1 .\" This manpage has been automatically generated by docbook2man
2 .\" from a DocBook document. This tool can be found at:
3 .\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
4 .\" Please send any bug reports, improvements, comments, patches,
5 .\" etc. to Steve Cheng <steve@ggi-project.org>.
6 .TH "SMB.CONF" "5" "29 December 2002" "" ""
8 smb.conf \- The configuration file for the Samba suite
11 The \fIsmb.conf\fR file is a configuration
12 file for the Samba suite. \fIsmb.conf\fR contains
13 runtime configuration information for the Samba programs. The
14 \fIsmb.conf\fR file is designed to be configured and
15 administered by the \fBswat(8)\fR
16 program. The complete description of the file format and
17 possible parameters held within are here for reference purposes.
20 The file consists of sections and parameters. A section
21 begins with the name of the section in square brackets and continues
22 until the next section begins. Sections contain parameters of the
28 The file is line-based - that is, each newline-terminated
29 line represents either a comment, a section name or a parameter.
31 Section and parameter names are not case sensitive.
33 Only the first equals sign in a parameter is significant.
34 Whitespace before or after the first equals sign is discarded.
35 Leading, trailing and internal whitespace in section and parameter
36 names is irrelevant. Leading and trailing whitespace in a parameter
37 value is discarded. Internal whitespace within a parameter value
40 Any line beginning with a semicolon (';') or a hash ('#')
41 character is ignored, as are lines containing only whitespace.
43 Any line ending in a '\\' is continued
44 on the next line in the customary UNIX fashion.
46 The values following the equals sign in parameters are all
47 either a string (no quotes needed) or a boolean, which may be given
48 as yes/no, 0/1 or true/false. Case is not significant in boolean
49 values, but is preserved in string values. Some items such as
50 create modes are numeric.
51 .SH "SECTION DESCRIPTIONS"
53 Each section in the configuration file (except for the
54 [global] section) describes a shared resource (known
55 as a "share"). The section name is the name of the
56 shared resource and the parameters within the section define
57 the shares attributes.
59 There are three special sections, [global],
60 [homes] and [printers], which are
61 described under \fBspecial sections\fR. The
62 following notes apply to ordinary section descriptions.
64 A share consists of a directory to which access is being
65 given plus a description of the access rights which are granted
66 to the user of the service. Some housekeeping options are
69 Sections are either file share services (used by the
70 client as an extension of their native file systems) or
71 printable services (used by the client to access print services
72 on the host running the server).
74 Sections may be designated \fBguest\fR services,
75 in which case no password is required to access them. A specified
76 UNIX \fBguest account\fR is used to define access
77 privileges in this case.
79 Sections other than guest services will require a password
80 to access them. The client provides the username. As older clients
81 only provide passwords and not usernames, you may specify a list
82 of usernames to check against the password using the "user ="
83 option in the share definition. For modern clients such as
84 Windows 95/98/ME/NT/2000, this should not be necessary.
86 Note that the access rights granted by the server are
87 masked by the access rights granted to the specified or guest
88 UNIX user by the host system. The server does not grant more
89 access than the host system grants.
91 The following sample section defines a file space share.
92 The user has write access to the path \fI/home/bar\fR.
93 The share is accessed via the share name "foo":
103 The following sample section defines a printable share.
104 The share is readonly, but printable. That is, the only write
105 access permitted is via calls to open, write to and close a
106 spool file. The \fBguest ok\fR parameter means
107 access will be permitted as the default guest user (specified
112 path = /usr/spool/public
119 .SH "SPECIAL SECTIONS"
120 .SS "THE [GLOBAL] SECTION"
122 parameters in this section apply to the server
123 as a whole, or are defaults for sections which do not
124 specifically define certain items. See the notes
125 under PARAMETERS for more information.
126 .SS "THE [HOMES] SECTION"
128 If a section called homes is included in the
129 configuration file, services connecting clients to their
130 home directories can be created on the fly by the server.
132 When the connection request is made, the existing
133 sections are scanned. If a match is found, it is used. If no
134 match is found, the requested section name is treated as a
135 user name and looked up in the local password file. If the
136 name exists and the correct password has been given, a share is
137 created by cloning the [homes] section.
139 Some modifications are then made to the newly
143 The share name is changed from homes to
144 the located username.
147 If no path was given, the path is set to
148 the user's home directory.
150 If you decide to use a \fBpath =\fR line
151 in your [homes] section then you may find it useful
152 to use the %S macro. For example :
154 \fBpath = /data/pchome/%S\fR
156 would be useful if you have different home directories
157 for your PCs than for UNIX access.
159 This is a fast and simple way to give a large number
160 of clients access to their home directories with a minimum
163 A similar process occurs if the requested section
164 name is "homes", except that the share name is not
165 changed to that of the requesting user. This method of using
166 the [homes] section works well if different users share
169 The [homes] section can specify all the parameters
170 a normal service section can specify, though some make more sense
171 than others. The following is a typical and suitable [homes]
181 An important point is that if guest access is specified
182 in the [homes] section, all home directories will be
183 visible to all clients \fBwithout a password\fR.
184 In the very unlikely event that this is actually desirable, it
185 would be wise to also specify \fBread only
188 Note that the \fBbrowseable\fR flag for
189 auto home directories will be inherited from the global browseable
190 flag, not the [homes] browseable flag. This is useful as
191 it means setting \fBbrowseable = no\fR in
192 the [homes] section will hide the [homes] share but make
193 any auto home directories visible.
194 .SS "THE [PRINTERS] SECTION"
196 This section works like [homes],
199 If a [printers] section occurs in the
200 configuration file, users are able to connect to any printer
201 specified in the local host's printcap file.
203 When a connection request is made, the existing sections
204 are scanned. If a match is found, it is used. If no match is found,
205 but a [homes] section exists, it is used as described
206 above. Otherwise, the requested section name is treated as a
207 printer name and the appropriate printcap file is scanned to see
208 if the requested section name is a valid printer share name. If
209 a match is found, a new printer share is created by cloning
210 the [printers] section.
212 A few modifications are then made to the newly created
216 The share name is set to the located printer
220 If no printer name was given, the printer name
221 is set to the located printer name
224 If the share does not permit guest access and
225 no username was given, the username is set to the located
228 Note that the [printers] service MUST be
229 printable - if you specify otherwise, the server will refuse
230 to load the configuration file.
232 Typically the path specified would be that of a
233 world-writeable spool directory with the sticky bit set on
234 it. A typical [printers] entry would look like
239 path = /usr/spool/public
245 All aliases given for a printer in the printcap file
246 are legitimate printer names as far as the server is concerned.
247 If your printing subsystem doesn't work like that, you will have
248 to set up a pseudo-printcap. This is a file consisting of one or
249 more lines like this:
252 alias|alias|alias|alias...
257 Each alias should be an acceptable printer name for
258 your printing subsystem. In the [global] section, specify
259 the new file as your printcap. The server will then only recognize
260 names found in your pseudo-printcap, which of course can contain
261 whatever aliases you like. The same technique could be used
262 simply to limit access to a subset of your local printers.
264 An alias, by the way, is defined as any component of the
265 first entry of a printcap record. Records are separated by newlines,
266 components (if there are more than one) are separated by vertical
269 NOTE: On SYSV systems which use lpstat to determine what
270 printers are defined on the system you may be able to use
271 "printcap name = lpstat" to automatically obtain a list
272 of printers. See the "printcap name" option
276 parameters define the specific attributes of sections.
278 Some parameters are specific to the [global] section
279 (e.g., \fBsecurity\fR). Some parameters are usable
280 in all sections (e.g., \fBcreate mode\fR). All others
281 are permissible only in normal sections. For the purposes of the
282 following descriptions the [homes] and [printers]
283 sections will be considered normal. The letter \fBG\fR
284 in parentheses indicates that a parameter is specific to the
285 [global] section. The letter \fBS\fR
286 indicates that a parameter can be specified in a service specific
287 section. Note that all \fBS\fR parameters can also be specified in
288 the [global] section - in which case they will define
289 the default behavior for all services.
291 parameters are arranged here in alphabetical order - this may
292 not create best bedfellows, but at least you can find them! Where
293 there are synonyms, the preferred synonym is described, others refer
294 to the preferred synonym.
295 .SH "VARIABLE SUBSTITUTIONS"
297 Many of the strings that are settable in the config file
298 can take substitutions. For example the option "path =
299 /tmp/%u" would be interpreted as "path =
300 /tmp/john" if the user connected with the username john.
302 These substitutions are mostly noted in the descriptions below,
303 but there are some general substitutions which apply whenever they
304 might be relevant. These are:
307 session user name (the user name that the client
308 wanted, not necessarily the same as the one they got).
311 primary group name of %U.
314 the Internet hostname that Samba is running
318 the NetBIOS name of the client machine
322 the NetBIOS name of the server. This allows you
323 to change your config based on what the client calls you. Your
324 server can have a "dual personality".
326 Note that this parameter is not available when Samba listens
327 on port 445, as clients no longer send this information
330 the Internet name of the client machine.
333 the selected protocol level after
334 protocol negotiation. It can be one of CORE, COREPLUS,
335 LANMAN1, LANMAN2 or NT1.
338 The process id of the current server
342 the architecture of the remote
343 machine. Only some are recognized, and those may not be
344 100% reliable. It currently recognizes Samba, WfWg, Win95,
345 WinNT and Win2k. Anything else will be known as
346 "UNKNOWN". If it gets it wrong then sending a level
347 3 log to samba@samba.org
348 <URL:mailto:samba@samba.org> should allow it to be fixed.
351 The IP address of the client machine.
354 the current date and time.
357 Name of the domain or workgroup of the current user.
359 \fB%$(\fIenvvar\fB)\fR
360 The value of the environment variable
363 The following substitutes apply only to some configuration options(only those
364 that are used when a connection has been established):
367 the name of the current service, if any.
370 the root directory of the current service,
374 user name of the current service, if any.
377 primary group name of %u.
380 the home directory of the user given
384 the name of your NIS home directory server.
385 This is obtained from your NIS auto.map entry. If you have
386 not compiled Samba with the \fB--with-automount\fR
387 option then this value will be the same as %L.
390 the path of the service's home directory,
391 obtained from your NIS auto.map entry. The NIS auto.map entry
392 is split up as "%N:%p".
394 There are some quite creative things that can be done
395 with these substitutions and other smb.conf options.
398 Samba supports "name mangling" so that DOS and
399 Windows clients can use files that don't conform to the 8.3 format.
400 It can also be set to adjust the case of 8.3 format filenames.
402 There are several options that control the way mangling is
403 performed, and they are grouped here rather than listed separately.
404 For the defaults look at the output of the testparm program.
406 All of these options can be set separately for each service
407 (or globally, of course).
411 \fBmangle case = yes/no\fR
412 controls if names that have characters that
413 aren't of the "default" case are mangled. For example,
414 if this is yes then a name like "Mail" would be mangled.
417 \fBcase sensitive = yes/no\fR
418 controls whether filenames are case sensitive. If
419 they aren't then Samba must do a filename search and match on passed
420 names. Default \fBno\fR.
422 \fBdefault case = upper/lower\fR
423 controls what the default case is for new
424 filenames. Default \fBlower\fR.
426 \fBpreserve case = yes/no\fR
427 controls if new files are created with the
428 case that the client passes, or if they are forced to be the
429 "default" case. Default \fByes\fR.
431 \fBshort preserve case = yes/no\fR
432 controls if new files which conform to 8.3 syntax,
433 that is all in upper case and of suitable length, are created
434 upper case, or if they are forced to be the "default"
435 case. This option can be use with "preserve case = yes"
436 to permit long filenames to retain their case, while short names
437 are lowercased. Default \fByes\fR.
439 By default, Samba 3.0 has the same semantics as a Windows
440 NT server, in that it is case insensitive but case preserving.
441 .SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
443 There are a number of ways in which a user can connect
444 to a service. The server uses the following steps in determining
445 if it will allow a connection to a specified service. If all the
446 steps fail, then the connection request is rejected. However, if one of the
447 steps succeeds, then the following steps are not checked.
449 If the service is marked "guest only = yes" and the
450 server is running with share-level security ("security = share")
451 then steps 1 to 5 are skipped.
454 If the client has passed a username/password
455 pair and that username/password pair is validated by the UNIX
456 system's password programs then the connection is made as that
457 username. Note that this includes the
458 \\\\server\\service%\fIusername\fR method of passing
462 If the client has previously registered a username
463 with the system and now supplies a correct password for that
464 username then the connection is allowed.
467 The client's NetBIOS name and any previously
468 used user names are checked against the supplied password, if
469 they match then the connection is allowed as the corresponding
473 If the client has previously validated a
474 username/password pair with the server and the client has passed
475 the validation token then that username is used.
478 If a "user = " field is given in the
479 \fIsmb.conf\fR file for the service and the client
480 has supplied a password, and that password matches (according to
481 the UNIX system's password checking) with one of the usernames
482 from the "user =" field then the connection is made as
483 the username in the "user =" line. If one
484 of the username in the "user =" list begins with a
485 \&'@' then that name expands to a list of names in
486 the group of the same name.
489 If the service is a guest service then a
490 connection is made as the username given in the "guest
491 account =" for the service, irrespective of the
493 .SH "COMPLETE LIST OF GLOBAL PARAMETERS"
495 Here is a list of all global parameters. See the section of
496 each parameter for details. Note that some are synonyms.
499 \fIabort shutdown script\fR
502 \fIadd group script\fR
505 \fIaddprinter command\fR
508 \fIadd share command\fR
511 \fIadd user script\fR
514 \fIadd user to group script\fR
517 \fIadd machine script\fR
520 \fIdelete group script\fR
526 \fIalgorithmic rid base\fR
529 \fIallow trusted domains\fR
535 \fIannounce version\fR
544 \fIbind interfaces only\fR
550 \fIchange notify timeout\fR
553 \fIchange share command\fR
562 \fIdebug hires timestamp\fR
568 \fIdebug timestamp\fR
580 \fIdefault service\fR
583 \fIdeleteprinter command\fR
586 \fIdelete share command\fR
589 \fIdelete user script\fR
592 \fIdelete user from group script\fR
598 \fIdisable netbios\fR
601 \fIdisable spoolss\fR
604 \fIdisplay charset\fR
619 \fIencrypt passwords\fR
622 \fIenhanced browsing\fR
625 \fIenumports command\fR
631 \fIhide local users\fR
634 \fIhide unreadable\fR
637 \fIhide unwriteable files\fR
640 \fIhide special files\fR
649 \fIhostname lookups\fR
667 \fIlarge readwrite\fR
682 \fIldap user suffix\fR
685 \fIldap machine suffix\fR
688 \fIldap passwd sync\fR
712 \fIlock spin count\fR
742 \fImachine password timeout\fR
766 \fImax smbd processes\fR
778 \fImessage command\fR
781 \fImin passwd length\fR
784 \fImin password length\fR
793 \fIname cache timeout\fR
796 \fIname resolve order\fR
799 \fInetbios aliases\fR
814 \fInon unix account range\fR
817 \fInt pipe support\fR
820 \fInt status support\fR
826 \fIobey pam restrictions\fR
829 \fIoplock break wait time\fR
838 \fIpam password change\fR
844 \fIparanoid server security\fR
853 \fIpasswd chat debug\fR
862 \fIpassword server\fR
865 \fIprefered master\fR
868 \fIpreferred master\fR
880 \fIprinter driver file\fR
901 \fIremote announce\fR
904 \fIremote browse sync\fR
907 \fIrestrict anonymous\fR
925 \fIshow add printer wizard\fR
928 \fIshutdown script\fR
931 \fIsmb passwd file\fR
943 \fIsource environment\fR
952 \fIstat cache size\fR
964 \fItemplate homedir\fR
979 \fItotal print jobs\fR
988 \fIunix extensions\fR
991 \fIunix password sync\fR
994 \fIupdate encrypted\fR
1006 \fIusername level\fR
1015 \fIutmp directory\fR
1018 \fIwtmp directory\fR
1021 \fIwinbind cache time\fR
1024 \fIwinbind enum users\fR
1027 \fIwinbind enum groups\fR
1033 \fIwinbind separator\fR
1039 \fIwinbind use default domain\fR
1061 .SH "COMPLETE LIST OF SERVICE PARAMETERS"
1063 Here is a list of all service parameters. See the section on
1064 each parameter for details. Note that some are synonyms.
1076 \fIblocking locks\fR
1088 \fIcase sensitive\fR
1112 \fIdefault devmode\fR
1115 \fIdelete readonly\fR
1118 \fIdelete veto files\fR
1127 \fIdirectory mask\fR
1130 \fIdirectory mode\fR
1133 \fIdirectory security mask\fR
1142 \fIdos filetime resolution\fR
1151 \fIfake directory create times\fR
1157 \fIfollow symlinks\fR
1160 \fIforce create mode\fR
1163 \fIforce directory mode\fR
1166 \fIforce directory security mode\fR
1172 \fIforce security mode\fR
1193 \fIhide dot files\fR
1211 \fIinherit permissions\fR
1217 \fIlevel2 oplocks\fR
1223 \fIlppause command\fR
1229 \fIlpresume command\fR
1253 \fImangling method\fR
1265 \fImax connections\fR
1268 \fImax print jobs\fR
1271 \fImin print space\fR
1280 \fInt acl support\fR
1289 \fIoplock contention limit\fR
1331 \fIprinter driver\fR
1334 \fIprinter driver location\fR
1346 \fIqueuepause command\fR
1349 \fIqueueresume command\fR
1364 \fIroot preexec close\fR
1376 \fIshort preserve case\fR
1379 \fIstrict allocate\fR
1382 \fIstrict locking\fR
1391 \fIuse client driver\fR
1409 \fIveto oplock files\fR
1430 \fIwrite cache size\fR
1440 .SH "EXPLANATION OF EACH PARAMETER"
1442 \fBabort shutdown script (G)\fR
1443 \fBThis parameter only exists in the HEAD cvs branch\fR
1444 This a full path name to a script called by
1446 should stop a shutdown procedure issued by the \fIshutdown script\fR.
1448 This command will be run as user.
1450 Default: \fBNone\fR.
1452 Example: \fBabort shutdown script = /sbin/shutdown -c\fR
1454 \fBaddprinter command (G)\fR
1455 With the introduction of MS-RPC based printing
1456 support for Windows NT/2000 clients in Samba 2.2, The MS Add
1457 Printer Wizard (APW) icon is now also available in the
1458 "Printers..." folder displayed a share listing. The APW
1459 allows for printers to be add remotely to a Samba or Windows
1460 NT/2000 print server.
1462 For a Samba host this means that the printer must be
1463 physically added to the underlying printing system. The \fIadd
1464 printer command\fR defines a script to be run which
1465 will perform the necessary operations for adding the printer
1466 to the print system and to add the appropriate service definition
1467 to the \fIsmb.conf\fR file in order that it can be
1468 shared by \fBsmbd(8)\fR
1471 The \fIaddprinter command\fR is
1472 automatically invoked with the following parameter (in
1492 \fIWindows 9x driver location\fR
1495 All parameters are filled in from the PRINTER_INFO_2 structure sent
1496 by the Windows NT/2000 client with one exception. The "Windows 9x
1497 driver location" parameter is included for backwards compatibility
1498 only. The remaining fields in the structure are generated from answers
1499 to the APW questions.
1501 Once the \fIaddprinter command\fR has
1502 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to determine if the share defined by the APW
1503 exists. If the sharename is still invalid, then \fBsmbd
1504 \fR will return an ACCESS_DENIED error to the client.
1506 See also \fI deleteprinter command\fR, \fIprinting\fR,
1512 Example: \fBaddprinter command = /usr/bin/addprinter
1515 \fBadd share command (G)\fR
1516 Samba 2.2.0 introduced the ability to dynamically
1517 add and delete shares via the Windows NT 4.0 Server Manager. The
1518 \fIadd share command\fR is used to define an
1519 external program or script which will add a new service definition
1520 to \fIsmb.conf\fR. In order to successfully
1521 execute the \fIadd share command\fR, \fBsmbd\fR
1522 requires that the administrator be connected using a root account (i.e.
1525 When executed, \fBsmbd\fR will automatically invoke the
1526 \fIadd share command\fR with four parameters.
1530 \fIconfigFile\fR - the location
1531 of the global \fIsmb.conf\fR file.
1534 \fIshareName\fR - the name of the new
1538 \fIpathName\fR - path to an **existing**
1542 \fIcomment\fR - comment string to associate
1546 This parameter is only used for add file shares. To add printer shares,
1547 see the \fIaddprinter
1550 See also \fIchange share
1551 command\fR, \fIdelete share
1556 Example: \fBadd share command = /usr/local/bin/addshare\fR
1558 \fBadd machine script (G)\fR
1559 This is the full pathname to a script that will
1560 be run by smbd(8) when a machine is added
1561 to it's domain using the administrator username and password method.
1563 This option is only required when using sam back-ends tied to the
1564 Unix uid method of RID calculation such as smbpasswd. This option is only
1565 available in Samba 3.0.
1567 Default: \fBadd machine script = <empty string>
1570 Example: \fBadd machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
1573 \fBads server (G)\fR
1574 If this option is specified, samba does
1575 not try to figure out what ads server to use itself, but
1576 uses the specified ads server. Either one DNS name or IP
1577 address can be used.
1579 Default: \fBads server = \fR
1581 Example: \fBads server = 192.168.1.2\fR
1583 \fBadd user script (G)\fR
1584 This is the full pathname to a script that will
1585 be run \fBAS ROOT\fR by smbd(8)
1586 under special circumstances described below.
1588 Normally, a Samba server requires that UNIX users are
1589 created for all users accessing files on this server. For sites
1590 that use Windows NT account databases as their primary user database
1591 creating these users and keeping the user list in sync with the
1592 Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users
1593 \fBON DEMAND\fR when a user accesses the Samba server.
1595 In order to use this option, smbd
1596 must \fBNOT\fR be set to \fIsecurity = share\fR
1597 and \fIadd user script\fR
1598 must be set to a full pathname for a script that will create a UNIX
1599 user given one argument of \fI%u\fR, which expands into
1600 the UNIX user name to create.
1602 When the Windows user attempts to access the Samba server,
1603 at login (session setup in the SMB protocol) time, smbd contacts the \fIpassword server\fR and
1604 attempts to authenticate the given user with the given password. If the
1605 authentication succeeds then \fBsmbd\fR
1606 attempts to find a UNIX user in the UNIX password database to map the
1607 Windows user into. If this lookup fails, and \fIadd user script
1608 \fR is set then \fBsmbd\fR will
1609 call the specified script \fBAS ROOT\fR, expanding
1610 any \fI%u\fR argument to be the user name to create.
1612 If this script successfully creates the user then \fBsmbd
1613 \fR will continue on as though the UNIX user
1614 already existed. In this way, UNIX users are dynamically created to
1615 match existing Windows NT accounts.
1617 See also \fI security\fR, \fIpassword server\fR,
1621 Default: \fBadd user script = <empty string>
1624 Example: \fBadd user script = /usr/local/samba/bin/add_user
1627 \fBadd group script (G)\fR
1628 This is the full pathname to a script that will
1629 be run \fBAS ROOT\fR by smbd(8) when a new group is
1630 requested. It will expand any
1631 \fI%g\fR to the group name passed.
1632 This script is only useful for installations using the
1633 Windows NT domain administration tools. The script is
1634 free to create a group with an arbitrary name to
1635 circumvent unix group name restrictions. In that case
1636 the script must print the numeric gid of the created
1639 \fBadmin users (S)\fR
1640 This is a list of users who will be granted
1641 administrative privileges on the share. This means that they
1642 will do all file operations as the super-user (root).
1644 You should use this option very carefully, as any user in
1645 this list will be able to do anything they like on the share,
1646 irrespective of file permissions.
1648 Default: \fBno admin users\fR
1650 Example: \fBadmin users = jason\fR
1652 \fBadd user to group script (G)\fR
1653 Full path to the script that will be called when
1654 a user is added to a group using the Windows NT domain administration
1655 tools. It will be run by smbd(8)
1656 \fBAS ROOT\fR. Any \fI%g\fR will be
1657 replaced with the group name and any \fI%u\fR will
1658 be replaced with the user name.
1660 Default: \fBadd user to group script = \fR
1662 Example: \fBadd user to group script = /usr/sbin/adduser %u %g\fR
1664 \fBallow hosts (S)\fR
1665 Synonym for \fIhosts allow\fR.
1667 \fBalgorithmic rid base (G)\fR
1668 This determines how Samba will use its
1669 algorithmic mapping from uids/gid to the RIDs needed to construct
1670 NT Security Identifiers.
1672 Setting this option to a larger value could be useful to sites
1673 transitioning from WinNT and Win2k, as existing user and
1674 group rids would otherwise clash with sytem users etc.
1676 All UIDs and GIDs must be able to be resolved into SIDs for
1677 the correct operation of ACLs on the server. As such the algorithmic
1678 mapping can't be 'turned off', but pushing it 'out of the way' should
1679 resolve the issues. Users and groups can then be assigned 'low' RIDs
1680 in arbitary-rid supporting backends.
1682 Default: \fBalgorithmic rid base = 1000\fR
1684 Example: \fBalgorithmic rid base = 100000\fR
1686 \fBallow trusted domains (G)\fR
1687 This option only takes effect when the \fIsecurity\fR option is set to
1689 If it is set to no, then attempts to connect to a resource from
1690 a domain or workgroup other than the one which smbd is running
1691 in will fail, even if that domain is trusted by the remote server
1692 doing the authentication.
1694 This is useful if you only want your Samba server to
1695 serve resources to users in the domain it is a member of. As
1696 an example, suppose that there are two domains DOMA and DOMB. DOMB
1697 is trusted by DOMA, which contains the Samba server. Under normal
1698 circumstances, a user with an account in DOMB can then access the
1699 resources of a UNIX account with the same account name on the
1700 Samba server even if they do not have an account in DOMA. This
1701 can make implementing a security boundary difficult.
1703 Default: \fBallow trusted domains = yes\fR
1705 \fBannounce as (G)\fR
1706 This specifies what type of server
1708 will announce itself as, to a network neighborhood browse
1709 list. By default this is set to Windows NT. The valid options
1710 are : "NT Server" (which can also be written as "NT"),
1711 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
1712 Windows NT Workstation, Windows 95 and Windows for Workgroups
1713 respectively. Do not change this parameter unless you have a
1714 specific need to stop Samba appearing as an NT server as this
1715 may prevent Samba servers from participating as browser servers
1718 Default: \fBannounce as = NT Server\fR
1720 Example: \fBannounce as = Win95\fR
1722 \fBannounce version (G)\fR
1723 This specifies the major and minor version numbers
1724 that nmbd will use when announcing itself as a server. The default
1725 is 4.9. Do not change this parameter unless you have a specific
1726 need to set a Samba server to be a downlevel server.
1728 Default: \fBannounce version = 4.9\fR
1730 Example: \fBannounce version = 2.0\fR
1732 \fBauto services (G)\fR
1733 This is a synonym for the \fIpreload\fR.
1735 \fBauth methods (G)\fR
1736 This option allows the administrator to chose what
1737 authentication methods \fBsmbd\fR will use when authenticating
1738 a user. This option defaults to sensible values based on \fI security\fR.
1739 Each entry in the list attempts to authenticate the user in turn, until
1740 the user authenticates. In practice only one method will ever actually
1741 be able to complete the authentication.
1743 Default: \fBauth methods = <empty string>\fR
1745 Example: \fBauth methods = guest sam ntdomain\fR
1748 This parameter lets you "turn off" a service. If
1749 \fIavailable = no\fR, then \fBALL\fR
1750 attempts to connect to the service will fail. Such failures are
1753 Default: \fBavailable = yes\fR
1755 \fBbind interfaces only (G)\fR
1756 This global parameter allows the Samba admin
1757 to limit what interfaces on a machine will serve SMB requests. It
1758 affects file service smbd(8) and
1759 name service nmbd(8) in slightly
1762 For name service it causes \fBnmbd\fR to bind
1763 to ports 137 and 138 on the interfaces listed in the interfaces parameter. \fBnmbd
1764 \fR also binds to the "all addresses" interface (0.0.0.0)
1765 on ports 137 and 138 for the purposes of reading broadcast messages.
1766 If this option is not set then \fBnmbd\fR will service
1767 name requests on all of these sockets. If \fIbind interfaces
1768 only\fR is set then \fBnmbd\fR will check the
1769 source address of any packets coming in on the broadcast sockets
1770 and discard any that don't match the broadcast addresses of the
1771 interfaces in the \fIinterfaces\fR parameter list.
1772 As unicast packets are received on the other sockets it allows
1773 \fBnmbd\fR to refuse to serve names to machines that
1774 send packets that arrive through any interfaces not listed in the
1775 \fIinterfaces\fR list. IP Source address spoofing
1776 does defeat this simple check, however, so it must not be used
1777 seriously as a security feature for \fBnmbd\fR.
1779 For file service it causes smbd(8)
1780 to bind only to the interface list given in the interfaces parameter. This restricts the networks that
1781 \fBsmbd\fR will serve to packets coming in those
1782 interfaces. Note that you should not use this parameter for machines
1783 that are serving PPP or other intermittent or non-broadcast network
1784 interfaces as it will not cope with non-permanent interfaces.
1786 If \fIbind interfaces only\fR is set then
1787 unless the network address \fB127.0.0.1\fR is added
1788 to the \fIinterfaces\fR parameter list \fBsmbpasswd(8)\fR
1789 and \fBswat(8)\fR may
1790 not work as expected due to the reasons covered below.
1792 To change a users SMB password, the \fBsmbpasswd\fR
1793 by default connects to the \fBlocalhost - 127.0.0.1\fR
1794 address as an SMB client to issue the password change request. If
1795 \fIbind interfaces only\fR is set then unless the
1796 network address \fB127.0.0.1\fR is added to the
1797 \fIinterfaces\fR parameter list then \fB smbpasswd\fR will fail to connect in it's default mode.
1798 \fBsmbpasswd\fR can be forced to use the primary IP interface
1799 of the local host by using its \fI-r remote machine\fR
1800 parameter, with \fIremote machine\fR set
1801 to the IP name of the primary interface of the local host.
1803 The \fBswat\fR status page tries to connect with
1804 \fBsmbd\fR and \fBnmbd\fR at the address
1805 \fB127.0.0.1\fR to determine if they are running.
1806 Not adding \fB127.0.0.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show
1807 "not running" even if they really are. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR
1810 Default: \fBbind interfaces only = no\fR
1812 \fBblocking locks (S)\fR
1813 This parameter controls the behavior of smbd(8) when given a request by a client
1814 to obtain a byte range lock on a region of an open file, and the
1815 request has a time limit associated with it.
1817 If this parameter is set and the lock range requested
1818 cannot be immediately satisfied, samba will internally
1819 queue the lock request, and periodically attempt to obtain
1820 the lock until the timeout period expires.
1822 If this parameter is set to no, then
1823 samba will behave as previous versions of Samba would and
1824 will fail the lock request immediately if the lock range
1827 Default: \fBblocking locks = yes\fR
1829 \fBblock size (S)\fR
1830 This parameter controls the behavior of
1831 smbd(8) when reporting disk free
1832 sizes. By default, this reports a disk block size of 1024 bytes.
1834 Changing this parameter may have some effect on the
1835 efficiency of client writes, this is not yet confirmed. This
1836 parameter was added to allow advanced administrators to change
1837 it (usually to a higher value) and test the effect it has on
1838 client write performance without re-compiling the code. As this
1839 is an experimental option it may be removed in a future release.
1841 Changing this option does not change the disk free reporting
1842 size, just the block size unit reported to the client.
1844 Default: \fBblock size = 1024\fR
1846 Example: \fBblock size = 65536\fR
1849 See the \fI browseable\fR.
1851 \fBbrowse list (G)\fR
1852 This controls whether \fBsmbd(8)\fR will serve a browse list to
1853 a client doing a \fBNetServerEnum\fR call. Normally
1854 set to yes. You should never need to change
1857 Default: \fBbrowse list = yes\fR
1859 \fBbrowseable (S)\fR
1860 This controls whether this share is seen in
1861 the list of available shares in a net view and in the browse list.
1863 Default: \fBbrowseable = yes\fR
1865 \fBcase sensitive (S)\fR
1866 See the discussion in the section NAME MANGLING.
1868 Default: \fBcase sensitive = no\fR
1870 \fBcasesignames (S)\fR
1874 \fBchange notify timeout (G)\fR
1875 This SMB allows a client to tell a server to
1876 "watch" a particular directory for any changes and only reply to
1877 the SMB request when a change has occurred. Such constant scanning of
1878 a directory is expensive under UNIX, hence an \fBsmbd(8)\fR daemon only performs such a scan
1879 on each requested directory once every \fIchange notify
1882 Default: \fBchange notify timeout = 60\fR
1884 Example: \fBchange notify timeout = 300\fR
1886 Would change the scan time to every 5 minutes.
1888 \fBchange share command (G)\fR
1889 Samba 2.2.0 introduced the ability to dynamically
1890 add and delete shares via the Windows NT 4.0 Server Manager. The
1891 \fIchange share command\fR is used to define an
1892 external program or script which will modify an existing service definition
1893 in \fIsmb.conf\fR. In order to successfully
1894 execute the \fIchange share command\fR, \fBsmbd\fR
1895 requires that the administrator be connected using a root account (i.e.
1898 When executed, \fBsmbd\fR will automatically invoke the
1899 \fIchange share command\fR with four parameters.
1903 \fIconfigFile\fR - the location
1904 of the global \fIsmb.conf\fR file.
1907 \fIshareName\fR - the name of the new
1911 \fIpathName\fR - path to an **existing**
1915 \fIcomment\fR - comment string to associate
1919 This parameter is only used modify existing file shares definitions. To modify
1920 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
1922 See also \fIadd share
1923 command\fR, \fIdelete
1928 Example: \fBchange share command = /usr/local/bin/addshare\fR
1931 This is a text field that is seen next to a share
1932 when a client does a queries the server, either via the network
1933 neighborhood or via \fBnet view\fR to list what shares
1936 If you want to set the string that is displayed next to the
1937 machine name then see the \fI server string\fR parameter.
1939 Default: \fBNo comment string\fR
1941 Example: \fBcomment = Fred's Files\fR
1943 \fBconfig file (G)\fR
1944 This allows you to override the config file
1945 to use, instead of the default (usually \fIsmb.conf\fR).
1946 There is a chicken and egg problem here as this option is set
1949 For this reason, if the name of the config file has changed
1950 when the parameters are loaded then it will reload them from
1951 the new config file.
1953 This option takes the usual substitutions, which can
1956 If the config file doesn't exist then it won't be loaded
1957 (allowing you to special case the config files of just a few
1960 Example: \fBconfig file = /usr/local/samba/lib/smb.conf.%m
1964 This parameter allows you to "clone" service
1965 entries. The specified service is simply duplicated under the
1966 current service's name. Any parameters specified in the current
1967 section will override those in the section being copied.
1969 This feature lets you set up a 'template' service and
1970 create similar services easily. Note that the service being
1971 copied must occur earlier in the configuration file than the
1972 service doing the copying.
1974 Default: \fBno value\fR
1976 Example: \fBcopy = otherservice\fR
1978 \fBcreate mask (S)\fR
1979 A synonym for this parameter is
1983 When a file is created, the necessary permissions are
1984 calculated according to the mapping from DOS modes to UNIX
1985 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
1986 with this parameter. This parameter may be thought of as a bit-wise
1987 MASK for the UNIX modes of a file. Any bit \fBnot\fR
1988 set here will be removed from the modes set on a file when it is
1991 The default value of this parameter removes the
1992 \&'group' and 'other' write and execute bits from the UNIX modes.
1994 Following this Samba will bit-wise 'OR' the UNIX mode created
1995 from this parameter with the value of the \fIforce create mode\fR
1996 parameter which is set to 000 by default.
1998 This parameter does not affect directory modes. See the
1999 parameter \fIdirectory mode
2002 See also the \fIforce
2003 create mode\fR parameter for forcing particular mode
2004 bits to be set on created files. See also the \fIdirectory mode\fR parameter for masking
2005 mode bits on created directories. See also the \fIinherit permissions\fR parameter.
2007 Note that this parameter does not apply to permissions
2008 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2009 a mask on access control lists also, they need to set the \fIsecurity mask\fR.
2011 Default: \fBcreate mask = 0744\fR
2013 Example: \fBcreate mask = 0775\fR
2015 \fBcreate mode (S)\fR
2016 This is a synonym for \fI create mask\fR.
2018 \fBcsc policy (S)\fR
2019 This stands for \fBclient-side caching
2020 policy\fR, and specifies how clients capable of offline
2021 caching will cache the files in the share. The valid values
2022 are: manual, documents, programs, disable.
2024 These values correspond to those used on Windows
2027 For example, shares containing roaming profiles can have
2028 offline caching disabled using \fBcsc policy = disable
2031 Default: \fBcsc policy = manual\fR
2033 Example: \fBcsc policy = programs\fR
2036 The value of the parameter (a decimal integer)
2037 represents the number of minutes of inactivity before a connection
2038 is considered dead, and it is disconnected. The deadtime only takes
2039 effect if the number of open files is zero.
2041 This is useful to stop a server's resources being
2042 exhausted by a large number of inactive connections.
2044 Most clients have an auto-reconnect feature when a
2045 connection is broken so in most cases this parameter should be
2046 transparent to users.
2048 Using this parameter with a timeout of a few minutes
2049 is recommended for most systems.
2051 A deadtime of zero indicates that no auto-disconnection
2052 should be performed.
2054 Default: \fBdeadtime = 0\fR
2056 Example: \fBdeadtime = 15\fR
2058 \fBdebug hires timestamp (G)\fR
2059 Sometimes the timestamps in the log messages
2060 are needed with a resolution of higher that seconds, this
2061 boolean parameter adds microsecond resolution to the timestamp
2062 message header when turned on.
2064 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2067 Default: \fBdebug hires timestamp = no\fR
2070 When using only one log file for more then one
2071 forked smbdprocess there may be hard to follow which process
2072 outputs which message. This boolean parameter is adds the process-id
2073 to the timestamp message headers in the logfile when turned on.
2075 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2078 Default: \fBdebug pid = no\fR
2080 \fBdebug timestamp (G)\fR
2081 Samba debug log messages are timestamped
2082 by default. If you are running at a high \fIdebug level\fR these timestamps
2083 can be distracting. This boolean parameter allows timestamping
2086 Default: \fBdebug timestamp = yes\fR
2089 Samba is sometimes run as root and sometime
2090 run as the connected user, this boolean parameter inserts the
2091 current euid, egid, uid and gid to the timestamp message headers
2092 in the log file if turned on.
2094 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2097 Default: \fBdebug uid = no\fR
2099 \fBdebuglevel (G)\fR
2100 Synonym for \fI log level\fR.
2103 A synonym for \fI default service\fR.
2105 \fBdefault case (S)\fR
2106 See the section on NAME MANGLING. Also note the \fIshort preserve case\fR parameter.
2108 Default: \fBdefault case = lower\fR
2110 \fBdefault devmode (S)\fR
2111 This parameter is only applicable to printable services. When smbd is serving
2112 Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
2113 server has a Device Mode which defines things such as paper size and
2114 orientation and duplex settings. The device mode can only correctly be
2115 generated by the printer driver itself (which can only be executed on a
2116 Win32 platform). Because smbd is unable to execute the driver code
2117 to generate the device mode, the default behavior is to set this field
2120 Most problems with serving printer drivers to Windows NT/2k/XP clients
2121 can be traced to a problem with the generated device mode. Certain drivers
2122 will do things such as crashing the client's Explorer.exe with a NULL devmode.
2123 However, other printer drivers can cause the client's spooler service
2124 (spoolsv.exe) to die if the devmode was not created by the driver itself
2125 (i.e. smbd generates a default devmode).
2127 This parameter should be used with care and tested with the printer
2128 driver in question. It is better to leave the device mode to NULL
2129 and let the Windows client set the correct values. Because drivers do not
2130 do this all the time, setting \fBdefault devmode = yes\fR
2131 will instruct smbd to generate a default one.
2133 For more information on Windows NT/2k printing and Device Modes,
2134 see the MSDN documentation <URL:http://msdn.microsoft.com/>.
2136 Default: \fBdefault devmode = no\fR
2138 \fBdefault service (G)\fR
2139 This parameter specifies the name of a service
2140 which will be connected to if the service actually requested cannot
2141 be found. Note that the square brackets are \fBNOT\fR
2142 given in the parameter value (see example below).
2144 There is no default value for this parameter. If this
2145 parameter is not given, attempting to connect to a nonexistent
2146 service results in an error.
2148 Typically the default service would be a \fIguest ok\fR, \fIread-only\fR service.
2150 Also note that the apparent service name will be changed
2151 to equal that of the requested service, this is very useful as it
2152 allows you to use macros like \fI%S\fR to make
2155 Note also that any "_" characters in the name of the service
2156 used in the default service will get mapped to a "/". This allows for
2164 default service = pub
2171 \fBdelete group script (G)\fR
2172 This is the full pathname to a script that will
2173 be run \fBAS ROOT\fR by smbd(8) when a group is requested to be deleted. It will expand any \fI%g\fR to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.
2175 \fBdeleteprinter command (G)\fR
2176 With the introduction of MS-RPC based printer
2177 support for Windows NT/2000 clients in Samba 2.2, it is now
2178 possible to delete printer at run time by issuing the
2179 DeletePrinter() RPC call.
2181 For a Samba host this means that the printer must be
2182 physically deleted from underlying printing system. The \fI deleteprinter command\fR defines a script to be run which
2183 will perform the necessary operations for removing the printer
2184 from the print system and from \fIsmb.conf\fR.
2186 The \fIdeleteprinter command\fR is
2187 automatically called with only one parameter: \fI "printer name"\fR.
2189 Once the \fIdeleteprinter command\fR has
2190 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to associated printer no longer exists.
2191 If the sharename is still valid, then \fBsmbd
2192 \fR will return an ACCESS_DENIED error to the client.
2194 See also \fI addprinter command\fR, \fIprinting\fR,
2200 Example: \fBdeleteprinter command = /usr/bin/removeprinter
2203 \fBdelete readonly (S)\fR
2204 This parameter allows readonly files to be deleted.
2205 This is not normal DOS semantics, but is allowed by UNIX.
2207 This option may be useful for running applications such
2208 as rcs, where UNIX file ownership prevents changing file
2209 permissions, and DOS semantics prevent deletion of a read only file.
2211 Default: \fBdelete readonly = no\fR
2213 \fBdelete share command (G)\fR
2214 Samba 2.2.0 introduced the ability to dynamically
2215 add and delete shares via the Windows NT 4.0 Server Manager. The
2216 \fIdelete share command\fR is used to define an
2217 external program or script which will remove an existing service
2218 definition from \fIsmb.conf\fR. In order to successfully
2219 execute the \fIdelete share command\fR, \fBsmbd\fR
2220 requires that the administrator be connected using a root account (i.e.
2223 When executed, \fBsmbd\fR will automatically invoke the
2224 \fIdelete share command\fR with two parameters.
2228 \fIconfigFile\fR - the location
2229 of the global \fIsmb.conf\fR file.
2232 \fIshareName\fR - the name of
2233 the existing service.
2236 This parameter is only used to remove file shares. To delete printer shares,
2237 see the \fIdeleteprinter
2240 See also \fIadd share
2241 command\fR, \fIchange
2246 Example: \fBdelete share command = /usr/local/bin/delshare\fR
2248 \fBdelete user script (G)\fR
2249 This is the full pathname to a script that will
2250 be run by \fBsmbd(8)\fR
2251 when managing user's with remote RPC (NT) tools.
2253 This script is called when a remote client removes a user
2254 from the server, normally using 'User Manager for Domains' or
2257 This script should delete the given UNIX username.
2259 Default: \fBdelete user script = <empty string>
2262 Example: \fBdelete user script = /usr/local/samba/bin/del_user
2265 \fBdelete user from group script (G)\fR
2266 Full path to the script that will be called when
2267 a user is removed from a group using the Windows NT domain administration
2268 tools. It will be run by smbd(8)
2269 \fBAS ROOT\fR. Any \fI%g\fR will be
2270 replaced with the group name and any \fI%u\fR will
2271 be replaced with the user name.
2273 Default: \fBdelete user from group script = \fR
2275 Example: \fBdelete user from group script = /usr/sbin/deluser %u %g\fR
2277 \fBdelete veto files (S)\fR
2278 This option is used when Samba is attempting to
2279 delete a directory that contains one or more vetoed directories
2280 (see the \fIveto files\fR
2281 option). If this option is set to no (the default) then if a vetoed
2282 directory contains any non-vetoed files or directories then the
2283 directory delete will fail. This is usually what you want.
2285 If this option is set to yes, then Samba
2286 will attempt to recursively delete any files and directories within
2287 the vetoed directory. This can be useful for integration with file
2288 serving systems such as NetAtalk which create meta-files within
2289 directories you might normally veto DOS/Windows users from seeing
2290 (e.g. \fI.AppleDouble\fR)
2292 Setting \fBdelete veto files = yes\fR allows these
2293 directories to be transparently deleted when the parent directory
2294 is deleted (so long as the user has permissions to do so).
2296 See also the \fIveto
2299 Default: \fBdelete veto files = no\fR
2301 \fBdeny hosts (S)\fR
2302 Synonym for \fIhosts
2305 \fBdfree command (G)\fR
2306 The \fIdfree command\fR setting should
2307 only be used on systems where a problem occurs with the internal
2308 disk space calculations. This has been known to happen with Ultrix,
2309 but may occur with other operating systems. The symptom that was
2310 seen was an error of "Abort Retry Ignore" at the end of each
2313 This setting allows the replacement of the internal routines to
2314 calculate the total disk space and amount available with an external
2315 routine. The example below gives a possible script that might fulfill
2318 The external program will be passed a single parameter indicating
2319 a directory in the filesystem being queried. This will typically consist
2320 of the string \fI./\fR. The script should return two
2321 integers in ASCII. The first should be the total disk space in blocks,
2322 and the second should be the number of available blocks. An optional
2323 third return value can give the block size in bytes. The default
2324 blocksize is 1024 bytes.
2326 Note: Your script should \fBNOT\fR be setuid or
2327 setgid and should be owned by (and writeable only by) root!
2329 Default: \fBBy default internal routines for
2330 determining the disk capacity and remaining space will be used.
2333 Example: \fBdfree command = /usr/local/samba/bin/dfree
2336 Where the script dfree (which must be made executable) could be:
2342 df $1 | tail -1 | awk '{print $2" "$4}'
2346 or perhaps (on Sys V based systems):
2352 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
2356 Note that you may have to replace the command names
2357 with full path names on some systems.
2363 \fBdirectory mask (S)\fR
2364 This parameter is the octal modes which are
2365 used when converting DOS modes to UNIX modes when creating UNIX
2368 When a directory is created, the necessary permissions are
2369 calculated according to the mapping from DOS modes to UNIX permissions,
2370 and the resulting UNIX mode is then bit-wise 'AND'ed with this
2371 parameter. This parameter may be thought of as a bit-wise MASK for
2372 the UNIX modes of a directory. Any bit \fBnot\fR set
2373 here will be removed from the modes set on a directory when it is
2376 The default value of this parameter removes the 'group'
2377 and 'other' write bits from the UNIX mode, allowing only the
2378 user who owns the directory to modify it.
2380 Following this Samba will bit-wise 'OR' the UNIX mode
2381 created from this parameter with the value of the \fIforce directory mode
2382 \fR parameter. This parameter is set to 000 by
2383 default (i.e. no extra mode bits are added).
2385 Note that this parameter does not apply to permissions
2386 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2387 a mask on access control lists also, they need to set the \fIdirectory security mask\fR.
2390 directory mode\fR parameter to cause particular mode
2391 bits to always be set on created directories.
2393 See also the \fIcreate mode
2394 \fR parameter for masking mode bits on created files,
2395 and the \fIdirectory
2396 security mask\fR parameter.
2398 Also refer to the \fI inherit permissions\fR parameter.
2400 Default: \fBdirectory mask = 0755\fR
2402 Example: \fBdirectory mask = 0775\fR
2404 \fBdirectory mode (S)\fR
2405 Synonym for \fI directory mask\fR
2407 \fBdirectory security mask (S)\fR
2408 This parameter controls what UNIX permission bits
2409 can be modified when a Windows NT client is manipulating the UNIX
2410 permission on a directory using the native NT security dialog
2413 This parameter is applied as a mask (AND'ed with) to
2414 the changed permission bits, thus preventing any bits not in
2415 this mask from being modified. Essentially, zero bits in this
2416 mask may be treated as a set of bits the user is not allowed
2419 If not set explicitly this parameter is set to 0777
2420 meaning a user is allowed to modify all the user/group/world
2421 permissions on a directory.
2423 \fBNote\fR that users who can access the
2424 Samba server through other means can easily bypass this restriction,
2425 so it is primarily useful for standalone "appliance" systems.
2426 Administrators of most normal systems will probably want to leave
2427 it as the default of 0777.
2429 See also the \fI force directory security mode\fR, \fIsecurity mask\fR,
2430 \fIforce security mode
2433 Default: \fBdirectory security mask = 0777\fR
2435 Example: \fBdirectory security mask = 0700\fR
2437 \fBdisable netbios (G)\fR
2438 Enabling this parameter will disable netbios support
2439 in Samba. Netbios is the only available form of browsing in
2440 all windows versions except for 2000 and XP.
2442 Note that clients that only support netbios won't be able to
2443 see your samba server when netbios support is disabled.
2445 Default: \fBdisable netbios = no\fR
2447 Example: \fBdisable netbios = yes\fR
2449 \fBdisable spoolss (G)\fR
2450 Enabling this parameter will disable Samba's support
2451 for the SPOOLSS set of MS-RPC's and will yield identical behavior
2452 as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
2453 Lanman style printing commands. Windows 9x/ME will be uneffected by
2454 the parameter. However, this will also disable the ability to upload
2455 printer drivers to a Samba server via the Windows NT Add Printer
2456 Wizard or by using the NT printer properties dialog window. It will
2457 also disable the capability of Windows NT/2000 clients to download
2458 print drivers from the Samba host upon demand.
2459 \fBBe very careful about enabling this parameter.\fR
2461 See also use client driver
2463 Default : \fBdisable spoolss = no\fR
2465 \fBdisplay charset (G)\fR
2466 Specifies the charset that samba will use
2467 to print messages to stdout and stderr and SWAT will use.
2468 Should generally be the same as the \fBunix charset\fR.
2470 Default: \fBdisplay charset = ASCII\fR
2472 Example: \fBdisplay charset = UTF8\fR
2475 Specifies that nmbd(8)
2476 when acting as a WINS server and finding that a NetBIOS name has not
2477 been registered, should treat the NetBIOS name word-for-word as a DNS
2478 name and do a lookup with the DNS server for that name on behalf of
2479 the name-querying client.
2481 Note that the maximum length for a NetBIOS name is 15
2482 characters, so the DNS name (or DNS alias) can likewise only be
2483 15 characters, maximum.
2485 \fBnmbd\fR spawns a second copy of itself to do the
2486 DNS name lookup requests, as doing a name lookup is a blocking
2489 See also the parameter \fI wins support\fR.
2491 Default: \fBdns proxy = yes\fR
2493 \fBdomain logons (G)\fR
2494 If set to yes, the Samba server will serve
2495 Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2
2496 has limited capability to act as a domain controller for Windows
2497 NT 4 Domains. For more details on setting up this feature see
2498 the Samba-PDC-HOWTO included in the \fIhtmldocs/\fR
2499 directory shipped with the source code.
2501 Default: \fBdomain logons = no\fR
2503 \fBdomain master (G)\fR
2504 Tell \fB nmbd(8)\fR to enable WAN-wide browse list
2505 collation. Setting this option causes \fBnmbd\fR to
2506 claim a special domain specific NetBIOS name that identifies
2507 it as a domain master browser for its given \fIworkgroup\fR. Local master browsers
2508 in the same \fIworkgroup\fR on broadcast-isolated
2509 subnets will give this \fBnmbd\fR their local browse lists,
2510 and then ask \fBsmbd(8)\fR
2511 for a complete copy of the browse list for the whole wide area
2512 network. Browser clients will then contact their local master browser,
2513 and will receive the domain-wide browse list, instead of just the list
2514 for their broadcast-isolated subnet.
2516 Note that Windows NT Primary Domain Controllers expect to be
2517 able to claim this \fIworkgroup\fR specific special
2518 NetBIOS name that identifies them as domain master browsers for
2519 that \fIworkgroup\fR by default (i.e. there is no
2520 way to prevent a Windows NT PDC from attempting to do this). This
2521 means that if this parameter is set and \fBnmbd\fR claims
2522 the special name for a \fIworkgroup\fR before a Windows
2523 NT PDC is able to do so then cross subnet browsing will behave
2524 strangely and may fail.
2526 If \fBdomain logons = yes\fR
2527 , then the default behavior is to enable the \fIdomain
2528 master\fR parameter. If \fIdomain logons\fR is
2529 not enabled (the default setting), then neither will \fIdomain
2530 master\fR be enabled by default.
2532 Default: \fBdomain master = auto\fR
2534 \fBdont descend (S)\fR
2535 There are certain directories on some systems
2536 (e.g., the \fI/proc\fR tree under Linux) that are either not
2537 of interest to clients or are infinitely deep (recursive). This
2538 parameter allows you to specify a comma-delimited list of directories
2539 that the server should always show as empty.
2541 Note that Samba can be very fussy about the exact format
2542 of the "dont descend" entries. For example you may need \fI ./proc\fR instead of just \fI/proc\fR.
2543 Experimentation is the best policy :-)
2545 Default: \fBnone (i.e., all directories are OK
2548 Example: \fBdont descend = /proc,/dev\fR
2550 \fBdos charset (G)\fR
2551 DOS SMB clients assume the server has
2552 the same charset as they do. This option specifies which
2553 charset Samba should talk to DOS clients.
2555 The default depends on which charsets you have instaled.
2556 Samba tries to use charset 850 but falls back to ASCII in
2557 case it is not available. Run testparm(1)
2558 to check the default on your system.
2560 \fBdos filemode (S)\fR
2561 The default behavior in Samba is to provide
2562 UNIX-like behavior where only the owner of a file/directory is
2563 able to change the permissions on it. However, this behavior
2564 is often confusing to DOS/Windows users. Enabling this parameter
2565 allows a user who has write access to the file (by whatever
2566 means) to modify the permissions on it. Note that a user
2567 belonging to the group owning the file will not be allowed to
2568 change permissions if the group is only granted read access.
2569 Ownership of the file/directory is not changed, only the permissions
2572 Default: \fBdos filemode = no\fR
2574 \fBdos filetime resolution (S)\fR
2575 Under the DOS and Windows FAT filesystem, the finest
2576 granularity on time resolution is two seconds. Setting this parameter
2577 for a share causes Samba to round the reported time down to the
2578 nearest two second boundary when a query call that requires one second
2579 resolution is made to \fBsmbd(8)\fR
2582 This option is mainly used as a compatibility option for Visual
2583 C++ when used against Samba shares. If oplocks are enabled on a
2584 share, Visual C++ uses two different time reading calls to check if a
2585 file has changed since it was last read. One of these calls uses a
2586 one-second granularity, the other uses a two second granularity. As
2587 the two second call rounds any odd second down, then if the file has a
2588 timestamp of an odd number of seconds then the two timestamps will not
2589 match and Visual C++ will keep reporting the file has changed. Setting
2590 this option causes the two timestamps to match, and Visual C++ is
2593 Default: \fBdos filetime resolution = no\fR
2595 \fBdos filetimes (S)\fR
2596 Under DOS and Windows, if a user can write to a
2597 file they can change the timestamp on it. Under POSIX semantics,
2598 only the owner of the file or root may change the timestamp. By
2599 default, Samba runs with POSIX semantics and refuses to change the
2600 timestamp on a file if the user \fBsmbd\fR is acting
2601 on behalf of is not the file owner. Setting this option to yes allows DOS semantics and smbd will change the file
2602 timestamp as DOS requires.
2604 Default: \fBdos filetimes = no\fR
2606 \fBencrypt passwords (G)\fR
2607 This boolean controls whether encrypted passwords
2608 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
2609 above and also Windows 98 will by default expect encrypted passwords
2610 unless a registry entry is changed. To use encrypted passwords in
2611 Samba see the file ENCRYPTION.txt in the Samba documentation
2612 directory \fIdocs/\fR shipped with the source code.
2614 In order for encrypted passwords to work correctly
2615 \fBsmbd(8)\fR must either
2616 have access to a local \fIsmbpasswd(5)
2617 \fR program for information on how to set up
2618 and maintain this file), or set the security = [server|domain|ads] parameter which
2619 causes \fBsmbd\fR to authenticate against another
2622 Default: \fBencrypt passwords = yes\fR
2624 \fBenhanced browsing (G)\fR
2625 This option enables a couple of enhancements to
2626 cross-subnet browse propagation that have been added in Samba
2627 but which are not standard in Microsoft implementations.
2629 The first enhancement to browse propagation consists of a regular
2630 wildcard query to a Samba WINS server for all Domain Master Browsers,
2631 followed by a browse synchronization with each of the returned
2632 DMBs. The second enhancement consists of a regular randomised browse
2633 synchronization with all currently known DMBs.
2635 You may wish to disable this option if you have a problem with empty
2636 workgroups not disappearing from browse lists. Due to the restrictions
2637 of the browse protocols these enhancements can cause a empty workgroup
2638 to stay around forever which can be annoying.
2640 In general you should leave this option enabled as it makes
2641 cross-subnet browse propagation much more reliable.
2643 Default: \fBenhanced browsing = yes\fR
2645 \fBenumports command (G)\fR
2646 The concept of a "port" is fairly foreign
2647 to UNIX hosts. Under Windows NT/2000 print servers, a port
2648 is associated with a port monitor and generally takes the form of
2649 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
2650 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
2651 port defined--"Samba Printer Port". Under
2652 Windows NT/2000, all printers must have a valid port name.
2653 If you wish to have a list of ports displayed (\fBsmbd
2654 \fR does not use a port name for anything) other than
2655 the default "Samba Printer Port", you
2656 can define \fIenumports command\fR to point to
2657 a program which should generate a list of ports, one per line,
2658 to standard output. This listing will then be used in response
2659 to the level 1 and 2 EnumPorts() RPC.
2661 Default: \fBno enumports command\fR
2663 Example: \fBenumports command = /usr/bin/listports
2667 This is a synonym for \fIpreexec\fR.
2669 \fBfake directory create times (S)\fR
2670 NTFS and Windows VFAT file systems keep a create
2671 time for all files and directories. This is not the same as the
2672 ctime - status change time - that Unix keeps, so Samba by default
2673 reports the earliest of the various times Unix does keep. Setting
2674 this parameter for a share causes Samba to always report midnight
2675 1-1-1980 as the create time for directories.
2677 This option is mainly used as a compatibility option for
2678 Visual C++ when used against Samba shares. Visual C++ generated
2679 makefiles have the object directory as a dependency for each object
2680 file, and a make rule to create the directory. Also, when NMAKE
2681 compares timestamps it uses the creation time when examining a
2682 directory. Thus the object directory will be created if it does not
2683 exist, but once it does exist it will always have an earlier
2684 timestamp than the object files it contains.
2686 However, Unix time semantics mean that the create time
2687 reported by Samba will be updated whenever a file is created or
2688 or deleted in the directory. NMAKE finds all object files in
2689 the object directory. The timestamp of the last one built is then
2690 compared to the timestamp of the object directory. If the
2691 directory's timestamp if newer, then all object files
2692 will be rebuilt. Enabling this option
2693 ensures directories always predate their contents and an NMAKE build
2694 will proceed as expected.
2696 Default: \fBfake directory create times = no\fR
2698 \fBfake oplocks (S)\fR
2699 Oplocks are the way that SMB clients get permission
2700 from a server to locally cache file operations. If a server grants
2701 an oplock (opportunistic lock) then the client is free to assume
2702 that it is the only one accessing the file and it will aggressively
2703 cache file data. With some oplock types the client may even cache
2704 file open/close operations. This can give enormous performance benefits.
2706 When you set \fBfake oplocks = yes\fR, \fBsmbd(8)\fR will
2707 always grant oplock requests no matter how many clients are using
2710 It is generally much better to use the real \fIoplocks\fR support rather
2711 than this parameter.
2713 If you enable this option on all read-only shares or
2714 shares that you know will only be accessed from one client at a
2715 time such as physically read-only media like CDROMs, you will see
2716 a big performance improvement on many operations. If you enable
2717 this option on shares where multiple clients may be accessing the
2718 files read-write at the same time you can get data corruption. Use
2719 this option carefully!
2721 Default: \fBfake oplocks = no\fR
2723 \fBfollow symlinks (S)\fR
2724 This parameter allows the Samba administrator
2725 to stop \fBsmbd(8)\fR
2726 from following symbolic links in a particular share. Setting this
2727 parameter to no prevents any file or directory
2728 that is a symbolic link from being followed (the user will get an
2729 error). This option is very useful to stop users from adding a
2730 symbolic link to \fI/etc/passwd\fR in their home
2731 directory for instance. However it will slow filename lookups
2734 This option is enabled (i.e. \fBsmbd\fR will
2735 follow symbolic links) by default.
2737 Default: \fBfollow symlinks = yes\fR
2739 \fBforce create mode (S)\fR
2740 This parameter specifies a set of UNIX mode bit
2741 permissions that will \fBalways\fR be set on a
2742 file created by Samba. This is done by bitwise 'OR'ing these bits onto
2743 the mode bits of a file that is being created or having its
2744 permissions changed. The default for this parameter is (in octal)
2745 000. The modes in this parameter are bitwise 'OR'ed onto the file
2746 mode after the mask set in the \fIcreate mask\fR
2747 parameter is applied.
2749 See also the parameter \fIcreate
2750 mask\fR for details on masking mode bits on files.
2752 See also the \fIinherit
2753 permissions\fR parameter.
2755 Default: \fBforce create mode = 000\fR
2757 Example: \fBforce create mode = 0755\fR
2759 would force all created files to have read and execute
2760 permissions set for 'group' and 'other' as well as the
2761 read/write/execute bits set for the 'user'.
2763 \fBforce directory mode (S)\fR
2764 This parameter specifies a set of UNIX mode bit
2765 permissions that will \fBalways\fR be set on a directory
2766 created by Samba. This is done by bitwise 'OR'ing these bits onto the
2767 mode bits of a directory that is being created. The default for this
2768 parameter is (in octal) 0000 which will not add any extra permission
2769 bits to a created directory. This operation is done after the mode
2770 mask in the parameter \fIdirectory mask\fR is
2773 See also the parameter \fI directory mask\fR for details on masking mode bits
2774 on created directories.
2776 See also the \fI inherit permissions\fR parameter.
2778 Default: \fBforce directory mode = 000\fR
2780 Example: \fBforce directory mode = 0755\fR
2782 would force all created directories to have read and execute
2783 permissions set for 'group' and 'other' as well as the
2784 read/write/execute bits set for the 'user'.
2786 \fBforce directory security mode (S)\fR
2787 This parameter controls what UNIX permission bits
2788 can be modified when a Windows NT client is manipulating the UNIX
2789 permission on a directory using the native NT security dialog box.
2791 This parameter is applied as a mask (OR'ed with) to the
2792 changed permission bits, thus forcing any bits in this mask that
2793 the user may have modified to be on. Essentially, one bits in this
2794 mask may be treated as a set of bits that, when modifying security
2795 on a directory, the user has always set to be 'on'.
2797 If not set explicitly this parameter is 000, which
2798 allows a user to modify all the user/group/world permissions on a
2799 directory without restrictions.
2801 \fBNote\fR that users who can access the
2802 Samba server through other means can easily bypass this restriction,
2803 so it is primarily useful for standalone "appliance" systems.
2804 Administrators of most normal systems will probably want to leave
2807 See also the \fI directory security mask\fR, \fIsecurity mask\fR,
2808 \fIforce security mode
2811 Default: \fBforce directory security mode = 0\fR
2813 Example: \fBforce directory security mode = 700\fR
2815 \fBforce group (S)\fR
2816 This specifies a UNIX group name that will be
2817 assigned as the default primary group for all users connecting
2818 to this service. This is useful for sharing files by ensuring
2819 that all access to files on service will use the named group for
2820 their permissions checking. Thus, by assigning permissions for this
2821 group to the files and directories within this service the Samba
2822 administrator can restrict or allow sharing of these files.
2824 In Samba 2.0.5 and above this parameter has extended
2825 functionality in the following way. If the group name listed here
2826 has a '+' character prepended to it then the current user accessing
2827 the share only has the primary group default assigned to this group
2828 if they are already assigned as a member of that group. This allows
2829 an administrator to decide that only users who are already in a
2830 particular group will create files with group ownership set to that
2831 group. This gives a finer granularity of ownership assignment. For
2832 example, the setting \fIforce group = +sys\fR means
2833 that only users who are already in group sys will have their default
2834 primary group assigned to sys when accessing this Samba share. All
2835 other users will retain their ordinary primary group.
2837 If the \fIforce user
2838 \fR parameter is also set the group specified in
2839 \fIforce group\fR will override the primary group
2840 set in \fIforce user\fR.
2845 Default: \fBno forced group\fR
2847 Example: \fBforce group = agroup\fR
2849 \fBforce security mode (S)\fR
2850 This parameter controls what UNIX permission
2851 bits can be modified when a Windows NT client is manipulating
2852 the UNIX permission on a file using the native NT security dialog
2855 This parameter is applied as a mask (OR'ed with) to the
2856 changed permission bits, thus forcing any bits in this mask that
2857 the user may have modified to be on. Essentially, one bits in this
2858 mask may be treated as a set of bits that, when modifying security
2859 on a file, the user has always set to be 'on'.
2861 If not set explicitly this parameter is set to 0,
2862 and allows a user to modify all the user/group/world permissions on a file,
2863 with no restrictions.
2865 \fBNote\fR that users who can access
2866 the Samba server through other means can easily bypass this restriction,
2867 so it is primarily useful for standalone "appliance" systems.
2868 Administrators of most normal systems will probably want to leave
2871 See also the \fI force directory security mode\fR,
2872 \fIdirectory security
2873 mask\fR, \fI security mask\fR parameters.
2875 Default: \fBforce security mode = 0\fR
2877 Example: \fBforce security mode = 700\fR
2879 \fBforce user (S)\fR
2880 This specifies a UNIX user name that will be
2881 assigned as the default user for all users connecting to this service.
2882 This is useful for sharing files. You should also use it carefully
2883 as using it incorrectly can cause security problems.
2885 This user name only gets used once a connection is established.
2886 Thus clients still need to connect as a valid user and supply a
2887 valid password. Once connected, all file operations will be performed
2888 as the "forced user", no matter what username the client connected
2889 as. This can be very useful.
2891 In Samba 2.0.5 and above this parameter also causes the
2892 primary group of the forced user to be used as the primary group
2893 for all file activity. Prior to 2.0.5 the primary group was left
2894 as the primary group of the connecting user (this was a bug).
2896 See also \fIforce group
2899 Default: \fBno forced user\fR
2901 Example: \fBforce user = auser\fR
2904 This parameter allows the administrator to
2905 configure the string that specifies the type of filesystem a share
2906 is using that is reported by \fBsmbd(8)
2907 \fR when a client queries the filesystem type
2908 for a share. The default type is NTFS for
2909 compatibility with Windows NT but this can be changed to other
2910 strings such as Samba or FAT
2913 Default: \fBfstype = NTFS\fR
2915 Example: \fBfstype = Samba\fR
2917 \fBgetwd cache (G)\fR
2918 This is a tuning option. When this is enabled a
2919 caching algorithm will be used to reduce the time taken for getwd()
2920 calls. This can have a significant impact on performance, especially
2921 when the \fIwide links\fR
2922 parameter is set to no.
2924 Default: \fBgetwd cache = yes\fR
2927 Synonym for \fIforce
2930 \fBguest account (S)\fR
2931 This is a username which will be used for access
2932 to services which are specified as \fI guest ok\fR (see below). Whatever privileges this
2933 user has will be available to any client connecting to the guest service.
2934 Typically this user will exist in the password file, but will not
2935 have a valid login. The user account "ftp" is often a good choice
2936 for this parameter. If a username is specified in a given service,
2937 the specified username overrides this one.
2939 One some systems the default guest account "nobody" may not
2940 be able to print. Use another account in this case. You should test
2941 this by trying to log in as your guest user (perhaps by using the
2942 \fBsu -\fR command) and trying to print using the
2943 system print command such as \fBlpr(1)\fR or \fB lp(1)\fR.
2945 This parameter does not accept % macros, because
2946 many parts of the system require this value to be
2947 constant for correct operation.
2949 Default: \fBspecified at compile time, usually
2952 Example: \fBguest account = ftp\fR
2955 If this parameter is yes for
2956 a service, then no password is required to connect to the service.
2957 Privileges will be those of the \fI guest account\fR.
2959 See the section below on \fI security\fR for more information about this option.
2961 Default: \fBguest ok = no\fR
2963 \fBguest only (S)\fR
2964 If this parameter is yes for
2965 a service, then only guest connections to the service are permitted.
2966 This parameter will have no effect if \fIguest ok\fR is not set for the service.
2968 See the section below on \fI security\fR for more information about this option.
2970 Default: \fBguest only = no\fR
2972 \fBhide dot files (S)\fR
2973 This is a boolean parameter that controls whether
2974 files starting with a dot appear as hidden files.
2976 Default: \fBhide dot files = yes\fR
2979 This is a list of files or directories that are not
2980 visible but are accessible. The DOS 'hidden' attribute is applied
2981 to any files or directories that match.
2983 Each entry in the list must be separated by a '/',
2984 which allows spaces to be included in the entry. '*'
2985 and '?' can be used to specify multiple files or directories
2986 as in DOS wildcards.
2988 Each entry must be a Unix path, not a DOS path and must
2989 not include the Unix directory separator '/'.
2991 Note that the case sensitivity option is applicable
2994 Setting this parameter will affect the performance of Samba,
2995 as it will be forced to check all files and directories for a match
2996 as they are scanned.
2999 dot files\fR, \fI veto files\fR and \fIcase sensitive\fR.
3001 Default: \fBno file are hidden\fR
3003 Example: \fBhide files =
3004 /.*/DesktopFolderDB/TrashFor%m/resource.frk/\fR
3006 The above example is based on files that the Macintosh
3007 SMB client (DAVE) available from
3008 Thursby <URL:http://www.thursby.com> creates for internal use, and also still hides
3009 all files beginning with a dot.
3011 \fBhide local users(G)\fR
3012 This parameter toggles the hiding of local UNIX
3013 users (root, wheel, floppy, etc) from remote clients.
3015 Default: \fBhide local users = no\fR
3017 \fBhide unreadable (G)\fR
3018 This parameter prevents clients from seeing the
3019 existance of files that cannot be read. Defaults to off.
3021 Default: \fBhide unreadable = no\fR
3023 \fBhide unwriteable files (G)\fR
3024 This parameter prevents clients from seeing
3025 the existance of files that cannot be written to. Defaults to off.
3026 Note that unwriteable directories are shown as usual.
3028 Default: \fBhide unwriteable = no\fR
3030 \fBhide special files (G)\fR
3031 This parameter prevents clients from seeing
3032 special files such as sockets, devices and fifo's in directory
3035 Default: \fBhide special files = no\fR
3037 \fBhomedir map (G)\fR
3039 \fR is yes, and \fBsmbd(8)\fR is also acting
3040 as a Win95/98 \fIlogon server\fR then this parameter
3041 specifies the NIS (or YP) map from which the server for the user's
3042 home directory should be extracted. At present, only the Sun
3043 auto.home map format is understood. The form of the map is:
3045 \fBusername server:/some/file/system\fR
3047 and the program will extract the servername from before
3048 the first ':'. There should probably be a better parsing system
3049 that copes with different map formats and also Amd (another
3052 \fBNOTE :\fRA working NIS client is required on
3053 the system for this option to work.
3055 See also \fInis homedir\fR
3056 , \fIdomain logons\fR
3059 Default: \fBhomedir map = <empty string>\fR
3061 Example: \fBhomedir map = amd.homedir\fR
3063 \fBhost msdfs (G)\fR
3064 This boolean parameter is only available
3065 if Samba has been configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
3066 Samba will act as a Dfs server, and allow Dfs-aware clients
3067 to browse Dfs trees hosted on the server.
3069 See also the \fI msdfs root\fR share level parameter. For
3070 more information on setting up a Dfs tree on Samba,
3071 refer to msdfs_setup.html
3073 Default: \fBhost msdfs = no\fR
3075 \fBhostname lookups (G)\fR
3076 Specifies whether samba should use (expensive)
3077 hostname lookups or use the ip addresses instead. An example place
3078 where hostname lookups are currently used is when checking
3079 the \fBhosts deny\fR and \fBhosts allow\fR.
3081 Default: \fBhostname lookups = yes\fR
3083 Example: \fBhostname lookups = no\fR
3085 \fBhosts allow (S)\fR
3086 A synonym for this parameter is \fIallow
3089 This parameter is a comma, space, or tab delimited
3090 set of hosts which are permitted to access a service.
3092 If specified in the [global] section then it will
3093 apply to all services, regardless of whether the individual
3094 service has a different setting.
3096 You can specify the hosts by name or IP number. For
3097 example, you could restrict access to only the hosts on a
3098 Class C subnet with something like \fBallow hosts = 150.203.5.
3099 \fR. The full syntax of the list is described in the man
3100 page \fIhosts_access(5)\fR. Note that this man
3101 page may not be present on your system, so a brief description will
3104 Note that the localhost address 127.0.0.1 will always
3105 be allowed access unless specifically denied by a \fIhosts deny\fR option.
3107 You can also specify hosts by network/netmask pairs and
3108 by netgroup names if your system supports netgroups. The
3109 \fBEXCEPT\fR keyword can also be used to limit a
3110 wildcard list. The following examples may provide some help:
3112 Example 1: allow all IPs in 150.203.*.*; except one
3114 \fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR
3116 Example 2: allow hosts that match the given network/netmask
3118 \fBhosts allow = 150.203.15.0/255.255.255.0\fR
3120 Example 3: allow a couple of hosts
3122 \fBhosts allow = lapland, arvidsjaur\fR
3124 Example 4: allow only hosts in NIS netgroup "foonet", but
3125 deny access from one particular host
3127 \fBhosts allow = @foonet\fR
3129 \fBhosts deny = pirate\fR
3131 Note that access still requires suitable user-level passwords.
3133 See \fBtestparm(1)\fR
3134 for a way of testing your host access to see if it does
3137 Default: \fBnone (i.e., all hosts permitted access)
3140 Example: \fBallow hosts = 150.203.5. myhost.mynet.edu.au
3143 \fBhosts deny (S)\fR
3144 The opposite of \fIhosts allow\fR
3145 - hosts listed here are \fBNOT\fR permitted access to
3146 services unless the specific services have their own lists to override
3147 this one. Where the lists conflict, the \fIallow\fR
3148 list takes precedence.
3150 Default: \fBnone (i.e., no hosts specifically excluded)
3153 Example: \fBhosts deny = 150.203.4. badhost.mynet.edu.au
3156 \fBhosts equiv (G)\fR
3157 If this global parameter is a non-null string,
3158 it specifies the name of a file to read for the names of hosts
3159 and users who will be allowed access without specifying a password.
3161 This is not be confused with \fIhosts allow\fR which is about hosts
3162 access to services and is more useful for guest services. \fI hosts equiv\fR may be useful for NT clients which will
3163 not supply passwords to Samba.
3165 \fBNOTE :\fR The use of \fIhosts equiv
3166 \fR can be a major security hole. This is because you are
3167 trusting the PC to supply the correct username. It is very easy to
3168 get a PC to supply a false username. I recommend that the
3169 \fIhosts equiv\fR option be only used if you really
3170 know what you are doing, or perhaps on a home network where you trust
3171 your spouse and kids. And only if you \fBreally\fR trust
3174 Default: \fBno host equivalences\fR
3176 Example: \fBhosts equiv = /etc/hosts.equiv\fR
3179 This allows you to include one config file
3180 inside another. The file is included literally, as though typed
3183 It takes the standard substitutions, except \fI%u
3184 \fR, \fI%P\fR and \fI%S\fR.
3186 Default: \fBno file included\fR
3188 Example: \fBinclude = /usr/local/samba/lib/admin_smb.conf
3191 \fBinherit acls (S)\fR
3192 This parameter can be used to ensure
3193 that if default acls exist on parent directories,
3194 they are always honored when creating a subdirectory.
3195 The default behavior is to use the mode specified
3196 when creating the directory. Enabling this option
3197 sets the mode to 0777, thus guaranteeing that
3198 default directory acls are propagated.
3200 Default: \fBinherit acls = no\fR
3202 \fBinherit permissions (S)\fR
3203 The permissions on new files and directories
3204 are normally governed by \fI create mask\fR, \fIdirectory mask\fR, \fIforce create mode\fR
3206 directory mode\fR but the boolean inherit
3207 permissions parameter overrides this.
3209 New directories inherit the mode of the parent directory,
3210 including bits such as setgid.
3212 New files inherit their read/write bits from the parent
3213 directory. Their execute bits continue to be determined by
3216 and \fImap system\fR
3219 Note that the setuid bit is \fBnever\fR set via
3220 inheritance (the code explicitly prohibits this).
3222 This can be particularly useful on large systems with
3223 many users, perhaps several thousand, to allow a single [homes]
3224 share to be used flexibly by each user.
3226 See also \fIcreate mask
3227 \fR, \fI directory mask\fR, \fIforce create mode\fR and \fIforce directory mode\fR
3230 Default: \fBinherit permissions = no\fR
3232 \fBinterfaces (G)\fR
3233 This option allows you to override the default
3234 network interfaces list that Samba will use for browsing, name
3235 registration and other NBT traffic. By default Samba will query
3236 the kernel for the list of all active interfaces and use any
3237 interfaces except 127.0.0.1 that are broadcast capable.
3239 The option takes a list of interface strings. Each string
3240 can be in any of the following forms:
3244 a network interface name (such as eth0).
3245 This may include shell-like wildcards so eth* will match
3246 any interface starting with the substring "eth"
3249 an IP address. In this case the netmask is
3250 determined from the list of interfaces obtained from the
3257 a broadcast/mask pair.
3260 The "mask" parameters can either be a bit length (such
3261 as 24 for a C class network) or a full netmask in dotted
3264 The "IP" parameters above can either be a full dotted
3265 decimal IP address or a hostname which will be looked up via
3266 the OS's normal hostname resolution mechanisms.
3268 For example, the following line:
3270 \fBinterfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
3273 would configure three network interfaces corresponding
3274 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
3275 The netmasks of the latter two interfaces would be set to 255.255.255.0.
3280 Default: \fBall active interfaces except 127.0.0.1
3281 that are broadcast capable\fR
3283 \fBinvalid users (S)\fR
3284 This is a list of users that should not be allowed
3285 to login to this service. This is really a \fBparanoid\fR
3286 check to absolutely ensure an improper setting does not breach
3289 A name starting with a '@' is interpreted as an NIS
3290 netgroup first (if your system supports NIS), and then as a UNIX
3291 group if the name was not found in the NIS netgroup database.
3293 A name starting with '+' is interpreted only
3294 by looking in the UNIX group database. A name starting with
3295 \&'&' is interpreted only by looking in the NIS netgroup database
3296 (this requires NIS to be working on your system). The characters
3297 \&'+' and '&' may be used at the start of the name in either order
3298 so the value \fI+&group\fR means check the
3299 UNIX group database, followed by the NIS netgroup database, and
3300 the value \fI&+group\fR means check the NIS
3301 netgroup database, followed by the UNIX group database (the
3302 same as the '@' prefix).
3304 The current servicename is substituted for \fI%S\fR.
3305 This is useful in the [homes] section.
3307 See also \fIvalid users
3310 Default: \fBno invalid users\fR
3312 Example: \fBinvalid users = root fred admin @wheel
3316 The value of the parameter (an integer) represents
3317 the number of seconds between \fIkeepalive\fR
3318 packets. If this parameter is zero, no keepalive packets will be
3319 sent. Keepalive packets, if sent, allow the server to tell whether
3320 a client is still present and responding.
3322 Keepalives should, in general, not be needed if the socket
3323 being used has the SO_KEEPALIVE attribute set on it (see \fIsocket options\fR).
3324 Basically you should only use this option if you strike difficulties.
3326 Default: \fBkeepalive = 300\fR
3328 Example: \fBkeepalive = 600\fR
3330 \fBkernel oplocks (G)\fR
3331 For UNIXes that support kernel based \fIoplocks\fR
3332 (currently only IRIX and the Linux 2.4 kernel), this parameter
3333 allows the use of them to be turned on or off.
3335 Kernel oplocks support allows Samba \fIoplocks
3336 \fR to be broken whenever a local UNIX process or NFS operation
3337 accesses a file that \fBsmbd(8)\fR
3338 has oplocked. This allows complete data consistency between
3339 SMB/CIFS, NFS and local file access (and is a \fBvery\fR
3342 This parameter defaults to on, but is translated
3343 to a no-op on systems that no not have the necessary kernel support.
3344 You should never need to touch this parameter.
3346 See also the \fIoplocks\fR
3347 and \fIlevel2 oplocks
3350 Default: \fBkernel oplocks = yes\fR
3352 \fBlanman auth (G)\fR
3353 This parameter determines whether or not smbd will
3354 attempt to authenticate users using the LANMAN password hash.
3355 If disabled, only clients which support NT password hashes (e.g. Windows
3356 NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
3357 network client) will be able to connect to the Samba host.
3359 Default : \fBlanman auth = yes\fR
3361 \fBlarge readwrite (G)\fR
3362 This parameter determines whether or not smbd
3363 supports the new 64k streaming read and write varient SMB requests introduced
3364 with Windows 2000. Note that due to Windows 2000 client redirector bugs
3365 this requires Samba to be running on a 64-bit capable operating system such
3366 as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with
3367 Windows 2000 clients. Defaults to on. Not as tested as some other Samba
3370 Default : \fBlarge readwrite = yes\fR
3372 \fBldap admin dn (G)\fR
3373 The \fIldap admin dn\fR defines the Distinguished
3374 Name (DN) name used by Samba to contact the ldap server when retreiving
3375 user account information. The \fIldap
3376 admin dn\fR is used in conjunction with the admin dn password
3377 stored in the \fIprivate/secrets.tdb\fR file. See the
3378 \fBsmbpasswd(8)\fR man
3379 page for more information on how to accmplish this.
3381 Default : \fBnone\fR
3383 \fBldap filter (G)\fR
3384 This parameter specifies the RFC 2254 compliant LDAP search filter.
3385 The default is to match the login name with the uid
3386 attribute for all entries matching the sambaAccount
3387 objectclass. Note that this filter should only return one entry.
3389 Default : \fBldap filter = (&(uid=%u)(objectclass=sambaAccount))\fR
3392 This option is used to define whether or not Samba should
3393 use SSL when connecting to the ldap server
3394 This is \fBNOT\fR related to
3395 Samba's previous SSL support which was enabled by specifying the
3396 \fB--with-ssl\fR option to the \fIconfigure\fR
3399 The \fIldap ssl\fR can be set to one of three values:
3403 \fIOff\fR = Never use SSL when querying the directory.
3406 \fIStart_tls\fR = Use the LDAPv3 StartTLS extended operation
3407 (RFC2830) for communicating with the directory server.
3411 Use SSL on the ldaps port when contacting the
3412 \fIldap server\fR. Only
3413 available when the backwards-compatiblity \fB --with-ldapsam\fR option is specified
3414 to configure. See \fIpassdb backend\fR
3417 Default : \fBldap ssl = start_tls\fR
3419 \fBldap suffix (G)\fR
3420 Specifies where user and machine accounts are added to the tree. Can be overriden by \fBldap user suffix\fR and \fBldap machine suffix\fR. It also used as the base dn for all ldap searches.
3422 Default : \fBnone\fR
3424 \fBldap user suffix (G)\fR
3425 It specifies where users are added to the tree.
3427 Default : \fBnone\fR
3429 \fBldap machine suffix (G)\fR
3430 It specifies where machines should be
3431 added to the ldap tree.
3433 Default : \fBnone\fR
3435 \fBldap passwd sync (G)\fR
3436 This option is used to define whether
3437 or not Samba should sync the LDAP password with the NT
3438 and LM hashes for normal accounts (NOT for
3439 workstation, server or domain trusts) on a password
3442 The \fIldap passwd sync\fR can be set to one of three values:
3446 \fIYes\fR = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.
3449 \fINo\fR = Update NT and LM passwords and update the pwdLastSet time.
3452 \fIOnly\fR = Only update the LDAP password and let the LDAP server do the rest.
3455 Default : \fBldap passwd sync = no\fR
3457 \fBldap trust ids (G)\fR
3458 Normally, Samba validates each entry
3459 in the LDAP server against getpwnam(). This allows
3460 LDAP to be used for Samba with the unix system using
3461 NIS (for example) and also ensures that Samba does not
3462 present accounts that do not otherwise exist.
3464 This option is used to disable this functionality, and
3465 instead to rely on the presence of the appropriate
3466 attributes in LDAP directly, which can result in a
3467 significant performance boost in some situations.
3468 Setting this option to yes effectivly assumes
3469 that the local machine is running \fBnss_ldap\fR against the
3472 Default: \fBldap trust ids = No\fR
3474 \fBlevel2 oplocks (S)\fR
3475 This parameter controls whether Samba supports
3476 level2 (read-only) oplocks on a share.
3478 Level2, or read-only oplocks allow Windows NT clients
3479 that have an oplock on a file to downgrade from a read-write oplock
3480 to a read-only oplock once a second client opens the file (instead
3481 of releasing all oplocks on a second open, as in traditional,
3482 exclusive oplocks). This allows all openers of the file that
3483 support level2 oplocks to cache the file for read-ahead only (ie.
3484 they may not cache writes or lock requests) and increases performance
3485 for many accesses of files that are not commonly written (such as
3486 application .EXE files).
3488 Once one of the clients which have a read-only oplock
3489 writes to the file all clients are notified (no reply is needed
3490 or waited for) and told to break their oplocks to "none" and
3491 delete any read-ahead caches.
3493 It is recommended that this parameter be turned on
3494 to speed access to shared executables.
3496 For more discussions on level2 oplocks see the CIFS spec.
3498 Currently, if \fIkernel
3499 oplocks\fR are supported then level2 oplocks are
3500 not granted (even if this parameter is set to yes).
3501 Note also, the \fIoplocks\fR
3502 parameter must be set to yes on this share in order for
3503 this parameter to have any effect.
3505 See also the \fIoplocks\fR
3506 and \fIkernel oplocks\fR
3509 Default: \fBlevel2 oplocks = yes\fR
3511 \fBlm announce (G)\fR
3512 This parameter determines if \fBnmbd(8)\fR will produce Lanman announce
3513 broadcasts that are needed by OS/2 clients in order for them to see
3514 the Samba server in their browse list. This parameter can have three
3516 auto. The default is auto.
3517 If set to no Samba will never produce these
3518 broadcasts. If set to yes Samba will produce
3519 Lanman announce broadcasts at a frequency set by the parameter
3520 \fIlm interval\fR. If set to auto
3521 Samba will not send Lanman announce broadcasts by default but will
3522 listen for them. If it hears such a broadcast on the wire it will
3523 then start sending them at a frequency set by the parameter
3526 See also \fIlm interval
3529 Default: \fBlm announce = auto\fR
3531 Example: \fBlm announce = yes\fR
3533 \fBlm interval (G)\fR
3534 If Samba is set to produce Lanman announce
3535 broadcasts needed by OS/2 clients (see the \fIlm announce\fR parameter) then this
3536 parameter defines the frequency in seconds with which they will be
3537 made. If this is set to zero then no Lanman announcements will be
3538 made despite the setting of the \fIlm announce\fR
3544 Default: \fBlm interval = 60\fR
3546 Example: \fBlm interval = 120\fR
3548 \fBload printers (G)\fR
3549 A boolean variable that controls whether all
3550 printers in the printcap will be loaded for browsing by default.
3551 See the printers section for
3554 Default: \fBload printers = yes\fR
3556 \fBlocal master (G)\fR
3557 This option allows \fB nmbd(8)\fR to try and become a local master browser
3558 on a subnet. If set to no then \fB nmbd\fR will not attempt to become a local master browser
3559 on a subnet and will also lose in all browsing elections. By
3560 default this value is set to yes. Setting this value to yes doesn't
3561 mean that Samba will \fBbecome\fR the local master
3562 browser on a subnet, just that \fBnmbd\fR will \fB participate\fR in elections for local master browser.
3564 Setting this value to no will cause \fBnmbd\fR
3565 \fBnever\fR to become a local master browser.
3567 Default: \fBlocal master = yes\fR
3570 Synonym for \fI lock directory\fR.
3572 \fBlock directory (G)\fR
3573 This option specifies the directory where lock
3574 files will be placed. The lock files are used to implement the
3575 \fImax connections\fR
3578 Default: \fBlock directory = ${prefix}/var/locks\fR
3580 Example: \fBlock directory = /var/run/samba/locks\fR
3582 \fBlock spin count (G)\fR
3583 This parameter controls the number of times
3584 that smbd should attempt to gain a byte range lock on the
3585 behalf of a client request. Experiments have shown that
3586 Windows 2k servers do not reply with a failure if the lock
3587 could not be immediately granted, but try a few more times
3588 in case the lock could later be aquired. This behavior
3589 is used to support PC database formats such as MS Access
3592 Default: \fBlock spin count = 2\fR
3594 \fBlock spin time (G)\fR
3595 The time in microseconds that smbd should
3596 pause before attempting to gain a failed lock. See
3598 count\fR for more details.
3600 Default: \fBlock spin time = 10\fR
3603 This controls whether or not locking will be
3604 performed by the server in response to lock requests from the
3607 If \fBlocking = no\fR, all lock and unlock
3608 requests will appear to succeed and all lock queries will report
3609 that the file in question is available for locking.
3611 If \fBlocking = yes\fR, real locking will be performed
3614 This option \fBmay\fR be useful for read-only
3615 filesystems which \fBmay\fR not need locking (such as
3616 CDROM drives), although setting this parameter of no
3617 is not really recommended even in this case.
3619 Be careful about disabling locking either globally or in a
3620 specific service, as lack of locking may result in data corruption.
3621 You should never need to set this parameter.
3623 Default: \fBlocking = yes\fR
3626 This option allows you to override the name
3627 of the Samba log file (also known as the debug file).
3629 This option takes the standard substitutions, allowing
3630 you to have separate log files for each user or machine.
3632 Example: \fBlog file = /usr/local/samba/var/log.%m
3636 The value of the parameter (a astring) allows
3637 the debug level (logging level) to be specified in the
3638 \fIsmb.conf\fR file. This parameter has been
3639 extended since the 2.2.x series, now it allow to specify the debug
3640 level for multiple debug classes. This is to give greater
3641 flexibility in the configuration of the system.
3643 The default will be the log level specified on
3644 the command line or level zero if none was specified.
3646 Example: \fBlog level = 3 passdb:5 auth:10 winbind:2
3649 \fBlogon drive (G)\fR
3650 This parameter specifies the local path to
3651 which the home directory will be connected (see \fIlogon home\fR)
3652 and is only used by NT Workstations.
3654 Note that this option is only useful if Samba is set up as a
3657 Default: \fBlogon drive = z:\fR
3659 Example: \fBlogon drive = h:\fR
3661 \fBlogon home (G)\fR
3662 This parameter specifies the home directory
3663 location when a Win95/98 or NT Workstation logs into a Samba PDC.
3666 C:\\> \fBNET USE H: /HOME\fR
3668 from a command prompt, for example.
3670 This option takes the standard substitutions, allowing
3671 you to have separate logon scripts for each user or machine.
3673 This parameter can be used with Win9X workstations to ensure
3674 that roaming profiles are stored in a subdirectory of the user's
3675 home directory. This is done in the following way:
3677 \fBlogon home = \\\\%N\\%U\\profile\fR
3679 This tells Samba to return the above string, with
3680 substitutions made when a client requests the info, generally
3681 in a NetUserGetInfo request. Win9X clients truncate the info to
3682 \\\\server\\share when a user does \fBnet use /home\fR
3683 but use the whole string when dealing with profiles.
3685 Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than
3686 \fIlogon home\fR. This broke \fBnet use
3687 /home\fR but allowed profiles outside the home directory.
3688 The current implementation is correct, and can be used for
3689 profiles if you use the above trick.
3691 This option is only useful if Samba is set up as a logon
3694 Default: \fBlogon home = "\\\\%N\\%U"\fR
3696 Example: \fBlogon home = "\\\\remote_smb_server\\%U"\fR
3698 \fBlogon path (G)\fR
3699 This parameter specifies the home directory
3700 where roaming profiles (NTuser.dat etc files for Windows NT) are
3701 stored. Contrary to previous versions of these manual pages, it has
3702 nothing to do with Win 9X roaming profiles. To find out how to
3703 handle roaming profiles for Win 9X system, see the \fIlogon home\fR parameter.
3705 This option takes the standard substitutions, allowing you
3706 to have separate logon scripts for each user or machine. It also
3707 specifies the directory from which the "Application Data",
3708 (\fIdesktop\fR, \fIstart menu\fR,
3709 \fInetwork neighborhood\fR, \fIprograms\fR
3710 and other folders, and their contents, are loaded and displayed on
3711 your Windows NT client.
3713 The share and the path must be readable by the user for
3714 the preferences and directories to be loaded onto the Windows NT
3715 client. The share must be writeable when the user logs in for the first
3716 time, in order that the Windows NT client can create the NTuser.dat
3717 and other directories.
3719 Thereafter, the directories and any of the contents can,
3720 if required, be made read-only. It is not advisable that the
3721 NTuser.dat file be made read-only - rename it to NTuser.man to
3722 achieve the desired effect (a \fBMAN\fRdatory
3725 Windows clients can sometimes maintain a connection to
3726 the [homes] share, even though there is no user logged in.
3727 Therefore, it is vital that the logon path does not include a
3728 reference to the homes share (i.e. setting this parameter to
3729 \\%N\\%U\\profile_path will cause problems).
3731 This option takes the standard substitutions, allowing
3732 you to have separate logon scripts for each user or machine.
3734 Note that this option is only useful if Samba is set up
3737 Default: \fBlogon path = \\\\%N\\%U\\profile\fR
3739 Example: \fBlogon path = \\\\PROFILESERVER\\PROFILE\\%U\fR
3741 \fBlogon script (G)\fR
3742 This parameter specifies the batch file (.bat) or
3743 NT command file (.cmd) to be downloaded and run on a machine when
3744 a user successfully logs in. The file must contain the DOS
3745 style CR/LF line endings. Using a DOS-style editor to create the
3746 file is recommended.
3748 The script must be a relative path to the [netlogon]
3749 service. If the [netlogon] service specifies a \fIpath\fR of \fI/usr/local/samba/netlogon
3750 \fR, and \fBlogon script = STARTUP.BAT\fR, then
3751 the file that will be downloaded is:
3753 \fI/usr/local/samba/netlogon/STARTUP.BAT\fR
3755 The contents of the batch file are entirely your choice. A
3756 suggested command would be to add \fBNET TIME \\\\SERVER /SET
3757 /YES\fR, to force every machine to synchronize clocks with
3758 the same time server. Another use would be to add \fBNET USE
3759 U: \\\\SERVER\\UTILS\fR for commonly used utilities, or \fB NET USE Q: \\\\SERVER\\ISO9001_QA\fR for example.
3761 Note that it is particularly important not to allow write
3762 access to the [netlogon] share, or to grant users write permission
3763 on the batch files in a secure environment, as this would allow
3764 the batch files to be arbitrarily modified and security to be
3767 This option takes the standard substitutions, allowing you
3768 to have separate logon scripts for each user or machine.
3770 This option is only useful if Samba is set up as a logon
3773 Default: \fBno logon script defined\fR
3775 Example: \fBlogon script = scripts\\%U.bat\fR
3777 \fBlppause command (S)\fR
3778 This parameter specifies the command to be
3779 executed on the server host in order to stop printing or spooling
3780 a specific print job.
3782 This command should be a program or script which takes
3783 a printer name and job number to pause the print job. One way
3784 of implementing this is by using job priorities, where jobs
3785 having a too low priority won't be sent to the printer.
3787 If a \fI%p\fR is given then the printer name
3788 is put in its place. A \fI%j\fR is replaced with
3789 the job number (an integer). On HPUX (see \fIprinting=hpux
3790 \fR), if the \fI-p%p\fR option is added
3791 to the lpq command, the job will show up with the correct status, i.e.
3792 if the job priority is lower than the set fence priority it will
3793 have the PAUSED status, whereas if the priority is equal or higher it
3794 will have the SPOOLED or PRINTING status.
3796 Note that it is good practice to include the absolute path
3797 in the lppause command as the PATH may not be available to the server.
3799 See also the \fIprinting
3802 Default: Currently no default value is given to
3803 this string, unless the value of the \fIprinting\fR
3804 parameter is SYSV, in which case the default is :
3806 \fBlp -i %p-%j -H hold\fR
3808 or if the value of the \fIprinting\fR parameter
3809 is SOFTQ, then the default is:
3811 \fBqstat -s -j%j -h\fR
3813 Example for HPUX: \fBlppause command = /usr/bin/lpalt
3816 \fBlpq cache time (G)\fR
3817 This controls how long lpq info will be cached
3818 for to prevent the \fBlpq\fR command being called too
3819 often. A separate cache is kept for each variation of the \fB lpq\fR command used by the system, so if you use different
3820 \fBlpq\fR commands for different users then they won't
3821 share cache information.
3823 The cache files are stored in \fI/tmp/lpq.xxxx\fR
3824 where xxxx is a hash of the \fBlpq\fR command in use.
3826 The default is 10 seconds, meaning that the cached results
3827 of a previous identical \fBlpq\fR command will be used
3828 if the cached data is less than 10 seconds old. A large value may
3829 be advisable if your \fBlpq\fR command is very slow.
3831 A value of 0 will disable caching completely.
3833 See also the \fIprinting
3836 Default: \fBlpq cache time = 10\fR
3838 Example: \fBlpq cache time = 30\fR
3840 \fBlpq command (S)\fR
3841 This parameter specifies the command to be
3842 executed on the server host in order to obtain \fBlpq
3843 \fR-style printer status information.
3845 This command should be a program or script which
3846 takes a printer name as its only parameter and outputs printer
3849 Currently nine styles of printer status information
3850 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
3851 This covers most UNIX systems. You control which type is expected
3852 using the \fIprinting =\fR option.
3854 Some clients (notably Windows for Workgroups) may not
3855 correctly send the connection number for the printer they are
3856 requesting status information about. To get around this, the
3857 server reports on the first printer service connected to by the
3858 client. This only happens if the connection number sent is invalid.
3860 If a \fI%p\fR is given then the printer name
3861 is put in its place. Otherwise it is placed at the end of the
3864 Note that it is good practice to include the absolute path
3865 in the \fIlpq command\fR as the \fB$PATH
3866 \fR may not be available to the server. When compiled with
3867 the CUPS libraries, no \fIlpq command\fR is
3868 needed because smbd will make a library call to obtain the
3869 print queue listing.
3871 See also the \fIprinting
3874 Default: \fBdepends on the setting of \fI printing\fB\fR
3876 Example: \fBlpq command = /usr/bin/lpq -P%p\fR
3878 \fBlpresume command (S)\fR
3879 This parameter specifies the command to be
3880 executed on the server host in order to restart or continue
3881 printing or spooling a specific print job.
3883 This command should be a program or script which takes
3884 a printer name and job number to resume the print job. See
3885 also the \fIlppause command
3888 If a \fI%p\fR is given then the printer name
3889 is put in its place. A \fI%j\fR is replaced with
3890 the job number (an integer).
3892 Note that it is good practice to include the absolute path
3893 in the \fIlpresume command\fR as the PATH may not
3894 be available to the server.
3896 See also the \fIprinting
3899 Default: Currently no default value is given
3900 to this string, unless the value of the \fIprinting\fR
3901 parameter is SYSV, in which case the default is :
3903 \fBlp -i %p-%j -H resume\fR
3905 or if the value of the \fIprinting\fR parameter
3906 is SOFTQ, then the default is:
3908 \fBqstat -s -j%j -r\fR
3910 Example for HPUX: \fBlpresume command = /usr/bin/lpalt
3913 \fBlprm command (S)\fR
3914 This parameter specifies the command to be
3915 executed on the server host in order to delete a print job.
3917 This command should be a program or script which takes
3918 a printer name and job number, and deletes the print job.
3920 If a \fI%p\fR is given then the printer name
3921 is put in its place. A \fI%j\fR is replaced with
3922 the job number (an integer).
3924 Note that it is good practice to include the absolute
3925 path in the \fIlprm command\fR as the PATH may not be
3926 available to the server.
3928 See also the \fIprinting
3931 Default: \fBdepends on the setting of \fIprinting
3934 Example 1: \fBlprm command = /usr/bin/lprm -P%p %j
3937 Example 2: \fBlprm command = /usr/bin/cancel %p-%j
3940 \fBmachine password timeout (G)\fR
3941 If a Samba server is a member of a Windows
3942 NT Domain (see the security = domain)
3943 parameter) then periodically a running smbd(8) process will try and change the MACHINE ACCOUNT
3944 PASSWORD stored in the TDB called \fIprivate/secrets.tdb
3945 \fR. This parameter specifies how often this password
3946 will be changed, in seconds. The default is one week (expressed in
3947 seconds), the same as a Windows NT Domain member server.
3949 See also \fBsmbpasswd(8)
3950 \fR and the security = domain) parameter.
3952 Default: \fBmachine password timeout = 604800\fR
3954 \fBmagic output (S)\fR
3955 This parameter specifies the name of a file
3956 which will contain output created by a magic script (see the
3960 Warning: If two clients use the same \fImagic script
3961 \fR in the same directory the output file content
3964 Default: \fBmagic output = <magic script name>.out
3967 Example: \fBmagic output = myfile.txt\fR
3969 \fBmagic script (S)\fR
3970 This parameter specifies the name of a file which,
3971 if opened, will be executed by the server when the file is closed.
3972 This allows a UNIX script to be sent to the Samba host and
3973 executed on behalf of the connected user.
3975 Scripts executed in this way will be deleted upon
3976 completion assuming that the user has the appropriate level
3977 of privilege and the file permissions allow the deletion.
3979 If the script generates output, output will be sent to
3980 the file specified by the \fI magic output\fR parameter (see above).
3982 Note that some shells are unable to interpret scripts
3983 containing CR/LF instead of CR as
3984 the end-of-line marker. Magic scripts must be executable
3985 \fBas is\fR on the host, which for some hosts and
3986 some shells will require filtering at the DOS end.
3988 Magic scripts are \fBEXPERIMENTAL\fR and
3989 should \fBNOT\fR be relied upon.
3991 Default: \fBNone. Magic scripts disabled.\fR
3993 Example: \fBmagic script = user.csh\fR
3995 \fBmangle case (S)\fR
3996 See the section on NAME MANGLING
3998 Default: \fBmangle case = no\fR
4000 \fBmangled map (S)\fR
4001 This is for those who want to directly map UNIX
4002 file names which cannot be represented on Windows/DOS. The mangling
4003 of names is not always what is needed. In particular you may have
4004 documents with file extensions that differ between DOS and UNIX.
4005 For example, under UNIX it is common to use \fI.html\fR
4006 for HTML files, whereas under Windows/DOS \fI.htm\fR
4007 is more commonly used.
4009 So to map \fIhtml\fR to \fIhtm\fR
4012 \fBmangled map = (*.html *.htm)\fR
4014 One very useful case is to remove the annoying \fI;1
4015 \fR off the ends of filenames on some CDROMs (only visible
4016 under some UNIXes). To do this use a map of (*;1 *;).
4018 Default: \fBno mangled map\fR
4020 Example: \fBmangled map = (*;1 *;)\fR
4022 \fBmangled names (S)\fR
4023 This controls whether non-DOS names under UNIX
4024 should be mapped to DOS-compatible names ("mangled") and made visible,
4025 or whether non-DOS names should simply be ignored.
4027 See the section on NAME MANGLING for details on how to control the mangling process.
4029 If mangling is used then the mangling algorithm is as follows:
4033 The first (up to) five alphanumeric characters
4034 before the rightmost dot of the filename are preserved, forced
4035 to upper case, and appear as the first (up to) five characters
4036 of the mangled name.
4039 A tilde "~" is appended to the first part of the mangled
4040 name, followed by a two-character unique sequence, based on the
4041 original root name (i.e., the original filename minus its final
4042 extension). The final extension is included in the hash calculation
4043 only if it contains any upper case characters or is longer than three
4046 Note that the character to use may be specified using
4047 the \fImangling char\fR
4048 option, if you don't like '~'.
4051 The first three alphanumeric characters of the final
4052 extension are preserved, forced to upper case and appear as the
4053 extension of the mangled name. The final extension is defined as that
4054 part of the original filename after the rightmost dot. If there are no
4055 dots in the filename, the mangled name will have no extension (except
4056 in the case of "hidden files" - see below).
4059 Files whose UNIX name begins with a dot will be
4060 presented as DOS hidden files. The mangled name will be created as
4061 for other filenames, but with the leading dot removed and "___" as
4062 its extension regardless of actual original extension (that's three
4066 The two-digit hash value consists of upper case
4067 alphanumeric characters.
4069 This algorithm can cause name collisions only if files
4070 in a directory share the same first five alphanumeric characters.
4071 The probability of such a clash is 1/1300.
4073 The name mangling (if enabled) allows a file to be
4074 copied between UNIX directories from Windows/DOS while retaining
4075 the long UNIX filename. UNIX files can be renamed to a new extension
4076 from Windows/DOS and will retain the same basename. Mangled names
4077 do not change between sessions.
4079 Default: \fBmangled names = yes\fR
4081 \fBmangling method (G)\fR
4082 controls the algorithm used for the generating
4083 the mangled names. Can take two different values, "hash" and
4084 "hash2". "hash" is the default and is the algorithm that has been
4085 used in Samba for many years. "hash2" is a newer and considered
4086 a better algorithm (generates less collisions) in the names.
4087 However, many Win32 applications store the mangled names and so
4088 changing to the new algorithm must not be done
4089 lightly as these applications may break unless reinstalled.
4091 Default: \fBmangling method = hash2\fR
4093 Example: \fBmangling method = hash\fR
4095 \fBmangle prefix (G)\fR
4096 controls the number of prefix
4097 characters from the original name used when generating
4098 the mangled names. A larger value will give a weaker
4099 hash and therefore more name collisions. The minimum
4100 value is 1 and the maximum value is 6.
4102 Default: \fBmangle prefix = 1\fR
4104 Example: \fBmangle prefix = 4\fR
4106 \fBmangled stack (G)\fR
4107 This parameter controls the number of mangled names
4108 that should be cached in the Samba server smbd(8)
4110 This stack is a list of recently mangled base names
4111 (extensions are only maintained if they are longer than 3 characters
4112 or contains upper case characters).
4114 The larger this value, the more likely it is that mangled
4115 names can be successfully converted to correct long UNIX names.
4116 However, large stack sizes will slow most directory accesses. Smaller
4117 stacks save memory in the server (each stack element costs 256 bytes).
4119 It is not possible to absolutely guarantee correct long
4120 filenames, so be prepared for some surprises!
4122 Default: \fBmangled stack = 50\fR
4124 Example: \fBmangled stack = 100\fR
4126 \fBmangling char (S)\fR
4127 This controls what character is used as
4128 the \fBmagic\fR character in name mangling. The default is a '~'
4129 but this may interfere with some software. Use this option to set
4130 it to whatever you prefer.
4132 Default: \fBmangling char = ~\fR
4134 Example: \fBmangling char = ^\fR
4136 \fBmap archive (S)\fR
4137 This controls whether the DOS archive attribute
4138 should be mapped to the UNIX owner execute bit. The DOS archive bit
4139 is set when a file has been modified since its last backup. One
4140 motivation for this option it to keep Samba/your PC from making
4141 any file it touches from becoming executable under UNIX. This can
4142 be quite annoying for shared source code, documents, etc...
4144 Note that this requires the \fIcreate mask\fR
4145 parameter to be set such that owner execute bit is not masked out
4146 (i.e. it must include 100). See the parameter \fIcreate mask\fR for details.
4148 Default: \fBmap archive = yes\fR
4150 \fBmap hidden (S)\fR
4151 This controls whether DOS style hidden files
4152 should be mapped to the UNIX world execute bit.
4154 Note that this requires the \fIcreate mask\fR
4155 to be set such that the world execute bit is not masked out (i.e.
4156 it must include 001). See the parameter \fIcreate mask\fR for details.
4158 Default: \fBmap hidden = no\fR
4160 \fBmap system (S)\fR
4161 This controls whether DOS style system files
4162 should be mapped to the UNIX group execute bit.
4164 Note that this requires the \fIcreate mask\fR
4165 to be set such that the group execute bit is not masked out (i.e.
4166 it must include 010). See the parameter \fIcreate mask\fR for details.
4168 Default: \fBmap system = no\fR
4170 \fBmap to guest (G)\fR
4171 This parameter is only useful in security modes other than \fIsecurity = share\fR
4172 - i.e. user, server,
4175 This parameter can take three different values, which tell
4176 smbd(8) what to do with user
4177 login requests that don't match a valid UNIX user in some way.
4179 The three settings are :
4183 Never - Means user login
4184 requests with an invalid password are rejected. This is the
4188 Bad User - Means user
4189 logins with an invalid password are rejected, unless the username
4190 does not exist, in which case it is treated as a guest login and
4191 mapped into the \fI guest account\fR.
4194 Bad Password - Means user logins
4195 with an invalid password are treated as a guest login and mapped
4196 into the guest account. Note that
4197 this can cause problems as it means that any user incorrectly typing
4198 their password will be silently logged on as "guest" - and
4199 will not know the reason they cannot access files they think
4200 they should - there will have been no message given to them
4201 that they got their password wrong. Helpdesk services will
4202 \fBhate\fR you if you set the \fImap to
4203 guest\fR parameter this way :-).
4206 Note that this parameter is needed to set up "Guest"
4207 share services when using \fIsecurity\fR modes other than
4208 share. This is because in these modes the name of the resource being
4209 requested is \fBnot\fR sent to the server until after
4210 the server has successfully authenticated the client so the server
4211 cannot make authentication decisions at the correct time (connection
4212 to the share) for "Guest" shares.
4214 For people familiar with the older Samba releases, this
4215 parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.
4217 Default: \fBmap to guest = Never\fR
4219 Example: \fBmap to guest = Bad User\fR
4221 \fBmax connections (S)\fR
4222 This option allows the number of simultaneous
4223 connections to a service to be limited. If \fImax connections
4224 \fR is greater than 0 then connections will be refused if
4225 this number of connections to the service are already open. A value
4226 of zero mean an unlimited number of connections may be made.
4228 Record lock files are used to implement this feature. The
4229 lock files will be stored in the directory specified by the \fIlock directory\fR
4232 Default: \fBmax connections = 0\fR
4234 Example: \fBmax connections = 10\fR
4236 \fBmax disk size (G)\fR
4237 This option allows you to put an upper limit
4238 on the apparent size of disks. If you set this option to 100
4239 then all shares will appear to be not larger than 100 MB in
4242 Note that this option does not limit the amount of
4243 data you can put on the disk. In the above case you could still
4244 store much more than 100 MB on the disk, but if a client ever asks
4245 for the amount of free disk space or the total disk size then the
4246 result will be bounded by the amount specified in \fImax
4249 This option is primarily useful to work around bugs
4250 in some pieces of software that can't handle very large disks,
4251 particularly disks over 1GB in size.
4253 A \fImax disk size\fR of 0 means no limit.
4255 Default: \fBmax disk size = 0\fR
4257 Example: \fBmax disk size = 1000\fR
4259 \fBmax log size (G)\fR
4260 This option (an integer in kilobytes) specifies
4261 the max size the log file should grow to. Samba periodically checks
4262 the size and if it is exceeded it will rename the file, adding
4263 a \fI.old\fR extension.
4265 A size of 0 means no limit.
4267 Default: \fBmax log size = 5000\fR
4269 Example: \fBmax log size = 1000\fR
4272 This option controls the maximum number of
4273 outstanding simultaneous SMB operations that Samba tells the client
4274 it will allow. You should never need to set this parameter.
4276 Default: \fBmax mux = 50\fR
4278 \fBmax open files (G)\fR
4279 This parameter limits the maximum number of
4280 open files that one smbd(8) file
4281 serving process may have open for a client at any one time. The
4282 default for this parameter is set very high (10,000) as Samba uses
4283 only one bit per unopened file.
4285 The limit of the number of open files is usually set
4286 by the UNIX per-process file descriptor limit rather than
4287 this parameter so you should never need to touch this parameter.
4289 Default: \fBmax open files = 10000\fR
4291 \fBmax print jobs (S)\fR
4292 This parameter limits the maximum number of
4293 jobs allowable in a Samba printer queue at any given moment.
4294 If this number is exceeded, \fB smbd(8)\fR will remote "Out of Space" to the client.
4298 Default: \fBmax print jobs = 1000\fR
4300 Example: \fBmax print jobs = 5000\fR
4302 \fBmax protocol (G)\fR
4303 The value of the parameter (a string) is the highest
4304 protocol level that will be supported by the server.
4306 Possible values are :
4310 CORE: Earliest version. No
4311 concept of user names.
4314 COREPLUS: Slight improvements on
4315 CORE for efficiency.
4318 LANMAN1: First \fB modern\fR version of the protocol. Long filename
4322 LANMAN2: Updates to Lanman1 protocol.
4325 NT1: Current up to date version of
4326 the protocol. Used by Windows NT. Known as CIFS.
4329 Normally this option should not be set as the automatic
4330 negotiation phase in the SMB protocol takes care of choosing
4331 the appropriate protocol.
4336 Default: \fBmax protocol = NT1\fR
4338 Example: \fBmax protocol = LANMAN1\fR
4340 \fBmax smbd processes (G)\fR
4341 This parameter limits the maximum number of
4343 processes concurrently running on a system and is intended
4344 as a stopgap to prevent degrading service to clients in the event
4345 that the server has insufficient resources to handle more than this
4346 number of connections. Remember that under normal operating
4347 conditions, each user will have an smbd associated with him or her
4348 to handle connections to all shares from a given host.
4350 Default: \fBmax smbd processes = 0\fR ## no limit
4352 Example: \fBmax smbd processes = 1000\fR
4355 This option tells nmbd(8)
4356 what the default 'time to live' of NetBIOS names should be (in seconds)
4357 when \fBnmbd\fR is requesting a name using either a
4358 broadcast packet or from a WINS server. You should never need to
4359 change this parameter. The default is 3 days.
4361 Default: \fBmax ttl = 259200\fR
4363 \fBmax wins ttl (G)\fR
4364 This option tells nmbd(8)
4365 when acting as a WINS server ( \fIwins support = yes\fR) what the maximum
4366 \&'time to live' of NetBIOS names that \fBnmbd\fR
4367 will grant will be (in seconds). You should never need to change this
4368 parameter. The default is 6 days (518400 seconds).
4371 wins ttl\fR parameter.
4373 Default: \fBmax wins ttl = 518400\fR
4376 This option controls the maximum packet size
4377 that will be negotiated by Samba. The default is 65535, which
4378 is the maximum. In some cases you may find you get better performance
4379 with a smaller value. A value below 2048 is likely to cause problems.
4381 Default: \fBmax xmit = 65535\fR
4383 Example: \fBmax xmit = 8192\fR
4385 \fBmessage command (G)\fR
4386 This specifies what command to run when the
4387 server receives a WinPopup style message.
4389 This would normally be a command that would
4390 deliver the message somehow. How this is to be done is
4391 up to your imagination.
4395 \fBmessage command = csh -c 'xedit %s;rm %s' &\fR
4397 This delivers the message using \fBxedit\fR, then
4398 removes it afterwards. \fBNOTE THAT IT IS VERY IMPORTANT
4399 THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I
4400 have the '&' on the end. If it doesn't return immediately then
4401 your PCs may freeze when sending messages (they should recover
4402 after 30 seconds, hopefully).
4404 All messages are delivered as the global guest user.
4405 The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better
4408 Apart from the standard substitutions, some additional
4409 ones apply. In particular:
4413 \fI%s\fR = the filename containing
4417 \fI%t\fR = the destination that
4418 the message was sent to (probably the server name).
4421 \fI%f\fR = who the message
4425 You could make this command send mail, or whatever else
4426 takes your fancy. Please let us know of any really interesting
4429 Here's a way of sending the messages as mail to root:
4431 \fBmessage command = /bin/mail -s 'message from %f on
4432 %m' root < %s; rm %s\fR
4434 If you don't have a message command then the message
4435 won't be delivered and Samba will tell the sender there was
4436 an error. Unfortunately WfWg totally ignores the error code
4437 and carries on regardless, saying that the message was delivered.
4439 If you want to silently delete it then try:
4441 \fBmessage command = rm %s\fR
4443 Default: \fBno message command\fR
4445 Example: \fBmessage command = csh -c 'xedit %s;
4448 \fBmin passwd length (G)\fR
4449 Synonym for \fImin password length\fR.
4451 \fBmin password length (G)\fR
4452 This option sets the minimum length in characters
4453 of a plaintext password that \fBsmbd\fR will accept when performing
4454 UNIX password changing.
4457 password sync\fR, \fIpasswd program\fR and \fIpasswd chat debug\fR
4460 Default: \fBmin password length = 5\fR
4462 \fBmin print space (S)\fR
4463 This sets the minimum amount of free disk
4464 space that must be available before a user will be able to spool
4465 a print job. It is specified in kilobytes. The default is 0, which
4466 means a user can always spool a print job.
4468 See also the \fIprinting
4471 Default: \fBmin print space = 0\fR
4473 Example: \fBmin print space = 2000\fR
4475 \fBmin protocol (G)\fR
4476 The value of the parameter (a string) is the
4477 lowest SMB protocol dialect than Samba will support. Please refer
4478 to the \fImax protocol\fR
4479 parameter for a list of valid protocol names and a brief description
4480 of each. You may also wish to refer to the C source code in
4481 \fIsource/smbd/negprot.c\fR for a listing of known protocol
4482 dialects supported by clients.
4484 If you are viewing this parameter as a security measure, you should
4485 also refer to the \fIlanman
4486 auth\fR parameter. Otherwise, you should never need
4487 to change this parameter.
4489 Default : \fBmin protocol = CORE\fR
4491 Example : \fBmin protocol = NT1\fR # disable DOS
4494 \fBmin wins ttl (G)\fR
4495 This option tells nmbd(8)
4496 when acting as a WINS server (\fI wins support = yes\fR) what the minimum 'time to live'
4497 of NetBIOS names that \fBnmbd\fR will grant will be (in
4498 seconds). You should never need to change this parameter. The default
4499 is 6 hours (21600 seconds).
4501 Default: \fBmin wins ttl = 21600\fR
4503 \fBmsdfs proxy (S)\fR
4504 This parameter indicates that the share is a
4505 stand-in for another CIFS share whose location is specified by
4506 the value of the parameter. When clients attempt to connect to
4507 this share, they are redirected to the proxied share using
4508 the SMB-Dfs protocol.
4510 Only Dfs roots can act as proxy shares. Take a look at the
4514 options to find out how to set up a Dfs root share.
4516 Example: \fBmsdfs proxy = \\otherserver\\someshare\fR
4518 \fBmsdfs root (S)\fR
4519 This boolean parameter is only available if
4520 Samba is configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
4521 Samba treats the share as a Dfs root and allows clients to browse
4522 the distributed file system tree rooted at the share directory.
4523 Dfs links are specified in the share directory by symbolic
4524 links of the form \fImsdfs:serverA\\shareA,serverB\\shareB\fR
4525 and so on. For more information on setting up a Dfs tree
4526 on Samba, refer to msdfs_setup.html
4529 See also \fIhost msdfs
4532 Default: \fBmsdfs root = no\fR
4534 \fBname cache timeout (G)\fR
4535 Specifies the number of seconds it takes before
4536 entries in samba's hostname resolve cache time out. If
4537 the timeout is set to 0. the caching is disabled.
4539 Default: \fBname cache timeout = 660\fR
4541 Example: \fBname cache timeout = 0\fR
4543 \fBname resolve order (G)\fR
4544 This option is used by the programs in the Samba
4545 suite to determine what naming services to use and in what order
4546 to resolve host names to IP addresses. The option takes a space
4547 separated string of name resolution options.
4549 The options are :"lmhosts", "host", "wins" and "bcast". They
4550 cause names to be resolved as follows :
4554 lmhosts : Lookup an IP
4555 address in the Samba lmhosts file. If the line in lmhosts has
4556 no name type attached to the NetBIOS name (see the lmhosts(5) for details) then
4557 any name type matches for lookup.
4560 host : Do a standard host
4561 name to IP address resolution, using the system \fI/etc/hosts
4562 \fR, NIS, or DNS lookups. This method of name resolution
4563 is operating system depended for instance on IRIX or Solaris this
4564 may be controlled by the \fI/etc/nsswitch.conf\fR
4565 file. Note that this method is only used if the NetBIOS name
4566 type being queried is the 0x20 (server) name type, otherwise
4570 wins : Query a name with
4571 the IP address listed in the \fI wins server\fR parameter. If no WINS server has
4572 been specified this method will be ignored.
4575 bcast : Do a broadcast on
4576 each of the known local interfaces listed in the \fIinterfaces\fR
4577 parameter. This is the least reliable of the name resolution
4578 methods as it depends on the target host being on a locally
4582 Default: \fBname resolve order = lmhosts host wins bcast
4585 Example: \fBname resolve order = lmhosts bcast host
4588 This will cause the local lmhosts file to be examined
4589 first, followed by a broadcast attempt, followed by a normal
4590 system hostname lookup.
4592 \fBnetbios aliases (G)\fR
4593 This is a list of NetBIOS names that nmbd(8) will advertise as additional
4594 names by which the Samba server is known. This allows one machine
4595 to appear in browse lists under multiple names. If a machine is
4596 acting as a browse server or logon server none
4597 of these names will be advertised as either browse server or logon
4598 servers, only the primary name of the machine will be advertised
4599 with these capabilities.
4604 Default: \fBempty string (no additional names)\fR
4606 Example: \fBnetbios aliases = TEST TEST1 TEST2\fR
4608 \fBnetbios name (G)\fR
4609 This sets the NetBIOS name by which a Samba
4610 server is known. By default it is the same as the first component
4611 of the host's DNS name. If a machine is a browse server or
4612 logon server this name (or the first component
4613 of the hosts DNS name) will be the name that these services are
4619 Default: \fBmachine DNS name\fR
4621 Example: \fBnetbios name = MYNAME\fR
4623 \fBnetbios scope (G)\fR
4624 This sets the NetBIOS scope that Samba will
4625 operate under. This should not be set unless every machine
4626 on your LAN also sets this value.
4628 \fBnis homedir (G)\fR
4629 Get the home share server from a NIS map. For
4630 UNIX systems that use an automounter, the user's home directory
4631 will often be mounted on a workstation on demand from a remote
4634 When the Samba logon server is not the actual home directory
4635 server, but is mounting the home directories via NFS then two
4636 network hops would be required to access the users home directory
4637 if the logon server told the client to use itself as the SMB server
4638 for home directories (one over SMB and one over NFS). This can
4641 This option allows Samba to return the home share as
4642 being on a different server to the logon server and as
4643 long as a Samba daemon is running on the home directory server,
4644 it will be mounted on the Samba client directly from the directory
4645 server. When Samba is returning the home share to the client, it
4646 will consult the NIS map specified in \fIhomedir map\fR and return the server
4649 Note that for this option to work there must be a working
4650 NIS system and the Samba server with this option must also
4653 Default: \fBnis homedir = no\fR
4655 \fBnon unix account range (G)\fR
4656 The non unix account range parameter specifies
4657 the range of 'user ids' that are allocated by the various 'non unix
4658 account' passdb backends. These backends allow
4659 the storage of passwords for users who don't exist in /etc/passwd.
4660 This is most often used for machine account creation.
4661 This range of ids should have no existing local or NIS users within
4662 it as strange conflicts can occur otherwise.
4664 NOTE: These userids never appear on the system and Samba will never
4665 \&'become' these users. They are used only to ensure that the algorithmic
4666 RID mapping does not conflict with normal users.
4668 Default: \fBnon unix account range = <empty string>
4671 Example: \fBnon unix account range = 10000-20000\fR
4673 \fBnt acl support (S)\fR
4674 This boolean parameter controls whether
4675 smbd(8) will attempt to map
4676 UNIX permissions into Windows NT access control lists.
4677 This parameter was formally a global parameter in releases
4680 Default: \fBnt acl support = yes\fR
4682 \fBnt pipe support (G)\fR
4683 This boolean parameter controls whether
4684 smbd(8) will allow Windows NT
4685 clients to connect to the NT SMB specific IPC$
4686 pipes. This is a developer debugging option and can be left
4689 Default: \fBnt pipe support = yes\fR
4691 \fBnt status support (G)\fR
4692 This boolean parameter controls whether smbd(8) will negotiate NT specific status
4693 support with Windows NT/2k/XP clients. This is a developer
4694 debugging option and should be left alone.
4695 If this option is set to no then Samba offers
4696 exactly the same DOS error codes that versions prior to Samba 2.2.3
4699 You should not need to ever disable this parameter.
4701 Default: \fBnt status support = yes\fR
4703 \fBnull passwords (G)\fR
4704 Allow or disallow client access to accounts
4705 that have null passwords.
4707 See also smbpasswd (5)
4709 Default: \fBnull passwords = no\fR
4711 \fBobey pam restrictions (G)\fR
4712 When Samba 2.2 is configured to enable PAM support
4713 (i.e. --with-pam), this parameter will control whether or not Samba
4714 should obey PAM's account and session management directives. The
4715 default behavior is to use PAM for clear text authentication only
4716 and to ignore any account or session management. Note that Samba
4717 always ignores PAM for authentication in the case of \fIencrypt passwords = yes\fR
4718 \&. The reason is that PAM modules cannot support the challenge/response
4719 authentication mechanism needed in the presence of SMB password encryption.
4721 Default: \fBobey pam restrictions = no\fR
4724 This is a boolean option that controls whether
4725 connections with usernames not in the \fIuser\fR
4726 list will be allowed. By default this option is disabled so that a
4727 client can supply a username to be used by the server. Enabling
4728 this parameter will force the server to only user the login
4729 names from the \fIuser\fR list and is only really
4730 useful in shave level
4733 Note that this also means Samba won't try to deduce
4734 usernames from the service name. This can be annoying for
4735 the [homes] section. To get around this you could use \fBuser =
4736 %S\fR which means your \fIuser\fR list
4737 will be just the service name, which for home directories is the
4740 See also the \fIuser\fR
4743 Default: \fBonly user = no\fR
4745 \fBonly guest (S)\fR
4746 A synonym for \fI guest only\fR.
4748 \fBoplock break wait time (G)\fR
4749 This is a tuning parameter added due to bugs in
4750 both Windows 9x and WinNT. If Samba responds to a client too
4751 quickly when that client issues an SMB that can cause an oplock
4752 break request, then the network client can fail and not respond
4753 to the break request. This tuning parameter (which is set in milliseconds)
4754 is the amount of time Samba will wait before sending an oplock break
4755 request to such (broken) clients.
4757 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4758 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4760 Default: \fBoplock break wait time = 0\fR
4762 \fBoplock contention limit (S)\fR
4763 This is a \fBvery\fR advanced
4764 smbd(8) tuning option to
4765 improve the efficiency of the granting of oplocks under multiple
4766 client contention for the same file.
4768 In brief it specifies a number, which causes smbd not to
4769 grant an oplock even when requested if the approximate number of
4770 clients contending for an oplock on the same file goes over this
4771 limit. This causes \fBsmbd\fR to behave in a similar
4774 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4775 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4777 Default: \fBoplock contention limit = 2\fR
4780 This boolean option tells \fBsmbd\fR whether to
4781 issue oplocks (opportunistic locks) to file open requests on this
4782 share. The oplock code can dramatically (approx. 30% or more) improve
4783 the speed of access to files on Samba servers. It allows the clients
4784 to aggressively cache files locally and you may want to disable this
4785 option for unreliable network environments (it is turned on by
4786 default in Windows NT Servers). For more information see the file
4787 \fISpeed.txt\fR in the Samba \fIdocs/\fR
4790 Oplocks may be selectively turned off on certain files with a
4791 share. See the \fI veto oplock files\fR parameter. On some systems
4792 oplocks are recognized by the underlying operating system. This
4793 allows data synchronization between all access to oplocked files,
4794 whether it be via Samba or NFS or a local UNIX process. See the
4795 \fIkernel oplocks\fR parameter for details.
4797 See also the \fIkernel
4798 oplocks\fR and \fI level2 oplocks\fR parameters.
4800 Default: \fBoplocks = yes\fR
4803 This parameter determines whether or not smbd will
4804 attempt to authenticate users using the NTLM password hash.
4805 If disabled, only the lanman password hashes will be used.
4807 Please note that at least this option or \fBlanman auth\fR should be enabled in order to be able to log in.
4809 Default : \fBntlm auth = yes\fR
4812 This integer value controls what level Samba
4813 advertises itself as for browse elections. The value of this
4814 parameter determines whether nmbd(8)
4815 has a chance of becoming a local master browser for the \fI WORKGROUP\fR in the local broadcast area.
4817 \fBNote :\fRBy default, Samba will win
4818 a local master browsing election over all Microsoft operating
4819 systems except a Windows NT 4.0/2000 Domain Controller. This
4820 means that a misconfigured Samba host can effectively isolate
4821 a subnet for browsing purposes. See \fIBROWSING.txt
4822 \fR in the Samba \fIdocs/\fR directory
4825 Default: \fBos level = 20\fR
4827 Example: \fBos level = 65 \fR
4829 \fBos2 driver map (G)\fR
4830 The parameter is used to define the absolute
4831 path to a file containing a mapping of Windows NT printer driver
4832 names to OS/2 printer driver names. The format is:
4834 <nt driver name> = <os2 driver
4837 For example, a valid entry using the HP LaserJet 5
4838 printer driver would appear as \fBHP LaserJet 5L = LASERJET.HP
4841 The need for the file is due to the printer driver namespace
4842 problem described in the Samba
4843 Printing HOWTO For more details on OS/2 clients, please
4844 refer to the OS2-Client-HOWTO
4845 containing in the Samba documentation.
4847 Default: \fBos2 driver map = <empty string>
4850 \fBpam password change (G)\fR
4851 With the addition of better PAM support in Samba 2.2,
4852 this parameter, it is possible to use PAM's password change control
4853 flag for Samba. If enabled, then PAM will be used for password
4854 changes when requested by an SMB client instead of the program listed in
4855 \fIpasswd program\fR.
4856 It should be possible to enable this without changing your
4858 parameter for most setups.
4860 Default: \fBpam password change = no\fR
4862 \fBpanic action (G)\fR
4863 This is a Samba developer option that allows a
4864 system command to be called when either smbd(8)
4865 crashes. This is usually used to draw attention to the fact that
4868 Default: \fBpanic action = <empty string>\fR
4870 Example: \fBpanic action = "/bin/sleep 90000"\fR
4872 \fBparanoid server security (G)\fR
4873 Some version of NT 4.x allow non-guest
4874 users with a bad passowrd. When this option is enabled, samba will not
4875 use a broken NT 4.x server as password server, but instead complain
4876 to the logs and exit.
4878 Default: \fBparanoid server security = yes\fR
4880 \fBpassdb backend (G)\fR
4881 This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both
4882 smbpasswd and tdbsam to be used without a recompile.
4883 Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.
4884 Experimental backends must still be selected
4885 (eg --with-tdbsam) at configure time.
4887 This parameter is in two parts, the backend's name, and a 'location'
4888 string that has meaning only to that particular backed. These are separated
4891 Available backends can include:
4895 \fBsmbpasswd\fR - The default smbpasswd
4896 backend. Takes a path to the smbpasswd file as an optional argument.
4899 \fBsmbpasswd_nua\fR - The smbpasswd
4900 backend, but with support for 'not unix accounts'.
4901 Takes a path to the smbpasswd file as an optional argument.
4903 See also \fInon unix account range\fR
4906 \fBtdbsam\fR - The TDB based password storage
4907 backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
4908 in the \fIprivate dir\fR directory.
4911 \fBtdbsam_nua\fR - The TDB based password storage
4912 backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
4913 in the \fIprivate dir\fR directory.
4915 See also \fInon unix account range\fR
4918 \fBldapsam\fR - The LDAP based passdb
4919 backend. Takes an LDAP URL as an optional argument (defaults to
4920 \fBldap://localhost\fR)
4923 \fBldapsam_nua\fR - The LDAP based passdb
4924 backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
4925 \fBldap://localhost\fR)
4927 Note: In this module, any account without a matching POSIX account is regarded
4930 See also \fInon unix account
4933 LDAP connections should be secured where
4934 possible. This may be done using either
4935 Start-TLS (see \fIldap ssl\fR) or by
4936 specifying \fIldaps://\fR in
4940 \fBnisplussam\fR - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers.
4943 \fBplugin\fR - Allows Samba to load an
4944 arbitary passdb backend from the .so specified as a compulsary argument.
4946 Any characters after the (optional) second : are passed to the plugin
4947 for its own processing
4950 \fBunixsam\fR - Allows samba to map all (other) available unix users
4952 This backend uses the standard unix database for retrieving users. Users included
4953 in this pdb are NOT listed in samba user listings and users included in this pdb won't be
4954 able to login. The use of this backend is to always be able to display the owner of a file
4955 on the samba server - even when the user doesn't have a 'real' samba account in one of the
4956 other passdb backends.
4958 This backend should always be the last backend listed, since it contains all users in
4959 the unix passdb and might 'override' mappings if specified earlier. It's meant to only return
4960 accounts for users that aren't covered by the previous backends.
4963 Default: \fBpassdb backend = smbpasswd unixsam\fR
4965 Example: \fBpassdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam\fR
4967 Example: \fBpassdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam\fR
4969 Example: \fBpassdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb\fR
4971 \fBpasswd chat (G)\fR
4972 This string controls the \fB"chat"\fR
4973 conversation that takes places between smbd and the local password changing
4974 program to change the user's password. The string describes a
4975 sequence of response-receive pairs that smbd(8) uses to determine what to send to the
4976 \fIpasswd program\fR
4977 and what to expect back. If the expected output is not
4978 received then the password is not changed.
4980 This chat sequence is often quite site specific, depending
4981 on what local methods are used for password control (such as NIS
4984 Note that this parameter only is only used if the \fIunix
4985 password sync\fR parameter is set to yes. This
4986 sequence is then called \fBAS ROOT\fR when the SMB password
4987 in the smbpasswd file is being changed, without access to the old
4988 password cleartext. This means that root must be able to reset the user's password
4989 without knowing the text of the previous password. In the presence of NIS/YP,
4990 this means that the passwd program must be
4991 executed on the NIS master.
4993 The string can contain the macro \fI%n\fR which is substituted
4994 for the new password. The chat sequence can also contain the standard
4995 macros \\n, \\r, \\t and \\s to give line-feed,
4996 carriage-return, tab and space. The chat sequence string can also contain
4997 a '*' which matches any sequence of characters.
4998 Double quotes can be used to collect strings with spaces
4999 in them into a single string.
5001 If the send string in any part of the chat sequence
5002 is a full stop ".", then no string is sent. Similarly,
5003 if the expect string is a full stop then no string is expected.
5006 password change\fR parameter is set to yes, the chat pairs
5007 may be matched in any order, and success is determined by the PAM result,
5008 not any particular output. The \\n macro is ignored for PAM conversions.
5010 See also \fIunix password
5011 sync\fR, \fI passwd program\fR , \fIpasswd chat debug\fR and \fIpam password change\fR.
5013 Default: \fBpasswd chat = *new*password* %n\\n
5014 *new*password* %n\\n *changed*\fR
5016 Example: \fBpasswd chat = "*Enter OLD password*" %o\\n
5017 "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password
5020 \fBpasswd chat debug (G)\fR
5021 This boolean specifies if the passwd chat script
5022 parameter is run in \fBdebug\fR mode. In this mode the
5023 strings passed to and received from the passwd chat are printed
5024 in the smbd(8) log with a
5026 of 100. This is a dangerous option as it will allow plaintext passwords
5027 to be seen in the \fBsmbd\fR log. It is available to help
5028 Samba admins debug their \fIpasswd chat\fR scripts
5029 when calling the \fIpasswd program\fR and should
5030 be turned off after this has been done. This option has no effect if the
5031 \fIpam password change\fR
5032 paramter is set. This parameter is off by default.
5034 See also \fIpasswd chat\fR
5035 , \fIpam password change\fR
5036 , \fIpasswd program\fR
5039 Default: \fBpasswd chat debug = no\fR
5041 \fBpasswd program (G)\fR
5042 The name of a program that can be used to set
5043 UNIX user passwords. Any occurrences of \fI%u\fR
5044 will be replaced with the user name. The user name is checked for
5045 existence before calling the password changing program.
5047 Also note that many passwd programs insist in \fBreasonable
5048 \fR passwords, such as a minimum length, or the inclusion
5049 of mixed case chars and digits. This can pose a problem as some clients
5050 (such as Windows for Workgroups) uppercase the password before sending
5053 \fBNote\fR that if the \fIunix
5054 password sync\fR parameter is set to yes
5055 then this program is called \fBAS ROOT\fR
5056 before the SMB password in the smbpasswd(5)
5057 file is changed. If this UNIX password change fails, then
5058 \fBsmbd\fR will fail to change the SMB password also
5059 (this is by design).
5061 If the \fIunix password sync\fR parameter
5062 is set this parameter \fBMUST USE ABSOLUTE PATHS\fR
5063 for \fBALL\fR programs called, and must be examined
5064 for security implications. Note that by default \fIunix
5065 password sync\fR is set to no.
5070 Default: \fBpasswd program = /bin/passwd\fR
5072 Example: \fBpasswd program = /sbin/npasswd %u\fR
5074 \fBpassword level (G)\fR
5075 Some client/server combinations have difficulty
5076 with mixed-case passwords. One offending client is Windows for
5077 Workgroups, which for some reason forces passwords to upper
5078 case when using the LANMAN1 protocol, but leaves them alone when
5079 using COREPLUS! Another problem child is the Windows 95/98
5080 family of operating systems. These clients upper case clear
5081 text passwords even when NT LM 0.12 selected by the protocol
5082 negotiation request/response.
5084 This parameter defines the maximum number of characters
5085 that may be upper case in passwords.
5087 For example, say the password given was "FRED". If \fI password level\fR is set to 1, the following combinations
5088 would be tried if "FRED" failed:
5090 "Fred", "fred", "fRed", "frEd","freD"
5092 If \fIpassword level\fR was set to 2,
5093 the following combinations would also be tried:
5095 "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
5099 The higher value this parameter is set to the more likely
5100 it is that a mixed case password will be matched against a single
5101 case password. However, you should be aware that use of this
5102 parameter reduces security and increases the time taken to
5103 process a new connection.
5105 A value of zero will cause only two attempts to be
5106 made - the password as is and the password in all-lower case.
5108 Default: \fBpassword level = 0\fR
5110 Example: \fBpassword level = 4\fR
5112 \fBpassword server (G)\fR
5113 By specifying the name of another SMB server (such
5114 as a WinNT box) with this option, and using \fBsecurity = domain
5115 \fR or \fBsecurity = server\fR you can get Samba
5116 to do all its username/password validation via a remote server.
5118 This option sets the name of the password server to use.
5119 It must be a NetBIOS name, so if the machine's NetBIOS name is
5120 different from its Internet name then you may have to add its NetBIOS
5121 name to the lmhosts file which is stored in the same directory
5122 as the \fIsmb.conf\fR file.
5124 The name of the password server is looked up using the
5126 resolve order\fR and so may resolved
5127 by any method and order described in that parameter.
5129 The password server much be a machine capable of using
5130 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
5131 user level security mode.
5133 \fBNOTE:\fR Using a password server
5134 means your UNIX box (running Samba) is only as secure as your
5135 password server. \fBDO NOT CHOOSE A PASSWORD SERVER THAT
5136 YOU DON'T COMPLETELY TRUST\fR.
5138 Never point a Samba server at itself for password
5139 serving. This will cause a loop and could lock up your Samba
5142 The name of the password server takes the standard
5143 substitutions, but probably the only useful one is \fI%m
5144 \fR, which means the Samba server will use the incoming
5145 client as the password server. If you use this then you better
5146 trust your clients, and you had better restrict them with hosts allow!
5148 If the \fIsecurity\fR parameter is set to
5149 domain, then the list of machines in this
5150 option must be a list of Primary or Backup Domain controllers for the
5151 Domain or the character '*', as the Samba server is effectively
5152 in that domain, and will use cryptographically authenticated RPC calls
5153 to authenticate the user logging on. The advantage of using \fB security = domain\fR is that if you list several hosts in the
5154 \fIpassword server\fR option then \fBsmbd
5155 \fR will try each in turn till it finds one that responds. This
5156 is useful in case your primary server goes down.
5158 If the \fIpassword server\fR option is set
5159 to the character '*', then Samba will attempt to auto-locate the
5160 Primary or Backup Domain controllers to authenticate against by
5161 doing a query for the name WORKGROUP<1C>
5162 and then contacting each server returned in the list of IP
5163 addresses from the name resolution source.
5165 If the list of servers contains both names and the '*'
5166 character, the list is treated as a list of preferred
5167 domain controllers, but an auto lookup of all remaining DC's
5168 will be added to the list as well. Samba will not attempt to optimize
5169 this list by locating the closest DC.
5171 If the \fIsecurity\fR parameter is
5172 set to server, then there are different
5173 restrictions that \fBsecurity = domain\fR doesn't
5178 You may list several password servers in
5179 the \fIpassword server\fR parameter, however if an
5180 \fBsmbd\fR makes a connection to a password server,
5181 and then the password server fails, no more users will be able
5182 to be authenticated from this \fBsmbd\fR. This is a
5183 restriction of the SMB/CIFS protocol when in \fBsecurity = server
5184 \fR mode and cannot be fixed in Samba.
5187 If you are using a Windows NT server as your
5188 password server then you will have to ensure that your users
5189 are able to login from the Samba server, as when in \fB security = server\fR mode the network logon will appear to
5190 come from there rather than from the users workstation.
5193 See also the \fIsecurity
5196 Default: \fBpassword server = <empty string>\fR
5198 Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2, *
5201 Example: \fBpassword server = *\fR
5204 This parameter specifies a directory to which
5205 the user of the service is to be given access. In the case of
5206 printable services, this is where print data will spool prior to
5207 being submitted to the host for printing.
5209 For a printable service offering guest access, the service
5210 should be readonly and the path should be world-writeable and
5211 have the sticky bit set. This is not mandatory of course, but
5212 you probably won't get the results you expect if you do
5215 Any occurrences of \fI%u\fR in the path
5216 will be replaced with the UNIX username that the client is using
5217 on this connection. Any occurrences of \fI%m\fR
5218 will be replaced by the NetBIOS name of the machine they are
5219 connecting from. These replacements are very useful for setting
5220 up pseudo home directories for users.
5222 Note that this path will be based on \fIroot dir\fR if one was specified.
5226 Example: \fBpath = /home/fred\fR
5228 \fBpid directory (G)\fR
5229 This option specifies the directory where pid
5230 files will be placed.
5232 Default: \fBpid directory = ${prefix}/var/locks\fR
5234 Example: \fBpid directory = /var/run/\fR
5236 \fBposix locking (S)\fR
5238 daemon maintains an database of file locks obtained by SMB clients.
5239 The default behavior is to map this internal database to POSIX
5240 locks. This means that file locks obtained by SMB clients are
5241 consistent with those seen by POSIX compliant applications accessing
5242 the files via a non-SMB method (e.g. NFS or local file access).
5243 You should never need to disable this parameter.
5245 Default: \fBposix locking = yes\fR
5248 This option specifies a command to be run
5249 whenever the service is disconnected. It takes the usual
5250 substitutions. The command may be run as the root on some
5253 An interesting example may be to unmount server
5256 \fBpostexec = /etc/umount /cdrom\fR
5258 See also \fIpreexec\fR
5261 Default: \fBnone (no command executed)\fR
5263 Example: \fBpostexec = echo \\"%u disconnected from %S
5264 from %m (%I)\\" >> /tmp/log\fR
5266 \fBpostscript (S)\fR
5267 This parameter forces a printer to interpret
5268 the print files as PostScript. This is done by adding a %!
5269 to the start of print output.
5271 This is most useful when you have lots of PCs that persist
5272 in putting a control-D at the start of print jobs, which then
5273 confuses your printer.
5275 Default: \fBpostscript = no\fR
5278 This option specifies a command to be run whenever
5279 the service is connected to. It takes the usual substitutions.
5281 An interesting example is to send the users a welcome
5282 message every time they log in. Maybe a message of the day? Here
5285 \fBpreexec = csh -c 'echo \\"Welcome to %S!\\" |
5286 /usr/local/samba/bin/smbclient -M %m -I %I' & \fR
5288 Of course, this could get annoying after a while :-)
5290 See also \fIpreexec close
5294 Default: \fBnone (no command executed)\fR
5296 Example: \fBpreexec = echo \\"%u connected to %S from %m
5297 (%I)\\" >> /tmp/log\fR
5299 \fBpreexec close (S)\fR
5300 This boolean option controls whether a non-zero
5301 return code from \fIpreexec
5302 \fR should close the service being connected to.
5304 Default: \fBpreexec close = no\fR
5306 \fBpreferred master (G)\fR
5307 This boolean parameter controls if nmbd(8) is a preferred master browser
5310 If this is set to yes, on startup, \fBnmbd\fR
5311 will force an election, and it will have a slight advantage in
5312 winning the election. It is recommended that this parameter is
5313 used in conjunction with \fB\fI domain master\fB = yes\fR, so that \fB nmbd\fR can guarantee becoming a domain master.
5315 Use this option with caution, because if there are several
5316 hosts (whether Samba servers, Windows 95 or NT) that are preferred
5317 master browsers on the same subnet, they will each periodically
5318 and continuously attempt to become the local master browser.
5319 This will result in unnecessary broadcast traffic and reduced browsing
5322 See also \fIos level\fR
5325 Default: \fBpreferred master = auto\fR
5327 \fBprefered master (G)\fR
5328 Synonym for \fI preferred master\fR for people who cannot spell :-).
5331 This is a list of services that you want to be
5332 automatically added to the browse lists. This is most useful
5333 for homes and printers services that would otherwise not be
5336 Note that if you just want all printers in your
5337 printcap file loaded then the \fIload printers\fR option is easier.
5339 Default: \fBno preloaded services\fR
5341 Example: \fBpreload = fred lp colorlp\fR
5343 \fBpreserve case (S)\fR
5344 This controls if new filenames are created
5345 with the case that the client passes, or if they are forced to
5346 be the \fIdefault case
5349 Default: \fBpreserve case = yes\fR
5351 See the section on NAME
5352 MANGLING for a fuller discussion.
5354 \fBprint command (S)\fR
5355 After a print job has finished spooling to
5356 a service, this command will be used via a \fBsystem()\fR
5357 call to process the spool file. Typically the command specified will
5358 submit the spool file to the host's printing subsystem, but there
5359 is no requirement that this be the case. The server will not remove
5360 the spool file, so whatever command you specify should remove the
5361 spool file when it has been processed, otherwise you will need to
5362 manually remove old spool files.
5364 The print command is simply a text string. It will be used
5365 verbatim after macro substitutions have been made:
5367 s, %p - the path to the spool
5370 %p - the appropriate printer
5374 name as transmitted by the client.
5376 %c - The number of printed pages
5377 of the spooled job (if known).
5379 %z - the size of the spooled
5380 print job (in bytes)
5382 The print command \fBMUST\fR contain at least
5383 one occurrence of \fI%s\fR or \fI%f
5384 \fR - the \fI%p\fR is optional. At the time
5385 a job is submitted, if no printer name is supplied the \fI%p
5386 \fR will be silently removed from the printer command.
5388 If specified in the [global] section, the print command given
5389 will be used for any printable service that does not have its own
5390 print command specified.
5392 If there is neither a specified print command for a
5393 printable service nor a global print command, spool files will
5394 be created but not processed and (most importantly) not removed.
5396 Note that printing may fail on some UNIXes from the
5397 nobody account. If this happens then create
5398 an alternative guest account that can print and set the \fIguest account\fR
5399 in the [global] section.
5401 You can form quite complex print commands by realizing
5402 that they are just passed to a shell. For example the following
5403 will log a print job, print the file, then remove it. Note that
5404 \&';' is the usual separator for command in shell scripts.
5406 \fBprint command = echo Printing %s >>
5407 /tmp/print.log; lpr -P %p %s; rm %s\fR
5409 You may have to vary this command considerably depending
5410 on how you normally print files on your system. The default for
5411 the parameter varies depending on the setting of the \fIprinting\fR parameter.
5413 Default: For \fBprinting = BSD, AIX, QNX, LPRNG
5416 \fBprint command = lpr -r -P%p %s\fR
5418 For \fBprinting = SYSV or HPUX :\fR
5420 \fBprint command = lp -c -d%p %s; rm %s\fR
5422 For \fBprinting = SOFTQ :\fR
5424 \fBprint command = lp -d%p -s %s; rm %s\fR
5426 For printing = CUPS : If SAMBA is compiled against
5427 libcups, then printcap = cups
5428 uses the CUPS API to
5429 submit jobs, etc. Otherwise it maps to the System V
5430 commands with the -oraw option for printing, i.e. it
5431 uses \fBlp -c -d%p -oraw; rm %s\fR.
5432 With \fBprinting = cups\fR,
5433 and if SAMBA is compiled against libcups, any manually
5434 set print command will be ignored.
5436 Example: \fBprint command = /usr/local/samba/bin/myprintscript
5440 Synonym for \fIprintable\fR.
5443 If this parameter is yes, then
5444 clients may open, write to and submit spool files on the directory
5445 specified for the service.
5447 Note that a printable service will ALWAYS allow writing
5448 to the service path (user privileges permitting) via the spooling
5449 of print data. The \fIread only
5450 \fR parameter controls only non-printing access to
5453 Default: \fBprintable = no\fR
5456 Synonym for \fI printcap name\fR.
5458 \fBprintcap name (G)\fR
5459 This parameter may be used to override the
5460 compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR). See the discussion of the [printers] section above for reasons
5461 why you might want to do this.
5463 To use the CUPS printing interface set \fBprintcap name = cups
5464 \fR. This should be supplemented by an addtional setting
5465 printing = cups in the [global]
5466 section. \fBprintcap name = cups\fR will use the
5467 "dummy" printcap created by CUPS, as specified in your CUPS
5470 On System V systems that use \fBlpstat\fR to
5471 list available printers you can use \fBprintcap name = lpstat
5472 \fR to automatically obtain lists of available printers. This
5473 is the default for systems that define SYSV at configure time in
5474 Samba (this includes most System V based systems). If \fI printcap name\fR is set to \fBlpstat\fR on
5475 these systems then Samba will launch \fBlpstat -v\fR and
5476 attempt to parse the output to obtain a printer list.
5478 A minimal printcap file would look something like this:
5490 where the '|' separates aliases of a printer. The fact
5491 that the second alias has a space in it gives a hint to Samba
5492 that it's a comment.
5494 \fBNOTE\fR: Under AIX the default printcap
5495 name is \fI/etc/qconfig\fR. Samba will assume the
5496 file is in AIX \fIqconfig\fR format if the string
5497 \fIqconfig\fR appears in the printcap filename.
5499 Default: \fBprintcap name = /etc/printcap\fR
5501 Example: \fBprintcap name = /etc/myprintcap\fR
5503 \fBprinter admin (S)\fR
5504 This is a list of users that can do anything to
5505 printers via the remote administration interfaces offered by MS-RPC
5506 (usually using a NT workstation). Note that the root user always
5509 Default: \fBprinter admin = <empty string>\fR
5511 Example: \fBprinter admin = admin, @staff\fR
5513 \fBprinter driver (S)\fR
5514 \fBNote :\fRThis is a deprecated
5515 parameter and will be removed in the next major release
5516 following version 2.2. Please see the instructions in
5517 the Samba 2.2. Printing
5518 HOWTO for more information
5519 on the new method of loading printer drivers onto a Samba server.
5521 This option allows you to control the string
5522 that clients receive when they ask the server for the printer driver
5523 associated with a printer. If you are using Windows95 or Windows NT
5524 then you can use this to automate the setup of printers on your
5527 You need to set this parameter to the exact string (case
5528 sensitive) that describes the appropriate printer driver for your
5529 system. If you don't know the exact string to use then you should
5530 first try with no \fI printer driver\fR option set and the client will
5531 give you a list of printer drivers. The appropriate strings are
5532 shown in a scroll box after you have chosen the printer manufacturer.
5537 Example: \fBprinter driver = HP LaserJet 4L\fR
5539 \fBprinter driver file (G)\fR
5540 \fBNote :\fRThis is a deprecated
5541 parameter and will be removed in the next major release
5542 following version 2.2. Please see the instructions in
5543 the Samba 2.2. Printing
5544 HOWTO for more information
5545 on the new method of loading printer drivers onto a Samba server.
5547 This parameter tells Samba where the printer driver
5548 definition file, used when serving drivers to Windows 95 clients, is
5549 to be found. If this is not set, the default is :
5551 \fISAMBA_INSTALL_DIRECTORY
5552 /lib/printers.def\fR
5554 This file is created from Windows 95 \fImsprint.inf
5555 \fR files found on the Windows 95 client system. For more
5556 details on setting up serving of printer drivers to Windows 95
5557 clients, see the outdated documentation file in the \fIdocs/\fR
5558 directory, \fIPRINTER_DRIVER.txt\fR.
5560 See also \fI printer driver location\fR.
5562 Default: \fBNone (set in compile).\fR
5564 Example: \fBprinter driver file =
5565 /usr/local/samba/printers/drivers.def\fR
5567 \fBprinter driver location (S)\fR
5568 \fBNote :\fRThis is a deprecated
5569 parameter and will be removed in the next major release
5570 following version 2.2. Please see the instructions in
5571 the Samba 2.2. Printing
5572 HOWTO for more information
5573 on the new method of loading printer drivers onto a Samba server.
5575 This parameter tells clients of a particular printer
5576 share where to find the printer driver files for the automatic
5577 installation of drivers for Windows 95 machines. If Samba is set up
5578 to serve printer drivers to Windows 95 machines, this should be set to
5580 \fB\\\\MACHINE\\PRINTER$\fR
5582 Where MACHINE is the NetBIOS name of your Samba server,
5583 and PRINTER$ is a share you set up for serving printer driver
5584 files. For more details on setting this up see the outdated documentation
5585 file in the \fIdocs/\fR directory, \fI PRINTER_DRIVER.txt\fR.
5587 See also \fI printer driver file\fR.
5591 Example: \fBprinter driver location = \\\\MACHINE\\PRINTER$
5594 \fBprinter name (S)\fR
5595 This parameter specifies the name of the printer
5596 to which print jobs spooled through a printable service will be sent.
5598 If specified in the [global] section, the printer
5599 name given will be used for any printable service that does
5600 not have its own printer name specified.
5602 Default: \fBnone (but may be lp
5605 Example: \fBprinter name = laserwriter\fR
5608 Synonym for \fI printer name\fR.
5611 This parameters controls how printer status
5612 information is interpreted on your system. It also affects the
5613 default values for the \fIprint command\fR,
5614 \fIlpq command\fR, \fIlppause command
5615 \fR, \fIlpresume command\fR, and
5616 \fIlprm command\fR if specified in the
5619 Currently nine printing styles are supported. They are
5626 To see what the defaults are for the other print
5627 commands when using the various options use the testparm(1) program.
5629 This option can be set on a per printer basis
5631 See also the discussion in the [printers] section.
5633 \fBprivate dir (G)\fR
5634 This parameters defines the directory
5635 smbd will use for storing such files as \fIsmbpasswd\fR
5636 and \fIsecrets.tdb\fR.
5638 Default :\fBprivate dir = ${prefix}/private\fR
5641 Synonym for \fImax protocol\fR.
5644 Synonym for \fIguest
5647 \fBqueuepause command (S)\fR
5648 This parameter specifies the command to be
5649 executed on the server host in order to pause the printer queue.
5651 This command should be a program or script which takes
5652 a printer name as its only parameter and stops the printer queue,
5653 such that no longer jobs are submitted to the printer.
5655 This command is not supported by Windows for Workgroups,
5656 but can be issued from the Printers window under Windows 95
5659 If a \fI%p\fR is given then the printer name
5660 is put in its place. Otherwise it is placed at the end of the command.
5662 Note that it is good practice to include the absolute
5663 path in the command as the PATH may not be available to the
5666 Default: \fBdepends on the setting of \fIprinting
5669 Example: \fBqueuepause command = disable %p\fR
5671 \fBqueueresume command (S)\fR
5672 This parameter specifies the command to be
5673 executed on the server host in order to resume the printer queue. It
5674 is the command to undo the behavior that is caused by the
5675 previous parameter (\fI queuepause command\fR).
5677 This command should be a program or script which takes
5678 a printer name as its only parameter and resumes the printer queue,
5679 such that queued jobs are resubmitted to the printer.
5681 This command is not supported by Windows for Workgroups,
5682 but can be issued from the Printers window under Windows 95
5685 If a \fI%p\fR is given then the printer name
5686 is put in its place. Otherwise it is placed at the end of the
5689 Note that it is good practice to include the absolute
5690 path in the command as the PATH may not be available to the
5693 Default: \fBdepends on the setting of \fIprinting\fB\fR
5695 Example: \fBqueuepause command = enable %p
5699 This boolean parameter controls whether smbd(8) will support the "Read
5700 Block Multiplex" SMB. This is now rarely used and defaults to
5701 no. You should never need to set this
5704 Default: \fBread bmpx = no\fR
5707 This is a list of users that are given read-only
5708 access to a service. If the connecting user is in this list then
5709 they will not be given write access, no matter what the \fIread only\fR
5710 option is set to. The list can include group names using the
5711 syntax described in the \fI invalid users\fR parameter.
5713 See also the \fI write list\fR parameter and the \fIinvalid users\fR
5716 Default: \fBread list = <empty string>\fR
5718 Example: \fBread list = mary, @students\fR
5721 An inverted synonym is \fIwriteable\fR.
5723 If this parameter is yes, then users
5724 of a service may not create or modify files in the service's
5727 Note that a printable service (\fBprintable = yes\fR)
5728 will \fBALWAYS\fR allow writing to the directory
5729 (user privileges permitting), but only via spooling operations.
5731 Default: \fBread only = yes\fR
5734 This parameter controls whether or not the server
5735 will support the raw read SMB requests when transferring data
5738 If enabled, raw reads allow reads of 65535 bytes in
5739 one packet. This typically provides a major performance benefit.
5741 However, some clients either negotiate the allowable
5742 block size incorrectly or are incapable of supporting larger block
5743 sizes, and for these clients you may need to disable raw reads.
5745 In general this parameter should be viewed as a system tuning
5746 tool and left severely alone. See also \fIwrite raw\fR.
5748 Default: \fBread raw = yes\fR
5751 The option \fIread size\fR
5752 affects the overlap of disk reads/writes with network reads/writes.
5753 If the amount of data being transferred in several of the SMB
5754 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
5755 than this value then the server begins writing the data before it
5756 has received the whole packet from the network, or in the case of
5757 SMBreadbraw, it begins writing to the network before all the data
5758 has been read from disk.
5760 This overlapping works best when the speeds of disk and
5761 network access are similar, having very little effect when the
5762 speed of one is much greater than the other.
5764 The default value is 16384, but very little experimentation
5765 has been done yet to determine the optimal value, and it is likely
5766 that the best value will vary greatly between systems anyway.
5767 A value over 65536 is pointless and will cause you to allocate
5768 memory unnecessarily.
5770 Default: \fBread size = 16384\fR
5772 Example: \fBread size = 8192\fR
5775 This option specifies the kerberos realm to use. The realm is
5776 used as the ADS equivalent of the NT4\fBdomain\fR. It
5777 is usually set to the DNS name of the kerberos server.
5779 Default: \fBrealm = \fR
5781 Example: \fBrealm = mysambabox.mycompany.com\fR
5783 \fBremote announce (G)\fR
5784 This option allows you to setup nmbd(8) to periodically announce itself
5785 to arbitrary IP addresses with an arbitrary workgroup name.
5787 This is useful if you want your Samba server to appear
5788 in a remote workgroup for which the normal browse propagation
5789 rules don't work. The remote workgroup can be anywhere that you
5790 can send IP packets to.
5794 \fBremote announce = 192.168.2.255/SERVERS
5795 192.168.4.255/STAFF\fR
5797 the above line would cause \fBnmbd\fR to announce itself
5798 to the two given IP addresses using the given workgroup names.
5799 If you leave out the workgroup name then the one given in
5801 parameter is used instead.
5803 The IP addresses you choose would normally be the broadcast
5804 addresses of the remote networks, but can also be the IP addresses
5805 of known browse masters if your network config is that stable.
5807 See the documentation file \fIBROWSING.txt\fR
5808 in the \fIdocs/\fR directory.
5810 Default: \fBremote announce = <empty string>
5813 \fBremote browse sync (G)\fR
5814 This option allows you to setup nmbd(8) to periodically request
5815 synchronization of browse lists with the master browser of a Samba
5816 server that is on a remote segment. This option will allow you to
5817 gain browse lists for multiple workgroups across routed networks. This
5818 is done in a manner that does not work with any non-Samba servers.
5820 This is useful if you want your Samba server and all local
5821 clients to appear in a remote workgroup for which the normal browse
5822 propagation rules don't work. The remote workgroup can be anywhere
5823 that you can send IP packets to.
5827 \fBremote browse sync = 192.168.2.255 192.168.4.255
5830 the above line would cause \fBnmbd\fR to request
5831 the master browser on the specified subnets or addresses to
5832 synchronize their browse lists with the local server.
5834 The IP addresses you choose would normally be the broadcast
5835 addresses of the remote networks, but can also be the IP addresses
5836 of known browse masters if your network config is that stable. If
5837 a machine IP address is given Samba makes NO attempt to validate
5838 that the remote machine is available, is listening, nor that it
5839 is in fact the browse master on its segment.
5841 Default: \fBremote browse sync = <empty string>
5844 \fBrestrict anonymous (G)\fR
5845 This is a integer parameter, and
5846 mirrors as much as possible the functinality the
5848 registry key does on NT/Win2k.
5850 Default: \fBrestrict anonymous = 0\fR
5853 Synonym for \fIroot directory"\fR.
5856 Synonym for \fIroot directory"\fR.
5858 \fBroot directory (G)\fR
5859 The server will \fBchroot()\fR (i.e.
5860 Change its root directory) to this directory on startup. This is
5861 not strictly necessary for secure operation. Even without it the
5862 server will deny access to files not in one of the service entries.
5863 It may also check for, and deny access to, soft links to other
5864 parts of the filesystem, or attempts to use ".." in file names
5865 to access other directories (depending on the setting of the \fIwide links\fR
5868 Adding a \fIroot directory\fR entry other
5869 than "/" adds an extra level of security, but at a price. It
5870 absolutely ensures that no access is given to files not in the
5871 sub-tree specified in the \fIroot directory\fR
5872 option, \fBincluding\fR some files needed for
5873 complete operation of the server. To maintain full operability
5874 of the server you will need to mirror some system files
5875 into the \fIroot directory\fR tree. In particular
5876 you will need to mirror \fI/etc/passwd\fR (or a
5877 subset of it), and any binaries or configuration files needed for
5878 printing (if required). The set of files that must be mirrored is
5879 operating system dependent.
5881 Default: \fBroot directory = /\fR
5883 Example: \fBroot directory = /homes/smb\fR
5885 \fBroot postexec (S)\fR
5886 This is the same as the \fIpostexec\fR
5887 parameter except that the command is run as root. This
5888 is useful for unmounting filesystems
5889 (such as CDROMs) after a connection is closed.
5891 See also \fI postexec\fR.
5893 Default: \fBroot postexec = <empty string>
5896 \fBroot preexec (S)\fR
5897 This is the same as the \fIpreexec\fR
5898 parameter except that the command is run as root. This
5899 is useful for mounting filesystems (such as CDROMs) when a
5900 connection is opened.
5902 See also \fI preexec\fR and \fIpreexec close\fR.
5904 Default: \fBroot preexec = <empty string>
5907 \fBroot preexec close (S)\fR
5908 This is the same as the \fIpreexec close
5909 \fR parameter except that the command is run as root.
5911 See also \fI preexec\fR and \fIpreexec close\fR.
5913 Default: \fBroot preexec close = no\fR
5916 This option affects how clients respond to
5917 Samba and is one of the most important settings in the \fI smb.conf\fR file.
5919 The option sets the "security mode bit" in replies to
5920 protocol negotiations with smbd(8)
5921 to turn share level security on or off. Clients decide
5922 based on this bit whether (and how) to transfer user and password
5923 information to the server.
5925 The default is \fBsecurity = user\fR, as this is
5926 the most common setting needed when talking to Windows 98 and
5929 The alternatives are \fBsecurity = share\fR,
5930 \fBsecurity = server\fR or \fBsecurity = domain
5933 In versions of Samba prior to 2.0.0, the default was
5934 \fBsecurity = share\fR mainly because that was
5935 the only option at one stage.
5937 There is a bug in WfWg that has relevance to this
5938 setting. When in user or server level security a WfWg client
5939 will totally ignore the password you type in the "connect
5940 drive" dialog box. This makes it very difficult (if not impossible)
5941 to connect to a Samba service as anyone except the user that
5942 you are logged into WfWg as.
5944 If your PCs use usernames that are the same as their
5945 usernames on the UNIX machine then you will want to use
5946 \fBsecurity = user\fR. If you mostly use usernames
5947 that don't exist on the UNIX box then use \fBsecurity =
5950 You should also use \fBsecurity = share\fR if you
5951 want to mainly setup shares without a password (guest shares). This
5952 is commonly used for a shared printer server. It is more difficult
5953 to setup guest shares with \fBsecurity = user\fR, see
5954 the \fImap to guest\fR
5955 parameter for details.
5957 It is possible to use \fBsmbd\fR in a \fB hybrid mode\fR where it is offers both user and share
5958 level security under different \fINetBIOS aliases\fR.
5960 The different settings will now be explained.
5965 When clients connect to a share level security server they
5966 need not log onto the server with a valid username and password before
5967 attempting to connect to a shared resource (although modern clients
5968 such as Windows 95/98 and Windows NT will send a logon request with
5969 a username but no password when talking to a \fBsecurity = share
5970 \fR server). Instead, the clients send authentication information
5971 (passwords) on a per-share basis, at the time they attempt to connect
5974 Note that \fBsmbd\fR \fBALWAYS\fR
5975 uses a valid UNIX user to act on behalf of the client, even in
5976 \fBsecurity = share\fR level security.
5978 As clients are not required to send a username to the server
5979 in share level security, \fBsmbd\fR uses several
5980 techniques to determine the correct UNIX user to use on behalf
5983 A list of possible UNIX usernames to match with the given
5984 client password is constructed using the following methods :
5989 only\fR parameter is set, then all the other
5990 stages are missed and only the \fIguest account\fR username is checked.
5993 Is a username is sent with the share connection
5994 request, then this username (after mapping - see \fIusername map\fR),
5995 is added as a potential username.
5998 If the client did a previous \fBlogon
5999 \fR request (the SessionSetup SMB call) then the
6000 username sent in this SMB will be added as a potential username.
6003 The name of the service the client requested is
6004 added as a potential username.
6007 The NetBIOS name of the client is added to
6008 the list as a potential username.
6011 Any users on the \fI user\fR list are added as potential usernames.
6014 If the \fIguest only\fR parameter is
6015 not set, then this list is then tried with the supplied password.
6016 The first user for whom the password matches will be used as the
6019 If the \fIguest only\fR parameter is
6020 set, or no username can be determined then if the share is marked
6021 as available to the \fIguest account\fR, then this
6022 guest user will be used, otherwise access is denied.
6024 Note that it can be \fBvery\fR confusing
6025 in share-level security as to which UNIX username will eventually
6026 be used in granting access.
6028 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6033 This is the default security setting in Samba 2.2.
6034 With user-level security a client must first "log-on" with a
6035 valid username and password (which can be mapped using the \fIusername map\fR
6036 parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also
6037 be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and
6038 may change the UNIX user to use on this connection, but only after
6039 the user has been successfully authenticated.
6041 \fBNote\fR that the name of the resource being
6042 requested is \fBnot\fR sent to the server until after
6043 the server has successfully authenticated the client. This is why
6044 guest shares don't work in user level security without allowing
6045 the server to automatically map unknown users into the \fIguest account\fR.
6046 See the \fImap to guest\fR
6047 parameter for details on doing this.
6049 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6051 \fBSECURITY = SERVER
6054 In this mode Samba will try to validate the username/password
6055 by passing it to another SMB server, such as an NT box. If this
6056 fails it will revert to \fBsecurity = user\fR, but note
6057 that if encrypted passwords have been negotiated then Samba cannot
6058 revert back to checking the UNIX password file, it must have a valid
6059 \fIsmbpasswd\fR file to check users against. See the
6060 documentation file in the \fIdocs/\fR directory
6061 \fIENCRYPTION.txt\fR for details on how to set this
6064 \fBNote\fR that from the client's point of
6065 view \fBsecurity = server\fR is the same as \fB security = user\fR. It only affects how the server deals
6066 with the authentication, it does not in any way affect what the
6069 \fBNote\fR that the name of the resource being
6070 requested is \fBnot\fR sent to the server until after
6071 the server has successfully authenticated the client. This is why
6072 guest shares don't work in user level security without allowing
6073 the server to automatically map unknown users into the \fIguest account\fR.
6074 See the \fImap to guest\fR
6075 parameter for details on doing this.
6077 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6079 See also the \fIpassword
6080 server\fR parameter and the \fIencrypted passwords\fR
6083 \fBSECURITY = DOMAIN
6086 This mode will only work correctly if smbpasswd(8) has been used to add this
6087 machine into a Windows NT Domain. It expects the \fIencrypted passwords\fR
6088 parameter to be set to yes. In this
6089 mode Samba will try to validate the username/password by passing
6090 it to a Windows NT Primary or Backup Domain Controller, in exactly
6091 the same way that a Windows NT Server would do.
6093 \fBNote\fR that a valid UNIX user must still
6094 exist as well as the account on the Domain Controller to allow
6095 Samba to have a valid UNIX account to map file access to.
6097 \fBNote\fR that from the client's point
6098 of view \fBsecurity = domain\fR is the same as \fBsecurity = user
6099 \fR. It only affects how the server deals with the authentication,
6100 it does not in any way affect what the client sees.
6102 \fBNote\fR that the name of the resource being
6103 requested is \fBnot\fR sent to the server until after
6104 the server has successfully authenticated the client. This is why
6105 guest shares don't work in user level security without allowing
6106 the server to automatically map unknown users into the \fIguest account\fR.
6107 See the \fImap to guest\fR
6108 parameter for details on doing this.
6110 \fBBUG:\fR There is currently a bug in the
6111 implementation of \fBsecurity = domain\fR with respect
6112 to multi-byte character set usernames. The communication with a
6113 Domain Controller must be done in UNICODE and Samba currently
6114 does not widen multi-byte user names to UNICODE correctly, thus
6115 a multi-byte username will not be recognized correctly at the
6116 Domain Controller. This issue will be addressed in a future release.
6118 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6120 See also the \fIpassword
6121 server\fR parameter and the \fIencrypted passwords\fR
6124 Default: \fBsecurity = USER\fR
6126 Example: \fBsecurity = DOMAIN\fR
6128 \fBsecurity mask (S)\fR
6129 This parameter controls what UNIX permission
6130 bits can be modified when a Windows NT client is manipulating
6131 the UNIX permission on a file using the native NT security
6134 This parameter is applied as a mask (AND'ed with) to
6135 the changed permission bits, thus preventing any bits not in
6136 this mask from being modified. Essentially, zero bits in this
6137 mask may be treated as a set of bits the user is not allowed
6140 If not set explicitly this parameter is 0777, allowing
6141 a user to modify all the user/group/world permissions on a file.
6143 \fBNote\fR that users who can access the
6144 Samba server through other means can easily bypass this
6145 restriction, so it is primarily useful for standalone
6146 "appliance" systems. Administrators of most normal systems will
6147 probably want to leave it set to 0777.
6149 See also the \fIforce directory security mode\fR,
6151 security mask\fR, \fIforce security mode\fR parameters.
6153 Default: \fBsecurity mask = 0777\fR
6155 Example: \fBsecurity mask = 0770\fR
6157 \fBserver string (G)\fR
6158 This controls what string will show up in the
6159 printer comment box in print manager and next to the IPC connection
6160 in \fBnet view\fR. It can be any string that you wish
6161 to show to your users.
6163 It also sets what will appear in browse lists next
6164 to the machine name.
6166 A \fI%v\fR will be replaced with the Samba
6169 A \fI%h\fR will be replaced with the
6172 Default: \fBserver string = Samba %v\fR
6174 Example: \fBserver string = University of GNUs Samba
6177 \fBset directory (S)\fR
6178 If \fBset directory = no\fR, then
6179 users of the service may not use the setdir command to change
6182 The \fBsetdir\fR command is only implemented
6183 in the Digital Pathworks client. See the Pathworks documentation
6186 Default: \fBset directory = no\fR
6188 \fBshare modes (S)\fR
6189 This enables or disables the honoring of
6190 the \fIshare modes\fR during a file open. These
6191 modes are used by clients to gain exclusive read or write access
6194 These open modes are not directly supported by UNIX, so
6195 they are simulated using shared memory, or lock files if your
6196 UNIX doesn't support shared memory (almost all do).
6198 The share modes that are enabled by this option are
6200 DENY_READ, DENY_WRITE,
6201 DENY_NONE and DENY_FCB.
6203 This option gives full share compatibility and enabled
6206 You should \fBNEVER\fR turn this parameter
6207 off as many Windows applications will break if you do so.
6209 Default: \fBshare modes = yes\fR
6211 \fBshort preserve case (S)\fR
6212 This boolean parameter controls if new files
6213 which conform to 8.3 syntax, that is all in upper case and of
6214 suitable length, are created upper case, or if they are forced
6215 to be the \fIdefault case
6216 \fR. This option can be use with \fBpreserve case = yes\fR
6217 to permit long filenames to retain their case, while short
6220 See the section on NAME MANGLING.
6222 Default: \fBshort preserve case = yes\fR
6224 \fBshow add printer wizard (G)\fR
6225 With the introduction of MS-RPC based printing support
6226 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
6227 appear on Samba hosts in the share listing. Normally this folder will
6228 contain an icon for the MS Add Printer Wizard (APW). However, it is
6229 possible to disable this feature regardless of the level of privilege
6230 of the connected user.
6232 Under normal circumstances, the Windows NT/2000 client will
6233 open a handle on the printer server with OpenPrinterEx() asking for
6234 Administrator privileges. If the user does not have administrative
6235 access on the print server (i.e is not root or a member of the
6236 \fIprinter admin\fR group), the OpenPrinterEx()
6237 call fails and the client makes another open call with a request for
6238 a lower privilege level. This should succeed, however the APW
6239 icon will not be displayed.
6241 Disabling the \fIshow add printer wizard\fR
6242 parameter will always cause the OpenPrinterEx() on the server
6243 to fail. Thus the APW icon will never be displayed. \fB Note :\fRThis does not prevent the same user from having
6244 administrative privilege on an individual printer.
6246 See also \fIaddprinter
6247 command\fR, \fIdeleteprinter command\fR, \fIprinter admin\fR
6249 Default :\fBshow add printer wizard = yes\fR
6251 \fBshutdown script (G)\fR
6252 \fBThis parameter only exists in the HEAD cvs branch\fR
6253 This a full path name to a script called by
6255 should start a shutdown procedure.
6257 This command will be run as the user connected to the
6260 %m %t %r %f parameters are expanded
6262 \fI%m\fR will be substituted with the
6263 shutdown message sent to the server.
6265 \fI%t\fR will be substituted with the
6266 number of seconds to wait before effectively starting the
6269 \fI%r\fR will be substituted with the
6270 switch \fB-r\fR. It means reboot after shutdown
6273 \fI%f\fR will be substituted with the
6274 switch \fB-f\fR. It means force the shutdown
6275 even if applications do not respond for NT.
6277 Default: \fBNone\fR.
6279 Example: \fBabort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f\fR
6281 Shutdown script example:
6290 /sbin/shutdown $3 $4 +$time $1 &
6293 Shutdown does not return so we need to launch it in background.
6295 See also \fIabort shutdown script\fR.
6297 \fBsmb passwd file (G)\fR
6298 This option sets the path to the encrypted
6299 smbpasswd file. By default the path to the smbpasswd file
6300 is compiled into Samba.
6302 Default: \fBsmb passwd file = ${prefix}/private/smbpasswd
6305 Example: \fBsmb passwd file = /etc/samba/smbpasswd
6309 Specifies which ports the server should listen on
6312 Default: \fBsmb ports = 445 139\fR
6314 \fBsocket address (G)\fR
6315 This option allows you to control what
6316 address Samba will listen for connections on. This is used to
6317 support multiple virtual interfaces on the one server, each
6318 with a different configuration.
6320 By default Samba will accept connections on any
6323 Example: \fBsocket address = 192.168.2.20\fR
6325 \fBsocket options (G)\fR
6326 This option allows you to set socket options
6327 to be used when talking with the client.
6329 Socket options are controls on the networking layer
6330 of the operating systems which allow the connection to be
6333 This option will typically be used to tune your Samba
6334 server for optimal performance for your local network. There is
6335 no way that Samba can know what the optimal parameters are for
6336 your net, so you must experiment and choose them yourself. We
6337 strongly suggest you read the appropriate documentation for your
6338 operating system first (perhaps \fBman setsockopt\fR
6341 You may find that on some systems Samba will say
6342 "Unknown socket option" when you supply an option. This means you
6343 either incorrectly typed it or you need to add an include file
6344 to includes.h for your OS. If the latter is the case please
6345 send the patch to samba@samba.org <URL:mailto:samba@samba.org>.
6347 Any of the supported socket options may be combined
6348 in any way you like, as long as your OS allows it.
6350 This is the list of socket options currently settable
6385 Those marked with a \fB'*'\fR take an integer
6386 argument. The others can optionally take a 1 or 0 argument to enable
6387 or disable the option, by default they will be enabled if you
6388 don't specify 1 or 0.
6390 To specify an argument use the syntax SOME_OPTION = VALUE
6391 for example \fBSO_SNDBUF = 8192\fR. Note that you must
6392 not have any spaces before or after the = sign.
6394 If you are on a local network then a sensible option
6397 \fBsocket options = IPTOS_LOWDELAY\fR
6399 If you have a local network then you could try:
6401 \fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR
6403 If you are on a wide area network then perhaps try
6404 setting IPTOS_THROUGHPUT.
6406 Note that several of the options may cause your Samba
6407 server to fail completely. Use these options with caution!
6409 Default: \fBsocket options = TCP_NODELAY\fR
6411 Example: \fBsocket options = IPTOS_LOWDELAY\fR
6413 \fBsource environment (G)\fR
6414 This parameter causes Samba to set environment
6415 variables as per the content of the file named.
6417 If the value of this parameter starts with a "|" character
6418 then Samba will treat that value as a pipe command to open and
6419 will set the environment variables from the output of the pipe.
6421 The contents of the file or the output of the pipe should
6422 be formatted as the output of the standard Unix \fBenv(1)
6423 \fR command. This is of the form :
6425 Example environment entry:
6427 \fBSAMBA_NETBIOS_NAME = myhostname\fR
6429 Default: \fBNo default value\fR
6431 Examples: \fBsource environment = |/etc/smb.conf.sh
6434 Example: \fBsource environment =
6435 /usr/local/smb_env_vars\fR
6437 \fBuse spnego (G)\fR
6438 This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. As of samba 3.0alpha it must be set to "no" for these clients to join a samba domain controller. It can be set to "yes" to allow samba to participate in an AD domain controlled by a Windows2000 domain controller.
6440 Default: \fBuse spnego = yes\fR
6442 \fBstat cache (G)\fR
6443 This parameter determines if smbd(8) will use a cache in order to
6444 speed up case insensitive name mappings. You should never need
6445 to change this parameter.
6447 Default: \fBstat cache = yes\fR
6449 \fBstat cache size (G)\fR
6450 This parameter determines the number of
6451 entries in the \fIstat cache\fR. You should
6452 never need to change this parameter.
6454 Default: \fBstat cache size = 50\fR
6456 \fBstrict allocate (S)\fR
6457 This is a boolean that controls the handling of
6458 disk space allocation in the server. When this is set to yes
6459 the server will change from UNIX behaviour of not committing real
6460 disk storage blocks when a file is extended to the Windows behaviour
6461 of actually forcing the disk system to allocate real storage blocks
6462 when a file is created or extended to be a given size. In UNIX
6463 terminology this means that Samba will stop creating sparse files.
6464 This can be slow on some systems.
6466 When strict allocate is no the server does sparse
6467 disk block allocation when a file is extended.
6469 Setting this to yes can help Samba return
6470 out of quota messages on systems that are restricting the disk quota
6473 Default: \fBstrict allocate = no\fR
6475 \fBstrict locking (S)\fR
6476 This is a boolean that controls the handling of
6477 file locking in the server. When this is set to yes
6478 the server will check every read and write access for file locks, and
6479 deny access if locks exist. This can be slow on some systems.
6481 When strict locking is no the server does file
6482 lock checks only when the client explicitly asks for them.
6484 Well-behaved clients always ask for lock checks when it
6485 is important, so in the vast majority of cases \fBstrict
6486 locking = no\fR is preferable.
6488 Default: \fBstrict locking = no\fR
6490 \fBstrict sync (S)\fR
6491 Many Windows applications (including the Windows
6492 98 explorer shell) seem to confuse flushing buffer contents to
6493 disk with doing a sync to disk. Under UNIX, a sync call forces
6494 the process to be suspended until the kernel has ensured that
6495 all outstanding data in kernel disk buffers has been safely stored
6496 onto stable storage. This is very slow and should only be done
6497 rarely. Setting this parameter to no (the
6498 default) means that smbd ignores the Windows applications requests for
6499 a sync call. There is only a possibility of losing data if the
6500 operating system itself that Samba is running on crashes, so there is
6501 little danger in this default setting. In addition, this fixes many
6502 performance problems that people have reported with the new Windows98
6503 explorer shell file copies.
6505 See also the \fIsync
6506 always>\fR parameter.
6508 Default: \fBstrict sync = no\fR
6511 This is a boolean that controls whether to
6512 strip trailing dots off UNIX filenames. This helps with some
6513 CDROMs that have filenames ending in a single dot.
6515 Default: \fBstrip dot = no\fR
6517 \fBsync always (S)\fR
6518 This is a boolean parameter that controls
6519 whether writes will always be written to stable storage before
6520 the write call returns. If this is no then the server will be
6521 guided by the client's request in each write call (clients can
6522 set a bit indicating that a particular write should be synchronous).
6523 If this is yes then every write will be followed by a \fBfsync()
6524 \fR call to ensure the data is written to disk. Note that
6525 the \fIstrict sync\fR parameter must be set to
6526 yes in order for this parameter to have
6529 See also the \fIstrict
6532 Default: \fBsync always = no\fR
6535 This parameter maps how Samba debug messages
6536 are logged onto the system syslog logging levels. Samba debug
6537 level zero maps onto syslog LOG_ERR, debug
6538 level one maps onto LOG_WARNING, debug level
6539 two maps onto LOG_NOTICE, debug level three
6540 maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.
6542 This parameter sets the threshold for sending messages
6543 to syslog. Only messages with debug level less than this value
6544 will be sent to syslog.
6546 Default: \fBsyslog = 1\fR
6548 \fBsyslog only (G)\fR
6549 If this parameter is set then Samba debug
6550 messages are logged into the system syslog only, and not to
6551 the debug log files.
6553 Default: \fBsyslog only = no\fR
6555 \fBtemplate homedir (G)\fR
6556 When filling out the user information for a Windows NT
6557 user, the winbindd(8) daemon
6558 uses this parameter to fill in the home directory for that user.
6559 If the string \fI%D\fR is present it is substituted
6560 with the user's Windows NT domain name. If the string \fI%U
6561 \fR is present it is substituted with the user's Windows
6564 Default: \fBtemplate homedir = /home/%D/%U\fR
6566 \fBtemplate shell (G)\fR
6567 When filling out the user information for a Windows NT
6568 user, the winbindd(8) daemon
6569 uses this parameter to fill in the login shell for that user.
6571 Default: \fBtemplate shell = /bin/false\fR
6573 \fBtime offset (G)\fR
6574 This parameter is a setting in minutes to add
6575 to the normal GMT to local time conversion. This is useful if
6576 you are serving a lot of PCs that have incorrect daylight
6577 saving time handling.
6579 Default: \fBtime offset = 0\fR
6581 Example: \fBtime offset = 60\fR
6583 \fBtime server (G)\fR
6584 This parameter determines if
6585 nmbd(8) advertises itself as a time server to Windows
6588 Default: \fBtime server = no\fR
6590 \fBtimestamp logs (G)\fR
6591 Synonym for \fI debug timestamp\fR.
6593 \fBtotal print jobs (G)\fR
6594 This parameter accepts an integer value which defines
6595 a limit on the maximum number of print jobs that will be accepted
6596 system wide at any given time. If a print job is submitted
6597 by a client which will exceed this number, then smbd will return an
6598 error indicating that no space is available on the server. The
6599 default value of 0 means that no such limit exists. This parameter
6600 can be used to prevent a server from exceeding its capacity and is
6601 designed as a printing throttle. See also
6602 \fImax print jobs\fR.
6604 Default: \fBtotal print jobs = 0\fR
6606 Example: \fBtotal print jobs = 5000\fR
6609 Specifies whether Samba should try
6610 to use unicode on the wire by default. Note: This does NOT
6611 mean that samba will assume that the unix machine uses unicode!
6613 Default: \fBunicode = yes\fR
6615 \fBunix charset (G)\fR
6616 Specifies the charset the unix machine
6617 Samba runs on uses. Samba needs to know this in order to be able to
6618 convert text to the charsets other SMB clients use.
6620 Default: \fBunix charset = ASCII\fR
6622 Example: \fBunix charset = UTF8\fR
6624 \fBunix extensions(G)\fR
6625 This boolean parameter controls whether Samba
6626 implments the CIFS UNIX extensions, as defined by HP.
6627 These extensions enable Samba to better serve UNIX CIFS clients
6628 by supporting features such as symbolic links, hard links, etc...
6629 These extensions require a similarly enabled client, and are of
6630 no current use to Windows clients.
6632 Default: \fBunix extensions = no\fR
6634 \fBunix password sync (G)\fR
6635 This boolean parameter controls whether Samba
6636 attempts to synchronize the UNIX password with the SMB password
6637 when the encrypted SMB password in the smbpasswd file is changed.
6638 If this is set to yes the program specified in the \fIpasswd
6639 program\fRparameter is called \fBAS ROOT\fR -
6640 to allow the new UNIX password to be set without access to the
6641 old UNIX password (as the SMB password change code has no
6642 access to the old password cleartext, only the new).
6645 program\fR, \fI passwd chat\fR.
6647 Default: \fBunix password sync = no\fR
6649 \fBupdate encrypted (G)\fR
6650 This boolean parameter allows a user logging
6651 on with a plaintext password to have their encrypted (hashed)
6652 password in the smbpasswd file to be updated automatically as
6653 they log on. This option allows a site to migrate from plaintext
6654 password authentication (users authenticate with plaintext
6655 password over the wire, and are checked against a UNIX account
6656 database) to encrypted password authentication (the SMB
6657 challenge/response authentication mechanism) without forcing
6658 all users to re-enter their passwords via smbpasswd at the time the
6659 change is made. This is a convenience option to allow the change over
6660 to encrypted passwords to be made over a longer period. Once all users
6661 have encrypted representations of their passwords in the smbpasswd
6662 file this parameter should be set to no.
6664 In order for this parameter to work correctly the \fIencrypt passwords\fR
6665 parameter must be set to no when
6666 this parameter is set to yes.
6668 Note that even when this parameter is set a user
6669 authenticating to \fBsmbd\fR must still enter a valid
6670 password in order to connect correctly, and to update their hashed
6671 (smbpasswd) passwords.
6673 Default: \fBupdate encrypted = no\fR
6675 \fBuse client driver (S)\fR
6676 This parameter applies only to Windows NT/2000
6677 clients. It has no affect on Windows 95/98/ME clients. When
6678 serving a printer to Windows NT/2000 clients without first installing
6679 a valid printer driver on the Samba host, the client will be required
6680 to install a local printer driver. From this point on, the client
6681 will treat the print as a local printer and not a network printer
6682 connection. This is much the same behavior that will occur
6683 when \fBdisable spoolss = yes\fR.
6686 factor is that under normal circumstances, the NT/2000 client will
6687 attempt to open the network printer using MS-RPC. The problem is that
6688 because the client considers the printer to be local, it will attempt
6689 to issue the OpenPrinterEx() call requesting access rights associated
6690 with the logged on user. If the user possesses local administator rights
6691 but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
6692 call will fail. The result is that the client will now display an "Access
6693 Denied; Unable to connect" message in the printer queue window (even though
6694 jobs may successfully be printed).
6696 If this parameter is enabled for a printer, then any attempt
6697 to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
6698 to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
6699 call to succeed. \fBThis parameter MUST not be able enabled
6700 on a print share which has valid print driver installed on the Samba
6703 See also disable spoolss
6705 Default: \fBuse client driver = no\fR
6708 This global parameter determines if the tdb internals of Samba can
6709 depend on mmap working correctly on the running system. Samba requires a coherent
6710 mmap/read-write system memory cache. Currently only HPUX does not have such a
6711 coherent cache, and so this parameter is set to no by
6712 default on HPUX. On all other systems this parameter should be left alone. This
6713 parameter is provided to help the Samba developers track down problems with
6714 the tdb internal code.
6716 Default: \fBuse mmap = yes\fR
6718 \fBuse rhosts (G)\fR
6719 If this global parameter is yes, it specifies
6720 that the UNIX user's \fI.rhosts\fR file in their home directory
6721 will be read to find the names of hosts and users who will be allowed
6722 access without specifying a password.
6724 \fBNOTE:\fR The use of \fIuse rhosts
6725 \fR can be a major security hole. This is because you are
6726 trusting the PC to supply the correct username. It is very easy to
6727 get a PC to supply a false username. I recommend that the \fI use rhosts\fR option be only used if you really know what
6730 Default: \fBuse rhosts = no\fR
6733 Synonym for \fI username\fR.
6736 Synonym for \fI username\fR.
6739 Multiple users may be specified in a comma-delimited
6740 list, in which case the supplied password will be tested against
6741 each username in turn (left to right).
6743 The \fIusername\fR line is needed only when
6744 the PC is unable to supply its own username. This is the case
6745 for the COREPLUS protocol or where your users have different WfWg
6746 usernames to UNIX usernames. In both these cases you may also be
6747 better using the \\\\server\\share%user syntax instead.
6749 The \fIusername\fR line is not a great
6750 solution in many cases as it means Samba will try to validate
6751 the supplied password against each of the usernames in the
6752 \fIusername\fR line in turn. This is slow and
6753 a bad idea for lots of users in case of duplicate passwords.
6754 You may get timeouts or security breaches using this parameter
6757 Samba relies on the underlying UNIX security. This
6758 parameter does not restrict who can login, it just offers hints
6759 to the Samba server as to what usernames might correspond to the
6760 supplied password. Users can login as whoever they please and
6761 they will be able to do no more damage than if they started a
6762 telnet session. The daemon runs as the user that they log in as,
6763 so they cannot do anything that user cannot do.
6765 To restrict a service to a particular set of users you
6766 can use the \fIvalid users
6769 If any of the usernames begin with a '@' then the name
6770 will be looked up first in the NIS netgroups list (if Samba
6771 is compiled with netgroup support), followed by a lookup in
6772 the UNIX groups database and will expand to a list of all users
6773 in the group of that name.
6775 If any of the usernames begin with a '+' then the name
6776 will be looked up only in the UNIX groups database and will
6777 expand to a list of all users in the group of that name.
6779 If any of the usernames begin with a '&'then the name
6780 will be looked up only in the NIS netgroups database (if Samba
6781 is compiled with netgroup support) and will expand to a list
6782 of all users in the netgroup group of that name.
6784 Note that searching though a groups database can take
6785 quite some time, and some clients may time out during the
6788 See the section NOTE ABOUT
6789 USERNAME/PASSWORD VALIDATION for more information on how
6790 this parameter determines access to the services.
6792 Default: \fBThe guest account if a guest service,
6793 else <empty string>.\fR
6795 Examples:\fBusername = fred, mary, jack, jane,
6798 \fBusername level (G)\fR
6799 This option helps Samba to try and 'guess' at
6800 the real UNIX username, as many DOS clients send an all-uppercase
6801 username. By default Samba tries all lowercase, followed by the
6802 username with the first letter capitalized, and fails if the
6803 username is not found on the UNIX machine.
6805 If this parameter is set to non-zero the behavior changes.
6806 This parameter is a number that specifies the number of uppercase
6807 combinations to try while trying to determine the UNIX user name. The
6808 higher the number the more combinations will be tried, but the slower
6809 the discovery of usernames will be. Use this parameter when you have
6810 strange usernames on your UNIX machine, such as AstrangeUser
6813 Default: \fBusername level = 0\fR
6815 Example: \fBusername level = 5\fR
6817 \fBusername map (G)\fR
6818 This option allows you to specify a file containing
6819 a mapping of usernames from the clients to the server. This can be
6820 used for several purposes. The most common is to map usernames
6821 that users use on DOS or Windows machines to those that the UNIX
6822 box uses. The other is to map multiple users to a single username
6823 so that they can more easily share files.
6825 The map file is parsed line by line. Each line should
6826 contain a single UNIX username on the left then a '=' followed
6827 by a list of usernames on the right. The list of usernames on the
6828 right may contain names of the form @group in which case they
6829 will match any UNIX username in that group. The special client
6830 name '*' is a wildcard and matches any name. Each line of the
6831 map file may be up to 1023 characters long.
6833 The file is processed on each line by taking the
6834 supplied username and comparing it with each username on the right
6835 hand side of the '=' signs. If the supplied name matches any of
6836 the names on the right hand side then it is replaced with the name
6837 on the left. Processing then continues with the next line.
6839 If any line begins with a '#' or a ';' then it is
6842 If any line begins with an '!' then the processing
6843 will stop after that line if a mapping was done by the line.
6844 Otherwise mapping continues with every line being processed.
6845 Using '!' is most useful when you have a wildcard mapping line
6848 For example to map from the name admin
6849 or administrator to the UNIX name root you would use:
6851 \fBroot = admin administrator\fR
6853 Or to map anyone in the UNIX group system
6854 to the UNIX name sys you would use:
6858 You can have as many mappings as you like in a username
6861 If your system supports the NIS NETGROUP option then
6862 the netgroup database is checked before the \fI/etc/group
6863 \fR database for matching groups.
6865 You can map Windows usernames that have spaces in them
6866 by using double quotes around the name. For example:
6868 \fBtridge = "Andrew Tridgell"\fR
6870 would map the windows username "Andrew Tridgell" to the
6871 unix username "tridge".
6873 The following example would map mary and fred to the
6874 unix user sys, and map the rest to guest. Note the use of the
6875 \&'!' to tell Samba to stop processing if it gets a match on
6885 Note that the remapping is applied to all occurrences
6886 of usernames. Thus if you connect to \\\\server\\fred and fred is remapped to mary then you
6887 will actually be connecting to \\\\server\\mary and will need to
6888 supply a password suitable for mary not
6889 fred. The only exception to this is the
6890 username passed to the \fI password server\fR (if you have one). The password
6891 server will receive whatever username the client supplies without
6894 Also note that no reverse mapping is done. The main effect
6895 this has is with printing. Users who have been mapped may have
6896 trouble deleting print jobs as PrintManager under WfWg will think
6897 they don't own the print job.
6899 Default: \fBno username map\fR
6901 Example: \fBusername map = /usr/local/samba/lib/users.map
6904 \fBuse sendfile (S)\fR
6905 If this parameter is yes, and Samba
6906 was built with the --with-sendfile-support option, and the underlying operating
6907 system supports sendfile system call, then some SMB read calls (mainly ReadAndX
6908 and ReadRaw) will use the more efficient sendfile system call for files that
6909 are exclusively oplocked. This may make more efficient use of the system CPU's
6910 and cause Samba to be faster. This is off by default as it's effects are unknown
6913 Default: \fBuse sendfile = no\fR
6916 This boolean parameter is only available if
6917 Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to yes then Samba will attempt
6918 to add utmp or utmpx records (depending on the UNIX system) whenever a
6919 connection is made to a Samba server. Sites may use this to record the
6920 user connecting to a Samba share.
6922 Due to the requirements of the utmp record, we
6923 are required to create a unique identifier for the
6924 incoming user. Enabling this option creates an n^2
6925 algorithm to find this number. This may impede
6926 performance on large installations.
6928 See also the \fI utmp directory\fR parameter.
6930 Default: \fButmp = no\fR
6932 \fButmp directory(G)\fR
6933 This parameter is only available if Samba has
6934 been configured and compiled with the option \fB --with-utmp\fR. It specifies a directory pathname that is
6935 used to store the utmp or utmpx files (depending on the UNIX system) that
6936 record user connections to a Samba server. See also the \fIutmp\fR parameter. By default this is
6937 not set, meaning the system will use whatever utmp file the
6938 native system is set to use (usually
6939 \fI/var/run/utmp\fR on Linux).
6941 Default: \fBno utmp directory\fR
6943 Example: \fButmp directory = /var/run/utmp\fR
6945 \fBwtmp directory(G)\fR
6946 This parameter is only available if Samba has
6947 been configured and compiled with the option \fB --with-utmp\fR. It specifies a directory pathname that is
6948 used to store the wtmp or wtmpx files (depending on the UNIX system) that
6949 record user connections to a Samba server. The difference with
6950 the utmp directory is the fact that user info is kept after a user
6952 See also the \fIutmp\fR parameter. By default this is
6953 not set, meaning the system will use whatever utmp file the
6954 native system is set to use (usually
6955 \fI/var/run/wtmp\fR on Linux).
6957 Default: \fBno wtmp directory\fR
6959 Example: \fBwtmp directory = /var/log/wtmp\fR
6961 \fBvalid users (S)\fR
6962 This is a list of users that should be allowed
6963 to login to this service. Names starting with '@', '+' and '&'
6964 are interpreted using the same rules as described in the
6965 \fIinvalid users\fR parameter.
6967 If this is empty (the default) then any user can login.
6968 If a username is in both this list and the \fIinvalid
6969 users\fR list then access is denied for that user.
6971 The current servicename is substituted for \fI%S
6972 \fR. This is useful in the [homes] section.
6974 See also \fIinvalid users
6977 Default: \fBNo valid users list (anyone can login)
6980 Example: \fBvalid users = greg, @pcusers\fR
6983 This is a list of files and directories that
6984 are neither visible nor accessible. Each entry in the list must
6985 be separated by a '/', which allows spaces to be included
6986 in the entry. '*' and '?' can be used to specify multiple files
6987 or directories as in DOS wildcards.
6989 Each entry must be a unix path, not a DOS path and
6990 must \fBnot\fR include the unix directory
6993 Note that the \fIcase sensitive\fR option
6994 is applicable in vetoing files.
6996 One feature of the veto files parameter that it
6997 is important to be aware of is Samba's behaviour when
6998 trying to delete a directory. If a directory that is
6999 to be deleted contains nothing but veto files this
7000 deletion will \fBfail\fR unless you also set
7001 the \fIdelete veto files\fR parameter to
7004 Setting this parameter will affect the performance
7005 of Samba, as it will be forced to check all files and directories
7006 for a match as they are scanned.
7008 See also \fIhide files
7009 \fR and \fI case sensitive\fR.
7011 Default: \fBNo files or directories are vetoed.
7017 ; Veto any files containing the word Security,
7018 ; any ending in .tmp, and any directory containing the
7020 veto files = /*Security*/*.tmp/*root*/
7022 ; Veto the Apple specific files that a NetAtalk server
7024 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
7027 \fBveto oplock files (S)\fR
7028 This parameter is only valid when the \fIoplocks\fR
7029 parameter is turned on for a share. It allows the Samba administrator
7030 to selectively turn off the granting of oplocks on selected files that
7031 match a wildcarded list, similar to the wildcarded list used in the
7035 Default: \fBNo files are vetoed for oplock
7038 You might want to do this on files that you know will
7039 be heavily contended for by clients. A good example of this
7040 is in the NetBench SMB benchmark program, which causes heavy
7041 client contention for files ending in \fI.SEM\fR.
7042 To cause Samba not to grant oplocks on these files you would use
7043 the line (either in the [global] section or in the section for
7044 the particular NetBench share :
7046 Example: \fBveto oplock files = /*.SEM/
7050 This parameter specifies the directory
7051 to look in for vfs modules. The name of every \fBvfs object
7052 \fR will be prepended by this directory
7054 Default: \fBvfs path = \fR
7056 Example: \fBvfs path = /usr/lib/samba/vfs\fR
7058 \fBvfs object (S)\fR
7059 This parameter specifies a shared object files that
7060 are used for Samba VFS I/O operations. By default, normal
7061 disk I/O operations are used but these can be overloaded
7062 with one or more VFS objects.
7064 Default : \fBno value\fR
7066 \fBvfs options (S)\fR
7067 This parameter allows parameters to be passed
7068 to the vfs layer at initialization time.
7069 See also \fI vfs object\fR.
7071 Default : \fBno value\fR
7074 This allows you to override the volume label
7075 returned for a share. Useful for CDROMs with installation programs
7076 that insist on a particular volume label.
7078 Default: \fBthe name of the share\fR
7080 \fBwide links (S)\fR
7081 This parameter controls whether or not links
7082 in the UNIX file system may be followed by the server. Links
7083 that point to areas within the directory tree exported by the
7084 server are always allowed; this parameter controls access only
7085 to areas that are outside the directory tree being exported.
7087 Note that setting this parameter can have a negative
7088 effect on your server performance due to the extra system calls
7089 that Samba has to do in order to perform the link checks.
7091 Default: \fBwide links = yes\fR
7093 \fBwinbind cache time (G)\fR
7094 This parameter specifies the number of seconds the
7095 winbindd(8) daemon will cache
7096 user and group information before querying a Windows NT server
7099 Default: \fBwinbind cache type = 15\fR
7101 \fBwinbind enum users (G)\fR
7102 On large installations using
7103 winbindd(8) it may be
7104 necessary to suppress the enumeration of users through the
7106 \fBgetpwent()\fR and
7107 \fBendpwent()\fR group of system calls. If
7108 the \fIwinbind enum users\fR parameter is
7109 no, calls to the \fBgetpwent\fR system call
7110 will not return any data.
7112 \fBWarning:\fR Turning off user
7113 enumeration may cause some programs to behave oddly. For
7114 example, the finger program relies on having access to the
7115 full user list when searching for matching
7118 Default: \fBwinbind enum users = yes \fR
7120 \fBwinbind enum groups (G)\fR
7121 On large installations using
7122 winbindd(8) it may be
7123 necessary to suppress the enumeration of groups through the
7125 \fBgetgrent()\fR and
7126 \fBendgrent()\fR group of system calls. If
7127 the \fIwinbind enum groups\fR parameter is
7128 no, calls to the \fBgetgrent()\fR system
7129 call will not return any data.
7131 \fBWarning:\fR Turning off group
7132 enumeration may cause some programs to behave oddly.
7134 Default: \fBwinbind enum groups = yes \fR
7136 \fBwinbind gid (G)\fR
7137 The winbind gid parameter specifies the range of group
7138 ids that are allocated by the winbindd(8) daemon. This range of group ids should have no
7139 existing local or NIS groups within it as strange conflicts can
7142 Default: \fBwinbind gid = <empty string>
7145 Example: \fBwinbind gid = 10000-20000\fR
7147 \fBwinbind separator (G)\fR
7148 This parameter allows an admin to define the character
7149 used when listing a username of the form of \fIDOMAIN
7150 \fR\\\fIuser\fR. This parameter
7151 is only applicable when using the \fIpam_winbind.so\fR
7152 and \fInss_winbind.so\fR modules for UNIX services.
7154 Please note that setting this parameter to + causes problems
7155 with group membership at least on glibc systems, as the character +
7156 is used as a special character for NIS in /etc/group.
7158 Default: \fBwinbind separator = '\\'\fR
7160 Example: \fBwinbind separator = +\fR
7162 \fBwinbind uid (G)\fR
7163 The winbind gid parameter specifies the range of group
7164 ids that are allocated by the winbindd(8) daemon. This range of ids should have no
7165 existing local or NIS users within it as strange conflicts can
7168 Default: \fBwinbind uid = <empty string>
7171 Example: \fBwinbind uid = 10000-20000\fR
7173 \fBwinbind use default domain\fR
7175 \fBwinbind use default domain (G)\fR
7176 This parameter specifies whether the winbindd(8)
7177 daemon should operate on users without domain component in their username.
7178 Users without a domain component are treated as is part of the winbindd server's
7179 own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
7180 function in a way much closer to the way they would in a native unix system.
7182 Default: \fBwinbind use default domain = <no>
7185 Example: \fBwinbind use default domain = yes\fR
7188 When Samba is running as a WINS server this
7189 allows you to call an external program for all changes to the
7190 WINS database. The primary use for this option is to allow the
7191 dynamic update of external name resolution databases such as
7194 The wins hook parameter specifies the name of a script
7195 or executable that will be called as follows:
7197 \fBwins_hook operation name nametype ttl IP_list
7202 The first argument is the operation and is one
7203 of "add", "delete", or "refresh". In most cases the operation can
7204 be ignored as the rest of the parameters provide sufficient
7205 information. Note that "refresh" may sometimes be called when the
7206 name has not previously been added, in that case it should be treated
7210 The second argument is the NetBIOS name. If the
7211 name is not a legal name then the wins hook is not called.
7212 Legal names contain only letters, digits, hyphens, underscores
7216 The third argument is the NetBIOS name
7217 type as a 2 digit hexadecimal number.
7220 The fourth argument is the TTL (time to live)
7221 for the name in seconds.
7224 The fifth and subsequent arguments are the IP
7225 addresses currently registered for that name. If this list is
7226 empty then the name should be deleted.
7229 An example script that calls the BIND dynamic DNS update
7230 program \fBnsupdate\fR is provided in the examples
7231 directory of the Samba source code.
7233 \fBwins proxy (G)\fR
7234 This is a boolean that controls if nmbd(8) will respond to broadcast name
7235 queries on behalf of other hosts. You may need to set this
7236 to yes for some older clients.
7238 Default: \fBwins proxy = no\fR
7240 \fBwins server (G)\fR
7241 This specifies the IP address (or DNS name: IP
7242 address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on
7243 your network then you should set this to the WINS server's IP.
7245 You should point this at your WINS server if you have a
7246 multi-subnetted network.
7248 \fBNOTE\fR. You need to set up Samba to point
7249 to a WINS server if you have multiple subnets and wish cross-subnet
7250 browsing to work correctly.
7252 See the documentation file \fIBROWSING.txt\fR
7253 in the docs/ directory of your Samba source distribution.
7255 Default: \fBnot enabled\fR
7257 Example: \fBwins server = 192.9.200.1\fR
7259 \fBwins support (G)\fR
7260 This boolean controls if the
7261 nmbd(8) process in Samba will act as a WINS server. You should
7262 not set this to yes unless you have a multi-subnetted network and
7263 you wish a particular \fBnmbd\fR to be your WINS server.
7264 Note that you should \fBNEVER\fR set this to yes
7265 on more than one machine in your network.
7267 Default: \fBwins support = no\fR
7270 This controls what workgroup your server will
7271 appear to be in when queried by clients. Note that this parameter
7272 also controls the Domain name used with the \fBsecurity = domain\fR
7275 Default: \fBset at compile time to WORKGROUP\fR
7277 Example: \fBworkgroup = MYGROUP\fR
7280 Synonym for \fI writeable\fR for people who can't spell :-).
7282 \fBwrite cache size (S)\fR
7283 If this integer parameter is set to non-zero value,
7284 Samba will create an in-memory cache for each oplocked file
7285 (it does \fBnot\fR do this for
7286 non-oplocked files). All writes that the client does not request
7287 to be flushed directly to disk will be stored in this cache if possible.
7288 The cache is flushed onto disk when a write comes in whose offset
7289 would not fit into the cache or when the file is closed by the client.
7290 Reads for the file are also served from this cache if the data is stored
7293 This cache allows Samba to batch client writes into a more
7294 efficient write size for RAID disks (i.e. writes may be tuned to
7295 be the RAID stripe size) and can improve performance on systems
7296 where the disk subsystem is a bottleneck but there is free
7297 memory for userspace programs.
7299 The integer parameter specifies the size of this cache
7300 (per oplocked file) in bytes.
7302 Default: \fBwrite cache size = 0\fR
7304 Example: \fBwrite cache size = 262144\fR
7306 for a 256k cache size per file.
7308 \fBwrite list (S)\fR
7309 This is a list of users that are given read-write
7310 access to a service. If the connecting user is in this list then
7311 they will be given write access, no matter what the \fIread only\fR
7312 option is set to. The list can include group names using the
7315 Note that if a user is in both the read list and the
7316 write list then they will be given write access.
7318 See also the \fIread list
7321 Default: \fBwrite list = <empty string>
7324 Example: \fBwrite list = admin, root, @staff
7327 \fBwins partners (G)\fR
7328 A space separated list of partners' IP addresses for
7329 WINS replication. WINS partners are always defined as push/pull
7330 partners as defining only one way WINS replication is unreliable.
7331 WINS replication is currently experimental and unreliable between
7334 Default: \fBwins partners = \fR
7336 Example: \fBwins partners = 192.168.0.1 172.16.1.2\fR
7339 Inverted synonym for \fI read only\fR.
7342 This parameter controls whether or not the server
7343 will support raw write SMB's when transferring data from clients.
7344 You should never need to change this parameter.
7346 Default: \fBwrite raw = yes\fR
7349 Inverted synonym for \fI read only\fR.
7352 Although the configuration file permits service names
7353 to contain spaces, your client software may not. Spaces will
7354 be ignored in comparisons anyway, so it shouldn't be a
7355 problem - but be aware of the possibility.
7357 On a similar note, many clients - especially DOS clients -
7358 limit service names to eight characters. smbd(8)
7359 has no such limitation, but attempts to connect from such
7360 clients will fail if they truncate the service names. For this reason
7361 you should probably keep your service names down to eight characters
7364 Use of the [homes] and [printers] special sections make life
7365 for an administrator easy, but the various combinations of default
7366 attributes can be tricky. Take extreme care when designing these
7367 sections. In particular, ensure that the permissions on spool
7368 directories are correct.
7371 This man page is correct for version 3.0 of
7386 The original Samba software and related utilities
7387 were created by Andrew Tridgell. Samba is now developed
7388 by the Samba Team as an Open Source project similar
7389 to the way the Linux kernel is developed.
7391 The original Samba man pages were written by Karl Auer.
7392 The man page sources were converted to YODL format (another
7393 excellent piece of Open Source software, available at
7394 ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
7395 release by Jeremy Allison. The conversion to DocBook for
7396 Samba 2.2 was done by Gerald Carter