function as it did with Samba 2\&.x\&.
324
the NetBIOS name of the client machine (very useful).
326
This parameter is not available when Samba listens on port 445, as clients no longer send this information. If you use this macro in an include statement on a domain that has a Samba domain controller be sure to set in the [global] section
327
\fIsmb ports = 139\fR. This will cause Samba to not listen on port 445 and will permit include functionality to function as it did with Samba 2.x.
256
the NetBIOS name of the server\&. This allows you to change your config based on what the client calls you\&. Your server can have a ``dual personality''\&.
330
the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a
331
“dual personality”.
260
the Internet name of the client machine\&.
334
the Internet name of the client machine.
264
the selected protocol level after protocol negotiation\&. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1\&.
337
the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
268
the process id of the current server process\&.
340
the process id of the current server process.
272
the architecture of the remote machine\&. It currently recognizes Samba (\fBSamba\fR), the Linux CIFS file system (\fBCIFSFS\fR), OS/2, (\fBOS2\fR), Windows for Workgroups (\fBWfWg\fR), Windows 9x/ME (\fBWin95\fR), Windows NT (\fBWinNT\fR), Windows 2000 (\fBWin2K\fR), Windows XP (\fBWinXP\fR), and Windows 2003 (\fBWin2K3\fR)\&. Anything else will be known as\fBUNKNOWN\fR\&.
343
the architecture of the remote machine. It currently recognizes Samba (\fBSamba\fR), the Linux CIFS file system (\fBCIFSFS\fR), OS/2, (\fBOS2\fR), Windows for Workgroups (\fBWfWg\fR), Windows 9x/ME (\fBWin95\fR), Windows NT (\fBWinNT\fR), Windows 2000 (\fBWin2K\fR), Windows XP (\fBWinXP\fR), and Windows 2003 (\fBWin2K3\fR). Anything else will be known as
276
the IP address of the client machine\&.
347
the IP address of the client machine.
280
the local IP address to which a client connected\&.
350
the local IP address to which a client connected.
284
the current date and time\&.
353
the current date and time.
288
name of the domain or workgroup of the current user\&.
356
name of the domain or workgroup of the current user.
292
the winbind separator\&.
359
the winbind separator.
296
the value of the environment variable\fIenvar\fR\&.
362
the value of the environment variable
299
365
The following substitutes apply only to some configuration options (only those that are used when a connection has been established):
303
the name of the current service, if any\&.
368
the name of the current service, if any.
307
the root directory of the current service, if any\&.
371
the root directory of the current service, if any.
311
username of the current service, if any\&.
374
username of the current service, if any.
315
primary group name of %u\&.
377
primary group name of %u.
319
the home directory of the user given by %u\&.
380
the home directory of the user given by %u.
323
the name of your NIS home directory server\&. This is obtained from your NIS auto\&.map entry\&. If you have not compiled Samba with the \fB\-\-with\-automount\fR option, this value will be the same as %L\&.
383
the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the
384
\fB--with-automount\fR
385
option, this value will be the same as %L.
327
the path of the service's home directory, obtained from your NIS auto\&.map entry\&. The NIS auto\&.map entry is split up as %N:%p\&.
388
the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as
330
There are some quite creative things that can be done with these substitutions and other\fIsmb\&.conf\fR options\&.
391
There are some quite creative things that can be done with these substitutions and other
332
394
.SH "NAME MANGLING"
335
Samba supports name mangling so that DOS and Windows clients can use files that don't conform to the 8\&.3 format\&. It can also be set to adjust the case of 8\&.3 format filenames\&.
338
There are several options that control the way mangling is performed, and they are grouped here rather than listed separately\&. For the defaults look at the output of the testparm program\&.
341
All of these options can be set separately for each service (or globally, of course)\&.
398
so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.
400
There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program.
402
All of these options can be set separately for each service (or globally, of course).
347
406
case sensitive = yes/no/auto
348
controls whether filenames are case sensitive\&. If they aren't, Samba must do a filename search and match on passed names\&. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS and smbclient 3\&.0\&.5 and above currently) to tell the Samba server on a per\-packet basis that they wish to access the file system in a case\-sensitive manner (to support UNIX case sensitive semantics)\&. No Windows or DOS system supports case\-sensitive filename so setting this option to auto is that same as setting it to no for them\&. Default \fBauto\fR\&.
407
controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no for them. Default
351
410
default case = upper/lower
352
controls what the default case is for new filenames (ie\&. files that don't currently exist in the filesystem)\&. Default \fBlower\fR\&. IMPORTANT NOTE: This option will be used to modify the case of\fBall\fR incoming client filenames, not just new filenames if the options case sensitive = yes, preserve case = No,short preserve case = No are set\&. This change is needed as part of the optimisations for directories containing large numbers of files\&.
411
controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem). Default
412
\fBlower\fR. IMPORTANT NOTE: This option will be used to modify the case of
414
incoming client filenames, not just new filenames if the options
415
case sensitive = yes,
417
short preserve case = No are set. This change is needed as part of the optimisations for directories containing large numbers of files.
355
419
preserve case = yes/no
356
controls whether new files (ie\&. files that don't currently exist in the filesystem) are created with the case that the client passes, or if they are forced to be the default case\&. Default\fByes\fR\&.
420
controls whether new files (ie. files that don't currently exist in the filesystem) are created with the case that the client passes, or if they are forced to be the
359
425
short preserve case = yes/no
360
controls if new files (ie\&. files that don't currently exist in the filesystem) which conform to 8\&.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be thedefault case\&. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowercased\&. Default \fByes\fR\&.
426
controls if new files (ie. files that don't currently exist in the filesystem) which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the
428
case. This option can be used with
430
to permit long filenames to retain their case, while short names are lowercased. Default
363
By default, Samba 3\&.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving\&. As a special case for directories with large numbers of files, if the case options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" then the "default case" option will be applied and will modify all filenames sent from the client when accessing this share\&.
433
By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving. As a special case for directories with large numbers of files, if the case options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" then the "default case" option will be applied and will modify all filenames sent from the client when accessing this share.
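Review bot: The special-case paragraph names the option as "case preserve = no", but the option documented in this section is "preserve case", and the IMPORTANT NOTE under default case already spells it "preserve case = No". An administrator copying the quoted settings would end up with a parameter name that does not match the documented one, so change it to "preserve case = no" while this line is being touched.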
365
434
.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
368
There are a number of ways in which a user can connect to a service\&. The server uses the following steps in determining if it will allow a connection to a specified service\&. If all the steps fail, the connection request is rejected\&. However, if one of the steps succeeds, the following steps are not checked\&.
371
If the service is marked ``guest only = yes'' and the server is running with share\-level security (``security = share'', steps 1 to 5 are skipped\&.
436
There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, the connection request is rejected. However, if one of the steps succeeds, the following steps are not checked.
438
If the service is marked
439
“guest only = yes”
440
and the server is running with share-level security (“security = share”, steps 1 to 5 are skipped.
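Review bot: The parenthesis opened before “security = share” is never closed, so "steps 1 to 5 are skipped" reads as part of the aside rather than as the consequence. Close it right after the quoted setting so the sentence clearly says the steps are skipped when both conditions hold.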
375
If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs, the connection is made as that username\&. This includes the\\\\server\\service%\fIusername\fR method of passing a username\&.
443
If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs, the connection is made as that username. This includes the
444
\\server\service%\fIusername\fR
445
method of passing a username.
378
If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed\&.
448
If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed.
381
The client's NetBIOS name and any previously used usernames are checked against the supplied password\&. If they match, the connection is allowed as the corresponding user\&.
451
The client's NetBIOS name and any previously used usernames are checked against the supplied password. If they match, the connection is allowed as the corresponding user.
384
If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used\&.
454
If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used.
387
If a user = field is given in the \fIsmb\&.conf\fR file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames from the user = field, the connection is made as the username in the user = line\&. If one of the usernames in the user = list begins with a @, that name expands to a list of names in the group of the same name\&.
459
field is given in the
461
file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames from the
463
field, the connection is made as the username in the
465
line. If one of the usernames in the
468
@, that name expands to a list of names in the group of the same name.
390
If the service is a guest service, a connection is made as the username given in the guest account = for the service, irrespective of the supplied password\&.
471
If the service is a guest service, a connection is made as the username given in the
473
for the service, irrespective of the supplied password.
393
474
.SH "EXPLANATION OF EACH PARAMETER"
396
476
abort shutdown script (G)
397
This a full path name to a script called by \fBsmbd\fR(8) that should stop a shutdown procedure issued by the shutdown script\&.
399
If the connected user posseses the \fBSeRemoteShutdownPrivilege\fR, right, this command will be run as user\&.
401
Default: \fB\fIabort shutdown script\fR = \fR
403
Example: \fB\fIabort shutdown script\fR = /sbin/shutdown \-c \fR
477
This a full path name to a script called by
479
that should stop a shutdown procedure issued by the
482
If the connected user posseses the
483
\fBSeRemoteShutdownPrivilege\fR, right, this command will be run as user.
486
\fB\fIabort shutdown script\fR = \fR
489
\fB\fIabort shutdown script\fR = /sbin/shutdown -c \fR
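Review bot: "this command will be run as user" in the SeRemoteShutdownPrivilege sentence does not say which account the script executes under. Name the account explicitly, the way the add group script entry does with "AS ROOT", since this decides what the script may safely do. While these lines are being touched, fix "This a full path name" (missing "is"), "posseses", and the stray comma in "SeRemoteShutdownPrivilege, right,".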
406
491
acl check permissions (S)
407
This boolean parameter controls what \fBsmbd\fR(8)does on receiving a protocol request of "open for delete" from a Windows client\&. If a Windows client doesn't have permissions to delete a file then they expect this to be denied at open time\&. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory\&. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file\&. With this parameter set to true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it\&. This is not perfect, as it's possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour\&. Samba will correctly check POSIX ACL semantics in this case\&.
409
If this parameter is set to "false" Samba doesn't check permissions on "open for delete" and allows the open\&. If the user doesn't have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user\&. The symptom of this is files that appear to have been deleted "magically" re\-appearing on a Windows explorer refersh\&. This is an extremely advanced protocol option which should not need to be changed\&. This parameter was introduced in its final form in 3\&.0\&.21, an earlier version with slightly different semantics was introduced in 3\&.0\&.20\&. That older version is not documented here\&.
411
Default: \fB\fIacl check permissions\fR = True \fR
492
This boolean parameter controls what
493
\fBsmbd\fR(8)does on receiving a protocol request of "open for delete" from a Windows client. If a Windows client doesn't have permissions to delete a file then they expect this to be denied at open time. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file. With this parameter set to true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it. This is not perfect, as it's possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour. Samba will correctly check POSIX ACL semantics in this case.
495
If this parameter is set to "false" Samba doesn't check permissions on "open for delete" and allows the open. If the user doesn't have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user. The symptom of this is files that appear to have been deleted "magically" re-appearing on a Windows explorer refersh. This is an extremely advanced protocol option which should not need to be changed. This parameter was introduced in its final form in 3.0.21, an earlier version with slightly different semantics was introduced in 3.0.20. That older version is not documented here.
498
\fB\fIacl check permissions\fR = True \fR
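Review bot: Two carried-over defects remain in the rewritten acl check permissions text: "\fBsmbd\fR(8)does" is missing the space after the manual reference, and "refersh" in the second paragraph should be "refresh". The sentence "setting this parameter to true (the default) then smbd checks" would also read better without "then".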
414
500
acl compatibility (S)
415
This parameter specifies what OS ACL semantics should be compatible with\&. Possible values are \fBwinnt\fR for Windows NT 4,\fBwin2k\fR for Windows 2000 and above and \fBauto\fR\&. If you specify \fBauto\fR, the value for this parameter will be based upon the version of the client\&. There should be no reason to change this parameter from the default\&.
417
Default: \fB\fIacl compatibility\fR = Auto \fR
419
Example: \fB\fIacl compatibility\fR = win2k \fR
501
This parameter specifies what OS ACL semantics should be compatible with. Possible values are
505
for Windows 2000 and above and
506
\fBauto\fR. If you specify
507
\fBauto\fR, the value for this parameter will be based upon the version of the client. There should be no reason to change this parameter from the default.
510
\fB\fIacl compatibility\fR = Auto \fR
513
\fB\fIacl compatibility\fR = win2k \fR
422
515
acl group control (S)
423
In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file\&. If this parameter is set, then Samba overrides this restriction, and also allows the\fBprimary group owner\fR of a file or directory to modify the permissions and ACLs on that file\&.
425
On a Windows server, groups may be the owner of a file or directory \- thus allowing anyone in that group to modify the permissions on it\&. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group\&. This means there are multiple people with permissions to modify ACLs on a file or directory, easing managability\&.
427
This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same was as Windows\&. This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on\&.
429
This parameter is best used with the inherit owner option and also on on a share containing directories with the UNIX \fBsetgid bit\fR bit set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory\&.
431
This is a new parameter introduced in Samba 3\&.0\&.20\&.
433
This can be particularly useful to allow groups to manage their own security on a part of the filesystem they have group ownership of, removing the bottleneck of having only the user owner or superuser able to reset permissions\&.
435
Default: \fB\fIacl group control\fR = no \fR
516
In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the
517
\fBprimary group owner\fR
518
of a file or directory to modify the permissions and ACLs on that file.
520
On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in that group to modify the permissions on it. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group. This means there are multiple people with permissions to modify ACLs on a file or directory, easing managability.
522
This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on.
524
This parameter is best used with the
525
inherit owner option and also on on a share containing directories with the UNIX
527
bit set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory.
529
This is parameter has been marked deprecated in Samba 3.0.23. The same behavior is now implemented by the
534
\fB\fIacl group control\fR = no \fR
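Review bot: The new deprecation sentence reads "This is parameter has been marked deprecated in Samba 3.0.23"; drop the extra "is". The same entry still carries "on on a share", "in much the same was as Windows" and "managability", which are worth fixing in this pass since the lines are being rewritten anyway.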
438
536
acl map full control (S)
439
This boolean parameter controls whether \fBsmbd\fR(8)maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL"\&. If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and execute\&.
441
Default: \fB\fIacl map full control\fR = True \fR
537
This boolean parameter controls whether
538
\fBsmbd\fR(8)maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and execute.
541
\fB\fIacl map full control\fR = True \fR
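Review bot: In the acl map full control description, "is this parameter is set to false" should be "if this parameter is set to false", and the true and false cases are joined by a comma into one run-on sentence; split them into two sentences. "\fBsmbd\fR(8)maps" is also missing the space after the manual reference.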
444
543
add group script (G)
445
This is the full pathname to a script that will be run\fBAS ROOT\fR by \fBsmbd\fR(8) when a new group is requested\&. It will expand any \fI%g\fR to the group name passed\&. This script is only useful for installations using the Windows NT domain administration tools\&. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions\&. In that case the script must print the numeric gid of the created group on stdout\&.
544
This is the full pathname to a script that will be run
548
when a new group is requested. It will expand any
550
to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout.
450
554
add machine script (G)
451
This is the full pathname to a script that will be run by\fBsmbd\fR(8) when a machine is added to it's domain using the administrator username and password method\&.
453
This option is only required when using sam back\-ends tied to the Unix uid method of RID calculation such as smbpasswd\&. This option is only available in Samba 3\&.0\&.
455
Default: \fB\fIadd machine script\fR = \fR
457
Example: \fB\fIadd machine script\fR = /usr/sbin/adduser \-n \-g machines \-c Machine \-d /var/lib/nobody \-s /bin/false %u \fR
555
This is the full pathname to a script that will be run by
557
when a machine is added to it's domain using the administrator username and password method.
559
This option is only required when using sam back-ends tied to the Unix uid method of RID calculation such as smbpasswd. This option is only available in Samba 3.0.
562
\fB\fIadd machine script\fR = \fR
565
\fB\fIadd machine script\fR = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u \fR
568
Samba 3.0.23 introduces support for adding printer ports remotely using the Windows "Add Standard TCP/IP Port Wizard". This option defines an external program to be executed when smbd receives a request to add a new Port to the system. he script is passed two parameters:
578
The deviceURI is in the for of socket://<hostname>[:<portnumber>] or lpd://<hostname>/<queuename>.
581
\fB\fIadd port command\fR = \fR
584
\fB\fIadd port command\fR = /etc/samba/scripts/addport.sh \fR
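Review bot: the add port command text has two typos, "he script is passed two parameters:" (should be "The") and "is in the for of" (should be "form"). The entry also never says which account the program runs under, whereas the add group script entry states "AS ROOT" explicitly. Since the deviceURI arrives in a request from a remote Windows client, the entry should state the execution account and tell script authors to check the URI against the two documented forms (socket:// and lpd://) before acting on it.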
460
586
add printer command (G)
461
With the introduction of MS\-RPC based printing support for Windows NT/2000 clients in Samba 2\&.2, The MS Add Printer Wizard (APW) icon is now also available in the "Printers\&.\&.\&." folder displayed a share listing\&. The APW allows for printers to be add remotely to a Samba or Windows NT/2000 print server\&.
463
For a Samba host this means that the printer must be physically added to the underlying printing system\&. The \fIadd printer command\fR defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the \fIsmb\&.conf\fR file in order that it can be shared by \fBsmbd\fR(8)\&.
465
The \fIaddprinter command\fR is automatically invoked with the following parameter (in order):
587
With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon is now also available in the "Printers..." folder displayed a share listing. The APW allows for printers to be add remotely to a Samba or Windows NT/2000 print server.
589
For a Samba host this means that the printer must be physically added to the underlying printing system. The
590
\fIadd printer command\fR
591
defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the
593
file in order that it can be shared by
597
\fIaddprinter command\fR
598
is automatically invoked with the following parameter (in order):
471
602
\fIprinter name\fR
480
611
\fIdriver name\fR
486
617
\fIWindows 9x driver location\fR
490
All parameters are filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client with one exception\&. The "Windows 9x driver location" parameter is included for backwards compatibility only\&. The remaining fields in the structure are generated from answers to the APW questions\&.
492
Once the \fIaddprinter command\fR has been executed, \fBsmbd\fR will reparse the \fI smb\&.conf\fR to determine if the share defined by the APW exists\&. If the sharename is still invalid, then \fBsmbd \fR will return an ACCESS_DENIED error to the client\&.
494
The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is connected to\&. If this line isn't output, Samba won't reload its printer shares\&.
496
Default: \fB\fIadd printer command\fR = \fR
498
Example: \fB\fIadd printer command\fR = /usr/bin/addprinter \fR
620
All parameters are filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client with one exception. The "Windows 9x driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions.
623
\fIaddprinter command\fR
628
to determine if the share defined by the APW exists. If the sharename is still invalid, then
630
will return an ACCESS_DENIED error to the client.
632
The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn't output, Samba won't reload its printer shares.
635
\fB\fIadd printer command\fR = \fR
638
\fB\fIadd printer command\fR = /usr/bin/addprinter \fR
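Review bot: the add printer command entry still switches between "add printer command" and "addprinter command" for the same parameter; use the spelling from the Default and Example lines throughout. The wording carried over unchanged also needs a pass: "The MS Add Printer Wizard" is capitalised mid-sentence, "displayed a share listing" is missing "in", and "printers to be add remotely" should be "added". Because the text says the arguments are "filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client", a sentence reminding script authors that these values are client-controlled would fit here.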
501
640
add share command (G)
502
Samba 2\&.2\&.0 introduced the ability to dynamically add and delete shares via the Windows NT 4\&.0 Server Manager\&. The\fIadd share command\fR is used to define an external program or script which will add a new service definition to \fIsmb\&.conf\fR\&. In order to successfully execute the \fIadd share command\fR, \fBsmbd\fR requires that the administrator be connected using a root account (i\&.e\&. uid == 0)\&.
504
When executed, \fBsmbd\fR will automatically invoke the\fIadd share command\fR with four parameters\&.
510
\fIconfigFile\fR \- the location of the global \fIsmb\&.conf\fR file\&.
513
\fIshareName\fR \- the name of the new share\&.
516
\fIpathName\fR \- path to an **existing** directory on disk\&.
519
\fIcomment\fR \- comment string to associate with the new share\&.
641
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The
642
\fIadd share command\fR
643
is used to define an external program or script which will add a new service definition to
644
\fIsmb.conf\fR. In order to successfully execute the
645
\fIadd share command\fR,
647
requires that the administrator be connected using a root account (i.e. uid == 0).
651
will automatically invoke the
652
\fIadd share command\fR
653
with five parameters.
658
- the location of the global
664
- the name of the new share.
668
- path to an **existing** directory on disk.
672
- comment string to associate with the new share.
675
\fImax connections\fR
676
Number of maximum simultaneous connections to this share.
523
This parameter is only used for add file shares\&. To add printer shares, see the addprinter command\&.
525
Default: \fB\fIadd share command\fR = \fR
527
Example: \fB\fIadd share command\fR = /usr/local/bin/addshare \fR
679
This parameter is only used for add file shares. To add printer shares, see the
683
\fB\fIadd share command\fR = \fR
686
\fB\fIadd share command\fR = /usr/local/bin/addshare \fR
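Review bot: the argument count changes from "four parameters" to "five parameters" with max connections added, but nothing says which Samba release started passing the fifth argument, so the author of an existing four-argument add share command script cannot tell from this page when it changed. Add a version note in the style the change notify timeout entry uses ("Note that in 3.0.23 ..."). The new max connections item also drops the "name - description" form of the other four items, and "only used for add file shares" still reads better as "only used to add file shares".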
530
688
add user script (G)
531
This is the full pathname to a script that will be run \fBAS ROOT\fR by\fBsmbd\fR(8) under special circumstances described below\&.
533
Normally, a Samba server requires that UNIX users are created for all users accessing files on this server\&. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task\&. This option allows smbd to create the required UNIX users\fBON DEMAND\fR when a user accesses the Samba server\&.
535
In order to use this option, \fBsmbd\fR(8) must \fBNOT\fR be set tosecurity = share and add user script must be set to a full pathname for a script that will create a UNIX user given one argument of\fI%u\fR, which expands into the UNIX user name to create\&.
537
When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, \fBsmbd\fR(8) contacts the password server and attempts to authenticate the given user with the given password\&. If the authentication succeeds then \fBsmbd\fR attempts to find a UNIX user in the UNIX password database to map the Windows user into\&. If this lookup fails, andadd user script is set then \fBsmbd\fR will call the specified script \fBAS ROOT\fR, expanding any\fI%u\fR argument to be the user name to create\&.
539
If this script successfully creates the user then \fBsmbd\fR will continue on as though the UNIX user already existed\&. In this way, UNIX users are dynamically created to match existing Windows NT accounts\&.
541
See also security, password server,delete user script\&.
543
Default: \fB\fIadd user script\fR = \fR
545
Example: \fB\fIadd user script\fR = /usr/local/samba/bin/add_user %u \fR
689
This is the full pathname to a script that will be run
693
under special circumstances described below.
695
Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users
697
when a user accesses the Samba server.
699
In order to use this option,
705
add user script must be set to a full pathname for a script that will create a UNIX user given one argument of
706
\fI%u\fR, which expands into the UNIX user name to create.
708
When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time,
711
password server and attempts to authenticate the given user with the given password. If the authentication succeeds then
713
attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and
714
add user script is set then
716
will call the specified script
717
\fBAS ROOT\fR, expanding any
719
argument to be the user name to create.
721
If this script successfully creates the user then
723
will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.
731
\fB\fIadd user script\fR = \fR
734
\fB\fIadd user script\fR = /usr/local/samba/bin/add_user %u \fR
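Review bot: the add user script entry says the script runs "AS ROOT" with %u expanded to the user name taken from the Windows login, but gives script authors no guidance on what that name may contain. A sentence stating that the script must validate the expanded name before creating the account would close that documentation gap. Separately, "for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database creating these users ..." needs a comma after "user database".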
548
736
add user to group script (G)
549
Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools\&. It will be run by \fBsmbd\fR(8) \fBAS ROOT\fR\&. Any \fI%g\fR will be replaced with the group name and any \fI%u\fR will be replaced with the user name\&.
551
Note that the \fBadduser\fR command used in the example below does not support the used syntax on all systems\&.
553
Default: \fB\fIadd user to group script\fR = \fR
555
Example: \fB\fIadd user to group script\fR = /usr/sbin/adduser %u %g \fR
737
Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by
741
will be replaced with the group name and any
743
will be replaced with the user name.
747
command used in the example below does not support the used syntax on all systems.
750
\fB\fIadd user to group script\fR = \fR
753
\fB\fIadd user to group script\fR = /usr/sbin/adduser %u %g \fR
559
This is a list of users who will be granted administrative privileges on the share\&. This means that they will do all file operations as the super\-user (root)\&.
561
You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions\&.
563
This parameter will not work with the security = share in Samba 3\&.0\&. This is by design\&.
565
Default: \fB\fIadmin users\fR = \fR
567
Example: \fB\fIadmin users\fR = jason \fR
756
This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root).
758
You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.
760
This parameter will not work with the
761
security = share in Samba 3.0. This is by design.
764
\fB\fIadmin users\fR = \fR
767
\fB\fIadmin users\fR = jason \fR
571
This parameter controls whether special AFS features are enabled for this share\&. If enabled, it assumes that the directory exported via the \fIpath\fR parameter is a local AFS import\&. The special AFS features include the attempt to hand\-craft an AFS token if you enabled \-\-with\-fake\-kaserver in configure\&.
573
Default: \fB\fIafs share\fR = no \fR
770
This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the
772
parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure.
775
\fB\fIafs share\fR = no \fR
576
777
afs username map (G)
577
If you are using the fake kaserver AFS feature, you might want to hand\-craft the usernames you are creating tokens for\&. For example this is necessary if you have users from several domain in your AFS Protection Database\&. One possible scheme to code users as DOMAIN+User as it is done by winbind with the + as a separator\&.
579
The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token\&.
581
Default: \fB\fIafs username map\fR = \fR
583
Example: \fB\fIafs username map\fR = %u@afs\&.samba\&.org \fR
778
If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example this is necessary if you have users from several domain in your AFS Protection Database. One possible scheme to code users as DOMAIN+User as it is done by winbind with the + as a separator.
780
The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.
783
\fB\fIafs username map\fR = \fR
786
\fB\fIafs username map\fR = %u@afs.samba.org \fR
586
788
algorithmic rid base (G)
587
This determines how Samba will use its algorithmic mapping from uids/gid to the RIDs needed to construct NT Security Identifiers\&.
589
Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with sytem users etc\&.
591
All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server\&. As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues\&. Users and groups can then be assigned 'low' RIDs in arbitary\-rid supporting backends\&.
593
Default: \fB\fIalgorithmic rid base\fR = 1000 \fR
595
Example: \fB\fIalgorithmic rid base\fR = 100000 \fR
789
This determines how Samba will use its algorithmic mapping from uids/gid to the RIDs needed to construct NT Security Identifiers.
791
Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with sytem users etc.
793
All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server. As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in arbitary-rid supporting backends.
796
\fB\fIalgorithmic rid base\fR = 1000 \fR
799
\fB\fIalgorithmic rid base\fR = 100000 \fR
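Review bot: the algorithmic rid base text keeps three spelling errors on both sides of the change: "sytem users" (system), "arbitary-rid supporting backends" (arbitrary), and "from uids/gid" (uids/gids). Since the paragraph is being touched anyway, fix them in the same commit. The entry also claims a larger value helps sites "transitioning from WinNT and Win2k" without saying whether changing the base on a server with existing ACLs alters the SIDs already stored; a one-line statement either way would help.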
598
801
allocation roundup size (S)
599
This parameter allows an administrator to tune the allocation size reported to Windows clients\&. The default size of 1Mb generally results in improved Windows client performance\&. However, rounding the allocation size may cause difficulties for some applications, e\&.g\&. MS Visual Studio\&. If the MS Visual Studio compiler starts to crash with an internal error, set this parameter to zero for this share\&.
601
The integer parameter specifies the roundup size in bytes\&.
603
Default: \fB\fIallocation roundup size\fR = 1048576 \fR
605
Example: \fB\fIallocation roundup size\fR = 0 # (to disable roundups) \fR
802
This parameter allows an administrator to tune the allocation size reported to Windows clients. The default size of 1Mb generally results in improved Windows client performance. However, rounding the allocation size may cause difficulties for some applications, e.g. MS Visual Studio. If the MS Visual Studio compiler starts to crash with an internal error, set this parameter to zero for this share.
804
The integer parameter specifies the roundup size in bytes.
807
\fB\fIallocation roundup size\fR = 1048576 \fR
810
\fB\fIallocation roundup size\fR = 0 # (to disable roundups) \fR
608
812
allow trusted domains (G)
609
This option only takes effect when the security option is set to \fBserver\fR,\fBdomain\fR or \fBads\fR\&. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication\&.
611
This is useful if you only want your Samba server to serve resources to users in the domain it is a member of\&. As an example, suppose that there are two domains DOMA and DOMB\&. DOMB is trusted by DOMA, which contains the Samba server\&. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA\&. This can make implementing a security boundary difficult\&.
613
Default: \fB\fIallow trusted domains\fR = yes \fR
813
This option only takes effect when the
814
security option is set to
815
\fBserver\fR,\fBdomain\fR
817
\fBads\fR. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.
819
This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As an example, suppose that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains the Samba server. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.
822
\fB\fIallow trusted domains\fR = yes \fR
617
This specifies what type of server \fBnmbd\fR(8) will announce itself as, to a network neighborhood browse list\&. By default this is set to Windows NT\&. The valid options are : "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively\&. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly\&.
619
Default: \fB\fIannounce as\fR = NT Server \fR
621
Example: \fB\fIannounce as\fR = Win95 \fR
825
This specifies what type of server
827
will announce itself as, to a network neighborhood browse list. By default this is set to Windows NT. The valid options are : "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly.
830
\fB\fIannounce as\fR = NT Server \fR
833
\fB\fIannounce as\fR = Win95 \fR
624
835
announce version (G)
625
This specifies the major and minor version numbers that nmbd will use when announcing itself as a server\&. The default is 4\&.9\&. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server\&.
627
Default: \fB\fIannounce version\fR = 4\&.9 \fR
629
Example: \fB\fIannounce version\fR = 2\&.0 \fR
836
This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.
839
\fB\fIannounce version\fR = 4.9 \fR
842
\fB\fIannounce version\fR = 2.0 \fR
633
This option allows the administrator to chose what authentication methods \fBsmbd\fR will use when authenticating a user\&. This option defaults to sensible values based on security\&. This should be considered a developer option and used only in rare circumstances\&. In the majority (if not all) of production servers, the default setting should be adequate\&.
635
Each entry in the list attempts to authenticate the user in turn, until the user authenticates\&. In practice only one method will ever actually be able to complete the authentication\&.
637
Possible options include \fBguest\fR (anonymous access), \fBsam\fR (lookups in local list of accounts based on netbios name or domain name), \fBwinbind\fR (relay authentication requests for remote users through winbindd), \fBntdomain\fR (pre\-winbindd method of authentication for remote domain users; deprecated in favour of winbind method), \fBtrustdomain\fR (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method)\&.
639
Default: \fB\fIauth methods\fR = \fR
641
Example: \fB\fIauth methods\fR = guest sam winbind \fR
845
This option allows the administrator to chose what authentication methods
847
will use when authenticating a user. This option defaults to sensible values based on
848
security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.
850
Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication.
852
Possible options include
856
(lookups in local list of accounts based on netbios name or domain name),
858
(relay authentication requests for remote users through winbindd),
860
(pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method),
862
(authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method).
865
\fB\fIauth methods\fR = \fR
868
\fB\fIauth methods\fR = guest sam winbind \fR
645
This parameter lets you "turn off" a service\&. If\fIavailable = no\fR, then \fBALL\fR attempts to connect to the service will fail\&. Such failures are logged\&.
647
Default: \fB\fIavailable\fR = yes \fR
871
This parameter lets you "turn off" a service. If
872
\fIavailable = no\fR, then
874
attempts to connect to the service will fail. Such failures are logged.
877
\fB\fIavailable\fR = yes \fR
650
879
bind interfaces only (G)
651
This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests\&. It affects file service \fBsmbd\fR(8) and name service \fBnmbd\fR(8) in a slightly different ways\&.
653
For name service it causes \fBnmbd\fR to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter\&. \fBnmbd\fR also binds to the "all addresses" interface (0\&.0\&.0\&.0) on ports 137 and 138 for the purposes of reading broadcast messages\&. If this option is not set then \fBnmbd\fR will service name requests on all of these sockets\&. If bind interfaces only is set then\fBnmbd\fR will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in theinterfaces parameter list\&. As unicast packets are received on the other sockets it allows \fBnmbd\fR to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list\&. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for\fBnmbd\fR\&.
655
For file service it causes \fBsmbd\fR(8) to bind only to the interface list given in the interfaces parameter\&. This restricts the networks that \fBsmbd\fR will serve to packets coming in those interfaces\&. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non\-broadcast network interfaces as it will not cope with non\-permanent interfaces\&.
657
If bind interfaces only is set then unless the network address\fB127\&.0\&.0\&.1\fR is added to the interfaces parameter list\fBsmbpasswd\fR(8) and\fBswat\fR(8) may not work as expected due to the reasons covered below\&.
659
To change a users SMB password, the \fBsmbpasswd\fR by default connects to the\fBlocalhost \- 127\&.0\&.0\&.1\fR address as an SMB client to issue the password change request\&. Ifbind interfaces only is set then unless the network address\fB127\&.0\&.0\&.1\fR is added to the interfaces parameter list then \fB smbpasswd\fR will fail to connect in it's default mode\&. \fBsmbpasswd\fR can be forced to use the primary IP interface of the local host by using its \fBsmbpasswd\fR(8)\fI\-r \fIremote machine\fR\fR parameter, with \fIremote machine\fR set to the IP name of the primary interface of the local host\&.
661
The \fBswat\fR status page tries to connect with \fBsmbd\fR and \fBnmbd\fR at the address\fB127\&.0\&.0\&.1\fR to determine if they are running\&. Not adding \fB127\&.0\&.0\&.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show "not running" even if they really are\&. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR and \fBnmbd\fR\&.
663
Default: \fB\fIbind interfaces only\fR = no \fR
880
This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service
884
in a slightly different ways.
886
For name service it causes
888
to bind to ports 137 and 138 on the interfaces listed in the
889
interfaces parameter.
891
also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then
893
will service name requests on all of these sockets. If
894
bind interfaces only is set then
896
will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the
897
interfaces parameter list. As unicast packets are received on the other sockets it allows
899
to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the
900
interfaces list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
903
For file service it causes
905
to bind only to the interface list given in the
906
interfaces parameter. This restricts the networks that
908
will serve to packets coming in those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.
911
bind interfaces only is set then unless the network address
914
interfaces parameter list
918
may not work as expected due to the reasons covered below.
920
To change a users SMB password, the
922
by default connects to the
923
\fBlocalhost - 127.0.0.1\fR
924
address as an SMB client to issue the password change request. If
925
bind interfaces only is set then unless the network address
928
interfaces parameter list then
930
will fail to connect in it's default mode.
932
can be forced to use the primary IP interface of the local host by using its
934
\fI-r \fR\fI\fIremote machine\fR\fR
937
set to the IP name of the primary interface of the local host.
941
status page tries to connect with
947
to determine if they are running. Not adding
953
to always show "not running" even if they really are. This can prevent
955
from starting/stopping/restarting
961
\fB\fIbind interfaces only\fR = no \fR
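Review bot: the bind interfaces only entry carries over "in a slightly different ways" (drop "a"), "To change a users SMB password" (user's) and "in it's default mode" (its). The caveat that source address spoofing defeats the nmbd check is buried at the end of a long paragraph; moving "it must not be used seriously as a security feature" into its own short paragraph would make it harder to miss.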
666
963
blocking locks (S)
667
This parameter controls the behavior of \fBsmbd\fR(8) when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it\&.
669
If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires\&.
671
If this parameter is set to \fBno\fR, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained\&.
673
Default: \fB\fIblocking locks\fR = yes \fR
964
This parameter controls the behavior of
966
when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.
968
If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.
970
If this parameter is set to
971
\fBno\fR, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.
974
\fB\fIblocking locks\fR = yes \fR
677
This parameter controls the behavior of \fBsmbd\fR(8) when reporting disk free sizes\&. By default, this reports a disk block size of 1024 bytes\&.
679
Changing this parameter may have some effect on the efficiency of client writes, this is not yet confirmed\&. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance without re\-compiling the code\&. As this is an experimental option it may be removed in a future release\&.
681
Changing this option does not change the disk free reporting size, just the block size unit reported to the client\&.
977
This parameter controls the behavior of
979
when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes.
981
Changing this parameter may have some effect on the efficiency of client writes, this is not yet confirmed. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance without re-compiling the code. As this is an experimental option it may be removed in a future release.
983
Changing this option does not change the disk free reporting size, just the block size unit reported to the client.
986
\fB\fIblock size\fR = 1024 \fR
989
\fB\fIblock size\fR = 4096 \fR
687
This parameter is a synonym for browseable\&.
992
This parameter is a synonym for browseable.
691
This controls whether this share is seen in the list of available shares in a net view and in the browse list\&.
693
Default: \fB\fIbrowseable\fR = yes \fR
995
This controls whether this share is seen in the list of available shares in a net view and in the browse list.
998
\fB\fIbrowseable\fR = yes \fR
697
This controls whether \fBsmbd\fR(8) will serve a browse list to a client doing a \fBNetServerEnum\fR call\&. Normally set to \fByes\fR\&. You should never need to change this\&.
699
Default: \fB\fIbrowse list\fR = yes \fR
1001
This controls whether
1003
will serve a browse list to a client doing a
1005
call. Normally set to
1006
\fByes\fR. You should never need to change this.
1009
\fB\fIbrowse list\fR = yes \fR
703
This parameter is a synonym for case sensitive\&.
1012
This parameter is a synonym for case sensitive.
706
1014
case sensitive (S)
707
See the discussion in the section name mangling\&.
709
Default: \fB\fIcase sensitive\fR = no \fR
712
change notify timeout (G)
713
This SMB allows a client to tell a server to "watch" a particular directory for any changes and only reply to the SMB request when a change has occurred\&. Such constant scanning of a directory is expensive under UNIX, hence an \fBsmbd\fR(8) daemon only performs such a scan on each requested directory once every \fIchange notify timeout\fR seconds\&.
715
Default: \fB\fIchange notify timeout\fR = 60 \fR
717
Example: \fB\fIchange notify timeout\fR = 300 # Would change the scan time to every 5 minutes\&. \fR
1015
See the discussion in the section
1019
\fB\fIcase sensitive\fR = no \fR
1021
change notify timeout (S)
1022
This SMB allows a client to tell a server to "watch" a particular directory for any changes and only reply to the SMB request when a change has occurred. Such constant scanning of a directory is expensive under UNIX, hence an
1024
daemon only performs such a scan on each requested directory once every
1025
\fIchange notify timeout\fR
1026
seconds. Note that in 3.0.23 this has been changed to a per-share parameter and setting this to zero prevents any change notify directory scans completely on a share. This is to allow this paramter to be set to zero on shares configured for very large directories, where a Windows client will re-scan the entire directory after every delete operation (when deleting many files) due to the change notify triggering. This is an extremely expensive operation on some systems.
1029
\fB\fIchange notify timeout\fR = 60 \fR
1032
\fB\fIchange notify timeout\fR = 300 # Would change the scan time to every 5 minutes. \fR
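Review bot: "paramter" is misspelled in the added 3.0.23 sentence ("This is to allow this paramter to be set to zero"); correct it to "parameter". The zero value that disables change notify scans on a share is described only in the prose, so an example line with the value 0 for a large-directory share would make the new per-share behaviour easier to find.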
720
1034
change share command (G)
721
Samba 2\&.2\&.0 introduced the ability to dynamically add and delete shares via the Windows NT 4\&.0 Server Manager\&. The\fIchange share command\fR is used to define an external program or script which will modify an existing service definition in \fIsmb\&.conf\fR\&. In order to successfully execute the \fIchange share command\fR, \fBsmbd\fR requires that the administrator be connected using a root account (i\&.e\&. uid == 0)\&.
723
When executed, \fBsmbd\fR will automatically invoke the\fIchange share command\fR with four parameters\&.
729
\fIconfigFile\fR \- the location of the global \fIsmb\&.conf\fR file\&.
732
\fIshareName\fR \- the name of the new share\&.
735
\fIpathName\fR \- path to an **existing** directory on disk\&.
738
\fIcomment\fR \- comment string to associate with the new share\&.
1035
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The
1036
\fIchange share command\fR
1037
is used to define an external program or script which will modify an existing service definition in
1038
\fIsmb.conf\fR. In order to successfully execute the
1039
\fIchange share command\fR,
1041
requires that the administrator be connected using a root account (i.e. uid == 0).
1045
will automatically invoke the
1046
\fIchange share command\fR
1047
with five parameters.
1052
- the location of the global
1058
- the name of the new share.
1062
- path to an **existing** directory on disk.
1066
- comment string to associate with the new share.
1069
\fImax connections\fR
1070
Number of maximum simultaneous connections to this share.
742
This parameter is only used modify existing file shares definitions\&. To modify printer shares, use the "Printers\&.\&.\&." folder as seen when browsing the Samba host\&.
744
Default: \fB\fIchange share command\fR = \fR
746
Example: \fB\fIchange share command\fR = /usr/local/bin/addshare \fR
1073
This parameter is only used modify existing file shares definitions. To modify printer shares, use the "Printers..." folder as seen when browsing the Samba host.
1076
\fB\fIchange share command\fR = \fR
1079
\fB\fIchange share command\fR = /usr/local/bin/addshare \fR
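Review bot: The new fifth entry, max connections, reads "Number of maximum simultaneous connections"; "Maximum number of simultaneous connections to this share" is clearer. The unchanged sentence "This parameter is only used modify existing file shares definitions" still lacks "to", and shareName is still described as "the name of the new share" although this command modifies an existing definition. Since the command is invoked for an administrator connected as root (uid == 0), the text should also state that shareName, pathName and comment come from the Server Manager request and that the script must validate them before writing to smb.conf.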
749
1081
check password script (G)
750
The name of a program that can be used to check password complexity\&. The password is sent to the program's standrad input\&.
752
The program must return 0 on good password any other value otherwise\&. In case the password is considered weak (the program do not return 0) the user will be notified and the password change will fail\&.
1082
The name of a program that can be used to check password complexity. The password is sent to the program's standrad input.
1084
The program must return 0 on good password any other value otherwise. In case the password is considered weak (the program do not return 0) the user will be notified and the password change will fail.
754
1086
Note: In the example directory there is a sample program called crackcheck that uses cracklib to checkpassword quality
759
Default: \fB\fIcheck password script\fR = Disabled \fR
761
Example: \fB\fIcheck password script\fR = check password script = /usr/local/sbin/crackcheck \fR
1092
\fB\fIcheck password script\fR = Disabled \fR
1095
\fB\fIcheck password script\fR = check password script = /usr/local/sbin/crackcheck \fR
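Review bot: The Example line repeats the parameter name ("check password script = check password script = /usr/local/sbin/crackcheck"), so copying it verbatim sets the wrong value; it should read check password script = /usr/local/sbin/crackcheck. The new text also keeps "standrad input" and "the program do not return 0", and the crackcheck note still runs "checkpassword" together.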
764
1097
client lanman auth (G)
765
This parameter determines whether or not \fBsmbclient\fR(8) and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash\&. If disabled, only server which support NT password hashes (e\&.g\&. Windows NT/2000, Samba, etc\&.\&.\&. but not Windows 95/98) will be able to be connected from the Samba client\&.
767
The LANMAN encrypted response is easily broken, due to it's case\-insensitive nature, and the choice of algorithm\&. Clients without Windows 95/98 servers are advised to disable this option\&.
769
Disabling this option will also disable the \fBclient plaintext auth\fR option
771
Likewise, if the \fBclient ntlmv2 auth\fR parameter is enabled, then only NTLMv2 logins will be attempted\&.
773
Default: \fB\fIclient lanman auth\fR = yes \fR
1098
This parameter determines whether or not
1100
and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash. If disabled, only server which support NT password hashes (e.g. Windows NT/2000, Samba, etc... but not Windows 95/98) will be able to be connected from the Samba client.
1102
The LANMAN encrypted response is easily broken, due to it's case-insensitive nature, and the choice of algorithm. Clients without Windows 95/98 servers are advised to disable this option.
1104
Disabling this option will also disable the
1105
\fBclient plaintext auth\fR
1109
\fBclient ntlmv2 auth\fR
1110
parameter is enabled, then only NTLMv2 logins will be attempted.
1113
\fB\fIclient lanman auth\fR = yes \fR
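Review bot: The paragraph calling the LANMAN response "easily broken" still has "due to it's case-insensitive nature" (should be "its") and "only server which support" (should be "only servers which support"). The default stays yes while the text advises clients without Windows 95/98 servers to disable the option; stating the recommended value next to the default would keep readers from missing that advice.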
776
1115
client ntlmv2 auth (G)
777
This parameter determines whether or not \fBsmbclient\fR(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response\&.
779
If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent\&. Many servers (including NT4 < SP4, Win9x and Samba 2\&.2) are not compatible with NTLMv2\&.
781
Similarly, if enabled, NTLMv1, \fBclient lanman auth\fR and \fBclient plaintext auth\fR authentication will be disabled\&. This also disables share\-level authentication\&.
783
If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of \fBclient lanman auth\fR\&.
785
Note that some sites (particularly those following 'best practice' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM\&.
787
Default: \fB\fIclient ntlmv2 auth\fR = no \fR
1116
This parameter determines whether or not
1118
will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.
1120
If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Many servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2.
1122
Similarly, if enabled, NTLMv1,
1123
\fBclient lanman auth\fR
1125
\fBclient plaintext auth\fR
1126
authentication will be disabled. This also disables share-level authentication.
1128
If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of
1129
\fBclient lanman auth\fR.
1131
Note that some sites (particularly those following 'best practice' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM.
1134
\fB\fIclient ntlmv2 auth\fR = no \fR
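Review bot: "security polices" in the closing note should be "security policies". The default remains no although the text calls NTLMv2 and LMv2 "much more secure than earlier versions"; a sentence on when the option can be enabled, given the listed incompatible servers (NT4 < SP4, Win9x and Samba 2.2), would help readers act on it.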
790
1136
client plaintext auth (G)
791
Specifies whether a client should send a plaintext password if the server does not support encrypted passwords\&.
793
Default: \fB\fIclient plaintext auth\fR = yes \fR
1137
Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.
1140
\fB\fIclient plaintext auth\fR = yes \fR
796
1142
client schannel (G)
797
This controls whether the client offers or even demands the use of the netlogon schannel\&. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not enforce it, and client schannel = yes denies access if the server is not able to speak netlogon schannel\&.
799
Default: \fB\fIclient schannel\fR = auto \fR
801
Example: \fB\fIclient schannel\fR = yes \fR
1143
This controls whether the client offers or even demands the use of the netlogon schannel.
1144
client schannel = no does not offer the schannel,
1145
client schannel = auto offers the schannel but does not enforce it, and
1146
client schannel = yes denies access if the server is not able to speak netlogon schannel.
1149
\fB\fIclient schannel\fR = auto \fR
1152
\fB\fIclient schannel\fR = yes \fR
804
1154
client signing (G)
805
This controls whether the client offers or requires the server it talks to to use SMB signing\&. Possible values are \fBauto\fR, \fBmandatory\fR and \fBdisabled\fR\&.
807
When set to auto, SMB signing is offered, but not enforced\&. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either\&.
809
Default: \fB\fIclient signing\fR = auto \fR
1155
This controls whether the client offers or requires the server it talks to to use SMB signing. Possible values are
1161
When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either.
1164
\fB\fIclient signing\fR = auto \fR
812
1166
client use spnego (G)
813
This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba 3\&.0) to agree upon an authentication mechanism\&. This enables Kerberos authentication in particular\&.
815
Default: \fB\fIclient use spnego\fR = yes \fR
1167
This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba 3.0) to agree upon an authentication mechanism. This enables Kerberos authentication in particular.
1170
\fB\fIclient use spnego\fR = yes \fR
819
This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via \fBnet view\fR to list what shares are available\&.
821
If you want to set the string that is displayed next to the machine name then see the server string parameter\&.
823
Default: \fB\fIcomment\fR = # No comment \fR
825
Example: \fB\fIcomment\fR = Fred's Files \fR
1173
This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via
1175
to list what shares are available.
1177
If you want to set the string that is displayed next to the machine name then see the
1178
server string parameter.
1181
\fB\fIcomment\fR = # No comment \fR
1184
\fB\fIcomment\fR = Fred's Files \fR
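Review bot: "when a client does a queries the server" is ungrammatical in both versions of the first sentence; use "when a client queries the server".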
829
This allows you to override the config file to use, instead of the default (usually \fIsmb\&.conf\fR)\&. There is a chicken and egg problem here as this option is set in the config file!
831
For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file\&.
833
This option takes the usual substitutions, which can be very useful\&.
835
If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients)\&.
1187
This allows you to override the config file to use, instead of the default (usually
1188
\fIsmb.conf\fR). There is a chicken and egg problem here as this option is set in the config file!
1190
For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file.
1192
This option takes the usual substitutions, which can be very useful.
1194
If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients).
837
1196
\fBNo default\fR
839
Example: \fB\fIconfig file\fR = /usr/local/samba/lib/smb\&.conf\&.%m \fR
1199
\fB\fIconfig file\fR = /usr/local/samba/lib/smb.conf.%m \fR
843
This parameter allows you to "clone" service entries\&. The specified service is simply duplicated under the current service's name\&. Any parameters specified in the current section will override those in the section being copied\&.
845
This feature lets you set up a 'template' service and create similar services easily\&. Note that the service being copied must occur earlier in the configuration file than the service doing the copying\&.
847
Default: \fB\fIcopy\fR = \fR
849
Example: \fB\fIcopy\fR = otherservice \fR
1202
This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.
1204
This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.
1210
\fB\fIcopy\fR = otherservice \fR
853
This parameter is a synonym for create mask\&.
1213
This parameter is a synonym for create mask.
857
When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit\-wise 'AND'ed with this parameter\&. This parameter may be thought of as a bit\-wise MASK for the UNIX modes of a file\&. Any bit \fBnot\fR set here will be removed from the modes set on a file when it is created\&.
859
The default value of this parameter removes the group and other write and execute bits from the UNIX modes\&.
861
Following this Samba will bit\-wise 'OR' the UNIX mode created from this parameter with the value of theforce create mode parameter which is set to 000 by default\&.
863
This parameter does not affect directory masks\&. See the parameter directory mask for details\&.
865
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors\&. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask\&.
867
Default: \fB\fIcreate mask\fR = 0744 \fR
869
Example: \fB\fIcreate mask\fR = 0775 \fR
1216
When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit
1218
set here will be removed from the modes set on a file when it is created.
1220
The default value of this parameter removes the
1224
write and execute bits from the UNIX modes.
1226
Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
1227
force create mode parameter which is set to 000 by default.
1229
This parameter does not affect directory masks. See the parameter
1230
directory mask for details.
1232
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the
1236
\fB\fIcreate mask\fR = 0744 \fR
1239
\fB\fIcreate mask\fR = 0775 \fR
873
This stands for \fBclient\-side caching policy\fR, and specifies how clients capable of offline caching will cache the files in the share\&. The valid values are: manual, documents, programs, disable\&.
875
These values correspond to those used on Windows servers\&.
877
For example, shares containing roaming profiles can have offline caching disabled usingcsc policy = disable\&.
879
Default: \fB\fIcsc policy\fR = manual \fR
881
Example: \fB\fIcsc policy\fR = programs \fR
1243
\fBclient-side caching policy\fR, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.
1245
These values correspond to those used on Windows servers.
1247
For example, shares containing roaming profiles can have offline caching disabled using
1248
csc policy = disable.
1251
\fB\fIcsc policy\fR = manual \fR
1254
\fB\fIcsc policy\fR = programs \fR
884
1256
cups options (S)
885
This parameter is only applicable if printing is set to \fBcups\fR\&. Its value is a free form string of options passed directly to the cups library\&.
887
You can pass any generic print option known to CUPS (as listed in the CUPS "Software Users' Manual")\&. You can also pass any printer specific option (as listed in "lpoptions \-d printername \-l") valid for the target queue\&.
889
You should set this parameter to \fBraw\fR if your CUPS server \fIerror_log\fR file contains messages such as "Unsupported format 'application/octet\-stream'" when printing from a Windows client through Samba\&. It is no longer necessary to enable system wide raw printing in \fI/etc/cups/mime\&.{convs,types}\fR\&.
891
Default: \fB\fIcups options\fR = "" \fR
893
Example: \fB\fIcups options\fR = "raw,media=a4,job\-sheets=secret,secret" \fR
1257
This parameter is only applicable if
1259
\fBcups\fR. Its value is a free form string of options passed directly to the cups library.
1261
You can pass any generic print option known to CUPS (as listed in the CUPS "Software Users' Manual"). You can also pass any printer specific option (as listed in "lpoptions -d printername -l") valid for the target queue.
1263
You should set this parameter to
1267
file contains messages such as "Unsupported format 'application/octet-stream'" when printing from a Windows client through Samba. It is no longer necessary to enable system wide raw printing in
1268
\fI/etc/cups/mime.{convs,types}\fR.
1271
\fB\fIcups options\fR = "" \fR
1274
\fB\fIcups options\fR = "raw,media=a4,job-sheets=secret,secret" \fR
897
This parameter is only applicable if printing is set to \fBcups\fR\&.
899
If set, this option overrides the ServerName option in the CUPS \fIclient\&.conf\fR\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
901
Default: \fB\fIcups server\fR = "" \fR
903
Example: \fB\fIcups server\fR = MYCUPSSERVER \fR
1277
This parameter is only applicable if
1281
If set, this option overrides the ServerName option in the CUPS
1282
\fIclient.conf\fR. This is necessary if you have virtual samba servers that connect to different CUPS daemons.
1284
Optionally, a port can be specified by separating the server name and port number with a colon. If no port was specified, the default port for IPP (631) will be used.
1287
\fB\fIcups server\fR = "" \fR
1290
\fB\fIcups server\fR = mycupsserver \fR
1293
\fB\fIcups server\fR = mycupsserver:1631 \fR
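Review bot: The added port sentence mixes tenses ("If no port was specified, the default port for IPP (631) will be used"); use "If no port is specified". The example value also changes from MYCUPSSERVER to mycupsserver without the text saying whether the server name is case-sensitive, so either keep the original spelling or say that case does not matter.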
907
The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected\&. The deadtime only takes effect if the number of open files is zero\&.
909
This is useful to stop a server's resources being exhausted by a large number of inactive connections\&.
911
Most clients have an auto\-reconnect feature when a connection is broken so in most cases this parameter should be transparent to users\&.
913
Using this parameter with a timeout of a few minutes is recommended for most systems\&.
915
A deadtime of zero indicates that no auto\-disconnection should be performed\&.
917
Default: \fB\fIdeadtime\fR = 0 \fR
919
Example: \fB\fIdeadtime\fR = 15 \fR
1296
The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.
1298
This is useful to stop a server's resources being exhausted by a large number of inactive connections.
1300
Most clients have an auto-reconnect feature when a connection is broken so in most cases this parameter should be transparent to users.
1302
Using this parameter with a timeout of a few minutes is recommended for most systems.
1304
A deadtime of zero indicates that no auto-disconnection should be performed.
1307
\fB\fIdeadtime\fR = 0 \fR
1310
\fB\fIdeadtime\fR = 15 \fR
922
1312
debug hires timestamp (G)
923
Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this boolean parameter adds microsecond resolution to the timestamp message header when turned on\&.
925
Note that the parameter debug timestamp must be on for this to have an effect\&.
927
Default: \fB\fIdebug hires timestamp\fR = no \fR
1313
Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this boolean parameter adds microsecond resolution to the timestamp message header when turned on.
1315
Note that the parameter
1316
debug timestamp must be on for this to have an effect.
1319
\fB\fIdebug hires timestamp\fR = no \fR
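Review bot: "a resolution of higher that seconds" is carried over unchanged in the first sentence; it should read "a resolution higher than seconds", and the comma before "this boolean parameter" should be a full stop.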
931
When using only one log file for more then one forked \fBsmbd\fR(8)\-process there may be hard to follow which process outputs which message\&. This boolean parameter is adds the process\-id to the timestamp message headers in the logfile when turned on\&.
933
Note that the parameter debug timestamp must be on for this to have an effect\&.
935
Default: \fB\fIdebug pid\fR = no \fR
1322
When using only one log file for more then one forked
1323
\fBsmbd\fR(8)-process there may be hard to follow which process outputs which message. This boolean parameter is adds the process-id to the timestamp message headers in the logfile when turned on.
1325
Note that the parameter
1326
debug timestamp must be on for this to have an effect.
1329
\fB\fIdebug pid\fR = no \fR
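Review bot: The first paragraph keeps three errors from the old text: "more then one" (than), "there may be hard to follow" (it may be hard to follow) and "This boolean parameter is adds" (adds). Since the line is being touched anyway, fix them in the same change.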
939
This parameter is a synonym for debug timestamp\&.
1332
This parameter is a synonym for debug timestamp.
942
1334
debug timestamp (G)
943
Samba debug log messages are timestamped by default\&. If you are running at a high debug level these timestamps can be distracting\&. This boolean parameter allows timestamping to be turned off\&.
945
Default: \fB\fIdebug timestamp\fR = yes \fR
1335
Samba debug log messages are timestamped by default. If you are running at a high
1336
debug level these timestamps can be distracting. This boolean parameter allows timestamping to be turned off.
1339
\fB\fIdebug timestamp\fR = yes \fR
949
Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the current euid, egid, uid and gid to the timestamp message headers in the log file if turned on\&.
951
Note that the parameter debug timestamp must be on for this to have an effect\&.
953
Default: \fB\fIdebug uid\fR = no \fR
1342
Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.
1344
Note that the parameter
1345
debug timestamp must be on for this to have an effect.
1348
\fB\fIdebug uid\fR = no \fR
956
1350
default case (S)
957
See the section on name mangling \&. Also note the short preserve case parameter\&.
959
Default: \fB\fIdefault case\fR = lower \fR
1352
name mangling . Also note the
1353
short preserve case parameter.
1356
\fB\fIdefault case\fR = lower \fR
962
1358
default devmode (S)
963
This parameter is only applicable to printable services\&. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings\&. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform)\&. Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL\&.
965
Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode\&. Certain drivers will do things such as crashing the client's Explorer\&.exe with a NULL devmode\&. However, other printer drivers can cause the client's spooler service (spoolsv\&.exe) to die if the devmode was not created by the driver itself (i\&.e\&. smbd generates a default devmode)\&.
967
This parameter should be used with care and tested with the printer driver in question\&. It is better to leave the device mode to NULL and let the Windows client set the correct values\&. Because drivers do not do this all the time, setting \fBdefault devmode = yes\fR will instruct smbd to generate a default one\&.
969
For more information on Windows NT/2k printing and Device Modes, see the MSDN documentation\&.
971
Default: \fB\fIdefault devmode\fR = no \fR
1359
This parameter is only applicable to
1360
printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform). Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL.
1362
Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode. Certain drivers will do things such as crashing the client's Explorer.exe with a NULL devmode. However, other printer drivers can cause the client's spooler service (spoolsv.exe) to die if the devmode was not created by the driver itself (i.e. smbd generates a default devmode).
1364
This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode to NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting
1365
\fBdefault devmode = yes\fR
1366
will instruct smbd to generate a default one.
1368
For more information on Windows NT/2k printing and Device Modes, see the
1372
\fB\fIdefault devmode\fR = no \fR
975
This parameter is a synonym for default service\&.
1375
This parameter is a synonym for default service.
978
1377
default service (G)
979
This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found\&. Note that the square brackets are \fBNOT\fR given in the parameter value (see example below)\&.
981
There is no default value for this parameter\&. If this parameter is not given, attempting to connect to a nonexistent service results in an error\&.
983
Typically the default service would be a guest ok, read\-only service\&.
985
Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use macros like \fI%S\fR to make a wildcard service\&.
987
Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/"\&. This allows for interesting things\&.
989
Default: \fB\fIdefault service\fR = \fR
991
Example: \fB\fIdefault service\fR = pub \fR
1378
This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are
1380
given in the parameter value (see example below).
1382
There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error.
1384
Typically the default service would be a
1388
Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use macros like
1390
to make a wildcard service.
1392
Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for interesting things.
1395
\fB\fIdefault service\fR = \fR
1398
\fB\fIdefault service\fR = pub \fR
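Review bot: "This allows for interesting things" tells the administrator nothing about the "_" to "/" mapping described in the sentence before it. Because the apparent service name is taken from the name the client requested and is available through %S, the text should say what the mapping is intended for and that a default service using %S should be restricted accordingly (the paragraph already suggests a guest ok, read-only service).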
994
1400
defer sharing violations (G)
995
Windows allows specifying how a file will be shared with other processes when it is opened\&. Sharing violations occur when a file is opened by a different process using options that violate the share settings specified by other processes\&. This parameter causes smbd to act as a Windows server does, and defer returning a "sharing violation" error message for up to one second, allowing the client to close the file causing the violation in the meantime\&.
997
UNIX by default does not have this behaviour\&.
999
There should be no reason to turn off this parameter, as it is designed to enable Samba to more correctly emulate Windows\&.
1001
Default: \fB\fIdefer sharing violations\fR = True \fR
1401
Windows allows specifying how a file will be shared with other processes when it is opened. Sharing violations occur when a file is opened by a different process using options that violate the share settings specified by other processes. This parameter causes smbd to act as a Windows server does, and defer returning a "sharing violation" error message for up to one second, allowing the client to close the file causing the violation in the meantime.
1403
UNIX by default does not have this behaviour.
1405
There should be no reason to turn off this parameter, as it is designed to enable Samba to more correctly emulate Windows.
1408
\fB\fIdefer sharing violations\fR = True \fR
1004
1410
delete group script (G)
1005
This is the full pathname to a script that will be run \fBAS ROOT\fR \fBsmbd\fR(8) when a group is requested to be deleted\&. It will expand any \fI%g\fR to the group name passed\&. This script is only useful for installations using the Windows NT domain administration tools\&.
1007
Default: \fB\fIdelete group script\fR = \fR
1411
This is the full pathname to a script that will be run
1414
when a group is requested to be deleted. It will expand any
1416
to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.
1419
\fB\fIdelete group script\fR = \fR
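Review bot: "will be run AS ROOT smbd(8)" is missing "by". Because the script runs as root and %g is expanded to the group name passed when the deletion is requested, the text should also say that the script must treat the expanded name as untrusted input.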
1010
1421
deleteprinter command (G)
1011
With the introduction of MS\-RPC based printer support for Windows NT/2000 clients in Samba 2\&.2, it is now possible to delete printer at run time by issuing the DeletePrinter() RPC call\&.
1013
For a Samba host this means that the printer must be physically deleted from underlying printing system\&. The deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from \fIsmb\&.conf\fR\&.
1015
The deleteprinter command is automatically called with only one parameter: printer name\&.
1017
Once the deleteprinter command has been executed, \fBsmbd\fR will reparse the \fI smb\&.conf\fR to associated printer no longer exists\&. If the sharename is still valid, then \fBsmbd \fR will return an ACCESS_DENIED error to the client\&.
1019
Default: \fB\fIdeleteprinter command\fR = \fR
1021
Example: \fB\fIdeleteprinter command\fR = /usr/bin/removeprinter \fR
1422
With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete printer at run time by issuing the DeletePrinter() RPC call.
1424
For a Samba host this means that the printer must be physically deleted from underlying printing system. The
1425
deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from
1429
deleteprinter command is automatically called with only one parameter:
1433
deleteprinter command has been executed,
1437
to associated printer no longer exists. If the sharename is still valid, then
1439
will return an ACCESS_DENIED error to the client.
1442
\fB\fIdeleteprinter command\fR = \fR
1445
\fB\fIdeleteprinter command\fR = /usr/bin/removeprinter \fR
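Review bot: The sentence "smbd will reparse the smb.conf to associated printer no longer exists" has lost words in both versions; it presumably means that smbd reparses smb.conf to check that the associated printer no longer exists, and should say so. "it is now possible to delete printer at run time" and "deleted from underlying printing system" also each need an article.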
1024
1447
delete readonly (S)
1025
This parameter allows readonly files to be deleted\&. This is not normal DOS semantics, but is allowed by UNIX\&.
1027
This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file\&.
1029
Default: \fB\fIdelete readonly\fR = no \fR
1448
This parameter allows readonly files to be deleted. This is not normal DOS semantics, but is allowed by UNIX.
1450
This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file.
1453
\fB\fIdelete readonly\fR = no \fR
1032
1455
delete share command (G)
1033
Samba 2\&.2\&.0 introduced the ability to dynamically add and delete shares via the Windows NT 4\&.0 Server Manager\&. The\fIdelete share command\fR is used to define an external program or script which will remove an existing service definition from \fIsmb\&.conf\fR\&. In order to successfully execute the \fIdelete share command\fR, \fBsmbd\fR requires that the administrator be connected using a root account (i\&.e\&. uid == 0)\&.
1035
When executed, \fBsmbd\fR will automatically invoke the\fIdelete share command\fR with two parameters\&.
1041
\fIconfigFile\fR \- the location of the global \fIsmb\&.conf\fR file\&.
1044
\fIshareName\fR \- the name of the existing service\&.
1456
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The
1457
\fIdelete share command\fR
1458
is used to define an external program or script which will remove an existing service definition from
1459
\fIsmb.conf\fR. In order to successfully execute the
1460
\fIdelete share command\fR,
1462
requires that the administrator be connected using a root account (i.e. uid == 0).
1466
will automatically invoke the
1467
\fIdelete share command\fR
1468
with two parameters.
1473
- the location of the global
1479
- the name of the existing service.
1048
This parameter is only used to remove file shares\&. To delete printer shares, see the deleteprinter command\&.
1050
Default: \fB\fIdelete share command\fR = \fR
1052
Example: \fB\fIdelete share command\fR = /usr/local/bin/delshare \fR
1482
This parameter is only used to remove file shares. To delete printer shares, see the
1483
deleteprinter command.
1486
\fB\fIdelete share command\fR = \fR
1489
\fB\fIdelete share command\fR = /usr/local/bin/delshare \fR
1055
1491
delete user from group script (G)
1056
Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools\&. It will be run by \fBsmbd\fR(8) \fBAS ROOT\fR\&. Any \fI%g\fR will be replaced with the group name and any \fI%u\fR will be replaced with the user name\&.
1058
Default: \fB\fIdelete user from group script\fR = \fR
1060
Example: \fB\fIdelete user from group script\fR = /usr/sbin/deluser %u %g \fR
1492
Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. It will be run by
1496
will be replaced with the group name and any
1498
will be replaced with the user name.
1501
\fB\fIdelete user from group script\fR = \fR
1504
\fB\fIdelete user from group script\fR = /usr/sbin/deluser %u %g \fR
1063
1506
delete user script (G)
1064
This is the full pathname to a script that will be run by \fBsmbd\fR(8) when managing users with remote RPC (NT) tools\&.
1066
This script is called when a remote client removes a user from the server, normally using 'User Manager for Domains' or\fBrpcclient\fR\&.
1068
This script should delete the given UNIX username\&.
1070
Default: \fB\fIdelete user script\fR = \fR
1072
Example: \fB\fIdelete user script\fR = /usr/local/samba/bin/del_user %u \fR
1507
This is the full pathname to a script that will be run by
1509
when managing users with remote RPC (NT) tools.
1511
This script is called when a remote client removes a user from the server, normally using 'User Manager for Domains' or
1514
This script should delete the given UNIX username.
1517
\fB\fIdelete user script\fR = \fR
1520
\fB\fIdelete user script\fR = /usr/local/samba/bin/del_user %u \fR
1075
1522
delete veto files (S)
1076
This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the veto files option)\&. If this option is set to \fBno\fR (the default) then if a vetoed directory contains any non\-vetoed files or directories then the directory delete will fail\&. This is usually what you want\&.
1078
If this option is set to \fByes\fR, then Samba will attempt to recursively delete any files and directories within the vetoed directory\&. This can be useful for integration with file serving systems such as NetAtalk which create meta\-files within directories you might normally veto DOS/Windows users from seeing (e\&.g\&. \fI\&.AppleDouble\fR)
1080
Setting delete veto files = yes allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so)\&.
1082
Default: \fB\fIdelete veto files\fR = no \fR
1523
This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the
1524
veto files option). If this option is set to
1526
(the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want.
1528
If this option is set to
1529
\fByes\fR, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file serving systems such as NetAtalk which create meta-files within directories you might normally veto DOS/Windows users from seeing (e.g.
1533
delete veto files = yes allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so).
1536
\fB\fIdelete veto files\fR = no \fR
1085
1538
dfree cache time (S)
1086
The \fIdfree cache time\fR should only be used on systems where a problem occurs with the internal disk space calculations\&. This has been known to happen with Ultrix, but may occur with other operating systems\&. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing\&.
1088
This is a new parameter introduced in Samba version 3\&.0\&.21\&. It specifies in seconds the time that smbd will cache the output of a disk free query\&. If set to zero (the default) no caching is done\&. This allows a heavily loaded server to prevent rapid spawning of dfree command scripts increasing the load\&.
1090
By default this parameter is zero, meaning no caching will be done\&.
1540
\fIdfree cache time\fR
1541
should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing.
1543
This is a new parameter introduced in Samba version 3.0.21. It specifies in seconds the time that smbd will cache the output of a disk free query. If set to zero (the default) no caching is done. This allows a heavily loaded server to prevent rapid spawning of
1544
dfree command scripts increasing the load.
1546
By default this parameter is zero, meaning no caching will be done.
1092
1548
\fBNo default\fR
1094
Example: \fB\fIdfree cache time\fR = dfree cache time = 60 \fR
1551
\fB\fIdfree cache time\fR = dfree cache time = 60 \fR
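Review bot: The example line reads "dfree cache time = dfree cache time = 60", repeating the parameter name as its own value, and the new side carries it over unchanged; it should be "dfree cache time = 60". The "No default" line also contradicts the sentence just above it, which says the parameter is zero by default, so replace it with a Default line of 0. The opening paragraph about Ultrix and "Abort Retry Ignore" is the dfree command description and says nothing about caching; consider dropping it from this entry.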
1097
1553
dfree command (S)
1098
The \fIdfree command\fR setting should only be used on systems where a problem occurs with the internal disk space calculations\&. This has been known to happen with Ultrix, but may occur with other operating systems\&. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing\&.
1100
This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine\&. The example below gives a possible script that might fulfill this function\&.
1102
In Samba version 3\&.0\&.21 this parameter has been changed to be a per\-share parameter, and in addition the parameter dfree cache time was added to allow the output of this script to be cached for systems under heavy load\&.
1104
The external program will be passed a single parameter indicating a directory in the filesystem being queried\&. This will typically consist of the string \fI\&./\fR\&. The script should return two integers in ASCII\&. The first should be the total disk space in blocks, and the second should be the number of available blocks\&. An optional third return value can give the block size in bytes\&. The default blocksize is 1024 bytes\&.
1106
Note: Your script should \fBNOT\fR be setuid or setgid and should be owned by (and writeable only by) root!
1108
Where the script dfree (which must be made executable) could be:
1112
df $1 | tail \-1 | awk '{print $2" "$4}'
1114
or perhaps (on Sys V based systems):
1118
/usr/bin/df \-k $1 | tail \-1 | awk '{print $3" "$5}'
1120
Note that you may have to replace the command names with full path names on some systems\&.
1122
By default internal routines for determining the disk capacity and remaining space will be used\&.
1556
setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing.
1558
This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill this function.
1560
In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the parameter
1561
dfree cache time was added to allow the output of this script to be cached for systems under heavy load.
1563
The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically consist of the string
1564
\fI./\fR. The script should return two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number of available blocks. An optional third return value can give the block size in bytes. The default blocksize is 1024 bytes.
1566
Note: Your script should
1568
be setuid or setgid and should be owned by (and writeable only by) root!
1570
Where the script dfree (which must be made executable) could be:
1576
df $1 | tail -1 | awk '{print $2" "$4}'
1578
or perhaps (on Sys V based systems):
1584
/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
1586
Note that you may have to replace the command names with full path names on some systems.
1588
By default internal routines for determining the disk capacity and remaining space will be used.
1124
1590
\fBNo default\fR
1126
Example: \fB\fIdfree command\fR = /usr/local/samba/bin/dfree \fR
1593
\fB\fIdfree command\fR = /usr/local/samba/bin/dfree \fR
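Review bot: Both sample scripts pass $1 to df unquoted ("df $1 | tail -1 | awk ..."), so a directory argument containing whitespace or glob characters is split or expanded by the shell before df sees it. Write it as df "$1" in both variants. The text already warns that command names may need full paths; since the script must be root-owned and is run by smbd, the first example should use the full path to df as the Sys V one does. Using df -P would also keep long device names from wrapping the output onto two lines and shifting the awk columns.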
1130
This parameter is a synonym for directory mask\&.
1596
This parameter is a synonym for directory mask.
1133
1598
directory mask (S)
1134
This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories\&.
1136
When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit\-wise 'AND'ed with this parameter\&. This parameter may be thought of as a bit\-wise MASK for the UNIX modes of a directory\&. Any bit \fBnot\fR set here will be removed from the modes set on a directory when it is created\&.
1138
The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it\&.
1140
Following this Samba will bit\-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode parameter\&. This parameter is set to 000 by default (i\&.e\&. no extra mode bits are added)\&.
1142
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors\&. If the administrator wishes to enforce a mask on access control lists also, they need to set the directory security mask\&.
1144
Default: \fB\fIdirectory mask\fR = 0755 \fR
1146
Example: \fB\fIdirectory mask\fR = 0775 \fR
1599
This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.
1601
When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit
1603
set here will be removed from the modes set on a directory when it is created.
1605
The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it.
1607
Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
1608
force directory mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).
1610
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the
1611
directory security mask.
1614
\fB\fIdirectory mask\fR = 0755 \fR
1617
\fB\fIdirectory mask\fR = 0775 \fR
1149
1619
directory security mask (S)
1150
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box\&.
1152
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified\&. Make sure not to mix up this parameter with force directory security mode, which works similar like this one but uses logical OR instead of AND\&. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change\&.
1154
If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world permissions on a directory\&.
1156
\fBNote\fR that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it as the default of \fB0777\fR\&.
1158
Default: \fB\fIdirectory security mask\fR = 0777 \fR
1160
Example: \fB\fIdirectory security mask\fR = 0700 \fR
1620
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.
1622
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Make sure not to mix up this parameter with
1623
force directory security mode, which works similar like this one but uses logical OR instead of AND. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
1625
If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world permissions on a directory.
1628
that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it as the default of
1632
\fB\fIdirectory security mask\fR = 0777 \fR
1635
\fB\fIdirectory security mask\fR = 0700 \fR
1163
1637
disable netbios (G)
1164
Enabling this parameter will disable netbios support in Samba\&. Netbios is the only available form of browsing in all windows versions except for 2000 and XP\&.
1169
Clients that only support netbios won't be able to see your samba server when netbios support is disabled\&.
1172
Default: \fB\fIdisable netbios\fR = no \fR
1638
Enabling this parameter will disable netbios support in Samba. Netbios is the only available form of browsing in all windows versions except for 2000 and XP.
1641
.nr an-no-space-flag 1
1645
Clients that only support netbios won't be able to see your samba server when netbios support is disabled.
1647
\fB\fIdisable netbios\fR = no \fR
1175
1649
disable spoolss (G)
1176
Enabling this parameter will disable Samba's support for the SPOOLSS set of MS\-RPC's and will yield identical behavior as Samba 2\&.0\&.x\&. Windows NT/2000 clients will downgrade to using Lanman style printing commands\&. Windows 9x/ME will be uneffected by the parameter\&. However, this will also disable the ability to upload printer drivers to a Samba server via the Windows NT Add Printer Wizard or by using the NT printer properties dialog window\&. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand\&. \fBBe very careful about enabling this parameter\&.\fR
1178
Default: \fB\fIdisable spoolss\fR = no \fR
1650
Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPC's and will yield identical behavior as Samba 2.0.x. Windows NT/2000 clients will downgrade to using Lanman style printing commands. Windows 9x/ME will be unaffected by the parameter. However, this will also disable the ability to upload printer drivers to a Samba server via the Windows NT Add Printer Wizard or by using the NT printer properties dialog window. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand.
1651
\fBBe very careful about enabling this parameter.\fR
1654
\fB\fIdisable spoolss\fR = no \fR
1181
1656
display charset (G)
1182
Specifies the charset that samba will use to print messages to stdout and stderr and SWAT will use\&. Should generally be the same as the unix charset\&.
1184
Default: \fB\fIdisplay charset\fR = ASCII \fR
1186
Example: \fB\fIdisplay charset\fR = UTF8 \fR
1657
Specifies the charset that samba will use to print messages to stdout and stderr and SWAT will use. Should generally be the same as the
1661
\fB\fIdisplay charset\fR = ASCII \fR
1664
\fB\fIdisplay charset\fR = UTF8 \fR
1667
This parameter specifies whether Samba should use DMAPI to determine whether a file is offline or not. This would typically be used in conjunction with a hierarchical storage system that automatically migrates files to tape.
1669
Note that Samba infers the status of a file by examining the events that a DMAPI application has registered interest in. This heuristic is satisfactory for a number of hierarchical storage systems, but there may be system for which it will fail. In this case, Samba may erroneously report files to be offline.
1671
This parameter is only available if a supported DMAPI implementation was found at compilation time. It will only be used if DMAPI is found to enabled on the system at run time.
1676
\fB\fIdmapi support\fR = no \fR
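Review bot: Two grammar slips in the added dmapi support text: "there may be system for which it will fail" should be "there may be systems for which it will fail", and "if DMAPI is found to enabled on the system" should be "if DMAPI is found to be enabled on the system". The second paragraph admits the heuristic can report files as offline when they are not, but gives the administrator no way to recognise or handle that case; a sentence recommending the default of no unless a supported hierarchical storage system is in use would close the gap.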
1190
Specifies that \fBnmbd\fR(8) when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word\-for\-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name\-querying client\&.
1192
Note that the maximum length for a NetBIOS name is 15 characters, so the DNS name (or DNS alias) can likewise only be 15 characters, maximum\&.
1194
\fBnmbd\fR spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action\&.
1196
Default: \fB\fIdns proxy\fR = yes \fR
1681
when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.
1683
Note that the maximum length for a NetBIOS name is 15 characters, so the DNS name (or DNS alias) can likewise only be 15 characters, maximum.
1686
spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action.
1689
\fB\fIdns proxy\fR = yes \fR
1199
1691
domain logons (G)
1200
If set to \fByes\fR, the Samba server will provide the netlogon service for Windows 9X network logons for theworkgroup it is in\&. This will also cause the Samba server to act as a domain controller for NT4 style domain services\&. For more details on setting up this feature see the Domain Control chapter of the Samba HOWTO Collection\&.
1202
Default: \fB\fIdomain logons\fR = no \fR
1693
\fByes\fR, the Samba server will provide the netlogon service for Windows 9X network logons for the
1694
workgroup it is in. This will also cause the Samba server to act as a domain controller for NT4 style domain services. For more details on setting up this feature see the Domain Control chapter of the Samba HOWTO Collection.
1697
\fB\fIdomain logons\fR = no \fR
1205
1699
domain master (G)
1206
Tell \fBsmbd\fR(8) to enable WAN\-wide browse list collation\&. Setting this option causes \fBnmbd\fR to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its givenworkgroup\&. Local master browsers in the same workgroup on broadcast\-isolated subnets will give this \fBnmbd\fR their local browse lists, and then ask \fBsmbd\fR(8) for a complete copy of the browse list for the whole wide area network\&. Browser clients will then contact their local master browser, and will receive the domain\-wide browse list, instead of just the list for their broadcast\-isolated subnet\&.
1208
Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for thatworkgroup by default (i\&.e\&. there is no way to prevent a Windows NT PDC from attempting to do this)\&. This means that if this parameter is set and \fBnmbd\fR claims the special name for a workgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail\&.
1210
If domain logons = yes, then the default behavior is to enable thedomain master parameter\&. If domain logons is not enabled (the default setting), then neither will domain master be enabled by default\&.
1212
When domain logons = Yes the default setting for this parameter is Yes, with the result that Samba will be a PDC\&. If domain master = No, Samba will function as a BDC\&. In general, this parameter should be set to 'No' only on a BDC\&.
1214
Default: \fB\fIdomain master\fR = auto \fR
1702
to enable WAN-wide browse list collation. Setting this option causes
1704
to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given
1705
workgroup. Local master browsers in the same
1706
workgroup on broadcast-isolated subnets will give this
1708
their local browse lists, and then ask
1710
for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.
1712
Note that Windows NT Primary Domain Controllers expect to be able to claim this
1713
workgroup specific special NetBIOS name that identifies them as domain master browsers for that
1714
workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and
1716
claims the special name for a
1717
workgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.
1720
domain logons = yes, then the default behavior is to enable the
1721
domain master parameter. If
1722
domain logons is not enabled (the default setting), then neither will
1723
domain master be enabled by default.
1726
domain logons = Yes the default setting for this parameter is Yes, with the result that Samba will be a PDC. If
1727
domain master = No, Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.
1730
\fB\fIdomain master\fR = auto \fR
1217
1732
dont descend (S)
1218
There are certain directories on some systems (e\&.g\&., the \fI/proc\fR tree under Linux) that are either not of interest to clients or are infinitely deep (recursive)\&. This parameter allows you to specify a comma\-delimited list of directories that the server should always show as empty\&.
1220
Note that Samba can be very fussy about the exact format of the "dont descend" entries\&. For example you may need \fI \&./proc\fR instead of just \fI/proc\fR\&. Experimentation is the best policy :\-)
1222
Default: \fB\fIdont descend\fR = \fR
1224
Example: \fB\fIdont descend\fR = /proc,/dev \fR
1733
There are certain directories on some systems (e.g., the
1735
tree under Linux) that are either not of interest to clients or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty.
1737
Note that Samba can be very fussy about the exact format of the "dont descend" entries. For example you may need
1740
\fI/proc\fR. Experimentation is the best policy :-)
1743
\fB\fIdont descend\fR = \fR
1746
\fB\fIdont descend\fR = /proc,/dev \fR
1227
1748
dos charset (G)
1228
DOS SMB clients assume the server has the same charset as they do\&. This option specifies which charset Samba should talk to DOS clients\&.
1230
The default depends on which charsets you have installed\&. Samba tries to use charset 850 but falls back to ASCII in case it is not available\&. Run \fBtestparm\fR(1) to check the default on your system\&.
1749
DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients.
1751
The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run
1753
to check the default on your system.
1232
1755
\fBNo default\fR
1235
1757
dos filemode (S)
1236
The default behavior in Samba is to provide UNIX\-like behavior where only the owner of a file/directory is able to change the permissions on it\&. However, this behavior is often confusing to DOS/Windows users\&. Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions on it\&. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access\&. Ownership of the file/directory is not changed, only the permissions are modified\&.
1238
Default: \fB\fIdos filemode\fR = no \fR
1758
The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users. Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions (including ACL) on it. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access. Ownership of the file/directory may also be changed.
1761
\fB\fIdos filemode\fR = no \fR
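Review bot: The closing sentence flips from "Ownership of the file/directory is not changed, only the permissions are modified" to "Ownership of the file/directory may also be changed", and "(including ACL)" is added to the permissions clause. This widens what a user with only write access can do, yet the text names no Samba version for the change and does not say to whom ownership may be transferred. Add the version in which the behaviour changed and spell out the ownership rule, so administrators who enabled this option under the old wording can reassess it.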
1241
1763
dos filetime resolution (S)
1242
Under the DOS and Windows FAT filesystem, the finest granularity on time resolution is two seconds\&. Setting this parameter for a share causes Samba to round the reported time down to the nearest two second boundary when a query call that requires one second resolution is made to \fBsmbd\fR(8)\&.
1244
This option is mainly used as a compatibility option for Visual C++ when used against Samba shares\&. If oplocks are enabled on a share, Visual C++ uses two different time reading calls to check if a file has changed since it was last read\&. One of these calls uses a one\-second granularity, the other uses a two second granularity\&. As the two second call rounds any odd second down, then if the file has a timestamp of an odd number of seconds then the two timestamps will not match and Visual C++ will keep reporting the file has changed\&. Setting this option causes the two timestamps to match, and Visual C++ is happy\&.
1246
Default: \fB\fIdos filetime resolution\fR = no \fR
1764
Under the DOS and Windows FAT filesystem, the finest granularity on time resolution is two seconds. Setting this parameter for a share causes Samba to round the reported time down to the nearest two second boundary when a query call that requires one second resolution is made to
1767
This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. If oplocks are enabled on a share, Visual C++ uses two different time reading calls to check if a file has changed since it was last read. One of these calls uses a one-second granularity, the other uses a two second granularity. As the two second call rounds any odd second down, then if the file has a timestamp of an odd number of seconds then the two timestamps will not match and Visual C++ will keep reporting the file has changed. Setting this option causes the two timestamps to match, and Visual C++ is happy.
1770
\fB\fIdos filetime resolution\fR = no \fR
1249
1772
dos filetimes (S)
1250
Under DOS and Windows, if a user can write to a file they can change the timestamp on it\&. Under POSIX semantics, only the owner of the file or root may change the timestamp\&. By default, Samba runs with POSIX semantics and refuses to change the timestamp on a file if the user \fBsmbd\fR is acting on behalf of is not the file owner\&. Setting this option to \fB yes\fR allows DOS semantics and \fBsmbd\fR(8) will change the file timestamp as DOS requires\&. Due to changes in Microsoft Office 2000 and beyond, the default for this parameter has been changed from "no" to "yes" in Samba 3\&.0\&.14 and above\&. Microsoft Excel will display dialog box warnings about the file being changed by another user if this parameter is not set to "yes" and files are being shared between users\&.
1252
Default: \fB\fIdos filetimes\fR = yes \fR
1773
Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the owner of the file or root may change the timestamp. By default, Samba runs with POSIX semantics and refuses to change the timestamp on a file if the user
1775
is acting on behalf of is not the file owner. Setting this option to
1777
allows DOS semantics and
1779
will change the file timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond, the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14 and above. Microsoft Excel will display dialog box warnings about the file being changed by another user if this parameter is not set to "yes" and files are being shared between users.
1782
\fB\fIdos filetimes\fR = yes \fR
1256
This boolean parameter controls whether \fBsmbd\fR(8) will allow clients to attempt to store OS/2 style Extended attributes on a share\&. In order to enable this parameter the underlying filesystem exported by the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the correct kernel patches)\&. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel\&.
1258
Default: \fB\fIea support\fR = no \fR
1785
This boolean parameter controls whether
1787
will allow clients to attempt to store OS/2 style Extended attributes on a share. In order to enable this parameter the underlying filesystem exported by the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the correct kernel patches). On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel.
1790
\fB\fIea support\fR = no \fR
1261
1792
enable asu support (G)
1262
Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builting [ADMIN$] share that only supports IPC connections\&. The has been the default behavior in smbd for many years\&. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$} file share\&. Disabling this parameter allows for creating an [ADMIN$] file share in smb\&.conf\&.
1264
Default: \fB\fIenable asu support\fR = yes \fR
1793
Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builting [ADMIN$] share that only supports IPC connections. The has been the default behavior in smbd for many years. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$} file share. Disabling this parameter allows for creating an [ADMIN$] file share in smb.conf.
1796
\fB\fIenable asu support\fR = no \fR
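Review bot: The default for enable asu support changes from yes to no, but the description on the new side is carried over unchanged and now contradicts it. It still says the IPC-only [ADMIN$] share "has been the default behavior in smbd for many years" and describes what "Disabling this parameter" allows, which is now the out-of-the-box state. Reword the paragraph around the new default (what setting it to yes does, and that a real [ADMIN$] file share can be defined in smb.conf when it is left at no). While touching the text, fix "accomodations", "builting", "The has been" and the mismatched bracket in "[ADMIN$}".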
1267
1798
enable privileges (G)
1268
This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either \fBnet rpc rights\fR or one of the Windows user and group manager tools\&. This parameter is disabled by default to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user\&.
1270
An example of how privileges can be used is to assign the right to join clients to a Samba controlled domain without providing root access to the server via smbd\&.
1272
Please read the extended description provided in the Samba documentation before enabling this option\&.
1274
Default: \fB\fIenable privileges\fR = no \fR
1277
enable rid algorithm (G)
1278
This option is used to control whether or not smbd in Samba 3\&.0 should fallback to the algorithm used by Samba 2\&.2 to generate user and group RIDs\&. The longterm development goal is to remove the algorithmic mappings of RIDs altogether, but this has proved to be difficult\&. This parameter is mainly provided so that developers can turn the algorithm on and off and see what breaks\&. This parameter should not be disabled by non\-developers because certain features in Samba will fail to work without it\&.
1280
Default: \fB\fIenable rid algorithm\fR = yes \fR
1799
This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
1800
\fBnet rpc rights\fR
1801
or one of the Windows user and group manager tools. This parameter is enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user.
1803
An example of how privileges can be used is to assign the right to join clients to a Samba controlled domain without providing root access to the server via smbd.
1805
Please read the extended description provided in the Samba HOWTO documentation.
1808
\fB\fIenable privileges\fR = yes \fR
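Review bot: The default for enable privileges flips from no to yes, and that is a security-relevant change that the new text understates. By the page's own wording, honoring these assignments lets members of Domain Admins grant privileges that "can then result in certain smbd operations running as root", and the old caution to read the extended description "before enabling this option" has been reduced to a bare pointer to the HOWTO. State the version in which the default changed (the dos filetimes entry does this for 3.0.14) and keep an explicit sentence that enable privileges = no is the setting for sites that do not want Domain Admins to be able to delegate root-equivalent operations. Separately, the enable rid algorithm (G) entry on the old side has no counterpart on the new side in this region. If the removal is intentional, say so in the change description, because the old text warns that the parameter "should not be disabled by non-developers".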
1283
1810
encrypt passwords (G)
1284
This boolean controls whether encrypted passwords will be negotiated with the client\&. Note that Windows NT 4\&.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed\&. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection\&.
1286
MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encypted password support enabled and for which the user accounts have a valid encrypted password\&. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts\&.
1288
The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products\&. If you want to use plain text passwords you must set this parameter to no\&.
1290
In order for encrypted passwords to work correctly \fBsmbd\fR(8) must either have access to a local \fBsmbpasswd\fR(5) file (see the \fBsmbpasswd\fR(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes \fBsmbd\fR to authenticate against another server\&.
1292
Default: \fB\fIencrypt passwords\fR = yes \fR
1811
This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.
1813
MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts.
1815
The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.
1817
In order for encrypted passwords to work correctly
1819
must either have access to a local
1823
program for information on how to set up and maintain this file), or set the
1824
security = [server|domain|ads] parameter which causes
1826
to authenticate against another server.
1829
\fB\fIencrypt passwords\fR = yes \fR
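Review bot: The typo "encypted password support" in the second paragraph is carried over unchanged on both sides and should be fixed while this entry is being touched. The paragraph advising against plain text passwords gives only a compatibility reason (support "is no longer maintained in Microsoft Windows products"); consider adding the security reason as well, namely that with encrypt passwords = no the password is sent to the server in clear text, so the advice still reads correctly for readers who do not care about Windows client support.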
1295
1831
enhanced browsing (G)
1296
This option enables a couple of enhancements to cross\-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations\&.
1298
The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs\&. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs\&.
1300
You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists\&. Due to the restrictions of the browse protocols these enhancements can cause a empty workgroup to stay around forever which can be annoying\&.
1302
In general you should leave this option enabled as it makes cross\-subnet browse propagation much more reliable\&.
1304
Default: \fB\fIenhanced browsing\fR = yes \fR
1832
This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations.
1834
The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs.
1836
You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols these enhancements can cause a empty workgroup to stay around forever which can be annoying.
1838
In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.
1841
\fB\fIenhanced browsing\fR = yes \fR
1307
1843
enumports command (G)
1308
The concept of a "port" is fairly foreign to UNIX hosts\&. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i\&.e\&. LPT1:, COM1:, FILE:) or a remote port (i\&.e\&. LPD Port Monitor, etc\&.\&.\&.)\&. By default, Samba has only one port defined\-\-\fB"Samba Printer Port"\fR\&. Under Windows NT/2000, all printers must have a valid port name\&. If you wish to have a list of ports displayed (\fBsmbd \fR does not use a port name for anything) other than the default \fB"Samba Printer Port"\fR, you can define \fIenumports command\fR to point to a program which should generate a list of ports, one per line, to standard output\&. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC\&.
1310
Default: \fB\fIenumports command\fR = \fR
1312
Example: \fB\fIenumports command\fR = /usr/bin/listports \fR
1844
The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one port defined--\fB"Samba Printer Port"\fR. Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (\fBsmbd \fR
1845
does not use a port name for anything) other than the default
1846
\fB"Samba Printer Port"\fR, you can define
1847
\fIenumports command\fR
1848
to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC.
1851
\fB\fIenumports command\fR = \fR
1854
\fB\fIenumports command\fR = /usr/bin/listports \fR
1315
1856
eventlog list (G)
1316
This option defines a list of log names that Samba will report to the Microsoft EventViewer utility\&. The listed eventlogs will be associated with tdb file on disk in the \fI$(libdir)/eventlog\fR\&.
1318
The administrator must use an external process to parse the normal Unix logs such as \fI/var/log/messages\fR and write then entries to the eventlog tdb files\&. Refer to the eventlogadm(8) utility for how to write eventlog entries\&.
1320
Default: \fB\fIeventlog list\fR = \fR
1322
Example: \fB\fIeventlog list\fR = Security Application Syslog Apache \fR
1857
This option defines a list of log names that Samba will report to the Microsoft EventViewer utility. The listed eventlogs will be associated with tdb file on disk in the
1858
\fI$(lockdir)/eventlog\fR.
1860
The administrator must use an external process to parse the normal Unix logs such as
1861
\fI/var/log/messages\fR
1862
and write then entries to the eventlog tdb files. Refer to the eventlogadm(8) utility for how to write eventlog entries.
1865
\fB\fIeventlog list\fR = \fR
1868
\fB\fIeventlog list\fR = Security Application Syslog Apache \fR
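Review bot: The tdb location changes from $(libdir)/eventlog to $(lockdir)/eventlog with no explanation in the surrounding text. If the on-disk location really moved, administrators with an external process already writing entries via eventlogadm(8) need a migration note. If only the documentation was wrong before, say that in the change description. The sentence also still reads "write then entries to the eventlog tdb files" and "associated with tdb file on disk"; change these to "write the entries" and "associated with a tdb file".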
1325
1870
fake directory create times (S)
1326
NTFS and Windows VFAT file systems keep a create time for all files and directories\&. This is not the same as the ctime \- status change time \- that Unix keeps, so Samba by default reports the earliest of the various times Unix does keep\&. Setting this parameter for a share causes Samba to always report midnight 1\-1\-1980 as the create time for directories\&.
1328
This option is mainly used as a compatibility option for Visual C++ when used against Samba shares\&. Visual C++ generated makefiles have the object directory as a dependency for each object file, and a make rule to create the directory\&. Also, when NMAKE compares timestamps it uses the creation time when examining a directory\&. Thus the object directory will be created if it does not exist, but once it does exist it will always have an earlier timestamp than the object files it contains\&.
1330
However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or or deleted in the directory\&. NMAKE finds all object files in the object directory\&. The timestamp of the last one built is then compared to the timestamp of the object directory\&. If the directory's timestamp if newer, then all object files will be rebuilt\&. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected\&.
1332
Default: \fB\fIfake directory create times\fR = no \fR
1871
NTFS and Windows VFAT file systems keep a create time for all files and directories. This is not the same as the ctime - status change time - that Unix keeps, so Samba by default reports the earliest of the various times Unix does keep. Setting this parameter for a share causes Samba to always report midnight 1-1-1980 as the create time for directories.
1873
This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. Visual C++ generated makefiles have the object directory as a dependency for each object file, and a make rule to create the directory. Also, when NMAKE compares timestamps it uses the creation time when examining a directory. Thus the object directory will be created if it does not exist, but once it does exist it will always have an earlier timestamp than the object files it contains.
1875
However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or or deleted in the directory. NMAKE finds all object files in the object directory. The timestamp of the last one built is then compared to the timestamp of the object directory. If the directory's timestamp if newer, then all object files will be rebuilt. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected.
1878
\fB\fIfake directory create times\fR = no \fR
1335
1880
fake oplocks (S)
1336
Oplocks are the way that SMB clients get permission from a server to locally cache file operations\&. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data\&. With some oplock types the client may even cache file open/close operations\&. This can give enormous performance benefits\&.
1338
When you set \fBfake oplocks = yes\fR, \fBsmbd\fR(8) will always grant oplock requests no matter how many clients are using the file\&.
1340
It is generally much better to use the real oplocks support rather than this parameter\&.
1342
If you enable this option on all read\-only shares or shares that you know will only be accessed from one client at a time such as physically read\-only media like CDROMs, you will see a big performance improvement on many operations\&. If you enable this option on shares where multiple clients may be accessing the files read\-write at the same time you can get data corruption\&. Use this option carefully!
1344
Default: \fB\fIfake oplocks\fR = no \fR
1881
Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. With some oplock types the client may even cache file open/close operations. This can give enormous performance benefits.
1884
\fBfake oplocks = yes\fR,
1886
will always grant oplock requests no matter how many clients are using the file.
1888
It is generally much better to use the real
1889
oplocks support rather than this parameter.
1891
If you enable this option on all read-only shares or shares that you know will only be accessed from one client at a time such as physically read-only media like CDROMs, you will see a big performance improvement on many operations. If you enable this option on shares where multiple clients may be accessing the files read-write at the same time you can get data corruption. Use this option carefully!
1894
\fB\fIfake oplocks\fR = no \fR
1896
fam change notify (G)
1897
This parameter specifies whether Samba should ask the FAM daemon change notifications in directories so that SMB clients can refresh whenever the data on the server changes.
1899
This parameter is only used when your system supports change notification to user programs, using the FAM daemon. If the FAM daemon is not running, this parameter is automatically disabled. The
1900
\fIkernel change notify\fR
1901
parameter will take precedence if it is also enabled.
1904
\fB\fIfam change notify\fR = yes \fR
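Review bot: The new fam change notify (G) entry has a missing word in its first sentence: "should ask the FAM daemon change notifications in directories" should read "ask the FAM daemon for change notifications". The entry also says the parameter is "automatically disabled" when the FAM daemon is not running, while the default shown is yes. It would help to say how an administrator can tell which state is in effect, and to cross-reference the kernel change notify entry by name, since the text says that parameter takes precedence.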
1347
1906
follow symlinks (S)
1348
This parameter allows the Samba administrator to stop \fBsmbd\fR(8)from following symbolic links in a particular share\&. Setting this parameter to \fBno\fR prevents any file or directory that is a symbolic link from being followed (the user will get an error)\&. This option is very useful to stop users from adding a symbolic link to \fI/etc/passwd\fR in their home directory for instance\&. However it will slow filename lookups down slightly\&.
1350
This option is enabled (i\&.e\&. \fBsmbd\fR will follow symbolic links) by default\&.
1352
Default: \fB\fIfollow symlinks\fR = yes \fR
1907
This parameter allows the Samba administrator to stop
1909
from following symbolic links in a particular share. Setting this parameter to
1911
prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to
1913
in their home directory for instance. However it will slow filename lookups down slightly.
1915
This option is enabled (i.e.
1917
will follow symbolic links) by default.
1920
\fB\fIfollow symlinks\fR = yes \fR
1355
1922
force create mode (S)
1356
This parameter specifies a set of UNIX mode bit permissions that will \fBalways\fR be set on a file created by Samba\&. This is done by bitwise 'OR'ing these bits onto the mode bits of a file that is being created or having its permissions changed\&. The default for this parameter is (in octal) 000\&. The modes in this parameter are bitwise 'OR'ed onto the file mode after the mask set in the \fIcreate mask\fR parameter is applied\&.
1358
The example below would force all created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'\&.
1360
Default: \fB\fIforce create mode\fR = 000 \fR
1362
Example: \fB\fIforce create mode\fR = 0755 \fR
1923
This parameter specifies a set of UNIX mode bit permissions that will
1925
be set on a file created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a file that is being created or having its permissions changed. The default for this parameter is (in octal) 000. The modes in this parameter are bitwise 'OR'ed onto the file mode after the mask set in the
1927
parameter is applied.
1929
The example below would force all created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.
1932
\fB\fIforce create mode\fR = 000 \fR
1935
\fB\fIforce create mode\fR = 0755 \fR
1365
1937
force directory mode (S)
1366
This parameter specifies a set of UNIX mode bit permissions that will \fBalways\fR be set on a directory created by Samba\&. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created\&. The default for this parameter is (in octal) 0000 which will not add any extra permission bits to a created directory\&. This operation is done after the mode mask in the parameter \fIdirectory mask\fR is applied\&.
1368
The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'\&.
1370
Default: \fB\fIforce directory mode\fR = 000 \fR
1372
Example: \fB\fIforce directory mode\fR = 0755 \fR
1938
This parameter specifies a set of UNIX mode bit permissions that will
1940
be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this parameter is (in octal) 0000 which will not add any extra permission bits to a created directory. This operation is done after the mode mask in the parameter
1941
\fIdirectory mask\fR
1944
The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.
1947
\fB\fIforce directory mode\fR = 000 \fR
1950
\fB\fIforce directory mode\fR = 0755 \fR
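Review bot: The stated default is inconsistent within the force directory mode entry. The description says the default is "(in octal) 0000" while the Default line shows 000, and the sibling force create mode entry uses 000 in both places. Pick one form and use it in the description and the Default line of both entries.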
1375
1952
force directory security mode (S)
1376
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box\&.
1378
This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on\&. Make sure not to mix up this parameter with directory security mask, which works in a similar manner to this one, but uses a logical AND instead of an OR\&.
1380
Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, to will enable (1) any flags that are off (0) but which the mask has set to on (1)\&.
1382
If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world permissions on a directory without restrictions\&.
1387
Users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set as 0000\&.
1390
Default: \fB\fIforce directory security mode\fR = 0 \fR
1392
Example: \fB\fIforce directory security mode\fR = 700 \fR
1953
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.
1955
This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Make sure not to mix up this parameter with
1956
directory security mask, which works in a similar manner to this one, but uses a logical AND instead of an OR.
1958
Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, to will enable (1) any flags that are off (0) but which the mask has set to on (1).
1960
If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world permissions on a directory without restrictions.
1963
.nr an-no-space-flag 1
1967
Users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set as 0000.
1969
\fB\fIforce directory security mode\fR = 0 \fR
1972
\fB\fIforce directory security mode\fR = 700 \fR
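Review bot: The third paragraph of force directory security mode is not parseable as written ("when modifying security on a directory, to will enable (1) any flags that are off (0) but which the mask has set to on (1)") and is carried over unchanged. Since this is the sentence that explains what the OR mask does, rewrite it plainly, for example: bits set in this mask are always turned on when a client changes the permissions of a directory. The value notation is also inconsistent: the text says 0000, the Default line says 0, and the example is 700 with no leading zero, while force directory mode uses 0755. Use one octal form throughout.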
1396
This parameter is a synonym for force group\&.
1975
This parameter is a synonym for force group.
1399
1977
force group (S)
1400
This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service\&. This is useful for sharing files by ensuring that all access to files on service will use the named group for their permissions checking\&. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files\&.
1402
In Samba 2\&.0\&.5 and above this parameter has extended functionality in the following way\&. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group\&. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group\&. This gives a finer granularity of ownership assignment\&. For example, the setting \fIforce group = +sys\fR means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share\&. All other users will retain their ordinary primary group\&.
1404
If the force user parameter is also set the group specified in \fIforce group\fR will override the primary group set in \fIforce user\fR\&.
1406
Default: \fB\fIforce group\fR = \fR
1408
Example: \fB\fIforce group\fR = agroup \fR
1978
This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files by ensuring that all access to files on service will use the named group for their permissions checking. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files.
1980
In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting
1981
\fIforce group = +sys\fR
1982
means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.
1985
force user parameter is also set the group specified in
1987
will override the primary group set in
1991
\fB\fIforce group\fR = \fR
1994
\fB\fIforce group\fR = agroup \fR
1411
1996
force printername (S)
1412
When printing from Windows NT (or later), each printer in \fIsmb\&.conf\fR has two associated names which can be used by the client\&. The first is the sharename (or shortname) defined in smb\&.conf\&. This is the only printername available for use by Windows 9x clients\&. The second name associated with a printer can be seen when browsing to the "Printers" (or "Printers and Faxes") folder on the Samba server\&. This is referred to simply as the printername (not to be confused with the \fIprinter name\fR option)\&.
1414
When assigning a new driver to a printer on a remote Windows compatible print server such as Samba, the Windows client will rename the printer to match the driver name just uploaded\&. This can result in confusion for users when multiple printers are bound to the same driver\&. To prevent Samba from allowing the printer's printername to differ from the sharename defined in smb\&.conf, set \fIforce printername = yes\fR\&.
1416
Be aware that enabling this parameter may affect migrating printers from a Windows server to Samba since Windows has no way to force the sharename and printername to match\&.
1418
It is recommended that this parameter's value not be changed once the printer is in use by clients as this could cause a user not be able to delete printer connections from their local Printers folder\&.
1420
Default: \fB\fIforce printername\fR = no \fR
1997
When printing from Windows NT (or later), each printer in
1999
has two associated names which can be used by the client. The first is the sharename (or shortname) defined in smb.conf. This is the only printername available for use by Windows 9x clients. The second name associated with a printer can be seen when browsing to the "Printers" (or "Printers and Faxes") folder on the Samba server. This is referred to simply as the printername (not to be confused with the
2003
When assigning a new driver to a printer on a remote Windows compatible print server such as Samba, the Windows client will rename the printer to match the driver name just uploaded. This can result in confusion for users when multiple printers are bound to the same driver. To prevent Samba from allowing the printer's printername to differ from the sharename defined in smb.conf, set
2004
\fIforce printername = yes\fR.
2006
Be aware that enabling this parameter may affect migrating printers from a Windows server to Samba since Windows has no way to force the sharename and printername to match.
2008
It is recommended that this parameter's value not be changed once the printer is in use by clients as this could cause a user not be able to delete printer connections from their local Printers folder.
2011
\fB\fIforce printername\fR = no \fR
1423
2013
force security mode (S)
1424
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&.
1426
This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on\&. Make sure not to mix up this parameter with security mask, which works similar like this one but uses logical AND instead of OR\&.
1428
Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be on\&.
1430
If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world permissions on a file, with no restrictions\&.
1432
\fB Note\fR that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave this set to 0000\&.
1434
Default: \fB\fIforce security mode\fR = 0 \fR
1436
Example: \fB\fIforce security mode\fR = 700 \fR
2014
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.
2016
This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Make sure not to mix up this parameter with
2017
security mask, which works similar like this one but uses logical AND instead of OR.
2019
Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be on.
2021
If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world permissions on a file, with no restrictions.
2024
that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave this set to 0000.
2027
\fB\fIforce security mode\fR = 0 \fR
2030
\fB\fIforce security mode\fR = 700 \fR
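Review bot: Two sentences in force security mode remain ungrammatical on the new side and obscure what the mask does: "works similar like this one but uses logical AND instead of OR" and "Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be on". Align the wording with the force directory security mode entry (bits set in this mask are always turned on when a client changes the permissions of a file), and use the same octal form in the text ("set to 0", "0000"), the Default line (0) and the example (700).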
1439
2032
force unknown acl user (S)
1440
If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or representation of a user or group id) as the owner or group owner of the file will be silently mapped into the current UNIX uid or gid of the currently connected user\&.
1442
This is designed to allow Windows NT clients to copy files and folders containing ACLs that were created locally on the client machine and contain users local to that machine only (no domain users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and groupid of the file owner map to the current connected user\&. This can only be fixed correctly when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid\&.
1444
Try using this parameter when XCOPY /O gives an ACCESS_DENIED error\&.
1446
Default: \fB\fIforce unknown acl user\fR = no \fR
2033
If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or representation of a user or group id) as the owner or group owner of the file will be silently mapped into the current UNIX uid or gid of the currently connected user.
2035
This is designed to allow Windows NT clients to copy files and folders containing ACLs that were created locally on the client machine and contain users local to that machine only (no domain users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and groupid of the file owner map to the current connected user. This can only be fixed correctly when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid.
2037
Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.
2040
\fB\fIforce unknown acl user\fR = no \fR
1450
This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service\&. This is useful for sharing files\&. You should also use it carefully as using it incorrectly can cause security problems\&.
1452
This user name only gets used once a connection is established\&. Thus clients still need to connect as a valid user and supply a valid password\&. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as\&. This can be very useful\&.
1454
In Samba 2\&.0\&.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity\&. Prior to 2\&.0\&.5 the primary group was left as the primary group of the connecting user (this was a bug)\&.
1456
Default: \fB\fIforce user\fR = \fR
1458
Example: \fB\fIforce user\fR = auser \fR
2043
This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.
2045
This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as. This can be very useful.
2047
In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug).
2050
\fB\fIforce user\fR = \fR
2053
\fB\fIforce user\fR = auser \fR
1462
This parameter allows the administrator to configure the string that specifies the type of filesystem a share is using that is reported by \fBsmbd\fR(8) when a client queries the filesystem type for a share\&. The default type is \fBNTFS\fR for compatibility with Windows NT but this can be changed to other strings such as \fBSamba\fR or \fBFAT\fR if required\&.
1464
Default: \fB\fIfstype\fR = NTFS \fR
1466
Example: \fB\fIfstype\fR = Samba \fR
2056
This parameter allows the administrator to configure the string that specifies the type of filesystem a share is using that is reported by
2058
when a client queries the filesystem type for a share. The default type is
2060
for compatibility with Windows NT but this can be changed to other strings such as
2067
\fB\fIfstype\fR = NTFS \fR
2070
\fB\fIfstype\fR = Samba \fR
1469
2072
get quota command (G)
1470
The \fBget quota command\fR should only be used whenever there is no operating system API available from the OS that samba can use\&.
1472
This option is only available with \fB\&./configure \-\-with\-sys\-quotas\fR\&. Or on linux when \fB\&./configure \-\-with\-quotas\fR was used and a working quota api was found in the system\&.
1474
This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on\&.
2074
\fBget quota command\fR
2075
should only be used whenever there is no operating system API available from the OS that samba can use.
2077
This option is only available with
2078
\fB./configure --with-sys-quotas\fR. Or on linux when
2079
\fB./configure --with-quotas\fR
2080
was used and a working quota api was found in the system.
2082
This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on.
1476
2084
Such a script should take 3 arguments:
1488
2094
uid of user or gid of group
1492
2097
The type of query can be one of :
1501
2 \- user default quotas (uid = \-1)
1507
4 \- group default quotas (gid = \-1)
1511
This script should print one line as output with spaces between the arguments\&. The arguments are:
1517
Arg 1 \- quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
1520
Arg 2 \- number of currently used blocks
1523
Arg 3 \- the softlimit number of blocks
1526
Arg 4 \- the hardlimit number of blocks
1529
Arg 5 \- currently used number of inodes
1532
Arg 6 \- the softlimit number of inodes
1535
Arg 7 \- the hardlimit number of inodes
1538
Arg 8(optional) \- the number of bytes in a block(default is 1024)
1542
Default: \fB\fIget quota command\fR = \fR
1544
Example: \fB\fIget quota command\fR = /usr/local/sbin/query_quota \fR
2104
2 - user default quotas (uid = -1)
2110
4 - group default quotas (gid = -1)
2113
This script should print one line as output with spaces between the arguments. The arguments are:
2117
Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
2120
Arg 2 - number of currently used blocks
2123
Arg 3 - the softlimit number of blocks
2126
Arg 4 - the hardlimit number of blocks
2129
Arg 5 - currently used number of inodes
2132
Arg 6 - the softlimit number of inodes
2135
Arg 7 - the hardlimit number of inodes
2138
Arg 8(optional) - the number of bytes in a block(default is 1024)
2142
\fB\fIget quota command\fR = \fR
2145
\fB\fIget quota command\fR = /usr/local/sbin/query_quota \fR
1547
2147
getwd cache (G)
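Review bot: In the get quota command text, "Or on linux when ./configure --with-quotas was used and a working quota api was found in the system." (new lines 2078-2080) is a sentence fragment. Join it to the preceding sentence with "or", and write "Linux" and "API" to match "operating system API" two lines earlier. "Arg 8(optional)" and "block(default is 1024)" on new line 2138 also need a space before the parenthesis.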
1548
This is a tuning option\&. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls\&. This can have a significant impact on performance, especially when the wide smbconfoptions parameter is set to \fBno\fR\&.
1550
Default: \fB\fIgetwd cache\fR = yes \fR
2148
This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the
2149
wide smbconfoptions parameter is set to
2153
\fB\fIgetwd cache\fR = yes \fR
1553
2155
guest account (G)
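Review bot: In the getwd cache text, "wide smbconfoptions parameter" (new line 2149, unchanged from old line 1548) reads like an unexpanded cross-reference rather than a parameter name. Replace it with the name of the parameter actually meant (presumably wide links), otherwise the performance advice points at an option a reader cannot look up.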
1554
This is a username which will be used for access to services which are specified as guest ok (see below)\&. Whatever privileges this user has will be available to any client connecting to the guest service\&. This user must exist in the password file, but does not require a valid login\&. The user account "ftp" is often a good choice for this parameter\&.
1556
On some systems the default guest account "nobody" may not be able to print\&. Use another account in this case\&. You should test this by trying to log in as your guest user (perhaps by using the \fBsu \-\fR command) and trying to print using the system print command such as \fBlpr(1)\fR or \fB lp(1)\fR\&.
1558
This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation\&.
1560
Default: \fB\fIguest account\fR = nobody # default can be changed at compile\-time \fR
1562
Example: \fB\fIguest account\fR = ftp \fR
2156
This is a username which will be used for access to services which are specified as
2157
guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice for this parameter.
2159
On some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the
2161
command) and trying to print using the system print command such as
2166
This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation.
2169
\fB\fIguest account\fR = nobody # default can be changed at compile-time \fR
2172
\fB\fIguest account\fR = ftp \fR
1566
This parameter is a synonym for guest ok\&.
2175
This parameter is a synonym for guest ok.
1570
If this parameter is \fByes\fR for a service, then no password is required to connect to the service\&. Privileges will be those of the guest account\&.
1572
This paramater nullifies the benifits of setting restrict anonymous = 2
1574
See the section below on security for more information about this option\&.
1576
Default: \fB\fIguest ok\fR = no \fR
2178
If this parameter is
2180
for a service, then no password is required to connect to the service. Privileges will be those of the
2183
This paramater nullifies the benifits of setting
2184
restrict anonymous = 2
2186
See the section below on
2187
security for more information about this option.
2190
\fB\fIguest ok\fR = no \fR
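Review bot: In the guest ok text, "This paramater nullifies the benifits of setting restrict anonymous = 2" is carried over to new lines 2183-2184 with both spelling errors and no closing full stop. It is the only sentence here that warns that guest ok defeats restrict anonymous = 2, so it is worth correcting to "This parameter nullifies the benefits of setting restrict anonymous = 2." in the same change.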
1580
This parameter is a synonym for guest only\&.
2193
This parameter is a synonym for guest only.
1584
If this parameter is \fByes\fR for a service, then only guest connections to the service are permitted\&. This parameter will have no effect if guest ok is not set for the service\&.
1586
See the section below on security for more information about this option\&.
1588
Default: \fB\fIguest only\fR = no \fR
2196
If this parameter is
2198
for a service, then only guest connections to the service are permitted. This parameter will have no effect if
2199
guest ok is not set for the service.
2201
See the section below on
2202
security for more information about this option.
2205
\fB\fIguest only\fR = no \fR
1591
2207
hide dot files (S)
1592
This is a boolean parameter that controls whether files starting with a dot appear as hidden files\&.
1594
Default: \fB\fIhide dot files\fR = yes \fR
2208
This is a boolean parameter that controls whether files starting with a dot appear as hidden files.
2211
\fB\fIhide dot files\fR = yes \fR
1598
This is a list of files or directories that are not visible but are accessible\&. The DOS 'hidden' attribute is applied to any files or directories that match\&.
1600
Each entry in the list must be separated by a '/', which allows spaces to be included in the entry\&. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards\&.
1602
Each entry must be a Unix path, not a DOS path and must not include the Unix directory separator '/'\&.
1604
Note that the case sensitivity option is applicable in hiding files\&.
1606
Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned\&.
1608
The example shown above is based on files that the Macintosh SMB client (DAVE) available from Thursby creates for internal use, and also still hides all files beginning with a dot\&.
1610
An example of us of this parameter is:
2214
This is a list of files or directories that are not visible but are accessible. The DOS 'hidden' attribute is applied to any files or directories that match.
2216
Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.
2218
Each entry must be a Unix path, not a DOS path and must not include the Unix directory separator '/'.
2220
Note that the case sensitivity option is applicable in hiding files.
2222
Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.
2224
The example shown above is based on files that the Macintosh SMB client (DAVE) available from
2226
creates for internal use, and also still hides all files beginning with a dot.
2228
An example of us of this parameter is:
1613
hide files = /\&.*/DesktopFolderDB/TrashFor%m/resource\&.frk/
2233
hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
1617
Default: \fB\fIhide files\fR = # no file are hidden \fR
2238
\fB\fIhide files\fR = # no file are hidden \fR
1620
2240
hide special files (S)
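Review bot: In the hide files text, "The example shown above" (new line 2224) refers to an example that only appears further down at new line 2233, so the reference should say "below" or the paragraph should move after the example. The same block keeps "An example of us of this parameter is:" (2228) and "# no file are hidden" (2238), which should read "use of" and "no files are hidden".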
1621
This parameter prevents clients from seeing special files such as sockets, devices and fifo's in directory listings\&.
1623
Default: \fB\fIhide special files\fR = no \fR
2241
This parameter prevents clients from seeing special files such as sockets, devices and fifo's in directory listings.
2244
\fB\fIhide special files\fR = no \fR
1626
2246
hide unreadable (S)
1627
This parameter prevents clients from seeing the existance of files that cannot be read\&. Defaults to off\&.
1629
Default: \fB\fIhide unreadable\fR = no \fR
2247
This parameter prevents clients from seeing the existance of files that cannot be read. Defaults to off.
2250
\fB\fIhide unreadable\fR = no \fR
1632
2252
hide unwriteable files (S)
1633
This parameter prevents clients from seeing the existance of files that cannot be written to\&. Defaults to off\&. Note that unwriteable directories are shown as usual\&.
1635
Default: \fB\fIhide unwriteable files\fR = no \fR
2253
This parameter prevents clients from seeing the existance of files that cannot be written to. Defaults to off. Note that unwriteable directories are shown as usual.
2256
\fB\fIhide unwriteable files\fR = no \fR
1638
2258
homedir map (G)
1639
If nis homedir is \fByes\fR, and \fBsmbd\fR(8) is also acting as a Win95/98 \fIlogon server\fR then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted\&. At present, only the Sun auto\&.home map format is understood\&. The form of the map is:
2263
is also acting as a Win95/98
2265
then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun auto.home map format is understood. The form of the map is:
1642
2270
\fBusername server:/some/file/system\fR
1644
and the program will extract the servername from before the first ':'\&. There should probably be a better parsing system that copes with different map formats and also Amd (another automounter) maps\&.
1649
A working NIS client is required on the system for this option to work\&.
1652
Default: \fB\fIhomedir map\fR = \fR
1654
Example: \fB\fIhomedir map\fR = amd\&.homedir \fR
2272
and the program will extract the servername from before the first ':'. There should probably be a better parsing system that copes with different map formats and also Amd (another automounter) maps.
2275
.nr an-no-space-flag 1
2279
A working NIS client is required on the system for this option to work.
2281
\fB\fIhomedir map\fR = \fR
2284
\fB\fIhomedir map\fR = amd.homedir \fR
1658
If set to \fByes\fR, Samba will act as a Dfs server, and allow Dfs\-aware clients to browse Dfs trees hosted on the server\&.
1660
See also the msdfs root share level parameter\&. For more information on setting up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3\-HOWTO\&.
1662
Default: \fB\fIhost msdfs\fR = no \fR
2288
\fByes\fR, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.
2291
msdfs root share level parameter. For more information on setting up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3-HOWTO.
2294
\fB\fIhost msdfs\fR = yes \fR
1665
2296
hostname lookups (G)
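Review bot: In the host msdfs entry, the value line changes from "Default: host msdfs = no" (old line 1662) to "host msdfs = yes" (new line 2294), and nothing in the description mentions it. If this is an intended change of default, the text should say so, since with yes Samba acts as a Dfs server and lets Dfs-aware clients browse Dfs trees without the administrator opting in. If it is not intended, restore no. "MSFDS chapter" on new line 2291 also looks like a transposition of MSDFS.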
1666
Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead\&. An example place where hostname lookups are currently used is when checking the \fBhosts deny\fR and \fBhosts allow\fR\&.
1668
Default: \fB\fIhostname lookups\fR = no \fR
1670
Example: \fB\fIhostname lookups\fR = yes \fR
2297
Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking the
2303
\fB\fIhostname lookups\fR = no \fR
2306
\fB\fIhostname lookups\fR = yes \fR
1674
This parameter is a synonym for hosts allow\&.
2309
This parameter is a synonym for hosts allow.
1677
2311
hosts allow (S)
1678
A synonym for this parameter is allow hosts\&.
1680
This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service\&.
1682
If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting\&.
1684
You can specify the hosts by name or IP number\&. For example, you could restrict access to only the hosts on a Class C subnet with something like \fBallow hosts = 150\&.203\&.5\&.\fR\&. The full syntax of the list is described in the man page \fIhosts_access(5)\fR\&. Note that this man page may not be present on your system, so a brief description will be given here also\&.
1686
Note that the localhost address 127\&.0\&.0\&.1 will always be allowed access unless specifically denied by a hosts deny option\&.
1688
You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups\&. The \fBEXCEPT\fR keyword can also be used to limit a wildcard list\&. The following examples may provide some help:
1690
Example 1: allow all IPs in 150\&.203\&.*\&.*; except one
1692
\fBhosts allow = 150\&.203\&. EXCEPT 150\&.203\&.6\&.66\fR
2312
A synonym for this parameter is
2315
This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.
2317
If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.
2319
You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like
2320
\fBallow hosts = 150.203.5.\fR. The full syntax of the list is described in the man page
2321
\fIhosts_access(5)\fR. Note that this man page may not be present on your system, so a brief description will be given here also.
2323
Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a
2326
You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The
2328
keyword can also be used to limit a wildcard list. The following examples may provide some help:
2330
Example 1: allow all IPs in 150.203.*.*; except one
2332
\fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR
1694
2334
Example 2: allow hosts that match the given network/netmask
1696
\fBhosts allow = 150\&.203\&.15\&.0/255\&.255\&.255\&.0\fR
2336
\fBhosts allow = 150.203.15.0/255.255.255.0\fR
1698
2338
Example 3: allow a couple of hosts
1700
2340
\fBhosts allow = lapland, arvidsjaur\fR
1702
2342
Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host
1704
2344
\fBhosts allow = @foonet\fR
1706
2346
\fBhosts deny = pirate\fR
1711
Note that access still requires suitable user\-level passwords\&.
1714
See \fBtestparm\fR(1) for a way of testing your host access to see if it does what you expect\&.
1716
Default: \fB\fIhosts allow\fR = # none (i\&.e\&., all hosts permitted access) \fR
1718
Example: \fB\fIhosts allow\fR = 150\&.203\&.5\&. myhost\&.mynet\&.edu\&.au \fR
2349
.nr an-no-space-flag 1
2353
Note that access still requires suitable user-level passwords.
2356
for a way of testing your host access to see if it does what you expect.
2359
\fB\fIhosts allow\fR = # none (i.e., all hosts permitted access) \fR
2362
\fB\fIhosts allow\fR = 150.203.5. myhost.mynet.edu.au \fR
1722
This parameter is a synonym for hosts deny\&.
2365
This parameter is a synonym for hosts deny.
1726
The opposite of \fIhosts allow\fR \- hosts listed here are \fBNOT\fR permitted access to services unless the specific services have their own lists to override this one\&. Where the lists conflict, the \fIallow\fR list takes precedence\&.
1728
In the event that it is necessary to deny all by default, use the keyword ALL (or the netmask 0\&.0\&.0\&.0/0) and then explicitly specify to the hosts allow = hosts allow parameter those hosts that should be permitted access\&.
1730
Default: \fB\fIhosts deny\fR = # none (i\&.e\&., no hosts specifically excluded) \fR
1732
Example: \fB\fIhosts deny\fR = 150\&.203\&.4\&. badhost\&.mynet\&.edu\&.au \fR
1736
If this global parameter is a non\-null string, it specifies the name of a file to read for the names of hosts and users who will be allowed access without specifying a password\&.
1738
This is not be confused with hosts allow which is about hosts access to services and is more useful for guest services\&. \fI hosts equiv\fR may be useful for NT clients which will not supply passwords to Samba\&.
1743
The use of \fIhosts equiv \fR can be a major security hole\&. This is because you are trusting the PC to supply the correct username\&. It is very easy to get a PC to supply a false username\&. I recommend that the \fIhosts equiv\fR option be only used if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids\&. And only if you \fBreally\fR trust them :\-)\&.
1746
Default: \fB\fIhosts equiv\fR = # no host equivalences \fR
1748
Example: \fB\fIhosts equiv\fR = hosts equiv = /etc/hosts\&.equiv \fR
2370
- hosts listed here are
2372
permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the
2374
list takes precedence.
2376
In the event that it is necessary to deny all by default, use the keyword ALL (or the netmask
2377
0.0.0.0/0) and then explicitly specify to the
2378
hosts allow = hosts allow parameter those hosts that should be permitted access.
2381
\fB\fIhosts deny\fR = # none (i.e., no hosts specifically excluded) \fR
2384
\fB\fIhosts deny\fR = 150.203.4. badhost.mynet.edu.au \fR
1751
2386
idmap backend (G)
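Review bot: The old hosts equiv text (old lines 1736-1748), including the warning that it "can be a major security hole" because the PC is trusted to supply the correct username, has no counterpart on the new side between hosts deny (ending at 2384) and idmap backend (2386). Please confirm the entry has been relocated rather than dropped, and that the warning travels with it if the parameter still exists. Separately, in hosts deny the garbled phrase "explicitly specify to the hosts allow = hosts allow parameter" is carried over to new lines 2377-2378 and should name the parameter once.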
1752
The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common LDAP backend\&. This way all domain members and controllers will have the same UID and GID to SID mappings\&. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (ie: NFS)\&.
1754
An alternate method of SID to UID / GID mapping can be achieved using the idmap_rid plug\-in\&. This plug\-in uses the account RID to derive the UID and GID by adding the RID to a base value specified\&. This utility requires that the parameter``allow trusted domains = No'' must be specified, as it is not compatible with multiple domain environments\&. The idmap uid and idmap gid ranges must also be specified\&.
1756
Finally, using the idmap_ad module, the UID and GID can directly be retrieved from an Active Directory LDAP Server that supports an RFC2307 compliant LDAP schema\&. idmap_ad supports "Services for Unix" (SFU) version 2\&.x and 3\&.0\&.
1758
Default: \fB\fIidmap backend\fR = \fR
1760
Example: \fB\fIidmap backend\fR = ldap:ldap://ldapslave\&.example\&.com \fR
1762
Example: \fB\fIidmap backend\fR = idmap_rid:BUILTIN=1000\-1999,DOMNAME=2000\-100000000 \fR
1764
Example: \fB\fIidmap backend\fR = idmap_ad \fR
2387
The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap tdb file to obtain SID to UID / GID mappings for unmapped SIDs, but instead to obtain them from a common LDAP backend. This way all domain members and controllers will have the same UID and GID to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (ie: NFS).
2389
An alternate method of SID to UID / GID mapping can be achieved using the rid plug-in. This plug-in uses the account RID to derive the UID and GID by adding the RID to a base value specified. This utility requires that the parameter
2390
“allow trusted domains = No”
2391
must be specified, as it is not compatible with multiple domain environments. The idmap uid and idmap gid ranges must also be specified.
2393
Finally, using the ad module, the UID and GID can directly be retrieved from an Active Directory LDAP Server that supports an RFC2307 compliant LDAP schema. ad supports "Services for Unix" (SFU) version 2.x and 3.0.
2396
\fB\fIidmap backend\fR = \fR
2399
\fB\fIidmap backend\fR = ldap:ldap://ldapslave.example.com \fR
2402
\fB\fIidmap backend\fR = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000" \fR
2405
\fB\fIidmap backend\fR = ad \fR
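Review bot: In the idmap backend examples, the module names change from "idmap_rid:BUILTIN=1000-1999,..." and "idmap_ad" to rid:"BUILTIN=1000-1999,..." and "ad" (new lines 2402 and 2405), and the rid value is now quoted, but the text does not say whether the old spellings are still accepted. Add a sentence on compatibility so administrators with existing configurations know whether SID to UID / GID mapping keeps working after an upgrade. The new qualifier "for unmapped SIDs" on line 2387 would also benefit from a short explanation of which SIDs count as unmapped.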
1768
This parameter is a synonym for idmap gid\&.
2408
This parameter is a synonym for idmap gid.
1772
The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNX groups to NT group SIDs\&. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise\&.
1774
The availability of an idmap gid range is essential for correct operation of all group mapping\&.
1776
Default: \fB\fIidmap gid\fR = \fR
1778
Example: \fB\fIidmap gid\fR = 10000\-20000 \fR
2411
The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.
2413
The availability of an idmap gid range is essential for correct operation of all group mapping.
2416
\fB\fIidmap gid\fR = \fR
2419
\fB\fIidmap gid\fR = 10000-20000 \fR
1782
This parameter is a synonym for idmap uid\&.
2422
This parameter is a synonym for idmap uid.
1786
The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs\&. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise\&.
1788
Default: \fB\fIidmap uid\fR = \fR
1790
Example: \fB\fIidmap uid\fR = 10000\-20000 \fR
2425
The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise.
2428
\fB\fIidmap uid\fR = \fR
2431
\fB\fIidmap uid\fR = 10000-20000 \fR
1794
This allows you to include one config file inside another\&. The file is included literally, as though typed in place\&.
1796
It takes the standard substitutions, except \fI%u\fR,\fI%P\fR and \fI%S\fR\&.
1798
Default: \fB\fIinclude\fR = \fR
1800
Example: \fB\fIinclude\fR = /usr/local/samba/lib/admin_smb\&.conf \fR
2434
This allows you to include one config file inside another. The file is included literally, as though typed in place.
2436
It takes the standard substitutions, except
2443
\fB\fIinclude\fR = \fR
2446
\fB\fIinclude\fR = /usr/local/samba/lib/admin_smb.conf \fR
1803
2448
inherit acls (S)
1804
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a subdirectory\&. The default behavior is to use the mode specified when creating the directory\&. Enabling this option sets the mode to 0777, thus guaranteeing that default directory acls are propagated\&.
1806
Default: \fB\fIinherit acls\fR = no \fR
2449
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a subdirectory. The default behavior is to use the mode specified when creating the directory. Enabling this option sets the mode to 0777, thus guaranteeing that default directory acls are propagated.
2452
\fB\fIinherit acls\fR = no \fR
1809
2454
inherit owner (S)
1810
The ownership of new files and directories is normally governed by effective uid of the connected user\&. This option allows the Samba administrator to specify that the ownership for new files and directories should be controlled by the ownership of the parent directory\&.
1812
Common scenarios where this behavior is useful is in implementing drop\-boxes where users can create and edit files but not delete them and to ensure that newly create files in a user's roaming profile directory are actually owner by the user\&.
1814
Default: \fB\fIinherit owner\fR = no \fR
2455
The ownership of new files and directories is normally governed by effective uid of the connected user. This option allows the Samba administrator to specify that the ownership for new files and directories should be controlled by the ownership of the parent directory.
2457
Common scenarios where this behavior is useful is in implementing drop-boxes where users can create and edit files but not delete them and to ensure that newly create files in a user's roaming profile directory are actually owner by the user.
2460
\fB\fIinherit owner\fR = no \fR
1817
2462
inherit permissions (S)
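Review bot: In the inherit owner text, new line 2457 keeps "newly create files in a user's roaming profile directory are actually owner by the user" and "Common scenarios where this behavior is useful is". These should read "newly created files", "owned by the user" and "scenarios ... are", since this sentence is what explains when ownership is taken from the parent directory instead of the connected user.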
1818
The permissions on new files and directories are normally governed by create mask,directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this\&.
1820
New directories inherit the mode of the parent directory, including bits such as setgid\&.
1822
New files inherit their read/write bits from the parent directory\&. Their execute bits continue to be determined by map archive, map hidden and map system as usual\&.
1824
Note that the setuid bit is \fBnever\fR set via inheritance (the code explicitly prohibits this)\&.
1826
This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user\&.
1828
Default: \fB\fIinherit permissions\fR = no \fR
2463
The permissions on new files and directories are normally governed by
2466
force create mode and
2467
force directory mode but the boolean inherit permissions parameter overrides this.
2469
New directories inherit the mode of the parent directory, including bits such as setgid.
2471
New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by
2474
map system as usual.
2476
Note that the setuid bit is
2478
set via inheritance (the code explicitly prohibits this).
2480
This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.
2483
\fB\fIinherit permissions\fR = no \fR
1832
This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic\&. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127\&.0\&.0\&.1 that are broadcast capable\&.
1834
The option takes a list of interface strings\&. Each string can be in any of the following forms:
1840
a network interface name (such as eth0)\&. This may include shell\-like wildcards so eth* will match any interface starting with the substring "eth"
1843
an IP address\&. In this case the netmask is determined from the list of interfaces obtained from the kernel
1849
a broadcast/mask pair\&.
2486
This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.
2488
The option takes a list of interface strings. Each string can be in any of the following forms:
2492
a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth"
2495
an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel
2501
a broadcast/mask pair.
1853
The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decimal form\&.
1855
The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms\&.
1857
By default Samba enables all active interfaces that are broadcast capable except the loopback adaptor (IP address 127\&.0\&.0\&.1)\&.
1859
The example below configures three network interfaces corresponding to the eth0 device and IP addresses 192\&.168\&.2\&.10 and 192\&.168\&.3\&.10\&. The netmasks of the latter two interfaces would be set to 255\&.255\&.255\&.0\&.
1861
Default: \fB\fIinterfaces\fR = \fR
1863
Example: \fB\fIinterfaces\fR = eth0 192\&.168\&.2\&.10/24 192\&.168\&.3\&.10/255\&.255\&.255\&.0 \fR
2504
The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decimal form.
2506
The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms.
2508
By default Samba enables all active interfaces that are broadcast capable except the loopback adaptor (IP address 127.0.0.1).
2510
The example below configures three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.
2513
\fB\fIinterfaces\fR = \fR
2516
\fB\fIinterfaces\fR = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 \fR
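Review bot: the opening paragraph of the interfaces text says the list is used for "browsing, name registration and other NBT traffic" but never states whether it also limits the addresses on which connections are accepted, so `interfaces = eth0` can be read as an access restriction. Suggest adding one sentence after that paragraph that says explicitly whether the list restricts listening, and if it does not, pointing the reader to `bind interfaces only`. The same paragraph could also mention that a hostname given as the "IP" form depends on name resolution being available when the list is read.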
1866
2518
invalid users (S)
1867
This is a list of users that should not be allowed to login to this service\&. This is really a \fBparanoid\fR check to absolutely ensure an improper setting does not breach your security\&.
1869
A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database\&.
1871
A name starting with '+' is interpreted only by looking in the UNIX group database\&. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system)\&. The characters '+' and '&' may be used at the start of the name in either order so the value \fI+&group\fR means check the UNIX group database, followed by the NIS netgroup database, and the value \fI&+group\fR means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix)\&.
1873
The current servicename is substituted for \fI%S\fR\&. This is useful in the [homes] section\&.
1875
Default: \fB\fIinvalid users\fR = # no invalid users \fR
1877
Example: \fB\fIinvalid users\fR = root fred admin @wheel \fR
2519
This is a list of users that should not be allowed to login to this service. This is really a
2521
check to absolutely ensure an improper setting does not breach your security.
2523
A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database.
2525
A name starting with '+' is interpreted only by looking in the UNIX group database. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order so the value
2527
means check the UNIX group database, followed by the NIS netgroup database, and the value
2529
means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).
2531
The current servicename is substituted for
2532
\fI%S\fR. This is useful in the [homes] section.
2535
\fB\fIinvalid users\fR = # no invalid users \fR
2538
\fB\fIinvalid users\fR = root fred admin @wheel \fR
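Review bot: the example `invalid users = root fred admin @wheel` uses the '@' prefix, which the second paragraph says is tried as an NIS netgroup first and as a UNIX group only when no such netgroup is found, so on a NIS system the deny entry may not refer to the local wheel group at all. For a parameter the old text calls a paranoid check, suggest the example use `+wheel`, or add a sentence saying to prefer '+' when the UNIX group is what is meant.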
1880
2540
iprint server (G)
1881
This parameter is only applicable if printing is set to \fBiprint\fR\&.
1883
If set, this option overrides the ServerName option in the CUPS \fIclient\&.conf\fR\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
1885
Default: \fB\fIiprint server\fR = "" \fR
1887
Example: \fB\fIiprint server\fR = MYCUPSSERVER \fR
2541
This parameter is only applicable if
2545
If set, this option overrides the ServerName option in the CUPS
2546
\fIclient.conf\fR. This is necessary if you have virtual samba servers that connect to different CUPS daemons.
2549
\fB\fIiprint server\fR = "" \fR
2552
\fB\fIiprint server\fR = MYCUPSSERVER \fR
1891
The value of the parameter (an integer) represents the number of seconds between \fIkeepalive\fR packets\&. If this parameter is zero, no keepalive packets will be sent\&. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding\&.
1893
Keepalives should, in general, not be needed if the socket has the SO_KEEPALIVE attribute set on it by default\&. (see socket options)\&. Basically you should only use this option if you strike difficulties\&.
1895
Default: \fB\fIkeepalive\fR = 300 \fR
1897
Example: \fB\fIkeepalive\fR = 600 \fR
2555
The value of the parameter (an integer) represents the number of seconds between
2557
packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding.
2559
Keepalives should, in general, not be needed if the socket has the SO_KEEPALIVE attribute set on it by default. (see
2560
socket options). Basically you should only use this option if you strike difficulties.
2563
\fB\fIkeepalive\fR = 300 \fR
2566
\fB\fIkeepalive\fR = 600 \fR
1900
2568
kernel change notify (G)
1901
This parameter specifies whether Samba should ask the kernel for change notifications in directories so that SMB clients can refresh whenever the data on the server changes\&.
1903
This parameter is only used when your kernel supports change notification to user programs, using the F_NOTIFY fcntl\&.
1905
Default: \fB\fIkernel change notify\fR = yes \fR
2569
This parameter specifies whether Samba should ask the kernel for change notifications in directories so that SMB clients can refresh whenever the data on the server changes.
2571
This parameter is only used when your kernel supports change notification to user programs, using the F_NOTIFY fcntl.
2574
\fB\fIkernel change notify\fR = yes \fR
1908
2576
kernel oplocks (G)
1909
For UNIXes that support kernel based oplocks (currently only IRIX and the Linux 2\&.4 kernel), this parameter allows the use of them to be turned on or off\&.
1911
Kernel oplocks support allows Samba \fIoplocks \fR to be broken whenever a local UNIX process or NFS operation accesses a file that \fBsmbd\fR(8) has oplocked\&. This allows complete data consistency between SMB/CIFS, NFS and local file access (and is a \fBvery\fR cool feature :\-)\&.
1913
This parameter defaults to \fBon\fR, but is translated to a no\-op on systems that no not have the necessary kernel support\&. You should never need to touch this parameter\&.
1915
Default: \fB\fIkernel oplocks\fR = yes \fR
2577
For UNIXes that support kernel based
2578
oplocks (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.
2580
Kernel oplocks support allows Samba
2582
to be broken whenever a local UNIX process or NFS operation accesses a file that
2584
has oplocked. This allows complete data consistency between SMB/CIFS, NFS and local file access (and is a
2588
This parameter defaults to
2589
\fBon\fR, but is translated to a no-op on systems that no not have the necessary kernel support. You should never need to touch this parameter.
2592
\fB\fIkernel oplocks\fR = yes \fR
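Review bot: the reflowed sentence at new line 2589 still reads "systems that no not have the necessary kernel support"; it should be "do not have". The typo is carried over unchanged from old line 1913, so this is a good place to fix it.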
1918
2594
lanman auth (G)
1919
This parameter determines whether or not \fBsmbd\fR(8) will attempt to authenticate users or permit password changes using the LANMAN password hash\&. If disabled, only clients which support NT password hashes (e\&.g\&. Windows NT/2000 clients, smbclient, but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host\&.
1921
The LANMAN encrypted response is easily broken, due to it's case\-insensitive nature, and the choice of algorithm\&. Servers without Windows 95/98/ME or MS DOS clients are advised to disable this option\&.
1923
Unlike the \fBencypt passwords\fR option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network\&. See the \fBclient lanman auth\fR to disable this for Samba's clients (such as smbclient)
1925
If this option, and \fBntlm auth\fR are both disabled, then only NTLMv2 logins will be permited\&. Not all clients support NTLMv2, and most will require special configuration to use it\&.
1927
Default: \fB\fIlanman auth\fR = yes \fR
2595
This parameter determines whether or not
2597
will attempt to authenticate users or permit password changes using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.
2599
The LANMAN encrypted response is easily broken, due to it's case-insensitive nature, and the choice of algorithm. Servers without Windows 95/98/ME or MS DOS clients are advised to disable this option.
2602
\fBencypt passwords\fR
2603
option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network. See the
2604
\fBclient lanman auth\fR
2605
to disable this for Samba's clients (such as smbclient)
2609
are both disabled, then only NTLMv2 logins will be permited. Not all clients support NTLMv2, and most will require special configuration to use it.
2612
\fB\fIlanman auth\fR = yes \fR
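Review bot: three wording errors are carried from the old lanman auth text into the new lines unchanged: "due to it's case-insensitive nature" (should be "its"), `encypt passwords` (the parameter is `encrypt passwords`) and "will be permited". The parameter name matters most, since a reader searching the page for it will not find a match. The sentence ending "(such as smbclient)" also still lacks its full stop. Separately, the text advises servers without Windows 95/98/ME or MS DOS clients to disable the option while the default shown remains `lanman auth = yes`; one sentence on why the default stays at yes would make it clear that the default is not the recommended setting for those servers.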
1930
2614
large readwrite (G)
1931
This parameter determines whether or not \fBsmbd\fR(8) supports the new 64k streaming read and write varient SMB requests introduced with Windows 2000\&. Note that due to Windows 2000 client redirector bugs this requires Samba to be running on a 64\-bit capable operating system such as IRIX, Solaris or a Linux 2\&.4 kernel\&. Can improve performance by 10% with Windows 2000 clients\&. Defaults to on\&. Not as tested as some other Samba code paths\&.
1933
Default: \fB\fIlarge readwrite\fR = yes \fR
2615
This parameter determines whether or not
2617
supports the new 64k streaming read and write varient SMB requests introduced with Windows 2000. Note that due to Windows 2000 client redirector bugs this requires Samba to be running on a 64-bit capable operating system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with Windows 2000 clients. Defaults to on. Not as tested as some other Samba code paths.
2620
\fB\fIlarge readwrite\fR = yes \fR
1936
2622
ldap admin dn (G)
1937
The ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving user account information\&. The ldap admin dn is used in conjunction with the admin dn password stored in the \fIprivate/secrets\&.tdb\fR file\&. See the \fBsmbpasswd\fR(8) man page for more information on how to accomplish this\&.
1939
The ldap admin dn requires a fully specified DN\&. The ldap suffix is not appended to the ldap admin dn\&.
2624
ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving user account information. The
2625
ldap admin dn is used in conjunction with the admin dn password stored in the
2626
\fIprivate/secrets.tdb\fR
2629
man page for more information on how to accomplish this.
2632
ldap admin dn requires a fully specified DN. The
2633
ldap suffix is not appended to the
1941
2636
\fBNo default\fR
1944
2638
ldap delete dn (G)
1945
This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba\&.
1947
Default: \fB\fIldap delete dn\fR = no \fR
2639
This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba.
2642
\fB\fIldap delete dn\fR = no \fR
1950
2644
ldap group suffix (G)
1951
This parameters specifies the suffix that is used for groups when these are added to the LDAP directory\&. If this parameter is unset, the value of ldap suffix will be used instead\&. The suffix string is pre\-pended to the ldap suffix string so use a partial DN\&.
1953
Default: \fB\fIldap group suffix\fR = \fR
1955
Example: \fB\fIldap group suffix\fR = ou=Groups \fR
2645
This parameter specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of
2646
ldap suffix will be used instead. The suffix string is pre-pended to the
2647
ldap suffix string so use a partial DN.
2650
\fB\fIldap group suffix\fR = \fR
2653
\fB\fIldap group suffix\fR = ou=Groups \fR
1958
2655
ldap idmap suffix (G)
1959
This parameters specifies the suffix that is used when storing idmap mappings\&. If this parameter is unset, the value of ldap suffix will be used instead\&. The suffix string is pre\-pended to the ldap suffix string so use a partial DN\&.
1961
Default: \fB\fIldap idmap suffix\fR = \fR
1963
Example: \fB\fIldap idmap suffix\fR = ou=Idmap \fR
2656
This parameters specifies the suffix that is used when storing idmap mappings. If this parameter is unset, the value of
2657
ldap suffix will be used instead. The suffix string is pre-pended to the
2658
ldap suffix string so use a partial DN.
2661
\fB\fIldap idmap suffix\fR = \fR
2664
\fB\fIldap idmap suffix\fR = ou=Idmap \fR
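Review bot: "This parameters specifies" is corrected to "This parameter specifies" in the new ldap group suffix text (new line 2645) but left as it was in the new ldap idmap suffix text at line 2656. Apply the same correction here so the parallel entries read the same.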
1966
2666
ldap machine suffix (G)
1967
It specifies where machines should be added to the ldap tree\&. If this parameter is unset, the value ofldap suffix will be used instead\&. The suffix string is pre\-pended to theldap suffix string so use a partial DN\&.
1969
Default: \fB\fIldap machine suffix\fR = \fR
1971
Example: \fB\fIldap machine suffix\fR = ou=Computers \fR
2667
It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of
2668
ldap suffix will be used instead. The suffix string is pre-pended to the
2669
ldap suffix string so use a partial DN.
2672
\fB\fIldap machine suffix\fR = \fR
2675
\fB\fIldap machine suffix\fR = ou=Computers \fR
1974
2677
ldap passwd sync (G)
1975
This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA\&.
1977
The ldap passwd sync can be set to one of three values:
1983
\fIYes\fR = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time\&.
1986
\fINo\fR = Update NT and LM passwords and update the pwdLastSet time\&.
1989
\fIOnly\fR = Only update the LDAP password and let the LDAP server do the rest\&.
2678
This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA.
2681
ldap passwd sync can be set to one of three values:
2686
= Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.
2690
= Update NT and LM passwords and update the pwdLastSet time.
2694
= Only update the LDAP password and let the LDAP server do the rest.
1993
Default: \fB\fIldap passwd sync\fR = no \fR
1997
This parameter is only available if Samba has been configure to include the\fB\-\-with\-ldapsam\fR option at compile time\&.
1999
This option is used to control the tcp port number used to contact theldap server\&. The default is to use the stand LDAPS port 636\&.
2001
Default: \fB\fIldap port\fR = 636 # if ldap ssl = on \fR
2003
Default: \fB\fIldap port\fR = 389 # if ldap ssl = off \fR
2698
\fB\fIldap passwd sync\fR = no \fR
2006
2700
ldap replication sleep (G)
2007
When Samba is asked to write to a read\-only LDAP replica, we are redirected to talk to the read\-write master server\&. This server then replicates our changes back to the 'local' server, however the replication might take some seconds, especially over slow links\&. Certain client activities, particularly domain joins, can become confused by the 'success' that does not immediately change the LDAP back\-end's data\&.
2009
This option simply causes Samba to wait a short time, to allow the LDAP server to catch up\&. If you have a particularly high\-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly\&. Be aware that no checking is performed that the data has actually replicated\&.
2011
The value is specified in milliseconds, the maximum value is 5000 (5 seconds)\&.
2013
Default: \fB\fIldap replication sleep\fR = 1000 \fR
2701
When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server. This server then replicates our changes back to the 'local' server, however the replication might take some seconds, especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success' that does not immediately change the LDAP back-end's data.
2703
This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly. Be aware that no checking is performed that the data has actually replicated.
2705
The value is specified in milliseconds, the maximum value is 5000 (5 seconds).
2708
\fB\fIldap replication sleep\fR = 1000 \fR
2016
2710
ldapsam:trusted (G)
2017
By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix\-style NSS subsystem to access user and group information\&. Due to the way Unix stores user information in /etc/passwd and /etc/group this inevitably leads to inefficiencies\&. One important question a user needs to know is the list of groups he is member of\&. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS counterparts in LDAP\&. UNIX has optimized functions to enumerate group membership\&. Sadly, other functions that are used to deal with user and group attributes lack such optimization\&.
2019
o make Samba scale well in large environments, the ldapsam:trusted = yes option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the standard posixAccount/posixGroup attributes\&. It further assumes that the Samba auxiliary object classes are stored together with the POSIX data in the same LDAP object\&. If these assumptions are met,ldapsam:trusted = yes can be activated and Samba can completely bypass the NSS system to query user information\&. Optimized LDAP queries can greatly speed up domain logon and administration tasks\&. Depending on the size of the LDAP database a factor of 100 or more for common queries is easily achieved\&.
2021
Default: \fB\fIldapsam:trusted\fR = no \fR
2025
This parameter is only available if Samba has been configure to include the \fB\-\-with\-ldapsam\fR option at compile time\&.
2027
This parameter should contain the FQDN of the ldap directory server which should be queried to locate user account information\&.
2029
Default: \fB\fIldap server\fR = localhost \fR
2711
By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that are used to deal with user and group attributes lack such optimization.
2713
o make Samba scale well in large environments, the
2714
ldapsam:trusted = yes option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are stored together with the POSIX data in the same LDAP object. If these assumptions are met,
2715
ldapsam:trusted = yes can be activated and Samba can completely bypass the NSS system to query user information. Optimized LDAP queries can greatly speed up domain logon and administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries is easily achieved.
2718
\fB\fIldapsam:trusted\fR = no \fR
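Review bot: the second paragraph still begins "o make Samba scale well" on the new side (line 2713); the leading "T" is missing, as it was on old line 2019. Because this paragraph lists the assumptions under which Samba bypasses NSS completely, it would also help to say what happens when they do not hold, for example when accounts or group memberships exist outside LDAP, since the text only covers the case "If these assumptions are met".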
2033
This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is \fBNOT\fR related to Samba's previous SSL support which was enabled by specifying the\fB\-\-with\-ssl\fR option to the \fIconfigure\fR script\&.
2035
The ldap ssl can be set to one of three values:
2041
\fIOff\fR = Never use SSL when querying the directory\&.
2044
\fIStart_tls\fR = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server\&.
2047
\fIOn\fR = Use SSL on the ldaps port when contacting the \fIldap server\fR\&. Only available when the backwards\-compatiblity \fB\-\-with\-ldapsam\fR option is specified to configure\&. See passdb backend
2721
This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is
2723
related to Samba's previous SSL support which was enabled by specifying the
2730
ldap ssl can be set to one of three values:
2735
= Never use SSL when querying the directory.
2739
= Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.
2743
= Use SSL on the ldaps port when contacting the
2744
\fIldap server\fR. Only available when the backwards-compatiblity
2745
\fB--with-ldapsam\fR
2746
option is specified to configure. See
2051
Default: \fB\fIldap ssl\fR = start_tls \fR
2751
\fB\fIldap ssl\fR = start_tls \fR
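Review bot: the new text for the On value still says "Use SSL on the ldaps port when contacting the ldap server" and ties it to `--with-ldapsam`, while the ldap port and ldap server descriptions (old lines 1997-2003 and 2025-2029) have no counterpart on the new side in this part of the diff. If those two parameters are being dropped from the page, this sentence needs rewording so it does not refer to a parameter the page no longer documents. Two smaller points in the same lines: new line 2721 keeps the missing full stop in "connecting to the ldap server This is", and "backwards-compatiblity" should be "backwards-compatibility".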
2054
2753
ldap suffix (G)
2055
Specifies the base for all ldap suffixes and for storing the sambaDomain object\&.
2057
The ldap suffix will be appended to the values specified for the ldap user suffix,ldap group suffix, ldap machine suffix, and theldap idmap suffix\&. Each of these should be given only a DN relative to theldap suffix\&.
2059
Default: \fB\fIldap suffix\fR = \fR
2061
Example: \fB\fIldap suffix\fR = dc=samba,dc=org \fR
2754
Specifies the base for all ldap suffixes and for storing the sambaDomain object.
2756
The ldap suffix will be appended to the values specified for the
2759
ldap machine suffix, and the
2760
ldap idmap suffix. Each of these should be given only a DN relative to the
2764
\fB\fIldap suffix\fR = \fR
2767
\fB\fIldap suffix\fR = dc=samba,dc=org \fR
2064
2769
ldap timeout (G)
2065
When Samba connects to an ldap server that servermay be down or unreachable\&. To prevent Samba from hanging whilst waiting for the connection this parameter specifies in seconds how long Samba should wait before failing the connect\&. The default is to only wait fifteen seconds for the ldap server to respond to the connect request\&.
2067
Default: \fB\fIldap timeout\fR = 15 \fR
2770
When Samba connects to an ldap server that servermay be down or unreachable. To prevent Samba from hanging whilst waiting for the connection this parameter specifies in seconds how long Samba should wait before failing the connect. The default is to only wait fifteen seconds for the ldap server to respond to the connect request.
2773
\fB\fIldap timeout\fR = 15 \fR
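Review bot: "that servermay be down" on new line 2770 is missing a space, carried over from old line 2065. The first sentence would also read more clearly as "When Samba connects to an ldap server, that server may be down or unreachable."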
2070
2775
ldap user suffix (G)
2071
This parameter specifies where users are added to the tree\&. If this parameter is unset, the value of ldap suffix will be used instead\&. The suffix string is pre\-pended to the ldap suffix string so use a partial DN\&.
2073
Default: \fB\fIldap user suffix\fR = \fR
2075
Example: \fB\fIldap user suffix\fR = ou=people \fR
2776
This parameter specifies where users are added to the tree. If this parameter is unset, the value of
2777
ldap suffix will be used instead. The suffix string is pre-pended to the
2778
ldap suffix string so use a partial DN.
2781
\fB\fIldap user suffix\fR = \fR
2784
\fB\fIldap user suffix\fR = ou=people \fR
2078
2786
level2 oplocks (S)
2079
This parameter controls whether Samba supports level2 (read\-only) oplocks on a share\&.
2081
Level2, or read\-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read\-write oplock to a read\-only oplock once a second client opens the file (instead of releasing all oplocks on a second open, as in traditional, exclusive oplocks)\&. This allows all openers of the file that support level2 oplocks to cache the file for read\-ahead only (ie\&. they may not cache writes or lock requests) and increases performance for many accesses of files that are not commonly written (such as application \&.EXE files)\&.
2083
Once one of the clients which have a read\-only oplock writes to the file all clients are notified (no reply is needed or waited for) and told to break their oplocks to "none" and delete any read\-ahead caches\&.
2085
It is recommended that this parameter be turned on to speed access to shared executables\&.
2087
For more discussions on level2 oplocks see the CIFS spec\&.
2089
Currently, if kernel oplocks are supported then level2 oplocks are not granted (even if this parameter is set to\fByes\fR)\&. Note also, the oplocks parameter must be set to \fByes\fR on this share in order for this parameter to have any effect\&.
2091
Default: \fB\fIlevel2 oplocks\fR = yes \fR
2787
This parameter controls whether Samba supports level2 (read-only) oplocks on a share.
2789
Level2, or read-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read-write oplock to a read-only oplock once a second client opens the file (instead of releasing all oplocks on a second open, as in traditional, exclusive oplocks). This allows all openers of the file that support level2 oplocks to cache the file for read-ahead only (ie. they may not cache writes or lock requests) and increases performance for many accesses of files that are not commonly written (such as application .EXE files).
2791
Once one of the clients which have a read-only oplock writes to the file all clients are notified (no reply is needed or waited for) and told to break their oplocks to "none" and delete any read-ahead caches.
2793
It is recommended that this parameter be turned on to speed access to shared executables.
2795
For more discussions on level2 oplocks see the CIFS spec.
2798
kernel oplocks are supported then level2 oplocks are not granted (even if this parameter is set to
2799
\fByes\fR). Note also, the
2800
oplocks parameter must be set to
2802
on this share in order for this parameter to have any effect.
2805
\fB\fIlevel2 oplocks\fR = yes \fR
2094
2807
lm announce (G)
2095
This parameter determines if \fBnmbd\fR(8) will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list\&. This parameter can have three values, \fByes\fR, \fBno\fR, or\fBauto\fR\&. The default is \fBauto\fR\&. If set to \fBno\fR Samba will never produce these broadcasts\&. If set to \fByes\fR Samba will produce Lanman announce broadcasts at a frequency set by the parameterlm interval\&. If set to \fBauto\fR Samba will not send Lanman announce broadcasts by default but will listen for them\&. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameterlm interval\&.
2097
Default: \fB\fIlm announce\fR = auto \fR
2099
Example: \fB\fIlm announce\fR = yes \fR
2808
This parameter determines if
2810
will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values,
2813
\fBauto\fR. The default is
2814
\fBauto\fR. If set to
2816
Samba will never produce these broadcasts. If set to
2818
Samba will produce Lanman announce broadcasts at a frequency set by the parameter
2819
lm interval. If set to
2821
Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter
2825
\fB\fIlm announce\fR = auto \fR
2828
\fB\fIlm announce\fR = yes \fR
2102
2830
lm interval (G)
2103
If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see thelm announce parameter) then this parameter defines the frequency in seconds with which they will be made\&. If this is set to zero then no Lanman announcements will be made despite the setting of the lm announce parameter\&.
2105
Default: \fB\fIlm interval\fR = 60 \fR
2107
Example: \fB\fIlm interval\fR = 120 \fR
2831
If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the
2832
lm announce parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be made despite the setting of the
2833
lm announce parameter.
2836
\fB\fIlm interval\fR = 60 \fR
2839
\fB\fIlm interval\fR = 120 \fR
2110
2841
load printers (G)
2111
A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default\&. See the printers section for more details\&.
2113
Default: \fB\fIload printers\fR = yes \fR
2842
A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the
2843
printers section for more details.
2846
\fB\fIload printers\fR = yes \fR
2116
2848
local master (G)
2117
This option allows \fBnmbd\fR(8) to try and become a local master browser on a subnet\&. If set to \fBno\fR then \fB nmbd\fR will not attempt to become a local master browser on a subnet and will also lose in all browsing elections\&. By default this value is set to \fByes\fR\&. Setting this value to\fByes\fR doesn't mean that Samba will \fBbecome\fR the local master browser on a subnet, just that \fBnmbd\fR will \fBparticipate\fR in elections for local master browser\&.
2119
Setting this value to \fBno\fR will cause \fBnmbd\fR \fBnever\fR to become a local master browser\&.
2121
Default: \fB\fIlocal master\fR = yes \fR
2851
to try and become a local master browser on a subnet. If set to
2855
will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By default this value is set to
2856
\fByes\fR. Setting this value to
2858
doesn't mean that Samba will
2860
the local master browser on a subnet, just that
2864
in elections for local master browser.
2866
Setting this value to
2871
to become a local master browser.
2874
\fB\fIlocal master\fR = yes \fR
2125
This parameter is a synonym for lock directory\&.
2877
This parameter is a synonym for lock directory.
2128
2879
lock directory (G)
2129
This option specifies the directory where lock files will be placed\&. The lock files are used to implement themax connections option\&.
2131
Default: \fB\fIlock directory\fR = ${prefix}/var/locks \fR
2133
Example: \fB\fIlock directory\fR = /var/run/samba/locks \fR
2880
This option specifies the directory where lock files will be placed. The lock files are used to implement the
2881
max connections option.
2884
\fB\fIlock directory\fR = ${prefix}/var/locks \fR
2887
\fB\fIlock directory\fR = /var/run/samba/locks \fR
2137
This controls whether or not locking will be performed by the server in response to lock requests from the client\&.
2139
If \fBlocking = no\fR, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking\&.
2141
If \fBlocking = yes\fR, real locking will be performed by the server\&.
2143
This option \fBmay\fR be useful for read\-only filesystems which \fBmay\fR not need locking (such as CDROM drives), although setting this parameter of \fBno\fR is not really recommended even in this case\&.
2145
Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption\&. You should never need to set this parameter\&.
2890
This controls whether or not locking will be performed by the server in response to lock requests from the client.
2893
\fBlocking = no\fR, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking.
2896
\fBlocking = yes\fR, real locking will be performed by the server.
2900
be useful for read-only filesystems which
2902
not need locking (such as CDROM drives), although setting this parameter of
2904
is not really recommended even in this case.
2906
Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption. You should never need to set this parameter.
2147
2908
\fBNo default\fR
2150
2910
lock spin count (G)
2151
This parameter controls the number of times that smbd should attempt to gain a byte range lock on the behalf of a client request\&. Experiments have shown that Windows 2k servers do not reply with a failure if the lock could not be immediately granted, but try a few more times in case the lock could later be acquired\&. This behavior is used to support PC database formats such as MS Access and FoxPro\&.
2153
Default: \fB\fIlock spin count\fR = 3 \fR
2911
This parameter has been made inoperative in Samba 3.0.24. The functionality it contolled is now controlled by the parameter
2915
\fB\fIlock spin count\fR = 0 \fR
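Review bot: "contolled" in the new lock spin count description is a typo for "controlled". The same sentence, "The functionality it contolled is now controlled by the parameter", should name that parameter in running text so it still reads correctly where the cross-reference link is not rendered.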
2156
2917
lock spin time (G)
2157
The time in microseconds that smbd should pause before attempting to gain a failed lock\&. Seelock spin count for more details\&.
2159
Default: \fB\fIlock spin time\fR = 10 \fR
2918
The time in microseconds that smbd should keep waiting to see if a failed lock request can be granted. This parameter has changed in default value from Samba 3.0.23 from 10 to 200. The associated
2919
lock spin count parameter is no longer used in Samba 3.0.24. You should not need to change the value of this parameter.
2922
\fB\fIlock spin time\fR = 200 \fR
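Review bot: the new lock spin time sentence "This parameter has changed in default value from Samba 3.0.23 from 10 to 200" uses "from" twice and does not say whether 3.0.23 is the last release with 10 or the first with 200; state the release and the two values separately. The description also moves from a pause before retrying to a total waiting time while keeping "microseconds", so confirm the unit still applies to the new meaning.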
2163
This option allows you to override the name of the Samba log file (also known as the debug file)\&.
2165
This option takes the standard substitutions, allowing you to have separate log files for each user or machine\&.
2925
This option allows you to override the name of the Samba log file (also known as the debug file).
2927
This option takes the standard substitutions, allowing you to have separate log files for each user or machine.
2167
2929
\fBNo default\fR
2169
Example: \fB\fIlog file\fR = /usr/local/samba/var/log\&.%m \fR
2932
\fB\fIlog file\fR = /usr/local/samba/var/log.%m \fR
2173
This parameter is a synonym for log level\&.
2935
This parameter is a synonym for log level.
2177
The value of the parameter (a astring) allows the debug level (logging level) to be specified in the \fIsmb\&.conf\fR file\&. This parameter has been extended since the 2\&.2\&.x series, now it allow to specify the debug level for multiple debug classes\&. This is to give greater flexibility in the configuration of the system\&.
2179
The default will be the log level specified on the command line or level zero if none was specified\&.
2938
The value of the parameter (a astring) allows the debug level (logging level) to be specified in the
2940
file. This parameter has been extended since the 2.2.x series, now it allow to specify the debug level for multiple debug classes. This is to give greater flexibility in the configuration of the system.
2942
The default will be the log level specified on the command line or level zero if none was specified.
2181
2944
\fBNo default\fR
2183
Example: \fB\fIlog level\fR = 3 passdb:5 auth:10 winbind:2 \fR
2947
\fB\fIlog level\fR = 3 passdb:5 auth:10 winbind:2 \fR
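Review bot: the log level description carries two wording errors over unchanged into the new lines: "(a astring)" should be "(a string)", and "now it allow to specify the debug level" should read along the lines of "and now allows the debug level to be specified". Since these lines are being touched anyway, fix both here.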
2186
2949
logon drive (G)
2187
This parameter specifies the local path to which the home directory will be connected (see logon home) and is only used by NT Workstations\&.
2189
Note that this option is only useful if Samba is set up as a logon server\&.
2191
Default: \fB\fIlogon drive\fR = z: \fR
2193
Example: \fB\fIlogon drive\fR = h: \fR
2950
This parameter specifies the local path to which the home directory will be connected (see
2951
logon home) and is only used by NT Workstations.
2953
Note that this option is only useful if Samba is set up as a logon server.
2956
\fB\fIlogon drive\fR = \fR
2959
\fB\fIlogon drive\fR = h: \fR
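Review bot: the logon drive default changes from "z:" to an empty value, but the description lines are otherwise the same and never say what an empty logon drive means for the client. Add a sentence stating the behaviour when the parameter is unset, so an administrator upgrading with the old default in mind knows whether to set it explicitly.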
2197
This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC\&. It allows you to do
2199
C:\\>\fBNET USE H: /HOME\fR
2201
from a command prompt, for example\&.
2203
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine\&.
2205
This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user's home directory\&. This is done in the following way:
2207
\fBlogon home = \\\\%N\\%U\\profile\fR
2209
This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request\&. Win9X clients truncate the info to \\\\server\\share when a user does\fBnet use /home\fR but use the whole string when dealing with profiles\&.
2211
Note that in prior versions of Samba, the logon path was returned rather than\fIlogon home\fR\&. This broke \fBnet use /home\fR but allowed profiles outside the home directory\&. The current implementation is correct, and can be used for profiles if you use the above trick\&.
2213
Disable this feature by setting logon home = "" \- using the empty string\&.
2215
This option is only useful if Samba is set up as a logon server\&.
2217
Default: \fB\fIlogon home\fR = \\\\%N\\%U \fR
2219
Example: \fB\fIlogon home\fR = \\\\remote_smb_server\\%U \fR
2962
This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. It allows you to do
2965
C:\>\fBNET USE H: /HOME\fR
2967
from a command prompt, for example.
2969
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.
2971
This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user's home directory. This is done in the following way:
2974
\fBlogon home = \\%N\%U\profile\fR
2976
This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does
2978
but use the whole string when dealing with profiles.
2980
Note that in prior versions of Samba, the
2981
logon path was returned rather than
2982
\fIlogon home\fR. This broke
2984
but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.
2986
Disable this feature by setting
2987
logon home = "" - using the empty string.
2989
This option is only useful if Samba is set up as a logon server.
2992
\fB\fIlogon home\fR = \\%N\%U \fR
2995
\fB\fIlogon home\fR = \\remote_smb_server\%U \fR
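Review bot: the UNC paths in the new logon home lines lose their doubled backslashes: the old lines have \\\\%N\\%U\\profile and C:\\>, the new ones have \\%N\%U\profile and C:\>. In roff a single backslash starts an escape sequence (\% is the hyphenation control character, for example), so check the rendered page still prints \\%N\%U\profile and \\remote_smb_server\%U literally; if not, the generator needs to emit escaped backslashes again.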
2223
This parameter specifies the directory where roaming profiles (Desktop, NTuser\&.dat, etc) are stored\&. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles\&. To find out how to handle roaming profiles for Win 9X system, see thelogon home parameter\&.
2225
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine\&. It also specifies the directory from which the "Application Data", (\fIdesktop\fR, \fIstart menu\fR, \fInetwork neighborhood\fR, \fIprograms\fR and other folders, and their contents, are loaded and displayed on your Windows NT client\&.
2227
The share and the path must be readable by the user for the preferences and directories to be loaded onto the Windows NT client\&. The share must be writeable when the user logs in for the first time, in order that the Windows NT client can create the NTuser\&.dat and other directories\&. Thereafter, the directories and any of the contents can, if required, be made read\-only\&. It is not advisable that the NTuser\&.dat file be made read\-only \- rename it to NTuser\&.man to achieve the desired effect (a\fBMAN\fRdatory profile)\&.
2229
Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in\&. Therefore, it is vital that the logon path does not include a reference to the homes share (i\&.e\&. setting this parameter to \\\\%N\\homes\\profile_path will cause problems)\&.
2231
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine\&.
2236
Do not quote the value\&. Setting this as ``\\\\%N\\profile\\%U'' will break profile handling\&. Where the tdbsam or ldapsam passdb backend is used, at the time the user account is created the value configured for this parameter is written to the passdb backend and that value will over\-ride the parameter value present in the smb\&.conf file\&. Any error present in the passdb backend account record must be editted using the appropriate tool (pdbedit on the command\-line, or any other locally provided system tool\&.
2239
Note that this option is only useful if Samba is set up as a domain controller\&.
2241
Disable the use of roaming profiles by setting the value of this parameter to the empty string\&. For example, logon path = ""\&. Take note that even if the default setting in the smb\&.conf file is the empty string, any value specified in the user account settings in the passdb backend will over\-ride the effect of setting this parameter to null\&. Disabling of all roaming profile use requires that the user account settings must also be blank\&.
2243
An example of use is:
2998
This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the
2999
logon home parameter.
3001
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also specifies the directory from which the "Application Data", (\fIdesktop\fR,
3003
\fInetwork neighborhood\fR,
3005
and other folders, and their contents, are loaded and displayed on your Windows NT client.
3007
The share and the path must be readable by the user for the preferences and directories to be loaded onto the Windows NT client. The share must be writeable when the user logs in for the first time, in order that the Windows NT client can create the NTuser.dat and other directories. Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a
3008
\fBMAN\fRdatory profile).
3010
Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting this parameter to \\%N\homes\profile_path will cause problems).
3012
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.
3015
.nr an-no-space-flag 1
3019
Do not quote the value. Setting this as
3020
“\\%N\profile\%U”
3021
will break profile handling. Where the tdbsam or ldapsam passdb backend is used, at the time the user account is created the value configured for this parameter is written to the passdb backend and that value will over-ride the parameter value present in the smb.conf file. Any error present in the passdb backend account record must be editted using the appropriate tool (pdbedit on the command-line, or any other locally provided system tool.
3022
Note that this option is only useful if Samba is set up as a domain controller.
3024
Disable the use of roaming profiles by setting the value of this parameter to the empty string. For example,
3025
logon path = "". Take note that even if the default setting in the smb.conf file is the empty string, any value specified in the user account settings in the passdb backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use requires that the user account settings must also be blank.
3027
An example of use is:
2246
logon path = \\\\PROFILESERVER\\PROFILE\\%U
3032
logon path = \\PROFILESERVER\PROFILE\%U
2250
Default: \fB\fIlogon path\fR = \\\\%N\\%U\\profile \fR
3037
\fB\fIlogon path\fR = \\%N\%U\profile \fR
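Review bot: the logon path note keeps "editted" (should be "edited") and an unclosed parenthesis in "(pdbedit on the command-line, or any other locally provided system tool." on both sides of the change. The paragraph "This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine." also appears twice in this entry; one copy can go.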
2253
3039
logon script (G)
2254
This parameter specifies the batch file (\fI\&.bat\fR) or NT command file (\fI\&.cmd\fR) to be downloaded and run on a machine when a user successfully logs in\&. The file must contain the DOS style CR/LF line endings\&. Using a DOS\-style editor to create the file is recommended\&.
2256
The script must be a relative path to the \fI[netlogon]\fR service\&. If the [netlogon] service specifies a path of \fI/usr/local/samba/netlogon\fR, and logon script = STARTUP\&.BAT, then the file that will be downloaded is:
2259
/usr/local/samba/netlogon/STARTUP\&.BAT
2263
The contents of the batch file are entirely your choice\&. A suggested command would be to add \fBNET TIME \\\\SERVER /SET /YES\fR, to force every machine to synchronize clocks with the same time server\&. Another use would be to add \fBNET USE U: \\\\SERVER\\UTILS\fR for commonly used utilities, or
2266
\fBNET USE Q: \\\\SERVER\\ISO9001_QA\fR
2270
Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be breached\&.
2272
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine\&.
2274
This option is only useful if Samba is set up as a logon server\&.
2276
Default: \fB\fIlogon script\fR = \fR
2278
Example: \fB\fIlogon script\fR = scripts\\%U\&.bat \fR
3040
This parameter specifies the batch file (\fI.bat\fR) or NT command file (\fI.cmd\fR) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
3042
The script must be a relative path to the
3044
service. If the [netlogon] service specifies a
3046
\fI/usr/local/samba/netlogon\fR, and
3047
logon script = STARTUP.BAT, then the file that will be downloaded is:
3052
/usr/local/samba/netlogon/STARTUP.BAT
3056
The contents of the batch file are entirely your choice. A suggested command would be to add
3057
\fBNET TIME \\SERVER /SET /YES\fR, to force every machine to synchronize clocks with the same time server. Another use would be to add
3058
\fBNET USE U: \\SERVER\UTILS\fR
3059
for commonly used utilities, or
3064
\fBNET USE Q: \\SERVER\ISO9001_QA\fR
3068
Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be breached.
3070
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.
3072
This option is only useful if Samba is set up as a logon server.
3075
\fB\fIlogon script\fR = \fR
3078
\fB\fIlogon script\fR = scripts\%U.bat \fR
2281
3080
lppause command (S)
2282
This parameter specifies the command to be executed on the server host in order to stop printing or spooling a specific print job\&.
2284
This command should be a program or script which takes a printer name and job number to pause the print job\&. One way of implementing this is by using job priorities, where jobs having a too low priority won't be sent to the printer\&.
2286
If a \fI%p\fR is given then the printer name is put in its place\&. A \fI%j\fR is replaced with the job number (an integer)\&. On HPUX (see \fIprinting=hpux \fR), if the \fI\-p%p\fR option is added to the lpq command, the job will show up with the correct status, i\&.e\&. if the job priority is lower than the set fence priority it will have the PAUSED status, whereas if the priority is equal or higher it will have the SPOOLED or PRINTING status\&.
2288
Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server\&.
2290
Default: \fB\fIlppause command\fR = # Currently no default value is given to this string, unless the value of the printing parameter is \fBSYSV\fR, in which case the default is : \fBlp \-i %p\-%j \-H hold\fR or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is: \fBqstat \-s \-j%j \-h\fR\&. \fR
2292
Example: \fB\fIlppause command\fR = /usr/bin/lpalt %p\-%j \-p0 \fR
3081
This parameter specifies the command to be executed on the server host in order to stop printing or spooling a specific print job.
3083
This command should be a program or script which takes a printer name and job number to pause the print job. One way of implementing this is by using job priorities, where jobs having a too low priority won't be sent to the printer.
3087
is given then the printer name is put in its place. A
3089
is replaced with the job number (an integer). On HPUX (see
3090
\fIprinting=hpux \fR), if the
3092
option is added to the lpq command, the job will show up with the correct status, i.e. if the job priority is lower than the set fence priority it will have the PAUSED status, whereas if the priority is equal or higher it will have the SPOOLED or PRINTING status.
3094
Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server.
3097
\fB\fIlppause command\fR = # Currently no default value is given to this string, unless the value of the printing parameter is \fBSYSV\fR, in which case the default is : \fBlp -i %p-%j -H hold\fR or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is: \fBqstat -s -j%j -h\fR. \fR
3100
\fB\fIlppause command\fR = /usr/bin/lpalt %p-%j -p0 \fR
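Review bot: the lppause command default line puts a whole explanatory sentence after "= #", so the "Default:" field reads as a comment rather than a value. Move the SYSV and SOFTQ defaults (lp -i %p-%j -H hold and qstat -s -j%j -h) into the description, as the lpresume command entry does, and leave the default field empty or with a short phrase such as the one used for lprm command.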
2295
3102
lpq cache time (G)
2296
This controls how long lpq info will be cached for to prevent the \fBlpq\fR command being called too often\&. A separate cache is kept for each variation of the \fB lpq\fR command used by the system, so if you use different\fBlpq\fR commands for different users then they won't share cache information\&.
2298
The cache files are stored in \fI/tmp/lpq\&.xxxx\fR where xxxx is a hash of the \fBlpq\fR command in use\&.
2300
The default is 10 seconds, meaning that the cached results of a previous identical \fBlpq\fR command will be used if the cached data is less than 10 seconds old\&. A large value may be advisable if your \fBlpq\fR command is very slow\&.
2302
A value of 0 will disable caching completely\&.
2304
Default: \fB\fIlpq cache time\fR = 10 \fR
2306
Example: \fB\fIlpq cache time\fR = 30 \fR
3103
This controls how long lpq info will be cached for to prevent the
3105
command being called too often. A separate cache is kept for each variation of the
3107
command used by the system, so if you use different
3109
commands for different users then they won't share cache information.
3111
The cache files are stored in
3113
where xxxx is a hash of the
3117
The default is 10 seconds, meaning that the cached results of a previous identical
3119
command will be used if the cached data is less than 10 seconds old. A large value may be advisable if your
3121
command is very slow.
3123
A value of 0 will disable caching completely.
3126
\fB\fIlpq cache time\fR = 10 \fR
3129
\fB\fIlpq cache time\fR = 30 \fR
2309
3131
lpq command (S)
2310
This parameter specifies the command to be executed on the server host in order to obtain \fBlpq \fR\-style printer status information\&.
2312
This command should be a program or script which takes a printer name as its only parameter and outputs printer status information\&.
2314
Currently nine styles of printer status information are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ\&. This covers most UNIX systems\&. You control which type is expected using the \fIprinting =\fR option\&.
2316
Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about\&. To get around this, the server reports on the first printer service connected to by the client\&. This only happens if the connection number sent is invalid\&.
2318
If a \fI%p\fR is given then the printer name is put in its place\&. Otherwise it is placed at the end of the command\&.
2320
Note that it is good practice to include the absolute path in the \fIlpq command\fR as the \fB$PATH \fR may not be available to the server\&. When compiled with the CUPS libraries, no \fIlpq command\fR is needed because smbd will make a library call to obtain the print queue listing\&.
2322
Default: \fB\fIlpq command\fR = \fR
2324
Example: \fB\fIlpq command\fR = /usr/bin/lpq \-P%p \fR
3132
This parameter specifies the command to be executed on the server host in order to obtain
3133
\fBlpq \fR-style printer status information.
3135
This command should be a program or script which takes a printer name as its only parameter and outputs printer status information.
3137
Currently nine styles of printer status information are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. This covers most UNIX systems. You control which type is expected using the
3141
Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about. To get around this, the server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid.
3145
is given then the printer name is put in its place. Otherwise it is placed at the end of the command.
3147
Note that it is good practice to include the absolute path in the
3151
may not be available to the server. When compiled with the CUPS libraries, no
3153
is needed because smbd will make a library call to obtain the print queue listing.
3156
\fB\fIlpq command\fR = \fR
3159
\fB\fIlpq command\fR = /usr/bin/lpq -P%p \fR
2327
3161
lpresume command (S)
2328
This parameter specifies the command to be executed on the server host in order to restart or continue printing or spooling a specific print job\&.
2330
This command should be a program or script which takes a printer name and job number to resume the print job\&. See also the lppause command parameter\&.
2332
If a \fI%p\fR is given then the printer name is put in its place\&. A \fI%j\fR is replaced with the job number (an integer)\&.
2334
Note that it is good practice to include the absolute path in the \fIlpresume command\fR as the PATH may not be available to the server\&.
2336
See also the printing parameter\&.
2338
Default: Currently no default value is given to this string, unless the value of the \fIprinting\fR parameter is \fBSYSV\fR, in which case the default is :
2340
\fBlp \-i %p\-%j \-H resume\fR
2342
or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is:
2344
\fBqstat \-s \-j%j \-r\fR
2346
Default: \fB\fIlpresume command\fR = lpresume command = /usr/bin/lpalt %p\-%j \-p2 \fR
3162
This parameter specifies the command to be executed on the server host in order to restart or continue printing or spooling a specific print job.
3164
This command should be a program or script which takes a printer name and job number to resume the print job. See also the
3165
lppause command parameter.
3169
is given then the printer name is put in its place. A
3171
is replaced with the job number (an integer).
3173
Note that it is good practice to include the absolute path in the
3174
\fIlpresume command\fR
3175
as the PATH may not be available to the server.
3180
Default: Currently no default value is given to this string, unless the value of the
3183
\fBSYSV\fR, in which case the default is :
3185
\fBlp -i %p-%j -H resume\fR
3187
or if the value of the
3190
\fBSOFTQ\fR, then the default is:
3192
\fBqstat -s -j%j -r\fR
3195
\fB\fIlpresume command\fR = lpresume command = /usr/bin/lpalt %p-%j -p2 \fR
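Review bot: the last lpresume command line is labelled "Default:" in the old text and repeats the key, "lpresume command = lpresume command = /usr/bin/lpalt %p-%j -p2". The real defaults are already described in the lines above it, so this should be the "Example:" line with the parameter name given once.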
2349
3197
lprm command (S)
2350
This parameter specifies the command to be executed on the server host in order to delete a print job\&.
2352
This command should be a program or script which takes a printer name and job number, and deletes the print job\&.
2354
If a \fI%p\fR is given then the printer name is put in its place\&. A \fI%j\fR is replaced with the job number (an integer)\&.
2356
Note that it is good practice to include the absolute path in the \fIlprm command\fR as the PATH may not be available to the server\&.
2358
Examples of use are:
3198
This parameter specifies the command to be executed on the server host in order to delete a print job.
3200
This command should be a program or script which takes a printer name and job number, and deletes the print job.
3204
is given then the printer name is put in its place. A
3206
is replaced with the job number (an integer).
3208
Note that it is good practice to include the absolute path in the
3210
as the PATH may not be available to the server.
3212
Examples of use are:
2361
lprm command = /usr/bin/lprm \-P%p %j
3217
lprm command = /usr/bin/lprm -P%p %j
2365
lprm command = /usr/bin/cancel %p\-%j
3221
lprm command = /usr/bin/cancel %p-%j
2369
Default: \fB\fIlprm command\fR = determined by printing parameter \fR
3226
\fB\fIlprm command\fR = determined by printing parameter \fR
2372
3228
machine password timeout (G)
2373
If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called \fIprivate/secrets\&.tdb \fR\&. This parameter specifies how often this password will be changed, in seconds\&. The default is one week (expressed in seconds), the same as a Windows NT Domain member server\&.
2375
See also \fBsmbpasswd\fR(8), and the security = domain parameter\&.
2377
Default: \fB\fImachine password timeout\fR = 604800 \fR
3229
If a Samba server is a member of a Windows NT Domain (see the
3230
security = domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called
3231
\fIprivate/secrets.tdb \fR. This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.
3234
\fBsmbpasswd\fR(8), and the
3235
security = domain parameter.
3238
\fB\fImachine password timeout\fR = 604800 \fR
2380
3240
magic output (S)
2381
This parameter specifies the name of a file which will contain output created by a magic script (see themagic script parameter below)\&.
2386
If two clients use the same \fImagic script \fR in the same directory the output file content is undefined\&.
2389
Default: \fB\fImagic output\fR = <magic script name>\&.out \fR
2391
Example: \fB\fImagic output\fR = myfile\&.txt \fR
3241
This parameter specifies the name of a file which will contain output created by a magic script (see the
3242
magic script parameter below).
3245
.nr an-no-space-flag 1
3249
If two clients use the same
3251
in the same directory the output file content is undefined.
3253
\fB\fImagic output\fR = <magic script name>.out \fR
3256
\fB\fImagic output\fR = myfile.txt \fR
2394
3258
magic script (S)
2395
This parameter specifies the name of a file which, if opened, will be executed by the server when the file is closed\&. This allows a UNIX script to be sent to the Samba host and executed on behalf of the connected user\&.
2397
Scripts executed in this way will be deleted upon completion assuming that the user has the appropriate level of privilege and the file permissions allow the deletion\&.
2399
If the script generates output, output will be sent to the file specified by the magic output parameter (see above)\&.
2401
Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end\-of\-line marker\&. Magic scripts must be executable\fBas is\fR on the host, which for some hosts and some shells will require filtering at the DOS end\&.
2403
Magic scripts are \fBEXPERIMENTAL\fR and should \fBNOT\fR be relied upon\&.
2405
Default: \fB\fImagic script\fR = \fR
2407
Example: \fB\fImagic script\fR = user\&.csh \fR
3259
This parameter specifies the name of a file which, if opened, will be executed by the server when the file is closed. This allows a UNIX script to be sent to the Samba host and executed on behalf of the connected user.
3261
Scripts executed in this way will be deleted upon completion assuming that the user has the appropriate level of privilege and the file permissions allow the deletion.
3263
If the script generates output, output will be sent to the file specified by the
3264
magic output parameter (see above).
3266
Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end-of-line marker. Magic scripts must be executable
3268
on the host, which for some hosts and some shells will require filtering at the DOS end.
3277
\fB\fImagic script\fR = \fR
3280
\fB\fImagic script\fR = user.csh \fR
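Review bot: in the magic script entry, "scripts containing CR/LF instead of CR as the end-of-line marker" names the wrong character; the UNIX end-of-line marker is LF, so this should read "CR/LF instead of LF". The sentence is unchanged between the two sides and is worth correcting while the entry is being regenerated.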
2410
3282
mangled map (S)
2411
This is for those who want to directly map UNIX file names which cannot be represented on Windows/DOS\&. The mangling of names is not always what is needed\&. In particular you may have documents with file extensions that differ between DOS and UNIX\&. For example, under UNIX it is common to use \fI\&.html\fR for HTML files, whereas under Windows/DOS \fI\&.htm\fR is more commonly used\&.
2413
So to map \fIhtml\fR to \fIhtm\fR you would use:
2415
mangled map = (*\&.html *\&.htm)\&.
2417
One very useful case is to remove the annoying \fI;1\fR off the ends of filenames on some CDROMs (only visible under some UNIXes)\&. To do this use a map of (*;1 *;)\&.
2419
Default: \fB\fImangled map\fR = # no mangled map \fR
2421
Example: \fB\fImangled map\fR = (*;1 *;) \fR
3283
This is for those who want to directly map UNIX file names which cannot be represented on Windows/DOS. The mangling of names is not always what is needed. In particular you may have documents with file extensions that differ between DOS and UNIX. For example, under UNIX it is common to use
3285
for HTML files, whereas under Windows/DOS
3287
is more commonly used.
3296
mangled map = (*.html *.htm).
3298
One very useful case is to remove the annoying
3300
off the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of (*;1 *;).
3303
\fB\fImangled map\fR = # no mangled map \fR
3306
\fB\fImangled map\fR = (*;1 *;) \fR
2424
3308
mangled names (S)
2425
This controls whether non\-DOS names under UNIX should be mapped to DOS\-compatible names ("mangled") and made visible, or whether non\-DOS names should simply be ignored\&.
2427
See the section on name mangling for details on how to control the mangling process\&.
3309
This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored.
3312
name mangling for details on how to control the mangling process.
2429
3314
If mangling is used then the mangling algorithm is as follows:
2435
The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters of the mangled name\&.
2438
A tilde "~" is appended to the first part of the mangled name, followed by a two\-character unique sequence, based on the original root name (i\&.e\&., the original filename minus its final extension)\&. The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters\&.
2440
Note that the character to use may be specified using the mangling char option, if you don't like '~'\&.
2443
Files whose UNIX name begins with a dot will be presented as DOS hidden files\&. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that's three underscores)\&.
3318
The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters of the mangled name.
3321
A tilde "~" is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.
3323
Note that the character to use may be specified using the
3324
mangling char option, if you don't like '~'.
3327
Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that's three underscores).
2447
The two\-digit hash value consists of upper case alphanumeric characters\&.
2449
This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters\&. The probability of such a clash is 1/1300\&.
2451
The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename\&. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename\&. Mangled names do not change between sessions\&.
2453
Default: \fB\fImangled names\fR = yes \fR
3330
The two-digit hash value consists of upper case alphanumeric characters.
3332
This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. The probability of such a clash is 1/1300.
3334
The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename. Mangled names do not change between sessions.
3337
\fB\fImangled names\fR = yes \fR
2456
3339
mangle prefix (G)
2457
controls the number of prefix characters from the original name used when generating the mangled names\&. A larger value will give a weaker hash and therefore more name collisions\&. The minimum value is 1 and the maximum value is 6\&.
2459
mangle prefix is effective only when mangling method is hash2\&.
2461
Default: \fB\fImangle prefix\fR = 1 \fR
2463
Example: \fB\fImangle prefix\fR = 4 \fR
3340
controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6.
3342
mangle prefix is effective only when mangling method is hash2.
3345
\fB\fImangle prefix\fR = 1 \fR
3348
\fB\fImangle prefix\fR = 4 \fR
2466
3350
mangling char (S)
2467
This controls what character is used as the \fBmagic\fR character in name mangling\&. The default is a '~' but this may interfere with some software\&. Use this option to set it to whatever you prefer\&. This is effective only when mangling method is hash\&.
2469
Default: \fB\fImangling char\fR = ~ \fR
2471
Example: \fB\fImangling char\fR = ^ \fR
3351
This controls what character is used as the
3354
name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer. This is effective only when mangling method is hash.
3357
\fB\fImangling char\fR = ~ \fR
3360
\fB\fImangling char\fR = ^ \fR
2474
3362
mangling method (G)
2475
controls the algorithm used for the generating the mangled names\&. Can take two different values, "hash" and "hash2"\&. "hash" is the algorithm that was used used in Samba for many years and was the default in Samba 2\&.2\&.x "hash2" is now the default and is newer and considered a better algorithm (generates less collisions) in the names\&. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications may break unless reinstalled\&.
2477
Default: \fB\fImangling method\fR = hash2 \fR
2479
Example: \fB\fImangling method\fR = hash \fR
3363
controls the algorithm used for the generating the mangled names. Can take two different values, "hash" and "hash2". "hash" is the algorithm that was used used in Samba for many years and was the default in Samba 2.2.x "hash2" is now the default and is newer and considered a better algorithm (generates less collisions) in the names. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications may break unless reinstalled.
3366
\fB\fImangling method\fR = hash2 \fR
3369
\fB\fImangling method\fR = hash \fR
2482
3371
map acl inherit (S)
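Review bot: the mangling method description at new line 3363 carries the old wording errors over unchanged: "was used used in Samba", no full stop after "Samba 2.2.x", "generates less collisions" and "changing to algorithms". This paragraph is the warning that Win32 applications which stored mangled names may break when the algorithm is switched, so fix the wording in the source, for example "changing algorithms must not be done lightly".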
2483
This boolean parameter controls whether \fBsmbd\fR(8) will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user\&.SAMBA_PAI\&. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and allows the Windows 2000 ACL editor to correctly use inheritance with the Samba POSIX ACL mapping code\&.
2485
Default: \fB\fImap acl inherit\fR = no \fR
3372
This boolean parameter controls whether
3374
will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and allows the Windows 2000 ACL editor to correctly use inheritance with the Samba POSIX ACL mapping code.
3377
\fB\fImap acl inherit\fR = no \fR
2488
3379
map archive (S)
2489
This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit\&. The DOS archive bit is set when a file has been modified since its last backup\&. One motivation for this option it to keep Samba/your PC from making any file it touches from becoming executable under UNIX\&. This can be quite annoying for shared source code, documents, etc\&.\&.\&.
2491
Note that this requires the create mask parameter to be set such that owner execute bit is not masked out (i\&.e\&. it must include 100)\&. See the parametercreate mask for details\&.
2493
Default: \fB\fImap archive\fR = yes \fR
3380
This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One motivation for this option it to keep Samba/your PC from making any file it touches from becoming executable under UNIX. This can be quite annoying for shared source code, documents, etc...
3382
Note that this requires the
3383
create mask parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter
3384
create mask for details.
3387
\fB\fImap archive\fR = yes \fR
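Review bot: new line 3380 still reads "One motivation for this option it to keep Samba/your PC from making any file it touches from becoming executable under UNIX"; "it to" should be "is to", and the sentence never says which setting achieves that. With the default shown as yes, state explicitly that avoiding the owner execute bit means setting map archive = no.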
2497
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit\&.
2499
Note that this requires the create mask to be set such that the world execute bit is not masked out (i\&.e\&. it must include 001)\&. See the parameter create mask for details\&.
3390
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
3392
Note that this requires the
3393
create mask to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter
3394
create mask for details.
2501
3396
\fBNo default\fR
2504
3398
map read only (S)
2505
This controls how the DOS read only attribute should be mapped from a UNIX filesystem\&.
2507
This parameter can take three different values, which tell \fBsmbd\fR(8) how to display the read only attribute on files, where eitherstore dos attributes is set to \fBNo\fR, or no extended attribute is present\&. If store dos attributes is set to \fByes\fR then this parameter is \fBignored\fR\&. This is a new parameter introduced in Samba version 3\&.0\&.21\&.
3399
This controls how the DOS read only attribute should be mapped from a UNIX filesystem.
3401
This parameter can take three different values, which tell
3403
how to display the read only attribute on files, where either
3404
store dos attributes is set to
3405
\fBNo\fR, or no extended attribute is present. If
3406
store dos attributes is set to
3408
then this parameter is
3409
\fBignored\fR. This is a new parameter introduced in Samba version 3.0.21.
2509
3411
The three settings are :
2515
\fBYes\fR \- The read only DOS attribute is mapped to the inverse of the user or owner write bit in the unix permission mode set\&. If the owner write bit is not set, the read only attribute is reported as being set on the file\&.
2518
\fBPermissions\fR \- The read only DOS attribute is mapped to the effective permissions of the connecting user, as evaluated by \fBsmbd\fR(8) by reading the unix permissions and POSIX ACL (if present)\&. If the connecting user does not have permission to modify the file, the read only attribute is reported as being set on the file\&.
2521
\fBNo\fR \- The read only DOS attribute is unaffected by permissions, and can only be set by the store dos attributes method\&. This may be useful for exporting mounted CDs\&.
3417
- The read only DOS attribute is mapped to the inverse of the user or owner write bit in the unix permission mode set. If the owner write bit is not set, the read only attribute is reported as being set on the file.
3422
- The read only DOS attribute is mapped to the effective permissions of the connecting user, as evaluated by
3424
by reading the unix permissions and POSIX ACL (if present). If the connecting user does not have permission to modify the file, the read only attribute is reported as being set on the file.
3429
- The read only DOS attribute is unaffected by permissions, and can only be set by the
3430
store dos attributes method. This may be useful for exporting mounted CDs.
2525
Default: \fB\fImap read only\fR = yes \fR
3434
\fB\fImap read only\fR = yes \fR
2529
This controls whether DOS style system files should be mapped to the UNIX group execute bit\&.
2531
Note that this requires the create mask to be set such that the group execute bit is not masked out (i\&.e\&. it must include 010)\&. See the parametercreate mask for details\&.
2533
Default: \fB\fImap system\fR = no \fR
3437
This controls whether DOS style system files should be mapped to the UNIX group execute bit.
3439
Note that this requires the
3440
create mask to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter
3441
create mask for details.
3444
\fB\fImap system\fR = no \fR
2536
3446
map to guest (G)
2537
This parameter is only useful in SECURITY = security modes other than \fIsecurity = share\fR \- i\&.e\&. \fBuser\fR, \fBserver\fR, and \fBdomain\fR\&.
2539
This parameter can take four different values, which tell \fBsmbd\fR(8) what to do with user login requests that don't match a valid UNIX user in some way\&.
3447
This parameter is only useful in
3448
SECURITY = security modes other than
3449
\fIsecurity = share\fR
3455
This parameter can take four different values, which tell
3457
what to do with user login requests that don't match a valid UNIX user in some way.
2541
3459
The four settings are :
2547
\fBNever\fR \- Means user login requests with an invalid password are rejected\&. This is the default\&.
2550
\fBBad User\fR \- Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account\&.
2553
\fBBad Password\fR \- Means user logins with an invalid password are treated as a guest login and mapped into the guest account\&. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" \- and will not know the reason they cannot access files they think they should \- there will have been no message given to them that they got their password wrong\&. Helpdesk services will \fBhate\fR you if you set the \fImap to guest\fR parameter this way :\-)\&.
2556
\fBBad Uid\fR \- Is only applicable when Samba is configured in some type of domain mode security (security = {domain|ads}) and means that user logins which are successfully authenticated but which have no valid Unix user account (and smbd is unable to create one) should be mapped to the defined guest account\&. This was the default behavior of Samba 2\&.x releases\&. Note that if a member server is running winbindd, this option should never be required because the nss_winbind library will export the Windows domain users and groups to the underlying OS via the Name Service Switch interface\&.
3464
- Means user login requests with an invalid password are rejected. This is the default.
3468
- Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the
3473
- Means user logins with an invalid password are treated as a guest login and mapped into the
3474
guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will
3478
parameter this way :-).
3482
- Is only applicable when Samba is configured in some type of domain mode security (security = {domain|ads}) and means that user logins which are successfully authenticated but which have no valid Unix user account (and smbd is unable to create one) should be mapped to the defined guest account. This was the default behavior of Samba 2.x releases. Note that if a member server is running winbindd, this option should never be required because the nss_winbind library will export the Windows domain users and groups to the underlying OS via the Name Service Switch interface.
2560
Note that this parameter is needed to set up "Guest" share services when using \fIsecurity\fR modes other than share\&. This is because in these modes the name of the resource being requested is \fBnot\fR sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares\&.
2562
For people familiar with the older Samba releases, this parameter maps to the old compile\-time setting of the \fB GUEST_SESSSETUP\fR value in local\&.h\&.
2564
Default: \fB\fImap to guest\fR = Never \fR
2566
Example: \fB\fImap to guest\fR = Bad User \fR
3485
Note that this parameter is needed to set up "Guest" share services when using
3487
modes other than share. This is because in these modes the name of the resource being requested is
3489
sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares.
3491
For people familiar with the older Samba releases, this parameter maps to the old compile-time setting of the
3492
\fB GUEST_SESSSETUP\fR
3496
\fB\fImap to guest\fR = Never \fR
3499
\fB\fImap to guest\fR = Bad User \fR
2569
3501
max connections (S)
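Review bot: in the map to guest entry, the opening sentence at old line 2537 reads "only useful in SECURITY = security modes other than security = share", which looks like link text leaking into the prose, and the new lines 3447-3449 keep the same words. Separately, the Bad Password item describes the outcome only as a helpdesk problem; it would help to say in the same item that a wrong password still produces a session "mapped into the guest account", so whatever the guest account can reach is open to anyone who supplies any password.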
2570
This option allows the number of simultaneous connections to a service to be limited\&. If \fImax connections\fR is greater than 0 then connections will be refused if this number of connections to the service are already open\&. A value of zero mean an unlimited number of connections may be made\&.
2572
Record lock files are used to implement this feature\&. The lock files will be stored in the directory specified by the lock directory option\&.
2574
Default: \fB\fImax connections\fR = 0 \fR
2576
Example: \fB\fImax connections\fR = 10 \fR
3502
This option allows the number of simultaneous connections to a service to be limited. If
3503
\fImax connections\fR
3504
is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero mean an unlimited number of connections may be made.
3506
Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the
3507
lock directory option.
3510
\fB\fImax connections\fR = 0 \fR
3513
\fB\fImax connections\fR = 10 \fR
2579
3515
max disk size (G)
2580
This option allows you to put an upper limit on the apparent size of disks\&. If you set this option to 100 then all shares will appear to be not larger than 100 MB in size\&.
2582
Note that this option does not limit the amount of data you can put on the disk\&. In the above case you could still store much more than 100 MB on the disk, but if a client ever asks for the amount of free disk space or the total disk size then the result will be bounded by the amount specified in \fImax disk size\fR\&.
2584
This option is primarily useful to work around bugs in some pieces of software that can't handle very large disks, particularly disks over 1GB in size\&.
2586
A \fImax disk size\fR of 0 means no limit\&.
2588
Default: \fB\fImax disk size\fR = 0 \fR
2590
Example: \fB\fImax disk size\fR = 1000 \fR
3516
This option allows you to put an upper limit on the apparent size of disks. If you set this option to 100 then all shares will appear to be not larger than 100 MB in size.
3518
Note that this option does not limit the amount of data you can put on the disk. In the above case you could still store much more than 100 MB on the disk, but if a client ever asks for the amount of free disk space or the total disk size then the result will be bounded by the amount specified in
3519
\fImax disk size\fR.
3521
This option is primarily useful to work around bugs in some pieces of software that can't handle very large disks, particularly disks over 1GB in size.
3525
of 0 means no limit.
3528
\fB\fImax disk size\fR = 0 \fR
3531
\fB\fImax disk size\fR = 1000 \fR
2593
3533
max log size (G)
2594
This option (an integer in kilobytes) specifies the max size the log file should grow to\&. Samba periodically checks the size and if it is exceeded it will rename the file, adding a \fI\&.old\fR extension\&.
2596
A size of 0 means no limit\&.
2598
Default: \fB\fImax log size\fR = 5000 \fR
2600
Default: \fB\fImax log size\fR = 1000 \fR
3534
This option (an integer in kilobytes) specifies the max size the log file should grow to. Samba periodically checks the size and if it is exceeded it will rename the file, adding a
3538
A size of 0 means no limit.
3541
\fB\fImax log size\fR = 5000 \fR
3544
\fB\fImax log size\fR = 1000 \fR
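Review bot: old lines 2598 and 2600 both label their value "Default:" for max log size (5000, then 1000); the second should be "Example:". The new lines 3541 and 3544 show only the values, so confirm that the labels on the lines not shown in this diff read Default for 5000 and Example for 1000.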
2604
This option controls the maximum number of outstanding simultaneous SMB operations that Samba tells the client it will allow\&. You should never need to set this parameter\&.
2606
Default: \fB\fImax mux\fR = 50 \fR
3547
This option controls the maximum number of outstanding simultaneous SMB operations that Samba tells the client it will allow. You should never need to set this parameter.
3550
\fB\fImax mux\fR = 50 \fR
2609
3552
max open files (G)
2610
This parameter limits the maximum number of open files that one \fBsmbd\fR(8) file serving process may have open for a client at any one time\&. The default for this parameter is set very high (10,000) as Samba uses only one bit per unopened file\&.
2612
The limit of the number of open files is usually set by the UNIX per\-process file descriptor limit rather than this parameter so you should never need to touch this parameter\&.
2614
Default: \fB\fImax open files\fR = 10000 \fR
3553
This parameter limits the maximum number of open files that one
3555
file serving process may have open for a client at any one time. The default for this parameter is set very high (10,000) as Samba uses only one bit per unopened file.
3557
The limit of the number of open files is usually set by the UNIX per-process file descriptor limit rather than this parameter so you should never need to touch this parameter.
3560
\fB\fImax open files\fR = 10000 \fR
2617
3562
max print jobs (S)
2618
This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment\&. If this number is exceeded, \fBsmbd\fR(8) will remote "Out of Space" to the client\&.
2620
Default: \fB\fImax print jobs\fR = 1000 \fR
2622
Example: \fB\fImax print jobs\fR = 5000 \fR
3563
This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. If this number is exceeded,
3565
will remote "Out of Space" to the client.
3568
\fB\fImax print jobs\fR = 1000 \fR
3571
\fB\fImax print jobs\fR = 5000 \fR
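Review bot: new line 3565 keeps the old wording "will remote "Out of Space" to the client" from old line 2618; "remote" should be "return". Since the whole entry is being touched anyway, fix it in the source rather than carrying it into the regenerated page.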
2626
This parameter is a synonym for max protocol\&.
3574
This parameter is a synonym for max protocol.
2629
3576
max protocol (G)
2630
The value of the parameter (a string) is the highest protocol level that will be supported by the server\&.
3577
The value of the parameter (a string) is the highest protocol level that will be supported by the server.
2632
3579
Possible values are :
2638
\fBCORE\fR: Earliest version\&. No concept of user names\&.
2641
\fBCOREPLUS\fR: Slight improvements on CORE for efficiency\&.
2644
\fBLANMAN1\fR: First \fB modern\fR version of the protocol\&. Long filename support\&.
2647
\fBLANMAN2\fR: Updates to Lanman1 protocol\&.
2650
\fBNT1\fR: Current up to date version of the protocol\&. Used by Windows NT\&. Known as CIFS\&.
3583
\fBCORE\fR: Earliest version. No concept of user names.
3586
\fBCOREPLUS\fR: Slight improvements on CORE for efficiency.
3589
\fBLANMAN1\fR: First
3591
version of the protocol. Long filename support.
3594
\fBLANMAN2\fR: Updates to Lanman1 protocol.
3597
\fBNT1\fR: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
2654
Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
2656
Default: \fB\fImax protocol\fR = NT1 \fR
2658
Example: \fB\fImax protocol\fR = LANMAN1 \fR
3600
Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.
3603
\fB\fImax protocol\fR = NT1 \fR
3606
\fB\fImax protocol\fR = LANMAN1 \fR
2661
3608
max reported print jobs (S)
2662
This parameter limits the maximum number of jobs displayed in a port monitor for Samba printer queue at any given moment\&. If this number is exceeded, the excess jobs will not be shown\&. A value of zero means there is no limit on the number of print jobs reported\&.
2664
Default: \fB\fImax reported print jobs\fR = 0 \fR
2666
Example: \fB\fImax reported print jobs\fR = 1000 \fR
3609
This parameter limits the maximum number of jobs displayed in a port monitor for Samba printer queue at any given moment. If this number is exceeded, the excess jobs will not be shown. A value of zero means there is no limit on the number of print jobs reported.
3612
\fB\fImax reported print jobs\fR = 0 \fR
3615
\fB\fImax reported print jobs\fR = 1000 \fR
2669
3617
max smbd processes (G)
2670
This parameter limits the maximum number of \fBsmbd\fR(8) processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections\&. Remember that under normal operating conditions, each user will have an \fBsmbd\fR(8) associated with him or her to handle connections to all shares from a given host\&.
2672
Default: \fB\fImax smbd processes\fR = 0 \fR
2674
Example: \fB\fImax smbd processes\fR = 1000 \fR
3618
This parameter limits the maximum number of
3620
processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections. Remember that under normal operating conditions, each user will have an
3622
associated with him or her to handle connections to all shares from a given host.
3625
\fB\fImax smbd processes\fR = 0 \fR
3628
\fB\fImax smbd processes\fR = 1000 \fR
2677
3630
max stat cache size (G)
2678
This parameter limits the size in memory of any \fIstat cache\fR being used to speed up case insensitive name mappings\&. This parameter is the number of kilobyte (1024) units the stat cache can use\&. The default is zero, which means unlimited\&. You should not need to change this parameter\&.
2680
Default: \fB\fImax stat cache size\fR = 0 \fR
2682
Example: \fB\fImax stat cache size\fR = 1024 \fR
3631
This parameter limits the size in memory of any
3633
being used to speed up case insensitive name mappings. This parameter is the number of kilobyte (1024) units the stat cache can use. The default is zero, which means unlimited. You should not need to change this parameter.
3636
\fB\fImax stat cache size\fR = 0 \fR
3639
\fB\fImax stat cache size\fR = 1024 \fR
2686
This option tells \fBnmbd\fR(8) what the default 'time to live' of NetBIOS names should be (in seconds) when \fBnmbd\fR is requesting a name using either a broadcast packet or from a WINS server\&. You should never need to change this parameter\&. The default is 3 days\&.
2688
Default: \fB\fImax ttl\fR = 259200 \fR
3644
what the default 'time to live' of NetBIOS names should be (in seconds) when
3646
is requesting a name using either a broadcast packet or from a WINS server. You should never need to change this parameter. The default is 3 days.
3649
\fB\fImax ttl\fR = 259200 \fR
2691
3651
max wins ttl (G)
2692
This option tells \fBsmbd\fR(8) when acting as a WINS server (wins support = yes) what the maximum 'time to live' of NetBIOS names that \fBnmbd\fR will grant will be (in seconds)\&. You should never need to change this parameter\&. The default is 6 days (518400 seconds)\&.
2694
Default: \fB\fImax wins ttl\fR = 518400 \fR
3654
when acting as a WINS server (wins support = yes) what the maximum 'time to live' of NetBIOS names that
3656
will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).
3659
\fB\fImax wins ttl\fR = 518400 \fR
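Review bot: old line 2692 says the max wins ttl option tells smbd(8) what to do, yet the same sentence speaks of names "that nmbd will grant", and the matching min wins ttl entry at old line 2779 names nmbd(8). The daemon name is not visible in new lines 3654-3656, so check that the unshown line names nmbd and not smbd.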
2698
This option controls the maximum packet size that will be negotiated by Samba\&. The default is 65535, which is the maximum\&. In some cases you may find you get better performance with a smaller value\&. A value below 2048 is likely to cause problems\&.
2700
Default: \fB\fImax xmit\fR = 65535 \fR
2702
Example: \fB\fImax xmit\fR = 8192 \fR
3662
This option controls the maximum packet size that will be negotiated by Samba. The default is 16644, which matches the behavior of Windows 2000. A value below 2048 is likely to cause problems. You should never need to change this parameter from its default value.
3665
\fB\fImax xmit\fR = 16644 \fR
3668
\fB\fImax xmit\fR = 8192 \fR
2705
3670
message command (G)
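Review bot: the change description should call out the new max xmit default. Old line 2698 gives 65535, "which is the maximum", and suggests a smaller value may perform better; new line 3662 gives 16644, "which matches the behavior of Windows 2000", and adds "You should never need to change this parameter from its default value". Everything else in this diff reads as a formatting regeneration, so an administrator comparing the two pages could miss that the negotiated packet size default moved. The example value 8192 is unchanged.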
2706
This specifies what command to run when the server receives a WinPopup style message\&.
2708
This would normally be a command that would deliver the message somehow\&. How this is to be done is up to your imagination\&.
3671
This specifies what command to run when the server receives a WinPopup style message.
3673
This would normally be a command that would deliver the message somehow. How this is to be done is up to your imagination.
2713
\fBmessage command = csh \-c 'xedit %s;rm %s' &\fR
3680
\fBmessage command = csh -c 'xedit %s;rm %s' &\fR
2717
This delivers the message using \fBxedit\fR, then removes it afterwards\&. \fBNOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY\fR\&. That's why I have the '&' on the end\&. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully)\&.
2719
All messages are delivered as the global guest user\&. The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better in this case)\&.
2721
Apart from the standard substitutions, some additional ones apply\&. In particular:
2727
\fI%s\fR = the filename containing the message\&.
2730
\fI%t\fR = the destination that the message was sent to (probably the server name)\&.
2733
\fI%f\fR = who the message is from\&.
3684
This delivers the message using
3685
\fBxedit\fR, then removes it afterwards.
3686
\fBNOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I have the '&' on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully).
3688
All messages are delivered as the global guest user. The command takes the standard substitutions, although
3690
won't work (\fI%U\fR
3691
may be better in this case).
3693
Apart from the standard substitutions, some additional ones apply. In particular:
3698
= the filename containing the message.
3702
= the destination that the message was sent to (probably the server name).
3706
= who the message is from.
2737
You could make this command send mail, or whatever else takes your fancy\&. Please let us know of any really interesting ideas you have\&.
3709
You could make this command send mail, or whatever else takes your fancy. Please let us know of any really interesting ideas you have.
3711
Here's a way of sending the messages as mail to root:
2739
Here's a way of sending the messages as mail to root:
2742
\fBmessage command = /bin/mail \-s 'message from %f on %m' root < %s; rm %s\fR
3716
\fBmessage command = /bin/mail -s 'message from %f on %m' root < %s; rm %s\fR
2746
If you don't have a message command then the message won't be delivered and Samba will tell the sender there was an error\&. Unfortunately WfWg totally ignores the error code and carries on regardless, saying that the message was delivered\&.
2748
If you want to silently delete it then try:
3720
If you don't have a message command then the message won't be delivered and Samba will tell the sender there was an error. Unfortunately WfWg totally ignores the error code and carries on regardless, saying that the message was delivered.
3722
If you want to silently delete it then try:
2751
3727
\fBmessage command = rm %s\fR
2755
Default: \fB\fImessage command\fR = \fR
2757
Example: \fB\fImessage command\fR = csh \-c 'xedit %s; rm %s' & \fR
3732
\fB\fImessage command\fR = \fR
3735
\fB\fImessage command\fR = csh -c 'xedit %s; rm %s' & \fR
2760
3737
min print space (S)
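Review bot: the message command entry should say how substituted values are quoted before the command runs. The mail example at new line 3716 places %f, defined at old line 2733 as "who the message is from", and %m inside a shell command line, and the text states that all messages are delivered as the global guest user, but nothing tells the administrator whether smbd sanitises those values first. Add a sentence on that and on keeping the guest account unprivileged. The repeated "Here's a way of sending the messages as mail to root:" (new 3711, old 2739) looks like diff ordering only.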
2761
This sets the minimum amount of free disk space that must be available before a user will be able to spool a print job\&. It is specified in kilobytes\&. The default is 0, which means a user can always spool a print job\&.
2763
Default: \fB\fImin print space\fR = 0 \fR
2765
Example: \fB\fImin print space\fR = 2000 \fR
3738
This sets the minimum amount of free disk space that must be available before a user will be able to spool a print job. It is specified in kilobytes. The default is 0, which means a user can always spool a print job.
3741
\fB\fImin print space\fR = 0 \fR
3744
\fB\fImin print space\fR = 2000 \fR
2768
3746
min protocol (G)
2769
The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support\&. Please refer to the max protocol parameter for a list of valid protocol names and a brief description of each\&. You may also wish to refer to the C source code in \fIsource/smbd/negprot\&.c\fR for a listing of known protocol dialects supported by clients\&.
2771
If you are viewing this parameter as a security measure, you should also refer to the lanman auth parameter\&. Otherwise, you should never need to change this parameter\&.
2773
Default: \fB\fImin protocol\fR = CORE \fR
2775
Example: \fB\fImin protocol\fR = NT1 \fR
3747
The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer to the
3748
max protocol parameter for a list of valid protocol names and a brief description of each. You may also wish to refer to the C source code in
3749
\fIsource/smbd/negprot.c\fR
3750
for a listing of known protocol dialects supported by clients.
3752
If you are viewing this parameter as a security measure, you should also refer to the
3753
lanman auth parameter. Otherwise, you should never need to change this parameter.
3756
\fB\fImin protocol\fR = CORE \fR
3759
\fB\fImin protocol\fR = NT1 \fR
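Review bot: typo carried over at 3747: "the lowest SMB protocol dialect than Samba will support" should read "that Samba will support".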
2778
3761
min wins ttl (G)
2779
This option tells \fBnmbd\fR(8) when acting as a WINS server (wins support = yes) what the minimum 'time to live' of NetBIOS names that \fBnmbd\fR will grant will be (in seconds)\&. You should never need to change this parameter\&. The default is 6 hours (21600 seconds)\&.
2781
Default: \fB\fImin wins ttl\fR = 21600 \fR
3764
when acting as a WINS server (wins support = yes) what the minimum 'time to live' of NetBIOS names that
3766
will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds).
3769
\fB\fImin wins ttl\fR = 21600 \fR
2784
3771
msdfs proxy (S)
2785
This parameter indicates that the share is a stand\-in for another CIFS share whose location is specified by the value of the parameter\&. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB\-Dfs protocol\&.
2787
Only Dfs roots can act as proxy shares\&. Take a look at themsdfs root and host msdfs options to find out how to set up a Dfs root share\&.
3772
This parameter indicates that the share is a stand-in for another CIFS share whose location is specified by the value of the parameter. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB-Dfs protocol.
3774
Only Dfs roots can act as proxy shares. Take a look at the
3776
host msdfs options to find out how to set up a Dfs root share.
2789
3778
\fBNo default\fR
2791
Example: \fB\fImsdfs proxy\fR = \\otherserver\\someshare \fR
3781
\fB\fImsdfs proxy\fR = \otherserver\someshare \fR
2795
If set to \fByes\fR, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory\&. Dfs links are specified in the share directory by symbolic links of the form \fImsdfs:serverA\\\\shareA,serverB\\\\shareB\fR and so on\&. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the Samba3\-HOWTO book\&.
2797
Default: \fB\fImsdfs root\fR = no \fR
3785
\fByes\fR, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic links of the form
3786
\fImsdfs:serverA\\shareA,serverB\\shareB\fR
3787
and so on. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.
3790
\fB\fImsdfs root\fR = yes \fR
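Review bot: the value line for msdfs root goes from "= no" (2797, labelled Default) to "= yes" (3790) while the description text is unchanged. If 3790 is still the Default line, the behaviour change needs a sentence in the description; if it is now an Example line, the Default line has gone missing and should be restored.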
2800
3792
name cache timeout (G)
2801
Specifies the number of seconds it takes before entries in samba's hostname resolve cache time out\&. If the timeout is set to 0\&. the caching is disabled\&.
2803
Default: \fB\fIname cache timeout\fR = 660 \fR
2805
Example: \fB\fIname cache timeout\fR = 0 \fR
3793
Specifies the number of seconds it takes before entries in samba's hostname resolve cache time out. If the timeout is set to 0. the caching is disabled.
3796
\fB\fIname cache timeout\fR = 660 \fR
3799
\fB\fIname cache timeout\fR = 0 \fR
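Review bot: punctuation slip kept at 3793: "If the timeout is set to 0. the caching is disabled." The full stop after 0 should be a comma, and "samba's" in the first sentence should be capitalised.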
2808
3801
name resolve order (G)
2809
This option is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses\&. Its main purpose to is to control how netbios name resolution is performed\&. The option takes a space separated string of name resolution options\&.
2811
The options are: "lmhosts", "host", "wins" and "bcast"\&. They cause names to be resolved as follows:
2817
\fBlmhosts\fR : Lookup an IP address in the Samba lmhosts file\&. If the line in lmhosts has no name type attached to the NetBIOS name (see the manpage for lmhosts for details) then any name type matches for lookup\&.
2820
\fBhost\fR : Do a standard host name to IP address resolution, using the system\fI/etc/hosts \fR, NIS, or DNS lookups\&. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the \fI/etc/nsswitch\&.conf\fR file\&. Note that this method is used only if the NetBIOS name type being queried is the 0x20 (server) name type or 0x1c (domain controllers)\&. The latter case is only useful for active directory domains and results in a DNS query for the SRV RR entry matching _ldap\&._tcp\&.domain\&.
2823
\fBwins\fR : Query a name with the IP address listed in the WINSSERVER parameter\&. If no WINS server has been specified this method will be ignored\&.
2826
\fBbcast\fR : Do a broadcast on each of the known local interfaces listed in the interfaces parameter\&. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet\&.
3802
This option is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. Its main purpose to is to control how netbios name resolution is performed. The option takes a space separated string of name resolution options.
3804
The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows:
3810
: Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the manpage for lmhosts for details) then any name type matches for lookup.
3815
: Do a standard host name to IP address resolution, using the system
3816
\fI/etc/hosts \fR, NIS, or DNS lookups. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the
3817
\fI/etc/nsswitch.conf\fR
3818
file. Note that this method is used only if the NetBIOS name type being queried is the 0x20 (server) name type or 0x1c (domain controllers). The latter case is only useful for active directory domains and results in a DNS query for the SRV RR entry matching _ldap._tcp.domain.
3822
: Query a name with the IP address listed in the
3823
WINSSERVER parameter. If no WINS server has been specified this method will be ignored.
3827
: Do a broadcast on each of the known local interfaces listed in the
3828
interfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet.
2830
The example below will cause the local lmhosts file to be examined first, followed by a broadcast attempt, followed by a normal system hostname lookup\&.
2832
When Samba is functioning in ADS security mode (\fBsecurity = ads\fR) it is advised to use following settings for \fIname resolve order\fR:
3831
The example below will cause the local lmhosts file to be examined first, followed by a broadcast attempt, followed by a normal system hostname lookup.
3833
When Samba is functioning in ADS security mode (\fBsecurity = ads\fR) it is advised to use following settings for
3834
\fIname resolve order\fR:
2834
3836
\fBname resolve order = wins bcast\fR
2836
DC lookups will still be done via DNS, but fallbacks to netbios names will not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups\&.
2838
Default: \fB\fIname resolve order\fR = lmhosts host wins bcast \fR
2840
Example: \fB\fIname resolve order\fR = lmhosts bcast host \fR
3838
DC lookups will still be done via DNS, but fallbacks to netbios names will not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.
3841
\fB\fIname resolve order\fR = lmhosts host wins bcast \fR
3844
\fB\fIname resolve order\fR = lmhosts bcast host \fR
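Review bot: three wording errors survive in the new text: "Its main purpose to is to control" at 3802 (drop the first "to"), "operating system depended for instance on IRIX" at 3816 (should be "operating system dependent; for instance, on IRIX"), and "querys" at 3838 (should be "queries").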
2843
3846
netbios aliases (G)
2844
This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known\&. This allows one machine to appear in browse lists under multiple names\&. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities\&.
2846
Default: \fB\fInetbios aliases\fR = # empty string (no additional names) \fR
2848
Example: \fB\fInetbios aliases\fR = TEST TEST1 TEST2 \fR
3847
This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities.
3850
\fB\fInetbios aliases\fR = # empty string (no additional names) \fR
3853
\fB\fInetbios aliases\fR = TEST TEST1 TEST2 \fR
2851
3855
netbios name (G)
2852
This sets the NetBIOS name by which a Samba server is known\&. By default it is the same as the first component of the host's DNS name\&. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under\&.
2854
There is a bug in Samba\-3 that breaks operation of browsing and access to shares if the netbios name is set to the literal name PIPE\&. To avoid this problem, do not name your Samba\-3 server PIPE\&.
2856
Default: \fB\fInetbios name\fR = # machine DNS name \fR
2858
Example: \fB\fInetbios name\fR = MYNAME \fR
3856
This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under.
3858
There is a bug in Samba-3 that breaks operation of browsing and access to shares if the netbios name is set to the literal name
3859
PIPE. To avoid this problem, do not name your Samba-3 server
3863
\fB\fInetbios name\fR = # machine DNS name \fR
3866
\fB\fInetbios name\fR = MYNAME \fR
2861
3868
netbios scope (G)
2862
This sets the NetBIOS scope that Samba will operate under\&. This should not be set unless every machine on your LAN also sets this value\&.
2864
Default: \fB\fInetbios scope\fR = \fR
3869
This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value.
3872
\fB\fInetbios scope\fR = \fR
2867
3874
nis homedir (G)
2868
Get the home share server from a NIS map\&. For UNIX systems that use an automounter, the user's home directory will often be mounted on a workstation on demand from a remote server\&.
2870
When the Samba logon server is not the actual home directory server, but is mounting the home directories via NFS then two network hops would be required to access the users home directory if the logon server told the client to use itself as the SMB server for home directories (one over SMB and one over NFS)\&. This can be very slow\&.
2872
This option allows Samba to return the home share as being on a different server to the logon server and as long as a Samba daemon is running on the home directory server, it will be mounted on the Samba client directly from the directory server\&. When Samba is returning the home share to the client, it will consult the NIS map specified inhomedir map and return the server listed there\&.
2874
Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a logon server\&.
2876
Default: \fB\fInis homedir\fR = no \fR
3875
Get the home share server from a NIS map. For UNIX systems that use an automounter, the user's home directory will often be mounted on a workstation on demand from a remote server.
3877
When the Samba logon server is not the actual home directory server, but is mounting the home directories via NFS then two network hops would be required to access the users home directory if the logon server told the client to use itself as the SMB server for home directories (one over SMB and one over NFS). This can be very slow.
3879
This option allows Samba to return the home share as being on a different server to the logon server and as long as a Samba daemon is running on the home directory server, it will be mounted on the Samba client directly from the directory server. When Samba is returning the home share to the client, it will consult the NIS map specified in
3880
homedir map and return the server listed there.
3882
Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a logon server.
3885
\fB\fInis homedir\fR = no \fR
2879
3887
nt acl support (S)
2880
This boolean parameter controls whether \fBsmbd\fR(8) will attempt to map UNIX permissions into Windows NT access control lists\&. This parameter was formally a global parameter in releases prior to 2\&.2\&.2\&.
2882
Default: \fB\fInt acl support\fR = yes \fR
3888
This boolean parameter controls whether
3890
will attempt to map UNIX permissions into Windows NT access control lists. The UNIX permissions considered are the the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories. This parameter was formally a global parameter in releases prior to 2.2.2.
3893
\fB\fInt acl support\fR = yes \fR
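Review bot: the sentence added at 3890 has a doubled word, "are the the traditional UNIX owner and group permissions", and the last sentence still says "was formally a global parameter" where "formerly" is meant.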
2886
This parameter determines whether or not \fBsmbd\fR(8) will attempt to authenticate users using the NTLM encrypted password response\&. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client\&.
2888
If this option, and \fBlanman auth\fR are both disabled, then only NTLMv2 logins will be permited\&. Not all clients support NTLMv2, and most will require special configuration to us it\&.
2890
Default: \fB\fIntlm auth\fR = yes \fR
3896
This parameter determines whether or not
3898
will attempt to authenticate users using the NTLM encrypted password response. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client.
3902
are both disabled, then only NTLMv2 logins will be permited. Not all clients support NTLMv2, and most will require special configuration to us it.
3905
\fB\fIntlm auth\fR = yes \fR
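Review bot: spelling errors remain at 3902 in the sentence that tells administrators how to restrict logins to NTLMv2: "permited" should be "permitted" and "special configuration to us it" should be "to use it".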
2893
3907
nt pipe support (G)
2894
This boolean parameter controls whether \fBsmbd\fR(8) will allow Windows NT clients to connect to the NT SMB specific \fBIPC$\fR pipes\&. This is a developer debugging option and can be left alone\&.
2896
Default: \fB\fInt pipe support\fR = yes \fR
3908
This boolean parameter controls whether
3910
will allow Windows NT clients to connect to the NT SMB specific
3912
pipes. This is a developer debugging option and can be left alone.
3915
\fB\fInt pipe support\fR = yes \fR
2899
3917
nt status support (G)
2900
This boolean parameter controls whether \fBsmbd\fR(8) will negotiate NT specific status support with Windows NT/2k/XP clients\&. This is a developer debugging option and should be left alone\&. If this option is set to \fBno\fR then Samba offers exactly the same DOS error codes that versions prior to Samba 2\&.2\&.3 reported\&.
2902
You should not need to ever disable this parameter\&.
2904
Default: \fB\fInt status support\fR = yes \fR
3918
This boolean parameter controls whether
3920
will negotiate NT specific status support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. If this option is set to
3922
then Samba offers exactly the same DOS error codes that versions prior to Samba 2.2.3 reported.
3924
You should not need to ever disable this parameter.
3927
\fB\fInt status support\fR = yes \fR
2907
3929
null passwords (G)
2908
Allow or disallow client access to accounts that have null passwords\&.
2910
See also \fBsmbpasswd\fR(5)\&.
2912
Default: \fB\fInull passwords\fR = no \fR
3930
Allow or disallow client access to accounts that have null passwords.
3936
\fB\fInull passwords\fR = no \fR
2915
3938
obey pam restrictions (G)
2916
When Samba 3\&.0 is configured to enable PAM support (i\&.e\&. \-\-with\-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives\&. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management\&. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes\&. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption\&.
2918
Default: \fB\fIobey pam restrictions\fR = no \fR
3939
When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of
3940
encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.
3943
\fB\fIobey pam restrictions\fR = no \fR
2922
This is a boolean option that controls whether connections with usernames not in the \fIuser\fR list will be allowed\&. By default this option is disabled so that a client can supply a username to be used by the server\&. Enabling this parameter will force the server to only use the login names from the \fIuser\fR list and is only really useful in security = share level security\&.
2924
Note that this also means Samba won't try to deduce usernames from the service name\&. This can be annoying for the [homes] section\&. To get around this you could use \fBuser = %S\fR which means your \fIuser\fR list will be just the service name, which for home directories is the name of the user\&.
2926
Default: \fB\fIonly user\fR = no \fR
3946
This is a boolean option that controls whether connections with usernames not in the
3948
list will be allowed. By default this option is disabled so that a client can supply a username to be used by the server. Enabling this parameter will force the server to only use the login names from the
3950
list and is only really useful in
3951
security = share level security.
3953
Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for the [homes] section. To get around this you could use
3957
list will be just the service name, which for home directories is the name of the user.
3960
\fB\fIonly user\fR = no \fR
3962
open files database hash size (G)
3963
This parameter was added in Samba 3.0.23. This is an internal tuning parameter that sets the hash size of the tdb used for the open file databases. The presence of this parameter allows tuning of the system for very large (thousands of concurrent users) Samba setups. The default setting of this parameter should be sufficient for most normal environments. It is advised not to change this parameter unless advised to by a Samba Team member.
3966
\fB\fIopen files database hash size\fR = 10007 \fR
3969
\fB\fIopen files database hash size\fR = 1338457 \fR
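Review bot: the closing sentence at 3963, "It is advised not to change this parameter unless advised to by a Samba Team member", repeats "advised"; suggest "Do not change this parameter unless a Samba Team member asks you to". The text also gives no hint of how a value such as 1338457 at 3969 should be chosen for a large installation.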
2929
3971
oplock break wait time (G)
2930
This is a tuning parameter added due to bugs in both Windows 9x and WinNT\&. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request\&. This tuning parameter (which is set in milliseconds) is the amount of time Samba will wait before sending an oplock break request to such (broken) clients\&.
2935
DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE\&.
2938
Default: \fB\fIoplock break wait time\fR = 0 \fR
3972
This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount of time Samba will wait before sending an oplock break request to such (broken) clients.
3975
.nr an-no-space-flag 1
3979
DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.
3981
\fB\fIoplock break wait time\fR = 0 \fR
2941
3983
oplock contention limit (S)
2942
This is a \fBvery\fR advanced \fBsmbd\fR(8) tuning option to improve the efficiency of the granting of oplocks under multiple client contention for the same file\&.
2944
In brief it specifies a number, which causes \fBsmbd\fR(8)not to grant an oplock even when requested if the approximate number of clients contending for an oplock on the same file goes over this limit\&. This causes \fBsmbd\fR to behave in a similar way to Windows NT\&.
2949
DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE\&.
2952
Default: \fB\fIoplock contention limit\fR = 2 \fR
3988
tuning option to improve the efficiency of the granting of oplocks under multiple client contention for the same file.
3990
In brief it specifies a number, which causes
3991
\fBsmbd\fR(8)not to grant an oplock even when requested if the approximate number of clients contending for an oplock on the same file goes over this limit. This causes
3993
to behave in a similar way to Windows NT.
3996
.nr an-no-space-flag 1
4000
DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.
4002
\fB\fIoplock contention limit\fR = 2 \fR
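Review bot: missing space at 3991: "\fBsmbd\fR(8)not to grant an oplock" renders as "smbd(8)not". The same slip was present at 2944 and should be fixed here rather than carried forward.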
2956
This boolean option tells \fBsmbd\fR whether to issue oplocks (opportunistic locks) to file open requests on this share\&. The oplock code can dramatically (approx\&. 30% or more) improve the speed of access to files on Samba servers\&. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers)\&. For more information see the file\fISpeed\&.txt\fR in the Samba\fIdocs/\fR directory\&.
2958
Oplocks may be selectively turned off on certain files with a share\&. See the veto oplock files parameter\&. On some systems oplocks are recognized by the underlying operating system\&. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process\&. See thekernel oplocks parameter for details\&.
2960
Default: \fB\fIoplocks\fR = yes \fR
4005
This boolean option tells
4007
whether to issue oplocks (opportunistic locks) to file open requests on this share. The oplock code can dramatically (approx. 30% or more) improve the speed of access to files on Samba servers. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers). For more information see the file
4013
Oplocks may be selectively turned off on certain files with a share. See the
4014
veto oplock files parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the
4015
kernel oplocks parameter for details.
4018
\fB\fIoplocks\fR = yes \fR
2963
4020
os2 driver map (G)
2964
The parameter is used to define the absolute path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names\&. The format is:
2966
<nt driver name> = <os2 driver name>\&.<device name>
2968
For example, a valid entry using the HP LaserJet 5 printer driver would appear as \fBHP LaserJet 5L = LASERJET\&.HP LaserJet 5L\fR\&.
2970
The need for the file is due to the printer driver namespace problem described in the chapter on Classical Printing in the Samba3\-HOWTO book\&. For more details on OS/2 clients, please refer to chapter on other clients in the Samba3\-HOWTO book\&.
2972
Default: \fB\fIos2 driver map\fR = \fR
4021
The parameter is used to define the absolute path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is:
4023
<nt driver name> = <os2 driver name>.<device name>
4025
For example, a valid entry using the HP LaserJet 5 printer driver would appear as
4026
\fBHP LaserJet 5L = LASERJET.HP LaserJet 5L\fR.
4028
The need for the file is due to the printer driver namespace problem described in the chapter on Classical Printing in the Samba3-HOWTO book. For more details on OS/2 clients, please refer to chapter on other clients in the Samba3-HOWTO book.
4031
\fB\fIos2 driver map\fR = \fR
2976
This integer value controls what level Samba advertises itself as for browse elections\&. The value of this parameter determines whether \fBnmbd\fR(8) has a chance of becoming a local master browser for the workgroup in the local broadcast area\&.
2978
\fB Note :\fRBy default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4\&.0/2000 Domain Controller\&. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes\&. This parameter is largely auto\-configured in the Samba\-3 release series and it is seldom necessary to manually over\-ride the default setting\&. Please refer to chapter 9 of the Samba\-3 HOWTO document for further information regarding the use of this parameter\&.
2980
Default: \fB\fIos level\fR = 20 \fR
2982
Example: \fB\fIos level\fR = 65 \fR
4034
This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether
4036
has a chance of becoming a local master browser for the
4037
workgroup in the local broadcast area.
4039
\fB Note :\fRBy default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3 release series and it is seldom necessary to manually over-ride the default setting. Please refer to chapter 9 of the Samba-3 HOWTO document for further information regarding the use of this parameter.
4042
\fB\fIos level\fR = 20 \fR
4045
\fB\fIos level\fR = 65 \fR
2985
4047
pam password change (G)
2986
With the addition of better PAM support in Samba 2\&.2, this parameter, it is possible to use PAM's password change control flag for Samba\&. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in passwd program\&. It should be possible to enable this without changing your passwd chat parameter for most setups\&.
2988
Default: \fB\fIpam password change\fR = no \fR
4048
With the addition of better PAM support in Samba 2.2, this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in
4049
passwd program. It should be possible to enable this without changing your
4050
passwd chat parameter for most setups.
4053
\fB\fIpam password change\fR = no \fR
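Review bot: the opening sentence at 4048 is still broken: "With the addition of better PAM support in Samba 2.2, this parameter, it is possible to use PAM's password change control flag for Samba." Drop the stray "this parameter," or recast the clause as "this parameter makes it possible to use ...".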
2991
4055
panic action (G)
2992
This is a Samba developer option that allows a system command to be called when either \fBsmbd\fR(8) or \fBsmbd\fR(8)crashes\&. This is usually used to draw attention to the fact that a problem occurred\&.
2994
Default: \fB\fIpanic action\fR = \fR
2996
Example: \fB\fIpanic action\fR = "/bin/sleep 90000" \fR
4056
This is a Samba developer option that allows a system command to be called when either
4060
crashes. This is usually used to draw attention to the fact that a problem occurred.
4063
\fB\fIpanic action\fR = \fR
4066
\fB\fIpanic action\fR = "/bin/sleep 90000" \fR
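Review bot: the old sentence at 2992 reads "when either smbd(8) or smbd(8)crashes", naming the same daemon twice and missing a space before "crashes". Check that the replacement text at 4056 to 4060 names the second daemon correctly (presumably nmbd) and has the space.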
2999
4068
paranoid server security (G)
3000
Some version of NT 4\&.x allow non\-guest users with a bad passowrd\&. When this option is enabled, samba will not use a broken NT 4\&.x server as password server, but instead complain to the logs and exit\&.
3002
Disabling this option prevents Samba from making this check, which involves deliberatly attempting a bad logon to the remote server\&.
3004
Default: \fB\fIparanoid server security\fR = yes \fR
4069
Some version of NT 4.x allow non-guest users with a bad passowrd. When this option is enabled, samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit.
4071
Disabling this option prevents Samba from making this check, which involves deliberatly attempting a bad logon to the remote server.
4074
\fB\fIparanoid server security\fR = yes \fR
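Review bot: typos carried over unchanged at 4069 and 4071: "passowrd" should be "password", "deliberatly" should be "deliberately", and "Some version of NT 4.x allow" should be "Some versions of NT 4.x allow". This paragraph explains a security check, so it is worth getting right.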
3007
4076
passdb backend (G)
3008
This option allows the administrator to chose which backends to retrieve and store passwords with\&. This allows (for example) both smbpasswd and tdbsam to be used without a recompile\&. Multiple backends can be specified, separated by spaces\&. The backends will be searched in the order they are specified\&. New users are always added to the first backend specified\&.
3010
This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backed\&. These are separated by a : character\&.
4077
This option allows the administrator to chose which backend will be used for storing user and possibly group information. This allows you to swap between dfferent storage mechanisms without recompile.
4079
The parameter value is divided into two parts, the backend's name, and a 'location' string that has meaning only to that particular backed. These are separated by a : character.
3012
4081
Available backends can include:
3017
\fBsmbpasswd\fR \- The default smbpasswd backend\&. Takes a path to the smbpasswd file as an optional argument\&.
3020
\fBtdbsam\fR \- The TDB based password storage backend\&. Takes a path to the TDB as an optional argument (defaults to passdb\&.tdb in the private dir directory\&.
3023
\fBldapsam\fR \- The LDAP based passdb backend\&. Takes an LDAP URL as an optional argument (defaults to \fBldap://localhost\fR)
3025
LDAP connections should be secured where possible\&. This may be done using either Start\-TLS (see ldap ssl) or by specifying \fIldaps://\fR in the URL argument\&.
3027
Multiple servers may also be specified in double\-quotes, if your LDAP libraries supports the LDAP URL notation\&. (OpenLDAP does)\&.
3030
\fBnisplussam\fR \- The NIS+ based passdb backend\&. Takes name NIS domain as an optional argument\&. Only works with sun NIS+ servers\&.
3033
\fBmysql\fR \- The MySQL based passdb backend\&. Takes an identifier as argument\&. Read the Samba HOWTO Collection for configuration details\&.
4086
- The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.
4090
- The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the
4091
private dir directory.
4095
- The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to
4096
\fBldap://localhost\fR)
4098
LDAP connections should be secured where possible. This may be done using either Start-TLS (see
4099
ldap ssl) or by specifying
4101
in the URL argument.
4103
Multiple servers may also be specified in double-quotes, if your LDAP libraries supports the LDAP URL notation. (OpenLDAP does).
3040
4108
Examples of use are:
3043
passdb backend = tdbsam:/etc/samba/private/passdb\&.tdb \\
3044
smbpasswd:/etc/samba/smbpasswd
3048
passdb backend = ldapsam:ldaps://ldap\&.example\&.com
3052
passdb backend = ldapsam:"ldap://ldap\-1\&.example\&.com \\
3053
ldap://ldap\-2\&.example\&.com"
3057
passdb backend = mysql:my_plugin_args tdbsam
4111
passdb backend = tdbsam:/etc/samba/private/passdb.tdb
4115
passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
3059
Default: \fB\fIpassdb backend\fR = smbpasswd \fR
4118
\fB\fIpassdb backend\fR = smbpasswd \fR
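Review bot: the rewritten description at new line 4077 misspells "different" as "dfferent" and keeps "chose" where "choose" is meant, and new line 4079 keeps "backed" for "backend"; these should be fixed while the paragraph is being rewritten. The old text at 3008 said multiple backends can be listed and are searched in order, with new users added to the first one; the new text speaks of a single backend and the example at 4111 shows only one, so state explicitly whether a space-separated list is still accepted.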
3062
4120
passdb expand explicit (G)
3063
This parameter controls whether Samba substitutes %\-macros in the passdb fields if they are explicitly set\&. We used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable %G_osver% in which %G would have been substituted by the user's primary group\&.
3065
This parameter is set to "yes" by default, but this is about to change in the future\&.
3067
Default: \fB\fIpassdb expand explicit\fR = yes \fR
4121
This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable %G_osver% in which %G would have been substituted by the user's primary group.
4124
\fB\fIpassdb expand explicit\fR = no \fR
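Review bot: the value at new line 4124 is "no" where old line 3067 documented "Default: yes", and the rewritten paragraph at 4121 no longer mentions the default at all. Because this flips whether %-macros in explicitly set passdb fields are expanded, add a sentence telling upgrading administrators that the default changed and that "passdb expand explicit = yes" restores the earlier behaviour.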
3070
4126
passwd chat (G)
3071
This string controls the \fB"chat"\fR conversation that takes places between \fBsmbd\fR(8) and the local password changing program to change the user's password\&. The string describes a sequence of response\-receive pairs that \fBsmbd\fR(8) uses to determine what to send to the passwd program and what to expect back\&. If the expected output is not received then the password is not changed\&.
3073
This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc)\&.
3075
Note that this parameter only is only used if the unix password sync parameter is set to \fByes\fR\&. This sequence is then called \fBAS ROOT\fR when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext\&. This means that root must be able to reset the user's password without knowing the text of the previous password\&. In the presence of NIS/YP, this means that the passwd program must be executed on the NIS master\&.
3077
The string can contain the macro \fI%n\fR which is substituted for the new password\&. The chat sequence can also contain the standard macros \\n, \\r, \\t and \\s to give line\-feed, carriage\-return, tab and space\&. The chat sequence string can also contain a '*' which matches any sequence of characters\&. Double quotes can be used to collect strings with spaces in them into a single string\&.
3079
If the send string in any part of the chat sequence is a full stop "\&.", then no string is sent\&. Similarly, if the expect string is a full stop then no string is expected\&.
3081
If the pam password change parameter is set to \fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output\&. The \\n macro is ignored for PAM conversions\&.
3083
Default: \fB\fIpasswd chat\fR = *new*password* %n\\n*new*password* %n\\n *changed* \fR
3085
Example: \fB\fIpasswd chat\fR = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password changed*" \fR
4127
This string controls the
4129
conversation that takes places between
4131
and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that
4133
uses to determine what to send to the
4134
passwd program and what to expect back. If the expected output is not received then the password is not changed.
4136
This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc).
4138
Note that this parameter only is only used if the
4139
unix password sync parameter is set to
4140
\fByes\fR. This sequence is then called
4142
when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of NIS/YP, this means that the
4143
passwd program must be executed on the NIS master.
4145
The string can contain the macro
4147
which is substituted for the new password. The chat sequence can also contain the standard macros \n, \r, \t and \s to give line-feed, carriage-return, tab and space. The chat sequence string can also contain a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces in them into a single string.
4149
If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.
4152
pam password change parameter is set to
4153
\fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions.
4156
\fB\fIpasswd chat\fR = *new*password* %n\n*new*password* %n\n *changed* \fR
4159
\fB\fIpasswd chat\fR = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" \fR
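Review bot: the example at new line 4159 sends %o, but the description defines only %n (4145 to 4147), and line 4142 states that the chat runs without access to the old password cleartext; either document what %o expands to in that situation or change the example to one that uses only %n. The doubled "only is only used" at 4138 and "takes places" at 4129 are also carried over from the old text and could be corrected in the same pass.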
3088
4161
passwd chat debug (G)
3089
This boolean specifies if the passwd chat script parameter is run in \fBdebug\fR mode\&. In this mode the strings passed to and received from the passwd chat are printed in the \fBsmbd\fR(8) log with a debug level of 100\&. This is a dangerous option as it will allow plaintext passwords to be seen in the \fBsmbd\fR log\&. It is available to help Samba admins debug their \fIpasswd chat\fR scripts when calling the \fIpasswd program\fR and should be turned off after this has been done\&. This option has no effect if the pam password change paramter is set\&. This parameter is off by default\&.
3091
Default: \fB\fIpasswd chat debug\fR = no \fR
4162
This boolean specifies if the passwd chat script parameter is run in
4164
mode. In this mode the strings passed to and received from the passwd chat are printed in the
4167
debug level of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the
4169
log. It is available to help Samba admins debug their
4171
scripts when calling the
4172
\fIpasswd program\fR
4173
and should be turned off after this has been done. This option has no effect if the
4174
pam password change paramter is set. This parameter is off by default.
4177
\fB\fIpasswd chat debug\fR = no \fR
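Review bot: "paramter" at new line 4174 is carried over from old line 3089 and should read "parameter". Since lines 4167 to 4169 warn that this mode lets plaintext passwords be seen in the smbd log, the paragraph would be more useful if it also told administrators to remove or restrict access to the log written while debugging once the option is turned off again.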
3094
4179
passwd chat timeout (G)
3095
This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run\&. Once the initial answer is received the subsequent answers must be received in one tenth of this time\&. The default it two seconds\&.
3097
Default: \fB\fIpasswd chat timeout\fR = 2 \fR
4180
This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run. Once the initial answer is received the subsequent answers must be received in one tenth of this time. The default it two seconds.
4183
\fB\fIpasswd chat timeout\fR = 2 \fR
3100
4185
passwd program (G)
3101
The name of a program that can be used to set UNIX user passwords\&. Any occurrences of \fI%u\fR will be replaced with the user name\&. The user name is checked for existence before calling the password changing program\&.
3103
Also note that many passwd programs insist in \fBreasonable \fR passwords, such as a minimum length, or the inclusion of mixed case chars and digits\&. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it\&.
3105
\fBNote\fR that if the \fIunix password sync\fR parameter is set to \fByes \fR then this program is called \fBAS ROOT\fR before the SMB password in the smbpasswd file is changed\&. If this UNIX password change fails, then \fBsmbd\fR will fail to change the SMB password also (this is by design)\&.
3107
If the \fIunix password sync\fR parameter is set this parameter \fBMUST USE ABSOLUTE PATHS\fR for \fBALL\fR programs called, and must be examined for security implications\&. Note that by default \fIunix password sync\fR is set to \fBno\fR\&.
3109
Default: \fB\fIpasswd program\fR = \fR
3111
Example: \fB\fIpasswd program\fR = /bin/passwd %u \fR
4186
The name of a program that can be used to set UNIX user passwords. Any occurrences of
4188
will be replaced with the user name. The user name is checked for existence before calling the password changing program.
4190
Also note that many passwd programs insist in
4192
passwords, such as a minimum length, or the inclusion of mixed case chars and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it.
4196
\fIunix password sync\fR
4199
then this program is called
4201
before the SMB password in the smbpasswd file is changed. If this UNIX password change fails, then
4203
will fail to change the SMB password also (this is by design).
4206
\fIunix password sync\fR
4207
parameter is set this parameter
4208
\fBMUST USE ABSOLUTE PATHS\fR
4211
programs called, and must be examined for security implications. Note that by default
4212
\fIunix password sync\fR
4217
\fB\fIpasswd program\fR = \fR
4220
\fB\fIpasswd program\fR = /bin/passwd %u \fR
3114
4222
password level (G)
3115
Some client/server combinations have difficulty with mixed\-case passwords\&. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS! Another problem child is the Windows 95/98 family of operating systems\&. These clients upper case clear text passwords even when NT LM 0\&.12 selected by the protocol negotiation request/response\&.
3117
This parameter defines the maximum number of characters that may be upper case in passwords\&.
3119
For example, say the password given was "FRED"\&. If \fI password level\fR is set to 1, the following combinations would be tried if "FRED" failed:
4223
Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS! Another problem child is the Windows 95/98 family of operating systems. These clients upper case clear text passwords even when NT LM 0.12 selected by the protocol negotiation request/response.
4225
This parameter defines the maximum number of characters that may be upper case in passwords.
4227
For example, say the password given was "FRED". If
4228
\fI password level\fR
4229
is set to 1, the following combinations would be tried if "FRED" failed:
3121
4231
"Fred", "fred", "fRed", "frEd","freD"
3123
If \fIpassword level\fR was set to 2, the following combinations would also be tried:
3125
"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", \&.\&.
3129
The higher value this parameter is set to the more likely it is that a mixed case password will be matched against a single case password\&. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection\&.
3131
A value of zero will cause only two attempts to be made \- the password as is and the password in all\-lower case\&.
3133
This parameter is used only when using plain\-text passwords\&. It is not at all used when encrypted passwords as in use (that is the default since samba\-3\&.0\&.0)\&. Use this only when encrypt passwords = No\&.
3135
Default: \fB\fIpassword level\fR = 0 \fR
3137
Example: \fB\fIpassword level\fR = 4 \fR
4234
\fIpassword level\fR
4235
was set to 2, the following combinations would also be tried:
4237
"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
4241
The higher value this parameter is set to the more likely it is that a mixed case password will be matched against a single case password. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection.
4243
A value of zero will cause only two attempts to be made - the password as is and the password in all-lower case.
4245
This parameter is used only when using plain-text passwords. It is not at all used when encrypted passwords as in use (that is the default since samba-3.0.0). Use this only when
4246
encrypt passwords = No.
4249
\fB\fIpassword level\fR = 0 \fR
4252
\fB\fIpassword level\fR = 4 \fR
3140
4254
password server (G)
3141
By specifying the name of another SMB server or Active Directory domain controller with this option, and using \fBsecurity = [ads|domain|server]\fR it is possible to get Samba to to do all its username/password validation using a specific remote server\&.
3143
This option sets the name or IP address of the password server to use\&. New syntax has been added to support defining the port to use when connecting to the server the case of an ADS realm\&. To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e\&.g\&. 192\&.168\&.1\&.100:389)\&. If you do not specify a port, Samba will use the standard LDAP port of tcp/389\&. Note that port numbers have no effect on password servers for Windows NT 4\&.0 domains or netbios connections\&.
3145
If parameter is a name, it is looked up using the parameter name resolve order and so may resolved by any method and order described in that parameter\&.
3147
The password server must be a machine capable of using the "LM1\&.2X002" or the "NT LM 0\&.12" protocol, and it must be in user level security mode\&.
3152
Using a password server means your UNIX box (running Samba) is only as secure as your password server\&. \fBDO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST\fR\&.
3155
Never point a Samba server at itself for password serving\&. This will cause a loop and could lock up your Samba server!
3157
The name of the password server takes the standard substitutions, but probably the only useful one is \fI%m \fR, which means the Samba server will use the incoming client as the password server\&. If you use this then you better trust your clients, and you had better restrict them with hosts allow!
3159
If the \fIsecurity\fR parameter is set to \fBdomain\fR or \fBads\fR, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on\&. The advantage of using \fB security = domain\fR is that if you list several hosts in the \fIpassword server\fR option then \fBsmbd \fR will try each in turn till it finds one that responds\&. This is useful in case your primary server goes down\&.
3161
If the \fIpassword server\fR option is set to the character '*', then Samba will attempt to auto\-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name \fBWORKGROUP<1C>\fR and then contacting each server returned in the list of IP addresses from the name resolution source\&.
3163
If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well\&. Samba will not attempt to optimize this list by locating the closest DC\&.
3165
If the \fIsecurity\fR parameter is set to \fBserver\fR, then there are different restrictions that \fBsecurity = domain\fR doesn't suffer from:
3171
You may list several password servers in the \fIpassword server\fR parameter, however if an \fBsmbd\fR makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this \fBsmbd\fR\&. This is a restriction of the SMB/CIFS protocol when in \fBsecurity = server \fR mode and cannot be fixed in Samba\&.
3174
If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in \fB security = server\fR mode the network logon will appear to come from there rather than from the users workstation\&.
3178
Default: \fB\fIpassword server\fR = \fR
3180
Example: \fB\fIpassword server\fR = NT\-PDC, NT\-BDC1, NT\-BDC2, * \fR
3182
Example: \fB\fIpassword server\fR = windc\&.mydomain\&.com:389 192\&.168\&.1\&.101 * \fR
3184
Example: \fB\fIpassword server\fR = * \fR
4255
By specifying the name of another SMB server or Active Directory domain controller with this option, and using
4256
\fBsecurity = [ads|domain|server]\fR
4257
it is possible to get Samba to to do all its username/password validation using a specific remote server.
4259
This option sets the name or IP address of the password server to use. New syntax has been added to support defining the port to use when connecting to the server the case of an ADS realm. To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, Samba will use the standard LDAP port of tcp/389. Note that port numbers have no effect on password servers for Windows NT 4.0 domains or netbios connections.
4261
If parameter is a name, it is looked up using the parameter
4262
name resolve order and so may resolved by any method and order described in that parameter.
4264
The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.
4267
.nr an-no-space-flag 1
4271
Using a password server means your UNIX box (running Samba) is only as secure as your password server.
4272
\fBDO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST\fR.
4273
Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!
4275
The name of the password server takes the standard substitutions, but probably the only useful one is
4276
\fI%m \fR, which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you had better restrict them with hosts allow!
4283
\fBads\fR, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using
4284
\fB security = domain\fR
4285
is that if you list several hosts in the
4286
\fIpassword server\fR
4289
will try each in turn till it finds one that responds. This is useful in case your primary server goes down.
4292
\fIpassword server\fR
4293
option is set to the character '*', then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name
4295
and then contacting each server returned in the list of IP addresses from the name resolution source.
4297
If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC.
4302
\fBserver\fR, then there are different restrictions that
4303
\fBsecurity = domain\fR
4304
doesn't suffer from:
4308
You may list several password servers in the
4309
\fIpassword server\fR
4310
parameter, however if an
4312
makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this
4313
\fBsmbd\fR. This is a restriction of the SMB/CIFS protocol when in
4314
\fBsecurity = server \fR
4315
mode and cannot be fixed in Samba.
4318
If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in
4319
\fB security = server\fR
4320
mode the network logon will appear to come from there rather than from the users workstation.
4324
\fB\fIpassword server\fR = \fR
4327
\fB\fIpassword server\fR = NT-PDC, NT-BDC1, NT-BDC2, * \fR
4330
\fB\fIpassword server\fR = windc.mydomain.com:389 192.168.1.101 * \fR
4333
\fB\fIpassword server\fR = * \fR
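Review bot: several wording slips in this paragraph are carried over unchanged into the new text and are worth fixing here: "to to do" at 4257, "connecting to the server the case of an ADS realm" at 4259 (missing "in"), and "so may resolved" at 4262 (missing "be"). The trust warning and the %m caveat at 4271 to 4276 read correctly and should stay as they are.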
3188
This parameter is a synonym for path\&.
4336
This parameter is a synonym for path.
3192
This parameter specifies a directory to which the user of the service is to be given access\&. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing\&.
3194
For a printable service offering guest access, the service should be readonly and the path should be world\-writeable and have the sticky bit set\&. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise\&.
3196
Any occurrences of \fI%u\fR in the path will be replaced with the UNIX username that the client is using on this connection\&. Any occurrences of \fI%m\fR will be replaced by the NetBIOS name of the machine they are connecting from\&. These replacements are very useful for setting up pseudo home directories for users\&.
3198
Note that this path will be based on root dir if one was specified\&.
3200
Default: \fB\fIpath\fR = \fR
3202
Example: \fB\fIpath\fR = /home/fred \fR
4339
This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.
4341
For a printable service offering guest access, the service should be readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise.
4345
in the path will be replaced with the UNIX username that the client is using on this connection. Any occurrences of
4347
will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.
4349
Note that this path will be based on
4350
root dir if one was specified.
4356
\fB\fIpath\fR = /home/fred \fR
3205
4358
pid directory (G)
3206
This option specifies the directory where pid files will be placed\&.
3208
Default: \fB\fIpid directory\fR = ${prefix}/var/locks \fR
3210
Example: \fB\fIpid directory\fR = pid directory = /var/run/ \fR
4359
This option specifies the directory where pid files will be placed.
4362
\fB\fIpid directory\fR = ${prefix}/var/locks \fR
4365
\fB\fIpid directory\fR = pid directory = /var/run/ \fR
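Review bot: the example value at new line 4365 repeats the parameter name ("pid directory = pid directory = /var/run/"), carried over from old line 3210; it should read "pid directory = /var/run/".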
3213
4367
posix locking (S)
3214
The \fBsmbd\fR(8) daemon maintains an database of file locks obtained by SMB clients\&. The default behavior is to map this internal database to POSIX locks\&. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non\-SMB method (e\&.g\&. NFS or local file access)\&. You should never need to disable this parameter\&.
3216
Default: \fB\fIposix locking\fR = yes \fR
4370
daemon maintains an database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non-SMB method (e.g. NFS or local file access). You should never need to disable this parameter.
4373
\fB\fIposix locking\fR = yes \fR
3220
This option specifies a command to be run whenever the service is disconnected\&. It takes the usual substitutions\&. The command may be run as the root on some systems\&.
4376
This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as the root on some systems.
3222
4378
An interesting example may be to unmount server resources:
3224
4380
\fBpostexec = /etc/umount /cdrom\fR
3226
Default: \fB\fIpostexec\fR = \fR
3228
Example: \fB\fIpostexec\fR = echo \\"%u disconnected from %S from %m (%I)\\" >> /tmp/log \fR
4383
\fB\fIpostexec\fR = \fR
4386
\fB\fIpostexec\fR = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log \fR
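Review bot: the example at new line 4386 appends to /tmp/log, while the description at 4376 says the command may be run as root on some systems; a fixed file name in a world-writable directory is a poor target for a redirect that can run as root, so the example should point at a file in a directory that only root can write to. The preexec example at 4409 uses the same redirect and should be changed with it.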
3232
This parameter is a synonym for preexec\&.
4389
This parameter is a synonym for preexec.
3236
This option specifies a command to be run whenever the service is connected to\&. It takes the usual substitutions\&.
3238
An interesting example is to send the users a welcome message every time they log in\&. Maybe a message of the day? Here is an example:
3240
\fBpreexec = csh \-c 'echo \\"Welcome to %S!\\" | /usr/local/samba/bin/smbclient \-M %m \-I %I' & \fR
3242
Of course, this could get annoying after a while :\-)
3244
See also preexec close and postexec\&.
3246
Default: \fB\fIpreexec\fR = \fR
3248
Example: \fB\fIpreexec\fR = echo \\"%u connected to %S from %m (%I)\\" >> /tmp/log \fR
4392
This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.
4394
An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:
4397
\fBpreexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & \fR
4399
Of course, this could get annoying after a while :-)
4406
\fB\fIpreexec\fR = \fR
4409
\fB\fIpreexec\fR = echo \"%u connected to %S from %m (%I)\" >> /tmp/log \fR
3251
4411
preexec close (S)
3252
This boolean option controls whether a non\-zero return code from preexec should close the service being connected to\&.
3254
Default: \fB\fIpreexec close\fR = no \fR
4412
This boolean option controls whether a non-zero return code from
4413
preexec should close the service being connected to.
4416
\fB\fIpreexec close\fR = no \fR
3257
4418
prefered master
3258
This parameter is a synonym for preferred master\&.
4419
This parameter is a synonym for preferred master.
3261
4421
preferred master (G)
3262
This boolean parameter controls if \fBnmbd\fR(8) is a preferred master browser for its workgroup\&.
3264
If this is set to \fByes\fR, on startup, \fBnmbd\fR will force an election, and it will have a slight advantage in winning the election\&. It is recommended that this parameter is used in conjunction with domain master = yes, so that\fBnmbd\fR can guarantee becoming a domain master\&.
3266
Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser\&. This will result in unnecessary broadcast traffic and reduced browsing capabilities\&.
3268
Default: \fB\fIpreferred master\fR = auto \fR
4422
This boolean parameter controls if
4424
is a preferred master browser for its workgroup.
4427
\fByes\fR, on startup,
4429
will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with
4430
domain master = yes, so that
4432
can guarantee becoming a domain master.
4434
Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.
4437
\fB\fIpreferred master\fR = auto \fR
3272
This parameter is a synonym for preload\&.
4440
This parameter is a synonym for preload.
3276
This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&.
3278
Note that if you just want all printers in your printcap file loaded then the load printers option is easier\&.
3280
Default: \fB\fIpreload\fR = \fR
3282
Example: \fB\fIpreload\fR = fred lp colorlp \fR
4443
This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services that would otherwise not be visible.
4445
Note that if you just want all printers in your printcap file loaded then the
4446
load printers option is easier.
4449
\fB\fIpreload\fR = \fR
4452
\fB\fIpreload\fR = fred lp colorlp \fR
3285
4454
preload modules (G)
3286
This is a list of paths to modules that should be loaded into smbd before a client connects\&. This improves the speed of smbd when reacting to new connections somewhat\&.
3288
Default: \fB\fIpreload modules\fR = \fR
3290
Example: \fB\fIpreload modules\fR = /usr/lib/samba/passdb/mysql\&.so \fR
4455
This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.
4458
\fB\fIpreload modules\fR = \fR
4461
\fB\fIpreload modules\fR = /usr/lib/samba/passdb/mysql.so \fR
3293
4463
preserve case (S)
3294
This controls if new filenames are created with the case that the client passes, or if they are forced to be the default case\&.
3296
See the section on NAME MANGLING for a fuller discussion\&.
3298
Default: \fB\fIpreserve case\fR = yes \fR
4464
This controls if new filenames are created with the case that the client passes, or if they are forced to be the
4469
for a fuller discussion.
4472
\fB\fIpreserve case\fR = yes \fR
3302
This parameter is a synonym for printable\&.
4475
This parameter is a synonym for printable.
3306
If this parameter is \fByes\fR, then clients may open, write to and submit spool files on the directory specified for the service\&.
3308
Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data\&. The read only parameter controls only non\-printing access to the resource\&.
3310
Default: \fB\fIprintable\fR = no \fR
4478
If this parameter is
4479
\fByes\fR, then clients may open, write to and submit spool files on the directory specified for the service.
4481
Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The
4482
read only parameter controls only non-printing access to the resource.
4485
\fB\fIprintable\fR = no \fR
3313
4487
printcap cache time (G)
3314
This option specifies the number of seconds before the printing subsystem is again asked for the known printers\&. If the value is greater than 60 the initial waiting time is set to 60 seconds to allow an earlier first rescan of the printing subsystem\&.
3316
Setting this parameter to 0 (the default) disables any rescanning for new or removed printers after the initial startup\&.
3318
Default: \fB\fIprintcap cache time\fR = 0 \fR
3320
Example: \fB\fIprintcap cache time\fR = 600 \fR
4488
This option specifies the number of seconds before the printing subsystem is again asked for the known printers. If the value is greater than 60 the initial waiting time is set to 60 seconds to allow an earlier first rescan of the printing subsystem.
4490
Setting this parameter to 0 (the default) disables any rescanning for new or removed printers after the initial startup.
4493
\fB\fIprintcap cache time\fR = 0 \fR
4496
\fB\fIprintcap cache time\fR = 600 \fR
3324
This parameter is a synonym for printcap name\&.
4499
This parameter is a synonym for printcap name.
3327
4501
printcap name (S)
3328
This parameter may be used to override the compiled\-in default printcap name used by the server (usually\fI /etc/printcap\fR)\&. See the discussion of the [printers] section above for reasons why you might want to do this\&.
3330
To use the CUPS printing interface set \fBprintcap name = cups \fR\&. This should be supplemented by an addtional setting printing = cups in the [global] section\&. \fBprintcap name = cups\fR will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file\&.
3332
On System V systems that use \fBlpstat\fR to list available printers you can use \fBprintcap name = lpstat \fR to automatically obtain lists of available printers\&. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems)\&. If \fI printcap name\fR is set to \fBlpstat\fR on these systems then Samba will launch \fBlpstat \-v\fR and attempt to parse the output to obtain a printer list\&.
3334
A minimal printcap file would look something like this:
4502
This parameter may be used to override the compiled-in default printcap name used by the server (usually
4503
\fI /etc/printcap\fR). See the discussion of the
4505
section above for reasons why you might want to do this.
4507
To use the CUPS printing interface set
4508
\fBprintcap name = cups \fR. This should be supplemented by an addtional setting
4509
printing = cups in the [global] section.
4510
\fBprintcap name = cups\fR
4511
will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file.
4513
On System V systems that use
4515
to list available printers you can use
4516
\fBprintcap name = lpstat \fR
4517
to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems). If
4518
\fI printcap name\fR
4521
on these systems then Samba will launch
4523
and attempt to parse the output to obtain a printer list.
4525
A minimal printcap file would look something like this:
3337
4530
print1|My Printer 1
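Review bot: The re-wrapped printcap name text at new line 4508 still carries the typo "addtional" ("This should be supplemented by an addtional setting"). The paragraph is being re-flowed in this change anyway, so correct it to "additional" here rather than copying it forward.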
3969
5420
/sbin/shutdown $3 $4 +$time $1 &
3971
Shutdown does not return so we need to launch it in background\&.
3973
Default: \fB\fIshutdown script\fR = \fR
3975
Example: \fB\fIshutdown script\fR = /usr/local/samba/sbin/shutdown %m %t %r %f \fR
5422
Shutdown does not return so we need to launch it in background.
5425
\fB\fIshutdown script\fR = \fR
5428
\fB\fIshutdown script\fR = /usr/local/samba/sbin/shutdown %m %t %r %f \fR
3978
5430
smb passwd file (G)
3979
This option sets the path to the encrypted smbpasswd file\&. By default the path to the smbpasswd file is compiled into Samba\&.
5431
This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.
5433
An example of use is:
3981
An example of use is:
3984
5438
smb passwd file = /etc/samba/smbpasswd
3988
Default: \fB\fIsmb passwd file\fR = ${prefix}/private/smbpasswd \fR
5443
\fB\fIsmb passwd file\fR = ${prefix}/private/smbpasswd \fR
3992
Specifies which ports the server should listen on for SMB traffic\&.
3994
Default: \fB\fIsmb ports\fR = 445 139 \fR
5446
Specifies which ports the server should listen on for SMB traffic.
5449
\fB\fIsmb ports\fR = 445 139 \fR
3997
5451
socket address (G)
3998
This option allows you to control what address Samba will listen for connections on\&. This is used to support multiple virtual interfaces on the one server, each with a different configuration\&.
4000
By default Samba will accept connections on any address\&.
4002
Default: \fB\fIsocket address\fR = \fR
4004
Example: \fB\fIsocket address\fR = 192\&.168\&.2\&.20 \fR
5452
This option allows you to control what address Samba will listen for connections on. This is used to support multiple virtual interfaces on the one server, each with a different configuration.
5454
By default Samba will accept connections on any address.
5457
\fB\fIsocket address\fR = \fR
5460
\fB\fIsocket address\fR = 192.168.2.20 \fR
4007
5462
socket options (G)
4008
This option allows you to set socket options to be used when talking with the client\&.
4010
Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned\&.
4012
This option will typically be used to tune your Samba server for optimal performance for your local network\&. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself\&. We strongly suggest you read the appropriate documentation for your operating system first (perhaps \fBman setsockopt\fR will help)\&.
4014
You may find that on some systems Samba will say "Unknown socket option" when you supply an option\&. This means you either incorrectly typed it or you need to add an include file to includes\&.h for your OS\&. If the latter is the case please send the patch to samba\-technical@samba\&.org\&.
4016
Any of the supported socket options may be combined in any way you like, as long as your OS allows it\&.
5463
This option allows you to set socket options to be used when talking with the client.
5465
Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned.
5467
This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself. We strongly suggest you read the appropriate documentation for your operating system first (perhaps
5468
\fBman setsockopt\fR
5471
You may find that on some systems Samba will say "Unknown socket option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. If the latter is the case please send the patch to
5472
samba-technical@samba.org.
5474
Any of the supported socket options may be combined in any way you like, as long as your OS allows it.
4018
5476
This is the list of socket options currently settable using this option:
4039
5495
IPTOS_THROUGHPUT
4055
Those marked with a \fB'*'\fR take an integer argument\&. The others can optionally take a 1 or 0 argument to enable or disable the option, by default they will be enabled if you don't specify 1 or 0\&.
4057
To specify an argument use the syntax SOME_OPTION = VALUE for example \fBSO_SNDBUF = 8192\fR\&. Note that you must not have any spaces before or after the = sign\&.
5512
take an integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option, by default they will be enabled if you don't specify 1 or 0.
5514
To specify an argument use the syntax SOME_OPTION = VALUE for example
5515
\fBSO_SNDBUF = 8192\fR. Note that you must not have any spaces before or after the = sign.
4059
5517
If you are on a local network then a sensible option might be:
4061
5519
\fBsocket options = IPTOS_LOWDELAY\fR
4063
5521
If you have a local network then you could try:
4065
5523
\fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR
4067
If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT\&.
4069
Note that several of the options may cause your Samba server to fail completely\&. Use these options with caution!
4071
Default: \fB\fIsocket options\fR = TCP_NODELAY \fR
4073
Example: \fB\fIsocket options\fR = IPTOS_LOWDELAY \fR
5525
If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT.
5527
Note that several of the options may cause your Samba server to fail completely. Use these options with caution!
5530
\fB\fIsocket options\fR = TCP_NODELAY \fR
5533
\fB\fIsocket options\fR = IPTOS_LOWDELAY \fR
4077
This parameter determines if \fBsmbd\fR(8) will use a cache in order to speed up case insensitive name mappings\&. You should never need to change this parameter\&.
4079
Default: \fB\fIstat cache\fR = yes \fR
5536
This parameter determines if
5538
will use a cache in order to speed up case insensitive name mappings. You should never need to change this parameter.
5541
\fB\fIstat cache\fR = yes \fR
4082
5543
store dos attributes (S)
4083
If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or READ\-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such as occurs with map hidden and map readonly)\&. When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory\&. For no other mapping to occur as a fall\-back, the parameters map hidden,map system, map archive and map readonly must be set to off\&. This parameter writes the DOS attributes as a string into the extended attribute named "user\&.DOSATTRIB"\&. This extended attribute is explicitly hidden from smbd clients requesting an EA list\&. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel\&.
4085
Default: \fB\fIstore dos attributes\fR = yes \fR
5544
If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such as occurs with
5546
map readonly). When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory. For no other mapping to occur as a fall-back, the parameters
5550
map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel.
5553
\fB\fIstore dos attributes\fR = yes \fR
4088
5555
strict allocate (S)
4089
This is a boolean that controls the handling of disk space allocation in the server\&. When this is set to \fByes\fR the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size\&. In UNIX terminology this means that Samba will stop creating sparse files\&. This can be slow on some systems\&.
4091
When strict allocate is \fBno\fR the server does sparse disk block allocation when a file is extended\&.
4093
Setting this to \fByes\fR can help Samba return out of quota messages on systems that are restricting the disk quota of users\&.
4095
Default: \fB\fIstrict allocate\fR = no \fR
5556
This is a boolean that controls the handling of disk space allocation in the server. When this is set to
5558
the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size. In UNIX terminology this means that Samba will stop creating sparse files. This can be slow on some systems.
5560
When strict allocate is
5562
the server does sparse disk block allocation when a file is extended.
5566
can help Samba return out of quota messages on systems that are restricting the disk quota of users.
5569
\fB\fIstrict allocate\fR = no \fR
4098
5571
strict locking (S)
4099
This is a boolean that controls the handling of file locking in the server\&. When this is set to \fByes\fR, the server will check every read and write access for file locks, and deny access if locks exist\&. This can be slow on some systems\&.
4101
When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them\&.
4103
Well\-behaved clients always ask for lock checks when it is important\&. So in the vast majority of cases,\fBstrict locking = no\fR is acceptable\&.
4105
Default: \fB\fIstrict locking\fR = yes \fR
5572
This is an enumerated type that controls the handling of file locking in the server. When this is set to
5573
\fByes\fR, the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems.
5575
When strict locking is set to Auto (the default), the server performs file lock checks only on non-oplocked files. As most Windows redirectors perform file locking checks locally on oplocked files this is a good trade off for inproved performance.
5577
When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them.
5579
Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases,
5580
\fBstrict locking = Auto\fR
5582
\fBstrict locking = no\fR
5586
\fB\fIstrict locking\fR = Auto \fR
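Review bot: The opening sentence at new line 5572 now says "enumerated type" but never names the accepted values. List yes, no and Auto there, so a reader can tell the three behaviours apart before reaching the per-value paragraphs. The default also moves from yes to Auto (new line 5586), and Auto checks locks only on non-oplocked files, so a server that relied on the old default behaves differently after upgrade without any configuration change; a sentence stating that would help. New line 5575 has the typo "inproved" (should be "improved"), and "Auto" is capitalised where yes and no are lowercase.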
4108
5588
strict sync (S)
4109
Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk\&. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstanding data in kernel disk buffers has been safely stored onto stable storage\&. This is very slow and should only be done rarely\&. Setting this parameter to \fBno\fR (the default) means that \fBsmbd\fR(8) ignores the Windows applications requests for a sync call\&. There is only a possibility of losing data if the operating system itself that Samba is running on crashes, so there is little danger in this default setting\&. In addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies\&.
4111
Default: \fB\fIstrict sync\fR = no \fR
5589
Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstanding data in kernel disk buffers has been safely stored onto stable storage. This is very slow and should only be done rarely. Setting this parameter to
5591
(the default) means that
5593
ignores the Windows applications requests for a sync call. There is only a possibility of losing data if the operating system itself that Samba is running on crashes, so there is little danger in this default setting. In addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies.
5596
\fB\fIstrict sync\fR = no \fR
4114
5598
svcctl list (G)
4115
This option defines a list of init scripts that smbd will use for starting and stopping Unix services via the Win32 ServiceControl API\&. This allows Windows administrators to utilize the MS Management Console plug\-ins to manage a Unix server running Samba\&.
4117
The administrator must create a directory name \fIsvcctl\fR in Samba's $(libdir) and create symbolic links to the init scripts in \fI/etc/init\&.d/\fR\&. The name of the links must match the names given as part of the \fIsvcctl list\fR\&.
4119
Default: \fB\fIsvcctl list\fR = \fR
4121
Example: \fB\fIsvcctl list\fR = cups postfix portmap httpd \fR
5599
This option defines a list of init scripts that smbd will use for starting and stopping Unix services via the Win32 ServiceControl API. This allows Windows administrators to utilize the MS Management Console plug-ins to manage a Unix server running Samba.
5601
The administrator must create a directory name
5603
in Samba's $(libdir) and create symbolic links to the init scripts in
5604
\fI/etc/init.d/\fR. The name of the links must match the names given as part of the
5608
\fB\fIsvcctl list\fR = \fR
5611
\fB\fIsvcctl list\fR = cups postfix portmap httpd \fR
4124
5613
sync always (S)
4125
This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns\&. If this is \fBno\fR then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous)\&. If this is \fByes\fR then every write will be followed by a \fBfsync() \fR call to ensure the data is written to disk\&. Note that the \fIstrict sync\fR parameter must be set to \fByes\fR in order for this parameter to have any affect\&.
4127
Default: \fB\fIsync always\fR = no \fR
5614
This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns. If this is
5616
then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). If this is
5618
then every write will be followed by a
5620
call to ensure the data is written to disk. Note that the
5622
parameter must be set to
5624
in order for this parameter to have any affect.
5627
\fB\fIsync always\fR = no \fR
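Review bot: The last sentence of the description (new line 5624) still reads "to have any affect"; it should be "effect". The dependency it describes also deserves to be stated more directly. This same page gives strict sync = no as the default, so with default settings sync always = yes does nothing. Suggest saying that outright, so an administrator who sets sync always for durability does not assume fsync() is being called.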
4131
This parameter maps how Samba debug messages are logged onto the system syslog logging levels\&. Samba debug level zero maps onto syslog \fBLOG_ERR\fR, debug level one maps onto \fBLOG_WARNING\fR, debug level two maps onto \fBLOG_NOTICE\fR, debug level three maps onto LOG_INFO\&. All higher levels are mapped to \fBLOG_DEBUG\fR\&.
4133
This parameter sets the threshold for sending messages to syslog\&. Only messages with debug level less than this value will be sent to syslog\&.
4135
Default: \fB\fIsyslog\fR = 1 \fR
5630
This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog
5631
\fBLOG_ERR\fR, debug level one maps onto
5632
\fBLOG_WARNING\fR, debug level two maps onto
5633
\fBLOG_NOTICE\fR, debug level three maps onto LOG_INFO. All higher levels are mapped to
5636
This parameter sets the threshold for sending messages to syslog. Only messages with debug level less than this value will be sent to syslog.
5639
\fB\fIsyslog\fR = 1 \fR
4138
5641
syslog only (G)
4139
If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&.
4141
Default: \fB\fIsyslog only\fR = no \fR
5642
If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files.
5645
\fB\fIsyslog only\fR = no \fR
4144
5647
template homedir (G)
4145
When filling out the user information for a Windows NT user, the \fBwinbindd\fR(8) daemon uses this parameter to fill in the home directory for that user\&. If the string \fI%D\fR is present it is substituted with the user's Windows NT domain name\&. If the string \fI%U\fR is present it is substituted with the user's Windows NT user name\&.
4147
Default: \fB\fItemplate homedir\fR = /home/%D/%U \fR
5648
When filling out the user information for a Windows NT user, the
5650
daemon uses this parameter to fill in the home directory for that user. If the string
5652
is present it is substituted with the user's Windows NT domain name. If the string
5654
is present it is substituted with the user's Windows NT user name.
5657
\fB\fItemplate homedir\fR = /home/%D/%U \fR
4150
5659
template shell (G)
4151
When filling out the user information for a Windows NT user, the \fBwinbindd\fR(8) daemon uses this parameter to fill in the login shell for that user\&.
5660
When filling out the user information for a Windows NT user, the
5662
daemon uses this parameter to fill in the login shell for that user.
4153
5664
\fBNo default\fR
4156
5666
time offset (G)
4157
This parameter is a setting in minutes to add to the normal GMT to local time conversion\&. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling\&.
4159
Default: \fB\fItime offset\fR = 0 \fR
4161
Example: \fB\fItime offset\fR = 60 \fR
5667
This parameter is a setting in minutes to add to the normal GMT to local time conversion. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling.
5670
\fB\fItime offset\fR = 0 \fR
5673
\fB\fItime offset\fR = 60 \fR
4164
5675
time server (G)
4165
This parameter determines if \fBnmbd\fR(8) advertises itself as a time server to Windows clients\&.
4167
Default: \fB\fItime server\fR = no \fR
5676
This parameter determines if
5678
advertises itself as a time server to Windows clients.
5681
\fB\fItime server\fR = no \fR
4170
5683
unix charset (G)
4171
Specifies the charset the unix machine Samba runs on uses\&. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use\&.
4173
This is also the charset Samba will use when specifying arguments to scripts that it invokes\&.
4175
Default: \fB\fIunix charset\fR = UTF8 \fR
4177
Example: \fB\fIunix charset\fR = ASCII \fR
5684
Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.
5686
This is also the charset Samba will use when specifying arguments to scripts that it invokes.
5689
\fB\fIunix charset\fR = UTF8 \fR
5692
\fB\fIunix charset\fR = ASCII \fR
4180
5694
unix extensions (G)
4181
This boolean parameter controls whether Samba implments the CIFS UNIX extensions, as defined by HP\&. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc\&.\&.\&. These extensions require a similarly enabled client, and are of no current use to Windows clients\&.
4183
Default: \fB\fIunix extensions\fR = yes \fR
5695
This boolean parameter controls whether Samba implments the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.
5698
\fB\fIunix extensions\fR = yes \fR
4186
5700
unix password sync (G)
4187
This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed\&. If this is set to \fByes\fR the program specified in the \fIpasswd program\fRparameter is called \fBAS ROOT\fR \- to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new)\&.
4189
Default: \fB\fIunix password sync\fR = no \fR
5701
This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to
5703
the program specified in the
5704
\fIpasswd program\fRparameter is called
5706
- to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).
5709
\fB\fIunix password sync\fR = no \fR
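Review bot: New line 5704 keeps the missing space in "\fIpasswd program\fRparameter", which renders as "passwd programparameter"; add a space after the closing \fR. The old text stresses that the program is called AS ROOT, so please check that the emphasis survives the re-wrap and still sits directly before the "- to allow the new UNIX password to be set" clause on new line 5706.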
4192
5711
update encrypted (G)
4193
This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file to be updated automatically as they log on\&. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB challenge/response authentication mechanism) without forcing all users to re\-enter their passwords via smbpasswd at the time the change is made\&. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period\&. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to \fBno\fR\&.
4195
In order for this parameter to be operative the encrypt passwords parameter must be set to \fBno\fR\&. The default value of encrypt passwords = Yes\&. Note: This must be set to \fBno\fR for this update encrypted to work\&.
4197
Note that even when this parameter is set a user authenticating to \fBsmbd\fR must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) passwords\&.
4199
Default: \fB\fIupdate encrypted\fR = no \fR
5712
This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file to be updated automatically as they log on. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB challenge/response authentication mechanism) without forcing all users to re-enter their passwords via smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to
5715
In order for this parameter to be operative the
5716
encrypt passwords parameter must be set to
5717
\fBno\fR. The default value of
5718
encrypt passwords = Yes. Note: This must be set to
5721
update encrypted to work.
5723
Note that even when this parameter is set a user authenticating to
5725
must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) passwords.
5728
\fB\fIupdate encrypted\fR = no \fR
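Review bot: The long first paragraph (new line 5712) still has "UNIX account atabase", which should be "database". The second paragraph (new lines 5715 to 5721) states the same requirement twice: encrypt passwords must be set to no, followed by "Note: This must be set to no for this update encrypted to work". Collapse these into one sentence that names the parameter and its default of Yes. The option only makes sense while plaintext passwords are being sent over the wire, so the closing advice to set it back to no once migration is complete should stay prominent.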
4202
5730
use client driver (S)
4203
This parameter applies only to Windows NT/2000 clients\&. It has no effect on Windows 95/98/ME clients\&. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver\&. From this point on, the client will treat the print as a local printer and not a network printer connection\&. This is much the same behavior that will occur when \fBdisable spoolss = yes\fR\&.
4205
The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS\-RPC\&. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user\&. If the user possesses local administator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail\&. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed)\&.
4207
If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead\&. Thus allowing the OpenPrinterEx() call to succeed\&. \fBThis parameter MUST not be able enabled on a print share which has valid print driver installed on the Samba server\&.\fR
4209
Default: \fB\fIuse client driver\fR = no \fR
5731
This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver. From this point on, the client will treat the print as a local printer and not a network printer connection. This is much the same behavior that will occur when
5732
\fBdisable spoolss = yes\fR.
5734
The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS-RPC. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user. If the user possesses local administator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed).
5736
If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() call to succeed.
5737
\fBThis parameter MUST not be able enabled on a print share which has valid print driver installed on the Samba server.\fR
5740
\fB\fIuse client driver\fR = no \fR
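Review bot: The bold warning at new line 5737 still reads "This parameter MUST not be able enabled on a print share which has valid print driver installed"; it should read "MUST NOT be enabled on a print share which has a valid print driver installed". The paragraph explains that PRINTER_ACCESS_ADMINISTER requests are mapped to PRINTER_ACCESS_USE, and this sentence is the one constraint administrators need to get right, so it is worth fixing in this pass. New line 5734 also keeps the typo "administator", and "Thus allowing the OpenPrinterEx() call to succeed." at 5736 is a sentence fragment that should be joined to the sentence before it.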
4212
5742
use kerberos keytab (G)
4213
Specifies whether Samba should attempt to maintain service principals in the systems keytab file for \fBhost/FQDN\fR and \fBcifs/FQDN\fR\&.
5743
Specifies whether Samba should attempt to maintain service principals in the systems keytab file for
5748
When you are using the heimdal Kerberos libraries, you must also specify the following in
5749
\fI/etc/krb5.conf\fR:
4215
When you are using the heimdal Kerberos libraries, you must also specify the following in\fI/etc/krb5\&.conf\fR:
4219
default_keytab_name = FILE:/etc/krb5\&.keytab
5755
default_keytab_name = FILE:/etc/krb5.keytab
4223
Default: \fB\fIuse kerberos keytab\fR = False \fR
5760
\fB\fIuse kerberos keytab\fR = False \fR
4227
This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system\&. Samba requires a coherent mmap/read\-write system memory cache\&. Currently only HPUX does not have such a coherent cache, and so this parameter is set to \fBno\fR by default on HPUX\&. On all other systems this parameter should be left alone\&. This parameter is provided to help the Samba developers track down problems with the tdb internal code\&.
4229
Default: \fB\fIuse mmap\fR = yes \fR
5763
This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to
5765
by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code.
5768
\fB\fIuse mmap\fR = yes \fR
4233
This parameter is a synonym for username\&.
5771
This parameter is a synonym for username.
4237
This parameter is a synonym for username\&.
5774
This parameter is a synonym for username.
4241
Multiple users may be specified in a comma\-delimited list, in which case the supplied password will be tested against each username in turn (left to right)\&.
4243
The \fIusername\fR line is needed only when the PC is unable to supply its own username\&. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames\&. In both these cases you may also be better using the \\\\server\\share%user syntax instead\&.
4245
The \fIusername\fR line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the \fIusername\fR line in turn\&. This is slow and a bad idea for lots of users in case of duplicate passwords\&. You may get timeouts or security breaches using this parameter unwisely\&.
4247
Samba relies on the underlying UNIX security\&. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password\&. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session\&. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do\&.
4249
To restrict a service to a particular set of users you can use the valid users parameter\&.
4251
If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name\&.
4253
If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name\&.
4255
If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name\&.
4257
Note that searching though a groups database can take quite some time, and some clients may time out during the search\&.
4259
See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services\&.
4261
Default: \fB\fIusername\fR = # The guest account if a guest service, else <empty string>\&. \fR
4263
Example: \fB\fIusername\fR = fred, mary, jack, jane, @users, @pcgroup \fR
5777
Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).
5781
line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better using the \\server\share%user syntax instead.
5785
line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the
5787
line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.
5789
Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.
5791
To restrict a service to a particular set of users you can use the
5792
valid users parameter.
5794
If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name.
5796
If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name.
5798
If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name.
5800
Note that searching though a groups database can take quite some time, and some clients may time out during the search.
5803
NOTE ABOUT USERNAME/PASSWORD VALIDATION
5804
for more information on how this parameter determines access to the services.
5807
\fB\fIusername\fR = # The guest account if a guest service, else <empty string>. \fR
5810
\fB\fIusername\fR = fred, mary, jack, jane, @users, @pcgroup \fR
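Review bot: the warning in the paragraph at 5785-5787 ("You may get timeouts or security breaches using this parameter unwisely") never says what the breach is. Since the supplied password is tested against each listed name left to right, suggest stating outright that a password shared by two listed accounts lets the connection validate as whichever name is tried first, and moving the pointer to valid users up into that paragraph. Also, "searching though a groups database" at 5800 is carried over from 4257 and should read "through".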
4266
5812
username level (G)
4267
This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all\-uppercase username\&. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine\&.
4269
If this parameter is set to non\-zero the behavior changes\&. This parameter is a number that specifies the number of uppercase combinations to try while trying to determine the UNIX user name\&. The higher the number the more combinations will be tried, but the slower the discovery of usernames will be\&. Use this parameter when you have strange usernames on your UNIX machine, such as \fBAstrangeUser \fR\&.
4271
This parameter is needed only on UNIX systems that have case sensitive usernames\&.
4273
Default: \fB\fIusername level\fR = 0 \fR
4275
Example: \fB\fIusername level\fR = 5 \fR
5813
This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine.
5815
If this parameter is set to non-zero the behavior changes. This parameter is a number that specifies the number of uppercase combinations to try while trying to determine the UNIX user name. The higher the number the more combinations will be tried, but the slower the discovery of usernames will be. Use this parameter when you have strange usernames on your UNIX machine, such as
5816
\fBAstrangeUser \fR.
5818
This parameter is needed only on UNIX systems that have case sensitive usernames.
5821
\fB\fIusername level\fR = 0 \fR
5824
\fB\fIusername level\fR = 5 \fR
4278
5826
username map (G)
4279
This option allows you to specify a file containing a mapping of usernames from the clients to the server\&. This can be used for several purposes\&. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&.
4281
Please note that for user or share mode security, the username map is applied prior to validating the user credentials\&. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified enties in the map table (e\&.g\&. biddle = DOMAIN\\foo)\&.
4283
The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a '=' followed by a list of usernames on the right\&. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group\&. The special client name '*' is a wildcard and matches any name\&. Each line of the map file may be up to 1023 characters long\&.
4285
The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' signs\&. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left\&. Processing then continues with the next line\&.
4287
If any line begins with a '#' or a ';' then it is ignored\&.
4289
If any line begins with an '!' then the processing will stop after that line if a mapping was done by the line\&. Otherwise mapping continues with every line being processed\&. Using '!' is most useful when you have a wildcard mapping line later in the file\&.
4291
For example to map from the name \fBadmin\fR or \fBadministrator\fR to the UNIX name \fB root\fR you would use:
5827
This option allows you to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they can more easily share files.
5829
Please note that for user or share mode security, the username map is applied prior to validating the user credentials. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g. biddle = DOMAIN\foo).
5831
The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' followed by a list of usernames on the right. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group. The special client name '*' is a wildcard and matches any name. Each line of the map file may be up to 1023 characters long.
5833
The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left. Processing then continues with the next line.
5835
If any line begins with a '#' or a ';' then it is ignored.
5837
If any line begins with an '!' then the processing will stop after that line if a mapping was done by the line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a wildcard mapping line later in the file.
5839
For example to map from the name
4294
5850
\fBroot = admin administrator\fR
4296
Or to map anyone in the UNIX group \fBsystem\fR to the UNIX name \fBsys\fR you would use:
5852
Or to map anyone in the UNIX group
4299
5861
\fBsys = @system\fR
4303
You can have as many mappings as you like in a username map file\&.
4305
If your system supports the NIS NETGROUP option then the netgroup database is checked before the \fI/etc/group \fR database for matching groups\&.
4307
You can map Windows usernames that have spaces in them by using double quotes around the name\&. For example:
5865
You can have as many mappings as you like in a username map file.
5867
If your system supports the NIS NETGROUP option then the netgroup database is checked before the
5869
database for matching groups.
5871
You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
4310
5876
\fBtridge = "Andrew Tridgell"\fR
4312
would map the windows username "Andrew Tridgell" to the unix username "tridge"\&.
5878
would map the windows username "Andrew Tridgell" to the unix username "tridge".
5880
The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line:
4314
The following example would map mary and fred to the unix user sys, and map the rest to guest\&. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line:
4317
5885
!sys = mary fred
4322
Note that the remapping is applied to all occurrences of usernames\&. Thus if you connect to \\\\server\\fred and\fBfred\fR is remapped to \fBmary\fR then you will actually be connecting to \\\\server\\mary and will need to supply a password suitable for \fBmary\fR not\fBfred\fR\&. The only exception to this is the username passed to the password server (if you have one)\&. The password server will receive whatever username the client supplies without modification\&.
4324
Also note that no reverse mapping is done\&. The main effect this has is with printing\&. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print job\&.
4326
Samba versions prior to 3\&.0\&.8 would only support reading the fully qualified username (e\&.g\&.: DOMAIN\\user) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
4328
The following functionality is obeyed in version 3\&.0\&.8 and later:
4330
When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection\&.
4332
When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i\&.e\&. DOMAIN\\user) only after the user has been successfully authenticated\&.
4334
An example of use is:
5890
Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and
5894
then you will actually be connecting to \\server\mary and will need to supply a password suitable for
5897
\fBfred\fR. The only exception to this is the username passed to the
5898
password server (if you have one). The password server will receive whatever username the client supplies without modification.
5900
Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print job.
5902
Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from the username map when performing a kerberos login from a client. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent behavior sometimes even on the same server.
5904
The following functionality is obeyed in version 3.0.8 and later:
5906
When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection.
5908
When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated.
5910
An example of use is:
4337
username map = /usr/local/samba/lib/users\&.map
5915
username map = /usr/local/samba/lib/users.map
4341
Default: \fB\fIusername map\fR = # no username map \fR
5920
\fB\fIusername map\fR = # no username map \fR
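Review bot: two typos are carried over unchanged from the old text and are worth fixing while these lines are being touched: "enties" at 5829 should be "entries", and "a external domain controller" at 5908 should be "an external". On substance, the first worked example maps admin and administrator to root, and 5829 says the map is applied before credentials are validated under user or share security; consider adding a sentence next to that example, as 5890-5897 does for fred and mary, that the password supplied then has to be the mapped account's.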
4344
5922
username map script (G)
4345
This script is a mutually exclusive alternative to theusername map parameter\&. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which the account should mapped)\&. In this way, it is possible to store username map tables in an LDAP or NIS directory services\&.
4347
Default: \fB\fIusername map script\fR = \fR
4349
Example: \fB\fIusername map script\fR = /etc/samba/scripts/mapusers\&.sh \fR
5923
This script is a mutually exclusive alternative to the
5924
username map parameter. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which the account should mapped). In this way, it is possible to store username map tables in an LDAP or NIS directory services.
5927
\fB\fIusername map script\fR = \fR
5930
\fB\fIusername map script\fR = /etc/samba/scripts/mapusers.sh \fR
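Review bot: the sentence at 5924 has three errors carried over from 4345: "specifies and external program" (an), "return a line line" (a single line), and "should mapped" (should be mapped). The text also says the script's one argument is "the username transmitted in the authentication request", which is client-supplied; suggest saying so explicitly so that script authors quote and validate it before it reaches a shell, an LDAP filter or a NIS lookup.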
5932
usershare allow guests (G)
5933
This parameter controls whether user defined shares are allowed to be accessed by non-authenticated users or not. It is the equivalent of allowing people who can create a share the option of setting
5934
\fIguest ok = yes\fR
5935
in a share definition. Due to the security sensitive nature of this the default is set to off.
5938
\fB\fIusershare allow guests\fR = no \fR
5940
usershare max shares (G)
5941
This parameter specifies the number of user defined shares that are allowed to be created by users belonging to the group owning the usershare directory. If set to zero (the default) user defined shares are ignored.
5944
\fB\fIusershare max shares\fR = 0 \fR
5946
usershare owner only (G)
5947
This parameter controls whether the pathname exported by a user defined shares must be owned by the user creating the user defined share or not. If set to True (the default) then smbd checks that the directory path being shared is owned by the user who owns the usershare file defining this share and refuses to create the share if not. If set to False then no such check is performed and any directory path may be exported regardless of who owns it.
5950
\fB\fIusershare owner only\fR = True \fR
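Review bot: the default at 5950 is written "True" while the other boolean defaults in this block use yes/no (for example "usershare allow guests = no" at 5938); pick one spelling. In 5947, "exported by a user defined shares" should be "exported by a user defined share". Since setting this to False means "any directory path may be exported regardless of who owns it", the entry should also point readers to the usershare prefix allow and deny lists as the remaining restriction.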
5953
This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files. This directory must be owned by root, and have no access for other, and be writable only by the group owner. In addition the "sticky" bit must also be set, restricting rename and delete to owners of a file (in the same way the /tmp directory is usually configured). Members of the group owner of this directory are the users allowed to create usershares. If this parameter is undefined then no user defined shares are allowed.
5955
For example, a valid usershare directory might be /usr/local/samba/lib/usershares, set up as follows.
5962
ls -ld /usr/local/samba/lib/usershares/
5963
drwxrwx--T 2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/
5967
In this case, only members of the group "power_users" can create user defined shares.
5970
\fB\fIusershare path\fR = NULL \fR
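Review bot: the permission requirements at 5953 are given only in words ("owned by root, and have no access for other, and be writable only by the group owner", plus the sticky bit), and the reader has to decode "drwxrwx--T" at 5963 to get the mode. Suggest giving the octal mode, 1770, with the owner and group next to the ls output, and stating what smbd does when the directory does not meet these requirements. The default "NULL" at 5970 would also read better as an empty value with a comment, matching "username map = # no username map".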
5972
usershare prefix allow list (G)
5973
This parameter specifies a list of absolute pathnames the root of which are allowed to be exported by user defined share definitions. If the pathname exported doesn't start with one of the strings in this list the user defined share will not be allowed. This allows the Samba administrator to restrict the directories on the system that can be exported by user defined shares.
5975
If there is a "usershare prefix deny list" and also a "usershare prefix allow list" the deny list is processed first, followed by the allow list, thus leading to the most restrictive interpretation.
5978
\fB\fIusershare prefix allow list\fR = NULL \fR
5981
\fB\fIusershare prefix allow list\fR = /home /data /space \fR
5983
usershare prefix deny list (G)
5984
This parameter specifies a list of absolute pathnames the root of which are NOT allowed to be exported by user defined share definitions. If the pathname exported starts with one of the strings in this list the user defined share will not be allowed. Any pathname not starting with one of these strings will be allowed to be exported as a usershare. This allows the Samba administrator to restrict the directories on the system that can be exported by user defined shares.
5986
If there is a "usershare prefix deny list" and also a "usershare prefix allow list" the deny list is processed first, followed by the allow list, thus leading to the most restrictive interpretation.
5989
\fB\fIusershare prefix deny list\fR = NULL \fR
5992
\fB\fIusershare prefix deny list\fR = /etc /dev /private \fR
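Review bot: both prefix list entries test whether the path "starts with one of the strings in this list", which reads as a raw string comparison; please state whether matching is per path component, because with the example "/home /data /space" at 5981 a plain string prefix would also accept a path such as /homes-old. The sentence repeated at 5975 and 5986 ("the deny list is processed first, followed by the allow list") would be clearer as: when both are set, a path is refused if it matches the deny list, and otherwise accepted only if it matches the allow list.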
5994
usershare template share (G)
5995
User defined shares only have limited possible parameters such as path, guest ok etc. This parameter allows usershares to "cloned" from an existing share. If "usershare template share" is set to the name of an existing share, then all usershares created have their defaults set from the parameters set on this share.
5997
The target share may be set to be invalid for real file sharing by setting the parameter "-valid = False" on the template share definition. This causes it not to be seen as a real exported share but to be able to be used as a template for usershares.
6000
\fB\fIusershare template share\fR = NULL \fR
6003
\fB\fIusershare template share\fR = template_share \fR
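Review bot: 5995 is missing a word: "allows usershares to "cloned"" should read "to be cloned". The paragraph at 5997 tells administrators to set "-valid = False" on the template share, while the -valid entry at 6048 says the option "should not be used by regular users"; one of the two should mention this supported use so the entries do not contradict each other.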
4352
6005
use sendfile (S)
4353
If this parameter is \fByes\fR, and the \fBsendfile()\fR system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked\&. This may make more efficient use of the system CPU's and cause Samba to be faster\&. Samba automatically turns this off for clients that use protocol levels lower than NT LM 0\&.12 and when it detects a client is Windows 9x (using sendfile from Linux will cause these clients to fail)\&.
4355
Default: \fB\fIuse sendfile\fR = false \fR
6006
If this parameter is
6009
system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPU's and cause Samba to be faster. Samba automatically turns this off for clients that use protocol levels lower than NT LM 0.12 and when it detects a client is Windows 9x (using sendfile from Linux will cause these clients to fail).
6012
\fB\fIuse sendfile\fR = false \fR
4359
This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism\&.
4361
Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled\&.
4363
Default: \fB\fIuse spnego\fR = yes \fR
6015
This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
6017
Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled.
6020
\fB\fIuse spnego\fR = yes \fR
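Review bot: "This variable controls controls whether" at 6015 repeats a word, carried over from 4359. While this line is being touched, "rfc2478" is conventionally written "RFC 2478".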
4367
This boolean parameter is only available if Samba has been configured and compiled with the option \fB\-\-with\-utmp\fR\&. If set to\fByes\fR then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
4369
Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
4371
Default: \fB\fIutmp\fR = no \fR
6023
This boolean parameter is only available if Samba has been configured and compiled with the option
6024
\fB--with-utmp\fR. If set to
6026
then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the user connecting to a Samba share.
6028
Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.
6031
\fB\fIutmp\fR = no \fR
4374
6033
utmp directory (G)
4375
This parameter is only available if Samba has been configured and compiled with the option \fB \-\-with\-utmp\fR\&. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server\&. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually\fI/var/run/utmp\fR on Linux)\&.
4377
Default: \fB\fIutmp directory\fR = # Determined automatically \fR
4379
Example: \fB\fIutmp directory\fR = /var/run/utmp \fR
4383
This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&.
4385
This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
4387
Default: \fB\fI\-valid\fR = yes \fR
6034
This parameter is only available if Samba has been configured and compiled with the option
6035
\fB --with-utmp\fR. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
6040
\fB\fIutmp directory\fR = # Determined automatically \fR
6043
\fB\fIutmp directory\fR = /var/run/utmp \fR
6046
This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible.
6048
This option should not be used by regular users but might be of help to developers. Samba uses this option internally to mark shares as deleted.
6051
\fB\fI-valid\fR = yes \fR
4390
6053
valid users (S)
4391
This is a list of users that should be allowed to login to this service\&. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the \fIinvalid users\fR parameter\&.
4393
If this is empty (the default) then any user can login\&. If a username is in both this list and the \fIinvalid users\fR list then access is denied for that user\&.
4395
The current servicename is substituted for \fI%S\fR\&. This is useful in the [homes] section\&.
4397
Default: \fB\fIvalid users\fR = # No valid users list (anyone can login) \fR
4399
Example: \fB\fIvalid users\fR = greg, @pcusers \fR
6054
This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the
6058
If this is empty (the default) then any user can login. If a username is in both this list and the
6060
list then access is denied for that user.
6062
The current servicename is substituted for
6063
\fI%S\fR. This is useful in the [homes] section.
6066
\fB\fIvalid users\fR = # No valid users list (anyone can login) \fR
6069
\fB\fIvalid users\fR = greg, @pcusers \fR
4403
This is a list of files and directories that are neither visible nor accessible\&. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry\&. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards\&.
4405
Each entry must be a unix path, not a DOS path and must \fBnot\fR include the unix directory separator '/'\&.
4407
Note that the case sensitive option is applicable in vetoing files\&.
4409
One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when trying to delete a directory\&. If a directory that is to be deleted contains nothing but veto files this deletion will \fBfail\fR unless you also set the delete veto files parameter to \fIyes\fR\&.
4411
Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned\&.
4413
Examples of use include:
6072
This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.
6074
Each entry must be a unix path, not a DOS path and must
6076
include the unix directory separator '/'.
6079
case sensitive option is applicable in vetoing files.
6081
One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this deletion will
6083
unless you also set the
6084
delete veto files parameter to
6087
Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.
6089
Examples of use include:
4416
6094
; Veto any files containing the word Security,
4417
; any ending in \&.tmp, and any directory containing the
4419
veto files = /*Security*/*\&.tmp/*root*/
6095
; any ending in .tmp, and any directory containing the
6097
veto files = /*Security*/*.tmp/*root*/
4421
6099
; Veto the Apple specific files that a NetAtalk server
4423
veto files = /\&.AppleDouble/\&.bin/\&.AppleDesktop/Network Trash Folder/
6101
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
4427
Default: \fB\fIveto files\fR = No files or directories are vetoed\&. \fR
6106
\fB\fIveto files\fR = No files or directories are vetoed. \fR
4430
6108
veto oplock files (S)
4431
This parameter is only valid when the oplocks parameter is turned on for a share\&. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in theveto files parameter\&.
4433
You might want to do this on files that you know will be heavily contended for by clients\&. A good example of this is in the NetBench SMB benchmark program, which causes heavy client contention for files ending in\fI\&.SEM\fR\&. To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for the particular NetBench share\&.
4435
An example of use is:
6109
This parameter is only valid when the
6110
oplocks parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in the
6111
veto files parameter.
6113
You might want to do this on files that you know will be heavily contended for by clients. A good example of this is in the NetBench SMB benchmark program, which causes heavy client contention for files ending in
6114
\fI.SEM\fR. To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for the particular NetBench share.
6116
An example of use is:
4438
veto oplock files = /\&.*SEM/
6121
veto oplock files = /.*SEM/
4442
Default: \fB\fIveto oplock files\fR = # No files are vetoed for oplock grants \fR
6126
\fB\fIveto oplock files\fR = # No files are vetoed for oplock grants \fR
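Review bot: the example at 6121, "/.*SEM/", looks like a regular expression, but the veto files entry this text refers to says '*' and '?' work "as in DOS wildcards", under which the pattern matches names that begin with a dot rather than "files ending in .SEM". Please confirm whether "/*.SEM/" is what is meant. The parenthesis opened at "(either in the [global] section" in 6114 is also never closed.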
4446
This parameter is a synonym for vfs objects\&.
6129
This parameter is a synonym for vfs objects.
4449
6131
vfs objects (S)
4450
This parameter specifies the backend names which are used for Samba VFS I/O operations\&. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects\&.
4452
Default: \fB\fIvfs objects\fR = \fR
4454
Example: \fB\fIvfs objects\fR = extd_audit recycle \fR
6132
This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects.
6135
\fB\fIvfs objects\fR = \fR
6138
\fB\fIvfs objects\fR = extd_audit recycle \fR
4458
This allows you to override the volume label returned for a share\&. Useful for CDROMs with installation programs that insist on a particular volume label\&.
4460
Default: \fB\fIvolume\fR = # the name of the share \fR
6141
This allows you to override the volume label returned for a share. Useful for CDROMs with installation programs that insist on a particular volume label.
6144
\fB\fIvolume\fR = # the name of the share \fR
4464
This parameter controls whether or not links in the UNIX file system may be followed by the server\&. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only to areas that are outside the directory tree being exported\&.
4466
Note that setting this parameter can have a negative effect on your server performance due to the extra system calls that Samba has to do in order to perform the link checks\&.
4468
Default: \fB\fIwide links\fR = yes \fR
6147
This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only to areas that are outside the directory tree being exported.
6149
Note that setting this parameter can have a negative effect on your server performance due to the extra system calls that Samba has to do in order to perform the link checks.
6152
\fB\fIwide links\fR = yes \fR
4471
6154
winbind cache time (G)
4472
This parameter specifies the number of seconds the \fBwinbindd\fR(8) daemon will cache user and group information before querying a Windows NT server again\&.
4477
This does not apply to authentication requests, these are always evaluated in real time\&.
4480
Default: \fB\fIwinbind cache time\fR = 300 \fR
6155
This parameter specifies the number of seconds the
6157
daemon will cache user and group information before querying a Windows NT server again.
6160
.nr an-no-space-flag 1
6164
This does not apply to authentication requests, these are always evaluated in real time.
6166
\fB\fIwinbind cache time\fR = 300 \fR
4483
6168
winbind enum groups (G)
4484
On large installations using \fBwinbindd\fR(8) it may be necessary to suppress the enumeration of groups through the \fBsetgrent()\fR,\fBgetgrent()\fR and\fBendgrent()\fR group of system calls\&. If the \fIwinbind enum groups\fR parameter is\fBno\fR, calls to the \fBgetgrent()\fR system call will not return any data\&.
4489
Turning off group enumeration may cause some programs to behave oddly\&.
4492
Default: \fB\fIwinbind enum groups\fR = yes \fR
6169
On large installations using
6171
it may be necessary to suppress the enumeration of groups through the
6176
group of system calls. If the
6177
\fIwinbind enum groups\fR
6179
\fBno\fR, calls to the
6181
system call will not return any data.
6184
.nr an-no-space-flag 1
6188
Turning off group enumeration may cause some programs to behave oddly.
6190
\fB\fIwinbind enum groups\fR = no \fR
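Review bot: the value of winbind enum groups flips from yes (old line 4492, labelled Default) to no (new line 6190), but the description at 6169-6188 is carried over unchanged and nowhere states that enumeration is now off. If no is the new default, say so in the paragraph at 6176-6181, because getgrent() returning no data is exactly what the warning at 6188 says makes programs behave oddly. The winbind enum users hunk that follows has the same yes to no change between 4504 and 6214.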
4495
6192
winbind enum users (G)
4496
On large installations using \fBwinbindd\fR(8) it may be necessary to suppress the enumeration of users through the \fBsetpwent()\fR,\fBgetpwent()\fR and\fBendpwent()\fR group of system calls\&. If the \fIwinbind enum users\fR parameter is\fBno\fR, calls to the \fBgetpwent\fR system call will not return any data\&.
4501
Turning off user enumeration may cause some programs to behave oddly\&. For example, the finger program relies on having access to the full user list when searching for matching usernames\&.
4504
Default: \fB\fIwinbind enum users\fR = yes \fR
6193
On large installations using
6195
it may be necessary to suppress the enumeration of users through the
6200
group of system calls. If the
6201
\fIwinbind enum users\fR
6203
\fBno\fR, calls to the
6205
system call will not return any data.
6208
.nr an-no-space-flag 1
6212
Turning off user enumeration may cause some programs to behave oddly. For example, the finger program relies on having access to the full user list when searching for matching usernames.
6214
\fB\fIwinbind enum users\fR = no \fR
4507
6216
winbind nested groups (G)
4508
If set to yes, this parameter activates the support for nested groups\&. Nested groups are also called local groups or aliases\&. They work like their counterparts in Windows: Nested groups are defined locally on any machine (they are shared between DC's through their SAM) and can contain users and global groups from any trusted SAM\&. To be able to use nested groups, you need to run nss_winbind\&.
4510
Please note that per 3\&.0\&.3 this is a new feature, so handle with care\&.
4512
Default: \fB\fIwinbind nested groups\fR = no \fR
6217
If set to yes, this parameter activates the support for nested groups. Nested groups are also called local groups or aliases. They work like their counterparts in Windows: Nested groups are defined locally on any machine (they are shared between DC's through their SAM) and can contain users and global groups from any trusted SAM. To be able to use nested groups, you need to run nss_winbind.
6220
\fB\fIwinbind nested groups\fR = yes \fR
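Review bot: the caution at old line 4510 ("per 3.0.3 this is a new feature, so handle with care") is removed while the value moves from no (4512) to yes (6220), and nothing at 6217 mentions either change. Nested groups alter which users end up in a group, so a sentence at 6217 should state the new value and that nss_winbind is still required, otherwise the change in effective group membership is silent for anyone reading only the new text.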
4515
6222
winbind nss info (G)
4516
This parameter is designed to control how Winbind retrieves Name Service Information to construct a user's home directory and login shell\&. Currently the following settings are available:
4521
\fItemplate\fR \- The default, using the parameters of \fItemplate shell\fR and \fItemplate homedir\fR)
4524
\fIsfu\fR \- When Samba is running in security = ads and your Active Directory Domain Controller does support the Microsoft "Services for Unix" (SFU) LDAP schema, winbind can retrieve the login shell and the home directory attributes directly from your Directory Server\&. Note that retrieving UID and GID from your ADS\-Server requires to use\fIidmap backend\fR = idmap_ad as well\&.
6223
This parameter is designed to control how Winbind retrieves Name Service Information to construct a user's home directory and login shell. Currently the following settings are available:
6228
- The default, using the parameters of
6229
\fItemplate shell\fR
6231
\fItemplate homedir\fR)
6235
- When Samba is running in security = ads and your Active Directory Domain Controller does support the Microsoft "Services for Unix" (SFU) LDAP schema, winbind can retrieve the login shell and the home directory attributes directly from your Directory Server. Note that retrieving UID and GID from your ADS-Server requires to use
4530
Default: \fB\fIwinbind nss info\fR = template \fR
4532
Example: \fB\fIwinbind nss info\fR = template sfu \fR
6243
\fB\fIwinbind nss info\fR = template \fR
6246
\fB\fIwinbind nss info\fR = template sfu \fR
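Review bot: the stray closing parenthesis after "template homedir" is carried from old line 4521 into new line 6231 with no matching opening parenthesis, and "requires to use" at 6235 keeps the old wording. Since this hunk rewrites both items anyway, drop the ")" and reword the sfu item to "requires idmap backend = idmap_ad as well".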
6248
winbind offline logon (G)
6249
This parameter is designed to control whether Winbind should allow to login with the
6251
module using Cached Credentials. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache.
6254
\fB\fIwinbind offline logon\fR = false \fR
6257
\fB\fIwinbind offline logon\fR = true \fR
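Review bot: missing documentation at new line 6251 for a parameter that persists credentials. The text says winbindd "will store user credentials from successful logins encrypted in a local cache" but does not name the cache, say what protects it, or say how long entries stay valid, so an administrator cannot judge what enabling this exposes on a host that is later lost or compromised. Please add that information, or a pointer to where it is documented, and fix "allow to login" at 6249 to "allow logins".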
6259
winbind refresh tickets (G)
6260
This parameter is designed to control whether Winbind should refresh Kerberos Tickets retrieved using the
6265
\fB\fIwinbind refresh tickets\fR = false \fR
6268
\fB\fIwinbind refresh tickets\fR = true \fR
4535
6270
winbind separator (G)
4536
This parameter allows an admin to define the character used when listing a username of the form of \fIDOMAIN \fR\\\fIuser\fR\&. This parameter is only applicable when using the \fIpam_winbind\&.so\fR and \fInss_winbind\&.so\fR modules for UNIX services\&.
4538
Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + is used as a special character for NIS in /etc/group\&.
4540
Default: \fB\fIwinbind separator\fR = '\\' \fR
4542
Example: \fB\fIwinbind separator\fR = + \fR
6271
This parameter allows an admin to define the character used when listing a username of the form of
6272
\fIDOMAIN \fR\\fIuser\fR. This parameter is only applicable when using the
6273
\fIpam_winbind.so\fR
6275
\fInss_winbind.so\fR
6276
modules for UNIX services.
6278
Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + is used as a special character for NIS in /etc/group.
6281
\fB\fIwinbind separator\fR = '\' \fR
6284
\fB\fIwinbind separator\fR = + \fR
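Review bot: the backslash escaping is lost on new lines 6272 and 6281. Old line 4536 has "\fR\\\fIuser\fR" (an escaped backslash followed by the \fI font escape) and old line 4540 has '\\'; the new lines have "\fR\\fIuser\fR" and '\', so as shown the formatter reads "\\" as the backslash and prints "fIuser" as literal text, and the quoted separator no longer contains an escaped backslash. Both need the extra backslash restored so the page still shows DOMAIN\user and a default of '\'.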
4545
6286
winbind trusted domains only (G)
4546
This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain\&. Therefore, the user DOMAIN\\user1 would be mapped to the account user1 in /etc/passwd instead of allocating a new uid for him or her\&.
4548
Default: \fB\fIwinbind trusted domains only\fR = no \fR
6287
This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. Therefore, the user
6289
would be mapped to the account user1 in /etc/passwd instead of allocating a new uid for him or her.
6292
\fB\fIwinbind trusted domains only\fR = no \fR
4551
6294
winbind use default domain (G)
4552
This parameter specifies whether the\fBwinbindd\fR(8) daemon should operate on users without domain component in their username\&. Users without a domain component are treated as is part of the winbindd server's own domain\&. While this does not benifit Windows users, it makes SSH, FTP and e\-mail function in a way much closer to the way they would in a native unix system\&.
4554
Default: \fB\fIwinbind use default domain\fR = no \fR
4556
Example: \fB\fIwinbind use default domain\fR = yes \fR
6295
This parameter specifies whether the
6297
daemon should operate on users without domain component in their username. Users without a domain component are treated as is part of the winbindd server's own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail function in a way much closer to the way they would in a native unix system.
6300
\fB\fIwinbind use default domain\fR = no \fR
6303
\fB\fIwinbind use default domain\fR = yes \fR
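Review bot: new line 6297 carries over two errors from old line 4552, "benifit" and "are treated as is part of". Suggest "benefit" and "are treated as part of the winbindd server's own domain". It would also help to say here that with this set to yes a bare username and DOMAIN\username refer to the same account, since that is what changes for SSH, FTP and mail logins.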
4560
When Samba is running as a WINS server this allows you to call an external program for all changes to the WINS database\&. The primary use for this option is to allow the dynamic update of external name resolution databases such as dynamic DNS\&.
6306
When Samba is running as a WINS server this allows you to call an external program for all changes to the WINS database. The primary use for this option is to allow the dynamic update of external name resolution databases such as dynamic DNS.
4562
6308
The wins hook parameter specifies the name of a script or executable that will be called as follows:
4564
6310
\fBwins_hook operation name nametype ttl IP_list\fR
4570
The first argument is the operation and is one of "add", "delete", or "refresh"\&. In most cases the operation can be ignored as the rest of the parameters provide sufficient information\&. Note that "refresh" may sometimes be called when the name has not previously been added, in that case it should be treated as an add\&.
4573
The second argument is the NetBIOS name\&. If the name is not a legal name then the wins hook is not called\&. Legal names contain only letters, digits, hyphens, underscores and periods\&.
4576
The third argument is the NetBIOS name type as a 2 digit hexadecimal number\&.
4579
The fourth argument is the TTL (time to live) for the name in seconds\&.
4582
The fifth and subsequent arguments are the IP addresses currently registered for that name\&. If this list is empty then the name should be deleted\&.
6314
The first argument is the operation and is one of "add", "delete", or "refresh". In most cases the operation can be ignored as the rest of the parameters provide sufficient information. Note that "refresh" may sometimes be called when the name has not previously been added, in that case it should be treated as an add.
6317
The second argument is the NetBIOS name. If the name is not a legal name then the wins hook is not called. Legal names contain only letters, digits, hyphens, underscores and periods.
6320
The third argument is the NetBIOS name type as a 2 digit hexadecimal number.
6323
The fourth argument is the TTL (time to live) for the name in seconds.
6326
The fifth and subsequent arguments are the IP addresses currently registered for that name. If this list is empty then the name should be deleted.
4586
An example script that calls the BIND dynamic DNS update program \fBnsupdate\fR is provided in the examples directory of the Samba source code\&.
6329
An example script that calls the BIND dynamic DNS update program
6331
is provided in the examples directory of the Samba source code.
4588
6333
\fBNo default\fR
4592
This is a boolean that controls if \fBnmbd\fR(8) will respond to broadcast name queries on behalf of other hosts\&. You may need to set this to \fByes\fR for some older clients\&.
4594
Default: \fB\fIwins proxy\fR = no \fR
6336
This is a boolean that controls if
6338
will respond to broadcast name queries on behalf of other hosts. You may need to set this to
6340
for some older clients.
6343
\fB\fIwins proxy\fR = no \fR
4597
6345
wins server (G)
4598
This specifies the IP address (or DNS name: IP address for preference) of the WINS server that \fBnmbd\fR(8) should register with\&. If you have a WINS server on your network then you should set this to the WINS server's IP\&.
4600
You should point this at your WINS server if you have a multi\-subnetted network\&.
4602
If you want to work in multiple namespaces, you can give every wins server a 'tag'\&. For each tag, only one (working) server will be queried for a name\&. The tag should be separated from the ip address by a colon\&.
4607
You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross\-subnet browsing to work correctly\&.
4610
See the chapter in the Samba3\-HOWTO on Network Browsing\&.
4612
Default: \fB\fIwins server\fR = \fR
4614
Example: \fB\fIwins server\fR = mary:192\&.9\&.200\&.1 fred:192\&.168\&.3\&.199 mary:192\&.168\&.2\&.61 # For this example when querying a certain name, 192\&.19\&.200\&.1 will be asked first and if that doesn't respond 192\&.168\&.2\&.61\&. If either of those doesn't know the name 192\&.168\&.3\&.199 will be queried\&. \fR
4616
Example: \fB\fIwins server\fR = 192\&.9\&.200\&.1 192\&.168\&.2\&.61 \fR
6346
This specifies the IP address (or DNS name: IP address for preference) of the WINS server that
6348
should register with. If you have a WINS server on your network then you should set this to the WINS server's IP.
6350
You should point this at your WINS server if you have a multi-subnetted network.
6352
If you want to work in multiple namespaces, you can give every wins server a 'tag'. For each tag, only one (working) server will be queried for a name. The tag should be separated from the ip address by a colon.
6355
.nr an-no-space-flag 1
6359
You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet browsing to work correctly.
6360
See the chapter in the Samba3-HOWTO on Network Browsing.
6363
\fB\fIwins server\fR = \fR
6366
\fB\fIwins server\fR = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 # For this example when querying a certain name, 192.19.200.1 will be asked first and if that doesn't respond 192.168.2.61. If either of those doesn't know the name 192.168.3.199 will be queried. \fR
6369
\fB\fIwins server\fR = 192.9.200.1 192.168.2.61 \fR
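Review bot: the address in the example's comment does not match the example, on both old line 4614 and new line 6366. The list gives mary:192.9.200.1, but the comment says "192.19.200.1 will be asked first". One of the two is a typo; make the comment read 192.9.200.1 (or correct the list) so a reader copying the example knows which server the mary tag resolves to first.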
4619
6371
wins support (G)
4620
This boolean controls if the \fBnmbd\fR(8) process in Samba will act as a WINS server\&. You should not set this to \fByes\fR unless you have a multi\-subnetted network and you wish a particular \fBnmbd\fR to be your WINS server\&. Note that you should \fBNEVER\fR set this to \fByes\fR on more than one machine in your network\&.
4622
Default: \fB\fIwins support\fR = no \fR
6372
This boolean controls if the
6374
process in Samba will act as a WINS server. You should not set this to
6376
unless you have a multi-subnetted network and you wish a particular
6378
to be your WINS server. Note that you should
6382
on more than one machine in your network.
6385
\fB\fIwins support\fR = no \fR
4626
This controls what workgroup your server will appear to be in when queried by clients\&. Note that this parameter also controls the Domain name used with the security = domain setting\&.
4628
Default: \fB\fIworkgroup\fR = WORKGROUP \fR
4630
Example: \fB\fIworkgroup\fR = MYGROUP \fR
6388
This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the
6389
security = domain setting.
6392
\fB\fIworkgroup\fR = WORKGROUP \fR
6395
\fB\fIworkgroup\fR = MYGROUP \fR
4634
This parameter is a synonym for writeable\&.
6398
This parameter is a synonym for writeable.
4638
Inverted synonym for read only\&.
6401
Inverted synonym for
4640
6404
\fBNo default\fR
4643
6406
write cache size (S)
4644
If this integer parameter is set to non\-zero value, Samba will create an in\-memory cache for each oplocked file (it does \fBnot\fR do this for non\-oplocked files)\&. All writes that the client does not request to be flushed directly to disk will be stored in this cache if possible\&. The cache is flushed onto disk when a write comes in whose offset would not fit into the cache or when the file is closed by the client\&. Reads for the file are also served from this cache if the data is stored within it\&.
4646
This cache allows Samba to batch client writes into a more efficient write size for RAID disks (i\&.e\&. writes may be tuned to be the RAID stripe size) and can improve performance on systems where the disk subsystem is a bottleneck but there is free memory for userspace programs\&.
4648
The integer parameter specifies the size of this cache (per oplocked file) in bytes\&.
4650
Default: \fB\fIwrite cache size\fR = 0 \fR
4652
Example: \fB\fIwrite cache size\fR = 262144 # for a 256k cache size per file \fR
6407
If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file (it does
6409
do this for non-oplocked files). All writes that the client does not request to be flushed directly to disk will be stored in this cache if possible. The cache is flushed onto disk when a write comes in whose offset would not fit into the cache or when the file is closed by the client. Reads for the file are also served from this cache if the data is stored within it.
6411
This cache allows Samba to batch client writes into a more efficient write size for RAID disks (i.e. writes may be tuned to be the RAID stripe size) and can improve performance on systems where the disk subsystem is a bottleneck but there is free memory for userspace programs.
6413
The integer parameter specifies the size of this cache (per oplocked file) in bytes.
6416
\fB\fIwrite cache size\fR = 0 \fR
6419
\fB\fIwrite cache size\fR = 262144 # for a 256k cache size per file \fR
4656
This is a list of users that are given read\-write access to a service\&. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to\&. The list can include group names using the @group syntax\&.
4658
Note that if a user is in both the read list and the write list then they will be given write access\&.
4660
By design, this parameter will not work with the security = share in Samba 3\&.0\&.
4662
Default: \fB\fIwrite list\fR = \fR
4664
Example: \fB\fIwrite list\fR = admin, root, @staff \fR
6422
This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the
6423
read only option is set to. The list can include group names using the @group syntax.
6425
Note that if a user is in both the read list and the write list then they will be given write access.
6427
By design, this parameter will not work with the
6428
security = share in Samba 3.0.
6431
\fB\fIwrite list\fR = \fR
6434
\fB\fIwrite list\fR = admin, root, @staff \fR
4668
This parameter controls whether or not the server will support raw write SMB's when transferring data from clients\&. You should never need to change this parameter\&.
4670
Default: \fB\fIwrite raw\fR = yes \fR
6437
This parameter controls whether or not the server will support raw write SMB's when transferring data from clients. You should never need to change this parameter.
6440
\fB\fIwrite raw\fR = yes \fR
4673
6442
wtmp directory (G)
4674
This parameter is only available if Samba has been configured and compiled with the option \fB \-\-with\-utmp\fR\&. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server\&. The difference with the utmp directory is the fact that user info is kept after a user has logged out\&.
4676
By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually\fI/var/run/wtmp\fR on Linux)\&.
4678
Default: \fB\fIwtmp directory\fR = \fR
4680
Example: \fB\fIwtmp directory\fR = /var/log/wtmp \fR
6443
This parameter is only available if Samba has been configured and compiled with the option
6444
\fB --with-utmp\fR. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact that user info is kept after a user has logged out.
6446
By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
6451
\fB\fIwtmp directory\fR = \fR
6454
\fB\fIwtmp directory\fR = /var/log/wtmp \fR
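Review bot: in the wtmp directory description, old line 4676 and new line 6446 both say the system will use "whatever utmp file the native system is set to use", and 4676 gives /var/run/wtmp as the usual Linux location while the example at 4680 and 6454 uses /var/log/wtmp. Please check whether "utmp file" should read "wtmp file" here and which path is intended, since this file is the record of user connections that survives logout and readers will look for it where the page says.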
4685
Although the configuration file permits service names to contain spaces, your client software may not\&. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem \- but be aware of the possibility\&.
4688
On a similar note, many clients \- especially DOS clients \- limit service names to eight characters\&.\fBsmbd\fR(8) has no such limitation, but attempts to connect from such clients will fail if they truncate the service names\&. For this reason you should probably keep your service names down to eight characters in length\&.
4691
Use of the [homes] and [printers] special sections make life for an administrator easy, but the various combinations of default attributes can be tricky\&. Take extreme care when designing these sections\&. In particular, ensure that the permissions on spool directories are correct\&.
6457
Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
6459
On a similar note, many clients - especially DOS clients - limit service names to eight characters.
6461
has no such limitation, but attempts to connect from such clients will fail if they truncate the service names. For this reason you should probably keep your service names down to eight characters in length.
6467
special sections make life for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct.
4696
This man page is correct for version 3\&.0 of the Samba suite\&.
6470
This man page is correct for version 3.0 of the Samba suite.
4701
\fBsamba\fR(7), \fBsmbpasswd\fR(8), \fBswat\fR(8), \fBsmbd\fR(8), \fBnmbd\fR(8), \fBsmbclient\fR(1), \fBnmblookup\fR(1), \fBtestparm\fR(1), \fBtestprns\fR(1)\&.
4706
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
4709
The original Samba man pages were written by Karl Auer\&. The man page sources were converted to YODL format (another excellent piece of Open Source software, available at ftp://ftp\&.icce\&.rug\&.nl/pub/unix/) and updated for the Samba 2\&.0 release by Jeremy Allison\&. The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.
6485
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
6487
The original Samba man pages were written by Karl Auer. The man page sources were converted to YODL format (another excellent piece of Open Source software, available at
6488
ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 release by Jeremy Allison. The conversion to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.