1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb.conf</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smb.conf.5"></a><div class="titlepage"><div></div><div></div></div><div class="refnamediv"><h2>Name</h2><p>smb.conf — The configuration file for the Samba suite</p></div><div class="refsect1" lang="en"><h2>SYNOPSIS</h2><p>The <tt class="filename">smb.conf</tt> file is a configuration
2 file for the Samba suite. <tt class="filename">smb.conf</tt> contains
3 runtime configuration information for the Samba programs. The <tt class="filename">smb.conf</tt> file
4 is designed to be configured and administered by the <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> program. The complete
5 description of the file format and possible parameters held within
6 are here for reference purposes.</p></div><div class="refsect1" lang="en"><a name="FILEFORMATSECT"></a><h2>FILE FORMAT</h2><p>The file consists of sections and parameters. A section
7 begins with the name of the section in square brackets and continues
8 until the next section begins. Sections contain parameters of the
9 form</p><p><i class="replaceable"><tt>name</tt></i> = <i class="replaceable"><tt>value
10 </tt></i></p><p>The file is line-based - that is, each newline-terminated
11 line represents either a comment, a section name or a parameter.</p><p>Section and parameter names are not case sensitive.</p><p>Only the first equals sign in a parameter is significant.
12 Whitespace before or after the first equals sign is discarded.
13 Leading, trailing and internal whitespace in section and parameter
14 names is irrelevant. Leading and trailing whitespace in a parameter
15 value is discarded. Internal whitespace within a parameter value
16 is retained verbatim.</p><p>Any line beginning with a semicolon (';') or a hash ('#')
17 character is ignored, as are lines containing only whitespace.</p><p>Any line ending in a '\' is continued
18 on the next line in the customary UNIX fashion.</p><p>The values following the equals sign in parameters are all
19 either a string (no quotes needed) or a boolean, which may be given
20 as yes/no, 0/1 or true/false. Case is not significant in boolean
21 values, but is preserved in string values. Some items such as
22 create modes are numeric.</p></div><div class="refsect1" lang="en"><h2>SECTION DESCRIPTIONS</h2><p>Each section in the configuration file (except for the
23 [global] section) describes a shared resource (known
24 as a "share"). The section name is the name of the
25 shared resource and the parameters within the section define
26 the shares attributes.</p><p>There are three special sections, [global],
27 [homes] and [printers], which are
28 described under <span class="emphasis"><em>special sections</em></span>. The
29 following notes apply to ordinary section descriptions.</p><p>A share consists of a directory to which access is being
30 given plus a description of the access rights which are granted
31 to the user of the service. Some housekeeping options are
32 also specifiable.</p><p>Sections are either file share services (used by the
33 client as an extension of their native file systems) or
34 printable services (used by the client to access print services
35 on the host running the server).</p><p>Sections may be designated <span class="emphasis"><em>guest</em></span> services,
36 in which case no password is required to access them. A specified
37 UNIX <span class="emphasis"><em>guest account</em></span> is used to define access
38 privileges in this case.</p><p>Sections other than guest services will require a password
39 to access them. The client provides the username. As older clients
40 only provide passwords and not usernames, you may specify a list
41 of usernames to check against the password using the "user ="
42 option in the share definition. For modern clients such as
43 Windows 95/98/ME/NT/2000, this should not be necessary.</p><p>Note that the access rights granted by the server are
44 masked by the access rights granted to the specified or guest
45 UNIX user by the host system. The server does not grant more
46 access than the host system grants.</p><p>The following sample section defines a file space share.
47 The user has write access to the path <tt class="filename">/home/bar</tt>.
48 The share is accessed via the share name "foo":</p><pre class="screen">
49 <tt class="computeroutput">
54 </pre><p>The following sample section defines a printable share.
55 The share is readonly, but printable. That is, the only write
56 access permitted is via calls to open, write to and close a
57 spool file. The <span class="emphasis"><em>guest ok</em></span> parameter means
58 access will be permitted as the default guest user (specified
59 elsewhere):</p><pre class="screen">
60 <tt class="computeroutput">
62 path = /usr/spool/public
67 </pre></div><div class="refsect1" lang="en"><h2>SPECIAL SECTIONS</h2><div class="refsect2" lang="en"><h3>The [global] section</h3><p>parameters in this section apply to the server
68 as a whole, or are defaults for sections which do not
69 specifically define certain items. See the notes
70 under PARAMETERS for more information.</p></div><div class="refsect2" lang="en"><a name="HOMESECT"></a><h3>The [homes] section</h3><p>If a section called homes is included in the
71 configuration file, services connecting clients to their
72 home directories can be created on the fly by the server.</p><p>When the connection request is made, the existing
73 sections are scanned. If a match is found, it is used. If no
74 match is found, the requested section name is treated as a
75 user name and looked up in the local password file. If the
76 name exists and the correct password has been given, a share is
77 created by cloning the [homes] section.</p><p>Some modifications are then made to the newly
78 created share:</p><div class="itemizedlist"><ul type="disc"><li><p>The share name is changed from homes to
79 the located username.</p></li><li><p>If no path was given, the path is set to
80 the user's home directory.</p></li></ul></div><p>If you decide to use a <span class="emphasis"><em>path =</em></span> line
81 in your [homes] section then you may find it useful
82 to use the %S macro. For example :</p><p><b class="userinput"><tt>path = /data/pchome/%S</tt></b></p><p>would be useful if you have different home directories
83 for your PCs than for UNIX access.</p><p>This is a fast and simple way to give a large number
84 of clients access to their home directories with a minimum
85 of fuss.</p><p>A similar process occurs if the requested section
86 name is "homes", except that the share name is not
87 changed to that of the requesting user. This method of using
88 the [homes] section works well if different users share
89 a client PC.</p><p>The [homes] section can specify all the parameters
90 a normal service section can specify, though some make more sense
91 than others. The following is a typical and suitable [homes]
92 section:</p><pre class="screen">
93 <tt class="computeroutput">
97 </pre><p>An important point is that if guest access is specified
98 in the [homes] section, all home directories will be
99 visible to all clients <span class="emphasis"><em>without a password</em></span>.
100 In the very unlikely event that this is actually desirable, it
101 would be wise to also specify <span class="emphasis"><em>read only
102 access</em></span>.</p><p>Note that the <span class="emphasis"><em>browseable</em></span> flag for
103 auto home directories will be inherited from the global browseable
104 flag, not the [homes] browseable flag. This is useful as
105 it means setting <span class="emphasis"><em>browseable = no</em></span> in
106 the [homes] section will hide the [homes] share but make
107 any auto home directories visible.</p></div><div class="refsect2" lang="en"><a name="PRINTERSSECT"></a><h3>The [printers] section</h3><p>This section works like [homes],
108 but for printers.</p><p>If a [printers] section occurs in the
109 configuration file, users are able to connect to any printer
110 specified in the local host's printcap file.</p><p>When a connection request is made, the existing sections
111 are scanned. If a match is found, it is used. If no match is found,
112 but a [homes] section exists, it is used as described
113 above. Otherwise, the requested section name is treated as a
114 printer name and the appropriate printcap file is scanned to see
115 if the requested section name is a valid printer share name. If
116 a match is found, a new printer share is created by cloning
117 the [printers] section.</p><p>A few modifications are then made to the newly created
118 share:</p><div class="itemizedlist"><ul type="disc"><li><p>The share name is set to the located printer
119 name</p></li><li><p>If no printer name was given, the printer name
120 is set to the located printer name</p></li><li><p>If the share does not permit guest access and
121 no username was given, the username is set to the located
122 printer name.</p></li></ul></div><p>Note that the [printers] service MUST be
123 printable - if you specify otherwise, the server will refuse
124 to load the configuration file.</p><p>Typically the path specified would be that of a
125 world-writeable spool directory with the sticky bit set on
126 it. A typical [printers] entry would look like
127 this:</p><pre class="screen"><tt class="computeroutput">
129 path = /usr/spool/public
132 </tt></pre><p>All aliases given for a printer in the printcap file
133 are legitimate printer names as far as the server is concerned.
134 If your printing subsystem doesn't work like that, you will have
135 to set up a pseudo-printcap. This is a file consisting of one or
136 more lines like this:</p><pre class="screen">
137 <tt class="computeroutput">
138 alias|alias|alias|alias...
140 </pre><p>Each alias should be an acceptable printer name for
141 your printing subsystem. In the [global] section, specify
142 the new file as your printcap. The server will then only recognize
143 names found in your pseudo-printcap, which of course can contain
144 whatever aliases you like. The same technique could be used
145 simply to limit access to a subset of your local printers.</p><p>An alias, by the way, is defined as any component of the
146 first entry of a printcap record. Records are separated by newlines,
147 components (if there are more than one) are separated by vertical
148 bar symbols ('|').</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>On SYSV systems which use lpstat to determine what
149 printers are defined on the system you may be able to use
150 "printcap name = lpstat" to automatically obtain a list
151 of printers. See the "printcap name" option
152 for more details.</p></div></div></div><div class="refsect1" lang="en"><h2>PARAMETERS</h2><p>parameters define the specific attributes of sections.</p><p>Some parameters are specific to the [global] section
153 (e.g., <span class="emphasis"><em>security</em></span>). Some parameters are usable
154 in all sections (e.g., <span class="emphasis"><em>create mode</em></span>). All others
155 are permissible only in normal sections. For the purposes of the
156 following descriptions the [homes] and [printers]
157 sections will be considered normal. The letter <span class="emphasis"><em>G</em></span>
158 in parentheses indicates that a parameter is specific to the
159 [global] section. The letter <span class="emphasis"><em>S</em></span>
160 indicates that a parameter can be specified in a service specific
161 section. Note that all <span class="emphasis"><em>S</em></span> parameters can also be specified in
162 the [global] section - in which case they will define
163 the default behavior for all services.</p><p>parameters are arranged here in alphabetical order - this may
164 not create best bedfellows, but at least you can find them! Where
165 there are synonyms, the preferred synonym is described, others refer
166 to the preferred synonym.</p></div><div class="refsect1" lang="en"><h2>VARIABLE SUBSTITUTIONS</h2><p>Many of the strings that are settable in the config file
167 can take substitutions. For example the option "path =
168 /tmp/%u" would be interpreted as "path =
169 /tmp/john" if the user connected with the username john.</p><p>These substitutions are mostly noted in the descriptions below,
170 but there are some general substitutions which apply whenever they
171 might be relevant. These are:</p><div class="variablelist"><dl><dt><span class="term">%U</span></dt><dd><p>session user name (the user name that the client
172 wanted, not necessarily the same as the one they got).</p></dd><dt><span class="term">%G</span></dt><dd><p>primary group name of %U.</p></dd><dt><span class="term">%h</span></dt><dd><p>the Internet hostname that Samba is running
173 on.</p></dd><dt><span class="term">%m</span></dt><dd><p>the NetBIOS name of the client machine
174 (very useful).</p></dd><dt><span class="term">%L</span></dt><dd><p>the NetBIOS name of the server. This allows you
175 to change your config based on what the client calls you. Your
176 server can have a "dual personality".</p><p>Note that this parameter is not available when Samba listens
177 on port 445, as clients no longer send this information </p></dd><dt><span class="term">%M</span></dt><dd><p>the Internet name of the client machine.
178 </p></dd><dt><span class="term">%R</span></dt><dd><p>the selected protocol level after
179 protocol negotiation. It can be one of CORE, COREPLUS,
180 LANMAN1, LANMAN2 or NT1.</p></dd><dt><span class="term">%d</span></dt><dd><p>The process id of the current server
181 process.</p></dd><dt><span class="term">%a</span></dt><dd><p>the architecture of the remote
182 machine. Only some are recognized, and those may not be
183 100% reliable. It currently recognizes Samba, WfWg, Win95,
184 WinNT and Win2k. Anything else will be known as
185 "UNKNOWN". If it gets it wrong then sending a level
186 3 log to <a href="mailto:samba@samba.org" target="_top">samba@samba.org
187 </a> should allow it to be fixed.</p></dd><dt><span class="term">%I</span></dt><dd><p>The IP address of the client machine.</p></dd><dt><span class="term">%T</span></dt><dd><p>the current date and time.</p></dd><dt><span class="term">%D</span></dt><dd><p>Name of the domain or workgroup of the current user.</p></dd><dt><span class="term">%$(<i class="replaceable"><tt>envvar</tt></i>)</span></dt><dd><p>The value of the environment variable
188 <i class="replaceable"><tt>envar</tt></i>.</p></dd></dl></div><p>The following substitutes apply only to some configuration options(only those
189 that are used when a connection has been established):</p><div class="variablelist"><dl><dt><span class="term">%S</span></dt><dd><p>the name of the current service, if any.</p></dd><dt><span class="term">%P</span></dt><dd><p>the root directory of the current service,
190 if any.</p></dd><dt><span class="term">%u</span></dt><dd><p>user name of the current service, if any.</p></dd><dt><span class="term">%g</span></dt><dd><p>primary group name of %u.</p></dd><dt><span class="term">%H</span></dt><dd><p>the home directory of the user given
191 by %u.</p></dd><dt><span class="term">%N</span></dt><dd><p>the name of your NIS home directory server.
192 This is obtained from your NIS auto.map entry. If you have
193 not compiled Samba with the <span class="emphasis"><em>--with-automount</em></span>
194 option then this value will be the same as %L.</p></dd><dt><span class="term">%p</span></dt><dd><p>the path of the service's home directory,
195 obtained from your NIS auto.map entry. The NIS auto.map entry
196 is split up as "%N:%p".</p></dd></dl></div><p>There are some quite creative things that can be done
197 with these substitutions and other smb.conf options.</p></div><div class="refsect1" lang="en"><a name="NAMEMANGLINGSECT"></a><h2>NAME MANGLING</h2><p>Samba supports "name mangling" so that DOS and
198 Windows clients can use files that don't conform to the 8.3 format.
199 It can also be set to adjust the case of 8.3 format filenames.</p><p>There are several options that control the way mangling is
200 performed, and they are grouped here rather than listed separately.
201 For the defaults look at the output of the testparm program. </p><p>All of these options can be set separately for each service
202 (or globally, of course). </p><p>The options are: </p><div class="variablelist"><dl><dt><span class="term">mangle case = yes/no</span></dt><dd><p> controls if names that have characters that
203 aren't of the "default" case are mangled. For example,
204 if this is yes then a name like "Mail" would be mangled.
205 Default <span class="emphasis"><em>no</em></span>.</p></dd><dt><span class="term">case sensitive = yes/no</span></dt><dd><p>controls whether filenames are case sensitive. If
206 they aren't then Samba must do a filename search and match on passed
207 names. Default <span class="emphasis"><em>no</em></span>.</p></dd><dt><span class="term">default case = upper/lower</span></dt><dd><p>controls what the default case is for new
208 filenames. Default <span class="emphasis"><em>lower</em></span>.</p></dd><dt><span class="term">preserve case = yes/no</span></dt><dd><p>controls if new files are created with the
209 case that the client passes, or if they are forced to be the
210 "default" case. Default <span class="emphasis"><em>yes</em></span>.
211 </p></dd><dt><span class="term">short preserve case = yes/no</span></dt><dd><p>controls if new files which conform to 8.3 syntax,
212 that is all in upper case and of suitable length, are created
213 upper case, or if they are forced to be the "default"
214 case. This option can be use with "preserve case = yes"
215 to permit long filenames to retain their case, while short names
216 are lowercased. Default <span class="emphasis"><em>yes</em></span>.</p></dd></dl></div><p>By default, Samba 3.0 has the same semantics as a Windows
217 NT server, in that it is case insensitive but case preserving.</p></div><div class="refsect1" lang="en"><a name="VALIDATIONSECT"></a><h2>NOTE ABOUT USERNAME/PASSWORD VALIDATION</h2><p>There are a number of ways in which a user can connect
218 to a service. The server uses the following steps in determining
219 if it will allow a connection to a specified service. If all the
220 steps fail, then the connection request is rejected. However, if one of the
221 steps succeeds, then the following steps are not checked.</p><p>If the service is marked "guest only = yes" and the
222 server is running with share-level security ("security = share")
223 then steps 1 to 5 are skipped.</p><div class="orderedlist"><ol type="1"><li><p>If the client has passed a username/password
224 pair and that username/password pair is validated by the UNIX
225 system's password programs then the connection is made as that
226 username. Note that this includes the
227 \\server\service%<i class="replaceable"><tt>username</tt></i> method of passing
228 a username.</p></li><li><p>If the client has previously registered a username
229 with the system and now supplies a correct password for that
230 username then the connection is allowed.</p></li><li><p>The client's NetBIOS name and any previously
231 used user names are checked against the supplied password, if
232 they match then the connection is allowed as the corresponding
233 user.</p></li><li><p>If the client has previously validated a
234 username/password pair with the server and the client has passed
235 the validation token then that username is used. </p></li><li><p>If a "user = " field is given in the
236 <tt class="filename">smb.conf</tt> file for the service and the client
237 has supplied a password, and that password matches (according to
238 the UNIX system's password checking) with one of the usernames
239 from the "user =" field then the connection is made as
240 the username in the "user =" line. If one
241 of the username in the "user =" list begins with a
242 '@' then that name expands to a list of names in
243 the group of the same name.</p></li><li><p>If the service is a guest service then a
244 connection is made as the username given in the "guest
245 account =" for the service, irrespective of the
246 supplied password.</p></li></ol></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF GLOBAL PARAMETERS</h2><p>Here is a list of all global parameters. See the section of
247 each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ABORTSHUTDOWNSCRIPT"><i class="parameter"><tt>abort shutdown script</tt></i></a></p></li><li><p><a href="#ADDGROUPSCRIPT"><i class="parameter"><tt>add group script</tt></i></a></p></li><li><p><a href="#ADDMACHINESCRIPT"><i class="parameter"><tt>add machine script</tt></i></a></p></li><li><p><a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>addprinter command</tt></i></a></p></li><li><p><a href="#ADDSHARECOMMAND"><i class="parameter"><tt>add share command</tt></i></a></p></li><li><p><a href="#ADDUSERSCRIPT"><i class="parameter"><tt>add user script</tt></i></a></p></li><li><p><a href="#ADDUSERTOGROUPSCRIPT"><i class="parameter"><tt>add user to group script</tt></i></a></p></li><li><p><a href="#ALGORITHMICRIDBASE"><i class="parameter"><tt>algorithmic rid base</tt></i></a></p></li><li><p><a href="#ALLOWTRUSTEDDOMAINS"><i class="parameter"><tt>allow trusted domains</tt></i></a></p></li><li><p><a href="#ANNOUNCEAS"><i class="parameter"><tt>announce as</tt></i></a></p></li><li><p><a href="#ANNOUNCEVERSION"><i class="parameter"><tt>announce version</tt></i></a></p></li><li><p><a href="#AUTHMETHODS"><i class="parameter"><tt>auth methods</tt></i></a></p></li><li><p><a href="#AUTOSERVICES"><i class="parameter"><tt>auto services</tt></i></a></p></li><li><p><a href="#BINDINTERFACESONLY"><i class="parameter"><tt>bind interfaces only</tt></i></a></p></li><li><p><a href="#BROWSELIST"><i class="parameter"><tt>browse list</tt></i></a></p></li><li><p><a href="#CHANGENOTIFYTIMEOUT"><i class="parameter"><tt>change notify timeout</tt></i></a></p></li><li><p><a href="#CHANGESHARECOMMAND"><i class="parameter"><tt>change share command</tt></i></a></p></li><li><p><a href="#CLIENTUSESPNEGO"><i class="parameter"><tt>client use spnego</tt></i></a></p></li><li><p><a href="#CONFIGFILE"><i class="parameter"><tt>config file</tt></i></a></p></li><li><p><a href="#DEADTIME"><i class="parameter"><tt>dead time</tt></i></a></p></li><li><p><a href="#DEBUGHIRESTIMESTAMP"><i class="parameter"><tt>debug hires timestamp</tt></i></a></p></li><li><p><a href="#DEBUGLEVEL"><i class="parameter"><tt>debug level</tt></i></a></p></li><li><p><a href="#DEBUGPID"><i class="parameter"><tt>debug pid</tt></i></a></p></li><li><p><a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>debug timestamp</tt></i></a></p></li><li><p><a href="#DEBUGUID"><i class="parameter"><tt>debug uid</tt></i></a></p></li><li><p><a href="#DEFAULT"><i class="parameter"><tt>default</tt></i></a></p></li><li><p><a href="#DEFAULTSERVICE"><i class="parameter"><tt>default service</tt></i></a></p></li><li><p><a href="#DELETEGROUPSCRIPT"><i class="parameter"><tt>delete group script</tt></i></a></p></li><li><p><a href="#DELETEPRINTERCOMMAND"><i class="parameter"><tt>deleteprinter command</tt></i></a></p></li><li><p><a href="#DELETESHARECOMMAND"><i class="parameter"><tt>delete share command</tt></i></a></p></li><li><p><a href="#DELETEUSERFROMGROUPSCRIPT"><i class="parameter"><tt>delete user from group script</tt></i></a></p></li><li><p><a href="#DELETEUSERSCRIPT"><i class="parameter"><tt>delete user script</tt></i></a></p></li><li><p><a href="#DFREECOMMAND"><i class="parameter"><tt>dfree command</tt></i></a></p></li><li><p><a href="#DISABLENETBIOS"><i class="parameter"><tt>disable netbios</tt></i></a></p></li><li><p><a href="#DISABLESPOOLSS"><i class="parameter"><tt>disable spoolss</tt></i></a></p></li><li><p><a href="#DISPLAYCHARSET"><i class="parameter"><tt>display charset</tt></i></a></p></li><li><p><a href="#DNSPROXY"><i class="parameter"><tt>dns proxy</tt></i></a></p></li><li><p><a href="#DOMAINLOGONS"><i class="parameter"><tt>domain logons</tt></i></a></p></li><li><p><a href="#DOMAINMASTER"><i class="parameter"><tt>domain master</tt></i></a></p></li><li><p><a href="#DOSCHARSET"><i class="parameter"><tt>dos charset</tt></i></a></p></li><li><p><a href="#ENCRYPTPASSWORDS"><i class="parameter"><tt>encrypt passwords</tt></i></a></p></li><li><p><a href="#ENHANCEDBROWSING"><i class="parameter"><tt>enhanced browsing</tt></i></a></p></li><li><p><a href="#ENUMPORTSCOMMAND"><i class="parameter"><tt>enumports command</tt></i></a></p></li><li><p><a href="#GETWDCACHE"><i class="parameter"><tt>getwd cache</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i class="parameter"><tt>guest account</tt></i></a></p></li><li><p><a href="#HIDELOCALUSERS"><i class="parameter"><tt>hide local users</tt></i></a></p></li><li><p><a href="#HOMEDIRMAP"><i class="parameter"><tt>homedir map</tt></i></a></p></li><li><p><a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a></p></li><li><p><a href="#HOSTNAMELOOKUPS"><i class="parameter"><tt>hostname lookups</tt></i></a></p></li><li><p><a href="#HOSTSEQUIV"><i class="parameter"><tt>hosts equiv</tt></i></a></p></li><li><p><a href="#IDMAPGID"><i class="parameter"><tt>idmap gid</tt></i></a></p></li><li><p><a href="#IDMAPUID"><i class="parameter"><tt>idmap uid</tt></i></a></p></li><li><p><a href="#INCLUDE"><i class="parameter"><tt>include</tt></i></a></p></li><li><p><a href="#INTERFACES"><i class="parameter"><tt>interfaces</tt></i></a></p></li><li><p><a href="#KEEPALIVE"><i class="parameter"><tt>keepalive</tt></i></a></p></li><li><p><a href="#KERNELOPLOCKS"><i class="parameter"><tt>kernel oplocks</tt></i></a></p></li><li><p><a href="#LANMANAUTH"><i class="parameter"><tt>lanman auth</tt></i></a></p></li><li><p><a href="#LARGEREADWRITE"><i class="parameter"><tt>large readwrite</tt></i></a></p></li><li><p><a href="#LDAPADMINDN"><i class="parameter"><tt>ldap admin dn</tt></i></a></p></li><li><p><a href="#LDAPDELETEDN"><i class="parameter"><tt>ldap delete dn</tt></i></a></p></li><li><p><a href="#LDAPFILTER"><i class="parameter"><tt>ldap filter</tt></i></a></p></li><li><p><a href="#LDAPMACHINESUFFIX"><i class="parameter"><tt>ldap machine suffix</tt></i></a></p></li><li><p><a href="#LDAPPASSWDSYNC"><i class="parameter"><tt>ldap passwd sync</tt></i></a></p></li><li><p><a href="#LDAPPORT"><i class="parameter"><tt>ldap port</tt></i></a></p></li><li><p><a href="#LDAPSERVER"><i class="parameter"><tt>ldap server</tt></i></a></p></li><li><p><a href="#LDAPSSL"><i class="parameter"><tt>ldap ssl</tt></i></a></p></li><li><p><a href="#LDAPSUFFIX"><i class="parameter"><tt>ldap suffix</tt></i></a></p></li><li><p><a href="#LDAPTRUSTIDS"><i class="parameter"><tt>ldap trust ids</tt></i></a></p></li><li><p><a href="#LDAPUSERSUFFIX"><i class="parameter"><tt>ldap user suffix</tt></i></a></p></li><li><p><a href="#LMANNOUNCE"><i class="parameter"><tt>lm announce</tt></i></a></p></li><li><p><a href="#LMINTERVAL"><i class="parameter"><tt>lm interval</tt></i></a></p></li><li><p><a href="#LOADPRINTERS"><i class="parameter"><tt>load printers</tt></i></a></p></li><li><p><a href="#LOCALMASTER"><i class="parameter"><tt>local master</tt></i></a></p></li><li><p><a href="#LOCKDIR"><i class="parameter"><tt>lock dir</tt></i></a></p></li><li><p><a href="#LOCKDIRECTORY"><i class="parameter"><tt>lock directory</tt></i></a></p></li><li><p><a href="#LOCKSPINCOUNT"><i class="parameter"><tt>lock spin count</tt></i></a></p></li><li><p><a href="#LOCKSPINTIME"><i class="parameter"><tt>lock spin time</tt></i></a></p></li><li><p><a href="#LOGFILE"><i class="parameter"><tt>log file</tt></i></a></p></li><li><p><a href="#LOGLEVEL"><i class="parameter"><tt>log level</tt></i></a></p></li><li><p><a href="#LOGONDRIVE"><i class="parameter"><tt>logon drive</tt></i></a></p></li><li><p><a href="#LOGONHOME"><i class="parameter"><tt>logon home</tt></i></a></p></li><li><p><a href="#LOGONPATH"><i class="parameter"><tt>logon path</tt></i></a></p></li><li><p><a href="#LOGONSCRIPT"><i class="parameter"><tt>logon script</tt></i></a></p></li><li><p><a href="#LPQCACHETIME"><i class="parameter"><tt>lpq cache time</tt></i></a></p></li><li><p><a href="#MACHINEPASSWORDTIMEOUT"><i class="parameter"><tt>machine password timeout</tt></i></a></p></li><li><p><a href="#MANGLINGSTACK"><i class="parameter"><tt>mangling stack</tt></i></a></p></li><li><p><a href="#MANGLINGPREFIX"><i class="parameter"><tt>mangling prefix</tt></i></a></p></li><li><p><a href="#MANGLINGMETHOD"><i class="parameter"><tt>mangling method</tt></i></a></p></li><li><p><a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i></a></p></li><li><p><a href="#MAXDISKSIZE"><i class="parameter"><tt>max disk size</tt></i></a></p></li><li><p><a href="#MAXLOGSIZE"><i class="parameter"><tt>max log size</tt></i></a></p></li><li><p><a href="#MAXMUX"><i class="parameter"><tt>max mux</tt></i></a></p></li><li><p><a href="#MAXOPENFILES"><i class="parameter"><tt>max open files</tt></i></a></p></li><li><p><a href="#MAXPROTOCOL"><i class="parameter"><tt>max protocol</tt></i></a></p></li><li><p><a href="#MAXSMBDPROCESSES"><i class="parameter"><tt>max smbd processes</tt></i></a></p></li><li><p><a href="#MAXTTL"><i class="parameter"><tt>max ttl</tt></i></a></p></li><li><p><a href="#MAXWINSTTL"><i class="parameter"><tt>max wins ttl</tt></i></a></p></li><li><p><a href="#MAXXMIT"><i class="parameter"><tt>max xmit</tt></i></a></p></li><li><p><a href="#MESSAGECOMMAND"><i class="parameter"><tt>message command</tt></i></a></p></li><li><p><a href="#MINPASSWDLENGTH"><i class="parameter"><tt>min passwd length</tt></i></a></p></li><li><p><a href="#MINPASSWORDLENGTH"><i class="parameter"><tt>min password length</tt></i></a></p></li><li><p><a href="#MINPROTOCOL"><i class="parameter"><tt>min protocol</tt></i></a></p></li><li><p><a href="#MINWINSTTL"><i class="parameter"><tt>min wins ttl</tt></i></a></p></li><li><p><a href="#NAMECACHETIMEOUT"><i class="parameter"><tt>name cache timeout</tt></i></a></p></li><li><p><a href="#NAMERESOLVEORDER"><i class="parameter"><tt>name resolve order</tt></i></a></p></li><li><p><a href="#NETBIOSALIASES"><i class="parameter"><tt>netbios aliases</tt></i></a></p></li><li><p><a href="#NETBIOSNAME"><i class="parameter"><tt>netbios name</tt></i></a></p></li><li><p><a href="#NETBIOSSCOPE"><i class="parameter"><tt>netbios scope</tt></i></a></p></li><li><p><a href="#NISHOMEDIR"><i class="parameter"><tt>nis homedir</tt></i></a></p></li><li><p><a href="#NONUNIXACCOUNTRANGE"><i class="parameter"><tt>non unix account range</tt></i></a></p></li><li><p><a href="#NTLMAUTH"><i class="parameter"><tt>ntlm auth</tt></i></a></p></li><li><p><a href="#NTPIPESUPPORT"><i class="parameter"><tt>nt pipe support</tt></i></a></p></li><li><p><a href="#NTSTATUSSUPPORT"><i class="parameter"><tt>nt status support</tt></i></a></p></li><li><p><a href="#NULLPASSWORDS"><i class="parameter"><tt>null passwords</tt></i></a></p></li><li><p><a href="#OBEYPAMRESTRICTIONS"><i class="parameter"><tt>obey pam restrictions</tt></i></a></p></li><li><p><a href="#OPLOCKBREAKWAITTIME"><i class="parameter"><tt>oplock break wait time</tt></i></a></p></li><li><p><a href="#OS2DRIVERMAP"><i class="parameter"><tt>os2 driver map</tt></i></a></p></li><li><p><a href="#OSLEVEL"><i class="parameter"><tt>os level</tt></i></a></p></li><li><p><a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam password change</tt></i></a></p></li><li><p><a href="#PANICACTION"><i class="parameter"><tt>panic action</tt></i></a></p></li><li><p><a href="#PARANOIDSERVERSECURITY"><i class="parameter"><tt>paranoid server security</tt></i></a></p></li><li><p><a href="#PASSDBBACKEND"><i class="parameter"><tt>passdb backend</tt></i></a></p></li><li><p><a href="#PASSWDCHAT"><i class="parameter"><tt>passwd chat</tt></i></a></p></li><li><p><a href="#PASSWDCHATDEBUG"><i class="parameter"><tt>passwd chat debug</tt></i></a></p></li><li><p><a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i></a></p></li><li><p><a href="#PASSWORDLEVEL"><i class="parameter"><tt>password level</tt></i></a></p></li><li><p><a href="#PASSWORDSERVER"><i class="parameter"><tt>password server</tt></i></a></p></li><li><p><a href="#PIDDIRECTORY"><i class="parameter"><tt>pid directory</tt></i></a></p></li><li><p><a href="#PREFEREDMASTER"><i class="parameter"><tt>prefered master</tt></i></a></p></li><li><p><a href="#PREFERREDMASTER"><i class="parameter"><tt>preferred master</tt></i></a></p></li><li><p><a href="#PRELOAD"><i class="parameter"><tt>preload</tt></i></a></p></li><li><p><a href="#PRELOADMODULES"><i class="parameter"><tt>preload modules</tt></i></a></p></li><li><p><a href="#PRINTCAP"><i class="parameter"><tt>printcap</tt></i></a></p></li><li><p><a href="#PRIVATEDIR"><i class="parameter"><tt>private dir</tt></i></a></p></li><li><p><a href="#PROTOCOL"><i class="parameter"><tt>protocol</tt></i></a></p></li><li><p><a href="#READBMPX"><i class="parameter"><tt>read bmpx</tt></i></a></p></li><li><p><a href="#READRAW"><i class="parameter"><tt>read raw</tt></i></a></p></li><li><p><a href="#READSIZE"><i class="parameter"><tt>read size</tt></i></a></p></li><li><p><a href="#REALM"><i class="parameter"><tt>realm</tt></i></a></p></li><li><p><a href="#REMOTEANNOUNCE"><i class="parameter"><tt>remote announce</tt></i></a></p></li><li><p><a href="#REMOTEBROWSESYNC"><i class="parameter"><tt>remote browse sync</tt></i></a></p></li><li><p><a href="#RESTRICTANONYMOUS"><i class="parameter"><tt>restrict anonymous</tt></i></a></p></li><li><p><a href="#ROOT"><i class="parameter"><tt>root</tt></i></a></p></li><li><p><a href="#ROOTDIR"><i class="parameter"><tt>root dir</tt></i></a></p></li><li><p><a href="#ROOTDIRECTORY"><i class="parameter"><tt>root directory</tt></i></a></p></li><li><p><a href="#SECURITY"><i class="parameter"><tt>security</tt></i></a></p></li><li><p><a href="#SERVERSCHANNEL"><i class="parameter"><tt>server schannel</tt></i></a></p></li><li><p><a href="#SERVERSTRING"><i class="parameter"><tt>server string</tt></i></a></p></li><li><p><a href="#SETPRIMARYGROUPSCRIPT"><i class="parameter"><tt>set primary group script</tt></i></a></p></li><li><p><a href="#SHOWADDPRINTERWIZARD"><i class="parameter"><tt>show add printer wizard</tt></i></a></p></li><li><p><a href="#SHUTDOWNSCRIPT"><i class="parameter"><tt>shutdown script</tt></i></a></p></li><li><p><a href="#SMBPASSWDFILE"><i class="parameter"><tt>smb passwd file</tt></i></a></p></li><li><p><a href="#SMBPORTS"><i class="parameter"><tt>smb ports</tt></i></a></p></li><li><p><a href="#SOCKETADDRESS"><i class="parameter"><tt>socket address</tt></i></a></p></li><li><p><a href="#SOCKETOPTIONS"><i class="parameter"><tt>socket options</tt></i></a></p></li><li><p><a href="#SOURCEENVIRONMENT"><i class="parameter"><tt>source environment</tt></i></a></p></li><li><p><a href="#STATCACHE"><i class="parameter"><tt>stat cache</tt></i></a></p></li><li><p><a href="#STATCACHESIZE"><i class="parameter"><tt>stat cache size</tt></i></a></p></li><li><p><a href="#STRIPDOT"><i class="parameter"><tt>strip dot</tt></i></a></p></li><li><p><a href="#SYSLOG"><i class="parameter"><tt>syslog</tt></i></a></p></li><li><p><a href="#SYSLOGONLY"><i class="parameter"><tt>syslog only</tt></i></a></p></li><li><p><a href="#TEMPLATEHOMEDIR"><i class="parameter"><tt>template homedir</tt></i></a></p></li><li><p><a href="#TEMPLATESHELL"><i class="parameter"><tt>template shell</tt></i></a></p></li><li><p><a href="#TIMEOFFSET"><i class="parameter"><tt>time offset</tt></i></a></p></li><li><p><a href="#TIMESERVER"><i class="parameter"><tt>time server</tt></i></a></p></li><li><p><a href="#TIMESTAMPLOGS"><i class="parameter"><tt>timestamp logs</tt></i></a></p></li><li><p><a href="#TOTALPRINTJOBS"><i class="parameter"><tt>total print jobs</tt></i></a></p></li><li><p><a href="#UNICODE"><i class="parameter"><tt>unicode</tt></i></a></p></li><li><p><a href="#UNIXCHARSET"><i class="parameter"><tt>unix charset</tt></i></a></p></li><li><p><a href="#UNIXEXTENSIONS"><i class="parameter"><tt>unix extensions</tt></i></a></p></li><li><p><a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix password sync</tt></i></a></p></li><li><p><a href="#UPDATEENCRYPTED"><i class="parameter"><tt>update encrypted</tt></i></a></p></li><li><p><a href="#USEMMAP"><i class="parameter"><tt>use mmap</tt></i></a></p></li><li><p><a href="#USERNAMELEVEL"><i class="parameter"><tt>username level</tt></i></a></p></li><li><p><a href="#USERNAMEMAP"><i class="parameter"><tt>username map</tt></i></a></p></li><li><p><a href="#USESPNEGO"><i class="parameter"><tt>use spnego</tt></i></a></p></li><li><p><a href="#UTMP"><i class="parameter"><tt>utmp</tt></i></a></p></li><li><p><a href="#UTMPDIRECTORY"><i class="parameter"><tt>utmp directory</tt></i></a></p></li><li><p><a href="#WINBINDCACHETIME"><i class="parameter"><tt>winbind cache time</tt></i></a></p></li><li><p><a href="#WINBINDENUMGROUPS"><i class="parameter"><tt>winbind enum groups</tt></i></a></p></li><li><p><a href="#WINBINDENUMUSERS"><i class="parameter"><tt>winbind enum users</tt></i></a></p></li><li><p><a href="#WINBINDGID"><i class="parameter"><tt>winbind gid</tt></i></a></p></li><li><p><a href="#WINBINDSEPARATOR"><i class="parameter"><tt>winbind separator</tt></i></a></p></li><li><p><a href="#WINBINDUID"><i class="parameter"><tt>winbind uid</tt></i></a></p></li><li><p><a href="#WINBINDUSEDDEFAULTDOMAIN"><i class="parameter"><tt>winbind used default domain</tt></i></a></p></li><li><p><a href="#WINSHOOK"><i class="parameter"><tt>wins hook</tt></i></a></p></li><li><p><a href="#WINSPARTNER"><i class="parameter"><tt>wins partner</tt></i></a></p></li><li><p><a href="#WINSPROXY"><i class="parameter"><tt>wins proxy</tt></i></a></p></li><li><p><a href="#WINSSERVER"><i class="parameter"><tt>wins server</tt></i></a></p></li><li><p><a href="#WINSSUPPORT"><i class="parameter"><tt>wins support</tt></i></a></p></li><li><p><a href="#WORKGROUP"><i class="parameter"><tt>workgroup</tt></i></a></p></li><li><p><a href="#WRITERAW"><i class="parameter"><tt>write raw</tt></i></a></p></li><li><p><a href="#WTMPDIRECTORY"><i class="parameter"><tt>wtmp directory</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>COMPLETE LIST OF SERVICE PARAMETERS</h2><p>Here is a list of all service parameters. See the section on
248 each parameter for details. Note that some are synonyms.</p><div class="itemizedlist"><ul type="disc"><li><p><a href="#ADMINUSERS"><i class="parameter"><tt>admin users</tt></i></a></p></li><li><p><a href="#ALLOWHOSTS"><i class="parameter"><tt>allow hosts</tt></i></a></p></li><li><p><a href="#AVAILABLE"><i class="parameter"><tt>available</tt></i></a></p></li><li><p><a href="#BLOCKINGLOCKS"><i class="parameter"><tt>blocking locks</tt></i></a></p></li><li><p><a href="#BLOCKSIZE"><i class="parameter"><tt>block size</tt></i></a></p></li><li><p><a href="#BROWSABLE"><i class="parameter"><tt>browsable</tt></i></a></p></li><li><p><a href="#BROWSEABLE"><i class="parameter"><tt>browseable</tt></i></a></p></li><li><p><a href="#CASESENSITIVE"><i class="parameter"><tt>case sensitive</tt></i></a></p></li><li><p><a href="#CASESIGNAMES"><i class="parameter"><tt>casesignames</tt></i></a></p></li><li><p><a href="#COMMENT"><i class="parameter"><tt>comment</tt></i></a></p></li><li><p><a href="#COPY"><i class="parameter"><tt>copy</tt></i></a></p></li><li><p><a href="#CREATEMASK"><i class="parameter"><tt>create mask</tt></i></a></p></li><li><p><a href="#CREATEMODE"><i class="parameter"><tt>create mode</tt></i></a></p></li><li><p><a href="#CSCPOLICY"><i class="parameter"><tt>csc policy</tt></i></a></p></li><li><p><a href="#DEFAULTCASE"><i class="parameter"><tt>default case</tt></i></a></p></li><li><p><a href="#DEFAULTDEVMODE"><i class="parameter"><tt>default devmode</tt></i></a></p></li><li><p><a href="#DELETEREADONLY"><i class="parameter"><tt>delete readonly</tt></i></a></p></li><li><p><a href="#DELETEVETOFILES"><i class="parameter"><tt>delete veto files</tt></i></a></p></li><li><p><a href="#DENYHOSTS"><i class="parameter"><tt>deny hosts</tt></i></a></p></li><li><p><a href="#DIRECTORY"><i class="parameter"><tt>directory</tt></i></a></p></li><li><p><a href="#DIRECTORYMASK"><i class="parameter"><tt>directory mask</tt></i></a></p></li><li><p><a href="#DIRECTORYMODE"><i class="parameter"><tt>directory mode</tt></i></a></p></li><li><p><a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory security mask</tt></i></a></p></li><li><p><a href="#DONTDESCEND"><i class="parameter"><tt>dont descend</tt></i></a></p></li><li><p><a href="#DOSFILEMODE"><i class="parameter"><tt>dos filemode</tt></i></a></p></li><li><p><a href="#DOSFILETIMERESOLUTION"><i class="parameter"><tt>dos filetime resolution</tt></i></a></p></li><li><p><a href="#DOSFILETIMES"><i class="parameter"><tt>dos filetimes</tt></i></a></p></li><li><p><a href="#EXEC"><i class="parameter"><tt>exec</tt></i></a></p></li><li><p><a href="#FAKEDIRECTORYCREATETIMES"><i class="parameter"><tt>fake directory create times</tt></i></a></p></li><li><p><a href="#FAKEOPLOCKS"><i class="parameter"><tt>fake oplocks</tt></i></a></p></li><li><p><a href="#FOLLOWSYMLINKS"><i class="parameter"><tt>follow symlinks</tt></i></a></p></li><li><p><a href="#FORCECREATEMODE"><i class="parameter"><tt>force create mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYMODE"><i class="parameter"><tt>force directory mode</tt></i></a></p></li><li><p><a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt>force directory security mode</tt></i></a></p></li><li><p><a href="#FORCEGROUP"><i class="parameter"><tt>force group</tt></i></a></p></li><li><p><a href="#FORCESECURITYMODE"><i class="parameter"><tt>force security mode</tt></i></a></p></li><li><p><a href="#FORCEUSER"><i class="parameter"><tt>force user</tt></i></a></p></li><li><p><a href="#FSTYPE"><i class="parameter"><tt>fstype</tt></i></a></p></li><li><p><a href="#GROUP"><i class="parameter"><tt>group</tt></i></a></p></li><li><p><a href="#GUESTACCOUNT"><i class="parameter"><tt>guest account</tt></i></a></p></li><li><p><a href="#GUESTOK"><i class="parameter"><tt>guest ok</tt></i></a></p></li><li><p><a href="#GUESTONLY"><i class="parameter"><tt>guest only</tt></i></a></p></li><li><p><a href="#HIDEDOTFILES"><i class="parameter"><tt>hide dot files</tt></i></a></p></li><li><p><a href="#HIDEFILES"><i class="parameter"><tt>hide files</tt></i></a></p></li><li><p><a href="#HIDESPECIALFILES"><i class="parameter"><tt>hide special files</tt></i></a></p></li><li><p><a href="#HIDEUNREADABLE"><i class="parameter"><tt>hide unreadable</tt></i></a></p></li><li><p><a href="#HIDEUNWRITEABLEFILES"><i class="parameter"><tt>hide unwriteable files</tt></i></a></p></li><li><p><a href="#HOSTSALLOW"><i class="parameter"><tt>hosts allow</tt></i></a></p></li><li><p><a href="#HOSTSDENY"><i class="parameter"><tt>hosts deny</tt></i></a></p></li><li><p><a href="#INHERITACLS"><i class="parameter"><tt>inherit acls</tt></i></a></p></li><li><p><a href="#INHERITPERMISSIONS"><i class="parameter"><tt>inherit permissions</tt></i></a></p></li><li><p><a href="#INVALIDUSERS"><i class="parameter"><tt>invalid users</tt></i></a></p></li><li><p><a href="#LEVEL2OPLOCKS"><i class="parameter"><tt>level2 oplocks</tt></i></a></p></li><li><p><a href="#LOCKING"><i class="parameter"><tt>locking</tt></i></a></p></li><li><p><a href="#LPPAUSECOMMAND"><i class="parameter"><tt>lppause command</tt></i></a></p></li><li><p><a href="#LPQCOMMAND"><i class="parameter"><tt>lpq command</tt></i></a></p></li><li><p><a href="#LPRESUMECOMMAND"><i class="parameter"><tt>lpresume command</tt></i></a></p></li><li><p><a href="#LPRMCOMMAND"><i class="parameter"><tt>lprm command</tt></i></a></p></li><li><p><a href="#MAGICOUTPUT"><i class="parameter"><tt>magic output</tt></i></a></p></li><li><p><a href="#MAGICSCRIPT"><i class="parameter"><tt>magic script</tt></i></a></p></li><li><p><a href="#MANGLECASE"><i class="parameter"><tt>mangle case</tt></i></a></p></li><li><p><a href="#MANGLEDMAP"><i class="parameter"><tt>mangled map</tt></i></a></p></li><li><p><a href="#MANGLEDNAMES"><i class="parameter"><tt>mangled names</tt></i></a></p></li><li><p><a href="#MANGLINGCHAR"><i class="parameter"><tt>mangling char</tt></i></a></p></li><li><p><a href="#MAPACLINHERIT"><i class="parameter"><tt>map acl inherit</tt></i></a></p></li><li><p><a href="#MAPARCHIVE"><i class="parameter"><tt>map archive</tt></i></a></p></li><li><p><a href="#MAPHIDDEN"><i class="parameter"><tt>map hidden</tt></i></a></p></li><li><p><a href="#MAPSYSTEM"><i class="parameter"><tt>map system</tt></i></a></p></li><li><p><a href="#MAXCONNECTIONS"><i class="parameter"><tt>max connections</tt></i></a></p></li><li><p><a href="#MAXPRINTJOBS"><i class="parameter"><tt>max print jobs</tt></i></a></p></li><li><p><a href="#MAXREPORTEDPRINTJOBS"><i class="parameter"><tt>max reported print jobs</tt></i></a></p></li><li><p><a href="#MINPRINTSPACE"><i class="parameter"><tt>min print space</tt></i></a></p></li><li><p><a href="#MSDFSPROXY"><i class="parameter"><tt>msdfs proxy</tt></i></a></p></li><li><p><a href="#MSDFSROOT"><i class="parameter"><tt>msdfs root</tt></i></a></p></li><li><p><a href="#NTACLSUPPORT"><i class="parameter"><tt>nt acl support</tt></i></a></p></li><li><p><a href="#ONLYGUEST"><i class="parameter"><tt>only guest</tt></i></a></p></li><li><p><a href="#ONLYUSER"><i class="parameter"><tt>only user</tt></i></a></p></li><li><p><a href="#OPLOCKCONTENTIONLIMIT"><i class="parameter"><tt>oplock contention limit</tt></i></a></p></li><li><p><a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i></a></p></li><li><p><a href="#PATH"><i class="parameter"><tt>path</tt></i></a></p></li><li><p><a href="#POSIXLOCKING"><i class="parameter"><tt>posix locking</tt></i></a></p></li><li><p><a href="#POSTEXEC"><i class="parameter"><tt>postexec</tt></i></a></p></li><li><p><a href="#PREEXEC"><i class="parameter"><tt>preexec</tt></i></a></p></li><li><p><a href="#PREEXECCLOSE"><i class="parameter"><tt>preexec close</tt></i></a></p></li><li><p><a href="#PRESERVECASE"><i class="parameter"><tt>preserve case</tt></i></a></p></li><li><p><a href="#PRINTABLE"><i class="parameter"><tt>printable</tt></i></a></p></li><li><p><a href="#PRINTCAPNAME"><i class="parameter"><tt>printcap name</tt></i></a></p></li><li><p><a href="#PRINTCOMMAND"><i class="parameter"><tt>print command</tt></i></a></p></li><li><p><a href="#PRINTER"><i class="parameter"><tt>printer</tt></i></a></p></li><li><p><a href="#PRINTERADMIN"><i class="parameter"><tt>printer admin</tt></i></a></p></li><li><p><a href="#PRINTERNAME"><i class="parameter"><tt>printer name</tt></i></a></p></li><li><p><a href="#PRINTING"><i class="parameter"><tt>printing</tt></i></a></p></li><li><p><a href="#PRINTOK"><i class="parameter"><tt>print ok</tt></i></a></p></li><li><p><a href="#PUBLIC"><i class="parameter"><tt>public</tt></i></a></p></li><li><p><a href="#QUEUEPAUSECOMMAND"><i class="parameter"><tt>queuepause command</tt></i></a></p></li><li><p><a href="#QUEUERESUMECOMMAND"><i class="parameter"><tt>queueresume command</tt></i></a></p></li><li><p><a href="#READLIST"><i class="parameter"><tt>read list</tt></i></a></p></li><li><p><a href="#READONLY"><i class="parameter"><tt>read only</tt></i></a></p></li><li><p><a href="#ROOTPOSTEXEC"><i class="parameter"><tt>root postexec</tt></i></a></p></li><li><p><a href="#ROOTPREEXEC"><i class="parameter"><tt>root preexec</tt></i></a></p></li><li><p><a href="#ROOTPREEXECCLOSE"><i class="parameter"><tt>root preexec close</tt></i></a></p></li><li><p><a href="#SECURITYMASK"><i class="parameter"><tt>security mask</tt></i></a></p></li><li><p><a href="#SETDIRECTORY"><i class="parameter"><tt>set directory</tt></i></a></p></li><li><p><a href="#SHAREMODES"><i class="parameter"><tt>share modes</tt></i></a></p></li><li><p><a href="#SHORTPRESERVECASE"><i class="parameter"><tt>short preserve case</tt></i></a></p></li><li><p><a href="#STRICTALLOCATE"><i class="parameter"><tt>strict allocate</tt></i></a></p></li><li><p><a href="#STRICTLOCKING"><i class="parameter"><tt>strict locking</tt></i></a></p></li><li><p><a href="#STRICTSYNC"><i class="parameter"><tt>strict sync</tt></i></a></p></li><li><p><a href="#SYNCALWAYS"><i class="parameter"><tt>sync always</tt></i></a></p></li><li><p><a href="#USECLIENTDRIVER"><i class="parameter"><tt>use client driver</tt></i></a></p></li><li><p><a href="#USER"><i class="parameter"><tt>user</tt></i></a></p></li><li><p><a href="#USERNAME"><i class="parameter"><tt>username</tt></i></a></p></li><li><p><a href="#USERS"><i class="parameter"><tt>users</tt></i></a></p></li><li><p><a href="#USESENDFILE"><i class="parameter"><tt>use sendfile</tt></i></a></p></li><li><p><a href="#-VALID"><i class="parameter"><tt>-valid</tt></i></a></p></li><li><p><a href="#VALIDUSERS"><i class="parameter"><tt>valid users</tt></i></a></p></li><li><p><a href="#VETOFILES"><i class="parameter"><tt>veto files</tt></i></a></p></li><li><p><a href="#VETOOPLOCKFILES"><i class="parameter"><tt>veto oplock files</tt></i></a></p></li><li><p><a href="#VFSOBJECT"><i class="parameter"><tt>vfs object</tt></i></a></p></li><li><p><a href="#VFSOBJECTS"><i class="parameter"><tt>vfs objects</tt></i></a></p></li><li><p><a href="#VOLUME"><i class="parameter"><tt>volume</tt></i></a></p></li><li><p><a href="#WIDELINKS"><i class="parameter"><tt>wide links</tt></i></a></p></li><li><p><a href="#WRITABLE"><i class="parameter"><tt>writable</tt></i></a></p></li><li><p><a href="#WRITEABLE"><i class="parameter"><tt>writeable</tt></i></a></p></li><li><p><a href="#WRITECACHESIZE"><i class="parameter"><tt>write cache size</tt></i></a></p></li><li><p><a href="#WRITELIST"><i class="parameter"><tt>write list</tt></i></a></p></li><li><p><a href="#WRITEOK"><i class="parameter"><tt>write ok</tt></i></a></p></li></ul></div></div><div class="refsect1" lang="en"><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p><span class="emphasis"><em>This parameter only exists in the HEAD cvs branch</em></span>
249 This a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that
250 should stop a shutdown procedure issued by the <a href="#SHUTDOWNSCRIPT">
251 <i class="parameter"><tt>shutdown script</tt></i></a>.</p><p>This command will be run as user.</p><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b class="command">abort shutdown script = /sbin/shutdown -c</b></p></dd><dt><span class="term"><a name="ADDGROUPSCRIPT"></a>add group script (G)</span></dt><dd><p>This is the full pathname to a script that will be run
252 <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>
253 when a new group is requested. It will expand any <i class="parameter"><tt>%g</tt></i> to the group name passed. This
254 script is only useful for installations using the Windows NT
255 domain administration tools. The script is free to create a
256 group with an arbitrary name to circumvent unix group name
257 restrictions. In that case the script must print the numeric gid
258 of the created group on stdout.</p></dd><dt><span class="term"><a name="ADDMACHINESCRIPT"></a>add machine script (G)</span></dt><dd><p>This is the full pathname to a script that will be run by
259 <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a machine is added
260 to it's domain using the administrator username and password
261 method. </p><p>This option is only required when using sam back-ends tied
262 to the Unix uid method of RID calculation such as smbpasswd.
263 This option is only available in Samba 3.0.</p><p>Default: <b class="command">add machine script = <empty string></b></p><p>Example: <b class="command">add machine script = /usr/sbin/adduser -n -g
264 machines -c Machine -d /dev/null -s /bin/false %u</b></p></dd><dt><span class="term"><a name="ADDPRINTERCOMMAND"></a>addprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printing
265 support for Windows NT/2000 clients in Samba 2.2, The MS Add
266 Printer Wizard (APW) icon is now also available in the
267 "Printers..." folder displayed a share listing. The APW
268 allows for printers to be add remotely to a Samba or Windows
269 NT/2000 print server.</p><p>For a Samba host this means that the printer must be
270 physically added to the underlying printing system. The <i class="parameter"><tt>add
271 printer command</tt></i> defines a script to be run which
272 will perform the necessary operations for adding the printer
273 to the print system and to add the appropriate service definition
274 to the <tt class="filename">smb.conf</tt> file in order that it can be
275 shared by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>The <i class="parameter"><tt>addprinter command</tt></i> is
276 automatically invoked with the following parameter (in
277 order):</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>printer name</tt></i></p></li><li><p><i class="parameter"><tt>share name</tt></i></p></li><li><p><i class="parameter"><tt>port name</tt></i></p></li><li><p><i class="parameter"><tt>driver name</tt></i></p></li><li><p><i class="parameter"><tt>location</tt></i></p></li><li><p><i class="parameter"><tt>Windows 9x driver location</tt></i></p></li></ul></div><p>All parameters are filled in from the PRINTER_INFO_2 structure sent
278 by the Windows NT/2000 client with one exception. The "Windows 9x
279 driver location" parameter is included for backwards compatibility
280 only. The remaining fields in the structure are generated from answers
281 to the APW questions.</p><p>Once the <i class="parameter"><tt>addprinter command</tt></i> has
282 been executed, <b class="command">smbd</b> will reparse the <tt class="filename">
283 smb.conf</tt> to determine if the share defined by the APW
284 exists. If the sharename is still invalid, then <b class="command">smbd
285 </b> will return an ACCESS_DENIED error to the client.</p><p>
286 The "add printer command" program can output a single line of text,
287 which Samba will set as the port the new printer is connected to.
288 If this line isn't output, Samba won't reload its printer shares.
289 </p><p>See also <a href="#DELETEPRINTERCOMMAND"><i class="parameter"><tt>
290 deleteprinter command</tt></i></a>, <a href="#PRINTING">
291 <i class="parameter"><tt>printing</tt></i></a>,
292 <a href="#SHOWADDPRINTERWIZARD"><i class="parameter"><tt>show add
293 printer wizard</tt></i></a></p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">addprinter command = /usr/bin/addprinter</b></p></dd><dt><span class="term"><a name="ADDSHARECOMMAND"></a>add share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
294 add and delete shares via the Windows NT 4.0 Server Manager. The
295 <i class="parameter"><tt>add share command</tt></i> is used to define an
296 external program or script which will add a new service definition
297 to <tt class="filename">smb.conf</tt>. In order to successfully
298 execute the <i class="parameter"><tt>add share command</tt></i>, <b class="command">smbd</b>
299 requires that the administrator be connected using a root account (i.e.
302 When executed, <b class="command">smbd</b> will automatically invoke the
303 <i class="parameter"><tt>add share command</tt></i> with four parameters.
304 </p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>configFile</tt></i> - the location
305 of the global <tt class="filename">smb.conf</tt> file.
306 </p></li><li><p><i class="parameter"><tt>shareName</tt></i> - the name of the new
308 </p></li><li><p><i class="parameter"><tt>pathName</tt></i> - path to an **existing**
310 </p></li><li><p><i class="parameter"><tt>comment</tt></i> - comment string to associate
312 </p></li></ul></div><p>
313 This parameter is only used for add file shares. To add printer shares,
314 see the <a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>addprinter
315 command</tt></i></a>.
317 See also <a href="#CHANGESHARECOMMAND"><i class="parameter"><tt>change share
318 command</tt></i></a>, <a href="#DELETESHARECOMMAND"><i class="parameter"><tt>delete share
319 command</tt></i></a>.
320 </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">add share command = /usr/local/bin/addshare</b></p></dd><dt><span class="term"><a name="ADDUSERSCRIPT"></a>add user script (G)</span></dt><dd><p>This is the full pathname to a script that will
321 be run <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> under special circumstances described below.</p><p>Normally, a Samba server requires that UNIX users are
322 created for all users accessing files on this server. For sites
323 that use Windows NT account databases as their primary user database
324 creating these users and keeping the user list in sync with the
325 Windows NT PDC is an onerous task. This option allows <a href="smbd.8.html" target="_top">smbd</a> to create the required UNIX users
326 <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.</p><p>In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to <i class="parameter"><tt>security = share</tt></i>
327 and <i class="parameter"><tt>add user script</tt></i>
328 must be set to a full pathname for a script that will create a UNIX
329 user given one argument of <i class="parameter"><tt>%u</tt></i>, which expands into
330 the UNIX user name to create.</p><p>When the Windows user attempts to access the Samba server,
331 at login (session setup in the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <i class="parameter"><tt>password server</tt></i> and
332 attempts to authenticate the given user with the given password. If the
333 authentication succeeds then <b class="command">smbd</b>
334 attempts to find a UNIX user in the UNIX password database to map the
335 Windows user into. If this lookup fails, and <i class="parameter"><tt>add user script
336 </tt></i> is set then <b class="command">smbd</b> will
337 call the specified script <span class="emphasis"><em>AS ROOT</em></span>, expanding
338 any <i class="parameter"><tt>%u</tt></i> argument to be the user name to create.</p><p>If this script successfully creates the user then <b class="command">smbd
339 </b> will continue on as though the UNIX user
340 already existed. In this way, UNIX users are dynamically created to
341 match existing Windows NT accounts.</p><p>See also <a href="#SECURITY"><i class="parameter"><tt>
342 security</tt></i></a>, <a href="#PASSWORDSERVER">
343 <i class="parameter"><tt>password server</tt></i></a>,
344 <a href="#DELETEUSERSCRIPT"><i class="parameter"><tt>delete user
345 script</tt></i></a>.</p><p>Default: <b class="command">add user script = <empty string></b></p><p>Example: <b class="command">add user script = /usr/local/samba/bin/add_user %u</b></p></dd><dt><span class="term"><a name="ADDUSERTOGROUPSCRIPT"></a>add user to group script (G)</span></dt><dd><p>Full path to the script that will be called when
346 a user is added to a group using the Windows NT domain administration
347 tools. It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> <span class="emphasis"><em>AS ROOT</em></span>.
348 Any <i class="parameter"><tt>%g</tt></i> will be replaced with the group name and
349 any <i class="parameter"><tt>%u</tt></i> will be replaced with the user name.
350 </p><p>Default: <b class="command">add user to group script = </b></p><p>Example: <b class="command">add user to group script = /usr/sbin/adduser %u %g</b></p></dd><dt><span class="term"><a name="ADMINUSERS"></a>admin users (S)</span></dt><dd><p>This is a list of users who will be granted
351 administrative privileges on the share. This means that they
352 will do all file operations as the super-user (root).</p><p>You should use this option very carefully, as any user in
353 this list will be able to do anything they like on the share,
354 irrespective of file permissions.</p><p>Default: <span class="emphasis"><em>no admin users</em></span></p><p>Example: <b class="command">admin users = jason</b></p></dd><dt><span class="term"><a name="ALGORITHMICRIDBASE"></a>algorithmic rid base (G)</span></dt><dd><p>This determines how Samba will use its
355 algorithmic mapping from uids/gid to the RIDs needed to construct
356 NT Security Identifiers.
357 </p><p>Setting this option to a larger value could be useful to sites
358 transitioning from WinNT and Win2k, as existing user and
359 group rids would otherwise clash with sytem users etc.
360 </p><p>All UIDs and GIDs must be able to be resolved into SIDs for
361 the correct operation of ACLs on the server. As such the algorithmic
362 mapping can't be 'turned off', but pushing it 'out of the way' should
363 resolve the issues. Users and groups can then be assigned 'low' RIDs
364 in arbitary-rid supporting backends.
365 </p><p>Default: <b class="command">algorithmic rid base = 1000</b></p><p>Example: <b class="command">algorithmic rid base = 100000</b></p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts (S)</span></dt><dd><p>Synonym for <a href="#HOSTSALLOW">
366 <i class="parameter"><tt>hosts allow</tt></i></a>.</p></dd><dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p>This option only takes effect when the <a href="#SECURITY">
367 <i class="parameter"><tt>security</tt></i></a> option is set to
368 <tt class="constant">server</tt> or <tt class="constant">domain</tt>.
369 If it is set to no, then attempts to connect to a resource from
370 a domain or workgroup other than the one which <a href="smbd.8.html" target="_top">smbd</a> is running
371 in will fail, even if that domain is trusted by the remote server
372 doing the authentication.</p><p>This is useful if you only want your Samba server to
373 serve resources to users in the domain it is a member of. As
374 an example, suppose that there are two domains DOMA and DOMB. DOMB
375 is trusted by DOMA, which contains the Samba server. Under normal
376 circumstances, a user with an account in DOMB can then access the
377 resources of a UNIX account with the same account name on the
378 Samba server even if they do not have an account in DOMA. This
379 can make implementing a security boundary difficult.</p><p>Default: <b class="command">allow trusted domains = yes</b></p></dd><dt><span class="term"><a name="ANNOUNCEAS"></a>announce as (G)</span></dt><dd><p>This specifies what type of server <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will announce itself as, to a network neighborhood browse
380 list. By default this is set to Windows NT. The valid options
381 are : "NT Server" (which can also be written as "NT"),
382 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
383 Windows NT Workstation, Windows 95 and Windows for Workgroups
384 respectively. Do not change this parameter unless you have a
385 specific need to stop Samba appearing as an NT server as this
386 may prevent Samba servers from participating as browser servers
387 correctly.</p><p>Default: <b class="command">announce as = NT Server</b></p><p>Example: <b class="command">announce as = Win95</b></p></dd><dt><span class="term"><a name="ANNOUNCEVERSION"></a>announce version (G)</span></dt><dd><p>This specifies the major and minor version numbers
388 that nmbd will use when announcing itself as a server. The default
389 is 4.9. Do not change this parameter unless you have a specific
390 need to set a Samba server to be a downlevel server.</p><p>Default: <b class="command">announce version = 4.9</b></p><p>Example: <b class="command">announce version = 2.0</b></p></dd><dt><span class="term"><a name="AUTHMETHODS"></a>auth methods (G)</span></dt><dd><p>This option allows the administrator to chose what
391 authentication methods <b class="command">smbd</b> will use when authenticating
392 a user. This option defaults to sensible values based on <a href="#SECURITY">
393 <i class="parameter"><tt>security</tt></i></a>. This should be considered
394 a developer option and used only in rare circumstances. In the majority (if not all)
395 of production servers, the default setting should be adequate.</p><p>Each entry in the list attempts to authenticate the user in turn, until
396 the user authenticates. In practice only one method will ever actually
397 be able to complete the authentication.
398 </p><p>Possible options include <tt class="constant">guest</tt> (anonymous access),
399 <tt class="constant">sam</tt> (lookups in local list of accounts based on netbios
400 name or domain name), <tt class="constant">winbind</tt> (relay authentication requests
401 for remote users through winbindd), <tt class="constant">ntdomain</tt> (pre-winbindd
402 method of authentication for remote domain users; deprecated in favour of winbind method),
403 <tt class="constant">trustdomain</tt> (authenticate trusted users by contacting the
404 remote DC directly from smbd; deprecated in favour of winbind method).</p><p>Default: <b class="command">auth methods = <empty string></b></p><p>Example: <b class="command">auth methods = guest sam winbind</b></p></dd><dt><span class="term"><a name="AUTOSERVICES"></a>auto services (G)</span></dt><dd><p>This is a synonym for the <a href="#PRELOAD">
405 <i class="parameter"><tt>preload</tt></i></a>.</p></dd><dt><span class="term"><a name="AVAILABLE"></a>available (S)</span></dt><dd><p>This parameter lets you "turn off" a service. If
406 <i class="parameter"><tt>available = no</tt></i>, then <span class="emphasis"><em>ALL</em></span>
407 attempts to connect to the service will fail. Such failures are
408 logged.</p><p>Default: <b class="command">available = yes</b></p></dd><dt><span class="term"><a name="BINDINTERFACESONLY"></a>bind interfaces only (G)</span></dt><dd><p>This global parameter allows the Samba admin
409 to limit what interfaces on a machine will serve SMB requests. It
410 affects file service <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and name service <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> in a slightly different ways.</p><p>For name service it causes <b class="command">nmbd</b> to bind
411 to ports 137 and 138 on the interfaces listed in
412 the <a href="#INTERFACES">interfaces</a> parameter. <b class="command">nmbd</b> also
413 binds to the "all addresses" interface (0.0.0.0)
414 on ports 137 and 138 for the purposes of reading broadcast messages.
415 If this option is not set then <b class="command">nmbd</b> will service
416 name requests on all of these sockets. If <i class="parameter"><tt>bind interfaces
417 only</tt></i> is set then <b class="command">nmbd</b> will check the
418 source address of any packets coming in on the broadcast sockets
419 and discard any that don't match the broadcast addresses of the
420 interfaces in the <i class="parameter"><tt>interfaces</tt></i> parameter list.
421 As unicast packets are received on the other sockets it allows
422 <b class="command">nmbd</b> to refuse to serve names to machines that
423 send packets that arrive through any interfaces not listed in the
424 <i class="parameter"><tt>interfaces</tt></i> list. IP Source address spoofing
425 does defeat this simple check, however, so it must not be used
426 seriously as a security feature for <b class="command">nmbd</b>.</p><p>For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list
427 given in the <a href="#INTERFACES">interfaces</a> parameter. This
428 restricts the networks that <b class="command">smbd</b> will serve
429 to packets coming in those interfaces. Note that you should not use this parameter
430 for machines that are serving PPP or other intermittent or non-broadcast network
431 interfaces as it will not cope with non-permanent interfaces.</p><p>If <i class="parameter"><tt>bind interfaces only</tt></i> is set then
432 unless the network address <span class="emphasis"><em>127.0.0.1</em></span> is added
433 to the <i class="parameter"><tt>interfaces</tt></i> parameter
434 list <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as expected due
435 to the reasons covered below.</p><p>To change a users SMB password, the <b class="command">smbpasswd</b>
436 by default connects to the <span class="emphasis"><em>localhost - 127.0.0.1</em></span>
437 address as an SMB client to issue the password change request. If
438 <i class="parameter"><tt>bind interfaces only</tt></i> is set then unless the
439 network address <span class="emphasis"><em>127.0.0.1</em></span> is added to the
440 <i class="parameter"><tt>interfaces</tt></i> parameter list then <b class="command">
441 smbpasswd</b> will fail to connect in it's default mode.
442 <b class="command">smbpasswd</b> can be forced to use the primary IP interface
443 of the local host by using its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> <i class="parameter"><tt>-r <i class="replaceable"><tt>remote machine</tt></i></tt></i>
444 parameter, with <i class="replaceable"><tt>remote machine</tt></i> set
445 to the IP name of the primary interface of the local host.</p><p>The <b class="command">swat</b> status page tries to connect with
446 <b class="command">smbd</b> and <b class="command">nmbd</b> at the address
447 <span class="emphasis"><em>127.0.0.1</em></span> to determine if they are running.
448 Not adding <span class="emphasis"><em>127.0.0.1</em></span> will cause <b class="command">
449 smbd</b> and <b class="command">nmbd</b> to always show
450 "not running" even if they really are. This can prevent <b class="command">
451 swat</b> from starting/stopping/restarting <b class="command">smbd</b>
452 and <b class="command">nmbd</b>.</p><p>Default: <b class="command">bind interfaces only = no</b></p></dd><dt><span class="term"><a name="BLOCKINGLOCKS"></a>blocking locks (S)</span></dt><dd><p>This parameter controls the behavior
453 of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when given a request by a client
454 to obtain a byte range lock on a region of an open file, and the
455 request has a time limit associated with it.</p><p>If this parameter is set and the lock range requested
456 cannot be immediately satisfied, samba will internally
457 queue the lock request, and periodically attempt to obtain
458 the lock until the timeout period expires.</p><p>If this parameter is set to <tt class="constant">no</tt>, then
459 samba will behave as previous versions of Samba would and
460 will fail the lock request immediately if the lock range
461 cannot be obtained.</p><p>Default: <b class="command">blocking locks = yes</b></p></dd><dt><span class="term"><a name="BLOCKSIZE"></a>block size (S)</span></dt><dd><p>This parameter controls the behavior of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when reporting disk free
462 sizes. By default, this reports a disk block size of 1024 bytes.
463 </p><p>Changing this parameter may have some effect on the
464 efficiency of client writes, this is not yet confirmed. This
465 parameter was added to allow advanced administrators to change
466 it (usually to a higher value) and test the effect it has on
467 client write performance without re-compiling the code. As this
468 is an experimental option it may be removed in a future release.
469 </p><p>Changing this option does not change the disk free reporting
470 size, just the block size unit reported to the client.
471 </p></dd><dt><span class="term"><a name="BROWSABLE"></a>browsable (S)</span></dt><dd><p>See the <a href="#BROWSEABLE">
472 <i class="parameter"><tt>browseable</tt></i></a>.</p></dd><dt><span class="term"><a name="BROWSEABLE"></a>browseable (S)</span></dt><dd><p>This controls whether this share is seen in
473 the list of available shares in a net view and in the browse list.</p><p>Default: <b class="command">browseable = yes</b></p></dd><dt><span class="term"><a name="BROWSELIST"></a>browse list (G)</span></dt><dd><p>This controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will serve a browse list to
474 a client doing a <b class="command">NetServerEnum</b> call. Normally
475 set to <tt class="constant">yes</tt>. You should never need to change
476 this.</p><p>Default: <b class="command">browse list = yes</b></p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <b class="command">case sensitive = no</b></p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames (S)</span></dt><dd><p>Synonym for <a href="#CASESENSITIVE">case sensitive</a>.</p></dd><dt><span class="term"><a name="CHANGENOTIFYTIMEOUT"></a>change notify timeout (G)</span></dt><dd><p>This SMB allows a client to tell a server to
477 "watch" a particular directory for any changes and only reply to
478 the SMB request when a change has occurred. Such constant scanning of
479 a directory is expensive under UNIX, hence an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> daemon only performs such a scan
480 on each requested directory once every <i class="parameter"><tt>change notify
481 timeout</tt></i> seconds.</p><p>Default: <b class="command">change notify timeout = 60</b></p><p>Example: <b class="command">change notify timeout = 300</b></p><p>Would change the scan time to every 5 minutes.</p></dd><dt><span class="term"><a name="CHANGESHARECOMMAND"></a>change share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
482 add and delete shares via the Windows NT 4.0 Server Manager. The
483 <i class="parameter"><tt>change share command</tt></i> is used to define an
484 external program or script which will modify an existing service definition
485 in <tt class="filename">smb.conf</tt>. In order to successfully
486 execute the <i class="parameter"><tt>change share command</tt></i>, <b class="command">smbd</b>
487 requires that the administrator be connected using a root account (i.e.
490 When executed, <b class="command">smbd</b> will automatically invoke the
491 <i class="parameter"><tt>change share command</tt></i> with four parameters.
492 </p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>configFile</tt></i> - the location
493 of the global <tt class="filename">smb.conf</tt> file.
494 </p></li><li><p><i class="parameter"><tt>shareName</tt></i> - the name of the new
496 </p></li><li><p><i class="parameter"><tt>pathName</tt></i> - path to an **existing**
498 </p></li><li><p><i class="parameter"><tt>comment</tt></i> - comment string to associate
500 </p></li></ul></div><p>
501 This parameter is only used modify existing file shares definitions. To modify
502 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
504 See also <a href="#ADDSHARECOMMAND"><i class="parameter"><tt>add share
505 command</tt></i></a>, <a href="#DELETESHARECOMMAND"><i class="parameter"><tt>delete
506 share command</tt></i></a>.
507 </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">change share command = /usr/local/bin/addshare</b></p></dd><dt><span class="term"><a name="CLIENTUSESPNEGO"></a>client use spnego (G)</span></dt><dd><p> This variable controls controls whether samba clients will try
508 to use Simple and Protected NEGOciation (as specified by rfc2478) with
509 WindowsXP and Windows2000 servers to agree upon an authentication mechanism.
510 SPNEGO client support with Sign and Seal is currently broken, so
511 you might want to turn this option off when doing joins to
512 Windows 2003 domains.
513 </p><p>Default: <span class="emphasis"><em>client use spnego = yes</em></span></p></dd><dt><span class="term"><a name="COMMENT"></a>comment (S)</span></dt><dd><p>This is a text field that is seen next to a share
514 when a client does a queries the server, either via the network
515 neighborhood or via <b class="command">net view</b> to list what shares
516 are available.</p><p>If you want to set the string that is displayed next to the
517 machine name then see the <a href="#SERVERSTRING"><i class="parameter"><tt>
518 server string</tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>No comment string</em></span></p><p>Example: <b class="command">comment = Fred's Files</b></p></dd><dt><span class="term"><a name="CONFIGFILE"></a>config file (G)</span></dt><dd><p>This allows you to override the config file
519 to use, instead of the default (usually <tt class="filename">smb.conf</tt>).
520 There is a chicken and egg problem here as this option is set
521 in the config file!</p><p>For this reason, if the name of the config file has changed
522 when the parameters are loaded then it will reload them from
523 the new config file.</p><p>This option takes the usual substitutions, which can
524 be very useful.</p><p>If the config file doesn't exist then it won't be loaded
525 (allowing you to special case the config files of just a few
526 clients).</p><p>Example: <b class="command">config file = /usr/local/samba/lib/smb.conf.%m</b></p></dd><dt><span class="term"><a name="COPY"></a>copy (S)</span></dt><dd><p>This parameter allows you to "clone" service
527 entries. The specified service is simply duplicated under the
528 current service's name. Any parameters specified in the current
529 section will override those in the section being copied.</p><p>This feature lets you set up a 'template' service and
530 create similar services easily. Note that the service being
531 copied must occur earlier in the configuration file than the
532 service doing the copying.</p><p>Default: <span class="emphasis"><em>no value</em></span></p><p>Example: <b class="command">copy = otherservice</b></p></dd><dt><span class="term"><a name="CREATEMASK"></a>create mask (S)</span></dt><dd><p>A synonym for this parameter is
533 <a href="#CREATEMODE"><i class="parameter"><tt>create mode</tt></i>
534 </a>.</p><p>When a file is created, the necessary permissions are
535 calculated according to the mapping from DOS modes to UNIX
536 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
537 with this parameter. This parameter may be thought of as a bit-wise
538 MASK for the UNIX modes of a file. Any bit <span class="emphasis"><em>not</em></span>
539 set here will be removed from the modes set on a file when it is
540 created.</p><p>The default value of this parameter removes the
541 'group' and 'other' write and execute bits from the UNIX modes.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode created
542 from this parameter with the value of the <a href="#FORCECREATEMODE">
543 <i class="parameter"><tt>force create mode</tt></i></a>
544 parameter which is set to 000 by default.</p><p>This parameter does not affect directory modes. See the
545 parameter <a href="#DIRECTORYMODE"><i class="parameter"><tt>directory mode
546 </tt></i></a> for details.</p><p>See also the <a href="#FORCECREATEMODE"><i class="parameter"><tt>force
547 create mode</tt></i></a> parameter for forcing particular mode
548 bits to be set on created files. See also the <a href="#DIRECTORYMODE">
549 <i class="parameter"><tt>directory mode</tt></i></a> parameter for masking
550 mode bits on created directories. See also the <a href="#INHERITPERMISSIONS">
551 <i class="parameter"><tt>inherit permissions</tt></i></a> parameter.</p><p>Note that this parameter does not apply to permissions
552 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
553 a mask on access control lists also, they need to set the <a href="#SECURITYMASK">
554 <i class="parameter"><tt>security mask</tt></i></a>.</p><p>Default: <b class="command">create mask = 0744</b></p><p>Example: <b class="command">create mask = 0775</b></p></dd><dt><span class="term"><a name="CREATEMODE"></a>create mode (S)</span></dt><dd><p>This is a synonym for <a href="#CREATEMASK"><i class="parameter"><tt>
555 create mask</tt></i></a>.</p></dd><dt><span class="term"><a name="CSCPOLICY"></a>csc policy (S)</span></dt><dd><p>This stands for <span class="emphasis"><em>client-side caching
556 policy</em></span>, and specifies how clients capable of offline
557 caching will cache the files in the share. The valid values
558 are: manual, documents, programs, disable.</p><p>These values correspond to those used on Windows servers.</p><p>For example, shares containing roaming profiles can have
559 offline caching disabled using <b class="command">csc policy = disable</b>.</p><p>Default: <b class="command">csc policy = manual</b></p><p>Example: <b class="command">csc policy = programs</b></p></dd><dt><span class="term"><a name="DEADTIME"></a>dead time (G)</span></dt><dd><p>The value of the parameter (a decimal integer)
560 represents the number of minutes of inactivity before a connection
561 is considered dead, and it is disconnected. The deadtime only takes
562 effect if the number of open files is zero.</p><p>This is useful to stop a server's resources being
563 exhausted by a large number of inactive connections.</p><p>Most clients have an auto-reconnect feature when a
564 connection is broken so in most cases this parameter should be
565 transparent to users.</p><p>Using this parameter with a timeout of a few minutes
566 is recommended for most systems.</p><p>A deadtime of zero indicates that no auto-disconnection
567 should be performed.</p><p>Default: <b class="command">deadtime = 0</b></p><p>Example: <b class="command">deadtime = 15</b></p></dd><dt><span class="term"><a name="DEBUGHIRESTIMESTAMP"></a>debug hires timestamp (G)</span></dt><dd><p>Sometimes the timestamps in the log messages
568 are needed with a resolution of higher that seconds, this
569 boolean parameter adds microsecond resolution to the timestamp
570 message header when turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>
571 debug timestamp</tt></i></a> must be on for this to have an
572 effect.</p><p>Default: <b class="command">debug hires timestamp = no</b></p></dd><dt><span class="term"><a name="DEBUGLEVEL"></a>debug level (G)</span></dt><dd><p>Synonym for <a href="#LOGLEVEL"><i class="parameter"><tt>
573 log level</tt></i></a>.</p></dd><dt><span class="term"><a name="DEBUGPID"></a>debug pid (G)</span></dt><dd><p>When using only one log file for more then one forked
574 <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>-process there may be hard to
575 follow which process outputs which message. This boolean parameter
576 is adds the process-id to the timestamp message headers in the
577 logfile when turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>
578 debug timestamp</tt></i></a> must be on for this to have an
579 effect.</p><p>Default: <b class="command">debug pid = no</b></p></dd><dt><span class="term"><a name="DEBUGTIMESTAMP"></a>debug timestamp (G)</span></dt><dd><p>Samba debug log messages are timestamped
580 by default. If you are running at a high <a href="#DEBUGLEVEL">
581 <i class="parameter"><tt>debug level</tt></i></a> these timestamps
582 can be distracting. This boolean parameter allows timestamping
583 to be turned off.</p><p>Default: <b class="command">debug timestamp = yes</b></p></dd><dt><span class="term"><a name="DEBUGUID"></a>debug uid (G)</span></dt><dd><p>Samba is sometimes run as root and sometime
584 run as the connected user, this boolean parameter inserts the
585 current euid, egid, uid and gid to the timestamp message headers
586 in the log file if turned on.</p><p>Note that the parameter <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>
587 debug timestamp</tt></i></a> must be on for this to have an
588 effect.</p><p>Default: <b class="command">debug uid = no</b></p></dd><dt><span class="term"><a name="DEFAULT"></a>default (G)</span></dt><dd><p>A synonym for <a href="#DEFAULTSERVICE"><i class="parameter"><tt>
589 default service</tt></i></a>.</p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">
590 NAME MANGLING</a>. Also note the <a href="#SHORTPRESERVECASE">
591 <i class="parameter"><tt>short preserve case</tt></i></a> parameter.</p><p>Default: <b class="command">default case = lower</b></p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a href="#PRINTOK">printable</a> services.
592 When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
593 server has a Device Mode which defines things such as paper size and
594 orientation and duplex settings. The device mode can only correctly be
595 generated by the printer driver itself (which can only be executed on a
596 Win32 platform). Because smbd is unable to execute the driver code
597 to generate the device mode, the default behavior is to set this field
599 </p><p>Most problems with serving printer drivers to Windows NT/2k/XP clients
600 can be traced to a problem with the generated device mode. Certain drivers
601 will do things such as crashing the client's Explorer.exe with a NULL devmode.
602 However, other printer drivers can cause the client's spooler service
603 (spoolsv.exe) to die if the devmode was not created by the driver itself
604 (i.e. smbd generates a default devmode).
605 </p><p>This parameter should be used with care and tested with the printer
606 driver in question. It is better to leave the device mode to NULL
607 and let the Windows client set the correct values. Because drivers do not
608 do this all the time, setting <b class="command">default devmode = yes</b>
609 will instruct smbd to generate a default one.
610 </p><p>For more information on Windows NT/2k printing and Device Modes,
611 see the <a href="http://msdn.microsoft.com/" target="_top">MSDN documentation</a>.
612 </p><p>Default: <b class="command">default devmode = no</b></p></dd><dt><span class="term"><a name="DEFAULTSERVICE"></a>default service (G)</span></dt><dd><p>This parameter specifies the name of a service
613 which will be connected to if the service actually requested cannot
614 be found. Note that the square brackets are <span class="emphasis"><em>NOT</em></span>
615 given in the parameter value (see example below).</p><p>There is no default value for this parameter. If this
616 parameter is not given, attempting to connect to a nonexistent
617 service results in an error.</p><p>Typically the default service would be a <a href="#GUESTOK">
618 <i class="parameter"><tt>guest ok</tt></i></a>, <a href="#READONLY">
619 <i class="parameter"><tt>read-only</tt></i></a> service.</p><p>Also note that the apparent service name will be changed
620 to equal that of the requested service, this is very useful as it
621 allows you to use macros like <i class="parameter"><tt>%S</tt></i> to make
622 a wildcard service.</p><p>Note also that any "_" characters in the name of the service
623 used in the default service will get mapped to a "/". This allows for
624 interesting things.</p><p>Example:</p><pre class="programlisting">
626 default service = pub
630 </pre></dd><dt><span class="term"><a name="DELETEGROUPSCRIPT"></a>delete group script (G)</span></dt><dd><p>This is the full pathname to a script that will
631 be run <span class="emphasis"><em>AS ROOT</em></span> <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a group is requested to be deleted.
632 It will expand any <i class="parameter"><tt>%g</tt></i> to the group name passed.
633 This script is only useful for installations using the Windows NT domain administration tools.
634 </p></dd><dt><span class="term"><a name="DELETEPRINTERCOMMAND"></a>deleteprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printer
635 support for Windows NT/2000 clients in Samba 2.2, it is now
636 possible to delete printer at run time by issuing the
637 DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be
638 physically deleted from underlying printing system. The <i class="parameter"><tt>
639 deleteprinter command</tt></i> defines a script to be run which
640 will perform the necessary operations for removing the printer
641 from the print system and from <tt class="filename">smb.conf</tt>.
642 </p><p>The <i class="parameter"><tt>deleteprinter command</tt></i> is
643 automatically called with only one parameter: <i class="parameter"><tt>
644 "printer name"</tt></i>.</p><p>Once the <i class="parameter"><tt>deleteprinter command</tt></i> has
645 been executed, <b class="command">smbd</b> will reparse the <tt class="filename">
646 smb.conf</tt> to associated printer no longer exists.
647 If the sharename is still valid, then <b class="command">smbd
648 </b> will return an ACCESS_DENIED error to the client.</p><p>See also <a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>
649 addprinter command</tt></i></a>, <a href="#PRINTING">
650 <i class="parameter"><tt>printing</tt></i></a>,
651 <a href="#SHOWADDPRINTERWIZARD"><i class="parameter"><tt>show add
652 printer wizard</tt></i></a></p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">deleteprinter command = /usr/bin/removeprinter</b></p></dd><dt><span class="term"><a name="DELETEREADONLY"></a>delete readonly (S)</span></dt><dd><p>This parameter allows readonly files to be deleted.
653 This is not normal DOS semantics, but is allowed by UNIX.</p><p>This option may be useful for running applications such
654 as rcs, where UNIX file ownership prevents changing file
655 permissions, and DOS semantics prevent deletion of a read only file.</p><p>Default: <b class="command">delete readonly = no</b></p></dd><dt><span class="term"><a name="DELETESHARECOMMAND"></a>delete share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
656 add and delete shares via the Windows NT 4.0 Server Manager. The
657 <i class="parameter"><tt>delete share command</tt></i> is used to define an
658 external program or script which will remove an existing service
659 definition from <tt class="filename">smb.conf</tt>. In order to successfully
660 execute the <i class="parameter"><tt>delete share command</tt></i>, <b class="command">smbd</b>
661 requires that the administrator be connected using a root account (i.e.
664 When executed, <b class="command">smbd</b> will automatically invoke the
665 <i class="parameter"><tt>delete share command</tt></i> with two parameters.
666 </p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>configFile</tt></i> - the location
667 of the global <tt class="filename">smb.conf</tt> file.
668 </p></li><li><p><i class="parameter"><tt>shareName</tt></i> - the name of
669 the existing service.
670 </p></li></ul></div><p>
671 This parameter is only used to remove file shares. To delete printer shares,
672 see the <a href="#DELETEPRINTERCOMMAND"><i class="parameter"><tt>deleteprinter
673 command</tt></i></a>.
675 See also <a href="#ADDSHARECOMMAND"><i class="parameter"><tt>add share
676 command</tt></i></a>, <a href="#CHANGESHARECOMMAND"><i class="parameter"><tt>change
677 share command</tt></i></a>.
678 </p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">delete share command = /usr/local/bin/delshare</b></p></dd><dt><span class="term"><a name="DELETEUSERFROMGROUPSCRIPT"></a>delete user from group script (G)</span></dt><dd><p>Full path to the script that will be called when
679 a user is removed from a group using the Windows NT domain administration
680 tools. It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> <span class="emphasis"><em>AS ROOT</em></span>.
681 Any <i class="parameter"><tt>%g</tt></i> will be replaced with the group name and
682 any <i class="parameter"><tt>%u</tt></i> will be replaced with the user name.
683 </p><p>Default: <b class="command">delete user from group script = </b></p><p>Example: <b class="command">delete user from group script = /usr/sbin/deluser %u %g</b></p></dd><dt><span class="term"><a name="DELETEUSERSCRIPT"></a>delete user script (G)</span></dt><dd><p>This is the full pathname to a script that will
684 be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when managing users
685 with remote RPC (NT) tools.
686 </p><p>This script is called when a remote client removes a user
687 from the server, normally using 'User Manager for Domains' or
688 <b class="command">rpcclient</b>.</p><p>This script should delete the given UNIX username.</p><p>Default: <b class="command">delete user script = <empty string></b></p><p>Example: <b class="command">delete user script = /usr/local/samba/bin/del_user %u</b></p></dd><dt><span class="term"><a name="DELETEVETOFILES"></a>delete veto files (S)</span></dt><dd><p>This option is used when Samba is attempting to
689 delete a directory that contains one or more vetoed directories
690 (see the <a href="#VETOFILES"><i class="parameter"><tt>veto files</tt></i></a>
691 option). If this option is set to <tt class="constant">no</tt> (the default) then if a vetoed
692 directory contains any non-vetoed files or directories then the
693 directory delete will fail. This is usually what you want.</p><p>If this option is set to <tt class="constant">yes</tt>, then Samba
694 will attempt to recursively delete any files and directories within
695 the vetoed directory. This can be useful for integration with file
696 serving systems such as NetAtalk which create meta-files within
697 directories you might normally veto DOS/Windows users from seeing
698 (e.g. <tt class="filename">.AppleDouble</tt>)</p><p>Setting <b class="command">delete veto files = yes</b> allows these
699 directories to be transparently deleted when the parent directory
700 is deleted (so long as the user has permissions to do so).</p><p>See also the <a href="#VETOFILES"><i class="parameter"><tt>veto
701 files</tt></i></a> parameter.</p><p>Default: <b class="command">delete veto files = no</b></p></dd><dt><span class="term"><a name="DENYHOSTS"></a>deny hosts (S)</span></dt><dd><p>Synonym for <a href="#HOSTSDENY"><i class="parameter"><tt>hosts
702 deny</tt></i></a>.</p></dd><dt><span class="term"><a name="DFREECOMMAND"></a>dfree command (G)</span></dt><dd><p>The <i class="parameter"><tt>dfree command</tt></i> setting
703 should only be used on systems where a problem occurs with the
704 internal disk space calculations. This has been known to happen
705 with Ultrix, but may occur with other operating systems. The
706 symptom that was seen was an error of "Abort Retry
707 Ignore" at the end of each directory listing.</p><p>This setting allows the replacement of the internal routines to
708 calculate the total disk space and amount available with an external
709 routine. The example below gives a possible script that might fulfill
710 this function.</p><p>The external program will be passed a single parameter indicating
711 a directory in the filesystem being queried. This will typically consist
712 of the string <tt class="filename">./</tt>. The script should return two
713 integers in ASCII. The first should be the total disk space in blocks,
714 and the second should be the number of available blocks. An optional
715 third return value can give the block size in bytes. The default
716 blocksize is 1024 bytes.</p><p>Note: Your script should <span class="emphasis"><em>NOT</em></span> be setuid or
717 setgid and should be owned by (and writeable only by) root!</p><p>Default: <span class="emphasis"><em>By default internal routines for
718 determining the disk capacity and remaining space will be used.
719 </em></span></p><p>Example: <b class="command">dfree command = /usr/local/samba/bin/dfree</b></p><p>Where the script dfree (which must be made executable) could be:</p><pre class="programlisting">
721 df $1 | tail -1 | awk '{print $2" "$4}'
722 </pre><p>or perhaps (on Sys V based systems):</p><pre class="programlisting">
724 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
725 </pre><p>Note that you may have to replace the command names with full path names on some systems.</p></dd><dt><span class="term"><a name="DIRECTORY"></a>directory (S)</span></dt><dd><p>Synonym for <a href="#PATH"><i class="parameter"><tt>path</tt></i></a>.</p></dd><dt><span class="term"><a name="DIRECTORYMASK"></a>directory mask (S)</span></dt><dd><p>This parameter is the octal modes which are
726 used when converting DOS modes to UNIX modes when creating UNIX
727 directories.</p><p>When a directory is created, the necessary permissions are
728 calculated according to the mapping from DOS modes to UNIX permissions,
729 and the resulting UNIX mode is then bit-wise 'AND'ed with this
730 parameter. This parameter may be thought of as a bit-wise MASK for
731 the UNIX modes of a directory. Any bit <span class="emphasis"><em>not</em></span> set
732 here will be removed from the modes set on a directory when it is
733 created.</p><p>The default value of this parameter removes the 'group'
734 and 'other' write bits from the UNIX mode, allowing only the
735 user who owns the directory to modify it.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode
736 created from this parameter with the value of the <a href="#FORCEDIRECTORYMODE">
737 <i class="parameter"><tt>force directory mode</tt></i></a> parameter.
738 This parameter is set to 000 by default (i.e. no extra mode bits are added).</p><p>Note that this parameter does not apply to permissions
739 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
740 a mask on access control lists also, they need to set the <a href="#DIRECTORYSECURITYMASK">
741 <i class="parameter"><tt>directory security mask</tt></i></a>.</p><p>See the <a href="#FORCEDIRECTORYMODE"><i class="parameter"><tt>force
742 directory mode</tt></i></a> parameter to cause particular mode
743 bits to always be set on created directories.</p><p>See also the <a href="#CREATEMODE"><i class="parameter"><tt>create mode
744 </tt></i></a> parameter for masking mode bits on created files,
745 and the <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory
746 security mask</tt></i></a> parameter.</p><p>Also refer to the <a href="#INHERITPERMISSIONS"><i class="parameter"><tt>
747 inherit permissions</tt></i></a> parameter.</p><p>Default: <b class="command">directory mask = 0755</b></p><p>Example: <b class="command">directory mask = 0775</b></p></dd><dt><span class="term"><a name="DIRECTORYMODE"></a>directory mode (S)</span></dt><dd><p>Synonym for <a href="#DIRECTORYMASK"><i class="parameter"><tt>
748 directory mask</tt></i></a></p></dd><dt><span class="term"><a name="DIRECTORYSECURITYMASK"></a>directory security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission bits
749 can be modified when a Windows NT client is manipulating the UNIX
750 permission on a directory using the native NT security dialog
751 box.</p><p>This parameter is applied as a mask (AND'ed with) to
752 the changed permission bits, thus preventing any bits not in
753 this mask from being modified. Essentially, zero bits in this
754 mask may be treated as a set of bits the user is not allowed
755 to change.</p><p>If not set explicitly this parameter is set to 0777
756 meaning a user is allowed to modify all the user/group/world
757 permissions on a directory.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the
758 Samba server through other means can easily bypass this restriction,
759 so it is primarily useful for standalone "appliance" systems.
760 Administrators of most normal systems will probably want to leave
761 it as the default of <tt class="constant">0777</tt>.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt>
762 force directory security mode</tt></i></a>, <a href="#SECURITYMASK">
763 <i class="parameter"><tt>security mask</tt></i></a>,
764 <a href="#FORCESECURITYMODE"><i class="parameter"><tt>force security mode
765 </tt></i></a> parameters.</p><p>Default: <b class="command">directory security mask = 0777</b></p><p>Example: <b class="command">directory security mask = 0700</b></p></dd><dt><span class="term"><a name="DISABLENETBIOS"></a>disable netbios (G)</span></dt><dd><p>Enabling this parameter will disable netbios support
766 in Samba. Netbios is the only available form of browsing in
767 all windows versions except for 2000 and XP. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that clients that only support netbios won't be able to
768 see your samba server when netbios support is disabled.
769 </p></div><p>Default: <b class="command">disable netbios = no</b></p><p>Example: <b class="command">disable netbios = yes</b></p></dd><dt><span class="term"><a name="DISABLESPOOLSS"></a>disable spoolss (G)</span></dt><dd><p>Enabling this parameter will disable Samba's support
770 for the SPOOLSS set of MS-RPC's and will yield identical behavior
771 as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
772 Lanman style printing commands. Windows 9x/ME will be uneffected by
773 the parameter. However, this will also disable the ability to upload
774 printer drivers to a Samba server via the Windows NT Add Printer
775 Wizard or by using the NT printer properties dialog window. It will
776 also disable the capability of Windows NT/2000 clients to download
777 print drivers from the Samba host upon demand.
778 <span class="emphasis"><em>Be very careful about enabling this parameter.</em></span>
779 </p><p>See also <a href="#USECLIENTDRIVER">use client driver</a>
780 </p><p>Default : <b class="command">disable spoolss = no</b></p></dd><dt><span class="term"><a name="DISPLAYCHARSET"></a>display charset (G)</span></dt><dd><p>Specifies the charset that samba will use
781 to print messages to stdout and stderr and SWAT will use.
782 Should generally be the same as the <b class="command">unix charset</b>.
783 </p><p>Default: <b class="command">display charset = ASCII</b></p><p>Example: <b class="command">display charset = UTF8</b></p></dd><dt><span class="term"><a name="DNSPROXY"></a>dns proxy (G)</span></dt><dd><p>Specifies that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> when acting as a WINS server and
784 finding that a NetBIOS name has not been registered, should treat the
785 NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server
786 for that name on behalf of the name-querying client.</p><p>Note that the maximum length for a NetBIOS name is 15
787 characters, so the DNS name (or DNS alias) can likewise only be
788 15 characters, maximum.</p><p><b class="command">nmbd</b> spawns a second copy of itself to do the
789 DNS name lookup requests, as doing a name lookup is a blocking
790 action.</p><p>See also the parameter <a href="#WINSSUPPORT"><i class="parameter"><tt>
791 wins support</tt></i></a>.</p><p>Default: <b class="command">dns proxy = yes</b></p></dd><dt><span class="term"><a name="DOMAINLOGONS"></a>domain logons (G)</span></dt><dd><p>If set to <tt class="constant">yes</tt>, the Samba server will serve
792 Windows 95/98 Domain logons for the <a href="#WORKGROUP">
793 <i class="parameter"><tt>workgroup</tt></i></a> it is in. Samba 2.2
794 has limited capability to act as a domain controller for Windows
795 NT 4 Domains. For more details on setting up this feature see
796 the Samba-PDC-HOWTO included in the Samba documentation.</p><p>Default: <b class="command">domain logons = no</b></p></dd><dt><span class="term"><a name="DOMAINMASTER"></a>domain master (G)</span></dt><dd><p>Tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to enable WAN-wide browse list
797 collation. Setting this option causes <b class="command">nmbd</b> to
798 claim a special domain specific NetBIOS name that identifies
799 it as a domain master browser for its given <a href="#WORKGROUP">
800 <i class="parameter"><tt>workgroup</tt></i></a>. Local master browsers
801 in the same <i class="parameter"><tt>workgroup</tt></i> on broadcast-isolated
802 subnets will give this <b class="command">nmbd</b> their local browse lists,
803 and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a complete copy of the browse
804 list for the whole wide area network. Browser clients will then contact
805 their local master browser, and will receive the domain-wide browse list,
806 instead of just the list for their broadcast-isolated subnet.</p><p>Note that Windows NT Primary Domain Controllers expect to be
807 able to claim this <i class="parameter"><tt>workgroup</tt></i> specific special
808 NetBIOS name that identifies them as domain master browsers for
809 that <i class="parameter"><tt>workgroup</tt></i> by default (i.e. there is no
810 way to prevent a Windows NT PDC from attempting to do this). This
811 means that if this parameter is set and <b class="command">nmbd</b> claims
812 the special name for a <i class="parameter"><tt>workgroup</tt></i> before a Windows
813 NT PDC is able to do so then cross subnet browsing will behave
814 strangely and may fail.</p><p>If <a href="#DOMAINLOGONS"><b class="command">domain logons = yes</b>
815 </a>, then the default behavior is to enable the <i class="parameter"><tt>domain
816 master</tt></i> parameter. If <i class="parameter"><tt>domain logons</tt></i> is
817 not enabled (the default setting), then neither will <i class="parameter"><tt>domain
818 master</tt></i> be enabled by default.</p><p>Default: <b class="command">domain master = auto</b></p></dd><dt><span class="term"><a name="DONTDESCEND"></a>dont descend (S)</span></dt><dd><p>There are certain directories on some systems
819 (e.g., the <tt class="filename">/proc</tt> tree under Linux) that are either not
820 of interest to clients or are infinitely deep (recursive). This
821 parameter allows you to specify a comma-delimited list of directories
822 that the server should always show as empty.</p><p>Note that Samba can be very fussy about the exact format
823 of the "dont descend" entries. For example you may need <tt class="filename">
824 ./proc</tt> instead of just <tt class="filename">/proc</tt>.
825 Experimentation is the best policy :-) </p><p>Default: <span class="emphasis"><em>none (i.e., all directories are OK
826 to descend)</em></span></p><p>Example: <b class="command">dont descend = /proc,/dev</b></p></dd><dt><span class="term"><a name="DOSCHARSET"></a>dos charset (G)</span></dt><dd><p>DOS SMB clients assume the server has
827 the same charset as they do. This option specifies which
828 charset Samba should talk to DOS clients.
829 </p><p>The default depends on which charsets you have installed.
830 Samba tries to use charset 850 but falls back to ASCII in
831 case it is not available. Run <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> to check the default on your system.</p></dd><dt><span class="term"><a name="DOSFILEMODE"></a>dos filemode (S)</span></dt><dd><p> The default behavior in Samba is to provide
832 UNIX-like behavior where only the owner of a file/directory is
833 able to change the permissions on it. However, this behavior
834 is often confusing to DOS/Windows users. Enabling this parameter
835 allows a user who has write access to the file (by whatever
836 means) to modify the permissions on it. Note that a user
837 belonging to the group owning the file will not be allowed to
838 change permissions if the group is only granted read access.
839 Ownership of the file/directory is not changed, only the permissions
840 are modified.</p><p>Default: <b class="command">dos filemode = no</b></p></dd><dt><span class="term"><a name="DOSFILETIMERESOLUTION"></a>dos filetime resolution (S)</span></dt><dd><p>Under the DOS and Windows FAT filesystem, the finest
841 granularity on time resolution is two seconds. Setting this parameter
842 for a share causes Samba to round the reported time down to the
843 nearest two second boundary when a query call that requires one second
844 resolution is made to <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>This option is mainly used as a compatibility option for Visual
845 C++ when used against Samba shares. If oplocks are enabled on a
846 share, Visual C++ uses two different time reading calls to check if a
847 file has changed since it was last read. One of these calls uses a
848 one-second granularity, the other uses a two second granularity. As
849 the two second call rounds any odd second down, then if the file has a
850 timestamp of an odd number of seconds then the two timestamps will not
851 match and Visual C++ will keep reporting the file has changed. Setting
852 this option causes the two timestamps to match, and Visual C++ is
853 happy.</p><p>Default: <b class="command">dos filetime resolution = no</b></p></dd><dt><span class="term"><a name="DOSFILETIMES"></a>dos filetimes (S)</span></dt><dd><p>Under DOS and Windows, if a user can write to a
854 file they can change the timestamp on it. Under POSIX semantics,
855 only the owner of the file or root may change the timestamp. By
856 default, Samba runs with POSIX semantics and refuses to change the
857 timestamp on a file if the user <b class="command">smbd</b> is acting
858 on behalf of is not the file owner. Setting this option to <tt class="constant">
859 yes</tt> allows DOS semantics and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will change the file
860 timestamp as DOS requires.</p><p>Default: <b class="command">dos filetimes = no</b></p></dd><dt><span class="term"><a name="ENCRYPTPASSWORDS"></a>encrypt passwords (G)</span></dt><dd><p>This boolean controls whether encrypted passwords
861 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
862 above and also Windows 98 will by default expect encrypted passwords
863 unless a registry entry is changed. To use encrypted passwords in
864 Samba see the chapter "User Database" in the Samba HOWTO Collection. </p><p>In order for encrypted passwords to work correctly
865 <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must either
866 have access to a local <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file (see the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> program for information on how to set up
867 and maintain this file), or set the <a href="#SECURITY">security = [server|domain|ads]</a> parameter which
868 causes <b class="command">smbd</b> to authenticate against another
869 server.</p><p>Default: <b class="command">encrypt passwords = yes</b></p></dd><dt><span class="term"><a name="ENHANCEDBROWSING"></a>enhanced browsing (G)</span></dt><dd><p>This option enables a couple of enhancements to
870 cross-subnet browse propagation that have been added in Samba
871 but which are not standard in Microsoft implementations.
872 </p><p>The first enhancement to browse propagation consists of a regular
873 wildcard query to a Samba WINS server for all Domain Master Browsers,
874 followed by a browse synchronization with each of the returned
875 DMBs. The second enhancement consists of a regular randomised browse
876 synchronization with all currently known DMBs.</p><p>You may wish to disable this option if you have a problem with empty
877 workgroups not disappearing from browse lists. Due to the restrictions
878 of the browse protocols these enhancements can cause a empty workgroup
879 to stay around forever which can be annoying.</p><p>In general you should leave this option enabled as it makes
880 cross-subnet browse propagation much more reliable.</p><p>Default: <b class="command">enhanced browsing = yes</b></p></dd><dt><span class="term"><a name="ENUMPORTSCOMMAND"></a>enumports command (G)</span></dt><dd><p>The concept of a "port" is fairly foreign
881 to UNIX hosts. Under Windows NT/2000 print servers, a port
882 is associated with a port monitor and generally takes the form of
883 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
884 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
885 port defined--<tt class="constant">"Samba Printer Port"</tt>. Under
886 Windows NT/2000, all printers must have a valid port name.
887 If you wish to have a list of ports displayed (<b class="command">smbd
888 </b> does not use a port name for anything) other than
889 the default <tt class="constant">"Samba Printer Port"</tt>, you
890 can define <i class="parameter"><tt>enumports command</tt></i> to point to
891 a program which should generate a list of ports, one per line,
892 to standard output. This listing will then be used in response
893 to the level 1 and 2 EnumPorts() RPC.</p><p>Default: <span class="emphasis"><em>no enumports command</em></span></p><p>Example: <b class="command">enumports command = /usr/bin/listports</b></p></dd><dt><span class="term"><a name="EXEC"></a>exec (S)</span></dt><dd><p>This is a synonym for <a href="#PREEXEC">
894 <i class="parameter"><tt>preexec</tt></i></a>.</p></dd><dt><span class="term"><a name="FAKEDIRECTORYCREATETIMES"></a>fake directory create times (S)</span></dt><dd><p>NTFS and Windows VFAT file systems keep a create
895 time for all files and directories. This is not the same as the
896 ctime - status change time - that Unix keeps, so Samba by default
897 reports the earliest of the various times Unix does keep. Setting
898 this parameter for a share causes Samba to always report midnight
899 1-1-1980 as the create time for directories.</p><p>This option is mainly used as a compatibility option for
900 Visual C++ when used against Samba shares. Visual C++ generated
901 makefiles have the object directory as a dependency for each object
902 file, and a make rule to create the directory. Also, when NMAKE
903 compares timestamps it uses the creation time when examining a
904 directory. Thus the object directory will be created if it does not
905 exist, but once it does exist it will always have an earlier
906 timestamp than the object files it contains.</p><p>However, Unix time semantics mean that the create time
907 reported by Samba will be updated whenever a file is created or
908 or deleted in the directory. NMAKE finds all object files in
909 the object directory. The timestamp of the last one built is then
910 compared to the timestamp of the object directory. If the
911 directory's timestamp if newer, then all object files
912 will be rebuilt. Enabling this option
913 ensures directories always predate their contents and an NMAKE build
914 will proceed as expected.</p><p>Default: <b class="command">fake directory create times = no</b></p></dd><dt><span class="term"><a name="FAKEOPLOCKS"></a>fake oplocks (S)</span></dt><dd><p>Oplocks are the way that SMB clients get permission
915 from a server to locally cache file operations. If a server grants
916 an oplock (opportunistic lock) then the client is free to assume
917 that it is the only one accessing the file and it will aggressively
918 cache file data. With some oplock types the client may even cache
919 file open/close operations. This can give enormous performance benefits.
920 </p><p>When you set <b class="command">fake oplocks = yes</b>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will
921 always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a href="#OPLOCKS">
922 <i class="parameter"><tt>oplocks</tt></i></a> support rather
923 than this parameter.</p><p>If you enable this option on all read-only shares or
924 shares that you know will only be accessed from one client at a
925 time such as physically read-only media like CDROMs, you will see
926 a big performance improvement on many operations. If you enable
927 this option on shares where multiple clients may be accessing the
928 files read-write at the same time you can get data corruption. Use
929 this option carefully!</p><p>Default: <b class="command">fake oplocks = no</b></p></dd><dt><span class="term"><a name="FOLLOWSYMLINKS"></a>follow symlinks (S)</span></dt><dd><p>This parameter allows the Samba administrator
930 to stop <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> from following symbolic
931 links in a particular share. Setting this
932 parameter to <tt class="constant">no</tt> prevents any file or directory
933 that is a symbolic link from being followed (the user will get an
934 error). This option is very useful to stop users from adding a
935 symbolic link to <tt class="filename">/etc/passwd</tt> in their home
936 directory for instance. However it will slow filename lookups
937 down slightly.</p><p>This option is enabled (i.e. <b class="command">smbd</b> will
938 follow symbolic links) by default.</p><p>Default: <b class="command">follow symlinks = yes</b></p></dd><dt><span class="term"><a name="FORCECREATEMODE"></a>force create mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit
939 permissions that will <span class="emphasis"><em>always</em></span> be set on a
940 file created by Samba. This is done by bitwise 'OR'ing these bits onto
941 the mode bits of a file that is being created or having its
942 permissions changed. The default for this parameter is (in octal)
943 000. The modes in this parameter are bitwise 'OR'ed onto the file
944 mode after the mask set in the <i class="parameter"><tt>create mask</tt></i>
945 parameter is applied.</p><p>See also the parameter <a href="#CREATEMASK"><i class="parameter"><tt>create
946 mask</tt></i></a> for details on masking mode bits on files.</p><p>See also the <a href="#INHERITPERMISSIONS"><i class="parameter"><tt>inherit
947 permissions</tt></i></a> parameter.</p><p>Default: <b class="command">force create mode = 000</b></p><p>Example: <b class="command">force create mode = 0755</b></p><p>would force all created files to have read and execute
948 permissions set for 'group' and 'other' as well as the
949 read/write/execute bits set for the 'user'.</p></dd><dt><span class="term"><a name="FORCEDIRECTORYMODE"></a>force directory mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit
950 permissions that will <span class="emphasis"><em>always</em></span> be set on a directory
951 created by Samba. This is done by bitwise 'OR'ing these bits onto the
952 mode bits of a directory that is being created. The default for this
953 parameter is (in octal) 0000 which will not add any extra permission
954 bits to a created directory. This operation is done after the mode
955 mask in the parameter <i class="parameter"><tt>directory mask</tt></i> is
956 applied.</p><p>See also the parameter <a href="#DIRECTORYMASK"><i class="parameter"><tt>
957 directory mask</tt></i></a> for details on masking mode bits
958 on created directories.</p><p>See also the <a href="#INHERITPERMISSIONS"><i class="parameter"><tt>
959 inherit permissions</tt></i></a> parameter.</p><p>Default: <b class="command">force directory mode = 000</b></p><p>Example: <b class="command">force directory mode = 0755</b></p><p>would force all created directories to have read and execute
960 permissions set for 'group' and 'other' as well as the
961 read/write/execute bits set for the 'user'.</p></dd><dt><span class="term"><a name="FORCEDIRECTORYSECURITYMODE"></a>force directory security mode (S)</span></dt><dd><p>This parameter controls what UNIX permission bits
962 can be modified when a Windows NT client is manipulating the UNIX
963 permission on a directory using the native NT security dialog box.</p><p>This parameter is applied as a mask (OR'ed with) to the
964 changed permission bits, thus forcing any bits in this mask that
965 the user may have modified to be on. Essentially, one bits in this
966 mask may be treated as a set of bits that, when modifying security
967 on a directory, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is 000, which
968 allows a user to modify all the user/group/world permissions on a
969 directory without restrictions.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the
970 Samba server through other means can easily bypass this restriction,
971 so it is primarily useful for standalone "appliance" systems.
972 Administrators of most normal systems will probably want to leave
973 it set as 0000.</p><p>See also the <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>
974 directory security mask</tt></i></a>, <a href="#SECURITYMASK">
975 <i class="parameter"><tt>security mask</tt></i></a>,
976 <a href="#FORCESECURITYMODE"><i class="parameter"><tt>force security mode
977 </tt></i></a> parameters.</p><p>Default: <b class="command">force directory security mode = 0</b></p><p>Example: <b class="command">force directory security mode = 700</b></p></dd><dt><span class="term"><a name="FORCEGROUP"></a>force group (S)</span></dt><dd><p>This specifies a UNIX group name that will be
978 assigned as the default primary group for all users connecting
979 to this service. This is useful for sharing files by ensuring
980 that all access to files on service will use the named group for
981 their permissions checking. Thus, by assigning permissions for this
982 group to the files and directories within this service the Samba
983 administrator can restrict or allow sharing of these files.</p><p>In Samba 2.0.5 and above this parameter has extended
984 functionality in the following way. If the group name listed here
985 has a '+' character prepended to it then the current user accessing
986 the share only has the primary group default assigned to this group
987 if they are already assigned as a member of that group. This allows
988 an administrator to decide that only users who are already in a
989 particular group will create files with group ownership set to that
990 group. This gives a finer granularity of ownership assignment. For
991 example, the setting <tt class="filename">force group = +sys</tt> means
992 that only users who are already in group sys will have their default
993 primary group assigned to sys when accessing this Samba share. All
994 other users will retain their ordinary primary group.</p><p>If the <a href="#FORCEUSER"><i class="parameter"><tt>force user</tt></i>
995 </a> parameter is also set the group specified in
996 <i class="parameter"><tt>force group</tt></i> will override the primary group
997 set in <i class="parameter"><tt>force user</tt></i>.</p><p>See also <a href="#FORCEUSER"><i class="parameter"><tt>force user</tt></i></a>.</p><p>Default: <span class="emphasis"><em>no forced group</em></span></p><p>Example: <b class="command">force group = agroup</b></p></dd><dt><span class="term"><a name="FORCESECURITYMODE"></a>force security mode (S)</span></dt><dd><p>This parameter controls what UNIX permission
998 bits can be modified when a Windows NT client is manipulating
999 the UNIX permission on a file using the native NT security dialog
1000 box.</p><p>This parameter is applied as a mask (OR'ed with) to the
1001 changed permission bits, thus forcing any bits in this mask that
1002 the user may have modified to be on. Essentially, one bits in this
1003 mask may be treated as a set of bits that, when modifying security
1004 on a file, the user has always set to be 'on'.</p><p>If not set explicitly this parameter is set to 0,
1005 and allows a user to modify all the user/group/world permissions on a file,
1006 with no restrictions.</p><p><span class="emphasis"><em>Note</em></span> that users who can access
1007 the Samba server through other means can easily bypass this restriction,
1008 so it is primarily useful for standalone "appliance" systems.
1009 Administrators of most normal systems will probably want to leave
1010 this set to 0000.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE"><i class="parameter"><tt>
1011 force directory security mode</tt></i></a>,
1012 <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory security
1013 mask</tt></i></a>, <a href="#SECURITYMASK"><i class="parameter"><tt>
1014 security mask</tt></i></a> parameters.</p><p>Default: <b class="command">force security mode = 0</b></p><p>Example: <b class="command">force security mode = 700</b></p></dd><dt><span class="term"><a name="FORCEUSER"></a>force user (S)</span></dt><dd><p>This specifies a UNIX user name that will be
1015 assigned as the default user for all users connecting to this service.
1016 This is useful for sharing files. You should also use it carefully
1017 as using it incorrectly can cause security problems.</p><p>This user name only gets used once a connection is established.
1018 Thus clients still need to connect as a valid user and supply a
1019 valid password. Once connected, all file operations will be performed
1020 as the "forced user", no matter what username the client connected
1021 as. This can be very useful.</p><p>In Samba 2.0.5 and above this parameter also causes the
1022 primary group of the forced user to be used as the primary group
1023 for all file activity. Prior to 2.0.5 the primary group was left
1024 as the primary group of the connecting user (this was a bug).</p><p>See also <a href="#FORCEGROUP"><i class="parameter"><tt>force group</tt></i></a></p><p>Default: <span class="emphasis"><em>no forced user</em></span></p><p>Example: <b class="command">force user = auser</b></p></dd><dt><span class="term"><a name="FSTYPE"></a>fstype (S)</span></dt><dd><p>This parameter allows the administrator to
1025 configure the string that specifies the type of filesystem a share
1026 is using that is reported by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a client queries the filesystem type
1027 for a share. The default type is <tt class="constant">NTFS</tt> for
1028 compatibility with Windows NT but this can be changed to other
1029 strings such as <tt class="constant">Samba</tt> or <tt class="constant">FAT
1030 </tt> if required.</p><p>Default: <b class="command">fstype = NTFS</b></p><p>Example: <b class="command">fstype = Samba</b></p></dd><dt><span class="term"><a name="GETWDCACHE"></a>getwd cache (G)</span></dt><dd><p>This is a tuning option. When this is enabled a
1031 caching algorithm will be used to reduce the time taken for getwd()
1032 calls. This can have a significant impact on performance, especially
1033 when the <a href="#WIDELINKS"><i class="parameter"><tt>wide links</tt></i>
1034 </a> parameter is set to <tt class="constant">no</tt>.</p><p>Default: <b class="command">getwd cache = yes</b></p></dd><dt><span class="term"><a name="GROUP"></a>group (S)</span></dt><dd><p>Synonym for <a href="#FORCEGROUP">
1035 <i class="parameter"><tt>force group</tt></i></a>.</p></dd><dt><span class="term"><a name="GUESTACCOUNT"></a>guest account (G,S)</span></dt><dd><p>This is a username which will be used for access
1036 to services which are specified as <a href="#GUESTOK"><i class="parameter"><tt>
1037 guest ok</tt></i></a> (see below). Whatever privileges this
1038 user has will be available to any client connecting to the guest service.
1039 Typically this user will exist in the password file, but will not
1040 have a valid login. The user account "ftp" is often a good choice
1041 for this parameter. If a username is specified in a given service,
1042 the specified username overrides this one.
1043 </p><p>One some systems the default guest account "nobody" may not
1044 be able to print. Use another account in this case. You should test
1045 this by trying to log in as your guest user (perhaps by using the
1046 <b class="command">su -</b> command) and trying to print using the
1047 system print command such as <b class="command">lpr(1)</b> or <b class="command">
1048 lp(1)</b>.</p><p>This parameter does not accept % macros, because
1049 many parts of the system require this value to be
1050 constant for correct operation.</p><p>Default: <span class="emphasis"><em>specified at compile time, usually "nobody"</em></span></p><p>Example: <b class="command">guest account = ftp</b></p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt> for
1051 a service, then no password is required to connect to the service.
1052 Privileges will be those of the <a href="#GUESTACCOUNT"><i class="parameter"><tt>
1053 guest account</tt></i></a>.</p><p>This paramater nullifies the benifits of setting
1054 <a href="#RESTRICTANONYMOUS"><i class="parameter"><tt>restrict
1055 anonymous</tt></i></a> = 2</p><p>See the section below on <a href="#SECURITY"><i class="parameter"><tt>
1056 security</tt></i></a> for more information about this option.
1057 </p><p>Default: <b class="command">guest ok = no</b></p></dd><dt><span class="term"><a name="GUESTONLY"></a>guest only (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt> for
1058 a service, then only guest connections to the service are permitted.
1059 This parameter will have no effect if <a href="#GUESTOK">
1060 <i class="parameter"><tt>guest ok</tt></i></a> is not set for the service.</p><p>See the section below on <a href="#SECURITY"><i class="parameter"><tt>
1061 security</tt></i></a> for more information about this option.
1062 </p><p>Default: <b class="command">guest only = no</b></p></dd><dt><span class="term"><a name="HIDEDOTFILES"></a>hide dot files (S)</span></dt><dd><p>This is a boolean parameter that controls whether
1063 files starting with a dot appear as hidden files.</p><p>Default: <b class="command">hide dot files = yes</b></p></dd><dt><span class="term"><a name="HIDEFILES"></a>hide files (S)</span></dt><dd><p>This is a list of files or directories that are not
1064 visible but are accessible. The DOS 'hidden' attribute is applied
1065 to any files or directories that match.</p><p>Each entry in the list must be separated by a '/',
1066 which allows spaces to be included in the entry. '*'
1067 and '?' can be used to specify multiple files or directories
1068 as in DOS wildcards.</p><p>Each entry must be a Unix path, not a DOS path and must
1069 not include the Unix directory separator '/'.</p><p>Note that the case sensitivity option is applicable
1070 in hiding files.</p><p>Setting this parameter will affect the performance of Samba,
1071 as it will be forced to check all files and directories for a match
1072 as they are scanned.</p><p>See also <a href="#HIDEDOTFILES"><i class="parameter"><tt>hide
1073 dot files</tt></i></a>, <a href="#VETOFILES"><i class="parameter"><tt>
1074 veto files</tt></i></a> and <a href="#CASESENSITIVE">
1075 <i class="parameter"><tt>case sensitive</tt></i></a>.</p><p>Default: <span class="emphasis"><em>no file are hidden</em></span></p><p>Example: <b class="command">hide files =
1076 /.*/DesktopFolderDB/TrashFor%m/resource.frk/</b></p><p>The above example is based on files that the Macintosh
1077 SMB client (DAVE) available from <a href="http://www.thursby.com" target="_top">
1078 Thursby</a> creates for internal use, and also still hides
1079 all files beginning with a dot.</p></dd><dt><span class="term"><a name="HIDELOCALUSERS"></a>hide local users (G)</span></dt><dd><p>This parameter toggles the hiding of local UNIX
1080 users (root, wheel, floppy, etc) from remote clients.</p><p>Default: <b class="command">hide local users = no</b></p></dd><dt><span class="term"><a name="HIDESPECIALFILES"></a>hide special files (S)</span></dt><dd><p>This parameter prevents clients from seeing
1081 special files such as sockets, devices and fifo's in directory
1083 </p><p>Default: <b class="command">hide special files = no</b></p></dd><dt><span class="term"><a name="HIDEUNREADABLE"></a>hide unreadable (S)</span></dt><dd><p>This parameter prevents clients from seeing the
1084 existance of files that cannot be read. Defaults to off.</p><p>Default: <b class="command">hide unreadable = no</b></p></dd><dt><span class="term"><a name="HIDEUNWRITEABLEFILES"></a>hide unwriteable files (S)</span></dt><dd><p>This parameter prevents clients from seeing
1085 the existance of files that cannot be written to. Defaults to off.
1086 Note that unwriteable directories are shown as usual.
1087 </p><p>Default: <b class="command">hide unwriteable = no</b></p></dd><dt><span class="term"><a name="HOMEDIRMAP"></a>homedir map (G)</span></dt><dd><p>If<a href="#NISHOMEDIR"><i class="parameter"><tt>nis homedir
1088 </tt></i></a> is <tt class="constant">yes</tt>, and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> is also acting
1089 as a Win95/98 <i class="parameter"><tt>logon server</tt></i> then this parameter
1090 specifies the NIS (or YP) map from which the server for the user's
1091 home directory should be extracted. At present, only the Sun
1092 auto.home map format is understood. The form of the map is:</p><p><b class="command">username server:/some/file/system</b></p><p>and the program will extract the servername from before
1093 the first ':'. There should probably be a better parsing system
1094 that copes with different map formats and also Amd (another
1095 automounter) maps.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>A working NIS client is required on
1096 the system for this option to work.</p></div><p>See also <a href="#NISHOMEDIR"><i class="parameter"><tt>nis homedir</tt></i>
1097 </a>, <a href="#DOMAINLOGONS"><i class="parameter"><tt>domain logons</tt></i>
1098 </a>.</p><p>Default: <b class="command">homedir map = <empty string></b></p><p>Example: <b class="command">homedir map = amd.homedir</b></p></dd><dt><span class="term"><a name="HOSTMSDFS"></a>host msdfs (G)</span></dt><dd><p>This boolean parameter is only available
1099 if Samba has been configured and compiled with the <b class="command">
1100 --with-msdfs</b> option. If set to <tt class="constant">yes</tt>,
1101 Samba will act as a Dfs server, and allow Dfs-aware clients
1102 to browse Dfs trees hosted on the server.</p><p>See also the <a href="#MSDFSROOT"><i class="parameter"><tt>
1103 msdfs root</tt></i></a> share level parameter. For
1104 more information on setting up a Dfs tree on Samba,
1105 refer to <a href="msdfs_setup.html" target="_top">msdfs_setup.html</a>.
1106 </p><p>Default: <b class="command">host msdfs = no</b></p></dd><dt><span class="term"><a name="HOSTNAMELOOKUPS"></a>hostname lookups (G)</span></dt><dd><p>Specifies whether samba should use (expensive)
1107 hostname lookups or use the ip addresses instead. An example place
1108 where hostname lookups are currently used is when checking
1109 the <b class="command">hosts deny</b> and <b class="command">hosts allow</b>.
1110 </p><p>Default: <b class="command">hostname lookups = yes</b></p><p>Example: <b class="command">hostname lookups = no</b></p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <i class="parameter"><tt>allow
1111 hosts</tt></i>.</p><p>This parameter is a comma, space, or tab delimited
1112 set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will
1113 apply to all services, regardless of whether the individual
1114 service has a different setting.</p><p>You can specify the hosts by name or IP number. For
1115 example, you could restrict access to only the hosts on a
1116 Class C subnet with something like <b class="command">allow hosts = 150.203.5.
1117 </b>. The full syntax of the list is described in the man
1118 page <tt class="filename">hosts_access(5)</tt>. Note that this man
1119 page may not be present on your system, so a brief description will
1120 be given here also.</p><p>Note that the localhost address 127.0.0.1 will always
1121 be allowed access unless specifically denied by a <a href="#HOSTSDENY">
1122 <i class="parameter"><tt>hosts deny</tt></i></a> option.</p><p>You can also specify hosts by network/netmask pairs and
1123 by netgroup names if your system supports netgroups. The
1124 <span class="emphasis"><em>EXCEPT</em></span> keyword can also be used to limit a
1125 wildcard list. The following examples may provide some help:</p><p>Example 1: allow all IPs in 150.203.*.*; except one</p><p><b class="command">hosts allow = 150.203. EXCEPT 150.203.6.66</b></p><p>Example 2: allow hosts that match the given network/netmask</p><p><b class="command">hosts allow = 150.203.15.0/255.255.255.0</b></p><p>Example 3: allow a couple of hosts</p><p><b class="command">hosts allow = lapland, arvidsjaur</b></p><p>Example 4: allow only hosts in NIS netgroup "foonet", but
1126 deny access from one particular host</p><p><b class="command">hosts allow = @foonet</b></p><p><b class="command">hosts deny = pirate</b></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that access still requires suitable user-level passwords.</p></div><p>See <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> for a way of testing your host access
1127 to see if it does what you expect.</p><p>Default: <span class="emphasis"><em>none (i.e., all hosts permitted access)</em></span></p><p>Example: <b class="command">allow hosts = 150.203.5. myhost.mynet.edu.au</b></p></dd><dt><span class="term"><a name="HOSTSDENY"></a>hosts deny (S)</span></dt><dd><p>The opposite of <i class="parameter"><tt>hosts allow</tt></i>
1128 - hosts listed here are <span class="emphasis"><em>NOT</em></span> permitted access to
1129 services unless the specific services have their own lists to override
1130 this one. Where the lists conflict, the <i class="parameter"><tt>allow</tt></i>
1131 list takes precedence.</p><p>Default: <span class="emphasis"><em>none (i.e., no hosts specifically excluded)</em></span></p><p>Example: <b class="command">hosts deny = 150.203.4. badhost.mynet.edu.au</b></p></dd><dt><span class="term"><a name="HOSTSEQUIV"></a>hosts equiv (G)</span></dt><dd><p>If this global parameter is a non-null string,
1132 it specifies the name of a file to read for the names of hosts
1133 and users who will be allowed access without specifying a password.
1134 </p><p>This is not be confused with <a href="#HOSTSALLOW">
1135 <i class="parameter"><tt>hosts allow</tt></i></a> which is about hosts
1136 access to services and is more useful for guest services. <i class="parameter"><tt>
1137 hosts equiv</tt></i> may be useful for NT clients which will
1138 not supply passwords to Samba.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The use of <i class="parameter"><tt>hosts equiv
1139 </tt></i> can be a major security hole. This is because you are
1140 trusting the PC to supply the correct username. It is very easy to
1141 get a PC to supply a false username. I recommend that the
1142 <i class="parameter"><tt>hosts equiv</tt></i> option be only used if you really
1143 know what you are doing, or perhaps on a home network where you trust
1144 your spouse and kids. And only if you <span class="emphasis"><em>really</em></span> trust
1145 them :-).</p></div><p>Default: <span class="emphasis"><em>no host equivalences</em></span></p><p>Example: <b class="command">hosts equiv = /etc/hosts.equiv</b></p></dd><dt><span class="term"><a name="IDMAPGID"></a>idmap gid (G)</span></dt><dd><p>The idmap gid parameter specifies the range of group ids that are allocated for
1146 the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no
1147 existing local or NIS groups within it as strange conflicts can occur otherwise.</p><p>The availability of an idmap gid range is essential for correct operation of
1148 all group mapping.</p><p>Default: <b class="command">idmap gid = <empty string></b></p><p>Example: <b class="command">idmap gid = 10000-20000</b></p></dd><dt><span class="term"><a name="IDMAPUID"></a>idmap uid (G)</span></dt><dd><p>The idmap uid parameter specifies the range of user ids that are allocated for use
1149 in mapping UNIX users to NT user SIDs. This range of ids should have no existing local
1150 or NIS users within it as strange conflicts can occur otherwise.</p><p>Default: <b class="command">idmap uid = <empty string></b></p><p>Example: <b class="command">idmap uid = 10000-20000</b></p></dd><dt><span class="term"><a name="INCLUDE"></a>include (G)</span></dt><dd><p>This allows you to include one config file
1151 inside another. The file is included literally, as though typed
1152 in place.</p><p>It takes the standard substitutions, except <i class="parameter"><tt>%u
1153 </tt></i>, <i class="parameter"><tt>%P</tt></i> and <i class="parameter"><tt>%S</tt></i>.
1154 </p><p>Default: <span class="emphasis"><em>no file included</em></span></p><p>Example: <b class="command">include = /usr/local/samba/lib/admin_smb.conf</b></p></dd><dt><span class="term"><a name="INHERITACLS"></a>inherit acls (S)</span></dt><dd><p>This parameter can be used to ensure that if default acls
1155 exist on parent directories, they are always honored when creating a
1156 subdirectory. The default behavior is to use the mode specified when
1157 creating the directory. Enabling this option sets the mode to 0777,
1158 thus guaranteeing that default directory acls are propagated.
1159 </p><p>Default: <b class="command">inherit acls = no</b>
1160 </p></dd><dt><span class="term"><a name="INHERITPERMISSIONS"></a>inherit permissions (S)</span></dt><dd><p>The permissions on new files and directories
1161 are normally governed by <a href="#CREATEMASK"><i class="parameter"><tt>
1162 create mask</tt></i></a>, <a href="#DIRECTORYMASK">
1163 <i class="parameter"><tt>directory mask</tt></i></a>, <a href="#FORCECREATEMODE">
1164 <i class="parameter"><tt>force create mode</tt></i>
1165 </a> and <a href="#FORCEDIRECTORYMODE"><i class="parameter"><tt>force
1166 directory mode</tt></i></a> but the boolean inherit
1167 permissions parameter overrides this.</p><p>New directories inherit the mode of the parent directory,
1168 including bits such as setgid.</p><p>New files inherit their read/write bits from the parent
1169 directory. Their execute bits continue to be determined by
1170 <a href="#MAPARCHIVE"><i class="parameter"><tt>map archive</tt></i>
1171 </a>, <a href="#MAPHIDDEN"><i class="parameter"><tt>map hidden</tt></i>
1172 </a> and <a href="#MAPSYSTEM"><i class="parameter"><tt>map system</tt></i>
1173 </a> as usual.</p><p>Note that the setuid bit is <span class="emphasis"><em>never</em></span> set via
1174 inheritance (the code explicitly prohibits this).</p><p>This can be particularly useful on large systems with
1175 many users, perhaps several thousand, to allow a single [homes]
1176 share to be used flexibly by each user.</p><p>See also <a href="#CREATEMASK"><i class="parameter"><tt>create mask
1177 </tt></i></a>, <a href="#DIRECTORYMASK"><i class="parameter"><tt>
1178 directory mask</tt></i></a>, <a href="#FORCECREATEMODE">
1179 <i class="parameter"><tt>force create mode</tt></i></a> and <a href="#FORCEDIRECTORYMODE">
1180 <i class="parameter"><tt>force directory mode</tt></i>
1181 </a>.</p><p>Default: <b class="command">inherit permissions = no</b></p></dd><dt><span class="term"><a name="INTERFACES"></a>interfaces (G)</span></dt><dd><p>This option allows you to override the default
1182 network interfaces list that Samba will use for browsing, name
1183 registration and other NBT traffic. By default Samba will query
1184 the kernel for the list of all active interfaces and use any
1185 interfaces except 127.0.0.1 that are broadcast capable.</p><p>The option takes a list of interface strings. Each string
1186 can be in any of the following forms:</p><div class="itemizedlist"><ul type="disc"><li><p>a network interface name (such as eth0).
1187 This may include shell-like wildcards so eth* will match
1188 any interface starting with the substring "eth"</p></li><li><p>an IP address. In this case the netmask is
1189 determined from the list of interfaces obtained from the
1190 kernel</p></li><li><p>an IP/mask pair. </p></li><li><p>a broadcast/mask pair.</p></li></ul></div><p>The "mask" parameters can either be a bit length (such
1191 as 24 for a C class network) or a full netmask in dotted
1192 decimal form.</p><p>The "IP" parameters above can either be a full dotted
1193 decimal IP address or a hostname which will be looked up via
1194 the OS's normal hostname resolution mechanisms.</p><p>For example, the following line:</p><p><b class="command">interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</b></p><p>would configure three network interfaces corresponding
1195 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
1196 The netmasks of the latter two interfaces would be set to 255.255.255.0.</p><p>See also <a href="#BINDINTERFACESONLY"><i class="parameter"><tt>bind
1197 interfaces only</tt></i></a>.</p><p>Default: <span class="emphasis"><em>all active interfaces except 127.0.0.1
1198 that are broadcast capable</em></span></p></dd><dt><span class="term"><a name="INVALIDUSERS"></a>invalid users (S)</span></dt><dd><p>This is a list of users that should not be allowed
1199 to login to this service. This is really a <span class="emphasis"><em>paranoid</em></span>
1200 check to absolutely ensure an improper setting does not breach
1201 your security.</p><p>A name starting with a '@' is interpreted as an NIS
1202 netgroup first (if your system supports NIS), and then as a UNIX
1203 group if the name was not found in the NIS netgroup database.</p><p>A name starting with '+' is interpreted only
1204 by looking in the UNIX group database. A name starting with
1205 '&' is interpreted only by looking in the NIS netgroup database
1206 (this requires NIS to be working on your system). The characters
1207 '+' and '&' may be used at the start of the name in either order
1208 so the value <i class="parameter"><tt>+&group</tt></i> means check the
1209 UNIX group database, followed by the NIS netgroup database, and
1210 the value <i class="parameter"><tt>&+group</tt></i> means check the NIS
1211 netgroup database, followed by the UNIX group database (the
1212 same as the '@' prefix).</p><p>The current servicename is substituted for <i class="parameter"><tt>%S</tt></i>.
1213 This is useful in the [homes] section.</p><p>See also <a href="#VALIDUSERS"><i class="parameter"><tt>valid users
1214 </tt></i></a>.</p><p>Default: <span class="emphasis"><em>no invalid users</em></span></p><p>Example: <b class="command">invalid users = root fred admin @wheel</b></p></dd><dt><span class="term"><a name="KEEPALIVE"></a>keepalive (G)</span></dt><dd><p>The value of the parameter (an integer) represents
1215 the number of seconds between <i class="parameter"><tt>keepalive</tt></i>
1216 packets. If this parameter is zero, no keepalive packets will be
1217 sent. Keepalive packets, if sent, allow the server to tell whether
1218 a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket
1219 being used has the SO_KEEPALIVE attribute set on it (see <a href="#SOCKETOPTIONS">
1220 <i class="parameter"><tt>socket options</tt></i></a>).
1221 Basically you should only use this option if you strike difficulties.</p><p>Default: <b class="command">keepalive = 300</b></p><p>Example: <b class="command">keepalive = 600</b></p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a href="#OPLOCKS">
1222 <i class="parameter"><tt>oplocks</tt></i></a>
1223 (currently only IRIX and the Linux 2.4 kernel), this parameter
1224 allows the use of them to be turned on or off.</p><p>Kernel oplocks support allows Samba <i class="parameter"><tt>oplocks
1225 </tt></i> to be broken whenever a local UNIX process or NFS operation
1226 accesses a file that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> has oplocked. This allows complete
1227 data consistency between SMB/CIFS, NFS and local file access (and is
1228 a <span class="emphasis"><em>very</em></span> cool feature :-).</p><p>This parameter defaults to <tt class="constant">on</tt>, but is translated
1229 to a no-op on systems that no not have the necessary kernel support.
1230 You should never need to touch this parameter.</p><p>See also the <a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i>
1231 </a> and <a href="#LEVEL2OPLOCKS"><i class="parameter"><tt>level2 oplocks
1232 </tt></i></a> parameters.</p><p>Default: <b class="command">kernel oplocks = yes</b></p></dd><dt><span class="term"><a name="LANMANAUTH"></a>lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to authenticate users
1233 using the LANMAN password hash. If disabled, only clients which support NT
1234 password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
1235 Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</p><p>The LANMAN encrypted response is easily broken, due to it's
1236 case-insensitive nature, and the choice of algorithm. Servers
1237 without Windows 95/98 or MS DOS clients are advised to disable
1238 this option. </p><p>Unlike the <b class="command">encypt
1239 passwords</b> option, this parameter cannot alter client
1240 behaviour, and the LANMAN response will still be sent over the
1241 network. See the <b class="command">client lanman
1242 auth</b> to disable this for Samba's clients (such as smbclient)</p><p>If this option, and <b class="command">ntlm
1243 auth</b> are both disabled, then only NTLMv2 logins will be
1244 permited. Not all clients support NTLMv2, and most will require
1245 special configuration to us it.</p><p>Default : <b class="command">lanman auth = yes</b></p></dd><dt><span class="term"><a name="LARGEREADWRITE"></a>large readwrite (G)</span></dt><dd><p>This parameter determines whether or not
1246 <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> supports the new 64k
1247 streaming read and write varient SMB requests introduced with
1248 Windows 2000. Note that due to Windows 2000 client redirector bugs
1249 this requires Samba to be running on a 64-bit capable operating
1250 system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve
1251 performance by 10% with Windows 2000 clients. Defaults to on. Not as
1252 tested as some other Samba code paths.</p><p>Default: <b class="command">large readwrite = yes</b></p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p> The <i class="parameter"><tt>ldap admin dn</tt></i>
1253 defines the Distinguished Name (DN) name used by Samba to
1254 contact the ldap server when retreiving user account
1255 information. The <i class="parameter"><tt>ldap admin
1256 dn</tt></i> is used in conjunction with the admin dn password
1257 stored in the <tt class="filename">private/secrets.tdb</tt> file.
1258 See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> man page for more
1259 information on how to accmplish this.</p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete
1260 operation in the ldapsam deletes the complete entry or only the attributes
1262 </p><p>Default: <span class="emphasis"><em>ldap delete dn = no</em></span></p></dd><dt><span class="term"><a name="LDAPFILTER"></a>ldap filter (G)</span></dt><dd><p>This parameter specifies the RFC 2254 compliant LDAP search filter.
1263 The default is to match the login name with the <tt class="constant">uid</tt>
1264 attribute for all entries matching the <tt class="constant">sambaAccount</tt>
1265 objectclass. Note that this filter should only return one entry.
1266 </p><p>Default: <b class="command">ldap filter = (&(uid=%u)(objectclass=sambaAccount))</b></p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p>It specifies where machines should be added to the ldap tree.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPPASSWDSYNC"></a>ldap passwd sync (G)</span></dt><dd><p>This option is used to define whether
1267 or not Samba should sync the LDAP password with the NT
1268 and LM hashes for normal accounts (NOT for
1269 workstation, server or domain trusts) on a password
1271 </p><p>The <i class="parameter"><tt>ldap passwd
1272 sync</tt></i> can be set to one of three values: </p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>Yes</tt></i> = Try
1273 to update the LDAP, NT and LM passwords and update the pwdLastSet time.</p></li><li><p><i class="parameter"><tt>No</tt></i> = Update NT and
1274 LM passwords and update the pwdLastSet time.</p></li><li><p><i class="parameter"><tt>Only</tt></i> = Only update
1275 the LDAP password and let the LDAP server do the rest.</p></li></ul></div><p>Default: <b class="command">ldap passwd sync = no</b></p></dd><dt><span class="term"><a name="LDAPPORT"></a>ldap port (G)</span></dt><dd><p>This parameter is only available if Samba has been
1276 configure to include the <b class="command">--with-ldapsam</b> option
1277 at compile time.</p><p>This option is used to control the tcp port number used to contact
1278 the <a href="#LDAPSERVER"><i class="parameter"><tt>ldap server</tt></i></a>.
1279 The default is to use the stand LDAPS port 636.</p><p>See Also: <a href="#LDAPSSL">ldap ssl</a></p><p>Default : <b class="command">ldap port = 636 ; if ldap ssl = on</b></p><p>Default : <b class="command">ldap port = 389 ; if ldap ssl = off</b></p></dd><dt><span class="term"><a name="LDAPSERVER"></a>ldap server (G)</span></dt><dd><p>This parameter is only available if Samba has been
1280 configure to include the <b class="command">--with-ldapsam</b>
1281 option at compile time.</p><p>This parameter should contain the FQDN of the ldap directory
1282 server which should be queried to locate user account information.
1283 </p><p>Default : <b class="command">ldap server = localhost</b></p></dd><dt><span class="term"><a name="LDAPSSL"></a>ldap ssl (G)</span></dt><dd><p>This option is used to define whether or not Samba should
1284 use SSL when connecting to the ldap server
1285 This is <span class="emphasis"><em>NOT</em></span> related to
1286 Samba's previous SSL support which was enabled by specifying the
1287 <b class="command">--with-ssl</b> option to the <tt class="filename">configure</tt>
1288 script.</p><p>The <i class="parameter"><tt>ldap ssl</tt></i> can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>Off</tt></i> = Never
1289 use SSL when querying the directory.</p></li><li><p><i class="parameter"><tt>Start_tls</tt></i> = Use
1290 the LDAPv3 StartTLS extended operation (RFC2830) for
1291 communicating with the directory server.</p></li><li><p><i class="parameter"><tt>On</tt></i> = Use SSL
1292 on the ldaps port when contacting the <i class="parameter"><tt>ldap server</tt></i>. Only available when the
1293 backwards-compatiblity <b class="command">--with-ldapsam</b> option is specified
1294 to configure. See <a href="#PASSDBBACKEND"><i class="parameter"><tt>passdb backend</tt></i></a></p></li></ul></div><p>Default : <b class="command">ldap ssl = start_tls</b></p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies where user and machine accounts are added to the
1295 tree. Can be overriden by <b class="command">ldap user
1296 suffix</b> and <b class="command">ldap machine
1297 suffix</b>. It also used as the base dn for all ldap
1298 searches. </p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LDAPTRUSTIDS"></a>ldap trust ids (G)</span></dt><dd><p>Normally, Samba validates each entry in the LDAP server
1299 against getpwnam(). This allows LDAP to be used for Samba with
1300 the unix system using NIS (for example) and also ensures that
1301 Samba does not present accounts that do not otherwise exist.
1302 </p><p>This option is used to disable this functionality, and
1303 instead to rely on the presence of the appropriate attributes
1304 in LDAP directly, which can result in a significant performance
1305 boost in some situations. Setting this option to yes effectivly
1306 assumes that the local machine is running <b class="command">nss_ldap</b> against the same LDAP
1307 server.</p><p>Default: <b class="command">ldap trust ids = No</b></p></dd><dt><span class="term"><a name="LDAPUSERSUFFIX"></a>ldap user suffix (G)</span></dt><dd><p>It specifies where users are added to the tree.</p><p>Default: <span class="emphasis"><em>none</em></span></p></dd><dt><span class="term"><a name="LEVEL2OPLOCKS"></a>level2 oplocks (S)</span></dt><dd><p>This parameter controls whether Samba supports
1308 level2 (read-only) oplocks on a share.</p><p>Level2, or read-only oplocks allow Windows NT clients
1309 that have an oplock on a file to downgrade from a read-write oplock
1310 to a read-only oplock once a second client opens the file (instead
1311 of releasing all oplocks on a second open, as in traditional,
1312 exclusive oplocks). This allows all openers of the file that
1313 support level2 oplocks to cache the file for read-ahead only (ie.
1314 they may not cache writes or lock requests) and increases performance
1315 for many accesses of files that are not commonly written (such as
1316 application .EXE files).</p><p>Once one of the clients which have a read-only oplock
1317 writes to the file all clients are notified (no reply is needed
1318 or waited for) and told to break their oplocks to "none" and
1319 delete any read-ahead caches.</p><p>It is recommended that this parameter be turned on to
1320 speed access to shared executables.</p><p>For more discussions on level2 oplocks see the CIFS spec.</p><p>Currently, if <a href="#KERNELOPLOCKS"><i class="parameter"><tt>kernel
1321 oplocks</tt></i></a> are supported then level2 oplocks are
1322 not granted (even if this parameter is set to <tt class="constant">yes</tt>).
1323 Note also, the <a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i>
1324 </a> parameter must be set to <tt class="constant">yes</tt> on this share in order for
1325 this parameter to have any effect.</p><p>See also the <a href="#OPLOCKS"><i class="parameter"><tt>oplocks</tt></i>
1326 </a> and <a href="#OPLOCKS"><i class="parameter"><tt>kernel oplocks</tt></i>
1327 </a> parameters.</p><p>Default: <b class="command">level2 oplocks = yes</b></p></dd><dt><span class="term"><a name="LMANNOUNCE"></a>lm announce (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will produce Lanman announce
1328 broadcasts that are needed by OS/2 clients in order for them to see
1329 the Samba server in their browse list. This parameter can have three
1330 values, <tt class="constant">yes</tt>, <tt class="constant">no</tt>, or
1331 <tt class="constant">auto</tt>. The default is <tt class="constant">auto</tt>.
1332 If set to <tt class="constant">no</tt> Samba will never produce these
1333 broadcasts. If set to <tt class="constant">yes</tt> Samba will produce
1334 Lanman announce broadcasts at a frequency set by the parameter
1335 <i class="parameter"><tt>lm interval</tt></i>. If set to <tt class="constant">auto</tt>
1336 Samba will not send Lanman announce broadcasts by default but will
1337 listen for them. If it hears such a broadcast on the wire it will
1338 then start sending them at a frequency set by the parameter
1339 <i class="parameter"><tt>lm interval</tt></i>.</p><p>See also <a href="#LMINTERVAL"><i class="parameter"><tt>lm interval</tt></i></a>.</p><p>Default: <b class="command">lm announce = auto</b></p><p>Example: <b class="command">lm announce = yes</b></p></dd><dt><span class="term"><a name="LMINTERVAL"></a>lm interval (G)</span></dt><dd><p>If Samba is set to produce Lanman announce
1340 broadcasts needed by OS/2 clients (see the <a href="#LMANNOUNCE">
1341 <i class="parameter"><tt>lm announce</tt></i></a> parameter) then this
1342 parameter defines the frequency in seconds with which they will be
1343 made. If this is set to zero then no Lanman announcements will be
1344 made despite the setting of the <i class="parameter"><tt>lm announce</tt></i>
1345 parameter.</p><p>See also <a href="#LMANNOUNCE"><i class="parameter"><tt>lm announce</tt></i></a>.</p><p>Default: <b class="command">lm interval = 60</b></p><p>Example: <b class="command">lm interval = 120</b></p></dd><dt><span class="term"><a name="LOADPRINTERS"></a>load printers (G)</span></dt><dd><p>A boolean variable that controls whether all
1346 printers in the printcap will be loaded for browsing by default.
1347 See the <a href="#PRINTERSSECT" title="The [printers] section">printers</a> section for
1348 more details.</p><p>Default: <b class="command">load printers = yes</b></p></dd><dt><span class="term"><a name="LOCALMASTER"></a>local master (G)</span></dt><dd><p>This option allows <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to try and become a local master browser
1349 on a subnet. If set to <tt class="constant">no</tt> then <b class="command">
1350 nmbd</b> will not attempt to become a local master browser
1351 on a subnet and will also lose in all browsing elections. By
1352 default this value is set to <tt class="constant">yes</tt>. Setting this value to
1353 <tt class="constant">yes</tt> doesn't mean that Samba will <span class="emphasis"><em>become</em></span> the
1354 local master browser on a subnet, just that <b class="command">nmbd</b>
1355 will <span class="emphasis"><em>participate</em></span> in elections for local master browser.</p><p>Setting this value to <tt class="constant">no</tt> will cause <b class="command">nmbd</b> <span class="emphasis"><em>never</em></span> to become a local
1356 master browser.</p><p>Default: <b class="command">local master = yes</b></p></dd><dt><span class="term"><a name="LOCKDIR"></a>lock dir (G)</span></dt><dd><p>Synonym for <a href="#LOCKDIRECTORY"><i class="parameter"><tt>
1357 lock directory</tt></i></a>.
1358 </p></dd><dt><span class="term"><a name="LOCKDIRECTORY"></a>lock directory (G)</span></dt><dd><p>This option specifies the directory where lock
1359 files will be placed. The lock files are used to implement the
1360 <a href="#MAXCONNECTIONS"><i class="parameter"><tt>max connections</tt></i>
1361 </a> option.</p><p>Default: <b class="command">lock directory = ${prefix}/var/locks</b></p><p>Example: <b class="command">lock directory = /var/run/samba/locks</b></p></dd><dt><span class="term"><a name="LOCKING"></a>locking (S)</span></dt><dd><p>This controls whether or not locking will be
1362 performed by the server in response to lock requests from the
1363 client.</p><p>If <b class="command">locking = no</b>, all lock and unlock
1364 requests will appear to succeed and all lock queries will report
1365 that the file in question is available for locking.</p><p>If <b class="command">locking = yes</b>, real locking will be performed
1366 by the server.</p><p>This option <span class="emphasis"><em>may</em></span> be useful for read-only
1367 filesystems which <span class="emphasis"><em>may</em></span> not need locking (such as
1368 CDROM drives), although setting this parameter of <tt class="constant">no</tt>
1369 is not really recommended even in this case.</p><p>Be careful about disabling locking either globally or in a
1370 specific service, as lack of locking may result in data corruption.
1371 You should never need to set this parameter.</p><p>Default: <b class="command">locking = yes</b></p></dd><dt><span class="term"><a name="LOCKSPINCOUNT"></a>lock spin count (G)</span></dt><dd><p>This parameter controls the number of times
1372 that smbd should attempt to gain a byte range lock on the
1373 behalf of a client request. Experiments have shown that
1374 Windows 2k servers do not reply with a failure if the lock
1375 could not be immediately granted, but try a few more times
1376 in case the lock could later be aquired. This behavior
1377 is used to support PC database formats such as MS Access
1379 </p><p>Default: <b class="command">lock spin count = 2</b></p></dd><dt><span class="term"><a name="LOCKSPINTIME"></a>lock spin time (G)</span></dt><dd><p>The time in microseconds that smbd should
1380 pause before attempting to gain a failed lock. See
1381 <a href="#LOCKSPINCOUNT"><i class="parameter"><tt>lock spin
1382 count</tt></i></a> for more details.</p><p>Default: <b class="command">lock spin time = 10</b></p></dd><dt><span class="term"><a name="LOGFILE"></a>log file (G)</span></dt><dd><p>This option allows you to override the name
1383 of the Samba log file (also known as the debug file).</p><p>This option takes the standard substitutions, allowing
1384 you to have separate log files for each user or machine.</p><p>Example: <b class="command">log file = /usr/local/samba/var/log.%m</b></p></dd><dt><span class="term"><a name="LOGLEVEL"></a>log level (G)</span></dt><dd><p>The value of the parameter (a astring) allows
1385 the debug level (logging level) to be specified in the
1386 <tt class="filename">smb.conf</tt> file. This parameter has been
1387 extended since the 2.2.x series, now it allow to specify the debug
1388 level for multiple debug classes. This is to give greater
1389 flexibility in the configuration of the system.</p><p>The default will be the log level specified on
1390 the command line or level zero if none was specified.</p><p>Example: <b class="command">log level = 3 passdb:5 auth:10 winbind:2</b></p></dd><dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p>This parameter specifies the local path to
1391 which the home directory will be connected (see <a href="#LOGONHOME">
1392 <i class="parameter"><tt>logon home</tt></i></a>)
1393 and is only used by NT Workstations. </p><p>Note that this option is only useful if Samba is set up as a
1394 logon server.</p><p>Default: <b class="command">logon drive = z:</b></p><p>Example: <b class="command">logon drive = h:</b></p></dd><dt><span class="term"><a name="LOGONHOME"></a>logon home (G)</span></dt><dd><p>This parameter specifies the home directory
1395 location when a Win95/98 or NT Workstation logs into a Samba PDC.
1396 It allows you to do </p><p><tt class="prompt">C:\></tt>
1397 <b class="userinput"><tt>NET USE H: /HOME</tt></b>
1398 </p><p>from a command prompt, for example.</p><p>This option takes the standard substitutions, allowing
1399 you to have separate logon scripts for each user or machine.</p><p>This parameter can be used with Win9X workstations to ensure
1400 that roaming profiles are stored in a subdirectory of the user's
1401 home directory. This is done in the following way:</p><p><b class="command">logon home = \\%N\%U\profile</b></p><p>This tells Samba to return the above string, with
1402 substitutions made when a client requests the info, generally
1403 in a NetUserGetInfo request. Win9X clients truncate the info to
1404 \\server\share when a user does <b class="command">net use /home</b>
1405 but use the whole string when dealing with profiles.</p><p>Note that in prior versions of Samba, the <a href="#LOGONPATH">
1406 <i class="parameter"><tt>logon path</tt></i></a> was returned rather than
1407 <i class="parameter"><tt>logon home</tt></i>. This broke <b class="command">net use /home</b> but allowed profiles outside the home directory.
1408 The current implementation is correct, and can be used for profiles if you use
1409 the above trick.</p><p>This option is only useful if Samba is set up as a logon
1410 server.</p><p>Default: <b class="command">logon home = "\\%N\%U"</b></p><p>Example: <b class="command">logon home = "\\remote_smb_server\%U"</b></p></dd><dt><span class="term"><a name="LOGONPATH"></a>logon path (G)</span></dt><dd><p>This parameter specifies the home directory
1411 where roaming profiles (NTuser.dat etc files for Windows NT) are
1412 stored. Contrary to previous versions of these manual pages, it has
1413 nothing to do with Win 9X roaming profiles. To find out how to
1414 handle roaming profiles for Win 9X system, see the <a href="#LOGONHOME">
1415 <i class="parameter"><tt>logon home</tt></i></a> parameter.</p><p>This option takes the standard substitutions, allowing you
1416 to have separate logon scripts for each user or machine. It also
1417 specifies the directory from which the "Application Data",
1418 (<tt class="filename">desktop</tt>, <tt class="filename">start menu</tt>,
1419 <tt class="filename">network neighborhood</tt>, <tt class="filename">programs</tt>
1420 and other folders, and their contents, are loaded and displayed on
1421 your Windows NT client.</p><p>The share and the path must be readable by the user for
1422 the preferences and directories to be loaded onto the Windows NT
1423 client. The share must be writeable when the user logs in for the first
1424 time, in order that the Windows NT client can create the NTuser.dat
1425 and other directories.</p><p>Thereafter, the directories and any of the contents can,
1426 if required, be made read-only. It is not advisable that the
1427 NTuser.dat file be made read-only - rename it to NTuser.man to
1428 achieve the desired effect (a <span class="emphasis"><em>MAN</em></span>datory
1429 profile). </p><p>Windows clients can sometimes maintain a connection to
1430 the [homes] share, even though there is no user logged in.
1431 Therefore, it is vital that the logon path does not include a
1432 reference to the homes share (i.e. setting this parameter to
1433 \%N\%U\profile_path will cause problems).</p><p>This option takes the standard substitutions, allowing
1434 you to have separate logon scripts for each user or machine.</p><p>Note that this option is only useful if Samba is set up
1435 as a logon server.</p><p>Default: <b class="command">logon path = \\%N\%U\profile</b></p><p>Example: <b class="command">logon path = \\PROFILESERVER\PROFILE\%U</b></p></dd><dt><span class="term"><a name="LOGONSCRIPT"></a>logon script (G)</span></dt><dd><p>This parameter specifies the batch file (.bat) or
1436 NT command file (.cmd) to be downloaded and run on a machine when
1437 a user successfully logs in. The file must contain the DOS
1438 style CR/LF line endings. Using a DOS-style editor to create the
1439 file is recommended.</p><p>The script must be a relative path to the [netlogon]
1440 service. If the [netlogon] service specifies a <a href="#PATH">
1441 <i class="parameter"><tt>path</tt></i></a> of <tt class="filename">/usr/local/samba/netlogon</tt>, and <b class="command">logon script = STARTUP.BAT</b>, then
1442 the file that will be downloaded is:</p><p><tt class="filename">/usr/local/samba/netlogon/STARTUP.BAT</tt></p><p>The contents of the batch file are entirely your choice. A
1443 suggested command would be to add <b class="command">NET TIME \\SERVER /SET
1444 /YES</b>, to force every machine to synchronize clocks with
1445 the same time server. Another use would be to add <b class="command">NET USE
1446 U: \\SERVER\UTILS</b> for commonly used utilities, or <b class="command">
1447 NET USE Q: \\SERVER\ISO9001_QA</b> for example.</p><p>Note that it is particularly important not to allow write
1448 access to the [netlogon] share, or to grant users write permission
1449 on the batch files in a secure environment, as this would allow
1450 the batch files to be arbitrarily modified and security to be
1451 breached.</p><p>This option takes the standard substitutions, allowing you
1452 to have separate logon scripts for each user or machine.</p><p>This option is only useful if Samba is set up as a logon
1453 server.</p><p>Default: <span class="emphasis"><em>no logon script defined</em></span></p><p>Example: <b class="command">logon script = scripts\%U.bat</b></p></dd><dt><span class="term"><a name="LPPAUSECOMMAND"></a>lppause command (S)</span></dt><dd><p>This parameter specifies the command to be
1454 executed on the server host in order to stop printing or spooling
1455 a specific print job.</p><p>This command should be a program or script which takes
1456 a printer name and job number to pause the print job. One way
1457 of implementing this is by using job priorities, where jobs
1458 having a too low priority won't be sent to the printer.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
1459 is put in its place. A <i class="parameter"><tt>%j</tt></i> is replaced with
1460 the job number (an integer). On HPUX (see <i class="parameter"><tt>printing=hpux
1461 </tt></i>), if the <i class="parameter"><tt>-p%p</tt></i> option is added
1462 to the lpq command, the job will show up with the correct status, i.e.
1463 if the job priority is lower than the set fence priority it will
1464 have the PAUSED status, whereas if the priority is equal or higher it
1465 will have the SPOOLED or PRINTING status.</p><p>Note that it is good practice to include the absolute path
1466 in the lppause command as the PATH may not be available to the server.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
1467 </tt></i></a> parameter.</p><p>Default: Currently no default value is given to
1468 this string, unless the value of the <i class="parameter"><tt>printing</tt></i>
1469 parameter is <tt class="constant">SYSV</tt>, in which case the default is :</p><p><b class="command">lp -i %p-%j -H hold</b></p><p>or if the value of the <i class="parameter"><tt>printing</tt></i> parameter
1470 is <tt class="constant">SOFTQ</tt>, then the default is:</p><p><b class="command">qstat -s -j%j -h</b></p><p>Example for HPUX: <b class="command">lppause command = /usr/bin/lpalt %p-%j -p0</b></p></dd><dt><span class="term"><a name="LPQCACHETIME"></a>lpq cache time (G)</span></dt><dd><p>This controls how long lpq info will be cached
1471 for to prevent the <b class="command">lpq</b> command being called too
1472 often. A separate cache is kept for each variation of the <b class="command">
1473 lpq</b> command used by the system, so if you use different
1474 <b class="command">lpq</b> commands for different users then they won't
1475 share cache information.</p><p>The cache files are stored in <tt class="filename">/tmp/lpq.xxxx</tt>
1476 where xxxx is a hash of the <b class="command">lpq</b> command in use.</p><p>The default is 10 seconds, meaning that the cached results
1477 of a previous identical <b class="command">lpq</b> command will be used
1478 if the cached data is less than 10 seconds old. A large value may
1479 be advisable if your <b class="command">lpq</b> command is very slow.</p><p>A value of 0 will disable caching completely.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing</tt></i></a> parameter.</p><p>Default: <b class="command">lpq cache time = 10</b></p><p>Example: <b class="command">lpq cache time = 30</b></p></dd><dt><span class="term"><a name="LPQCOMMAND"></a>lpq command (S)</span></dt><dd><p>This parameter specifies the command to be
1480 executed on the server host in order to obtain <b class="command">lpq
1481 </b>-style printer status information.</p><p>This command should be a program or script which
1482 takes a printer name as its only parameter and outputs printer
1483 status information.</p><p>Currently nine styles of printer status information
1484 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
1485 This covers most UNIX systems. You control which type is expected
1486 using the <i class="parameter"><tt>printing =</tt></i> option.</p><p>Some clients (notably Windows for Workgroups) may not
1487 correctly send the connection number for the printer they are
1488 requesting status information about. To get around this, the
1489 server reports on the first printer service connected to by the
1490 client. This only happens if the connection number sent is invalid.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
1491 is put in its place. Otherwise it is placed at the end of the
1492 command.</p><p>Note that it is good practice to include the absolute path
1493 in the <i class="parameter"><tt>lpq command</tt></i> as the <tt class="envar">$PATH
1494 </tt> may not be available to the server. When compiled with
1495 the CUPS libraries, no <i class="parameter"><tt>lpq command</tt></i> is
1496 needed because smbd will make a library call to obtain the
1497 print queue listing.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
1498 </tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i class="parameter"><tt>
1499 printing</tt></i></em></span></p><p>Example: <b class="command">lpq command = /usr/bin/lpq -P%p</b></p></dd><dt><span class="term"><a name="LPRESUMECOMMAND"></a>lpresume command (S)</span></dt><dd><p>This parameter specifies the command to be
1500 executed on the server host in order to restart or continue
1501 printing or spooling a specific print job.</p><p>This command should be a program or script which takes
1502 a printer name and job number to resume the print job. See
1503 also the <a href="#LPPAUSECOMMAND"><i class="parameter"><tt>lppause command
1504 </tt></i></a> parameter.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
1505 is put in its place. A <i class="parameter"><tt>%j</tt></i> is replaced with
1506 the job number (an integer).</p><p>Note that it is good practice to include the absolute path
1507 in the <i class="parameter"><tt>lpresume command</tt></i> as the PATH may not
1508 be available to the server.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
1509 </tt></i></a> parameter.</p><p>Default: Currently no default value is given
1510 to this string, unless the value of the <i class="parameter"><tt>printing</tt></i>
1511 parameter is <tt class="constant">SYSV</tt>, in which case the default is :</p><p><b class="command">lp -i %p-%j -H resume</b></p><p>or if the value of the <i class="parameter"><tt>printing</tt></i> parameter
1512 is <tt class="constant">SOFTQ</tt>, then the default is:</p><p><b class="command">qstat -s -j%j -r</b></p><p>Example for HPUX: <b class="command">lpresume command = /usr/bin/lpalt %p-%j -p2</b></p></dd><dt><span class="term"><a name="LPRMCOMMAND"></a>lprm command (S)</span></dt><dd><p>This parameter specifies the command to be
1513 executed on the server host in order to delete a print job.</p><p>This command should be a program or script which takes
1514 a printer name and job number, and deletes the print job.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
1515 is put in its place. A <i class="parameter"><tt>%j</tt></i> is replaced with
1516 the job number (an integer).</p><p>Note that it is good practice to include the absolute
1517 path in the <i class="parameter"><tt>lprm command</tt></i> as the PATH may not be
1518 available to the server.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
1519 </tt></i></a> parameter.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i class="parameter"><tt>printing
1520 </tt></i></em></span></p><p>Example 1: <b class="command">lprm command = /usr/bin/lprm -P%p %j</b></p><p>Example 2: <b class="command">lprm command = /usr/bin/cancel %p-%j</b></p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>If a Samba server is a member of a Windows
1521 NT Domain (see the <a href="#SECURITYEQUALSDOMAIN">security = domain</a>)
1522 parameter) then periodically a running <a href="smbd.8.html" target="_top">
1523 smbd(8)</a> process will try and change the MACHINE ACCOUNT
1524 PASSWORD stored in the TDB called <tt class="filename">private/secrets.tdb
1525 </tt>. This parameter specifies how often this password
1526 will be changed, in seconds. The default is one week (expressed in
1527 seconds), the same as a Windows NT Domain member server.</p><p>See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, and the <a href="#SECURITYEQUALSDOMAIN">
1528 security = domain</a>) parameter.</p><p>Default: <b class="command">machine password timeout = 604800</b></p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p>This parameter specifies the name of a file
1529 which will contain output created by a magic script (see the
1530 <a href="#MAGICSCRIPT"><i class="parameter"><tt>magic script</tt></i></a>
1531 parameter below).</p><p>Warning: If two clients use the same <i class="parameter"><tt>magic script
1532 </tt></i> in the same directory the output file content
1533 is undefined.</p><p>Default: <b class="command">magic output = <magic script name>.out</b></p><p>Example: <b class="command">magic output = myfile.txt</b></p></dd><dt><span class="term"><a name="MAGICSCRIPT"></a>magic script (S)</span></dt><dd><p>This parameter specifies the name of a file which,
1534 if opened, will be executed by the server when the file is closed.
1535 This allows a UNIX script to be sent to the Samba host and
1536 executed on behalf of the connected user.</p><p>Scripts executed in this way will be deleted upon
1537 completion assuming that the user has the appropriate level
1538 of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to
1539 the file specified by the <a href="#MAGICOUTPUT"><i class="parameter"><tt>
1540 magic output</tt></i></a> parameter (see above).</p><p>Note that some shells are unable to interpret scripts
1541 containing CR/LF instead of CR as
1542 the end-of-line marker. Magic scripts must be executable
1543 <span class="emphasis"><em>as is</em></span> on the host, which for some hosts and
1544 some shells will require filtering at the DOS end.</p><p>Magic scripts are <span class="emphasis"><em>EXPERIMENTAL</em></span> and
1545 should <span class="emphasis"><em>NOT</em></span> be relied upon.</p><p>Default: <span class="emphasis"><em>None. Magic scripts disabled.</em></span></p><p>Example: <b class="command">magic script = user.csh</b></p></dd><dt><span class="term"><a name="MANGLECASE"></a>mangle case (S)</span></dt><dd><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a></p><p>Default: <b class="command">mangle case = no</b></p></dd><dt><span class="term"><a name="MANGLEDMAP"></a>mangled map (S)</span></dt><dd><p>This is for those who want to directly map UNIX
1546 file names which cannot be represented on Windows/DOS. The mangling
1547 of names is not always what is needed. In particular you may have
1548 documents with file extensions that differ between DOS and UNIX.
1549 For example, under UNIX it is common to use <tt class="filename">.html</tt>
1550 for HTML files, whereas under Windows/DOS <tt class="filename">.htm</tt>
1551 is more commonly used.</p><p>So to map <tt class="filename">html</tt> to <tt class="filename">htm</tt>
1552 you would use:</p><p><b class="command">mangled map = (*.html *.htm)</b></p><p>One very useful case is to remove the annoying <tt class="filename">;1
1553 </tt> off the ends of filenames on some CDROMs (only visible
1554 under some UNIXes). To do this use a map of (*;1 *;).</p><p>Default: <span class="emphasis"><em>no mangled map</em></span></p><p>Example: <b class="command">mangled map = (*;1 *;)</b></p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX
1555 should be mapped to DOS-compatible names ("mangled") and made visible,
1556 or whether non-DOS names should simply be ignored.</p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for
1557 details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters
1558 before the rightmost dot of the filename are preserved, forced
1559 to upper case, and appear as the first (up to) five characters
1560 of the mangled name.</p></li><li><p>A tilde "~" is appended to the first part of the mangled
1561 name, followed by a two-character unique sequence, based on the
1562 original root name (i.e., the original filename minus its final
1563 extension). The final extension is included in the hash calculation
1564 only if it contains any upper case characters or is longer than three
1565 characters.</p><p>Note that the character to use may be specified using
1566 the <a href="#MANGLINGCHAR"><i class="parameter"><tt>mangling char</tt></i>
1567 </a> option, if you don't like '~'.</p></li><li><p>The first three alphanumeric characters of the final
1568 extension are preserved, forced to upper case and appear as the
1569 extension of the mangled name. The final extension is defined as that
1570 part of the original filename after the rightmost dot. If there are no
1571 dots in the filename, the mangled name will have no extension (except
1572 in the case of "hidden files" - see below).</p></li><li><p>Files whose UNIX name begins with a dot will be
1573 presented as DOS hidden files. The mangled name will be created as
1574 for other filenames, but with the leading dot removed and "___" as
1575 its extension regardless of actual original extension (that's three
1576 underscores).</p></li></ul></div><p>The two-digit hash value consists of upper case alphanumeric characters.</p><p>This algorithm can cause name collisions only if files
1577 in a directory share the same first five alphanumeric characters.
1578 The probability of such a clash is 1/1300.</p><p>The name mangling (if enabled) allows a file to be
1579 copied between UNIX directories from Windows/DOS while retaining
1580 the long UNIX filename. UNIX files can be renamed to a new extension
1581 from Windows/DOS and will retain the same basename. Mangled names
1582 do not change between sessions.</p><p>Default: <b class="command">mangled names = yes</b></p></dd><dt><span class="term"><a name="MANGLINGSTACK"></a>mangling stack (G)</span></dt><dd><p>This parameter controls the number of mangled names
1583 that should be cached in the Samba server <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>This stack is a list of recently mangled base names
1584 (extensions are only maintained if they are longer than 3 characters
1585 or contains upper case characters).</p><p>The larger this value, the more likely it is that mangled
1586 names can be successfully converted to correct long UNIX names.
1587 However, large stack sizes will slow most directory accesses. Smaller
1588 stacks save memory in the server (each stack element costs 256 bytes).
1589 </p><p>It is not possible to absolutely guarantee correct long
1590 filenames, so be prepared for some surprises!</p><p>Default: <b class="command">mangled stack = 50</b></p><p>Example: <b class="command">mangled stack = 100</b></p></dd><dt><span class="term"><a name="MANGLINGPREFIX"></a>mangling prefix (G)</span></dt><dd><p> controls the number of prefix
1591 characters from the original name used when generating
1592 the mangled names. A larger value will give a weaker
1593 hash and therefore more name collisions. The minimum
1594 value is 1 and the maximum value is 6.</p><p>Default: <b class="command">mangle prefix = 1</b></p><p>Example: <b class="command">mangle prefix = 4</b></p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as
1595 the <span class="emphasis"><em>magic</em></span> character in <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">name mangling</a>. The
1596 default is a '~' but this may interfere with some software. Use this option to set
1597 it to whatever you prefer.</p><p>Default: <b class="command">mangling char = ~</b></p><p>Example: <b class="command">mangling char = ^</b></p></dd><dt><span class="term"><a name="MANGLINGMETHOD"></a>mangling method (G)</span></dt><dd><p> controls the algorithm used for the generating
1598 the mangled names. Can take two different values, "hash" and
1599 "hash2". "hash" is the default and is the algorithm that has been
1600 used in Samba for many years. "hash2" is a newer and considered
1601 a better algorithm (generates less collisions) in the names.
1602 However, many Win32 applications store the mangled names and so
1603 changing to the new algorithm must not be done
1604 lightly as these applications may break unless reinstalled.</p><p>Default: <b class="command">mangling method = hash2</b></p><p>Example: <b class="command">mangling method = hash</b></p></dd><dt><span class="term"><a name="MAPACLINHERIT"></a>map acl inherit (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map the 'inherit' and 'protected'
1605 access control entry flags stored in Windows ACLs into an extended attribute
1606 called user.SAMBA_PAI. This parameter only takes effect if Samba is being run
1607 on a platform that supports extended attributes (Linux and IRIX so far) and
1608 allows the Windows 2000 ACL editor to correctly use inheritance with the Samba
1609 POSIX ACL mapping code.
1610 </p><p>Default: <b class="command">map acl inherit = no</b></p></dd><dt><span class="term"><a name="MAPARCHIVE"></a>map archive (S)</span></dt><dd><p>This controls whether the DOS archive attribute
1611 should be mapped to the UNIX owner execute bit. The DOS archive bit
1612 is set when a file has been modified since its last backup. One
1613 motivation for this option it to keep Samba/your PC from making
1614 any file it touches from becoming executable under UNIX. This can
1615 be quite annoying for shared source code, documents, etc...</p><p>Note that this requires the <i class="parameter"><tt>create mask</tt></i>
1616 parameter to be set such that owner execute bit is not masked out
1617 (i.e. it must include 100). See the parameter <a href="#CREATEMASK">
1618 <i class="parameter"><tt>create mask</tt></i></a> for details.</p><p>Default: <b class="command">map archive = yes</b></p></dd><dt><span class="term"><a name="MAPHIDDEN"></a>map hidden (S)</span></dt><dd><p>This controls whether DOS style hidden files
1619 should be mapped to the UNIX world execute bit.</p><p>Note that this requires the <i class="parameter"><tt>create mask</tt></i>
1620 to be set such that the world execute bit is not masked out (i.e.
1621 it must include 001). See the parameter <a href="#CREATEMASK">
1622 <i class="parameter"><tt>create mask</tt></i></a> for details.</p><p>Default: <b class="command">map hidden = no</b></p></dd><dt><span class="term"><a name="MAPSYSTEM"></a>map system (S)</span></dt><dd><p>This controls whether DOS style system files
1623 should be mapped to the UNIX group execute bit.</p><p>Note that this requires the <i class="parameter"><tt>create mask</tt></i>
1624 to be set such that the group execute bit is not masked out (i.e.
1625 it must include 010). See the parameter <a href="#CREATEMASK">
1626 <i class="parameter"><tt>create mask</tt></i></a> for details.</p><p>Default: <b class="command">map system = no</b></p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a href="#SECURITY">
1627 security</a> modes other than <i class="parameter"><tt>security = share</tt></i>
1628 - i.e. <tt class="constant">user</tt>, <tt class="constant">server</tt>,
1629 and <tt class="constant">domain</tt>.</p><p>This parameter can take three different values, which tell
1630 <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> what to do with user
1631 login requests that don't match a valid UNIX user in some way.</p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="constant">Never</tt> - Means user login
1632 requests with an invalid password are rejected. This is the
1633 default.</p></li><li><p><tt class="constant">Bad User</tt> - Means user
1634 logins with an invalid password are rejected, unless the username
1635 does not exist, in which case it is treated as a guest login and
1636 mapped into the <a href="#GUESTACCOUNT"><i class="parameter"><tt>
1637 guest account</tt></i></a>.</p></li><li><p><tt class="constant">Bad Password</tt> - Means user logins
1638 with an invalid password are treated as a guest login and mapped
1639 into the <a href="#GUESTACCOUNT">guest account</a>. Note that
1640 this can cause problems as it means that any user incorrectly typing
1641 their password will be silently logged on as "guest" - and
1642 will not know the reason they cannot access files they think
1643 they should - there will have been no message given to them
1644 that they got their password wrong. Helpdesk services will
1645 <span class="emphasis"><em>hate</em></span> you if you set the <i class="parameter"><tt>map to
1646 guest</tt></i> parameter this way :-).</p></li></ul></div><p>Note that this parameter is needed to set up "Guest"
1647 share services when using <i class="parameter"><tt>security</tt></i> modes other than
1648 share. This is because in these modes the name of the resource being
1649 requested is <span class="emphasis"><em>not</em></span> sent to the server until after
1650 the server has successfully authenticated the client so the server
1651 cannot make authentication decisions at the correct time (connection
1652 to the share) for "Guest" shares.</p><p>For people familiar with the older Samba releases, this
1653 parameter maps to the old compile-time setting of the <tt class="constant">
1654 GUEST_SESSSETUP</tt> value in local.h.</p><p>Default: <b class="command">map to guest = Never</b></p><p>Example: <b class="command">map to guest = Bad User</b></p></dd><dt><span class="term"><a name="MAXCONNECTIONS"></a>max connections (S)</span></dt><dd><p>This option allows the number of simultaneous connections to a service to be limited.
1655 If <i class="parameter"><tt>max connections</tt></i> is greater than 0 then connections
1656 will be refused if this number of connections to the service are already open. A value
1657 of zero mean an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature. The lock files will be stored in
1658 the directory specified by the <a href="#LOCKDIRECTORY">
1659 <i class="parameter"><tt>lock directory</tt></i></a> option.</p><p>Default: <b class="command">max connections = 0</b></p><p>Example: <b class="command">max connections = 10</b></p></dd><dt><span class="term"><a name="MAXDISKSIZE"></a>max disk size (G)</span></dt><dd><p>This option allows you to put an upper limit
1660 on the apparent size of disks. If you set this option to 100
1661 then all shares will appear to be not larger than 100 MB in
1662 size.</p><p>Note that this option does not limit the amount of
1663 data you can put on the disk. In the above case you could still
1664 store much more than 100 MB on the disk, but if a client ever asks
1665 for the amount of free disk space or the total disk size then the
1666 result will be bounded by the amount specified in <i class="parameter"><tt>max
1667 disk size</tt></i>.</p><p>This option is primarily useful to work around bugs
1668 in some pieces of software that can't handle very large disks,
1669 particularly disks over 1GB in size.</p><p>A <i class="parameter"><tt>max disk size</tt></i> of 0 means no limit.</p><p>Default: <b class="command">max disk size = 0</b></p><p>Example: <b class="command">max disk size = 1000</b></p></dd><dt><span class="term"><a name="MAXLOGSIZE"></a>max log size (G)</span></dt><dd><p>This option (an integer in kilobytes) specifies
1670 the max size the log file should grow to. Samba periodically checks
1671 the size and if it is exceeded it will rename the file, adding
1672 a <tt class="filename">.old</tt> extension.</p><p>A size of 0 means no limit.</p><p>Default: <b class="command">max log size = 5000</b></p><p>Example: <b class="command">max log size = 1000</b></p></dd><dt><span class="term"><a name="MAXMUX"></a>max mux (G)</span></dt><dd><p>This option controls the maximum number of
1673 outstanding simultaneous SMB operations that Samba tells the client
1674 it will allow. You should never need to set this parameter.</p><p>Default: <b class="command">max mux = 50</b></p></dd><dt><span class="term"><a name="MAXOPENFILES"></a>max open files (G)</span></dt><dd><p>This parameter limits the maximum number of
1675 open files that one <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> file
1676 serving process may have open for a client at any one time. The
1677 default for this parameter is set very high (10,000) as Samba uses
1678 only one bit per unopened file.</p><p>The limit of the number of open files is usually set
1679 by the UNIX per-process file descriptor limit rather than
1680 this parameter so you should never need to touch this parameter.</p><p>Default: <b class="command">max open files = 10000</b></p></dd><dt><span class="term"><a name="MAXPRINTJOBS"></a>max print jobs (S)</span></dt><dd><p>This parameter limits the maximum number of
1681 jobs allowable in a Samba printer queue at any given moment.
1682 If this number is exceeded, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will remote "Out of Space" to the client.
1683 See all <a href="#TOTALPRINTJOBS"><i class="parameter"><tt>total
1684 print jobs</tt></i></a>.
1685 </p><p>Default: <b class="command">max print jobs = 1000</b></p><p>Example: <b class="command">max print jobs = 5000</b></p></dd><dt><span class="term"><a name="MAXPROTOCOL"></a>max protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the highest
1686 protocol level that will be supported by the server.</p><p>Possible values are :</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="constant">CORE</tt>: Earliest version. No
1687 concept of user names.</p></li><li><p><tt class="constant">COREPLUS</tt>: Slight improvements on
1688 CORE for efficiency.</p></li><li><p><tt class="constant">LANMAN1</tt>: First <span class="emphasis"><em>
1689 modern</em></span> version of the protocol. Long filename
1690 support.</p></li><li><p><tt class="constant">LANMAN2</tt>: Updates to Lanman1 protocol.</p></li><li><p><tt class="constant">NT1</tt>: Current up to date version of the protocol.
1691 Used by Windows NT. Known as CIFS.</p></li></ul></div><p>Normally this option should not be set as the automatic
1692 negotiation phase in the SMB protocol takes care of choosing
1693 the appropriate protocol.</p><p>See also <a href="#MINPROTOCOL"><i class="parameter"><tt>min
1694 protocol</tt></i></a></p><p>Default: <b class="command">max protocol = NT1</b></p><p>Example: <b class="command">max protocol = LANMAN1</b></p></dd><dt><span class="term"><a name="MAXREPORTEDPRINTJOBS"></a>max reported print jobs (S)</span></dt><dd><p>This parameter limits the maximum number of
1695 jobs displayed in a port monitor for Samba printer queue at any given
1696 moment. If this number is exceeded, the excess jobs will not be shown.
1697 A value of zero means there is no limit on the number of print
1700 See all <a href="#TOTALPRINTJOBS"><i class="parameter"><tt>total
1701 print jobs</tt></i></a> and <a href="#MAXPRINTJOBS"><i class="parameter"><tt>max print
1702 jobs</tt></i></a> parameters.
1703 </p><p>Default: <b class="command">max reported print jobs = 0</b></p><p>Example: <b class="command">max reported print jobs = 1000</b></p></dd><dt><span class="term"><a name="MAXSMBDPROCESSES"></a>max smbd processes (G)</span></dt><dd><p>This parameter limits the maximum number of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> processes concurrently running on a system and is intended
1704 as a stopgap to prevent degrading service to clients in the event that the server has insufficient
1705 resources to handle more than this number of connections. Remember that under normal operating
1706 conditions, each user will have an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> associated with him or her to handle connections to all
1707 shares from a given host.</p><p>Default: <b class="command">max smbd processes = 0</b> ## no limit</p><p>Example: <b class="command">max smbd processes = 1000</b></p></dd><dt><span class="term"><a name="MAXTTL"></a>max ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> what the default 'time to live'
1708 of NetBIOS names should be (in seconds) when <b class="command">nmbd</b> is
1709 requesting a name using either a broadcast packet or from a WINS server. You should
1710 never need to change this parameter. The default is 3 days.</p><p>Default: <b class="command">max ttl = 259200</b></p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server (<a href="#WINSSUPPORT">
1711 <i class="parameter"><tt>wins support = yes</tt></i></a>) what the maximum
1712 'time to live' of NetBIOS names that <b class="command">nmbd</b>
1713 will grant will be (in seconds). You should never need to change this
1714 parameter. The default is 6 days (518400 seconds).</p><p>See also the <a href="#MINWINSTTL"><i class="parameter"><tt>min
1715 wins ttl</tt></i></a> parameter.</p><p>Default: <b class="command">max wins ttl = 518400</b></p></dd><dt><span class="term"><a name="MAXXMIT"></a>max xmit (G)</span></dt><dd><p>This option controls the maximum packet size
1716 that will be negotiated by Samba. The default is 65535, which
1717 is the maximum. In some cases you may find you get better performance
1718 with a smaller value. A value below 2048 is likely to cause problems.
1719 </p><p>Default: <b class="command">max xmit = 65535</b></p><p>Example: <b class="command">max xmit = 8192</b></p></dd><dt><span class="term"><a name="MESSAGECOMMAND"></a>message command (G)</span></dt><dd><p>This specifies what command to run when the
1720 server receives a WinPopup style message.</p><p>This would normally be a command that would
1721 deliver the message somehow. How this is to be done is
1722 up to your imagination.</p><p>An example is:</p><p><b class="command">message command = csh -c 'xedit %s;rm %s' &</b>
1723 </p><p>This delivers the message using <b class="command">xedit</b>, then
1724 removes it afterwards. <span class="emphasis"><em>NOTE THAT IT IS VERY IMPORTANT
1725 THAT THIS COMMAND RETURN IMMEDIATELY</em></span>. That's why I
1726 have the '&' on the end. If it doesn't return immediately then
1727 your PCs may freeze when sending messages (they should recover
1728 after 30 seconds, hopefully).</p><p>All messages are delivered as the global guest user.
1729 The command takes the standard substitutions, although <i class="parameter"><tt>
1730 %u</tt></i> won't work (<i class="parameter"><tt>%U</tt></i> may be better
1731 in this case).</p><p>Apart from the standard substitutions, some additional
1732 ones apply. In particular:</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>%s</tt></i> = the filename containing
1733 the message.</p></li><li><p><i class="parameter"><tt>%t</tt></i> = the destination that
1734 the message was sent to (probably the server name).</p></li><li><p><i class="parameter"><tt>%f</tt></i> = who the message
1735 is from.</p></li></ul></div><p>You could make this command send mail, or whatever else
1736 takes your fancy. Please let us know of any really interesting
1737 ideas you have.</p><p>Here's a way of sending the messages as mail to root:</p><p><b class="command">message command = /bin/mail -s 'message from %f on
1738 %m' root < %s; rm %s</b></p><p>If you don't have a message command then the message
1739 won't be delivered and Samba will tell the sender there was
1740 an error. Unfortunately WfWg totally ignores the error code
1741 and carries on regardless, saying that the message was delivered.
1742 </p><p>If you want to silently delete it then try:</p><p><b class="command">message command = rm %s</b></p><p>Default: <span class="emphasis"><em>no message command</em></span></p><p>Example: <b class="command">message command = csh -c 'xedit %s; rm %s' &</b></p></dd><dt><span class="term"><a name="MINPASSWDLENGTH"></a>min passwd length (G)</span></dt><dd><p>Synonym for <a href="#MINPASSWORDLENGTH">
1743 <i class="parameter"><tt>min password length</tt></i></a>.
1744 </p></dd><dt><span class="term"><a name="MINPASSWORDLENGTH"></a>min password length (G)</span></dt><dd><p>This option sets the minimum length in characters of a
1745 plaintext password that <b class="command">smbd</b> will
1746 accept when performing UNIX password changing.</p><p>See also <a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix
1747 password sync</tt></i></a>, <a href="#PASSWDPROGRAM">
1748 <i class="parameter"><tt>passwd program</tt></i></a> and <a href="#PASSWDCHATDEBUG">
1749 <i class="parameter"><tt>passwd chat debug</tt></i></a>.</p><p>Default: <b class="command">min password length = 5</b></p></dd><dt><span class="term"><a name="MINPRINTSPACE"></a>min print space (S)</span></dt><dd><p>This sets the minimum amount of free disk
1750 space that must be available before a user will be able to spool
1751 a print job. It is specified in kilobytes. The default is 0, which
1752 means a user can always spool a print job.</p><p>See also the <a href="#PRINTING"><i class="parameter"><tt>printing
1753 </tt></i></a> parameter.</p><p>Default: <b class="command">min print space = 0</b></p><p>Example: <b class="command">min print space = 2000</b></p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the
1754 lowest SMB protocol dialect than Samba will support. Please refer
1755 to the <a href="#MAXPROTOCOL"><i class="parameter"><tt>max protocol</tt></i></a>
1756 parameter for a list of valid protocol names and a brief description
1757 of each. You may also wish to refer to the C source code in
1758 <tt class="filename">source/smbd/negprot.c</tt> for a listing of known protocol
1759 dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should
1760 also refer to the <a href="#LANMANAUTH"><i class="parameter"><tt>lanman
1761 auth</tt></i></a> parameter. Otherwise, you should never need
1762 to change this parameter.</p><p>Default : <b class="command">min protocol = CORE</b></p><p>Example : <b class="command">min protocol = NT1</b> # disable DOS clients</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
1763 when acting as a WINS server (<a href="#WINSSUPPORT"><i class="parameter"><tt>
1764 wins support = yes</tt></i></a>) what the minimum 'time to live'
1765 of NetBIOS names that <b class="command">nmbd</b> will grant will be (in
1766 seconds). You should never need to change this parameter. The default
1767 is 6 hours (21600 seconds).</p><p>Default: <b class="command">min wins ttl = 21600</b></p></dd><dt><span class="term"><a name="MSDFSPROXY"></a>msdfs proxy (S)</span></dt><dd><p>This parameter indicates that the share is a
1768 stand-in for another CIFS share whose location is specified by
1769 the value of the parameter. When clients attempt to connect to
1770 this share, they are redirected to the proxied share using
1771 the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares. Take a look at the
1772 <a href="#MSDFSROOT"><i class="parameter"><tt>msdfs root</tt></i></a>
1773 and <a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a>
1774 options to find out how to set up a Dfs root share.</p><p>Example: <b class="command">msdfs proxy = \\\\otherserver\\someshare</b></p></dd><dt><span class="term"><a name="MSDFSROOT"></a>msdfs root (S)</span></dt><dd><p>This boolean parameter is only available if
1775 Samba is configured and compiled with the <b class="command">
1776 --with-msdfs</b> option. If set to <tt class="constant">yes</tt>,
1777 Samba treats the share as a Dfs root and allows clients to browse
1778 the distributed file system tree rooted at the share directory.
1779 Dfs links are specified in the share directory by symbolic
1780 links of the form <tt class="filename">msdfs:serverA\\shareA,serverB\\shareB</tt>
1781 and so on. For more information on setting up a Dfs tree
1782 on Samba, refer to <a href="msdfs.html" target="_top">"Hosting a Microsoft
1783 Distributed File System tree on Samba"</a> document.</p><p>See also <a href="#HOSTMSDFS"><i class="parameter"><tt>host msdfs</tt></i></a></p><p>Default: <b class="command">msdfs root = no</b></p></dd><dt><span class="term"><a name="NAMECACHETIMEOUT"></a>name cache timeout (G)</span></dt><dd><p>Specifies the number of seconds it takes before
1784 entries in samba's hostname resolve cache time out. If
1785 the timeout is set to 0. the caching is disabled.
1786 </p><p>Default: <b class="command">name cache timeout = 660</b></p><p>Example: <b class="command">name cache timeout = 0</b></p></dd><dt><span class="term"><a name="NAMERESOLVEORDER"></a>name resolve order (G)</span></dt><dd><p>This option is used by the programs in the Samba
1787 suite to determine what naming services to use and in what order
1788 to resolve host names to IP addresses. Its main purpose to is to
1789 control how netbios name resolution is performed. The option takes a space
1790 separated string of name resolution options.</p><p>The options are: "lmhosts", "host",
1791 "wins" and "bcast". They cause names to be
1792 resolved as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><tt class="constant">lmhosts</tt> : Lookup an IP
1793 address in the Samba lmhosts file. If the line in lmhosts has
1794 no name type attached to the NetBIOS name (see the <a href="lmhosts.5.html" target="_top">lmhosts(5)</a> for details) then
1795 any name type matches for lookup.</p></li><li><p><tt class="constant">host</tt> : Do a standard host
1796 name to IP address resolution, using the system <tt class="filename">/etc/hosts
1797 </tt>, NIS, or DNS lookups. This method of name resolution
1798 is operating system depended for instance on IRIX or Solaris this
1799 may be controlled by the <tt class="filename">/etc/nsswitch.conf</tt>
1800 file. Note that this method is used only if the NetBIOS name
1801 type being queried is the 0x20 (server) name type or 0x1c (domain controllers).
1802 The latter case is only useful for active directory domains and results in a DNS
1803 query for the SRV RR entry matching _ldap._tcp.domain.</p></li><li><p><tt class="constant">wins</tt> : Query a name with
1804 the IP address listed in the <a href="#WINSSERVER"><i class="parameter"><tt>
1805 wins server</tt></i></a> parameter. If no WINS server has
1806 been specified this method will be ignored.</p></li><li><p><tt class="constant">bcast</tt> : Do a broadcast on
1807 each of the known local interfaces listed in the <a href="#INTERFACES"><i class="parameter"><tt>interfaces</tt></i></a>
1808 parameter. This is the least reliable of the name resolution
1809 methods as it depends on the target host being on a locally
1810 connected subnet.</p></li></ul></div><p>Default: <b class="command">name resolve order = lmhosts host wins bcast</b></p><p>Example: <b class="command">name resolve order = lmhosts bcast host</b></p><p>This will cause the local lmhosts file to be examined
1811 first, followed by a broadcast attempt, followed by a normal
1812 system hostname lookup.</p><p>When Samba is functioning in ADS security mode (<b class="command">security = ads</b>)
1813 it is advised to use following settings for <i class="parameter"><tt>name resolve order</tt></i>:</p><p><b class="command">name resolve order = wins bcast</b></p><p>DC lookups will still be done via DNS, but fallbacks to netbios names will
1814 not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.</p></dd><dt><span class="term"><a name="NETBIOSALIASES"></a>netbios aliases (G)</span></dt><dd><p>This is a list of NetBIOS names that <a href="nmbd.8.html" target="_top">nmbd(8)</a> will
1815 advertise as additional names by which the Samba server is known. This allows one machine
1816 to appear in browse lists under multiple names. If a machine is acting as a browse server
1817 or logon server none of these names will be advertised as either browse server or logon
1818 servers, only the primary name of the machine will be advertised with these capabilities.
1819 </p><p>See also <a href="#NETBIOSNAME"><i class="parameter"><tt>netbios
1820 name</tt></i></a>.</p><p>Default: <span class="emphasis"><em>empty string (no additional names)</em></span></p><p>Example: <b class="command">netbios aliases = TEST TEST1 TEST2</b></p></dd><dt><span class="term"><a name="NETBIOSNAME"></a>netbios name (G)</span></dt><dd><p>This sets the NetBIOS name by which a Samba
1821 server is known. By default it is the same as the first component
1822 of the host's DNS name. If a machine is a browse server or
1823 logon server this name (or the first component
1824 of the hosts DNS name) will be the name that these services are
1825 advertised under.</p><p>See also <a href="#NETBIOSALIASES"><i class="parameter"><tt>netbios
1826 aliases</tt></i></a>.</p><p>Default: <span class="emphasis"><em>machine DNS name</em></span></p><p>Example: <b class="command">netbios name = MYNAME</b></p></dd><dt><span class="term"><a name="NETBIOSSCOPE"></a>netbios scope (G)</span></dt><dd><p>This sets the NetBIOS scope that Samba will
1827 operate under. This should not be set unless every machine
1828 on your LAN also sets this value.</p></dd><dt><span class="term"><a name="NISHOMEDIR"></a>nis homedir (G)</span></dt><dd><p>Get the home share server from a NIS map. For
1829 UNIX systems that use an automounter, the user's home directory
1830 will often be mounted on a workstation on demand from a remote
1831 server. </p><p>When the Samba logon server is not the actual home directory
1832 server, but is mounting the home directories via NFS then two
1833 network hops would be required to access the users home directory
1834 if the logon server told the client to use itself as the SMB server
1835 for home directories (one over SMB and one over NFS). This can
1836 be very slow.</p><p>This option allows Samba to return the home share as
1837 being on a different server to the logon server and as
1838 long as a Samba daemon is running on the home directory server,
1839 it will be mounted on the Samba client directly from the directory
1840 server. When Samba is returning the home share to the client, it
1841 will consult the NIS map specified in <a href="#HOMEDIRMAP">
1842 <i class="parameter"><tt>homedir map</tt></i></a> and return the server
1843 listed there.</p><p>Note that for this option to work there must be a working
1844 NIS system and the Samba server with this option must also
1845 be a logon server.</p><p>Default: <b class="command">nis homedir = no</b></p></dd><dt><span class="term"><a name="NONUNIXACCOUNTRANGE"></a>non unix account range (G)</span></dt><dd><p>The non unix account range parameter specifies
1846 the range of 'user ids' that are allocated by the various 'non unix
1847 account' passdb backends. These backends allow
1848 the storage of passwords for users who don't exist in /etc/passwd.
1849 This is most often used for machine account creation.
1850 This range of ids should have no existing local or NIS users within
1851 it as strange conflicts can occur otherwise.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>These userids never appear on the system and Samba will never
1852 'become' these users. They are used only to ensure that the algorithmic
1853 RID mapping does not conflict with normal users.
1854 </p></div><p>Default: <b class="command">non unix account range = <empty string></b></p><p>Example: <b class="command">non unix account range = 10000-20000</b></p></dd><dt><span class="term"><a name="NTACLSUPPORT"></a>nt acl support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map
1855 UNIX permissions into Windows NT access control lists.
1856 This parameter was formally a global parameter in releases
1857 prior to 2.2.2.</p><p>Default: <b class="command">nt acl support = yes</b></p></dd><dt><span class="term"><a name="NTLMAUTH"></a>ntlm auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to
1858 authenticate users using the NTLM encrypted password response.
1859 If disabled, either the lanman password hash or an NTLMv2 response
1860 will need to be sent by the client.</p><p>If this option, and <b class="command">lanman
1861 auth</b> are both disabled, then only NTLMv2 logins will be
1862 permited. Not all clients support NTLMv2, and most will require
1863 special configuration to us it.</p><p>Default : <b class="command">ntlm auth = yes</b></p></dd><dt><span class="term"><a name="NTPIPESUPPORT"></a>nt pipe support (G)</span></dt><dd><p>This boolean parameter controls whether
1864 <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will allow Windows NT
1865 clients to connect to the NT SMB specific <tt class="constant">IPC$</tt>
1866 pipes. This is a developer debugging option and can be left
1867 alone.</p><p>Default: <b class="command">nt pipe support = yes</b></p></dd><dt><span class="term"><a name="NTSTATUSSUPPORT"></a>nt status support (G)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will negotiate NT specific status
1868 support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone.
1869 If this option is set to <tt class="constant">no</tt> then Samba offers
1870 exactly the same DOS error codes that versions prior to Samba 2.2.3
1871 reported.</p><p>You should not need to ever disable this parameter.</p><p>Default: <b class="command">nt status support = yes</b></p></dd><dt><span class="term"><a name="NULLPASSWORDS"></a>null passwords (G)</span></dt><dd><p>Allow or disallow client access to accounts that have null passwords. </p><p>See also <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>.</p><p>Default: <b class="command">null passwords = no</b></p></dd><dt><span class="term"><a name="OBEYPAMRESTRICTIONS"></a>obey pam restrictions (G)</span></dt><dd><p>When Samba 3.0 is configured to enable PAM support
1872 (i.e. --with-pam), this parameter will control whether or not Samba
1873 should obey PAM's account and session management directives. The
1874 default behavior is to use PAM for clear text authentication only
1875 and to ignore any account or session management. Note that Samba
1876 always ignores PAM for authentication in the case of <a href="#ENCRYPTPASSWORDS">
1877 <i class="parameter"><tt>encrypt passwords = yes</tt></i></a>. The reason
1878 is that PAM modules cannot support the challenge/response
1879 authentication mechanism needed in the presence of SMB password encryption.
1880 </p><p>Default: <b class="command">obey pam restrictions = no</b></p></dd><dt><span class="term"><a name="ONLYGUEST"></a>only guest (S)</span></dt><dd><p>A synonym for <a href="#GUESTONLY"><i class="parameter"><tt>
1881 guest only</tt></i></a>.</p></dd><dt><span class="term"><a name="ONLYUSER"></a>only user (S)</span></dt><dd><p>This is a boolean option that controls whether
1882 connections with usernames not in the <i class="parameter"><tt>user</tt></i>
1883 list will be allowed. By default this option is disabled so that a
1884 client can supply a username to be used by the server. Enabling
1885 this parameter will force the server to only use the login
1886 names from the <i class="parameter"><tt>user</tt></i> list and is only really
1887 useful in <a href="#SECURITYEQUALSSHARE">share level</a>
1888 security.</p><p>Note that this also means Samba won't try to deduce
1889 usernames from the service name. This can be annoying for
1890 the [homes] section. To get around this you could use <b class="command">user =
1891 %S</b> which means your <i class="parameter"><tt>user</tt></i> list
1892 will be just the service name, which for home directories is the
1893 name of the user.</p><p>See also the <a href="#USER"><i class="parameter"><tt>user</tt></i>
1894 </a> parameter.</p><p>Default: <b class="command">only user = no</b></p></dd><dt><span class="term"><a name="OPLOCKBREAKWAITTIME"></a>oplock break wait time (G)</span></dt><dd><p>This is a tuning parameter added due to bugs in
1895 both Windows 9x and WinNT. If Samba responds to a client too
1896 quickly when that client issues an SMB that can cause an oplock
1897 break request, then the network client can fail and not respond
1898 to the break request. This tuning parameter (which is set in milliseconds)
1899 is the amount of time Samba will wait before sending an oplock break
1900 request to such (broken) clients.</p><p><span class="emphasis"><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
1901 UNDERSTOOD THE SAMBA OPLOCK CODE</em></span>.</p><p>Default: <b class="command">oplock break wait time = 0</b></p></dd><dt><span class="term"><a name="OPLOCKCONTENTIONLIMIT"></a>oplock contention limit (S)</span></dt><dd><p>This is a <span class="emphasis"><em>very</em></span> advanced
1902 <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> tuning option to
1903 improve the efficiency of the granting of oplocks under multiple
1904 client contention for the same file.</p><p>In brief it specifies a number, which causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>not to grant an oplock even when requested
1905 if the approximate number of clients contending for an oplock on the same file goes over this
1906 limit. This causes <b class="command">smbd</b> to behave in a similar
1907 way to Windows NT.</p><p><span class="emphasis"><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
1908 AND UNDERSTOOD THE SAMBA OPLOCK CODE</em></span>.</p><p>Default: <b class="command">oplock contention limit = 2</b></p></dd><dt><span class="term"><a name="OPLOCKS"></a>oplocks (S)</span></dt><dd><p>This boolean option tells <b class="command">smbd</b> whether to
1909 issue oplocks (opportunistic locks) to file open requests on this
1910 share. The oplock code can dramatically (approx. 30% or more) improve
1911 the speed of access to files on Samba servers. It allows the clients
1912 to aggressively cache files locally and you may want to disable this
1913 option for unreliable network environments (it is turned on by
1914 default in Windows NT Servers). For more information see the file
1915 <tt class="filename">Speed.txt</tt> in the Samba <tt class="filename">docs/</tt>
1916 directory.</p><p>Oplocks may be selectively turned off on certain files with a
1917 share. See the <a href="#VETOOPLOCKFILES"><i class="parameter"><tt>
1918 veto oplock files</tt></i></a> parameter. On some systems
1919 oplocks are recognized by the underlying operating system. This
1920 allows data synchronization between all access to oplocked files,
1921 whether it be via Samba or NFS or a local UNIX process. See the
1922 <i class="parameter"><tt>kernel oplocks</tt></i> parameter for details.</p><p>See also the <a href="#KERNELOPLOCKS"><i class="parameter"><tt>kernel
1923 oplocks</tt></i></a> and <a href="#LEVEL2OPLOCKS"><i class="parameter"><tt>
1924 level2 oplocks</tt></i></a> parameters.</p><p>Default: <b class="command">oplocks = yes</b></p></dd><dt><span class="term"><a name="OS2DRIVERMAP"></a>os2 driver map (G)</span></dt><dd><p>The parameter is used to define the absolute
1925 path to a file containing a mapping of Windows NT printer driver
1926 names to OS/2 printer driver names. The format is:</p><p><nt driver name> = <os2 driver name>.<device name></p><p>For example, a valid entry using the HP LaserJet 5
1927 printer driver would appear as <b class="command">HP LaserJet 5L = LASERJET.HP
1928 LaserJet 5L</b>.</p><p>The need for the file is due to the printer driver namespace
1929 problem described in the <a href="printing.html" target="_top">Samba
1930 Printing HOWTO</a>. For more details on OS/2 clients, please
1931 refer to the OS2-Client-HOWTO containing in the Samba documentation.</p><p>Default: <b class="command">os2 driver map = <empty string></b></p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>This integer value controls what level Samba
1932 advertises itself as for browse elections. The value of this
1933 parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
1934 has a chance of becoming a local master browser for the <i class="parameter"><tt>
1935 WORKGROUP</tt></i> in the local broadcast area.</p><p><span class="emphasis"><em>Note :</em></span>By default, Samba will win
1936 a local master browsing election over all Microsoft operating
1937 systems except a Windows NT 4.0/2000 Domain Controller. This
1938 means that a misconfigured Samba host can effectively isolate
1939 a subnet for browsing purposes. See <tt class="filename">BROWSING.txt
1940 </tt> in the Samba <tt class="filename">docs/</tt> directory
1941 for details.</p><p>Default: <b class="command">os level = 20</b></p><p>Example: <b class="command">os level = 65 </b></p></dd><dt><span class="term"><a name="PAMPASSWORDCHANGE"></a>pam password change (G)</span></dt><dd><p>With the addition of better PAM support in Samba 2.2,
1942 this parameter, it is possible to use PAM's password change control
1943 flag for Samba. If enabled, then PAM will be used for password
1944 changes when requested by an SMB client instead of the program listed in
1945 <a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i></a>.
1946 It should be possible to enable this without changing your
1947 <a href="#PASSWDCHAT"><i class="parameter"><tt>passwd chat</tt></i></a>
1948 parameter for most setups.</p><p>Default: <b class="command">pam password change = no</b></p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a
1949 system command to be called when either <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> or <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> crashes. This is usually used to
1950 draw attention to the fact that a problem occurred.</p><p>Default: <b class="command">panic action = <empty string></b></p><p>Example: <b class="command">panic action = "/bin/sleep 90000"</b></p></dd><dt><span class="term"><a name="PARANOIDSERVERSECURITY"></a>paranoid server security (G)</span></dt><dd><p>Some version of NT 4.x allow non-guest
1951 users with a bad passowrd. When this option is enabled, samba will not
1952 use a broken NT 4.x server as password server, but instead complain
1953 to the logs and exit.
1954 </p><p>Disabling this option prevents Samba from making
1955 this check, which involves deliberatly attempting a
1956 bad logon to the remote server.</p><p>Default: <b class="command">paranoid server security = yes</b></p></dd><dt><span class="term"><a name="PASSDBBACKEND"></a>passdb backend (G)</span></dt><dd><p>This option allows the administrator to chose which backends
1957 to retrieve and store passwords with. This allows (for example) both
1958 smbpasswd and tdbsam to be used without a recompile. Multiple
1959 backends can be specified, separated by spaces. The backends will be
1960 searched in the order they are specified. New users are always added
1961 to the first backend specified. </p><p>This parameter is in two parts, the backend's name, and a 'location'
1962 string that has meaning only to that particular backed. These are separated
1963 by a : character.</p><p>Available backends can include:
1964 </p><div class="itemizedlist"><ul type="disc"><li><p><b class="command">smbpasswd</b> - The default smbpasswd
1965 backend. Takes a path to the smbpasswd file as an optional argument.
1966 </p></li><li><p><b class="command">tdbsam</b> - The TDB based password storage
1967 backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
1968 in the <a href="#PRIVATEDIR">
1969 <i class="parameter"><tt>private dir</tt></i></a> directory.</p></li><li><p><b class="command">ldapsam</b> - The LDAP based passdb
1970 backend. Takes an LDAP URL as an optional argument (defaults to
1971 <b class="command">ldap://localhost</b>)</p><p>LDAP connections should be secured where possible. This may be done using either
1972 Start-TLS (see <a href="#LDAPSSL"><i class="parameter"><tt>ldap ssl</tt></i></a>) or by
1973 specifying <i class="parameter"><tt>ldaps://</tt></i> in
1974 the URL argument. </p></li><li><p><b class="command">nisplussam</b> -
1975 The NIS+ based passdb backend. Takes name NIS domain as
1976 an optional argument. Only works with sun NIS+ servers.
1977 </p></li><li><p><b class="command">mysql</b> -
1978 The MySQL based passdb backend. Takes an identifier as
1979 argument. Read the Samba HOWTO Collection for configuration
1981 </p></li><li><p><b class="command">guest</b> -
1982 Very simple backend that only provides one user: the guest user.
1983 Only maps the NT guest user to the <i class="parameter"><tt>guest account</tt></i>.
1984 Required in pretty much all situations.
1985 </p></li></ul></div><p>
1986 </p><p>Default: <b class="command">passdb backend = smbpasswd</b></p><p>Example: <b class="command">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</b></p><p>Example: <b class="command">passdb backend = ldapsam:ldaps://ldap.example.com guest</b></p><p>Example: <b class="command">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest</b></p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span>
1987 conversation that takes places between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing
1988 program to change the user's password. The string describes a
1989 sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the
1990 <a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i>
1991 </a> and what to expect back. If the expected output is not
1992 received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending
1993 on what local methods are used for password control (such as NIS
1994 etc).</p><p>Note that this parameter only is only used if the <a href="#UNIXPASSWORDSYNC"> <i class="parameter"><tt>unix password sync</tt></i>
1995 </a> parameter is set to <tt class="constant">yes</tt>. This sequence is
1996 then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password in the
1997 smbpasswd file is being changed, without access to the old password
1998 cleartext. This means that root must be able to reset the user's password without
1999 knowing the text of the previous password. In the presence of
2000 NIS/YP, this means that the <a href="#PASSWDPROGRAM">passwd program</a> must
2001 be executed on the NIS master.
2002 </p><p>The string can contain the macro <i class="parameter"><tt>%n</tt></i> which is substituted
2003 for the new password. The chat sequence can also contain the standard
2004 macros <tt class="constant">\\n</tt>, <tt class="constant">\\r</tt>, <tt class="constant">\\t</tt> and <tt class="constant">\\s</tt> to
2005 give line-feed, carriage-return, tab and space. The chat sequence string can also contain
2006 a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces
2007 in them into a single string.</p><p>If the send string in any part of the chat sequence is a full
2008 stop ".", then no string is sent. Similarly, if the
2009 expect string is a full stop then no string is expected.</p><p>If the <a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam
2010 password change</tt></i></a> parameter is set to <tt class="constant">yes</tt>, the chat pairs
2011 may be matched in any order, and success is determined by the PAM result,
2012 not any particular output. The \n macro is ignored for PAM conversions.
2013 </p><p>See also <a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix password
2014 sync</tt></i></a>, <a href="#PASSWDPROGRAM"><i class="parameter"><tt>
2015 passwd program</tt></i></a> ,<a href="#PASSWDCHATDEBUG">
2016 <i class="parameter"><tt>passwd chat debug</tt></i></a> and <a href="#PAMPASSWORDCHANGE">
2017 <i class="parameter"><tt>pam password change</tt></i></a>.</p><p>Default: <b class="command">passwd chat = *new*password* %n\\n
2018 *new*password* %n\\n *changed*</b></p><p>Example: <b class="command">passwd chat = "*Enter OLD password*" %o\\n
2019 "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n
2020 "*Password changed*"</b></p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script
2021 parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
2022 strings passed to and received from the passwd chat are printed
2023 in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
2024 <a href="#DEBUGLEVEL"><i class="parameter"><tt>debug level</tt></i></a>
2025 of 100. This is a dangerous option as it will allow plaintext passwords
2026 to be seen in the <b class="command">smbd</b> log. It is available to help
2027 Samba admins debug their <i class="parameter"><tt>passwd chat</tt></i> scripts
2028 when calling the <i class="parameter"><tt>passwd program</tt></i> and should
2029 be turned off after this has been done. This option has no effect if the
2030 <a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam password change</tt></i></a>
2031 paramter is set. This parameter is off by default.</p><p>See also <a href="#PASSWDCHAT"><i class="parameter"><tt>passwd chat</tt></i>
2032 </a>, <a href="#PAMPASSWORDCHANGE"><i class="parameter"><tt>pam password change</tt></i>
2033 </a>, <a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd program</tt></i>
2034 </a>.</p><p>Default: <b class="command">passwd chat debug = no</b></p></dd><dt><span class="term"><a name="PASSWDPROGRAM"></a>passwd program (G)</span></dt><dd><p>The name of a program that can be used to set
2035 UNIX user passwords. Any occurrences of <i class="parameter"><tt>%u</tt></i>
2036 will be replaced with the user name. The user name is checked for
2037 existence before calling the password changing program.</p><p>Also note that many passwd programs insist in <span class="emphasis"><em>reasonable
2038 </em></span> passwords, such as a minimum length, or the inclusion
2039 of mixed case chars and digits. This can pose a problem as some clients
2040 (such as Windows for Workgroups) uppercase the password before sending
2041 it.</p><p><span class="emphasis"><em>Note</em></span> that if the <i class="parameter"><tt>unix
2042 password sync</tt></i> parameter is set to <tt class="constant">yes
2043 </tt> then this program is called <span class="emphasis"><em>AS ROOT</em></span>
2044 before the SMB password in the <a href="smbpasswd.5.html" target="_top"><a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>
2045 </a> file is changed. If this UNIX password change fails, then
2046 <b class="command">smbd</b> will fail to change the SMB password also
2047 (this is by design).</p><p>If the <i class="parameter"><tt>unix password sync</tt></i> parameter
2048 is set this parameter <span class="emphasis"><em>MUST USE ABSOLUTE PATHS</em></span>
2049 for <span class="emphasis"><em>ALL</em></span> programs called, and must be examined
2050 for security implications. Note that by default <i class="parameter"><tt>unix
2051 password sync</tt></i> is set to <tt class="constant">no</tt>.</p><p>See also <a href="#UNIXPASSWORDSYNC"><i class="parameter"><tt>unix
2052 password sync</tt></i></a>.</p><p>Default: <b class="command">passwd program = /bin/passwd</b></p><p>Example: <b class="command">passwd program = /sbin/npasswd %u</b></p></dd><dt><span class="term"><a name="PASSWORDLEVEL"></a>password level (G)</span></dt><dd><p>Some client/server combinations have difficulty
2053 with mixed-case passwords. One offending client is Windows for
2054 Workgroups, which for some reason forces passwords to upper
2055 case when using the LANMAN1 protocol, but leaves them alone when
2056 using COREPLUS! Another problem child is the Windows 95/98
2057 family of operating systems. These clients upper case clear
2058 text passwords even when NT LM 0.12 selected by the protocol
2059 negotiation request/response.</p><p>This parameter defines the maximum number of characters
2060 that may be upper case in passwords.</p><p>For example, say the password given was "FRED". If <i class="parameter"><tt>
2061 password level</tt></i> is set to 1, the following combinations
2062 would be tried if "FRED" failed:</p><p>"Fred", "fred", "fRed", "frEd","freD"</p><p>If <i class="parameter"><tt>password level</tt></i> was set to 2,
2063 the following combinations would also be tried: </p><p>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</p><p>And so on.</p><p>The higher value this parameter is set to the more likely
2064 it is that a mixed case password will be matched against a single
2065 case password. However, you should be aware that use of this
2066 parameter reduces security and increases the time taken to
2067 process a new connection.</p><p>A value of zero will cause only two attempts to be
2068 made - the password as is and the password in all-lower case.</p><p>Default: <b class="command">password level = 0</b></p><p>Example: <b class="command">password level = 4</b></p></dd><dt><span class="term"><a name="PASSWORDSERVER"></a>password server (G)</span></dt><dd><p>By specifying the name of another SMB server
2069 or Active Directory domain controller with this option,
2070 and using <b class="command">security = [ads|domain|server]</b>
2071 it is possible to get Samba to
2072 to do all its username/password validation using a specific remote server.</p><p>This option sets the name or IP address of the password server to use.
2073 New syntax has been added to support defining the port to use when connecting
2074 to the server the case of an ADS realm. To define a port other than the
2075 default LDAP port of 389, add the port number using a colon after the
2076 name or IP address (e.g. 192.168.1.100:389). If you do not specify a port,
2077 Samba will use the standard LDAP port of tcp/389. Note that port numbers
2078 have no effect on password servers for Windows NT 4.0 domains or netbios
2079 connections.</p><p>If parameter is a name, it is looked up using the
2080 parameter <a href="#NAMERESOLVEORDER"><i class="parameter"><tt>name
2081 resolve order</tt></i></a> and so may resolved
2082 by any method and order described in that parameter.</p><p>The password server must be a machine capable of using
2083 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
2084 user level security mode.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Using a password server means your UNIX box (running
2085 Samba) is only as secure as your password server. <span class="emphasis"><em>DO NOT
2086 CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</em></span>.
2087 </p></div><p>Never point a Samba server at itself for password serving.
2088 This will cause a loop and could lock up your Samba server!</p><p>The name of the password server takes the standard
2089 substitutions, but probably the only useful one is <i class="parameter"><tt>%m
2090 </tt></i>, which means the Samba server will use the incoming
2091 client as the password server. If you use this then you better
2092 trust your clients, and you had better restrict them with hosts allow!</p><p>If the <i class="parameter"><tt>security</tt></i> parameter is set to
2093 <tt class="constant">domain</tt> or <tt class="constant">ads</tt>, then the list of machines in this
2094 option must be a list of Primary or Backup Domain controllers for the
2095 Domain or the character '*', as the Samba server is effectively
2096 in that domain, and will use cryptographically authenticated RPC calls
2097 to authenticate the user logging on. The advantage of using <b class="command">
2098 security = domain</b> is that if you list several hosts in the
2099 <i class="parameter"><tt>password server</tt></i> option then <b class="command">smbd
2100 </b> will try each in turn till it finds one that responds. This
2101 is useful in case your primary server goes down.</p><p>If the <i class="parameter"><tt>password server</tt></i> option is set
2102 to the character '*', then Samba will attempt to auto-locate the
2103 Primary or Backup Domain controllers to authenticate against by
2104 doing a query for the name <tt class="constant">WORKGROUP<1C></tt>
2105 and then contacting each server returned in the list of IP
2106 addresses from the name resolution source. </p><p>If the list of servers contains both names/IP's and the '*'
2107 character, the list is treated as a list of preferred
2108 domain controllers, but an auto lookup of all remaining DC's
2109 will be added to the list as well. Samba will not attempt to optimize
2110 this list by locating the closest DC.</p><p>If the <i class="parameter"><tt>security</tt></i> parameter is
2111 set to <tt class="constant">server</tt>, then there are different
2112 restrictions that <b class="command">security = domain</b> doesn't
2113 suffer from:</p><div class="itemizedlist"><ul type="disc"><li><p>You may list several password servers in
2114 the <i class="parameter"><tt>password server</tt></i> parameter, however if an
2115 <b class="command">smbd</b> makes a connection to a password server,
2116 and then the password server fails, no more users will be able
2117 to be authenticated from this <b class="command">smbd</b>. This is a
2118 restriction of the SMB/CIFS protocol when in <b class="command">security = server
2119 </b> mode and cannot be fixed in Samba.</p></li><li><p>If you are using a Windows NT server as your
2120 password server then you will have to ensure that your users
2121 are able to login from the Samba server, as when in <b class="command">
2122 security = server</b> mode the network logon will appear to
2123 come from there rather than from the users workstation.</p></li></ul></div><p>See also the <a href="#SECURITY"><i class="parameter"><tt>security
2124 </tt></i></a> parameter.</p><p>Default: <b class="command">password server = <empty string></b></p><p>Example: <b class="command">password server = NT-PDC, NT-BDC1, NT-BDC2, *</b></p><p>Example: <b class="command">password server = windc.mydomain.com:389 192.168.1.101 *</b></p><p>Example: <b class="command">password server = *</b></p></dd><dt><span class="term"><a name="PATH"></a>path (S)</span></dt><dd><p>This parameter specifies a directory to which
2125 the user of the service is to be given access. In the case of
2126 printable services, this is where print data will spool prior to
2127 being submitted to the host for printing.</p><p>For a printable service offering guest access, the service
2128 should be readonly and the path should be world-writeable and
2129 have the sticky bit set. This is not mandatory of course, but
2130 you probably won't get the results you expect if you do
2131 otherwise.</p><p>Any occurrences of <i class="parameter"><tt>%u</tt></i> in the path
2132 will be replaced with the UNIX username that the client is using
2133 on this connection. Any occurrences of <i class="parameter"><tt>%m</tt></i>
2134 will be replaced by the NetBIOS name of the machine they are
2135 connecting from. These replacements are very useful for setting
2136 up pseudo home directories for users.</p><p>Note that this path will be based on <a href="#ROOTDIR">
2137 <i class="parameter"><tt>root dir</tt></i></a> if one was specified.</p><p>Default: <span class="emphasis"><em>none</em></span></p><p>Example: <b class="command">path = /home/fred</b></p></dd><dt><span class="term"><a name="PIDDIRECTORY"></a>pid directory (G)</span></dt><dd><p>This option specifies the directory where pid
2138 files will be placed. </p><p>Default: <b class="command">pid directory = ${prefix}/var/locks</b></p><p>Example: <b class="command">pid directory = /var/run/</b></p></dd><dt><span class="term"><a name="POSIXLOCKING"></a>posix locking (S)</span></dt><dd><p>The <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>
2139 daemon maintains an database of file locks obtained by SMB clients.
2140 The default behavior is to map this internal database to POSIX
2141 locks. This means that file locks obtained by SMB clients are
2142 consistent with those seen by POSIX compliant applications accessing
2143 the files via a non-SMB method (e.g. NFS or local file access).
2144 You should never need to disable this parameter.</p><p>Default: <b class="command">posix locking = yes</b></p></dd><dt><span class="term"><a name="POSTEXEC"></a>postexec (S)</span></dt><dd><p>This option specifies a command to be run
2145 whenever the service is disconnected. It takes the usual
2146 substitutions. The command may be run as the root on some
2147 systems.</p><p>An interesting example may be to unmount server
2148 resources:</p><p><b class="command">postexec = /etc/umount /cdrom</b></p><p>See also <a href="#PREEXEC"><i class="parameter"><tt>preexec</tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b class="command">postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log</b></p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever
2149 the service is connected to. It takes the usual substitutions.</p><p>An interesting example is to send the users a welcome
2150 message every time they log in. Maybe a message of the day? Here
2151 is an example:</p><p><b class="command">preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & </b></p><p>Of course, this could get annoying after a while :-)</p><p>See also <a href="#PREEXECCLOSE"><i class="parameter"><tt>preexec close</tt></i></a> and <a href="#POSTEXEC"><i class="parameter"><tt>postexec
2152 </tt></i></a>.</p><p>Default: <span class="emphasis"><em>none (no command executed)</em></span></p><p>Example: <b class="command">preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log</b></p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>This boolean option controls whether a non-zero
2153 return code from <a href="#PREEXEC"><i class="parameter"><tt>preexec
2154 </tt></i></a> should close the service being connected to.</p><p>Default: <b class="command">preexec close = no</b></p></dd><dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master (G)</span></dt><dd><p>Synonym for <a href="#PREFERREDMASTER"><i class="parameter"><tt>
2155 preferred master</tt></i></a> for people who cannot spell :-).</p></dd><dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p>This boolean parameter controls if
2156 <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> is a preferred master
2157 browser for its workgroup.</p><p>If this is set to <tt class="constant">yes</tt>, on startup, <b class="command">nmbd</b>
2158 will force an election, and it will have a slight advantage in
2159 winning the election. It is recommended that this parameter is
2160 used in conjunction with <b class="command"><a href="#DOMAINMASTER">
2161 <i class="parameter"><tt>domain master</tt></i></a> = yes</b>, so
2162 that <b class="command">nmbd</b> can guarantee becoming a domain master.</p><p>Use this option with caution, because if there are several
2163 hosts (whether Samba servers, Windows 95 or NT) that are
2164 preferred master browsers on the same subnet, they will each
2165 periodically and continuously attempt to become the local
2166 master browser. This will result in unnecessary broadcast
2167 traffic and reduced browsing capabilities.</p><p>See also <a href="#OSLEVEL"><i class="parameter"><tt>os level</tt></i></a>.</p><p>Default: <b class="command">preferred master = auto</b></p></dd><dt><span class="term"><a name="PRELOAD"></a>preload (G)</span></dt><dd><p>This is a list of services that you want to be
2168 automatically added to the browse lists. This is most useful
2169 for homes and printers services that would otherwise not be
2170 visible.</p><p>Note that if you just want all printers in your
2171 printcap file loaded then the <a href="#LOADPRINTERS">
2172 <i class="parameter"><tt>load printers</tt></i></a> option is easier.</p><p>Default: <span class="emphasis"><em>no preloaded services</em></span></p><p>Example: <b class="command">preload = fred lp colorlp</b></p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should
2173 be loaded into smbd before a client connects. This improves
2174 the speed of smbd when reacting to new connections somewhat. </p><p>It is recommended to only use this option on heavy-performance
2175 servers.</p><p>Default: <b class="command">preload modules = </b></p><p>Example: <b class="command">preload modules = /usr/lib/samba/passdb/mysql.so+++ </b></p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p> This controls if new filenames are created
2176 with the case that the client passes, or if they are forced to
2177 be the <a href="#DEFAULTCASE"><i class="parameter"><tt>default case
2178 </tt></i></a>.</p><p>Default: <b class="command">preserve case = yes</b></p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion.</p></dd><dt><span class="term"><a name="PRINTABLE"></a>printable (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt>, then
2179 clients may open, write to and submit spool files on the directory
2180 specified for the service. </p><p>Note that a printable service will ALWAYS allow writing
2181 to the service path (user privileges permitting) via the spooling
2182 of print data. The <a href="#READONLY"><i class="parameter"><tt>read only
2183 </tt></i></a> parameter controls only non-printing access to
2184 the resource.</p><p>Default: <b class="command">printable = no</b></p></dd><dt><span class="term"><a name="PRINTCAP"></a>printcap (G)</span></dt><dd><p>Synonym for <a href="#PRINTCAPNAME"><i class="parameter"><tt>
2185 printcap name</tt></i></a>.</p></dd><dt><span class="term"><a name="PRINTCAPNAME"></a>printcap name (S)</span></dt><dd><p>This parameter may be used to override the
2186 compiled-in default printcap name used by the server (usually <tt class="filename">
2187 /etc/printcap</tt>). See the discussion of the <a href="#PRINTERSSECT" title="The [printers] section">[printers]</a> section above for reasons
2188 why you might want to do this.</p><p>To use the CUPS printing interface set <b class="command">printcap name = cups
2189 </b>. This should be supplemented by an addtional setting
2190 <a href="#PRINTING">printing = cups</a> in the [global]
2191 section. <b class="command">printcap name = cups</b> will use the
2192 "dummy" printcap created by CUPS, as specified in your CUPS
2194 </p><p>On System V systems that use <b class="command">lpstat</b> to
2195 list available printers you can use <b class="command">printcap name = lpstat
2196 </b> to automatically obtain lists of available printers. This
2197 is the default for systems that define SYSV at configure time in
2198 Samba (this includes most System V based systems). If <i class="parameter"><tt>
2199 printcap name</tt></i> is set to <b class="command">lpstat</b> on
2200 these systems then Samba will launch <b class="command">lpstat -v</b> and
2201 attempt to parse the output to obtain a printer list.</p><p>A minimal printcap file would look something like this:</p><pre class="programlisting">
2207 </pre><p>where the '|' separates aliases of a printer. The fact
2208 that the second alias has a space in it gives a hint to Samba
2209 that it's a comment.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Under AIX the default printcap
2210 name is <tt class="filename">/etc/qconfig</tt>. Samba will assume the
2211 file is in AIX <tt class="filename">qconfig</tt> format if the string
2212 <tt class="filename">qconfig</tt> appears in the printcap filename.</p></div><p>Default: <b class="command">printcap name = /etc/printcap</b></p><p>Example: <b class="command">printcap name = /etc/myprintcap</b></p></dd><dt><span class="term"><a name="PRINTCOMMAND"></a>print command (S)</span></dt><dd><p>After a print job has finished spooling to
2213 a service, this command will be used via a <b class="command">system()</b>
2214 call to process the spool file. Typically the command specified will
2215 submit the spool file to the host's printing subsystem, but there
2216 is no requirement that this be the case. The server will not remove
2217 the spool file, so whatever command you specify should remove the
2218 spool file when it has been processed, otherwise you will need to
2219 manually remove old spool files.</p><p>The print command is simply a text string. It will be used
2220 verbatim after macro substitutions have been made:</p><p>%s, %f - the path to the spool
2221 file name</p><p>%p - the appropriate printer
2222 name</p><p>%J - the job
2223 name as transmitted by the client.</p><p>%c - The number of printed pages
2224 of the spooled job (if known).</p><p>%z - the size of the spooled
2225 print job (in bytes)</p><p>The print command <span class="emphasis"><em>MUST</em></span> contain at least
2226 one occurrence of <i class="parameter"><tt>%s</tt></i> or <i class="parameter"><tt>%f
2227 </tt></i> - the <i class="parameter"><tt>%p</tt></i> is optional. At the time
2228 a job is submitted, if no printer name is supplied the <i class="parameter"><tt>%p
2229 </tt></i> will be silently removed from the printer command.</p><p>If specified in the [global] section, the print command given
2230 will be used for any printable service that does not have its own
2231 print command specified.</p><p>If there is neither a specified print command for a
2232 printable service nor a global print command, spool files will
2233 be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the
2234 <tt class="constant">nobody</tt> account. If this happens then create
2235 an alternative guest account that can print and set the <a href="#GUESTACCOUNT">
2236 <i class="parameter"><tt>guest account</tt></i></a>
2237 in the [global] section.</p><p>You can form quite complex print commands by realizing
2238 that they are just passed to a shell. For example the following
2239 will log a print job, print the file, then remove it. Note that
2240 ';' is the usual separator for command in shell scripts.</p><p><b class="command">print command = echo Printing %s >>
2241 /tmp/print.log; lpr -P %p %s; rm %s</b></p><p>You may have to vary this command considerably depending
2242 on how you normally print files on your system. The default for
2243 the parameter varies depending on the setting of the <a href="#PRINTING">
2244 <i class="parameter"><tt>printing</tt></i></a> parameter.</p><p>Default: For <b class="command">printing = BSD, AIX, QNX, LPRNG
2245 or PLP :</b></p><p><b class="command">print command = lpr -r -P%p %s</b></p><p>For <b class="command">printing = SYSV or HPUX :</b></p><p><b class="command">print command = lp -c -d%p %s; rm %s</b></p><p>For <b class="command">printing = SOFTQ :</b></p><p><b class="command">print command = lp -d%p -s %s; rm %s</b></p><p>For printing = CUPS : If SAMBA is compiled against
2246 libcups, then <a href="#PRINTING">printcap = cups</a>
2247 uses the CUPS API to
2248 submit jobs, etc. Otherwise it maps to the System V
2249 commands with the -oraw option for printing, i.e. it
2250 uses <b class="command">lp -c -d%p -oraw; rm %s</b>.
2251 With <b class="command">printing = cups</b>,
2252 and if SAMBA is compiled against libcups, any manually
2253 set print command will be ignored.</p><p>Example: <b class="command">print command = /usr/local/samba/bin/myprintscript %p %s</b></p></dd><dt><span class="term"><a name="PRINTER"></a>printer (S)</span></dt><dd><p>Synonym for <a href="#PRINTERNAME"><i class="parameter"><tt>
2254 printer name</tt></i></a>.</p></dd><dt><span class="term"><a name="PRINTERADMIN"></a>printer admin (S)</span></dt><dd><p>This is a list of users that can do anything to
2255 printers via the remote administration interfaces offered by MS-RPC
2256 (usually using a NT workstation). Note that the root user always
2257 has admin rights.</p><p>Default: <b class="command">printer admin = <empty string></b></p><p>Example: <b class="command">printer admin = admin, @staff</b></p></dd><dt><span class="term"><a name="PRINTERNAME"></a>printer name (S)</span></dt><dd><p>This parameter specifies the name of the printer
2258 to which print jobs spooled through a printable service will be sent.</p><p>If specified in the [global] section, the printer
2259 name given will be used for any printable service that does
2260 not have its own printer name specified.</p><p>Default: <span class="emphasis"><em>none (but may be <tt class="constant">lp</tt>
2261 on many systems)</em></span></p><p>Example: <b class="command">printer name = laserwriter</b></p></dd><dt><span class="term"><a name="PRINTING"></a>printing (S)</span></dt><dd><p>This parameters controls how printer status information is
2262 interpreted on your system. It also affects the default values for
2263 the <i class="parameter"><tt>print command</tt></i>, <i class="parameter"><tt>lpq command</tt></i>, <i class="parameter"><tt>lppause command </tt></i>, <i class="parameter"><tt>lpresume command</tt></i>, and <i class="parameter"><tt>lprm command</tt></i> if specified in the
2264 [global] section.</p><p>Currently nine printing styles are supported. They are
2265 <tt class="constant">BSD</tt>, <tt class="constant">AIX</tt>,
2266 <tt class="constant">LPRNG</tt>, <tt class="constant">PLP</tt>,
2267 <tt class="constant">SYSV</tt>, <tt class="constant">HPUX</tt>,
2268 <tt class="constant">QNX</tt>, <tt class="constant">SOFTQ</tt>,
2269 and <tt class="constant">CUPS</tt>.</p><p>To see what the defaults are for the other print
2270 commands when using the various options use the <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> program.</p><p>This option can be set on a per printer basis</p><p>See also the discussion in the <a href="#PRINTERSSECT" title="The [printers] section">
2271 [printers]</a> section.</p></dd><dt><span class="term"><a name="PRINTOK"></a>print ok (S)</span></dt><dd><p>Synonym for <a href="#PRINTABLE">
2272 <i class="parameter"><tt>printable</tt></i></a>.</p></dd><dt><span class="term"><a name="PRIVATEDIR"></a>private dir (G)</span></dt><dd><p>This parameters defines the directory
2273 smbd will use for storing such files as <tt class="filename">smbpasswd</tt>
2274 and <tt class="filename">secrets.tdb</tt>.
2275 </p><p>Default :<b class="command">private dir = ${prefix}/private</b></p></dd><dt><span class="term"><a name="PROTOCOL"></a>protocol (G)</span></dt><dd><p>Synonym for <a href="#MAXPROTOCOL">
2276 <i class="parameter"><tt>max protocol</tt></i></a>.</p></dd><dt><span class="term"><a name="PUBLIC"></a>public (S)</span></dt><dd><p>Synonym for <a href="#GUESTOK"><i class="parameter"><tt>guest
2277 ok</tt></i></a>.</p></dd><dt><span class="term"><a name="QUEUEPAUSECOMMAND"></a>queuepause command (S)</span></dt><dd><p>This parameter specifies the command to be
2278 executed on the server host in order to pause the printer queue.</p><p>This command should be a program or script which takes
2279 a printer name as its only parameter and stops the printer queue,
2280 such that no longer jobs are submitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
2281 but can be issued from the Printers window under Windows 95
2282 and NT.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
2283 is put in its place. Otherwise it is placed at the end of the command.
2284 </p><p>Note that it is good practice to include the absolute
2285 path in the command as the PATH may not be available to the
2286 server.</p><p>Default: <span class="emphasis"><em>depends on the setting of <i class="parameter"><tt>printing</tt></i></em></span></p><p>Example: <b class="command">queuepause command = disable %p</b></p></dd><dt><span class="term"><a name="QUEUERESUMECOMMAND"></a>queueresume command (S)</span></dt><dd><p>This parameter specifies the command to be
2287 executed on the server host in order to resume the printer queue. It
2288 is the command to undo the behavior that is caused by the
2289 previous parameter (<a href="#QUEUEPAUSECOMMAND"><i class="parameter"><tt>
2290 queuepause command</tt></i></a>).</p><p>This command should be a program or script which takes
2291 a printer name as its only parameter and resumes the printer queue,
2292 such that queued jobs are resubmitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
2293 but can be issued from the Printers window under Windows 95
2294 and NT.</p><p>If a <i class="parameter"><tt>%p</tt></i> is given then the printer name
2295 is put in its place. Otherwise it is placed at the end of the
2296 command.</p><p>Note that it is good practice to include the absolute
2297 path in the command as the PATH may not be available to the
2298 server.</p><p>Default: <span class="emphasis"><em>depends on the setting of <a href="#PRINTING">
2299 <i class="parameter"><tt>printing</tt></i></a></em></span></p><p>Example: <b class="command">queuepause command = enable %p</b></p></dd><dt><span class="term"><a name="READBMPX"></a>read bmpx (G)</span></dt><dd><p>This boolean parameter controls whether
2300 <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will support the "Read
2301 Block Multiplex" SMB. This is now rarely used and defaults to
2302 <tt class="constant">no</tt>. You should never need to set this
2303 parameter.</p><p>Default: <b class="command">read bmpx = no</b></p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>This is a list of users that are given read-only
2304 access to a service. If the connecting user is in this list then
2305 they will not be given write access, no matter what the <a href="#READONLY">
2306 <i class="parameter"><tt>read only</tt></i></a>
2307 option is set to. The list can include group names using the
2308 syntax described in the <a href="#INVALIDUSERS"><i class="parameter"><tt>
2309 invalid users</tt></i></a> parameter.</p><p>See also the <a href="#WRITELIST"><i class="parameter"><tt>
2310 write list</tt></i></a> parameter and the <a href="#INVALIDUSERS">
2311 <i class="parameter"><tt>invalid users</tt></i>
2312 </a> parameter.</p><p>Default: <b class="command">read list = <empty string></b></p><p>Example: <b class="command">read list = mary, @students</b></p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a href="#WRITEABLE">
2313 <i class="parameter"><tt>writeable</tt></i></a>.</p><p>If this parameter is <tt class="constant">yes</tt>, then users
2314 of a service may not create or modify files in the service's
2315 directory.</p><p>Note that a printable service (<b class="command">printable = yes</b>)
2316 will <span class="emphasis"><em>ALWAYS</em></span> allow writing to the directory
2317 (user privileges permitting), but only via spooling operations.</p><p>Default: <b class="command">read only = yes</b></p></dd><dt><span class="term"><a name="READRAW"></a>read raw (G)</span></dt><dd><p>This parameter controls whether or not the server
2318 will support the raw read SMB requests when transferring data
2319 to clients.</p><p>If enabled, raw reads allow reads of 65535 bytes in
2320 one packet. This typically provides a major performance benefit.
2321 </p><p>However, some clients either negotiate the allowable
2322 block size incorrectly or are incapable of supporting larger block
2323 sizes, and for these clients you may need to disable raw reads.</p><p>In general this parameter should be viewed as a system tuning
2324 tool and left severely alone. See also <a href="#WRITERAW">
2325 <i class="parameter"><tt>write raw</tt></i></a>.</p><p>Default: <b class="command">read raw = yes</b></p></dd><dt><span class="term"><a name="READSIZE"></a>read size (G)</span></dt><dd><p>The option <i class="parameter"><tt>read size</tt></i>
2326 affects the overlap of disk reads/writes with network reads/writes.
2327 If the amount of data being transferred in several of the SMB
2328 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
2329 than this value then the server begins writing the data before it
2330 has received the whole packet from the network, or in the case of
2331 SMBreadbraw, it begins writing to the network before all the data
2332 has been read from disk.</p><p>This overlapping works best when the speeds of disk and
2333 network access are similar, having very little effect when the
2334 speed of one is much greater than the other.</p><p>The default value is 16384, but very little experimentation
2335 has been done yet to determine the optimal value, and it is likely
2336 that the best value will vary greatly between systems anyway.
2337 A value over 65536 is pointless and will cause you to allocate
2338 memory unnecessarily.</p><p>Default: <b class="command">read size = 16384</b></p><p>Example: <b class="command">read size = 8192</b></p></dd><dt><span class="term"><a name="REALM"></a>realm (G)</span></dt><dd><p>This option specifies the kerberos realm to use. The realm is
2339 used as the ADS equivalent of the NT4 <b class="command">domain</b>. It
2340 is usually set to the DNS name of the kerberos server.
2341 </p><p>Default: <b class="command">realm = </b></p><p>Example: <b class="command">realm = mysambabox.mycompany.com</b></p></dd><dt><span class="term"><a name="REMOTEANNOUNCE"></a>remote announce (G)</span></dt><dd><p>This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>to periodically announce itself
2342 to arbitrary IP addresses with an arbitrary workgroup name.</p><p>This is useful if you want your Samba server to appear
2343 in a remote workgroup for which the normal browse propagation
2344 rules don't work. The remote workgroup can be anywhere that you
2345 can send IP packets to.</p><p>For example:</p><p><b class="command">remote announce = 192.168.2.255/SERVERS
2346 192.168.4.255/STAFF</b></p><p>the above line would cause <b class="command">nmbd</b> to announce itself
2347 to the two given IP addresses using the given workgroup names.
2348 If you leave out the workgroup name then the one given in
2349 the <a href="#WORKGROUP"><i class="parameter"><tt>workgroup</tt></i></a>
2350 parameter is used instead.</p><p>The IP addresses you choose would normally be the broadcast
2351 addresses of the remote networks, but can also be the IP addresses
2352 of known browse masters if your network config is that stable.</p><p>See the documentation file <a href="improved-browsing.html" target="_top">BROWSING</a>
2353 in the <tt class="filename">docs/</tt> directory.</p><p>Default: <b class="command">remote announce = <empty string></b></p></dd><dt><span class="term"><a name="REMOTEBROWSESYNC"></a>remote browse sync (G)</span></dt><dd><p>This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to periodically request
2354 synchronization of browse lists with the master browser of a Samba
2355 server that is on a remote segment. This option will allow you to
2356 gain browse lists for multiple workgroups across routed networks. This
2357 is done in a manner that does not work with any non-Samba servers.</p><p>This is useful if you want your Samba server and all local
2358 clients to appear in a remote workgroup for which the normal browse
2359 propagation rules don't work. The remote workgroup can be anywhere
2360 that you can send IP packets to.</p><p>For example:</p><p><b class="command">remote browse sync = 192.168.2.255 192.168.4.255</b></p><p>the above line would cause <b class="command">nmbd</b> to request
2361 the master browser on the specified subnets or addresses to
2362 synchronize their browse lists with the local server.</p><p>The IP addresses you choose would normally be the broadcast
2363 addresses of the remote networks, but can also be the IP addresses
2364 of known browse masters if your network config is that stable. If
2365 a machine IP address is given Samba makes NO attempt to validate
2366 that the remote machine is available, is listening, nor that it
2367 is in fact the browse master on its segment.</p><p>Default: <b class="command">remote browse sync = <empty string></b></p></dd><dt><span class="term"><a name="RESTRICTANONYMOUS"></a>restrict anonymous (G)</span></dt><dd><p>The setting of this parameter determines whether user and
2368 group list information is returned for an anonymous connection.
2369 and mirrors the effects of the
2370 <tt class="constant">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous</tt> registry key in Windows
2371 2000 and Windows NT. When set to 0, user and group list
2372 information is returned to anyone who asks. When set
2373 to 1, only an authenticated user can retrive user and
2374 group list information. For the value 2, supported by
2375 Windows 2000/XP and Samba, no anonymous connections are allowed at
2376 all. This can break third party and Microsoft
2377 applications which expect to be allowed to perform
2378 operations anonymously.</p><p>
2379 The security advantage of using restrict anonymous = 1 is dubious,
2380 as user and group list information can be obtained using other
2382 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2383 The security advantage of using restrict anonymous = 2 is removed
2384 by setting <a href="#GUESTOK"><i class="parameter"><tt>guest
2385 ok</tt></i> = yes</a> on any share.
2386 </p></div><p>Default: <b class="command">restrict anonymous = 0</b></p></dd><dt><span class="term"><a name="ROOT"></a>root (G)</span></dt><dd><p>Synonym for <a href="#ROOTDIRECTORY">
2387 <i class="parameter"><tt>root directory"</tt></i></a>.
2388 </p></dd><dt><span class="term"><a name="ROOTDIR"></a>root dir (G)</span></dt><dd><p>Synonym for <a href="#ROOTDIRECTORY">
2389 <i class="parameter"><tt>root directory"</tt></i></a>.
2390 </p></dd><dt><span class="term"><a name="ROOTDIRECTORY"></a>root directory (G)</span></dt><dd><p>The server will <b class="command">chroot()</b> (i.e.
2391 Change its root directory) to this directory on startup. This is
2392 not strictly necessary for secure operation. Even without it the
2393 server will deny access to files not in one of the service entries.
2394 It may also check for, and deny access to, soft links to other
2395 parts of the filesystem, or attempts to use ".." in file names
2396 to access other directories (depending on the setting of the <a href="#WIDELINKS">
2397 <i class="parameter"><tt>wide links</tt></i></a>
2399 </p><p>Adding a <i class="parameter"><tt>root directory</tt></i> entry other
2400 than "/" adds an extra level of security, but at a price. It
2401 absolutely ensures that no access is given to files not in the
2402 sub-tree specified in the <i class="parameter"><tt>root directory</tt></i>
2403 option, <span class="emphasis"><em>including</em></span> some files needed for
2404 complete operation of the server. To maintain full operability
2405 of the server you will need to mirror some system files
2406 into the <i class="parameter"><tt>root directory</tt></i> tree. In particular
2407 you will need to mirror <tt class="filename">/etc/passwd</tt> (or a
2408 subset of it), and any binaries or configuration files needed for
2409 printing (if required). The set of files that must be mirrored is
2410 operating system dependent.</p><p>Default: <b class="command">root directory = /</b></p><p>Example: <b class="command">root directory = /homes/smb</b></p></dd><dt><span class="term"><a name="ROOTPOSTEXEC"></a>root postexec (S)</span></dt><dd><p>This is the same as the <i class="parameter"><tt>postexec</tt></i>
2411 parameter except that the command is run as root. This
2412 is useful for unmounting filesystems
2413 (such as CDROMs) after a connection is closed.</p><p>See also <a href="#POSTEXEC"><i class="parameter"><tt>
2414 postexec</tt></i></a>.</p><p>Default: <b class="command">root postexec = <empty string></b></p></dd><dt><span class="term"><a name="ROOTPREEXEC"></a>root preexec (S)</span></dt><dd><p>This is the same as the <i class="parameter"><tt>preexec</tt></i>
2415 parameter except that the command is run as root. This
2416 is useful for mounting filesystems (such as CDROMs) when a
2417 connection is opened.</p><p>See also <a href="#PREEXEC"><i class="parameter"><tt>
2418 preexec</tt></i></a> and <a href="#PREEXECCLOSE">
2419 <i class="parameter"><tt>preexec close</tt></i></a>.</p><p>Default: <b class="command">root preexec = <empty string></b></p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <i class="parameter"><tt>preexec close
2420 </tt></i> parameter except that the command is run as root.</p><p>See also <a href="#PREEXEC"><i class="parameter"><tt>
2421 preexec</tt></i></a> and <a href="#PREEXECCLOSE">
2422 <i class="parameter"><tt>preexec close</tt></i></a>.</p><p>Default: <b class="command">root preexec close = no</b></p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to
2423 Samba and is one of the most important settings in the <tt class="filename">
2424 smb.conf</tt> file.</p><p>The option sets the "security mode bit" in replies to
2425 protocol negotiations with <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to turn share level security on or off. Clients decide
2426 based on this bit whether (and how) to transfer user and password
2427 information to the server.</p><p>The default is <b class="command">security = user</b>, as this is
2428 the most common setting needed when talking to Windows 98 and
2429 Windows NT.</p><p>The alternatives are <b class="command">security = share</b>,
2430 <b class="command">security = server</b> or <b class="command">security = domain
2431 </b>.</p><p>In versions of Samba prior to 2.0.0, the default was
2432 <b class="command">security = share</b> mainly because that was
2433 the only option at one stage.</p><p>There is a bug in WfWg that has relevance to this
2434 setting. When in user or server level security a WfWg client
2435 will totally ignore the password you type in the "connect
2436 drive" dialog box. This makes it very difficult (if not impossible)
2437 to connect to a Samba service as anyone except the user that
2438 you are logged into WfWg as.</p><p>If your PCs use usernames that are the same as their
2439 usernames on the UNIX machine then you will want to use
2440 <b class="command">security = user</b>. If you mostly use usernames
2441 that don't exist on the UNIX box then use <b class="command">security =
2442 share</b>.</p><p>You should also use <b class="command">security = share</b> if you
2443 want to mainly setup shares without a password (guest shares). This
2444 is commonly used for a shared printer server. It is more difficult
2445 to setup guest shares with <b class="command">security = user</b>, see
2446 the <a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i>
2447 </a>parameter for details.</p><p>It is possible to use <b class="command">smbd</b> in a <span class="emphasis"><em>
2448 hybrid mode</em></span> where it is offers both user and share
2449 level security under different <a href="#NETBIOSALIASES">
2450 <i class="parameter"><tt>NetBIOS aliases</tt></i></a>. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
2451 need not log onto the server with a valid username and password before
2452 attempting to connect to a shared resource (although modern clients
2453 such as Windows 95/98 and Windows NT will send a logon request with
2454 a username but no password when talking to a <b class="command">security = share
2455 </b> server). Instead, the clients send authentication information
2456 (passwords) on a per-share basis, at the time they attempt to connect
2457 to that share.</p><p>Note that <b class="command">smbd</b> <span class="emphasis"><em>ALWAYS</em></span>
2458 uses a valid UNIX user to act on behalf of the client, even in
2459 <b class="command">security = share</b> level security.</p><p>As clients are not required to send a username to the server
2460 in share level security, <b class="command">smbd</b> uses several
2461 techniques to determine the correct UNIX user to use on behalf
2462 of the client.</p><p>A list of possible UNIX usernames to match with the given
2463 client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a href="#GUESTONLY"><i class="parameter"><tt>guest
2464 only</tt></i></a> parameter is set, then all the other
2465 stages are missed and only the <a href="#GUESTACCOUNT">
2466 <i class="parameter"><tt>guest account</tt></i></a> username is checked.
2467 </p></li><li><p>Is a username is sent with the share connection
2468 request, then this username (after mapping - see <a href="#USERNAMEMAP">
2469 <i class="parameter"><tt>username map</tt></i></a>),
2470 is added as a potential username.
2471 </p></li><li><p>If the client did a previous <span class="emphasis"><em>logon
2472 </em></span> request (the SessionSetup SMB call) then the
2473 username sent in this SMB will be added as a potential username.
2474 </p></li><li><p>The name of the service the client requested is
2475 added as a potential username.
2476 </p></li><li><p>The NetBIOS name of the client is added to
2477 the list as a potential username.
2478 </p></li><li><p>Any users on the <a href="#USER"><i class="parameter"><tt>
2479 user</tt></i></a> list are added as potential usernames.
2480 </p></li></ul></div><p>If the <i class="parameter"><tt>guest only</tt></i> parameter is
2481 not set, then this list is then tried with the supplied password.
2482 The first user for whom the password matches will be used as the
2483 UNIX user.</p><p>If the <i class="parameter"><tt>guest only</tt></i> parameter is
2484 set, or no username can be determined then if the share is marked
2485 as available to the <i class="parameter"><tt>guest account</tt></i>, then this
2486 guest user will be used, otherwise access is denied.</p><p>Note that it can be <span class="emphasis"><em>very</em></span> confusing
2487 in share-level security as to which UNIX username will eventually
2488 be used in granting access.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
2489 NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0.
2490 With user-level security a client must first "log-on" with a
2491 valid username and password (which can be mapped using the <a href="#USERNAMEMAP">
2492 <i class="parameter"><tt>username map</tt></i></a>
2493 parameter). Encrypted passwords (see the <a href="#ENCRYPTPASSWORDS">
2494 <i class="parameter"><tt>encrypted passwords</tt></i></a> parameter) can also
2495 be used in this security mode. Parameters such as <a href="#USER">
2496 <i class="parameter"><tt>user</tt></i></a> and <a href="#GUESTONLY">
2497 <i class="parameter"><tt>guest only</tt></i></a> if set are then applied and
2498 may change the UNIX user to use on this connection, but only after
2499 the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
2500 requested is <span class="emphasis"><em>not</em></span> sent to the server until after
2501 the server has successfully authenticated the client. This is why
2502 guest shares don't work in user level security without allowing
2503 the server to automatically map unknown users into the <a href="#GUESTACCOUNT">
2504 <i class="parameter"><tt>guest account</tt></i></a>.
2505 See the <a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i>
2506 </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
2507 NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
2508 machine into a Windows NT Domain. It expects the <a href="#ENCRYPTPASSWORDS">
2509 <i class="parameter"><tt>encrypted passwords</tt></i>
2510 </a> parameter to be set to <tt class="constant">yes</tt>. In this
2511 mode Samba will try to validate the username/password by passing
2512 it to a Windows NT Primary or Backup Domain Controller, in exactly
2513 the same way that a Windows NT Server would do.</p><p><span class="emphasis"><em>Note</em></span> that a valid UNIX user must still
2514 exist as well as the account on the Domain Controller to allow
2515 Samba to have a valid UNIX account to map file access to.</p><p><span class="emphasis"><em>Note</em></span> that from the client's point
2516 of view <b class="command">security = domain</b> is the same
2517 as <b class="command">security = user</b>. It only
2518 affects how the server deals with the authentication,
2519 it does not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
2520 requested is <span class="emphasis"><em>not</em></span> sent to the server until after
2521 the server has successfully authenticated the client. This is why
2522 guest shares don't work in user level security without allowing
2523 the server to automatically map unknown users into the <a href="#GUESTACCOUNT">
2524 <i class="parameter"><tt>guest account</tt></i></a>.
2525 See the <a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i>
2526 </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
2527 NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a href="#PASSWORDSERVER"><i class="parameter"><tt>password
2528 server</tt></i></a> parameter and the <a href="#ENCRYPTPASSWORDS">
2529 <i class="parameter"><tt>encrypted passwords</tt></i>
2530 </a> parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>In this mode Samba will try to validate the username/password
2531 by passing it to another SMB server, such as an NT box. If this
2532 fails it will revert to <b class="command">security =
2533 user</b>. It expects the <a href="#ENCRYPTPASSWORDS">
2534 <i class="parameter"><tt>encrypted passwords</tt></i></a> parameter
2535 to be set to <tt class="constant">yes</tt>, unless the remote server
2536 does not support them. However note that if encrypted passwords have been
2537 negotiated then Samba cannot revert back to checking the UNIX password file,
2538 it must have a valid <tt class="filename">smbpasswd</tt> file to check
2539 users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</p><p><span class="emphasis"><em>Note</em></span> this mode of operation has
2540 significant pitfalls, due to the fact that is activly initiates a
2541 man-in-the-middle attack on the remote SMB server. In particular,
2542 this mode of operation can cause significant resource consuption on
2543 the PDC, as it must maintain an active connection for the duration
2544 of the user's session. Furthermore, if this connection is lost,
2545 there is no way to reestablish it, and futher authenticaions to the
2546 Samba server may fail. (From a single client, till it disconnects).
2547 </p><p><span class="emphasis"><em>Note</em></span> that from the client's point of
2548 view <b class="command">security = server</b> is the
2549 same as <b class="command">security = user</b>. It
2550 only affects how the server deals with the authentication, it does
2551 not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
2552 requested is <span class="emphasis"><em>not</em></span> sent to the server until after
2553 the server has successfully authenticated the client. This is why
2554 guest shares don't work in user level security without allowing
2555 the server to automatically map unknown users into the <a href="#GUESTACCOUNT">
2556 <i class="parameter"><tt>guest account</tt></i></a>.
2557 See the <a href="#MAPTOGUEST"><i class="parameter"><tt>map to guest</tt></i>
2558 </a> parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
2559 NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a href="#PASSWORDSERVER"><i class="parameter"><tt>password
2560 server</tt></i></a> parameter and the <a href="#ENCRYPTPASSWORDS">
2561 <i class="parameter"><tt>encrypted passwords</tt></i></a> parameter.</p><p>Default: <b class="command">security = USER</b></p><p>Example: <b class="command">security = DOMAIN</b></p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission
2562 bits can be modified when a Windows NT client is manipulating
2563 the UNIX permission on a file using the native NT security
2564 dialog box.</p><p>This parameter is applied as a mask (AND'ed with) to
2565 the changed permission bits, thus preventing any bits not in
2566 this mask from being modified. Essentially, zero bits in this
2567 mask may be treated as a set of bits the user is not allowed
2568 to change.</p><p>If not set explicitly this parameter is 0777, allowing
2569 a user to modify all the user/group/world permissions on a file.
2570 </p><p><span class="emphasis"><em>Note</em></span> that users who can access the
2571 Samba server through other means can easily bypass this
2572 restriction, so it is primarily useful for standalone
2573 "appliance" systems. Administrators of most normal systems will
2574 probably want to leave it set to <tt class="constant">0777</tt>.</p><p>See also the <a href="#FORCEDIRECTORYSECURITYMODE">
2575 <i class="parameter"><tt>force directory security mode</tt></i></a>,
2576 <a href="#DIRECTORYSECURITYMASK"><i class="parameter"><tt>directory
2577 security mask</tt></i></a>, <a href="#FORCESECURITYMODE">
2578 <i class="parameter"><tt>force security mode</tt></i></a> parameters.</p><p>Default: <b class="command">security mask = 0777</b></p><p>Example: <b class="command">security mask = 0770</b></p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p>This controls whether the server offers or even
2579 demands the use of the netlogon schannel.
2580 <i class="parameter"><tt>server schannel = no</tt></i> does not
2581 offer the schannel, <i class="parameter"><tt>server schannel =
2582 auto</tt></i> offers the schannel but does not
2583 enforce it, and <i class="parameter"><tt>server schannel =
2584 yes</tt></i> denies access if the client is not
2585 able to speak netlogon schannel. This is only the case
2586 for Windows NT4 before SP4.</p><p>Please note that with this set to
2587 <i class="parameter"><tt>no</tt></i> you will have to apply the
2588 WindowsXP requireSignOrSeal-Registry patch found in
2589 the docs/Registry subdirectory.</p><p>Default: <b class="command">server schannel = auto</b></p><p>Example: <b class="command">server schannel = yes</b></p></dd><dt><span class="term"><a name="SERVERSTRING"></a>server string (G)</span></dt><dd><p>This controls what string will show up in the printer comment box in print
2590 manager and next to the IPC connection in <b class="command">net view</b>. It
2591 can be any string that you wish to show to your users.</p><p>It also sets what will appear in browse lists next
2592 to the machine name.</p><p>A <i class="parameter"><tt>%v</tt></i> will be replaced with the Samba
2593 version number.</p><p>A <i class="parameter"><tt>%h</tt></i> will be replaced with the
2594 hostname.</p><p>Default: <b class="command">server string = Samba %v</b></p><p>Example: <b class="command">server string = University of GNUs Samba
2595 Server</b></p></dd><dt><span class="term"><a name="SETDIRECTORY"></a>set directory (S)</span></dt><dd><p>If <b class="command">set directory = no</b>, then
2596 users of the service may not use the setdir command to change
2597 directory.</p><p>The <b class="command">setdir</b> command is only implemented
2598 in the Digital Pathworks client. See the Pathworks documentation
2599 for details.</p><p>Default: <b class="command">set directory = no</b></p></dd><dt><span class="term"><a name="SETPRIMARYGROUPSCRIPT"></a>set primary group script (G)</span></dt><dd><p>Thanks to the Posix subsystem in NT a Windows User has a
2600 primary group in addition to the auxiliary groups. This script
2601 sets the primary group in the unix userdatase when an
2602 administrator sets the primary group from the windows user
2603 manager or when fetching a SAM with <b class="command">net rpc
2604 vampire</b>. <i class="parameter"><tt>%u</tt></i> will be replaced
2605 with the user whose primary group is to be set.
2606 <i class="parameter"><tt>%g</tt></i> will be replaced with the group to
2607 set.</p><p>Default: <span class="emphasis"><em>No default value</em></span></p><p>Example: <b class="command">set primary group script = /usr/sbin/usermod -g '%g' '%u'</b></p></dd><dt><span class="term"><a name="SHAREMODES"></a>share modes (S)</span></dt><dd><p>This enables or disables the honoring of
2608 the <i class="parameter"><tt>share modes</tt></i> during a file open. These
2609 modes are used by clients to gain exclusive read or write access
2610 to a file.</p><p>These open modes are not directly supported by UNIX, so
2611 they are simulated using shared memory, or lock files if your
2612 UNIX doesn't support shared memory (almost all do).</p><p>The share modes that are enabled by this option are
2613 <tt class="constant">DENY_DOS</tt>, <tt class="constant">DENY_ALL</tt>,
2614 <tt class="constant">DENY_READ</tt>, <tt class="constant">DENY_WRITE</tt>,
2615 <tt class="constant">DENY_NONE</tt> and <tt class="constant">DENY_FCB</tt>.
2616 </p><p>This option gives full share compatibility and enabled
2617 by default.</p><p>You should <span class="emphasis"><em>NEVER</em></span> turn this parameter
2618 off as many Windows applications will break if you do so.</p><p>Default: <b class="command">share modes = yes</b></p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p>This boolean parameter controls if new files
2619 which conform to 8.3 syntax, that is all in upper case and of
2620 suitable length, are created upper case, or if they are forced
2621 to be the <a href="#DEFAULTCASE"><i class="parameter"><tt>default case
2622 </tt></i></a>. This option can be use with <a href="#PRESERVECASE"><b class="command">preserve case = yes</b>
2623 </a> to permit long filenames to retain their case, while short
2624 names are lowered. </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <b class="command">short preserve case = yes</b></p></dd><dt><span class="term"><a name="SHOWADDPRINTERWIZARD"></a>show add printer wizard (G)</span></dt><dd><p>With the introduction of MS-RPC based printing support
2625 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
2626 appear on Samba hosts in the share listing. Normally this folder will
2627 contain an icon for the MS Add Printer Wizard (APW). However, it is
2628 possible to disable this feature regardless of the level of privilege
2629 of the connected user.</p><p>Under normal circumstances, the Windows NT/2000 client will
2630 open a handle on the printer server with OpenPrinterEx() asking for
2631 Administrator privileges. If the user does not have administrative
2632 access on the print server (i.e is not root or a member of the
2633 <i class="parameter"><tt>printer admin</tt></i> group), the OpenPrinterEx()
2634 call fails and the client makes another open call with a request for
2635 a lower privilege level. This should succeed, however the APW
2636 icon will not be displayed.</p><p>Disabling the <i class="parameter"><tt>show add printer wizard</tt></i>
2637 parameter will always cause the OpenPrinterEx() on the server
2638 to fail. Thus the APW icon will never be displayed. <span class="emphasis"><em>
2639 Note :</em></span>This does not prevent the same user from having
2640 administrative privilege on an individual printer.</p><p>See also <a href="#ADDPRINTERCOMMAND"><i class="parameter"><tt>addprinter
2641 command</tt></i></a>, <a href="#DELETEPRINTERCOMMAND">
2642 <i class="parameter"><tt>deleteprinter command</tt></i></a>, <a href="#PRINTERADMIN">
2643 <i class="parameter"><tt>printer admin</tt></i></a></p><p>Default :<b class="command">show add printer wizard = yes</b></p></dd><dt><span class="term"><a name="SHUTDOWNSCRIPT"></a>shutdown script (G)</span></dt><dd><p><span class="emphasis"><em>This parameter only exists in the HEAD cvs branch</em></span>
2644 This a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should start a shutdown procedure.</p><p>This command will be run as the user connected to the server.</p><p>%m %t %r %f parameters are expanded:</p><div class="itemizedlist"><ul type="disc"><li><p><i class="parameter"><tt>%m</tt></i> will be substituted with the
2645 shutdown message sent to the server.</p></li><li><p><i class="parameter"><tt>%t</tt></i> will be substituted with the
2646 number of seconds to wait before effectively starting the
2647 shutdown procedure.</p></li><li><p><i class="parameter"><tt>%r</tt></i> will be substituted with the
2648 switch <span class="emphasis"><em>-r</em></span>. It means reboot after shutdown
2649 for NT.</p></li><li><p><i class="parameter"><tt>%f</tt></i> will be substituted with the
2650 switch <span class="emphasis"><em>-f</em></span>. It means force the shutdown
2651 even if applications do not respond for NT.</p></li></ul></div><p>Default: <span class="emphasis"><em>None</em></span>.</p><p>Example: <b class="command">abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</b></p><p>Shutdown script example:
2652 </p><pre class="programlisting">
2656 let "time/60"
2657 let "time++"
2659 /sbin/shutdown $3 $4 +$time $1 &
2661 Shutdown does not return so we need to launch it in background.
2662 </p><p>See also <a href="#ABORTSHUTDOWNSCRIPT">
2663 <i class="parameter"><tt>abort shutdown script</tt></i></a>.</p></dd><dt><span class="term"><a name="SMBPASSWDFILE"></a>smb passwd file (G)</span></dt><dd><p>This option sets the path to the encrypted smbpasswd file. By
2664 default the path to the smbpasswd file is compiled into Samba.</p><p>Default: <b class="command">smb passwd file = ${prefix}/private/smbpasswd</b></p><p>Example: <b class="command">smb passwd file = /etc/samba/smbpasswd</b></p></dd><dt><span class="term"><a name="SMBPORTS"></a>smb ports (G)</span></dt><dd><p>Specifies which ports the server should listen on for SMB traffic.</p><p>Default: <b class="command">smb ports = 445 139</b></p></dd><dt><span class="term"><a name="SOCKETADDRESS"></a>socket address (G)</span></dt><dd><p>This option allows you to control what
2665 address Samba will listen for connections on. This is used to
2666 support multiple virtual interfaces on the one server, each
2667 with a different configuration.</p><p>By default Samba will accept connections on any
2668 address.</p><p>Example: <b class="command">socket address = 192.168.2.20</b></p></dd><dt><span class="term"><a name="SOCKETOPTIONS"></a>socket options (G)</span></dt><dd><p>This option allows you to set socket options
2669 to be used when talking with the client.</p><p>Socket options are controls on the networking layer
2670 of the operating systems which allow the connection to be
2671 tuned.</p><p>This option will typically be used to tune your Samba server
2672 for optimal performance for your local network. There is no way
2673 that Samba can know what the optimal parameters are for your net,
2674 so you must experiment and choose them yourself. We strongly
2675 suggest you read the appropriate documentation for your operating
2676 system first (perhaps <b class="command">man
2677 setsockopt</b> will help).</p><p>You may find that on some systems Samba will say
2678 "Unknown socket option" when you supply an option. This means you
2679 either incorrectly typed it or you need to add an include file
2680 to includes.h for your OS. If the latter is the case please
2681 send the patch to <a href="mailto:samba-technical@samba.org" target="_top">
2682 samba-technical@samba.org</a>.</p><p>Any of the supported socket options may be combined
2683 in any way you like, as long as your OS allows it.</p><p>This is the list of socket options currently settable
2684 using this option:</p><div class="itemizedlist"><ul type="disc"><li><p>SO_KEEPALIVE</p></li><li><p>SO_REUSEADDR</p></li><li><p>SO_BROADCAST</p></li><li><p>TCP_NODELAY</p></li><li><p>IPTOS_LOWDELAY</p></li><li><p>IPTOS_THROUGHPUT</p></li><li><p>SO_SNDBUF *</p></li><li><p>SO_RCVBUF *</p></li><li><p>SO_SNDLOWAT *</p></li><li><p>SO_RCVLOWAT *</p></li></ul></div><p>Those marked with a <span class="emphasis"><em>'*'</em></span> take an integer
2685 argument. The others can optionally take a 1 or 0 argument to enable
2686 or disable the option, by default they will be enabled if you
2687 don't specify 1 or 0.</p><p>To specify an argument use the syntax SOME_OPTION = VALUE
2688 for example <b class="command">SO_SNDBUF = 8192</b>. Note that you must
2689 not have any spaces before or after the = sign.</p><p>If you are on a local network then a sensible option
2690 might be:</p><p><b class="command">socket options = IPTOS_LOWDELAY</b></p><p>If you have a local network then you could try:</p><p><b class="command">socket options = IPTOS_LOWDELAY TCP_NODELAY</b></p><p>If you are on a wide area network then perhaps try
2691 setting IPTOS_THROUGHPUT. </p><p>Note that several of the options may cause your Samba
2692 server to fail completely. Use these options with caution!</p><p>Default: <b class="command">socket options = TCP_NODELAY</b></p><p>Example: <b class="command">socket options = IPTOS_LOWDELAY</b></p></dd><dt><span class="term"><a name="SOURCEENVIRONMENT"></a>source environment (G)</span></dt><dd><p>This parameter causes Samba to set environment
2693 variables as per the content of the file named.</p><p>If the value of this parameter starts with a "|" character
2694 then Samba will treat that value as a pipe command to open and
2695 will set the environment variables from the output of the pipe.</p><p>The contents of the file or the output of the pipe should
2696 be formatted as the output of the standard Unix <b class="command">env(1)</b> command. This is of the form:</p><p>Example environment entry:</p><p><b class="command">SAMBA_NETBIOS_NAME = myhostname</b></p><p>Default: <span class="emphasis"><em>No default value</em></span></p><p>Examples: <b class="command">source environment = |/etc/smb.conf.sh</b></p><p>Example: <b class="command">source environment =
2697 /usr/local/smb_env_vars</b></p></dd><dt><span class="term"><a name="STATCACHE"></a>stat cache (G)</span></dt><dd><p>This parameter determines if <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will use a cache in order to
2698 speed up case insensitive name mappings. You should never need
2699 to change this parameter.</p><p>Default: <b class="command">stat cache = yes</b></p></dd><dt><span class="term"><a name="STATCACHESIZE"></a>stat cache size (G)</span></dt><dd><p>This parameter determines the number of
2700 entries in the <i class="parameter"><tt>stat cache</tt></i>. You should
2701 never need to change this parameter.</p><p>Default: <b class="command">stat cache size = 50</b></p></dd><dt><span class="term"><a name="STRICTALLOCATE"></a>strict allocate (S)</span></dt><dd><p>This is a boolean that controls the handling of
2702 disk space allocation in the server. When this is set to <tt class="constant">yes</tt>
2703 the server will change from UNIX behaviour of not committing real
2704 disk storage blocks when a file is extended to the Windows behaviour
2705 of actually forcing the disk system to allocate real storage blocks
2706 when a file is created or extended to be a given size. In UNIX
2707 terminology this means that Samba will stop creating sparse files.
2708 This can be slow on some systems.</p><p>When strict allocate is <tt class="constant">no</tt> the server does sparse
2709 disk block allocation when a file is extended.</p><p>Setting this to <tt class="constant">yes</tt> can help Samba return
2710 out of quota messages on systems that are restricting the disk quota
2711 of users.</p><p>Default: <b class="command">strict allocate = no</b></p></dd><dt><span class="term"><a name="STRICTLOCKING"></a>strict locking (S)</span></dt><dd><p>This is a boolean that controls the handling of
2712 file locking in the server. When this is set to <tt class="constant">yes</tt>
2713 the server will check every read and write access for file locks, and
2714 deny access if locks exist. This can be slow on some systems.</p><p>When strict locking is <tt class="constant">no</tt> the server does file
2715 lock checks only when the client explicitly asks for them.</p><p>Well-behaved clients always ask for lock checks when it
2716 is important, so in the vast majority of cases <b class="command">strict
2717 locking = no</b> is preferable.</p><p>Default: <b class="command">strict locking = no</b></p></dd><dt><span class="term"><a name="STRICTSYNC"></a>strict sync (S)</span></dt><dd><p>Many Windows applications (including the Windows 98 explorer
2718 shell) seem to confuse flushing buffer contents to disk with doing
2719 a sync to disk. Under UNIX, a sync call forces the process to be
2720 suspended until the kernel has ensured that all outstanding data in
2721 kernel disk buffers has been safely stored onto stable storage.
2722 This is very slow and should only be done rarely. Setting this
2723 parameter to <tt class="constant">no</tt> (the default) means that
2724 <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> ignores the Windows
2725 applications requests for a sync call. There is only a possibility
2726 of losing data if the operating system itself that Samba is running
2727 on crashes, so there is little danger in this default setting. In
2728 addition, this fixes many performance problems that people have
2729 reported with the new Windows98 explorer shell file copies.</p><p>See also the <a href="#SYNCALWAYS"><i class="parameter"><tt>sync
2730 always</tt></i></a> parameter.</p><p>Default: <b class="command">strict sync = no</b></p></dd><dt><span class="term"><a name="STRIPDOT"></a>strip dot (G)</span></dt><dd><p>This is a boolean that controls whether to
2731 strip trailing dots off UNIX filenames. This helps with some
2732 CDROMs that have filenames ending in a single dot.</p><p>Default: <b class="command">strip dot = no</b></p></dd><dt><span class="term"><a name="SYNCALWAYS"></a>sync always (S)</span></dt><dd><p>This is a boolean parameter that controls
2733 whether writes will always be written to stable storage before
2734 the write call returns. If this is <tt class="constant">no</tt> then the server will be
2735 guided by the client's request in each write call (clients can
2736 set a bit indicating that a particular write should be synchronous).
2737 If this is <tt class="constant">yes</tt> then every write will be followed by a <b class="command">fsync()
2738 </b> call to ensure the data is written to disk. Note that
2739 the <i class="parameter"><tt>strict sync</tt></i> parameter must be set to
2740 <tt class="constant">yes</tt> in order for this parameter to have
2741 any affect.</p><p>See also the <a href="#STRICTSYNC"><i class="parameter"><tt>strict
2742 sync</tt></i></a> parameter.</p><p>Default: <b class="command">sync always = no</b></p></dd><dt><span class="term"><a name="SYSLOG"></a>syslog (G)</span></dt><dd><p>This parameter maps how Samba debug messages
2743 are logged onto the system syslog logging levels. Samba debug
2744 level zero maps onto syslog <tt class="constant">LOG_ERR</tt>, debug
2745 level one maps onto <tt class="constant">LOG_WARNING</tt>, debug level
2746 two maps onto <tt class="constant">LOG_NOTICE</tt>, debug level three
2747 maps onto LOG_INFO. All higher levels are mapped to <tt class="constant">
2748 LOG_DEBUG</tt>.</p><p>This parameter sets the threshold for sending messages
2749 to syslog. Only messages with debug level less than this value
2750 will be sent to syslog.</p><p>Default: <b class="command">syslog = 1</b></p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p>If this parameter is set then Samba debug
2751 messages are logged into the system syslog only, and not to
2752 the debug log files.</p><p>Default: <b class="command">syslog only = no</b></p></dd><dt><span class="term"><a name="TEMPLATEHOMEDIR"></a>template homedir (G)</span></dt><dd><p>When filling out the user information for a Windows NT
2753 user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this
2754 parameter to fill in the home directory for that user. If the
2755 string <i class="parameter"><tt>%D</tt></i> is present it
2756 is substituted with the user's Windows NT domain name. If the
2757 string <i class="parameter"><tt>%U</tt></i> is present it
2758 is substituted with the user's Windows NT user name.</p><p>Default: <b class="command">template homedir = /home/%D/%U</b></p></dd><dt><span class="term"><a name="TEMPLATESHELL"></a>template shell (G)</span></dt><dd><p>When filling out the user information for a Windows NT
2759 user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this
2760 parameter to fill in the login shell for that user.</p><p>Default: <b class="command">template shell = /bin/false</b></p></dd><dt><span class="term"><a name="TIMEOFFSET"></a>time offset (G)</span></dt><dd><p>This parameter is a setting in minutes to add
2761 to the normal GMT to local time conversion. This is useful if
2762 you are serving a lot of PCs that have incorrect daylight
2763 saving time handling.</p><p>Default: <b class="command">time offset = 0</b></p><p>Example: <b class="command">time offset = 60</b></p></dd><dt><span class="term"><a name="TIMESERVER"></a>time server (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> advertises itself as a time server to Windows
2764 clients.</p><p>Default: <b class="command">time server = no</b></p></dd><dt><span class="term"><a name="TIMESTAMPLOGS"></a>timestamp logs (G)</span></dt><dd><p>Synonym for <a href="#DEBUGTIMESTAMP"><i class="parameter"><tt>
2765 debug timestamp</tt></i></a>.</p></dd><dt><span class="term"><a name="TOTALPRINTJOBS"></a>total print jobs (G)</span></dt><dd><p>This parameter accepts an integer value which defines
2766 a limit on the maximum number of print jobs that will be accepted
2767 system wide at any given time. If a print job is submitted
2768 by a client which will exceed this number, then <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will return an
2769 error indicating that no space is available on the server. The
2770 default value of 0 means that no such limit exists. This parameter
2771 can be used to prevent a server from exceeding its capacity and is
2772 designed as a printing throttle. See also <a href="#MAXPRINTJOBS">
2773 <i class="parameter"><tt>max print jobs</tt></i></a>.
2774 </p><p>Default: <b class="command">total print jobs = 0</b></p><p>Example: <b class="command">total print jobs = 5000</b></p></dd><dt><span class="term"><a name="UNICODE"></a>unicode (G)</span></dt><dd><p>Specifies whether Samba should try
2775 to use unicode on the wire by default. Note: This does NOT
2776 mean that samba will assume that the unix machine uses unicode!
2777 </p><p>Default: <b class="command">unicode = yes</b></p></dd><dt><span class="term"><a name="UNIXCHARSET"></a>unix charset (G)</span></dt><dd><p>Specifies the charset the unix machine
2778 Samba runs on uses. Samba needs to know this in order to be able to
2779 convert text to the charsets other SMB clients use.
2780 </p><p>Default: <b class="command">unix charset = UTF8</b></p><p>Example: <b class="command">unix charset = ASCII</b></p></dd><dt><span class="term"><a name="UNIXEXTENSIONS"></a>unix extensions (G)</span></dt><dd><p>This boolean parameter controls whether Samba
2781 implments the CIFS UNIX extensions, as defined by HP.
2782 These extensions enable Samba to better serve UNIX CIFS clients
2783 by supporting features such as symbolic links, hard links, etc...
2784 These extensions require a similarly enabled client, and are of
2785 no current use to Windows clients.</p><p>Default: <b class="command">unix extensions = no</b></p></dd><dt><span class="term"><a name="UNIXPASSWORDSYNC"></a>unix password sync (G)</span></dt><dd><p>This boolean parameter controls whether Samba
2786 attempts to synchronize the UNIX password with the SMB password
2787 when the encrypted SMB password in the smbpasswd file is changed.
2788 If this is set to <tt class="constant">yes</tt> the program specified in the <i class="parameter"><tt>passwd
2789 program</tt></i>parameter is called <span class="emphasis"><em>AS ROOT</em></span> -
2790 to allow the new UNIX password to be set without access to the
2791 old UNIX password (as the SMB password change code has no
2792 access to the old password cleartext, only the new).</p><p>See also <a href="#PASSWDPROGRAM"><i class="parameter"><tt>passwd
2793 program</tt></i></a>, <a href="#PASSWDCHAT"><i class="parameter"><tt>
2794 passwd chat</tt></i></a>.
2795 </p><p>Default: <b class="command">unix password sync = no</b></p></dd><dt><span class="term"><a name="UPDATEENCRYPTED"></a>update encrypted (G)</span></dt><dd><p>This boolean parameter allows a user logging on with
2796 a plaintext password to have their encrypted (hashed) password in
2797 the smbpasswd file to be updated automatically as they log
2798 on. This option allows a site to migrate from plaintext
2799 password authentication (users authenticate with plaintext
2800 password over the wire, and are checked against a UNIX account
2801 database) to encrypted password authentication (the SMB
2802 challenge/response authentication mechanism) without forcing all
2803 users to re-enter their passwords via smbpasswd at the time the
2804 change is made. This is a convenience option to allow the change
2805 over to encrypted passwords to be made over a longer period.
2806 Once all users have encrypted representations of their passwords
2807 in the smbpasswd file this parameter should be set to
2808 <tt class="constant">no</tt>.</p><p>In order for this parameter to work correctly the <a href="#ENCRYPTPASSWORDS">
2809 <i class="parameter"><tt>encrypt passwords</tt></i></a> parameter must
2810 be set to <tt class="constant">no</tt> when this parameter is set to <tt class="constant">yes</tt>.</p><p>Note that even when this parameter is set a user
2811 authenticating to <b class="command">smbd</b> must still enter a valid
2812 password in order to connect correctly, and to update their hashed
2813 (smbpasswd) passwords.</p><p>Default: <b class="command">update encrypted = no</b></p></dd><dt><span class="term"><a name="USECLIENTDRIVER"></a>use client driver (S)</span></dt><dd><p>This parameter applies only to Windows NT/2000
2814 clients. It has no effect on Windows 95/98/ME clients. When
2815 serving a printer to Windows NT/2000 clients without first installing
2816 a valid printer driver on the Samba host, the client will be required
2817 to install a local printer driver. From this point on, the client
2818 will treat the print as a local printer and not a network printer
2819 connection. This is much the same behavior that will occur
2820 when <b class="command">disable spoolss = yes</b>.
2821 </p><p>The differentiating factor is that under normal
2822 circumstances, the NT/2000 client will attempt to open the network
2823 printer using MS-RPC. The problem is that because the client
2824 considers the printer to be local, it will attempt to issue the
2825 OpenPrinterEx() call requesting access rights associated with the
2826 logged on user. If the user possesses local administator rights but
2827 not root privilegde on the Samba host (often the case), the
2828 OpenPrinterEx() call will fail. The result is that the client will
2829 now display an "Access Denied; Unable to connect" message
2830 in the printer queue window (even though jobs may successfully be
2831 printed). </p><p>If this parameter is enabled for a printer, then any attempt
2832 to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
2833 to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
2834 call to succeed. <span class="emphasis"><em>This parameter MUST not be able enabled
2835 on a print share which has valid print driver installed on the Samba
2836 server.</em></span></p><p>See also <a href="#DISABLESPOOLSS"><i class="parameter"><tt>disable spoolss</tt></i></a></p><p>Default: <b class="command">use client driver = no</b></p></dd><dt><span class="term"><a name="USEMMAP"></a>use mmap (G)</span></dt><dd><p>This global parameter determines if the tdb internals of Samba can
2837 depend on mmap working correctly on the running system. Samba requires a coherent
2838 mmap/read-write system memory cache. Currently only HPUX does not have such a
2839 coherent cache, and so this parameter is set to <tt class="constant">no</tt> by
2840 default on HPUX. On all other systems this parameter should be left alone. This
2841 parameter is provided to help the Samba developers track down problems with
2842 the tdb internal code.
2843 </p><p>Default: <b class="command">use mmap = yes</b></p></dd><dt><span class="term"><a name="USER"></a>user (S)</span></dt><dd><p>Synonym for <a href="#USERNAME"><i class="parameter"><tt>username</tt></i></a>.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited
2844 list, in which case the supplied password will be tested against
2845 each username in turn (left to right).</p><p>The <i class="parameter"><tt>username</tt></i> line is needed only when
2846 the PC is unable to supply its own username. This is the case
2847 for the COREPLUS protocol or where your users have different WfWg
2848 usernames to UNIX usernames. In both these cases you may also be
2849 better using the \\server\share%user syntax instead.</p><p>The <i class="parameter"><tt>username</tt></i> line is not a great
2850 solution in many cases as it means Samba will try to validate
2851 the supplied password against each of the usernames in the
2852 <i class="parameter"><tt>username</tt></i> line in turn. This is slow and
2853 a bad idea for lots of users in case of duplicate passwords.
2854 You may get timeouts or security breaches using this parameter
2855 unwisely.</p><p>Samba relies on the underlying UNIX security. This
2856 parameter does not restrict who can login, it just offers hints
2857 to the Samba server as to what usernames might correspond to the
2858 supplied password. Users can login as whoever they please and
2859 they will be able to do no more damage than if they started a
2860 telnet session. The daemon runs as the user that they log in as,
2861 so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you
2862 can use the <a href="#VALIDUSERS"><i class="parameter"><tt>valid users
2863 </tt></i></a> parameter.</p><p>If any of the usernames begin with a '@' then the name
2864 will be looked up first in the NIS netgroups list (if Samba
2865 is compiled with netgroup support), followed by a lookup in
2866 the UNIX groups database and will expand to a list of all users
2867 in the group of that name.</p><p>If any of the usernames begin with a '+' then the name
2868 will be looked up only in the UNIX groups database and will
2869 expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&' then the name
2870 will be looked up only in the NIS netgroups database (if Samba
2871 is compiled with netgroup support) and will expand to a list
2872 of all users in the netgroup group of that name.</p><p>Note that searching though a groups database can take
2873 quite some time, and some clients may time out during the
2874 search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT
2875 USERNAME/PASSWORD VALIDATION</a> for more information on how
2876 this parameter determines access to the services.</p><p>Default: <b class="command">The guest account if a guest service,
2877 else <empty string>.</b></p><p>Examples:<b class="command">username = fred, mary, jack, jane,
2878 @users, @pcgroup</b></p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 'guess' at
2879 the real UNIX username, as many DOS clients send an all-uppercase
2880 username. By default Samba tries all lowercase, followed by the
2881 username with the first letter capitalized, and fails if the
2882 username is not found on the UNIX machine.</p><p>If this parameter is set to non-zero the behavior changes.
2883 This parameter is a number that specifies the number of uppercase
2884 combinations to try while trying to determine the UNIX user name. The
2885 higher the number the more combinations will be tried, but the slower
2886 the discovery of usernames will be. Use this parameter when you have
2887 strange usernames on your UNIX machine, such as <tt class="constant">AstrangeUser
2888 </tt>.</p><p>Default: <b class="command">username level = 0</b></p><p>Example: <b class="command">username level = 5</b></p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p>This option allows you to specify a file containing
2889 a mapping of usernames from the clients to the server. This can be
2890 used for several purposes. The most common is to map usernames
2891 that users use on DOS or Windows machines to those that the UNIX
2892 box uses. The other is to map multiple users to a single username
2893 so that they can more easily share files.</p><p>The map file is parsed line by line. Each line should
2894 contain a single UNIX username on the left then a '=' followed
2895 by a list of usernames on the right. The list of usernames on the
2896 right may contain names of the form @group in which case they
2897 will match any UNIX username in that group. The special client
2898 name '*' is a wildcard and matches any name. Each line of the
2899 map file may be up to 1023 characters long.</p><p>The file is processed on each line by taking the
2900 supplied username and comparing it with each username on the right
2901 hand side of the '=' signs. If the supplied name matches any of
2902 the names on the right hand side then it is replaced with the name
2903 on the left. Processing then continues with the next line.</p><p>If any line begins with a '#' or a ';' then it is ignored</p><p>If any line begins with an '!' then the processing
2904 will stop after that line if a mapping was done by the line.
2905 Otherwise mapping continues with every line being processed.
2906 Using '!' is most useful when you have a wildcard mapping line
2907 later in the file.</p><p>For example to map from the name <tt class="constant">admin</tt>
2908 or <tt class="constant">administrator</tt> to the UNIX name <tt class="constant">
2909 root</tt> you would use:</p><p><b class="command">root = admin administrator</b></p><p>Or to map anyone in the UNIX group <tt class="constant">system</tt>
2910 to the UNIX name <tt class="constant">sys</tt> you would use:</p><p><b class="command">sys = @system</b></p><p>You can have as many mappings as you like in a username map file.</p><p>If your system supports the NIS NETGROUP option then
2911 the netgroup database is checked before the <tt class="filename">/etc/group
2912 </tt> database for matching groups.</p><p>You can map Windows usernames that have spaces in them
2913 by using double quotes around the name. For example:</p><p><b class="command">tridge = "Andrew Tridgell"</b></p><p>would map the windows username "Andrew Tridgell" to the
2914 unix username "tridge".</p><p>The following example would map mary and fred to the
2915 unix user sys, and map the rest to guest. Note the use of the
2916 '!' to tell Samba to stop processing if it gets a match on
2917 that line.</p><pre class="programlisting">
2920 </pre><p>Note that the remapping is applied to all occurrences
2921 of usernames. Thus if you connect to \\server\fred and <tt class="constant">
2922 fred</tt> is remapped to <tt class="constant">mary</tt> then you
2923 will actually be connecting to \\server\mary and will need to
2924 supply a password suitable for <tt class="constant">mary</tt> not
2925 <tt class="constant">fred</tt>. The only exception to this is the
2926 username passed to the <a href="#PASSWORDSERVER"><i class="parameter"><tt>
2927 password server</tt></i></a> (if you have one). The password
2928 server will receive whatever username the client supplies without
2929 modification.</p><p>Also note that no reverse mapping is done. The main effect
2930 this has is with printing. Users who have been mapped may have
2931 trouble deleting print jobs as PrintManager under WfWg will think
2932 they don't own the print job.</p><p>Default: <span class="emphasis"><em>no username map</em></span></p><p>Example: <b class="command">username map = /usr/local/samba/lib/users.map</b></p></dd><dt><span class="term"><a name="USERS"></a>users (S)</span></dt><dd><p>Synonym for <a href="#USERNAME"><i class="parameter"><tt>
2933 username</tt></i></a>.</p></dd><dt><span class="term"><a name="USESENDFILE"></a>use sendfile (S)</span></dt><dd><p>If this parameter is <tt class="constant">yes</tt>, and Samba
2934 was built with the --with-sendfile-support option, and the underlying operating
2935 system supports sendfile system call, then some SMB read calls (mainly ReadAndX
2936 and ReadRaw) will use the more efficient sendfile system call for files that
2937 are exclusively oplocked. This may make more efficient use of the system CPU's
2938 and cause Samba to be faster. This is off by default as it's effects are unknown
2939 as yet.</p><p>Default: <b class="command">use sendfile = no</b></p></dd><dt><span class="term"><a name="USESPNEGO"></a>use spnego (G)</span></dt><dd><p> This variable controls controls whether samba will try
2940 to use Simple and Protected NEGOciation (as specified by rfc2478) with
2941 WindowsXP and Windows2000 clients to agree upon an authentication mechanism.
2942 Unless further issues are discovered with our SPNEGO
2943 implementation, there is no reason this should ever be
2944 disabled.</p><p>Default: <span class="emphasis"><em>use spnego = yes</em></span></p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>This boolean parameter is only available if
2945 Samba has been configured and compiled with the option <b class="command">
2946 --with-utmp</b>. If set to <tt class="constant">yes</tt> then Samba will attempt
2947 to add utmp or utmpx records (depending on the UNIX system) whenever a
2948 connection is made to a Samba server. Sites may use this to record the
2949 user connecting to a Samba share.</p><p>Due to the requirements of the utmp record, we
2950 are required to create a unique identifier for the
2951 incoming user. Enabling this option creates an n^2
2952 algorithm to find this number. This may impede
2953 performance on large installations. </p><p>See also the <a href="#UTMPDIRECTORY"><i class="parameter"><tt>
2954 utmp directory</tt></i></a> parameter.</p><p>Default: <b class="command">utmp = no</b></p></dd><dt><span class="term"><a name="UTMPDIRECTORY"></a>utmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
2955 been configured and compiled with the option <b class="command">
2956 --with-utmp</b>. It specifies a directory pathname that is
2957 used to store the utmp or utmpx files (depending on the UNIX system) that
2958 record user connections to a Samba server. See also the <a href="#UTMP">
2959 <i class="parameter"><tt>utmp</tt></i></a> parameter. By default this is
2960 not set, meaning the system will use whatever utmp file the
2961 native system is set to use (usually
2962 <tt class="filename">/var/run/utmp</tt> on Linux).</p><p>Default: <span class="emphasis"><em>no utmp directory</em></span></p><p>Example: <b class="command">utmp directory = /var/run/utmp</b></p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is
2963 valid and thus can be used. When this parameter is set to false,
2964 the share will be in no way visible nor accessible.
2966 This option should not be
2967 used by regular users but might be of help to developers.
2968 Samba uses this option internally to mark shares as deleted.
2969 </p><p>Default: <span class="emphasis"><em>True</em></span></p></dd><dt><span class="term"><a name="VALIDUSERS"></a>valid users (S)</span></dt><dd><p>This is a list of users that should be allowed
2970 to login to this service. Names starting with '@', '+' and '&'
2971 are interpreted using the same rules as described in the
2972 <i class="parameter"><tt>invalid users</tt></i> parameter.</p><p>If this is empty (the default) then any user can login.
2973 If a username is in both this list and the <i class="parameter"><tt>invalid
2974 users</tt></i> list then access is denied for that user.</p><p>The current servicename is substituted for <i class="parameter"><tt>%S
2975 </tt></i>. This is useful in the [homes] section.</p><p>See also <a href="#INVALIDUSERS"><i class="parameter"><tt>invalid users
2976 </tt></i></a></p><p>Default: <span class="emphasis"><em>No valid users list (anyone can login)
2977 </em></span></p><p>Example: <b class="command">valid users = greg, @pcusers</b></p></dd><dt><span class="term"><a name="VETOFILES"></a>veto files (S)</span></dt><dd><p>This is a list of files and directories that
2978 are neither visible nor accessible. Each entry in the list must
2979 be separated by a '/', which allows spaces to be included
2980 in the entry. '*' and '?' can be used to specify multiple files
2981 or directories as in DOS wildcards.</p><p>Each entry must be a unix path, not a DOS path and
2982 must <span class="emphasis"><em>not</em></span> include the unix directory
2983 separator '/'.</p><p>Note that the <i class="parameter"><tt>case sensitive</tt></i> option
2984 is applicable in vetoing files.</p><p>One feature of the veto files parameter that it
2985 is important to be aware of is Samba's behaviour when
2986 trying to delete a directory. If a directory that is
2987 to be deleted contains nothing but veto files this
2988 deletion will <span class="emphasis"><em>fail</em></span> unless you also set
2989 the <i class="parameter"><tt>delete veto files</tt></i> parameter to
2990 <i class="parameter"><tt>yes</tt></i>.</p><p>Setting this parameter will affect the performance
2991 of Samba, as it will be forced to check all files and directories
2992 for a match as they are scanned.</p><p>See also <a href="#HIDEFILES"><i class="parameter"><tt>hide files
2993 </tt></i></a> and <a href="#CASESENSITIVE"><i class="parameter"><tt>
2994 case sensitive</tt></i></a>.</p><p>Default: <span class="emphasis"><em>No files or directories are vetoed.
2995 </em></span></p><p>Examples:
2996 </p><pre class="programlisting">
2997 ; Veto any files containing the word Security,
2998 ; any ending in .tmp, and any directory containing the
3000 veto files = /*Security*/*.tmp/*root*/
3002 ; Veto the Apple specific files that a NetAtalk server
3004 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
3005 </pre></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p>This parameter is only valid when the <a href="#OPLOCKS">
3006 <i class="parameter"><tt>oplocks</tt></i></a>
3007 parameter is turned on for a share. It allows the Samba administrator
3008 to selectively turn off the granting of oplocks on selected files that
3009 match a wildcarded list, similar to the wildcarded list used in the
3010 <a href="#VETOFILES"><i class="parameter"><tt>veto files</tt></i></a>
3011 parameter.</p><p>Default: <span class="emphasis"><em>No files are vetoed for oplock grants</em></span></p><p>You might want to do this on files that you know will
3012 be heavily contended for by clients. A good example of this
3013 is in the NetBench SMB benchmark program, which causes heavy
3014 client contention for files ending in <tt class="filename">.SEM</tt>.
3015 To cause Samba not to grant oplocks on these files you would use
3016 the line (either in the [global] section or in the section for
3017 the particular NetBench share :</p><p>Example: <b class="command">veto oplock files = /*.SEM/</b></p></dd><dt><span class="term"><a name="VFSOBJECT"></a>vfs object (S)</span></dt><dd><p>Synonym for
3018 <a href="#VFSOBJECTS">
3019 <i class="parameter"><tt>vfs objects</tt></i>
3021 </p></dd><dt><span class="term"><a name="VFSOBJECTS"></a>vfs objects (S)</span></dt><dd><p>This parameter specifies the backend names which
3022 are used for Samba VFS I/O operations. By default, normal
3023 disk I/O operations are used but these can be overloaded
3024 with one or more VFS objects. </p><p>Default: <span class="emphasis"><em>no value</em></span></p><p>Example: <b class="command">vfs objects = extd_audit recycle</b></p></dd><dt><span class="term"><a name="VOLUME"></a>volume (S)</span></dt><dd><p> This allows you to override the volume label
3025 returned for a share. Useful for CDROMs with installation programs
3026 that insist on a particular volume label.</p><p>Default: <span class="emphasis"><em>the name of the share</em></span></p></dd><dt><span class="term"><a name="WIDELINKS"></a>wide links (S)</span></dt><dd><p>This parameter controls whether or not links
3027 in the UNIX file system may be followed by the server. Links
3028 that point to areas within the directory tree exported by the
3029 server are always allowed; this parameter controls access only
3030 to areas that are outside the directory tree being exported.</p><p>Note that setting this parameter can have a negative
3031 effect on your server performance due to the extra system calls
3032 that Samba has to do in order to perform the link checks.</p><p>Default: <b class="command">wide links = yes</b></p></dd><dt><span class="term"><a name="WINBINDCACHETIME"></a>winbind cache time (G)</span></dt><dd><p>This parameter specifies the number of
3033 seconds the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon will cache
3034 user and group information before querying a Windows NT server
3035 again.</p><p>Default: <b class="command">winbind cache type = 15</b></p></dd><dt><span class="term"><a name="WINBINDENUMGROUPS"></a>winbind enum groups (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be necessary to suppress
3036 the enumeration of groups through the <b class="command">setgrent()</b>,
3037 <b class="command">getgrent()</b> and
3038 <b class="command">endgrent()</b> group of system calls. If
3039 the <i class="parameter"><tt>winbind enum groups</tt></i> parameter is
3040 <tt class="constant">no</tt>, calls to the <b class="command">getgrent()</b> system
3041 call will not return any data. </p><p><span class="emphasis"><em>Warning:</em></span> Turning off group
3042 enumeration may cause some programs to behave oddly.
3043 </p><p>Default: <b class="command">winbind enum groups = yes </b></p></dd><dt><span class="term"><a name="WINBINDENUMUSERS"></a>winbind enum users (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be
3044 necessary to suppress the enumeration of users through the <b class="command">setpwent()</b>,
3045 <b class="command">getpwent()</b> and
3046 <b class="command">endpwent()</b> group of system calls. If
3047 the <i class="parameter"><tt>winbind enum users</tt></i> parameter is
3048 <tt class="constant">no</tt>, calls to the <b class="command">getpwent</b> system call
3049 will not return any data. </p><p><span class="emphasis"><em>Warning:</em></span> Turning off user
3050 enumeration may cause some programs to behave oddly. For
3051 example, the finger program relies on having access to the
3052 full user list when searching for matching
3053 usernames. </p><p>Default: <b class="command">winbind enum users = yes </b></p></dd><dt><span class="term"><a name="WINBINDGID"></a>winbind gid (G)</span></dt><dd><p>This parameter is now an alias for <b class="command">idmap gid</b></p><p>The winbind gid parameter specifies the range of group
3054 ids that are allocated by the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon. This range of group ids should have no
3055 existing local or NIS groups within it as strange conflicts can
3056 occur otherwise.</p><p>Default: <b class="command">winbind gid = <empty string></b></p><p>Example: <b class="command">winbind gid = 10000-20000</b></p></dd><dt><span class="term"><a name="WINBINDSEPARATOR"></a>winbind separator (G)</span></dt><dd><p>This parameter allows an admin to define the character
3057 used when listing a username of the form of <i class="replaceable"><tt>DOMAIN
3058 </tt></i>\<i class="replaceable"><tt>user</tt></i>. This parameter
3059 is only applicable when using the <tt class="filename">pam_winbind.so</tt>
3060 and <tt class="filename">nss_winbind.so</tt> modules for UNIX services.
3061 </p><p>Please note that setting this parameter to + causes problems
3062 with group membership at least on glibc systems, as the character +
3063 is used as a special character for NIS in /etc/group.</p><p>Default: <b class="command">winbind separator = '\'</b></p><p>Example: <b class="command">winbind separator = +</b></p></dd><dt><span class="term"><a name="WINBINDUID"></a>winbind uid (G)</span></dt><dd><p>This parameter is now an alias for <b class="command">idmap uid</b></p><p>The winbind gid parameter specifies the range of user ids that are allocated by the
3064 <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a>
3065 daemon. This range of ids should have no existing local or NIS users within it as strange
3066 conflicts can occur otherwise.</p><p>Default: <b class="command">winbind uid = <empty string></b></p><p>Example: <b class="command">winbind uid = 10000-20000</b></p></dd><dt><span class="term"><a name="WINBINDUSEDDEFAULTDOMAIN"></a>winbind used default domain (G)</span></dt><dd><p>This parameter specifies whether the
3067 <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users
3068 without domain component in their username. Users without a domain
3069 component are treated as is part of the winbindd server's own
3070 domain. While this does not benifit Windows users, it makes SSH, FTP and
3071 e-mail function in a way much closer to the way they
3072 would in a native unix system.</p><p>Default: <b class="command">winbind use default domain = <no></b></p><p>Example: <b class="command">winbind use default domain = yes</b></p></dd><dt><span class="term"><a name="WINSHOOK"></a>wins hook (G)</span></dt><dd><p>When Samba is running as a WINS server this
3073 allows you to call an external program for all changes to the
3074 WINS database. The primary use for this option is to allow the
3075 dynamic update of external name resolution databases such as
3076 dynamic DNS.</p><p>The wins hook parameter specifies the name of a script
3077 or executable that will be called as follows:</p><p><b class="command">wins_hook operation name nametype ttl IP_list</b></p><div class="itemizedlist"><ul type="disc"><li><p>The first argument is the operation and is
3078 one of "add", "delete", or
3079 "refresh". In most cases the operation
3080 can be ignored as the rest of the parameters
3081 provide sufficient information. Note that
3082 "refresh" may sometimes be called when
3083 the name has not previously been added, in that
3084 case it should be treated as an add.</p></li><li><p>The second argument is the NetBIOS name. If the
3085 name is not a legal name then the wins hook is not called.
3086 Legal names contain only letters, digits, hyphens, underscores
3087 and periods.</p></li><li><p>The third argument is the NetBIOS name
3088 type as a 2 digit hexadecimal number. </p></li><li><p>The fourth argument is the TTL (time to live)
3089 for the name in seconds.</p></li><li><p>The fifth and subsequent arguments are the IP
3090 addresses currently registered for that name. If this list is
3091 empty then the name should be deleted.</p></li></ul></div><p>An example script that calls the BIND dynamic DNS update
3092 program <b class="command">nsupdate</b> is provided in the examples
3093 directory of the Samba source code. </p></dd><dt><span class="term"><a name="WINSPARTNER"></a>wins partner (G)</span></dt><dd><p>A space separated list of partners' IP addresses for
3094 WINS replication. WINS partners are always defined as push/pull
3095 partners as defining only one way WINS replication is unreliable.
3096 WINS replication is currently experimental and unreliable between
3098 </p><p>Default: <b class="command">wins partners = </b></p><p>Example: <b class="command">wins partners = 192.168.0.1 172.16.1.2</b></p></dd><dt><span class="term"><a name="WINSPROXY"></a>wins proxy (G)</span></dt><dd><p>This is a boolean that controls if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will respond to broadcast name
3099 queries on behalf of other hosts. You may need to set this
3100 to <tt class="constant">yes</tt> for some older clients.</p><p>Default: <b class="command">wins proxy = no</b></p></dd><dt><span class="term"><a name="WINSSERVER"></a>wins server (G)</span></dt><dd><p>This specifies the IP address (or DNS name: IP
3101 address for preference) of the WINS server that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> should register with. If you have a WINS server on
3102 your network then you should set this to the WINS server's IP.</p><p>You should point this at your WINS server if you have a
3103 multi-subnetted network.</p><p>If you want to work in multiple namespaces, you can
3104 give every wins server a 'tag'. For each tag, only one
3105 (working) server will be queried for a name. The tag should be
3106 seperated from the ip address by a colon.
3107 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You need to set up Samba to point
3108 to a WINS server if you have multiple subnets and wish cross-subnet
3109 browsing to work correctly.</p></div><p>See the documentation file <a href="improved-browsing.html" target="_top">Browsing</a> in the samba howto collection.</p><p>Default: <span class="emphasis"><em>not enabled</em></span></p><p>Example: <b class="command">wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61</b></p><p>For this example when querying a certain name, 192.19.200.1 will
3110 be asked first and if that doesn't respond 192.168.2.61. If either
3111 of those doesn't know the name 192.168.3.199 will be queried.
3112 </p><p>Example: <b class="command">wins server = 192.9.200.1 192.168.2.61</b></p></dd><dt><span class="term"><a name="WINSSUPPORT"></a>wins support (G)</span></dt><dd><p>This boolean controls if the <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> process in Samba will act as a WINS server. You should
3113 not set this to <tt class="constant">yes</tt> unless you have a multi-subnetted network and
3114 you wish a particular <b class="command">nmbd</b> to be your WINS server.
3115 Note that you should <span class="emphasis"><em>NEVER</em></span> set this to <tt class="constant">yes</tt>
3116 on more than one machine in your network.</p><p>Default: <b class="command">wins support = no</b></p></dd><dt><span class="term"><a name="WORKGROUP"></a>workgroup (G)</span></dt><dd><p>This controls what workgroup your server will
3117 appear to be in when queried by clients. Note that this parameter
3118 also controls the Domain name used with
3119 the <a href="#SECURITYEQUALSDOMAIN"><b class="command">security = domain</b></a>
3120 setting.</p><p>Default: <span class="emphasis"><em>set at compile time to WORKGROUP</em></span></p><p>Example: <b class="command">workgroup = MYGROUP</b></p></dd><dt><span class="term"><a name="WRITABLE"></a>writable (S)</span></dt><dd><p>Synonym for <a href="#WRITEABLE"><i class="parameter"><tt>
3121 writeable</tt></i></a> for people who can't spell :-).</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a href="#READONLY">
3122 <i class="parameter"><tt>read only</tt></i></a>.</p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
3123 Samba will create an in-memory cache for each oplocked file
3124 (it does <span class="emphasis"><em>not</em></span> do this for
3125 non-oplocked files). All writes that the client does not request
3126 to be flushed directly to disk will be stored in this cache if possible.
3127 The cache is flushed onto disk when a write comes in whose offset
3128 would not fit into the cache or when the file is closed by the client.
3129 Reads for the file are also served from this cache if the data is stored
3130 within it.</p><p>This cache allows Samba to batch client writes into a more
3131 efficient write size for RAID disks (i.e. writes may be tuned to
3132 be the RAID stripe size) and can improve performance on systems
3133 where the disk subsystem is a bottleneck but there is free
3134 memory for userspace programs.</p><p>The integer parameter specifies the size of this cache
3135 (per oplocked file) in bytes.</p><p>Default: <b class="command">write cache size = 0</b></p><p>Example: <b class="command">write cache size = 262144</b></p><p>for a 256k cache size per file.</p></dd><dt><span class="term"><a name="WRITELIST"></a>write list (S)</span></dt><dd><p>This is a list of users that are given read-write
3136 access to a service. If the connecting user is in this list then
3137 they will be given write access, no matter what the <a href="#READONLY">
3138 <i class="parameter"><tt>read only</tt></i></a>
3139 option is set to. The list can include group names using the
3140 @group syntax.</p><p>Note that if a user is in both the read list and the
3141 write list then they will be given write access.</p><p>See also the <a href="#READLIST"><i class="parameter"><tt>read list
3142 </tt></i></a> option.</p><p>Default: <b class="command">write list = <empty string></b></p><p>Example: <b class="command">write list = admin, root, @staff</b></p></dd><dt><span class="term"><a name="WRITEOK"></a>write ok (S)</span></dt><dd><p>Inverted synonym for <a href="#READONLY">
3143 <i class="parameter"><tt>read only</tt></i></a>.</p></dd><dt><span class="term"><a name="WRITERAW"></a>write raw (G)</span></dt><dd><p>This parameter controls whether or not the server
3144 will support raw write SMB's when transferring data from clients.
3145 You should never need to change this parameter.</p><p>Default: <b class="command">write raw = yes</b></p></dd><dt><span class="term"><a name="WTMPDIRECTORY"></a>wtmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
3146 been configured and compiled with the option <b class="command">
3147 --with-utmp</b>. It specifies a directory pathname that is
3148 used to store the wtmp or wtmpx files (depending on the UNIX system) that
3149 record user connections to a Samba server. The difference with
3150 the utmp directory is the fact that user info is kept after a user
3151 has logged out.</p><p>See also the <a href="#UTMP">
3152 <i class="parameter"><tt>utmp</tt></i></a> parameter. By default this is
3153 not set, meaning the system will use whatever utmp file the
3154 native system is set to use (usually
3155 <tt class="filename">/var/run/wtmp</tt> on Linux).</p><p>Default: <span class="emphasis"><em>no wtmp directory</em></span></p><p>Example: <b class="command">wtmp directory = /var/log/wtmp</b></p></dd></dl></div></div><div class="refsect1" lang="en"><h2>WARNINGS</h2><p>Although the configuration file permits service names
3156 to contain spaces, your client software may not. Spaces will
3157 be ignored in comparisons anyway, so it shouldn't be a
3158 problem - but be aware of the possibility.</p><p>On a similar note, many clients - especially DOS clients -
3159 limit service names to eight characters. <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> has no such limitation, but attempts to connect from such
3160 clients will fail if they truncate the service names. For this reason
3161 you should probably keep your service names down to eight characters
3162 in length.</p><p>Use of the [homes] and [printers] special sections make life
3163 for an administrator easy, but the various combinations of default
3164 attributes can be tricky. Take extreme care when designing these
3165 sections. In particular, ensure that the permissions on spool
3166 directories are correct.</p></div><div class="refsect1" lang="en"><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><h2>SEE ALSO</h2><p>
3167 <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><h2>AUTHOR</h2><p>The original Samba software and related utilities
3168 were created by Andrew Tridgell. Samba is now developed
3169 by the Samba Team as an Open Source project similar
3170 to the way the Linux kernel is developed.</p><p>The original Samba man pages were written by Karl Auer.
3171 The man page sources were converted to YODL format (another
3172 excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top">
3173 ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0
3174 release by Jeremy Allison. The conversion to DocBook for
3175 Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
3176 for Samba 3.0 was done by Alexander Bokovoy.</p></div></div></body></html>