1 mailto(samba-bugs@samba.anu.edu.au)
3 manpage(smb.conf)(5)(23 Oct 1998)(Samba)(SAMBA)
6 manpagename(smb.conf)(The configuration file for the Samba suite)
11 bf(smb.conf) The bf(smb.conf) file is a configuration file for the
12 Samba suite. bf(smb.conf) contains runtime configuration information
13 for the Samba programs. The bf(smb.conf) file is designed to be
14 configured and administered by the url(bf(swat (8)))(swat.8.html)
15 program. The complete description of the file format and possible
16 parameters held within are here for reference purposes.
19 manpagesection(FILE FORMAT)
21 The file consists of sections and parameters. A section begins with
22 the name of the section in square brackets and continues until the
23 next section begins. Sections contain parameters of the form
27 The file is line-based - that is, each newline-terminated line
28 represents either a comment, a section name or a parameter.
30 Section and parameter names are not case sensitive.
32 Only the first equals sign in a parameter is significant. Whitespace
33 before or after the first equals sign is discarded. Leading, trailing
34 and internal whitespace in section and parameter names is
35 irrelevant. Leading and trailing whitespace in a parameter value is
36 discarded. Internal whitespace within a parameter value is retained
39 Any line beginning with a semicolon (';') or a hash ('#') character is
40 ignored, as are lines containing only whitespace.
42 Any line ending in a tt('\') is "continued" on the next line in the
43 customary UNIX fashion.
45 The values following the equals sign in parameters are all either a
46 string (no quotes needed) or a boolean, which may be given as yes/no,
47 0/1 or true/false. Case is not significant in boolean values, but is
48 preserved in string values. Some items such as create modes are
51 label(SECTIONDESCRIPTIONS)
52 manpagesection(SECTION DESCRIPTIONS)
54 Each section in the configuration file (except for the
55 link(bf([global]))(global) section) describes a shared resource (known
56 as a em("share")). The section name is the name of the shared resource
57 and the parameters within the section define the shares attributes.
59 There are three special sections, link(bf([global]))(global),
60 link(bf([homes]))(homes) and link(bf([printers]))(printers), which are
61 described under link(bf('special sections'))(specialsections). The
62 following notes apply to ordinary section descriptions.
64 A share consists of a directory to which access is being given plus
65 a description of the access rights which are granted to the user of
66 the service. Some housekeeping options are also specifiable.
68 Sections are either filespace services (used by the client as an
69 extension of their native file systems) or printable services (used by
70 the client to access print services on the host running the server).
72 Sections may be designated link(bf(guest))(guestok) services, in which
73 case no password is required to access them. A specified UNIX
74 link(bf(guest account))(guestaccount) is used to define access
75 privileges in this case.
77 Sections other than guest services will require a password to access
78 them. The client provides the username. As older clients only provide
79 passwords and not usernames, you may specify a list of usernames to
80 check against the password using the link(bf("user="))(user) option in
81 the share definition. For modern clients such as Windows 95/98 and
82 Windows NT, this should not be neccessary.
84 Note that the access rights granted by the server are masked by the
85 access rights granted to the specified or guest UNIX user by the host
86 system. The server does not grant more access than the host system
89 The following sample section defines a file space share. The user has
90 write access to the path tt(/home/bar). The share is accessed via
101 The following sample section defines a printable share. The share
102 is readonly, but printable. That is, the only write access permitted
103 is via calls to open, write to and close a spool file. The
104 link(bf('guest ok'))(guestok) parameter means access will be permitted
105 as the default guest user (specified elsewhere):
109 path = /usr/spool/public
115 label(SPECIALSECTIONS)
116 manpagesection(SPECIAL SECTIONS)
121 dit(bf(The [global] section))
123 Parameters in this section apply to the server as a whole, or are
124 defaults for sections which do not specifically define certain
125 items. See the notes under link(bf('Parameters'))(Parameters) for more
129 dit(bf(The [homes] section))
131 If a section called tt('homes') is included in the configuration file,
132 services connecting clients to their home directories can be created
133 on the fly by the server.
135 When the connection request is made, the existing sections are
136 scanned. If a match is found, it is used. If no match is found, the
137 requested section name is treated as a user name and looked up in the
138 local password file. If the name exists and the correct password has
139 been given, a share is created by cloning the [homes] section.
141 Some modifications are then made to the newly created share:
145 it() The share name is changed from tt('homes') to the located
148 it() If no path was given, the path is set to the user's home
153 If you decide to use a link(bf(path=))(path) line in your [homes]
154 section then you may find it useful to use the link(bf(%S))(percentS)
157 tt(path=/data/pchome/%S)
159 would be useful if you have different home directories for your PCs
160 than for UNIX access.
162 This is a fast and simple way to give a large number of clients access
163 to their home directories with a minimum of fuss.
165 A similar process occurs if the requested section name is tt("homes"),
166 except that the share name is not changed to that of the requesting
167 user. This method of using the [homes] section works well if different
168 users share a client PC.
170 The [homes] section can specify all the parameters a normal service
171 section can specify, though some make more sense than others. The
172 following is a typical and suitable [homes] section:
179 An important point is that if guest access is specified in the [homes]
180 section, all home directories will be visible to all clients
181 bf(without a password). In the very unlikely event that this is
182 actually desirable, it would be wise to also specify link(bf(read only
185 Note that the link(bf(browseable))(browseable) flag for auto home
186 directories will be inherited from the global browseable flag, not the
187 [homes] browseable flag. This is useful as it means setting
188 browseable=no in the [homes] section will hide the [homes] share but
189 make any auto home directories visible.
192 dit(bf(The [printers] section))
194 This section works like link(bf([homes]))(homes), but for printers.
196 If a [printers] section occurs in the configuration file, users are
197 able to connect to any printer specified in the local host's printcap
200 When a connection request is made, the existing sections are
201 scanned. If a match is found, it is used. If no match is found, but a
202 link(bf([homes]))(homes) section exists, it is used as described
203 above. Otherwise, the requested section name is treated as a printer
204 name and the appropriate printcap file is scanned to see if the
205 requested section name is a valid printer share name. If a match is
206 found, a new printer share is created by cloning the [printers]
209 A few modifications are then made to the newly created share:
213 it() The share name is set to the located printer name
215 it() If no printer name was given, the printer name is set to the
218 it() If the share does not permit guest access and no username was
219 given, the username is set to the located printer name.
223 Note that the [printers] service MUST be printable - if you specify
224 otherwise, the server will refuse to load the configuration file.
226 Typically the path specified would be that of a world-writable spool
227 directory with the sticky bit set on it. A typical [printers] entry
228 would look like this:
232 path = /usr/spool/public
238 All aliases given for a printer in the printcap file are legitimate
239 printer names as far as the server is concerned. If your printing
240 subsystem doesn't work like that, you will have to set up a
241 pseudo-printcap. This is a file consisting of one or more lines like
244 verb( alias|alias|alias|alias... )
246 Each alias should be an acceptable printer name for your printing
247 subsystem. In the link(bf([global]))(global) section, specify the new
248 file as your printcap. The server will then only recognise names
249 found in your pseudo-printcap, which of course can contain whatever
250 aliases you like. The same technique could be used simply to limit
251 access to a subset of your local printers.
253 An alias, by the way, is defined as any component of the first entry
254 of a printcap record. Records are separated by newlines, components
255 (if there are more than one) are separated by vertical bar symbols
258 NOTE: On SYSV systems which use lpstat to determine what printers are
259 defined on the system you may be able to use link(bf("printcap name =
260 lpstat"))(printcapname) to automatically obtain a list of
261 printers. See the link(bf("printcap name"))(printcapname) option for
267 manpagesection(PARAMETERS)
269 Parameters define the specific attributes of sections.
271 Some parameters are specific to the link(bf([global]))(global) section
272 (eg., link(bf(security))(security)). Some parameters are usable in
273 all sections (eg., link(bf(create mode))(createmode)). All others are
274 permissible only in normal sections. For the purposes of the following
275 descriptions the link(bf([homes]))(homes) and
276 link(bf([printers]))(printers) sections will be considered normal.
277 The letter tt('G') in parentheses indicates that a parameter is
278 specific to the link(bf([global]))(global) section. The letter tt('S')
279 indicates that a parameter can be specified in a service specific
280 section. Note that all tt('S') parameters can also be specified in the
281 link(bf([global]))(global) section - in which case they will define
282 the default behaviour for all services.
284 Parameters are arranged here in alphabetical order - this may not
285 create best bedfellows, but at least you can find them! Where there
286 are synonyms, the preferred synonym is described, others refer to the
289 label(VARIABLESUBSTITUTIONS)
290 manpagesection(VARIABLE SUBSTITUTIONS)
292 Many of the strings that are settable in the config file can take
293 substitutions. For example the option link(bf(tt("path =
294 /tmp/%u")))(path) would be interpreted as tt("path = /tmp/john") if
295 the user connected with the username john.
297 These substitutions are mostly noted in the descriptions below, but
298 there are some general substitutions which apply whenever they might
299 be relevant. These are:
304 it() bf(%S) = the name of the current service, if any.
307 it() bf(%P) = the root directory of the current service, if any.
310 it() bf(%u) = user name of the current service, if any.
313 it() bf(%g) = primary group name of link(bf(%u))(percentu).
316 it() bf(%U) = session user name (the user name that
317 the client wanted, not necessarily the same as the one they got).
320 it() bf(%G) = primary group name of link(bf(%U))(percentU).
323 it() bf(%H) = the home directory of the user given by link(bf(%u))(percentu).
326 it() bf(%v) = the Samba version.
329 it() bf(%h) = the internet hostname that Samba is running on.
332 it() bf(%m) = the NetBIOS name of the client machine (very useful).
335 it() bf(%L) = the NetBIOS name of the server. This allows you to change your
336 config based on what the client calls you. Your server can have a "dual
340 it() bf(%M) = the internet name of the client machine.
343 it() bf(%N) = the name of your NIS home directory server. This is
344 obtained from your NIS auto.map entry. If you have not compiled Samba
345 with the bf(--with-automount) option then this value will be the same
346 as link(bf(%L))(percentL).
349 it() bf(%p) = the path of the service's home directory, obtained from your NIS
350 auto.map entry. The NIS auto.map entry is split up as "%N:%p".
353 it() bf(%R) = the selected protocol level after protocol
354 negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
357 it() bf(%d) = The process id of the current server process.
360 it() bf(%a) = the architecture of the remote
361 machine. Only some are recognised, and those may not be 100%
362 reliable. It currently recognises Samba, WfWg, WinNT and
363 Win95. Anything else will be known as "UNKNOWN". If it gets it wrong
364 then sending a level 3 log to email(samba-bugs@samba.anu.edu.au)
365 should allow it to be fixed.
368 it() bf(%I) = The IP address of the client machine.
371 it() bf(%T) = the current date and time.
375 There are some quite creative things that can be done with these
376 substitutions and other smb.conf options.
379 manpagesection(NAME MANGLING)
381 Samba supports em("name mangling") so that DOS and Windows clients can
382 use files that don't conform to the 8.3 format. It can also be set to
383 adjust the case of 8.3 format filenames.
385 There are several options that control the way mangling is performed,
386 and they are grouped here rather than listed separately. For the
387 defaults look at the output of the testparm program.
389 All of these options can be set separately for each service (or
390 globally, of course).
394 label(manglecaseoption)
395 bf("mangle case = yes/no") controls if names that have characters that
396 aren't of the "default" case are mangled. For example, if this is yes
397 then a name like tt("Mail") would be mangled. Default em(no).
399 label(casesensitiveoption)
400 bf("case sensitive = yes/no") controls whether filenames are case
401 sensitive. If they aren't then Samba must do a filename search and
402 match on passed names. Default em(no).
404 label(defaultcaseoption)
405 bf("default case = upper/lower") controls what the default case is for new
406 filenames. Default em(lower).
408 label(preservecaseoption)
409 bf("preserve case = yes/no") controls if new files are created with the
410 case that the client passes, or if they are forced to be the tt("default")
411 case. Default em(Yes).
413 label(shortpreservecaseoption)
415 bf("short preserve case = yes/no") controls if new files which conform
416 to 8.3 syntax, that is all in upper case and of suitable length, are
417 created upper case, or if they are forced to be the tt("default")
418 case. This option can be use with link(bf("preserve case =
419 yes"))(preservecaseoption) to permit long filenames to retain their
420 case, while short names are lowered. Default em(Yes).
422 By default, Samba 2.0 has the same semantics as a Windows NT
423 server, in that it is case insensitive but case preserving.
425 label(COMPLETELISTOFGLOBALPARAMETERS)
426 manpagesection(COMPLETE LIST OF GLOBAL PARAMETERS)
428 Here is a list of all global parameters. See the section of each
429 parameter for details. Note that some are synonyms.
433 it() link(bf(announce as))(announceas)
435 it() link(bf(announce version))(announceversion)
437 it() link(bf(auto services))(autoservices)
439 it() link(bf(bind interfaces only))(bindinterfacesonly)
441 it() link(bf(browse list))(browselist)
443 it() link(bf(change notify timeout))(changenotifytimeout)
445 it() link(bf(character set))(characterset)
447 it() link(bf(client code page))(clientcodepage)
449 it() link(bf(coding system))(codingsystem)
451 it() link(bf(config file))(configfile)
453 it() link(bf(deadtime))(deadtime)
455 it() link(bf(debug timestamp))(debugtimestamp)
457 it() link(bf(debuglevel))(debuglevel)
459 it() link(bf(default))(default)
461 it() link(bf(default service))(defaultservice)
463 it() link(bf(dfree command))(dfreecommand)
465 it() link(bf(dns proxy))(dns proxy)
467 it() link(bf(domain admin group))(domainadmingroup)
469 it() link(bf(domain admin users))(domainadminusers)
471 it() link(bf(domain controller))(domaincontroller)
473 it() link(bf(domain groups))(domaingroups)
475 it() link(bf(domain guest group))(domainguestgroup)
477 it() link(bf(domain guest users))(domainguestusers)
479 it() link(bf(domain logons))(domainlogons)
481 it() link(bf(domain master))(domainmaster)
483 it() link(bf(encrypt passwords))(encryptpasswords)
485 it() link(bf(getwd cache))(getwdcache)
487 it() link(bf(homedir map))(homedirmap)
489 it() link(bf(hosts equiv))(hostsequiv)
491 it() link(bf(interfaces))(interfaces)
493 it() link(bf(keepalive))(keepalive)
495 it() link(bf(kernel oplocks))(kerneloplocks)
497 it() link(bf(ldap filter))(ldapfilter)
499 it() link(bf(ldap port))(ldapport)
501 it() link(bf(ldap root))(ldaproot)
503 it() link(bf(ldap root passwd))(ldaprootpasswd)
505 it() link(bf(ldap server))(ldapserver)
507 it() link(bf(ldap suffix))(ldapsuffix)
509 it() link(bf(lm announce))(lmannounce)
511 it() link(bf(lm interval))(lminterval)
513 it() link(bf(load printers))(loadprinters)
515 it() link(bf(local master))(localmaster)
517 it() link(bf(lock dir))(lockdir)
519 it() link(bf(lock directory))(lockdirectory)
521 it() link(bf(log file))(logfile)
523 it() link(bf(log level))(loglevel)
525 it() link(bf(logon drive))(logondrive)
527 it() link(bf(logon home))(logonhome)
529 it() link(bf(logon path))(logonpath)
531 it() link(bf(logon script))(logonscript)
533 it() link(bf(lpq cache time))(lpqcachetime)
535 it() link(bf(machine password timeout))(machinepasswordtimeout)
537 it() link(bf(mangled stack))(mangledstack)
539 it() link(bf(max disk size))(maxdisksize)
541 it() link(bf(max log size))(maxlogsize)
543 it() link(bf(max mux))(maxmux)
545 it() link(bf(max open files))(maxopenfiles)
547 it() link(bf(max packet))(maxpacket)
549 it() link(bf(max ttl))(maxttl)
551 it() link(bf(max wins ttl))(maxwinsttl)
553 it() link(bf(max xmit))(maxxmit)
555 it() link(bf(message command))(messagecommand)
557 it() link(bf(min wins ttl))(minwinsttl)
559 it() link(bf(name resolve order))(nameresolveorder)
561 it() link(bf(netbios aliases))(netbiosaliases)
563 it() link(bf(netbios name))(netbiosname)
565 it() link(bf(networkstation user login))(networkstationuserlogin)
567 it() link(bf(NIS homedir))(NIShomedir)
569 it() link(bf(nt pipe support))(ntpipesupport)
571 it() link(bf(nt smb support))(ntsmbsupport)
573 it() link(bf(null passwords))(nullpasswords)
575 it() link(bf(ole locking compatibility))(olelockingcompatibility)
577 it() link(bf(os level))(oslevel)
579 it() link(bf(packet size))(packetsize)
581 it() link(bf(panic action))(panicaction)
583 it() link(bf(passwd chat))(passwdchat)
585 it() link(bf(passwd chat debug))(passwdchatdebug)
587 it() link(bf(passwd program))(passwdprogram)
589 it() link(bf(password level))(passwordlevel)
591 it() link(bf(password server))(passwordserver)
593 it() link(bf(prefered master))(preferedmaster)
595 it() link(bf(preferred master))(preferredmaster)
597 it() link(bf(preload))(preload)
599 it() link(bf(printcap))(printcap)
601 it() link(bf(printcap name))(printcapname)
603 it() link(bf(printer driver file))(printerdriverfile)
605 it() link(bf(protocol))(protocol)
607 it() link(bf(read bmpx))(readbmpx)
609 it() link(bf(read prediction))(readprediction)
611 it() link(bf(read raw))(readraw)
613 it() link(bf(read size))(readsize)
615 it() link(bf(remote announce))(remoteannounce)
617 it() link(bf(remote browse sync))(remotebrowsesync)
619 it() link(bf(root))(root)
621 it() link(bf(root dir))(rootdir)
623 it() link(bf(root directory))(rootdirectory)
625 it() link(bf(security))(security)
627 it() link(bf(server string))(serverstring)
629 it() link(bf(shared mem size))(sharedmemsize)
631 it() link(bf(smb passwd file))(smbpasswdfile)
633 it() link(bf(smbrun))(smbrun)
635 it() link(bf(socket address))(socketaddress)
637 it() link(bf(socket options))(socketoptions)
639 it() link(bf(ssl))(ssl)
641 it() link(bf(ssl CA certDir))(sslCAcertDir)
643 it() link(bf(ssl CA certFile))(sslCAcertFile)
645 it() link(bf(ssl ciphers))(sslciphers)
647 it() link(bf(ssl client cert))(sslclientcert)
649 it() link(bf(ssl client key))(sslclientkey)
651 it() link(bf(ssl compatibility))(sslcompatibility)
653 it() link(bf(ssl hosts))(sslhosts)
655 it() link(bf(ssl hosts resign))(sslhostsresign)
657 it() link(bf(ssl require clientcert))(sslrequireclientcert)
659 it() link(bf(ssl require servercert))(sslrequireservercert)
661 it() link(bf(ssl server cert))(sslservercert)
663 it() link(bf(ssl server key))(sslserverkey)
665 it() link(bf(ssl version))(sslversion)
667 it() link(bf(stat cache))(statcache)
669 it() link(bf(stat cache size))(statcachesize)
671 it() link(bf(strip dot))(stripdot)
673 it() link(bf(syslog))(syslog)
675 it() link(bf(syslog only))(syslogonly)
677 it() link(bf(time offset))(timeoffset)
679 it() link(bf(time server))(timeserver)
681 it() link(bf(timestamp logs))(timestamplogs)
683 it() link(bf(unix password sync))(unixpasswordsync)
685 it() link(bf(unix realname))(unixrealname)
687 it() link(bf(update encrypted))(updateencrypted)
689 it() link(bf(use rhosts))(userhosts)
691 it() link(bf(username level))(usernamelevel)
693 it() link(bf(username map))(usernamemap)
695 it() link(bf(valid chars))(validchars)
697 it() link(bf(wins proxy))(winsproxy)
699 it() link(bf(wins server))(winsserver)
701 it() link(bf(wins support))(winssupport)
703 it() link(bf(workgroup))(workgroup)
705 it() link(bf(write raw))(writeraw)
709 label(COMPLETELISTOFSERVICEPARAMETERS)
710 manpagesection(COMPLETE LIST OF SERVICE PARAMETERS)
712 Here is a list of all service parameters. See the section of each
713 parameter for details. Note that some are synonyms.
717 it() link(bf(admin users))(adminusers)
719 it() link(bf(allow hosts))(allowhosts)
721 it() link(bf(alternate permissions))(alternatepermissions)
723 it() link(bf(available))(available)
725 it() link(bf(blocking locks))(blockinglocks)
727 it() link(bf(browsable))(browsable)
729 it() link(bf(browseable))(browseable)
731 it() link(bf(case sensitive))(casesensitive)
733 it() link(bf(casesignames))(casesignames)
735 it() link(bf(comment))(comment)
737 it() link(bf(copy))(copy)
739 it() link(bf(create mask))(createmask)
741 it() link(bf(create mode))(createmode)
743 it() link(bf(default case))(defaultcase)
745 it() link(bf(delete readonly))(deletereadonly)
747 it() link(bf(delete veto files))(deletevetofiles)
749 it() link(bf(deny hosts))(denyhosts)
751 it() link(bf(directory))(directory)
753 it() link(bf(directory mask))(directorymask)
755 it() link(bf(directory mode))(directorymode)
757 it() link(bf(dont descend))(dontdescend)
759 it() link(bf(dos filetime resolution))(dosfiletimeresolution)
761 it() link(bf(dos filetimes))(dosfiletimes)
763 it() link(bf(exec))(exec)
765 it() link(bf(fake directory create times))(fakedirectorycreatetimes)
767 it() link(bf(fake oplocks))(fakeoplocks)
769 it() link(bf(follow symlinks))(followsymlinks)
771 it() link(bf(force create mode))(forcecreatemode)
773 it() link(bf(force directory mode))(forcedirectorymode)
775 it() link(bf(force group))(forcegroup)
777 it() link(bf(force user))(forceuser)
779 it() link(bf(fstype))(fstype)
781 it() link(bf(group))(group)
783 it() link(bf(guest account))(guestaccount)
785 it() link(bf(guest ok))(guestok)
787 it() link(bf(guest only))(guestonly)
789 it() link(bf(hide dot files))(hidedotfiles)
791 it() link(bf(hide files))(hidefiles)
793 it() link(bf(hosts allow))(hostsallow)
795 it() link(bf(hosts deny))(hostsdeny)
797 it() link(bf(include))(include)
799 it() link(bf(invalid users))(invalidusers)
801 it() link(bf(locking))(locking)
803 it() link(bf(lppause command))(lppausecommand)
805 it() link(bf(lpq command))(lpqcommand)
807 it() link(bf(lpresume command))(lpresumecommand)
809 it() link(bf(lprm command))(lprmcommand)
811 it() link(bf(magic output))(magicoutput)
813 it() link(bf(magic script))(magicscript)
815 it() link(bf(mangle case))(manglecase)
817 it() link(bf(mangled map))(mangledmap)
819 it() link(bf(mangled names))(manglednames)
821 it() link(bf(mangling char))(manglingchar)
823 it() link(bf(map archive))(maparchive)
825 it() link(bf(map hidden))(maphidden)
827 it() link(bf(map system))(mapsystem)
829 it() link(bf(max connections))(maxconnections)
831 it() link(bf(min print space))(minprintspace)
833 it() link(bf(only guest))(onlyguest)
835 it() link(bf(only user))(onlyuser)
837 it() link(bf(oplocks))(oplocks)
839 it() link(bf(path))(path)
841 it() link(bf(postexec))(postexec)
843 it() link(bf(postscript))(postscript)
845 it() link(bf(preexec))(preexec)
847 it() link(bf(preserve case))(preservecase)
849 it() link(bf(print command))(printcommand)
851 it() link(bf(print ok))(printok)
853 it() link(bf(printable))(printable)
855 it() link(bf(printer))(printer)
857 it() link(bf(printer driver))(printerdriver)
859 it() link(bf(printer driver location))(printerdriverlocation)
861 it() link(bf(printer name))(printername)
863 it() link(bf(printing))(printing)
865 it() link(bf(public))(public)
867 it() link(bf(queuepause command))(queuepausecommand)
869 it() link(bf(queueresume command))(queueresumecommand)
871 it() link(bf(read list))(readlist)
873 it() link(bf(read only))(readonly)
875 it() link(bf(revalidate))(revalidate)
877 it() link(bf(root postexec))(rootpostexec)
879 it() link(bf(root preexec))(rootpreexec)
881 it() link(bf(set directory))(setdirectory)
883 it() link(bf(share modes))(sharemodes)
885 it() link(bf(short preserve case))(shortpreservecase)
887 it() link(bf(status))(status)
889 it() link(bf(strict locking))(strictlocking)
891 it() link(bf(strict sync))(strictsync)
893 it() link(bf(sync always))(syncalways)
895 it() link(bf(user))(user)
897 it() link(bf(username))(username)
899 it() link(bf(users))(users)
901 it() link(bf(valid users))(validusers)
903 it() link(bf(veto files))(vetofiles)
905 it() link(bf(veto oplock files))(vetooplockfiles)
907 it() link(bf(volume))(volume)
909 it() link(bf(wide links))(wide links)
911 it() link(bf(writable))(writable)
913 it() link(bf(write list))(write list)
915 it() link(bf(write ok))(write ok)
917 it() link(bf(writeable))(writeable)
921 label(EXPLANATIONOFEACHPARAMETER)
922 manpagesection(EXPLANATION OF EACH PARAMETER)
927 dit(bf(admin users (S)))
929 This is a list of users who will be granted administrative privileges
930 on the share. This means that they will do all file operations as the
933 You should use this option very carefully, as any user in this list
934 will be able to do anything they like on the share, irrespective of
944 dit(bf(allow hosts (S)))
946 A synonym for this parameter is link(bf('hosts allow'))(hostsallow)
948 This parameter is a comma, space, or tab delimited set of hosts which
949 are permitted to access a service.
951 If specified in the link(bf([global]))(global) section then it will
952 apply to all services, regardless of whether the individual service
953 has a different setting.
955 You can specify the hosts by name or IP number. For example, you could
956 restrict access to only the hosts on a Class C subnet with something
957 like tt("allow hosts = 150.203.5."). The full syntax of the list is
958 described in the man page bf(hosts_access (5)). Note that this man
959 page may not be present on your system, so a brief description will
962 em(NOTE:) IF you wish to allow the url(bf(smbpasswd
963 (8)))(smbpasswd.html.8) program to be run by local users to change
964 their Samba passwords using the local url(bf(smbd (8)))(smbd.8.html)
965 daemon, then you em(MUST) ensure that the localhost is listed in your
966 bf(allow hosts) list, as url(bf(smbpasswd (8)))(smbpasswd.html.8) runs
967 in client-server mode and is seen by the local
968 url(bf(smbd))(smbd.8.html) process as just another client.
970 You can also specify hosts by network/netmask pairs and by netgroup
971 names if your system supports netgroups. The em(EXCEPT) keyword can also
972 be used to limit a wildcard list. The following examples may provide
975 bf(Example 1): allow localhost and all IPs in 150.203.*.* except one
977 tt( hosts allow = localhost, 150.203. EXCEPT 150.203.6.66)
979 bf(Example 2): allow localhost and hosts that match the given network/netmask
981 tt( hosts allow = localhost, 150.203.15.0/255.255.255.0)
983 bf(Example 3): allow a localhost plus a couple of hosts
985 tt( hosts allow = localhost, lapland, arvidsjaur)
987 bf(Example 4): allow only hosts in NIS netgroup "foonet" or localhost, but
988 deny access from one particular host
990 tt( hosts allow = @foonet, localhost)
991 tt( hosts deny = pirate)
993 Note that access still requires suitable user-level passwords.
995 See url(bf(testparm (1)))(testparm.1.html) for a way of testing your
996 host access to see if it does what you expect.
999 none (i.e., all hosts permitted access)
1002 allow hosts = 150.203.5. localhost myhost.mynet.edu.au
1004 label(alternatepermissions)
1005 dit(bf(alternate permissions (S)))
1007 This is a deprecated parameter. It no longer has any effect in Samba2.0.
1008 In previous versions of Samba it affected the way the DOS "read only"
1009 attribute was mapped for a file. In Samba2.0 a file is marked "read only"
1010 if the UNIX file does not have the 'w' bit set for the owner of the file,
1011 regardless if the owner of the file is the currently logged on user or not.
1014 dit(bf(announce as (G)))
1016 This specifies what type of server url(bf(nmbd))(nmbd.8.html) will
1017 announce itself as, to a network neighborhood browse list. By default
1018 this is set to Windows NT. The valid options are : "NT", "Win95" or
1019 "WfW" meaining Windows NT, Windows 95 and Windows for Workgroups
1020 respectively. Do not change this parameter unless you have a specific
1021 need to stop Samba appearing as an NT server as this may prevent Samba
1022 servers from participating as browser servers correctly.
1030 label(announceversion)
1031 dit(bf(announce version (G)))
1033 This specifies the major and minor version numbers that nmbd will use
1034 when announcing itself as a server. The default is 4.2. Do not change
1035 this parameter unless you have a specific need to set a Samba server
1036 to be a downlevel server.
1039 announce version = 4.2
1042 announce version = 2.0
1046 dit(bf(auto services (G)))
1048 This is a list of services that you want to be automatically added to
1049 the browse lists. This is most useful for homes and printers services
1050 that would otherwise not be visible.
1052 Note that if you just want all printers in your printcap file loaded
1053 then the link(bf("load printers"))(loadprinters) option is easier.
1059 auto services = fred lp colorlp
1062 dit(bf(available (S)))
1064 This parameter lets you em('turn off') a service. If tt('available = no'),
1065 then em(ALL) attempts to connect to the service will fail. Such failures
1074 label(bindinterfacesonly)
1075 dit(bf(bind interfaces only (G)))
1077 This global parameter allows the Samba admin to limit what interfaces
1078 on a machine will serve smb requests. If affects file service
1079 url(bf(smbd))(smbd.8.html) and name service url(bf(nmbd))(nmbd.8.html)
1080 in slightly different ways.
1082 For name service it causes url(bf(nmbd))(nmbd.8.html) to bind to ports
1083 137 and 138 on the interfaces listed in the
1084 link(bf('interfaces'))(interfaces) parameter. nmbd also binds to the
1085 'all addresses' interface (0.0.0.0) on ports 137 and 138 for the
1086 purposes of reading broadcast messages. If this option is not set then
1087 nmbd will service name requests on all of these sockets. If bf("bind
1088 interfaces only") is set then nmbd will check the source address of
1089 any packets coming in on the broadcast sockets and discard any that
1090 don't match the broadcast addresses of the interfaces in the
1091 link(bf('interfaces'))(interfaces) parameter list. As unicast packets
1092 are received on the other sockets it allows nmbd to refuse to serve
1093 names to machines that send packets that arrive through any interfaces
1094 not listed in the 'interfaces' list. IP Source address spoofing does
1095 defeat this simple check, however so it must not be used seriously as
1096 a security feature for nmbd.
1098 For file service it causes smbd to bind only to the interface list
1099 given in the link(bf('interfaces'))(interfaces) parameter. This
1100 restricts the networks that smbd will serve to packets coming in those
1101 interfaces. Note that you should not use this parameter for machines
1102 that are serving PPP or other intermittant or non-broadcast network
1103 interfaces as it will not cope with non-permanent interfaces.
1105 In addition, to change a users SMB password, the
1106 url(bf(smbpasswd))(smbpasswd.8.html) by default connects to the
1107 em("localhost" - 127.0.0.1) address as an SMB client to issue the
1108 password change request. If bf("bind interfaces only") is set then
1109 unless the network address em(127.0.0.1) is added to the
1110 link(bf('interfaces'))(interfaces) parameter list then
1111 url(bf(smbpasswd))(smbpasswd.8.html) will fail to connect in it's
1112 default mode. url(bf(smbpasswd))(smbpasswd.8.html) can be forced to
1113 use the primary IP interface of the local host by using its
1114 url(bf("-r remote machine"))(smbpasswd.8.html#minusr) parameter, with
1115 bf("remote machine") set to the IP name of the primary interface
1119 bind interfaces only = False
1122 bind interfaces only = True
1124 label(blockinglocks)
1125 dit(bf(blocking locks (S)))
1127 This parameter controls the behavior of url(bf(smbd))(smbd.8.html) when
1128 given a request by a client to obtain a byte range lock on a region
1129 of an open file, and the request has a time limit associated with it.
1131 If this parameter is set and the lock range requested cannot be
1132 immediately satisfied, Samba 2.0 will internally queue the lock
1133 request, and periodically attempt to obtain the lock until the
1134 timeout period expires.
1136 If this parameter is set to "False", then Samba 2.0 will behave
1137 as previous versions of Samba would and will fail the lock
1138 request immediately if the lock range cannot be obtained.
1140 This parameter can be set per share.
1143 blocking locks = True
1146 blocking locks = False
1149 dit(bf(broweable (S)))
1151 This controls whether this share is seen in the list of available
1152 shares in a net view and in the browse list.
1161 dit(bf(browse list(G)))
1163 This controls whether url(bf(smbd))(smbd.8.html) will serve a browse
1164 list to a client doing a NetServerEnum call. Normally set to true. You
1165 should never need to change this.
1173 Synonym for link(bf(browsable))(browsable).
1175 label(casesensitive)
1176 dit(bf(case sensitive (G)))
1178 See the discussion in the section link(bf(NAME MANGLING))(NAMEMANGLING).
1181 dit(bf(casesignames (G)))
1183 Synonym for link(bf("case sensitive"))(casesensitive).
1185 label(changenotifytimeout)
1186 dit(bf(change notify timeout (G)))
1188 One of the new NT SMB requests that Samba 2.0 supports is the
1189 "ChangeNotify" requests. This SMB allows a client to tell a server to
1190 em("watch") a particular directory for any changes and only reply to
1191 the SMB request when a change has occurred. Such constant scanning of
1192 a directory is expensive under UNIX, hence an
1193 url(bf(smbd))(smbd.8.html) daemon only performs such a scan on each
1194 requested directory once every bf(change notify timeout) seconds.
1196 bf(change notify timeout) is specified in units of seconds.
1199 change notify timeout = 60
1202 change notify timeout = 300
1204 Would change the scan time to every 5 minutes.
1207 dit(bf(character set (G)))
1209 This allows a smbd to map incoming filenames from a DOS Code page (see
1210 the link(bf(client code page))(clientcodepage) parameter) to several
1211 built in UNIX character sets. The built in code page translations are:
1215 it() bf(ISO8859-1) Western European UNIX character set. The parameter
1216 link(bf(client code page))(clientcodepage) em(MUST) be set to code
1217 page 850 if the bf(character set) parameter is set to iso8859-1
1218 in order for the conversion to the UNIX character set to be done
1221 it() bf(ISO8859-2) Eastern European UNIX character set. The parameter
1222 link(bf(client code page))(clientcodepage) em(MUST) be set to code
1223 page 852 if the bf(character set) parameter is set to ISO8859-2
1224 in order for the conversion to the UNIX character set to be done
1227 it() bf(ISO8859-5) Russian Cyrillic UNIX character set. The parameter
1228 link(bf(client code page))(clientcodepage) em(MUST) be set to code
1229 page 866 if the bf(character set) parameter is set to ISO8859-2
1230 in order for the conversion to the UNIX character set to be done
1233 it() bf(KOI8-R) Alternate mapping for Russian Cyrillic UNIX
1234 character set. The parameter link(bf(client code
1235 page))(clientcodepage) em(MUST) be set to code page 866 if the
1236 bf(character set) parameter is set to KOI8-R in order for the
1237 conversion to the UNIX character set to be done correctly.
1241 em(BUG). These MSDOS code page to UNIX character set mappings should
1242 be dynamic, like the loading of MS DOS code pages, not static.
1244 See also link(bf(client code page))(clientcodepage). Normally this
1245 parameter is not set, meaning no filename translation is done.
1251 character set = ISO8859-1
1253 label(clientcodepage)
1254 dit(bf(client code page (G)))
1256 This parameter specifies the DOS code page that the clients accessing
1257 Samba are using. To determine what code page a Windows or DOS client
1258 is using, open a DOS command prompt and type the command "chcp". This
1259 will output the code page. The default for USA MS-DOS, Windows 95, and
1260 Windows NT releases is code page 437. The default for western european
1261 releases of the above operating systems is code page 850.
1263 This parameter tells url(bf(smbd))(smbd.8.html) which of the
1264 tt(codepage.XXX) files to dynamically load on startup. These files,
1265 described more fully in the manual page url(bf(make_smbcodepage
1266 (1)))(make_smbcodepage.1.html), tell url(bf(smbd))(smbd.8.html) how
1267 to map lower to upper case characters to provide the case insensitivity
1268 of filenames that Windows clients expect.
1270 Samba currenly ships with the following code page files :
1274 it() bf(Code Page 437 - MS-DOS Latin US)
1276 it() bf(Code Page 737 - Windows '95 Greek)
1278 it() bf(Code Page 850 - MS-DOS Latin 1)
1280 it() bf(Code Page 852 - MS-DOS Latin 2)
1282 it() bf(Code Page 861 - MS-DOS Icelandic)
1284 it() bf(Code Page 866 - MS-DOS Cyrillic)
1286 it() bf(Code Page 932 - MS-DOS Japanese SJIS)
1288 it() bf(Code Page 936 - MS-DOS Simplified Chinese)
1290 it() bf(Code Page 949 - MS-DOS Korean Hangul)
1292 it() bf(Code Page 950 - MS-DOS Traditional Chinese)
1296 Thus this parameter may have any of the values 437, 737, 850, 852,
1297 861, 932, 936, 949, or 950. If you don't find the codepage you need,
1298 read the comments in one of the other codepage files and the
1299 url(bf(make_smbcodepage (1)))(make_smbcodepage.1.html) man page and
1300 write one. Please remember to donate it back to the Samba user
1303 This parameter co-operates with the link(bf("valid
1304 chars"))(validchars) parameter in determining what characters are
1305 valid in filenames and how capitalization is done. If you set both
1306 this parameter and the link(bf("valid chars"))(validchars) parameter
1307 the bf("client code page") parameter em(MUST) be set before the
1308 link(bf("valid chars"))(validchars) parameter in the bf(smb.conf)
1309 file. The link(bf("valid chars"))(validchars) string will then augment
1310 the character settings in the "client code page" parameter.
1312 If not set, bf("client code page") defaults to 850.
1314 See also : link(bf("valid chars"))(validchars)
1317 client code page = 850
1320 client code page = 936
1323 dit(bf(codingsystem (G)))
1325 This parameter is used to determine how incoming Shift-JIS Japanese
1326 characters are mapped from the incoming link(bf("client code
1327 page"))(clientcodepage) used by the client, into file names in the
1328 UNIX filesystem. Only useful if link(bf("client code
1329 page"))(clientcodepage) is set to 932 (Japanese Shift-JIS).
1335 it() bf(SJIS)) Shift-JIS. Does no conversion of the incoming filename.
1337 it() bf(JIS8, J8BB, J8BH, J8@B, J8@J, J8@H )) Convert from incoming
1338 Shift-JIS to eight bit JIS code with different shift-in, shift out
1341 it() bf(JIS7, J7BB, J7BH, J7@B, J7@J, J7@H )) Convert from incoming
1342 Shift-JIS to seven bit JIS code with different shift-in, shift out
1345 it() bf(JUNET, JUBB, JUBH, JU@B, JU@J, JU@H )) Convert from incoming
1346 Shift-JIS to JUNET code with different shift-in, shift out codes.
1348 it() bf(EUC) Convert an incoming Shift-JIS character to EUC code.
1350 it() bf(HEX) Convert an incoming Shift-JIS character to a 3 byte hex
1351 representation, ie. tt(:AB).
1353 it() bf(CAP) Convert an incoming Shift-JIS character to the 3 byte hex
1354 representation used by the Columbia Appletalk Program (CAP),
1355 ie. tt(:AB). This is used for compatibility between Samba and CAP.
1360 dit(bf(comment (S)))
1362 This is a text field that is seen next to a share when a client does a
1363 queries the server, either via the network neighborhood or via "net
1364 view" to list what shares are available.
1366 If you want to set the string that is displayed next to the machine
1367 name then see the server string command.
1373 comment = Fred's Files
1376 dit(bf(config file (G)))
1378 This allows you to override the config file to use, instead of the
1379 default (usually bf(smb.conf)). There is a chicken and egg problem
1380 here as this option is set in the config file!
1382 For this reason, if the name of the config file has changed when the
1383 parameters are loaded then it will reload them from the new config
1386 This option takes the usual substitutions, which can be very useful.
1388 If the config file doesn't exist then it won't be loaded (allowing you
1389 to special case the config files of just a few clients).
1392 tt( config file = /usr/local/samba/lib/smb.conf.%m)
1397 This parameter allows you to em('clone') service entries. The specified
1398 service is simply duplicated under the current service's name. Any
1399 parameters specified in the current section will override those in the
1400 section being copied.
1402 This feature lets you set up a 'template' service and create similar
1403 services easily. Note that the service being copied must occur earlier
1404 in the configuration file than the service doing the copying.
1413 dit(bf(create mask (S)))
1415 A synonym for this parameter is link(bf('create mode'))(createmode).
1417 When a file is created, the neccessary permissions are calculated
1418 according to the mapping from DOS modes to UNIX permissions, and the
1419 resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
1420 This parameter may be thought of as a bit-wise MASK for the UNIX modes
1421 of a file. Any bit em(*not*) set here will be removed from the modes set
1422 on a file when it is created.
1424 The default value of this parameter removes the 'group' and 'other'
1425 write and execute bits from the UNIX modes.
1427 Following this Samba will bit-wise 'OR' the UNIX mode created from
1428 this parameter with the value of the "force create mode" parameter
1429 which is set to 000 by default.
1431 This parameter does not affect directory modes. See the parameter
1432 link(bf('directory mode'))(directorymode) for details.
1434 See also the link(bf("force create mode"))(forcecreatemode) parameter
1435 for forcing particular mode bits to be set on created files. See also
1436 the link(bf("directory mode"))(directorymode) parameter for masking
1437 mode bits on created directories.
1446 dit(bf(create mode (S)))
1448 This is a synonym for link(bf(create mask))(createmask).
1451 dit(bf(deadtime (G)))
1453 The value of the parameter (a decimal integer) represents the number
1454 of minutes of inactivity before a connection is considered dead, and
1455 it is disconnected. The deadtime only takes effect if the number of
1458 This is useful to stop a server's resources being exhausted by a large
1459 number of inactive connections.
1461 Most clients have an auto-reconnect feature when a connection is
1462 broken so in most cases this parameter should be transparent to users.
1464 Using this parameter with a timeout of a few minutes is recommended
1467 A deadtime of zero indicates that no auto-disconnection should be
1476 label(debug timestamp (G))
1478 Samba2.0 debug log messages are timestamped by default. If you are
1479 running at a high link(bf("debug level"))(debuglevel) these timestamps
1480 can be distracting. This boolean parameter allows them to be turned
1484 debug timestamp = Yes
1487 debug timestamp = No
1490 dit(bf(debug level (G)))
1492 The value of the parameter (an integer) allows the debug level
1493 (logging level) to be specified in the bf(smb.conf) file. This is to
1494 give greater flexibility in the configuration of the system.
1496 The default will be the debug level specified on the command line
1497 or level zero if none was specified.
1503 dit(bf(default (G)))
1505 A synonym for link(bf(default service))(defaultservice).
1508 dit(bf(default case (S)))
1510 See the section on link(bf("NAME MANGLING"))(NAMEMANGLING). Also note
1511 the link(bf("short preserve case"))(shortpreservecase) parameter.
1513 label(default service)
1514 dit(bf(default service (G)))
1516 This parameter specifies the name of a service which will be connected
1517 to if the service actually requested cannot be found. Note that the
1518 square brackets are em(NOT) given in the parameter value (see example
1521 There is no default value for this parameter. If this parameter is not
1522 given, attempting to connect to a nonexistent service results in an
1525 Typically the default service would be a link(bf(guest ok))(guestok),
1526 link(bf(read-only))(readonly) service.
1528 Also note that the apparent service name will be changed to equal that
1529 of the requested service, this is very useful as it allows you to use
1530 macros like link(bf(%S))(percentS) to make a wildcard service.
1532 Note also that any tt('_') characters in the name of the service used
1533 in the default service will get mapped to a tt('/'). This allows for
1539 default service = pub
1545 label(deletereadonly)
1546 dit(bf(delete readonly (S)))
1548 This parameter allows readonly files to be deleted. This is not
1549 normal DOS semantics, but is allowed by UNIX.
1551 This option may be useful for running applications such as rcs, where
1552 UNIX file ownership prevents changing file permissions, and DOS
1553 semantics prevent deletion of a read only file.
1556 delete readonly = No
1559 delete readonly = Yes
1561 label(deletevetofiles)
1562 dit(bf(delete veto files (S)))
1564 This option is used when Samba is attempting to delete a directory
1565 that contains one or more vetoed directories (see the link(bf('veto
1566 files'))(vetofiles) option). If this option is set to False (the
1567 default) then if a vetoed directory contains any non-vetoed files or
1568 directories then the directory delete will fail. This is usually what
1571 If this option is set to True, then Samba will attempt to recursively
1572 delete any files and directories within the vetoed directory. This can
1573 be useful for integration with file serving systems such as bf(NetAtalk),
1574 which create meta-files within directories you might normally veto
1575 DOS/Windows users from seeing (eg. tt(.AppleDouble))
1577 Setting tt('delete veto files = True') allows these directories to be
1578 transparently deleted when the parent directory is deleted (so long
1579 as the user has permissions to do so).
1581 See also the link(bf(veto files))(vetofiles) parameter.
1584 delete veto files = False
1587 delete veto files = True
1590 dit(bf(deny hosts (S)))
1592 The opposite of link(bf('allow hosts'))(allowhosts) - hosts listed
1593 here are em(NOT) permitted access to services unless the specific
1594 services have their own lists to override this one. Where the lists
1595 conflict, the link(bf('allow'))(allowhosts) list takes precedence.
1598 none (i.e., no hosts specifically excluded)
1601 deny hosts = 150.203.4. badhost.mynet.edu.au
1604 dit(bf(dfree command (G)))
1606 The dfree command setting should only be used on systems where a
1607 problem occurs with the internal disk space calculations. This has
1608 been known to happen with Ultrix, but may occur with other operating
1609 systems. The symptom that was seen was an error of "Abort Retry
1610 Ignore" at the end of each directory listing.
1612 This setting allows the replacement of the internal routines to
1613 calculate the total disk space and amount available with an external
1614 routine. The example below gives a possible script that might fulfill
1617 The external program will be passed a single parameter indicating a
1618 directory in the filesystem being queried. This will typically consist
1619 of the string tt("./"). The script should return two integers in
1620 ascii. The first should be the total disk space in blocks, and the
1621 second should be the number of available blocks. An optional third
1622 return value can give the block size in bytes. The default blocksize
1625 Note: Your script should em(NOT) be setuid or setgid and should be
1626 owned by (and writable only by) root!
1629 By default internal routines for determining the disk capacity
1630 and remaining space will be used.
1633 dfree command = /usr/local/samba/bin/dfree
1635 Where the script dfree (which must be made executable) could be:
1639 df $1 | tail -1 | awk '{print $2" "$4}'
1642 or perhaps (on Sys V based systems):
1646 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
1649 Note that you may have to replace the command names with full
1650 path names on some systems.
1653 dit(bf(directory (S)))
1655 Synonym for link(bf(path))(path).
1657 label(directorymask)
1658 dit(bf(directory mask (S)))
1660 This parameter is the octal modes which are used when converting DOS
1661 modes to UNIX modes when creating UNIX directories.
1663 When a directory is created, the neccessary permissions are calculated
1664 according to the mapping from DOS modes to UNIX permissions, and the
1665 resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
1666 This parameter may be thought of as a bit-wise MASK for the UNIX modes
1667 of a directory. Any bit em(*not*) set here will be removed from the
1668 modes set on a directory when it is created.
1670 The default value of this parameter removes the 'group' and 'other'
1671 write bits from the UNIX mode, allowing only the user who owns the
1672 directory to modify it.
1674 Following this Samba will bit-wise 'OR' the UNIX mode created from
1675 this parameter with the value of the "force directory mode"
1676 parameter. This parameter is set to 000 by default (ie. no extra mode
1679 See the link(bf("force directory mode"))(forcedirectorymode) parameter
1680 to cause particular mode bits to always be set on created directories.
1682 See also the link(bf("create mode"))(createmode) parameter for masking
1683 mode bits on created files.
1686 directory mask = 0755
1689 directory mask = 0775
1691 label(directorymode)
1692 dit(bf(directory mode (S)))
1694 Synonym for link(bf(directory mask))(directorymask).
1697 dit(bf(dns proxy (G)))
1699 Specifies that url(bf(nmbd))(nmbd.8.html) when acting as a WINS
1700 server and finding that a NetBIOS name has not been registered, should
1701 treat the NetBIOS name word-for-word as a DNS name and do a lookup
1702 with the DNS server for that name on behalf of the name-querying
1705 Note that the maximum length for a NetBIOS name is 15 characters, so
1706 the DNS name (or DNS alias) can likewise only be 15 characters,
1709 url(bf(nmbd))(nmbd.8.html) spawns a second copy of itself to do the
1710 DNS name lookup requests, as doing a name lookup is a blocking action.
1712 See also the parameter link(bf(wins support))(winssupport).
1717 label(domainadmingroup)
1718 bf(domain admin group (G))
1720 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
1721 Samba NT Domain Controller Code. It may be removed in a later release.
1722 To work with the latest code builds that may have more support for
1723 Samba NT Domain Controller functionality please subscibe to the
1724 mailing list bf(Samba-ntdom) available by sending email to
1725 email(listproc@samba.anu.edu.au)
1727 label(domainadminusers)
1728 dit(bf(domain admin users)
1730 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
1731 Samba NT Domain Controller Code. It may be removed in a later release.
1732 To work with the latest code builds that may have more support for
1733 Samba NT Domain Controller functionality please subscibe to the
1734 mailing list bf(Samba-ntdom) available by sending email to
1735 email(listproc@samba.anu.edu.au)
1737 label(domain controller)
1738 dit(bf(domain controller (G)))
1740 This is a bf(DEPRECATED) parameter. It is currently not used within
1741 the Samba source and should be removed from all current smb.conf
1742 files. It is left behind for compatibility reasons.
1745 dit(bf(domain groups (G)))
1747 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
1748 Samba NT Domain Controller Code. It may be removed in a later release.
1749 To work with the latest code builds that may have more support for
1750 Samba NT Domain Controller functionality please subscibe to the
1751 mailing list bf(Samba-ntdom) available by sending email to
1752 email(listproc@samba.anu.edu.au)
1754 label(domainguestgroup)
1755 dit(bf(domain guest group (G)))
1757 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
1758 Samba NT Domain Controller Code. It may be removed in a later release.
1759 To work with the latest code builds that may have more support for
1760 Samba NT Domain Controller functionality please subscibe to the
1761 mailing list bf(Samba-ntdom) available by sending email to
1762 email(listproc@samba.anu.edu.au)
1764 label(domainguestusers)
1765 dit(bf(domain guest users (G)))
1767 This is an bf(EXPERIMENTAL) parameter that is part of the unfinished
1768 Samba NT Domain Controller Code. It may be removed in a later release.
1769 To work with the latest code builds that may have more support for
1770 Samba NT Domain Controller functionality please subscibe to the
1771 mailing list bf(Samba-ntdom) available by sending email to
1772 email(listproc@samba.anu.edu.au)
1775 dit(bf(domain logons (G)))
1777 If set to true, the Samba server will serve Windows 95/98 Domain
1778 logons for the link(bf(workgroup))(workgroup) it is in. For more
1779 details on setting up this feature see the file DOMAINS.txt in the
1780 Samba documentation directory tt(docs/) shipped with the source code.
1782 Note that Win95/98 Domain logons are em(NOT) the same as Windows
1783 NT Domain logons. NT Domain logons require a Primary Domain Controller
1784 (PDC) for the Domain. It is inteded that in a future release Samba
1785 will be able to provide this functionality for Windows NT clients
1792 dit(bf(domain master (G)))
1794 Tell url(bf(nmbd))(nmbd.8.html) to enable WAN-wide browse list
1795 collation.Setting this option causes url(bf(nmbd))(nmbd.8.html) to
1796 claim a special domain specific NetBIOS name that identifies it as a
1797 domain master browser for its given
1798 link(bf(workgroup))(workgroup). Local master browsers in the same
1799 link(bf(workgroup))(workgroup) on broadcast-isolated subnets will give
1800 this url(bf(nmbd))(nmbd.8.html) their local browse lists, and then
1801 ask url(bf(smbd))(smbd.8.html) for a complete copy of the browse list
1802 for the whole wide area network. Browser clients will then contact
1803 their local master browser, and will receive the domain-wide browse
1804 list, instead of just the list for their broadcast-isolated subnet.
1806 Note that Windows NT Primary Domain Controllers expect to be able to
1807 claim this link(bf(workgroup))(workgroup) specific special NetBIOS
1808 name that identifies them as domain master browsers for that
1809 link(bf(workgroup))(workgroup) by default (ie. there is no way to
1810 prevent a Windows NT PDC from attempting to do this). This means that
1811 if this parameter is set and url(bf(nmbd))(nmbd.8.html) claims the
1812 special name for a link(bf(workgroup))(workgroup) before a Windows NT
1813 PDC is able to do so then cross subnet browsing will behave strangely
1820 dit(bf(dont descend (S)))
1822 There are certain directories on some systems (eg., the tt(/proc) tree
1823 under Linux) that are either not of interest to clients or are
1824 infinitely deep (recursive). This parameter allows you to specify a
1825 comma-delimited list of directories that the server should always show
1828 Note that Samba can be very fussy about the exact format of the "dont
1829 descend" entries. For example you may need tt("./proc") instead of
1830 just tt("/proc"). Experimentation is the best policy :-)
1833 none (i.e., all directories are OK to descend)
1836 dont descend = /proc,/dev
1838 label(dosfiletimeresolution)
1839 dit(bf(dos filetime resolution (S)))
1841 Under the DOS and Windows FAT filesystem, the finest granulatity on
1842 time resolution is two seconds. Setting this parameter for a share
1843 causes Samba to round the reported time down to the nearest two second
1844 boundary when a query call that requires one second resolution is made
1845 to url(bf(smbd))(smbd.8.html).
1847 This option is mainly used as a compatibility option for Visual C++
1848 when used against Samba shares. If oplocks are enabled on a share,
1849 Visual C++ uses two different time reading calls to check if a file
1850 has changed since it was last read. One of these calls uses a
1851 one-second granularity, the other uses a two second granularity. As
1852 the two second call rounds any odd second down, then if the file has a
1853 timestamp of an odd number of seconds then the two timestamps will not
1854 match and Visual C++ will keep reporting the file has changed. Setting
1855 this option causes the two timestamps to match, and Visual C++ is
1859 dos filetime resolution = False
1862 dos filetime resolution = True
1864 label(dos filetimes)
1865 dit(bf(dos filetimes (S)))
1867 Under DOS and Windows, if a user can write to a file they can change
1868 the timestamp on it. Under POSIX semantics, only the owner of the file
1869 or root may change the timestamp. By default, Samba runs with POSIX
1870 semantics and refuses to change the timestamp on a file if the user
1871 smbd is acting on behalf of is not the file owner. Setting this option
1872 to True allows DOS semantics and smbd will change the file timstamp as
1876 dos filetimes = False
1879 dos filetimes = True
1881 label(encryptpasswords)
1882 dit(bf(encrypt passwords (G)))
1884 This boolean controls whether encrypted passwords will be negotiated
1885 with the client. Note that Windows NT 4.0 SP3 and above and also
1886 Windows 98 will by default expect encrypted passwords unless a
1887 registry entry is changed. To use encrypted passwords in Samba see the
1888 file ENCRYPTION.txt in the Samba documentation directory tt(docs/)
1889 shipped with the source code.
1891 In order for encrypted passwords to work correctly
1892 url(bf(smbd))(smbd.8.html) must either have access to a local
1893 url(bf(smbpasswd (5)))(smbpasswd.5.html) file (see the
1894 url(bf(smbpasswd (8)))(smbpasswd.8.html) program for information on
1895 how to set up and maintain this file), or set the
1896 link(bf(security=))(security) parameter to either em("server") or
1897 em("domain") which causes url(bf(smbd))(smbd.8.html) to authenticate
1898 against another server.
1903 This is a synonym for link(bf(preexec))(preexec).
1906 label(fake directory create times)
1907 dit(bf(fake directory create times (S)))
1909 NTFS and Windows VFAT file systems keep a create time for all files
1910 and directories. This is not the same as the ctime - status change
1911 time - that Unix keeps, so Samba by default reports the earliest of
1912 the various times Unix does keep. Setting this parameter for a share
1913 causes Samba to always report midnight 1-1-1980 as the create time for
1916 This option is mainly used as a compatibility option for Visual C++
1917 when used against Samba shares. Visual C++ generated makefiles have
1918 the object directory as a dependency for each object file, and a make
1919 rule to create the directory. Also, when NMAKE compares timestamps it
1920 uses the creation time when examining a directory. Thus the object
1921 directory will be created if it does not exist, but once it does exist
1922 it will always have an earlier timestamp than the object files it
1925 However, Unix time semantics mean that the create time reported by
1926 Samba will be updated whenever a file is created or deleted in the
1927 directory. NMAKE therefore finds all object files in the object
1928 directory bar the last one built are out of date compared to the
1929 directory and rebuilds them. Enabling this option ensures directories
1930 always predate their contents and an NMAKE build will proceed as
1934 fake directory create times = False
1937 fake directory create times = True
1940 dit(bf(fake oplocks (S)))
1942 Oplocks are the way that SMB clients get permission from a server to
1943 locally cache file operations. If a server grants an oplock
1944 (opportunistic lock) then the client is free to assume that it is the
1945 only one accessing the file and it will aggressively cache file
1946 data. With some oplock types the client may even cache file open/close
1947 operations. This can give enormous performance benefits.
1949 When you set tt("fake oplocks = yes") url(bf(smbd))(smbd.8.html) will
1950 always grant oplock requests no matter how many clients are using the
1953 It is generally much better to use the real link(bf(oplock))(oplock)
1954 support rather than this parameter.
1956 If you enable this option on all read-only shares or shares that you
1957 know will only be accessed from one client at a time such as
1958 physically read-only media like CDROMs, you will see a big performance
1959 improvement on many operations. If you enable this option on shares
1960 where multiple clients may be accessing the files read-write at the
1961 same time you can get data corruption. Use this option carefully!
1963 This option is disabled by default.
1965 label(followsymlinks)
1966 dit(bf(follow symlinks (S)))
1968 This parameter allows the Samba administrator to stop
1969 url(bf(smbd))(smbd.8.html) from following symbolic links in a
1970 particular share. Setting this parameter to em("No") prevents any file
1971 or directory that is a symbolic link from being followed (the user
1972 will get an error). This option is very useful to stop users from
1973 adding a symbolic link to tt(/etc/pasword) in their home directory for
1974 instance. However it will slow filename lookups down slightly.
1976 This option is enabled (ie. url(bf(smbd))(smbd.8.html) will follow
1977 symbolic links) by default.
1979 label(forcecreatemode)
1980 dit(bf(force create mode (S)))
1982 This parameter specifies a set of UNIX mode bit permissions that will
1983 em(*always*) be set on a file created by Samba. This is done by
1984 bitwise 'OR'ing these bits onto the mode bits of a file that is being
1985 created. The default for this parameter is (in octel) 000. The modes
1986 in this parameter are bitwise 'OR'ed onto the file mode after the mask
1987 set in the link(bf("create mask"))(createmark) parameter is applied.
1989 See also the parameter link(bf("create mask"))(createmask) for details
1990 on masking mode bits on created files.
1993 force create mode = 000
1996 force create mode = 0755
1998 would force all created files to have read and execute permissions set
1999 for 'group' and 'other' as well as the read/write/execute bits set for
2002 label(forcedirectorymode)
2003 dit(bf(force directory mode (S)))
2005 This parameter specifies a set of UNIX mode bit permissions that will
2006 em(*always*) be set on a directory created by Samba. This is done by
2007 bitwise 'OR'ing these bits onto the mode bits of a directory that is
2008 being created. The default for this parameter is (in octel) 0000 which
2009 will not add any extra permission bits to a created directory. This
2010 operation is done after the mode mask in the parameter
2011 link(bf("directory mask"))(directorymask) is applied.
2013 See also the parameter link(bf("directory mask"))(directorymask) for
2014 details on masking mode bits on created directories.
2017 force directory mode = 000
2020 force directory mode = 0755
2022 would force all created directories to have read and execute
2023 permissions set for 'group' and 'other' as well as the
2024 read/write/execute bits set for the 'user'.
2027 dit(bf(force group (S)))
2029 This specifies a UNIX group name that will be assigned as the default
2030 primary group for all users connecting to this service. This is useful
2031 for sharing files by ensuring that all access to files on service will
2032 use the named group for their permissions checking. Thus, by assigning
2033 permissions for this group to the files and directories within this
2034 service the Samba administrator can restrict or allow sharing of these
2041 force group = agroup
2044 dit(bf(force user (S)))
2046 This specifies a UNIX user name that will be assigned as the default
2047 user for all users connecting to this service. This is useful for
2048 sharing files. You should also use it carefully as using it
2049 incorrectly can cause security problems.
2051 This user name only gets used once a connection is established. Thus
2052 clients still need to connect as a valid user and supply a valid
2053 password. Once connected, all file operations will be performed as the
2054 tt("forced user"), no matter what username the client connected as.
2056 This can be very useful.
2067 This parameter allows the administrator to configure the string that
2068 specifies the type of filesystem a share is using that is reported by
2069 url(bf(smbd))(smbd.8.html) when a client queries the filesystem type
2070 for a share. The default type is bf("NTFS") for compatibility with
2071 Windows NT but this can be changed to other strings such as "Samba" or
2081 dit(bf(getwd cache (G)))
2083 This is a tuning option. When this is enabled a cacheing algorithm
2084 will be used to reduce the time taken for getwd() calls. This can have
2085 a significant impact on performance, especially when the
2086 link(bf(widelinks))(widelinks) parameter is set to False.
2097 Synonym for link(bf("force group"))(forcegroup).
2100 dit(bf(guest account (S)))
2102 This is a username which will be used for access to services which are
2103 specified as link(bf('guest ok'))(guestok) (see below). Whatever
2104 privileges this user has will be available to any client connecting to
2105 the guest service. Typically this user will exist in the password
2106 file, but will not have a valid login. The user account bf("ftp") is
2107 often a good choice for this parameter. If a username is specified in
2108 a given service, the specified username overrides this one.
2110 One some systems the default guest account "nobody" may not be able to
2111 print. Use another account in this case. You should test this by
2112 trying to log in as your guest user (perhaps by using the tt("su -")
2113 command) and trying to print using the system print command such as
2114 bf(lpr (1)) or bf(lp (1)).
2117 specified at compile time, usually "nobody"
2123 dit(bf(guest ok (S)))
2125 If this parameter is em('yes') for a service, then no password is
2126 required to connect to the service. Privileges will be those of the
2127 link(bf(guest account))(guestaccount).
2129 See the section below on link(bf(security))(security) for more
2130 information about this option.
2139 dit(bf(guest only (S)))
2141 If this parameter is em('yes') for a service, then only guest
2142 connections to the service are permitted. This parameter will have no
2143 affect if link(bf("guest ok"))(guestok) or link(bf("public"))(public)
2144 is not set for the service.
2146 See the section below on link(bf(security))(security) for more
2147 information about this option.
2156 dit(bf(hide dot files (S)))
2158 This is a boolean parameter that controls whether files starting with
2159 a dot appear as hidden files.
2162 hide dot files = yes
2169 dit(bf(hide files(S)))
2171 This is a list of files or directories that are not visible but are
2172 accessible. The DOS 'hidden' attribute is applied to any files or
2173 directories that match.
2175 Each entry in the list must be separated by a tt('/'), which allows
2176 spaces to be included in the entry. tt('*') and tt('?') can be used
2177 to specify multiple files or directories as in DOS wildcards.
2179 Each entry must be a unix path, not a DOS path and must not include the
2180 unix directory separator tt('/').
2182 Note that the case sensitivity option is applicable in hiding files.
2184 Setting this parameter will affect the performance of Samba, as it
2185 will be forced to check all files and directories for a match as they
2188 See also link(bf("hide dot files"))(hidedotfiles), link(bf("veto
2189 files"))(vetofiles) and link(bf("case sensitive"))(casesensitive).
2192 No files or directories are hidden by this option (dot files are
2193 hidden by default because of the "hide dot files" option).
2196 tt( hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/)
2198 The above example is based on files that the Macintosh SMB client
2199 (DAVE) available from url(bf(Thursby))(www.thursby.com) creates for
2200 internal use, and also still hides all files beginning with a dot.
2203 dit(bf(homedir map (G)))
2205 If link(bf("nis homedir"))(nishomedir) is true, and
2206 url(bf(smbd))(smbd.8.html) is also acting as a Win95/98 link(bf(logon
2207 server))(domainlogons) then this parameter specifies the NIS (or YP)
2208 map from which the server for the user's home directory should be
2209 extracted. At present, only the Sun auto.home map format is
2210 understood. The form of the map is:
2212 tt(username server:/some/file/system)
2214 and the program will extract the servername from before the first
2215 tt(':'). There should probably be a better parsing system that copes
2216 with different map formats and also Amd (another automounter) maps.
2218 NB: A working NIS is required on the system for this option to work.
2220 See also link(bf("nis homedir"))(nishomedir), link(bf(domain
2221 logons))(domainlogons).
2224 homedir map = auto.home
2227 homedir map = amd.homedir
2230 dit(bf(hosts allow (S)))
2232 Synonym for link(bf(allow hosts))(allowhosts).
2235 dit(bf(hosts deny (S)))
2237 Synonym for link(bf(denyhosts))(denyhosts).
2240 dit(bf(hosts equiv (G)))
2242 If this global parameter is a non-null string, it specifies the name
2243 of a file to read for the names of hosts and users who will be allowed
2244 access without specifying a password.
2246 This is not be confused with link(bf(allow hosts))(allowhosts) which
2247 is about hosts access to services and is more useful for guest
2248 services. bf(hosts equiv) may be useful for NT clients which will not
2249 supply passwords to samba.
2251 NOTE: The use of bf(hosts equiv) can be a major security hole. This is
2252 because you are trusting the PC to supply the correct username. It is
2253 very easy to get a PC to supply a false username. I recommend that the
2254 bf(hosts equiv) option be only used if you really know what you are
2255 doing, or perhaps on a home network where you trust your spouse and
2256 kids. And only if you em(really) trust them :-).
2259 No host equivalences
2262 hosts equiv = /etc/hosts.equiv
2265 dit(bf(include (G)))
2267 This allows you to include one config file inside another. The file
2268 is included literally, as though typed in place.
2270 It takes the standard substitutions, except link(bf(%u))(percentu),
2271 link(bf(%P))(percentP) and link(bf(%S))(percentS).
2274 dit(bf(interfaces (G)))
2276 This option allows you to setup multiple network interfaces, so that
2277 Samba can properly handle browsing on all interfaces.
2279 The option takes a list of ip/netmask pairs. The netmask may either be
2280 a bitmask, or a bitlength.
2282 For example, the following line:
2284 tt(interfaces = 192.168.2.10/24 192.168.3.10/24)
2286 would configure two network interfaces with IP addresses 192.168.2.10
2287 and 192.168.3.10. The netmasks of both interfaces would be set to
2290 You could produce an equivalent result by using:
2292 tt(interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0)
2294 if you prefer that format.
2296 If this option is not set then Samba will attempt to find a primary
2297 interface, but won't attempt to configure more than one interface.
2299 See also link(bf("bind interfaces only"))(bindinterfacesonly).
2302 dit(bf(invalid users (S)))
2304 This is a list of users that should not be allowed to login to this
2305 service. This is really a em("paranoid") check to absolutely ensure an
2306 improper setting does not breach your security.
2308 A name starting with a tt('@') is interpreted as an NIS netgroup first
2309 (if your system supports NIS), and then as a UNIX group if the name
2310 was not found in the NIS netgroup database.
2312 A name starting with tt('+') is interpreted only by looking in the
2313 UNIX group database. A name starting with tt('&') is interpreted only
2314 by looking in the NIS netgroup database (this requires NIS to be
2315 working on your system). The characters tt('+') and tt('&') may be
2316 used at the start of the name in either order so the value
2317 tt("+&group") means check the UNIX group database, followed by the NIS
2318 netgroup database, and the value tt("&+group") means check the NIS
2319 netgroup database, followed by the UNIX group database (the same as
2320 the tt('@') prefix).
2322 The current servicename is substituted for
2323 link(bf(%S))(percentS). This is useful in the link(bf([homes]))(homes)
2326 See also link(bf("valid users"))(validusers).
2332 tt( invalid users = root fred admin @wheel)
2335 dit(bf(keepalive (G)))
2337 The value of the parameter (an integer) represents the number of
2338 seconds between bf('keepalive') packets. If this parameter is zero, no
2339 keepalive packets will be sent. Keepalive packets, if sent, allow the
2340 server to tell whether a client is still present and responding.
2342 Keepalives should, in general, not be needed if the socket being used
2343 has the SO_KEEPALIVE attribute set on it (see link(bf("socket
2344 options"))(socketoptions)). Basically you should only use this option
2345 if you strike difficulties.
2353 label(kerneloplocks)
2354 dit(bf(kernel oplocks (G)))
2356 For UNIXs that support kernel based oplocks (currently only IRIX but
2357 hopefully also Linux and FreeBSD soon) this parameter allows the use
2358 of them to be turned on or off.
2360 Kernel oplocks support allows Samba oplocks to be broken whenever a
2361 local UNIX process or NFS operation accesses a file that
2362 url(bf(smbd))(smbd.8.html) has oplocked. This allows complete data
2363 consistancy between SMB/CIFS, NFS and local file access (and is a
2364 em(very) cool feature :-).
2366 This parameter defaults to em("On") on systems that have the support,
2367 and em("off") on systems that don't. You should never need to touch
2371 dit(bf(ldap filter (G)))
2373 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2374 password database stored on an LDAP server back-end. These options
2375 are only available if your version of Samba was configured with
2376 the bf(--with-ldap) option.
2378 This parameter specifies an LDAP search filter used to search for a
2379 user name in the LDAP database. It must contain the string
2380 link(bf(%u))(percentU) which will be replaced with the user being
2387 dit(bf(ldap port (G)))
2389 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2390 password database stored on an LDAP server back-end. These options
2391 are only available if your version of Samba was configured with
2392 the bf(--with-ldap) option.
2394 This parameter specifies the TCP port number to use to contact
2401 dit(bf(ldap root (G)))
2403 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2404 password database stored on an LDAP server back-end. These options
2405 are only available if your version of Samba was configured with
2406 the bf(--with-ldap) option.
2408 This parameter specifies the entity to bind to the LDAP server
2409 as (essentially the LDAP username) in order to be able to perform
2410 queries and modifications on the LDAP database.
2412 See also link(bf(ldap root passwd))(ldaprootpasswd).
2415 empty string (no user defined)
2417 label(ldaprootpasswd)
2418 dit(bf(ldap root passwd (G)))
2420 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2421 password database stored on an LDAP server back-end. These options
2422 are only available if your version of Samba was configured with
2423 the bf(--with-ldap) option.
2425 This parameter specifies the password for the entity to bind to the
2426 LDAP server as (the password for this LDAP username) in order to be
2427 able to perform queries and modifications on the LDAP database.
2429 em(BUGS:) This parameter should em(NOT) be a readable parameter
2430 in the bf(smb.conf) file and will be removed once a correct
2431 storage place is found.
2433 See also link(bf(ldap root))(ldaproot).
2439 dit(bf(ldap server (G)))
2441 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2442 password database stored on an LDAP server back-end. These options
2443 are only available if your version of Samba was configured with
2444 the bf(--with-ldap) option.
2446 This parameter specifies the DNS name of the LDAP server to use
2447 for SMB/CIFS authentication purposes.
2450 ldap server = localhost
2453 dit(bf(ldap suffix (G)))
2455 This parameter is part of the em(EXPERIMENTAL) Samba support for a
2456 password database stored on an LDAP server back-end. These options
2457 are only available if your version of Samba was configured with
2458 the bf(--with-ldap) option.
2460 This parameter specifies the tt("dn") or LDAP em("distinguished name")
2461 that tells url(bf(smbd))(smbd.8.html) to start from when searching
2462 for an entry in the LDAP password database.
2468 dit(bf(lm announce (G)))
2470 This parameter determines if url(bf(nmbd))(nmbd.8.html) will produce
2471 Lanman announce broadcasts that are needed by bf(OS/2) clients in order
2472 for them to see the Samba server in their browse list. This parameter
2473 can have three values, tt("true"), tt("false"), or tt("auto"). The
2474 default is tt("auto"). If set to tt("false") Samba will never produce
2475 these broadcasts. If set to tt("true") Samba will produce Lanman
2476 announce broadcasts at a frequency set by the parameter link(bf("lm
2477 interval"))(lminterval). If set to tt("auto") Samba will not send Lanman
2478 announce broadcasts by default but will listen for them. If it hears
2479 such a broadcast on the wire it will then start sending them at a
2480 frequency set by the parameter link(bf("lm interval"))(lminterval).
2482 See also link(bf("lm interval"))(lminterval).
2491 dit(bf(lm interval (G)))
2493 If Samba is set to produce Lanman announce broadcasts needed by
2494 bf(OS/2) clients (see the link(bf("lm announce"))(lmannounce)
2495 parameter) then this parameter defines the frequency in seconds with
2496 which they will be made. If this is set to zero then no Lanman
2497 announcements will be made despite the setting of the link(bf("lm
2498 announce"))(lmannounce) parameter.
2500 See also link(bf("lm announce"))(lmannounce).
2509 dit(bf(load printers (G)))
2511 A boolean variable that controls whether all printers in the printcap
2512 will be loaded for browsing by default. See the
2513 link(bf("printers"))(printers) section for more details.
2522 dit(bf(local master (G)))
2524 This option allows url(bf(nmbd))(nmbd.8.html) to try and become a
2525 local master browser on a subnet. If set to False then
2526 url(bf(nmbd))(nmbd.8.html) will not attempt to become a local master
2527 browser on a subnet and will also lose in all browsing elections. By
2528 default this value is set to true. Setting this value to true doesn't
2529 mean that Samba will em(become) the local master browser on a subnet,
2530 just that url(bf(nmbd))(nmbd.8.html) will em(participate) in
2531 elections for local master browser.
2533 Setting this value to False will cause url(bf(nmbd))(nmbd.8.html)
2534 em(never) to become a local master browser.
2539 label(lockdirectory)
2540 dit(bf(lock directory (G)))
2542 This option specifies the directory where lock files will be placed.
2543 The lock files are used to implement the link(bf("max
2544 connections"))(maxconnections) option.
2547 lock directory = /tmp/samba
2550 lock directory = /usr/local/samba/var/locks
2553 dit(bf(locking (S)))
2555 This controls whether or not locking will be performed by the server
2556 in response to lock requests from the client.
2558 If tt("locking = no"), all lock and unlock requests will appear to
2559 succeed and all lock queries will indicate that the queried lock is
2562 If tt("locking = yes"), real locking will be performed by the server.
2564 This option em(may) be useful for read-only filesystems which em(may)
2565 not need locking (such as cdrom drives), although setting this
2566 parameter of tt("no") is not really recommended even in this case.
2568 Be careful about disabling locking either globally or in a specific
2569 service, as lack of locking may result in data corruption. You should
2570 never need to set this parameter.
2579 dit(bf(log file (G)))
2581 This options allows you to override the name of the Samba log file
2582 (also known as the debug file).
2584 This option takes the standard substitutions, allowing you to have
2585 separate log files for each user or machine.
2588 tt( log file = /usr/local/samba/var/log.%m)
2591 dit(bf(log level (G)))
2593 Synonym for link(bf("debug level"))(debuglevel).
2596 dit(bf(logon drive (G)))
2598 This parameter specifies the local path to which the home directory
2599 will be connected (see link(bf("logon home"))(logonhome)) and is only
2600 used by NT Workstations.
2602 Note that this option is only useful if Samba is set up as a
2603 link(bf(logon server))(domainlogons).
2609 dit(bf(logon home (G)))
2611 This parameter specifies the home directory location when a Win95/98 or
2612 NT Workstation logs into a Samba PDC. It allows you to do
2614 tt("NET USE H: /HOME")
2616 from a command prompt, for example.
2618 This option takes the standard substitutions, allowing you to have
2619 separate logon scripts for each user or machine.
2621 Note that this option is only useful if Samba is set up as a
2622 link(bf(logon server))(domainlogons).
2625 tt( logon home = "\\remote_smb_server\%U")
2628 tt( logon home = "\\%N\%U")
2631 dit(bf(logon path (G)))
2633 This parameter specifies the home directory where roaming profiles
2634 (USER.DAT / USER.MAN files for Windows 95/98) are stored.
2636 This option takes the standard substitutions, allowing you to have
2637 separate logon scripts for each user or machine. It also specifies
2638 the directory from which the tt("desktop"), tt("start menu"),
2639 tt("network neighborhood") and tt("programs") folders, and their
2640 contents, are loaded and displayed on your Windows 95/98 client.
2642 The share and the path must be readable by the user for the
2643 preferences and directories to be loaded onto the Windows 95/98
2644 client. The share must be writeable when the logs in for the first
2645 time, in order that the Windows 95/98 client can create the user.dat
2646 and other directories.
2648 Thereafter, the directories and any of contents can, if required, be
2649 made read-only. It is not adviseable that the USER.DAT file be made
2650 read-only - rename it to USER.MAN to achieve the desired effect (a
2651 em(MAN)datory profile).
2653 Windows clients can sometimes maintain a connection to the [homes]
2654 share, even though there is no user logged in. Therefore, it is vital
2655 that the logon path does not include a reference to the homes share
2656 (i.e setting this parameter to tt(\\%N\HOMES\profile_path) will cause
2659 This option takes the standard substitutions, allowing you to have
2660 separate logon scripts for each user or machine.
2662 Note that this option is only useful if Samba is set up as a
2663 link(bf(logon server))(domainlogons).
2666 tt( logon path = \\%N\%U\profile)
2669 tt( logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE)
2672 dit(bf(logon script (G)))
2674 This parameter specifies the batch file (.bat) or NT command file
2675 (.cmd) to be downloaded and run on a machine when a user successfully
2676 logs in. The file must contain the DOS style cr/lf line endings.
2677 Using a DOS-style editor to create the file is recommended.
2679 The script must be a relative path to the tt([netlogon]) service. If
2680 the tt([netlogon]) service specifies a link(bf(path))(path) of
2681 /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the
2682 file that will be downloaded is:
2684 tt(/usr/local/samba/netlogon/STARTUP.BAT)
2686 The contents of the batch file is entirely your choice. A suggested
2687 command would be to add tt(NET TIME \\SERVER /SET /YES), to force every
2688 machine to synchronise clocks with the same time server. Another use
2689 would be to add tt(NET USE U: \\SERVER\UTILS) for commonly used
2690 utilities, or tt(NET USE Q: \\SERVER\ISO9001_QA) for example.
2692 Note that it is particularly important not to allow write access to
2693 the tt([netlogon]) share, or to grant users write permission on the
2694 batch files in a secure environment, as this would allow the batch
2695 files to be arbitrarily modified and security to be breached.
2697 This option takes the standard substitutions, allowing you to have
2698 separate logon scripts for each user or machine.
2700 Note that this option is only useful if Samba is set up as a
2701 link(bf(logon server))(domainlogons).
2704 tt( logon script = scripts\%U.bat)
2706 label(lppausecommand)
2707 dit(bf(lppause command (S)))
2709 This parameter specifies the command to be executed on the server host
2710 in order to stop printing or spooling a specific print job.
2712 This command should be a program or script which takes a printer name
2713 and job number to pause the print job. One way of implementing this is
2714 by using job priorities, where jobs having a too low priority won't be
2715 sent to the printer.
2717 If a tt("%p") is given then the printername is put in its place. A
2718 tt("%j") is replaced with the job number (an integer). On HPUX (see
2719 link(bf(printing=hpux))(printing)), if the tt("-p%p") option is added
2720 to the lpq command, the job will show up with the correct status,
2721 i.e. if the job priority is lower than the set fence priority it will
2722 have the PAUSED status, whereas if the priority is equal or higher it
2723 will have the SPOOLED or PRINTING status.
2725 Note that it is good practice to include the absolute path in the
2726 lppause command as the PATH may not be available to the server.
2728 See also the link(bf("printing"))(printing) parameter.
2731 Currently no default value is given to this string, unless the
2732 value of the link(bf("printing"))(printing) parameter is tt(SYSV), in
2733 which case the default is :
2735 tt( lp -i %p-%j -H hold)
2737 or if the value of the link(bf("printing"))(printing) parameter is tt(softq),
2738 then the default is:
2740 tt( qstat -s -j%j -h)
2742 bf(Example for HPUX:)
2743 lppause command = /usr/bin/lpalt %p-%j -p0
2746 dit(bf(lpq cache time (G)))
2748 This controls how long lpq info will be cached for to prevent the
2749 bf(lpq) command being called too often. A separate cache is kept for
2750 each variation of the bf(lpq) command used by the system, so if you
2751 use different bf(lpq) commands for different users then they won't
2752 share cache information.
2754 The cache files are stored in tt(/tmp/lpq.xxxx) where xxxx is a hash of
2755 the bf(lpq) command in use.
2757 The default is 10 seconds, meaning that the cached results of a
2758 previous identical bf(lpq) command will be used if the cached data is
2759 less than 10 seconds old. A large value may be advisable if your
2760 bf(lpq) command is very slow.
2762 A value of 0 will disable cacheing completely.
2764 See also the link(bf("printing"))(printing) parameter.
2773 dit(bf(lpq command (S)))
2775 This parameter specifies the command to be executed on the server host
2776 in order to obtain tt("lpq")-style printer status information.
2778 This command should be a program or script which takes a printer name
2779 as its only parameter and outputs printer status information.
2781 Currently eight styles of printer status information are supported;
2782 BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX
2783 systems. You control which type is expected using the
2784 link(bf("printing ="))(printing) option.
2786 Some clients (notably Windows for Workgroups) may not correctly send
2787 the connection number for the printer they are requesting status
2788 information about. To get around this, the server reports on the first
2789 printer service connected to by the client. This only happens if the
2790 connection number sent is invalid.
2792 If a tt(%p) is given then the printername is put in its place. Otherwise
2793 it is placed at the end of the command.
2795 Note that it is good practice to include the absolute path in the bf(lpq
2796 command) as the PATH may not be available to the server.
2798 See also the link(bf("printing"))(printing) parameter.
2801 depends on the setting of link(bf("printing ="))(printing)
2804 tt( lpq command = /usr/bin/lpq %p)
2806 label(lpresumecommand)
2807 dit(bf(lpresume command (S)))
2809 This parameter specifies the command to be executed on the server host
2810 in order to restart or continue printing or spooling a specific print
2813 This command should be a program or script which takes a printer name
2814 and job number to resume the print job. See also the link(bf("lppause
2815 command"))(lppausecommand) parameter.
2817 If a tt(%p) is given then the printername is put in its place. A
2818 tt(%j) is replaced with the job number (an integer).
2820 Note that it is good practice to include the absolute path in the bf(lpresume
2821 command) as the PATH may not be available to the server.
2823 See also the link(bf("printing"))(printing) parameter.
2827 Currently no default value is given to this string, unless the
2828 value of the link(bf("printing"))(printing) parameter is tt(SYSV), in
2829 which case the default is :
2831 tt( lp -i %p-%j -H resume)
2833 or if the value of the link(bf("printing"))(printing) parameter is tt(softq),
2834 then the default is:
2836 tt( qstat -s -j%j -r)
2838 bf(Example for HPUX:)
2839 tt( lpresume command = /usr/bin/lpalt %p-%j -p2)
2842 dit(bf(lprm command (S)))
2844 This parameter specifies the command to be executed on the server host
2845 in order to delete a print job.
2847 This command should be a program or script which takes a printer name
2848 and job number, and deletes the print job.
2850 If a tt(%p) is given then the printername is put in its place. A
2851 tt(%j) is replaced with the job number (an integer).
2853 Note that it is good practice to include the absolute path in the
2854 bf(lprm command) as the PATH may not be available to the server.
2856 See also the link(bf("printing"))(printing) parameter.
2859 depends on the setting of "printing ="
2862 tt( lprm command = /usr/bin/lprm -P%p %j)
2865 tt( lprm command = /usr/bin/cancel %p-%j)
2867 label(machinepasswordtimeout)
2868 dit(bf(machine password timeout (G)))
2870 If a Samba server is a member of an Windows NT Domain (see the
2871 link(bf("security=domain"))(security)) parameter) then periodically a
2872 running url(bf(smbd))(smbd.8.html) process will try and change the
2873 bf(MACHINE ACCOUNT PASWORD) stored in the file called
2874 tt(<Domain>.<Machine>.mac) where tt(<Domain>) is the name of the
2875 Domain we are a member of and tt<Machine> is the primary
2876 link(bf("NetBIOS name"))(netbiosname) of the machine
2877 url(bf(smbd))(smbd.8.html) is running on. This parameter specifies
2878 how often this password will be changed, in seconds. The default
2879 is one week (expressed in seconds), the same as a Windows NT
2880 Domain member server.
2882 See also url(bf(smbpasswd (8)))(smbpasswd.8.html), and the
2883 link(bf("security=domain"))(security)) parameter.
2886 machine password timeout = 604800
2889 dit(bf(magic output (S)))
2891 This parameter specifies the name of a file which will contain output
2892 created by a magic script (see the link(bf("magic
2893 script"))(magicscript) parameter below).
2895 Warning: If two clients use the same link(bf("magic
2896 script"))(magicscript) in the same directory the output file content
2900 magic output = <magic script name>.out
2903 magic output = myfile.txt
2906 dit(bf(magic script (S)))
2908 This parameter specifies the name of a file which, if opened, will be
2909 executed by the server when the file is closed. This allows a UNIX
2910 script to be sent to the Samba host and executed on behalf of the
2913 Scripts executed in this way will be deleted upon completion,
2914 permissions permitting.
2916 If the script generates output, output will be sent to the file
2917 specified by the link(bf("magic output"))(magicoutput) parameter (see
2920 Note that some shells are unable to interpret scripts containing
2921 carriage-return-linefeed instead of linefeed as the end-of-line
2922 marker. Magic scripts must be executable em("as is") on the host,
2923 which for some hosts and some shells will require filtering at the DOS
2926 Magic scripts are em(EXPERIMENTAL) and should em(NOT) be relied upon.
2929 None. Magic scripts disabled.
2932 magic script = user.csh
2935 dit(bf(mangle case (S)))
2937 See the section on link(bf("NAME MANGLING"))(NAMEMANGLING).
2940 dit(bf(mangled map (S)))
2942 This is for those who want to directly map UNIX file names which are
2943 not representable on Windows/DOS. The mangling of names is not always
2944 what is needed. In particular you may have documents with file
2945 extensions that differ between DOS and UNIX. For example, under UNIX
2946 it is common to use tt(".html") for HTML files, whereas under
2947 Windows/DOS tt(".htm") is more commonly used.
2949 So to map tt("html") to tt("htm") you would use:
2951 tt( mangled map = (*.html *.htm))
2953 One very useful case is to remove the annoying tt(";1") off the ends
2954 of filenames on some CDROMS (only visible under some UNIXes). To do
2955 this use a map of (*;1 *).
2961 tt( mangled map = (*;1 *))
2964 dit(bf(mangled names (S)))
2966 This controls whether non-DOS names under UNIX should be mapped to
2967 DOS-compatible names ("mangled") and made visible, or whether non-DOS
2968 names should simply be ignored.
2970 See the section on link(bf("NAME MANGLING"))(NAMEMANGLING) for details
2971 on how to control the mangling process.
2973 If mangling is used then the mangling algorithm is as follows:
2977 it() The first (up to) five alphanumeric characters before the
2978 rightmost dot of the filename are preserved, forced to upper case, and
2979 appear as the first (up to) five characters of the mangled name.
2981 it() A tilde tt("~") is appended to the first part of the mangled
2982 name, followed by a two-character unique sequence, based on the
2983 original root name (i.e., the original filename minus its final
2984 extension). The final extension is included in the hash calculation
2985 only if it contains any upper case characters or is longer than three
2988 Note that the character to use may be specified using the
2989 link(bf("mangling char"))(manglingchar) option, if you don't like
2992 it() The first three alphanumeric characters of the final extension
2993 are preserved, forced to upper case and appear as the extension of the
2994 mangled name. The final extension is defined as that part of the
2995 original filename after the rightmost dot. If there are no dots in the
2996 filename, the mangled name will have no extension (except in the case
2997 of link(bf("hidden files"))(hidefiles) - see below).
2999 it() Files whose UNIX name begins with a dot will be presented as DOS
3000 hidden files. The mangled name will be created as for other filenames,
3001 but with the leading dot removed and tt("___") as its extension regardless
3002 of actual original extension (that's three underscores).
3006 The two-digit hash value consists of upper case alphanumeric
3009 This algorithm can cause name collisions only if files in a directory
3010 share the same first five alphanumeric characters. The probability of
3011 such a clash is 1/1300.
3013 The name mangling (if enabled) allows a file to be copied between UNIX
3014 directories from Windows/DOS while retaining the long UNIX
3015 filename. UNIX files can be renamed to a new extension from
3016 Windows/DOS and will retain the same basename. Mangled names do not
3017 change between sessions.
3026 dit(bf(mangling char (S)))
3028 This controls what character is used as the em("magic") character in
3029 link(bf(name mangling))(manglednames). The default is a tt('~') but
3030 this may interfere with some software. Use this option to set it to
3031 whatever you prefer.
3040 dit(bf(mangled stack (G)))
3042 This parameter controls the number of mangled names that should be
3043 cached in the Samba server url(bf(smbd))(smbd.8.html).
3045 This stack is a list of recently mangled base names (extensions are
3046 only maintained if they are longer than 3 characters or contains upper
3049 The larger this value, the more likely it is that mangled names can be
3050 successfully converted to correct long UNIX names. However, large
3051 stack sizes will slow most directory access. Smaller stacks save
3052 memory in the server (each stack element costs 256 bytes).
3054 It is not possible to absolutely guarantee correct long file names, so
3055 be prepared for some surprises!
3064 dit(bf(map archive (S)))
3066 This controls whether the DOS archive attribute should be mapped to
3067 the UNIX owner execute bit. The DOS archive bit is set when a file
3068 has been modified since its last backup. One motivation for this
3069 option it to keep Samba/your PC from making any file it touches from
3070 becoming executable under UNIX. This can be quite annoying for shared
3071 source code, documents, etc...
3073 Note that this requires the link(bf("create mask"))(createmask)
3074 parameter to be set such that owner execute bit is not masked out
3075 (ie. it must include 100). See the parameter link(bf("create
3076 mask"))(createmask) for details.
3085 dit(bf(map hidden (S)))
3087 This controls whether DOS style hidden files should be mapped to the
3088 UNIX world execute bit.
3090 Note that this requires the link(bf("create mask"))(createmask) to be
3091 set such that the world execute bit is not masked out (ie. it must
3092 include 001). See the parameter link(bf("create mask"))(createmask)
3102 dit(bf(map system (S)))
3104 This controls whether DOS style system files should be mapped to the
3105 UNIX group execute bit.
3107 Note that this requires the link(bf("create mask"))(createmask) to be
3108 set such that the group execute bit is not masked out (ie. it must
3109 include 010). See the parameter link(bf("create mask"))(createmask)
3118 label(maxconnections)
3119 dit(bf(max connections (S)))
3121 This option allows the number of simultaneous connections to a service
3122 to be limited. If bf("max connections") is greater than 0 then
3123 connections will be refused if this number of connections to the
3124 service are already open. A value of zero mean an unlimited number of
3125 connections may be made.
3127 Record lock files are used to implement this feature. The lock files
3128 will be stored in the directory specified by the link(bf("lock
3129 directory"))(lockdirectory) option.
3135 max connections = 10
3138 dit(bf(max disk size (G)))
3140 This option allows you to put an upper limit on the apparent size of
3141 disks. If you set this option to 100 then all shares will appear to be
3142 not larger than 100 MB in size.
3144 Note that this option does not limit the amount of data you can put on
3145 the disk. In the above case you could still store much more than 100
3146 MB on the disk, but if a client ever asks for the amount of free disk
3147 space or the total disk size then the result will be bounded by the
3148 amount specified in bf("max disk size").
3150 This option is primarily useful to work around bugs in some pieces of
3151 software that can't handle very large disks, particularly disks over
3154 A bf("max disk size") of 0 means no limit.
3160 max disk size = 1000
3163 dit(bf(max log size (G)))
3165 This option (an integer in kilobytes) specifies the max size the log
3166 file should grow to. Samba periodically checks the size and if it is
3167 exceeded it will rename the file, adding a tt(".old") extension.
3169 A size of 0 means no limit.
3178 dit(bf(max mux (G)))
3180 This option controls the maximum number of outstanding simultaneous
3181 SMB operations that samba tells the client it will allow. You should
3182 never need to set this parameter.
3188 dit(bf(maxopenfiles (G)))
3190 This parameter limits the maximum number of open files that one
3191 url(bf(smbd))(smbd.8.html) file serving process may have open for
3192 a client at any one time. The default for this parameter is set
3193 very high (10,000) as Samba uses only one bit per un-opened file.
3195 The limit of the number of open files is usually set by the
3196 UNIX per-process file descriptor limit rather than this parameter
3197 so you should never need to touch this parameter.
3200 max open files = 10000
3203 dit(bf(max packet (G)))
3205 Synonym for label(bf("packet size"))(packetsize).
3208 dit(bf(max ttl (G)))
3210 This option tells url(bf(nmbd))(nmbd.8.html) what the default 'time
3211 to live' of NetBIOS names should be (in seconds) when
3212 url(bf(nmbd))(nmbd.8.html) is requesting a name using either a
3213 broadcast packet or from a WINS server. You should never need to
3214 change this parameter. The default is 3 days.
3220 dit(bf(max wins ttl (G)))
3222 This option tells url(bf(nmbd))(nmbd.8.html) when acting as a WINS
3223 server link(bf((wins support =true)))(winssupport) what the maximum
3224 'time to live' of NetBIOS names that url(bf(nmbd))(nmbd.8.html) will
3225 grant will be (in seconds). You should never need to change this
3226 parameter. The default is 6 days (518400 seconds).
3228 See also the link(bf("min wins ttl"))(minwinsttl) parameter.
3231 max wins ttl = 518400
3234 dit(bf(max xmit (G)))
3236 This option controls the maximum packet size that will be negotiated
3237 by Samba. The default is 65535, which is the maximum. In some cases
3238 you may find you get better performance with a smaller value. A value
3239 below 2048 is likely to cause problems.
3247 label(messagecommand)
3248 dit(bf(message command (G)))
3250 This specifies what command to run when the server receives a WinPopup
3253 This would normally be a command that would deliver the message
3254 somehow. How this is to be done is up to your imagination.
3258 tt( message command = csh -c 'xedit %s;rm %s' &)
3260 This delivers the message using bf(xedit), then removes it
3261 afterwards. em(NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
3262 IMMEDIATELY). That's why I have the tt('&') on the end. If it doesn't
3263 return immediately then your PCs may freeze when sending messages
3264 (they should recover after 30secs, hopefully).
3266 All messages are delivered as the global guest user. The command takes
3267 the standard substitutions, although link(bf(%u))(percentu) won't work
3268 (link(bf(%U))(percentU) may be better in this case).
3270 Apart from the standard substitutions, some additional ones apply. In
3275 it() %s = the filename containing the message
3277 it() %t = the destination that the message was sent to (probably the server
3280 it() %f = who the message is from
3284 You could make this command send mail, or whatever else takes your
3285 fancy. Please let us know of any really interesting ideas you have.
3287 Here's a way of sending the messages as mail to root:
3289 tt(message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s)
3291 If you don't have a message command then the message won't be
3292 delivered and Samba will tell the sender there was an
3293 error. Unfortunately WfWg totally ignores the error code and carries
3294 on regardless, saying that the message was delivered.
3296 If you want to silently delete it then try:
3298 tt("message command = rm %s").
3300 For the really adventurous, try something like this:
3302 tt(message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient -M %m; rm %s' &)
3304 this would execute the command as a script on the server, then give
3305 them the result in a WinPopup message. Note that this could cause a
3306 loop if you send a message from the server using smbclient! You better
3307 wrap the above in a script that checks for this :-)
3313 tt( message command = csh -c 'xedit %s;rm %s' &)
3315 label(minprintspace)
3316 dit(bf(min print space (S)))
3318 This sets the minimum amount of free disk space that must be available
3319 before a user will be able to spool a print job. It is specified in
3320 kilobytes. The default is 0, which means a user can always spool a print
3323 See also the link(bf(printing))(printing) parameter.
3329 min print space = 2000
3332 dit(bf(min wins ttl (G)))
3334 This option tells url(bf(nmbd))(nmbd.8.html) when acting as a WINS
3335 server link(bf((wins support = true)))(winssupport) what the minimum
3336 'time to live' of NetBIOS names that url(bf(nmbd))(nmbd.8.html) will
3337 grant will be (in seconds). You should never need to change this
3338 parameter. The default is 6 hours (21600 seconds).
3341 min wins ttl = 21600
3344 label(nameresolveorder)
3345 dit(bf(name resolve order (G)))
3347 This option is used by the programs in the Samba suite to determine
3348 what naming services and in what order to resolve host names to IP
3349 addresses. The option takes a space separated string of different name
3352 The options are :"lmhosts", "host", "wins" and "bcast". They cause
3353 names to be resolved as follows :
3357 it() bf(lmhosts) : Lookup an IP address in the Samba lmhosts file.
3359 it() bf(host) : Do a standard host name to IP address resolution,
3360 using the system /etc/hosts, NIS, or DNS lookups. This method of name
3361 resolution is operating system depended for instance on IRIX or
3362 Solaris this may be controlled by the em(/etc/nsswitch.conf) file).
3364 it() bf(wins) : Query a name with the IP address listed in the
3365 link(bf(wins server))(winsserver) parameter. If no WINS server has
3366 been specified this method will be ignored.
3368 it() bf(bcast) : Do a broadcast on each of the known local interfaces
3369 listed in the link(bf(interfaces))(interfaces) parameter. This is the
3370 least reliable of the name resolution methods as it depends on the
3371 target host being on a locally connected subnet.
3376 name resolve order = lmhosts host wins bcast
3379 name resolve order = lmhosts bcast host
3381 This will cause the local lmhosts file to be examined first, followed
3382 by a broadcast attempt, followed by a normal system hostname lookup.
3384 label(netbiosaliases)
3385 dit(bf(netbios aliases (G)))
3387 This is a list of NetBIOS names that url(bf(nmbd))(nmbd.8.html) will
3388 advertise as additional names by which the Samba server is known. This
3389 allows one machine to appear in browse lists under multiple names. If
3390 a machine is acting as a link(bf(browse server))(localmaster) or
3391 link(bf(logon server))(domainlogons) none of these names will be
3392 advertised as either browse server or logon servers, only the primary
3393 name of the machine will be advertised with these capabilities.
3395 See also link(bf("netbios name"))(netbiosname).
3398 empty string (no additional names)
3401 netbios aliases = TEST TEST1 TEST2
3404 dit(bf(netbios name (G)))
3406 This sets the NetBIOS name by which a Samba server is known. By
3407 default it is the same as the first component of the host's DNS name.
3408 If a machine is a link(bf(browse server))(localmaster) or
3409 link(bf(logon server))(domainlogons) this name (or the first component
3410 of the hosts DNS name) will be the name that these services are
3413 See also link(bf("netbios aliases"))(netbiosaliases).
3419 netbios name = MYNAME
3422 dit(bf(nis homedir (G)))
3424 Get the home share server from a NIS map. For UNIX systems that use an
3425 automounter, the user's home directory will often be mounted on a
3426 workstation on demand from a remote server.
3428 When the Samba logon server is not the actual home directory server,
3429 but is mounting the home directories via NFS then two network hops
3430 would be required to access the users home directory if the logon
3431 server told the client to use itself as the SMB server for home
3432 directories (one over SMB and one over NFS). This can be very
3435 This option allows Samba to return the home share as being on a
3436 different server to the logon server and as long as a Samba daemon is
3437 running on the home directory server, it will be mounted on the Samba
3438 client directly from the directory server. When Samba is returning the
3439 home share to the client, it will consult the NIS map specified in
3440 link(bf("homedir map"))(homedirmap) and return the server listed
3443 Note that for this option to work there must be a working NIS
3444 system and the Samba server with this option must also be a
3445 link(bf(logon server))(domainlogons).
3453 label(ntpipesupport)
3454 dit(bf(nt pipe support (G)))
3456 This boolean parameter controlls whether url(bf(smbd))(smbd.8.html)
3457 will allow Windows NT clients to connect to the NT SMB specific
3458 tt(IPC$) pipes. This is a developer debugging option and can be left
3462 nt pipe support = yes
3465 dit(bf(nt smb support (G)))
3467 This boolean parameter controlls whether url(bf(smbd))(smbd.8.html)
3468 will negotiate NT specific SMB support with Windows NT
3469 clients. Although this is a developer debugging option and should be
3470 left alone, benchmarking has discovered that Windows NT clients give
3471 faster performance with this option set to tt("no"). This is still
3472 being investigated. If this option is set to tt("no") then Samba
3473 offers exactly the same SMB calls that versions prior to Samba2.0
3474 offered. This information may be of use if any users are having
3475 problems with NT SMB support.
3480 label(nullpasswords)
3481 dit(bf(null passwords (G)))
3483 Allow or disallow client access to accounts that have null passwords.
3485 See also url(bf(smbpasswd (5)))(smbpasswd.5.html).
3491 null passwords = yes
3493 label(olelockingcompatibility)
3494 dit(bf(ole locking compatibility (G)))
3496 This parameter allows an administrator to turn off the byte range lock
3497 manipulation that is done within Samba to give compatibility for OLE
3498 applications. Windows OLE applications use byte range locking as a
3499 form of inter-process communication, by locking ranges of bytes around
3500 the 2^32 region of a file range. This can cause certain UNIX lock
3501 managers to crash or otherwise cause problems. Setting this parameter
3502 to tt("no") means you trust your UNIX lock manager to handle such cases
3506 ole locking compatibility = yes
3509 ole locking compatibility = no
3512 dit(bf(only guest (S)))
3514 A synonym for link(bf("guest only"))(guestonly).
3517 dit(bf(only user (S)))
3519 This is a boolean option that controls whether connections with
3520 usernames not in the link(bf(user=))(user) list will be allowed. By
3521 default this option is disabled so a client can supply a username to
3522 be used by the server.
3524 Note that this also means Samba won't try to deduce usernames from the
3525 service name. This can be annoying for the link(bf([homes]))(homes)
3526 section. To get around this you could use "link(bf(user))(user) =
3527 link(bf(%S))(percentS)" which means your link(bf("user"))(user) list
3528 will be just the service name, which for home directories is the name
3531 See also the link(bf(user))(user) parameter.
3540 dit(bf(oplocks (S)))
3542 This boolean option tells smbd whether to issue oplocks (opportunistic
3543 locks) to file open requests on this share. The oplock code can
3544 dramatically (approx 30% or more) improve the speed of access to files
3545 on Samba servers. It allows the clients to agressively cache files
3546 locally and you may want to disable this option for unreliable network
3547 environments (it is turned on by default in Windows NT Servers). For
3548 more information see the file Speed.txt in the Samba docs/ directory.
3550 Oplocks may be selectively turned off on certain files on a per share basis.
3551 See the 'veto oplock files' parameter. On some systems oplocks are recognised
3552 by the underlying operating system. This allows data synchronisation between
3553 all access to oplocked files, whether it be via Samba or NFS or a local
3554 UNIX process. See the link(bf(kernel oplocks))(kerneloplocks) parameter
3564 dit(bf(os level (G)))
3566 This integer value controls what level Samba advertises itself as for
3567 browse elections. The value of this parameter determines whether
3568 url(bf(nmbd))(nmbd.8.html) has a chance of becoming a local master
3569 browser for the link(bf(WORKGROUP))(workgroup) in the local broadcast
3570 area. The default is zero, which means url(bf(nmbd))(nmbd.8.html) will
3571 lose elections to Windows machines. See BROWSING.txt in the Samba
3572 docs/ directory for details.
3578 tt( os level = 65 ; This will win against any NT Server)
3581 dit(bf(packet size (G)))
3583 This is a deprecated parameter that how no effect on the current
3584 Samba code. It is left in the parameter list to prevent breaking
3585 old bf(smb.conf) files.
3588 dit(bf(panic action (G))
3590 This is a Samba developer option that allows a system command to be
3591 called when either url(bf(smbd))(smbd.8.html) or
3592 url(bf(nmbd))(nmbd.8.html) crashes. This is usually used to draw
3593 attention to the fact that a problem occured.
3596 panic action = <empty string>
3599 dit(bf(passwd chat (G)))
3601 This string controls the em("chat") conversation that takes places
3602 between url(bf(smbd))(smbd.8.html) and the local password changing
3603 program to change the users password. The string describes a sequence
3604 of response-receive pairs that url(bf(smbd))(smbd.8.html) uses to
3605 determine what to send to the link(bf(passwd))(passwdprogram) program
3606 and what to expect back. If the expected output is not received then
3607 the password is not changed.
3609 This chat sequence is often quite site specific, depending on what
3610 local methods are used for password control (such as NIS etc).
3612 The string can contain the macros tt("%o") and tt("%n") which are
3613 substituted for the old and new passwords respectively. It can also
3614 contain the standard macros tt("\n"), tt("\r"), tt("\t") and tt("\s")
3615 to give line-feed, carriage-return, tab and space.
3617 The string can also contain a tt('*') which matches any sequence of
3620 Double quotes can be used to collect strings with spaces in them into
3623 If the send string in any part of the chat sequence is a fullstop
3624 tt(".") then no string is sent. Similarly, is the expect string is a
3625 fullstop then no string is expected.
3627 Note that if the link(bf("unix password sync"))(unixpasswordsync)
3628 parameter is set to true, then this sequence is called em(*AS ROOT*)
3629 when the SMB password in the smbpasswd file is being changed, without
3630 access to the old password cleartext. In this case the old password
3631 cleartext is set to tt("") (the empty string).
3633 See also link(bf("unix password sync"))(unixpasswordsync),
3634 link(bf("passwd program"))(passwdprogram) and link(bf("passwd chat
3635 debug"))(passwdchatdebug).
3638 verb( passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \
3639 "*Reenter NEW password*" %n\n "*Password changed*"
3643 verb( passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*)
3645 label(passwdchatdebug)
3646 dit(bf(passwd chat debug (G)))
3648 This boolean specifies if the passwd chat script parameter is run in
3649 tt("debug") mode. In this mode the strings passed to and received from
3650 the passwd chat are printed in the url(bf(smbd))(smbd.8.html) log with
3651 a link(bf("debug level"))(debuglevel) of 100. This is a dangerous
3652 option as it will allow plaintext passwords to be seen in the
3653 url(bf(smbd))(smbd.8.html) log. It is available to help Samba admins
3654 debug their link(bf("passwd chat"))(passwdchat) scripts when calling
3655 the link(bf("passwd program"))(passwdprogram) and should be turned off
3656 after this has been done. This parameter is off by default.
3658 See also link(bf("passwd chat"))(passwdchat"), link(bf("passwd
3659 program"))(passwdprogram).
3662 passwd chat debug = True
3665 passwd chat debug = False
3667 label(passwdprogram)
3668 dit(bf(passwd program (G)))
3670 The name of a program that can be used to set UNIX user passwords.
3671 Any occurrences of link(bf(%u))(percentu) will be replaced with the
3672 user name. The user name is checked for existance before calling the
3673 password changing program.
3675 Also note that many passwd programs insist in em("reasonable")
3676 passwords, such as a minimum length, or the inclusion of mixed case
3677 chars and digits. This can pose a problem as some clients (such as
3678 Windows for Workgroups) uppercase the password before sending it.
3680 em(Note) that if the link(bf("unix password sync"))(unixpasswordsync)
3681 parameter is set to tt("True") then this program is called em(*AS
3682 ROOT*) before the SMB password in the
3683 url(bf(smbpassswd))(smbpasswd.5.html) file is changed. If this UNIX
3684 password change fails, then url(bf(smbd))(smbd.8.html) will fail to
3685 change the SMB password also (this is by design).
3687 If the link(bf("unix password sync"))(unixpasswordsync) parameter is
3688 set this parameter em(MUST USE ABSOLUTE PATHS) for em(ALL) programs
3689 called, and must be examined for security implications. Note that by
3690 default link(bf("unix password sync"))(unixpasswordsync) is set to
3693 See also link(bf("unix password sync"))(unixpasswordsync).
3696 tt( passwd program = /bin/passwd)
3699 tt( passwd program = /sbin/passwd %u)
3701 label(passwordlevel)
3702 dit(bf(password level (G)))
3704 Some client/server combinations have difficulty with mixed-case
3705 passwords. One offending client is Windows for Workgroups, which for
3706 some reason forces passwords to upper case when using the LANMAN1
3707 protocol, but leaves them alone when using COREPLUS!
3709 This parameter defines the maximum number of characters that may be
3710 upper case in passwords.
3712 For example, say the password given was tt("FRED"). If bf(password
3713 level) is set to 1, the following combinations would be tried if
3716 tt("Fred"), tt("fred"), tt("fRed"), tt("frEd"), tt("freD")
3718 If bf(password level) was set to 2, the following combinations would
3721 tt("FRed"), tt("FrEd"), tt("FreD"), tt("fREd"), tt("fReD"),
3726 The higher value this parameter is set to the more likely it is that a
3727 mixed case password will be matched against a single case
3728 password. However, you should be aware that use of this parameter
3729 reduces security and increases the time taken to process a new
3732 A value of zero will cause only two attempts to be made - the password
3733 as is and the password in all-lower case.
3741 label(passwordserver)
3742 dit(bf(password server (G)))
3744 By specifying the name of another SMB server (such as a WinNT box)
3745 with this option, and using link(bf("security = domain"))(security) or
3746 link(bf("security = server"))(security) you can get Samba to do all
3747 its username/password validation via a remote server.
3749 This options sets the name of the password server to use. It must be a
3750 NetBIOS name, so if the machine's NetBIOS name is different from its
3751 internet name then you may have to add its NetBIOS name to the lmhosts
3752 file which is stored in the same directory as the bf(smb.conf) file.
3754 The name of the password server is looked up using the parameter
3755 link(bf("name resolve order="))(nameresolveorder) and so may resolved
3756 by any method and order described in that parameter.
3758 The password server much be a machine capable of using the "LM1.2X002"
3759 or the "LM NT 0.12" protocol, and it must be in user level security
3762 NOTE: Using a password server means your UNIX box (running Samba) is
3763 only as secure as your password server. em(DO NOT CHOOSE A PASSWORD
3764 SERVER THAT YOU DON'T COMPLETELY TRUST).
3766 Never point a Samba server at itself for password serving. This will
3767 cause a loop and could lock up your Samba server!
3769 The name of the password server takes the standard substitutions, but
3770 probably the only useful one is link(bf(%m))(percentm), which means
3771 the Samba server will use the incoming client as the password
3772 server. If you use this then you better trust your clients, and you
3773 better restrict them with hosts allow!
3775 If the link(bf("security"))(security) parameter is set to
3776 bf("domain"), then the list of machines in this option must be a list
3777 of Primary or Backup Domain controllers for the
3778 link(bf(Domain))(workgroup), as the Samba server is cryptographically
3779 in that domain, and will use crpytographically authenticated RPC calls
3780 to authenticate the user logging on. The advantage of using
3781 link(bf("security=domain"))(security) is that if you list several
3782 hosts in the bf("password server") option then
3783 url(bf(smbd))(smbd.8.html) will try each in turn till it finds one
3784 that responds. This is useful in case your primary server goes down.
3786 If the link(bf("security"))(security) parameter is set to
3787 bf("server"), then there are different restrictions that
3788 link(bf("security=domain"))(security) doesn't suffer from:
3792 it() You may list several password servers in the bf("password server"
3793 parameter, however if an url(bf(smbd))(smbd.8.html) makes a connection
3794 to a password server, and then the password server fails, no more
3795 users will be able to be authenticated from this
3796 url(bf(smbd))(smbd.8.html). This is a restriction of the SMB/CIFS
3797 protocol when in link(bf("security=server"))(security) mode and cannot
3800 it() If you are using a WindowsNT server as your password server then
3801 you will have to ensure that your users are able to login from the
3802 Samba server, as when in link(bf("security=server"))(security) mode
3803 the network logon will appear to come from there rather than from the
3808 See also the link(bf("security") parameter.
3811 password server = <empty string>
3814 password server = NT-PDC, NT-BDC1, NT-BDC2
3819 This parameter specifies a directory to which the user of the service
3820 is to be given access. In the case of printable services, this is
3821 where print data will spool prior to being submitted to the host for
3824 For a printable service offering guest access, the service should be
3825 readonly and the path should be world-writable and have the sticky bit
3826 set. This is not mandatory of course, but you probably won't get the
3827 results you expect if you do otherwise.
3829 Any occurrences of link(bf(%u))(percentu) in the path will be replaced
3830 with the UNIX username that the client is using on this
3831 connection. Any occurrences of link(bf(%m))(percentm) will be replaced
3832 by the NetBIOS name of the machine they are connecting from. These
3833 replacements are very useful for setting up pseudo home directories
3836 Note that this path will be based on link(bf("root dir"))(rootdir) if
3846 dit(bf(postexec (S)))
3848 This option specifies a command to be run whenever the service is
3849 disconnected. It takes the usual substitutions. The command may be run
3850 as the root on some systems.
3852 An interesting example may be do unmount server resources:
3854 tt(postexec = /etc/umount /cdrom)
3856 See also link(bf(preexec))(preexec).
3859 none (no command executed)
3862 tt( postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log)
3865 dit(bf(postscript (S)))
3867 This parameter forces a printer to interpret the print files as
3868 postscript. This is done by adding a tt(%!) to the start of print output.
3870 This is most useful when you have lots of PCs that persist in putting
3871 a control-D at the start of print jobs, which then confuses your
3881 dit(bf(preexec (S)))
3883 This option specifies a command to be run whenever the service is
3884 connected to. It takes the usual substitutions.
3886 An interesting example is to send the users a welcome message every
3887 time they log in. Maybe a message of the day? Here is an example:
3890 preexec = csh -c 'echo \"Welcome to %S!\" | \
3891 /usr/local/samba/bin/smbclient -M %m -I %I' &
3894 Of course, this could get annoying after a while :-)
3896 See also link(bf(postexec))(postexec).
3899 none (no command executed)
3902 tt( preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log)
3904 label(preferredmaster)
3905 dit(bf(preferred master (G)))
3907 This boolean parameter controls if url(bf(nmbd))(nmbd.8.html) is a
3908 preferred master browser for its workgroup.
3910 If this is set to true, on startup, url(bf(nmbd))(nmbd.8.html) will
3911 force an election, and it will have a slight advantage in winning the
3912 election. It is recommended that this parameter is used in
3913 conjunction with link(bf("domain master = yes"))(domainmaster), so
3914 that url(bf(nmbd))(nmbd.8.html) can guarantee becoming a domain
3917 Use this option with caution, because if there are several hosts
3918 (whether Samba servers, Windows 95 or NT) that are preferred master
3919 browsers on the same subnet, they will each periodically and
3920 continuously attempt to become the local master browser. This will
3921 result in unnecessary broadcast traffic and reduced browsing
3924 See also link(bf(os level))(oslevel).
3927 preferred master = no
3929 label(preferedmaster)
3930 dit(bf(prefered master (G)))
3932 Synonym for link(bf("preferred master"))(preferredmaster) for people
3933 who cannot spell :-).
3937 Synonym for link(bf("auto services"))(autoservices).
3940 dit(bf(preserve case (S)))
3942 This controls if new filenames are created with the case that the
3943 client passes, or if they are forced to be the tt("default") case.
3948 See the section on link(bf("NAME MANGLING"))(NAMEMANGLING) for a
3952 dit(bf(print command (S)))
3954 After a print job has finished spooling to a service, this command
3955 will be used via a tt(system()) call to process the spool
3956 file. Typically the command specified will submit the spool file to
3957 the host's printing subsystem, but there is no requirement that this
3958 be the case. The server will not remove the spool file, so whatever
3959 command you specify should remove the spool file when it has been
3960 processed, otherwise you will need to manually remove old spool files.
3962 The print command is simply a text string. It will be used verbatim,
3963 with two exceptions: All occurrences of tt("%s") will be replaced by
3964 the appropriate spool file name, and all occurrences of tt("%p") will
3965 be replaced by the appropriate printer name. The spool file name is
3966 generated automatically by the server, the printer name is discussed
3969 The full path name will be used for the filename if tt("%s") is not
3970 preceded by a tt('/'). If you don't like this (it can stuff up some
3971 lpq output) then use tt("%f") instead. Any occurrences of tt("%f") get
3972 replaced by the spool filename without the full path at the front.
3974 The print command em(MUST) contain at least one occurrence of tt("%s")
3975 or tt("%f") - the tt("%p") is optional. At the time a job is
3976 submitted, if no printer name is supplied the tt("%p") will be
3977 silently removed from the printer command.
3979 If specified in the link(bf("[global]")(global) section, the print
3980 command given will be used for any printable service that does not
3981 have its own print command specified.
3983 If there is neither a specified print command for a printable service
3984 nor a global print command, spool files will be created but not
3985 processed and (most importantly) not removed.
3987 Note that printing may fail on some UNIXes from the tt("nobody")
3988 account. If this happens then create an alternative guest account that
3989 can print and set the link(bf("guest account"))(guestaccount) in the
3990 link(bf("[global]")(global) section.
3992 You can form quite complex print commands by realising that they are
3993 just passed to a shell. For example the following will log a print
3994 job, print the file, then remove it. Note that tt(';') is the usual
3995 separator for command in shell scripts.
3997 tt(print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s)
3999 You may have to vary this command considerably depending on how you
4000 normally print files on your system. The default for the parameter
4001 varies depending on the setting of the link(bf("printing="))(printing)
4005 For link(bf("printing="))(printing) BSD, AIX, QNX, LPRNG or PLP :
4006 tt( print command = lpr -r -P%p %s)
4008 For link(bf("printing="))(printing) SYS or HPUX :
4009 tt( print command = lp -c -d%p %s; rm %s)
4011 For link(bf("printing="))(printing) SOFTQ :
4012 tt( print command = lp -d%p -s %s; rm %s)
4015 tt( print command = /usr/local/samba/bin/myprintscript %p %s)
4018 dit(bf(print ok (S)))
4020 Synonym for link(bf(printable))(printable).
4023 dit(bf(printable (S)))
4025 If this parameter is tt("yes"), then clients may open, write to and
4026 submit spool files on the directory specified for the service.
4028 Note that a printable service will ALWAYS allow writing to the service
4029 path (user privileges permitting) via the spooling of print data. The
4030 link(bf("read only"))(readonly) parameter controls only non-printing
4031 access to the resource.
4040 dit(bf(printcap (G)))
4042 Synonym for link(bf(printcapname))(printcapname).
4045 dit(bf(printcap name (G)))
4047 This parameter may be used to override the compiled-in default
4048 printcap name used by the server (usually /etc/printcap). See the
4049 discussion of the link(bf([printers]))(printers) section above for
4050 reasons why you might want to do this.
4052 On System V systems that use bf(lpstat) to list available printers you
4053 can use tt("printcap name = lpstat") to automatically obtain lists of
4054 available printers. This is the default for systems that define SYSV
4055 at configure time in Samba (this includes most System V based
4056 systems). If bf("printcap name") is set to bf(lpstat) on these systems
4057 then Samba will launch tt("lpstat -v") and attempt to parse the output
4058 to obtain a printer list.
4060 A minimal printcap file would look something like this:
4070 where the tt('|') separates aliases of a printer. The fact that the
4071 second alias has a space in it gives a hint to Samba that it's a
4074 em(NOTE): Under AIX the default printcap name is
4075 tt("/etc/qconfig"). Samba will assume the file is in AIX tt("qconfig")
4076 format if the string tt("/qconfig") appears in the printcap filename.
4079 tt( printcap name = /etc/printcap)
4082 tt( printcap name = /etc/myprintcap)
4085 dit(bf(printer (S)))
4087 This parameter specifies the name of the printer to which print jobs
4088 spooled through a printable service will be sent.
4090 If specified in the link(bf([global]))(global) section, the printer
4091 name given will be used for any printable service that does not have
4092 its own printer name specified.
4095 none (but may be tt("lp") on many systems)
4098 printer name = laserwriter
4100 label(printerdriver)
4101 dit(bf(printer driver (S)))
4103 This option allows you to control the string that clients receive when
4104 they ask the server for the printer driver associated with a
4105 printer. If you are using Windows95 or WindowsNT then you can use this
4106 to automate the setup of printers on your system.
4108 You need to set this parameter to the exact string (case sensitive)
4109 that describes the appropriate printer driver for your system. If you
4110 don't know the exact string to use then you should first try with no
4111 bf("printer driver") option set and the client will give you a list of
4112 printer drivers. The appropriate strings are shown in a scrollbox
4113 after you have chosen the printer manufacturer.
4115 See also link(bf("printer driver file"))(printerdriverfile).
4118 printer driver = HP LaserJet 4L
4120 label(printerdriverfile)
4121 dit(bf(printer driver file (G)))
4123 This parameter tells Samba where the printer driver definition file,
4124 used when serving drivers to Windows 95 clients, is to be found. If
4125 this is not set, the default is :
4127 tt(SAMBA_INSTALL_DIRECTORY/lib/printers.def)
4129 This file is created from Windows 95 tt("msprint.def") files found on
4130 the Windows 95 client system. For more details on setting up serving
4131 of printer drivers to Windows 95 clients, see the documentation file
4132 in the docs/ directory, PRINTER_DRIVER.txt.
4135 None (set in compile).
4138 tt( printer driver file = /usr/local/samba/printers/drivers.def)
4140 See also link(bf("printer driver location"))(printerdriverlocation).
4142 label(printerdriverlocation)
4143 dit(bf(printer driver location (S)))
4145 This parameter tells clients of a particular printer share where to
4146 find the printer driver files for the automatic installation of
4147 drivers for Windows 95 machines. If Samba is set up to serve printer
4148 drivers to Windows 95 machines, this should be set to
4150 tt(\\MACHINE\aPRINTER$)
4152 Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
4153 is a share you set up for serving printer driver files. For more
4154 details on setting this up see the documentation file in the docs/
4155 directory, PRINTER_DRIVER.txt.
4161 tt( printer driver location = \\MACHINE\PRINTER$)
4163 See also link(bf("printer driver file"))(printerdriverfile).
4166 dit(bf(printer name (S)))
4168 Synonym for link(bf(printer))(printer).
4171 dit(bf(printing (S)))
4173 This parameters controls how printer status information is interpreted
4174 on your system, and also affects the default values for the
4175 link(bf("print command"))(printcommand), link(bf("lpq
4176 command"))(lpqcommand) link(bf("lppause command"))(lppausecommand),
4177 link(bf("lpresume command"))(lpresumecommand), and link(bf("lprm
4178 command"))(lprmcommand).
4180 Currently eight printing styles are supported. They are
4181 bf("printing=BSD"), bf("printing=AIX"), bf("printing=LPRNG"),
4183 bf("printing=SYSV"),bf("printing="HPUX"),bf("printing=QNX") and
4184 bf("printing=SOFTQ").
4186 To see what the defaults are for the other print commands when using
4187 these three options use the url(bf("testparm"))(testparm) program.
4189 This option can be set on a per printer basis
4191 See also the discussion in the link(bf([printers]))(printers) section.
4194 dit(bf(protocol (G)))
4196 The value of the parameter (a string) is the highest protocol level
4197 that will be supported by the server.
4199 Possible values are :
4203 it() CORE: Earliest version. No concept of user names.
4205 it() COREPLUS: Slight improvements on CORE for efficiency.
4207 it() LANMAN1: First em("modern") version of the protocol. Long
4210 it() LANMAN2: Updates to Lanman1 protocol.
4212 it() NT1: Current up to date version of the protocol. Used by Windows
4217 Normally this option should not be set as the automatic negotiation
4218 phase in the SMB protocol takes care of choosing the appropriate
4230 Synonym for link(bf("guest ok"))(guestok).
4232 label(queuepausecommand)
4233 dit(bf(queuepause command (S)))
4235 This parameter specifies the command to be executed on the server host
4236 in order to pause the printerqueue.
4238 This command should be a program or script which takes a printer name
4239 as its only parameter and stops the printerqueue, such that no longer
4240 jobs are submitted to the printer.
4242 This command is not supported by Windows for Workgroups, but can be
4243 issued from the Printer's window under Windows 95 & NT.
4245 If a tt("%p") is given then the printername is put in its
4246 place. Otherwise it is placed at the end of the command.
4248 Note that it is good practice to include the absolute path in the
4249 command as the PATH may not be available to the server.
4252 depends on the setting of "printing ="
4255 tt( queuepause command = disable %p)
4257 label(queueresumecommand)
4258 dit(bf(queueresume command (S)))
4260 This parameter specifies the command to be executed on the server host
4261 in order to resume the printerqueue. It is the command to undo the
4262 behaviour that is caused by the previous parameter
4263 (link(bf("queuepause command))(queuepausecommand)).
4265 This command should be a program or script which takes a printer name
4266 as its only parameter and resumes the printerqueue, such that queued
4267 jobs are resubmitted to the printer.
4269 This command is not supported by Windows for Workgroups, but can be
4270 issued from the Printer's window under Windows 95 & NT.
4272 If a tt("%p") is given then the printername is put in its
4273 place. Otherwise it is placed at the end of the command.
4275 Note that it is good practice to include the absolute path in the
4276 command as the PATH may not be available to the server.
4279 depends on the setting of "printing ="
4282 tt( queuepause command = enable %p)
4285 dit(bf(read bmpx (G)))
4287 This boolean parameter controls whether url(bf(smbd))(smbd.8.html)
4288 will support the "Read Block Multiplex" SMB. This is now rarely used
4289 and defaults to off. You should never need to set this parameter.
4295 dit(bf(read list (S)))
4297 This is a list of users that are given read-only access to a
4298 service. If the connecting user is in this list then they will not be
4299 given write access, no matter what the link(bf("read only"))(readonly)
4300 option is set to. The list can include group names using the syntax
4301 described in the link(bf("invalid users"))(invalidusers) parameter.
4303 See also the link(bf("write list"))(writelist) parameter and
4304 the link(bf("invalid users"))(invalidusers) parameter.
4307 tt( read list = <empty string>)
4310 tt( read list = mary, @students)
4313 dit(bf(read only (S)))
4315 Note that this is an inverted synonym for
4316 link(bf("writable"))(writable) and link(bf("write ok"))(writeok).
4318 See also link(bf("writable"))(writable) and link(bf("write
4321 label(readprediction)
4322 dit(bf(read prediction (G)))
4324 em(NOTE): This code is currently disabled in Samba2.0 and
4325 may be removed at a later date. Hence this parameter has
4328 This options enables or disables the read prediction code used to
4329 speed up reads from the server. When enabled the server will try to
4330 pre-read data from the last accessed file that was opened read-only
4331 while waiting for packets.
4334 read prediction = False
4337 dit(bf(read raw (G)))
4339 This parameter controls whether or not the server will support the raw
4340 read SMB requests when transferring data to clients.
4342 If enabled, raw reads allow reads of 65535 bytes in one packet. This
4343 typically provides a major performance benefit.
4345 However, some clients either negotiate the allowable block size
4346 incorrectly or are incapable of supporting larger block sizes, and for
4347 these clients you may need to disable raw reads.
4349 In general this parameter should be viewed as a system tuning tool and left
4350 severely alone. See also link(bf("write raw"))(writeraw).
4356 dit(bf(read size (G)))
4358 The option bf("read size") affects the overlap of disk reads/writes
4359 with network reads/writes. If the amount of data being transferred in
4360 several of the SMB commands (currently SMBwrite, SMBwriteX and
4361 SMBreadbraw) is larger than this value then the server begins writing
4362 the data before it has received the whole packet from the network, or
4363 in the case of SMBreadbraw, it begins writing to the network before
4364 all the data has been read from disk.
4366 This overlapping works best when the speeds of disk and network access
4367 are similar, having very little effect when the speed of one is much
4368 greater than the other.
4370 The default value is 2048, but very little experimentation has been
4371 done yet to determine the optimal value, and it is likely that the
4372 best value will vary greatly between systems anyway. A value over
4373 65536 is pointless and will cause you to allocate memory
4382 label(remoteannounce)
4383 dit(bf(remote announce (G)))
4385 This option allows you to setup url(bf(nmbd))(nmbd.8.html) to
4386 periodically announce itself to arbitrary IP addresses with an
4387 arbitrary workgroup name.
4389 This is useful if you want your Samba server to appear in a remote
4390 workgroup for which the normal browse propagation rules don't
4391 work. The remote workgroup can be anywhere that you can send IP
4396 tt( remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF)
4398 the above line would cause nmbd to announce itself to the two given IP
4399 addresses using the given workgroup names. If you leave out the
4400 workgroup name then the one given in the
4401 link(bf("workgroup"))(workgroup) parameter is used instead.
4403 The IP addresses you choose would normally be the broadcast addresses
4404 of the remote networks, but can also be the IP addresses of known
4405 browse masters if your network config is that stable.
4407 See the documentation file BROWSING.txt in the docs/ directory.
4410 remote announce = <empty string>
4413 tt( remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF)
4415 label(remotebrowsesync)
4416 dit(bf(remote browse sync (G)))
4418 This option allows you to setup url(bf(nmbd))(nmbd.8.html) to
4419 periodically request synchronisation of browse lists with the master
4420 browser of a samba server that is on a remote segment. This option
4421 will allow you to gain browse lists for multiple workgroups across
4422 routed networks. This is done in a manner that does not work with any
4425 This is useful if you want your Samba server and all local clients to
4426 appear in a remote workgroup for which the normal browse propagation
4427 rules don't work. The remote workgroup can be anywhere that you can
4432 tt( remote browse sync = 192.168.2.255 192.168.4.255)
4434 the above line would cause url(bf(nmbd))(nmbd.8.html) to request the
4435 master browser on the specified subnets or addresses to synchronise
4436 their browse lists with the local server.
4438 The IP addresses you choose would normally be the broadcast addresses
4439 of the remote networks, but can also be the IP addresses of known
4440 browse masters if your network config is that stable. If a machine IP
4441 address is given Samba makes NO attempt to validate that the remote
4442 machine is available, is listening, nor that it is in fact the browse
4443 master on it's segment.
4446 remote browse sync = <empty string>
4449 tt( remote browse sync = 192.168.2.255 192.168.4.255)
4452 dit(bf(revalidate (S)))
4454 Note that this option only works with
4455 link(bf("security=share"))(security) and will be ignored if this is
4458 This option controls whether Samba will allow a previously validated
4459 username/password pair to be used to attach to a share. Thus if you
4460 connect to tt(\\server\share1) then to tt(\\server\share2) it won't
4461 automatically allow the client to request connection to the second
4462 share as the same username as the first without a password.
4464 If bf("revalidate") is tt("True") then the client will be denied
4465 automatic access as the same username.
4476 Synonym for link(bf("root directory"))(rootdirectory).
4479 dit(bf(root dir (G)))
4481 Synonym for link(bf("root directory"))(rootdirectory).
4483 label(rootdirectory)
4484 dit(bf(root directory (G)))
4486 The server will tt("chroot()") (ie. Change it's root directory) to
4487 this directory on startup. This is not strictly necessary for secure
4488 operation. Even without it the server will deny access to files not in
4489 one of the service entries. It may also check for, and deny access to,
4490 soft links to other parts of the filesystem, or attempts to use
4491 tt("..") in file names to access other directories (depending on the
4492 setting of the link(bf("wide links"))(widelinks) parameter).
4494 Adding a bf("root directory") entry other than tt("/") adds an extra
4495 level of security, but at a price. It absolutely ensures that no
4496 access is given to files not in the sub-tree specified in the bf("root
4497 directory") option, em(*including*) some files needed for complete
4498 operation of the server. To maintain full operability of the server
4499 you will need to mirror some system files into the bf("root
4500 directory") tree. In particular you will need to mirror /etc/passwd
4501 (or a subset of it), and any binaries or configuration files needed
4502 for printing (if required). The set of files that must be mirrored is
4503 operating system dependent.
4506 tt( root directory = /)
4509 tt( root directory = /homes/smb)
4512 dit(bf(root postexec (S)))
4514 This is the same as the link(bf("postexec"))(postexec) parameter
4515 except that the command is run as root. This is useful for unmounting
4516 filesystems (such as cdroms) after a connection is closed.
4518 See also link(bf("postexec"))(postexec).
4521 dit(bf(root preexec (S)))
4523 This is the same as the link(bf("preexec"))(preexec) parameter except
4524 that the command is run as root. This is useful for mounting
4525 filesystems (such as cdroms) before a connection is finalised.
4527 See also link(bf("preexec"))(preexec).
4530 dit(bf(security (G)))
4532 This option affects how clients respond to Samba and is one of the most
4533 important settings in the bf(smb.conf) file.
4535 The option sets the tt("security mode bit") in replies to protocol
4536 negotiations with url(bf(smbd))(smbd.8.html) to turn share level
4537 security on or off. Clients decide based on this bit whether (and how)
4538 to transfer user and password information to the server.
4540 The default is bf("security=user"), as this is the most common setting
4541 needed when talking to Windows 98 and Windows NT4.0 SP3.
4543 The alternatives are bf("security = share") or bf("security = server") or
4544 bf("security=domain").
4546 em(*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR
4547 PREVIOUS VERSIONS OF SAMBA *******).
4549 In previous versions of Samba the default was "security=share") mainly
4550 because that was the only option at one stage.
4552 There is a bug in WfWg that has relevence to this setting. When in
4553 user or server level security a WfWg client will totally ignore the
4554 password you type in the "connect drive" dialog box. This makes it
4555 very difficult (if not impossible) to connect to a Samba service as
4556 anyone except the user that you are logged into WfWg as.
4558 If your PCs use usernames that are the same as their usernames on the
4559 UNIX machine then you will want to use bf("security = user"). If you
4560 mostly use usernames that don't exist on the UNIX box then use
4561 bf("security = share").
4563 The different settings will now be explained.
4567 dit(bf("security=share")) When clients connect to a share level
4568 security server then need not log onto the server with a valid
4569 username and password before attempting to connect to a shared
4570 resource. Instead, the clients send authentication information on a
4571 per-share basis, at the time they attempt to connect to that
4574 Note that url(bf(smbd))(smbd.8.html) em(*ALWAYS*) uses a valid UNIX
4575 user to act on behalf of the client, even in bf("security=share")
4576 level security. There are no tt("anonymous") users.
4578 As clients are not required to send a username to the server
4579 in share level security, url(bf(smbd))(smbd.8.html) uses several
4580 techniques to determine the correct UNIX user to use on behalf
4585 it() Parameters such as link(bf("user"))(user) and link(bf("guest
4586 only"))(guestonly), if set, will determine the UNIX user to use.
4588 it() Is a username is sent with the share connection request, then
4589 this is used as the UNIX username (see also link(bf("username
4590 map"))(usernamemap).
4592 it() If a username is not sent to the server, then
4593 url(bf(smbd))(smbd.8.html) will try the NetBIOS name of the client as
4594 a potential UNIX username.
4596 it() If no username can be determined then if the share is marked as
4597 available to the link(bf("guest account"))(guestaccount), then this
4598 guest user will be used.
4602 Note that it can be confusing in share-level security as to which UNIX
4603 username will eventually be used in granting access.
4605 Note also that share-level security cannot support link(bf("encrypted
4606 passwords"))(encryptpasswords).
4608 dit(bf("security=user"))
4610 This is the default security setting in Samba2.0. With user-level
4611 security a client must first tt("log-on") with a valid username and
4612 password (which can be mapped using the link(bf("username
4613 map"))(usernamemap) parameter). Encrypted passwords (see the
4614 link(bf("encrypted passwords"))(encryptpasswords) parameter) can also
4615 be used in this security mode. Parameters such as
4616 link(bf("user"))(user) and link(bf("guest only"))(guestonly), if set
4617 are then applied and may change the UNIX user to use on this
4618 connection, but only after the user has been successfully
4621 dit(bf("security=server"))
4623 In this mode Samba will try to validate the username/password by
4624 passing it to another SMB server, such as an NT box. If this fails it
4625 will revert to bf("security = user"), but note that if encrypted
4626 passwords have been negotiated then Samba cannot revert back to
4627 checking the UNIX password file, it must have a valid smbpasswd file
4628 to check users against. See the documentation file in the docs/
4629 directory ENCRYPTION.txt for details on how to set this up.
4631 See also the link(bf("password server"))(passwordserver) parameter.
4632 and the link(bf("encrypted passwords"))(encryptpasswords) parameter.
4634 dit(bf("security=domain"))
4636 This mode will only work correctly if
4637 url(bf(smbpasswd))(smbpasswd.8.html) has been used to add this machine
4638 into a Windows NT Domain. It expects the link(bf("encrypted
4639 passwords"))(encryptpasswords) parameter to be set to tt("true"). In
4640 this mode Samba will try to validate the username/password by passing
4641 it to a Windows NT Primary or Backup Domain Controller, in exactly the
4642 same way that a Windows NT Server would do.
4644 em(Note) that a valid UNIX user must still exist as well as the
4645 account on the Domain Controller to allow Samba to have a valid
4646 UNIX account to map file access to.
4648 See also the link(bf("password server"))(passwordserver) parameter.
4649 and the link(bf("encrypted passwords"))(encryptpasswords) parameter.
4660 dit(bf(server string (G)))
4662 This controls what string will show up in the printer comment box in
4663 print manager and next to the IPC connection in tt("net view"). It can be
4664 any string that you wish to show to your users.
4666 It also sets what will appear in browse lists next to the machine
4669 A tt("%v") will be replaced with the Samba version number.
4671 A tt("%h") will be replaced with the hostname.
4674 tt( server string = Samba %v)
4677 tt( server string = University of GNUs Samba Server)
4680 dit(bf(set directory (S)))
4682 If tt("set directory = no"), then users of the service may not use the
4683 setdir command to change directory.
4685 The setdir command is only implemented in the Digital Pathworks
4686 client. See the Pathworks documentation for details.
4695 dit(bf(share modes (S)))
4697 This enables or disables the honouring of the tt("share modes") during a
4698 file open. These modes are used by clients to gain exclusive read or
4699 write access to a file.
4701 These open modes are not directly supported by UNIX, so they are
4702 simulated using shared memory, or lock files if your UNIX doesn't
4703 support shared memory (almost all do).
4705 The share modes that are enabled by this option are DENY_DOS,
4706 DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.
4708 This option gives full share compatibility and enabled by default.
4710 You should em(*NEVER*) turn this parameter off as many Windows
4711 applications will break if you do so.
4716 label(sharedmemsize)
4717 dit(bf(shared mem size (G)))
4719 It specifies the size of the shared memory (in bytes) to use between
4720 url(bf(smbd))(smbd.8.html) processes. This parameter defaults to one
4721 megabyte of shared memory. It is possible that if you have a large
4722 server with many files open simultaneously that you may need to
4723 increase this parameter. Signs that this parameter is set too low are
4724 users reporting strange problems trying to save files (locking errors)
4725 and error messages in the smbd log looking like tt("ERROR
4726 smb_shm_alloc : alloc of XX bytes failed").
4729 tt( shared mem size = 1048576)
4732 tt( shared mem size = 5242880 ; Set to 5mb for a large number of files.)
4734 label(shortpreservecase)
4735 dit(bf(short preserve case (G)))
4737 This boolean parameter controls if new files which conform to 8.3
4738 syntax, that is all in upper case and of suitable length, are created
4739 upper case, or if they are forced to be the tt("default") case. This
4740 option can be use with link(bf("preserve case
4741 =yes"))(preservecaseoption) to permit long filenames to retain their
4742 case, while short names are lowered. Default em(Yes).
4744 See the section on link(bf(NAME MANGLING))(NAMEMANGLING).
4747 short preserve case = yes
4749 label(smbpasswdfile)
4750 dit(bf(smb passwd file (G)))
4752 This option sets the path to the encrypted smbpasswd file. By default
4753 the path to the smbpasswd file is compiled into Samba.
4756 smb passwd file= <compiled default>
4759 smb passwd file = /usr/samba/private/smbpasswd
4764 This sets the full path to the bf(smbrun) binary. This defaults to the
4765 value in the Makefile.
4767 You must get this path right for many services to work correctly.
4769 You should not need to change this parameter so long as Samba
4770 is installed correctly.
4773 smbrun=<compiled default>
4776 smbrun = /usr/local/samba/bin/smbrun
4778 label(socketaddress)
4779 dit(bf(socket address (G)))
4781 This option allows you to control what address Samba will listen for
4782 connections on. This is used to support multiple virtual interfaces on
4783 the one server, each with a different configuration.
4785 By default samba will accept connections on any address.
4788 socket address = 192.168.2.20
4790 label(socketoptions)
4791 dit(bf(socket options (G)))
4793 This option allows you to set socket options to be used when talking
4796 Socket options are controls on the networking layer of the operating
4797 systems which allow the connection to be tuned.
4799 This option will typically be used to tune your Samba server for
4800 optimal performance for your local network. There is no way that Samba
4801 can know what the optimal parameters are for your net, so you must
4802 experiment and choose them yourself. We strongly suggest you read the
4803 appropriate documentation for your operating system first (perhaps
4804 bf("man setsockopt") will help).
4806 You may find that on some systems Samba will say "Unknown socket
4807 option" when you supply an option. This means you either mis-typed it
4808 or you need to add an include file to includes.h for your OS. If the
4809 latter is the case please send the patch to
4810 email(samba-bugs@samba.anu.edu.au).
4812 Any of the supported socket options may be combined in any way you
4813 like, as long as your OS allows it.
4815 This is the list of socket options currently settable using this
4830 it() IPTOS_THROUGHPUT
4842 Those marked with a tt(*) take an integer argument. The others can
4843 optionally take a 1 or 0 argument to enable or disable the option, by
4844 default they will be enabled if you don't specify 1 or 0.
4846 To specify an argument use the syntax SOME_OPTION=VALUE for example
4847 SO_SNDBUF=8192. Note that you must not have any spaces before or after
4850 If you are on a local network then a sensible option might be
4852 socket options = IPTOS_LOWDELAY
4854 If you have a local network then you could try:
4856 socket options = IPTOS_LOWDELAY TCP_NODELAY
4858 If you are on a wide area network then perhaps try setting
4861 Note that several of the options may cause your Samba server to fail
4862 completely. Use these options with caution!
4865 socket options = TCP_NODELAY
4868 socket options = IPTOS_LOWDELAY
4874 This enables or disables logging of connections to a status file that
4880 won't be able to tell you what
4881 connections are active.
4889 .SS strict locking (S)
4890 This is a boolean that controls the handling of file locking in the
4891 server. When this is set to yes the server will check every read and
4892 write access for file locks, and deny access if locks exist. This can
4893 be slow on some systems.
4895 When strict locking is "no" the server does file lock checks only when
4896 the client explicitly asks for them.
4898 Well behaved clients always ask for lock checks when it is important,
4899 so in the vast majority of cases "strict locking = no" is preferable.
4905 strict locking = yes
4908 Many Windows applications (including the Windows 98 explorer
4909 shell) seem to confuse flushing buffer contents to disk with
4910 doing a sync to disk. Under UNIX, a sync call forces the process
4911 to be suspended until the kernel has ensured that all outstanding
4912 data in kernel disk buffers has been safely stored onto stable
4913 storate. This is very slow and should only be done rarely. Setting
4914 this parameter to "no" (the default) means that smbd ignores the
4915 Windows applications requests for a sync call. There is only a
4916 possibility of losing data if the operating system itself that
4917 Samba is running on crashes, so there is little danger in this
4918 default setting. In addition, this fixes many performace problems
4919 that people have reported with the new Windows98 explorer shell
4922 See also the "sync always" parameter.
4932 This is a boolean that controls whether to strip trailing dots off
4933 UNIX filenames. This helps with some CDROMs that have filenames ending in a
4943 This parameter maps how Samba debug messages are logged onto the
4944 system syslog logging levels. Samba debug level zero maps onto
4945 syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug
4946 level two maps to LOG_NOTICE, debug level three maps onto LOG_INFO.
4947 The paramter sets the threshold for doing the mapping, all Samba
4948 debug messages above this threashold are mapped to syslog LOG_DEBUG
4956 If this parameter is set then Samba debug messages are logged into
4957 the system syslog only, and not to the debug log files.
4964 This is a boolean parameter that controls whether writes will always
4965 be written to stable storage before the write call returns. If this is
4966 false then the server will be guided by the client's request in each
4967 write call (clients can set a bit indicating that a particular write
4968 should be synchronous). If this is true then every write will be
4969 followed by a fsync() call to ensure the data is written to disk.
4970 Note that the "strict sync" parameter must be set to "yes" in
4971 order for this parameter to have any affect.
4973 See also the "strict sync" parameter.
4982 This parameter is a setting in minutes to add to the normal GMT to
4983 local time conversion. This is useful if you are serving a lot of PCs
4984 that have incorrect daylight saving time handling.
4993 This parameter determines if nmbd advertises itself as a time server
4994 to Windows clients. The default is False.
5002 .SS unix password sync (G)
5003 This boolean parameter controlls whether Samba attempts to synchronise
5004 the UNIX password with the SMB password when the encrypted SMB password
5005 in the smbpasswd file is changed. If this is set to true the 'passwd program'
5006 program is called *AS ROOT* - to allow the new UNIX password to be set
5007 without access to the old UNIX password (as the SMB password has change
5008 code has no access to the old password cleartext, only the new). By
5009 default this is set to false.
5011 See also 'passwd program', 'passwd chat'
5014 unix password sync = False
5017 unix password sync = True
5019 .SS unix realname (G)
5020 This boolean parameter when set causes samba to supply the real name field
5021 from the unix password file to the client. This is useful for setting up
5022 mail clients and WWW browsers on systems used by more than one person.
5030 .SS update encrypted (G)
5031 This boolean parameter allows a user logging on with a plaintext
5032 password to have their encrypted (hashed) password in the smbpasswd
5033 file to be updated automatically as they log on. This option allows
5034 a site to migrate from plaintext password authentication (users
5035 authenticate with plaintext password over the wire, and are checked
5036 against a UNIX account database) to encrypted password authentication
5037 (the SMB challenge/response authentication mechanism) without forcing
5038 all users to re-enter their passwords via smbpasswd at the time the change
5039 is made. This is a convenience option to allow the change over to
5040 encrypted passwords to be made over a longer period. Once all users
5041 have encrypted representations of their passwords in the smbpasswd
5042 file this parameter should be set to "off".
5044 In order for this parameter to work correctly the "encrypt passwords"
5045 must be set to "no" when this parameter is set to "yes".
5047 Note that even when this parameter is set a user authenticating to
5048 smbd must still enter a valid password in order to connect correctly,
5049 and to update their hashed (smbpasswd) passwords.
5052 update encrypted = no
5055 update encrypted = yes
5061 A synonym for this parameter is 'user'.
5063 Multiple users may be specified in a comma-delimited list, in which case the
5064 supplied password will be tested against each username in turn (left to right).
5066 The username= line is needed only when the PC is unable to supply its own
5067 username. This is the case for the coreplus protocol or where your
5068 users have different WfWg usernames to UNIX usernames. In both these
5069 cases you may also be better using the \e\eserver\eshare%user syntax
5072 The username= line is not a great solution in many cases as it means Samba
5073 will try to validate the supplied password against each of the
5074 usernames in the username= line in turn. This is slow and a bad idea for
5075 lots of users in case of duplicate passwords. You may get timeouts or
5076 security breaches using this parameter unwisely.
5078 Samba relies on the underlying UNIX security. This parameter does not
5079 restrict who can login, it just offers hints to the Samba server as to
5080 what usernames might correspond to the supplied password. Users can
5081 login as whoever they please and they will be able to do no more
5082 damage than if they started a telnet session. The daemon runs as the
5083 user that they log in as, so they cannot do anything that user cannot
5086 To restrict a service to a particular set of users you can use the
5087 "valid users=" line.
5089 If any of the usernames begin with a @ then the name will be looked up
5090 first in the yp netgroups list (if Samba is compiled with netgroup support),
5091 followed by a lookup in the UNIX groups database and will expand to a list of
5092 all users in the group of that name.
5094 If any of the usernames begin with a + then the name will be looked up only
5095 in the UNIX groups database and will expand to a list of all users in the
5098 If any of the usernames begin with a & then the name will be looked up only
5099 in the yp netgroups database (if Samba is compiled with netgroup support) and
5100 will expand to a list of all users in the netgroup group of that name.
5102 Note that searching though a groups database can take quite
5103 some time, and some clients may time out during the search.
5105 See the section below on username/password validation for more information
5106 on how this parameter determines access to the services.
5109 The guest account if a guest service, else the name of the service.
5113 username = fred, mary, jack, jane, @users, @pcgroup
5115 .SS username level (G)
5117 This option helps Samba to try and 'guess' at the real UNIX username,
5118 as many DOS clients send an all-uppercase username. By default Samba
5119 tries all lowercase, followed by the username with the first letter
5120 capitalized, and fails if the username is not found on the UNIX machine.
5122 If this parameter is set to non-zero the behaviour changes. This
5123 parameter is a number that specifies the number of uppercase combinations
5124 to try whilst trying to determine the UNIX user name. The higher the number
5125 the more combinations will be tried, but the slower the discovery
5126 of usernames will be. Use this parameter when you have strange
5127 usernames on your UNIX machine, such as 'AstrangeUser'.
5135 .SS username map (G)
5137 This option allows you to to specify a file containing a mapping of
5138 usernames from the clients to the server. This can be used for several
5139 purposes. The most common is to map usernames that users use on DOS or
5140 Windows machines to those that the UNIX box uses. The other is to map
5141 multiple users to a single username so that they can more easily share
5144 The map file is parsed line by line. Each line should contain a single
5145 UNIX username on the left then a '=' followed by a list of usernames
5146 on the right. The list of usernames on the right may contain names of
5147 the form @group in which case they will match any UNIX username in
5148 that group. The special client name '*' is a wildcard and matches any
5149 name. Each line of the map file may be up to 1023 characters long.
5151 The file is processed on each line by taking the supplied username and
5152 comparing it with each username on the right hand side of the '='
5153 signs. If the supplied name matches any of the names on the right
5154 hand side then it is replaced with the name on the left. Processing
5155 then continues with the next line.
5157 If any line begins with a '#' or a ';' then it is ignored
5159 If any line begins with an ! then the processing will stop after that
5160 line if a mapping was done by the line. Otherwise mapping continues
5161 with every line being processed. Using ! is most useful when you have
5162 a wildcard mapping line later in the file.
5164 For example to map from the name "admin" or "administrator" to the UNIX
5165 name "root" you would use
5167 root = admin administrator
5169 Or to map anyone in the UNIX group "system" to the UNIX name "sys" you
5174 You can have as many mappings as you like in a username map file.
5176 If Samba has been compiled with the -DNETGROUP compile option
5177 then the netgroup database is checked before the /etc/group
5178 database for matching groups.
5180 You can map Windows usernames that have spaces in them by using double
5181 quotes around the name. For example:
5183 tridge = "Andrew Tridgell"
5185 would map the windows username "Andrew Tridgell" to the unix username
5188 The following example would map mary and fred to the unix user sys,
5189 and map the rest to guest. Note the use of the ! to tell Samba to stop
5190 processing if it gets a match on that line.
5196 Note that the remapping is applied to all occurrences of
5197 usernames. Thus if you connect to "\e\eserver\efred" and "fred" is
5198 remapped to "mary" then you will actually be connecting to
5199 "\e\eserver\emary" and will need to supply a password suitable for
5200 "mary" not "fred". The only exception to this is the username passed
5201 to the "password server" (if you have one). The password server will
5202 receive whatever username the client supplies without modification.
5204 Also note that no reverse mapping is done. The main effect this has is
5205 with printing. Users who have been mapped may have trouble deleting
5206 print jobs as PrintManager under WfWg will think they don't own the
5213 username map = /usr/local/samba/lib/users.map
5217 The option allows you to specify additional characters that should be
5218 considered valid by the server in filenames. This is particularly
5219 useful for national character sets, such as adding u-umlaut or a-ring.
5221 The option takes a list of characters in either integer or character
5222 form with spaces between them. If you give two characters with a colon
5223 between them then it will be taken as an lowercase:uppercase pair.
5225 If you have an editor capable of entering the characters into the
5226 config file then it is probably easiest to use this method. Otherwise
5227 you can specify the characters in octal, decimal or hexadecimal form
5228 using the usual C notation.
5230 For example to add the single character 'Z' to the charset (which is a
5231 pointless thing to do as it's already there) you could do one of the
5236 valid chars = 0132:0172
5238 The last two examples above actually add two characters, and alter
5239 the uppercase and lowercase mappings appropriately.
5241 Note that you MUST specify this parameter after the "client code page"
5242 parameter if you have both set. If "client code page" is set after
5243 the "valid chars" parameter the "valid chars" settings will be
5246 See also the "client code page" parameter.
5250 Samba defaults to using a reasonable set of valid characters
5255 valid chars = 0345:0305 0366:0326 0344:0304
5257 The above example allows filenames to have the swedish characters in
5260 NOTE: It is actually quite difficult to correctly produce a "valid
5261 chars" line for a particular system. To automate the process
5262 tino@augsburg.net has written a package called "validchars" which will
5263 automatically produce a complete "valid chars" line for a given client
5264 system. Look in the examples subdirectory for this package.
5267 This is a list of users that should be allowed to login to this
5268 service. A name starting with @ is interpreted as a UNIX group.
5270 If this is empty (the default) then any user can login. If a username
5271 is in both this list and the "invalid users" list then access is
5272 denied for that user.
5274 The current servicename is substituted for %S. This is useful in the
5277 See also "invalid users"
5280 No valid users list. (anyone can login)
5283 valid users = greg, @pcusers
5287 This is a list of files and directories that are neither visible nor
5288 accessible. Each entry in the list must be separated by a "/", which
5289 allows spaces to be included in the entry. '*' and '?' can be used to
5290 specify multiple files or directories as in DOS wildcards.
5292 Each entry must be a unix path, not a DOS path and must not include the
5293 unix directory separator "/".
5295 Note that the case sensitivity option is applicable in vetoing files.
5297 One feature of the veto files parameter that it is important to be
5298 aware of, is that if a directory contains nothing but files that
5299 match the veto files parameter (which means that Windows/DOS clients
5300 cannot ever see them) is deleted, the veto files within that directory
5301 *are automatically deleted* along with it, if the user has UNIX permissions
5304 Setting this parameter will affect the performance of Samba, as
5305 it will be forced to check all files and directories for a match
5306 as they are scanned.
5308 See also "hide files" and "case sensitive"
5311 No files or directories are vetoed.
5315 Veto any files containing the word Security,
5316 any ending in .tmp, and any directory containing the
5319 veto files = /*Security*/*.tmp/*root*/
5322 Veto the Apple specific files that a NetAtalk server
5325 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
5327 .SS veto oplock files (S)
5328 This parameter is only valid when the 'oplocks' parameter is turned on
5329 for a share. It allows the Samba administrator to selectively turn off
5330 the granting of oplocks on selected files that match a wildcarded list,
5331 similar to the wildcarded list used in the 'veto files' parameter.
5334 No files are vetoed for oplock grants.
5337 You might want to do this on files that you know will be heavily
5338 contended for by clients. A good example of this is in the NetBench
5339 SMB benchmark program, which causes heavy client contention for files
5340 ending in .SEM. To cause Samba not to grant oplocks on these files
5341 you would use the line (either in the [global] section or in the section
5342 for the particular NetBench share :
5344 veto oplock files = /*.SEM/
5347 This allows you to override the volume label returned for a
5348 share. Useful for CDROMs with installation programs that insist on a
5349 particular volume label.
5351 The default is the name of the share
5354 This parameter controls whether or not links in the UNIX file system may be
5355 followed by the server. Links that point to areas within the directory tree
5356 exported by the server are always allowed; this parameter controls access
5357 only to areas that are outside the directory tree being exported.
5367 This is a boolean that controls if nmbd will respond to broadcast name
5368 queries on behalf of other hosts. You may need to set this to no for
5375 This specifies the DNS name (or IP address) of the WINS server that Samba
5376 should register with. If you have a WINS server on your network then you
5377 should set this to the WINS servers name.
5379 You should point this at your WINS server if you have a multi-subnetted
5384 .SS wins support (G)
5386 This boolean controls if the nmbd process in Samba will act as a WINS server.
5387 You should not set this to true unless you have a multi-subnetted network and
5388 you wish a particular nmbd to be your WINS server. Note that you
5389 should *NEVER* set this to true on more than one machine in your
5397 This controls what workgroup your server will appear to be in when
5407 A synonym for this parameter is 'write ok'. An inverted synonym is 'read only'.
5409 If this parameter is 'no', then users of a service may not create or modify
5410 files in the service's directory.
5412 Note that a printable service ('printable = yes') will ALWAYS allow
5413 writing to the directory (user privileges permitting), but only via
5414 spooling operations.
5424 This is a list of users that are given read-write access to a
5425 service. If the connecting user is in this list then they will be
5426 given write access, no matter what the "read only" option is set
5427 to. The list can include group names using the @group syntax.
5429 Note that if a user is in both the read list and the write list then
5430 they will be given write access.
5432 See also the "read list" option
5438 write list = admin, root, @staff
5446 This parameter controls whether or not the server will support raw writes when
5447 transferring data from clients.
5455 .SH NOTE ABOUT USERNAME/PASSWORD VALIDATION
5456 There are a number of ways in which a user can connect to a
5457 service. The server follows the following steps in determining if it
5458 will allow a connection to a specified service. If all the steps fail
5459 then the connection request is rejected. If one of the steps pass then
5460 the following steps are not checked.
5462 If the service is marked "guest only = yes" then steps 1 to 5 are skipped
5464 Step 1: If the client has passed a username/password pair and that
5465 username/password pair is validated by the UNIX system's password
5466 programs then the connection is made as that username. Note that this
5467 includes the \e\eserver\eservice%username method of passing a username.
5469 Step 2: If the client has previously registered a username with the
5470 system and now supplies a correct password for that username then the
5471 connection is allowed.
5473 Step 3: The client's netbios name and any previously used user names
5474 are checked against the supplied password, if they match then the
5475 connection is allowed as the corresponding user.
5477 Step 4: If the client has previously validated a username/password
5478 pair with the server and the client has passed the validation token
5479 then that username is used. This step is skipped if "revalidate = yes"
5482 Step 5: If a "user = " field is given in the smb.conf file for the
5483 service and the client has supplied a password, and that password
5484 matches (according to the UNIX system's password checking) with one of
5485 the usernames from the user= field then the connection is made as the
5486 username in the "user=" line. If one of the username in the user= list
5487 begins with a @ then that name expands to a list of names in the group
5490 Step 6: If the service is a guest service then a connection is made as
5491 the username given in the "guest account =" for the service,
5492 irrespective of the supplied password.
5494 Although the configuration file permits service names to contain spaces,
5495 your client software may not. Spaces will be ignored in comparisons anyway,
5496 so it shouldn't be a problem - but be aware of the possibility.
5498 On a similar note, many clients - especially DOS clients - limit service
5499 names to eight characters. Smbd has no such limitation, but attempts
5500 to connect from such clients will fail if they truncate the service names.
5501 For this reason you should probably keep your service names down to eight
5502 characters in length.
5504 Use of the [homes] and [printers] special sections make life for an
5505 administrator easy, but the various combinations of default attributes can be
5506 tricky. Take extreme care when designing these sections. In particular,
5507 ensure that the permissions on spool directories are correct.
5509 This man page is (mostly) correct for version 1.9.18 of the Samba suite, plus some
5510 of the recent patches to it. These notes will necessarily lag behind
5511 development of the software, so it is possible that your version of
5512 the server has extensions or parameter semantics that differ from or are not
5513 covered by this man page. Please notify these to the address below for
5516 Prior to version 1.5.21 of the Samba suite, the configuration file was
5517 radically different (more primitive). If you are using a version earlier than
5518 1.8.05, it is STRONGLY recommended that you upgrade.
5523 .SH ENVIRONMENT VARIABLES
5532 .BR hosts_access (5)
5534 [This section under construction]
5536 Most diagnostics issued by the server are logged in a specified log file. The
5537 log file name is specified at compile time, but may be overridden on the
5538 smbd command line (see
5541 The number and nature of diagnostics available depends on the debug level used
5542 by the server. If you have problems, set the debug level to 3 and peruse the
5545 Most messages are reasonably self-explanatory. Unfortunately, at time of
5546 creation of this man page the source code is still too fluid to warrant
5547 describing each and every diagnostic. At this stage your best bet is still
5548 to grep the source code and inspect the conditions that gave rise to the
5549 diagnostics you are seeing.
5553 Please send bug reports, comments and so on to:
5556 .B samba-bugs@samba.anu.edu.au (Andrew Tridgell)
5559 or to the mailing list:
5562 .B samba@listproc.anu.edu.au
5565 You may also like to subscribe to the announcement channel:
5568 .B samba-announce@listproc.anu.edu.au
5571 To subscribe to these lists send a message to
5572 listproc@listproc.anu.edu.au with a body of "subscribe samba Your
5573 Name" or "subscribe samba-announce Your Name".
5575 Errors or suggestions for improvements to the Samba man pages should be
5579 .B samba-bugs@samba.anu.edu.au (Andrew Tridgell)