1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.77+"></HEAD
28 >smb.conf -- The configuration file for the Samba suite</DIV
40 > file is a configuration
41 file for the Samba suite. <TT
45 runtime configuration information for the Samba programs. The <TT
49 is designed to be configured and administered by the <SPAN
55 > program. The complete
56 description of the file format and possible parameters held within
57 are here for reference purposes.</P
67 >The file consists of sections and parameters. A section
68 begins with the name of the section in square brackets and continues
69 until the next section begins. Sections contain parameters of the
85 >The file is line-based - that is, each newline-terminated
86 line represents either a comment, a section name or a parameter.</P
88 >Section and parameter names are not case sensitive.</P
90 >Only the first equals sign in a parameter is significant.
91 Whitespace before or after the first equals sign is discarded.
92 Leading, trailing and internal whitespace in section and parameter
93 names is irrelevant. Leading and trailing whitespace in a parameter
94 value is discarded. Internal whitespace within a parameter value
95 is retained verbatim.</P
97 >Any line beginning with a semicolon (';') or a hash ('#')
98 character is ignored, as are lines containing only whitespace.</P
100 >Any line ending in a '\' is continued
101 on the next line in the customary UNIX fashion.</P
103 >The values following the equals sign in parameters are all
104 either a string (no quotes needed) or a boolean, which may be given
105 as yes/no, 0/1 or true/false. Case is not significant in boolean
106 values, but is preserved in string values. Some items such as
107 create modes are numeric.</P
115 >SECTION DESCRIPTIONS</H2
117 >Each section in the configuration file (except for the
118 [global] section) describes a shared resource (known
119 as a "share"). The section name is the name of the
120 shared resource and the parameters within the section define
121 the shares attributes.</P
123 >There are three special sections, [global],
124 [homes] and [printers], which are
125 described under <SPAN
132 following notes apply to ordinary section descriptions.</P
134 >A share consists of a directory to which access is being
135 given plus a description of the access rights which are granted
136 to the user of the service. Some housekeeping options are
139 >Sections are either file share services (used by the
140 client as an extension of their native file systems) or
141 printable services (used by the client to access print services
142 on the host running the server).</P
144 >Sections may be designated <SPAN
151 in which case no password is required to access them. A specified
158 > is used to define access
159 privileges in this case.</P
161 >Sections other than guest services will require a password
162 to access them. The client provides the username. As older clients
163 only provide passwords and not usernames, you may specify a list
164 of usernames to check against the password using the "user ="
165 option in the share definition. For modern clients such as
166 Windows 95/98/ME/NT/2000, this should not be necessary.</P
168 >Note that the access rights granted by the server are
169 masked by the access rights granted to the specified or guest
170 UNIX user by the host system. The server does not grant more
171 access than the host system grants.</P
173 >The following sample section defines a file space share.
174 The user has write access to the path <TT
178 The share is accessed via the share name "foo":</P
182 CLASS="COMPUTEROUTPUT"
188 >The following sample section defines a printable share.
189 The share is readonly, but printable. That is, the only write
190 access permitted is via calls to open, write to and close a
191 spool file. The <SPAN
198 access will be permitted as the default guest user (specified
203 CLASS="COMPUTEROUTPUT"
205 path = /usr/spool/public
217 >SPECIAL SECTIONS</H2
224 >The [global] section</H3
226 >parameters in this section apply to the server
227 as a whole, or are defaults for sections which do not
228 specifically define certain items. See the notes
229 under PARAMETERS for more information.</P
237 >The [homes] section</H3
239 >If a section called homes is included in the
240 configuration file, services connecting clients to their
241 home directories can be created on the fly by the server.</P
243 >When the connection request is made, the existing
244 sections are scanned. If a match is found, it is used. If no
245 match is found, the requested section name is treated as a
246 user name and looked up in the local password file. If the
247 name exists and the correct password has been given, a share is
248 created by cloning the [homes] section.</P
250 >Some modifications are then made to the newly
257 >The share name is changed from homes to
258 the located username.</P
262 >If no path was given, the path is set to
263 the user's home directory.</P
267 >If you decide to use a <SPAN
274 in your [homes] section then you may find it useful
275 to use the %S macro. For example :</P
280 >path = /data/pchome/%S</B
284 >would be useful if you have different home directories
285 for your PCs than for UNIX access.</P
287 >This is a fast and simple way to give a large number
288 of clients access to their home directories with a minimum
291 >A similar process occurs if the requested section
292 name is "homes", except that the share name is not
293 changed to that of the requesting user. This method of using
294 the [homes] section works well if different users share
297 >The [homes] section can specify all the parameters
298 a normal service section can specify, though some make more sense
299 than others. The following is a typical and suitable [homes]
304 CLASS="COMPUTEROUTPUT"
309 >An important point is that if guest access is specified
310 in the [homes] section, all home directories will be
311 visible to all clients <SPAN
315 >without a password</I
318 In the very unlikely event that this is actually desirable, it
319 would be wise to also specify <SPAN
335 auto home directories will be inherited from the global browseable
336 flag, not the [homes] browseable flag. This is useful as
337 it means setting <SPAN
344 the [homes] section will hide the [homes] share but make
345 any auto home directories visible.</P
353 >The [printers] section</H3
355 >This section works like [homes],
358 >If a [printers] section occurs in the
359 configuration file, users are able to connect to any printer
360 specified in the local host's printcap file.</P
362 >When a connection request is made, the existing sections
363 are scanned. If a match is found, it is used. If no match is found,
364 but a [homes] section exists, it is used as described
365 above. Otherwise, the requested section name is treated as a
366 printer name and the appropriate printcap file is scanned to see
367 if the requested section name is a valid printer share name. If
368 a match is found, a new printer share is created by cloning
369 the [printers] section.</P
371 >A few modifications are then made to the newly created
378 >The share name is set to the located printer
383 >If no printer name was given, the printer name
384 is set to the located printer name</P
388 >If the share does not permit guest access and
389 no username was given, the username is set to the located
394 >Note that the [printers] service MUST be
395 printable - if you specify otherwise, the server will refuse
396 to load the configuration file.</P
398 >Typically the path specified would be that of a
399 world-writeable spool directory with the sticky bit set on
400 it. A typical [printers] entry would look like
405 CLASS="COMPUTEROUTPUT"
407 path = /usr/spool/public
412 >All aliases given for a printer in the printcap file
413 are legitimate printer names as far as the server is concerned.
414 If your printing subsystem doesn't work like that, you will have
415 to set up a pseudo-printcap. This is a file consisting of one or
416 more lines like this:</P
420 CLASS="COMPUTEROUTPUT"
421 >alias|alias|alias|alias... </TT
424 >Each alias should be an acceptable printer name for
425 your printing subsystem. In the [global] section, specify
426 the new file as your printcap. The server will then only recognize
427 names found in your pseudo-printcap, which of course can contain
428 whatever aliases you like. The same technique could be used
429 simply to limit access to a subset of your local printers.</P
431 >An alias, by the way, is defined as any component of the
432 first entry of a printcap record. Records are separated by newlines,
433 components (if there are more than one) are separated by vertical
434 bar symbols ('|').</P
436 >NOTE: On SYSV systems which use lpstat to determine what
437 printers are defined on the system you may be able to use
438 "printcap name = lpstat" to automatically obtain a list
439 of printers. See the "printcap name" option
451 >parameters define the specific attributes of sections.</P
453 >Some parameters are specific to the [global] section
460 >). Some parameters are usable
461 in all sections (e.g., <SPAN
468 are permissible only in normal sections. For the purposes of the
469 following descriptions the [homes] and [printers]
470 sections will be considered normal. The letter <SPAN
477 in parentheses indicates that a parameter is specific to the
478 [global] section. The letter <SPAN
485 indicates that a parameter can be specified in a service specific
486 section. Note that all <SPAN
492 > parameters can also be specified in
493 the [global] section - in which case they will define
494 the default behavior for all services.</P
496 >parameters are arranged here in alphabetical order - this may
497 not create best bedfellows, but at least you can find them! Where
498 there are synonyms, the preferred synonym is described, others refer
499 to the preferred synonym.</P
507 >VARIABLE SUBSTITUTIONS</H2
509 >Many of the strings that are settable in the config file
510 can take substitutions. For example the option "path =
511 /tmp/%u" would be interpreted as "path =
512 /tmp/john" if the user connected with the username john.</P
514 >These substitutions are mostly noted in the descriptions below,
515 but there are some general substitutions which apply whenever they
516 might be relevant. These are:</P
526 >session user name (the user name that the client
527 wanted, not necessarily the same as the one they got).</P
533 >primary group name of %U.</P
539 >the Internet hostname that Samba is running
546 >the NetBIOS name of the client machine
553 >the NetBIOS name of the server. This allows you
554 to change your config based on what the client calls you. Your
555 server can have a "dual personality".</P
557 >Note that this parameter is not available when Samba listens
558 on port 445, as clients no longer send this information </P
564 >the Internet name of the client machine.
571 >the selected protocol level after
572 protocol negotiation. It can be one of CORE, COREPLUS,
573 LANMAN1, LANMAN2 or NT1.</P
579 >The process id of the current server
586 >the architecture of the remote
587 machine. Only some are recognized, and those may not be
588 100% reliable. It currently recognizes Samba, WfWg, Win95,
589 WinNT and Win2k. Anything else will be known as
590 "UNKNOWN". If it gets it wrong then sending a level
592 HREF="mailto:samba@samba.org"
596 > should allow it to be fixed.</P
602 >The IP address of the client machine.</P
608 >the current date and time.</P
614 >Name of the domain or workgroup of the current user.</P
625 >The value of the environment variable
636 >The following substitutes apply only to some configuration options(only those
637 that are used when a connection has been established):</P
647 >the name of the current service, if any.</P
653 >the root directory of the current service,
660 >user name of the current service, if any.</P
666 >primary group name of %u.</P
672 >the home directory of the user given
679 >the name of your NIS home directory server.
680 This is obtained from your NIS auto.map entry. If you have
681 not compiled Samba with the <SPAN
688 option then this value will be the same as %L.</P
694 >the path of the service's home directory,
695 obtained from your NIS auto.map entry. The NIS auto.map entry
696 is split up as "%N:%p".</P
701 >There are some quite creative things that can be done
702 with these substitutions and other smb.conf options.</P
712 >Samba supports "name mangling" so that DOS and
713 Windows clients can use files that don't conform to the 8.3 format.
714 It can also be set to adjust the case of 8.3 format filenames.</P
716 >There are several options that control the way mangling is
717 performed, and they are grouped here rather than listed separately.
718 For the defaults look at the output of the testparm program. </P
720 >All of these options can be set separately for each service
721 (or globally, of course). </P
723 >The options are: </P
730 >mangle case = yes/no</DT
733 > controls if names that have characters that
734 aren't of the "default" case are mangled. For example,
735 if this is yes then a name like "Mail" would be mangled.
745 >case sensitive = yes/no</DT
748 >controls whether filenames are case sensitive. If
749 they aren't then Samba must do a filename search and match on passed
759 >default case = upper/lower</DT
762 >controls what the default case is for new
763 filenames. Default <SPAN
772 >preserve case = yes/no</DT
775 >controls if new files are created with the
776 case that the client passes, or if they are forced to be the
777 "default" case. Default <SPAN
787 >short preserve case = yes/no</DT
790 >controls if new files which conform to 8.3 syntax,
791 that is all in upper case and of suitable length, are created
792 upper case, or if they are forced to be the "default"
793 case. This option can be use with "preserve case = yes"
794 to permit long filenames to retain their case, while short names
795 are lowercased. Default <SPAN
806 >By default, Samba 3.0 has the same semantics as a Windows
807 NT server, in that it is case insensitive but case preserving.</P
815 >NOTE ABOUT USERNAME/PASSWORD VALIDATION</H2
817 >There are a number of ways in which a user can connect
818 to a service. The server uses the following steps in determining
819 if it will allow a connection to a specified service. If all the
820 steps fail, then the connection request is rejected. However, if one of the
821 steps succeeds, then the following steps are not checked.</P
823 >If the service is marked "guest only = yes" and the
824 server is running with share-level security ("security = share")
825 then steps 1 to 5 are skipped.</P
832 >If the client has passed a username/password
833 pair and that username/password pair is validated by the UNIX
834 system's password programs then the connection is made as that
835 username. Note that this includes the
846 >If the client has previously registered a username
847 with the system and now supplies a correct password for that
848 username then the connection is allowed.</P
852 >The client's NetBIOS name and any previously
853 used user names are checked against the supplied password, if
854 they match then the connection is allowed as the corresponding
859 >If the client has previously validated a
860 username/password pair with the server and the client has passed
861 the validation token then that username is used. </P
865 >If a "user = " field is given in the
869 > file for the service and the client
870 has supplied a password, and that password matches (according to
871 the UNIX system's password checking) with one of the usernames
872 from the "user =" field then the connection is made as
873 the username in the "user =" line. If one
874 of the username in the "user =" list begins with a
875 '@' then that name expands to a list of names in
876 the group of the same name.</P
880 >If the service is a guest service then a
881 connection is made as the username given in the "guest
882 account =" for the service, irrespective of the
883 supplied password.</P
893 >COMPLETE LIST OF GLOBAL PARAMETERS</H2
895 >Here is a list of all global parameters. See the section of
896 each parameter for details. Note that some are synonyms.</P
903 HREF="#ABORTSHUTDOWNSCRIPT"
907 >abort shutdown script</I
915 HREF="#ADDGROUPSCRIPT"
927 HREF="#ADDPRINTERCOMMAND"
931 >addprinter command</I
939 HREF="#ADDSHARECOMMAND"
943 >add share command</I
951 HREF="#ADDUSERSCRIPT"
963 HREF="#ADDUSERTOGROUPSCRIPT"
967 >add user to group script</I
975 HREF="#ADDMACHINESCRIPT"
979 >add machine script</I
987 HREF="#DELETEGROUPSCRIPT"
991 >delete group script</I
1011 HREF="#ALGORITHMICRIDBASE"
1015 >algorithmic rid base</I
1023 HREF="#ALLOWTRUSTEDDOMAINS"
1027 >allow trusted domains</I
1047 HREF="#ANNOUNCEVERSION"
1051 >announce version</I
1071 HREF="#AUTOSERVICES"
1083 HREF="#BINDINTERFACESONLY"
1087 >bind interfaces only</I
1107 HREF="#CHANGENOTIFYTIMEOUT"
1111 >change notify timeout</I
1119 HREF="#CHANGESHARECOMMAND"
1123 >change share command</I
1155 HREF="#DEBUGHIRESTIMESTAMP"
1159 >debug hires timestamp</I
1179 HREF="#DEBUGTIMESTAMP"
1227 HREF="#DEFAULTSERVICE"
1239 HREF="#DELETEPRINTERCOMMAND"
1243 >deleteprinter command</I
1251 HREF="#DELETESHARECOMMAND"
1255 >delete share command</I
1263 HREF="#DELETEUSERSCRIPT"
1267 >delete user script</I
1275 HREF="#DELETEUSERFROMGROUPSCRIPT"
1279 >delete user from group script</I
1287 HREF="#DFREECOMMAND"
1299 HREF="#DISABLENETBIOS"
1311 HREF="#DISABLESPOOLSS"
1323 HREF="#DISPLAYCHARSET"
1347 HREF="#DOMAINLOGONS"
1359 HREF="#DOMAINMASTER"
1383 HREF="#ENCRYPTPASSWORDS"
1387 >encrypt passwords</I
1395 HREF="#ENHANCEDBROWSING"
1399 >enhanced browsing</I
1407 HREF="#ENUMPORTSCOMMAND"
1411 >enumports command</I
1431 HREF="#HIDELOCALUSERS"
1435 >hide local users</I
1443 HREF="#HIDEUNREADABLE"
1455 HREF="#HIDEUNWRITEABLEFILES"
1459 >hide unwriteable files</I
1467 HREF="#HIDESPECIALFILES"
1471 >hide special files</I
1503 HREF="#HOSTNAMELOOKUPS"
1507 >hostname lookups</I
1551 HREF="#KERNELOPLOCKS"
1575 HREF="#LARGEREADWRITE"
1659 HREF="#LDAPUSERSUFFIX"
1663 >ldap user suffix</I
1671 HREF="#LDAPMACHINESUFFIX"
1675 >ldap machine suffix</I
1683 HREF="#LDAPPASSWDSYNC"
1687 >ldap passwd sync</I
1695 HREF="#LDAPTRUSTIDS"
1731 HREF="#LOADPRINTERS"
1767 HREF="#LOCKDIRECTORY"
1779 HREF="#LOCKSPINCOUNT"
1791 HREF="#LOCKSPINTIME"
1803 HREF="#PIDDIRECTORY"
1887 HREF="#LPQCACHETIME"
1899 HREF="#MACHINEPASSWORDTIMEOUT"
1903 >machine password timeout</I
1911 HREF="#MANGLEDSTACK"
1971 HREF="#MAXOPENFILES"
1995 HREF="#MAXSMBDPROCESSES"
1999 >max smbd processes</I
2043 HREF="#MESSAGECOMMAND"
2055 HREF="#MINPASSWDLENGTH"
2059 >min passwd length</I
2067 HREF="#MINPASSWORDLENGTH"
2071 >min password length</I
2103 HREF="#NAMECACHETIMEOUT"
2107 >name cache timeout</I
2115 HREF="#NAMERESOLVEORDER"
2119 >name resolve order</I
2127 HREF="#NETBIOSALIASES"
2151 HREF="#NETBIOSSCOPE"
2187 HREF="#NONUNIXACCOUNTRANGE"
2191 >non unix account range</I
2199 HREF="#NTPIPESUPPORT"
2211 HREF="#NTSTATUSSUPPORT"
2215 >nt status support</I
2223 HREF="#NULLPASSWORDS"
2235 HREF="#OBEYPAMRESTRICTIONS"
2239 >obey pam restrictions</I
2247 HREF="#OPLOCKBREAKWAITTIME"
2251 >oplock break wait time</I
2271 HREF="#OS2DRIVERMAP"
2283 HREF="#PAMPASSWORDCHANGE"
2287 >pam password change</I
2307 HREF="#PARANOIDSERVERSECURITY"
2311 >paranoid server security</I
2319 HREF="#PASSDBBACKEND"
2343 HREF="#PASSWDCHATDEBUG"
2347 >passwd chat debug</I
2355 HREF="#PASSWDPROGRAM"
2367 HREF="#PASSWORDLEVEL"
2379 HREF="#PASSWORDSERVER"
2391 HREF="#PREFEREDMASTER"
2403 HREF="#PREFERREDMASTER"
2407 >preferred master</I
2439 HREF="#PRINTCAPNAME"
2451 HREF="#PRINTERDRIVERFILE"
2455 >printer driver file</I
2535 HREF="#REMOTEANNOUNCE"
2547 HREF="#REMOTEBROWSESYNC"
2551 >remote browse sync</I
2559 HREF="#RESTRICTANONYMOUS"
2563 >restrict anonymous</I
2595 HREF="#ROOTDIRECTORY"
2619 HREF="#SERVERSTRING"
2631 HREF="#SHOWADDPRINTERWIZARD"
2635 >show add printer wizard</I
2643 HREF="#SHUTDOWNSCRIPT"
2655 HREF="#SMBPASSWDFILE"
2679 HREF="#SOCKETADDRESS"
2691 HREF="#SOCKETOPTIONS"
2703 HREF="#SOURCEENVIRONMENT"
2707 >source environment</I
2739 HREF="#STATCACHESIZE"
2787 HREF="#TEMPLATEHOMEDIR"
2791 >template homedir</I
2799 HREF="#TEMPLATESHELL"
2835 HREF="#TIMESTAMPLOGS"
2847 HREF="#TOTALPRINTJOBS"
2851 >total print jobs</I
2883 HREF="#UNIXEXTENSIONS"
2895 HREF="#UNIXPASSWORDSYNC"
2899 >unix password sync</I
2907 HREF="#UPDATEENCRYPTED"
2911 >update encrypted</I
2955 HREF="#USERNAMELEVEL"
2991 HREF="#UTMPDIRECTORY"
3003 HREF="#WTMPDIRECTORY"
3015 HREF="#WINBINDCACHETIME"
3019 >winbind cache time</I
3027 HREF="#WINBINDENUMUSERS"
3031 >winbind enum users</I
3039 HREF="#WINBINDENUMGROUPS"
3043 >winbind enum groups</I
3063 HREF="#WINBINDSEPARATOR"
3067 >winbind separator</I
3087 HREF="#WINBINDUSEDEFAULTDOMAIN"
3091 >winbind use default domain</I
3111 HREF="#WINSPARTNERS"
3188 >COMPLETE LIST OF SERVICE PARAMETERS</H2
3190 >Here is a list of all service parameters. See the section on
3191 each parameter for details. Note that some are synonyms.</P
3234 HREF="#BLOCKINGLOCKS"
3282 HREF="#CASESENSITIVE"
3294 HREF="#CASESIGNAMES"
3378 HREF="#DEFAULTDEVMODE"
3390 HREF="#DELETEREADONLY"
3402 HREF="#DELETEVETOFILES"
3406 >delete veto files</I
3438 HREF="#DIRECTORYMASK"
3450 HREF="#DIRECTORYMODE"
3462 HREF="#DIRECTORYSECURITYMASK"
3466 >directory security mask</I
3498 HREF="#DOSFILETIMERESOLUTION"
3502 >dos filetime resolution</I
3510 HREF="#DOSFILETIMES"
3534 HREF="#FAKEDIRECTORYCREATETIMES"
3538 >fake directory create times</I
3558 HREF="#FOLLOWSYMLINKS"
3570 HREF="#FORCECREATEMODE"
3574 >force create mode</I
3582 HREF="#FORCEDIRECTORYMODE"
3586 >force directory mode</I
3594 HREF="#FORCEDIRECTORYSECURITYMODE"
3598 >force directory security mode</I
3618 HREF="#FORCESECURITYMODE"
3622 >force security mode</I
3666 HREF="#GUESTACCOUNT"
3702 HREF="#HIDEDOTFILES"
3774 HREF="#INHERITPERMISSIONS"
3778 >inherit permissions</I
3786 HREF="#INVALIDUSERS"
3798 HREF="#LEVEL2OPLOCKS"
3822 HREF="#LPPAUSECOMMAND"
3846 HREF="#LPRESUMECOMMAND"
3850 >lpresume command</I
3918 HREF="#MANGLEDNAMES"
3930 HREF="#MANGLINGCHAR"
3942 HREF="#MANGLINGMETHOD"
3990 HREF="#MAXCONNECTIONS"
4002 HREF="#MAXPRINTJOBS"
4014 HREF="#MINPRINTSPACE"
4050 HREF="#NTACLSUPPORT"
4086 HREF="#OPLOCKCONTENTIONLIMIT"
4090 >oplock contention limit</I
4122 HREF="#POSIXLOCKING"
4170 HREF="#PREEXECCLOSE"
4182 HREF="#PRESERVECASE"
4194 HREF="#PRINTCOMMAND"
4242 HREF="#PRINTERADMIN"
4254 HREF="#PRINTERDRIVER"
4266 HREF="#PRINTERDRIVERLOCATION"
4270 >printer driver location</I
4314 HREF="#QUEUEPAUSECOMMAND"
4318 >queuepause command</I
4326 HREF="#QUEUERESUMECOMMAND"
4330 >queueresume command</I
4362 HREF="#ROOTPOSTEXEC"
4386 HREF="#ROOTPREEXECCLOSE"
4390 >root preexec close</I
4398 HREF="#SECURITYMASK"
4410 HREF="#SETDIRECTORY"
4434 HREF="#SHORTPRESERVECASE"
4438 >short preserve case</I
4446 HREF="#STRICTALLOCATE"
4458 HREF="#STRICTLOCKING"
4494 HREF="#USECLIENTDRIVER"
4498 >use client driver</I
4566 HREF="#VETOOPLOCKFILES"
4570 >veto oplock files</I
4650 HREF="#WRITECACHESIZE"
4654 >write cache size</I
4703 >EXPLANATION OF EACH PARAMETER</H2
4707 CLASS="VARIABLELIST"
4711 NAME="ABORTSHUTDOWNSCRIPT"
4713 >>abort shutdown script (G)</DT
4720 >This parameter only exists in the HEAD cvs branch</I
4723 This a full path name to a script called by <SPAN
4724 CLASS="CITEREFENTRY"
4726 CLASS="REFENTRYTITLE"
4730 should stop a shutdown procedure issued by the <A
4731 HREF="#SHUTDOWNSCRIPT"
4740 >This command will be run as user.</P
4752 >abort shutdown script = /sbin/shutdown -c</B
4757 NAME="ADDPRINTERCOMMAND"
4759 >>addprinter command (G)</DT
4762 >With the introduction of MS-RPC based printing
4763 support for Windows NT/2000 clients in Samba 2.2, The MS Add
4764 Printer Wizard (APW) icon is now also available in the
4765 "Printers..." folder displayed a share listing. The APW
4766 allows for printers to be add remotely to a Samba or Windows
4767 NT/2000 print server.</P
4769 >For a Samba host this means that the printer must be
4770 physically added to the underlying printing system. The <TT
4776 > defines a script to be run which
4777 will perform the necessary operations for adding the printer
4778 to the print system and to add the appropriate service definition
4782 > file in order that it can be
4784 CLASS="CITEREFENTRY"
4786 CLASS="REFENTRYTITLE"
4794 >addprinter command</I
4797 automatically invoked with the following parameter (in
4852 >Windows 9x driver location</I
4859 >All parameters are filled in from the PRINTER_INFO_2 structure sent
4860 by the Windows NT/2000 client with one exception. The "Windows 9x
4861 driver location" parameter is included for backwards compatibility
4862 only. The remaining fields in the structure are generated from answers
4863 to the APW questions.</P
4868 >addprinter command</I
4874 > will reparse the <TT
4877 > to determine if the share defined by the APW
4878 exists. If the sharename is still invalid, then <B
4882 > will return an ACCESS_DENIED error to the client.</P
4885 HREF="#DELETEPRINTERCOMMAND"
4889 > deleteprinter command</I
4902 HREF="#SHOWADDPRINTERWIZARD"
4922 >addprinter command = /usr/bin/addprinter
4928 NAME="ADDSHARECOMMAND"
4930 >>add share command (G)</DT
4933 >Samba 2.2.0 introduced the ability to dynamically
4934 add and delete shares via the Windows NT 4.0 Server Manager. The
4938 >add share command</I
4940 > is used to define an
4941 external program or script which will add a new service definition
4945 >. In order to successfully
4949 >add share command</I
4955 requires that the administrator be connected using a root account (i.e.
4962 > will automatically invoke the
4966 >add share command</I
4968 > with four parameters.
4994 > - the name of the new
5005 > - path to an **existing**
5016 > - comment string to associate
5022 > This parameter is only used for add file shares. To add printer shares,
5024 HREF="#ADDPRINTERCOMMAND"
5036 HREF="#CHANGESHARECOMMAND"
5045 HREF="#DELETESHARECOMMAND"
5066 >add share command = /usr/local/bin/addshare</B
5071 NAME="ADDMACHINESCRIPT"
5073 >>add machine script (G)</DT
5076 >This is the full pathname to a script that will
5078 CLASS="CITEREFENTRY"
5080 CLASS="REFENTRYTITLE"
5083 > when a machine is added
5084 to it's domain using the administrator username and password method. </P
5086 >This option is only required when using sam back-ends tied to the
5087 Unix uid method of RID calculation such as smbpasswd. This option is only
5088 available in Samba 3.0.</P
5092 >add machine script = <empty string>
5098 >add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
5106 >>ads server (G)</DT
5109 >If this option is specified, samba does
5110 not try to figure out what ads server to use itself, but
5111 uses the specified ads server. Either one DNS name or IP
5112 address can be used.</P
5121 >ads server = 192.168.1.2</B
5126 NAME="ADDUSERSCRIPT"
5128 >>add user script (G)</DT
5131 >This is the full pathname to a script that will
5139 CLASS="CITEREFENTRY"
5141 CLASS="REFENTRYTITLE"
5144 > under special circumstances described below.</P
5146 >Normally, a Samba server requires that UNIX users are
5147 created for all users accessing files on this server. For sites
5148 that use Windows NT account databases as their primary user database
5149 creating these users and keeping the user list in sync with the
5150 Windows NT PDC is an onerous task. This option allows <A
5154 > to create the required UNIX users
5161 > when a user accesses the Samba server.</P
5163 >In order to use this option, <SPAN
5164 CLASS="CITEREFENTRY"
5166 CLASS="REFENTRYTITLE"
5178 >security = share</I
5187 must be set to a full pathname for a script that will create a UNIX
5188 user given one argument of <TT
5193 >, which expands into
5194 the UNIX user name to create.</P
5196 >When the Windows user attempts to access the Samba server,
5197 at login (session setup in the SMB protocol) time, <SPAN
5198 CLASS="CITEREFENTRY"
5200 CLASS="REFENTRYTITLE"
5209 attempts to authenticate the given user with the given password. If the
5210 authentication succeeds then <B
5214 attempts to find a UNIX user in the UNIX password database to map the
5215 Windows user into. If this lookup fails, and <TT
5225 call the specified script <SPAN
5237 > argument to be the user name to create.</P
5239 >If this script successfully creates the user then <B
5243 > will continue on as though the UNIX user
5244 already existed. In this way, UNIX users are dynamically created to
5245 match existing Windows NT accounts.</P
5256 HREF="#PASSWORDSERVER"
5265 HREF="#DELETEUSERSCRIPT"
5277 >add user script = <empty string>
5283 >add user script = /usr/local/samba/bin/add_user
5289 NAME="ADDGROUPSCRIPT"
5291 >>add group script (G)</DT
5294 >This is the full pathname to a script that will
5302 CLASS="CITEREFENTRY"
5304 CLASS="REFENTRYTITLE"
5307 > when a new group is
5308 requested. It will expand any
5314 > to the group name passed.
5315 This script is only useful for installations using the
5316 Windows NT domain administration tools. The script is
5317 free to create a group with an arbitrary name to
5318 circumvent unix group name restrictions. In that case
5319 the script must print the numeric gid of the created
5327 >>admin users (S)</DT
5330 >This is a list of users who will be granted
5331 administrative privileges on the share. This means that they
5332 will do all file operations as the super-user (root).</P
5334 >You should use this option very carefully, as any user in
5335 this list will be able to do anything they like on the share,
5336 irrespective of file permissions.</P
5348 >admin users = jason</B
5353 NAME="ADDUSERTOGROUPSCRIPT"
5355 >>add user to group script (G)</DT
5358 >Full path to the script that will be called when
5359 a user is added to a group using the Windows NT domain administration
5360 tools. It will be run by <SPAN
5361 CLASS="CITEREFENTRY"
5363 CLASS="REFENTRYTITLE"
5378 > will be replaced with the group name and
5384 > will be replaced with the user name.
5389 >add user to group script = </B
5394 >add user to group script = /usr/sbin/adduser %u %g</B
5401 >>allow hosts (S)</DT
5416 NAME="ALGORITHMICRIDBASE"
5418 >>algorithmic rid base (G)</DT
5421 >This determines how Samba will use its
5422 algorithmic mapping from uids/gid to the RIDs needed to construct
5423 NT Security Identifiers.</P
5425 >Setting this option to a larger value could be useful to sites
5426 transitioning from WinNT and Win2k, as existing user and
5427 group rids would otherwise clash with sytem users etc.
5430 >All UIDs and GIDs must be able to be resolved into SIDs for
5431 the correct operation of ACLs on the server. As such the algorithmic
5432 mapping can't be 'turned off', but pushing it 'out of the way' should
5433 resolve the issues. Users and groups can then be assigned 'low' RIDs
5434 in arbitary-rid supporting backends. </P
5438 >algorithmic rid base = 1000</B
5443 >algorithmic rid base = 100000</B
5448 NAME="ALLOWTRUSTEDDOMAINS"
5450 >>allow trusted domains (G)</DT
5453 >This option only takes effect when the <A
5469 If it is set to no, then attempts to connect to a resource from
5470 a domain or workgroup other than the one which <A
5475 in will fail, even if that domain is trusted by the remote server
5476 doing the authentication.</P
5478 >This is useful if you only want your Samba server to
5479 serve resources to users in the domain it is a member of. As
5480 an example, suppose that there are two domains DOMA and DOMB. DOMB
5481 is trusted by DOMA, which contains the Samba server. Under normal
5482 circumstances, a user with an account in DOMB can then access the
5483 resources of a UNIX account with the same account name on the
5484 Samba server even if they do not have an account in DOMA. This
5485 can make implementing a security boundary difficult.</P
5489 >allow trusted domains = yes</B
5496 >>announce as (G)</DT
5499 >This specifies what type of server <SPAN
5500 CLASS="CITEREFENTRY"
5502 CLASS="REFENTRYTITLE"
5505 > will announce itself as, to a network neighborhood browse
5506 list. By default this is set to Windows NT. The valid options
5507 are : "NT Server" (which can also be written as "NT"),
5508 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
5509 Windows NT Workstation, Windows 95 and Windows for Workgroups
5510 respectively. Do not change this parameter unless you have a
5511 specific need to stop Samba appearing as an NT server as this
5512 may prevent Samba servers from participating as browser servers
5517 >announce as = NT Server</B
5522 >announce as = Win95</B
5527 NAME="ANNOUNCEVERSION"
5529 >>announce version (G)</DT
5532 >This specifies the major and minor version numbers
5533 that nmbd will use when announcing itself as a server. The default
5534 is 4.9. Do not change this parameter unless you have a specific
5535 need to set a Samba server to be a downlevel server.</P
5539 >announce version = 4.9</B
5544 >announce version = 2.0</B
5551 >>auto services (G)</DT
5554 >This is a synonym for the <A
5568 >>auth methods (G)</DT
5571 >This option allows the administrator to chose what
5572 authentication methods <B
5575 > will use when authenticating
5576 a user. This option defaults to sensible values based on <A
5586 Each entry in the list attempts to authenticate the user in turn, until
5587 the user authenticates. In practice only one method will ever actually
5588 be able to complete the authentication.
5593 >auth methods = <empty string></B
5598 >auth methods = guest sam ntdomain</B
5605 >>available (S)</DT
5608 >This parameter lets you "turn off" a service. If
5621 attempts to connect to the service will fail. Such failures are
5631 NAME="BINDINTERFACESONLY"
5633 >>bind interfaces only (G)</DT
5636 >This global parameter allows the Samba admin
5637 to limit what interfaces on a machine will serve SMB requests. It
5638 affects file service <SPAN
5639 CLASS="CITEREFENTRY"
5641 CLASS="REFENTRYTITLE"
5644 > and name service <SPAN
5645 CLASS="CITEREFENTRY"
5647 CLASS="REFENTRYTITLE"
5650 > in a slightly different ways.</P
5652 >For name service it causes <B
5656 to ports 137 and 138 on the interfaces listed in the <A
5663 > also binds to the "all addresses" interface (0.0.0.0)
5664 on ports 137 and 138 for the purposes of reading broadcast messages.
5665 If this option is not set then <B
5669 name requests on all of these sockets. If <TT
5679 source address of any packets coming in on the broadcast sockets
5680 and discard any that don't match the broadcast addresses of the
5681 interfaces in the <TT
5687 As unicast packets are received on the other sockets it allows
5691 > to refuse to serve names to machines that
5692 send packets that arrive through any interfaces not listed in the
5698 > list. IP Source address spoofing
5699 does defeat this simple check, however, so it must not be used
5700 seriously as a security feature for <B
5705 >For file service it causes <SPAN
5706 CLASS="CITEREFENTRY"
5708 CLASS="REFENTRYTITLE"
5711 > to bind only to the interface list
5715 > parameter. This restricts the networks that
5719 > will serve to packets coming in those
5720 interfaces. Note that you should not use this parameter for machines
5721 that are serving PPP or other intermittent or non-broadcast network
5722 interfaces as it will not cope with non-permanent interfaces.</P
5727 >bind interfaces only</I
5730 unless the network address <SPAN
5742 > parameter list <SPAN
5743 CLASS="CITEREFENTRY"
5745 CLASS="REFENTRYTITLE"
5749 CLASS="CITEREFENTRY"
5751 CLASS="REFENTRYTITLE"
5754 > may not work as expected due to the reasons covered below.</P
5756 >To change a users SMB password, the <B
5760 by default connects to the <SPAN
5764 >localhost - 127.0.0.1</I
5767 address as an SMB client to issue the password change request. If
5771 >bind interfaces only</I
5773 > is set then unless the
5774 network address <SPAN
5786 > parameter list then <B
5789 > will fail to connect in it's default mode.
5793 > can be forced to use the primary IP interface
5794 of the local host by using its <SPAN
5795 CLASS="CITEREFENTRY"
5797 CLASS="REFENTRYTITLE"
5817 to the IP name of the primary interface of the local host.</P
5822 > status page tries to connect with
5836 > to determine if they are running.
5850 "not running" even if they really are. This can prevent <B
5853 > from starting/stopping/restarting <B
5864 >bind interfaces only = no</B
5869 NAME="BLOCKINGLOCKS"
5871 >>blocking locks (S)</DT
5874 >This parameter controls the behavior
5876 CLASS="CITEREFENTRY"
5878 CLASS="REFENTRYTITLE"
5881 > when given a request by a client
5882 to obtain a byte range lock on a region of an open file, and the
5883 request has a time limit associated with it.</P
5885 >If this parameter is set and the lock range requested
5886 cannot be immediately satisfied, samba will internally
5887 queue the lock request, and periodically attempt to obtain
5888 the lock until the timeout period expires.</P
5890 >If this parameter is set to <TT
5894 samba will behave as previous versions of Samba would and
5895 will fail the lock request immediately if the lock range
5896 cannot be obtained.</P
5900 >blocking locks = yes</B
5907 >>block size (S)</DT
5910 >This parameter controls the behavior of <SPAN
5911 CLASS="CITEREFENTRY"
5913 CLASS="REFENTRYTITLE"
5916 > when reporting disk free
5917 sizes. By default, this reports a disk block size of 1024 bytes.
5920 >Changing this parameter may have some effect on the
5921 efficiency of client writes, this is not yet confirmed. This
5922 parameter was added to allow advanced administrators to change
5923 it (usually to a higher value) and test the effect it has on
5924 client write performance without re-compiling the code. As this
5925 is an experimental option it may be removed in a future release.
5928 >Changing this option does not change the disk free reporting
5929 size, just the block size unit reported to the client.</P
5935 >>browsable (S)</DT
5952 >>browse list (G)</DT
5955 >This controls whether <SPAN
5956 CLASS="CITEREFENTRY"
5958 CLASS="REFENTRYTITLE"
5961 > will serve a browse list to
5969 >. You should never need to change
5974 >browse list = yes</B
5981 >>browseable (S)</DT
5984 >This controls whether this share is seen in
5985 the list of available shares in a net view and in the browse list.</P
5989 >browseable = yes</B
5994 NAME="CASESENSITIVE"
5996 >>case sensitive (S)</DT
5999 >See the discussion in the section <A
6006 >case sensitive = no</B
6013 >>casesignames (S)</DT
6017 HREF="#CASESENSITIVE"
6024 NAME="CHANGENOTIFYTIMEOUT"
6026 >>change notify timeout (G)</DT
6029 >This SMB allows a client to tell a server to
6030 "watch" a particular directory for any changes and only reply to
6031 the SMB request when a change has occurred. Such constant scanning of
6032 a directory is expensive under UNIX, hence an <SPAN
6033 CLASS="CITEREFENTRY"
6035 CLASS="REFENTRYTITLE"
6038 > daemon only performs such a scan
6039 on each requested directory once every <TT
6049 >change notify timeout = 60</B
6054 >change notify timeout = 300</B
6057 >Would change the scan time to every 5 minutes.</P
6061 NAME="CHANGESHARECOMMAND"
6063 >>change share command (G)</DT
6066 >Samba 2.2.0 introduced the ability to dynamically
6067 add and delete shares via the Windows NT 4.0 Server Manager. The
6071 >change share command</I
6073 > is used to define an
6074 external program or script which will modify an existing service definition
6078 >. In order to successfully
6082 >change share command</I
6088 requires that the administrator be connected using a root account (i.e.
6095 > will automatically invoke the
6099 >change share command</I
6101 > with four parameters.
6127 > - the name of the new
6138 > - path to an **existing**
6149 > - comment string to associate
6155 > This parameter is only used modify existing file shares definitions. To modify
6156 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
6160 HREF="#ADDSHARECOMMAND"
6169 HREF="#DELETESHARECOMMAND"
6190 >change share command = /usr/local/bin/addshare</B
6197 >>comment (S)</DT
6200 >This is a text field that is seen next to a share
6201 when a client does a queries the server, either via the network
6202 neighborhood or via <B
6205 > to list what shares
6208 >If you want to set the string that is displayed next to the
6209 machine name then see the <A
6210 HREF="#SERVERSTRING"
6223 >No comment string</I
6229 >comment = Fred's Files</B
6236 >>config file (G)</DT
6239 >This allows you to override the config file
6240 to use, instead of the default (usually <TT
6244 There is a chicken and egg problem here as this option is set
6245 in the config file!</P
6247 >For this reason, if the name of the config file has changed
6248 when the parameters are loaded then it will reload them from
6249 the new config file.</P
6251 >This option takes the usual substitutions, which can
6254 >If the config file doesn't exist then it won't be loaded
6255 (allowing you to special case the config files of just a few
6260 >config file = /usr/local/samba/lib/smb.conf.%m
6271 >This parameter allows you to "clone" service
6272 entries. The specified service is simply duplicated under the
6273 current service's name. Any parameters specified in the current
6274 section will override those in the section being copied.</P
6276 >This feature lets you set up a 'template' service and
6277 create similar services easily. Note that the service being
6278 copied must occur earlier in the configuration file than the
6279 service doing the copying.</P
6291 >copy = otherservice</B
6298 >>create mask (S)</DT
6301 >A synonym for this parameter is
6313 >When a file is created, the necessary permissions are
6314 calculated according to the mapping from DOS modes to UNIX
6315 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
6316 with this parameter. This parameter may be thought of as a bit-wise
6317 MASK for the UNIX modes of a file. Any bit <SPAN
6324 set here will be removed from the modes set on a file when it is
6327 >The default value of this parameter removes the
6328 'group' and 'other' write and execute bits from the UNIX modes.</P
6330 >Following this Samba will bit-wise 'OR' the UNIX mode created
6331 from this parameter with the value of the <A
6332 HREF="#FORCECREATEMODE"
6336 >force create mode</I
6340 parameter which is set to 000 by default.</P
6342 >This parameter does not affect directory modes. See the
6344 HREF="#DIRECTORYMODE"
6355 HREF="#FORCECREATEMODE"
6363 > parameter for forcing particular mode
6364 bits to be set on created files. See also the <A
6365 HREF="#DIRECTORYMODE"
6372 > parameter for masking
6373 mode bits on created directories. See also the <A
6374 HREF="#INHERITPERMISSIONS"
6378 >inherit permissions</I
6383 >Note that this parameter does not apply to permissions
6384 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
6385 a mask on access control lists also, they need to set the <A
6386 HREF="#SECURITYMASK"
6397 >create mask = 0744</B
6402 >create mask = 0775</B
6409 >>create mode (S)</DT
6412 >This is a synonym for <A
6426 >>csc policy (S)</DT
6429 >This stands for <SPAN
6433 >client-side caching
6436 >, and specifies how clients capable of offline
6437 caching will cache the files in the share. The valid values
6438 are: manual, documents, programs, disable.</P
6440 >These values correspond to those used on Windows
6443 >For example, shares containing roaming profiles can have
6444 offline caching disabled using <B
6446 >csc policy = disable
6452 >csc policy = manual</B
6457 >csc policy = programs</B
6464 >>deadtime (G)</DT
6467 >The value of the parameter (a decimal integer)
6468 represents the number of minutes of inactivity before a connection
6469 is considered dead, and it is disconnected. The deadtime only takes
6470 effect if the number of open files is zero.</P
6472 >This is useful to stop a server's resources being
6473 exhausted by a large number of inactive connections.</P
6475 >Most clients have an auto-reconnect feature when a
6476 connection is broken so in most cases this parameter should be
6477 transparent to users.</P
6479 >Using this parameter with a timeout of a few minutes
6480 is recommended for most systems.</P
6482 >A deadtime of zero indicates that no auto-disconnection
6483 should be performed.</P
6497 NAME="DEBUGHIRESTIMESTAMP"
6499 >>debug hires timestamp (G)</DT
6502 >Sometimes the timestamps in the log messages
6503 are needed with a resolution of higher that seconds, this
6504 boolean parameter adds microsecond resolution to the timestamp
6505 message header when turned on.</P
6507 >Note that the parameter <A
6508 HREF="#DEBUGTIMESTAMP"
6512 > debug timestamp</I
6515 > must be on for this to have an
6520 >debug hires timestamp = no</B
6527 >>debug pid (G)</DT
6530 >When using only one log file for more then one
6535 >-process there may be hard to follow which process
6536 outputs which message. This boolean parameter is adds the process-id
6537 to the timestamp message headers in the logfile when turned on.</P
6539 >Note that the parameter <A
6540 HREF="#DEBUGTIMESTAMP"
6544 > debug timestamp</I
6547 > must be on for this to have an
6557 NAME="DEBUGTIMESTAMP"
6559 >>debug timestamp (G)</DT
6562 >Samba debug log messages are timestamped
6563 by default. If you are running at a high <A
6572 can be distracting. This boolean parameter allows timestamping
6573 to be turned off.</P
6577 >debug timestamp = yes</B
6584 >>debug uid (G)</DT
6587 >Samba is sometimes run as root and sometime
6588 run as the connected user, this boolean parameter inserts the
6589 current euid, egid, uid and gid to the timestamp message headers
6590 in the log file if turned on.</P
6592 >Note that the parameter <A
6593 HREF="#DEBUGTIMESTAMP"
6597 > debug timestamp</I
6600 > must be on for this to have an
6612 >>debuglevel (G)</DT
6629 >>default (G)</DT
6633 HREF="#DEFAULTSERVICE"
6637 > default service</I
6646 >>default case (S)</DT
6649 >See the section on <A
6653 HREF="#SHORTPRESERVECASE"
6657 >short preserve case</I
6664 >default case = lower</B
6669 NAME="DEFAULTDEVMODE"
6671 >>default devmode (S)</DT
6674 >This parameter is only applicable to <A
6677 > services. When smbd is serving
6678 Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
6679 server has a Device Mode which defines things such as paper size and
6680 orientation and duplex settings. The device mode can only correctly be
6681 generated by the printer driver itself (which can only be executed on a
6682 Win32 platform). Because smbd is unable to execute the driver code
6683 to generate the device mode, the default behavior is to set this field
6687 >Most problems with serving printer drivers to Windows NT/2k/XP clients
6688 can be traced to a problem with the generated device mode. Certain drivers
6689 will do things such as crashing the client's Explorer.exe with a NULL devmode.
6690 However, other printer drivers can cause the client's spooler service
6691 (spoolsv.exe) to die if the devmode was not created by the driver itself
6692 (i.e. smbd generates a default devmode).
6695 >This parameter should be used with care and tested with the printer
6696 driver in question. It is better to leave the device mode to NULL
6697 and let the Windows client set the correct values. Because drivers do not
6698 do this all the time, setting <B
6700 >default devmode = yes</B
6702 will instruct smbd to generate a default one.
6705 >For more information on Windows NT/2k printing and Device Modes,
6707 HREF="http://msdn.microsoft.com/"
6709 >MSDN documentation</A
6715 >default devmode = no</B
6720 NAME="DEFAULTSERVICE"
6722 >>default service (G)</DT
6725 >This parameter specifies the name of a service
6726 which will be connected to if the service actually requested cannot
6727 be found. Note that the square brackets are <SPAN
6734 given in the parameter value (see example below).</P
6736 >There is no default value for this parameter. If this
6737 parameter is not given, attempting to connect to a nonexistent
6738 service results in an error.</P
6740 >Typically the default service would be a <A
6758 >Also note that the apparent service name will be changed
6759 to equal that of the requested service, this is very useful as it
6760 allows you to use macros like <TT
6766 a wildcard service.</P
6768 >Note also that any "_" characters in the name of the service
6769 used in the default service will get mapped to a "/". This allows for
6770 interesting things.</P
6775 CLASS="PROGRAMLISTING"
6777 default service = pub
6785 NAME="DELETEGROUPSCRIPT"
6787 >>delete group script (G)</DT
6790 >This is the full pathname to a script that will
6798 CLASS="CITEREFENTRY"
6800 CLASS="REFENTRYTITLE"
6803 > when a group is requested to be deleted.
6804 It will expand any <TT
6809 > to the group name passed.
6810 This script is only useful for installations using the Windows NT domain administration tools.
6815 NAME="DELETEPRINTERCOMMAND"
6817 >>deleteprinter command (G)</DT
6820 >With the introduction of MS-RPC based printer
6821 support for Windows NT/2000 clients in Samba 2.2, it is now
6822 possible to delete printer at run time by issuing the
6823 DeletePrinter() RPC call.</P
6825 >For a Samba host this means that the printer must be
6826 physically deleted from underlying printing system. The <TT
6829 > deleteprinter command</I
6831 > defines a script to be run which
6832 will perform the necessary operations for removing the printer
6833 from the print system and from <TT
6842 >deleteprinter command</I
6845 automatically called with only one parameter: <TT
6855 >deleteprinter command</I
6861 > will reparse the <TT
6864 > to associated printer no longer exists.
6865 If the sharename is still valid, then <B
6869 > will return an ACCESS_DENIED error to the client.</P
6872 HREF="#ADDPRINTERCOMMAND"
6876 > addprinter command</I
6889 HREF="#SHOWADDPRINTERWIZARD"
6909 >deleteprinter command = /usr/bin/removeprinter
6915 NAME="DELETEREADONLY"
6917 >>delete readonly (S)</DT
6920 >This parameter allows readonly files to be deleted.
6921 This is not normal DOS semantics, but is allowed by UNIX.</P
6923 >This option may be useful for running applications such
6924 as rcs, where UNIX file ownership prevents changing file
6925 permissions, and DOS semantics prevent deletion of a read only file.</P
6929 >delete readonly = no</B
6934 NAME="DELETESHARECOMMAND"
6936 >>delete share command (G)</DT
6939 >Samba 2.2.0 introduced the ability to dynamically
6940 add and delete shares via the Windows NT 4.0 Server Manager. The
6944 >delete share command</I
6946 > is used to define an
6947 external program or script which will remove an existing service
6951 >. In order to successfully
6955 >delete share command</I
6961 requires that the administrator be connected using a root account (i.e.
6968 > will automatically invoke the
6972 >delete share command</I
6974 > with two parameters.
7001 the existing service.
7006 > This parameter is only used to remove file shares. To delete printer shares,
7008 HREF="#DELETEPRINTERCOMMAND"
7020 HREF="#ADDSHARECOMMAND"
7029 HREF="#CHANGESHARECOMMAND"
7050 >delete share command = /usr/local/bin/delshare</B
7055 NAME="DELETEUSERSCRIPT"
7057 >>delete user script (G)</DT
7060 >This is the full pathname to a script that will
7062 CLASS="CITEREFENTRY"
7064 CLASS="REFENTRYTITLE"
7067 > when managing users
7068 with remote RPC (NT) tools.
7071 >This script is called when a remote client removes a user
7072 from the server, normally using 'User Manager for Domains' or
7079 >This script should delete the given UNIX username.
7084 >delete user script = <empty string>
7090 >delete user script = /usr/local/samba/bin/del_user
7096 NAME="DELETEUSERFROMGROUPSCRIPT"
7098 >>delete user from group script (G)</DT
7101 >Full path to the script that will be called when
7102 a user is removed from a group using the Windows NT domain administration
7103 tools. It will be run by <SPAN
7104 CLASS="CITEREFENTRY"
7106 CLASS="REFENTRYTITLE"
7121 > will be replaced with the group name and
7127 > will be replaced with the user name.
7132 >delete user from group script = </B
7137 >delete user from group script = /usr/sbin/deluser %u %g</B
7142 NAME="DELETEVETOFILES"
7144 >>delete veto files (S)</DT
7147 >This option is used when Samba is attempting to
7148 delete a directory that contains one or more vetoed directories
7158 option). If this option is set to <TT
7161 > (the default) then if a vetoed
7162 directory contains any non-vetoed files or directories then the
7163 directory delete will fail. This is usually what you want.</P
7165 >If this option is set to <TT
7169 will attempt to recursively delete any files and directories within
7170 the vetoed directory. This can be useful for integration with file
7171 serving systems such as NetAtalk which create meta-files within
7172 directories you might normally veto DOS/Windows users from seeing
7180 >delete veto files = yes</B
7182 directories to be transparently deleted when the parent directory
7183 is deleted (so long as the user has permissions to do so).</P
7198 >delete veto files = no</B
7205 >>deny hosts (S)</DT
7223 >>dfree command (G)</DT
7232 only be used on systems where a problem occurs with the internal
7233 disk space calculations. This has been known to happen with Ultrix,
7234 but may occur with other operating systems. The symptom that was
7235 seen was an error of "Abort Retry Ignore" at the end of each
7236 directory listing.</P
7238 >This setting allows the replacement of the internal routines to
7239 calculate the total disk space and amount available with an external
7240 routine. The example below gives a possible script that might fulfill
7243 >The external program will be passed a single parameter indicating
7244 a directory in the filesystem being queried. This will typically consist
7248 >. The script should return two
7249 integers in ASCII. The first should be the total disk space in blocks,
7250 and the second should be the number of available blocks. An optional
7251 third return value can give the block size in bytes. The default
7252 blocksize is 1024 bytes.</P
7254 >Note: Your script should <SPAN
7261 setgid and should be owned by (and writeable only by) root!</P
7267 >By default internal routines for
7268 determining the disk capacity and remaining space will be used.
7275 >dfree command = /usr/local/samba/bin/dfree
7279 >Where the script dfree (which must be made executable) could be:</P
7282 CLASS="PROGRAMLISTING"
7285 df $1 | tail -1 | awk '{print $2" "$4}'</PRE
7288 >or perhaps (on Sys V based systems):</P
7291 CLASS="PROGRAMLISTING"
7294 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'</PRE
7297 >Note that you may have to replace the command names
7298 with full path names on some systems.</P
7304 >>directory (S)</DT
7320 NAME="DIRECTORYMASK"
7322 >>directory mask (S)</DT
7325 >This parameter is the octal modes which are
7326 used when converting DOS modes to UNIX modes when creating UNIX
7329 >When a directory is created, the necessary permissions are
7330 calculated according to the mapping from DOS modes to UNIX permissions,
7331 and the resulting UNIX mode is then bit-wise 'AND'ed with this
7332 parameter. This parameter may be thought of as a bit-wise MASK for
7333 the UNIX modes of a directory. Any bit <SPAN
7340 here will be removed from the modes set on a directory when it is
7343 >The default value of this parameter removes the 'group'
7344 and 'other' write bits from the UNIX mode, allowing only the
7345 user who owns the directory to modify it.</P
7347 >Following this Samba will bit-wise 'OR' the UNIX mode
7348 created from this parameter with the value of the <A
7349 HREF="#FORCEDIRECTORYMODE"
7353 >force directory mode
7357 > parameter. This parameter is set to 000 by
7358 default (i.e. no extra mode bits are added).</P
7360 >Note that this parameter does not apply to permissions
7361 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
7362 a mask on access control lists also, they need to set the <A
7363 HREF="#DIRECTORYSECURITYMASK"
7367 >directory security mask</I
7373 HREF="#FORCEDIRECTORYMODE"
7381 > parameter to cause particular mode
7382 bits to always be set on created directories.</P
7393 > parameter for masking mode bits on created files,
7395 HREF="#DIRECTORYSECURITYMASK"
7405 >Also refer to the <A
7406 HREF="#INHERITPERMISSIONS"
7410 > inherit permissions</I
7417 >directory mask = 0755</B
7422 >directory mask = 0775</B
7427 NAME="DIRECTORYMODE"
7429 >>directory mode (S)</DT
7433 HREF="#DIRECTORYMASK"
7444 NAME="DIRECTORYSECURITYMASK"
7446 >>directory security mask (S)</DT
7449 >This parameter controls what UNIX permission bits
7450 can be modified when a Windows NT client is manipulating the UNIX
7451 permission on a directory using the native NT security dialog
7454 >This parameter is applied as a mask (AND'ed with) to
7455 the changed permission bits, thus preventing any bits not in
7456 this mask from being modified. Essentially, zero bits in this
7457 mask may be treated as a set of bits the user is not allowed
7460 >If not set explicitly this parameter is set to 0777
7461 meaning a user is allowed to modify all the user/group/world
7462 permissions on a directory.</P
7470 > that users who can access the
7471 Samba server through other means can easily bypass this restriction,
7472 so it is primarily useful for standalone "appliance" systems.
7473 Administrators of most normal systems will probably want to leave
7474 it as the default of <TT
7480 HREF="#FORCEDIRECTORYSECURITYMODE"
7484 > force directory security mode</I
7488 HREF="#SECURITYMASK"
7497 HREF="#FORCESECURITYMODE"
7501 >force security mode
7509 >directory security mask = 0777</B
7514 >directory security mask = 0700</B
7519 NAME="DISABLENETBIOS"
7521 >>disable netbios (G)</DT
7524 >Enabling this parameter will disable netbios support
7525 in Samba. Netbios is the only available form of browsing in
7526 all windows versions except for 2000 and XP. </P
7528 >Note that clients that only support netbios won't be able to
7529 see your samba server when netbios support is disabled.
7534 >disable netbios = no</B
7539 >disable netbios = yes</B
7544 NAME="DISABLESPOOLSS"
7546 >>disable spoolss (G)</DT
7549 >Enabling this parameter will disable Samba's support
7550 for the SPOOLSS set of MS-RPC's and will yield identical behavior
7551 as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
7552 Lanman style printing commands. Windows 9x/ME will be uneffected by
7553 the parameter. However, this will also disable the ability to upload
7554 printer drivers to a Samba server via the Windows NT Add Printer
7555 Wizard or by using the NT printer properties dialog window. It will
7556 also disable the capability of Windows NT/2000 clients to download
7557 print drivers from the Samba host upon demand.
7562 >Be very careful about enabling this parameter.</I
7568 HREF="#USECLIENTDRIVER"
7569 >use client driver</A
7575 >disable spoolss = no</B
7580 NAME="DISPLAYCHARSET"
7582 >>display charset (G)</DT
7585 >Specifies the charset that samba will use
7586 to print messages to stdout and stderr and SWAT will use.
7587 Should generally be the same as the <B
7595 >display charset = ASCII</B
7600 >display charset = UTF8</B
7607 >>dns proxy (G)</DT
7610 >Specifies that <SPAN
7611 CLASS="CITEREFENTRY"
7613 CLASS="REFENTRYTITLE"
7616 > when acting as a WINS server and
7617 finding that a NetBIOS name has not been registered, should treat the
7618 NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server
7619 for that name on behalf of the name-querying client.</P
7621 >Note that the maximum length for a NetBIOS name is 15
7622 characters, so the DNS name (or DNS alias) can likewise only be
7623 15 characters, maximum.</P
7628 > spawns a second copy of itself to do the
7629 DNS name lookup requests, as doing a name lookup is a blocking
7632 >See also the parameter <A
7651 >>domain logons (G)</DT
7657 >, the Samba server will serve
7658 Windows 95/98 Domain logons for the <A
7666 > it is in. Samba 2.2
7667 has limited capability to act as a domain controller for Windows
7668 NT 4 Domains. For more details on setting up this feature see
7669 the Samba-PDC-HOWTO included in the <TT
7673 directory shipped with the source code.</P
7677 >domain logons = no</B
7684 >>domain master (G)</DT
7688 CLASS="CITEREFENTRY"
7690 CLASS="REFENTRYTITLE"
7693 > to enable WAN-wide browse list
7694 collation. Setting this option causes <B
7698 claim a special domain specific NetBIOS name that identifies
7699 it as a domain master browser for its given <A
7707 >. Local master browsers
7713 > on broadcast-isolated
7714 subnets will give this <B
7717 > their local browse lists,
7719 CLASS="CITEREFENTRY"
7721 CLASS="REFENTRYTITLE"
7724 > for a complete copy of the browse
7725 list for the whole wide area network. Browser clients will then contact
7726 their local master browser, and will receive the domain-wide browse list,
7727 instead of just the list for their broadcast-isolated subnet.</P
7729 >Note that Windows NT Primary Domain Controllers expect to be
7730 able to claim this <TT
7736 NetBIOS name that identifies them as domain master browsers for
7742 > by default (i.e. there is no
7743 way to prevent a Windows NT PDC from attempting to do this). This
7744 means that if this parameter is set and <B
7748 the special name for a <TT
7754 NT PDC is able to do so then cross subnet browsing will behave
7755 strangely and may fail.</P
7758 HREF="#DOMAINLOGONS"
7761 >domain logons = yes</B
7764 >, then the default behavior is to enable the <TT
7776 not enabled (the default setting), then neither will <TT
7782 > be enabled by default.</P
7786 >domain master = auto</B
7793 >>dont descend (S)</DT
7796 >There are certain directories on some systems
7800 > tree under Linux) that are either not
7801 of interest to clients or are infinitely deep (recursive). This
7802 parameter allows you to specify a comma-delimited list of directories
7803 that the server should always show as empty.</P
7805 >Note that Samba can be very fussy about the exact format
7806 of the "dont descend" entries. For example you may need <TT
7809 > instead of just <TT
7813 Experimentation is the best policy :-) </P
7819 >none (i.e., all directories are OK
7826 >dont descend = /proc,/dev</B
7833 >>dos charset (G)</DT
7836 >DOS SMB clients assume the server has
7837 the same charset as they do. This option specifies which
7838 charset Samba should talk to DOS clients.
7841 >The default depends on which charsets you have instaled.
7842 Samba tries to use charset 850 but falls back to ASCII in
7843 case it is not available. Run <SPAN
7844 CLASS="CITEREFENTRY"
7846 CLASS="REFENTRYTITLE"
7849 > to check the default on your system.
7856 >>dos filemode (S)</DT
7859 > The default behavior in Samba is to provide
7860 UNIX-like behavior where only the owner of a file/directory is
7861 able to change the permissions on it. However, this behavior
7862 is often confusing to DOS/Windows users. Enabling this parameter
7863 allows a user who has write access to the file (by whatever
7864 means) to modify the permissions on it. Note that a user
7865 belonging to the group owning the file will not be allowed to
7866 change permissions if the group is only granted read access.
7867 Ownership of the file/directory is not changed, only the permissions
7872 >dos filemode = no</B
7877 NAME="DOSFILETIMERESOLUTION"
7879 >>dos filetime resolution (S)</DT
7882 >Under the DOS and Windows FAT filesystem, the finest
7883 granularity on time resolution is two seconds. Setting this parameter
7884 for a share causes Samba to round the reported time down to the
7885 nearest two second boundary when a query call that requires one second
7886 resolution is made to <SPAN
7887 CLASS="CITEREFENTRY"
7889 CLASS="REFENTRYTITLE"
7894 >This option is mainly used as a compatibility option for Visual
7895 C++ when used against Samba shares. If oplocks are enabled on a
7896 share, Visual C++ uses two different time reading calls to check if a
7897 file has changed since it was last read. One of these calls uses a
7898 one-second granularity, the other uses a two second granularity. As
7899 the two second call rounds any odd second down, then if the file has a
7900 timestamp of an odd number of seconds then the two timestamps will not
7901 match and Visual C++ will keep reporting the file has changed. Setting
7902 this option causes the two timestamps to match, and Visual C++ is
7907 >dos filetime resolution = no</B
7914 >>dos filetimes (S)</DT
7917 >Under DOS and Windows, if a user can write to a
7918 file they can change the timestamp on it. Under POSIX semantics,
7919 only the owner of the file or root may change the timestamp. By
7920 default, Samba runs with POSIX semantics and refuses to change the
7921 timestamp on a file if the user <B
7925 on behalf of is not the file owner. Setting this option to <TT
7928 > allows DOS semantics and <SPAN
7929 CLASS="CITEREFENTRY"
7931 CLASS="REFENTRYTITLE"
7934 > will change the file
7935 timestamp as DOS requires.</P
7939 >dos filetimes = no</B
7944 NAME="ENCRYPTPASSWORDS"
7946 >>encrypt passwords (G)</DT
7949 >This boolean controls whether encrypted passwords
7950 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
7951 above and also Windows 98 will by default expect encrypted passwords
7952 unless a registry entry is changed. To use encrypted passwords in
7953 Samba see the file ENCRYPTION.txt in the Samba documentation
7957 > shipped with the source code.</P
7959 >In order for encrypted passwords to work correctly
7961 CLASS="CITEREFENTRY"
7963 CLASS="REFENTRYTITLE"
7967 have access to a local <SPAN
7968 CLASS="CITEREFENTRY"
7970 CLASS="REFENTRYTITLE"
7973 > file (see the <SPAN
7974 CLASS="CITEREFENTRY"
7976 CLASS="REFENTRYTITLE"
7979 > program for information on how to set up
7980 and maintain this file), or set the <A
7982 >security = [server|domain|ads]</A
7987 > to authenticate against another
7992 >encrypt passwords = yes</B
7997 NAME="ENHANCEDBROWSING"
7999 >>enhanced browsing (G)</DT
8002 >This option enables a couple of enhancements to
8003 cross-subnet browse propagation that have been added in Samba
8004 but which are not standard in Microsoft implementations.
8007 >The first enhancement to browse propagation consists of a regular
8008 wildcard query to a Samba WINS server for all Domain Master Browsers,
8009 followed by a browse synchronization with each of the returned
8010 DMBs. The second enhancement consists of a regular randomised browse
8011 synchronization with all currently known DMBs.</P
8013 >You may wish to disable this option if you have a problem with empty
8014 workgroups not disappearing from browse lists. Due to the restrictions
8015 of the browse protocols these enhancements can cause a empty workgroup
8016 to stay around forever which can be annoying.</P
8018 >In general you should leave this option enabled as it makes
8019 cross-subnet browse propagation much more reliable.</P
8023 >enhanced browsing = yes</B
8028 NAME="ENUMPORTSCOMMAND"
8030 >>enumports command (G)</DT
8033 >The concept of a "port" is fairly foreign
8034 to UNIX hosts. Under Windows NT/2000 print servers, a port
8035 is associated with a port monitor and generally takes the form of
8036 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
8037 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
8040 >"Samba Printer Port"</TT
8042 Windows NT/2000, all printers must have a valid port name.
8043 If you wish to have a list of ports displayed (<B
8047 > does not use a port name for anything) other than
8050 >"Samba Printer Port"</TT
8055 >enumports command</I
8058 a program which should generate a list of ports, one per line,
8059 to standard output. This listing will then be used in response
8060 to the level 1 and 2 EnumPorts() RPC.</P
8066 >no enumports command</I
8072 >enumports command = /usr/bin/listports
8083 >This is a synonym for <A
8095 NAME="FAKEDIRECTORYCREATETIMES"
8097 >>fake directory create times (S)</DT
8100 >NTFS and Windows VFAT file systems keep a create
8101 time for all files and directories. This is not the same as the
8102 ctime - status change time - that Unix keeps, so Samba by default
8103 reports the earliest of the various times Unix does keep. Setting
8104 this parameter for a share causes Samba to always report midnight
8105 1-1-1980 as the create time for directories.</P
8107 >This option is mainly used as a compatibility option for
8108 Visual C++ when used against Samba shares. Visual C++ generated
8109 makefiles have the object directory as a dependency for each object
8110 file, and a make rule to create the directory. Also, when NMAKE
8111 compares timestamps it uses the creation time when examining a
8112 directory. Thus the object directory will be created if it does not
8113 exist, but once it does exist it will always have an earlier
8114 timestamp than the object files it contains.</P
8116 >However, Unix time semantics mean that the create time
8117 reported by Samba will be updated whenever a file is created or
8118 or deleted in the directory. NMAKE finds all object files in
8119 the object directory. The timestamp of the last one built is then
8120 compared to the timestamp of the object directory. If the
8121 directory's timestamp if newer, then all object files
8122 will be rebuilt. Enabling this option
8123 ensures directories always predate their contents and an NMAKE build
8124 will proceed as expected.</P
8128 >fake directory create times = no</B
8135 >>fake oplocks (S)</DT
8138 >Oplocks are the way that SMB clients get permission
8139 from a server to locally cache file operations. If a server grants
8140 an oplock (opportunistic lock) then the client is free to assume
8141 that it is the only one accessing the file and it will aggressively
8142 cache file data. With some oplock types the client may even cache
8143 file open/close operations. This can give enormous performance benefits.
8148 >fake oplocks = yes</B
8157 always grant oplock requests no matter how many clients are using
8160 >It is generally much better to use the real <A
8169 than this parameter.</P
8171 >If you enable this option on all read-only shares or
8172 shares that you know will only be accessed from one client at a
8173 time such as physically read-only media like CDROMs, you will see
8174 a big performance improvement on many operations. If you enable
8175 this option on shares where multiple clients may be accessing the
8176 files read-write at the same time you can get data corruption. Use
8177 this option carefully!</P
8181 >fake oplocks = no</B
8186 NAME="FOLLOWSYMLINKS"
8188 >>follow symlinks (S)</DT
8191 >This parameter allows the Samba administrator
8193 CLASS="CITEREFENTRY"
8195 CLASS="REFENTRYTITLE"
8198 > from following symbolic
8199 links in a particular share. Setting this
8203 > prevents any file or directory
8204 that is a symbolic link from being followed (the user will get an
8205 error). This option is very useful to stop users from adding a
8206 symbolic link to <TT
8210 directory for instance. However it will slow filename lookups
8213 >This option is enabled (i.e. <B
8217 follow symbolic links) by default.</P
8221 >follow symlinks = yes</B
8226 NAME="FORCECREATEMODE"
8228 >>force create mode (S)</DT
8231 >This parameter specifies a set of UNIX mode bit
8232 permissions that will <SPAN
8239 file created by Samba. This is done by bitwise 'OR'ing these bits onto
8240 the mode bits of a file that is being created or having its
8241 permissions changed. The default for this parameter is (in octal)
8242 000. The modes in this parameter are bitwise 'OR'ed onto the file
8243 mode after the mask set in the <TT
8249 parameter is applied.</P
8251 >See also the parameter <A
8260 > for details on masking mode bits on files.</P
8263 HREF="#INHERITPERMISSIONS"
8275 >force create mode = 000</B
8280 >force create mode = 0755</B
8283 >would force all created files to have read and execute
8284 permissions set for 'group' and 'other' as well as the
8285 read/write/execute bits set for the 'user'.</P
8289 NAME="FORCEDIRECTORYMODE"
8291 >>force directory mode (S)</DT
8294 >This parameter specifies a set of UNIX mode bit
8295 permissions that will <SPAN
8301 > be set on a directory
8302 created by Samba. This is done by bitwise 'OR'ing these bits onto the
8303 mode bits of a directory that is being created. The default for this
8304 parameter is (in octal) 0000 which will not add any extra permission
8305 bits to a created directory. This operation is done after the mode
8306 mask in the parameter <TT
8314 >See also the parameter <A
8315 HREF="#DIRECTORYMASK"
8322 > for details on masking mode bits
8323 on created directories.</P
8326 HREF="#INHERITPERMISSIONS"
8330 > inherit permissions</I
8337 >force directory mode = 000</B
8342 >force directory mode = 0755</B
8345 >would force all created directories to have read and execute
8346 permissions set for 'group' and 'other' as well as the
8347 read/write/execute bits set for the 'user'.</P
8351 NAME="FORCEDIRECTORYSECURITYMODE"
8353 >>force directory security mode (S)</DT
8356 >This parameter controls what UNIX permission bits
8357 can be modified when a Windows NT client is manipulating the UNIX
8358 permission on a directory using the native NT security dialog box.</P
8360 >This parameter is applied as a mask (OR'ed with) to the
8361 changed permission bits, thus forcing any bits in this mask that
8362 the user may have modified to be on. Essentially, one bits in this
8363 mask may be treated as a set of bits that, when modifying security
8364 on a directory, the user has always set to be 'on'.</P
8366 >If not set explicitly this parameter is 000, which
8367 allows a user to modify all the user/group/world permissions on a
8368 directory without restrictions.</P
8376 > that users who can access the
8377 Samba server through other means can easily bypass this restriction,
8378 so it is primarily useful for standalone "appliance" systems.
8379 Administrators of most normal systems will probably want to leave
8383 HREF="#DIRECTORYSECURITYMASK"
8387 > directory security mask</I
8391 HREF="#SECURITYMASK"
8400 HREF="#FORCESECURITYMODE"
8404 >force security mode
8412 >force directory security mode = 0</B
8417 >force directory security mode = 700</B
8424 >>force group (S)</DT
8427 >This specifies a UNIX group name that will be
8428 assigned as the default primary group for all users connecting
8429 to this service. This is useful for sharing files by ensuring
8430 that all access to files on service will use the named group for
8431 their permissions checking. Thus, by assigning permissions for this
8432 group to the files and directories within this service the Samba
8433 administrator can restrict or allow sharing of these files.</P
8435 >In Samba 2.0.5 and above this parameter has extended
8436 functionality in the following way. If the group name listed here
8437 has a '+' character prepended to it then the current user accessing
8438 the share only has the primary group default assigned to this group
8439 if they are already assigned as a member of that group. This allows
8440 an administrator to decide that only users who are already in a
8441 particular group will create files with group ownership set to that
8442 group. This gives a finer granularity of ownership assignment. For
8443 example, the setting <TT
8445 >force group = +sys</TT
8447 that only users who are already in group sys will have their default
8448 primary group assigned to sys when accessing this Samba share. All
8449 other users will retain their ordinary primary group.</P
8460 > parameter is also set the group specified in
8466 > will override the primary group
8495 >force group = agroup</B
8500 NAME="FORCESECURITYMODE"
8502 >>force security mode (S)</DT
8505 >This parameter controls what UNIX permission
8506 bits can be modified when a Windows NT client is manipulating
8507 the UNIX permission on a file using the native NT security dialog
8510 >This parameter is applied as a mask (OR'ed with) to the
8511 changed permission bits, thus forcing any bits in this mask that
8512 the user may have modified to be on. Essentially, one bits in this
8513 mask may be treated as a set of bits that, when modifying security
8514 on a file, the user has always set to be 'on'.</P
8516 >If not set explicitly this parameter is set to 0,
8517 and allows a user to modify all the user/group/world permissions on a file,
8518 with no restrictions.</P
8526 > that users who can access
8527 the Samba server through other means can easily bypass this restriction,
8528 so it is primarily useful for standalone "appliance" systems.
8529 Administrators of most normal systems will probably want to leave
8530 this set to 0000.</P
8533 HREF="#FORCEDIRECTORYSECURITYMODE"
8537 > force directory security mode</I
8542 HREF="#DIRECTORYSECURITYMASK"
8551 HREF="#SECURITYMASK"
8562 >force security mode = 0</B
8567 >force security mode = 700</B
8574 >>force user (S)</DT
8577 >This specifies a UNIX user name that will be
8578 assigned as the default user for all users connecting to this service.
8579 This is useful for sharing files. You should also use it carefully
8580 as using it incorrectly can cause security problems.</P
8582 >This user name only gets used once a connection is established.
8583 Thus clients still need to connect as a valid user and supply a
8584 valid password. Once connected, all file operations will be performed
8585 as the "forced user", no matter what username the client connected
8586 as. This can be very useful.</P
8588 >In Samba 2.0.5 and above this parameter also causes the
8589 primary group of the forced user to be used as the primary group
8590 for all file activity. Prior to 2.0.5 the primary group was left
8591 as the primary group of the connecting user (this was a bug).</P
8614 >force user = auser</B
8621 >>fstype (S)</DT
8624 >This parameter allows the administrator to
8625 configure the string that specifies the type of filesystem a share
8626 is using that is reported by <SPAN
8627 CLASS="CITEREFENTRY"
8629 CLASS="REFENTRYTITLE"
8632 > when a client queries the filesystem type
8633 for a share. The default type is <TT
8637 compatibility with Windows NT but this can be changed to other
8661 >>getwd cache (G)</DT
8664 >This is a tuning option. When this is enabled a
8665 caching algorithm will be used to reduce the time taken for getwd()
8666 calls. This can have a significant impact on performance, especially
8676 >parameter is set to <TT
8683 >getwd cache = yes</B
8708 >>guest account (S)</DT
8711 >This is a username which will be used for access
8712 to services which are specified as <A
8720 > (see below). Whatever privileges this
8721 user has will be available to any client connecting to the guest service.
8722 Typically this user will exist in the password file, but will not
8723 have a valid login. The user account "ftp" is often a good choice
8724 for this parameter. If a username is specified in a given service,
8725 the specified username overrides this one.</P
8727 >One some systems the default guest account "nobody" may not
8728 be able to print. Use another account in this case. You should test
8729 this by trying to log in as your guest user (perhaps by using the
8733 > command) and trying to print using the
8734 system print command such as <B
8742 >This parameter does not accept % macros, because
8743 many parts of the system require this value to be
8744 constant for correct operation.</P
8750 >specified at compile time, usually
8757 >guest account = ftp</B
8764 >>guest ok (S)</DT
8767 >If this parameter is <TT
8771 a service, then no password is required to connect to the service.
8772 Privileges will be those of the <A
8773 HREF="#GUESTACCOUNT"
8782 >This paramater nullifies the benifits of setting
8784 HREF="#RESTRICTANONYMOUS"
8794 >See the section below on <A
8802 > for more information about this option.
8814 >>guest only (S)</DT
8817 >If this parameter is <TT
8821 a service, then only guest connections to the service are permitted.
8822 This parameter will have no effect if <A
8830 > is not set for the service.</P
8832 >See the section below on <A
8840 > for more information about this option.
8852 >>hide dot files (S)</DT
8855 >This is a boolean parameter that controls whether
8856 files starting with a dot appear as hidden files.</P
8860 >hide dot files = yes</B
8867 >>hide files(S)</DT
8870 >This is a list of files or directories that are not
8871 visible but are accessible. The DOS 'hidden' attribute is applied
8872 to any files or directories that match.</P
8874 >Each entry in the list must be separated by a '/',
8875 which allows spaces to be included in the entry. '*'
8876 and '?' can be used to specify multiple files or directories
8877 as in DOS wildcards.</P
8879 >Each entry must be a Unix path, not a DOS path and must
8880 not include the Unix directory separator '/'.</P
8882 >Note that the case sensitivity option is applicable
8885 >Setting this parameter will affect the performance of Samba,
8886 as it will be forced to check all files and directories for a match
8887 as they are scanned.</P
8890 HREF="#HIDEDOTFILES"
8907 HREF="#CASESENSITIVE"
8920 >no file are hidden</I
8927 /.*/DesktopFolderDB/TrashFor%m/resource.frk/</B
8930 >The above example is based on files that the Macintosh
8931 SMB client (DAVE) available from <A
8932 HREF="http://www.thursby.com"
8936 > creates for internal use, and also still hides
8937 all files beginning with a dot.</P
8941 NAME="HIDELOCALUSERS"
8943 >>hide local users(G)</DT
8946 >This parameter toggles the hiding of local UNIX
8947 users (root, wheel, floppy, etc) from remote clients.</P
8951 >hide local users = no</B
8956 NAME="HIDEUNREADABLE"
8958 >>hide unreadable (G)</DT
8961 >This parameter prevents clients from seeing the
8962 existance of files that cannot be read. Defaults to off.</P
8966 >hide unreadable = no</B
8971 NAME="HIDEUNWRITEABLEFILES"
8973 >>hide unwriteable files (G)</DT
8976 >This parameter prevents clients from seeing
8977 the existance of files that cannot be written to. Defaults to off.
8978 Note that unwriteable directories are shown as usual.
8983 >hide unwriteable = no</B
8988 NAME="HIDESPECIALFILES"
8990 >>hide special files (G)</DT
8993 >This parameter prevents clients from seeing
8994 special files such as sockets, devices and fifo's in directory
9000 >hide special files = no</B
9007 >>homedir map (G)</DT
9023 CLASS="CITEREFENTRY"
9025 CLASS="REFENTRYTITLE"
9034 > then this parameter
9035 specifies the NIS (or YP) map from which the server for the user's
9036 home directory should be extracted. At present, only the Sun
9037 auto.home map format is understood. The form of the map is:</P
9041 >username server:/some/file/system</B
9044 >and the program will extract the servername from before
9045 the first ':'. There should probably be a better parsing system
9046 that copes with different map formats and also Amd (another
9047 automounter) maps.</P
9055 >A working NIS client is required on
9056 the system for this option to work.</P
9068 HREF="#DOMAINLOGONS"
9080 >homedir map = <empty string></B
9085 >homedir map = amd.homedir</B
9092 >>host msdfs (G)</DT
9095 >This boolean parameter is only available
9096 if Samba has been configured and compiled with the <B
9099 > option. If set to <TT
9103 Samba will act as a Dfs server, and allow Dfs-aware clients
9104 to browse Dfs trees hosted on the server.</P
9114 > share level parameter. For
9115 more information on setting up a Dfs tree on Samba,
9117 HREF="msdfs_setup.html"
9119 >msdfs_setup.html</A
9130 NAME="HOSTNAMELOOKUPS"
9132 >>hostname lookups (G)</DT
9135 >Specifies whether samba should use (expensive)
9136 hostname lookups or use the ip addresses instead. An example place
9137 where hostname lookups are currently used is when checking
9149 >hostname lookups = yes</B
9154 >hostname lookups = no</B
9161 >>hosts allow (S)</DT
9164 >A synonym for this parameter is <TT
9172 >This parameter is a comma, space, or tab delimited
9173 set of hosts which are permitted to access a service.</P
9175 >If specified in the [global] section then it will
9176 apply to all services, regardless of whether the individual
9177 service has a different setting.</P
9179 >You can specify the hosts by name or IP number. For
9180 example, you could restrict access to only the hosts on a
9181 Class C subnet with something like <B
9183 >allow hosts = 150.203.5.
9185 >. The full syntax of the list is described in the man
9188 >hosts_access(5)</TT
9189 >. Note that this man
9190 page may not be present on your system, so a brief description will
9191 be given here also.</P
9193 >Note that the localhost address 127.0.0.1 will always
9194 be allowed access unless specifically denied by a <A
9204 >You can also specify hosts by network/netmask pairs and
9205 by netgroup names if your system supports netgroups. The
9212 > keyword can also be used to limit a
9213 wildcard list. The following examples may provide some help:</P
9215 >Example 1: allow all IPs in 150.203.*.*; except one</P
9219 >hosts allow = 150.203. EXCEPT 150.203.6.66</B
9222 >Example 2: allow hosts that match the given network/netmask</P
9226 >hosts allow = 150.203.15.0/255.255.255.0</B
9229 >Example 3: allow a couple of hosts</P
9233 >hosts allow = lapland, arvidsjaur</B
9236 >Example 4: allow only hosts in NIS netgroup "foonet", but
9237 deny access from one particular host</P
9241 >hosts allow = @foonet</B
9246 >hosts deny = pirate</B
9249 >Note that access still requires suitable user-level passwords.</P
9252 CLASS="CITEREFENTRY"
9254 CLASS="REFENTRYTITLE"
9257 > for a way of testing your host access
9258 to see if it does what you expect.</P
9264 >none (i.e., all hosts permitted access)
9271 >allow hosts = 150.203.5. myhost.mynet.edu.au
9279 >>hosts deny (S)</DT
9282 >The opposite of <TT
9288 - hosts listed here are <SPAN
9294 > permitted access to
9295 services unless the specific services have their own lists to override
9296 this one. Where the lists conflict, the <TT
9302 list takes precedence.</P
9308 >none (i.e., no hosts specifically excluded)
9315 >hosts deny = 150.203.4. badhost.mynet.edu.au
9323 >>hosts equiv (G)</DT
9326 >If this global parameter is a non-null string,
9327 it specifies the name of a file to read for the names of hosts
9328 and users who will be allowed access without specifying a password.
9331 >This is not be confused with <A
9339 > which is about hosts
9340 access to services and is more useful for guest services. <TT
9345 > may be useful for NT clients which will
9346 not supply passwords to Samba.</P
9360 > can be a major security hole. This is because you are
9361 trusting the PC to supply the correct username. It is very easy to
9362 get a PC to supply a false username. I recommend that the
9368 > option be only used if you really
9369 know what you are doing, or perhaps on a home network where you trust
9370 your spouse and kids. And only if you <SPAN
9383 >no host equivalences</I
9389 >hosts equiv = /etc/hosts.equiv</B
9396 >>include (G)</DT
9399 >This allows you to include one config file
9400 inside another. The file is included literally, as though typed
9403 >It takes the standard substitutions, except <TT
9426 >no file included</I
9432 >include = /usr/local/samba/lib/admin_smb.conf
9440 >>inherit acls (S)</DT
9443 >This parameter can be used to ensure
9444 that if default acls exist on parent directories,
9445 they are always honored when creating a subdirectory.
9446 The default behavior is to use the mode specified
9447 when creating the directory. Enabling this option
9448 sets the mode to 0777, thus guaranteeing that
9449 default directory acls are propagated.
9454 >inherit acls = no</B
9460 NAME="INHERITPERMISSIONS"
9462 >>inherit permissions (S)</DT
9465 >The permissions on new files and directories
9466 are normally governed by <A
9475 HREF="#DIRECTORYMASK"
9483 HREF="#FORCECREATEMODE"
9487 >force create mode</I
9492 HREF="#FORCEDIRECTORYMODE"
9500 > but the boolean inherit
9501 permissions parameter overrides this.</P
9503 >New directories inherit the mode of the parent directory,
9504 including bits such as setgid.</P
9506 >New files inherit their read/write bits from the parent
9507 directory. Their execute bits continue to be determined by
9537 >Note that the setuid bit is <SPAN
9544 inheritance (the code explicitly prohibits this).</P
9546 >This can be particularly useful on large systems with
9547 many users, perhaps several thousand, to allow a single [homes]
9548 share to be used flexibly by each user.</P
9560 HREF="#DIRECTORYMASK"
9568 HREF="#FORCECREATEMODE"
9572 >force create mode</I
9576 HREF="#FORCEDIRECTORYMODE"
9580 >force directory mode</I
9588 >inherit permissions = no</B
9595 >>interfaces (G)</DT
9598 >This option allows you to override the default
9599 network interfaces list that Samba will use for browsing, name
9600 registration and other NBT traffic. By default Samba will query
9601 the kernel for the list of all active interfaces and use any
9602 interfaces except 127.0.0.1 that are broadcast capable.</P
9604 >The option takes a list of interface strings. Each string
9605 can be in any of the following forms:</P
9611 >a network interface name (such as eth0).
9612 This may include shell-like wildcards so eth* will match
9613 any interface starting with the substring "eth"</P
9617 >an IP address. In this case the netmask is
9618 determined from the list of interfaces obtained from the
9623 >an IP/mask pair. </P
9627 >a broadcast/mask pair.</P
9631 >The "mask" parameters can either be a bit length (such
9632 as 24 for a C class network) or a full netmask in dotted
9635 >The "IP" parameters above can either be a full dotted
9636 decimal IP address or a hostname which will be looked up via
9637 the OS's normal hostname resolution mechanisms.</P
9639 >For example, the following line:</P
9643 >interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
9647 >would configure three network interfaces corresponding
9648 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
9649 The netmasks of the latter two interfaces would be set to 255.255.255.0.</P
9652 HREF="#BINDINTERFACESONLY"
9666 >all active interfaces except 127.0.0.1
9667 that are broadcast capable</I
9675 >>invalid users (S)</DT
9678 >This is a list of users that should not be allowed
9679 to login to this service. This is really a <SPAN
9686 check to absolutely ensure an improper setting does not breach
9689 >A name starting with a '@' is interpreted as an NIS
9690 netgroup first (if your system supports NIS), and then as a UNIX
9691 group if the name was not found in the NIS netgroup database.</P
9693 >A name starting with '+' is interpreted only
9694 by looking in the UNIX group database. A name starting with
9695 '&' is interpreted only by looking in the NIS netgroup database
9696 (this requires NIS to be working on your system). The characters
9697 '+' and '&' may be used at the start of the name in either order
9704 UNIX group database, followed by the NIS netgroup database, and
9710 > means check the NIS
9711 netgroup database, followed by the UNIX group database (the
9712 same as the '@' prefix).</P
9714 >The current servicename is substituted for <TT
9720 This is useful in the [homes] section.</P
9737 >no invalid users</I
9743 >invalid users = root fred admin @wheel
9751 >>keepalive (G)</DT
9754 >The value of the parameter (an integer) represents
9755 the number of seconds between <TT
9761 packets. If this parameter is zero, no keepalive packets will be
9762 sent. Keepalive packets, if sent, allow the server to tell whether
9763 a client is still present and responding.</P
9765 >Keepalives should, in general, not be needed if the socket
9766 being used has the SO_KEEPALIVE attribute set on it (see <A
9767 HREF="#SOCKETOPTIONS"
9775 Basically you should only use this option if you strike difficulties.</P
9789 NAME="KERNELOPLOCKS"
9791 >>kernel oplocks (G)</DT
9794 >For UNIXes that support kernel based <A
9803 (currently only IRIX and the Linux 2.4 kernel), this parameter
9804 allows the use of them to be turned on or off.</P
9806 >Kernel oplocks support allows Samba <TT
9812 > to be broken whenever a local UNIX process or NFS operation
9813 accesses a file that <SPAN
9814 CLASS="CITEREFENTRY"
9816 CLASS="REFENTRYTITLE"
9819 > has oplocked. This allows complete
9820 data consistency between SMB/CIFS, NFS and local file access (and is
9827 > cool feature :-).</P
9829 >This parameter defaults to <TT
9832 >, but is translated
9833 to a no-op on systems that no not have the necessary kernel support.
9834 You should never need to touch this parameter.</P
9846 HREF="#LEVEL2OPLOCKS"
9858 >kernel oplocks = yes</B
9865 >>lanman auth (G)</DT
9868 >This parameter determines whether or not <SPAN
9869 CLASS="CITEREFENTRY"
9871 CLASS="REFENTRYTITLE"
9874 > will attempt to authenticate users
9875 using the LANMAN password hash. If disabled, only clients which support NT
9876 password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
9877 Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</P
9881 >lanman auth = yes</B
9886 NAME="LARGEREADWRITE"
9888 >>large readwrite (G)</DT
9891 >This parameter determines whether or not <SPAN
9892 CLASS="CITEREFENTRY"
9894 CLASS="REFENTRYTITLE"
9897 > supports the new 64k streaming
9898 read and write varient SMB requests introduced
9899 with Windows 2000. Note that due to Windows 2000 client redirector bugs
9900 this requires Samba to be running on a 64-bit capable operating system such
9901 as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with
9902 Windows 2000 clients. Defaults to on. Not as tested as some other Samba
9908 >large readwrite = yes</B
9915 >>ldap admin dn (G)</DT
9923 > defines the Distinguished
9924 Name (DN) name used by Samba to contact the ldap server when retreiving
9925 user account information. The <TT
9931 > is used in conjunction with the admin dn password
9934 >private/secrets.tdb</TT
9937 CLASS="CITEREFENTRY"
9939 CLASS="REFENTRYTITLE"
9942 > man page for more information on how
9958 >>ldap filter (G)</DT
9961 >This parameter specifies the RFC 2254 compliant LDAP search filter.
9962 The default is to match the login name with the <TT
9966 attribute for all entries matching the <TT
9970 objectclass. Note that this filter should only return one entry.
9975 >ldap filter = (&(uid=%u)(objectclass=sambaAccount))</B
9982 >>ldap port (G)</DT
9985 >This parameter is only available if Samba has been
9986 configure to include the <B
9993 > This option is used to control the tcp port number used to contact
10003 The default is to use the stand LDAPS port 636.
10014 >ldap port = 636 ; if ldap ssl = on</B
10019 >ldap port = 389 ; if ldap ssl = off</B
10026 >>ldap server (G)</DT
10029 >This parameter is only available if Samba has been
10030 configure to include the <B
10037 > This parameter should contain the FQDN of the ldap directory
10038 server which should be queried to locate user account information.
10043 >ldap server = localhost</B
10050 >>ldap ssl (G)</DT
10053 >This option is used to define whether or not Samba should
10054 use SSL when connecting to the ldap server
10062 Samba's previous SSL support which was enabled by specifying the
10066 > option to the <TT
10078 > can be set to one of three values:
10090 > = Never use SSL when querying the directory.</P
10099 > = Use the LDAPv3 StartTLS extended operation
10100 (RFC2830) for communicating with the directory server.</P
10110 Use SSL on the ldaps port when contacting the
10117 available when the backwards-compatiblity <B
10119 > --with-ldapsam</B
10120 > option is specified
10121 to configure. See <A
10122 HREF="#PASSDBBACKEND"
10135 >ldap ssl = start_tls</B
10142 >>ldap suffix (G)</DT
10145 >Specifies where user and machine accounts are added to the tree. Can be overriden by <B
10147 >ldap user suffix</B
10150 >ldap machine suffix</B
10151 >. It also used as the base dn for all ldap searches. </P
10163 NAME="LDAPUSERSUFFIX"
10165 >>ldap user suffix (G)</DT
10168 >It specifies where users are added to the tree.
10181 NAME="LDAPMACHINESUFFIX"
10183 >>ldap machine suffix (G)</DT
10186 >It specifies where machines should be
10187 added to the ldap tree.
10200 NAME="LDAPPASSWDSYNC"
10202 >>ldap passwd sync (G)</DT
10205 >This option is used to define whether
10206 or not Samba should sync the LDAP password with the NT
10207 and LM hashes for normal accounts (NOT for
10208 workstation, server or domain trusts) on a password
10215 >ldap passwd sync</I
10217 > can be set to one of three values:
10229 > = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.</P
10238 > = Update NT and LM passwords and update the pwdLastSet time.</P
10247 > = Only update the LDAP password and let the LDAP server do the rest.</P
10253 >ldap passwd sync = no</B
10258 NAME="LDAPTRUSTIDS"
10260 >>ldap trust ids (G)</DT
10263 >Normally, Samba validates each entry
10264 in the LDAP server against getpwnam(). This allows
10265 LDAP to be used for Samba with the unix system using
10266 NIS (for example) and also ensures that Samba does not
10267 present accounts that do not otherwise exist. </P
10269 >This option is used to disable this functionality, and
10270 instead to rely on the presence of the appropriate
10271 attributes in LDAP directly, which can result in a
10272 significant performance boost in some situations.
10273 Setting this option to yes effectivly assumes
10274 that the local machine is running <B
10278 same LDAP server.</P
10282 >ldap trust ids = No</B
10287 NAME="LEVEL2OPLOCKS"
10289 >>level2 oplocks (S)</DT
10292 >This parameter controls whether Samba supports
10293 level2 (read-only) oplocks on a share.</P
10295 >Level2, or read-only oplocks allow Windows NT clients
10296 that have an oplock on a file to downgrade from a read-write oplock
10297 to a read-only oplock once a second client opens the file (instead
10298 of releasing all oplocks on a second open, as in traditional,
10299 exclusive oplocks). This allows all openers of the file that
10300 support level2 oplocks to cache the file for read-ahead only (ie.
10301 they may not cache writes or lock requests) and increases performance
10302 for many accesses of files that are not commonly written (such as
10303 application .EXE files).</P
10305 >Once one of the clients which have a read-only oplock
10306 writes to the file all clients are notified (no reply is needed
10307 or waited for) and told to break their oplocks to "none" and
10308 delete any read-ahead caches.</P
10310 >It is recommended that this parameter be turned on
10311 to speed access to shared executables.</P
10313 >For more discussions on level2 oplocks see the CIFS spec.</P
10316 HREF="#KERNELOPLOCKS"
10324 > are supported then level2 oplocks are
10325 not granted (even if this parameter is set to <TT
10338 > parameter must be set to <TT
10341 > on this share in order for
10342 this parameter to have any effect.</P
10366 >level2 oplocks = yes</B
10373 >>lm announce (G)</DT
10376 >This parameter determines if <SPAN
10377 CLASS="CITEREFENTRY"
10379 CLASS="REFENTRYTITLE"
10382 > will produce Lanman announce
10383 broadcasts that are needed by OS/2 clients in order for them to see
10384 the Samba server in their browse list. This parameter can have three
10395 >. The default is <TT
10402 > Samba will never produce these
10403 broadcasts. If set to <TT
10406 > Samba will produce
10407 Lanman announce broadcasts at a frequency set by the parameter
10417 Samba will not send Lanman announce broadcasts by default but will
10418 listen for them. If it hears such a broadcast on the wire it will
10419 then start sending them at a frequency set by the parameter
10440 >lm announce = auto</B
10445 >lm announce = yes</B
10452 >>lm interval (G)</DT
10455 >If Samba is set to produce Lanman announce
10456 broadcasts needed by OS/2 clients (see the <A
10464 > parameter) then this
10465 parameter defines the frequency in seconds with which they will be
10466 made. If this is set to zero then no Lanman announcements will be
10467 made despite the setting of the <TT
10488 >lm interval = 60</B
10493 >lm interval = 120</B
10498 NAME="LOADPRINTERS"
10500 >>load printers (G)</DT
10503 >A boolean variable that controls whether all
10504 printers in the printcap will be loaded for browsing by default.
10513 >load printers = yes</B
10520 >>local master (G)</DT
10523 >This option allows <SPAN
10524 CLASS="CITEREFENTRY"
10526 CLASS="REFENTRYTITLE"
10529 > to try and become a local master browser
10530 on a subnet. If set to <TT
10536 > will not attempt to become a local master browser
10537 on a subnet and will also lose in all browsing elections. By
10538 default this value is set to <TT
10541 >. Setting this value to <TT
10545 mean that Samba will <SPAN
10552 browser on a subnet, just that <B
10561 > in elections for local master browser.</P
10563 >Setting this value to <TT
10576 > to become a local master browser.</P
10580 >local master = yes</B
10587 >>lock dir (G)</DT
10591 HREF="#LOCKDIRECTORY"
10595 > lock directory</I
10602 NAME="LOCKDIRECTORY"
10604 >>lock directory (G)</DT
10607 >This option specifies the directory where lock
10608 files will be placed. The lock files are used to implement the
10610 HREF="#MAXCONNECTIONS"
10614 >max connections</I
10622 >lock directory = ${prefix}/var/locks</B
10627 >lock directory = /var/run/samba/locks</B
10633 NAME="LOCKSPINCOUNT"
10635 >>lock spin count (G)</DT
10638 >This parameter controls the number of times
10639 that smbd should attempt to gain a byte range lock on the
10640 behalf of a client request. Experiments have shown that
10641 Windows 2k servers do not reply with a failure if the lock
10642 could not be immediately granted, but try a few more times
10643 in case the lock could later be aquired. This behavior
10644 is used to support PC database formats such as MS Access
10650 >lock spin count = 2</B
10656 NAME="LOCKSPINTIME"
10658 >>lock spin time (G)</DT
10661 >The time in microseconds that smbd should
10662 pause before attempting to gain a failed lock. See
10664 HREF="#LOCKSPINCOUNT"
10672 > for more details.
10677 >lock spin time = 10</B
10685 >>locking (S)</DT
10688 >This controls whether or not locking will be
10689 performed by the server in response to lock requests from the
10695 >, all lock and unlock
10696 requests will appear to succeed and all lock queries will report
10697 that the file in question is available for locking.</P
10702 >, real locking will be performed
10711 > be useful for read-only
10712 filesystems which <SPAN
10718 > not need locking (such as
10719 CDROM drives), although setting this parameter of <TT
10723 is not really recommended even in this case.</P
10725 >Be careful about disabling locking either globally or in a
10726 specific service, as lack of locking may result in data corruption.
10727 You should never need to set this parameter.</P
10738 >>log file (G)</DT
10741 >This option allows you to override the name
10742 of the Samba log file (also known as the debug file).</P
10744 >This option takes the standard substitutions, allowing
10745 you to have separate log files for each user or machine.</P
10749 >log file = /usr/local/samba/var/log.%m
10757 >>log level (G)</DT
10760 >The value of the parameter (a astring) allows
10761 the debug level (logging level) to be specified in the
10765 > file. This parameter has been
10766 extended since the 2.2.x series, now it allow to specify the debug
10767 level for multiple debug classes. This is to give greater
10768 flexibility in the configuration of the system.</P
10770 >The default will be the log level specified on
10771 the command line or level zero if none was specified.</P
10775 >log level = 3 passdb:5 auth:10 winbind:2
10783 >>logon drive (G)</DT
10786 >This parameter specifies the local path to
10787 which the home directory will be connected (see <A
10796 and is only used by NT Workstations. </P
10798 >Note that this option is only useful if Samba is set up as a
10803 >logon drive = z:</B
10808 >logon drive = h:</B
10815 >>logon home (G)</DT
10818 >This parameter specifies the home directory
10819 location when a Win95/98 or NT Workstation logs into a Samba PDC.
10820 It allows you to do </P
10828 >NET USE H: /HOME</B
10833 >from a command prompt, for example.</P
10835 >This option takes the standard substitutions, allowing
10836 you to have separate logon scripts for each user or machine.</P
10838 >This parameter can be used with Win9X workstations to ensure
10839 that roaming profiles are stored in a subdirectory of the user's
10840 home directory. This is done in the following way:</P
10844 >logon home = \\%N\%U\profile</B
10847 >This tells Samba to return the above string, with
10848 substitutions made when a client requests the info, generally
10849 in a NetUserGetInfo request. Win9X clients truncate the info to
10850 \\server\share when a user does <B
10854 but use the whole string when dealing with profiles.</P
10856 >Note that in prior versions of Samba, the <A
10864 > was returned rather than
10874 > but allowed profiles outside the home directory.
10875 The current implementation is correct, and can be used for
10876 profiles if you use the above trick.</P
10878 >This option is only useful if Samba is set up as a logon
10883 >logon home = "\\%N\%U"</B
10888 >logon home = "\\remote_smb_server\%U"</B
10896 >>logon path (G)</DT
10899 >This parameter specifies the home directory
10900 where roaming profiles (NTuser.dat etc files for Windows NT) are
10901 stored. Contrary to previous versions of these manual pages, it has
10902 nothing to do with Win 9X roaming profiles. To find out how to
10903 handle roaming profiles for Win 9X system, see the <A
10913 >This option takes the standard substitutions, allowing you
10914 to have separate logon scripts for each user or machine. It also
10915 specifies the directory from which the "Application Data",
10925 >network neighborhood</TT
10930 and other folders, and their contents, are loaded and displayed on
10931 your Windows NT client.</P
10933 >The share and the path must be readable by the user for
10934 the preferences and directories to be loaded onto the Windows NT
10935 client. The share must be writeable when the user logs in for the first
10936 time, in order that the Windows NT client can create the NTuser.dat
10937 and other directories.</P
10939 >Thereafter, the directories and any of the contents can,
10940 if required, be made read-only. It is not advisable that the
10941 NTuser.dat file be made read-only - rename it to NTuser.man to
10942 achieve the desired effect (a <SPAN
10951 >Windows clients can sometimes maintain a connection to
10952 the [homes] share, even though there is no user logged in.
10953 Therefore, it is vital that the logon path does not include a
10954 reference to the homes share (i.e. setting this parameter to
10955 \%N\%U\profile_path will cause problems).</P
10957 >This option takes the standard substitutions, allowing
10958 you to have separate logon scripts for each user or machine.</P
10960 >Note that this option is only useful if Samba is set up
10961 as a logon server.</P
10965 >logon path = \\%N\%U\profile</B
10970 >logon path = \\PROFILESERVER\PROFILE\%U</B
10977 >>logon script (G)</DT
10980 >This parameter specifies the batch file (.bat) or
10981 NT command file (.cmd) to be downloaded and run on a machine when
10982 a user successfully logs in. The file must contain the DOS
10983 style CR/LF line endings. Using a DOS-style editor to create the
10984 file is recommended.</P
10986 >The script must be a relative path to the [netlogon]
10987 service. If the [netlogon] service specifies a <A
10997 >/usr/local/samba/netlogon
11001 >logon script = STARTUP.BAT</B
11003 the file that will be downloaded is:</P
11007 >/usr/local/samba/netlogon/STARTUP.BAT</TT
11010 >The contents of the batch file are entirely your choice. A
11011 suggested command would be to add <B
11013 >NET TIME \\SERVER /SET
11015 >, to force every machine to synchronize clocks with
11016 the same time server. Another use would be to add <B
11019 U: \\SERVER\UTILS</B
11020 > for commonly used utilities, or <B
11022 > NET USE Q: \\SERVER\ISO9001_QA</B
11025 >Note that it is particularly important not to allow write
11026 access to the [netlogon] share, or to grant users write permission
11027 on the batch files in a secure environment, as this would allow
11028 the batch files to be arbitrarily modified and security to be
11031 >This option takes the standard substitutions, allowing you
11032 to have separate logon scripts for each user or machine.</P
11034 >This option is only useful if Samba is set up as a logon
11041 >no logon script defined</I
11047 >logon script = scripts\%U.bat</B
11052 NAME="LPPAUSECOMMAND"
11054 >>lppause command (S)</DT
11057 >This parameter specifies the command to be
11058 executed on the server host in order to stop printing or spooling
11059 a specific print job.</P
11061 >This command should be a program or script which takes
11062 a printer name and job number to pause the print job. One way
11063 of implementing this is by using job priorities, where jobs
11064 having a too low priority won't be sent to the printer.</P
11071 > is given then the printer name
11072 is put in its place. A <TT
11078 the job number (an integer). On HPUX (see <TT
11090 to the lpq command, the job will show up with the correct status, i.e.
11091 if the job priority is lower than the set fence priority it will
11092 have the PAUSED status, whereas if the priority is equal or higher it
11093 will have the SPOOLED or PRINTING status.</P
11095 >Note that it is good practice to include the absolute path
11096 in the lppause command as the PATH may not be available to the server.</P
11109 >Default: Currently no default value is given to
11110 this string, unless the value of the <TT
11119 >, in which case the default is :</P
11123 >lp -i %p-%j -H hold</B
11126 >or if the value of the <TT
11135 >, then the default is:</P
11139 >qstat -s -j%j -h</B
11142 >Example for HPUX: <B
11144 >lppause command = /usr/bin/lpalt
11150 NAME="LPQCACHETIME"
11152 >>lpq cache time (G)</DT
11155 >This controls how long lpq info will be cached
11156 for to prevent the <B
11159 > command being called too
11160 often. A separate cache is kept for each variation of the <B
11163 > command used by the system, so if you use different
11167 > commands for different users then they won't
11168 share cache information.</P
11170 >The cache files are stored in <TT
11174 where xxxx is a hash of the <B
11177 > command in use.</P
11179 >The default is 10 seconds, meaning that the cached results
11180 of a previous identical <B
11183 > command will be used
11184 if the cached data is less than 10 seconds old. A large value may
11185 be advisable if your <B
11188 > command is very slow.</P
11190 >A value of 0 will disable caching completely.</P
11205 >lpq cache time = 10</B
11210 >lpq cache time = 30</B
11217 >>lpq command (S)</DT
11220 >This parameter specifies the command to be
11221 executed on the server host in order to obtain <B
11225 >-style printer status information.</P
11227 >This command should be a program or script which
11228 takes a printer name as its only parameter and outputs printer
11229 status information.</P
11231 >Currently nine styles of printer status information
11232 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
11233 This covers most UNIX systems. You control which type is expected
11241 >Some clients (notably Windows for Workgroups) may not
11242 correctly send the connection number for the printer they are
11243 requesting status information about. To get around this, the
11244 server reports on the first printer service connected to by the
11245 client. This only happens if the connection number sent is invalid.</P
11252 > is given then the printer name
11253 is put in its place. Otherwise it is placed at the end of the
11256 >Note that it is good practice to include the absolute path
11266 > may not be available to the server. When compiled with
11267 the CUPS libraries, no <TT
11273 needed because smbd will make a library call to obtain the
11274 print queue listing.</P
11291 >depends on the setting of <TT
11302 >lpq command = /usr/bin/lpq -P%p</B
11307 NAME="LPRESUMECOMMAND"
11309 >>lpresume command (S)</DT
11312 >This parameter specifies the command to be
11313 executed on the server host in order to restart or continue
11314 printing or spooling a specific print job.</P
11316 >This command should be a program or script which takes
11317 a printer name and job number to resume the print job. See
11319 HREF="#LPPAUSECOMMAND"
11334 > is given then the printer name
11335 is put in its place. A <TT
11341 the job number (an integer).</P
11343 >Note that it is good practice to include the absolute path
11347 >lpresume command</I
11349 > as the PATH may not
11350 be available to the server.</P
11363 >Default: Currently no default value is given
11364 to this string, unless the value of the <TT
11373 >, in which case the default is :</P
11377 >lp -i %p-%j -H resume</B
11380 >or if the value of the <TT
11389 >, then the default is:</P
11393 >qstat -s -j%j -r</B
11396 >Example for HPUX: <B
11398 >lpresume command = /usr/bin/lpalt
11406 >>lprm command (S)</DT
11409 >This parameter specifies the command to be
11410 executed on the server host in order to delete a print job.</P
11412 >This command should be a program or script which takes
11413 a printer name and job number, and deletes the print job.</P
11420 > is given then the printer name
11421 is put in its place. A <TT
11427 the job number (an integer).</P
11429 >Note that it is good practice to include the absolute
11435 > as the PATH may not be
11436 available to the server.</P
11453 >depends on the setting of <TT
11465 >lprm command = /usr/bin/lprm -P%p %j
11471 >lprm command = /usr/bin/cancel %p-%j
11477 NAME="MACHINEPASSWORDTIMEOUT"
11479 >>machine password timeout (G)</DT
11482 >If a Samba server is a member of a Windows
11483 NT Domain (see the <A
11484 HREF="#SECURITYEQUALSDOMAIN"
11485 >security = domain</A
11487 parameter) then periodically a running <A
11491 > process will try and change the MACHINE ACCOUNT
11492 PASSWORD stored in the TDB called <TT
11494 >private/secrets.tdb
11496 >. This parameter specifies how often this password
11497 will be changed, in seconds. The default is one week (expressed in
11498 seconds), the same as a Windows NT Domain member server.</P
11501 CLASS="CITEREFENTRY"
11503 CLASS="REFENTRYTITLE"
11507 HREF="#SECURITYEQUALSDOMAIN"
11508 > security = domain</A
11513 >machine password timeout = 604800</B
11520 >>magic output (S)</DT
11523 >This parameter specifies the name of a file
11524 which will contain output created by a magic script (see the
11526 HREF="#MAGICSCRIPT"
11534 parameter below).</P
11536 >Warning: If two clients use the same <TT
11542 > in the same directory the output file content
11547 >magic output = <magic script name>.out
11553 >magic output = myfile.txt</B
11560 >>magic script (S)</DT
11563 >This parameter specifies the name of a file which,
11564 if opened, will be executed by the server when the file is closed.
11565 This allows a UNIX script to be sent to the Samba host and
11566 executed on behalf of the connected user.</P
11568 >Scripts executed in this way will be deleted upon
11569 completion assuming that the user has the appropriate level
11570 of privilege and the file permissions allow the deletion.</P
11572 >If the script generates output, output will be sent to
11573 the file specified by the <A
11574 HREF="#MAGICOUTPUT"
11581 > parameter (see above).</P
11583 >Note that some shells are unable to interpret scripts
11584 containing CR/LF instead of CR as
11585 the end-of-line marker. Magic scripts must be executable
11592 > on the host, which for some hosts and
11593 some shells will require filtering at the DOS end.</P
11595 >Magic scripts are <SPAN
11608 > be relied upon.</P
11614 >None. Magic scripts disabled.</I
11620 >magic script = user.csh</B
11627 >>mangle case (S)</DT
11630 >See the section on <A
11637 >mangle case = no</B
11644 >>mangled map (S)</DT
11647 >This is for those who want to directly map UNIX
11648 file names which cannot be represented on Windows/DOS. The mangling
11649 of names is not always what is needed. In particular you may have
11650 documents with file extensions that differ between DOS and UNIX.
11651 For example, under UNIX it is common to use <TT
11655 for HTML files, whereas under Windows/DOS <TT
11659 is more commonly used.</P
11672 >mangled map = (*.html *.htm)</B
11675 >One very useful case is to remove the annoying <TT
11679 > off the ends of filenames on some CDROMs (only visible
11680 under some UNIXes). To do this use a map of (*;1 *;).</P
11692 >mangled map = (*;1 *;)</B
11697 NAME="MANGLEDNAMES"
11699 >>mangled names (S)</DT
11702 >This controls whether non-DOS names under UNIX
11703 should be mapped to DOS-compatible names ("mangled") and made visible,
11704 or whether non-DOS names should simply be ignored.</P
11706 >See the section on <A
11709 > for details on how to control the mangling process.</P
11711 >If mangling is used then the mangling algorithm is as follows:</P
11717 >The first (up to) five alphanumeric characters
11718 before the rightmost dot of the filename are preserved, forced
11719 to upper case, and appear as the first (up to) five characters
11720 of the mangled name.</P
11724 >A tilde "~" is appended to the first part of the mangled
11725 name, followed by a two-character unique sequence, based on the
11726 original root name (i.e., the original filename minus its final
11727 extension). The final extension is included in the hash calculation
11728 only if it contains any upper case characters or is longer than three
11731 >Note that the character to use may be specified using
11733 HREF="#MANGLINGCHAR"
11741 > option, if you don't like '~'.</P
11745 >The first three alphanumeric characters of the final
11746 extension are preserved, forced to upper case and appear as the
11747 extension of the mangled name. The final extension is defined as that
11748 part of the original filename after the rightmost dot. If there are no
11749 dots in the filename, the mangled name will have no extension (except
11750 in the case of "hidden files" - see below).</P
11754 >Files whose UNIX name begins with a dot will be
11755 presented as DOS hidden files. The mangled name will be created as
11756 for other filenames, but with the leading dot removed and "___" as
11757 its extension regardless of actual original extension (that's three
11762 >The two-digit hash value consists of upper case
11763 alphanumeric characters.</P
11765 >This algorithm can cause name collisions only if files
11766 in a directory share the same first five alphanumeric characters.
11767 The probability of such a clash is 1/1300.</P
11769 >The name mangling (if enabled) allows a file to be
11770 copied between UNIX directories from Windows/DOS while retaining
11771 the long UNIX filename. UNIX files can be renamed to a new extension
11772 from Windows/DOS and will retain the same basename. Mangled names
11773 do not change between sessions.</P
11777 >mangled names = yes</B
11782 NAME="MANGLINGMETHOD"
11784 >>mangling method (G)</DT
11787 > controls the algorithm used for the generating
11788 the mangled names. Can take two different values, "hash" and
11789 "hash2". "hash" is the default and is the algorithm that has been
11790 used in Samba for many years. "hash2" is a newer and considered
11791 a better algorithm (generates less collisions) in the names.
11792 However, many Win32 applications store the mangled names and so
11793 changing to the new algorithm must not be done
11794 lightly as these applications may break unless reinstalled.</P
11798 >mangling method = hash2</B
11803 >mangling method = hash</B
11808 NAME="MANGLEPREFIX"
11810 >>mangle prefix (G)</DT
11813 > controls the number of prefix
11814 characters from the original name used when generating
11815 the mangled names. A larger value will give a weaker
11816 hash and therefore more name collisions. The minimum
11817 value is 1 and the maximum value is 6.</P
11821 >mangle prefix = 1</B
11826 >mangle prefix = 4</B
11831 NAME="MANGLEDSTACK"
11833 >>mangled stack (G)</DT
11836 >This parameter controls the number of mangled names
11837 that should be cached in the Samba server <SPAN
11838 CLASS="CITEREFENTRY"
11840 CLASS="REFENTRYTITLE"
11845 >This stack is a list of recently mangled base names
11846 (extensions are only maintained if they are longer than 3 characters
11847 or contains upper case characters).</P
11849 >The larger this value, the more likely it is that mangled
11850 names can be successfully converted to correct long UNIX names.
11851 However, large stack sizes will slow most directory accesses. Smaller
11852 stacks save memory in the server (each stack element costs 256 bytes).
11855 >It is not possible to absolutely guarantee correct long
11856 filenames, so be prepared for some surprises!</P
11860 >mangled stack = 50</B
11865 >mangled stack = 100</B
11870 NAME="MANGLINGCHAR"
11872 >>mangling char (S)</DT
11875 >This controls what character is used as
11885 >. The default is a '~'
11886 but this may interfere with some software. Use this option to set
11887 it to whatever you prefer.</P
11891 >mangling char = ~</B
11896 >mangling char = ^</B
11903 >>map archive (S)</DT
11906 >This controls whether the DOS archive attribute
11907 should be mapped to the UNIX owner execute bit. The DOS archive bit
11908 is set when a file has been modified since its last backup. One
11909 motivation for this option it to keep Samba/your PC from making
11910 any file it touches from becoming executable under UNIX. This can
11911 be quite annoying for shared source code, documents, etc...</P
11913 >Note that this requires the <TT
11919 parameter to be set such that owner execute bit is not masked out
11920 (i.e. it must include 100). See the parameter <A
11932 >map archive = yes</B
11939 >>map hidden (S)</DT
11942 >This controls whether DOS style hidden files
11943 should be mapped to the UNIX world execute bit.</P
11945 >Note that this requires the <TT
11951 to be set such that the world execute bit is not masked out (i.e.
11952 it must include 001). See the parameter <A
11964 >map hidden = no</B
11971 >>map system (S)</DT
11974 >This controls whether DOS style system files
11975 should be mapped to the UNIX group execute bit.</P
11977 >Note that this requires the <TT
11983 to be set such that the group execute bit is not masked out (i.e.
11984 it must include 010). See the parameter <A
11996 >map system = no</B
12003 >>map to guest (G)</DT
12006 >This parameter is only useful in <A
12009 > modes other than <TT
12012 >security = share</I
12027 >This parameter can take three different values, which tell
12029 CLASS="CITEREFENTRY"
12031 CLASS="REFENTRYTITLE"
12034 > what to do with user
12035 login requests that don't match a valid UNIX user in some way.</P
12037 >The three settings are :</P
12046 > - Means user login
12047 requests with an invalid password are rejected. This is the
12056 logins with an invalid password are rejected, unless the username
12057 does not exist, in which case it is treated as a guest login and
12059 HREF="#GUESTACCOUNT"
12073 > - Means user logins
12074 with an invalid password are treated as a guest login and mapped
12076 HREF="#GUESTACCOUNT"
12079 this can cause problems as it means that any user incorrectly typing
12080 their password will be silently logged on as "guest" - and
12081 will not know the reason they cannot access files they think
12082 they should - there will have been no message given to them
12083 that they got their password wrong. Helpdesk services will
12090 > you if you set the <TT
12096 > parameter this way :-).</P
12100 >Note that this parameter is needed to set up "Guest"
12101 share services when using <TT
12107 share. This is because in these modes the name of the resource being
12114 > sent to the server until after
12115 the server has successfully authenticated the client so the server
12116 cannot make authentication decisions at the correct time (connection
12117 to the share) for "Guest" shares.</P
12119 >For people familiar with the older Samba releases, this
12120 parameter maps to the old compile-time setting of the <TT
12122 > GUEST_SESSSETUP</TT
12123 > value in local.h.</P
12127 >map to guest = Never</B
12132 >map to guest = Bad User</B
12137 NAME="MAXCONNECTIONS"
12139 >>max connections (S)</DT
12142 >This option allows the number of simultaneous
12143 connections to a service to be limited. If <TT
12149 > is greater than 0 then connections will be refused if
12150 this number of connections to the service are already open. A value
12151 of zero mean an unlimited number of connections may be made.</P
12153 >Record lock files are used to implement this feature. The
12154 lock files will be stored in the directory specified by the <A
12155 HREF="#LOCKDIRECTORY"
12167 >max connections = 0</B
12172 >max connections = 10</B
12179 >>max disk size (G)</DT
12182 >This option allows you to put an upper limit
12183 on the apparent size of disks. If you set this option to 100
12184 then all shares will appear to be not larger than 100 MB in
12187 >Note that this option does not limit the amount of
12188 data you can put on the disk. In the above case you could still
12189 store much more than 100 MB on the disk, but if a client ever asks
12190 for the amount of free disk space or the total disk size then the
12191 result will be bounded by the amount specified in <TT
12199 >This option is primarily useful to work around bugs
12200 in some pieces of software that can't handle very large disks,
12201 particularly disks over 1GB in size.</P
12208 > of 0 means no limit.</P
12212 >max disk size = 0</B
12217 >max disk size = 1000</B
12224 >>max log size (G)</DT
12227 >This option (an integer in kilobytes) specifies
12228 the max size the log file should grow to. Samba periodically checks
12229 the size and if it is exceeded it will rename the file, adding
12235 >A size of 0 means no limit.</P
12239 >max log size = 5000</B
12244 >max log size = 1000</B
12251 >>max mux (G)</DT
12254 >This option controls the maximum number of
12255 outstanding simultaneous SMB operations that Samba tells the client
12256 it will allow. You should never need to set this parameter.</P
12265 NAME="MAXOPENFILES"
12267 >>max open files (G)</DT
12270 >This parameter limits the maximum number of
12271 open files that one <SPAN
12272 CLASS="CITEREFENTRY"
12274 CLASS="REFENTRYTITLE"
12278 serving process may have open for a client at any one time. The
12279 default for this parameter is set very high (10,000) as Samba uses
12280 only one bit per unopened file.</P
12282 >The limit of the number of open files is usually set
12283 by the UNIX per-process file descriptor limit rather than
12284 this parameter so you should never need to touch this parameter.</P
12288 >max open files = 10000</B
12293 NAME="MAXPRINTJOBS"
12295 >>max print jobs (S)</DT
12298 >This parameter limits the maximum number of
12299 jobs allowable in a Samba printer queue at any given moment.
12300 If this number is exceeded, <SPAN
12301 CLASS="CITEREFENTRY"
12303 CLASS="REFENTRYTITLE"
12306 > will remote "Out of Space" to the client.
12308 HREF="#TOTALPRINTJOBS"
12321 >max print jobs = 1000</B
12326 >max print jobs = 5000</B
12333 >>max protocol (G)</DT
12336 >The value of the parameter (a string) is the highest
12337 protocol level that will be supported by the server.</P
12339 >Possible values are :</P
12348 >: Earliest version. No
12349 concept of user names.</P
12356 >: Slight improvements on
12357 CORE for efficiency.</P
12370 > version of the protocol. Long filename
12378 >: Updates to Lanman1 protocol.
12386 >: Current up to date version of
12387 the protocol. Used by Windows NT. Known as CIFS.</P
12391 >Normally this option should not be set as the automatic
12392 negotiation phase in the SMB protocol takes care of choosing
12393 the appropriate protocol.</P
12396 HREF="#MINPROTOCOL"
12408 >max protocol = NT1</B
12413 >max protocol = LANMAN1</B
12418 NAME="MAXSMBDPROCESSES"
12420 >>max smbd processes (G)</DT
12423 >This parameter limits the maximum number of
12432 processes concurrently running on a system and is intended
12433 as a stopgap to prevent degrading service to clients in the event
12434 that the server has insufficient resources to handle more than this
12435 number of connections. Remember that under normal operating
12436 conditions, each user will have an <SPAN
12437 CLASS="CITEREFENTRY"
12439 CLASS="REFENTRYTITLE"
12442 > associated with him or her
12443 to handle connections to all shares from a given host.
12448 >max smbd processes = 0</B
12453 >max smbd processes = 1000</B
12460 >>max ttl (G)</DT
12463 >This option tells <SPAN
12464 CLASS="CITEREFENTRY"
12466 CLASS="REFENTRYTITLE"
12470 what the default 'time to live' of NetBIOS names should be (in seconds)
12474 > is requesting a name using either a
12475 broadcast packet or from a WINS server. You should never need to
12476 change this parameter. The default is 3 days.</P
12480 >max ttl = 259200</B
12487 >>max wins ttl (G)</DT
12490 >This option tells <SPAN
12491 CLASS="CITEREFENTRY"
12493 CLASS="REFENTRYTITLE"
12496 > when acting as a WINS server (<A
12497 HREF="#WINSSUPPORT"
12501 >wins support = yes</I
12504 >) what the maximum
12505 'time to live' of NetBIOS names that <B
12509 will grant will be (in seconds). You should never need to change this
12510 parameter. The default is 6 days (518400 seconds).</P
12525 >max wins ttl = 518400</B
12532 >>max xmit (G)</DT
12535 >This option controls the maximum packet size
12536 that will be negotiated by Samba. The default is 65535, which
12537 is the maximum. In some cases you may find you get better performance
12538 with a smaller value. A value below 2048 is likely to cause problems.
12543 >max xmit = 65535</B
12548 >max xmit = 8192</B
12553 NAME="MESSAGECOMMAND"
12555 >>message command (G)</DT
12558 >This specifies what command to run when the
12559 server receives a WinPopup style message.</P
12561 >This would normally be a command that would
12562 deliver the message somehow. How this is to be done is
12563 up to your imagination.</P
12569 >message command = csh -c 'xedit %s;rm %s' &</B
12573 >This delivers the message using <B
12577 removes it afterwards. <SPAN
12581 >NOTE THAT IT IS VERY IMPORTANT
12582 THAT THIS COMMAND RETURN IMMEDIATELY</I
12585 have the '&' on the end. If it doesn't return immediately then
12586 your PCs may freeze when sending messages (they should recover
12587 after 30 seconds, hopefully).</P
12589 >All messages are delivered as the global guest user.
12590 The command takes the standard substitutions, although <TT
12603 >Apart from the standard substitutions, some additional
12604 ones apply. In particular:</P
12615 > = the filename containing
12625 > = the destination that
12626 the message was sent to (probably the server name).</P
12635 > = who the message
12640 >You could make this command send mail, or whatever else
12641 takes your fancy. Please let us know of any really interesting
12644 >Here's a way of sending the messages as mail to root:</P
12648 >message command = /bin/mail -s 'message from %f on
12649 %m' root < %s; rm %s</B
12652 >If you don't have a message command then the message
12653 won't be delivered and Samba will tell the sender there was
12654 an error. Unfortunately WfWg totally ignores the error code
12655 and carries on regardless, saying that the message was delivered.
12658 >If you want to silently delete it then try:</P
12662 >message command = rm %s</B
12669 >no message command</I
12675 >message command = csh -c 'xedit %s;
12681 NAME="MINPASSWDLENGTH"
12683 >>min passwd length (G)</DT
12687 HREF="#MINPASSWORDLENGTH"
12691 >min password length</I
12698 NAME="MINPASSWORDLENGTH"
12700 >>min password length (G)</DT
12703 >This option sets the minimum length in characters
12704 of a plaintext password that <B
12707 > will accept when performing
12708 UNIX password changing.</P
12711 HREF="#UNIXPASSWORDSYNC"
12720 HREF="#PASSWDPROGRAM"
12728 HREF="#PASSWDCHATDEBUG"
12732 >passwd chat debug</I
12740 >min password length = 5</B
12745 NAME="MINPRINTSPACE"
12747 >>min print space (S)</DT
12750 >This sets the minimum amount of free disk
12751 space that must be available before a user will be able to spool
12752 a print job. It is specified in kilobytes. The default is 0, which
12753 means a user can always spool a print job.</P
12768 >min print space = 0</B
12773 >min print space = 2000</B
12780 >>min protocol (G)</DT
12783 >The value of the parameter (a string) is the
12784 lowest SMB protocol dialect than Samba will support. Please refer
12786 HREF="#MAXPROTOCOL"
12794 parameter for a list of valid protocol names and a brief description
12795 of each. You may also wish to refer to the C source code in
12798 >source/smbd/negprot.c</TT
12799 > for a listing of known protocol
12800 dialects supported by clients.</P
12802 >If you are viewing this parameter as a security measure, you should
12803 also refer to the <A
12812 > parameter. Otherwise, you should never need
12813 to change this parameter.</P
12817 >min protocol = CORE</B
12822 >min protocol = NT1</B
12830 >>min wins ttl (G)</DT
12833 >This option tells <SPAN
12834 CLASS="CITEREFENTRY"
12836 CLASS="REFENTRYTITLE"
12840 when acting as a WINS server (<A
12841 HREF="#WINSSUPPORT"
12845 > wins support = yes</I
12848 >) what the minimum 'time to live'
12849 of NetBIOS names that <B
12852 > will grant will be (in
12853 seconds). You should never need to change this parameter. The default
12854 is 6 hours (21600 seconds).</P
12858 >min wins ttl = 21600</B
12865 >>msdfs proxy (S)</DT
12868 >This parameter indicates that the share is a
12869 stand-in for another CIFS share whose location is specified by
12870 the value of the parameter. When clients attempt to connect to
12871 this share, they are redirected to the proxied share using
12872 the SMB-Dfs protocol.</P
12874 >Only Dfs roots can act as proxy shares. Take a look at the
12894 options to find out how to set up a Dfs root share.</P
12898 >msdfs proxy = \\\\otherserver\\someshare</B
12905 >>msdfs root (S)</DT
12908 >This boolean parameter is only available if
12909 Samba is configured and compiled with the <B
12912 > option. If set to <TT
12916 Samba treats the share as a Dfs root and allows clients to browse
12917 the distributed file system tree rooted at the share directory.
12918 Dfs links are specified in the share directory by symbolic
12919 links of the form <TT
12921 >msdfs:serverA\\shareA,serverB\\shareB</TT
12923 and so on. For more information on setting up a Dfs tree
12924 on Samba, refer to <A
12927 >"Hosting a Microsoft
12928 Distributed File System tree on Samba"</A
12944 >msdfs root = no</B
12949 NAME="NAMECACHETIMEOUT"
12951 >>name cache timeout (G)</DT
12954 >Specifies the number of seconds it takes before
12955 entries in samba's hostname resolve cache time out. If
12956 the timeout is set to 0. the caching is disabled.
12961 >name cache timeout = 660</B
12966 >name cache timeout = 0</B
12971 NAME="NAMERESOLVEORDER"
12973 >>name resolve order (G)</DT
12976 >This option is used by the programs in the Samba
12977 suite to determine what naming services to use and in what order
12978 to resolve host names to IP addresses. The option takes a space
12979 separated string of name resolution options.</P
12981 >The options are :"lmhosts", "host", "wins" and "bcast". They
12982 cause names to be resolved as follows :</P
12992 address in the Samba lmhosts file. If the line in lmhosts has
12993 no name type attached to the NetBIOS name (see the <A
12994 HREF="lmhosts.5.html"
12997 > for details) then
12998 any name type matches for lookup.</P
13005 > : Do a standard host
13006 name to IP address resolution, using the system <TT
13010 >, NIS, or DNS lookups. This method of name resolution
13011 is operating system depended for instance on IRIX or Solaris this
13012 may be controlled by the <TT
13014 >/etc/nsswitch.conf</TT
13016 file. Note that this method is only used if the NetBIOS name
13017 type being queried is the 0x20 (server) name type, otherwise
13025 > : Query a name with
13026 the IP address listed in the <A
13034 > parameter. If no WINS server has
13035 been specified this method will be ignored.</P
13042 > : Do a broadcast on
13043 each of the known local interfaces listed in the <A
13052 parameter. This is the least reliable of the name resolution
13053 methods as it depends on the target host being on a locally
13054 connected subnet.</P
13060 >name resolve order = lmhosts host wins bcast
13066 >name resolve order = lmhosts bcast host
13070 >This will cause the local lmhosts file to be examined
13071 first, followed by a broadcast attempt, followed by a normal
13072 system hostname lookup.</P
13076 NAME="NETBIOSALIASES"
13078 >>netbios aliases (G)</DT
13081 >This is a list of NetBIOS names that <A
13085 > will advertise as additional
13086 names by which the Samba server is known. This allows one machine
13087 to appear in browse lists under multiple names. If a machine is
13088 acting as a browse server or logon server none
13089 of these names will be advertised as either browse server or logon
13090 servers, only the primary name of the machine will be advertised
13091 with these capabilities.</P
13094 HREF="#NETBIOSNAME"
13108 >empty string (no additional names)</I
13114 >netbios aliases = TEST TEST1 TEST2</B
13121 >>netbios name (G)</DT
13124 >This sets the NetBIOS name by which a Samba
13125 server is known. By default it is the same as the first component
13126 of the host's DNS name. If a machine is a browse server or
13127 logon server this name (or the first component
13128 of the hosts DNS name) will be the name that these services are
13129 advertised under.</P
13132 HREF="#NETBIOSALIASES"
13146 >machine DNS name</I
13152 >netbios name = MYNAME</B
13157 NAME="NETBIOSSCOPE"
13159 >>netbios scope (G)</DT
13162 >This sets the NetBIOS scope that Samba will
13163 operate under. This should not be set unless every machine
13164 on your LAN also sets this value.</P
13170 >>nis homedir (G)</DT
13173 >Get the home share server from a NIS map. For
13174 UNIX systems that use an automounter, the user's home directory
13175 will often be mounted on a workstation on demand from a remote
13178 >When the Samba logon server is not the actual home directory
13179 server, but is mounting the home directories via NFS then two
13180 network hops would be required to access the users home directory
13181 if the logon server told the client to use itself as the SMB server
13182 for home directories (one over SMB and one over NFS). This can
13185 >This option allows Samba to return the home share as
13186 being on a different server to the logon server and as
13187 long as a Samba daemon is running on the home directory server,
13188 it will be mounted on the Samba client directly from the directory
13189 server. When Samba is returning the home share to the client, it
13190 will consult the NIS map specified in <A
13198 > and return the server
13201 >Note that for this option to work there must be a working
13202 NIS system and the Samba server with this option must also
13203 be a logon server.</P
13207 >nis homedir = no</B
13212 NAME="NONUNIXACCOUNTRANGE"
13214 >>non unix account range (G)</DT
13217 >The non unix account range parameter specifies
13218 the range of 'user ids' that are allocated by the various 'non unix
13219 account' passdb backends. These backends allow
13220 the storage of passwords for users who don't exist in /etc/passwd.
13221 This is most often used for machine account creation.
13222 This range of ids should have no existing local or NIS users within
13223 it as strange conflicts can occur otherwise.</P
13225 >NOTE: These userids never appear on the system and Samba will never
13226 'become' these users. They are used only to ensure that the algorithmic
13227 RID mapping does not conflict with normal users.
13232 >non unix account range = <empty string>
13238 >non unix account range = 10000-20000</B
13243 NAME="NTACLSUPPORT"
13245 >>nt acl support (S)</DT
13248 >This boolean parameter controls whether
13253 > will attempt to map
13254 UNIX permissions into Windows NT access control lists.
13255 This parameter was formally a global parameter in releases
13260 >nt acl support = yes</B
13265 NAME="NTPIPESUPPORT"
13267 >>nt pipe support (G)</DT
13270 >This boolean parameter controls whether
13272 CLASS="CITEREFENTRY"
13274 CLASS="REFENTRYTITLE"
13277 > will allow Windows NT
13278 clients to connect to the NT SMB specific <TT
13282 pipes. This is a developer debugging option and can be left
13287 >nt pipe support = yes</B
13292 NAME="NTSTATUSSUPPORT"
13294 >>nt status support (G)</DT
13297 >This boolean parameter controls whether <A
13301 > will negotiate NT specific status
13302 support with Windows NT/2k/XP clients. This is a developer
13303 debugging option and should be left alone.
13304 If this option is set to <TT
13307 > then Samba offers
13308 exactly the same DOS error codes that versions prior to Samba 2.2.3
13311 >You should not need to ever disable this parameter.</P
13315 >nt status support = yes</B
13320 NAME="NULLPASSWORDS"
13322 >>null passwords (G)</DT
13325 >Allow or disallow client access to accounts
13326 that have null passwords. </P
13329 CLASS="CITEREFENTRY"
13331 CLASS="REFENTRYTITLE"
13338 >null passwords = no</B
13343 NAME="OBEYPAMRESTRICTIONS"
13345 >>obey pam restrictions (G)</DT
13348 >When Samba 2.2 is configured to enable PAM support
13349 (i.e. --with-pam), this parameter will control whether or not Samba
13350 should obey PAM's account and session management directives. The
13351 default behavior is to use PAM for clear text authentication only
13352 and to ignore any account or session management. Note that Samba
13353 always ignores PAM for authentication in the case of <A
13354 HREF="#ENCRYPTPASSWORDS"
13358 >encrypt passwords = yes</I
13362 >. The reason is that PAM modules cannot support the challenge/response
13363 authentication mechanism needed in the presence of SMB password encryption.
13368 >obey pam restrictions = no</B
13375 >>only user (S)</DT
13378 >This is a boolean option that controls whether
13379 connections with usernames not in the <TT
13385 list will be allowed. By default this option is disabled so that a
13386 client can supply a username to be used by the server. Enabling
13387 this parameter will force the server to only use the login
13393 > list and is only really
13395 HREF="#SECURITYEQUALSSHARE"
13400 >Note that this also means Samba won't try to deduce
13401 usernames from the service name. This can be annoying for
13402 the [homes] section. To get around this you could use <B
13406 > which means your <TT
13412 will be just the service name, which for home directories is the
13413 name of the user.</P
13435 >>only guest (S)</DT
13450 NAME="OPLOCKBREAKWAITTIME"
13452 >>oplock break wait time (G)</DT
13455 >This is a tuning parameter added due to bugs in
13456 both Windows 9x and WinNT. If Samba responds to a client too
13457 quickly when that client issues an SMB that can cause an oplock
13458 break request, then the network client can fail and not respond
13459 to the break request. This tuning parameter (which is set in milliseconds)
13460 is the amount of time Samba will wait before sending an oplock break
13461 request to such (broken) clients.</P
13467 >DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
13468 AND UNDERSTOOD THE SAMBA OPLOCK CODE</I
13474 >oplock break wait time = 0</B
13479 NAME="OPLOCKCONTENTIONLIMIT"
13481 >>oplock contention limit (S)</DT
13496 improve the efficiency of the granting of oplocks under multiple
13497 client contention for the same file.</P
13499 >In brief it specifies a number, which causes <SPAN
13500 CLASS="CITEREFENTRY"
13502 CLASS="REFENTRYTITLE"
13505 >not to grant an oplock even when requested
13506 if the approximate number of clients contending for an oplock on the same file goes over this
13507 limit. This causes <B
13510 > to behave in a similar
13511 way to Windows NT.</P
13517 >DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
13518 AND UNDERSTOOD THE SAMBA OPLOCK CODE</I
13524 >oplock contention limit = 2</B
13531 >>oplocks (S)</DT
13534 >This boolean option tells <B
13538 issue oplocks (opportunistic locks) to file open requests on this
13539 share. The oplock code can dramatically (approx. 30% or more) improve
13540 the speed of access to files on Samba servers. It allows the clients
13541 to aggressively cache files locally and you may want to disable this
13542 option for unreliable network environments (it is turned on by
13543 default in Windows NT Servers). For more information see the file
13553 >Oplocks may be selectively turned off on certain files with a
13555 HREF="#VETOOPLOCKFILES"
13559 > veto oplock files</I
13562 > parameter. On some systems
13563 oplocks are recognized by the underlying operating system. This
13564 allows data synchronization between all access to oplocked files,
13565 whether it be via Samba or NFS or a local UNIX process. See the
13571 > parameter for details.</P
13574 HREF="#KERNELOPLOCKS"
13583 HREF="#LEVEL2OPLOCKS"
13587 > level2 oplocks</I
13601 >>ntlm auth (G)</DT
13604 >This parameter determines
13605 whether or not <SPAN
13606 CLASS="CITEREFENTRY"
13608 CLASS="REFENTRYTITLE"
13612 attempt to authenticate users using the NTLM password hash.
13613 If disabled, only the lanman password hashes will be used.
13616 >Please note that at least this option or <B
13620 be enabled in order to be able to log in.
13625 >ntlm auth = yes</B
13632 >>os level (G)</DT
13635 >This integer value controls what level Samba
13636 advertises itself as for browse elections. The value of this
13637 parameter determines whether <SPAN
13638 CLASS="CITEREFENTRY"
13640 CLASS="REFENTRYTITLE"
13644 has a chance of becoming a local master browser for the <TT
13649 > in the local broadcast area.</P
13657 >By default, Samba will win
13658 a local master browsing election over all Microsoft operating
13659 systems except a Windows NT 4.0/2000 Domain Controller. This
13660 means that a misconfigured Samba host can effectively isolate
13661 a subnet for browsing purposes. See <TT
13683 NAME="OS2DRIVERMAP"
13685 >>os2 driver map (G)</DT
13688 >The parameter is used to define the absolute
13689 path to a file containing a mapping of Windows NT printer driver
13690 names to OS/2 printer driver names. The format is:</P
13692 ><nt driver name> = <os2 driver
13693 name>.<device name></P
13695 >For example, a valid entry using the HP LaserJet 5
13696 printer driver would appear as <B
13698 >HP LaserJet 5L = LASERJET.HP
13702 >The need for the file is due to the printer driver namespace
13703 problem described in the <A
13704 HREF="printing.html"
13708 >. For more details on OS/2 clients, please
13709 refer to the OS2-Client-HOWTO containing in the Samba documentation.</P
13713 >os2 driver map = <empty string>
13719 NAME="PAMPASSWORDCHANGE"
13721 >>pam password change (G)</DT
13724 >With the addition of better PAM support in Samba 2.2,
13725 this parameter, it is possible to use PAM's password change control
13726 flag for Samba. If enabled, then PAM will be used for password
13727 changes when requested by an SMB client instead of the program listed in
13729 HREF="#PASSWDPROGRAM"
13737 It should be possible to enable this without changing your
13747 parameter for most setups.
13752 >pam password change = no</B
13759 >>panic action (G)</DT
13762 >This is a Samba developer option that allows a
13763 system command to be called when either <SPAN
13764 CLASS="CITEREFENTRY"
13766 CLASS="REFENTRYTITLE"
13770 CLASS="CITEREFENTRY"
13772 CLASS="REFENTRYTITLE"
13775 > crashes. This is usually used to
13776 draw attention to the fact that a problem occurred.</P
13780 >panic action = <empty string></B
13785 >panic action = "/bin/sleep 90000"</B
13790 NAME="PARANOIDSERVERSECURITY"
13792 >>paranoid server security (G)</DT
13795 >Some version of NT 4.x allow non-guest
13796 users with a bad passowrd. When this option is enabled, samba will not
13797 use a broken NT 4.x server as password server, but instead complain
13798 to the logs and exit.
13801 >Disabling this option prevents Samba from making
13802 this check, which involves deliberatly attempting a
13803 bad logon to the remote server.</P
13807 >paranoid server security = yes</B
13812 NAME="PASSDBBACKEND"
13814 >>passdb backend (G)</DT
13817 >This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both
13818 smbpasswd and tdbsam to be used without a recompile.
13819 Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.
13820 Experimental backends must still be selected
13821 (eg --with-tdbsam) at configure time.
13824 >This parameter is in two parts, the backend's name, and a 'location'
13825 string that has meaning only to that particular backed. These are separated
13826 by a : character.</P
13828 >Available backends can include:
13837 > - The default smbpasswd
13838 backend. Takes a path to the smbpasswd file as an optional argument.</P
13846 backend, but with support for 'not unix accounts'.
13847 Takes a path to the smbpasswd file as an optional argument.</P
13850 HREF="#NONUNIXACCOUNTRANGE"
13854 >non unix account range</I
13864 > - The TDB based password storage
13865 backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
13881 > - The TDB based password storage
13882 backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
13894 HREF="#NONUNIXACCOUNTRANGE"
13898 >non unix account range</I
13908 > - The LDAP based passdb
13909 backend. Takes an LDAP URL as an optional argument (defaults to
13912 >ldap://localhost</B
13920 > - The LDAP based passdb
13921 backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
13924 >ldap://localhost</B
13927 >Note: In this module, any account without a matching POSIX account is regarded
13931 HREF="#NONUNIXACCOUNTRANGE"
13941 >LDAP connections should be secured where
13942 possible. This may be done using either
13966 > - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. </P
13973 > - Allows Samba to load an
13974 arbitary passdb backend from the .so specified as a compulsary argument.
13977 >Any characters after the (optional) second : are passed to the plugin
13978 for its own processing</P
13985 > - Allows samba to map all (other) available unix users</P
13987 >This backend uses the standard unix database for retrieving users. Users included
13988 in this pdb are NOT listed in samba user listings and users included in this pdb won't be
13989 able to login. The use of this backend is to always be able to display the owner of a file
13990 on the samba server - even when the user doesn't have a 'real' samba account in one of the
13991 other passdb backends.
13994 >This backend should always be the last backend listed, since it contains all users in
13995 the unix passdb and might 'override' mappings if specified earlier. It's meant to only return
13996 accounts for users that aren't covered by the previous backends.</P
14004 >passdb backend = smbpasswd unixsam</B
14009 >passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam</B
14014 >passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam</B
14019 >passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</B
14026 >>passwd chat (G)</DT
14029 >This string controls the <SPAN
14036 conversation that takes places between <SPAN
14037 CLASS="CITEREFENTRY"
14039 CLASS="REFENTRYTITLE"
14042 > and the local password changing
14043 program to change the user's password. The string describes a
14044 sequence of response-receive pairs that <SPAN
14045 CLASS="CITEREFENTRY"
14047 CLASS="REFENTRYTITLE"
14050 > uses to determine what to send to the
14052 HREF="#PASSWDPROGRAM"
14060 > and what to expect back. If the expected output is not
14061 received then the password is not changed.</P
14063 >This chat sequence is often quite site specific, depending
14064 on what local methods are used for password control (such as NIS
14067 >Note that this parameter only is only used if the <A
14068 HREF="#UNIXPASSWORDSYNC"
14076 > parameter is set to <TT
14080 sequence is then called <SPAN
14086 > when the SMB password
14087 in the smbpasswd file is being changed, without access to the old
14088 password cleartext. This means that root must be able to reset the user's password
14089 without knowing the text of the previous password. In the presence of NIS/YP,
14090 this means that the <A
14091 HREF="#PASSWDPROGRAM"
14094 executed on the NIS master.
14097 >The string can contain the macro <TT
14102 > which is substituted
14103 for the new password. The chat sequence can also contain the standard
14116 > to give line-feed,
14117 carriage-return, tab and space. The chat sequence string can also contain
14118 a '*' which matches any sequence of characters.
14119 Double quotes can be used to collect strings with spaces
14120 in them into a single string.</P
14122 >If the send string in any part of the chat sequence
14123 is a full stop ".", then no string is sent. Similarly,
14124 if the expect string is a full stop then no string is expected.</P
14127 HREF="#PAMPASSWORDCHANGE"
14135 > parameter is set to <TT
14139 may be matched in any order, and success is determined by the PAM result,
14140 not any particular output. The \n macro is ignored for PAM conversions.
14144 HREF="#UNIXPASSWORDSYNC"
14153 HREF="#PASSWDPROGRAM"
14157 > passwd program</I
14161 HREF="#PASSWDCHATDEBUG"
14165 >passwd chat debug</I
14169 HREF="#PAMPASSWORDCHANGE"
14173 >pam password change</I
14180 >passwd chat = *new*password* %n\\n
14181 *new*password* %n\\n *changed*</B
14186 >passwd chat = "*Enter OLD password*" %o\\n
14187 "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password
14193 NAME="PASSWDCHATDEBUG"
14195 >>passwd chat debug (G)</DT
14198 >This boolean specifies if the passwd chat script
14199 parameter is run in <SPAN
14205 > mode. In this mode the
14206 strings passed to and received from the passwd chat are printed
14208 CLASS="CITEREFENTRY"
14210 CLASS="REFENTRYTITLE"
14223 of 100. This is a dangerous option as it will allow plaintext passwords
14224 to be seen in the <B
14227 > log. It is available to help
14228 Samba admins debug their <TT
14234 when calling the <TT
14240 be turned off after this has been done. This option has no effect if the
14242 HREF="#PAMPASSWORDCHANGE"
14246 >pam password change</I
14250 paramter is set. This parameter is off by default.</P
14262 HREF="#PAMPASSWORDCHANGE"
14266 >pam password change</I
14271 HREF="#PASSWDPROGRAM"
14283 >passwd chat debug = no</B
14288 NAME="PASSWDPROGRAM"
14290 >>passwd program (G)</DT
14293 >The name of a program that can be used to set
14294 UNIX user passwords. Any occurrences of <TT
14300 will be replaced with the user name. The user name is checked for
14301 existence before calling the password changing program.</P
14303 >Also note that many passwd programs insist in <SPAN
14310 > passwords, such as a minimum length, or the inclusion
14311 of mixed case chars and digits. This can pose a problem as some clients
14312 (such as Windows for Workgroups) uppercase the password before sending
14327 > parameter is set to <TT
14331 > then this program is called <SPAN
14338 before the SMB password in the <A
14339 HREF="smbpasswd.5.html"
14343 > file is changed. If this UNIX password change fails, then
14347 > will fail to change the SMB password also
14348 (this is by design).</P
14353 >unix password sync</I
14356 is set this parameter <SPAN
14360 >MUST USE ABSOLUTE PATHS</I
14369 > programs called, and must be examined
14370 for security implications. Note that by default <TT
14382 HREF="#UNIXPASSWORDSYNC"
14394 >passwd program = /bin/passwd</B
14399 >passwd program = /sbin/npasswd %u</B
14405 NAME="PASSWORDLEVEL"
14407 >>password level (G)</DT
14410 >Some client/server combinations have difficulty
14411 with mixed-case passwords. One offending client is Windows for
14412 Workgroups, which for some reason forces passwords to upper
14413 case when using the LANMAN1 protocol, but leaves them alone when
14414 using COREPLUS! Another problem child is the Windows 95/98
14415 family of operating systems. These clients upper case clear
14416 text passwords even when NT LM 0.12 selected by the protocol
14417 negotiation request/response.</P
14419 >This parameter defines the maximum number of characters
14420 that may be upper case in passwords.</P
14422 >For example, say the password given was "FRED". If <TT
14425 > password level</I
14427 > is set to 1, the following combinations
14428 would be tried if "FRED" failed:</P
14430 >"Fred", "fred", "fRed", "frEd","freD"</P
14438 the following combinations would also be tried: </P
14440 >"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</P
14444 >The higher value this parameter is set to the more likely
14445 it is that a mixed case password will be matched against a single
14446 case password. However, you should be aware that use of this
14447 parameter reduces security and increases the time taken to
14448 process a new connection.</P
14450 >A value of zero will cause only two attempts to be
14451 made - the password as is and the password in all-lower case.</P
14455 >password level = 0</B
14460 >password level = 4</B
14465 NAME="PASSWORDSERVER"
14467 >>password server (G)</DT
14470 >By specifying the name of another SMB server (such
14471 as a WinNT box) with this option, and using <B
14477 >security = server</B
14478 > you can get Samba
14479 to do all its username/password validation via a remote server.</P
14481 >This option sets the name of the password server to use.
14482 It must be a NetBIOS name, so if the machine's NetBIOS name is
14483 different from its Internet name then you may have to add its NetBIOS
14484 name to the lmhosts file which is stored in the same directory
14490 >The name of the password server is looked up using the
14492 HREF="#NAMERESOLVEORDER"
14500 > and so may resolved
14501 by any method and order described in that parameter.</P
14503 >The password server much be a machine capable of using
14504 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
14505 user level security mode.</P
14513 > Using a password server
14514 means your UNIX box (running Samba) is only as secure as your
14515 password server. <SPAN
14519 >DO NOT CHOOSE A PASSWORD SERVER THAT
14520 YOU DON'T COMPLETELY TRUST</I
14524 >Never point a Samba server at itself for password
14525 serving. This will cause a loop and could lock up your Samba
14528 >The name of the password server takes the standard
14529 substitutions, but probably the only useful one is <TT
14535 >, which means the Samba server will use the incoming
14536 client as the password server. If you use this then you better
14537 trust your clients, and you had better restrict them with hosts allow!</P
14544 > parameter is set to
14548 >, then the list of machines in this
14549 option must be a list of Primary or Backup Domain controllers for the
14550 Domain or the character '*', as the Samba server is effectively
14551 in that domain, and will use cryptographically authenticated RPC calls
14552 to authenticate the user logging on. The advantage of using <B
14554 > security = domain</B
14555 > is that if you list several hosts in the
14559 >password server</I
14565 > will try each in turn till it finds one that responds. This
14566 is useful in case your primary server goes down.</P
14571 >password server</I
14574 to the character '*', then Samba will attempt to auto-locate the
14575 Primary or Backup Domain controllers to authenticate against by
14576 doing a query for the name <TT
14578 >WORKGROUP<1C></TT
14580 and then contacting each server returned in the list of IP
14581 addresses from the name resolution source. </P
14583 >If the list of servers contains both names and the '*'
14584 character, the list is treated as a list of preferred
14585 domain controllers, but an auto lookup of all remaining DC's
14586 will be added to the list as well. Samba will not attempt to optimize
14587 this list by locating the closest DC.</P
14598 >, then there are different
14599 restrictions that <B
14601 >security = domain</B
14609 >You may list several password servers in
14613 >password server</I
14615 > parameter, however if an
14619 > makes a connection to a password server,
14620 and then the password server fails, no more users will be able
14621 to be authenticated from this <B
14625 restriction of the SMB/CIFS protocol when in <B
14629 > mode and cannot be fixed in Samba.</P
14633 >If you are using a Windows NT server as your
14634 password server then you will have to ensure that your users
14635 are able to login from the Samba server, as when in <B
14637 > security = server</B
14638 > mode the network logon will appear to
14639 come from there rather than from the users workstation.</P
14656 >password server = <empty string></B
14662 >password server = NT-PDC, NT-BDC1, NT-BDC2, *
14668 >password server = *</B
14678 >This parameter specifies a directory to which
14679 the user of the service is to be given access. In the case of
14680 printable services, this is where print data will spool prior to
14681 being submitted to the host for printing.</P
14683 >For a printable service offering guest access, the service
14684 should be readonly and the path should be world-writeable and
14685 have the sticky bit set. This is not mandatory of course, but
14686 you probably won't get the results you expect if you do
14689 >Any occurrences of <TT
14695 will be replaced with the UNIX username that the client is using
14696 on this connection. Any occurrences of <TT
14702 will be replaced by the NetBIOS name of the machine they are
14703 connecting from. These replacements are very useful for setting
14704 up pseudo home directories for users.</P
14706 >Note that this path will be based on <A
14714 > if one was specified.</P
14726 >path = /home/fred</B
14731 NAME="PIDDIRECTORY"
14733 >>pid directory (G)</DT
14736 >This option specifies the directory where pid
14737 files will be placed. </P
14741 >pid directory = ${prefix}/var/locks</B
14746 >pid directory = /var/run/</B
14752 NAME="POSIXLOCKING"
14754 >>posix locking (S)</DT
14758 CLASS="CITEREFENTRY"
14760 CLASS="REFENTRYTITLE"
14764 daemon maintains an database of file locks obtained by SMB clients.
14765 The default behavior is to map this internal database to POSIX
14766 locks. This means that file locks obtained by SMB clients are
14767 consistent with those seen by POSIX compliant applications accessing
14768 the files via a non-SMB method (e.g. NFS or local file access).
14769 You should never need to disable this parameter.</P
14773 >posix locking = yes</B
14780 >>postexec (S)</DT
14783 >This option specifies a command to be run
14784 whenever the service is disconnected. It takes the usual
14785 substitutions. The command may be run as the root on some
14788 >An interesting example may be to unmount server
14793 >postexec = /etc/umount /cdrom</B
14811 >none (no command executed)</I
14818 >postexec = echo \"%u disconnected from %S
14819 from %m (%I)\" >> /tmp/log</B
14826 >>postscript (S)</DT
14829 >This parameter forces a printer to interpret
14830 the print files as PostScript. This is done by adding a <TT
14834 > to the start of print output.</P
14836 >This is most useful when you have lots of PCs that persist
14837 in putting a control-D at the start of print jobs, which then
14838 confuses your printer.</P
14842 >postscript = no</B
14849 >>preexec (S)</DT
14852 >This option specifies a command to be run whenever
14853 the service is connected to. It takes the usual substitutions.</P
14855 >An interesting example is to send the users a welcome
14856 message every time they log in. Maybe a message of the day? Here
14861 >preexec = csh -c 'echo \"Welcome to %S!\" |
14862 /usr/local/samba/bin/smbclient -M %m -I %I' & </B
14865 >Of course, this could get annoying after a while :-)</P
14868 HREF="#PREEXECCLOSE"
14891 >none (no command executed)</I
14897 >preexec = echo \"%u connected to %S from %m
14898 (%I)\" >> /tmp/log</B
14903 NAME="PREEXECCLOSE"
14905 >>preexec close (S)</DT
14908 >This boolean option controls whether a non-zero
14909 return code from <A
14918 > should close the service being connected to.</P
14922 >preexec close = no</B
14927 NAME="PREFERREDMASTER"
14929 >>preferred master (G)</DT
14932 >This boolean parameter controls if <A
14936 > is a preferred master browser
14937 for its workgroup.</P
14939 >If this is set to <TT
14946 will force an election, and it will have a slight advantage in
14947 winning the election. It is recommended that this parameter is
14948 used in conjunction with <B
14951 HREF="#DOMAINMASTER"
14962 > can guarantee becoming a domain master.</P
14964 >Use this option with caution, because if there are several
14965 hosts (whether Samba servers, Windows 95 or NT) that are preferred
14966 master browsers on the same subnet, they will each periodically
14967 and continuously attempt to become the local master browser.
14968 This will result in unnecessary broadcast traffic and reduced browsing
14984 >preferred master = auto</B
14989 NAME="PREFEREDMASTER"
14991 >>prefered master (G)</DT
14995 HREF="#PREFERREDMASTER"
14999 > preferred master</I
15002 > for people who cannot spell :-).</P
15008 >>preload (G)</DT
15011 >This is a list of services that you want to be
15012 automatically added to the browse lists. This is most useful
15013 for homes and printers services that would otherwise not be
15016 >Note that if you just want all printers in your
15017 printcap file loaded then the <A
15018 HREF="#LOADPRINTERS"
15025 > option is easier.</P
15031 >no preloaded services</I
15037 >preload = fred lp colorlp</B
15042 NAME="PRESERVECASE"
15044 >>preserve case (S)</DT
15047 > This controls if new filenames are created
15048 with the case that the client passes, or if they are forced to
15050 HREF="#DEFAULTCASE"
15062 >preserve case = yes</B
15065 >See the section on <A
15069 > for a fuller discussion.</P
15073 NAME="PRINTCOMMAND"
15075 >>print command (S)</DT
15078 >After a print job has finished spooling to
15079 a service, this command will be used via a <B
15083 call to process the spool file. Typically the command specified will
15084 submit the spool file to the host's printing subsystem, but there
15085 is no requirement that this be the case. The server will not remove
15086 the spool file, so whatever command you specify should remove the
15087 spool file when it has been processed, otherwise you will need to
15088 manually remove old spool files.</P
15090 >The print command is simply a text string. It will be used
15091 verbatim after macro substitutions have been made:</P
15093 >s, %p - the path to the spool
15096 >%p - the appropriate printer
15100 name as transmitted by the client.</P
15102 >%c - The number of printed pages
15103 of the spooled job (if known).</P
15105 >%z - the size of the spooled
15106 print job (in bytes)</P
15108 >The print command <SPAN
15115 one occurrence of <TT
15131 > is optional. At the time
15132 a job is submitted, if no printer name is supplied the <TT
15138 > will be silently removed from the printer command.</P
15140 >If specified in the [global] section, the print command given
15141 will be used for any printable service that does not have its own
15142 print command specified.</P
15144 >If there is neither a specified print command for a
15145 printable service nor a global print command, spool files will
15146 be created but not processed and (most importantly) not removed.</P
15148 >Note that printing may fail on some UNIXes from the
15152 > account. If this happens then create
15153 an alternative guest account that can print and set the <A
15154 HREF="#GUESTACCOUNT"
15162 in the [global] section.</P
15164 >You can form quite complex print commands by realizing
15165 that they are just passed to a shell. For example the following
15166 will log a print job, print the file, then remove it. Note that
15167 ';' is the usual separator for command in shell scripts.</P
15171 >print command = echo Printing %s >>
15172 /tmp/print.log; lpr -P %p %s; rm %s</B
15175 >You may have to vary this command considerably depending
15176 on how you normally print files on your system. The default for
15177 the parameter varies depending on the setting of the <A
15189 >printing = BSD, AIX, QNX, LPRNG
15195 >print command = lpr -r -P%p %s</B
15200 >printing = SYSV or HPUX :</B
15205 >print command = lp -c -d%p %s; rm %s</B
15210 >printing = SOFTQ :</B
15215 >print command = lp -d%p -s %s; rm %s</B
15218 >For printing = CUPS : If SAMBA is compiled against
15221 >printcap = cups</A
15223 uses the CUPS API to
15224 submit jobs, etc. Otherwise it maps to the System V
15225 commands with the -oraw option for printing, i.e. it
15228 >lp -c -d%p -oraw; rm %s</B
15232 >printing = cups</B
15234 and if SAMBA is compiled against libcups, any manually
15235 set print command will be ignored.</P
15239 >print command = /usr/local/samba/bin/myprintscript
15247 >>print ok (S)</DT
15264 >>printable (S)</DT
15267 >If this parameter is <TT
15271 clients may open, write to and submit spool files on the directory
15272 specified for the service. </P
15274 >Note that a printable service will ALWAYS allow writing
15275 to the service path (user privileges permitting) via the spooling
15276 of print data. The <A
15285 > parameter controls only non-printing access to
15297 >>printcap (G)</DT
15301 HREF="#PRINTCAPNAME"
15312 NAME="PRINTCAPNAME"
15314 >>printcap name (G)</DT
15317 >This parameter may be used to override the
15318 compiled-in default printcap name used by the server (usually <TT
15320 > /etc/printcap</TT
15321 >). See the discussion of the <A
15324 > section above for reasons
15325 why you might want to do this.</P
15327 >To use the CUPS printing interface set <B
15329 >printcap name = cups
15331 >. This should be supplemented by an addtional setting
15334 >printing = cups</A
15338 >printcap name = cups</B
15340 "dummy" printcap created by CUPS, as specified in your CUPS
15341 configuration file.
15344 >On System V systems that use <B
15348 list available printers you can use <B
15350 >printcap name = lpstat
15352 > to automatically obtain lists of available printers. This
15353 is the default for systems that define SYSV at configure time in
15354 Samba (this includes most System V based systems). If <TT
15363 these systems then Samba will launch <B
15367 attempt to parse the output to obtain a printer list.</P
15369 >A minimal printcap file would look something like this:</P
15372 CLASS="PROGRAMLISTING"
15373 >print1|My Printer 1
15374 print2|My Printer 2
15375 print3|My Printer 3
15376 print4|My Printer 4
15377 print5|My Printer 5</PRE
15380 >where the '|' separates aliases of a printer. The fact
15381 that the second alias has a space in it gives a hint to Samba
15382 that it's a comment.</P
15390 >: Under AIX the default printcap
15394 >. Samba will assume the
15398 > format if the string
15402 > appears in the printcap filename.</P
15406 >printcap name = /etc/printcap</B
15411 >printcap name = /etc/myprintcap</B
15416 NAME="PRINTERADMIN"
15418 >>printer admin (S)</DT
15421 >This is a list of users that can do anything to
15422 printers via the remote administration interfaces offered by MS-RPC
15423 (usually using a NT workstation). Note that the root user always
15424 has admin rights.</P
15428 >printer admin = <empty string></B
15434 >printer admin = admin, @staff</B
15439 NAME="PRINTERDRIVER"
15441 >>printer driver (S)</DT
15450 >This is a deprecated
15451 parameter and will be removed in the next major release
15452 following version 2.2. Please see the instructions in
15454 HREF="printing.html"
15456 >Samba 2.2. Printing
15458 > for more information
15459 on the new method of loading printer drivers onto a Samba server.
15462 >This option allows you to control the string
15463 that clients receive when they ask the server for the printer driver
15464 associated with a printer. If you are using Windows95 or Windows NT
15465 then you can use this to automate the setup of printers on your
15468 >You need to set this parameter to the exact string (case
15469 sensitive) that describes the appropriate printer driver for your
15470 system. If you don't know the exact string to use then you should
15471 first try with no <A
15472 HREF="#PRINTERDRIVER"
15476 > printer driver</I
15479 > option set and the client will
15480 give you a list of printer drivers. The appropriate strings are
15481 shown in a scroll box after you have chosen the printer manufacturer.</P
15484 HREF="#PRINTERDRIVERFILE"
15496 >printer driver = HP LaserJet 4L</B
15501 NAME="PRINTERDRIVERFILE"
15503 >>printer driver file (G)</DT
15512 >This is a deprecated
15513 parameter and will be removed in the next major release
15514 following version 2.2. Please see the instructions in
15516 HREF="printing.html"
15518 >Samba 2.2. Printing
15520 > for more information
15521 on the new method of loading printer drivers onto a Samba server.
15524 >This parameter tells Samba where the printer driver
15525 definition file, used when serving drivers to Windows 95 clients, is
15526 to be found. If this is not set, the default is :</P
15531 CLASS="REPLACEABLE"
15533 >SAMBA_INSTALL_DIRECTORY</I
15536 /lib/printers.def</TT
15539 >This file is created from Windows 95 <TT
15543 > files found on the Windows 95 client system. For more
15544 details on setting up serving of printer drivers to Windows 95
15545 clients, see the outdated documentation file in the <TT
15551 >PRINTER_DRIVER.txt</TT
15555 HREF="#PRINTERDRIVERLOCATION"
15559 > printer driver location</I
15568 >None (set in compile).</I
15574 >printer driver file =
15575 /usr/local/samba/printers/drivers.def</B
15580 NAME="PRINTERDRIVERLOCATION"
15582 >>printer driver location (S)</DT
15591 >This is a deprecated
15592 parameter and will be removed in the next major release
15593 following version 2.2. Please see the instructions in
15595 HREF="printing.html"
15597 >Samba 2.2. Printing
15599 > for more information
15600 on the new method of loading printer drivers onto a Samba server.
15603 >This parameter tells clients of a particular printer
15604 share where to find the printer driver files for the automatic
15605 installation of drivers for Windows 95 machines. If Samba is set up
15606 to serve printer drivers to Windows 95 machines, this should be set to</P
15610 >\\MACHINE\PRINTER$</B
15613 >Where MACHINE is the NetBIOS name of your Samba server,
15614 and PRINTER$ is a share you set up for serving printer driver
15615 files. For more details on setting this up see the outdated documentation
15621 > PRINTER_DRIVER.txt</TT
15625 HREF="#PRINTERDRIVERFILE"
15629 > printer driver file</I
15641 >printer driver location = \\MACHINE\PRINTER$
15649 >>printer name (S)</DT
15652 >This parameter specifies the name of the printer
15653 to which print jobs spooled through a printable service will be sent.</P
15655 >If specified in the [global] section, the printer
15656 name given will be used for any printable service that does
15657 not have its own printer name specified.</P
15663 >none (but may be <TT
15667 on many systems)</I
15673 >printer name = laserwriter</B
15680 >>printer (S)</DT
15684 HREF="#PRINTERNAME"
15697 >>printing (S)</DT
15700 >This parameters controls how printer status
15701 information is interpreted on your system. It also affects the
15702 default values for the <TT
15722 >lpresume command</I
15730 > if specified in the
15731 [global] section.</P
15733 >Currently nine printing styles are supported. They are
15767 >To see what the defaults are for the other print
15768 commands when using the various options use the <A
15769 HREF="testparm.1.html"
15774 >This option can be set on a per printer basis</P
15776 >See also the discussion in the <A
15785 >>private dir (G)</DT
15788 >This parameters defines the directory
15789 smbd will use for storing such files as <TT
15801 >private dir = ${prefix}/private</B
15808 >>protocol (G)</DT
15812 HREF="#MAXPROTOCOL"
15825 >>public (S)</DT
15841 NAME="QUEUEPAUSECOMMAND"
15843 >>queuepause command (S)</DT
15846 >This parameter specifies the command to be
15847 executed on the server host in order to pause the printer queue.</P
15849 >This command should be a program or script which takes
15850 a printer name as its only parameter and stops the printer queue,
15851 such that no longer jobs are submitted to the printer.</P
15853 >This command is not supported by Windows for Workgroups,
15854 but can be issued from the Printers window under Windows 95
15862 > is given then the printer name
15863 is put in its place. Otherwise it is placed at the end of the command.
15866 >Note that it is good practice to include the absolute
15867 path in the command as the PATH may not be available to the
15874 >depends on the setting of <TT
15886 >queuepause command = disable %p</B
15891 NAME="QUEUERESUMECOMMAND"
15893 >>queueresume command (S)</DT
15896 >This parameter specifies the command to be
15897 executed on the server host in order to resume the printer queue. It
15898 is the command to undo the behavior that is caused by the
15899 previous parameter (<A
15900 HREF="#QUEUEPAUSECOMMAND"
15904 > queuepause command</I
15909 >This command should be a program or script which takes
15910 a printer name as its only parameter and resumes the printer queue,
15911 such that queued jobs are resubmitted to the printer.</P
15913 >This command is not supported by Windows for Workgroups,
15914 but can be issued from the Printers window under Windows 95
15922 > is given then the printer name
15923 is put in its place. Otherwise it is placed at the end of the
15926 >Note that it is good practice to include the absolute
15927 path in the command as the PATH may not be available to the
15934 >depends on the setting of <A
15949 >queuepause command = enable %p
15957 >>read bmpx (G)</DT
15960 >This boolean parameter controls whether <A
15964 > will support the "Read
15965 Block Multiplex" SMB. This is now rarely used and defaults to
15969 >. You should never need to set this
15981 >>read list (S)</DT
15984 >This is a list of users that are given read-only
15985 access to a service. If the connecting user is in this list then
15986 they will not be given write access, no matter what the <A
15995 option is set to. The list can include group names using the
15996 syntax described in the <A
15997 HREF="#INVALIDUSERS"
16014 > parameter and the <A
16015 HREF="#INVALIDUSERS"
16027 >read list = <empty string></B
16032 >read list = mary, @students</B
16039 >>read only (S)</DT
16042 >An inverted synonym is <A
16052 >If this parameter is <TT
16056 of a service may not create or modify files in the service's
16059 >Note that a printable service (<B
16061 >printable = yes</B
16069 > allow writing to the directory
16070 (user privileges permitting), but only via spooling operations.</P
16074 >read only = yes</B
16081 >>read raw (G)</DT
16084 >This parameter controls whether or not the server
16085 will support the raw read SMB requests when transferring data
16088 >If enabled, raw reads allow reads of 65535 bytes in
16089 one packet. This typically provides a major performance benefit.
16092 >However, some clients either negotiate the allowable
16093 block size incorrectly or are incapable of supporting larger block
16094 sizes, and for these clients you may need to disable raw reads.</P
16096 >In general this parameter should be viewed as a system tuning
16097 tool and left severely alone. See also <A
16116 >>read size (G)</DT
16125 affects the overlap of disk reads/writes with network reads/writes.
16126 If the amount of data being transferred in several of the SMB
16127 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
16128 than this value then the server begins writing the data before it
16129 has received the whole packet from the network, or in the case of
16130 SMBreadbraw, it begins writing to the network before all the data
16131 has been read from disk.</P
16133 >This overlapping works best when the speeds of disk and
16134 network access are similar, having very little effect when the
16135 speed of one is much greater than the other.</P
16137 >The default value is 16384, but very little experimentation
16138 has been done yet to determine the optimal value, and it is likely
16139 that the best value will vary greatly between systems anyway.
16140 A value over 65536 is pointless and will cause you to allocate
16141 memory unnecessarily.</P
16145 >read size = 16384</B
16150 >read size = 8192</B
16157 >>realm (G)</DT
16160 > This option specifies the kerberos realm to use. The realm is
16161 used as the ADS equivalent of the NT4<B
16165 is usually set to the DNS name of the kerberos server.
16175 >realm = mysambabox.mycompany.com</B
16180 NAME="REMOTEANNOUNCE"
16182 >>remote announce (G)</DT
16185 >This option allows you to setup <A
16189 > to periodically announce itself
16190 to arbitrary IP addresses with an arbitrary workgroup name.</P
16192 >This is useful if you want your Samba server to appear
16193 in a remote workgroup for which the normal browse propagation
16194 rules don't work. The remote workgroup can be anywhere that you
16195 can send IP packets to.</P
16201 >remote announce = 192.168.2.255/SERVERS
16202 192.168.4.255/STAFF</B
16205 >the above line would cause <B
16208 > to announce itself
16209 to the two given IP addresses using the given workgroup names.
16210 If you leave out the workgroup name then the one given in
16220 parameter is used instead.</P
16222 >The IP addresses you choose would normally be the broadcast
16223 addresses of the remote networks, but can also be the IP addresses
16224 of known browse masters if your network config is that stable.</P
16226 >See the documentation file <A
16227 HREF="improved-browsing.html"
16238 >remote announce = <empty string>
16244 NAME="REMOTEBROWSESYNC"
16246 >>remote browse sync (G)</DT
16249 >This option allows you to setup <A
16253 > to periodically request
16254 synchronization of browse lists with the master browser of a Samba
16255 server that is on a remote segment. This option will allow you to
16256 gain browse lists for multiple workgroups across routed networks. This
16257 is done in a manner that does not work with any non-Samba servers.</P
16259 >This is useful if you want your Samba server and all local
16260 clients to appear in a remote workgroup for which the normal browse
16261 propagation rules don't work. The remote workgroup can be anywhere
16262 that you can send IP packets to.</P
16268 >remote browse sync = 192.168.2.255 192.168.4.255
16272 >the above line would cause <B
16276 the master browser on the specified subnets or addresses to
16277 synchronize their browse lists with the local server.</P
16279 >The IP addresses you choose would normally be the broadcast
16280 addresses of the remote networks, but can also be the IP addresses
16281 of known browse masters if your network config is that stable. If
16282 a machine IP address is given Samba makes NO attempt to validate
16283 that the remote machine is available, is listening, nor that it
16284 is in fact the browse master on its segment.</P
16288 >remote browse sync = <empty string>
16294 NAME="RESTRICTANONYMOUS"
16296 >>restrict anonymous (G)</DT
16299 >This is a integer parameter, and
16300 mirrors as much as possible the functinality the
16303 >RestrictAnonymous</TT
16305 registry key does on NT/Win2k. </P
16309 >restrict anonymous = 0</B
16320 HREF="#ROOTDIRECTORY"
16324 >root directory"</I
16333 >>root dir (G)</DT
16337 HREF="#ROOTDIRECTORY"
16341 >root directory"</I
16348 NAME="ROOTDIRECTORY"
16350 >>root directory (G)</DT
16353 >The server will <B
16357 Change its root directory) to this directory on startup. This is
16358 not strictly necessary for secure operation. Even without it the
16359 server will deny access to files not in one of the service entries.
16360 It may also check for, and deny access to, soft links to other
16361 parts of the filesystem, or attempts to use ".." in file names
16362 to access other directories (depending on the setting of the <A
16379 than "/" adds an extra level of security, but at a price. It
16380 absolutely ensures that no access is given to files not in the
16381 sub-tree specified in the <TT
16393 > some files needed for
16394 complete operation of the server. To maintain full operability
16395 of the server you will need to mirror some system files
16401 > tree. In particular
16402 you will need to mirror <TT
16406 subset of it), and any binaries or configuration files needed for
16407 printing (if required). The set of files that must be mirrored is
16408 operating system dependent.</P
16412 >root directory = /</B
16417 >root directory = /homes/smb</B
16422 NAME="ROOTPOSTEXEC"
16424 >>root postexec (S)</DT
16427 >This is the same as the <TT
16433 parameter except that the command is run as root. This
16434 is useful for unmounting filesystems
16435 (such as CDROMs) after a connection is closed.</P
16449 >root postexec = <empty string>
16457 >>root preexec (S)</DT
16460 >This is the same as the <TT
16466 parameter except that the command is run as root. This
16467 is useful for mounting filesystems (such as CDROMs) when a
16468 connection is opened.</P
16479 HREF="#PREEXECCLOSE"
16490 >root preexec = <empty string>
16496 NAME="ROOTPREEXECCLOSE"
16498 >>root preexec close (S)</DT
16501 >This is the same as the <TT
16507 > parameter except that the command is run as root.</P
16518 HREF="#PREEXECCLOSE"
16529 >root preexec close = no</B
16536 >>security (G)</DT
16539 >This option affects how clients respond to
16540 Samba and is one of the most important settings in the <TT
16545 >The option sets the "security mode bit" in replies to
16546 protocol negotiations with <SPAN
16547 CLASS="CITEREFENTRY"
16549 CLASS="REFENTRYTITLE"
16552 > to turn share level security on or off. Clients decide
16553 based on this bit whether (and how) to transfer user and password
16554 information to the server.</P
16558 >security = user</B
16560 the most common setting needed when talking to Windows 98 and
16563 >The alternatives are <B
16565 >security = share</B
16569 >security = server</B
16576 >In versions of Samba prior to 2.0.0, the default was
16579 >security = share</B
16580 > mainly because that was
16581 the only option at one stage.</P
16583 >There is a bug in WfWg that has relevance to this
16584 setting. When in user or server level security a WfWg client
16585 will totally ignore the password you type in the "connect
16586 drive" dialog box. This makes it very difficult (if not impossible)
16587 to connect to a Samba service as anyone except the user that
16588 you are logged into WfWg as.</P
16590 >If your PCs use usernames that are the same as their
16591 usernames on the UNIX machine then you will want to use
16594 >security = user</B
16595 >. If you mostly use usernames
16596 that don't exist on the UNIX box then use <B
16602 >You should also use <B
16604 >security = share</B
16606 want to mainly setup shares without a password (guest shares). This
16607 is commonly used for a shared printer server. It is more difficult
16608 to setup guest shares with <B
16610 >security = user</B
16621 >parameter for details.</P
16623 >It is possible to use <B
16632 > where it is offers both user and share
16633 level security under different <A
16634 HREF="#NETBIOSALIASES"
16638 >NetBIOS aliases</I
16643 >The different settings will now be explained.</P
16646 NAME="SECURITYEQUALSSHARE"
16657 >When clients connect to a share level security server they
16658 need not log onto the server with a valid username and password before
16659 attempting to connect to a shared resource (although modern clients
16660 such as Windows 95/98 and Windows NT will send a logon request with
16661 a username but no password when talking to a <B
16665 > server). Instead, the clients send authentication information
16666 (passwords) on a per-share basis, at the time they attempt to connect
16679 uses a valid UNIX user to act on behalf of the client, even in
16682 >security = share</B
16683 > level security.</P
16685 >As clients are not required to send a username to the server
16686 in share level security, <B
16690 techniques to determine the correct UNIX user to use on behalf
16693 >A list of possible UNIX usernames to match with the given
16694 client password is constructed using the following methods :</P
16709 > parameter is set, then all the other
16710 stages are missed and only the <A
16711 HREF="#GUESTACCOUNT"
16718 > username is checked.
16723 >Is a username is sent with the share connection
16724 request, then this username (after mapping - see <A
16725 HREF="#USERNAMEMAP"
16733 is added as a potential username.</P
16737 >If the client did a previous <SPAN
16744 > request (the SessionSetup SMB call) then the
16745 username sent in this SMB will be added as a potential username.
16750 >The name of the service the client requested is
16751 added as a potential username.</P
16755 >The NetBIOS name of the client is added to
16756 the list as a potential username.</P
16760 >Any users on the <A
16768 > list are added as potential usernames.
16779 not set, then this list is then tried with the supplied password.
16780 The first user for whom the password matches will be used as the
16789 set, or no username can be determined then if the share is marked
16790 as available to the <TT
16796 guest user will be used, otherwise access is denied.</P
16798 >Note that it can be <SPAN
16805 in share-level security as to which UNIX username will eventually
16806 be used in granting access.</P
16808 >See also the section <A
16810 > NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
16814 NAME="SECURITYEQUALSUSER"
16825 >This is the default security setting in Samba 3.0.
16826 With user-level security a client must first "log-on" with a
16827 valid username and password (which can be mapped using the <A
16828 HREF="#USERNAMEMAP"
16836 parameter). Encrypted passwords (see the <A
16837 HREF="#ENCRYPTPASSWORDS"
16841 >encrypted passwords</I
16844 > parameter) can also
16845 be used in this security mode. Parameters such as <A
16861 > if set are then applied and
16862 may change the UNIX user to use on this connection, but only after
16863 the user has been successfully authenticated.</P
16871 > that the name of the resource being
16878 > sent to the server until after
16879 the server has successfully authenticated the client. This is why
16880 guest shares don't work in user level security without allowing
16881 the server to automatically map unknown users into the <A
16882 HREF="#GUESTACCOUNT"
16899 > parameter for details on doing this.</P
16901 >See also the section <A
16903 > NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
16907 NAME="SECURITYEQUALSDOMAIN"
16919 >This mode will only work correctly if <SPAN
16920 CLASS="CITEREFENTRY"
16922 CLASS="REFENTRYTITLE"
16925 > has been used to add this
16926 machine into a Windows NT Domain. It expects the <A
16927 HREF="#ENCRYPTPASSWORDS"
16931 >encrypted passwords</I
16935 > parameter to be set to <TT
16939 mode Samba will try to validate the username/password by passing
16940 it to a Windows NT Primary or Backup Domain Controller, in exactly
16941 the same way that a Windows NT Server would do.</P
16949 > that a valid UNIX user must still
16950 exist as well as the account on the Domain Controller to allow
16951 Samba to have a valid UNIX account to map file access to.</P
16959 > that from the client's point
16962 >security = domain</B
16963 > is the same as <B
16967 >. It only affects how the server deals with the authentication,
16968 it does not in any way affect what the client sees.</P
16976 > that the name of the resource being
16983 > sent to the server until after
16984 the server has successfully authenticated the client. This is why
16985 guest shares don't work in user level security without allowing
16986 the server to automatically map unknown users into the <A
16987 HREF="#GUESTACCOUNT"
17004 > parameter for details on doing this.</P
17006 >See also the section <A
17008 > NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
17012 HREF="#PASSWORDSERVER"
17020 > parameter and the <A
17021 HREF="#ENCRYPTPASSWORDS"
17025 >encrypted passwords</I
17032 NAME="SECURITYEQUALSSERVER"
17043 >In this mode Samba will try to validate the username/password
17044 by passing it to another SMB server, such as an NT box. If this
17045 fails it will revert to <B
17049 >. It expects the <A
17050 HREF="#ENCRYPTPASSWORDS"
17054 >encrypted passwords</I
17058 > parameter to be set to
17062 >, unless the remote server
17063 does not support them. However note
17064 that if encrypted passwords have been negotiated then Samba cannot
17065 revert back to checking the UNIX password file, it must have a valid
17069 > file to check users against. See the
17070 documentation file in the <TT
17076 >ENCRYPTION.txt</TT
17077 > for details on how to set this
17086 > this mode of operation
17087 has significant pitfalls, due to the fact that is
17088 activly initiates a man-in-the-middle attack on the
17089 remote SMB server. In particular, this mode of
17090 operation can cause significant resource consuption on
17091 the PDC, as it must maintain an active connection for
17092 the duration of the user's session. Furthermore, if
17093 this connection is lost, there is no way to
17094 reestablish it, and futher authenticaions to the Samba
17095 server may fail. (From a single client, till it
17104 > that from the client's point of
17107 >security = server</B
17108 > is the same as <B
17110 > security = user</B
17111 >. It only affects how the server deals
17112 with the authentication, it does not in any way affect what the
17121 > that the name of the resource being
17128 > sent to the server until after
17129 the server has successfully authenticated the client. This is why
17130 guest shares don't work in user level security without allowing
17131 the server to automatically map unknown users into the <A
17132 HREF="#GUESTACCOUNT"
17149 > parameter for details on doing this.</P
17151 >See also the section <A
17153 > NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
17157 HREF="#PASSWORDSERVER"
17165 > parameter and the <A
17166 HREF="#ENCRYPTPASSWORDS"
17170 >encrypted passwords</I
17178 >security = USER</B
17183 >security = DOMAIN</B
17188 NAME="SECURITYMASK"
17190 >>security mask (S)</DT
17193 >This parameter controls what UNIX permission
17194 bits can be modified when a Windows NT client is manipulating
17195 the UNIX permission on a file using the native NT security
17198 >This parameter is applied as a mask (AND'ed with) to
17199 the changed permission bits, thus preventing any bits not in
17200 this mask from being modified. Essentially, zero bits in this
17201 mask may be treated as a set of bits the user is not allowed
17204 >If not set explicitly this parameter is 0777, allowing
17205 a user to modify all the user/group/world permissions on a file.
17214 > that users who can access the
17215 Samba server through other means can easily bypass this
17216 restriction, so it is primarily useful for standalone
17217 "appliance" systems. Administrators of most normal systems will
17218 probably want to leave it set to <TT
17224 HREF="#FORCEDIRECTORYSECURITYMODE"
17228 >force directory security mode</I
17233 HREF="#DIRECTORYSECURITYMASK"
17242 HREF="#FORCESECURITYMODE"
17246 >force security mode</I
17253 >security mask = 0777</B
17258 >security mask = 0770</B
17263 NAME="SERVERSTRING"
17265 >>server string (G)</DT
17268 >This controls what string will show up in the
17269 printer comment box in print manager and next to the IPC connection
17273 >. It can be any string that you wish
17274 to show to your users.</P
17276 >It also sets what will appear in browse lists next
17277 to the machine name.</P
17284 > will be replaced with the Samba
17292 > will be replaced with the
17297 >server string = Samba %v</B
17302 >server string = University of GNUs Samba
17308 NAME="SETDIRECTORY"
17310 >>set directory (S)</DT
17315 >set directory = no</B
17317 users of the service may not use the setdir command to change
17323 > command is only implemented
17324 in the Digital Pathworks client. See the Pathworks documentation
17329 >set directory = no</B
17336 >>share modes (S)</DT
17339 >This enables or disables the honoring of
17345 > during a file open. These
17346 modes are used by clients to gain exclusive read or write access
17349 >These open modes are not directly supported by UNIX, so
17350 they are simulated using shared memory, or lock files if your
17351 UNIX doesn't support shared memory (almost all do).</P
17353 >The share modes that are enabled by this option are
17377 >This option gives full share compatibility and enabled
17386 > turn this parameter
17387 off as many Windows applications will break if you do so.</P
17391 >share modes = yes</B
17396 NAME="SHORTPRESERVECASE"
17398 >>short preserve case (S)</DT
17401 >This boolean parameter controls if new files
17402 which conform to 8.3 syntax, that is all in upper case and of
17403 suitable length, are created upper case, or if they are forced
17405 HREF="#DEFAULTCASE"
17413 >. This option can be use with <A
17414 HREF="#PRESERVECASE"
17417 >preserve case = yes</B
17420 > to permit long filenames to retain their case, while short
17421 names are lowered. </P
17423 >See the section on <A
17430 >short preserve case = yes</B
17435 NAME="SHOWADDPRINTERWIZARD"
17437 >>show add printer wizard (G)</DT
17440 >With the introduction of MS-RPC based printing support
17441 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
17442 appear on Samba hosts in the share listing. Normally this folder will
17443 contain an icon for the MS Add Printer Wizard (APW). However, it is
17444 possible to disable this feature regardless of the level of privilege
17445 of the connected user.</P
17447 >Under normal circumstances, the Windows NT/2000 client will
17448 open a handle on the printer server with OpenPrinterEx() asking for
17449 Administrator privileges. If the user does not have administrative
17450 access on the print server (i.e is not root or a member of the
17456 > group), the OpenPrinterEx()
17457 call fails and the client makes another open call with a request for
17458 a lower privilege level. This should succeed, however the APW
17459 icon will not be displayed.</P
17464 >show add printer wizard</I
17467 parameter will always cause the OpenPrinterEx() on the server
17468 to fail. Thus the APW icon will never be displayed. <SPAN
17474 >This does not prevent the same user from having
17475 administrative privilege on an individual printer.</P
17478 HREF="#ADDPRINTERCOMMAND"
17487 HREF="#DELETEPRINTERCOMMAND"
17491 >deleteprinter command</I
17495 HREF="#PRINTERADMIN"
17506 >show add printer wizard = yes</B
17511 NAME="SHUTDOWNSCRIPT"
17513 >>shutdown script (G)</DT
17520 >This parameter only exists in the HEAD cvs branch</I
17523 This a full path name to a script called by
17532 should start a shutdown procedure.</P
17534 >This command will be run as the user connected to the
17537 >%m %t %r %f parameters are expanded</P
17544 > will be substituted with the
17545 shutdown message sent to the server.</P
17552 > will be substituted with the
17553 number of seconds to wait before effectively starting the
17554 shutdown procedure.</P
17561 > will be substituted with the
17568 >. It means reboot after shutdown
17577 > will be substituted with the
17584 >. It means force the shutdown
17585 even if applications do not respond for NT.</P
17597 >abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</B
17600 >Shutdown script example:
17602 CLASS="PROGRAMLISTING"
17609 /sbin/shutdown $3 $4 +$time $1 &</PRE
17611 Shutdown does not return so we need to launch it in background.
17615 HREF="#ABORTSHUTDOWNSCRIPT"
17619 >abort shutdown script</I
17626 NAME="SMBPASSWDFILE"
17628 >>smb passwd file (G)</DT
17631 >This option sets the path to the encrypted
17632 smbpasswd file. By default the path to the smbpasswd file
17633 is compiled into Samba.</P
17637 >smb passwd file = ${prefix}/private/smbpasswd
17643 >smb passwd file = /etc/samba/smbpasswd
17651 >>smb ports (G)</DT
17654 >Specifies which ports the server should listen on
17660 >smb ports = 445 139</B
17665 NAME="SOCKETADDRESS"
17667 >>socket address (G)</DT
17670 >This option allows you to control what
17671 address Samba will listen for connections on. This is used to
17672 support multiple virtual interfaces on the one server, each
17673 with a different configuration.</P
17675 >By default Samba will accept connections on any
17680 >socket address = 192.168.2.20</B
17686 NAME="SOCKETOPTIONS"
17688 >>socket options (G)</DT
17691 >This option allows you to set socket options
17692 to be used when talking with the client.</P
17694 >Socket options are controls on the networking layer
17695 of the operating systems which allow the connection to be
17698 >This option will typically be used to tune your Samba
17699 server for optimal performance for your local network. There is
17700 no way that Samba can know what the optimal parameters are for
17701 your net, so you must experiment and choose them yourself. We
17702 strongly suggest you read the appropriate documentation for your
17703 operating system first (perhaps <B
17709 >You may find that on some systems Samba will say
17710 "Unknown socket option" when you supply an option. This means you
17711 either incorrectly typed it or you need to add an include file
17712 to includes.h for your OS. If the latter is the case please
17713 send the patch to <A
17714 HREF="mailto:samba@samba.org"
17716 > samba@samba.org</A
17719 >Any of the supported socket options may be combined
17720 in any way you like, as long as your OS allows it.</P
17722 >This is the list of socket options currently settable
17723 using this option:</P
17749 >IPTOS_THROUGHPUT</P
17769 >Those marked with a <SPAN
17776 argument. The others can optionally take a 1 or 0 argument to enable
17777 or disable the option, by default they will be enabled if you
17778 don't specify 1 or 0.</P
17780 >To specify an argument use the syntax SOME_OPTION = VALUE
17783 >SO_SNDBUF = 8192</B
17784 >. Note that you must
17785 not have any spaces before or after the = sign.</P
17787 >If you are on a local network then a sensible option
17792 >socket options = IPTOS_LOWDELAY</B
17795 >If you have a local network then you could try:</P
17799 >socket options = IPTOS_LOWDELAY TCP_NODELAY</B
17802 >If you are on a wide area network then perhaps try
17803 setting IPTOS_THROUGHPUT. </P
17805 >Note that several of the options may cause your Samba
17806 server to fail completely. Use these options with caution!</P
17810 >socket options = TCP_NODELAY</B
17815 >socket options = IPTOS_LOWDELAY</B
17820 NAME="SOURCEENVIRONMENT"
17822 >>source environment (G)</DT
17825 >This parameter causes Samba to set environment
17826 variables as per the content of the file named.</P
17828 >If the value of this parameter starts with a "|" character
17829 then Samba will treat that value as a pipe command to open and
17830 will set the environment variables from the output of the pipe.</P
17832 >The contents of the file or the output of the pipe should
17833 be formatted as the output of the standard Unix <B
17837 > command. This is of the form :</P
17839 >Example environment entry:</P
17843 >SAMBA_NETBIOS_NAME = myhostname</B
17850 >No default value</I
17856 >source environment = |/etc/smb.conf.sh
17862 >source environment =
17863 /usr/local/smb_env_vars</B
17870 >>use spnego (G)</DT
17873 > This variable controls controls whether samba will try
17874 to use Simple and Protected NEGOciation (as specified by rfc2478) with
17875 WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism.
17876 Unless further issues are discovered with our SPNEGO
17877 implementation, there is no reason this should ever be
17884 >use spnego = yes</I
17892 >>stat cache (G)</DT
17895 >This parameter determines if <SPAN
17896 CLASS="CITEREFENTRY"
17898 CLASS="REFENTRYTITLE"
17901 > will use a cache in order to
17902 speed up case insensitive name mappings. You should never need
17903 to change this parameter.</P
17907 >stat cache = yes</B
17912 NAME="STATCACHESIZE"
17914 >>stat cache size (G)</DT
17917 >This parameter determines the number of
17924 never need to change this parameter.</P
17928 >stat cache size = 50</B
17933 NAME="STRICTALLOCATE"
17935 >>strict allocate (S)</DT
17938 >This is a boolean that controls the handling of
17939 disk space allocation in the server. When this is set to <TT
17943 the server will change from UNIX behaviour of not committing real
17944 disk storage blocks when a file is extended to the Windows behaviour
17945 of actually forcing the disk system to allocate real storage blocks
17946 when a file is created or extended to be a given size. In UNIX
17947 terminology this means that Samba will stop creating sparse files.
17948 This can be slow on some systems.</P
17950 >When strict allocate is <TT
17953 > the server does sparse
17954 disk block allocation when a file is extended.</P
17956 >Setting this to <TT
17959 > can help Samba return
17960 out of quota messages on systems that are restricting the disk quota
17965 >strict allocate = no</B
17970 NAME="STRICTLOCKING"
17972 >>strict locking (S)</DT
17975 >This is a boolean that controls the handling of
17976 file locking in the server. When this is set to <TT
17980 the server will check every read and write access for file locks, and
17981 deny access if locks exist. This can be slow on some systems.</P
17983 >When strict locking is <TT
17986 > the server does file
17987 lock checks only when the client explicitly asks for them.</P
17989 >Well-behaved clients always ask for lock checks when it
17990 is important, so in the vast majority of cases <B
17994 > is preferable.</P
17998 >strict locking = no</B
18005 >>strict sync (S)</DT
18008 >Many Windows applications (including the Windows
18009 98 explorer shell) seem to confuse flushing buffer contents to
18010 disk with doing a sync to disk. Under UNIX, a sync call forces
18011 the process to be suspended until the kernel has ensured that
18012 all outstanding data in kernel disk buffers has been safely stored
18013 onto stable storage. This is very slow and should only be done
18014 rarely. Setting this parameter to <TT
18018 default) means that <SPAN
18019 CLASS="CITEREFENTRY"
18021 CLASS="REFENTRYTITLE"
18024 > ignores the Windows applications requests for
18025 a sync call. There is only a possibility of losing data if the
18026 operating system itself that Samba is running on crashes, so there is
18027 little danger in this default setting. In addition, this fixes many
18028 performance problems that people have reported with the new Windows98
18029 explorer shell file copies.</P
18044 >strict sync = no</B
18051 >>strip dot (G)</DT
18054 >This is a boolean that controls whether to
18055 strip trailing dots off UNIX filenames. This helps with some
18056 CDROMs that have filenames ending in a single dot.</P
18067 >>sync always (S)</DT
18070 >This is a boolean parameter that controls
18071 whether writes will always be written to stable storage before
18072 the write call returns. If this is <TT
18075 > then the server will be
18076 guided by the client's request in each write call (clients can
18077 set a bit indicating that a particular write should be synchronous).
18081 > then every write will be followed by a <B
18085 > call to ensure the data is written to disk. Note that
18091 > parameter must be set to
18095 > in order for this parameter to have
18111 >sync always = no</B
18118 >>syslog (G)</DT
18121 >This parameter maps how Samba debug messages
18122 are logged onto the system syslog logging levels. Samba debug
18123 level zero maps onto syslog <TT
18127 level one maps onto <TT
18134 >, debug level three
18135 maps onto LOG_INFO. All higher levels are mapped to <TT
18140 >This parameter sets the threshold for sending messages
18141 to syslog. Only messages with debug level less than this value
18142 will be sent to syslog.</P
18153 >>syslog only (G)</DT
18156 >If this parameter is set then Samba debug
18157 messages are logged into the system syslog only, and not to
18158 the debug log files.</P
18162 >syslog only = no</B
18167 NAME="TEMPLATEHOMEDIR"
18169 >>template homedir (G)</DT
18172 >When filling out the user information for a Windows NT
18174 HREF="winbindd.8.html"
18178 uses this parameter to fill in the home directory for that user.
18184 > is present it is substituted
18185 with the user's Windows NT domain name. If the string <TT
18191 > is present it is substituted with the user's Windows
18196 >template homedir = /home/%D/%U</B
18201 NAME="TEMPLATESHELL"
18203 >>template shell (G)</DT
18206 >When filling out the user information for a Windows NT
18208 CLASS="CITEREFENTRY"
18210 CLASS="REFENTRYTITLE"
18214 uses this parameter to fill in the login shell for that user.</P
18218 >template shell = /bin/false</B
18225 >>time offset (G)</DT
18228 >This parameter is a setting in minutes to add
18229 to the normal GMT to local time conversion. This is useful if
18230 you are serving a lot of PCs that have incorrect daylight
18231 saving time handling.</P
18235 >time offset = 0</B
18240 >time offset = 60</B
18247 >>time server (G)</DT
18250 >This parameter determines if <SPAN
18251 CLASS="CITEREFENTRY"
18253 CLASS="REFENTRYTITLE"
18256 > advertises itself as a time server to Windows
18261 >time server = no</B
18266 NAME="TIMESTAMPLOGS"
18268 >>timestamp logs (G)</DT
18272 HREF="#DEBUGTIMESTAMP"
18276 > debug timestamp</I
18283 NAME="TOTALPRINTJOBS"
18285 >>total print jobs (G)</DT
18288 >This parameter accepts an integer value which defines
18289 a limit on the maximum number of print jobs that will be accepted
18290 system wide at any given time. If a print job is submitted
18291 by a client which will exceed this number, then <SPAN
18292 CLASS="CITEREFENTRY"
18294 CLASS="REFENTRYTITLE"
18298 error indicating that no space is available on the server. The
18299 default value of 0 means that no such limit exists. This parameter
18300 can be used to prevent a server from exceeding its capacity and is
18301 designed as a printing throttle. See also
18303 HREF="#MAXPRINTJOBS"
18315 >total print jobs = 0</B
18320 >total print jobs = 5000</B
18327 >>unicode (G)</DT
18330 >Specifies whether Samba should try
18331 to use unicode on the wire by default. Note: This does NOT
18332 mean that samba will assume that the unix machine uses unicode!
18344 >>unix charset (G)</DT
18347 >Specifies the charset the unix machine
18348 Samba runs on uses. Samba needs to know this in order to be able to
18349 convert text to the charsets other SMB clients use.
18354 >unix charset = UTF8</B
18359 >unix charset = ASCII</B
18364 NAME="UNIXEXTENSIONS"
18366 >>unix extensions(G)</DT
18369 >This boolean parameter controls whether Samba
18370 implments the CIFS UNIX extensions, as defined by HP.
18371 These extensions enable Samba to better serve UNIX CIFS clients
18372 by supporting features such as symbolic links, hard links, etc...
18373 These extensions require a similarly enabled client, and are of
18374 no current use to Windows clients.</P
18378 >unix extensions = no</B
18383 NAME="UNIXPASSWORDSYNC"
18385 >>unix password sync (G)</DT
18388 >This boolean parameter controls whether Samba
18389 attempts to synchronize the UNIX password with the SMB password
18390 when the encrypted SMB password in the smbpasswd file is changed.
18391 If this is set to <TT
18394 > the program specified in the <TT
18400 >parameter is called <SPAN
18407 to allow the new UNIX password to be set without access to the
18408 old UNIX password (as the SMB password change code has no
18409 access to the old password cleartext, only the new).</P
18412 HREF="#PASSWDPROGRAM"
18432 >unix password sync = no</B
18437 NAME="UPDATEENCRYPTED"
18439 >>update encrypted (G)</DT
18442 >This boolean parameter allows a user logging
18443 on with a plaintext password to have their encrypted (hashed)
18444 password in the smbpasswd file to be updated automatically as
18445 they log on. This option allows a site to migrate from plaintext
18446 password authentication (users authenticate with plaintext
18447 password over the wire, and are checked against a UNIX account
18448 database) to encrypted password authentication (the SMB
18449 challenge/response authentication mechanism) without forcing
18450 all users to re-enter their passwords via smbpasswd at the time the
18451 change is made. This is a convenience option to allow the change over
18452 to encrypted passwords to be made over a longer period. Once all users
18453 have encrypted representations of their passwords in the smbpasswd
18454 file this parameter should be set to <TT
18459 >In order for this parameter to work correctly the <A
18460 HREF="#ENCRYPTPASSWORDS"
18464 >encrypt passwords</I
18468 > parameter must be set to <TT
18472 this parameter is set to <TT
18477 >Note that even when this parameter is set a user
18478 authenticating to <B
18481 > must still enter a valid
18482 password in order to connect correctly, and to update their hashed
18483 (smbpasswd) passwords.</P
18487 >update encrypted = no</B
18492 NAME="USECLIENTDRIVER"
18494 >>use client driver (S)</DT
18497 >This parameter applies only to Windows NT/2000
18498 clients. It has no affect on Windows 95/98/ME clients. When
18499 serving a printer to Windows NT/2000 clients without first installing
18500 a valid printer driver on the Samba host, the client will be required
18501 to install a local printer driver. From this point on, the client
18502 will treat the print as a local printer and not a network printer
18503 connection. This is much the same behavior that will occur
18506 >disable spoolss = yes</B
18509 >The differentiating
18510 factor is that under normal circumstances, the NT/2000 client will
18511 attempt to open the network printer using MS-RPC. The problem is that
18512 because the client considers the printer to be local, it will attempt
18513 to issue the OpenPrinterEx() call requesting access rights associated
18514 with the logged on user. If the user possesses local administator rights
18515 but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
18516 call will fail. The result is that the client will now display an "Access
18517 Denied; Unable to connect" message in the printer queue window (even though
18518 jobs may successfully be printed). </P
18520 >If this parameter is enabled for a printer, then any attempt
18521 to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
18522 to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
18523 call to succeed. <SPAN
18527 >This parameter MUST not be able enabled
18528 on a print share which has valid print driver installed on the Samba
18534 HREF="#DISABLESPOOLSS"
18535 >disable spoolss</A
18541 >use client driver = no</B
18548 >>use mmap (G)</DT
18551 >This global parameter determines if the tdb internals of Samba can
18552 depend on mmap working correctly on the running system. Samba requires a coherent
18553 mmap/read-write system memory cache. Currently only HPUX does not have such a
18554 coherent cache, and so this parameter is set to <TT
18558 default on HPUX. On all other systems this parameter should be left alone. This
18559 parameter is provided to help the Samba developers track down problems with
18560 the tdb internal code.
18572 >>use rhosts (G)</DT
18575 >If this global parameter is <TT
18579 that the UNIX user's <TT
18582 > file in their home directory
18583 will be read to find the names of hosts and users who will be allowed
18584 access without specifying a password.</P
18598 > can be a major security hole. This is because you are
18599 trusting the PC to supply the correct username. It is very easy to
18600 get a PC to supply a false username. I recommend that the <TT
18605 > option be only used if you really know what
18610 >use rhosts = no</B
18634 >>users (S)</DT
18651 >>username (S)</DT
18654 >Multiple users may be specified in a comma-delimited
18655 list, in which case the supplied password will be tested against
18656 each username in turn (left to right).</P
18663 > line is needed only when
18664 the PC is unable to supply its own username. This is the case
18665 for the COREPLUS protocol or where your users have different WfWg
18666 usernames to UNIX usernames. In both these cases you may also be
18667 better using the \\server\share%user syntax instead.</P
18674 > line is not a great
18675 solution in many cases as it means Samba will try to validate
18676 the supplied password against each of the usernames in the
18682 > line in turn. This is slow and
18683 a bad idea for lots of users in case of duplicate passwords.
18684 You may get timeouts or security breaches using this parameter
18687 >Samba relies on the underlying UNIX security. This
18688 parameter does not restrict who can login, it just offers hints
18689 to the Samba server as to what usernames might correspond to the
18690 supplied password. Users can login as whoever they please and
18691 they will be able to do no more damage than if they started a
18692 telnet session. The daemon runs as the user that they log in as,
18693 so they cannot do anything that user cannot do.</P
18695 >To restrict a service to a particular set of users you
18707 >If any of the usernames begin with a '@' then the name
18708 will be looked up first in the NIS netgroups list (if Samba
18709 is compiled with netgroup support), followed by a lookup in
18710 the UNIX groups database and will expand to a list of all users
18711 in the group of that name.</P
18713 >If any of the usernames begin with a '+' then the name
18714 will be looked up only in the UNIX groups database and will
18715 expand to a list of all users in the group of that name.</P
18717 >If any of the usernames begin with a '&' then the name
18718 will be looked up only in the NIS netgroups database (if Samba
18719 is compiled with netgroup support) and will expand to a list
18720 of all users in the netgroup group of that name.</P
18722 >Note that searching though a groups database can take
18723 quite some time, and some clients may time out during the
18726 >See the section <A
18729 USERNAME/PASSWORD VALIDATION</A
18730 > for more information on how
18731 this parameter determines access to the services.</P
18735 >The guest account if a guest service,
18736 else <empty string>.</B
18741 >username = fred, mary, jack, jane,
18742 @users, @pcgroup</B
18747 NAME="USERNAMELEVEL"
18749 >>username level (G)</DT
18752 >This option helps Samba to try and 'guess' at
18753 the real UNIX username, as many DOS clients send an all-uppercase
18754 username. By default Samba tries all lowercase, followed by the
18755 username with the first letter capitalized, and fails if the
18756 username is not found on the UNIX machine.</P
18758 >If this parameter is set to non-zero the behavior changes.
18759 This parameter is a number that specifies the number of uppercase
18760 combinations to try while trying to determine the UNIX user name. The
18761 higher the number the more combinations will be tried, but the slower
18762 the discovery of usernames will be. Use this parameter when you have
18763 strange usernames on your UNIX machine, such as <TT
18771 >username level = 0</B
18776 >username level = 5</B
18783 >>username map (G)</DT
18786 >This option allows you to specify a file containing
18787 a mapping of usernames from the clients to the server. This can be
18788 used for several purposes. The most common is to map usernames
18789 that users use on DOS or Windows machines to those that the UNIX
18790 box uses. The other is to map multiple users to a single username
18791 so that they can more easily share files.</P
18793 >The map file is parsed line by line. Each line should
18794 contain a single UNIX username on the left then a '=' followed
18795 by a list of usernames on the right. The list of usernames on the
18796 right may contain names of the form @group in which case they
18797 will match any UNIX username in that group. The special client
18798 name '*' is a wildcard and matches any name. Each line of the
18799 map file may be up to 1023 characters long.</P
18801 >The file is processed on each line by taking the
18802 supplied username and comparing it with each username on the right
18803 hand side of the '=' signs. If the supplied name matches any of
18804 the names on the right hand side then it is replaced with the name
18805 on the left. Processing then continues with the next line.</P
18807 >If any line begins with a '#' or a ';' then it is
18810 >If any line begins with an '!' then the processing
18811 will stop after that line if a mapping was done by the line.
18812 Otherwise mapping continues with every line being processed.
18813 Using '!' is most useful when you have a wildcard mapping line
18814 later in the file.</P
18816 >For example to map from the name <TT
18823 > to the UNIX name <TT
18826 > you would use:</P
18830 >root = admin administrator</B
18833 >Or to map anyone in the UNIX group <TT
18837 to the UNIX name <TT
18840 > you would use:</P
18847 >You can have as many mappings as you like in a username
18850 >If your system supports the NIS NETGROUP option then
18851 the netgroup database is checked before the <TT
18855 > database for matching groups.</P
18857 >You can map Windows usernames that have spaces in them
18858 by using double quotes around the name. For example:</P
18862 >tridge = "Andrew Tridgell"</B
18865 >would map the windows username "Andrew Tridgell" to the
18866 unix username "tridge".</P
18868 >The following example would map mary and fred to the
18869 unix user sys, and map the rest to guest. Note the use of the
18870 '!' to tell Samba to stop processing if it gets a match on
18874 CLASS="PROGRAMLISTING"
18879 >Note that the remapping is applied to all occurrences
18880 of usernames. Thus if you connect to \\server\fred and <TT
18883 > is remapped to <TT
18887 will actually be connecting to \\server\mary and will need to
18888 supply a password suitable for <TT
18895 >. The only exception to this is the
18896 username passed to the <A
18897 HREF="#PASSWORDSERVER"
18901 > password server</I
18904 > (if you have one). The password
18905 server will receive whatever username the client supplies without
18908 >Also note that no reverse mapping is done. The main effect
18909 this has is with printing. Users who have been mapped may have
18910 trouble deleting print jobs as PrintManager under WfWg will think
18911 they don't own the print job.</P
18917 >no username map</I
18923 >username map = /usr/local/samba/lib/users.map
18931 >>use sendfile (S)</DT
18934 >If this parameter is <TT
18938 was built with the --with-sendfile-support option, and the underlying operating
18939 system supports sendfile system call, then some SMB read calls (mainly ReadAndX
18940 and ReadRaw) will use the more efficient sendfile system call for files that
18941 are exclusively oplocked. This may make more efficient use of the system CPU's
18942 and cause Samba to be faster. This is off by default as it's effects are unknown
18948 >use sendfile = no</B
18958 >This boolean parameter is only available if
18959 Samba has been configured and compiled with the option <B
18965 > then Samba will attempt
18966 to add utmp or utmpx records (depending on the UNIX system) whenever a
18967 connection is made to a Samba server. Sites may use this to record the
18968 user connecting to a Samba share.</P
18970 >Due to the requirements of the utmp record, we
18971 are required to create a unique identifier for the
18972 incoming user. Enabling this option creates an n^2
18973 algorithm to find this number. This may impede
18974 performance on large installations. </P
18977 HREF="#UTMPDIRECTORY"
18981 > utmp directory</I
18993 NAME="UTMPDIRECTORY"
18995 >>utmp directory(G)</DT
18998 >This parameter is only available if Samba has
18999 been configured and compiled with the option <B
19002 >. It specifies a directory pathname that is
19003 used to store the utmp or utmpx files (depending on the UNIX system) that
19004 record user connections to a Samba server. See also the <A
19012 > parameter. By default this is
19013 not set, meaning the system will use whatever utmp file the
19014 native system is set to use (usually
19024 >no utmp directory</I
19030 >utmp directory = /var/run/utmp</B
19035 NAME="WTMPDIRECTORY"
19037 >>wtmp directory(G)</DT
19040 >This parameter is only available if Samba has
19041 been configured and compiled with the option <B
19044 >. It specifies a directory pathname that is
19045 used to store the wtmp or wtmpx files (depending on the UNIX system) that
19046 record user connections to a Samba server. The difference with
19047 the utmp directory is the fact that user info is kept after a user
19058 > parameter. By default this is
19059 not set, meaning the system will use whatever utmp file the
19060 native system is set to use (usually
19070 >no wtmp directory</I
19076 >wtmp directory = /var/log/wtmp</B
19083 >>valid users (S)</DT
19086 >This is a list of users that should be allowed
19087 to login to this service. Names starting with '@', '+' and '&'
19088 are interpreted using the same rules as described in the
19096 >If this is empty (the default) then any user can login.
19097 If a username is in both this list and the <TT
19103 > list then access is denied for that user.</P
19105 >The current servicename is substituted for <TT
19111 >. This is useful in the [homes] section.</P
19114 HREF="#INVALIDUSERS"
19128 >No valid users list (anyone can login)
19135 >valid users = greg, @pcusers</B
19142 >>veto files(S)</DT
19145 >This is a list of files and directories that
19146 are neither visible nor accessible. Each entry in the list must
19147 be separated by a '/', which allows spaces to be included
19148 in the entry. '*' and '?' can be used to specify multiple files
19149 or directories as in DOS wildcards.</P
19151 >Each entry must be a unix path, not a DOS path and
19158 > include the unix directory
19167 is applicable in vetoing files.</P
19169 >One feature of the veto files parameter that it
19170 is important to be aware of is Samba's behaviour when
19171 trying to delete a directory. If a directory that is
19172 to be deleted contains nothing but veto files this
19173 deletion will <SPAN
19179 > unless you also set
19183 >delete veto files</I
19193 >Setting this parameter will affect the performance
19194 of Samba, as it will be forced to check all files and directories
19195 for a match as they are scanned.</P
19207 HREF="#CASESENSITIVE"
19211 > case sensitive</I
19220 >No files or directories are vetoed.
19226 CLASS="PROGRAMLISTING"
19227 >; Veto any files containing the word Security,
19228 ; any ending in .tmp, and any directory containing the
19230 veto files = /*Security*/*.tmp/*root*/
19232 ; Veto the Apple specific files that a NetAtalk server
19234 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/</PRE
19239 NAME="VETOOPLOCKFILES"
19241 >>veto oplock files (S)</DT
19244 >This parameter is only valid when the <A
19253 parameter is turned on for a share. It allows the Samba administrator
19254 to selectively turn off the granting of oplocks on selected files that
19255 match a wildcarded list, similar to the wildcarded list used in the
19271 >No files are vetoed for oplock
19276 >You might want to do this on files that you know will
19277 be heavily contended for by clients. A good example of this
19278 is in the NetBench SMB benchmark program, which causes heavy
19279 client contention for files ending in <TT
19283 To cause Samba not to grant oplocks on these files you would use
19284 the line (either in the [global] section or in the section for
19285 the particular NetBench share :</P
19289 >veto oplock files = /*.SEM/
19297 >>vfs path (S)</DT
19300 >This parameter specifies the directory
19301 to look in for vfs modules. The name of every <B
19305 > will be prepended by this directory
19315 >vfs path = /usr/lib/samba/vfs</B
19322 >>vfs object (S)</DT
19325 >This parameter specifies a shared object files that
19326 are used for Samba VFS I/O operations. By default, normal
19327 disk I/O operations are used but these can be overloaded
19328 with one or more VFS objects. </P
19342 >>vfs options (S)</DT
19345 >This parameter allows parameters to be passed
19346 to the vfs layer at initialization time.
19369 >>volume (S)</DT
19372 > This allows you to override the volume label
19373 returned for a share. Useful for CDROMs with installation programs
19374 that insist on a particular volume label.</P
19380 >the name of the share</I
19388 >>wide links (S)</DT
19391 >This parameter controls whether or not links
19392 in the UNIX file system may be followed by the server. Links
19393 that point to areas within the directory tree exported by the
19394 server are always allowed; this parameter controls access only
19395 to areas that are outside the directory tree being exported.</P
19397 >Note that setting this parameter can have a negative
19398 effect on your server performance due to the extra system calls
19399 that Samba has to do in order to perform the link checks.</P
19403 >wide links = yes</B
19408 NAME="WINBINDCACHETIME"
19410 >>winbind cache time (G)</DT
19413 >This parameter specifies the number of
19415 CLASS="CITEREFENTRY"
19417 CLASS="REFENTRYTITLE"
19420 > daemon will cache
19421 user and group information before querying a Windows NT server
19426 >winbind cache type = 15</B
19431 NAME="WINBINDENUMUSERS"
19433 >>winbind enum users (G)</DT
19436 >On large installations using <SPAN
19437 CLASS="CITEREFENTRY"
19439 CLASS="REFENTRYTITLE"
19443 necessary to suppress the enumeration of users through the <B
19454 > group of system calls. If
19458 >winbind enum users</I
19468 will not return any data. </P
19477 enumeration may cause some programs to behave oddly. For
19478 example, the finger program relies on having access to the
19479 full user list when searching for matching
19484 >winbind enum users = yes </B
19489 NAME="WINBINDENUMGROUPS"
19491 >>winbind enum groups (G)</DT
19494 >On large installations using <SPAN
19495 CLASS="CITEREFENTRY"
19497 CLASS="REFENTRYTITLE"
19500 > it may be necessary to suppress
19501 the enumeration of groups through the <B
19512 > group of system calls. If
19516 >winbind enum groups</I
19526 call will not return any data. </P
19534 > Turning off group
19535 enumeration may cause some programs to behave oddly.
19540 >winbind enum groups = yes </B
19548 >>winbind gid (G)</DT
19551 >The winbind gid parameter specifies the range of group
19552 ids that are allocated by the <SPAN
19553 CLASS="CITEREFENTRY"
19555 CLASS="REFENTRYTITLE"
19558 > daemon. This range of group ids should have no
19559 existing local or NIS groups within it as strange conflicts can
19560 occur otherwise.</P
19564 >winbind gid = <empty string>
19570 >winbind gid = 10000-20000</B
19575 NAME="WINBINDSEPARATOR"
19577 >>winbind separator (G)</DT
19580 >This parameter allows an admin to define the character
19581 used when listing a username of the form of <TT
19582 CLASS="REPLACEABLE"
19588 CLASS="REPLACEABLE"
19593 is only applicable when using the <TT
19595 >pam_winbind.so</TT
19599 >nss_winbind.so</TT
19600 > modules for UNIX services.
19603 >Please note that setting this parameter to + causes problems
19604 with group membership at least on glibc systems, as the character +
19605 is used as a special character for NIS in /etc/group.</P
19609 >winbind separator = '\'</B
19614 >winbind separator = +</B
19621 >>winbind uid (G)</DT
19624 >The winbind gid parameter specifies the range of group
19625 ids that are allocated by the <SPAN
19626 CLASS="CITEREFENTRY"
19628 CLASS="REFENTRYTITLE"
19631 > daemon. This range of ids should have no
19632 existing local or NIS users within it as strange conflicts can
19633 occur otherwise.</P
19637 >winbind uid = <empty string>
19643 >winbind uid = 10000-20000</B
19648 NAME="WINBINDUSEDEFAULTDOMAIN"
19650 >>winbind use default domain (G)</DT
19653 >This parameter specifies whether the <SPAN
19654 CLASS="CITEREFENTRY"
19656 CLASS="REFENTRYTITLE"
19659 > daemon should operate on users
19660 without domain component in their username.
19661 Users without a domain component are treated as is part of the winbindd server's
19662 own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
19663 function in a way much closer to the way they would in a native unix system.</P
19667 >winbind use default domain = <no>
19673 >winbind use default domain = yes</B
19680 >>wins hook (G)</DT
19683 >When Samba is running as a WINS server this
19684 allows you to call an external program for all changes to the
19685 WINS database. The primary use for this option is to allow the
19686 dynamic update of external name resolution databases such as
19689 >The wins hook parameter specifies the name of a script
19690 or executable that will be called as follows:</P
19694 >wins_hook operation name nametype ttl IP_list
19702 >The first argument is the operation and is one
19703 of "add", "delete", or "refresh". In most cases the operation can
19704 be ignored as the rest of the parameters provide sufficient
19705 information. Note that "refresh" may sometimes be called when the
19706 name has not previously been added, in that case it should be treated
19711 >The second argument is the NetBIOS name. If the
19712 name is not a legal name then the wins hook is not called.
19713 Legal names contain only letters, digits, hyphens, underscores
19718 >The third argument is the NetBIOS name
19719 type as a 2 digit hexadecimal number. </P
19723 >The fourth argument is the TTL (time to live)
19724 for the name in seconds.</P
19728 >The fifth and subsequent arguments are the IP
19729 addresses currently registered for that name. If this list is
19730 empty then the name should be deleted.</P
19734 >An example script that calls the BIND dynamic DNS update
19738 > is provided in the examples
19739 directory of the Samba source code. </P
19745 >>wins proxy (G)</DT
19748 >This is a boolean that controls if <A
19752 > will respond to broadcast name
19753 queries on behalf of other hosts. You may need to set this
19757 > for some older clients.</P
19761 >wins proxy = no</B
19768 >>wins server (G)</DT
19771 >This specifies the IP address (or DNS name: IP
19772 address for preference) of the WINS server that <SPAN
19773 CLASS="CITEREFENTRY"
19775 CLASS="REFENTRYTITLE"
19778 > should register with. If you have a WINS server on
19779 your network then you should set this to the WINS server's IP.</P
19781 >You should point this at your WINS server if you have a
19782 multi-subnetted network.</P
19790 >. You need to set up Samba to point
19791 to a WINS server if you have multiple subnets and wish cross-subnet
19792 browsing to work correctly.</P
19794 >See the documentation file <A
19795 HREF="improved-browsing.html"
19799 in the docs/ directory of your Samba source distribution.</P
19811 >wins server = 192.9.200.1</B
19818 >>wins support (G)</DT
19821 >This boolean controls if the <SPAN
19822 CLASS="CITEREFENTRY"
19824 CLASS="REFENTRYTITLE"
19827 > process in Samba will act as a WINS server. You should
19828 not set this to <TT
19831 > unless you have a multi-subnetted network and
19832 you wish a particular <B
19835 > to be your WINS server.
19836 Note that you should <SPAN
19846 on more than one machine in your network.</P
19850 >wins support = no</B
19857 >>workgroup (G)</DT
19860 >This controls what workgroup your server will
19861 appear to be in when queried by clients. Note that this parameter
19862 also controls the Domain name used with the <A
19863 HREF="#SECURITYEQUALSDOMAIN"
19866 >security = domain</B
19875 >set at compile time to WORKGROUP</I
19881 >workgroup = MYGROUP</B
19888 >>writable (S)</DT
19899 > for people who can't spell :-).</P
19903 NAME="WRITECACHESIZE"
19905 >>write cache size (S)</DT
19908 >If this integer parameter is set to non-zero value,
19909 Samba will create an in-memory cache for each oplocked file
19917 non-oplocked files). All writes that the client does not request
19918 to be flushed directly to disk will be stored in this cache if possible.
19919 The cache is flushed onto disk when a write comes in whose offset
19920 would not fit into the cache or when the file is closed by the client.
19921 Reads for the file are also served from this cache if the data is stored
19924 >This cache allows Samba to batch client writes into a more
19925 efficient write size for RAID disks (i.e. writes may be tuned to
19926 be the RAID stripe size) and can improve performance on systems
19927 where the disk subsystem is a bottleneck but there is free
19928 memory for userspace programs.</P
19930 >The integer parameter specifies the size of this cache
19931 (per oplocked file) in bytes.</P
19935 >write cache size = 0</B
19940 >write cache size = 262144</B
19943 >for a 256k cache size per file.</P
19949 >>write list (S)</DT
19952 >This is a list of users that are given read-write
19953 access to a service. If the connecting user is in this list then
19954 they will be given write access, no matter what the <A
19963 option is set to. The list can include group names using the
19966 >Note that if a user is in both the read list and the
19967 write list then they will be given write access.</P
19982 >write list = <empty string>
19988 >write list = admin, root, @staff
19994 NAME="WINSPARTNERS"
19996 >>wins partners (G)</DT
19999 >A space separated list of partners' IP addresses for
20000 WINS replication. WINS partners are always defined as push/pull
20001 partners as defining only one way WINS replication is unreliable.
20002 WINS replication is currently experimental and unreliable between
20008 >wins partners = </B
20013 >wins partners = 192.168.0.1 172.16.1.2</B
20020 >>write ok (S)</DT
20023 >Inverted synonym for <A
20037 >>write raw (G)</DT
20040 >This parameter controls whether or not the server
20041 will support raw write SMB's when transferring data from clients.
20042 You should never need to change this parameter.</P
20046 >write raw = yes</B
20053 >>writeable (S)</DT
20056 >Inverted synonym for <A
20077 >Although the configuration file permits service names
20078 to contain spaces, your client software may not. Spaces will
20079 be ignored in comparisons anyway, so it shouldn't be a
20080 problem - but be aware of the possibility.</P
20082 >On a similar note, many clients - especially DOS clients -
20083 limit service names to eight characters. <SPAN
20084 CLASS="CITEREFENTRY"
20086 CLASS="REFENTRYTITLE"
20089 > has no such limitation, but attempts to connect from such
20090 clients will fail if they truncate the service names. For this reason
20091 you should probably keep your service names down to eight characters
20094 >Use of the [homes] and [printers] special sections make life
20095 for an administrator easy, but the various combinations of default
20096 attributes can be tricky. Take extreme care when designing these
20097 sections. In particular, ensure that the permissions on spool
20098 directories are correct.</P
20108 >This man page is correct for version 3.0 of the Samba suite.</P
20119 CLASS="CITEREFENTRY"
20121 CLASS="REFENTRYTITLE"
20125 CLASS="CITEREFENTRY"
20127 CLASS="REFENTRYTITLE"
20131 CLASS="CITEREFENTRY"
20133 CLASS="REFENTRYTITLE"
20137 CLASS="CITEREFENTRY"
20139 CLASS="REFENTRYTITLE"
20143 CLASS="CITEREFENTRY"
20145 CLASS="REFENTRYTITLE"
20149 CLASS="CITEREFENTRY"
20151 CLASS="REFENTRYTITLE"
20155 CLASS="CITEREFENTRY"
20157 CLASS="REFENTRYTITLE"
20161 CLASS="CITEREFENTRY"
20163 CLASS="REFENTRYTITLE"
20167 CLASS="CITEREFENTRY"
20169 CLASS="REFENTRYTITLE"
20182 >The original Samba software and related utilities
20183 were created by Andrew Tridgell. Samba is now developed
20184 by the Samba Team as an Open Source project similar
20185 to the way the Linux kernel is developed.</P
20187 >The original Samba man pages were written by Karl Auer.
20188 The man page sources were converted to YODL format (another
20189 excellent piece of Open Source software, available at <A
20190 HREF="ftp://ftp.icce.rug.nl/pub/unix/"
20192 > ftp://ftp.icce.rug.nl/pub/unix/</A
20193 >) and updated for the Samba 2.0
20194 release by Jeremy Allison. The conversion to DocBook for
20195 Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2
20196 for Samba 3.0 was done by Alexander Bokovoy.</P