1
<refentry id="smb.conf.5" xmlns:xi="http://www.w3.org/2003/XInclude"
2
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
5
<refentrytitle>smb.conf</refentrytitle>
6
<manvolnum>5</manvolnum>
7
<refmiscinfo class="source">Samba</refmiscinfo>
8
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
9
<refmiscinfo class="version">3.0</refmiscinfo>
14
<refname>smb.conf</refname>
15
<refpurpose>The configuration file for the Samba suite</refpurpose>
19
<title>SYNOPSIS</title>
22
The <filename moreinfo="none">smb.conf</filename> file is a configuration file for the Samba suite. <filename
23
moreinfo="none">smb.conf</filename> contains runtime configuration information for the Samba programs. The
24
<filename moreinfo="none">smb.conf</filename> file is designed to be configured and administered by the
25
<citerefentry><refentrytitle>swat</refentrytitle> <manvolnum>8</manvolnum></citerefentry> program. The
26
complete description of the file format and possible parameters held within are here for reference purposes.
30
<refsect1 id="FILEFORMATSECT">
31
<title>FILE FORMAT</title>
34
The file consists of sections and parameters. A section begins with the name of the section in square brackets
35
and continues until the next section begins. Sections contain parameters of the form:
37
<replaceable>name</replaceable> = <replaceable>value </replaceable>
42
The file is line-based - that is, each newline-terminated line represents either a comment, a section name or
46
<para>Section and parameter names are not case sensitive.</para>
49
Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is
50
discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading
51
and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is
56
Any line beginning with a semicolon (<quote>;</quote>) or a hash (<quote>#</quote>)
57
character is ignored, as are lines containing only whitespace.
61
Any line ending in a <quote><literal>\</literal></quote> is continued on the next line in the customary UNIX fashion.
65
The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean,
66
which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved
67
in string values. Some items such as create masks are numeric.
73
<title>SECTION DESCRIPTIONS</title>
76
Each section in the configuration file (except for the [global] section) describes a shared resource (known as
77
a <quote>share</quote>). The section name is the name of the shared resource and the parameters within the
78
section define the shares attributes.
82
There are three special sections, [global], [homes] and [printers], which are described under
83
<emphasis>special sections</emphasis>. The following notes apply to ordinary section descriptions.
87
A share consists of a directory to which access is being given plus a description of the access rights
88
which are granted to the user of the service. Some housekeeping options are also specifiable.
92
Sections are either file share services (used by the client as an extension of their native file systems)
93
or printable services (used by the client to access print services on the host running the server).
97
Sections may be designated <emphasis>guest</emphasis> services, in which case no password is required to
98
access them. A specified UNIX <emphasis>guest account</emphasis> is used to define access privileges in this
103
Sections other than guest services will require a password to access them. The client provides the
104
username. As older clients only provide passwords and not usernames, you may specify a list of usernames to
105
check against the password using the <literal>user =</literal> option in the share definition. For modern clients
106
such as Windows 95/98/ME/NT/2000, this should not be necessary.
110
The access rights granted by the server are masked by the access rights granted to the specified or guest
111
UNIX user by the host system. The server does not grant more access than the host system grants.
115
The following sample section defines a file space share. The user has write access to the path <filename
116
moreinfo="none">/home/bar</filename>. The share is accessed via the share name <literal>foo</literal>:
118
<smbconfsection name="[foo]"/>
119
<smbconfoption name="path">/home/bar</smbconfoption>
120
<smbconfoption name="read only">no</smbconfoption>
125
The following sample section defines a printable share. The share is read-only, but printable. That is,
126
the only write access permitted is via calls to open, write to and close a spool file. The <emphasis>guest
127
ok</emphasis> parameter means access will be permitted as the default guest user (specified elsewhere):
129
<smbconfsection name="[aprinter]"/>
130
<smbconfoption name="path">/usr/spool/public</smbconfoption>
131
<smbconfoption name="read only">yes</smbconfoption>
132
<smbconfoption name="printable">yes</smbconfoption>
133
<smbconfoption name="guest ok">yes</smbconfoption>
140
<title>SPECIAL SECTIONS</title>
143
<title>The [global] section</title>
146
Parameters in this section apply to the server as a whole, or are defaults for sections that do not
147
specifically define certain items. See the notes under PARAMETERS for more information.
151
<refsect2 id="HOMESECT">
152
<title>The [homes] section</title>
155
If a section called [homes] is included in the configuration file, services connecting clients
156
to their home directories can be created on the fly by the server.
160
When the connection request is made, the existing sections are scanned. If a match is found, it is
161
used. If no match is found, the requested section name is treated as a username and looked up in the local
162
password file. If the name exists and the correct password has been given, a share is created by cloning the
167
Some modifications are then made to the newly created share:
172
The share name is changed from homes to the located username.
176
If no path was given, the path is set to the user's home directory.
181
If you decide to use a <emphasis>path =</emphasis> line in your [homes] section, it may be useful
182
to use the %S macro. For example:
184
<userinput moreinfo="none">path = /data/pchome/%S</userinput>
186
is useful if you have different home directories for your PCs than for UNIX access.
190
This is a fast and simple way to give a large number of clients access to their home directories with a minimum
195
A similar process occurs if the requested section name is <quote>homes</quote>, except that the share
196
name is not changed to that of the requesting user. This method of using the [homes] section works well if
197
different users share a client PC.
201
The [homes] section can specify all the parameters a normal service section can specify, though some make more sense
202
than others. The following is a typical and suitable [homes] section:
204
<smbconfsection name="[homes]"/>
205
<smbconfoption name="read only">no</smbconfoption>
210
An important point is that if guest access is specified in the [homes] section, all home directories will be
211
visible to all clients <emphasis>without a password</emphasis>. In the very unlikely event that this is actually
212
desirable, it is wise to also specify <emphasis>read only access</emphasis>.
216
The <emphasis>browseable</emphasis> flag for auto home directories will be inherited from the global browseable
217
flag, not the [homes] browseable flag. This is useful as it means setting <emphasis>browseable = no</emphasis> in
218
the [homes] section will hide the [homes] share but make any auto home directories visible.
222
<refsect2 id="PRINTERSSECT">
223
<title>The [printers] section</title>
226
This section works like [homes], but for printers.
230
If a [printers] section occurs in the configuration file, users are able to connect to any printer
231
specified in the local host's printcap file.
235
When a connection request is made, the existing sections are scanned. If a match is found, it is used.
236
If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested
237
section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested
238
section name is a valid printer share name. If a match is found, a new printer share is created by cloning the
243
A few modifications are then made to the newly created share:
247
<listitem><para>The share name is set to the located printer name</para></listitem>
249
<listitem><para>If no printer name was given, the printer name is set to the located printer name</para></listitem>
251
<listitem><para>If the share does not permit guest access and no username was given, the username is set
252
to the located printer name.</para></listitem>
256
The [printers] service MUST be printable - if you specify otherwise, the server will refuse
257
to load the configuration file.
261
Typically the path specified is that of a world-writeable spool directory with the sticky bit set on
262
it. A typical [printers] entry looks like this:
264
<smbconfsection name="[printers]"/>
265
<smbconfoption name="path">/usr/spool/public</smbconfoption>
266
<smbconfoption name="guest ok">yes</smbconfoption>
267
<smbconfoption name="printable">yes</smbconfoption>
272
All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned.
273
If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file
274
consisting of one or more lines like this:
276
alias|alias|alias|alias...
281
Each alias should be an acceptable printer name for your printing subsystem. In the [global] section,
282
specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap,
283
which of course can contain whatever aliases you like. The same technique could be used simply to limit access
284
to a subset of your local printers.
288
An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines,
289
components (if there are more than one) are separated by vertical bar symbols (<literal>|</literal>).
293
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use
294
<literal>printcap name = lpstat</literal> to automatically obtain a list of printers. See the
295
<literal>printcap name</literal> option for more details.
301
<title>USERSHARES</title>
303
<para>Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete
304
their own share definitions has been added. This capability is called <emphasis>usershares</emphasis> and
305
is controlled by a set of parameters in the [global] section of the smb.conf.
306
The relevant parameters are :
311
<term>usershare allow guests</term>
312
<listitem><para>Controls if usershares can permit guest access.</para></listitem>
316
<term>usershare max shares</term>
317
<listitem><para>Maximum number of user defined shares allowed.</para></listitem>
321
<term>usershare owner only</term>
322
<listitem><para>If set only directories owned by the sharing user can be shared.</para></listitem>
326
<term>usershare path</term>
327
<listitem><para>Points to the directory containing the user defined share definitions.
328
The filesystem permissions on this directory control who can create user defined shares.</para></listitem>
332
<term>usershare prefix allow list</term>
333
<listitem><para>Comma-separated list of absolute pathnames restricting what directories
334
can be shared. Only directories below the pathnames in this list are permitted.</para></listitem>
338
<term>usershare prefix deny list</term>
339
<listitem><para>Comma-separated list of absolute pathnames restricting what directories
340
can be shared. Directories below the pathnames in this list are prohibited.</para></listitem>
344
<term>usershare template share</term>
345
<listitem><para>Names a pre-existing share used as a template for creating new usershares.
346
All other share parameters not specified in the user defined share definition
347
are copied from this named share.</para></listitem>
351
<para>To allow members of the UNIX group <literal>foo</literal> to create user defined
352
shares, create the directory to contain the share definitions as follows:
354
<para>Become root:</para>
356
mkdir /usr/local/samba/lib/usershares
357
chgrp foo /usr/local/samba/lib/usershares
358
chmod 1770 /usr/local/samba/lib/usershares
360
<para>Then add the parameters
363
<smbconfoption name="usershare path">/usr/local/samba/lib/usershares</smbconfoption>
364
<smbconfoption name="usershare max shares">10</smbconfoption> # (or the desired number of shares)
368
section of your <filename>smb.conf</filename>. Members of the group foo may then manipulate the user defined shares
369
using the following commands.</para>
373
<term>net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]</term>
374
<listitem><para>To create or modify (overwrite) a user defined share.</para></listitem>
378
<term>net usershare delete sharename</term>
379
<listitem><para>To delete a user defined share.</para></listitem>
383
<term>net usershare list wildcard-sharename</term>
384
<listitem><para>To list user defined shares.</para></listitem>
388
<term>net usershare info wildcard-sharename</term>
389
<listitem><para>To print information about user defined shares.</para></listitem>
395
<title>PARAMETERS</title>
397
<para>Parameters define the specific attributes of sections.</para>
400
Some parameters are specific to the [global] section (e.g., <emphasis>security</emphasis>). Some parameters
401
are usable in all sections (e.g., <emphasis>create mask</emphasis>). All others are permissible only in normal
402
sections. For the purposes of the following descriptions the [homes] and [printers] sections will be
403
considered normal. The letter <emphasis>G</emphasis> in parentheses indicates that a parameter is specific to
404
the [global] section. The letter <emphasis>S</emphasis> indicates that a parameter can be specified in a
405
service specific section. All <emphasis>S</emphasis> parameters can also be specified in the [global] section
406
- in which case they will define the default behavior for all services.
410
Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can
411
find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred
417
<title>VARIABLE SUBSTITUTIONS</title>
420
Many of the strings that are settable in the config file can take substitutions. For example the option
421
<quote>path = /tmp/%u</quote> is interpreted as <quote>path = /tmp/john</quote> if the user connected with the
426
These substitutions are mostly noted in the descriptions below, but there are some general substitutions
427
which apply whenever they might be relevant. These are:
433
<listitem><para>session username (the username that the client wanted, not
434
necessarily the same as the one they got).</para></listitem>
439
<listitem><para>primary group name of %U.</para></listitem>
444
<listitem><para>the Internet hostname that Samba is running on.</para></listitem>
449
<listitem><para>the NetBIOS name of the client machine (very useful).</para>
451
<para>This parameter is not available when Samba listens on port 445, as clients no longer
452
send this information. If you use this macro in an include statement on a domain that has
453
a Samba domain controller be sure to set in the [global] section <parameter>smb ports =
454
139</parameter>. This will cause Samba to not listen on port 445 and will permit include
455
functionality to function as it did with Samba 2.x.
462
<listitem><para>the NetBIOS name of the server. This allows you to change your config based on what
463
the client calls you. Your server can have a <quote>dual personality</quote>.
469
<listitem><para>the Internet name of the client machine.
475
<listitem><para>the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS,
476
LANMAN1, LANMAN2 or NT1.</para></listitem>
481
<listitem><para>the process id of the current server
482
process.</para></listitem>
488
The architecture of the remote
489
machine. It currently recognizes Samba (<constant>Samba</constant>),
490
the Linux CIFS file system (<constant>CIFSFS</constant>), OS/2, (<constant>OS2</constant>),
491
Windows for Workgroups (<constant>WfWg</constant>), Windows 9x/ME
492
(<constant>Win95</constant>), Windows NT (<constant>WinNT</constant>),
493
Windows 2000 (<constant>Win2K</constant>),
494
Windows XP (<constant>WinXP</constant>),
495
Windows XP 64-bit(<constant>WinXP64</constant>),
496
Windows 2003 including
497
2003R2 (<constant>Win2K3</constant>), and Windows
498
Vista (<constant>Vista</constant>). Anything else will be known as
499
<constant>UNKNOWN</constant>.</para>
505
<listitem><para>the IP address of the client machine.</para>
511
<listitem><para>the local IP address to which a client connected.</para>
517
<listitem><para>the current date and time.</para></listitem>
522
<listitem><para>name of the domain or workgroup of the current user.</para></listitem>
527
<listitem><para>the winbind separator.</para></listitem>
531
<term>%$(<replaceable>envvar</replaceable>)</term>
532
<listitem><para>the value of the environment variable
533
<replaceable>envar</replaceable>.</para></listitem>
538
The following substitutes apply only to some configuration options (only those that are
539
used when a connection has been established):
545
<listitem><para>the name of the current service, if any.</para>
551
<listitem><para>the root directory of the current service, if any.</para></listitem>
556
<listitem><para>username of the current service, if any.</para>
562
<listitem><para>primary group name of %u.</para></listitem>
567
<listitem><para>the home directory of the user given by %u.</para></listitem>
573
the name of your NIS home directory server. This is obtained from your NIS auto.map entry.
574
If you have not compiled Samba with the <emphasis>--with-automount</emphasis> option, this
575
value will be the same as %L.</para></listitem>
581
the path of the service's home directory, obtained from your NIS auto.map entry. The NIS
582
auto.map entry is split up as <literal>%N:%p</literal>.</para></listitem>
587
There are some quite creative things that can be done with these substitutions and other
588
<filename moreinfo="none">smb.conf</filename> options.
592
<refsect1 id="NAMEMANGLINGSECT">
593
<title>NAME MANGLING</title>
596
Samba supports <literal>name mangling</literal> so that DOS and Windows clients can use files that don't
597
conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.
601
There are several options that control the way mangling is performed, and they are grouped here rather
602
than listed separately. For the defaults look at the output of the testparm program.
606
These options can be set separately for each service.
616
<term>case sensitive = yes/no/auto</term>
618
controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on
619
passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS
620
and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to
621
access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or
622
DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no
623
for them. Default <emphasis>auto</emphasis>.
628
<term>default case = upper/lower</term>
630
controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem).
631
Default <emphasis>lower</emphasis>. IMPORTANT NOTE: This option will be used to modify the case of
632
<emphasis>all</emphasis> incoming client filenames, not just new filenames if the options <smbconfoption
633
name="case sensitive">yes</smbconfoption>, <smbconfoption name="preserve case">No</smbconfoption>,
634
<smbconfoption name="short preserve case">No</smbconfoption> are set. This change is needed as part of the
635
optimisations for directories containing large numbers of files.
640
<term>preserve case = yes/no</term>
642
controls whether new files (ie. files that don't currently exist in the filesystem) are created with the case
643
that the client passes, or if they are forced to be the <literal>default</literal> case. Default
644
<emphasis>yes</emphasis>.
649
<term>short preserve case = yes/no</term>
651
controls if new files (ie. files that don't currently exist in the filesystem) which conform to 8.3 syntax,
652
that is all in upper case and of suitable length, are created upper case, or if they are forced to be the
653
<literal>default</literal> case. This option can be used with <literal>preserve case = yes</literal> to permit
654
long filenames to retain their case, while short names are lowercased. Default <emphasis>yes</emphasis>.
660
By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive
661
but case preserving. As a special case for directories with large numbers of files, if the case
662
options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no"
663
then the "default case" option will be applied and will modify all filenames sent from the client
664
when accessing this share.
669
<refsect1 id="VALIDATIONSECT">
670
<title>NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
673
There are a number of ways in which a user can connect to a service. The server uses the following steps
674
in determining if it will allow a connection to a specified service. If all the steps fail, the connection
675
request is rejected. However, if one of the steps succeeds, the following steps are not checked.
679
If the service is marked <quote>guest only = yes</quote> and the server is running with share-level
680
security (<quote>security = share</quote>, steps 1 to 5 are skipped.
684
<orderedlist continuation="restarts" inheritnum="ignore" numeration="arabic">
686
If the client has passed a username/password pair and that username/password pair is validated by the UNIX
687
system's password programs, the connection is made as that username. This includes the
688
<literal>\\server\service</literal>%<replaceable>username</replaceable> method of passing a username.
692
If the client has previously registered a username with the system and now supplies a correct password for that
693
username, the connection is allowed.
697
The client's NetBIOS name and any previously used usernames are checked against the supplied password. If
698
they match, the connection is allowed as the corresponding user.
702
If the client has previously validated a username/password pair with the server and the client has passed
703
the validation token, that username is used.
707
If a <literal>user = </literal> field is given in the <filename moreinfo="none">smb.conf</filename> file for the
708
service and the client has supplied a password, and that password matches (according to the UNIX system's
709
password checking) with one of the usernames from the <literal>user =</literal> field, the connection is made as
710
the username in the <literal>user =</literal> line. If one of the usernames in the <literal>user =</literal> list
711
begins with a <literal>@</literal>, that name expands to a list of names in the group of the same name.
715
If the service is a guest service, a connection is made as the username given in the <literal>guest account
716
=</literal> for the service, irrespective of the supplied password.
723
<title>EXPLANATION OF EACH PARAMETER</title>
725
<samba:parameterlist>
726
<xi:include href="../smbdotconf/parameters.all.xml" parse="xml"/>
727
</samba:parameterlist>
732
<title>WARNINGS</title>
735
Although the configuration file permits service names to contain spaces, your client software may not.
736
Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
740
On a similar note, many clients - especially DOS clients - limit service names to eight characters.
741
<citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> has no such
742
limitation, but attempts to connect from such clients will fail if they truncate the service names. For this
743
reason you should probably keep your service names down to eight characters in length.
747
Use of the <literal>[homes]</literal> and <literal>[printers]</literal> special sections make life
748
for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme
749
care when designing these sections. In particular, ensure that the permissions on spool directories are
756
<title>VERSION</title>
758
<para>This man page is correct for version 3.0 of the Samba suite.</para>
762
<title>SEE ALSO</title>
764
<citerefentry><refentrytitle>samba</refentrytitle>
765
<manvolnum>7</manvolnum></citerefentry>, <citerefentry><refentrytitle>smbpasswd</refentrytitle>
766
<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>swat</refentrytitle>
767
<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>smbd</refentrytitle>
768
<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>nmbd</refentrytitle>
769
<manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>smbclient</refentrytitle>
770
<manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>nmblookup</refentrytitle>
771
<manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>testparm</refentrytitle>
772
<manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>testprns</refentrytitle>
773
<manvolnum>1</manvolnum></citerefentry>.</para>
777
<title>AUTHOR</title>
780
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed
781
by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
785
The original Samba man pages were written by Karl Auer. The man page sources were converted to YODL format (another
786
excellent piece of Open Source software, available at <ulink noescape="1" url="ftp://ftp.icce.rug.nl/pub/unix/">
787
ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0 release by Jeremy Allison. The conversion
788
to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by
added
removed
docs-xml/manpages-3/smb.conf.5.xml
