-.TH "smb\&.conf " "5" "23 Oct 1998" "Samba" "SAMBA"
+.TH "smb\&.conf " "5" "10 Jan 2001" "Samba" "SAMBA"
.PP
.SH "NAME"
smb\&.conf \- The configuration file for the Samba suite
the share name "foo":
.PP
-.DS
+.nf
writeable = true
-.DE
+.fi
.PP
as the default guest user (specified elsewhere):
.PP
-.DS
+.nf
[aprinter]
path = /usr/spool/public
- read only = true
+ writeable = false
printable = true
guest ok = true
-.DE
+.fi
.PP
following is a typical and suitable [homes] section:
.IP
-.DS
+.nf
[homes]
writeable = yes
-.DE
+.fi
.IP
.IP
This section works like \fB[homes]\fP, but for printers\&.
.IP
-If a [printers] section occurs in the configuration file, users are
+If a \fB[printers]\fP section occurs in the configuration file, users are
able to connect to any printer specified in the local host\'s printcap
file\&.
.IP
above\&. Otherwise, the requested section name is treated as a printer
name and the appropriate printcap file is scanned to see if the
requested section name is a valid printer share name\&. If a match is
-found, a new printer share is created by cloning the [printers]
+found, a new printer share is created by cloning the \fB[printers]\fP
section\&.
.IP
A few modifications are then made to the newly created share:
given, the username is set to the located printer name\&.
.IP
.IP
-Note that the [printers] service MUST be printable - if you specify
+Note that the \fB[printers]\fP service MUST be printable - if you specify
otherwise, the server will refuse to load the configuration file\&.
.IP
Typically the path specified would be that of a world-writeable spool
-directory with the sticky bit set on it\&. A typical [printers] entry
+directory with the sticky bit set on it\&. A typical \fB[printers]\fP entry
would look like this:
.IP
-.DS
+.nf
[printers]
path = /usr/spool/public
- writeable = no
guest ok = yes
printable = yes
-.DE
+.fi
.IP
this:
.IP
-.DS
+.nf
alias|alias|alias|alias\&.\&.\&.
-.DE
+.fi
.IP
machine\&. Only some are recognized, and those may not be 100%
reliable\&. It currently recognizes Samba, WfWg, WinNT and
Win95\&. Anything else will be known as "UNKNOWN"\&. If it gets it wrong
-then sending a level 3 log to \fIsamba-bugs@samba\&.org\fP
+then sending a level 3 log to \fIsamba@samba\&.org\fP
should allow it to be fixed\&.
.IP
.IP o
.IP 4\&.
Step 4: If the client has previously validated a
username/password pair with the server and the client has passed the
-validation token then that username is used\&. This step is skipped if
-\fB"revalidate = yes"\fP for this service\&.
+validation token then that username is used\&.
.IP
.IP 5\&.
Step 5: If a \fB"user = "\fP field is given in the
.PP
.IP
.IP o
+\fBadd user script\fP
+.IP
+.IP o
+\fBallow trusted domains\fP
+.IP
+.IP o
\fBannounce as\fP
.IP
.IP o
\fBdeadtime\fP
.IP
.IP o
+\fBdebug hires timestamp\fP
+.IP
+.IP o
+\fBdebug pid\fP
+.IP
+.IP o
\fBdebug timestamp\fP
.IP
.IP o
-\fBdebuglevel\fP
+\fBdebug uid\fP
+.IP
+.IP o
+\fBdebug level\fP
.IP
.IP o
\fBdefault\fP
\fBdefault service\fP
.IP
.IP o
+\fBdelete user script\fP
+.IP
+.IP o
\fBdfree command\fP
.IP
.IP o
\fBdomain admin users\fP
.IP
.IP o
-\fBdomain controller\fP
-.IP
-.IP o
-\fBdomain group map\fP
-.IP
-.IP o
\fBdomain groups\fP
.IP
.IP o
\fBdomain master\fP
.IP
.IP o
-\fBdomain user map\fP
-.IP
-.IP o
\fBencrypt passwords\fP
.IP
.IP o
\fBgetwd cache\fP
.IP
.IP o
+\fBhide local users\fP
+.IP
+.IP o
\fBhomedir map\fP
.IP
.IP o
\fBkernel oplocks\fP
.IP
.IP o
-\fBldap bind as\fP
+\fBldap filter\fP
+.IP
+.IP o
+\fBldap port\fP
.IP
.IP o
-\fBldap passwd file\fP
+\fBldap root\fP
.IP
.IP o
-\fBldap port\fP
+\fBldap root passwd\fP
.IP
.IP o
\fBldap server\fP
\fBload printers\fP
.IP
.IP o
-\fBlocal group map\fP
-.IP
-.IP o
\fBlocal master\fP
.IP
.IP o
\fBmangled stack\fP
.IP
.IP o
+\fBmap to guest\fP
+.IP
+.IP o
\fBmax disk size\fP
.IP
.IP o
\fBmessage command\fP
.IP
.IP o
+\fBmin passwd length\fP
+.IP
+.IP o
+\fBmin password length\fP
+.IP
+.IP o
\fBmin wins ttl\fP
.IP
.IP o
\fBnetbios name\fP
.IP
.IP o
+\fBnetbios scope\fP
+.IP
+.IP o
\fBnis homedir\fP
.IP
.IP o
+\fBnt acl support\fP
+.IP
+.IP o
\fBnt pipe support\fP
.IP
.IP o
\fBole locking compatibility\fP
.IP
.IP o
+\fBoplock break wait time\fP
+.IP
+.IP o
\fBos level\fP
.IP
.IP o
\fBprinter driver file\fP
.IP
.IP o
+\fBprivate dir\fP
+.IP
+.IP o
\fBprotocol\fP
.IP
.IP o
\fBremote browse sync\fP
.IP
.IP o
+\fBrestrict anonymous\fP
+.IP
+.IP o
\fBroot\fP
.IP
.IP o
\fBsocket options\fP
.IP
.IP o
+\fBsource environment\fP
+.IP
+.IP o
\fBssl\fP
.IP
.IP o
\fBsyslog only\fP
.IP
.IP o
+\fBtemplate homedir\fP
+.IP
+.IP o
+\fBtemplate shell\fP
+.IP
+.IP o
\fBtime offset\fP
.IP
.IP o
\fBusername map\fP
.IP
.IP o
+\fButmp directory\fP
+.IP
+.IP o
\fBvalid chars\fP
.IP
.IP o
+\fBwinbind cache time\fP
+.IP
+.IP o
+\fBwinbind gid\fP
+.IP
+.IP o
+\fBwinbind uid\fP
+.IP
+.IP o
+\fBwins hook\fP
+.IP
+.IP o
\fBwins proxy\fP
.IP
.IP o
\fBdirectory mode\fP
.IP
.IP o
+\fBdirectory security mask\fP
+.IP
+.IP o
\fBdont descend\fP
.IP
.IP o
\fBforce directory mode\fP
.IP
.IP o
+\fBforce directory security mode\fP
+.IP
+.IP o
\fBforce group\fP
.IP
.IP o
+\fBforce security mode\fP
+.IP
+.IP o
\fBforce user\fP
.IP
.IP o
\fBinclude\fP
.IP
.IP o
+\fBinherit permissions\fP
+.IP
+.IP o
\fBinvalid users\fP
.IP
.IP o
+\fBlevel2 oplocks\fP
+.IP
+.IP o
\fBlocking\fP
.IP
.IP o
\fBmangle case\fP
.IP
.IP o
+\fBmangle locks\fP
+.IP
+.IP o
\fBmangled map\fP
.IP
.IP o
\fBmap system\fP
.IP
.IP o
-\fBmap to guest\fP
-.IP
-.IP o
\fBmax connections\fP
.IP
.IP o
\fBonly user\fP
.IP
.IP o
+\fBoplock contention limit\fP
+.IP
+.IP o
\fBoplocks\fP
.IP
.IP o
\fBpreexec\fP
.IP
.IP o
+\fBpreexec close\fP
+.IP
+.IP o
\fBpreserve case\fP
.IP
.IP o
\fBprinter\fP
.IP
.IP o
+\fBprinter admin\fP
+.IP
+.IP o
\fBprinter driver\fP
.IP
.IP o
\fBread only\fP
.IP
.IP o
-\fBrevalidate\fP
-.IP
-.IP o
\fBroot postexec\fP
.IP
.IP o
\fBroot preexec\fP
.IP
.IP o
+\fBroot preexec close\fP
+.IP
+.IP o
+\fBsecurity mask\fP
+.IP
+.IP o
\fBset directory\fP
.IP
.IP o
\fBusers\fP
.IP
.IP o
+\fButmp\fP
+.IP
+.IP o
\fBvalid users\fP
.IP
.IP o
\fBwritable\fP
.IP
.IP o
+\fBwrite cache size\fP
+.IP
+.IP o
\fBwrite list\fP
.IP
.IP o
.SH "EXPLANATION OF EACH PARAMETER"
.PP
.IP
+.IP "\fBadd user script (G)\fP"
+.IP
+This is the full pathname to a script that will be run \fIAS ROOT\fP by
+\fBsmbd (8)\fP under special circumstances decribed
+below\&.
+.IP
+Normally, a Samba server requires that UNIX users are created for all
+users accessing files on this server\&. For sites that use Windows NT
+account databases as their primary user database creating these users
+and keeping the user list in sync with the Windows NT PDC is an
+onerous task\&. This option allows \fBsmbd\fP to create
+the required UNIX users \fION DEMAND\fP when a user accesses the Samba
+server\&.
+.IP
+In order to use this option, \fBsmbd\fP must be set to
+\fBsecurity=server\fP or
+\fBsecurity=domain\fP and \fB"add user script"\fP
+must be set to a full pathname for a script that will create a UNIX user
+given one argument of \fB%u\fP, which expands into the UNIX user name to
+create\&.
+.IP
+When the Windows user attempts to access the Samba server, at
+\fI"login"\fP(session setup in the SMB protocol) time,
+\fBsmbd\fP contacts the \fBpassword
+server\fP and attempts to authenticate the given user
+with the given password\&. If the authentication succeeds then
+\fBsmbd\fP attempts to find a UNIX user in the UNIX
+password database to map the Windows user into\&. If this lookup fails,
+and \fB"add user script"\fP is set then \fBsmbd\fP will
+call the specified script \fIAS ROOT\fP, expanding any \fB%u\fP argument
+to be the user name to create\&.
+.IP
+If this script successfully creates the user then
+\fBsmbd\fP will continue on as though the UNIX user
+already existed\&. In this way, UNIX users are dynamically created to
+match existing Windows NT accounts\&.
+.IP
+See also \fBsecurity=server\fP,
+\fBsecurity=domain\fP, \fBpassword
+server\fP, \fBdelete user
+script\fP\&.
+.IP
+\fBDefault:\fP
+\f(CW add user script = <empty string>\fP
+.IP
+\fBExample:\fP
+\f(CW add user script = /usr/local/samba/bin/add_user %u\fP
+.IP
.IP "\fBadmin users (S)\fP"
.IP
This is a list of users who will be granted administrative privileges
.IP
.IP "\fBallow hosts (S)\fP"
.IP
-A synonym for this parameter is \fB\'hosts allow\'\fP
-.IP
-This parameter is a comma, space, or tab delimited set of hosts which
-are permitted to access a service\&.
-.IP
-If specified in the \fB[global]\fP section then it will
-apply to all services, regardless of whether the individual service
-has a different setting\&.
-.IP
-You can specify the hosts by name or IP number\&. For example, you could
-restrict access to only the hosts on a Class C subnet with something
-like \f(CW"allow hosts = 150\&.203\&.5\&."\fP\&. The full syntax of the list is
-described in the man page \fBhosts_access (5)\fP\&. Note that this man
-page may not be present on your system, so a brief description will
-be given here also\&.
-.IP
-\fINOTE:\fP IF you wish to allow the \fBsmbpasswd
-(8)\fP program to be run by local users to change
-their Samba passwords using the local \fBsmbd (8)\fP
-daemon, then you \fIMUST\fP ensure that the localhost is listed in your
-\fBallow hosts\fP list, as \fBsmbpasswd (8)\fP runs
-in client-server mode and is seen by the local
-\fBsmbd\fP process as just another client\&.
-.IP
-You can also specify hosts by network/netmask pairs and by netgroup
-names if your system supports netgroups\&. The \fIEXCEPT\fP keyword can also
-be used to limit a wildcard list\&. The following examples may provide
-some help:
-.IP
-\fBExample 1\fP: allow localhost and all IPs in 150\&.203\&.*\&.* except one
-.IP
-\f(CW hosts allow = localhost, 150\&.203\&. EXCEPT 150\&.203\&.6\&.66\fP
-.IP
-\fBExample 2\fP: allow localhost and hosts that match the given network/netmask
+Synonym for \fBhosts allow\fP\&.
.IP
-\f(CW hosts allow = localhost, 150\&.203\&.15\&.0/255\&.255\&.255\&.0\fP
+.IP "\fBallow trusted domains (G)\fP"
.IP
-\fBExample 3\fP: allow a localhost plus a couple of hosts
+This option only takes effect when the \fBsecurity\fP
+option is set to \fBserver\fP or \fBdomain\fP\&. If it is set to no,
+then attempts to connect to a resource from a domain or workgroup other than
+the one which smbd is running in will fail, even if that domain
+is trusted by the remote server doing the authentication\&.
.IP
-\f(CW hosts allow = localhost, lapland, arvidsjaur\fP
-.IP
-\fBExample 4\fP: allow only hosts in NIS netgroup "foonet" or localhost, but
-deny access from one particular host
-.IP
-\f(CW hosts allow = @foonet, localhost\fP
-\f(CW hosts deny = pirate\fP
-.IP
-Note that access still requires suitable user-level passwords\&.
-.IP
-See \fBtestparm (1)\fP for a way of testing your
-host access to see if it does what you expect\&.
+This is useful if you only want your Samba server to serve resources
+to users in the domain it is a member of\&. As an example, suppose that there are
+two domains DOMA and DOMB\&. DOMB is trusted by DOMA, which contains
+the Samba server\&. Under normal circumstances, a user with an account
+in DOMB can then access the resources of a UNIX account with the same
+account name on the Samba server even if they do not have an account
+in DOMA\&. This can make implementing a security boundary difficult\&.
.IP
\fBDefault:\fP
-\f(CW none (i\&.e\&., all hosts permitted access)\fP
+\f(CW allow trusted domains = Yes\fP
.IP
\fBExample:\fP
-\f(CW allow hosts = 150\&.203\&.5\&. localhost myhost\&.mynet\&.edu\&.au\fP
+\f(CW allow trusted domains = No\fP
.IP
.IP "\fBalternate permissions (S)\fP"
.IP
.IP
This specifies what type of server \fBnmbd\fP will
announce itself as, to a network neighborhood browse list\&. By default
-this is set to Windows NT\&. The valid options are : "NT", "Win95" or
-"WfW" meaning Windows NT, Windows 95 and Windows for Workgroups
-respectively\&. Do not change this parameter unless you have a specific
-need to stop Samba appearing as an NT server as this may prevent Samba
-servers from participating as browser servers correctly\&.
+this is set to Windows NT\&. The valid options are : "NT", which is a
+synonym for "NT Server", "NT Server", "NT Workstation", "Win95" or
+"WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95
+and Windows for Workgroups respectively\&. Do not change this parameter
+unless you have a specific need to stop Samba appearing as an NT server
+as this may prevent Samba servers from participating as browser servers correctly\&.
.IP
\fBDefault:\fP
-\f(CW announce as = NT\fP
+\f(CW announce as = NT Server\fP
.IP
\fBExample\fP
\f(CW announce as = Win95\fP
other intermittent or non-broadcast network interfaces as it will not
cope with non-permanent interfaces\&.
.IP
-In addition, to change a users SMB password, the
-\fBsmbpasswd\fP by default connects to the
-\fI"localhost" - 127\&.0\&.0\&.1\fP address as an SMB client to issue the
-password change request\&. If \fB"bind interfaces only"\fP is set then
-unless the network address \fI127\&.0\&.0\&.1\fP is added to the
+If \fB"bind interfaces only"\fP is set then unless the network address
+\fI127\&.0\&.0\&.1\fP is added to the \fB\'interfaces\'\fP parameter
+list \fBsmbpasswd\fP and
+\fBswat\fP may not work as expected due to the
+reasons covered below\&.
+.IP
+To change a users SMB password, the \fBsmbpasswd\fP
+by default connects to the \fI"localhost" - 127\&.0\&.0\&.1\fP address as an SMB
+client to issue the password change request\&. If \fB"bind interfaces only"\fP
+is set then unless the network address \fI127\&.0\&.0\&.1\fP is added to the
\fB\'interfaces\'\fP parameter list then
\fBsmbpasswd\fP will fail to connect in it\'s
default mode\&. \fBsmbpasswd\fP can be forced to
\fB"remote machine"\fP set to the IP name of the primary interface
of the local host\&.
.IP
+The \fBswat\fP status page tries to connect with
+\fBsmbd\fP and \fBnmbd\fP at the address
+\fI127\&.0\&.0\&.1\fP to determine if they are running\&. Not adding \fI127\&.0\&.0\&.1\fP will cause
+\fBsmbd\fP and \fBnmbd\fP to always show
+"not running" even if they really are\&. This can prevent
+\fBswat\fP from starting/stopping/restarting
+\fBsmbd\fP and \fBnmbd\fP\&.
+.IP
\fBDefault:\fP
\f(CW bind interfaces only = False\fP
.IP
.IP o
\fBISO8859-5\fP Russian Cyrillic UNIX character set\&. The parameter
\fBclient code page\fP \fIMUST\fP be set to code
-page 866 if the \fBcharacter set\fP parameter is set to ISO8859-2
+page 866 if the \fBcharacter set\fP parameter is set to ISO8859-5
+in order for the conversion to the UNIX character set to be done
+correctly\&.
+.IP
+.IP o
+\fBISO8859-7\fP Greek UNIX character set\&. The parameter
+\fBclient code page\fP \fIMUST\fP be set to code
+page 737 if the \fBcharacter set\fP parameter is set to ISO8859-7
in order for the conversion to the UNIX character set to be done
correctly\&.
.IP
for forcing particular mode bits to be set on created files\&. See also
the \fB"directory mode"\fP parameter for masking
mode bits on created directories\&.
+See also the \fB"inherit permissions"\fP parameter\&.
.IP
\fBDefault:\fP
\f(CW create mask = 0744\fP
\fBExample:\fP
\f(CW deadtime = 15\fP
.IP
+.IP "\fBdebug hires timestamp (G)\fP"
+.IP
+Sometimes the timestamps in the log messages are needed with a
+resolution of higher that seconds, this boolean parameter adds
+microsecond resolution to the timestamp message header when turned on\&.
+.IP
+Note that the parameter \fBdebug timestamp\fP
+must be on for this to have an effect\&.
+.IP
+\fBDefault:\fP
+\f(CW debug hires timestamp = No\fP
+.IP
+\fBExample:\fP
+\f(CW debug hires timestamp = Yes\fP
+.IP
.IP "\fBdebug timestamp (G)\fP"
.IP
Samba2\&.0 debug log messages are timestamped by default\&. If you are
running at a high \fB"debug level"\fP these timestamps
-can be distracting\&. This boolean parameter allows them to be turned
+can be distracting\&. This boolean parameter allows timestamping to be turned
off\&.
.IP
\fBDefault:\fP
\fBExample:\fP
\f(CW debug timestamp = No\fP
.IP
+.IP "\fBdebug pid (G)\fP"
+.IP
+When using only one log file for more then one forked smbd-process
+there may be hard to follow which process outputs which message\&.
+This boolean parameter is adds the process-id to the timestamp message
+headers in the logfile when turned on\&.
+.IP
+Note that the parameter \fBdebug timestamp\fP
+must be on for this to have an effect\&.
+.IP
+\fBDefault:\fP
+\f(CW debug pid = No\fP
+.IP
+\fBExample:\fP
+\f(CW debug pid = Yes\fP
+.IP
+.IP "\fBdebug uid (G)\fP"
+.IP
+Samba is sometimes run as root and sometime run as the connected
+user, this boolean parameter inserts the current euid, egid, uid
+and gid to the timestamp message headers in the log file if turned on\&.
+.IP
+Note that the parameter \fBdebug timestamp\fP
+must be on for this to have an effect\&.
+.IP
+\fBDefault:\fP
+\f(CW debug uid = No\fP
+.IP
+\fBExample:\fP
+\f(CW debug uid = Yes\fP
+.IP
.IP "\fBdebug level (G)\fP"
.IP
The value of the parameter (an integer) allows the debug level
.IP
\fBExample:\fP
-.DS
+.nf
default service = pub
[pub]
path = /%S
-.DE
+.fi
+.IP
+.IP "\fBdelete user script (G)\fP"
+.IP
+This is the full pathname to a script that will be run \fIAS ROOT\fP by
+\fBsmbd (8)\fP under special circumstances decribed
+below\&.
+.IP
+Normally, a Samba server requires that UNIX users are created for all
+users accessing files on this server\&. For sites that use Windows NT
+account databases as their primary user database creating these users
+and keeping the user list in sync with the Windows NT PDC is an
+onerous task\&. This option allows \fBsmbd\fP to delete
+the required UNIX users \fION DEMAND\fP when a user accesses the Samba
+server and the Windows NT user no longer exists\&.
+.IP
+In order to use this option, \fBsmbd\fP must be set to
+\fBsecurity=domain\fP and \fB"delete user
+script"\fP must be set to a full pathname for a script that will delete
+a UNIX user given one argument of \fB%u\fP, which expands into the UNIX
+user name to delete\&. \fINOTE\fP that this is different to the
+\fBadd user script\fP which will work with the
+\fBsecurity=server\fP option as well as
+\fBsecurity=domain\fP\&. The reason for this
+is only when Samba is a domain member does it get the information
+on an attempted user logon that a user no longer exists\&. In the
+\fBsecurity=server\fP mode a missing user
+is treated the same as an invalid password logon attempt\&. Deleting
+the user in this circumstance would not be a good idea\&.
+.IP
+When the Windows user attempts to access the Samba server, at
+\fI"login"\fP(session setup in the SMB protocol) time,
+\fBsmbd\fP contacts the \fBpassword
+server\fP and attempts to authenticate the given user
+with the given password\&. If the authentication fails with the specific
+Domain error code meaning that the user no longer exists then
+\fBsmbd\fP attempts to find a UNIX user in the UNIX
+password database that matches the Windows user account\&. If this lookup succeeds,
+and \fB"delete user script"\fP is set then \fBsmbd\fP will
+call the specified script \fIAS ROOT\fP, expanding any \fB%u\fP argument
+to be the user name to delete\&.
+.IP
+This script should delete the given UNIX username\&. In this way, UNIX
+users are dynamically deleted to match existing Windows NT accounts\&.
+.IP
+See also \fBsecurity=domain\fP,
+\fBpassword server\fP, \fBadd user
+script\fP\&.
+.IP
+\fBDefault:\fP
+\f(CW delete user script = <empty string>\fP
+.IP
+\fBExample:\fP
+\f(CW delete user script = /usr/local/samba/bin/del_user %u\fP
.IP
.IP "\fBdelete readonly (S)\fP"
.IP
.IP
.IP "\fBdeny hosts (S)\fP"
.IP
-The opposite of \fB\'allow hosts\'\fP - hosts listed
-here are \fINOT\fP permitted access to services unless the specific
-services have their own lists to override this one\&. Where the lists
-conflict, the \fB\'allow\'\fP list takes precedence\&.
-.IP
-\fBDefault:\fP
-\f(CW none (i\&.e\&., no hosts specifically excluded)\fP
-.IP
-\fBExample:\fP
-\f(CW deny hosts = 150\&.203\&.4\&. badhost\&.mynet\&.edu\&.au\fP
+Synonym for \fBhosts deny\fP\&.
.IP
.IP "\fBdfree command (G)\fP"
.IP
Where the script dfree (which must be made executable) could be:
.IP
-.DS
+.nf
#!/bin/sh
df $1 | tail -1 | awk \'{print $2" "$4}\'
-.DE
+.fi
.IP
or perhaps (on Sys V based systems):
.IP
-.DS
+.nf
#!/bin/sh
/usr/bin/df -k $1 | tail -1 | awk \'{print $3" "$5}\'
-.DE
+.fi
.IP
to cause particular mode bits to always be set on created directories\&.
.IP
See also the \fB"create mode"\fP parameter for masking
-mode bits on created files\&.
+mode bits on created files, and the \fB"directory security mask"\fP
+parameter\&.
+.IP
+See also the \fB"inherit permissions"\fP parameter\&.
.IP
\fBDefault:\fP
\f(CW directory mask = 0755\fP
.IP
Synonym for \fBdirectory mask\fP\&.
.IP
+.IP "\fBdirectory security mask (S)\fP"
+.IP
+This parameter controls what UNIX permission bits can be modified
+when a Windows NT client is manipulating the UNIX permission on a
+directory using the native NT security dialog box\&.
+.IP
+This parameter is applied as a mask (AND\'ed with) to the changed
+permission bits, thus preventing any bits not in this mask from
+being modified\&. Essentially, zero bits in this mask may be treated
+as a set of bits the user is not allowed to change\&.
+.IP
+If not set explicitly this parameter is set to the same value as the
+\fBdirectory mask\fP parameter\&. To allow a user to
+modify all the user/group/world permissions on a directory, set this
+parameter to 0777\&.
+.IP
+\fINote\fP that users who can access the Samba server through other
+means can easily bypass this restriction, so it is primarily
+useful for standalone "appliance" systems\&. Administrators of
+most normal systems will probably want to set it to 0777\&.
+.IP
+See also the \fBforce directory security
+mode\fP, \fBsecurity
+mask\fP, \fBforce security mode\fP
+parameters\&.
+.IP
+\fBDefault:\fP
+\f(CW directory security mask = <same as directory mask>\fP
+.IP
+\fBExample:\fP
+\f(CW directory security mask = 0777\fP
+.IP
.IP "\fBdns proxy (G)\fP"
.IP
Specifies that \fBnmbd\fP when acting as a WINS
\fBdomain admin group (G)\fP
.IP
This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It has been removed as of November 98\&.
+Samba NT Domain Controller Code\&. It may be removed in a later release\&.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by sending email to
-\fIlistproc@samba\&.org\fP
+mailing list \fBSamba-ntdom\fP available by visiting the web page at
+http://lists\&.samba\&.org/
.IP
.IP "\fBdomain admin users (G)\fP"
.IP
This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It has been removed as of November 98\&.
+Samba NT Domain Controller Code\&. It may be removed in a later release\&.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by sending email to
-\fIlistproc@samba\&.org\fP
-.IP
-.IP "\fBdomain controller (G)\fP"
-.IP
-This is a \fBDEPRECATED\fP parameter\&. It is currently not used within
-the Samba source and should be removed from all current smb\&.conf
-files\&. It is left behind for compatibility reasons\&.
-.IP
-.IP "\fBdomain group map (G)\fP"
-.IP
-This option allows you to specify a file containing unique mappings
-of individual NT Domain Group names (in any domain) to UNIX group
-names\&. This allows NT domain groups to be presented correctly to
-NT users, despite the lack of native support for the NT Security model
-(based on VAX/VMS) in UNIX\&. The reader is advised to become familiar
-with the NT Domain system and its administration\&.
-.IP
-This option is used in conjunction with \fB\'local group map\'\fP
-and \fB\'domain user map\'\fP\&. The use of these three
-options is trivial and often unnecessary in the case where Samba is
-not expected to interact with any other SAM databases (whether local
-workstations or Domain Controllers)\&.
-.IP
-The map file is parsed line by line\&. If any line begins with a \f(CW\'#\'\fP
-or a \f(CW\';\'\fP then it is ignored\&. Each line should contain a single UNIX
-group name on the left then a single NT Domain Group name on the right,
-separated by a tabstop or \f(CW\'=\'\fP\&. If either name contains spaces then
-it should be enclosed in quotes\&.
-The line can be either of the form:
-.IP
-\f(CW UNIXgroupname \e\eDOMAIN_NAME\e\eDomainGroupName \fP
-.IP
-or:
-.IP
-\f(CW UNIXgroupname DomainGroupName \fP
-.IP
-In the case where Samba is either an \fBEXPERIMENTAL\fP Domain Controller
-or it is a member of a domain using \fB"security = domain"\fP,
-the latter format can be used: the default Domain name is the Samba Server\'s
-Domain name, specified by \fB"workgroup = MYGROUP"\fP\&.
-.IP
-Any UNIX groups that are \fINOT\fP specified in this map file are assumed to
-be either Local or Domain Groups, depending on the role of the Samba Server\&.
-.IP
-In the case when Samba is an \fBEXPERIMENTAL\fP Domain Controller, Samba
-will present \fIALL\fP such unspecified UNIX groups as its own NT Domain
-Groups, with the same name\&.
-.IP
-In the case where Samba is member of a domain using
-\fB"security = domain"\fP, Samba will check the UNIX name with
-its Domain Controller (see \fB"password server"\fP)
-as if it was an NT Domain Group\&. If the Domain Controller says that it is not,
-such unspecified (unmapped) UNIX groups which also are not NT Domain
-Groups are treated as Local Groups in the Samba Server\'s local SAM database\&.
-NT Administrators will recognise these as Workstation Local Groups,
-which are managed by running \fBUSRMGR\&.EXE\fP and selecting a remote
-Domain named "\e\eWORKSTATION_NAME", or by running \fBMUSRMGR\&.EXE\fP on
-a local Workstation\&.
-.IP
-This may sound complicated, but it means that a Samba Server as
-either a member of a domain or as an \fBEXPERIMENTAL\fP Domain Controller
-will act like an NT Workstation (with a local SAM database) or an NT PDC
-(with a Domain SAM database) respectively, without the need for any of
-the map files at all\&. If you \fBwant\fP to get fancy, however, you can\&.
-.IP
-Note that adding an entry to map an arbitrary NT group in an arbitrary
-Domain to an arbitrary UNIX group \fIREQUIRES\fP the following:
-.IP
-.IP
-.IP o
-that the UNIX group exists on the UNIX server\&.
-.IP
-.IP o
-that the NT Domain Group exists in the specified NT Domain
-.IP
-.IP o
-that the UNIX Server knows about the specified Domain;
-.IP
-.IP o
-that all the UNIX users (who are expecting to access the Samba
-Server as the correct NT user and with the correct NT group permissions)
-in the UNIX group be mapped to the correct NT Domain users in the specified
-NT Domain using \fB\'domain user map\'\fP\&.
-.IP
-.IP
-Failure to meet any of these requirements may result in either (or
-both) errors reported in the log files or (and) incorrect or missing
-access rights granted to users\&.
+mailing list \fBSamba-ntdom\fP available by visiting the web page at
+http://lists\&.samba\&.org/
.IP
.IP "\fBdomain groups (G)\fP"
.IP
This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It has been removed as of November 98\&.
+Samba NT Domain Controller Code\&. It may be removed in a later release\&.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by sending email to
-\fIlistproc@samba\&.org\fP
+mailing list \fBSamba-ntdom\fP available by visiting the web page at
+http://lists\&.samba\&.org/
.IP
.IP "\fBdomain guest group (G)\fP"
.IP
This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It has been removed as of November 98\&.
+Samba NT Domain Controller Code\&. It may be removed in a later release\&.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by sending email to
-\fIlistproc@samba\&.org\fP
+mailing list \fBSamba-ntdom\fP available by visiting the web page at
+http://lists\&.samba\&.org/
.IP
.IP "\fBdomain guest users (G)\fP"
.IP
This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It has been removed as of November 98\&.
+Samba NT Domain Controller Code\&. It may be removed in a later release\&.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by sending email to
-\fIlistproc@samba\&.org\fP
+mailing list \fBSamba-ntdom\fP available by visiting the web page at
+http://lists\&.samba\&.org/
.IP
.IP "\fBdomain logons (G)\fP"
.IP
PDC is able to do so then cross subnet browsing will behave strangely
and may fail\&.
.IP
-By default ("auto") Samba will attempt to become the domain master
-browser only if it is the Primary Domain Controller\&.
-.IP
\fBDefault:\fP
-\f(CW domain master = auto\fP
-.IP
-\fBExample:\fP
\f(CW domain master = no\fP
.IP
-.IP "\fBdomain user map (G)\fP"
-.IP
-This option allows you to specify a file containing unique mappings
-of individual NT Domain User names (in any domain) to UNIX user
-names\&. This allows NT domain users to be presented correctly to
-NT systems, despite the lack of native support for the NT Security model
-(based on VAX/VMS) in UNIX\&. The reader is advised to become familiar
-with the NT Domain system and its administration\&.
-.IP
-This option is used in conjunction with \fB\'local group map\'\fP
-and \fB\'domain group map\'\fP\&. The use of these three
-options is trivial and often unnecessary in the case where Samba is
-not expected to interact with any other SAM databases (whether local
-workstations or Domain Controllers)\&.
-.IP
-This option, which provides (and maintains) a one-to-one link between
-UNIX and NT users, is \fIDIFFERENT\fP from \fB\'username map\'\fP, which does \fINOT\fP maintain a distinction between the
-name(s) it can map to and the name it maps\&.
-.IP
-The map file is parsed line by line\&. If any line begins with a \f(CW\'#\'\fP
-or a \f(CW\';\'\fP then the line is ignored\&. Each line should contain a single UNIX
-user name on the left then a single NT Domain User name on the right,
-separated by a tabstop or \f(CW\'=\'\fP\&. If either name contains spaces then
-it should be enclosed in quotes\&.
-The line can be either of the form:
-.IP
-\f(CW UNIXusername \e\eDOMAIN_NAME\e\eDomainUserName \fP
-.IP
-or:
-.IP
-\f(CW UNIXusername DomainUserName \fP
-.IP
-In the case where Samba is either an \fBEXPERIMENTAL\fP Domain Controller
-or it is a member of a domain using \fB"security = domain"\fP,
-the latter format can be used: the default Domain name is the Samba Server\'s
-Domain name, specified by \fB"workgroup = MYGROUP"\fP\&.
-.IP
-Any UNIX users that are \fINOT\fP specified in this map file are assumed
-to be either Domain or Workstation Users, depending on the role of the
-Samba Server\&.
-.IP
-In the case when Samba is an \fBEXPERIMENTAL\fP Domain Controller, Samba
-will present \fIALL\fP such unspecified UNIX users as its own NT Domain
-Users, with the same name\&.
-.IP
-In the case where Samba is a member of a domain using
-\fB"security = domain"\fP, Samba will check the UNIX name with
-its Domain Controller (see \fB"password server"\fP)
-as if it was an NT Domain User\&. If the Domain Controller says that it is not,
-such unspecified (unmapped) UNIX users which also are not NT Domain
-Users are treated as Local Users in the Samba Server\'s local SAM database\&.
-NT Administrators will recognise these as Workstation Users,
-which are managed by running \fBUSRMGR\&.EXE\fP and selecting a remote
-Domain named "\e\eWORKSTATION_NAME", or by running \fBMUSRMGR\&.EXE\fP on
-a local Workstation\&.
-.IP
-This may sound complicated, but it means that a Samba Server as
-either a member of a domain or as an \fBEXPERIMENTAL\fP Domain Controller
-will act like an NT Workstation (with a local SAM database) or an NT PDC
-(with a Domain SAM database) respectively, without the need for any of
-the map files at all\&. If you \fBwant\fP to get fancy, however, you can\&.
-.IP
-Note that adding an entry to map an arbitrary NT User in an arbitrary
-Domain to an arbitrary UNIX user \fIREQUIRES\fP the following:
-.IP
-.IP
-.IP o
-that the UNIX user exists on the UNIX server\&.
-.IP
-.IP o
-that the NT Domain User exists in the specified NT Domain\&.
-.IP
-.IP o
-that the UNIX Server knows about the specified Domain\&.
-.IP
-.IP
-Failure to meet any of these requirements may result in either (or
-both) errors reported in the log files or (and) incorrect or missing
-access rights granted to users\&.
-.IP
.IP "\fBdont descend (S)\fP"
.IP
There are certain directories on some systems (e\&.g\&., the \f(CW/proc\fP tree
.IP "\fBforce create mode (S)\fP"
.IP
This parameter specifies a set of UNIX mode bit permissions that will
-\fI*always*\fP be set on a file created by Samba\&. This is done by
-bitwise \'OR\'ing these bits onto the mode bits of a file that is being
-created\&. The default for this parameter is (in octal) 000\&. The modes
-in this parameter are bitwise \'OR\'ed onto the file mode after the mask
-set in the \fB"create mask"\fP parameter is applied\&.
+\fI*always*\fP be set on a file by Samba\&. This is done by bitwise
+\'OR\'ing these bits onto the mode bits of a file that is being created
+or having its permissions changed\&. The default for this parameter is
+(in octal) 000\&. The modes in this parameter are bitwise \'OR\'ed onto
+the file mode after the mask set in the \fB"create
+mask"\fP parameter is applied\&.
.IP
See also the parameter \fB"create mask"\fP for details
-on masking mode bits on created files\&.
+on masking mode bits on files\&.
+.IP
+See also the \fB"inherit permissions"\fP parameter\&.
.IP
\fBDefault:\fP
\f(CW force create mode = 000\fP
See also the parameter \fB"directory mask"\fP for
details on masking mode bits on created directories\&.
.IP
+See also the \fB"inherit permissions"\fP parameter\&.
+.IP
\fBDefault:\fP
\f(CW force directory mode = 000\fP
.IP
permissions set for \'group\' and \'other\' as well as the
read/write/execute bits set for the \'user\'\&.
.IP
+.IP "\fBforce directory security mode (S)\fP"
+.IP
+This parameter controls what UNIX permission bits can be modified when
+a Windows NT client is manipulating the UNIX permission on a directory
+using the native NT security dialog box\&.
+.IP
+This parameter is applied as a mask (OR\'ed with) to the changed
+permission bits, thus forcing any bits in this mask that the user may
+have modified to be on\&. Essentially, one bits in this mask may be
+treated as a set of bits that, when modifying security on a directory,
+the user has always set to be \'on\'\&.
+.IP
+If not set explicitly this parameter is set to the same value as the
+\fBforce directory mode\fP parameter\&. To allow
+a user to modify all the user/group/world permissions on a directory,
+with restrictions set this parameter to 000\&.
+.IP
+\fINote\fP that users who can access the Samba server through other
+means can easily bypass this restriction, so it is primarily
+useful for standalone "appliance" systems\&. Administrators of
+most normal systems will probably want to set it to 0000\&.
+.IP
+See also the \fBdirectory security mask\fP,
+\fBsecurity mask\fP, \fBforce security
+mode\fP parameters\&.
+.IP
+\fBDefault:\fP
+\f(CW force directory security mode = <same as force directory mode>\fP
+.IP
+\fBExample:\fP
+\f(CW force directory security mode = 0\fP
+.IP
.IP "\fBforce group (S)\fP"
.IP
This specifies a UNIX group name that will be assigned as the default
service the Samba administrator can restrict or allow sharing of these
files\&.
.IP
+In Samba 2\&.0\&.5 and above this parameter has extended functionality in the following
+way\&. If the group name listed here has a \'+\' character prepended to it
+then the current user accessing the share only has the primary group
+default assigned to this group if they are already assigned as a member
+of that group\&. This allows an administrator to decide that only users
+who are already in a particular group will create files with group
+ownership set to that group\&. This gives a finer granularity of ownership
+assignment\&. For example, the setting \f(CWforce group = +sys\fP means
+that only users who are already in group sys will have their default
+primary group assigned to sys when accessing this Samba share\&. All
+other users will retain their ordinary primary group\&.
+.IP
+If the \fB"force user"\fP parameter is also set the
+group specified in \fBforce group\fP will override the primary group
+set in \fB"force user"\fP\&.
+.IP
+See also \fB"force user"\fP
+.IP
\fBDefault:\fP
\f(CW no forced group\fP
.IP
\fBExample:\fP
\f(CW force group = agroup\fP
.IP
+.IP "\fBforce security mode (S)\fP"
+.IP
+This parameter controls what UNIX permission bits can be modified when
+a Windows NT client is manipulating the UNIX permission on a file
+using the native NT security dialog box\&.
+.IP
+This parameter is applied as a mask (OR\'ed with) to the changed
+permission bits, thus forcing any bits in this mask that the user may
+have modified to be on\&. Essentially, one bits in this mask may be
+treated as a set of bits that, when modifying security on a file, the
+user has always set to be \'on\'\&.
+.IP
+If not set explicitly this parameter is set to the same value as the
+\fBforce create mode\fP parameter\&. To allow
+a user to modify all the user/group/world permissions on a file,
+with no restrictions set this parameter to 000\&.
+.IP
+\fINote\fP that users who can access the Samba server through other
+means can easily bypass this restriction, so it is primarily
+useful for standalone "appliance" systems\&. Administrators of
+most normal systems will probably want to set it to 0000\&.
+.IP
+See also the \fBforce directory security
+mode\fP, \fBdirectory security
+mask\fP, \fBsecurity mask\fP
+parameters\&.
+.IP
+\fBDefault:\fP
+\f(CW force security mode = <same as force create mode>\fP
+.IP
+\fBExample:\fP
+\f(CW force security mode = 0\fP
+.IP
.IP "\fBforce user (S)\fP"
.IP
This specifies a UNIX user name that will be assigned as the default
.IP
This can be very useful\&.
.IP
+In Samba 2\&.0\&.5 and above this parameter also causes the primary
+group of the forced user to be used as the primary group for all
+file activity\&. Prior to 2\&.0\&.5 the primary group was left as the
+primary group of the connecting user (this was a bug)\&.
+.IP
+See also \fB"force group"\fP
+.IP
\fBDefault:\fP
\f(CW no forced user\fP
.IP
.IP
\fBDefault\fP
-.DS
+.nf
No files or directories are hidden by this option (dot files are
hidden by default because of the "hide dot files" option)\&.
-.DE
+.fi
.IP
(DAVE) available from \fBThursby\fP creates for
internal use, and also still hides all files beginning with a dot\&.
.IP
+.IP "\fBhide local users(G)\fP"
+.IP
+This parameter toggles the hiding of local UNIX users (root, wheel, floppy, etc)
+from remote clients\&.
+.IP
+\fBDefault:\fP
+\f(CW hide local users = No\fP
+.IP
+\fBExample:\fP
+\f(CW hide local users = Yes\fP
+.IP
.IP "\fBhomedir map (G)\fP"
.IP
If \fB"nis homedir"\fP is true, and
.IP
.IP "\fBhosts allow (S)\fP"
.IP
-Synonym for \fBallow hosts\fP\&.
+A synonym for this parameter is \fB\'allow hosts\'\fP
+.IP
+This parameter is a comma, space, or tab delimited set of hosts which
+are permitted to access a service\&.
+.IP
+If specified in the \fB[global]\fP section then it will
+apply to all services, regardless of whether the individual service
+has a different setting\&.
+.IP
+You can specify the hosts by name or IP number\&. For example, you could
+restrict access to only the hosts on a Class C subnet with something
+like \f(CW"allow hosts = 150\&.203\&.5\&."\fP\&. The full syntax of the list is
+described in the man page \fBhosts_access (5)\fP\&. Note that this man
+page may not be present on your system, so a brief description will
+be given here also\&.
+.IP
+Note that the localhost address 127\&.0\&.0\&.1 will always be allowed
+access unless specifically denied by a "hosts deny" option\&.
+.IP
+You can also specify hosts by network/netmask pairs and by netgroup
+names if your system supports netgroups\&. The \fIEXCEPT\fP keyword can also
+be used to limit a wildcard list\&. The following examples may provide
+some help:
+.IP
+\fBExample 1\fP: allow all IPs in 150\&.203\&.*\&.* except one
+.IP
+\f(CW hosts allow = 150\&.203\&. EXCEPT 150\&.203\&.6\&.66\fP
+.IP
+\fBExample 2\fP: allow hosts that match the given network/netmask
+.IP
+\f(CW hosts allow = 150\&.203\&.15\&.0/255\&.255\&.255\&.0\fP
+.IP
+\fBExample 3\fP: allow a couple of hosts
+.IP
+\f(CW hosts allow = lapland, arvidsjaur\fP
+.IP
+\fBExample 4\fP: allow only hosts in NIS netgroup "foonet", but
+deny access from one particular host
+.IP
+\f(CW hosts allow = @foonet\fP
+.IP
+\f(CW hosts deny = pirate\fP
+.IP
+Note that access still requires suitable user-level passwords\&.
+.IP
+See \fBtestparm (1)\fP for a way of testing your
+host access to see if it does what you expect\&.
+.IP
+\fBDefault:\fP
+\f(CW none (i\&.e\&., all hosts permitted access)\fP
+.IP
+\fBExample:\fP
+\f(CW allow hosts = 150\&.203\&.5\&. myhost\&.mynet\&.edu\&.au\fP
.IP
.IP "\fBhosts deny (S)\fP"
.IP
-Synonym for \fBdenyhosts\fP\&.
+The opposite of \fB\'hosts allow\'\fP - hosts listed
+here are \fINOT\fP permitted access to services unless the specific
+services have their own lists to override this one\&. Where the lists
+conflict, the \fB\'allow\'\fP list takes precedence\&.
+.IP
+\fBDefault:\fP
+\f(CW none (i\&.e\&., no hosts specifically excluded)\fP
+.IP
+\fBExample:\fP
+\f(CW hosts deny = 150\&.203\&.4\&. badhost\&.mynet\&.edu\&.au\fP
.IP
.IP "\fBhosts equiv (G)\fP"
.IP
of a file to read for the names of hosts and users who will be allowed
access without specifying a password\&.
.IP
-This is not be confused with \fBallow hosts\fP which
+This is not be confused with \fBhosts allow\fP which
is about hosts access to services and is more useful for guest
services\&. \fBhosts equiv\fP may be useful for NT clients which will not
supply passwords to samba\&.
.IP
.IP "\fBinclude (G)\fP"
.IP
-This allows you to include one config file inside another\&. The file
-is included literally, as though typed in place\&.
+This allows you to include one config file inside another\&. The file
+is included literally, as though typed in place\&.
+.IP
+It takes the standard substitutions, except \fB%u\fP,
+\fB%P\fP and \fB%S\fP\&.
+.IP
+.IP "\fBinherit permissions (S)\fP"
+.IP
+The permissions on new files and directories are normally governed by
+\fB"create mask"\fP,
+\fB"directory mask"\fP,
+\fB"force create mode"\fP and
+\fB"force directory mode"\fP
+but the boolean inherit permissions parameter overrides this\&.
+.IP
+New directories inherit the mode of the parent directory,
+including bits such as setgid\&.
+.IP
+New files inherit their read/write bits from the parent directory\&.
+Their execute bits continue to be determined by
+\fB"map archive"\fP,
+\fB"map hidden"\fP and
+\fB"map system"\fP as usual\&.
+.IP
+Note that the setuid bit is *never* set via inheritance
+(the code explicitly prohibits this)\&.
+.IP
+This can be particularly useful on large systems with many users,
+perhaps several thousand,
+to allow a single \fB[homes]\fP share to be used flexibly by each user\&.
+.IP
+See also \fB"create mask"\fP, \fB"directory mask"\fP,
+\fB"force create mode"\fP and
+\fB"force directory mode"\fP\&.
+.IP
+\fBDefault\fP
+\f(CW inherit permissions = no\fP
.IP
-It takes the standard substitutions, except \fB%u\fP,
-\fB%P\fP and \fB%S\fP\&.
+\fBExample\fP
+\f(CW inherit permissions = yes\fP
.IP
.IP "\fBinterfaces (G)\fP"
.IP
-This option allows you to setup multiple network interfaces, so that
-Samba can properly handle browsing on all interfaces\&.
+This option allows you to override the default network interfaces list
+that Samba will use for browsing, name registration and other NBT
+traffic\&. By default Samba will query the kernel for the list of all
+active interfaces and use any interfaces except 127\&.0\&.0\&.1 that are
+broadcast capable\&.
.IP
-The option takes a list of ip/netmask pairs\&. The netmask may either be
-a bitmask, or a bitlength\&.
-.IP
-For example, the following line:
+The option takes a list of interface strings\&. Each string can be in
+any of the following forms:
.IP
-\f(CWinterfaces = 192\&.168\&.2\&.10/24 192\&.168\&.3\&.10/24\fP
+.IP o
+a network interface name (such as eth0)\&. This may include
+shell-like wildcards so eth* will match any interface starting
+with the substring "eth"
+.IP o
+an IP address\&. In this case the netmask is determined
+from the list of interfaces obtained from the kernel
+.IP o
+an IP/mask pair\&.
+.IP o
+a broadcast/mask pair\&.
.IP
-would configure two network interfaces with IP addresses 192\&.168\&.2\&.10
-and 192\&.168\&.3\&.10\&. The netmasks of both interfaces would be set to
-255\&.255\&.255\&.0\&.
+The "mask" parameters can either be a bit length (such as 24 for a C
+class network) or a full netmask in dotted decmal form\&.
.IP
-You could produce an equivalent result by using:
+The "IP" parameters above can either be a full dotted decimal IP
+address or a hostname which will be looked up via the OSes normal
+hostname resolution mechanisms\&.
.IP
-\f(CWinterfaces = 192\&.168\&.2\&.10/255\&.255\&.255\&.0 192\&.168\&.3\&.10/255\&.255\&.255\&.0\fP
+For example, the following line:
.IP
-if you prefer that format\&.
+\f(CWinterfaces = eth0 192\&.168\&.2\&.10/24 192\&.168\&.3\&.10/255\&.255\&.255\&.0\fP
.IP
-If this option is not set then Samba will attempt to find a primary
-interface, but won\'t attempt to configure more than one interface\&.
+would configure three network interfaces corresponding to the eth0
+device and IP addresses 192\&.168\&.2\&.10 and 192\&.168\&.3\&.10\&. The netmasks of
+the latter two interfaces would be set to 255\&.255\&.255\&.0\&.
.IP
See also \fB"bind interfaces only"\fP\&.
.IP
if you strike difficulties\&.
.IP
\fBDefault:\fP
-\f(CW keep alive = 0\fP
+\f(CW keepalive = 0\fP
.IP
\fBExample:\fP
-\f(CW keep alive = 60\fP
+\f(CW keepalive = 60\fP
.IP
.IP "\fBkernel oplocks (G)\fP"
.IP
and \fI"off"\fP on systems that don\'t\&. You should never need to touch
this parameter\&.
.IP
-.IP "\fBldap bind as (G)\fP"
+See also the \fB"oplocks"\fP and \fB"level2 oplocks"\fP
+parameters\&.
+.IP
+.IP "\fBldap filter (G)\fP"
.IP
This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
-password database stored on an LDAP server\&. These options are only
-available if your version of Samba was configured with the \fB--with-ldap\fP
-option\&.
+password database stored on an LDAP server back-end\&. These options
+are only available if your version of Samba was configured with
+the \fB--with-ldap\fP option\&.
.IP
-This parameter specifies the entity to bind to an LDAP directory as\&.
-Usually it should be safe to use the LDAP root account; for larger
-installations it may be preferable to restrict Samba\'s access\&. See also
-\fBldap passwd file\fP\&.
+This parameter specifies an LDAP search filter used to search for a
+user name in the LDAP database\&. It must contain the string
+\fB%u\fP which will be replaced with the user being
+searched for\&.
.IP
\fBDefault:\fP
-\f(CW none (bind anonymously)\fP
-.IP
-\fBExample:\fP
-\f(CW ldap bind as = "uid=root, dc=mydomain, dc=org"\fP
+\f(CW empty string\&.\fP
.IP
-.IP "\fBldap passwd file (G)\fP"
+.IP "\fBldap port (G)\fP"
.IP
This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
-password database stored on an LDAP server\&. These options are only
-available if your version of Samba was configured with the \fB--with-ldap\fP
-option\&.
+password database stored on an LDAP server back-end\&. These options
+are only available if your version of Samba was configured with
+the \fB--with-ldap\fP option\&.
.IP
-This parameter specifies a file containing the password with which
-Samba should bind to an LDAP server\&. For obvious security reasons
-this file must be set to mode 700 or less\&.
+This parameter specifies the TCP port number to use to contact
+the LDAP server on\&.
.IP
\fBDefault:\fP
-\f(CW none (bind anonymously)\fP
+\f(CW ldap port = 389\&.\fP
.IP
-\fBExample:\fP
-\f(CW ldap passwd file = /usr/local/samba/private/ldappasswd\fP
+.IP "\fBldap root (G)\fP"
.IP
-.IP "\fBldap port (G)\fP"
+This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
+password database stored on an LDAP server back-end\&. These options
+are only available if your version of Samba was configured with
+the \fB--with-ldap\fP option\&.
+.IP
+This parameter specifies the entity to bind to the LDAP server
+as (essentially the LDAP username) in order to be able to perform
+queries and modifications on the LDAP database\&.
+.IP
+See also \fBldap root passwd\fP\&.
+.IP
+\fBDefault:\fP
+\f(CW empty string (no user defined)\fP
+.IP
+.IP "\fBldap root passwd (G)\fP"
.IP
This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
-password database stored on an LDAP server\&. These options are only
-available if your version of Samba was configured with the \fB--with-ldap\fP
-option\&.
+password database stored on an LDAP server back-end\&. These options
+are only available if your version of Samba was configured with
+the \fB--with-ldap\fP option\&.
+.IP
+This parameter specifies the password for the entity to bind to the
+LDAP server as (the password for this LDAP username) in order to be
+able to perform queries and modifications on the LDAP database\&.
+.IP
+\fIBUGS:\fP This parameter should \fINOT\fP be a readable parameter
+in the \fBsmb\&.conf\fP file and will be removed once a correct
+storage place is found\&.
.IP
-This parameter specifies the TCP port number of the LDAP server\&.
+See also \fBldap root\fP\&.
.IP
\fBDefault:\fP
-\f(CW ldap port = 389\&.\fP
+\f(CW empty string\&.\fP
.IP
.IP "\fBldap server (G)\fP"
.IP
the \fB--with-ldap\fP option\&.
.IP
This parameter specifies the DNS name of the LDAP server to use
-when storing and retrieving information about Samba users and
-groups\&.
+for SMB/CIFS authentication purposes\&.
.IP
\fBDefault:\fP
\f(CW ldap server = localhost\fP
are only available if your version of Samba was configured with
the \fB--with-ldap\fP option\&.
.IP
-This parameter specifies the node of the LDAP tree beneath which
-Samba should store its information\&. This parameter MUST be provided
-when using LDAP with Samba\&.
+This parameter specifies the \f(CW"dn"\fP or LDAP \fI"distinguished name"\fP
+that tells \fBsmbd\fP to start from when searching
+for an entry in the LDAP password database\&.
.IP
\fBDefault:\fP
-\f(CW none\fP
+\f(CW empty string\&.\fP
+.IP
+.IP "\fBlevel2 oplocks (S)\fP"
+.IP
+This parameter (new in Samba 2\&.0\&.5) controls whether Samba supports
+level2 (read-only) oplocks on a share\&. In Samba 2\&.0\&.5 this parameter
+defaults to "False" as the code is new, but will default to "True"
+in a later release\&.
+.IP
+Level2, or read-only oplocks allow Windows NT clients that have an
+oplock on a file to downgrade from a read-write oplock to a read-only
+oplock once a second client opens the file (instead of releasing all
+oplocks on a second open, as in traditional, exclusive oplocks)\&. This
+allows all openers of the file that support level2 oplocks to cache
+the file for read-ahead only (ie\&. they may not cache writes or lock
+requests) and increases performance for many acesses of files that
+are not commonly written (such as application \&.EXE files)\&.
+.IP
+Once one of the clients which have a read-only oplock writes to
+the file all clients are notified (no reply is needed or waited
+for) and told to break their oplocks to "none" and delete any
+read-ahead caches\&.
+.IP
+It is recommended that this parameter be turned on to speed access
+to shared executables (and also to test the code :-)\&.
+.IP
+For more discussions on level2 oplocks see the CIFS spec\&.
+.IP
+Currently, if \fB"kernel oplocks"\fP are supported
+then level2 oplocks are not granted (even if this parameter is set
+to \f(CW"true"\fP)\&. Note also, the \fB"oplocks"\fP parameter must
+be set to "true" on this share in order for this parameter to have any
+effect\&.
+.IP
+See also the \fB"oplocks"\fP and \fB"kernel oplocks"\fP parameters\&.
+.IP
+\fBDefault:\fP
+\f(CW level2 oplocks = False\fP
.IP
\fBExample:\fP
-\f(CW ldap suffix = "dc=mydomain, dc=org"\fP
+\f(CW level2 oplocks = True\fP
.IP
.IP "\fBlm announce (G)\fP"
.IP
\fBExample:\fP
\f(CW load printers = no\fP
.IP
-.IP "\fBlocal group map (G)\fP"
-.IP
-This option allows you to specify a file containing unique mappings
-of individual NT Local Group names (in any domain) to UNIX group
-names\&. This allows NT Local groups (aliases) to be presented correctly to
-NT users, despite the lack of native support for the NT Security model
-(based on VAX/VMS) in UNIX\&. The reader is advised to become familiar
-with the NT Domain system and its administration\&.
-.IP
-This option is used in conjunction with \fB\'domain group map\'\fP
-and \fB\'domain name map\'\fP\&. The use of these three
-options is trivial and often unnecessary in the case where Samba
-is not expected to interact with any other SAM databases (whether local
-workstations or Domain Controllers)\&.
-.IP
-The map file is parsed line by line\&. If any line begins with a \f(CW\'#\'\fP
-or a \f(CW\';\'\fP then it is ignored\&. Each line should contain a single UNIX
-group name on the left then a single NT Local Group name on the right,
-separated by a tabstop or \f(CW\'=\'\fP\&. If either name contains spaces then
-it should be enclosed in quotes\&.
-The line can be either of the form:
-.IP
-\f(CW UNIXgroupname \e\eDOMAIN_NAME\e\eLocalGroupName \fP
-.IP
-or:
-.IP
-\f(CW UNIXgroupname LocalGroupName \fP
-.IP
-In the case where Samba is either an \fBEXPERIMENTAL\fP Domain Controller
-or it is a member of a domain using \fB"security = domain"\fP,
-the latter format can be used: the default Domain name is the Samba Server\'s
-Domain name, specified by \fB"workgroup = MYGROUP"\fP\&.
-.IP
-Any UNIX groups that are \fINOT\fP specified in this map file are treated
-as either Local or Domain Groups depending on the role of the Samba Server\&.
-.IP
-In the case when Samba is an \fBEXPERIMENTAL\fP Domain Controller, Samba
-will present \fIALL\fP unspecified UNIX groups as its own NT Domain
-Groups, with the same name, and \fINOT\fP as Local Groups\&.
-.IP
-In the case where Samba is member of a domain using
-\fB"security = domain"\fP, Samba will check the UNIX name with
-its Domain Controller (see \fB"password server"\fP)
-as if it was an NT Domain Group\&. If the Domain Controller says that it is not,
-such unspecified (unmapped) UNIX groups which also are not NT Domain
-Groups are treated as Local Groups in the Samba Server\'s local SAM database\&.
-NT Administrators will recognise these as Workstation Local Groups,
-which are managed by running \fBUSRMGR\&.EXE\fP and selecting a remote
-Domain named "\e\eWORKSTATION_NAME", or by running \fBMUSRMGR\&.EXE\fP on
-a local Workstation\&.
-.IP
-This may sound complicated, but it means that a Samba Server as
-either a member of a domain or as an \fBEXPERIMENTAL\fP Domain Controller
-will act like an NT Workstation (with a local SAM database) or an NT PDC
-(with a Domain SAM database) respectively, without the need for any of
-the map files at all\&. If you \fBwant\fP to get fancy, however, you can\&.
-.IP
-Note that adding an entry to map an arbitrary NT group in an arbitrary
-Domain to an arbitrary UNIX group \fIREQUIRES\fP the following:
-.IP
-.IP
-.IP o
-that the UNIX group exists on the UNIX server\&.
-.IP
-.IP o
-that the NT Domain Group exists in the specified NT Domain
-.IP
-.IP o
-that the UNIX Server knows about the specified Domain;
-.IP
-.IP o
-that all the UNIX users (who are expecting to access the Samba
-Server as the correct NT user and with the correct NT group permissions)
-in the UNIX group be mapped to the correct NT Domain users in the specified
-NT Domain using \fB\'domain user map\'\fP\&.
-.IP
-.IP
-Failure to meet any of these requirements may result in either (or
-both) errors reported in the log files or (and) incorrect or missing
-access rights granted to users\&.
-.IP
.IP "\fBlocal master (G)\fP"
.IP
This option allows \fBnmbd\fP to try and become a
This option takes the standard substitutions, allowing you to have
separate logon scripts for each user or machine\&.
.IP
+This parameter can be used with Win9X workstations to ensure that
+roaming profiles are stored in a subdirectory of the user\'s home
+directory\&. This is done in the following way:
+.IP
+\f(CW" logon home = \e\e%L\e%U\eprofile"\fP
+.IP
+This tells Samba to return the above string, with substitutions made
+when a client requests the info, generally in a NetUserGetInfo request\&.
+Win9X clients truncate the info to \e\eserver\eshare when a user does \f(CW"net use /home"\fP,
+but use the whole string when dealing with profiles\&.
+.IP
+Note that in prior versions of Samba, the \f(CW"logon path"\fP was returned rather than
+\f(CW"logon home"\fP\&. This broke \f(CW"net use /home"\fP but allowed profiles outside the
+home directory\&. The current implementation is correct, and can be used for profiles
+if you use the above trick\&.
+.IP
Note that this option is only useful if Samba is set up as a
\fBlogon server\fP\&.
.IP
.IP "\fBlogon path (G)\fP"
.IP
This parameter specifies the home directory where roaming profiles
-(USER\&.DAT / USER\&.MAN files for Windows 95/98) are stored\&.
+(NTuser\&.dat etc files for Windows NT) are stored\&. Contrary to previous
+versions of these manual pages, it has nothing to do with Win 9X roaming
+profiles\&. To find out how to handle roaming profiles for Win 9X system, see
+the \f(CW"logon home"\fP parameter\&.
.IP
This option takes the standard substitutions, allowing you to have
separate logon scripts for each user or machine\&. It also specifies
-the directory from which the \f(CW"desktop"\fP, \f(CW"start menu"\fP,
-\f(CW"network neighborhood"\fP and \f(CW"programs"\fP folders, and their
-contents, are loaded and displayed on your Windows 95/98 client\&.
+the directory from which the \f(CW"application data"\fP, (\f(CW"desktop"\fP, \f(CW"start menu"\fP,
+\f(CW"network neighborhood"\fP, \f(CW"programs"\fP and other folders, and their
+contents, are loaded and displayed on your Windows NT client\&.
.IP
The share and the path must be readable by the user for the
-preferences and directories to be loaded onto the Windows 95/98
+preferences and directories to be loaded onto the Windows NT
client\&. The share must be writeable when the logs in for the first
-time, in order that the Windows 95/98 client can create the user\&.dat
+time, in order that the Windows NT client can create the NTuser\&.dat
and other directories\&.
.IP
Thereafter, the directories and any of the contents can, if required, be
-made read-only\&. It is not advisable that the USER\&.DAT file be made
-read-only - rename it to USER\&.MAN to achieve the desired effect (a
-\fIMAN\fPdatory profile)\&.
+made read-only\&. It is not advisable that the NTuser\&.dat file be made
+read-only - rename it to NTuser\&.man to achieve the desired effect (a
+\fIMAN\fPdatory profile)\&.
.IP
Windows clients can sometimes maintain a connection to the [homes]
share, even though there is no user logged in\&. Therefore, it is vital
.IP
See the section on \fB"NAME MANGLING"\fP\&.
.IP
+.IP "\fBmangle locks (S)\fP"
+.IP
+This option is was introduced with Samba 2\&.0\&.4 and above and has been
+removed in Samba 2\&.0\&.6 as Samba now dynamically configures such things
+on 32 bit systems\&.
+.IP
.IP "\fBmangled map (S)\fP"
.IP
This is for those who want to directly map UNIX file names which can
\fBDefault:\fP
\f(CW max mux = 50\fP
.IP
-.IP "\fBmaxopenfiles (G)\fP"
+.IP "\fBmax open files (G)\fP"
.IP
This parameter limits the maximum number of open files that one
\fBsmbd\fP file serving process may have open for
.IP
.IP "\fBmax packet (G)\fP"
.IP
-Synonym for (packetsize)\&.
+Synonym for \fB"packet size"\fP\&.
.IP
.IP "\fBmax ttl (G)\fP"
.IP
\fBExample:\fP
\f(CW min print space = 2000\fP
.IP
+.IP "\fBmin passwd length (G)\fP"
+.IP
+Synonym for \fB"min password length"\fP\&.
+.IP
+.IP "\fBmin password length (G)\fP"
+.IP
+This option sets the minimum length in characters of a plaintext password
+than smbd will accept when performing UNIX password changing\&.
+.IP
+See also \fB"unix password sync"\fP,
+\fB"passwd program"\fP and \fB"passwd chat
+debug"\fP\&.
+.IP
+\fBDefault:\fP
+\f(CW min password length = 5\fP
+.IP
.IP "\fBmin wins ttl (G)\fP"
.IP
This option tells \fBnmbd\fP when acting as a WINS
.IP
.IP o
\fBlmhosts\fP : Lookup an IP address in the Samba lmhosts file\&.
+If the line in lmhosts has no name type attached to the NetBIOS
+name (see the \fBlmhosts (5)\fP for details) then
+any name type matches for lookup\&.
.IP
.IP o
\fBhost\fP : Do a standard host name to IP address resolution,
using the system /etc/hosts, NIS, or DNS lookups\&. This method of name
resolution is operating system depended for instance on IRIX or
Solaris this may be controlled by the \fI/etc/nsswitch\&.conf\fP file)\&.
+Note that this method is only used if the NetBIOS name type being
+queried is the 0x20 (server) name type, otherwise it is ignored\&.
.IP
.IP o
\fBwins\fP : Query a name with the IP address listed in the
\fBExample:\fP
\f(CW netbios name = MYNAME\fP
.IP
+.IP "\fBnetbios scope (G)\fP"
+.IP
+This sets the NetBIOS scope that Samba will operate under\&. This should
+not be set unless every machine on your LAN also sets this value\&.
+.IP
.IP "\fBnis homedir (G)\fP"
.IP
Get the home share server from a NIS map\&. For UNIX systems that use an
\fBExample:\fP
\f(CW nis homedir = true\fP
.IP
+.IP "\fBnt acl support (G)\fP"
+.IP
+This boolean parameter controls whether \fBsmbd\fP
+will attempt to map UNIX permissions into Windows NT access control lists\&.
+.IP
+\fBDefault:\fP
+\f(CW nt acl support = yes\fP
+.IP
+\fBExample:\fP
+\f(CW nt acl support = no\fP
+.IP
.IP "\fBnt pipe support (G)\fP"
.IP
This boolean parameter controls whether \fBsmbd\fP
UNIX process\&. See the \fBkernel oplocks\fP parameter
for details\&.
.IP
+See also the \fB"kernel oplocks"\fP and
+\fB"level2 oplocks"\fP parameters\&.
+.IP
\fBDefault:\fP
\f(CW oplocks = True\fP
.IP
\fBExample:\fP
\f(CW oplocks = False\fP
.IP
+.IP "\fBoplock break wait time (G)\fP"
+.IP
+This is a tuning parameter added due to bugs in both Windows 9x and WinNT\&.
+If Samba responds to a client too quickly when that client issues an SMB that
+can cause an oplock break request, then the client redirector can fail and
+not respond to the break request\&. This tuning parameter (which is set in
+milliseconds) is the amount of time Samba will wait before sending an
+oplock break request to such (broken) clients\&.
+.IP
+\fIDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA
+OPLOCK CODE\fP\&.
+.IP
+\fBDefault:\fP
+\f(CW oplock break wait time = 10\fP
+.IP
+.IP "\fBoplock contention limit (S)\fP"
+.IP
+This is a \fIvery\fP advanced \fBsmbd\fP tuning option to improve
+the efficiency of the granting of oplocks under multiple client contention for the same file\&.
+.IP
+In brief it specifies a number, which causes smbd not to grant an oplock even
+when requested if the approximate number of clients contending for an oplock on
+the same file goes over this limit\&. This causes \fBsmbd\fP to
+behave in a similar way to Windows NT\&.
+.IP
+\fIDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA
+OPLOCK CODE\fP\&.
+.IP
+\fBDefault:\fP
+\f(CW oplock contention limit = 2\fP
+.IP
.IP "\fBos level (G)\fP"
.IP
This integer value controls what level Samba advertises itself as for
browse elections\&. The value of this parameter determines whether
\fBnmbd\fP has a chance of becoming a local master
browser for the \fBWORKGROUP\fP in the local broadcast
-area\&. Setting this to zero will cause \fBnmbd\fP to
-always lose elections to Windows machines\&. See BROWSING\&.txt in the
-Samba docs/ directory for details\&.
+area\&. The default is zero, which means \fBnmbd\fP will
+lose elections to Windows machines\&. See BROWSING\&.txt in the Samba
+docs/ directory for details\&.
.IP
\fBDefault:\fP
-\f(CW os level = 32\fP
+\f(CW os level = 20\fP
.IP
\fBExample:\fP
\f(CW os level = 65 ; This will win against any NT Server\fP
.IP
.IP "\fBpacket size (G)\fP"
.IP
-This is a deprecated parameter that how no effect on the current
+This is a deprecated parameter that has no effect on the current
Samba code\&. It is left in the parameter list to prevent breaking
old \fBsmb\&.conf\fP files\&.
.IP
.IP
\fBExample:\fP
-.DS
+.nf
passwd chat = "*Enter OLD password*" %o\en "*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"
-.DE
+.fi
.IP
\fBDefault:\fP
-.DS
+.nf
passwd chat = *old*password* %o\en *new*password* %n\en *new*password* %n\en *changed*
-.DE
+.fi
.IP
If the \fB"security"\fP parameter is set to
\fB"domain"\fP, then the list of machines in this option must be a list
of Primary or Backup Domain controllers for the
-\fBDomain\fP, as the Samba server is cryptographicly
+\fBDomain\fP or the character \f(CW*\fP, as the Samba server is cryptographicly
in that domain, and will use cryptographicly authenticated RPC calls
to authenticate the user logging on\&. The advantage of using
\fB"security=domain"\fP is that if you list
\fBsmbd\fP will try each in turn till it finds one
that responds\&. This is useful in case your primary server goes down\&.
.IP
+If the \fB"password server"\fP option is set to the character \f(CW*\fP,
+then Samba will attempt to auto-locate the Primary or Backup Domain controllers
+to authenticate against by doing a query for the name \f(CWWORKGROUP<1C>\fP
+and then contacting each server returned in the list of IP addresses
+from the \fBname resolution\fP source\&.
+.IP
If the \fB"security"\fP parameter is set to
\fB"server"\fP, then there are different
restrictions that \fB"security=domain"\fP
\fBExample:\fP
\f(CW password server = NT-PDC, NT-BDC1, NT-BDC2\fP
.IP
+\fBExample:\fP
+\f(CW password server = *\fP
+.IP
.IP "\fBpath (S)\fP"
.IP
This parameter specifies a directory to which the user of the service
time they log in\&. Maybe a message of the day? Here is an example:
.IP
-.DS
+.nf
preexec = csh -c \'echo \e"Welcome to %S!\e" | /usr/local/samba/bin/smbclient -M %m -I %I\' &
-.DE
+.fi
.IP
Of course, this could get annoying after a while :-)
.IP
-See also \fBpostexec\fP\&.
+See also \fBpreexec close\fP and \fBpostexec\fP\&.
.IP
\fBDefault:\fP
\f(CW none (no command executed)\fP
\fBExample:\fP
\f(CW preexec = echo \e"%u connected to %S from %m (%I)\e" >> /tmp/log\fP
.IP
+.IP "\fBpreexec close (S)\fP"
+.IP
+This boolean option controls whether a non-zero return code from
+\fB"preexec"\fP should close the service being connected to\&.
+.IP
+\fBDefault:\fP
+\f(CW preexec close = no\fP
+.IP
+\fBExample:\fP
+\f(CW preexec close = yes\fP
+.IP
.IP "\fBpreferred master (G)\fP"
.IP
This boolean parameter controls if \fBnmbd\fP is a
election\&. It is recommended that this parameter is used in
conjunction with \fB"domain master = yes"\fP, so
that \fBnmbd\fP can guarantee becoming a domain
-master\&. Indeed the default ("auto") enables "preferred master" if
-Samba is configured as the domain master browser\&.
+master\&.
.IP
Use this option with caution, because if there are several hosts
(whether Samba servers, Windows 95 or NT) that are preferred master
See also \fBos level\fP\&.
.IP
\fBDefault:\fP
-\f(CW preferred master = auto\fP
+\f(CW preferred master = no\fP
.IP
\fBExample:\fP
\f(CW preferred master = yes\fP
processed, otherwise you will need to manually remove old spool files\&.
.IP
The print command is simply a text string\&. It will be used verbatim,
-with two exceptions: All occurrences of \f(CW"%s"\fP will be replaced by
-the appropriate spool file name, and all occurrences of \f(CW"%p"\fP will
-be replaced by the appropriate printer name\&. The spool file name is
-generated automatically by the server, the printer name is discussed
-below\&.
-.IP
-The full path name will be used for the filename if \f(CW"%s"\fP is not
-preceded by a \f(CW\'/\'\fP\&. If you don\'t like this (it can stuff up some
-lpq output) then use \f(CW"%f"\fP instead\&. Any occurrences of \f(CW"%f"\fP get
-replaced by the spool filename without the full path at the front\&.
+with two exceptions: All occurrences of \f(CW"%s"\fP and \f(CW"%f"\fP will be
+replaced by the appropriate spool file name, and all occurrences of
+\f(CW"%p"\fP will be replaced by the appropriate printer name\&. The spool
+file name is generated automatically by the server, the printer name
+is discussed below\&.
.IP
The print command \fIMUST\fP contain at least one occurrence of \f(CW"%s"\fP
or \f(CW"%f"\fP - the \f(CW"%p"\fP is optional\&. At the time a job is
.IP
Note that a printable service will ALWAYS allow writing to the service
path (user privileges permitting) via the spooling of print data\&. The
-\fB"read only"\fP parameter controls only non-printing
+\fB"writeable"\fP parameter controls only non-printing
access to the resource\&.
.IP
\fBDefault:\fP
.IP
Synonym for \fBprintcapname\fP\&.
.IP
+.IP "\fBprinter admin (S)\fP"
+.IP
+This is a list of users that can do anything to printers via the
+remote administration interfaces offered by MSRPC (usually using a NT
+workstation)\&. Note that the root user always has admin rights\&.
+.IP
+\fBDefault:\fP
+\f(CW printer admin = <empty string>\fP
+.IP
+\fBExample:\fP
+\f(CW printer admin = admin, @staff\fP
+.IP
.IP "\fBprintcap name (G)\fP"
.IP
This parameter may be used to override the compiled-in default
A minimal printcap file would look something like this:
.IP
-.DS
+.nf
print1|My Printer 1
print4|My Printer 4
print5|My Printer 5
-.DE
+.fi
.IP
.IP
\f(CWSAMBA_INSTALL_DIRECTORY/lib/printers\&.def\fP
.IP
-This file is created from Windows 95 \f(CW"msprint\&.def"\fP files found on
+This file is created from Windows 95 \f(CW"msprint\&.inf"\fP files found on
the Windows 95 client system\&. For more details on setting up serving
of printer drivers to Windows 95 clients, see the documentation file
in the docs/ directory, PRINTER_DRIVER\&.txt\&.
drivers for Windows 95 machines\&. If Samba is set up to serve printer
drivers to Windows 95 machines, this should be set to
.IP
-\f(CW\e\eMACHINE\eaPRINTER$\fP
+\f(CW\e\eMACHINE\ePRINTER$\fP
.IP
Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
is a share you set up for serving printer driver files\&. For more
.IP "\fBprinting (S)\fP"
.IP
This parameters controls how printer status information is interpreted
-on your system, and also affects the default values for the
+on your system\&. It also affects the default values for the
\fB"print command"\fP, \fB"lpq
command"\fP \fB"lppause command"\fP,
\fB"lpresume command"\fP, and \fB"lprm
-command"\fP\&.
+command"\fP if specified in the \fB[global]\fP
+section\&.
.IP
Currently eight printing styles are supported\&. They are
-\fB"printing=BSD"\fP, \fB"printing=AIX"\fP, \fB"printing=LPRNG"\fP,
-\fB"printing=PLP"\fP,
-\fB"printing=SYSV"\fP,\fB"printing="HPUX"\fP,\fB"printing=QNX"\fP and
-\fB"printing=SOFTQ"\fP\&.
+\fB"printing=BSD"\fP, \fB"printing=AIX"\fP,
+\fB"printing=LPRNG"\fP, \fB"printing=PLP"\fP, \fB"printing=SYSV"\fP,
+\fB"printing="HPUX"\fP, \fB"printing=QNX"\fP, \fB"printing=SOFTQ"\fP,
+and \fB"printing=CUPS"\fP\&.
.IP
To see what the defaults are for the other print commands when using
-these three options use the \fB"testparm"\fP program\&.
+the various options use the \fB"testparm"\fP program\&.
.IP
This option can be set on a per printer basis
.IP
See also the discussion in the \fB[printers]\fP section\&.
.IP
+.IP "\fBprivate dir(G)\fP"
+.IP
+The \fBprivate dir\fP parameter allows an administator to define a
+directory path used to hold the various databases Samba will use
+to store things like a the machine trust account information
+when acting as a domain member (i\&.e\&. where the secrets\&.tdb file will
+be located), where the passdb\&.tbd file will stored in the case
+of using the experiemental tdbsam support, etc\&.\&.\&.
+.IP
+\fBDefault:\fP
+\f(CW private dir = <compile time location of smbpasswd>\fP
+.IP
+\fBExample:\fP
+\f(CW private dir = /etc/smbprivate\fP
+.IP
.IP "\fBprotocol (G)\fP"
.IP
The value of the parameter (a string) is the highest protocol level
.IP
This is a list of users that are given read-only access to a
service\&. If the connecting user is in this list then they will not be
-given write access, no matter what the \fB"read only"\fP
+given write access, no matter what the \fB"writeable"\fP
option is set to\&. The list can include group names using the syntax
described in the \fB"invalid users"\fP parameter\&.
.IP
.IP "\fBread only (S)\fP"
.IP
Note that this is an inverted synonym for
-\fB"writeable"\fP and \fB"write ok"\fP\&.
-.IP
-See also \fB"writeable"\fP and \fB"write
-ok"\fP\&.
+\fB"writeable"\fP\&.
.IP
.IP "\fBread prediction (G)\fP"
.IP
are similar, having very little effect when the speed of one is much
greater than the other\&.
.IP
-The default value is 2048, but very little experimentation has been
+The default value is 16384, but very little experimentation has been
done yet to determine the optimal value, and it is likely that the
best value will vary greatly between systems anyway\&. A value over
65536 is pointless and will cause you to allocate memory
unnecessarily\&.
.IP
\fBDefault:\fP
-\f(CW read size = 2048\fP
+\f(CW read size = 16384\fP
.IP
\fBExample:\fP
\f(CW read size = 8192\fP
\fBExample:\fP
\f(CW remote browse sync = 192\&.168\&.2\&.255 192\&.168\&.4\&.255\fP
.IP
-.IP "\fBrevalidate (S)\fP"
+.IP "\fBrestrict anonymous (G)\fP"
.IP
-Note that this option only works with
-\fB"security=share"\fP and will be ignored if
-this is not the case\&.
+This is a boolean parameter\&. If it is true, then anonymous access
+to the server will be restricted, namely in the case where the server
+is expecting the client to send a username, but it doesn\'t\&. Setting
+it to true will force these anonymous connections to be denied, and
+the client will be required to always supply a username and password
+when connecting\&. Use of this parameter is only recommened for homogenous
+NT client environments\&.
.IP
-This option controls whether Samba will allow a previously validated
-username/password pair to be used to attach to a share\&. Thus if you
-connect to \f(CW\e\eserver\eshare1\fP then to \f(CW\e\eserver\eshare2\fP it won\'t
-automatically allow the client to request connection to the second
-share as the same username as the first without a password\&.
+This parameter makes the use of macro expansions that rely
+on the username (%U, %G, etc) consistant\&. NT 4\&.0 likes to use
+anonymous connections when refreshing the share list, and this
+is a way to work around that\&.
.IP
-If \fB"revalidate"\fP is \f(CW"True"\fP then the client will be denied
-automatic access as the same username\&.
+When restrict anonymous is true, all anonymous connections are denied
+no matter what they are for\&. This can effect the ability of a machine
+to access the samba Primary Domain Controller to revalidate it\'s machine
+account after someone else has logged on the client interactively\&. The
+NT client will display a message saying that the machine\'s account in
+the domain doesn\'t exist or the password is bad\&. The best way to deal
+with this is to reboot NT client machines between interactive logons,
+using "Shutdown and Restart", rather than "Close all programs and logon
+as a different user"\&.
.IP
\fBDefault:\fP
-\f(CW revalidate = False\fP
+\f(CW restrict anonymous = false\fP
.IP
\fBExample:\fP
-\f(CW revalidate = True\fP
+\f(CW restrict anonymous = true\fP
.IP
.IP "\fBroot (G)\fP"
.IP
that the command is run as root\&. This is useful for mounting
filesystems (such as cdroms) before a connection is finalized\&.
.IP
-See also \fB"preexec"\fP\&.
+See also \fB"preexec"\fP
+and \fB"root preexec close"\fP\&.
+.IP
+.IP "\fBroot preexec close (S)\fP"
+.IP
+This is the same as the \fB"preexec close"\fP parameter
+except that the command is run as root\&.
+.IP
+See also \fB"preexec"\fP, \fB"preexec close"\fP\&.
.IP
.IP "\fBsecurity (G)\fP"
.IP
\fB"map to guest"\fP parameter for details on
doing this\&.
.IP
-e,(BUG:) There is currently a bug in the implementation of
+\fIBUG:\fP There is currently a bug in the implementation of
\fB"security=domain\fP with respect to multi-byte character
set usernames\&. The communication with a Domain Controller
must be done in UNICODE and Samba currently does not widen
\fBExample:\fP
\f(CW security = DOMAIN\fP
.IP
+.IP "\fBsecurity mask (S)\fP"
+.IP
+This parameter controls what UNIX permission bits can be modified
+when a Windows NT client is manipulating the UNIX permission on a
+file using the native NT security dialog box\&.
+.IP
+This parameter is applied as a mask (AND\'ed with) to the changed
+permission bits, thus preventing any bits not in this mask from
+being modified\&. Essentially, zero bits in this mask may be treated
+as a set of bits the user is not allowed to change\&.
+.IP
+If not set explicitly this parameter is set to the same value as the
+\fBcreate mask\fP parameter\&. To allow a user to
+modify all the user/group/world permissions on a file, set this
+parameter to 0777\&.
+.IP
+\fINote\fP that users who can access the Samba server through other
+means can easily bypass this restriction, so it is primarily
+useful for standalone "appliance" systems\&. Administrators of
+most normal systems will probably want to set it to 0777\&.
+.IP
+See also the \fBforce directory security
+mode\fP, \fBdirectory security
+mask\fP, \fBforce security
+mode\fP parameters\&.
+.IP
+\fBDefault:\fP
+\f(CW security mask = <same as create mask>\fP
+.IP
+\fBExample:\fP
+\f(CW security mask = 0777\fP
+.IP
.IP "\fBserver string (G)\fP"
.IP
This controls what string will show up in the printer comment box in
and error messages in the smbd log looking like \f(CW"ERROR
smb_shm_alloc : alloc of XX bytes failed"\fP\&.
.IP
+If your OS refuses the size that Samba asks for then Samba will try a
+smaller size, reducing by a factor of 0\&.8 until the OS accepts it\&.
+.IP
\fBDefault:\fP
\f(CW shared mem size = 1048576\fP
.IP
option" when you supply an option\&. This means you either incorrectly
typed it or you need to add an include file to includes\&.h for your OS\&.
If the latter is the case please send the patch to
-\fIsamba-bugs@samba\&.org\fP\&.
+\fIsamba@samba\&.org\fP\&.
.IP
Any of the supported socket options may be combined in any way you
like, as long as your OS allows it\&.
\fBExample:\fP
\f(CW socket options = IPTOS_LOWDELAY\fP
.IP
+.IP "\fBsource environment (G)\fP"
+.IP
+This parameter causes Samba to set environment variables as per the
+content of the file named\&.
+.IP
+The file \fBmust\fP be owned by root and not world writable in order
+to be read (this is a security check)\&.
+.IP
+If the value of this parameter starts with a "|" character then Samba will
+treat that value as a pipe command to open and will set the environment
+variables from the oput of the pipe\&. This command must not be world writable
+and must reside in a directory that is not world writable\&.
+.IP
+The contents of the file or the output of the pipe should be formatted
+as the output of the standard Unix env(1) command\&. This is of the form :
+.IP
+Example environment entry:
+\f(CW SAMBA_NETBIOS_NAME=myhostname \fP
+.IP
+\fBDefault:\fP
+\f(CWNo default value\fP
+.IP
+\fBExamples:\fP
+.IP
+\f(CW source environment = |/etc/smb\&.conf\&.sh\fP
+.IP
+\f(CW source environment = /usr/local/smb_env_vars\fP
+.IP
.IP "\fBssl (G)\fP"
.IP
This variable is part of SSL-enabled Samba\&. This is only available if
This parameter maps how Samba debug messages are logged onto the
system syslog logging levels\&. Samba debug level zero maps onto syslog
LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps
-to LOG_NOTICE, debug level three maps onto LOG_INFO\&. The parameter
-sets the threshold for doing the mapping, all Samba debug messages
-above this threshold are mapped to syslog LOG_DEBUG messages\&.
+onto LOG_NOTICE, debug level three maps onto LOG_INFO\&. All higher
+levels are mapped to LOG_DEBUG\&.
+.IP
+This paramter sets the threshold for sending messages to syslog\&.
+Only messages with debug level less than this value will be sent
+to syslog\&.
.IP
\fBDefault:\fP
\f(CW syslog = 1\fP
\fBDefault:\fP
\f(CW syslog only = no\fP
.IP
+.IP "\fBtemplate homedir (G)\fP"
+.IP
+NOTE: this parameter is only available in Samba 3\&.0\&.
+.IP
+When filling out the user information for a Windows NT user, the
+\fBwinbindd\fP daemon uses this parameter to fill in
+the home directory for that user\&. If the string \f(CW%D\fP is present it is
+substituted with the user\'s Windows NT domain name\&. If the string \f(CW%U\fP
+is present it is substituted with the user\'s Windows NT user name\&.
+.IP
+\fBDefault:\fP
+\f(CW template homedir = /home/%D/%U\fP
+.IP
+.IP "\fBtemplate shell (G)\fP"
+.IP
+NOTE: this parameter is only available in Samba 3\&.0\&.
+.IP
+When filling out the user information for a Windows NT user, the
+\fBwinbindd\fP daemon uses this parameter to fill in
+the login shell for that user\&.
+.IP
+\fBDefault:\fP
+\f(CW template shell = /bin/false\fP
+.IP
.IP "\fBtime offset (G)\fP"
.IP
This parameter is a setting in minutes to add to the normal GMT to
.IP
.IP "\fBtimestamp logs (G)\fP"
.IP
-Samba2\&.0 will a timestamps to all log entries by default\&. This
-can be distracting if you are attempting to debug a problem\&. This
-parameter allows the timestamping to be turned off\&.
-.IP
-\fBDefault:\fP
-\f(CW timestamp logs = True\fP
-.IP
-\fBExample:\fP
-\f(CW timestamp logs = False\fP
+Synonym for \fB"debug timestamp"\fP\&.
.IP
.IP "\fBunix password sync (G)\fP"
.IP
.IP
\fBExamples:\fP
-.DS
+.nf
username = fred
username = fred, mary, jack, jane, @users, @pcgroup
-.DE
+.fi
.IP
multiple users to a single username so that they can more easily share
files\&.
.IP
-The use of this option, therefore, relates to UNIX usernames
-and not Windows (specifically NT Domain) usernames\&. In other words,
-once a name has been mapped using this option, the Samba server uses
-the mapped name for internal \fIAND\fP external purposes\&.
-.IP
-This option is \fIDIFFERENT\fP from the \fB"domain user map"\fP
-parameter, which maintains a one-to-one mapping between UNIX usernames
-and NT Domain Usernames: more specifically, the Samba server maintains
-a link between \fIBOTH\fP usernames, presenting the NT username to the
-external NT world, and using the UNIX username internally\&.
-.IP
The map file is parsed line by line\&. Each line should contain a single
UNIX username on the left then a \f(CW\'=\'\fP followed by a list of
usernames on the right\&. The list of usernames on the right may contain
to stop processing if it gets a match on that line\&.
.IP
-.DS
+.nf
!sys = mary fred
guest = *
-.DE
+.fi
.IP
\fBExample:\fP
\f(CW username map = /usr/local/samba/lib/users\&.map\fP
.IP
-.IP "\fBvalid chars (S)\fP"
+.IP "\fButmp (S)\fP"
+.IP
+This boolean parameter is only available if Samba has been configured and compiled
+with the option \f(CW--with-utmp\fP\&. If set to True then Samba will attempt
+to add utmp or utmpx records (depending on the UNIX system) whenever a
+connection is made to a Samba server\&. Sites may use this to record the
+user connecting to a Samba share\&.
+.IP
+See also the \fB"utmp directory"\fP parameter\&.
+.IP
+\fBDefault:\fP
+\f(CWutmp = False\fP
+.IP
+\fBExample:\fP
+\f(CWutmp = True\fP
+.IP
+.IP "\fButmp directory(G)\fP"
+.IP
+This parameter is only available if Samba has been configured and compiled
+with the option \f(CW--with-utmp\fP\&. It specifies a directory pathname that is
+used to store the utmp or utmpx files (depending on the UNIX system) that
+record user connections to a Samba server\&. See also the \fB"utmp"\fP
+parameter\&. By default this is not set, meaning the system will use whatever
+utmp file the native system is set to use (usually /var/run/utmp on Linux)\&.
+.IP
+\fBDefault:\fP
+\f(CWno utmp directory\fP
+.IP
+\fBExample:\fP
+\f(CWutmp directory = /var/adm/\fP
+.IP
+.IP "winbind cache time"
+.IP
+NOTE: this parameter is only available in Samba 3\&.0\&.
+.IP
+This parameter specifies the number of seconds the
+\fBwinbindd\fP daemon will cache user and group
+information before querying a Windows NT server again\&.
+.IP
+\fBDefault:\fP
+\f(CW winbind cache type = 15\fP
+.IP
+.IP "winbind gid"
+.IP
+NOTE: this parameter is only available in Samba 3\&.0\&.
+.IP
+The winbind gid parameter specifies the range of group ids that are
+allocated by the \fBwinbindd\fP daemon\&. This range of
+group ids should have no existing local or nis groups within it as strange
+conflicts can occur otherwise\&.
+.IP
+\fBDefault:\fP
+\f(CW winbind gid = <empty string>\fP
+.IP
+\fBExample:\fP
+\f(CW winbind gid = 10000-20000\fP
+.IP
+.IP "winbind uid"
+.IP
+NOTE: this parameter is only available in Samba 3\&.0\&.
+.IP
+The winbind uid parameter specifies the range of user ids that are
+allocated by the \fBwinbindd\fP daemon\&. This range of
+ids should have no existing local or nis users within it as strange
+conflicts can occur otherwise\&.
+.IP
+\fBDefault:\fP
+\f(CW winbind uid = <empty string>\fP
+.IP
+\fBExample:\fP
+\f(CW winbind uid = 10000-20000\fP
+.IP
+.IP "\fBvalid chars (G)\fP"
.IP
The option allows you to specify additional characters that should be
considered valid by the server in filenames\&. This is particularly
the following
.IP
-.DS
+.nf
valid chars = Z
valid chars = z:Z
valid chars = 0132:0172
-.DE
+.fi
.IP
.IP
\fBDefault:\fP
-.DS
+.nf
Samba defaults to using a reasonable set of valid characters
for English systems
-.DE
+.fi
.IP
Example 1\&.
.IP
-.DS
+.nf
veto files = /*Security*/*\&.tmp/*root*/
-.DE
+.fi
.IP
Example 2\&.
.IP
-.DS
+.nf
Veto the Apple specific files that a NetAtalk server
veto files = /\&.AppleDouble/\&.bin/\&.AppleDesktop/Network Trash Folder/
-.DE
+.fi
.IP
parameter controls access only to areas that are outside the directory
tree being exported\&.
.IP
+Note that setting this parameter can have a negative effect on your
+server performance due to the extra system calls that Samba has to
+do in order to perform the link checks\&.
+.IP
\fBDefault:\fP
\f(CW wide links = yes\fP
.IP
This specifies the IP address (or DNS name: IP address for preference)
of the WINS server that \fBnmbd\fP should register with\&.
If you have a WINS server on your network then you should set this to
-the WINS server\'s IP\&.
+the WINS server\'s IP\&.
.IP
You should point this at your WINS server if you have a
multi-subnetted network\&.
\fBExample:\fP
\f(CW wins server = 192\&.9\&.200\&.1\fP
.IP
+.IP "\fBwins hook (G)\fP"
+.IP
+When Samba is running as a WINS server this allows you to call an
+external program for all changes to the WINS database\&. The primary use
+for this option is to allow the dynamic update of external name
+resolution databases such as dynamic DNS\&.
+.IP
+The wins hook parameter specifies the name of a script or executable
+that will be called as follows:
+.IP
+wins_hook operation name nametype ttl IP_list
+.IP
+The first argument is the operation and is one of "add", "delete",
+or "refresh"\&. In most cases the operation can be ignored as the rest
+of the parameters provide sufficient information\&. Note that "refresh"
+may sometimes be called when the name has not previously been added,
+in that case it should be treated as an add\&.
+.IP
+The second argument is the netbios name\&. If the name is not a legal
+name then the wins hook is not called\&. Legal names contain only
+letters, digits, hyphens, underscores and periods\&.
+.IP
+The third argument is the netbios name type as a 2 digit hexadecimal
+number\&.
+.IP
+The fourth argument is the TTL (time to live) for the name in seconds\&.
+.IP
+The fifth and subsequent arguments are the IP addresses currently
+registered for that name\&. If this list is empty then the name should
+be deleted\&.
+.IP
+An example script that calls the BIND dynamic DNS update program
+"nsupdate" is provided in the examples directory of the Samba source
+code\&.
+.IP
.IP "\fBwins support (G)\fP"
.IP
This boolean controls if the \fBnmbd\fP process in
.IP "\fBwritable (S)\fP"
.IP
Synonym for \fB"writeable"\fP for people who can\'t spell :-)\&.
-Pronounced "ritter-bull"\&.
.IP
.IP "\fBwrite list (S)\fP"
.IP
This is a list of users that are given read-write access to a
service\&. If the connecting user is in this list then they will be
-given write access, no matter what the \fB"read only"\fP
+given write access, no matter what the \fB"writeable"\fP
option is set to\&. The list can include group names using the @group
syntax\&.
.IP
\fBExample:\fP
\f(CW write list = admin, root, @staff\fP
.IP
+.IP "\fBwrite cache size (S)\fP"
+.IP
+This integer parameter (new with Samba 2\&.0\&.7) if set to non-zero causes Samba to create an in-memory
+cache for each oplocked file (it does \fBnot\fP do this for non-oplocked files)\&. All
+writes that the client does not request to be flushed directly to disk will be
+stored in this cache if possible\&. The cache is flushed onto disk when a write
+comes in whose offset would not fit into the cache or when the file is closed
+by the client\&. Reads for the file are also served from this cache if the data
+is stored within it\&.
+.IP
+This cache allows Samba to batch client writes into a more efficient write
+size for RAID disks (ie\&. writes may be tuned to be the RAID stripe size) and
+can improve performance on systems where the disk subsystem is a bottleneck
+but there is free memory for userspace programs\&.
+.IP
+The integer parameter specifies the size of this cache (per oplocked file)
+in bytes\&.
+.IP
+\fBDefault:\fP
+\f(CW write cache size = 0\fP
+.IP
+\fBExample:\fP
+\f(CW write cache size = 262144\fP
+for a 256k cache size per file\&.
+.IP
.IP "\fBwrite ok (S)\fP"
.IP
Synonym for \fBwriteable\fP\&.
.IP
\fBExamples:\fP
-.DS
+.nf
read only = no
writeable = yes
write ok = yes
-.DE
+.fi
.IP
+.PP
.SH "WARNINGS"
-.IP
+.PP
Although the configuration file permits service names to contain
spaces, your client software may not\&. Spaces will be ignored in
comparisons anyway, so it shouldn\'t be a problem - but be aware of the
possibility\&.
-.IP
+.PP
On a similar note, many clients - especially DOS clients - limit
service names to eight characters\&. \fBSmbd\fP has no
such limitation, but attempts to connect from such clients will fail
if they truncate the service names\&. For this reason you should
probably keep your service names down to eight characters in length\&.
-.IP
+.PP
Use of the \fB[homes]\fP and \fB[printers]\fP
special sections make life for an administrator easy, but the various
combinations of default attributes can be tricky\&. Take extreme care
when designing these sections\&. In particular, ensure that the
permissions on spool directories are correct\&.
-.IP
+.PP
.SH "VERSION"
-.IP
+.PP
This man page is correct for version 2\&.0 of the Samba suite\&.
-.IP
+.PP
.SH "SEE ALSO"
-.IP
+.PP
\fBsmbd (8)\fP, \fBsmbclient (1)\fP,
\fBnmbd (8)\fP, \fBtestparm (1)\fP,
\fBtestprns (1)\fP, \fBSamba\fP,
\fBnmblookup (1)\fP, \fBsmbpasswd (5)\fP,
\fBsmbpasswd (8)\fP\&.
-.IP
+.PP
.SH "AUTHOR"
-.IP
+.PP
The original Samba software and related utilities were created by
-Andrew Tridgell \fIsamba-bugs@samba\&.org\fP\&. Samba is now developed
+Andrew Tridgell \fIsamba@samba\&.org\fP\&. Samba is now developed
by the Samba Team as an Open Source project similar to the way the
Linux kernel is developed\&.
-.IP
+.PP
The original Samba man pages were written by Karl Auer\&. The man page
sources were converted to YODL format (another excellent piece of Open
Source software, available at
\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP)
and updated for the Samba2\&.0 release by Jeremy Allison\&.
-\fIsamba-bugs@samba\&.org\fP\&.
-.IP
+\fIsamba@samba\&.org\fP\&.
+.PP
See \fBsamba (7)\fP to find out how to get a full
list of contributors and details on how to submit bug reports,
comments etc\&.
git.samba.org / ira / wip.git / blobdiff