it() link(bf(map system))(mapsystem)
+it() link(bf(map to guest))(maptoguest)
+
it() link(bf(max connections))(maxconnections)
it() link(bf(min print space))(minprintspace)
file permissions.
bf(Default:) nl()
- no admin users
+tt( no admin users)
bf(Example:) nl()
- admin users = jason
+tt( admin users = jason)
label(allow hosts)
dit(bf(allow hosts (S)))
host access to see if it does what you expect.
bf(Default:)
- none (i.e., all hosts permitted access)
+tt( none (i.e., all hosts permitted access))
bf(Example:)
- allow hosts = 150.203.5. localhost myhost.mynet.edu.au
+tt( allow hosts = 150.203.5. localhost myhost.mynet.edu.au)
label(alternatepermissions)
dit(bf(alternate permissions (S)))
servers from participating as browser servers correctly.
bf(Default:)
- announce as = NT
+tt( announce as = NT)
bf(Example)
- announce as = Win95
+tt( announce as = Win95)
label(announceversion)
dit(bf(announce version (G)))
to be a downlevel server.
bf(Default:)
- announce version = 4.2
+tt( announce version = 4.2)
bf(Example:)
- announce version = 2.0
+tt( announce version = 2.0)
label(autoservices)
then the link(bf("load printers"))(loadprinters) option is easier.
bf(Default:)
- no auto services
+tt( no auto services)
bf(Example:)
- auto services = fred lp colorlp
+tt( auto services = fred lp colorlp)
label(available)
dit(bf(available (S)))
are logged.
bf(Default:)
- available = yes
+tt( available = yes)
bf(Example:)
- available = no
+tt( available = no)
label(bindinterfacesonly)
dit(bf(bind interfaces only (G)))
of the local host.
bf(Default:)
- bind interfaces only = False
+tt( bind interfaces only = False)
bf(Example:)
- bind interfaces only = True
+tt( bind interfaces only = True)
label(blockinglocks)
dit(bf(blocking locks (S)))
This parameter can be set per share.
bf(Default:)
- blocking locks = True
+tt( blocking locks = True)
bf(Example:)
- blocking locks = False
+tt( blocking locks = False)
label(browsable)
dit(bf(broweable (S)))
shares in a net view and in the browse list.
bf(Default:)
- browsable = Yes
+tt( browsable = Yes)
bf(Example:)
- browsable = No
+tt( browsable = No)
label(browselist)
dit(bf(browse list(G)))
should never need to change this.
bf(Default:)
- browse list = Yes
+tt( browse list = Yes)
label(browseable)
dit(bf(browseable))
bf(change notify timeout) is specified in units of seconds.
bf(Default:)
- change notify timeout = 60
+tt( change notify timeout = 60)
bf(Example:)
- change notify timeout = 300
+tt( change notify timeout = 300)
Would change the scan time to every 5 minutes.
parameter is not set, meaning no filename translation is done.
bf(Default:)
- character set =
+tt( character set = <empty string>)
bf(Example:)
- character set = ISO8859-1
+tt( character set = ISO8859-1)
label(clientcodepage)
dit(bf(client code page (G)))
See also : link(bf("valid chars"))(validchars)
bf(Default:)
- client code page = 850
+tt( client code page = 850)
bf(Example:)
- client code page = 936
+tt( client code page = 936)
label(codingsystem)
dit(bf(codingsystem (G)))
name then see the server string command.
bf(Default:)
- No comment string
+tt( No comment string)
bf(Example:)
- comment = Fred's Files
+tt( comment = Fred's Files)
label(configfile)
dit(bf(config file (G)))
in the configuration file than the service doing the copying.
bf(Default:)
- none
+tt( none)
bf(Example:)
- copy = otherservice
+tt( copy = otherservice)
label(createmode)
dit(bf(create mask (S)))
mode bits on created directories.
bf(Default:)
- create mask = 0744
+tt( create mask = 0744)
bf(Example:)
- create mask = 0775
+tt( create mask = 0775)
label(createmode)
dit(bf(create mode (S)))
performed.
bf(Default:)
- deadtime = 0
+tt( deadtime = 0)
bf(Example:)
- deadtime = 15
+tt( deadtime = 15)
label(debug timestamp (G))
off.
bf(Default:)
- debug timestamp = Yes
+tt( debug timestamp = Yes)
bf(Example:)
- debug timestamp = No
+tt( debug timestamp = No)
label(debuglevel)
dit(bf(debug level (G)))
or level zero if none was specified.
bf(Example:)
- debug level = 3
+tt( debug level = 3)
label(default)
dit(bf(default (G)))
semantics prevent deletion of a read only file.
bf(Default:)
- delete readonly = No
+tt( delete readonly = No)
bf(Example:)
- delete readonly = Yes
+tt( delete readonly = Yes)
label(deletevetofiles)
dit(bf(delete veto files (S)))
See also the link(bf(veto files))(vetofiles) parameter.
bf(Default:)
- delete veto files = False
+tt( delete veto files = False)
bf(Example:)
- delete veto files = True
+tt( delete veto files = True)
label(denyhosts)
dit(bf(deny hosts (S)))
conflict, the link(bf('allow'))(allowhosts) list takes precedence.
bf(Default:)
- none (i.e., no hosts specifically excluded)
+tt( none (i.e., no hosts specifically excluded))
bf(Example:)
- deny hosts = 150.203.4. badhost.mynet.edu.au
+tt( deny hosts = 150.203.4. badhost.mynet.edu.au)
label(dfreecommand)
dit(bf(dfree command (G)))
owned by (and writable only by) root!
bf(Default:)
- By default internal routines for determining the disk capacity
-and remaining space will be used.
+tt( By default internal routines for determining the disk capacity
+and remaining space will be used.)
bf(Example:)
- dfree command = /usr/local/samba/bin/dfree
+tt( dfree command = /usr/local/samba/bin/dfree)
Where the script dfree (which must be made executable) could be:
mode bits on created files.
bf(Default:)
- directory mask = 0755
+tt( directory mask = 0755)
bf(Example:)
- directory mask = 0775
+tt( directory mask = 0775)
label(directorymode)
dit(bf(directory mode (S)))
See also the parameter link(bf(wins support))(winssupport).
bf(Default:)
- dns proxy = yes
+tt( dns proxy = yes)
label(domainadmingroup)
bf(domain admin group (G))
also.
bf(Default:)
- domain logons = no
+tt( domain logons = no)
label(domainmaster)
dit(bf(domain master (G)))
and may fail.
bf(Default:)
- domain master = no
+tt( domain master = no)
label(dont descend)
dit(bf(dont descend (S)))
just tt("/proc"). Experimentation is the best policy :-)
bf(Default:)
- none (i.e., all directories are OK to descend)
+tt( none (i.e., all directories are OK to descend))
bf(Example:)
- dont descend = /proc,/dev
+tt( dont descend = /proc,/dev)
label(dosfiletimeresolution)
dit(bf(dos filetime resolution (S)))
happy.
bf(Default:)
- dos filetime resolution = False
+tt( dos filetime resolution = False)
bf(Example:)
- dos filetime resolution = True
+tt( dos filetime resolution = True)
label(dos filetimes)
dit(bf(dos filetimes (S)))
DOS requires.
bf(Default:)
- dos filetimes = False
+tt( dos filetimes = False)
bf(Example:)
- dos filetimes = True
+tt( dos filetimes = True)
label(encryptpasswords)
dit(bf(encrypt passwords (G)))
This is a synonym for link(bf(preexec))(preexec).
-
label(fake directory create times)
dit(bf(fake directory create times (S)))
expected.
bf(Default:)
- fake directory create times = False
+tt( fake directory create times = False)
bf(Example:)
- fake directory create times = True
+tt( fake directory create times = True)
label(fakeoplocks)
dit(bf(fake oplocks (S)))
on masking mode bits on created files.
bf(Default:)
- force create mode = 000
+tt( force create mode = 000)
bf(Example:)
- force create mode = 0755
+tt( force create mode = 0755)
would force all created files to have read and execute permissions set
for 'group' and 'other' as well as the read/write/execute bits set for
details on masking mode bits on created directories.
bf(Default:)
- force directory mode = 000
+tt( force directory mode = 000)
bf(Example:)
- force directory mode = 0755
+tt( force directory mode = 0755)
would force all created directories to have read and execute
permissions set for 'group' and 'other' as well as the
files.
bf(Default:)
- no forced group
+tt( no forced group)
bf(Example:)
- force group = agroup
+tt( force group = agroup)
label(forceuser)
dit(bf(force user (S)))
This can be very useful.
bf(Default:)
- no forced user
+tt( no forced user)
bf(Example:)
- force user = auser
+tt( force user = auser)
label(fstype)
dit(bf(fstype (S)))
"FAT" if required.
bf(Default:)
- fstype = NTFS
+tt( fstype = NTFS)
bf(Example:)
- fstype = Samba
+tt( fstype = Samba)
label(getwdcache)
dit(bf(getwd cache (G)))
link(bf(widelinks))(widelinks) parameter is set to False.
bf(Default:)
- getwd cache = No
+tt( getwd cache = No)
bf(Example:)
- getwd cache = Yes
+tt( getwd cache = Yes
label(group)
dit(bf(group (S)))
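Review bot: The added example line `+tt( getwd cache = Yes` is missing its closing parenthesis, so the tt() macro stays open and swallows the following label(group) and dit() lines. Close it as `tt( getwd cache = Yes)`, matching the Default line just above.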
bf(lpr (1)) or bf(lp (1)).
bf(Default:)
- specified at compile time, usually "nobody"
+tt( specified at compile time, usually "nobody")
bf(Example:)
- guest account = ftp
+tt( guest account = ftp)
label(guestok)
dit(bf(guest ok (S)))
information about this option.
bf(Default:)
- guest ok = no
+tt( guest ok = no)
bf(Example:)
- guest ok = yes
+tt( guest ok = yes)
label(guestonly)
dit(bf(guest only (S)))
information about this option.
bf(Default:)
- guest only = no
+tt( guest only = no)
bf(Example:)
- guest only = yes
+tt( guest only = yes)
label(hidedotfiles)
dit(bf(hide dot files (S)))
a dot appear as hidden files.
bf(Default:)
- hide dot files = yes
+tt( hide dot files = yes)
bf(Example:)
- hide dot files = no
+tt( hide dot files = no)
label(hidefiles)
files"))(vetofiles) and link(bf("case sensitive"))(casesensitive).
bf(Default)
+verb(
No files or directories are hidden by this option (dot files are
hidden by default because of the "hide dot files" option).
+)
bf(Example)
tt( hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/)
logons))(domainlogons).
bf(Default:)
- homedir map = auto.home
+tt( homedir map = auto.home)
bf(Example:)
- homedir map = amd.homedir
+tt( homedir map = amd.homedir)
label(hostsallow)
dit(bf(hosts allow (S)))
kids. And only if you em(really) trust them :-).
bf(Default)
- No host equivalences
+tt( No host equivalences)
bf(Example)
- hosts equiv = /etc/hosts.equiv
+tt( hosts equiv = /etc/hosts.equiv)
label(include)
dit(bf(include (G)))
See also link(bf("valid users"))(validusers).
bf(Default:)
- No invalid users
+tt( No invalid users)
bf(Example:)
tt( invalid users = root fred admin @wheel)
if you strike difficulties.
bf(Default:)
- keep alive = 0
+tt( keep alive = 0)
bf(Example:)
- keep alive = 60
+tt( keep alive = 60)
label(kerneloplocks)
dit(bf(kernel oplocks (G)))
searched for.
bf(Default:)
- empty string.
+tt( empty string.)
label(ldapport)
dit(bf(ldap port (G)))
the LDAP server on.
bf(Default:)
- ldap port = 389.
+tt( ldap port = 389.)
label(ldaproot)
dit(bf(ldap root (G)))
See also link(bf(ldap root passwd))(ldaprootpasswd).
bf(Default:)
- empty string (no user defined)
+tt( empty string (no user defined))
label(ldaprootpasswd)
dit(bf(ldap root passwd (G)))
See also link(bf(ldap root))(ldaproot).
bf(Default:)
- empty string.
+tt( empty string.)
label(ldapserver)
dit(bf(ldap server (G)))
for SMB/CIFS authentication purposes.
bf(Default:)
- ldap server = localhost
+tt( ldap server = localhost)
label(ldapsuffix)
dit(bf(ldap suffix (G)))
for an entry in the LDAP password database.
bf(Default:)
- empty string.
+tt( empty string.)
label(lmannounce)
dit(bf(lm announce (G)))
See also link(bf("lm interval"))(lminterval).
bf(Default:)
- lm announce = auto
+tt( lm announce = auto)
bf(Example:)
- lm announce = true
+tt( lm announce = true)
label(lminterval)
dit(bf(lm interval (G)))
See also link(bf("lm announce"))(lmannounce).
bf(Default:)
- lm interval = 60
+tt( lm interval = 60)
bf(Example:)
- lm interval = 120
+tt( lm interval = 120)
label(loadprinters)
dit(bf(load printers (G)))
link(bf("printers"))(printers) section for more details.
bf(Default:)
- load printers = yes
+tt( load printers = yes)
bg(Example:)
- load printers = no
+tt( load printers = no)
label(localmaster)
dit(bf(local master (G)))
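Review bot: The context line `bg(Example:)` directly above the changed "load printers = no" line is not a macro used anywhere else in this patch; every other entry uses `bf(Example:)`. Since this hunk already touches the example, fix the macro name here as well.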
em(never) to become a local master browser.
bf(Default:)
- local master = yes
+tt( local master = yes)
label(lockdirectory)
dit(bf(lock directory (G)))
connections"))(maxconnections) option.
bf(Default:)
- lock directory = /tmp/samba
+tt( lock directory = /tmp/samba)
bf(Example:)
- lock directory = /usr/local/samba/var/locks
+tt( lock directory = /usr/local/samba/var/locks)
label(locking)
dit(bf(locking (S)))
never need to set this parameter.
bf(Default:)
- locking = yes
+tt( locking = yes)
bf(Example:)
- locking = no
+tt( locking = no)
label(logfile)
dit(bf(log file (G)))
link(bf(logon server))(domainlogons).
bf(Example:)
- logon drive = h:
+tt( logon drive = h:)
label(logonhome)
dit(bf(logon home (G)))
See also the link(bf("printing"))(printing) parameter.
bf(Default:)
- lpq cache time = 10
+tt( lpq cache time = 10)
bf(Example:)
- lpq cache time = 30
+tt( lpq cache time = 30)
label(lpqcommand)
dit(bf(lpq command (S)))
See also the link(bf("printing"))(printing) parameter.
bf(Default:)
- depends on the setting of link(bf("printing ="))(printing)
+tt( depends on the setting of printing =)
bf(Example:)
tt( lpq command = /usr/bin/lpq %p)
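Review bot: The new default line `+tt( depends on the setting of printing =)` drops both the quotes and the link to the printing parameter that the removed line carried, while the lprm command default later in the patch keeps `"printing ="` quoted. Keep the quoting the same in both places, and keep the cross-reference if the macros allow it inside tt().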
See also the link(bf("printing"))(printing) parameter.
-.B Default:
- depends on the setting of "printing ="
+ bf(Default:)
+tt( depends on the setting of "printing =")
bf(Example 1:)
tt( lprm command = /usr/bin/lprm -P%p %j)
link(bf("security=domain"))(security)) parameter.
bf(Default:)
- machine password timeout = 604800
+tt( machine password timeout = 604800)
label(magicoutput)
dit(bf(magic output (S)))
is undefined.
bf(Default:)
- magic output = <magic script name>.out
+tt( magic output = <magic script name>.out)
bf(Example:)
- magic output = myfile.txt
+tt( magic output = myfile.txt)
label(magicscript)
dit(bf(magic script (S)))
Magic scripts are em(EXPERIMENTAL) and should em(NOT) be relied upon.
bf(Default:)
- None. Magic scripts disabled.
+tt( None. Magic scripts disabled.)
bf(Example:)
- magic script = user.csh
+tt( magic script = user.csh)
label(manglecase)
dit(bf(mangle case (S)))
this use a map of (*;1 *).
bf(default:)
- no mangled map
+tt( no mangled map)
bf(Example:)
tt( mangled map = (*;1 *))
change between sessions.
bf(Default:)
- mangled names = yes
+tt( mangled names = yes)
bf(Example:)
- mangled names = no
+tt( mangled names = no)
label(manglingchar)
dit(bf(mangling char (S)))
whatever you prefer.
bf(Default:)
- mangling char = ~
+tt( mangling char = ~)
bf(Example:)
- mangling char = ^
+tt( mangling char = ^)
label(mangledstack)
dit(bf(mangled stack (G)))
be prepared for some surprises!
bf(Default:)
- mangled stack = 50
+tt( mangled stack = 50)
bf(Example:)
- mangled stack = 100
+tt( mangled stack = 100)
label(maparchive)
dit(bf(map archive (S)))
mask"))(createmask) for details.
bf(Default:)
- map archive = yes
+tt( map archive = yes)
bf(Example:)
- map archive = no
+tt( map archive = no)
label(maphidden)
dit(bf(map hidden (S)))
for details.
bf(Default:)
- map hidden = no
+tt( map hidden = no)
bf(Example:)
- map hidden = yes
+tt( map hidden = yes)
label(mapsystem)
dit(bf(map system (S)))
for details.
bf(Default:)
- map system = no
+tt( map system = no)
bf(Example:)
- map system = yes
+tt( map system = yes)
+
+label(maptoguest)
+dit(bf(map to guest (G)))
+
+This parameter is only useful in link(bf(security))(security) modes
+other than link(bf("security=share"))(security) - ie. user, server,
+and domain.
+
+This parameter can take three different values, which tell
+url(bf(smbd))(smbd.8.html) what to do with user login requests that
+don't match a valid UNIX user in some way.
+
+The three settings are :
+
+startit()
+
+it() bf("Never") - Means user login requests with an invalid password
+are rejected. This is the default.
+
+it() bf("Bad User") - Means user logins with an invalid password are
+rejected, unless the username does not exist, in which case it is
+treated as a guest login and mapped into the link(bf("guest
+account"))(guestaccount).
+
+it() bf("Bad Password") - Means user logins with an invalid
+password are treated as a guest login and mapped into the
+link(bf("guest account"))(guestaccount). Note that this can
+cause problems as it means that any user mistyping their
+password will be silently logged on a bf("guest") - and
+will not know the reason they cannot access files they think
+they should - there will have been no message given to them
+that they got their password wrong. Helpdesk services will
+em(*hate*) you if you set the bf("map to guest") parameter
+this way :-).
+
+endit()
+
+Note that this parameter is needed to set up bf("Guest") share
+services when using link(bf(security))(security) modes other than
+share. This is because in these modes the name of the resource being
+requested is em(*not*) sent to the server until after the server has
+successfully authenticated the client so the server cannot make
+authentication decisions at the correct time (connection to the
+share) for bf("Guest") shares.
+
+For people familiar with the older Samba releases, this parameter
+maps to the old compile-time setting of the GUEST_SESSSETUP value
+in local.h.
+
+ bf(Default:)
+tt( map to guest = Never)
+ bf(Example):
+tt( map to guest = Bad User)
label(maxconnections)
dit(bf(max connections (S)))
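Review bot: The "Bad Password" item in the new map to guest entry describes the setting only as a helpdesk nuisance; it should also state plainly that a wrong password for an existing account yields a guest session rather than a rejected login, so whatever the guest account can reach is available to any client that names a valid user. The "Never" item covers only invalid passwords and does not say what happens to an unknown username, which is the case "Bad User" then changes; add that. Smaller points: "silently logged on a bf("guest")" should read "logged on as", and `bf(Example):` has the colon outside the macro where every other entry writes `bf(Example:)`.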
directory"))(lockdirectory) option.
bf(Default:)
- max connections = 0
+tt( max connections = 0)
bf(Example:)
- max connections = 10
+tt( max connections = 10)
label(maxdisksize)
dit(bf(max disk size (G)))
A bf("max disk size") of 0 means no limit.
bf(Default:)
- max disk size = 0
+tt( max disk size = 0)
bf(Example:)
- max disk size = 1000
+tt( max disk size = 1000)
label(maxlogsize)
dit(bf(max log size (G)))
A size of 0 means no limit.
bf(Default:)
- max log size = 5000
+tt( max log size = 5000)
bf(Example:)
- max log size = 1000
+tt( max log size = 1000)
label(maxmux)
dit(bf(max mux (G)))
never need to set this parameter.
bf(Default:)
- max mux = 50
+tt( max mux = 50)
label(maxopenfiles)
dit(bf(maxopenfiles (G)))
so you should never need to touch this parameter.
bf(Default:)
- max open files = 10000
+tt( max open files = 10000)
label(maxpacket)
dit(bf(max packet (G)))
change this parameter. The default is 3 days.
bf(Default:)
- max ttl = 259200
+tt( max ttl = 259200)
label(maxwinsttl)
dit(bf(max wins ttl (G)))
See also the link(bf("min wins ttl"))(minwinsttl) parameter.
bf(Default:)
- max wins ttl = 518400
+tt( max wins ttl = 518400)
label(maxxmit)
dit(bf(max xmit (G)))
below 2048 is likely to cause problems.
bf(Default:)
- max xmit = 65535
+tt( max xmit = 65535)
bf(Example:)
- max xmit = 8192
+tt( max xmit = 8192)
label(messagecommand)
dit(bf(message command (G)))
This would normally be a command that would deliver the message
somehow. How this is to be done is up to your imagination.
-What I use is:
+An example is:
tt( message command = csh -c 'xedit %s;rm %s' &)
startit()
-it() %s = the filename containing the message
+it() tt("%s") = the filename containing the message.
-it() %t = the destination that the message was sent to (probably the server
-name)
+it() tt("%t") = the destination that the message was sent to (probably the server
+name).
-it() %f = who the message is from
+it() tt("%f") = who the message is from.
endit()
If you want to silently delete it then try:
- tt("message command = rm %s").
+tt("message command = rm %s").
For the really adventurous, try something like this:
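Review bot: In the %s / %t / %f list, the text never mentions that these values are substituted into a command line, which the example runs through csh, and that %f and %t are described as coming from the message itself ("who the message is from", "the destination that the message was sent to"). While rewording this list, add a sentence telling administrators to quote these substitutions or to hand only %s to a wrapper script that validates its input.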
wrap the above in a script that checks for this :-)
bf(Default:)
- no message command
+tt( no message command)
bf(Example:)
tt( message command = csh -c 'xedit %s;rm %s' &)
See also the link(bf(printing))(printing) parameter.
bf(Default:)
- min print space = 0
+tt( min print space = 0)
bf(Example:)
- min print space = 2000
+tt( min print space = 2000)
label(minwinsttl)
dit(bf(min wins ttl (G)))
parameter. The default is 6 hours (21600 seconds).
bf(Default:)
- min wins ttl = 21600
+tt( min wins ttl = 21600)
label(nameresolveorder)
endit()
bf(Default:)
- name resolve order = lmhosts host wins bcast
+tt( name resolve order = lmhosts host wins bcast)
bf(Example:)
- name resolve order = lmhosts bcast host
+tt( name resolve order = lmhosts bcast host)
This will cause the local lmhosts file to be examined first, followed
by a broadcast attempt, followed by a normal system hostname lookup.
See also link(bf("netbios name"))(netbiosname).
bf(Default:)
- empty string (no additional names)
+tt( empty string (no additional names))
bf(Example:)
- netbios aliases = TEST TEST1 TEST2
+tt( netbios aliases = TEST TEST1 TEST2)
label(netbiosname)
dit(bf(netbios name (G)))
See also link(bf("netbios aliases"))(netbiosaliases).
bf(Default:)
- Machine DNS name.
+tt( Machine DNS name.)
bf(Example:)
- netbios name = MYNAME
+tt( netbios name = MYNAME)
label(nishomedir)
dit(bf(nis homedir (G)))
link(bf(logon server))(domainlogons).
bf(Default:)
- nis homedir = false
+tt( nis homedir = false)
bf(Example:)
- nis homedir = true
+tt( nis homedir = true)
label(ntpipesupport)
dit(bf(nt pipe support (G)))
alone.
bf(Default:)
- nt pipe support = yes
+tt( nt pipe support = yes)
label(ntsmbsupport)
dit(bf(nt smb support (G)))
problems with NT SMB support.
bf(Default:)
- nt support = yes
+tt( nt support = yes)
label(nullpasswords)
dit(bf(null passwords (G)))
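Review bot: The default line reads `nt support = yes` in both the removed and the added version, but the entry it belongs to is labelled "nt smb support". Since the line is being rewritten anyway, use the parameter name from the dit() heading so a reader copying the default gets a valid setting.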
See also url(bf(smbpasswd (5)))(smbpasswd.5.html).
bf(Default:)
- null passwords = no
+tt( null passwords = no)
bf(Example:)
- null passwords = yes
+tt( null passwords = yes)
label(olelockingcompatibility)
dit(bf(ole locking compatibility (G)))
correctly.
bf(Default:)
- ole locking compatibility = yes
+tt( ole locking compatibility = yes)
bf(Example:)
- ole locking compatibility = no
+tt( ole locking compatibility = no)
label(onlyguest)
dit(bf(only guest (S)))
See also the link(bf(user))(user) parameter.
bf(Default:)
- only user = False
+tt( only user = False)
bf(Example:)
- only user = True
+tt( only user = True)
label(oplocks)
dit(bf(oplocks (S)))
for details.
bf(Default:)
- oplocks = True
+tt( oplocks = True)
bf(Example:)
- oplocks = False
+tt( oplocks = False)
label(oslevel)
dit(bf(os level (G)))
docs/ directory for details.
bf(Default:)
- os level = 0
+tt( os level = 0)
bf(Example:)
tt( os level = 65 ; This will win against any NT Server)
attention to the fact that a problem occured.
bf(Default:)
- panic action = <empty string>
+tt( panic action = <empty string>)
label(passwdchat)
dit(bf(passwd chat (G)))
program"))(passwdprogram).
bf(Example:)
- passwd chat debug = True
+tt( passwd chat debug = True)
bf(Default:)
- passwd chat debug = False
+tt( passwd chat debug = False)
label(passwdprogram)
dit(bf(passwd program (G)))
as is and the password in all-lower case.
bf(Default:)
- password level = 0
+tt( password level = 0)
bf(Example:)
- password level = 4
+tt( password level = 4)
label(passwordserver)
dit(bf(password server (G)))
See also the link(bf("security") parameter.
bf(Default:)
- password server = <empty string>
+tt( password server = <empty string>)
bf(Example:)
- password server = NT-PDC, NT-BDC1, NT-BDC2
+tt( password server = NT-PDC, NT-BDC1, NT-BDC2)
label(path)
dit(bf(path (S)))
one was specified.
bf(Default:)
- none
+tt( none)
bf(Example:)
- path = /home/fred
+tt( path = /home/fred)
label(postexec)
dit(bf(postexec (S)))
See also link(bf(preexec))(preexec).
bf(Default:)
- none (no command executed)
+tt( none (no command executed))
bf(Example:)
tt( postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log)
printer.
bf(Default:)
- postscript = False
+tt( postscript = False)
bf(Example:)
- postscript = True
+tt( postscript = True)
label(preexec)
dit(bf(preexec (S)))
See also link(bf(postexec))(postexec).
bf(Default:)
- none (no command executed)
+tt( none (no command executed))
bf(Example:)
tt( preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log)
See also link(bf(os level))(oslevel).
bf(Default:)
- preferred master = no
+tt( preferred master = no)
+
+ bf(Example:)
+tt( preferred master = yes)
label(preferedmaster)
dit(bf(prefered master (G)))
client passes, or if they are forced to be the tt("default") case.
bf(Default:)
- preserve case = yes
+tt( preserve case = yes)
See the section on link(bf("NAME MANGLING"))(NAMEMANGLING) for a
fuller discussion.
access to the resource.
bf(Default:)
- printable = no
+tt( printable = no)
bf(Example:)
- printable = yes
+tt( printable = yes)
label(printcap)
dit(bf(printcap (G)))
in the docs/ directory, PRINTER_DRIVER.txt.
bf(Default:)
- None (set in compile).
+tt( None (set in compile).)
bf(Example:)
tt( printer driver file = /usr/local/samba/printers/drivers.def)
directory, PRINTER_DRIVER.txt.
bf(Default:)
- None
+tt( None)
bf(Example:)
tt( printer driver location = \\MACHINE\PRINTER$)
protocol.
bf(Default:)
- protocol = NT1
+tt( protocol = NT1)
bf(Example:)
- protocol = LANMAN1
+tt( protocol = LANMAN1)
label(public)
dit(bf(public (S)))
command as the PATH may not be available to the server.
bf(Default:)
- depends on the setting of "printing ="
+tt( depends on the setting of "printing =")
bf(Example:)
tt( queuepause command = disable %p)
command as the PATH may not be available to the server.
bf(Default:)
- depends on the setting of "printing ="
+tt( depends on the setting of "printing =")
bf(Example:)
tt( queuepause command = enable %p)
while waiting for packets.
bf(Default:)
- read prediction = False
+tt( read prediction = False)
label(readraw)
dit(bf(read raw (G)))
severely alone. See also link(bf("write raw"))(writeraw).
bf(Default:)
- read raw = yes
+tt( read raw = yes)
label(readsize)
dit(bf(read size (G)))
unnecessarily.
bf(Default:)
- read size = 2048
+tt( read size = 2048)
bf(Example:)
- read size = 8192
+tt( read size = 8192)
label(remoteannounce)
dit(bf(remote announce (G)))
See the documentation file BROWSING.txt in the docs/ directory.
bf(Default:)
- remote announce = <empty string>
+tt( remote announce = <empty string>)
bf(Example:)
tt( remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF)
master on it's segment.
bf(Default:)
- remote browse sync = <empty string>
+tt( remote browse sync = <empty string>)
bf(Example:)
tt( remote browse sync = 192.168.2.255 192.168.4.255)
automatic access as the same username.
bf(Default:)
- revalidate = False
+tt( revalidate = False)
bf(Example:)
- revalidate = True
+tt( revalidate = True)
label(root)
dit(bf(root (G)))
to transfer user and password information to the server.
The default is bf("security=user"), as this is the most common setting
-needed when talking to Windows 98 and Windows NT4.0 SP3.
+needed when talking to Windows 98 and Windows NT.
The alternatives are bf("security = share") or bf("security = server") or
bf("security=domain").
mostly use usernames that don't exist on the UNIX box then use
bf("security = share").
+You should also use bf(security=share) if you want to be able to
+access any shares without a password (guest shares). This is commonly
+used for a shared printer server. It is more difficult to setup guest
+shares with bf(security=user), see the link(bf("map to
+guest"))(maptoguest)parameter for details.
+
+It is possible to use url(bf(smbd))(smbd.8.html) in a em("hybred
+mode") where it is offers both user and share level security under
+different link(bf(NetBIOS aliases))(netbiosaliases). See the
+link(bf(NetBIOS aliases))(netbiosaliases) and the
+link(bf(include))(include) parameters for more information.
+
The different settings will now be explained.
startdit()
dit(bf("security=share")) When clients connect to a share level
security server then need not log onto the server with a valid
username and password before attempting to connect to a shared
-resource. Instead, the clients send authentication information on a
-per-share basis, at the time they attempt to connect to that
-share.
+resource (although modern clients such as Windows 95/98 and Windows NT
+will send a logon request with a username but no password when talking
+to a bf(security=share) server). Instead, the clients send
+authentication information (passwords) on a per-share basis, at the
+time they attempt to connect to that share.
Note that url(bf(smbd))(smbd.8.html) em(*ALWAYS*) uses a valid UNIX
user to act on behalf of the client, even in bf("security=share")
-level security. There are no tt("anonymous") users.
+level security.
As clients are not required to send a username to the server
in share level security, url(bf(smbd))(smbd.8.html) uses several
techniques to determine the correct UNIX user to use on behalf
-of the client.
+of the client.
+
+A list of possible UNIX usernames to match with the given
+client password is constructed using the following methods :
startit()
-it() Parameters such as link(bf("user"))(user) and link(bf("guest
-only"))(guestonly), if set, will determine the UNIX user to use.
+it() If the link(bf("guest only"))(guestonly) parameter is set, then
+all the other stages are missed and only the link(bf("guest
+account"))(guestaccount) username is checked.
it() Is a username is sent with the share connection request, then
-this is used as the UNIX username (see also link(bf("username
-map"))(usernamemap).
+this username (after mapping - see link(bf("username
+map"))(usernamemap)), is added as a potential username.
+
+it() If the client did a previous em("logon") request (the
+SessionSetup SMB call) then the username sent in this SMB
+will be added as a potential username.
-it() If a username is not sent to the server, then
-url(bf(smbd))(smbd.8.html) will try the NetBIOS name of the client as
-a potential UNIX username.
+it() The name of the service the client requested is added
+as a potential username.
-it() If no username can be determined then if the share is marked as
-available to the link(bf("guest account"))(guestaccount), then this
-guest user will be used.
+it() The NetBIOS name of the client is added to the list as a
+potential username.
+
+it() Ant users on the link(bf("user"))(user) list are added
+as potential usernames.
endit()
-Note that it can be confusing in share-level security as to which UNIX
-username will eventually be used in granting access.
+If the link(bf("guest only"))(guestonly) parameter is not set, then
+this list is then tried with the supplied password. The first user for
+whom the password matches will be used as the UNIX user.
+
+If the link(bf("guest only"))(guestonly) parameter is set, or no
+username can be determined then if the share is marked as available to
+the link(bf("guest account"))(guestaccount), then this guest user will
+be used, otherwise access is denied.
-Note also that share-level security cannot support link(bf("encrypted
-passwords"))(encryptpasswords).
+Note that it can be em(*very*) confusing in share-level security as to
+which UNIX username will eventually be used in granting access.
dit(bf("security=user"))
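Review bot: At the end of the security=share text, the note `-Note also that share-level security cannot support link(bf("encrypted passwords"))(encryptpasswords).` is removed with nothing replacing it. If the limitation still holds it should stay; if it no longer holds, the new text should say so, since readers of the old page will look for it. Typos in the added lines: "hybred" should be "hybrid", "where it is offers" should be "where it offers", "Ant users" should be "Any users", and `guest"))(maptoguest)parameter` needs a space before "parameter".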
connection, but only after the user has been successfully
authenticated.
+em(Note) that the the name of the resource being requested is
+em(*not*) sent to the server until after the server has successfully
+authenticated the client. This is why guest shares don't work in user
+level security without allowing the server to automatically map unknown
+users into the link(bf("guest account"))(guestaccount). See the
+link(bf("map to guest"))(maptoguest) parameter for details on
+doing this.
+
dit(bf("security=server"))
In this mode Samba will try to validate the username/password by
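Review bot: The added note begins "that the the name of the resource", with "the" doubled. The same paragraph is pasted again under security=server and security=domain with the same slip, so fix all three, or state the point once before the list of modes and refer back to it.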
to check users against. See the documentation file in the docs/
directory ENCRYPTION.txt for details on how to set this up.
+em(Note) that from the clients point of view bf("security=server")
+is the same as bf("security=user"). It only affects how the server
+deals with the authentication, it does not in any way affect what the
+client sees.
+
+em(Note) that the the name of the resource being requested is
+em(*not*) sent to the server until after the server has successfully
+authenticated the client. This is why guest shares don't work in server
+level security without allowing the server to automatically map unknown
+users into the link(bf("guest account"))(guestaccount). See the
+link(bf("map to guest"))(maptoguest) parameter for details on
+doing this.
+
See also the link(bf("password server"))(passwordserver) parameter.
and the link(bf("encrypted passwords"))(encryptpasswords) parameter.
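Review bot: In the first added note, "from the clients point of view" needs the possessive "client's", and "It only affects how the server deals with the authentication, it does not in any way affect what the client sees" is a comma splice that reads better as two sentences. The same wording is repeated in the security=domain text.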
account on the Domain Controller to allow Samba to have a valid
UNIX account to map file access to.
+em(Note) that from the clients point of view bf("security=domain")
+is the same as bf("security=user"). It only affects how the server
+deals with the authentication, it does not in any way affect what the
+client sees.
+
+em(Note) that the the name of the resource being requested is
+em(*not*) sent to the server until after the server has successfully
+authenticated the client. This is why guest shares don't work in domain
+level security without allowing the server to automatically map unknown
+users into the link(bf("guest account"))(guestaccount). See the
+link(bf("map to guest"))(maptoguest) parameter for details on
+doing this.
+
+e,(BUG:) There is currently a bug in the implementation of
+bf("security=domain) with respect to multi-byte character
+set usernames. The communication with a Domain Controller
+must be done in UNICODE and Samba currently does not widen
+multi-byte user names to UNICODE correctly, thus a multi-byte
+username will not be recognised correctly at the Domain Controller.
+This issue will be addressed in a future release.
+
See also the link(bf("password server"))(passwordserver) parameter.
and the link(bf("encrypted passwords"))(encryptpasswords) parameter.
enddit()
bf(Default:)
- security = USER
+tt( security = USER)
bf(Example:)
- security = DOMAIN
+tt( security = DOMAIN)
label(serverstring)
dit(bf(server string (G)))
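Review bot: the BUG paragraph added to the security=domain text has two markup errors: `e,(BUG:)` should be `em(BUG:)`, and `bf("security=domain)` is missing the closing quote before the parenthesis. The two Note paragraphs above it repeat "the clients point of view" and "the the" from the security=server text and need the same corrections.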
client. See the Pathworks documentation for details.
bf(Default:)
- set directory = no
+tt( set directory = no)
bf(Example:)
- set directory = yes
+tt( set directory = yes)
label(sharemodes)
dit(bf(share modes (S)))
applications will break if you do so.
bf(Default:)
- share modes = yes
+tt( share modes = yes)
label(sharedmemsize)
dit(bf(shared mem size (G)))
See the section on link(bf(NAME MANGLING))(NAMEMANGLING).
bf(Default:)
- short preserve case = yes
+tt( short preserve case = yes)
label(smbpasswdfile)
dit(bf(smb passwd file (G)))
the path to the smbpasswd file is compiled into Samba.
bf(Default:)
- smb passwd file= <compiled default>
+tt( smb passwd file= <compiled default>)
bf(Example:)
- smb passwd file = /usr/samba/private/smbpasswd
+tt( smb passwd file = /usr/samba/private/smbpasswd)
label(smbrun)
dit(bf(smbrun (G)))
is installed correctly.
bf(Default:)
- smbrun=<compiled default>
+tt( smbrun=<compiled default>)
bf(Example:)
- smbrun = /usr/local/samba/bin/smbrun
+tt( smbrun = /usr/local/samba/bin/smbrun)
label(socketaddress)
dit(bf(socket address (G)))
By default samba will accept connections on any address.
bf(Example:)
- socket address = 192.168.2.20
+tt( socket address = 192.168.2.20)
label(socketoptions)
dit(bf(socket options (G)))
default they will be enabled if you don't specify 1 or 0.
To specify an argument use the syntax SOME_OPTION=VALUE for example
-SO_SNDBUF=8192. Note that you must not have any spaces before or after
+tt(SO_SNDBUF=8192). Note that you must not have any spaces before or after
the = sign.
If you are on a local network then a sensible option might be
-socket options = IPTOS_LOWDELAY
+tt(socket options = IPTOS_LOWDELAY)
If you have a local network then you could try:
-socket options = IPTOS_LOWDELAY TCP_NODELAY
+tt(socket options = IPTOS_LOWDELAY TCP_NODELAY)
If you are on a wide area network then perhaps try setting
IPTOS_THROUGHPUT.
completely. Use these options with caution!
bf(Default:)
- socket options = TCP_NODELAY
+tt( socket options = TCP_NODELAY)
+
+ bf(Example:)
+tt( socket options = IPTOS_LOWDELAY)
+
+label(ssl)
+dit(bf(ssl (G))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable enables or disables the entire SSL mode. If it is set to
+"no", the SSL enabled samba behaves exactly like the non-SSL samba. If
+set to "yes", it depends on the variables link(bf("ssl
+hosts"))(sslhosts) and link(bf("ssl hosts resign"))(sslhostsresign)
+whether an SSL connection will be required.
+
+ bf(Default:)
+tt( ssl=no)
+ bf(Example:)
+tt( ssl=yes)
+
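Review bot: `dit(bf(ssl (G))` is one closing parenthesis short, which leaves the dit() argument unterminated; the other entries in this patch use the form `dit(bf(ssl ciphers (G)))`. The description defers to "ssl hosts" and "ssl hosts resign" for whether SSL is required once ssl = yes, so it would help to repeat here what happens when both are left empty.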
+label(sslCAcertDir)
+dit(bf(ssl CA certDir (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable defines where to look up the Certification
+Autorities. The given directory should contain one file for each CA
+that samba will trust. The file name must be the hash value over the
+"Distinguished Name" of the CA. How this directory is set up is
+explained later in this document. All files within the directory that
+don't fit into this naming scheme are ignored. You don't need this
+variable if you don't verify client certificates.
+
+ bf(Default:)
+tt( ssl CA certDir = /usr/local/ssl/certs)
+
+label(CA certFile)
+dit(bf(ssl CA certFile (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable is a second way to define the trusted CAs. The
+certificates of the trusted CAs are collected in one big file and this
+variable points to the file. You will probably only use one of the two
+ways to define your CAs. The first choice is preferable if you have
+many CAs or want to be flexible, the second is perferable if you only
+have one CA and want to keep things simple (you won't need to create
+the hashed file names). You don't need this variable if you don't
+verify client certificates.
+
+ bf(Default:)
+tt( ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem)
+
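Review bot: `label(CA certFile)` does not match the link target used in the ssl require clientcert entry, `(sslCAcertFile)`, and it contains a space unlike the neighbouring `label(sslCAcertDir)`; it should be `label(sslCAcertFile)`. Two spelling errors in the same area: "Autorities" in the ssl CA certDir text and "perferable" in this entry. "Explained later in this document" in the certDir entry should be a link to the section it means.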
+label(sslciphers)
+dit(bf(ssl ciphers (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable defines the ciphers that should be offered during SSL
+negotiation. You should not set this variable unless you know what you
+are doing.
+
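Review bot: the ssl ciphers entry, unlike the other SSL entries in this patch, has no bf(Default:) line and no description of the value format; "You should not set this variable unless you know what you are doing" tells the reader neither what the list looks like nor what is offered when the variable is unset. Add the default and a pointer to where the cipher names are defined.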
+label(sslclientcert)
+dit(bf(ssl client cert (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+The certificate in this file is used by
+url(bf(smbclient))(smbclient.1.html) if it exists. It's needed if the
+server requires a client certificate.
+
+ bf(Default:)
+tt( ssl client cert = /usr/local/ssl/certs/smbclient.pem)
+
+label(sslclientkey)
+dit(bf(ssl client key (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This is the private key for url(bf(smbclient))(smbclient.1.html). It's
+only needed if the client should have a certificate.
+
+ bf(Default:)
+tt( ssl client key = /usr/local/ssl/private/smbclient.pem)
+
+label(sslcompatibility)
+dit(bf(ssl compatibility (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This variable defines whether SSLeay should be configured for bug
+compatibility with other SSL implementations. This is probably not
+desirable because currently no clients with SSL implementations other
+than SSLeay exist.
+
+ bf(Default:)
+tt( ssl compatibility = no)
+
+label(sslhosts)
+dit(bf(ssl hosts (G)))
+
+See link(bf("ssl hosts resign"))(sslhostsresign).
+
+label(sslhostsresign)
+dit(bf(ssl hosts resign (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+These two variables define whether samba will go into SSL mode or
+not. If none of them is defined, samba will allow only SSL
+connections. If the link(bf("ssl hosts"))(sslhosts) variable lists
+hosts (by IP-address, IP-address range, net group or name), only these
+hosts will be forced into SSL mode. If the bf("ssl hosts resign")
+variable lists hosts, only these hosts will NOT be forced into SSL
+mode. The syntax for these two variables is the same as for the
+link(bf("hosts allow"))(hostsallow) and link(bf("hosts
+deny"))(hostsdeny) pair of variables, only that the subject of the
+decision is different: It's not the access right but whether SSL is
+used or not. See the link(bf("allow hosts"))(allowhosts) parameter for
+details. The example below requires SSL connections from all hosts
+outside the local net (which is 192.168.*.*).
+
+ bf(Default:)
+tt( ssl hosts = <empty string>)
+tt( ssl hosts resign = <empty string>)
bf(Example:)
- socket options = IPTOS_LOWDELAY
+tt( ssl hosts resign = 192.168.)
+
+label(sslrequireclientcert)
+dit(bf(ssl require clientcert (G)))
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+If this variable is set to tt("yes"), the server will not tolerate
+connections from clients that don't have a valid certificate. The
+directory/file given in link(bf("ssl CA certDir"))(sslCAcertDir) and
+link(bf("ssl CA certFile"))(sslCAcertFile) will be used to look up the
+CAs that issued the client's certificate. If the certificate can't be
+verified positively, the connection will be terminated. If this
+variable is set to tt("no"), clients don't need certificates. Contrary
+to web applications you really em(*should*) require client
+certificates. In the web environment the client's data is sensitive
+(credit card numbers) and the server must prove to be trustworthy. In
+a file server environment the server's data will be sensitive and the
+clients must prove to be trustworthy.
+
+ bf(Default:)
+tt( ssl require clientcert = no)
+
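Review bot: the text says you "really *should* require client certificates" on a file server, yet the documented default is `ssl require clientcert = no`. Either change the default or add a sentence stating that an SSL-enabled server with default settings accepts clients without verifying a certificate, and that ssl CA certDir and ssl CA certFile are only needed once this is set to yes. The entry also lacks the blank `+` lines after the dit() line and between the two boilerplate paragraphs that the other SSL entries have.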
+label(sslrequireservercert)
+dit(bf(ssl require servercert (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+If this variable is set to tt("yes"), the
+url(bf(smbclient))(smbclient.1.html) will request a certificate from
+the server. Same as link(bf("ssl require
+clientcert"))(sslrequireclientcert) for the server.
+
+ bf(Default:)
+tt( ssl require servercert = no)
+
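Review bot: "will request a certificate from the server" and "Same as ssl require clientcert for the server" do not say whether smbclient verifies the certificate or against which CAs. The ssl server cert entry states that the server must always have a certificate, so requesting one adds nothing by itself; if the behaviour is that the certificate is checked against ssl CA certDir / ssl CA certFile and the connection is dropped on failure, spell that out here.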
+label(sslservercert)
+dit(bf(ssl server cert (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This is the file containing the server's certificate. The server _must_
+have a certificate. The file may also contain the server's private key.
+See later for how certificates and private keys are created.
+
+ bf(Default:)
+tt( ssl server cert = <empty string>)
+
+ssl server key G
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This file contains the private key of the server. If this variable is
+not defined, the key is looked up in the certificate file (it may be
+appended to the certificate). The server em(*must*) have a private key
+and the certificate em(*must*) match this private key.
+
+ bf(Default:)
+tt( ssl server key = <empty string>)
+
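Review bot: `ssl server key G` is added as a bare line with no label() and no `dit(bf(ssl server key (G)))`, so the entry has no heading and no link target; `stat cache G` and `stat cache size G` at the end of the patch are in the same state. In the ssl server cert text, `_must_` should be `em(*must*)` to match the emphasis used in the ssl server key paragraph, and "See later for how certificates and private keys are created" should link to the section it refers to.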
+label(sslversion)
+dit(bf(ssl version (G)))
+
+This variable is part of SSL-enabled Samba. This is only available if
+the SSL libraries have been compiled on your system and the configure
+option tt("--with-ssl") was given at configure time.
+
+em(Note) that for export control reasons this code is em(**NOT**)
+enabled by default in any current binary version of Samba.
+
+This enumeration variable defines the versions of the SSL protocol
+that will be used. tt("ssl2or3") allows dynamic negotiation of SSL v2
+or v3, tt("ssl2") results in SSL v2, tt("ssl3") results in SSL v3 and
+"tls1" results in TLS v1. TLS (Transport Layer Security) is the
+(proposed?) new standard for SSL.
+
+ bf(Default:)
+tt( ssl version = "ssl2or3")
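Review bot: `"tls1"` is the only one of the four values not wrapped in tt(), and the default is shown as `ssl version = "ssl2or3"` with quotation marks while other defaults in this patch (`ssl=no`, `ssl compatibility = no`) are unquoted, which leaves it unclear whether the quotes are part of the value. "(proposed?)" reads as a note to self; either state the status of TLS or drop the parenthesis. Since the default permits negotiating SSL v2, the entry should also say which value restricts the server to SSL v3 or TLS v1 only.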
+stat cache G
+stat cache size G
.SS status (G)
This enables or disables logging of connections to a status file that