1 mailto(samba-bugs@samba.org)
3 manpage(smb.conf htmlcommand((5)))(5)(23 Oct 1998)(Samba)(SAMBA)
6 manpagename(smb.conf)(The configuration file for the Samba suite)
11 bf(smb.conf) The bf(smb.conf) file is a configuration file for the
12 Samba suite. bf(smb.conf) contains runtime configuration information
13 for the Samba programs. The bf(smb.conf) file is designed to be
14 configured and administered by the url(bf(swat (8)))(swat.8.html)
15 program. The complete description of the file format and possible
16 parameters held within are here for reference purposes.
19 manpagesection(FILE FORMAT)
21 The file consists of sections and parameters. A section begins with
22 the name of the section in square brackets and continues until the
23 next section begins. Sections contain parameters of the form
27 The file is line-based - that is, each newline-terminated line
28 represents either a comment, a section name or a parameter.
30 Section and parameter names are not case sensitive.
32 Only the first equals sign in a parameter is significant. Whitespace
33 before or after the first equals sign is discarded. Leading, trailing
34 and internal whitespace in section and parameter names is
35 irrelevant. Leading and trailing whitespace in a parameter value is
36 discarded. Internal whitespace within a parameter value is retained
39 Any line beginning with a semicolon (';') or a hash ('#') character is
40 ignored, as are lines containing only whitespace.
42 Any line ending in a tt('\') is "continued" on the next line in the
43 customary UNIX fashion.
45 The values following the equals sign in parameters are all either a
46 string (no quotes needed) or a boolean, which may be given as yes/no,
47 0/1 or true/false. Case is not significant in boolean values, but is
48 preserved in string values. Some items such as create modes are
51 label(SECTIONDESCRIPTIONS)
52 manpagesection(SECTION DESCRIPTIONS)
54 Each section in the configuration file (except for the
55 link(bf([global]))(global) section) describes a shared resource (known
56 as a em("share")). The section name is the name of the shared resource
57 and the parameters within the section define the shares attributes.
59 There are three special sections, link(bf([global]))(global),
60 link(bf([homes]))(homes) and link(bf([printers]))(printers), which are
61 described under link(bf('special sections'))(SPECIALSECTIONS). The
62 following notes apply to ordinary section descriptions.
64 A share consists of a directory to which access is being given plus
65 a description of the access rights which are granted to the user of
66 the service. Some housekeeping options are also specifiable.
68 Sections are either filespace services (used by the client as an
69 extension of their native file systems) or printable services (used by
70 the client to access print services on the host running the server).
72 Sections may be designated link(bf(guest))(guestok) services, in which
73 case no password is required to access them. A specified UNIX
74 link(bf(guest account))(guestaccount) is used to define access
75 privileges in this case.
77 Sections other than guest services will require a password to access
78 them. The client provides the username. As older clients only provide
79 passwords and not usernames, you may specify a list of usernames to
80 check against the password using the link(bf("user="))(user) option in
81 the share definition. For modern clients such as Windows 95/98 and
82 Windows NT, this should not be necessary.
84 Note that the access rights granted by the server are masked by the
85 access rights granted to the specified or guest UNIX user by the host
86 system. The server does not grant more access than the host system
89 The following sample section defines a file space share. The user has
90 write access to the path tt(/home/bar). The share is accessed via
101 The following sample section defines a printable share. The share
102 is readonly, but printable. That is, the only write access permitted
103 is via calls to open, write to and close a spool file. The
104 link(bf('guest ok'))(guestok) parameter means access will be permitted
105 as the default guest user (specified elsewhere):
109 path = /usr/spool/public
115 label(SPECIALSECTIONS)
116 manpagesection(SPECIAL SECTIONS)
121 dit(bf(The [global] section))
123 Parameters in this section apply to the server as a whole, or are
124 defaults for sections which do not specifically define certain
125 items. See the notes under link(bf('PARAMETERS'))(PARAMETERS) for more
129 dit(bf(The [homes] section))
131 If a section called tt('homes') is included in the configuration file,
132 services connecting clients to their home directories can be created
133 on the fly by the server.
135 When the connection request is made, the existing sections are
136 scanned. If a match is found, it is used. If no match is found, the
137 requested section name is treated as a user name and looked up in the
138 local password file. If the name exists and the correct password has
139 been given, a share is created by cloning the [homes] section.
141 Some modifications are then made to the newly created share:
145 it() The share name is changed from tt('homes') to the located
148 it() If no path was given, the path is set to the user's home
153 If you decide to use a link(bf(path=))(path) line in your [homes]
154 section then you may find it useful to use the link(bf(%S))(percentS)
157 tt(path=/data/pchome/%S)
159 would be useful if you have different home directories for your PCs
160 than for UNIX access.
162 This is a fast and simple way to give a large number of clients access
163 to their home directories with a minimum of fuss.
165 A similar process occurs if the requested section name is tt("homes"),
166 except that the share name is not changed to that of the requesting
167 user. This method of using the [homes] section works well if different
168 users share a client PC.
170 The [homes] section can specify all the parameters a normal service
171 section can specify, though some make more sense than others. The
172 following is a typical and suitable [homes] section:
179 An important point is that if guest access is specified in the [homes]
180 section, all home directories will be visible to all clients
181 bf(without a password). In the very unlikely event that this is
182 actually desirable, it would be wise to also specify link(bf(read only
185 Note that the link(bf(browseable))(browseable) flag for auto home
186 directories will be inherited from the global browseable flag, not the
187 [homes] browseable flag. This is useful as it means setting
188 browseable=no in the [homes] section will hide the [homes] share but
189 make any auto home directories visible.
192 dit(bf(The [printers] section))
194 This section works like link(bf([homes]))(homes), but for printers.
196 If a [printers] section occurs in the configuration file, users are
197 able to connect to any printer specified in the local host's printcap
200 When a connection request is made, the existing sections are
201 scanned. If a match is found, it is used. If no match is found, but a
202 link(bf([homes]))(homes) section exists, it is used as described
203 above. Otherwise, the requested section name is treated as a printer
204 name and the appropriate printcap file is scanned to see if the
205 requested section name is a valid printer share name. If a match is
206 found, a new printer share is created by cloning the [printers]
209 A few modifications are then made to the newly created share:
213 it() The share name is set to the located printer name
215 it() If no printer name was given, the printer name is set to the
218 it() If the share does not permit guest access and no username was
219 given, the username is set to the located printer name.
223 Note that the [printers] service MUST be printable - if you specify
224 otherwise, the server will refuse to load the configuration file.
226 Typically the path specified would be that of a world-writeable spool
227 directory with the sticky bit set on it. A typical [printers] entry
228 would look like this:
232 path = /usr/spool/public
237 All aliases given for a printer in the printcap file are legitimate
238 printer names as far as the server is concerned. If your printing
239 subsystem doesn't work like that, you will have to set up a
240 pseudo-printcap. This is a file consisting of one or more lines like
243 verb( alias|alias|alias|alias... )
245 Each alias should be an acceptable printer name for your printing
246 subsystem. In the link(bf([global]))(global) section, specify the new
247 file as your printcap. The server will then only recognize names
248 found in your pseudo-printcap, which of course can contain whatever
249 aliases you like. The same technique could be used simply to limit
250 access to a subset of your local printers.
252 An alias, by the way, is defined as any component of the first entry
253 of a printcap record. Records are separated by newlines, components
254 (if there are more than one) are separated by vertical bar symbols
257 NOTE: On SYSV systems which use lpstat to determine what printers are
258 defined on the system you may be able to use link(bf("printcap name =
259 lpstat"))(printcapname) to automatically obtain a list of
260 printers. See the link(bf("printcap name"))(printcapname) option for
266 manpagesection(PARAMETERS)
268 Parameters define the specific attributes of sections.
270 Some parameters are specific to the link(bf([global]))(global) section
271 (e.g., link(bf(security))(security)). Some parameters are usable in
272 all sections (e.g., link(bf(create mode))(createmode)). All others are
273 permissible only in normal sections. For the purposes of the following
274 descriptions the link(bf([homes]))(homes) and
275 link(bf([printers]))(printers) sections will be considered normal.
276 The letter tt('G') in parentheses indicates that a parameter is
277 specific to the link(bf([global]))(global) section. The letter tt('S')
278 indicates that a parameter can be specified in a service specific
279 section. Note that all tt('S') parameters can also be specified in the
280 link(bf([global]))(global) section - in which case they will define
281 the default behavior for all services.
283 Parameters are arranged here in alphabetical order - this may not
284 create best bedfellows, but at least you can find them! Where there
285 are synonyms, the preferred synonym is described, others refer to the
288 label(VARIABLESUBSTITUTIONS)
289 manpagesection(VARIABLE SUBSTITUTIONS)
291 Many of the strings that are settable in the config file can take
292 substitutions. For example the option link(bf(tt("path =
293 /tmp/%u")))(path) would be interpreted as tt("path = /tmp/john") if
294 the user connected with the username john.
296 These substitutions are mostly noted in the descriptions below, but
297 there are some general substitutions which apply whenever they might
298 be relevant. These are:
303 it() bf(%S) = the name of the current service, if any.
306 it() bf(%P) = the root directory of the current service, if any.
309 it() bf(%u) = user name of the current service, if any.
312 it() bf(%g) = primary group name of link(bf(%u))(percentu).
315 it() bf(%U) = session user name (the user name that
316 the client wanted, not necessarily the same as the one they got).
319 it() bf(%G) = primary group name of link(bf(%U))(percentU).
322 it() bf(%H) = the home directory of the user given by link(bf(%u))(percentu).
325 it() bf(%v) = the Samba version.
328 it() bf(%h) = the internet hostname that Samba is running on.
331 it() bf(%m) = the NetBIOS name of the client machine (very useful).
334 it() bf(%L) = the NetBIOS name of the server. This allows you to change your
335 config based on what the client calls you. Your server can have a "dual
339 it() bf(%M) = the internet name of the client machine.
342 it() bf(%N) = the name of your NIS home directory server. This is
343 obtained from your NIS auto.map entry. If you have not compiled Samba
344 with the bf(--with-automount) option then this value will be the same
345 as link(bf(%L))(percentL).
348 it() bf(%p) = the path of the service's home directory, obtained from your NIS
349 auto.map entry. The NIS auto.map entry is split up as "%N:%p".
352 it() bf(%R) = the selected protocol level after protocol
353 negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
356 it() bf(%d) = The process id of the current server process.
359 it() bf(%a) = the architecture of the remote
360 machine. Only some are recognized, and those may not be 100%
361 reliable. It currently recognizes Samba, WfWg, WinNT and
362 Win95. Anything else will be known as "UNKNOWN". If it gets it wrong
363 then sending a level 3 log to email(samba-bugs@samba.org)
364 should allow it to be fixed.
367 it() bf(%I) = The IP address of the client machine.
370 it() bf(%T) = the current date and time.
374 There are some quite creative things that can be done with these
375 substitutions and other smb.conf options.
378 manpagesection(NAME MANGLING)
380 Samba supports em("name mangling") so that DOS and Windows clients can
381 use files that don't conform to the 8.3 format. It can also be set to
382 adjust the case of 8.3 format filenames.
384 There are several options that control the way mangling is performed,
385 and they are grouped here rather than listed separately. For the
386 defaults look at the output of the testparm program.
388 All of these options can be set separately for each service (or
389 globally, of course).
393 label(manglecaseoption)
394 bf("mangle case = yes/no") controls if names that have characters that
395 aren't of the "default" case are mangled. For example, if this is yes
396 then a name like tt("Mail") would be mangled. Default em(no).
398 label(casesensitiveoption)
399 bf("case sensitive = yes/no") controls whether filenames are case
400 sensitive. If they aren't then Samba must do a filename search and
401 match on passed names. Default em(no).
403 label(defaultcaseoption)
404 bf("default case = upper/lower") controls what the default case is for new
405 filenames. Default em(lower).
407 label(preservecaseoption)
408 bf("preserve case = yes/no") controls if new files are created with the
409 case that the client passes, or if they are forced to be the tt("default")
410 case. Default em(Yes).
412 label(shortpreservecaseoption)
414 bf("short preserve case = yes/no") controls if new files which conform
415 to 8.3 syntax, that is all in upper case and of suitable length, are
416 created upper case, or if they are forced to be the tt("default")
417 case. This option can be use with link(bf("preserve case =
418 yes"))(preservecaseoption) to permit long filenames to retain their
419 case, while short names are lowered. Default em(Yes).
421 By default, Samba 2.0 has the same semantics as a Windows NT
422 server, in that it is case insensitive but case preserving.
424 label(NOTEABOUTUSERNAMEPASSWORDVALIDATION)
425 manpagesection(NOTE ABOUT USERNAME/PASSWORD VALIDATION)
427 There are a number of ways in which a user can connect to a
428 service. The server follows the following steps in determining if it
429 will allow a connection to a specified service. If all the steps fail
430 then the connection request is rejected. If one of the steps pass then
431 the following steps are not checked.
433 If the service is marked link(bf("guest only = yes"))(guestonly) then
434 steps 1 to 5 are skipped.
438 eit() Step 1: If the client has passed a username/password pair and
439 that username/password pair is validated by the UNIX system's password
440 programs then the connection is made as that username. Note that this
441 includes the tt(\\server\service%username) method of passing a
444 eit() Step 2: If the client has previously registered a username with
445 the system and now supplies a correct password for that username then
446 the connection is allowed.
448 eit() Step 3: The client's netbios name and any previously used user
449 names are checked against the supplied password, if they match then
450 the connection is allowed as the corresponding user.
452 eit() Step 4: If the client has previously validated a
453 username/password pair with the server and the client has passed the
454 validation token then that username is used. This step is skipped if
455 link(bf("revalidate = yes"))(revalidate) for this service.
457 eit() Step 5: If a link(bf("user = "))(user) field is given in the
458 smb.conf file for the service and the client has supplied a password,
459 and that password matches (according to the UNIX system's password
460 checking) with one of the usernames from the link(bf(user=))(user)
461 field then the connection is made as the username in the
462 link(bf("user="))(user) line. If one of the username in the
463 link(bf(user=))(user) list begins with a tt('@') then that name
464 expands to a list of names in the group of the same name.
466 eit() Step 6: If the service is a guest service then a connection is
467 made as the username given in the link(bf("guest account
468 ="))(guestaccount) for the service, irrespective of the supplied
473 label(COMPLETELISTOFGLOBALPARAMETERS)
474 manpagesection(COMPLETE LIST OF GLOBAL PARAMETERS)
476 Here is a list of all global parameters. See the section of each
477 parameter for details. Note that some are synonyms.
481 it() link(bf(add user script))(adduserscript)
483 it() link(bf(allow trusted domains))(allowtrusteddomains)
485 it() link(bf(announce as))(announceas)
487 it() link(bf(announce version))(announceversion)
489 it() link(bf(auto services))(autoservices)
491 it() link(bf(bind interfaces only))(bindinterfacesonly)
493 it() link(bf(browse list))(browselist)
495 it() link(bf(change notify timeout))(changenotifytimeout)
497 it() link(bf(character set))(characterset)
499 it() link(bf(client code page))(clientcodepage)
501 it() link(bf(coding system))(codingsystem)
503 it() link(bf(config file))(configfile)
505 it() link(bf(deadtime))(deadtime)
507 it() link(bf(debug hires timestamp))(debughirestimestamp)
509 it() link(bf(debug pid))(debugpid)
511 it() link(bf(debug timestamp))(debugtimestamp)
513 it() link(bf(debug uid))(debuguid)
515 it() link(bf(debuglevel))(debuglevel)
517 it() link(bf(default))(default)
519 it() link(bf(default service))(defaultservice)
521 it() link(bf(delete user script))(deleteuserscript)
523 it() link(bf(dfree command))(dfreecommand)
525 it() link(bf(dns proxy))(dnsproxy)
527 it() link(bf(domain admin group))(domainadmingroup)
529 it() link(bf(domain admin users))(domainadminusers)
531 it() link(bf(domain controller))(domaincontroller)
533 it() link(bf(domain groups))(domaingroups)
535 it() link(bf(domain guest group))(domainguestgroup)
537 it() link(bf(domain guest users))(domainguestusers)
539 it() link(bf(domain logons))(domainlogons)
541 it() link(bf(domain master))(domainmaster)
543 it() link(bf(encrypt passwords))(encryptpasswords)
545 it() link(bf(getwd cache))(getwdcache)
547 it() link(bf(homedir map))(homedirmap)
549 it() link(bf(hosts equiv))(hostsequiv)
551 it() link(bf(interfaces))(interfaces)
553 it() link(bf(keepalive))(keepalive)
555 it() link(bf(kernel oplocks))(kerneloplocks)
557 it() link(bf(ldap filter))(ldapfilter)
559 it() link(bf(ldap port))(ldapport)
561 it() link(bf(ldap root))(ldaproot)
563 it() link(bf(ldap root passwd))(ldaprootpasswd)
565 it() link(bf(ldap server))(ldapserver)
567 it() link(bf(ldap suffix))(ldapsuffix)
569 it() link(bf(lm announce))(lmannounce)
571 it() link(bf(lm interval))(lminterval)
573 it() link(bf(load printers))(loadprinters)
575 it() link(bf(local master))(localmaster)
577 it() link(bf(lock dir))(lockdir)
579 it() link(bf(lock directory))(lockdirectory)
581 it() link(bf(log file))(logfile)
583 it() link(bf(log level))(loglevel)
585 it() link(bf(logon drive))(logondrive)
587 it() link(bf(logon home))(logonhome)
589 it() link(bf(logon path))(logonpath)
591 it() link(bf(logon script))(logonscript)
593 it() link(bf(lpq cache time))(lpqcachetime)
595 it() link(bf(machine password timeout))(machinepasswordtimeout)
597 it() link(bf(mangled stack))(mangledstack)
599 it() link(bf(map to guest))(maptoguest)
601 it() link(bf(max disk size))(maxdisksize)
603 it() link(bf(max log size))(maxlogsize)
605 it() link(bf(max mux))(maxmux)
607 it() link(bf(max open files))(maxopenfiles)
609 it() link(bf(max packet))(maxpacket)
611 it() link(bf(max ttl))(maxttl)
613 it() link(bf(max wins ttl))(maxwinsttl)
615 it() link(bf(max xmit))(maxxmit)
617 it() link(bf(message command))(messagecommand)
619 it() link(bf(min passwd length))(minpasswdlength)
621 it() link(bf(min wins ttl))(minwinsttl)
623 it() link(bf(name resolve order))(nameresolveorder)
625 it() link(bf(netbios aliases))(netbiosaliases)
627 it() link(bf(netbios name))(netbiosname)
629 it() link(bf(nis homedir))(nishomedir)
631 it() link(bf(nt acl support))(ntaclsupport)
633 it() link(bf(nt pipe support))(ntpipesupport)
635 it() link(bf(nt smb support))(ntsmbsupport)
637 it() link(bf(null passwords))(nullpasswords)
639 it() link(bf(ole locking compatibility))(olelockingcompatibility)
641 it() link(bf(oplock break wait time))(oplockbreakwaittime)
643 it() link(bf(os level))(oslevel)
645 it() link(bf(packet size))(packetsize)
647 it() link(bf(panic action))(panicaction)
649 it() link(bf(passwd chat))(passwdchat)
651 it() link(bf(passwd chat debug))(passwdchatdebug)
653 it() link(bf(passwd program))(passwdprogram)
655 it() link(bf(password level))(passwordlevel)
657 it() link(bf(password server))(passwordserver)
659 it() link(bf(prefered master))(preferedmaster)
661 it() link(bf(preferred master))(preferredmaster)
663 it() link(bf(preload))(preload)
665 it() link(bf(printcap))(printcap)
667 it() link(bf(printcap name))(printcapname)
669 it() link(bf(printer driver file))(printerdriverfile)
671 it() link(bf(protocol))(protocol)
673 it() link(bf(read bmpx))(readbmpx)
675 it() link(bf(read prediction))(readprediction)
677 it() link(bf(read raw))(readraw)
679 it() link(bf(read size))(readsize)
681 it() link(bf(remote announce))(remoteannounce)
683 it() link(bf(remote browse sync))(remotebrowsesync)
685 it() link(bf(restrict anonymous))(restrictanonymous)
687 it() link(bf(root))(root)
689 it() link(bf(root dir))(rootdir)
691 it() link(bf(root directory))(rootdirectory)
693 it() link(bf(security))(security)
695 it() link(bf(server string))(serverstring)
697 it() link(bf(shared mem size))(sharedmemsize)
699 it() link(bf(smb passwd file))(smbpasswdfile)
701 it() link(bf(smbrun))(smbrun)
703 it() link(bf(socket address))(socketaddress)
705 it() link(bf(socket options))(socketoptions)
707 it() link(bf(ssl))(ssl)
709 it() link(bf(ssl CA certDir))(sslCAcertDir)
711 it() link(bf(ssl CA certFile))(sslCAcertFile)
713 it() link(bf(ssl ciphers))(sslciphers)
715 it() link(bf(ssl client cert))(sslclientcert)
717 it() link(bf(ssl client key))(sslclientkey)
719 it() link(bf(ssl compatibility))(sslcompatibility)
721 it() link(bf(ssl hosts))(sslhosts)
723 it() link(bf(ssl hosts resign))(sslhostsresign)
725 it() link(bf(ssl require clientcert))(sslrequireclientcert)
727 it() link(bf(ssl require servercert))(sslrequireservercert)
729 it() link(bf(ssl server cert))(sslservercert)
731 it() link(bf(ssl server key))(sslserverkey)
733 it() link(bf(ssl version))(sslversion)
735 it() link(bf(stat cache))(statcache)
737 it() link(bf(stat cache size))(statcachesize)
739 it() link(bf(strip dot))(stripdot)
741 it() link(bf(syslog))(syslog)
743 it() link(bf(syslog only))(syslogonly)
745 it() link(bf(time offset))(timeoffset)
747 it() link(bf(time server))(timeserver)
749 it() link(bf(timestamp logs))(timestamplogs)
751 it() link(bf(unix password sync))(unixpasswordsync)
753 it() link(bf(unix realname))(unixrealname)
755 it() link(bf(update encrypted))(updateencrypted)
757 it() link(bf(use rhosts))(userhosts)
759 it() link(bf(username level))(usernamelevel)
761 it() link(bf(username map))(usernamemap)
763 it() link(bf(valid chars))(validchars)
765 it() link(bf(wins proxy))(winsproxy)
767 it() link(bf(wins server))(winsserver)
769 it() link(bf(wins hook))(winshook)
771 it() link(bf(wins support))(winssupport)
773 it() link(bf(workgroup))(workgroup)
775 it() link(bf(write raw))(writeraw)
779 label(COMPLETELISTOFSERVICEPARAMETERS)
780 manpagesection(COMPLETE LIST OF SERVICE PARAMETERS)
782 Here is a list of all service parameters. See the section of each
783 parameter for details. Note that some are synonyms.
787 it() link(bf(admin users))(adminusers)
789 it() link(bf(allow hosts))(allowhosts)
791 it() link(bf(alternate permissions))(alternatepermissions)
793 it() link(bf(available))(available)
795 it() link(bf(blocking locks))(blockinglocks)
797 it() link(bf(browsable))(browsable)
799 it() link(bf(browseable))(browseable)
801 it() link(bf(case sensitive))(casesensitive)
803 it() link(bf(casesignames))(casesignames)
805 it() link(bf(comment))(comment)
807 it() link(bf(copy))(copy)
809 it() link(bf(create mask))(createmask)
811 it() link(bf(create mode))(createmode)
813 it() link(bf(default case))(defaultcase)
815 it() link(bf(delete readonly))(deletereadonly)
817 it() link(bf(delete veto files))(deletevetofiles)
819 it() link(bf(deny hosts))(denyhosts)
821 it() link(bf(directory))(directory)
823 it() link(bf(directory mask))(directorymask)
825 it() link(bf(directory mode))(directorymode)
827 it() link(bf(directory security mask))(directorysecuritymask)
829 it() link(bf(dont descend))(dontdescend)
831 it() link(bf(dos filetime resolution))(dosfiletimeresolution)
833 it() link(bf(dos filetimes))(dosfiletimes)
835 it() link(bf(exec))(exec)
837 it() link(bf(fake directory create times))(fakedirectorycreatetimes)
839 it() link(bf(fake oplocks))(fakeoplocks)
841 it() link(bf(follow symlinks))(followsymlinks)
843 it() link(bf(force create mode))(forcecreatemode)
845 it() link(bf(force directory mode))(forcedirectorymode)
847 it() link(bf(force directory security mode))(forcedirectorysecuritymode)
849 it() link(bf(force group))(forcegroup)
851 it() link(bf(force security mode))(forcesecuritymode)
853 it() link(bf(force user))(forceuser)
855 it() link(bf(fstype))(fstype)
857 it() link(bf(group))(group)
859 it() link(bf(guest account))(guestaccount)
861 it() link(bf(guest ok))(guestok)
863 it() link(bf(guest only))(guestonly)
865 it() link(bf(hide dot files))(hidedotfiles)
867 it() link(bf(hide files))(hidefiles)
869 it() link(bf(hosts allow))(hostsallow)
871 it() link(bf(hosts deny))(hostsdeny)
873 it() link(bf(include))(include)
875 it() link(bf(invalid users))(invalidusers)
877 it() link(bf(level2 oplocks))(level2oplocks)
879 it() link(bf(locking))(locking)
881 it() link(bf(lppause command))(lppausecommand)
883 it() link(bf(lpq command))(lpqcommand)
885 it() link(bf(lpresume command))(lpresumecommand)
887 it() link(bf(lprm command))(lprmcommand)
889 it() link(bf(magic output))(magicoutput)
891 it() link(bf(magic script))(magicscript)
893 it() link(bf(mangle case))(manglecase)
895 it() link(bf(mangle locks))(manglelocks)
897 it() link(bf(mangled map))(mangledmap)
899 it() link(bf(mangled names))(manglednames)
901 it() link(bf(mangling char))(manglingchar)
903 it() link(bf(map archive))(maparchive)
905 it() link(bf(map hidden))(maphidden)
907 it() link(bf(map system))(mapsystem)
909 it() link(bf(max connections))(maxconnections)
911 it() link(bf(min print space))(minprintspace)
913 it() link(bf(only guest))(onlyguest)
915 it() link(bf(only user))(onlyuser)
917 it() link(bf(oplocks))(oplocks)
919 it() link(bf(oplock contention limit))(oplockcontentionlimit)
921 it() link(bf(path))(path)
923 it() link(bf(postexec))(postexec)
925 it() link(bf(postscript))(postscript)
927 it() link(bf(preexec))(preexec)
929 it() link(bf(preexec close))(preexecclose)
931 it() link(bf(preserve case))(preservecase)
933 it() link(bf(print command))(printcommand)
935 it() link(bf(print ok))(printok)
937 it() link(bf(printable))(printable)
939 it() link(bf(printer))(printer)
941 it() link(bf(printer driver))(printerdriver)
943 it() link(bf(printer driver location))(printerdriverlocation)
945 it() link(bf(printer name))(printername)
947 it() link(bf(printing))(printing)
949 it() link(bf(public))(public)
951 it() link(bf(queuepause command))(queuepausecommand)
953 it() link(bf(queueresume command))(queueresumecommand)
955 it() link(bf(read list))(readlist)
957 it() link(bf(read only))(readonly)
959 it() link(bf(revalidate))(revalidate)
961 it() link(bf(root postexec))(rootpostexec)
963 it() link(bf(root preexec))(rootpreexec)
965 it() link(bf(security mask))(securitymask)
967 it() link(bf(root preexec close))(rootpreexecclose)
969 it() link(bf(set directory))(setdirectory)
971 it() link(bf(share modes))(sharemodes)
973 it() link(bf(short preserve case))(shortpreservecase)
975 it() link(bf(status))(status)
977 it() link(bf(strict locking))(strictlocking)
979 it() link(bf(strict sync))(strictsync)
981 it() link(bf(sync always))(syncalways)
983 it() link(bf(user))(user)
985 it() link(bf(username))(username)
987 it() link(bf(users))(users)
989 it() link(bf(valid users))(validusers)
991 it() link(bf(veto files))(vetofiles)
993 it() link(bf(veto oplock files))(vetooplockfiles)
995 it() link(bf(volume))(volume)
997 it() link(bf(wide links))(widelinks)
999 it() link(bf(writable))(writable)
1001 it() link(bf(write list))(writelist)
1003 it() link(bf(write ok))(writeok)
1005 it() link(bf(writeable))(writeable)
1009 label(EXPLANATIONOFEACHPARAMETER)
1010 manpagesection(EXPLANATION OF EACH PARAMETER)
1014 label(adduserscript)
1015 dit(bf(add user script (G)))
1017 This is the full pathname to a script that will be run em(AS ROOT) by
1018 url(bf(smbd (8)))(smbd.8.html) under special circumstances decribed
1021 Normally, a Samba server requires that UNIX users are created for all
1022 users accessing files on this server. For sites that use Windows NT
1023 account databases as their primary user database creating these users
1024 and keeping the user list in sync with the Windows NT PDC is an
1025 onerous task. This option allows url(bf(smbd))(smbd.8.html) to create
1026 the required UNIX users em(ON DEMAND) when a user accesses the Samba
1029 In order to use this option, url(bf(smbd))(smbd.8.html) must be set to
1030 link(bf(security=server))(securityequalserver) or
1031 link(bf(security=domain))(securityequaldomain) and bf("add user script")
1032 must be set to a full pathname for a script that will create a UNIX user
1033 given one argument of bf(%u), which expands into the UNIX user name to
1036 When the Windows user attempts to access the Samba server, at
1037 em("login")(session setup in the SMB protocol) time,
1038 url(bf(smbd))(smbd.8.html) contacts the link(bf(password
1039 server))(passwordserver) and attempts to authenticate the given user
1040 with the given password. If the authentication succeeds then
1041 url(bf(smbd))(smbd.8.html) attempts to find a UNIX user in the UNIX
1042 password database to map the Windows user into. If this lookup fails,
1043 and bf("add user script") is set then url(bf(smbd))(smbd.8.html) will
1044 call the specified script em(AS ROOT), expanding any bf(%u) argument
1045 to be the user name to create.
1047 If this script successfully creates the user then
1048 url(bf(smbd))(smbd.8.html) will continue on as though the UNIX user
1049 already existed. In this way, UNIX users are dynamically created to
1050 match existing Windows NT accounts.
1052 See also link(bf(security=server))(securityequalserver),
1053 link(bf(security=domain))(securityequaldomain), link(bf(password
1054 server))(passwordserver), link(bf(delete user
1055 script))(deleteuserscript).
1058 tt( add user script = <empty string>)
1061 tt( add user script = /usr/local/samba/bin/add_user %u)
1064 dit(bf(admin users (S)))
1066 This is a list of users who will be granted administrative privileges
1067 on the share. This means that they will do all file operations as the
1070 You should use this option very carefully, as any user in this list
1071 will be able to do anything they like on the share, irrespective of
1078 tt( admin users = jason)
1081 dit(bf(allow hosts (S)))
1083 Synonym for link(bf(hosts allow))(hostsallow).
1085 label(allowtrusteddomains)
1086 dit(bf(allow trusted domains (G)))
1088 This option only takes effect when the link(bf(security))(security)
1089 option is set to bf(server) or bf(domain). If it is set to no,
1090 then attempts to connect to a resource from a domain or workgroup other than
1091 the one which smbd is running in will fail, even if that domain
1092 is trusted by the remote server doing the authentication.
1094 This is useful if you only want your Samba server to serve resources
1095 to users in the domain it is a member of. As an example, suppose that there are
1096 two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains
1097 the Samba server. Under normal circumstances, a user with an account
1098 in DOMB can then access the resources of a UNIX account with the same
1099 account name on the Samba server even if they do not have an account
1100 in DOMA. This can make implementing a security boundary difficult.
1103 tt( allow trusted domains = Yes)
1106 tt( allow trusted domains = No)
1108 label(alternatepermissions)
1109 dit(bf(alternate permissions (S)))
1111 This is a deprecated parameter. It no longer has any effect in Samba2.0.
1112 In previous versions of Samba it affected the way the DOS "read only"
1113 attribute was mapped for a file. In Samba2.0 a file is marked "read only"
1114 if the UNIX file does not have the 'w' bit set for the owner of the file,
1115 regardless if the owner of the file is the currently logged on user or not.
1118 dit(bf(announce as (G)))
1120 This specifies what type of server url(bf(nmbd))(nmbd.8.html) will
1121 announce itself as, to a network neighborhood browse list. By default
1122 this is set to Windows NT. The valid options are : "NT", which is a
1123 synonym for "NT Server", "NT Server", "NT Workstation", "Win95" or
1124 "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95
1125 and Windows for Workgroups respectively. Do not change this parameter
1126 unless you have a specific need to stop Samba appearing as an NT server
1127 as this may prevent Samba servers from participating as browser servers correctly.
1130 tt( announce as = NT Server)
1133 tt( announce as = Win95)
1135 label(announceversion)
1136 dit(bf(announce version (G)))
1138 This specifies the major and minor version numbers that nmbd will use
1139 when announcing itself as a server. The default is 4.2. Do not change
1140 this parameter unless you have a specific need to set a Samba server
1141 to be a downlevel server.
1144 tt( announce version = 4.2)
1147 tt( announce version = 2.0)
1151 dit(bf(auto services (G)))
1153 This is a list of services that you want to be automatically added to
1154 the browse lists. This is most useful for homes and printers services
1155 that would otherwise not be visible.
1157 Note that if you just want all printers in your printcap file loaded
1158 then the link(bf("load printers"))(loadprinters) option is easier.
1161 tt( no auto services)
1164 tt( auto services = fred lp colorlp)
1167 dit(bf(available (S)))
1169 This parameter lets you em('turn off') a service. If tt('available = no'),
1170 then em(ALL) attempts to connect to the service will fail. Such failures
1174 tt( available = yes)
1179 label(bindinterfacesonly)
1180 dit(bf(bind interfaces only (G)))
1182 This global parameter allows the Samba admin to limit what interfaces
1183 on a machine will serve smb requests. If affects file service
1184 url(bf(smbd))(smbd.8.html) and name service url(bf(nmbd))(nmbd.8.html)
1185 in slightly different ways.
1187 For name service it causes url(bf(nmbd))(nmbd.8.html) to bind to ports
1188 137 and 138 on the interfaces listed in the
1189 link(bf('interfaces'))(interfaces)
1190 parameter. url(bf(nmbd))(nmbd.8.html) also binds to the 'all
1191 addresses' interface (0.0.0.0) on ports 137 and 138 for the purposes
1192 of reading broadcast messages. If this option is not set then
1193 url(bf(nmbd))(nmbd.8.html) will service name requests on all of these
1194 sockets. If bf("bind interfaces only") is set then
1195 url(bf(nmbd))(nmbd.8.html) will check the source address of any
1196 packets coming in on the broadcast sockets and discard any that don't
1197 match the broadcast addresses of the interfaces in the
1198 link(bf('interfaces'))(interfaces) parameter list. As unicast packets
1199 are received on the other sockets it allows url(bf(nmbd))(nmbd.8.html)
1200 to refuse to serve names to machines that send packets that arrive
1201 through any interfaces not listed in the
1202 link(bf("interfaces"))(interfaces) list. IP Source address spoofing
1203 does defeat this simple check, however so it must not be used
1204 seriously as a security feature for url(bf(nmbd))(nmbd.8.html).
1206 For file service it causes url(bf(smbd))(smbd.8.html) to bind only to
1207 the interface list given in the link(bf('interfaces'))(interfaces)
1208 parameter. This restricts the networks that url(bf(smbd))(smbd.8.html)
1209 will serve to packets coming in those interfaces. Note that you
1210 should not use this parameter for machines that are serving PPP or
1211 other intermittent or non-broadcast network interfaces as it will not
1212 cope with non-permanent interfaces.
1214 If bf("bind interfaces only") is set then unless the network address
1215 em(127.0.0.1) is added to the link(bf('interfaces'))(interfaces) parameter
1216 list url(bf(smbpasswd))(smbpasswd.8.html) and
1217 url(bf(swat))(swat.8.html) may not work as expected due to the
1218 reasons covered below.
1220 To change a users SMB password, the url(bf(smbpasswd))(smbpasswd.8.html)
1221 by default connects to the em("localhost" - 127.0.0.1) address as an SMB
1222 client to issue the password change request. If bf("bind interfaces only")
1223 is set then unless the network address em(127.0.0.1) is added to the
1224 link(bf('interfaces'))(interfaces) parameter list then
1225 url(bf(smbpasswd))(smbpasswd.8.html) will fail to connect in it's
1226 default mode. url(bf(smbpasswd))(smbpasswd.8.html) can be forced to
1227 use the primary IP interface of the local host by using its
1228 url(bf("-r remote machine"))(smbpasswd.8.html#minusr) parameter, with
1229 bf("remote machine") set to the IP name of the primary interface
1232 The url(bf(swat))(swat.8.html) status page tries to connect with
1233 url(bf(smbd))(smbd.8.html) and url(bf(nmbd))(nmbd.8.html) at the address
1234 em(127.0.0.1) to determine if they are running. Not adding em(127.0.0.1) will cause
1235 url(bf(smbd))(smbd.8.html) and url(bf(nmbd))(nmbd.8.html) to always show
1236 "not running" even if they really are. This can prevent
1237 url(bf(swat))(swat.8.html) from starting/stopping/restarting
1238 url(bf(smbd))(smbd.8.html) and url(bf(nmbd))(nmbd.8.html).
1241 tt( bind interfaces only = False)
1244 tt( bind interfaces only = True)
1246 label(blockinglocks)
1247 dit(bf(blocking locks (S)))
1249 This parameter controls the behavior of url(bf(smbd))(smbd.8.html) when
1250 given a request by a client to obtain a byte range lock on a region
1251 of an open file, and the request has a time limit associated with it.
1253 If this parameter is set and the lock range requested cannot be
1254 immediately satisfied, Samba 2.0 will internally queue the lock
1255 request, and periodically attempt to obtain the lock until the
1256 timeout period expires.
1258 If this parameter is set to "False", then Samba 2.0 will behave
1259 as previous versions of Samba would and will fail the lock
1260 request immediately if the lock range cannot be obtained.
1262 This parameter can be set per share.
1265 tt( blocking locks = True)
1268 tt( blocking locks = False)
1271 dit(bf(browsable (S)))
1273 Synonym for link(bf(browseable))(browseable).
1276 dit(bf(browse list(G)))
1278 This controls whether url(bf(smbd))(smbd.8.html) will serve a browse
1279 list to a client doing a NetServerEnum call. Normally set to true. You
1280 should never need to change this.
1283 tt( browse list = Yes)
1288 This controls whether this share is seen in the list of available
1289 shares in a net view and in the browse list.
1292 tt( browseable = Yes)
1295 tt( browseable = No)
1297 label(casesensitive)
1298 dit(bf(case sensitive (S)))
1300 See the discussion in the section link(bf(NAME MANGLING))(NAMEMANGLING).
1303 dit(bf(casesignames (S)))
1305 Synonym for link(bf("case sensitive"))(casesensitive).
1307 label(changenotifytimeout)
1308 dit(bf(change notify timeout (G)))
1310 One of the new NT SMB requests that Samba 2.0 supports is the
1311 "ChangeNotify" requests. This SMB allows a client to tell a server to
1312 em("watch") a particular directory for any changes and only reply to
1313 the SMB request when a change has occurred. Such constant scanning of
1314 a directory is expensive under UNIX, hence an
1315 url(bf(smbd))(smbd.8.html) daemon only performs such a scan on each
1316 requested directory once every bf(change notify timeout) seconds.
1318 bf(change notify timeout) is specified in units of seconds.
1321 tt( change notify timeout = 60)
1324 tt( change notify timeout = 300)
1326 Would change the scan time to every 5 minutes.
1329 dit(bf(character set (G)))
1331 This allows a smbd to map incoming filenames from a DOS Code page (see
1332 the link(bf(client code page))(clientcodepage) parameter) to several
1333 built in UNIX character sets. The built in code page translations are:
1337 it() bf(ISO8859-1) Western European UNIX character set. The parameter
1338 link(bf(client code page))(clientcodepage) em(MUST) be set to code
1339 page 850 if the bf(character set) parameter is set to iso8859-1
1340 in order for the conversion to the UNIX character set to be done
1343 it() bf(ISO8859-2) Eastern European UNIX character set. The parameter
1344 link(bf(client code page))(clientcodepage) em(MUST) be set to code
1345 page 852 if the bf(character set) parameter is set to ISO8859-2
1346 in order for the conversion to the UNIX character set to be done
1349 it() bf(ISO8859-5) Russian Cyrillic UNIX character set. The parameter
1350 link(bf(client code page))(clientcodepage) em(MUST) be set to code
1351 page 866 if the bf(character set) parameter is set to ISO8859-5
1352 in order for the conversion to the UNIX character set to be done
1355 it() bf(ISO8859-7) Greek UNIX character set. The parameter
1356 link(bf(client code page))(clientcodepage) em(MUST) be set to code
1357 page 737 if the bf(character set) parameter is set to ISO8859-7
1358 in order for the conversion to the UNIX character set to be done
1361 it() bf(KOI8-R) Alternate mapping for Russian Cyrillic UNIX
1362 character set. The parameter link(bf(client code
1363 page))(clientcodepage) em(MUST) be set to code page 866 if the
1364 bf(character set) parameter is set to KOI8-R in order for the
1365 conversion to the UNIX character set to be done correctly.
1369 em(BUG). These MSDOS code page to UNIX character set mappings should
1370 be dynamic, like the loading of MS DOS code pages, not static.
1372 See also link(bf(client code page))(clientcodepage). Normally this
1373 parameter is not set, meaning no filename translation is done.
1376 tt( character set = <empty string>)
1379 tt( character set = ISO8859-1)
1381 label(clientcodepage)
1382 dit(bf(client code page (G)))
1384 This parameter specifies the DOS code page that the clients accessing
1385 Samba are using. To determine what code page a Windows or DOS client
1386 is using, open a DOS command prompt and type the command "chcp". This
1387 will output the code page. The default for USA MS-DOS, Windows 95, and
1388 Windows NT releases is code page 437. The default for western european
1389 releases of the above operating systems is code page 850.
1391 This parameter tells url(bf(smbd))(smbd.8.html) which of the
1392 tt(codepage.XXX) files to dynamically load on startup. These files,
1393 described more fully in the manual page url(bf(make_smbcodepage
1394 (1)))(make_smbcodepage.1.html), tell url(bf(smbd))(smbd.8.html) how
1395 to map lower to upper case characters to provide the case insensitivity
1396 of filenames that Windows clients expect.
1398 Samba currently ships with the following code page files :
1402 it() bf(Code Page 437 - MS-DOS Latin US)
1404 it() bf(Code Page 737 - Windows '95 Greek)
1406 it() bf(Code Page 850 - MS-DOS Latin 1)
1408 it() bf(Code Page 852 - MS-DOS Latin 2)
1410 it() bf(Code Page 861 - MS-DOS Icelandic)
1412 it() bf(Code Page 866 - MS-DOS Cyrillic)
1414 it() bf(Code Page 932 - MS-DOS Japanese SJIS)
1416 it() bf(Code Page 936 - MS-DOS Simplified Chinese)
1418 it() bf(Code Page 949 - MS-DOS Korean Hangul)
1420 it() bf(Code Page 950 - MS-DOS Traditional Chinese)
1424 Thus this parameter may have any of the values 437, 737, 850, 852,
1425 861, 932, 936, 949, or 950. If you don't find the codepage you need,
1426 read the comments in one of the other codepage files and the
1427 url(bf(make_smbcodepage (1)))(make_smbcodepage.1.html) man page and
1428 write one. Please remember to donate it back to the Samba user
1431 This parameter co-operates with the link(bf("valid
1432 chars"))(validchars) parameter in determining what characters are
1433 valid in filenames and how capitalization is done. If you set both
1434 this parameter and the link(bf("valid chars"))(validchars) parameter
1435 the bf("client code page") parameter em(MUST) be set before the
1436 link(bf("valid chars"))(validchars) parameter in the bf(smb.conf)
1437 file. The link(bf("valid chars"))(validchars) string will then augment
1438 the character settings in the "client code page" parameter.
1440 If not set, bf("client code page") defaults to 850.
1442 See also : link(bf("valid chars"))(validchars)
1445 tt( client code page = 850)
1448 tt( client code page = 936)
1451 dit(bf(codingsystem (G)))
1453 This parameter is used to determine how incoming Shift-JIS Japanese
1454 characters are mapped from the incoming link(bf("client code
1455 page"))(clientcodepage) used by the client, into file names in the
1456 UNIX filesystem. Only useful if link(bf("client code
1457 page"))(clientcodepage) is set to 932 (Japanese Shift-JIS).
1463 it() bf(SJIS) Shift-JIS. Does no conversion of the incoming filename.
1465 it() bf(JIS8, J8BB, J8BH, J8@B, J8@J, J8@H ) Convert from incoming
1466 Shift-JIS to eight bit JIS code with different shift-in, shift out
1469 it() bf(JIS7, J7BB, J7BH, J7@B, J7@J, J7@H ) Convert from incoming
1470 Shift-JIS to seven bit JIS code with different shift-in, shift out
1473 it() bf(JUNET, JUBB, JUBH, JU@B, JU@J, JU@H ) Convert from incoming
1474 Shift-JIS to JUNET code with different shift-in, shift out codes.
1476 it() bf(EUC) Convert an incoming Shift-JIS character to EUC code.
1478 it() bf(HEX) Convert an incoming Shift-JIS character to a 3 byte hex
1479 representation, i.e. tt(:AB).
1481 it() bf(CAP) Convert an incoming Shift-JIS character to the 3 byte hex
1482 representation used by the Columbia AppleTalk Program (CAP),
1483 i.e. tt(:AB). This is used for compatibility between Samba and CAP.
1488 dit(bf(comment (S)))
1490 This is a text field that is seen next to a share when a client does a
1491 queries the server, either via the network neighborhood or via "net
1492 view" to list what shares are available.
1494 If you want to set the string that is displayed next to the machine
1495 name then see the server string command.
1498 tt( No comment string)
1501 tt( comment = Fred's Files)
1504 dit(bf(config file (G)))
1506 This allows you to override the config file to use, instead of the
1507 default (usually bf(smb.conf)). There is a chicken and egg problem
1508 here as this option is set in the config file!
1510 For this reason, if the name of the config file has changed when the
1511 parameters are loaded then it will reload them from the new config
1514 This option takes the usual substitutions, which can be very useful.
1516 If the config file doesn't exist then it won't be loaded (allowing you
1517 to special case the config files of just a few clients).
1520 tt( config file = /usr/local/samba/lib/smb.conf.%m)
1525 This parameter allows you to em('clone') service entries. The specified
1526 service is simply duplicated under the current service's name. Any
1527 parameters specified in the current section will override those in the
1528 section being copied.
1530 This feature lets you set up a 'template' service and create similar
1531 services easily. Note that the service being copied must occur earlier
1532 in the configuration file than the service doing the copying.
1538 tt( copy = otherservice)
1541 dit(bf(create mask (S)))
1543 A synonym for this parameter is link(bf('create mode'))(createmode).
1545 When a file is created, the necessary permissions are calculated
1546 according to the mapping from DOS modes to UNIX permissions, and the
1547 resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
1548 This parameter may be thought of as a bit-wise MASK for the UNIX modes
1549 of a file. Any bit em(*not*) set here will be removed from the modes set
1550 on a file when it is created.
1552 The default value of this parameter removes the 'group' and 'other'
1553 write and execute bits from the UNIX modes.
1555 Following this Samba will bit-wise 'OR' the UNIX mode created from
1556 this parameter with the value of the "force create mode" parameter
1557 which is set to 000 by default.
1559 This parameter does not affect directory modes. See the parameter
1560 link(bf('directory mode'))(directorymode) for details.
1562 See also the link(bf("force create mode"))(forcecreatemode) parameter
1563 for forcing particular mode bits to be set on created files. See also
1564 the link(bf("directory mode"))(directorymode) parameter for masking
1565 mode bits on created directories.
1568 tt( create mask = 0744)
1571 tt( create mask = 0775)
1574 dit(bf(create mode (S)))
1576 This is a synonym for link(bf(create mask))(createmask).
1579 dit(bf(deadtime (G)))
1581 The value of the parameter (a decimal integer) represents the number
1582 of minutes of inactivity before a connection is considered dead, and
1583 it is disconnected. The deadtime only takes effect if the number of
1586 This is useful to stop a server's resources being exhausted by a large
1587 number of inactive connections.
1589 Most clients have an auto-reconnect feature when a connection is
1590 broken so in most cases this parameter should be transparent to users.
1592 Using this parameter with a timeout of a few minutes is recommended
1595 A deadtime of zero indicates that no auto-disconnection should be
1604 label(debughirestimestamp)
1605 dit(bf(debug hires timestamp (G)))
1607 Sometimes the timestamps in the log messages are needed with a
1608 resolution of higher that seconds, this boolean parameter adds
1609 microsecond resolution to the timestamp message header when turned on.
1611 Note that the parameter link(bf(debug timestamp))(debugtimestamp)
1612 must be on for this to have an effect.
1615 tt( debug hires timestamp = No)
1618 tt( debug hires timestamp = Yes)
1620 label(debugtimestamp)
1621 dit(bf(debug timestamp (G)))
1623 Samba2.0 debug log messages are timestamped by default. If you are
1624 running at a high link(bf("debug level"))(debuglevel) these timestamps
1625 can be distracting. This boolean parameter allows them to be turned
1629 tt( debug timestamp = Yes)
1632 tt( debug timestamp = No)
1635 dit(bf(debug pid (G)))
1637 When using only one log file for more then one forked smbd-process
1638 there may be hard to follow which process outputs which message.
1639 This boolean parameter is adds the process-id to the timestamp message
1640 headers in the logfile when turned on.
1642 Note that the parameter link(bf(debug timestamp))(debugtimestamp)
1643 must be on for this to have an effect.
1649 tt( debug pid = Yes)
1652 dit(bf(debug uid (G)))
1654 Samba is sometimes run as root and sometime run as the connected
1655 user, this boolean parameter inserts the current euid, egid, uid
1656 and gid to the timestamp message headers in the log file if turned on.
1658 Note that the parameter link(bf(debug timestamp))(debugtimestamp)
1659 must be on for this to have an effect.
1665 tt( debug uid = Yes)
1668 dit(bf(debug level (G)))
1670 The value of the parameter (an integer) allows the debug level
1671 (logging level) to be specified in the bf(smb.conf) file. This is to
1672 give greater flexibility in the configuration of the system.
1674 The default will be the debug level specified on the command line
1675 or level zero if none was specified.
1678 tt( debug level = 3)
1681 dit(bf(default (G)))
1683 A synonym for link(bf(default service))(defaultservice).
1686 dit(bf(default case (S)))
1688 See the section on link(bf("NAME MANGLING"))(NAMEMANGLING). Also note
1689 the link(bf("short preserve case"))(shortpreservecase) parameter.
1691 label(defaultservice)
1692 dit(bf(default service (G)))
1694 This parameter specifies the name of a service which will be connected
1695 to if the service actually requested cannot be found. Note that the
1696 square brackets are em(NOT) given in the parameter value (see example
1699 There is no default value for this parameter. If this parameter is not
1700 given, attempting to connect to a nonexistent service results in an
1703 Typically the default service would be a link(bf(guest ok))(guestok),
1704 link(bf(read-only))(readonly) service.
1706 Also note that the apparent service name will be changed to equal that
1707 of the requested service, this is very useful as it allows you to use
1708 macros like link(bf(%S))(percentS) to make a wildcard service.
1710 Note also that any tt('_') characters in the name of the service used
1711 in the default service will get mapped to a tt('/'). This allows for
1717 default service = pub
1723 label(deleteuserscript)
1724 dit(bf(delete user script (G)))
1726 This is the full pathname to a script that will be run em(AS ROOT) by
1727 url(bf(smbd (8)))(smbd.8.html) under special circumstances decribed
1730 Normally, a Samba server requires that UNIX users are created for all
1731 users accessing files on this server. For sites that use Windows NT
1732 account databases as their primary user database creating these users
1733 and keeping the user list in sync with the Windows NT PDC is an
1734 onerous task. This option allows url(bf(smbd))(smbd.8.html) to delete
1735 the required UNIX users em(ON DEMAND) when a user accesses the Samba
1736 server and the Windows NT user no longer exists.
1738 In order to use this option, url(bf(smbd))(smbd.8.html) must be set to
1739 link(bf(security=domain))(securityequaldomain) and bf("delete user
1740 script") must be set to a full pathname for a script that will delete
1741 a UNIX user given one argument of bf(%u), which expands into the UNIX
1742 user name to delete. em(NOTE) that this is different to the
1743 link(bf(add user script))(adduserscript) which will work with the
1744 link(bf(security=server))(securityequalserver) option as well as
1745 link(bf(security=domain))(securityequaldomain). The reason for this
1746 is only when Samba is a domain member does it get the information
1747 on an attempted user logon that a user no longer exists. In the
1748 link(bf(security=server))(securityequalserver) mode a missing user
1749 is treated the same as an invalid password logon attempt. Deleting
1750 the user in this circumstance would not be a good idea.
1752 When the Windows user attempts to access the Samba server, at
1753 em("login")(session setup in the SMB protocol) time,
1754 url(bf(smbd))(smbd.8.html) contacts the link(bf(password
1755 server))(passwordserver) and attempts to authenticate the given user
1756 with the given password. If the authentication fails with the specific
1757 Domain error code meaning that the user no longer exists then
1758 url(bf(smbd))(smbd.8.html) attempts to find a UNIX user in the UNIX
1759 password database that matches the Windows user account. If this lookup succeeds,
1760 and bf("delete user script") is set then url(bf(smbd))(smbd.8.html) will
1761 call the specified script em(AS ROOT), expanding any bf(%u) argument
1762 to be the user name to delete.
1764 This script should delete the given UNIX username. In this way, UNIX
1765 users are dynamically deleted to match existing Windows NT accounts.
1767 See also link(bf(security=domain))(securityequaldomain),
1768 link(bf(password server))(passwordserver), link(bf(add user
1769 script))(adduserscript).
1772 tt( delete user script = <empty string>)
1775 tt( delete user script = /usr/local/samba/bin/del_user %u)
1777 label(deletereadonly)
1778 dit(bf(delete readonly (S)))
1780 This parameter allows readonly files to be deleted. This is not
1781 normal DOS semantics, but is allowed by UNIX.
1783 This option may be useful for running applications such as rcs, where
1784 UNIX file ownership prevents changing file permissions, and DOS
1785 semantics prevent deletion of a read only file.
1788 tt( delete readonly = No)
1791 tt( delete readonly = Yes)
1793 label(deletevetofiles)
1794 dit(bf(delete veto files (S)))
1796 This option is used when Samba is attempting to delete a directory
1797 that contains one or more vetoed directories (see the link(bf('veto
1798 files'))(vetofiles) option). If this option is set to False (the
1799 default) then if a vetoed directory contains any non-vetoed files or
1800 directories then the directory delete will fail. This is usually what
1803 If this option is set to True, then Samba will attempt to recursively
1804 delete any files and directories within the vetoed directory. This can
1805 be useful for integration with file serving systems such as bf(NetAtalk),
1806 which create meta-files within directories you might normally veto
1807 DOS/Windows users from seeing (e.g. tt(.AppleDouble))
1809 Setting tt('delete veto files = True') allows these directories to be
1810 transparently deleted when the parent directory is deleted (so long
1811 as the user has permissions to do so).
1813 See also the link(bf(veto files))(vetofiles) parameter.
1816 tt( delete veto files = False)
1819 tt( delete veto files = True)
1822 dit(bf(deny hosts (S)))
1824 Synonym for link(bf(hosts deny))(hostsdeny).
1827 dit(bf(dfree command (G)))
1829 The dfree command setting should only be used on systems where a
1830 problem occurs with the internal disk space calculations. This has
1831 been known to happen with Ultrix, but may occur with other operating
1832 systems. The symptom that was seen was an error of "Abort Retry
1833 Ignore" at the end of each directory listing.
1835 This setting allows the replacement of the internal routines to
1836 calculate the total disk space and amount available with an external
1837 routine. The example below gives a possible script that might fulfill
1840 The external program will be passed a single parameter indicating a
1841 directory in the filesystem being queried. This will typically consist
1842 of the string tt("./"). The script should return two integers in
1843 ascii. The first should be the total disk space in blocks, and the
1844 second should be the number of available blocks. An optional third
1845 return value can give the block size in bytes. The default blocksize
1848 Note: Your script should em(NOT) be setuid or setgid and should be
1849 owned by (and writeable only by) root!
1852 tt( By default internal routines for determining the disk capacity
1853 and remaining space will be used.)
1856 tt( dfree command = /usr/local/samba/bin/dfree)
1858 Where the script dfree (which must be made executable) could be:
1862 df $1 | tail -1 | awk '{print $2" "$4}'
1865 or perhaps (on Sys V based systems):
1869 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
1872 Note that you may have to replace the command names with full
1873 path names on some systems.
1876 dit(bf(directory (S)))
1878 Synonym for link(bf(path))(path).
1880 label(directorymask)
1881 dit(bf(directory mask (S)))
1883 This parameter is the octal modes which are used when converting DOS
1884 modes to UNIX modes when creating UNIX directories.
1886 When a directory is created, the necessary permissions are calculated
1887 according to the mapping from DOS modes to UNIX permissions, and the
1888 resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
1889 This parameter may be thought of as a bit-wise MASK for the UNIX modes
1890 of a directory. Any bit em(*not*) set here will be removed from the
1891 modes set on a directory when it is created.
1893 The default value of this parameter removes the 'group' and 'other'
1894 write bits from the UNIX mode, allowing only the user who owns the
1895 directory to modify it.
1897 Following this Samba will bit-wise 'OR' the UNIX mode created from
1898 this parameter with the value of the "force directory mode"
1899 parameter. This parameter is set to 000 by default (i.e. no extra mode
1902 See the link(bf("force directory mode"))(forcedirectorymode) parameter
1903 to cause particular mode bits to always be set on created directories.
1905 See also the link(bf("create mode"))(createmode) parameter for masking
1906 mode bits on created files, and the link(bf("directory security mask"))(directorysecuritymask)
1910 tt( directory mask = 0755)
1913 tt( directory mask = 0775)
1915 label(directorymode)
1916 dit(bf(directory mode (S)))
1918 Synonym for link(bf(directory mask))(directorymask).
1920 label(directorysecuritymask)
1921 dit(bf(directory security mask (S)))
1923 This parameter controls what UNIX permission bits can be modified
1924 when a Windows NT client is manipulating the UNIX permission on a
1925 directory using the native NT security dialog box.
1927 This parameter is applied as a mask (AND'ed with) to the changed
1928 permission bits, thus preventing any bits not in this mask from
1929 being modified. Essentially, zero bits in this mask may be treated
1930 as a set of bits the user is not allowed to change.
1932 If not set explicitly this parameter is set to the same value as the
1933 link(bf(directory mask))(directorymask) parameter. To allow a user to
1934 modify all the user/group/world permissions on a directory, set this
1937 em(Note) that users who can access the Samba server through other
1938 means can easily bypass this restriction, so it is primarily
1939 useful for standalone "appliance" systems. Administrators of
1940 most normal systems will probably want to set it to 0777.
1942 See also the link(bf(force directory security
1943 mode))(forcedirectorysecuritymode), link(bf(security
1944 mask))(securitymask), link(bf(force security mode))(forcesecuritymode)
1948 tt( directory security mask = <same as directory mask>)
1951 tt( directory security mask = 0777)
1954 dit(bf(dns proxy (G)))
1956 Specifies that url(bf(nmbd))(nmbd.8.html) when acting as a WINS
1957 server and finding that a NetBIOS name has not been registered, should
1958 treat the NetBIOS name word-for-word as a DNS name and do a lookup
1959 with the DNS server for that name on behalf of the name-querying
1962 Note that the maximum length for a NetBIOS name is 15 characters, so
1963 the DNS name (or DNS alias) can likewise only be 15 characters,
1966 url(bf(nmbd))(nmbd.8.html) spawns a second copy of itself to do the
1967 DNS name lookup requests, as doing a name lookup is a blocking action.
1969 See also the parameter link(bf(wins support))(winssupport).
1972 tt( dns proxy = yes)
1974 label(domainadmingroup)
1975 bf(domain admin group (G))
1977 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
1978 Samba NT Domain Controller Code. It may be removed in a later release.
1979 To work with the latest code builds that may have more support for
1980 Samba NT Domain Controller functionality please subscribe to the
1981 mailing list bf(Samba-ntdom) available by sending email to
1982 email(listproc@samba.org)
1984 label(domainadminusers)
1985 dit(bf(domain admin users (G)))
1987 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
1988 Samba NT Domain Controller Code. It may be removed in a later release.
1989 To work with the latest code builds that may have more support for
1990 Samba NT Domain Controller functionality please subscribe to the
1991 mailing list bf(Samba-ntdom) available by sending email to
1992 email(listproc@samba.org)
1994 label(domain controller)
1995 dit(bf(domain controller (G)))
1997 This is a bf(DEPRECATED) parameter. It is currently not used within
1998 the Samba source and should be removed from all current smb.conf
1999 files. It is left behind for compatibility reasons.
2002 dit(bf(domain groups (G)))
2004 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
2005 Samba NT Domain Controller Code. It may be removed in a later release.
2006 To work with the latest code builds that may have more support for
2007 Samba NT Domain Controller functionality please subscribe to the
2008 mailing list bf(Samba-ntdom) available by sending email to
2009 email(listproc@samba.org)
2011 label(domainguestgroup)
2012 dit(bf(domain guest group (G)))
2014 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
2015 Samba NT Domain Controller Code. It may be removed in a later release.
2016 To work with the latest code builds that may have more support for
2017 Samba NT Domain Controller functionality please subscribe to the
2018 mailing list bf(Samba-ntdom) available by sending email to
2019 email(listproc@samba.org)
2021 label(domainguestusers)
2022 dit(bf(domain guest users (G)))
2024 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
2025 Samba NT Domain Controller Code. It may be removed in a later release.
2026 To work with the latest code builds that may have more support for
2027 Samba NT Domain Controller functionality please subscribe to the
2028 mailing list bf(Samba-ntdom) available by sending email to
2029 email(listproc@samba.org)
2032 dit(bf(domain logons (G)))
2034 If set to true, the Samba server will serve Windows 95/98 Domain
2035 logons for the link(bf(workgroup))(workgroup) it is in. For more
2036 details on setting up this feature see the file DOMAINS.txt in the
2037 Samba documentation directory tt(docs/) shipped with the source code.
2039 Note that Win95/98 Domain logons are em(NOT) the same as Windows
2040 NT Domain logons. NT Domain logons require a Primary Domain Controller
2041 (PDC) for the Domain. It is intended that in a future release Samba
2042 will be able to provide this functionality for Windows NT clients
2046 tt( domain logons = no)
2049 dit(bf(domain master (G)))
2051 Tell url(bf(nmbd))(nmbd.8.html) to enable WAN-wide browse list
2052 collation. Setting this option causes url(bf(nmbd))(nmbd.8.html) to
2053 claim a special domain specific NetBIOS name that identifies it as a
2054 domain master browser for its given
2055 link(bf(workgroup))(workgroup). Local master browsers in the same
2056 link(bf(workgroup))(workgroup) on broadcast-isolated subnets will give
2057 this url(bf(nmbd))(nmbd.8.html) their local browse lists, and then
2058 ask url(bf(smbd))(smbd.8.html) for a complete copy of the browse list
2059 for the whole wide area network. Browser clients will then contact
2060 their local master browser, and will receive the domain-wide browse
2061 list, instead of just the list for their broadcast-isolated subnet.
2063 Note that Windows NT Primary Domain Controllers expect to be able to
2064 claim this link(bf(workgroup))(workgroup) specific special NetBIOS
2065 name that identifies them as domain master browsers for that
2066 link(bf(workgroup))(workgroup) by default (i.e. there is no way to
2067 prevent a Windows NT PDC from attempting to do this). This means that
2068 if this parameter is set and url(bf(nmbd))(nmbd.8.html) claims the
2069 special name for a link(bf(workgroup))(workgroup) before a Windows NT
2070 PDC is able to do so then cross subnet browsing will behave strangely
2074 tt( domain master = no)
2077 dit(bf(dont descend (S)))
2079 There are certain directories on some systems (e.g., the tt(/proc) tree
2080 under Linux) that are either not of interest to clients or are
2081 infinitely deep (recursive). This parameter allows you to specify a
2082 comma-delimited list of directories that the server should always show
2085 Note that Samba can be very fussy about the exact format of the "dont
2086 descend" entries. For example you may need tt("./proc") instead of
2087 just tt("/proc"). Experimentation is the best policy :-)
2090 tt( none (i.e., all directories are OK to descend))
2093 tt( dont descend = /proc,/dev)
2095 label(dosfiletimeresolution)
2096 dit(bf(dos filetime resolution (S)))
2098 Under the DOS and Windows FAT filesystem, the finest granularity on
2099 time resolution is two seconds. Setting this parameter for a share
2100 causes Samba to round the reported time down to the nearest two second
2101 boundary when a query call that requires one second resolution is made
2102 to url(bf(smbd))(smbd.8.html).
2104 This option is mainly used as a compatibility option for Visual C++
2105 when used against Samba shares. If oplocks are enabled on a share,
2106 Visual C++ uses two different time reading calls to check if a file
2107 has changed since it was last read. One of these calls uses a
2108 one-second granularity, the other uses a two second granularity. As
2109 the two second call rounds any odd second down, then if the file has a
2110 timestamp of an odd number of seconds then the two timestamps will not
2111 match and Visual C++ will keep reporting the file has changed. Setting
2112 this option causes the two timestamps to match, and Visual C++ is
2116 tt( dos filetime resolution = False)
2119 tt( dos filetime resolution = True)
2121 label(dos filetimes)
2122 dit(bf(dos filetimes (S)))
2124 Under DOS and Windows, if a user can write to a file they can change
2125 the timestamp on it. Under POSIX semantics, only the owner of the file
2126 or root may change the timestamp. By default, Samba runs with POSIX
2127 semantics and refuses to change the timestamp on a file if the user
2128 smbd is acting on behalf of is not the file owner. Setting this option
2129 to True allows DOS semantics and smbd will change the file timestamp as
2133 tt( dos filetimes = False)
2136 tt( dos filetimes = True)
2138 label(encryptpasswords)
2139 dit(bf(encrypt passwords (G)))
2141 This boolean controls whether encrypted passwords will be negotiated
2142 with the client. Note that Windows NT 4.0 SP3 and above and also
2143 Windows 98 will by default expect encrypted passwords unless a
2144 registry entry is changed. To use encrypted passwords in Samba see the
2145 file ENCRYPTION.txt in the Samba documentation directory tt(docs/)
2146 shipped with the source code.
2148 In order for encrypted passwords to work correctly
2149 url(bf(smbd))(smbd.8.html) must either have access to a local
2150 url(bf(smbpasswd (5)))(smbpasswd.5.html) file (see the
2151 url(bf(smbpasswd (8)))(smbpasswd.8.html) program for information on
2152 how to set up and maintain this file), or set the
2153 link(bf(security=))(security) parameter to either
2154 link(bf("server"))(securityequalserver) or
2155 link(bf("domain"))(securityequaldomain) which causes
2156 url(bf(smbd))(smbd.8.html) to authenticate against another server.
2161 This is a synonym for link(bf(preexec))(preexec).
2163 label(fake directory create times)
2164 dit(bf(fake directory create times (S)))
2166 NTFS and Windows VFAT file systems keep a create time for all files
2167 and directories. This is not the same as the ctime - status change
2168 time - that Unix keeps, so Samba by default reports the earliest of
2169 the various times Unix does keep. Setting this parameter for a share
2170 causes Samba to always report midnight 1-1-1980 as the create time for
2173 This option is mainly used as a compatibility option for Visual C++
2174 when used against Samba shares. Visual C++ generated makefiles have
2175 the object directory as a dependency for each object file, and a make
2176 rule to create the directory. Also, when NMAKE compares timestamps it
2177 uses the creation time when examining a directory. Thus the object
2178 directory will be created if it does not exist, but once it does exist
2179 it will always have an earlier timestamp than the object files it
2182 However, Unix time semantics mean that the create time reported by
2183 Samba will be updated whenever a file is created or deleted in the
2184 directory. NMAKE therefore finds all object files in the object
2185 directory bar the last one built are out of date compared to the
2186 directory and rebuilds them. Enabling this option ensures directories
2187 always predate their contents and an NMAKE build will proceed as
2191 tt( fake directory create times = False)
2194 tt( fake directory create times = True)
2197 dit(bf(fake oplocks (S)))
2199 Oplocks are the way that SMB clients get permission from a server to
2200 locally cache file operations. If a server grants an oplock
2201 (opportunistic lock) then the client is free to assume that it is the
2202 only one accessing the file and it will aggressively cache file
2203 data. With some oplock types the client may even cache file open/close
2204 operations. This can give enormous performance benefits.
2206 When you set tt("fake oplocks = yes") url(bf(smbd))(smbd.8.html) will
2207 always grant oplock requests no matter how many clients are using the
2210 It is generally much better to use the real link(bf(oplocks))(oplocks)
2211 support rather than this parameter.
2213 If you enable this option on all read-only shares or shares that you
2214 know will only be accessed from one client at a time such as
2215 physically read-only media like CDROMs, you will see a big performance
2216 improvement on many operations. If you enable this option on shares
2217 where multiple clients may be accessing the files read-write at the
2218 same time you can get data corruption. Use this option carefully!
2220 This option is disabled by default.
2222 label(followsymlinks)
2223 dit(bf(follow symlinks (S)))
2225 This parameter allows the Samba administrator to stop
2226 url(bf(smbd))(smbd.8.html) from following symbolic links in a
2227 particular share. Setting this parameter to em("No") prevents any file
2228 or directory that is a symbolic link from being followed (the user
2229 will get an error). This option is very useful to stop users from
2230 adding a symbolic link to tt(/etc/passwd) in their home directory for
2231 instance. However it will slow filename lookups down slightly.
2233 This option is enabled (i.e. url(bf(smbd))(smbd.8.html) will follow
2234 symbolic links) by default.
2236 label(forcecreatemode)
2237 dit(bf(force create mode (S)))
2239 This parameter specifies a set of UNIX mode bit permissions that will
2240 em(*always*) be set on a file by Samba. This is done by bitwise
2241 'OR'ing these bits onto the mode bits of a file that is being created
2242 or having its permissions changed. The default for this parameter is
2243 (in octal) 000. The modes in this parameter are bitwise 'OR'ed onto
2244 the file mode after the mask set in the link(bf("create
2245 mask"))(createmask) parameter is applied.
2247 See also the parameter link(bf("create mask"))(createmask) for details
2248 on masking mode bits on files.
2251 tt( force create mode = 000)
2254 tt( force create mode = 0755)
2256 would force all created files to have read and execute permissions set
2257 for 'group' and 'other' as well as the read/write/execute bits set for
2260 label(forcedirectorymode)
2261 dit(bf(force directory mode (S)))
2263 This parameter specifies a set of UNIX mode bit permissions that will
2264 em(*always*) be set on a directory created by Samba. This is done by
2265 bitwise 'OR'ing these bits onto the mode bits of a directory that is
2266 being created. The default for this parameter is (in octal) 0000 which
2267 will not add any extra permission bits to a created directory. This
2268 operation is done after the mode mask in the parameter
2269 link(bf("directory mask"))(directorymask) is applied.
2271 See also the parameter link(bf("directory mask"))(directorymask) for
2272 details on masking mode bits on created directories.
2275 tt( force directory mode = 000)
2278 tt( force directory mode = 0755)
2280 would force all created directories to have read and execute
2281 permissions set for 'group' and 'other' as well as the
2282 read/write/execute bits set for the 'user'.
2284 label(forcedirectorysecuritymode)
2285 dit(bf(force directory security mode (S)))
2287 This parameter controls what UNIX permission bits can be modified when
2288 a Windows NT client is manipulating the UNIX permission on a directory
2289 using the native NT security dialog box.
2291 This parameter is applied as a mask (OR'ed with) to the changed
2292 permission bits, thus forcing any bits in this mask that the user may
2293 have modified to be on. Essentially, one bits in this mask may be
2294 treated as a set of bits that, when modifying security on a directory,
2295 the user has always set to be 'on'.
2297 If not set explicitly this parameter is set to the same value as the
2298 link(bf(force directory mode))(forcedirectorymode) parameter. To allow
2299 a user to modify all the user/group/world permissions on a directory,
2300 with restrictions set this parameter to 000.
2302 em(Note) that users who can access the Samba server through other
2303 means can easily bypass this restriction, so it is primarily
2304 useful for standalone "appliance" systems. Administrators of
2305 most normal systems will probably want to set it to 0000.
2307 See also the link(bf(directory security mask))(directorysecuritymask),
2308 link(bf(security mask))(securitymask), link(bf(force security
2309 mode))(forcesecuritymode) parameters.
2312 tt( force directory security mode = <same as force directory mode>)
2315 tt( force directory security mode = 0)
2318 dit(bf(force group (S)))
2320 This specifies a UNIX group name that will be assigned as the default
2321 primary group for all users connecting to this service. This is useful
2322 for sharing files by ensuring that all access to files on service will
2323 use the named group for their permissions checking. Thus, by assigning
2324 permissions for this group to the files and directories within this
2325 service the Samba administrator can restrict or allow sharing of these
2328 In Samba 2.0.5 and above this parameter has extended functionality in the following
2329 way. If the group name listed here has a '+' character prepended to it
2330 then the current user accessing the share only has the primary group
2331 default assigned to this group if they are already assigned as a member
2332 of that group. This allows an administrator to decide that only users
2333 who are already in a particular group will create files with group
2334 ownership set to that group. This gives a finer granularity of ownership
2335 assignment. For example, the setting tt(force group = +sys) means
2336 that only users who are already in group sys will have their default
2337 primary group assigned to sys when accessing this Samba share. All
2338 other users will retain their ordinary primary group.
2340 If the link(bf("force user"))(forceuser) parameter is also set the
2341 group specified in bf(force group) will override the primary group
2342 set in link(bf("force user"))(forceuser).
2344 See also link(bf("force user"))(forceuser)
2347 tt( no forced group)
2350 tt( force group = agroup)
2352 label(forcesecuritymode)
2353 dit(bf(force security mode (S)))
2355 This parameter controls what UNIX permission bits can be modified when
2356 a Windows NT client is manipulating the UNIX permission on a file
2357 using the native NT security dialog box.
2359 This parameter is applied as a mask (OR'ed with) to the changed
2360 permission bits, thus forcing any bits in this mask that the user may
2361 have modified to be on. Essentially, one bits in this mask may be
2362 treated as a set of bits that, when modifying security on a file, the
2363 user has always set to be 'on'.
2365 If not set explicitly this parameter is set to the same value as the
2366 link(bf(force create mode))(forcecreatemode) parameter. To allow
2367 a user to modify all the user/group/world permissions on a file,
2368 with no restrictions set this parameter to 000.
2370 em(Note) that users who can access the Samba server through other
2371 means can easily bypass this restriction, so it is primarily
2372 useful for standalone "appliance" systems. Administrators of
2373 most normal systems will probably want to set it to 0000.
2375 See also the link(bf(force directory security
2376 mode))(forcedirectorysecuritymode), link(bf(directory security
2377 mask))(directorysecuritymask), link(bf(security mask))(securitymask)
2381 tt( force security mode = <same as force create mode>)
2384 tt( force security mode = 0)
2387 dit(bf(force user (S)))
2389 This specifies a UNIX user name that will be assigned as the default
2390 user for all users connecting to this service. This is useful for
2391 sharing files. You should also use it carefully as using it
2392 incorrectly can cause security problems.
2394 This user name only gets used once a connection is established. Thus
2395 clients still need to connect as a valid user and supply a valid
2396 password. Once connected, all file operations will be performed as the
2397 tt("forced user"), no matter what username the client connected as.
2399 This can be very useful.
2401 In Samba 2.0.5 and above this parameter also causes the primary
2402 group of the forced user to be used as the primary group for all
2403 file activity. Prior to 2.0.5 the primary group was left as the
2404 primary group of the connecting user (this was a bug).
2406 See also link(bf("force group"))(forcegroup)
2412 tt( force user = auser)
2417 This parameter allows the administrator to configure the string that
2418 specifies the type of filesystem a share is using that is reported by
2419 url(bf(smbd))(smbd.8.html) when a client queries the filesystem type
2420 for a share. The default type is bf("NTFS") for compatibility with
2421 Windows NT but this can be changed to other strings such as "Samba" or
2431 dit(bf(getwd cache (G)))
2433 This is a tuning option. When this is enabled a caching algorithm
2434 will be used to reduce the time taken for getwd() calls. This can have
2435 a significant impact on performance, especially when the
2436 link(bf(widelinks))(widelinks) parameter is set to False.
2439 tt( getwd cache = No)
2442 tt( getwd cache = Yes)
2447 Synonym for link(bf("force group"))(forcegroup).
2450 dit(bf(guest account (S)))
2452 This is a username which will be used for access to services which are
2453 specified as link(bf('guest ok'))(guestok) (see below). Whatever
2454 privileges this user has will be available to any client connecting to
2455 the guest service. Typically this user will exist in the password
2456 file, but will not have a valid login. The user account bf("ftp") is
2457 often a good choice for this parameter. If a username is specified in
2458 a given service, the specified username overrides this one.
2460 One some systems the default guest account "nobody" may not be able to
2461 print. Use another account in this case. You should test this by
2462 trying to log in as your guest user (perhaps by using the tt("su -")
2463 command) and trying to print using the system print command such as
2464 bf(lpr (1)) or bf(lp (1)).
2467 tt( specified at compile time, usually "nobody")
2470 tt( guest account = ftp)
2473 dit(bf(guest ok (S)))
2475 If this parameter is em('yes') for a service, then no password is
2476 required to connect to the service. Privileges will be those of the
2477 link(bf(guest account))(guestaccount).
2479 See the section below on link(bf(security))(security) for more
2480 information about this option.
2489 dit(bf(guest only (S)))
2491 If this parameter is em('yes') for a service, then only guest
2492 connections to the service are permitted. This parameter will have no
2493 affect if link(bf("guest ok"))(guestok) or link(bf("public"))(public)
2494 is not set for the service.
2496 See the section below on link(bf(security))(security) for more
2497 information about this option.
2500 tt( guest only = no)
2503 tt( guest only = yes)
2506 dit(bf(hide dot files (S)))
2508 This is a boolean parameter that controls whether files starting with
2509 a dot appear as hidden files.
2512 tt( hide dot files = yes)
2515 tt( hide dot files = no)
2519 dit(bf(hide files(S)))
2521 This is a list of files or directories that are not visible but are
2522 accessible. The DOS 'hidden' attribute is applied to any files or
2523 directories that match.
2525 Each entry in the list must be separated by a tt('/'), which allows
2526 spaces to be included in the entry. tt('*') and tt('?') can be used
2527 to specify multiple files or directories as in DOS wildcards.
2529 Each entry must be a Unix path, not a DOS path and must not include the
2530 Unix directory separator tt('/').
2532 Note that the case sensitivity option is applicable in hiding files.
2534 Setting this parameter will affect the performance of Samba, as it
2535 will be forced to check all files and directories for a match as they
2538 See also link(bf("hide dot files"))(hidedotfiles), link(bf("veto
2539 files"))(vetofiles) and link(bf("case sensitive"))(casesensitive).
2543 No files or directories are hidden by this option (dot files are
2544 hidden by default because of the "hide dot files" option).
2548 tt( hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/)
2550 The above example is based on files that the Macintosh SMB client
2551 (DAVE) available from url(bf(Thursby))(http://www.thursby.com) creates for
2552 internal use, and also still hides all files beginning with a dot.
2555 dit(bf(homedir map (G)))
2557 If link(bf("nis homedir"))(nishomedir) is true, and
2558 url(bf(smbd))(smbd.8.html) is also acting as a Win95/98 link(bf(logon
2559 server))(domainlogons) then this parameter specifies the NIS (or YP)
2560 map from which the server for the user's home directory should be
2561 extracted. At present, only the Sun auto.home map format is
2562 understood. The form of the map is:
2564 tt(username server:/some/file/system)
2566 and the program will extract the servername from before the first
2567 tt(':'). There should probably be a better parsing system that copes
2568 with different map formats and also Amd (another automounter) maps.
2570 NB: A working NIS is required on the system for this option to work.
2572 See also link(bf("nis homedir"))(nishomedir), link(bf(domain
2573 logons))(domainlogons).
2576 tt( homedir map = auto.home)
2579 tt( homedir map = amd.homedir)
2582 dit(bf(hosts allow (S)))
2584 A synonym for this parameter is link(bf('allow hosts'))(allowhosts)
2586 This parameter is a comma, space, or tab delimited set of hosts which
2587 are permitted to access a service.
2589 If specified in the link(bf([global]))(global) section then it will
2590 apply to all services, regardless of whether the individual service
2591 has a different setting.
2593 You can specify the hosts by name or IP number. For example, you could
2594 restrict access to only the hosts on a Class C subnet with something
2595 like tt("allow hosts = 150.203.5."). The full syntax of the list is
2596 described in the man page bf(hosts_access (5)). Note that this man
2597 page may not be present on your system, so a brief description will
2600 Note that the localhost address 127.0.0.1 will always be allowed
2601 access unless specifically denied by a "hosts deny" option.
2603 You can also specify hosts by network/netmask pairs and by netgroup
2604 names if your system supports netgroups. The em(EXCEPT) keyword can also
2605 be used to limit a wildcard list. The following examples may provide
2608 bf(Example 1): allow all IPs in 150.203.*.* except one
2610 tt( hosts allow = 150.203. EXCEPT 150.203.6.66)
2612 bf(Example 2): allow hosts that match the given network/netmask
2614 tt( hosts allow = 150.203.15.0/255.255.255.0)
2616 bf(Example 3): allow a couple of hosts
2618 tt( hosts allow = lapland, arvidsjaur)
2620 bf(Example 4): allow only hosts in NIS netgroup "foonet", but
2621 deny access from one particular host
2623 tt( hosts allow = @foonet)
2625 tt( hosts deny = pirate)
2627 Note that access still requires suitable user-level passwords.
2629 See url(bf(testparm (1)))(testparm.1.html) for a way of testing your
2630 host access to see if it does what you expect.
2633 tt( none (i.e., all hosts permitted access))
2636 tt( allow hosts = 150.203.5. myhost.mynet.edu.au)
2640 dit(bf(hosts deny (S)))
2642 The opposite of link(bf('hosts allow'))(hostsallow) - hosts listed
2643 here are em(NOT) permitted access to services unless the specific
2644 services have their own lists to override this one. Where the lists
2645 conflict, the link(bf('allow'))(hostsallow) list takes precedence.
2648 tt( none (i.e., no hosts specifically excluded))
2651 tt( hosts deny = 150.203.4. badhost.mynet.edu.au)
2654 dit(bf(hosts equiv (G)))
2656 If this global parameter is a non-null string, it specifies the name
2657 of a file to read for the names of hosts and users who will be allowed
2658 access without specifying a password.
2660 This is not be confused with link(bf(hosts allow))(hostsallow) which
2661 is about hosts access to services and is more useful for guest
2662 services. bf(hosts equiv) may be useful for NT clients which will not
2663 supply passwords to samba.
2665 NOTE: The use of bf(hosts equiv) can be a major security hole. This is
2666 because you are trusting the PC to supply the correct username. It is
2667 very easy to get a PC to supply a false username. I recommend that the
2668 bf(hosts equiv) option be only used if you really know what you are
2669 doing, or perhaps on a home network where you trust your spouse and
2670 kids. And only if you em(really) trust them :-).
2673 tt( No host equivalences)
2676 tt( hosts equiv = /etc/hosts.equiv)
2679 dit(bf(include (G)))
2681 This allows you to include one config file inside another. The file
2682 is included literally, as though typed in place.
2684 It takes the standard substitutions, except link(bf(%u))(percentu),
2685 link(bf(%P))(percentP) and link(bf(%S))(percentS).
2688 dit(bf(interfaces (G)))
2690 This option allows you to override the default network interfaces list
2691 that Samba will use for browsing, name registration and other NBT
2692 traffic. By default Samba will query the kernel for the list of all
2693 active interfaces and use any interfaces except 127.0.0.1 that are
2696 The option takes a list of interface strings. Each string can be in
2697 any of the following forms:
2700 it() a network interface name (such as eth0). This may include
2701 shell-like wildcards so eth* will match any interface starting
2702 with the substring "eth"
2703 if() a IP address. In this case the netmask is determined
2704 from the list of interfaces obtained from the kernel
2705 if() a IP/mask pair.
2706 if() a broadcast/mask pair.
2709 The "mask" parameters can either be a bit length (such as 24 for a C
2710 class network) or a full netmask in dotted decmal form.
2712 The "IP" parameters above can either be a full dotted decimal IP
2713 address or a hostname which will be looked up via the OSes normal
2714 hostname resolution mechanisms.
2716 For example, the following line:
2718 tt(interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0)
2720 would configure three network interfaces corresponding to the eth0
2721 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of
2722 the latter two interfaces would be set to 255.255.255.0.
2724 See also link(bf("bind interfaces only"))(bindinterfacesonly).
2727 dit(bf(invalid users (S)))
2729 This is a list of users that should not be allowed to login to this
2730 service. This is really a em("paranoid") check to absolutely ensure an
2731 improper setting does not breach your security.
2733 A name starting with a tt('@') is interpreted as an NIS netgroup first
2734 (if your system supports NIS), and then as a UNIX group if the name
2735 was not found in the NIS netgroup database.
2737 A name starting with tt('+') is interpreted only by looking in the
2738 UNIX group database. A name starting with tt('&') is interpreted only
2739 by looking in the NIS netgroup database (this requires NIS to be
2740 working on your system). The characters tt('+') and tt('&') may be
2741 used at the start of the name in either order so the value
2742 tt("+&group") means check the UNIX group database, followed by the NIS
2743 netgroup database, and the value tt("&+group") means check the NIS
2744 netgroup database, followed by the UNIX group database (the same as
2745 the tt('@') prefix).
2747 The current servicename is substituted for
2748 link(bf(%S))(percentS). This is useful in the link(bf([homes]))(homes)
2751 See also link(bf("valid users"))(validusers).
2754 tt( No invalid users)
2757 tt( invalid users = root fred admin @wheel)
2760 dit(bf(keepalive (G)))
2762 The value of the parameter (an integer) represents the number of
2763 seconds between bf('keepalive') packets. If this parameter is zero, no
2764 keepalive packets will be sent. Keepalive packets, if sent, allow the
2765 server to tell whether a client is still present and responding.
2767 Keepalives should, in general, not be needed if the socket being used
2768 has the SO_KEEPALIVE attribute set on it (see link(bf("socket
2769 options"))(socketoptions)). Basically you should only use this option
2770 if you strike difficulties.
2778 label(kerneloplocks)
2779 dit(bf(kernel oplocks (G)))
2781 For UNIXs that support kernel based link(bf(oplocks))(oplocks)
2782 (currently only IRIX but hopefully also Linux and FreeBSD soon) this
2783 parameter allows the use of them to be turned on or off.
2785 Kernel oplocks support allows Samba link(bf(oplocks))(oplocks) to be
2786 broken whenever a local UNIX process or NFS operation accesses a file
2787 that url(bf(smbd))(smbd.8.html) has oplocked. This allows complete
2788 data consistency between SMB/CIFS, NFS and local file access (and is a
2789 em(very) cool feature :-).
2791 This parameter defaults to em("On") on systems that have the support,
2792 and em("off") on systems that don't. You should never need to touch
2795 See also the link(bf("oplocks"))(oplocks) and link(bf("level2 oplocks"))(level2oplocks)
2799 dit(bf(ldap filter (G)))
2801 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2802 password database stored on an LDAP server back-end. These options
2803 are only available if your version of Samba was configured with
2804 the bf(--with-ldap) option.
2806 This parameter specifies an LDAP search filter used to search for a
2807 user name in the LDAP database. It must contain the string
2808 link(bf(%u))(percentU) which will be replaced with the user being
2815 dit(bf(ldap port (G)))
2817 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2818 password database stored on an LDAP server back-end. These options
2819 are only available if your version of Samba was configured with
2820 the bf(--with-ldap) option.
2822 This parameter specifies the TCP port number to use to contact
2826 tt( ldap port = 389.)
2829 dit(bf(ldap root (G)))
2831 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2832 password database stored on an LDAP server back-end. These options
2833 are only available if your version of Samba was configured with
2834 the bf(--with-ldap) option.
2836 This parameter specifies the entity to bind to the LDAP server
2837 as (essentially the LDAP username) in order to be able to perform
2838 queries and modifications on the LDAP database.
2840 See also link(bf(ldap root passwd))(ldaprootpasswd).
2843 tt( empty string (no user defined))
2845 label(ldaprootpasswd)
2846 dit(bf(ldap root passwd (G)))
2848 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2849 password database stored on an LDAP server back-end. These options
2850 are only available if your version of Samba was configured with
2851 the bf(--with-ldap) option.
2853 This parameter specifies the password for the entity to bind to the
2854 LDAP server as (the password for this LDAP username) in order to be
2855 able to perform queries and modifications on the LDAP database.
2857 em(BUGS:) This parameter should em(NOT) be a readable parameter
2858 in the bf(smb.conf) file and will be removed once a correct
2859 storage place is found.
2861 See also link(bf(ldap root))(ldaproot).
2867 dit(bf(ldap server (G)))
2869 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2870 password database stored on an LDAP server back-end. These options
2871 are only available if your version of Samba was configured with
2872 the bf(--with-ldap) option.
2874 This parameter specifies the DNS name of the LDAP server to use
2875 for SMB/CIFS authentication purposes.
2878 tt( ldap server = localhost)
2881 dit(bf(ldap suffix (G)))
2883 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2884 password database stored on an LDAP server back-end. These options
2885 are only available if your version of Samba was configured with
2886 the bf(--with-ldap) option.
2888 This parameter specifies the tt("dn") or LDAP em("distinguished name")
2889 that tells url(bf(smbd))(smbd.8.html) to start from when searching
2890 for an entry in the LDAP password database.
2895 label(level2oplocks)
2896 dit(bf(level2 oplocks (S)))
2898 This parameter (new in Samba 2.0.5) controls whether Samba supports
2899 level2 (read-only) oplocks on a share. In Samba 2.0.4 this parameter
2900 defaults to "False" as the code is new, but will default to "True"
2903 Level2, or read-only oplocks allow Windows NT clients that have an
2904 oplock on a file to downgrade from a read-write oplock to a read-only
2905 oplock once a second client opens the file (instead of releasing all
2906 oplocks on a second open, as in traditional, exclusive oplocks). This
2907 allows all openers of the file that support level2 oplocks to cache
2908 the file for read-ahead only (ie. they may not cache writes or lock
2909 requests) and increases performance for many acesses of files that
2910 are not commonly written (such as application .EXE files).
2912 Once one of the clients which have a read-only oplock writes to
2913 the file all clients are notified (no reply is needed or waited
2914 for) and told to break their oplocks to "none" and delete any
2917 It is recommended that this parameter be turned on to speed access
2918 to shared executables (and also to test the code :-).
2920 For more discussions on level2 oplocks see the CIFS spec.
2922 Currently, if link(bf("kernel oplocks"))(kerneloplocks) are supported
2923 then level2 oplocks are not granted (even if this parameter is set
2924 to tt("true")). Note also, the link(bf("oplocks"))(oplocks) parameter must
2925 be set to "true" on this share in order for this parameter to have any
2928 See also the link(bf("oplocks"))(oplocks) and link(bf("kernel oplocks"))(kerneloplocks) parameters.
2931 tt( level2 oplocks = False)
2934 tt( level2 oplocks = True)
2937 dit(bf(lm announce (G)))
2939 This parameter determines if url(bf(nmbd))(nmbd.8.html) will produce
2940 Lanman announce broadcasts that are needed by bf(OS/2) clients in order
2941 for them to see the Samba server in their browse list. This parameter
2942 can have three values, tt("true"), tt("false"), or tt("auto"). The
2943 default is tt("auto"). If set to tt("false") Samba will never produce
2944 these broadcasts. If set to tt("true") Samba will produce Lanman
2945 announce broadcasts at a frequency set by the parameter link(bf("lm
2946 interval"))(lminterval). If set to tt("auto") Samba will not send Lanman
2947 announce broadcasts by default but will listen for them. If it hears
2948 such a broadcast on the wire it will then start sending them at a
2949 frequency set by the parameter link(bf("lm interval"))(lminterval).
2951 See also link(bf("lm interval"))(lminterval).
2954 tt( lm announce = auto)
2957 tt( lm announce = true)
2960 dit(bf(lm interval (G)))
2962 If Samba is set to produce Lanman announce broadcasts needed by
2963 bf(OS/2) clients (see the link(bf("lm announce"))(lmannounce)
2964 parameter) then this parameter defines the frequency in seconds with
2965 which they will be made. If this is set to zero then no Lanman
2966 announcements will be made despite the setting of the link(bf("lm
2967 announce"))(lmannounce) parameter.
2969 See also link(bf("lm announce"))(lmannounce).
2972 tt( lm interval = 60)
2975 tt( lm interval = 120)
2978 dit(bf(load printers (G)))
2980 A boolean variable that controls whether all printers in the printcap
2981 will be loaded for browsing by default. See the
2982 link(bf("printers"))(printers) section for more details.
2985 tt( load printers = yes)
2988 tt( load printers = no)
2991 dit(bf(local master (G)))
2993 This option allows url(bf(nmbd))(nmbd.8.html) to try and become a
2994 local master browser on a subnet. If set to False then
2995 url(bf(nmbd))(nmbd.8.html) will not attempt to become a local master
2996 browser on a subnet and will also lose in all browsing elections. By
2997 default this value is set to true. Setting this value to true doesn't
2998 mean that Samba will em(become) the local master browser on a subnet,
2999 just that url(bf(nmbd))(nmbd.8.html) will em(participate) in
3000 elections for local master browser.
3002 Setting this value to False will cause url(bf(nmbd))(nmbd.8.html)
3003 em(never) to become a local master browser.
3006 tt( local master = yes)
3009 dit(bf(lock dir (G)))
3011 Synonym for link(bf("lock directory"))(lockdirectory).
3013 label(lockdirectory)
3014 dit(bf(lock directory (G)))
3016 This option specifies the directory where lock files will be placed.
3017 The lock files are used to implement the link(bf("max
3018 connections"))(maxconnections) option.
3021 tt( lock directory = /tmp/samba)
3024 tt( lock directory = /usr/local/samba/var/locks)
3027 dit(bf(locking (S)))
3029 This controls whether or not locking will be performed by the server
3030 in response to lock requests from the client.
3032 If tt("locking = no"), all lock and unlock requests will appear to
3033 succeed and all lock queries will indicate that the queried lock is
3036 If tt("locking = yes"), real locking will be performed by the server.
3038 This option em(may) be useful for read-only filesystems which em(may)
3039 not need locking (such as cdrom drives), although setting this
3040 parameter of tt("no") is not really recommended even in this case.
3042 Be careful about disabling locking either globally or in a specific
3043 service, as lack of locking may result in data corruption. You should
3044 never need to set this parameter.
3053 dit(bf(log file (G)))
3055 This options allows you to override the name of the Samba log file
3056 (also known as the debug file).
3058 This option takes the standard substitutions, allowing you to have
3059 separate log files for each user or machine.
3062 tt( log file = /usr/local/samba/var/log.%m)
3065 dit(bf(log level (G)))
3067 Synonym for link(bf("debug level"))(debuglevel).
3070 dit(bf(logon drive (G)))
3072 This parameter specifies the local path to which the home directory
3073 will be connected (see link(bf("logon home"))(logonhome)) and is only
3074 used by NT Workstations.
3076 Note that this option is only useful if Samba is set up as a
3077 link(bf(logon server))(domainlogons).
3080 tt( logon drive = h:)
3083 dit(bf(logon home (G)))
3085 This parameter specifies the home directory location when a Win95/98 or
3086 NT Workstation logs into a Samba PDC. It allows you to do
3088 tt("NET USE H: /HOME")
3090 from a command prompt, for example.
3092 This option takes the standard substitutions, allowing you to have
3093 separate logon scripts for each user or machine.
3095 Note that this option is only useful if Samba is set up as a
3096 link(bf(logon server))(domainlogons).
3099 tt( logon home = "\\remote_smb_server\%U")
3102 tt( logon home = "\\%N\%U")
3105 dit(bf(logon path (G)))
3107 This parameter specifies the home directory where roaming profiles
3108 (USER.DAT / USER.MAN files for Windows 95/98) are stored.
3110 This option takes the standard substitutions, allowing you to have
3111 separate logon scripts for each user or machine. It also specifies
3112 the directory from which the tt("desktop"), tt("start menu"),
3113 tt("network neighborhood") and tt("programs") folders, and their
3114 contents, are loaded and displayed on your Windows 95/98 client.
3116 The share and the path must be readable by the user for the
3117 preferences and directories to be loaded onto the Windows 95/98
3118 client. The share must be writeable when the logs in for the first
3119 time, in order that the Windows 95/98 client can create the user.dat
3120 and other directories.
3122 Thereafter, the directories and any of the contents can, if required, be
3123 made read-only. It is not advisable that the USER.DAT file be made
3124 read-only - rename it to USER.MAN to achieve the desired effect (a
3125 em(MAN)datory profile).
3127 Windows clients can sometimes maintain a connection to the [homes]
3128 share, even though there is no user logged in. Therefore, it is vital
3129 that the logon path does not include a reference to the homes share
3130 (i.e. setting this parameter to tt(\\%N\HOMES\profile_path) will cause
3133 This option takes the standard substitutions, allowing you to have
3134 separate logon scripts for each user or machine.
3136 Note that this option is only useful if Samba is set up as a
3137 link(bf(logon server))(domainlogons).
3140 tt( logon path = \\%N\%U\profile)
3143 tt( logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE)
3146 dit(bf(logon script (G)))
3148 This parameter specifies the batch file (.bat) or NT command file
3149 (.cmd) to be downloaded and run on a machine when a user successfully
3150 logs in. The file must contain the DOS style cr/lf line endings.
3151 Using a DOS-style editor to create the file is recommended.
3153 The script must be a relative path to the tt([netlogon]) service. If
3154 the tt([netlogon]) service specifies a link(bf(path))(path) of
3155 /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the
3156 file that will be downloaded is:
3158 tt(/usr/local/samba/netlogon/STARTUP.BAT)
3160 The contents of the batch file is entirely your choice. A suggested
3161 command would be to add tt(NET TIME \\SERVER /SET /YES), to force every
3162 machine to synchronize clocks with the same time server. Another use
3163 would be to add tt(NET USE U: \\SERVER\UTILS) for commonly used
3164 utilities, or tt(NET USE Q: \\SERVER\ISO9001_QA) for example.
3166 Note that it is particularly important not to allow write access to
3167 the tt([netlogon]) share, or to grant users write permission on the
3168 batch files in a secure environment, as this would allow the batch
3169 files to be arbitrarily modified and security to be breached.
3171 This option takes the standard substitutions, allowing you to have
3172 separate logon scripts for each user or machine.
3174 Note that this option is only useful if Samba is set up as a
3175 link(bf(logon server))(domainlogons).
3178 tt( logon script = scripts\%U.bat)
3180 label(lppausecommand)
3181 dit(bf(lppause command (S)))
3183 This parameter specifies the command to be executed on the server host
3184 in order to stop printing or spooling a specific print job.
3186 This command should be a program or script which takes a printer name
3187 and job number to pause the print job. One way of implementing this is
3188 by using job priorities, where jobs having a too low priority won't be
3189 sent to the printer.
3191 If a tt("%p") is given then the printername is put in its place. A
3192 tt("%j") is replaced with the job number (an integer). On HPUX (see
3193 link(bf(printing=hpux))(printing)), if the tt("-p%p") option is added
3194 to the lpq command, the job will show up with the correct status,
3195 i.e. if the job priority is lower than the set fence priority it will
3196 have the PAUSED status, whereas if the priority is equal or higher it
3197 will have the SPOOLED or PRINTING status.
3199 Note that it is good practice to include the absolute path in the
3200 lppause command as the PATH may not be available to the server.
3202 See also the link(bf("printing"))(printing) parameter.
3205 Currently no default value is given to this string, unless the
3206 value of the link(bf("printing"))(printing) parameter is tt(SYSV), in
3207 which case the default is :
3209 tt( lp -i %p-%j -H hold)
3211 or if the value of the link(bf("printing"))(printing) parameter is tt(softq),
3212 then the default is:
3214 tt( qstat -s -j%j -h)
3216 bf(Example for HPUX:)
3217 lppause command = /usr/bin/lpalt %p-%j -p0
3220 dit(bf(lpq cache time (G)))
3222 This controls how long lpq info will be cached for to prevent the
3223 bf(lpq) command being called too often. A separate cache is kept for
3224 each variation of the bf(lpq) command used by the system, so if you
3225 use different bf(lpq) commands for different users then they won't
3226 share cache information.
3228 The cache files are stored in tt(/tmp/lpq.xxxx) where xxxx is a hash of
3229 the bf(lpq) command in use.
3231 The default is 10 seconds, meaning that the cached results of a
3232 previous identical bf(lpq) command will be used if the cached data is
3233 less than 10 seconds old. A large value may be advisable if your
3234 bf(lpq) command is very slow.
3236 A value of 0 will disable caching completely.
3238 See also the link(bf("printing"))(printing) parameter.
3241 tt( lpq cache time = 10)
3244 tt( lpq cache time = 30)
3247 dit(bf(lpq command (S)))
3249 This parameter specifies the command to be executed on the server host
3250 in order to obtain tt("lpq")-style printer status information.
3252 This command should be a program or script which takes a printer name
3253 as its only parameter and outputs printer status information.
3255 Currently eight styles of printer status information are supported;
3256 BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX
3257 systems. You control which type is expected using the
3258 link(bf("printing ="))(printing) option.
3260 Some clients (notably Windows for Workgroups) may not correctly send
3261 the connection number for the printer they are requesting status
3262 information about. To get around this, the server reports on the first
3263 printer service connected to by the client. This only happens if the
3264 connection number sent is invalid.
3266 If a tt(%p) is given then the printername is put in its place. Otherwise
3267 it is placed at the end of the command.
3269 Note that it is good practice to include the absolute path in the bf(lpq
3270 command) as the PATH may not be available to the server.
3272 See also the link(bf("printing"))(printing) parameter.
3275 tt( depends on the setting of printing =)
3278 tt( lpq command = /usr/bin/lpq %p)
3280 label(lpresumecommand)
3281 dit(bf(lpresume command (S)))
3283 This parameter specifies the command to be executed on the server host
3284 in order to restart or continue printing or spooling a specific print
3287 This command should be a program or script which takes a printer name
3288 and job number to resume the print job. See also the link(bf("lppause
3289 command"))(lppausecommand) parameter.
3291 If a tt(%p) is given then the printername is put in its place. A
3292 tt(%j) is replaced with the job number (an integer).
3294 Note that it is good practice to include the absolute path in the bf(lpresume
3295 command) as the PATH may not be available to the server.
3297 See also the link(bf("printing"))(printing) parameter.
3301 Currently no default value is given to this string, unless the
3302 value of the link(bf("printing"))(printing) parameter is tt(SYSV), in
3303 which case the default is :
3305 tt( lp -i %p-%j -H resume)
3307 or if the value of the link(bf("printing"))(printing) parameter is tt(softq),
3308 then the default is:
3310 tt( qstat -s -j%j -r)
3312 bf(Example for HPUX:)
3313 tt( lpresume command = /usr/bin/lpalt %p-%j -p2)
3316 dit(bf(lprm command (S)))
3318 This parameter specifies the command to be executed on the server host
3319 in order to delete a print job.
3321 This command should be a program or script which takes a printer name
3322 and job number, and deletes the print job.
3324 If a tt(%p) is given then the printername is put in its place. A
3325 tt(%j) is replaced with the job number (an integer).
3327 Note that it is good practice to include the absolute path in the
3328 bf(lprm command) as the PATH may not be available to the server.
3330 See also the link(bf("printing"))(printing) parameter.
3333 tt( depends on the setting of "printing =")
3336 tt( lprm command = /usr/bin/lprm -P%p %j)
3339 tt( lprm command = /usr/bin/cancel %p-%j)
3341 label(machinepasswordtimeout)
3342 dit(bf(machine password timeout (G)))
3344 If a Samba server is a member of an Windows NT Domain (see the
3345 link(bf("security=domain"))(securityequaldomain)) parameter) then
3346 periodically a running url(bf(smbd))(smbd.8.html) process will try and
3347 change the bf(MACHINE ACCOUNT PASWORD) stored in the file called
3348 tt(<Domain>.<Machine>.mac) where tt(<Domain>) is the name of the
3349 Domain we are a member of and tt(<Machine>) is the primary
3350 link(bf("NetBIOS name"))(netbiosname) of the machine
3351 url(bf(smbd))(smbd.8.html) is running on. This parameter specifies how
3352 often this password will be changed, in seconds. The default is one
3353 week (expressed in seconds), the same as a Windows NT Domain member
3356 See also url(bf(smbpasswd (8)))(smbpasswd.8.html), and the
3357 link(bf("security=domain"))(securityequaldomain)) parameter.
3360 tt( machine password timeout = 604800)
3363 dit(bf(magic output (S)))
3365 This parameter specifies the name of a file which will contain output
3366 created by a magic script (see the link(bf("magic
3367 script"))(magicscript) parameter below).
3369 Warning: If two clients use the same link(bf("magic
3370 script"))(magicscript) in the same directory the output file content
3374 tt( magic output = <magic script name>.out)
3377 tt( magic output = myfile.txt)
3380 dit(bf(magic script (S)))
3382 This parameter specifies the name of a file which, if opened, will be
3383 executed by the server when the file is closed. This allows a UNIX
3384 script to be sent to the Samba host and executed on behalf of the
3387 Scripts executed in this way will be deleted upon completion,
3388 permissions permitting.
3390 If the script generates output, output will be sent to the file
3391 specified by the link(bf("magic output"))(magicoutput) parameter (see
3394 Note that some shells are unable to interpret scripts containing
3395 carriage-return-linefeed instead of linefeed as the end-of-line
3396 marker. Magic scripts must be executable em("as is") on the host,
3397 which for some hosts and some shells will require filtering at the DOS
3400 Magic scripts are em(EXPERIMENTAL) and should em(NOT) be relied upon.
3403 tt( None. Magic scripts disabled.)
3406 tt( magic script = user.csh)
3409 dit(bf(mangle case (S)))
3411 See the section on link(bf("NAME MANGLING"))(NAMEMANGLING).
3414 dit(bf(mangle locks (S)))
3416 This option is was introduced with Samba 2.0.4 and above and has been
3417 removed in Samba 2.0.6 as Samba now dynamically configures such things
3421 dit(bf(mangled map (S)))
3423 This is for those who want to directly map UNIX file names which can
3424 not be represented on Windows/DOS. The mangling of names is not always
3425 what is needed. In particular you may have documents with file
3426 extensions that differ between DOS and UNIX. For example, under UNIX
3427 it is common to use tt(".html") for HTML files, whereas under
3428 Windows/DOS tt(".htm") is more commonly used.
3430 So to map tt("html") to tt("htm") you would use:
3432 tt( mangled map = (*.html *.htm))
3434 One very useful case is to remove the annoying tt(";1") off the ends
3435 of filenames on some CDROMS (only visible under some UNIXs). To do
3436 this use a map of (*;1 *).
3442 tt( mangled map = (*;1 *))
3445 dit(bf(mangled names (S)))
3447 This controls whether non-DOS names under UNIX should be mapped to
3448 DOS-compatible names ("mangled") and made visible, or whether non-DOS
3449 names should simply be ignored.
3451 See the section on link(bf("NAME MANGLING"))(NAMEMANGLING) for details
3452 on how to control the mangling process.
3454 If mangling is used then the mangling algorithm is as follows:
3458 it() The first (up to) five alphanumeric characters before the
3459 rightmost dot of the filename are preserved, forced to upper case, and
3460 appear as the first (up to) five characters of the mangled name.
3462 it() A tilde tt("~") is appended to the first part of the mangled
3463 name, followed by a two-character unique sequence, based on the
3464 original root name (i.e., the original filename minus its final
3465 extension). The final extension is included in the hash calculation
3466 only if it contains any upper case characters or is longer than three
3469 Note that the character to use may be specified using the
3470 link(bf("mangling char"))(manglingchar) option, if you don't like
3473 it() The first three alphanumeric characters of the final extension
3474 are preserved, forced to upper case and appear as the extension of the
3475 mangled name. The final extension is defined as that part of the
3476 original filename after the rightmost dot. If there are no dots in the
3477 filename, the mangled name will have no extension (except in the case
3478 of link(bf("hidden files"))(hidefiles) - see below).
3480 it() Files whose UNIX name begins with a dot will be presented as DOS
3481 hidden files. The mangled name will be created as for other filenames,
3482 but with the leading dot removed and tt("___") as its extension regardless
3483 of actual original extension (that's three underscores).
3487 The two-digit hash value consists of upper case alphanumeric
3490 This algorithm can cause name collisions only if files in a directory
3491 share the same first five alphanumeric characters. The probability of
3492 such a clash is 1/1300.
3494 The name mangling (if enabled) allows a file to be copied between UNIX
3495 directories from Windows/DOS while retaining the long UNIX
3496 filename. UNIX files can be renamed to a new extension from
3497 Windows/DOS and will retain the same basename. Mangled names do not
3498 change between sessions.
3501 tt( mangled names = yes)
3504 tt( mangled names = no)
3507 dit(bf(mangling char (S)))
3509 This controls what character is used as the em("magic") character in
3510 link(bf(name mangling))(manglednames). The default is a tt('~') but
3511 this may interfere with some software. Use this option to set it to
3512 whatever you prefer.
3515 tt( mangling char = ~)
3518 tt( mangling char = ^)
3521 dit(bf(mangled stack (G)))
3523 This parameter controls the number of mangled names that should be
3524 cached in the Samba server url(bf(smbd))(smbd.8.html).
3526 This stack is a list of recently mangled base names (extensions are
3527 only maintained if they are longer than 3 characters or contains upper
3530 The larger this value, the more likely it is that mangled names can be
3531 successfully converted to correct long UNIX names. However, large
3532 stack sizes will slow most directory access. Smaller stacks save
3533 memory in the server (each stack element costs 256 bytes).
3535 It is not possible to absolutely guarantee correct long file names, so
3536 be prepared for some surprises!
3539 tt( mangled stack = 50)
3542 tt( mangled stack = 100)
3545 dit(bf(map archive (S)))
3547 This controls whether the DOS archive attribute should be mapped to
3548 the UNIX owner execute bit. The DOS archive bit is set when a file
3549 has been modified since its last backup. One motivation for this
3550 option it to keep Samba/your PC from making any file it touches from
3551 becoming executable under UNIX. This can be quite annoying for shared
3552 source code, documents, etc...
3554 Note that this requires the link(bf("create mask"))(createmask)
3555 parameter to be set such that owner execute bit is not masked out
3556 (i.e. it must include 100). See the parameter link(bf("create
3557 mask"))(createmask) for details.
3560 tt( map archive = yes)
3563 tt( map archive = no)
3566 dit(bf(map hidden (S)))
3568 This controls whether DOS style hidden files should be mapped to the
3569 UNIX world execute bit.
3571 Note that this requires the link(bf("create mask"))(createmask) to be
3572 set such that the world execute bit is not masked out (i.e. it must
3573 include 001). See the parameter link(bf("create mask"))(createmask)
3577 tt( map hidden = no)
3580 tt( map hidden = yes)
3583 dit(bf(map system (S)))
3585 This controls whether DOS style system files should be mapped to the
3586 UNIX group execute bit.
3588 Note that this requires the link(bf("create mask"))(createmask) to be
3589 set such that the group execute bit is not masked out (i.e. it must
3590 include 010). See the parameter link(bf("create mask"))(createmask)
3594 tt( map system = no)
3597 tt( map system = yes)
3600 dit(bf(map to guest (G)))
3602 This parameter is only useful in link(bf(security))(security) modes
3603 other than link(bf("security=share"))(securityequalshare) - i.e. user,
3606 This parameter can take three different values, which tell
3607 url(bf(smbd))(smbd.8.html) what to do with user login requests that
3608 don't match a valid UNIX user in some way.
3610 The three settings are :
3614 it() bf("Never") - Means user login requests with an invalid password
3615 are rejected. This is the default.
3617 it() bf("Bad User") - Means user logins with an invalid password are
3618 rejected, unless the username does not exist, in which case it is
3619 treated as a guest login and mapped into the link(bf("guest
3620 account"))(guestaccount).
3622 it() bf("Bad Password") - Means user logins with an invalid
3623 password are treated as a guest login and mapped into the
3624 link(bf("guest account"))(guestaccount). Note that this can
3625 cause problems as it means that any user incorrectly typing their
3626 password will be silently logged on a bf("guest") - and
3627 will not know the reason they cannot access files they think
3628 they should - there will have been no message given to them
3629 that they got their password wrong. Helpdesk services will
3630 em(*hate*) you if you set the bf("map to guest") parameter
3635 Note that this parameter is needed to set up bf("Guest") share
3636 services when using link(bf(security))(security) modes other than
3637 share. This is because in these modes the name of the resource being
3638 requested is em(*not*) sent to the server until after the server has
3639 successfully authenticated the client so the server cannot make
3640 authentication decisions at the correct time (connection to the
3641 share) for bf("Guest") shares.
3643 For people familiar with the older Samba releases, this parameter
3644 maps to the old compile-time setting of the GUEST_SESSSETUP value
3648 tt( map to guest = Never)
3650 tt( map to guest = Bad User)
3652 label(maxconnections)
3653 dit(bf(max connections (S)))
3655 This option allows the number of simultaneous connections to a service
3656 to be limited. If bf("max connections") is greater than 0 then
3657 connections will be refused if this number of connections to the
3658 service are already open. A value of zero mean an unlimited number of
3659 connections may be made.
3661 Record lock files are used to implement this feature. The lock files
3662 will be stored in the directory specified by the link(bf("lock
3663 directory"))(lockdirectory) option.
3666 tt( max connections = 0)
3669 tt( max connections = 10)
3672 dit(bf(max disk size (G)))
3674 This option allows you to put an upper limit on the apparent size of
3675 disks. If you set this option to 100 then all shares will appear to be
3676 not larger than 100 MB in size.
3678 Note that this option does not limit the amount of data you can put on
3679 the disk. In the above case you could still store much more than 100
3680 MB on the disk, but if a client ever asks for the amount of free disk
3681 space or the total disk size then the result will be bounded by the
3682 amount specified in bf("max disk size").
3684 This option is primarily useful to work around bugs in some pieces of
3685 software that can't handle very large disks, particularly disks over
3688 A bf("max disk size") of 0 means no limit.
3691 tt( max disk size = 0)
3694 tt( max disk size = 1000)
3697 dit(bf(max log size (G)))
3699 This option (an integer in kilobytes) specifies the max size the log
3700 file should grow to. Samba periodically checks the size and if it is
3701 exceeded it will rename the file, adding a tt(".old") extension.
3703 A size of 0 means no limit.
3706 tt( max log size = 5000)
3709 tt( max log size = 1000)
3712 dit(bf(max mux (G)))
3714 This option controls the maximum number of outstanding simultaneous
3715 SMB operations that samba tells the client it will allow. You should
3716 never need to set this parameter.
3722 dit(bf(max open files (G)))
3724 This parameter limits the maximum number of open files that one
3725 url(bf(smbd))(smbd.8.html) file serving process may have open for
3726 a client at any one time. The default for this parameter is set
3727 very high (10,000) as Samba uses only one bit per unopened file.
3729 The limit of the number of open files is usually set by the
3730 UNIX per-process file descriptor limit rather than this parameter
3731 so you should never need to touch this parameter.
3734 tt( max open files = 10000)
3737 dit(bf(max packet (G)))
3739 Synonym for label(bf("packet size"))(packetsize).
3742 dit(bf(max ttl (G)))
3744 This option tells url(bf(nmbd))(nmbd.8.html) what the default 'time
3745 to live' of NetBIOS names should be (in seconds) when
3746 url(bf(nmbd))(nmbd.8.html) is requesting a name using either a
3747 broadcast packet or from a WINS server. You should never need to
3748 change this parameter. The default is 3 days.
3751 tt( max ttl = 259200)
3754 dit(bf(max wins ttl (G)))
3756 This option tells url(bf(nmbd))(nmbd.8.html) when acting as a WINS
3757 server link(bf((wins support =true)))(winssupport) what the maximum
3758 'time to live' of NetBIOS names that url(bf(nmbd))(nmbd.8.html) will
3759 grant will be (in seconds). You should never need to change this
3760 parameter. The default is 6 days (518400 seconds).
3762 See also the link(bf("min wins ttl"))(minwinsttl) parameter.
3765 tt( max wins ttl = 518400)
3768 dit(bf(max xmit (G)))
3770 This option controls the maximum packet size that will be negotiated
3771 by Samba. The default is 65535, which is the maximum. In some cases
3772 you may find you get better performance with a smaller value. A value
3773 below 2048 is likely to cause problems.
3776 tt( max xmit = 65535)
3779 tt( max xmit = 8192)
3781 label(messagecommand)
3782 dit(bf(message command (G)))
3784 This specifies what command to run when the server receives a WinPopup
3787 This would normally be a command that would deliver the message
3788 somehow. How this is to be done is up to your imagination.
3792 tt( message command = csh -c 'xedit %s;rm %s' &)
3794 This delivers the message using bf(xedit), then removes it
3795 afterwards. em(NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
3796 IMMEDIATELY). That's why I have the tt('&') on the end. If it doesn't
3797 return immediately then your PCs may freeze when sending messages
3798 (they should recover after 30secs, hopefully).
3800 All messages are delivered as the global guest user. The command takes
3801 the standard substitutions, although link(bf(%u))(percentu) won't work
3802 (link(bf(%U))(percentU) may be better in this case).
3804 Apart from the standard substitutions, some additional ones apply. In
3809 it() tt("%s") = the filename containing the message.
3811 it() tt("%t") = the destination that the message was sent to (probably the server
3814 it() tt("%f") = who the message is from.
3818 You could make this command send mail, or whatever else takes your
3819 fancy. Please let us know of any really interesting ideas you have.
3821 Here's a way of sending the messages as mail to root:
3823 tt(message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s)
3825 If you don't have a message command then the message won't be
3826 delivered and Samba will tell the sender there was an
3827 error. Unfortunately WfWg totally ignores the error code and carries
3828 on regardless, saying that the message was delivered.
3830 If you want to silently delete it then try:
3832 tt("message command = rm %s").
3835 tt( no message command)
3838 tt( message command = csh -c 'xedit %s;rm %s' &)
3840 label(minprintspace)
3841 dit(bf(min print space (S)))
3843 This sets the minimum amount of free disk space that must be available
3844 before a user will be able to spool a print job. It is specified in
3845 kilobytes. The default is 0, which means a user can always spool a print
3848 See also the link(bf(printing))(printing) parameter.
3851 tt( min print space = 0)
3854 tt( min print space = 2000)
3856 label(minpasswdlength)
3857 dit(bf(min passwd length (G)))
3859 This option sets the minimum length in characters of a plaintext password
3860 than smbd will accept when performing UNIX password changing.
3862 See also link(bf("unix password sync"))(unixpasswordsync),
3863 link(bf("passwd program"))(passwdprogram) and link(bf("passwd chat
3864 debug"))(passwdchatdebug).
3867 tt( min passwd length = 5)
3871 dit(bf(min wins ttl (G)))
3873 This option tells url(bf(nmbd))(nmbd.8.html) when acting as a WINS
3874 server link(bf((wins support = true)))(winssupport) what the minimum
3875 'time to live' of NetBIOS names that url(bf(nmbd))(nmbd.8.html) will
3876 grant will be (in seconds). You should never need to change this
3877 parameter. The default is 6 hours (21600 seconds).
3880 tt( min wins ttl = 21600)
3883 label(nameresolveorder)
3884 dit(bf(name resolve order (G)))
3886 This option is used by the programs in the Samba suite to determine
3887 what naming services and in what order to resolve host names to IP
3888 addresses. The option takes a space separated string of different name
3891 The options are :"lmhosts", "host", "wins" and "bcast". They cause
3892 names to be resolved as follows :
3896 it() bf(lmhosts) : Lookup an IP address in the Samba lmhosts file.
3897 If the line in lmhosts has no name type attached to the NetBIOS
3898 name (see the url(bf(lmhosts (5)))(lmhosts.5.html) for details) then
3899 any name type matches for lookup.
3901 it() bf(host) : Do a standard host name to IP address resolution,
3902 using the system /etc/hosts, NIS, or DNS lookups. This method of name
3903 resolution is operating system depended for instance on IRIX or
3904 Solaris this may be controlled by the em(/etc/nsswitch.conf) file).
3905 Note that this method is only used if the NetBIOS name type being
3906 queried is the 0x20 (server) name type, otherwise it is ignored.
3908 it() bf(wins) : Query a name with the IP address listed in the
3909 link(bf(wins server))(winsserver) parameter. If no WINS server has
3910 been specified this method will be ignored.
3912 it() bf(bcast) : Do a broadcast on each of the known local interfaces
3913 listed in the link(bf(interfaces))(interfaces) parameter. This is the
3914 least reliable of the name resolution methods as it depends on the
3915 target host being on a locally connected subnet.
3920 tt( name resolve order = lmhosts host wins bcast)
3923 tt( name resolve order = lmhosts bcast host)
3925 This will cause the local lmhosts file to be examined first, followed
3926 by a broadcast attempt, followed by a normal system hostname lookup.
3928 label(netbiosaliases)
3929 dit(bf(netbios aliases (G)))
3931 This is a list of NetBIOS names that url(bf(nmbd))(nmbd.8.html) will
3932 advertise as additional names by which the Samba server is known. This
3933 allows one machine to appear in browse lists under multiple names. If
3934 a machine is acting as a link(bf(browse server))(localmaster) or
3935 link(bf(logon server))(domainlogons) none of these names will be
3936 advertised as either browse server or logon servers, only the primary
3937 name of the machine will be advertised with these capabilities.
3939 See also link(bf("netbios name"))(netbiosname).
3942 tt( empty string (no additional names))
3945 tt( netbios aliases = TEST TEST1 TEST2)
3948 dit(bf(netbios name (G)))
3950 This sets the NetBIOS name by which a Samba server is known. By
3951 default it is the same as the first component of the host's DNS name.
3952 If a machine is a link(bf(browse server))(localmaster) or
3953 link(bf(logon server))(domainlogons) this name (or the first component
3954 of the hosts DNS name) will be the name that these services are
3957 See also link(bf("netbios aliases"))(netbiosaliases).
3960 tt( Machine DNS name.)
3963 tt( netbios name = MYNAME)
3966 dit(bf(nis homedir (G)))
3968 Get the home share server from a NIS map. For UNIX systems that use an
3969 automounter, the user's home directory will often be mounted on a
3970 workstation on demand from a remote server.
3972 When the Samba logon server is not the actual home directory server,
3973 but is mounting the home directories via NFS then two network hops
3974 would be required to access the users home directory if the logon
3975 server told the client to use itself as the SMB server for home
3976 directories (one over SMB and one over NFS). This can be very
3979 This option allows Samba to return the home share as being on a
3980 different server to the logon server and as long as a Samba daemon is
3981 running on the home directory server, it will be mounted on the Samba
3982 client directly from the directory server. When Samba is returning the
3983 home share to the client, it will consult the NIS map specified in
3984 link(bf("homedir map"))(homedirmap) and return the server listed
3987 Note that for this option to work there must be a working NIS
3988 system and the Samba server with this option must also be a
3989 link(bf(logon server))(domainlogons).
3992 tt( nis homedir = false)
3995 tt( nis homedir = true)
3998 dit(bf(nt acl support (G)))
4000 This boolean parameter controls whether url(bf(smbd))(smbd.8.html)
4001 will attempt to map UNIX permissions into Windows NT access control lists.
4004 tt( nt acl support = yes)
4007 tt( nt acl support = no)
4009 label(ntpipesupport)
4010 dit(bf(nt pipe support (G)))
4012 This boolean parameter controls whether url(bf(smbd))(smbd.8.html)
4013 will allow Windows NT clients to connect to the NT SMB specific
4014 tt(IPC$) pipes. This is a developer debugging option and can be left
4018 tt( nt pipe support = yes)
4021 dit(bf(nt smb support (G)))
4023 This boolean parameter controls whether url(bf(smbd))(smbd.8.html)
4024 will negotiate NT specific SMB support with Windows NT
4025 clients. Although this is a developer debugging option and should be
4026 left alone, benchmarking has discovered that Windows NT clients give
4027 faster performance with this option set to tt("no"). This is still
4028 being investigated. If this option is set to tt("no") then Samba
4029 offers exactly the same SMB calls that versions prior to Samba2.0
4030 offered. This information may be of use if any users are having
4031 problems with NT SMB support.
4034 tt( nt support = yes)
4036 label(nullpasswords)
4037 dit(bf(null passwords (G)))
4039 Allow or disallow client access to accounts that have null passwords.
4041 See also url(bf(smbpasswd (5)))(smbpasswd.5.html).
4044 tt( null passwords = no)
4047 tt( null passwords = yes)
4049 label(olelockingcompatibility)
4050 dit(bf(ole locking compatibility (G)))
4052 This parameter allows an administrator to turn off the byte range lock
4053 manipulation that is done within Samba to give compatibility for OLE
4054 applications. Windows OLE applications use byte range locking as a
4055 form of inter-process communication, by locking ranges of bytes around
4056 the 2^32 region of a file range. This can cause certain UNIX lock
4057 managers to crash or otherwise cause problems. Setting this parameter
4058 to tt("no") means you trust your UNIX lock manager to handle such cases
4062 tt( ole locking compatibility = yes)
4065 tt( ole locking compatibility = no)
4068 dit(bf(only guest (S)))
4070 A synonym for link(bf("guest only"))(guestonly).
4073 dit(bf(only user (S)))
4075 This is a boolean option that controls whether connections with
4076 usernames not in the link(bf(user=))(user) list will be allowed. By
4077 default this option is disabled so a client can supply a username to
4078 be used by the server.
4080 Note that this also means Samba won't try to deduce usernames from the
4081 service name. This can be annoying for the link(bf([homes]))(homes)
4082 section. To get around this you could use "link(bf(user))(user) =
4083 link(bf(%S))(percentS)" which means your link(bf("user"))(user) list
4084 will be just the service name, which for home directories is the name
4087 See also the link(bf(user))(user) parameter.
4090 tt( only user = False)
4093 tt( only user = True)
4096 dit(bf(oplocks (S)))
4098 This boolean option tells smbd whether to issue oplocks (opportunistic
4099 locks) to file open requests on this share. The oplock code can
4100 dramatically (approx. 30% or more) improve the speed of access to files
4101 on Samba servers. It allows the clients to aggressively cache files
4102 locally and you may want to disable this option for unreliable network
4103 environments (it is turned on by default in Windows NT Servers). For
4104 more information see the file Speed.txt in the Samba docs/ directory.
4106 Oplocks may be selectively turned off on certain files on a per share basis.
4107 See the 'veto oplock files' parameter. On some systems oplocks are recognized
4108 by the underlying operating system. This allows data synchronization between
4109 all access to oplocked files, whether it be via Samba or NFS or a local
4110 UNIX process. See the link(bf(kernel oplocks))(kerneloplocks) parameter
4113 See also the link(bf("kernel oplocks"))(kerneloplocks) and
4114 link(bf("level2 oplocks"))(level2oplocks) parameters.
4120 tt( oplocks = False)
4122 label(oplockbreakwaittime)
4123 dit(bf(oplock break wait time (G)))
4125 This is a tuning parameter added due to bugs in both Windows 9x and WinNT.
4126 If Samba responds to a client too quickly when that client issues an SMB that
4127 can cause an oplock break request, then the client redirector can fail and
4128 not respond to the break request. This tuning parameter (which is set in
4129 milliseconds) is the amount of time Samba will wait before sending an
4130 oplock break request to such (broken) clients.
4132 em(DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA
4136 tt( oplock break wait time = 10)
4138 label(oplockcontentionlimit)
4139 dit(bf(oplock contention limit (S)))
4141 This is a em(very) advanced url(bf(smbd))(smbd.8.html) tuning option to improve
4142 the efficiency of the granting of oplocks under multiple client contention for the same file.
4144 In brief it specifies a number, which causes smbd not to grant an oplock even
4145 when requested if the approximate number of clients contending for an oplock on
4146 the same file goes over this limit. This causes url(bf(smbd))(smbd.8.html) to
4147 behave in a similar way to Windows NT.
4149 em(DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA
4153 tt( oplock contention limit = 2)
4156 dit(bf(os level (G)))
4158 This integer value controls what level Samba advertises itself as for
4159 browse elections. The value of this parameter determines whether
4160 url(bf(nmbd))(nmbd.8.html) has a chance of becoming a local master
4161 browser for the link(bf(WORKGROUP))(workgroup) in the local broadcast
4162 area. The default is zero, which means url(bf(nmbd))(nmbd.8.html) will
4163 lose elections to Windows machines. See BROWSING.txt in the Samba
4164 docs/ directory for details.
4170 tt( os level = 65 ; This will win against any NT Server)
4173 dit(bf(packet size (G)))
4175 This is a deprecated parameter that how no effect on the current
4176 Samba code. It is left in the parameter list to prevent breaking
4177 old bf(smb.conf) files.
4180 dit(bf(panic action (G)))
4182 This is a Samba developer option that allows a system command to be
4183 called when either url(bf(smbd))(smbd.8.html) or
4184 url(bf(nmbd))(nmbd.8.html) crashes. This is usually used to draw
4185 attention to the fact that a problem occurred.
4188 tt( panic action = <empty string>)
4191 dit(bf(passwd chat (G)))
4193 This string controls the em("chat") conversation that takes places
4194 between url(bf(smbd))(smbd.8.html) and the local password changing
4195 program to change the users password. The string describes a sequence
4196 of response-receive pairs that url(bf(smbd))(smbd.8.html) uses to
4197 determine what to send to the link(bf(passwd))(passwdprogram) program
4198 and what to expect back. If the expected output is not received then
4199 the password is not changed.
4201 This chat sequence is often quite site specific, depending on what
4202 local methods are used for password control (such as NIS etc).
4204 The string can contain the macros tt("%o") and tt("%n") which are
4205 substituted for the old and new passwords respectively. It can also
4206 contain the standard macros tt("\n"), tt("\r"), tt("\t") and tt("\s")
4207 to give line-feed, carriage-return, tab and space.
4209 The string can also contain a tt('*') which matches any sequence of
4212 Double quotes can be used to collect strings with spaces in them into
4215 If the send string in any part of the chat sequence is a fullstop
4216 tt(".") then no string is sent. Similarly, is the expect string is a
4217 fullstop then no string is expected.
4219 Note that if the link(bf("unix password sync"))(unixpasswordsync)
4220 parameter is set to true, then this sequence is called em(*AS ROOT*)
4221 when the SMB password in the smbpasswd file is being changed, without
4222 access to the old password cleartext. In this case the old password
4223 cleartext is set to tt("") (the empty string).
4225 See also link(bf("unix password sync"))(unixpasswordsync),
4226 link(bf("passwd program"))(passwdprogram) and link(bf("passwd chat
4227 debug"))(passwdchatdebug).
4230 verb( passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \
4231 "*Reenter NEW password*" %n\n "*Password changed*"
4235 verb( passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*)
4237 label(passwdchatdebug)
4238 dit(bf(passwd chat debug (G)))
4240 This boolean specifies if the passwd chat script parameter is run in
4241 tt("debug") mode. In this mode the strings passed to and received from
4242 the passwd chat are printed in the url(bf(smbd))(smbd.8.html) log with
4243 a link(bf("debug level"))(debuglevel) of 100. This is a dangerous
4244 option as it will allow plaintext passwords to be seen in the
4245 url(bf(smbd))(smbd.8.html) log. It is available to help Samba admins
4246 debug their link(bf("passwd chat"))(passwdchat) scripts when calling
4247 the link(bf("passwd program"))(passwdprogram) and should be turned off
4248 after this has been done. This parameter is off by default.
4250 See also link(bf("passwd chat"))(passwdchat"), link(bf("passwd
4251 program"))(passwdprogram).
4254 tt( passwd chat debug = True)
4257 tt( passwd chat debug = False)
4259 label(passwdprogram)
4260 dit(bf(passwd program (G)))
4262 The name of a program that can be used to set UNIX user passwords.
4263 Any occurrences of link(bf(%u))(percentu) will be replaced with the
4264 user name. The user name is checked for existence before calling the
4265 password changing program.
4267 Also note that many passwd programs insist in em("reasonable")
4268 passwords, such as a minimum length, or the inclusion of mixed case
4269 chars and digits. This can pose a problem as some clients (such as
4270 Windows for Workgroups) uppercase the password before sending it.
4272 em(Note) that if the link(bf("unix password sync"))(unixpasswordsync)
4273 parameter is set to tt("True") then this program is called em(*AS
4274 ROOT*) before the SMB password in the
4275 url(bf(smbpasswd))(smbpasswd.5.html) file is changed. If this UNIX
4276 password change fails, then url(bf(smbd))(smbd.8.html) will fail to
4277 change the SMB password also (this is by design).
4279 If the link(bf("unix password sync"))(unixpasswordsync) parameter is
4280 set this parameter em(MUST USE ABSOLUTE PATHS) for em(ALL) programs
4281 called, and must be examined for security implications. Note that by
4282 default link(bf("unix password sync"))(unixpasswordsync) is set to
4285 See also link(bf("unix password sync"))(unixpasswordsync).
4288 tt( passwd program = /bin/passwd)
4291 tt( passwd program = /sbin/passwd %u)
4293 label(passwordlevel)
4294 dit(bf(password level (G)))
4296 Some client/server combinations have difficulty with mixed-case
4297 passwords. One offending client is Windows for Workgroups, which for
4298 some reason forces passwords to upper case when using the LANMAN1
4299 protocol, but leaves them alone when using COREPLUS!
4301 This parameter defines the maximum number of characters that may be
4302 upper case in passwords.
4304 For example, say the password given was tt("FRED"). If bf(password
4305 level) is set to 1, the following combinations would be tried if
4308 tt("Fred"), tt("fred"), tt("fRed"), tt("frEd"), tt("freD")
4310 If bf(password level) was set to 2, the following combinations would
4313 tt("FRed"), tt("FrEd"), tt("FreD"), tt("fREd"), tt("fReD"),
4318 The higher value this parameter is set to the more likely it is that a
4319 mixed case password will be matched against a single case
4320 password. However, you should be aware that use of this parameter
4321 reduces security and increases the time taken to process a new
4324 A value of zero will cause only two attempts to be made - the password
4325 as is and the password in all-lower case.
4328 tt( password level = 0)
4331 tt( password level = 4)
4333 label(passwordserver)
4334 dit(bf(password server (G)))
4336 By specifying the name of another SMB server (such as a WinNT box)
4337 with this option, and using link(bf("security = domain"))(security) or
4338 link(bf("security = server"))(security) you can get Samba to do all
4339 its username/password validation via a remote server.
4341 This options sets the name of the password server to use. It must be a
4342 NetBIOS name, so if the machine's NetBIOS name is different from its
4343 internet name then you may have to add its NetBIOS name to the lmhosts
4344 file which is stored in the same directory as the bf(smb.conf) file.
4346 The name of the password server is looked up using the parameter
4347 link(bf("name resolve order="))(nameresolveorder) and so may resolved
4348 by any method and order described in that parameter.
4350 The password server much be a machine capable of using the "LM1.2X002"
4351 or the "LM NT 0.12" protocol, and it must be in user level security
4354 NOTE: Using a password server means your UNIX box (running Samba) is
4355 only as secure as your password server. em(DO NOT CHOOSE A PASSWORD
4356 SERVER THAT YOU DON'T COMPLETELY TRUST).
4358 Never point a Samba server at itself for password serving. This will
4359 cause a loop and could lock up your Samba server!
4361 The name of the password server takes the standard substitutions, but
4362 probably the only useful one is link(bf(%m))(percentm), which means
4363 the Samba server will use the incoming client as the password
4364 server. If you use this then you better trust your clients, and you
4365 better restrict them with hosts allow!
4367 If the link(bf("security"))(security) parameter is set to
4368 bf("domain"), then the list of machines in this option must be a list
4369 of Primary or Backup Domain controllers for the
4370 link(bf(Domain))(workgroup) or the character tt(*), as the Samba server is cryptographicly
4371 in that domain, and will use cryptographicly authenticated RPC calls
4372 to authenticate the user logging on. The advantage of using
4373 link(bf("security=domain"))(securityequaldomain) is that if you list
4374 several hosts in the bf("password server") option then
4375 url(bf(smbd))(smbd.8.html) will try each in turn till it finds one
4376 that responds. This is useful in case your primary server goes down.
4378 If the bf("password server") option is set to the character tt(*),
4379 then Samba will attempt to auto-locate the Primary or Backup Domain controllers
4380 to authenticate against by doing a query for the name tt(WORKGROUP<1C>)
4381 and then contacting each server returned in the list of IP addresses
4382 from the link(bf(name resolution))(nameresolveorder) source.
4384 If the link(bf("security"))(security) parameter is set to
4385 link(bf("server"))(securityequalserver), then there are different
4386 restrictions that link(bf("security=domain"))(securityequaldomain)
4387 doesn't suffer from:
4391 it() You may list several password servers in the bf("password server")
4392 parameter, however if an url(bf(smbd))(smbd.8.html) makes a connection
4393 to a password server, and then the password server fails, no more
4394 users will be able to be authenticated from this
4395 url(bf(smbd))(smbd.8.html). This is a restriction of the SMB/CIFS
4396 protocol when in link(bf("security=server"))(securityequalserver) mode
4397 and cannot be fixed in Samba.
4399 it() If you are using a Windows NT server as your password server then
4400 you will have to ensure that your users are able to login from the
4401 Samba server, as when in
4402 link(bf("security=server"))(securityequalserver) mode the network
4403 logon will appear to come from there rather than from the users
4408 See also the link(bf("security"))(security) parameter.
4411 tt( password server = <empty string>)
4414 tt( password server = NT-PDC, NT-BDC1, NT-BDC2)
4417 tt( password server = *)
4422 This parameter specifies a directory to which the user of the service
4423 is to be given access. In the case of printable services, this is
4424 where print data will spool prior to being submitted to the host for
4427 For a printable service offering guest access, the service should be
4428 readonly and the path should be world-writeable and have the sticky bit
4429 set. This is not mandatory of course, but you probably won't get the
4430 results you expect if you do otherwise.
4432 Any occurrences of link(bf(%u))(percentu) in the path will be replaced
4433 with the UNIX username that the client is using on this
4434 connection. Any occurrences of link(bf(%m))(percentm) will be replaced
4435 by the NetBIOS name of the machine they are connecting from. These
4436 replacements are very useful for setting up pseudo home directories
4439 Note that this path will be based on link(bf("root dir"))(rootdir) if
4446 tt( path = /home/fred)
4449 dit(bf(postexec (S)))
4451 This option specifies a command to be run whenever the service is
4452 disconnected. It takes the usual substitutions. The command may be run
4453 as the root on some systems.
4455 An interesting example may be do unmount server resources:
4457 tt(postexec = /etc/umount /cdrom)
4459 See also link(bf(preexec))(preexec).
4462 tt( none (no command executed))
4465 tt( postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log)
4468 dit(bf(postscript (S)))
4470 This parameter forces a printer to interpret the print files as
4471 postscript. This is done by adding a tt(%!) to the start of print output.
4473 This is most useful when you have lots of PCs that persist in putting
4474 a control-D at the start of print jobs, which then confuses your
4478 tt( postscript = False)
4481 tt( postscript = True)
4484 dit(bf(preexec (S)))
4486 This option specifies a command to be run whenever the service is
4487 connected to. It takes the usual substitutions.
4489 An interesting example is to send the users a welcome message every
4490 time they log in. Maybe a message of the day? Here is an example:
4493 preexec = csh -c 'echo \"Welcome to %S!\" | \
4494 /usr/local/samba/bin/smbclient -M %m -I %I' &
4497 Of course, this could get annoying after a while :-)
4499 See also link(bf(preexec close))(preexecclose) and link(bf(postexec))(postexec).
4502 tt( none (no command executed))
4505 tt( preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log)
4508 dit(bf(preexec close (S)))
4510 This boolean option controls whether a non-zero return code from
4511 link(bf("preexec"))(preexec) should close the service being connected to.
4514 tt( preexec close = no)
4517 tt( preexec close = yes)
4519 label(preferredmaster)
4520 dit(bf(preferred master (G)))
4522 This boolean parameter controls if url(bf(nmbd))(nmbd.8.html) is a
4523 preferred master browser for its workgroup.
4525 If this is set to true, on startup, url(bf(nmbd))(nmbd.8.html) will
4526 force an election, and it will have a slight advantage in winning the
4527 election. It is recommended that this parameter is used in
4528 conjunction with link(bf("domain master = yes"))(domainmaster), so
4529 that url(bf(nmbd))(nmbd.8.html) can guarantee becoming a domain
4532 Use this option with caution, because if there are several hosts
4533 (whether Samba servers, Windows 95 or NT) that are preferred master
4534 browsers on the same subnet, they will each periodically and
4535 continuously attempt to become the local master browser. This will
4536 result in unnecessary broadcast traffic and reduced browsing
4539 See also link(bf(os level))(oslevel).
4542 tt( preferred master = no)
4545 tt( preferred master = yes)
4547 label(preferedmaster)
4548 dit(bf(prefered master (G)))
4550 Synonym for link(bf("preferred master"))(preferredmaster) for people
4551 who cannot spell :-).
4555 Synonym for link(bf("auto services"))(autoservices).
4558 dit(bf(preserve case (S)))
4560 This controls if new filenames are created with the case that the
4561 client passes, or if they are forced to be the tt("default") case.
4564 tt( preserve case = yes)
4566 See the section on link(bf("NAME MANGLING"))(NAMEMANGLING) for a
4570 dit(bf(print command (S)))
4572 After a print job has finished spooling to a service, this command
4573 will be used via a tt(system()) call to process the spool
4574 file. Typically the command specified will submit the spool file to
4575 the host's printing subsystem, but there is no requirement that this
4576 be the case. The server will not remove the spool file, so whatever
4577 command you specify should remove the spool file when it has been
4578 processed, otherwise you will need to manually remove old spool files.
4580 The print command is simply a text string. It will be used verbatim,
4581 with two exceptions: All occurrences of tt("%s") and tt("%f") will be
4582 replaced by the appropriate spool file name, and all occurrences of
4583 tt("%p") will be replaced by the appropriate printer name. The spool
4584 file name is generated automatically by the server, the printer name
4587 The print command em(MUST) contain at least one occurrence of tt("%s")
4588 or tt("%f") - the tt("%p") is optional. At the time a job is
4589 submitted, if no printer name is supplied the tt("%p") will be
4590 silently removed from the printer command.
4592 If specified in the link(bf("[global]"))(global) section, the print
4593 command given will be used for any printable service that does not
4594 have its own print command specified.
4596 If there is neither a specified print command for a printable service
4597 nor a global print command, spool files will be created but not
4598 processed and (most importantly) not removed.
4600 Note that printing may fail on some UNIXs from the tt("nobody")
4601 account. If this happens then create an alternative guest account that
4602 can print and set the link(bf("guest account"))(guestaccount) in the
4603 link(bf("[global]"))(global) section.
4605 You can form quite complex print commands by realizing that they are
4606 just passed to a shell. For example the following will log a print
4607 job, print the file, then remove it. Note that tt(';') is the usual
4608 separator for command in shell scripts.
4610 tt(print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s)
4612 You may have to vary this command considerably depending on how you
4613 normally print files on your system. The default for the parameter
4614 varies depending on the setting of the link(bf("printing="))(printing)
4618 For link(bf("printing="))(printing) BSD, AIX, QNX, LPRNG or PLP :
4619 tt( print command = lpr -r -P%p %s)
4621 For link(bf("printing="))(printing) SYS or HPUX :
4622 tt( print command = lp -c -d%p %s; rm %s)
4624 For link(bf("printing="))(printing) SOFTQ :
4625 tt( print command = lp -d%p -s %s; rm %s)
4628 tt( print command = /usr/local/samba/bin/myprintscript %p %s)
4631 dit(bf(print ok (S)))
4633 Synonym for link(bf(printable))(printable).
4636 dit(bf(printable (S)))
4638 If this parameter is tt("yes"), then clients may open, write to and
4639 submit spool files on the directory specified for the service.
4641 Note that a printable service will ALWAYS allow writing to the service
4642 path (user privileges permitting) via the spooling of print data. The
4643 link(bf("read only"))(readonly) parameter controls only non-printing
4644 access to the resource.
4650 tt( printable = yes)
4653 dit(bf(printcap (G)))
4655 Synonym for link(bf(printcapname))(printcapname).
4658 dit(bf(printcap name (G)))
4660 This parameter may be used to override the compiled-in default
4661 printcap name used by the server (usually /etc/printcap). See the
4662 discussion of the link(bf([printers]))(printers) section above for
4663 reasons why you might want to do this.
4665 On System V systems that use bf(lpstat) to list available printers you
4666 can use tt("printcap name = lpstat") to automatically obtain lists of
4667 available printers. This is the default for systems that define SYSV
4668 at configure time in Samba (this includes most System V based
4669 systems). If bf("printcap name") is set to bf(lpstat) on these systems
4670 then Samba will launch tt("lpstat -v") and attempt to parse the output
4671 to obtain a printer list.
4673 A minimal printcap file would look something like this:
4683 where the tt('|') separates aliases of a printer. The fact that the
4684 second alias has a space in it gives a hint to Samba that it's a
4687 em(NOTE): Under AIX the default printcap name is
4688 tt("/etc/qconfig"). Samba will assume the file is in AIX tt("qconfig")
4689 format if the string tt("/qconfig") appears in the printcap filename.
4692 tt( printcap name = /etc/printcap)
4695 tt( printcap name = /etc/myprintcap)
4698 dit(bf(printer (S)))
4700 This parameter specifies the name of the printer to which print jobs
4701 spooled through a printable service will be sent.
4703 If specified in the link(bf([global]))(global) section, the printer
4704 name given will be used for any printable service that does not have
4705 its own printer name specified.
4708 none (but may be tt("lp") on many systems)
4711 printer name = laserwriter
4713 label(printerdriver)
4714 dit(bf(printer driver (S)))
4716 This option allows you to control the string that clients receive when
4717 they ask the server for the printer driver associated with a
4718 printer. If you are using Windows95 or WindowsNT then you can use this
4719 to automate the setup of printers on your system.
4721 You need to set this parameter to the exact string (case sensitive)
4722 that describes the appropriate printer driver for your system. If you
4723 don't know the exact string to use then you should first try with no
4724 bf("printer driver") option set and the client will give you a list of
4725 printer drivers. The appropriate strings are shown in a scrollbox
4726 after you have chosen the printer manufacturer.
4728 See also link(bf("printer driver file"))(printerdriverfile).
4731 printer driver = HP LaserJet 4L
4733 label(printerdriverfile)
4734 dit(bf(printer driver file (G)))
4736 This parameter tells Samba where the printer driver definition file,
4737 used when serving drivers to Windows 95 clients, is to be found. If
4738 this is not set, the default is :
4740 tt(SAMBA_INSTALL_DIRECTORY/lib/printers.def)
4742 This file is created from Windows 95 tt("msprint.def") files found on
4743 the Windows 95 client system. For more details on setting up serving
4744 of printer drivers to Windows 95 clients, see the documentation file
4745 in the docs/ directory, PRINTER_DRIVER.txt.
4748 tt( None (set in compile).)
4751 tt( printer driver file = /usr/local/samba/printers/drivers.def)
4753 See also link(bf("printer driver location"))(printerdriverlocation).
4755 label(printerdriverlocation)
4756 dit(bf(printer driver location (S)))
4758 This parameter tells clients of a particular printer share where to
4759 find the printer driver files for the automatic installation of
4760 drivers for Windows 95 machines. If Samba is set up to serve printer
4761 drivers to Windows 95 machines, this should be set to
4763 tt(\\MACHINE\PRINTER$)
4765 Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
4766 is a share you set up for serving printer driver files. For more
4767 details on setting this up see the documentation file in the docs/
4768 directory, PRINTER_DRIVER.txt.
4774 tt( printer driver location = \\MACHINE\PRINTER$)
4776 See also link(bf("printer driver file"))(printerdriverfile).
4779 dit(bf(printer name (S)))
4781 Synonym for link(bf(printer))(printer).
4784 dit(bf(printing (S)))
4786 This parameters controls how printer status information is interpreted
4787 on your system, and also affects the default values for the
4788 link(bf("print command"))(printcommand), link(bf("lpq
4789 command"))(lpqcommand) link(bf("lppause command"))(lppausecommand),
4790 link(bf("lpresume command"))(lpresumecommand), and link(bf("lprm
4791 command"))(lprmcommand).
4793 Currently eight printing styles are supported. They are
4794 bf("printing=BSD"), bf("printing=AIX"), bf("printing=LPRNG"),
4796 bf("printing=SYSV"),bf("printing="HPUX"),bf("printing=QNX") and
4797 bf("printing=SOFTQ").
4799 To see what the defaults are for the other print commands when using
4800 these three options use the url(bf("testparm"))(testparm.1.html) program.
4802 This option can be set on a per printer basis
4804 See also the discussion in the link(bf([printers]))(printers) section.
4807 dit(bf(protocol (G)))
4809 The value of the parameter (a string) is the highest protocol level
4810 that will be supported by the server.
4812 Possible values are :
4816 it() CORE: Earliest version. No concept of user names.
4818 it() COREPLUS: Slight improvements on CORE for efficiency.
4820 it() LANMAN1: First em("modern") version of the protocol. Long
4823 it() LANMAN2: Updates to Lanman1 protocol.
4825 it() NT1: Current up to date version of the protocol. Used by Windows
4830 Normally this option should not be set as the automatic negotiation
4831 phase in the SMB protocol takes care of choosing the appropriate
4838 tt( protocol = LANMAN1)
4843 Synonym for link(bf("guest ok"))(guestok).
4845 label(queuepausecommand)
4846 dit(bf(queuepause command (S)))
4848 This parameter specifies the command to be executed on the server host
4849 in order to pause the printerqueue.
4851 This command should be a program or script which takes a printer name
4852 as its only parameter and stops the printerqueue, such that no longer
4853 jobs are submitted to the printer.
4855 This command is not supported by Windows for Workgroups, but can be
4856 issued from the Printer's window under Windows 95 & NT.
4858 If a tt("%p") is given then the printername is put in its
4859 place. Otherwise it is placed at the end of the command.
4861 Note that it is good practice to include the absolute path in the
4862 command as the PATH may not be available to the server.
4865 tt( depends on the setting of "printing =")
4868 tt( queuepause command = disable %p)
4870 label(queueresumecommand)
4871 dit(bf(queueresume command (S)))
4873 This parameter specifies the command to be executed on the server host
4874 in order to resume the printerqueue. It is the command to undo the
4875 behavior that is caused by the previous parameter
4876 (link(bf("queuepause command))(queuepausecommand)).
4878 This command should be a program or script which takes a printer name
4879 as its only parameter and resumes the printerqueue, such that queued
4880 jobs are resubmitted to the printer.
4882 This command is not supported by Windows for Workgroups, but can be
4883 issued from the Printer's window under Windows 95 & NT.
4885 If a tt("%p") is given then the printername is put in its
4886 place. Otherwise it is placed at the end of the command.
4888 Note that it is good practice to include the absolute path in the
4889 command as the PATH may not be available to the server.
4892 tt( depends on the setting of "printing =")
4895 tt( queuepause command = enable %p)
4898 dit(bf(read bmpx (G)))
4900 This boolean parameter controls whether url(bf(smbd))(smbd.8.html)
4901 will support the "Read Block Multiplex" SMB. This is now rarely used
4902 and defaults to off. You should never need to set this parameter.
4908 dit(bf(read list (S)))
4910 This is a list of users that are given read-only access to a
4911 service. If the connecting user is in this list then they will not be
4912 given write access, no matter what the link(bf("read only"))(readonly)
4913 option is set to. The list can include group names using the syntax
4914 described in the link(bf("invalid users"))(invalidusers) parameter.
4916 See also the link(bf("write list"))(writelist) parameter and
4917 the link(bf("invalid users"))(invalidusers) parameter.
4920 tt( read list = <empty string>)
4923 tt( read list = mary, @students)
4926 dit(bf(read only (S)))
4928 Note that this is an inverted synonym for
4929 link(bf("writeable"))(writeable) and link(bf("write ok"))(writeok).
4931 See also link(bf("writeable"))(writeable) and link(bf("write
4934 label(readprediction)
4935 dit(bf(read prediction (G)))
4937 em(NOTE): This code is currently disabled in Samba2.0 and
4938 may be removed at a later date. Hence this parameter has
4941 This options enables or disables the read prediction code used to
4942 speed up reads from the server. When enabled the server will try to
4943 pre-read data from the last accessed file that was opened read-only
4944 while waiting for packets.
4947 tt( read prediction = False)
4950 dit(bf(read raw (G)))
4952 This parameter controls whether or not the server will support the raw
4953 read SMB requests when transferring data to clients.
4955 If enabled, raw reads allow reads of 65535 bytes in one packet. This
4956 typically provides a major performance benefit.
4958 However, some clients either negotiate the allowable block size
4959 incorrectly or are incapable of supporting larger block sizes, and for
4960 these clients you may need to disable raw reads.
4962 In general this parameter should be viewed as a system tuning tool and left
4963 severely alone. See also link(bf("write raw"))(writeraw).
4969 dit(bf(read size (G)))
4971 The option bf("read size") affects the overlap of disk reads/writes
4972 with network reads/writes. If the amount of data being transferred in
4973 several of the SMB commands (currently SMBwrite, SMBwriteX and
4974 SMBreadbraw) is larger than this value then the server begins writing
4975 the data before it has received the whole packet from the network, or
4976 in the case of SMBreadbraw, it begins writing to the network before
4977 all the data has been read from disk.
4979 This overlapping works best when the speeds of disk and network access
4980 are similar, having very little effect when the speed of one is much
4981 greater than the other.
4983 The default value is 16384, but very little experimentation has been
4984 done yet to determine the optimal value, and it is likely that the
4985 best value will vary greatly between systems anyway. A value over
4986 65536 is pointless and will cause you to allocate memory
4990 tt( read size = 16384)
4993 tt( read size = 8192)
4995 label(remoteannounce)
4996 dit(bf(remote announce (G)))
4998 This option allows you to setup url(bf(nmbd))(nmbd.8.html) to
4999 periodically announce itself to arbitrary IP addresses with an
5000 arbitrary workgroup name.
5002 This is useful if you want your Samba server to appear in a remote
5003 workgroup for which the normal browse propagation rules don't
5004 work. The remote workgroup can be anywhere that you can send IP
5009 tt( remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF)
5011 the above line would cause nmbd to announce itself to the two given IP
5012 addresses using the given workgroup names. If you leave out the
5013 workgroup name then the one given in the
5014 link(bf("workgroup"))(workgroup) parameter is used instead.
5016 The IP addresses you choose would normally be the broadcast addresses
5017 of the remote networks, but can also be the IP addresses of known
5018 browse masters if your network config is that stable.
5020 See the documentation file BROWSING.txt in the docs/ directory.
5023 tt( remote announce = <empty string>)
5026 tt( remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF)
5028 label(remotebrowsesync)
5029 dit(bf(remote browse sync (G)))
5031 This option allows you to setup url(bf(nmbd))(nmbd.8.html) to
5032 periodically request synchronization of browse lists with the master
5033 browser of a samba server that is on a remote segment. This option
5034 will allow you to gain browse lists for multiple workgroups across
5035 routed networks. This is done in a manner that does not work with any
5038 This is useful if you want your Samba server and all local clients to
5039 appear in a remote workgroup for which the normal browse propagation
5040 rules don't work. The remote workgroup can be anywhere that you can
5045 tt( remote browse sync = 192.168.2.255 192.168.4.255)
5047 the above line would cause url(bf(nmbd))(nmbd.8.html) to request the
5048 master browser on the specified subnets or addresses to synchronize
5049 their browse lists with the local server.
5051 The IP addresses you choose would normally be the broadcast addresses
5052 of the remote networks, but can also be the IP addresses of known
5053 browse masters if your network config is that stable. If a machine IP
5054 address is given Samba makes NO attempt to validate that the remote
5055 machine is available, is listening, nor that it is in fact the browse
5056 master on it's segment.
5059 tt( remote browse sync = <empty string>)
5062 tt( remote browse sync = 192.168.2.255 192.168.4.255)
5065 label(restrict anonymous)
5066 dit(bf(restrict anonymous (G)))
5068 This is a boolean parameter. If it is true, then anonymous access
5069 to the server will be restricted, namely in the case where the server
5070 is expecting the client to send a username, but it doesn't. Setting
5071 it to true will force these anonymous connections to be denied, and
5072 the client will be required to always supply a username and password
5073 when connecting. Use of this parameter is only recommened for homogenous
5074 NT client environments.
5076 This parameter makes the use of macro expansions that rely
5077 on the username (%U, %G, etc) consistant. NT 4.0 likes to use
5078 anonymous connections when refreshing the share list, and this
5079 is a way to work around that.
5081 When restrict anonymous is true, all anonymous connections are denied
5082 no matter what they are for. This can effect the ability of a machine
5083 to access the samba Primary Domain Controller to revalidate it's machine
5084 account after someone else has logged on the client interactively. The
5085 NT client will display a message saying that the machine's account in
5086 the domain doesn't exist or the password is bad. The best way to deal
5087 with this is to reboot NT client machines between interactive logons,
5088 using "Shutdown and Restart", rather than "Close all programs and logon
5089 as a different user".
5092 tt( restrict anonymous = false)
5095 tt( restrict anonymous = true)
5098 dit(bf(revalidate (S)))
5100 Note that this option only works with
5101 link(bf("security=share"))(securityequalshare) and will be ignored if
5102 this is not the case.
5104 This option controls whether Samba will allow a previously validated
5105 username/password pair to be used to attach to a share. Thus if you
5106 connect to tt(\\server\share1) then to tt(\\server\share2) it won't
5107 automatically allow the client to request connection to the second
5108 share as the same username as the first without a password.
5110 If bf("revalidate") is tt("True") then the client will be denied
5111 automatic access as the same username.
5114 tt( revalidate = False)
5117 tt( revalidate = True)
5122 Synonym for link(bf("root directory"))(rootdirectory).
5125 dit(bf(root dir (G)))
5127 Synonym for link(bf("root directory"))(rootdirectory).
5129 label(rootdirectory)
5130 dit(bf(root directory (G)))
5132 The server will tt("chroot()") (i.e. Change it's root directory) to
5133 this directory on startup. This is not strictly necessary for secure
5134 operation. Even without it the server will deny access to files not in
5135 one of the service entries. It may also check for, and deny access to,
5136 soft links to other parts of the filesystem, or attempts to use
5137 tt("..") in file names to access other directories (depending on the
5138 setting of the link(bf("wide links"))(widelinks) parameter).
5140 Adding a bf("root directory") entry other than tt("/") adds an extra
5141 level of security, but at a price. It absolutely ensures that no
5142 access is given to files not in the sub-tree specified in the bf("root
5143 directory") option, em(*including*) some files needed for complete
5144 operation of the server. To maintain full operability of the server
5145 you will need to mirror some system files into the bf("root
5146 directory") tree. In particular you will need to mirror /etc/passwd
5147 (or a subset of it), and any binaries or configuration files needed
5148 for printing (if required). The set of files that must be mirrored is
5149 operating system dependent.
5152 tt( root directory = /)
5155 tt( root directory = /homes/smb)
5158 dit(bf(root postexec (S)))
5160 This is the same as the link(bf("postexec"))(postexec) parameter
5161 except that the command is run as root. This is useful for unmounting
5162 filesystems (such as cdroms) after a connection is closed.
5164 See also link(bf("postexec"))(postexec).
5167 dit(bf(root preexec (S)))
5169 This is the same as the link(bf("preexec"))(preexec) parameter except
5170 that the command is run as root. This is useful for mounting
5171 filesystems (such as cdroms) before a connection is finalized.
5173 See also link(bf("preexec"))(preexec)
5174 and link(bf("root preexec close"))(rootpreexecclose).
5176 label(rootpreexecclose)
5177 dit(bf(root preexec close (S)))
5179 This is the same as the link(bf("preexec close"))(preexecclose) parameter
5180 except that the command is run as root.
5182 See also link(bf("preexec"))(preexec), link(bf("preexec close"))(preexecclose).
5185 dit(bf(security (G)))
5187 This option affects how clients respond to Samba and is one of the most
5188 important settings in the bf(smb.conf) file.
5190 The option sets the tt("security mode bit") in replies to protocol
5191 negotiations with url(bf(smbd))(smbd.8.html) to turn share level
5192 security on or off. Clients decide based on this bit whether (and how)
5193 to transfer user and password information to the server.
5195 The default is link("security=user")(securityequaluser), as this is
5196 the most common setting needed when talking to Windows 98 and Windows
5199 The alternatives are link(bf("security = share"))(securityequalshare),
5200 link(bf("security = server"))(securityequalserver) or
5201 link(bf("security=domain"))(securityequaldomain).
5203 em(*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR
5204 PREVIOUS VERSIONS OF SAMBA *******).
5206 In previous versions of Samba the default was
5207 link(bf("security=share"))(securityequalshare) mainly because that was
5208 the only option at one stage.
5210 There is a bug in WfWg that has relevance to this setting. When in
5211 user or server level security a WfWg client will totally ignore the
5212 password you type in the "connect drive" dialog box. This makes it
5213 very difficult (if not impossible) to connect to a Samba service as
5214 anyone except the user that you are logged into WfWg as.
5216 If your PCs use usernames that are the same as their usernames on the
5217 UNIX machine then you will want to use bf("security = user"). If you
5218 mostly use usernames that don't exist on the UNIX box then use
5219 bf("security = share").
5221 You should also use link(bf(security=share))(securityequalshare) if
5222 you want to mainly setup shares without a password (guest
5223 shares). This is commonly used for a shared printer server. It is more
5224 difficult to setup guest shares with
5225 link(bf(security=user))(securityequaluser), see the link(bf("map to
5226 guest"))(maptoguest)parameter for details.
5228 It is possible to use url(bf(smbd))(smbd.8.html) in a em("hybrid
5229 mode") where it is offers both user and share level security under
5230 different link(bf(NetBIOS aliases))(netbiosaliases). See the
5231 link(bf(NetBIOS aliases))(netbiosaliases) and the
5232 link(bf(include))(include) parameters for more information.
5234 The different settings will now be explained.
5238 label(securityequalshare)
5239 dit(bf("security=share")) When clients connect to a share level
5240 security server then need not log onto the server with a valid
5241 username and password before attempting to connect to a shared
5242 resource (although modern clients such as Windows 95/98 and Windows NT
5243 will send a logon request with a username but no password when talking
5244 to a bf(security=share) server). Instead, the clients send
5245 authentication information (passwords) on a per-share basis, at the
5246 time they attempt to connect to that share.
5248 Note that url(bf(smbd))(smbd.8.html) em(*ALWAYS*) uses a valid UNIX
5249 user to act on behalf of the client, even in bf("security=share")
5252 As clients are not required to send a username to the server
5253 in share level security, url(bf(smbd))(smbd.8.html) uses several
5254 techniques to determine the correct UNIX user to use on behalf
5257 A list of possible UNIX usernames to match with the given
5258 client password is constructed using the following methods :
5262 it() If the link(bf("guest only"))(guestonly) parameter is set, then
5263 all the other stages are missed and only the link(bf("guest
5264 account"))(guestaccount) username is checked.
5266 it() Is a username is sent with the share connection request, then
5267 this username (after mapping - see link(bf("username
5268 map"))(usernamemap)), is added as a potential username.
5270 it() If the client did a previous em("logon") request (the
5271 SessionSetup SMB call) then the username sent in this SMB
5272 will be added as a potential username.
5274 it() The name of the service the client requested is added
5275 as a potential username.
5277 it() The NetBIOS name of the client is added to the list as a
5280 it() Any users on the link(bf("user"))(user) list are added
5281 as potential usernames.
5285 If the link(bf("guest only"))(guestonly) parameter is not set, then
5286 this list is then tried with the supplied password. The first user for
5287 whom the password matches will be used as the UNIX user.
5289 If the link(bf("guest only"))(guestonly) parameter is set, or no
5290 username can be determined then if the share is marked as available to
5291 the link(bf("guest account"))(guestaccount), then this guest user will
5292 be used, otherwise access is denied.
5294 Note that it can be em(*very*) confusing in share-level security as to
5295 which UNIX username will eventually be used in granting access.
5297 See also the section link(bf("NOTE ABOUT USERNAME/PASSWORD
5298 VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION).
5300 label(securityequaluser)
5301 dit(bf("security=user"))
5303 This is the default security setting in Samba2.0. With user-level
5304 security a client must first tt("log-on") with a valid username and
5305 password (which can be mapped using the link(bf("username
5306 map"))(usernamemap) parameter). Encrypted passwords (see the
5307 link(bf("encrypted passwords"))(encryptpasswords) parameter) can also
5308 be used in this security mode. Parameters such as
5309 link(bf("user"))(user) and link(bf("guest only"))(guestonly), if set
5310 are then applied and may change the UNIX user to use on this
5311 connection, but only after the user has been successfully
5314 em(Note) that the name of the resource being requested is
5315 em(*not*) sent to the server until after the server has successfully
5316 authenticated the client. This is why guest shares don't work in user
5317 level security without allowing the server to automatically map unknown
5318 users into the link(bf("guest account"))(guestaccount). See the
5319 link(bf("map to guest"))(maptoguest) parameter for details on
5322 See also the section link(bf("NOTE ABOUT USERNAME/PASSWORD
5323 VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION).
5325 label(securityequalserver)
5326 dit(bf("security=server"))
5328 In this mode Samba will try to validate the username/password by
5329 passing it to another SMB server, such as an NT box. If this fails it
5330 will revert to bf("security = user"), but note that if encrypted
5331 passwords have been negotiated then Samba cannot revert back to
5332 checking the UNIX password file, it must have a valid smbpasswd file
5333 to check users against. See the documentation file in the docs/
5334 directory ENCRYPTION.txt for details on how to set this up.
5336 em(Note) that from the clients point of view bf("security=server") is
5337 the same as link(bf("security=user"))(securityequaluser). It only
5338 affects how the server deals with the authentication, it does not in
5339 any way affect what the client sees.
5341 em(Note) that the name of the resource being requested is
5342 em(*not*) sent to the server until after the server has successfully
5343 authenticated the client. This is why guest shares don't work in server
5344 level security without allowing the server to automatically map unknown
5345 users into the link(bf("guest account"))(guestaccount). See the
5346 link(bf("map to guest"))(maptoguest) parameter for details on
5349 See also the section link(bf("NOTE ABOUT USERNAME/PASSWORD
5350 VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION).
5352 See also the link(bf("password server"))(passwordserver) parameter.
5353 and the link(bf("encrypted passwords"))(encryptpasswords) parameter.
5355 label(securityequaldomain)
5356 dit(bf("security=domain"))
5358 This mode will only work correctly if
5359 url(bf(smbpasswd))(smbpasswd.8.html) has been used to add this machine
5360 into a Windows NT Domain. It expects the link(bf("encrypted
5361 passwords"))(encryptpasswords) parameter to be set to tt("true"). In
5362 this mode Samba will try to validate the username/password by passing
5363 it to a Windows NT Primary or Backup Domain Controller, in exactly the
5364 same way that a Windows NT Server would do.
5366 em(Note) that a valid UNIX user must still exist as well as the
5367 account on the Domain Controller to allow Samba to have a valid
5368 UNIX account to map file access to.
5370 em(Note) that from the clients point of view bf("security=domain") is
5371 the same as link(bf("security=user"))(securityequaluser). It only
5372 affects how the server deals with the authentication, it does not in
5373 any way affect what the client sees.
5375 em(Note) that the name of the resource being requested is
5376 em(*not*) sent to the server until after the server has successfully
5377 authenticated the client. This is why guest shares don't work in domain
5378 level security without allowing the server to automatically map unknown
5379 users into the link(bf("guest account"))(guestaccount). See the
5380 link(bf("map to guest"))(maptoguest) parameter for details on
5383 em(BUG:) There is currently a bug in the implementation of
5384 bf("security=domain) with respect to multi-byte character
5385 set usernames. The communication with a Domain Controller
5386 must be done in UNICODE and Samba currently does not widen
5387 multi-byte user names to UNICODE correctly, thus a multi-byte
5388 username will not be recognized correctly at the Domain Controller.
5389 This issue will be addressed in a future release.
5391 See also the section link(bf("NOTE ABOUT USERNAME/PASSWORD
5392 VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION).
5394 See also the link(bf("password server"))(passwordserver) parameter.
5395 and the link(bf("encrypted passwords"))(encryptpasswords) parameter.
5400 tt( security = USER)
5403 tt( security = DOMAIN)
5406 dit(bf(security mask (S)))
5408 This parameter controls what UNIX permission bits can be modified
5409 when a Windows NT client is manipulating the UNIX permission on a
5410 file using the native NT security dialog box.
5412 This parameter is applied as a mask (AND'ed with) to the changed
5413 permission bits, thus preventing any bits not in this mask from
5414 being modified. Essentially, zero bits in this mask may be treated
5415 as a set of bits the user is not allowed to change.
5417 If not set explicitly this parameter is set to the same value as the
5418 link(bf(create mask))(createmask) parameter. To allow a user to
5419 modify all the user/group/world permissions on a file, set this
5422 em(Note) that users who can access the Samba server through other
5423 means can easily bypass this restriction, so it is primarily
5424 useful for standalone "appliance" systems. Administrators of
5425 most normal systems will probably want to set it to 0777.
5427 See also the link(bf(force directory security
5428 mode))(forcedirectorysecuritymode), link(bf(directory security
5429 mask))(directorysecuritymask), link(bf(force security
5430 mode))(forcesecuritymode) parameters.
5433 tt( security mask = <same as create mask>)
5436 tt( security mask = 0777)
5440 dit(bf(server string (G)))
5442 This controls what string will show up in the printer comment box in
5443 print manager and next to the IPC connection in tt("net view"). It can be
5444 any string that you wish to show to your users.
5446 It also sets what will appear in browse lists next to the machine
5449 A tt("%v") will be replaced with the Samba version number.
5451 A tt("%h") will be replaced with the hostname.
5454 tt( server string = Samba %v)
5457 tt( server string = University of GNUs Samba Server)
5460 dit(bf(set directory (S)))
5462 If tt("set directory = no"), then users of the service may not use the
5463 setdir command to change directory.
5465 The setdir command is only implemented in the Digital Pathworks
5466 client. See the Pathworks documentation for details.
5469 tt( set directory = no)
5472 tt( set directory = yes)
5475 dit(bf(share modes (S)))
5477 This enables or disables the honoring of the tt("share modes") during a
5478 file open. These modes are used by clients to gain exclusive read or
5479 write access to a file.
5481 These open modes are not directly supported by UNIX, so they are
5482 simulated using shared memory, or lock files if your UNIX doesn't
5483 support shared memory (almost all do).
5485 The share modes that are enabled by this option are DENY_DOS,
5486 DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.
5488 This option gives full share compatibility and enabled by default.
5490 You should em(*NEVER*) turn this parameter off as many Windows
5491 applications will break if you do so.
5494 tt( share modes = yes)
5496 label(sharedmemsize)
5497 dit(bf(shared mem size (G)))
5499 It specifies the size of the shared memory (in bytes) to use between
5500 url(bf(smbd))(smbd.8.html) processes. This parameter defaults to one
5501 megabyte of shared memory. It is possible that if you have a large
5502 server with many files open simultaneously that you may need to
5503 increase this parameter. Signs that this parameter is set too low are
5504 users reporting strange problems trying to save files (locking errors)
5505 and error messages in the smbd log looking like tt("ERROR
5506 smb_shm_alloc : alloc of XX bytes failed").
5508 If your OS refuses the size that Samba asks for then Samba will try a
5509 smaller size, reducing by a factor of 0.8 until the OS accepts it.
5512 tt( shared mem size = 1048576)
5515 tt( shared mem size = 5242880 ; Set to 5mb for a large number of files.)
5517 label(shortpreservecase)
5518 dit(bf(short preserve case (S)))
5520 This boolean parameter controls if new files which conform to 8.3
5521 syntax, that is all in upper case and of suitable length, are created
5522 upper case, or if they are forced to be the tt("default") case. This
5523 option can be use with link(bf("preserve case
5524 =yes"))(preservecaseoption) to permit long filenames to retain their
5525 case, while short names are lowered. Default em(Yes).
5527 See the section on link(bf(NAME MANGLING))(NAMEMANGLING).
5530 tt( short preserve case = yes)
5532 label(smbpasswdfile)
5533 dit(bf(smb passwd file (G)))
5535 This option sets the path to the encrypted smbpasswd file. By default
5536 the path to the smbpasswd file is compiled into Samba.
5539 tt( smb passwd file= <compiled default>)
5542 tt( smb passwd file = /usr/samba/private/smbpasswd)
5547 This sets the full path to the bf(smbrun) binary. This defaults to the
5548 value in the Makefile.
5550 You must get this path right for many services to work correctly.
5552 You should not need to change this parameter so long as Samba
5553 is installed correctly.
5556 tt( smbrun=<compiled default>)
5559 tt( smbrun = /usr/local/samba/bin/smbrun)
5561 label(socketaddress)
5562 dit(bf(socket address (G)))
5564 This option allows you to control what address Samba will listen for
5565 connections on. This is used to support multiple virtual interfaces on
5566 the one server, each with a different configuration.
5568 By default samba will accept connections on any address.
5571 tt( socket address = 192.168.2.20)
5573 label(socketoptions)
5574 dit(bf(socket options (G)))
5576 This option allows you to set socket options to be used when talking
5579 Socket options are controls on the networking layer of the operating
5580 systems which allow the connection to be tuned.
5582 This option will typically be used to tune your Samba server for
5583 optimal performance for your local network. There is no way that Samba
5584 can know what the optimal parameters are for your net, so you must
5585 experiment and choose them yourself. We strongly suggest you read the
5586 appropriate documentation for your operating system first (perhaps
5587 bf("man setsockopt") will help).
5589 You may find that on some systems Samba will say "Unknown socket
5590 option" when you supply an option. This means you either incorrectly
5591 typed it or you need to add an include file to includes.h for your OS.
5592 If the latter is the case please send the patch to
5593 email(samba-bugs@samba.org).
5595 Any of the supported socket options may be combined in any way you
5596 like, as long as your OS allows it.
5598 This is the list of socket options currently settable using this
5613 it() IPTOS_THROUGHPUT
5625 Those marked with a tt(*) take an integer argument. The others can
5626 optionally take a 1 or 0 argument to enable or disable the option, by
5627 default they will be enabled if you don't specify 1 or 0.
5629 To specify an argument use the syntax SOME_OPTION=VALUE for example
5630 tt(SO_SNDBUF=8192). Note that you must not have any spaces before or after
5633 If you are on a local network then a sensible option might be
5635 tt(socket options = IPTOS_LOWDELAY)
5637 If you have a local network then you could try:
5639 tt(socket options = IPTOS_LOWDELAY TCP_NODELAY)
5641 If you are on a wide area network then perhaps try setting
5644 Note that several of the options may cause your Samba server to fail
5645 completely. Use these options with caution!
5648 tt( socket options = TCP_NODELAY)
5651 tt( socket options = IPTOS_LOWDELAY)
5656 This variable is part of SSL-enabled Samba. This is only available if
5657 the SSL libraries have been compiled on your system and the configure
5658 option tt("--with-ssl") was given at configure time.
5660 em(Note) that for export control reasons this code is em(**NOT**)
5661 enabled by default in any current binary version of Samba.
5663 This variable enables or disables the entire SSL mode. If it is set to
5664 "no", the SSL enabled samba behaves exactly like the non-SSL samba. If
5665 set to "yes", it depends on the variables link(bf("ssl
5666 hosts"))(sslhosts) and link(bf("ssl hosts resign"))(sslhostsresign)
5667 whether an SSL connection will be required.
5675 dit(bf(ssl CA certDir (G)))
5677 This variable is part of SSL-enabled Samba. This is only available if
5678 the SSL libraries have been compiled on your system and the configure
5679 option tt("--with-ssl") was given at configure time.
5681 em(Note) that for export control reasons this code is em(**NOT**)
5682 enabled by default in any current binary version of Samba.
5684 This variable defines where to look up the Certification
5685 Authorities. The given directory should contain one file for each CA
5686 that samba will trust. The file name must be the hash value over the
5687 "Distinguished Name" of the CA. How this directory is set up is
5688 explained later in this document. All files within the directory that
5689 don't fit into this naming scheme are ignored. You don't need this
5690 variable if you don't verify client certificates.
5693 tt( ssl CA certDir = /usr/local/ssl/certs)
5695 label(sslCAcertFile)
5696 dit(bf(ssl CA certFile (G)))
5698 This variable is part of SSL-enabled Samba. This is only available if
5699 the SSL libraries have been compiled on your system and the configure
5700 option tt("--with-ssl") was given at configure time.
5702 em(Note) that for export control reasons this code is em(**NOT**)
5703 enabled by default in any current binary version of Samba.
5705 This variable is a second way to define the trusted CAs. The
5706 certificates of the trusted CAs are collected in one big file and this
5707 variable points to the file. You will probably only use one of the two
5708 ways to define your CAs. The first choice is preferable if you have
5709 many CAs or want to be flexible, the second is preferable if you only
5710 have one CA and want to keep things simple (you won't need to create
5711 the hashed file names). You don't need this variable if you don't
5712 verify client certificates.
5715 tt( ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem)
5718 dit(bf(ssl ciphers (G)))
5720 This variable is part of SSL-enabled Samba. This is only available if
5721 the SSL libraries have been compiled on your system and the configure
5722 option tt("--with-ssl") was given at configure time.
5724 em(Note) that for export control reasons this code is em(**NOT**)
5725 enabled by default in any current binary version of Samba.
5727 This variable defines the ciphers that should be offered during SSL
5728 negotiation. You should not set this variable unless you know what you
5731 label(sslclientcert)
5732 dit(bf(ssl client cert (G)))
5734 This variable is part of SSL-enabled Samba. This is only available if
5735 the SSL libraries have been compiled on your system and the configure
5736 option tt("--with-ssl") was given at configure time.
5738 em(Note) that for export control reasons this code is em(**NOT**)
5739 enabled by default in any current binary version of Samba.
5741 The certificate in this file is used by
5742 url(bf(smbclient))(smbclient.1.html) if it exists. It's needed if the
5743 server requires a client certificate.
5746 tt( ssl client cert = /usr/local/ssl/certs/smbclient.pem)
5749 dit(bf(ssl client key (G)))
5751 This variable is part of SSL-enabled Samba. This is only available if
5752 the SSL libraries have been compiled on your system and the configure
5753 option tt("--with-ssl") was given at configure time.
5755 em(Note) that for export control reasons this code is em(**NOT**)
5756 enabled by default in any current binary version of Samba.
5758 This is the private key for url(bf(smbclient))(smbclient.1.html). It's
5759 only needed if the client should have a certificate.
5762 tt( ssl client key = /usr/local/ssl/private/smbclient.pem)
5764 label(sslcompatibility)
5765 dit(bf(ssl compatibility (G)))
5767 This variable is part of SSL-enabled Samba. This is only available if
5768 the SSL libraries have been compiled on your system and the configure
5769 option tt("--with-ssl") was given at configure time.
5771 em(Note) that for export control reasons this code is em(**NOT**)
5772 enabled by default in any current binary version of Samba.
5774 This variable defines whether SSLeay should be configured for bug
5775 compatibility with other SSL implementations. This is probably not
5776 desirable because currently no clients with SSL implementations other
5780 tt( ssl compatibility = no)
5783 dit(bf(ssl hosts (G)))
5785 See link(bf("ssl hosts resign"))(sslhostsresign).
5787 label(sslhostsresign)
5788 dit(bf(ssl hosts resign (G)))
5790 This variable is part of SSL-enabled Samba. This is only available if
5791 the SSL libraries have been compiled on your system and the configure
5792 option tt("--with-ssl") was given at configure time.
5794 em(Note) that for export control reasons this code is em(**NOT**)
5795 enabled by default in any current binary version of Samba.
5797 These two variables define whether samba will go into SSL mode or
5798 not. If none of them is defined, samba will allow only SSL
5799 connections. If the link(bf("ssl hosts"))(sslhosts) variable lists
5800 hosts (by IP-address, IP-address range, net group or name), only these
5801 hosts will be forced into SSL mode. If the bf("ssl hosts resign")
5802 variable lists hosts, only these hosts will NOT be forced into SSL
5803 mode. The syntax for these two variables is the same as for the
5804 link(bf("hosts allow"))(hostsallow) and link(bf("hosts
5805 deny"))(hostsdeny) pair of variables, only that the subject of the
5806 decision is different: It's not the access right but whether SSL is
5807 used or not. See the link(bf("allow hosts"))(allowhosts) parameter for
5808 details. The example below requires SSL connections from all hosts
5809 outside the local net (which is 192.168.*.*).
5812 tt( ssl hosts = <empty string>)
5813 tt( ssl hosts resign = <empty string>)
5816 tt( ssl hosts resign = 192.168.)
5818 label(sslrequireclientcert)
5819 dit(bf(ssl require clientcert (G)))
5821 This variable is part of SSL-enabled Samba. This is only available if
5822 the SSL libraries have been compiled on your system and the configure
5823 option tt("--with-ssl") was given at configure time.
5825 em(Note) that for export control reasons this code is em(**NOT**)
5826 enabled by default in any current binary version of Samba.
5828 If this variable is set to tt("yes"), the server will not tolerate
5829 connections from clients that don't have a valid certificate. The
5830 directory/file given in link(bf("ssl CA certDir"))(sslCAcertDir) and
5831 link(bf("ssl CA certFile"))(sslCAcertFile) will be used to look up the
5832 CAs that issued the client's certificate. If the certificate can't be
5833 verified positively, the connection will be terminated. If this
5834 variable is set to tt("no"), clients don't need certificates. Contrary
5835 to web applications you really em(*should*) require client
5836 certificates. In the web environment the client's data is sensitive
5837 (credit card numbers) and the server must prove to be trustworthy. In
5838 a file server environment the server's data will be sensitive and the
5839 clients must prove to be trustworthy.
5842 tt( ssl require clientcert = no)
5844 label(sslrequireservercert)
5845 dit(bf(ssl require servercert (G)))
5847 This variable is part of SSL-enabled Samba. This is only available if
5848 the SSL libraries have been compiled on your system and the configure
5849 option tt("--with-ssl") was given at configure time.
5851 em(Note) that for export control reasons this code is em(**NOT**)
5852 enabled by default in any current binary version of Samba.
5854 If this variable is set to tt("yes"), the
5855 url(bf(smbclient))(smbclient.1.html) will request a certificate from
5856 the server. Same as link(bf("ssl require
5857 clientcert"))(sslrequireclientcert) for the server.
5860 tt( ssl require servercert = no)
5862 label(sslservercert)
5863 dit(bf(ssl server cert (G)))
5865 This variable is part of SSL-enabled Samba. This is only available if
5866 the SSL libraries have been compiled on your system and the configure
5867 option tt("--with-ssl") was given at configure time.
5869 em(Note) that for export control reasons this code is em(**NOT**)
5870 enabled by default in any current binary version of Samba.
5872 This is the file containing the server's certificate. The server _must_
5873 have a certificate. The file may also contain the server's private key.
5874 See later for how certificates and private keys are created.
5877 tt( ssl server cert = <empty string>)
5880 dit(bf(ssl server key (G)))
5882 This variable is part of SSL-enabled Samba. This is only available if
5883 the SSL libraries have been compiled on your system and the configure
5884 option tt("--with-ssl") was given at configure time.
5886 em(Note) that for export control reasons this code is em(**NOT**)
5887 enabled by default in any current binary version of Samba.
5889 This file contains the private key of the server. If this variable is
5890 not defined, the key is looked up in the certificate file (it may be
5891 appended to the certificate). The server em(*must*) have a private key
5892 and the certificate em(*must*) match this private key.
5895 tt( ssl server key = <empty string>)
5898 dit(bf(ssl version (G)))
5900 This variable is part of SSL-enabled Samba. This is only available if
5901 the SSL libraries have been compiled on your system and the configure
5902 option tt("--with-ssl") was given at configure time.
5904 em(Note) that for export control reasons this code is em(**NOT**)
5905 enabled by default in any current binary version of Samba.
5907 This enumeration variable defines the versions of the SSL protocol
5908 that will be used. tt("ssl2or3") allows dynamic negotiation of SSL v2
5909 or v3, tt("ssl2") results in SSL v2, tt("ssl3") results in SSL v3 and
5910 "tls1" results in TLS v1. TLS (Transport Layer Security) is the
5911 (proposed?) new standard for SSL.
5914 tt( ssl version = "ssl2or3")
5917 dit(bf(stat cache (G)))
5919 This parameter determines if url(bf(smbd))(smbd.8.html) will use a
5920 cache in order to speed up case insensitive name mappings. You should
5921 never need to change this parameter.
5924 tt( stat cache = yes)
5926 label(statcachesize)
5927 dit(bf(stat cache size (G)))
5929 This parameter determines the number of entries in the link(bf(stat
5930 cache))(statcache). You should never need to change this parameter.
5933 tt( stat cache size = 50)
5938 This enables or disables logging of connections to a status file that
5939 url(bf(smbstatus))(smbstatus.1.html) can read.
5941 With this disabled url(bf(smbstatus))(smbstatus.1.html) won't be able
5942 to tell you what connections are active. You should never need to
5943 change this parameter.
5948 label(strictlocking)
5949 dit(bf(strict locking (S)))
5951 This is a boolean that controls the handling of file locking in the
5952 server. When this is set to tt("yes") the server will check every read and
5953 write access for file locks, and deny access if locks exist. This can
5954 be slow on some systems.
5956 When strict locking is tt("no") the server does file lock checks only
5957 when the client explicitly asks for them.
5959 Well behaved clients always ask for lock checks when it is important,
5960 so in the vast majority of cases bf("strict locking = no") is
5964 tt( strict locking = no)
5967 tt( strict locking = yes)
5970 dit(bf(strict sync (S)))
5972 Many Windows applications (including the Windows 98 explorer shell)
5973 seem to confuse flushing buffer contents to disk with doing a sync to
5974 disk. Under UNIX, a sync call forces the process to be suspended until
5975 the kernel has ensured that all outstanding data in kernel disk
5976 buffers has been safely stored onto stable storage. This is very slow
5977 and should only be done rarely. Setting this parameter to "no" (the
5978 default) means that smbd ignores the Windows applications requests for
5979 a sync call. There is only a possibility of losing data if the
5980 operating system itself that Samba is running on crashes, so there is
5981 little danger in this default setting. In addition, this fixes many
5982 performance problems that people have reported with the new Windows98
5983 explorer shell file copies.
5985 See also the link(bf("sync always"))(syncalways) parameter.
5988 tt( strict sync = no)
5991 tt( strict sync = yes)
5994 dit(bf(strip dot (G)))
5996 This is a boolean that controls whether to strip trailing dots off
5997 UNIX filenames. This helps with some CDROMs that have filenames ending
6004 tt( strip dot = yes)
6007 dit(bf(sync always (S)))
6009 This is a boolean parameter that controls whether writes will always
6010 be written to stable storage before the write call returns. If this is
6011 false then the server will be guided by the client's request in each
6012 write call (clients can set a bit indicating that a particular write
6013 should be synchronous). If this is true then every write will be
6014 followed by a fsync() call to ensure the data is written to disk.
6015 Note that the link(bf("strict sync"))(strictsync) parameter must be
6016 set to tt("yes") in order for this parameter to have any affect.
6018 See also the link(bf("strict sync"))(strictsync) parameter.
6021 tt( sync always = no)
6024 tt( sync always = yes)
6029 This parameter maps how Samba debug messages are logged onto the
6030 system syslog logging levels. Samba debug level zero maps onto syslog
6031 LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps
6032 onto LOG_NOTICE, debug level three maps onto LOG_INFO. All higher
6033 levels are mapped to LOG_DEBUG.
6035 This paramter sets the threshold for sending messages to syslog.
6036 Only messages with debug level less than this value will be sent
6043 dit(bf(syslog only (G)))
6045 If this parameter is set then Samba debug messages are logged into the
6046 system syslog only, and not to the debug log files.
6049 tt( syslog only = no)
6052 dit(bf(time offset (G)))
6054 This parameter is a setting in minutes to add to the normal GMT to
6055 local time conversion. This is useful if you are serving a lot of PCs
6056 that have incorrect daylight saving time handling.
6059 tt( time offset = 0)
6062 tt( time offset = 60)
6066 dit(bf(time server (G)))
6068 This parameter determines if url(bf(nmbd))(nmbd.8.html) advertises
6069 itself as a time server to Windows clients. The default is False.
6072 tt( time server = False)
6075 tt( time server = True)
6077 label(timestamplogs)
6078 dit(bf(timestamp logs (G)))
6080 Samba2.0 will a timestamps to all log entries by default. This
6081 can be distracting if you are attempting to debug a problem. This
6082 parameter allows the timestamping to be turned off.
6085 tt( timestamp logs = True)
6088 tt( timestamp logs = False)
6090 label(unixpasswordsync)
6091 dit(bf(unix password sync (G)))
6093 This boolean parameter controls whether Samba attempts to synchronize
6094 the UNIX password with the SMB password when the encrypted SMB
6095 password in the smbpasswd file is changed. If this is set to true the
6096 program specified in the link(bf("passwd program"))(passwdprogram)
6097 parameter is called em(*AS ROOT*) - to allow the new UNIX password to be
6098 set without access to the old UNIX password (as the SMB password has
6099 change code has no access to the old password cleartext, only the
6100 new). By default this is set to tt("false").
6102 See also link(bf("passwd program"))(passwdprogram), link(bf("passwd
6103 chat"))(passwdchat).
6106 tt( unix password sync = False)
6109 tt( unix password sync = True)
6112 dit(bf(unix realname (G)))
6114 This boolean parameter when set causes samba to supply the real name
6115 field from the unix password file to the client. This is useful for
6116 setting up mail clients and WWW browsers on systems used by more than
6120 tt( unix realname = no)
6123 tt( unix realname = yes)
6125 label(updateencrypted)
6126 dit(bf(update encrypted (G)))
6128 This boolean parameter allows a user logging on with a plaintext
6129 password to have their encrypted (hashed) password in the smbpasswd
6130 file to be updated automatically as they log on. This option allows a
6131 site to migrate from plaintext password authentication (users
6132 authenticate with plaintext password over the wire, and are checked
6133 against a UNIX account database) to encrypted password authentication
6134 (the SMB challenge/response authentication mechanism) without forcing
6135 all users to re-enter their passwords via smbpasswd at the time the
6136 change is made. This is a convenience option to allow the change over
6137 to encrypted passwords to be made over a longer period. Once all users
6138 have encrypted representations of their passwords in the smbpasswd
6139 file this parameter should be set to tt("off").
6141 In order for this parameter to work correctly the link(bf("encrypt
6142 passwords"))(encryptpasswords) parameter must be set to tt("no") when
6143 this parameter is set to tt("yes").
6145 Note that even when this parameter is set a user authenticating to
6146 smbd must still enter a valid password in order to connect correctly,
6147 and to update their hashed (smbpasswd) passwords.
6150 tt( update encrypted = no)
6153 tt( update encrypted = yes)
6156 dit(bf(use rhosts (G)))
6158 If this global parameter is a true, it specifies that the UNIX users
6159 tt(".rhosts") file in their home directory will be read to find the
6160 names of hosts and users who will be allowed access without specifying
6163 NOTE: The use of bf(use rhosts) can be a major security hole. This is
6164 because you are trusting the PC to supply the correct username. It is
6165 very easy to get a PC to supply a false username. I recommend that the
6166 bf(use rhosts) option be only used if you really know what you are
6170 tt( use rhosts = no)
6173 tt( use rhosts = yes)
6178 Synonym for link(bf("username"))(username).
6183 Synonym for link(bf("username"))(username).
6186 dit(bf(username (S)))
6188 Multiple users may be specified in a comma-delimited list, in which
6189 case the supplied password will be tested against each username in
6190 turn (left to right).
6192 The bf(username=) line is needed only when the PC is unable to supply
6193 its own username. This is the case for the COREPLUS protocol or where
6194 your users have different WfWg usernames to UNIX usernames. In both
6195 these cases you may also be better using the tt(\\server\share%user)
6198 The bf(username=) line is not a great solution in many cases as it
6199 means Samba will try to validate the supplied password against each of
6200 the usernames in the username= line in turn. This is slow and a bad
6201 idea for lots of users in case of duplicate passwords. You may get
6202 timeouts or security breaches using this parameter unwisely.
6204 Samba relies on the underlying UNIX security. This parameter does not
6205 restrict who can login, it just offers hints to the Samba server as to
6206 what usernames might correspond to the supplied password. Users can
6207 login as whoever they please and they will be able to do no more
6208 damage than if they started a telnet session. The daemon runs as the
6209 user that they log in as, so they cannot do anything that user cannot
6212 To restrict a service to a particular set of users you can use the
6213 link(bf("valid users="))(validusers) parameter.
6215 If any of the usernames begin with a tt('@') then the name will be
6216 looked up first in the yp netgroups list (if Samba is compiled with
6217 netgroup support), followed by a lookup in the UNIX groups database
6218 and will expand to a list of all users in the group of that name.
6220 If any of the usernames begin with a tt('+') then the name will be
6221 looked up only in the UNIX groups database and will expand to a list
6222 of all users in the group of that name.
6224 If any of the usernames begin with a tt('&') then the name will be
6225 looked up only in the yp netgroups database (if Samba is compiled with
6226 netgroup support) and will expand to a list of all users in the
6227 netgroup group of that name.
6229 Note that searching though a groups database can take quite some time,
6230 and some clients may time out during the search.
6232 See the section link(bf("NOTE ABOUT USERNAME/PASSWORD
6233 VALIDATION"))(NOTEABOUTUSERNAMEPASSWORDVALIDATION) for more
6234 information on how this parameter determines access to the services.
6237 tt( The guest account if a guest service, else the name of the service.)
6242 username = fred, mary, jack, jane, @users, @pcgroup
6245 label(usernamelevel)
6246 dit(bf(username level (G)))
6248 This option helps Samba to try and 'guess' at the real UNIX username,
6249 as many DOS clients send an all-uppercase username. By default Samba
6250 tries all lowercase, followed by the username with the first letter
6251 capitalized, and fails if the username is not found on the UNIX
6254 If this parameter is set to non-zero the behavior changes. This
6255 parameter is a number that specifies the number of uppercase
6256 combinations to try whilst trying to determine the UNIX user name. The
6257 higher the number the more combinations will be tried, but the slower
6258 the discovery of usernames will be. Use this parameter when you have
6259 strange usernames on your UNIX machine, such as tt("AstrangeUser").
6262 tt( username level = 0)
6265 tt( username level = 5)
6268 dit(bf(username map (G)))
6270 This option allows you to specify a file containing a mapping of
6271 usernames from the clients to the server. This can be used for several
6272 purposes. The most common is to map usernames that users use on DOS or
6273 Windows machines to those that the UNIX box uses. The other is to map
6274 multiple users to a single username so that they can more easily share
6277 The map file is parsed line by line. Each line should contain a single
6278 UNIX username on the left then a tt('=') followed by a list of
6279 usernames on the right. The list of usernames on the right may contain
6280 names of the form @group in which case they will match any UNIX
6281 username in that group. The special client name tt('*') is a wildcard
6282 and matches any name. Each line of the map file may be up to 1023
6285 The file is processed on each line by taking the supplied username and
6286 comparing it with each username on the right hand side of the tt('=')
6287 signs. If the supplied name matches any of the names on the right hand
6288 side then it is replaced with the name on the left. Processing then
6289 continues with the next line.
6291 If any line begins with a tt('#') or a tt(';') then it is ignored
6293 If any line begins with an tt('!') then the processing will stop after
6294 that line if a mapping was done by the line. Otherwise mapping
6295 continues with every line being processed. Using tt('!') is most
6296 useful when you have a wildcard mapping line later in the file.
6298 For example to map from the name tt("admin") or tt("administrator") to
6299 the UNIX name tt("root") you would use:
6302 tt( root = admin administrator)
6304 Or to map anyone in the UNIX group tt("system") to the UNIX name
6305 tt("sys") you would use:
6309 You can have as many mappings as you like in a username map file.
6311 If your system supports the NIS NETGROUP option then the netgroup
6312 database is checked before the tt(/etc/group) database for matching
6315 You can map Windows usernames that have spaces in them by using double
6316 quotes around the name. For example:
6318 tt( tridge = "Andrew Tridgell")
6320 would map the windows username tt("Andrew Tridgell") to the unix
6323 The following example would map mary and fred to the unix user sys,
6324 and map the rest to guest. Note the use of the tt('!') to tell Samba
6325 to stop processing if it gets a match on that line.
6332 Note that the remapping is applied to all occurrences of
6333 usernames. Thus if you connect to tt("\\server\fred") and tt("fred")
6334 is remapped to tt("mary") then you will actually be connecting to
6335 tt("\\server\mary") and will need to supply a password suitable for
6336 tt("mary") not tt("fred"). The only exception to this is the username
6337 passed to the link(bf("password server"))(passwordserver) (if you have
6338 one). The password server will receive whatever username the client
6339 supplies without modification.
6341 Also note that no reverse mapping is done. The main effect this has is
6342 with printing. Users who have been mapped may have trouble deleting
6343 print jobs as PrintManager under WfWg will think they don't own the
6347 tt( no username map)
6350 tt( username map = /usr/local/samba/lib/users.map)
6353 dit(bf(valid chars (G)))
6355 The option allows you to specify additional characters that should be
6356 considered valid by the server in filenames. This is particularly
6357 useful for national character sets, such as adding u-umlaut or a-ring.
6359 The option takes a list of characters in either integer or character
6360 form with spaces between them. If you give two characters with a colon
6361 between them then it will be taken as an lowercase:uppercase pair.
6363 If you have an editor capable of entering the characters into the
6364 config file then it is probably easiest to use this method. Otherwise
6365 you can specify the characters in octal, decimal or hexadecimal form
6366 using the usual C notation.
6368 For example to add the single character tt('Z') to the charset (which
6369 is a pointless thing to do as it's already there) you could do one of
6375 valid chars = 0132:0172
6378 The last two examples above actually add two characters, and alter the
6379 uppercase and lowercase mappings appropriately.
6381 Note that you MUST specify this parameter after the link(bf("client
6382 code page"))(clientcodepage) parameter if you have both set. If
6383 link(bf("client code page"))(clientcodepage) is set after the
6384 bf("valid chars") parameter the bf("valid chars") settings will be
6387 See also the link(bf("client code page"))(clientcodepage) parameter.
6391 Samba defaults to using a reasonable set of valid characters
6396 tt( valid chars = 0345:0305 0366:0326 0344:0304)
6398 The above example allows filenames to have the Swedish characters in
6401 NOTE: It is actually quite difficult to correctly produce a bf("valid
6402 chars") line for a particular system. To automate the process
6403 email(tino@augsburg.net) has written a package called bf("validchars")
6404 which will automatically produce a complete bf("valid chars") line for
6405 a given client system. Look in the examples/validchars/ subdirectory
6406 of your Samba source code distribution for this package.
6409 dit(bf(valid users (S)))
6411 This is a list of users that should be allowed to login to this
6412 service. Names starting with tt('@'), tt('+') and tt('&') are
6413 interpreted using the same rules as described in the link(bf("invalid
6414 users"))(invalidusers) parameter.
6416 If this is empty (the default) then any user can login. If a username
6417 is in both this list and the link(bf("invalid users"))(invalidusers)
6418 list then access is denied for that user.
6420 The current servicename is substituted for
6421 link(bf("%S"))(percentS). This is useful in the
6422 link(bf([homes]))(homes) section.
6424 See also link(bf("invalid users"))(invalidusers).
6427 tt( No valid users list. (anyone can login))
6430 tt( valid users = greg, @pcusers)
6433 dit(bf(veto files(S)))
6435 This is a list of files and directories that are neither visible nor
6436 accessible. Each entry in the list must be separated by a tt('/'),
6437 which allows spaces to be included in the entry. tt('*') and tt('?')
6438 can be used to specify multiple files or directories as in DOS
6441 Each entry must be a unix path, not a DOS path and must em(*not*) include the
6442 unix directory separator tt('/').
6444 Note that the link(bf("case sensitive"))(casesensitive) option is
6445 applicable in vetoing files.
6447 One feature of the veto files parameter that it is important to be
6448 aware of, is that if a directory contains nothing but files that match
6449 the veto files parameter (which means that Windows/DOS clients cannot
6450 ever see them) is deleted, the veto files within that directory *are
6451 automatically deleted* along with it, if the user has UNIX permissions
6454 Setting this parameter will affect the performance of Samba, as it
6455 will be forced to check all files and directories for a match as they
6458 See also link(bf("hide files"))(hidefiles) and link(bf("case
6459 sensitive"))(casesensitive).
6462 tt( No files or directories are vetoed.)
6470 Veto any files containing the word Security,
6471 any ending in .tmp, and any directory containing the
6474 veto files = /*Security*/*.tmp/*root*/
6480 Veto the Apple specific files that a NetAtalk server
6483 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
6486 label(vetooplockfiles)
6487 dit(bf(veto oplock files (S)))
6489 This parameter is only valid when the link(bf("oplocks"))(oplocks)
6490 parameter is turned on for a share. It allows the Samba administrator
6491 to selectively turn off the granting of oplocks on selected files that
6492 match a wildcarded list, similar to the wildcarded list used in the
6493 link(bf("veto files"))(vetofiles) parameter.
6496 tt( No files are vetoed for oplock grants.)
6500 You might want to do this on files that you know will be heavily
6501 contended for by clients. A good example of this is in the NetBench
6502 SMB benchmark program, which causes heavy client contention for files
6503 ending in tt(".SEM"). To cause Samba not to grant oplocks on these
6504 files you would use the line (either in the link(bf([global]))(global)
6505 section or in the section for the particular NetBench share :
6507 tt( veto oplock files = /*.SEM/)
6512 This allows you to override the volume label returned for a
6513 share. Useful for CDROMs with installation programs that insist on a
6514 particular volume label.
6516 The default is the name of the share.
6519 dit(bf(wide links (S)))
6521 This parameter controls whether or not links in the UNIX file system
6522 may be followed by the server. Links that point to areas within the
6523 directory tree exported by the server are always allowed; this
6524 parameter controls access only to areas that are outside the directory
6525 tree being exported.
6527 Note that setting this parameter can have a negative effect on your
6528 server performance due to the extra system calls that Samba has to
6529 do in order to perform the link checks.
6532 tt( wide links = yes)
6535 tt( wide links = no)
6538 dit(bf(wins proxy (G)))
6540 This is a boolean that controls if url(bf(nmbd))(nmbd.8.html) will
6541 respond to broadcast name queries on behalf of other hosts. You may
6542 need to set this to tt("yes") for some older clients.
6545 tt( wins proxy = no)
6548 dit(bf(wins server (G)))
6550 This specifies the IP address (or DNS name: IP address for preference)
6551 of the WINS server that url(bf(nmbd))(nmbd.8.html) should register with.
6552 If you have a WINS server on your network then you should set this to
6553 the WINS server's IP.
6555 You should point this at your WINS server if you have a
6556 multi-subnetted network.
6558 em(NOTE). You need to set up Samba to point to a WINS server if you
6559 have multiple subnets and wish cross-subnet browsing to work correctly.
6561 See the documentation file BROWSING.txt in the docs/ directory of your
6562 Samba source distribution.
6568 tt( wins server = 192.9.200.1)
6571 dit(bf(wins hook (G)))
6573 When Samba is running as a WINS server this allows you to call an
6574 external program for all changes to the WINS database. The primary use
6575 for this option is to allow the dynamic update of external name
6576 resolution databases such as dynamic DNS.
6578 The wins hook parameter specifies the name of a script or executable
6579 that will be called as follows:
6581 wins_hook operation name nametype ttl IP_list
6583 The first argument is the operation and is one of "add", "delete",
6584 or "refresh". In most cases the operation can be ignored as the rest
6585 of the parameters provide sufficient information. Note that "refresh"
6586 may sometimes be called when the name has not previously been added,
6587 in that case it should be treated as an add.
6589 The second argument is the netbios name. If the name is not a legal
6590 name then the wins hook is not called. Legal names contain only
6591 letters, digits, hyphens, underscores and periods.
6593 The third argument is the netbios name type as a 2 digit hexadecimal
6596 The fourth argument is the TTL (time to live) for the name in seconds.
6598 The fifth and subsequent arguments are the IP addresses currently
6599 registered for that name. If this list is empty then the name should
6602 An example script that calls the BIND dynamic DNS update program
6603 "nsupdate" is provided in the examples directory of the Samba source
6607 dit(bf(wins support (G)))
6609 This boolean controls if the url(bf(nmbd))(nmbd.8.html) process in
6610 Samba will act as a WINS server. You should not set this to true
6611 unless you have a multi-subnetted network and you wish a particular
6612 url(bf(nmbd))(nmbd.8.html) to be your WINS server. Note that you
6613 should em(*NEVER*) set this to true on more than one machine in your
6617 tt( wins support = no)
6620 dit(bf(workgroup (G)))
6622 This controls what workgroup your server will appear to be in when
6623 queried by clients. Note that this parameter also controls the Domain
6624 name used with the link(bf("security=domain"))(securityequaldomain)
6628 tt( set at compile time to WORKGROUP)
6634 dit(bf(writable (S)))
6636 Synonym for link(bf("writeable"))(writeable) for people who can't spell :-).
6639 dit(bf(write list (S)))
6641 This is a list of users that are given read-write access to a
6642 service. If the connecting user is in this list then they will be
6643 given write access, no matter what the link(bf("read only"))(readonly)
6644 option is set to. The list can include group names using the @group
6647 Note that if a user is in both the read list and the write list then
6648 they will be given write access.
6650 See also the link(bf("read list"))(readlist) option.
6653 tt( write list = <empty string>)
6656 tt( write list = admin, root, @staff)
6659 dit(bf(write ok (S)))
6661 Synonym for link(bf(writeable))(writeable).
6664 dit(bf(write raw (G)))
6666 This parameter controls whether or not the server will support raw
6667 writes SMB's when transferring data from clients. You should never
6668 need to change this parameter.
6671 tt( write raw = yes)
6676 An inverted synonym is link(bf("read only"))(readonly).
6678 If this parameter is tt("no"), then users of a service may not create
6679 or modify files in the service's directory.
6681 Note that a printable service link(bf(("printable = yes")))(printable)
6682 will em(*ALWAYS*) allow writing to the directory (user privileges
6683 permitting), but only via spooling operations.
6698 manpagesection(WARNINGS)
6700 Although the configuration file permits service names to contain
6701 spaces, your client software may not. Spaces will be ignored in
6702 comparisons anyway, so it shouldn't be a problem - but be aware of the
6705 On a similar note, many clients - especially DOS clients - limit
6706 service names to eight characters. url(bf(Smbd))(smbd.8.html) has no
6707 such limitation, but attempts to connect from such clients will fail
6708 if they truncate the service names. For this reason you should
6709 probably keep your service names down to eight characters in length.
6711 Use of the link(bf([homes]))(homes) and link(bf([printers]))(printers)
6712 special sections make life for an administrator easy, but the various
6713 combinations of default attributes can be tricky. Take extreme care
6714 when designing these sections. In particular, ensure that the
6715 permissions on spool directories are correct.
6718 manpagesection(VERSION)
6720 This man page is correct for version 2.0 of the Samba suite.
6723 manpagesection(SEE ALSO)
6725 url(bf(smbd (8)))(smbd.8.html), url(bf(smbclient (1)))(smbclient.1.html),
6726 url(bf(nmbd (8)))(nmbd.8.html), url(bf(testparm (1)))(testparm.1.html),
6727 url(bf(testprns (1)))(testprns.1.html), url(bf(Samba))(samba.7.html),
6728 url(bf(nmblookup (1)))(nmblookup.1.html), url(bf(smbpasswd (5)))(smbpasswd.5.html),
6729 url(bf(smbpasswd (8)))(smbpasswd.8.html).
6734 The original Samba software and related utilities were created by
6735 Andrew Tridgell email(samba-bugs@samba.org). Samba is now developed
6736 by the Samba Team as an Open Source project similar to the way the
6737 Linux kernel is developed.
6739 The original Samba man pages were written by Karl Auer. The man page
6740 sources were converted to YODL format (another excellent piece of Open
6741 Source software, available at
6742 url(bf(ftp://ftp.icce.rug.nl/pub/unix/))(ftp://ftp.icce.rug.nl/pub/unix/))
6743 and updated for the Samba2.0 release by Jeremy Allison.
6744 email(samba-bugs@samba.org).
6746 See url(bf(samba (7)))(samba.7.html) to find out how to get a full
6747 list of contributors and details on how to submit bug reports,