« back to all changes in this revision
Viewing changes to docs/manpages/smb.conf.5
- browse files at revision 91
- compare with another revision
- download diff
- download tarball
- view history from revision 91
- Committer: Bazaar Package Importer
- Author(s): Chuck Short
- Date: 2010-01-29 06:16:15 UTC
- mfrom: (0.27.9 upstream) (0.34.4 squeeze)
- Revision ID: james.westby@ubuntu.com-20100129061615-37hs6xqpsdhjq3ld
Tags: 2:3.4.5~dfsg-1ubuntu1
* Merge from debian testing. Remaining changes:
+ debian/patches/VERSION.patch:
- set SAMBA_VERSION_SUFFIX to Ubuntu.
+ debian/smb.conf:
- Add "(Samba, Ubuntu)" to server string.
- Comment out the default [homes] share, and add a comment about "valid users = %s"
to show users how to restrict access to \\server\username to only username.
- Set 'usershare allow guests', so that usershare admins are allowed to create
public shares in additon to authenticated ones.
- add map to guest = Bad user, maps bad username to gues access.
+ debian/samba-common.conf:
- Do not change priority to high if dhclient3 is installed.
- Use priority medium instead of high for the workgroup question.
+ debian/mksambapasswd.awk:
- Do not add user with UID less than 1000 to smbpasswd.
+ debian/control:
- Make libswbclient0 replace/conflict with hardy's likewise-open.
- Don't build against ctdb, since its not in main yet.
+ debian/rules:
- Enable "native" PIE hardening.
- Add BIND_NOW to maximize benefit of RELRO hardening.
+ Add ufw integration:
- Created debian/samba.ufw.profile.
- debian/rules, debian/samba.dirs, debian/samba.files: install
+ Add apoort hook:
- Created debian/source_samba.py.
- debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
+ debian/rules, debian/samba.if-up: allow "NetworkManager" as a recognized address
family... it's obviously /not/ an address family, but it's what gets
sent when using NM, so we'll cope for now. (LP: #462169). Taken from karmic-proposed.
+ debian/control: Recommend keyutils for smbfs (LP: #493565)
+ Dropped patches:
- debian/patches/security-CVE-2009-3297.patch: No longer needed
- debian/patches/fix-too-many-open-files.patch: No longer needed
+ debian/patches/VERSION.patch:
- set SAMBA_VERSION_SUFFIX to Ubuntu.
+ debian/smb.conf:
- Add "(Samba, Ubuntu)" to server string.
- Comment out the default [homes] share, and add a comment about "valid users = %s"
to show users how to restrict access to \\server\username to only username.
- Set 'usershare allow guests', so that usershare admins are allowed to create
public shares in additon to authenticated ones.
- add map to guest = Bad user, maps bad username to gues access.
+ debian/samba-common.conf:
- Do not change priority to high if dhclient3 is installed.
- Use priority medium instead of high for the workgroup question.
+ debian/mksambapasswd.awk:
- Do not add user with UID less than 1000 to smbpasswd.
+ debian/control:
- Make libswbclient0 replace/conflict with hardy's likewise-open.
- Don't build against ctdb, since its not in main yet.
+ debian/rules:
- Enable "native" PIE hardening.
- Add BIND_NOW to maximize benefit of RELRO hardening.
+ Add ufw integration:
- Created debian/samba.ufw.profile.
- debian/rules, debian/samba.dirs, debian/samba.files: install
+ Add apoort hook:
- Created debian/source_samba.py.
- debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
+ debian/rules, debian/samba.if-up: allow "NetworkManager" as a recognized address
family... it's obviously /not/ an address family, but it's what gets
sent when using NM, so we'll cope for now. (LP: #462169). Taken from karmic-proposed.
+ debian/control: Recommend keyutils for smbfs (LP: #493565)
+ Dropped patches:
- debian/patches/security-CVE-2009-3297.patch: No longer needed
- debian/patches/fix-too-many-open-files.patch: No longer needed
- files added:
- .pc/debian-changes-2:3.4.5~dfsg-1ubuntu1
- .pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3
- .pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3/client
- files removed:
- .pc/fix-manpages-warnings.patch
- .pc/fix-manpages-warnings.patch/docs
- .pc/fix-manpages-warnings.patch/docs/manpages
- .pc/fix-too-many-open-files.patch
- .pc/fix-too-many-open-files.patch/source3
- .pc/fix-too-many-open-files.patch/source3/include
- .pc/fix-too-many-open-files.patch/source3/param
- .pc/fix-too-many-open-files.patch/source3/smbd
- .pc/security-CVE-2009-3297.patch
- .pc/security-CVE-2009-3297.patch/source3
- .pc/security-CVE-2009-3297.patch/source3/client
- files modified:
- .pc/VERSION.patch/source3/VERSION
added
removed
docs/manpages/smb.conf.5
1
'\" t
1
2
.\" Title: smb.conf
2
3
.\" Author: [see the "AUTHOR" section]
3
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
4
.\" Date: 10/29/2009
4
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
5
.\" Date: 01/18/2010
5
6
.\" Manual: File Formats and Conventions
6
7
.\" Source: Samba 3.4
7
8
.\" Language: English
8
9
.\"
9
.TH "SMB\&.CONF" "5" "10/29/2009" "Samba 3\&.4" "File Formats and Conventions"
10
.\" -----------------------------------------------------------------
11
.\" * (re)Define some macros
12
.\" -----------------------------------------------------------------
13
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14
.\" toupper - uppercase a string (locale-aware)
15
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16
.de toupper
17
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
18
\\$*
19
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
20
..
21
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22
.\" SH-xref - format a cross-reference to an SH section
23
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
24
.de SH-xref
25
.ie n \{\
26
.\}
27
.toupper \\$*
28
.el \{\
29
\\$*
30
.\}
31
..
32
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
33
.\" SH - level-one heading that works better for non-TTY output
34
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
35
.de1 SH
36
.if t \{\
37
.sp 1
38
.\}
39
.sp \\n[PD]u
40
.nr an-level 1
41
.set-an-margin
42
.nr an-prevailing-indent \\n[IN]
43
.fi
44
.in \\n[an-margin]u
45
.ti 0
46
.HTML-TAG ".NH \\n[an-level]"
47
.it 1 an-trap
48
.nr an-no-space-flag 1
49
.nr an-break-flag 1
50
.ps +3
51
.ft B
52
.ne (2v + 1u)
53
.ie n \{\
54
.\" if n (TTY output), use uppercase
55
.toupper \\$*
56
.\}
57
.el \{\
58
.nr an-break-flag 0
59
.\" if not n (not TTY), use normal case (not uppercase)
60
\\$1
61
.in \\n[an-margin]u
62
.ti 0
63
.\" if not n (not TTY), put a border/line under subheading
64
.sp -.6
65
\l'\n(.lu'
66
.\}
67
..
68
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
69
.\" SS - level-two heading that works better for non-TTY output
70
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
71
.de1 SS
72
.sp \\n[PD]u
73
.nr an-level 1
74
.set-an-margin
75
.nr an-prevailing-indent \\n[IN]
76
.fi
77
.in \\n[IN]u
78
.ti \\n[SN]u
79
.it 1 an-trap
80
.nr an-no-space-flag 1
81
.nr an-break-flag 1
82
.ps \\n[PS-SS]u
83
.ps +2
84
.ft B
85
.ne (2v + 1u)
86
.if \\n[.$] \&\\$*
87
..
88
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
89
.\" BB/BE - put background/screen (filled box) around block of text
90
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
91
.de BB
92
.if t \{\
93
.sp -.5
94
.br
95
.in +2n
96
.ll -2n
97
.gcolor red
98
.di BX
99
.\}
100
..
101
.de EB
102
.if t \{\
103
.if "\\$2"adjust-for-leading-newline" \{\
104
.sp -1
105
.\}
106
.br
107
.di
108
.in
109
.ll
110
.gcolor
111
.nr BW \\n(.lu-\\n(.i
112
.nr BH \\n(dn+.5v
113
.ne \\n(BHu+.5v
114
.ie "\\$2"adjust-for-leading-newline" \{\
115
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
116
.\}
117
.el \{\
118
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
119
.\}
120
.in 0
121
.sp -.5v
122
.nf
123
.BX
124
.in
125
.sp .5v
126
.fi
127
.\}
128
..
129
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
130
.\" BM/EM - put colored marker in margin next to block of text
131
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
132
.de BM
133
.if t \{\
134
.br
135
.ll -2n
136
.gcolor red
137
.di BX
138
.\}
139
..
140
.de EM
141
.if t \{\
142
.br
143
.di
144
.ll
145
.gcolor
146
.nr BH \\n(dn
147
.ne \\n(BHu
148
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
149
.in 0
150
.nf
151
.BX
152
.in
153
.fi
154
.\}
155
..
10
.TH "SMB\&.CONF" "5" "01/18/2010" "Samba 3\&.4" "File Formats and Conventions"
156
11
.\" -----------------------------------------------------------------
157
12
.\" * set default formatting
158
13
.\" -----------------------------------------------------------------
163
18
.\" -----------------------------------------------------------------
164
19
.\" * MAIN CONTENT STARTS HERE *
165
20
.\" -----------------------------------------------------------------
166
.SH "Name"
21
.SH "NAME"
167
22
smb.conf \- The configuration file for the Samba suite
168
23
.SH "SYNOPSIS"
169
24
.PP
170
25
The
171
\FCsmb\&.conf\F[]
26
smb\&.conf
172
27
file is a configuration file for the Samba suite\&.
173
\FCsmb\&.conf\F[]
28
smb\&.conf
174
29
contains runtime configuration information for the Samba programs\&. The
175
\FCsmb\&.conf\F[]
30
smb\&.conf
176
31
file is designed to be configured and administered by the
177
32
\fBswat\fR(8)
178
33
program\&. The complete description of the file format and possible parameters held within are here for reference purposes\&.
183
38
.if n \{\
184
39
.RS 4
185
40
.\}
186
.fam C
187
.ps -1
188
41
.nf
189
.if t \{\
190
.sp -1
191
.\}
192
.BB lightgray adjust-for-leading-newline
193
.sp -1
194
195
42
\fIname\fR = \fIvalue \fR
196
.EB lightgray adjust-for-leading-newline
197
.if t \{\
198
.sp 1
199
.\}
200
43
.fi
201
.fam
202
.ps +1
203
44
.if n \{\
204
45
.RE
205
46
.\}
213
54
Any line beginning with a semicolon (\(lq;\(rq) or a hash (\(lq#\(rq) character is ignored, as are lines containing only whitespace\&.
214
55
.PP
215
56
Any line ending in a
216
\(lq\FC\e\F[]\(rq
57
\(lq\e\(rq
217
58
is continued on the next line in the customary UNIX fashion\&.
218
59
.PP
219
60
The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 1/0 or true/false\&. Case is not significant in boolean values, but is preserved in string values\&. Some items such as create masks are numeric\&.
236
77
is used to define access privileges in this case\&.
237
78
.PP
238
79
Sections other than guest services will require a password to access them\&. The client provides the username\&. As older clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the
239
\FCuser =\F[]
80
user =
240
81
option in the share definition\&. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary\&.
241
82
.PP
242
83
The access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system\&. The server does not grant more access than the host system grants\&.
243
84
.PP
244
85
The following sample section defines a file space share\&. The user has write access to the path
245
\FC/home/bar\F[]\&. The share is accessed via the share name
246
\FCfoo\F[]:
86
/home/bar\&. The share is accessed via the share name
87
foo:
247
88
.sp
248
89
.if n \{\
249
90
.RS 4
250
91
.\}
251
.fam C
252
.ps -1
253
92
.nf
254
.if t \{\
255
.sp -1
256
.\}
257
.BB lightgray adjust-for-leading-newline
258
.sp -1
259
260
93
\fI[foo]\fR
261
94
\m[blue]\fBpath = /home/bar\fR\m[]
262
95
\m[blue]\fBread only = no\fR\m[]
263
.EB lightgray adjust-for-leading-newline
264
.if t \{\
265
.sp 1
266
.\}
267
96
.fi
268
.fam
269
.ps +1
270
97
.if n \{\
271
98
.RE
272
99
.\}
278
105
.if n \{\
279
106
.RS 4
280
107
.\}
281
.fam C
282
.ps -1
283
108
.nf
284
.if t \{\
285
.sp -1
286
.\}
287
.BB lightgray adjust-for-leading-newline
288
.sp -1
289
290
109
\fI[aprinter]\fR
291
110
\m[blue]\fBpath = /usr/spool/public\fR\m[]
292
111
\m[blue]\fBread only = yes\fR\m[]
293
112
\m[blue]\fBprintable = yes\fR\m[]
294
113
\m[blue]\fBguest ok = yes\fR\m[]
295
.EB lightgray adjust-for-leading-newline
296
.if t \{\
297
.sp 1
298
.\}
299
114
.fi
300
.fam
301
.ps +1
302
115
.if n \{\
303
116
.RE
304
117
.\}
345
158
.if n \{\
346
159
.RS 4
347
160
.\}
348
.fam C
349
.ps -1
350
161
.nf
351
.if t \{\
352
.sp -1
353
.\}
354
.BB lightgray adjust-for-leading-newline
355
.sp -1
356
357
162
\fBpath = /data/pchome/%S\fR
358
.EB lightgray adjust-for-leading-newline
359
.if t \{\
360
.sp 1
361
.\}
362
163
.fi
363
.fam
364
.ps +1
365
164
.if n \{\
366
165
.RE
367
166
.\}
378
177
.if n \{\
379
178
.RS 4
380
179
.\}
381
.fam C
382
.ps -1
383
180
.nf
384
.if t \{\
385
.sp -1
386
.\}
387
.BB lightgray adjust-for-leading-newline
388
.sp -1
389
390
181
\fI[homes]\fR
391
182
\m[blue]\fBread only = no\fR\m[]
392
.EB lightgray adjust-for-leading-newline
393
.if t \{\
394
.sp 1
395
.\}
396
183
.fi
397
.fam
398
.ps +1
399
184
.if n \{\
400
185
.RE
401
186
.\}
460
245
.if n \{\
461
246
.RS 4
462
247
.\}
463
.fam C
464
.ps -1
465
248
.nf
466
.if t \{\
467
.sp -1
468
.\}
469
.BB lightgray adjust-for-leading-newline
470
.sp -1
471
472
249
\fI[printers]\fR
473
250
\m[blue]\fBpath = /usr/spool/public\fR\m[]
474
251
\m[blue]\fBguest ok = yes\fR\m[]
475
252
\m[blue]\fBprintable = yes\fR\m[]
476
.EB lightgray adjust-for-leading-newline
477
.if t \{\
478
.sp 1
479
.\}
480
253
.fi
481
.fam
482
.ps +1
483
254
.if n \{\
484
255
.RE
485
256
.\}
489
260
.if n \{\
490
261
.RS 4
491
262
.\}
492
.fam C
493
.ps -1
494
263
.nf
495
.if t \{\
496
.sp -1
497
.\}
498
.BB lightgray adjust-for-leading-newline
499
.sp -1
500
501
264
alias|alias|alias|alias\&.\&.\&.
502
.EB lightgray adjust-for-leading-newline
503
.if t \{\
504
.sp 1
505
.\}
506
265
.fi
507
.fam
508
.ps +1
509
266
.if n \{\
510
267
.RE
511
268
.\}
512
269
.PP
513
270
Each alias should be an acceptable printer name for your printing subsystem\&. In the [global] section, specify the new file as your printcap\&. The server will only recognize names found in your pseudo\-printcap, which of course can contain whatever aliases you like\&. The same technique could be used simply to limit access to a subset of your local printers\&.
514
271
.PP
515
An alias, by the way, is defined as any component of the first entry of a printcap record\&. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (\FC|\F[])\&.
272
An alias, by the way, is defined as any component of the first entry of a printcap record\&. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (|)\&.
516
273
.if n \{\
517
274
.sp
518
275
.\}
519
276
.RS 4
520
.BM yellow
521
277
.it 1 an-trap
522
278
.nr an-no-space-flag 1
523
279
.nr an-break-flag 1
528
284
.br
529
285
.PP
530
286
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use
531
\FCprintcap name = lpstat\F[]
287
printcap name = lpstat
532
288
to automatically obtain a list of printers\&. See the
533
\FCprintcap name\F[]
289
printcap name
534
290
option for more details\&.
535
291
.sp .5v
536
.EM yellow
537
292
.RE
538
293
.SH "USERSHARES"
539
294
.PP
577
332
.RE
578
333
.PP
579
334
To allow members of the UNIX group
580
\FCfoo\F[]
335
foo
581
336
to create user defined shares, create the directory to contain the share definitions as follows:
582
337
.PP
583
338
Become root:
585
340
.if n \{\
586
341
.RS 4
587
342
.\}
588
.fam C
589
.ps -1
590
343
.nf
591
.if t \{\
592
.sp -1
593
.\}
594
.BB lightgray adjust-for-leading-newline
595
.sp -1
596
597
344
mkdir /usr/local/samba/lib/usershares
598
345
chgrp foo /usr/local/samba/lib/usershares
599
346
chmod 1770 /usr/local/samba/lib/usershares
600
.EB lightgray adjust-for-leading-newline
601
.if t \{\
602
.sp 1
603
.\}
604
347
.fi
605
.fam
606
.ps +1
607
348
.if n \{\
608
349
.RE
609
350
.\}
613
354
.if n \{\
614
355
.RS 4
615
356
.\}
616
.fam C
617
.ps -1
618
357
.nf
619
.if t \{\
620
.sp -1
621
.\}
622
.BB lightgray adjust-for-leading-newline
623
.sp -1
624
625
358
\m[blue]\fBusershare path = /usr/local/samba/lib/usershares\fR\m[]
626
359
\m[blue]\fBusershare max shares = 10\fR\m[] # (or the desired number of shares)
627
.EB lightgray adjust-for-leading-newline
628
.if t \{\
629
.sp 1
630
.\}
631
360
.fi
632
.fam
633
.ps +1
634
361
.if n \{\
635
362
.RE
636
363
.\}
637
364
.sp
638
365
to the global section of your
639
\FCsmb\&.conf\F[]\&. Members of the group foo may then manipulate the user defined shares using the following commands\&.
366
smb\&.conf\&. Members of the group foo may then manipulate the user defined shares using the following commands\&.
640
367
.PP
641
368
net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]
642
369
.RS 4
800
527
%p
801
528
.RS 4
802
529
the path of the service\'s home directory, obtained from your NIS auto\&.map entry\&. The NIS auto\&.map entry is split up as
803
\FC%N:%p\F[]\&.
530
%N:%p\&.
804
531
.RE
805
532
.PP
806
533
There are some quite creative things that can be done with these substitutions and other
807
\FCsmb\&.conf\F[]
534
smb\&.conf
808
535
options\&.
809
536
.SH "NAME MANGLING"
810
537
.PP
811
538
Samba supports
812
\FCname mangling\F[]
539
name mangling
813
540
so that DOS and Windows clients can use files that don\'t conform to the 8\&.3 format\&. It can also be set to adjust the case of 8\&.3 format filenames\&.
814
541
.PP
815
542
There are several options that control the way mangling is performed, and they are grouped here rather than listed separately\&. For the defaults look at the output of the testparm program\&.
839
566
preserve case = yes/no
840
567
.RS 4
841
568
controls whether new files (ie\&. files that don\'t currently exist in the filesystem) are created with the case that the client passes, or if they are forced to be the
842
\FCdefault\F[]
569
default
843
570
case\&. Default
844
571
\fIyes\fR\&.
845
572
.RE
847
574
short preserve case = yes/no
848
575
.RS 4
849
576
controls if new files (ie\&. files that don\'t currently exist in the filesystem) which conform to 8\&.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the
850
\FCdefault\F[]
577
default
851
578
case\&. This option can be used with
852
\FCpreserve case = yes\F[]
579
preserve case = yes
853
580
to permit long filenames to retain their case, while short names are lowercased\&. Default
854
581
\fIyes\fR\&.
855
582
.RE
872
599
.IP " 1." 4.2
873
600
.\}
874
601
If the client has passed a username/password pair and that username/password pair is validated by the UNIX system\'s password programs, the connection is made as that username\&. This includes the
875
\FC\e\eserver\eservice\F[]%\fIusername\fR
602
\e\eserver\eservice%\fIusername\fR
876
603
method of passing a username\&.
877
604
.RE
878
605
.sp
918
645
.IP " 5." 4.2
919
646
.\}
920
647
If a
921
\FCuser = \F[]
648
user =
922
649
field is given in the
923
\FCsmb\&.conf\F[]
650
smb\&.conf
924
651
file for the service and the client has supplied a password, and that password matches (according to the UNIX system\'s password checking) with one of the usernames from the
925
\FCuser =\F[]
652
user =
926
653
field, the connection is made as the username in the
927
\FCuser =\F[]
654
user =
928
655
line\&. If one of the usernames in the
929
\FCuser =\F[]
656
user =
930
657
list begins with a
931
\FC@\F[], that name expands to a list of names in the group of the same name\&.
658
@, that name expands to a list of names in the group of the same name\&.
932
659
.RE
933
660
.sp
934
661
.RS 4
940
667
.IP " 6." 4.2
941
668
.\}
942
669
If the service is a guest service, a connection is made as the username given in the
943
\FCguest account =\F[]
670
guest account =
944
671
for the service, irrespective of the supplied password\&.
945
672
.RE
946
673
.SH "REGISTRY-BASED CONFIGURATION"
947
674
.PP
948
675
Starting with Samba version 3\&.2\&.0, the capability to store Samba configuration in the registry is available\&. The configuration is stored in the registry key
949
\fI\FCHKLM\eSoftware\eSamba\esmbconf\F[]\fR\&. There are two levels of registry configuration:
676
\fIHKLM\eSoftware\eSamba\esmbconf\fR\&. There are two levels of registry configuration:
950
677
.sp
951
678
.RS 4
952
679
.ie n \{\
1009
736
or
1010
737
\fInet (rpc) registry\fR
1011
738
in the key
1012
\fI\FCHKLM\eSoftware\eSamba\esmbconf\F[]\fR\&. More conveniently, the
739
\fIHKLM\eSoftware\eSamba\esmbconf\fR\&. More conveniently, the
1013
740
\fIconf\fR
1014
741
subcommand of the
1015
742
\fBnet\fR(8)
1030
757
\fBSeRemoteShutdownPrivilege\fR, right, this command will be run as root\&.
1031
758
.sp
1032
759
Default:
1033
\fI\fIabort shutdown script\fR\fR\fI = \fR\fI\FC""\F[]\fR\fI \fR
760
\fI\fIabort shutdown script\fR\fR\fI = \fR\fI""\fR\fI \fR
1034
761
.sp
1035
762
Example:
1036
\fI\fIabort shutdown script\fR\fR\fI = \fR\fI\FC/sbin/shutdown \-c\F[]\fR\fI \fR
763
\fI\fIabort shutdown script\fR\fR\fI = \fR\fI/sbin/shutdown \-c\fR\fI \fR
1037
764
.RE
1038
765
1039
766
access based share enum (S)
1045
772
for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \e\esambaserver)\&. This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights\&.
1046
773
.sp
1047
774
Default:
1048
\fI\fIaccess based share enum\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
775
\fI\fIaccess based share enum\fR\fR\fI = \fR\fIno\fR\fI \fR
1049
776
.RE
1050
777
1051
778
acl check permissions (S)
1058
785
If this parameter is set to "false" Samba doesn\'t check permissions on "open for delete" and allows the open\&. If the user doesn\'t have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user\&. The symptom of this is files that appear to have been deleted "magically" re\-appearing on a Windows explorer refresh\&. This is an extremely advanced protocol option which should not need to be changed\&. This parameter was introduced in its final form in 3\&.0\&.21, an earlier version with slightly different semantics was introduced in 3\&.0\&.20\&. That older version is not documented here\&.
1059
786
.sp
1060
787
Default:
1061
\fI\fIacl check permissions\fR\fR\fI = \fR\fI\FCTrue\F[]\fR\fI \fR
788
\fI\fIacl check permissions\fR\fR\fI = \fR\fITrue\fR\fI \fR
1062
789
.RE
1063
790
1064
791
acl compatibility (G)
1074
801
\fIauto\fR, the value for this parameter will be based upon the version of the client\&. There should be no reason to change this parameter from the default\&.
1075
802
.sp
1076
803
Default:
1077
\fI\fIacl compatibility\fR\fR\fI = \fR\fI\FCAuto\F[]\fR\fI \fR
804
\fI\fIacl compatibility\fR\fR\fI = \fR\fIAuto\fR\fI \fR
1078
805
.sp
1079
806
Example:
1080
\fI\fIacl compatibility\fR\fR\fI = \fR\fI\FCwin2k\F[]\fR\fI \fR
807
\fI\fIacl compatibility\fR\fR\fI = \fR\fIwin2k\fR\fI \fR
1081
808
.RE
1082
809
1083
810
acl group control (S)
1103
830
option\&.
1104
831
.sp
1105
832
Default:
1106
\fI\fIacl group control\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
833
\fI\fIacl group control\fR\fR\fI = \fR\fIno\fR\fI \fR
1107
834
.RE
1108
835
1109
836
acl map full control (S)
1114
841
\fBsmbd\fR(8)maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL"\&. If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and execute\&.
1115
842
.sp
1116
843
Default:
1117
\fI\fIacl map full control\fR\fR\fI = \fR\fI\FCTrue\F[]\fR\fI \fR
844
\fI\fIacl map full control\fR\fR\fI = \fR\fITrue\fR\fI \fR
1118
845
.RE
1119
846
1120
847
add group script (G)
1130
857
to the group name passed\&. This script is only useful for installations using the Windows NT domain administration tools\&. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions\&. In that case the script must print the numeric gid of the created group on stdout\&.
1131
858
.sp
1132
859
Default:
1133
\fI\fIadd group script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
860
\fI\fIadd group script\fR\fR\fI = \fR\fI\fR\fI \fR
1134
861
.sp
1135
862
Example:
1136
\fI\fIadd group script\fR\fR\fI = \fR\fI\FC/usr/sbin/groupadd %g\F[]\fR\fI \fR
863
\fI\fIadd group script\fR\fR\fI = \fR\fI/usr/sbin/groupadd %g\fR\fI \fR
1137
864
.RE
1138
865
1139
866
add machine script (G)
1148
875
\m[blue]\fBadd user script\fR\m[], and likewise uses the %u substitution for the account name\&. Do not use the %m substitution\&.
1149
876
.sp
1150
877
Default:
1151
\fI\fIadd machine script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
878
\fI\fIadd machine script\fR\fR\fI = \fR\fI\fR\fI \fR
1152
879
.sp
1153
880
Example for Debian:
1154
881
\fI\fIadd machine script\fR\fR\fI = \fR\fI\FC/usr/sbin/adduser \-\-disabled-password \-\-ingroup machines \-\-gecos Machine \-\-home /var/lib/samba \-\-shell /bin/false %u\F[]\fR\fI \fR
1185
912
The deviceURI is in the for of socket://<hostname>[:<portnumber>] or lpd://<hostname>/<queuename>\&.
1186
913
.sp
1187
914
Default:
1188
\fI\fIadd port command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
915
\fI\fIadd port command\fR\fR\fI = \fR\fI\fR\fI \fR
1189
916
.sp
1190
917
Example:
1191
\fI\fIadd port command\fR\fR\fI = \fR\fI\FC/etc/samba/scripts/addport\&.sh\F[]\fR\fI \fR
918
\fI\fIadd port command\fR\fR\fI = \fR\fI/etc/samba/scripts/addport\&.sh\fR\fI \fR
1192
919
.RE
1193
920
1194
921
addprinter command (G)
1200
927
For a Samba host this means that the printer must be physically added to the underlying printing system\&. The
1201
928
\fIaddprinter command\fR
1202
929
defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the
1203
\FCsmb\&.conf\F[]
930
smb\&.conf
1204
931
file in order that it can be shared by
1205
932
\fBsmbd\fR(8)\&.
1206
933
.sp
1279
1006
Once the
1280
1007
\fIaddprinter command\fR
1281
1008
has been executed,
1282
\FCsmbd\F[]
1009
smbd
1283
1010
will reparse the
1284
\FC smb\&.conf\F[]
1011
smb\&.conf
1285
1012
to determine if the share defined by the APW exists\&. If the sharename is still invalid, then
1286
\FCsmbd \F[]
1013
smbd
1287
1014
will return an ACCESS_DENIED error to the client\&.
1288
1015
.sp
1289
1016
The
1291
1018
program can output a single line of text, which Samba will set as the port the new printer is connected to\&. If this line isn\'t output, Samba won\'t reload its printer shares\&.
1292
1019
.sp
1293
1020
Default:
1294
\fI\fIaddprinter command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1021
\fI\fIaddprinter command\fR\fR\fI = \fR\fI\fR\fI \fR
1295
1022
.sp
1296
1023
Example:
1297
\fI\fIaddprinter command\fR\fR\fI = \fR\fI\FC/usr/bin/addprinter\F[]\fR\fI \fR
1024
\fI\fIaddprinter command\fR\fR\fI = \fR\fI/usr/bin/addprinter\fR\fI \fR
1298
1025
.RE
1299
1026
1300
1027
add share command (G)
1304
1031
Samba 2\&.2\&.0 introduced the ability to dynamically add and delete shares via the Windows NT 4\&.0 Server Manager\&. The
1305
1032
\fIadd share command\fR
1306
1033
is used to define an external program or script which will add a new service definition to
1307
\FCsmb\&.conf\F[]\&.
1034
smb\&.conf\&.
1308
1035
.sp
1309
1036
In order to successfully execute the
1310
1037
\fIadd share command\fR,
1311
\FCsmbd\F[]
1038
smbd
1312
1039
requires that the administrator connects using a root account (i\&.e\&. uid == 0) or has the
1313
\FCSeDiskOperatorPrivilege\F[]\&. Scripts defined in the
1040
SeDiskOperatorPrivilege\&. Scripts defined in the
1314
1041
\fIadd share command\fR
1315
1042
parameter are executed as root\&.
1316
1043
.sp
1317
1044
When executed,
1318
\FCsmbd\F[]
1045
smbd
1319
1046
will automatically invoke the
1320
1047
\fIadd share command\fR
1321
1048
with five parameters\&.
1330
1057
.\}
1331
1058
\fIconfigFile\fR
1332
1059
\- the location of the global
1333
\FCsmb\&.conf\F[]
1060
smb\&.conf
1334
1061
file\&.
1335
1062
.RE
1336
1063
.sp
1386
1113
\m[blue]\fBaddprinter command\fR\m[]\&.
1387
1114
.sp
1388
1115
Default:
1389
\fI\fIadd share command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1116
\fI\fIadd share command\fR\fR\fI = \fR\fI\fR\fI \fR
1390
1117
.sp
1391
1118
Example:
1392
\fI\fIadd share command\fR\fR\fI = \fR\fI\FC/usr/local/bin/addshare\F[]\fR\fI \fR
1119
\fI\fIadd share command\fR\fR\fI = \fR\fI/usr/local/bin/addshare\fR\fI \fR
1393
1120
.RE
1394
1121
1395
1122
add user script (G)
1422
1149
contacts the
1423
1150
\m[blue]\fBpassword server\fR\m[]
1424
1151
and attempts to authenticate the given user with the given password\&. If the authentication succeeds then
1425
\FCsmbd\F[]
1152
smbd
1426
1153
attempts to find a UNIX user in the UNIX password database to map the Windows user into\&. If this lookup fails, and
1427
1154
\m[blue]\fBadd user script\fR\m[]
1428
1155
is set then
1429
\FCsmbd\F[]
1156
smbd
1430
1157
will call the specified script
1431
1158
\fIAS ROOT\fR, expanding any
1432
1159
\fI%u\fR
1433
1160
argument to be the user name to create\&.
1434
1161
.sp
1435
1162
If this script successfully creates the user then
1436
\FCsmbd\F[]
1163
smbd
1437
1164
will continue on as though the UNIX user already existed\&. In this way, UNIX users are dynamically created to match existing Windows NT accounts\&.
1438
1165
.sp
1439
1166
See also
1442
1169
\m[blue]\fBdelete user script\fR\m[]\&.
1443
1170
.sp
1444
1171
Default:
1445
\fI\fIadd user script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1172
\fI\fIadd user script\fR\fR\fI = \fR\fI\fR\fI \fR
1446
1173
.sp
1447
1174
Example:
1448
\fI\fIadd user script\fR\fR\fI = \fR\fI\FC/usr/local/samba/bin/add_user %u\F[]\fR\fI \fR
1175
\fI\fIadd user script\fR\fR\fI = \fR\fI/usr/local/samba/bin/add_user %u\fR\fI \fR
1449
1176
.RE
1450
1177
1451
1178
add user to group script (G)
1461
1188
will be replaced with the user name\&.
1462
1189
.sp
1463
1190
Note that the
1464
\FCadduser\F[]
1191
adduser
1465
1192
command used in the example below does not support the used syntax on all systems\&.
1466
1193
.sp
1467
1194
Default:
1468
\fI\fIadd user to group script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1195
\fI\fIadd user to group script\fR\fR\fI = \fR\fI\fR\fI \fR
1469
1196
.sp
1470
1197
Example:
1471
\fI\fIadd user to group script\fR\fR\fI = \fR\fI\FC/usr/sbin/adduser %u %g\F[]\fR\fI \fR
1198
\fI\fIadd user to group script\fR\fR\fI = \fR\fI/usr/sbin/adduser %u %g\fR\fI \fR
1472
1199
.RE
1473
1200
1474
1201
administrative share (S)
1484
1211
for more information about this option\&.
1485
1212
.sp
1486
1213
Default:
1487
\fI\fIadministrative share\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1214
\fI\fIadministrative share\fR\fR\fI = \fR\fIno\fR\fI \fR
1488
1215
.RE
1489
1216
1490
1217
admin users (S)
1500
1227
in Samba 3\&.0\&. This is by design\&.
1501
1228
.sp
1502
1229
Default:
1503
\fI\fIadmin users\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1230
\fI\fIadmin users\fR\fR\fI = \fR\fI\fR\fI \fR
1504
1231
.sp
1505
1232
Example:
1506
\fI\fIadmin users\fR\fR\fI = \fR\fI\FCjason\F[]\fR\fI \fR
1233
\fI\fIadmin users\fR\fR\fI = \fR\fIjason\fR\fI \fR
1507
1234
.RE
1508
1235
1509
1236
afs share (S)
1515
1242
parameter is a local AFS import\&. The special AFS features include the attempt to hand\-craft an AFS token if you enabled \-\-with\-fake\-kaserver in configure\&.
1516
1243
.sp
1517
1244
Default:
1518
\fI\fIafs share\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1245
\fI\fIafs share\fR\fR\fI = \fR\fIno\fR\fI \fR
1519
1246
.RE
1520
1247
1521
1248
afs username map (G)
1527
1254
The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token\&.
1528
1255
.sp
1529
1256
Default:
1530
\fI\fIafs username map\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1257
\fI\fIafs username map\fR\fR\fI = \fR\fI\fR\fI \fR
1531
1258
.sp
1532
1259
Example:
1533
\fI\fIafs username map\fR\fR\fI = \fR\fI\FC%u@afs\&.samba\&.org\F[]\fR\fI \fR
1260
\fI\fIafs username map\fR\fR\fI = \fR\fI%u@afs\&.samba\&.org\fR\fI \fR
1534
1261
.RE
1535
1262
1536
1263
aio read size (S)
1548
1275
\m[blue]\fBaio write size\fR\m[]
1549
1276
.sp
1550
1277
Default:
1551
\fI\fIaio read size\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
1552
.sp
1553
Example:
1554
\fI\fIaio read size\fR\fR\fI = \fR\fI\FC16384 # Use asynchronous I/O for reads bigger than 16KB request size\F[]\fR\fI \fR
1278
\fI\fIaio read size\fR\fR\fI = \fR\fI0\fR\fI \fR
1279
.sp
1280
Example:
1281
\fI\fIaio read size\fR\fR\fI = \fR\fI16384 # Use asynchronous I/O for reads bigger than 16KB request size\fR\fI \fR
1282
.RE
1283
1284
aio write behind (S)
1285
.\" aio write behind
1286
.PP
1287
.RS 4
1288
If Samba has been built with asynchronous I/O support, Samba will not wait until write requests are finished before returning the result to the client for files listed in this parameter\&. Instead, Samba will immediately return that the write request has been finished successfully, no matter if the operation will succeed or not\&. This might speed up clients without aio support, but is really dangerous, because data could be lost and files could be damaged\&.
1289
.sp
1290
The syntax is identical to the
1291
\m[blue]\fBveto files\fR\m[]
1292
parameter\&.
1293
.sp
1294
Default:
1295
\fI\fIaio write behind\fR\fR\fI = \fR\fI\fR\fI \fR
1296
.sp
1297
Example:
1298
\fI\fIaio write behind\fR\fR\fI = \fR\fI/*\&.tmp/\fR\fI \fR
1555
1299
.RE
1556
1300
1557
1301
aio write size (S)
1569
1313
\m[blue]\fBaio read size\fR\m[]
1570
1314
.sp
1571
1315
Default:
1572
\fI\fIaio write size\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
1316
\fI\fIaio write size\fR\fR\fI = \fR\fI0\fR\fI \fR
1573
1317
.sp
1574
1318
Example:
1575
\fI\fIaio write size\fR\fR\fI = \fR\fI\FC16384 # Use asynchronous I/O for writes bigger than 16KB request size\F[]\fR\fI \fR
1319
\fI\fIaio write size\fR\fR\fI = \fR\fI16384 # Use asynchronous I/O for writes bigger than 16KB request size\fR\fI \fR
1576
1320
.RE
1577
1321
1578
1322
algorithmic rid base (G)
1586
1330
All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server\&. As such the algorithmic mapping can\'t be \'turned off\', but pushing it \'out of the way\' should resolve the issues\&. Users and groups can then be assigned \'low\' RIDs in arbitrary\-rid supporting backends\&.
1587
1331
.sp
1588
1332
Default:
1589
\fI\fIalgorithmic rid base\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
1333
\fI\fIalgorithmic rid base\fR\fR\fI = \fR\fI1000\fR\fI \fR
1590
1334
.sp
1591
1335
Example:
1592
\fI\fIalgorithmic rid base\fR\fR\fI = \fR\fI\FC100000\F[]\fR\fI \fR
1336
\fI\fIalgorithmic rid base\fR\fR\fI = \fR\fI100000\fR\fI \fR
1593
1337
.RE
1594
1338
1595
1339
allocation roundup size (S)
1601
1345
The integer parameter specifies the roundup size in bytes\&.
1602
1346
.sp
1603
1347
Default:
1604
\fI\fIallocation roundup size\fR\fR\fI = \fR\fI\FC1048576\F[]\fR\fI \fR
1348
\fI\fIallocation roundup size\fR\fR\fI = \fR\fI1048576\fR\fI \fR
1605
1349
.sp
1606
1350
Example:
1607
\fI\fIallocation roundup size\fR\fR\fI = \fR\fI\FC0 # (to disable roundups)\F[]\fR\fI \fR
1351
\fI\fIallocation roundup size\fR\fR\fI = \fR\fI0 # (to disable roundups)\fR\fI \fR
1608
1352
.RE
1609
1353
1610
1354
allow trusted domains (G)
1622
1366
This is useful if you only want your Samba server to serve resources to users in the domain it is a member of\&. As an example, suppose that there are two domains DOMA and DOMB\&. DOMB is trusted by DOMA, which contains the Samba server\&. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA\&. This can make implementing a security boundary difficult\&.
1623
1367
.sp
1624
1368
Default:
1625
\fI\fIallow trusted domains\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
1369
\fI\fIallow trusted domains\fR\fR\fI = \fR\fIyes\fR\fI \fR
1626
1370
.RE
1627
1371
1628
1372
announce as (G)
1634
1378
will announce itself as, to a network neighborhood browse list\&. By default this is set to Windows NT\&. The valid options are : "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively\&. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly\&.
1635
1379
.sp
1636
1380
Default:
1637
\fI\fIannounce as\fR\fR\fI = \fR\fI\FCNT Server\F[]\fR\fI \fR
1381
\fI\fIannounce as\fR\fR\fI = \fR\fINT Server\fR\fI \fR
1638
1382
.sp
1639
1383
Example:
1640
\fI\fIannounce as\fR\fR\fI = \fR\fI\FCWin95\F[]\fR\fI \fR
1384
\fI\fIannounce as\fR\fR\fI = \fR\fIWin95\fR\fI \fR
1641
1385
.RE
1642
1386
1643
1387
announce version (G)
1647
1391
This specifies the major and minor version numbers that nmbd will use when announcing itself as a server\&. The default is 4\&.9\&. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server\&.
1648
1392
.sp
1649
1393
Default:
1650
\fI\fIannounce version\fR\fR\fI = \fR\fI\FC4\&.9\F[]\fR\fI \fR
1394
\fI\fIannounce version\fR\fR\fI = \fR\fI4\&.9\fR\fI \fR
1651
1395
.sp
1652
1396
Example:
1653
\fI\fIannounce version\fR\fR\fI = \fR\fI\FC2\&.0\F[]\fR\fI \fR
1397
\fI\fIannounce version\fR\fR\fI = \fR\fI2\&.0\fR\fI \fR
1654
1398
.RE
1655
1399
1656
1400
auth methods (G)
1658
1402
.PP
1659
1403
.RS 4
1660
1404
This option allows the administrator to chose what authentication methods
1661
\FCsmbd\F[]
1405
smbd
1662
1406
will use when authenticating a user\&. This option defaults to sensible values based on
1663
1407
\m[blue]\fBsecurity\fR\m[]\&. This should be considered a developer option and used only in rare circumstances\&. In the majority (if not all) of production servers, the default setting should be adequate\&.
1664
1408
.sp
1677
1421
(authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method)\&.
1678
1422
.sp
1679
1423
Default:
1680
\fI\fIauth methods\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1424
\fI\fIauth methods\fR\fR\fI = \fR\fI\fR\fI \fR
1681
1425
.sp
1682
1426
Example:
1683
\fI\fIauth methods\fR\fR\fI = \fR\fI\FCguest sam winbind\F[]\fR\fI \fR
1427
\fI\fIauth methods\fR\fR\fI = \fR\fIguest sam winbind\fR\fI \fR
1684
1428
.RE
1685
1429
1686
1430
available (S)
1693
1437
attempts to connect to the service will fail\&. Such failures are logged\&.
1694
1438
.sp
1695
1439
Default:
1696
\fI\fIavailable\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
1440
\fI\fIavailable\fR\fR\fI = \fR\fIyes\fR\fI \fR
1697
1441
.RE
1698
1442
1699
1443
bind interfaces only (G)
1707
1451
in a slightly different ways\&.
1708
1452
.sp
1709
1453
For name service it causes
1710
\FCnmbd\F[]
1454
nmbd
1711
1455
to bind to ports 137 and 138 on the interfaces listed in the
1712
1456
\m[blue]\fBinterfaces\fR\m[]
1713
1457
parameter\&.
1714
\FCnmbd\F[]
1458
nmbd
1715
1459
also binds to the "all addresses" interface (0\&.0\&.0\&.0) on ports 137 and 138 for the purposes of reading broadcast messages\&. If this option is not set then
1716
\FCnmbd\F[]
1460
nmbd
1717
1461
will service name requests on all of these sockets\&. If
1718
1462
\m[blue]\fBbind interfaces only\fR\m[]
1719
1463
is set then
1720
\FCnmbd\F[]
1464
nmbd
1721
1465
will check the source address of any packets coming in on the broadcast sockets and discard any that don\'t match the broadcast addresses of the interfaces in the
1722
1466
\m[blue]\fBinterfaces\fR\m[]
1723
1467
parameter list\&. As unicast packets are received on the other sockets it allows
1724
\FCnmbd\F[]
1468
nmbd
1725
1469
to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the
1726
1470
\m[blue]\fBinterfaces\fR\m[]
1727
1471
list\&. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
1728
\FCnmbd\F[]\&.
1472
nmbd\&.
1729
1473
.sp
1730
1474
For file service it causes
1731
1475
\fBsmbd\fR(8)
1732
1476
to bind only to the interface list given in the
1733
1477
\m[blue]\fBinterfaces\fR\m[]
1734
1478
parameter\&. This restricts the networks that
1735
\FCsmbd\F[]
1479
smbd
1736
1480
will serve, to packets coming in on those interfaces\&. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non\-broadcast network interfaces as it will not cope with non\-permanent interfaces\&.
1737
1481
.sp
1738
1482
If
1748
1492
may not work as expected due to the reasons covered below\&.
1749
1493
.sp
1750
1494
To change a users SMB password, the
1751
\FCsmbpasswd\F[]
1495
smbpasswd
1752
1496
by default connects to the
1753
1497
\fIlocalhost \- 127\&.0\&.0\&.1\fR
1754
1498
address as an SMB client to issue the password change request\&. If
1758
1502
is added to the
1759
1503
\m[blue]\fBinterfaces\fR\m[]
1760
1504
parameter list then
1761
\FC smbpasswd\F[]
1505
smbpasswd
1762
1506
will fail to connect in it\'s default mode\&.
1763
\FCsmbpasswd\F[]
1507
smbpasswd
1764
1508
can be forced to use the primary IP interface of the local host by using its
1765
1509
\fBsmbpasswd\fR(8)
1766
1510
\fI\-r \fR\fI\fIremote machine\fR\fR
1769
1513
set to the IP name of the primary interface of the local host\&.
1770
1514
.sp
1771
1515
The
1772
\FCswat\F[]
1516
swat
1773
1517
status page tries to connect with
1774
\FCsmbd\F[]
1518
smbd
1775
1519
and
1776
\FCnmbd\F[]
1520
nmbd
1777
1521
at the address
1778
1522
\fI127\&.0\&.0\&.1\fR
1779
1523
to determine if they are running\&. Not adding
1780
1524
\fI127\&.0\&.0\&.1\fR
1781
1525
will cause
1782
\FC smbd\F[]
1526
smbd
1783
1527
and
1784
\FCnmbd\F[]
1528
nmbd
1785
1529
to always show "not running" even if they really are\&. This can prevent
1786
\FC swat\F[]
1530
swat
1787
1531
from starting/stopping/restarting
1788
\FCsmbd\F[]
1532
smbd
1789
1533
and
1790
\FCnmbd\F[]\&.
1534
nmbd\&.
1791
1535
.sp
1792
1536
Default:
1793
\fI\fIbind interfaces only\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1537
\fI\fIbind interfaces only\fR\fR\fI = \fR\fIno\fR\fI \fR
1794
1538
.RE
1795
1539
1796
1540
blocking locks (S)
1807
1551
\fBno\fR, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained\&.
1808
1552
.sp
1809
1553
Default:
1810
\fI\fIblocking locks\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
1554
\fI\fIblocking locks\fR\fR\fI = \fR\fIyes\fR\fI \fR
1811
1555
.RE
1812
1556
1813
1557
block size (S)
1823
1567
Changing this option does not change the disk free reporting size, just the block size unit reported to the client\&.
1824
1568
.sp
1825
1569
Default:
1826
\fI\fIblock size\fR\fR\fI = \fR\fI\FC1024\F[]\fR\fI \fR
1570
\fI\fIblock size\fR\fR\fI = \fR\fI1024\fR\fI \fR
1827
1571
.sp
1828
1572
Example:
1829
\fI\fIblock size\fR\fR\fI = \fR\fI\FC4096\F[]\fR\fI \fR
1573
\fI\fIblock size\fR\fR\fI = \fR\fI4096\fR\fI \fR
1830
1574
.RE
1831
1575
1832
1576
browsable
1844
1588
This controls whether this share is seen in the list of available shares in a net view and in the browse list\&.
1845
1589
.sp
1846
1590
Default:
1847
\fI\fIbrowseable\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
1591
\fI\fIbrowseable\fR\fR\fI = \fR\fIyes\fR\fI \fR
1848
1592
.RE
1849
1593
1850
1594
browse list (G)
1854
1598
This controls whether
1855
1599
\fBsmbd\fR(8)
1856
1600
will serve a browse list to a client doing a
1857
\FCNetServerEnum\F[]
1601
NetServerEnum
1858
1602
call\&. Normally set to
1859
1603
\fByes\fR\&. You should never need to change this\&.
1860
1604
.sp
1861
1605
Default:
1862
\fI\fIbrowse list\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
1606
\fI\fIbrowse list\fR\fR\fI = \fR\fIyes\fR\fI \fR
1607
.RE
1608
1609
cache directory (G)
1610
.\" cache directory
1611
.PP
1612
.RS 4
1613
Usually, most of the TDB files are stored in the
1614
\fIlock directory\fR\&. Since Samba 3\&.4\&.0, it is possible to differentiate between TDB files with persistent data and TDB files with non\-persistent data using the
1615
\fIstate directory\fR
1616
and the
1617
\fIcache directory\fR
1618
options\&.
1619
.sp
1620
This option specifies the directory where TDB files containing non\-persistent data will be stored\&.
1621
.sp
1622
Default:
1623
\fI\fIcache directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
1624
.sp
1625
Example:
1626
\fI\fIcache directory\fR\fR\fI = \fR\fI/var/run/samba/locks/cache\fR\fI \fR
1863
1627
.RE
1864
1628
1865
1629
casesignames
1878
1642
\m[blue]\fBname mangling\fR\m[]\&.
1879
1643
.sp
1880
1644
Default:
1881
\fI\fIcase sensitive\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1645
\fI\fIcase sensitive\fR\fR\fI = \fR\fIno\fR\fI \fR
1882
1646
.RE
1883
1647
1884
1648
change notify (S)
1890
1654
You should never need to change this parameter
1891
1655
.sp
1892
1656
Default:
1893
\fI\fIchange notify\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
1657
\fI\fIchange notify\fR\fR\fI = \fR\fIyes\fR\fI \fR
1894
1658
.RE
1895
1659
1896
1660
change share command (G)
1900
1664
Samba 2\&.2\&.0 introduced the ability to dynamically add and delete shares via the Windows NT 4\&.0 Server Manager\&. The
1901
1665
\fIchange share command\fR
1902
1666
is used to define an external program or script which will modify an existing service definition in
1903
\FCsmb\&.conf\F[]\&.
1667
smb\&.conf\&.
1904
1668
.sp
1905
1669
In order to successfully execute the
1906
1670
\fIchange share command\fR,
1907
\FCsmbd\F[]
1671
smbd
1908
1672
requires that the administrator connects using a root account (i\&.e\&. uid == 0) or has the
1909
\FCSeDiskOperatorPrivilege\F[]\&. Scripts defined in the
1673
SeDiskOperatorPrivilege\&. Scripts defined in the
1910
1674
\fIchange share command\fR
1911
1675
parameter are executed as root\&.
1912
1676
.sp
1913
1677
When executed,
1914
\FCsmbd\F[]
1678
smbd
1915
1679
will automatically invoke the
1916
1680
\fIchange share command\fR
1917
1681
with five parameters\&.
1926
1690
.\}
1927
1691
\fIconfigFile\fR
1928
1692
\- the location of the global
1929
\FCsmb\&.conf\F[]
1693
smb\&.conf
1930
1694
file\&.
1931
1695
.RE
1932
1696
.sp
1981
1745
This parameter is only used to modify existing file share definitions\&. To modify printer shares, use the "Printers\&.\&.\&." folder as seen when browsing the Samba host\&.
1982
1746
.sp
1983
1747
Default:
1984
\fI\fIchange share command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1748
\fI\fIchange share command\fR\fR\fI = \fR\fI\fR\fI \fR
1985
1749
.sp
1986
1750
Example:
1987
\fI\fIchange share command\fR\fR\fI = \fR\fI\FC/usr/local/bin/changeshare\F[]\fR\fI \fR
1751
\fI\fIchange share command\fR\fR\fI = \fR\fI/usr/local/bin/changeshare\fR\fI \fR
1988
1752
.RE
1989
1753
1990
1754
check password script (G)
1996
1760
The program must return 0 on a good password, or any other value if the password is bad\&. In case the password is considered weak (the program does not return 0) the user will be notified and the password change will fail\&.
1997
1761
.sp
1998
1762
Note: In the example directory is a sample program called
1999
\FCcrackcheck\F[]
1763
crackcheck
2000
1764
that uses cracklib to check the password quality\&.
2001
1765
.sp
2002
1766
Default:
2003
\fI\fIcheck password script\fR\fR\fI = \fR\fI\FCDisabled\F[]\fR\fI \fR
1767
\fI\fIcheck password script\fR\fR\fI = \fR\fIDisabled\fR\fI \fR
2004
1768
.sp
2005
1769
Example:
2006
\fI\fIcheck password script\fR\fR\fI = \fR\fI\FC/usr/local/sbin/crackcheck\F[]\fR\fI \fR
1770
\fI\fIcheck password script\fR\fR\fI = \fR\fI/usr/local/sbin/crackcheck\fR\fI \fR
2007
1771
.RE
2008
1772
2009
1773
client lanman auth (G)
2017
1781
The LANMAN encrypted response is easily broken, due to its case\-insensitive nature, and the choice of algorithm\&. Clients without Windows 95/98 servers are advised to disable this option\&.
2018
1782
.sp
2019
1783
Disabling this option will also disable the
2020
\FCclient plaintext auth\F[]
1784
client plaintext auth
2021
1785
option\&.
2022
1786
.sp
2023
1787
Likewise, if the
2024
\FCclient ntlmv2 auth\F[]
1788
client ntlmv2 auth
2025
1789
parameter is enabled, then only NTLMv2 logins will be attempted\&.
2026
1790
.sp
2027
1791
Default:
2028
\fI\fIclient lanman auth\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1792
\fI\fIclient lanman auth\fR\fR\fI = \fR\fIno\fR\fI \fR
2029
1793
.RE
2030
1794
2031
1795
client ldap sasl wrapping (G)
2046
1810
\fIseal\fR
2047
1811
are only available if Samba has been compiled against a modern OpenLDAP version (2\&.3\&.x or higher)\&.
2048
1812
.sp
2049
This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "\FCHKLM\eSystem\eCurrentControlSet\eServices\e\F[]
2050
\FCNTDS\eParameters\eLDAPServerIntegrity\F[]" on the Windows server side\&.
1813
This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "HKLM\eSystem\eCurrentControlSet\eServices\e
1814
NTDS\eParameters\eLDAPServerIntegrity" on the Windows server side\&.
2051
1815
.sp
2052
1816
Depending on the used KRB5 library (MIT and older Heimdal versions) it is possible that the message "integrity only" is not supported\&. In this case,
2053
1817
\fIsign\fR
2062
1826
\fIseal\fR\&.
2063
1827
.sp
2064
1828
Default:
2065
\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fI\FCplain\F[]\fR\fI \fR
1829
\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fIplain\fR\fI \fR
2066
1830
.RE
2067
1831
2068
1832
client ntlmv2 auth (G)
2076
1840
If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent\&. Many servers (including NT4 < SP4, Win9x and Samba 2\&.2) are not compatible with NTLMv2\&.
2077
1841
.sp
2078
1842
Similarly, if enabled, NTLMv1,
2079
\FCclient lanman auth\F[]
1843
client lanman auth
2080
1844
and
2081
\FCclient plaintext auth\F[]
1845
client plaintext auth
2082
1846
authentication will be disabled\&. This also disables share\-level authentication\&.
2083
1847
.sp
2084
1848
If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of
2085
\FCclient lanman auth\F[]\&.
1849
client lanman auth\&.
2086
1850
.sp
2087
1851
Note that some sites (particularly those following \'best practice\' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM\&.
2088
1852
.sp
2089
1853
Default:
2090
\fI\fIclient ntlmv2 auth\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1854
\fI\fIclient ntlmv2 auth\fR\fR\fI = \fR\fIno\fR\fI \fR
2091
1855
.RE
2092
1856
2093
1857
client plaintext auth (G)
2097
1861
Specifies whether a client should send a plaintext password if the server does not support encrypted passwords\&.
2098
1862
.sp
2099
1863
Default:
2100
\fI\fIclient plaintext auth\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1864
\fI\fIclient plaintext auth\fR\fR\fI = \fR\fIno\fR\fI \fR
2101
1865
.RE
2102
1866
2103
1867
client schannel (G)
2113
1877
denies access if the server is not able to speak netlogon schannel\&.
2114
1878
.sp
2115
1879
Default:
2116
\fI\fIclient schannel\fR\fR\fI = \fR\fI\FCauto\F[]\fR\fI \fR
1880
\fI\fIclient schannel\fR\fR\fI = \fR\fIauto\fR\fI \fR
2117
1881
.sp
2118
1882
Example:
2119
\fI\fIclient schannel\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
1883
\fI\fIclient schannel\fR\fR\fI = \fR\fIyes\fR\fI \fR
2120
1884
.RE
2121
1885
2122
1886
client signing (G)
2132
1896
When set to auto, SMB signing is offered, but not enforced\&. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either\&.
2133
1897
.sp
2134
1898
Default:
2135
\fI\fIclient signing\fR\fR\fI = \fR\fI\FCauto\F[]\fR\fI \fR
1899
\fI\fIclient signing\fR\fR\fI = \fR\fIauto\fR\fI \fR
2136
1900
.RE
2137
1901
2138
1902
client use spnego (G)
2142
1906
This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba 3\&.0) to agree upon an authentication mechanism\&. This enables Kerberos authentication in particular\&.
2143
1907
.sp
2144
1908
Default:
2145
\fI\fIclient use spnego\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
1909
\fI\fIclient use spnego\fR\fR\fI = \fR\fIyes\fR\fI \fR
2146
1910
.RE
2147
1911
2148
1912
cluster addresses (G)
2152
1916
With this parameter you can add additional addresses nmbd will register with a WINS server\&. These addresses are not necessarily present on all nodes simultaneously, but they will be registered with the WINS server so that clients can contact any of the nodes\&.
2153
1917
.sp
2154
1918
Default:
2155
\fI\fIcluster addresses\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
1919
\fI\fIcluster addresses\fR\fR\fI = \fR\fI\fR\fI \fR
2156
1920
.sp
2157
1921
Example:
2158
\fI\fIcluster addresses\fR\fR\fI = \fR\fI\FC10\&.0\&.0\&.1 10\&.0\&.0\&.2 10\&.0\&.0\&.3\F[]\fR\fI \fR
1922
\fI\fIcluster addresses\fR\fR\fI = \fR\fI10\&.0\&.0\&.1 10\&.0\&.0\&.2 10\&.0\&.0\&.3\fR\fI \fR
2159
1923
.RE
2160
1924
2161
1925
clustering (G)
2165
1929
This parameter specifies whether Samba should contact ctdb for accessing its tdb files and use ctdb as a backend for its messaging backend\&.
2166
1930
.sp
2167
1931
Set this parameter to
2168
\FCyes\F[]
1932
yes
2169
1933
only if you have a cluster setup with ctdb running\&.
2170
1934
.sp
2171
1935
Default:
2172
\fI\fIclustering\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
1936
\fI\fIclustering\fR\fR\fI = \fR\fIno\fR\fI \fR
2173
1937
.RE
2174
1938
2175
1939
comment (S)
2177
1941
.PP
2178
1942
.RS 4
2179
1943
This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via
2180
\FCnet view\F[]
1944
net view
2181
1945
to list what shares are available\&.
2182
1946
.sp
2183
1947
If you want to set the string that is displayed next to the machine name then see the
2185
1949
parameter\&.
2186
1950
.sp
2187
1951
Default:
2188
\fI\fIcomment\fR\fR\fI = \fR\fI\FC # No comment\F[]\fR\fI \fR
1952
\fI\fIcomment\fR\fR\fI = \fR\fI # No comment\fR\fI \fR
2189
1953
.sp
2190
1954
Example:
2191
\fI\fIcomment\fR\fR\fI = \fR\fI\FCFred\'s Files\F[]\fR\fI \fR
1955
\fI\fIcomment\fR\fR\fI = \fR\fIFred\'s Files\fR\fI \fR
2192
1956
.RE
2193
1957
2194
1958
config backend (G)
2209
1973
Note: This option can not be set inside the registry configuration itself\&.
2210
1974
.sp
2211
1975
Default:
2212
\fI\fIconfig backend\fR\fR\fI = \fR\fI\FCfile\F[]\fR\fI \fR
1976
\fI\fIconfig backend\fR\fR\fI = \fR\fIfile\fR\fI \fR
2213
1977
.sp
2214
1978
Example:
2215
\fI\fIconfig backend\fR\fR\fI = \fR\fI\FCregistry\F[]\fR\fI \fR
1979
\fI\fIconfig backend\fR\fR\fI = \fR\fIregistry\fR\fI \fR
2216
1980
.RE
2217
1981
2218
1982
config file (G)
2220
1984
.PP
2221
1985
.RS 4
2222
1986
This allows you to override the config file to use, instead of the default (usually
2223
\FCsmb\&.conf\F[])\&. There is a chicken and egg problem here as this option is set in the config file!
1987
smb\&.conf)\&. There is a chicken and egg problem here as this option is set in the config file!
2224
1988
.sp
2225
1989
For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file\&.
2226
1990
.sp
2231
1995
\fINo default\fR
2232
1996
.sp
2233
1997
Example:
2234
\fI\fIconfig file\fR\fR\fI = \fR\fI\FC/usr/local/samba/lib/smb\&.conf\&.%m\F[]\fR\fI \fR
1998
\fI\fIconfig file\fR\fR\fI = \fR\fI/usr/local/samba/lib/smb\&.conf\&.%m\fR\fI \fR
2235
1999
.RE
2236
2000
2237
2001
copy (S)
2243
2007
This feature lets you set up a \'template\' service and create similar services easily\&. Note that the service being copied must occur earlier in the configuration file than the service doing the copying\&.
2244
2008
.sp
2245
2009
Default:
2246
\fI\fIcopy\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2010
\fI\fIcopy\fR\fR\fI = \fR\fI\fR\fI \fR
2247
2011
.sp
2248
2012
Example:
2249
\fI\fIcopy\fR\fR\fI = \fR\fI\FCotherservice\F[]\fR\fI \fR
2013
\fI\fIcopy\fR\fR\fI = \fR\fIotherservice\fR\fI \fR
2250
2014
.RE
2251
2015
2252
2016
create mode
2266
2030
set here will be removed from the modes set on a file when it is created\&.
2267
2031
.sp
2268
2032
The default value of this parameter removes the
2269
\FCgroup\F[]
2033
group
2270
2034
and
2271
\FCother\F[]
2035
other
2272
2036
write and execute bits from the UNIX modes\&.
2273
2037
.sp
2274
2038
Following this Samba will bit\-wise \'OR\' the UNIX mode created from this parameter with the value of the
2283
2047
\m[blue]\fBsecurity mask\fR\m[]\&.
2284
2048
.sp
2285
2049
Default:
2286
\fI\fIcreate mask\fR\fR\fI = \fR\fI\FC0744\F[]\fR\fI \fR
2050
\fI\fIcreate mask\fR\fR\fI = \fR\fI0744\fR\fI \fR
2287
2051
.sp
2288
2052
Example:
2289
\fI\fIcreate mask\fR\fR\fI = \fR\fI\FC0775\F[]\fR\fI \fR
2053
\fI\fIcreate mask\fR\fR\fI = \fR\fI0775\fR\fI \fR
2290
2054
.RE
2291
2055
2292
2056
csc policy (S)
2302
2066
\m[blue]\fBcsc policy = disable\fR\m[]\&.
2303
2067
.sp
2304
2068
Default:
2305
\fI\fIcsc policy\fR\fR\fI = \fR\fI\FCmanual\F[]\fR\fI \fR
2069
\fI\fIcsc policy\fR\fR\fI = \fR\fImanual\fR\fI \fR
2306
2070
.sp
2307
2071
Example:
2308
\fI\fIcsc policy\fR\fR\fI = \fR\fI\FCprograms\F[]\fR\fI \fR
2072
\fI\fIcsc policy\fR\fR\fI = \fR\fIprograms\fR\fI \fR
2309
2073
.RE
2310
2074
2311
2075
ctdbd socket (G)
2313
2077
.PP
2314
2078
.RS 4
2315
2079
If you set
2316
\FCclustering=yes\F[], you need to tell Samba where ctdbd listens on its unix domain socket\&. The default path as of ctdb 1\&.0 is /tmp/ctdb\&.socket which you have to explicitly set for Samba in smb\&.conf\&.
2080
clustering=yes, you need to tell Samba where ctdbd listens on its unix domain socket\&. The default path as of ctdb 1\&.0 is /tmp/ctdb\&.socket which you have to explicitly set for Samba in smb\&.conf\&.
2317
2081
.sp
2318
2082
Default:
2319
\fI\fIctdbd socket\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2083
\fI\fIctdbd socket\fR\fR\fI = \fR\fI\fR\fI \fR
2320
2084
.sp
2321
2085
Example:
2322
\fI\fIctdbd socket\fR\fR\fI = \fR\fI\FC/tmp/ctdb\&.socket\F[]\fR\fI \fR
2086
\fI\fIctdbd socket\fR\fR\fI = \fR\fI/tmp/ctdb\&.socket\fR\fI \fR
2323
2087
.RE
2324
2088
2325
2089
cups connection timeout (G)
2334
2098
If set, this option specifies the number of seconds that smbd will wait whilst trying to contact to the CUPS server\&. The connection will fail if it takes longer than this number of seconds\&.
2335
2099
.sp
2336
2100
Default:
2337
\fI\fIcups connection timeout\fR\fR\fI = \fR\fI\FC30\F[]\fR\fI \fR
2101
\fI\fIcups connection timeout\fR\fR\fI = \fR\fI30\fR\fI \fR
2338
2102
.sp
2339
2103
Example:
2340
\fI\fIcups connection timeout\fR\fR\fI = \fR\fI\FC60\F[]\fR\fI \fR
2104
\fI\fIcups connection timeout\fR\fR\fI = \fR\fI60\fR\fI \fR
2341
2105
.RE
2342
2106
2343
2107
cups options (S)
2354
2118
You should set this parameter to
2355
2119
\fBraw\fR
2356
2120
if your CUPS server
2357
\FCerror_log\F[]
2121
error_log
2358
2122
file contains messages such as "Unsupported format \'application/octet\-stream\'" when printing from a Windows client through Samba\&. It is no longer necessary to enable system wide raw printing in
2359
\FC/etc/cups/mime\&.{convs,types}\F[]\&.
2123
/etc/cups/mime\&.{convs,types}\&.
2360
2124
.sp
2361
2125
Default:
2362
\fI\fIcups options\fR\fR\fI = \fR\fI\FC""\F[]\fR\fI \fR
2126
\fI\fIcups options\fR\fR\fI = \fR\fI""\fR\fI \fR
2363
2127
.sp
2364
2128
Example:
2365
\fI\fIcups options\fR\fR\fI = \fR\fI\FC"raw media=a4"\F[]\fR\fI \fR
2129
\fI\fIcups options\fR\fR\fI = \fR\fI"raw media=a4"\fR\fI \fR
2366
2130
.RE
2367
2131
2368
2132
cups server (G)
2375
2139
\fBcups\fR\&.
2376
2140
.sp
2377
2141
If set, this option overrides the ServerName option in the CUPS
2378
\FCclient\&.conf\F[]\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
2142
client\&.conf\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
2379
2143
.sp
2380
2144
Optionally, a port can be specified by separating the server name and port number with a colon\&. If no port was specified, the default port for IPP (631) will be used\&.
2381
2145
.sp
2382
2146
Default:
2383
\fI\fIcups server\fR\fR\fI = \fR\fI\FC""\F[]\fR\fI \fR
2384
.sp
2385
Example:
2386
\fI\fIcups server\fR\fR\fI = \fR\fI\FCmycupsserver\F[]\fR\fI \fR
2387
.sp
2388
Example:
2389
\fI\fIcups server\fR\fR\fI = \fR\fI\FCmycupsserver:1631\F[]\fR\fI \fR
2147
\fI\fIcups server\fR\fR\fI = \fR\fI""\fR\fI \fR
2148
.sp
2149
Example:
2150
\fI\fIcups server\fR\fR\fI = \fR\fImycupsserver\fR\fI \fR
2151
.sp
2152
Example:
2153
\fI\fIcups server\fR\fR\fI = \fR\fImycupsserver:1631\fR\fI \fR
2390
2154
.RE
2391
2155
2392
2156
deadtime (G)
2404
2168
A deadtime of zero indicates that no auto\-disconnection should be performed\&.
2405
2169
.sp
2406
2170
Default:
2407
\fI\fIdeadtime\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
2171
\fI\fIdeadtime\fR\fR\fI = \fR\fI0\fR\fI \fR
2408
2172
.sp
2409
2173
Example:
2410
\fI\fIdeadtime\fR\fR\fI = \fR\fI\FC15\F[]\fR\fI \fR
2174
\fI\fIdeadtime\fR\fR\fI = \fR\fI15\fR\fI \fR
2411
2175
.RE
2412
2176
2413
2177
debug class (G)
2420
2184
\m[blue]\fBlog level\fR\m[]\&.
2421
2185
.sp
2422
2186
Default:
2423
\fI\fIdebug class\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2187
\fI\fIdebug class\fR\fR\fI = \fR\fIno\fR\fI \fR
2424
2188
.RE
2425
2189
2426
2190
debug hires timestamp (G)
2434
2198
must be on for this to have an effect\&.
2435
2199
.sp
2436
2200
Default:
2437
\fI\fIdebug hires timestamp\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2201
\fI\fIdebug hires timestamp\fR\fR\fI = \fR\fIno\fR\fI \fR
2438
2202
.RE
2439
2203
2440
2204
debug pid (G)
2449
2213
must be on for this to have an effect\&.
2450
2214
.sp
2451
2215
Default:
2452
\fI\fIdebug pid\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2216
\fI\fIdebug pid\fR\fR\fI = \fR\fIno\fR\fI \fR
2453
2217
.RE
2454
2218
2455
2219
debug prefix timestamp (G)
2465
2229
parameter\&.
2466
2230
.sp
2467
2231
Default:
2468
\fI\fIdebug prefix timestamp\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2232
\fI\fIdebug prefix timestamp\fR\fR\fI = \fR\fIno\fR\fI \fR
2469
2233
.RE
2470
2234
2471
2235
timestamp logs
2485
2249
these timestamps can be distracting\&. This boolean parameter allows timestamping to be turned off\&.
2486
2250
.sp
2487
2251
Default:
2488
\fI\fIdebug timestamp\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
2252
\fI\fIdebug timestamp\fR\fR\fI = \fR\fIyes\fR\fI \fR
2489
2253
.RE
2490
2254
2491
2255
debug uid (G)
2499
2263
must be on for this to have an effect\&.
2500
2264
.sp
2501
2265
Default:
2502
\fI\fIdebug uid\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2266
\fI\fIdebug uid\fR\fR\fI = \fR\fIno\fR\fI \fR
2503
2267
.RE
2504
2268
2505
2269
dedicated keytab file (G)
2511
2275
is set to "dedicated keytab"\&.
2512
2276
.sp
2513
2277
Default:
2514
\fI\fIdedicated keytab file\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2278
\fI\fIdedicated keytab file\fR\fR\fI = \fR\fI\fR\fI \fR
2515
2279
.sp
2516
2280
Example:
2517
\fI\fIdedicated keytab file\fR\fR\fI = \fR\fI\FC/usr/local/etc/krb5\&.keytab\F[]\fR\fI \fR
2281
\fI\fIdedicated keytab file\fR\fR\fI = \fR\fI/usr/local/etc/krb5\&.keytab\fR\fI \fR
2518
2282
.RE
2519
2283
2520
2284
default case (S)
2527
2291
parameter\&.
2528
2292
.sp
2529
2293
Default:
2530
\fI\fIdefault case\fR\fR\fI = \fR\fI\FClower\F[]\fR\fI \fR
2294
\fI\fIdefault case\fR\fR\fI = \fR\fIlower\fR\fI \fR
2531
2295
.RE
2532
2296
2533
2297
default devmode (S)
2541
2305
Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode\&. Certain drivers will do things such as crashing the client\'s Explorer\&.exe with a NULL devmode\&. However, other printer drivers can cause the client\'s spooler service (spoolsv\&.exe) to die if the devmode was not created by the driver itself (i\&.e\&. smbd generates a default devmode)\&.
2542
2306
.sp
2543
2307
This parameter should be used with care and tested with the printer driver in question\&. It is better to leave the device mode to NULL and let the Windows client set the correct values\&. Because drivers do not do this all the time, setting
2544
\FCdefault devmode = yes\F[]
2308
default devmode = yes
2545
2309
will instruct smbd to generate a default one\&.
2546
2310
.sp
2547
2311
For more information on Windows NT/2k printing and Device Modes, see the
2548
2312
MSDN documentation\&.
2549
2313
.sp
2550
2314
Default:
2551
\fI\fIdefault devmode\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
2315
\fI\fIdefault devmode\fR\fR\fI = \fR\fIyes\fR\fI \fR
2552
2316
.RE
2553
2317
2554
2318
default
2581
2345
Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/"\&. This allows for interesting things\&.
2582
2346
.sp
2583
2347
Default:
2584
\fI\fIdefault service\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2348
\fI\fIdefault service\fR\fR\fI = \fR\fI\fR\fI \fR
2585
2349
.sp
2586
2350
Example:
2587
\fI\fIdefault service\fR\fR\fI = \fR\fI\FCpub\F[]\fR\fI \fR
2351
\fI\fIdefault service\fR\fR\fI = \fR\fIpub\fR\fI \fR
2588
2352
.RE
2589
2353
2590
2354
defer sharing violations (G)
2598
2362
There should be no reason to turn off this parameter, as it is designed to enable Samba to more correctly emulate Windows\&.
2599
2363
.sp
2600
2364
Default:
2601
\fI\fIdefer sharing violations\fR\fR\fI = \fR\fI\FCTrue\F[]\fR\fI \fR
2365
\fI\fIdefer sharing violations\fR\fR\fI = \fR\fITrue\fR\fI \fR
2602
2366
.RE
2603
2367
2604
2368
delete group script (G)
2613
2377
to the group name passed\&. This script is only useful for installations using the Windows NT domain administration tools\&.
2614
2378
.sp
2615
2379
Default:
2616
\fI\fIdelete group script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2380
\fI\fIdelete group script\fR\fR\fI = \fR\fI\fR\fI \fR
2617
2381
.RE
2618
2382
2619
2383
deleteprinter command (G)
2625
2389
For a Samba host this means that the printer must be physically deleted from the underlying printing system\&. The
2626
2390
\m[blue]\fBdeleteprinter command\fR\m[]
2627
2391
defines a script to be run which will perform the necessary operations for removing the printer from the print system and from
2628
\FCsmb\&.conf\F[]\&.
2392
smb\&.conf\&.
2629
2393
.sp
2630
2394
The
2631
2395
\m[blue]\fBdeleteprinter command\fR\m[]
2635
2399
Once the
2636
2400
\m[blue]\fBdeleteprinter command\fR\m[]
2637
2401
has been executed,
2638
\FCsmbd\F[]
2402
smbd
2639
2403
will reparse the
2640
\FC smb\&.conf\F[]
2404
smb\&.conf
2641
2405
to check that the associated printer no longer exists\&. If the sharename is still valid, then
2642
\FCsmbd \F[]
2406
smbd
2643
2407
will return an ACCESS_DENIED error to the client\&.
2644
2408
.sp
2645
2409
Default:
2646
\fI\fIdeleteprinter command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2410
\fI\fIdeleteprinter command\fR\fR\fI = \fR\fI\fR\fI \fR
2647
2411
.sp
2648
2412
Example:
2649
\fI\fIdeleteprinter command\fR\fR\fI = \fR\fI\FC/usr/bin/removeprinter\F[]\fR\fI \fR
2413
\fI\fIdeleteprinter command\fR\fR\fI = \fR\fI/usr/bin/removeprinter\fR\fI \fR
2650
2414
.RE
2651
2415
2652
2416
delete readonly (S)
2658
2422
This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file\&.
2659
2423
.sp
2660
2424
Default:
2661
\fI\fIdelete readonly\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2425
\fI\fIdelete readonly\fR\fR\fI = \fR\fIno\fR\fI \fR
2662
2426
.RE
2663
2427
2664
2428
delete share command (G)
2668
2432
Samba 2\&.2\&.0 introduced the ability to dynamically add and delete shares via the Windows NT 4\&.0 Server Manager\&. The
2669
2433
\fIdelete share command\fR
2670
2434
is used to define an external program or script which will remove an existing service definition from
2671
\FCsmb\&.conf\F[]\&.
2435
smb\&.conf\&.
2672
2436
.sp
2673
2437
In order to successfully execute the
2674
2438
\fIdelete share command\fR,
2675
\FCsmbd\F[]
2439
smbd
2676
2440
requires that the administrator connects using a root account (i\&.e\&. uid == 0) or has the
2677
\FCSeDiskOperatorPrivilege\F[]\&. Scripts defined in the
2441
SeDiskOperatorPrivilege\&. Scripts defined in the
2678
2442
\fIdelete share command\fR
2679
2443
parameter are executed as root\&.
2680
2444
.sp
2681
2445
When executed,
2682
\FCsmbd\F[]
2446
smbd
2683
2447
will automatically invoke the
2684
2448
\fIdelete share command\fR
2685
2449
with two parameters\&.
2694
2458
.\}
2695
2459
\fIconfigFile\fR
2696
2460
\- the location of the global
2697
\FCsmb\&.conf\F[]
2461
smb\&.conf
2698
2462
file\&.
2699
2463
.RE
2700
2464
.sp
2714
2478
\m[blue]\fBdeleteprinter command\fR\m[]\&.
2715
2479
.sp
2716
2480
Default:
2717
\fI\fIdelete share command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2481
\fI\fIdelete share command\fR\fR\fI = \fR\fI\fR\fI \fR
2718
2482
.sp
2719
2483
Example:
2720
\fI\fIdelete share command\fR\fR\fI = \fR\fI\FC/usr/local/bin/delshare\F[]\fR\fI \fR
2484
\fI\fIdelete share command\fR\fR\fI = \fR\fI/usr/local/bin/delshare\fR\fI \fR
2721
2485
.RE
2722
2486
2723
2487
delete user from group script (G)
2733
2497
will be replaced with the user name\&.
2734
2498
.sp
2735
2499
Default:
2736
\fI\fIdelete user from group script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2500
\fI\fIdelete user from group script\fR\fR\fI = \fR\fI\fR\fI \fR
2737
2501
.sp
2738
2502
Example:
2739
\fI\fIdelete user from group script\fR\fR\fI = \fR\fI\FC/usr/sbin/deluser %u %g\F[]\fR\fI \fR
2503
\fI\fIdelete user from group script\fR\fR\fI = \fR\fI/usr/sbin/deluser %u %g\fR\fI \fR
2740
2504
.RE
2741
2505
2742
2506
delete user script (G)
2748
2512
when managing users with remote RPC (NT) tools\&.
2749
2513
.sp
2750
2514
This script is called when a remote client removes a user from the server, normally using \'User Manager for Domains\' or
2751
\FCrpcclient\F[]\&.
2515
rpcclient\&.
2752
2516
.sp
2753
2517
This script should delete the given UNIX username\&.
2754
2518
.sp
2755
2519
Default:
2756
\fI\fIdelete user script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2520
\fI\fIdelete user script\fR\fR\fI = \fR\fI\fR\fI \fR
2757
2521
.sp
2758
2522
Example:
2759
\fI\fIdelete user script\fR\fR\fI = \fR\fI\FC/usr/local/samba/bin/del_user %u\F[]\fR\fI \fR
2523
\fI\fIdelete user script\fR\fR\fI = \fR\fI/usr/local/samba/bin/del_user %u\fR\fI \fR
2760
2524
.RE
2761
2525
2762
2526
delete veto files (S)
2771
2535
.sp
2772
2536
If this option is set to
2773
2537
\fByes\fR, then Samba will attempt to recursively delete any files and directories within the vetoed directory\&. This can be useful for integration with file serving systems such as NetAtalk which create meta\-files within directories you might normally veto DOS/Windows users from seeing (e\&.g\&.
2774
\FC\&.AppleDouble\F[])
2538
\&.AppleDouble)
2775
2539
.sp
2776
2540
Setting
2777
2541
\m[blue]\fBdelete veto files = yes\fR\m[]
2778
2542
allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so)\&.
2779
2543
.sp
2780
2544
Default:
2781
\fI\fIdelete veto files\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2545
\fI\fIdelete veto files\fR\fR\fI = \fR\fIno\fR\fI \fR
2782
2546
.RE
2783
2547
2784
2548
dfree cache time (S)
2798
2562
\fINo default\fR
2799
2563
.sp
2800
2564
Example:
2801
\fI\fIdfree cache time\fR\fR\fI = \fR\fI\FCdfree cache time = 60\F[]\fR\fI \fR
2565
\fI\fIdfree cache time\fR\fR\fI = \fR\fIdfree cache time = 60\fR\fI \fR
2802
2566
.RE
2803
2567
2804
2568
dfree command (S)
2816
2580
was added to allow the output of this script to be cached for systems under heavy load\&.
2817
2581
.sp
2818
2582
The external program will be passed a single parameter indicating a directory in the filesystem being queried\&. This will typically consist of the string
2819
\FC\&./\F[]\&. The script should return two integers in ASCII\&. The first should be the total disk space in blocks, and the second should be the number of available blocks\&. An optional third return value can give the block size in bytes\&. The default blocksize is 1024 bytes\&.
2583
\&./\&. The script should return two integers in ASCII\&. The first should be the total disk space in blocks, and the second should be the number of available blocks\&. An optional third return value can give the block size in bytes\&. The default blocksize is 1024 bytes\&.
2820
2584
.sp
2821
2585
Note: Your script should
2822
2586
\fINOT\fR
2827
2591
.if n \{\
2828
2592
.RS 4
2829
2593
.\}
2830
.fam C
2831
.ps -1
2832
2594
.nf
2833
.BB lightgray
2834
2595
2835
2596
#!/bin/sh
2836
2597
df $1 | tail \-1 | awk \'{print $(NF\-4),$(NF\-2)}\'
2837
.EB lightgray
2838
2598
.fi
2839
.fam
2840
.ps +1
2841
2599
.if n \{\
2842
2600
.RE
2843
2601
.\}
2847
2605
.if n \{\
2848
2606
.RS 4
2849
2607
.\}
2850
.fam C
2851
.ps -1
2852
2608
.nf
2853
.BB lightgray
2854
2609
2855
2610
#!/bin/sh
2856
2611
/usr/bin/df \-k $1 | tail \-1 | awk \'{print $3" "$5}\'
2857
.EB lightgray
2858
2612
.fi
2859
.fam
2860
.ps +1
2861
2613
.if n \{\
2862
2614
.RE
2863
2615
.\}
2869
2621
\fINo default\fR
2870
2622
.sp
2871
2623
Example:
2872
\fI\fIdfree command\fR\fR\fI = \fR\fI\FC/usr/local/samba/bin/dfree\F[]\fR\fI \fR
2624
\fI\fIdfree command\fR\fR\fI = \fR\fI/usr/local/samba/bin/dfree\fR\fI \fR
2873
2625
.RE
2874
2626
2875
2627
directory mode
2900
2652
\m[blue]\fBdirectory security mask\fR\m[]\&.
2901
2653
.sp
2902
2654
Default:
2903
\fI\fIdirectory mask\fR\fR\fI = \fR\fI\FC0755\F[]\fR\fI \fR
2655
\fI\fIdirectory mask\fR\fR\fI = \fR\fI0755\fR\fI \fR
2904
2656
.sp
2905
2657
Example:
2906
\fI\fIdirectory mask\fR\fR\fI = \fR\fI\FC0775\F[]\fR\fI \fR
2658
\fI\fIdirectory mask\fR\fR\fI = \fR\fI0775\fR\fI \fR
2659
.RE
2660
2661
directory name cache size (S)
2662
.\" directory name cache size
2663
.PP
2664
.RS 4
2665
This parameter specifies the the size of the directory name cache\&. It will be needed to turn this off for *BSD systems\&.
2666
.sp
2667
Default:
2668
\fI\fIdirectory name cache size\fR\fR\fI = \fR\fI100\fR\fI \fR
2907
2669
.RE
2908
2670
2909
2671
directory security mask (S)
2924
2686
\fB0777\fR\&.
2925
2687
.sp
2926
2688
Default:
2927
\fI\fIdirectory security mask\fR\fR\fI = \fR\fI\FC0777\F[]\fR\fI \fR
2689
\fI\fIdirectory security mask\fR\fR\fI = \fR\fI0777\fR\fI \fR
2928
2690
.sp
2929
2691
Example:
2930
\fI\fIdirectory security mask\fR\fR\fI = \fR\fI\FC0700\F[]\fR\fI \fR
2692
\fI\fIdirectory security mask\fR\fR\fI = \fR\fI0700\fR\fI \fR
2931
2693
.RE
2932
2694
2933
2695
disable netbios (G)
2939
2701
.sp
2940
2702
.\}
2941
2703
.RS 4
2942
.BM yellow
2943
2704
.it 1 an-trap
2944
2705
.nr an-no-space-flag 1
2945
2706
.nr an-break-flag 1
2950
2711
.br
2951
2712
Clients that only support netbios won\'t be able to see your samba server when netbios support is disabled\&.
2952
2713
.sp .5v
2953
.EM yellow
2954
2714
.RE
2955
2715
Default:
2956
\fI\fIdisable netbios\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2716
\fI\fIdisable netbios\fR\fR\fI = \fR\fIno\fR\fI \fR
2957
2717
.RE
2958
2718
2959
2719
disable spoolss (G)
2964
2724
\fIBe very careful about enabling this parameter\&.\fR
2965
2725
.sp
2966
2726
Default:
2967
\fI\fIdisable spoolss\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2727
\fI\fIdisable spoolss\fR\fR\fI = \fR\fIno\fR\fI \fR
2968
2728
.RE
2969
2729
2970
2730
display charset (G)
2975
2735
\m[blue]\fBunix charset\fR\m[]\&.
2976
2736
.sp
2977
2737
Default:
2978
\fI\fIdisplay charset\fR\fR\fI = \fR\fI\FC"LOCALE" or "ASCII" (depending on the system)\F[]\fR\fI \fR
2738
\fI\fIdisplay charset\fR\fR\fI = \fR\fI"LOCALE" or "ASCII" (depending on the system)\fR\fI \fR
2979
2739
.sp
2980
2740
Example:
2981
\fI\fIdisplay charset\fR\fR\fI = \fR\fI\FCUTF8\F[]\fR\fI \fR
2741
\fI\fIdisplay charset\fR\fR\fI = \fR\fIUTF8\fR\fI \fR
2982
2742
.RE
2983
2743
2984
2744
dmapi support (S)
2992
2752
This parameter is only available if a supported DMAPI implementation was found at compilation time\&. It will only be used if DMAPI is found to enabled on the system at run time\&.
2993
2753
.sp
2994
2754
Default:
2995
\fI\fIdmapi support\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2755
\fI\fIdmapi support\fR\fR\fI = \fR\fIno\fR\fI \fR
2996
2756
.RE
2997
2757
2998
2758
dns proxy (G)
3005
2765
.sp
3006
2766
Note that the maximum length for a NetBIOS name is 15 characters, so the DNS name (or DNS alias) can likewise only be 15 characters, maximum\&.
3007
2767
.sp
3008
\FCnmbd\F[]
2768
nmbd
3009
2769
spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action\&.
3010
2770
.sp
3011
2771
Default:
3012
\fI\fIdns proxy\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
2772
\fI\fIdns proxy\fR\fR\fI = \fR\fIyes\fR\fI \fR
3013
2773
.RE
3014
2774
3015
2775
domain logons (G)
3022
2782
it is in\&. This will also cause the Samba server to act as a domain controller for NT4 style domain services\&. For more details on setting up this feature see the Domain Control chapter of the Samba HOWTO Collection\&.
3023
2783
.sp
3024
2784
Default:
3025
\fI\fIdomain logons\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2785
\fI\fIdomain logons\fR\fR\fI = \fR\fIno\fR\fI \fR
3026
2786
.RE
3027
2787
3028
2788
domain master (G)
3032
2792
Tell
3033
2793
\fBsmbd\fR(8)
3034
2794
to enable WAN\-wide browse list collation\&. Setting this option causes
3035
\FCnmbd\F[]
2795
nmbd
3036
2796
to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given
3037
2797
\m[blue]\fBworkgroup\fR\m[]\&. Local master browsers in the same
3038
2798
\m[blue]\fBworkgroup\fR\m[]
3039
2799
on broadcast\-isolated subnets will give this
3040
\FCnmbd\F[]
2800
nmbd
3041
2801
their local browse lists, and then ask
3042
2802
\fBsmbd\fR(8)
3043
2803
for a complete copy of the browse list for the whole wide area network\&. Browser clients will then contact their local master browser, and will receive the domain\-wide browse list, instead of just the list for their broadcast\-isolated subnet\&.
3047
2807
specific special NetBIOS name that identifies them as domain master browsers for that
3048
2808
\m[blue]\fBworkgroup\fR\m[]
3049
2809
by default (i\&.e\&. there is no way to prevent a Windows NT PDC from attempting to do this)\&. This means that if this parameter is set and
3050
\FCnmbd\F[]
2810
nmbd
3051
2811
claims the special name for a
3052
2812
\m[blue]\fBworkgroup\fR\m[]
3053
2813
before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail\&.
3067
2827
\m[blue]\fBdomain master = No\fR\m[], Samba will function as a BDC\&. In general, this parameter should be set to \'No\' only on a BDC\&.
3068
2828
.sp
3069
2829
Default:
3070
\fI\fIdomain master\fR\fR\fI = \fR\fI\FCauto\F[]\fR\fI \fR
2830
\fI\fIdomain master\fR\fR\fI = \fR\fIauto\fR\fI \fR
3071
2831
.RE
3072
2832
3073
2833
dont descend (S)
3075
2835
.PP
3076
2836
.RS 4
3077
2837
There are certain directories on some systems (e\&.g\&., the
3078
\FC/proc\F[]
2838
/proc
3079
2839
tree under Linux) that are either not of interest to clients or are infinitely deep (recursive)\&. This parameter allows you to specify a comma\-delimited list of directories that the server should always show as empty\&.
3080
2840
.sp
3081
2841
Note that Samba can be very fussy about the exact format of the "dont descend" entries\&. For example you may need
3082
\FC \&./proc\F[]
2842
\&./proc
3083
2843
instead of just
3084
\FC/proc\F[]\&. Experimentation is the best policy :\-)
2844
/proc\&. Experimentation is the best policy :\-)
3085
2845
.sp
3086
2846
Default:
3087
\fI\fIdont descend\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
2847
\fI\fIdont descend\fR\fR\fI = \fR\fI\fR\fI \fR
3088
2848
.sp
3089
2849
Example:
3090
\fI\fIdont descend\fR\fR\fI = \fR\fI\FC/proc,/dev\F[]\fR\fI \fR
2850
\fI\fIdont descend\fR\fR\fI = \fR\fI/proc,/dev\fR\fI \fR
3091
2851
.RE
3092
2852
3093
2853
dos charset (G)
3110
2870
The default behavior in Samba is to provide UNIX\-like behavior where only the owner of a file/directory is able to change the permissions on it\&. However, this behavior is often confusing to DOS/Windows users\&. Enabling this parameter allows a user who has write access to the file (by whatever means, including an ACL permission) to modify the permissions (including ACL) on it\&. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access\&. Ownership of the file/directory may also be changed\&.
3111
2871
.sp
3112
2872
Default:
3113
\fI\fIdos filemode\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2873
\fI\fIdos filemode\fR\fR\fI = \fR\fIno\fR\fI \fR
3114
2874
.RE
3115
2875
3116
2876
dos filetime resolution (S)
3123
2883
This option is mainly used as a compatibility option for Visual C++ when used against Samba shares\&. If oplocks are enabled on a share, Visual C++ uses two different time reading calls to check if a file has changed since it was last read\&. One of these calls uses a one\-second granularity, the other uses a two second granularity\&. As the two second call rounds any odd second down, then if the file has a timestamp of an odd number of seconds then the two timestamps will not match and Visual C++ will keep reporting the file has changed\&. Setting this option causes the two timestamps to match, and Visual C++ is happy\&.
3124
2884
.sp
3125
2885
Default:
3126
\fI\fIdos filetime resolution\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2886
\fI\fIdos filetime resolution\fR\fR\fI = \fR\fIno\fR\fI \fR
3127
2887
.RE
3128
2888
3129
2889
dos filetimes (S)
3131
2891
.PP
3132
2892
.RS 4
3133
2893
Under DOS and Windows, if a user can write to a file they can change the timestamp on it\&. Under POSIX semantics, only the owner of the file or root may change the timestamp\&. By default, Samba runs with POSIX semantics and refuses to change the timestamp on a file if the user
3134
\FCsmbd\F[]
2894
smbd
3135
2895
is acting on behalf of is not the file owner\&. Setting this option to
3136
2896
\fB yes\fR
3137
2897
allows DOS semantics and
3139
2899
will change the file timestamp as DOS requires\&. Due to changes in Microsoft Office 2000 and beyond, the default for this parameter has been changed from "no" to "yes" in Samba 3\&.0\&.14 and above\&. Microsoft Excel will display dialog box warnings about the file being changed by another user if this parameter is not set to "yes" and files are being shared between users\&.
3140
2900
.sp
3141
2901
Default:
3142
\fI\fIdos filetimes\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
2902
\fI\fIdos filetimes\fR\fR\fI = \fR\fIyes\fR\fI \fR
3143
2903
.RE
3144
2904
3145
2905
ea support (S)
3151
2911
will allow clients to attempt to store OS/2 style Extended attributes on a share\&. In order to enable this parameter the underlying filesystem exported by the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the correct kernel patches)\&. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel\&.
3152
2912
.sp
3153
2913
Default:
3154
\fI\fIea support\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2914
\fI\fIea support\fR\fR\fI = \fR\fIno\fR\fI \fR
3155
2915
.RE
3156
2916
3157
2917
enable asu support (G)
3161
2921
Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builtin [ADMIN$] share that only supports IPC connections\&. The has been the default behavior in smbd for many years\&. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$} file share\&. Disabling this parameter allows for creating an [ADMIN$] file share in smb\&.conf\&.
3162
2922
.sp
3163
2923
Default:
3164
\fI\fIenable asu support\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
2924
\fI\fIenable asu support\fR\fR\fI = \fR\fIno\fR\fI \fR
2925
.RE
2926
2927
enable core files (G)
2928
.\" enable core files
2929
.PP
2930
.RS 4
2931
This parameter specifies whether core dumps should be written on internal exits\&. Normally set to
2932
\fByes\fR\&. You should never need to change this\&.
2933
.sp
2934
Default:
2935
\fI\fIenable core files\fR\fR\fI = \fR\fIyes\fR\fI \fR
2936
.sp
2937
Example:
2938
\fI\fIenable core files\fR\fR\fI = \fR\fIno\fR\fI \fR
3165
2939
.RE
3166
2940
3167
2941
enable privileges (G)
3169
2943
.PP
3170
2944
.RS 4
3171
2945
This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
3172
\FCnet rpc rights\F[]
2946
net rpc rights
3173
2947
or one of the Windows user and group manager tools\&. This parameter is enabled by default\&. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user\&.
3174
2948
.sp
3175
2949
An example of how privileges can be used is to assign the right to join clients to a Samba controlled domain without providing root access to the server via smbd\&.
3177
2951
Please read the extended description provided in the Samba HOWTO documentation\&.
3178
2952
.sp
3179
2953
Default:
3180
\fI\fIenable privileges\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
2954
\fI\fIenable privileges\fR\fR\fI = \fR\fIyes\fR\fI \fR
2955
.RE
2956
2957
enable spoolss (G)
2958
.\" enable spoolss
2959
.PP
2960
.RS 4
2961
Inverted synonym for
2962
\m[blue]\fBdisable spoolss\fR\m[]\&.
2963
.sp
2964
Default:
2965
\fI\fIenable spoolss\fR\fR\fI = \fR\fIyes\fR\fI \fR
3181
2966
.RE
3182
2967
3183
2968
encrypt passwords (G)
3199
2984
program for information on how to set up and maintain this file), or set the
3200
2985
\m[blue]\fBsecurity = [server|domain|ads]\fR\m[]
3201
2986
parameter which causes
3202
\FCsmbd\F[]
2987
smbd
3203
2988
to authenticate against another server\&.
3204
2989
.sp
3205
2990
Default:
3206
\fI\fIencrypt passwords\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
2991
\fI\fIencrypt passwords\fR\fR\fI = \fR\fIyes\fR\fI \fR
3207
2992
.RE
3208
2993
3209
2994
enhanced browsing (G)
3219
3004
In general you should leave this option enabled as it makes cross\-subnet browse propagation much more reliable\&.
3220
3005
.sp
3221
3006
Default:
3222
\fI\fIenhanced browsing\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
3007
\fI\fIenhanced browsing\fR\fR\fI = \fR\fIyes\fR\fI \fR
3223
3008
.RE
3224
3009
3225
3010
enumports command (G)
3226
3011
.\" enumports command
3227
3012
.PP
3228
3013
.RS 4
3229
The concept of a "port" is fairly foreign to UNIX hosts\&. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i\&.e\&. LPT1:, COM1:, FILE:) or a remote port (i\&.e\&. LPD Port Monitor, etc\&.\&.\&.)\&. By default, Samba has only one port defined\-\-\fB"Samba Printer Port"\fR\&. Under Windows NT/2000, all printers must have a valid port name\&. If you wish to have a list of ports displayed (\FCsmbd \F[]
3014
The concept of a "port" is fairly foreign to UNIX hosts\&. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i\&.e\&. LPT1:, COM1:, FILE:) or a remote port (i\&.e\&. LPD Port Monitor, etc\&.\&.\&.)\&. By default, Samba has only one port defined\-\-\fB"Samba Printer Port"\fR\&. Under Windows NT/2000, all printers must have a valid port name\&. If you wish to have a list of ports displayed (smbd
3230
3015
does not use a port name for anything) other than the default
3231
3016
\fB"Samba Printer Port"\fR, you can define
3232
3017
\fIenumports command\fR
3233
3018
to point to a program which should generate a list of ports, one per line, to standard output\&. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC\&.
3234
3019
.sp
3235
3020
Default:
3236
\fI\fIenumports command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
3021
\fI\fIenumports command\fR\fR\fI = \fR\fI\fR\fI \fR
3237
3022
.sp
3238
3023
Example:
3239
\fI\fIenumports command\fR\fR\fI = \fR\fI\FC/usr/bin/listports\F[]\fR\fI \fR
3024
\fI\fIenumports command\fR\fR\fI = \fR\fI/usr/bin/listports\fR\fI \fR
3240
3025
.RE
3241
3026
3242
3027
eventlog list (G)
3244
3029
.PP
3245
3030
.RS 4
3246
3031
This option defines a list of log names that Samba will report to the Microsoft EventViewer utility\&. The listed eventlogs will be associated with tdb file on disk in the
3247
\FC$(lockdir)/eventlog\F[]\&.
3032
$(lockdir)/eventlog\&.
3248
3033
.sp
3249
3034
The administrator must use an external process to parse the normal Unix logs such as
3250
\FC/var/log/messages\F[]
3035
/var/log/messages
3251
3036
and write then entries to the eventlog tdb files\&. Refer to the eventlogadm(8) utility for how to write eventlog entries\&.
3252
3037
.sp
3253
3038
Default:
3254
\fI\fIeventlog list\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
3039
\fI\fIeventlog list\fR\fR\fI = \fR\fI\fR\fI \fR
3255
3040
.sp
3256
3041
Example:
3257
\fI\fIeventlog list\fR\fR\fI = \fR\fI\FCSecurity Application Syslog Apache\F[]\fR\fI \fR
3042
\fI\fIeventlog list\fR\fR\fI = \fR\fISecurity Application Syslog Apache\fR\fI \fR
3258
3043
.RE
3259
3044
3260
3045
fake directory create times (S)
3268
3053
However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or or deleted in the directory\&. NMAKE finds all object files in the object directory\&. The timestamp of the last one built is then compared to the timestamp of the object directory\&. If the directory\'s timestamp if newer, then all object files will be rebuilt\&. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected\&.
3269
3054
.sp
3270
3055
Default:
3271
\fI\fIfake directory create times\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3056
\fI\fIfake directory create times\fR\fR\fI = \fR\fIno\fR\fI \fR
3272
3057
.RE
3273
3058
3274
3059
fake oplocks (S)
3278
3063
Oplocks are the way that SMB clients get permission from a server to locally cache file operations\&. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data\&. With some oplock types the client may even cache file open/close operations\&. This can give enormous performance benefits\&.
3279
3064
.sp
3280
3065
When you set
3281
\FCfake oplocks = yes\F[],
3066
fake oplocks = yes,
3282
3067
\fBsmbd\fR(8)
3283
3068
will always grant oplock requests no matter how many clients are using the file\&.
3284
3069
.sp
3289
3074
If you enable this option on all read\-only shares or shares that you know will only be accessed from one client at a time such as physically read\-only media like CDROMs, you will see a big performance improvement on many operations\&. If you enable this option on shares where multiple clients may be accessing the files read\-write at the same time you can get data corruption\&. Use this option carefully!
3290
3075
.sp
3291
3076
Default:
3292
\fI\fIfake oplocks\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3077
\fI\fIfake oplocks\fR\fR\fI = \fR\fIno\fR\fI \fR
3293
3078
.RE
3294
3079
3295
3080
follow symlinks (S)
3301
3086
from following symbolic links in a particular share\&. Setting this parameter to
3302
3087
\fBno\fR
3303
3088
prevents any file or directory that is a symbolic link from being followed (the user will get an error)\&. This option is very useful to stop users from adding a symbolic link to
3304
\FC/etc/passwd\F[]
3089
/etc/passwd
3305
3090
in their home directory for instance\&. However it will slow filename lookups down slightly\&.
3306
3091
.sp
3307
3092
This option is enabled (i\&.e\&.
3308
\FCsmbd\F[]
3093
smbd
3309
3094
will follow symbolic links) by default\&.
3310
3095
.sp
3311
3096
Default:
3312
\fI\fIfollow symlinks\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
3097
\fI\fIfollow symlinks\fR\fR\fI = \fR\fIyes\fR\fI \fR
3313
3098
.RE
3314
3099
3315
3100
force create mode (S)
3325
3110
The example below would force all newly created files to have read and execute permissions set for \'group\' and \'other\' as well as the read/write/execute bits set for the \'user\'\&.
3326
3111
.sp
3327
3112
Default:
3328
\fI\fIforce create mode\fR\fR\fI = \fR\fI\FC000\F[]\fR\fI \fR
3113
\fI\fIforce create mode\fR\fR\fI = \fR\fI000\fR\fI \fR
3329
3114
.sp
3330
3115
Example:
3331
\fI\fIforce create mode\fR\fR\fI = \fR\fI\FC0755\F[]\fR\fI \fR
3116
\fI\fIforce create mode\fR\fR\fI = \fR\fI0755\fR\fI \fR
3332
3117
.RE
3333
3118
3334
3119
force directory mode (S)
3344
3129
The example below would force all created directories to have read and execute permissions set for \'group\' and \'other\' as well as the read/write/execute bits set for the \'user\'\&.
3345
3130
.sp
3346
3131
Default:
3347
\fI\fIforce directory mode\fR\fR\fI = \fR\fI\FC000\F[]\fR\fI \fR
3132
\fI\fIforce directory mode\fR\fR\fI = \fR\fI000\fR\fI \fR
3348
3133
.sp
3349
3134
Example:
3350
\fI\fIforce directory mode\fR\fR\fI = \fR\fI\FC0755\F[]\fR\fI \fR
3135
\fI\fIforce directory mode\fR\fR\fI = \fR\fI0755\fR\fI \fR
3351
3136
.RE
3352
3137
3353
3138
force directory security mode (S)
3366
3151
.sp
3367
3152
.\}
3368
3153
.RS 4
3369
.BM yellow
3370
3154
.it 1 an-trap
3371
3155
.nr an-no-space-flag 1
3372
3156
.nr an-break-flag 1
3377
3161
.br
3378
3162
Users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set as 0000\&.
3379
3163
.sp .5v
3380
.EM yellow
3381
3164
.RE
3382
3165
Default:
3383
\fI\fIforce directory security mode\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
3166
\fI\fIforce directory security mode\fR\fR\fI = \fR\fI0\fR\fI \fR
3384
3167
.sp
3385
3168
Example:
3386
\fI\fIforce directory security mode\fR\fR\fI = \fR\fI\FC700\F[]\fR\fI \fR
3169
\fI\fIforce directory security mode\fR\fR\fI = \fR\fI700\fR\fI \fR
3387
3170
.RE
3388
3171
3389
3172
group
3401
3184
This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service\&. This is useful for sharing files by ensuring that all access to files on service will use the named group for their permissions checking\&. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files\&.
3402
3185
.sp
3403
3186
In Samba 2\&.0\&.5 and above this parameter has extended functionality in the following way\&. If the group name listed here has a \'+\' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group\&. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group\&. This gives a finer granularity of ownership assignment\&. For example, the setting
3404
\FCforce group = +sys\F[]
3187
force group = +sys
3405
3188
means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share\&. All other users will retain their ordinary primary group\&.
3406
3189
.sp
3407
3190
If the
3412
3195
\fIforce user\fR\&.
3413
3196
.sp
3414
3197
Default:
3415
\fI\fIforce group\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
3198
\fI\fIforce group\fR\fR\fI = \fR\fI\fR\fI \fR
3416
3199
.sp
3417
3200
Example:
3418
\fI\fIforce group\fR\fR\fI = \fR\fI\FCagroup\F[]\fR\fI \fR
3201
\fI\fIforce group\fR\fR\fI = \fR\fIagroup\fR\fI \fR
3419
3202
.RE
3420
3203
3421
3204
force printername (S)
3423
3206
.PP
3424
3207
.RS 4
3425
3208
When printing from Windows NT (or later), each printer in
3426
\FCsmb\&.conf\F[]
3209
smb\&.conf
3427
3210
has two associated names which can be used by the client\&. The first is the sharename (or shortname) defined in smb\&.conf\&. This is the only printername available for use by Windows 9x clients\&. The second name associated with a printer can be seen when browsing to the "Printers" (or "Printers and Faxes") folder on the Samba server\&. This is referred to simply as the printername (not to be confused with the
3428
3211
\fIprinter name\fR
3429
3212
option)\&.
3436
3219
It is recommended that this parameter\'s value not be changed once the printer is in use by clients as this could cause a user not be able to delete printer connections from their local Printers folder\&.
3437
3220
.sp
3438
3221
Default:
3439
\fI\fIforce printername\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3222
\fI\fIforce printername\fR\fR\fI = \fR\fIno\fR\fI \fR
3440
3223
.RE
3441
3224
3442
3225
force security mode (S)
3456
3239
that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave this set to 0000\&.
3457
3240
.sp
3458
3241
Default:
3459
\fI\fIforce security mode\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
3242
\fI\fIforce security mode\fR\fR\fI = \fR\fI0\fR\fI \fR
3460
3243
.sp
3461
3244
Example:
3462
\fI\fIforce security mode\fR\fR\fI = \fR\fI\FC700\F[]\fR\fI \fR
3245
\fI\fIforce security mode\fR\fR\fI = \fR\fI700\fR\fI \fR
3463
3246
.RE
3464
3247
3465
3248
force unknown acl user (S)
3473
3256
Try using this parameter when XCOPY /O gives an ACCESS_DENIED error\&.
3474
3257
.sp
3475
3258
Default:
3476
\fI\fIforce unknown acl user\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3259
\fI\fIforce unknown acl user\fR\fR\fI = \fR\fIno\fR\fI \fR
3477
3260
.RE
3478
3261
3479
3262
force user (S)
3487
3270
In Samba 2\&.0\&.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity\&. Prior to 2\&.0\&.5 the primary group was left as the primary group of the connecting user (this was a bug)\&.
3488
3271
.sp
3489
3272
Default:
3490
\fI\fIforce user\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
3273
\fI\fIforce user\fR\fR\fI = \fR\fI\fR\fI \fR
3491
3274
.sp
3492
3275
Example:
3493
\fI\fIforce user\fR\fR\fI = \fR\fI\FCauser\F[]\fR\fI \fR
3276
\fI\fIforce user\fR\fR\fI = \fR\fIauser\fR\fI \fR
3494
3277
.RE
3495
3278
3496
3279
fstype (S)
3508
3291
if required\&.
3509
3292
.sp
3510
3293
Default:
3511
\fI\fIfstype\fR\fR\fI = \fR\fI\FCNTFS\F[]\fR\fI \fR
3294
\fI\fIfstype\fR\fR\fI = \fR\fINTFS\fR\fI \fR
3512
3295
.sp
3513
3296
Example:
3514
\fI\fIfstype\fR\fR\fI = \fR\fI\FCSamba\F[]\fR\fI \fR
3297
\fI\fIfstype\fR\fR\fI = \fR\fISamba\fR\fI \fR
3515
3298
.RE
3516
3299
3517
3300
get quota command (G)
3519
3302
.PP
3520
3303
.RS 4
3521
3304
The
3522
\FCget quota command\F[]
3305
get quota command
3523
3306
should only be used whenever there is no operating system API available from the OS that samba can use\&.
3524
3307
.sp
3525
3308
This option is only available you have compiled Samba with the
3526
\FC\-\-with\-sys\-quotas\F[]
3309
\-\-with\-sys\-quotas
3527
3310
option or on Linux with
3528
\FC\-\-with\-quotas\F[]
3311
\-\-with\-quotas
3529
3312
and a working quota api was found in the system\&.
3530
3313
.sp
3531
3314
This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on\&.
3702
3485
.sp
3703
3486
.RE
3704
3487
Default:
3705
\fI\fIget quota command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
3488
\fI\fIget quota command\fR\fR\fI = \fR\fI\fR\fI \fR
3706
3489
.sp
3707
3490
Example:
3708
\fI\fIget quota command\fR\fR\fI = \fR\fI\FC/usr/local/sbin/query_quota\F[]\fR\fI \fR
3491
\fI\fIget quota command\fR\fR\fI = \fR\fI/usr/local/sbin/query_quota\fR\fI \fR
3709
3492
.RE
3710
3493
3711
3494
getwd cache (G)
3718
3501
\fBno\fR\&.
3719
3502
.sp
3720
3503
Default:
3721
\fI\fIgetwd cache\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
3504
\fI\fIgetwd cache\fR\fR\fI = \fR\fIyes\fR\fI \fR
3722
3505
.RE
3723
3506
3724
3507
guest account (G)
3730
3513
(see below)\&. Whatever privileges this user has will be available to any client connecting to the guest service\&. This user must exist in the password file, but does not require a valid login\&. The user account "ftp" is often a good choice for this parameter\&.
3731
3514
.sp
3732
3515
On some systems the default guest account "nobody" may not be able to print\&. Use another account in this case\&. You should test this by trying to log in as your guest user (perhaps by using the
3733
\FCsu \-\F[]
3516
su \-
3734
3517
command) and trying to print using the system print command such as
3735
\FClpr(1)\F[]
3518
lpr(1)
3736
3519
or
3737
\FC lp(1)\F[]\&.
3520
lp(1)\&.
3738
3521
.sp
3739
3522
This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation\&.
3740
3523
.sp
3741
3524
Default:
3742
\fI\fIguest account\fR\fR\fI = \fR\fI\FCnobody # default can be changed at compile\-time\F[]\fR\fI \fR
3525
\fI\fIguest account\fR\fR\fI = \fR\fInobody # default can be changed at compile\-time\fR\fI \fR
3743
3526
.sp
3744
3527
Example:
3745
\fI\fIguest account\fR\fR\fI = \fR\fI\FCftp\F[]\fR\fI \fR
3528
\fI\fIguest account\fR\fR\fI = \fR\fIftp\fR\fI \fR
3746
3529
.RE
3747
3530
3748
3531
public
3770
3553
for more information about this option\&.
3771
3554
.sp
3772
3555
Default:
3773
\fI\fIguest ok\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3556
\fI\fIguest ok\fR\fR\fI = \fR\fIno\fR\fI \fR
3774
3557
.RE
3775
3558
3776
3559
only guest
3796
3579
for more information about this option\&.
3797
3580
.sp
3798
3581
Default:
3799
\fI\fIguest only\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3582
\fI\fIguest only\fR\fR\fI = \fR\fIno\fR\fI \fR
3800
3583
.RE
3801
3584
3802
3585
hide dot files (S)
3806
3589
This is a boolean parameter that controls whether files starting with a dot appear as hidden files\&.
3807
3590
.sp
3808
3591
Default:
3809
\fI\fIhide dot files\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
3592
\fI\fIhide dot files\fR\fR\fI = \fR\fIyes\fR\fI \fR
3810
3593
.RE
3811
3594
3812
3595
hide files (S)
3832
3615
.if n \{\
3833
3616
.RS 4
3834
3617
.\}
3835
.fam C
3836
.ps -1
3837
3618
.nf
3838
.if t \{\
3839
.sp -1
3840
.\}
3841
.BB lightgray adjust-for-leading-newline
3842
.sp -1
3843
3844
3619
hide files = /\&.*/DesktopFolderDB/TrashFor%m/resource\&.frk/
3845
.EB lightgray adjust-for-leading-newline
3846
.if t \{\
3847
.sp 1
3848
.\}
3849
3620
.fi
3850
.fam
3851
.ps +1
3852
3621
.if n \{\
3853
3622
.RE
3854
3623
.\}
3855
3624
.sp
3856
3625
Default:
3857
\fI\fIhide files\fR\fR\fI = \fR\fI\FC # no file are hidden\F[]\fR\fI \fR
3626
\fI\fIhide files\fR\fR\fI = \fR\fI # no file are hidden\fR\fI \fR
3858
3627
.RE
3859
3628
3860
3629
hide special files (S)
3864
3633
This parameter prevents clients from seeing special files such as sockets, devices and fifo\'s in directory listings\&.
3865
3634
.sp
3866
3635
Default:
3867
\fI\fIhide special files\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3636
\fI\fIhide special files\fR\fR\fI = \fR\fIno\fR\fI \fR
3868
3637
.RE
3869
3638
3870
3639
hide unreadable (S)
3874
3643
This parameter prevents clients from seeing the existance of files that cannot be read\&. Defaults to off\&.
3875
3644
.sp
3876
3645
Default:
3877
\fI\fIhide unreadable\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3646
\fI\fIhide unreadable\fR\fR\fI = \fR\fIno\fR\fI \fR
3878
3647
.RE
3879
3648
3880
3649
hide unwriteable files (S)
3884
3653
This parameter prevents clients from seeing the existance of files that cannot be written to\&. Defaults to off\&. Note that unwriteable directories are shown as usual\&.
3885
3654
.sp
3886
3655
Default:
3887
\fI\fIhide unwriteable files\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3656
\fI\fIhide unwriteable files\fR\fR\fI = \fR\fIno\fR\fI \fR
3888
3657
.RE
3889
3658
3890
3659
homedir map (G)
3903
3672
.if n \{\
3904
3673
.RS 4
3905
3674
.\}
3906
.fam C
3907
.ps -1
3908
3675
.nf
3909
.if t \{\
3910
.sp -1
3911
.\}
3912
.BB lightgray adjust-for-leading-newline
3913
.sp -1
3914
3915
\FCusername server:/some/file/system\F[]
3916
.EB lightgray adjust-for-leading-newline
3917
.if t \{\
3918
.sp 1
3919
.\}
3676
username server:/some/file/system
3920
3677
.fi
3921
.fam
3922
.ps +1
3923
3678
.if n \{\
3924
3679
.RE
3925
3680
.\}
3929
3684
.sp
3930
3685
.\}
3931
3686
.RS 4
3932
.BM yellow
3933
3687
.it 1 an-trap
3934
3688
.nr an-no-space-flag 1
3935
3689
.nr an-break-flag 1
3940
3694
.br
3941
3695
A working NIS client is required on the system for this option to work\&.
3942
3696
.sp .5v
3943
.EM yellow
3944
3697
.RE
3945
3698
Default:
3946
\fI\fIhomedir map\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
3699
\fI\fIhomedir map\fR\fR\fI = \fR\fI\fR\fI \fR
3947
3700
.sp
3948
3701
Example:
3949
\fI\fIhomedir map\fR\fR\fI = \fR\fI\FCamd\&.homedir\F[]\fR\fI \fR
3702
\fI\fIhomedir map\fR\fR\fI = \fR\fIamd\&.homedir\fR\fI \fR
3950
3703
.RE
3951
3704
3952
3705
host msdfs (G)
3961
3714
share level parameter\&. For more information on setting up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3\-HOWTO\&.
3962
3715
.sp
3963
3716
Default:
3964
\fI\fIhost msdfs\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
3717
\fI\fIhost msdfs\fR\fR\fI = \fR\fIyes\fR\fI \fR
3965
3718
.RE
3966
3719
3967
3720
hostname lookups (G)
3969
3722
.PP
3970
3723
.RS 4
3971
3724
Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead\&. An example place where hostname lookups are currently used is when checking the
3972
\FChosts deny\F[]
3725
hosts deny
3973
3726
and
3974
\FChosts allow\F[]\&.
3727
hosts allow\&.
3975
3728
.sp
3976
3729
Default:
3977
\fI\fIhostname lookups\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
3730
\fI\fIhostname lookups\fR\fR\fI = \fR\fIno\fR\fI \fR
3978
3731
.sp
3979
3732
Example:
3980
\fI\fIhostname lookups\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
3733
\fI\fIhostname lookups\fR\fR\fI = \fR\fIyes\fR\fI \fR
3981
3734
.RE
3982
3735
3983
3736
allow hosts
4000
3753
If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting\&.
4001
3754
.sp
4002
3755
You can specify the hosts by name or IP number\&. For example, you could restrict access to only the hosts on a Class C subnet with something like
4003
\FCallow hosts = 150\&.203\&.5\&.\F[]\&. The full syntax of the list is described in the man page
4004
\FChosts_access(5)\F[]\&. Note that this man page may not be present on your system, so a brief description will be given here also\&.
3756
allow hosts = 150\&.203\&.5\&.\&. The full syntax of the list is described in the man page
3757
hosts_access(5)\&. Note that this man page may not be present on your system, so a brief description will be given here also\&.
4005
3758
.sp
4006
3759
Note that the localhost address 127\&.0\&.0\&.1 will always be allowed access unless specifically denied by a
4007
3760
\m[blue]\fBhosts deny\fR\m[]
4013
3766
.sp
4014
3767
Example 1: allow all IPs in 150\&.203\&.*\&.*; except one
4015
3768
.sp
4016
\FChosts allow = 150\&.203\&. EXCEPT 150\&.203\&.6\&.66\F[]
3769
hosts allow = 150\&.203\&. EXCEPT 150\&.203\&.6\&.66
4017
3770
.sp
4018
3771
Example 2: allow hosts that match the given network/netmask
4019
3772
.sp
4020
\FChosts allow = 150\&.203\&.15\&.0/255\&.255\&.255\&.0\F[]
3773
hosts allow = 150\&.203\&.15\&.0/255\&.255\&.255\&.0
4021
3774
.sp
4022
3775
Example 3: allow a couple of hosts
4023
3776
.sp
4024
\FChosts allow = lapland, arvidsjaur\F[]
3777
hosts allow = lapland, arvidsjaur
4025
3778
.sp
4026
3779
Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host
4027
3780
.sp
4028
\FChosts allow = @foonet\F[]
3781
hosts allow = @foonet
4029
3782
.sp
4030
\FChosts deny = pirate\F[]
3783
hosts deny = pirate
4031
3784
.if n \{\
4032
3785
.sp
4033
3786
.\}
4034
3787
.RS 4
4035
.BM yellow
4036
3788
.it 1 an-trap
4037
3789
.nr an-no-space-flag 1
4038
3790
.nr an-break-flag 1
4043
3795
.br
4044
3796
Note that access still requires suitable user\-level passwords\&.
4045
3797
.sp .5v
4046
.EM yellow
4047
3798
.RE
4048
3799
See
4049
3800
\fBtestparm\fR(1)
4050
3801
for a way of testing your host access to see if it does what you expect\&.
4051
3802
.sp
4052
3803
Default:
4053
\fI\fIhosts allow\fR\fR\fI = \fR\fI\FC # none (i\&.e\&., all hosts permitted access)\F[]\fR\fI \fR
3804
\fI\fIhosts allow\fR\fR\fI = \fR\fI # none (i\&.e\&., all hosts permitted access)\fR\fI \fR
4054
3805
.sp
4055
3806
Example:
4056
\fI\fIhosts allow\fR\fR\fI = \fR\fI\FC150\&.203\&.5\&. myhost\&.mynet\&.edu\&.au\F[]\fR\fI \fR
3807
\fI\fIhosts allow\fR\fR\fI = \fR\fI150\&.203\&.5\&. myhost\&.mynet\&.edu\&.au\fR\fI \fR
4057
3808
.RE
4058
3809
4059
3810
deny hosts
4077
3828
list takes precedence\&.
4078
3829
.sp
4079
3830
In the event that it is necessary to deny all by default, use the keyword ALL (or the netmask
4080
\FC0\&.0\&.0\&.0/0\F[]) and then explicitly specify to the
3831
0\&.0\&.0\&.0/0) and then explicitly specify to the
4081
3832
\m[blue]\fBhosts allow = hosts allow\fR\m[]
4082
3833
parameter those hosts that should be permitted access\&.
4083
3834
.sp
4084
3835
Default:
4085
\fI\fIhosts deny\fR\fR\fI = \fR\fI\FC # none (i\&.e\&., no hosts specifically excluded)\F[]\fR\fI \fR
3836
\fI\fIhosts deny\fR\fR\fI = \fR\fI # none (i\&.e\&., no hosts specifically excluded)\fR\fI \fR
4086
3837
.sp
4087
3838
Example:
4088
\fI\fIhosts deny\fR\fR\fI = \fR\fI\FC150\&.203\&.4\&. badhost\&.mynet\&.edu\&.au\F[]\fR\fI \fR
3839
\fI\fIhosts deny\fR\fR\fI = \fR\fI150\&.203\&.4\&. badhost\&.mynet\&.edu\&.au\fR\fI \fR
4089
3840
.RE
4090
3841
4091
3842
idmap alloc backend (G)
4105
3856
\fINo default\fR
4106
3857
.sp
4107
3858
Example:
4108
\fI\fIidmap alloc backend\fR\fR\fI = \fR\fI\FCtdb\F[]\fR\fI \fR
3859
\fI\fIidmap alloc backend\fR\fR\fI = \fR\fItdb\fR\fI \fR
4109
3860
.RE
4110
3861
4111
3862
idmap alloc config (G)
4147
3898
Examples of SID/uid/gid backends include tdb (\fBidmap_tdb\fR(8)), ldap (\fBidmap_ldap\fR(8)), rid (\fBidmap_rid\fR(8)), and ad (\fBidmap_ad\fR(8))\&.
4148
3899
.sp
4149
3900
Default:
4150
\fI\fIidmap backend\fR\fR\fI = \fR\fI\FCtdb\F[]\fR\fI \fR
3901
\fI\fIidmap backend\fR\fR\fI = \fR\fItdb\fR\fI \fR
4151
3902
.RE
4152
3903
4153
3904
idmap cache time (G)
4157
3908
This parameter specifies the number of seconds that Winbind\'s idmap interface will cache positive SID/uid/gid query results\&.
4158
3909
.sp
4159
3910
Default:
4160
\fI\fIidmap cache time\fR\fR\fI = \fR\fI\FC604800 (one week)\F[]\fR\fI \fR
3911
\fI\fIidmap cache time\fR\fR\fI = \fR\fI604800 (one week)\fR\fI \fR
4161
3912
.RE
4162
3913
4163
3914
idmap config (G)
4190
3941
.if n \{\
4191
3942
.RS 4
4192
3943
.\}
4193
.fam C
4194
.ps -1
4195
3944
.nf
4196
.if t \{\
4197
.sp -1
4198
.\}
4199
.BB lightgray adjust-for-leading-newline
4200
.sp -1
4201
4202
3945
idmap backend = tdb
4203
3946
idmap uid = 1000000\-1999999
4204
3947
idmap gid = 1000000\-1999999
4206
3949
idmap config CORP : backend = ad
4207
3950
idmap config CORP : range = 1000\-999999
4208
3951
4209
.EB lightgray adjust-for-leading-newline
4210
.if t \{\
4211
.sp 1
4212
.\}
4213
3952
.fi
4214
.fam
4215
.ps +1
4216
3953
.if n \{\
4217
3954
.RE
4218
3955
.\}
4240
3977
options\&.
4241
3978
.sp
4242
3979
Default:
4243
\fI\fIidmap gid\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
3980
\fI\fIidmap gid\fR\fR\fI = \fR\fI\fR\fI \fR
4244
3981
.sp
4245
3982
Example:
4246
\fI\fIidmap gid\fR\fR\fI = \fR\fI\FC10000\-20000\F[]\fR\fI \fR
3983
\fI\fIidmap gid\fR\fR\fI = \fR\fI10000\-20000\fR\fI \fR
4247
3984
.RE
4248
3985
4249
3986
idmap negative cache time (G)
4253
3990
This parameter specifies the number of seconds that Winbind\'s idmap interface will cache negative SID/uid/gid query results\&.
4254
3991
.sp
4255
3992
Default:
4256
\fI\fIidmap negative cache time\fR\fR\fI = \fR\fI\FC120\F[]\fR\fI \fR
3993
\fI\fIidmap negative cache time\fR\fR\fI = \fR\fI120\fR\fI \fR
4257
3994
.RE
4258
3995
4259
3996
winbind uid
4277
4014
options\&.
4278
4015
.sp
4279
4016
Default:
4280
\fI\fIidmap uid\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4017
\fI\fIidmap uid\fR\fR\fI = \fR\fI\fR\fI \fR
4281
4018
.sp
4282
4019
Example:
4283
\fI\fIidmap uid\fR\fR\fI = \fR\fI\FC10000\-20000\F[]\fR\fI \fR
4020
\fI\fIidmap uid\fR\fR\fI = \fR\fI10000\-20000\fR\fI \fR
4284
4021
.RE
4285
4022
4286
4023
include (G)
4304
4041
from the current working directory, but instead reads the global configuration options from the registry\&. See the section on registry\-based configuration for details\&. Note that this option automatically activates registry shares\&.
4305
4042
.sp
4306
4043
Default:
4307
\fI\fIinclude\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4044
\fI\fIinclude\fR\fR\fI = \fR\fI\fR\fI \fR
4308
4045
.sp
4309
4046
Example:
4310
\fI\fIinclude\fR\fR\fI = \fR\fI\FC/usr/local/samba/lib/admin_smb\&.conf\F[]\fR\fI \fR
4047
\fI\fIinclude\fR\fR\fI = \fR\fI/usr/local/samba/lib/admin_smb\&.conf\fR\fI \fR
4311
4048
.RE
4312
4049
4313
4050
inherit acls (S)
4317
4054
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a new file or subdirectory in these parent directories\&. The default behavior is to use the unix mode specified when creating the directory\&. Enabling this option sets the unix mode to 0777, thus guaranteeing that default directory acls are propagated\&.
4318
4055
.sp
4319
4056
Default:
4320
\fI\fIinherit acls\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4057
\fI\fIinherit acls\fR\fR\fI = \fR\fIno\fR\fI \fR
4321
4058
.RE
4322
4059
4323
4060
inherit owner (S)
4329
4066
Common scenarios where this behavior is useful is in implementing drop\-boxes where users can create and edit files but not delete them and to ensure that newly create files in a user\'s roaming profile directory are actually owner by the user\&.
4330
4067
.sp
4331
4068
Default:
4332
\fI\fIinherit owner\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4069
\fI\fIinherit owner\fR\fR\fI = \fR\fIno\fR\fI \fR
4333
4070
.RE
4334
4071
4335
4072
inherit permissions (S)
4360
4097
This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user\&.
4361
4098
.sp
4362
4099
Default:
4363
\fI\fIinherit permissions\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4100
\fI\fIinherit permissions\fR\fR\fI = \fR\fIno\fR\fI \fR
4364
4101
.RE
4365
4102
4366
4103
init logon delayed hosts (G)
4374
4111
parameter\&.
4375
4112
.sp
4376
4113
Default:
4377
\fI\fIinit logon delayed hosts\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4114
\fI\fIinit logon delayed hosts\fR\fR\fI = \fR\fI\fR\fI \fR
4378
4115
.sp
4379
4116
Example:
4380
\fI\fIinit logon delayed hosts\fR\fR\fI = \fR\fI\FC150\&.203\&.5\&. myhost\&.mynet\&.de\F[]\fR\fI \fR
4117
\fI\fIinit logon delayed hosts\fR\fR\fI = \fR\fI150\&.203\&.5\&. myhost\&.mynet\&.de\fR\fI \fR
4381
4118
.RE
4382
4119
4383
4120
init logon delay (G)
4388
4125
\m[blue]\fBinit logon delayed hosts\fR\m[]\&.
4389
4126
.sp
4390
4127
Default:
4391
\fI\fIinit logon delay\fR\fR\fI = \fR\fI\FC100\F[]\fR\fI \fR
4128
\fI\fIinit logon delay\fR\fR\fI = \fR\fI100\fR\fI \fR
4392
4129
.RE
4393
4130
4394
4131
interfaces (G)
4452
4189
The example below configures three network interfaces corresponding to the eth0 device and IP addresses 192\&.168\&.2\&.10 and 192\&.168\&.3\&.10\&. The netmasks of the latter two interfaces would be set to 255\&.255\&.255\&.0\&.
4453
4190
.sp
4454
4191
Default:
4455
\fI\fIinterfaces\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4192
\fI\fIinterfaces\fR\fR\fI = \fR\fI\fR\fI \fR
4456
4193
.sp
4457
4194
Example:
4458
\fI\fIinterfaces\fR\fR\fI = \fR\fI\FCeth0 192\&.168\&.2\&.10/24 192\&.168\&.3\&.10/255\&.255\&.255\&.0\F[]\fR\fI \fR
4195
\fI\fIinterfaces\fR\fR\fI = \fR\fIeth0 192\&.168\&.2\&.10/24 192\&.168\&.3\&.10/255\&.255\&.255\&.0\fR\fI \fR
4459
4196
.RE
4460
4197
4461
4198
invalid users (S)
4478
4215
\fI%S\fR\&. This is useful in the [homes] section\&.
4479
4216
.sp
4480
4217
Default:
4481
\fI\fIinvalid users\fR\fR\fI = \fR\fI\FC # no invalid users\F[]\fR\fI \fR
4218
\fI\fIinvalid users\fR\fR\fI = \fR\fI # no invalid users\fR\fI \fR
4482
4219
.sp
4483
4220
Example:
4484
\fI\fIinvalid users\fR\fR\fI = \fR\fI\FCroot fred admin @wheel\F[]\fR\fI \fR
4221
\fI\fIinvalid users\fR\fR\fI = \fR\fIroot fred admin @wheel\fR\fI \fR
4485
4222
.RE
4486
4223
4487
4224
iprint server (G)
4494
4231
\fBiprint\fR\&.
4495
4232
.sp
4496
4233
If set, this option overrides the ServerName option in the CUPS
4497
\FCclient\&.conf\F[]\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
4234
client\&.conf\&. This is necessary if you have virtual samba servers that connect to different CUPS daemons\&.
4498
4235
.sp
4499
4236
Default:
4500
\fI\fIiprint server\fR\fR\fI = \fR\fI\FC""\F[]\fR\fI \fR
4237
\fI\fIiprint server\fR\fR\fI = \fR\fI""\fR\fI \fR
4501
4238
.sp
4502
4239
Example:
4503
\fI\fIiprint server\fR\fR\fI = \fR\fI\FCMYCUPSSERVER\F[]\fR\fI \fR
4240
\fI\fIiprint server\fR\fR\fI = \fR\fIMYCUPSSERVER\fR\fI \fR
4504
4241
.RE
4505
4242
4506
4243
keepalive (G)
4515
4252
\m[blue]\fBsocket options\fR\m[])\&. Basically you should only use this option if you strike difficulties\&.
4516
4253
.sp
4517
4254
Default:
4518
\fI\fIkeepalive\fR\fR\fI = \fR\fI\FC300\F[]\fR\fI \fR
4255
\fI\fIkeepalive\fR\fR\fI = \fR\fI300\fR\fI \fR
4519
4256
.sp
4520
4257
Example:
4521
\fI\fIkeepalive\fR\fR\fI = \fR\fI\FC600\F[]\fR\fI \fR
4258
\fI\fIkeepalive\fR\fR\fI = \fR\fI600\fR\fI \fR
4522
4259
.RE
4523
4260
4524
4261
kerberos method (G)
4580
4317
must be set to specify the location of the keytab file\&.
4581
4318
.sp
4582
4319
Default:
4583
\fI\fIkerberos method\fR\fR\fI = \fR\fI\FCsecrets only\F[]\fR\fI \fR
4320
\fI\fIkerberos method\fR\fR\fI = \fR\fIsecrets only\fR\fI \fR
4584
4321
.RE
4585
4322
4586
4323
kernel change notify (S)
4592
4329
This parameter is only used when your kernel supports change notification to user programs using the inotify interface\&.
4593
4330
.sp
4594
4331
Default:
4595
\fI\fIkernel change notify\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
4332
\fI\fIkernel change notify\fR\fR\fI = \fR\fIyes\fR\fI \fR
4596
4333
.RE
4597
4334
4598
4335
kernel oplocks (G)
4615
4352
\fBon\fR, but is translated to a no\-op on systems that no not have the necessary kernel support\&. You should never need to touch this parameter\&.
4616
4353
.sp
4617
4354
Default:
4618
\fI\fIkernel oplocks\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
4355
\fI\fIkernel oplocks\fR\fR\fI = \fR\fIyes\fR\fI \fR
4619
4356
.RE
4620
4357
4621
4358
lanman auth (G)
4629
4366
The LANMAN encrypted response is easily broken, due to its case\-insensitive nature, and the choice of algorithm\&. Servers without Windows 95/98/ME or MS DOS clients are advised to disable this option\&.
4630
4367
.sp
4631
4368
Unlike the
4632
\FCencrypt passwords\F[]
4369
encrypt passwords
4633
4370
option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network\&. See the
4634
\FCclient lanman auth\F[]
4371
client lanman auth
4635
4372
to disable this for Samba\'s clients (such as smbclient)
4636
4373
.sp
4637
4374
If this option, and
4638
\FCntlm auth\F[]
4375
ntlm auth
4639
4376
are both disabled, then only NTLMv2 logins will be permited\&. Not all clients support NTLMv2, and most will require special configuration to use it\&.
4640
4377
.sp
4641
4378
Default:
4642
\fI\fIlanman auth\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4379
\fI\fIlanman auth\fR\fR\fI = \fR\fIno\fR\fI \fR
4643
4380
.RE
4644
4381
4645
4382
large readwrite (G)
4651
4388
supports the new 64k streaming read and write varient SMB requests introduced with Windows 2000\&. Note that due to Windows 2000 client redirector bugs this requires Samba to be running on a 64\-bit capable operating system such as IRIX, Solaris or a Linux 2\&.4 kernel\&. Can improve performance by 10% with Windows 2000 clients\&. Defaults to on\&. Not as tested as some other Samba code paths\&.
4652
4389
.sp
4653
4390
Default:
4654
\fI\fIlarge readwrite\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
4391
\fI\fIlarge readwrite\fR\fR\fI = \fR\fIyes\fR\fI \fR
4655
4392
.RE
4656
4393
4657
4394
ldap admin dn (G)
4663
4400
defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving user account information\&. The
4664
4401
\m[blue]\fBldap admin dn\fR\m[]
4665
4402
is used in conjunction with the admin dn password stored in the
4666
\FCprivate/secrets\&.tdb\F[]
4403
private/secrets\&.tdb
4667
4404
file\&. See the
4668
4405
\fBsmbpasswd\fR(8)
4669
4406
man page for more information on how to accomplish this\&.
4689
4426
which affects operations on LDAP servers using an existing connection and not establishing an initial connection\&.
4690
4427
.sp
4691
4428
Default:
4692
\fI\fIldap connection timeout\fR\fR\fI = \fR\fI\FC2\F[]\fR\fI \fR
4429
\fI\fIldap connection timeout\fR\fR\fI = \fR\fI2\fR\fI \fR
4693
4430
.RE
4694
4431
4695
4432
ldap debug level (G)
4706
4443
\fIldap debug threshold\fR\&.
4707
4444
.sp
4708
4445
Default:
4709
\fI\fIldap debug level\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
4446
\fI\fIldap debug level\fR\fR\fI = \fR\fI0\fR\fI \fR
4710
4447
.sp
4711
4448
Example:
4712
\fI\fIldap debug level\fR\fR\fI = \fR\fI\FC1\F[]\fR\fI \fR
4449
\fI\fIldap debug level\fR\fR\fI = \fR\fI1\fR\fI \fR
4713
4450
.RE
4714
4451
4715
4452
ldap debug threshold (G)
4721
4458
for details\&.
4722
4459
.sp
4723
4460
Default:
4724
\fI\fIldap debug threshold\fR\fR\fI = \fR\fI\FC10\F[]\fR\fI \fR
4461
\fI\fIldap debug threshold\fR\fR\fI = \fR\fI10\fR\fI \fR
4725
4462
.sp
4726
4463
Example:
4727
\fI\fIldap debug threshold\fR\fR\fI = \fR\fI\FC5\F[]\fR\fI \fR
4464
\fI\fIldap debug threshold\fR\fR\fI = \fR\fI5\fR\fI \fR
4728
4465
.RE
4729
4466
4730
4467
ldap delete dn (G)
4734
4471
This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba\&.
4735
4472
.sp
4736
4473
Default:
4737
\fI\fIldap delete dn\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4474
\fI\fIldap delete dn\fR\fR\fI = \fR\fIno\fR\fI \fR
4738
4475
.RE
4739
4476
4740
4477
ldap group suffix (G)
4748
4485
string so use a partial DN\&.
4749
4486
.sp
4750
4487
Default:
4751
\fI\fIldap group suffix\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4488
\fI\fIldap group suffix\fR\fR\fI = \fR\fI\fR\fI \fR
4752
4489
.sp
4753
4490
Example:
4754
\fI\fIldap group suffix\fR\fR\fI = \fR\fI\FCou=Groups\F[]\fR\fI \fR
4491
\fI\fIldap group suffix\fR\fR\fI = \fR\fIou=Groups\fR\fI \fR
4755
4492
.RE
4756
4493
4757
4494
ldap idmap suffix (G)
4765
4502
string so use a partial DN\&.
4766
4503
.sp
4767
4504
Default:
4768
\fI\fIldap idmap suffix\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4505
\fI\fIldap idmap suffix\fR\fR\fI = \fR\fI\fR\fI \fR
4769
4506
.sp
4770
4507
Example:
4771
\fI\fIldap idmap suffix\fR\fR\fI = \fR\fI\FCou=Idmap\F[]\fR\fI \fR
4508
\fI\fIldap idmap suffix\fR\fR\fI = \fR\fIou=Idmap\fR\fI \fR
4772
4509
.RE
4773
4510
4774
4511
ldap machine suffix (G)
4782
4519
string so use a partial DN\&.
4783
4520
.sp
4784
4521
Default:
4785
\fI\fIldap machine suffix\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4786
.sp
4787
Example:
4788
\fI\fIldap machine suffix\fR\fR\fI = \fR\fI\FCou=Computers\F[]\fR\fI \fR
4522
\fI\fIldap machine suffix\fR\fR\fI = \fR\fI\fR\fI \fR
4523
.sp
4524
Example:
4525
\fI\fIldap machine suffix\fR\fR\fI = \fR\fIou=Computers\fR\fI \fR
4526
.RE
4527
4528
ldap page size (G)
4529
.\" ldap page size
4530
.PP
4531
.RS 4
4532
This parameter specifies the number of entries per page\&.
4533
.sp
4534
If the LDAP server supports paged results, clients can request subsets of search results (pages) instead of the entire list\&. This parameter specifies the size of these pages\&.
4535
.sp
4536
Default:
4537
\fI\fIldap page size\fR\fR\fI = \fR\fI1024\fR\fI \fR
4538
.sp
4539
Example:
4540
\fI\fIldap page size\fR\fR\fI = \fR\fI512\fR\fI \fR
4789
4541
.RE
4790
4542
4791
4543
ldap passwd sync (G)
4835
4587
.sp
4836
4588
.RE
4837
4589
Default:
4838
\fI\fIldap passwd sync\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4590
\fI\fIldap passwd sync\fR\fR\fI = \fR\fIno\fR\fI \fR
4839
4591
.RE
4840
4592
4841
4593
ldap replication sleep (G)
4849
4601
The value is specified in milliseconds, the maximum value is 5000 (5 seconds)\&.
4850
4602
.sp
4851
4603
Default:
4852
\fI\fIldap replication sleep\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
4604
\fI\fIldap replication sleep\fR\fR\fI = \fR\fI1000\fR\fI \fR
4853
4605
.RE
4854
4606
4855
4607
ldapsam:editposix (G)
4859
4611
Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller eliminating the need to set up custom scripts to add and manage the posix users and groups\&. This option will instead directly manipulate the ldap tree to create, remove and modify user and group entries\&. This option also requires a running winbindd as it is used to allocate new uids/gids on user/group creation\&. The allocation range must be therefore configured\&.
4860
4612
.sp
4861
4613
To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured\&. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command
4862
\FCnet sam provision\F[]\&. To run this command the ldap server must be running, Winindd must be running and the smb\&.conf ldap options must be properly configured\&. The typical ldap setup used with the
4614
net sam provision\&. To run this command the ldap server must be running, Winindd must be running and the smb\&.conf ldap options must be properly configured\&. The typical ldap setup used with the
4863
4615
\m[blue]\fBldapsam:trusted = yes\fR\m[]
4864
4616
option is usually sufficient to use
4865
4617
\m[blue]\fBldapsam:editposix = yes\fR\m[]
4870
4622
.if n \{\
4871
4623
.RS 4
4872
4624
.\}
4873
.fam C
4874
.ps -1
4875
4625
.nf
4876
.if t \{\
4877
.sp -1
4878
.\}
4879
.BB lightgray adjust-for-leading-newline
4880
.sp -1
4881
4882
4626
encrypt passwords = true
4883
4627
passdb backend = ldapsam
4884
4628
4898
4642
idmap uid = 5000\-50000
4899
4643
idmap gid = 5000\-50000
4900
4644
4901
.EB lightgray adjust-for-leading-newline
4902
.if t \{\
4903
.sp 1
4904
.\}
4905
4645
.fi
4906
.fam
4907
.ps +1
4908
4646
.if n \{\
4909
4647
.RE
4910
4648
.\}
4914
4652
.if n \{\
4915
4653
.RS 4
4916
4654
.\}
4917
.fam C
4918
.ps -1
4919
4655
.nf
4920
.if t \{\
4921
.sp -1
4922
.\}
4923
.BB lightgray adjust-for-leading-newline
4924
.sp -1
4925
4926
4656
dn: dc=samba,dc=org
4927
4657
objectClass: top
4928
4658
objectClass: dcObject
4957
4687
objectClass: organizationalUnit
4958
4688
ou: computers
4959
4689
4960
.EB lightgray adjust-for-leading-newline
4961
.if t \{\
4962
.sp 1
4963
.\}
4964
4690
.fi
4965
.fam
4966
.ps +1
4967
4691
.if n \{\
4968
4692
.RE
4969
4693
.\}
4970
4694
.sp
4971
4695
Default:
4972
\fI\fIldapsam:editposix\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4696
\fI\fIldapsam:editposix\fR\fR\fI = \fR\fIno\fR\fI \fR
4973
4697
.RE
4974
4698
4975
4699
ldapsam:trusted (G)
4985
4709
can be activated and Samba can bypass the NSS system to query user group memberships\&. Optimized LDAP queries can greatly speed up domain logon and administration tasks\&. Depending on the size of the LDAP database a factor of 100 or more for common queries is easily achieved\&.
4986
4710
.sp
4987
4711
Default:
4988
\fI\fIldapsam:trusted\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4712
\fI\fIldapsam:trusted\fR\fR\fI = \fR\fIno\fR\fI \fR
4989
4713
.RE
4990
4714
4991
4715
ldap ssl ads (G)
5005
4729
\m[blue]\fBldap ssl\fR\m[]\&.
5006
4730
.sp
5007
4731
Default:
5008
\fI\fIldap ssl ads\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
4732
\fI\fIldap ssl ads\fR\fR\fI = \fR\fIno\fR\fI \fR
5009
4733
.RE
5010
4734
5011
4735
ldap ssl (G)
5015
4739
This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is
5016
4740
\fINOT\fR
5017
4741
related to Samba\'s previous SSL support which was enabled by specifying the
5018
\FC\-\-with\-ssl\F[]
4742
\-\-with\-ssl
5019
4743
option to the
5020
\FCconfigure\F[]
4744
configure
5021
4745
script\&.
5022
4746
.sp
5023
4747
LDAP connections should be secured where possible\&. This may be done setting
5070
4794
\m[blue]\fBldap ssl ads\fR\m[]\&.
5071
4795
.sp
5072
4796
Default:
5073
\fI\fIldap ssl\fR\fR\fI = \fR\fI\FCstart tls\F[]\fR\fI \fR
4797
\fI\fIldap ssl\fR\fR\fI = \fR\fIstart tls\fR\fI \fR
5074
4798
.RE
5075
4799
5076
4800
ldap suffix (G)
5087
4811
\m[blue]\fBldap suffix\fR\m[]\&.
5088
4812
.sp
5089
4813
Default:
5090
\fI\fIldap suffix\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4814
\fI\fIldap suffix\fR\fR\fI = \fR\fI\fR\fI \fR
5091
4815
.sp
5092
4816
Example:
5093
\fI\fIldap suffix\fR\fR\fI = \fR\fI\FCdc=samba,dc=org\F[]\fR\fI \fR
4817
\fI\fIldap suffix\fR\fR\fI = \fR\fIdc=samba,dc=org\fR\fI \fR
5094
4818
.RE
5095
4819
5096
4820
ldap timeout (G)
5100
4824
This parameter defines the number of seconds that Samba should use as timeout for LDAP operations\&.
5101
4825
.sp
5102
4826
Default:
5103
\fI\fIldap timeout\fR\fR\fI = \fR\fI\FC15\F[]\fR\fI \fR
4827
\fI\fIldap timeout\fR\fR\fI = \fR\fI15\fR\fI \fR
5104
4828
.RE
5105
4829
5106
4830
ldap user suffix (G)
5114
4838
string so use a partial DN\&.
5115
4839
.sp
5116
4840
Default:
5117
\fI\fIldap user suffix\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
4841
\fI\fIldap user suffix\fR\fR\fI = \fR\fI\fR\fI \fR
5118
4842
.sp
5119
4843
Example:
5120
\fI\fIldap user suffix\fR\fR\fI = \fR\fI\FCou=people\F[]\fR\fI \fR
4844
\fI\fIldap user suffix\fR\fR\fI = \fR\fIou=people\fR\fI \fR
5121
4845
.RE
5122
4846
5123
4847
level2 oplocks (S)
5144
4868
on this share in order for this parameter to have any effect\&.
5145
4869
.sp
5146
4870
Default:
5147
\fI\fIlevel2 oplocks\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
4871
\fI\fIlevel2 oplocks\fR\fR\fI = \fR\fIyes\fR\fI \fR
5148
4872
.RE
5149
4873
5150
4874
lm announce (G)
5168
4892
\m[blue]\fBlm interval\fR\m[]\&.
5169
4893
.sp
5170
4894
Default:
5171
\fI\fIlm announce\fR\fR\fI = \fR\fI\FCauto\F[]\fR\fI \fR
4895
\fI\fIlm announce\fR\fR\fI = \fR\fIauto\fR\fI \fR
5172
4896
.sp
5173
4897
Example:
5174
\fI\fIlm announce\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
4898
\fI\fIlm announce\fR\fR\fI = \fR\fIyes\fR\fI \fR
5175
4899
.RE
5176
4900
5177
4901
lm interval (G)
5185
4909
parameter\&.
5186
4910
.sp
5187
4911
Default:
5188
\fI\fIlm interval\fR\fR\fI = \fR\fI\FC60\F[]\fR\fI \fR
4912
\fI\fIlm interval\fR\fR\fI = \fR\fI60\fR\fI \fR
5189
4913
.sp
5190
4914
Example:
5191
\fI\fIlm interval\fR\fR\fI = \fR\fI\FC120\F[]\fR\fI \fR
4915
\fI\fIlm interval\fR\fR\fI = \fR\fI120\fR\fI \fR
5192
4916
.RE
5193
4917
5194
4918
load printers (G)
5200
4924
section for more details\&.
5201
4925
.sp
5202
4926
Default:
5203
\fI\fIload printers\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
4927
\fI\fIload printers\fR\fR\fI = \fR\fIyes\fR\fI \fR
5204
4928
.RE
5205
4929
5206
4930
local master (G)
5212
4936
to try and become a local master browser on a subnet\&. If set to
5213
4937
\fBno\fR
5214
4938
then
5215
\FC nmbd\F[]
4939
nmbd
5216
4940
will not attempt to become a local master browser on a subnet and will also lose in all browsing elections\&. By default this value is set to
5217
4941
\fByes\fR\&. Setting this value to
5218
4942
\fByes\fR
5219
4943
doesn\'t mean that Samba will
5220
4944
\fIbecome\fR
5221
4945
the local master browser on a subnet, just that
5222
\FCnmbd\F[]
4946
nmbd
5223
4947
will
5224
4948
\fIparticipate\fR
5225
4949
in elections for local master browser\&.
5227
4951
Setting this value to
5228
4952
\fBno\fR
5229
4953
will cause
5230
\FCnmbd\F[]
4954
nmbd
5231
4955
\fInever\fR
5232
4956
to become a local master browser\&.
5233
4957
.sp
5234
4958
Default:
5235
\fI\fIlocal master\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
4959
\fI\fIlocal master\fR\fR\fI = \fR\fIyes\fR\fI \fR
5236
4960
.RE
5237
4961
5238
4962
lock dir
5254
4978
Note: This option can not be set inside registry configurations\&.
5255
4979
.sp
5256
4980
Default:
5257
\fI\fIlock directory\fR\fR\fI = \fR\fI\FC${prefix}/var/locks\F[]\fR\fI \fR
4981
\fI\fIlock directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
5258
4982
.sp
5259
4983
Example:
5260
\fI\fIlock directory\fR\fR\fI = \fR\fI\FC/var/run/samba/locks\F[]\fR\fI \fR
4984
\fI\fIlock directory\fR\fR\fI = \fR\fI/var/run/samba/locks\fR\fI \fR
5261
4985
.RE
5262
4986
5263
4987
locking (S)
5267
4991
This controls whether or not locking will be performed by the server in response to lock requests from the client\&.
5268
4992
.sp
5269
4993
If
5270
\FClocking = no\F[], all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking\&.
4994
locking = no, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking\&.
5271
4995
.sp
5272
4996
If
5273
\FClocking = yes\F[], real locking will be performed by the server\&.
4997
locking = yes, real locking will be performed by the server\&.
5274
4998
.sp
5275
4999
This option
5276
5000
\fImay\fR
5293
5017
\m[blue]\fBlock spin time\fR\m[]\&.
5294
5018
.sp
5295
5019
Default:
5296
\fI\fIlock spin count\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
5020
\fI\fIlock spin count\fR\fR\fI = \fR\fI0\fR\fI \fR
5297
5021
.RE
5298
5022
5299
5023
lock spin time (G)
5305
5029
parameter is no longer used in Samba 3\&.0\&.24\&. You should not need to change the value of this parameter\&.
5306
5030
.sp
5307
5031
Default:
5308
\fI\fIlock spin time\fR\fR\fI = \fR\fI\FC200\F[]\fR\fI \fR
5032
\fI\fIlock spin time\fR\fR\fI = \fR\fI200\fR\fI \fR
5309
5033
.RE
5310
5034
5311
5035
log file (G)
5319
5043
\fINo default\fR
5320
5044
.sp
5321
5045
Example:
5322
\fI\fIlog file\fR\fR\fI = \fR\fI\FC/usr/local/samba/var/log\&.%m\F[]\fR\fI \fR
5046
\fI\fIlog file\fR\fR\fI = \fR\fI/usr/local/samba/var/log\&.%m\fR\fI \fR
5323
5047
.RE
5324
5048
5325
5049
debuglevel
5335
5059
.PP
5336
5060
.RS 4
5337
5061
The value of the parameter (a astring) allows the debug level (logging level) to be specified in the
5338
\FCsmb\&.conf\F[]
5062
smb\&.conf
5339
5063
file\&.
5340
5064
.sp
5341
5065
This parameter has been extended since the 2\&.2\&.x series, now it allows to specify the debug level for multiple debug classes\&. This is to give greater flexibility in the configuration of the system\&. The following debug classes are currently implemented:
5561
5285
.sp
5562
5286
.RE
5563
5287
Default:
5564
\fI\fIlog level\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
5288
\fI\fIlog level\fR\fR\fI = \fR\fI0\fR\fI \fR
5565
5289
.sp
5566
5290
Example:
5567
\fI\fIlog level\fR\fR\fI = \fR\fI\FC3 passdb:5 auth:10 winbind:2\F[]\fR\fI \fR
5291
\fI\fIlog level\fR\fR\fI = \fR\fI3 passdb:5 auth:10 winbind:2\fR\fI \fR
5568
5292
.RE
5569
5293
5570
5294
logon drive (G)
5577
5301
Note that this option is only useful if Samba is set up as a logon server\&.
5578
5302
.sp
5579
5303
Default:
5580
\fI\fIlogon drive\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
5304
\fI\fIlogon drive\fR\fR\fI = \fR\fI\fR\fI \fR
5581
5305
.sp
5582
5306
Example:
5583
\fI\fIlogon drive\fR\fR\fI = \fR\fI\FCh:\F[]\fR\fI \fR
5307
\fI\fIlogon drive\fR\fR\fI = \fR\fIh:\fR\fI \fR
5584
5308
.RE
5585
5309
5586
5310
logon home (G)
5590
5314
This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC\&. It allows you to do
5591
5315
.sp
5592
5316
5593
\FCC:\e>\F[]\fBNET USE H: /HOME\fR
5317
C:\e>\fBNET USE H: /HOME\fR
5594
5318
.sp
5595
5319
from a command prompt, for example\&.
5596
5320
.sp
5599
5323
This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user\'s home directory\&. This is done in the following way:
5600
5324
.sp
5601
5325
5602
\FClogon home = \e\e%N\e%U\eprofile\F[]
5326
logon home = \e\e%N\e%U\eprofile
5603
5327
.sp
5604
5328
This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request\&. Win9X clients truncate the info to \e\eserver\eshare when a user does
5605
\FCnet use /home\F[]
5329
net use /home
5606
5330
but use the whole string when dealing with profiles\&.
5607
5331
.sp
5608
5332
Note that in prior versions of Samba, the
5609
5333
\m[blue]\fBlogon path\fR\m[]
5610
5334
was returned rather than
5611
5335
\fIlogon home\fR\&. This broke
5612
\FCnet use /home\F[]
5336
net use /home
5613
5337
but allowed profiles outside the home directory\&. The current implementation is correct, and can be used for profiles if you use the above trick\&.
5614
5338
.sp
5615
5339
Disable this feature by setting
5619
5343
This option is only useful if Samba is set up as a logon server\&.
5620
5344
.sp
5621
5345
Default:
5622
\fI\fIlogon home\fR\fR\fI = \fR\fI\FC\e\e%N\e%U\F[]\fR\fI \fR
5346
\fI\fIlogon home\fR\fR\fI = \fR\fI\e\e%N\e%U\fR\fI \fR
5623
5347
.sp
5624
5348
Example:
5625
\fI\fIlogon home\fR\fR\fI = \fR\fI\FC\e\eremote_smb_server\e%U\F[]\fR\fI \fR
5349
\fI\fIlogon home\fR\fR\fI = \fR\fI\e\eremote_smb_server\e%U\fR\fI \fR
5626
5350
.RE
5627
5351
5628
5352
logon path (G)
5634
5358
parameter\&.
5635
5359
.sp
5636
5360
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine\&. It also specifies the directory from which the "Application Data",
5637
\FCdesktop\F[],
5638
\FCstart menu\F[],
5639
\FCnetwork neighborhood\F[],
5640
\FCprograms\F[]
5361
desktop,
5362
start menu,
5363
network neighborhood,
5364
programs
5641
5365
and other folders, and their contents, are loaded and displayed on your Windows NT client\&.
5642
5366
.sp
5643
5367
The share and the path must be readable by the user for the preferences and directories to be loaded onto the Windows NT client\&. The share must be writeable when the user logs in for the first time, in order that the Windows NT client can create the NTuser\&.dat and other directories\&. Thereafter, the directories and any of the contents can, if required, be made read\-only\&. It is not advisable that the NTuser\&.dat file be made read\-only \- rename it to NTuser\&.man to achieve the desired effect (a
5650
5374
.sp
5651
5375
.\}
5652
5376
.RS 4
5653
.BM yellow
5654
5377
.it 1 an-trap
5655
5378
.nr an-no-space-flag 1
5656
5379
.nr an-break-flag 1
5663
5386
\(lq\e\e%N\eprofile\e%U\(rq
5664
5387
will break profile handling\&. Where the tdbsam or ldapsam passdb backend is used, at the time the user account is created the value configured for this parameter is written to the passdb backend and that value will over\-ride the parameter value present in the smb\&.conf file\&. Any error present in the passdb backend account record must be editted using the appropriate tool (pdbedit on the command\-line, or any other locally provided system tool)\&.
5665
5388
.sp .5v
5666
.EM yellow
5667
5389
.RE
5668
5390
Note that this option is only useful if Samba is set up as a domain controller\&.
5669
5391
.sp
5675
5397
.if n \{\
5676
5398
.RS 4
5677
5399
.\}
5678
.fam C
5679
.ps -1
5680
5400
.nf
5681
.if t \{\
5682
.sp -1
5683
.\}
5684
.BB lightgray adjust-for-leading-newline
5685
.sp -1
5686
5687
5401
logon path = \e\ePROFILESERVER\ePROFILE\e%U
5688
.EB lightgray adjust-for-leading-newline
5689
.if t \{\
5690
.sp 1
5691
.\}
5692
5402
.fi
5693
.fam
5694
.ps +1
5695
5403
.if n \{\
5696
5404
.RE
5697
5405
.\}
5698
5406
.sp
5699
5407
Default:
5700
\fI\fIlogon path\fR\fR\fI = \fR\fI\FC\e\e%N\e%U\eprofile\F[]\fR\fI \fR
5408
\fI\fIlogon path\fR\fR\fI = \fR\fI\e\e%N\e%U\eprofile\fR\fI \fR
5701
5409
.RE
5702
5410
5703
5411
logon script (G)
5704
5412
.\" logon script
5705
5413
.PP
5706
5414
.RS 4
5707
This parameter specifies the batch file (\FC\&.bat\F[]) or NT command file (\FC\&.cmd\F[]) to be downloaded and run on a machine when a user successfully logs in\&. The file must contain the DOS style CR/LF line endings\&. Using a DOS\-style editor to create the file is recommended\&.
5415
This parameter specifies the batch file (\&.bat) or NT command file (\&.cmd) to be downloaded and run on a machine when a user successfully logs in\&. The file must contain the DOS style CR/LF line endings\&. Using a DOS\-style editor to create the file is recommended\&.
5708
5416
.sp
5709
5417
The script must be a relative path to the
5710
5418
\fI[netlogon]\fR
5711
5419
service\&. If the [netlogon] service specifies a
5712
5420
\m[blue]\fBpath\fR\m[]
5713
5421
of
5714
\FC/usr/local/samba/netlogon\F[], and
5422
/usr/local/samba/netlogon, and
5715
5423
\m[blue]\fBlogon script = STARTUP\&.BAT\fR\m[], then the file that will be downloaded is:
5716
5424
.sp
5717
5425
.if n \{\
5718
5426
.RS 4
5719
5427
.\}
5720
.fam C
5721
.ps -1
5722
5428
.nf
5723
.if t \{\
5724
.sp -1
5725
.\}
5726
.BB lightgray adjust-for-leading-newline
5727
.sp -1
5728
5729
5429
/usr/local/samba/netlogon/STARTUP\&.BAT
5730
.EB lightgray adjust-for-leading-newline
5731
.if t \{\
5732
.sp 1
5733
.\}
5734
5430
.fi
5735
.fam
5736
.ps +1
5737
5431
.if n \{\
5738
5432
.RE
5739
5433
.\}
5740
5434
.sp
5741
5435
The contents of the batch file are entirely your choice\&. A suggested command would be to add
5742
\FCNET TIME \e\eSERVER /SET /YES\F[], to force every machine to synchronize clocks with the same time server\&. Another use would be to add
5743
\FCNET USE U: \e\eSERVER\eUTILS\F[]
5436
NET TIME \e\eSERVER /SET /YES, to force every machine to synchronize clocks with the same time server\&. Another use would be to add
5437
NET USE U: \e\eSERVER\eUTILS
5744
5438
for commonly used utilities, or
5745
5439
.sp
5746
5440
.if n \{\
5747
5441
.RS 4
5748
5442
.\}
5749
.fam C
5750
.ps -1
5751
5443
.nf
5752
.if t \{\
5753
.sp -1
5754
.\}
5755
.BB lightgray adjust-for-leading-newline
5756
.sp -1
5757
5758
5444
\fBNET USE Q: \e\eSERVER\eISO9001_QA\fR
5759
.EB lightgray adjust-for-leading-newline
5760
.if t \{\
5761
.sp 1
5762
.\}
5763
5445
.fi
5764
.fam
5765
.ps +1
5766
5446
.if n \{\
5767
5447
.RE
5768
5448
.\}
5776
5456
This option is only useful if Samba is set up as a logon server\&.
5777
5457
.sp
5778
5458
Default:
5779
\fI\fIlogon script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
5459
\fI\fIlogon script\fR\fR\fI = \fR\fI\fR\fI \fR
5780
5460
.sp
5781
5461
Example:
5782
\fI\fIlogon script\fR\fR\fI = \fR\fI\FCscripts\e%U\&.bat\F[]\fR\fI \fR
5462
\fI\fIlogon script\fR\fR\fI = \fR\fIscripts\e%U\&.bat\fR\fI \fR
5783
5463
.RE
5784
5464
5785
5465
lppause command (S)
5802
5482
Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server\&.
5803
5483
.sp
5804
5484
Default:
5805
\fI\fIlppause command\fR\fR\fI = \fR\fI\FC # Currently no default value is given to this string, unless the value of the \m[blue]\fBprinting\fR\m[] parameter is \fBSYSV\fR, in which case the default is : \FClp \-i %p\-%j \-H hold\F[] or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is: \FCqstat \-s \-j%j \-h\F[]\&. \F[]\fR\fI \fR
5485
\fI\fIlppause command\fR\fR\fI = \fR\fI # Currently no default value is given to this string, unless the value of the \m[blue]\fBprinting\fR\m[] parameter is \fBSYSV\fR, in which case the default is : lp \-i %p\-%j \-H hold or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is: qstat \-s \-j%j \-h\&. \fR\fI \fR
5806
5486
.sp
5807
5487
Example:
5808
\fI\fIlppause command\fR\fR\fI = \fR\fI\FC/usr/bin/lpalt %p\-%j \-p0\F[]\fR\fI \fR
5488
\fI\fIlppause command\fR\fR\fI = \fR\fI/usr/bin/lpalt %p\-%j \-p0\fR\fI \fR
5809
5489
.RE
5810
5490
5811
5491
lpq cache time (G)
5813
5493
.PP
5814
5494
.RS 4
5815
5495
This controls how long lpq info will be cached for to prevent the
5816
\FClpq\F[]
5496
lpq
5817
5497
command being called too often\&. A separate cache is kept for each variation of the
5818
\FC lpq\F[]
5498
lpq
5819
5499
command used by the system, so if you use different
5820
\FClpq\F[]
5500
lpq
5821
5501
commands for different users then they won\'t share cache information\&.
5822
5502
.sp
5823
5503
The cache files are stored in
5824
\FC/tmp/lpq\&.xxxx\F[]
5504
/tmp/lpq\&.xxxx
5825
5505
where xxxx is a hash of the
5826
\FClpq\F[]
5506
lpq
5827
5507
command in use\&.
5828
5508
.sp
5829
5509
The default is 30 seconds, meaning that the cached results of a previous identical
5830
\FClpq\F[]
5510
lpq
5831
5511
command will be used if the cached data is less than 30 seconds old\&. A large value may be advisable if your
5832
\FClpq\F[]
5512
lpq
5833
5513
command is very slow\&.
5834
5514
.sp
5835
5515
A value of 0 will disable caching completely\&.
5836
5516
.sp
5837
5517
Default:
5838
\fI\fIlpq cache time\fR\fR\fI = \fR\fI\FC30\F[]\fR\fI \fR
5518
\fI\fIlpq cache time\fR\fR\fI = \fR\fI30\fR\fI \fR
5839
5519
.sp
5840
5520
Example:
5841
\fI\fIlpq cache time\fR\fR\fI = \fR\fI\FC10\F[]\fR\fI \fR
5521
\fI\fIlpq cache time\fR\fR\fI = \fR\fI10\fR\fI \fR
5842
5522
.RE
5843
5523
5844
5524
lpq command (S)
5846
5526
.PP
5847
5527
.RS 4
5848
5528
This parameter specifies the command to be executed on the server host in order to obtain
5849
\FClpq \F[]\-style printer status information\&.
5529
lpq\-style printer status information\&.
5850
5530
.sp
5851
5531
This command should be a program or script which takes a printer name as its only parameter and outputs printer status information\&.
5852
5532
.sp
5869
5549
is needed because smbd will make a library call to obtain the print queue listing\&.
5870
5550
.sp
5871
5551
Default:
5872
\fI\fIlpq command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
5552
\fI\fIlpq command\fR\fR\fI = \fR\fI\fR\fI \fR
5873
5553
.sp
5874
5554
Example:
5875
\fI\fIlpq command\fR\fR\fI = \fR\fI\FC/usr/bin/lpq \-P%p\F[]\fR\fI \fR
5555
\fI\fIlpq command\fR\fR\fI = \fR\fI/usr/bin/lpq \-P%p\fR\fI \fR
5876
5556
.RE
5877
5557
5878
5558
lpresume command (S)
5904
5584
parameter is
5905
5585
\fBSYSV\fR, in which case the default is:
5906
5586
.sp
5907
\FClp \-i %p\-%j \-H resume\F[]
5587
lp \-i %p\-%j \-H resume
5908
5588
.sp
5909
5589
or if the value of the
5910
5590
\fIprinting\fR
5911
5591
parameter is
5912
5592
\fBSOFTQ\fR, then the default is:
5913
5593
.sp
5914
\FCqstat \-s \-j%j \-r\F[]
5594
qstat \-s \-j%j \-r
5915
5595
.sp
5916
5596
\fINo default\fR
5917
5597
.sp
5918
5598
Example:
5919
\fI\fIlpresume command\fR\fR\fI = \fR\fI\FC/usr/bin/lpalt %p\-%j \-p2\F[]\fR\fI \fR
5599
\fI\fIlpresume command\fR\fR\fI = \fR\fI/usr/bin/lpalt %p\-%j \-p2\fR\fI \fR
5920
5600
.RE
5921
5601
5922
5602
lprm command (S)
5942
5622
.if n \{\
5943
5623
.RS 4
5944
5624
.\}
5945
.fam C
5946
.ps -1
5947
5625
.nf
5948
.if t \{\
5949
.sp -1
5950
.\}
5951
.BB lightgray adjust-for-leading-newline
5952
.sp -1
5953
5954
5626
lprm command = /usr/bin/lprm \-P%p %j
5955
5627
5956
5628
or
5957
5629
5958
5630
lprm command = /usr/bin/cancel %p\-%j
5959
.EB lightgray adjust-for-leading-newline
5960
.if t \{\
5961
.sp 1
5962
.\}
5963
5631
.fi
5964
.fam
5965
.ps +1
5966
5632
.if n \{\
5967
5633
.RE
5968
5634
.\}
5969
5635
.sp
5970
5636
Default:
5971
\fI\fIlprm command\fR\fR\fI = \fR\fI\FC determined by printing parameter\F[]\fR\fI \fR
5637
\fI\fIlprm command\fR\fR\fI = \fR\fI determined by printing parameter\fR\fI \fR
5972
5638
.RE
5973
5639
5974
5640
machine password timeout (G)
5978
5644
If a Samba server is a member of a Windows NT Domain (see the
5979
5645
\m[blue]\fBsecurity = domain\fR\m[]
5980
5646
parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called
5981
\FCprivate/secrets\&.tdb \F[]\&. This parameter specifies how often this password will be changed, in seconds\&. The default is one week (expressed in seconds), the same as a Windows NT Domain member server\&.
5647
private/secrets\&.tdb\&. This parameter specifies how often this password will be changed, in seconds\&. The default is one week (expressed in seconds), the same as a Windows NT Domain member server\&.
5982
5648
.sp
5983
5649
See also
5984
5650
\fBsmbpasswd\fR(8), and the
5986
5652
parameter\&.
5987
5653
.sp
5988
5654
Default:
5989
\fI\fImachine password timeout\fR\fR\fI = \fR\fI\FC604800\F[]\fR\fI \fR
5655
\fI\fImachine password timeout\fR\fR\fI = \fR\fI604800\fR\fI \fR
5990
5656
.RE
5991
5657
5992
5658
magic output (S)
6000
5666
.sp
6001
5667
.\}
6002
5668
.RS 4
6003
.BM yellow
6004
5669
.it 1 an-trap
6005
5670
.nr an-no-space-flag 1
6006
5671
.nr an-break-flag 1
6013
5678
\fImagic script \fR
6014
5679
in the same directory the output file content is undefined\&.
6015
5680
.sp .5v
6016
.EM yellow
6017
5681
.RE
6018
5682
Default:
6019
\fI\fImagic output\fR\fR\fI = \fR\fI\FC<magic script name>\&.out\F[]\fR\fI \fR
5683
\fI\fImagic output\fR\fR\fI = \fR\fI<magic script name>\&.out\fR\fI \fR
6020
5684
.sp
6021
5685
Example:
6022
\fI\fImagic output\fR\fR\fI = \fR\fI\FCmyfile\&.txt\F[]\fR\fI \fR
5686
\fI\fImagic output\fR\fR\fI = \fR\fImyfile\&.txt\fR\fI \fR
6023
5687
.RE
6024
5688
6025
5689
magic script (S)
6045
5709
be relied upon\&.
6046
5710
.sp
6047
5711
Default:
6048
\fI\fImagic script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
5712
\fI\fImagic script\fR\fR\fI = \fR\fI\fR\fI \fR
6049
5713
.sp
6050
5714
Example:
6051
\fI\fImagic script\fR\fR\fI = \fR\fI\FCuser\&.csh\F[]\fR\fI \fR
5715
\fI\fImagic script\fR\fR\fI = \fR\fIuser\&.csh\fR\fI \fR
6052
5716
.RE
6053
5717
6054
5718
mangled names (S)
6061
5725
\m[blue]\fBname mangling\fR\m[]
6062
5726
for details on how to control the mangling process\&.
6063
5727
.sp
6064
If mangling is used then the mangling algorithm is as follows:
5728
If mangling is used then the mangling method is as follows:
6065
5729
.sp
6066
5730
.RS 4
6067
5731
.ie n \{\
6107
5771
The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename\&. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename\&. Mangled names do not change between sessions\&.
6108
5772
.sp
6109
5773
Default:
6110
\fI\fImangled names\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
5774
\fI\fImangled names\fR\fR\fI = \fR\fIyes\fR\fI \fR
6111
5775
.RE
6112
5776
6113
5777
mangle prefix (G)
6119
5783
mangle prefix is effective only when mangling method is hash2\&.
6120
5784
.sp
6121
5785
Default:
6122
\fI\fImangle prefix\fR\fR\fI = \fR\fI\FC1\F[]\fR\fI \fR
5786
\fI\fImangle prefix\fR\fR\fI = \fR\fI1\fR\fI \fR
6123
5787
.sp
6124
5788
Example:
6125
\fI\fImangle prefix\fR\fR\fI = \fR\fI\FC4\F[]\fR\fI \fR
5789
\fI\fImangle prefix\fR\fR\fI = \fR\fI4\fR\fI \fR
6126
5790
.RE
6127
5791
6128
5792
mangling char (S)
6135
5799
\m[blue]\fBname mangling\fR\m[]\&. The default is a \'~\' but this may interfere with some software\&. Use this option to set it to whatever you prefer\&. This is effective only when mangling method is hash\&.
6136
5800
.sp
6137
5801
Default:
6138
\fI\fImangling char\fR\fR\fI = \fR\fI\FC~\F[]\fR\fI \fR
5802
\fI\fImangling char\fR\fR\fI = \fR\fI~\fR\fI \fR
6139
5803
.sp
6140
5804
Example:
6141
\fI\fImangling char\fR\fR\fI = \fR\fI\FC^\F[]\fR\fI \fR
5805
\fI\fImangling char\fR\fR\fI = \fR\fI^\fR\fI \fR
6142
5806
.RE
6143
5807
6144
5808
mangling method (G)
6148
5812
controls the algorithm used for the generating the mangled names\&. Can take two different values, "hash" and "hash2"\&. "hash" is the algorithm that was used used in Samba for many years and was the default in Samba 2\&.2\&.x "hash2" is now the default and is newer and considered a better algorithm (generates less collisions) in the names\&. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications may break unless reinstalled\&.
6149
5813
.sp
6150
5814
Default:
6151
\fI\fImangling method\fR\fR\fI = \fR\fI\FChash2\F[]\fR\fI \fR
5815
\fI\fImangling method\fR\fR\fI = \fR\fIhash2\fR\fI \fR
6152
5816
.sp
6153
5817
Example:
6154
\fI\fImangling method\fR\fR\fI = \fR\fI\FChash\F[]\fR\fI \fR
5818
\fI\fImangling method\fR\fR\fI = \fR\fIhash\fR\fI \fR
6155
5819
.RE
6156
5820
6157
5821
map acl inherit (S)
6163
5827
will attempt to map the \'inherit\' and \'protected\' access control entry flags stored in Windows ACLs into an extended attribute called user\&.SAMBA_PAI\&. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and allows the Windows 2000 ACL editor to correctly use inheritance with the Samba POSIX ACL mapping code\&.
6164
5828
.sp
6165
5829
Default:
6166
\fI\fImap acl inherit\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
5830
\fI\fImap acl inherit\fR\fR\fI = \fR\fIno\fR\fI \fR
6167
5831
.RE
6168
5832
6169
5833
map archive (S)
6179
5843
for details\&.
6180
5844
.sp
6181
5845
Default:
6182
\fI\fImap archive\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
5846
\fI\fImap archive\fR\fR\fI = \fR\fIyes\fR\fI \fR
6183
5847
.RE
6184
5848
6185
5849
map hidden (S)
6261
5925
.sp
6262
5926
.RE
6263
5927
Default:
6264
\fI\fImap read only\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
5928
\fI\fImap read only\fR\fR\fI = \fR\fIyes\fR\fI \fR
6265
5929
.RE
6266
5930
6267
5931
map system (S)
6277
5941
for details\&.
6278
5942
.sp
6279
5943
Default:
6280
\fI\fImap system\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
5944
\fI\fImap system\fR\fR\fI = \fR\fIno\fR\fI \fR
6281
5945
.RE
6282
5946
6283
5947
map to guest (G)
6367
6031
value in local\&.h\&.
6368
6032
.sp
6369
6033
Default:
6370
\fI\fImap to guest\fR\fR\fI = \fR\fI\FCNever\F[]\fR\fI \fR
6034
\fI\fImap to guest\fR\fR\fI = \fR\fINever\fR\fI \fR
6371
6035
.sp
6372
6036
Example:
6373
\fI\fImap to guest\fR\fR\fI = \fR\fI\FCBad User\F[]\fR\fI \fR
6037
\fI\fImap to guest\fR\fR\fI = \fR\fIBad User\fR\fI \fR
6374
6038
.RE
6375
6039
6376
6040
map untrusted to domain (G)
6386
6050
smbd provides the legacy behavior of mapping untrusted domain names to the primary domain\&. When smbd is not acting as a domain member server, this parameter has no effect\&.
6387
6051
.sp
6388
6052
Default:
6389
\fI\fImap untrusted to domain\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
6053
\fI\fImap untrusted to domain\fR\fR\fI = \fR\fIno\fR\fI \fR
6390
6054
.RE
6391
6055
6392
6056
max connections (S)
6402
6066
option\&.
6403
6067
.sp
6404
6068
Default:
6405
\fI\fImax connections\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6069
\fI\fImax connections\fR\fR\fI = \fR\fI0\fR\fI \fR
6406
6070
.sp
6407
6071
Example:
6408
\fI\fImax connections\fR\fR\fI = \fR\fI\FC10\F[]\fR\fI \fR
6072
\fI\fImax connections\fR\fR\fI = \fR\fI10\fR\fI \fR
6409
6073
.RE
6410
6074
6411
6075
max disk size (G)
6424
6088
of 0 means no limit\&.
6425
6089
.sp
6426
6090
Default:
6427
\fI\fImax disk size\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6091
\fI\fImax disk size\fR\fR\fI = \fR\fI0\fR\fI \fR
6428
6092
.sp
6429
6093
Example:
6430
\fI\fImax disk size\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
6094
\fI\fImax disk size\fR\fR\fI = \fR\fI1000\fR\fI \fR
6431
6095
.RE
6432
6096
6433
6097
max log size (G)
6435
6099
.PP
6436
6100
.RS 4
6437
6101
This option (an integer in kilobytes) specifies the max size the log file should grow to\&. Samba periodically checks the size and if it is exceeded it will rename the file, adding a
6438
\FC\&.old\F[]
6102
\&.old
6439
6103
extension\&.
6440
6104
.sp
6441
6105
A size of 0 means no limit\&.
6442
6106
.sp
6443
6107
Default:
6444
\fI\fImax log size\fR\fR\fI = \fR\fI\FC5000\F[]\fR\fI \fR
6108
\fI\fImax log size\fR\fR\fI = \fR\fI5000\fR\fI \fR
6445
6109
.sp
6446
6110
Example:
6447
\fI\fImax log size\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
6111
\fI\fImax log size\fR\fR\fI = \fR\fI1000\fR\fI \fR
6448
6112
.RE
6449
6113
6450
6114
max mux (G)
6454
6118
This option controls the maximum number of outstanding simultaneous SMB operations that Samba tells the client it will allow\&. You should never need to set this parameter\&.
6455
6119
.sp
6456
6120
Default:
6457
\fI\fImax mux\fR\fR\fI = \fR\fI\FC50\F[]\fR\fI \fR
6121
\fI\fImax mux\fR\fR\fI = \fR\fI50\fR\fI \fR
6458
6122
.RE
6459
6123
6460
6124
max open files (G)
6468
6132
The limit of the number of open files is usually set by the UNIX per\-process file descriptor limit rather than this parameter so you should never need to touch this parameter\&.
6469
6133
.sp
6470
6134
Default:
6471
\fI\fImax open files\fR\fR\fI = \fR\fI\FC10000\F[]\fR\fI \fR
6135
\fI\fImax open files\fR\fR\fI = \fR\fI10000\fR\fI \fR
6472
6136
.RE
6473
6137
6474
6138
max print jobs (S)
6480
6144
will remote "Out of Space" to the client\&.
6481
6145
.sp
6482
6146
Default:
6483
\fI\fImax print jobs\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
6147
\fI\fImax print jobs\fR\fR\fI = \fR\fI1000\fR\fI \fR
6484
6148
.sp
6485
6149
Example:
6486
\fI\fImax print jobs\fR\fR\fI = \fR\fI\FC5000\F[]\fR\fI \fR
6150
\fI\fImax print jobs\fR\fR\fI = \fR\fI5000\fR\fI \fR
6487
6151
.RE
6488
6152
6489
6153
protocol
6562
6226
Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
6563
6227
.sp
6564
6228
Default:
6565
\fI\fImax protocol\fR\fR\fI = \fR\fI\FCNT1\F[]\fR\fI \fR
6229
\fI\fImax protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
6566
6230
.sp
6567
6231
Example:
6568
\fI\fImax protocol\fR\fR\fI = \fR\fI\FCLANMAN1\F[]\fR\fI \fR
6232
\fI\fImax protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
6569
6233
.RE
6570
6234
6571
6235
max reported print jobs (S)
6575
6239
This parameter limits the maximum number of jobs displayed in a port monitor for Samba printer queue at any given moment\&. If this number is exceeded, the excess jobs will not be shown\&. A value of zero means there is no limit on the number of print jobs reported\&.
6576
6240
.sp
6577
6241
Default:
6578
\fI\fImax reported print jobs\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6242
\fI\fImax reported print jobs\fR\fR\fI = \fR\fI0\fR\fI \fR
6579
6243
.sp
6580
6244
Example:
6581
\fI\fImax reported print jobs\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
6245
\fI\fImax reported print jobs\fR\fR\fI = \fR\fI1000\fR\fI \fR
6582
6246
.RE
6583
6247
6584
6248
max smbd processes (G)
6592
6256
associated with him or her to handle connections to all shares from a given host\&.
6593
6257
.sp
6594
6258
Default:
6595
\fI\fImax smbd processes\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6259
\fI\fImax smbd processes\fR\fR\fI = \fR\fI0\fR\fI \fR
6596
6260
.sp
6597
6261
Example:
6598
\fI\fImax smbd processes\fR\fR\fI = \fR\fI\FC1000\F[]\fR\fI \fR
6262
\fI\fImax smbd processes\fR\fR\fI = \fR\fI1000\fR\fI \fR
6599
6263
.RE
6600
6264
6601
6265
max stat cache size (G)
6607
6271
being used to speed up case insensitive name mappings\&. It represents the number of kilobyte (1024) units the stat cache can use\&. A value of zero, meaning unlimited, is not advisable due to increased memory useage\&. You should not need to change this parameter\&.
6608
6272
.sp
6609
6273
Default:
6610
\fI\fImax stat cache size\fR\fR\fI = \fR\fI\FC256\F[]\fR\fI \fR
6274
\fI\fImax stat cache size\fR\fR\fI = \fR\fI256\fR\fI \fR
6611
6275
.sp
6612
6276
Example:
6613
\fI\fImax stat cache size\fR\fR\fI = \fR\fI\FC100\F[]\fR\fI \fR
6277
\fI\fImax stat cache size\fR\fR\fI = \fR\fI100\fR\fI \fR
6614
6278
.RE
6615
6279
6616
6280
max ttl (G)
6620
6284
This option tells
6621
6285
\fBnmbd\fR(8)
6622
6286
what the default \'time to live\' of NetBIOS names should be (in seconds) when
6623
\FCnmbd\F[]
6287
nmbd
6624
6288
is requesting a name using either a broadcast packet or from a WINS server\&. You should never need to change this parameter\&. The default is 3 days\&.
6625
6289
.sp
6626
6290
Default:
6627
\fI\fImax ttl\fR\fR\fI = \fR\fI\FC259200\F[]\fR\fI \fR
6291
\fI\fImax ttl\fR\fR\fI = \fR\fI259200\fR\fI \fR
6628
6292
.RE
6629
6293
6630
6294
max wins ttl (G)
6634
6298
This option tells
6635
6299
\fBsmbd\fR(8)
6636
6300
when acting as a WINS server (\m[blue]\fBwins support = yes\fR\m[]) what the maximum \'time to live\' of NetBIOS names that
6637
\FCnmbd\F[]
6301
nmbd
6638
6302
will grant will be (in seconds)\&. You should never need to change this parameter\&. The default is 6 days (518400 seconds)\&.
6639
6303
.sp
6640
6304
Default:
6641
\fI\fImax wins ttl\fR\fR\fI = \fR\fI\FC518400\F[]\fR\fI \fR
6305
\fI\fImax wins ttl\fR\fR\fI = \fR\fI518400\fR\fI \fR
6642
6306
.RE
6643
6307
6644
6308
max xmit (G)
6648
6312
This option controls the maximum packet size that will be negotiated by Samba\&. The default is 16644, which matches the behavior of Windows 2000\&. A value below 2048 is likely to cause problems\&. You should never need to change this parameter from its default value\&.
6649
6313
.sp
6650
6314
Default:
6651
\fI\fImax xmit\fR\fR\fI = \fR\fI\FC16644\F[]\fR\fI \fR
6315
\fI\fImax xmit\fR\fR\fI = \fR\fI16644\fR\fI \fR
6652
6316
.sp
6653
6317
Example:
6654
\fI\fImax xmit\fR\fR\fI = \fR\fI\FC8192\F[]\fR\fI \fR
6318
\fI\fImax xmit\fR\fR\fI = \fR\fI8192\fR\fI \fR
6655
6319
.RE
6656
6320
6657
6321
message command (G)
6667
6331
.if n \{\
6668
6332
.RS 4
6669
6333
.\}
6670
.fam C
6671
.ps -1
6672
6334
.nf
6673
.if t \{\
6674
.sp -1
6675
.\}
6676
.BB lightgray adjust-for-leading-newline
6677
.sp -1
6678
6679
\FCmessage command = csh \-c \'xedit %s;rm %s\' &\F[]
6680
.EB lightgray adjust-for-leading-newline
6681
.if t \{\
6682
.sp 1
6683
.\}
6335
message command = csh \-c \'xedit %s;rm %s\' &
6684
6336
.fi
6685
.fam
6686
.ps +1
6687
6337
.if n \{\
6688
6338
.RE
6689
6339
.\}
6690
6340
.sp
6691
6341
This delivers the message using
6692
\FCxedit\F[], then removes it afterwards\&.
6342
xedit, then removes it afterwards\&.
6693
6343
\fINOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY\fR\&. That\'s why I have the \'&\' on the end\&. If it doesn\'t return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully)\&.
6694
6344
.sp
6695
6345
All messages are delivered as the global guest user\&. The command takes the standard substitutions, although
6742
6392
.if n \{\
6743
6393
.RS 4
6744
6394
.\}
6745
.fam C
6746
.ps -1
6747
6395
.nf
6748
.if t \{\
6749
.sp -1
6750
.\}
6751
.BB lightgray adjust-for-leading-newline
6752
.sp -1
6753
6754
\FCmessage command = /bin/mail \-s \'message from %f on %m\' root < %s; rm %s\F[]
6755
.EB lightgray adjust-for-leading-newline
6756
.if t \{\
6757
.sp 1
6758
.\}
6396
message command = /bin/mail \-s \'message from %f on %m\' root < %s; rm %s
6759
6397
.fi
6760
.fam
6761
.ps +1
6762
6398
.if n \{\
6763
6399
.RE
6764
6400
.\}
6770
6406
.if n \{\
6771
6407
.RS 4
6772
6408
.\}
6773
.fam C
6774
.ps -1
6775
6409
.nf
6776
.if t \{\
6777
.sp -1
6778
.\}
6779
.BB lightgray adjust-for-leading-newline
6780
.sp -1
6781
6782
\FCmessage command = rm %s\F[]
6783
.EB lightgray adjust-for-leading-newline
6784
.if t \{\
6785
.sp 1
6786
.\}
6410
message command = rm %s
6787
6411
.fi
6788
.fam
6789
.ps +1
6790
6412
.if n \{\
6791
6413
.RE
6792
6414
.\}
6793
6415
.sp
6794
6416
Default:
6795
\fI\fImessage command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
6417
\fI\fImessage command\fR\fR\fI = \fR\fI\fR\fI \fR
6796
6418
.sp
6797
6419
Example:
6798
\fI\fImessage command\fR\fR\fI = \fR\fI\FCcsh \-c \'xedit %s; rm %s\' &\F[]\fR\fI \fR
6420
\fI\fImessage command\fR\fR\fI = \fR\fIcsh \-c \'xedit %s; rm %s\' &\fR\fI \fR
6799
6421
.RE
6800
6422
6801
6423
min print space (S)
6805
6427
This sets the minimum amount of free disk space that must be available before a user will be able to spool a print job\&. It is specified in kilobytes\&. The default is 0, which means a user can always spool a print job\&.
6806
6428
.sp
6807
6429
Default:
6808
\fI\fImin print space\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6430
\fI\fImin print space\fR\fR\fI = \fR\fI0\fR\fI \fR
6809
6431
.sp
6810
6432
Example:
6811
\fI\fImin print space\fR\fR\fI = \fR\fI\FC2000\F[]\fR\fI \fR
6433
\fI\fImin print space\fR\fR\fI = \fR\fI2000\fR\fI \fR
6812
6434
.RE
6813
6435
6814
6436
min protocol (G)
6818
6440
The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support\&. Please refer to the
6819
6441
\m[blue]\fBmax protocol\fR\m[]
6820
6442
parameter for a list of valid protocol names and a brief description of each\&. You may also wish to refer to the C source code in
6821
\FCsource/smbd/negprot\&.c\F[]
6443
source/smbd/negprot\&.c
6822
6444
for a listing of known protocol dialects supported by clients\&.
6823
6445
.sp
6824
6446
If you are viewing this parameter as a security measure, you should also refer to the
6826
6448
parameter\&. Otherwise, you should never need to change this parameter\&.
6827
6449
.sp
6828
6450
Default:
6829
\fI\fImin protocol\fR\fR\fI = \fR\fI\FCCORE\F[]\fR\fI \fR
6451
\fI\fImin protocol\fR\fR\fI = \fR\fICORE\fR\fI \fR
6830
6452
.sp
6831
6453
Example:
6832
\fI\fImin protocol\fR\fR\fI = \fR\fI\FCNT1\F[]\fR\fI \fR
6454
\fI\fImin protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
6833
6455
.RE
6834
6456
6835
6457
min receivefile size (G)
6845
6467
The default is zero, which diables this option\&.
6846
6468
.sp
6847
6469
Default:
6848
\fI\fImin receivefile size\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6470
\fI\fImin receivefile size\fR\fR\fI = \fR\fI0\fR\fI \fR
6849
6471
.RE
6850
6472
6851
6473
min wins ttl (G)
6855
6477
This option tells
6856
6478
\fBnmbd\fR(8)
6857
6479
when acting as a WINS server (\m[blue]\fBwins support = yes\fR\m[]) what the minimum \'time to live\' of NetBIOS names that
6858
\FCnmbd\F[]
6480
nmbd
6859
6481
will grant will be (in seconds)\&. You should never need to change this parameter\&. The default is 6 hours (21600 seconds)\&.
6860
6482
.sp
6861
6483
Default:
6862
\fI\fImin wins ttl\fR\fR\fI = \fR\fI\FC21600\F[]\fR\fI \fR
6484
\fI\fImin wins ttl\fR\fR\fI = \fR\fI21600\fR\fI \fR
6863
6485
.RE
6864
6486
6865
6487
msdfs proxy (S)
6877
6499
\fINo default\fR
6878
6500
.sp
6879
6501
Example:
6880
\fI\fImsdfs proxy\fR\fR\fI = \fR\fI\FC\eotherserver\esomeshare\F[]\fR\fI \fR
6502
\fI\fImsdfs proxy\fR\fR\fI = \fR\fI\eotherserver\esomeshare\fR\fI \fR
6881
6503
.RE
6882
6504
6883
6505
msdfs root (S)
6886
6508
.RS 4
6887
6509
If set to
6888
6510
\fByes\fR, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory\&. Dfs links are specified in the share directory by symbolic links of the form
6889
\FCmsdfs:serverA\e\eshareA,serverB\e\eshareB\F[]
6511
msdfs:serverA\e\eshareA,serverB\e\eshareB
6890
6512
and so on\&. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the Samba3\-HOWTO book\&.
6891
6513
.sp
6892
6514
Default:
6893
\fI\fImsdfs root\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
6515
\fI\fImsdfs root\fR\fR\fI = \fR\fIno\fR\fI \fR
6894
6516
.RE
6895
6517
6896
6518
name cache timeout (G)
6900
6522
Specifies the number of seconds it takes before entries in samba\'s hostname resolve cache time out\&. If the timeout is set to 0\&. the caching is disabled\&.
6901
6523
.sp
6902
6524
Default:
6903
\fI\fIname cache timeout\fR\fR\fI = \fR\fI\FC660\F[]\fR\fI \fR
6525
\fI\fIname cache timeout\fR\fR\fI = \fR\fI660\fR\fI \fR
6904
6526
.sp
6905
6527
Example:
6906
\fI\fIname cache timeout\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6528
\fI\fIname cache timeout\fR\fR\fI = \fR\fI0\fR\fI \fR
6907
6529
.RE
6908
6530
6909
6531
name resolve order (G)
6938
6560
6939
6561
\fBhost\fR
6940
6562
: Do a standard host name to IP address resolution, using the system
6941
\FC/etc/hosts \F[], NIS, or DNS lookups\&. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the
6942
\FC/etc/nsswitch\&.conf\F[]
6563
/etc/hosts, NIS, or DNS lookups\&. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the
6564
/etc/nsswitch\&.conf
6943
6565
file\&. Note that this method is used only if the NetBIOS name type being queried is the 0x20 (server) name type or 0x1c (domain controllers)\&. The latter case is only useful for active directory domains and results in a DNS query for the SRV RR entry matching _ldap\&._tcp\&.domain\&.
6944
6566
.RE
6945
6567
.sp
6973
6595
.RE
6974
6596
The example below will cause the local lmhosts file to be examined first, followed by a broadcast attempt, followed by a normal system hostname lookup\&.
6975
6597
.sp
6976
When Samba is functioning in ADS security mode (\FCsecurity = ads\F[]) it is advised to use following settings for
6598
When Samba is functioning in ADS security mode (security = ads) it is advised to use following settings for
6977
6599
\fIname resolve order\fR:
6978
6600
.sp
6979
\FCname resolve order = wins bcast\F[]
6601
name resolve order = wins bcast
6980
6602
.sp
6981
6603
DC lookups will still be done via DNS, but fallbacks to netbios names will not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups\&.
6982
6604
.sp
6983
6605
Default:
6984
\fI\fIname resolve order\fR\fR\fI = \fR\fI\FClmhosts host wins bcast\F[]\fR\fI \fR
6606
\fI\fIname resolve order\fR\fR\fI = \fR\fIlmhosts host wins bcast\fR\fI \fR
6985
6607
.sp
6986
6608
Example:
6987
\fI\fIname resolve order\fR\fR\fI = \fR\fI\FClmhosts bcast host\F[]\fR\fI \fR
6609
\fI\fIname resolve order\fR\fR\fI = \fR\fIlmhosts bcast host\fR\fI \fR
6988
6610
.RE
6989
6611
6990
6612
netbios aliases (G)
6994
6616
This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known\&. This allows one machine to appear in browse lists under multiple names\&. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities\&.
6995
6617
.sp
6996
6618
Default:
6997
\fI\fInetbios aliases\fR\fR\fI = \fR\fI\FC # empty string (no additional names)\F[]\fR\fI \fR
6619
\fI\fInetbios aliases\fR\fR\fI = \fR\fI # empty string (no additional names)\fR\fI \fR
6998
6620
.sp
6999
6621
Example:
7000
\fI\fInetbios aliases\fR\fR\fI = \fR\fI\FCTEST TEST1 TEST2\F[]\fR\fI \fR
6622
\fI\fInetbios aliases\fR\fR\fI = \fR\fITEST TEST1 TEST2\fR\fI \fR
7001
6623
.RE
7002
6624
7003
6625
netbios name (G)
7007
6629
This sets the NetBIOS name by which a Samba server is known\&. By default it is the same as the first component of the host\'s DNS name\&. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under\&.
7008
6630
.sp
7009
6631
There is a bug in Samba\-3 that breaks operation of browsing and access to shares if the netbios name is set to the literal name
7010
\FCPIPE\F[]\&. To avoid this problem, do not name your Samba\-3 server
7011
\FCPIPE\F[]\&.
6632
PIPE\&. To avoid this problem, do not name your Samba\-3 server
6633
PIPE\&.
7012
6634
.sp
7013
6635
Default:
7014
\fI\fInetbios name\fR\fR\fI = \fR\fI\FC # machine DNS name\F[]\fR\fI \fR
6636
\fI\fInetbios name\fR\fR\fI = \fR\fI # machine DNS name\fR\fI \fR
7015
6637
.sp
7016
6638
Example:
7017
\fI\fInetbios name\fR\fR\fI = \fR\fI\FCMYNAME\F[]\fR\fI \fR
6639
\fI\fInetbios name\fR\fR\fI = \fR\fIMYNAME\fR\fI \fR
7018
6640
.RE
7019
6641
7020
6642
netbios scope (G)
7024
6646
This sets the NetBIOS scope that Samba will operate under\&. This should not be set unless every machine on your LAN also sets this value\&.
7025
6647
.sp
7026
6648
Default:
7027
\fI\fInetbios scope\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
6649
\fI\fInetbios scope\fR\fR\fI = \fR\fI\fR\fI \fR
7028
6650
.RE
7029
6651
7030
6652
nis homedir (G)
7042
6664
Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a logon server\&.
7043
6665
.sp
7044
6666
Default:
7045
\fI\fInis homedir\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
6667
\fI\fInis homedir\fR\fR\fI = \fR\fIno\fR\fI \fR
7046
6668
.RE
7047
6669
7048
6670
nt acl support (S)
7054
6676
will attempt to map UNIX permissions into Windows NT access control lists\&. The UNIX permissions considered are the the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories\&. This parameter was formally a global parameter in releases prior to 2\&.2\&.2\&.
7055
6677
.sp
7056
6678
Default:
7057
\fI\fInt acl support\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
6679
\fI\fInt acl support\fR\fR\fI = \fR\fIyes\fR\fI \fR
7058
6680
.RE
7059
6681
7060
6682
ntlm auth (G)
7066
6688
will attempt to authenticate users using the NTLM encrypted password response\&. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client\&.
7067
6689
.sp
7068
6690
If this option, and
7069
\FClanman auth\F[]
6691
lanman auth
7070
6692
are both disabled, then only NTLMv2 logins will be permited\&. Not all clients support NTLMv2, and most will require special configuration to use it\&.
7071
6693
.sp
7072
6694
Default:
7073
\fI\fIntlm auth\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
6695
\fI\fIntlm auth\fR\fR\fI = \fR\fIyes\fR\fI \fR
7074
6696
.RE
7075
6697
7076
6698
nt pipe support (G)
7084
6706
pipes\&. This is a developer debugging option and can be left alone\&.
7085
6707
.sp
7086
6708
Default:
7087
\fI\fInt pipe support\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
6709
\fI\fInt pipe support\fR\fR\fI = \fR\fIyes\fR\fI \fR
7088
6710
.RE
7089
6711
7090
6712
nt status support (G)
7100
6722
You should not need to ever disable this parameter\&.
7101
6723
.sp
7102
6724
Default:
7103
\fI\fInt status support\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
6725
\fI\fInt status support\fR\fR\fI = \fR\fIyes\fR\fI \fR
7104
6726
.RE
7105
6727
7106
6728
null passwords (G)
7113
6735
\fBsmbpasswd\fR(5)\&.
7114
6736
.sp
7115
6737
Default:
7116
\fI\fInull passwords\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
6738
\fI\fInull passwords\fR\fR\fI = \fR\fIno\fR\fI \fR
7117
6739
.RE
7118
6740
7119
6741
obey pam restrictions (G)
7124
6746
\m[blue]\fBencrypt passwords = yes\fR\m[]\&. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption\&.
7125
6747
.sp
7126
6748
Default:
7127
\fI\fIobey pam restrictions\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
6749
\fI\fIobey pam restrictions\fR\fR\fI = \fR\fIno\fR\fI \fR
7128
6750
.RE
7129
6751
7130
6752
only user (S)
7140
6762
level security\&.
7141
6763
.sp
7142
6764
Note that this also means Samba won\'t try to deduce usernames from the service name\&. This can be annoying for the [homes] section\&. To get around this you could use
7143
\FCuser = %S\F[]
6765
user = %S
7144
6766
which means your
7145
6767
\fIuser\fR
7146
6768
list will be just the service name, which for home directories is the name of the user\&.
7147
6769
.sp
7148
6770
Default:
7149
\fI\fIonly user\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
6771
\fI\fIonly user\fR\fR\fI = \fR\fIno\fR\fI \fR
7150
6772
.RE
7151
6773
7152
6774
oplock break wait time (G)
7158
6780
.sp
7159
6781
.\}
7160
6782
.RS 4
7161
.BM yellow
7162
6783
.it 1 an-trap
7163
6784
.nr an-no-space-flag 1
7164
6785
.nr an-break-flag 1
7169
6790
.br
7170
6791
DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE\&.
7171
6792
.sp .5v
7172
.EM yellow
7173
6793
.RE
7174
6794
Default:
7175
\fI\fIoplock break wait time\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
6795
\fI\fIoplock break wait time\fR\fR\fI = \fR\fI0\fR\fI \fR
7176
6796
.RE
7177
6797
7178
6798
oplock contention limit (S)
7187
6807
.sp
7188
6808
In brief it specifies a number, which causes
7189
6809
\fBsmbd\fR(8)not to grant an oplock even when requested if the approximate number of clients contending for an oplock on the same file goes over this limit\&. This causes
7190
\FCsmbd\F[]
6810
smbd
7191
6811
to behave in a similar way to Windows NT\&.
7192
6812
.if n \{\
7193
6813
.sp
7194
6814
.\}
7195
6815
.RS 4
7196
.BM yellow
7197
6816
.it 1 an-trap
7198
6817
.nr an-no-space-flag 1
7199
6818
.nr an-break-flag 1
7204
6823
.br
7205
6824
DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE\&.
7206
6825
.sp .5v
7207
.EM yellow
7208
6826
.RE
7209
6827
Default:
7210
\fI\fIoplock contention limit\fR\fR\fI = \fR\fI\FC2\F[]\fR\fI \fR
6828
\fI\fIoplock contention limit\fR\fR\fI = \fR\fI2\fR\fI \fR
7211
6829
.RE
7212
6830
7213
6831
oplocks (S)
7215
6833
.PP
7216
6834
.RS 4
7217
6835
This boolean option tells
7218
\FCsmbd\F[]
7219
whether to issue oplocks (opportunistic locks) to file open requests on this share\&. The oplock code can dramatically (approx\&. 30% or more) improve the speed of access to files on Samba servers\&. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers)\&. For more information see the file
7220
\FCSpeed\&.txt\F[]
7221
in the Samba
7222
\FCdocs/\F[]
7223
directory\&.
6836
smbd
6837
whether to issue oplocks (opportunistic locks) to file open requests on this share\&. The oplock code can dramatically (approx\&. 30% or more) improve the speed of access to files on Samba servers\&. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers)\&.
7224
6838
.sp
7225
6839
Oplocks may be selectively turned off on certain files with a share\&. See the
7226
6840
\m[blue]\fBveto oplock files\fR\m[]
7229
6843
parameter for details\&.
7230
6844
.sp
7231
6845
Default:
7232
\fI\fIoplocks\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
6846
\fI\fIoplocks\fR\fR\fI = \fR\fIyes\fR\fI \fR
7233
6847
.RE
7234
6848
7235
6849
os2 driver map (G)
7241
6855
<nt driver name> = <os2 driver name>\&.<device name>
7242
6856
.sp
7243
6857
For example, a valid entry using the HP LaserJet 5 printer driver would appear as
7244
\FCHP LaserJet 5L = LASERJET\&.HP LaserJet 5L\F[]\&.
6858
HP LaserJet 5L = LASERJET\&.HP LaserJet 5L\&.
7245
6859
.sp
7246
6860
The need for the file is due to the printer driver namespace problem described in the chapter on Classical Printing in the Samba3\-HOWTO book\&. For more details on OS/2 clients, please refer to chapter on other clients in the Samba3\-HOWTO book\&.
7247
6861
.sp
7248
6862
Default:
7249
\fI\fIos2 driver map\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
6863
\fI\fIos2 driver map\fR\fR\fI = \fR\fI\fR\fI \fR
7250
6864
.RE
7251
6865
7252
6866
os level (G)
7265
6879
The maximum value for this parameter is 255\&. If you use higher values, counting will start at 0!
7266
6880
.sp
7267
6881
Default:
7268
\fI\fIos level\fR\fR\fI = \fR\fI\FC20\F[]\fR\fI \fR
6882
\fI\fIos level\fR\fR\fI = \fR\fI20\fR\fI \fR
7269
6883
.sp
7270
6884
Example:
7271
\fI\fIos level\fR\fR\fI = \fR\fI\FC65\F[]\fR\fI \fR
6885
\fI\fIos level\fR\fR\fI = \fR\fI65\fR\fI \fR
7272
6886
.RE
7273
6887
7274
6888
pam password change (G)
7281
6895
parameter for most setups\&.
7282
6896
.sp
7283
6897
Default:
7284
\fI\fIpam password change\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
6898
\fI\fIpam password change\fR\fR\fI = \fR\fIno\fR\fI \fR
7285
6899
.RE
7286
6900
7287
6901
panic action (G)
7295
6909
crashes\&. This is usually used to draw attention to the fact that a problem occurred\&.
7296
6910
.sp
7297
6911
Default:
7298
\fI\fIpanic action\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
6912
\fI\fIpanic action\fR\fR\fI = \fR\fI\fR\fI \fR
7299
6913
.sp
7300
6914
Example:
7301
\fI\fIpanic action\fR\fR\fI = \fR\fI\FC"/bin/sleep 90000"\F[]\fR\fI \fR
6915
\fI\fIpanic action\fR\fR\fI = \fR\fI"/bin/sleep 90000"\fR\fI \fR
7302
6916
.RE
7303
6917
7304
6918
paranoid server security (G)
7310
6924
Disabling this option prevents Samba from making this check, which involves deliberatly attempting a bad logon to the remote server\&.
7311
6925
.sp
7312
6926
Default:
7313
\fI\fIparanoid server security\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
6927
\fI\fIparanoid server security\fR\fR\fI = \fR\fIyes\fR\fI \fR
7314
6928
.RE
7315
6929
7316
6930
passdb backend (G)
7331
6945
.sp -1
7332
6946
.IP \(bu 2.3
7333
6947
.\}
7334
\FCsmbpasswd\F[]
6948
smbpasswd
7335
6949
\- The old plaintext passdb backend\&. Some Samba features will not work if this passdb backend is used\&. Takes a path to the smbpasswd file as an optional argument\&.
7336
6950
.RE
7337
6951
.sp
7343
6957
.sp -1
7344
6958
.IP \(bu 2.3
7345
6959
.\}
7346
\FCtdbsam\F[]
6960
tdbsam
7347
6961
\- The TDB based password storage backend\&. Takes a path to the TDB as an optional argument (defaults to passdb\&.tdb in the
7348
6962
\m[blue]\fBprivate dir\fR\m[]
7349
6963
directory\&.
7357
6971
.sp -1
7358
6972
.IP \(bu 2.3
7359
6973
.\}
7360
\FCldapsam\F[]
6974
ldapsam
7361
6975
\- The LDAP based passdb backend\&. Takes an LDAP URL as an optional argument (defaults to
7362
\FCldap://localhost\F[])
6976
ldap://localhost)
7363
6977
.sp
7364
6978
LDAP connections should be secured where possible\&. This may be done using either Start\-TLS (see
7365
6979
\m[blue]\fBldap ssl\fR\m[]) or by specifying
7375
6989
.if n \{\
7376
6990
.RS 4
7377
6991
.\}
7378
.fam C
7379
.ps -1
7380
6992
.nf
7381
.if t \{\
7382
.sp -1
7383
.\}
7384
.BB lightgray adjust-for-leading-newline
7385
.sp -1
7386
7387
6993
passdb backend = tdbsam:/etc/samba/private/passdb\&.tdb
7388
6994
7389
6995
or multi server LDAP URL with OpenLDAP library:
7393
6999
or multi server LDAP URL with Netscape based LDAP library:
7394
7000
7395
7001
passdb backend = ldapsam:"ldap://ldap\-1\&.example\&.com ldap\-2\&.example\&.com"
7396
.EB lightgray adjust-for-leading-newline
7397
.if t \{\
7398
.sp 1
7399
.\}
7400
7002
.fi
7401
.fam
7402
.ps +1
7403
7003
.if n \{\
7404
7004
.RE
7405
7005
.\}
7406
7006
.sp
7407
7007
Default:
7408
\fI\fIpassdb backend\fR\fR\fI = \fR\fI\FCtdbsam\F[]\fR\fI \fR
7008
\fI\fIpassdb backend\fR\fR\fI = \fR\fItdbsam\fR\fI \fR
7409
7009
.RE
7410
7010
7411
7011
passdb expand explicit (G)
7415
7015
This parameter controls whether Samba substitutes %\-macros in the passdb fields if they are explicitly set\&. We used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable %G_osver% in which %G would have been substituted by the user\'s primary group\&.
7416
7016
.sp
7417
7017
Default:
7418
\fI\fIpassdb expand explicit\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
7018
\fI\fIpassdb expand explicit\fR\fR\fI = \fR\fIno\fR\fI \fR
7419
7019
.RE
7420
7020
7421
7021
passwd chat debug (G)
7429
7029
log with a
7430
7030
\m[blue]\fBdebug level\fR\m[]
7431
7031
of 100\&. This is a dangerous option as it will allow plaintext passwords to be seen in the
7432
\FCsmbd\F[]
7032
smbd
7433
7033
log\&. It is available to help Samba admins debug their
7434
7034
\fIpasswd chat\fR
7435
7035
scripts when calling the
7439
7039
parameter is set\&. This parameter is off by default\&.
7440
7040
.sp
7441
7041
Default:
7442
\fI\fIpasswd chat debug\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
7042
\fI\fIpasswd chat debug\fR\fR\fI = \fR\fIno\fR\fI \fR
7443
7043
.RE
7444
7044
7445
7045
passwd chat timeout (G)
7449
7049
This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run\&. Once the initial answer is received the subsequent answers must be received in one tenth of this time\&. The default it two seconds\&.
7450
7050
.sp
7451
7051
Default:
7452
\fI\fIpasswd chat timeout\fR\fR\fI = \fR\fI\FC2\F[]\fR\fI \fR
7052
\fI\fIpasswd chat timeout\fR\fR\fI = \fR\fI2\fR\fI \fR
7453
7053
.RE
7454
7054
7455
7055
passwd chat (G)
7491
7091
\fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output\&. The \en macro is ignored for PAM conversions\&.
7492
7092
.sp
7493
7093
Default:
7494
\fI\fIpasswd chat\fR\fR\fI = \fR\fI\FC*new*password* %n\en*new*password* %n\en *changed*\F[]\fR\fI \fR
7094
\fI\fIpasswd chat\fR\fR\fI = \fR\fI*new*password* %n\en*new*password* %n\en *changed*\fR\fI \fR
7495
7095
.sp
7496
7096
Example:
7497
\fI\fIpasswd chat\fR\fR\fI = \fR\fI\FC"*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"\F[]\fR\fI \fR
7097
\fI\fIpasswd chat\fR\fR\fI = \fR\fI"*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"\fR\fI \fR
7498
7098
.RE
7499
7099
7500
7100
passwd program (G)
7517
7117
then this program is called
7518
7118
\fIAS ROOT\fR
7519
7119
before the SMB password in the smbpasswd file is changed\&. If this UNIX password change fails, then
7520
\FCsmbd\F[]
7120
smbd
7521
7121
will fail to change the SMB password also (this is by design)\&.
7522
7122
.sp
7523
7123
If the
7532
7132
\fBno\fR\&.
7533
7133
.sp
7534
7134
Default:
7535
\fI\fIpasswd program\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7135
\fI\fIpasswd program\fR\fR\fI = \fR\fI\fR\fI \fR
7536
7136
.sp
7537
7137
Example:
7538
\fI\fIpasswd program\fR\fR\fI = \fR\fI\FC/bin/passwd %u\F[]\fR\fI \fR
7138
\fI\fIpasswd program\fR\fR\fI = \fR\fI/bin/passwd %u\fR\fI \fR
7539
7139
.RE
7540
7140
7541
7141
password level (G)
7568
7168
\m[blue]\fBencrypt passwords = No\fR\m[]\&.
7569
7169
.sp
7570
7170
Default:
7571
\fI\fIpassword level\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
7171
\fI\fIpassword level\fR\fR\fI = \fR\fI0\fR\fI \fR
7572
7172
.sp
7573
7173
Example:
7574
\fI\fIpassword level\fR\fR\fI = \fR\fI\FC4\F[]\fR\fI \fR
7174
\fI\fIpassword level\fR\fR\fI = \fR\fI4\fR\fI \fR
7575
7175
.RE
7576
7176
7577
7177
password server (G)
7579
7179
.PP
7580
7180
.RS 4
7581
7181
By specifying the name of another SMB server or Active Directory domain controller with this option, and using
7582
\FCsecurity = [ads|domain|server]\F[]
7182
security = [ads|domain|server]
7583
7183
it is possible to get Samba to do all its username/password validation using a specific remote server\&.
7584
7184
.sp
7585
7185
This option sets the name or IP address of the password server to use\&. New syntax has been added to support defining the port to use when connecting to the server the case of an ADS realm\&. To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e\&.g\&. 192\&.168\&.1\&.100:389)\&. If you do not specify a port, Samba will use the standard LDAP port of tcp/389\&. Note that port numbers have no effect on password servers for Windows NT 4\&.0 domains or netbios connections\&.
7593
7193
.sp
7594
7194
.\}
7595
7195
.RS 4
7596
.BM yellow
7597
7196
.it 1 an-trap
7598
7197
.nr an-no-space-flag 1
7599
7198
.nr an-break-flag 1
7605
7204
Using a password server means your UNIX box (running Samba) is only as secure as your password server\&.
7606
7205
\fIDO NOT CHOOSE A PASSWORD SERVER THAT YOU DON\'T COMPLETELY TRUST\fR\&.
7607
7206
.sp .5v
7608
.EM yellow
7609
7207
.RE
7610
7208
Never point a Samba server at itself for password serving\&. This will cause a loop and could lock up your Samba server!
7611
7209
.sp
7618
7216
\fBdomain\fR
7619
7217
or
7620
7218
\fBads\fR, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character \'*\', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on\&. The advantage of using
7621
\FC security = domain\F[]
7219
security = domain
7622
7220
is that if you list several hosts in the
7623
7221
\fIpassword server\fR
7624
7222
option then
7625
\FCsmbd \F[]
7223
smbd
7626
7224
will try each in turn till it finds one that responds\&. This is useful in case your primary server goes down\&.
7627
7225
.sp
7628
7226
If the
7637
7235
\fIsecurity\fR
7638
7236
parameter is set to
7639
7237
\fBserver\fR, then there are different restrictions that
7640
\FCsecurity = domain\F[]
7238
security = domain
7641
7239
doesn\'t suffer from:
7642
7240
.sp
7643
7241
.RS 4
7651
7249
You may list several password servers in the
7652
7250
\fIpassword server\fR
7653
7251
parameter, however if an
7654
\FCsmbd\F[]
7252
smbd
7655
7253
makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this
7656
\FCsmbd\F[]\&. This is a restriction of the SMB/CIFS protocol when in
7657
\FCsecurity = server \F[]
7254
smbd\&. This is a restriction of the SMB/CIFS protocol when in
7255
security = server
7658
7256
mode and cannot be fixed in Samba\&.
7659
7257
.RE
7660
7258
.sp
7667
7265
.IP \(bu 2.3
7668
7266
.\}
7669
7267
If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in
7670
\FC security = server\F[]
7268
security = server
7671
7269
mode the network logon will appear to come from there rather than from the users workstation\&.
7672
7270
.sp
7673
7271
.RE
7674
7272
Default:
7675
\fI\fIpassword server\fR\fR\fI = \fR\fI\FC*\F[]\fR\fI \fR
7676
.sp
7677
Example:
7678
\fI\fIpassword server\fR\fR\fI = \fR\fI\FCNT\-PDC, NT\-BDC1, NT\-BDC2, *\F[]\fR\fI \fR
7679
.sp
7680
Example:
7681
\fI\fIpassword server\fR\fR\fI = \fR\fI\FCwindc\&.mydomain\&.com:389 192\&.168\&.1\&.101 *\F[]\fR\fI \fR
7273
\fI\fIpassword server\fR\fR\fI = \fR\fI*\fR\fI \fR
7274
.sp
7275
Example:
7276
\fI\fIpassword server\fR\fR\fI = \fR\fINT\-PDC, NT\-BDC1, NT\-BDC2, *\fR\fI \fR
7277
.sp
7278
Example:
7279
\fI\fIpassword server\fR\fR\fI = \fR\fIwindc\&.mydomain\&.com:389 192\&.168\&.1\&.101 *\fR\fI \fR
7682
7280
.RE
7683
7281
7684
7282
directory
7708
7306
if one was specified\&.
7709
7307
.sp
7710
7308
Default:
7711
\fI\fIpath\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7309
\fI\fIpath\fR\fR\fI = \fR\fI\fR\fI \fR
7712
7310
.sp
7713
7311
Example:
7714
\fI\fIpath\fR\fR\fI = \fR\fI\FC/home/fred\F[]\fR\fI \fR
7312
\fI\fIpath\fR\fR\fI = \fR\fI/home/fred\fR\fI \fR
7715
7313
.RE
7716
7314
7717
7315
perfcount module (G)
7730
7328
This option specifies the directory where pid files will be placed\&.
7731
7329
.sp
7732
7330
Default:
7733
\fI\fIpid directory\fR\fR\fI = \fR\fI\FC${prefix}/var/locks\F[]\fR\fI \fR
7331
\fI\fIpid directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
7734
7332
.sp
7735
7333
Example:
7736
\fI\fIpid directory\fR\fR\fI = \fR\fI\FCpid directory = /var/run/\F[]\fR\fI \fR
7334
\fI\fIpid directory\fR\fR\fI = \fR\fIpid directory = /var/run/\fR\fI \fR
7737
7335
.RE
7738
7336
7739
7337
posix locking (S)
7745
7343
daemon maintains an database of file locks obtained by SMB clients\&. The default behavior is to map this internal database to POSIX locks\&. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non\-SMB method (e\&.g\&. NFS or local file access)\&. You should never need to disable this parameter\&.
7746
7344
.sp
7747
7345
Default:
7748
\fI\fIposix locking\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
7346
\fI\fIposix locking\fR\fR\fI = \fR\fIyes\fR\fI \fR
7749
7347
.RE
7750
7348
7751
7349
postexec (S)
7756
7354
.sp
7757
7355
An interesting example may be to unmount server resources:
7758
7356
.sp
7759
\FCpostexec = /etc/umount /cdrom\F[]
7357
postexec = /etc/umount /cdrom
7760
7358
.sp
7761
7359
Default:
7762
\fI\fIpostexec\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7360
\fI\fIpostexec\fR\fR\fI = \fR\fI\fR\fI \fR
7763
7361
.sp
7764
7362
Example:
7765
\fI\fIpostexec\fR\fR\fI = \fR\fI\FCecho \e"%u disconnected from %S from %m (%I)\e" >> /tmp/log\F[]\fR\fI \fR
7363
\fI\fIpostexec\fR\fR\fI = \fR\fIecho \e"%u disconnected from %S from %m (%I)\e" >> /tmp/log\fR\fI \fR
7766
7364
.RE
7767
7365
7768
7366
preexec close (S)
7774
7372
should close the service being connected to\&.
7775
7373
.sp
7776
7374
Default:
7777
\fI\fIpreexec close\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
7375
\fI\fIpreexec close\fR\fR\fI = \fR\fIno\fR\fI \fR
7778
7376
.RE
7779
7377
7780
7378
exec
7794
7392
An interesting example is to send the users a welcome message every time they log in\&. Maybe a message of the day? Here is an example:
7795
7393
.sp
7796
7394
7797
\FCpreexec = csh \-c \'echo \e"Welcome to %S!\e" | /usr/local/samba/bin/smbclient \-M %m \-I %I\' & \F[]
7395
preexec = csh \-c \'echo \e"Welcome to %S!\e" | /usr/local/samba/bin/smbclient \-M %m \-I %I\' &
7798
7396
.sp
7799
7397
Of course, this could get annoying after a while :\-)
7800
7398
.sp
7804
7402
\m[blue]\fBpostexec\fR\m[]\&.
7805
7403
.sp
7806
7404
Default:
7807
\fI\fIpreexec\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7405
\fI\fIpreexec\fR\fR\fI = \fR\fI\fR\fI \fR
7808
7406
.sp
7809
7407
Example:
7810
\fI\fIpreexec\fR\fR\fI = \fR\fI\FCecho \e"%u connected to %S from %m (%I)\e" >> /tmp/log\F[]\fR\fI \fR
7408
\fI\fIpreexec\fR\fR\fI = \fR\fIecho \e"%u connected to %S from %m (%I)\e" >> /tmp/log\fR\fI \fR
7811
7409
.RE
7812
7410
7813
7411
prefered master
7828
7426
.sp
7829
7427
If this is set to
7830
7428
\fByes\fR, on startup,
7831
\FCnmbd\F[]
7429
nmbd
7832
7430
will force an election, and it will have a slight advantage in winning the election\&. It is recommended that this parameter is used in conjunction with
7833
7431
\m[blue]\fBdomain master = yes\fR\m[], so that
7834
\FCnmbd\F[]
7432
nmbd
7835
7433
can guarantee becoming a domain master\&.
7836
7434
.sp
7837
7435
Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser\&. This will result in unnecessary broadcast traffic and reduced browsing capabilities\&.
7838
7436
.sp
7839
7437
Default:
7840
\fI\fIpreferred master\fR\fR\fI = \fR\fI\FCauto\F[]\fR\fI \fR
7438
\fI\fIpreferred master\fR\fR\fI = \fR\fIauto\fR\fI \fR
7841
7439
.RE
7842
7440
7843
7441
preload modules (G)
7847
7445
This is a list of paths to modules that should be loaded into smbd before a client connects\&. This improves the speed of smbd when reacting to new connections somewhat\&.
7848
7446
.sp
7849
7447
Default:
7850
\fI\fIpreload modules\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7448
\fI\fIpreload modules\fR\fR\fI = \fR\fI\fR\fI \fR
7851
7449
.sp
7852
7450
Example:
7853
\fI\fIpreload modules\fR\fR\fI = \fR\fI\FC/usr/lib/samba/passdb/mysql\&.so\F[]\fR\fI \fR
7451
\fI\fIpreload modules\fR\fR\fI = \fR\fI/usr/lib/samba/passdb/mysql\&.so\fR\fI \fR
7854
7452
.RE
7855
7453
7856
7454
auto services
7872
7470
option is easier\&.
7873
7471
.sp
7874
7472
Default:
7875
\fI\fIpreload\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7473
\fI\fIpreload\fR\fR\fI = \fR\fI\fR\fI \fR
7876
7474
.sp
7877
7475
Example:
7878
\fI\fIpreload\fR\fR\fI = \fR\fI\FCfred lp colorlp\F[]\fR\fI \fR
7476
\fI\fIpreload\fR\fR\fI = \fR\fIfred lp colorlp\fR\fI \fR
7879
7477
.RE
7880
7478
7881
7479
preserve case (S)
7890
7488
for a fuller discussion\&.
7891
7489
.sp
7892
7490
Default:
7893
\fI\fIpreserve case\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
7491
\fI\fIpreserve case\fR\fR\fI = \fR\fIyes\fR\fI \fR
7894
7492
.RE
7895
7493
7896
7494
print ok
7913
7511
parameter controls only non\-printing access to the resource\&.
7914
7512
.sp
7915
7513
Default:
7916
\fI\fIprintable\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
7514
\fI\fIprintable\fR\fR\fI = \fR\fIno\fR\fI \fR
7917
7515
.RE
7918
7516
7919
7517
printcap cache time (G)
7925
7523
Setting this parameter to 0 disables any rescanning for new or removed printers after the initial startup\&.
7926
7524
.sp
7927
7525
Default:
7928
\fI\fIprintcap cache time\fR\fR\fI = \fR\fI\FC750\F[]\fR\fI \fR
7526
\fI\fIprintcap cache time\fR\fR\fI = \fR\fI750\fR\fI \fR
7929
7527
.sp
7930
7528
Example:
7931
\fI\fIprintcap cache time\fR\fR\fI = \fR\fI\FC600\F[]\fR\fI \fR
7529
\fI\fIprintcap cache time\fR\fR\fI = \fR\fI600\fR\fI \fR
7932
7530
.RE
7933
7531
7934
7532
printcap
7944
7542
.PP
7945
7543
.RS 4
7946
7544
This parameter may be used to override the compiled\-in default printcap name used by the server (usually
7947
\FC /etc/printcap\F[])\&. See the discussion of the
7545
/etc/printcap)\&. See the discussion of the
7948
7546
[printers]
7949
7547
section above for reasons why you might want to do this\&.
7950
7548
.sp
7951
7549
To use the CUPS printing interface set
7952
\FCprintcap name = cups \F[]\&. This should be supplemented by an addtional setting
7550
printcap name = cups\&. This should be supplemented by an addtional setting
7953
7551
\m[blue]\fBprinting = cups\fR\m[]
7954
7552
in the [global] section\&.
7955
\FCprintcap name = cups\F[]
7553
printcap name = cups
7956
7554
will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file\&.
7957
7555
.sp
7958
7556
On System V systems that use
7959
\FClpstat\F[]
7557
lpstat
7960
7558
to list available printers you can use
7961
\FCprintcap name = lpstat \F[]
7559
printcap name = lpstat
7962
7560
to automatically obtain lists of available printers\&. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems)\&. If
7963
7561
\fI printcap name\fR
7964
7562
is set to
7965
\FClpstat\F[]
7563
lpstat
7966
7564
on these systems then Samba will launch
7967
\FClpstat \-v\F[]
7565
lpstat \-v
7968
7566
and attempt to parse the output to obtain a printer list\&.
7969
7567
.sp
7970
7568
A minimal printcap file would look something like this:
7972
7570
.if n \{\
7973
7571
.RS 4
7974
7572
.\}
7975
.fam C
7976
.ps -1
7977
7573
.nf
7978
.if t \{\
7979
.sp -1
7980
.\}
7981
.BB lightgray adjust-for-leading-newline
7982
.sp -1
7983
7984
7574
print1|My Printer 1
7985
7575
print2|My Printer 2
7986
7576
print3|My Printer 3
7987
7577
print4|My Printer 4
7988
7578
print5|My Printer 5
7989
.EB lightgray adjust-for-leading-newline
7990
.if t \{\
7991
.sp 1
7992
.\}
7993
7579
.fi
7994
.fam
7995
.ps +1
7996
7580
.if n \{\
7997
7581
.RE
7998
7582
.\}
8002
7586
.sp
8003
7587
.\}
8004
7588
.RS 4
8005
.BM yellow
8006
7589
.it 1 an-trap
8007
7590
.nr an-no-space-flag 1
8008
7591
.nr an-break-flag 1
8012
7595
.ps -1
8013
7596
.br
8014
7597
Under AIX the default printcap name is
8015
\FC/etc/qconfig\F[]\&. Samba will assume the file is in AIX
8016
\FCqconfig\F[]
7598
/etc/qconfig\&. Samba will assume the file is in AIX
7599
qconfig
8017
7600
format if the string
8018
\FCqconfig\F[]
7601
qconfig
8019
7602
appears in the printcap filename\&.
8020
7603
.sp .5v
8021
.EM yellow
8022
7604
.RE
8023
7605
Default:
8024
\fI\fIprintcap name\fR\fR\fI = \fR\fI\FC/etc/printcap\F[]\fR\fI \fR
7606
\fI\fIprintcap name\fR\fR\fI = \fR\fI/etc/printcap\fR\fI \fR
8025
7607
.sp
8026
7608
Example:
8027
\fI\fIprintcap name\fR\fR\fI = \fR\fI\FC/etc/myprintcap\F[]\fR\fI \fR
7609
\fI\fIprintcap name\fR\fR\fI = \fR\fI/etc/myprintcap\fR\fI \fR
8028
7610
.RE
8029
7611
8030
7612
print command (S)
8032
7614
.PP
8033
7615
.RS 4
8034
7616
After a print job has finished spooling to a service, this command will be used via a
8035
\FCsystem()\F[]
7617
system()
8036
7618
call to process the spool file\&. Typically the command specified will submit the spool file to the host\'s printing subsystem, but there is no requirement that this be the case\&. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files\&.
8037
7619
.sp
8038
7620
The print command is simply a text string\&. It will be used verbatim after macro substitutions have been made:
8071
7653
.sp
8072
7654
You can form quite complex print commands by realizing that they are just passed to a shell\&. For example the following will log a print job, print the file, then remove it\&. Note that \';\' is the usual separator for command in shell scripts\&.
8073
7655
.sp
8074
\FCprint command = echo Printing %s >> /tmp/print\&.log; lpr \-P %p %s; rm %s\F[]
7656
print command = echo Printing %s >> /tmp/print\&.log; lpr \-P %p %s; rm %s
8075
7657
.sp
8076
7658
You may have to vary this command considerably depending on how you normally print files on your system\&. The default for the parameter varies depending on the setting of the
8077
7659
\m[blue]\fBprinting\fR\m[]
8078
7660
parameter\&.
8079
7661
.sp
8080
7662
Default: For
8081
\FCprinting = BSD, AIX, QNX, LPRNG or PLP :\F[]
8082
.sp
8083
\FCprint command = lpr \-r \-P%p %s\F[]
8084
.sp
8085
For
8086
\FCprinting = SYSV or HPUX :\F[]
8087
.sp
8088
\FCprint command = lp \-c \-d%p %s; rm %s\F[]
8089
.sp
8090
For
8091
\FCprinting = SOFTQ :\F[]
8092
.sp
8093
\FCprint command = lp \-d%p \-s %s; rm %s\F[]
7663
printing = BSD, AIX, QNX, LPRNG or PLP :
7664
.sp
7665
print command = lpr \-r \-P%p %s
7666
.sp
7667
For
7668
printing = SYSV or HPUX :
7669
.sp
7670
print command = lp \-c \-d%p %s; rm %s
7671
.sp
7672
For
7673
printing = SOFTQ :
7674
.sp
7675
print command = lp \-d%p \-s %s; rm %s
8094
7676
.sp
8095
7677
For printing = CUPS : If SAMBA is compiled against libcups, then
8096
7678
\m[blue]\fBprintcap = cups\fR\m[]
8097
7679
uses the CUPS API to submit jobs, etc\&. Otherwise it maps to the System V commands with the \-oraw option for printing, i\&.e\&. it uses
8098
\FClp \-c \-d%p \-oraw; rm %s\F[]\&. With
8099
\FCprinting = cups\F[], and if SAMBA is compiled against libcups, any manually set print command will be ignored\&.
7680
lp \-c \-d%p \-oraw; rm %s\&. With
7681
printing = cups, and if SAMBA is compiled against libcups, any manually set print command will be ignored\&.
8100
7682
.sp
8101
7683
\fINo default\fR
8102
7684
.sp
8103
7685
Example:
8104
\fI\fIprint command\fR\fR\fI = \fR\fI\FC/usr/local/samba/bin/myprintscript %p %s\F[]\fR\fI \fR
7686
\fI\fIprint command\fR\fR\fI = \fR\fI/usr/local/samba/bin/myprintscript %p %s\fR\fI \fR
8105
7687
.RE
8106
7688
8107
7689
printer admin (S)
8113
7695
This parameter has been marked deprecated in favor of using the SePrintOperatorPrivilege and individual print security descriptors\&. It will be removed in a future release\&.
8114
7696
.sp
8115
7697
Default:
8116
\fI\fIprinter admin\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7698
\fI\fIprinter admin\fR\fR\fI = \fR\fI\fR\fI \fR
8117
7699
.sp
8118
7700
Example:
8119
\fI\fIprinter admin\fR\fR\fI = \fR\fI\FCadmin, @staff\F[]\fR\fI \fR
7701
\fI\fIprinter admin\fR\fR\fI = \fR\fIadmin, @staff\fR\fI \fR
8120
7702
.RE
8121
7703
8122
7704
printer
8138
7720
The default value of the
8139
7721
\m[blue]\fBprinter name\fR\m[]
8140
7722
may be
8141
\FClp\F[]
7723
lp
8142
7724
on many systems\&.
8143
7725
.sp
8144
7726
Default:
8145
\fI\fIprinter name\fR\fR\fI = \fR\fI\FCnone\F[]\fR\fI \fR
7727
\fI\fIprinter name\fR\fR\fI = \fR\fInone\fR\fI \fR
8146
7728
.sp
8147
7729
Example:
8148
\fI\fIprinter name\fR\fR\fI = \fR\fI\FClaserwriter\F[]\fR\fI \fR
7730
\fI\fIprinter name\fR\fR\fI = \fR\fIlaserwriter\fR\fI \fR
8149
7731
.RE
8150
7732
8151
7733
printing (S)
8184
7766
section\&.
8185
7767
.sp
8186
7768
Default:
8187
\fI\fIprinting\fR\fR\fI = \fR\fI\FCDepends on the operating system, see \FCtestparm \-v\&.\F[]\F[]\fR\fI \fR
7769
\fI\fIprinting\fR\fR\fI = \fR\fIDepends on the operating system, see testparm \-v\&.\fR\fI \fR
8188
7770
.RE
8189
7771
8190
7772
printjob username (S)
8194
7776
This parameter specifies which user information will be passed to the printing system\&. Usually, the username is sent, but in some cases, e\&.g\&. the domain prefix is useful, too\&.
8195
7777
.sp
8196
7778
Default:
8197
\fI\fIprintjob username\fR\fR\fI = \fR\fI\FC%U\F[]\fR\fI \fR
7779
\fI\fIprintjob username\fR\fR\fI = \fR\fI%U\fR\fI \fR
8198
7780
.sp
8199
7781
Example:
8200
\fI\fIprintjob username\fR\fR\fI = \fR\fI\FC%D\e%U\F[]\fR\fI \fR
7782
\fI\fIprintjob username\fR\fR\fI = \fR\fI%D\e%U\fR\fI \fR
8201
7783
.RE
8202
7784
8203
7785
private dir (G)
8205
7787
.PP
8206
7788
.RS 4
8207
7789
This parameters defines the directory smbd will use for storing such files as
8208
\FCsmbpasswd\F[]
7790
smbpasswd
8209
7791
and
8210
\FCsecrets\&.tdb\F[]\&.
7792
secrets\&.tdb\&.
8211
7793
.sp
8212
7794
Default:
8213
\fI\fIprivate dir\fR\fR\fI = \fR\fI\FC${prefix}/private\F[]\fR\fI \fR
7795
\fI\fIprivate dir\fR\fR\fI = \fR\fI${prefix}/private\fR\fI \fR
8214
7796
.RE
8215
7797
8216
7798
profile acls (S)
8224
7806
Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each others profiles you must remove the "Bypass traverse checking" advanced user right\&. This will prevent access to other users profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user\&.
8225
7807
.sp
8226
7808
Default:
8227
\fI\fIprofile acls\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
7809
\fI\fIprofile acls\fR\fR\fI = \fR\fIno\fR\fI \fR
8228
7810
.RE
8229
7811
8230
7812
queuepause command (S)
8246
7828
\fINo default\fR
8247
7829
.sp
8248
7830
Example:
8249
\fI\fIqueuepause command\fR\fR\fI = \fR\fI\FCdisable %p\F[]\fR\fI \fR
7831
\fI\fIqueuepause command\fR\fR\fI = \fR\fIdisable %p\fR\fI \fR
8250
7832
.RE
8251
7833
8252
7834
queueresume command (S)
8266
7848
Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server\&.
8267
7849
.sp
8268
7850
Default:
8269
\fI\fIqueueresume command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7851
\fI\fIqueueresume command\fR\fR\fI = \fR\fI\fR\fI \fR
8270
7852
.sp
8271
7853
Example:
8272
\fI\fIqueueresume command\fR\fR\fI = \fR\fI\FCenable %p\F[]\fR\fI \fR
7854
\fI\fIqueueresume command\fR\fR\fI = \fR\fIenable %p\fR\fI \fR
8273
7855
.RE
8274
7856
8275
7857
read list (S)
8287
7869
in Samba 3\&.0\&. This is by design\&.
8288
7870
.sp
8289
7871
Default:
8290
\fI\fIread list\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7872
\fI\fIread list\fR\fR\fI = \fR\fI\fR\fI \fR
8291
7873
.sp
8292
7874
Example:
8293
\fI\fIread list\fR\fR\fI = \fR\fI\FCmary, @students\F[]\fR\fI \fR
7875
\fI\fIread list\fR\fR\fI = \fR\fImary, @students\fR\fI \fR
8294
7876
.RE
8295
7877
8296
7878
read only (S)
8303
7885
If this parameter is
8304
7886
\fByes\fR, then users of a service may not create or modify files in the service\'s directory\&.
8305
7887
.sp
8306
Note that a printable service (\FCprintable = yes\F[]) will
7888
Note that a printable service (printable = yes) will
8307
7889
\fIALWAYS\fR
8308
7890
allow writing to the directory (user privileges permitting), but only via spooling operations\&.
8309
7891
.sp
8310
7892
Default:
8311
\fI\fIread only\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
7893
\fI\fIread only\fR\fR\fI = \fR\fIyes\fR\fI \fR
8312
7894
.RE
8313
7895
8314
7896
read raw (G)
8324
7906
In general this parameter should be viewed as a system tuning tool and left severely alone\&.
8325
7907
.sp
8326
7908
Default:
8327
\fI\fIread raw\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
7909
\fI\fIread raw\fR\fR\fI = \fR\fIyes\fR\fI \fR
8328
7910
.RE
8329
7911
8330
7912
realm (G)
8332
7914
.PP
8333
7915
.RS 4
8334
7916
This option specifies the kerberos realm to use\&. The realm is used as the ADS equivalent of the NT4
8335
\FCdomain\F[]\&. It is usually set to the DNS name of the kerberos server\&.
7917
domain\&. It is usually set to the DNS name of the kerberos server\&.
8336
7918
.sp
8337
7919
Default:
8338
\fI\fIrealm\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7920
\fI\fIrealm\fR\fR\fI = \fR\fI\fR\fI \fR
8339
7921
.sp
8340
7922
Example:
8341
\fI\fIrealm\fR\fR\fI = \fR\fI\FCmysambabox\&.mycompany\&.com\F[]\fR\fI \fR
7923
\fI\fIrealm\fR\fR\fI = \fR\fImysambabox\&.mycompany\&.com\fR\fI \fR
8342
7924
.RE
8343
7925
8344
7926
registry shares (G)
8358
7940
\fIregistry\fR\&.
8359
7941
.sp
8360
7942
Default:
8361
\fI\fIregistry shares\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
7943
\fI\fIregistry shares\fR\fR\fI = \fR\fIno\fR\fI \fR
8362
7944
.sp
8363
7945
Example:
8364
\fI\fIregistry shares\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
7946
\fI\fIregistry shares\fR\fR\fI = \fR\fIyes\fR\fI \fR
8365
7947
.RE
8366
7948
8367
7949
remote announce (G)
8379
7961
.if n \{\
8380
7962
.RS 4
8381
7963
.\}
8382
.fam C
8383
.ps -1
8384
7964
.nf
8385
.if t \{\
8386
.sp -1
8387
.\}
8388
.BB lightgray adjust-for-leading-newline
8389
.sp -1
8390
8391
\FCremote announce = 192\&.168\&.2\&.255/SERVERS 192\&.168\&.4\&.255/STAFF\F[]
8392
.EB lightgray adjust-for-leading-newline
8393
.if t \{\
8394
.sp 1
8395
.\}
7965
remote announce = 192\&.168\&.2\&.255/SERVERS 192\&.168\&.4\&.255/STAFF
8396
7966
.fi
8397
.fam
8398
.ps +1
8399
7967
.if n \{\
8400
7968
.RE
8401
7969
.\}
8402
7970
.sp
8403
7971
the above line would cause
8404
\FCnmbd\F[]
7972
nmbd
8405
7973
to announce itself to the two given IP addresses using the given workgroup names\&. If you leave out the workgroup name, then the one given in the
8406
7974
\m[blue]\fBworkgroup\fR\m[]
8407
7975
parameter is used instead\&.
8411
7979
See the chapter on Network Browsing in the Samba\-HOWTO book\&.
8412
7980
.sp
8413
7981
Default:
8414
\fI\fIremote announce\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
7982
\fI\fIremote announce\fR\fR\fI = \fR\fI\fR\fI \fR
8415
7983
.RE
8416
7984
8417
7985
remote browse sync (G)
8429
7997
.if n \{\
8430
7998
.RS 4
8431
7999
.\}
8432
.fam C
8433
.ps -1
8434
8000
.nf
8435
.if t \{\
8436
.sp -1
8437
.\}
8438
.BB lightgray adjust-for-leading-newline
8439
.sp -1
8440
8441
8001
\fIremote browse sync = 192\&.168\&.2\&.255 192\&.168\&.4\&.255\fR
8442
.EB lightgray adjust-for-leading-newline
8443
.if t \{\
8444
.sp 1
8445
.\}
8446
8002
.fi
8447
.fam
8448
.ps +1
8449
8003
.if n \{\
8450
8004
.RE
8451
8005
.\}
8452
8006
.sp
8453
8007
the above line would cause
8454
\FCnmbd\F[]
8008
nmbd
8455
8009
to request the master browser on the specified subnets or addresses to synchronize their browse lists with the local server\&.
8456
8010
.sp
8457
8011
The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable\&. If a machine IP address is given Samba makes NO attempt to validate that the remote machine is available, is listening, nor that it is in fact the browse master on its segment\&.
8461
8015
may be used on networks where there is no WINS server, and may be used on disjoint networks where each network has its own WINS server\&.
8462
8016
.sp
8463
8017
Default:
8464
\fI\fIremote browse sync\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
8018
\fI\fIremote browse sync\fR\fR\fI = \fR\fI\fR\fI \fR
8465
8019
.RE
8466
8020
8467
8021
rename user script (G)
8473
8027
under special circumstances described below\&.
8474
8028
.sp
8475
8029
When a user with admin authority or SeAddUserPrivilege rights renames a user (e\&.g\&.: from the NT4 User Manager for Domains), this script will be run to rename the POSIX user\&. Two variables,
8476
\FC%uold\F[]
8030
%uold
8477
8031
and
8478
\FC%unew\F[], will be substituted with the old and new usernames, respectively\&. The script should return 0 upon successful completion, and nonzero otherwise\&.
8032
%unew, will be substituted with the old and new usernames, respectively\&. The script should return 0 upon successful completion, and nonzero otherwise\&.
8479
8033
.if n \{\
8480
8034
.sp
8481
8035
.\}
8482
8036
.RS 4
8483
.BM yellow
8484
8037
.it 1 an-trap
8485
8038
.nr an-no-space-flag 1
8486
8039
.nr an-break-flag 1
8491
8044
.br
8492
8045
The script has all responsibility to rename all the necessary data that is accessible in this posix method\&. This can mean different requirements for different backends\&. The tdbsam and smbpasswd backends will take care of the contents of their respective files, so the script is responsible only for changing the POSIX username, and other data that may required for your circumstances, such as home directory\&. Please also consider whether or not you need to rename the actual home directories themselves\&. The ldapsam backend will not make any changes, because of the potential issues with renaming the LDAP naming attribute\&. In this case the script is responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that needs to change for other applications using the same directory\&.
8493
8046
.sp .5v
8494
.EM yellow
8495
8047
.RE
8496
8048
Default:
8497
\fI\fIrename user script\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
8049
\fI\fIrename user script\fR\fR\fI = \fR\fIno\fR\fI \fR
8498
8050
.RE
8499
8051
8500
8052
reset on zero vc (G)
8504
8056
This boolean option controls whether an incoming session setup should kill other connections coming from the same IP\&. This matches the default Windows 2003 behaviour\&. Setting this parameter to yes becomes necessary when you have a flaky network and windows decides to reconnect while the old connection still has files with share modes open\&. These files become inaccessible over the new connection\&. The client sends a zero VC on the new connection, and Windows 2003 kills all other connections coming from the same IP\&. This way the locked files are accessible again\&. Please be aware that enabling this option will kill connections behind a masquerading router\&.
8505
8057
.sp
8506
8058
Default:
8507
\fI\fIreset on zero vc\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
8059
\fI\fIreset on zero vc\fR\fR\fI = \fR\fIno\fR\fI \fR
8508
8060
.RE
8509
8061
8510
8062
restrict anonymous (G)
8516
8068
.if n \{\
8517
8069
.RS 4
8518
8070
.\}
8519
.fam C
8520
.ps -1
8521
8071
.nf
8522
.if t \{\
8523
.sp -1
8524
.\}
8525
.BB lightgray adjust-for-leading-newline
8526
.sp -1
8527
8528
8072
HKEY_LOCAL_MACHINE\eSYSTEM\eCurrentControlSet\e
8529
8073
Control\eLSA\eRestrictAnonymous
8530
.EB lightgray adjust-for-leading-newline
8531
.if t \{\
8532
.sp 1
8533
.\}
8534
8074
.fi
8535
.fam
8536
.ps +1
8537
8075
.if n \{\
8538
8076
.RE
8539
8077
.\}
8545
8083
.sp
8546
8084
.\}
8547
8085
.RS 4
8548
.BM yellow
8549
8086
.it 1 an-trap
8550
8087
.nr an-no-space-flag 1
8551
8088
.nr an-break-flag 1
8558
8095
\m[blue]\fBguest ok = yes\fR\m[]
8559
8096
on any share\&.
8560
8097
.sp .5v
8561
.EM yellow
8562
8098
.RE
8563
8099
Default:
8564
\fI\fIrestrict anonymous\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
8100
\fI\fIrestrict anonymous\fR\fR\fI = \fR\fI0\fR\fI \fR
8565
8101
.RE
8566
8102
8567
8103
root
8585
8121
.PP
8586
8122
.RS 4
8587
8123
The server will
8588
\FCchroot()\F[]
8124
chroot()
8589
8125
(i\&.e\&. Change its root directory) to this directory on startup\&. This is not strictly necessary for secure operation\&. Even without it the server will deny access to files not in one of the service entries\&. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use "\&.\&." in file names to access other directories (depending on the setting of the
8590
8126
\m[blue]\fBwide smbconfoptions\fR\m[]
8591
8127
parameter)\&.
8599
8135
some files needed for complete operation of the server\&. To maintain full operability of the server you will need to mirror some system files into the
8600
8136
\fIroot directory\fR
8601
8137
tree\&. In particular you will need to mirror
8602
\FC/etc/passwd\F[]
8138
/etc/passwd
8603
8139
(or a subset of it), and any binaries or configuration files needed for printing (if required)\&. The set of files that must be mirrored is operating system dependent\&.
8604
8140
.sp
8605
8141
Default:
8606
\fI\fIroot directory\fR\fR\fI = \fR\fI\FC/\F[]\fR\fI \fR
8142
\fI\fIroot directory\fR\fR\fI = \fR\fI/\fR\fI \fR
8607
8143
.sp
8608
8144
Example:
8609
\fI\fIroot directory\fR\fR\fI = \fR\fI\FC/homes/smb\F[]\fR\fI \fR
8145
\fI\fIroot directory\fR\fR\fI = \fR\fI/homes/smb\fR\fI \fR
8610
8146
.RE
8611
8147
8612
8148
root postexec (S)
8618
8154
parameter except that the command is run as root\&. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed\&.
8619
8155
.sp
8620
8156
Default:
8621
\fI\fIroot postexec\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
8157
\fI\fIroot postexec\fR\fR\fI = \fR\fI\fR\fI \fR
8622
8158
.RE
8623
8159
8624
8160
root preexec close (S)
8630
8166
parameter except that the command is run as root\&.
8631
8167
.sp
8632
8168
Default:
8633
\fI\fIroot preexec close\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
8169
\fI\fIroot preexec close\fR\fR\fI = \fR\fIno\fR\fI \fR
8634
8170
.RE
8635
8171
8636
8172
root preexec (S)
8642
8178
parameter except that the command is run as root\&. This is useful for mounting filesystems (such as CDROMs) when a connection is opened\&.
8643
8179
.sp
8644
8180
Default:
8645
\fI\fIroot preexec\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
8181
\fI\fIroot preexec\fR\fR\fI = \fR\fI\fR\fI \fR
8646
8182
.RE
8647
8183
8648
8184
security mask (S)
8663
8199
\fB0777\fR\&.
8664
8200
.sp
8665
8201
Default:
8666
\fI\fIsecurity mask\fR\fR\fI = \fR\fI\FC0777\F[]\fR\fI \fR
8202
\fI\fIsecurity mask\fR\fR\fI = \fR\fI0777\fR\fI \fR
8667
8203
.sp
8668
8204
Example:
8669
\fI\fIsecurity mask\fR\fR\fI = \fR\fI\FC0770\F[]\fR\fI \fR
8205
\fI\fIsecurity mask\fR\fR\fI = \fR\fI0770\fR\fI \fR
8670
8206
.RE
8671
8207
8672
8208
security (G)
8674
8210
.PP
8675
8211
.RS 4
8676
8212
This option affects how clients respond to Samba and is one of the most important settings in the
8677
\FC smb\&.conf\F[]
8213
smb\&.conf
8678
8214
file\&.
8679
8215
.sp
8680
8216
The option sets the "security mode bit" in replies to protocol negotiations with
8682
8218
to turn share level security on or off\&. Clients decide based on this bit whether (and how) to transfer user and password information to the server\&.
8683
8219
.sp
8684
8220
The default is
8685
\FCsecurity = user\F[], as this is the most common setting needed when talking to Windows 98 and Windows NT\&.
8221
security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT\&.
8686
8222
.sp
8687
8223
The alternatives are
8688
\FCsecurity = share\F[],
8689
\FCsecurity = server\F[]
8224
security = share,
8225
security = server
8690
8226
or
8691
\FCsecurity = domain \F[]\&.
8227
security = domain\&.
8692
8228
.sp
8693
8229
In versions of Samba prior to 2\&.0\&.0, the default was
8694
\FCsecurity = share\F[]
8230
security = share
8695
8231
mainly because that was the only option at one stage\&.
8696
8232
.sp
8697
8233
There is a bug in WfWg that has relevance to this setting\&. When in user or server level security a WfWg client will totally ignore the username and password you type in the "connect drive" dialog box\&. This makes it very difficult (if not impossible) to connect to a Samba service as anyone except the user that you are logged into WfWg as\&.
8698
8234
.sp
8699
8235
If your PCs use usernames that are the same as their usernames on the UNIX machine then you will want to use
8700
\FCsecurity = user\F[]\&. If you mostly use usernames that don\'t exist on the UNIX box then use
8701
\FCsecurity = share\F[]\&.
8236
security = user\&. If you mostly use usernames that don\'t exist on the UNIX box then use
8237
security = share\&.
8702
8238
.sp
8703
8239
You should also use
8704
\FCsecurity = share\F[]
8240
security = share
8705
8241
if you want to mainly setup shares without a password (guest shares)\&. This is commonly used for a shared printer server\&. It is more difficult to setup guest shares with
8706
\FCsecurity = user\F[], see the
8242
security = user, see the
8707
8243
\m[blue]\fBmap to guest\fR\m[]
8708
8244
parameter for details\&.
8709
8245
.sp
8710
8246
It is possible to use
8711
\FCsmbd\F[]
8247
smbd
8712
8248
in a
8713
8249
\fI hybrid mode\fR
8714
8250
where it is offers both user and share level security under different
8719
8255
\fISECURITY = SHARE\fR
8720
8256
.sp
8721
8257
When clients connect to a share level security server, they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a
8722
\FCsecurity = share \F[]
8258
security = share
8723
8259
server)\&. Instead, the clients send authentication information (passwords) on a per\-share basis, at the time they attempt to connect to that share\&.
8724
8260
.sp
8725
8261
Note that
8726
\FCsmbd\F[]
8262
smbd
8727
8263
\fIALWAYS\fR
8728
8264
uses a valid UNIX user to act on behalf of the client, even in
8729
\FCsecurity = share\F[]
8265
security = share
8730
8266
level security\&.
8731
8267
.sp
8732
8268
As clients are not required to send a username to the server in share level security,
8733
\FCsmbd\F[]
8269
smbd
8734
8270
uses several techniques to determine the correct UNIX user to use on behalf of the client\&.
8735
8271
.sp
8736
8272
A list of possible UNIX usernames to match with the given client password is constructed using the following methods :
8863
8399
.sp
8864
8400
\fINote\fR
8865
8401
that from the client\'s point of view
8866
\FCsecurity = domain\F[]
8402
security = domain
8867
8403
is the same as
8868
\FCsecurity = user\F[]\&. It only affects how the server deals with the authentication, it does not in any way affect what the client sees\&.
8404
security = user\&. It only affects how the server deals with the authentication, it does not in any way affect what the client sees\&.
8869
8405
.sp
8870
8406
\fINote\fR
8871
8407
that the name of the resource being requested is
8887
8423
\fISECURITY = SERVER\fR
8888
8424
.sp
8889
8425
In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box\&. If this fails it will revert to
8890
\FCsecurity = user\F[]\&. It expects the
8426
security = user\&. It expects the
8891
8427
\m[blue]\fBencrypted passwords\fR\m[]
8892
8428
parameter to be set to
8893
8429
\fByes\fR, unless the remote server does not support them\&. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid
8894
\FCsmbpasswd\F[]
8430
smbpasswd
8895
8431
file to check users against\&. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up\&.
8896
8432
.if n \{\
8897
8433
.sp
8898
8434
.\}
8899
8435
.RS 4
8900
.BM yellow
8901
8436
.it 1 an-trap
8902
8437
.nr an-no-space-flag 1
8903
8438
.nr an-break-flag 1
8908
8443
.br
8909
8444
This mode of operation has significant pitfalls since it is more vulnerable to man\-in\-the\-middle attacks and server impersonation\&. In particular, this mode of operation can cause significant resource consuption on the PDC, as it must maintain an active connection for the duration of the user\'s session\&. Furthermore, if this connection is lost, there is no way to reestablish it, and futher authentications to the Samba server may fail (from a single client, till it disconnects)\&.
8910
8445
.sp .5v
8911
.EM yellow
8912
8446
.RE
8913
8447
.if n \{\
8914
8448
.sp
8915
8449
.\}
8916
8450
.RS 4
8917
.BM yellow
8918
8451
.it 1 an-trap
8919
8452
.nr an-no-space-flag 1
8920
8453
.nr an-break-flag 1
8924
8457
.ps -1
8925
8458
.br
8926
8459
From the client\'s point of view,
8927
\FCsecurity = server\F[]
8460
security = server
8928
8461
is the same as
8929
\FCsecurity = user\F[]\&. It only affects how the server deals with the authentication, it does not in any way affect what the client sees\&.
8462
security = user\&. It only affects how the server deals with the authentication, it does not in any way affect what the client sees\&.
8930
8463
.sp .5v
8931
.EM yellow
8932
8464
.RE
8933
8465
\fINote\fR
8934
8466
that the name of the resource being requested is
8956
8488
Read the chapter about Domain Membership in the HOWTO for details\&.
8957
8489
.sp
8958
8490
Default:
8959
\fI\fIsecurity\fR\fR\fI = \fR\fI\FCUSER\F[]\fR\fI \fR
8491
\fI\fIsecurity\fR\fR\fI = \fR\fIUSER\fR\fI \fR
8960
8492
.sp
8961
8493
Example:
8962
\fI\fIsecurity\fR\fR\fI = \fR\fI\FCDOMAIN\F[]\fR\fI \fR
8494
\fI\fIsecurity\fR\fR\fI = \fR\fIDOMAIN\fR\fI \fR
8963
8495
.RE
8964
8496
8965
8497
server schannel (G)
8975
8507
denies access if the client is not able to speak netlogon schannel\&. This is only the case for Windows NT4 before SP4\&.
8976
8508
.sp
8977
8509
Please note that with this set to
8978
\FCno\F[], you will have to apply the WindowsXP
8979
\FCWinXP_SignOrSeal\&.reg\F[]
8510
no, you will have to apply the WindowsXP
8511
WinXP_SignOrSeal\&.reg
8980
8512
registry patch found in the docs/registry subdirectory of the Samba distribution tarball\&.
8981
8513
.sp
8982
8514
Default:
8983
\fI\fIserver schannel\fR\fR\fI = \fR\fI\FCauto\F[]\fR\fI \fR
8515
\fI\fIserver schannel\fR\fR\fI = \fR\fIauto\fR\fI \fR
8984
8516
.sp
8985
8517
Example:
8986
\fI\fIserver schannel\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
8518
\fI\fIserver schannel\fR\fR\fI = \fR\fIyes\fR\fI \fR
8987
8519
.RE
8988
8520
8989
8521
server signing (G)
8999
8531
When set to auto, SMB signing is offered, but not enforced\&. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either\&.
9000
8532
.sp
9001
8533
Default:
9002
\fI\fIserver signing\fR\fR\fI = \fR\fI\FCDisabled\F[]\fR\fI \fR
8534
\fI\fIserver signing\fR\fR\fI = \fR\fIDisabled\fR\fI \fR
9003
8535
.RE
9004
8536
9005
8537
server string (G)
9007
8539
.PP
9008
8540
.RS 4
9009
8541
This controls what string will show up in the printer comment box in print manager and next to the IPC connection in
9010
\FCnet view\F[]\&. It can be any string that you wish to show to your users\&.
8542
net view\&. It can be any string that you wish to show to your users\&.
9011
8543
.sp
9012
8544
It also sets what will appear in browse lists next to the machine name\&.
9013
8545
.sp
9020
8552
will be replaced with the hostname\&.
9021
8553
.sp
9022
8554
Default:
9023
\fI\fIserver string\fR\fR\fI = \fR\fI\FCSamba %v\F[]\fR\fI \fR
8555
\fI\fIserver string\fR\fR\fI = \fR\fISamba %v\fR\fI \fR
9024
8556
.sp
9025
8557
Example:
9026
\fI\fIserver string\fR\fR\fI = \fR\fI\FCUniversity of GNUs Samba Server\F[]\fR\fI \fR
8558
\fI\fIserver string\fR\fR\fI = \fR\fIUniversity of GNUs Samba Server\fR\fI \fR
9027
8559
.RE
9028
8560
9029
8561
set directory (S)
9031
8563
.PP
9032
8564
.RS 4
9033
8565
If
9034
\FCset directory = no\F[], then users of the service may not use the setdir command to change directory\&.
8566
set directory = no, then users of the service may not use the setdir command to change directory\&.
9035
8567
.sp
9036
8568
The
9037
\FCsetdir\F[]
8569
setdir
9038
8570
command is only implemented in the Digital Pathworks client\&. See the Pathworks documentation for details\&.
9039
8571
.sp
9040
8572
Default:
9041
\fI\fIset directory\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
8573
\fI\fIset directory\fR\fR\fI = \fR\fIno\fR\fI \fR
9042
8574
.RE
9043
8575
9044
8576
set primary group script (G)
9046
8578
.PP
9047
8579
.RS 4
9048
8580
Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups\&. This script sets the primary group in the unix userdatase when an administrator sets the primary group from the windows user manager or when fetching a SAM with
9049
\FCnet rpc vampire\F[]\&.
8581
net rpc vampire\&.
9050
8582
\fI%u\fR
9051
8583
will be replaced with the user whose primary group is to be set\&.
9052
8584
\fI%g\fR
9053
8585
will be replaced with the group to set\&.
9054
8586
.sp
9055
8587
Default:
9056
\fI\fIset primary group script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
8588
\fI\fIset primary group script\fR\fR\fI = \fR\fI\fR\fI \fR
9057
8589
.sp
9058
8590
Example:
9059
\fI\fIset primary group script\fR\fR\fI = \fR\fI\FC/usr/sbin/usermod \-g \'%g\' \'%u\'\F[]\fR\fI \fR
8591
\fI\fIset primary group script\fR\fR\fI = \fR\fI/usr/sbin/usermod \-g \'%g\' \'%u\'\fR\fI \fR
9060
8592
.RE
9061
8593
9062
8594
set quota command (G)
9064
8596
.PP
9065
8597
.RS 4
9066
8598
The
9067
\FCset quota command\F[]
8599
set quota command
9068
8600
should only be used whenever there is no operating system API available from the OS that samba can use\&.
9069
8601
.sp
9070
8602
This option is only available if Samba was configured with the argument
9071
\FC\-\-with\-sys\-quotas\F[]
8603
\-\-with\-sys\-quotas
9072
8604
or on linux when
9073
\FC\&./configure \-\-with\-quotas\F[]
8605
\&./configure \-\-with\-quotas
9074
8606
was used and a working quota api was found in the system\&. Most packages are configured with these options already\&.
9075
8607
.sp
9076
8608
This parameter should specify the path to a script that can set quota for the specified arguments\&.
9213
8745
The script should output at least one line of data on success\&. And nothing on failure\&.
9214
8746
.sp
9215
8747
Default:
9216
\fI\fIset quota command\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
8748
\fI\fIset quota command\fR\fR\fI = \fR\fI\fR\fI \fR
9217
8749
.sp
9218
8750
Example:
9219
\fI\fIset quota command\fR\fR\fI = \fR\fI\FC/usr/local/sbin/set_quota\F[]\fR\fI \fR
8751
\fI\fIset quota command\fR\fR\fI = \fR\fI/usr/local/sbin/set_quota\fR\fI \fR
9220
8752
.RE
9221
8753
9222
8754
share:fake_fscaps (G)
9228
8760
the SPARSE_FILES file system capability flag is set\&. Use other decimal values to specify the bitmask you need to fake\&.
9229
8761
.sp
9230
8762
Default:
9231
\fI\fIshare:fake_fscaps\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
8763
\fI\fIshare:fake_fscaps\fR\fR\fI = \fR\fI0\fR\fI \fR
9232
8764
.RE
9233
8765
9234
8766
share modes (S)
9252
8784
turn this parameter off as many Windows applications will break if you do so\&.
9253
8785
.sp
9254
8786
Default:
9255
\fI\fIshare modes\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
8787
\fI\fIshare modes\fR\fR\fI = \fR\fIyes\fR\fI \fR
9256
8788
.RE
9257
8789
9258
8790
short preserve case (S)
9268
8800
NAME MANGLING\&.
9269
8801
.sp
9270
8802
Default:
9271
\fI\fIshort preserve case\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
8803
\fI\fIshort preserve case\fR\fR\fI = \fR\fIyes\fR\fI \fR
9272
8804
.RE
9273
8805
9274
8806
show add printer wizard (G)
9288
8820
.sp
9289
8821
.\}
9290
8822
.RS 4
9291
.BM yellow
9292
8823
.it 1 an-trap
9293
8824
.nr an-no-space-flag 1
9294
8825
.nr an-break-flag 1
9299
8830
.br
9300
8831
This does not prevent the same user from having administrative privilege on an individual printer\&.
9301
8832
.sp .5v
9302
.EM yellow
9303
8833
.RE
9304
8834
Default:
9305
\fI\fIshow add printer wizard\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
8835
\fI\fIshow add printer wizard\fR\fR\fI = \fR\fIyes\fR\fI \fR
9306
8836
.RE
9307
8837
9308
8838
shutdown script (G)
9373
8903
.if n \{\
9374
8904
.RS 4
9375
8905
.\}
9376
.fam C
9377
.ps -1
9378
8906
.nf
9379
.if t \{\
9380
.sp -1
9381
.\}
9382
.BB lightgray adjust-for-leading-newline
9383
.sp -1
9384
9385
8907
#!/bin/bash
9386
8908
9387
8909
$time=0
9389
8911
let "time++"
9390
8912
9391
8913
/sbin/shutdown $3 $4 +$time $1 &
9392
.EB lightgray adjust-for-leading-newline
9393
.if t \{\
9394
.sp 1
9395
.\}
9396
8914
.fi
9397
.fam
9398
.ps +1
9399
8915
.if n \{\
9400
8916
.RE
9401
8917
.\}
9403
8919
Shutdown does not return so we need to launch it in background\&.
9404
8920
.sp
9405
8921
Default:
9406
\fI\fIshutdown script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
8922
\fI\fIshutdown script\fR\fR\fI = \fR\fI\fR\fI \fR
9407
8923
.sp
9408
8924
Example:
9409
\fI\fIshutdown script\fR\fR\fI = \fR\fI\FC/usr/local/samba/sbin/shutdown %m %t %r %f\F[]\fR\fI \fR
8925
\fI\fIshutdown script\fR\fR\fI = \fR\fI/usr/local/samba/sbin/shutdown %m %t %r %f\fR\fI \fR
9410
8926
.RE
9411
8927
9412
8928
smb encrypt (S)
9430
8946
When set to auto, SMB encryption is offered, but not enforced\&. When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated\&.
9431
8947
.sp
9432
8948
Default:
9433
\fI\fIsmb encrypt\fR\fR\fI = \fR\fI\FCauto\F[]\fR\fI \fR
8949
\fI\fIsmb encrypt\fR\fR\fI = \fR\fIauto\fR\fI \fR
9434
8950
.RE
9435
8951
9436
8952
smb passwd file (G)
9444
8960
.if n \{\
9445
8961
.RS 4
9446
8962
.\}
9447
.fam C
9448
.ps -1
9449
8963
.nf
9450
.if t \{\
9451
.sp -1
9452
.\}
9453
.BB lightgray adjust-for-leading-newline
9454
.sp -1
9455
9456
8964
smb passwd file = /etc/samba/smbpasswd
9457
.EB lightgray adjust-for-leading-newline
9458
.if t \{\
9459
.sp 1
9460
.\}
9461
8965
.fi
9462
.fam
9463
.ps +1
9464
8966
.if n \{\
9465
8967
.RE
9466
8968
.\}
9467
8969
.sp
9468
8970
Default:
9469
\fI\fIsmb passwd file\fR\fR\fI = \fR\fI\FC${prefix}/private/smbpasswd\F[]\fR\fI \fR
8971
\fI\fIsmb passwd file\fR\fR\fI = \fR\fI${prefix}/private/smbpasswd\fR\fI \fR
9470
8972
.RE
9471
8973
9472
8974
smb ports (G)
9476
8978
Specifies which ports the server should listen on for SMB traffic\&.
9477
8979
.sp
9478
8980
Default:
9479
\fI\fIsmb ports\fR\fR\fI = \fR\fI\FC445 139\F[]\fR\fI \fR
8981
\fI\fIsmb ports\fR\fR\fI = \fR\fI445 139\fR\fI \fR
9480
8982
.RE
9481
8983
9482
8984
socket address (G)
9490
8992
By default Samba will accept connections on any address\&.
9491
8993
.sp
9492
8994
Default:
9493
\fI\fIsocket address\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
8995
\fI\fIsocket address\fR\fR\fI = \fR\fI\fR\fI \fR
9494
8996
.sp
9495
8997
Example:
9496
\fI\fIsocket address\fR\fR\fI = \fR\fI\FC192\&.168\&.2\&.20\F[]\fR\fI \fR
8998
\fI\fIsocket address\fR\fR\fI = \fR\fI192\&.168\&.2\&.20\fR\fI \fR
9497
8999
.RE
9498
9000
9499
9001
socket options (G)
9505
9007
Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned\&.
9506
9008
.sp
9507
9009
This option will typically be used to tune your Samba server for optimal performance for your local network\&. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself\&. We strongly suggest you read the appropriate documentation for your operating system first (perhaps
9508
\FCman setsockopt\F[]
9010
man setsockopt
9509
9011
will help)\&.
9510
9012
.sp
9511
9013
You may find that on some systems Samba will say "Unknown socket option" when you supply an option\&. This means you either incorrectly typed it or you need to add an include file to includes\&.h for your OS\&. If the latter is the case please send the patch to
9630
9132
take an integer argument\&. The others can optionally take a 1 or 0 argument to enable or disable the option, by default they will be enabled if you don\'t specify 1 or 0\&.
9631
9133
.sp
9632
9134
To specify an argument use the syntax SOME_OPTION = VALUE for example
9633
\FCSO_SNDBUF = 8192\F[]\&. Note that you must not have any spaces before or after the = sign\&.
9135
SO_SNDBUF = 8192\&. Note that you must not have any spaces before or after the = sign\&.
9634
9136
.sp
9635
9137
If you are on a local network then a sensible option might be:
9636
9138
.sp
9637
\FCsocket options = IPTOS_LOWDELAY\F[]
9139
socket options = IPTOS_LOWDELAY
9638
9140
.sp
9639
9141
If you have a local network then you could try:
9640
9142
.sp
9641
\FCsocket options = IPTOS_LOWDELAY TCP_NODELAY\F[]
9143
socket options = IPTOS_LOWDELAY TCP_NODELAY
9642
9144
.sp
9643
9145
If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT\&.
9644
9146
.sp
9645
9147
Note that several of the options may cause your Samba server to fail completely\&. Use these options with caution!
9646
9148
.sp
9647
9149
Default:
9648
\fI\fIsocket options\fR\fR\fI = \fR\fI\FCTCP_NODELAY\F[]\fR\fI \fR
9150
\fI\fIsocket options\fR\fR\fI = \fR\fITCP_NODELAY\fR\fI \fR
9649
9151
.sp
9650
9152
Example:
9651
\fI\fIsocket options\fR\fR\fI = \fR\fI\FCIPTOS_LOWDELAY\F[]\fR\fI \fR
9153
\fI\fIsocket options\fR\fR\fI = \fR\fIIPTOS_LOWDELAY\fR\fI \fR
9652
9154
.RE
9653
9155
9654
9156
stat cache (G)
9660
9162
will use a cache in order to speed up case insensitive name mappings\&. You should never need to change this parameter\&.
9661
9163
.sp
9662
9164
Default:
9663
\fI\fIstat cache\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
9165
\fI\fIstat cache\fR\fR\fI = \fR\fIyes\fR\fI \fR
9166
.RE
9167
9168
state directory (G)
9169
.\" state directory
9170
.PP
9171
.RS 4
9172
Usually, most of the TDB files are stored in the
9173
\fIlock directory\fR\&. Since Samba 3\&.4\&.0, it is possible to differentiate between TDB files with persistent data and TDB files with non\-persistent data using the
9174
\fIstate directory\fR
9175
and the
9176
\fIcache directory\fR
9177
options\&.
9178
.sp
9179
This option specifies the directory where TDB files containing persistent data will be stored\&.
9180
.sp
9181
Default:
9182
\fI\fIstate directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
9183
.sp
9184
Example:
9185
\fI\fIstate directory\fR\fR\fI = \fR\fI/var/run/samba/locks/state\fR\fI \fR
9664
9186
.RE
9665
9187
9666
9188
store dos attributes (S)
9679
9201
must be set to off\&. This parameter writes the DOS attributes as a string into the extended attribute named "user\&.DOSATTRIB"\&. This extended attribute is explicitly hidden from smbd clients requesting an EA list\&. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel\&.
9680
9202
.sp
9681
9203
Default:
9682
\fI\fIstore dos attributes\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9204
\fI\fIstore dos attributes\fR\fR\fI = \fR\fIno\fR\fI \fR
9683
9205
.RE
9684
9206
9685
9207
strict allocate (S)
9699
9221
can help Samba return out of quota messages on systems that are restricting the disk quota of users\&.
9700
9222
.sp
9701
9223
Default:
9702
\fI\fIstrict allocate\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9224
\fI\fIstrict allocate\fR\fR\fI = \fR\fIno\fR\fI \fR
9703
9225
.RE
9704
9226
9705
9227
strict locking (S)
9714
9236
When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them\&.
9715
9237
.sp
9716
9238
Well\-behaved clients always ask for lock checks when it is important\&. So in the vast majority of cases,
9717
\FCstrict locking = Auto\F[]
9239
strict locking = Auto
9718
9240
or
9719
\FCstrict locking = no\F[]
9241
strict locking = no
9720
9242
is acceptable\&.
9721
9243
.sp
9722
9244
Default:
9723
\fI\fIstrict locking\fR\fR\fI = \fR\fI\FCAuto\F[]\fR\fI \fR
9245
\fI\fIstrict locking\fR\fR\fI = \fR\fIAuto\fR\fI \fR
9724
9246
.RE
9725
9247
9726
9248
strict sync (S)
9734
9256
ignores the Windows applications requests for a sync call\&. There is only a possibility of losing data if the operating system itself that Samba is running on crashes, so there is little danger in this default setting\&. In addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies\&.
9735
9257
.sp
9736
9258
Default:
9737
\fI\fIstrict sync\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9259
\fI\fIstrict sync\fR\fR\fI = \fR\fIno\fR\fI \fR
9738
9260
.RE
9739
9261
9740
9262
svcctl list (G)
9744
9266
This option defines a list of init scripts that smbd will use for starting and stopping Unix services via the Win32 ServiceControl API\&. This allows Windows administrators to utilize the MS Management Console plug\-ins to manage a Unix server running Samba\&.
9745
9267
.sp
9746
9268
The administrator must create a directory name
9747
\FCsvcctl\F[]
9269
svcctl
9748
9270
in Samba\'s $(libdir) and create symbolic links to the init scripts in
9749
\FC/etc/init\&.d/\F[]\&. The name of the links must match the names given as part of the
9271
/etc/init\&.d/\&. The name of the links must match the names given as part of the
9750
9272
\fIsvcctl list\fR\&.
9751
9273
.sp
9752
9274
Default:
9753
\fI\fIsvcctl list\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
9275
\fI\fIsvcctl list\fR\fR\fI = \fR\fI\fR\fI \fR
9754
9276
.sp
9755
9277
Example:
9756
\fI\fIsvcctl list\fR\fR\fI = \fR\fI\FCcups postfix portmap httpd\F[]\fR\fI \fR
9278
\fI\fIsvcctl list\fR\fR\fI = \fR\fIcups postfix portmap httpd\fR\fI \fR
9757
9279
.RE
9758
9280
9759
9281
sync always (S)
9765
9287
then the server will be guided by the client\'s request in each write call (clients can set a bit indicating that a particular write should be synchronous)\&. If this is
9766
9288
\fByes\fR
9767
9289
then every write will be followed by a
9768
\FCfsync() \F[]
9290
fsync()
9769
9291
call to ensure the data is written to disk\&. Note that the
9770
9292
\fIstrict sync\fR
9771
9293
parameter must be set to
9773
9295
in order for this parameter to have any effect\&.
9774
9296
.sp
9775
9297
Default:
9776
\fI\fIsync always\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9298
\fI\fIsync always\fR\fR\fI = \fR\fIno\fR\fI \fR
9777
9299
.RE
9778
9300
9779
9301
syslog only (G)
9785
9307
is enabled\&.
9786
9308
.sp
9787
9309
Default:
9788
\fI\fIsyslog only\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9310
\fI\fIsyslog only\fR\fR\fI = \fR\fIno\fR\fI \fR
9789
9311
.RE
9790
9312
9791
9313
syslog (G)
9803
9325
is enabled\&.
9804
9326
.sp
9805
9327
Default:
9806
\fI\fIsyslog\fR\fR\fI = \fR\fI\FC1\F[]\fR\fI \fR
9328
\fI\fIsyslog\fR\fR\fI = \fR\fI1\fR\fI \fR
9807
9329
.RE
9808
9330
9809
9331
template homedir (G)
9819
9341
is present it is substituted with the user\'s Windows NT user name\&.
9820
9342
.sp
9821
9343
Default:
9822
\fI\fItemplate homedir\fR\fR\fI = \fR\fI\FC/home/%D/%U\F[]\fR\fI \fR
9344
\fI\fItemplate homedir\fR\fR\fI = \fR\fI/home/%D/%U\fR\fI \fR
9823
9345
.RE
9824
9346
9825
9347
template shell (G)
9840
9362
This parameter is a setting in minutes to add to the normal GMT to local time conversion\&. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling\&.
9841
9363
.sp
9842
9364
Default:
9843
\fI\fItime offset\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
9365
\fI\fItime offset\fR\fR\fI = \fR\fI0\fR\fI \fR
9844
9366
.sp
9845
9367
Example:
9846
\fI\fItime offset\fR\fR\fI = \fR\fI\FC60\F[]\fR\fI \fR
9368
\fI\fItime offset\fR\fR\fI = \fR\fI60\fR\fI \fR
9847
9369
.RE
9848
9370
9849
9371
time server (G)
9855
9377
advertises itself as a time server to Windows clients\&.
9856
9378
.sp
9857
9379
Default:
9858
\fI\fItime server\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9380
\fI\fItime server\fR\fR\fI = \fR\fIno\fR\fI \fR
9859
9381
.RE
9860
9382
9861
9383
unix charset (G)
9867
9389
This is also the charset Samba will use when specifying arguments to scripts that it invokes\&.
9868
9390
.sp
9869
9391
Default:
9870
\fI\fIunix charset\fR\fR\fI = \fR\fI\FCUTF8\F[]\fR\fI \fR
9392
\fI\fIunix charset\fR\fR\fI = \fR\fIUTF8\fR\fI \fR
9871
9393
.sp
9872
9394
Example:
9873
\fI\fIunix charset\fR\fR\fI = \fR\fI\FCASCII\F[]\fR\fI \fR
9395
\fI\fIunix charset\fR\fR\fI = \fR\fIASCII\fR\fI \fR
9874
9396
.RE
9875
9397
9876
9398
unix extensions (G)
9880
9402
This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP\&. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc\&.\&.\&. These extensions require a similarly enabled client, and are of no current use to Windows clients\&.
9881
9403
.sp
9882
9404
Default:
9883
\fI\fIunix extensions\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
9405
\fI\fIunix extensions\fR\fR\fI = \fR\fIyes\fR\fI \fR
9884
9406
.RE
9885
9407
9886
9408
unix password sync (G)
9896
9418
\- to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new)\&.
9897
9419
.sp
9898
9420
Default:
9899
\fI\fIunix password sync\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9421
\fI\fIunix password sync\fR\fR\fI = \fR\fIno\fR\fI \fR
9900
9422
.RE
9901
9423
9902
9424
update encrypted (G)
9917
9439
to work\&.
9918
9440
.sp
9919
9441
Note that even when this parameter is set, a user authenticating to
9920
\FCsmbd\F[]
9442
smbd
9921
9443
must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) passwords\&.
9922
9444
.sp
9923
9445
Default:
9924
\fI\fIupdate encrypted\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9446
\fI\fIupdate encrypted\fR\fR\fI = \fR\fIno\fR\fI \fR
9925
9447
.RE
9926
9448
9927
9449
use client driver (S)
9929
9451
.PP
9930
9452
.RS 4
9931
9453
This parameter applies only to Windows NT/2000 clients\&. It has no effect on Windows 95/98/ME clients\&. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver\&. From this point on, the client will treat the print as a local printer and not a network printer connection\&. This is much the same behavior that will occur when
9932
\FCdisable spoolss = yes\F[]\&.
9454
disable spoolss = yes\&.
9933
9455
.sp
9934
9456
The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS\-RPC\&. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user\&. If the user possesses local administator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail\&. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed)\&.
9935
9457
.sp
9937
9459
\fIThis parameter MUST not be enabled on a print share which has valid print driver installed on the Samba server\&.\fR
9938
9460
.sp
9939
9461
Default:
9940
\fI\fIuse client driver\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9462
\fI\fIuse client driver\fR\fR\fI = \fR\fIno\fR\fI \fR
9941
9463
.RE
9942
9464
9943
9465
use mmap (G)
9949
9471
by default on HPUX\&. On all other systems this parameter should be left alone\&. This parameter is provided to help the Samba developers track down problems with the tdb internal code\&.
9950
9472
.sp
9951
9473
Default:
9952
\fI\fIuse mmap\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
9474
\fI\fIuse mmap\fR\fR\fI = \fR\fIyes\fR\fI \fR
9953
9475
.RE
9954
9476
9955
9477
username level (G)
9964
9486
This parameter is needed only on UNIX systems that have case sensitive usernames\&.
9965
9487
.sp
9966
9488
Default:
9967
\fI\fIusername level\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
9489
\fI\fIusername level\fR\fR\fI = \fR\fI0\fR\fI \fR
9968
9490
.sp
9969
9491
Example:
9970
\fI\fIusername level\fR\fR\fI = \fR\fI\FC5\F[]\fR\fI \fR
9492
\fI\fIusername level\fR\fR\fI = \fR\fI5\fR\fI \fR
9971
9493
.RE
9972
9494
9973
9495
username map script (G)
9979
9501
parameter\&. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which the account should mapped)\&. In this way, it is possible to store username map tables in an LDAP or NIS directory services\&.
9980
9502
.sp
9981
9503
Default:
9982
\fI\fIusername map script\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
9504
\fI\fIusername map script\fR\fR\fI = \fR\fI\fR\fI \fR
9983
9505
.sp
9984
9506
Example:
9985
\fI\fIusername map script\fR\fR\fI = \fR\fI\FC/etc/samba/scripts/mapusers\&.sh\F[]\fR\fI \fR
9507
\fI\fIusername map script\fR\fR\fI = \fR\fI/etc/samba/scripts/mapusers\&.sh\fR\fI \fR
9986
9508
.RE
9987
9509
9988
9510
username map (G)
9992
9514
This option allows you to specify a file containing a mapping of usernames from the clients to the server\&. This can be used for several purposes\&. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&.
9993
9515
.sp
9994
9516
Please note that for user or share mode security, the username map is applied prior to validating the user credentials\&. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified enties in the map table (e\&.g\&. biddle =
9995
\FCDOMAIN\efoo\F[])\&.
9517
DOMAIN\efoo)\&.
9996
9518
.sp
9997
9519
The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a \'=\' followed by a list of usernames on the right\&. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group\&. The special client name \'*\' is a wildcard and matches any name\&. Each line of the map file may be up to 1023 characters long\&.
9998
9520
.sp
10013
9535
.if n \{\
10014
9536
.RS 4
10015
9537
.\}
10016
.fam C
10017
.ps -1
10018
9538
.nf
10019
.if t \{\
10020
.sp -1
10021
.\}
10022
.BB lightgray adjust-for-leading-newline
10023
.sp -1
10024
10025
\FCroot = admin administrator\F[]
10026
.EB lightgray adjust-for-leading-newline
10027
.if t \{\
10028
.sp 1
10029
.\}
9539
root = admin administrator
10030
9540
.fi
10031
.fam
10032
.ps +1
10033
9541
.if n \{\
10034
9542
.RE
10035
9543
.\}
10043
9551
.if n \{\
10044
9552
.RS 4
10045
9553
.\}
10046
.fam C
10047
.ps -1
10048
9554
.nf
10049
.if t \{\
10050
.sp -1
10051
.\}
10052
.BB lightgray adjust-for-leading-newline
10053
.sp -1
10054
10055
\FCsys = @system\F[]
10056
.EB lightgray adjust-for-leading-newline
10057
.if t \{\
10058
.sp 1
10059
.\}
9555
sys = @system
10060
9556
.fi
10061
.fam
10062
.ps +1
10063
9557
.if n \{\
10064
9558
.RE
10065
9559
.\}
10067
9561
You can have as many mappings as you like in a username map file\&.
10068
9562
.sp
10069
9563
If your system supports the NIS NETGROUP option then the netgroup database is checked before the
10070
\FC/etc/group \F[]
9564
/etc/group
10071
9565
database for matching groups\&.
10072
9566
.sp
10073
9567
You can map Windows usernames that have spaces in them by using double quotes around the name\&. For example:
10075
9569
.if n \{\
10076
9570
.RS 4
10077
9571
.\}
10078
.fam C
10079
.ps -1
10080
9572
.nf
10081
.if t \{\
10082
.sp -1
10083
.\}
10084
.BB lightgray adjust-for-leading-newline
10085
.sp -1
10086
10087
\FCtridge = "Andrew Tridgell"\F[]
10088
.EB lightgray adjust-for-leading-newline
10089
.if t \{\
10090
.sp 1
10091
.\}
9573
tridge = "Andrew Tridgell"
10092
9574
.fi
10093
.fam
10094
.ps +1
10095
9575
.if n \{\
10096
9576
.RE
10097
9577
.\}
10103
9583
.if n \{\
10104
9584
.RS 4
10105
9585
.\}
10106
.fam C
10107
.ps -1
10108
9586
.nf
10109
.if t \{\
10110
.sp -1
10111
.\}
10112
.BB lightgray adjust-for-leading-newline
10113
.sp -1
10114
10115
9587
!sys = mary fred
10116
9588
guest = *
10117
.EB lightgray adjust-for-leading-newline
10118
.if t \{\
10119
.sp 1
10120
.\}
10121
9589
.fi
10122
.fam
10123
.ps +1
10124
9590
.if n \{\
10125
9591
.RE
10126
9592
.\}
10139
9605
Also note that no reverse mapping is done\&. The main effect this has is with printing\&. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don\'t own the print job\&.
10140
9606
.sp
10141
9607
Samba versions prior to 3\&.0\&.8 would only support reading the fully qualified username (e\&.g\&.:
10142
\FCDOMAIN\euser\F[]) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
9608
DOMAIN\euser) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
10143
9609
.sp
10144
9610
The following functionality is obeyed in version 3\&.0\&.8 and later:
10145
9611
.sp
10146
9612
When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection\&.
10147
9613
.sp
10148
9614
When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i\&.e\&.
10149
\FCDOMAIN\euser\F[]) only after the user has been successfully authenticated\&.
9615
DOMAIN\euser) only after the user has been successfully authenticated\&.
10150
9616
.sp
10151
9617
An example of use is:
10152
9618
.sp
10153
9619
.if n \{\
10154
9620
.RS 4
10155
9621
.\}
10156
.fam C
10157
.ps -1
10158
9622
.nf
10159
.if t \{\
10160
.sp -1
10161
.\}
10162
.BB lightgray adjust-for-leading-newline
10163
.sp -1
10164
10165
9623
username map = /usr/local/samba/lib/users\&.map
10166
.EB lightgray adjust-for-leading-newline
10167
.if t \{\
10168
.sp 1
10169
.\}
10170
9624
.fi
10171
.fam
10172
.ps +1
10173
9625
.if n \{\
10174
9626
.RE
10175
9627
.\}
10176
9628
.sp
10177
9629
Default:
10178
\fI\fIusername map\fR\fR\fI = \fR\fI\FC # no username map\F[]\fR\fI \fR
9630
\fI\fIusername map\fR\fR\fI = \fR\fI # no username map\fR\fI \fR
10179
9631
.RE
10180
9632
10181
9633
user
10229
9681
for more information on how this parameter determines access to the services\&.
10230
9682
.sp
10231
9683
Default:
10232
\fI\fIusername\fR\fR\fI = \fR\fI\FC # The guest account if a guest service, else <empty string>\&.\F[]\fR\fI \fR
9684
\fI\fIusername\fR\fR\fI = \fR\fI # The guest account if a guest service, else <empty string>\&.\fR\fI \fR
10233
9685
.sp
10234
9686
Example:
10235
\fI\fIusername\fR\fR\fI = \fR\fI\FCfred, mary, jack, jane, @users, @pcgroup\F[]\fR\fI \fR
9687
\fI\fIusername\fR\fR\fI = \fR\fIfred, mary, jack, jane, @users, @pcgroup\fR\fI \fR
10236
9688
.RE
10237
9689
10238
9690
usershare allow guests (G)
10244
9696
in a share definition\&. Due to its security sensitive nature, the default is set to off\&.
10245
9697
.sp
10246
9698
Default:
10247
\fI\fIusershare allow guests\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9699
\fI\fIusershare allow guests\fR\fR\fI = \fR\fIno\fR\fI \fR
10248
9700
.RE
10249
9701
10250
9702
usershare max shares (G)
10254
9706
This parameter specifies the number of user defined shares that are allowed to be created by users belonging to the group owning the usershare directory\&. If set to zero (the default) user defined shares are ignored\&.
10255
9707
.sp
10256
9708
Default:
10257
\fI\fIusershare max shares\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
9709
\fI\fIusershare max shares\fR\fR\fI = \fR\fI0\fR\fI \fR
10258
9710
.RE
10259
9711
10260
9712
usershare owner only (G)
10264
9716
This parameter controls whether the pathname exported by a user defined shares must be owned by the user creating the user defined share or not\&. If set to True (the default) then smbd checks that the directory path being shared is owned by the user who owns the usershare file defining this share and refuses to create the share if not\&. If set to False then no such check is performed and any directory path may be exported regardless of who owns it\&.
10265
9717
.sp
10266
9718
Default:
10267
\fI\fIusershare owner only\fR\fR\fI = \fR\fI\FCTrue\F[]\fR\fI \fR
9719
\fI\fIusershare owner only\fR\fR\fI = \fR\fITrue\fR\fI \fR
10268
9720
.RE
10269
9721
10270
9722
usershare path (G)
10280
9732
.if n \{\
10281
9733
.RS 4
10282
9734
.\}
10283
.fam C
10284
.ps -1
10285
9735
.nf
10286
.if t \{\
10287
.sp -1
10288
.\}
10289
.BB lightgray adjust-for-leading-newline
10290
.sp -1
10291
10292
9736
ls \-ld /usr/local/samba/lib/usershares/
10293
9737
drwxrwx\-\-T 2 root power_users 4096 2006\-05\-05 12:27 /usr/local/samba/lib/usershares/
10294
9738
10295
.EB lightgray adjust-for-leading-newline
10296
.if t \{\
10297
.sp 1
10298
.\}
10299
9739
.fi
10300
.fam
10301
.ps +1
10302
9740
.if n \{\
10303
9741
.RE
10304
9742
.\}
10306
9744
In this case, only members of the group "power_users" can create user defined shares\&.
10307
9745
.sp
10308
9746
Default:
10309
\fI\fIusershare path\fR\fR\fI = \fR\fI\FCNULL\F[]\fR\fI \fR
9747
\fI\fIusershare path\fR\fR\fI = \fR\fINULL\fR\fI \fR
10310
9748
.RE
10311
9749
10312
9750
usershare prefix allow list (G)
10318
9756
If there is a "usershare prefix deny list" and also a "usershare prefix allow list" the deny list is processed first, followed by the allow list, thus leading to the most restrictive interpretation\&.
10319
9757
.sp
10320
9758
Default:
10321
\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fI\FCNULL\F[]\fR\fI \fR
9759
\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fINULL\fR\fI \fR
10322
9760
.sp
10323
9761
Example:
10324
\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fI\FC/home /data /space\F[]\fR\fI \fR
9762
\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fI/home /data /space\fR\fI \fR
10325
9763
.RE
10326
9764
10327
9765
usershare prefix deny list (G)
10333
9771
If there is a "usershare prefix deny list" and also a "usershare prefix allow list" the deny list is processed first, followed by the allow list, thus leading to the most restrictive interpretation\&.
10334
9772
.sp
10335
9773
Default:
10336
\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fI\FCNULL\F[]\fR\fI \fR
9774
\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fINULL\fR\fI \fR
10337
9775
.sp
10338
9776
Example:
10339
\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fI\FC/etc /dev /private\F[]\fR\fI \fR
9777
\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fI/etc /dev /private\fR\fI \fR
10340
9778
.RE
10341
9779
10342
9780
usershare template share (G)
10348
9786
The target share may be set to be invalid for real file sharing by setting the parameter "\-valid = False" on the template share definition\&. This causes it not to be seen as a real exported share but to be able to be used as a template for usershares\&.
10349
9787
.sp
10350
9788
Default:
10351
\fI\fIusershare template share\fR\fR\fI = \fR\fI\FCNULL\F[]\fR\fI \fR
9789
\fI\fIusershare template share\fR\fR\fI = \fR\fINULL\fR\fI \fR
10352
9790
.sp
10353
9791
Example:
10354
\fI\fIusershare template share\fR\fR\fI = \fR\fI\FCtemplate_share\F[]\fR\fI \fR
9792
\fI\fIusershare template share\fR\fR\fI = \fR\fItemplate_share\fR\fI \fR
10355
9793
.RE
10356
9794
10357
9795
use sendfile (S)
10364
9802
system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked\&. This may make more efficient use of the system CPU\'s and cause Samba to be faster\&. Samba automatically turns this off for clients that use protocol levels lower than NT LM 0\&.12 and when it detects a client is Windows 9x (using sendfile from Linux will cause these clients to fail)\&.
10365
9803
.sp
10366
9804
Default:
10367
\fI\fIuse sendfile\fR\fR\fI = \fR\fI\FCfalse\F[]\fR\fI \fR
9805
\fI\fIuse sendfile\fR\fR\fI = \fR\fIfalse\fR\fI \fR
10368
9806
.RE
10369
9807
10370
9808
use spnego (G)
10376
9814
Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled\&.
10377
9815
.sp
10378
9816
Default:
10379
\fI\fIuse spnego\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
9817
\fI\fIuse spnego\fR\fR\fI = \fR\fIyes\fR\fI \fR
10380
9818
.RE
10381
9819
10382
9820
utmp directory (G)
10384
9822
.PP
10385
9823
.RS 4
10386
9824
This parameter is only available if Samba has been configured and compiled with the option
10387
\FC \-\-with\-utmp\F[]\&. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server\&. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
10388
\FC/var/run/utmp\F[]
9825
\-\-with\-utmp\&. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server\&. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
9826
/var/run/utmp
10389
9827
on Linux)\&.
10390
9828
.sp
10391
9829
Default:
10392
\fI\fIutmp directory\fR\fR\fI = \fR\fI\FC # Determined automatically\F[]\fR\fI \fR
9830
\fI\fIutmp directory\fR\fR\fI = \fR\fI # Determined automatically\fR\fI \fR
10393
9831
.sp
10394
9832
Example:
10395
\fI\fIutmp directory\fR\fR\fI = \fR\fI\FC/var/run/utmp\F[]\fR\fI \fR
9833
\fI\fIutmp directory\fR\fR\fI = \fR\fI/var/run/utmp\fR\fI \fR
10396
9834
.RE
10397
9835
10398
9836
utmp (G)
10400
9838
.PP
10401
9839
.RS 4
10402
9840
This boolean parameter is only available if Samba has been configured and compiled with the option
10403
\FC\-\-with\-utmp\F[]\&. If set to
9841
\-\-with\-utmp\&. If set to
10404
9842
\fByes\fR
10405
9843
then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
10406
9844
.sp
10407
9845
Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
10408
9846
.sp
10409
9847
Default:
10410
\fI\fIutmp\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
9848
\fI\fIutmp\fR\fR\fI = \fR\fIno\fR\fI \fR
10411
9849
.RE
10412
9850
10413
9851
valid users (S)
10426
9864
\fI%S\fR\&. This is useful in the [homes] section\&.
10427
9865
.sp
10428
9866
Default:
10429
\fI\fIvalid users\fR\fR\fI = \fR\fI\FC # No valid users list (anyone can login) \F[]\fR\fI \fR
9867
\fI\fIvalid users\fR\fR\fI = \fR\fI # No valid users list (anyone can login) \fR\fI \fR
10430
9868
.sp
10431
9869
Example:
10432
\fI\fIvalid users\fR\fR\fI = \fR\fI\FCgreg, @pcusers\F[]\fR\fI \fR
9870
\fI\fIvalid users\fR\fR\fI = \fR\fIgreg, @pcusers\fR\fI \fR
10433
9871
.RE
10434
9872
10435
9873
\-valid (S)
10441
9879
This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
10442
9880
.sp
10443
9881
Default:
10444
\fI\fI\-valid\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
9882
\fI\fI\-valid\fR\fR\fI = \fR\fIyes\fR\fI \fR
10445
9883
.RE
10446
9884
10447
9885
veto files (S)
10472
9910
.if n \{\
10473
9911
.RS 4
10474
9912
.\}
10475
.fam C
10476
.ps -1
10477
9913
.nf
10478
.if t \{\
10479
.sp -1
10480
.\}
10481
.BB lightgray adjust-for-leading-newline
10482
.sp -1
10483
10484
9914
; Veto any files containing the word Security,
10485
9915
; any ending in \&.tmp, and any directory containing the
10486
9916
; word root\&.
10489
9919
; Veto the Apple specific files that a NetAtalk server
10490
9920
; creates\&.
10491
9921
veto files = /\&.AppleDouble/\&.bin/\&.AppleDesktop/Network Trash Folder/
10492
.EB lightgray adjust-for-leading-newline
10493
.if t \{\
10494
.sp 1
10495
.\}
10496
9922
.fi
10497
.fam
10498
.ps +1
10499
9923
.if n \{\
10500
9924
.RE
10501
9925
.\}
10502
9926
.sp
10503
9927
Default:
10504
\fI\fIveto files\fR\fR\fI = \fR\fI\FCNo files or directories are vetoed\&.\F[]\fR\fI \fR
9928
\fI\fIveto files\fR\fR\fI = \fR\fINo files or directories are vetoed\&.\fR\fI \fR
10505
9929
.RE
10506
9930
10507
9931
veto oplock files (S)
10515
9939
parameter\&.
10516
9940
.sp
10517
9941
You might want to do this on files that you know will be heavily contended for by clients\&. A good example of this is in the NetBench SMB benchmark program, which causes heavy client contention for files ending in
10518
\FC\&.SEM\F[]\&. To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for the particular NetBench share\&.
9942
\&.SEM\&. To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for the particular NetBench share\&.
10519
9943
.sp
10520
9944
An example of use is:
10521
9945
.sp
10522
9946
.if n \{\
10523
9947
.RS 4
10524
9948
.\}
10525
.fam C
10526
.ps -1
10527
9949
.nf
10528
.if t \{\
10529
.sp -1
10530
.\}
10531
.BB lightgray adjust-for-leading-newline
10532
.sp -1
10533
10534
9950
veto oplock files = /\&.*SEM/
10535
.EB lightgray adjust-for-leading-newline
10536
.if t \{\
10537
.sp 1
10538
.\}
10539
9951
.fi
10540
.fam
10541
.ps +1
10542
9952
.if n \{\
10543
9953
.RE
10544
9954
.\}
10545
9955
.sp
10546
9956
Default:
10547
\fI\fIveto oplock files\fR\fR\fI = \fR\fI\FC # No files are vetoed for oplock grants\F[]\fR\fI \fR
9957
\fI\fIveto oplock files\fR\fR\fI = \fR\fI # No files are vetoed for oplock grants\fR\fI \fR
10548
9958
.RE
10549
9959
10550
9960
vfs object
10562
9972
This parameter specifies the backend names which are used for Samba VFS I/O operations\&. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects\&.
10563
9973
.sp
10564
9974
Default:
10565
\fI\fIvfs objects\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
9975
\fI\fIvfs objects\fR\fR\fI = \fR\fI\fR\fI \fR
10566
9976
.sp
10567
9977
Example:
10568
\fI\fIvfs objects\fR\fR\fI = \fR\fI\FCextd_audit recycle\F[]\fR\fI \fR
9978
\fI\fIvfs objects\fR\fR\fI = \fR\fIextd_audit recycle\fR\fI \fR
10569
9979
.RE
10570
9980
10571
9981
volume (S)
10575
9985
This allows you to override the volume label returned for a share\&. Useful for CDROMs with installation programs that insist on a particular volume label\&.
10576
9986
.sp
10577
9987
Default:
10578
\fI\fIvolume\fR\fR\fI = \fR\fI\FC # the name of the share\F[]\fR\fI \fR
9988
\fI\fIvolume\fR\fR\fI = \fR\fI # the name of the share\fR\fI \fR
10579
9989
.RE
10580
9990
10581
9991
wide links (S)
10587
9997
Note that setting this parameter can have a negative effect on your server performance due to the extra system calls that Samba has to do in order to perform the link checks\&.
10588
9998
.sp
10589
9999
Default:
10590
\fI\fIwide links\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
10000
\fI\fIwide links\fR\fR\fI = \fR\fIyes\fR\fI \fR
10591
10001
.RE
10592
10002
10593
10003
winbind cache time (G)
10603
10013
option has been enabled\&.
10604
10014
.sp
10605
10015
Default:
10606
\fI\fIwinbind cache time\fR\fR\fI = \fR\fI\FC300\F[]\fR\fI \fR
10016
\fI\fIwinbind cache time\fR\fR\fI = \fR\fI300\fR\fI \fR
10607
10017
.RE
10608
10018
10609
10019
winbind enum groups (G)
10613
10023
On large installations using
10614
10024
\fBwinbindd\fR(8)
10615
10025
it may be necessary to suppress the enumeration of groups through the
10616
\FCsetgrent()\F[],
10617
\FCgetgrent()\F[]
10026
setgrent(),
10027
getgrent()
10618
10028
and
10619
\FCendgrent()\F[]
10029
endgrent()
10620
10030
group of system calls\&. If the
10621
10031
\fIwinbind enum groups\fR
10622
10032
parameter is
10623
10033
\fBno\fR, calls to the
10624
\FCgetgrent()\F[]
10034
getgrent()
10625
10035
system call will not return any data\&.
10626
10036
.if n \{\
10627
10037
.sp
10628
10038
.\}
10629
10039
.RS 4
10630
.BM yellow
10631
10040
.it 1 an-trap
10632
10041
.nr an-no-space-flag 1
10633
10042
.nr an-break-flag 1
10638
10047
.br
10639
10048
Turning off group enumeration may cause some programs to behave oddly\&.
10640
10049
.sp .5v
10641
.EM yellow
10642
10050
.RE
10643
10051
Default:
10644
\fI\fIwinbind enum groups\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10052
\fI\fIwinbind enum groups\fR\fR\fI = \fR\fIno\fR\fI \fR
10645
10053
.RE
10646
10054
10647
10055
winbind enum users (G)
10651
10059
On large installations using
10652
10060
\fBwinbindd\fR(8)
10653
10061
it may be necessary to suppress the enumeration of users through the
10654
\FCsetpwent()\F[],
10655
\FCgetpwent()\F[]
10062
setpwent(),
10063
getpwent()
10656
10064
and
10657
\FCendpwent()\F[]
10065
endpwent()
10658
10066
group of system calls\&. If the
10659
10067
\fIwinbind enum users\fR
10660
10068
parameter is
10661
10069
\fBno\fR, calls to the
10662
\FCgetpwent\F[]
10070
getpwent
10663
10071
system call will not return any data\&.
10664
10072
.if n \{\
10665
10073
.sp
10666
10074
.\}
10667
10075
.RS 4
10668
.BM yellow
10669
10076
.it 1 an-trap
10670
10077
.nr an-no-space-flag 1
10671
10078
.nr an-break-flag 1
10676
10083
.br
10677
10084
Turning off user enumeration may cause some programs to behave oddly\&. For example, the finger program relies on having access to the full user list when searching for matching usernames\&.
10678
10085
.sp .5v
10679
.EM yellow
10680
10086
.RE
10681
10087
Default:
10682
\fI\fIwinbind enum users\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10088
\fI\fIwinbind enum users\fR\fR\fI = \fR\fIno\fR\fI \fR
10683
10089
.RE
10684
10090
10685
10091
winbind expand groups (G)
10693
10099
Be aware that a high value for this parameter can result in system slowdown as the main parent winbindd daemon must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time\&.
10694
10100
.sp
10695
10101
Default:
10696
\fI\fIwinbind expand groups\fR\fR\fI = \fR\fI\FC1\F[]\fR\fI \fR
10102
\fI\fIwinbind expand groups\fR\fR\fI = \fR\fI1\fR\fI \fR
10697
10103
.RE
10698
10104
10699
10105
winbind nested groups (G)
10703
10109
If set to yes, this parameter activates the support for nested groups\&. Nested groups are also called local groups or aliases\&. They work like their counterparts in Windows: Nested groups are defined locally on any machine (they are shared between DC\'s through their SAM) and can contain users and global groups from any trusted SAM\&. To be able to use nested groups, you need to run nss_winbind\&.
10704
10110
.sp
10705
10111
Default:
10706
\fI\fIwinbind nested groups\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
10112
\fI\fIwinbind nested groups\fR\fR\fI = \fR\fIyes\fR\fI \fR
10707
10113
.RE
10708
10114
10709
10115
winbind normalize names (G)
10715
10121
This feature also enables the name aliasing API which can be used to make domain user and group names to a non\-qualified version\&. Please refer to the manpage for the configured idmap and nss_info plugin for the specifics on how to configure name aliasing for a specific configuration\&. Name aliasing takes precendence (and is mutually exclusive) over the whitespace replacement mechanism discussed previsouly\&.
10716
10122
.sp
10717
10123
Default:
10718
\fI\fIwinbind normalize names\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10124
\fI\fIwinbind normalize names\fR\fR\fI = \fR\fIno\fR\fI \fR
10719
10125
.sp
10720
10126
Example:
10721
\fI\fIwinbind normalize names\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
10127
\fI\fIwinbind normalize names\fR\fR\fI = \fR\fIyes\fR\fI \fR
10722
10128
.RE
10723
10129
10724
10130
winbind nss info (G)
10760
10166
.RE
10761
10167
.sp
10762
10168
Default:
10763
\fI\fIwinbind nss info\fR\fR\fI = \fR\fI\FCtemplate\F[]\fR\fI \fR
10169
\fI\fIwinbind nss info\fR\fR\fI = \fR\fItemplate\fR\fI \fR
10764
10170
.sp
10765
10171
Example:
10766
\fI\fIwinbind nss info\fR\fR\fI = \fR\fI\FCtemplate sfu\F[]\fR\fI \fR
10172
\fI\fIwinbind nss info\fR\fR\fI = \fR\fItemplate sfu\fR\fI \fR
10767
10173
.RE
10768
10174
10769
10175
winbind offline logon (G)
10775
10181
module using Cached Credentials\&. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache\&.
10776
10182
.sp
10777
10183
Default:
10778
\fI\fIwinbind offline logon\fR\fR\fI = \fR\fI\FCfalse\F[]\fR\fI \fR
10184
\fI\fIwinbind offline logon\fR\fR\fI = \fR\fIfalse\fR\fI \fR
10779
10185
.sp
10780
10186
Example:
10781
\fI\fIwinbind offline logon\fR\fR\fI = \fR\fI\FCtrue\F[]\fR\fI \fR
10187
\fI\fIwinbind offline logon\fR\fR\fI = \fR\fItrue\fR\fI \fR
10782
10188
.RE
10783
10189
10784
10190
winbind reconnect delay (G)
10790
10196
daemon will wait between attempts to contact a Domain controller for a domain that is determined to be down or not contactable\&.
10791
10197
.sp
10792
10198
Default:
10793
\fI\fIwinbind reconnect delay\fR\fR\fI = \fR\fI\FC30\F[]\fR\fI \fR
10199
\fI\fIwinbind reconnect delay\fR\fR\fI = \fR\fI30\fR\fI \fR
10794
10200
.RE
10795
10201
10796
10202
winbind refresh tickets (G)
10802
10208
module\&.
10803
10209
.sp
10804
10210
Default:
10805
\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fI\FCfalse\F[]\fR\fI \fR
10211
\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fIfalse\fR\fI \fR
10806
10212
.sp
10807
10213
Example:
10808
\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fI\FCtrue\F[]\fR\fI \fR
10214
\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fItrue\fR\fI \fR
10809
10215
.RE
10810
10216
10811
10217
winbind rpc only (G)
10813
10219
.PP
10814
10220
.RS 4
10815
10221
Setting this parameter to
10816
\FCyes\F[]
10222
yes
10817
10223
forces winbindd to use RPC instead of LDAP to retrieve information from Domain Controllers\&.
10818
10224
.sp
10819
10225
Default:
10820
\fI\fIwinbind rpc only\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10226
\fI\fIwinbind rpc only\fR\fR\fI = \fR\fIno\fR\fI \fR
10821
10227
.RE
10822
10228
10823
10229
winbind separator (G)
10826
10232
.RS 4
10827
10233
This parameter allows an admin to define the character used when listing a username of the form of
10828
10234
\fIDOMAIN \fR\e\fIuser\fR\&. This parameter is only applicable when using the
10829
\FCpam_winbind\&.so\F[]
10235
pam_winbind\&.so
10830
10236
and
10831
\FCnss_winbind\&.so\F[]
10237
nss_winbind\&.so
10832
10238
modules for UNIX services\&.
10833
10239
.sp
10834
10240
Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + is used as a special character for NIS in /etc/group\&.
10835
10241
.sp
10836
10242
Default:
10837
\fI\fIwinbind separator\fR\fR\fI = \fR\fI\FC\'\e\'\F[]\fR\fI \fR
10243
\fI\fIwinbind separator\fR\fR\fI = \fR\fI\'\e\'\fR\fI \fR
10838
10244
.sp
10839
10245
Example:
10840
\fI\fIwinbind separator\fR\fR\fI = \fR\fI\FC+\F[]\fR\fI \fR
10246
\fI\fIwinbind separator\fR\fR\fI = \fR\fI+\fR\fI \fR
10841
10247
.RE
10842
10248
10843
10249
winbind trusted domains only (G)
10845
10251
.PP
10846
10252
.RS 4
10847
10253
This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uid\'s for winbindd users in the hosts primary domain\&. Therefore, the user
10848
\FCDOMAIN\euser1\F[]
10254
DOMAIN\euser1
10849
10255
would be mapped to the account user1 in /etc/passwd instead of allocating a new uid for him or her\&.
10850
10256
.sp
10851
10257
This parameter is now deprecated in favor of the newer idmap_nss backend\&. Refer to the
10853
10259
man page for more information\&.
10854
10260
.sp
10855
10261
Default:
10856
\fI\fIwinbind trusted domains only\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10262
\fI\fIwinbind trusted domains only\fR\fR\fI = \fR\fIno\fR\fI \fR
10857
10263
.RE
10858
10264
10859
10265
winbind use default domain (G)
10865
10271
daemon should operate on users without domain component in their username\&. Users without a domain component are treated as is part of the winbindd server\'s own domain\&. While this does not benifit Windows users, it makes SSH, FTP and e\-mail function in a way much closer to the way they would in a native unix system\&.
10866
10272
.sp
10867
10273
Default:
10868
\fI\fIwinbind use default domain\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10274
\fI\fIwinbind use default domain\fR\fR\fI = \fR\fIno\fR\fI \fR
10869
10275
.sp
10870
10276
Example:
10871
\fI\fIwinbind use default domain\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
10277
\fI\fIwinbind use default domain\fR\fR\fI = \fR\fIyes\fR\fI \fR
10872
10278
.RE
10873
10279
10874
10280
wins hook (G)
10879
10285
.sp
10880
10286
The wins hook parameter specifies the name of a script or executable that will be called as follows:
10881
10287
.sp
10882
\FCwins_hook operation name nametype ttl IP_list\F[]
10288
wins_hook operation name nametype ttl IP_list
10883
10289
.sp
10884
10290
.RS 4
10885
10291
.ie n \{\
10937
10343
.sp
10938
10344
.RE
10939
10345
An example script that calls the BIND dynamic DNS update program
10940
\FCnsupdate\F[]
10346
nsupdate
10941
10347
is provided in the examples directory of the Samba source code\&.
10942
10348
.sp
10943
10349
\fINo default\fR
10954
10360
for some older clients\&.
10955
10361
.sp
10956
10362
Default:
10957
\fI\fIwins proxy\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10363
\fI\fIwins proxy\fR\fR\fI = \fR\fIno\fR\fI \fR
10958
10364
.RE
10959
10365
10960
10366
wins server (G)
10972
10378
.sp
10973
10379
.\}
10974
10380
.RS 4
10975
.BM yellow
10976
10381
.it 1 an-trap
10977
10382
.nr an-no-space-flag 1
10978
10383
.nr an-break-flag 1
10983
10388
.br
10984
10389
You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross\-subnet browsing to work correctly\&.
10985
10390
.sp .5v
10986
.EM yellow
10987
10391
.RE
10988
10392
See the chapter in the Samba3\-HOWTO on Network Browsing\&.
10989
10393
.sp
10990
10394
Default:
10991
\fI\fIwins server\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
10992
.sp
10993
Example:
10994
\fI\fIwins server\fR\fR\fI = \fR\fI\FCmary:192\&.9\&.200\&.1 fred:192\&.168\&.3\&.199 mary:192\&.168\&.2\&.61 # For this example when querying a certain name, 192\&.19\&.200\&.1 will be asked first and if that doesn\'t respond 192\&.168\&.2\&.61\&. If either of those doesn\'t know the name 192\&.168\&.3\&.199 will be queried\&.\F[]\fR\fI \fR
10995
.sp
10996
Example:
10997
\fI\fIwins server\fR\fR\fI = \fR\fI\FC192\&.9\&.200\&.1 192\&.168\&.2\&.61\F[]\fR\fI \fR
10395
\fI\fIwins server\fR\fR\fI = \fR\fI\fR\fI \fR
10396
.sp
10397
Example:
10398
\fI\fIwins server\fR\fR\fI = \fR\fImary:192\&.9\&.200\&.1 fred:192\&.168\&.3\&.199 mary:192\&.168\&.2\&.61 # For this example when querying a certain name, 192\&.19\&.200\&.1 will be asked first and if that doesn\'t respond 192\&.168\&.2\&.61\&. If either of those doesn\'t know the name 192\&.168\&.3\&.199 will be queried\&.\fR\fI \fR
10399
.sp
10400
Example:
10401
\fI\fIwins server\fR\fR\fI = \fR\fI192\&.9\&.200\&.1 192\&.168\&.2\&.61\fR\fI \fR
10998
10402
.RE
10999
10403
11000
10404
wins support (G)
11006
10410
process in Samba will act as a WINS server\&. You should not set this to
11007
10411
\fByes\fR
11008
10412
unless you have a multi\-subnetted network and you wish a particular
11009
\FCnmbd\F[]
10413
nmbd
11010
10414
to be your WINS server\&. Note that you should
11011
10415
\fINEVER\fR
11012
10416
set this to
11014
10418
on more than one machine in your network\&.
11015
10419
.sp
11016
10420
Default:
11017
\fI\fIwins support\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10421
\fI\fIwins support\fR\fR\fI = \fR\fIno\fR\fI \fR
11018
10422
.RE
11019
10423
11020
10424
workgroup (G)
11026
10430
setting\&.
11027
10431
.sp
11028
10432
Default:
11029
\fI\fIworkgroup\fR\fR\fI = \fR\fI\FCWORKGROUP\F[]\fR\fI \fR
10433
\fI\fIworkgroup\fR\fR\fI = \fR\fIWORKGROUP\fR\fI \fR
11030
10434
.sp
11031
10435
Example:
11032
\fI\fIworkgroup\fR\fR\fI = \fR\fI\FCMYGROUP\F[]\fR\fI \fR
10436
\fI\fIworkgroup\fR\fR\fI = \fR\fIMYGROUP\fR\fI \fR
11033
10437
.RE
11034
10438
11035
10439
writable
11048
10452
\m[blue]\fBread only\fR\m[]\&.
11049
10453
.sp
11050
10454
Default:
11051
\fI\fIwriteable\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
10455
\fI\fIwriteable\fR\fR\fI = \fR\fIno\fR\fI \fR
11052
10456
.RE
11053
10457
11054
10458
write cache size (S)
11064
10468
The integer parameter specifies the size of this cache (per oplocked file) in bytes\&.
11065
10469
.sp
11066
10470
Default:
11067
\fI\fIwrite cache size\fR\fR\fI = \fR\fI\FC0\F[]\fR\fI \fR
10471
\fI\fIwrite cache size\fR\fR\fI = \fR\fI0\fR\fI \fR
11068
10472
.sp
11069
10473
Example:
11070
\fI\fIwrite cache size\fR\fR\fI = \fR\fI\FC262144 # for a 256k cache size per file\F[]\fR\fI \fR
10474
\fI\fIwrite cache size\fR\fR\fI = \fR\fI262144 # for a 256k cache size per file\fR\fI \fR
11071
10475
.RE
11072
10476
11073
10477
write list (S)
11085
10489
in Samba 3\&.0\&.
11086
10490
.sp
11087
10491
Default:
11088
\fI\fIwrite list\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
10492
\fI\fIwrite list\fR\fR\fI = \fR\fI\fR\fI \fR
11089
10493
.sp
11090
10494
Example:
11091
\fI\fIwrite list\fR\fR\fI = \fR\fI\FCadmin, root, @staff\F[]\fR\fI \fR
10495
\fI\fIwrite list\fR\fR\fI = \fR\fIadmin, root, @staff\fR\fI \fR
11092
10496
.RE
11093
10497
11094
10498
write raw (G)
11098
10502
This parameter controls whether or not the server will support raw write SMB\'s when transferring data from clients\&. You should never need to change this parameter\&.
11099
10503
.sp
11100
10504
Default:
11101
\fI\fIwrite raw\fR\fR\fI = \fR\fI\FCyes\F[]\fR\fI \fR
10505
\fI\fIwrite raw\fR\fR\fI = \fR\fIyes\fR\fI \fR
11102
10506
.RE
11103
10507
11104
10508
wtmp directory (G)
11106
10510
.PP
11107
10511
.RS 4
11108
10512
This parameter is only available if Samba has been configured and compiled with the option
11109
\FC \-\-with\-utmp\F[]\&. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server\&. The difference with the utmp directory is the fact that user info is kept after a user has logged out\&.
10513
\-\-with\-utmp\&. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server\&. The difference with the utmp directory is the fact that user info is kept after a user has logged out\&.
11110
10514
.sp
11111
10515
By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
11112
\FC/var/run/wtmp\F[]
10516
/var/run/wtmp
11113
10517
on Linux)\&.
11114
10518
.sp
11115
10519
Default:
11116
\fI\fIwtmp directory\fR\fR\fI = \fR\fI\FC\F[]\fR\fI \fR
10520
\fI\fIwtmp directory\fR\fR\fI = \fR\fI\fR\fI \fR
11117
10521
.sp
11118
10522
Example:
11119
\fI\fIwtmp directory\fR\fR\fI = \fR\fI\FC/var/log/wtmp\F[]\fR\fI \fR
10523
\fI\fIwtmp directory\fR\fR\fI = \fR\fI/var/log/wtmp\fR\fI \fR
11120
10524
.RE
11121
10525
.SH "WARNINGS"
11122
10526
.PP
11127
10531
has no such limitation, but attempts to connect from such clients will fail if they truncate the service names\&. For this reason you should probably keep your service names down to eight characters in length\&.
11128
10532
.PP
11129
10533
Use of the
11130
\FC[homes]\F[]
10534
[homes]
11131
10535
and
11132
\FC[printers]\F[]
10536
[printers]
11133
10537
special sections make life for an administrator easy, but the various combinations of default attributes can be tricky\&. Take extreme care when designing these sections\&. In particular, ensure that the permissions on spool directories are correct\&.
11134
10538
.SH "VERSION"
11135
10539
.PP
Loggerhead is a web-based interface for Breezy
Version: 2.0.1