-.TH SMB.CONF 5 "28 Oct 1997" "smb.conf 1.9.18alpha6"
+.TH SMB.CONF 5 "08 Jan 1998" "smb.conf 1.9.18"
.SH NAME
smb.conf \- configuration file for smbd
.SH SYNOPSIS
An alias, by the way, is defined as any component of the first entry of a
printcap record. Records are separated by newlines, components (if there are
more than one) are separated by vertical bar symbols ("|").
+
+NOTE: On SYSV systems which use lpstat to determine what printers are
+defined on the system you may be able to use "printcap name = lpstat"
+to automatically obtain a list of printers. See the "printcap name"
+option for more detils.
+
.RE
.SH PARAMETERS
Parameters define the specific attributes of services.
your NIS auto.map entry. If you have not compiled Samba with -DAUTOMOUNT
then this value will be the same as %L.
+%p = the path of the service's home directory, obtained from your NIS
+auto.map entry. The NIS auto.map entry is split up as "%N:%p".
+
+%R = the selected protocol level after protocol negotiation. As of
+Samba 1.9.18 it can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
+
%d = The process id of the current server process
%a = the architecture of the remote machine. Only some are recognised,
domain controller
-domain sid
-
-domain group
-
domain logons
domain master
keepalive
+lm announce
+
+lm interval
+
lock dir
load printers
max xmit
+max wins ttl
+
message command
+min wins ttl
+
+name resolve order
+
netbios aliases
netbios name
preload
-printing
-
printcap name
+printer driver file
+
protocol
read bmpx
remote announce
+remote browse sync
+
root
root dir
valid chars
-veto files
+wins proxy
+
+wins server
+
+wins support
workgroup
dos filetimes
+dos filetime resolution
+
exec
+fake directory create times
+
fake oplocks
follow symlinks
min print space
+networkstation user login
+
only guest
only user
printer driver
+printer driver location
+
+printing
+
print ok
printable
valid users
+veto files
+
+veto oplock files
+
volume
wide links
.SS alternate permissions (S)
-This option affects the way the "read only" DOS attribute is produced
-for UNIX files. If this is false then the read only bit is set for
-files on writeable shares which the user cannot write to.
-
-If this is true then it is set for files whos user write bit is not set.
-
-The latter behaviour is useful for when users copy files from each
-others directories, and use a file manager that preserves
-permissions. Without this option they may get annoyed as all copied
-files will have the "read only" bit set.
-
-.B Default:
- alternate permissions = no
-
-.B Example:
- alternate permissions = yes
+This option is deprecated and is only included for backward
+compatibility.
.SS available (S)
This parameter lets you 'turn off' a service. If 'available = no', then
See
.B create mask.
-.SS dead time (G)
+.SS deadtime (G)
The value of the parameter (a decimal integer) represents the number of
minutes of inactivity before a connection is considered dead, and it
is disconnected. The deadtime only takes effect if the number of open files
A deadtime of zero indicates that no auto-disconnection should be performed.
.B Default:
- dead time = 0
+ deadtime = 0
.B Example:
- dead time = 15
+ deadtime = 15
.SS debug level (G)
The value of the parameter (an integer) allows the debug level
(logging level) to be specified in the
.B Default:
domain controller = no
-.SS domain groups (G)
-
-Specifies the NT Domain groups that the user belongs to, and the attributes
-associated with that group. This parameter is a white-space separated list
-of group ids (in decimal), followed by an option attribute (in decimal) which
-defaults to a value of 7 if not specified. A group id and the user attributes
-associated with it are separated by "/".
-
-.B
-It is known that attributes are ignored by NT 4.0 Workstation, but not by
-NT 3.51 Workstation. Furthermore, no information on the exact meaning of
-NT Domain groups is presently known.
-
-.B Default:
- domain groups = 776/7
-
-.B Example:
- domain groups = 776 1024/7 777
-
-.SS domain sid (G)
-
-Specifies the SID when using Samba as a Logon Server for NT Workstations.
-The format of SIDs supported by samba at present is S-1-N-nnn-nnn-nnn-nnn-nnn.
-The number N indicates the number of sub-authorities (nnn).
-
-.B Default:
- domain sid = none
-
-.B Example:
- domain sid = S-1-5-21-123-456-789-123
-
.SS domain logons (G)
If set to true, the Samba server will serve Windows 95 domain logons
.B Example:
dos filetimes = True
+.SS dos filetime resolution (S)
+Under the DOS and Windows FAT filesystem, the finest granulatity on
+time resolution is two seconds. Setting this parameter for a share
+causes Samba to round the reported time down to the nearest two
+second boundary when a query call that requires one second resolution
+is made to smbd.
+
+This option is mainly used as a compatibility option for Visual C++
+when used against Samba shares. If oplocks are enabled on a share,
+Visual C++ uses two different time reading calls to check if a file
+has changed since it was last read. One of these calls uses a one-second
+granularity, the other uses a two second granularity. As the two second
+call rounds any odd second down, then if the file has a timestamp of an
+odd number of seconds then the two timestamps will not match and Visual
+C++ will keep reporting the file has changed. Setting this option causes
+the two timestamps to match, and Visual C++ is happy.
+
+.B Default:
+ dos filetime resolution = False
+
+.B Example:
+ dos filetime resolution = True
+
.SS encrypt passwords (G)
This boolean controls whether encrypted passwords will be negotiated
-with the client. Note that this option has no effect if you haven't
-compiled in the necessary des libraries and encryption code. It
-defaults to no.
+with the client. Note that Windows NT 4.0 SP3 and above will by default
+expect encrypted passwords unless a registry entry is changed. To use
+encrypted passwords in Samba see the file docs/ENCRYPTION.txt.
.SS exec (S)
This is an alias for preexec
+.SS fake directory create times (S)
+NTFS and Windows VFAT file systems keep a create time for all files
+and directories. This is not the same as the ctime - status change
+time - that Unix keeps, so Samba by default reports the earliest
+of the various times Unix does keep. Setting this parameter for a
+share causes Samba to always report midnight 1-1-1980 as
+the create time for directories.
+
+This option is mainly used as a compatibility option for Visual C++
+when used against Samba shares. Visual C++ generated makefiles
+have the object directory as a dependency for each object file,
+and a make rule to create the directory. Also, when NMAKE
+compares timestamps it uses the creation time when examining
+a directory. Thus the object directory will be created if it does
+not exist, but once it does exist it will always have an earlier
+timestamp than the object files it contains.
+
+However, Unix time semantics mean that the create time reported
+by Samba will be updated whenever a file is created or deleted
+in the directory. NMAKE therefore finds all object files in the
+object directory bar the last one built are out of date compared
+to the directory and rebuilds them. Enabling this option ensures
+directories always predate their contents and an NMAKE build will
+proceed as expected.
+
+.B Default:
+ fake directory create times = False
+
+.B Example:
+ fake directory create times = True
+
.SS fake oplocks (S)
Oplocks are the way that SMB clients get permission from a server to
.B Example
invalid users = root fred admin @wheel
-.SS keep alive (G)
+.SS keepalive (G)
The value of the parameter (an integer) represents the number of seconds
between 'keepalive' packets. If this parameter is zero, no keepalive packets
will be sent. Keepalive packets, if sent, allow the server to tell whether a
client is still present and responding.
-Keepalives should, in general, not be needed if the socket being used
-has the SO_KEEPALIVE attribute set on it (see "socket
-options"). Basically you should only use this option if you strike
-difficulties.
-
.B Default:
- keep alive = 0
+ keep alive = 300
.B Example:
keep alive = 60
+
+.SS lm announce (G)
+
+This parameter determines if Samba will produce Lanman announce
+broadcasts that are needed by OS/2 clients in order for them to
+see the Samba server in their browse list. This parameter can
+have three values, true, false, or auto. The default is auto.
+If set to False Samba will never produce these broadcasts. If
+set to true Samba will produce Lanman announce broadcasts at
+a frequency set by the parameter 'lm interval'. If set to auto
+Samba will not send Lanman announce broadcasts by default but
+will listen for them. If it hears such a broadcast on the wire
+it will then start sending them at a frequency set by the parameter
+'lm interval'.
+
+See also "lm interval".
+
+.B Default:
+ lm announce = auto
+
+.B Example:
+ lm announce = true
+
+.SS lm interval (G)
+
+If Samba is set to produce Lanman announce broadcasts needed
+by OS/2 clients (see the "lm announce" parameter) this parameter
+defines the frequency in seconds with which they will be made.
+If this is set to zero then no Lanman announcements will be
+made despite the setting of the "lm announce" parameter.
+
+See also "lm announce".
+
+.B Default:
+ lm interval = 60
+
+.B Example:
+ lm interval = 120
+
.SS load printers (G)
A boolean variable that controls whether all printers in the printcap
will be loaded for browsing by default.
.SS max ttl (G)
This option tells nmbd what the default 'time to live' of NetBIOS
-names should be (in seconds). You should never need to change this parameter.
+names should be (in seconds) when nmbd is requesting a name using
+either a broadcast or from a WINS server. You should never need to
+change this parameter.
.B Default:
max ttl = 14400
+
+.SS max wins ttl (G)
+
+This option tells nmbd when acting as a WINS server (wins support = true)
+what the maximum 'time to live' of NetBIOS names that nmbd will grant will
+be (in seconds). You should never need to change this parameter.
+The default is 3 days (259200 seconds).
+
+.B Default:
+ max wins ttl = 259200
+
.SS max xmit (G)
This option controls the maximum packet size that will be negotiated
.B Example:
min print space = 2000
+.SS min wins ttl (G)
+
+This option tells nmbd when acting as a WINS server (wins support = true)
+what the minimum 'time to live' of NetBIOS names that nmbd will grant will
+be (in seconds). You should never need to change this parameter.
+The default is 6 hours (21600 seconds).
+
+.B Default:
+ min wins ttl = 21600
+
+.SS name resolve order (G)
+
+This option is used by the programs smbd, nmbd and smbclient to determine
+what naming services and in what order to resolve host names to IP addresses.
+This option is most useful in smbclient. The option takes a space separated
+string of different name resolution options. These are "lmhosts", "host",
+"wins" and "bcast". They cause names to be resolved as follows :
+
+lmhosts : Lookup an IP address in the Samba lmhosts file.
+host : Do a standard host name to IP address resolution, using the
+ system /etc/hosts, NIS, or DNS lookups. This method of name
+ resolution is operating system depended (for instance on Solaris
+ this may be controlled by the /etc/nsswitch.conf file).
+wins : Query a name with the IP address listed in the "wins server ="
+ parameter. If no WINS server has been specified this method will
+ be ignored.
+bcast : Do a broadcast on each of the known local interfaces listed in
+ the "interfaces =" parameter. This is the least reliable of the
+ name resolution methods as it depends on the target host being
+ on a locally connected subnet.
+
+The default order is lmhosts, host, wins, bcast and these name resolution
+methods will be attempted in this order.
+
+This option was first introduced in Samba 1.9.18p4.
+
+.B Default:
+ name resolve order = lmhosts host wins bcast
+
+.Example:
+ name resolve order = lmhosts bcast host
+
+This will cause the local lmhosts file to be examined first, followed
+by a broadcast attempt, followed by a normal system hostname lookup.
+
.SS netbios aliases (G)
This is a list of names that nmbd will advertise as additional
.B Example:
nis homedir = true
+.SS networkstation user login (G)
+This global parameter (new for 1.9.18p3) affects server level security.
+With this set (recommended) samba will do a full NetWkstaUserLogon to
+confirm that the client really should have login rights. This can cause
+problems with machines in trust relationships in which case you can
+disable it here, but be warned, we have heard that some NT machines
+will then allow anyone in with any password! Make sure you test it.
+
+.B Default:
+ networkstation user login = yes
+
+.B Example:
+ networkstation user login = no
+
.SS null passwords (G)
Allow or disallow access to accounts that have null passwords.
network environments (it is turned on by default in Windows NT Servers).
For more information see the file Speed.txt in the Samba docs/ directory.
+Oplocks may be selectively turned off on certain files on a per share basis.
+See the 'veto oplock files' parameter.
+
.B Default:
oplocks = True
internet name then you may have to add its netbios name to
/etc/hosts.
+Note that with Samba 1.9.18p4 and above the name of the password
+server is looked up using the parameter "name resolve order=" and
+so may resolved by any method and order described in that parameter.
+
The password server much be a machine capable of using the "LM1.2X002"
or the "LM NT 0.12" protocol, and it must be in user level security
mode.
name used by the server (usually /etc/printcap). See the discussion of the
[printers] section above for reasons why you might want to do this.
-For those of you without a printcap (say on SysV) you can just create a
-minimal file that looks like a printcap and set "printcap name =" in
-[global] to point at it.
+On SystemV systems that use lpstat to list available printers you
+can use "printcap name = lpstat" to automatically obtain lists of
+available printers. This is the default for systems that define
+SYSV at compile time in Samba (this includes most SystemV based
+systems). If "printcap name" is set to lpstat on these systems then
+Samba will launch "lpstat -v" and attempt to parse the output to
+obtain a printer list.
A minimal printcap file would look something like this:
.B Example:
printcap name = /etc/myprintcap
+
.SS printer (S)
A synonym for this parameter is 'printer name'.
See
.B printer.
-.SS printing (G)
+.SS printer driver file (G)
+This parameter tells Samba where the printer driver definition file,
+used when serving drivers to Windows 95 clients, is to be found. If
+this is not set, the default is :
+
+SAMBA_INSTALL_DIRECTORY/lib/printers.def
+
+This file is created from Windows 95 'msprint.def' files found on the
+Windows 95 client system. For more details on setting up serving of
+printer drivers to Windows 95 clients, see the documentation file
+docs/PRINTER_DRIVER.txt.
+
+.B Default:
+ None (set in compile).
+
+.B Example:
+ printer driver file = /usr/local/samba/printers/drivers.def
+
+Related parameters.
+.B printer driver location
+
+.SS printer driver location (S)
+This parameter tells clients of a particular printer share where
+to find the printer driver files for the automatic installation
+of drivers for Windows 95 machines. If Samba is set up to serve
+printer drivers to Windows 95 machines, this should be set to
+
+\e\eMACHINE\ePRINTER$
+
+Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
+is a share you set up for serving printer driver files. For more
+details on setting this up see the documentation file
+docs/PRINTER_DRIVER.txt.
+
+.B Default:
+ None
+
+.B Example:
+ printer driver location = \e\eMACHINE\ePRINTER$
+
+Related paramerers.
+.B printer driver file
+
+
+.SS printing (S)
This parameters controls how printer status information is interpreted
on your system, and also affects the default values for the "print
command", "lpq command" and "lprm command".
To see what the defaults are for the other print commands when using
these three options use the "testparm" program.
+As of version 1.9.18 of Samba this option can be set on a per printer basis
.SS protocol (G)
The value of the parameter (a string) is the highest protocol level that will
This option replaces similar functionality from the nmbd lmhosts file.
+.SS remote browse sync (G)
+
+This option allows you to setup nmbd to periodically request synchronisation
+of browse lists with the master browser of a samba server that is on a remote
+segment. This option will allow you to gain browse lists for multiple
+workgroups across routed networks. This is done in a manner that does not work
+with any non-samba servers.
+
+This is useful if you want your Samba server and all local clients
+to appear in a remote workgroup for which the normal browse propagation
+rules don't work. The remote workgroup can be anywhere that you can send IP
+packets to.
+
+For example:
+
+ remote browse sync = 192.168.2.255 192.168.4.255
+
+the above line would cause nmbd to request the master browser on the
+specified subnets or addresses to synchronise their browse lists with
+the local server.
+
+The IP addresses you choose would normally be the broadcast addresses
+of the remote networks, but can also be the IP addresses of known
+browse masters if your network config is that stable. If a machine IP
+address is given Samba makes NO attempt to validate that the remote
+machine is available, is listening, nor that it is in fact the browse
+master on it's segment.
+
+
.SS revalidate (S)
This options controls whether Samba will allow a previously validated
set directory = yes
.SS shared file entries (G)
-This parameter is only useful when Samba has been compiled with FAST_SHARE_MODES.
-It specifies the number of hash bucket entries used for share file locking.
-You should never change this parameter unless you have studied the source
-and know what you are doing.
-
-.B Default
- shared file entries = 113
+This parameter has been removed (as of Samba 1.9.18 and above). The new
+System V shared memory code prohibits the user from allocating the
+share hash bucket size directly.
.SS shared mem size (G)
This parameter is only useful when Samba has been compiled with FAST_SHARE_MODES.
It specifies the size of the shared memory (in bytes) to use between smbd
processes. You should never change this parameter unless you have studied
-the source and know what you are doing.
+the source and know what you are doing. This parameter defaults to 1024
+multiplied by the setting of the maximum number of open files in the
+file local.h in the Samba source code. MAX_OPEN_FILES is normally set
+to 100, so this parameter defaults to 102400 bytes.
.B Default
shared mem size = 102400
If any line begins with a '#' or a ';' then it is ignored
+If any line begins with an ! then the processing will stop after that
+line if a mapping was done by the line. Otherwise mapping continues
+with every line being processed. Using ! is most useful when you have
+a wildcard mapping line later in the file.
+
For example to map from the name "admin" or "administrator" to the UNIX
name "root" you would use
would map the windows username "Andrew Tridgell" to the unix username
tridge.
+The following example would map mary and fred to the unix user sys,
+and map the rest to guest. Note the use of the ! to tell Samba to stop
+processing if it gets a match on that line.
+
+ !sys = mary fred
+ guest = *
+
+
Note that the remapping is applied to all occurrences of
usernames. Thus if you connect to "\e\eserver\efred" and "fred" is
remapped to "mary" then you will actually be connecting to
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+.SS veto oplock files (S)
+This parameter is only valid when the 'oplocks' parameter is turned on
+for a share. It allows the Samba administrator to selectively turn off
+the granting of oplocks on selected files that match a wildcarded list,
+similar to the wildcarded list used in the 'veto files' parameter.
+
+.B Default
+ No files are vetoed for oplock grants.
+
+.B Examples
+You might want to do this on files that you know will be heavily
+contended for by clients. A good example of this is in the NetBench
+SMB benchmark program, which causes heavy client contention for files
+ending in .SEM. To cause Samba not to grant oplocks on these files
+you would use the line (either in the [global] section or in the section
+for the particular NetBench share :
+
+ veto oplock files = /*.SEM/
+
.SS volume (S)
This allows you to override the volume label returned for a
share. Useful for CDROMs with installation programs that insist on a
.SS wins support (G)
-This boolean controls if Samba will act as a WINS server. You should
-not set this to true unless you have a multi-subnetted network and
+This boolean controls if the nmbd process in Samba will act as a WINS server.
+You should not set this to true unless you have a multi-subnetted network and
you wish a particular nmbd to be your WINS server. Note that you
should *NEVER* set this to true on more than one machine in your
network.
.B Default:
wins support = no
+
.SS workgroup (G)
This controls what workgroup your server will appear to be in when
.B Example:
write raw = no
+
.SH NOTE ABOUT USERNAME/PASSWORD VALIDATION
There are a number of ways in which a user can connect to a
service. The server follows the following steps in determining if it
git.samba.org / samba.git / blobdiff