2
3
.\" Author: [see the "AUTHOR" section]
3
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
4
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
5
6
.\" Manual: File Formats and Conventions
6
7
.\" Source: Samba 3.4
7
8
.\" Language: English
9
.TH "SMB\&.CONF" "5" "10/29/2009" "Samba 3\&.4" "File Formats and Conventions"
10
.\" -----------------------------------------------------------------
11
.\" * (re)Define some macros
12
.\" -----------------------------------------------------------------
13
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14
.\" toupper - uppercase a string (locale-aware)
15
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
19
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
21
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22
.\" SH-xref - format a cross-reference to an SH section
23
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33
.\" SH - level-one heading that works better for non-TTY output
34
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
42
.nr an-prevailing-indent \\n[IN]
46
.HTML-TAG ".NH \\n[an-level]"
48
.nr an-no-space-flag 1
54
.\" if n (TTY output), use uppercase
59
.\" if not n (not TTY), use normal case (not uppercase)
63
.\" if not n (not TTY), put a border/line under subheading
68
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
69
.\" SS - level-two heading that works better for non-TTY output
70
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
75
.nr an-prevailing-indent \\n[IN]
80
.nr an-no-space-flag 1
88
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
89
.\" BB/BE - put background/screen (filled box) around block of text
90
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
103
.if "\\$2"adjust-for-leading-newline" \{\
111
.nr BW \\n(.lu-\\n(.i
114
.ie "\\$2"adjust-for-leading-newline" \{\
115
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
118
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
129
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
130
.\" BM/EM - put colored marker in margin next to block of text
131
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
148
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
10
.TH "SMB\&.CONF" "5" "01/18/2010" "Samba 3\&.4" "File Formats and Conventions"
156
11
.\" -----------------------------------------------------------------
157
12
.\" * set default formatting
158
13
.\" -----------------------------------------------------------------
163
18
.\" -----------------------------------------------------------------
164
19
.\" * MAIN CONTENT STARTS HERE *
165
20
.\" -----------------------------------------------------------------
167
22
smb.conf \- The configuration file for the Samba suite
172
27
file is a configuration file for the Samba suite\&.
174
29
contains runtime configuration information for the Samba programs\&. The
176
31
file is designed to be configured and administered by the
178
33
program\&. The complete description of the file format and possible parameters held within are here for reference purposes\&.
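Review bot: split the stylesheet regeneration from the content changes. The Generator comment at the top moves from DocBook XSL Stylesheets v1.74.0 to v1.75.2 and the macro preamble (toupper, SH-xref, BB/BE, BM/EM) is dropped, so most of the later hunks only lose their \FC...\F[] wrappers and .BB/.EB boxes. Committing that regeneration on its own would let the new parameter text (aio write behind, cache directory, directory name cache size) be reviewed without the markup noise.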
236
77
is used to define access privileges in this case\&.
238
79
Sections other than guest services will require a password to access them\&. The client provides the username\&. As older clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the
240
81
option in the share definition\&. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary\&.
242
83
The access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system\&. The server does not grant more access than the host system grants\&.
244
85
The following sample section defines a file space share\&. The user has write access to the path
245
\FC/home/bar\F[]\&. The share is accessed via the share name
86
/home/bar\&. The share is accessed via the share name
257
.BB lightgray adjust-for-leading-newline
261
94
\m[blue]\fBpath = /home/bar\fR\m[]
262
95
\m[blue]\fBread only = no\fR\m[]
263
.EB lightgray adjust-for-leading-newline
498
.BB lightgray adjust-for-leading-newline
501
264
alias|alias|alias|alias\&.\&.\&.
502
.EB lightgray adjust-for-leading-newline
513
270
Each alias should be an acceptable printer name for your printing subsystem\&. In the [global] section, specify the new file as your printcap\&. The server will only recognize names found in your pseudo\-printcap, which of course can contain whatever aliases you like\&. The same technique could be used simply to limit access to a subset of your local printers\&.
515
An alias, by the way, is defined as any component of the first entry of a printcap record\&. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (\FC|\F[])\&.
272
An alias, by the way, is defined as any component of the first entry of a printcap record\&. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (|)\&.
522
278
.nr an-no-space-flag 1
523
279
.nr an-break-flag 1
622
.BB lightgray adjust-for-leading-newline
625
358
\m[blue]\fBusershare path = /usr/local/samba/lib/usershares\fR\m[]
626
359
\m[blue]\fBusershare max shares = 10\fR\m[] # (or the desired number of shares)
627
.EB lightgray adjust-for-leading-newline
638
365
to the global section of your
639
\FCsmb\&.conf\F[]\&. Members of the group foo may then manipulate the user defined shares using the following commands\&.
366
smb\&.conf\&. Members of the group foo may then manipulate the user defined shares using the following commands\&.
641
368
net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]
802
529
the path of the service\'s home directory, obtained from your NIS auto\&.map entry\&. The NIS auto\&.map entry is split up as
806
533
There are some quite creative things that can be done with these substitutions and other
809
536
.SH "NAME MANGLING"
813
540
so that DOS and Windows clients can use files that don\'t conform to the 8\&.3 format\&. It can also be set to adjust the case of 8\&.3 format filenames\&.
815
542
There are several options that control the way mangling is performed, and they are grouped here rather than listed separately\&. For the defaults look at the output of the testparm program\&.
847
574
short preserve case = yes/no
849
576
controls if new files (ie\&. files that don\'t currently exist in the filesystem) which conform to 8\&.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the
851
578
case\&. This option can be used with
852
\FCpreserve case = yes\F[]
853
580
to permit long filenames to retain their case, while short names are lowercased\&. Default
922
649
field is given in the
924
651
file for the service and the client has supplied a password, and that password matches (according to the UNIX system\'s password checking) with one of the usernames from the
926
653
field, the connection is made as the username in the
928
655
line\&. If one of the usernames in the
930
657
list begins with a
931
\FC@\F[], that name expands to a list of names in the group of the same name\&.
658
@, that name expands to a list of names in the group of the same name\&.
942
669
If the service is a guest service, a connection is made as the username given in the
943
\FCguest account =\F[]
944
671
for the service, irrespective of the supplied password\&.
946
673
.SH "REGISTRY-BASED CONFIGURATION"
948
675
Starting with Samba version 3\&.2\&.0, the capability to store Samba configuration in the registry is available\&. The configuration is stored in the registry key
949
\fI\FCHKLM\eSoftware\eSamba\esmbconf\F[]\fR\&. There are two levels of registry configuration:
676
\fIHKLM\eSoftware\eSamba\esmbconf\fR\&. There are two levels of registry configuration:
1030
757
\fBSeRemoteShutdownPrivilege\fR, right, this command will be run as root\&.
1033
\fI\fIabort shutdown script\fR\fR\fI = \fR\fI\FC""\F[]\fR\fI \fR
760
\fI\fIabort shutdown script\fR\fR\fI = \fR\fI""\fR\fI \fR
1036
\fI\fIabort shutdown script\fR\fR\fI = \fR\fI\FC/sbin/shutdown \-c\F[]\fR\fI \fR
763
\fI\fIabort shutdown script\fR\fR\fI = \fR\fI/sbin/shutdown \-c\fR\fI \fR
1039
766
access based share enum (S)
1045
772
for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \e\esambaserver)\&. This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights\&.
1048
\fI\fIaccess based share enum\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
775
\fI\fIaccess based share enum\fR\fR\fI = \fR\fIno\fR\fI \fR
1051
778
acl check permissions (S)
1074
801
\fIauto\fR, the value for this parameter will be based upon the version of the client\&. There should be no reason to change this parameter from the default\&.
1077
\fI\fIacl compatibility\fR\fR\fI = \fR\fI\FCAuto\F[]\fR\fI \fR
804
\fI\fIacl compatibility\fR\fR\fI = \fR\fIAuto\fR\fI \fR
1080
\fI\fIacl compatibility\fR\fR\fI = \fR\fI\FCwin2k\F[]\fR\fI \fR
807
\fI\fIacl compatibility\fR\fR\fI = \fR\fIwin2k\fR\fI \fR
1083
810
acl group control (S)
1130
857
to the group name passed\&. This script is only useful for installations using the Windows NT domain administration tools\&. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions\&. In that case the script must print the numeric gid of the created group on stdout\&.
1133
\fI\fIadd group script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
860
\fI\fIadd group script\fR\fR\fI = \fR\fI\fR\fI \fR
1136
\fI\fIadd group script\fR\fR\fI = \fR\fI\FC/usr/sbin/groupadd %g\F[]\fR\fI \fR
863
\fI\fIadd group script\fR\fR\fI = \fR\fI/usr/sbin/groupadd %g\fR\fI \fR
1139
866
add machine script (G)
1291
1018
program can output a single line of text, which Samba will set as the port the new printer is connected to\&. If this line isn\'t output, Samba won\'t reload its printer shares\&.
1294
\fI\fIaddprinter command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1021
\fI\fIaddprinter command\fR\fR\fI = \fR\fI\fR\fI \fR
1297
\fI\fIaddprinter command\fR\fR\fI = \fR\fI\FC/usr/bin/addprinter\F[]\fR\fI \fR
1024
\fI\fIaddprinter command\fR\fR\fI = \fR\fI/usr/bin/addprinter\fR\fI \fR
1300
1027
add share command (G)
1304
1031
Samba 2\&.2\&.0 introduced the ability to dynamically add and delete shares via the Windows NT 4\&.0 Server Manager\&. The
1305
1032
\fIadd share command\fR
1306
1033
is used to define an external program or script which will add a new service definition to
1307
\FCsmb\&.conf\F[]\&.
1309
1036
In order to successfully execute the
1310
1037
\fIadd share command\fR,
1312
1039
requires that the administrator connects using a root account (i\&.e\&. uid == 0) or has the
1313
\FCSeDiskOperatorPrivilege\F[]\&. Scripts defined in the
1040
SeDiskOperatorPrivilege\&. Scripts defined in the
1314
1041
\fIadd share command\fR
1315
1042
parameter are executed as root\&.
1319
1046
will automatically invoke the
1320
1047
\fIadd share command\fR
1321
1048
with five parameters\&.
1423
1150
\m[blue]\fBpassword server\fR\m[]
1424
1151
and attempts to authenticate the given user with the given password\&. If the authentication succeeds then
1426
1153
attempts to find a UNIX user in the UNIX password database to map the Windows user into\&. If this lookup fails, and
1427
1154
\m[blue]\fBadd user script\fR\m[]
1430
1157
will call the specified script
1431
1158
\fIAS ROOT\fR, expanding any
1433
1160
argument to be the user name to create\&.
1435
1162
If this script successfully creates the user then
1437
1164
will continue on as though the UNIX user already existed\&. In this way, UNIX users are dynamically created to match existing Windows NT accounts\&.
1442
1169
\m[blue]\fBdelete user script\fR\m[]\&.
1445
\fI\fIadd user script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1172
\fI\fIadd user script\fR\fR\fI = \fR\fI\fR\fI \fR
1448
\fI\fIadd user script\fR\fR\fI = \fR\fI\FC/usr/local/samba/bin/add_user %u\F[]\fR\fI \fR
1175
\fI\fIadd user script\fR\fR\fI = \fR\fI/usr/local/samba/bin/add_user %u\fR\fI \fR
1451
1178
add user to group script (G)
1461
1188
will be replaced with the user name\&.
1465
1192
command used in the example below does not support the used syntax on all systems\&.
1468
\fI\fIadd user to group script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1195
\fI\fIadd user to group script\fR\fR\fI = \fR\fI\fR\fI \fR
1471
\fI\fIadd user to group script\fR\fR\fI = \fR\fI\FC/usr/sbin/adduser %u %g\F[]\fR\fI \fR
1198
\fI\fIadd user to group script\fR\fR\fI = \fR\fI/usr/sbin/adduser %u %g\fR\fI \fR
1474
1201
administrative share (S)
1548
1275
\m[blue]\fBaio write size\fR\m[]
1551
\fI\fIaio read size\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
1554
\fI\fIaio read size\fR\fR\fI = \fR\fI\FC16384 # Use asynchronous I/O for reads bigger than 16KB request size\F[]\fR\fI \fR
1278
\fI\fIaio read size\fR\fR\fI = \fR\fI0\fR\fI \fR
1281
\fI\fIaio read size\fR\fR\fI = \fR\fI16384 # Use asynchronous I/O for reads bigger than 16KB request size\fR\fI \fR
1284
aio write behind (S)
1285
.\" aio write behind
1288
If Samba has been built with asynchronous I/O support, Samba will not wait until write requests are finished before returning the result to the client for files listed in this parameter\&. Instead, Samba will immediately return that the write request has been finished successfully, no matter if the operation will succeed or not\&. This might speed up clients without aio support, but is really dangerous, because data could be lost and files could be damaged\&.
1290
The syntax is identical to the
1291
\m[blue]\fBveto files\fR\m[]
1295
\fI\fIaio write behind\fR\fR\fI = \fR\fI\fR\fI \fR
1298
\fI\fIaio write behind\fR\fR\fI = \fR\fI/*\&.tmp/\fR\fI \fR
1557
1301
aio write size (S)
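Review bot: the warning in the new aio write behind description should say concretely what an administrator risks. The text states that Samba reports the write as finished "no matter if the operation will succeed or not", then only calls this "really dangerous". Suggest rewording to "whether or not the write later succeeds" and adding one sentence that the parameter should list only files whose loss is acceptable, as the /*.tmp/ value implies.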
1586
1330
All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server\&. As such the algorithmic mapping can\'t be \'turned off\', but pushing it \'out of the way\' should resolve the issues\&. Users and groups can then be assigned \'low\' RIDs in arbitrary\-rid supporting backends\&.
1589
\fI\fIalgorithmic rid base\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
1333
\fI\fIalgorithmic rid base\fR\fR\fI = \fR\fI1000\fR\fI \fR
1592
\fI\fIalgorithmic rid base\fR\fR\fI = \fR\fI\FC100000\F[]\fR\fI \fR
1336
\fI\fIalgorithmic rid base\fR\fR\fI = \fR\fI100000\fR\fI \fR
1595
1339
allocation roundup size (S)
1601
1345
The integer parameter specifies the roundup size in bytes\&.
1604
\fI\fIallocation roundup size\fR\fR\fI = \fR\fI\FC1048576\F[]\fR\fI \fR
1348
\fI\fIallocation roundup size\fR\fR\fI = \fR\fI1048576\fR\fI \fR
1607
\fI\fIallocation roundup size\fR\fR\fI = \fR\fI\FC0 # (to disable roundups)\F[]\fR\fI \fR
1351
\fI\fIallocation roundup size\fR\fR\fI = \fR\fI0 # (to disable roundups)\fR\fI \fR
1610
1354
allow trusted domains (G)
1634
1378
will announce itself as, to a network neighborhood browse list\&. By default this is set to Windows NT\&. The valid options are : "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively\&. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly\&.
1637
\fI\fIannounce as\fR\fR\fI = \fR\fI\FCNT Server\F[]\fR\fI \fR
1381
\fI\fIannounce as\fR\fR\fI = \fR\fINT Server\fR\fI \fR
1640
\fI\fIannounce as\fR\fR\fI = \fR\fI\FCWin95\F[]\fR\fI \fR
1384
\fI\fIannounce as\fR\fR\fI = \fR\fIWin95\fR\fI \fR
1643
1387
announce version (G)
1707
1451
in a slightly different ways\&.
1709
1453
For name service it causes
1711
1455
to bind to ports 137 and 138 on the interfaces listed in the
1712
1456
\m[blue]\fBinterfaces\fR\m[]
1715
1459
also binds to the "all addresses" interface (0\&.0\&.0\&.0) on ports 137 and 138 for the purposes of reading broadcast messages\&. If this option is not set then
1717
1461
will service name requests on all of these sockets\&. If
1718
1462
\m[blue]\fBbind interfaces only\fR\m[]
1721
1465
will check the source address of any packets coming in on the broadcast sockets and discard any that don\'t match the broadcast addresses of the interfaces in the
1722
1466
\m[blue]\fBinterfaces\fR\m[]
1723
1467
parameter list\&. As unicast packets are received on the other sockets it allows
1725
1469
to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the
1726
1470
\m[blue]\fBinterfaces\fR\m[]
1727
1471
list\&. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
1730
1474
For file service it causes
1732
1476
to bind only to the interface list given in the
1733
1477
\m[blue]\fBinterfaces\fR\m[]
1734
1478
parameter\&. This restricts the networks that
1736
1480
will serve, to packets coming in on those interfaces\&. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non\-broadcast network interfaces as it will not cope with non\-permanent interfaces\&.
1769
1513
set to the IP name of the primary interface of the local host\&.
1773
1517
status page tries to connect with
1778
1522
\fI127\&.0\&.0\&.1\fR
1779
1523
to determine if they are running\&. Not adding
1780
1524
\fI127\&.0\&.0\&.1\fR
1785
1529
to always show "not running" even if they really are\&. This can prevent
1787
1531
from starting/stopping/restarting
1793
\fI\fIbind interfaces only\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1537
\fI\fIbind interfaces only\fR\fR\fI = \fR\fIno\fR\fI \fR
1796
1540
blocking locks (S)
1854
1598
This controls whether
1856
1600
will serve a browse list to a client doing a
1857
\FCNetServerEnum\F[]
1858
1602
call\&. Normally set to
1859
1603
\fByes\fR\&. You should never need to change this\&.
1862
\fI\fIbrowse list\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
1606
\fI\fIbrowse list\fR\fR\fI = \fR\fIyes\fR\fI \fR
1613
Usually, most of the TDB files are stored in the
1614
\fIlock directory\fR\&. Since Samba 3\&.4\&.0, it is possible to differentiate between TDB files with persistent data and TDB files with non\-persistent data using the
1615
\fIstate directory\fR
1617
\fIcache directory\fR
1620
This option specifies the directory where TDB files containing non\-persistent data will be stored\&.
1623
\fI\fIcache directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
1626
\fI\fIcache directory\fR\fR\fI = \fR\fI/var/run/samba/locks/cache\fR\fI \fR
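Review bot: missing documentation in the new cache directory entry. It says non-persistent TDB files are stored here and that this separation is possible since Samba 3.4.0, but not what happens to TDB files already sitting in the lock directory when the value is changed, nor whether the directory has to exist beforehand. A sentence on each would help anyone moving from a single lock directory to the split layout.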
1900
1664
Samba 2\&.2\&.0 introduced the ability to dynamically add and delete shares via the Windows NT 4\&.0 Server Manager\&. The
1901
1665
\fIchange share command\fR
1902
1666
is used to define an external program or script which will modify an existing service definition in
1903
\FCsmb\&.conf\F[]\&.
1905
1669
In order to successfully execute the
1906
1670
\fIchange share command\fR,
1908
1672
requires that the administrator connects using a root account (i\&.e\&. uid == 0) or has the
1909
\FCSeDiskOperatorPrivilege\F[]\&. Scripts defined in the
1673
SeDiskOperatorPrivilege\&. Scripts defined in the
1910
1674
\fIchange share command\fR
1911
1675
parameter are executed as root\&.
1915
1679
will automatically invoke the
1916
1680
\fIchange share command\fR
1917
1681
with five parameters\&.
1981
1745
This parameter is only used to modify existing file share definitions\&. To modify printer shares, use the "Printers\&.\&.\&." folder as seen when browsing the Samba host\&.
1984
\fI\fIchange share command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1748
\fI\fIchange share command\fR\fR\fI = \fR\fI\fR\fI \fR
1987
\fI\fIchange share command\fR\fR\fI = \fR\fI\FC/usr/local/bin/changeshare\F[]\fR\fI \fR
1751
\fI\fIchange share command\fR\fR\fI = \fR\fI/usr/local/bin/changeshare\fR\fI \fR
1990
1754
check password script (G)
1996
1760
The program must return 0 on a good password, or any other value if the password is bad\&. In case the password is considered weak (the program does not return 0) the user will be notified and the password change will fail\&.
1998
1762
Note: In the example directory is a sample program called
2000
1764
that uses cracklib to check the password quality\&.
2003
\fI\fIcheck password script\fR\fR\fI = \fR\fI\FCDisabled\F[]\fR\fI \fR
1767
\fI\fIcheck password script\fR\fR\fI = \fR\fIDisabled\fR\fI \fR
2006
\fI\fIcheck password script\fR\fR\fI = \fR\fI\FC/usr/local/sbin/crackcheck\F[]\fR\fI \fR
1770
\fI\fIcheck password script\fR\fR\fI = \fR\fI/usr/local/sbin/crackcheck\fR\fI \fR
2009
1773
client lanman auth (G)
2017
1781
The LANMAN encrypted response is easily broken, due to its case\-insensitive nature, and the choice of algorithm\&. Clients without Windows 95/98 servers are advised to disable this option\&.
2019
1783
Disabling this option will also disable the
2020
\FCclient plaintext auth\F[]
1784
client plaintext auth
2023
1787
Likewise, if the
2024
\FCclient ntlmv2 auth\F[]
2025
1789
parameter is enabled, then only NTLMv2 logins will be attempted\&.
2028
\fI\fIclient lanman auth\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1792
\fI\fIclient lanman auth\fR\fR\fI = \fR\fIno\fR\fI \fR
2031
1795
client ldap sasl wrapping (G)
2047
1811
are only available if Samba has been compiled against a modern OpenLDAP version (2\&.3\&.x or higher)\&.
2049
This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "\FCHKLM\eSystem\eCurrentControlSet\eServices\e\F[]
2050
\FCNTDS\eParameters\eLDAPServerIntegrity\F[]" on the Windows server side\&.
1813
This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "HKLM\eSystem\eCurrentControlSet\eServices\e
1814
NTDS\eParameters\eLDAPServerIntegrity" on the Windows server side\&.
2052
1816
Depending on the used KRB5 library (MIT and older Heimdal versions) it is possible that the message "integrity only" is not supported\&. In this case,
2076
1840
If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent\&. Many servers (including NT4 < SP4, Win9x and Samba 2\&.2) are not compatible with NTLMv2\&.
2078
1842
Similarly, if enabled, NTLMv1,
2079
\FCclient lanman auth\F[]
2081
\FCclient plaintext auth\F[]
1845
client plaintext auth
2082
1846
authentication will be disabled\&. This also disables share\-level authentication\&.
2084
1848
If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of
2085
\FCclient lanman auth\F[]\&.
1849
client lanman auth\&.
2087
1851
Note that some sites (particularly those following \'best practice\' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM\&.
2090
\fI\fIclient ntlmv2 auth\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1854
\fI\fIclient ntlmv2 auth\fR\fR\fI = \fR\fIno\fR\fI \fR
2093
1857
client plaintext auth (G)
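Review bot: typo in the closing note of the client ntlmv2 auth description, where "security polices" should read "security policies". As this man page is generated, the fix belongs in the DocBook source so it survives the next regeneration.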
2152
1916
With this parameter you can add additional addresses nmbd will register with a WINS server\&. These addresses are not necessarily present on all nodes simultaneously, but they will be registered with the WINS server so that clients can contact any of the nodes\&.
2155
\fI\fIcluster addresses\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1919
\fI\fIcluster addresses\fR\fR\fI = \fR\fI\fR\fI \fR
2158
\fI\fIcluster addresses\fR\fR\fI = \fR\fI\FC10\&.0\&.0\&.1 10\&.0\&.0\&.2 10\&.0\&.0\&.3\F[]\fR\fI \fR
1922
\fI\fIcluster addresses\fR\fR\fI = \fR\fI10\&.0\&.0\&.1 10\&.0\&.0\&.2 10\&.0\&.0\&.3\fR\fI \fR
2316
\FCclustering=yes\F[], you need to tell Samba where ctdbd listens on its unix domain socket\&. The default path as of ctdb 1\&.0 is /tmp/ctdb\&.socket which you have to explicitly set for Samba in smb\&.conf\&.
2080
clustering=yes, you need to tell Samba where ctdbd listens on its unix domain socket\&. The default path as of ctdb 1\&.0 is /tmp/ctdb\&.socket which you have to explicitly set for Samba in smb\&.conf\&.
2319
\fI\fIctdbd socket\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2083
\fI\fIctdbd socket\fR\fR\fI = \fR\fI\fR\fI \fR
2322
\fI\fIctdbd socket\fR\fR\fI = \fR\fI\FC/tmp/ctdb\&.socket\F[]\fR\fI \fR
2086
\fI\fIctdbd socket\fR\fR\fI = \fR\fI/tmp/ctdb\&.socket\fR\fI \fR
2325
2089
cups connection timeout (G)
2334
2098
If set, this option specifies the number of seconds that smbd will wait whilst trying to contact to the CUPS server\&. The connection will fail if it takes longer than this number of seconds\&.
2337
\fI\fIcups connection timeout\fR\fR\fI = \fR\fI\FC30\F[]\fR\fI \fR
2101
\fI\fIcups connection timeout\fR\fR\fI = \fR\fI30\fR\fI \fR
2340
\fI\fIcups connection timeout\fR\fR\fI = \fR\fI\FC60\F[]\fR\fI \fR
2104
\fI\fIcups connection timeout\fR\fR\fI = \fR\fI60\fR\fI \fR
2343
2107
cups options (S)
2354
2118
You should set this parameter to
2356
2120
if your CUPS server
2358
2122
file contains messages such as "Unsupported format \'application/octet\-stream\'" when printing from a Windows client through Samba\&. It is no longer necessary to enable system wide raw printing in
2359
\FC/etc/cups/mime\&.{convs,types}\F[]\&.
2123
/etc/cups/mime\&.{convs,types}\&.
2362
\fI\fIcups options\fR\fR\fI = \fR\fI\FC""\F[]\fR\fI \fR
2126
\fI\fIcups options\fR\fR\fI = \fR\fI""\fR\fI \fR
2365
\fI\fIcups options\fR\fR\fI = \fR\fI\FC"raw media=a4"\F[]\fR\fI \fR
2129
\fI\fIcups options\fR\fR\fI = \fR\fI"raw media=a4"\fR\fI \fR
2368
2132
cups server (G)
2377
2141
If set, this option overrides the ServerName option in the CUPS
2378
\FCclient\&.conf\F[]\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
2142
client\&.conf\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
2380
2144
Optionally, a port can be specified by separating the server name and port number with a colon\&. If no port was specified, the default port for IPP (631) will be used\&.
2383
\fI\fIcups server\fR\fR\fI = \fR\fI\FC""\F[]\fR\fI \fR
2386
\fI\fIcups server\fR\fR\fI = \fR\fI\FCmycupsserver\F[]\fR\fI \fR
2389
\fI\fIcups server\fR\fR\fI = \fR\fI\FCmycupsserver:1631\F[]\fR\fI \fR
2147
\fI\fIcups server\fR\fR\fI = \fR\fI""\fR\fI \fR
2150
\fI\fIcups server\fR\fR\fI = \fR\fImycupsserver\fR\fI \fR
2153
\fI\fIcups server\fR\fR\fI = \fR\fImycupsserver:1631\fR\fI \fR
2541
2305
Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode\&. Certain drivers will do things such as crashing the client\'s Explorer\&.exe with a NULL devmode\&. However, other printer drivers can cause the client\'s spooler service (spoolsv\&.exe) to die if the devmode was not created by the driver itself (i\&.e\&. smbd generates a default devmode)\&.
2543
2307
This parameter should be used with care and tested with the printer driver in question\&. It is better to leave the device mode to NULL and let the Windows client set the correct values\&. Because drivers do not do this all the time, setting
2544
\FCdefault devmode = yes\F[]
2308
default devmode = yes
2545
2309
will instruct smbd to generate a default one\&.
2547
2311
For more information on Windows NT/2k printing and Device Modes, see the
2548
2312
MSDN documentation\&.
2551
\fI\fIdefault devmode\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
2315
\fI\fIdefault devmode\fR\fR\fI = \fR\fIyes\fR\fI \fR
2581
2345
Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/"\&. This allows for interesting things\&.
2584
\fI\fIdefault service\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2348
\fI\fIdefault service\fR\fR\fI = \fR\fI\fR\fI \fR
2587
\fI\fIdefault service\fR\fR\fI = \fR\fI\FCpub\F[]\fR\fI \fR
2351
\fI\fIdefault service\fR\fR\fI = \fR\fIpub\fR\fI \fR
2590
2354
defer sharing violations (G)
2636
2400
\m[blue]\fBdeleteprinter command\fR\m[]
2637
2401
has been executed,
2639
2403
will reparse the
2641
2405
to check that the associated printer no longer exists\&. If the sharename is still valid, then
2643
2407
will return an ACCESS_DENIED error to the client\&.
2646
\fI\fIdeleteprinter command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2410
\fI\fIdeleteprinter command\fR\fR\fI = \fR\fI\fR\fI \fR
2649
\fI\fIdeleteprinter command\fR\fR\fI = \fR\fI\FC/usr/bin/removeprinter\F[]\fR\fI \fR
2413
\fI\fIdeleteprinter command\fR\fR\fI = \fR\fI/usr/bin/removeprinter\fR\fI \fR
2652
2416
delete readonly (S)
2668
2432
Samba 2\&.2\&.0 introduced the ability to dynamically add and delete shares via the Windows NT 4\&.0 Server Manager\&. The
2669
2433
\fIdelete share command\fR
2670
2434
is used to define an external program or script which will remove an existing service definition from
2671
\FCsmb\&.conf\F[]\&.
2673
2437
In order to successfully execute the
2674
2438
\fIdelete share command\fR,
2676
2440
requires that the administrator connects using a root account (i\&.e\&. uid == 0) or has the
2677
\FCSeDiskOperatorPrivilege\F[]\&. Scripts defined in the
2441
SeDiskOperatorPrivilege\&. Scripts defined in the
2678
2442
\fIdelete share command\fR
2679
2443
parameter are executed as root\&.
2683
2447
will automatically invoke the
2684
2448
\fIdelete share command\fR
2685
2449
with two parameters\&.
2714
2478
\m[blue]\fBdeleteprinter command\fR\m[]\&.
2717
\fI\fIdelete share command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2481
\fI\fIdelete share command\fR\fR\fI = \fR\fI\fR\fI \fR
2720
\fI\fIdelete share command\fR\fR\fI = \fR\fI\FC/usr/local/bin/delshare\F[]\fR\fI \fR
2484
\fI\fIdelete share command\fR\fR\fI = \fR\fI/usr/local/bin/delshare\fR\fI \fR
2723
2487
delete user from group script (G)
2748
2512
when managing users with remote RPC (NT) tools\&.
2750
2514
This script is called when a remote client removes a user from the server, normally using \'User Manager for Domains\' or
2753
2517
This script should delete the given UNIX username\&.
2756
\fI\fIdelete user script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2520
\fI\fIdelete user script\fR\fR\fI = \fR\fI\fR\fI \fR
2759
\fI\fIdelete user script\fR\fR\fI = \fR\fI\FC/usr/local/samba/bin/del_user %u\F[]\fR\fI \fR
2523
\fI\fIdelete user script\fR\fR\fI = \fR\fI/usr/local/samba/bin/del_user %u\fR\fI \fR
2762
2526
delete veto files (S)
2772
2536
If this option is set to
2773
2537
\fByes\fR, then Samba will attempt to recursively delete any files and directories within the vetoed directory\&. This can be useful for integration with file serving systems such as NetAtalk which create meta\-files within directories you might normally veto DOS/Windows users from seeing (e\&.g\&.
2774
\FC\&.AppleDouble\F[])
2777
2541
\m[blue]\fBdelete veto files = yes\fR\m[]
2778
2542
allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so)\&.
2781
\fI\fIdelete veto files\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2545
\fI\fIdelete veto files\fR\fR\fI = \fR\fIno\fR\fI \fR
2784
2548
dfree cache time (S)
2816
2580
was added to allow the output of this script to be cached for systems under heavy load\&.
2818
2582
The external program will be passed a single parameter indicating a directory in the filesystem being queried\&. This will typically consist of the string
2819
\FC\&./\F[]\&. The script should return two integers in ASCII\&. The first should be the total disk space in blocks, and the second should be the number of available blocks\&. An optional third return value can give the block size in bytes\&. The default blocksize is 1024 bytes\&.
2583
\&./\&. The script should return two integers in ASCII\&. The first should be the total disk space in blocks, and the second should be the number of available blocks\&. An optional third return value can give the block size in bytes\&. The default blocksize is 1024 bytes\&.
2821
2585
Note: Your script should
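Review bot: On new line 2583 the removed \FC...\F[] wrapper leaves the argument string as "\&./\&." running straight into the sentence, so the rendered page reads "./." and nothing marks where the literal ends. A dfree script author needs the exact argument, so quote the string or restore a font change around it in the DocBook source before regenerating.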
2900
2652
\m[blue]\fBdirectory security mask\fR\m[]\&.
2903
\fI\fIdirectory mask\fR\fR\fI = \fR\fI\FC0755\F[]\fR\fI \fR
2655
\fI\fIdirectory mask\fR\fR\fI = \fR\fI0755\fR\fI \fR
2906
\fI\fIdirectory mask\fR\fR\fI = \fR\fI\FC0775\F[]\fR\fI \fR
2658
\fI\fIdirectory mask\fR\fR\fI = \fR\fI0775\fR\fI \fR
2661
directory name cache size (S)
2662
.\" directory name cache size
2665
This parameter specifies the the size of the directory name cache\&. It will be needed to turn this off for *BSD systems\&.
2668
\fI\fIdirectory name cache size\fR\fR\fI = \fR\fI100\fR\fI \fR
2909
2671
directory security mask (S)
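Review bot: The new description at 2665 has a doubled word ("specifies the the size"), and "It will be needed to turn this off for *BSD systems" does not say which value turns the cache off or what unit the 100 at 2668 counts. Suggest rewording to state the unit and the disabling value explicitly, and to say why *BSD systems need it.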
3034
2794
to enable WAN\-wide browse list collation\&. Setting this option causes
3036
2796
to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given
3037
2797
\m[blue]\fBworkgroup\fR\m[]\&. Local master browsers in the same
3038
2798
\m[blue]\fBworkgroup\fR\m[]
3039
2799
on broadcast\-isolated subnets will give this
3041
2801
their local browse lists, and then ask
3043
2803
for a complete copy of the browse list for the whole wide area network\&. Browser clients will then contact their local master browser, and will receive the domain\-wide browse list, instead of just the list for their broadcast\-isolated subnet\&.
3047
2807
specific special NetBIOS name that identifies them as domain master browsers for that
3048
2808
\m[blue]\fBworkgroup\fR\m[]
3049
2809
by default (i\&.e\&. there is no way to prevent a Windows NT PDC from attempting to do this)\&. This means that if this parameter is set and
3051
2811
claims the special name for a
3052
2812
\m[blue]\fBworkgroup\fR\m[]
3053
2813
before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail\&.
3077
2837
There are certain directories on some systems (e\&.g\&., the
3079
2839
tree under Linux) that are either not of interest to clients or are infinitely deep (recursive)\&. This parameter allows you to specify a comma\-delimited list of directories that the server should always show as empty\&.
3081
2841
Note that Samba can be very fussy about the exact format of the "dont descend" entries\&. For example you may need
3083
2843
instead of just
3084
\FC/proc\F[]\&. Experimentation is the best policy :\-)
2844
/proc\&. Experimentation is the best policy :\-)
3087
\fI\fIdont descend\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2847
\fI\fIdont descend\fR\fR\fI = \fR\fI\fR\fI \fR
3090
\fI\fIdont descend\fR\fR\fI = \fR\fI\FC/proc,/dev\F[]\fR\fI \fR
2850
\fI\fIdont descend\fR\fR\fI = \fR\fI/proc,/dev\fR\fI \fR
3093
2853
dos charset (G)
3161
2921
Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builtin [ADMIN$] share that only supports IPC connections\&. The has been the default behavior in smbd for many years\&. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$} file share\&. Disabling this parameter allows for creating an [ADMIN$] file share in smb\&.conf\&.
3164
\fI\fIenable asu support\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2924
\fI\fIenable asu support\fR\fR\fI = \fR\fIno\fR\fI \fR
2927
enable core files (G)
2928
.\" enable core files
2931
This parameter specifies whether core dumps should be written on internal exits\&. Normally set to
2932
\fByes\fR\&. You should never need to change this\&.
2935
\fI\fIenable core files\fR\fR\fI = \fR\fIyes\fR\fI \fR
2938
\fI\fIenable core files\fR\fR\fI = \fR\fIno\fR\fI \fR
3167
2941
enable privileges (G)
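Review bot: The new enable core files entry says "You should never need to change this" at 2932, yet 2938 lists no as a second value without saying when an administrator would choose it. A core dump holds the process's memory at the time of the exit, so the text should say where the files are written and that setting no is the way to keep that memory off disk.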
3219
3004
In general you should leave this option enabled as it makes cross\-subnet browse propagation much more reliable\&.
3222
\fI\fIenhanced browsing\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
3007
\fI\fIenhanced browsing\fR\fR\fI = \fR\fIyes\fR\fI \fR
3225
3010
enumports command (G)
3226
3011
.\" enumports command
3229
The concept of a "port" is fairly foreign to UNIX hosts\&. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i\&.e\&. LPT1:, COM1:, FILE:) or a remote port (i\&.e\&. LPD Port Monitor, etc\&.\&.\&.)\&. By default, Samba has only one port defined\-\-\fB"Samba Printer Port"\fR\&. Under Windows NT/2000, all printers must have a valid port name\&. If you wish to have a list of ports displayed (\FCsmbd \F[]
3014
The concept of a "port" is fairly foreign to UNIX hosts\&. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i\&.e\&. LPT1:, COM1:, FILE:) or a remote port (i\&.e\&. LPD Port Monitor, etc\&.\&.\&.)\&. By default, Samba has only one port defined\-\-\fB"Samba Printer Port"\fR\&. Under Windows NT/2000, all printers must have a valid port name\&. If you wish to have a list of ports displayed (smbd
3230
3015
does not use a port name for anything) other than the default
3231
3016
\fB"Samba Printer Port"\fR, you can define
3232
3017
\fIenumports command\fR
3233
3018
to point to a program which should generate a list of ports, one per line, to standard output\&. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC\&.
3236
\fI\fIenumports command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
3021
\fI\fIenumports command\fR\fR\fI = \fR\fI\fR\fI \fR
3239
\fI\fIenumports command\fR\fR\fI = \fR\fI\FC/usr/bin/listports\F[]\fR\fI \fR
3024
\fI\fIenumports command\fR\fR\fI = \fR\fI/usr/bin/listports\fR\fI \fR
3242
3027
eventlog list (G)
3246
3031
This option defines a list of log names that Samba will report to the Microsoft EventViewer utility\&. The listed eventlogs will be associated with tdb file on disk in the
3247
\FC$(lockdir)/eventlog\F[]\&.
3032
$(lockdir)/eventlog\&.
3249
3034
The administrator must use an external process to parse the normal Unix logs such as
3250
\FC/var/log/messages\F[]
3251
3036
and write then entries to the eventlog tdb files\&. Refer to the eventlogadm(8) utility for how to write eventlog entries\&.
3254
\fI\fIeventlog list\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
3039
\fI\fIeventlog list\fR\fR\fI = \fR\fI\fR\fI \fR
3257
\fI\fIeventlog list\fR\fR\fI = \fR\fI\FCSecurity Application Syslog Apache\F[]\fR\fI \fR
3042
\fI\fIeventlog list\fR\fR\fI = \fR\fISecurity Application Syslog Apache\fR\fI \fR
3260
3045
fake directory create times (S)
3301
3086
from following symbolic links in a particular share\&. Setting this parameter to
3303
3088
prevents any file or directory that is a symbolic link from being followed (the user will get an error)\&. This option is very useful to stop users from adding a symbolic link to
3305
3090
in their home directory for instance\&. However it will slow filename lookups down slightly\&.
3307
3092
This option is enabled (i\&.e\&.
3309
3094
will follow symbolic links) by default\&.
3312
\fI\fIfollow symlinks\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
3097
\fI\fIfollow symlinks\fR\fR\fI = \fR\fIyes\fR\fI \fR
3315
3100
force create mode (S)
3344
3129
The example below would force all created directories to have read and execute permissions set for \'group\' and \'other\' as well as the read/write/execute bits set for the \'user\'\&.
3347
\fI\fIforce directory mode\fR\fR\fI = \fR\fI\FC000\F[]\fR\fI \fR
3132
\fI\fIforce directory mode\fR\fR\fI = \fR\fI000\fR\fI \fR
3350
\fI\fIforce directory mode\fR\fR\fI = \fR\fI\FC0755\F[]\fR\fI \fR
3135
\fI\fIforce directory mode\fR\fR\fI = \fR\fI0755\fR\fI \fR
3353
3138
force directory security mode (S)
3378
3162
Users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set as 0000\&.
3383
\fI\fIforce directory security mode\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
3166
\fI\fIforce directory security mode\fR\fR\fI = \fR\fI0\fR\fI \fR
3386
\fI\fIforce directory security mode\fR\fR\fI = \fR\fI\FC700\F[]\fR\fI \fR
3169
\fI\fIforce directory security mode\fR\fR\fI = \fR\fI700\fR\fI \fR
3401
3184
This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service\&. This is useful for sharing files by ensuring that all access to files on service will use the named group for their permissions checking\&. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files\&.
3403
3186
In Samba 2\&.0\&.5 and above this parameter has extended functionality in the following way\&. If the group name listed here has a \'+\' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group\&. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group\&. This gives a finer granularity of ownership assignment\&. For example, the setting
3404
\FCforce group = +sys\F[]
3405
3188
means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share\&. All other users will retain their ordinary primary group\&.
3456
3239
that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave this set to 0000\&.
3459
\fI\fIforce security mode\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
3242
\fI\fIforce security mode\fR\fR\fI = \fR\fI0\fR\fI \fR
3462
\fI\fIforce security mode\fR\fR\fI = \fR\fI\FC700\F[]\fR\fI \fR
3245
\fI\fIforce security mode\fR\fR\fI = \fR\fI700\fR\fI \fR
3465
3248
force unknown acl user (S)
3730
3513
(see below)\&. Whatever privileges this user has will be available to any client connecting to the guest service\&. This user must exist in the password file, but does not require a valid login\&. The user account "ftp" is often a good choice for this parameter\&.
3732
3515
On some systems the default guest account "nobody" may not be able to print\&. Use another account in this case\&. You should test this by trying to log in as your guest user (perhaps by using the
3734
3517
command) and trying to print using the system print command such as
3739
3522
This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation\&.
3742
\fI\fIguest account\fR\fR\fI = \fR\fI\FCnobody # default can be changed at compile\-time\F[]\fR\fI \fR
3525
\fI\fIguest account\fR\fR\fI = \fR\fInobody # default can be changed at compile\-time\fR\fI \fR
3745
\fI\fIguest account\fR\fR\fI = \fR\fI\FCftp\F[]\fR\fI \fR
3528
\fI\fIguest account\fR\fR\fI = \fR\fIftp\fR\fI \fR
4000
3753
If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting\&.
4002
3755
You can specify the hosts by name or IP number\&. For example, you could restrict access to only the hosts on a Class C subnet with something like
4003
\FCallow hosts = 150\&.203\&.5\&.\F[]\&. The full syntax of the list is described in the man page
4004
\FChosts_access(5)\F[]\&. Note that this man page may not be present on your system, so a brief description will be given here also\&.
3756
allow hosts = 150\&.203\&.5\&.\&. The full syntax of the list is described in the man page
3757
hosts_access(5)\&. Note that this man page may not be present on your system, so a brief description will be given here also\&.
4006
3759
Note that the localhost address 127\&.0\&.0\&.1 will always be allowed access unless specifically denied by a
4007
3760
\m[blue]\fBhosts deny\fR\m[]
4014
3767
Example 1: allow all IPs in 150\&.203\&.*\&.*; except one
4016
\FChosts allow = 150\&.203\&. EXCEPT 150\&.203\&.6\&.66\F[]
3769
hosts allow = 150\&.203\&. EXCEPT 150\&.203\&.6\&.66
4018
3771
Example 2: allow hosts that match the given network/netmask
4020
\FChosts allow = 150\&.203\&.15\&.0/255\&.255\&.255\&.0\F[]
3773
hosts allow = 150\&.203\&.15\&.0/255\&.255\&.255\&.0
4022
3775
Example 3: allow a couple of hosts
4024
\FChosts allow = lapland, arvidsjaur\F[]
3777
hosts allow = lapland, arvidsjaur
4026
3779
Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host
4028
\FChosts allow = @foonet\F[]
3781
hosts allow = @foonet
4030
\FChosts deny = pirate\F[]
4037
3789
.nr an-no-space-flag 1
4038
3790
.nr an-break-flag 1
4044
3796
Note that access still requires suitable user\-level passwords\&.
4049
3800
\fBtestparm\fR(1)
4050
3801
for a way of testing your host access to see if it does what you expect\&.
4053
\fI\fIhosts allow\fR\fR\fI = \fR\fI\FC # none (i\&.e\&., all hosts permitted access)\F[]\fR\fI \fR
3804
\fI\fIhosts allow\fR\fR\fI = \fR\fI # none (i\&.e\&., all hosts permitted access)\fR\fI \fR
4056
\fI\fIhosts allow\fR\fR\fI = \fR\fI\FC150\&.203\&.5\&. myhost\&.mynet\&.edu\&.au\F[]\fR\fI \fR
3807
\fI\fIhosts allow\fR\fR\fI = \fR\fI150\&.203\&.5\&. myhost\&.mynet\&.edu\&.au\fR\fI \fR
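Review bot: On new line 3756 the subnet prefix loses its \FC wrapper and becomes "allow hosts = 150\&.203\&.5\&.\&.", which renders as 150.203.5.. with the pattern's trailing dot indistinguishable from the full stop. That trailing dot is what makes the value a prefix match, so a reader copying it can end up with the wrong access list; quote the value in the source. Also, in this view Example 4 shows "hosts deny = pirate" only on the old side (4030), so confirm the deny line is still present in the regenerated page.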
4077
3828
list takes precedence\&.
4079
3830
In the event that it is necessary to deny all by default, use the keyword ALL (or the netmask
4080
\FC0\&.0\&.0\&.0/0\F[]) and then explicitly specify to the
3831
0\&.0\&.0\&.0/0) and then explicitly specify to the
4081
3832
\m[blue]\fBhosts allow = hosts allow\fR\m[]
4082
3833
parameter those hosts that should be permitted access\&.
4085
\fI\fIhosts deny\fR\fR\fI = \fR\fI\FC # none (i\&.e\&., no hosts specifically excluded)\F[]\fR\fI \fR
3836
\fI\fIhosts deny\fR\fR\fI = \fR\fI # none (i\&.e\&., no hosts specifically excluded)\fR\fI \fR
4088
\fI\fIhosts deny\fR\fR\fI = \fR\fI\FC150\&.203\&.4\&. badhost\&.mynet\&.edu\&.au\F[]\fR\fI \fR
3839
\fI\fIhosts deny\fR\fR\fI = \fR\fI150\&.203\&.4\&. badhost\&.mynet\&.edu\&.au\fR\fI \fR
4091
3842
idmap alloc backend (G)
4304
4041
from the current working directory, but instead reads the global configuration options from the registry\&. See the section on registry\-based configuration for details\&. Note that this option automatically activates registry shares\&.
4307
\fI\fIinclude\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4044
\fI\fIinclude\fR\fR\fI = \fR\fI\fR\fI \fR
4310
\fI\fIinclude\fR\fR\fI = \fR\fI\FC/usr/local/samba/lib/admin_smb\&.conf\F[]\fR\fI \fR
4047
\fI\fIinclude\fR\fR\fI = \fR\fI/usr/local/samba/lib/admin_smb\&.conf\fR\fI \fR
4313
4050
inherit acls (S)
4452
4189
The example below configures three network interfaces corresponding to the eth0 device and IP addresses 192\&.168\&.2\&.10 and 192\&.168\&.3\&.10\&. The netmasks of the latter two interfaces would be set to 255\&.255\&.255\&.0\&.
4455
\fI\fIinterfaces\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4192
\fI\fIinterfaces\fR\fR\fI = \fR\fI\fR\fI \fR
4458
\fI\fIinterfaces\fR\fR\fI = \fR\fI\FCeth0 192\&.168\&.2\&.10/24 192\&.168\&.3\&.10/255\&.255\&.255\&.0\F[]\fR\fI \fR
4195
\fI\fIinterfaces\fR\fR\fI = \fR\fIeth0 192\&.168\&.2\&.10/24 192\&.168\&.3\&.10/255\&.255\&.255\&.0\fR\fI \fR
4461
4198
invalid users (S)
4494
4231
\fBiprint\fR\&.
4496
4233
If set, this option overrides the ServerName option in the CUPS
4497
\FCclient\&.conf\F[]\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
4234
client\&.conf\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
4500
\fI\fIiprint server\fR\fR\fI = \fR\fI\FC""\F[]\fR\fI \fR
4237
\fI\fIiprint server\fR\fR\fI = \fR\fI""\fR\fI \fR
4503
\fI\fIiprint server\fR\fR\fI = \fR\fI\FCMYCUPSSERVER\F[]\fR\fI \fR
4240
\fI\fIiprint server\fR\fR\fI = \fR\fIMYCUPSSERVER\fR\fI \fR
4629
4366
The LANMAN encrypted response is easily broken, due to its case\-insensitive nature, and the choice of algorithm\&. Servers without Windows 95/98/ME or MS DOS clients are advised to disable this option\&.
4632
\FCencrypt passwords\F[]
4633
4370
option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network\&. See the
4634
\FCclient lanman auth\F[]
4635
4372
to disable this for Samba\'s clients (such as smbclient)
4637
4374
If this option, and
4639
4376
are both disabled, then only NTLMv2 logins will be permited\&. Not all clients support NTLMv2, and most will require special configuration to use it\&.
4642
\fI\fIlanman auth\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4379
\fI\fIlanman auth\fR\fR\fI = \fR\fIno\fR\fI \fR
4645
4382
large readwrite (G)
4782
4519
string so use a partial DN\&.
4785
\fI\fIldap machine suffix\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4788
\fI\fIldap machine suffix\fR\fR\fI = \fR\fI\FCou=Computers\F[]\fR\fI \fR
4522
\fI\fIldap machine suffix\fR\fR\fI = \fR\fI\fR\fI \fR
4525
\fI\fIldap machine suffix\fR\fR\fI = \fR\fIou=Computers\fR\fI \fR
4532
This parameter specifies the number of entries per page\&.
4534
If the LDAP server supports paged results, clients can request subsets of search results (pages) instead of the entire list\&. This parameter specifies the size of these pages\&.
4537
\fI\fIldap page size\fR\fR\fI = \fR\fI1024\fR\fI \fR
4540
\fI\fIldap page size\fR\fR\fI = \fR\fI512\fR\fI \fR
4791
4543
ldap passwd sync (G)
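Review bot: The added ldap page size text says the same thing twice ("specifies the number of entries per page" at 4532 and "specifies the size of these pages" at 4534) and never says what Samba does when the LDAP server does not support paged results. Suggest merging the two sentences and documenting the fallback behaviour next to the 1024 and 512 values.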
4859
4611
Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller eliminating the need to set up custom scripts to add and manage the posix users and groups\&. This option will instead directly manipulate the ldap tree to create, remove and modify user and group entries\&. This option also requires a running winbindd as it is used to allocate new uids/gids on user/group creation\&. The allocation range must be therefore configured\&.
4861
4613
To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured\&. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command
4862
\FCnet sam provision\F[]\&. To run this command the ldap server must be running, Winindd must be running and the smb\&.conf ldap options must be properly configured\&. The typical ldap setup used with the
4614
net sam provision\&. To run this command the ldap server must be running, Winindd must be running and the smb\&.conf ldap options must be properly configured\&. The typical ldap setup used with the
4863
4615
\m[blue]\fBldapsam:trusted = yes\fR\m[]
4864
4616
option is usually sufficient to use
4865
4617
\m[blue]\fBldapsam:editposix = yes\fR\m[]
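Review bot: Regenerated line 4614 still carries the misspelling "Winindd must be running" from the old side (4862). This sentence lists the prerequisites for net sam provision, so correct it to winbindd in the DocBook source to match "requires a running winbindd" at 4611.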
5212
4936
to try and become a local master browser on a subnet\&. If set to
5216
4940
will not attempt to become a local master browser on a subnet and will also lose in all browsing elections\&. By default this value is set to
5217
4941
\fByes\fR\&. Setting this value to
5219
4943
doesn\'t mean that Samba will
5221
4945
the local master browser on a subnet, just that
5224
4948
\fIparticipate\fR
5225
4949
in elections for local master browser\&.
5267
4991
This controls whether or not locking will be performed by the server in response to lock requests from the client\&.
5270
\FClocking = no\F[], all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking\&.
4994
locking = no, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking\&.
5273
\FClocking = yes\F[], real locking will be performed by the server\&.
4997
locking = yes, real locking will be performed by the server\&.
5599
5323
This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user\'s home directory\&. This is done in the following way:
5602
\FClogon home = \e\e%N\e%U\eprofile\F[]
5326
logon home = \e\e%N\e%U\eprofile
5604
5328
This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request\&. Win9X clients truncate the info to \e\eserver\eshare when a user does
5605
\FCnet use /home\F[]
5606
5330
but use the whole string when dealing with profiles\&.
5608
5332
Note that in prior versions of Samba, the
5609
5333
\m[blue]\fBlogon path\fR\m[]
5610
5334
was returned rather than
5611
5335
\fIlogon home\fR\&. This broke
5612
\FCnet use /home\F[]
5613
5337
but allowed profiles outside the home directory\&. The current implementation is correct, and can be used for profiles if you use the above trick\&.
5615
5339
Disable this feature by setting
5636
5360
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine\&. It also specifies the directory from which the "Application Data",
5639
\FCnetwork neighborhood\F[],
5363
network neighborhood,
5641
5365
and other folders, and their contents, are loaded and displayed on your Windows NT client\&.
5643
5367
The share and the path must be readable by the user for the preferences and directories to be loaded onto the Windows NT client\&. The share must be writeable when the user logs in for the first time, in order that the Windows NT client can create the NTuser\&.dat and other directories\&. Thereafter, the directories and any of the contents can, if required, be made read\-only\&. It is not advisable that the NTuser\&.dat file be made read\-only \- rename it to NTuser\&.man to achieve the desired effect (a
5684
.BB lightgray adjust-for-leading-newline
5687
5401
logon path = \e\ePROFILESERVER\ePROFILE\e%U
5688
.EB lightgray adjust-for-leading-newline
5700
\fI\fIlogon path\fR\fR\fI = \fR\fI\FC\e\e%N\e%U\eprofile\F[]\fR\fI \fR
5408
\fI\fIlogon path\fR\fR\fI = \fR\fI\e\e%N\e%U\eprofile\fR\fI \fR
5703
5411
logon script (G)
5704
5412
.\" logon script
5707
This parameter specifies the batch file (\FC\&.bat\F[]) or NT command file (\FC\&.cmd\F[]) to be downloaded and run on a machine when a user successfully logs in\&. The file must contain the DOS style CR/LF line endings\&. Using a DOS\-style editor to create the file is recommended\&.
5415
This parameter specifies the batch file (\&.bat) or NT command file (\&.cmd) to be downloaded and run on a machine when a user successfully logs in\&. The file must contain the DOS style CR/LF line endings\&. Using a DOS\-style editor to create the file is recommended\&.
5709
5417
The script must be a relative path to the
5710
5418
\fI[netlogon]\fR
5711
5419
service\&. If the [netlogon] service specifies a
5712
5420
\m[blue]\fBpath\fR\m[]
5714
\FC/usr/local/samba/netlogon\F[], and
5422
/usr/local/samba/netlogon, and
5715
5423
\m[blue]\fBlogon script = STARTUP\&.BAT\fR\m[], then the file that will be downloaded is:
5726
.BB lightgray adjust-for-leading-newline
5729
5429
/usr/local/samba/netlogon/STARTUP\&.BAT
5730
.EB lightgray adjust-for-leading-newline
5741
5435
The contents of the batch file are entirely your choice\&. A suggested command would be to add
5742
\FCNET TIME \e\eSERVER /SET /YES\F[], to force every machine to synchronize clocks with the same time server\&. Another use would be to add
5743
\FCNET USE U: \e\eSERVER\eUTILS\F[]
5436
NET TIME \e\eSERVER /SET /YES, to force every machine to synchronize clocks with the same time server\&. Another use would be to add
5437
NET USE U: \e\eSERVER\eUTILS
5744
5438
for commonly used utilities, or
5755
.BB lightgray adjust-for-leading-newline
5758
5444
\fBNET USE Q: \e\eSERVER\eISO9001_QA\fR
5759
.EB lightgray adjust-for-leading-newline
5802
5482
Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server\&.
5805
\fI\fIlppause command\fR\fR\fI = \fR\fI\FC # Currently no default value is given to this string, unless the value of the \m[blue]\fBprinting\fR\m[] parameter is \fBSYSV\fR, in which case the default is : \FClp \-i %p\-%j \-H hold\F[] or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is: \FCqstat \-s \-j%j \-h\F[]\&. \F[]\fR\fI \fR
5485
\fI\fIlppause command\fR\fR\fI = \fR\fI # Currently no default value is given to this string, unless the value of the \m[blue]\fBprinting\fR\m[] parameter is \fBSYSV\fR, in which case the default is : lp \-i %p\-%j \-H hold or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is: qstat \-s \-j%j \-h\&. \fR\fI \fR
5808
\fI\fIlppause command\fR\fR\fI = \fR\fI\FC/usr/bin/lpalt %p\-%j \-p0\F[]\fR\fI \fR
5488
\fI\fIlppause command\fR\fR\fI = \fR\fI/usr/bin/lpalt %p\-%j \-p0\fR\fI \fR
5811
5491
lpq cache time (G)
5815
5495
This controls how long lpq info will be cached for to prevent the
5817
5497
command being called too often\&. A separate cache is kept for each variation of the
5819
5499
command used by the system, so if you use different
5821
5501
commands for different users then they won\'t share cache information\&.
5823
5503
The cache files are stored in
5824
\FC/tmp/lpq\&.xxxx\F[]
5825
5505
where xxxx is a hash of the
5827
5507
command in use\&.
5829
5509
The default is 30 seconds, meaning that the cached results of a previous identical
5831
5511
command will be used if the cached data is less than 30 seconds old\&. A large value may be advisable if your
5833
5513
command is very slow\&.
5835
5515
A value of 0 will disable caching completely\&.
5838
\fI\fIlpq cache time\fR\fR\fI = \fR\fI\FC30\F[]\fR\fI \fR
5518
\fI\fIlpq cache time\fR\fR\fI = \fR\fI30\fR\fI \fR
5841
\fI\fIlpq cache time\fR\fR\fI = \fR\fI\FC10\F[]\fR\fI \fR
5521
\fI\fIlpq cache time\fR\fR\fI = \fR\fI10\fR\fI \fR
5844
5524
lpq command (S)
5905
5585
\fBSYSV\fR, in which case the default is:
5907
\FClp \-i %p\-%j \-H resume\F[]
5587
lp \-i %p\-%j \-H resume
5909
5589
or if the value of the
5912
5592
\fBSOFTQ\fR, then the default is:
5914
\FCqstat \-s \-j%j \-r\F[]
5916
5596
\fINo default\fR
5919
\fI\fIlpresume command\fR\fR\fI = \fR\fI\FC/usr/bin/lpalt %p\-%j \-p2\F[]\fR\fI \fR
5599
\fI\fIlpresume command\fR\fR\fI = \fR\fI/usr/bin/lpalt %p\-%j \-p2\fR\fI \fR
5922
5602
lprm command (S)
5951
.BB lightgray adjust-for-leading-newline
5954
5626
lprm command = /usr/bin/lprm \-P%p %j
5958
5630
lprm command = /usr/bin/cancel %p\-%j
5959
.EB lightgray adjust-for-leading-newline
5971
\fI\fIlprm command\fR\fR\fI = \fR\fI\FC determined by printing parameter\F[]\fR\fI \fR
5637
\fI\fIlprm command\fR\fR\fI = \fR\fI determined by printing parameter\fR\fI \fR
5974
5640
machine password timeout (G)
5978
5644
If a Samba server is a member of a Windows NT Domain (see the
5979
5645
\m[blue]\fBsecurity = domain\fR\m[]
5980
5646
parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called
5981
\FCprivate/secrets\&.tdb \F[]\&. This parameter specifies how often this password will be changed, in seconds\&. The default is one week (expressed in seconds), the same as a Windows NT Domain member server\&.
5647
private/secrets\&.tdb\&. This parameter specifies how often this password will be changed, in seconds\&. The default is one week (expressed in seconds), the same as a Windows NT Domain member server\&.
5984
5650
\fBsmbpasswd\fR(8), and the
6148
5812
controls the algorithm used for the generating the mangled names\&. Can take two different values, "hash" and "hash2"\&. "hash" is the algorithm that was used used in Samba for many years and was the default in Samba 2\&.2\&.x "hash2" is now the default and is newer and considered a better algorithm (generates less collisions) in the names\&. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications may break unless reinstalled\&.
6151
\fI\fImangling method\fR\fR\fI = \fR\fI\FChash2\F[]\fR\fI \fR
5815
\fI\fImangling method\fR\fR\fI = \fR\fIhash2\fR\fI \fR
6154
\fI\fImangling method\fR\fR\fI = \fR\fI\FChash\F[]\fR\fI \fR
5818
\fI\fImangling method\fR\fR\fI = \fR\fIhash\fR\fI \fR
6157
5821
map acl inherit (S)
6437
6101
This option (an integer in kilobytes) specifies the max size the log file should grow to\&. Samba periodically checks the size and if it is exceeded it will rename the file, adding a
6441
6105
A size of 0 means no limit\&.
6444
\fI\fImax log size\fR\fR\fI = \fR\fI\FC5000\F[]\fR\fI \fR
6108
\fI\fImax log size\fR\fR\fI = \fR\fI5000\fR\fI \fR
6447
\fI\fImax log size\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
6111
\fI\fImax log size\fR\fR\fI = \fR\fI1000\fR\fI \fR
6562
6226
Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
6565
\fI\fImax protocol\fR\fR\fI = \fR\fI\FCNT1\F[]\fR\fI \fR
6229
\fI\fImax protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
6568
\fI\fImax protocol\fR\fR\fI = \fR\fI\FCLANMAN1\F[]\fR\fI \fR
6232
\fI\fImax protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
6571
6235
max reported print jobs (S)
6575
6239
This parameter limits the maximum number of jobs displayed in a port monitor for Samba printer queue at any given moment\&. If this number is exceeded, the excess jobs will not be shown\&. A value of zero means there is no limit on the number of print jobs reported\&.
6578
\fI\fImax reported print jobs\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6242
\fI\fImax reported print jobs\fR\fR\fI = \fR\fI0\fR\fI \fR
6581
\fI\fImax reported print jobs\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
6245
\fI\fImax reported print jobs\fR\fR\fI = \fR\fI1000\fR\fI \fR
6584
6248
max smbd processes (G)
6607
6271
being used to speed up case insensitive name mappings\&. It represents the number of kilobyte (1024) units the stat cache can use\&. A value of zero, meaning unlimited, is not advisable due to increased memory useage\&. You should not need to change this parameter\&.
6610
\fI\fImax stat cache size\fR\fR\fI = \fR\fI\FC256\F[]\fR\fI \fR
6274
\fI\fImax stat cache size\fR\fR\fI = \fR\fI256\fR\fI \fR
6613
\fI\fImax stat cache size\fR\fR\fI = \fR\fI\FC100\F[]\fR\fI \fR
6277
\fI\fImax stat cache size\fR\fR\fI = \fR\fI100\fR\fI \fR
6648
6312
This option controls the maximum packet size that will be negotiated by Samba\&. The default is 16644, which matches the behavior of Windows 2000\&. A value below 2048 is likely to cause problems\&. You should never need to change this parameter from its default value\&.
6651
\fI\fImax xmit\fR\fR\fI = \fR\fI\FC16644\F[]\fR\fI \fR
6315
\fI\fImax xmit\fR\fR\fI = \fR\fI16644\fR\fI \fR
6654
\fI\fImax xmit\fR\fR\fI = \fR\fI\FC8192\F[]\fR\fI \fR
6318
\fI\fImax xmit\fR\fR\fI = \fR\fI8192\fR\fI \fR
6657
6321
message command (G)
6676
.BB lightgray adjust-for-leading-newline
6679
\FCmessage command = csh \-c \'xedit %s;rm %s\' &\F[]
6680
.EB lightgray adjust-for-leading-newline
6335
message command = csh \-c \'xedit %s;rm %s\' &
6691
6341
This delivers the message using
6692
\FCxedit\F[], then removes it afterwards\&.
6342
xedit, then removes it afterwards\&.
6693
6343
\fINOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY\fR\&. That\'s why I have the \'&\' on the end\&. If it doesn\'t return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully)\&.
6695
6345
All messages are delivered as the global guest user\&. The command takes the standard substitutions, although
6779
.BB lightgray adjust-for-leading-newline
6782
\FCmessage command = rm %s\F[]
6783
.EB lightgray adjust-for-leading-newline
6410
message command = rm %s
6795
\fI\fImessage command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
6417
\fI\fImessage command\fR\fR\fI = \fR\fI\fR\fI \fR
6798
\fI\fImessage command\fR\fR\fI = \fR\fI\FCcsh \-c \'xedit %s; rm %s\' &\F[]\fR\fI \fR
6420
\fI\fImessage command\fR\fR\fI = \fR\fIcsh \-c \'xedit %s; rm %s\' &\fR\fI \fR
6801
6423
min print space (S)
6805
6427
This sets the minimum amount of free disk space that must be available before a user will be able to spool a print job\&. It is specified in kilobytes\&. The default is 0, which means a user can always spool a print job\&.
6808
\fI\fImin print space\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6430
\fI\fImin print space\fR\fR\fI = \fR\fI0\fR\fI \fR
6811
\fI\fImin print space\fR\fR\fI = \fR\fI\FC2000\F[]\fR\fI \fR
6433
\fI\fImin print space\fR\fR\fI = \fR\fI2000\fR\fI \fR
6814
6436
min protocol (G)
6818
6440
The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support\&. Please refer to the
6819
6441
\m[blue]\fBmax protocol\fR\m[]
6820
6442
parameter for a list of valid protocol names and a brief description of each\&. You may also wish to refer to the C source code in
6821
\FCsource/smbd/negprot\&.c\F[]
6443
source/smbd/negprot\&.c
6822
6444
for a listing of known protocol dialects supported by clients\&.
6824
6446
If you are viewing this parameter as a security measure, you should also refer to the
6888
6510
\fByes\fR, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory\&. Dfs links are specified in the share directory by symbolic links of the form
6889
\FCmsdfs:serverA\e\eshareA,serverB\e\eshareB\F[]
6511
msdfs:serverA\e\eshareA,serverB\e\eshareB
6890
6512
and so on\&. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the Samba3\-HOWTO book\&.
6893
\fI\fImsdfs root\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
6515
\fI\fImsdfs root\fR\fR\fI = \fR\fIno\fR\fI \fR
6896
6518
name cache timeout (G)
6940
6562
: Do a standard host name to IP address resolution, using the system
6941
\FC/etc/hosts \F[], NIS, or DNS lookups\&. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the
6942
\FC/etc/nsswitch\&.conf\F[]
6563
/etc/hosts, NIS, or DNS lookups\&. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the
6564
/etc/nsswitch\&.conf
6943
6565
file\&. Note that this method is used only if the NetBIOS name type being queried is the 0x20 (server) name type or 0x1c (domain controllers)\&. The latter case is only useful for active directory domains and results in a DNS query for the SRV RR entry matching _ldap\&._tcp\&.domain\&.
6974
6596
The example below will cause the local lmhosts file to be examined first, followed by a broadcast attempt, followed by a normal system hostname lookup\&.
6976
When Samba is functioning in ADS security mode (\FCsecurity = ads\F[]) it is advised to use following settings for
6598
When Samba is functioning in ADS security mode (security = ads) it is advised to use following settings for
6977
6599
\fIname resolve order\fR:
6979
\FCname resolve order = wins bcast\F[]
6601
name resolve order = wins bcast
6981
6603
DC lookups will still be done via DNS, but fallbacks to netbios names will not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups\&.
6984
\fI\fIname resolve order\fR\fR\fI = \fR\fI\FClmhosts host wins bcast\F[]\fR\fI \fR
6606
\fI\fIname resolve order\fR\fR\fI = \fR\fIlmhosts host wins bcast\fR\fI \fR
6987
\fI\fIname resolve order\fR\fR\fI = \fR\fI\FClmhosts bcast host\F[]\fR\fI \fR
6609
\fI\fIname resolve order\fR\fR\fI = \fR\fIlmhosts bcast host\fR\fI \fR
6990
6612
netbios aliases (G)
6994
6616
This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known\&. This allows one machine to appear in browse lists under multiple names\&. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities\&.
6997
\fI\fInetbios aliases\fR\fR\fI = \fR\fI\FC # empty string (no additional names)\F[]\fR\fI \fR
6619
\fI\fInetbios aliases\fR\fR\fI = \fR\fI # empty string (no additional names)\fR\fI \fR
7000
\fI\fInetbios aliases\fR\fR\fI = \fR\fI\FCTEST TEST1 TEST2\F[]\fR\fI \fR
6622
\fI\fInetbios aliases\fR\fR\fI = \fR\fITEST TEST1 TEST2\fR\fI \fR
7003
6625
netbios name (G)
7007
6629
This sets the NetBIOS name by which a Samba server is known\&. By default it is the same as the first component of the host\'s DNS name\&. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under\&.
7009
6631
There is a bug in Samba\-3 that breaks operation of browsing and access to shares if the netbios name is set to the literal name
7010
\FCPIPE\F[]\&. To avoid this problem, do not name your Samba\-3 server
6632
PIPE\&. To avoid this problem, do not name your Samba\-3 server
7014
\fI\fInetbios name\fR\fR\fI = \fR\fI\FC # machine DNS name\F[]\fR\fI \fR
6636
\fI\fInetbios name\fR\fR\fI = \fR\fI # machine DNS name\fR\fI \fR
7017
\fI\fInetbios name\fR\fR\fI = \fR\fI\FCMYNAME\F[]\fR\fI \fR
6639
\fI\fInetbios name\fR\fR\fI = \fR\fIMYNAME\fR\fI \fR
7020
6642
netbios scope (G)
7066
6688
will attempt to authenticate users using the NTLM encrypted password response\&. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client\&.
7068
6690
If this option, and
7070
6692
are both disabled, then only NTLMv2 logins will be permited\&. Not all clients support NTLMv2, and most will require special configuration to use it\&.
7073
\fI\fIntlm auth\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
6695
\fI\fIntlm auth\fR\fR\fI = \fR\fIyes\fR\fI \fR
7076
6698
nt pipe support (G)
7217
6835
This boolean option tells
7219
whether to issue oplocks (opportunistic locks) to file open requests on this share\&. The oplock code can dramatically (approx\&. 30% or more) improve the speed of access to files on Samba servers\&. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers)\&. For more information see the file
6837
whether to issue oplocks (opportunistic locks) to file open requests on this share\&. The oplock code can dramatically (approx\&. 30% or more) improve the speed of access to files on Samba servers\&. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers)\&.
7225
6839
Oplocks may be selectively turned off on certain files with a share\&. See the
7226
6840
\m[blue]\fBveto oplock files\fR\m[]
7241
6855
<nt driver name> = <os2 driver name>\&.<device name>
7243
6857
For example, a valid entry using the HP LaserJet 5 printer driver would appear as
7244
\FCHP LaserJet 5L = LASERJET\&.HP LaserJet 5L\F[]\&.
6858
HP LaserJet 5L = LASERJET\&.HP LaserJet 5L\&.
7246
6860
The need for the file is due to the printer driver namespace problem described in the chapter on Classical Printing in the Samba3\-HOWTO book\&. For more details on OS/2 clients, please refer to chapter on other clients in the Samba3\-HOWTO book\&.
7249
\fI\fIos2 driver map\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
6863
\fI\fIos2 driver map\fR\fR\fI = \fR\fI\fR\fI \fR
7295
6909
crashes\&. This is usually used to draw attention to the fact that a problem occurred\&.
7298
\fI\fIpanic action\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
6912
\fI\fIpanic action\fR\fR\fI = \fR\fI\fR\fI \fR
7301
\fI\fIpanic action\fR\fR\fI = \fR\fI\FC"/bin/sleep 90000"\F[]\fR\fI \fR
6915
\fI\fIpanic action\fR\fR\fI = \fR\fI"/bin/sleep 90000"\fR\fI \fR
7304
6918
paranoid server security (G)
7393
6999
or multi server LDAP URL with Netscape based LDAP library:
7395
7001
passdb backend = ldapsam:"ldap://ldap\-1\&.example\&.com ldap\-2\&.example\&.com"
7396
.EB lightgray adjust-for-leading-newline
7408
\fI\fIpassdb backend\fR\fR\fI = \fR\fI\FCtdbsam\F[]\fR\fI \fR
7008
\fI\fIpassdb backend\fR\fR\fI = \fR\fItdbsam\fR\fI \fR
7411
7011
passdb expand explicit (G)
7491
7091
\fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output\&. The \en macro is ignored for PAM conversions\&.
7494
\fI\fIpasswd chat\fR\fR\fI = \fR\fI\FC*new*password* %n\en*new*password* %n\en *changed*\F[]\fR\fI \fR
7094
\fI\fIpasswd chat\fR\fR\fI = \fR\fI*new*password* %n\en*new*password* %n\en *changed*\fR\fI \fR
7497
\fI\fIpasswd chat\fR\fR\fI = \fR\fI\FC"*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"\F[]\fR\fI \fR
7097
\fI\fIpasswd chat\fR\fR\fI = \fR\fI"*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"\fR\fI \fR
7500
7100
passwd program (G)
7581
7181
By specifying the name of another SMB server or Active Directory domain controller with this option, and using
7582
\FCsecurity = [ads|domain|server]\F[]
7182
security = [ads|domain|server]
7583
7183
it is possible to get Samba to do all its username/password validation using a specific remote server\&.
7585
7185
This option sets the name or IP address of the password server to use\&. New syntax has been added to support defining the port to use when connecting to the server the case of an ADS realm\&. To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e\&.g\&. 192\&.168\&.1\&.100:389)\&. If you do not specify a port, Samba will use the standard LDAP port of tcp/389\&. Note that port numbers have no effect on password servers for Windows NT 4\&.0 domains or netbios connections\&.
7620
7218
\fBads\fR, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character \'*\', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on\&. The advantage of using
7621
\FC security = domain\F[]
7622
7220
is that if you list several hosts in the
7623
7221
\fIpassword server\fR
7626
7224
will try each in turn till it finds one that responds\&. This is useful in case your primary server goes down\&.
7651
7249
You may list several password servers in the
7652
7250
\fIpassword server\fR
7653
7251
parameter, however if an
7655
7253
makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this
7656
\FCsmbd\F[]\&. This is a restriction of the SMB/CIFS protocol when in
7657
\FCsecurity = server \F[]
7254
smbd\&. This is a restriction of the SMB/CIFS protocol when in
7658
7256
mode and cannot be fixed in Samba\&.
7669
7267
If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in
7670
\FC security = server\F[]
7671
7269
mode the network logon will appear to come from there rather than from the users workstation\&.
7675
\fI\fIpassword server\fR\fR\fI = \fR\fI\FC*\F[]\fR\fI \fR
7678
\fI\fIpassword server\fR\fR\fI = \fR\fI\FCNT\-PDC, NT\-BDC1, NT\-BDC2, *\F[]\fR\fI \fR
7681
\fI\fIpassword server\fR\fR\fI = \fR\fI\FCwindc\&.mydomain\&.com:389 192\&.168\&.1\&.101 *\F[]\fR\fI \fR
7273
\fI\fIpassword server\fR\fR\fI = \fR\fI*\fR\fI \fR
7276
\fI\fIpassword server\fR\fR\fI = \fR\fINT\-PDC, NT\-BDC1, NT\-BDC2, *\fR\fI \fR
7279
\fI\fIpassword server\fR\fR\fI = \fR\fIwindc\&.mydomain\&.com:389 192\&.168\&.1\&.101 *\fR\fI \fR
7757
7355
An interesting example may be to unmount server resources:
7759
\FCpostexec = /etc/umount /cdrom\F[]
7357
postexec = /etc/umount /cdrom
7762
\fI\fIpostexec\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7360
\fI\fIpostexec\fR\fR\fI = \fR\fI\fR\fI \fR
7765
\fI\fIpostexec\fR\fR\fI = \fR\fI\FCecho \e"%u disconnected from %S from %m (%I)\e" >> /tmp/log\F[]\fR\fI \fR
7363
\fI\fIpostexec\fR\fR\fI = \fR\fIecho \e"%u disconnected from %S from %m (%I)\e" >> /tmp/log\fR\fI \fR
7768
7366
preexec close (S)
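Review bot: The example value at old 7765 / new 7363 appends to /tmp/log, a fixed file name in a world-writable directory, so any local account can create that path (as a file or as a symlink) before the command first runs. Since the line is being regenerated anyway, change the example in the source to write to a log file in a directory that only the Samba service can write to, so the documented pattern is safe to copy.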
7829
7427
If this is set to
7830
7428
\fByes\fR, on startup,
7832
7430
will force an election, and it will have a slight advantage in winning the election\&. It is recommended that this parameter is used in conjunction with
7833
7431
\m[blue]\fBdomain master = yes\fR\m[], so that
7835
7433
can guarantee becoming a domain master\&.
7837
7435
Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser\&. This will result in unnecessary broadcast traffic and reduced browsing capabilities\&.
7840
\fI\fIpreferred master\fR\fR\fI = \fR\fI\FCauto\F[]\fR\fI \fR
7438
\fI\fIpreferred master\fR\fR\fI = \fR\fIauto\fR\fI \fR
7843
7441
preload modules (G)
7946
7544
This parameter may be used to override the compiled\-in default printcap name used by the server (usually
7947
\FC /etc/printcap\F[])\&. See the discussion of the
7545
/etc/printcap)\&. See the discussion of the
7949
7547
section above for reasons why you might want to do this\&.
7951
7549
To use the CUPS printing interface set
7952
\FCprintcap name = cups \F[]\&. This should be supplemented by an addtional setting
7550
printcap name = cups\&. This should be supplemented by an addtional setting
7953
7551
\m[blue]\fBprinting = cups\fR\m[]
7954
7552
in the [global] section\&.
7955
\FCprintcap name = cups\F[]
7553
printcap name = cups
7956
7554
will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file\&.
7958
7556
On System V systems that use
7960
7558
to list available printers you can use
7961
\FCprintcap name = lpstat \F[]
7559
printcap name = lpstat
7962
7560
to automatically obtain lists of available printers\&. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems)\&. If
7963
7561
\fI printcap name\fR
7966
7564
on these systems then Samba will launch
7968
7566
and attempt to parse the output to obtain a printer list\&.
7970
7568
A minimal printcap file would look something like this:
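Review bot: The replacement line at new 7550 carries over the misspelling "addtional" from old 7952 ("This should be supplemented by an addtional setting"). Fix it to "additional" in the source the page is generated from, otherwise the next regeneration will reintroduce it.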
8014
7597
Under AIX the default printcap name is
8015
\FC/etc/qconfig\F[]\&. Samba will assume the file is in AIX
7598
/etc/qconfig\&. Samba will assume the file is in AIX
8017
7600
format if the string
8019
7602
appears in the printcap filename\&.
8024
\fI\fIprintcap name\fR\fR\fI = \fR\fI\FC/etc/printcap\F[]\fR\fI \fR
7606
\fI\fIprintcap name\fR\fR\fI = \fR\fI/etc/printcap\fR\fI \fR
8027
\fI\fIprintcap name\fR\fR\fI = \fR\fI\FC/etc/myprintcap\F[]\fR\fI \fR
7609
\fI\fIprintcap name\fR\fR\fI = \fR\fI/etc/myprintcap\fR\fI \fR
8030
7612
print command (S)
8034
7616
After a print job has finished spooling to a service, this command will be used via a
8036
7618
call to process the spool file\&. Typically the command specified will submit the spool file to the host\'s printing subsystem, but there is no requirement that this be the case\&. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files\&.
8038
7620
The print command is simply a text string\&. It will be used verbatim after macro substitutions have been made:
8072
7654
You can form quite complex print commands by realizing that they are just passed to a shell\&. For example the following will log a print job, print the file, then remove it\&. Note that \';\' is the usual separator for command in shell scripts\&.
8074
\FCprint command = echo Printing %s >> /tmp/print\&.log; lpr \-P %p %s; rm %s\F[]
7656
print command = echo Printing %s >> /tmp/print\&.log; lpr \-P %p %s; rm %s
8076
7658
You may have to vary this command considerably depending on how you normally print files on your system\&. The default for the parameter varies depending on the setting of the
8077
7659
\m[blue]\fBprinting\fR\m[]
8081
\FCprinting = BSD, AIX, QNX, LPRNG or PLP :\F[]
8083
\FCprint command = lpr \-r \-P%p %s\F[]
8086
\FCprinting = SYSV or HPUX :\F[]
8088
\FCprint command = lp \-c \-d%p %s; rm %s\F[]
8091
\FCprinting = SOFTQ :\F[]
8093
\FCprint command = lp \-d%p \-s %s; rm %s\F[]
7663
printing = BSD, AIX, QNX, LPRNG or PLP :
7665
print command = lpr \-r \-P%p %s
7668
printing = SYSV or HPUX :
7670
print command = lp \-c \-d%p %s; rm %s
7675
print command = lp \-d%p \-s %s; rm %s
8095
7677
For printing = CUPS : If SAMBA is compiled against libcups, then
8096
7678
\m[blue]\fBprintcap = cups\fR\m[]
8097
7679
uses the CUPS API to submit jobs, etc\&. Otherwise it maps to the System V commands with the \-oraw option for printing, i\&.e\&. it uses
8098
\FClp \-c \-d%p \-oraw; rm %s\F[]\&. With
8099
\FCprinting = cups\F[], and if SAMBA is compiled against libcups, any manually set print command will be ignored\&.
7680
lp \-c \-d%p \-oraw; rm %s\&. With
7681
printing = cups, and if SAMBA is compiled against libcups, any manually set print command will be ignored\&.
8101
7683
\fINo default\fR
8104
\fI\fIprint command\fR\fR\fI = \fR\fI\FC/usr/local/samba/bin/myprintscript %p %s\F[]\fR\fI \fR
7686
\fI\fIprint command\fR\fR\fI = \fR\fI/usr/local/samba/bin/myprintscript %p %s\fR\fI \fR
8107
7689
printer admin (S)
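Review bot: The worked example at old 8074 / new 7656 logs to /tmp/print.log, a predictable name in a world-writable directory, and hands %s and %p to the shell unquoted even though the paragraph above it says print commands "are just passed to a shell". Suggest quoting the substitutions in the example ('%p', '%s') and moving the log to a directory only the print service can write to. Two smaller points in the same region: the CUPS fallback at old 8098 / new 7680 reads "lp -c -d%p -oraw; rm %s", which removes the spool file but never passes it to lp (compare "lp -c -d%p %s; rm %s" at new 7670); and the "printing = SOFTQ :" label at old 8091 has no new-side line visible before new 7675, so please confirm it was not dropped.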
8113
7695
This parameter has been marked deprecated in favor of using the SePrintOperatorPrivilege and individual print security descriptors\&. It will be removed in a future release\&.
8116
\fI\fIprinter admin\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7698
\fI\fIprinter admin\fR\fR\fI = \fR\fI\fR\fI \fR
8119
\fI\fIprinter admin\fR\fR\fI = \fR\fI\FCadmin, @staff\F[]\fR\fI \fR
7701
\fI\fIprinter admin\fR\fR\fI = \fR\fIadmin, @staff\fR\fI \fR
8194
7776
This parameter specifies which user information will be passed to the printing system\&. Usually, the username is sent, but in some cases, e\&.g\&. the domain prefix is useful, too\&.
8197
\fI\fIprintjob username\fR\fR\fI = \fR\fI\FC%U\F[]\fR\fI \fR
7779
\fI\fIprintjob username\fR\fR\fI = \fR\fI%U\fR\fI \fR
8200
\fI\fIprintjob username\fR\fR\fI = \fR\fI\FC%D\e%U\F[]\fR\fI \fR
7782
\fI\fIprintjob username\fR\fR\fI = \fR\fI%D\e%U\fR\fI \fR
8203
7785
private dir (G)
8303
7885
If this parameter is
8304
7886
\fByes\fR, then users of a service may not create or modify files in the service\'s directory\&.
8306
Note that a printable service (\FCprintable = yes\F[]) will
7888
Note that a printable service (printable = yes) will
8308
7890
allow writing to the directory (user privileges permitting), but only via spooling operations\&.
8311
\fI\fIread only\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
7893
\fI\fIread only\fR\fR\fI = \fR\fIyes\fR\fI \fR
8334
7916
This option specifies the kerberos realm to use\&. The realm is used as the ADS equivalent of the NT4
8335
\FCdomain\F[]\&. It is usually set to the DNS name of the kerberos server\&.
7917
domain\&. It is usually set to the DNS name of the kerberos server\&.
8338
\fI\fIrealm\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7920
\fI\fIrealm\fR\fR\fI = \fR\fI\fR\fI \fR
8341
\fI\fIrealm\fR\fR\fI = \fR\fI\FCmysambabox\&.mycompany\&.com\F[]\fR\fI \fR
7923
\fI\fIrealm\fR\fR\fI = \fR\fImysambabox\&.mycompany\&.com\fR\fI \fR
8344
7926
registry shares (G)
8388
.BB lightgray adjust-for-leading-newline
8391
\FCremote announce = 192\&.168\&.2\&.255/SERVERS 192\&.168\&.4\&.255/STAFF\F[]
8392
.EB lightgray adjust-for-leading-newline
7965
remote announce = 192\&.168\&.2\&.255/SERVERS 192\&.168\&.4\&.255/STAFF
8403
7971
the above line would cause
8405
7973
to announce itself to the two given IP addresses using the given workgroup names\&. If you leave out the workgroup name, then the one given in the
8406
7974
\m[blue]\fBworkgroup\fR\m[]
8407
7975
parameter is used instead\&.
8438
.BB lightgray adjust-for-leading-newline
8441
8001
\fIremote browse sync = 192\&.168\&.2\&.255 192\&.168\&.4\&.255\fR
8442
.EB lightgray adjust-for-leading-newline
8453
8007
the above line would cause
8455
8009
to request the master browser on the specified subnets or addresses to synchronize their browse lists with the local server\&.
8457
8011
The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable\&. If a machine IP address is given Samba makes NO attempt to validate that the remote machine is available, is listening, nor that it is in fact the browse master on its segment\&.
8473
8027
under special circumstances described below\&.
8475
8029
When a user with admin authority or SeAddUserPrivilege rights renames a user (e\&.g\&.: from the NT4 User Manager for Domains), this script will be run to rename the POSIX user\&. Two variables,
8478
\FC%unew\F[], will be substituted with the old and new usernames, respectively\&. The script should return 0 upon successful completion, and nonzero otherwise\&.
8032
%unew, will be substituted with the old and new usernames, respectively\&. The script should return 0 upon successful completion, and nonzero otherwise\&.
8485
8038
.nr an-no-space-flag 1
8486
8039
.nr an-break-flag 1
8492
8045
The script has all responsibility to rename all the necessary data that is accessible in this posix method\&. This can mean different requirements for different backends\&. The tdbsam and smbpasswd backends will take care of the contents of their respective files, so the script is responsible only for changing the POSIX username, and other data that may required for your circumstances, such as home directory\&. Please also consider whether or not you need to rename the actual home directories themselves\&. The ldapsam backend will not make any changes, because of the potential issues with renaming the LDAP naming attribute\&. In this case the script is responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that needs to change for other applications using the same directory\&.
8497
\fI\fIrename user script\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
8049
\fI\fIrename user script\fR\fR\fI = \fR\fIno\fR\fI \fR
8500
8052
reset on zero vc (G)
8599
8135
some files needed for complete operation of the server\&. To maintain full operability of the server you will need to mirror some system files into the
8600
8136
\fIroot directory\fR
8601
8137
tree\&. In particular you will need to mirror
8603
8139
(or a subset of it), and any binaries or configuration files needed for printing (if required)\&. The set of files that must be mirrored is operating system dependent\&.
8606
\fI\fIroot directory\fR\fR\fI = \fR\fI\FC/\F[]\fR\fI \fR
8142
\fI\fIroot directory\fR\fR\fI = \fR\fI/\fR\fI \fR
8609
\fI\fIroot directory\fR\fR\fI = \fR\fI\FC/homes/smb\F[]\fR\fI \fR
8145
\fI\fIroot directory\fR\fR\fI = \fR\fI/homes/smb\fR\fI \fR
8612
8148
root postexec (S)
8682
8218
to turn share level security on or off\&. Clients decide based on this bit whether (and how) to transfer user and password information to the server\&.
8685
\FCsecurity = user\F[], as this is the most common setting needed when talking to Windows 98 and Windows NT\&.
8221
security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT\&.
8687
8223
The alternatives are
8688
\FCsecurity = share\F[],
8689
\FCsecurity = server\F[]
8691
\FCsecurity = domain \F[]\&.
8227
security = domain\&.
8693
8229
In versions of Samba prior to 2\&.0\&.0, the default was
8694
\FCsecurity = share\F[]
8695
8231
mainly because that was the only option at one stage\&.
8697
8233
There is a bug in WfWg that has relevance to this setting\&. When in user or server level security a WfWg client will totally ignore the username and password you type in the "connect drive" dialog box\&. This makes it very difficult (if not impossible) to connect to a Samba service as anyone except the user that you are logged into WfWg as\&.
8699
8235
If your PCs use usernames that are the same as their usernames on the UNIX machine then you will want to use
8700
\FCsecurity = user\F[]\&. If you mostly use usernames that don\'t exist on the UNIX box then use
8701
\FCsecurity = share\F[]\&.
8236
security = user\&. If you mostly use usernames that don\'t exist on the UNIX box then use
8703
8239
You should also use
8704
\FCsecurity = share\F[]
8705
8241
if you want to mainly setup shares without a password (guest shares)\&. This is commonly used for a shared printer server\&. It is more difficult to setup guest shares with
8706
\FCsecurity = user\F[], see the
8242
security = user, see the
8707
8243
\m[blue]\fBmap to guest\fR\m[]
8708
8244
parameter for details\&.
8710
8246
It is possible to use
8713
8249
\fI hybrid mode\fR
8714
8250
where it is offers both user and share level security under different
8719
8255
\fISECURITY = SHARE\fR
8721
8257
When clients connect to a share level security server, they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a
8722
\FCsecurity = share \F[]
8723
8259
server)\&. Instead, the clients send authentication information (passwords) on a per\-share basis, at the time they attempt to connect to that share\&.
8728
8264
uses a valid UNIX user to act on behalf of the client, even in
8729
\FCsecurity = share\F[]
8730
8266
level security\&.
8732
8268
As clients are not required to send a username to the server in share level security,
8734
8270
uses several techniques to determine the correct UNIX user to use on behalf of the client\&.
8736
8272
A list of possible UNIX usernames to match with the given client password is constructed using the following methods :
8887
8423
\fISECURITY = SERVER\fR
8889
8425
In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box\&. If this fails it will revert to
8890
\FCsecurity = user\F[]\&. It expects the
8426
security = user\&. It expects the
8891
8427
\m[blue]\fBencrypted passwords\fR\m[]
8892
8428
parameter to be set to
8893
8429
\fByes\fR, unless the remote server does not support them\&. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid
8895
8431
file to check users against\&. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up\&.
8902
8437
.nr an-no-space-flag 1
8903
8438
.nr an-break-flag 1
8975
8507
denies access if the client is not able to speak netlogon schannel\&. This is only the case for Windows NT4 before SP4\&.
8977
8509
Please note that with this set to
8978
\FCno\F[], you will have to apply the WindowsXP
8979
\FCWinXP_SignOrSeal\&.reg\F[]
8510
no, you will have to apply the WindowsXP
8511
WinXP_SignOrSeal\&.reg
8980
8512
registry patch found in the docs/registry subdirectory of the Samba distribution tarball\&.
8983
\fI\fIserver schannel\fR\fR\fI = \fR\fI\FCauto\F[]\fR\fI \fR
8515
\fI\fIserver schannel\fR\fR\fI = \fR\fIauto\fR\fI \fR
8986
\fI\fIserver schannel\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
8518
\fI\fIserver schannel\fR\fR\fI = \fR\fIyes\fR\fI \fR
8989
8521
server signing (G)
9034
\FCset directory = no\F[], then users of the service may not use the setdir command to change directory\&.
8566
set directory = no, then users of the service may not use the setdir command to change directory\&.
9038
8570
command is only implemented in the Digital Pathworks client\&. See the Pathworks documentation for details\&.
9041
\fI\fIset directory\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
8573
\fI\fIset directory\fR\fR\fI = \fR\fIno\fR\fI \fR
9044
8576
set primary group script (G)
9048
8580
Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups\&. This script sets the primary group in the unix userdatase when an administrator sets the primary group from the windows user manager or when fetching a SAM with
9049
\FCnet rpc vampire\F[]\&.
9051
8583
will be replaced with the user whose primary group is to be set\&.
9053
8585
will be replaced with the group to set\&.
9056
\fI\fIset primary group script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
8588
\fI\fIset primary group script\fR\fR\fI = \fR\fI\fR\fI \fR
9059
\fI\fIset primary group script\fR\fR\fI = \fR\fI\FC/usr/sbin/usermod \-g \'%g\' \'%u\'\F[]\fR\fI \fR
8591
\fI\fIset primary group script\fR\fR\fI = \fR\fI/usr/sbin/usermod \-g \'%g\' \'%u\'\fR\fI \fR
9062
8594
set quota command (G)
9067
\FCset quota command\F[]
9068
8600
should only be used whenever there is no operating system API available from the OS that samba can use\&.
9070
8602
This option is only available if Samba was configured with the argument
9071
\FC\-\-with\-sys\-quotas\F[]
8603
\-\-with\-sys\-quotas
9072
8604
or on linux when
9073
\FC\&./configure \-\-with\-quotas\F[]
8605
\&./configure \-\-with\-quotas
9074
8606
was used and a working quota api was found in the system\&. Most packages are configured with these options already\&.
9076
8608
This parameter should specify the path to a script that can set quota for the specified arguments\&.
9630
9132
take an integer argument\&. The others can optionally take a 1 or 0 argument to enable or disable the option, by default they will be enabled if you don\'t specify 1 or 0\&.
9632
9134
To specify an argument use the syntax SOME_OPTION = VALUE for example
9633
\FCSO_SNDBUF = 8192\F[]\&. Note that you must not have any spaces before or after the = sign\&.
9135
SO_SNDBUF = 8192\&. Note that you must not have any spaces before or after the = sign\&.
9635
9137
If you are on a local network then a sensible option might be:
9637
\FCsocket options = IPTOS_LOWDELAY\F[]
9139
socket options = IPTOS_LOWDELAY
9639
9141
If you have a local network then you could try:
9641
\FCsocket options = IPTOS_LOWDELAY TCP_NODELAY\F[]
9143
socket options = IPTOS_LOWDELAY TCP_NODELAY
9643
9145
If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT\&.
9645
9147
Note that several of the options may cause your Samba server to fail completely\&. Use these options with caution!
9648
\fI\fIsocket options\fR\fR\fI = \fR\fI\FCTCP_NODELAY\F[]\fR\fI \fR
9150
\fI\fIsocket options\fR\fR\fI = \fR\fITCP_NODELAY\fR\fI \fR
9651
\fI\fIsocket options\fR\fR\fI = \fR\fI\FCIPTOS_LOWDELAY\F[]\fR\fI \fR
9153
\fI\fIsocket options\fR\fR\fI = \fR\fIIPTOS_LOWDELAY\fR\fI \fR
9660
9162
will use a cache in order to speed up case insensitive name mappings\&. You should never need to change this parameter\&.
9663
\fI\fIstat cache\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
9165
\fI\fIstat cache\fR\fR\fI = \fR\fIyes\fR\fI \fR
9172
Usually, most of the TDB files are stored in the
9173
\fIlock directory\fR\&. Since Samba 3\&.4\&.0, it is possible to differentiate between TDB files with persistent data and TDB files with non\-persistent data using the
9174
\fIstate directory\fR
9176
\fIcache directory\fR
9179
This option specifies the directory where TDB files containing persistent data will be stored\&.
9182
\fI\fIstate directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
9185
\fI\fIstate directory\fR\fR\fI = \fR\fI/var/run/samba/locks/state\fR\fI \fR
9666
9188
store dos attributes (S)
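Review bot: The example at new 9185 sets "state directory = /var/run/samba/locks/state", but new 9179 defines this option as the place for TDB files containing persistent data, and /var/run is conventionally cleared at boot, so anyone copying the example would lose that data on restart. Use a persistent location such as a path under /var/lib for the example. These lines (new 9172 to 9185) also have no old-side counterpart, so this is a content addition mixed in with markup-only changes and would be easier to review as its own commit.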
9714
9236
When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them\&.
9716
9238
Well\-behaved clients always ask for lock checks when it is important\&. So in the vast majority of cases,
9717
\FCstrict locking = Auto\F[]
9239
strict locking = Auto
9719
\FCstrict locking = no\F[]
9720
9242
is acceptable\&.
9723
\fI\fIstrict locking\fR\fR\fI = \fR\fI\FCAuto\F[]\fR\fI \fR
9245
\fI\fIstrict locking\fR\fR\fI = \fR\fIAuto\fR\fI \fR
9726
9248
strict sync (S)
9744
9266
This option defines a list of init scripts that smbd will use for starting and stopping Unix services via the Win32 ServiceControl API\&. This allows Windows administrators to utilize the MS Management Console plug\-ins to manage a Unix server running Samba\&.
9746
9268
The administrator must create a directory name
9748
9270
in Samba\'s $(libdir) and create symbolic links to the init scripts in
9749
\FC/etc/init\&.d/\F[]\&. The name of the links must match the names given as part of the
9271
/etc/init\&.d/\&. The name of the links must match the names given as part of the
9750
9272
\fIsvcctl list\fR\&.
9753
\fI\fIsvcctl list\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
9275
\fI\fIsvcctl list\fR\fR\fI = \fR\fI\fR\fI \fR
9756
\fI\fIsvcctl list\fR\fR\fI = \fR\fI\FCcups postfix portmap httpd\F[]\fR\fI \fR
9278
\fI\fIsvcctl list\fR\fR\fI = \fR\fIcups postfix portmap httpd\fR\fI \fR
9759
9281
sync always (S)
9931
9453
This parameter applies only to Windows NT/2000 clients\&. It has no effect on Windows 95/98/ME clients\&. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver\&. From this point on, the client will treat the print as a local printer and not a network printer connection\&. This is much the same behavior that will occur when
9932
\FCdisable spoolss = yes\F[]\&.
9454
disable spoolss = yes\&.
9934
9456
The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS\-RPC\&. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user\&. If the user possesses local administator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail\&. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed)\&.
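Review bot: spelling and wording slips in the paragraphs at 9931/9453 and 9934/9456 should be fixed while these lines are being touched: "administator" should be "administrator", and "the client will treat the print as a local printer" presumably means "the printer". The second paragraph is the one administrators read when diagnosing the "Access Denied; Unable to connect" message, so it is worth getting clean.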
9979
9501
parameter\&. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which the account should mapped)\&. In this way, it is possible to store username map tables in an LDAP or NIS directory services\&.
9982
\fI\fIusername map script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
9504
\fI\fIusername map script\fR\fR\fI = \fR\fI\fR\fI \fR
9985
\fI\fIusername map script\fR\fR\fI = \fR\fI\FC/etc/samba/scripts/mapusers\&.sh\F[]\fR\fI \fR
9507
\fI\fIusername map script\fR\fR\fI = \fR\fI/etc/samba/scripts/mapusers\&.sh\fR\fI \fR
9988
9510
username map (G)
9992
9514
This option allows you to specify a file containing a mapping of usernames from the clients to the server\&. This can be used for several purposes\&. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&.
9994
9516
Please note that for user or share mode security, the username map is applied prior to validating the user credentials\&. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified enties in the map table (e\&.g\&. biddle =
9995
\FCDOMAIN\efoo\F[])\&.
9997
9519
The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a \'=\' followed by a list of usernames on the right\&. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group\&. The special client name \'*\' is a wildcard and matches any name\&. Each line of the map file may be up to 1023 characters long\&.
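Review bot: the username map script paragraph at 9979/9501 says the script receives the username transmitted in the authentication request as its single command line option, but it never says that this value is client-supplied and has to be handled as untrusted input. Suggest adding one sentence to that effect (quote the argument, never pass it to eval or an unquoted shell expansion), since the example at 9985/9507 points at a shell script. The same paragraph also needs wording fixes: "specifies and external program", "return a line line" and "the account should mapped"; "enties" at 9994/9516 is another.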
10139
9605
Also note that no reverse mapping is done\&. The main effect this has is with printing\&. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don\'t own the print job\&.
10141
9607
Samba versions prior to 3\&.0\&.8 would only support reading the fully qualified username (e\&.g\&.:
10142
\FCDOMAIN\euser\F[]) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
9608
DOMAIN\euser) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
10144
9610
The following functionality is obeyed in version 3\&.0\&.8 and later:
10146
9612
When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection\&.
10148
9614
When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i\&.e\&.
10149
\FCDOMAIN\euser\F[]) only after the user has been successfully authenticated\&.
9615
DOMAIN\euser) only after the user has been successfully authenticated\&.
10151
9617
An example of use is:
10162
.BB lightgray adjust-for-leading-newline
10165
9623
username map = /usr/local/samba/lib/users\&.map
10166
.EB lightgray adjust-for-leading-newline
10178
\fI\fIusername map\fR\fR\fI = \fR\fI\FC # no username map\F[]\fR\fI \fR
9630
\fI\fIusername map\fR\fR\fI = \fR\fI # no username map\fR\fI \fR
10229
9681
for more information on how this parameter determines access to the services\&.
10232
\fI\fIusername\fR\fR\fI = \fR\fI\FC # The guest account if a guest service, else <empty string>\&.\F[]\fR\fI \fR
9684
\fI\fIusername\fR\fR\fI = \fR\fI # The guest account if a guest service, else <empty string>\&.\fR\fI \fR
10235
\fI\fIusername\fR\fR\fI = \fR\fI\FCfred, mary, jack, jane, @users, @pcgroup\F[]\fR\fI \fR
9687
\fI\fIusername\fR\fR\fI = \fR\fIfred, mary, jack, jane, @users, @pcgroup\fR\fI \fR
10238
9690
usershare allow guests (G)
10318
9756
If there is a "usershare prefix deny list" and also a "usershare prefix allow list" the deny list is processed first, followed by the allow list, thus leading to the most restrictive interpretation\&.
10321
\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fI\FCNULL\F[]\fR\fI \fR
9759
\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fINULL\fR\fI \fR
10324
\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fI\FC/home /data /space\F[]\fR\fI \fR
9762
\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fI/home /data /space\fR\fI \fR
10327
9765
usershare prefix deny list (G)
10333
9771
If there is a "usershare prefix deny list" and also a "usershare prefix allow list" the deny list is processed first, followed by the allow list, thus leading to the most restrictive interpretation\&.
10336
\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fI\FCNULL\F[]\fR\fI \fR
9774
\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fINULL\fR\fI \fR
10339
\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fI\FC/etc /dev /private\F[]\fR\fI \fR
9777
\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fI/etc /dev /private\fR\fI \fR
10342
9780
usershare template share (G)
10348
9786
The target share may be set to be invalid for real file sharing by setting the parameter "\-valid = False" on the template share definition\&. This causes it not to be seen as a real exported share but to be able to be used as a template for usershares\&.
10351
\fI\fIusershare template share\fR\fR\fI = \fR\fI\FCNULL\F[]\fR\fI \fR
9789
\fI\fIusershare template share\fR\fR\fI = \fR\fINULL\fR\fI \fR
10354
\fI\fIusershare template share\fR\fR\fI = \fR\fI\FCtemplate_share\F[]\fR\fI \fR
9792
\fI\fIusershare template share\fR\fR\fI = \fR\fItemplate_share\fR\fI \fR
10357
9795
use sendfile (S)
10386
9824
This parameter is only available if Samba has been configured and compiled with the option
10387
\FC \-\-with\-utmp\F[]\&. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server\&. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
10388
\FC/var/run/utmp\F[]
9825
\-\-with\-utmp\&. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server\&. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
10392
\fI\fIutmp directory\fR\fR\fI = \fR\fI\FC # Determined automatically\F[]\fR\fI \fR
9830
\fI\fIutmp directory\fR\fR\fI = \fR\fI # Determined automatically\fR\fI \fR
10395
\fI\fIutmp directory\fR\fR\fI = \fR\fI\FC/var/run/utmp\F[]\fR\fI \fR
9833
\fI\fIutmp directory\fR\fR\fI = \fR\fI/var/run/utmp\fR\fI \fR
10402
9840
This boolean parameter is only available if Samba has been configured and compiled with the option
10403
\FC\-\-with\-utmp\F[]\&. If set to
9841
\-\-with\-utmp\&. If set to
10405
9843
then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
10407
9845
Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
10410
\fI\fIutmp\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9848
\fI\fIutmp\fR\fR\fI = \fR\fIno\fR\fI \fR
10413
9851
valid users (S)
10426
9864
\fI%S\fR\&. This is useful in the [homes] section\&.
10429
\fI\fIvalid users\fR\fR\fI = \fR\fI\FC # No valid users list (anyone can login) \F[]\fR\fI \fR
9867
\fI\fIvalid users\fR\fR\fI = \fR\fI # No valid users list (anyone can login) \fR\fI \fR
10432
\fI\fIvalid users\fR\fR\fI = \fR\fI\FCgreg, @pcusers\F[]\fR\fI \fR
9870
\fI\fIvalid users\fR\fR\fI = \fR\fIgreg, @pcusers\fR\fI \fR
10517
9941
You might want to do this on files that you know will be heavily contended for by clients\&. A good example of this is in the NetBench SMB benchmark program, which causes heavy client contention for files ending in
10518
\FC\&.SEM\F[]\&. To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for the particular NetBench share\&.
9942
\&.SEM\&. To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for the particular NetBench share\&.
10520
9944
An example of use is:
10531
.BB lightgray adjust-for-leading-newline
10534
9950
veto oplock files = /\&.*SEM/
10535
.EB lightgray adjust-for-leading-newline
10547
\fI\fIveto oplock files\fR\fR\fI = \fR\fI\FC # No files are vetoed for oplock grants\F[]\fR\fI \fR
9957
\fI\fIveto oplock files\fR\fR\fI = \fR\fI # No files are vetoed for oplock grants\fR\fI \fR
10562
9972
This parameter specifies the backend names which are used for Samba VFS I/O operations\&. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects\&.
10565
\fI\fIvfs objects\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
9975
\fI\fIvfs objects\fR\fR\fI = \fR\fI\fR\fI \fR
10568
\fI\fIvfs objects\fR\fR\fI = \fR\fI\FCextd_audit recycle\F[]\fR\fI \fR
9978
\fI\fIvfs objects\fR\fR\fI = \fR\fIextd_audit recycle\fR\fI \fR
10715
10121
This feature also enables the name aliasing API which can be used to make domain user and group names to a non\-qualified version\&. Please refer to the manpage for the configured idmap and nss_info plugin for the specifics on how to configure name aliasing for a specific configuration\&. Name aliasing takes precendence (and is mutually exclusive) over the whitespace replacement mechanism discussed previsouly\&.
10718
\fI\fIwinbind normalize names\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10124
\fI\fIwinbind normalize names\fR\fR\fI = \fR\fIno\fR\fI \fR
10721
\fI\fIwinbind normalize names\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
10127
\fI\fIwinbind normalize names\fR\fR\fI = \fR\fIyes\fR\fI \fR
10724
10130
winbind nss info (G)
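Review bot: the name aliasing paragraph at 10715/10121 has two misspellings, "precendence" and "previsouly", and "to make domain user and group names to a non-qualified version" reads as if a verb such as "map" was intended. This sentence is the only place in the hunk that states that name aliasing and whitespace replacement are mutually exclusive, so it should read cleanly.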
10775
10181
module using Cached Credentials\&. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache\&.
10778
\fI\fIwinbind offline logon\fR\fR\fI = \fR\fI\FCfalse\F[]\fR\fI \fR
10184
\fI\fIwinbind offline logon\fR\fR\fI = \fR\fIfalse\fR\fI \fR
10781
\fI\fIwinbind offline logon\fR\fR\fI = \fR\fI\FCtrue\F[]\fR\fI \fR
10187
\fI\fIwinbind offline logon\fR\fR\fI = \fR\fItrue\fR\fI \fR
10784
10190
winbind reconnect delay (G)
10827
10233
This parameter allows an admin to define the character used when listing a username of the form of
10828
10234
\fIDOMAIN \fR\e\fIuser\fR\&. This parameter is only applicable when using the
10829
\FCpam_winbind\&.so\F[]
10831
\FCnss_winbind\&.so\F[]
10832
10238
modules for UNIX services\&.
10834
10240
Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + is used as a special character for NIS in /etc/group\&.
10837
\fI\fIwinbind separator\fR\fR\fI = \fR\fI\FC\'\e\'\F[]\fR\fI \fR
10243
\fI\fIwinbind separator\fR\fR\fI = \fR\fI\'\e\'\fR\fI \fR
10840
\fI\fIwinbind separator\fR\fR\fI = \fR\fI\FC+\F[]\fR\fI \fR
10246
\fI\fIwinbind separator\fR\fR\fI = \fR\fI+\fR\fI \fR
10843
10249
winbind trusted domains only (G)
10865
10271
daemon should operate on users without domain component in their username\&. Users without a domain component are treated as is part of the winbindd server\'s own domain\&. While this does not benifit Windows users, it makes SSH, FTP and e\-mail function in a way much closer to the way they would in a native unix system\&.
10868
\fI\fIwinbind use default domain\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10274
\fI\fIwinbind use default domain\fR\fR\fI = \fR\fIno\fR\fI \fR
10871
\fI\fIwinbind use default domain\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
10277
\fI\fIwinbind use default domain\fR\fR\fI = \fR\fIyes\fR\fI \fR
10874
10280
wins hook (G)
10984
10389
You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross\-subnet browsing to work correctly\&.
10988
10392
See the chapter in the Samba3\-HOWTO on Network Browsing\&.
10991
\fI\fIwins server\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
10994
\fI\fIwins server\fR\fR\fI = \fR\fI\FCmary:192\&.9\&.200\&.1 fred:192\&.168\&.3\&.199 mary:192\&.168\&.2\&.61 # For this example when querying a certain name, 192\&.19\&.200\&.1 will be asked first and if that doesn\'t respond 192\&.168\&.2\&.61\&. If either of those doesn\'t know the name 192\&.168\&.3\&.199 will be queried\&.\F[]\fR\fI \fR
10997
\fI\fIwins server\fR\fR\fI = \fR\fI\FC192\&.9\&.200\&.1 192\&.168\&.2\&.61\F[]\fR\fI \fR
10395
\fI\fIwins server\fR\fR\fI = \fR\fI\fR\fI \fR
10398
\fI\fIwins server\fR\fR\fI = \fR\fImary:192\&.9\&.200\&.1 fred:192\&.168\&.3\&.199 mary:192\&.168\&.2\&.61 # For this example when querying a certain name, 192\&.19\&.200\&.1 will be asked first and if that doesn\'t respond 192\&.168\&.2\&.61\&. If either of those doesn\'t know the name 192\&.168\&.3\&.199 will be queried\&.\fR\fI \fR
10401
\fI\fIwins server\fR\fR\fI = \fR\fI192\&.9\&.200\&.1 192\&.168\&.2\&.61\fR\fI \fR
11000
10404
wins support (G)
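Review bot: the inline comment in the tagged wins server example (10994 and 10398) says 192.19.200.1 will be asked first, but the address listed for the mary tag is 192.9.200.1. One of the two is a typo, and both sides of the diff carry it. Make the comment match the value so a reader copying the example does not point a client at the wrong WINS server.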
11108
10512
This parameter is only available if Samba has been configured and compiled with the option
11109
\FC \-\-with\-utmp\F[]\&. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server\&. The difference with the utmp directory is the fact that user info is kept after a user has logged out\&.
10513
\-\-with\-utmp\&. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server\&. The difference with the utmp directory is the fact that user info is kept after a user has logged out\&.
11111
10515
By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
11112
\FC/var/run/wtmp\F[]
11116
\fI\fIwtmp directory\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
10520
\fI\fIwtmp directory\fR\fR\fI = \fR\fI\fR\fI \fR
11119
\fI\fIwtmp directory\fR\fR\fI = \fR\fI\FC/var/log/wtmp\F[]\fR\fI \fR
10523
\fI\fIwtmp directory\fR\fR\fI = \fR\fI/var/log/wtmp\fR\fI \fR
11121
10525
.SH "WARNINGS"