1 .\" This manpage has been automatically generated by docbook2man-spec
2 .\" from a DocBook document. docbook2man-spec can be found at:
3 .\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
4 .\" Please send any bug reports, improvements, comments, patches,
5 .\" etc. to Steve Cheng <steve@ggi-project.org>.
6 .TH "SMB.CONF" "5" "01 April 2002" "" ""
8 smb.conf \- The configuration file for the Samba suite
11 The \fIsmb.conf\fR file is a configuration
12 file for the Samba suite. \fIsmb.conf\fR contains
13 runtime configuration information for the Samba programs. The
14 \fIsmb.conf\fR file is designed to be configured and
15 administered by the \fBswat(8)\fR
16 program. The complete description of the file format and
17 possible parameters held within are here for reference purposes.
20 The file consists of sections and parameters. A section
21 begins with the name of the section in square brackets and continues
22 until the next section begins. Sections contain parameters of the
27 The file is line-based - that is, each newline-terminated
28 line represents either a comment, a section name or a parameter.
30 Section and parameter names are not case sensitive.
32 Only the first equals sign in a parameter is significant.
33 Whitespace before or after the first equals sign is discarded.
34 Leading, trailing and internal whitespace in section and parameter
35 names is irrelevant. Leading and trailing whitespace in a parameter
36 value is discarded. Internal whitespace within a parameter value
39 Any line beginning with a semicolon (';') or a hash ('#')
40 character is ignored, as are lines containing only whitespace.
42 Any line ending in a '\\' is continued
43 on the next line in the customary UNIX fashion.
45 The values following the equals sign in parameters are all
46 either a string (no quotes needed) or a boolean, which may be given
47 as yes/no, 0/1 or true/false. Case is not significant in boolean
48 values, but is preserved in string values. Some items such as
49 create modes are numeric.
50 .SH "SECTION DESCRIPTIONS"
52 Each section in the configuration file (except for the
53 [global] section) describes a shared resource (known
54 as a "share"). The section name is the name of the
55 shared resource and the parameters within the section define
56 the shares attributes.
58 There are three special sections, [global],
59 [homes] and [printers], which are
60 described under \fBspecial sections\fR. The
61 following notes apply to ordinary section descriptions.
63 A share consists of a directory to which access is being
64 given plus a description of the access rights which are granted
65 to the user of the service. Some housekeeping options are
68 Sections are either file share services (used by the
69 client as an extension of their native file systems) or
70 printable services (used by the client to access print services
71 on the host running the server).
73 Sections may be designated \fBguest\fR services,
74 in which case no password is required to access them. A specified
75 UNIX \fBguest account\fR is used to define access
76 privileges in this case.
78 Sections other than guest services will require a password
79 to access them. The client provides the username. As older clients
80 only provide passwords and not usernames, you may specify a list
81 of usernames to check against the password using the "user ="
82 option in the share definition. For modern clients such as
83 Windows 95/98/ME/NT/2000, this should not be necessary.
85 Note that the access rights granted by the server are
86 masked by the access rights granted to the specified or guest
87 UNIX user by the host system. The server does not grant more
88 access than the host system grants.
90 The following sample section defines a file space share.
91 The user has write access to the path \fI/home/bar\fR.
92 The share is accessed via the share name "foo":
103 The following sample section defines a printable share.
104 The share is readonly, but printable. That is, the only write
105 access permitted is via calls to open, write to and close a
106 spool file. The \fBguest ok\fR parameter means
107 access will be permitted as the default guest user (specified
112 path = /usr/spool/public
120 .SH "SPECIAL SECTIONS"
121 .SS "THE GLOBAL SECTION"
123 parameters in this section apply to the server
124 as a whole, or are defaults for sections which do not
125 specifically define certain items. See the notes
126 under PARAMETERS for more information.
127 .SS "THE HOMES SECTION"
129 If a section called homes is included in the
130 configuration file, services connecting clients to their
131 home directories can be created on the fly by the server.
133 When the connection request is made, the existing
134 sections are scanned. If a match is found, it is used. If no
135 match is found, the requested section name is treated as a
136 user name and looked up in the local password file. If the
137 name exists and the correct password has been given, a share is
138 created by cloning the [homes] section.
140 Some modifications are then made to the newly
144 The share name is changed from homes to
145 the located username.
148 If no path was given, the path is set to
149 the user's home directory.
151 If you decide to use a \fBpath =\fR line
152 in your [homes] section then you may find it useful
153 to use the %S macro. For example :
156 \fBpath = /data/pchome/%S\fR
159 would be useful if you have different home directories
160 for your PCs than for UNIX access.
163 This is a fast and simple way to give a large number
164 of clients access to their home directories with a minimum
168 A similar process occurs if the requested section
169 name is "homes", except that the share name is not
170 changed to that of the requesting user. This method of using
171 the [homes] section works well if different users share
175 The [homes] section can specify all the parameters
176 a normal service section can specify, though some make more sense
177 than others. The following is a typical and suitable [homes]
189 An important point is that if guest access is specified
190 in the [homes] section, all home directories will be
191 visible to all clients \fBwithout a password\fR.
192 In the very unlikely event that this is actually desirable, it
193 would be wise to also specify \fBread only
197 Note that the \fBbrowseable\fR flag for
198 auto home directories will be inherited from the global browseable
199 flag, not the [homes] browseable flag. This is useful as
200 it means setting \fBbrowseable = no\fR in
201 the [homes] section will hide the [homes] share but make
202 any auto home directories visible.
204 .SS "THE PRINTERS SECTION"
206 This section works like [homes],
209 If a [printers] section occurs in the
210 configuration file, users are able to connect to any printer
211 specified in the local host's printcap file.
213 When a connection request is made, the existing sections
214 are scanned. If a match is found, it is used. If no match is found,
215 but a [homes] section exists, it is used as described
216 above. Otherwise, the requested section name is treated as a
217 printer name and the appropriate printcap file is scanned to see
218 if the requested section name is a valid printer share name. If
219 a match is found, a new printer share is created by cloning
220 the [printers] section.
222 A few modifications are then made to the newly created
226 The share name is set to the located printer
230 If no printer name was given, the printer name
231 is set to the located printer name
234 If the share does not permit guest access and
235 no username was given, the username is set to the located
238 Note that the [printers] service MUST be
239 printable - if you specify otherwise, the server will refuse
240 to load the configuration file.
243 Typically the path specified would be that of a
244 world-writeable spool directory with the sticky bit set on
245 it. A typical [printers] entry would look like
251 path = /usr/spool/public
258 All aliases given for a printer in the printcap file
259 are legitimate printer names as far as the server is concerned.
260 If your printing subsystem doesn't work like that, you will have
261 to set up a pseudo-printcap. This is a file consisting of one or
262 more lines like this:
266 alias|alias|alias|alias...
272 Each alias should be an acceptable printer name for
273 your printing subsystem. In the [global] section, specify
274 the new file as your printcap. The server will then only recognize
275 names found in your pseudo-printcap, which of course can contain
276 whatever aliases you like. The same technique could be used
277 simply to limit access to a subset of your local printers.
280 An alias, by the way, is defined as any component of the
281 first entry of a printcap record. Records are separated by newlines,
282 components (if there are more than one) are separated by vertical
286 NOTE: On SYSV systems which use lpstat to determine what
287 printers are defined on the system you may be able to use
288 "printcap name = lpstat" to automatically obtain a list
289 of printers. See the "printcap name" option
294 parameters define the specific attributes of sections.
296 Some parameters are specific to the [global] section
297 (e.g., \fBsecurity\fR). Some parameters are usable
298 in all sections (e.g., \fBcreate mode\fR). All others
299 are permissible only in normal sections. For the purposes of the
300 following descriptions the [homes] and [printers]
301 sections will be considered normal. The letter \fBG\fR
302 in parentheses indicates that a parameter is specific to the
303 [global] section. The letter \fBS\fR
304 indicates that a parameter can be specified in a service specific
305 section. Note that all \fBS\fR parameters can also be specified in
306 the [global] section - in which case they will define
307 the default behavior for all services.
309 parameters are arranged here in alphabetical order - this may
310 not create best bedfellows, but at least you can find them! Where
311 there are synonyms, the preferred synonym is described, others refer
312 to the preferred synonym.
313 .SH "VARIABLE SUBSTITUTIONS"
315 Many of the strings that are settable in the config file
316 can take substitutions. For example the option "path =
317 /tmp/%u" would be interpreted as "path =
318 /tmp/john" if the user connected with the username john.
320 These substitutions are mostly noted in the descriptions below,
321 but there are some general substitutions which apply whenever they
322 might be relevant. These are:
325 the name of the current service, if any.
328 the root directory of the current service,
332 user name of the current service, if any.
335 primary group name of %u.
338 session user name (the user name that the client
339 wanted, not necessarily the same as the one they got).
342 primary group name of %U.
345 the home directory of the user given
352 the Internet hostname that Samba is running
356 the NetBIOS name of the client machine
360 the NetBIOS name of the server. This allows you
361 to change your config based on what the client calls you. Your
362 server can have a "dual personality".
364 Note that this paramater is not available when Samba listens
365 on port 445, as clients no longer send this information
368 the Internet name of the client machine.
371 the name of your NIS home directory server.
372 This is obtained from your NIS auto.map entry. If you have
373 not compiled Samba with the \fB--with-automount\fR
374 option then this value will be the same as %L.
377 the path of the service's home directory,
378 obtained from your NIS auto.map entry. The NIS auto.map entry
379 is split up as "%N:%p".
382 the selected protocol level after
383 protocol negotiation. It can be one of CORE, COREPLUS,
384 LANMAN1, LANMAN2 or NT1.
387 The process id of the current server
391 the architecture of the remote
392 machine. Only some are recognized, and those may not be
393 100% reliable. It currently recognizes Samba, WfWg, Win95,
394 WinNT and Win2k. Anything else will be known as
395 "UNKNOWN". If it gets it wrong then sending a level
396 3 log to samba@samba.org
397 <URL:mailto:samba@samba.org> should allow it to be fixed.
400 The IP address of the client machine.
403 the current date and time.
405 \fB%$(\fIenvvar\fB)\fR
406 The value of the environment variable
409 There are some quite creative things that can be done
410 with these substitutions and other smb.conf options.
414 Samba supports "name mangling" so that DOS and
415 Windows clients can use files that don't conform to the 8.3 format.
416 It can also be set to adjust the case of 8.3 format filenames.
418 There are several options that control the way mangling is
419 performed, and they are grouped here rather than listed separately.
420 For the defaults look at the output of the testparm program.
422 All of these options can be set separately for each service
423 (or globally, of course).
427 \fBmangle case = yes/no\fR
428 controls if names that have characters that
429 aren't of the "default" case are mangled. For example,
430 if this is yes then a name like "Mail" would be mangled.
433 \fBcase sensitive = yes/no\fR
434 controls whether filenames are case sensitive. If
435 they aren't then Samba must do a filename search and match on passed
436 names. Default \fBno\fR.
438 \fBdefault case = upper/lower\fR
439 controls what the default case is for new
440 filenames. Default \fBlower\fR.
442 \fBpreserve case = yes/no\fR
443 controls if new files are created with the
444 case that the client passes, or if they are forced to be the
445 "default" case. Default \fByes\fR.
447 \fBshort preserve case = yes/no\fR
448 controls if new files which conform to 8.3 syntax,
449 that is all in upper case and of suitable length, are created
450 upper case, or if they are forced to be the "default"
451 case. This option can be use with "preserve case = yes"
452 to permit long filenames to retain their case, while short names
453 are lowercased. Default \fByes\fR.
455 By default, Samba 2.2 has the same semantics as a Windows
456 NT server, in that it is case insensitive but case preserving.
458 .SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
460 There are a number of ways in which a user can connect
461 to a service. The server uses the following steps in determining
462 if it will allow a connection to a specified service. If all the
463 steps fail, then the connection request is rejected. However, if one of the
464 steps succeeds, then the following steps are not checked.
466 If the service is marked "guest only = yes" then
467 steps 1 to 5 are skipped.
469 If the client has passed a username/password
470 pair and that username/password pair is validated by the UNIX
471 system's password programs then the connection is made as that
472 username. Note that this includes the
473 \\\\server\\service%\fIusername\fR method of passing
476 If the client has previously registered a username
477 with the system and now supplies a correct password for that
478 username then the connection is allowed.
480 The client's NetBIOS name and any previously
481 used user names are checked against the supplied password, if
482 they match then the connection is allowed as the corresponding
485 If the client has previously validated a
486 username/password pair with the server and the client has passed
487 the validation token then that username is used.
489 If a "user = " field is given in the
490 \fIsmb.conf\fR file for the service and the client
491 has supplied a password, and that password matches (according to
492 the UNIX system's password checking) with one of the usernames
493 from the "user =" field then the connection is made as
494 the username in the "user =" line. If one
495 of the username in the "user =" list begins with a
496 \&'@' then that name expands to a list of names in
497 the group of the same name.
499 If the service is a guest service then a
500 connection is made as the username given in the "guest
501 account =" for the service, irrespective of the
503 .SH "COMPLETE LIST OF GLOBAL PARAMETERS"
505 Here is a list of all global parameters. See the section of
506 each parameter for details. Note that some are synonyms.
509 \fIabort shutdown script\fR
512 \fIadd printer command\fR
515 \fIadd share command\fR
518 \fIadd user script\fR
521 \fIadd machine script\fR
524 \fIallow trusted domains\fR
530 \fIannounce version\fR
539 \fIbind interfaces only\fR
545 \fIchange notify timeout\fR
548 \fIchange share command\fR
557 \fIdebug hires timestamp\fR
563 \fIdebug timestamp\fR
575 \fIdefault service\fR
578 \fIdelete printer command\fR
581 \fIdelete share command\fR
584 \fIdelete user script\fR
590 \fIdisable spoolss\fR
596 \fIdomain admin group\fR
599 \fIdomain guest group\fR
608 \fIencrypt passwords\fR
611 \fIenhanced browsing\fR
614 \fIenumports command\fR
620 \fIhide local users\fR
623 \fIhide unreadable\fR
647 \fIlarge readwrite\fR
707 \fImachine password timeout\fR
731 \fImax smbd processes\fR
743 \fImessage command\fR
746 \fImin passwd length\fR
749 \fImin password length\fR
758 \fIname resolve order\fR
761 \fInetbios aliases\fR
773 \fInon unix account range\fR
776 \fInt pipe support\fR
782 \fIobey pam restrictions\fR
785 \fIoplock break wait time\fR
794 \fIpam password change\fR
806 \fIpasswd chat debug\fR
815 \fIpassword server\fR
818 \fIprefered master\fR
821 \fIpreferred master\fR
833 \fIprinter driver file\fR
851 \fIremote announce\fR
854 \fIremote browse sync\fR
857 \fIrestrict anonymous\fR
875 \fIshow add printer wizard\fR
878 \fIshutdown script\fR
881 \fIsmb passwd file\fR
890 \fIsource environment\fR
899 \fIssl CA certFile\fR
905 \fIssl client cert\fR
911 \fIssl compatibility\fR
917 \fIssl entropy bytes\fR
920 \fIssl entropy file\fR
926 \fIssl hosts resign\fR
929 \fIssl require clientcert\fR
932 \fIssl require servercert\fR
935 \fIssl server cert\fR
947 \fIstat cache size\fR
959 \fItemplate homedir\fR
974 \fItotal print jobs\fR
977 \fIunix extensions\fR
980 \fIunix password sync\fR
983 \fIupdate encrypted\fR
1001 \fIutmp directory\fR
1004 \fIwinbind cache time\fR
1007 \fIwinbind enum users\fR
1010 \fIwinbind enum groups\fR
1016 \fIwinbind separator\fR
1022 \fIwinbind use default domain\fR
1041 .SH "COMPLETE LIST OF SERVICE PARAMETERS"
1043 Here is a list of all service parameters. See the section on
1044 each parameter for details. Note that some are synonyms.
1056 \fIblocking locks\fR
1065 \fIcase sensitive\fR
1086 \fIdefault devmode\fR
1089 \fIdelete readonly\fR
1092 \fIdelete veto files\fR
1101 \fIdirectory mask\fR
1104 \fIdirectory mode\fR
1107 \fIdirectory security mask\fR
1116 \fIdos filetime resolution\fR
1125 \fIfake directory create times\fR
1131 \fIfollow symlinks\fR
1134 \fIforce create mode\fR
1137 \fIforce directory mode\fR
1140 \fIforce directory security mode\fR
1146 \fIforce security mode\fR
1167 \fIhide dot files\fR
1182 \fIinherit permissions\fR
1188 \fIlevel2 oplocks\fR
1194 \fIlppause command\fR
1200 \fIlpresume command\fR
1233 \fImax connections\fR
1236 \fImax print jobs\fR
1239 \fImin print space\fR
1245 \fInt acl support\fR
1254 \fIoplock contention limit\fR
1296 \fIprinter driver\fR
1299 \fIprinter driver location\fR
1311 \fIqueuepause command\fR
1314 \fIqueueresume command\fR
1329 \fIroot preexec close\fR
1338 \fIshort preserve case\fR
1344 \fIstrict allocate\fR
1347 \fIstrict locking\fR
1356 \fIuse client driver\fR
1374 \fIveto oplock files\fR
1392 \fIwrite cache size\fR
1402 .SH "EXPLANATION OF EACH PARAMETER"
1404 \fBabort shutdown script (G)\fR
1405 \fBThis parameter only exists in the HEAD cvs branch\fR
1406 This a full path name to a script called by
1408 should stop a shutdown procedure issued by the \fIshutdown script\fR.
1410 This command will be run as user.
1412 Default: \fBNone\fR.
1414 Example: \fBabort shutdown script = /sbin/shutdown -c\fR
1416 \fBadd printer command (G)\fR
1417 With the introduction of MS-RPC based printing
1418 support for Windows NT/2000 clients in Samba 2.2, The MS Add
1419 Printer Wizard (APW) icon is now also available in the
1420 "Printers..." folder displayed a share listing. The APW
1421 allows for printers to be add remotely to a Samba or Windows
1422 NT/2000 print server.
1424 For a Samba host this means that the printer must be
1425 physically added to the underlying printing system. The \fIadd
1426 printer command\fR defines a script to be run which
1427 will perform the necessary operations for adding the printer
1428 to the print system and to add the appropriate service definition
1429 to the \fIsmb.conf\fR file in order that it can be
1430 shared by \fBsmbd(8)\fR
1433 The \fIadd printer command\fR is
1434 automatically invoked with the following parameter (in
1454 \fIWindows 9x driver location\fR
1457 All parameters are filled in from the PRINTER_INFO_2 structure sent
1458 by the Windows NT/2000 client with one exception. The "Windows 9x
1459 driver location" parameter is included for backwards compatibility
1460 only. The remaining fields in the structure are generated from answers
1461 to the APW questions.
1464 Once the \fIadd printer command\fR has
1465 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to determine if the share defined by the APW
1466 exists. If the sharename is still invalid, then \fBsmbd
1467 \fRwill return an ACCESS_DENIED error to the client.
1470 See also \fI delete printer command\fR, \fIprinting\fR,
1478 Example: \fBaddprinter command = /usr/bin/addprinter
1481 \fBadd share command (G)\fR
1482 Samba 2.2.0 introduced the ability to dynamically
1483 add and delete shares via the Windows NT 4.0 Server Manager. The
1484 \fIadd share command\fR is used to define an
1485 external program or script which will add a new service definition
1486 to \fIsmb.conf\fR. In order to successfully
1487 execute the \fIadd share command\fR, \fBsmbd\fR
1488 requires that the administrator be connected using a root account (i.e.
1491 When executed, \fBsmbd\fR will automatically invoke the
1492 \fIadd share command\fR with four parameters.
1496 \fIconfigFile\fR - the location
1497 of the global \fIsmb.conf\fR file.
1500 \fIshareName\fR - the name of the new
1504 \fIpathName\fR - path to an **existing**
1508 \fIcomment\fR - comment string to associate
1512 This parameter is only used for add file shares. To add printer shares,
1513 see the \fIadd printer
1517 See also \fIchange share
1518 command\fR, \fIdelete share
1525 Example: \fBadd share command = /usr/local/bin/addshare\fR
1528 \fBadd machine script (G)\fR
1529 This is the full pathname to a script that will
1530 be run by smbd(8)when a machine is added
1531 to it's domain using the administrator username and password method.
1533 This option is only required when using sam back-ends tied to the
1534 Unix uid method of RID calculation such as smbpasswd. This option is only
1535 available in Samba 3.0.
1537 Default: \fBadd machine script = <empty string>
1539 Example: \fBadd machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
1541 \fBadd user script (G)\fR
1542 This is the full pathname to a script that will
1543 be run \fBAS ROOT\fR by smbd(8)
1544 under special circumstances described below.
1546 Normally, a Samba server requires that UNIX users are
1547 created for all users accessing files on this server. For sites
1548 that use Windows NT account databases as their primary user database
1549 creating these users and keeping the user list in sync with the
1550 Windows NT PDC is an onerous task. This option allows smbdto create the required UNIX users
1551 \fBON DEMAND\fR when a user accesses the Samba server.
1553 In order to use this option, smbd
1554 must \fBNOT\fR be set to \fIsecurity = share\fR
1555 and \fIadd user script\fR
1556 must be set to a full pathname for a script that will create a UNIX
1557 user given one argument of \fI%u\fR, which expands into
1558 the UNIX user name to create.
1560 When the Windows user attempts to access the Samba server,
1561 at login (session setup in the SMB protocol) time, smbdcontacts the \fIpassword server\fR and
1562 attempts to authenticate the given user with the given password. If the
1563 authentication succeeds then \fBsmbd\fR
1564 attempts to find a UNIX user in the UNIX password database to map the
1565 Windows user into. If this lookup fails, and \fIadd user script
1566 \fRis set then \fBsmbd\fR will
1567 call the specified script \fBAS ROOT\fR, expanding
1568 any \fI%u\fR argument to be the user name to create.
1570 If this script successfully creates the user then \fBsmbd
1571 \fRwill continue on as though the UNIX user
1572 already existed. In this way, UNIX users are dynamically created to
1573 match existing Windows NT accounts.
1575 See also \fI security\fR, \fIpassword server\fR,
1579 Default: \fBadd user script = <empty string>
1581 Example: \fBadd user script = /usr/local/samba/bin/add_user
1584 \fBadmin users (S)\fR
1585 This is a list of users who will be granted
1586 administrative privileges on the share. This means that they
1587 will do all file operations as the super-user (root).
1589 You should use this option very carefully, as any user in
1590 this list will be able to do anything they like on the share,
1591 irrespective of file permissions.
1593 Default: \fBno admin users\fR
1595 Example: \fBadmin users = jason\fR
1597 \fBallow hosts (S)\fR
1598 Synonym for \fIhosts allow\fR.
1600 \fBallow trusted domains (G)\fR
1601 This option only takes effect when the \fIsecurity\fR option is set to
1603 If it is set to no, then attempts to connect to a resource from
1604 a domain or workgroup other than the one which smbdis running
1605 in will fail, even if that domain is trusted by the remote server
1606 doing the authentication.
1608 This is useful if you only want your Samba server to
1609 serve resources to users in the domain it is a member of. As
1610 an example, suppose that there are two domains DOMA and DOMB. DOMB
1611 is trusted by DOMA, which contains the Samba server. Under normal
1612 circumstances, a user with an account in DOMB can then access the
1613 resources of a UNIX account with the same account name on the
1614 Samba server even if they do not have an account in DOMA. This
1615 can make implementing a security boundary difficult.
1617 Default: \fBallow trusted domains = yes\fR
1619 \fBannounce as (G)\fR
1620 This specifies what type of server
1622 will announce itself as, to a network neighborhood browse
1623 list. By default this is set to Windows NT. The valid options
1624 are : "NT Server" (which can also be written as "NT"),
1625 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
1626 Windows NT Workstation, Windows 95 and Windows for Workgroups
1627 respectively. Do not change this parameter unless you have a
1628 specific need to stop Samba appearing as an NT server as this
1629 may prevent Samba servers from participating as browser servers
1632 Default: \fBannounce as = NT Server\fR
1634 Example: \fBannounce as = Win95\fR
1636 \fBannounce version (G)\fR
1637 This specifies the major and minor version numbers
1638 that nmbd will use when announcing itself as a server. The default
1639 is 4.2. Do not change this parameter unless you have a specific
1640 need to set a Samba server to be a downlevel server.
1642 Default: \fBannounce version = 4.5\fR
1644 Example: \fBannounce version = 2.0\fR
1646 \fBauto services (G)\fR
1647 This is a synonym for the \fIpreload\fR.
1649 \fBauth methods (G)\fR
1650 This option allows the administrator to chose what
1651 authentication methods \fBsmbd\fR will use when authenticating
1652 a user. This option defaults to sensible values based on \fI security\fR.
1653 Each entry in the list attempts to authenticate the user in turn, until
1654 the user authenticates. In practice only one method will ever actually
1655 be able to complete the authentication.
1657 Default: \fBauth methods = <empty string>\fR
1659 Example: \fBauth methods = guest sam ntdomain\fR
1662 This parameter lets you "turn off" a service. If
1663 \fIavailable = no\fR, then \fBALL\fR
1664 attempts to connect to the service will fail. Such failures are
1667 Default: \fBavailable = yes\fR
1669 \fBbind interfaces only (G)\fR
1670 This global parameter allows the Samba admin
1671 to limit what interfaces on a machine will serve SMB requests. If
1672 affects file service smbd(8)and
1673 name service nmbd(8)in slightly
1676 For name service it causes \fBnmbd\fR to bind
1677 to ports 137 and 138 on the interfaces listed in the interfaces parameter. \fBnmbd
1678 \fRalso binds to the "all addresses" interface (0.0.0.0)
1679 on ports 137 and 138 for the purposes of reading broadcast messages.
1680 If this option is not set then \fBnmbd\fR will service
1681 name requests on all of these sockets. If \fIbind interfaces
1682 only\fR is set then \fBnmbd\fR will check the
1683 source address of any packets coming in on the broadcast sockets
1684 and discard any that don't match the broadcast addresses of the
1685 interfaces in the \fIinterfaces\fR parameter list.
1686 As unicast packets are received on the other sockets it allows
1687 \fBnmbd\fR to refuse to serve names to machines that
1688 send packets that arrive through any interfaces not listed in the
1689 \fIinterfaces\fR list. IP Source address spoofing
1690 does defeat this simple check, however so it must not be used
1691 seriously as a security feature for \fBnmbd\fR.
1693 For file service it causes smbd(8)
1694 to bind only to the interface list given in the interfaces parameter. This restricts the networks that
1695 \fBsmbd\fR will serve to packets coming in those
1696 interfaces. Note that you should not use this parameter for machines
1697 that are serving PPP or other intermittent or non-broadcast network
1698 interfaces as it will not cope with non-permanent interfaces.
1700 If \fIbind interfaces only\fR is set then
1701 unless the network address \fB127.0.0.1\fR is added
1702 to the \fIinterfaces\fR parameter list \fBsmbpasswd(8)\fR
1703 and \fBswat(8)\fRmay
1704 not work as expected due to the reasons covered below.
1706 To change a users SMB password, the \fBsmbpasswd\fR
1707 by default connects to the \fBlocalhost - 127.0.0.1\fR
1708 address as an SMB client to issue the password change request. If
1709 \fIbind interfaces only\fR is set then unless the
1710 network address \fB127.0.0.1\fR is added to the
1711 \fIinterfaces\fR parameter list then \fB smbpasswd\fR will fail to connect in it's default mode.
1712 \fBsmbpasswd\fR can be forced to use the primary IP interface
1713 of the local host by using its \fI-r remote machine\fR
1714 parameter, with \fIremote machine\fR set
1715 to the IP name of the primary interface of the local host.
1717 The \fBswat\fR status page tries to connect with
1718 \fBsmbd\fR and \fBnmbd\fR at the address
1719 \fB127.0.0.1\fR to determine if they are running.
1720 Not adding \fB127.0.0.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show
1721 "not running" even if they really are. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR
1724 Default: \fBbind interfaces only = no\fR
1726 \fBblocking locks (S)\fR
1727 This parameter controls the behavior of smbd(8)when given a request by a client
1728 to obtain a byte range lock on a region of an open file, and the
1729 request has a time limit associated with it.
1731 If this parameter is set and the lock range requested
1732 cannot be immediately satisfied, Samba 2.2 will internally
1733 queue the lock request, and periodically attempt to obtain
1734 the lock until the timeout period expires.
1736 If this parameter is set to false, then
1737 Samba 2.2 will behave as previous versions of Samba would and
1738 will fail the lock request immediately if the lock range
1741 Default: \fBblocking locks = yes\fR
1744 See the \fI browseable\fR.
1746 \fBbrowse list (G)\fR
1747 This controls whether \fBsmbd(8)\fRwill serve a browse list to
1748 a client doing a \fBNetServerEnum\fR call. Normally
1749 set to true. You should never need to change
1752 Default: \fBbrowse list = yes\fR
1754 \fBbrowseable (S)\fR
1755 This controls whether this share is seen in
1756 the list of available shares in a net view and in the browse list.
1758 Default: \fBbrowseable = yes\fR
1760 \fBcase sensitive (S)\fR
1761 See the discussion in the section NAME MANGLING.
1763 Default: \fBcase sensitive = no\fR
1765 \fBcasesignames (S)\fR
1769 \fBchange notify timeout (G)\fR
1770 This SMB allows a client to tell a server to
1771 "watch" a particular directory for any changes and only reply to
1772 the SMB request when a change has occurred. Such constant scanning of
1773 a directory is expensive under UNIX, hence an \fBsmbd(8)\fRdaemon only performs such a scan
1774 on each requested directory once every \fIchange notify
1777 Default: \fBchange notify timeout = 60\fR
1779 Example: \fBchange notify timeout = 300\fR
1781 Would change the scan time to every 5 minutes.
1783 \fBchange share command (G)\fR
1784 Samba 2.2.0 introduced the ability to dynamically
1785 add and delete shares via the Windows NT 4.0 Server Manager. The
1786 \fIchange share command\fR is used to define an
1787 external program or script which will modify an existing service definition
1788 in \fIsmb.conf\fR. In order to successfully
1789 execute the \fIchange share command\fR, \fBsmbd\fR
1790 requires that the administrator be connected using a root account (i.e.
1793 When executed, \fBsmbd\fR will automatically invoke the
1794 \fIchange share command\fR with four parameters.
1798 \fIconfigFile\fR - the location
1799 of the global \fIsmb.conf\fR file.
1802 \fIshareName\fR - the name of the new
1806 \fIpathName\fR - path to an **existing**
1810 \fIcomment\fR - comment string to associate
1814 This parameter is only used modify existing file shares definitions. To modify
1815 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
1818 See also \fIadd share
1819 command\fR, \fIdelete
1826 Example: \fBchange share command = /usr/local/bin/addshare\fR
1830 This is a text field that is seen next to a share
1831 when a client does a queries the server, either via the network
1832 neighborhood or via \fBnet view\fR to list what shares
1835 If you want to set the string that is displayed next to the
1836 machine name then see the \fI server string\fR parameter.
1838 Default: \fBNo comment string\fR
1840 Example: \fBcomment = Fred's Files\fR
1842 \fBconfig file (G)\fR
1843 This allows you to override the config file
1844 to use, instead of the default (usually \fIsmb.conf\fR).
1845 There is a chicken and egg problem here as this option is set
1848 For this reason, if the name of the config file has changed
1849 when the parameters are loaded then it will reload them from
1850 the new config file.
1852 This option takes the usual substitutions, which can
1855 If the config file doesn't exist then it won't be loaded
1856 (allowing you to special case the config files of just a few
1859 Example: \fBconfig file = /usr/local/samba/lib/smb.conf.%m
1862 This parameter allows you to "clone" service
1863 entries. The specified service is simply duplicated under the
1864 current service's name. Any parameters specified in the current
1865 section will override those in the section being copied.
1867 This feature lets you set up a 'template' service and
1868 create similar services easily. Note that the service being
1869 copied must occur earlier in the configuration file than the
1870 service doing the copying.
1872 Default: \fBno value\fR
1874 Example: \fBcopy = otherservice\fR
1876 \fBcreate mask (S)\fR
1877 A synonym for this parameter is
1881 When a file is created, the necessary permissions are
1882 calculated according to the mapping from DOS modes to UNIX
1883 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
1884 with this parameter. This parameter may be thought of as a bit-wise
1885 MASK for the UNIX modes of a file. Any bit \fBnot\fR
1886 set here will be removed from the modes set on a file when it is
1889 The default value of this parameter removes the
1890 \&'group' and 'other' write and execute bits from the UNIX modes.
1892 Following this Samba will bit-wise 'OR' the UNIX mode created
1893 from this parameter with the value of the \fIforce create mode\fR
1894 parameter which is set to 000 by default.
1896 This parameter does not affect directory modes. See the
1897 parameter \fIdirectory mode
1900 See also the \fIforce
1901 create mode\fR parameter for forcing particular mode
1902 bits to be set on created files. See also the \fIdirectory mode\fR parameter for masking
1903 mode bits on created directories. See also the \fIinherit permissions\fR parameter.
1905 Note that this parameter does not apply to permissions
1906 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
1907 a mask on access control lists also, they need to set the \fIsecurity mask\fR.
1909 Default: \fBcreate mask = 0744\fR
1911 Example: \fBcreate mask = 0775\fR
1913 \fBcreate mode (S)\fR
1914 This is a synonym for \fI create mask\fR.
1917 The value of the parameter (a decimal integer)
1918 represents the number of minutes of inactivity before a connection
1919 is considered dead, and it is disconnected. The deadtime only takes
1920 effect if the number of open files is zero.
1922 This is useful to stop a server's resources being
1923 exhausted by a large number of inactive connections.
1925 Most clients have an auto-reconnect feature when a
1926 connection is broken so in most cases this parameter should be
1927 transparent to users.
1929 Using this parameter with a timeout of a few minutes
1930 is recommended for most systems.
1932 A deadtime of zero indicates that no auto-disconnection
1933 should be performed.
1935 Default: \fBdeadtime = 0\fR
1937 Example: \fBdeadtime = 15\fR
1939 \fBdebug hires timestamp (G)\fR
1940 Sometimes the timestamps in the log messages
1941 are needed with a resolution of higher that seconds, this
1942 boolean parameter adds microsecond resolution to the timestamp
1943 message header when turned on.
1945 Note that the parameter \fI debug timestamp\fR must be on for this to have an
1948 Default: \fBdebug hires timestamp = no\fR
1951 When using only one log file for more then one
1952 forked smbd-process there may be hard to follow which process
1953 outputs which message. This boolean parameter is adds the process-id
1954 to the timestamp message headers in the logfile when turned on.
1956 Note that the parameter \fI debug timestamp\fR must be on for this to have an
1959 Default: \fBdebug pid = no\fR
1961 \fBdebug timestamp (G)\fR
1962 Samba 2.2 debug log messages are timestamped
1963 by default. If you are running at a high \fIdebug level\fR these timestamps
1964 can be distracting. This boolean parameter allows timestamping
1967 Default: \fBdebug timestamp = yes\fR
1970 Samba is sometimes run as root and sometime
1971 run as the connected user, this boolean parameter inserts the
1972 current euid, egid, uid and gid to the timestamp message headers
1973 in the log file if turned on.
1975 Note that the parameter \fI debug timestamp\fR must be on for this to have an
1978 Default: \fBdebug uid = no\fR
1980 \fBdebuglevel (G)\fR
1981 Synonym for \fI log level\fR.
1984 A synonym for \fI default service\fR.
1986 \fBdefault case (S)\fR
1987 See the section on NAME MANGLING. Also note the \fIshort preserve case\fR parameter.
1989 Default: \fBdefault case = lower\fR
1991 \fBdefault devmode (S)\fR
1992 This parameter is only applicable to printable services. When smbd is serving
1993 Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
1994 server has a Device Mode which defines things such as paper size and
1995 orientation and duplex settings. The device mode can only correctly be
1996 generated by the printer driver itself (which can only be executed on a
1997 Win32 platform). Because smbd is unable to execute the driver code
1998 to generate the device mode, the default behavior is to set this field
2001 Most problems with serving printer drivers to Windows NT/2k/XP clients
2002 can be traced to a problem with the generated device mode. Certain drivers
2003 will do things such as crashing the client's Explorer.exe with a NULL devmode.
2004 However, other printer drivers can cause the client's spooler service
2005 (spoolsv.exe) to die if the devmode was not created by the driver itself
2006 (i.e. smbd generates a default devmode).
2008 This parameter should be used with care and tested with the printer
2009 driver in question. It is better to leave the device mode to NULL
2010 and let the Windows client set the correct values. Because drivers do not
2011 do this all the time, setting \fBdefault devmode = yes\fR
2012 will instruct smbd to generate a default one.
2014 For more information on Windows NT/2k printing and Device Modes,
2015 see the MSDN documentation <URL:http://msdn.microsoft.com/>.
2017 Default: \fBdefault devmode = no\fR
2019 \fBdefault service (G)\fR
2020 This parameter specifies the name of a service
2021 which will be connected to if the service actually requested cannot
2022 be found. Note that the square brackets are \fBNOT\fR
2023 given in the parameter value (see example below).
2025 There is no default value for this parameter. If this
2026 parameter is not given, attempting to connect to a nonexistent
2027 service results in an error.
2029 Typically the default service would be a \fIguest ok\fR, \fIread-only\fR service.
2031 Also note that the apparent service name will be changed
2032 to equal that of the requested service, this is very useful as it
2033 allows you to use macros like \fI%S\fR to make
2036 Note also that any "_" characters in the name of the service
2037 used in the default service will get mapped to a "/". This allows for
2045 default service = pub
2053 \fBdelete printer command (G)\fR
2054 With the introduction of MS-RPC based printer
2055 support for Windows NT/2000 clients in Samba 2.2, it is now
2056 possible to delete printer at run time by issuing the
2057 DeletePrinter() RPC call.
2059 For a Samba host this means that the printer must be
2060 physically deleted from underlying printing system. The \fI deleteprinter command\fR defines a script to be run which
2061 will perform the necessary operations for removing the printer
2062 from the print system and from \fIsmb.conf\fR.
2064 The \fIdelete printer command\fR is
2065 automatically called with only one parameter: \fI "printer name"\fR.
2067 Once the \fIdelete printer command\fR has
2068 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to associated printer no longer exists.
2069 If the sharename is still valid, then \fBsmbd
2070 \fRwill return an ACCESS_DENIED error to the client.
2072 See also \fI add printer command\fR, \fIprinting\fR,
2078 Example: \fBdeleteprinter command = /usr/bin/removeprinter
2080 \fBdelete readonly (S)\fR
2081 This parameter allows readonly files to be deleted.
2082 This is not normal DOS semantics, but is allowed by UNIX.
2084 This option may be useful for running applications such
2085 as rcs, where UNIX file ownership prevents changing file
2086 permissions, and DOS semantics prevent deletion of a read only file.
2088 Default: \fBdelete readonly = no\fR
2090 \fBdelete share command (G)\fR
2091 Samba 2.2.0 introduced the ability to dynamically
2092 add and delete shares via the Windows NT 4.0 Server Manager. The
2093 \fIdelete share command\fR is used to define an
2094 external program or script which will remove an existing service
2095 definition from \fIsmb.conf\fR. In order to successfully
2096 execute the \fIdelete share command\fR, \fBsmbd\fR
2097 requires that the administrator be connected using a root account (i.e.
2100 When executed, \fBsmbd\fR will automatically invoke the
2101 \fIdelete share command\fR with two parameters.
2105 \fIconfigFile\fR - the location
2106 of the global \fIsmb.conf\fR file.
2109 \fIshareName\fR - the name of
2110 the existing service.
2113 This parameter is only used to remove file shares. To delete printer shares,
2114 see the \fIdelete printer
2118 See also \fIadd share
2119 command\fR, \fIchange
2126 Example: \fBdelete share command = /usr/local/bin/delshare\fR
2129 \fBdelete user script (G)\fR
2130 This is the full pathname to a script that will
2131 be run \fBAS ROOT\fR by \fBsmbd(8)\fRunder special circumstances
2134 Normally, a Samba server requires that UNIX users are
2135 created for all users accessing files on this server. For sites
2136 that use Windows NT account databases as their primary user database
2137 creating these users and keeping the user list in sync with the
2138 Windows NT PDC is an onerous task. This option allows \fB smbd\fR to delete the required UNIX users \fBON
2139 DEMAND\fR when a user accesses the Samba server and the
2140 Windows NT user no longer exists.
2142 In order to use this option, \fBsmbd\fR must be
2143 set to \fIsecurity = domain\fR or \fIsecurity =
2144 user\fR and \fIdelete user script\fR
2145 must be set to a full pathname for a script
2146 that will delete a UNIX user given one argument of \fI%u\fR,
2147 which expands into the UNIX user name to delete.
2149 When the Windows user attempts to access the Samba server,
2150 at \fBlogin\fR (session setup in the SMB protocol)
2151 time, \fBsmbd\fR contacts the \fIpassword server\fR and attempts to authenticate
2152 the given user with the given password. If the authentication fails
2153 with the specific Domain error code meaning that the user no longer
2154 exists then \fBsmbd\fR attempts to find a UNIX user in
2155 the UNIX password database that matches the Windows user account. If
2156 this lookup succeeds, and \fIdelete user script\fR is
2157 set then \fBsmbd\fR will all the specified script
2158 \fBAS ROOT\fR, expanding any \fI%u\fR
2159 argument to be the user name to delete.
2161 This script should delete the given UNIX username. In this way,
2162 UNIX users are dynamically deleted to match existing Windows NT
2165 See also security = domain,
2166 \fIpassword server\fR
2167 , \fIadd user script\fR
2170 Default: \fBdelete user script = <empty string>
2172 Example: \fBdelete user script = /usr/local/samba/bin/del_user
2175 \fBdelete veto files (S)\fR
2176 This option is used when Samba is attempting to
2177 delete a directory that contains one or more vetoed directories
2178 (see the \fIveto files\fR
2179 option). If this option is set to false (the default) then if a vetoed
2180 directory contains any non-vetoed files or directories then the
2181 directory delete will fail. This is usually what you want.
2183 If this option is set to true, then Samba
2184 will attempt to recursively delete any files and directories within
2185 the vetoed directory. This can be useful for integration with file
2186 serving systems such as NetAtalk which create meta-files within
2187 directories you might normally veto DOS/Windows users from seeing
2188 (e.g. \fI.AppleDouble\fR)
2190 Setting \fBdelete veto files = yes\fR allows these
2191 directories to be transparently deleted when the parent directory
2192 is deleted (so long as the user has permissions to do so).
2194 See also the \fIveto
2197 Default: \fBdelete veto files = no\fR
2199 \fBdeny hosts (S)\fR
2200 Synonym for \fIhosts
2203 \fBdfree command (G)\fR
2204 The \fIdfree command\fR setting should
2205 only be used on systems where a problem occurs with the internal
2206 disk space calculations. This has been known to happen with Ultrix,
2207 but may occur with other operating systems. The symptom that was
2208 seen was an error of "Abort Retry Ignore" at the end of each
2211 This setting allows the replacement of the internal routines to
2212 calculate the total disk space and amount available with an external
2213 routine. The example below gives a possible script that might fulfill
2216 The external program will be passed a single parameter indicating
2217 a directory in the filesystem being queried. This will typically consist
2218 of the string \fI./\fR. The script should return two
2219 integers in ASCII. The first should be the total disk space in blocks,
2220 and the second should be the number of available blocks. An optional
2221 third return value can give the block size in bytes. The default
2222 blocksize is 1024 bytes.
2224 Note: Your script should \fBNOT\fR be setuid or
2225 setgid and should be owned by (and writeable only by) root!
2227 Default: \fBBy default internal routines for
2228 determining the disk capacity and remaining space will be used.
2230 Example: \fBdfree command = /usr/local/samba/bin/dfree
2232 Where the script dfree (which must be made executable) could be:
2238 df $1 | tail -1 | awk '{print $2" "$4}'
2243 or perhaps (on Sys V based systems):
2249 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
2254 Note that you may have to replace the command names
2255 with full path names on some systems.
2261 \fBdirectory mask (S)\fR
2262 This parameter is the octal modes which are
2263 used when converting DOS modes to UNIX modes when creating UNIX
2266 When a directory is created, the necessary permissions are
2267 calculated according to the mapping from DOS modes to UNIX permissions,
2268 and the resulting UNIX mode is then bit-wise 'AND'ed with this
2269 parameter. This parameter may be thought of as a bit-wise MASK for
2270 the UNIX modes of a directory. Any bit \fBnot\fR set
2271 here will be removed from the modes set on a directory when it is
2274 The default value of this parameter removes the 'group'
2275 and 'other' write bits from the UNIX mode, allowing only the
2276 user who owns the directory to modify it.
2278 Following this Samba will bit-wise 'OR' the UNIX mode
2279 created from this parameter with the value of the \fIforce directory mode
2280 \fRparameter. This parameter is set to 000 by
2281 default (i.e. no extra mode bits are added).
2283 Note that this parameter does not apply to permissions
2284 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2285 a mask on access control lists also, they need to set the \fIdirectory security mask\fR.
2288 directory mode\fR parameter to cause particular mode
2289 bits to always be set on created directories.
2291 See also the \fIcreate mode
2292 \fRparameter for masking mode bits on created files,
2293 and the \fIdirectory
2294 security mask\fR parameter.
2296 Also refer to the \fI inherit permissions\fR parameter.
2298 Default: \fBdirectory mask = 0755\fR
2300 Example: \fBdirectory mask = 0775\fR
2302 \fBdirectory mode (S)\fR
2303 Synonym for \fI directory mask\fR
2305 \fBdirectory security mask (S)\fR
2306 This parameter controls what UNIX permission bits
2307 can be modified when a Windows NT client is manipulating the UNIX
2308 permission on a directory using the native NT security dialog
2311 This parameter is applied as a mask (AND'ed with) to
2312 the changed permission bits, thus preventing any bits not in
2313 this mask from being modified. Essentially, zero bits in this
2314 mask may be treated as a set of bits the user is not allowed
2317 If not set explicitly this parameter is set to 0777
2318 meaning a user is allowed to modify all the user/group/world
2319 permissions on a directory.
2321 \fBNote\fR that users who can access the
2322 Samba server through other means can easily bypass this restriction,
2323 so it is primarily useful for standalone "appliance" systems.
2324 Administrators of most normal systems will probably want to leave
2325 it as the default of 0777.
2327 See also the \fI force directory security mode\fR, \fIsecurity mask\fR,
2328 \fIforce security mode
2331 Default: \fBdirectory security mask = 0777\fR
2333 Example: \fBdirectory security mask = 0700\fR
2335 \fBdisable spoolss (G)\fR
2336 Enabling this parameter will disables Samba's support
2337 for the SPOOLSS set of MS-RPC's and will yield identical behavior
2338 as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
2339 Lanman style printing commands. Windows 9x/ME will be uneffected by
2340 the parameter. However, this will also disable the ability to upload
2341 printer drivers to a Samba server via the Windows NT Add Printer
2342 Wizard or by using the NT printer properties dialog window. It will
2343 also disable the capability of Windows NT/2000 clients to download
2344 print drivers from the Samba host upon demand.
2345 \fBBe very careful about enabling this parameter.\fR
2347 See also use client driver
2349 Default : \fBdisable spoolss = no\fR
2352 Specifies that nmbd(8)
2353 when acting as a WINS server and finding that a NetBIOS name has not
2354 been registered, should treat the NetBIOS name word-for-word as a DNS
2355 name and do a lookup with the DNS server for that name on behalf of
2356 the name-querying client.
2358 Note that the maximum length for a NetBIOS name is 15
2359 characters, so the DNS name (or DNS alias) can likewise only be
2360 15 characters, maximum.
2362 \fBnmbd\fR spawns a second copy of itself to do the
2363 DNS name lookup requests, as doing a name lookup is a blocking
2366 See also the parameter \fI wins support\fR.
2368 Default: \fBdns proxy = yes\fR
2370 \fBdomain admin group (G)\fR
2371 This parameter is intended as a temporary solution
2372 to enable users to be a member of the "Domain Admins" group when
2373 a Samba host is acting as a PDC. A complete solution will be provided
2374 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2375 Please note that this parameter has a somewhat confusing name. It
2376 accepts a list of usernames and of group names in standard
2377 \fIsmb.conf\fR notation.
2380 guest group\fR, \fIdomain
2383 Default: \fBno domain administrators\fR
2385 Example: \fBdomain admin group = root @wheel\fR
2387 \fBdomain guest group (G)\fR
2388 This parameter is intended as a temporary solution
2389 to enable users to be a member of the "Domain Guests" group when
2390 a Samba host is acting as a PDC. A complete solution will be provided
2391 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2392 Please note that this parameter has a somewhat confusing name. It
2393 accepts a list of usernames and of group names in standard
2394 \fIsmb.conf\fR notation.
2397 admin group\fR, \fIdomain
2400 Default: \fBno domain guests\fR
2402 Example: \fBdomain guest group = nobody @guest\fR
2404 \fBdomain logons (G)\fR
2405 If set to true, the Samba server will serve
2406 Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also
2407 has limited capability to act as a domain controller for Windows
2408 NT 4 Domains. For more details on setting up this feature see
2409 the Samba-PDC-HOWTO included in the \fIhtmldocs/\fR
2410 directory shipped with the source code.
2412 Default: \fBdomain logons = no\fR
2414 \fBdomain master (G)\fR
2415 Tell \fB nmbd(8)\fRto enable WAN-wide browse list
2416 collation. Setting this option causes \fBnmbd\fR to
2417 claim a special domain specific NetBIOS name that identifies
2418 it as a domain master browser for its given \fIworkgroup\fR. Local master browsers
2419 in the same \fIworkgroup\fR on broadcast-isolated
2420 subnets will give this \fBnmbd\fR their local browse lists,
2421 and then ask \fBsmbd(8)\fR
2422 for a complete copy of the browse list for the whole wide area
2423 network. Browser clients will then contact their local master browser,
2424 and will receive the domain-wide browse list, instead of just the list
2425 for their broadcast-isolated subnet.
2427 Note that Windows NT Primary Domain Controllers expect to be
2428 able to claim this \fIworkgroup\fR specific special
2429 NetBIOS name that identifies them as domain master browsers for
2430 that \fIworkgroup\fR by default (i.e. there is no
2431 way to prevent a Windows NT PDC from attempting to do this). This
2432 means that if this parameter is set and \fBnmbd\fR claims
2433 the special name for a \fIworkgroup\fR before a Windows
2434 NT PDC is able to do so then cross subnet browsing will behave
2435 strangely and may fail.
2437 If \fBdomain logons = yes\fR
2438 , then the default behavior is to enable the \fIdomain
2439 master\fR parameter. If \fIdomain logons\fR is
2440 not enabled (the default setting), then neither will \fIdomain
2441 master\fR be enabled by default.
2443 Default: \fBdomain master = auto\fR
2445 \fBdont descend (S)\fR
2446 There are certain directories on some systems
2447 (e.g., the \fI/proc\fR tree under Linux) that are either not
2448 of interest to clients or are infinitely deep (recursive). This
2449 parameter allows you to specify a comma-delimited list of directories
2450 that the server should always show as empty.
2452 Note that Samba can be very fussy about the exact format
2453 of the "dont descend" entries. For example you may need \fI ./proc\fR instead of just \fI/proc\fR.
2454 Experimentation is the best policy :-)
2456 Default: \fBnone (i.e., all directories are OK
2459 Example: \fBdont descend = /proc,/dev\fR
2461 \fBdos filemode (S)\fR
2462 The default behavior in Samba is to provide
2463 UNIX-like behavior where only the owner of a file/directory is
2464 able to change the permissions on it. However, this behavior
2465 is often confusing to DOS/Windows users. Enabling this parameter
2466 allows a user who has write access to the file (by whatever
2467 means) to modify the permissions on it. Note that a user
2468 belonging to the group owning the file will not be allowed to
2469 change permissions if the group is only granted read access.
2470 Ownership of the file/directory is not changed, only the permissions
2473 Default: \fBdos filemode = no\fR
2475 \fBdos filetime resolution (S)\fR
2476 Under the DOS and Windows FAT filesystem, the finest
2477 granularity on time resolution is two seconds. Setting this parameter
2478 for a share causes Samba to round the reported time down to the
2479 nearest two second boundary when a query call that requires one second
2480 resolution is made to \fBsmbd(8)\fR
2483 This option is mainly used as a compatibility option for Visual
2484 C++ when used against Samba shares. If oplocks are enabled on a
2485 share, Visual C++ uses two different time reading calls to check if a
2486 file has changed since it was last read. One of these calls uses a
2487 one-second granularity, the other uses a two second granularity. As
2488 the two second call rounds any odd second down, then if the file has a
2489 timestamp of an odd number of seconds then the two timestamps will not
2490 match and Visual C++ will keep reporting the file has changed. Setting
2491 this option causes the two timestamps to match, and Visual C++ is
2494 Default: \fBdos filetime resolution = no\fR
2496 \fBdos filetimes (S)\fR
2497 Under DOS and Windows, if a user can write to a
2498 file they can change the timestamp on it. Under POSIX semantics,
2499 only the owner of the file or root may change the timestamp. By
2500 default, Samba runs with POSIX semantics and refuses to change the
2501 timestamp on a file if the user \fBsmbd\fR is acting
2502 on behalf of is not the file owner. Setting this option to true allows DOS semantics and smbdwill change the file
2503 timestamp as DOS requires.
2505 Default: \fBdos filetimes = no\fR
2507 \fBencrypt passwords (G)\fR
2508 This boolean controls whether encrypted passwords
2509 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
2510 above and also Windows 98 will by default expect encrypted passwords
2511 unless a registry entry is changed. To use encrypted passwords in
2512 Samba see the file ENCRYPTION.txt in the Samba documentation
2513 directory \fIdocs/\fR shipped with the source code.
2515 In order for encrypted passwords to work correctly
2516 \fBsmbd(8)\fRmust either
2517 have access to a local \fIsmbpasswd(5)
2518 \fRprogram for information on how to set up
2519 and maintain this file), or set the security = [server|domain|ads] parameter which
2520 causes \fBsmbd\fR to authenticate against another
2523 Default: \fBencrypt passwords = yes\fR
2525 \fBenhanced browsing (G)\fR
2526 This option enables a couple of enhancements to
2527 cross-subnet browse propagation that have been added in Samba
2528 but which are not standard in Microsoft implementations.
2530 The first enhancement to browse propagation consists of a regular
2531 wildcard query to a Samba WINS server for all Domain Master Browsers,
2532 followed by a browse synchronization with each of the returned
2533 DMBs. The second enhancement consists of a regular randomised browse
2534 synchronization with all currently known DMBs.
2536 You may wish to disable this option if you have a problem with empty
2537 workgroups not disappearing from browse lists. Due to the restrictions
2538 of the browse protocols these enhancements can cause a empty workgroup
2539 to stay around forever which can be annoying.
2541 In general you should leave this option enabled as it makes
2542 cross-subnet browse propagation much more reliable.
2544 Default: \fBenhanced browsing = yes\fR
2546 \fBenumports command (G)\fR
2547 The concept of a "port" is fairly foreign
2548 to UNIX hosts. Under Windows NT/2000 print servers, a port
2549 is associated with a port monitor and generally takes the form of
2550 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
2551 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
2552 port defined--"Samba Printer Port". Under
2553 Windows NT/2000, all printers must have a valid port name.
2554 If you wish to have a list of ports displayed (\fBsmbd
2555 \fRdoes not use a port name for anything) other than
2556 the default "Samba Printer Port", you
2557 can define \fIenumports command\fR to point to
2558 a program which should generate a list of ports, one per line,
2559 to standard output. This listing will then be used in response
2560 to the level 1 and 2 EnumPorts() RPC.
2562 Default: \fBno enumports command\fR
2564 Example: \fBenumports command = /usr/bin/listports
2567 This is a synonym for \fIpreexec\fR.
2569 \fBfake directory create times (S)\fR
2570 NTFS and Windows VFAT file systems keep a create
2571 time for all files and directories. This is not the same as the
2572 ctime - status change time - that Unix keeps, so Samba by default
2573 reports the earliest of the various times Unix does keep. Setting
2574 this parameter for a share causes Samba to always report midnight
2575 1-1-1980 as the create time for directories.
2577 This option is mainly used as a compatibility option for
2578 Visual C++ when used against Samba shares. Visual C++ generated
2579 makefiles have the object directory as a dependency for each object
2580 file, and a make rule to create the directory. Also, when NMAKE
2581 compares timestamps it uses the creation time when examining a
2582 directory. Thus the object directory will be created if it does not
2583 exist, but once it does exist it will always have an earlier
2584 timestamp than the object files it contains.
2586 However, Unix time semantics mean that the create time
2587 reported by Samba will be updated whenever a file is created or
2588 or deleted in the directory. NMAKE finds all object files in
2589 the object directory. The timestamp of the last one built is then
2590 compared to the timestamp of the object directory. If the
2591 directory's timestamp if newer, then all object files
2592 will be rebuilt. Enabling this option
2593 ensures directories always predate their contents and an NMAKE build
2594 will proceed as expected.
2596 Default: \fBfake directory create times = no\fR
2598 \fBfake oplocks (S)\fR
2599 Oplocks are the way that SMB clients get permission
2600 from a server to locally cache file operations. If a server grants
2601 an oplock (opportunistic lock) then the client is free to assume
2602 that it is the only one accessing the file and it will aggressively
2603 cache file data. With some oplock types the client may even cache
2604 file open/close operations. This can give enormous performance benefits.
2606 When you set \fBfake oplocks = yes\fR, \fBsmbd(8)\fRwill
2607 always grant oplock requests no matter how many clients are using
2610 It is generally much better to use the real \fIoplocks\fR support rather
2611 than this parameter.
2613 If you enable this option on all read-only shares or
2614 shares that you know will only be accessed from one client at a
2615 time such as physically read-only media like CDROMs, you will see
2616 a big performance improvement on many operations. If you enable
2617 this option on shares where multiple clients may be accessing the
2618 files read-write at the same time you can get data corruption. Use
2619 this option carefully!
2621 Default: \fBfake oplocks = no\fR
2623 \fBfollow symlinks (S)\fR
2624 This parameter allows the Samba administrator
2625 to stop \fBsmbd(8)\fR
2626 from following symbolic links in a particular share. Setting this
2627 parameter to no prevents any file or directory
2628 that is a symbolic link from being followed (the user will get an
2629 error). This option is very useful to stop users from adding a
2630 symbolic link to \fI/etc/passwd\fR in their home
2631 directory for instance. However it will slow filename lookups
2634 This option is enabled (i.e. \fBsmbd\fR will
2635 follow symbolic links) by default.
2637 Default: \fBfollow symlinks = yes\fR
2639 \fBforce create mode (S)\fR
2640 This parameter specifies a set of UNIX mode bit
2641 permissions that will \fBalways\fR be set on a
2642 file created by Samba. This is done by bitwise 'OR'ing these bits onto
2643 the mode bits of a file that is being created or having its
2644 permissions changed. The default for this parameter is (in octal)
2645 000. The modes in this parameter are bitwise 'OR'ed onto the file
2646 mode after the mask set in the \fIcreate mask\fR
2647 parameter is applied.
2649 See also the parameter \fIcreate
2650 mask\fR for details on masking mode bits on files.
2652 See also the \fIinherit
2653 permissions\fR parameter.
2655 Default: \fBforce create mode = 000\fR
2657 Example: \fBforce create mode = 0755\fR
2659 would force all created files to have read and execute
2660 permissions set for 'group' and 'other' as well as the
2661 read/write/execute bits set for the 'user'.
2663 \fBforce directory mode (S)\fR
2664 This parameter specifies a set of UNIX mode bit
2665 permissions that will \fBalways\fR be set on a directory
2666 created by Samba. This is done by bitwise 'OR'ing these bits onto the
2667 mode bits of a directory that is being created. The default for this
2668 parameter is (in octal) 0000 which will not add any extra permission
2669 bits to a created directory. This operation is done after the mode
2670 mask in the parameter \fIdirectory mask\fR is
2673 See also the parameter \fI directory mask\fR for details on masking mode bits
2674 on created directories.
2676 See also the \fI inherit permissions\fR parameter.
2678 Default: \fBforce directory mode = 000\fR
2680 Example: \fBforce directory mode = 0755\fR
2682 would force all created directories to have read and execute
2683 permissions set for 'group' and 'other' as well as the
2684 read/write/execute bits set for the 'user'.
2686 \fBforce directory security mode (S)\fR
2687 This parameter controls what UNIX permission bits
2688 can be modified when a Windows NT client is manipulating the UNIX
2689 permission on a directory using the native NT security dialog box.
2691 This parameter is applied as a mask (OR'ed with) to the
2692 changed permission bits, thus forcing any bits in this mask that
2693 the user may have modified to be on. Essentially, one bits in this
2694 mask may be treated as a set of bits that, when modifying security
2695 on a directory, the user has always set to be 'on'.
2697 If not set explicitly this parameter is 000, which
2698 allows a user to modify all the user/group/world permissions on a
2699 directory without restrictions.
2701 \fBNote\fR that users who can access the
2702 Samba server through other means can easily bypass this restriction,
2703 so it is primarily useful for standalone "appliance" systems.
2704 Administrators of most normal systems will probably want to leave
2707 See also the \fI directory security mask\fR, \fIsecurity mask\fR,
2708 \fIforce security mode
2711 Default: \fBforce directory security mode = 0\fR
2713 Example: \fBforce directory security mode = 700\fR
2715 \fBforce group (S)\fR
2716 This specifies a UNIX group name that will be
2717 assigned as the default primary group for all users connecting
2718 to this service. This is useful for sharing files by ensuring
2719 that all access to files on service will use the named group for
2720 their permissions checking. Thus, by assigning permissions for this
2721 group to the files and directories within this service the Samba
2722 administrator can restrict or allow sharing of these files.
2724 In Samba 2.0.5 and above this parameter has extended
2725 functionality in the following way. If the group name listed here
2726 has a '+' character prepended to it then the current user accessing
2727 the share only has the primary group default assigned to this group
2728 if they are already assigned as a member of that group. This allows
2729 an administrator to decide that only users who are already in a
2730 particular group will create files with group ownership set to that
2731 group. This gives a finer granularity of ownership assignment. For
2732 example, the setting \fIforce group = +sys\fR means
2733 that only users who are already in group sys will have their default
2734 primary group assigned to sys when accessing this Samba share. All
2735 other users will retain their ordinary primary group.
2737 If the \fIforce user
2738 \fRparameter is also set the group specified in
2739 \fIforce group\fR will override the primary group
2740 set in \fIforce user\fR.
2745 Default: \fBno forced group\fR
2747 Example: \fBforce group = agroup\fR
2749 \fBforce security mode (S)\fR
2750 This parameter controls what UNIX permission
2751 bits can be modified when a Windows NT client is manipulating
2752 the UNIX permission on a file using the native NT security dialog
2755 This parameter is applied as a mask (OR'ed with) to the
2756 changed permission bits, thus forcing any bits in this mask that
2757 the user may have modified to be on. Essentially, one bits in this
2758 mask may be treated as a set of bits that, when modifying security
2759 on a file, the user has always set to be 'on'.
2761 If not set explicitly this parameter is set to 0,
2762 and allows a user to modify all the user/group/world permissions on a file,
2763 with no restrictions.
2765 \fBNote\fR that users who can access
2766 the Samba server through other means can easily bypass this restriction,
2767 so it is primarily useful for standalone "appliance" systems.
2768 Administrators of most normal systems will probably want to leave
2771 See also the \fI force directory security mode\fR,
2772 \fIdirectory security
2773 mask\fR, \fI security mask\fR parameters.
2775 Default: \fBforce security mode = 0\fR
2777 Example: \fBforce security mode = 700\fR
2779 \fBforce user (S)\fR
2780 This specifies a UNIX user name that will be
2781 assigned as the default user for all users connecting to this service.
2782 This is useful for sharing files. You should also use it carefully
2783 as using it incorrectly can cause security problems.
2785 This user name only gets used once a connection is established.
2786 Thus clients still need to connect as a valid user and supply a
2787 valid password. Once connected, all file operations will be performed
2788 as the "forced user", no matter what username the client connected
2789 as. This can be very useful.
2791 In Samba 2.0.5 and above this parameter also causes the
2792 primary group of the forced user to be used as the primary group
2793 for all file activity. Prior to 2.0.5 the primary group was left
2794 as the primary group of the connecting user (this was a bug).
2796 See also \fIforce group
2798 Default: \fBno forced user\fR
2800 Example: \fBforce user = auser\fR
2803 This parameter allows the administrator to
2804 configure the string that specifies the type of filesystem a share
2805 is using that is reported by \fBsmbd(8)
2806 \fRwhen a client queries the filesystem type
2807 for a share. The default type is NTFS for
2808 compatibility with Windows NT but this can be changed to other
2809 strings such as Samba or FAT
2812 Default: \fBfstype = NTFS\fR
2814 Example: \fBfstype = Samba\fR
2816 \fBgetwd cache (G)\fR
2817 This is a tuning option. When this is enabled a
2818 caching algorithm will be used to reduce the time taken for getwd()
2819 calls. This can have a significant impact on performance, especially
2820 when the \fIwide links\fR
2821 parameter is set to false.
2823 Default: \fBgetwd cache = yes\fR
2826 Synonym for \fIforce
2829 \fBguest account (S)\fR
2830 This is a username which will be used for access
2831 to services which are specified as \fI guest ok\fR (see below). Whatever privileges this
2832 user has will be available to any client connecting to the guest service.
2833 Typically this user will exist in the password file, but will not
2834 have a valid login. The user account "ftp" is often a good choice
2835 for this parameter. If a username is specified in a given service,
2836 the specified username overrides this one.
2838 One some systems the default guest account "nobody" may not
2839 be able to print. Use another account in this case. You should test
2840 this by trying to log in as your guest user (perhaps by using the
2841 \fBsu -\fR command) and trying to print using the
2842 system print command such as \fBlpr(1)\fR or \fB lp(1)\fR.
2844 Default: \fBspecified at compile time, usually
2847 Example: \fBguest account = ftp\fR
2850 If this parameter is yes for
2851 a service, then no password is required to connect to the service.
2852 Privileges will be those of the \fI guest account\fR.
2854 See the section below on \fI security\fR for more information about this option.
2856 Default: \fBguest ok = no\fR
2858 \fBguest only (S)\fR
2859 If this parameter is yes for
2860 a service, then only guest connections to the service are permitted.
2861 This parameter will have no effect if \fIguest ok\fR is not set for the service.
2863 See the section below on \fI security\fR for more information about this option.
2865 Default: \fBguest only = no\fR
2867 \fBhide dot files (S)\fR
2868 This is a boolean parameter that controls whether
2869 files starting with a dot appear as hidden files.
2871 Default: \fBhide dot files = yes\fR
2874 This is a list of files or directories that are not
2875 visible but are accessible. The DOS 'hidden' attribute is applied
2876 to any files or directories that match.
2878 Each entry in the list must be separated by a '/',
2879 which allows spaces to be included in the entry. '*'
2880 and '?' can be used to specify multiple files or directories
2881 as in DOS wildcards.
2883 Each entry must be a Unix path, not a DOS path and must
2884 not include the Unix directory separator '/'.
2886 Note that the case sensitivity option is applicable
2889 Setting this parameter will affect the performance of Samba,
2890 as it will be forced to check all files and directories for a match
2891 as they are scanned.
2894 dot files\fR, \fI veto files\fR and \fIcase sensitive\fR.
2896 Default: \fBno file are hidden\fR
2898 Example: \fBhide files =
2899 /.*/DesktopFolderDB/TrashFor%m/resource.frk/\fR
2901 The above example is based on files that the Macintosh
2902 SMB client (DAVE) available from
2903 Thursby <URL:http://www.thursby.com> creates for internal use, and also still hides
2904 all files beginning with a dot.
2906 \fBhide local users(G)\fR
2907 This parameter toggles the hiding of local UNIX
2908 users (root, wheel, floppy, etc) from remote clients.
2910 Default: \fBhide local users = no\fR
2912 \fBhide unreadable (S)\fR
2913 This parameter prevents clients from seeing the
2914 existance of files that cannot be read. Defaults to off.
2916 Default: \fBhide unreadable = no\fR
2918 \fBhomedir map (G)\fR
2920 \fRis true, and \fBsmbd(8)\fRis also acting
2921 as a Win95/98 \fIlogon server\fR then this parameter
2922 specifies the NIS (or YP) map from which the server for the user's
2923 home directory should be extracted. At present, only the Sun
2924 auto.home map format is understood. The form of the map is:
2926 \fBusername server:/some/file/system\fR
2928 and the program will extract the servername from before
2929 the first ':'. There should probably be a better parsing system
2930 that copes with different map formats and also Amd (another
2933 \fBNOTE :\fRA working NIS client is required on
2934 the system for this option to work.
2936 See also \fInis homedir\fR
2937 , \fIdomain logons\fR
2940 Default: \fBhomedir map = <empty string>\fR
2942 Example: \fBhomedir map = amd.homedir\fR
2944 \fBhost msdfs (G)\fR
2945 This boolean parameter is only available
2946 if Samba has been configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
2947 Samba will act as a Dfs server, and allow Dfs-aware clients
2948 to browse Dfs trees hosted on the server.
2950 See also the \fI msdfs root\fR share level parameter. For
2951 more information on setting up a Dfs tree on Samba,
2952 refer to msdfs_setup.html.
2954 Default: \fBhost msdfs = no\fR
2956 \fBhosts allow (S)\fR
2957 A synonym for this parameter is \fIallow
2960 This parameter is a comma, space, or tab delimited
2961 set of hosts which are permitted to access a service.
2963 If specified in the [global] section then it will
2964 apply to all services, regardless of whether the individual
2965 service has a different setting.
2967 You can specify the hosts by name or IP number. For
2968 example, you could restrict access to only the hosts on a
2969 Class C subnet with something like \fBallow hosts = 150.203.5.
2970 \fR\&. The full syntax of the list is described in the man
2971 page \fIhosts_access(5)\fR. Note that this man
2972 page may not be present on your system, so a brief description will
2975 Note that the localhost address 127.0.0.1 will always
2976 be allowed access unless specifically denied by a \fIhosts deny\fR option.
2978 You can also specify hosts by network/netmask pairs and
2979 by netgroup names if your system supports netgroups. The
2980 \fBEXCEPT\fR keyword can also be used to limit a
2981 wildcard list. The following examples may provide some help:
2983 Example 1: allow all IPs in 150.203.*.*; except one
2985 \fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR
2987 Example 2: allow hosts that match the given network/netmask
2989 \fBhosts allow = 150.203.15.0/255.255.255.0\fR
2991 Example 3: allow a couple of hosts
2993 \fBhosts allow = lapland, arvidsjaur\fR
2995 Example 4: allow only hosts in NIS netgroup "foonet", but
2996 deny access from one particular host
2998 \fBhosts allow = @foonet\fR
3000 \fBhosts deny = pirate\fR
3002 Note that access still requires suitable user-level passwords.
3004 See \fBtestparm(1)\fR
3005 for a way of testing your host access to see if it does
3008 Default: \fBnone (i.e., all hosts permitted access)
3010 Example: \fBallow hosts = 150.203.5. myhost.mynet.edu.au
3012 \fBhosts deny (S)\fR
3013 The opposite of \fIhosts allow\fR
3014 - hosts listed here are \fBNOT\fR permitted access to
3015 services unless the specific services have their own lists to override
3016 this one. Where the lists conflict, the \fIallow\fR
3017 list takes precedence.
3019 Default: \fBnone (i.e., no hosts specifically excluded)
3021 Example: \fBhosts deny = 150.203.4. badhost.mynet.edu.au
3023 \fBhosts equiv (G)\fR
3024 If this global parameter is a non-null string,
3025 it specifies the name of a file to read for the names of hosts
3026 and users who will be allowed access without specifying a password.
3028 This is not be confused with \fIhosts allow\fR which is about hosts
3029 access to services and is more useful for guest services. \fI hosts equiv\fR may be useful for NT clients which will
3030 not supply passwords to Samba.
3032 \fBNOTE :\fR The use of \fIhosts equiv
3033 \fRcan be a major security hole. This is because you are
3034 trusting the PC to supply the correct username. It is very easy to
3035 get a PC to supply a false username. I recommend that the
3036 \fIhosts equiv\fR option be only used if you really
3037 know what you are doing, or perhaps on a home network where you trust
3038 your spouse and kids. And only if you \fBreally\fR trust
3041 Default: \fBno host equivalences\fR
3043 Example: \fBhosts equiv = /etc/hosts.equiv\fR
3046 This allows you to include one config file
3047 inside another. The file is included literally, as though typed
3050 It takes the standard substitutions, except \fI%u
3051 \fR, \fI%P\fR and \fI%S\fR.
3053 Default: \fBno file included\fR
3055 Example: \fBinclude = /usr/local/samba/lib/admin_smb.conf
3057 \fBinherit permissions (S)\fR
3058 The permissions on new files and directories
3059 are normally governed by \fI create mask\fR, \fIdirectory mask\fR, \fIforce create mode\fR
3061 directory mode\fR but the boolean inherit
3062 permissions parameter overrides this.
3064 New directories inherit the mode of the parent directory,
3065 including bits such as setgid.
3067 New files inherit their read/write bits from the parent
3068 directory. Their execute bits continue to be determined by
3071 and \fImap system\fR
3074 Note that the setuid bit is \fBnever\fR set via
3075 inheritance (the code explicitly prohibits this).
3077 This can be particularly useful on large systems with
3078 many users, perhaps several thousand, to allow a single [homes]
3079 share to be used flexibly by each user.
3081 See also \fIcreate mask
3082 \fR, \fI directory mask\fR, \fIforce create mode\fR and \fIforce directory mode\fR
3085 Default: \fBinherit permissions = no\fR
3087 \fBinterfaces (G)\fR
3088 This option allows you to override the default
3089 network interfaces list that Samba will use for browsing, name
3090 registration and other NBT traffic. By default Samba will query
3091 the kernel for the list of all active interfaces and use any
3092 interfaces except 127.0.0.1 that are broadcast capable.
3094 The option takes a list of interface strings. Each string
3095 can be in any of the following forms:
3099 a network interface name (such as eth0).
3100 This may include shell-like wildcards so eth* will match
3101 any interface starting with the substring "eth"
3104 an IP address. In this case the netmask is
3105 determined from the list of interfaces obtained from the
3112 a broadcast/mask pair.
3115 The "mask" parameters can either be a bit length (such
3116 as 24 for a C class network) or a full netmask in dotted
3120 The "IP" parameters above can either be a full dotted
3121 decimal IP address or a hostname which will be looked up via
3122 the OS's normal hostname resolution mechanisms.
3125 For example, the following line:
3128 \fBinterfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
3131 would configure three network interfaces corresponding
3132 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
3133 The netmasks of the latter two interfaces would be set to 255.255.255.0.
3140 Default: \fBall active interfaces except 127.0.0.1
3141 that are broadcast capable\fR
3144 \fBinvalid users (S)\fR
3145 This is a list of users that should not be allowed
3146 to login to this service. This is really a \fBparanoid\fR
3147 check to absolutely ensure an improper setting does not breach
3150 A name starting with a '@' is interpreted as an NIS
3151 netgroup first (if your system supports NIS), and then as a UNIX
3152 group if the name was not found in the NIS netgroup database.
3154 A name starting with '+' is interpreted only
3155 by looking in the UNIX group database. A name starting with
3156 \&'&' is interpreted only by looking in the NIS netgroup database
3157 (this requires NIS to be working on your system). The characters
3158 \&'+' and '&' may be used at the start of the name in either order
3159 so the value \fI+&group\fR means check the
3160 UNIX group database, followed by the NIS netgroup database, and
3161 the value \fI&+group\fR means check the NIS
3162 netgroup database, followed by the UNIX group database (the
3163 same as the '@' prefix).
3165 The current servicename is substituted for \fI%S\fR.
3166 This is useful in the [homes] section.
3168 See also \fIvalid users
3171 Default: \fBno invalid users\fR
3173 Example: \fBinvalid users = root fred admin @wheel
3176 The value of the parameter (an integer) represents
3177 the number of seconds between \fIkeepalive\fR
3178 packets. If this parameter is zero, no keepalive packets will be
3179 sent. Keepalive packets, if sent, allow the server to tell whether
3180 a client is still present and responding.
3182 Keepalives should, in general, not be needed if the socket
3183 being used has the SO_KEEPALIVE attribute set on it (see \fIsocket options\fR).
3184 Basically you should only use this option if you strike difficulties.
3186 Default: \fBkeepalive = 300\fR
3188 Example: \fBkeepalive = 600\fR
3190 \fBkernel oplocks (G)\fR
3191 For UNIXes that support kernel based \fIoplocks\fR
3192 (currently only IRIX and the Linux 2.4 kernel), this parameter
3193 allows the use of them to be turned on or off.
3195 Kernel oplocks support allows Samba \fIoplocks
3196 \fRto be broken whenever a local UNIX process or NFS operation
3197 accesses a file that \fBsmbd(8)\fR
3198 has oplocked. This allows complete data consistency between
3199 SMB/CIFS, NFS and local file access (and is a \fBvery\fR
3202 This parameter defaults to on, but is translated
3203 to a no-op on systems that no not have the necessary kernel support.
3204 You should never need to touch this parameter.
3206 See also the \fIoplocks\fR
3207 and \fIlevel2 oplocks
3210 Default: \fBkernel oplocks = yes\fR
3212 \fBlanman auth (G)\fR
3213 This parameter determines whether or not smbdwill
3214 attempt to authenticate users using the LANMAN password hash.
3215 If disabled, only clients which support NT password hashes (e.g. Windows
3216 NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
3217 network client) will be able to connect to the Samba host.
3219 Default : \fBlanman auth = yes\fR
3221 \fBlarge readwrite (G)\fR
3222 This parameter determines whether or not smbd
3223 supports the new 64k streaming read and write varient SMB requests introduced
3224 with Windows 2000. Note that due to Windows 2000 client redirector bugs
3225 this requires Samba to be running on a 64-bit capable operating system such
3226 as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with
3227 Windows 2000 clients. Defaults to on. Not as tested as some other Samba
3230 Default : \fBlarge readwrite = yes\fR
3232 \fBldap admin dn (G)\fR
3233 This parameter is only available if Samba has been
3234 configure to include the \fB--with-ldapsam\fR option
3235 at compile time. This option should be considered experimental and
3236 under active development.
3238 The \fIldap admin dn\fR defines the Distinguished
3239 Name (DN) name used by Samba to contact the ldap
3240 server when retreiving user account information. The \fIldap
3241 admin dn\fR is used in conjunction with the admin dn password
3242 stored in the \fIprivate/secrets.tdb\fR file. See the
3243 \fBsmbpasswd(8)\fRman
3244 page for more information on how to accmplish this.
3246 Default : \fBnone\fR
3248 \fBldap filter (G)\fR
3249 This parameter is only available if Samba has been
3250 configure to include the \fB--with-ldapsam\fR option
3251 at compile time. This option should be considered experimental and
3252 under active development.
3254 This parameter specifies the RFC 2254 compliant LDAP search filter.
3255 The default is to match the login name with the uid
3256 attribute for all entries matching the sambaAccount
3257 objectclass. Note that this filter should only return one entry.
3259 Default : \fBldap filter = (&(uid=%u)(objectclass=sambaAccount))\fR
3262 This parameter is only available if Samba has been
3263 configure to include the \fB--with-ldapsam\fR option
3264 at compile time. This option should be considered experimental and
3265 under active development.
3267 This option is used to control the tcp port number used to contact
3268 the \fIldap server\fR.
3269 The default is to use the stand LDAPS port 636.
3273 Default : \fBldap port = 636\fR
3275 \fBldap server (G)\fR
3276 This parameter is only available if Samba has been
3277 configure to include the \fB--with-ldapsam\fR option
3278 at compile time. This option should be considered experimental and
3279 under active development.
3281 This parameter should contains the FQDN of the ldap directory
3282 server which should be queried to locate user account information.
3284 Default : \fBldap server = localhost\fR
3287 This parameter is only available if Samba has been
3288 configure to include the \fB--with-ldapsam\fR option
3289 at compile time. This option should be considered experimental and
3290 under active development.
3292 This option is used to define whether or not Samba should
3293 use SSL when connecting to the \fIldap
3294 server\fR. This is \fBNOT\fR related to
3295 Samba SSL support which is enabled by specifying the
3296 \fB--with-ssl\fR option to the \fIconfigure\fR
3297 script (see \fIssl\fR).
3299 The \fIldap ssl\fR can be set to one of three values:
3300 (a) on - Always use SSL when contacting the
3301 \fIldap server\fR, (b) off -
3302 Never use SSL when querying the directory, or (c) start_tls
3303 - Use the LDAPv3 StartTLS extended operation
3304 (RFC2830) for communicating with the directory server.
3306 Default : \fBldap ssl = on\fR
3308 \fBldap suffix (G)\fR
3309 This parameter is only available if Samba has been
3310 configure to include the \fB--with-ldapsam\fR option
3311 at compile time. This option should be considered experimental and
3312 under active development.
3314 Default : \fBnone\fR
3316 \fBlevel2 oplocks (S)\fR
3317 This parameter controls whether Samba supports
3318 level2 (read-only) oplocks on a share.
3320 Level2, or read-only oplocks allow Windows NT clients
3321 that have an oplock on a file to downgrade from a read-write oplock
3322 to a read-only oplock once a second client opens the file (instead
3323 of releasing all oplocks on a second open, as in traditional,
3324 exclusive oplocks). This allows all openers of the file that
3325 support level2 oplocks to cache the file for read-ahead only (ie.
3326 they may not cache writes or lock requests) and increases performance
3327 for many accesses of files that are not commonly written (such as
3328 application .EXE files).
3330 Once one of the clients which have a read-only oplock
3331 writes to the file all clients are notified (no reply is needed
3332 or waited for) and told to break their oplocks to "none" and
3333 delete any read-ahead caches.
3335 It is recommended that this parameter be turned on
3336 to speed access to shared executables.
3338 For more discussions on level2 oplocks see the CIFS spec.
3340 Currently, if \fIkernel
3341 oplocks\fR are supported then level2 oplocks are
3342 not granted (even if this parameter is set to yes).
3343 Note also, the \fIoplocks\fR
3344 parameter must be set to true on this share in order for
3345 this parameter to have any effect.
3347 See also the \fIoplocks\fR
3348 and \fIkernel oplocks\fR
3351 Default: \fBlevel2 oplocks = yes\fR
3353 \fBlm announce (G)\fR
3354 This parameter determines if \fBnmbd(8)\fRwill produce Lanman announce
3355 broadcasts that are needed by OS/2 clients in order for them to see
3356 the Samba server in their browse list. This parameter can have three
3357 values, true, false, or
3358 auto. The default is auto.
3359 If set to false Samba will never produce these
3360 broadcasts. If set to true Samba will produce
3361 Lanman announce broadcasts at a frequency set by the parameter
3362 \fIlm interval\fR. If set to auto
3363 Samba will not send Lanman announce broadcasts by default but will
3364 listen for them. If it hears such a broadcast on the wire it will
3365 then start sending them at a frequency set by the parameter
3368 See also \fIlm interval
3371 Default: \fBlm announce = auto\fR
3373 Example: \fBlm announce = yes\fR
3375 \fBlm interval (G)\fR
3376 If Samba is set to produce Lanman announce
3377 broadcasts needed by OS/2 clients (see the \fIlm announce\fR parameter) then this
3378 parameter defines the frequency in seconds with which they will be
3379 made. If this is set to zero then no Lanman announcements will be
3380 made despite the setting of the \fIlm announce\fR
3386 Default: \fBlm interval = 60\fR
3388 Example: \fBlm interval = 120\fR
3390 \fBload printers (G)\fR
3391 A boolean variable that controls whether all
3392 printers in the printcap will be loaded for browsing by default.
3393 See the printers section for
3396 Default: \fBload printers = yes\fR
3398 \fBlocal master (G)\fR
3399 This option allows \fB nmbd(8)\fRto try and become a local master browser
3400 on a subnet. If set to false then \fB nmbd\fR will not attempt to become a local master browser
3401 on a subnet and will also lose in all browsing elections. By
3402 default this value is set to true. Setting this value to true doesn't
3403 mean that Samba will \fBbecome\fR the local master
3404 browser on a subnet, just that \fBnmbd\fR will \fB participate\fR in elections for local master browser.
3406 Setting this value to false will cause \fBnmbd\fR
3407 \fBnever\fR to become a local master browser.
3409 Default: \fBlocal master = yes\fR
3412 Synonym for \fI lock directory\fR.
3414 \fBlock directory (G)\fR
3415 This option specifies the directory where lock
3416 files will be placed. The lock files are used to implement the
3417 \fImax connections\fR
3420 Default: \fBlock directory = ${prefix}/var/locks\fR
3422 Example: \fBlock directory = /var/run/samba/locks\fR
3425 This controls whether or not locking will be
3426 performed by the server in response to lock requests from the
3429 If \fBlocking = no\fR, all lock and unlock
3430 requests will appear to succeed and all lock queries will report
3431 that the file in question is available for locking.
3433 If \fBlocking = yes\fR, real locking will be performed
3436 This option \fBmay\fR be useful for read-only
3437 filesystems which \fBmay\fR not need locking (such as
3438 CDROM drives), although setting this parameter of no
3439 is not really recommended even in this case.
3441 Be careful about disabling locking either globally or in a
3442 specific service, as lack of locking may result in data corruption.
3443 You should never need to set this parameter.
3445 Default: \fBlocking = yes\fR
3448 This option allows you to override the name
3449 of the Samba log file (also known as the debug file).
3451 This option takes the standard substitutions, allowing
3452 you to have separate log files for each user or machine.
3454 Example: \fBlog file = /usr/local/samba/var/log.%m
3457 The value of the parameter (an integer) allows
3458 the debug level (logging level) to be specified in the
3459 \fIsmb.conf\fR file. This is to give greater
3460 flexibility in the configuration of the system.
3462 The default will be the log level specified on
3463 the command line or level zero if none was specified.
3465 Example: \fBlog level = 3\fR
3467 \fBlogon drive (G)\fR
3468 This parameter specifies the local path to
3469 which the home directory will be connected (see \fIlogon home\fR)
3470 and is only used by NT Workstations.
3472 Note that this option is only useful if Samba is set up as a
3475 Default: \fBlogon drive = z:\fR
3477 Example: \fBlogon drive = h:\fR
3479 \fBlogon home (G)\fR
3480 This parameter specifies the home directory
3481 location when a Win95/98 or NT Workstation logs into a Samba PDC.
3484 C:\\> \fBNET USE H: /HOME\fR
3486 from a command prompt, for example.
3488 This option takes the standard substitutions, allowing
3489 you to have separate logon scripts for each user or machine.
3491 This parameter can be used with Win9X workstations to ensure
3492 that roaming profiles are stored in a subdirectory of the user's
3493 home directory. This is done in the following way:
3495 \fBlogon home = \\\\%N\\%U\\profile\fR
3497 This tells Samba to return the above string, with
3498 substitutions made when a client requests the info, generally
3499 in a NetUserGetInfo request. Win9X clients truncate the info to
3500 \\\\server\\share when a user does \fBnet use /home\fR
3501 but use the whole string when dealing with profiles.
3503 Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than
3504 \fIlogon home\fR. This broke \fBnet use
3505 /home\fR but allowed profiles outside the home directory.
3506 The current implementation is correct, and can be used for
3507 profiles if you use the above trick.
3509 This option is only useful if Samba is set up as a logon
3512 Default: \fBlogon home = "\\\\%N\\%U"\fR
3514 Example: \fBlogon home = "\\\\remote_smb_server\\%U"\fR
3516 \fBlogon path (G)\fR
3517 This parameter specifies the home directory
3518 where roaming profiles (NTuser.dat etc files for Windows NT) are
3519 stored. Contrary to previous versions of these manual pages, it has
3520 nothing to do with Win 9X roaming profiles. To find out how to
3521 handle roaming profiles for Win 9X system, see the \fIlogon home\fR parameter.
3523 This option takes the standard substitutions, allowing you
3524 to have separate logon scripts for each user or machine. It also
3525 specifies the directory from which the "Application Data",
3526 (\fIdesktop\fR, \fIstart menu\fR,
3527 \fInetwork neighborhood\fR, \fIprograms\fR
3528 and other folders, and their contents, are loaded and displayed on
3529 your Windows NT client.
3531 The share and the path must be readable by the user for
3532 the preferences and directories to be loaded onto the Windows NT
3533 client. The share must be writeable when the user logs in for the first
3534 time, in order that the Windows NT client can create the NTuser.dat
3535 and other directories.
3537 Thereafter, the directories and any of the contents can,
3538 if required, be made read-only. It is not advisable that the
3539 NTuser.dat file be made read-only - rename it to NTuser.man to
3540 achieve the desired effect (a \fBMAN\fRdatory
3543 Windows clients can sometimes maintain a connection to
3544 the [homes] share, even though there is no user logged in.
3545 Therefore, it is vital that the logon path does not include a
3546 reference to the homes share (i.e. setting this parameter to
3547 \\%N\\%U\\profile_path will cause problems).
3549 This option takes the standard substitutions, allowing
3550 you to have separate logon scripts for each user or machine.
3552 Note that this option is only useful if Samba is set up
3555 Default: \fBlogon path = \\\\%N\\%U\\profile\fR
3557 Example: \fBlogon path = \\\\PROFILESERVER\\PROFILE\\%U\fR
3559 \fBlogon script (G)\fR
3560 This parameter specifies the batch file (.bat) or
3561 NT command file (.cmd) to be downloaded and run on a machine when
3562 a user successfully logs in. The file must contain the DOS
3563 style CR/LF line endings. Using a DOS-style editor to create the
3564 file is recommended.
3566 The script must be a relative path to the [netlogon]
3567 service. If the [netlogon] service specifies a \fIpath\fR of \fI/usr/local/samba/netlogon
3568 \fR, and \fBlogon script = STARTUP.BAT\fR, then
3569 the file that will be downloaded is:
3571 \fI/usr/local/samba/netlogon/STARTUP.BAT\fR
3573 The contents of the batch file are entirely your choice. A
3574 suggested command would be to add \fBNET TIME \\\\SERVER /SET
3575 /YES\fR, to force every machine to synchronize clocks with
3576 the same time server. Another use would be to add \fBNET USE
3577 U: \\\\SERVER\\UTILS\fR for commonly used utilities, or \fB NET USE Q: \\\\SERVER\\ISO9001_QA\fR for example.
3579 Note that it is particularly important not to allow write
3580 access to the [netlogon] share, or to grant users write permission
3581 on the batch files in a secure environment, as this would allow
3582 the batch files to be arbitrarily modified and security to be
3585 This option takes the standard substitutions, allowing you
3586 to have separate logon scripts for each user or machine.
3588 This option is only useful if Samba is set up as a logon
3591 Default: \fBno logon script defined\fR
3593 Example: \fBlogon script = scripts\\%U.bat\fR
3595 \fBlppause command (S)\fR
3596 This parameter specifies the command to be
3597 executed on the server host in order to stop printing or spooling
3598 a specific print job.
3600 This command should be a program or script which takes
3601 a printer name and job number to pause the print job. One way
3602 of implementing this is by using job priorities, where jobs
3603 having a too low priority won't be sent to the printer.
3605 If a \fI%p\fR is given then the printer name
3606 is put in its place. A \fI%j\fR is replaced with
3607 the job number (an integer). On HPUX (see \fIprinting=hpux
3608 \fR), if the \fI-p%p\fR option is added
3609 to the lpq command, the job will show up with the correct status, i.e.
3610 if the job priority is lower than the set fence priority it will
3611 have the PAUSED status, whereas if the priority is equal or higher it
3612 will have the SPOOLED or PRINTING status.
3614 Note that it is good practice to include the absolute path
3615 in the lppause command as the PATH may not be available to the server.
3617 See also the \fIprinting
3620 Default: Currently no default value is given to
3621 this string, unless the value of the \fIprinting\fR
3622 parameter is SYSV, in which case the default is :
3624 \fBlp -i %p-%j -H hold\fR
3626 or if the value of the \fIprinting\fR parameter
3627 is SOFTQ, then the default is:
3629 \fBqstat -s -j%j -h\fR
3631 Example for HPUX: \fBlppause command = /usr/bin/lpalt
3634 \fBlpq cache time (G)\fR
3635 This controls how long lpq info will be cached
3636 for to prevent the \fBlpq\fR command being called too
3637 often. A separate cache is kept for each variation of the \fB lpq\fR command used by the system, so if you use different
3638 \fBlpq\fR commands for different users then they won't
3639 share cache information.
3641 The cache files are stored in \fI/tmp/lpq.xxxx\fR
3642 where xxxx is a hash of the \fBlpq\fR command in use.
3644 The default is 10 seconds, meaning that the cached results
3645 of a previous identical \fBlpq\fR command will be used
3646 if the cached data is less than 10 seconds old. A large value may
3647 be advisable if your \fBlpq\fR command is very slow.
3649 A value of 0 will disable caching completely.
3651 See also the \fIprinting
3654 Default: \fBlpq cache time = 10\fR
3656 Example: \fBlpq cache time = 30\fR
3658 \fBlpq command (S)\fR
3659 This parameter specifies the command to be
3660 executed on the server host in order to obtain \fBlpq
3661 \fR-style printer status information.
3663 This command should be a program or script which
3664 takes a printer name as its only parameter and outputs printer
3667 Currently eight styles of printer status information
3668 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ.
3669 This covers most UNIX systems. You control which type is expected
3670 using the \fIprinting =\fR option.
3672 Some clients (notably Windows for Workgroups) may not
3673 correctly send the connection number for the printer they are
3674 requesting status information about. To get around this, the
3675 server reports on the first printer service connected to by the
3676 client. This only happens if the connection number sent is invalid.
3678 If a \fI%p\fR is given then the printer name
3679 is put in its place. Otherwise it is placed at the end of the
3682 Note that it is good practice to include the absolute path
3683 in the \fIlpq command\fR as the \fB$PATH
3684 \fRmay not be available to the server.
3686 See also the \fIprinting
3689 Default: \fBdepends on the setting of \fI printing\fB\fR
3691 Example: \fBlpq command = /usr/bin/lpq -P%p\fR
3693 \fBlpresume command (S)\fR
3694 This parameter specifies the command to be
3695 executed on the server host in order to restart or continue
3696 printing or spooling a specific print job.
3698 This command should be a program or script which takes
3699 a printer name and job number to resume the print job. See
3700 also the \fIlppause command
3703 If a \fI%p\fR is given then the printer name
3704 is put in its place. A \fI%j\fR is replaced with
3705 the job number (an integer).
3707 Note that it is good practice to include the absolute path
3708 in the \fIlpresume command\fR as the PATH may not
3709 be available to the server.
3711 See also the \fIprinting
3714 Default: Currently no default value is given
3715 to this string, unless the value of the \fIprinting\fR
3716 parameter is SYSV, in which case the default is :
3718 \fBlp -i %p-%j -H resume\fR
3720 or if the value of the \fIprinting\fR parameter
3721 is SOFTQ, then the default is:
3723 \fBqstat -s -j%j -r\fR
3725 Example for HPUX: \fBlpresume command = /usr/bin/lpalt
3728 \fBlprm command (S)\fR
3729 This parameter specifies the command to be
3730 executed on the server host in order to delete a print job.
3732 This command should be a program or script which takes
3733 a printer name and job number, and deletes the print job.
3735 If a \fI%p\fR is given then the printer name
3736 is put in its place. A \fI%j\fR is replaced with
3737 the job number (an integer).
3739 Note that it is good practice to include the absolute
3740 path in the \fIlprm command\fR as the PATH may not be
3741 available to the server.
3743 See also the \fIprinting
3746 Default: \fBdepends on the setting of \fIprinting
3748 Example 1: \fBlprm command = /usr/bin/lprm -P%p %j
3750 Example 2: \fBlprm command = /usr/bin/cancel %p-%j
3752 \fBmachine password timeout (G)\fR
3753 If a Samba server is a member of a Windows
3754 NT Domain (see the security = domain)
3755 parameter) then periodically a running smbd(8)process will try and change the MACHINE ACCOUNT
3756 PASSWORD stored in the TDB called \fIprivate/secrets.tdb
3757 \fR\&. This parameter specifies how often this password
3758 will be changed, in seconds. The default is one week (expressed in
3759 seconds), the same as a Windows NT Domain member server.
3761 See also \fBsmbpasswd(8)
3762 \fR, and the security = domain) parameter.
3764 Default: \fBmachine password timeout = 604800\fR
3766 \fBmagic output (S)\fR
3767 This parameter specifies the name of a file
3768 which will contain output created by a magic script (see the
3772 Warning: If two clients use the same \fImagic script
3773 \fRin the same directory the output file content
3776 Default: \fBmagic output = <magic script name>.out
3778 Example: \fBmagic output = myfile.txt\fR
3780 \fBmagic script (S)\fR
3781 This parameter specifies the name of a file which,
3782 if opened, will be executed by the server when the file is closed.
3783 This allows a UNIX script to be sent to the Samba host and
3784 executed on behalf of the connected user.
3786 Scripts executed in this way will be deleted upon
3787 completion assuming that the user has the appropriate level
3788 of privilege and the file permissions allow the deletion.
3790 If the script generates output, output will be sent to
3791 the file specified by the \fI magic output\fR parameter (see above).
3793 Note that some shells are unable to interpret scripts
3794 containing CR/LF instead of CR as
3795 the end-of-line marker. Magic scripts must be executable
3796 \fBas is\fR on the host, which for some hosts and
3797 some shells will require filtering at the DOS end.
3799 Magic scripts are \fBEXPERIMENTAL\fR and
3800 should \fBNOT\fR be relied upon.
3802 Default: \fBNone. Magic scripts disabled.\fR
3804 Example: \fBmagic script = user.csh\fR
3806 \fBmangle case (S)\fR
3807 See the section on NAME MANGLING
3809 Default: \fBmangle case = no\fR
3811 \fBmangled map (S)\fR
3812 This is for those who want to directly map UNIX
3813 file names which cannot be represented on Windows/DOS. The mangling
3814 of names is not always what is needed. In particular you may have
3815 documents with file extensions that differ between DOS and UNIX.
3816 For example, under UNIX it is common to use \fI.html\fR
3817 for HTML files, whereas under Windows/DOS \fI.htm\fR
3818 is more commonly used.
3820 So to map \fIhtml\fR to \fIhtm\fR
3823 \fBmangled map = (*.html *.htm)\fR
3825 One very useful case is to remove the annoying \fI;1
3826 \fRoff the ends of filenames on some CDROMs (only visible
3827 under some UNIXes). To do this use a map of (*;1 *;).
3829 Default: \fBno mangled map\fR
3831 Example: \fBmangled map = (*;1 *;)\fR
3833 \fBmangled names (S)\fR
3834 This controls whether non-DOS names under UNIX
3835 should be mapped to DOS-compatible names ("mangled") and made visible,
3836 or whether non-DOS names should simply be ignored.
3838 See the section on NAME MANGLING for details on how to control the mangling process.
3840 If mangling is used then the mangling algorithm is as follows:
3844 The first (up to) five alphanumeric characters
3845 before the rightmost dot of the filename are preserved, forced
3846 to upper case, and appear as the first (up to) five characters
3847 of the mangled name.
3850 A tilde "~" is appended to the first part of the mangled
3851 name, followed by a two-character unique sequence, based on the
3852 original root name (i.e., the original filename minus its final
3853 extension). The final extension is included in the hash calculation
3854 only if it contains any upper case characters or is longer than three
3857 Note that the character to use may be specified using
3858 the \fImangling char\fR
3859 option, if you don't like '~'.
3862 The first three alphanumeric characters of the final
3863 extension are preserved, forced to upper case and appear as the
3864 extension of the mangled name. The final extension is defined as that
3865 part of the original filename after the rightmost dot. If there are no
3866 dots in the filename, the mangled name will have no extension (except
3867 in the case of "hidden files" - see below).
3870 Files whose UNIX name begins with a dot will be
3871 presented as DOS hidden files. The mangled name will be created as
3872 for other filenames, but with the leading dot removed and "___" as
3873 its extension regardless of actual original extension (that's three
3877 The two-digit hash value consists of upper case
3878 alphanumeric characters.
3881 This algorithm can cause name collisions only if files
3882 in a directory share the same first five alphanumeric characters.
3883 The probability of such a clash is 1/1300.
3886 The name mangling (if enabled) allows a file to be
3887 copied between UNIX directories from Windows/DOS while retaining
3888 the long UNIX filename. UNIX files can be renamed to a new extension
3889 from Windows/DOS and will retain the same basename. Mangled names
3890 do not change between sessions.
3893 Default: \fBmangled names = yes\fR
3896 \fBmangled stack (G)\fR
3897 This parameter controls the number of mangled names
3898 that should be cached in the Samba server smbd(8).
3900 This stack is a list of recently mangled base names
3901 (extensions are only maintained if they are longer than 3 characters
3902 or contains upper case characters).
3904 The larger this value, the more likely it is that mangled
3905 names can be successfully converted to correct long UNIX names.
3906 However, large stack sizes will slow most directory accesses. Smaller
3907 stacks save memory in the server (each stack element costs 256 bytes).
3909 It is not possible to absolutely guarantee correct long
3910 filenames, so be prepared for some surprises!
3912 Default: \fBmangled stack = 50\fR
3914 Example: \fBmangled stack = 100\fR
3916 \fBmangling char (S)\fR
3917 This controls what character is used as
3918 the \fBmagic\fR character in name mangling. The default is a '~'
3919 but this may interfere with some software. Use this option to set
3920 it to whatever you prefer.
3922 Default: \fBmangling char = ~\fR
3924 Example: \fBmangling char = ^\fR
3926 \fBmap archive (S)\fR
3927 This controls whether the DOS archive attribute
3928 should be mapped to the UNIX owner execute bit. The DOS archive bit
3929 is set when a file has been modified since its last backup. One
3930 motivation for this option it to keep Samba/your PC from making
3931 any file it touches from becoming executable under UNIX. This can
3932 be quite annoying for shared source code, documents, etc...
3934 Note that this requires the \fIcreate mask\fR
3935 parameter to be set such that owner execute bit is not masked out
3936 (i.e. it must include 100). See the parameter \fIcreate mask\fR for details.
3938 Default: \fBmap archive = yes\fR
3940 \fBmap hidden (S)\fR
3941 This controls whether DOS style hidden files
3942 should be mapped to the UNIX world execute bit.
3944 Note that this requires the \fIcreate mask\fR
3945 to be set such that the world execute bit is not masked out (i.e.
3946 it must include 001). See the parameter \fIcreate mask\fR for details.
3948 Default: \fBmap hidden = no\fR
3950 \fBmap system (S)\fR
3951 This controls whether DOS style system files
3952 should be mapped to the UNIX group execute bit.
3954 Note that this requires the \fIcreate mask\fR
3955 to be set such that the group execute bit is not masked out (i.e.
3956 it must include 010). See the parameter \fIcreate mask\fR for details.
3958 Default: \fBmap system = no\fR
3960 \fBmap to guest (G)\fR
3961 This parameter is only useful in security modes other than \fIsecurity = share\fR
3962 - i.e. user, server,
3965 This parameter can take three different values, which tell
3966 smbd(8)what to do with user
3967 login requests that don't match a valid UNIX user in some way.
3969 The three settings are :
3973 Never - Means user login
3974 requests with an invalid password are rejected. This is the
3978 Bad User - Means user
3979 logins with an invalid password are rejected, unless the username
3980 does not exist, in which case it is treated as a guest login and
3981 mapped into the \fI guest account\fR.
3984 Bad Password - Means user logins
3985 with an invalid password are treated as a guest login and mapped
3986 into the guest account. Note that
3987 this can cause problems as it means that any user incorrectly typing
3988 their password will be silently logged on as "guest" - and
3989 will not know the reason they cannot access files they think
3990 they should - there will have been no message given to them
3991 that they got their password wrong. Helpdesk services will
3992 \fBhate\fR you if you set the \fImap to
3993 guest\fR parameter this way :-).
3996 Note that this parameter is needed to set up "Guest"
3997 share services when using \fIsecurity\fR modes other than
3998 share. This is because in these modes the name of the resource being
3999 requested is \fBnot\fR sent to the server until after
4000 the server has successfully authenticated the client so the server
4001 cannot make authentication decisions at the correct time (connection
4002 to the share) for "Guest" shares.
4005 For people familiar with the older Samba releases, this
4006 parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.
4009 Default: \fBmap to guest = Never\fR
4012 Example: \fBmap to guest = Bad User\fR
4015 \fBmax connections (S)\fR
4016 This option allows the number of simultaneous
4017 connections to a service to be limited. If \fImax connections
4018 \fRis greater than 0 then connections will be refused if
4019 this number of connections to the service are already open. A value
4020 of zero mean an unlimited number of connections may be made.
4022 Record lock files are used to implement this feature. The
4023 lock files will be stored in the directory specified by the \fIlock directory\fR
4026 Default: \fBmax connections = 0\fR
4028 Example: \fBmax connections = 10\fR
4030 \fBmax disk size (G)\fR
4031 This option allows you to put an upper limit
4032 on the apparent size of disks. If you set this option to 100
4033 then all shares will appear to be not larger than 100 MB in
4036 Note that this option does not limit the amount of
4037 data you can put on the disk. In the above case you could still
4038 store much more than 100 MB on the disk, but if a client ever asks
4039 for the amount of free disk space or the total disk size then the
4040 result will be bounded by the amount specified in \fImax
4043 This option is primarily useful to work around bugs
4044 in some pieces of software that can't handle very large disks,
4045 particularly disks over 1GB in size.
4047 A \fImax disk size\fR of 0 means no limit.
4049 Default: \fBmax disk size = 0\fR
4051 Example: \fBmax disk size = 1000\fR
4053 \fBmax log size (G)\fR
4054 This option (an integer in kilobytes) specifies
4055 the max size the log file should grow to. Samba periodically checks
4056 the size and if it is exceeded it will rename the file, adding
4057 a \fI.old\fR extension.
4059 A size of 0 means no limit.
4061 Default: \fBmax log size = 5000\fR
4063 Example: \fBmax log size = 1000\fR
4066 This option controls the maximum number of
4067 outstanding simultaneous SMB operations that Samba tells the client
4068 it will allow. You should never need to set this parameter.
4070 Default: \fBmax mux = 50\fR
4072 \fBmax open files (G)\fR
4073 This parameter limits the maximum number of
4074 open files that one smbd(8)file
4075 serving process may have open for a client at any one time. The
4076 default for this parameter is set very high (10,000) as Samba uses
4077 only one bit per unopened file.
4079 The limit of the number of open files is usually set
4080 by the UNIX per-process file descriptor limit rather than
4081 this parameter so you should never need to touch this parameter.
4083 Default: \fBmax open files = 10000\fR
4085 \fBmax print jobs (S)\fR
4086 This parameter limits the maximum number of
4087 jobs allowable in a Samba printer queue at any given moment.
4088 If this number is exceeded, \fB smbd(8)\fRwill remote "Out of Space" to the client.
4092 Default: \fBmax print jobs = 1000\fR
4094 Example: \fBmax print jobs = 5000\fR
4096 \fBmax protocol (G)\fR
4097 The value of the parameter (a string) is the highest
4098 protocol level that will be supported by the server.
4100 Possible values are :
4104 CORE: Earliest version. No
4105 concept of user names.
4108 COREPLUS: Slight improvements on
4109 CORE for efficiency.
4112 LANMAN1: First \fB modern\fR version of the protocol. Long filename
4116 LANMAN2: Updates to Lanman1 protocol.
4119 NT1: Current up to date version of
4120 the protocol. Used by Windows NT. Known as CIFS.
4123 Normally this option should not be set as the automatic
4124 negotiation phase in the SMB protocol takes care of choosing
4125 the appropriate protocol.
4132 Default: \fBmax protocol = NT1\fR
4135 Example: \fBmax protocol = LANMAN1\fR
4138 \fBmax smbd processes (G)\fR
4139 This parameter limits the maximum number of
4141 processes concurrently running on a system and is intended
4142 as a stopgap to prevent degrading service to clients in the event
4143 that the server has insufficient resources to handle more than this
4144 number of connections. Remember that under normal operating
4145 conditions, each user will have an smbdassociated with him or her
4146 to handle connections to all shares from a given host.
4148 Default: \fBmax smbd processes = 0\fR ## no limit
4150 Example: \fBmax smbd processes = 1000\fR
4153 This option tells nmbd(8)
4154 what the default 'time to live' of NetBIOS names should be (in seconds)
4155 when \fBnmbd\fR is requesting a name using either a
4156 broadcast packet or from a WINS server. You should never need to
4157 change this parameter. The default is 3 days.
4159 Default: \fBmax ttl = 259200\fR
4161 \fBmax wins ttl (G)\fR
4162 This option tells nmbd(8)
4163 when acting as a WINS server ( \fIwins support = yes\fR) what the maximum
4164 \&'time to live' of NetBIOS names that \fBnmbd\fR
4165 will grant will be (in seconds). You should never need to change this
4166 parameter. The default is 6 days (518400 seconds).
4169 wins ttl\fR parameter.
4171 Default: \fBmax wins ttl = 518400\fR
4174 This option controls the maximum packet size
4175 that will be negotiated by Samba. The default is 65535, which
4176 is the maximum. In some cases you may find you get better performance
4177 with a smaller value. A value below 2048 is likely to cause problems.
4179 Default: \fBmax xmit = 65535\fR
4181 Example: \fBmax xmit = 8192\fR
4183 \fBmessage command (G)\fR
4184 This specifies what command to run when the
4185 server receives a WinPopup style message.
4187 This would normally be a command that would
4188 deliver the message somehow. How this is to be done is
4189 up to your imagination.
4193 \fBmessage command = csh -c 'xedit %s;rm %s' &\fR
4195 This delivers the message using \fBxedit\fR, then
4196 removes it afterwards. \fBNOTE THAT IT IS VERY IMPORTANT
4197 THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I
4198 have the '&' on the end. If it doesn't return immediately then
4199 your PCs may freeze when sending messages (they should recover
4200 after 30 seconds, hopefully).
4202 All messages are delivered as the global guest user.
4203 The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better
4206 Apart from the standard substitutions, some additional
4207 ones apply. In particular:
4211 \fI%s\fR = the filename containing
4215 \fI%t\fR = the destination that
4216 the message was sent to (probably the server name).
4219 \fI%f\fR = who the message
4223 You could make this command send mail, or whatever else
4224 takes your fancy. Please let us know of any really interesting
4228 Here's a way of sending the messages as mail to root:
4231 \fBmessage command = /bin/mail -s 'message from %f on
4232 %m' root < %s; rm %s\fR
4235 If you don't have a message command then the message
4236 won't be delivered and Samba will tell the sender there was
4237 an error. Unfortunately WfWg totally ignores the error code
4238 and carries on regardless, saying that the message was delivered.
4241 If you want to silently delete it then try:
4244 \fBmessage command = rm %s\fR
4247 Default: \fBno message command\fR
4250 Example: \fBmessage command = csh -c 'xedit %s;
4254 \fBmin passwd length (G)\fR
4255 Synonym for \fImin password length\fR.
4257 \fBmin password length (G)\fR
4258 This option sets the minimum length in characters
4259 of a plaintext password that \fBsmbd\fR will accept when performing
4260 UNIX password changing.
4263 password sync\fR, \fIpasswd program\fR and \fIpasswd chat debug\fR
4266 Default: \fBmin password length = 5\fR
4268 \fBmin print space (S)\fR
4269 This sets the minimum amount of free disk
4270 space that must be available before a user will be able to spool
4271 a print job. It is specified in kilobytes. The default is 0, which
4272 means a user can always spool a print job.
4274 See also the \fIprinting
4277 Default: \fBmin print space = 0\fR
4279 Example: \fBmin print space = 2000\fR
4281 \fBmin protocol (G)\fR
4282 The value of the parameter (a string) is the
4283 lowest SMB protocol dialect than Samba will support. Please refer
4284 to the \fImax protocol\fR
4285 parameter for a list of valid protocol names and a brief description
4286 of each. You may also wish to refer to the C source code in
4287 \fIsource/smbd/negprot.c\fR for a listing of known protocol
4288 dialects supported by clients.
4290 If you are viewing this parameter as a security measure, you should
4291 also refer to the \fIlanman
4292 auth\fR parameter. Otherwise, you should never need
4293 to change this parameter.
4295 Default : \fBmin protocol = CORE\fR
4297 Example : \fBmin protocol = NT1\fR # disable DOS
4300 \fBmin wins ttl (G)\fR
4301 This option tells nmbd(8)
4302 when acting as a WINS server (\fI wins support = yes\fR) what the minimum 'time to live'
4303 of NetBIOS names that \fBnmbd\fR will grant will be (in
4304 seconds). You should never need to change this parameter. The default
4305 is 6 hours (21600 seconds).
4307 Default: \fBmin wins ttl = 21600\fR
4309 \fBmsdfs root (S)\fR
4310 This boolean parameter is only available if
4311 Samba is configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
4312 Samba treats the share as a Dfs root and allows clients to browse
4313 the distributed file system tree rooted at the share directory.
4314 Dfs links are specified in the share directory by symbolic
4315 links of the form \fImsdfs:serverA\\shareA,serverB\\shareB
4316 \fRand so on. For more information on setting up a Dfs tree
4317 on Samba, refer to msdfs_setup.html
4320 See also \fIhost msdfs
4322 Default: \fBmsdfs root = no\fR
4324 \fBname resolve order (G)\fR
4325 This option is used by the programs in the Samba
4326 suite to determine what naming services to use and in what order
4327 to resolve host names to IP addresses. The option takes a space
4328 separated string of name resolution options.
4330 The options are :"lmhosts", "host", "wins" and "bcast". They
4331 cause names to be resolved as follows :
4335 lmhosts : Lookup an IP
4336 address in the Samba lmhosts file. If the line in lmhosts has
4337 no name type attached to the NetBIOS name (see the lmhosts(5)for details) then
4338 any name type matches for lookup.
4341 host : Do a standard host
4342 name to IP address resolution, using the system \fI/etc/hosts
4343 \fR, NIS, or DNS lookups. This method of name resolution
4344 is operating system depended for instance on IRIX or Solaris this
4345 may be controlled by the \fI/etc/nsswitch.conf\fR
4346 file. Note that this method is only used if the NetBIOS name
4347 type being queried is the 0x20 (server) name type, otherwise
4351 wins : Query a name with
4352 the IP address listed in the \fI wins server\fR parameter. If no WINS server has
4353 been specified this method will be ignored.
4356 bcast : Do a broadcast on
4357 each of the known local interfaces listed in the \fIinterfaces\fR
4358 parameter. This is the least reliable of the name resolution
4359 methods as it depends on the target host being on a locally
4363 Default: \fBname resolve order = lmhosts host wins bcast
4366 Example: \fBname resolve order = lmhosts bcast host
4369 This will cause the local lmhosts file to be examined
4370 first, followed by a broadcast attempt, followed by a normal
4371 system hostname lookup.
4374 \fBnetbios aliases (G)\fR
4375 This is a list of NetBIOS names that nmbd(8)will advertise as additional
4376 names by which the Samba server is known. This allows one machine
4377 to appear in browse lists under multiple names. If a machine is
4378 acting as a browse server or logon server none
4379 of these names will be advertised as either browse server or logon
4380 servers, only the primary name of the machine will be advertised
4381 with these capabilities.
4386 Default: \fBempty string (no additional names)\fR
4388 Example: \fBnetbios aliases = TEST TEST1 TEST2\fR
4390 \fBnetbios name (G)\fR
4391 This sets the NetBIOS name by which a Samba
4392 server is known. By default it is the same as the first component
4393 of the host's DNS name. If a machine is a browse server or
4394 logon server this name (or the first component
4395 of the hosts DNS name) will be the name that these services are
4401 Default: \fBmachine DNS name\fR
4403 Example: \fBnetbios name = MYNAME\fR
4405 \fBnetbios scope (G)\fR
4406 This sets the NetBIOS scope that Samba will
4407 operate under. This should not be set unless every machine
4408 on your LAN also sets this value.
4410 \fBnis homedir (G)\fR
4411 Get the home share server from a NIS map. For
4412 UNIX systems that use an automounter, the user's home directory
4413 will often be mounted on a workstation on demand from a remote
4416 When the Samba logon server is not the actual home directory
4417 server, but is mounting the home directories via NFS then two
4418 network hops would be required to access the users home directory
4419 if the logon server told the client to use itself as the SMB server
4420 for home directories (one over SMB and one over NFS). This can
4423 This option allows Samba to return the home share as
4424 being on a different server to the logon server and as
4425 long as a Samba daemon is running on the home directory server,
4426 it will be mounted on the Samba client directly from the directory
4427 server. When Samba is returning the home share to the client, it
4428 will consult the NIS map specified in \fIhomedir map\fR and return the server
4431 Note that for this option to work there must be a working
4432 NIS system and the Samba server with this option must also
4435 Default: \fBnis homedir = no\fR
4437 \fBnon unix account range (G)\fR
4438 The non unix account range parameter specifies
4439 the range of 'user ids' that are allocated by the various 'non unix
4440 account' passdb backends. These backends allow
4441 the storage of passwords for users who don't exist in /etc/passwd.
4442 This is most often used for machine account creation.
4443 This range of ids should have no existing local or NIS users within
4444 it as strange conflicts can occur otherwise.
4446 NOTE: These userids never appear on the system and Samba will never
4447 \&'become' these users. They are used only to ensure that the algorithmic
4448 RID mapping does not conflict with normal users.
4450 Default: \fBnon unix account range = <empty string>
4452 Example: \fBnon unix account range = 10000-20000\fR
4454 \fBnt acl support (S)\fR
4455 This boolean parameter controls whether
4456 smbd(8)will attempt to map
4457 UNIX permissions into Windows NT access control lists.
4458 This parameter was formally a global parameter in releases
4461 Default: \fBnt acl support = yes\fR
4463 \fBnt pipe support (G)\fR
4464 This boolean parameter controls whether
4465 smbd(8)will allow Windows NT
4466 clients to connect to the NT SMB specific IPC$
4467 pipes. This is a developer debugging option and can be left
4470 Default: \fBnt pipe support = yes\fR
4472 \fBnull passwords (G)\fR
4473 Allow or disallow client access to accounts
4474 that have null passwords.
4476 See also smbpasswd (5).
4478 Default: \fBnull passwords = no\fR
4480 \fBobey pam restrictions (G)\fR
4481 When Samba 2.2 is configured to enable PAM support
4482 (i.e. --with-pam), this parameter will control whether or not Samba
4483 should obey PAM's account and session management directives. The
4484 default behavior is to use PAM for clear text authentication only
4485 and to ignore any account or session management. Note that Samba
4486 always ignores PAM for authentication in the case of \fIencrypt passwords = yes\fR
4487 \&. The reason is that PAM modules cannot support the challenge/response
4488 authentication mechanism needed in the presence of SMB password encryption.
4490 Default: \fBobey pam restrictions = no\fR
4493 This is a boolean option that controls whether
4494 connections with usernames not in the \fIuser\fR
4495 list will be allowed. By default this option is disabled so that a
4496 client can supply a username to be used by the server. Enabling
4497 this parameter will force the server to only user the login
4498 names from the \fIuser\fR list and is only really
4499 useful in shave level
4502 Note that this also means Samba won't try to deduce
4503 usernames from the service name. This can be annoying for
4504 the [homes] section. To get around this you could use \fBuser =
4505 %S\fR which means your \fIuser\fR list
4506 will be just the service name, which for home directories is the
4509 See also the \fIuser\fR
4512 Default: \fBonly user = no\fR
4514 \fBonly guest (S)\fR
4515 A synonym for \fI guest only\fR.
4517 \fBoplock break wait time (G)\fR
4518 This is a tuning parameter added due to bugs in
4519 both Windows 9x and WinNT. If Samba responds to a client too
4520 quickly when that client issues an SMB that can cause an oplock
4521 break request, then the network client can fail and not respond
4522 to the break request. This tuning parameter (which is set in milliseconds)
4523 is the amount of time Samba will wait before sending an oplock break
4524 request to such (broken) clients.
4526 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4527 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4529 Default: \fBoplock break wait time = 0\fR
4531 \fBoplock contention limit (S)\fR
4532 This is a \fBvery\fR advanced
4533 smbd(8)tuning option to
4534 improve the efficiency of the granting of oplocks under multiple
4535 client contention for the same file.
4537 In brief it specifies a number, which causes smbdnot to
4538 grant an oplock even when requested if the approximate number of
4539 clients contending for an oplock on the same file goes over this
4540 limit. This causes \fBsmbd\fR to behave in a similar
4543 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4544 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4546 Default: \fBoplock contention limit = 2\fR
4549 This boolean option tells \fBsmbd\fR whether to
4550 issue oplocks (opportunistic locks) to file open requests on this
4551 share. The oplock code can dramatically (approx. 30% or more) improve
4552 the speed of access to files on Samba servers. It allows the clients
4553 to aggressively cache files locally and you may want to disable this
4554 option for unreliable network environments (it is turned on by
4555 default in Windows NT Servers). For more information see the file
4556 \fISpeed.txt\fR in the Samba \fIdocs/\fR
4559 Oplocks may be selectively turned off on certain files with a
4560 share. See the \fI veto oplock files\fR parameter. On some systems
4561 oplocks are recognized by the underlying operating system. This
4562 allows data synchronization between all access to oplocked files,
4563 whether it be via Samba or NFS or a local UNIX process. See the
4564 \fIkernel oplocks\fR parameter for details.
4566 See also the \fIkernel
4567 oplocks\fR and \fI level2 oplocks\fR parameters.
4569 Default: \fBoplocks = yes\fR
4572 This integer value controls what level Samba
4573 advertises itself as for browse elections. The value of this
4574 parameter determines whether nmbd(8)
4575 has a chance of becoming a local master browser for the \fI WORKGROUP\fR in the local broadcast area.
4577 \fBNote :\fRBy default, Samba will win
4578 a local master browsing election over all Microsoft operating
4579 systems except a Windows NT 4.0/2000 Domain Controller. This
4580 means that a misconfigured Samba host can effectively isolate
4581 a subnet for browsing purposes. See \fIBROWSING.txt
4582 \fRin the Samba \fIdocs/\fR directory
4585 Default: \fBos level = 20\fR
4587 Example: \fBos level = 65 \fR
4589 \fBos2 driver map (G)\fR
4590 The parameter is used to define the absolute
4591 path to a file containing a mapping of Windows NT printer driver
4592 names to OS/2 printer driver names. The format is:
4594 <nt driver name> = <os2 driver
4597 For example, a valid entry using the HP LaserJet 5
4598 printer driver would appear as \fBHP LaserJet 5L = LASERJET.HP
4601 The need for the file is due to the printer driver namespace
4602 problem described in the Samba
4603 Printing HOWTO. For more details on OS/2 clients, please
4604 refer to the OS2-Client-HOWTO
4605 containing in the Samba documentation.
4607 Default: \fBos2 driver map = <empty string>
4609 \fBpam password change (G)\fR
4610 With the addition of better PAM support in Samba 2.2,
4611 this parameter, it is possible to use PAM's password change control
4612 flag for Samba. If enabled, then PAM will be used for password
4613 changes when requested by an SMB client instead of the program listed in
4614 \fIpasswd program\fR.
4615 It should be possible to enable this without changing your
4617 parameter for most setups.
4619 Default: \fBpam password change = no\fR
4621 \fBpanic action (G)\fR
4622 This is a Samba developer option that allows a
4623 system command to be called when either smbd(8)
4624 crashes. This is usually used to draw attention to the fact that
4627 Default: \fBpanic action = <empty string>\fR
4629 Example: \fBpanic action = "/bin/sleep 90000"\fR
4631 \fBpassdb backend (G)\fR
4632 This option allows the administrator to chose what
4633 backend in which to store passwords. This allows (for example) both
4634 smbpasswd and tdbsam to be used without a recompile. Only one can
4635 be used at a time however, and experimental backends must still be selected
4636 (eg --with-tdbsam) at configure time.
4638 This paramater is in two parts, the backend's name, and a 'location'
4639 string that has meaning only to that particular backed. These are separated
4642 Available backends can include:
4646 \fBsmbpasswd\fR - The default smbpasswd
4647 backend. Takes a path to the smbpasswd file as an optional argument.
4650 \fBsmbpasswd_nua\fR - The smbpasswd
4651 backend, but with support for 'not unix accounts'.
4652 Takes a path to the smbpasswd file as an optional argument.
4654 See also \fInon unix account range\fR
4657 \fBtdbsam\fR - The TDB based password storage
4658 backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
4659 in the \fIprivate dir\fR directory.
4662 \fBtdbsam_nua\fR - The TDB based password storage
4663 backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
4664 in the \fIprivate dir\fR directory.
4666 See also \fInon unix account range\fR
4669 \fBldapsam\fR - The LDAP based passdb
4670 backend. Takes an LDAP URL as an optional argument (defaults to
4671 \fBldap://localhost\fR)
4674 \fBldapsam_nua\fR - The LDAP based passdb
4675 backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
4676 \fBldap://localhost\fR)
4678 See also \fInon unix account range\fR
4681 \fBplugin\fR - Allows Samba to load an
4682 arbitary passdb backend from the .so specified as a compulsary argument.
4684 Any characters after the (optional) second : are passed to the plugin
4685 for its own processing
4689 Default: \fBpassdb backend = smbpasswd\fR
4691 Example: \fBpassdb backend = tdbsam:/etc/samba/private/passdb.tdb\fR
4693 Example: \fBpassdb backend = ldapsam_nua:ldaps://ldap.example.com\fR
4695 Example: \fBpassdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args\fR
4697 \fBpasswd chat (G)\fR
4698 This string controls the \fB"chat"\fR
4699 conversation that takes places between smbdand the local password changing
4700 program to change the user's password. The string describes a
4701 sequence of response-receive pairs that smbd(8)uses to determine what to send to the
4702 \fIpasswd program\fR
4703 and what to expect back. If the expected output is not
4704 received then the password is not changed.
4706 This chat sequence is often quite site specific, depending
4707 on what local methods are used for password control (such as NIS
4710 Note that this parameter only is only used if the \fIunix
4711 password sync\fR parameter is set to yes. This
4712 sequence is then called \fBAS ROOT\fR when the SMB password
4713 in the smbpasswd file is being changed, without access to the old
4714 password cleartext. This means that root must be able to reset the user's password
4715 without knowing the text of the previous password. In the presence of NIS/YP,
4716 this means that the passwd program must be
4717 executed on the NIS master.
4719 The string can contain the macro \fI%n\fR which is substituted
4720 for the new password. The chat sequence can also contain the standard
4721 macros \\n, \\r, \\t and \\s to give line-feed,
4722 carriage-return, tab and space. The chat sequence string can also contain
4723 a '*' which matches any sequence of characters.
4724 Double quotes can be used to collect strings with spaces
4725 in them into a single string.
4727 If the send string in any part of the chat sequence
4728 is a full stop ".", then no string is sent. Similarly,
4729 if the expect string is a full stop then no string is expected.
4732 password change\fR parameter is set to true, the chat pairs
4733 may be matched in any order, and success is determined by the PAM result,
4734 not any particular output. The \\n macro is ignored for PAM conversions.
4736 See also \fIunix password
4737 sync\fR, \fI passwd program\fR , \fIpasswd chat debug\fR and \fIpam password change\fR.
4739 Default: \fBpasswd chat = *new*password* %n\\n
4740 *new*password* %n\\n *changed*\fR
4742 Example: \fBpasswd chat = "*Enter OLD password*" %o\\n
4743 "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password
4746 \fBpasswd chat debug (G)\fR
4747 This boolean specifies if the passwd chat script
4748 parameter is run in \fBdebug\fR mode. In this mode the
4749 strings passed to and received from the passwd chat are printed
4750 in the smbd(8)log with a
4752 of 100. This is a dangerous option as it will allow plaintext passwords
4753 to be seen in the \fBsmbd\fR log. It is available to help
4754 Samba admins debug their \fIpasswd chat\fR scripts
4755 when calling the \fIpasswd program\fR and should
4756 be turned off after this has been done. This option has no effect if the
4757 \fIpam password change\fR
4758 paramter is set. This parameter is off by default.
4760 See also \fIpasswd chat\fR
4761 , \fIpam password change\fR
4762 , \fIpasswd program\fR
4765 Default: \fBpasswd chat debug = no\fR
4767 \fBpasswd program (G)\fR
4768 The name of a program that can be used to set
4769 UNIX user passwords. Any occurrences of \fI%u\fR
4770 will be replaced with the user name. The user name is checked for
4771 existence before calling the password changing program.
4773 Also note that many passwd programs insist in \fBreasonable
4774 \fRpasswords, such as a minimum length, or the inclusion
4775 of mixed case chars and digits. This can pose a problem as some clients
4776 (such as Windows for Workgroups) uppercase the password before sending
4779 \fBNote\fR that if the \fIunix
4780 password sync\fR parameter is set to true
4781 then this program is called \fBAS ROOT\fR
4782 before the SMB password in the smbpasswd(5)
4783 file is changed. If this UNIX password change fails, then
4784 \fBsmbd\fR will fail to change the SMB password also
4785 (this is by design).
4787 If the \fIunix password sync\fR parameter
4788 is set this parameter \fBMUST USE ABSOLUTE PATHS\fR
4789 for \fBALL\fR programs called, and must be examined
4790 for security implications. Note that by default \fIunix
4791 password sync\fR is set to false.
4796 Default: \fBpasswd program = /bin/passwd\fR
4798 Example: \fBpasswd program = /sbin/npasswd %u\fR
4800 \fBpassword level (G)\fR
4801 Some client/server combinations have difficulty
4802 with mixed-case passwords. One offending client is Windows for
4803 Workgroups, which for some reason forces passwords to upper
4804 case when using the LANMAN1 protocol, but leaves them alone when
4805 using COREPLUS! Another problem child is the Windows 95/98
4806 family of operating systems. These clients upper case clear
4807 text passwords even when NT LM 0.12 selected by the protocol
4808 negotiation request/response.
4810 This parameter defines the maximum number of characters
4811 that may be upper case in passwords.
4813 For example, say the password given was "FRED". If \fI password level\fR is set to 1, the following combinations
4814 would be tried if "FRED" failed:
4816 "Fred", "fred", "fRed", "frEd","freD"
4818 If \fIpassword level\fR was set to 2,
4819 the following combinations would also be tried:
4821 "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
4825 The higher value this parameter is set to the more likely
4826 it is that a mixed case password will be matched against a single
4827 case password. However, you should be aware that use of this
4828 parameter reduces security and increases the time taken to
4829 process a new connection.
4831 A value of zero will cause only two attempts to be
4832 made - the password as is and the password in all-lower case.
4834 Default: \fBpassword level = 0\fR
4836 Example: \fBpassword level = 4\fR
4838 \fBpassword server (G)\fR
4839 By specifying the name of another SMB server (such
4840 as a WinNT box) with this option, and using \fBsecurity = domain
4841 \fRor \fBsecurity = server\fR you can get Samba
4842 to do all its username/password validation via a remote server.
4844 This option sets the name of the password server to use.
4845 It must be a NetBIOS name, so if the machine's NetBIOS name is
4846 different from its Internet name then you may have to add its NetBIOS
4847 name to the lmhosts file which is stored in the same directory
4848 as the \fIsmb.conf\fR file.
4850 The name of the password server is looked up using the
4852 resolve order\fR and so may resolved
4853 by any method and order described in that parameter.
4855 The password server much be a machine capable of using
4856 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
4857 user level security mode.
4859 \fBNOTE:\fR Using a password server
4860 means your UNIX box (running Samba) is only as secure as your
4861 password server. \fBDO NOT CHOOSE A PASSWORD SERVER THAT
4862 YOU DON'T COMPLETELY TRUST\fR.
4864 Never point a Samba server at itself for password
4865 serving. This will cause a loop and could lock up your Samba
4868 The name of the password server takes the standard
4869 substitutions, but probably the only useful one is \fI%m
4870 \fR, which means the Samba server will use the incoming
4871 client as the password server. If you use this then you better
4872 trust your clients, and you had better restrict them with hosts allow!
4874 If the \fIsecurity\fR parameter is set to
4875 domain, then the list of machines in this
4876 option must be a list of Primary or Backup Domain controllers for the
4877 Domain or the character '*', as the Samba server is effectively
4878 in that domain, and will use cryptographically authenticated RPC calls
4879 to authenticate the user logging on. The advantage of using \fB security = domain\fR is that if you list several hosts in the
4880 \fIpassword server\fR option then \fBsmbd
4881 \fRwill try each in turn till it finds one that responds. This
4882 is useful in case your primary server goes down.
4884 If the \fIpassword server\fR option is set
4885 to the character '*', then Samba will attempt to auto-locate the
4886 Primary or Backup Domain controllers to authenticate against by
4887 doing a query for the name WORKGROUP<1C>
4888 and then contacting each server returned in the list of IP
4889 addresses from the name resolution source.
4891 If the \fIsecurity\fR parameter is
4892 set to server, then there are different
4893 restrictions that \fBsecurity = domain\fR doesn't
4898 You may list several password servers in
4899 the \fIpassword server\fR parameter, however if an
4900 \fBsmbd\fR makes a connection to a password server,
4901 and then the password server fails, no more users will be able
4902 to be authenticated from this \fBsmbd\fR. This is a
4903 restriction of the SMB/CIFS protocol when in \fBsecurity = server
4904 \fRmode and cannot be fixed in Samba.
4907 If you are using a Windows NT server as your
4908 password server then you will have to ensure that your users
4909 are able to login from the Samba server, as when in \fB security = server\fR mode the network logon will appear to
4910 come from there rather than from the users workstation.
4913 See also the \fIsecurity
4917 Default: \fBpassword server = <empty string>\fR
4920 Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2
4923 Example: \fBpassword server = *\fR
4927 This parameter specifies a directory to which
4928 the user of the service is to be given access. In the case of
4929 printable services, this is where print data will spool prior to
4930 being submitted to the host for printing.
4932 For a printable service offering guest access, the service
4933 should be readonly and the path should be world-writeable and
4934 have the sticky bit set. This is not mandatory of course, but
4935 you probably won't get the results you expect if you do
4938 Any occurrences of \fI%u\fR in the path
4939 will be replaced with the UNIX username that the client is using
4940 on this connection. Any occurrences of \fI%m\fR
4941 will be replaced by the NetBIOS name of the machine they are
4942 connecting from. These replacements are very useful for setting
4943 up pseudo home directories for users.
4945 Note that this path will be based on \fIroot dir\fR if one was specified.
4949 Example: \fBpath = /home/fred\fR
4951 \fBposix locking (S)\fR
4953 daemon maintains an database of file locks obtained by SMB clients.
4954 The default behavior is to map this internal database to POSIX
4955 locks. This means that file locks obtained by SMB clients are
4956 consistent with those seen by POSIX compliant applications accessing
4957 the files via a non-SMB method (e.g. NFS or local file access).
4958 You should never need to disable this parameter.
4960 Default: \fBposix locking = yes\fR
4963 This option specifies a command to be run
4964 whenever the service is disconnected. It takes the usual
4965 substitutions. The command may be run as the root on some
4968 An interesting example may be to unmount server
4971 \fBpostexec = /etc/umount /cdrom\fR
4973 See also \fIpreexec\fR
4976 Default: \fBnone (no command executed)\fR
4978 Example: \fBpostexec = echo \\"%u disconnected from %S
4979 from %m (%I)\\" >> /tmp/log\fR
4981 \fBpostscript (S)\fR
4982 This parameter forces a printer to interpret
4983 the print files as PostScript. This is done by adding a %!
4984 to the start of print output.
4986 This is most useful when you have lots of PCs that persist
4987 in putting a control-D at the start of print jobs, which then
4988 confuses your printer.
4990 Default: \fBpostscript = no\fR
4993 This option specifies a command to be run whenever
4994 the service is connected to. It takes the usual substitutions.
4996 An interesting example is to send the users a welcome
4997 message every time they log in. Maybe a message of the day? Here
5000 \fBpreexec = csh -c 'echo \\"Welcome to %S!\\" |
5001 /usr/local/samba/bin/smbclient -M %m -I %I' & \fR
5003 Of course, this could get annoying after a while :-)
5005 See also \fIpreexec close
5009 Default: \fBnone (no command executed)\fR
5011 Example: \fBpreexec = echo \\"%u connected to %S from %m
5012 (%I)\\" >> /tmp/log\fR
5014 \fBpreexec close (S)\fR
5015 This boolean option controls whether a non-zero
5016 return code from \fIpreexec
5017 \fRshould close the service being connected to.
5019 Default: \fBpreexec close = no\fR
5021 \fBpreferred master (G)\fR
5022 This boolean parameter controls if nmbd(8)is a preferred master browser
5025 If this is set to true, on startup, \fBnmbd\fR
5026 will force an election, and it will have a slight advantage in
5027 winning the election. It is recommended that this parameter is
5028 used in conjunction with \fB\fI domain master\fB = yes\fR, so that \fB nmbd\fR can guarantee becoming a domain master.
5030 Use this option with caution, because if there are several
5031 hosts (whether Samba servers, Windows 95 or NT) that are preferred
5032 master browsers on the same subnet, they will each periodically
5033 and continuously attempt to become the local master browser.
5034 This will result in unnecessary broadcast traffic and reduced browsing
5037 See also \fIos level\fR
5040 Default: \fBpreferred master = auto\fR
5042 \fBprefered master (G)\fR
5043 Synonym for \fI preferred master\fR for people who cannot spell :-).
5046 This is a list of services that you want to be
5047 automatically added to the browse lists. This is most useful
5048 for homes and printers services that would otherwise not be
5051 Note that if you just want all printers in your
5052 printcap file loaded then the \fIload printers\fR option is easier.
5054 Default: \fBno preloaded services\fR
5056 Example: \fBpreload = fred lp colorlp\fR
5058 \fBpreserve case (S)\fR
5059 This controls if new filenames are created
5060 with the case that the client passes, or if they are forced to
5061 be the \fIdefault case
5064 Default: \fBpreserve case = yes\fR
5066 See the section on NAME
5067 MANGLING for a fuller discussion.
5069 \fBprint command (S)\fR
5070 After a print job has finished spooling to
5071 a service, this command will be used via a \fBsystem()\fR
5072 call to process the spool file. Typically the command specified will
5073 submit the spool file to the host's printing subsystem, but there
5074 is no requirement that this be the case. The server will not remove
5075 the spool file, so whatever command you specify should remove the
5076 spool file when it has been processed, otherwise you will need to
5077 manually remove old spool files.
5079 The print command is simply a text string. It will be used
5080 verbatim, with two exceptions: All occurrences of \fI%s
5081 \fRand \fI%f\fR will be replaced by the
5082 appropriate spool file name, and all occurrences of \fI%p
5083 \fRwill be replaced by the appropriate printer name. The
5084 spool file name is generated automatically by the server. The
5085 \fI%J\fR macro can be used to access the job
5086 name as transmitted by the client.
5088 The print command \fBMUST\fR contain at least
5089 one occurrence of \fI%s\fR or \fI%f
5090 \fR- the \fI%p\fR is optional. At the time
5091 a job is submitted, if no printer name is supplied the \fI%p
5092 \fRwill be silently removed from the printer command.
5094 If specified in the [global] section, the print command given
5095 will be used for any printable service that does not have its own
5096 print command specified.
5098 If there is neither a specified print command for a
5099 printable service nor a global print command, spool files will
5100 be created but not processed and (most importantly) not removed.
5102 Note that printing may fail on some UNIXes from the
5103 nobody account. If this happens then create
5104 an alternative guest account that can print and set the \fIguest account\fR
5105 in the [global] section.
5107 You can form quite complex print commands by realizing
5108 that they are just passed to a shell. For example the following
5109 will log a print job, print the file, then remove it. Note that
5110 \&';' is the usual separator for command in shell scripts.
5112 \fBprint command = echo Printing %s >>
5113 /tmp/print.log; lpr -P %p %s; rm %s\fR
5115 You may have to vary this command considerably depending
5116 on how you normally print files on your system. The default for
5117 the parameter varies depending on the setting of the \fIprinting\fR parameter.
5119 Default: For \fBprinting = BSD, AIX, QNX, LPRNG
5122 \fBprint command = lpr -r -P%p %s\fR
5124 For \fBprinting = SYSV or HPUX :\fR
5126 \fBprint command = lp -c -d%p %s; rm %s\fR
5128 For \fBprinting = SOFTQ :\fR
5130 \fBprint command = lp -d%p -s %s; rm %s\fR
5132 Example: \fBprint command = /usr/local/samba/bin/myprintscript
5136 Synonym for \fIprintable\fR.
5139 If this parameter is yes, then
5140 clients may open, write to and submit spool files on the directory
5141 specified for the service.
5143 Note that a printable service will ALWAYS allow writing
5144 to the service path (user privileges permitting) via the spooling
5145 of print data. The \fIwriteable
5146 \fRparameter controls only non-printing access to
5149 Default: \fBprintable = no\fR
5152 Synonym for \fI printcap name\fR.
5154 \fBprintcap name (G)\fR
5155 This parameter may be used to override the
5156 compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR). See the discussion of the [printers] section above for reasons
5157 why you might want to do this.
5159 On System V systems that use \fBlpstat\fR to
5160 list available printers you can use \fBprintcap name = lpstat
5161 \fRto automatically obtain lists of available printers. This
5162 is the default for systems that define SYSV at configure time in
5163 Samba (this includes most System V based systems). If \fI printcap name\fR is set to \fBlpstat\fR on
5164 these systems then Samba will launch \fBlpstat -v\fR and
5165 attempt to parse the output to obtain a printer list.
5167 A minimal printcap file would look something like this:
5180 where the '|' separates aliases of a printer. The fact
5181 that the second alias has a space in it gives a hint to Samba
5182 that it's a comment.
5184 \fBNOTE\fR: Under AIX the default printcap
5185 name is \fI/etc/qconfig\fR. Samba will assume the
5186 file is in AIX \fIqconfig\fR format if the string
5187 \fIqconfig\fR appears in the printcap filename.
5189 Default: \fBprintcap name = /etc/printcap\fR
5191 Example: \fBprintcap name = /etc/myprintcap\fR
5193 \fBprinter admin (S)\fR
5194 This is a list of users that can do anything to
5195 printers via the remote administration interfaces offered by MS-RPC
5196 (usually using a NT workstation). Note that the root user always
5199 Default: \fBprinter admin = <empty string>\fR
5201 Example: \fBprinter admin = admin, @staff\fR
5203 \fBprinter driver (S)\fR
5204 \fBNote :\fRThis is a deprecated
5205 parameter and will be removed in the next major release
5206 following version 2.2. Please see the instructions in
5207 the Samba 2.2. Printing
5208 HOWTOfor more information
5209 on the new method of loading printer drivers onto a Samba server.
5211 This option allows you to control the string
5212 that clients receive when they ask the server for the printer driver
5213 associated with a printer. If you are using Windows95 or Windows NT
5214 then you can use this to automate the setup of printers on your
5217 You need to set this parameter to the exact string (case
5218 sensitive) that describes the appropriate printer driver for your
5219 system. If you don't know the exact string to use then you should
5220 first try with no \fI printer driver\fR option set and the client will
5221 give you a list of printer drivers. The appropriate strings are
5222 shown in a scroll box after you have chosen the printer manufacturer.
5227 Example: \fBprinter driver = HP LaserJet 4L\fR
5229 \fBprinter driver file (G)\fR
5230 \fBNote :\fRThis is a deprecated
5231 parameter and will be removed in the next major release
5232 following version 2.2. Please see the instructions in
5233 the Samba 2.2. Printing
5234 HOWTOfor more information
5235 on the new method of loading printer drivers onto a Samba server.
5237 This parameter tells Samba where the printer driver
5238 definition file, used when serving drivers to Windows 95 clients, is
5239 to be found. If this is not set, the default is :
5241 \fISAMBA_INSTALL_DIRECTORY
5242 /lib/printers.def\fR
5244 This file is created from Windows 95 \fImsprint.inf
5245 \fRfiles found on the Windows 95 client system. For more
5246 details on setting up serving of printer drivers to Windows 95
5247 clients, see the outdated documentation file in the \fIdocs/\fR
5248 directory, \fIPRINTER_DRIVER.txt\fR.
5250 See also \fI printer driver location\fR.
5252 Default: \fBNone (set in compile).\fR
5254 Example: \fBprinter driver file =
5255 /usr/local/samba/printers/drivers.def\fR
5257 \fBprinter driver location (S)\fR
5258 \fBNote :\fRThis is a deprecated
5259 parameter and will be removed in the next major release
5260 following version 2.2. Please see the instructions in
5261 the Samba 2.2. Printing
5262 HOWTOfor more information
5263 on the new method of loading printer drivers onto a Samba server.
5265 This parameter tells clients of a particular printer
5266 share where to find the printer driver files for the automatic
5267 installation of drivers for Windows 95 machines. If Samba is set up
5268 to serve printer drivers to Windows 95 machines, this should be set to
5270 \fB\\\\MACHINE\\PRINTER$\fR
5272 Where MACHINE is the NetBIOS name of your Samba server,
5273 and PRINTER$ is a share you set up for serving printer driver
5274 files. For more details on setting this up see the outdated documentation
5275 file in the \fIdocs/\fR directory, \fI PRINTER_DRIVER.txt\fR.
5277 See also \fI printer driver file\fR.
5281 Example: \fBprinter driver location = \\\\MACHINE\\PRINTER$
5283 \fBprinter name (S)\fR
5284 This parameter specifies the name of the printer
5285 to which print jobs spooled through a printable service will be sent.
5287 If specified in the [global] section, the printer
5288 name given will be used for any printable service that does
5289 not have its own printer name specified.
5291 Default: \fBnone (but may be lp
5294 Example: \fBprinter name = laserwriter\fR
5297 Synonym for \fI printer name\fR.
5300 This parameters controls how printer status
5301 information is interpreted on your system. It also affects the
5302 default values for the \fIprint command\fR,
5303 \fIlpq command\fR, \fIlppause command
5304 \fR, \fIlpresume command\fR, and
5305 \fIlprm command\fR if specified in the
5308 Currently nine printing styles are supported. They are
5315 To see what the defaults are for the other print
5316 commands when using the various options use the testparm(1)program.
5318 This option can be set on a per printer basis
5320 See also the discussion in the [printers] section.
5322 \fBprivate dir (G)\fR
5323 This parameters defines the directory
5324 smbd will use for storing such files as \fIsmbpasswd\fR
5325 and \fIsecrets.tdb\fR.
5327 Default :\fBprivate dir = ${prefix}/private\fR
5330 Synonym for \fImax protocol\fR.
5333 Synonym for \fIguest
5336 \fBqueuepause command (S)\fR
5337 This parameter specifies the command to be
5338 executed on the server host in order to pause the printer queue.
5340 This command should be a program or script which takes
5341 a printer name as its only parameter and stops the printer queue,
5342 such that no longer jobs are submitted to the printer.
5344 This command is not supported by Windows for Workgroups,
5345 but can be issued from the Printers window under Windows 95
5348 If a \fI%p\fR is given then the printer name
5349 is put in its place. Otherwise it is placed at the end of the command.
5351 Note that it is good practice to include the absolute
5352 path in the command as the PATH may not be available to the
5355 Default: \fBdepends on the setting of \fIprinting
5357 Example: \fBqueuepause command = disable %p\fR
5359 \fBqueueresume command (S)\fR
5360 This parameter specifies the command to be
5361 executed on the server host in order to resume the printer queue. It
5362 is the command to undo the behavior that is caused by the
5363 previous parameter (\fI queuepause command\fR).
5365 This command should be a program or script which takes
5366 a printer name as its only parameter and resumes the printer queue,
5367 such that queued jobs are resubmitted to the printer.
5369 This command is not supported by Windows for Workgroups,
5370 but can be issued from the Printers window under Windows 95
5373 If a \fI%p\fR is given then the printer name
5374 is put in its place. Otherwise it is placed at the end of the
5377 Note that it is good practice to include the absolute
5378 path in the command as the PATH may not be available to the
5381 Default: \fBdepends on the setting of \fIprinting\fB\fR
5383 Example: \fBqueuepause command = enable %p
5386 This boolean parameter controls whether smbd(8)will support the "Read
5387 Block Multiplex" SMB. This is now rarely used and defaults to
5388 no. You should never need to set this
5391 Default: \fBread bmpx = no\fR
5394 This is a list of users that are given read-only
5395 access to a service. If the connecting user is in this list then
5396 they will not be given write access, no matter what the \fIwriteable\fR
5397 option is set to. The list can include group names using the
5398 syntax described in the \fI invalid users\fR parameter.
5400 See also the \fI write list\fR parameter and the \fIinvalid users\fR
5403 Default: \fBread list = <empty string>\fR
5405 Example: \fBread list = mary, @students\fR
5408 Note that this is an inverted synonym for \fIwriteable\fR.
5411 This parameter controls whether or not the server
5412 will support the raw read SMB requests when transferring data
5415 If enabled, raw reads allow reads of 65535 bytes in
5416 one packet. This typically provides a major performance benefit.
5418 However, some clients either negotiate the allowable
5419 block size incorrectly or are incapable of supporting larger block
5420 sizes, and for these clients you may need to disable raw reads.
5422 In general this parameter should be viewed as a system tuning
5423 tool and left severely alone. See also \fIwrite raw\fR.
5425 Default: \fBread raw = yes\fR
5428 The option \fIread size\fR
5429 affects the overlap of disk reads/writes with network reads/writes.
5430 If the amount of data being transferred in several of the SMB
5431 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
5432 than this value then the server begins writing the data before it
5433 has received the whole packet from the network, or in the case of
5434 SMBreadbraw, it begins writing to the network before all the data
5435 has been read from disk.
5437 This overlapping works best when the speeds of disk and
5438 network access are similar, having very little effect when the
5439 speed of one is much greater than the other.
5441 The default value is 16384, but very little experimentation
5442 has been done yet to determine the optimal value, and it is likely
5443 that the best value will vary greatly between systems anyway.
5444 A value over 65536 is pointless and will cause you to allocate
5445 memory unnecessarily.
5447 Default: \fBread size = 16384\fR
5449 Example: \fBread size = 8192\fR
5451 \fBremote announce (G)\fR
5452 This option allows you to setup nmbd(8)to periodically announce itself
5453 to arbitrary IP addresses with an arbitrary workgroup name.
5455 This is useful if you want your Samba server to appear
5456 in a remote workgroup for which the normal browse propagation
5457 rules don't work. The remote workgroup can be anywhere that you
5458 can send IP packets to.
5462 \fBremote announce = 192.168.2.255/SERVERS
5463 192.168.4.255/STAFF\fR
5465 the above line would cause \fBnmbd\fR to announce itself
5466 to the two given IP addresses using the given workgroup names.
5467 If you leave out the workgroup name then the one given in
5469 parameter is used instead.
5471 The IP addresses you choose would normally be the broadcast
5472 addresses of the remote networks, but can also be the IP addresses
5473 of known browse masters if your network config is that stable.
5475 See the documentation file \fIBROWSING.txt\fR
5476 in the \fIdocs/\fR directory.
5478 Default: \fBremote announce = <empty string>
5480 \fBremote browse sync (G)\fR
5481 This option allows you to setup nmbd(8)to periodically request
5482 synchronization of browse lists with the master browser of a Samba
5483 server that is on a remote segment. This option will allow you to
5484 gain browse lists for multiple workgroups across routed networks. This
5485 is done in a manner that does not work with any non-Samba servers.
5487 This is useful if you want your Samba server and all local
5488 clients to appear in a remote workgroup for which the normal browse
5489 propagation rules don't work. The remote workgroup can be anywhere
5490 that you can send IP packets to.
5494 \fBremote browse sync = 192.168.2.255 192.168.4.255
5496 the above line would cause \fBnmbd\fR to request
5497 the master browser on the specified subnets or addresses to
5498 synchronize their browse lists with the local server.
5500 The IP addresses you choose would normally be the broadcast
5501 addresses of the remote networks, but can also be the IP addresses
5502 of known browse masters if your network config is that stable. If
5503 a machine IP address is given Samba makes NO attempt to validate
5504 that the remote machine is available, is listening, nor that it
5505 is in fact the browse master on its segment.
5507 Default: \fBremote browse sync = <empty string>
5509 \fBrestrict anonymous (G)\fR
5510 This is a boolean parameter. If it is true, then
5511 anonymous access to the server will be restricted, namely in the
5512 case where the server is expecting the client to send a username,
5513 but it doesn't. Setting it to true will force these anonymous
5514 connections to be denied, and the client will be required to always
5515 supply a username and password when connecting. Use of this parameter
5516 is only recommended for homogeneous NT client environments.
5518 This parameter makes the use of macro expansions that rely
5519 on the username (%U, %G, etc) consistent. NT 4.0
5520 likes to use anonymous connections when refreshing the share list,
5521 and this is a way to work around that.
5523 When restrict anonymous is true, all anonymous connections
5524 are denied no matter what they are for. This can effect the ability
5525 of a machine to access the Samba Primary Domain Controller to revalidate
5526 its machine account after someone else has logged on the client
5527 interactively. The NT client will display a message saying that
5528 the machine's account in the domain doesn't exist or the password is
5529 bad. The best way to deal with this is to reboot NT client machines
5530 between interactive logons, using "Shutdown and Restart", rather
5531 than "Close all programs and logon as a different user".
5533 Default: \fBrestrict anonymous = no\fR
5536 Synonym for \fIroot directory"\fR.
5539 Synonym for \fIroot directory"\fR.
5541 \fBroot directory (G)\fR
5542 The server will \fBchroot()\fR (i.e.
5543 Change its root directory) to this directory on startup. This is
5544 not strictly necessary for secure operation. Even without it the
5545 server will deny access to files not in one of the service entries.
5546 It may also check for, and deny access to, soft links to other
5547 parts of the filesystem, or attempts to use ".." in file names
5548 to access other directories (depending on the setting of the \fIwide links\fR
5551 Adding a \fIroot directory\fR entry other
5552 than "/" adds an extra level of security, but at a price. It
5553 absolutely ensures that no access is given to files not in the
5554 sub-tree specified in the \fIroot directory\fR
5555 option, \fBincluding\fR some files needed for
5556 complete operation of the server. To maintain full operability
5557 of the server you will need to mirror some system files
5558 into the \fIroot directory\fR tree. In particular
5559 you will need to mirror \fI/etc/passwd\fR (or a
5560 subset of it), and any binaries or configuration files needed for
5561 printing (if required). The set of files that must be mirrored is
5562 operating system dependent.
5564 Default: \fBroot directory = /\fR
5566 Example: \fBroot directory = /homes/smb\fR
5568 \fBroot postexec (S)\fR
5569 This is the same as the \fIpostexec\fR
5570 parameter except that the command is run as root. This
5571 is useful for unmounting filesystems
5572 (such as CDROMs) after a connection is closed.
5574 See also \fI postexec\fR.
5576 Default: \fBroot postexec = <empty string>
5578 \fBroot preexec (S)\fR
5579 This is the same as the \fIpreexec\fR
5580 parameter except that the command is run as root. This
5581 is useful for mounting filesystems (such as CDROMs) when a
5582 connection is opened.
5584 See also \fI preexec\fR and \fIpreexec close\fR.
5586 Default: \fBroot preexec = <empty string>
5588 \fBroot preexec close (S)\fR
5589 This is the same as the \fIpreexec close
5590 \fRparameter except that the command is run as root.
5592 See also \fI preexec\fR and \fIpreexec close\fR.
5594 Default: \fBroot preexec close = no\fR
5597 This option affects how clients respond to
5598 Samba and is one of the most important settings in the \fI smb.conf\fR file.
5600 The option sets the "security mode bit" in replies to
5601 protocol negotiations with smbd(8)
5602 to turn share level security on or off. Clients decide
5603 based on this bit whether (and how) to transfer user and password
5604 information to the server.
5606 The default is \fBsecurity = user\fR, as this is
5607 the most common setting needed when talking to Windows 98 and
5610 The alternatives are \fBsecurity = share\fR,
5611 \fBsecurity = server\fR or \fBsecurity = domain
5614 In versions of Samba prior to 2.0.0, the default was
5615 \fBsecurity = share\fR mainly because that was
5616 the only option at one stage.
5618 There is a bug in WfWg that has relevance to this
5619 setting. When in user or server level security a WfWg client
5620 will totally ignore the password you type in the "connect
5621 drive" dialog box. This makes it very difficult (if not impossible)
5622 to connect to a Samba service as anyone except the user that
5623 you are logged into WfWg as.
5625 If your PCs use usernames that are the same as their
5626 usernames on the UNIX machine then you will want to use
5627 \fBsecurity = user\fR. If you mostly use usernames
5628 that don't exist on the UNIX box then use \fBsecurity =
5631 You should also use \fBsecurity = share\fR if you
5632 want to mainly setup shares without a password (guest shares). This
5633 is commonly used for a shared printer server. It is more difficult
5634 to setup guest shares with \fBsecurity = user\fR, see
5635 the \fImap to guest\fR
5636 parameter for details.
5638 It is possible to use \fBsmbd\fR in a \fB hybrid mode\fR where it is offers both user and share
5639 level security under different \fINetBIOS aliases\fR.
5641 The different settings will now be explained.
5645 When clients connect to a share level security server they
5646 need not log onto the server with a valid username and password before
5647 attempting to connect to a shared resource (although modern clients
5648 such as Windows 95/98 and Windows NT will send a logon request with
5649 a username but no password when talking to a \fBsecurity = share
5650 \fRserver). Instead, the clients send authentication information
5651 (passwords) on a per-share basis, at the time they attempt to connect
5654 Note that \fBsmbd\fR \fBALWAYS\fR
5655 uses a valid UNIX user to act on behalf of the client, even in
5656 \fBsecurity = share\fR level security.
5658 As clients are not required to send a username to the server
5659 in share level security, \fBsmbd\fR uses several
5660 techniques to determine the correct UNIX user to use on behalf
5663 A list of possible UNIX usernames to match with the given
5664 client password is constructed using the following methods :
5669 only\fR parameter is set, then all the other
5670 stages are missed and only the \fIguest account\fR username is checked.
5673 Is a username is sent with the share connection
5674 request, then this username (after mapping - see \fIusername map\fR),
5675 is added as a potential username.
5678 If the client did a previous \fBlogon
5679 \fRrequest (the SessionSetup SMB call) then the
5680 username sent in this SMB will be added as a potential username.
5683 The name of the service the client requested is
5684 added as a potential username.
5687 The NetBIOS name of the client is added to
5688 the list as a potential username.
5691 Any users on the \fI user\fR list are added as potential usernames.
5694 If the \fIguest only\fR parameter is
5695 not set, then this list is then tried with the supplied password.
5696 The first user for whom the password matches will be used as the
5700 If the \fIguest only\fR parameter is
5701 set, or no username can be determined then if the share is marked
5702 as available to the \fIguest account\fR, then this
5703 guest user will be used, otherwise access is denied.
5706 Note that it can be \fBvery\fR confusing
5707 in share-level security as to which UNIX username will eventually
5708 be used in granting access.
5711 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5717 This is the default security setting in Samba 2.2.
5718 With user-level security a client must first "log-on" with a
5719 valid username and password (which can be mapped using the \fIusername map\fR
5720 parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also
5721 be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and
5722 may change the UNIX user to use on this connection, but only after
5723 the user has been successfully authenticated.
5726 \fBNote\fR that the name of the resource being
5727 requested is \fBnot\fR sent to the server until after
5728 the server has successfully authenticated the client. This is why
5729 guest shares don't work in user level security without allowing
5730 the server to automatically map unknown users into the \fIguest account\fR.
5731 See the \fImap to guest\fR
5732 parameter for details on doing this.
5735 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5738 \fBSECURITY = SERVER
5741 In this mode Samba will try to validate the username/password
5742 by passing it to another SMB server, such as an NT box. If this
5743 fails it will revert to \fBsecurity = user\fR, but note
5744 that if encrypted passwords have been negotiated then Samba cannot
5745 revert back to checking the UNIX password file, it must have a valid
5746 \fIsmbpasswd\fR file to check users against. See the
5747 documentation file in the \fIdocs/\fR directory
5748 \fIENCRYPTION.txt\fR for details on how to set this
5752 \fBNote\fR that from the client's point of
5753 view \fBsecurity = server\fR is the same as \fB security = user\fR. It only affects how the server deals
5754 with the authentication, it does not in any way affect what the
5758 \fBNote\fR that the name of the resource being
5759 requested is \fBnot\fR sent to the server until after
5760 the server has successfully authenticated the client. This is why
5761 guest shares don't work in user level security without allowing
5762 the server to automatically map unknown users into the \fIguest account\fR.
5763 See the \fImap to guest\fR
5764 parameter for details on doing this.
5767 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5770 See also the \fIpassword
5771 server\fR parameter and the \fIencrypted passwords\fR
5775 \fBSECURITY = DOMAIN
5778 This mode will only work correctly if smbpasswd(8)has been used to add this
5779 machine into a Windows NT Domain. It expects the \fIencrypted passwords\fR
5780 parameter to be set to true. In this
5781 mode Samba will try to validate the username/password by passing
5782 it to a Windows NT Primary or Backup Domain Controller, in exactly
5783 the same way that a Windows NT Server would do.
5786 \fBNote\fR that a valid UNIX user must still
5787 exist as well as the account on the Domain Controller to allow
5788 Samba to have a valid UNIX account to map file access to.
5791 \fBNote\fR that from the client's point
5792 of view \fBsecurity = domain\fR is the same as \fBsecurity = user
5793 \fR\&. It only affects how the server deals with the authentication,
5794 it does not in any way affect what the client sees.
5797 \fBNote\fR that the name of the resource being
5798 requested is \fBnot\fR sent to the server until after
5799 the server has successfully authenticated the client. This is why
5800 guest shares don't work in user level security without allowing
5801 the server to automatically map unknown users into the \fIguest account\fR.
5802 See the \fImap to guest\fR
5803 parameter for details on doing this.
5806 \fBBUG:\fR There is currently a bug in the
5807 implementation of \fBsecurity = domain\fR with respect
5808 to multi-byte character set usernames. The communication with a
5809 Domain Controller must be done in UNICODE and Samba currently
5810 does not widen multi-byte user names to UNICODE correctly, thus
5811 a multi-byte username will not be recognized correctly at the
5812 Domain Controller. This issue will be addressed in a future release.
5815 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5818 See also the \fIpassword
5819 server\fR parameter and the \fIencrypted passwords\fR
5823 Default: \fBsecurity = USER\fR
5826 Example: \fBsecurity = DOMAIN\fR
5829 \fBsecurity mask (S)\fR
5830 This parameter controls what UNIX permission
5831 bits can be modified when a Windows NT client is manipulating
5832 the UNIX permission on a file using the native NT security
5835 This parameter is applied as a mask (AND'ed with) to
5836 the changed permission bits, thus preventing any bits not in
5837 this mask from being modified. Essentially, zero bits in this
5838 mask may be treated as a set of bits the user is not allowed
5841 If not set explicitly this parameter is 0777, allowing
5842 a user to modify all the user/group/world permissions on a file.
5844 \fBNote\fR that users who can access the
5845 Samba server through other means can easily bypass this
5846 restriction, so it is primarily useful for standalone
5847 "appliance" systems. Administrators of most normal systems will
5848 probably want to leave it set to 0777.
5850 See also the \fIforce directory security mode\fR,
5852 security mask\fR, \fIforce security mode\fR parameters.
5854 Default: \fBsecurity mask = 0777\fR
5856 Example: \fBsecurity mask = 0770\fR
5858 \fBserver string (G)\fR
5859 This controls what string will show up in the
5860 printer comment box in print manager and next to the IPC connection
5861 in \fBnet view\fR. It can be any string that you wish
5862 to show to your users.
5864 It also sets what will appear in browse lists next
5865 to the machine name.
5867 A \fI%v\fR will be replaced with the Samba
5870 A \fI%h\fR will be replaced with the
5873 Default: \fBserver string = Samba %v\fR
5875 Example: \fBserver string = University of GNUs Samba
5878 \fBset directory (S)\fR
5879 If \fBset directory = no\fR, then
5880 users of the service may not use the setdir command to change
5883 The \fBsetdir\fR command is only implemented
5884 in the Digital Pathworks client. See the Pathworks documentation
5887 Default: \fBset directory = no\fR
5889 \fBshort preserve case (S)\fR
5890 This boolean parameter controls if new files
5891 which conform to 8.3 syntax, that is all in upper case and of
5892 suitable length, are created upper case, or if they are forced
5893 to be the \fIdefault case
5894 \fR\&. This option can be use with \fBpreserve case = yes\fR
5895 to permit long filenames to retain their case, while short
5898 See the section on NAME MANGLING.
5900 Default: \fBshort preserve case = yes\fR
5902 \fBshow add printer wizard (G)\fR
5903 With the introduction of MS-RPC based printing support
5904 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
5905 appear on Samba hosts in the share listing. Normally this folder will
5906 contain an icon for the MS Add Printer Wizard (APW). However, it is
5907 possible to disable this feature regardless of the level of privilege
5908 of the connected user.
5910 Under normal circumstances, the Windows NT/2000 client will
5911 open a handle on the printer server with OpenPrinterEx() asking for
5912 Administrator privileges. If the user does not have administrative
5913 access on the print server (i.e is not root or a member of the
5914 \fIprinter admin\fR group), the OpenPrinterEx()
5915 call fails and the client makes another open call with a request for
5916 a lower privilege level. This should succeed, however the APW
5917 icon will not be displayed.
5919 Disabling the \fIshow add printer wizard\fR
5920 parameter will always cause the OpenPrinterEx() on the server
5921 to fail. Thus the APW icon will never be displayed. \fB Note :\fRThis does not prevent the same user from having
5922 administrative privilege on an individual printer.
5924 See also \fIaddprinter
5925 command\fR, \fIdeleteprinter command\fR, \fIprinter admin\fR
5927 Default :\fBshow add printer wizard = yes\fR
5929 \fBshutdown script (G)\fR
5930 \fBThis parameter only exists in the HEAD cvs branch\fR
5931 This a full path name to a script called by
5933 should start a shutdown procedure.
5935 This command will be run as the user connected to the
5938 %m %t %r %f parameters are expanded
5940 \fI%m\fR will be substituted with the
5941 shutdown message sent to the server.
5943 \fI%t\fR will be substituted with the
5944 number of seconds to wait before effectively starting the
5947 \fI%r\fR will be substituted with the
5948 switch \fB-r\fR. It means reboot after shutdown
5951 \fI%f\fR will be substituted with the
5952 switch \fB-f\fR. It means force the shutdown
5953 even if applications do not respond for NT.
5955 Default: \fBNone\fR.
5957 Example: \fBabort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f\fR
5959 Shutdown script example:
5968 /sbin/shutdown $3 $4 +$time $1 &
5972 Shutdown does not return so we need to launch it in background.
5974 See also \fIabort shutdown script\fR.
5976 \fBsmb passwd file (G)\fR
5977 This option sets the path to the encrypted
5978 smbpasswd file. By default the path to the smbpasswd file
5979 is compiled into Samba.
5981 Default: \fBsmb passwd file = ${prefix}/private/smbpasswd
5983 Example: \fBsmb passwd file = /etc/samba/smbpasswd
5985 \fBsocket address (G)\fR
5986 This option allows you to control what
5987 address Samba will listen for connections on. This is used to
5988 support multiple virtual interfaces on the one server, each
5989 with a different configuration.
5991 By default Samba will accept connections on any
5994 Example: \fBsocket address = 192.168.2.20\fR
5996 \fBsocket options (G)\fR
5997 This option allows you to set socket options
5998 to be used when talking with the client.
6000 Socket options are controls on the networking layer
6001 of the operating systems which allow the connection to be
6004 This option will typically be used to tune your Samba
6005 server for optimal performance for your local network. There is
6006 no way that Samba can know what the optimal parameters are for
6007 your net, so you must experiment and choose them yourself. We
6008 strongly suggest you read the appropriate documentation for your
6009 operating system first (perhaps \fBman setsockopt\fR
6012 You may find that on some systems Samba will say
6013 "Unknown socket option" when you supply an option. This means you
6014 either incorrectly typed it or you need to add an include file
6015 to includes.h for your OS. If the latter is the case please
6016 send the patch to samba@samba.org <URL:mailto:samba@samba.org>.
6018 Any of the supported socket options may be combined
6019 in any way you like, as long as your OS allows it.
6021 This is the list of socket options currently settable
6056 Those marked with a \fB'*'\fR take an integer
6057 argument. The others can optionally take a 1 or 0 argument to enable
6058 or disable the option, by default they will be enabled if you
6059 don't specify 1 or 0.
6062 To specify an argument use the syntax SOME_OPTION = VALUE
6063 for example \fBSO_SNDBUF = 8192\fR. Note that you must
6064 not have any spaces before or after the = sign.
6067 If you are on a local network then a sensible option
6071 \fBsocket options = IPTOS_LOWDELAY\fR
6074 If you have a local network then you could try:
6077 \fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR
6080 If you are on a wide area network then perhaps try
6081 setting IPTOS_THROUGHPUT.
6084 Note that several of the options may cause your Samba
6085 server to fail completely. Use these options with caution!
6088 Default: \fBsocket options = TCP_NODELAY\fR
6091 Example: \fBsocket options = IPTOS_LOWDELAY\fR
6094 \fBsource environment (G)\fR
6095 This parameter causes Samba to set environment
6096 variables as per the content of the file named.
6098 If the value of this parameter starts with a "|" character
6099 then Samba will treat that value as a pipe command to open and
6100 will set the environment variables from the output of the pipe.
6102 The contents of the file or the output of the pipe should
6103 be formatted as the output of the standard Unix \fBenv(1)
6104 \fRcommand. This is of the form :
6106 Example environment entry:
6108 \fBSAMBA_NETBIOS_NAME = myhostname\fR
6110 Default: \fBNo default value\fR
6112 Examples: \fBsource environment = |/etc/smb.conf.sh
6114 Example: \fBsource environment =
6115 /usr/local/smb_env_vars\fR
6118 This variable is part of SSL-enabled Samba. This
6119 is only available if the SSL libraries have been compiled on your
6120 system and the configure option \fB--with-ssl\fR was
6121 given at configure time.
6123 This variable enables or disables the entire SSL mode. If
6124 it is set to no, the SSL-enabled Samba behaves
6125 exactly like the non-SSL Samba. If set to yes,
6126 it depends on the variables \fI ssl hosts\fR and \fIssl hosts resign\fR whether an SSL
6127 connection will be required.
6129 Default: \fBssl = no\fR
6131 \fBssl CA certDir (G)\fR
6132 This variable is part of SSL-enabled Samba. This
6133 is only available if the SSL libraries have been compiled on your
6134 system and the configure option \fB--with-ssl\fR was
6135 given at configure time.
6137 This variable defines where to look up the Certification
6138 Authorities. The given directory should contain one file for
6139 each CA that Samba will trust. The file name must be the hash
6140 value over the "Distinguished Name" of the CA. How this directory
6141 is set up is explained later in this document. All files within the
6142 directory that don't fit into this naming scheme are ignored. You
6143 don't need this variable if you don't verify client certificates.
6145 Default: \fBssl CA certDir = /usr/local/ssl/certs
6147 \fBssl CA certFile (G)\fR
6148 This variable is part of SSL-enabled Samba. This
6149 is only available if the SSL libraries have been compiled on your
6150 system and the configure option \fB--with-ssl\fR was
6151 given at configure time.
6153 This variable is a second way to define the trusted CAs.
6154 The certificates of the trusted CAs are collected in one big
6155 file and this variable points to the file. You will probably
6156 only use one of the two ways to define your CAs. The first choice is
6157 preferable if you have many CAs or want to be flexible, the second
6158 is preferable if you only have one CA and want to keep things
6159 simple (you won't need to create the hashed file names). You
6160 don't need this variable if you don't verify client certificates.
6162 Default: \fBssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
6164 \fBssl ciphers (G)\fR
6165 This variable is part of SSL-enabled Samba. This
6166 is only available if the SSL libraries have been compiled on your
6167 system and the configure option \fB--with-ssl\fR was
6168 given at configure time.
6170 This variable defines the ciphers that should be offered
6171 during SSL negotiation. You should not set this variable unless
6172 you know what you are doing.
6174 \fBssl client cert (G)\fR
6175 This variable is part of SSL-enabled Samba. This
6176 is only available if the SSL libraries have been compiled on your
6177 system and the configure option \fB--with-ssl\fR was
6178 given at configure time.
6180 The certificate in this file is used by \fBsmbclient(1)\fRif it exists. It's needed
6181 if the server requires a client certificate.
6183 Default: \fBssl client cert = /usr/local/ssl/certs/smbclient.pem
6185 \fBssl client key (G)\fR
6186 This variable is part of SSL-enabled Samba. This
6187 is only available if the SSL libraries have been compiled on your
6188 system and the configure option \fB--with-ssl\fR was
6189 given at configure time.
6191 This is the private key for \fBsmbclient(1)\fR. It's only needed if the
6192 client should have a certificate.
6194 Default: \fBssl client key = /usr/local/ssl/private/smbclient.pem
6196 \fBssl compatibility (G)\fR
6197 This variable is part of SSL-enabled Samba. This
6198 is only available if the SSL libraries have been compiled on your
6199 system and the configure option \fB--with-ssl\fR was
6200 given at configure time.
6202 This variable defines whether OpenSSL should be configured
6203 for bug compatibility with other SSL implementations. This is
6204 probably not desirable because currently no clients with SSL
6205 implementations other than OpenSSL exist.
6207 Default: \fBssl compatibility = no\fR
6209 \fBssl egd socket (G)\fR
6210 This variable is part of SSL-enabled Samba. This
6211 is only available if the SSL libraries have been compiled on your
6212 system and the configure option \fB--with-ssl\fR was
6213 given at configure time.
6215 This option is used to define the location of the communiation socket of
6216 an EGD or PRNGD daemon, from which entropy can be retrieved. This option
6217 can be used instead of or together with the \fIssl entropy file\fR
6218 directive. 255 bytes of entropy will be retrieved from the daemon.
6222 \fBssl entropy bytes (G)\fR
6223 This variable is part of SSL-enabled Samba. This
6224 is only available if the SSL libraries have been compiled on your
6225 system and the configure option \fB--with-ssl\fR was
6226 given at configure time.
6228 This parameter is used to define the number of bytes which should
6229 be read from the \fIssl entropy
6230 file\fR If a -1 is specified, the entire file will
6233 Default: \fBssl entropy bytes = 255\fR
6235 \fBssl entropy file (G)\fR
6236 This variable is part of SSL-enabled Samba. This
6237 is only available if the SSL libraries have been compiled on your
6238 system and the configure option \fB--with-ssl\fR was
6239 given at configure time.
6241 This parameter is used to specify a file from which processes will
6242 read "random bytes" on startup. In order to seed the internal pseudo
6243 random number generator, entropy must be provided. On system with a
6244 \fI/dev/urandom\fR device file, the processes
6245 will retrieve its entropy from the kernel. On systems without kernel
6246 entropy support, a file can be supplied that will be read on startup
6247 and that will be used to seed the PRNG.
6252 See \fI ssl hosts resign\fR.
6254 \fBssl hosts resign (G)\fR
6255 This variable is part of SSL-enabled Samba. This
6256 is only available if the SSL libraries have been compiled on your
6257 system and the configure option \fB--with-ssl\fR was
6258 given at configure time.
6260 These two variables define whether Samba will go
6261 into SSL mode or not. If none of them is defined, Samba will
6262 allow only SSL connections. If the \fIssl hosts\fR variable lists
6263 hosts (by IP-address, IP-address range, net group or name),
6264 only these hosts will be forced into SSL mode. If the \fI ssl hosts resign\fR variable lists hosts, only these
6265 hosts will \fBNOT\fR be forced into SSL mode. The syntax for these two
6266 variables is the same as for the \fI hosts allow\fR and \fIhosts deny\fR pair of variables, only
6267 that the subject of the decision is different: It's not the access
6268 right but whether SSL is used or not.
6270 The example below requires SSL connections from all hosts
6271 outside the local net (which is 192.168.*.*).
6273 Default: \fBssl hosts = <empty string>\fR
6275 \fBssl hosts resign = <empty string>\fR
6277 Example: \fBssl hosts resign = 192.168.\fR
6279 \fBssl require clientcert (G)\fR
6280 This variable is part of SSL-enabled Samba. This
6281 is only available if the SSL libraries have been compiled on your
6282 system and the configure option \fB--with-ssl\fR was
6283 given at configure time.
6285 If this variable is set to yes, the
6286 server will not tolerate connections from clients that don't
6287 have a valid certificate. The directory/file given in \fIssl CA certDir\fR
6288 and \fIssl CA certFile
6289 \fRwill be used to look up the CAs that issued
6290 the client's certificate. If the certificate can't be verified
6291 positively, the connection will be terminated. If this variable
6292 is set to no, clients don't need certificates.
6293 Contrary to web applications you really \fBshould\fR
6294 require client certificates. In the web environment the client's
6295 data is sensitive (credit card numbers) and the server must prove
6296 to be trustworthy. In a file server environment the server's data
6297 will be sensitive and the clients must prove to be trustworthy.
6299 Default: \fBssl require clientcert = no\fR
6301 \fBssl require servercert (G)\fR
6302 This variable is part of SSL-enabled Samba. This
6303 is only available if the SSL libraries have been compiled on your
6304 system and the configure option \fB--with-ssl\fR was
6305 given at configure time.
6307 If this variable is set to yes, the
6309 will request a certificate from the server. Same as
6311 clientcert\fR for the server.
6313 Default: \fBssl require servercert = no\fR
6315 \fBssl server cert (G)\fR
6316 This variable is part of SSL-enabled Samba. This
6317 is only available if the SSL libraries have been compiled on your
6318 system and the configure option \fB--with-ssl\fR was
6319 given at configure time.
6321 This is the file containing the server's certificate.
6322 The server \fBmust\fR have a certificate. The
6323 file may also contain the server's private key. See later for
6324 how certificates and private keys are created.
6326 Default: \fBssl server cert = <empty string>
6328 \fBssl server key (G)\fR
6329 This variable is part of SSL-enabled Samba. This
6330 is only available if the SSL libraries have been compiled on your
6331 system and the configure option \fB--with-ssl\fR was
6332 given at configure time.
6334 This file contains the private key of the server. If
6335 this variable is not defined, the key is looked up in the
6336 certificate file (it may be appended to the certificate).
6337 The server \fBmust\fR have a private key
6338 and the certificate \fBmust\fR
6339 match this private key.
6341 Default: \fBssl server key = <empty string>
6343 \fBssl version (G)\fR
6344 This variable is part of SSL-enabled Samba. This
6345 is only available if the SSL libraries have been compiled on your
6346 system and the configure option \fB--with-ssl\fR was
6347 given at configure time.
6349 This enumeration variable defines the versions of the
6350 SSL protocol that will be used. ssl2or3 allows
6351 dynamic negotiation of SSL v2 or v3, ssl2 results
6352 in SSL v2, ssl3 results in SSL v3 and
6353 tls1 results in TLS v1. TLS (Transport Layer
6354 Security) is the new standard for SSL.
6356 Default: \fBssl version = "ssl2or3"\fR
6358 \fBstat cache (G)\fR
6359 This parameter determines if smbd(8)will use a cache in order to
6360 speed up case insensitive name mappings. You should never need
6361 to change this parameter.
6363 Default: \fBstat cache = yes\fR
6365 \fBstat cache size (G)\fR
6366 This parameter determines the number of
6367 entries in the \fIstat cache\fR. You should
6368 never need to change this parameter.
6370 Default: \fBstat cache size = 50\fR
6373 This enables or disables logging of connections
6374 to a status file that smbstatus(1)
6377 With this disabled \fBsmbstatus\fR won't be able
6378 to tell you what connections are active. You should never need to
6379 change this parameter.
6381 Default: \fBstatus = yes\fR
6383 \fBstrict allocate (S)\fR
6384 This is a boolean that controls the handling of
6385 disk space allocation in the server. When this is set to yes
6386 the server will change from UNIX behaviour of not committing real
6387 disk storage blocks when a file is extended to the Windows behaviour
6388 of actually forcing the disk system to allocate real storage blocks
6389 when a file is created or extended to be a given size. In UNIX
6390 terminology this means that Samba will stop creating sparse files.
6391 This can be slow on some systems.
6393 When strict allocate is no the server does sparse
6394 disk block allocation when a file is extended.
6396 Setting this to yes can help Samba return
6397 out of quota messages on systems that are restricting the disk quota
6400 Default: \fBstrict allocate = no\fR
6402 \fBstrict locking (S)\fR
6403 This is a boolean that controls the handling of
6404 file locking in the server. When this is set to yes
6405 the server will check every read and write access for file locks, and
6406 deny access if locks exist. This can be slow on some systems.
6408 When strict locking is no the server does file
6409 lock checks only when the client explicitly asks for them.
6411 Well-behaved clients always ask for lock checks when it
6412 is important, so in the vast majority of cases \fBstrict
6413 locking = no\fR is preferable.
6415 Default: \fBstrict locking = no\fR
6417 \fBstrict sync (S)\fR
6418 Many Windows applications (including the Windows
6419 98 explorer shell) seem to confuse flushing buffer contents to
6420 disk with doing a sync to disk. Under UNIX, a sync call forces
6421 the process to be suspended until the kernel has ensured that
6422 all outstanding data in kernel disk buffers has been safely stored
6423 onto stable storage. This is very slow and should only be done
6424 rarely. Setting this parameter to no (the
6425 default) means that smbdignores the Windows applications requests for
6426 a sync call. There is only a possibility of losing data if the
6427 operating system itself that Samba is running on crashes, so there is
6428 little danger in this default setting. In addition, this fixes many
6429 performance problems that people have reported with the new Windows98
6430 explorer shell file copies.
6432 See also the \fIsync
6433 always>\fR parameter.
6435 Default: \fBstrict sync = no\fR
6438 This is a boolean that controls whether to
6439 strip trailing dots off UNIX filenames. This helps with some
6440 CDROMs that have filenames ending in a single dot.
6442 Default: \fBstrip dot = no\fR
6444 \fBsync always (S)\fR
6445 This is a boolean parameter that controls
6446 whether writes will always be written to stable storage before
6447 the write call returns. If this is false then the server will be
6448 guided by the client's request in each write call (clients can
6449 set a bit indicating that a particular write should be synchronous).
6450 If this is true then every write will be followed by a \fBfsync()
6451 \fRcall to ensure the data is written to disk. Note that
6452 the \fIstrict sync\fR parameter must be set to
6453 yes in order for this parameter to have
6456 See also the \fIstrict
6459 Default: \fBsync always = no\fR
6462 This parameter maps how Samba debug messages
6463 are logged onto the system syslog logging levels. Samba debug
6464 level zero maps onto syslog LOG_ERR, debug
6465 level one maps onto LOG_WARNING, debug level
6466 two maps onto LOG_NOTICE, debug level three
6467 maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.
6469 This parameter sets the threshold for sending messages
6470 to syslog. Only messages with debug level less than this value
6471 will be sent to syslog.
6473 Default: \fBsyslog = 1\fR
6475 \fBsyslog only (G)\fR
6476 If this parameter is set then Samba debug
6477 messages are logged into the system syslog only, and not to
6478 the debug log files.
6480 Default: \fBsyslog only = no\fR
6482 \fBtemplate homedir (G)\fR
6483 When filling out the user information for a Windows NT
6484 user, the winbindd(8)daemon
6485 uses this parameter to fill in the home directory for that user.
6486 If the string \fI%D\fR is present it is substituted
6487 with the user's Windows NT domain name. If the string \fI%U
6488 \fRis present it is substituted with the user's Windows
6491 Default: \fBtemplate homedir = /home/%D/%U\fR
6493 \fBtemplate shell (G)\fR
6494 When filling out the user information for a Windows NT
6495 user, the winbindd(8)daemon
6496 uses this parameter to fill in the login shell for that user.
6498 Default: \fBtemplate shell = /bin/false\fR
6500 \fBtime offset (G)\fR
6501 This parameter is a setting in minutes to add
6502 to the normal GMT to local time conversion. This is useful if
6503 you are serving a lot of PCs that have incorrect daylight
6504 saving time handling.
6506 Default: \fBtime offset = 0\fR
6508 Example: \fBtime offset = 60\fR
6510 \fBtime server (G)\fR
6511 This parameter determines if
6512 nmbd(8)advertises itself as a time server to Windows
6515 Default: \fBtime server = no\fR
6517 \fBtimestamp logs (G)\fR
6518 Synonym for \fI debug timestamp\fR.
6520 \fBtotal print jobs (G)\fR
6521 This parameter accepts an integer value which defines
6522 a limit on the maximum number of print jobs that will be accepted
6523 system wide at any given time. If a print job is submitted
6524 by a client which will exceed this number, then smbdwill return an
6525 error indicating that no space is available on the server. The
6526 default value of 0 means that no such limit exists. This parameter
6527 can be used to prevent a server from exceeding its capacity and is
6528 designed as a printing throttle. See also
6529 \fImax print jobs\fR.
6531 Default: \fBtotal print jobs = 0\fR
6533 Example: \fBtotal print jobs = 5000\fR
6535 \fBunix extensions(G)\fR
6536 This boolean parameter controls whether Samba
6537 implments the CIFS UNIX extensions, as defined by HP. These
6538 extensions enable CIFS to server UNIX clients to UNIX servers
6539 better, and allow such things as symbolic links, hard links etc.
6540 These extensions require a similarly enabled client, and are of
6541 no current use to Windows clients.
6543 Default: \fBunix extensions = no\fR
6545 \fBunix password sync (G)\fR
6546 This boolean parameter controls whether Samba
6547 attempts to synchronize the UNIX password with the SMB password
6548 when the encrypted SMB password in the smbpasswd file is changed.
6549 If this is set to true the program specified in the \fIpasswd
6550 program\fRparameter is called \fBAS ROOT\fR -
6551 to allow the new UNIX password to be set without access to the
6552 old UNIX password (as the SMB password change code has no
6553 access to the old password cleartext, only the new).
6556 program\fR, \fI passwd chat\fR.
6558 Default: \fBunix password sync = no\fR
6560 \fBupdate encrypted (G)\fR
6561 This boolean parameter allows a user logging
6562 on with a plaintext password to have their encrypted (hashed)
6563 password in the smbpasswd file to be updated automatically as
6564 they log on. This option allows a site to migrate from plaintext
6565 password authentication (users authenticate with plaintext
6566 password over the wire, and are checked against a UNIX account
6567 database) to encrypted password authentication (the SMB
6568 challenge/response authentication mechanism) without forcing
6569 all users to re-enter their passwords via smbpasswd at the time the
6570 change is made. This is a convenience option to allow the change over
6571 to encrypted passwords to be made over a longer period. Once all users
6572 have encrypted representations of their passwords in the smbpasswd
6573 file this parameter should be set to no.
6575 In order for this parameter to work correctly the \fIencrypt passwords\fR
6576 parameter must be set to no when
6577 this parameter is set to yes.
6579 Note that even when this parameter is set a user
6580 authenticating to \fBsmbd\fR must still enter a valid
6581 password in order to connect correctly, and to update their hashed
6582 (smbpasswd) passwords.
6584 Default: \fBupdate encrypted = no\fR
6586 \fBuse client driver (S)\fR
6587 This parameter applies only to Windows NT/2000
6588 clients. It has no affect on Windows 95/98/ME clients. When
6589 serving a printer to Windows NT/2000 clients without first installing
6590 a valid printer driver on the Samba host, the client will be required
6591 to install a local printer driver. From this point on, the client
6592 will treat the print as a local printer and not a network printer
6593 connection. This is much the same behavior that will occur
6594 when \fBdisable spoolss = yes\fR.
6597 factor is that under normal circumstances, the NT/2000 client will
6598 attempt to open the network printer using MS-RPC. The problem is that
6599 because the client considers the printer to be local, it will attempt
6600 to issue the OpenPrinterEx() call requesting access rights associated
6601 with the logged on user. If the user possesses local administator rights
6602 but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
6603 call will fail. The result is that the client will now display an "Access
6604 Denied; Unable to connect" message in the printer queue window (even though
6605 jobs may successfully be printed).
6607 If this parameter is enabled for a printer, then any attempt
6608 to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
6609 to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
6610 call to succeed. \fBThis parameter MUST not be able enabled
6611 on a print share which has valid print driver installed on the Samba
6614 See also disable spoolss
6616 Default: \fBuse client driver = no\fR
6619 This global parameter determines if the tdb internals of Samba can
6620 depend on mmap working correctly on the running system. Samba requires a coherent
6621 mmap/read-write system memory cache. Currently only HPUX does not have such a
6622 coherent cache, and so this parameter is set to false by
6623 default on HPUX. On all other systems this parameter should be left alone. This
6624 parameter is provided to help the Samba developers track down problems with
6625 the tdb internal code.
6627 Default: \fBuse mmap = yes\fR
6629 \fBuse rhosts (G)\fR
6630 If this global parameter is true, it specifies
6631 that the UNIX user's \fI.rhosts\fR file in their home directory
6632 will be read to find the names of hosts and users who will be allowed
6633 access without specifying a password.
6635 \fBNOTE:\fR The use of \fIuse rhosts
6636 \fRcan be a major security hole. This is because you are
6637 trusting the PC to supply the correct username. It is very easy to
6638 get a PC to supply a false username. I recommend that the \fI use rhosts\fR option be only used if you really know what
6641 Default: \fBuse rhosts = no\fR
6644 Synonym for \fI username\fR.
6647 Synonym for \fI username\fR.
6650 Multiple users may be specified in a comma-delimited
6651 list, in which case the supplied password will be tested against
6652 each username in turn (left to right).
6654 The \fIusername\fR line is needed only when
6655 the PC is unable to supply its own username. This is the case
6656 for the COREPLUS protocol or where your users have different WfWg
6657 usernames to UNIX usernames. In both these cases you may also be
6658 better using the \\\\server\\share%user syntax instead.
6660 The \fIusername\fR line is not a great
6661 solution in many cases as it means Samba will try to validate
6662 the supplied password against each of the usernames in the
6663 \fIusername\fR line in turn. This is slow and
6664 a bad idea for lots of users in case of duplicate passwords.
6665 You may get timeouts or security breaches using this parameter
6668 Samba relies on the underlying UNIX security. This
6669 parameter does not restrict who can login, it just offers hints
6670 to the Samba server as to what usernames might correspond to the
6671 supplied password. Users can login as whoever they please and
6672 they will be able to do no more damage than if they started a
6673 telnet session. The daemon runs as the user that they log in as,
6674 so they cannot do anything that user cannot do.
6676 To restrict a service to a particular set of users you
6677 can use the \fIvalid users
6680 If any of the usernames begin with a '@' then the name
6681 will be looked up first in the NIS netgroups list (if Samba
6682 is compiled with netgroup support), followed by a lookup in
6683 the UNIX groups database and will expand to a list of all users
6684 in the group of that name.
6686 If any of the usernames begin with a '+' then the name
6687 will be looked up only in the UNIX groups database and will
6688 expand to a list of all users in the group of that name.
6690 If any of the usernames begin with a '&'then the name
6691 will be looked up only in the NIS netgroups database (if Samba
6692 is compiled with netgroup support) and will expand to a list
6693 of all users in the netgroup group of that name.
6695 Note that searching though a groups database can take
6696 quite some time, and some clients may time out during the
6699 See the section NOTE ABOUT
6700 USERNAME/PASSWORD VALIDATION for more information on how
6701 this parameter determines access to the services.
6703 Default: \fBThe guest account if a guest service,
6704 else <empty string>.\fR
6706 Examples:\fBusername = fred, mary, jack, jane,
6709 \fBusername level (G)\fR
6710 This option helps Samba to try and 'guess' at
6711 the real UNIX username, as many DOS clients send an all-uppercase
6712 username. By default Samba tries all lowercase, followed by the
6713 username with the first letter capitalized, and fails if the
6714 username is not found on the UNIX machine.
6716 If this parameter is set to non-zero the behavior changes.
6717 This parameter is a number that specifies the number of uppercase
6718 combinations to try while trying to determine the UNIX user name. The
6719 higher the number the more combinations will be tried, but the slower
6720 the discovery of usernames will be. Use this parameter when you have
6721 strange usernames on your UNIX machine, such as AstrangeUser
6724 Default: \fBusername level = 0\fR
6726 Example: \fBusername level = 5\fR
6728 \fBusername map (G)\fR
6729 This option allows you to specify a file containing
6730 a mapping of usernames from the clients to the server. This can be
6731 used for several purposes. The most common is to map usernames
6732 that users use on DOS or Windows machines to those that the UNIX
6733 box uses. The other is to map multiple users to a single username
6734 so that they can more easily share files.
6736 The map file is parsed line by line. Each line should
6737 contain a single UNIX username on the left then a '=' followed
6738 by a list of usernames on the right. The list of usernames on the
6739 right may contain names of the form @group in which case they
6740 will match any UNIX username in that group. The special client
6741 name '*' is a wildcard and matches any name. Each line of the
6742 map file may be up to 1023 characters long.
6744 The file is processed on each line by taking the
6745 supplied username and comparing it with each username on the right
6746 hand side of the '=' signs. If the supplied name matches any of
6747 the names on the right hand side then it is replaced with the name
6748 on the left. Processing then continues with the next line.
6750 If any line begins with a '#' or a ';' then it is
6753 If any line begins with an '!' then the processing
6754 will stop after that line if a mapping was done by the line.
6755 Otherwise mapping continues with every line being processed.
6756 Using '!' is most useful when you have a wildcard mapping line
6759 For example to map from the name admin
6760 or administrator to the UNIX name root you would use:
6762 \fBroot = admin administrator\fR
6764 Or to map anyone in the UNIX group system
6765 to the UNIX name sys you would use:
6769 You can have as many mappings as you like in a username
6772 If your system supports the NIS NETGROUP option then
6773 the netgroup database is checked before the \fI/etc/group
6774 \fRdatabase for matching groups.
6776 You can map Windows usernames that have spaces in them
6777 by using double quotes around the name. For example:
6779 \fBtridge = "Andrew Tridgell"\fR
6781 would map the windows username "Andrew Tridgell" to the
6782 unix username "tridge".
6784 The following example would map mary and fred to the
6785 unix user sys, and map the rest to guest. Note the use of the
6786 \&'!' to tell Samba to stop processing if it gets a match on
6797 Note that the remapping is applied to all occurrences
6798 of usernames. Thus if you connect to \\\\server\\fred and fred is remapped to mary then you
6799 will actually be connecting to \\\\server\\mary and will need to
6800 supply a password suitable for mary not
6801 fred. The only exception to this is the
6802 username passed to the \fI password server\fR (if you have one). The password
6803 server will receive whatever username the client supplies without
6806 Also note that no reverse mapping is done. The main effect
6807 this has is with printing. Users who have been mapped may have
6808 trouble deleting print jobs as PrintManager under WfWg will think
6809 they don't own the print job.
6811 Default: \fBno username map\fR
6813 Example: \fBusername map = /usr/local/samba/lib/users.map
6816 This boolean parameter is only available if
6817 Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to true then Samba will attempt
6818 to add utmp or utmpx records (depending on the UNIX system) whenever a
6819 connection is made to a Samba server. Sites may use this to record the
6820 user connecting to a Samba share.
6822 See also the \fI utmp directory\fR parameter.
6824 Default: \fButmp = no\fR
6826 \fButmp directory(G)\fR
6827 This parameter is only available if Samba has
6828 been configured and compiled with the option \fB --with-utmp\fR. It specifies a directory pathname that is
6829 used to store the utmp or utmpx files (depending on the UNIX system) that
6830 record user connections to a Samba server. See also the \fIutmp\fR parameter. By default this is
6831 not set, meaning the system will use whatever utmp file the
6832 native system is set to use (usually
6833 \fI/var/run/utmp\fR on Linux).
6835 Default: \fBno utmp directory\fR
6837 \fBvalid users (S)\fR
6838 This is a list of users that should be allowed
6839 to login to this service. Names starting with '@', '+' and '&'
6840 are interpreted using the same rules as described in the
6841 \fIinvalid users\fR parameter.
6843 If this is empty (the default) then any user can login.
6844 If a username is in both this list and the \fIinvalid
6845 users\fR list then access is denied for that user.
6847 The current servicename is substituted for \fI%S
6848 \fR\&. This is useful in the [homes] section.
6850 See also \fIinvalid users
6852 Default: \fBNo valid users list (anyone can login)
6854 Example: \fBvalid users = greg, @pcusers\fR
6857 This is a list of files and directories that
6858 are neither visible nor accessible. Each entry in the list must
6859 be separated by a '/', which allows spaces to be included
6860 in the entry. '*' and '?' can be used to specify multiple files
6861 or directories as in DOS wildcards.
6863 Each entry must be a unix path, not a DOS path and
6864 must \fBnot\fR include the unix directory
6867 Note that the \fIcase sensitive\fR option
6868 is applicable in vetoing files.
6870 One feature of the veto files parameter that it
6871 is important to be aware of is Samba's behaviour when
6872 trying to delete a directory. If a directory that is
6873 to be deleted contains nothing but veto files this
6874 deletion will \fBfail\fR unless you also set
6875 the \fIdelete veto files\fR parameter to
6878 Setting this parameter will affect the performance
6879 of Samba, as it will be forced to check all files and directories
6880 for a match as they are scanned.
6882 See also \fIhide files
6883 \fRand \fI case sensitive\fR.
6885 Default: \fBNo files or directories are vetoed.
6890 ; Veto any files containing the word Security,
6891 ; any ending in .tmp, and any directory containing the
6893 veto files = /*Security*/*.tmp/*root*/
6895 ; Veto the Apple specific files that a NetAtalk server
6897 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
6901 \fBveto oplock files (S)\fR
6902 This parameter is only valid when the \fIoplocks\fR
6903 parameter is turned on for a share. It allows the Samba administrator
6904 to selectively turn off the granting of oplocks on selected files that
6905 match a wildcarded list, similar to the wildcarded list used in the
6909 Default: \fBNo files are vetoed for oplock
6912 You might want to do this on files that you know will
6913 be heavily contended for by clients. A good example of this
6914 is in the NetBench SMB benchmark program, which causes heavy
6915 client contention for files ending in \fI.SEM\fR.
6916 To cause Samba not to grant oplocks on these files you would use
6917 the line (either in the [global] section or in the section for
6918 the particular NetBench share :
6920 Example: \fBveto oplock files = /*.SEM/
6922 \fBvfs object (S)\fR
6923 This parameter specifies a shared object file that
6924 is used for Samba VFS I/O operations. By default, normal
6925 disk I/O operations are used but these can be overloaded
6926 with a VFS object. The Samba VFS layer is new to Samba 2.2 and
6927 must be enabled at compile time with --with-vfs.
6929 Default : \fBno value\fR
6931 \fBvfs options (S)\fR
6932 This parameter allows parameters to be passed
6933 to the vfs layer at initialization time. The Samba VFS layer
6934 is new to Samba 2.2 and must be enabled at compile time
6935 with --with-vfs. See also \fI vfs object\fR.
6937 Default : \fBno value\fR
6940 This allows you to override the volume label
6941 returned for a share. Useful for CDROMs with installation programs
6942 that insist on a particular volume label.
6944 Default: \fBthe name of the share\fR
6946 \fBwide links (S)\fR
6947 This parameter controls whether or not links
6948 in the UNIX file system may be followed by the server. Links
6949 that point to areas within the directory tree exported by the
6950 server are always allowed; this parameter controls access only
6951 to areas that are outside the directory tree being exported.
6953 Note that setting this parameter can have a negative
6954 effect on your server performance due to the extra system calls
6955 that Samba has to do in order to perform the link checks.
6957 Default: \fBwide links = yes\fR
6959 \fBwinbind cache time\fR
6960 This parameter specifies the number of seconds the
6961 winbindd(8)daemon will cache
6962 user and group information before querying a Windows NT server
6965 Default: \fBwinbind cache type = 15\fR
6967 \fBwinbind enum users\fR
6968 On large installations using
6969 winbindd(8)it may be
6970 necessary to suppress the enumeration of users through the
6972 \fBgetpwent()\fR and
6973 \fBendpwent()\fR group of system calls. If
6974 the \fIwinbind enum users\fR parameter is
6975 false, calls to the \fBgetpwent\fR system call
6976 will not return any data.
6978 \fBWarning:\fR Turning off user
6979 enumeration may cause some programs to behave oddly. For
6980 example, the finger program relies on having access to the
6981 full user list when searching for matching
6984 Default: \fBwinbind enum users = yes \fR
6986 \fBwinbind enum groups\fR
6987 On large installations using
6988 winbindd(8)it may be
6989 necessary to suppress the enumeration of groups through the
6991 \fBgetgrent()\fR and
6992 \fBendgrent()\fR group of system calls. If
6993 the \fIwinbind enum groups\fR parameter is
6994 false, calls to the \fBgetgrent()\fR system
6995 call will not return any data.
6997 \fBWarning:\fR Turning off group
6998 enumeration may cause some programs to behave oddly.
7000 Default: \fBwinbind enum groups = yes \fR
7003 The winbind gid parameter specifies the range of group
7004 ids that are allocated by the winbindd(8)daemon. This range of group ids should have no
7005 existing local or NIS groups within it as strange conflicts can
7008 Default: \fBwinbind gid = <empty string>
7010 Example: \fBwinbind gid = 10000-20000\fR
7012 \fBwinbind separator\fR
7013 This parameter allows an admin to define the character
7014 used when listing a username of the form of \fIDOMAIN
7015 \fR\\\fIuser\fR. This parameter
7016 is only applicable when using the \fIpam_winbind.so\fR
7017 and \fInss_winbind.so\fR modules for UNIX services.
7019 Example: \fBwinbind separator = \\\fR
7021 Example: \fBwinbind separator = +\fR
7024 The winbind gid parameter specifies the range of group
7025 ids that are allocated by the winbindd(8)daemon. This range of ids should have no
7026 existing local or NIS users within it as strange conflicts can
7029 Default: \fBwinbind uid = <empty string>
7031 Example: \fBwinbind uid = 10000-20000\fR
7033 \fBwinbind use default domain\fR
7035 \fBwinbind use default domain\fR
7036 This parameter specifies whether the winbindd(8)
7037 daemon should operate on users without domain component in their username.
7038 Users without a domain component are treated as is part of the winbindd server's
7039 own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
7040 function in a way much closer to the way they would in a native unix system.
7042 Default: \fBwinbind use default domain = <falseg>
7044 Example: \fBwinbind use default domain = true\fR
7047 When Samba is running as a WINS server this
7048 allows you to call an external program for all changes to the
7049 WINS database. The primary use for this option is to allow the
7050 dynamic update of external name resolution databases such as
7053 The wins hook parameter specifies the name of a script
7054 or executable that will be called as follows:
7056 \fBwins_hook operation name nametype ttl IP_list
7060 The first argument is the operation and is one
7061 of "add", "delete", or "refresh". In most cases the operation can
7062 be ignored as the rest of the parameters provide sufficient
7063 information. Note that "refresh" may sometimes be called when the
7064 name has not previously been added, in that case it should be treated
7068 The second argument is the NetBIOS name. If the
7069 name is not a legal name then the wins hook is not called.
7070 Legal names contain only letters, digits, hyphens, underscores
7074 The third argument is the NetBIOS name
7075 type as a 2 digit hexadecimal number.
7078 The fourth argument is the TTL (time to live)
7079 for the name in seconds.
7082 The fifth and subsequent arguments are the IP
7083 addresses currently registered for that name. If this list is
7084 empty then the name should be deleted.
7087 An example script that calls the BIND dynamic DNS update
7088 program \fBnsupdate\fR is provided in the examples
7089 directory of the Samba source code.
7092 \fBwins proxy (G)\fR
7093 This is a boolean that controls if nmbd(8)will respond to broadcast name
7094 queries on behalf of other hosts. You may need to set this
7095 to yes for some older clients.
7097 Default: \fBwins proxy = no\fR
7099 \fBwins server (G)\fR
7100 This specifies the IP address (or DNS name: IP
7101 address for preference) of the WINS server that nmbd(8)should register with. If you have a WINS server on
7102 your network then you should set this to the WINS server's IP.
7104 You should point this at your WINS server if you have a
7105 multi-subnetted network.
7107 \fBNOTE\fR. You need to set up Samba to point
7108 to a WINS server if you have multiple subnets and wish cross-subnet
7109 browsing to work correctly.
7111 See the documentation file \fIBROWSING.txt\fR
7112 in the docs/ directory of your Samba source distribution.
7114 Default: \fBnot enabled\fR
7116 Example: \fBwins server = 192.9.200.1\fR
7118 \fBwins support (G)\fR
7119 This boolean controls if the
7120 nmbd(8)process in Samba will act as a WINS server. You should
7121 not set this to true unless you have a multi-subnetted network and
7122 you wish a particular \fBnmbd\fR to be your WINS server.
7123 Note that you should \fBNEVER\fR set this to true
7124 on more than one machine in your network.
7126 Default: \fBwins support = no\fR
7129 This controls what workgroup your server will
7130 appear to be in when queried by clients. Note that this parameter
7131 also controls the Domain name used with the \fBsecurity = domain\fR
7134 Default: \fBset at compile time to WORKGROUP\fR
7136 Example: \fBworkgroup = MYGROUP\fR
7139 Synonym for \fI writeable\fR for people who can't spell :-).
7141 \fBwrite cache size (S)\fR
7142 If this integer parameter is set to non-zero value,
7143 Samba will create an in-memory cache for each oplocked file
7144 (it does \fBnot\fR do this for
7145 non-oplocked files). All writes that the client does not request
7146 to be flushed directly to disk will be stored in this cache if possible.
7147 The cache is flushed onto disk when a write comes in whose offset
7148 would not fit into the cache or when the file is closed by the client.
7149 Reads for the file are also served from this cache if the data is stored
7152 This cache allows Samba to batch client writes into a more
7153 efficient write size for RAID disks (i.e. writes may be tuned to
7154 be the RAID stripe size) and can improve performance on systems
7155 where the disk subsystem is a bottleneck but there is free
7156 memory for userspace programs.
7158 The integer parameter specifies the size of this cache
7159 (per oplocked file) in bytes.
7161 Default: \fBwrite cache size = 0\fR
7163 Example: \fBwrite cache size = 262144\fR
7165 for a 256k cache size per file.
7167 \fBwrite list (S)\fR
7168 This is a list of users that are given read-write
7169 access to a service. If the connecting user is in this list then
7170 they will be given write access, no matter what the \fIwriteable\fR
7171 option is set to. The list can include group names using the
7174 Note that if a user is in both the read list and the
7175 write list then they will be given write access.
7177 See also the \fIread list
7180 Default: \fBwrite list = <empty string>
7182 Example: \fBwrite list = admin, root, @staff
7185 Synonym for \fI writeable\fR.
7188 This parameter controls whether or not the server
7189 will support raw write SMB's when transferring data from clients.
7190 You should never need to change this parameter.
7192 Default: \fBwrite raw = yes\fR
7195 An inverted synonym is \fIread only\fR.
7197 If this parameter is no, then users
7198 of a service may not create or modify files in the service's
7201 Note that a printable service (\fBprintable = yes\fR)
7202 will \fBALWAYS\fR allow writing to the directory
7203 (user privileges permitting), but only via spooling operations.
7205 Default: \fBwriteable = no\fR
7208 Although the configuration file permits service names
7209 to contain spaces, your client software may not. Spaces will
7210 be ignored in comparisons anyway, so it shouldn't be a
7211 problem - but be aware of the possibility.
7213 On a similar note, many clients - especially DOS clients -
7214 limit service names to eight characters. smbd(8)
7215 has no such limitation, but attempts to connect from such
7216 clients will fail if they truncate the service names. For this reason
7217 you should probably keep your service names down to eight characters
7220 Use of the [homes] and [printers] special sections make life
7221 for an administrator easy, but the various combinations of default
7222 attributes can be tricky. Take extreme care when designing these
7223 sections. In particular, ensure that the permissions on spool
7224 directories are correct.
7227 This man page is correct for version 2.2 of
7242 The original Samba software and related utilities
7243 were created by Andrew Tridgell. Samba is now developed
7244 by the Samba Team as an Open Source project similar
7245 to the way the Linux kernel is developed.
7247 The original Samba man pages were written by Karl Auer.
7248 The man page sources were converted to YODL format (another
7249 excellent piece of Open Source software, available at
7250 ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
7251 release by Jeremy Allison. The conversion to DocBook for
7252 Samba 2.2 was done by Gerald Carter