1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb.conf</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smb.conf.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smb.conf — The configuration file for the Samba suite</p></div><div class="refsect1" lang="en"><h2>SYNOPSIS</h2><p>The <tt>smb.conf</tt> file is a configuration
2 file for the Samba suite. <tt>smb.conf</tt> contains
3 runtime configuration information for the Samba programs. The <tt>smb.conf</tt> file
4 is designed to be configured and administered by the <a href="swat.8.html">swat(8)</a> program. The complete
5 description of the file format and possible parameters held within
6 are here for reference purposes.</p></div><div class="refsect1" lang="en"><a name="FILEFORMATSECT"></a><h2>FILE FORMAT</h2><p>The file consists of sections and parameters. A section
7 begins with the name of the section in square brackets and continues
8 until the next section begins. Sections contain parameters of the
9 form</p><p><i><tt>name</tt></i> = <i><tt>value
10 </tt></i></p><p>The file is line-based - that is, each newline-terminated
11 line represents either a comment, a section name or a parameter.</p><p>Section and parameter names are not case sensitive.</p><p>Only the first equals sign in a parameter is significant.
12 Whitespace before or after the first equals sign is discarded.
13 Leading, trailing and internal whitespace in section and parameter
14 names is irrelevant. Leading and trailing whitespace in a parameter
15 value is discarded. Internal whitespace within a parameter value
16 is retained verbatim.</p><p>Any line beginning with a semicolon (';') or a hash ('#')
17 character is ignored, as are lines containing only whitespace.</p><p>Any line ending in a '\' is continued
18 on the next line in the customary UNIX fashion.</p><p>The values following the equals sign in parameters are all
19 either a string (no quotes needed) or a boolean, which may be given
20 as yes/no, 0/1 or true/false. Case is not significant in boolean
21 values, but is preserved in string values. Some items such as
22 create modes are numeric.</p></div><div class="refsect1" lang="en"><h2>SECTION DESCRIPTIONS</h2><p>Each section in the configuration file (except for the
23 [global] section) describes a shared resource (known
24 as a "share"). The section name is the name of the
25 shared resource and the parameters within the section define
26 the shares attributes.</p><p>There are three special sections, [global],
27 [homes] and [printers], which are
28 described under <span class="emphasis"><em>special sections</em></span>. The
29 following notes apply to ordinary section descriptions.</p><p>A share consists of a directory to which access is being
30 given plus a description of the access rights which are granted
31 to the user of the service. Some housekeeping options are
32 also specifiable.</p><p>Sections are either file share services (used by the
33 client as an extension of their native file systems) or
34 printable services (used by the client to access print services
35 on the host running the server).</p><p>Sections may be designated <span class="emphasis"><em>guest</em></span> services,
36 in which case no password is required to access them. A specified
37 UNIX <span class="emphasis"><em>guest account</em></span> is used to define access
38 privileges in this case.</p><p>Sections other than guest services will require a password
39 to access them. The client provides the username. As older clients
40 only provide passwords and not usernames, you may specify a list
41 of usernames to check against the password using the "user ="
42 option in the share definition. For modern clients such as
43 Windows 95/98/ME/NT/2000, this should not be necessary.</p><p>Note that the access rights granted by the server are
44 masked by the access rights granted to the specified or guest
45 UNIX user by the host system. The server does not grant more
46 access than the host system grants.</p><p>The following sample section defines a file space share.
47 The user has write access to the path <tt>/home/bar</tt>.
48 The share is accessed via the share name "foo":</p><pre class="screen">
54 </pre><p>The following sample section defines a printable share.
55 The share is readonly, but printable. That is, the only write
56 access permitted is via calls to open, write to and close a
57 spool file. The <span class="emphasis"><em>guest ok</em></span> parameter means
58 access will be permitted as the default guest user (specified
59 elsewhere):</p><pre class="screen">
62 path = /usr/spool/public
67 </pre></div><div class="refsect1" lang="en"><h2>SPECIAL SECTIONS</h2><div class="refsect2" lang="en"><h3>The [global] section</h3><p>parameters in this section apply to the server
68 as a whole, or are defaults for sections which do not
69 specifically define certain items. See the notes
70 under PARAMETERS for more information.</p></div><div class="refsect2" lang="en"><a name="HOMESECT"></a><h3>The [homes] section</h3><p>If a section called homes is included in the
71 configuration file, services connecting clients to their
72 home directories can be created on the fly by the server.</p><p>When the connection request is made, the existing
73 sections are scanned. If a match is found, it is used. If no
74 match is found, the requested section name is treated as a
75 user name and looked up in the local password file. If the
76 name exists and the correct password has been given, a share is
77 created by cloning the [homes] section.</p><p>Some modifications are then made to the newly
78 created share:</p><div class="itemizedlist"><ul type="disc"><li><p>The share name is changed from homes to
79 the located username.</p></li><li><p>If no path was given, the path is set to
80 the user's home directory.</p></li></ul></div><p>If you decide to use a <span class="emphasis"><em>path =</em></span> line
81 in your [homes] section then you may find it useful
82 to use the %S macro. For example :</p><p><b><tt>path = /data/pchome/%S</tt></b></p><p>would be useful if you have different home directories
83 for your PCs than for UNIX access.</p><p>This is a fast and simple way to give a large number
84 of clients access to their home directories with a minimum
85 of fuss.</p><p>A similar process occurs if the requested section
86 name is "homes", except that the share name is not
87 changed to that of the requesting user. This method of using
88 the [homes] section works well if different users share
89 a client PC.</p><p>The [homes] section can specify all the parameters
90 a normal service section can specify, though some make more sense
91 than others. The following is a typical and suitable [homes]
92 section:</p><pre class="screen">
97 </pre><p>An important point is that if guest access is specified
98 in the [homes] section, all home directories will be
99 visible to all clients <span class="emphasis"><em>without a password</em></span>.
100 In the very unlikely event that this is actually desirable, it
101 would be wise to also specify <span class="emphasis"><em>read only
102 access</em></span>.</p><p>Note that the <span class="emphasis"><em>browseable</em></span> flag for
103 auto home directories will be inherited from the global browseable
104 flag, not the [homes] browseable flag. This is useful as
105 it means setting <span class="emphasis"><em>browseable = no</em></span> in
106 the [homes] section will hide the [homes] share but make
107 any auto home directories visible.</p></div><div class="refsect2" lang="en"><a name="PRINTERSSECT"></a><h3>The [printers] section</h3><p>This section works like [homes],
108 but for printers.</p><p>If a [printers] section occurs in the
109 configuration file, users are able to connect to any printer
110 specified in the local host's printcap file.</p><p>When a connection request is made, the existing sections
111 are scanned. If a match is found, it is used. If no match is found,
112 but a [homes] section exists, it is used as described
113 above. Otherwise, the requested section name is treated as a
114 printer name and the appropriate printcap file is scanned to see
115 if the requested section name is a valid printer share name. If
116 a match is found, a new printer share is created by cloning
117 the [printers] section.</p><p>A few modifications are then made to the newly created
118 share:</p><div class="itemizedlist"><ul type="disc"><li><p>The share name is set to the located printer
119 name</p></li><li><p>If no printer name was given, the printer name
120 is set to the located printer name</p></li><li><p>If the share does not permit guest access and
121 no username was given, the username is set to the located
122 printer name.</p></li></ul></div><p>Note that the [printers] service MUST be
123 printable - if you specify otherwise, the server will refuse
124 to load the configuration file.</p><p>Typically the path specified would be that of a
125 world-writeable spool directory with the sticky bit set on
126 it. A typical [printers] entry would look like
127 this:</p><pre class="screen"><tt>
129 path = /usr/spool/public
132 </tt></pre><p>All aliases given for a printer in the printcap file
133 are legitimate printer names as far as the server is concerned.
134 If your printing subsystem doesn't work like that, you will have
135 to set up a pseudo-printcap. This is a file consisting of one or
136 more lines like this:</p><pre class="screen">
138 alias|alias|alias|alias...
140 </pre><p>Each alias should be an acceptable printer name for
141 your printing subsystem. In the [global] section, specify
142 the new file as your printcap. The server will then only recognize
143 names found in your pseudo-printcap, which of course can contain
144 whatever aliases you like. The same technique could be used
145 simply to limit access to a subset of your local printers.</p><p>An alias, by the way, is defined as any component of the
146 first entry of a printcap record. Records are separated by newlines,
147 components (if there are more than one) are separated by vertical
148 bar symbols ('|').</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>On SYSV systems which use lpstat to determine what
149 printers are defined on the system you may be able to use
150 "printcap name = lpstat" to automatically obtain a list
151 of printers. See the "printcap name" option
152 for more details.</p></div></div></div><div class="refsect1" lang="en"><h2>PARAMETERS</h2><p>parameters define the specific attributes of sections.</p><p>Some parameters are specific to the [global] section
153 (e.g., <span class="emphasis"><em>security</em></span>). Some parameters are usable
154 in all sections (e.g., <span class="emphasis"><em>create mode</em></span>). All others
155 are permissible only in normal sections. For the purposes of the
156 following descriptions the [homes] and [printers]
157 sections will be considered normal. The letter <span class="emphasis"><em>G</em></span>
158 in parentheses indicates that a parameter is specific to the
159 [global] section. The letter <span class="emphasis"><em>S</em></span>
160 indicates that a parameter can be specified in a service specific
161 section. Note that all <span class="emphasis"><em>S</em></span> parameters can also be specified in
162 the [global] section - in which case they will define
163 the default behavior for all services.</p><p>parameters are arranged here in alphabetical order - this may
164 not create best bedfellows, but at least you can find them! Where
165 there are synonyms, the preferred synonym is described, others refer
166 to the preferred synonym.</p></div><div class="refsect1" lang="en"><h2>VARIABLE SUBSTITUTIONS</h2><p>Many of the strings that are settable in the config file
167 can take substitutions. For example the option "path =
168 /tmp/%u" would be interpreted as "path =
169 /tmp/john" if the user connected with the username john.</p><p>These substitutions are mostly noted in the descriptions below,
170 but there are some general substitutions which apply whenever they
171 might be relevant. These are:</p><div class="variablelist"><dl><dt><span class="term">%U</span></dt><dd><p>session user name (the user name that the client
172 wanted, not necessarily the same as the one they got).</p></dd><dt><span class="term">%G</span></dt><dd><p>primary group name of %U.</p></dd><dt><span class="term">%h</span></dt><dd><p>the Internet hostname that Samba is running
173 on.</p></dd><dt><span class="term">%m</span></dt><dd><p>the NetBIOS name of the client machine
174 (very useful).</p></dd><dt><span class="term">%L</span></dt><dd><p>the NetBIOS name of the server. This allows you
175 to change your config based on what the client calls you. Your
176 server can have a "dual personality".</p><p>Note that this parameter is not available when Samba listens
177 on port 445, as clients no longer send this information </p></dd><dt><span class="term">%M</span></dt><dd><p>the Internet name of the client machine.
178 </p></dd><dt><span class="term">%R</span></dt><dd><p>the selected protocol level after
179 protocol negotiation. It can be one of CORE, COREPLUS,
180 LANMAN1, LANMAN2 or NT1.</p></dd><dt><span class="term">%d</span></dt><dd><p>The process id of the current server
181 process.</p></dd><dt><span class="term">%a</span></dt><dd><p>the architecture of the remote
182 machine. Only some are recognized, and those may not be
183 100% reliable. It currently recognizes Samba, WfWg, Win95,
184 WinNT and Win2k. Anything else will be known as
185 "UNKNOWN". If it gets it wrong then sending a level
186 3 log to <a href="mailto:samba@samba.org" target="_top">samba@samba.org
187 </a> should allow it to be fixed.</p></dd><dt><span class="term">%I</span></dt><dd><p>The IP address of the client machine.</p></dd><dt><span class="term">%T</span></dt><dd><p>the current date and time.</p></dd><dt><span class="term">%D</span></dt><dd><p>Name of the domain or workgroup of the current user.</p></dd><dt><span class="term">%$(<i><tt>envvar</tt></i>)</span></dt><dd><p>The value of the environment variable
188 <i><tt>envar</tt></i>.</p></dd></dl></div><p>The following substitutes apply only to some configuration options(only those
189 that are used when a connection has been established):</p><div class="variablelist"><dl><dt><span class="term">%S</span></dt><dd><p>the name of the current service, if any.</p></dd><dt><span class="term">%P</span></dt><dd><p>the root directory of the current service,
190 if any.</p></dd><dt><span class="term">%u</span></dt><dd><p>user name of the current service, if any.</p></dd><dt><span class="term">%g</span></dt><dd><p>primary group name of %u.</p></dd><dt><span class="term">%H</span></dt><dd><p>the home directory of the user given
191 by %u.</p></dd><dt><span class="term">%N</span></dt><dd><p>the name of your NIS home directory server.
192 This is obtained from your NIS auto.map entry. If you have
193 not compiled Samba with the <span class="emphasis"><em>--with-automount</em></span>
194 option then this value will be the same as %L.</p></dd><dt><span class="term">%p</span></dt><dd><p>the path of the service's home directory,
195 obtained from your NIS auto.map entry. The NIS auto.map entry
196 is split up as "%N:%p".</p></dd></dl></div><p>There are some quite creative things that can be done
197 with these substitutions and other smb.conf options.</p></div><div class="refsect1" lang="en"><a name="NAMEMANGLINGSECT"></a><h2>NAME MANGLING</h2><p>Samba supports "name mangling" so that DOS and
198 Windows clients can use files that don't conform to the 8.3 format.
199 It can also be set to adjust the case of 8.3 format filenames.</p><p>There are several options that control the way mangling is
200 performed, and they are grouped here rather than listed separately.
201 For the defaults look at the output of the testparm program. </p><p>All of these options can be set separately for each service
202 (or globally, of course). </p><p>The options are: </p><div class="variablelist"><dl><dt><span class="term">mangle case = yes/no</span></dt><dd><p> controls if names that have characters that
203 aren't of the "default" case are mangled. For example,
204 if this is yes then a name like "Mail" would be mangled.
205 Default <span class="emphasis"><em>no</em></span>.</p></dd><dt><span class="term">case sensitive = yes/no</span></dt><dd><p>controls whether filenames are case sensitive. If
206 they aren't then Samba must do a filename search and match on passed
207 names. Default <span class="emphasis"><em>no</em></span>.</p></dd><dt><span class="term">default case = upper/lower</span></dt><dd><p>controls what the default case is for new
208 filenames. Default <span class="emphasis"><em>lower</em></span>.</p></dd><dt><span class="term">preserve case = yes/no</span></dt><dd><p>controls if new files are created with the
209 case that the client passes, or if they are forced to be the
210 "default" case. Default <span class="emphasis"><em>yes</em></span>.
211 </p></dd><dt><span class="term">short preserve case = yes/no</span></dt><dd><p>controls if new files which conform to 8.3 syntax,
212 that is all in upper case and of suitable length, are created
213 upper case, or if they are forced to be the "default"
214 case. This option can be use with "preserve case = yes"
215 to permit long filenames to retain their case, while short names
216 are lowercased. Default <span class="emphasis"><em>yes</em></span>.</p></dd></dl></div><p>By default, Samba 3.0 has the same semantics as a Windows
217 NT server, in that it is case insensitive but case preserving.</p></div><div class="refsect1" lang="en"><a name="VALIDATIONSECT"></a><h2>NOTE ABOUT USERNAME/PASSWORD VALIDATION</h2><p>There are a number of ways in which a user can connect
218 to a service. The server uses the following steps in determining
219 if it will allow a connection to a specified service. If all the
220 steps fail, then the connection request is rejected. However, if one of the
221 steps succeeds, then the following steps are not checked.</p><p>If the service is marked "guest only = yes" and the
222 server is running with share-level security ("security = share")
223 then steps 1 to 5 are skipped.</p><div class="orderedlist"><ol type="1"><li><p>If the client has passed a username/password
224 pair and that username/password pair is validated by the UNIX
225 system's password programs then the connection is made as that
226 username. Note that this includes the
227 \\server\service%<i><tt>username</tt></i> method of passing
228 a username.</p></li><li><p>If the client has previously registered a username
229 with the system and now supplies a correct password for that
230 username then the connection is allowed.</p></li><li><p>The client's NetBIOS name and any previously
231 used user names are checked against the supplied password, if
232 they match then the connection is allowed as the corresponding
233 user.</p></li><li><p>If the client has previously validated a
234 username/password pair with the server and the client has passed
235 the validation token then that username is used. </p></li><li><p>If a "user = " field is given in the
236 <tt>smb.conf</tt> file for the service and the client
237 has supplied a password, and that password matches (according to
238 the UNIX system's password checking) with one of the usernames
239 from the "user =" field then the connection is made as
240 the username in the "user =" line. If one
241 of the username in the "user =" list begins with a
242 '@' then that name expands to a list of names in
243 the group of the same name.</p></li><li><p>If the service is a guest service then a
244 connection is made as the username given in the "guest
245 account =" for the service, irrespective of the
246 supplied password.</p></li></ol></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF GLOBAL PARAMETERS</h2><p>Here is a list of all global parameters. See the section of
247 each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ABORTSHUTDOWNSCRIPT"><i><tt>abort shutdown script</tt></i></a></p></li><li><p><a href="#ADDGROUPSCRIPT"><i><tt>add group script</tt></i></a></p></li><li><p><a href="#ADDMACHINESCRIPT"><i><tt>add machine script</tt></i></a></p></li><li><p><a href="#ADDPRINTERCOMMAND"><i><tt>addprinter command</tt></i></a></p></li><li><p><a href="#ADDSHARECOMMAND"><i><tt>add share command</tt></i></a></p></li><li><p><a href="#ADDUSERSCRIPT"><i><tt>add user script</tt></i></a></p></li><li><p><a href="#ADDUSERTOGROUPSCRIPT"><i><tt>add user to group script</tt></i></a></p></li><li><p><a href="#ADSSERVER"><i><tt>ads server</tt></i></a></p></li><li><p><a href="#ALGORITHMICRIDBASE"><i><tt>algorithmic rid base</tt></i></a></p></li><li><p><a href="#ALLOWTRUSTEDDOMAINS"><i><tt>allow trusted domains</tt></i></a></p></li><li><p><a href="#ANNOUNCEAS"><i><tt>announce as</tt></i></a></p></li><li><p><a href="#ANNOUNCEVERSION"><i><tt>announce version</tt></i></a></p></li><li><p><a href="#AUTHMETHODS"><i><tt>auth methods</tt></i></a></p></li><li><p><a href="#AUTOSERVICES"><i><tt>auto services</tt></i></a></p></li><li><p><a href="#BINDINTERFACESONLY"><i><tt>bind interfaces only</tt></i></a></p></li><li><p><a href="#BROWSELIST"><i><tt>browse list</tt></i></a></p></li><li><p><a href="#CHANGENOTIFYTIMEOUT"><i><tt>change notify timeout</tt></i></a></p></li><li><p><a href="#CHANGESHARECOMMAND"><i><tt>change share command</tt></i></a></p></li><li><p><a href="#CONFIGFILE"><i><tt>config file</tt></i></a></p></li><li><p><a href="#DEADTIME"><i><tt>dead time</tt></i></a></p></li><li><p><a href="#DEBUGHIRESTIMESTAMP"><i><tt>debug hires timestamp</tt></i></a></p></li><li><p><a href="#DEBUGLEVEL"><i><tt>debug level</tt></i></a></p></li><li><p><a href="#DEBUGPID"><i><tt>debug pid</tt></i></a></p></li><li><p><a href="#DEBUGTIMESTAMP"><i><tt>debug timestamp</tt></i></a></p></li><li><p><a href="#DEBUGUID"><i><tt>debug uid</tt></i></a></p></li><li><p><a href="#DEFAULTSERVICE"><i><tt>default service</tt></i></a></p></li><li><p><a href="#DEFAULT"><i><tt>default</tt></i></a></p></li><li><p><a href="#DELETEGROUPSCRIPT"><i><tt>delete group script</tt></i></a></p></li><li><p><a href="#DELETEPRINTERCOMMAND"><i><tt>deleteprinter command</tt></i></a></p></li><li><p><a href="#DELETESHARECOMMAND"><i><tt>delete share command</tt></i></a></p></li><li><p><a href="#DELETEUSERFROMGROUPSCRIPT"><i><tt>delete user from group script</tt></i></a></p></li><li><p><a href="#DELETEUSERSCRIPT"><i><tt>delete user script</tt></i></a></p></li><li><p><a href="#DFREECOMMAND"><i><tt>dfree command</tt></i></a></p></li><li><p><a href="#DISABLENETBIOS"><i><tt>disable netbios</tt></i></a></p></li><li><p><a href="#DISABLESPOOLSS"><i><tt>disable spoolss</tt></i></a></p></li><li><p><a href="#DISPLAYCHARSET"><i><tt>display charset</tt></i></a></p></li><li><p><a href="#DNSPROXY"><i><tt>dns proxy</tt></i></a></p></li><li><p><a href="#DOMAINLOGONS"><i><tt>domain logons</tt></i></a></p></li><li><p><a href="#DOMAINMASTER"><i><tt>domain master</tt></i></a></p></li><li><p><a href="#DOSCHARSET"><i><tt>dos charset</tt></i></a></p></li><li><p><a href="#ENCRYPTPASSWORDS"><i><tt>encrypt passwords</tt></i></a></p></li><li><p><a href="#ENHANCEDBROWSING"><i><tt>enhanced browsing</tt></i></a></p></li><li><p><a href="#ENUMPORTSCOMMAND"><i><tt>enumports command</tt></i></a></p></li><li><p><a href="#GETWDCACHE"><i><tt>getwd cache</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i><tt>guest account</tt></i></a></p></li><li><p><a href="#HIDELOCALUSERS"><i><tt>hide local users</tt></i></a></p></li><li><p><a href="#HOMEDIRMAP"><i><tt>homedir map</tt></i></a></p></li><li><p><a href="#HOSTMSDFS"><i><tt>host msdfs</tt></i></a></p></li><li><p><a href="#HOSTNAMELOOKUPS"><i><tt>hostname lookups</tt></i></a></p></li><li><p><a href="#HOSTSEQUIV"><i><tt>hosts equiv</tt></i></a></p></li><li><p><a href="#INCLUDE"><i><tt>include</tt></i></a></p></li><li><p><a href="#INTERFACES"><i><tt>interfaces</tt></i></a></p></li><li><p><a href="#KEEPALIVE"><i><tt>keepalive</tt></i></a></p></li><li><p><a href="#KERNELOPLOCKS"><i><tt>kernel oplocks</tt></i></a></p></li><li><p><a href="#LANMANAUTH"><i><tt>lanman auth</tt></i></a></p></li><li><p><a href="#LARGEREADWRITE"><i><tt>large readwrite</tt></i></a></p></li><li><p><a href="#LDAPADMINDN"><i><tt>ldap admin dn</tt></i></a></p></li><li><p><a href="#LDAPDELETEDN"><i><tt>ldap delete dn</tt></i></a></p></li><li><p><a href="#LDAPFILTER"><i><tt>ldap filter</tt></i></a></p></li><li><p><a href="#LDAPMACHINESUFFIX"><i><tt>ldap machine suffix</tt></i></a></p></li><li><p><a href="#LDAPPASSWDSYNC"><i><tt>ldap passwd sync</tt></i></a></p></li><li><p><a href="#LDAPPORT"><i><tt>ldap port</tt></i></a></p></li><li><p><a href="#LDAPSERVER"><i><tt>ldap server</tt></i></a></p></li><li><p><a href="#LDAPSSL"><i><tt>ldap ssl</tt></i></a></p></li><li><p><a href="#LDAPSUFFIX"><i><tt>ldap suffix</tt></i></a></p></li><li><p><a href="#LDAPTRUSTIDS"><i><tt>ldap trust ids</tt></i></a></p></li><li><p><a href="#LDAPUSERSUFFIX"><i><tt>ldap user suffix</tt></i></a></p></li><li><p><a href="#LMANNOUNCE"><i><tt>lm announce</tt></i></a></p></li><li><p><a href="#LMINTERVAL"><i><tt>lm interval</tt></i></a></p></li><li><p><a href="#LOADPRINTERS"><i><tt>load printers</tt></i></a></p></li><li><p><a href="#LOCALMASTER"><i><tt>local master</tt></i></a></p></li><li><p><a href="#LOCKDIRECTORY"><i><tt>lock directory</tt></i></a></p></li><li><p><a href="#LOCKDIR"><i><tt>lock dir</tt></i></a></p></li><li><p><a href="#LOCKSPINCOUNT"><i><tt>lock spin count</tt></i></a></p></li><li><p><a href="#LOCKSPINTIME"><i><tt>lock spin time</tt></i></a></p></li><li><p><a href="#LOGFILE"><i><tt>log file</tt></i></a></p></li><li><p><a href="#LOGLEVEL"><i><tt>log level</tt></i></a></p></li><li><p><a href="#LOGONDRIVE"><i><tt>logon drive</tt></i></a></p></li><li><p><a href="#LOGONHOME"><i><tt>logon home</tt></i></a></p></li><li><p><a href="#LOGONPATH"><i><tt>logon path</tt></i></a></p></li><li><p><a href="#LOGONSCRIPT"><i><tt>logon script</tt></i></a></p></li><li><p><a href="#LPQCACHETIME"><i><tt>lpq cache time</tt></i></a></p></li><li><p><a href="#MACHINEPASSWORDTIMEOUT"><i><tt>machine password timeout</tt></i></a></p></li><li><p><a href="#MANGLINGSTACK"><i><tt>mangling stack</tt></i></a></p></li><li><p><a href="#MANGLINGPREFIX"><i><tt>mangling prefix</tt></i></a></p></li><li><p><a href="#MANGLINGMETHOD"><i><tt>mangling method</tt></i></a></p></li><li><p><a href="#MAPTOGUEST"><i><tt>map to guest</tt></i></a></p></li><li><p><a href="#MAXDISKSIZE"><i><tt>max disk size</tt></i></a></p></li><li><p><a href="#MAXLOGSIZE"><i><tt>max log size</tt></i></a></p></li><li><p><a href="#MAXMUX"><i><tt>max mux</tt></i></a></p></li><li><p><a href="#MAXOPENFILES"><i><tt>max open files</tt></i></a></p></li><li><p><a href="#MAXPROTOCOL"><i><tt>max protocol</tt></i></a></p></li><li><p><a href="#MAXSMBDPROCESSES"><i><tt>max smbd processes</tt></i></a></p></li><li><p><a href="#MAXTTL"><i><tt>max ttl</tt></i></a></p></li><li><p><a href="#MAXWINSTTL"><i><tt>max wins ttl</tt></i></a></p></li><li><p><a href="#MAXXMIT"><i><tt>max xmit</tt></i></a></p></li><li><p><a href="#MESSAGECOMMAND"><i><tt>message command</tt></i></a></p></li><li><p><a href="#MINPASSWDLENGTH"><i><tt>min passwd length</tt></i></a></p></li><li><p><a href="#MINPASSWORDLENGTH"><i><tt>min password length</tt></i></a></p></li><li><p><a href="#MINPROTOCOL"><i><tt>min protocol</tt></i></a></p></li><li><p><a href="#MINWINSTTL"><i><tt>min wins ttl</tt></i></a></p></li><li><p><a href="#NAMECACHETIMEOUT"><i><tt>name cache timeout</tt></i></a></p></li><li><p><a href="#NAMERESOLVEORDER"><i><tt>name resolve order</tt></i></a></p></li><li><p><a href="#NETBIOSALIASES"><i><tt>netbios aliases</tt></i></a></p></li><li><p><a href="#NETBIOSNAME"><i><tt>netbios name</tt></i></a></p></li><li><p><a href="#NETBIOSSCOPE"><i><tt>netbios scope</tt></i></a></p></li><li><p><a href="#NISHOMEDIR"><i><tt>nis homedir</tt></i></a></p></li><li><p><a href="#NONUNIXACCOUNTRANGE"><i><tt>non unix account range</tt></i></a></p></li><li><p><a href="#NTLMAUTH"><i><tt>ntlm auth</tt></i></a></p></li><li><p><a href="#NTPIPESUPPORT"><i><tt>nt pipe support</tt></i></a></p></li><li><p><a href="#NTSTATUSSUPPORT"><i><tt>nt status support</tt></i></a></p></li><li><p><a href="#NULLPASSWORDS"><i><tt>null passwords</tt></i></a></p></li><li><p><a href="#OBEYPAMRESTRICTIONS"><i><tt>obey pam restrictions</tt></i></a></p></li><li><p><a href="#OPLOCKBREAKWAITTIME"><i><tt>oplock break wait time</tt></i></a></p></li><li><p><a href="#OS2DRIVERMAP"><i><tt>os2 driver map</tt></i></a></p></li><li><p><a href="#OSLEVEL"><i><tt>os level</tt></i></a></p></li><li><p><a href="#PAMPASSWORDCHANGE"><i><tt>pam password change</tt></i></a></p></li><li><p><a href="#PANICACTION"><i><tt>panic action</tt></i></a></p></li><li><p><a href="#PARANOIDSERVERSECURITY"><i><tt>paranoid server security</tt></i></a></p></li><li><p><a href="#PASSDBBACKEND"><i><tt>passdb backend</tt></i></a></p></li><li><p><a href="#PASSWDCHATDEBUG"><i><tt>passwd chat debug</tt></i></a></p></li><li><p><a href="#PASSWDCHAT"><i><tt>passwd chat</tt></i></a></p></li><li><p><a href="#PASSWDPROGRAM"><i><tt>passwd program</tt></i></a></p></li><li><p><a href="#PASSWORDLEVEL"><i><tt>password level</tt></i></a></p></li><li><p><a href="#PASSWORDSERVER"><i><tt>password server</tt></i></a></p></li><li><p><a href="#PIDDIRECTORY"><i><tt>pid directory</tt></i></a></p></li><li><p><a href="#PREFEREDMASTER"><i><tt>prefered master</tt></i></a></p></li><li><p><a href="#PREFERREDMASTER"><i><tt>preferred master</tt></i></a></p></li><li><p><a href="#PRELOADMODULES"><i><tt>preload modules</tt></i></a></p></li><li><p><a href="#PRELOAD"><i><tt>preload</tt></i></a></p></li><li><p><a href="#PRINTCAP"><i><tt>printcap</tt></i></a></p></li><li><p><a href="#PRIVATEDIR"><i><tt>private dir</tt></i></a></p></li><li><p><a href="#PROTOCOL"><i><tt>protocol</tt></i></a></p></li><li><p><a href="#READBMPX"><i><tt>read bmpx</tt></i></a></p></li><li><p><a href="#READRAW"><i><tt>read raw</tt></i></a></p></li><li><p><a href="#READSIZE"><i><tt>read size</tt></i></a></p></li><li><p><a href="#REALM"><i><tt>realm</tt></i></a></p></li><li><p><a href="#REMOTEANNOUNCE"><i><tt>remote announce</tt></i></a></p></li><li><p><a href="#REMOTEBROWSESYNC"><i><tt>remote browse sync</tt></i></a></p></li><li><p><a href="#RESTRICTANONYMOUS"><i><tt>restrict anonymous</tt></i></a></p></li><li><p><a href="#ROOTDIRECTORY"><i><tt>root directory</tt></i></a></p></li><li><p><a href="#ROOTDIR"><i><tt>root dir</tt></i></a></p></li><li><p><a href="#ROOT"><i><tt>root</tt></i></a></p></li><li><p><a href="#SECURITY"><i><tt>security</tt></i></a></p></li><li><p><a href="#SERVERSCHANNEL"><i><tt>server schannel</tt></i></a></p></li><li><p><a href="#SERVERSTRING"><i><tt>server string</tt></i></a></p></li><li><p><a href="#SETPRIMARYGROUPSCRIPT"><i><tt>set primary group script</tt></i></a></p></li><li><p><a href="#SHOWADDPRINTERWIZARD"><i><tt>show add printer wizard</tt></i></a></p></li><li><p><a href="#SHUTDOWNSCRIPT"><i><tt>shutdown script</tt></i></a></p></li><li><p><a href="#SMBPASSWDFILE"><i><tt>smb passwd file</tt></i></a></p></li><li><p><a href="#SMBPORTS"><i><tt>smb ports</tt></i></a></p></li><li><p><a href="#SOCKETADDRESS"><i><tt>socket address</tt></i></a></p></li><li><p><a href="#SOCKETOPTIONS"><i><tt>socket options</tt></i></a></p></li><li><p><a href="#SOURCEENVIRONMENT"><i><tt>source environment</tt></i></a></p></li><li><p><a href="#STATCACHESIZE"><i><tt>stat cache size</tt></i></a></p></li><li><p><a href="#STATCACHE"><i><tt>stat cache</tt></i></a></p></li><li><p><a href="#STRIPDOT"><i><tt>strip dot</tt></i></a></p></li><li><p><a href="#SYSLOGONLY"><i><tt>syslog only</tt></i></a></p></li><li><p><a href="#SYSLOG"><i><tt>syslog</tt></i></a></p></li><li><p><a href="#TEMPLATEHOMEDIR"><i><tt>template homedir</tt></i></a></p></li><li><p><a href="#TEMPLATESHELL"><i><tt>template shell</tt></i></a></p></li><li><p><a href="#TIMEOFFSET"><i><tt>time offset</tt></i></a></p></li><li><p><a href="#TIMESERVER"><i><tt>time server</tt></i></a></p></li><li><p><a href="#TIMESTAMPLOGS"><i><tt>timestamp logs</tt></i></a></p></li><li><p><a href="#TOTALPRINTJOBS"><i><tt>total print jobs</tt></i></a></p></li><li><p><a href="#UNICODE"><i><tt>unicode</tt></i></a></p></li><li><p><a href="#UNIXCHARSET"><i><tt>unix charset</tt></i></a></p></li><li><p><a href="#UNIXEXTENSIONS"><i><tt>unix extensions</tt></i></a></p></li><li><p><a href="#UNIXPASSWORDSYNC"><i><tt>unix password sync</tt></i></a></p></li><li><p><a href="#UPDATEENCRYPTED"><i><tt>update encrypted</tt></i></a></p></li><li><p><a href="#USEMMAP"><i><tt>use mmap</tt></i></a></p></li><li><p><a href="#USERNAMELEVEL"><i><tt>username level</tt></i></a></p></li><li><p><a href="#USERNAMEMAP"><i><tt>username map</tt></i></a></p></li><li><p><a href="#USESPNEGO"><i><tt>use spnego</tt></i></a></p></li><li><p><a href="#UTMPDIRECTORY"><i><tt>utmp directory</tt></i></a></p></li><li><p><a href="#UTMP"><i><tt>utmp</tt></i></a></p></li><li><p><a href="#WINBINDCACHETIME"><i><tt>winbind cache time</tt></i></a></p></li><li><p><a href="#WINBINDENUMGROUPS"><i><tt>winbind enum groups</tt></i></a></p></li><li><p><a href="#WINBINDENUMUSERS"><i><tt>winbind enum users</tt></i></a></p></li><li><p><a href="#WINBINDGID"><i><tt>winbind gid</tt></i></a></p></li><li><p><a href="#WINBINDSEPARATOR"><i><tt>winbind separator</tt></i></a></p></li><li><p><a href="#WINBINDUID"><i><tt>winbind uid</tt></i></a></p></li><li><p><a href="#WINBINDUSEDDEFAULTDOMAIN"><i><tt>winbind used default domain</tt></i></a></p></li><li><p><a href="#WINSHOOK"><i><tt>wins hook</tt></i></a></p></li><li><p><a href="#WINSPARTNER"><i><tt>wins partner</tt></i></a></p></li><li><p><a href="#WINSPROXY"><i><tt>wins proxy</tt></i></a></p></li><li><p><a href="#WINSSERVER"><i><tt>wins server</tt></i></a></p></li><li><p><a href="#WINSSUPPORT"><i><tt>wins support</tt></i></a></p></li><li><p><a href="#WORKGROUP"><i><tt>workgroup</tt></i></a></p></li><li><p><a href="#WRITERAW"><i><tt>write raw</tt></i></a></p></li><li><p><a href="#WTMPDIRECTORY"><i><tt>wtmp directory</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF SERVICE PARAMETERS</h2><p>Here is a list of all service parameters. See the section on
248 each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ADMINUSERS"><i><tt>admin users</tt></i></a></p></li><li><p><a href="#ALLOWHOSTS"><i><tt>allow hosts</tt></i></a></p></li><li><p><a href="#AVAILABLE"><i><tt>available</tt></i></a></p></li><li><p><a href="#BLOCKINGLOCKS"><i><tt>blocking locks</tt></i></a></p></li><li><p><a href="#BLOCKSIZE"><i><tt>block size</tt></i></a></p></li><li><p><a href="#BROWSABLE"><i><tt>browsable</tt></i></a></p></li><li><p><a href="#BROWSEABLE"><i><tt>browseable</tt></i></a></p></li><li><p><a href="#CASESENSITIVE"><i><tt>case sensitive</tt></i></a></p></li><li><p><a href="#CASESIGNAMES"><i><tt>casesignames</tt></i></a></p></li><li><p><a href="#COMMENT"><i><tt>comment</tt></i></a></p></li><li><p><a href="#COPY"><i><tt>copy</tt></i></a></p></li><li><p><a href="#CREATEMASK"><i><tt>create mask</tt></i></a></p></li><li><p><a href="#CREATEMODE"><i><tt>create mode</tt></i></a></p></li><li><p><a href="#CSCPOLICY"><i><tt>csc policy</tt></i></a></p></li><li><p><a href="#DEFAULTCASE"><i><tt>default case</tt></i></a></p></li><li><p><a href="#DEFAULTDEVMODE"><i><tt>default devmode</tt></i></a></p></li><li><p><a href="#DELETEREADONLY"><i><tt>delete readonly</tt></i></a></p></li><li><p><a href="#DELETEVETOFILES"><i><tt>delete veto files</tt></i></a></p></li><li><p><a href="#DENYHOSTS"><i><tt>deny hosts</tt></i></a></p></li><li><p><a href="#DIRECTORYMASK"><i><tt>directory mask</tt></i></a></p></li><li><p><a href="#DIRECTORYMODE"><i><tt>directory mode</tt></i></a></p></li><li><p><a href="#DIRECTORYSECURITYMASK"><i><tt>directory security mask</tt></i></a></p></li><li><p><a href="#DIRECTORY"><i><tt>directory</tt></i></a></p></li><li><p><a href="#DONTDESCEND"><i><tt>dont descend</tt></i></a></p></li><li><p><a href="#DOSFILEMODE"><i><tt>dos filemode</tt></i></a></p></li><li><p><a href="#DOSFILETIMERESOLUTION"><i><tt>dos filetime resolution</tt></i></a></p></li><li><p><a href="#DOSFILETIMES"><i><tt>dos filetimes</tt></i></a></p></li><li><p><a href="#EXEC"><i><tt>exec</tt></i></a></p></li><li><p><a href="#FAKEDIRECTORYCREATETIMES"><i><tt>fake directory create times</tt></i></a></p></li><li><p><a href="#FAKEOPLOCKS"><i><tt>fake oplocks</tt></i></a></p></li><li><p><a href="#FOLLOWSYMLINKS"><i><tt>follow symlinks</tt></i></a></p></li><li><p><a href="#FORCECREATEMODE"><i><tt>force create mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYMODE"><i><tt>force directory mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYSECURITYMODE"><i><tt>force directory security mode</tt></i></a></p></li><li><p><a href="#FORCEGROUP"><i><tt>force group</tt></i></a></p></li><li><p><a href="#FORCESECURITYMODE"><i><tt>force security mode</tt></i></a></p></li><li><p><a href="#FORCEUSER"><i><tt>force user</tt></i></a></p></li><li><p><a href="#FSTYPE"><i><tt>fstype</tt></i></a></p></li><li><p><a href="#GROUP"><i><tt>group</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i><tt>guest account</tt></i></a></p></li><li><p><a href="#GUESTOK"><i><tt>guest ok</tt></i></a></p></li><li><p><a href="#GUESTONLY"><i><tt>guest only</tt></i></a></p></li><li><p><a href="#HIDEDOTFILES"><i><tt>hide dot files</tt></i></a></p></li><li><p><a href="#HIDEFILES"><i><tt>hide files</tt></i></a></p></li><li><p><a href="#HIDESPECIALFILES"><i><tt>hide special files</tt></i></a></p></li><li><p><a href="#HIDEUNREADABLE"><i><tt>hide unreadable</tt></i></a></p></li><li><p><a href="#HIDEUNWRITEABLEFILES"><i><tt>hide unwriteable files</tt></i></a></p></li><li><p><a href="#HOSTSALLOW"><i><tt>hosts allow</tt></i></a></p></li><li><p><a href="#HOSTSDENY"><i><tt>hosts deny</tt></i></a></p></li><li><p><a href="#INHERITACLS"><i><tt>inherit acls</tt></i></a></p></li><li><p><a href="#INHERITPERMISSIONS"><i><tt>inherit permissions</tt></i></a></p></li><li><p><a href="#INVALIDUSERS"><i><tt>invalid users</tt></i></a></p></li><li><p><a href="#LEVEL2OPLOCKS"><i><tt>level2 oplocks</tt></i></a></p></li><li><p><a href="#LOCKING"><i><tt>locking</tt></i></a></p></li><li><p><a href="#LPPAUSECOMMAND"><i><tt>lppause command</tt></i></a></p></li><li><p><a href="#LPQCOMMAND"><i><tt>lpq command</tt></i></a></p></li><li><p><a href="#LPRESUMECOMMAND"><i><tt>lpresume command</tt></i></a></p></li><li><p><a href="#LPRMCOMMAND"><i><tt>lprm command</tt></i></a></p></li><li><p><a href="#MAGICOUTPUT"><i><tt>magic output</tt></i></a></p></li><li><p><a href="#MAGICSCRIPT"><i><tt>magic script</tt></i></a></p></li><li><p><a href="#MANGLECASE"><i><tt>mangle case</tt></i></a></p></li><li><p><a href="#MANGLEDMAP"><i><tt>mangled map</tt></i></a></p></li><li><p><a href="#MANGLEDNAMES"><i><tt>mangled names</tt></i></a></p></li><li><p><a href="#MANGLINGCHAR"><i><tt>mangling char</tt></i></a></p></li><li><p><a href="#MAPARCHIVE"><i><tt>map archive</tt></i></a></p></li><li><p><a href="#MAPHIDDEN"><i><tt>map hidden</tt></i></a></p></li><li><p><a href="#MAPSYSTEM"><i><tt>map system</tt></i></a></p></li><li><p><a href="#MAXCONNECTIONS"><i><tt>max connections</tt></i></a></p></li><li><p><a href="#MAXPRINTJOBS"><i><tt>max print jobs</tt></i></a></p></li><li><p><a href="#MINPRINTSPACE"><i><tt>min print space</tt></i></a></p></li><li><p><a href="#MSDFSPROXY"><i><tt>msdfs proxy</tt></i></a></p></li><li><p><a href="#MSDFSROOT"><i><tt>msdfs root</tt></i></a></p></li><li><p><a href="#NTACLSUPPORT"><i><tt>nt acl support</tt></i></a></p></li><li><p><a href="#ONLYGUEST"><i><tt>only guest</tt></i></a></p></li><li><p><a href="#ONLYUSER"><i><tt>only user</tt></i></a></p></li><li><p><a href="#OPLOCKCONTENTIONLIMIT"><i><tt>oplock contention limit</tt></i></a></p></li><li><p><a href="#OPLOCKS"><i><tt>oplocks</tt></i></a></p></li><li><p><a href="#PATH"><i><tt>path</tt></i></a></p></li><li><p><a href="#POSIXLOCKING"><i><tt>posix locking</tt></i></a></p></li><li><p><a href="#POSTEXEC"><i><tt>postexec</tt></i></a></p></li><li><p><a href="#PREEXECCLOSE"><i><tt>preexec close</tt></i></a></p></li><li><p><a href="#PREEXEC"><i><tt>preexec</tt></i></a></p></li><li><p><a href="#PRESERVECASE"><i><tt>preserve case</tt></i></a></p></li><li><p><a href="#PRINTABLE"><i><tt>printable</tt></i></a></p></li><li><p><a href="#PRINTCAPNAME"><i><tt>printcap name</tt></i></a></p></li><li><p><a href="#PRINTCOMMAND"><i><tt>print command</tt></i></a></p></li><li><p><a href="#PRINTERADMIN"><i><tt>printer admin</tt></i></a></p></li><li><p><a href="#PRINTERNAME"><i><tt>printer name</tt></i></a></p></li><li><p><a href="#PRINTER"><i><tt>printer</tt></i></a></p></li><li><p><a href="#PRINTING"><i><tt>printing</tt></i></a></p></li><li><p><a href="#PRINTOK"><i><tt>print ok</tt></i></a></p></li><li><p><a href="#PUBLIC"><i><tt>public</tt></i></a></p></li><li><p><a href="#QUEUEPAUSECOMMAND"><i><tt>queuepause command</tt></i></a></p></li><li><p><a href="#QUEUERESUMECOMMAND"><i><tt>queueresume command</tt></i></a></p></li><li><p><a href="#READLIST"><i><tt>read list</tt></i></a></p></li><li><p><a href="#READONLY"><i><tt>read only</tt></i></a></p></li><li><p><a href="#ROOTPOSTEXEC"><i><tt>root postexec</tt></i></a></p></li><li><p><a href="#ROOTPREEXECCLOSE"><i><tt>root preexec close</tt></i></a></p></li><li><p><a href="#ROOTPREEXEC"><i><tt>root preexec</tt></i></a></p></li><li><p><a href="#SECURITYMASK"><i><tt>security mask</tt></i></a></p></li><li><p><a href="#SETDIRECTORY"><i><tt>set directory</tt></i></a></p></li><li><p><a href="#SHAREMODES"><i><tt>share modes</tt></i></a></p></li><li><p><a href="#SHORTPRESERVECASE"><i><tt>short preserve case</tt></i></a></p></li><li><p><a href="#STRICTALLOCATE"><i><tt>strict allocate</tt></i></a></p></li><li><p><a href="#STRICTLOCKING"><i><tt>strict locking</tt></i></a></p></li><li><p><a href="#STRICTSYNC"><i><tt>strict sync</tt></i></a></p></li><li><p><a href="#SYNCALWAYS"><i><tt>sync always</tt></i></a></p></li><li><p><a href="#USECLIENTDRIVER"><i><tt>use client driver</tt></i></a></p></li><li><p><a href="#USERNAME"><i><tt>username</tt></i></a></p></li><li><p><a href="#USERS"><i><tt>users</tt></i></a></p></li><li><p><a href="#USER"><i><tt>user</tt></i></a></p></li><li><p><a href="#USESENDFILE"><i><tt>use sendfile</tt></i></a></p></li><li><p><a href="#VALIDUSERS"><i><tt>valid users</tt></i></a></p></li><li><p><a href="#VETOFILES"><i><tt>veto files</tt></i></a></p></li><li><p><a href="#VETOOPLOCKFILES"><i><tt>veto oplock files</tt></i></a></p></li><li><p><a href="#VFSOBJECT"><i><tt>vfs object</tt></i></a></p></li><li><p><a href="#VFSOPTIONS"><i><tt>vfs options</tt></i></a></p></li><li><p><a href="#VFSPATH"><i><tt>vfs path</tt></i></a></p></li><li><p><a href="#VOLUME"><i><tt>volume</tt></i></a></p></li><li><p><a href="#WIDELINKS"><i><tt>wide links</tt></i></a></p></li><li><p><a href="#WRITABLE"><i><tt>writable</tt></i></a></p></li><li><p><a href="#WRITEABLE"><i><tt>writeable</tt></i></a></p></li><li><p><a href="#WRITECACHESIZE"><i><tt>write cache size</tt></i></a></p></li><li><p><a href="#WRITELIST"><i><tt>write list</tt></i></a></p></li><li><p><a href="#WRITEOK"><i><tt>write ok</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p><span class="emphasis"><em>This parameter only exists in the HEAD cvs branch</em></span>
249 This a full path name to a script called by <a href="smbd.8.html">smbd(8)</a> that
250 should stop a shutdown procedure issued by the <a href="#SHUTDOWNSCRIPT">
251 <i><tt>shutdown script</tt></i></a>.</p><p>This command will be run as user.</p><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b>abort shutdown script = /sbin/shutdown -c</b></p></dd><dt><span class="term"><a name="ADDGROUPSCRIPT"></a>add group script (G)</span></dt><dd><p>This is the full pathname to a script that will be run
252 <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html">smbd(8)</a>
253 when a new group is requested. It will expand any <i><tt>%g</tt></i> to the group name passed. This
254 script is only useful for installations using the Windows NT
255 domain administration tools. The script is free to create a
256 group with an arbitrary name to circumvent unix group name
257 restrictions. In that case the script must print the numeric gid
258 of the created group on stdout.</p></dd><dt><span class="term"><a name="ADDMACHINESCRIPT"></a>add machine script (G)</span></dt><dd><p>This is the full pathname to a script that will be run by
259 <a href="smbd.8.html">smbd(8)</a> when a machine is added
260 to it's domain using the administrator username and password
261 method. </p><p>This option is only required when using sam back-ends tied
262 to the Unix uid method of RID calculation such as smbpasswd.
263 This option is only available in Samba 3.0.</p><p>Default: <b>add machine script = <empty string></b></p><p>Example: <b>add machine script = /usr/sbin/adduser -n -g
264 machines -c Machine -d /dev/null -s /bin/false %u</b></p></dd><dt><span class="term"><a name="ADDPRINTERCOMMAND"></a>addprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printing
265 support for Windows NT/2000 clients in Samba 2.2, The MS Add
266 Printer Wizard (APW) icon is now also available in the
267 "Printers..." folder displayed a share listing. The APW
268 allows for printers to be add remotely to a Samba or Windows
269 NT/2000 print server.</p><p>For a Samba host this means that the printer must be
270 physically added to the underlying printing system. The <i><tt>add
271 printer command</tt></i> defines a script to be run which
272 will perform the necessary operations for adding the printer
273 to the print system and to add the appropriate service definition
274 to the <tt>smb.conf</tt> file in order that it can be
275 shared by <a href="smbd.8.html">smbd(8)</a>.</p><p>The <i><tt>addprinter command</tt></i> is
276 automatically invoked with the following parameter (in
277 order):</p><div class="itemizedlist"><ul type="disc"><li><p><i><tt>printer name</tt></i></p></li><li><p><i><tt>share name</tt></i></p></li><li><p><i><tt>port name</tt></i></p></li><li><p><i><tt>driver name</tt></i></p></li><li><p><i><tt>location</tt></i></p></li><li><p><i><tt>Windows 9x driver location</tt></i></p></li></ul></div><p>All parameters are filled in from the PRINTER_INFO_2 structure sent
278 by the Windows NT/2000 client with one exception. The "Windows 9x
279 driver location" parameter is included for backwards compatibility
280 only. The remaining fields in the structure are generated from answers
281 to the APW questions.</p><p>Once the <i><tt>addprinter command</tt></i> has
282 been executed, <b>smbd</b> will reparse the <tt>
283 smb.conf</tt> to determine if the share defined by the APW
284 exists. If the sharename is still invalid, then <b>smbd
285 </b> will return an ACCESS_DENIED error to the client.</p><p>
286 The "add printer command" program can output a single line of text,
287 which Samba will set as the port the new printer is connected to.
288 If this line isn't output, Samba won't reload its printer shares.
289 </p><p>See also <a href="#DELETEPRINTERCOMMAND"><i><tt>
290 deleteprinter command</tt></i></a>, <a href="#PRINTING">
291 <i><tt>printing</tt></i></a>,
292 <a href="#SHOWADDPRINTERWIZARD"><i><tt>show add
293 printer wizard</tt></i></a></p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b>addprinter command = /usr/bin/addprinter</b></p></dd><dt><span class="term"><a name="ADDSHARECOMMAND"></a>add share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
294 add and delete shares via the Windows NT 4.0 Server Manager. The
295 <i><tt>add share command</tt></i> is used to define an
296 external program or script which will add a new service definition
297 to <tt>smb.conf</tt>. In order to successfully
298 execute the <i><tt>add share command</tt></i>, <b>smbd</b>
299 requires that the administrator be connected using a root account (i.e.
302 When executed, <b>smbd</b> will automatically invoke the
303 <i><tt>add share command</tt></i> with four parameters.
304 </p><div class="itemizedlist"><ul type="disc"><li><p><i><tt>configFile</tt></i> - the location
305 of the global <tt>smb.conf</tt> file.
306 </p></li><li><p><i><tt>shareName</tt></i> - the name of the new
308 </p></li><li><p><i><tt>pathName</tt></i> - path to an **existing**
310 </p></li><li><p><i><tt>comment</tt></i> - comment string to associate
312 </p></li></ul></div><p>
313 This parameter is only used for add file shares. To add printer shares,
314 see the <a href="#ADDPRINTERCOMMAND"><i><tt>addprinter
315 command</tt></i></a>.
317 See also <a href="#CHANGESHARECOMMAND"><i><tt>change share
318 command</tt></i></a>, <a href="#DELETESHARECOMMAND"><i><tt>delete share
319 command</tt></i></a>.
320 </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b>add share command = /usr/local/bin/addshare</b></p></dd><dt><span class="term"><a name="ADDUSERSCRIPT"></a>add user script (G)</span></dt><dd><p>This is the full pathname to a script that will
321 be run <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html">smbd(8)</a> under special circumstances described below.</p><p>Normally, a Samba server requires that UNIX users are
322 created for all users accessing files on this server. For sites
323 that use Windows NT account databases as their primary user database
324 creating these users and keeping the user list in sync with the
325 Windows NT PDC is an onerous task. This option allows <a href="smbd.8.html" target="_top">smbd</a> to create the required UNIX users
326 <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.</p><p>In order to use this option, <a href="smbd.8.html">smbd(8)</a> must <span class="emphasis"><em>NOT</em></span> be set to <i><tt>security = share</tt></i>
327 and <i><tt>add user script</tt></i>
328 must be set to a full pathname for a script that will create a UNIX
329 user given one argument of <i><tt>%u</tt></i>, which expands into
330 the UNIX user name to create.</p><p>When the Windows user attempts to access the Samba server,
331 at login (session setup in the SMB protocol) time, <a href="smbd.8.html">smbd(8)</a> contacts the <i><tt>password server</tt></i> and
332 attempts to authenticate the given user with the given password. If the
333 authentication succeeds then <b>smbd</b>
334 attempts to find a UNIX user in the UNIX password database to map the
335 Windows user into. If this lookup fails, and <i><tt>add user script
336 </tt></i> is set then <b>smbd</b> will
337 call the specified script <span class="emphasis"><em>AS ROOT</em></span>, expanding
338 any <i><tt>%u</tt></i> argument to be the user name to create.</p><p>If this script successfully creates the user then <b>smbd
339 </b> will continue on as though the UNIX user
340 already existed. In this way, UNIX users are dynamically created to
341 match existing Windows NT accounts.</p><p>See also <a href="#SECURITY"><i><tt>
342 security</tt></i></a>, <a href="#PASSWORDSERVER">
343 <i><tt>password server</tt></i></a>,
344 <a href="#DELETEUSERSCRIPT"><i><tt>delete user
345 script</tt></i></a>.</p><p>Default: <b>add user script = <empty string></b></p><p>Example: <b>add user script = /usr/local/samba/bin/add_user %u</b></p></dd><dt><span class="term"><a name="ADDUSERTOGROUPSCRIPT"></a>add user to group script (G)</span></dt><dd><p>Full path to the script that will be called when
346 a user is added to a group using the Windows NT domain administration
347 tools. It will be run by <a href="smbd.8.html">smbd(8)</a> <span class="emphasis"><em>AS ROOT</em></span>.
348 Any <i><tt>%g</tt></i> will be replaced with the group name and
349 any <i><tt>%u</tt></i> will be replaced with the user name.
350 </p><p>Default: <b>add user to group script = </b></p><p>Example: <b>add user to group script = /usr/sbin/adduser %u %g</b></p></dd><dt><span class="term"><a name="ADMINUSERS"></a>admin users (S)</span></dt><dd><p>This is a list of users who will be granted
351 administrative privileges on the share. This means that they
352 will do all file operations as the super-user (root).</p><p>You should use this option very carefully, as any user in
353 this list will be able to do anything they like on the share,
354 irrespective of file permissions.</p><p>Default: <span class="emphasis"><em>no admin users</em></span></p><p>Example: <b>admin users = jason</b></p></dd><dt><span class="term"><a name="ADSSERVER"></a>ads server (G)</span></dt><dd><p>If this option is specified, samba does not try to figure out what
355 ads server to use itself, but uses the specified ads server. Either one
356 DNS name or IP address can be used.</p><p>Default: <b>ads server = </b></p><p>Example: <b>ads server = 192.168.1.2</b></p></dd><dt><span class="term"><a name="ALGORITHMICRIDBASE"></a>algorithmic rid base (G)</span></dt><dd><p>This determines how Samba will use its
357 algorithmic mapping from uids/gid to the RIDs needed to construct
358 NT Security Identifiers.
359 </p><p>Setting this option to a larger value could be useful to sites
360 transitioning from WinNT and Win2k, as existing user and
361 group rids would otherwise clash with sytem users etc.
362 </p><p>All UIDs and GIDs must be able to be resolved into SIDs for
363 the correct operation of ACLs on the server. As such the algorithmic
364 mapping can't be 'turned off', but pushing it 'out of the way' should
365 resolve the issues. Users and groups can then be assigned 'low' RIDs
366 in arbitary-rid supporting backends.
367 </p><p>Default: <b>algorithmic rid base = 1000</b></p><p>Example: <b>algorithmic rid base = 100000</b></p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts (S)</span></dt><dd><p>Synonym for <a href="#HOSTSALLOW">
368 <i><tt>hosts allow</tt></i></a>.</p></dd><dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p>This option only takes effect when the <a href="#SECURITY">
369 <i><tt>security</tt></i></a> option is set to
370 <tt>server</tt> or <tt>domain</tt>.
371 If it is set to no, then attempts to connect to a resource from
372 a domain or workgroup other than the one which <a href="smbd.8.html" target="_top">smbd</a> is running
373 in will fail, even if that domain is trusted by the remote server
374 doing the authentication.</p><p>This is useful if you only want your Samba server to
375 serve resources to users in the domain it is a member of. As
376 an example, suppose that there are two domains DOMA and DOMB. DOMB
377 is trusted by DOMA, which contains the Samba server. Under normal
378 circumstances, a user with an account in DOMB can then access the
379 resources of a UNIX account with the same account name on the
380 Samba server even if they do not have an account in DOMA. This
381 can make implementing a security boundary difficult.</p><p>Default: <b>allow trusted domains = yes</b></p></dd><dt><span class="term"><a name="ANNOUNCEAS"></a>announce as (G)</span></dt><dd><p>This specifies what type of server <a href="nmbd.8.html">nmbd(8)</a> will announce itself as, to a network neighborhood browse
382 list. By default this is set to Windows NT. The valid options
383 are : "NT Server" (which can also be written as "NT"),
384 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
385 Windows NT Workstation, Windows 95 and Windows for Workgroups
386 respectively. Do not change this parameter unless you have a
387 specific need to stop Samba appearing as an NT server as this
388 may prevent Samba servers from participating as browser servers
389 correctly.</p><p>Default: <b>announce as = NT Server</b></p><p>Example: <b>announce as = Win95</b></p></dd><dt><span class="term"><a name="ANNOUNCEVERSION"></a>announce version (G)</span></dt><dd><p>This specifies the major and minor version numbers
390 that nmbd will use when announcing itself as a server. The default
391 is 4.9. Do not change this parameter unless you have a specific
392 need to set a Samba server to be a downlevel server.</p><p>Default: <b>announce version = 4.9</b></p><p>Example: <b>announce version = 2.0</b></p></dd><dt><span class="term"><a name="AUTHMETHODS"></a>auth methods (G)</span></dt><dd><p>This option allows the administrator to chose what
393 authentication methods <b>smbd</b> will use when authenticating
394 a user. This option defaults to sensible values based on <a href="#SECURITY">
395 <i><tt>security</tt></i></a>.</p><p>Each entry in the list attempts to authenticate the user in turn, until
396 the user authenticates. In practice only one method will ever actually
397 be able to complete the authentication.
398 </p><p>Default: <b>auth methods = <empty string></b></p><p>Example: <b>auth methods = guest sam ntdomain</b></p></dd><dt><span class="term"><a name="AUTOSERVICES"></a>auto services (G)</span></dt><dd><p>This is a synonym for the <a href="#PRELOAD">
399 <i><tt>preload</tt></i></a>.</p></dd><dt><span class="term"><a name="AVAILABLE"></a>available (S)</span></dt><dd><p>This parameter lets you "turn off" a service. If
400 <i><tt>available = no</tt></i>, then <span class="emphasis"><em>ALL</em></span>
401 attempts to connect to the service will fail. Such failures are
402 logged.</p><p>Default: <b>available = yes</b></p></dd><dt><span class="term"><a name="BINDINTERFACESONLY"></a>bind interfaces only (G)</span></dt><dd><p>This global parameter allows the Samba admin
403 to limit what interfaces on a machine will serve SMB requests. It
404 affects file service <a href="smbd.8.html">smbd(8)</a> and name service <a href="nmbd.8.html">nmbd(8)</a> in a slightly different ways.</p><p>For name service it causes <b>nmbd</b> to bind
405 to ports 137 and 138 on the interfaces listed in
406 the <a href="#INTERFACES">interfaces</a> parameter. <b>nmbd</b> also
407 binds to the "all addresses" interface (0.0.0.0)
408 on ports 137 and 138 for the purposes of reading broadcast messages.
409 If this option is not set then <b>nmbd</b> will service
410 name requests on all of these sockets. If <i><tt>bind interfaces
411 only</tt></i> is set then <b>nmbd</b> will check the
412 source address of any packets coming in on the broadcast sockets
413 and discard any that don't match the broadcast addresses of the
414 interfaces in the <i><tt>interfaces</tt></i> parameter list.
415 As unicast packets are received on the other sockets it allows
416 <b>nmbd</b> to refuse to serve names to machines that
417 send packets that arrive through any interfaces not listed in the
418 <i><tt>interfaces</tt></i> list. IP Source address spoofing
419 does defeat this simple check, however, so it must not be used
420 seriously as a security feature for <b>nmbd</b>.</p><p>For file service it causes <a href="smbd.8.html">smbd(8)</a> to bind only to the interface list
421 given in the <a href="#INTERFACES">interfaces</a> parameter. This
422 restricts the networks that <b>smbd</b> will serve
423 to packets coming in those interfaces. Note that you should not use this parameter
424 for machines that are serving PPP or other intermittent or non-broadcast network
425 interfaces as it will not cope with non-permanent interfaces.</p><p>If <i><tt>bind interfaces only</tt></i> is set then
426 unless the network address <span class="emphasis"><em>127.0.0.1</em></span> is added
427 to the <i><tt>interfaces</tt></i> parameter
428 list <a href="smbpasswd.8.html">smbpasswd(8)</a> and <a href="swat.8.html">swat(8)</a> may not work as expected due
429 to the reasons covered below.</p><p>To change a users SMB password, the <b>smbpasswd</b>
430 by default connects to the <span class="emphasis"><em>localhost - 127.0.0.1</em></span>
431 address as an SMB client to issue the password change request. If
432 <i><tt>bind interfaces only</tt></i> is set then unless the
433 network address <span class="emphasis"><em>127.0.0.1</em></span> is added to the
434 <i><tt>interfaces</tt></i> parameter list then <b>
435 smbpasswd</b> will fail to connect in it's default mode.
436 <b>smbpasswd</b> can be forced to use the primary IP interface
437 of the local host by using its <a href="smbpasswd.8.html">smbpasswd(8)</a> <i><tt>-r <i><tt>remote machine</tt></i></tt></i>
438 parameter, with <i><tt>remote machine</tt></i> set
439 to the IP name of the primary interface of the local host.</p><p>The <b>swat</b> status page tries to connect with
440 <b>smbd</b> and <b>nmbd</b> at the address
441 <span class="emphasis"><em>127.0.0.1</em></span> to determine if they are running.
442 Not adding <span class="emphasis"><em>127.0.0.1</em></span> will cause <b>
443 smbd</b> and <b>nmbd</b> to always show
444 "not running" even if they really are. This can prevent <b>
445 swat</b> from starting/stopping/restarting <b>smbd</b>
446 and <b>nmbd</b>.</p><p>Default: <b>bind interfaces only = no</b></p></dd><dt><span class="term"><a name="BLOCKINGLOCKS"></a>blocking locks (S)</span></dt><dd><p>This parameter controls the behavior
447 of <a href="smbd.8.html">smbd(8)</a> when given a request by a client
448 to obtain a byte range lock on a region of an open file, and the
449 request has a time limit associated with it.</p><p>If this parameter is set and the lock range requested
450 cannot be immediately satisfied, samba will internally
451 queue the lock request, and periodically attempt to obtain
452 the lock until the timeout period expires.</p><p>If this parameter is set to <tt>no</tt>, then
453 samba will behave as previous versions of Samba would and
454 will fail the lock request immediately if the lock range
455 cannot be obtained.</p><p>Default: <b>blocking locks = yes</b></p></dd><dt><span class="term"><a name="BLOCKSIZE"></a>block size (S)</span></dt><dd><p>This parameter controls the behavior of <a href="smbd.8.html">smbd(8)</a> when reporting disk free
456 sizes. By default, this reports a disk block size of 1024 bytes.
457 </p><p>Changing this parameter may have some effect on the
458 efficiency of client writes, this is not yet confirmed. This
459 parameter was added to allow advanced administrators to change
460 it (usually to a higher value) and test the effect it has on
461 client write performance without re-compiling the code. As this
462 is an experimental option it may be removed in a future release.
463 </p><p>Changing this option does not change the disk free reporting
464 size, just the block size unit reported to the client.
465 </p></dd><dt><span class="term"><a name="BROWSABLE"></a>browsable (S)</span></dt><dd><p>See the <a href="#BROWSEABLE">
466 <i><tt>browseable</tt></i></a>.</p></dd><dt><span class="term"><a name="BROWSEABLE"></a>browseable (S)</span></dt><dd><p>This controls whether this share is seen in
467 the list of available shares in a net view and in the browse list.</p><p>Default: <b>browseable = yes</b></p></dd><dt><span class="term"><a name="BROWSELIST"></a>browse list (G)</span></dt><dd><p>This controls whether <a href="smbd.8.html">smbd(8)</a> will serve a browse list to
468 a client doing a <b>NetServerEnum</b> call. Normally
469 set to <tt>yes</tt>. You should never need to change
470 this.</p><p>Default: <b>browse list = yes</b></p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <b>case sensitive = no</b></p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames (S)</span></dt><dd><p>Synonym for <a href="#CASESENSITIVE">case sensitive</a>.</p></dd><dt><span class="term"><a name="CHANGENOTIFYTIMEOUT"></a>change notify timeout (G)</span></dt><dd><p>This SMB allows a client to tell a server to
471 "watch" a particular directory for any changes and only reply to
472 the SMB request when a change has occurred. Such constant scanning of
473 a directory is expensive under UNIX, hence an <a href="smbd.8.html">smbd(8)</a> daemon only performs such a scan
474 on each requested directory once every <i><tt>change notify
475 timeout</tt></i> seconds.</p><p>Default: <b>change notify timeout = 60</b></p><p>Example: <b>change notify timeout = 300</b></p><p>Would change the scan time to every 5 minutes.</p></dd><dt><span class="term"><a name="CHANGESHARECOMMAND"></a>change share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
476 add and delete shares via the Windows NT 4.0 Server Manager. The
477 <i><tt>change share command</tt></i> is used to define an
478 external program or script which will modify an existing service definition
479 in <tt>smb.conf</tt>. In order to successfully
480 execute the <i><tt>change share command</tt></i>, <b>smbd</b>
481 requires that the administrator be connected using a root account (i.e.
484 When executed, <b>smbd</b> will automatically invoke the
485 <i><tt>change share command</tt></i> with four parameters.
486 </p><div class="itemizedlist"><ul type="disc"><li><p><i><tt>configFile</tt></i> - the location
487 of the global <tt>smb.conf</tt> file.
488 </p></li><li><p><i><tt>shareName</tt></i> - the name of the new
490 </p></li><li><p><i><tt>pathName</tt></i> - path to an **existing**
492 </p></li><li><p><i><tt>comment</tt></i> - comment string to associate
494 </p></li></ul></div><p>
495 This parameter is only used modify existing file shares definitions. To modify
496 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
498 See also <a href="#ADDSHARECOMMAND"><i><tt>add share
499 command</tt></i></a>, <a href="#DELETESHARECOMMAND"><i><tt>delete
500 share command</tt></i></a>.
501 </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b>change share command = /usr/local/bin/addshare</b></p></dd><dt><span class="term"><a name="COMMENT"></a>comment (S)</span></dt><dd><p>This is a text field that is seen next to a share
502 when a client does a queries the server, either via the network
503 neighborhood or via <b>net view</b> to list what shares
504 are available.</p><p>If you want to set the string that is displayed next to the
505 machine name then see the <a href="#SERVERSTRING"><i><tt>
506 server string</tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>No comment string</em></span></p><p>Example: <b>comment = Fred's Files</b></p></dd><dt><span class="term"><a name="CONFIGFILE"></a>config file (G)</span></dt><dd><p>This allows you to override the config file
507 to use, instead of the default (usually <tt>smb.conf</tt>).
508 There is a chicken and egg problem here as this option is set
509 in the config file!</p><p>For this reason, if the name of the config file has changed
510 when the parameters are loaded then it will reload them from
511 the new config file.</p><p>This option takes the usual substitutions, which can
512 be very useful.</p><p>If the config file doesn't exist then it won't be loaded
513 (allowing you to special case the config files of just a few
514 clients).</p><p>Example: <b>config file = /usr/local/samba/lib/smb.conf.%m</b></p></dd><dt><span class="term"><a name="COPY"></a>copy (S)</span></dt><dd><p>This parameter allows you to "clone" service
515 entries. The specified service is simply duplicated under the
516 current service's name. Any parameters specified in the current
517 section will override those in the section being copied.</p><p>This feature lets you set up a 'template' service and
518 create similar services easily. Note that the service being
519 copied must occur earlier in the configuration file than the
520 service doing the copying.</p><p>Default: <span class="emphasis"><em>no value</em></span></p><p>Example: <b>copy = otherservice</b></p></dd><dt><span class="term"><a name="CREATEMASK"></a>create mask (S)</span></dt><dd><p>A synonym for this parameter is
521 <a href="#CREATEMODE"><i><tt>create mode</tt></i>
522 </a>.</p><p>When a file is created, the necessary permissions are
523 calculated according to the mapping from DOS modes to UNIX
524 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
525 with this parameter. This parameter may be thought of as a bit-wise
526 MASK for the UNIX modes of a file. Any bit <span class="emphasis"><em>not</em></span>
527 set here will be removed from the modes set on a file when it is
528 created.</p><p>The default value of this parameter removes the
529 'group' and 'other' write and execute bits from the UNIX modes.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode created
530 from this parameter with the value of the <a href="#FORCECREATEMODE">
531 <i><tt>force create mode</tt></i></a>
532 parameter which is set to 000 by default.</p><p>This parameter does not affect directory modes. See the
533 parameter <a href="#DIRECTORYMODE"><i><tt>directory mode
534 </tt></i></a> for details.</p><p>See also the <a href="#FORCECREATEMODE"><i><tt>force
535 create mode</tt></i></a> parameter for forcing particular mode
536 bits to be set on created files. See also the <a href="#DIRECTORYMODE">
537 <i><tt>directory mode</tt></i></a> parameter for masking
538 mode bits on created directories. See also the <a href="#INHERITPERMISSIONS">
539 <i><tt>inherit permissions</tt></i></a> parameter.</p><p>Note that this parameter does not apply to permissions
540 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
541 a mask on access control lists also, they need to set the <a href="#SECURITYMASK">
542 <i><tt>security mask</tt></i></a>.</p><p>Default: <b>create mask = 0744</b></p><p>Example: <b>create mask = 0775</b></p></dd><dt><span class="term"><a name="CREATEMODE"></a>create mode (S)</span></dt><dd><p>This is a synonym for <a href="#CREATEMASK"><i><tt>
543 create mask</tt></i></a>.</p></dd><dt><span class="term"><a name="CSCPOLICY"></a>csc policy (S)</span></dt><dd><p>This stands for <span class="emphasis"><em>client-side caching
544 policy</em></span>, and specifies how clients capable of offline
545 caching will cache the files in the share. The valid values
546 are: manual, documents, programs, disable.</p><p>These values correspond to those used on Windows servers.</p><p>For example, shares containing roaming profiles can have
547 offline caching disabled using <b>csc policy = disable</b>.</p><p>Default: <b>csc policy = manual</b></p><p>Example: <b>csc policy = programs</b></p></dd><dt><span class="term"><a name="DEADTIME"></a>dead time (G)</span></dt><dd><p>The value of the parameter (a decimal integer)
548 represents the number of minutes of inactivity before a connection
549 is considered dead, and it is disconnected. The deadtime only takes
550 effect if the number of open files is zero.</p><p>This is useful to stop a server's resources being
551 exhausted by a large number of inactive connections.</p><p>Most clients have an auto-reconnect feature when a
552 connection is broken so in most cases this parameter should be
553 transparent to users.</p><p>Using this parameter with a timeout of a few minutes
554 is recommended for most systems.</p><p>A deadtime of zero indicates that no auto-disconnection
555 should be performed.</p><p>Default: <b>deadtime = 0</b></p><p>Example: <b>deadtime = 15</b></p></dd><dt><span class="term"><a name="DEBUGHIRESTIMESTAMP"></a>debug hires timestamp (G)</span></dt><dd><p>Sometimes the timestamps in the log messages
556 are needed with a resolution of higher that seconds, this
557 boolean parameter adds microsecond resolution to the timestamp
558 message header when turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i><tt>
559 debug timestamp</tt></i></a> must be on for this to have an
560 effect.</p><p>Default: <b>debug hires timestamp = no</b></p></dd><dt><span class="term"><a name="DEBUGLEVEL"></a>debug level (G)</span></dt><dd><p>Synonym for <a href="#LOGLEVEL"><i><tt>
561 log level</tt></i></a>.</p></dd><dt><span class="term"><a name="DEBUGPID"></a>debug pid (G)</span></dt><dd><p>When using only one log file for more then one forked
562 <a href="smbd.8.html">smbd(8)</a>-process there may be hard to
563 follow which process outputs which message. This boolean parameter
564 is adds the process-id to the timestamp message headers in the
565 logfile when turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i><tt>
566 debug timestamp</tt></i></a> must be on for this to have an
567 effect.</p><p>Default: <b>debug pid = no</b></p></dd><dt><span class="term"><a name="DEBUGTIMESTAMP"></a>debug timestamp (G)</span></dt><dd><p>Samba debug log messages are timestamped
568 by default. If you are running at a high <a href="#DEBUGLEVEL">
569 <i><tt>debug level</tt></i></a> these timestamps
570 can be distracting. This boolean parameter allows timestamping
571 to be turned off.</p><p>Default: <b>debug timestamp = yes</b></p></dd><dt><span class="term"><a name="DEBUGUID"></a>debug uid (G)</span></dt><dd><p>Samba is sometimes run as root and sometime
572 run as the connected user, this boolean parameter inserts the
573 current euid, egid, uid and gid to the timestamp message headers
574 in the log file if turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i><tt>
575 debug timestamp</tt></i></a> must be on for this to have an
576 effect.</p><p>Default: <b>debug uid = no</b></p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">
577 NAME MANGLING</a>. Also note the <a href="#SHORTPRESERVECASE">
578 <i><tt>short preserve case</tt></i></a> parameter.</p><p>Default: <b>default case = lower</b></p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a href="#PRINTOK">printable</a> services.
579 When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
580 server has a Device Mode which defines things such as paper size and
581 orientation and duplex settings. The device mode can only correctly be
582 generated by the printer driver itself (which can only be executed on a
583 Win32 platform). Because smbd is unable to execute the driver code
584 to generate the device mode, the default behavior is to set this field
586 </p><p>Most problems with serving printer drivers to Windows NT/2k/XP clients
587 can be traced to a problem with the generated device mode. Certain drivers
588 will do things such as crashing the client's Explorer.exe with a NULL devmode.
589 However, other printer drivers can cause the client's spooler service
590 (spoolsv.exe) to die if the devmode was not created by the driver itself
591 (i.e. smbd generates a default devmode).
592 </p><p>This parameter should be used with care and tested with the printer
593 driver in question. It is better to leave the device mode to NULL
594 and let the Windows client set the correct values. Because drivers do not
595 do this all the time, setting <b>default devmode = yes</b>
596 will instruct smbd to generate a default one.
597 </p><p>For more information on Windows NT/2k printing and Device Modes,
598 see the <a href="http://msdn.microsoft.com/" target="_top">MSDN documentation</a>.
599 </p><p>Default: <b>default devmode = no</b></p></dd><dt><span class="term"><a name="DEFAULTSERVICE"></a>default service (G)</span></dt><dd><p>This parameter specifies the name of a service
600 which will be connected to if the service actually requested cannot
601 be found. Note that the square brackets are <span class="emphasis"><em>NOT</em></span>
602 given in the parameter value (see example below).</p><p>There is no default value for this parameter. If this
603 parameter is not given, attempting to connect to a nonexistent
604 service results in an error.</p><p>Typically the default service would be a <a href="#GUESTOK">
605 <i><tt>guest ok</tt></i></a>, <a href="#READONLY">
606 <i><tt>read-only</tt></i></a> service.</p><p>Also note that the apparent service name will be changed
607 to equal that of the requested service, this is very useful as it
608 allows you to use macros like <i><tt>%S</tt></i> to make
609 a wildcard service.</p><p>Note also that any "_" characters in the name of the service
610 used in the default service will get mapped to a "/". This allows for
611 interesting things.</p><p>Example:</p><pre class="programlisting">
613 default service = pub
617 </pre></dd><dt><span class="term"><a name="DEFAULT"></a>default (G)</span></dt><dd><p>A synonym for <a href="#DEFAULTSERVICE"><i><tt>
618 default service</tt></i></a>.</p></dd><dt><span class="term"><a name="DELETEGROUPSCRIPT"></a>delete group script (G)</span></dt><dd><p>This is the full pathname to a script that will
619 be run <span class="emphasis"><em>AS ROOT</em></span> <a href="smbd.8.html">smbd(8)</a> when a group is requested to be deleted.
620 It will expand any <i><tt>%g</tt></i> to the group name passed.
621 This script is only useful for installations using the Windows NT domain administration tools.
622 </p></dd><dt><span class="term"><a name="DELETEPRINTERCOMMAND"></a>deleteprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printer
623 support for Windows NT/2000 clients in Samba 2.2, it is now
624 possible to delete printer at run time by issuing the
625 DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be
626 physically deleted from underlying printing system. The <i><tt>
627 deleteprinter command</tt></i> defines a script to be run which
628 will perform the necessary operations for removing the printer
629 from the print system and from <tt>smb.conf</tt>.
630 </p><p>The <i><tt>deleteprinter command</tt></i> is
631 automatically called with only one parameter: <i><tt>
632 "printer name"</tt></i>.</p><p>Once the <i><tt>deleteprinter command</tt></i> has
633 been executed, <b>smbd</b> will reparse the <tt>
634 smb.conf</tt> to associated printer no longer exists.
635 If the sharename is still valid, then <b>smbd
636 </b> will return an ACCESS_DENIED error to the client.</p><p>See also <a href="#ADDPRINTERCOMMAND"><i><tt>
637 addprinter command</tt></i></a>, <a href="#PRINTING">
638 <i><tt>printing</tt></i></a>,
639 <a href="#SHOWADDPRINTERWIZARD"><i><tt>show add
640 printer wizard</tt></i></a></p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b>deleteprinter command = /usr/bin/removeprinter</b></p></dd><dt><span class="term"><a name="DELETEREADONLY"></a>delete readonly (S)</span></dt><dd><p>This parameter allows readonly files to be deleted.
641 This is not normal DOS semantics, but is allowed by UNIX.</p><p>This option may be useful for running applications such
642 as rcs, where UNIX file ownership prevents changing file
643 permissions, and DOS semantics prevent deletion of a read only file.</p><p>Default: <b>delete readonly = no</b></p></dd><dt><span class="term"><a name="DELETESHARECOMMAND"></a>delete share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
644 add and delete shares via the Windows NT 4.0 Server Manager. The
645 <i><tt>delete share command</tt></i> is used to define an
646 external program or script which will remove an existing service
647 definition from <tt>smb.conf</tt>. In order to successfully
648 execute the <i><tt>delete share command</tt></i>, <b>smbd</b>
649 requires that the administrator be connected using a root account (i.e.
652 When executed, <b>smbd</b> will automatically invoke the
653 <i><tt>delete share command</tt></i> with two parameters.
654 </p><div class="itemizedlist"><ul type="disc"><li><p><i><tt>configFile</tt></i> - the location
655 of the global <tt>smb.conf</tt> file.
656 </p></li><li><p><i><tt>shareName</tt></i> - the name of
657 the existing service.
658 </p></li></ul></div><p>
659 This parameter is only used to remove file shares. To delete printer shares,
660 see the <a href="#DELETEPRINTERCOMMAND"><i><tt>deleteprinter
661 command</tt></i></a>.
663 See also <a href="#ADDSHARECOMMAND"><i><tt>add share
664 command</tt></i></a>, <a href="#CHANGESHARECOMMAND"><i><tt>change
665 share command</tt></i></a>.
666 </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b>delete share command = /usr/local/bin/delshare</b></p></dd><dt><span class="term"><a name="DELETEUSERFROMGROUPSCRIPT"></a>delete user from group script (G)</span></dt><dd><p>Full path to the script that will be called when
667 a user is removed from a group using the Windows NT domain administration
668 tools. It will be run by <a href="smbd.8.html">smbd(8)</a> <span class="emphasis"><em>AS ROOT</em></span>.
669 Any <i><tt>%g</tt></i> will be replaced with the group name and
670 any <i><tt>%u</tt></i> will be replaced with the user name.
671 </p><p>Default: <b>delete user from group script = </b></p><p>Example: <b>delete user from group script = /usr/sbin/deluser %u %g</b></p></dd><dt><span class="term"><a name="DELETEUSERSCRIPT"></a>delete user script (G)</span></dt><dd><p>This is the full pathname to a script that will
672 be run by <a href="smbd.8.html">smbd(8)</a> when managing users
673 with remote RPC (NT) tools.
674 </p><p>This script is called when a remote client removes a user
675 from the server, normally using 'User Manager for Domains' or
676 <b>rpcclient</b>.</p><p>This script should delete the given UNIX username.</p><p>Default: <b>delete user script = <empty string></b></p><p>Example: <b>delete user script = /usr/local/samba/bin/del_user %u</b></p></dd><dt><span class="term"><a name="DELETEVETOFILES"></a>delete veto files (S)</span></dt><dd><p>This option is used when Samba is attempting to
677 delete a directory that contains one or more vetoed directories
678 (see the <a href="#VETOFILES"><i><tt>veto files</tt></i></a>
679 option). If this option is set to <tt>no</tt> (the default) then if a vetoed
680 directory contains any non-vetoed files or directories then the
681 directory delete will fail. This is usually what you want.</p><p>If this option is set to <tt>yes</tt>, then Samba
682 will attempt to recursively delete any files and directories within
683 the vetoed directory. This can be useful for integration with file
684 serving systems such as NetAtalk which create meta-files within
685 directories you might normally veto DOS/Windows users from seeing
686 (e.g. <tt>.AppleDouble</tt>)</p><p>Setting <b>delete veto files = yes</b> allows these
687 directories to be transparently deleted when the parent directory
688 is deleted (so long as the user has permissions to do so).</p><p>See also the <a href="#VETOFILES"><i><tt>veto
689 files</tt></i></a> parameter.</p><p>Default: <b>delete veto files = no</b></p></dd><dt><span class="term"><a name="DENYHOSTS"></a>deny hosts (S)</span></dt><dd><p>Synonym for <a href="#HOSTSDENY"><i><tt>hosts
690 deny</tt></i></a>.</p></dd><dt><span class="term"><a name="DFREECOMMAND"></a>dfree command (G)</span></dt><dd><p>The <i><tt>dfree command</tt></i> setting
691 should only be used on systems where a problem occurs with the
692 internal disk space calculations. This has been known to happen
693 with Ultrix, but may occur with other operating systems. The
694 symptom that was seen was an error of "Abort Retry
695 Ignore" at the end of each directory listing.</p><p>This setting allows the replacement of the internal routines to
696 calculate the total disk space and amount available with an external
697 routine. The example below gives a possible script that might fulfill
698 this function.</p><p>The external program will be passed a single parameter indicating
699 a directory in the filesystem being queried. This will typically consist
700 of the string <tt>./</tt>. The script should return two
701 integers in ASCII. The first should be the total disk space in blocks,
702 and the second should be the number of available blocks. An optional
703 third return value can give the block size in bytes. The default
704 blocksize is 1024 bytes.</p><p>Note: Your script should <span class="emphasis"><em>NOT</em></span> be setuid or
705 setgid and should be owned by (and writeable only by) root!</p><p>Default: <span class="emphasis"><em>By default internal routines for
706 determining the disk capacity and remaining space will be used.
707 </em></span></p><p>Example: <b>dfree command = /usr/local/samba/bin/dfree</b></p><p>Where the script dfree (which must be made executable) could be:</p><pre class="programlisting">
709 df $1 | tail -1 | awk '{print $2" "$4}'
710 </pre><p>or perhaps (on Sys V based systems):</p><pre class="programlisting">
712 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
713 </pre><p>Note that you may have to replace the command names with full path names on some systems.</p></dd><dt><span class="term"><a name="DIRECTORYMASK"></a>directory mask (S)</span></dt><dd><p>This parameter is the octal modes which are
714 used when converting DOS modes to UNIX modes when creating UNIX
715 directories.</p><p>When a directory is created, the necessary permissions are
716 calculated according to the mapping from DOS modes to UNIX permissions,
717 and the resulting UNIX mode is then bit-wise 'AND'ed with this
718 parameter. This parameter may be thought of as a bit-wise MASK for
719 the UNIX modes of a directory. Any bit <span class="emphasis"><em>not</em></span> set
720 here will be removed from the modes set on a directory when it is
721 created.</p><p>The default value of this parameter removes the 'group'
722 and 'other' write bits from the UNIX mode, allowing only the
723 user who owns the directory to modify it.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode
724 created from this parameter with the value of the <a href="#FORCEDIRECTORYMODE">
725 <i><tt>force directory mode</tt></i></a> parameter.
726 This parameter is set to 000 by default (i.e. no extra mode bits are added).</p><p>Note that this parameter does not apply to permissions
727 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
728 a mask on access control lists also, they need to set the <a href="#DIRECTORYSECURITYMASK">
729 <i><tt>directory security mask</tt></i></a>.</p><p>See the <a href="#FORCEDIRECTORYMODE"><i><tt>force
730 directory mode</tt></i></a> parameter to cause particular mode
731 bits to always be set on created directories.</p><p>See also the <a href="#CREATEMODE"><i><tt>create mode
732 </tt></i></a> parameter for masking mode bits on created files,
733 and the <a href="#DIRECTORYSECURITYMASK"><i><tt>directory
734 security mask</tt></i></a> parameter.</p><p>Also refer to the <a href="#INHERITPERMISSIONS"><i><tt>
735 inherit permissions</tt></i></a> parameter.</p><p>Default: <b>directory mask = 0755</b></p><p>Example: <b>directory mask = 0775</b></p></dd><dt><span class="term"><a name="DIRECTORYMODE"></a>directory mode (S)</span></dt><dd><p>Synonym for <a href="#DIRECTORYMASK"><i><tt>
736 directory mask</tt></i></a></p></dd><dt><span class="term"><a name="DIRECTORYSECURITYMASK"></a>directory security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission bits
737 can be modified when a Windows NT client is manipulating the UNIX
738 permission on a directory using the native NT security dialog
739 box.</p><p>This parameter is applied as a mask (AND'ed with) to
740 the changed permission bits, thus preventing any bits not in
741 this mask from being modified. Essentially, zero bits in this
742 mask may be treated as a set of bits the user is not allowed
743 to change.</p><p>If not set explicitly this parameter is set to 0777
744 meaning a user is allowed to modify all the user/group/world
745 permissions on a directory.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the
746 Samba server through other means can easily bypass this restriction,
747 so it is primarily useful for standalone "appliance" systems.
748 Administrators of most normal systems will probably want to leave
749 it as the default of <tt>0777</tt>.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE"><i><tt>
750 force directory security mode</tt></i></a>, <a href="#SECURITYMASK">
751 <i><tt>security mask</tt></i></a>,
752 <a href="#FORCESECURITYMODE"><i><tt>force security mode
753 </tt></i></a> parameters.</p><p>Default: <b>directory security mask = 0777</b></p><p>Example: <b>directory security mask = 0700</b></p></dd><dt><span class="term"><a name="DIRECTORY"></a>directory (S)</span></dt><dd><p>Synonym for <a href="#PATH"><i><tt>path</tt></i></a>.</p></dd><dt><span class="term"><a name="DISABLENETBIOS"></a>disable netbios (G)</span></dt><dd><p>Enabling this parameter will disable netbios support
754 in Samba. Netbios is the only available form of browsing in
755 all windows versions except for 2000 and XP. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that clients that only support netbios won't be able to
756 see your samba server when netbios support is disabled.
757 </p></div><p>Default: <b>disable netbios = no</b></p><p>Example: <b>disable netbios = yes</b></p></dd><dt><span class="term"><a name="DISABLESPOOLSS"></a>disable spoolss (G)</span></dt><dd><p>Enabling this parameter will disable Samba's support
758 for the SPOOLSS set of MS-RPC's and will yield identical behavior
759 as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
760 Lanman style printing commands. Windows 9x/ME will be uneffected by
761 the parameter. However, this will also disable the ability to upload
762 printer drivers to a Samba server via the Windows NT Add Printer
763 Wizard or by using the NT printer properties dialog window. It will
764 also disable the capability of Windows NT/2000 clients to download
765 print drivers from the Samba host upon demand.
766 <span class="emphasis"><em>Be very careful about enabling this parameter.</em></span>
767 </p><p>See also <a href="#USECLIENTDRIVER">use client driver</a>
768 </p><p>Default : <b>disable spoolss = no</b></p></dd><dt><span class="term"><a name="DISPLAYCHARSET"></a>display charset (G)</span></dt><dd><p>Specifies the charset that samba will use
769 to print messages to stdout and stderr and SWAT will use.
770 Should generally be the same as the <b>unix charset</b>.
771 </p><p>Default: <b>display charset = ASCII</b></p><p>Example: <b>display charset = UTF8</b></p></dd><dt><span class="term"><a name="DNSPROXY"></a>dns proxy (G)</span></dt><dd><p>Specifies that <a href="nmbd.8.html">nmbd(8)</a> when acting as a WINS server and
772 finding that a NetBIOS name has not been registered, should treat the
773 NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server
774 for that name on behalf of the name-querying client.</p><p>Note that the maximum length for a NetBIOS name is 15
775 characters, so the DNS name (or DNS alias) can likewise only be
776 15 characters, maximum.</p><p><b>nmbd</b> spawns a second copy of itself to do the
777 DNS name lookup requests, as doing a name lookup is a blocking
778 action.</p><p>See also the parameter <a href="#WINSSUPPORT"><i><tt>
779 wins support</tt></i></a>.</p><p>Default: <b>dns proxy = yes</b></p></dd><dt><span class="term"><a name="DOMAINLOGONS"></a>domain logons (G)</span></dt><dd><p>If set to <tt>yes</tt>, the Samba server will serve
780 Windows 95/98 Domain logons for the <a href="#WORKGROUP">
781 <i><tt>workgroup</tt></i></a> it is in. Samba 2.2
782 has limited capability to act as a domain controller for Windows
783 NT 4 Domains. For more details on setting up this feature see
784 the Samba-PDC-HOWTO included in the Samba documentation.</p><p>Default: <b>domain logons = no</b></p></dd><dt><span class="term"><a name="DOMAINMASTER"></a>domain master (G)</span></dt><dd><p>Tell <a href="smbd.8.html">smbd(8)</a> to enable WAN-wide browse list
785 collation. Setting this option causes <b>nmbd</b> to
786 claim a special domain specific NetBIOS name that identifies
787 it as a domain master browser for its given <a href="#WORKGROUP">
788 <i><tt>workgroup</tt></i></a>. Local master browsers
789 in the same <i><tt>workgroup</tt></i> on broadcast-isolated
790 subnets will give this <b>nmbd</b> their local browse lists,
791 and then ask <a href="smbd.8.html">smbd(8)</a> for a complete copy of the browse
792 list for the whole wide area network. Browser clients will then contact
793 their local master browser, and will receive the domain-wide browse list,
794 instead of just the list for their broadcast-isolated subnet.</p><p>Note that Windows NT Primary Domain Controllers expect to be
795 able to claim this <i><tt>workgroup</tt></i> specific special
796 NetBIOS name that identifies them as domain master browsers for
797 that <i><tt>workgroup</tt></i> by default (i.e. there is no
798 way to prevent a Windows NT PDC from attempting to do this). This
799 means that if this parameter is set and <b>nmbd</b> claims
800 the special name for a <i><tt>workgroup</tt></i> before a Windows
801 NT PDC is able to do so then cross subnet browsing will behave
802 strangely and may fail.</p><p>If <a href="#DOMAINLOGONS"><b>domain logons = yes</b>
803 </a>, then the default behavior is to enable the <i><tt>domain
804 master</tt></i> parameter. If <i><tt>domain logons</tt></i> is
805 not enabled (the default setting), then neither will <i><tt>domain
806 master</tt></i> be enabled by default.</p><p>Default: <b>domain master = auto</b></p></dd><dt><span class="term"><a name="DONTDESCEND"></a>dont descend (S)</span></dt><dd><p>There are certain directories on some systems
807 (e.g., the <tt>/proc</tt> tree under Linux) that are either not
808 of interest to clients or are infinitely deep (recursive). This
809 parameter allows you to specify a comma-delimited list of directories
810 that the server should always show as empty.</p><p>Note that Samba can be very fussy about the exact format
811 of the "dont descend" entries. For example you may need <tt>
812 ./proc</tt> instead of just <tt>/proc</tt>.
813 Experimentation is the best policy :-) </p><p>Default: <span class="emphasis"><em>none (i.e., all directories are OK
814 to descend)</em></span></p><p>Example: <b>dont descend = /proc,/dev</b></p></dd><dt><span class="term"><a name="DOSCHARSET"></a>dos charset (G)</span></dt><dd><p>DOS SMB clients assume the server has
815 the same charset as they do. This option specifies which
816 charset Samba should talk to DOS clients.
817 </p><p>The default depends on which charsets you have installed.
818 Samba tries to use charset 850 but falls back to ASCII in
819 case it is not available. Run <a href="testparm.1.html">testparm(1)</a> to check the default on your system.</p></dd><dt><span class="term"><a name="DOSFILEMODE"></a>dos filemode (S)</span></dt><dd><p> The default behavior in Samba is to provide
820 UNIX-like behavior where only the owner of a file/directory is
821 able to change the permissions on it. However, this behavior
822 is often confusing to DOS/Windows users. Enabling this parameter
823 allows a user who has write access to the file (by whatever
824 means) to modify the permissions on it. Note that a user
825 belonging to the group owning the file will not be allowed to
826 change permissions if the group is only granted read access.
827 Ownership of the file/directory is not changed, only the permissions
828 are modified.</p><p>Default: <b>dos filemode = no</b></p></dd><dt><span class="term"><a name="DOSFILETIMERESOLUTION"></a>dos filetime resolution (S)</span></dt><dd><p>Under the DOS and Windows FAT filesystem, the finest
829 granularity on time resolution is two seconds. Setting this parameter
830 for a share causes Samba to round the reported time down to the
831 nearest two second boundary when a query call that requires one second
832 resolution is made to <a href="smbd.8.html">smbd(8)</a>.</p><p>This option is mainly used as a compatibility option for Visual
833 C++ when used against Samba shares. If oplocks are enabled on a
834 share, Visual C++ uses two different time reading calls to check if a
835 file has changed since it was last read. One of these calls uses a
836 one-second granularity, the other uses a two second granularity. As
837 the two second call rounds any odd second down, then if the file has a
838 timestamp of an odd number of seconds then the two timestamps will not
839 match and Visual C++ will keep reporting the file has changed. Setting
840 this option causes the two timestamps to match, and Visual C++ is
841 happy.</p><p>Default: <b>dos filetime resolution = no</b></p></dd><dt><span class="term"><a name="DOSFILETIMES"></a>dos filetimes (S)</span></dt><dd><p>Under DOS and Windows, if a user can write to a
842 file they can change the timestamp on it. Under POSIX semantics,
843 only the owner of the file or root may change the timestamp. By
844 default, Samba runs with POSIX semantics and refuses to change the
845 timestamp on a file if the user <b>smbd</b> is acting
846 on behalf of is not the file owner. Setting this option to <tt>
847 yes</tt> allows DOS semantics and <a href="smbd.8.html">smbd(8)</a> will change the file
848 timestamp as DOS requires.</p><p>Default: <b>dos filetimes = no</b></p></dd><dt><span class="term"><a name="ENCRYPTPASSWORDS"></a>encrypt passwords (G)</span></dt><dd><p>This boolean controls whether encrypted passwords
849 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
850 above and also Windows 98 will by default expect encrypted passwords
851 unless a registry entry is changed. To use encrypted passwords in
852 Samba see the chapter "User Database" in the Samba HOWTO Collection. </p><p>In order for encrypted passwords to work correctly
853 <a href="smbd.8.html">smbd(8)</a> must either
854 have access to a local <a href="smbpasswd.5.html">smbpasswd(5)</a> file (see the <a href="smbpasswd.8.html">smbpasswd(8)</a> program for information on how to set up
855 and maintain this file), or set the <a href="#SECURITY">security = [server|domain|ads]</a> parameter which
856 causes <b>smbd</b> to authenticate against another
857 server.</p><p>Default: <b>encrypt passwords = yes</b></p></dd><dt><span class="term"><a name="ENHANCEDBROWSING"></a>enhanced browsing (G)</span></dt><dd><p>This option enables a couple of enhancements to
858 cross-subnet browse propagation that have been added in Samba
859 but which are not standard in Microsoft implementations.
860 </p><p>The first enhancement to browse propagation consists of a regular
861 wildcard query to a Samba WINS server for all Domain Master Browsers,
862 followed by a browse synchronization with each of the returned
863 DMBs. The second enhancement consists of a regular randomised browse
864 synchronization with all currently known DMBs.</p><p>You may wish to disable this option if you have a problem with empty
865 workgroups not disappearing from browse lists. Due to the restrictions
866 of the browse protocols these enhancements can cause a empty workgroup
867 to stay around forever which can be annoying.</p><p>In general you should leave this option enabled as it makes
868 cross-subnet browse propagation much more reliable.</p><p>Default: <b>enhanced browsing = yes</b></p></dd><dt><span class="term"><a name="ENUMPORTSCOMMAND"></a>enumports command (G)</span></dt><dd><p>The concept of a "port" is fairly foreign
869 to UNIX hosts. Under Windows NT/2000 print servers, a port
870 is associated with a port monitor and generally takes the form of
871 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
872 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
873 port defined--<tt>"Samba Printer Port"</tt>. Under
874 Windows NT/2000, all printers must have a valid port name.
875 If you wish to have a list of ports displayed (<b>smbd
876 </b> does not use a port name for anything) other than
877 the default <tt>"Samba Printer Port"</tt>, you
878 can define <i><tt>enumports command</tt></i> to point to
879 a program which should generate a list of ports, one per line,
880 to standard output. This listing will then be used in response
881 to the level 1 and 2 EnumPorts() RPC.</p><p>Default: <span class="emphasis"><em>no enumports command</em></span></p><p>Example: <b>enumports command = /usr/bin/listports</b></p></dd><dt><span class="term"><a name="EXEC"></a>exec (S)</span></dt><dd><p>This is a synonym for <a href="#PREEXEC">
882 <i><tt>preexec</tt></i></a>.</p></dd><dt><span class="term"><a name="FAKEDIRECTORYCREATETIMES"></a>fake directory create times (S)</span></dt><dd><p>NTFS and Windows VFAT file systems keep a create
883 time for all files and directories. This is not the same as the
884 ctime - status change time - that Unix keeps, so Samba by default
885 reports the earliest of the various times Unix does keep. Setting
886 this parameter for a share causes Samba to always report midnight
887 1-1-1980 as the create time for directories.</p><p>This option is mainly used as a compatibility option for
888 Visual C++ when used against Samba shares. Visual C++ generated
889 makefiles have the object directory as a dependency for each object
890 file, and a make rule to create the directory. Also, when NMAKE
891 compares timestamps it uses the creation time when examining a
892 directory. Thus the object directory will be created if it does not
893 exist, but once it does exist it will always have an earlier
894 timestamp than the object files it contains.</p><p>However, Unix time semantics mean that the create time
895 reported by Samba will be updated whenever a file is created or
896 or deleted in the directory. NMAKE finds all object files in
897 the object directory. The timestamp of the last one built is then
898 compared to the timestamp of the object directory. If the
899 directory's timestamp if newer, then all object files
900 will be rebuilt. Enabling this option
901 ensures directories always predate their contents and an NMAKE build
902 will proceed as expected.</p><p>Default: <b>fake directory create times = no</b></p></dd><dt><span class="term"><a name="FAKEOPLOCKS"></a>fake oplocks (S)</span></dt><dd><p>Oplocks are the way that SMB clients get permission
903 from a server to locally cache file operations. If a server grants
904 an oplock (opportunistic lock) then the client is free to assume
905 that it is the only one accessing the file and it will aggressively
906 cache file data. With some oplock types the client may even cache
907 file open/close operations. This can give enormous performance benefits.
908 </p><p>When you set <b>fake oplocks = yes</b>, <a href="smbd.8.html">smbd(8)</a> will
909 always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a href="#OPLOCKS">
910 <i><tt>oplocks</tt></i></a> support rather
911 than this parameter.</p><p>If you enable this option on all read-only shares or
912 shares that you know will only be accessed from one client at a
913 time such as physically read-only media like CDROMs, you will see
914 a big performance improvement on many operations. If you enable
915 this option on shares where multiple clients may be accessing the
916 files read-write at the same time you can get data corruption. Use
917 this option carefully!</p><p>Default: <b>fake oplocks = no</b></p></dd><dt><span class="term"><a name="FOLLOWSYMLINKS"></a>follow symlinks (S)</span></dt><dd><p>This parameter allows the Samba administrator
918 to stop <a href="smbd.8.html">smbd(8)</a> from following symbolic
919 links in a particular share. Setting this
920 parameter to <tt>no</tt> prevents any file or directory
921 that is a symbolic link from being followed (the user will get an
922 error). This option is very useful to stop users from adding a
923 symbolic link to <tt>/etc/passwd</tt> in their home
924 directory for instance. However it will slow filename lookups
925 down slightly.</p><p>This option is enabled (i.e. <b>smbd</b> will
926 follow symbolic links) by default.</p><p>Default: <b>follow symlinks = yes</b></p></dd><dt><span class="term"><a name="FORCECREATEMODE"></a>force create mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit
927 permissions that will <span class="emphasis"><em>always</em></span> be set on a
928 file created by Samba. This is done by bitwise 'OR'ing these bits onto
929 the mode bits of a file that is being created or having its
930 permissions changed. The default for this parameter is (in octal)
931 000. The modes in this parameter are bitwise 'OR'ed onto the file
932 mode after the mask set in the <i><tt>create mask</tt></i>
933 parameter is applied.</p><p>See also the parameter <a href="#CREATEMASK"><i><tt>create
934 mask</tt></i></a> for details on masking mode bits on files.</p><p>See also the <a href="#INHERITPERMISSIONS"><i><tt>inherit
935 permissions</tt></i></a> parameter.</p><p>Default: <b>force create mode = 000</b></p><p>Example: <b>force create mode = 0755</b></p><p>would force all created files to have read and execute
936 permissions set for 'group' and 'other' as well as the
937 read/write/execute bits set for the 'user'.</p></dd><dt><span class="term"><a name="FORCEDIRECTORYMODE"></a>force directory mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit
938 permissions that will <span class="emphasis"><em>always</em></span> be set on a directory
939 created by Samba. This is done by bitwise 'OR'ing these bits onto the
940 mode bits of a directory that is being created. The default for this
941 parameter is (in octal) 0000 which will not add any extra permission
942 bits to a created directory. This operation is done after the mode
943 mask in the parameter <i><tt>directory mask</tt></i> is
944 applied.</p><p>See also the parameter <a href="#DIRECTORYMASK"><i><tt>
945 directory mask</tt></i></a> for details on masking mode bits
946 on created directories.</p><p>See also the <a href="#INHERITPERMISSIONS"><i><tt>
947 inherit permissions</tt></i></a> parameter.</p><p>Default: <b>force directory mode = 000</b></p><p>Example: <b>force directory mode = 0755</b></p><p>would force all created directories to have read and execute
948 permissions set for 'group' and 'other' as well as the
949 read/write/execute bits set for the 'user'.</p></dd><dt><span class="term"><a name="FORCEDIRECTORYSECURITYMODE"></a>force directory security mode (S)</span></dt><dd><p>This parameter controls what UNIX permission bits
950 can be modified when a Windows NT client is manipulating the UNIX
951 permission on a directory using the native NT security dialog box.</p><p>This parameter is applied as a mask (OR'ed with) to the
952 changed permission bits, thus forcing any bits in this mask that
953 the user may have modified to be on. Essentially, one bits in this
954 mask may be treated as a set of bits that, when modifying security
955 on a directory, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is 000, which
956 allows a user to modify all the user/group/world permissions on a
957 directory without restrictions.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the
958 Samba server through other means can easily bypass this restriction,
959 so it is primarily useful for standalone "appliance" systems.
960 Administrators of most normal systems will probably want to leave
961 it set as 0000.</p><p>See also the <a href="#DIRECTORYSECURITYMASK"><i><tt>
962 directory security mask</tt></i></a>, <a href="#SECURITYMASK">
963 <i><tt>security mask</tt></i></a>,
964 <a href="#FORCESECURITYMODE"><i><tt>force security mode
965 </tt></i></a> parameters.</p><p>Default: <b>force directory security mode = 0</b></p><p>Example: <b>force directory security mode = 700</b></p></dd><dt><span class="term"><a name="FORCEGROUP"></a>force group (S)</span></dt><dd><p>This specifies a UNIX group name that will be
966 assigned as the default primary group for all users connecting
967 to this service. This is useful for sharing files by ensuring
968 that all access to files on service will use the named group for
969 their permissions checking. Thus, by assigning permissions for this
970 group to the files and directories within this service the Samba
971 administrator can restrict or allow sharing of these files.</p><p>In Samba 2.0.5 and above this parameter has extended
972 functionality in the following way. If the group name listed here
973 has a '+' character prepended to it then the current user accessing
974 the share only has the primary group default assigned to this group
975 if they are already assigned as a member of that group. This allows
976 an administrator to decide that only users who are already in a
977 particular group will create files with group ownership set to that
978 group. This gives a finer granularity of ownership assignment. For
979 example, the setting <tt>force group = +sys</tt> means
980 that only users who are already in group sys will have their default
981 primary group assigned to sys when accessing this Samba share. All
982 other users will retain their ordinary primary group.</p><p>If the <a href="#FORCEUSER"><i><tt>force user</tt></i>
983 </a> parameter is also set the group specified in
984 <i><tt>force group</tt></i> will override the primary group
985 set in <i><tt>force user</tt></i>.</p><p>See also <a href="#FORCEUSER"><i><tt>force user</tt></i></a>.</p><p>Default: <span class="emphasis"><em>no forced group</em></span></p><p>Example: <b>force group = agroup</b></p></dd><dt><span class="term"><a name="FORCESECURITYMODE"></a>force security mode (S)</span></dt><dd><p>This parameter controls what UNIX permission
986 bits can be modified when a Windows NT client is manipulating
987 the UNIX permission on a file using the native NT security dialog
988 box.</p><p>This parameter is applied as a mask (OR'ed with) to the
989 changed permission bits, thus forcing any bits in this mask that
990 the user may have modified to be on. Essentially, one bits in this
991 mask may be treated as a set of bits that, when modifying security
992 on a file, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is set to 0,
993 and allows a user to modify all the user/group/world permissions on a file,
994 with no restrictions.</p><p><span class="emphasis"><em>Note</em></span> that users who can access
995 the Samba server through other means can easily bypass this restriction,
996 so it is primarily useful for standalone "appliance" systems.
997 Administrators of most normal systems will probably want to leave
998 this set to 0000.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE"><i><tt>
999 force directory security mode</tt></i></a>,
1000 <a href="#DIRECTORYSECURITYMASK"><i><tt>directory security
1001 mask</tt></i></a>, <a href="#SECURITYMASK"><i><tt>
1002 security mask</tt></i></a> parameters.</p><p>Default: <b>force security mode = 0</b></p><p>Example: <b>force security mode = 700</b></p></dd><dt><span class="term"><a name="FORCEUSER"></a>force user (S)</span></dt><dd><p>This specifies a UNIX user name that will be
1003 assigned as the default user for all users connecting to this service.
1004 This is useful for sharing files. You should also use it carefully
1005 as using it incorrectly can cause security problems.</p><p>This user name only gets used once a connection is established.
1006 Thus clients still need to connect as a valid user and supply a
1007 valid password. Once connected, all file operations will be performed
1008 as the "forced user", no matter what username the client connected
1009 as. This can be very useful.</p><p>In Samba 2.0.5 and above this parameter also causes the
1010 primary group of the forced user to be used as the primary group
1011 for all file activity. Prior to 2.0.5 the primary group was left
1012 as the primary group of the connecting user (this was a bug).</p><p>See also <a href="#FORCEGROUP"><i><tt>force group</tt></i></a></p><p>Default: <span class="emphasis"><em>no forced user</em></span></p><p>Example: <b>force user = auser</b></p></dd><dt><span class="term"><a name="FSTYPE"></a>fstype (S)</span></dt><dd><p>This parameter allows the administrator to
1013 configure the string that specifies the type of filesystem a share
1014 is using that is reported by <a href="smbd.8.html">smbd(8)</a> when a client queries the filesystem type
1015 for a share. The default type is <tt>NTFS</tt> for
1016 compatibility with Windows NT but this can be changed to other
1017 strings such as <tt>Samba</tt> or <tt>FAT
1018 </tt> if required.</p><p>Default: <b>fstype = NTFS</b></p><p>Example: <b>fstype = Samba</b></p></dd><dt><span class="term"><a name="GETWDCACHE"></a>getwd cache (G)</span></dt><dd><p>This is a tuning option. When this is enabled a
1019 caching algorithm will be used to reduce the time taken for getwd()
1020 calls. This can have a significant impact on performance, especially
1021 when the <a href="#WIDELINKS"><i><tt>wide links</tt></i>
1022 </a> parameter is set to <tt>no</tt>.</p><p>Default: <b>getwd cache = yes</b></p></dd><dt><span class="term"><a name="GROUP"></a>group (S)</span></dt><dd><p>Synonym for <a href="#FORCEGROUP">
1023 <i><tt>force group</tt></i></a>.</p></dd><dt><span class="term"><a name="GUESTACCOUNT"></a>guest account (G,S)</span></dt><dd><p>This is a username which will be used for access
1024 to services which are specified as <a href="#GUESTOK"><i><tt>
1025 guest ok</tt></i></a> (see below). Whatever privileges this
1026 user has will be available to any client connecting to the guest service.
1027 Typically this user will exist in the password file, but will not
1028 have a valid login. The user account "ftp" is often a good choice
1029 for this parameter. If a username is specified in a given service,
1030 the specified username overrides this one.
1031 </p><p>One some systems the default guest account "nobody" may not
1032 be able to print. Use another account in this case. You should test
1033 this by trying to log in as your guest user (perhaps by using the
1034 <b>su -</b> command) and trying to print using the
1035 system print command such as <b>lpr(1)</b> or <b>
1036 lp(1)</b>.</p><p>This parameter does not accept % macros, because
1037 many parts of the system require this value to be
1038 constant for correct operation.</p><p>Default: <span class="emphasis"><em>specified at compile time, usually "nobody"</em></span></p><p>Example: <b>guest account = ftp</b></p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <tt>yes</tt> for
1039 a service, then no password is required to connect to the service.
1040 Privileges will be those of the <a href="#GUESTACCOUNT"><i><tt>
1041 guest account</tt></i></a>.</p><p>This paramater nullifies the benifits of setting
1042 <a href="#RESTRICTANONYMOUS"><i><tt>restrict
1043 anonymous</tt></i></a> = 2</p><p>See the section below on <a href="#SECURITY"><i><tt>
1044 security</tt></i></a> for more information about this option.
1045 </p><p>Default: <b>guest ok = no</b></p></dd><dt><span class="term"><a name="GUESTONLY"></a>guest only (S)</span></dt><dd><p>If this parameter is <tt>yes</tt> for
1046 a service, then only guest connections to the service are permitted.
1047 This parameter will have no effect if <a href="#GUESTOK">
1048 <i><tt>guest ok</tt></i></a> is not set for the service.</p><p>See the section below on <a href="#SECURITY"><i><tt>
1049 security</tt></i></a> for more information about this option.
1050 </p><p>Default: <b>guest only = no</b></p></dd><dt><span class="term"><a name="HIDEDOTFILES"></a>hide dot files (S)</span></dt><dd><p>This is a boolean parameter that controls whether
1051 files starting with a dot appear as hidden files.</p><p>Default: <b>hide dot files = yes</b></p></dd><dt><span class="term"><a name="HIDEFILES"></a>hide files (S)</span></dt><dd><p>This is a list of files or directories that are not
1052 visible but are accessible. The DOS 'hidden' attribute is applied
1053 to any files or directories that match.</p><p>Each entry in the list must be separated by a '/',
1054 which allows spaces to be included in the entry. '*'
1055 and '?' can be used to specify multiple files or directories
1056 as in DOS wildcards.</p><p>Each entry must be a Unix path, not a DOS path and must
1057 not include the Unix directory separator '/'.</p><p>Note that the case sensitivity option is applicable
1058 in hiding files.</p><p>Setting this parameter will affect the performance of Samba,
1059 as it will be forced to check all files and directories for a match
1060 as they are scanned.</p><p>See also <a href="#HIDEDOTFILES"><i><tt>hide
1061 dot files</tt></i></a>, <a href="#VETOFILES"><i><tt>
1062 veto files</tt></i></a> and <a href="#CASESENSITIVE">
1063 <i><tt>case sensitive</tt></i></a>.</p><p>Default: <span class="emphasis"><em>no file are hidden</em></span></p><p>Example: <b>hide files =
1064 /.*/DesktopFolderDB/TrashFor%m/resource.frk/</b></p><p>The above example is based on files that the Macintosh
1065 SMB client (DAVE) available from <a href="http://www.thursby.com" target="_top">
1066 Thursby</a> creates for internal use, and also still hides
1067 all files beginning with a dot.</p></dd><dt><span class="term"><a name="HIDELOCALUSERS"></a>hide local users (G)</span></dt><dd><p>This parameter toggles the hiding of local UNIX
1068 users (root, wheel, floppy, etc) from remote clients.</p><p>Default: <b>hide local users = no</b></p></dd><dt><span class="term"><a name="HIDESPECIALFILES"></a>hide special files (S)</span></dt><dd><p>This parameter prevents clients from seeing
1069 special files such as sockets, devices and fifo's in directory
1071 </p><p>Default: <b>hide special files = no</b></p></dd><dt><span class="term"><a name="HIDEUNREADABLE"></a>hide unreadable (S)</span></dt><dd><p>This parameter prevents clients from seeing the
1072 existance of files that cannot be read. Defaults to off.</p><p>Default: <b>hide unreadable = no</b></p></dd><dt><span class="term"><a name="HIDEUNWRITEABLEFILES"></a>hide unwriteable files (S)</span></dt><dd><p>This parameter prevents clients from seeing
1073 the existance of files that cannot be written to. Defaults to off.
1074 Note that unwriteable directories are shown as usual.
1075 </p><p>Default: <b>hide unwriteable = no</b></p></dd><dt><span class="term"><a name="HOMEDIRMAP"></a>homedir map (G)</span></dt><dd><p>If<a href="#NISHOMEDIR"><i><tt>nis homedir
1076 </tt></i></a> is <tt>yes</tt>, and <a href="smbd.8.html">smbd(8)</a> is also acting
1077 as a Win95/98 <i><tt>logon server</tt></i> then this parameter
1078 specifies the NIS (or YP) map from which the server for the user's
1079 home directory should be extracted. At present, only the Sun
1080 auto.home map format is understood. The form of the map is:</p><p><b>username server:/some/file/system</b></p><p>and the program will extract the servername from before
1081 the first ':'. There should probably be a better parsing system
1082 that copes with different map formats and also Amd (another
1083 automounter) maps.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>A working NIS client is required on
1084 the system for this option to work.</p></div><p>See also <a href="#NISHOMEDIR"><i><tt>nis homedir</tt></i>
1085 </a>, <a href="#DOMAINLOGONS"><i><tt>domain logons</tt></i>
1086 </a>.</p><p>Default: <b>homedir map = <empty string></b></p><p>Example: <b>homedir map = amd.homedir</b></p></dd><dt><span class="term"><a name="HOSTMSDFS"></a>host msdfs (G)</span></dt><dd><p>This boolean parameter is only available
1087 if Samba has been configured and compiled with the <b>
1088 --with-msdfs</b> option. If set to <tt>yes</tt>,
1089 Samba will act as a Dfs server, and allow Dfs-aware clients
1090 to browse Dfs trees hosted on the server.</p><p>See also the <a href="#MSDFSROOT"><i><tt>
1091 msdfs root</tt></i></a> share level parameter. For
1092 more information on setting up a Dfs tree on Samba,
1093 refer to <a href="msdfs_setup.html" target="_top">msdfs_setup.html</a>.
1094 </p><p>Default: <b>host msdfs = no</b></p></dd><dt><span class="term"><a name="HOSTNAMELOOKUPS"></a>hostname lookups (G)</span></dt><dd><p>Specifies whether samba should use (expensive)
1095 hostname lookups or use the ip addresses instead. An example place
1096 where hostname lookups are currently used is when checking
1097 the <b>hosts deny</b> and <b>hosts allow</b>.
1098 </p><p>Default: <b>hostname lookups = yes</b></p><p>Example: <b>hostname lookups = no</b></p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <i><tt>allow
1099 hosts</tt></i>.</p><p>This parameter is a comma, space, or tab delimited
1100 set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will
1101 apply to all services, regardless of whether the individual
1102 service has a different setting.</p><p>You can specify the hosts by name or IP number. For
1103 example, you could restrict access to only the hosts on a
1104 Class C subnet with something like <b>allow hosts = 150.203.5.
1105 </b>. The full syntax of the list is described in the man
1106 page <tt>hosts_access(5)</tt>. Note that this man
1107 page may not be present on your system, so a brief description will
1108 be given here also.</p><p>Note that the localhost address 127.0.0.1 will always
1109 be allowed access unless specifically denied by a <a href="#HOSTSDENY">
1110 <i><tt>hosts deny</tt></i></a> option.</p><p>You can also specify hosts by network/netmask pairs and
1111 by netgroup names if your system supports netgroups. The
1112 <span class="emphasis"><em>EXCEPT</em></span> keyword can also be used to limit a
1113 wildcard list. The following examples may provide some help:</p><p>Example 1: allow all IPs in 150.203.*.*; except one</p><p><b>hosts allow = 150.203. EXCEPT 150.203.6.66</b></p><p>Example 2: allow hosts that match the given network/netmask</p><p><b>hosts allow = 150.203.15.0/255.255.255.0</b></p><p>Example 3: allow a couple of hosts</p><p><b>hosts allow = lapland, arvidsjaur</b></p><p>Example 4: allow only hosts in NIS netgroup "foonet", but
1114 deny access from one particular host</p><p><b>hosts allow = @foonet</b></p><p><b>hosts deny = pirate</b></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that access still requires suitable user-level passwords.</p></div><p>See <a href="testparm.1.html">testparm(1)</a> for a way of testing your host access
1115 to see if it does what you expect.</p><p>Default: <span class="emphasis"><em>none (i.e., all hosts permitted access)</em></span></p><p>Example: <b>allow hosts = 150.203.5. myhost.mynet.edu.au</b></p></dd><dt><span class="term"><a name="HOSTSDENY"></a>hosts deny (S)</span></dt><dd><p>The opposite of <i><tt>hosts allow</tt></i>
1116 - hosts listed here are <span class="emphasis"><em>NOT</em></span> permitted access to
1117 services unless the specific services have their own lists to override
1118 this one. Where the lists conflict, the <i><tt>allow</tt></i>
1119 list takes precedence.</p><p>Default: <span class="emphasis"><em>none (i.e., no hosts specifically excluded)</em></span></p><p>Example: <b>hosts deny = 150.203.4. badhost.mynet.edu.au</b></p></dd><dt><span class="term"><a name="HOSTSEQUIV"></a>hosts equiv (G)</span></dt><dd><p>If this global parameter is a non-null string,
1120 it specifies the name of a file to read for the names of hosts
1121 and users who will be allowed access without specifying a password.
1122 </p><p>This is not be confused with <a href="#HOSTSALLOW">
1123 <i><tt>hosts allow</tt></i></a> which is about hosts
1124 access to services and is more useful for guest services. <i><tt>
1125 hosts equiv</tt></i> may be useful for NT clients which will
1126 not supply passwords to Samba.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The use of <i><tt>hosts equiv
1127 </tt></i> can be a major security hole. This is because you are
1128 trusting the PC to supply the correct username. It is very easy to
1129 get a PC to supply a false username. I recommend that the
1130 <i><tt>hosts equiv</tt></i> option be only used if you really
1131 know what you are doing, or perhaps on a home network where you trust
1132 your spouse and kids. And only if you <span class="emphasis"><em>really</em></span> trust
1133 them :-).</p></div><p>Default: <span class="emphasis"><em>no host equivalences</em></span></p><p>Example: <b>hosts equiv = /etc/hosts.equiv</b></p></dd><dt><span class="term"><a name="INCLUDE"></a>include (G)</span></dt><dd><p>This allows you to include one config file
1134 inside another. The file is included literally, as though typed
1135 in place.</p><p>It takes the standard substitutions, except <i><tt>%u
1136 </tt></i>, <i><tt>%P</tt></i> and <i><tt>%S</tt></i>.
1137 </p><p>Default: <span class="emphasis"><em>no file included</em></span></p><p>Example: <b>include = /usr/local/samba/lib/admin_smb.conf</b></p></dd><dt><span class="term"><a name="INHERITACLS"></a>inherit acls (S)</span></dt><dd><p>This parameter can be used to ensure that if default acls
1138 exist on parent directories, they are always honored when creating a
1139 subdirectory. The default behavior is to use the mode specified when
1140 creating the directory. Enabling this option sets the mode to 0777,
1141 thus guaranteeing that default directory acls are propagated.
1142 </p><p>Default: <b>inherit acls = no</b>
1143 </p></dd><dt><span class="term"><a name="INHERITPERMISSIONS"></a>inherit permissions (S)</span></dt><dd><p>The permissions on new files and directories
1144 are normally governed by <a href="#CREATEMASK"><i><tt>
1145 create mask</tt></i></a>, <a href="#DIRECTORYMASK">
1146 <i><tt>directory mask</tt></i></a>, <a href="#FORCECREATEMODE">
1147 <i><tt>force create mode</tt></i>
1148 </a> and <a href="#FORCEDIRECTORYMODE"><i><tt>force
1149 directory mode</tt></i></a> but the boolean inherit
1150 permissions parameter overrides this.</p><p>New directories inherit the mode of the parent directory,
1151 including bits such as setgid.</p><p>New files inherit their read/write bits from the parent
1152 directory. Their execute bits continue to be determined by
1153 <a href="#MAPARCHIVE"><i><tt>map archive</tt></i>
1154 </a>, <a href="#MAPHIDDEN"><i><tt>map hidden</tt></i>
1155 </a> and <a href="#MAPSYSTEM"><i><tt>map system</tt></i>
1156 </a> as usual.</p><p>Note that the setuid bit is <span class="emphasis"><em>never</em></span> set via
1157 inheritance (the code explicitly prohibits this).</p><p>This can be particularly useful on large systems with
1158 many users, perhaps several thousand, to allow a single [homes]
1159 share to be used flexibly by each user.</p><p>See also <a href="#CREATEMASK"><i><tt>create mask
1160 </tt></i></a>, <a href="#DIRECTORYMASK"><i><tt>
1161 directory mask</tt></i></a>, <a href="#FORCECREATEMODE">
1162 <i><tt>force create mode</tt></i></a> and <a href="#FORCEDIRECTORYMODE">
1163 <i><tt>force directory mode</tt></i>
1164 </a>.</p><p>Default: <b>inherit permissions = no</b></p></dd><dt><span class="term"><a name="INTERFACES"></a>interfaces (G)</span></dt><dd><p>This option allows you to override the default
1165 network interfaces list that Samba will use for browsing, name
1166 registration and other NBT traffic. By default Samba will query
1167 the kernel for the list of all active interfaces and use any
1168 interfaces except 127.0.0.1 that are broadcast capable.</p><p>The option takes a list of interface strings. Each string
1169 can be in any of the following forms:</p><div class="itemizedlist"><ul type="disc"><li><p>a network interface name (such as eth0).
1170 This may include shell-like wildcards so eth* will match
1171 any interface starting with the substring "eth"</p></li><li><p>an IP address. In this case the netmask is
1172 determined from the list of interfaces obtained from the
1173 kernel</p></li><li><p>an IP/mask pair. </p></li><li><p>a broadcast/mask pair.</p></li></ul></div><p>The "mask" parameters can either be a bit length (such
1174 as 24 for a C class network) or a full netmask in dotted
1175 decimal form.</p><p>The "IP" parameters above can either be a full dotted
1176 decimal IP address or a hostname which will be looked up via
1177 the OS's normal hostname resolution mechanisms.</p><p>For example, the following line:</p><p><b>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</b></p><p>would configure three network interfaces corresponding
1178 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
1179 The netmasks of the latter two interfaces would be set to 255.255.255.0.</p><p>See also <a href="#BINDINTERFACESONLY"><i><tt>bind
1180 interfaces only</tt></i></a>.</p><p>Default: <span class="emphasis"><em>all active interfaces except 127.0.0.1
1181 that are broadcast capable</em></span></p></dd><dt><span class="term"><a name="INVALIDUSERS"></a>invalid users (S)</span></dt><dd><p>This is a list of users that should not be allowed
1182 to login to this service. This is really a <span class="emphasis"><em>paranoid</em></span>
1183 check to absolutely ensure an improper setting does not breach
1184 your security.</p><p>A name starting with a '@' is interpreted as an NIS
1185 netgroup first (if your system supports NIS), and then as a UNIX
1186 group if the name was not found in the NIS netgroup database.</p><p>A name starting with '+' is interpreted only
1187 by looking in the UNIX group database. A name starting with
1188 '&' is interpreted only by looking in the NIS netgroup database
1189 (this requires NIS to be working on your system). The characters
1190 '+' and '&' may be used at the start of the name in either order
1191 so the value <i><tt>+&group</tt></i> means check the
1192 UNIX group database, followed by the NIS netgroup database, and
1193 the value <i><tt>&+group</tt></i> means check the NIS
1194 netgroup database, followed by the UNIX group database (the
1195 same as the '@' prefix).</p><p>The current servicename is substituted for <i><tt>%S</tt></i>.
1196 This is useful in the [homes] section.</p><p>See also <a href="#VALIDUSERS"><i><tt>valid users
1197 </tt></i></a>.</p><p>Default: <span class="emphasis"><em>no invalid users</em></span></p><p>Example: <b>invalid users = root fred admin @wheel</b></p></dd><dt><span class="term"><a name="KEEPALIVE"></a>keepalive (G)</span></dt><dd><p>The value of the parameter (an integer) represents
1198 the number of seconds between <i><tt>keepalive</tt></i>
1199 packets. If this parameter is zero, no keepalive packets will be
1200 sent. Keepalive packets, if sent, allow the server to tell whether
1201 a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket
1202 being used has the SO_KEEPALIVE attribute set on it (see <a href="#SOCKETOPTIONS">
1203 <i><tt>socket options</tt></i></a>).
1204 Basically you should only use this option if you strike difficulties.</p><p>Default: <b>keepalive = 300</b></p><p>Example: <b>keepalive = 600</b></p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a href="#OPLOCKS">
1205 <i><tt>oplocks</tt></i></a>
1206 (currently only IRIX and the Linux 2.4 kernel), this parameter
1207 allows the use of them to be turned on or off.</p><p>Kernel oplocks support allows Samba <i><tt>oplocks
1208 </tt></i> to be broken whenever a local UNIX process or NFS operation
1209 accesses a file that <a href="smbd.8.html">smbd(8)</a> has oplocked. This allows complete
1210 data consistency between SMB/CIFS, NFS and local file access (and is
1211 a <span class="emphasis"><em>very</em></span> cool feature :-).</p><p>This parameter defaults to <tt>on</tt>, but is translated
1212 to a no-op on systems that no not have the necessary kernel support.
1213 You should never need to touch this parameter.</p><p>See also the <a href="#OPLOCKS"><i><tt>oplocks</tt></i>
1214 </a> and <a href="#LEVEL2OPLOCKS"><i><tt>level2 oplocks
1215 </tt></i></a> parameters.</p><p>Default: <b>kernel oplocks = yes</b></p></dd><dt><span class="term"><a name="LANMANAUTH"></a>lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html">smbd(8)</a> will attempt to authenticate users
1216 using the LANMAN password hash. If disabled, only clients which support NT
1217 password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
1218 Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</p><p>Default : <b>lanman auth = yes</b></p></dd><dt><span class="term"><a name="LARGEREADWRITE"></a>large readwrite (G)</span></dt><dd><p>This parameter determines whether or not
1219 <a href="smbd.8.html">smbd(8)</a> supports the new 64k
1220 streaming read and write varient SMB requests introduced with
1221 Windows 2000. Note that due to Windows 2000 client redirector bugs
1222 this requires Samba to be running on a 64-bit capable operating
1223 system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve
1224 performance by 10% with Windows 2000 clients. Defaults to on. Not as
1225 tested as some other Samba code paths.</p><p>Default: <b>large readwrite = yes</b></p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p> The <i><tt>ldap admin dn</tt></i>
1226 defines the Distinguished Name (DN) name used by Samba to
1227 contact the ldap server when retreiving user account
1228 information. The <i><tt>ldap admin
1229 dn</tt></i> is used in conjunction with the admin dn password
1230 stored in the <tt>private/secrets.tdb</tt> file.
1231 See the <a href="smbpasswd.8.html">smbpasswd(8)</a> man page for more
1232 information on how to accmplish this.</p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete
1233 operation in the ldapsam deletes the complete entry or only the attributes
1235 </p><p>Default: <span class="emphasis"><em>ldap delete dn = no</em></span></p></dd><dt><span class="term"><a name="LDAPFILTER"></a>ldap filter (G)</span></dt><dd><p>This parameter specifies the RFC 2254 compliant LDAP search filter.
1236 The default is to match the login name with the <tt>uid</tt>
1237 attribute for all entries matching the <tt>sambaAccount</tt>
1238 objectclass. Note that this filter should only return one entry.
1239 </p><p>Default: <b>ldap filter = (&(uid=%u)(objectclass=sambaAccount))</b></p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p>It specifies where machines should be added to the ldap tree.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPPASSWDSYNC"></a>ldap passwd sync (G)</span></dt><dd><p>This option is used to define whether
1240 or not Samba should sync the LDAP password with the NT
1241 and LM hashes for normal accounts (NOT for
1242 workstation, server or domain trusts) on a password
1244 </p><p>The <i><tt>ldap passwd
1245 sync</tt></i> can be set to one of three values: </p><div class="itemizedlist"><ul type="disc"><li><p><i><tt>Yes</tt></i> = Try
1246 to update the LDAP, NT and LM passwords and update the pwdLastSet time.</p></li><li><p><i><tt>No</tt></i> = Update NT and
1247 LM passwords and update the pwdLastSet time.</p></li><li><p><i><tt>Only</tt></i> = Only update
1248 the LDAP password and let the LDAP server do the rest.</p></li></ul></div><p>Default: <b>ldap passwd sync = no</b></p></dd><dt><span class="term"><a name="LDAPPORT"></a>ldap port (G)</span></dt><dd><p>This parameter is only available if Samba has been
1249 configure to include the <b>--with-ldapsam</b> option
1250 at compile time.</p><p>This option is used to control the tcp port number used to contact
1251 the <a href="#LDAPSERVER"><i><tt>ldap server</tt></i></a>.
1252 The default is to use the stand LDAPS port 636.</p><p>See Also: <a href="#LDAPSSL">ldap ssl</a></p><p>Default : <b>ldap port = 636 ; if ldap ssl = on</b></p><p>Default : <b>ldap port = 389 ; if ldap ssl = off</b></p></dd><dt><span class="term"><a name="LDAPSERVER"></a>ldap server (G)</span></dt><dd><p>This parameter is only available if Samba has been
1253 configure to include the <b>--with-ldapsam</b>
1254 option at compile time.</p><p>This parameter should contain the FQDN of the ldap directory
1255 server which should be queried to locate user account information.
1256 </p><p>Default : <b>ldap server = localhost</b></p></dd><dt><span class="term"><a name="LDAPSSL"></a>ldap ssl (G)</span></dt><dd><p>This option is used to define whether or not Samba should
1257 use SSL when connecting to the ldap server
1258 This is <span class="emphasis"><em>NOT</em></span> related to
1259 Samba's previous SSL support which was enabled by specifying the
1260 <b>--with-ssl</b> option to the <tt>configure</tt>
1261 script.</p><p>The <i><tt>ldap ssl</tt></i> can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><i><tt>Off</tt></i> = Never
1262 use SSL when querying the directory.</p></li><li><p><i><tt>Start_tls</tt></i> = Use
1263 the LDAPv3 StartTLS extended operation (RFC2830) for
1264 communicating with the directory server.</p></li><li><p><i><tt>On</tt></i> = Use SSL
1265 on the ldaps port when contacting the <i><tt>ldap server</tt></i>. Only available when the
1266 backwards-compatiblity <b>--with-ldapsam</b> option is specified
1267 to configure. See <a href="#PASSDBBACKEND"><i><tt>passdb backend</tt></i></a></p></li></ul></div><p>Default : <b>ldap ssl = start_tls</b></p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies where user and machine accounts are added to the
1268 tree. Can be overriden by <b>ldap user
1269 suffix</b> and <b>ldap machine
1270 suffix</b>. It also used as the base dn for all ldap
1271 searches. </p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPTRUSTIDS"></a>ldap trust ids (G)</span></dt><dd><p>Normally, Samba validates each entry in the LDAP server
1272 against getpwnam(). This allows LDAP to be used for Samba with
1273 the unix system using NIS (for example) and also ensures that
1274 Samba does not present accounts that do not otherwise exist.
1275 </p><p>This option is used to disable this functionality, and
1276 instead to rely on the presence of the appropriate attributes
1277 in LDAP directly, which can result in a significant performance
1278 boost in some situations. Setting this option to yes effectivly
1279 assumes that the local machine is running <b>nss_ldap</b> against the same LDAP
1280 server.</p><p>Default: <b>ldap trust ids = No</b></p></dd><dt><span class="term"><a name="LDAPUSERSUFFIX"></a>ldap user suffix (G)</span></dt><dd><p>It specifies where users are added to the tree.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LEVEL2OPLOCKS"></a>level2 oplocks (S)</span></dt><dd><p>This parameter controls whether Samba supports
1281 level2 (read-only) oplocks on a share.</p><p>Level2, or read-only oplocks allow Windows NT clients
1282 that have an oplock on a file to downgrade from a read-write oplock
1283 to a read-only oplock once a second client opens the file (instead
1284 of releasing all oplocks on a second open, as in traditional,
1285 exclusive oplocks). This allows all openers of the file that
1286 support level2 oplocks to cache the file for read-ahead only (ie.
1287 they may not cache writes or lock requests) and increases performance
1288 for many accesses of files that are not commonly written (such as
1289 application .EXE files).</p><p>Once one of the clients which have a read-only oplock
1290 writes to the file all clients are notified (no reply is needed
1291 or waited for) and told to break their oplocks to "none" and
1292 delete any read-ahead caches.</p><p>It is recommended that this parameter be turned on to
1293 speed access to shared executables.</p><p>For more discussions on level2 oplocks see the CIFS spec.</p><p>Currently, if <a href="#KERNELOPLOCKS"><i><tt>kernel
1294 oplocks</tt></i></a> are supported then level2 oplocks are
1295 not granted (even if this parameter is set to <tt>yes</tt>).
1296 Note also, the <a href="#OPLOCKS"><i><tt>oplocks</tt></i>
1297 </a> parameter must be set to <tt>yes</tt> on this share in order for
1298 this parameter to have any effect.</p><p>See also the <a href="#OPLOCKS"><i><tt>oplocks</tt></i>
1299 </a> and <a href="#OPLOCKS"><i><tt>kernel oplocks</tt></i>
1300 </a> parameters.</p><p>Default: <b>level2 oplocks = yes</b></p></dd><dt><span class="term"><a name="LMANNOUNCE"></a>lm announce (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html">nmbd(8)</a> will produce Lanman announce
1301 broadcasts that are needed by OS/2 clients in order for them to see
1302 the Samba server in their browse list. This parameter can have three
1303 values, <tt>yes</tt>, <tt>no</tt>, or
1304 <tt>auto</tt>. The default is <tt>auto</tt>.
1305 If set to <tt>no</tt> Samba will never produce these
1306 broadcasts. If set to <tt>yes</tt> Samba will produce
1307 Lanman announce broadcasts at a frequency set by the parameter
1308 <i><tt>lm interval</tt></i>. If set to <tt>auto</tt>
1309 Samba will not send Lanman announce broadcasts by default but will
1310 listen for them. If it hears such a broadcast on the wire it will
1311 then start sending them at a frequency set by the parameter
1312 <i><tt>lm interval</tt></i>.</p><p>See also <a href="#LMINTERVAL"><i><tt>lm interval</tt></i></a>.</p><p>Default: <b>lm announce = auto</b></p><p>Example: <b>lm announce = yes</b></p></dd><dt><span class="term"><a name="LMINTERVAL"></a>lm interval (G)</span></dt><dd><p>If Samba is set to produce Lanman announce
1313 broadcasts needed by OS/2 clients (see the <a href="#LMANNOUNCE">
1314 <i><tt>lm announce</tt></i></a> parameter) then this
1315 parameter defines the frequency in seconds with which they will be
1316 made. If this is set to zero then no Lanman announcements will be
1317 made despite the setting of the <i><tt>lm announce</tt></i>
1318 parameter.</p><p>See also <a href="#LMANNOUNCE"><i><tt>lm announce</tt></i></a>.</p><p>Default: <b>lm interval = 60</b></p><p>Example: <b>lm interval = 120</b></p></dd><dt><span class="term"><a name="LOADPRINTERS"></a>load printers (G)</span></dt><dd><p>A boolean variable that controls whether all
1319 printers in the printcap will be loaded for browsing by default.
1320 See the <a href="#PRINTERSSECT" title="The [printers] section">printers</a> section for
1321 more details.</p><p>Default: <b>load printers = yes</b></p></dd><dt><span class="term"><a name="LOCALMASTER"></a>local master (G)</span></dt><dd><p>This option allows <a href="nmbd.8.html">nmbd(8)</a> to try and become a local master browser
1322 on a subnet. If set to <tt>no</tt> then <b>
1323 nmbd</b> will not attempt to become a local master browser
1324 on a subnet and will also lose in all browsing elections. By
1325 default this value is set to <tt>yes</tt>. Setting this value to
1326 <tt>yes</tt> doesn't mean that Samba will <span class="emphasis"><em>become</em></span> the
1327 local master browser on a subnet, just that <b>nmbd</b>
1328 will <span class="emphasis"><em>participate</em></span> in elections for local master browser.</p><p>Setting this value to <tt>no</tt> will cause <b>nmbd</b> <span class="emphasis"><em>never</em></span> to become a local
1329 master browser.</p><p>Default: <b>local master = yes</b></p></dd><dt><span class="term"><a name="LOCKDIRECTORY"></a>lock directory (G)</span></dt><dd><p>This option specifies the directory where lock
1330 files will be placed. The lock files are used to implement the
1331 <a href="#MAXCONNECTIONS"><i><tt>max connections</tt></i>
1332 </a> option.</p><p>Default: <b>lock directory = ${prefix}/var/locks</b></p><p>Example: <b>lock directory = /var/run/samba/locks</b></p></dd><dt><span class="term"><a name="LOCKDIR"></a>lock dir (G)</span></dt><dd><p>Synonym for <a href="#LOCKDIRECTORY"><i><tt>
1333 lock directory</tt></i></a>.
1334 </p></dd><dt><span class="term"><a name="LOCKING"></a>locking (S)</span></dt><dd><p>This controls whether or not locking will be
1335 performed by the server in response to lock requests from the
1336 client.</p><p>If <b>locking = no</b>, all lock and unlock
1337 requests will appear to succeed and all lock queries will report
1338 that the file in question is available for locking.</p><p>If <b>locking = yes</b>, real locking will be performed
1339 by the server.</p><p>This option <span class="emphasis"><em>may</em></span> be useful for read-only
1340 filesystems which <span class="emphasis"><em>may</em></span> not need locking (such as
1341 CDROM drives), although setting this parameter of <tt>no</tt>
1342 is not really recommended even in this case.</p><p>Be careful about disabling locking either globally or in a
1343 specific service, as lack of locking may result in data corruption.
1344 You should never need to set this parameter.</p><p>Default: <b>locking = yes</b></p></dd><dt><span class="term"><a name="LOCKSPINCOUNT"></a>lock spin count (G)</span></dt><dd><p>This parameter controls the number of times
1345 that smbd should attempt to gain a byte range lock on the
1346 behalf of a client request. Experiments have shown that
1347 Windows 2k servers do not reply with a failure if the lock
1348 could not be immediately granted, but try a few more times
1349 in case the lock could later be aquired. This behavior
1350 is used to support PC database formats such as MS Access
1352 </p><p>Default: <b>lock spin count = 2</b></p></dd><dt><span class="term"><a name="LOCKSPINTIME"></a>lock spin time (G)</span></dt><dd><p>The time in microseconds that smbd should
1353 pause before attempting to gain a failed lock. See
1354 <a href="#LOCKSPINCOUNT"><i><tt>lock spin
1355 count</tt></i></a> for more details.</p><p>Default: <b>lock spin time = 10</b></p></dd><dt><span class="term"><a name="LOGFILE"></a>log file (G)</span></dt><dd><p>This option allows you to override the name
1356 of the Samba log file (also known as the debug file).</p><p>This option takes the standard substitutions, allowing
1357 you to have separate log files for each user or machine.</p><p>Example: <b>log file = /usr/local/samba/var/log.%m</b></p></dd><dt><span class="term"><a name="LOGLEVEL"></a>log level (G)</span></dt><dd><p>The value of the parameter (a astring) allows
1358 the debug level (logging level) to be specified in the
1359 <tt>smb.conf</tt> file. This parameter has been
1360 extended since the 2.2.x series, now it allow to specify the debug
1361 level for multiple debug classes. This is to give greater
1362 flexibility in the configuration of the system.</p><p>The default will be the log level specified on
1363 the command line or level zero if none was specified.</p><p>Example: <b>log level = 3 passdb:5 auth:10 winbind:2</b></p></dd><dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p>This parameter specifies the local path to
1364 which the home directory will be connected (see <a href="#LOGONHOME">
1365 <i><tt>logon home</tt></i></a>)
1366 and is only used by NT Workstations. </p><p>Note that this option is only useful if Samba is set up as a
1367 logon server.</p><p>Default: <b>logon drive = z:</b></p><p>Example: <b>logon drive = h:</b></p></dd><dt><span class="term"><a name="LOGONHOME"></a>logon home (G)</span></dt><dd><p>This parameter specifies the home directory
1368 location when a Win95/98 or NT Workstation logs into a Samba PDC.
1369 It allows you to do </p><p><tt>C:\></tt>
1370 <b><tt>NET USE H: /HOME</tt></b>
1371 </p><p>from a command prompt, for example.</p><p>This option takes the standard substitutions, allowing
1372 you to have separate logon scripts for each user or machine.</p><p>This parameter can be used with Win9X workstations to ensure
1373 that roaming profiles are stored in a subdirectory of the user's
1374 home directory. This is done in the following way:</p><p><b>logon home = \\%N\%U\profile</b></p><p>This tells Samba to return the above string, with
1375 substitutions made when a client requests the info, generally
1376 in a NetUserGetInfo request. Win9X clients truncate the info to
1377 \\server\share when a user does <b>net use /home</b>
1378 but use the whole string when dealing with profiles.</p><p>Note that in prior versions of Samba, the <a href="#LOGONPATH">
1379 <i><tt>logon path</tt></i></a> was returned rather than
1380 <i><tt>logon home</tt></i>. This broke <b>net use /home</b> but allowed profiles outside the home directory.
1381 The current implementation is correct, and can be used for profiles if you use
1382 the above trick.</p><p>This option is only useful if Samba is set up as a logon
1383 server.</p><p>Default: <b>logon home = "\\%N\%U"</b></p><p>Example: <b>logon home = "\\remote_smb_server\%U"</b></p></dd><dt><span class="term"><a name="LOGONPATH"></a>logon path (G)</span></dt><dd><p>This parameter specifies the home directory
1384 where roaming profiles (NTuser.dat etc files for Windows NT) are
1385 stored. Contrary to previous versions of these manual pages, it has
1386 nothing to do with Win 9X roaming profiles. To find out how to
1387 handle roaming profiles for Win 9X system, see the <a href="#LOGONHOME">
1388 <i><tt>logon home</tt></i></a> parameter.</p><p>This option takes the standard substitutions, allowing you
1389 to have separate logon scripts for each user or machine. It also
1390 specifies the directory from which the "Application Data",
1391 (<tt>desktop</tt>, <tt>start menu</tt>,
1392 <tt>network neighborhood</tt>, <tt>programs</tt>
1393 and other folders, and their contents, are loaded and displayed on
1394 your Windows NT client.</p><p>The share and the path must be readable by the user for
1395 the preferences and directories to be loaded onto the Windows NT
1396 client. The share must be writeable when the user logs in for the first
1397 time, in order that the Windows NT client can create the NTuser.dat
1398 and other directories.</p><p>Thereafter, the directories and any of the contents can,
1399 if required, be made read-only. It is not advisable that the
1400 NTuser.dat file be made read-only - rename it to NTuser.man to
1401 achieve the desired effect (a <span class="emphasis"><em>MAN</em></span>datory
1402 profile). </p><p>Windows clients can sometimes maintain a connection to
1403 the [homes] share, even though there is no user logged in.
1404 Therefore, it is vital that the logon path does not include a
1405 reference to the homes share (i.e. setting this parameter to
1406 \%N\%U\profile_path will cause problems).</p><p>This option takes the standard substitutions, allowing
1407 you to have separate logon scripts for each user or machine.</p><p>Note that this option is only useful if Samba is set up
1408 as a logon server.</p><p>Default: <b>logon path = \\%N\%U\profile</b></p><p>Example: <b>logon path = \\PROFILESERVER\PROFILE\%U</b></p></dd><dt><span class="term"><a name="LOGONSCRIPT"></a>logon script (G)</span></dt><dd><p>This parameter specifies the batch file (.bat) or
1409 NT command file (.cmd) to be downloaded and run on a machine when
1410 a user successfully logs in. The file must contain the DOS
1411 style CR/LF line endings. Using a DOS-style editor to create the
1412 file is recommended.</p><p>The script must be a relative path to the [netlogon]
1413 service. If the [netlogon] service specifies a <a href="#PATH">
1414 <i><tt>path</tt></i></a> of <tt>/usr/local/samba/netlogon</tt>, and <b>logon script = STARTUP.BAT</b>, then
1415 the file that will be downloaded is:</p><p><tt>/usr/local/samba/netlogon/STARTUP.BAT</tt></p><p>The contents of the batch file are entirely your choice. A
1416 suggested command would be to add <b>NET TIME \\SERVER /SET
1417 /YES</b>, to force every machine to synchronize clocks with
1418 the same time server. Another use would be to add <b>NET USE
1419 U: \\SERVER\UTILS</b> for commonly used utilities, or <b>
1420 NET USE Q: \\SERVER\ISO9001_QA</b> for example.</p><p>Note that it is particularly important not to allow write
1421 access to the [netlogon] share, or to grant users write permission
1422 on the batch files in a secure environment, as this would allow
1423 the batch files to be arbitrarily modified and security to be
1424 breached.</p><p>This option takes the standard substitutions, allowing you
1425 to have separate logon scripts for each user or machine.</p><p>This option is only useful if Samba is set up as a logon
1426 server.</p><p>Default: <span class="emphasis"><em>no logon script defined</em></span></p><p>Example: <b>logon script = scripts\%U.bat</b></p></dd><dt><span class="term"><a name="LPPAUSECOMMAND"></a>lppause command (S)</span></dt><dd><p>This parameter specifies the command to be
1427 executed on the server host in order to stop printing or spooling
1428 a specific print job.</p><p>This command should be a program or script which takes
1429 a printer name and job number to pause the print job. One way
1430 of implementing this is by using job priorities, where jobs
1431 having a too low priority won't be sent to the printer.</p><p>If a <i><tt>%p</tt></i> is given then the printer name
1432 is put in its place. A <i><tt>%j</tt></i> is replaced with
1433 the job number (an integer). On HPUX (see <i><tt>printing=hpux
1434 </tt></i>), if the <i><tt>-p%p</tt></i> option is added
1435 to the lpq command, the job will show up with the correct status, i.e.
1436 if the job priority is lower than the set fence priority it will
1437 have the PAUSED status, whereas if the priority is equal or higher it
1438 will have the SPOOLED or PRINTING status.</p><p>Note that it is good practice to include the absolute path
1439 in the lppause command as the PATH may not be available to the server.</p><p>See also the <a href="#PRINTING"><i><tt>printing
1440 </tt></i></a> parameter.</p><p>Default: Currently no default value is given to
1441 this string, unless the value of the <i><tt>printing</tt></i>
1442 parameter is <tt>SYSV</tt>, in which case the default is :</p><p><b>lp -i %p-%j -H hold</b></p><p>or if the value of the <i><tt>printing</tt></i> parameter
1443 is <tt>SOFTQ</tt>, then the default is:</p><p><b>qstat -s -j%j -h</b></p><p>Example for HPUX: <b>lppause command = /usr/bin/lpalt %p-%j -p0</b></p></dd><dt><span class="term"><a name="LPQCACHETIME"></a>lpq cache time (G)</span></dt><dd><p>This controls how long lpq info will be cached
1444 for to prevent the <b>lpq</b> command being called too
1445 often. A separate cache is kept for each variation of the <b>
1446 lpq</b> command used by the system, so if you use different
1447 <b>lpq</b> commands for different users then they won't
1448 share cache information.</p><p>The cache files are stored in <tt>/tmp/lpq.xxxx</tt>
1449 where xxxx is a hash of the <b>lpq</b> command in use.</p><p>The default is 10 seconds, meaning that the cached results
1450 of a previous identical <b>lpq</b> command will be used
1451 if the cached data is less than 10 seconds old. A large value may
1452 be advisable if your <b>lpq</b> command is very slow.</p><p>A value of 0 will disable caching completely.</p><p>See also the <a href="#PRINTING"><i><tt>printing</tt></i></a> parameter.</p><p>Default: <b>lpq cache time = 10</b></p><p>Example: <b>lpq cache time = 30</b></p></dd><dt><span class="term"><a name="LPQCOMMAND"></a>lpq command (S)</span></dt><dd><p>This parameter specifies the command to be
1453 executed on the server host in order to obtain <b>lpq
1454 </b>-style printer status information.</p><p>This command should be a program or script which
1455 takes a printer name as its only parameter and outputs printer
1456 status information.</p><p>Currently nine styles of printer status information
1457 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
1458 This covers most UNIX systems. You control which type is expected
1459 using the <i><tt>printing =</tt></i> option.</p><p>Some clients (notably Windows for Workgroups) may not
1460 correctly send the connection number for the printer they are
1461 requesting status information about. To get around this, the
1462 server reports on the first printer service connected to by the
1463 client. This only happens if the connection number sent is invalid.</p><p>If a <i><tt>%p</tt></i> is given then the printer name
1464 is put in its place. Otherwise it is placed at the end of the
1465 command.</p><p>Note that it is good practice to include the absolute path
1466 in the <i><tt>lpq command</tt></i> as the <tt>$PATH
1467 </tt> may not be available to the server. When compiled with
1468 the CUPS libraries, no <i><tt>lpq command</tt></i> is
1469 needed because smbd will make a library call to obtain the
1470 print queue listing.</p><p>See also the <a href="#PRINTING"><i><tt>printing
1471 </tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i><tt>
1472 printing</tt></i></em></span></p><p>Example: <b>lpq command = /usr/bin/lpq -P%p</b></p></dd><dt><span class="term"><a name="LPRESUMECOMMAND"></a>lpresume command (S)</span></dt><dd><p>This parameter specifies the command to be
1473 executed on the server host in order to restart or continue
1474 printing or spooling a specific print job.</p><p>This command should be a program or script which takes
1475 a printer name and job number to resume the print job. See
1476 also the <a href="#LPPAUSECOMMAND"><i><tt>lppause command
1477 </tt></i></a> parameter.</p><p>If a <i><tt>%p</tt></i> is given then the printer name
1478 is put in its place. A <i><tt>%j</tt></i> is replaced with
1479 the job number (an integer).</p><p>Note that it is good practice to include the absolute path
1480 in the <i><tt>lpresume command</tt></i> as the PATH may not
1481 be available to the server.</p><p>See also the <a href="#PRINTING"><i><tt>printing
1482 </tt></i></a> parameter.</p><p>Default: Currently no default value is given
1483 to this string, unless the value of the <i><tt>printing</tt></i>
1484 parameter is <tt>SYSV</tt>, in which case the default is :</p><p><b>lp -i %p-%j -H resume</b></p><p>or if the value of the <i><tt>printing</tt></i> parameter
1485 is <tt>SOFTQ</tt>, then the default is:</p><p><b>qstat -s -j%j -r</b></p><p>Example for HPUX: <b>lpresume command = /usr/bin/lpalt %p-%j -p2</b></p></dd><dt><span class="term"><a name="LPRMCOMMAND"></a>lprm command (S)</span></dt><dd><p>This parameter specifies the command to be
1486 executed on the server host in order to delete a print job.</p><p>This command should be a program or script which takes
1487 a printer name and job number, and deletes the print job.</p><p>If a <i><tt>%p</tt></i> is given then the printer name
1488 is put in its place. A <i><tt>%j</tt></i> is replaced with
1489 the job number (an integer).</p><p>Note that it is good practice to include the absolute
1490 path in the <i><tt>lprm command</tt></i> as the PATH may not be
1491 available to the server.</p><p>See also the <a href="#PRINTING"><i><tt>printing
1492 </tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i><tt>printing
1493 </tt></i></em></span></p><p>Example 1: <b>lprm command = /usr/bin/lprm -P%p %j</b></p><p>Example 2: <b>lprm command = /usr/bin/cancel %p-%j</b></p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>If a Samba server is a member of a Windows
1494 NT Domain (see the <a href="#SECURITYEQUALSDOMAIN">security = domain</a>)
1495 parameter) then periodically a running <a href="smbd.8.html" target="_top">
1496 smbd(8)</a> process will try and change the MACHINE ACCOUNT
1497 PASSWORD stored in the TDB called <tt>private/secrets.tdb
1498 </tt>. This parameter specifies how often this password
1499 will be changed, in seconds. The default is one week (expressed in
1500 seconds), the same as a Windows NT Domain member server.</p><p>See also <a href="smbpasswd.8.html">smbpasswd(8)</a>, and the <a href="#SECURITYEQUALSDOMAIN">
1501 security = domain</a>) parameter.</p><p>Default: <b>machine password timeout = 604800</b></p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p>This parameter specifies the name of a file
1502 which will contain output created by a magic script (see the
1503 <a href="#MAGICSCRIPT"><i><tt>magic script</tt></i></a>
1504 parameter below).</p><p>Warning: If two clients use the same <i><tt>magic script
1505 </tt></i> in the same directory the output file content
1506 is undefined.</p><p>Default: <b>magic output = <magic script name>.out</b></p><p>Example: <b>magic output = myfile.txt</b></p></dd><dt><span class="term"><a name="MAGICSCRIPT"></a>magic script (S)</span></dt><dd><p>This parameter specifies the name of a file which,
1507 if opened, will be executed by the server when the file is closed.
1508 This allows a UNIX script to be sent to the Samba host and
1509 executed on behalf of the connected user.</p><p>Scripts executed in this way will be deleted upon
1510 completion assuming that the user has the appropriate level
1511 of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to
1512 the file specified by the <a href="#MAGICOUTPUT"><i><tt>
1513 magic output</tt></i></a> parameter (see above).</p><p>Note that some shells are unable to interpret scripts
1514 containing CR/LF instead of CR as
1515 the end-of-line marker. Magic scripts must be executable
1516 <span class="emphasis"><em>as is</em></span> on the host, which for some hosts and
1517 some shells will require filtering at the DOS end.</p><p>Magic scripts are <span class="emphasis"><em>EXPERIMENTAL</em></span> and
1518 should <span class="emphasis"><em>NOT</em></span> be relied upon.</p><p>Default: <span class="emphasis"><em>None. Magic scripts disabled.</em></span></p><p>Example: <b>magic script = user.csh</b></p></dd><dt><span class="term"><a name="MANGLECASE"></a>mangle case (S)</span></dt><dd><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a></p><p>Default: <b>mangle case = no</b></p></dd><dt><span class="term"><a name="MANGLEDMAP"></a>mangled map (S)</span></dt><dd><p>This is for those who want to directly map UNIX
1519 file names which cannot be represented on Windows/DOS. The mangling
1520 of names is not always what is needed. In particular you may have
1521 documents with file extensions that differ between DOS and UNIX.
1522 For example, under UNIX it is common to use <tt>.html</tt>
1523 for HTML files, whereas under Windows/DOS <tt>.htm</tt>
1524 is more commonly used.</p><p>So to map <tt>html</tt> to <tt>htm</tt>
1525 you would use:</p><p><b>mangled map = (*.html *.htm)</b></p><p>One very useful case is to remove the annoying <tt>;1
1526 </tt> off the ends of filenames on some CDROMs (only visible
1527 under some UNIXes). To do this use a map of (*;1 *;).</p><p>Default: <span class="emphasis"><em>no mangled map</em></span></p><p>Example: <b>mangled map = (*;1 *;)</b></p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX
1528 should be mapped to DOS-compatible names ("mangled") and made visible,
1529 or whether non-DOS names should simply be ignored.</p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for
1530 details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters
1531 before the rightmost dot of the filename are preserved, forced
1532 to upper case, and appear as the first (up to) five characters
1533 of the mangled name.</p></li><li><p>A tilde "~" is appended to the first part of the mangled
1534 name, followed by a two-character unique sequence, based on the
1535 original root name (i.e., the original filename minus its final
1536 extension). The final extension is included in the hash calculation
1537 only if it contains any upper case characters or is longer than three
1538 characters.</p><p>Note that the character to use may be specified using
1539 the <a href="#MANGLINGCHAR"><i><tt>mangling char</tt></i>
1540 </a> option, if you don't like '~'.</p></li><li><p>The first three alphanumeric characters of the final
1541 extension are preserved, forced to upper case and appear as the
1542 extension of the mangled name. The final extension is defined as that
1543 part of the original filename after the rightmost dot. If there are no
1544 dots in the filename, the mangled name will have no extension (except
1545 in the case of "hidden files" - see below).</p></li><li><p>Files whose UNIX name begins with a dot will be
1546 presented as DOS hidden files. The mangled name will be created as
1547 for other filenames, but with the leading dot removed and "___" as
1548 its extension regardless of actual original extension (that's three
1549 underscores).</p></li></ul></div><p>The two-digit hash value consists of upper case alphanumeric characters.</p><p>This algorithm can cause name collisions only if files
1550 in a directory share the same first five alphanumeric characters.
1551 The probability of such a clash is 1/1300.</p><p>The name mangling (if enabled) allows a file to be
1552 copied between UNIX directories from Windows/DOS while retaining
1553 the long UNIX filename. UNIX files can be renamed to a new extension
1554 from Windows/DOS and will retain the same basename. Mangled names
1555 do not change between sessions.</p><p>Default: <b>mangled names = yes</b></p></dd><dt><span class="term"><a name="MANGLINGSTACK"></a>mangling stack (G)</span></dt><dd><p>This parameter controls the number of mangled names
1556 that should be cached in the Samba server <a href="smbd.8.html">smbd(8)</a>.</p><p>This stack is a list of recently mangled base names
1557 (extensions are only maintained if they are longer than 3 characters
1558 or contains upper case characters).</p><p>The larger this value, the more likely it is that mangled
1559 names can be successfully converted to correct long UNIX names.
1560 However, large stack sizes will slow most directory accesses. Smaller
1561 stacks save memory in the server (each stack element costs 256 bytes).
1562 </p><p>It is not possible to absolutely guarantee correct long
1563 filenames, so be prepared for some surprises!</p><p>Default: <b>mangled stack = 50</b></p><p>Example: <b>mangled stack = 100</b></p></dd><dt><span class="term"><a name="MANGLINGPREFIX"></a>mangling prefix (G)</span></dt><dd><p> controls the number of prefix
1564 characters from the original name used when generating
1565 the mangled names. A larger value will give a weaker
1566 hash and therefore more name collisions. The minimum
1567 value is 1 and the maximum value is 6.</p><p>Default: <b>mangle prefix = 1</b></p><p>Example: <b>mangle prefix = 4</b></p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as
1568 the <span class="emphasis"><em>magic</em></span> character in <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">name mangling</a>. The
1569 default is a '~' but this may interfere with some software. Use this option to set
1570 it to whatever you prefer.</p><p>Default: <b>mangling char = ~</b></p><p>Example: <b>mangling char = ^</b></p></dd><dt><span class="term"><a name="MANGLINGMETHOD"></a>mangling method (G)</span></dt><dd><p> controls the algorithm used for the generating
1571 the mangled names. Can take two different values, "hash" and
1572 "hash2". "hash" is the default and is the algorithm that has been
1573 used in Samba for many years. "hash2" is a newer and considered
1574 a better algorithm (generates less collisions) in the names.
1575 However, many Win32 applications store the mangled names and so
1576 changing to the new algorithm must not be done
1577 lightly as these applications may break unless reinstalled.</p><p>Default: <b>mangling method = hash2</b></p><p>Example: <b>mangling method = hash</b></p></dd><dt><span class="term"><a name="MAPARCHIVE"></a>map archive (S)</span></dt><dd><p>This controls whether the DOS archive attribute
1578 should be mapped to the UNIX owner execute bit. The DOS archive bit
1579 is set when a file has been modified since its last backup. One
1580 motivation for this option it to keep Samba/your PC from making
1581 any file it touches from becoming executable under UNIX. This can
1582 be quite annoying for shared source code, documents, etc...</p><p>Note that this requires the <i><tt>create mask</tt></i>
1583 parameter to be set such that owner execute bit is not masked out
1584 (i.e. it must include 100). See the parameter <a href="#CREATEMASK">
1585 <i><tt>create mask</tt></i></a> for details.</p><p>Default: <b>map archive = yes</b></p></dd><dt><span class="term"><a name="MAPHIDDEN"></a>map hidden (S)</span></dt><dd><p>This controls whether DOS style hidden files
1586 should be mapped to the UNIX world execute bit.</p><p>Note that this requires the <i><tt>create mask</tt></i>
1587 to be set such that the world execute bit is not masked out (i.e.
1588 it must include 001). See the parameter <a href="#CREATEMASK">
1589 <i><tt>create mask</tt></i></a> for details.</p><p>Default: <b>map hidden = no</b></p></dd><dt><span class="term"><a name="MAPSYSTEM"></a>map system (S)</span></dt><dd><p>This controls whether DOS style system files
1590 should be mapped to the UNIX group execute bit.</p><p>Note that this requires the <i><tt>create mask</tt></i>
1591 to be set such that the group execute bit is not masked out (i.e.
1592 it must include 010). See the parameter <a href="#CREATEMASK">
1593 <i><tt>create mask</tt></i></a> for details.</p><p>Default: <b>map system = no</b></p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a href="#SECURITY">
1594 security</a> modes other than <i><tt>security = share</tt></i>
1595 - i.e. <tt>user</tt>, <tt>server</tt>,
1596 and <tt>domain</tt>.</p><p>This parameter can take three different values, which tell
1597 <a href="smbd.8.html">smbd(8)</a> what to do with user
1598 login requests that don't match a valid UNIX user in some way.</p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p><tt>Never</tt> - Means user login
1599 requests with an invalid password are rejected. This is the
1600 default.</p></li><li><p><tt>Bad User</tt> - Means user
1601 logins with an invalid password are rejected, unless the username
1602 does not exist, in which case it is treated as a guest login and
1603 mapped into the <a href="#GUESTACCOUNT"><i><tt>
1604 guest account</tt></i></a>.</p></li><li><p><tt>Bad Password</tt> - Means user logins
1605 with an invalid password are treated as a guest login and mapped
1606 into the <a href="#GUESTACCOUNT">guest account</a>. Note that
1607 this can cause problems as it means that any user incorrectly typing
1608 their password will be silently logged on as "guest" - and
1609 will not know the reason they cannot access files they think
1610 they should - there will have been no message given to them
1611 that they got their password wrong. Helpdesk services will
1612 <span class="emphasis"><em>hate</em></span> you if you set the <i><tt>map to
1613 guest</tt></i> parameter this way :-).</p></li></ul></div><p>Note that this parameter is needed to set up "Guest"
1614 share services when using <i><tt>security</tt></i> modes other than
1615 share. This is because in these modes the name of the resource being
1616 requested is <span class="emphasis"><em>not</em></span> sent to the server until after
1617 the server has successfully authenticated the client so the server
1618 cannot make authentication decisions at the correct time (connection
1619 to the share) for "Guest" shares.</p><p>For people familiar with the older Samba releases, this
1620 parameter maps to the old compile-time setting of the <tt>
1621 GUEST_SESSSETUP</tt> value in local.h.</p><p>Default: <b>map to guest = Never</b></p><p>Example: <b>map to guest = Bad User</b></p></dd><dt><span class="term"><a name="MAXCONNECTIONS"></a>max connections (S)</span></dt><dd><p>This option allows the number of simultaneous connections to a service to be limited.
1622 If <i><tt>max connections</tt></i> is greater than 0 then connections
1623 will be refused if this number of connections to the service are already open. A value
1624 of zero mean an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature. The lock files will be stored in
1625 the directory specified by the <a href="#LOCKDIRECTORY">
1626 <i><tt>lock directory</tt></i></a> option.</p><p>Default: <b>max connections = 0</b></p><p>Example: <b>max connections = 10</b></p></dd><dt><span class="term"><a name="MAXDISKSIZE"></a>max disk size (G)</span></dt><dd><p>This option allows you to put an upper limit
1627 on the apparent size of disks. If you set this option to 100
1628 then all shares will appear to be not larger than 100 MB in
1629 size.</p><p>Note that this option does not limit the amount of
1630 data you can put on the disk. In the above case you could still
1631 store much more than 100 MB on the disk, but if a client ever asks
1632 for the amount of free disk space or the total disk size then the
1633 result will be bounded by the amount specified in <i><tt>max
1634 disk size</tt></i>.</p><p>This option is primarily useful to work around bugs
1635 in some pieces of software that can't handle very large disks,
1636 particularly disks over 1GB in size.</p><p>A <i><tt>max disk size</tt></i> of 0 means no limit.</p><p>Default: <b>max disk size = 0</b></p><p>Example: <b>max disk size = 1000</b></p></dd><dt><span class="term"><a name="MAXLOGSIZE"></a>max log size (G)</span></dt><dd><p>This option (an integer in kilobytes) specifies
1637 the max size the log file should grow to. Samba periodically checks
1638 the size and if it is exceeded it will rename the file, adding
1639 a <tt>.old</tt> extension.</p><p>A size of 0 means no limit.</p><p>Default: <b>max log size = 5000</b></p><p>Example: <b>max log size = 1000</b></p></dd><dt><span class="term"><a name="MAXMUX"></a>max mux (G)</span></dt><dd><p>This option controls the maximum number of
1640 outstanding simultaneous SMB operations that Samba tells the client
1641 it will allow. You should never need to set this parameter.</p><p>Default: <b>max mux = 50</b></p></dd><dt><span class="term"><a name="MAXOPENFILES"></a>max open files (G)</span></dt><dd><p>This parameter limits the maximum number of
1642 open files that one <a href="smbd.8.html">smbd(8)</a> file
1643 serving process may have open for a client at any one time. The
1644 default for this parameter is set very high (10,000) as Samba uses
1645 only one bit per unopened file.</p><p>The limit of the number of open files is usually set
1646 by the UNIX per-process file descriptor limit rather than
1647 this parameter so you should never need to touch this parameter.</p><p>Default: <b>max open files = 10000</b></p></dd><dt><span class="term"><a name="MAXPRINTJOBS"></a>max print jobs (S)</span></dt><dd><p>This parameter limits the maximum number of
1648 jobs allowable in a Samba printer queue at any given moment.
1649 If this number is exceeded, <a href="smbd.8.html">smbd(8)</a> will remote "Out of Space" to the client.
1650 See all <a href="#TOTALPRINTJOBS"><i><tt>total
1651 print jobs</tt></i></a>.
1652 </p><p>Default: <b>max print jobs = 1000</b></p><p>Example: <b>max print jobs = 5000</b></p></dd><dt><span class="term"><a name="MAXPROTOCOL"></a>max protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the highest
1653 protocol level that will be supported by the server.</p><p>Possible values are :</p><div class="itemizedlist"><ul type="disc"><li><p><tt>CORE</tt>: Earliest version. No
1654 concept of user names.</p></li><li><p><tt>COREPLUS</tt>: Slight improvements on
1655 CORE for efficiency.</p></li><li><p><tt>LANMAN1</tt>: First <span class="emphasis"><em>
1656 modern</em></span> version of the protocol. Long filename
1657 support.</p></li><li><p><tt>LANMAN2</tt>: Updates to Lanman1 protocol.</p></li><li><p><tt>NT1</tt>: Current up to date version of the protocol.
1658 Used by Windows NT. Known as CIFS.</p></li></ul></div><p>Normally this option should not be set as the automatic
1659 negotiation phase in the SMB protocol takes care of choosing
1660 the appropriate protocol.</p><p>See also <a href="#MINPROTOCOL"><i><tt>min
1661 protocol</tt></i></a></p><p>Default: <b>max protocol = NT1</b></p><p>Example: <b>max protocol = LANMAN1</b></p></dd><dt><span class="term"><a name="MAXSMBDPROCESSES"></a>max smbd processes (G)</span></dt><dd><p>This parameter limits the maximum number of <a href="smbd.8.html">smbd(8)</a> processes concurrently running on a system and is intended
1662 as a stopgap to prevent degrading service to clients in the event that the server has insufficient
1663 resources to handle more than this number of connections. Remember that under normal operating
1664 conditions, each user will have an <a href="smbd.8.html">smbd(8)</a> associated with him or her to handle connections to all
1665 shares from a given host.</p><p>Default: <b>max smbd processes = 0</b> ## no limit</p><p>Example: <b>max smbd processes = 1000</b></p></dd><dt><span class="term"><a name="MAXTTL"></a>max ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html">nmbd(8)</a> what the default 'time to live'
1666 of NetBIOS names should be (in seconds) when <b>nmbd</b> is
1667 requesting a name using either a broadcast packet or from a WINS server. You should
1668 never need to change this parameter. The default is 3 days.</p><p>Default: <b>max ttl = 259200</b></p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html">smbd(8)</a> when acting as a WINS server (<a href="#WINSSUPPORT">
1669 <i><tt>wins support = yes</tt></i></a>) what the maximum
1670 'time to live' of NetBIOS names that <b>nmbd</b>
1671 will grant will be (in seconds). You should never need to change this
1672 parameter. The default is 6 days (518400 seconds).</p><p>See also the <a href="#MINWINSTTL"><i><tt>min
1673 wins ttl</tt></i></a> parameter.</p><p>Default: <b>max wins ttl = 518400</b></p></dd><dt><span class="term"><a name="MAXXMIT"></a>max xmit (G)</span></dt><dd><p>This option controls the maximum packet size
1674 that will be negotiated by Samba. The default is 65535, which
1675 is the maximum. In some cases you may find you get better performance
1676 with a smaller value. A value below 2048 is likely to cause problems.
1677 </p><p>Default: <b>max xmit = 65535</b></p><p>Example: <b>max xmit = 8192</b></p></dd><dt><span class="term"><a name="MESSAGECOMMAND"></a>message command (G)</span></dt><dd><p>This specifies what command to run when the
1678 server receives a WinPopup style message.</p><p>This would normally be a command that would
1679 deliver the message somehow. How this is to be done is
1680 up to your imagination.</p><p>An example is:</p><p><b>message command = csh -c 'xedit %s;rm %s' &</b>
1681 </p><p>This delivers the message using <b>xedit</b>, then
1682 removes it afterwards. <span class="emphasis"><em>NOTE THAT IT IS VERY IMPORTANT
1683 THAT THIS COMMAND RETURN IMMEDIATELY</em></span>. That's why I
1684 have the '&' on the end. If it doesn't return immediately then
1685 your PCs may freeze when sending messages (they should recover
1686 after 30 seconds, hopefully).</p><p>All messages are delivered as the global guest user.
1687 The command takes the standard substitutions, although <i><tt>
1688 %u</tt></i> won't work (<i><tt>%U</tt></i> may be better
1689 in this case).</p><p>Apart from the standard substitutions, some additional
1690 ones apply. In particular:</p><div class="itemizedlist"><ul type="disc"><li><p><i><tt>%s</tt></i> = the filename containing
1691 the message.</p></li><li><p><i><tt>%t</tt></i> = the destination that
1692 the message was sent to (probably the server name).</p></li><li><p><i><tt>%f</tt></i> = who the message
1693 is from.</p></li></ul></div><p>You could make this command send mail, or whatever else
1694 takes your fancy. Please let us know of any really interesting
1695 ideas you have.</p><p>Here's a way of sending the messages as mail to root:</p><p><b>message command = /bin/mail -s 'message from %f on
1696 %m' root < %s; rm %s</b></p><p>If you don't have a message command then the message
1697 won't be delivered and Samba will tell the sender there was
1698 an error. Unfortunately WfWg totally ignores the error code
1699 and carries on regardless, saying that the message was delivered.
1700 </p><p>If you want to silently delete it then try:</p><p><b>message command = rm %s</b></p><p>Default: <span class="emphasis"><em>no message command</em></span></p><p>Example: <b>message command = csh -c 'xedit %s; rm %s' &</b></p></dd><dt><span class="term"><a name="MINPASSWDLENGTH"></a>min passwd length (G)</span></dt><dd><p>Synonym for <a href="#MINPASSWORDLENGTH">
1701 <i><tt>min password length</tt></i></a>.
1702 </p></dd><dt><span class="term"><a name="MINPASSWORDLENGTH"></a>min password length (G)</span></dt><dd><p>This option sets the minimum length in characters of a
1703 plaintext password that <b>smbd</b> will
1704 accept when performing UNIX password changing.</p><p>See also <a href="#UNIXPASSWORDSYNC"><i><tt>unix
1705 password sync</tt></i></a>, <a href="#PASSWDPROGRAM">
1706 <i><tt>passwd program</tt></i></a> and <a href="#PASSWDCHATDEBUG">
1707 <i><tt>passwd chat debug</tt></i></a>.</p><p>Default: <b>min password length = 5</b></p></dd><dt><span class="term"><a name="MINPRINTSPACE"></a>min print space (S)</span></dt><dd><p>This sets the minimum amount of free disk
1708 space that must be available before a user will be able to spool
1709 a print job. It is specified in kilobytes. The default is 0, which
1710 means a user can always spool a print job.</p><p>See also the <a href="#PRINTING"><i><tt>printing
1711 </tt></i></a> parameter.</p><p>Default: <b>min print space = 0</b></p><p>Example: <b>min print space = 2000</b></p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the
1712 lowest SMB protocol dialect than Samba will support. Please refer
1713 to the <a href="#MAXPROTOCOL"><i><tt>max protocol</tt></i></a>
1714 parameter for a list of valid protocol names and a brief description
1715 of each. You may also wish to refer to the C source code in
1716 <tt>source/smbd/negprot.c</tt> for a listing of known protocol
1717 dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should
1718 also refer to the <a href="#LANMANAUTH"><i><tt>lanman
1719 auth</tt></i></a> parameter. Otherwise, you should never need
1720 to change this parameter.</p><p>Default : <b>min protocol = CORE</b></p><p>Example : <b>min protocol = NT1</b> # disable DOS clients</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html">nmbd(8)</a>
1721 when acting as a WINS server (<a href="#WINSSUPPORT"><i><tt>
1722 wins support = yes</tt></i></a>) what the minimum 'time to live'
1723 of NetBIOS names that <b>nmbd</b> will grant will be (in
1724 seconds). You should never need to change this parameter. The default
1725 is 6 hours (21600 seconds).</p><p>Default: <b>min wins ttl = 21600</b></p></dd><dt><span class="term"><a name="MSDFSPROXY"></a>msdfs proxy (S)</span></dt><dd><p>This parameter indicates that the share is a
1726 stand-in for another CIFS share whose location is specified by
1727 the value of the parameter. When clients attempt to connect to
1728 this share, they are redirected to the proxied share using
1729 the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares. Take a look at the
1730 <a href="#MSDFSROOT"><i><tt>msdfs root</tt></i></a>
1731 and <a href="#HOSTMSDFS"><i><tt>host msdfs</tt></i></a>
1732 options to find out how to set up a Dfs root share.</p><p>Example: <b>msdfs proxy = \\\\otherserver\\someshare</b></p></dd><dt><span class="term"><a name="MSDFSROOT"></a>msdfs root (S)</span></dt><dd><p>This boolean parameter is only available if
1733 Samba is configured and compiled with the <b>
1734 --with-msdfs</b> option. If set to <tt>yes</tt>,
1735 Samba treats the share as a Dfs root and allows clients to browse
1736 the distributed file system tree rooted at the share directory.
1737 Dfs links are specified in the share directory by symbolic
1738 links of the form <tt>msdfs:serverA\\shareA,serverB\\shareB</tt>
1739 and so on. For more information on setting up a Dfs tree
1740 on Samba, refer to <a href="msdfs.html" target="_top">"Hosting a Microsoft
1741 Distributed File System tree on Samba"</a> document.</p><p>See also <a href="#HOSTMSDFS"><i><tt>host msdfs</tt></i></a></p><p>Default: <b>msdfs root = no</b></p></dd><dt><span class="term"><a name="NAMECACHETIMEOUT"></a>name cache timeout (G)</span></dt><dd><p>Specifies the number of seconds it takes before
1742 entries in samba's hostname resolve cache time out. If
1743 the timeout is set to 0. the caching is disabled.
1744 </p><p>Default: <b>name cache timeout = 660</b></p><p>Example: <b>name cache timeout = 0</b></p></dd><dt><span class="term"><a name="NAMERESOLVEORDER"></a>name resolve order (G)</span></dt><dd><p>This option is used by the programs in the Samba
1745 suite to determine what naming services to use and in what order
1746 to resolve host names to IP addresses. The option takes a space
1747 separated string of name resolution options.</p><p>The options are: "lmhosts", "host",
1748 "wins" and "bcast". They cause names to be
1749 resolved as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><tt>lmhosts</tt> : Lookup an IP
1750 address in the Samba lmhosts file. If the line in lmhosts has
1751 no name type attached to the NetBIOS name (see the <a href="lmhosts.5.html" target="_top">lmhosts(5)</a> for details) then
1752 any name type matches for lookup.</p></li><li><p><tt>host</tt> : Do a standard host
1753 name to IP address resolution, using the system <tt>/etc/hosts
1754 </tt>, NIS, or DNS lookups. This method of name resolution
1755 is operating system depended for instance on IRIX or Solaris this
1756 may be controlled by the <tt>/etc/nsswitch.conf</tt>
1757 file. Note that this method is only used if the NetBIOS name
1758 type being queried is the 0x20 (server) name type, otherwise
1759 it is ignored.</p></li><li><p><tt>wins</tt> : Query a name with
1760 the IP address listed in the <a href="#WINSSERVER"><i><tt>
1761 wins server</tt></i></a> parameter. If no WINS server has
1762 been specified this method will be ignored.</p></li><li><p><tt>bcast</tt> : Do a broadcast on
1763 each of the known local interfaces listed in the <a href="#INTERFACES"><i><tt>interfaces</tt></i></a>
1764 parameter. This is the least reliable of the name resolution
1765 methods as it depends on the target host being on a locally
1766 connected subnet.</p></li></ul></div><p>Default: <b>name resolve order = lmhosts host wins bcast</b></p><p>Example: <b>name resolve order = lmhosts bcast host</b></p><p>This will cause the local lmhosts file to be examined
1767 first, followed by a broadcast attempt, followed by a normal
1768 system hostname lookup.</p></dd><dt><span class="term"><a name="NETBIOSALIASES"></a>netbios aliases (G)</span></dt><dd><p>This is a list of NetBIOS names that <a href="nmbd.8.html" target="_top">nmbd(8)</a> will
1769 advertise as additional names by which the Samba server is known. This allows one machine
1770 to appear in browse lists under multiple names. If a machine is acting as a browse server
1771 or logon server none of these names will be advertised as either browse server or logon
1772 servers, only the primary name of the machine will be advertised with these capabilities.
1773 </p><p>See also <a href="#NETBIOSNAME"><i><tt>netbios
1774 name</tt></i></a>.</p><p>Default: <span class="emphasis"><em>empty string (no additional names)</em></span></p><p>Example: <b>netbios aliases = TEST TEST1 TEST2</b></p></dd><dt><span class="term"><a name="NETBIOSNAME"></a>netbios name (G)</span></dt><dd><p>This sets the NetBIOS name by which a Samba
1775 server is known. By default it is the same as the first component
1776 of the host's DNS name. If a machine is a browse server or
1777 logon server this name (or the first component
1778 of the hosts DNS name) will be the name that these services are
1779 advertised under.</p><p>See also <a href="#NETBIOSALIASES"><i><tt>netbios
1780 aliases</tt></i></a>.</p><p>Default: <span class="emphasis"><em>machine DNS name</em></span></p><p>Example: <b>netbios name = MYNAME</b></p></dd><dt><span class="term"><a name="NETBIOSSCOPE"></a>netbios scope (G)</span></dt><dd><p>This sets the NetBIOS scope that Samba will
1781 operate under. This should not be set unless every machine
1782 on your LAN also sets this value.</p></dd><dt><span class="term"><a name="NISHOMEDIR"></a>nis homedir (G)</span></dt><dd><p>Get the home share server from a NIS map. For
1783 UNIX systems that use an automounter, the user's home directory
1784 will often be mounted on a workstation on demand from a remote
1785 server. </p><p>When the Samba logon server is not the actual home directory
1786 server, but is mounting the home directories via NFS then two
1787 network hops would be required to access the users home directory
1788 if the logon server told the client to use itself as the SMB server
1789 for home directories (one over SMB and one over NFS). This can
1790 be very slow.</p><p>This option allows Samba to return the home share as
1791 being on a different server to the logon server and as
1792 long as a Samba daemon is running on the home directory server,
1793 it will be mounted on the Samba client directly from the directory
1794 server. When Samba is returning the home share to the client, it
1795 will consult the NIS map specified in <a href="#HOMEDIRMAP">
1796 <i><tt>homedir map</tt></i></a> and return the server
1797 listed there.</p><p>Note that for this option to work there must be a working
1798 NIS system and the Samba server with this option must also
1799 be a logon server.</p><p>Default: <b>nis homedir = no</b></p></dd><dt><span class="term"><a name="NONUNIXACCOUNTRANGE"></a>non unix account range (G)</span></dt><dd><p>The non unix account range parameter specifies
1800 the range of 'user ids' that are allocated by the various 'non unix
1801 account' passdb backends. These backends allow
1802 the storage of passwords for users who don't exist in /etc/passwd.
1803 This is most often used for machine account creation.
1804 This range of ids should have no existing local or NIS users within
1805 it as strange conflicts can occur otherwise.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>These userids never appear on the system and Samba will never
1806 'become' these users. They are used only to ensure that the algorithmic
1807 RID mapping does not conflict with normal users.
1808 </p></div><p>Default: <b>non unix account range = <empty string></b></p><p>Example: <b>non unix account range = 10000-20000</b></p></dd><dt><span class="term"><a name="NTACLSUPPORT"></a>nt acl support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html">smbd(8)</a> will attempt to map
1809 UNIX permissions into Windows NT access control lists.
1810 This parameter was formally a global parameter in releases
1811 prior to 2.2.2.</p><p>Default: <b>nt acl support = yes</b></p></dd><dt><span class="term"><a name="NTLMAUTH"></a>ntlm auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html">smbd(8)</a> will attempt to authenticate users using the NTLM password hash.
1812 If disabled, only the lanman password hashes will be used.</p><p>Please note that at least this option or <b>lanman auth</b> should
1813 be enabled in order to be able to log in.</p><p>Default : <b>ntlm auth = yes</b></p></dd><dt><span class="term"><a name="NTPIPESUPPORT"></a>nt pipe support (G)</span></dt><dd><p>This boolean parameter controls whether
1814 <a href="smbd.8.html">smbd(8)</a> will allow Windows NT
1815 clients to connect to the NT SMB specific <tt>IPC$</tt>
1816 pipes. This is a developer debugging option and can be left
1817 alone.</p><p>Default: <b>nt pipe support = yes</b></p></dd><dt><span class="term"><a name="NTSTATUSSUPPORT"></a>nt status support (G)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html">smbd(8)</a> will negotiate NT specific status
1818 support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone.
1819 If this option is set to <tt>no</tt> then Samba offers
1820 exactly the same DOS error codes that versions prior to Samba 2.2.3
1821 reported.</p><p>You should not need to ever disable this parameter.</p><p>Default: <b>nt status support = yes</b></p></dd><dt><span class="term"><a name="NULLPASSWORDS"></a>null passwords (G)</span></dt><dd><p>Allow or disallow client access to accounts that have null passwords. </p><p>See also <a href="smbpasswd.5.html">smbpasswd(5)</a>.</p><p>Default: <b>null passwords = no</b></p></dd><dt><span class="term"><a name="OBEYPAMRESTRICTIONS"></a>obey pam restrictions (G)</span></dt><dd><p>When Samba 3.0 is configured to enable PAM support
1822 (i.e. --with-pam), this parameter will control whether or not Samba
1823 should obey PAM's account and session management directives. The
1824 default behavior is to use PAM for clear text authentication only
1825 and to ignore any account or session management. Note that Samba
1826 always ignores PAM for authentication in the case of <a href="#ENCRYPTPASSWORDS">
1827 <i><tt>encrypt passwords = yes</tt></i></a>. The reason
1828 is that PAM modules cannot support the challenge/response
1829 authentication mechanism needed in the presence of SMB password encryption.
1830 </p><p>Default: <b>obey pam restrictions = no</b></p></dd><dt><span class="term"><a name="ONLYGUEST"></a>only guest (S)</span></dt><dd><p>A synonym for <a href="#GUESTONLY"><i><tt>
1831 guest only</tt></i></a>.</p></dd><dt><span class="term"><a name="ONLYUSER"></a>only user (S)</span></dt><dd><p>This is a boolean option that controls whether
1832 connections with usernames not in the <i><tt>user</tt></i>
1833 list will be allowed. By default this option is disabled so that a
1834 client can supply a username to be used by the server. Enabling
1835 this parameter will force the server to only use the login
1836 names from the <i><tt>user</tt></i> list and is only really
1837 useful in <a href="#SECURITYEQUALSSHARE">share level</a>
1838 security.</p><p>Note that this also means Samba won't try to deduce
1839 usernames from the service name. This can be annoying for
1840 the [homes] section. To get around this you could use <b>user =
1841 %S</b> which means your <i><tt>user</tt></i> list
1842 will be just the service name, which for home directories is the
1843 name of the user.</p><p>See also the <a href="#USER"><i><tt>user</tt></i>
1844 </a> parameter.</p><p>Default: <b>only user = no</b></p></dd><dt><span class="term"><a name="OPLOCKBREAKWAITTIME"></a>oplock break wait time (G)</span></dt><dd><p>This is a tuning parameter added due to bugs in
1845 both Windows 9x and WinNT. If Samba responds to a client too
1846 quickly when that client issues an SMB that can cause an oplock
1847 break request, then the network client can fail and not respond
1848 to the break request. This tuning parameter (which is set in milliseconds)
1849 is the amount of time Samba will wait before sending an oplock break
1850 request to such (broken) clients.</p><p><span class="emphasis"><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
1851 UNDERSTOOD THE SAMBA OPLOCK CODE</em></span>.</p><p>Default: <b>oplock break wait time = 0</b></p></dd><dt><span class="term"><a name="OPLOCKCONTENTIONLIMIT"></a>oplock contention limit (S)</span></dt><dd><p>This is a <span class="emphasis"><em>very</em></span> advanced
1852 <a href="smbd.8.html">smbd(8)</a> tuning option to
1853 improve the efficiency of the granting of oplocks under multiple
1854 client contention for the same file.</p><p>In brief it specifies a number, which causes <a href="smbd.8.html">smbd(8)</a>not to grant an oplock even when requested
1855 if the approximate number of clients contending for an oplock on the same file goes over this
1856 limit. This causes <b>smbd</b> to behave in a similar
1857 way to Windows NT.</p><p><span class="emphasis"><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
1858 AND UNDERSTOOD THE SAMBA OPLOCK CODE</em></span>.</p><p>Default: <b>oplock contention limit = 2</b></p></dd><dt><span class="term"><a name="OPLOCKS"></a>oplocks (S)</span></dt><dd><p>This boolean option tells <b>smbd</b> whether to
1859 issue oplocks (opportunistic locks) to file open requests on this
1860 share. The oplock code can dramatically (approx. 30% or more) improve
1861 the speed of access to files on Samba servers. It allows the clients
1862 to aggressively cache files locally and you may want to disable this
1863 option for unreliable network environments (it is turned on by
1864 default in Windows NT Servers). For more information see the file
1865 <tt>Speed.txt</tt> in the Samba <tt>docs/</tt>
1866 directory.</p><p>Oplocks may be selectively turned off on certain files with a
1867 share. See the <a href="#VETOOPLOCKFILES"><i><tt>
1868 veto oplock files</tt></i></a> parameter. On some systems
1869 oplocks are recognized by the underlying operating system. This
1870 allows data synchronization between all access to oplocked files,
1871 whether it be via Samba or NFS or a local UNIX process. See the
1872 <i><tt>kernel oplocks</tt></i> parameter for details.</p><p>See also the <a href="#KERNELOPLOCKS"><i><tt>kernel
1873 oplocks</tt></i></a> and <a href="#LEVEL2OPLOCKS"><i><tt>
1874 level2 oplocks</tt></i></a> parameters.</p><p>Default: <b>oplocks = yes</b></p></dd><dt><span class="term"><a name="OS2DRIVERMAP"></a>os2 driver map (G)</span></dt><dd><p>The parameter is used to define the absolute
1875 path to a file containing a mapping of Windows NT printer driver
1876 names to OS/2 printer driver names. The format is:</p><p><nt driver name> = <os2 driver name>.<device name></p><p>For example, a valid entry using the HP LaserJet 5
1877 printer driver would appear as <b>HP LaserJet 5L = LASERJET.HP
1878 LaserJet 5L</b>.</p><p>The need for the file is due to the printer driver namespace
1879 problem described in the <a href="printing.html" target="_top">Samba
1880 Printing HOWTO</a>. For more details on OS/2 clients, please
1881 refer to the OS2-Client-HOWTO containing in the Samba documentation.</p><p>Default: <b>os2 driver map = <empty string></b></p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>This integer value controls what level Samba
1882 advertises itself as for browse elections. The value of this
1883 parameter determines whether <a href="nmbd.8.html">nmbd(8)</a>
1884 has a chance of becoming a local master browser for the <i><tt>
1885 WORKGROUP</tt></i> in the local broadcast area.</p><p><span class="emphasis"><em>Note :</em></span>By default, Samba will win
1886 a local master browsing election over all Microsoft operating
1887 systems except a Windows NT 4.0/2000 Domain Controller. This
1888 means that a misconfigured Samba host can effectively isolate
1889 a subnet for browsing purposes. See <tt>BROWSING.txt
1890 </tt> in the Samba <tt>docs/</tt> directory
1891 for details.</p><p>Default: <b>os level = 20</b></p><p>Example: <b>os level = 65 </b></p></dd><dt><span class="term"><a name="PAMPASSWORDCHANGE"></a>pam password change (G)</span></dt><dd><p>With the addition of better PAM support in Samba 2.2,
1892 this parameter, it is possible to use PAM's password change control
1893 flag for Samba. If enabled, then PAM will be used for password
1894 changes when requested by an SMB client instead of the program listed in
1895 <a href="#PASSWDPROGRAM"><i><tt>passwd program</tt></i></a>.
1896 It should be possible to enable this without changing your
1897 <a href="#PASSWDCHAT"><i><tt>passwd chat</tt></i></a>
1898 parameter for most setups.</p><p>Default: <b>pam password change = no</b></p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a
1899 system command to be called when either <a href="smbd.8.html">smbd(8)</a> or <a href="smbd.8.html">smbd(8)</a> crashes. This is usually used to
1900 draw attention to the fact that a problem occurred.</p><p>Default: <b>panic action = <empty string></b></p><p>Example: <b>panic action = "/bin/sleep 90000"</b></p></dd><dt><span class="term"><a name="PARANOIDSERVERSECURITY"></a>paranoid server security (G)</span></dt><dd><p>Some version of NT 4.x allow non-guest
1901 users with a bad passowrd. When this option is enabled, samba will not
1902 use a broken NT 4.x server as password server, but instead complain
1903 to the logs and exit.
1904 </p><p>Disabling this option prevents Samba from making
1905 this check, which involves deliberatly attempting a
1906 bad logon to the remote server.</p><p>Default: <b>paranoid server security = yes</b></p></dd><dt><span class="term"><a name="PASSDBBACKEND"></a>passdb backend (G)</span></dt><dd><p>This option allows the administrator to chose which backends
1907 to retrieve and store passwords with. This allows (for example) both
1908 smbpasswd and tdbsam to be used without a recompile. Multiple
1909 backends can be specified, separated by spaces. The backends will be
1910 searched in the order they are specified. New users are always added
1911 to the first backend specified. </p><p>This parameter is in two parts, the backend's name, and a 'location'
1912 string that has meaning only to that particular backed. These are separated
1913 by a : character.</p><p>Available backends can include:
1914 </p><div class="itemizedlist"><ul type="disc"><li><p><b>smbpasswd</b> - The default smbpasswd
1915 backend. Takes a path to the smbpasswd file as an optional argument.
1916 </p></li><li><p><b>smbpasswd_nua</b> - The smbpasswd
1917 backend, but with support for 'not unix accounts'.
1918 Takes a path to the smbpasswd file as an optional argument.</p><p>See also <a href="#NONUNIXACCOUNTRANGE">
1919 <i><tt>non unix account range</tt></i></a></p></li><li><p><b>tdbsam</b> - The TDB based password storage
1920 backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
1921 in the <a href="#PRIVATEDIR">
1922 <i><tt>private dir</tt></i></a> directory.</p></li><li><p><b>tdbsam_nua</b> - The TDB based password storage
1923 backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
1924 in the <a href="#PRIVATEDIR">
1925 <i><tt>private dir</tt></i></a> directory.</p><p>See also <a href="#NONUNIXACCOUNTRANGE">
1926 <i><tt>non unix account range</tt></i></a></p></li><li><p><b>ldapsam</b> - The LDAP based passdb
1927 backend. Takes an LDAP URL as an optional argument (defaults to
1928 <b>ldap://localhost</b>)</p></li><li><p><b>ldapsam_nua</b> - The LDAP based passdb
1929 backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
1930 <b>ldap://localhost</b>)</p><p>Note: In this module, any account without a matching POSIX account is regarded
1931 as 'non unix'. </p><p>See also <a href="#NONUNIXACCOUNTRANGE">
1932 <i><tt>non unix account range</tt></i></a></p><p>LDAP connections should be secured where possible. This may be done using either
1933 Start-TLS (see <a href="#LDAPSSL"><i><tt>ldap ssl</tt></i></a>) or by
1934 specifying <i><tt>ldaps://</tt></i> in
1935 the URL argument. </p></li><li><p><b>nisplussam</b> -
1936 The NIS+ based passdb backend. Takes name NIS domain as
1937 an optional argument. Only works with sun NIS+ servers.
1938 </p></li></ul></div><p>
1939 </p><p>Default: <b>passdb backend = smbpasswd unixsam</b></p><p>Example: <b>passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</b></p><p>Example: <b>passdb backend = ldapsam_nua:ldaps://ldap.example.com guest</b></p><p>Example: <b>passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</b></p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script
1940 parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
1941 strings passed to and received from the passwd chat are printed
1942 in the <a href="smbd.8.html">smbd(8)</a> log with a
1943 <a href="#DEBUGLEVEL"><i><tt>debug level</tt></i></a>
1944 of 100. This is a dangerous option as it will allow plaintext passwords
1945 to be seen in the <b>smbd</b> log. It is available to help
1946 Samba admins debug their <i><tt>passwd chat</tt></i> scripts
1947 when calling the <i><tt>passwd program</tt></i> and should
1948 be turned off after this has been done. This option has no effect if the
1949 <a href="#PAMPASSWORDCHANGE"><i><tt>pam password change</tt></i></a>
1950 paramter is set. This parameter is off by default.</p><p>See also <a href="#PASSWDCHAT"><i><tt>passwd chat</tt></i>
1951 </a>, <a href="#PAMPASSWORDCHANGE"><i><tt>pam password change</tt></i>
1952 </a>, <a href="#PASSWDPROGRAM"><i><tt>passwd program</tt></i>
1953 </a>.</p><p>Default: <b>passwd chat debug = no</b></p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span>
1954 conversation that takes places between <a href="smbd.8.html">smbd(8)</a> and the local password changing
1955 program to change the user's password. The string describes a
1956 sequence of response-receive pairs that <a href="smbd.8.html">smbd(8)</a> uses to determine what to send to the
1957 <a href="#PASSWDPROGRAM"><i><tt>passwd program</tt></i>
1958 </a> and what to expect back. If the expected output is not
1959 received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending
1960 on what local methods are used for password control (such as NIS
1961 etc).</p><p>Note that this parameter only is only used if the <a href="#UNIXPASSWORDSYNC"> <i><tt>unix password sync</tt></i>
1962 </a> parameter is set to <tt>yes</tt>. This sequence is
1963 then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password in the
1964 smbpasswd file is being changed, without access to the old password
1965 cleartext. This means that root must be able to reset the user's password without
1966 knowing the text of the previous password. In the presence of
1967 NIS/YP, this means that the <a href="#PASSWDPROGRAM">passwd program</a> must
1968 be executed on the NIS master.
1969 </p><p>The string can contain the macro <i><tt>%n</tt></i> which is substituted
1970 for the new password. The chat sequence can also contain the standard
1971 macros <tt>\\n</tt>, <tt>\\r</tt>, <tt>\\t</tt> and <tt>\\s</tt> to
1972 give line-feed, carriage-return, tab and space. The chat sequence string can also contain
1973 a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces
1974 in them into a single string.</p><p>If the send string in any part of the chat sequence is a full
1975 stop ".", then no string is sent. Similarly, if the
1976 expect string is a full stop then no string is expected.</p><p>If the <a href="#PAMPASSWORDCHANGE"><i><tt>pam
1977 password change</tt></i></a> parameter is set to <tt>yes</tt>, the chat pairs
1978 may be matched in any order, and success is determined by the PAM result,
1979 not any particular output. The \n macro is ignored for PAM conversions.
1980 </p><p>See also <a href="#UNIXPASSWORDSYNC"><i><tt>unix password
1981 sync</tt></i></a>, <a href="#PASSWDPROGRAM"><i><tt>
1982 passwd program</tt></i></a> ,<a href="#PASSWDCHATDEBUG">
1983 <i><tt>passwd chat debug</tt></i></a> and <a href="#PAMPASSWORDCHANGE">
1984 <i><tt>pam password change</tt></i></a>.</p><p>Default: <b>passwd chat = *new*password* %n\\n
1985 *new*password* %n\\n *changed*</b></p><p>Example: <b>passwd chat = "*Enter OLD password*" %o\\n
1986 "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n
1987 "*Password changed*"</b></p></dd><dt><span class="term"><a name="PASSWDPROGRAM"></a>passwd program (G)</span></dt><dd><p>The name of a program that can be used to set
1988 UNIX user passwords. Any occurrences of <i><tt>%u</tt></i>
1989 will be replaced with the user name. The user name is checked for
1990 existence before calling the password changing program.</p><p>Also note that many passwd programs insist in <span class="emphasis"><em>reasonable
1991 </em></span> passwords, such as a minimum length, or the inclusion
1992 of mixed case chars and digits. This can pose a problem as some clients
1993 (such as Windows for Workgroups) uppercase the password before sending
1994 it.</p><p><span class="emphasis"><em>Note</em></span> that if the <i><tt>unix
1995 password sync</tt></i> parameter is set to <tt>yes
1996 </tt> then this program is called <span class="emphasis"><em>AS ROOT</em></span>
1997 before the SMB password in the <a href="smbpasswd.5.html" target="_top"><a href="smbpasswd.5.html">smbpasswd(5)</a>
1998 </a> file is changed. If this UNIX password change fails, then
1999 <b>smbd</b> will fail to change the SMB password also
2000 (this is by design).</p><p>If the <i><tt>unix password sync</tt></i> parameter
2001 is set this parameter <span class="emphasis"><em>MUST USE ABSOLUTE PATHS</em></span>
2002 for <span class="emphasis"><em>ALL</em></span> programs called, and must be examined
2003 for security implications. Note that by default <i><tt>unix
2004 password sync</tt></i> is set to <tt>no</tt>.</p><p>See also <a href="#UNIXPASSWORDSYNC"><i><tt>unix
2005 password sync</tt></i></a>.</p><p>Default: <b>passwd program = /bin/passwd</b></p><p>Example: <b>passwd program = /sbin/npasswd %u</b></p></dd><dt><span class="term"><a name="PASSWORDLEVEL"></a>password level (G)</span></dt><dd><p>Some client/server combinations have difficulty
2006 with mixed-case passwords. One offending client is Windows for
2007 Workgroups, which for some reason forces passwords to upper
2008 case when using the LANMAN1 protocol, but leaves them alone when
2009 using COREPLUS! Another problem child is the Windows 95/98
2010 family of operating systems. These clients upper case clear
2011 text passwords even when NT LM 0.12 selected by the protocol
2012 negotiation request/response.</p><p>This parameter defines the maximum number of characters
2013 that may be upper case in passwords.</p><p>For example, say the password given was "FRED". If <i><tt>
2014 password level</tt></i> is set to 1, the following combinations
2015 would be tried if "FRED" failed:</p><p>"Fred", "fred", "fRed", "frEd","freD"</p><p>If <i><tt>password level</tt></i> was set to 2,
2016 the following combinations would also be tried: </p><p>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</p><p>And so on.</p><p>The higher value this parameter is set to the more likely
2017 it is that a mixed case password will be matched against a single
2018 case password. However, you should be aware that use of this
2019 parameter reduces security and increases the time taken to
2020 process a new connection.</p><p>A value of zero will cause only two attempts to be
2021 made - the password as is and the password in all-lower case.</p><p>Default: <b>password level = 0</b></p><p>Example: <b>password level = 4</b></p></dd><dt><span class="term"><a name="PASSWORDSERVER"></a>password server (G)</span></dt><dd><p>By specifying the name of another SMB server (such
2022 as a WinNT box) with this option, and using <b>security = domain
2023 </b> or <b>security = server</b> you can get Samba
2024 to do all its username/password validation via a remote server.</p><p>This option sets the name of the password server to use.
2025 It must be a NetBIOS name, so if the machine's NetBIOS name is
2026 different from its Internet name then you may have to add its NetBIOS
2027 name to the lmhosts file which is stored in the same directory
2028 as the <tt>smb.conf</tt> file.</p><p>The name of the password server is looked up using the
2029 parameter <a href="#NAMERESOLVEORDER"><i><tt>name
2030 resolve order</tt></i></a> and so may resolved
2031 by any method and order described in that parameter.</p><p>The password server must be a machine capable of using
2032 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
2033 user level security mode.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Using a password server means your UNIX box (running
2034 Samba) is only as secure as your password server. <span class="emphasis"><em>DO NOT
2035 CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</em></span>.
2036 </p></div><p>Never point a Samba server at itself for password serving.
2037 This will cause a loop and could lock up your Samba server!</p><p>The name of the password server takes the standard
2038 substitutions, but probably the only useful one is <i><tt>%m
2039 </tt></i>, which means the Samba server will use the incoming
2040 client as the password server. If you use this then you better
2041 trust your clients, and you had better restrict them with hosts allow!</p><p>If the <i><tt>security</tt></i> parameter is set to
2042 <tt>domain</tt>, then the list of machines in this
2043 option must be a list of Primary or Backup Domain controllers for the
2044 Domain or the character '*', as the Samba server is effectively
2045 in that domain, and will use cryptographically authenticated RPC calls
2046 to authenticate the user logging on. The advantage of using <b>
2047 security = domain</b> is that if you list several hosts in the
2048 <i><tt>password server</tt></i> option then <b>smbd
2049 </b> will try each in turn till it finds one that responds. This
2050 is useful in case your primary server goes down.</p><p>If the <i><tt>password server</tt></i> option is set
2051 to the character '*', then Samba will attempt to auto-locate the
2052 Primary or Backup Domain controllers to authenticate against by
2053 doing a query for the name <tt>WORKGROUP<1C></tt>
2054 and then contacting each server returned in the list of IP
2055 addresses from the name resolution source. </p><p>If the list of servers contains both names and the '*'
2056 character, the list is treated as a list of preferred
2057 domain controllers, but an auto lookup of all remaining DC's
2058 will be added to the list as well. Samba will not attempt to optimize
2059 this list by locating the closest DC.</p><p>If the <i><tt>security</tt></i> parameter is
2060 set to <tt>server</tt>, then there are different
2061 restrictions that <b>security = domain</b> doesn't
2062 suffer from:</p><div class="itemizedlist"><ul type="disc"><li><p>You may list several password servers in
2063 the <i><tt>password server</tt></i> parameter, however if an
2064 <b>smbd</b> makes a connection to a password server,
2065 and then the password server fails, no more users will be able
2066 to be authenticated from this <b>smbd</b>. This is a
2067 restriction of the SMB/CIFS protocol when in <b>security = server
2068 </b> mode and cannot be fixed in Samba.</p></li><li><p>If you are using a Windows NT server as your
2069 password server then you will have to ensure that your users
2070 are able to login from the Samba server, as when in <b>
2071 security = server</b> mode the network logon will appear to
2072 come from there rather than from the users workstation.</p></li></ul></div><p>See also the <a href="#SECURITY"><i><tt>security
2073 </tt></i></a> parameter.</p><p>Default: <b>password server = <empty string></b></p><p>Example: <b>password server = NT-PDC, NT-BDC1, NT-BDC2, *</b></p><p>Example: <b>password server = *</b></p></dd><dt><span class="term"><a name="PATH"></a>path (S)</span></dt><dd><p>This parameter specifies a directory to which
2074 the user of the service is to be given access. In the case of
2075 printable services, this is where print data will spool prior to
2076 being submitted to the host for printing.</p><p>For a printable service offering guest access, the service
2077 should be readonly and the path should be world-writeable and
2078 have the sticky bit set. This is not mandatory of course, but
2079 you probably won't get the results you expect if you do
2080 otherwise.</p><p>Any occurrences of <i><tt>%u</tt></i> in the path
2081 will be replaced with the UNIX username that the client is using
2082 on this connection. Any occurrences of <i><tt>%m</tt></i>
2083 will be replaced by the NetBIOS name of the machine they are
2084 connecting from. These replacements are very useful for setting
2085 up pseudo home directories for users.</p><p>Note that this path will be based on <a href="#ROOTDIR">
2086 <i><tt>root dir</tt></i></a> if one was specified.</p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b>path = /home/fred</b></p></dd><dt><span class="term"><a name="PIDDIRECTORY"></a>pid directory (G)</span></dt><dd><p>This option specifies the directory where pid
2087 files will be placed. </p><p>Default: <b>pid directory = ${prefix}/var/locks</b></p><p>Example: <b>pid directory = /var/run/</b></p></dd><dt><span class="term"><a name="POSIXLOCKING"></a>posix locking (S)</span></dt><dd><p>The <a href="smbd.8.html">smbd(8)</a>
2088 daemon maintains an database of file locks obtained by SMB clients.
2089 The default behavior is to map this internal database to POSIX
2090 locks. This means that file locks obtained by SMB clients are
2091 consistent with those seen by POSIX compliant applications accessing
2092 the files via a non-SMB method (e.g. NFS or local file access).
2093 You should never need to disable this parameter.</p><p>Default: <b>posix locking = yes</b></p></dd><dt><span class="term"><a name="POSTEXEC"></a>postexec (S)</span></dt><dd><p>This option specifies a command to be run
2094 whenever the service is disconnected. It takes the usual
2095 substitutions. The command may be run as the root on some
2096 systems.</p><p>An interesting example may be to unmount server
2097 resources:</p><p><b>postexec = /etc/umount /cdrom</b></p><p>See also <a href="#PREEXEC"><i><tt>preexec</tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b>postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log</b></p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>This boolean option controls whether a non-zero
2098 return code from <a href="#PREEXEC"><i><tt>preexec
2099 </tt></i></a> should close the service being connected to.</p><p>Default: <b>preexec close = no</b></p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever
2100 the service is connected to. It takes the usual substitutions.</p><p>An interesting example is to send the users a welcome
2101 message every time they log in. Maybe a message of the day? Here
2102 is an example:</p><p><b>preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & </b></p><p>Of course, this could get annoying after a while :-)</p><p>See also <a href="#PREEXECCLOSE"><i><tt>preexec close</tt></i></a> and <a href="#POSTEXEC"><i><tt>postexec
2103 </tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b>preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log</b></p></dd><dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master (G)</span></dt><dd><p>Synonym for <a href="#PREFERREDMASTER"><i><tt>
2104 preferred master</tt></i></a> for people who cannot spell :-).</p></dd><dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p>This boolean parameter controls if
2105 <a href="nmbd.8.html">nmbd(8)</a> is a preferred master
2106 browser for its workgroup.</p><p>If this is set to <tt>yes</tt>, on startup, <b>nmbd</b>
2107 will force an election, and it will have a slight advantage in
2108 winning the election. It is recommended that this parameter is
2109 used in conjunction with <b><a href="#DOMAINMASTER">
2110 <i><tt>domain master</tt></i></a> = yes</b>, so
2111 that <b>nmbd</b> can guarantee becoming a domain master.</p><p>Use this option with caution, because if there are several
2112 hosts (whether Samba servers, Windows 95 or NT) that are
2113 preferred master browsers on the same subnet, they will each
2114 periodically and continuously attempt to become the local
2115 master browser. This will result in unnecessary broadcast
2116 traffic and reduced browsing capabilities.</p><p>See also <a href="#OSLEVEL"><i><tt>os level</tt></i></a>.</p><p>Default: <b>preferred master = auto</b></p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should
2117 be loaded into smbd before a client connects. This improves
2118 the speed of smbd when reacting to new connections somewhat. </p><p>It is recommended to only use this option on heavy-performance
2119 servers.</p><p>Default: <b>preload modules = </b></p><p>Example: <b>preload modules = /usr/lib/samba/passdb/mysql.so+++ </b></p></dd><dt><span class="term"><a name="PRELOAD"></a>preload (G)</span></dt><dd><p>This is a list of services that you want to be
2120 automatically added to the browse lists. This is most useful
2121 for homes and printers services that would otherwise not be
2122 visible.</p><p>Note that if you just want all printers in your
2123 printcap file loaded then the <a href="#LOADPRINTERS">
2124 <i><tt>load printers</tt></i></a> option is easier.</p><p>Default: <span class="emphasis"><em>no preloaded services</em></span></p><p>Example: <b>preload = fred lp colorlp</b></p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p> This controls if new filenames are created
2125 with the case that the client passes, or if they are forced to
2126 be the <a href="#DEFAULTCASE"><i><tt>default case
2127 </tt></i></a>.</p><p>Default: <b>preserve case = yes</b></p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion.</p></dd><dt><span class="term"><a name="PRINTABLE"></a>printable (S)</span></dt><dd><p>If this parameter is <tt>yes</tt>, then
2128 clients may open, write to and submit spool files on the directory
2129 specified for the service. </p><p>Note that a printable service will ALWAYS allow writing
2130 to the service path (user privileges permitting) via the spooling
2131 of print data. The <a href="#READONLY"><i><tt>read only
2132 </tt></i></a> parameter controls only non-printing access to
2133 the resource.</p><p>Default: <b>printable = no</b></p></dd><dt><span class="term"><a name="PRINTCAPNAME"></a>printcap name (S)</span></dt><dd><p>This parameter may be used to override the
2134 compiled-in default printcap name used by the server (usually <tt>
2135 /etc/printcap</tt>). See the discussion of the <a href="#PRINTERSSECT" title="The [printers] section">[printers]</a> section above for reasons
2136 why you might want to do this.</p><p>To use the CUPS printing interface set <b>printcap name = cups
2137 </b>. This should be supplemented by an addtional setting
2138 <a href="#PRINTING">printing = cups</a> in the [global]
2139 section. <b>printcap name = cups</b> will use the
2140 "dummy" printcap created by CUPS, as specified in your CUPS
2142 </p><p>On System V systems that use <b>lpstat</b> to
2143 list available printers you can use <b>printcap name = lpstat
2144 </b> to automatically obtain lists of available printers. This
2145 is the default for systems that define SYSV at configure time in
2146 Samba (this includes most System V based systems). If <i><tt>
2147 printcap name</tt></i> is set to <b>lpstat</b> on
2148 these systems then Samba will launch <b>lpstat -v</b> and
2149 attempt to parse the output to obtain a printer list.</p><p>A minimal printcap file would look something like this:</p><pre class="programlisting">
2155 </pre><p>where the '|' separates aliases of a printer. The fact
2156 that the second alias has a space in it gives a hint to Samba
2157 that it's a comment.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Under AIX the default printcap
2158 name is <tt>/etc/qconfig</tt>. Samba will assume the
2159 file is in AIX <tt>qconfig</tt> format if the string
2160 <tt>qconfig</tt> appears in the printcap filename.</p></div><p>Default: <b>printcap name = /etc/printcap</b></p><p>Example: <b>printcap name = /etc/myprintcap</b></p></dd><dt><span class="term"><a name="PRINTCAP"></a>printcap (G)</span></dt><dd><p>Synonym for <a href="#PRINTCAPNAME"><i><tt>
2161 printcap name</tt></i></a>.</p></dd><dt><span class="term"><a name="PRINTCOMMAND"></a>print command (S)</span></dt><dd><p>After a print job has finished spooling to
2162 a service, this command will be used via a <b>system()</b>
2163 call to process the spool file. Typically the command specified will
2164 submit the spool file to the host's printing subsystem, but there
2165 is no requirement that this be the case. The server will not remove
2166 the spool file, so whatever command you specify should remove the
2167 spool file when it has been processed, otherwise you will need to
2168 manually remove old spool files.</p><p>The print command is simply a text string. It will be used
2169 verbatim after macro substitutions have been made:</p><p>%s, %p - the path to the spool
2170 file name</p><p>%p - the appropriate printer
2171 name</p><p>%J - the job
2172 name as transmitted by the client.</p><p>%c - The number of printed pages
2173 of the spooled job (if known).</p><p>%z - the size of the spooled
2174 print job (in bytes)</p><p>The print command <span class="emphasis"><em>MUST</em></span> contain at least
2175 one occurrence of <i><tt>%s</tt></i> or <i><tt>%f
2176 </tt></i> - the <i><tt>%p</tt></i> is optional. At the time
2177 a job is submitted, if no printer name is supplied the <i><tt>%p
2178 </tt></i> will be silently removed from the printer command.</p><p>If specified in the [global] section, the print command given
2179 will be used for any printable service that does not have its own
2180 print command specified.</p><p>If there is neither a specified print command for a
2181 printable service nor a global print command, spool files will
2182 be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the
2183 <tt>nobody</tt> account. If this happens then create
2184 an alternative guest account that can print and set the <a href="#GUESTACCOUNT">
2185 <i><tt>guest account</tt></i></a>
2186 in the [global] section.</p><p>You can form quite complex print commands by realizing
2187 that they are just passed to a shell. For example the following
2188 will log a print job, print the file, then remove it. Note that
2189 ';' is the usual separator for command in shell scripts.</p><p><b>print command = echo Printing %s >>
2190 /tmp/print.log; lpr -P %p %s; rm %s</b></p><p>You may have to vary this command considerably depending
2191 on how you normally print files on your system. The default for
2192 the parameter varies depending on the setting of the <a href="#PRINTING">
2193 <i><tt>printing</tt></i></a> parameter.</p><p>Default: For <b>printing = BSD, AIX, QNX, LPRNG
2194 or PLP :</b></p><p><b>print command = lpr -r -P%p %s</b></p><p>For <b>printing = SYSV or HPUX :</b></p><p><b>print command = lp -c -d%p %s; rm %s</b></p><p>For <b>printing = SOFTQ :</b></p><p><b>print command = lp -d%p -s %s; rm %s</b></p><p>For printing = CUPS : If SAMBA is compiled against
2195 libcups, then <a href="#PRINTING">printcap = cups</a>
2196 uses the CUPS API to
2197 submit jobs, etc. Otherwise it maps to the System V
2198 commands with the -oraw option for printing, i.e. it
2199 uses <b>lp -c -d%p -oraw; rm %s</b>.
2200 With <b>printing = cups</b>,
2201 and if SAMBA is compiled against libcups, any manually
2202 set print command will be ignored.</p><p>Example: <b>print command = /usr/local/samba/bin/myprintscript %p %s</b></p></dd><dt><span class="term"><a name="PRINTERADMIN"></a>printer admin (S)</span></dt><dd><p>This is a list of users that can do anything to
2203 printers via the remote administration interfaces offered by MS-RPC
2204 (usually using a NT workstation). Note that the root user always
2205 has admin rights.</p><p>Default: <b>printer admin = <empty string></b></p><p>Example: <b>printer admin = admin, @staff</b></p></dd><dt><span class="term"><a name="PRINTERNAME"></a>printer name (S)</span></dt><dd><p>This parameter specifies the name of the printer
2206 to which print jobs spooled through a printable service will be sent.</p><p>If specified in the [global] section, the printer
2207 name given will be used for any printable service that does
2208 not have its own printer name specified.</p><p>Default: <span class="emphasis"><em>none (but may be <tt>lp</tt>
2209 on many systems)</em></span></p><p>Example: <b>printer name = laserwriter</b></p></dd><dt><span class="term"><a name="PRINTER"></a>printer (S)</span></dt><dd><p>Synonym for <a href="#PRINTERNAME"><i><tt>
2210 printer name</tt></i></a>.</p></dd><dt><span class="term"><a name="PRINTING"></a>printing (S)</span></dt><dd><p>This parameters controls how printer status information is
2211 interpreted on your system. It also affects the default values for
2212 the <i><tt>print command</tt></i>, <i><tt>lpq command</tt></i>, <i><tt>lppause command </tt></i>, <i><tt>lpresume command</tt></i>, and <i><tt>lprm command</tt></i> if specified in the
2213 [global] section.</p><p>Currently nine printing styles are supported. They are
2214 <tt>BSD</tt>, <tt>AIX</tt>,
2215 <tt>LPRNG</tt>, <tt>PLP</tt>,
2216 <tt>SYSV</tt>, <tt>HPUX</tt>,
2217 <tt>QNX</tt>, <tt>SOFTQ</tt>,
2218 and <tt>CUPS</tt>.</p><p>To see what the defaults are for the other print
2219 commands when using the various options use the <a href="testparm.1.html">testparm(1)</a> program.</p><p>This option can be set on a per printer basis</p><p>See also the discussion in the <a href="#PRINTERSSECT" title="The [printers] section">
2220 [printers]</a> section.</p></dd><dt><span class="term"><a name="PRINTOK"></a>print ok (S)</span></dt><dd><p>Synonym for <a href="#PRINTABLE">
2221 <i><tt>printable</tt></i></a>.</p></dd><dt><span class="term"><a name="PRIVATEDIR"></a>private dir (G)</span></dt><dd><p>This parameters defines the directory
2222 smbd will use for storing such files as <tt>smbpasswd</tt>
2223 and <tt>secrets.tdb</tt>.
2224 </p><p>Default :<b>private dir = ${prefix}/private</b></p></dd><dt><span class="term"><a name="PROTOCOL"></a>protocol (G)</span></dt><dd><p>Synonym for <a href="#MAXPROTOCOL">
2225 <i><tt>max protocol</tt></i></a>.</p></dd><dt><span class="term"><a name="PUBLIC"></a>public (S)</span></dt><dd><p>Synonym for <a href="#GUESTOK"><i><tt>guest
2226 ok</tt></i></a>.</p></dd><dt><span class="term"><a name="QUEUEPAUSECOMMAND"></a>queuepause command (S)</span></dt><dd><p>This parameter specifies the command to be
2227 executed on the server host in order to pause the printer queue.</p><p>This command should be a program or script which takes
2228 a printer name as its only parameter and stops the printer queue,
2229 such that no longer jobs are submitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
2230 but can be issued from the Printers window under Windows 95
2231 and NT.</p><p>If a <i><tt>%p</tt></i> is given then the printer name
2232 is put in its place. Otherwise it is placed at the end of the command.
2233 </p><p>Note that it is good practice to include the absolute
2234 path in the command as the PATH may not be available to the
2235 server.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i><tt>printing</tt></i></em></span></p><p>Example: <b>queuepause command = disable %p</b></p></dd><dt><span class="term"><a name="QUEUERESUMECOMMAND"></a>queueresume command (S)</span></dt><dd><p>This parameter specifies the command to be
2236 executed on the server host in order to resume the printer queue. It
2237 is the command to undo the behavior that is caused by the
2238 previous parameter (<a href="#QUEUEPAUSECOMMAND"><i><tt>
2239 queuepause command</tt></i></a>).</p><p>This command should be a program or script which takes
2240 a printer name as its only parameter and resumes the printer queue,
2241 such that queued jobs are resubmitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
2242 but can be issued from the Printers window under Windows 95
2243 and NT.</p><p>If a <i><tt>%p</tt></i> is given then the printer name
2244 is put in its place. Otherwise it is placed at the end of the
2245 command.</p><p>Note that it is good practice to include the absolute
2246 path in the command as the PATH may not be available to the
2247 server.</p><p>Default: <span class="emphasis"><em>depends on the setting of <a href="#PRINTING">
2248 <i><tt>printing</tt></i></a></em></span></p><p>Example: <b>queuepause command = enable %p</b></p></dd><dt><span class="term"><a name="READBMPX"></a>read bmpx (G)</span></dt><dd><p>This boolean parameter controls whether
2249 <a href="smbd.8.html">smbd(8)</a> will support the "Read
2250 Block Multiplex" SMB. This is now rarely used and defaults to
2251 <tt>no</tt>. You should never need to set this
2252 parameter.</p><p>Default: <b>read bmpx = no</b></p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>This is a list of users that are given read-only
2253 access to a service. If the connecting user is in this list then
2254 they will not be given write access, no matter what the <a href="#READONLY">
2255 <i><tt>read only</tt></i></a>
2256 option is set to. The list can include group names using the
2257 syntax described in the <a href="#INVALIDUSERS"><i><tt>
2258 invalid users</tt></i></a> parameter.</p><p>See also the <a href="#WRITELIST"><i><tt>
2259 write list</tt></i></a> parameter and the <a href="#INVALIDUSERS">
2260 <i><tt>invalid users</tt></i>
2261 </a> parameter.</p><p>Default: <b>read list = <empty string></b></p><p>Example: <b>read list = mary, @students</b></p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a href="#WRITEABLE">
2262 <i><tt>writeable</tt></i></a>.</p><p>If this parameter is <tt>yes</tt>, then users
2263 of a service may not create or modify files in the service's
2264 directory.</p><p>Note that a printable service (<b>printable = yes</b>)
2265 will <span class="emphasis"><em>ALWAYS</em></span> allow writing to the directory
2266 (user privileges permitting), but only via spooling operations.</p><p>Default: <b>read only = yes</b></p></dd><dt><span class="term"><a name="READRAW"></a>read raw (G)</span></dt><dd><p>This parameter controls whether or not the server
2267 will support the raw read SMB requests when transferring data
2268 to clients.</p><p>If enabled, raw reads allow reads of 65535 bytes in
2269 one packet. This typically provides a major performance benefit.
2270 </p><p>However, some clients either negotiate the allowable
2271 block size incorrectly or are incapable of supporting larger block
2272 sizes, and for these clients you may need to disable raw reads.</p><p>In general this parameter should be viewed as a system tuning
2273 tool and left severely alone. See also <a href="#WRITERAW">
2274 <i><tt>write raw</tt></i></a>.</p><p>Default: <b>read raw = yes</b></p></dd><dt><span class="term"><a name="READSIZE"></a>read size (G)</span></dt><dd><p>The option <i><tt>read size</tt></i>
2275 affects the overlap of disk reads/writes with network reads/writes.
2276 If the amount of data being transferred in several of the SMB
2277 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
2278 than this value then the server begins writing the data before it
2279 has received the whole packet from the network, or in the case of
2280 SMBreadbraw, it begins writing to the network before all the data
2281 has been read from disk.</p><p>This overlapping works best when the speeds of disk and
2282 network access are similar, having very little effect when the
2283 speed of one is much greater than the other.</p><p>The default value is 16384, but very little experimentation
2284 has been done yet to determine the optimal value, and it is likely
2285 that the best value will vary greatly between systems anyway.
2286 A value over 65536 is pointless and will cause you to allocate
2287 memory unnecessarily.</p><p>Default: <b>read size = 16384</b></p><p>Example: <b>read size = 8192</b></p></dd><dt><span class="term"><a name="REALM"></a>realm (G)</span></dt><dd><p>This option specifies the kerberos realm to use. The realm is
2288 used as the ADS equivalent of the NT4 <b>domain</b>. It
2289 is usually set to the DNS name of the kerberos server.
2290 </p><p>Default: <b>realm = </b></p><p>Example: <b>realm = mysambabox.mycompany.com</b></p></dd><dt><span class="term"><a name="REMOTEANNOUNCE"></a>remote announce (G)</span></dt><dd><p>This option allows you to setup <a href="nmbd.8.html">nmbd(8)</a>to periodically announce itself
2291 to arbitrary IP addresses with an arbitrary workgroup name.</p><p>This is useful if you want your Samba server to appear
2292 in a remote workgroup for which the normal browse propagation
2293 rules don't work. The remote workgroup can be anywhere that you
2294 can send IP packets to.</p><p>For example:</p><p><b>remote announce = 192.168.2.255/SERVERS
2295 192.168.4.255/STAFF</b></p><p>the above line would cause <b>nmbd</b> to announce itself
2296 to the two given IP addresses using the given workgroup names.
2297 If you leave out the workgroup name then the one given in
2298 the <a href="#WORKGROUP"><i><tt>workgroup</tt></i></a>
2299 parameter is used instead.</p><p>The IP addresses you choose would normally be the broadcast
2300 addresses of the remote networks, but can also be the IP addresses
2301 of known browse masters if your network config is that stable.</p><p>See the documentation file <a href="improved-browsing.html" target="_top">BROWSING</a>
2302 in the <tt>docs/</tt> directory.</p><p>Default: <b>remote announce = <empty string></b></p></dd><dt><span class="term"><a name="REMOTEBROWSESYNC"></a>remote browse sync (G)</span></dt><dd><p>This option allows you to setup <a href="nmbd.8.html">nmbd(8)</a> to periodically request
2303 synchronization of browse lists with the master browser of a Samba
2304 server that is on a remote segment. This option will allow you to
2305 gain browse lists for multiple workgroups across routed networks. This
2306 is done in a manner that does not work with any non-Samba servers.</p><p>This is useful if you want your Samba server and all local
2307 clients to appear in a remote workgroup for which the normal browse
2308 propagation rules don't work. The remote workgroup can be anywhere
2309 that you can send IP packets to.</p><p>For example:</p><p><b>remote browse sync = 192.168.2.255 192.168.4.255</b></p><p>the above line would cause <b>nmbd</b> to request
2310 the master browser on the specified subnets or addresses to
2311 synchronize their browse lists with the local server.</p><p>The IP addresses you choose would normally be the broadcast
2312 addresses of the remote networks, but can also be the IP addresses
2313 of known browse masters if your network config is that stable. If
2314 a machine IP address is given Samba makes NO attempt to validate
2315 that the remote machine is available, is listening, nor that it
2316 is in fact the browse master on its segment.</p><p>Default: <b>remote browse sync = <empty string></b></p></dd><dt><span class="term"><a name="RESTRICTANONYMOUS"></a>restrict anonymous (G)</span></dt><dd><p>This is a integer parameter, and mirrors as much as possible the functinality the
2317 <tt>RestrictAnonymous</tt> registry key does on NT/Win2k.
2318 </p><p>Default: <b>restrict anonymous = 0</b></p></dd><dt><span class="term"><a name="ROOTDIRECTORY"></a>root directory (G)</span></dt><dd><p>The server will <b>chroot()</b> (i.e.
2319 Change its root directory) to this directory on startup. This is
2320 not strictly necessary for secure operation. Even without it the
2321 server will deny access to files not in one of the service entries.
2322 It may also check for, and deny access to, soft links to other
2323 parts of the filesystem, or attempts to use ".." in file names
2324 to access other directories (depending on the setting of the <a href="#WIDELINKS">
2325 <i><tt>wide links</tt></i></a>
2327 </p><p>Adding a <i><tt>root directory</tt></i> entry other
2328 than "/" adds an extra level of security, but at a price. It
2329 absolutely ensures that no access is given to files not in the
2330 sub-tree specified in the <i><tt>root directory</tt></i>
2331 option, <span class="emphasis"><em>including</em></span> some files needed for
2332 complete operation of the server. To maintain full operability
2333 of the server you will need to mirror some system files
2334 into the <i><tt>root directory</tt></i> tree. In particular
2335 you will need to mirror <tt>/etc/passwd</tt> (or a
2336 subset of it), and any binaries or configuration files needed for
2337 printing (if required). The set of files that must be mirrored is
2338 operating system dependent.</p><p>Default: <b>root directory = /</b></p><p>Example: <b>root directory = /homes/smb</b></p></dd><dt><span class="term"><a name="ROOTDIR"></a>root dir (G)</span></dt><dd><p>Synonym for <a href="#ROOTDIRECTORY">
2339 <i><tt>root directory"</tt></i></a>.
2340 </p></dd><dt><span class="term"><a name="ROOTPOSTEXEC"></a>root postexec (S)</span></dt><dd><p>This is the same as the <i><tt>postexec</tt></i>
2341 parameter except that the command is run as root. This
2342 is useful for unmounting filesystems
2343 (such as CDROMs) after a connection is closed.</p><p>See also <a href="#POSTEXEC"><i><tt>
2344 postexec</tt></i></a>.</p><p>Default: <b>root postexec = <empty string></b></p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <i><tt>preexec close
2345 </tt></i> parameter except that the command is run as root.</p><p>See also <a href="#PREEXEC"><i><tt>
2346 preexec</tt></i></a> and <a href="#PREEXECCLOSE">
2347 <i><tt>preexec close</tt></i></a>.</p><p>Default: <b>root preexec close = no</b></p></dd><dt><span class="term"><a name="ROOTPREEXEC"></a>root preexec (S)</span></dt><dd><p>This is the same as the <i><tt>preexec</tt></i>
2348 parameter except that the command is run as root. This
2349 is useful for mounting filesystems (such as CDROMs) when a
2350 connection is opened.</p><p>See also <a href="#PREEXEC"><i><tt>
2351 preexec</tt></i></a> and <a href="#PREEXECCLOSE">
2352 <i><tt>preexec close</tt></i></a>.</p><p>Default: <b>root preexec = <empty string></b></p></dd><dt><span class="term"><a name="ROOT"></a>root (G)</span></dt><dd><p>Synonym for <a href="#ROOTDIRECTORY">
2353 <i><tt>root directory"</tt></i></a>.
2354 </p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission
2355 bits can be modified when a Windows NT client is manipulating
2356 the UNIX permission on a file using the native NT security
2357 dialog box.</p><p>This parameter is applied as a mask (AND'ed with) to
2358 the changed permission bits, thus preventing any bits not in
2359 this mask from being modified. Essentially, zero bits in this
2360 mask may be treated as a set of bits the user is not allowed
2361 to change.</p><p>If not set explicitly this parameter is 0777, allowing
2362 a user to modify all the user/group/world permissions on a file.
2363 </p><p><span class="emphasis"><em>Note</em></span> that users who can access the
2364 Samba server through other means can easily bypass this
2365 restriction, so it is primarily useful for standalone
2366 "appliance" systems. Administrators of most normal systems will
2367 probably want to leave it set to <tt>0777</tt>.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE">
2368 <i><tt>force directory security mode</tt></i></a>,
2369 <a href="#DIRECTORYSECURITYMASK"><i><tt>directory
2370 security mask</tt></i></a>, <a href="#FORCESECURITYMODE">
2371 <i><tt>force security mode</tt></i></a> parameters.</p><p>Default: <b>security mask = 0777</b></p><p>Example: <b>security mask = 0770</b></p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to
2372 Samba and is one of the most important settings in the <tt>
2373 smb.conf</tt> file.</p><p>The option sets the "security mode bit" in replies to
2374 protocol negotiations with <a href="smbd.8.html">smbd(8)</a> to turn share level security on or off. Clients decide
2375 based on this bit whether (and how) to transfer user and password
2376 information to the server.</p><p>The default is <b>security = user</b>, as this is
2377 the most common setting needed when talking to Windows 98 and
2378 Windows NT.</p><p>The alternatives are <b>security = share</b>,
2379 <b>security = server</b> or <b>security = domain
2380 </b>.</p><p>In versions of Samba prior to 2.0.0, the default was
2381 <b>security = share</b> mainly because that was
2382 the only option at one stage.</p><p>There is a bug in WfWg that has relevance to this
2383 setting. When in user or server level security a WfWg client
2384 will totally ignore the password you type in the "connect
2385 drive" dialog box. This makes it very difficult (if not impossible)
2386 to connect to a Samba service as anyone except the user that
2387 you are logged into WfWg as.</p><p>If your PCs use usernames that are the same as their
2388 usernames on the UNIX machine then you will want to use
2389 <b>security = user</b>. If you mostly use usernames
2390 that don't exist on the UNIX box then use <b>security =
2391 share</b>.</p><p>You should also use <b>security = share</b> if you
2392 want to mainly setup shares without a password (guest shares). This
2393 is commonly used for a shared printer server. It is more difficult
2394 to setup guest shares with <b>security = user</b>, see
2395 the <a href="#MAPTOGUEST"><i><tt>map to guest</tt></i>
2396 </a>parameter for details.</p><p>It is possible to use <b>smbd</b> in a <span class="emphasis"><em>
2397 hybrid mode</em></span> where it is offers both user and share
2398 level security under different <a href="#NETBIOSALIASES">
2399 <i><tt>NetBIOS aliases</tt></i></a>. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
2400 need not log onto the server with a valid username and password before
2401 attempting to connect to a shared resource (although modern clients
2402 such as Windows 95/98 and Windows NT will send a logon request with
2403 a username but no password when talking to a <b>security = share
2404 </b> server). Instead, the clients send authentication information
2405 (passwords) on a per-share basis, at the time they attempt to connect
2406 to that share.</p><p>Note that <b>smbd</b> <span class="emphasis"><em>ALWAYS</em></span>
2407 uses a valid UNIX user to act on behalf of the client, even in
2408 <b>security = share</b> level security.</p><p>As clients are not required to send a username to the server
2409 in share level security, <b>smbd</b> uses several
2410 techniques to determine the correct UNIX user to use on behalf
2411 of the client.</p><p>A list of possible UNIX usernames to match with the given
2412 client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a href="#GUESTONLY"><i><tt>guest
2413 only</tt></i></a> parameter is set, then all the other
2414 stages are missed and only the <a href="#GUESTACCOUNT">
2415 <i><tt>guest account</tt></i></a> username is checked.
2416 </p></li><li><p>Is a username is sent with the share connection
2417 request, then this username (after mapping - see <a href="#USERNAMEMAP">
2418 <i><tt>username map</tt></i></a>),
2419 is added as a potential username.
2420 </p></li><li><p>If the client did a previous <span class="emphasis"><em>logon
2421 </em></span> request (the SessionSetup SMB call) then the
2422 username sent in this SMB will be added as a potential username.
2423 </p></li><li><p>The name of the service the client requested is
2424 added as a potential username.
2425 </p></li><li><p>The NetBIOS name of the client is added to
2426 the list as a potential username.
2427 </p></li><li><p>Any users on the <a href="#USER"><i><tt>
2428 user</tt></i></a> list are added as potential usernames.
2429 </p></li></ul></div><p>If the <i><tt>guest only</tt></i> parameter is
2430 not set, then this list is then tried with the supplied password.
2431 The first user for whom the password matches will be used as the
2432 UNIX user.</p><p>If the <i><tt>guest only</tt></i> parameter is
2433 set, or no username can be determined then if the share is marked
2434 as available to the <i><tt>guest account</tt></i>, then this
2435 guest user will be used, otherwise access is denied.</p><p>Note that it can be <span class="emphasis"><em>very</em></span> confusing
2436 in share-level security as to which UNIX username will eventually
2437 be used in granting access.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
2438 NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0.
2439 With user-level security a client must first "log-on" with a
2440 valid username and password (which can be mapped using the <a href="#USERNAMEMAP">
2441 <i><tt>username map</tt></i></a>
2442 parameter). Encrypted passwords (see the <a href="#ENCRYPTPASSWORDS">
2443 <i><tt>encrypted passwords</tt></i></a> parameter) can also
2444 be used in this security mode. Parameters such as <a href="#USER">
2445 <i><tt>user</tt></i></a> and <a href="#GUESTONLY">
2446 <i><tt>guest only</tt></i></a> if set are then applied and
2447 may change the UNIX user to use on this connection, but only after
2448 the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
2449 requested is <span class="emphasis"><em>not</em></span> sent to the server until after
2450 the server has successfully authenticated the client. This is why
2451 guest shares don't work in user level security without allowing
2452 the server to automatically map unknown users into the <a href="#GUESTACCOUNT">
2453 <i><tt>guest account</tt></i></a>.
2454 See the <a href="#MAPTOGUEST"><i><tt>map to guest</tt></i>
2455 </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
2456 NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html">net(8)</a> has been used to add this
2457 machine into a Windows NT Domain. It expects the <a href="#ENCRYPTPASSWORDS">
2458 <i><tt>encrypted passwords</tt></i>
2459 </a> parameter to be set to <tt>yes</tt>. In this
2460 mode Samba will try to validate the username/password by passing
2461 it to a Windows NT Primary or Backup Domain Controller, in exactly
2462 the same way that a Windows NT Server would do.</p><p><span class="emphasis"><em>Note</em></span> that a valid UNIX user must still
2463 exist as well as the account on the Domain Controller to allow
2464 Samba to have a valid UNIX account to map file access to.</p><p><span class="emphasis"><em>Note</em></span> that from the client's point
2465 of view <b>security = domain</b> is the same
2466 as <b>security = user</b>. It only
2467 affects how the server deals with the authentication,
2468 it does not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
2469 requested is <span class="emphasis"><em>not</em></span> sent to the server until after
2470 the server has successfully authenticated the client. This is why
2471 guest shares don't work in user level security without allowing
2472 the server to automatically map unknown users into the <a href="#GUESTACCOUNT">
2473 <i><tt>guest account</tt></i></a>.
2474 See the <a href="#MAPTOGUEST"><i><tt>map to guest</tt></i>
2475 </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
2476 NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a href="#PASSWORDSERVER"><i><tt>password
2477 server</tt></i></a> parameter and the <a href="#ENCRYPTPASSWORDS">
2478 <i><tt>encrypted passwords</tt></i>
2479 </a> parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>In this mode Samba will try to validate the username/password
2480 by passing it to another SMB server, such as an NT box. If this
2481 fails it will revert to <b>security =
2482 user</b>. It expects the <a href="#ENCRYPTPASSWORDS">
2483 <i><tt>encrypted passwords</tt></i></a> parameter
2484 to be set to <tt>yes</tt>, unless the remote server
2485 does not support them. However note that if encrypted passwords have been
2486 negotiated then Samba cannot revert back to checking the UNIX password file,
2487 it must have a valid <tt>smbpasswd</tt> file to check
2488 users against. See the documentation file in the <tt>docs/</tt> directory
2489 <tt>ENCRYPTION.txt</tt> for details on how to set this up.</p><p><span class="emphasis"><em>Note</em></span> this mode of operation has
2490 significant pitfalls, due to the fact that is activly initiates a
2491 man-in-the-middle attack on the remote SMB server. In particular,
2492 this mode of operation can cause significant resource consuption on
2493 the PDC, as it must maintain an active connection for the duration
2494 of the user's session. Furthermore, if this connection is lost,
2495 there is no way to reestablish it, and futher authenticaions to the
2496 Samba server may fail. (From a single client, till it disconnects).
2497 </p><p><span class="emphasis"><em>Note</em></span> that from the client's point of
2498 view <b>security = server</b> is the
2499 same as <b>security = user</b>. It
2500 only affects how the server deals with the authentication, it does
2501 not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
2502 requested is <span class="emphasis"><em>not</em></span> sent to the server until after
2503 the server has successfully authenticated the client. This is why
2504 guest shares don't work in user level security without allowing
2505 the server to automatically map unknown users into the <a href="#GUESTACCOUNT">
2506 <i><tt>guest account</tt></i></a>.
2507 See the <a href="#MAPTOGUEST"><i><tt>map to guest</tt></i>
2508 </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
2509 NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a href="#PASSWORDSERVER"><i><tt>password
2510 server</tt></i></a> parameter and the <a href="#ENCRYPTPASSWORDS">
2511 <i><tt>encrypted passwords</tt></i></a> parameter.</p><p>Default: <b>security = USER</b></p><p>Example: <b>security = DOMAIN</b></p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p>This controls whether the server offers or even
2512 demands the use of the netlogon schannel.
2513 <i><tt>server schannel = no</tt></i> does not
2514 offer the schannel, <i><tt>server schannel =
2515 auto</tt></i> offers the schannel but does not
2516 enforce it, and <i><tt>server schannel =
2517 yes</tt></i> denies access if the client is not
2518 able to speak netlogon schannel. This is only the case
2519 for Windows NT4 before SP4.</p><p>Please note that with this set to
2520 <i><tt>no</tt></i> you will have to apply the
2521 WindowsXP requireSignOrSeal-Registry patch found in
2522 the docs/Registry subdirectory.</p><p>Default: <b>server schannel = auto</b></p><p>Example: <b>server schannel = yes</b></p></dd><dt><span class="term"><a name="SERVERSTRING"></a>server string (G)</span></dt><dd><p>This controls what string will show up in the printer comment box in print
2523 manager and next to the IPC connection in <b>net view</b>. It
2524 can be any string that you wish to show to your users.</p><p>It also sets what will appear in browse lists next
2525 to the machine name.</p><p>A <i><tt>%v</tt></i> will be replaced with the Samba
2526 version number.</p><p>A <i><tt>%h</tt></i> will be replaced with the
2527 hostname.</p><p>Default: <b>server string = Samba %v</b></p><p>Example: <b>server string = University of GNUs Samba
2528 Server</b></p></dd><dt><span class="term"><a name="SETDIRECTORY"></a>set directory (S)</span></dt><dd><p>If <b>set directory = no</b>, then
2529 users of the service may not use the setdir command to change
2530 directory.</p><p>The <b>setdir</b> command is only implemented
2531 in the Digital Pathworks client. See the Pathworks documentation
2532 for details.</p><p>Default: <b>set directory = no</b></p></dd><dt><span class="term"><a name="SETPRIMARYGROUPSCRIPT"></a>set primary group script (G)</span></dt><dd><p>Thanks to the Posix subsystem in NT a Windows User has a
2533 primary group in addition to the auxiliary groups. This script
2534 sets the primary group in the unix userdatase when an
2535 administrator sets the primary group from the windows user
2536 manager or when fetching a SAM with <b>net rpc
2537 vampire</b>. <i><tt>%u</tt></i> will be replaced
2538 with the user whose primary group is to be set.
2539 <i><tt>%g</tt></i> will be replaced with the group to
2540 set.</p><p>Default: <span class="emphasis"><em>No default value</em></span></p><p>Example: <b>set primary group script = /usr/sbin/usermod -g '%g' '%u'</b></p></dd><dt><span class="term"><a name="SHAREMODES"></a>share modes (S)</span></dt><dd><p>This enables or disables the honoring of
2541 the <i><tt>share modes</tt></i> during a file open. These
2542 modes are used by clients to gain exclusive read or write access
2543 to a file.</p><p>These open modes are not directly supported by UNIX, so
2544 they are simulated using shared memory, or lock files if your
2545 UNIX doesn't support shared memory (almost all do).</p><p>The share modes that are enabled by this option are
2546 <tt>DENY_DOS</tt>, <tt>DENY_ALL</tt>,
2547 <tt>DENY_READ</tt>, <tt>DENY_WRITE</tt>,
2548 <tt>DENY_NONE</tt> and <tt>DENY_FCB</tt>.
2549 </p><p>This option gives full share compatibility and enabled
2550 by default.</p><p>You should <span class="emphasis"><em>NEVER</em></span> turn this parameter
2551 off as many Windows applications will break if you do so.</p><p>Default: <b>share modes = yes</b></p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p>This boolean parameter controls if new files
2552 which conform to 8.3 syntax, that is all in upper case and of
2553 suitable length, are created upper case, or if they are forced
2554 to be the <a href="#DEFAULTCASE"><i><tt>default case
2555 </tt></i></a>. This option can be use with <a href="#PRESERVECASE"><b>preserve case = yes</b>
2556 </a> to permit long filenames to retain their case, while short
2557 names are lowered. </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <b>short preserve case = yes</b></p></dd><dt><span class="term"><a name="SHOWADDPRINTERWIZARD"></a>show add printer wizard (G)</span></dt><dd><p>With the introduction of MS-RPC based printing support
2558 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
2559 appear on Samba hosts in the share listing. Normally this folder will
2560 contain an icon for the MS Add Printer Wizard (APW). However, it is
2561 possible to disable this feature regardless of the level of privilege
2562 of the connected user.</p><p>Under normal circumstances, the Windows NT/2000 client will
2563 open a handle on the printer server with OpenPrinterEx() asking for
2564 Administrator privileges. If the user does not have administrative
2565 access on the print server (i.e is not root or a member of the
2566 <i><tt>printer admin</tt></i> group), the OpenPrinterEx()
2567 call fails and the client makes another open call with a request for
2568 a lower privilege level. This should succeed, however the APW
2569 icon will not be displayed.</p><p>Disabling the <i><tt>show add printer wizard</tt></i>
2570 parameter will always cause the OpenPrinterEx() on the server
2571 to fail. Thus the APW icon will never be displayed. <span class="emphasis"><em>
2572 Note :</em></span>This does not prevent the same user from having
2573 administrative privilege on an individual printer.</p><p>See also <a href="#ADDPRINTERCOMMAND"><i><tt>addprinter
2574 command</tt></i></a>, <a href="#DELETEPRINTERCOMMAND">
2575 <i><tt>deleteprinter command</tt></i></a>, <a href="#PRINTERADMIN">
2576 <i><tt>printer admin</tt></i></a></p><p>Default :<b>show add printer wizard = yes</b></p></dd><dt><span class="term"><a name="SHUTDOWNSCRIPT"></a>shutdown script (G)</span></dt><dd><p><span class="emphasis"><em>This parameter only exists in the HEAD cvs branch</em></span>
2577 This a full path name to a script called by <a href="smbd.8.html">smbd(8)</a> that should start a shutdown procedure.</p><p>This command will be run as the user connected to the server.</p><p>%m %t %r %f parameters are expanded:</p><div class="itemizedlist"><ul type="disc"><li><p><i><tt>%m</tt></i> will be substituted with the
2578 shutdown message sent to the server.</p></li><li><p><i><tt>%t</tt></i> will be substituted with the
2579 number of seconds to wait before effectively starting the
2580 shutdown procedure.</p></li><li><p><i><tt>%r</tt></i> will be substituted with the
2581 switch <span class="emphasis"><em>-r</em></span>. It means reboot after shutdown
2582 for NT.</p></li><li><p><i><tt>%f</tt></i> will be substituted with the
2583 switch <span class="emphasis"><em>-f</em></span>. It means force the shutdown
2584 even if applications do not respond for NT.</p></li></ul></div><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b>abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</b></p><p>Shutdown script example:
2585 </p><pre class="programlisting">
2589 let "time/60"
2590 let "time++"
2592 /sbin/shutdown $3 $4 +$time $1 &
2594 Shutdown does not return so we need to launch it in background.
2595 </p><p>See also <a href="#ABORTSHUTDOWNSCRIPT">
2596 <i><tt>abort shutdown script</tt></i></a>.</p></dd><dt><span class="term"><a name="SMBPASSWDFILE"></a>smb passwd file (G)</span></dt><dd><p>This option sets the path to the encrypted smbpasswd file. By
2597 default the path to the smbpasswd file is compiled into Samba.</p><p>Default: <b>smb passwd file = ${prefix}/private/smbpasswd</b></p><p>Example: <b>smb passwd file = /etc/samba/smbpasswd</b></p></dd><dt><span class="term"><a name="SMBPORTS"></a>smb ports (G)</span></dt><dd><p>Specifies which ports the server should listen on for SMB traffic.</p><p>Default: <b>smb ports = 445 139</b></p></dd><dt><span class="term"><a name="SOCKETADDRESS"></a>socket address (G)</span></dt><dd><p>This option allows you to control what
2598 address Samba will listen for connections on. This is used to
2599 support multiple virtual interfaces on the one server, each
2600 with a different configuration.</p><p>By default Samba will accept connections on any
2601 address.</p><p>Example: <b>socket address = 192.168.2.20</b></p></dd><dt><span class="term"><a name="SOCKETOPTIONS"></a>socket options (G)</span></dt><dd><p>This option allows you to set socket options
2602 to be used when talking with the client.</p><p>Socket options are controls on the networking layer
2603 of the operating systems which allow the connection to be
2604 tuned.</p><p>This option will typically be used to tune your Samba server
2605 for optimal performance for your local network. There is no way
2606 that Samba can know what the optimal parameters are for your net,
2607 so you must experiment and choose them yourself. We strongly
2608 suggest you read the appropriate documentation for your operating
2609 system first (perhaps <b>man
2610 setsockopt</b> will help).</p><p>You may find that on some systems Samba will say
2611 "Unknown socket option" when you supply an option. This means you
2612 either incorrectly typed it or you need to add an include file
2613 to includes.h for your OS. If the latter is the case please
2614 send the patch to <a href="mailto:samba-technical@samba.org" target="_top">
2615 samba-technical@samba.org</a>.</p><p>Any of the supported socket options may be combined
2616 in any way you like, as long as your OS allows it.</p><p>This is the list of socket options currently settable
2617 using this option:</p><div class="itemizedlist"><ul type="disc"><li><p>SO_KEEPALIVE</p></li><li><p>SO_REUSEADDR</p></li><li><p>SO_BROADCAST</p></li><li><p>TCP_NODELAY</p></li><li><p>IPTOS_LOWDELAY</p></li><li><p>IPTOS_THROUGHPUT</p></li><li><p>SO_SNDBUF *</p></li><li><p>SO_RCVBUF *</p></li><li><p>SO_SNDLOWAT *</p></li><li><p>SO_RCVLOWAT *</p></li></ul></div><p>Those marked with a <span class="emphasis"><em>'*'</em></span> take an integer
2618 argument. The others can optionally take a 1 or 0 argument to enable
2619 or disable the option, by default they will be enabled if you
2620 don't specify 1 or 0.</p><p>To specify an argument use the syntax SOME_OPTION = VALUE
2621 for example <b>SO_SNDBUF = 8192</b>. Note that you must
2622 not have any spaces before or after the = sign.</p><p>If you are on a local network then a sensible option
2623 might be:</p><p><b>socket options = IPTOS_LOWDELAY</b></p><p>If you have a local network then you could try:</p><p><b>socket options = IPTOS_LOWDELAY TCP_NODELAY</b></p><p>If you are on a wide area network then perhaps try
2624 setting IPTOS_THROUGHPUT. </p><p>Note that several of the options may cause your Samba
2625 server to fail completely. Use these options with caution!</p><p>Default: <b>socket options = TCP_NODELAY</b></p><p>Example: <b>socket options = IPTOS_LOWDELAY</b></p></dd><dt><span class="term"><a name="SOURCEENVIRONMENT"></a>source environment (G)</span></dt><dd><p>This parameter causes Samba to set environment
2626 variables as per the content of the file named.</p><p>If the value of this parameter starts with a "|" character
2627 then Samba will treat that value as a pipe command to open and
2628 will set the environment variables from the output of the pipe.</p><p>The contents of the file or the output of the pipe should
2629 be formatted as the output of the standard Unix <b>env(1)</b> command. This is of the form:</p><p>Example environment entry:</p><p><b>SAMBA_NETBIOS_NAME = myhostname</b></p><p>Default: <span class="emphasis"><em>No default value</em></span></p><p>Examples: <b>source environment = |/etc/smb.conf.sh</b></p><p>Example: <b>source environment =
2630 /usr/local/smb_env_vars</b></p></dd><dt><span class="term"><a name="STATCACHESIZE"></a>stat cache size (G)</span></dt><dd><p>This parameter determines the number of
2631 entries in the <i><tt>stat cache</tt></i>. You should
2632 never need to change this parameter.</p><p>Default: <b>stat cache size = 50</b></p></dd><dt><span class="term"><a name="STATCACHE"></a>stat cache (G)</span></dt><dd><p>This parameter determines if <a href="smbd.8.html">smbd(8)</a> will use a cache in order to
2633 speed up case insensitive name mappings. You should never need
2634 to change this parameter.</p><p>Default: <b>stat cache = yes</b></p></dd><dt><span class="term"><a name="STRICTALLOCATE"></a>strict allocate (S)</span></dt><dd><p>This is a boolean that controls the handling of
2635 disk space allocation in the server. When this is set to <tt>yes</tt>
2636 the server will change from UNIX behaviour of not committing real
2637 disk storage blocks when a file is extended to the Windows behaviour
2638 of actually forcing the disk system to allocate real storage blocks
2639 when a file is created or extended to be a given size. In UNIX
2640 terminology this means that Samba will stop creating sparse files.
2641 This can be slow on some systems.</p><p>When strict allocate is <tt>no</tt> the server does sparse
2642 disk block allocation when a file is extended.</p><p>Setting this to <tt>yes</tt> can help Samba return
2643 out of quota messages on systems that are restricting the disk quota
2644 of users.</p><p>Default: <b>strict allocate = no</b></p></dd><dt><span class="term"><a name="STRICTLOCKING"></a>strict locking (S)</span></dt><dd><p>This is a boolean that controls the handling of
2645 file locking in the server. When this is set to <tt>yes</tt>
2646 the server will check every read and write access for file locks, and
2647 deny access if locks exist. This can be slow on some systems.</p><p>When strict locking is <tt>no</tt> the server does file
2648 lock checks only when the client explicitly asks for them.</p><p>Well-behaved clients always ask for lock checks when it
2649 is important, so in the vast majority of cases <b>strict
2650 locking = no</b> is preferable.</p><p>Default: <b>strict locking = no</b></p></dd><dt><span class="term"><a name="STRICTSYNC"></a>strict sync (S)</span></dt><dd><p>Many Windows applications (including the Windows 98 explorer
2651 shell) seem to confuse flushing buffer contents to disk with doing
2652 a sync to disk. Under UNIX, a sync call forces the process to be
2653 suspended until the kernel has ensured that all outstanding data in
2654 kernel disk buffers has been safely stored onto stable storage.
2655 This is very slow and should only be done rarely. Setting this
2656 parameter to <tt>no</tt> (the default) means that
2657 <a href="smbd.8.html">smbd(8)</a> ignores the Windows
2658 applications requests for a sync call. There is only a possibility
2659 of losing data if the operating system itself that Samba is running
2660 on crashes, so there is little danger in this default setting. In
2661 addition, this fixes many performance problems that people have
2662 reported with the new Windows98 explorer shell file copies.</p><p>See also the <a href="#SYNCALWAYS"><i><tt>sync
2663 always</tt></i></a> parameter.</p><p>Default: <b>strict sync = no</b></p></dd><dt><span class="term"><a name="STRIPDOT"></a>strip dot (G)</span></dt><dd><p>This is a boolean that controls whether to
2664 strip trailing dots off UNIX filenames. This helps with some
2665 CDROMs that have filenames ending in a single dot.</p><p>Default: <b>strip dot = no</b></p></dd><dt><span class="term"><a name="SYNCALWAYS"></a>sync always (S)</span></dt><dd><p>This is a boolean parameter that controls
2666 whether writes will always be written to stable storage before
2667 the write call returns. If this is <tt>no</tt> then the server will be
2668 guided by the client's request in each write call (clients can
2669 set a bit indicating that a particular write should be synchronous).
2670 If this is <tt>yes</tt> then every write will be followed by a <b>fsync()
2671 </b> call to ensure the data is written to disk. Note that
2672 the <i><tt>strict sync</tt></i> parameter must be set to
2673 <tt>yes</tt> in order for this parameter to have
2674 any affect.</p><p>See also the <a href="#STRICTSYNC"><i><tt>strict
2675 sync</tt></i></a> parameter.</p><p>Default: <b>sync always = no</b></p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p>If this parameter is set then Samba debug
2676 messages are logged into the system syslog only, and not to
2677 the debug log files.</p><p>Default: <b>syslog only = no</b></p></dd><dt><span class="term"><a name="SYSLOG"></a>syslog (G)</span></dt><dd><p>This parameter maps how Samba debug messages
2678 are logged onto the system syslog logging levels. Samba debug
2679 level zero maps onto syslog <tt>LOG_ERR</tt>, debug
2680 level one maps onto <tt>LOG_WARNING</tt>, debug level
2681 two maps onto <tt>LOG_NOTICE</tt>, debug level three
2682 maps onto LOG_INFO. All higher levels are mapped to <tt>
2683 LOG_DEBUG</tt>.</p><p>This parameter sets the threshold for sending messages
2684 to syslog. Only messages with debug level less than this value
2685 will be sent to syslog.</p><p>Default: <b>syslog = 1</b></p></dd><dt><span class="term"><a name="TEMPLATEHOMEDIR"></a>template homedir (G)</span></dt><dd><p>When filling out the user information for a Windows NT
2686 user, the <a href="winbindd.8.html">winbindd(8)</a> daemon uses this
2687 parameter to fill in the home directory for that user. If the
2688 string <i><tt>%D</tt></i> is present it
2689 is substituted with the user's Windows NT domain name. If the
2690 string <i><tt>%U</tt></i> is present it
2691 is substituted with the user's Windows NT user name.</p><p>Default: <b>template homedir = /home/%D/%U</b></p></dd><dt><span class="term"><a name="TEMPLATESHELL"></a>template shell (G)</span></dt><dd><p>When filling out the user information for a Windows NT
2692 user, the <a href="winbindd.8.html">winbindd(8)</a> daemon uses this
2693 parameter to fill in the login shell for that user.</p><p>Default: <b>template shell = /bin/false</b></p></dd><dt><span class="term"><a name="TIMEOFFSET"></a>time offset (G)</span></dt><dd><p>This parameter is a setting in minutes to add
2694 to the normal GMT to local time conversion. This is useful if
2695 you are serving a lot of PCs that have incorrect daylight
2696 saving time handling.</p><p>Default: <b>time offset = 0</b></p><p>Example: <b>time offset = 60</b></p></dd><dt><span class="term"><a name="TIMESERVER"></a>time server (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html">nmbd(8)</a> advertises itself as a time server to Windows
2697 clients.</p><p>Default: <b>time server = no</b></p></dd><dt><span class="term"><a name="TIMESTAMPLOGS"></a>timestamp logs (G)</span></dt><dd><p>Synonym for <a href="#DEBUGTIMESTAMP"><i><tt>
2698 debug timestamp</tt></i></a>.</p></dd><dt><span class="term"><a name="TOTALPRINTJOBS"></a>total print jobs (G)</span></dt><dd><p>This parameter accepts an integer value which defines
2699 a limit on the maximum number of print jobs that will be accepted
2700 system wide at any given time. If a print job is submitted
2701 by a client which will exceed this number, then <a href="smbd.8.html">smbd(8)</a> will return an
2702 error indicating that no space is available on the server. The
2703 default value of 0 means that no such limit exists. This parameter
2704 can be used to prevent a server from exceeding its capacity and is
2705 designed as a printing throttle. See also <a href="#MAXPRINTJOBS">
2706 <i><tt>max print jobs</tt></i></a>.
2707 </p><p>Default: <b>total print jobs = 0</b></p><p>Example: <b>total print jobs = 5000</b></p></dd><dt><span class="term"><a name="UNICODE"></a>unicode (G)</span></dt><dd><p>Specifies whether Samba should try
2708 to use unicode on the wire by default. Note: This does NOT
2709 mean that samba will assume that the unix machine uses unicode!
2710 </p><p>Default: <b>unicode = yes</b></p></dd><dt><span class="term"><a name="UNIXCHARSET"></a>unix charset (G)</span></dt><dd><p>Specifies the charset the unix machine
2711 Samba runs on uses. Samba needs to know this in order to be able to
2712 convert text to the charsets other SMB clients use.
2713 </p><p>Default: <b>unix charset = UTF8</b></p><p>Example: <b>unix charset = ASCII</b></p></dd><dt><span class="term"><a name="UNIXEXTENSIONS"></a>unix extensions (G)</span></dt><dd><p>This boolean parameter controls whether Samba
2714 implments the CIFS UNIX extensions, as defined by HP.
2715 These extensions enable Samba to better serve UNIX CIFS clients
2716 by supporting features such as symbolic links, hard links, etc...
2717 These extensions require a similarly enabled client, and are of
2718 no current use to Windows clients.</p><p>Default: <b>unix extensions = no</b></p></dd><dt><span class="term"><a name="UNIXPASSWORDSYNC"></a>unix password sync (G)</span></dt><dd><p>This boolean parameter controls whether Samba
2719 attempts to synchronize the UNIX password with the SMB password
2720 when the encrypted SMB password in the smbpasswd file is changed.
2721 If this is set to <tt>yes</tt> the program specified in the <i><tt>passwd
2722 program</tt></i>parameter is called <span class="emphasis"><em>AS ROOT</em></span> -
2723 to allow the new UNIX password to be set without access to the
2724 old UNIX password (as the SMB password change code has no
2725 access to the old password cleartext, only the new).</p><p>See also <a href="#PASSWDPROGRAM"><i><tt>passwd
2726 program</tt></i></a>, <a href="#PASSWDCHAT"><i><tt>
2727 passwd chat</tt></i></a>.
2728 </p><p>Default: <b>unix password sync = no</b></p></dd><dt><span class="term"><a name="UPDATEENCRYPTED"></a>update encrypted (G)</span></dt><dd><p>This boolean parameter allows a user logging on with
2729 a plaintext password to have their encrypted (hashed) password in
2730 the smbpasswd file to be updated automatically as they log
2731 on. This option allows a site to migrate from plaintext
2732 password authentication (users authenticate with plaintext
2733 password over the wire, and are checked against a UNIX account
2734 database) to encrypted password authentication (the SMB
2735 challenge/response authentication mechanism) without forcing all
2736 users to re-enter their passwords via smbpasswd at the time the
2737 change is made. This is a convenience option to allow the change
2738 over to encrypted passwords to be made over a longer period.
2739 Once all users have encrypted representations of their passwords
2740 in the smbpasswd file this parameter should be set to
2741 <tt>no</tt>.</p><p>In order for this parameter to work correctly the <a href="#ENCRYPTPASSWORDS">
2742 <i><tt>encrypt passwords</tt></i></a> parameter must
2743 be set to <tt>no</tt> when this parameter is set to <tt>yes</tt>.</p><p>Note that even when this parameter is set a user
2744 authenticating to <b>smbd</b> must still enter a valid
2745 password in order to connect correctly, and to update their hashed
2746 (smbpasswd) passwords.</p><p>Default: <b>update encrypted = no</b></p></dd><dt><span class="term"><a name="USECLIENTDRIVER"></a>use client driver (S)</span></dt><dd><p>This parameter applies only to Windows NT/2000
2747 clients. It has no affect on Windows 95/98/ME clients. When
2748 serving a printer to Windows NT/2000 clients without first installing
2749 a valid printer driver on the Samba host, the client will be required
2750 to install a local printer driver. From this point on, the client
2751 will treat the print as a local printer and not a network printer
2752 connection. This is much the same behavior that will occur
2753 when <b>disable spoolss = yes</b>.
2754 </p><p>The differentiating factor is that under normal
2755 circumstances, the NT/2000 client will attempt to open the network
2756 printer using MS-RPC. The problem is that because the client
2757 considers the printer to be local, it will attempt to issue the
2758 OpenPrinterEx() call requesting access rights associated with the
2759 logged on user. If the user possesses local administator rights but
2760 not root privilegde on the Samba host (often the case), the
2761 OpenPrinterEx() call will fail. The result is that the client will
2762 now display an "Access Denied; Unable to connect" message
2763 in the printer queue window (even though jobs may successfully be
2764 printed). </p><p>If this parameter is enabled for a printer, then any attempt
2765 to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
2766 to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
2767 call to succeed. <span class="emphasis"><em>This parameter MUST not be able enabled
2768 on a print share which has valid print driver installed on the Samba
2769 server.</em></span></p><p>See also <a href="#DISABLESPOOLSS"><i><tt>disable spoolss</tt></i></a></p><p>Default: <b>use client driver = no</b></p></dd><dt><span class="term"><a name="USEMMAP"></a>use mmap (G)</span></dt><dd><p>This global parameter determines if the tdb internals of Samba can
2770 depend on mmap working correctly on the running system. Samba requires a coherent
2771 mmap/read-write system memory cache. Currently only HPUX does not have such a
2772 coherent cache, and so this parameter is set to <tt>no</tt> by
2773 default on HPUX. On all other systems this parameter should be left alone. This
2774 parameter is provided to help the Samba developers track down problems with
2775 the tdb internal code.
2776 </p><p>Default: <b>use mmap = yes</b></p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 'guess' at
2777 the real UNIX username, as many DOS clients send an all-uppercase
2778 username. By default Samba tries all lowercase, followed by the
2779 username with the first letter capitalized, and fails if the
2780 username is not found on the UNIX machine.</p><p>If this parameter is set to non-zero the behavior changes.
2781 This parameter is a number that specifies the number of uppercase
2782 combinations to try while trying to determine the UNIX user name. The
2783 higher the number the more combinations will be tried, but the slower
2784 the discovery of usernames will be. Use this parameter when you have
2785 strange usernames on your UNIX machine, such as <tt>AstrangeUser
2786 </tt>.</p><p>Default: <b>username level = 0</b></p><p>Example: <b>username level = 5</b></p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p>This option allows you to specify a file containing
2787 a mapping of usernames from the clients to the server. This can be
2788 used for several purposes. The most common is to map usernames
2789 that users use on DOS or Windows machines to those that the UNIX
2790 box uses. The other is to map multiple users to a single username
2791 so that they can more easily share files.</p><p>The map file is parsed line by line. Each line should
2792 contain a single UNIX username on the left then a '=' followed
2793 by a list of usernames on the right. The list of usernames on the
2794 right may contain names of the form @group in which case they
2795 will match any UNIX username in that group. The special client
2796 name '*' is a wildcard and matches any name. Each line of the
2797 map file may be up to 1023 characters long.</p><p>The file is processed on each line by taking the
2798 supplied username and comparing it with each username on the right
2799 hand side of the '=' signs. If the supplied name matches any of
2800 the names on the right hand side then it is replaced with the name
2801 on the left. Processing then continues with the next line.</p><p>If any line begins with a '#' or a ';' then it is ignored</p><p>If any line begins with an '!' then the processing
2802 will stop after that line if a mapping was done by the line.
2803 Otherwise mapping continues with every line being processed.
2804 Using '!' is most useful when you have a wildcard mapping line
2805 later in the file.</p><p>For example to map from the name <tt>admin</tt>
2806 or <tt>administrator</tt> to the UNIX name <tt>
2807 root</tt> you would use:</p><p><b>root = admin administrator</b></p><p>Or to map anyone in the UNIX group <tt>system</tt>
2808 to the UNIX name <tt>sys</tt> you would use:</p><p><b>sys = @system</b></p><p>You can have as many mappings as you like in a username map file.</p><p>If your system supports the NIS NETGROUP option then
2809 the netgroup database is checked before the <tt>/etc/group
2810 </tt> database for matching groups.</p><p>You can map Windows usernames that have spaces in them
2811 by using double quotes around the name. For example:</p><p><b>tridge = "Andrew Tridgell"</b></p><p>would map the windows username "Andrew Tridgell" to the
2812 unix username "tridge".</p><p>The following example would map mary and fred to the
2813 unix user sys, and map the rest to guest. Note the use of the
2814 '!' to tell Samba to stop processing if it gets a match on
2815 that line.</p><pre class="programlisting">
2818 </pre><p>Note that the remapping is applied to all occurrences
2819 of usernames. Thus if you connect to \\server\fred and <tt>
2820 fred</tt> is remapped to <tt>mary</tt> then you
2821 will actually be connecting to \\server\mary and will need to
2822 supply a password suitable for <tt>mary</tt> not
2823 <tt>fred</tt>. The only exception to this is the
2824 username passed to the <a href="#PASSWORDSERVER"><i><tt>
2825 password server</tt></i></a> (if you have one). The password
2826 server will receive whatever username the client supplies without
2827 modification.</p><p>Also note that no reverse mapping is done. The main effect
2828 this has is with printing. Users who have been mapped may have
2829 trouble deleting print jobs as PrintManager under WfWg will think
2830 they don't own the print job.</p><p>Default: <span class="emphasis"><em>no username map</em></span></p><p>Example: <b>username map = /usr/local/samba/lib/users.map</b></p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited
2831 list, in which case the supplied password will be tested against
2832 each username in turn (left to right).</p><p>The <i><tt>username</tt></i> line is needed only when
2833 the PC is unable to supply its own username. This is the case
2834 for the COREPLUS protocol or where your users have different WfWg
2835 usernames to UNIX usernames. In both these cases you may also be
2836 better using the \\server\share%user syntax instead.</p><p>The <i><tt>username</tt></i> line is not a great
2837 solution in many cases as it means Samba will try to validate
2838 the supplied password against each of the usernames in the
2839 <i><tt>username</tt></i> line in turn. This is slow and
2840 a bad idea for lots of users in case of duplicate passwords.
2841 You may get timeouts or security breaches using this parameter
2842 unwisely.</p><p>Samba relies on the underlying UNIX security. This
2843 parameter does not restrict who can login, it just offers hints
2844 to the Samba server as to what usernames might correspond to the
2845 supplied password. Users can login as whoever they please and
2846 they will be able to do no more damage than if they started a
2847 telnet session. The daemon runs as the user that they log in as,
2848 so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you
2849 can use the <a href="#VALIDUSERS"><i><tt>valid users
2850 </tt></i></a> parameter.</p><p>If any of the usernames begin with a '@' then the name
2851 will be looked up first in the NIS netgroups list (if Samba
2852 is compiled with netgroup support), followed by a lookup in
2853 the UNIX groups database and will expand to a list of all users
2854 in the group of that name.</p><p>If any of the usernames begin with a '+' then the name
2855 will be looked up only in the UNIX groups database and will
2856 expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&' then the name
2857 will be looked up only in the NIS netgroups database (if Samba
2858 is compiled with netgroup support) and will expand to a list
2859 of all users in the netgroup group of that name.</p><p>Note that searching though a groups database can take
2860 quite some time, and some clients may time out during the
2861 search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT
2862 USERNAME/PASSWORD VALIDATION</a> for more information on how
2863 this parameter determines access to the services.</p><p>Default: <b>The guest account if a guest service,
2864 else <empty string>.</b></p><p>Examples:<b>username = fred, mary, jack, jane,
2865 @users, @pcgroup</b></p></dd><dt><span class="term"><a name="USERS"></a>users (S)</span></dt><dd><p>Synonym for <a href="#USERNAME"><i><tt>
2866 username</tt></i></a>.</p></dd><dt><span class="term"><a name="USER"></a>user (S)</span></dt><dd><p>Synonym for <a href="#USERNAME"><i><tt>username</tt></i></a>.</p></dd><dt><span class="term"><a name="USESENDFILE"></a>use sendfile (S)</span></dt><dd><p>If this parameter is <tt>yes</tt>, and Samba
2867 was built with the --with-sendfile-support option, and the underlying operating
2868 system supports sendfile system call, then some SMB read calls (mainly ReadAndX
2869 and ReadRaw) will use the more efficient sendfile system call for files that
2870 are exclusively oplocked. This may make more efficient use of the system CPU's
2871 and cause Samba to be faster. This is off by default as it's effects are unknown
2872 as yet.</p><p>Default: <b>use sendfile = no</b></p></dd><dt><span class="term"><a name="USESPNEGO"></a>use spnego (G)</span></dt><dd><p> This variable controls controls whether samba will try
2873 to use Simple and Protected NEGOciation (as specified by rfc2478) with
2874 WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism.
2875 Unless further issues are discovered with our SPNEGO
2876 implementation, there is no reason this should ever be
2877 disabled.</p><p>Default: <span class="emphasis"><em>use spnego = yes</em></span></p></dd><dt><span class="term"><a name="UTMPDIRECTORY"></a>utmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
2878 been configured and compiled with the option <b>
2879 --with-utmp</b>. It specifies a directory pathname that is
2880 used to store the utmp or utmpx files (depending on the UNIX system) that
2881 record user connections to a Samba server. See also the <a href="#UTMP">
2882 <i><tt>utmp</tt></i></a> parameter. By default this is
2883 not set, meaning the system will use whatever utmp file the
2884 native system is set to use (usually
2885 <tt>/var/run/utmp</tt> on Linux).</p><p>Default: <span class="emphasis"><em>no utmp directory</em></span></p><p>Example: <b>utmp directory = /var/run/utmp</b></p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>This boolean parameter is only available if
2886 Samba has been configured and compiled with the option <b>
2887 --with-utmp</b>. If set to <tt>yes</tt> then Samba will attempt
2888 to add utmp or utmpx records (depending on the UNIX system) whenever a
2889 connection is made to a Samba server. Sites may use this to record the
2890 user connecting to a Samba share.</p><p>Due to the requirements of the utmp record, we
2891 are required to create a unique identifier for the
2892 incoming user. Enabling this option creates an n^2
2893 algorithm to find this number. This may impede
2894 performance on large installations. </p><p>See also the <a href="#UTMPDIRECTORY"><i><tt>
2895 utmp directory</tt></i></a> parameter.</p><p>Default: <b>utmp = no</b></p></dd><dt><span class="term"><a name="VALIDUSERS"></a>valid users (S)</span></dt><dd><p>This is a list of users that should be allowed
2896 to login to this service. Names starting with '@', '+' and '&'
2897 are interpreted using the same rules as described in the
2898 <i><tt>invalid users</tt></i> parameter.</p><p>If this is empty (the default) then any user can login.
2899 If a username is in both this list and the <i><tt>invalid
2900 users</tt></i> list then access is denied for that user.</p><p>The current servicename is substituted for <i><tt>%S
2901 </tt></i>. This is useful in the [homes] section.</p><p>See also <a href="#INVALIDUSERS"><i><tt>invalid users
2902 </tt></i></a></p><p>Default: <span class="emphasis"><em>No valid users list (anyone can login)
2903 </em></span></p><p>Example: <b>valid users = greg, @pcusers</b></p></dd><dt><span class="term"><a name="VETOFILES"></a>veto files (S)</span></dt><dd><p>This is a list of files and directories that
2904 are neither visible nor accessible. Each entry in the list must
2905 be separated by a '/', which allows spaces to be included
2906 in the entry. '*' and '?' can be used to specify multiple files
2907 or directories as in DOS wildcards.</p><p>Each entry must be a unix path, not a DOS path and
2908 must <span class="emphasis"><em>not</em></span> include the unix directory
2909 separator '/'.</p><p>Note that the <i><tt>case sensitive</tt></i> option
2910 is applicable in vetoing files.</p><p>One feature of the veto files parameter that it
2911 is important to be aware of is Samba's behaviour when
2912 trying to delete a directory. If a directory that is
2913 to be deleted contains nothing but veto files this
2914 deletion will <span class="emphasis"><em>fail</em></span> unless you also set
2915 the <i><tt>delete veto files</tt></i> parameter to
2916 <i><tt>yes</tt></i>.</p><p>Setting this parameter will affect the performance
2917 of Samba, as it will be forced to check all files and directories
2918 for a match as they are scanned.</p><p>See also <a href="#HIDEFILES"><i><tt>hide files
2919 </tt></i></a> and <a href="#CASESENSITIVE"><i><tt>
2920 case sensitive</tt></i></a>.</p><p>Default: <span class="emphasis"><em>No files or directories are vetoed.
2921 </em></span></p><p>Examples:
2922 </p><pre class="programlisting">
2923 ; Veto any files containing the word Security,
2924 ; any ending in .tmp, and any directory containing the
2926 veto files = /*Security*/*.tmp/*root*/
2928 ; Veto the Apple specific files that a NetAtalk server
2930 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
2931 </pre></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p>This parameter is only valid when the <a href="#OPLOCKS">
2932 <i><tt>oplocks</tt></i></a>
2933 parameter is turned on for a share. It allows the Samba administrator
2934 to selectively turn off the granting of oplocks on selected files that
2935 match a wildcarded list, similar to the wildcarded list used in the
2936 <a href="#VETOFILES"><i><tt>veto files</tt></i></a>
2937 parameter.</p><p>Default: <span class="emphasis"><em>No files are vetoed for oplock grants</em></span></p><p>You might want to do this on files that you know will
2938 be heavily contended for by clients. A good example of this
2939 is in the NetBench SMB benchmark program, which causes heavy
2940 client contention for files ending in <tt>.SEM</tt>.
2941 To cause Samba not to grant oplocks on these files you would use
2942 the line (either in the [global] section or in the section for
2943 the particular NetBench share :</p><p>Example: <b>veto oplock files = /*.SEM/</b></p></dd><dt><span class="term"><a name="VFSOBJECT"></a>vfs object (S)</span></dt><dd><p>This parameter specifies a shared object files that
2944 are used for Samba VFS I/O operations. By default, normal
2945 disk I/O operations are used but these can be overloaded
2946 with one or more VFS objects. </p><p>Default: <span class="emphasis"><em>no value</em></span></p></dd><dt><span class="term"><a name="VFSOPTIONS"></a>vfs options (S)</span></dt><dd><p>This parameter allows parameters to be passed
2947 to the vfs layer at initialization time.
2948 See also <a href="#VFSOBJECT"><i><tt>
2949 vfs object</tt></i></a>.</p><p>Default: <span class="emphasis"><em>no value</em></span></p></dd><dt><span class="term"><a name="VFSPATH"></a>vfs path (S)</span></dt><dd><p>This parameter specifies the directory
2950 to look in for vfs modules. The name of every <b>vfs object
2951 </b> will be prepended by this directory.</p><p>Default: <b>vfs path = </b></p><p>Example: <b>vfs path = /usr/lib/samba/vfs</b></p></dd><dt><span class="term"><a name="VOLUME"></a>volume (S)</span></dt><dd><p> This allows you to override the volume label
2952 returned for a share. Useful for CDROMs with installation programs
2953 that insist on a particular volume label.</p><p>Default: <span class="emphasis"><em>the name of the share</em></span></p></dd><dt><span class="term"><a name="WIDELINKS"></a>wide links (S)</span></dt><dd><p>This parameter controls whether or not links
2954 in the UNIX file system may be followed by the server. Links
2955 that point to areas within the directory tree exported by the
2956 server are always allowed; this parameter controls access only
2957 to areas that are outside the directory tree being exported.</p><p>Note that setting this parameter can have a negative
2958 effect on your server performance due to the extra system calls
2959 that Samba has to do in order to perform the link checks.</p><p>Default: <b>wide links = yes</b></p></dd><dt><span class="term"><a name="WINBINDCACHETIME"></a>winbind cache time (G)</span></dt><dd><p>This parameter specifies the number of
2960 seconds the <a href="winbindd.8.html">winbindd(8)</a> daemon will cache
2961 user and group information before querying a Windows NT server
2962 again.</p><p>Default: <b>winbind cache type = 15</b></p></dd><dt><span class="term"><a name="WINBINDENUMGROUPS"></a>winbind enum groups (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html">winbindd(8)</a> it may be necessary to suppress
2963 the enumeration of groups through the <b>setgrent()</b>,
2964 <b>getgrent()</b> and
2965 <b>endgrent()</b> group of system calls. If
2966 the <i><tt>winbind enum groups</tt></i> parameter is
2967 <tt>no</tt>, calls to the <b>getgrent()</b> system
2968 call will not return any data. </p><p><span class="emphasis"><em>Warning:</em></span> Turning off group
2969 enumeration may cause some programs to behave oddly.
2970 </p><p>Default: <b>winbind enum groups = yes </b></p></dd><dt><span class="term"><a name="WINBINDENUMUSERS"></a>winbind enum users (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html">winbindd(8)</a> it may be
2971 necessary to suppress the enumeration of users through the <b>setpwent()</b>,
2972 <b>getpwent()</b> and
2973 <b>endpwent()</b> group of system calls. If
2974 the <i><tt>winbind enum users</tt></i> parameter is
2975 <tt>no</tt>, calls to the <b>getpwent</b> system call
2976 will not return any data. </p><p><span class="emphasis"><em>Warning:</em></span> Turning off user
2977 enumeration may cause some programs to behave oddly. For
2978 example, the finger program relies on having access to the
2979 full user list when searching for matching
2980 usernames. </p><p>Default: <b>winbind enum users = yes </b></p></dd><dt><span class="term"><a name="WINBINDGID"></a>winbind gid (G)</span></dt><dd><p>The winbind gid parameter specifies the range of group
2981 ids that are allocated by the <a href="winbindd.8.html">winbindd(8)</a> daemon. This range of group ids should have no
2982 existing local or NIS groups within it as strange conflicts can
2983 occur otherwise.</p><p>Default: <b>winbind gid = <empty string></b></p><p>Example: <b>winbind gid = 10000-20000</b></p></dd><dt><span class="term"><a name="WINBINDSEPARATOR"></a>winbind separator (G)</span></dt><dd><p>This parameter allows an admin to define the character
2984 used when listing a username of the form of <i><tt>DOMAIN
2985 </tt></i>\<i><tt>user</tt></i>. This parameter
2986 is only applicable when using the <tt>pam_winbind.so</tt>
2987 and <tt>nss_winbind.so</tt> modules for UNIX services.
2988 </p><p>Please note that setting this parameter to + causes problems
2989 with group membership at least on glibc systems, as the character +
2990 is used as a special character for NIS in /etc/group.</p><p>Default: <b>winbind separator = '\'</b></p><p>Example: <b>winbind separator = +</b></p></dd><dt><span class="term"><a name="WINBINDUID"></a>winbind uid (G)</span></dt><dd><p>The winbind gid parameter specifies the range of group
2991 ids that are allocated by the <a href="winbindd.8.html">winbindd(8)</a> daemon. This range of ids should have no
2992 existing local or NIS users within it as strange conflicts can
2993 occur otherwise.</p><p>Default: <b>winbind uid = <empty string></b></p><p>Example: <b>winbind uid = 10000-20000</b></p></dd><dt><span class="term"><a name="WINBINDUSEDDEFAULTDOMAIN"></a>winbind used default domain (G)</span></dt><dd><p>This parameter specifies whether the
2994 <a href="winbindd.8.html">winbindd(8)</a> daemon should operate on users
2995 without domain component in their username. Users without a domain
2996 component are treated as is part of the winbindd server's own
2997 domain. While this does not benifit Windows users, it makes SSH, FTP and
2998 e-mail function in a way much closer to the way they
2999 would in a native unix system.</p><p>Default: <b>winbind use default domain = <no></b></p><p>Example: <b>winbind use default domain = yes</b></p></dd><dt><span class="term"><a name="WINSHOOK"></a>wins hook (G)</span></dt><dd><p>When Samba is running as a WINS server this
3000 allows you to call an external program for all changes to the
3001 WINS database. The primary use for this option is to allow the
3002 dynamic update of external name resolution databases such as
3003 dynamic DNS.</p><p>The wins hook parameter specifies the name of a script
3004 or executable that will be called as follows:</p><p><b>wins_hook operation name nametype ttl IP_list</b></p><div class="itemizedlist"><ul type="disc"><li><p>The first argument is the operation and is
3005 one of "add", "delete", or
3006 "refresh". In most cases the operation
3007 can be ignored as the rest of the parameters
3008 provide sufficient information. Note that
3009 "refresh" may sometimes be called when
3010 the name has not previously been added, in that
3011 case it should be treated as an add.</p></li><li><p>The second argument is the NetBIOS name. If the
3012 name is not a legal name then the wins hook is not called.
3013 Legal names contain only letters, digits, hyphens, underscores
3014 and periods.</p></li><li><p>The third argument is the NetBIOS name
3015 type as a 2 digit hexadecimal number. </p></li><li><p>The fourth argument is the TTL (time to live)
3016 for the name in seconds.</p></li><li><p>The fifth and subsequent arguments are the IP
3017 addresses currently registered for that name. If this list is
3018 empty then the name should be deleted.</p></li></ul></div><p>An example script that calls the BIND dynamic DNS update
3019 program <b>nsupdate</b> is provided in the examples
3020 directory of the Samba source code. </p></dd><dt><span class="term"><a name="WINSPARTNER"></a>wins partner (G)</span></dt><dd><p>A space separated list of partners' IP addresses for
3021 WINS replication. WINS partners are always defined as push/pull
3022 partners as defining only one way WINS replication is unreliable.
3023 WINS replication is currently experimental and unreliable between
3025 </p><p>Default: <b>wins partners = </b></p><p>Example: <b>wins partners = 192.168.0.1 172.16.1.2</b></p></dd><dt><span class="term"><a name="WINSPROXY"></a>wins proxy (G)</span></dt><dd><p>This is a boolean that controls if <a href="nmbd.8.html">nmbd(8)</a> will respond to broadcast name
3026 queries on behalf of other hosts. You may need to set this
3027 to <tt>yes</tt> for some older clients.</p><p>Default: <b>wins proxy = no</b></p></dd><dt><span class="term"><a name="WINSSERVER"></a>wins server (G)</span></dt><dd><p>This specifies the IP address (or DNS name: IP
3028 address for preference) of the WINS server that <a href="nmbd.8.html">nmbd(8)</a> should register with. If you have a WINS server on
3029 your network then you should set this to the WINS server's IP.</p><p>You should point this at your WINS server if you have a
3030 multi-subnetted network.</p><p>If you want to work in multiple namespaces, you can
3031 give every wins server a 'tag'. For each tag, only one
3032 (working) server will be queried for a name. The tag should be
3033 seperated from the ip address by a colon.
3034 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You need to set up Samba to point
3035 to a WINS server if you have multiple subnets and wish cross-subnet
3036 browsing to work correctly.</p></div><p>See the documentation file <a href="improved-browsing.html" target="_top">Browsing</a> in the samba howto collection.</p><p>Default: <span class="emphasis"><em>not enabled</em></span></p><p>Example: <b>wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61</b></p><p>For this example when querying a certain name, 192.19.200.1 will
3037 be asked first and if that doesn't respond 192.168.2.61. If either
3038 of those doesn't know the name 192.168.3.199 will be queried.
3039 </p><p>Example: <b>wins server = 192.9.200.1 192.168.2.61</b></p></dd><dt><span class="term"><a name="WINSSUPPORT"></a>wins support (G)</span></dt><dd><p>This boolean controls if the <a href="nmbd.8.html">nmbd(8)</a> process in Samba will act as a WINS server. You should
3040 not set this to <tt>yes</tt> unless you have a multi-subnetted network and
3041 you wish a particular <b>nmbd</b> to be your WINS server.
3042 Note that you should <span class="emphasis"><em>NEVER</em></span> set this to <tt>yes</tt>
3043 on more than one machine in your network.</p><p>Default: <b>wins support = no</b></p></dd><dt><span class="term"><a name="WORKGROUP"></a>workgroup (G)</span></dt><dd><p>This controls what workgroup your server will
3044 appear to be in when queried by clients. Note that this parameter
3045 also controls the Domain name used with
3046 the <a href="#SECURITYEQUALSDOMAIN"><b>security = domain</b></a>
3047 setting.</p><p>Default: <span class="emphasis"><em>set at compile time to WORKGROUP</em></span></p><p>Example: <b>workgroup = MYGROUP</b></p></dd><dt><span class="term"><a name="WRITABLE"></a>writable (S)</span></dt><dd><p>Synonym for <a href="#WRITEABLE"><i><tt>
3048 writeable</tt></i></a> for people who can't spell :-).</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a href="#READONLY">
3049 <i><tt>read only</tt></i></a>.</p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
3050 Samba will create an in-memory cache for each oplocked file
3051 (it does <span class="emphasis"><em>not</em></span> do this for
3052 non-oplocked files). All writes that the client does not request
3053 to be flushed directly to disk will be stored in this cache if possible.
3054 The cache is flushed onto disk when a write comes in whose offset
3055 would not fit into the cache or when the file is closed by the client.
3056 Reads for the file are also served from this cache if the data is stored
3057 within it.</p><p>This cache allows Samba to batch client writes into a more
3058 efficient write size for RAID disks (i.e. writes may be tuned to
3059 be the RAID stripe size) and can improve performance on systems
3060 where the disk subsystem is a bottleneck but there is free
3061 memory for userspace programs.</p><p>The integer parameter specifies the size of this cache
3062 (per oplocked file) in bytes.</p><p>Default: <b>write cache size = 0</b></p><p>Example: <b>write cache size = 262144</b></p><p>for a 256k cache size per file.</p></dd><dt><span class="term"><a name="WRITELIST"></a>write list (S)</span></dt><dd><p>This is a list of users that are given read-write
3063 access to a service. If the connecting user is in this list then
3064 they will be given write access, no matter what the <a href="#READONLY">
3065 <i><tt>read only</tt></i></a>
3066 option is set to. The list can include group names using the
3067 @group syntax.</p><p>Note that if a user is in both the read list and the
3068 write list then they will be given write access.</p><p>See also the <a href="#READLIST"><i><tt>read list
3069 </tt></i></a> option.</p><p>Default: <b>write list = <empty string></b></p><p>Example: <b>write list = admin, root, @staff</b></p></dd><dt><span class="term"><a name="WRITEOK"></a>write ok (S)</span></dt><dd><p>Inverted synonym for <a href="#READONLY">
3070 <i><tt>read only</tt></i></a>.</p></dd><dt><span class="term"><a name="WRITERAW"></a>write raw (G)</span></dt><dd><p>This parameter controls whether or not the server
3071 will support raw write SMB's when transferring data from clients.
3072 You should never need to change this parameter.</p><p>Default: <b>write raw = yes</b></p></dd><dt><span class="term"><a name="WTMPDIRECTORY"></a>wtmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
3073 been configured and compiled with the option <b>
3074 --with-utmp</b>. It specifies a directory pathname that is
3075 used to store the wtmp or wtmpx files (depending on the UNIX system) that
3076 record user connections to a Samba server. The difference with
3077 the utmp directory is the fact that user info is kept after a user
3078 has logged out.</p><p>See also the <a href="#UTMP">
3079 <i><tt>utmp</tt></i></a> parameter. By default this is
3080 not set, meaning the system will use whatever utmp file the
3081 native system is set to use (usually
3082 <tt>/var/run/wtmp</tt> on Linux).</p><p>Default: <span class="emphasis"><em>no wtmp directory</em></span></p><p>Example: <b>wtmp directory = /var/log/wtmp</b></p></dd></dl></div></div><div class="refsect1" lang="en"><h2>WARNINGS</h2><p>Although the configuration file permits service names
3083 to contain spaces, your client software may not. Spaces will
3084 be ignored in comparisons anyway, so it shouldn't be a
3085 problem - but be aware of the possibility.</p><p>On a similar note, many clients - especially DOS clients -
3086 limit service names to eight characters. <a href="smbd.8.html">smbd(8)</a> has no such limitation, but attempts to connect from such
3087 clients will fail if they truncate the service names. For this reason
3088 you should probably keep your service names down to eight characters
3089 in length.</p><p>Use of the [homes] and [printers] special sections make life
3090 for an administrator easy, but the various combinations of default
3091 attributes can be tricky. Take extreme care when designing these
3092 sections. In particular, ensure that the permissions on spool
3093 directories are correct.</p></div><div class="refsect1" lang="en"><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><h2>SEE ALSO</h2><p>
3094 <a href="samba.7.html">samba(7)</a>, <a href="smbpasswd.8.html">smbpasswd(8)</a>, <a href="swat.8.html">swat(8)</a>, <a href="smbd.8.html">smbd(8)</a>, <a href="nmbd.8.html">nmbd(8)</a>, <a href="smbclient.1.html">smbclient(1)</a>, <a href="nmblookup.1.html">nmblookup(1)</a>, <a href="testparm.1.html">testparm(1)</a>, <a href="testprns.1.html">testprns(1)</a>.</p></div><div class="refsect1" lang="en"><h2>AUTHOR</h2><p>The original Samba software and related utilities
3095 were created by Andrew Tridgell. Samba is now developed
3096 by the Samba Team as an Open Source project similar
3097 to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer.
3098 The man page sources were converted to YODL format (another
3099 excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top">
3100 ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0
3101 release by Jeremy Allison. The conversion to DocBook for
3102 Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
3103 for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html>