-
-
-
-
-
-
-<html><head><title>smb.conf (5)</title>
-
-<link rev="made" href="mailto:samba@samba.org">
-</head>
-<body>
-
-<hr>
-
-<h1>smb.conf (5)</h1>
-<h2>Samba</h2>
-<h2>23 Oct 1998</h2>
-
-
-
-<p><a name="NAME"></a>
-<h2>NAME</h2>
- smb.conf - The configuration file for the Samba suite
-<p><a name="SYNOPSIS"></a>
-<h2>SYNOPSIS</h2>
-
-<p><strong>smb.conf</strong> The <strong>smb.conf</strong> file is a configuration file for the
-Samba suite. <strong>smb.conf</strong> contains runtime configuration information
-for the Samba programs. The <strong>smb.conf</strong> file is designed to be
-configured and administered by the <a href="swat.8.html"><strong>swat (8)</strong></a>
-program. The complete description of the file format and possible
-parameters held within are here for reference purposes.
-<p><a name="FILEFORMAT"></a>
-<h2>FILE FORMAT</h2>
-
-<p>The file consists of sections and parameters. A section begins with
-the name of the section in square brackets and continues until the
-next section begins. Sections contain parameters of the form
-<p><code>'name = value'</code>
-<p>The file is line-based - that is, each newline-terminated line
-represents either a comment, a section name or a parameter.
-<p>Section and parameter names are not case sensitive.
-<p>Only the first equals sign in a parameter is significant. Whitespace
-before or after the first equals sign is discarded. Leading, trailing
-and internal whitespace in section and parameter names is
-irrelevant. Leading and trailing whitespace in a parameter value is
-discarded. Internal whitespace within a parameter value is retained
-verbatim.
-<p>Any line beginning with a semicolon (';') or a hash ('#') character is
-ignored, as are lines containing only whitespace.
-<p>Any line ending in a <code>'\'</code> is "continued" on the next line in the
-customary UNIX fashion.
-<p>The values following the equals sign in parameters are all either a
-string (no quotes needed) or a boolean, which may be given as yes/no,
-0/1 or true/false. Case is not significant in boolean values, but is
-preserved in string values. Some items such as create modes are
-numeric.
-<p><a name="SECTIONDESCRIPTIONS"></a>
-<h2>SECTION DESCRIPTIONS</h2>
-
-<p>Each section in the configuration file (except for the
-<a href="smb.conf.5.html#global"><strong>[global]</strong></a> section) describes a shared resource (known
-as a <em>"share"</em>). The section name is the name of the shared resource
-and the parameters within the section define the shares attributes.
-<p>There are three special sections, <a href="smb.conf.5.html#global"><strong>[global]</strong></a>,
-<a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> and <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a>, which are
-described under <a href="smb.conf.5.html#SPECIALSECTIONS"><strong>'special sections'</strong></a>. The
-following notes apply to ordinary section descriptions.
-<p>A share consists of a directory to which access is being given plus
-a description of the access rights which are granted to the user of
-the service. Some housekeeping options are also specifiable.
-<p>Sections are either filespace services (used by the client as an
-extension of their native file systems) or printable services (used by
-the client to access print services on the host running the server).
-<p>Sections may be designated <a href="smb.conf.5.html#guestok"><strong>guest</strong></a> services, in which
-case no password is required to access them. A specified UNIX
-<a href="smb.conf.5.html#guestaccount"><strong>guest account</strong></a> is used to define access
-privileges in this case.
-<p>Sections other than guest services will require a password to access
-them. The client provides the username. As older clients only provide
-passwords and not usernames, you may specify a list of usernames to
-check against the password using the <a href="smb.conf.5.html#user"><strong>"user="</strong></a> option in
-the share definition. For modern clients such as Windows 95/98 and
-Windows NT, this should not be necessary.
-<p>Note that the access rights granted by the server are masked by the
-access rights granted to the specified or guest UNIX user by the host
-system. The server does not grant more access than the host system
-grants.
-<p>The following sample section defines a file space share. The user has
-write access to the path <code>/home/bar</code>. The share is accessed via
-the share name "foo":
-<p><pre>
-
-
- [foo]
+<HTML
+><HEAD
+><TITLE
+>smb.conf</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="SMB.CONF"
+>smb.conf</A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN5"
+></A
+><H2
+>Name</H2
+>smb.conf -- The configuration file for the Samba suite</DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN8"
+></A
+><H2
+>SYNOPSIS</H2
+><P
+>The <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file is a configuration
+ file for the Samba suite. <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> contains
+ runtime configuration information for the Samba programs. The
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file is designed to be configured and
+ administered by the <A
+HREF="swat.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>swat(8)</B
+>
+ </A
+> program. The complete description of the file format and
+ possible parameters held within are here for reference purposes.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN16"
+></A
+><H2
+>FILE FORMAT</H2
+><P
+>The file consists of sections and parameters. A section
+ begins with the name of the section in square brackets and continues
+ until the next section begins. Sections contain parameters of the
+ form</P
+><P
+><TT
+CLASS="REPLACEABLE"
+><I
+>name</I
+></TT
+> = <TT
+CLASS="REPLACEABLE"
+><I
+>value
+ </I
+></TT
+></P
+><P
+>The file is line-based - that is, each newline-terminated
+ line represents either a comment, a section name or a parameter.</P
+><P
+>Section and parameter names are not case sensitive.</P
+><P
+>Only the first equals sign in a parameter is significant.
+ Whitespace before or after the first equals sign is discarded.
+ Leading, trailing and internal whitespace in section and parameter
+ names is irrelevant. Leading and trailing whitespace in a parameter
+ value is discarded. Internal whitespace within a parameter value
+ is retained verbatim.</P
+><P
+>Any line beginning with a semicolon (';') or a hash ('#')
+ character is ignored, as are lines containing only whitespace.</P
+><P
+>Any line ending in a '\' is continued
+ on the next line in the customary UNIX fashion.</P
+><P
+>The values following the equals sign in parameters are all
+ either a string (no quotes needed) or a boolean, which may be given
+ as yes/no, 0/1 or true/false. Case is not significant in boolean
+ values, but is preserved in string values. Some items such as
+ create modes are numeric.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN28"
+></A
+><H2
+>SECTION DESCRIPTIONS</H2
+><P
+>Each section in the configuration file (except for the
+ [global] section) describes a shared resource (known
+ as a "share"). The section name is the name of the
+ shared resource and the parameters within the section define
+ the shares attributes.</P
+><P
+>There are three special sections, [global],
+ [homes] and [printers], which are
+ described under <I
+CLASS="EMPHASIS"
+>special sections</I
+>. The
+ following notes apply to ordinary section descriptions.</P
+><P
+>A share consists of a directory to which access is being
+ given plus a description of the access rights which are granted
+ to the user of the service. Some housekeeping options are
+ also specifiable.</P
+><P
+>Sections are either filespace services (used by the
+ client as an extension of their native file systems) or
+ printable services (used by the client to access print services
+ on the host running the server).</P
+><P
+>Sections may be designated <I
+CLASS="EMPHASIS"
+>guest</I
+> services,
+ in which case no password is required to access them. A specified
+ UNIX <I
+CLASS="EMPHASIS"
+>guest account</I
+> is used to define access
+ privileges in this case.</P
+><P
+>Sections other than guest services will require a password
+ to access them. The client provides the username. As older clients
+ only provide passwords and not usernames, you may specify a list
+ of usernames to check against the password using the "user="
+ option in the share definition. For modern clients such as
+ Windows 95/98/ME/NT/2000, this should not be necessary.</P
+><P
+>Note that the access rights granted by the server are
+ masked by the access rights granted to the specified or guest
+ UNIX user by the host system. The server does not grant more
+ access than the host system grants.</P
+><P
+>The following sample section defines a file space share.
+ The user has write access to the path <TT
+CLASS="FILENAME"
+>/home/bar</TT
+>.
+ The share is accessed via the share name "foo":</P
+><PRE
+CLASS="SCREEN"
+> <TT
+CLASS="COMPUTEROUTPUT"
+> [foo]
path = /home/bar
writeable = true
-
-
-</pre>
-
-<p>The following sample section defines a printable share. The share
-is readonly, but printable. That is, the only write access permitted
-is via calls to open, write to and close a spool file. The
-<a href="smb.conf.5.html#guestok"><strong>'guest ok'</strong></a> parameter means access will be permitted
-as the default guest user (specified elsewhere):
-<p><pre>
-
- [aprinter]
+ </TT
+>
+ </PRE
+><P
+>The following sample section defines a printable share.
+ The share is readonly, but printable. That is, the only write
+ access permitted is via calls to open, write to and close a
+ spool file. The <I
+CLASS="EMPHASIS"
+>guest ok</I
+> parameter means
+ access will be permitted as the default guest user (specified
+ elsewhere):</P
+><PRE
+CLASS="SCREEN"
+> <TT
+CLASS="COMPUTEROUTPUT"
+> [aprinter]
path = /usr/spool/public
writeable = false
printable = true
guest ok = true
-
-</pre>
-
-<p><a name="SPECIALSECTIONS"></a>
-<h2>SPECIAL SECTIONS</h2>
-
-<p><dl>
-<p><a name="global"></a>
-<p></p><dt><strong><strong>The [global] section</strong></strong><dd>
-<p>Parameters in this section apply to the server as a whole, or are
-defaults for sections which do not specifically define certain
-items. See the notes under <a href="smb.conf.5.html#PARAMETERS"><strong>'PARAMETERS'</strong></a> for more
-information.
-<p><a name="homes"></a>
-<p></p><dt><strong><strong>The [homes] section</strong></strong><dd>
-<p>If a section called <code>'homes'</code> is included in the configuration file,
-services connecting clients to their home directories can be created
-on the fly by the server.
-<p>When the connection request is made, the existing sections are
-scanned. If a match is found, it is used. If no match is found, the
-requested section name is treated as a user name and looked up in the
-local password file. If the name exists and the correct password has
-been given, a share is created by cloning the [homes] section.
-<p>Some modifications are then made to the newly created share:
-<p><dl>
-<p><li > The share name is changed from <code>'homes'</code> to the located
-username
-<p><li > If no path was given, the path is set to the user's home
-directory.
-<p></dl>
-<p>If you decide to use a <a href="smb.conf.5.html#path"><strong>path=</strong></a> line in your [homes]
-section then you may find it useful to use the <a href="smb.conf.5.html#percentS"><strong>%S</strong></a>
-macro. For example :
-<p><code>path=/data/pchome/%S</code>
-<p>would be useful if you have different home directories for your PCs
-than for UNIX access.
-<p>This is a fast and simple way to give a large number of clients access
-to their home directories with a minimum of fuss.
-<p>A similar process occurs if the requested section name is <code>"homes"</code>,
-except that the share name is not changed to that of the requesting
-user. This method of using the [homes] section works well if different
-users share a client PC.
-<p>The [homes] section can specify all the parameters a normal service
-section can specify, though some make more sense than others. The
-following is a typical and suitable [homes] section:
-<p><pre>
-
- [homes]
- writeable = yes
-
-</pre>
-
-<p>An important point is that if guest access is specified in the [homes]
-section, all home directories will be visible to all clients
-<strong>without a password</strong>. In the very unlikely event that this is
-actually desirable, it would be wise to also specify <a href="smb.conf.5.html#readonly"><strong>read only
-access</strong></a>.
-<p>Note that the <a href="smb.conf.5.html#browseable"><strong>browseable</strong></a> flag for auto home
-directories will be inherited from the global browseable flag, not the
-[homes] browseable flag. This is useful as it means setting
-browseable=no in the [homes] section will hide the [homes] share but
-make any auto home directories visible.
-<p><a name="printers"></a>
-<p></p><dt><strong><strong>The [printers] section</strong></strong><dd>
-<p>This section works like <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a>, but for printers.
-<p>If a <strong>[printers]</strong> section occurs in the configuration file, users are
-able to connect to any printer specified in the local host's printcap
-file.
-<p>When a connection request is made, the existing sections are
-scanned. If a match is found, it is used. If no match is found, but a
-<a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> section exists, it is used as described
-above. Otherwise, the requested section name is treated as a printer
-name and the appropriate printcap file is scanned to see if the
-requested section name is a valid printer share name. If a match is
-found, a new printer share is created by cloning the <strong>[printers]</strong>
-section.
-<p>A few modifications are then made to the newly created share:
-<p><dl>
-<p><li > The share name is set to the located printer name
-<p><li > If no printer name was given, the printer name is set to the
-located printer name
-<p><li > If the share does not permit guest access and no username was
-given, the username is set to the located printer name.
-<p></dl>
-<p>Note that the <strong>[printers]</strong> service MUST be printable - if you specify
-otherwise, the server will refuse to load the configuration file.
-<p>Typically the path specified would be that of a world-writeable spool
-directory with the sticky bit set on it. A typical <strong>[printers]</strong> entry
-would look like this:
-<p><pre>
-
- [printers]
- path = /usr/spool/public
- guest ok = yes
- printable = yes
-
-</pre>
-
-<p>All aliases given for a printer in the printcap file are legitimate
-printer names as far as the server is concerned. If your printing
-subsystem doesn't work like that, you will have to set up a
-pseudo-printcap. This is a file consisting of one or more lines like
-this:
-<p><pre>
- alias|alias|alias|alias...
-</pre>
-
-<p>Each alias should be an acceptable printer name for your printing
-subsystem. In the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section, specify the new
-file as your printcap. The server will then only recognize names
-found in your pseudo-printcap, which of course can contain whatever
-aliases you like. The same technique could be used simply to limit
-access to a subset of your local printers.
-<p>An alias, by the way, is defined as any component of the first entry
-of a printcap record. Records are separated by newlines, components
-(if there are more than one) are separated by vertical bar symbols
-("|").
-<p>NOTE: On SYSV systems which use lpstat to determine what printers are
-defined on the system you may be able to use <a href="smb.conf.5.html#printcapname"><strong>"printcap name =
-lpstat"</strong></a> to automatically obtain a list of
-printers. See the <a href="smb.conf.5.html#printcapname"><strong>"printcap name"</strong></a> option for
-more details.
-<p></dl>
-<p><a name="PARAMETERS"></a>
-<h2>PARAMETERS</h2>
-
-<p>Parameters define the specific attributes of sections.
-<p>Some parameters are specific to the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section
-(e.g., <a href="smb.conf.5.html#security"><strong>security</strong></a>). Some parameters are usable in
-all sections (e.g., <a href="smb.conf.5.html#createmode"><strong>create mode</strong></a>). All others are
-permissible only in normal sections. For the purposes of the following
-descriptions the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> and
-<a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> sections will be considered normal.
-The letter <code>'G'</code> in parentheses indicates that a parameter is
-specific to the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section. The letter <code>'S'</code>
-indicates that a parameter can be specified in a service specific
-section. Note that all <code>'S'</code> parameters can also be specified in the
-<a href="smb.conf.5.html#global"><strong>[global]</strong></a> section - in which case they will define
-the default behavior for all services.
-<p>Parameters are arranged here in alphabetical order - this may not
-create best bedfellows, but at least you can find them! Where there
-are synonyms, the preferred synonym is described, others refer to the
-preferred synonym.
-<p><a name="VARIABLESUBSTITUTIONS"></a>
-<h2>VARIABLE SUBSTITUTIONS</h2>
-
-<p>Many of the strings that are settable in the config file can take
-substitutions. For example the option <a href="smb.conf.5.html#path"><strong><code>"path =
-/tmp/%u"</code></strong></a> would be interpreted as <code>"path = /tmp/john"</code> if
-the user connected with the username john.
-<p>These substitutions are mostly noted in the descriptions below, but
-there are some general substitutions which apply whenever they might
-be relevant. These are:
-<p><dl>
-<p><a name="percentS"></a>
-<li > <strong>%S</strong> = the name of the current service, if any.
-<p><a name="percentP"></a>
-<li > <strong>%P</strong> = the root directory of the current service, if any.
-<p><a name="percentu"></a>
-<li > <strong>%u</strong> = user name of the current service, if any.
-<p><a name="percentg"></a>
-<li > <strong>%g</strong> = primary group name of <a href="smb.conf.5.html#percentu"><strong>%u</strong></a>.
-<p><a name="percentU"></a>
-<li > <strong>%U</strong> = session user name (the user name that
-the client wanted, not necessarily the same as the one they got).
-<p><a name="percentG"></a>
-<li > <strong>%G</strong> = primary group name of <a href="smb.conf.5.html#percentU"><strong>%U</strong></a>.
-<p><a name="percentH"></a>
-<li > <strong>%H</strong> = the home directory of the user given by <a href="smb.conf.5.html#percentu"><strong>%u</strong></a>.
-<p><a name="percentv"></a>
-<li > <strong>%v</strong> = the Samba version.
-<p><a name="percenth"></a>
-<li > <strong>%h</strong> = the internet hostname that Samba is running on.
-<p><a name="percentm"></a>
-<li > <strong>%m</strong> = the NetBIOS name of the client machine (very useful).
-<p><a name="percentL"></a>
-<li > <strong>%L</strong> = the NetBIOS name of the server. This allows you to change your
-config based on what the client calls you. Your server can have a "dual
-personality".
-<p><a name="percentM"></a>
-<li > <strong>%M</strong> = the internet name of the client machine.
-<p><a name="percentN"></a>
-<li > <strong>%N</strong> = the name of your NIS home directory server. This is
-obtained from your NIS auto.map entry. If you have not compiled Samba
-with the <strong>--with-automount</strong> option then this value will be the same
-as <a href="smb.conf.5.html#percentL"><strong>%L</strong></a>.
-<p><a name="percentp"></a>
-<li > <strong>%p</strong> = the path of the service's home directory, obtained from your NIS
-auto.map entry. The NIS auto.map entry is split up as "%N:%p".
-<p><a name="percentR"></a>
-<li > <strong>%R</strong> = the selected protocol level after protocol
-negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
-<p><a name="percentd"></a>
-<li > <strong>%d</strong> = The process id of the current server process.
-<p><a name="percenta"></a>
-<li > <strong>%a</strong> = the architecture of the remote
-machine. Only some are recognized, and those may not be 100%
-reliable. It currently recognizes Samba, WfWg, WinNT and
-Win95. Anything else will be known as "UNKNOWN". If it gets it wrong
-then sending a level 3 log to <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>
-should allow it to be fixed.
-<p><a name="percentI"></a>
-<li > <strong>%I</strong> = The IP address of the client machine.
-<p><a name="percentT"></a>
-<li > <strong>%T</strong> = the current date and time.
-<p></dl>
-<p>There are some quite creative things that can be done with these
-substitutions and other smb.conf options.
-<p><a name="NAMEMANGLING"></a>
-<h2>NAME MANGLING</h2>
-
-<p>Samba supports <em>"name mangling"</em> so that DOS and Windows clients can
-use files that don't conform to the 8.3 format. It can also be set to
-adjust the case of 8.3 format filenames.
-<p>There are several options that control the way mangling is performed,
-and they are grouped here rather than listed separately. For the
-defaults look at the output of the testparm program.
-<p>All of these options can be set separately for each service (or
-globally, of course).
-<p>The options are:
-<p><a name="manglecaseoption"></a>
-<strong>"mangle case = yes/no"</strong> controls if names that have characters that
-aren't of the "default" case are mangled. For example, if this is yes
-then a name like <code>"Mail"</code> would be mangled. Default <em>no</em>.
-<p><a name="casesensitiveoption"></a>
-<strong>"case sensitive = yes/no"</strong> controls whether filenames are case
-sensitive. If they aren't then Samba must do a filename search and
-match on passed names. Default <em>no</em>.
-<p><a name="defaultcaseoption"></a>
-<strong>"default case = upper/lower"</strong> controls what the default case is for new
-filenames. Default <em>lower</em>.
-<p><a name="preservecaseoption"></a>
-<strong>"preserve case = yes/no"</strong> controls if new files are created with the
-case that the client passes, or if they are forced to be the <code>"default"</code>
-case. Default <em>Yes</em>.
-<p><a name="shortpreservecaseoption"></a>
-<p><strong>"short preserve case = yes/no"</strong> controls if new files which conform
-to 8.3 syntax, that is all in upper case and of suitable length, are
-created upper case, or if they are forced to be the <code>"default"</code>
-case. This option can be use with <a href="smb.conf.5.html#preservecaseoption"><strong>"preserve case =
-yes"</strong></a> to permit long filenames to retain their
-case, while short names are lowered. Default <em>Yes</em>.
-<p>By default, Samba 2.0 has the same semantics as a Windows NT
-server, in that it is case insensitive but case preserving.
-<p><a name="NOTEABOUTUSERNAMEPASSWORDVALIDATION"></a>
-<h2>NOTE ABOUT USERNAME/PASSWORD VALIDATION</h2>
-
-<p>There are a number of ways in which a user can connect to a
-service. The server follows the following steps in determining if it
-will allow a connection to a specified service. If all the steps fail
-then the connection request is rejected. If one of the steps pass then
-the following steps are not checked.
-<p>If the service is marked <a href="smb.conf.5.html#guestonly"><strong>"guest only = yes"</strong></a> then
-steps 1 to 5 are skipped.
-<p><ol>
-<p><li> Step 1: If the client has passed a username/password pair and
-that username/password pair is validated by the UNIX system's password
-programs then the connection is made as that username. Note that this
-includes the <code>\\server\service%username</code> method of passing a
-username.
-<p><li> Step 2: If the client has previously registered a username with
-the system and now supplies a correct password for that username then
-the connection is allowed.
-<p><li> Step 3: The client's netbios name and any previously used user
-names are checked against the supplied password, if they match then
-the connection is allowed as the corresponding user.
-<p><li> Step 4: If the client has previously validated a
-username/password pair with the server and the client has passed the
-validation token then that username is used.
-<p><li> Step 5: If a <a href="smb.conf.5.html#user"><strong>"user = "</strong></a> field is given in the
-smb.conf file for the service and the client has supplied a password,
-and that password matches (according to the UNIX system's password
-checking) with one of the usernames from the <a href="smb.conf.5.html#user"><strong>user=</strong></a>
-field then the connection is made as the username in the
-<a href="smb.conf.5.html#user"><strong>"user="</strong></a> line. If one of the username in the
-<a href="smb.conf.5.html#user"><strong>user=</strong></a> list begins with a <code>'@'</code> then that name
-expands to a list of names in the group of the same name.
-<p><li> Step 6: If the service is a guest service then a connection is
-made as the username given in the <a href="smb.conf.5.html#guestaccount"><strong>"guest account
-="</strong></a> for the service, irrespective of the supplied
-password.
-<p></ol>
-<p><a name="COMPLETELISTOFGLOBALPARAMETERS"></a>
-<h2>COMPLETE LIST OF GLOBAL PARAMETERS</h2>
-
-<p>Here is a list of all global parameters. See the section of each
-parameter for details. Note that some are synonyms.
-<p><dl>
-<p><li > <a href="smb.conf.5.html#adduserscript"><strong>add user script</strong></a>
-<p><li > <a href="smb.conf.5.html#allowtrusteddomains"><strong>allow trusted domains</strong></a>
-<p><li > <a href="smb.conf.5.html#announceas"><strong>announce as</strong></a>
-<p><li > <a href="smb.conf.5.html#announceversion"><strong>announce version</strong></a>
-<p><li > <a href="smb.conf.5.html#autoservices"><strong>auto services</strong></a>
-<p><li > <a href="smb.conf.5.html#bindinterfacesonly"><strong>bind interfaces only</strong></a>
-<p><li > <a href="smb.conf.5.html#browselist"><strong>browse list</strong></a>
-<p><li > <a href="smb.conf.5.html#changenotifytimeout"><strong>change notify timeout</strong></a>
-<p><li > <a href="smb.conf.5.html#characterset"><strong>character set</strong></a>
-<p><li > <a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a>
-<p><li > <a href="smb.conf.5.html#codingsystem"><strong>coding system</strong></a>
-<p><li > <a href="smb.conf.5.html#configfile"><strong>config file</strong></a>
-<p><li > <a href="smb.conf.5.html#deadtime"><strong>deadtime</strong></a>
-<p><li > <a href="smb.conf.5.html#debughirestimestamp"><strong>debug hires timestamp</strong></a>
-<p><li > <a href="smb.conf.5.html#debugpid"><strong>debug pid</strong></a>
-<p><li > <a href="smb.conf.5.html#debugtimestamp"><strong>debug timestamp</strong></a>
-<p><li > <a href="smb.conf.5.html#debuguid"><strong>debug uid</strong></a>
-<p><li > <a href="smb.conf.5.html#debuglevel"><strong>debug level</strong></a>
-<p><li > <a href="smb.conf.5.html#default"><strong>default</strong></a>
-<p><li > <a href="smb.conf.5.html#defaultservice"><strong>default service</strong></a>
-<p><li > <a href="smb.conf.5.html#deleteuserscript"><strong>delete user script</strong></a>
-<p><li > <a href="smb.conf.5.html#dfreecommand"><strong>dfree command</strong></a>
-<p><li > <a href="smb.conf.5.html#dnsproxy"><strong>dns proxy</strong></a>
-<p><li > <a href="smb.conf.5.html#domainadmingroup"><strong>domain admin group</strong></a>
-<p><li > <a href="smb.conf.5.html#domainadminusers"><strong>domain admin users</strong></a>
-<p><li > <a href="smb.conf.5.html#domaingroups"><strong>domain groups</strong></a>
-<p><li > <a href="smb.conf.5.html#domainguestgroup"><strong>domain guest group</strong></a>
-<p><li > <a href="smb.conf.5.html#domainguestusers"><strong>domain guest users</strong></a>
-<p><li > <a href="smb.conf.5.html#domainlogons"><strong>domain logons</strong></a>
-<p><li > <a href="smb.conf.5.html#domainmaster"><strong>domain master</strong></a>
-<p><li > <a href="smb.conf.5.html#encryptpasswords"><strong>encrypt passwords</strong></a>
-<p><li > <a href="smb.conf.5.html#getwdcache"><strong>getwd cache</strong></a>
-<p><li > <a href="smb.conf.5.html#hidelocalusers"><strong>hide local users</strong></a>
-<p><li > <a href="smb.conf.5.html#homedirmap"><strong>homedir map</strong></a>
-<p><li > <a href="smb.conf.5.html#hostsequiv"><strong>hosts equiv</strong></a>
-<p><li > <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a>
-<p><li > <a href="smb.conf.5.html#keepalive"><strong>keepalive</strong></a>
-<p><li > <a href="smb.conf.5.html#kerneloplocks"><strong>kernel oplocks</strong></a>
-<p><li > <a href="smb.conf.5.html#ldapfilter"><strong>ldap filter</strong></a>
-<p><li > <a href="smb.conf.5.html#ldapport"><strong>ldap port</strong></a>
-<p><li > <a href="smb.conf.5.html#ldaproot"><strong>ldap root</strong></a>
-<p><li > <a href="smb.conf.5.html#ldaprootpasswd"><strong>ldap root passwd</strong></a>
-<p><li > <a href="smb.conf.5.html#ldapserver"><strong>ldap server</strong></a>
-<p><li > <a href="smb.conf.5.html#ldapsuffix"><strong>ldap suffix</strong></a>
-<p><li > <a href="smb.conf.5.html#lmannounce"><strong>lm announce</strong></a>
-<p><li > <a href="smb.conf.5.html#lminterval"><strong>lm interval</strong></a>
-<p><li > <a href="smb.conf.5.html#loadprinters"><strong>load printers</strong></a>
-<p><li > <a href="smb.conf.5.html#localmaster"><strong>local master</strong></a>
-<p><li > <a href="smb.conf.5.html#lockdir"><strong>lock dir</strong></a>
-<p><li > <a href="smb.conf.5.html#lockdirectory"><strong>lock directory</strong></a>
-<p><li > <a href="smb.conf.5.html#logfile"><strong>log file</strong></a>
-<p><li > <a href="smb.conf.5.html#loglevel"><strong>log level</strong></a>
-<p><li > <a href="smb.conf.5.html#logondrive"><strong>logon drive</strong></a>
-<p><li > <a href="smb.conf.5.html#logonhome"><strong>logon home</strong></a>
-<p><li > <a href="smb.conf.5.html#logonpath"><strong>logon path</strong></a>
-<p><li > <a href="smb.conf.5.html#logonscript"><strong>logon script</strong></a>
-<p><li > <a href="smb.conf.5.html#lpqcachetime"><strong>lpq cache time</strong></a>
-<p><li > <a href="smb.conf.5.html#machinepasswordtimeout"><strong>machine password timeout</strong></a>
-<p><li > <a href="smb.conf.5.html#mangledstack"><strong>mangled stack</strong></a>
-<p><li > <a href="smb.conf.5.html#maptoguest"><strong>map to guest</strong></a>
-<p><li > <a href="smb.conf.5.html#maxdisksize"><strong>max disk size</strong></a>
-<p><li > <a href="smb.conf.5.html#maxlogsize"><strong>max log size</strong></a>
-<p><li > <a href="smb.conf.5.html#maxmux"><strong>max mux</strong></a>
-<p><li > <a href="smb.conf.5.html#maxopenfiles"><strong>max open files</strong></a>
-<p><li > <a href="smb.conf.5.html#maxpacket"><strong>max packet</strong></a>
-<p><li > <a href="smb.conf.5.html#maxttl"><strong>max ttl</strong></a>
-<p><li > <a href="smb.conf.5.html#maxwinsttl"><strong>max wins ttl</strong></a>
-<p><li > <a href="smb.conf.5.html#maxxmit"><strong>max xmit</strong></a>
-<p><li > <a href="smb.conf.5.html#messagecommand"><strong>message command</strong></a>
-<p><li > <a href="smb.conf.5.html#minpasswdlength"><strong>min passwd length</strong></a>
-<p><li > <a href="smb.conf.5.html#minpasswordlength"><strong>min password length</strong></a>
-<p><li > <a href="smb.conf.5.html#minwinsttl"><strong>min wins ttl</strong></a>
-<p><li > <a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a>
-<p><li > <a href="smb.conf.5.html#netbiosaliases"><strong>netbios aliases</strong></a>
-<p><li > <a href="smb.conf.5.html#netbiosname"><strong>netbios name</strong></a>
-<p><li > <a href="smb.conf.5.html#netbiosscope"><strong>netbios scope</strong></a>
-<p><li > <a href="smb.conf.5.html#nishomedir"><strong>nis homedir</strong></a>
-<p><li > <a href="smb.conf.5.html#ntaclsupport"><strong>nt acl support</strong></a>
-<p><li > <a href="smb.conf.5.html#ntpipesupport"><strong>nt pipe support</strong></a>
-<p><li > <a href="smb.conf.5.html#ntsmbsupport"><strong>nt smb support</strong></a>
-<p><li > <a href="smb.conf.5.html#nullpasswords"><strong>null passwords</strong></a>
-<p><li > <a href="smb.conf.5.html#olelockingcompatibility"><strong>ole locking compatibility</strong></a>
-<p><li > <a href="smb.conf.5.html#oplockbreakwaittime"><strong>oplock break wait time</strong></a>
-<p><li > <a href="smb.conf.5.html#oslevel"><strong>os level</strong></a>
-<p><li > <a href="smb.conf.5.html#packetsize"><strong>packet size</strong></a>
-<p><li > <a href="smb.conf.5.html#panicaction"><strong>panic action</strong></a>
-<p><li > <a href="smb.conf.5.html#passwdchat"><strong>passwd chat</strong></a>
-<p><li > <a href="smb.conf.5.html#passwdchatdebug"><strong>passwd chat debug</strong></a>
-<p><li > <a href="smb.conf.5.html#passwdprogram"><strong>passwd program</strong></a>
-<p><li > <a href="smb.conf.5.html#passwordlevel"><strong>password level</strong></a>
-<p><li > <a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a>
-<p><li > <a href="smb.conf.5.html#preferedmaster"><strong>prefered master</strong></a>
-<p><li > <a href="smb.conf.5.html#preferredmaster"><strong>preferred master</strong></a>
-<p><li > <a href="smb.conf.5.html#preload"><strong>preload</strong></a>
-<p><li > <a href="smb.conf.5.html#printcap"><strong>printcap</strong></a>
-<p><li > <a href="smb.conf.5.html#printcapname"><strong>printcap name</strong></a>
-<p><li > <a href="smb.conf.5.html#printerdriverfile"><strong>printer driver file</strong></a>
-<p><li > <a href="smb.conf.5.html#protocol"><strong>protocol</strong></a>
-<p><li > <a href="smb.conf.5.html#readbmpx"><strong>read bmpx</strong></a>
-<p><li > <a href="smb.conf.5.html#readprediction"><strong>read prediction</strong></a>
-<p><li > <a href="smb.conf.5.html#readraw"><strong>read raw</strong></a>
-<p><li > <a href="smb.conf.5.html#readsize"><strong>read size</strong></a>
-<p><li > <a href="smb.conf.5.html#remoteannounce"><strong>remote announce</strong></a>
-<p><li > <a href="smb.conf.5.html#remotebrowsesync"><strong>remote browse sync</strong></a>
-<p><li > <a href="smb.conf.5.html#restrictanonymous"><strong>restrict anonymous</strong></a>
-<p><li > <a href="smb.conf.5.html#root"><strong>root</strong></a>
-<p><li > <a href="smb.conf.5.html#rootdir"><strong>root dir</strong></a>
-<p><li > <a href="smb.conf.5.html#rootdirectory"><strong>root directory</strong></a>
-<p><li > <a href="smb.conf.5.html#security"><strong>security</strong></a>
-<p><li > <a href="smb.conf.5.html#serverstring"><strong>server string</strong></a>
-<p><li > <a href="smb.conf.5.html#sharedmemsize"><strong>shared mem size</strong></a>
-<p><li > <a href="smb.conf.5.html#smbpasswdfile"><strong>smb passwd file</strong></a>
-<p><li > <a href="smb.conf.5.html#smbrun"><strong>smbrun</strong></a>
-<p><li > <a href="smb.conf.5.html#socketaddress"><strong>socket address</strong></a>
-<p><li > <a href="smb.conf.5.html#socketoptions"><strong>socket options</strong></a>
-<p><li > <a href="smb.conf.5.html#sourceenvironment"><strong>source environment</strong></a>
-<p><li > <a href="smb.conf.5.html#ssl"><strong>ssl</strong></a>
-<p><li > <a href="smb.conf.5.html#sslCAcertDir"><strong>ssl CA certDir</strong></a>
-<p><li > <a href="smb.conf.5.html#sslCAcertFile"><strong>ssl CA certFile</strong></a>
-<p><li > <a href="smb.conf.5.html#sslciphers"><strong>ssl ciphers</strong></a>
-<p><li > <a href="smb.conf.5.html#sslclientcert"><strong>ssl client cert</strong></a>
-<p><li > <a href="smb.conf.5.html#sslclientkey"><strong>ssl client key</strong></a>
-<p><li > <a href="smb.conf.5.html#sslcompatibility"><strong>ssl compatibility</strong></a>
-<p><li > <a href="smb.conf.5.html#sslhosts"><strong>ssl hosts</strong></a>
-<p><li > <a href="smb.conf.5.html#sslhostsresign"><strong>ssl hosts resign</strong></a>
-<p><li > <a href="smb.conf.5.html#sslrequireclientcert"><strong>ssl require clientcert</strong></a>
-<p><li > <a href="smb.conf.5.html#sslrequireservercert"><strong>ssl require servercert</strong></a>
-<p><li > <a href="smb.conf.5.html#sslservercert"><strong>ssl server cert</strong></a>
-<p><li > <a href="smb.conf.5.html#sslserverkey"><strong>ssl server key</strong></a>
-<p><li > <a href="smb.conf.5.html#sslversion"><strong>ssl version</strong></a>
-<p><li > <a href="smb.conf.5.html#statcache"><strong>stat cache</strong></a>
-<p><li > <a href="smb.conf.5.html#statcachesize"><strong>stat cache size</strong></a>
-<p><li > <a href="smb.conf.5.html#stripdot"><strong>strip dot</strong></a>
-<p><li > <a href="smb.conf.5.html#syslog"><strong>syslog</strong></a>
-<p><li > <a href="smb.conf.5.html#syslogonly"><strong>syslog only</strong></a>
-<p><li > <a href="smb.conf.5.html#templatehomedir"><strong>template homedir</strong></a>
-<p><li > <a href="smb.conf.5.html#templateshell"><strong>template shell</strong></a>
-<p><li > <a href="smb.conf.5.html#timeoffset"><strong>time offset</strong></a>
-<p><li > <a href="smb.conf.5.html#timeserver"><strong>time server</strong></a>
-<p><li > <a href="smb.conf.5.html#timestamplogs"><strong>timestamp logs</strong></a>
-<p><li > <a href="smb.conf.5.html#unixpasswordsync"><strong>unix password sync</strong></a>
-<p><li > <a href="smb.conf.5.html#unixrealname"><strong>unix realname</strong></a>
-<p><li > <a href="smb.conf.5.html#updateencrypted"><strong>update encrypted</strong></a>
-<p><li > <a href="smb.conf.5.html#userhosts"><strong>use rhosts</strong></a>
-<p><li > <a href="smb.conf.5.html#usernamelevel"><strong>username level</strong></a>
-<p><li > <a href="smb.conf.5.html#usernamemap"><strong>username map</strong></a>
-<p><li > <a href="smb.conf.5.html#utmpdirectory"><strong>utmp directory</strong></a>
-<p><li > <a href="smb.conf.5.html#validchars"><strong>valid chars</strong></a>
-<p><li > <a href="smb.conf.5.html#winbindcachetime"><strong>winbind cache time</strong></a>
-<p><li > <a href="smb.conf.5.html#winbindgid"><strong>winbind gid</strong></a>
-<p><li > <a href="smb.conf.5.html#winbinduid"><strong>winbind uid</strong></a>
-<p><li > <a href="smb.conf.5.html#winshook"><strong>wins hook</strong></a>
-<p><li > <a href="smb.conf.5.html#winsproxy"><strong>wins proxy</strong></a>
-<p><li > <a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a>
-<p><li > <a href="smb.conf.5.html#winssupport"><strong>wins support</strong></a>
-<p><li > <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a>
-<p><li > <a href="smb.conf.5.html#writeraw"><strong>write raw</strong></a>
-<p></dl>
-<p><a name="COMPLETELISTOFSERVICEPARAMETERS"></a>
-<h2>COMPLETE LIST OF SERVICE PARAMETERS</h2>
-
-<p>Here is a list of all service parameters. See the section of each
-parameter for details. Note that some are synonyms.
-<p><dl>
-<p><li > <a href="smb.conf.5.html#adminusers"><strong>admin users</strong></a>
-<p><li > <a href="smb.conf.5.html#allowhosts"><strong>allow hosts</strong></a>
-<p><li > <a href="smb.conf.5.html#alternatepermissions"><strong>alternate permissions</strong></a>
-<p><li > <a href="smb.conf.5.html#available"><strong>available</strong></a>
-<p><li > <a href="smb.conf.5.html#blockinglocks"><strong>blocking locks</strong></a>
-<p><li > <a href="smb.conf.5.html#browsable"><strong>browsable</strong></a>
-<p><li > <a href="smb.conf.5.html#browseable"><strong>browseable</strong></a>
-<p><li > <a href="smb.conf.5.html#casesensitive"><strong>case sensitive</strong></a>
-<p><li > <a href="smb.conf.5.html#casesignames"><strong>casesignames</strong></a>
-<p><li > <a href="smb.conf.5.html#comment"><strong>comment</strong></a>
-<p><li > <a href="smb.conf.5.html#copy"><strong>copy</strong></a>
-<p><li > <a href="smb.conf.5.html#createmask"><strong>create mask</strong></a>
-<p><li > <a href="smb.conf.5.html#createmode"><strong>create mode</strong></a>
-<p><li > <a href="smb.conf.5.html#defaultcase"><strong>default case</strong></a>
-<p><li > <a href="smb.conf.5.html#deletereadonly"><strong>delete readonly</strong></a>
-<p><li > <a href="smb.conf.5.html#deletevetofiles"><strong>delete veto files</strong></a>
-<p><li > <a href="smb.conf.5.html#denyhosts"><strong>deny hosts</strong></a>
-<p><li > <a href="smb.conf.5.html#directory"><strong>directory</strong></a>
-<p><li > <a href="smb.conf.5.html#directorymask"><strong>directory mask</strong></a>
-<p><li > <a href="smb.conf.5.html#directorymode"><strong>directory mode</strong></a>
-<p><li > <a href="smb.conf.5.html#directorysecuritymask"><strong>directory security mask</strong></a>
-<p><li > <a href="smb.conf.5.html#dontdescend"><strong>dont descend</strong></a>
-<p><li > <a href="smb.conf.5.html#dosfiletimeresolution"><strong>dos filetime resolution</strong></a>
-<p><li > <a href="smb.conf.5.html#dosfiletimes"><strong>dos filetimes</strong></a>
-<p><li > <a href="smb.conf.5.html#exec"><strong>exec</strong></a>
-<p><li > <a href="smb.conf.5.html#fakedirectorycreatetimes"><strong>fake directory create times</strong></a>
-<p><li > <a href="smb.conf.5.html#fakeoplocks"><strong>fake oplocks</strong></a>
-<p><li > <a href="smb.conf.5.html#followsymlinks"><strong>follow symlinks</strong></a>
-<p><li > <a href="smb.conf.5.html#forcecreatemode"><strong>force create mode</strong></a>
-<p><li > <a href="smb.conf.5.html#forcedirectorymode"><strong>force directory mode</strong></a>
-<p><li > <a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>force directory security mode</strong></a>
-<p><li > <a href="smb.conf.5.html#forcegroup"><strong>force group</strong></a>
-<p><li > <a href="smb.conf.5.html#forcesecuritymode"><strong>force security mode</strong></a>
-<p><li > <a href="smb.conf.5.html#forceuser"><strong>force user</strong></a>
-<p><li > <a href="smb.conf.5.html#fstype"><strong>fstype</strong></a>
-<p><li > <a href="smb.conf.5.html#group"><strong>group</strong></a>
-<p><li > <a href="smb.conf.5.html#guestaccount"><strong>guest account</strong></a>
-<p><li > <a href="smb.conf.5.html#guestok"><strong>guest ok</strong></a>
-<p><li > <a href="smb.conf.5.html#guestonly"><strong>guest only</strong></a>
-<p><li > <a href="smb.conf.5.html#hidedotfiles"><strong>hide dot files</strong></a>
-<p><li > <a href="smb.conf.5.html#hidefiles"><strong>hide files</strong></a>
-<p><li > <a href="smb.conf.5.html#hostsallow"><strong>hosts allow</strong></a>
-<p><li > <a href="smb.conf.5.html#hostsdeny"><strong>hosts deny</strong></a>
-<p><li > <a href="smb.conf.5.html#include"><strong>include</strong></a>
-<p><li > <a href="smb.conf.5.html#inheritpermissions"><strong>inherit permissions</strong></a>
-<p><li > <a href="smb.conf.5.html#invalidusers"><strong>invalid users</strong></a>
-<p><li > <a href="smb.conf.5.html#level2oplocks"><strong>level2 oplocks</strong></a>
-<p><li > <a href="smb.conf.5.html#locking"><strong>locking</strong></a>
-<p><li > <a href="smb.conf.5.html#lppausecommand"><strong>lppause command</strong></a>
-<p><li > <a href="smb.conf.5.html#lpqcommand"><strong>lpq command</strong></a>
-<p><li > <a href="smb.conf.5.html#lpresumecommand"><strong>lpresume command</strong></a>
-<p><li > <a href="smb.conf.5.html#lprmcommand"><strong>lprm command</strong></a>
-<p><li > <a href="smb.conf.5.html#magicoutput"><strong>magic output</strong></a>
-<p><li > <a href="smb.conf.5.html#magicscript"><strong>magic script</strong></a>
-<p><li > <a href="smb.conf.5.html#manglecase"><strong>mangle case</strong></a>
-<p><li > <a href="smb.conf.5.html#manglelocks"><strong>mangle locks</strong></a>
-<p><li > <a href="smb.conf.5.html#mangledmap"><strong>mangled map</strong></a>
-<p><li > <a href="smb.conf.5.html#manglednames"><strong>mangled names</strong></a>
-<p><li > <a href="smb.conf.5.html#manglingchar"><strong>mangling char</strong></a>
-<p><li > <a href="smb.conf.5.html#maparchive"><strong>map archive</strong></a>
-<p><li > <a href="smb.conf.5.html#maphidden"><strong>map hidden</strong></a>
-<p><li > <a href="smb.conf.5.html#mapsystem"><strong>map system</strong></a>
-<p><li > <a href="smb.conf.5.html#maxconnections"><strong>max connections</strong></a>
-<p><li > <a href="smb.conf.5.html#minprintspace"><strong>min print space</strong></a>
-<p><li > <a href="smb.conf.5.html#onlyguest"><strong>only guest</strong></a>
-<p><li > <a href="smb.conf.5.html#onlyuser"><strong>only user</strong></a>
-<p><li > <a href="smb.conf.5.html#oplockcontentionlimit"><strong>oplock contention limit</strong></a>
-<p><li > <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a>
-<p><li > <a href="smb.conf.5.html#path"><strong>path</strong></a>
-<p><li > <a href="smb.conf.5.html#postexec"><strong>postexec</strong></a>
-<p><li > <a href="smb.conf.5.html#postscript"><strong>postscript</strong></a>
-<p><li > <a href="smb.conf.5.html#preexec"><strong>preexec</strong></a>
-<p><li > <a href="smb.conf.5.html#preexecclose"><strong>preexec close</strong></a>
-<p><li > <a href="smb.conf.5.html#preservecase"><strong>preserve case</strong></a>
-<p><li > <a href="smb.conf.5.html#printcommand"><strong>print command</strong></a>
-<p><li > <a href="smb.conf.5.html#printok"><strong>print ok</strong></a>
-<p><li > <a href="smb.conf.5.html#printable"><strong>printable</strong></a>
-<p><li > <a href="smb.conf.5.html#printer"><strong>printer</strong></a>
-<p><li > <a href="smb.conf.5.html#printeradmin"><strong>printer admin</strong></a>
-<p><li > <a href="smb.conf.5.html#printerdriver"><strong>printer driver</strong></a>
-<p><li > <a href="smb.conf.5.html#printerdriverlocation"><strong>printer driver location</strong></a>
-<p><li > <a href="smb.conf.5.html#printername"><strong>printer name</strong></a>
-<p><li > <a href="smb.conf.5.html#printing"><strong>printing</strong></a>
-<p><li > <a href="smb.conf.5.html#public"><strong>public</strong></a>
-<p><li > <a href="smb.conf.5.html#queuepausecommand"><strong>queuepause command</strong></a>
-<p><li > <a href="smb.conf.5.html#queueresumecommand"><strong>queueresume command</strong></a>
-<p><li > <a href="smb.conf.5.html#readlist"><strong>read list</strong></a>
-<p><li > <a href="smb.conf.5.html#readonly"><strong>read only</strong></a>
-<p><li > <a href="smb.conf.5.html#rootpostexec"><strong>root postexec</strong></a>
-<p><li > <a href="smb.conf.5.html#rootpreexec"><strong>root preexec</strong></a>
-<p><li > <a href="smb.conf.5.html#rootpreexecclose"><strong>root preexec close</strong></a>
-<p><li > <a href="smb.conf.5.html#securitymask"><strong>security mask</strong></a>
-<p><li > <a href="smb.conf.5.html#setdirectory"><strong>set directory</strong></a>
-<p><li > <a href="smb.conf.5.html#sharemodes"><strong>share modes</strong></a>
-<p><li > <a href="smb.conf.5.html#shortpreservecase"><strong>short preserve case</strong></a>
-<p><li > <a href="smb.conf.5.html#status"><strong>status</strong></a>
-<p><li > <a href="smb.conf.5.html#strictlocking"><strong>strict locking</strong></a>
-<p><li > <a href="smb.conf.5.html#strictsync"><strong>strict sync</strong></a>
-<p><li > <a href="smb.conf.5.html#syncalways"><strong>sync always</strong></a>
-<p><li > <a href="smb.conf.5.html#user"><strong>user</strong></a>
-<p><li > <a href="smb.conf.5.html#username"><strong>username</strong></a>
-<p><li > <a href="smb.conf.5.html#users"><strong>users</strong></a>
-<p><li > <a href="smb.conf.5.html#utmp"><strong>utmp</strong></a>
-<p><li > <a href="smb.conf.5.html#validusers"><strong>valid users</strong></a>
-<p><li > <a href="smb.conf.5.html#vetofiles"><strong>veto files</strong></a>
-<p><li > <a href="smb.conf.5.html#vetooplockfiles"><strong>veto oplock files</strong></a>
-<p><li > <a href="smb.conf.5.html#volume"><strong>volume</strong></a>
-<p><li > <a href="smb.conf.5.html#widelinks"><strong>wide links</strong></a>
-<p><li > <a href="smb.conf.5.html#writable"><strong>writable</strong></a>
-<p><li > <a href="smb.conf.5.html#writecachesize"><strong>write cache size</strong></a>
-<p><li > <a href="smb.conf.5.html#writelist"><strong>write list</strong></a>
-<p><li > <a href="smb.conf.5.html#writeok"><strong>write ok</strong></a>
-<p><li > <a href="smb.conf.5.html#writeable"><strong>writeable</strong></a>
-<p></dl>
-<p><a name="EXPLANATIONOFEACHPARAMETER"></a>
-<h2>EXPLANATION OF EACH PARAMETER</h2>
-
-<p><dl>
-<p><a name="adduserscript"></a>
-<p></p><dt><strong><strong>add user script (G)</strong></strong><dd>
-<p>This is the full pathname to a script that will be run <em>AS ROOT</em> by
-<a href="smbd.8.html"><strong>smbd (8)</strong></a> under special circumstances decribed
-below.
-<p>Normally, a Samba server requires that UNIX users are created for all
-users accessing files on this server. For sites that use Windows NT
-account databases as their primary user database creating these users
-and keeping the user list in sync with the Windows NT PDC is an
-onerous task. This option allows <a href="smbd.8.html"><strong>smbd</strong></a> to create
-the required UNIX users <em>ON DEMAND</em> when a user accesses the Samba
-server.
-<p>In order to use this option, <a href="smbd.8.html"><strong>smbd</strong></a> must be set to
-<a href="smb.conf.5.html#securityequalserver"><strong>security=server</strong></a> or
-<a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a> and <strong>"add user script"</strong>
-must be set to a full pathname for a script that will create a UNIX user
-given one argument of <strong>%u</strong>, which expands into the UNIX user name to
-create.
-<p>When the Windows user attempts to access the Samba server, at
-<em>"login"</em>(session setup in the SMB protocol) time,
-<a href="smbd.8.html"><strong>smbd</strong></a> contacts the <a href="smb.conf.5.html#passwordserver"><strong>password
-server</strong></a> and attempts to authenticate the given user
-with the given password. If the authentication succeeds then
-<a href="smbd.8.html"><strong>smbd</strong></a> attempts to find a UNIX user in the UNIX
-password database to map the Windows user into. If this lookup fails,
-and <strong>"add user script"</strong> is set then <a href="smbd.8.html"><strong>smbd</strong></a> will
-call the specified script <em>AS ROOT</em>, expanding any <strong>%u</strong> argument
-to be the user name to create.
-<p>If this script successfully creates the user then
-<a href="smbd.8.html"><strong>smbd</strong></a> will continue on as though the UNIX user
-already existed. In this way, UNIX users are dynamically created to
-match existing Windows NT accounts.
-<p>See also <a href="smb.conf.5.html#securityequalserver"><strong>security=server</strong></a>,
-<a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a>, <a href="smb.conf.5.html#passwordserver"><strong>password
-server</strong></a>, <a href="smb.conf.5.html#deleteuserscript"><strong>delete user
-script</strong></a>.
-<p><strong>Default:</strong>
-<code> add user script = <empty string></code>
-<p><strong>Example:</strong>
-<code> add user script = /usr/local/samba/bin/add_user %u</code>
-<p><a name="adminusers"></a>
-<p></p><dt><strong><strong>admin users (S)</strong></strong><dd>
-<p>This is a list of users who will be granted administrative privileges
-on the share. This means that they will do all file operations as the
-super-user (root).
-<p>You should use this option very carefully, as any user in this list
-will be able to do anything they like on the share, irrespective of
-file permissions.
-<p><strong>Default:</strong> <br>
-<code> no admin users</code>
-<p><strong>Example:</strong> <br>
-<code> admin users = jason</code>
-<p><a name="allowhosts"></a>
-<p></p><dt><strong><strong>allow hosts (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#hostsallow"><strong>hosts allow</strong></a>.
-<p><a name="allowtrusteddomains"></a>
-<p></p><dt><strong><strong>allow trusted domains (G)</strong></strong><dd>
-<p>This option only takes effect when the <a href="smb.conf.5.html#security"><strong>security</strong></a>
-option is set to <strong>server</strong> or <strong>domain</strong>. If it is set to no,
-then attempts to connect to a resource from a domain or workgroup other than
-the one which smbd is running in will fail, even if that domain
-is trusted by the remote server doing the authentication.
-<p>This is useful if you only want your Samba server to serve resources
-to users in the domain it is a member of. As an example, suppose that there are
-two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains
-the Samba server. Under normal circumstances, a user with an account
-in DOMB can then access the resources of a UNIX account with the same
-account name on the Samba server even if they do not have an account
-in DOMA. This can make implementing a security boundary difficult.
-<p><strong>Default:</strong>
-<code> allow trusted domains = Yes</code>
-<p><strong>Example:</strong>
-<code> allow trusted domains = No</code>
-<p><a name="alternatepermissions"></a>
-<p></p><dt><strong><strong>alternate permissions (S)</strong></strong><dd>
-<p>This is a deprecated parameter. It no longer has any effect in Samba2.0.
-In previous versions of Samba it affected the way the DOS "read only"
-attribute was mapped for a file. In Samba2.0 a file is marked "read only"
-if the UNIX file does not have the 'w' bit set for the owner of the file,
-regardless if the owner of the file is the currently logged on user or not.
-<p><a name="announceas"></a>
-<p></p><dt><strong><strong>announce as (G)</strong></strong><dd>
-<p>This specifies what type of server <a href="nmbd.8.html"><strong>nmbd</strong></a> will
-announce itself as, to a network neighborhood browse list. By default
-this is set to Windows NT. The valid options are : "NT", which is a
-synonym for "NT Server", "NT Server", "NT Workstation", "Win95" or
-"WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95
-and Windows for Workgroups respectively. Do not change this parameter
-unless you have a specific need to stop Samba appearing as an NT server
-as this may prevent Samba servers from participating as browser servers correctly.
-<p><strong>Default:</strong>
-<code> announce as = NT Server</code>
-<p><strong>Example</strong>
-<code> announce as = Win95</code>
-<p><a name="announceversion"></a>
-<p></p><dt><strong><strong>announce version (G)</strong></strong><dd>
-<p>This specifies the major and minor version numbers that nmbd will use
-when announcing itself as a server. The default is 4.2. Do not change
-this parameter unless you have a specific need to set a Samba server
-to be a downlevel server.
-<p><strong>Default:</strong>
-<code> announce version = 4.2</code>
-<p><strong>Example:</strong>
-<code> announce version = 2.0</code>
-<p><a name="autoservices"></a>
-<p></p><dt><strong><strong>auto services (G)</strong></strong><dd>
-<p>This is a list of services that you want to be automatically added to
-the browse lists. This is most useful for homes and printers services
-that would otherwise not be visible.
-<p>Note that if you just want all printers in your printcap file loaded
-then the <a href="smb.conf.5.html#loadprinters"><strong>"load printers"</strong></a> option is easier.
-<p><strong>Default:</strong>
-<code> no auto services</code>
-<p><strong>Example:</strong>
-<code> auto services = fred lp colorlp</code>
-<p><a name="available"></a>
-<p></p><dt><strong><strong>available (S)</strong></strong><dd>
-<p>This parameter lets you <em>'turn off'</em> a service. If <code>'available = no'</code>,
-then <em>ALL</em> attempts to connect to the service will fail. Such failures
-are logged.
-<p><strong>Default:</strong>
-<code> available = yes</code>
-<p><strong>Example:</strong>
-<code> available = no</code>
-<p><a name="bindinterfacesonly"></a>
-<p></p><dt><strong><strong>bind interfaces only (G)</strong></strong><dd>
-<p>This global parameter allows the Samba admin to limit what interfaces
-on a machine will serve smb requests. If affects file service
-<a href="smbd.8.html"><strong>smbd</strong></a> and name service <a href="nmbd.8.html"><strong>nmbd</strong></a>
-in slightly different ways.
-<p>For name service it causes <a href="nmbd.8.html"><strong>nmbd</strong></a> to bind to ports
-137 and 138 on the interfaces listed in the
-<a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a>
-parameter. <a href="nmbd.8.html"><strong>nmbd</strong></a> also binds to the 'all
-addresses' interface (0.0.0.0) on ports 137 and 138 for the purposes
-of reading broadcast messages. If this option is not set then
-<a href="nmbd.8.html"><strong>nmbd</strong></a> will service name requests on all of these
-sockets. If <strong>"bind interfaces only"</strong> is set then
-<a href="nmbd.8.html"><strong>nmbd</strong></a> will check the source address of any
-packets coming in on the broadcast sockets and discard any that don't
-match the broadcast addresses of the interfaces in the
-<a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> parameter list. As unicast packets
-are received on the other sockets it allows <a href="nmbd.8.html"><strong>nmbd</strong></a>
-to refuse to serve names to machines that send packets that arrive
-through any interfaces not listed in the
-<a href="smb.conf.5.html#interfaces"><strong>"interfaces"</strong></a> list. IP Source address spoofing
-does defeat this simple check, however so it must not be used
-seriously as a security feature for <a href="nmbd.8.html"><strong>nmbd</strong></a>.
-<p>For file service it causes <a href="smbd.8.html"><strong>smbd</strong></a> to bind only to
-the interface list given in the <a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a>
-parameter. This restricts the networks that <a href="smbd.8.html"><strong>smbd</strong></a>
-will serve to packets coming in those interfaces. Note that you
-should not use this parameter for machines that are serving PPP or
-other intermittent or non-broadcast network interfaces as it will not
-cope with non-permanent interfaces.
-<p>If <strong>"bind interfaces only"</strong> is set then unless the network address
-<em>127.0.0.1</em> is added to the <a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> parameter
-list <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> and
-<a href="swat.8.html"><strong>swat</strong></a> may not work as expected due to the
-reasons covered below.
-<p>To change a users SMB password, the <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a>
-by default connects to the <em>"localhost" - 127.0.0.1</em> address as an SMB
-client to issue the password change request. If <strong>"bind interfaces only"</strong>
-is set then unless the network address <em>127.0.0.1</em> is added to the
-<a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> parameter list then
-<a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> will fail to connect in it's
-default mode. <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> can be forced to
-use the primary IP interface of the local host by using its
-<a href="smbpasswd.8.html#minusr"><strong>"-r remote machine"</strong></a> parameter, with
-<strong>"remote machine"</strong> set to the IP name of the primary interface
-of the local host.
-<p>The <a href="swat.8.html"><strong>swat</strong></a> status page tries to connect with
-<a href="smbd.8.html"><strong>smbd</strong></a> and <a href="nmbd.8.html"><strong>nmbd</strong></a> at the address
-<em>127.0.0.1</em> to determine if they are running. Not adding <em>127.0.0.1</em> will cause
-<a href="smbd.8.html"><strong>smbd</strong></a> and <a href="nmbd.8.html"><strong>nmbd</strong></a> to always show
-"not running" even if they really are. This can prevent
-<a href="swat.8.html"><strong>swat</strong></a> from starting/stopping/restarting
-<a href="smbd.8.html"><strong>smbd</strong></a> and <a href="nmbd.8.html"><strong>nmbd</strong></a>.
-<p><strong>Default:</strong>
-<code> bind interfaces only = False</code>
-<p><strong>Example:</strong>
-<code> bind interfaces only = True</code>
-<p><a name="blockinglocks"></a>
-<p></p><dt><strong><strong>blocking locks (S)</strong></strong><dd>
-<p>This parameter controls the behavior of <a href="smbd.8.html"><strong>smbd</strong></a> when
-given a request by a client to obtain a byte range lock on a region
-of an open file, and the request has a time limit associated with it.
-<p>If this parameter is set and the lock range requested cannot be
-immediately satisfied, Samba 2.0 will internally queue the lock
-request, and periodically attempt to obtain the lock until the
-timeout period expires.
-<p>If this parameter is set to "False", then Samba 2.0 will behave
-as previous versions of Samba would and will fail the lock
-request immediately if the lock range cannot be obtained.
-<p>This parameter can be set per share.
-<p><strong>Default:</strong>
-<code> blocking locks = True</code>
-<p><strong>Example:</strong>
-<code> blocking locks = False</code>
-<p><a name="browsable"></a>
-<p></p><dt><strong><strong>browsable (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#browseable"><strong>browseable</strong></a>.
-<p><a name="browselist"></a>
-<p></p><dt><strong><strong>browse list(G)</strong></strong><dd>
-<p>This controls whether <a href="smbd.8.html"><strong>smbd</strong></a> will serve a browse
-list to a client doing a NetServerEnum call. Normally set to true. You
-should never need to change this.
-<p><strong>Default:</strong>
-<code> browse list = Yes</code>
-<p><a name="browseable"></a>
-<p></p><dt><strong><strong>browseable</strong></strong><dd>
-<p>This controls whether this share is seen in the list of available
-shares in a net view and in the browse list.
-<p><strong>Default:</strong>
-<code> browseable = Yes</code>
-<p><strong>Example:</strong>
-<code> browseable = No</code>
-<p><a name="casesensitive"></a>
-<p></p><dt><strong><strong>case sensitive (S)</strong></strong><dd>
-<p>See the discussion in the section <a href="smb.conf.5.html#NAMEMANGLING"><strong>NAME MANGLING</strong></a>.
-<p><a name="casesignames"></a>
-<p></p><dt><strong><strong>casesignames (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#casesensitive"><strong>"case sensitive"</strong></a>.
-<p><a name="changenotifytimeout"></a>
-<p></p><dt><strong><strong>change notify timeout (G)</strong></strong><dd>
-<p>One of the new NT SMB requests that Samba 2.0 supports is the
-"ChangeNotify" requests. This SMB allows a client to tell a server to
-<em>"watch"</em> a particular directory for any changes and only reply to
-the SMB request when a change has occurred. Such constant scanning of
-a directory is expensive under UNIX, hence an
-<a href="smbd.8.html"><strong>smbd</strong></a> daemon only performs such a scan on each
-requested directory once every <strong>change notify timeout</strong> seconds.
-<p><strong>change notify timeout</strong> is specified in units of seconds.
-<p><strong>Default:</strong>
-<code> change notify timeout = 60</code>
-<p><strong>Example:</strong>
-<code> change notify timeout = 300</code>
-<p>Would change the scan time to every 5 minutes.
-<p><a name="characterset"></a>
-<p></p><dt><strong><strong>character set (G)</strong></strong><dd>
-<p>This allows a smbd to map incoming filenames from a DOS Code page (see
-the <a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> parameter) to several
-built in UNIX character sets. The built in code page translations are:
-<p><dl>
-<p><li > <strong>ISO8859-1</strong> Western European UNIX character set. The parameter
-<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code
-page 850 if the <strong>character set</strong> parameter is set to iso8859-1
-in order for the conversion to the UNIX character set to be done
-correctly.
-<p><li > <strong>ISO8859-2</strong> Eastern European UNIX character set. The parameter
-<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code
-page 852 if the <strong>character set</strong> parameter is set to ISO8859-2
-in order for the conversion to the UNIX character set to be done
-correctly.
-<p><li > <strong>ISO8859-5</strong> Russian Cyrillic UNIX character set. The parameter
-<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code
-page 866 if the <strong>character set</strong> parameter is set to ISO8859-5
-in order for the conversion to the UNIX character set to be done
-correctly.
-<p><li > <strong>ISO8859-7</strong> Greek UNIX character set. The parameter
-<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code
-page 737 if the <strong>character set</strong> parameter is set to ISO8859-7
-in order for the conversion to the UNIX character set to be done
-correctly.
-<p><li > <strong>KOI8-R</strong> Alternate mapping for Russian Cyrillic UNIX
-character set. The parameter <a href="smb.conf.5.html#clientcodepage"><strong>client code
-page</strong></a> <em>MUST</em> be set to code page 866 if the
-<strong>character set</strong> parameter is set to KOI8-R in order for the
-conversion to the UNIX character set to be done correctly.
-<p></dl>
-<p><em>BUG</em>. These MSDOS code page to UNIX character set mappings should
-be dynamic, like the loading of MS DOS code pages, not static.
-<p>See also <a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a>. Normally this
-parameter is not set, meaning no filename translation is done.
-<p><strong>Default:</strong>
-<code> character set = <empty string></code>
-<p><strong>Example:</strong>
-<code> character set = ISO8859-1</code>
-<p><a name="clientcodepage"></a>
-<p></p><dt><strong><strong>client code page (G)</strong></strong><dd>
-<p>This parameter specifies the DOS code page that the clients accessing
-Samba are using. To determine what code page a Windows or DOS client
-is using, open a DOS command prompt and type the command "chcp". This
-will output the code page. The default for USA MS-DOS, Windows 95, and
-Windows NT releases is code page 437. The default for western european
-releases of the above operating systems is code page 850.
-<p>This parameter tells <a href="smbd.8.html"><strong>smbd</strong></a> which of the
-<code>codepage.XXX</code> files to dynamically load on startup. These files,
-described more fully in the manual page <a href="make_smbcodepage.1.html"><strong>make_smbcodepage
-(1)</strong></a>, tell <a href="smbd.8.html"><strong>smbd</strong></a> how
-to map lower to upper case characters to provide the case insensitivity
-of filenames that Windows clients expect.
-<p>Samba currently ships with the following code page files :
-<p><dl>
-<p><li > <strong>Code Page 437 - MS-DOS Latin US</strong>
-<p><li > <strong>Code Page 737 - Windows '95 Greek</strong>
-<p><li > <strong>Code Page 850 - MS-DOS Latin 1</strong>
-<p><li > <strong>Code Page 852 - MS-DOS Latin 2</strong>
-<p><li > <strong>Code Page 861 - MS-DOS Icelandic</strong>
-<p><li > <strong>Code Page 866 - MS-DOS Cyrillic</strong>
-<p><li > <strong>Code Page 932 - MS-DOS Japanese SJIS</strong>
-<p><li > <strong>Code Page 936 - MS-DOS Simplified Chinese</strong>
-<p><li > <strong>Code Page 949 - MS-DOS Korean Hangul</strong>
-<p><li > <strong>Code Page 950 - MS-DOS Traditional Chinese</strong>
-<p></dl>
-<p>Thus this parameter may have any of the values 437, 737, 850, 852,
-861, 932, 936, 949, or 950. If you don't find the codepage you need,
-read the comments in one of the other codepage files and the
-<a href="make_smbcodepage.1.html"><strong>make_smbcodepage (1)</strong></a> man page and
-write one. Please remember to donate it back to the Samba user
-community.
-<p>This parameter co-operates with the <a href="smb.conf.5.html#validchars"><strong>"valid
-chars"</strong></a> parameter in determining what characters are
-valid in filenames and how capitalization is done. If you set both
-this parameter and the <a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> parameter
-the <strong>"client code page"</strong> parameter <em>MUST</em> be set before the
-<a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> parameter in the <strong>smb.conf</strong>
-file. The <a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> string will then augment
-the character settings in the "client code page" parameter.
-<p>If not set, <strong>"client code page"</strong> defaults to 850.
-<p>See also : <a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a>
-<p><strong>Default:</strong>
-<code> client code page = 850</code>
-<p><strong>Example:</strong>
-<code> client code page = 936</code>
-<p><a name="codingsystem"></a>
-<p></p><dt><strong><strong>codingsystem (G)</strong></strong><dd>
-<p>This parameter is used to determine how incoming Shift-JIS Japanese
-characters are mapped from the incoming <a href="smb.conf.5.html#clientcodepage"><strong>"client code
-page"</strong></a> used by the client, into file names in the
-UNIX filesystem. Only useful if <a href="smb.conf.5.html#clientcodepage"><strong>"client code
-page"</strong></a> is set to 932 (Japanese Shift-JIS).
-<p>The options are :
-<p><dl>
-<p><li > <strong>SJIS</strong> Shift-JIS. Does no conversion of the incoming filename.
-<p><li > <strong>JIS8, J8BB, J8BH, J8@B, J8@J, J8@H </strong> Convert from incoming
-Shift-JIS to eight bit JIS code with different shift-in, shift out
-codes.
-<p><li > <strong>JIS7, J7BB, J7BH, J7@B, J7@J, J7@H </strong> Convert from incoming
-Shift-JIS to seven bit JIS code with different shift-in, shift out
-codes.
-<p><li > <strong>JUNET, JUBB, JUBH, JU@B, JU@J, JU@H </strong> Convert from incoming
-Shift-JIS to JUNET code with different shift-in, shift out codes.
-<p><li > <strong>EUC</strong> Convert an incoming Shift-JIS character to EUC code.
-<p><li > <strong>HEX</strong> Convert an incoming Shift-JIS character to a 3 byte hex
-representation, i.e. <code>:AB</code>.
-<p><li > <strong>CAP</strong> Convert an incoming Shift-JIS character to the 3 byte hex
-representation used by the Columbia AppleTalk Program (CAP),
-i.e. <code>:AB</code>. This is used for compatibility between Samba and CAP.
-<p></dl>
-<p><a name="comment"></a>
-<p></p><dt><strong><strong>comment (S)</strong></strong><dd>
-<p>This is a text field that is seen next to a share when a client does a
-queries the server, either via the network neighborhood or via "net
-view" to list what shares are available.
-<p>If you want to set the string that is displayed next to the machine
-name then see the server string command.
-<p><strong>Default:</strong>
-<code> No comment string</code>
-<p><strong>Example:</strong>
-<code> comment = Fred's Files</code>
-<p><a name="configfile"></a>
-<p></p><dt><strong><strong>config file (G)</strong></strong><dd>
-<p>This allows you to override the config file to use, instead of the
-default (usually <strong>smb.conf</strong>). There is a chicken and egg problem
-here as this option is set in the config file!
-<p>For this reason, if the name of the config file has changed when the
-parameters are loaded then it will reload them from the new config
-file.
-<p>This option takes the usual substitutions, which can be very useful.
-<p>If the config file doesn't exist then it won't be loaded (allowing you
-to special case the config files of just a few clients).
-<p><strong>Example:</strong>
-<code> config file = /usr/local/samba/lib/smb.conf.%m</code>
-<p><a name="copy"></a>
-<p></p><dt><strong><strong>copy (S)</strong></strong><dd>
-<p>This parameter allows you to <em>'clone'</em> service entries. The specified
-service is simply duplicated under the current service's name. Any
-parameters specified in the current section will override those in the
-section being copied.
-<p>This feature lets you set up a 'template' service and create similar
-services easily. Note that the service being copied must occur earlier
-in the configuration file than the service doing the copying.
-<p><strong>Default:</strong>
-<code> none</code>
-<p><strong>Example:</strong>
-<code> copy = otherservice</code>
-<p><a name="createmask"></a>
-<p></p><dt><strong><strong>create mask (S)</strong></strong><dd>
-<p>A synonym for this parameter is <a href="smb.conf.5.html#createmode"><strong>'create mode'</strong></a>.
-<p>When a file is created, the necessary permissions are calculated
-according to the mapping from DOS modes to UNIX permissions, and the
-resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
-This parameter may be thought of as a bit-wise MASK for the UNIX modes
-of a file. Any bit <em>*not*</em> set here will be removed from the modes set
-on a file when it is created.
-<p>The default value of this parameter removes the 'group' and 'other'
-write and execute bits from the UNIX modes.
-<p>Following this Samba will bit-wise 'OR' the UNIX mode created from
-this parameter with the value of the "force create mode" parameter
-which is set to 000 by default.
-<p>This parameter does not affect directory modes. See the parameter
-<a href="smb.conf.5.html#directorymode"><strong>'directory mode'</strong></a> for details.
-<p>See also the <a href="smb.conf.5.html#forcecreatemode"><strong>"force create mode"</strong></a> parameter
-for forcing particular mode bits to be set on created files. See also
-the <a href="smb.conf.5.html#directorymode"><strong>"directory mode"</strong></a> parameter for masking
-mode bits on created directories.
-See also the <a href="smb.conf.5.html#inheritpermissions"><strong>"inherit permissions"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> create mask = 0744</code>
-<p><strong>Example:</strong>
-<code> create mask = 0775</code>
-<p><a name="createmode"></a>
-<p></p><dt><strong><strong>create mode (S)</strong></strong><dd>
-<p>This is a synonym for <a href="smb.conf.5.html#createmask"><strong>create mask</strong></a>.
-<p><a name="deadtime"></a>
-<p></p><dt><strong><strong>deadtime (G)</strong></strong><dd>
-<p>The value of the parameter (a decimal integer) represents the number
-of minutes of inactivity before a connection is considered dead, and
-it is disconnected. The deadtime only takes effect if the number of
-open files is zero.
-<p>This is useful to stop a server's resources being exhausted by a large
-number of inactive connections.
-<p>Most clients have an auto-reconnect feature when a connection is
-broken so in most cases this parameter should be transparent to users.
-<p>Using this parameter with a timeout of a few minutes is recommended
-for most systems.
-<p>A deadtime of zero indicates that no auto-disconnection should be
-performed.
-<p><strong>Default:</strong>
-<code> deadtime = 0</code>
-<p><strong>Example:</strong>
-<code> deadtime = 15</code>
-<p><a name="debughirestimestamp"></a>
-<p></p><dt><strong><strong>debug hires timestamp (G)</strong></strong><dd>
-<p>Sometimes the timestamps in the log messages are needed with a
-resolution of higher that seconds, this boolean parameter adds
-microsecond resolution to the timestamp message header when turned on.
-<p>Note that the parameter <a href="smb.conf.5.html#debugtimestamp"><strong>debug timestamp</strong></a>
-must be on for this to have an effect.
-<p><strong>Default:</strong>
-<code> debug hires timestamp = No</code>
-<p><strong>Example:</strong>
-<code> debug hires timestamp = Yes</code>
-<p><a name="debugtimestamp"></a>
-<p></p><dt><strong><strong>debug timestamp (G)</strong></strong><dd>
-<p>Samba2.0 debug log messages are timestamped by default. If you are
-running at a high <a href="smb.conf.5.html#debuglevel"><strong>"debug level"</strong></a> these timestamps
-can be distracting. This boolean parameter allows timestamping to be turned
-off.
-<p><strong>Default:</strong>
-<code> debug timestamp = Yes</code>
-<p><strong>Example:</strong>
-<code> debug timestamp = No</code>
-<p><a name="debugpid"></a>
-<p></p><dt><strong><strong>debug pid (G)</strong></strong><dd>
-<p>When using only one log file for more then one forked smbd-process
-there may be hard to follow which process outputs which message.
-This boolean parameter is adds the process-id to the timestamp message
-headers in the logfile when turned on.
-<p>Note that the parameter <a href="smb.conf.5.html#debugtimestamp"><strong>debug timestamp</strong></a>
-must be on for this to have an effect.
-<p><strong>Default:</strong>
-<code> debug pid = No</code>
-<p><strong>Example:</strong>
-<code> debug pid = Yes</code>
-<p><a name="debuguid"></a>
-<p></p><dt><strong><strong>debug uid (G)</strong></strong><dd>
-<p>Samba is sometimes run as root and sometime run as the connected
-user, this boolean parameter inserts the current euid, egid, uid
-and gid to the timestamp message headers in the log file if turned on.
-<p>Note that the parameter <a href="smb.conf.5.html#debugtimestamp"><strong>debug timestamp</strong></a>
-must be on for this to have an effect.
-<p><strong>Default:</strong>
-<code> debug uid = No</code>
-<p><strong>Example:</strong>
-<code> debug uid = Yes</code>
-<p><a name="debuglevel"></a>
-<p></p><dt><strong><strong>debug level (G)</strong></strong><dd>
-<p>The value of the parameter (an integer) allows the debug level
-(logging level) to be specified in the <strong>smb.conf</strong> file. This is to
-give greater flexibility in the configuration of the system.
-<p>The default will be the debug level specified on the command line
-or level zero if none was specified.
-<p><strong>Example:</strong>
-<code> debug level = 3</code>
-<p><a name="default"></a>
-<p></p><dt><strong><strong>default (G)</strong></strong><dd>
-<p>A synonym for <a href="smb.conf.5.html#defaultservice"><strong>default service</strong></a>.
-<p><a name="defaultcase"></a>
-<p></p><dt><strong><strong>default case (S)</strong></strong><dd>
-<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a>. Also note
-the <a href="smb.conf.5.html#shortpreservecase"><strong>"short preserve case"</strong></a> parameter.
-<p><a name="defaultservice"></a>
-<p></p><dt><strong><strong>default service (G)</strong></strong><dd>
-<p>This parameter specifies the name of a service which will be connected
-to if the service actually requested cannot be found. Note that the
-square brackets are <em>NOT</em> given in the parameter value (see example
-below).
-<p>There is no default value for this parameter. If this parameter is not
-given, attempting to connect to a nonexistent service results in an
-error.
-<p>Typically the default service would be a <a href="smb.conf.5.html#guestok"><strong>guest ok</strong></a>,
-<a href="smb.conf.5.html#readonly"><strong>read-only</strong></a> service.
-<p>Also note that the apparent service name will be changed to equal that
-of the requested service, this is very useful as it allows you to use
-macros like <a href="smb.conf.5.html#percentS"><strong>%S</strong></a> to make a wildcard service.
-<p>Note also that any <code>'_'</code> characters in the name of the service used
-in the default service will get mapped to a <code>'/'</code>. This allows for
-interesting things.
-<p><strong>Example:</strong>
-<pre>
-
- default service = pub
+ </TT
+>
+ </PRE
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN48"
+></A
+><H2
+>SPECIAL SECTIONS</H2
+><DIV
+CLASS="REFSECT2"
+><A
+NAME="AEN50"
+></A
+><H3
+>The [global] section</H3
+><P
+>parameters in this section apply to the server
+ as a whole, or are defaults for sections which do not
+ specifically define certain items. See the notes
+ under paraMETERS for more information.</P
+></DIV
+><DIV
+CLASS="REFSECT2"
+><A
+NAME="AEN53"
+></A
+><H3
+>The [homes] section</H3
+><P
+>If a section called homes is included in the
+ configuration file, services connecting clients to their
+ home directories can be created on the fly by the server.</P
+><P
+>When the connection request is made, the existing
+ sections are scanned. If a match is found, it is used. If no
+ match is found, the requested section name is treated as a
+ user name and looked up in the local password file. If the
+ name exists and the correct password has been given, a share is
+ created by cloning the [homes] section.</P
+><P
+>Some modifications are then made to the newly
+ created share:</P
+><P
+></P
+><UL
+><LI
+><P
+>The share name is changed from homes to
+ the located username.</P
+></LI
+><LI
+><P
+>If no path was given, the path is set to
+ the user's home directory.</P
+></LI
+></UL
+><P
+>If you decide to use a <I
+CLASS="EMPHASIS"
+>path=</I
+> line
+ in your [homes] section then you may find it useful
+ to use the %S macro. For example :</P
+><P
+><TT
+CLASS="USERINPUT"
+><B
+>path=/data/pchome/%S</B
+></TT
+></P
+><P
+>would be useful if you have different home directories
+ for your PCs than for UNIX access.</P
+><P
+>This is a fast and simple way to give a large number
+ of clients access to their home directories with a minimum
+ of fuss.</P
+><P
+>A similar process occurs if the requested section
+ name is "homes", except that the share name is not
+ changed to that of the requesting user. This method of using
+ the [homes] section works well if different users share
+ a client PC.</P
+><P
+>The [homes] section can specify all the parameters
+ a normal service section can specify, though some make more sense
+ than others. The following is a typical and suitable [homes]
+ section:</P
+><PRE
+CLASS="SCREEN"
+> <TT
+CLASS="COMPUTEROUTPUT"
+> [homes]
+ writeable = yes
+ </TT
+>
+ </PRE
+><P
+>An important point is that if guest access is specified
+ in the [homes] section, all home directories will be
+ visible to all clients <I
+CLASS="EMPHASIS"
+>without a password</I
+>.
+ In the very unlikely event that this is actually desirable, it
+ would be wise to also specify <I
+CLASS="EMPHASIS"
+>read only
+ access</I
+>.</P
+><P
+>Note that the <I
+CLASS="EMPHASIS"
+>browseable</I
+> flag for
+ auto home directories will be inherited from the global browseable
+ flag, not the [homes] browseable flag. This is useful as
+ it means setting browseable=no in the [homes] section
+ will hide the [homes] share but make any auto home
+ directories visible.</P
+></DIV
+><DIV
+CLASS="REFSECT2"
+><A
+NAME="AEN78"
+></A
+><H3
+>The [printers] section</H3
+><P
+>This section works like [homes],
+ but for printers.</P
+><P
+>If a [printers] section occurs in the
+ configuration file, users are able to connect to any printer
+ specified in the local host's printcap file.</P
+><P
+>When a connection request is made, the existing sections
+ are scanned. If a match is found, it is used. If no match is found,
+ but a [homes] section exists, it is used as described
+ above. Otherwise, the requested section name is treated as a
+ printer name and the appropriate printcap file is scanned to see
+ if the requested section name is a valid printer share name. If
+ a match is found, a new printer share is created by cloning
+ the [printers] section.</P
+><P
+>A few modifications are then made to the newly created
+ share:</P
+><P
+></P
+><UL
+><LI
+><P
+>The share name is set to the located printer
+ name</P
+></LI
+><LI
+><P
+>If no printer name was given, the printer name
+ is set to the located printer name</P
+></LI
+><LI
+><P
+>If the share does not permit guest access and
+ no username was given, the username is set to the located
+ printer name.</P
+></LI
+></UL
+><P
+>Note that the [printers] service MUST be
+ printable - if you specify otherwise, the server will refuse
+ to load the configuration file.</P
+><P
+>Typically the path specified would be that of a
+ world-writeable spool directory with the sticky bit set on
+ it. A typical [printers] entry would look like
+ this:</P
+><PRE
+CLASS="SCREEN"
+><TT
+CLASS="COMPUTEROUTPUT"
+> [printers]
+ path = /usr/spool/public
+ guest ok = yes
+ printable = yes
+ </TT
+></PRE
+><P
+>All aliases given for a printer in the printcap file
+ are legitimate printer names as far as the server is concerned.
+ If your printing subsystem doesn't work like that, you will have
+ to set up a pseudo-printcap. This is a file consisting of one or
+ more lines like this:</P
+><PRE
+CLASS="SCREEN"
+> <TT
+CLASS="COMPUTEROUTPUT"
+> alias|alias|alias|alias...
+ </TT
+>
+ </PRE
+><P
+>Each alias should be an acceptable printer name for
+ your printing subsystem. In the [global] section, specify
+ the new file as your printcap. The server will then only recognize
+ names found in your pseudo-printcap, which of course can contain
+ whatever aliases you like. The same technique could be used
+ simply to limit access to a subset of your local printers.</P
+><P
+>An alias, by the way, is defined as any component of the
+ first entry of a printcap record. Records are separated by newlines,
+ components (if there are more than one) are separated by vertical
+ bar symbols ('|').</P
+><P
+>NOTE: On SYSV systems which use lpstat to determine what
+ printers are defined on the system you may be able to use
+ "printcap name = lpstat" to automatically obtain a list
+ of printers. See the "printcap name" option
+ for more details.</P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN101"
+></A
+><H2
+>paraMETRS</H2
+><P
+>parameters define the specific attributes of sections.</P
+><P
+>Some parameters are specific to the [global] section
+ (e.g., <I
+CLASS="EMPHASIS"
+>security</I
+>). Some parameters are usable
+ in all sections (e.g., <I
+CLASS="EMPHASIS"
+>create mode</I
+>). All others
+ are permissible only in normal sections. For the purposes of the
+ following descriptions the [homes] and [printers]
+ sections will be considered normal. The letter <I
+CLASS="EMPHASIS"
+>G</I
+>
+ in parentheses indicates that a parameter is specific to the
+ [global] section. The letter <I
+CLASS="EMPHASIS"
+>S</I
+>
+ indicates that a parameter can be specified in a service specific
+ section. Note that all <I
+CLASS="EMPHASIS"
+>S</I
+> parameters can also be specified in
+ the [global] section - in which case they will define
+ the default behavior for all services.</P
+><P
+>parameters are arranged here in alphabetical order - this may
+ not create best bedfellows, but at least you can find them! Where
+ there are synonyms, the preferred synonym is described, others refer
+ to the preferred synonym.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN111"
+></A
+><H2
+>VARIABLE SUBSTITUTIONS</H2
+><P
+>Many of the strings that are settable in the config file
+ can take substitutions. For example the option "path =
+ /tmp/%u" would be interpreted as "path =
+ /tmp/john" if the user connected with the username john.</P
+><P
+>These substitutions are mostly noted in the descriptions below,
+ but there are some general substitutions which apply whenever they
+ might be relevant. These are:</P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>%S</DT
+><DD
+><P
+>the name of the current service, if any.</P
+></DD
+><DT
+>%P</DT
+><DD
+><P
+>the root directory of the current service,
+ if any.</P
+></DD
+><DT
+>%u</DT
+><DD
+><P
+>user name of the current service, if any.</P
+></DD
+><DT
+>%g</DT
+><DD
+><P
+>primary group name of %u.</P
+></DD
+><DT
+>%U</DT
+><DD
+><P
+>session user name (the user name that the client
+ wanted, not necessarily the same as the one they got).</P
+></DD
+><DT
+>%G</DT
+><DD
+><P
+>primary group name of %U.</P
+></DD
+><DT
+>%H</DT
+><DD
+><P
+>the home directory of the user given
+ by %u.</P
+></DD
+><DT
+>%v</DT
+><DD
+><P
+>the Samba version.</P
+></DD
+><DT
+>%h</DT
+><DD
+><P
+>the internet hostname that Samba is running
+ on.</P
+></DD
+><DT
+>%m</DT
+><DD
+><P
+>the NetBIOS name of the client machine
+ (very useful).</P
+></DD
+><DT
+>%L</DT
+><DD
+><P
+>the NetBIOS name of the server. This allows you
+ to change your config based on what the client calls you. Your
+ server can have a "dual personality".</P
+></DD
+><DT
+>%M</DT
+><DD
+><P
+>the internet name of the client machine.
+ </P
+></DD
+><DT
+>%N</DT
+><DD
+><P
+>the name of your NIS home directory server.
+ This is obtained from your NIS auto.map entry. If you have
+ not compiled Samba with the <I
+CLASS="EMPHASIS"
+>--with-automount</I
+>
+ option then this value will be the same as %.</P
+></DD
+><DT
+>%p</DT
+><DD
+><P
+>the path of the service's home directory,
+ obtained from your NIS auto.map entry. The NIS auto.map entry
+ is split up as "%N:%p".</P
+></DD
+><DT
+>%R</DT
+><DD
+><P
+>the selected protocol level after
+ protocol negotiation. It can be one of CORE, COREPLUS,
+ LANMAN1, LANMAN2 or NT1.</P
+></DD
+><DT
+>%d</DT
+><DD
+><P
+>The process id of the current server
+ process.</P
+></DD
+><DT
+>%a</DT
+><DD
+><P
+>the architecture of the remote
+ machine. Only some are recognized, and those may not be
+ 100% reliable. It currently recognizes Samba, WfWg,
+ WinNT and Win95. Anything else will be known as
+ "UNKNOWN". If it gets it wrong then sending a level
+ 3 log to <A
+HREF="mailto:samba@samba.org"
+TARGET="_top"
+>samba@samba.org
+ </A
+> should allow it to be fixed.</P
+></DD
+><DT
+>%I</DT
+><DD
+><P
+>The IP address of the client machine.</P
+></DD
+><DT
+>%T</DT
+><DD
+><P
+>the current date and time.</P
+></DD
+><DT
+>%$(<TT
+CLASS="REPLACEABLE"
+><I
+>envvar</I
+></TT
+>)</DT
+><DD
+><P
+>The value of the environment variable
+ <TT
+CLASS="REPLACEABLE"
+><I
+>envar</I
+></TT
+>.</P
+></DD
+></DL
+></DIV
+><P
+>There are some quite creative things that can be done
+ with these substitutions and other smb.conf options.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN201"
+></A
+><H2
+>NAME MANGLING</H2
+><P
+>Samba supports "name mangling" so that DOS and
+ Windows clients can use files that don't conform to the 8.3 format.
+ It can also be set to adjust the case of 8.3 format filenames.</P
+><P
+>There are several options that control the way mangling is
+ performed, and they are grouped here rather than listed separately.
+ For the defaults look at the output of the testparm program. </P
+><P
+>All of these options can be set separately for each service
+ (or globally, of course). </P
+><P
+>The options are: </P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>mangle case= yes/no</DT
+><DD
+><P
+> controls if names that have characters that
+ aren't of the "default" case are mangled. For example,
+ if this is yes then a name like "Mail" would be mangled.
+ Default <I
+CLASS="EMPHASIS"
+>no</I
+>.</P
+></DD
+><DT
+>case sensitive = yes/no</DT
+><DD
+><P
+>controls whether filenames are case sensitive. If
+ they aren't then Samba must do a filename search and match on passed
+ names. Default <I
+CLASS="EMPHASIS"
+>no</I
+>.</P
+></DD
+><DT
+>default case = upper/lower</DT
+><DD
+><P
+>controls what the default case is for new
+ filenames. Default <I
+CLASS="EMPHASIS"
+>lower</I
+>.</P
+></DD
+><DT
+>preserve case = yes/no</DT
+><DD
+><P
+>controls if new files are created with the
+ case that the client passes, or if they are forced to be the
+ "default" case. Default <I
+CLASS="EMPHASIS"
+>yes</I
+>.
+ </P
+></DD
+><DT
+>short preserve case = yes/no</DT
+><DD
+><P
+>controls if new files which conform to 8.3 syntax,
+ that is all in upper case and of suitable length, are created
+ upper case, or if they are forced to be the "default"
+ case. This option can be use with "preserve case = yes"
+ to permit long filenames to retain their case, while short names
+ are lowered. Default <I
+CLASS="EMPHASIS"
+>yes</I
+>.</P
+></DD
+></DL
+></DIV
+><P
+>By default, Samba 2.2 has the same semantics as a Windows
+ NT server, in that it is case insensitive but case preserving.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN234"
+></A
+><H2
+>NOTE ABOUT USERNAME/PASSWORD VALIDATION</H2
+><P
+>There are a number of ways in which a user can connect
+ to a service. The server follows the following steps in determining
+ if it will allow a connection to a specified service. If all the
+ steps fail then the connection request is rejected. If one of the
+ steps pass then the following steps are not checked.</P
+><P
+>If the service is marked "guest only = yes" then
+ steps 1 to 5 are skipped.</P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+>If the client has passed a username/password
+ pair and that username/password pair is validated by the UNIX
+ system's password programs then the connection is made as that
+ username. Note that this includes the
+ \\server\service%<TT
+CLASS="REPLACEABLE"
+><I
+>username</I
+></TT
+> method of passing
+ a username.</P
+></LI
+><LI
+><P
+>If the client has previously registered a username
+ with the system and now supplies a correct password for that
+ username then the connection is allowed.</P
+></LI
+><LI
+><P
+>The client's netbios name and any previously
+ used user names are checked against the supplied password, if
+ they match then the connection is allowed as the corresponding
+ user.</P
+></LI
+><LI
+><P
+>If the client has previously validated a
+ username/password pair with the server and the client has passed
+ the validation token then that username is used. </P
+></LI
+><LI
+><P
+>If a "user = " field is given in the
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file for the service and the client
+ has supplied a password, and that password matches (according to
+ the UNIX system's password checking) with one of the usernames
+ from the "user=" field then the connection is made as
+ the username in the "user=" line. If one
+ of the username in the "user=" list begins with a
+ '@' then that name expands to a list of names in
+ the group of the same name.</P
+></LI
+><LI
+><P
+>If the service is a guest service then a
+ connection is made as the username given in the "guest
+ account =" for the service, irrespective of the
+ supplied password.</P
+></LI
+></OL
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN253"
+></A
+><H2
+>COMPLETE LIST OF GLOBAL PARAMETERS</H2
+><P
+>Here is a list of all global parameters. See the section of
+ each parameter for details. Note that some are synonyms.</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>allow trusted domains</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>announce as</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>announce version</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>auto services</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>bind interfaces only</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>browse list</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>change notify timeout</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>character set</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>coding system</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>config file</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>deadtime</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>debug hires timestamp</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>debug pid</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>debug timestamp</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>debug uid</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>debug level</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>default</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>default service</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>delete user script</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>dfree command</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>dns proxy</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>domain admin group</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>domain admin users</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>domain groups</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>domain guest group</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>domain guest users</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>domain logons</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>domain master</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>encrypt passwords</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>getwd cache</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>hide local users</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>homedir map</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>hosts equiv</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>keepalive</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>kernel oplocks</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>lm announce</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>lm interval</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>load printers</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>local master</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>lock dir</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>lock directory</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>log file</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>log level</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>logon drive</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>logon path</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>logon script</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>lpq cache time</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>machine password timeout</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>mangled stack</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>max disk size</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>max log size</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>max mux</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>max open files</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>max packet</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>max ttl</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>max wins ttl</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>max xmit</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>message command</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>min passwd length</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>min password length</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>min wins ttl</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>name resolve order</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>netbios aliases</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>netbios name</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>netbios scope</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>nis homedir</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>nt acl support</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>nt pipe support</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>nt smb support</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>null passwords</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ole locking compatibility</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>oplock break wait time</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>os level</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>panic action</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat debug</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>password level</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>prefered master</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>preferred master</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>preload</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printcap</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printcap name</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer driver file</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>private dir</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>protocol</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>read bmpx</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>read prediction</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>read raw</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>read size</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>remote announce</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>remote browse sync</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>restrict anonymous</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>root</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>root dir</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>root directory</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>security</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>server string</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>shared mem size</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>smb passwd file</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>smbrun</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>socket address</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>socket options</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>source environment</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl CA certDir</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl CA certFile</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl ciphers</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl client cert</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl client key</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl compatibility</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl hosts</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl hosts resign</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl require clientcert</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl require servercert</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl server cert</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl server key</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>ssl version</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>stat cache</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>stat cache size</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>strip dot</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>syslog</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>syslog only</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>template homedir</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>template shell</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>time offset</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>time server</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>timestamp logs</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>unix password sync</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>unix realname</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>update encrypted</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>use rhosts</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>username level</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>username map</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>utmp directory</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>valid chars</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>winbind cache time</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>winbind gid</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>winbind uid</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>wins hook</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>wins proxy</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>wins server</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>wins support</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>write raw</I
+></TT
+> </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN710"
+></A
+><H2
+>COMPLETE LIST OF SERVICE PARAMETERS</H2
+><P
+>Here is a list of all service parameters. See the section of
+ each parameter for details. Note that some are synonyms.</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>admin users</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>allow hosts</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>alternate permissions</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>available</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>blocking locks</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>browsable</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>browseable</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>case sensitive</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>casesignames</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>comment</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>copy</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>create mode</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>default case</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>delete readonly</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>delete veto files</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>deny hosts</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory mask</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory mode</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>directory security mask</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>dont descend</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>dos filetime resolution</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>dos filetimes</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>exec</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>fake directory create times</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>fake oplocks</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>follow symlinks</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force directory mode</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force directory security mode</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force group</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>force user</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>fstype</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>group</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>guest ok</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>guest only</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>hide dot files</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>hide files</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>hosts allow</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>hosts deny</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>include</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>inherit permissions</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>invalid users</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>level2 oplocks</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>locking</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>lppause command</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>lpq command</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>lpresume command</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>lprm command</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>magic output</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>magic script</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>mangle case</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>mangle locks</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>mangled map</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>mangled names</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>mangling char</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>map archive</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>map hidden</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>map system</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>max connections</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>min print space</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>only guest</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>only user</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>oplock contention limit</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>path</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>postexec</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>postscript</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>preexec</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>preexec close</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>preserve case</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>print command</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>print ok</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printable</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer admin</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer driver</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer driver location</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printer name</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>public</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>queuepause command</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>queueresume command</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>read list</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>read only</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>root postexec</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>root preexec</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>root preexec close</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>set directory</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>share modes</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>short preserve case</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>status</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>strict locking</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>strict sync</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>sync always</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>username</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>users</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>utmp</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>valid users</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>veto files</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>veto oplock files</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>volume</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>wide links</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>writable</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>write cache size</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>write list</I
+></TT
+></P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>write ok</I
+></TT
+> </P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>writeable</I
+></TT
+> </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN1053"
+></A
+><H2
+>EXPLANATION OF EACH PARAMETER</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><A
+NAME="ADDUSERSCRIPT"
+></A
+>add user script (G)</DT
+><DD
+><P
+>This is the full pathname to a script that will
+ be run <I
+CLASS="EMPHASIS"
+>AS ROOT</I
+> by <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)
+ </A
+> under special circumstances decribed below.</P
+><P
+>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> to create the required UNIX users
+ <I
+CLASS="EMPHASIS"
+>ON DEMAND</I
+> when a user accesses the Samba server.</P
+><P
+>In order to use this option, <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+>
+ must be set to <TT
+CLASS="PARAMETER"
+><I
+>security=server</I
+></TT
+> or <TT
+CLASS="PARAMETER"
+><I
+> security=domain</I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+>
+ must be set to a full pathname for a script that will create a UNIX
+ user given one argument of <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+>, which expands into
+ the UNIX user name to create.</P
+><P
+>When the Windows user attempts to access the Samba server,
+ at login (session setup in the SMB protocol) time, <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd</A
+> contacts the <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> and
+ attempts to authenticate the given user with the given password. If the
+ authentication succeeds then <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+>
+ attempts to find a UNIX user in the UNIX password database to map the
+ Windows user into. If this lookup fails, and <TT
+CLASS="PARAMETER"
+><I
+>add user script
+ </I
+></TT
+> is set then <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> will
+ call the specified script <I
+CLASS="EMPHASIS"
+>AS ROOT</I
+>, expanding
+ any <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+> argument to be the user name to create.</P
+><P
+>If this script successfully creates the user then <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> will continue on as though the UNIX user
+ already existed. In this way, UNIX users are dynamically created to
+ match existing Windows NT accounts.</P
+><P
+>See also <A
+HREF="smb.conf.5.html#security"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+> security</I
+></TT
+></A
+>, <A
+HREF="smb.conf.5.html#passwordserver"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+></A
+>, <A
+HREF="smb.conf.5.html#deleteuserscript"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>delete user
+ script</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>add user script = <empty string>
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>add user script = /usr/local/samba/bin/add_user
+ %u</B
+></P
+></DD
+><DT
+><A
+NAME="ADMINUSERS"
+></A
+>admin users (S)</DT
+><DD
+><P
+>This is a list of users who will be granted
+ administrative privileges on the share. This means that they
+ will do all file operations as the super-user (root).</P
+><P
+>You should use this option very carefully, as any user in
+ this list will be able to do anything they like on the share,
+ irrespective of file permissions.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no admin users</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>admin users = jason</B
+></P
+></DD
+><DT
+><A
+NAME="ALLOWHOSTS"
+></A
+>allow hosts (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="smb.conf.5.html#hostsallow"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>hosts allow</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="ALLOWTRUSTEDDOMAINS"
+></A
+>allow trusted domains (G)</DT
+><DD
+><P
+>This option only takes effect when the <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+>security</A
+> option is set to
+ <TT
+CLASS="PARAMETER"
+><I
+>server</I
+></TT
+> or <TT
+CLASS="PARAMETER"
+><I
+>domain</I
+></TT
+>.
+ If it is set to no, then attempts to connect to a resource from
+ a domain or workgroup other than the one which smbd is running
+ in will fail, even if that domain is trusted by the remote server
+ doing the authentication.</P
+><P
+>This is useful if you only want your Samba server to
+ serve resources to users in the domain it is a member of. As
+ an example, suppose that there are two domains DOMA and DOMB. DOMB
+ is trusted by DOMA, which contains the Samba server. Under normal
+ circumstances, a user with an account in DOMB can then access the
+ resources of a UNIX account with the same account name on the
+ Samba server even if they do not have an account in DOMA. This
+ can make implementing a security boundary difficult.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>allow trusted domains = yes</B
+></P
+></DD
+><DT
+><A
+NAME="ANNOUNCEAS"
+></A
+>announce as (G)</DT
+><DD
+><P
+>This specifies what type of server
+ <A
+HREF="nmbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>nmbd</B
+></A
+>
+ will announce itself as, to a network neighborhood browse
+ list. By default this is set to Windows NT. The valid options
+ are : "NT" (which is a synonym for "NT Server"), "NT Server",
+ "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
+ Windows NT Workstation, Windows 95 and Windows for Workgroups
+ respectively. Do not change this parameter unless you have a
+ specific need to stop Samba appearing as an NT server as this
+ may prevent Samba servers from participating as browser servers
+ correctly.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>announce as = NT Server</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>announce as = Win95</B
+></P
+></DD
+><DT
+><A
+NAME="ANNOUCEVERSION"
+></A
+>annouce version (G)</DT
+><DD
+><P
+>This specifies the major and minor version numbers
+ that nmbd will use when announcing itself as a server. The default
+ is 4.2. Do not change this parameter unless you have a specific
+ need to set a Samba server to be a downlevel server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>announce version = 4.2</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>announce version = 2.0</B
+></P
+></DD
+><DT
+><A
+NAME="AUTOSERVICES"
+></A
+>auto services (G)</DT
+><DD
+><P
+>This is a list of services that you want to be
+ automatically added to the browse lists. This is most useful
+ for homes and printers services that would otherwise not be
+ visible.</P
+><P
+>Note that if you just want all printers in your
+ printcap file loaded then the <A
+HREF="smb.conf.5.html#loadprinters"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>load printers</I
+></TT
+></A
+> option is easier.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no auto services</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>auto services = fred lp colorlp</B
+></P
+></DD
+><DT
+><A
+NAME="AVAILABLE"
+></A
+>available (S)</DT
+><DD
+><P
+>This parameter lets you "turn off" a service. If
+ <TT
+CLASS="PARAMETER"
+><I
+>available = no</I
+></TT
+>, then <I
+CLASS="EMPHASIS"
+>ALL</I
+>
+ attempts to connect to the service will fail. Such failures are
+ logged.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>available = yes</B
+></P
+></DD
+><DT
+><A
+NAME="BINDINTERFACESONLY"
+></A
+>bind interfaces only (G)</DT
+><DD
+><P
+>This global parameter allows the Samba admin
+ to limit what interfaces on a machine will serve smb requests. If
+ affects file service <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> and
+ name service <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> in slightly
+ different ways.</P
+><P
+>For name service it causes <B
+CLASS="COMMAND"
+>nmbd</B
+> to bind
+ to ports 137 and 138 on the interfaces listed in the <A
+HREF="#INTERFACES"
+>interfaces</A
+> parameter. <B
+CLASS="COMMAND"
+>nmbd
+ </B
+> also binds to the "all addresses" interface (0.0.0.0)
+ on ports 137 and 138 for the purposes of reading broadcast messages.
+ If this option is not set then <B
+CLASS="COMMAND"
+>nmbd</B
+> will service
+ name requests on all of these sockets. If <TT
+CLASS="PARAMETER"
+><I
+>bind interfaces
+ only</I
+></TT
+> is set then <B
+CLASS="COMMAND"
+>nmbd</B
+> will check the
+ source address of any packets coming in on the broadcast sockets
+ and discard any that don't match the broadcast addresses of the
+ interfaces in the <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+> parameter list.
+ As unicast packets are received on the other sockets it allows
+ <B
+CLASS="COMMAND"
+>nmbd</B
+> to refuse to serve names to machines that
+ send packets that arrive through any interfaces not listed in the
+ <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+> list. IP Source address spoofing
+ does defeat this simple check, however so it must not be used
+ seriously as a security feature for <B
+CLASS="COMMAND"
+>nmbd</B
+>.</P
+><P
+>For file service it causes <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+>
+ to bind only to the interface list given in the <A
+HREF="#INTERFACES"
+> interfaces</A
+> parameter. This restricts the networks that
+ <B
+CLASS="COMMAND"
+>smbd</B
+> will serve to packets coming in those
+ interfaces. Note that you should not use this parameter for machines
+ that are serving PPP or other intermittent or non-broadcast network
+ interfaces as it will not cope with non-permanent interfaces.</P
+><P
+>If <TT
+CLASS="PARAMETER"
+><I
+>bind interfaces only</I
+></TT
+> is set then
+ unless the network address <I
+CLASS="EMPHASIS"
+>127.0.0.1</I
+> is added
+ to the <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+> parameter list <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+>
+ and <A
+HREF="swat.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>swat(8)</B
+></A
+> may
+ not work as expected due to the reasons covered below.</P
+><P
+>To change a users SMB password, the <B
+CLASS="COMMAND"
+>smbpasswd</B
+>
+ by default connects to the <I
+CLASS="EMPHASIS"
+>localhost - 127.0.0.1</I
+>
+ address as an SMB client to issue the password change request. If
+ <TT
+CLASS="PARAMETER"
+><I
+>bind interfaces only</I
+></TT
+> is set then unless the
+ network address <I
+CLASS="EMPHASIS"
+>127.0.0.1</I
+> is added to the
+ <TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+> parameter list then <B
+CLASS="COMMAND"
+> smbpasswd</B
+> will fail to connect in it's default mode.
+ <B
+CLASS="COMMAND"
+>smbpasswd</B
+> can be forced to use the primary IP interface
+ of the local host by using its <A
+HREF="smbpasswd.8.html#minusr"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>remote machine</I
+></TT
+></I
+></TT
+>
+ </A
+> parameter, with <TT
+CLASS="REPLACEABLE"
+><I
+>remote machine</I
+></TT
+> set
+ to the IP name of the primary interface of the local host.</P
+><P
+>The <B
+CLASS="COMMAND"
+>swat</B
+> status page tries to connect with
+ <B
+CLASS="COMMAND"
+>smbd</B
+> and <B
+CLASS="COMMAND"
+>nmbd</B
+> at the address
+ <I
+CLASS="EMPHASIS"
+>127.0.0.1</I
+> to determine if they are running.
+ Not adding <I
+CLASS="EMPHASIS"
+>127.0.0.1</I
+> will cause <B
+CLASS="COMMAND"
+> smbd</B
+> and <B
+CLASS="COMMAND"
+>nmbd</B
+> to always show
+ "not running" even if they really are. This can prevent <B
+CLASS="COMMAND"
+> swat</B
+> from starting/stopping/restarting <B
+CLASS="COMMAND"
+>smbd</B
+>
+ and <B
+CLASS="COMMAND"
+>nmbd</B
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>bind interfaces only = no</B
+></P
+></DD
+><DT
+><A
+NAME="BLOCKINGLOCKS"
+></A
+>blocking locks (S)</DT
+><DD
+><P
+>This parameter controls the behavior of <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> when given a request by a client
+ to obtain a byte range lock on a region of an open file, and the
+ request has a time limit associated with it.</P
+><P
+>If this parameter is set and the lock range requested
+ cannot be immediately satisfied, Samba 2.2 will internally
+ queue the lock request, and periodically attempt to obtain
+ the lock until the timeout period expires.</P
+><P
+>If this parameter is set to <TT
+CLASS="CONSTANT"
+>False</TT
+>, then
+ Samba 2.2 will behave as previous versions of Samba would and
+ will fail the lock request immediately if the lock range
+ cannot be obtained.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>blocking locks = yes</B
+></P
+></DD
+><DT
+><A
+NAME="BROWSABLE"
+></A
+>browsable (S)</DT
+><DD
+><P
+>See the <A
+HREF="#BROWSEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+> browseable</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="BROWSELIST"
+></A
+>browse list (G)</DT
+><DD
+><P
+>This controls whether <A
+HREF="smbd.8.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> will serve a browse list to
+ a client doing a <B
+CLASS="COMMAND"
+>NetServerEnum</B
+> call. Normally
+ set to <TT
+CLASS="CONSTANT"
+>true</TT
+>. You should never need to change
+ this.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>browse list = yes</B
+></P
+></DD
+><DT
+><A
+NAME="BROWSEABLE"
+></A
+>browseable (S)</DT
+><DD
+><P
+>This controls whether this share is seen in
+ the list of available shares in a net view and in the browse list.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>browseable = yes</B
+></P
+></DD
+><DT
+><A
+NAME="CASESENSITIVE"
+></A
+>case sensitive (S)</DT
+><DD
+><P
+>See the discussion in the section <A
+HREF="#AEN201"
+>NAME MANGLING</A
+>.</P
+></DD
+><DT
+><A
+NAME="CASESIGNAMES"
+></A
+>casesignames (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#CASESENSITIVE"
+>case
+ sensitive</A
+>.</P
+></DD
+><DT
+><A
+NAME="CHANGENOTIFYTIMEOUT"
+></A
+>change notify timeout (G)</DT
+><DD
+><P
+>This SMB allows a client to tell a server to
+ "watch" a particular directory for any changes and only reply to
+ the SMB request when a change has occurred. Such constant scanning of
+ a directory is expensive under UNIX, hence an <A
+HREF="smbd.8.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> daemon only performs such a scan
+ on each requested directory once every <TT
+CLASS="PARAMETER"
+><I
+>change notify
+ timeout</I
+></TT
+> seconds.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>change notify timeout = 60</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>change notify timeout = 300</B
+></P
+><P
+>Would change the scan time to every 5 minutes.</P
+></DD
+><DT
+><A
+NAME="CHARACTERSET"
+></A
+>character set (G)</DT
+><DD
+><P
+>This allows a smbd to map incoming filenames
+ from a DOS Code page (see the <A
+HREF="#CLIENTCODEPAGE"
+>client
+ code page</A
+> parameter) to several built in UNIX character sets.
+ The built in code page translations are:</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>ISO8859-1</TT
+> : Western European
+ UNIX character set. The parameter <TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+>
+ <I
+CLASS="EMPHASIS"
+>MUST</I
+> be set to code page 850 if the
+ <TT
+CLASS="PARAMETER"
+><I
+>character set</I
+></TT
+> parameter is set to
+ <TT
+CLASS="CONSTANT"
+>ISO8859-1</TT
+> in order for the conversion to the
+ UNIX character set to be done correctly.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>ISO8859-2</TT
+> : Eastern European
+ UNIX character set. The parameter <TT
+CLASS="PARAMETER"
+><I
+>client code page
+ </I
+></TT
+> <I
+CLASS="EMPHASIS"
+>MUST</I
+> be set to code page 852 if
+ the <TT
+CLASS="PARAMETER"
+><I
+> character set</I
+></TT
+> parameter is set
+ to <TT
+CLASS="CONSTANT"
+>ISO8859-2</TT
+> in order for the conversion
+ to the UNIX character set to be done correctly. </P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>ISO8859-5</TT
+> : Russian Cyrillic
+ UNIX character set. The parameter <TT
+CLASS="PARAMETER"
+><I
+>client code page
+ </I
+></TT
+> <I
+CLASS="EMPHASIS"
+>MUST</I
+> be set to code page
+ 866 if the <TT
+CLASS="PARAMETER"
+><I
+>character set </I
+></TT
+> parameter is
+ set to <TT
+CLASS="CONSTANT"
+>ISO8859-5</TT
+> in order for the conversion
+ to the UNIX character set to be done correctly. </P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>ISO8859-7</TT
+> : Greek UNIX
+ character set. The parameter <TT
+CLASS="PARAMETER"
+><I
+>client code page
+ </I
+></TT
+> <I
+CLASS="EMPHASIS"
+>MUST</I
+> be set to code page
+ 737 if the <TT
+CLASS="PARAMETER"
+><I
+>character set</I
+></TT
+> parameter is
+ set to <TT
+CLASS="CONSTANT"
+>ISO8859-7</TT
+> in order for the conversion
+ to the UNIX character set to be done correctly.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>KOI8-R</TT
+> : Alternate mapping
+ for Russian Cyrillic UNIX character set. The parameter
+ <TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+> <I
+CLASS="EMPHASIS"
+>MUST</I
+>
+ be set to code page 866 if the <TT
+CLASS="PARAMETER"
+><I
+>character set</I
+></TT
+>
+ parameter is set to <TT
+CLASS="CONSTANT"
+>KOI8-R</TT
+> in order for the
+ conversion to the UNIX character set to be done correctly.</P
+></LI
+></UL
+><P
+><I
+CLASS="EMPHASIS"
+>BUG</I
+>. These MSDOS code page to UNIX character
+ set mappings should be dynamic, like the loading of MS DOS code pages,
+ not static.</P
+><P
+>Normally this parameter is not set, meaning no filename
+ translation is done.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>character set = <empty string></B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>character set = ISO8859-1</B
+></P
+></DD
+><DT
+><A
+NAME="CLIENTCODEPAGE"
+></A
+>client code page (G)</DT
+><DD
+><P
+>This parameter specifies the DOS code page
+ that the clients accessing Samba are using. To determine what code
+ page a Windows or DOS client is using, open a DOS command prompt
+ and type the command <B
+CLASS="COMMAND"
+>chcp</B
+>. This will output
+ the code page. The default for USA MS-DOS, Windows 95, and
+ Windows NT releases is code page 437. The default for western
+ european releases of the above operating systems is code page 850.</P
+><P
+>This parameter tells <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+>
+ which of the <TT
+CLASS="FILENAME"
+>codepage.<TT
+CLASS="REPLACEABLE"
+><I
+>XXX</I
+></TT
+>
+ </TT
+> files to dynamically load on startup. These files,
+ described more fully in the manual page <A
+HREF="make_smbcodepage.1.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>make_smbcodepage(1)</B
+></A
+>, tell <B
+CLASS="COMMAND"
+> smbd</B
+> how to map lower to upper case characters to provide
+ the case insensitivity of filenames that Windows clients expect.</P
+><P
+>Samba currently ships with the following code page files :</P
+><P
+></P
+><UL
+><LI
+><P
+>Code Page 437 - MS-DOS Latin US</P
+></LI
+><LI
+><P
+>Code Page 737 - Windows '95 Greek</P
+></LI
+><LI
+><P
+>Code Page 850 - MS-DOS Latin 1</P
+></LI
+><LI
+><P
+>Code Page 852 - MS-DOS Latin 2</P
+></LI
+><LI
+><P
+>Code Page 861 - MS-DOS Icelandic</P
+></LI
+><LI
+><P
+>Code Page 866 - MS-DOS Cyrillic</P
+></LI
+><LI
+><P
+>Code Page 932 - MS-DOS Japanese SJIS</P
+></LI
+><LI
+><P
+>Code Page 936 - MS-DOS Simplified Chinese</P
+></LI
+><LI
+><P
+>Code Page 949 - MS-DOS Korean Hangul</P
+></LI
+><LI
+><P
+>Code Page 950 - MS-DOS Traditional Chinese</P
+></LI
+></UL
+><P
+>Thus this parameter may have any of the values 437, 737, 850, 852,
+ 861, 932, 936, 949, or 950. If you don't find the codepage you need,
+ read the comments in one of the other codepage files and the
+ <B
+CLASS="COMMAND"
+>make_smbcodepage(1)</B
+> man page and write one. Please
+ remember to donate it back to the Samba user community.</P
+><P
+>This parameter co-operates with the <TT
+CLASS="PARAMETER"
+><I
+>valid
+ chars</I
+></TT
+> parameter in determining what characters are
+ valid in filenames and how capitalization is done. If you set both
+ this parameter and the <TT
+CLASS="PARAMETER"
+><I
+>valid chars</I
+></TT
+> parameter
+ the <TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+> parameter
+ <I
+CLASS="EMPHASIS"
+>MUST</I
+> be set before the <TT
+CLASS="PARAMETER"
+><I
+>valid
+ chars</I
+></TT
+> parameter in the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>
+ file. The <TT
+CLASS="PARAMETER"
+><I
+>valid chars</I
+></TT
+> string will then
+ augment the character settings in the <TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+>
+ parameter.</P
+><P
+>If not set, <TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+> defaults
+ to 850.</P
+><P
+>See also : <A
+HREF="#VALIDCHARS"
+><TT
+CLASS="PARAMETER"
+><I
+>valid
+ chars</I
+></TT
+></A
+></P
+><P
+>Default: <B
+CLASS="COMMAND"
+>client code page = 850</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>client code page = 936</B
+></P
+></DD
+><DT
+><A
+NAME="CODINGSYSTEM"
+></A
+>codingsystem (G)</DT
+><DD
+><P
+>This parameter is used to determine how incoming
+ Shift-JIS Japanese characters are mapped from the incoming <A
+HREF="#CLIENTCODEPAGE"
+><TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+>
+ </A
+> used by the client, into file names in the UNIX filesystem.
+ Only useful if <TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+> is set to
+ 932 (Japanese Shift-JIS). The options are :</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>SJIS</TT
+> - Shift-JIS. Does no
+ conversion of the incoming filename.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>JIS8, J8BB, J8BH, J8@B,
+ J8@J, J8@H </TT
+> - Convert from incoming Shift-JIS to eight
+ bit JIS code with different shift-in, shift out codes.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>JIS7, J7BB, J7BH, J7@B, J7@J,
+ J7@H </TT
+> - Convert from incoming Shift-JIS to seven bit
+ JIS code with different shift-in, shift out codes.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>JUNET, JUBB, JUBH, JU@B, JU@J, JU@H </TT
+>
+ - Convert from incoming Shift-JIS to JUNET code with different shift-in,
+ shift out codes.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>EUC</TT
+> - Convert an incoming
+ Shift-JIS character to EUC code.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>HEX</TT
+> - Convert an incoming
+ Shift-JIS character to a 3 byte hex representation, i.e.
+ <TT
+CLASS="CONSTANT"
+>:AB</TT
+>.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>CAP</TT
+> - Convert an incoming
+ Shift-JIS character to the 3 byte hex representation used by
+ the Columbia AppleTalk Program (CAP), i.e. <TT
+CLASS="CONSTANT"
+>:AB</TT
+>.
+ This is used for compatibility between Samba and CAP.</P
+></LI
+></UL
+></DD
+><DT
+><A
+NAME="COMMENT"
+></A
+>comment (S)</DT
+><DD
+><P
+>This is a text field that is seen next to a share
+ when a client does a queries the server, either via the network
+ neighborhood or via <B
+CLASS="COMMAND"
+>net view</B
+> to list what shares
+ are available.</P
+><P
+>If you want to set the string that is displayed next to the
+ machine name then see the <A
+HREF="#SERVERSTRING"
+><TT
+CLASS="PARAMETER"
+><I
+> server string</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>No comment string</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>comment = Fred's Files</B
+></P
+></DD
+><DT
+><A
+NAME="CONFIGFILE"
+></A
+>config file (G)</DT
+><DD
+><P
+>This allows you to override the config file
+ to use, instead of the default (usually <TT
+CLASS="FILENAME"
+>smb.conf</TT
+>).
+ There is a chicken and egg problem here as this option is set
+ in the config file!</P
+><P
+>For this reason, if the name of the config file has changed
+ when the parameters are loaded then it will reload them from
+ the new config file.</P
+><P
+>This option takes the usual substitutions, which can
+ be very useful.</P
+><P
+>If the config file doesn't exist then it won't be loaded
+ (allowing you to special case the config files of just a few
+ clients).</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>config file = /usr/local/samba/lib/smb.conf.%m
+ </B
+></P
+></DD
+><DT
+><A
+NAME="COPY"
+></A
+>copy (S)</DT
+><DD
+><P
+>This parameter allows you to "clone" service
+ entries. The specified service is simply duplicated under the
+ current service's name. Any parameters specified in the current
+ section will override those in the section being copied.</P
+><P
+>This feature lets you set up a 'template' service and
+ create similar services easily. Note that the service being
+ copied must occur earlier in the configuration file than the
+ service doing the copying.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>none</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>copy = otherservice</B
+></P
+></DD
+><DT
+><A
+NAME="CREATEMASK"
+></A
+>create mask (S)</DT
+><DD
+><P
+>A synonym for this parameter is
+ <A
+HREF="#CREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>create mode</I
+></TT
+>
+ </A
+>.</P
+><P
+>When a file is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX
+ permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
+ with this parameter. This parameter may be thought of as a bit-wise
+ MASK for the UNIX modes of a file. Any bit <I
+CLASS="EMPHASIS"
+>not</I
+>
+ set here will be removed from the modes set on a file when it is
+ created.</P
+><P
+>The default value of this parameter removes the
+ 'group' and 'other' write and execute bits from the UNIX modes.</P
+><P
+>Following this Samba will bit-wise 'OR' the UNIX mode created
+ from this parameter with the value of the <A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+></A
+>
+ parameter which is set to 000 by default.</P
+><P
+>This parameter does not affect directory modes. See the
+ parameter <A
+HREF="#DIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>directory mode
+ </I
+></TT
+></A
+> for details.</P
+><P
+>See also the <A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ create mode</I
+></TT
+></A
+> parameter for forcing particular mode
+ bits to be set on created files. See also the <A
+HREF="#DIRECTORYMODE"
+> <TT
+CLASS="PARAMETER"
+><I
+>directory mode"</I
+></TT
+></A
+> parameter for masking
+ mode bits on created directories. See also the <A
+HREF="#INHERITPERMISSIONS"
+> <TT
+CLASS="PARAMETER"
+><I
+>inherit permissions</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>create mask = 0744</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>create mask = 0775</B
+></P
+></DD
+><DT
+><A
+NAME="CREATEMODE"
+></A
+>create mode (S)</DT
+><DD
+><P
+>This is a synonym for <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> create mask</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="DEADTIME"
+></A
+>deadtime (G)</DT
+><DD
+><P
+>The value of the parameter (a decimal integer)
+ represents the number of minutes of inactivity before a connection
+ is considered dead, and it is disconnected. The deadtime only takes
+ effect if the number of open files is zero.</P
+><P
+>This is useful to stop a server's resources being
+ exhausted by a large number of inactive connections.</P
+><P
+>Most clients have an auto-reconnect feature when a
+ connection is broken so in most cases this parameter should be
+ transparent to users.</P
+><P
+>Using this parameter with a timeout of a few minutes
+ is recommended for most systems.</P
+><P
+>A deadtime of zero indicates that no auto-disconnection
+ should be performed.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>deadtime = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>deadtime = 15</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGHIRESTIMESTAMP"
+></A
+>debug hires timestamp (G)</DT
+><DD
+><P
+>Sometimes the timestamps in the log messages
+ are needed with a resolution of higher that seconds, this
+ boolean parameter adds microsecond resolution to the timestamp
+ message header when turned on.</P
+><P
+>Note that the parameter <A
+HREF="#DEBUGTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+> debug timestamp</I
+></TT
+></A
+> must be on for this to have an
+ effect.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>debug hires timestamp = no</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGTIMESTAMP"
+></A
+>debug timestamp (G)</DT
+><DD
+><P
+>Samba 2.2 debug log messages are timestamped
+ by default. If you are running at a high <A
+HREF="#DEBUGLEVEL"
+> <TT
+CLASS="PARAMETER"
+><I
+>debug level</I
+></TT
+></A
+> these timestamps
+ can be distracting. This boolean parameter allows timestamping
+ to be turned off.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>debug timestamp = yes</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGPID"
+></A
+>debug pid (G)</DT
+><DD
+><P
+>When using only one log file for more then one
+ forked smbd-process there may be hard to follow which process
+ outputs which message. This boolean parameter is adds the process-id
+ to the timestamp message headers in the logfile when turned on.</P
+><P
+>Note that the parameter <A
+HREF="#DEBUGTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+> debug timestamp</I
+></TT
+></A
+> must be on for this to have an
+ effect.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>debug pid = no</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGUID"
+></A
+>debug uid (G)</DT
+><DD
+><P
+>Samba is sometimes run as root and sometime
+ run as the connected user, this boolean parameter inserts the
+ current euid, egid, uid and gid to the timestamp message headers
+ in the log file if turned on.</P
+><P
+>Note that the parameter <A
+HREF="#DEBUGTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+> debug timestamp</I
+></TT
+></A
+> must be on for this to have an
+ effect.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>debug uid = no</B
+></P
+></DD
+><DT
+><A
+NAME="DEBUGLEVEL"
+></A
+>debug level (G)</DT
+><DD
+><P
+>The value of the parameter (an integer) allows
+ the debug level (logging level) to be specified in the
+ <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file. This is to give greater
+ flexibility in the configuration of the system.</P
+><P
+>The default will be the debug level specified on
+ the command line or level zero if none was specified.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>debug level = 3</B
+></P
+></DD
+><DT
+><A
+NAME="DEFAULT"
+></A
+>default (G)</DT
+><DD
+><P
+>A synonym for <A
+HREF="#DEFAULTSERVICE"
+><TT
+CLASS="PARAMETER"
+><I
+> default service</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="DEFAULTCASE"
+></A
+>default case (S)</DT
+><DD
+><P
+>See the section on <A
+HREF="#AEN201"
+> NAME MANGLING"</A
+>. Also note the <A
+HREF="#SHORTPRESERVECASE"
+> <TT
+CLASS="PARAMETER"
+><I
+>short preserve case"</I
+></TT
+></A
+> parameter.</P
+></DD
+><DT
+><A
+NAME="DEFAULTSERVICE"
+></A
+>default service (G)</DT
+><DD
+><P
+>This parameter specifies the name of a service
+ which will be connected to if the service actually requested cannot
+ be found. Note that the square brackets are <I
+CLASS="EMPHASIS"
+>NOT</I
+>
+ given in the parameter value (see example below).</P
+><P
+>There is no default value for this parameter. If this
+ parameter is not given, attempting to connect to a nonexistent
+ service results in an error.</P
+><P
+>Typically the default service would be a <A
+HREF="#GUESTOK"
+> <TT
+CLASS="PARAMETER"
+><I
+>guest ok</I
+></TT
+></A
+>, <A
+HREF="#READONLY"
+> <TT
+CLASS="PARAMETER"
+><I
+>read-only</I
+></TT
+></A
+> service.</P
+><P
+>Also note that the apparent service name will be changed
+ to equal that of the requested service, this is very useful as it
+ allows you to use macros like <TT
+CLASS="PARAMETER"
+><I
+>%S</I
+></TT
+> to make
+ a wildcard service.</P
+><P
+>Note also that any "_" characters in the name of the service
+ used in the default service will get mapped to a "/". This allows for
+ interesting things.</P
+><P
+>Example:</P
+><PRE
+CLASS="SCREEN"
+><TT
+CLASS="COMPUTEROUTPUT"
+> default service = pub
- [pub]
- path = /%S
-
-</pre>
-
-<p><a name="deleteuserscript"></a>
-<p></p><dt><strong><strong>delete user script (G)</strong></strong><dd>
-<p>This is the full pathname to a script that will be run <em>AS ROOT</em> by
-<a href="smbd.8.html"><strong>smbd (8)</strong></a> under special circumstances decribed
-below.
-<p>Normally, a Samba server requires that UNIX users are created for all
-users accessing files on this server. For sites that use Windows NT
-account databases as their primary user database creating these users
-and keeping the user list in sync with the Windows NT PDC is an
-onerous task. This option allows <a href="smbd.8.html"><strong>smbd</strong></a> to delete
-the required UNIX users <em>ON DEMAND</em> when a user accesses the Samba
-server and the Windows NT user no longer exists.
-<p>In order to use this option, <a href="smbd.8.html"><strong>smbd</strong></a> must be set to
-<a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a> and <strong>"delete user
-script"</strong> must be set to a full pathname for a script that will delete
-a UNIX user given one argument of <strong>%u</strong>, which expands into the UNIX
-user name to delete. <em>NOTE</em> that this is different to the
-<a href="smb.conf.5.html#adduserscript"><strong>add user script</strong></a> which will work with the
-<a href="smb.conf.5.html#securityequalserver"><strong>security=server</strong></a> option as well as
-<a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a>. The reason for this
-is only when Samba is a domain member does it get the information
-on an attempted user logon that a user no longer exists. In the
-<a href="smb.conf.5.html#securityequalserver"><strong>security=server</strong></a> mode a missing user
-is treated the same as an invalid password logon attempt. Deleting
-the user in this circumstance would not be a good idea.
-<p>When the Windows user attempts to access the Samba server, at
-<em>"login"</em>(session setup in the SMB protocol) time,
-<a href="smbd.8.html"><strong>smbd</strong></a> contacts the <a href="smb.conf.5.html#passwordserver"><strong>password
-server</strong></a> and attempts to authenticate the given user
-with the given password. If the authentication fails with the specific
-Domain error code meaning that the user no longer exists then
-<a href="smbd.8.html"><strong>smbd</strong></a> attempts to find a UNIX user in the UNIX
-password database that matches the Windows user account. If this lookup succeeds,
-and <strong>"delete user script"</strong> is set then <a href="smbd.8.html"><strong>smbd</strong></a> will
-call the specified script <em>AS ROOT</em>, expanding any <strong>%u</strong> argument
-to be the user name to delete.
-<p>This script should delete the given UNIX username. In this way, UNIX
-users are dynamically deleted to match existing Windows NT accounts.
-<p>See also <a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a>,
-<a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a>, <a href="smb.conf.5.html#adduserscript"><strong>add user
-script</strong></a>.
-<p><strong>Default:</strong>
-<code> delete user script = <empty string></code>
-<p><strong>Example:</strong>
-<code> delete user script = /usr/local/samba/bin/del_user %u</code>
-<p><a name="deletereadonly"></a>
-<p></p><dt><strong><strong>delete readonly (S)</strong></strong><dd>
-<p>This parameter allows readonly files to be deleted. This is not
-normal DOS semantics, but is allowed by UNIX.
-<p>This option may be useful for running applications such as rcs, where
-UNIX file ownership prevents changing file permissions, and DOS
-semantics prevent deletion of a read only file.
-<p><strong>Default:</strong>
-<code> delete readonly = No</code>
-<p><strong>Example:</strong>
-<code> delete readonly = Yes</code>
-<p><a name="deletevetofiles"></a>
-<p></p><dt><strong><strong>delete veto files (S)</strong></strong><dd>
-<p>This option is used when Samba is attempting to delete a directory
-that contains one or more vetoed directories (see the <a href="smb.conf.5.html#vetofiles"><strong>'veto
-files'</strong></a> option). If this option is set to False (the
-default) then if a vetoed directory contains any non-vetoed files or
-directories then the directory delete will fail. This is usually what
-you want.
-<p>If this option is set to True, then Samba will attempt to recursively
-delete any files and directories within the vetoed directory. This can
-be useful for integration with file serving systems such as <strong>NetAtalk</strong>,
-which create meta-files within directories you might normally veto
-DOS/Windows users from seeing (e.g. <code>.AppleDouble</code>)
-<p>Setting <code>'delete veto files = True'</code> allows these directories to be
-transparently deleted when the parent directory is deleted (so long
-as the user has permissions to do so).
-<p>See also the <a href="smb.conf.5.html#vetofiles"><strong>veto files</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> delete veto files = False</code>
-<p><strong>Example:</strong>
-<code> delete veto files = True</code>
-<p><a name="denyhosts"></a>
-<p></p><dt><strong><strong>deny hosts (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#hostsdeny"><strong>hosts deny</strong></a>.
-<p><a name="dfreecommand"></a>
-<p></p><dt><strong><strong>dfree command (G)</strong></strong><dd>
-<p>The dfree command setting should only be used on systems where a
-problem occurs with the internal disk space calculations. This has
-been known to happen with Ultrix, but may occur with other operating
-systems. The symptom that was seen was an error of "Abort Retry
-Ignore" at the end of each directory listing.
-<p>This setting allows the replacement of the internal routines to
-calculate the total disk space and amount available with an external
-routine. The example below gives a possible script that might fulfill
-this function.
-<p>The external program will be passed a single parameter indicating a
-directory in the filesystem being queried. This will typically consist
-of the string <code>"./"</code>. The script should return two integers in
-ascii. The first should be the total disk space in blocks, and the
-second should be the number of available blocks. An optional third
-return value can give the block size in bytes. The default blocksize
-is 1024 bytes.
-<p>Note: Your script should <em>NOT</em> be setuid or setgid and should be
-owned by (and writeable only by) root!
-<p><strong>Default:</strong>
-<code> By default internal routines for determining the disk capacity
-and remaining space will be used.</code>
-<p><strong>Example:</strong>
-<code> dfree command = /usr/local/samba/bin/dfree</code>
-<p>Where the script dfree (which must be made executable) could be:
-<p><pre>
-
- #!/bin/sh
- df $1 | tail -1 | awk '{print $2" "$4}'
-
-</pre>
-
-<p>or perhaps (on Sys V based systems):
-<p><pre>
-
- #!/bin/sh
- /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
-
-</pre>
-
-<p>Note that you may have to replace the command names with full
-path names on some systems.
-<p><a name="directory"></a>
-<p></p><dt><strong><strong>directory (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#path"><strong>path</strong></a>.
-<p><a name="directorymask"></a>
-<p></p><dt><strong><strong>directory mask (S)</strong></strong><dd>
-<p>This parameter is the octal modes which are used when converting DOS
-modes to UNIX modes when creating UNIX directories.
-<p>When a directory is created, the necessary permissions are calculated
-according to the mapping from DOS modes to UNIX permissions, and the
-resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
-This parameter may be thought of as a bit-wise MASK for the UNIX modes
-of a directory. Any bit <em>*not*</em> set here will be removed from the
-modes set on a directory when it is created.
-<p>The default value of this parameter removes the 'group' and 'other'
-write bits from the UNIX mode, allowing only the user who owns the
-directory to modify it.
-<p>Following this Samba will bit-wise 'OR' the UNIX mode created from
-this parameter with the value of the "force directory mode"
-parameter. This parameter is set to 000 by default (i.e. no extra mode
-bits are added).
-<p>See the <a href="smb.conf.5.html#forcedirectorymode"><strong>"force directory mode"</strong></a> parameter
-to cause particular mode bits to always be set on created directories.
-<p>See also the <a href="smb.conf.5.html#createmode"><strong>"create mode"</strong></a> parameter for masking
-mode bits on created files, and the <a href="smb.conf.5.html#directorysecuritymask"><strong>"directory security mask"</strong></a>
-parameter.
-<p>See also the <a href="smb.conf.5.html#inheritpermissions"><strong>"inherit permissions"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> directory mask = 0755</code>
-<p><strong>Example:</strong>
-<code> directory mask = 0775</code>
-<p><a name="directorymode"></a>
-<p></p><dt><strong><strong>directory mode (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#directorymask"><strong>directory mask</strong></a>.
-<p><a name="directorysecuritymask"></a>
-<p></p><dt><strong><strong>directory security mask (S)</strong></strong><dd>
-<p>This parameter controls what UNIX permission bits can be modified
-when a Windows NT client is manipulating the UNIX permission on a
-directory using the native NT security dialog box.
-<p>This parameter is applied as a mask (AND'ed with) to the changed
-permission bits, thus preventing any bits not in this mask from
-being modified. Essentially, zero bits in this mask may be treated
-as a set of bits the user is not allowed to change.
-<p>If not set explicitly this parameter is set to the same value as the
-<a href="smb.conf.5.html#directorymask"><strong>directory mask</strong></a> parameter. To allow a user to
-modify all the user/group/world permissions on a directory, set this
-parameter to 0777.
-<p><em>Note</em> that users who can access the Samba server through other
-means can easily bypass this restriction, so it is primarily
-useful for standalone "appliance" systems. Administrators of
-most normal systems will probably want to set it to 0777.
-<p>See also the <a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>force directory security
-mode</strong></a>, <a href="smb.conf.5.html#securitymask"><strong>security
-mask</strong></a>, <a href="smb.conf.5.html#forcesecuritymode"><strong>force security mode</strong></a>
-parameters.
-<p><strong>Default:</strong>
-<code> directory security mask = <same as directory mask></code>
-<p><strong>Example:</strong>
-<code> directory security mask = 0777</code>
-<p><a name="dnsproxy"></a>
-<p></p><dt><strong><strong>dns proxy (G)</strong></strong><dd>
-<p>Specifies that <a href="nmbd.8.html"><strong>nmbd</strong></a> when acting as a WINS
-server and finding that a NetBIOS name has not been registered, should
-treat the NetBIOS name word-for-word as a DNS name and do a lookup
-with the DNS server for that name on behalf of the name-querying
-client.
-<p>Note that the maximum length for a NetBIOS name is 15 characters, so
-the DNS name (or DNS alias) can likewise only be 15 characters,
-maximum.
-<p><a href="nmbd.8.html"><strong>nmbd</strong></a> spawns a second copy of itself to do the
-DNS name lookup requests, as doing a name lookup is a blocking action.
-<p>See also the parameter <a href="smb.conf.5.html#winssupport"><strong>wins support</strong></a>.
-<p><strong>Default:</strong>
-<code> dns proxy = yes</code>
-<p><a name="domainadmingroup"></a>
-<strong>domain admin group (G)</strong>
-<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished
-Samba NT Domain Controller Code. It may be removed in a later release.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list <strong>Samba-ntdom</strong> available by visiting the web page at
-<a href="http://lists.samba.org/">http://lists.samba.org/</a>
-<p><a name="domainadminusers"></a>
-<p></p><dt><strong><strong>domain admin users (G)</strong></strong><dd>
-<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished
-Samba NT Domain Controller Code. It may be removed in a later release.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list <strong>Samba-ntdom</strong> available by visiting the web page at
-<a href="http://lists.samba.org/">http://lists.samba.org/</a>
-<p><a name="domaingroups"></a>
-<p></p><dt><strong><strong>domain groups (G)</strong></strong><dd>
-<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished
-Samba NT Domain Controller Code. It may be removed in a later release.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list <strong>Samba-ntdom</strong> available by visiting the web page at
-<a href="http://lists.samba.org/">http://lists.samba.org/</a>
-<p><a name="domainguestgroup"></a>
-<p></p><dt><strong><strong>domain guest group (G)</strong></strong><dd>
-<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished
-Samba NT Domain Controller Code. It may be removed in a later release.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list <strong>Samba-ntdom</strong> available by visiting the web page at
-<a href="http://lists.samba.org/">http://lists.samba.org/</a>
-<p><a name="domainguestusers"></a>
-<p></p><dt><strong><strong>domain guest users (G)</strong></strong><dd>
-<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished
-Samba NT Domain Controller Code. It may be removed in a later release.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list <strong>Samba-ntdom</strong> available by visiting the web page at
-<a href="http://lists.samba.org/">http://lists.samba.org/</a>
-<p><a name="domainlogons"></a>
-<p></p><dt><strong><strong>domain logons (G)</strong></strong><dd>
-<p>If set to true, the Samba server will serve Windows 95/98 Domain
-logons for the <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> it is in. For more
-details on setting up this feature see the file DOMAINS.txt in the
-Samba documentation directory <code>docs/</code> shipped with the source code.
-<p>Note that Win95/98 Domain logons are <em>NOT</em> the same as Windows
-NT Domain logons. NT Domain logons require a Primary Domain Controller
-(PDC) for the Domain. It is intended that in a future release Samba
-will be able to provide this functionality for Windows NT clients
-also.
-<p><strong>Default:</strong>
-<code> domain logons = no</code>
-<p><a name="domainmaster"></a>
-<p></p><dt><strong><strong>domain master (G)</strong></strong><dd>
-<p>Tell <a href="nmbd.8.html"><strong>nmbd</strong></a> to enable WAN-wide browse list
-collation. Setting this option causes <a href="nmbd.8.html"><strong>nmbd</strong></a> to
-claim a special domain specific NetBIOS name that identifies it as a
-domain master browser for its given
-<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a>. Local master browsers in the same
-<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> on broadcast-isolated subnets will give
-this <a href="nmbd.8.html"><strong>nmbd</strong></a> their local browse lists, and then
-ask <a href="smbd.8.html"><strong>smbd</strong></a> for a complete copy of the browse list
-for the whole wide area network. Browser clients will then contact
-their local master browser, and will receive the domain-wide browse
-list, instead of just the list for their broadcast-isolated subnet.
-<p>Note that Windows NT Primary Domain Controllers expect to be able to
-claim this <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> specific special NetBIOS
-name that identifies them as domain master browsers for that
-<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> by default (i.e. there is no way to
-prevent a Windows NT PDC from attempting to do this). This means that
-if this parameter is set and <a href="nmbd.8.html"><strong>nmbd</strong></a> claims the
-special name for a <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> before a Windows NT
-PDC is able to do so then cross subnet browsing will behave strangely
-and may fail.
-<p><strong>Default:</strong>
-<code> domain master = no</code>
-<p><a name="dontdescend"></a>
-<p></p><dt><strong><strong>dont descend (S)</strong></strong><dd>
-<p>There are certain directories on some systems (e.g., the <code>/proc</code> tree
-under Linux) that are either not of interest to clients or are
-infinitely deep (recursive). This parameter allows you to specify a
-comma-delimited list of directories that the server should always show
-as empty.
-<p>Note that Samba can be very fussy about the exact format of the "dont
-descend" entries. For example you may need <code>"./proc"</code> instead of
-just <code>"/proc"</code>. Experimentation is the best policy :-)
-<p><strong>Default:</strong>
-<code> none (i.e., all directories are OK to descend)</code>
-<p><strong>Example:</strong>
-<code> dont descend = /proc,/dev</code>
-<p><a name="dosfiletimeresolution"></a>
-<p></p><dt><strong><strong>dos filetime resolution (S)</strong></strong><dd>
-<p>Under the DOS and Windows FAT filesystem, the finest granularity on
-time resolution is two seconds. Setting this parameter for a share
-causes Samba to round the reported time down to the nearest two second
-boundary when a query call that requires one second resolution is made
-to <a href="smbd.8.html"><strong>smbd</strong></a>.
-<p>This option is mainly used as a compatibility option for Visual C++
-when used against Samba shares. If oplocks are enabled on a share,
-Visual C++ uses two different time reading calls to check if a file
-has changed since it was last read. One of these calls uses a
-one-second granularity, the other uses a two second granularity. As
-the two second call rounds any odd second down, then if the file has a
-timestamp of an odd number of seconds then the two timestamps will not
-match and Visual C++ will keep reporting the file has changed. Setting
-this option causes the two timestamps to match, and Visual C++ is
-happy.
-<p><strong>Default:</strong>
-<code> dos filetime resolution = False</code>
-<p><strong>Example:</strong>
-<code> dos filetime resolution = True</code>
-<p><a name="dosfiletimes"></a>
-<p></p><dt><strong><strong>dos filetimes (S)</strong></strong><dd>
-<p>Under DOS and Windows, if a user can write to a file they can change
-the timestamp on it. Under POSIX semantics, only the owner of the file
-or root may change the timestamp. By default, Samba runs with POSIX
-semantics and refuses to change the timestamp on a file if the user
-smbd is acting on behalf of is not the file owner. Setting this option
-to True allows DOS semantics and smbd will change the file timestamp as
-DOS requires.
-<p><strong>Default:</strong>
-<code> dos filetimes = False</code>
-<p><strong>Example:</strong>
-<code> dos filetimes = True</code>
-<p><a name="encryptpasswords"></a>
-<p></p><dt><strong><strong>encrypt passwords (G)</strong></strong><dd>
-<p>This boolean controls whether encrypted passwords will be negotiated
-with the client. Note that Windows NT 4.0 SP3 and above and also
-Windows 98 will by default expect encrypted passwords unless a
-registry entry is changed. To use encrypted passwords in Samba see the
-file ENCRYPTION.txt in the Samba documentation directory <code>docs/</code>
-shipped with the source code.
-<p>In order for encrypted passwords to work correctly
-<a href="smbd.8.html"><strong>smbd</strong></a> must either have access to a local
-<a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a> file (see the
-<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a> program for information on
-how to set up and maintain this file), or set the
-<a href="smb.conf.5.html#security"><strong>security=</strong></a> parameter to either
-<a href="smb.conf.5.html#securityequalserver"><strong>"server"</strong></a> or
-<a href="smb.conf.5.html#securityequaldomain"><strong>"domain"</strong></a> which causes
-<a href="smbd.8.html"><strong>smbd</strong></a> to authenticate against another server.
-<p><a name="exec"></a>
-<p></p><dt><strong><strong>exec (S)</strong></strong><dd>
-<p>This is a synonym for <a href="smb.conf.5.html#preexec"><strong>preexec</strong></a>.
-<p><a name="fakedirectorycreatetimes"></a>
-<p></p><dt><strong><strong>fake directory create times (S)</strong></strong><dd>
-<p>NTFS and Windows VFAT file systems keep a create time for all files
-and directories. This is not the same as the ctime - status change
-time - that Unix keeps, so Samba by default reports the earliest of
-the various times Unix does keep. Setting this parameter for a share
-causes Samba to always report midnight 1-1-1980 as the create time for
-directories.
-<p>This option is mainly used as a compatibility option for Visual C++
-when used against Samba shares. Visual C++ generated makefiles have
-the object directory as a dependency for each object file, and a make
-rule to create the directory. Also, when NMAKE compares timestamps it
-uses the creation time when examining a directory. Thus the object
-directory will be created if it does not exist, but once it does exist
-it will always have an earlier timestamp than the object files it
-contains.
-<p>However, Unix time semantics mean that the create time reported by
-Samba will be updated whenever a file is created or deleted in the
-directory. NMAKE therefore finds all object files in the object
-directory bar the last one built are out of date compared to the
-directory and rebuilds them. Enabling this option ensures directories
-always predate their contents and an NMAKE build will proceed as
-expected.
-<p><strong>Default:</strong>
-<code> fake directory create times = False</code>
-<p><strong>Example:</strong>
-<code> fake directory create times = True</code>
-<p><a name="fakeoplocks"></a>
-<p></p><dt><strong><strong>fake oplocks (S)</strong></strong><dd>
-<p>Oplocks are the way that SMB clients get permission from a server to
-locally cache file operations. If a server grants an oplock
-(opportunistic lock) then the client is free to assume that it is the
-only one accessing the file and it will aggressively cache file
-data. With some oplock types the client may even cache file open/close
-operations. This can give enormous performance benefits.
-<p>When you set <code>"fake oplocks = yes"</code> <a href="smbd.8.html"><strong>smbd</strong></a> will
-always grant oplock requests no matter how many clients are using the
-file.
-<p>It is generally much better to use the real <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a>
-support rather than this parameter.
-<p>If you enable this option on all read-only shares or shares that you
-know will only be accessed from one client at a time such as
-physically read-only media like CDROMs, you will see a big performance
-improvement on many operations. If you enable this option on shares
-where multiple clients may be accessing the files read-write at the
-same time you can get data corruption. Use this option carefully!
-<p>This option is disabled by default.
-<p><a name="followsymlinks"></a>
-<p></p><dt><strong><strong>follow symlinks (S)</strong></strong><dd>
-<p>This parameter allows the Samba administrator to stop
-<a href="smbd.8.html"><strong>smbd</strong></a> from following symbolic links in a
-particular share. Setting this parameter to <em>"No"</em> prevents any file
-or directory that is a symbolic link from being followed (the user
-will get an error). This option is very useful to stop users from
-adding a symbolic link to <code>/etc/passwd</code> in their home directory for
-instance. However it will slow filename lookups down slightly.
-<p>This option is enabled (i.e. <a href="smbd.8.html"><strong>smbd</strong></a> will follow
-symbolic links) by default.
-<p><a name="forcecreatemode"></a>
-<p></p><dt><strong><strong>force create mode (S)</strong></strong><dd>
-<p>This parameter specifies a set of UNIX mode bit permissions that will
-<em>*always*</em> be set on a file by Samba. This is done by bitwise
-'OR'ing these bits onto the mode bits of a file that is being created
-or having its permissions changed. The default for this parameter is
-(in octal) 000. The modes in this parameter are bitwise 'OR'ed onto
-the file mode after the mask set in the <a href="smb.conf.5.html#createmask"><strong>"create
-mask"</strong></a> parameter is applied.
-<p>See also the parameter <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> for details
-on masking mode bits on files.
-<p>See also the <a href="smb.conf.5.html#inheritpermissions"><strong>"inherit permissions"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> force create mode = 000</code>
-<p><strong>Example:</strong>
-<code> force create mode = 0755</code>
-<p>would force all created files to have read and execute permissions set
-for 'group' and 'other' as well as the read/write/execute bits set for
-the 'user'.
-<p><a name="forcedirectorymode"></a>
-<p></p><dt><strong><strong>force directory mode (S)</strong></strong><dd>
-<p>This parameter specifies a set of UNIX mode bit permissions that will
-<em>*always*</em> be set on a directory created by Samba. This is done by
-bitwise 'OR'ing these bits onto the mode bits of a directory that is
-being created. The default for this parameter is (in octal) 0000 which
-will not add any extra permission bits to a created directory. This
-operation is done after the mode mask in the parameter
-<a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a> is applied.
-<p>See also the parameter <a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a> for
-details on masking mode bits on created directories.
-<p>See also the <a href="smb.conf.5.html#inheritpermissions"><strong>"inherit permissions"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> force directory mode = 000</code>
-<p><strong>Example:</strong>
-<code> force directory mode = 0755</code>
-<p>would force all created directories to have read and execute
-permissions set for 'group' and 'other' as well as the
-read/write/execute bits set for the 'user'.
-<p><a name="forcedirectorysecuritymode"></a>
-<p></p><dt><strong><strong>force directory security mode (S)</strong></strong><dd>
-<p>This parameter controls what UNIX permission bits can be modified when
-a Windows NT client is manipulating the UNIX permission on a directory
-using the native NT security dialog box.
-<p>This parameter is applied as a mask (OR'ed with) to the changed
-permission bits, thus forcing any bits in this mask that the user may
-have modified to be on. Essentially, one bits in this mask may be
-treated as a set of bits that, when modifying security on a directory,
-the user has always set to be 'on'.
-<p>If not set explicitly this parameter is set to the same value as the
-<a href="smb.conf.5.html#forcedirectorymode"><strong>force directory mode</strong></a> parameter. To allow
-a user to modify all the user/group/world permissions on a directory,
-with restrictions set this parameter to 000.
-<p><em>Note</em> that users who can access the Samba server through other
-means can easily bypass this restriction, so it is primarily
-useful for standalone "appliance" systems. Administrators of
-most normal systems will probably want to set it to 0000.
-<p>See also the <a href="smb.conf.5.html#directorysecuritymask"><strong>directory security mask</strong></a>,
-<a href="smb.conf.5.html#securitymask"><strong>security mask</strong></a>, <a href="smb.conf.5.html#forcesecuritymode"><strong>force security
-mode</strong></a> parameters.
-<p><strong>Default:</strong>
-<code> force directory security mode = <same as force directory mode></code>
-<p><strong>Example:</strong>
-<code> force directory security mode = 0</code>
-<p><a name="forcegroup"></a>
-<p></p><dt><strong><strong>force group (S)</strong></strong><dd>
-<p>This specifies a UNIX group name that will be assigned as the default
-primary group for all users connecting to this service. This is useful
-for sharing files by ensuring that all access to files on service will
-use the named group for their permissions checking. Thus, by assigning
-permissions for this group to the files and directories within this
-service the Samba administrator can restrict or allow sharing of these
-files.
-<p>In Samba 2.0.5 and above this parameter has extended functionality in the following
-way. If the group name listed here has a '+' character prepended to it
-then the current user accessing the share only has the primary group
-default assigned to this group if they are already assigned as a member
-of that group. This allows an administrator to decide that only users
-who are already in a particular group will create files with group
-ownership set to that group. This gives a finer granularity of ownership
-assignment. For example, the setting <code>force group = +sys</code> means
-that only users who are already in group sys will have their default
-primary group assigned to sys when accessing this Samba share. All
-other users will retain their ordinary primary group.
-<p>If the <a href="smb.conf.5.html#forceuser"><strong>"force user"</strong></a> parameter is also set the
-group specified in <strong>force group</strong> will override the primary group
-set in <a href="smb.conf.5.html#forceuser"><strong>"force user"</strong></a>.
-<p>See also <a href="smb.conf.5.html#forceuser"><strong>"force user"</strong></a>
-<p><strong>Default:</strong>
-<code> no forced group</code>
-<p><strong>Example:</strong>
-<code> force group = agroup</code>
-<p><a name="forcesecuritymode"></a>
-<p></p><dt><strong><strong>force security mode (S)</strong></strong><dd>
-<p>This parameter controls what UNIX permission bits can be modified when
-a Windows NT client is manipulating the UNIX permission on a file
-using the native NT security dialog box.
-<p>This parameter is applied as a mask (OR'ed with) to the changed
-permission bits, thus forcing any bits in this mask that the user may
-have modified to be on. Essentially, one bits in this mask may be
-treated as a set of bits that, when modifying security on a file, the
-user has always set to be 'on'.
-<p>If not set explicitly this parameter is set to the same value as the
-<a href="smb.conf.5.html#forcecreatemode"><strong>force create mode</strong></a> parameter. To allow
-a user to modify all the user/group/world permissions on a file,
-with no restrictions set this parameter to 000.
-<p><em>Note</em> that users who can access the Samba server through other
-means can easily bypass this restriction, so it is primarily
-useful for standalone "appliance" systems. Administrators of
-most normal systems will probably want to set it to 0000.
-<p>See also the <a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>force directory security
-mode</strong></a>, <a href="smb.conf.5.html#directorysecuritymask"><strong>directory security
-mask</strong></a>, <a href="smb.conf.5.html#securitymask"><strong>security mask</strong></a>
-parameters.
-<p><strong>Default:</strong>
-<code> force security mode = <same as force create mode></code>
-<p><strong>Example:</strong>
-<code> force security mode = 0</code>
-<p><a name="forceuser"></a>
-<p></p><dt><strong><strong>force user (S)</strong></strong><dd>
-<p>This specifies a UNIX user name that will be assigned as the default
-user for all users connecting to this service. This is useful for
-sharing files. You should also use it carefully as using it
-incorrectly can cause security problems.
-<p>This user name only gets used once a connection is established. Thus
-clients still need to connect as a valid user and supply a valid
-password. Once connected, all file operations will be performed as the
-<code>"forced user"</code>, no matter what username the client connected as.
-<p>This can be very useful.
-<p>In Samba 2.0.5 and above this parameter also causes the primary
-group of the forced user to be used as the primary group for all
-file activity. Prior to 2.0.5 the primary group was left as the
-primary group of the connecting user (this was a bug).
-<p>See also <a href="smb.conf.5.html#forcegroup"><strong>"force group"</strong></a>
-<p><strong>Default:</strong>
-<code> no forced user</code>
-<p><strong>Example:</strong>
-<code> force user = auser</code>
-<p><a name="fstype"></a>
-<p></p><dt><strong><strong>fstype (S)</strong></strong><dd>
-<p>This parameter allows the administrator to configure the string that
-specifies the type of filesystem a share is using that is reported by
-<a href="smbd.8.html"><strong>smbd</strong></a> when a client queries the filesystem type
-for a share. The default type is <strong>"NTFS"</strong> for compatibility with
-Windows NT but this can be changed to other strings such as "Samba" or
-"FAT" if required.
-<p><strong>Default:</strong>
-<code> fstype = NTFS</code>
-<p><strong>Example:</strong>
-<code> fstype = Samba</code>
-<p><a name="getwdcache"></a>
-<p></p><dt><strong><strong>getwd cache (G)</strong></strong><dd>
-<p>This is a tuning option. When this is enabled a caching algorithm
-will be used to reduce the time taken for getwd() calls. This can have
-a significant impact on performance, especially when the
-<a href="smb.conf.5.html#widelinks"><strong>widelinks</strong></a> parameter is set to False.
-<p><strong>Default:</strong>
-<code> getwd cache = No</code>
-<p><strong>Example:</strong>
-<code> getwd cache = Yes</code>
-<p><a name="group"></a>
-<p></p><dt><strong><strong>group (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#forcegroup"><strong>"force group"</strong></a>.
-<p><a name="guestaccount"></a>
-<p></p><dt><strong><strong>guest account (S)</strong></strong><dd>
-<p>This is a username which will be used for access to services which are
-specified as <a href="smb.conf.5.html#guestok"><strong>'guest ok'</strong></a> (see below). Whatever
-privileges this user has will be available to any client connecting to
-the guest service. Typically this user will exist in the password
-file, but will not have a valid login. The user account <strong>"ftp"</strong> is
-often a good choice for this parameter. If a username is specified in
-a given service, the specified username overrides this one.
-<p>One some systems the default guest account "nobody" may not be able to
-print. Use another account in this case. You should test this by
-trying to log in as your guest user (perhaps by using the <code>"su -"</code>
-command) and trying to print using the system print command such as
-<strong>lpr (1)</strong> or <strong>lp (1)</strong>.
-<p><strong>Default:</strong>
-<code> specified at compile time, usually "nobody"</code>
-<p><strong>Example:</strong>
-<code> guest account = ftp</code>
-<p><a name="guestok"></a>
-<p></p><dt><strong><strong>guest ok (S)</strong></strong><dd>
-<p>If this parameter is <em>'yes'</em> for a service, then no password is
-required to connect to the service. Privileges will be those of the
-<a href="smb.conf.5.html#guestaccount"><strong>guest account</strong></a>.
-<p>See the section below on <a href="smb.conf.5.html#security"><strong>security</strong></a> for more
-information about this option.
-<p><strong>Default:</strong>
-<code> guest ok = no</code>
-<p><strong>Example:</strong>
-<code> guest ok = yes</code>
-<p><a name="guestonly"></a>
-<p></p><dt><strong><strong>guest only (S)</strong></strong><dd>
-<p>If this parameter is <em>'yes'</em> for a service, then only guest
-connections to the service are permitted. This parameter will have no
-affect if <a href="smb.conf.5.html#guestok"><strong>"guest ok"</strong></a> or <a href="smb.conf.5.html#public"><strong>"public"</strong></a>
-is not set for the service.
-<p>See the section below on <a href="smb.conf.5.html#security"><strong>security</strong></a> for more
-information about this option.
-<p><strong>Default:</strong>
-<code> guest only = no</code>
-<p><strong>Example:</strong>
-<code> guest only = yes</code>
-<p><a name="hidedotfiles"></a>
-<p></p><dt><strong><strong>hide dot files (S)</strong></strong><dd>
-<p>This is a boolean parameter that controls whether files starting with
-a dot appear as hidden files.
-<p><strong>Default:</strong>
-<code> hide dot files = yes</code>
-<p><strong>Example:</strong>
-<code> hide dot files = no</code>
-<p><a name="hidefiles"></a>
-<p></p><dt><strong><strong>hide files(S)</strong></strong><dd>
-<p>This is a list of files or directories that are not visible but are
-accessible. The DOS 'hidden' attribute is applied to any files or
-directories that match.
-<p>Each entry in the list must be separated by a <code>'/'</code>, which allows
-spaces to be included in the entry. <code>'*'</code> and <code>'?'</code> can be used
-to specify multiple files or directories as in DOS wildcards.
-<p>Each entry must be a Unix path, not a DOS path and must not include the
-Unix directory separator <code>'/'</code>.
-<p>Note that the case sensitivity option is applicable in hiding files.
-<p>Setting this parameter will affect the performance of Samba, as it
-will be forced to check all files and directories for a match as they
-are scanned.
-<p>See also <a href="smb.conf.5.html#hidedotfiles"><strong>"hide dot files"</strong></a>, <a href="smb.conf.5.html#vetofiles"><strong>"veto
-files"</strong></a> and <a href="smb.conf.5.html#casesensitive"><strong>"case sensitive"</strong></a>.
-<p><strong>Default</strong>
-<pre>
-
- No files or directories are hidden by this option (dot files are
- hidden by default because of the "hide dot files" option).
-
-</pre>
-
-<p><strong>Example</strong>
-<code> hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/</code>
-<p>The above example is based on files that the Macintosh SMB client
-(DAVE) available from <a href="http://www.thursby.com"><strong>Thursby</strong></a> creates for
-internal use, and also still hides all files beginning with a dot.
-<p><a name="hidelocalusers"></a>
-<p></p><dt><strong><strong>hide local users(G)</strong></strong><dd>
-<p>This parameter toggles the hiding of local UNIX users (root, wheel, floppy, etc)
-from remote clients.
-<p><strong>Default:</strong>
-<code> hide local users = No</code>
-<p><strong>Example:</strong>
-<code> hide local users = Yes</code>
-<p><a name="homedirmap"></a>
-<p></p><dt><strong><strong>homedir map (G)</strong></strong><dd>
-<p>If <a href="smb.conf.5.html#nishomedir"><strong>"nis homedir"</strong></a> is true, and
-<a href="smbd.8.html"><strong>smbd</strong></a> is also acting as a Win95/98 <a href="smb.conf.5.html#domainlogons"><strong>logon
-server</strong></a> then this parameter specifies the NIS (or YP)
-map from which the server for the user's home directory should be
-extracted. At present, only the Sun auto.home map format is
-understood. The form of the map is:
-<p><code>username server:/some/file/system</code>
-<p>and the program will extract the servername from before the first
-<code>':'</code>. There should probably be a better parsing system that copes
-with different map formats and also Amd (another automounter) maps.
-<p>NB: A working NIS is required on the system for this option to work.
-<p>See also <a href="smb.conf.5.html#nishomedir"><strong>"nis homedir"</strong></a>, <a href="smb.conf.5.html#domainlogons"><strong>domain
-logons</strong></a>.
-<p><strong>Default:</strong>
-<code> homedir map = auto.home</code>
-<p><strong>Example:</strong>
-<code> homedir map = amd.homedir</code>
-<p><a name="hostsallow"></a>
-<p></p><dt><strong><strong>hosts allow (S)</strong></strong><dd>
-<p>A synonym for this parameter is <a href="smb.conf.5.html#allowhosts"><strong>'allow hosts'</strong></a>
-<p>This parameter is a comma, space, or tab delimited set of hosts which
-are permitted to access a service.
-<p>If specified in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section then it will
-apply to all services, regardless of whether the individual service
-has a different setting.
-<p>You can specify the hosts by name or IP number. For example, you could
-restrict access to only the hosts on a Class C subnet with something
-like <code>"allow hosts = 150.203.5."</code>. The full syntax of the list is
-described in the man page <strong>hosts_access (5)</strong>. Note that this man
-page may not be present on your system, so a brief description will
-be given here also.
-<p>Note that the localhost address 127.0.0.1 will always be allowed
-access unless specifically denied by a "hosts deny" option.
-<p>You can also specify hosts by network/netmask pairs and by netgroup
-names if your system supports netgroups. The <em>EXCEPT</em> keyword can also
-be used to limit a wildcard list. The following examples may provide
-some help:
-<p><strong>Example 1</strong>: allow all IPs in 150.203.*.* except one
-<p><code> hosts allow = 150.203. EXCEPT 150.203.6.66</code>
-<p><strong>Example 2</strong>: allow hosts that match the given network/netmask
-<p><code> hosts allow = 150.203.15.0/255.255.255.0</code>
-<p><strong>Example 3</strong>: allow a couple of hosts
-<p><code> hosts allow = lapland, arvidsjaur</code>
-<p><strong>Example 4</strong>: allow only hosts in NIS netgroup "foonet", but
-deny access from one particular host
-<p><code> hosts allow = @foonet</code>
-<p><code> hosts deny = pirate</code>
-<p>Note that access still requires suitable user-level passwords.
-<p>See <a href="testparm.1.html"><strong>testparm (1)</strong></a> for a way of testing your
-host access to see if it does what you expect.
-<p><strong>Default:</strong>
-<code> none (i.e., all hosts permitted access)</code>
-<p><strong>Example:</strong>
-<code> allow hosts = 150.203.5. myhost.mynet.edu.au</code>
-<p><a name="hostsdeny"></a>
-<p></p><dt><strong><strong>hosts deny (S)</strong></strong><dd>
-<p>The opposite of <a href="smb.conf.5.html#hostsallow"><strong>'hosts allow'</strong></a> - hosts listed
-here are <em>NOT</em> permitted access to services unless the specific
-services have their own lists to override this one. Where the lists
-conflict, the <a href="smb.conf.5.html#hostsallow"><strong>'allow'</strong></a> list takes precedence.
-<p><strong>Default:</strong>
-<code> none (i.e., no hosts specifically excluded)</code>
-<p><strong>Example:</strong>
-<code> hosts deny = 150.203.4. badhost.mynet.edu.au</code>
-<p><a name="hostsequiv"></a>
-<p></p><dt><strong><strong>hosts equiv (G)</strong></strong><dd>
-<p>If this global parameter is a non-null string, it specifies the name
-of a file to read for the names of hosts and users who will be allowed
-access without specifying a password.
-<p>This is not be confused with <a href="smb.conf.5.html#hostsallow"><strong>hosts allow</strong></a> which
-is about hosts access to services and is more useful for guest
-services. <strong>hosts equiv</strong> may be useful for NT clients which will not
-supply passwords to samba.
-<p>NOTE: The use of <strong>hosts equiv</strong> can be a major security hole. This is
-because you are trusting the PC to supply the correct username. It is
-very easy to get a PC to supply a false username. I recommend that the
-<strong>hosts equiv</strong> option be only used if you really know what you are
-doing, or perhaps on a home network where you trust your spouse and
-kids. And only if you <em>really</em> trust them :-).
-<p><strong>Default</strong>
-<code> No host equivalences</code>
-<p><strong>Example</strong>
-<code> hosts equiv = /etc/hosts.equiv</code>
-<p><a name="include"></a>
-<p></p><dt><strong><strong>include (G)</strong></strong><dd>
-<p>This allows you to include one config file inside another. The file
-is included literally, as though typed in place.
-<p>It takes the standard substitutions, except <a href="smb.conf.5.html#percentu"><strong>%u</strong></a>,
-<a href="smb.conf.5.html#percentP"><strong>%P</strong></a> and <a href="smb.conf.5.html#percentS"><strong>%S</strong></a>.
-<p><a name="inheritpermissions"></a>
-<p></p><dt><strong><strong>inherit permissions (S)</strong></strong><dd>
-<p>The permissions on new files and directories are normally governed by
-<a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a>,
-<a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a>,
-<a href="smb.conf.5.html#forcecreatemode"><strong>"force create mode"</strong></a> and
-<a href="smb.conf.5.html#forcedirectorymode"><strong>"force directory mode"</strong></a>
-but the boolean inherit permissions parameter overrides this.
-<p>New directories inherit the mode of the parent directory,
-including bits such as setgid.
-<p>New files inherit their read/write bits from the parent directory.
-Their execute bits continue to be determined by
-<a href="smb.conf.5.html#maparchive"><strong>"map archive"</strong></a>,
-<a href="smb.conf.5.html#maphidden"><strong>"map hidden"</strong></a> and
-<a href="smb.conf.5.html#mapsystem"><strong>"map system"</strong></a> as usual.
-<p>Note that the setuid bit is *never* set via inheritance
-(the code explicitly prohibits this).
-<p>This can be particularly useful on large systems with many users,
-perhaps several thousand,
-to allow a single <strong>[homes]</strong> share to be used flexibly by each user.
-<p>See also <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a>, <a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a>,
-<a href="smb.conf.5.html#forcecreatemode"><strong>"force create mode"</strong></a> and
-<a href="smb.conf.5.html#forcedirectorymode"><strong>"force directory mode"</strong></a>.
-<p><strong>Default</strong>
-<code> inherit permissions = no</code>
-<p><strong>Example</strong>
-<code> inherit permissions = yes</code>
-<p><a name="interfaces"></a>
-<p></p><dt><strong><strong>interfaces (G)</strong></strong><dd>
-<p>This option allows you to override the default network interfaces list
-that Samba will use for browsing, name registration and other NBT
-traffic. By default Samba will query the kernel for the list of all
-active interfaces and use any interfaces except 127.0.0.1 that are
-broadcast capable.
-<p>The option takes a list of interface strings. Each string can be in
-any of the following forms:
-<p><dl>
-<li > a network interface name (such as eth0). This may include
- shell-like wildcards so eth* will match any interface starting
- with the substring "eth"
-<li > an IP address. In this case the netmask is determined
- from the list of interfaces obtained from the kernel
-<li > an IP/mask pair.
-<li > a broadcast/mask pair.
-</dl>
-<p>The "mask" parameters can either be a bit length (such as 24 for a C
-class network) or a full netmask in dotted decmal form.
-<p>The "IP" parameters above can either be a full dotted decimal IP
-address or a hostname which will be looked up via the OSes normal
-hostname resolution mechanisms.
-<p>For example, the following line:
-<p><code>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</code>
-<p>would configure three network interfaces corresponding to the eth0
-device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of
-the latter two interfaces would be set to 255.255.255.0.
-<p>See also <a href="smb.conf.5.html#bindinterfacesonly"><strong>"bind interfaces only"</strong></a>.
-<p><a name="invalidusers"></a>
-<p></p><dt><strong><strong>invalid users (S)</strong></strong><dd>
-<p>This is a list of users that should not be allowed to login to this
-service. This is really a <em>"paranoid"</em> check to absolutely ensure an
-improper setting does not breach your security.
-<p>A name starting with a <code>'@'</code> is interpreted as an NIS netgroup first
-(if your system supports NIS), and then as a UNIX group if the name
-was not found in the NIS netgroup database.
-<p>A name starting with <code>'+'</code> is interpreted only by looking in the
-UNIX group database. A name starting with <code>'&'</code> is interpreted only
-by looking in the NIS netgroup database (this requires NIS to be
-working on your system). The characters <code>'+'</code> and <code>'&'</code> may be
-used at the start of the name in either order so the value
-<code>"+&group"</code> means check the UNIX group database, followed by the NIS
-netgroup database, and the value <code>"&+group"</code> means check the NIS
-netgroup database, followed by the UNIX group database (the same as
-the <code>'@'</code> prefix).
-<p>The current servicename is substituted for
-<a href="smb.conf.5.html#percentS"><strong>%S</strong></a>. This is useful in the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a>
-section.
-<p>See also <a href="smb.conf.5.html#validusers"><strong>"valid users"</strong></a>.
-<p><strong>Default:</strong>
-<code> No invalid users</code>
-<p><strong>Example:</strong>
-<code> invalid users = root fred admin @wheel</code>
-<p><a name="keepalive"></a>
-<p></p><dt><strong><strong>keepalive (G)</strong></strong><dd>
-<p>The value of the parameter (an integer) represents the number of
-seconds between <strong>'keepalive'</strong> packets. If this parameter is zero, no
-keepalive packets will be sent. Keepalive packets, if sent, allow the
-server to tell whether a client is still present and responding.
-<p>Keepalives should, in general, not be needed if the socket being used
-has the SO_KEEPALIVE attribute set on it (see <a href="smb.conf.5.html#socketoptions"><strong>"socket
-options"</strong></a>). Basically you should only use this option
-if you strike difficulties.
-<p><strong>Default:</strong>
-<code> keepalive = 0</code>
-<p><strong>Example:</strong>
-<code> keepalive = 60</code>
-<p><a name="kerneloplocks"></a>
-<p></p><dt><strong><strong>kernel oplocks (G)</strong></strong><dd>
-<p>For UNIXs that support kernel based <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a>
-(currently only IRIX but hopefully also Linux and FreeBSD soon) this
-parameter allows the use of them to be turned on or off.
-<p>Kernel oplocks support allows Samba <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a> to be
-broken whenever a local UNIX process or NFS operation accesses a file
-that <a href="smbd.8.html"><strong>smbd</strong></a> has oplocked. This allows complete
-data consistency between SMB/CIFS, NFS and local file access (and is a
-<em>very</em> cool feature :-).
-<p>This parameter defaults to <em>"On"</em> on systems that have the support,
-and <em>"off"</em> on systems that don't. You should never need to touch
-this parameter.
-<p>See also the <a href="smb.conf.5.html#oplocks"><strong>"oplocks"</strong></a> and <a href="smb.conf.5.html#level2oplocks"><strong>"level2 oplocks"</strong></a>
-parameters.
-<p><a name="ldapfilter"></a>
-<p></p><dt><strong><strong>ldap filter (G)</strong></strong><dd>
-<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a
-password database stored on an LDAP server back-end. These options
-are only available if your version of Samba was configured with
-the <strong>--with-ldap</strong> option.
-<p>This parameter specifies an LDAP search filter used to search for a
-user name in the LDAP database. It must contain the string
-<a href="smb.conf.5.html#percentU"><strong>%u</strong></a> which will be replaced with the user being
-searched for.
-<p><strong>Default:</strong>
-<code> empty string.</code>
-<p><a name="ldapport"></a>
-<p></p><dt><strong><strong>ldap port (G)</strong></strong><dd>
-<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a
-password database stored on an LDAP server back-end. These options
-are only available if your version of Samba was configured with
-the <strong>--with-ldap</strong> option.
-<p>This parameter specifies the TCP port number to use to contact
-the LDAP server on.
-<p><strong>Default:</strong>
-<code> ldap port = 389.</code>
-<p><a name="ldaproot"></a>
-<p></p><dt><strong><strong>ldap root (G)</strong></strong><dd>
-<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a
-password database stored on an LDAP server back-end. These options
-are only available if your version of Samba was configured with
-the <strong>--with-ldap</strong> option.
-<p>This parameter specifies the entity to bind to the LDAP server
-as (essentially the LDAP username) in order to be able to perform
-queries and modifications on the LDAP database.
-<p>See also <a href="smb.conf.5.html#ldaprootpasswd"><strong>ldap root passwd</strong></a>.
-<p><strong>Default:</strong>
-<code> empty string (no user defined)</code>
-<p><a name="ldaprootpasswd"></a>
-<p></p><dt><strong><strong>ldap root passwd (G)</strong></strong><dd>
-<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a
-password database stored on an LDAP server back-end. These options
-are only available if your version of Samba was configured with
-the <strong>--with-ldap</strong> option.
-<p>This parameter specifies the password for the entity to bind to the
-LDAP server as (the password for this LDAP username) in order to be
-able to perform queries and modifications on the LDAP database.
-<p><em>BUGS:</em> This parameter should <em>NOT</em> be a readable parameter
-in the <strong>smb.conf</strong> file and will be removed once a correct
-storage place is found.
-<p>See also <a href="smb.conf.5.html#ldaproot"><strong>ldap root</strong></a>.
-<p><strong>Default:</strong>
-<code> empty string.</code>
-<p><a name="ldapserver"></a>
-<p></p><dt><strong><strong>ldap server (G)</strong></strong><dd>
-<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a
-password database stored on an LDAP server back-end. These options
-are only available if your version of Samba was configured with
-the <strong>--with-ldap</strong> option.
-<p>This parameter specifies the DNS name of the LDAP server to use
-for SMB/CIFS authentication purposes.
-<p><strong>Default:</strong>
-<code> ldap server = localhost</code>
-<p><a name="ldapsuffix"></a>
-<p></p><dt><strong><strong>ldap suffix (G)</strong></strong><dd>
-<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a
-password database stored on an LDAP server back-end. These options
-are only available if your version of Samba was configured with
-the <strong>--with-ldap</strong> option.
-<p>This parameter specifies the <code>"dn"</code> or LDAP <em>"distinguished name"</em>
-that tells <a href="smbd.8.html"><strong>smbd</strong></a> to start from when searching
-for an entry in the LDAP password database.
-<p><strong>Default:</strong>
-<code> empty string.</code>
-<p><a name="level2oplocks"></a>
-<p></p><dt><strong><strong>level2 oplocks (S)</strong></strong><dd>
-<p>This parameter (new in Samba 2.0.5) controls whether Samba supports
-level2 (read-only) oplocks on a share. In Samba 2.0.5 this parameter
-defaults to "False" as the code is new, but will default to "True"
-in a later release.
-<p>Level2, or read-only oplocks allow Windows NT clients that have an
-oplock on a file to downgrade from a read-write oplock to a read-only
-oplock once a second client opens the file (instead of releasing all
-oplocks on a second open, as in traditional, exclusive oplocks). This
-allows all openers of the file that support level2 oplocks to cache
-the file for read-ahead only (ie. they may not cache writes or lock
-requests) and increases performance for many acesses of files that
-are not commonly written (such as application .EXE files).
-<p>Once one of the clients which have a read-only oplock writes to
-the file all clients are notified (no reply is needed or waited
-for) and told to break their oplocks to "none" and delete any
-read-ahead caches.
-<p>It is recommended that this parameter be turned on to speed access
-to shared executables (and also to test the code :-).
-<p>For more discussions on level2 oplocks see the CIFS spec.
-<p>Currently, if <a href="smb.conf.5.html#kerneloplocks"><strong>"kernel oplocks"</strong></a> are supported
-then level2 oplocks are not granted (even if this parameter is set
-to <code>"true"</code>). Note also, the <a href="smb.conf.5.html#oplocks"><strong>"oplocks"</strong></a> parameter must
-be set to "true" on this share in order for this parameter to have any
-effect.
-<p>See also the <a href="smb.conf.5.html#oplocks"><strong>"oplocks"</strong></a> and <a href="smb.conf.5.html#kerneloplocks"><strong>"kernel oplocks"</strong></a> parameters.
-<p><strong>Default:</strong>
-<code> level2 oplocks = False</code>
-<p><strong>Example:</strong>
-<code> level2 oplocks = True</code>
-<p><a name="lmannounce"></a>
-<p></p><dt><strong><strong>lm announce (G)</strong></strong><dd>
-<p>This parameter determines if <a href="nmbd.8.html"><strong>nmbd</strong></a> will produce
-Lanman announce broadcasts that are needed by <strong>OS/2</strong> clients in order
-for them to see the Samba server in their browse list. This parameter
-can have three values, <code>"true"</code>, <code>"false"</code>, or <code>"auto"</code>. The
-default is <code>"auto"</code>. If set to <code>"false"</code> Samba will never produce
-these broadcasts. If set to <code>"true"</code> Samba will produce Lanman
-announce broadcasts at a frequency set by the parameter <a href="smb.conf.5.html#lminterval"><strong>"lm
-interval"</strong></a>. If set to <code>"auto"</code> Samba will not send Lanman
-announce broadcasts by default but will listen for them. If it hears
-such a broadcast on the wire it will then start sending them at a
-frequency set by the parameter <a href="smb.conf.5.html#lminterval"><strong>"lm interval"</strong></a>.
-<p>See also <a href="smb.conf.5.html#lminterval"><strong>"lm interval"</strong></a>.
-<p><strong>Default:</strong>
-<code> lm announce = auto</code>
-<p><strong>Example:</strong>
-<code> lm announce = true</code>
-<p><a name="lminterval"></a>
-<p></p><dt><strong><strong>lm interval (G)</strong></strong><dd>
-<p>If Samba is set to produce Lanman announce broadcasts needed by
-<strong>OS/2</strong> clients (see the <a href="smb.conf.5.html#lmannounce"><strong>"lm announce"</strong></a>
-parameter) then this parameter defines the frequency in seconds with
-which they will be made. If this is set to zero then no Lanman
-announcements will be made despite the setting of the <a href="smb.conf.5.html#lmannounce"><strong>"lm
-announce"</strong></a> parameter.
-<p>See also <a href="smb.conf.5.html#lmannounce"><strong>"lm announce"</strong></a>.
-<p><strong>Default:</strong>
-<code> lm interval = 60</code>
-<p><strong>Example:</strong>
-<code> lm interval = 120</code>
-<p><a name="loadprinters"></a>
-<p></p><dt><strong><strong>load printers (G)</strong></strong><dd>
-<p>A boolean variable that controls whether all printers in the printcap
-will be loaded for browsing by default. See the
-<a href="smb.conf.5.html#printers"><strong>"printers"</strong></a> section for more details.
-<p><strong>Default:</strong>
-<code> load printers = yes</code>
-<p><strong>Example:</strong>
-<code> load printers = no</code>
-<p><a name="localmaster"></a>
-<p></p><dt><strong><strong>local master (G)</strong></strong><dd>
-<p>This option allows <a href="nmbd.8.html"><strong>nmbd</strong></a> to try and become a
-local master browser on a subnet. If set to False then
-<a href="nmbd.8.html"><strong>nmbd</strong></a> will not attempt to become a local master
-browser on a subnet and will also lose in all browsing elections. By
-default this value is set to true. Setting this value to true doesn't
-mean that Samba will <em>become</em> the local master browser on a subnet,
-just that <a href="nmbd.8.html"><strong>nmbd</strong></a> will <em>participate</em> in
-elections for local master browser.
-<p>Setting this value to False will cause <a href="nmbd.8.html"><strong>nmbd</strong></a>
-<em>never</em> to become a local master browser.
-<p><strong>Default:</strong>
-<code> local master = yes</code>
-<p><a name="lockdir"></a>
-<p></p><dt><strong><strong>lock dir (G)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#lockdirectory"><strong>"lock directory"</strong></a>.
-<p><a name="lockdirectory"></a>
-<p></p><dt><strong><strong>lock directory (G)</strong></strong><dd>
-<p>This option specifies the directory where lock files will be placed.
-The lock files are used to implement the <a href="smb.conf.5.html#maxconnections"><strong>"max
-connections"</strong></a> option.
-<p><strong>Default:</strong>
-<code> lock directory = /tmp/samba</code>
-<p><strong>Example:</strong>
-<code> lock directory = /usr/local/samba/var/locks</code>
-<p><a name="locking"></a>
-<p></p><dt><strong><strong>locking (S)</strong></strong><dd>
-<p>This controls whether or not locking will be performed by the server
-in response to lock requests from the client.
-<p>If <code>"locking = no"</code>, all lock and unlock requests will appear to
-succeed and all lock queries will indicate that the queried lock is
-clear.
-<p>If <code>"locking = yes"</code>, real locking will be performed by the server.
-<p>This option <em>may</em> be useful for read-only filesystems which <em>may</em>
-not need locking (such as cdrom drives), although setting this
-parameter of <code>"no"</code> is not really recommended even in this case.
-<p>Be careful about disabling locking either globally or in a specific
-service, as lack of locking may result in data corruption. You should
-never need to set this parameter.
-<p><strong>Default:</strong>
-<code> locking = yes</code>
-<p><strong>Example:</strong>
-<code> locking = no</code>
-<p><a name="logfile"></a>
-<p></p><dt><strong><strong>log file (G)</strong></strong><dd>
-<p>This options allows you to override the name of the Samba log file
-(also known as the debug file).
-<p>This option takes the standard substitutions, allowing you to have
-separate log files for each user or machine.
-<p><strong>Example:</strong>
-<code> log file = /usr/local/samba/var/log.%m</code>
-<p><a name="loglevel"></a>
-<p></p><dt><strong><strong>log level (G)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#debuglevel"><strong>"debug level"</strong></a>.
-<p><a name="logondrive"></a>
-<p></p><dt><strong><strong>logon drive (G)</strong></strong><dd>
-<p>This parameter specifies the local path to which the home directory
-will be connected (see <a href="smb.conf.5.html#logonhome"><strong>"logon home"</strong></a>) and is only
-used by NT Workstations.
-<p>Note that this option is only useful if Samba is set up as a
-<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>.
-<p><strong>Example:</strong>
-<code> logon drive = h:</code>
-<p><a name="logonhome"></a>
-<p></p><dt><strong><strong>logon home (G)</strong></strong><dd>
-<p>This parameter specifies the home directory location when a Win95/98 or
-NT Workstation logs into a Samba PDC. It allows you to do
-<p><code>"NET USE H: /HOME"</code>
-<p>from a command prompt, for example.
-<p>This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine.
-<p>This parameter can be used with Win9X workstations to ensure that
-roaming profiles are stored in a subdirectory of the user's home
-directory. This is done in the following way:
-<p><code>" logon home = \\%L\%U\profile"</code>
-<p>This tells Samba to return the above string, with substitutions made
-when a client requests the info, generally in a NetUserGetInfo request.
-Win9X clients truncate the info to \\server\share when a user does <code>"net use /home"</code>,
-but use the whole string when dealing with profiles.
-<p>Note that in prior versions of Samba, the <code>"logon path"</code> was returned rather than
-<code>"logon home"</code>. This broke <code>"net use /home"</code> but allowed profiles outside the
-home directory. The current implementation is correct, and can be used for profiles
-if you use the above trick.
-<p>Note that this option is only useful if Samba is set up as a
-<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>.
-<p><strong>Example:</strong>
-<code> logon home = "\\remote_smb_server\%U"</code>
-<p><strong>Default:</strong>
-<code> logon home = "\\%N\%U"</code>
-<p><a name="logonpath"></a>
-<p></p><dt><strong><strong>logon path (G)</strong></strong><dd>
-<p>This parameter specifies the home directory where roaming profiles
-(NTuser.dat etc files for Windows NT) are stored. Contrary to previous
-versions of these manual pages, it has nothing to do with Win 9X roaming
-profiles. To find out how to handle roaming profiles for Win 9X system, see
-the <code>"logon home"</code> parameter.
-<p>This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine. It also specifies
-the directory from which the <code>"application data"</code>, (<code>"desktop"</code>, <code>"start menu"</code>,
-<code>"network neighborhood"</code>, <code>"programs"</code> and other folders, and their
-contents, are loaded and displayed on your Windows NT client.
-<p>The share and the path must be readable by the user for the
-preferences and directories to be loaded onto the Windows NT
-client. The share must be writeable when the logs in for the first
-time, in order that the Windows NT client can create the NTuser.dat
-and other directories.
-<p>Thereafter, the directories and any of the contents can, if required, be
-made read-only. It is not advisable that the NTuser.dat file be made
-read-only - rename it to NTuser.man to achieve the desired effect (a
-<em>MAN</em>datory profile).
-<p>Windows clients can sometimes maintain a connection to the [homes]
-share, even though there is no user logged in. Therefore, it is vital
-that the logon path does not include a reference to the homes share
-(i.e. setting this parameter to <code>\\%N\HOMES\profile_path</code> will cause
-problems).
-<p>This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine.
-<p>Note that this option is only useful if Samba is set up as a
-<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>.
-<p><strong>Default:</strong>
-<code> logon path = \\%N\%U\profile</code>
-<p><strong>Example:</strong>
-<code> logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE</code>
-<p><a name="logonscript"></a>
-<p></p><dt><strong><strong>logon script (G)</strong></strong><dd>
-<p>This parameter specifies the batch file (.bat) or NT command file
-(.cmd) to be downloaded and run on a machine when a user successfully
-logs in. The file must contain the DOS style cr/lf line endings.
-Using a DOS-style editor to create the file is recommended.
-<p>The script must be a relative path to the <code>[netlogon]</code> service. If
-the <code>[netlogon]</code> service specifies a <a href="smb.conf.5.html#path"><strong>path</strong></a> of
-/usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the
-file that will be downloaded is:
-<p><code>/usr/local/samba/netlogon/STARTUP.BAT</code>
-<p>The contents of the batch file is entirely your choice. A suggested
-command would be to add <code>NET TIME \\SERVER /SET /YES</code>, to force every
-machine to synchronize clocks with the same time server. Another use
-would be to add <code>NET USE U: \\SERVER\UTILS</code> for commonly used
-utilities, or <code>NET USE Q: \\SERVER\ISO9001_QA</code> for example.
-<p>Note that it is particularly important not to allow write access to
-the <code>[netlogon]</code> share, or to grant users write permission on the
-batch files in a secure environment, as this would allow the batch
-files to be arbitrarily modified and security to be breached.
-<p>This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine.
-<p>Note that this option is only useful if Samba is set up as a
-<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>.
-<p><strong>Example:</strong>
-<code> logon script = scripts\%U.bat</code>
-<p><a name="lppausecommand"></a>
-<p></p><dt><strong><strong>lppause command (S)</strong></strong><dd>
-<p>This parameter specifies the command to be executed on the server host
-in order to stop printing or spooling a specific print job.
-<p>This command should be a program or script which takes a printer name
-and job number to pause the print job. One way of implementing this is
-by using job priorities, where jobs having a too low priority won't be
-sent to the printer.
-<p>If a <code>"%p"</code> is given then the printername is put in its place. A
-<code>"%j"</code> is replaced with the job number (an integer). On HPUX (see
-<a href="smb.conf.5.html#printing"><strong>printing=hpux</strong></a>), if the <code>"-p%p"</code> option is added
-to the lpq command, the job will show up with the correct status,
-i.e. if the job priority is lower than the set fence priority it will
-have the PAUSED status, whereas if the priority is equal or higher it
-will have the SPOOLED or PRINTING status.
-<p>Note that it is good practice to include the absolute path in the
-lppause command as the PATH may not be available to the server.
-<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter.
-<p><strong>Default:</strong>
- Currently no default value is given to this string, unless the
-value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>SYSV</code>, in
-which case the default is :
-<p><code> lp -i %p-%j -H hold</code>
-<p>or if the value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>softq</code>,
-then the default is:
-<p><code> qstat -s -j%j -h</code>
-<p><strong>Example for HPUX:</strong>
- lppause command = /usr/bin/lpalt %p-%j -p0
-<p><a name="lpqcachetime"></a>
-<p></p><dt><strong><strong>lpq cache time (G)</strong></strong><dd>
-<p>This controls how long lpq info will be cached for to prevent the
-<strong>lpq</strong> command being called too often. A separate cache is kept for
-each variation of the <strong>lpq</strong> command used by the system, so if you
-use different <strong>lpq</strong> commands for different users then they won't
-share cache information.
-<p>The cache files are stored in <code>/tmp/lpq.xxxx</code> where xxxx is a hash of
-the <strong>lpq</strong> command in use.
-<p>The default is 10 seconds, meaning that the cached results of a
-previous identical <strong>lpq</strong> command will be used if the cached data is
-less than 10 seconds old. A large value may be advisable if your
-<strong>lpq</strong> command is very slow.
-<p>A value of 0 will disable caching completely.
-<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> lpq cache time = 10</code>
-<p><strong>Example:</strong>
-<code> lpq cache time = 30</code>
-<p><a name="lpqcommand"></a>
-<p></p><dt><strong><strong>lpq command (S)</strong></strong><dd>
-<p>This parameter specifies the command to be executed on the server host
-in order to obtain <code>"lpq"</code>-style printer status information.
-<p>This command should be a program or script which takes a printer name
-as its only parameter and outputs printer status information.
-<p>Currently eight styles of printer status information are supported;
-BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX
-systems. You control which type is expected using the
-<a href="smb.conf.5.html#printing"><strong>"printing ="</strong></a> option.
-<p>Some clients (notably Windows for Workgroups) may not correctly send
-the connection number for the printer they are requesting status
-information about. To get around this, the server reports on the first
-printer service connected to by the client. This only happens if the
-connection number sent is invalid.
-<p>If a <code>%p</code> is given then the printername is put in its place. Otherwise
-it is placed at the end of the command.
-<p>Note that it is good practice to include the absolute path in the <strong>lpq
-command</strong> as the PATH may not be available to the server.
-<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> depends on the setting of printing =</code>
-<p><strong>Example:</strong>
-<code> lpq command = /usr/bin/lpq %p</code>
-<p><a name="lpresumecommand"></a>
-<p></p><dt><strong><strong>lpresume command (S)</strong></strong><dd>
-<p>This parameter specifies the command to be executed on the server host
-in order to restart or continue printing or spooling a specific print
-job.
-<p>This command should be a program or script which takes a printer name
-and job number to resume the print job. See also the <a href="smb.conf.5.html#lppausecommand"><strong>"lppause
-command"</strong></a> parameter.
-<p>If a <code>%p</code> is given then the printername is put in its place. A
-<code>%j</code> is replaced with the job number (an integer).
-<p>Note that it is good practice to include the absolute path in the <strong>lpresume
-command</strong> as the PATH may not be available to the server.
-<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter.
-<p><strong>Default:</strong>
-<p>Currently no default value is given to this string, unless the
-value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>SYSV</code>, in
-which case the default is :
-<p><code> lp -i %p-%j -H resume</code>
-<p>or if the value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>softq</code>,
-then the default is:
-<p><code> qstat -s -j%j -r</code>
-<p><strong>Example for HPUX:</strong>
-<code> lpresume command = /usr/bin/lpalt %p-%j -p2</code>
-<p><a name="lprmcommand"></a>
-<p></p><dt><strong><strong>lprm command (S)</strong></strong><dd>
-<p>This parameter specifies the command to be executed on the server host
-in order to delete a print job.
-<p>This command should be a program or script which takes a printer name
-and job number, and deletes the print job.
-<p>If a <code>%p</code> is given then the printername is put in its place. A
-<code>%j</code> is replaced with the job number (an integer).
-<p>Note that it is good practice to include the absolute path in the
-<strong>lprm command</strong> as the PATH may not be available to the server.
-<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> depends on the setting of "printing ="</code>
-<p><strong>Example 1:</strong>
-<code> lprm command = /usr/bin/lprm -P%p %j</code>
-<p><strong>Example 2:</strong>
-<code> lprm command = /usr/bin/cancel %p-%j</code>
-<p><a name="machinepasswordtimeout"></a>
-<p></p><dt><strong><strong>machine password timeout (G)</strong></strong><dd>
-<p>If a Samba server is a member of an Windows NT Domain (see the
-<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>) parameter) then
-periodically a running <a href="smbd.8.html"><strong>smbd</strong></a> process will try and
-change the <strong>MACHINE ACCOUNT PASWORD</strong> stored in the file called
-<code><Domain>.<Machine>.mac</code> where <code><Domain></code> is the name of the
-Domain we are a member of and <code><Machine></code> is the primary
-<a href="smb.conf.5.html#netbiosname"><strong>"NetBIOS name"</strong></a> of the machine
-<a href="smbd.8.html"><strong>smbd</strong></a> is running on. This parameter specifies how
-often this password will be changed, in seconds. The default is one
-week (expressed in seconds), the same as a Windows NT Domain member
-server.
-<p>See also <a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>, and the
-<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>) parameter.
-<p><strong>Default:</strong>
-<code> machine password timeout = 604800</code>
-<p><a name="magicoutput"></a>
-<p></p><dt><strong><strong>magic output (S)</strong></strong><dd>
-<p>This parameter specifies the name of a file which will contain output
-created by a magic script (see the <a href="smb.conf.5.html#magicscript"><strong>"magic
-script"</strong></a> parameter below).
-<p>Warning: If two clients use the same <a href="smb.conf.5.html#magicscript"><strong>"magic
-script"</strong></a> in the same directory the output file content
-is undefined.
-<p><strong>Default:</strong>
-<code> magic output = <magic script name>.out</code>
-<p><strong>Example:</strong>
-<code> magic output = myfile.txt</code>
-<p><a name="magicscript"></a>
-<p></p><dt><strong><strong>magic script (S)</strong></strong><dd>
-<p>This parameter specifies the name of a file which, if opened, will be
-executed by the server when the file is closed. This allows a UNIX
-script to be sent to the Samba host and executed on behalf of the
-connected user.
-<p>Scripts executed in this way will be deleted upon completion,
-permissions permitting.
-<p>If the script generates output, output will be sent to the file
-specified by the <a href="smb.conf.5.html#magicoutput"><strong>"magic output"</strong></a> parameter (see
-above).
-<p>Note that some shells are unable to interpret scripts containing
-carriage-return-linefeed instead of linefeed as the end-of-line
-marker. Magic scripts must be executable <em>"as is"</em> on the host,
-which for some hosts and some shells will require filtering at the DOS
-end.
-<p>Magic scripts are <em>EXPERIMENTAL</em> and should <em>NOT</em> be relied upon.
-<p><strong>Default:</strong>
-<code> None. Magic scripts disabled.</code>
-<p><strong>Example:</strong>
-<code> magic script = user.csh</code>
-<p><a name="manglecase"></a>
-<p></p><dt><strong><strong>mangle case (S)</strong></strong><dd>
-<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a>.
-<p><a name="manglelocks"></a>
-<p></p><dt><strong><strong>mangle locks (S)</strong></strong><dd>
-<p>This option is was introduced with Samba 2.0.4 and above and has been
-removed in Samba 2.0.6 as Samba now dynamically configures such things
-on 32 bit systems.
-<p><a name="mangledmap"></a>
-<p></p><dt><strong><strong>mangled map (S)</strong></strong><dd>
-<p>This is for those who want to directly map UNIX file names which can
-not be represented on Windows/DOS. The mangling of names is not always
-what is needed. In particular you may have documents with file
-extensions that differ between DOS and UNIX. For example, under UNIX
-it is common to use <code>".html"</code> for HTML files, whereas under
-Windows/DOS <code>".htm"</code> is more commonly used.
-<p>So to map <code>"html"</code> to <code>"htm"</code> you would use:
-<p><code> mangled map = (*.html *.htm)</code>
-<p>One very useful case is to remove the annoying <code>";1"</code> off the ends
-of filenames on some CDROMS (only visible under some UNIXs). To do
-this use a map of (*;1 *).
-<p><strong>default:</strong>
-<code> no mangled map</code>
-<p><strong>Example:</strong>
-<code> mangled map = (*;1 *)</code>
-<p><a name="manglednames"></a>
-<p></p><dt><strong><strong>mangled names (S)</strong></strong><dd>
-<p>This controls whether non-DOS names under UNIX should be mapped to
-DOS-compatible names ("mangled") and made visible, or whether non-DOS
-names should simply be ignored.
-<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a> for details
-on how to control the mangling process.
-<p>If mangling is used then the mangling algorithm is as follows:
-<p><dl>
-<p><li > The first (up to) five alphanumeric characters before the
-rightmost dot of the filename are preserved, forced to upper case, and
-appear as the first (up to) five characters of the mangled name.
-<p><li > A tilde <code>"~"</code> is appended to the first part of the mangled
-name, followed by a two-character unique sequence, based on the
-original root name (i.e., the original filename minus its final
-extension). The final extension is included in the hash calculation
-only if it contains any upper case characters or is longer than three
-characters.
-<p>Note that the character to use may be specified using the
-<a href="smb.conf.5.html#manglingchar"><strong>"mangling char"</strong></a> option, if you don't like
-<code>'~'</code>.
-<p><li > The first three alphanumeric characters of the final extension
-are preserved, forced to upper case and appear as the extension of the
-mangled name. The final extension is defined as that part of the
-original filename after the rightmost dot. If there are no dots in the
-filename, the mangled name will have no extension (except in the case
-of <a href="smb.conf.5.html#hidefiles"><strong>"hidden files"</strong></a> - see below).
-<p><li > Files whose UNIX name begins with a dot will be presented as DOS
-hidden files. The mangled name will be created as for other filenames,
-but with the leading dot removed and <code>"___"</code> as its extension regardless
-of actual original extension (that's three underscores).
-<p></dl>
-<p>The two-digit hash value consists of upper case alphanumeric
-characters.
-<p>This algorithm can cause name collisions only if files in a directory
-share the same first five alphanumeric characters. The probability of
-such a clash is 1/1300.
-<p>The name mangling (if enabled) allows a file to be copied between UNIX
-directories from Windows/DOS while retaining the long UNIX
-filename. UNIX files can be renamed to a new extension from
-Windows/DOS and will retain the same basename. Mangled names do not
-change between sessions.
-<p><strong>Default:</strong>
-<code> mangled names = yes</code>
-<p><strong>Example:</strong>
-<code> mangled names = no</code>
-<p><a name="manglingchar"></a>
-<p></p><dt><strong><strong>mangling char (S)</strong></strong><dd>
-<p>This controls what character is used as the <em>"magic"</em> character in
-<a href="smb.conf.5.html#manglednames"><strong>name mangling</strong></a>. The default is a <code>'~'</code> but
-this may interfere with some software. Use this option to set it to
-whatever you prefer.
-<p><strong>Default:</strong>
-<code> mangling char = ~</code>
-<p><strong>Example:</strong>
-<code> mangling char = ^</code>
-<p><a name="mangledstack"></a>
-<p></p><dt><strong><strong>mangled stack (G)</strong></strong><dd>
-<p>This parameter controls the number of mangled names that should be
-cached in the Samba server <a href="smbd.8.html"><strong>smbd</strong></a>.
-<p>This stack is a list of recently mangled base names (extensions are
-only maintained if they are longer than 3 characters or contains upper
-case characters).
-<p>The larger this value, the more likely it is that mangled names can be
-successfully converted to correct long UNIX names. However, large
-stack sizes will slow most directory access. Smaller stacks save
-memory in the server (each stack element costs 256 bytes).
-<p>It is not possible to absolutely guarantee correct long file names, so
-be prepared for some surprises!
-<p><strong>Default:</strong>
-<code> mangled stack = 50</code>
-<p><strong>Example:</strong>
-<code> mangled stack = 100</code>
-<p><a name="maparchive"></a>
-<p></p><dt><strong><strong>map archive (S)</strong></strong><dd>
-<p>This controls whether the DOS archive attribute should be mapped to
-the UNIX owner execute bit. The DOS archive bit is set when a file
-has been modified since its last backup. One motivation for this
-option it to keep Samba/your PC from making any file it touches from
-becoming executable under UNIX. This can be quite annoying for shared
-source code, documents, etc...
-<p>Note that this requires the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a>
-parameter to be set such that owner execute bit is not masked out
-(i.e. it must include 100). See the parameter <a href="smb.conf.5.html#createmask"><strong>"create
-mask"</strong></a> for details.
-<p><strong>Default:</strong>
-<code> map archive = yes</code>
-<p><strong>Example:</strong>
-<code> map archive = no</code>
-<p><a name="maphidden"></a>
-<p></p><dt><strong><strong>map hidden (S)</strong></strong><dd>
-<p>This controls whether DOS style hidden files should be mapped to the
-UNIX world execute bit.
-<p>Note that this requires the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> to be
-set such that the world execute bit is not masked out (i.e. it must
-include 001). See the parameter <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a>
-for details.
-<p><strong>Default:</strong>
-<code> map hidden = no</code>
-<p><strong>Example:</strong>
-<code> map hidden = yes</code>
-<p><a name="mapsystem"></a>
-<p></p><dt><strong><strong>map system (S)</strong></strong><dd>
-<p>This controls whether DOS style system files should be mapped to the
-UNIX group execute bit.
-<p>Note that this requires the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> to be
-set such that the group execute bit is not masked out (i.e. it must
-include 010). See the parameter <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a>
-for details.
-<p><strong>Default:</strong>
-<code> map system = no</code>
-<p><strong>Example:</strong>
-<code> map system = yes</code>
-<p><a name="maptoguest"></a>
-<p></p><dt><strong><strong>map to guest (G)</strong></strong><dd>
-<p>This parameter is only useful in <a href="smb.conf.5.html#security"><strong>security</strong></a> modes
-other than <a href="smb.conf.5.html#securityequalshare"><strong>"security=share"</strong></a> - i.e. user,
-server, and domain.
-<p>This parameter can take three different values, which tell
-<a href="smbd.8.html"><strong>smbd</strong></a> what to do with user login requests that
-don't match a valid UNIX user in some way.
-<p>The three settings are :
-<p><dl>
-<p><li > <strong>"Never"</strong> - Means user login requests with an invalid password
-are rejected. This is the default.
-<p><li > <strong>"Bad User"</strong> - Means user logins with an invalid password are
-rejected, unless the username does not exist, in which case it is
-treated as a guest login and mapped into the <a href="smb.conf.5.html#guestaccount"><strong>"guest
-account"</strong></a>.
-<p><li > <strong>"Bad Password"</strong> - Means user logins with an invalid
-password are treated as a guest login and mapped into the
-<a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. Note that this can
-cause problems as it means that any user incorrectly typing their
-password will be silently logged on a <strong>"guest"</strong> - and
-will not know the reason they cannot access files they think
-they should - there will have been no message given to them
-that they got their password wrong. Helpdesk services will
-<em>*hate*</em> you if you set the <strong>"map to guest"</strong> parameter
-this way :-).
-<p></dl>
-<p>Note that this parameter is needed to set up <strong>"Guest"</strong> share
-services when using <a href="smb.conf.5.html#security"><strong>security</strong></a> modes other than
-share. This is because in these modes the name of the resource being
-requested is <em>*not*</em> sent to the server until after the server has
-successfully authenticated the client so the server cannot make
-authentication decisions at the correct time (connection to the
-share) for <strong>"Guest"</strong> shares.
-<p>For people familiar with the older Samba releases, this parameter
-maps to the old compile-time setting of the GUEST_SESSSETUP value
-in local.h.
-<p><strong>Default:</strong>
-<code> map to guest = Never</code>
- <strong>Example</strong>:
-<code> map to guest = Bad User</code>
-<p><a name="maxconnections"></a>
-<p></p><dt><strong><strong>max connections (S)</strong></strong><dd>
-<p>This option allows the number of simultaneous connections to a service
-to be limited. If <strong>"max connections"</strong> is greater than 0 then
-connections will be refused if this number of connections to the
-service are already open. A value of zero mean an unlimited number of
-connections may be made.
-<p>Record lock files are used to implement this feature. The lock files
-will be stored in the directory specified by the <a href="smb.conf.5.html#lockdirectory"><strong>"lock
-directory"</strong></a> option.
-<p><strong>Default:</strong>
-<code> max connections = 0</code>
-<p><strong>Example:</strong>
-<code> max connections = 10</code>
-<p><a name="maxdisksize"></a>
-<p></p><dt><strong><strong>max disk size (G)</strong></strong><dd>
-<p>This option allows you to put an upper limit on the apparent size of
-disks. If you set this option to 100 then all shares will appear to be
-not larger than 100 MB in size.
-<p>Note that this option does not limit the amount of data you can put on
-the disk. In the above case you could still store much more than 100
-MB on the disk, but if a client ever asks for the amount of free disk
-space or the total disk size then the result will be bounded by the
-amount specified in <strong>"max disk size"</strong>.
-<p>This option is primarily useful to work around bugs in some pieces of
-software that can't handle very large disks, particularly disks over
-1GB in size.
-<p>A <strong>"max disk size"</strong> of 0 means no limit.
-<p><strong>Default:</strong>
-<code> max disk size = 0</code>
-<p><strong>Example:</strong>
-<code> max disk size = 1000</code>
-<p><a name="maxlogsize"></a>
-<p></p><dt><strong><strong>max log size (G)</strong></strong><dd>
-<p>This option (an integer in kilobytes) specifies the max size the log
-file should grow to. Samba periodically checks the size and if it is
-exceeded it will rename the file, adding a <code>".old"</code> extension.
-<p>A size of 0 means no limit.
-<p><strong>Default:</strong>
-<code> max log size = 5000</code>
-<p><strong>Example:</strong>
-<code> max log size = 1000</code>
-<p><a name="maxmux"></a>
-<p></p><dt><strong><strong>max mux (G)</strong></strong><dd>
-<p>This option controls the maximum number of outstanding simultaneous
-SMB operations that samba tells the client it will allow. You should
-never need to set this parameter.
-<p><strong>Default:</strong>
-<code> max mux = 50</code>
-<p><a name="maxopenfiles"></a>
-<p></p><dt><strong><strong>max open files (G)</strong></strong><dd>
-<p>This parameter limits the maximum number of open files that one
-<a href="smbd.8.html"><strong>smbd</strong></a> file serving process may have open for
-a client at any one time. The default for this parameter is set
-very high (10,000) as Samba uses only one bit per unopened file.
-<p>The limit of the number of open files is usually set by the
-UNIX per-process file descriptor limit rather than this parameter
-so you should never need to touch this parameter.
-<p><strong>Default:</strong>
-<code> max open files = 10000</code>
-<p><a name="maxpacket"></a>
-<p></p><dt><strong><strong>max packet (G)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#packetsize"><strong>"packet size"</strong></a>.
-<p><a name="maxttl"></a>
-<p></p><dt><strong><strong>max ttl (G)</strong></strong><dd>
-<p>This option tells <a href="nmbd.8.html"><strong>nmbd</strong></a> what the default 'time
-to live' of NetBIOS names should be (in seconds) when
-<a href="nmbd.8.html"><strong>nmbd</strong></a> is requesting a name using either a
-broadcast packet or from a WINS server. You should never need to
-change this parameter. The default is 3 days.
-<p><strong>Default:</strong>
-<code> max ttl = 259200</code>
-<p><a name="maxwinsttl"></a>
-<p></p><dt><strong><strong>max wins ttl (G)</strong></strong><dd>
-<p>This option tells <a href="nmbd.8.html"><strong>nmbd</strong></a> when acting as a WINS
-server <a href="smb.conf.5.html#winssupport"><strong>(wins support =true)</strong></a> what the maximum
-'time to live' of NetBIOS names that <a href="nmbd.8.html"><strong>nmbd</strong></a> will
-grant will be (in seconds). You should never need to change this
-parameter. The default is 6 days (518400 seconds).
-<p>See also the <a href="smb.conf.5.html#minwinsttl"><strong>"min wins ttl"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> max wins ttl = 518400</code>
-<p><a name="maxxmit"></a>
-<p></p><dt><strong><strong>max xmit (G)</strong></strong><dd>
-<p>This option controls the maximum packet size that will be negotiated
-by Samba. The default is 65535, which is the maximum. In some cases
-you may find you get better performance with a smaller value. A value
-below 2048 is likely to cause problems.
-<p><strong>Default:</strong>
-<code> max xmit = 65535</code>
-<p><strong>Example:</strong>
-<code> max xmit = 8192</code>
-<p><a name="messagecommand"></a>
-<p></p><dt><strong><strong>message command (G)</strong></strong><dd>
-<p>This specifies what command to run when the server receives a WinPopup
-style message.
-<p>This would normally be a command that would deliver the message
-somehow. How this is to be done is up to your imagination.
-<p>An example is:
-<p><code> message command = csh -c 'xedit %s;rm %s' &</code>
-<p>This delivers the message using <strong>xedit</strong>, then removes it
-afterwards. <em>NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
-IMMEDIATELY</em>. That's why I have the <code>'&'</code> on the end. If it doesn't
-return immediately then your PCs may freeze when sending messages
-(they should recover after 30secs, hopefully).
-<p>All messages are delivered as the global guest user. The command takes
-the standard substitutions, although <a href="smb.conf.5.html#percentu"><strong>%u</strong></a> won't work
-(<a href="smb.conf.5.html#percentU"><strong>%U</strong></a> may be better in this case).
-<p>Apart from the standard substitutions, some additional ones apply. In
-particular:
-<p><dl>
-<p><li > <code>"%s"</code> = the filename containing the message.
-<p><li > <code>"%t"</code> = the destination that the message was sent to (probably the server
-name).
-<p><li > <code>"%f"</code> = who the message is from.
-<p></dl>
-<p>You could make this command send mail, or whatever else takes your
-fancy. Please let us know of any really interesting ideas you have.
-<p>Here's a way of sending the messages as mail to root:
-<p><code>message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s</code>
-<p>If you don't have a message command then the message won't be
-delivered and Samba will tell the sender there was an
-error. Unfortunately WfWg totally ignores the error code and carries
-on regardless, saying that the message was delivered.
-<p>If you want to silently delete it then try:
-<p><code>"message command = rm %s"</code>.
-<p><strong>Default:</strong>
-<code> no message command</code>
-<p><strong>Example:</strong>
-<code> message command = csh -c 'xedit %s;rm %s' &</code>
-<p><a name="minprintspace"></a>
-<p></p><dt><strong><strong>min print space (S)</strong></strong><dd>
-<p>This sets the minimum amount of free disk space that must be available
-before a user will be able to spool a print job. It is specified in
-kilobytes. The default is 0, which means a user can always spool a print
-job.
-<p>See also the <a href="smb.conf.5.html#printing"><strong>printing</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> min print space = 0</code>
-<p><strong>Example:</strong>
-<code> min print space = 2000</code>
-<p><a name="minpasswdlength"></a>
-<p></p><dt><strong><strong>min passwd length (G)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#minpasswordlength"><strong>"min password length"</strong></a>.
-<p><a name="minpasswordlength"></a>
-<p></p><dt><strong><strong>min password length (G)</strong></strong><dd>
-<p>This option sets the minimum length in characters of a plaintext password
-than smbd will accept when performing UNIX password changing.
-<p>See also <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>,
-<a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> and <a href="smb.conf.5.html#passwdchatdebug"><strong>"passwd chat
-debug"</strong></a>.
-<p><strong>Default:</strong>
-<code> min password length = 5</code>
-<p><a name="minwinsttl"></a>
-<p></p><dt><strong><strong>min wins ttl (G)</strong></strong><dd>
-<p>This option tells <a href="nmbd.8.html"><strong>nmbd</strong></a> when acting as a WINS
-server <a href="smb.conf.5.html#winssupport"><strong>(wins support = true)</strong></a> what the minimum
-'time to live' of NetBIOS names that <a href="nmbd.8.html"><strong>nmbd</strong></a> will
-grant will be (in seconds). You should never need to change this
-parameter. The default is 6 hours (21600 seconds).
-<p><strong>Default:</strong>
-<code> min wins ttl = 21600</code>
-<p><a name="nameresolveorder"></a>
-<p></p><dt><strong><strong>name resolve order (G)</strong></strong><dd>
-<p>This option is used by the programs in the Samba suite to determine
-what naming services and in what order to resolve host names to IP
-addresses. The option takes a space separated string of different name
-resolution options.
-<p>The options are :"lmhosts", "host", "wins" and "bcast". They cause
-names to be resolved as follows :
-<p><dl>
-<p><li > <strong>lmhosts</strong> : Lookup an IP address in the Samba lmhosts file.
-If the line in lmhosts has no name type attached to the NetBIOS
-name (see the <a href="lmhosts.5.html"><strong>lmhosts (5)</strong></a> for details) then
-any name type matches for lookup.
-<p><li > <strong>host</strong> : Do a standard host name to IP address resolution,
-using the system /etc/hosts, NIS, or DNS lookups. This method of name
-resolution is operating system depended for instance on IRIX or
-Solaris this may be controlled by the <em>/etc/nsswitch.conf</em> file).
-Note that this method is only used if the NetBIOS name type being
-queried is the 0x20 (server) name type, otherwise it is ignored.
-<p><li > <strong>wins</strong> : Query a name with the IP address listed in the
-<a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> parameter. If no WINS server has
-been specified this method will be ignored.
-<p><li > <strong>bcast</strong> : Do a broadcast on each of the known local interfaces
-listed in the <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter. This is the
-least reliable of the name resolution methods as it depends on the
-target host being on a locally connected subnet.
-<p></dl>
-<p><strong>Default:</strong>
-<code> name resolve order = lmhosts host wins bcast</code>
-<p><strong>Example:</strong>
-<code> name resolve order = lmhosts bcast host</code>
-<p>This will cause the local lmhosts file to be examined first, followed
-by a broadcast attempt, followed by a normal system hostname lookup.
-<p><a name="netbiosaliases"></a>
-<p></p><dt><strong><strong>netbios aliases (G)</strong></strong><dd>
-<p>This is a list of NetBIOS names that <a href="nmbd.8.html"><strong>nmbd</strong></a> will
-advertise as additional names by which the Samba server is known. This
-allows one machine to appear in browse lists under multiple names. If
-a machine is acting as a <a href="smb.conf.5.html#localmaster"><strong>browse server</strong></a> or
-<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a> none of these names will be
-advertised as either browse server or logon servers, only the primary
-name of the machine will be advertised with these capabilities.
-<p>See also <a href="smb.conf.5.html#netbiosname"><strong>"netbios name"</strong></a>.
-<p><strong>Default:</strong>
-<code> empty string (no additional names)</code>
-<p><strong>Example:</strong>
-<code> netbios aliases = TEST TEST1 TEST2</code>
-<p><a name="netbiosname"></a>
-<p></p><dt><strong><strong>netbios name (G)</strong></strong><dd>
-<p>This sets the NetBIOS name by which a Samba server is known. By
-default it is the same as the first component of the host's DNS name.
-If a machine is a <a href="smb.conf.5.html#localmaster"><strong>browse server</strong></a> or
-<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a> this name (or the first component
-of the hosts DNS name) will be the name that these services are
-advertised under.
-<p>See also <a href="smb.conf.5.html#netbiosaliases"><strong>"netbios aliases"</strong></a>.
-<p><strong>Default:</strong>
-<code> Machine DNS name.</code>
-<p><strong>Example:</strong>
-<code> netbios name = MYNAME</code>
-<p><a name="netbiosscope"></a>
-<p></p><dt><strong><strong>netbios scope (G)</strong></strong><dd>
-<p>This sets the NetBIOS scope that Samba will operate under. This should
-not be set unless every machine on your LAN also sets this value.
-<p><a name="nishomedir"></a>
-<p></p><dt><strong><strong>nis homedir (G)</strong></strong><dd>
-<p>Get the home share server from a NIS map. For UNIX systems that use an
-automounter, the user's home directory will often be mounted on a
-workstation on demand from a remote server.
-<p>When the Samba logon server is not the actual home directory server,
-but is mounting the home directories via NFS then two network hops
-would be required to access the users home directory if the logon
-server told the client to use itself as the SMB server for home
-directories (one over SMB and one over NFS). This can be very
-slow.
-<p>This option allows Samba to return the home share as being on a
-different server to the logon server and as long as a Samba daemon is
-running on the home directory server, it will be mounted on the Samba
-client directly from the directory server. When Samba is returning the
-home share to the client, it will consult the NIS map specified in
-<a href="smb.conf.5.html#homedirmap"><strong>"homedir map"</strong></a> and return the server listed
-there.
-<p>Note that for this option to work there must be a working NIS
-system and the Samba server with this option must also be a
-<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>.
-<p><strong>Default:</strong>
-<code> nis homedir = false</code>
-<p><strong>Example:</strong>
-<code> nis homedir = true</code>
-<p><a name="ntaclsupport"></a>
-<p></p><dt><strong><strong>nt acl support (G)</strong></strong><dd>
-<p>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a>
-will attempt to map UNIX permissions into Windows NT access control lists.
-<p><strong>Default:</strong>
-<code> nt acl support = yes</code>
-<p><strong>Example:</strong>
-<code> nt acl support = no</code>
-<p><a name="ntpipesupport"></a>
-<p></p><dt><strong><strong>nt pipe support (G)</strong></strong><dd>
-<p>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a>
-will allow Windows NT clients to connect to the NT SMB specific
-<code>IPC$</code> pipes. This is a developer debugging option and can be left
-alone.
-<p><strong>Default:</strong>
-<code> nt pipe support = yes</code>
-<p><a name="ntsmbsupport"></a>
-<p></p><dt><strong><strong>nt smb support (G)</strong></strong><dd>
-<p>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a>
-will negotiate NT specific SMB support with Windows NT
-clients. Although this is a developer debugging option and should be
-left alone, benchmarking has discovered that Windows NT clients give
-faster performance with this option set to <code>"no"</code>. This is still
-being investigated. If this option is set to <code>"no"</code> then Samba
-offers exactly the same SMB calls that versions prior to Samba2.0
-offered. This information may be of use if any users are having
-problems with NT SMB support.
-<p><strong>Default:</strong>
-<code> nt support = yes</code>
-<p><a name="nullpasswords"></a>
-<p></p><dt><strong><strong>null passwords (G)</strong></strong><dd>
-<p>Allow or disallow client access to accounts that have null passwords.
-<p>See also <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a>.
-<p><strong>Default:</strong>
-<code> null passwords = no</code>
-<p><strong>Example:</strong>
-<code> null passwords = yes</code>
-<p><a name="olelockingcompatibility"></a>
-<p></p><dt><strong><strong>ole locking compatibility (G)</strong></strong><dd>
-<p>This parameter allows an administrator to turn off the byte range lock
-manipulation that is done within Samba to give compatibility for OLE
-applications. Windows OLE applications use byte range locking as a
-form of inter-process communication, by locking ranges of bytes around
-the 2^32 region of a file range. This can cause certain UNIX lock
-managers to crash or otherwise cause problems. Setting this parameter
-to <code>"no"</code> means you trust your UNIX lock manager to handle such cases
-correctly.
-<p><strong>Default:</strong>
-<code> ole locking compatibility = yes</code>
-<p><strong>Example:</strong>
-<code> ole locking compatibility = no</code>
-<p><a name="onlyguest"></a>
-<p></p><dt><strong><strong>only guest (S)</strong></strong><dd>
-<p>A synonym for <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a>.
-<p><a name="onlyuser"></a>
-<p></p><dt><strong><strong>only user (S)</strong></strong><dd>
-<p>This is a boolean option that controls whether connections with
-usernames not in the <a href="smb.conf.5.html#user"><strong>user=</strong></a> list will be allowed. By
-default this option is disabled so a client can supply a username to
-be used by the server.
-<p>Note that this also means Samba won't try to deduce usernames from the
-service name. This can be annoying for the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a>
-section. To get around this you could use "<a href="smb.conf.5.html#user"><strong>user</strong></a> =
-<a href="smb.conf.5.html#percentS"><strong>%S</strong></a>" which means your <a href="smb.conf.5.html#user"><strong>"user"</strong></a> list
-will be just the service name, which for home directories is the name
-of the user.
-<p>See also the <a href="smb.conf.5.html#user"><strong>user</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> only user = False</code>
-<p><strong>Example:</strong>
-<code> only user = True</code>
-<p><a name="oplocks"></a>
-<p></p><dt><strong><strong>oplocks (S)</strong></strong><dd>
-<p>This boolean option tells smbd whether to issue oplocks (opportunistic
-locks) to file open requests on this share. The oplock code can
-dramatically (approx. 30% or more) improve the speed of access to files
-on Samba servers. It allows the clients to aggressively cache files
-locally and you may want to disable this option for unreliable network
-environments (it is turned on by default in Windows NT Servers). For
-more information see the file Speed.txt in the Samba docs/ directory.
-<p>Oplocks may be selectively turned off on certain files on a per share basis.
-See the 'veto oplock files' parameter. On some systems oplocks are recognized
-by the underlying operating system. This allows data synchronization between
-all access to oplocked files, whether it be via Samba or NFS or a local
-UNIX process. See the <a href="smb.conf.5.html#kerneloplocks"><strong>kernel oplocks</strong></a> parameter
-for details.
-<p>See also the <a href="smb.conf.5.html#kerneloplocks"><strong>"kernel oplocks"</strong></a> and
-<a href="smb.conf.5.html#level2oplocks"><strong>"level2 oplocks"</strong></a> parameters.
-<p><strong>Default:</strong>
-<code> oplocks = True</code>
-<p><strong>Example:</strong>
-<code> oplocks = False</code>
-<p><a name="oplockbreakwaittime"></a>
-<p></p><dt><strong><strong>oplock break wait time (G)</strong></strong><dd>
-<p>This is a tuning parameter added due to bugs in both Windows 9x and WinNT.
-If Samba responds to a client too quickly when that client issues an SMB that
-can cause an oplock break request, then the client redirector can fail and
-not respond to the break request. This tuning parameter (which is set in
-milliseconds) is the amount of time Samba will wait before sending an
-oplock break request to such (broken) clients.
-<p><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA
-OPLOCK CODE</em>.
-<p><strong>Default:</strong>
-<code> oplock break wait time = 10</code>
-<p><a name="oplockcontentionlimit"></a>
-<p></p><dt><strong><strong>oplock contention limit (S)</strong></strong><dd>
-<p>This is a <em>very</em> advanced <a href="smbd.8.html"><strong>smbd</strong></a> tuning option to improve
-the efficiency of the granting of oplocks under multiple client contention for the same file.
-<p>In brief it specifies a number, which causes smbd not to grant an oplock even
-when requested if the approximate number of clients contending for an oplock on
-the same file goes over this limit. This causes <a href="smbd.8.html"><strong>smbd</strong></a> to
-behave in a similar way to Windows NT.
-<p><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA
-OPLOCK CODE</em>.
-<p><strong>Default:</strong>
-<code> oplock contention limit = 2</code>
-<p><a name="oslevel"></a>
-<p></p><dt><strong><strong>os level (G)</strong></strong><dd>
-<p>This integer value controls what level Samba advertises itself as for
-browse elections. The value of this parameter determines whether
-<a href="nmbd.8.html"><strong>nmbd</strong></a> has a chance of becoming a local master
-browser for the <a href="smb.conf.5.html#workgroup"><strong>WORKGROUP</strong></a> in the local broadcast
-area. The default is zero, which means <a href="nmbd.8.html"><strong>nmbd</strong></a> will
-lose elections to Windows machines. See BROWSING.txt in the Samba
-docs/ directory for details.
-<p><strong>Default:</strong>
-<code> os level = 20</code>
-<p><strong>Example:</strong>
-<code> os level = 65 ; This will win against any NT Server</code>
-<p><a name="packetsize"></a>
-<p></p><dt><strong><strong>packet size (G)</strong></strong><dd>
-<p>This is a deprecated parameter that has no effect on the current
-Samba code. It is left in the parameter list to prevent breaking
-old <strong>smb.conf</strong> files.
-<p><a name="panicaction"></a>
-<p></p><dt><strong><strong>panic action (G)</strong></strong><dd>
-<p>This is a Samba developer option that allows a system command to be
-called when either <a href="smbd.8.html"><strong>smbd</strong></a> or
-<a href="nmbd.8.html"><strong>nmbd</strong></a> crashes. This is usually used to draw
-attention to the fact that a problem occurred.
-<p><strong>Default:</strong>
-<code> panic action = <empty string></code>
-<p><a name="passwdchat"></a>
-<p></p><dt><strong><strong>passwd chat (G)</strong></strong><dd>
-<p>This string controls the <em>"chat"</em> conversation that takes places
-between <a href="smbd.8.html"><strong>smbd</strong></a> and the local password changing
-program to change the users password. The string describes a sequence
-of response-receive pairs that <a href="smbd.8.html"><strong>smbd</strong></a> uses to
-determine what to send to the <a href="smb.conf.5.html#passwdprogram"><strong>passwd</strong></a> program
-and what to expect back. If the expected output is not received then
-the password is not changed.
-<p>This chat sequence is often quite site specific, depending on what
-local methods are used for password control (such as NIS etc).
-<p>The string can contain the macros <code>"%o"</code> and <code>"%n"</code> which are
-substituted for the old and new passwords respectively. It can also
-contain the standard macros <code>"\n"</code>, <code>"\r"</code>, <code>"\t"</code> and <code>"\s"</code>
-to give line-feed, carriage-return, tab and space.
-<p>The string can also contain a <code>'*'</code> which matches any sequence of
-characters.
-<p>Double quotes can be used to collect strings with spaces in them into
-a single string.
-<p>If the send string in any part of the chat sequence is a fullstop
-<code>"."</code> then no string is sent. Similarly, is the expect string is a
-fullstop then no string is expected.
-<p>Note that if the <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>
-parameter is set to true, then this sequence is called <em>*AS ROOT*</em>
-when the SMB password in the smbpasswd file is being changed, without
-access to the old password cleartext. In this case the old password
-cleartext is set to <code>""</code> (the empty string).
-<p>See also <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>,
-<a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> and <a href="smb.conf.5.html#passwdchatdebug"><strong>"passwd chat
-debug"</strong></a>.
-<p><strong>Example:</strong>
-<pre>
- passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"
-
-</pre>
-
-<p><strong>Default:</strong>
-<pre>
- passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*
-</pre>
-
-<p><a name="passwdchatdebug"></a>
-<p></p><dt><strong><strong>passwd chat debug (G)</strong></strong><dd>
-<p>This boolean specifies if the passwd chat script parameter is run in
-<code>"debug"</code> mode. In this mode the strings passed to and received from
-the passwd chat are printed in the <a href="smbd.8.html"><strong>smbd</strong></a> log with
-a <a href="smb.conf.5.html#debuglevel"><strong>"debug level"</strong></a> of 100. This is a dangerous
-option as it will allow plaintext passwords to be seen in the
-<a href="smbd.8.html"><strong>smbd</strong></a> log. It is available to help Samba admins
-debug their <a href="smb.conf.5.html#passwdchat"><strong>"passwd chat"</strong></a> scripts when calling
-the <a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> and should be turned off
-after this has been done. This parameter is off by default.
-<p>See also <a href="smb.conf.5.html#passwdchat"><strong>"passwd chat"</strong></a>, <a href="smb.conf.5.html#passwdprogram"><strong>"passwd
-program"</strong></a>.
-<p><strong>Example:</strong>
-<code> passwd chat debug = True</code>
-<p><strong>Default:</strong>
-<code> passwd chat debug = False</code>
-<p><a name="passwdprogram"></a>
-<p></p><dt><strong><strong>passwd program (G)</strong></strong><dd>
-<p>The name of a program that can be used to set UNIX user passwords.
-Any occurrences of <a href="smb.conf.5.html#percentu"><strong>%u</strong></a> will be replaced with the
-user name. The user name is checked for existence before calling the
-password changing program.
-<p>Also note that many passwd programs insist in <em>"reasonable"</em>
-passwords, such as a minimum length, or the inclusion of mixed case
-chars and digits. This can pose a problem as some clients (such as
-Windows for Workgroups) uppercase the password before sending it.
-<p><em>Note</em> that if the <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>
-parameter is set to <code>"True"</code> then this program is called <em>*AS
-ROOT*</em> before the SMB password in the
-<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file is changed. If this UNIX
-password change fails, then <a href="smbd.8.html"><strong>smbd</strong></a> will fail to
-change the SMB password also (this is by design).
-<p>If the <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> parameter is
-set this parameter <em>MUST USE ABSOLUTE PATHS</em> for <em>ALL</em> programs
-called, and must be examined for security implications. Note that by
-default <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> is set to
-<code>"False"</code>.
-<p>See also <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>.
-<p><strong>Default:</strong>
-<code> passwd program = /bin/passwd</code>
-<p><strong>Example:</strong>
-<code> passwd program = /sbin/passwd %u</code>
-<p><a name="passwordlevel"></a>
-<p></p><dt><strong><strong>password level (G)</strong></strong><dd>
-<p>Some client/server combinations have difficulty with mixed-case
-passwords. One offending client is Windows for Workgroups, which for
-some reason forces passwords to upper case when using the LANMAN1
-protocol, but leaves them alone when using COREPLUS!
-<p>This parameter defines the maximum number of characters that may be
-upper case in passwords.
-<p>For example, say the password given was <code>"FRED"</code>. If <strong>password
-level</strong> is set to 1, the following combinations would be tried if
-<code>"FRED"</code> failed:
-<p><code>"Fred"</code>, <code>"fred"</code>, <code>"fRed"</code>, <code>"frEd"</code>, <code>"freD"</code>
-<p>If <strong>password level</strong> was set to 2, the following combinations would
-also be tried:
-<p><code>"FRed"</code>, <code>"FrEd"</code>, <code>"FreD"</code>, <code>"fREd"</code>, <code>"fReD"</code>,
-<code>"frED"</code>, <code>..</code>
-<p>And so on.
-<p>The higher value this parameter is set to the more likely it is that a
-mixed case password will be matched against a single case
-password. However, you should be aware that use of this parameter
-reduces security and increases the time taken to process a new
-connection.
-<p>A value of zero will cause only two attempts to be made - the password
-as is and the password in all-lower case.
-<p><strong>Default:</strong>
-<code> password level = 0</code>
-<p><strong>Example:</strong>
-<code> password level = 4</code>
-<p><a name="passwordserver"></a>
-<p></p><dt><strong><strong>password server (G)</strong></strong><dd>
-<p>By specifying the name of another SMB server (such as a WinNT box)
-with this option, and using <a href="smb.conf.5.html#security"><strong>"security = domain"</strong></a> or
-<a href="smb.conf.5.html#security"><strong>"security = server"</strong></a> you can get Samba to do all
-its username/password validation via a remote server.
-<p>This options sets the name of the password server to use. It must be a
-NetBIOS name, so if the machine's NetBIOS name is different from its
-internet name then you may have to add its NetBIOS name to the lmhosts
-file which is stored in the same directory as the <strong>smb.conf</strong> file.
-<p>The name of the password server is looked up using the parameter
-<a href="smb.conf.5.html#nameresolveorder"><strong>"name resolve order="</strong></a> and so may resolved
-by any method and order described in that parameter.
-<p>The password server much be a machine capable of using the "LM1.2X002"
-or the "LM NT 0.12" protocol, and it must be in user level security
-mode.
-<p>NOTE: Using a password server means your UNIX box (running Samba) is
-only as secure as your password server. <em>DO NOT CHOOSE A PASSWORD
-SERVER THAT YOU DON'T COMPLETELY TRUST</em>.
-<p>Never point a Samba server at itself for password serving. This will
-cause a loop and could lock up your Samba server!
-<p>The name of the password server takes the standard substitutions, but
-probably the only useful one is <a href="smb.conf.5.html#percentm"><strong>%m</strong></a>, which means
-the Samba server will use the incoming client as the password
-server. If you use this then you better trust your clients, and you
-better restrict them with hosts allow!
-<p>If the <a href="smb.conf.5.html#security"><strong>"security"</strong></a> parameter is set to
-<strong>"domain"</strong>, then the list of machines in this option must be a list
-of Primary or Backup Domain controllers for the
-<a href="smb.conf.5.html#workgroup"><strong>Domain</strong></a> or the character <code>*</code>, as the Samba server is cryptographicly
-in that domain, and will use cryptographicly authenticated RPC calls
-to authenticate the user logging on. The advantage of using
-<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a> is that if you list
-several hosts in the <strong>"password server"</strong> option then
-<a href="smbd.8.html"><strong>smbd</strong></a> will try each in turn till it finds one
-that responds. This is useful in case your primary server goes down.
-<p>If the <strong>"password server"</strong> option is set to the character <code>*</code>,
-then Samba will attempt to auto-locate the Primary or Backup Domain controllers
-to authenticate against by doing a query for the name <code>WORKGROUP<1C></code>
-and then contacting each server returned in the list of IP addresses
-from the <a href="smb.conf.5.html#nameresolveorder"><strong>name resolution</strong></a> source.
-<p>If the <a href="smb.conf.5.html#security"><strong>"security"</strong></a> parameter is set to
-<a href="smb.conf.5.html#securityequalserver"><strong>"server"</strong></a>, then there are different
-restrictions that <a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>
-doesn't suffer from:
-<p><dl>
-<p><li > You may list several password servers in the <strong>"password server"</strong>
-parameter, however if an <a href="smbd.8.html"><strong>smbd</strong></a> makes a connection
-to a password server, and then the password server fails, no more
-users will be able to be authenticated from this
-<a href="smbd.8.html"><strong>smbd</strong></a>. This is a restriction of the SMB/CIFS
-protocol when in <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> mode
-and cannot be fixed in Samba.
-<p><li > If you are using a Windows NT server as your password server then
-you will have to ensure that your users are able to login from the
-Samba server, as when in
-<a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> mode the network
-logon will appear to come from there rather than from the users
-workstation.
-<p></dl>
-<p>See also the <a href="smb.conf.5.html#security"><strong>"security"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> password server = <empty string></code>
-<p><strong>Example:</strong>
-<code> password server = NT-PDC, NT-BDC1, NT-BDC2</code>
-<p><strong>Example:</strong>
-<code> password server = *</code>
-<p><a name="path"></a>
-<p></p><dt><strong><strong>path (S)</strong></strong><dd>
-<p>This parameter specifies a directory to which the user of the service
-is to be given access. In the case of printable services, this is
-where print data will spool prior to being submitted to the host for
-printing.
-<p>For a printable service offering guest access, the service should be
-readonly and the path should be world-writeable and have the sticky bit
-set. This is not mandatory of course, but you probably won't get the
-results you expect if you do otherwise.
-<p>Any occurrences of <a href="smb.conf.5.html#percentu"><strong>%u</strong></a> in the path will be replaced
-with the UNIX username that the client is using on this
-connection. Any occurrences of <a href="smb.conf.5.html#percentm"><strong>%m</strong></a> will be replaced
-by the NetBIOS name of the machine they are connecting from. These
-replacements are very useful for setting up pseudo home directories
-for users.
-<p>Note that this path will be based on <a href="smb.conf.5.html#rootdir"><strong>"root dir"</strong></a> if
-one was specified.
-<p><strong>Default:</strong>
-<code> none</code>
-<p><strong>Example:</strong>
-<code> path = /home/fred</code>
-<p><a name="postexec"></a>
-<p></p><dt><strong><strong>postexec (S)</strong></strong><dd>
-<p>This option specifies a command to be run whenever the service is
-disconnected. It takes the usual substitutions. The command may be run
-as the root on some systems.
-<p>An interesting example may be do unmount server resources:
-<p><code>postexec = /etc/umount /cdrom</code>
-<p>See also <a href="smb.conf.5.html#preexec"><strong>preexec</strong></a>.
-<p><strong>Default:</strong>
-<code> none (no command executed)</code>
-<p><strong>Example:</strong>
-<code> postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log</code>
-<p><a name="postscript"></a>
-<p></p><dt><strong><strong>postscript (S)</strong></strong><dd>
-<p>This parameter forces a printer to interpret the print files as
-postscript. This is done by adding a <code>%!</code> to the start of print output.
-<p>This is most useful when you have lots of PCs that persist in putting
-a control-D at the start of print jobs, which then confuses your
-printer.
-<p><strong>Default:</strong>
-<code> postscript = False</code>
-<p><strong>Example:</strong>
-<code> postscript = True</code>
-<p><a name="preexec"></a>
-<p></p><dt><strong><strong>preexec (S)</strong></strong><dd>
-<p>This option specifies a command to be run whenever the service is
-connected to. It takes the usual substitutions.
-<p>An interesting example is to send the users a welcome message every
-time they log in. Maybe a message of the day? Here is an example:
-<p><pre>
-
- preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &
-
-</pre>
-
-<p>Of course, this could get annoying after a while :-)
-<p>See also <a href="smb.conf.5.html#preexecclose"><strong>preexec close</strong></a> and <a href="smb.conf.5.html#postexec"><strong>postexec</strong></a>.
-<p><strong>Default:</strong>
-<code> none (no command executed)</code>
-<p><strong>Example:</strong>
-<code> preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log</code>
-<p><a name="preexecclose"></a>
-<p></p><dt><strong><strong>preexec close (S)</strong></strong><dd>
-<p>This boolean option controls whether a non-zero return code from
-<a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a> should close the service being connected to.
-<p><strong>Default:</strong>
-<code> preexec close = no</code>
-<p><strong>Example:</strong>
-<code> preexec close = yes</code>
-<p><a name="preferredmaster"></a>
-<p></p><dt><strong><strong>preferred master (G)</strong></strong><dd>
-<p>This boolean parameter controls if <a href="nmbd.8.html"><strong>nmbd</strong></a> is a
-preferred master browser for its workgroup.
-<p>If this is set to true, on startup, <a href="nmbd.8.html"><strong>nmbd</strong></a> will
-force an election, and it will have a slight advantage in winning the
-election. It is recommended that this parameter is used in
-conjunction with <a href="smb.conf.5.html#domainmaster"><strong>"domain master = yes"</strong></a>, so
-that <a href="nmbd.8.html"><strong>nmbd</strong></a> can guarantee becoming a domain
-master.
-<p>Use this option with caution, because if there are several hosts
-(whether Samba servers, Windows 95 or NT) that are preferred master
-browsers on the same subnet, they will each periodically and
-continuously attempt to become the local master browser. This will
-result in unnecessary broadcast traffic and reduced browsing
-capabilities.
-<p>See also <a href="smb.conf.5.html#oslevel"><strong>os level</strong></a>.
-<p><strong>Default:</strong>
-<code> preferred master = no</code>
-<p><strong>Example:</strong>
-<code> preferred master = yes</code>
-<p><a name="preferedmaster"></a>
-<p></p><dt><strong><strong>prefered master (G)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#preferredmaster"><strong>"preferred master"</strong></a> for people
-who cannot spell :-).
-<p><a name="preload"></a>
-<p></p><dt><strong><strong>preload</strong></strong><dd>
-Synonym for <a href="smb.conf.5.html#autoservices"><strong>"auto services"</strong></a>.
-<p><a name="preservecase"></a>
-<p></p><dt><strong><strong>preserve case (S)</strong></strong><dd>
-<p>This controls if new filenames are created with the case that the
-client passes, or if they are forced to be the <code>"default"</code> case.
-<p><strong>Default:</strong>
-<code> preserve case = yes</code>
-<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a> for a
-fuller discussion.
-<p><a name="printcommand"></a>
-<p></p><dt><strong><strong>print command (S)</strong></strong><dd>
-<p>After a print job has finished spooling to a service, this command
-will be used via a <code>system()</code> call to process the spool
-file. Typically the command specified will submit the spool file to
-the host's printing subsystem, but there is no requirement that this
-be the case. The server will not remove the spool file, so whatever
-command you specify should remove the spool file when it has been
-processed, otherwise you will need to manually remove old spool files.
-<p>The print command is simply a text string. It will be used verbatim,
-with two exceptions: All occurrences of <code>"%s"</code> and <code>"%f"</code> will be
-replaced by the appropriate spool file name, and all occurrences of
-<code>"%p"</code> will be replaced by the appropriate printer name. The spool
-file name is generated automatically by the server, the printer name
-is discussed below.
-<p>The print command <em>MUST</em> contain at least one occurrence of <code>"%s"</code>
-or <code>"%f"</code> - the <code>"%p"</code> is optional. At the time a job is
-submitted, if no printer name is supplied the <code>"%p"</code> will be
-silently removed from the printer command.
-<p>If specified in the <a href="smb.conf.5.html#global"><strong>"[global]"</strong></a> section, the print
-command given will be used for any printable service that does not
-have its own print command specified.
-<p>If there is neither a specified print command for a printable service
-nor a global print command, spool files will be created but not
-processed and (most importantly) not removed.
-<p>Note that printing may fail on some UNIXs from the <code>"nobody"</code>
-account. If this happens then create an alternative guest account that
-can print and set the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a> in the
-<a href="smb.conf.5.html#global"><strong>"[global]"</strong></a> section.
-<p>You can form quite complex print commands by realizing that they are
-just passed to a shell. For example the following will log a print
-job, print the file, then remove it. Note that <code>';'</code> is the usual
-separator for command in shell scripts.
-<p><code>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s</code>
-<p>You may have to vary this command considerably depending on how you
-normally print files on your system. The default for the parameter
-varies depending on the setting of the <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a>
-parameter.
-<p><strong>Default:</strong>
- For <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> BSD, AIX, QNX, LPRNG or PLP :
-<code> print command = lpr -r -P%p %s</code>
-<p>For <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> SYS or HPUX :
-<code> print command = lp -c -d%p %s; rm %s</code>
-<p>For <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> SOFTQ :
-<code> print command = lp -d%p -s %s; rm %s</code>
-<p><strong>Example:</strong>
-<code> print command = /usr/local/samba/bin/myprintscript %p %s</code>
-<p><a name="printok"></a>
-<p></p><dt><strong><strong>print ok (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#printable"><strong>printable</strong></a>.
-<p><a name="printable"></a>
-<p></p><dt><strong><strong>printable (S)</strong></strong><dd>
-<p>If this parameter is <code>"yes"</code>, then clients may open, write to and
-submit spool files on the directory specified for the service.
-<p>Note that a printable service will ALWAYS allow writing to the service
-path (user privileges permitting) via the spooling of print data. The
-<a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a> parameter controls only non-printing
-access to the resource.
-<p><strong>Default:</strong>
-<code> printable = no</code>
-<p><strong>Example:</strong>
-<code> printable = yes</code>
-<p><a name="printcap"></a>
-<p></p><dt><strong><strong>printcap (G)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#printcapname"><strong>printcapname</strong></a>.
-<p><a name="printeradmin"></a>
-<p></p><dt><strong><strong>printer admin (S)</strong></strong><dd>
-<p>This is a list of users that can do anything to printers via the
-remote administration interfaces offered by MSRPC (usually using a NT
-workstation). Note that the root user always has admin rights.
-<p><strong>Default:</strong>
-<code> printer admin = <empty string></code>
-<p><strong>Example:</strong>
-<code> printer admin = admin, @staff</code>
-<p><a name="printcapname"></a>
-<p></p><dt><strong><strong>printcap name (G)</strong></strong><dd>
-<p>This parameter may be used to override the compiled-in default
-printcap name used by the server (usually /etc/printcap). See the
-discussion of the <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> section above for
-reasons why you might want to do this.
-<p>On System V systems that use <strong>lpstat</strong> to list available printers you
-can use <code>"printcap name = lpstat"</code> to automatically obtain lists of
-available printers. This is the default for systems that define SYSV
-at configure time in Samba (this includes most System V based
-systems). If <strong>"printcap name"</strong> is set to <strong>lpstat</strong> on these systems
-then Samba will launch <code>"lpstat -v"</code> and attempt to parse the output
-to obtain a printer list.
-<p>A minimal printcap file would look something like this:
-<p><pre>
-
- print1|My Printer 1
- print2|My Printer 2
- print3|My Printer 3
- print4|My Printer 4
- print5|My Printer 5
-
-</pre>
-
-<p>where the <code>'|'</code> separates aliases of a printer. The fact that the
-second alias has a space in it gives a hint to Samba that it's a
-comment.
-<p><em>NOTE</em>: Under AIX the default printcap name is
-<code>"/etc/qconfig"</code>. Samba will assume the file is in AIX <code>"qconfig"</code>
-format if the string <code>"/qconfig"</code> appears in the printcap filename.
-<p><strong>Default:</strong>
-<code> printcap name = /etc/printcap</code>
-<p><strong>Example:</strong>
-<code> printcap name = /etc/myprintcap</code>
-<p><a name="printer"></a>
-<p></p><dt><strong><strong>printer (S)</strong></strong><dd>
-<p>This parameter specifies the name of the printer to which print jobs
-spooled through a printable service will be sent.
-<p>If specified in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section, the printer
-name given will be used for any printable service that does not have
-its own printer name specified.
-<p><strong>Default:</strong>
- none (but may be <code>"lp"</code> on many systems)
-<p><strong>Example:</strong>
- printer name = laserwriter
-<p><a name="printerdriver"></a>
-<p></p><dt><strong><strong>printer driver (S)</strong></strong><dd>
-<p>This option allows you to control the string that clients receive when
-they ask the server for the printer driver associated with a
-printer. If you are using Windows95 or WindowsNT then you can use this
-to automate the setup of printers on your system.
-<p>You need to set this parameter to the exact string (case sensitive)
-that describes the appropriate printer driver for your system. If you
-don't know the exact string to use then you should first try with no
-<strong>"printer driver"</strong> option set and the client will give you a list of
-printer drivers. The appropriate strings are shown in a scrollbox
-after you have chosen the printer manufacturer.
-<p>See also <a href="smb.conf.5.html#printerdriverfile"><strong>"printer driver file"</strong></a>.
-<p><strong>Example:</strong>
- printer driver = HP LaserJet 4L
-<p><a name="printerdriverfile"></a>
-<p></p><dt><strong><strong>printer driver file (G)</strong></strong><dd>
-<p>This parameter tells Samba where the printer driver definition file,
-used when serving drivers to Windows 95 clients, is to be found. If
-this is not set, the default is :
-<p><code>SAMBA_INSTALL_DIRECTORY/lib/printers.def</code>
-<p>This file is created from Windows 95 <code>"msprint.inf"</code> files found on
-the Windows 95 client system. For more details on setting up serving
-of printer drivers to Windows 95 clients, see the documentation file
-in the docs/ directory, PRINTER_DRIVER.txt.
-<p><strong>Default:</strong>
-<code> None (set in compile).</code>
-<p><strong>Example:</strong>
-<code> printer driver file = /usr/local/samba/printers/drivers.def</code>
-<p>See also <a href="smb.conf.5.html#printerdriverlocation"><strong>"printer driver location"</strong></a>.
-<p><a name="printerdriverlocation"></a>
-<p></p><dt><strong><strong>printer driver location (S)</strong></strong><dd>
-<p>This parameter tells clients of a particular printer share where to
-find the printer driver files for the automatic installation of
-drivers for Windows 95 machines. If Samba is set up to serve printer
-drivers to Windows 95 machines, this should be set to
-<p><code>\\MACHINE\PRINTER$</code>
-<p>Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
-is a share you set up for serving printer driver files. For more
-details on setting this up see the documentation file in the docs/
-directory, PRINTER_DRIVER.txt.
-<p><strong>Default:</strong>
-<code> None</code>
-<p><strong>Example:</strong>
-<code> printer driver location = \\MACHINE\PRINTER$</code>
-<p>See also <a href="smb.conf.5.html#printerdriverfile"><strong>"printer driver file"</strong></a>.
-<p><a name="printername"></a>
-<p></p><dt><strong><strong>printer name (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#printer"><strong>printer</strong></a>.
-<p><a name="printing"></a>
-<p></p><dt><strong><strong>printing (S)</strong></strong><dd>
-<p>This parameters controls how printer status information is interpreted
-on your system. It also affects the default values for the
-<a href="smb.conf.5.html#printcommand"><strong>"print command"</strong></a>, <a href="smb.conf.5.html#lpqcommand"><strong>"lpq
-command"</strong></a> <a href="smb.conf.5.html#lppausecommand"><strong>"lppause command"</strong></a>,
-<a href="smb.conf.5.html#lpresumecommand"><strong>"lpresume command"</strong></a>, and <a href="smb.conf.5.html#lprmcommand"><strong>"lprm
-command"</strong></a> if specified in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a>
-section.
-<p>Currently eight printing styles are supported. They are
-<strong>"printing=BSD"</strong>, <strong>"printing=AIX"</strong>,
-<strong>"printing=LPRNG"</strong>, <strong>"printing=PLP"</strong>, <strong>"printing=SYSV"</strong>,
-<strong>"printing="HPUX"</strong>, <strong>"printing=QNX"</strong>, <strong>"printing=SOFTQ"</strong>,
-and <strong>"printing=CUPS"</strong>.
-<p>To see what the defaults are for the other print commands when using
-the various options use the <a href="testparm.1.html"><strong>"testparm"</strong></a> program.
-<p>This option can be set on a per printer basis
-<p>See also the discussion in the <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> section.
-<p><a name="protocol"></a>
-<p></p><dt><strong><strong>protocol (G)</strong></strong><dd>
-<p>The value of the parameter (a string) is the highest protocol level
-that will be supported by the server.
-<p>Possible values are :
-<p><dl>
-<p><li > CORE: Earliest version. No concept of user names.
-<p><li > COREPLUS: Slight improvements on CORE for efficiency.
-<p><li > LANMAN1: First <em>"modern"</em> version of the protocol. Long
-filename support.
-<p><li > LANMAN2: Updates to Lanman1 protocol.
-<p><li > NT1: Current up to date version of the protocol. Used by Windows
-NT. Known as CIFS.
-<p></dl>
-<p>Normally this option should not be set as the automatic negotiation
-phase in the SMB protocol takes care of choosing the appropriate
-protocol.
-<p><strong>Default:</strong>
-<code> protocol = NT1</code>
-<p><strong>Example:</strong>
-<code> protocol = LANMAN1</code>
-<p><a name="public"></a>
-<p></p><dt><strong><strong>public (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#guestok"><strong>"guest ok"</strong></a>.
-<p><a name="queuepausecommand"></a>
-<p></p><dt><strong><strong>queuepause command (S)</strong></strong><dd>
-<p>This parameter specifies the command to be executed on the server host
-in order to pause the printerqueue.
-<p>This command should be a program or script which takes a printer name
-as its only parameter and stops the printerqueue, such that no longer
-jobs are submitted to the printer.
-<p>This command is not supported by Windows for Workgroups, but can be
-issued from the Printer's window under Windows 95 & NT.
-<p>If a <code>"%p"</code> is given then the printername is put in its
-place. Otherwise it is placed at the end of the command.
-<p>Note that it is good practice to include the absolute path in the
-command as the PATH may not be available to the server.
-<p><strong>Default:</strong>
-<code> depends on the setting of "printing ="</code>
-<p><strong>Example:</strong>
-<code> queuepause command = disable %p</code>
-<p><a name="queueresumecommand"></a>
-<p></p><dt><strong><strong>queueresume command (S)</strong></strong><dd>
-<p>This parameter specifies the command to be executed on the server host
-in order to resume the printerqueue. It is the command to undo the
-behavior that is caused by the previous parameter
-(<a href="smb.conf.5.html#queuepausecommand"><strong>"queuepause command</strong></a>).
-<p>This command should be a program or script which takes a printer name
-as its only parameter and resumes the printerqueue, such that queued
-jobs are resubmitted to the printer.
-<p>This command is not supported by Windows for Workgroups, but can be
-issued from the Printer's window under Windows 95 & NT.
-<p>If a <code>"%p"</code> is given then the printername is put in its
-place. Otherwise it is placed at the end of the command.
-<p>Note that it is good practice to include the absolute path in the
-command as the PATH may not be available to the server.
-<p><strong>Default:</strong>
-<code> depends on the setting of "printing ="</code>
-<p><strong>Example:</strong>
-<code> queuepause command = enable %p</code>
-<p><a name="readbmpx"></a>
-<p></p><dt><strong><strong>read bmpx (G)</strong></strong><dd>
-<p>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a>
-will support the "Read Block Multiplex" SMB. This is now rarely used
-and defaults to off. You should never need to set this parameter.
-<p><strong>Default:</strong>
- read bmpx = No
-<p><a name="readlist"></a>
-<p></p><dt><strong><strong>read list (S)</strong></strong><dd>
-<p>This is a list of users that are given read-only access to a
-service. If the connecting user is in this list then they will not be
-given write access, no matter what the <a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a>
-option is set to. The list can include group names using the syntax
-described in the <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a> parameter.
-<p>See also the <a href="smb.conf.5.html#writelist"><strong>"write list"</strong></a> parameter and
-the <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> read list = <empty string></code>
-<p><strong>Example:</strong>
-<code> read list = mary, @students</code>
-<p><a name="readonly"></a>
-<p></p><dt><strong><strong>read only (S)</strong></strong><dd>
-<p>Note that this is an inverted synonym for
-<a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a>.
-<p><a name="readprediction"></a>
-<p></p><dt><strong><strong>read prediction (G)</strong></strong><dd>
-<p><em>NOTE</em>: This code is currently disabled in Samba2.0 and
-may be removed at a later date. Hence this parameter has
-no effect.
-<p>This options enables or disables the read prediction code used to
-speed up reads from the server. When enabled the server will try to
-pre-read data from the last accessed file that was opened read-only
-while waiting for packets.
-<p><strong>Default:</strong>
-<code> read prediction = False</code>
-<p><a name="readraw"></a>
-<p></p><dt><strong><strong>read raw (G)</strong></strong><dd>
-<p>This parameter controls whether or not the server will support the raw
-read SMB requests when transferring data to clients.
-<p>If enabled, raw reads allow reads of 65535 bytes in one packet. This
-typically provides a major performance benefit.
-<p>However, some clients either negotiate the allowable block size
-incorrectly or are incapable of supporting larger block sizes, and for
-these clients you may need to disable raw reads.
-<p>In general this parameter should be viewed as a system tuning tool and left
-severely alone. See also <a href="smb.conf.5.html#writeraw"><strong>"write raw"</strong></a>.
-<p><strong>Default:</strong>
-<code> read raw = yes</code>
-<p><a name="readsize"></a>
-<p></p><dt><strong><strong>read size (G)</strong></strong><dd>
-<p>The option <strong>"read size"</strong> affects the overlap of disk reads/writes
-with network reads/writes. If the amount of data being transferred in
-several of the SMB commands (currently SMBwrite, SMBwriteX and
-SMBreadbraw) is larger than this value then the server begins writing
-the data before it has received the whole packet from the network, or
-in the case of SMBreadbraw, it begins writing to the network before
-all the data has been read from disk.
-<p>This overlapping works best when the speeds of disk and network access
-are similar, having very little effect when the speed of one is much
-greater than the other.
-<p>The default value is 16384, but very little experimentation has been
-done yet to determine the optimal value, and it is likely that the
-best value will vary greatly between systems anyway. A value over
-65536 is pointless and will cause you to allocate memory
-unnecessarily.
-<p><strong>Default:</strong>
-<code> read size = 16384</code>
-<p><strong>Example:</strong>
-<code> read size = 8192</code>
-<p><a name="remoteannounce"></a>
-<p></p><dt><strong><strong>remote announce (G)</strong></strong><dd>
-<p>This option allows you to setup <a href="nmbd.8.html"><strong>nmbd</strong></a> to
-periodically announce itself to arbitrary IP addresses with an
-arbitrary workgroup name.
-<p>This is useful if you want your Samba server to appear in a remote
-workgroup for which the normal browse propagation rules don't
-work. The remote workgroup can be anywhere that you can send IP
-packets to.
-<p>For example:
-<p><code> remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF</code>
-<p>the above line would cause nmbd to announce itself to the two given IP
-addresses using the given workgroup names. If you leave out the
-workgroup name then the one given in the
-<a href="smb.conf.5.html#workgroup"><strong>"workgroup"</strong></a> parameter is used instead.
-<p>The IP addresses you choose would normally be the broadcast addresses
-of the remote networks, but can also be the IP addresses of known
-browse masters if your network config is that stable.
-<p>See the documentation file BROWSING.txt in the docs/ directory.
-<p><strong>Default:</strong>
-<code> remote announce = <empty string></code>
-<p><strong>Example:</strong>
-<code> remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF</code>
-<p><a name="remotebrowsesync"></a>
-<p></p><dt><strong><strong>remote browse sync (G)</strong></strong><dd>
-<p>This option allows you to setup <a href="nmbd.8.html"><strong>nmbd</strong></a> to
-periodically request synchronization of browse lists with the master
-browser of a samba server that is on a remote segment. This option
-will allow you to gain browse lists for multiple workgroups across
-routed networks. This is done in a manner that does not work with any
-non-samba servers.
-<p>This is useful if you want your Samba server and all local clients to
-appear in a remote workgroup for which the normal browse propagation
-rules don't work. The remote workgroup can be anywhere that you can
-send IP packets to.
-<p>For example:
-<p><code> remote browse sync = 192.168.2.255 192.168.4.255</code>
-<p>the above line would cause <a href="nmbd.8.html"><strong>nmbd</strong></a> to request the
-master browser on the specified subnets or addresses to synchronize
-their browse lists with the local server.
-<p>The IP addresses you choose would normally be the broadcast addresses
-of the remote networks, but can also be the IP addresses of known
-browse masters if your network config is that stable. If a machine IP
-address is given Samba makes NO attempt to validate that the remote
-machine is available, is listening, nor that it is in fact the browse
-master on it's segment.
-<p><strong>Default:</strong>
-<code> remote browse sync = <empty string></code>
-<p><strong>Example:</strong>
-<code> remote browse sync = 192.168.2.255 192.168.4.255</code>
-<p><a name="restrictanonymous"></a>
-<p></p><dt><strong><strong>restrict anonymous (G)</strong></strong><dd>
-<p>This is a boolean parameter. If it is true, then anonymous access
-to the server will be restricted, namely in the case where the server
-is expecting the client to send a username, but it doesn't. Setting
-it to true will force these anonymous connections to be denied, and
-the client will be required to always supply a username and password
-when connecting. Use of this parameter is only recommened for homogenous
-NT client environments.
-<p>This parameter makes the use of macro expansions that rely
-on the username (%U, %G, etc) consistant. NT 4.0 likes to use
-anonymous connections when refreshing the share list, and this
-is a way to work around that.
-<p>When restrict anonymous is true, all anonymous connections are denied
-no matter what they are for. This can effect the ability of a machine
-to access the samba Primary Domain Controller to revalidate it's machine
-account after someone else has logged on the client interactively. The
-NT client will display a message saying that the machine's account in
-the domain doesn't exist or the password is bad. The best way to deal
-with this is to reboot NT client machines between interactive logons,
-using "Shutdown and Restart", rather than "Close all programs and logon
-as a different user".
-<p><strong>Default:</strong>
-<code> restrict anonymous = false</code>
-<p><strong>Example:</strong>
-<code> restrict anonymous = true</code>
-<p><a name="root"></a>
-<p></p><dt><strong><strong>root (G)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#rootdirectory"><strong>"root directory"</strong></a>.
-<p><a name="rootdir"></a>
-<p></p><dt><strong><strong>root dir (G)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#rootdirectory"><strong>"root directory"</strong></a>.
-<p><a name="rootdirectory"></a>
-<p></p><dt><strong><strong>root directory (G)</strong></strong><dd>
-<p>The server will <code>"chroot()"</code> (i.e. Change it's root directory) to
-this directory on startup. This is not strictly necessary for secure
-operation. Even without it the server will deny access to files not in
-one of the service entries. It may also check for, and deny access to,
-soft links to other parts of the filesystem, or attempts to use
-<code>".."</code> in file names to access other directories (depending on the
-setting of the <a href="smb.conf.5.html#widelinks"><strong>"wide links"</strong></a> parameter).
-<p>Adding a <strong>"root directory"</strong> entry other than <code>"/"</code> adds an extra
-level of security, but at a price. It absolutely ensures that no
-access is given to files not in the sub-tree specified in the <strong>"root
-directory"</strong> option, <em>*including*</em> some files needed for complete
-operation of the server. To maintain full operability of the server
-you will need to mirror some system files into the <strong>"root
-directory"</strong> tree. In particular you will need to mirror /etc/passwd
-(or a subset of it), and any binaries or configuration files needed
-for printing (if required). The set of files that must be mirrored is
-operating system dependent.
-<p><strong>Default:</strong>
-<code> root directory = /</code>
-<p><strong>Example:</strong>
-<code> root directory = /homes/smb</code>
-<p><a name="rootpostexec"></a>
-<p></p><dt><strong><strong>root postexec (S)</strong></strong><dd>
-<p>This is the same as the <a href="smb.conf.5.html#postexec"><strong>"postexec"</strong></a> parameter
-except that the command is run as root. This is useful for unmounting
-filesystems (such as cdroms) after a connection is closed.
-<p>See also <a href="smb.conf.5.html#postexec"><strong>"postexec"</strong></a>.
-<p><a name="rootpreexec"></a>
-<p></p><dt><strong><strong>root preexec (S)</strong></strong><dd>
-<p>This is the same as the <a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a> parameter except
-that the command is run as root. This is useful for mounting
-filesystems (such as cdroms) before a connection is finalized.
-<p>See also <a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a>
-and <a href="smb.conf.5.html#rootpreexecclose"><strong>"root preexec close"</strong></a>.
-<p><a name="rootpreexecclose"></a>
-<p></p><dt><strong><strong>root preexec close (S)</strong></strong><dd>
-<p>This is the same as the <a href="smb.conf.5.html#preexecclose"><strong>"preexec close"</strong></a> parameter
-except that the command is run as root.
-<p>See also <a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a>, <a href="smb.conf.5.html#preexecclose"><strong>"preexec close"</strong></a>.
-<p><a name="security"></a>
-<p></p><dt><strong><strong>security (G)</strong></strong><dd>
-<p>This option affects how clients respond to Samba and is one of the most
-important settings in the <strong>smb.conf</strong> file.
-<p>The option sets the <code>"security mode bit"</code> in replies to protocol
-negotiations with <a href="smbd.8.html"><strong>smbd</strong></a> to turn share level
-security on or off. Clients decide based on this bit whether (and how)
-to transfer user and password information to the server.
-<p>The default is <a href="smb.conf.5.html#securityequaluser">"security=user"</a>, as this is
-the most common setting needed when talking to Windows 98 and Windows
-NT.
-<p>The alternatives are <a href="smb.conf.5.html#securityequalshare"><strong>"security = share"</strong></a>,
-<a href="smb.conf.5.html#securityequalserver"><strong>"security = server"</strong></a> or
-<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>.
-<p><em>*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR
-PREVIOUS VERSIONS OF SAMBA *******</em>.
-<p>In previous versions of Samba the default was
-<a href="smb.conf.5.html#securityequalshare"><strong>"security=share"</strong></a> mainly because that was
-the only option at one stage.
-<p>There is a bug in WfWg that has relevance to this setting. When in
-user or server level security a WfWg client will totally ignore the
-password you type in the "connect drive" dialog box. This makes it
-very difficult (if not impossible) to connect to a Samba service as
-anyone except the user that you are logged into WfWg as.
-<p>If your PCs use usernames that are the same as their usernames on the
-UNIX machine then you will want to use <strong>"security = user"</strong>. If you
-mostly use usernames that don't exist on the UNIX box then use
-<strong>"security = share"</strong>.
-<p>You should also use <a href="smb.conf.5.html#securityequalshare"><strong>security=share</strong></a> if
-you want to mainly setup shares without a password (guest
-shares). This is commonly used for a shared printer server. It is more
-difficult to setup guest shares with
-<a href="smb.conf.5.html#securityequaluser"><strong>security=user</strong></a>, see the <a href="smb.conf.5.html#maptoguest"><strong>"map to
-guest"</strong></a>parameter for details.
-<p>It is possible to use <a href="smbd.8.html"><strong>smbd</strong></a> in a <em>"hybrid
-mode"</em> where it is offers both user and share level security under
-different <a href="smb.conf.5.html#netbiosaliases"><strong>NetBIOS aliases</strong></a>. See the
-<a href="smb.conf.5.html#netbiosaliases"><strong>NetBIOS aliases</strong></a> and the
-<a href="smb.conf.5.html#include"><strong>include</strong></a> parameters for more information.
-<p>The different settings will now be explained.
-<p><dl>
-<p><a name="securityequalshare"></a>
-<p></p><dt><strong><strong>"security=share"</strong></strong><dd> When clients connect to a share level
-security server then need not log onto the server with a valid
-username and password before attempting to connect to a shared
-resource (although modern clients such as Windows 95/98 and Windows NT
-will send a logon request with a username but no password when talking
-to a <strong>security=share</strong> server). Instead, the clients send
-authentication information (passwords) on a per-share basis, at the
-time they attempt to connect to that share.
-<p>Note that <a href="smbd.8.html"><strong>smbd</strong></a> <em>*ALWAYS*</em> uses a valid UNIX
-user to act on behalf of the client, even in <strong>"security=share"</strong>
-level security.
-<p>As clients are not required to send a username to the server
-in share level security, <a href="smbd.8.html"><strong>smbd</strong></a> uses several
-techniques to determine the correct UNIX user to use on behalf
-of the client.
-<p>A list of possible UNIX usernames to match with the given
-client password is constructed using the following methods :
-<p><dl>
-<p><li > If the <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a> parameter is set, then
-all the other stages are missed and only the <a href="smb.conf.5.html#guestaccount"><strong>"guest
-account"</strong></a> username is checked.
-<p><li > Is a username is sent with the share connection request, then
-this username (after mapping - see <a href="smb.conf.5.html#usernamemap"><strong>"username
-map"</strong></a>), is added as a potential username.
-<p><li > If the client did a previous <em>"logon"</em> request (the
-SessionSetup SMB call) then the username sent in this SMB
-will be added as a potential username.
-<p><li > The name of the service the client requested is added
-as a potential username.
-<p><li > The NetBIOS name of the client is added to the list as a
-potential username.
-<p><li > Any users on the <a href="smb.conf.5.html#user"><strong>"user"</strong></a> list are added
-as potential usernames.
-<p></dl>
-<p>If the <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a> parameter is not set, then
-this list is then tried with the supplied password. The first user for
-whom the password matches will be used as the UNIX user.
-<p>If the <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a> parameter is set, or no
-username can be determined then if the share is marked as available to
-the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>, then this guest user will
-be used, otherwise access is denied.
-<p>Note that it can be <em>*very*</em> confusing in share-level security as to
-which UNIX username will eventually be used in granting access.
-<p>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"</strong></a>.
-<p><a name="securityequaluser"></a>
-<p></p><dt><strong><strong>"security=user"</strong></strong><dd>
-<p>This is the default security setting in Samba2.0. With user-level
-security a client must first <code>"log-on"</code> with a valid username and
-password (which can be mapped using the <a href="smb.conf.5.html#usernamemap"><strong>"username
-map"</strong></a> parameter). Encrypted passwords (see the
-<a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted passwords"</strong></a> parameter) can also
-be used in this security mode. Parameters such as
-<a href="smb.conf.5.html#user"><strong>"user"</strong></a> and <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a>, if set
-are then applied and may change the UNIX user to use on this
-connection, but only after the user has been successfully
-authenticated.
-<p><em>Note</em> that the name of the resource being requested is
-<em>*not*</em> sent to the server until after the server has successfully
-authenticated the client. This is why guest shares don't work in user
-level security without allowing the server to automatically map unknown
-users into the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. See the
-<a href="smb.conf.5.html#maptoguest"><strong>"map to guest"</strong></a> parameter for details on
-doing this.
-<p>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"</strong></a>.
-<p><a name="securityequalserver"></a>
-<p></p><dt><strong><strong>"security=server"</strong></strong><dd>
-<p>In this mode Samba will try to validate the username/password by
-passing it to another SMB server, such as an NT box. If this fails it
-will revert to <strong>"security = user"</strong>, but note that if encrypted
-passwords have been negotiated then Samba cannot revert back to
-checking the UNIX password file, it must have a valid smbpasswd file
-to check users against. See the documentation file in the docs/
-directory ENCRYPTION.txt for details on how to set this up.
-<p><em>Note</em> that from the clients point of view <strong>"security=server"</strong> is
-the same as <a href="smb.conf.5.html#securityequaluser"><strong>"security=user"</strong></a>. It only
-affects how the server deals with the authentication, it does not in
-any way affect what the client sees.
-<p><em>Note</em> that the name of the resource being requested is
-<em>*not*</em> sent to the server until after the server has successfully
-authenticated the client. This is why guest shares don't work in server
-level security without allowing the server to automatically map unknown
-users into the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. See the
-<a href="smb.conf.5.html#maptoguest"><strong>"map to guest"</strong></a> parameter for details on
-doing this.
-<p>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"</strong></a>.
-<p>See also the <a href="smb.conf.5.html#passwordserver"><strong>"password server"</strong></a> parameter.
-and the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted passwords"</strong></a> parameter.
-<p><a name="securityequaldomain"></a>
-<p></p><dt><strong><strong>"security=domain"</strong></strong><dd>
-<p>This mode will only work correctly if
-<a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> has been used to add this machine
-into a Windows NT Domain. It expects the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted
-passwords"</strong></a> parameter to be set to <code>"true"</code>. In
-this mode Samba will try to validate the username/password by passing
-it to a Windows NT Primary or Backup Domain Controller, in exactly the
-same way that a Windows NT Server would do.
-<p><em>Note</em> that a valid UNIX user must still exist as well as the
-account on the Domain Controller to allow Samba to have a valid
-UNIX account to map file access to.
-<p><em>Note</em> that from the clients point of view <strong>"security=domain"</strong> is
-the same as <a href="smb.conf.5.html#securityequaluser"><strong>"security=user"</strong></a>. It only
-affects how the server deals with the authentication, it does not in
-any way affect what the client sees.
-<p><em>Note</em> that the name of the resource being requested is
-<em>*not*</em> sent to the server until after the server has successfully
-authenticated the client. This is why guest shares don't work in domain
-level security without allowing the server to automatically map unknown
-users into the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. See the
-<a href="smb.conf.5.html#maptoguest"><strong>"map to guest"</strong></a> parameter for details on
-doing this.
-<p><em>BUG:</em> There is currently a bug in the implementation of
-<strong>"security=domain</strong> with respect to multi-byte character
-set usernames. The communication with a Domain Controller
-must be done in UNICODE and Samba currently does not widen
-multi-byte user names to UNICODE correctly, thus a multi-byte
-username will not be recognized correctly at the Domain Controller.
-This issue will be addressed in a future release.
-<p>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"</strong></a>.
-<p>See also the <a href="smb.conf.5.html#passwordserver"><strong>"password server"</strong></a> parameter.
-and the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted passwords"</strong></a> parameter.
-<p></dl>
-<p><strong>Default:</strong>
-<code> security = USER</code>
-<p><strong>Example:</strong>
-<code> security = DOMAIN</code>
-<p><a name="securitymask"></a>
-<p></p><dt><strong><strong>security mask (S)</strong></strong><dd>
-<p>This parameter controls what UNIX permission bits can be modified
-when a Windows NT client is manipulating the UNIX permission on a
-file using the native NT security dialog box.
-<p>This parameter is applied as a mask (AND'ed with) to the changed
-permission bits, thus preventing any bits not in this mask from
-being modified. Essentially, zero bits in this mask may be treated
-as a set of bits the user is not allowed to change.
-<p>If not set explicitly this parameter is set to the same value as the
-<a href="smb.conf.5.html#createmask"><strong>create mask</strong></a> parameter. To allow a user to
-modify all the user/group/world permissions on a file, set this
-parameter to 0777.
-<p><em>Note</em> that users who can access the Samba server through other
-means can easily bypass this restriction, so it is primarily
-useful for standalone "appliance" systems. Administrators of
-most normal systems will probably want to set it to 0777.
-<p>See also the <a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>force directory security
-mode</strong></a>, <a href="smb.conf.5.html#directorysecuritymask"><strong>directory security
-mask</strong></a>, <a href="smb.conf.5.html#forcesecuritymode"><strong>force security
-mode</strong></a> parameters.
-<p><strong>Default:</strong>
-<code> security mask = <same as create mask></code>
-<p><strong>Example:</strong>
-<code> security mask = 0777</code>
-<p><a name="serverstring"></a>
-<p></p><dt><strong><strong>server string (G)</strong></strong><dd>
-<p>This controls what string will show up in the printer comment box in
-print manager and next to the IPC connection in <code>"net view"</code>. It can be
-any string that you wish to show to your users.
-<p>It also sets what will appear in browse lists next to the machine
-name.
-<p>A <code>"%v"</code> will be replaced with the Samba version number.
-<p>A <code>"%h"</code> will be replaced with the hostname.
-<p><strong>Default:</strong>
-<code> server string = Samba %v</code>
-<p><strong>Example:</strong>
-<code> server string = University of GNUs Samba Server</code>
-<p><a name="setdirectory"></a>
-<p></p><dt><strong><strong>set directory (S)</strong></strong><dd>
-<p>If <code>"set directory = no"</code>, then users of the service may not use the
-setdir command to change directory.
-<p>The setdir command is only implemented in the Digital Pathworks
-client. See the Pathworks documentation for details.
-<p><strong>Default:</strong>
-<code> set directory = no</code>
-<p><strong>Example:</strong>
-<code> set directory = yes</code>
-<p><a name="sharemodes"></a>
-<p></p><dt><strong><strong>share modes (S)</strong></strong><dd>
-<p>This enables or disables the honoring of the <code>"share modes"</code> during a
-file open. These modes are used by clients to gain exclusive read or
-write access to a file.
-<p>These open modes are not directly supported by UNIX, so they are
-simulated using shared memory, or lock files if your UNIX doesn't
-support shared memory (almost all do).
-<p>The share modes that are enabled by this option are DENY_DOS,
-DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.
-<p>This option gives full share compatibility and enabled by default.
-<p>You should <em>*NEVER*</em> turn this parameter off as many Windows
-applications will break if you do so.
-<p><strong>Default:</strong>
-<code> share modes = yes</code>
-<p><a name="sharedmemsize"></a>
-<p></p><dt><strong><strong>shared mem size (G)</strong></strong><dd>
-<p>It specifies the size of the shared memory (in bytes) to use between
-<a href="smbd.8.html"><strong>smbd</strong></a> processes. This parameter defaults to one
-megabyte of shared memory. It is possible that if you have a large
-server with many files open simultaneously that you may need to
-increase this parameter. Signs that this parameter is set too low are
-users reporting strange problems trying to save files (locking errors)
-and error messages in the smbd log looking like <code>"ERROR
-smb_shm_alloc : alloc of XX bytes failed"</code>.
-<p>If your OS refuses the size that Samba asks for then Samba will try a
-smaller size, reducing by a factor of 0.8 until the OS accepts it.
-<p><strong>Default:</strong>
-<code> shared mem size = 1048576</code>
-<p><strong>Example:</strong>
-<code> shared mem size = 5242880 ; Set to 5mb for a large number of files.</code>
-<p><a name="shortpreservecase"></a>
-<p></p><dt><strong><strong>short preserve case (S)</strong></strong><dd>
-<p>This boolean parameter controls if new files which conform to 8.3
-syntax, that is all in upper case and of suitable length, are created
-upper case, or if they are forced to be the <code>"default"</code> case. This
-option can be use with <a href="smb.conf.5.html#preservecaseoption"><strong>"preserve case
-=yes"</strong></a> to permit long filenames to retain their
-case, while short names are lowered. Default <em>Yes</em>.
-<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>NAME MANGLING</strong></a>.
-<p><strong>Default:</strong>
-<code> short preserve case = yes</code>
-<p><a name="smbpasswdfile"></a>
-<p></p><dt><strong><strong>smb passwd file (G)</strong></strong><dd>
-<p>This option sets the path to the encrypted smbpasswd file. By default
-the path to the smbpasswd file is compiled into Samba.
-<p><strong>Default:</strong>
-<code> smb passwd file= <compiled default></code>
-<p><strong>Example:</strong>
-<code> smb passwd file = /usr/samba/private/smbpasswd</code>
-<p><a name="smbrun"></a>
-<p></p><dt><strong><strong>smbrun (G)</strong></strong><dd>
-<p>This sets the full path to the <strong>smbrun</strong> binary. This defaults to the
-value in the Makefile.
-<p>You must get this path right for many services to work correctly.
-<p>You should not need to change this parameter so long as Samba
-is installed correctly.
-<p><strong>Default:</strong>
-<code> smbrun=<compiled default></code>
-<p><strong>Example:</strong>
-<code> smbrun = /usr/local/samba/bin/smbrun</code>
-<p><a name="socketaddress"></a>
-<p></p><dt><strong><strong>socket address (G)</strong></strong><dd>
-<p>This option allows you to control what address Samba will listen for
-connections on. This is used to support multiple virtual interfaces on
-the one server, each with a different configuration.
-<p>By default samba will accept connections on any address.
-<p><strong>Example:</strong>
-<code> socket address = 192.168.2.20</code>
-<p><a name="socketoptions"></a>
-<p></p><dt><strong><strong>socket options (G)</strong></strong><dd>
-<p>This option allows you to set socket options to be used when talking
-with the client.
-<p>Socket options are controls on the networking layer of the operating
-systems which allow the connection to be tuned.
-<p>This option will typically be used to tune your Samba server for
-optimal performance for your local network. There is no way that Samba
-can know what the optimal parameters are for your net, so you must
-experiment and choose them yourself. We strongly suggest you read the
-appropriate documentation for your operating system first (perhaps
-<strong>"man setsockopt"</strong> will help).
-<p>You may find that on some systems Samba will say "Unknown socket
-option" when you supply an option. This means you either incorrectly
-typed it or you need to add an include file to includes.h for your OS.
-If the latter is the case please send the patch to
-<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>.
-<p>Any of the supported socket options may be combined in any way you
-like, as long as your OS allows it.
-<p>This is the list of socket options currently settable using this
-option:
-<p><dl>
-<p><li > SO_KEEPALIVE
-<p><li > SO_REUSEADDR
-<p><li > SO_BROADCAST
-<p><li > TCP_NODELAY
-<p><li > IPTOS_LOWDELAY
-<p><li > IPTOS_THROUGHPUT
-<p><li > SO_SNDBUF *
-<p><li > SO_RCVBUF *
-<p><li > SO_SNDLOWAT *
-<p><li > SO_RCVLOWAT *
-<p></dl>
-<p>Those marked with a <code>*</code> take an integer argument. The others can
-optionally take a 1 or 0 argument to enable or disable the option, by
-default they will be enabled if you don't specify 1 or 0.
-<p>To specify an argument use the syntax SOME_OPTION=VALUE for example
-<code>SO_SNDBUF=8192</code>. Note that you must not have any spaces before or after
-the = sign.
-<p>If you are on a local network then a sensible option might be
-<p><code>socket options = IPTOS_LOWDELAY</code>
-<p>If you have a local network then you could try:
-<p><code>socket options = IPTOS_LOWDELAY TCP_NODELAY</code>
-<p>If you are on a wide area network then perhaps try setting
-IPTOS_THROUGHPUT.
-<p>Note that several of the options may cause your Samba server to fail
-completely. Use these options with caution!
-<p><strong>Default:</strong>
-<code> socket options = TCP_NODELAY</code>
-<p><strong>Example:</strong>
-<code> socket options = IPTOS_LOWDELAY</code>
-<p><a name="sourceenvironment"></a>
-<p></p><dt><strong><strong>source environment (G)</strong></strong><dd>
-<p>This parameter causes Samba to set environment variables as per the
-content of the file named.
-<p>The file <strong>must</strong> be owned by root and not world writable in order
-to be read (this is a security check).
-<p>If the value of this parameter starts with a "|" character then Samba will
-treat that value as a pipe command to open and will set the environment
-variables from the oput of the pipe. This command must not be world writable
-and must reside in a directory that is not world writable.
-<p>The contents of the file or the output of the pipe should be formatted
-as the output of the standard Unix env(1) command. This is of the form :
-<p>Example environment entry:
-<code> SAMBA_NETBIOS_NAME=myhostname </code>
-<p><strong>Default:</strong>
-<code>No default value</code>
-<p><strong>Examples:</strong>
-<p><code> source environment = |/etc/smb.conf.sh</code>
-<p><code> source environment = /usr/local/smb_env_vars</code>
-<p><a name="ssl"></a>
-<p></p><dt><strong><strong>ssl (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>This variable enables or disables the entire SSL mode. If it is set to
-"no", the SSL enabled samba behaves exactly like the non-SSL samba. If
-set to "yes", it depends on the variables <a href="smb.conf.5.html#sslhosts"><strong>"ssl
-hosts"</strong></a> and <a href="smb.conf.5.html#sslhostsresign"><strong>"ssl hosts resign"</strong></a>
-whether an SSL connection will be required.
-<p><strong>Default:</strong>
-<code> ssl=no</code>
- <strong>Example:</strong>
-<code> ssl=yes</code>
-<p><a name="sslCAcertDir"></a>
-<p></p><dt><strong><strong>ssl CA certDir (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>This variable defines where to look up the Certification
-Authorities. The given directory should contain one file for each CA
-that samba will trust. The file name must be the hash value over the
-"Distinguished Name" of the CA. How this directory is set up is
-explained later in this document. All files within the directory that
-don't fit into this naming scheme are ignored. You don't need this
-variable if you don't verify client certificates.
-<p><strong>Default:</strong>
-<code> ssl CA certDir = /usr/local/ssl/certs</code>
-<p><a name="sslCAcertFile"></a>
-<p></p><dt><strong><strong>ssl CA certFile (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>This variable is a second way to define the trusted CAs. The
-certificates of the trusted CAs are collected in one big file and this
-variable points to the file. You will probably only use one of the two
-ways to define your CAs. The first choice is preferable if you have
-many CAs or want to be flexible, the second is preferable if you only
-have one CA and want to keep things simple (you won't need to create
-the hashed file names). You don't need this variable if you don't
-verify client certificates.
-<p><strong>Default:</strong>
-<code> ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem</code>
-<p><a name="sslciphers"></a>
-<p></p><dt><strong><strong>ssl ciphers (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>This variable defines the ciphers that should be offered during SSL
-negotiation. You should not set this variable unless you know what you
-are doing.
-<p><a name="sslclientcert"></a>
-<p></p><dt><strong><strong>ssl client cert (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>The certificate in this file is used by
-<a href="smbclient.1.html"><strong>smbclient</strong></a> if it exists. It's needed if the
-server requires a client certificate.
-<p><strong>Default:</strong>
-<code> ssl client cert = /usr/local/ssl/certs/smbclient.pem</code>
-<p><a name="sslclientkey"></a>
-<p></p><dt><strong><strong>ssl client key (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>This is the private key for <a href="smbclient.1.html"><strong>smbclient</strong></a>. It's
-only needed if the client should have a certificate.
-<p><strong>Default:</strong>
-<code> ssl client key = /usr/local/ssl/private/smbclient.pem</code>
-<p><a name="sslcompatibility"></a>
-<p></p><dt><strong><strong>ssl compatibility (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>This variable defines whether SSLeay should be configured for bug
-compatibility with other SSL implementations. This is probably not
-desirable because currently no clients with SSL implementations other
-than SSLeay exist.
-<p><strong>Default:</strong>
-<code> ssl compatibility = no</code>
-<p><a name="sslhosts"></a>
-<p></p><dt><strong><strong>ssl hosts (G)</strong></strong><dd>
-<p>See <a href="smb.conf.5.html#sslhostsresign"><strong>"ssl hosts resign"</strong></a>.
-<p><a name="sslhostsresign"></a>
-<p></p><dt><strong><strong>ssl hosts resign (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>These two variables define whether samba will go into SSL mode or
-not. If none of them is defined, samba will allow only SSL
-connections. If the <a href="smb.conf.5.html#sslhosts"><strong>"ssl hosts"</strong></a> variable lists
-hosts (by IP-address, IP-address range, net group or name), only these
-hosts will be forced into SSL mode. If the <strong>"ssl hosts resign"</strong>
-variable lists hosts, only these hosts will NOT be forced into SSL
-mode. The syntax for these two variables is the same as for the
-<a href="smb.conf.5.html#hostsallow"><strong>"hosts allow"</strong></a> and <a href="smb.conf.5.html#hostsdeny"><strong>"hosts
-deny"</strong></a> pair of variables, only that the subject of the
-decision is different: It's not the access right but whether SSL is
-used or not. See the <a href="smb.conf.5.html#allowhosts"><strong>"allow hosts"</strong></a> parameter for
-details. The example below requires SSL connections from all hosts
-outside the local net (which is 192.168.*.*).
-<p><strong>Default:</strong>
-<code> ssl hosts = <empty string></code>
-<code> ssl hosts resign = <empty string></code>
-<p><strong>Example:</strong>
-<code> ssl hosts resign = 192.168.</code>
-<p><a name="sslrequireclientcert"></a>
-<p></p><dt><strong><strong>ssl require clientcert (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>If this variable is set to <code>"yes"</code>, the server will not tolerate
-connections from clients that don't have a valid certificate. The
-directory/file given in <a href="smb.conf.5.html#sslCAcertDir"><strong>"ssl CA certDir"</strong></a> and
-<a href="smb.conf.5.html#sslCAcertFile"><strong>"ssl CA certFile"</strong></a> will be used to look up the
-CAs that issued the client's certificate. If the certificate can't be
-verified positively, the connection will be terminated. If this
-variable is set to <code>"no"</code>, clients don't need certificates. Contrary
-to web applications you really <em>*should*</em> require client
-certificates. In the web environment the client's data is sensitive
-(credit card numbers) and the server must prove to be trustworthy. In
-a file server environment the server's data will be sensitive and the
-clients must prove to be trustworthy.
-<p><strong>Default:</strong>
-<code> ssl require clientcert = no</code>
-<p><a name="sslrequireservercert"></a>
-<p></p><dt><strong><strong>ssl require servercert (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>If this variable is set to <code>"yes"</code>, the
-<a href="smbclient.1.html"><strong>smbclient</strong></a> will request a certificate from
-the server. Same as <a href="smb.conf.5.html#sslrequireclientcert"><strong>"ssl require
-clientcert"</strong></a> for the server.
-<p><strong>Default:</strong>
-<code> ssl require servercert = no</code>
-<p><a name="sslservercert"></a>
-<p></p><dt><strong><strong>ssl server cert (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>This is the file containing the server's certificate. The server _must_
-have a certificate. The file may also contain the server's private key.
-See later for how certificates and private keys are created.
-<p><strong>Default:</strong>
-<code> ssl server cert = <empty string></code>
-<p><a name="sslserverkey"></a>
-<p></p><dt><strong><strong>ssl server key (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>This file contains the private key of the server. If this variable is
-not defined, the key is looked up in the certificate file (it may be
-appended to the certificate). The server <em>*must*</em> have a private key
-and the certificate <em>*must*</em> match this private key.
-<p><strong>Default:</strong>
-<code> ssl server key = <empty string></code>
-<p><a name="sslversion"></a>
-<p></p><dt><strong><strong>ssl version (G)</strong></strong><dd>
-<p>This variable is part of SSL-enabled Samba. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option <code>"--with-ssl"</code> was given at configure time.
-<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em>
-enabled by default in any current binary version of Samba.
-<p>This enumeration variable defines the versions of the SSL protocol
-that will be used. <code>"ssl2or3"</code> allows dynamic negotiation of SSL v2
-or v3, <code>"ssl2"</code> results in SSL v2, <code>"ssl3"</code> results in SSL v3 and
-"tls1" results in TLS v1. TLS (Transport Layer Security) is the
-(proposed?) new standard for SSL.
-<p><strong>Default:</strong>
-<code> ssl version = "ssl2or3"</code>
-<p><a name="statcache"></a>
-<p></p><dt><strong><strong>stat cache (G)</strong></strong><dd>
-<p>This parameter determines if <a href="smbd.8.html"><strong>smbd</strong></a> will use a
-cache in order to speed up case insensitive name mappings. You should
-never need to change this parameter.
-<p><strong>Default:</strong>
-<code> stat cache = yes</code>
-<p><a name="statcachesize"></a>
-<p></p><dt><strong><strong>stat cache size (G)</strong></strong><dd>
-<p>This parameter determines the number of entries in the <a href="smb.conf.5.html#statcache"><strong>stat
-cache</strong></a>. You should never need to change this parameter.
-<p><strong>Default:</strong>
-<code> stat cache size = 50</code>
-<p><a name="status"></a>
-<p></p><dt><strong><strong>status (G)</strong></strong><dd>
-<p>This enables or disables logging of connections to a status file that
-<a href="smbstatus.1.html"><strong>smbstatus</strong></a> can read.
-<p>With this disabled <a href="smbstatus.1.html"><strong>smbstatus</strong></a> won't be able
-to tell you what connections are active. You should never need to
-change this parameter.
-<p><strong>Default:</strong>
- status = yes
-<p><a name="strictlocking"></a>
-<p></p><dt><strong><strong>strict locking (S)</strong></strong><dd>
-<p>This is a boolean that controls the handling of file locking in the
-server. When this is set to <code>"yes"</code> the server will check every read and
-write access for file locks, and deny access if locks exist. This can
-be slow on some systems.
-<p>When strict locking is <code>"no"</code> the server does file lock checks only
-when the client explicitly asks for them.
-<p>Well behaved clients always ask for lock checks when it is important,
-so in the vast majority of cases <strong>"strict locking = no"</strong> is
-preferable.
-<p><strong>Default:</strong>
-<code> strict locking = no</code>
-<p><strong>Example:</strong>
-<code> strict locking = yes</code>
-<p><a name="strictsync"></a>
-<p></p><dt><strong><strong>strict sync (S)</strong></strong><dd>
-<p>Many Windows applications (including the Windows 98 explorer shell)
-seem to confuse flushing buffer contents to disk with doing a sync to
-disk. Under UNIX, a sync call forces the process to be suspended until
-the kernel has ensured that all outstanding data in kernel disk
-buffers has been safely stored onto stable storage. This is very slow
-and should only be done rarely. Setting this parameter to "no" (the
-default) means that smbd ignores the Windows applications requests for
-a sync call. There is only a possibility of losing data if the
-operating system itself that Samba is running on crashes, so there is
-little danger in this default setting. In addition, this fixes many
-performance problems that people have reported with the new Windows98
-explorer shell file copies.
-<p>See also the <a href="smb.conf.5.html#syncalways"><strong>"sync always"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> strict sync = no</code>
-<p><strong>Example:</strong>
-<code> strict sync = yes</code>
-<p><a name="stripdot"></a>
-<p></p><dt><strong><strong>strip dot (G)</strong></strong><dd>
-<p>This is a boolean that controls whether to strip trailing dots off
-UNIX filenames. This helps with some CDROMs that have filenames ending
-in a single dot.
-<p><strong>Default:</strong>
-<code> strip dot = no</code>
-<p><strong>Example:</strong>
-<code> strip dot = yes</code>
-<p><a name="syncalways"></a>
-<p></p><dt><strong><strong>sync always (S)</strong></strong><dd>
-<p>This is a boolean parameter that controls whether writes will always
-be written to stable storage before the write call returns. If this is
-false then the server will be guided by the client's request in each
-write call (clients can set a bit indicating that a particular write
-should be synchronous). If this is true then every write will be
-followed by a fsync() call to ensure the data is written to disk.
-Note that the <a href="smb.conf.5.html#strictsync"><strong>"strict sync"</strong></a> parameter must be
-set to <code>"yes"</code> in order for this parameter to have any affect.
-<p>See also the <a href="smb.conf.5.html#strictsync"><strong>"strict sync"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> sync always = no</code>
-<p><strong>Example:</strong>
-<code> sync always = yes</code>
-<p><a name="syslog"></a>
-<p></p><dt><strong><strong>syslog (G)</strong></strong><dd>
-<p>This parameter maps how Samba debug messages are logged onto the
-system syslog logging levels. Samba debug level zero maps onto syslog
-LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps
-onto LOG_NOTICE, debug level three maps onto LOG_INFO. All higher
-levels are mapped to LOG_DEBUG.
-<p>This paramter sets the threshold for sending messages to syslog.
-Only messages with debug level less than this value will be sent
-to syslog.
-<p><strong>Default:</strong>
-<code> syslog = 1</code>
-<p><a name="syslogonly"></a>
-<p></p><dt><strong><strong>syslog only (G)</strong></strong><dd>
-<p>If this parameter is set then Samba debug messages are logged into the
-system syslog only, and not to the debug log files.
-<p><strong>Default:</strong>
-<code> syslog only = no</code>
-<p><a name="templatehomedir"></a>
-<p></p><dt><strong><strong>template homedir (G)</strong></strong><dd>
-<p>NOTE: this parameter is only available in Samba 3.0.
-<p>When filling out the user information for a Windows NT user, the
-<a href="winbindd.8.html"><strong>winbindd</strong></a> daemon uses this parameter to fill in
-the home directory for that user. If the string <code>%D</code> is present it is
-substituted with the user's Windows NT domain name. If the string <code>%U</code>
-is present it is substituted with the user's Windows NT user name.
-<p><strong>Default:</strong>
-<code> template homedir = /home/%D/%U</code>
-<p><a name="templateshell"></a>
-<p></p><dt><strong><strong>template shell (G)</strong></strong><dd>
-<p>NOTE: this parameter is only available in Samba 3.0.
-<p>When filling out the user information for a Windows NT user, the
-<a href="winbindd.8.html"><strong>winbindd</strong></a> daemon uses this parameter to fill in
-the login shell for that user.
-<p><strong>Default:</strong>
-<code> template shell = /bin/false</code>
-<p><a name="timeoffset"></a>
-<p></p><dt><strong><strong>time offset (G)</strong></strong><dd>
-<p>This parameter is a setting in minutes to add to the normal GMT to
-local time conversion. This is useful if you are serving a lot of PCs
-that have incorrect daylight saving time handling.
-<p><strong>Default:</strong>
-<code> time offset = 0</code>
-<p><strong>Example:</strong>
-<code> time offset = 60</code>
-<p><a name="timeserver"></a>
-<p><p></p><dt><strong><strong>time server (G)</strong></strong><dd>
-<p>This parameter determines if <a href="nmbd.8.html"><strong>nmbd</strong></a> advertises
-itself as a time server to Windows clients. The default is False.
-<p><strong>Default:</strong>
-<code> time server = False</code>
-<p><strong>Example:</strong>
-<code> time server = True</code>
-<p><a name="timestamplogs"></a>
-<p></p><dt><strong><strong>timestamp logs (G)</strong></strong><dd>
-<p>Synonym for <a href="debugtimestamp"><strong>"debug timestamp"</strong></a>.
-<p><a name="unixpasswordsync"></a>
-<p></p><dt><strong><strong>unix password sync (G)</strong></strong><dd>
-<p>This boolean parameter controls whether Samba attempts to synchronize
-the UNIX password with the SMB password when the encrypted SMB
-password in the smbpasswd file is changed. If this is set to true the
-program specified in the <a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a>
-parameter is called <em>*AS ROOT*</em> - to allow the new UNIX password to be
-set without access to the old UNIX password (as the SMB password has
-change code has no access to the old password cleartext, only the
-new). By default this is set to <code>"false"</code>.
-<p>See also <a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a>, <a href="smb.conf.5.html#passwdchat"><strong>"passwd
-chat"</strong></a>.
-<p><strong>Default:</strong>
-<code> unix password sync = False</code>
-<p><strong>Example:</strong>
-<code> unix password sync = True</code>
-<p><a name="unixrealname"></a>
-<p></p><dt><strong><strong>unix realname (G)</strong></strong><dd>
-<p>This boolean parameter when set causes samba to supply the real name
-field from the unix password file to the client. This is useful for
-setting up mail clients and WWW browsers on systems used by more than
-one person.
-<p><strong>Default:</strong>
-<code> unix realname = no</code>
-<p><strong>Example:</strong>
-<code> unix realname = yes</code>
-<p><a name="updateencrypted"></a>
-<p></p><dt><strong><strong>update encrypted (G)</strong></strong><dd>
-<p>This boolean parameter allows a user logging on with a plaintext
-password to have their encrypted (hashed) password in the smbpasswd
-file to be updated automatically as they log on. This option allows a
-site to migrate from plaintext password authentication (users
-authenticate with plaintext password over the wire, and are checked
-against a UNIX account database) to encrypted password authentication
-(the SMB challenge/response authentication mechanism) without forcing
-all users to re-enter their passwords via smbpasswd at the time the
-change is made. This is a convenience option to allow the change over
-to encrypted passwords to be made over a longer period. Once all users
-have encrypted representations of their passwords in the smbpasswd
-file this parameter should be set to <code>"off"</code>.
-<p>In order for this parameter to work correctly the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypt
-passwords"</strong></a> parameter must be set to <code>"no"</code> when
-this parameter is set to <code>"yes"</code>.
-<p>Note that even when this parameter is set a user authenticating to
-smbd must still enter a valid password in order to connect correctly,
-and to update their hashed (smbpasswd) passwords.
-<p><strong>Default:</strong>
-<code> update encrypted = no</code>
-<p><strong>Example:</strong>
-<code> update encrypted = yes</code>
-<p><a name="userhosts"></a>
-<p></p><dt><strong><strong>use rhosts (G)</strong></strong><dd>
-<p>If this global parameter is a true, it specifies that the UNIX users
-<code>".rhosts"</code> file in their home directory will be read to find the
-names of hosts and users who will be allowed access without specifying
-a password.
-<p>NOTE: The use of <strong>use rhosts</strong> can be a major security hole. This is
-because you are trusting the PC to supply the correct username. It is
-very easy to get a PC to supply a false username. I recommend that the
-<strong>use rhosts</strong> option be only used if you really know what you are
-doing.
-<p><strong>Default:</strong>
-<code> use rhosts = no</code>
-<p><strong>Example:</strong>
-<code> use rhosts = yes</code>
-<p><a name="user"></a>
-<p></p><dt><strong><strong>user (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#username"><strong>"username"</strong></a>.
-<p><a name="users"></a>
-<p></p><dt><strong><strong>users (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#username"><strong>"username"</strong></a>.
-<p><a name="username"></a>
-<p></p><dt><strong><strong>username (S)</strong></strong><dd>
-<p>Multiple users may be specified in a comma-delimited list, in which
-case the supplied password will be tested against each username in
-turn (left to right).
-<p>The <strong>username=</strong> line is needed only when the PC is unable to supply
-its own username. This is the case for the COREPLUS protocol or where
-your users have different WfWg usernames to UNIX usernames. In both
-these cases you may also be better using the <code>\\server\share%user</code>
-syntax instead.
-<p>The <strong>username=</strong> line is not a great solution in many cases as it
-means Samba will try to validate the supplied password against each of
-the usernames in the username= line in turn. This is slow and a bad
-idea for lots of users in case of duplicate passwords. You may get
-timeouts or security breaches using this parameter unwisely.
-<p>Samba relies on the underlying UNIX security. This parameter does not
-restrict who can login, it just offers hints to the Samba server as to
-what usernames might correspond to the supplied password. Users can
-login as whoever they please and they will be able to do no more
-damage than if they started a telnet session. The daemon runs as the
-user that they log in as, so they cannot do anything that user cannot
-do.
-<p>To restrict a service to a particular set of users you can use the
-<a href="smb.conf.5.html#validusers"><strong>"valid users="</strong></a> parameter.
-<p>If any of the usernames begin with a <code>'@'</code> then the name will be
-looked up first in the yp netgroups list (if Samba is compiled with
-netgroup support), followed by a lookup in the UNIX groups database
-and will expand to a list of all users in the group of that name.
-<p>If any of the usernames begin with a <code>'+'</code> then the name will be
-looked up only in the UNIX groups database and will expand to a list
-of all users in the group of that name.
-<p>If any of the usernames begin with a <code>'&'</code> then the name will be
-looked up only in the yp netgroups database (if Samba is compiled with
-netgroup support) and will expand to a list of all users in the
-netgroup group of that name.
-<p>Note that searching though a groups database can take quite some time,
-and some clients may time out during the search.
-<p>See the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"</strong></a> for more
-information on how this parameter determines access to the services.
-<p><strong>Default:</strong>
-<code> The guest account if a guest service, else the name of the service.</code>
-<p><strong>Examples:</strong>
-<pre>
-
- username = fred
- username = fred, mary, jack, jane, @users, @pcgroup
-
-</pre>
-
-<p><a name="usernamelevel"></a>
-<p></p><dt><strong><strong>username level (G)</strong></strong><dd>
-<p>This option helps Samba to try and 'guess' at the real UNIX username,
-as many DOS clients send an all-uppercase username. By default Samba
-tries all lowercase, followed by the username with the first letter
-capitalized, and fails if the username is not found on the UNIX
-machine.
-<p>If this parameter is set to non-zero the behavior changes. This
-parameter is a number that specifies the number of uppercase
-combinations to try whilst trying to determine the UNIX user name. The
-higher the number the more combinations will be tried, but the slower
-the discovery of usernames will be. Use this parameter when you have
-strange usernames on your UNIX machine, such as <code>"AstrangeUser"</code>.
-<p><strong>Default:</strong>
-<code> username level = 0</code>
-<p><strong>Example:</strong>
-<code> username level = 5</code>
-<p><a name="usernamemap"></a>
-<p></p><dt><strong><strong>username map (G)</strong></strong><dd>
-<p>This option allows you to specify a file containing a mapping of
-usernames from the clients to the server. This can be used for several
-purposes. The most common is to map usernames that users use on DOS or
-Windows machines to those that the UNIX box uses. The other is to map
-multiple users to a single username so that they can more easily share
-files.
-<p>The map file is parsed line by line. Each line should contain a single
-UNIX username on the left then a <code>'='</code> followed by a list of
-usernames on the right. The list of usernames on the right may contain
-names of the form @group in which case they will match any UNIX
-username in that group. The special client name <code>'*'</code> is a wildcard
-and matches any name. Each line of the map file may be up to 1023
-characters long.
-<p>The file is processed on each line by taking the supplied username and
-comparing it with each username on the right hand side of the <code>'='</code>
-signs. If the supplied name matches any of the names on the right hand
-side then it is replaced with the name on the left. Processing then
-continues with the next line.
-<p>If any line begins with a <code>'#'</code> or a <code>';'</code> then it is ignored
-<p>If any line begins with an <code>'!'</code> then the processing will stop after
-that line if a mapping was done by the line. Otherwise mapping
-continues with every line being processed. Using <code>'!'</code> is most
-useful when you have a wildcard mapping line later in the file.
-<p>For example to map from the name <code>"admin"</code> or <code>"administrator"</code> to
-the UNIX name <code>"root"</code> you would use:
-<p><code> root = admin administrator</code>
-<p>Or to map anyone in the UNIX group <code>"system"</code> to the UNIX name
-<code>"sys"</code> you would use:
-<p><code> sys = @system</code>
-<p>You can have as many mappings as you like in a username map file.
-<p>If your system supports the NIS NETGROUP option then the netgroup
-database is checked before the <code>/etc/group</code> database for matching
-groups.
-<p>You can map Windows usernames that have spaces in them by using double
-quotes around the name. For example:
-<p><code> tridge = "Andrew Tridgell"</code>
-<p>would map the windows username <code>"Andrew Tridgell"</code> to the unix
-username tridge.
-<p>The following example would map mary and fred to the unix user sys,
-and map the rest to guest. Note the use of the <code>'!'</code> to tell Samba
-to stop processing if it gets a match on that line.
-<p><pre>
-
- !sys = mary fred
- guest = *
-
-</pre>
-
-<p>Note that the remapping is applied to all occurrences of
-usernames. Thus if you connect to <code>"\\server\fred"</code> and <code>"fred"</code>
-is remapped to <code>"mary"</code> then you will actually be connecting to
-<code>"\\server\mary"</code> and will need to supply a password suitable for
-<code>"mary"</code> not <code>"fred"</code>. The only exception to this is the username
-passed to the <a href="smb.conf.5.html#passwordserver"><strong>"password server"</strong></a> (if you have
-one). The password server will receive whatever username the client
-supplies without modification.
-<p>Also note that no reverse mapping is done. The main effect this has is
-with printing. Users who have been mapped may have trouble deleting
-print jobs as PrintManager under WfWg will think they don't own the
-print job.
-<p><strong>Default:</strong>
-<code> no username map</code>
-<p><strong>Example:</strong>
-<code> username map = /usr/local/samba/lib/users.map</code>
-<p><a name="utmp"></a>
-<p></p><dt><strong><strong>utmp (S)</strong></strong><dd>
-<p>This boolean parameter is only available if Samba has been configured and compiled
-with the option <code>--with-utmp</code>. If set to True then Samba will attempt
-to add utmp or utmpx records (depending on the UNIX system) whenever a
-connection is made to a Samba server. Sites may use this to record the
-user connecting to a Samba share.
-<p>See also the <a href="smb.conf.5.html#utmpdirectory"><strong>"utmp directory"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code>utmp = False</code>
-<p><strong>Example:</strong>
-<code>utmp = True</code>
-<p><a name="utmpdirectory"></a>
-<p></p><dt><strong><strong>utmp directory(G)</strong></strong><dd>
-<p>This parameter is only available if Samba has been configured and compiled
-with the option <code>--with-utmp</code>. It specifies a directory pathname that is
-used to store the utmp or utmpx files (depending on the UNIX system) that
-record user connections to a Samba server. See also the <a href="smb.conf.5.html#utmp"><strong>"utmp"</strong></a>
-parameter. By default this is not set, meaning the system will use whatever
-utmp file the native system is set to use (usually /var/run/utmp on Linux).
-<p><strong>Default:</strong>
-<code>no utmp directory</code>
-<p><strong>Example:</strong>
-<code>utmp directory = /var/adm/</code>
-<p><a name="winbindcachetime"></a>
-<p></p><dt><strong>winbind cache time</strong><dd>
-<p>NOTE: this parameter is only available in Samba 3.0.
-<p>This parameter specifies the number of seconds the
-<a href="winbindd.8.html"><strong>winbindd</strong></a> daemon will cache user and group
-information before querying a Windows NT server again.
-<p><strong>Default:</strong>
-<code> winbind cache type = 15</code>
-<p><a name="winbindgid"></a>
-<p></p><dt><strong>winbind gid</strong><dd>
-<p>NOTE: this parameter is only available in Samba 3.0.
-<p>The winbind gid parameter specifies the range of group ids that are
-allocated by the <a href="winbindd.8.html"><strong>winbindd</strong></a> daemon. This range of
-group ids should have no existing local or nis groups within it as strange
-conflicts can occur otherwise.
-<p><strong>Default:</strong>
-<code> winbind gid = <empty string></code>
-<p><strong>Example:</strong>
-<code> winbind gid = 10000-20000</code>
-<p><a name="winbinduid"></a>
-<p></p><dt><strong>winbind uid</strong><dd>
-<p>NOTE: this parameter is only available in Samba 3.0.
-<p>The winbind uid parameter specifies the range of user ids that are
-allocated by the <a href="winbindd.8.html"><strong>winbindd</strong></a> daemon. This range of
-ids should have no existing local or nis users within it as strange
-conflicts can occur otherwise.
-<p><strong>Default:</strong>
-<code> winbind uid = <empty string></code>
-<p><strong>Example:</strong>
-<code> winbind uid = 10000-20000</code>
-<p><a name="validchars"></a>
-<p></p><dt><strong><strong>valid chars (G)</strong></strong><dd>
-<p>The option allows you to specify additional characters that should be
-considered valid by the server in filenames. This is particularly
-useful for national character sets, such as adding u-umlaut or a-ring.
-<p>The option takes a list of characters in either integer or character
-form with spaces between them. If you give two characters with a colon
-between them then it will be taken as an lowercase:uppercase pair.
-<p>If you have an editor capable of entering the characters into the
-config file then it is probably easiest to use this method. Otherwise
-you can specify the characters in octal, decimal or hexadecimal form
-using the usual C notation.
-<p>For example to add the single character <code>'Z'</code> to the charset (which
-is a pointless thing to do as it's already there) you could do one of
-the following
-<p><pre>
-
- valid chars = Z
- valid chars = z:Z
- valid chars = 0132:0172
-
-</pre>
-
-<p>The last two examples above actually add two characters, and alter the
-uppercase and lowercase mappings appropriately.
-<p>Note that you MUST specify this parameter after the <a href="smb.conf.5.html#clientcodepage"><strong>"client
-code page"</strong></a> parameter if you have both set. If
-<a href="smb.conf.5.html#clientcodepage"><strong>"client code page"</strong></a> is set after the
-<strong>"valid chars"</strong> parameter the <strong>"valid chars"</strong> settings will be
-overwritten.
-<p>See also the <a href="smb.conf.5.html#clientcodepage"><strong>"client code page"</strong></a> parameter.
-<p><strong>Default:</strong>
-<pre>
-
- Samba defaults to using a reasonable set of valid characters
- for English systems
-
-</pre>
-
-<p><strong>Example</strong>
-<code> valid chars = 0345:0305 0366:0326 0344:0304</code>
-<p>The above example allows filenames to have the Swedish characters in
-them.
-<p>NOTE: It is actually quite difficult to correctly produce a <strong>"valid
-chars"</strong> line for a particular system. To automate the process
-<a href="mailto:tino@augsburg.net"><em>tino@augsburg.net</em></a> has written a package called <strong>"validchars"</strong>
-which will automatically produce a complete <strong>"valid chars"</strong> line for
-a given client system. Look in the examples/validchars/ subdirectory
-of your Samba source code distribution for this package.
-<p><a name="validusers"></a>
-<p></p><dt><strong><strong>valid users (S)</strong></strong><dd>
-<p>This is a list of users that should be allowed to login to this
-service. Names starting with <code>'@'</code>, <code>'+'</code> and <code>'&'</code> are
-interpreted using the same rules as described in the <a href="smb.conf.5.html#invalidusers"><strong>"invalid
-users"</strong></a> parameter.
-<p>If this is empty (the default) then any user can login. If a username
-is in both this list and the <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a>
-list then access is denied for that user.
-<p>The current servicename is substituted for
-<a href="smb.conf.5.html#percentS"><strong>"%S"</strong></a>. This is useful in the
-<a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> section.
-<p>See also <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a>.
-<p><strong>Default:</strong>
-<code> No valid users list. (anyone can login)</code>
-<p><strong>Example:</strong>
-<code> valid users = greg, @pcusers</code>
-<p><a name="vetofiles"></a>
-<p></p><dt><strong><strong>veto files(S)</strong></strong><dd>
-<p>This is a list of files and directories that are neither visible nor
-accessible. Each entry in the list must be separated by a <code>'/'</code>,
-which allows spaces to be included in the entry. <code>'*'</code> and <code>'?'</code>
-can be used to specify multiple files or directories as in DOS
-wildcards.
-<p>Each entry must be a unix path, not a DOS path and must <em>*not*</em> include the
-unix directory separator <code>'/'</code>.
-<p>Note that the <a href="smb.conf.5.html#casesensitive"><strong>"case sensitive"</strong></a> option is
-applicable in vetoing files.
-<p>One feature of the veto files parameter that it is important to be
-aware of, is that if a directory contains nothing but files that match
-the veto files parameter (which means that Windows/DOS clients cannot
-ever see them) is deleted, the veto files within that directory *are
-automatically deleted* along with it, if the user has UNIX permissions
-to do so.
-<p>Setting this parameter will affect the performance of Samba, as it
-will be forced to check all files and directories for a match as they
-are scanned.
-<p>See also <a href="smb.conf.5.html#hidefiles"><strong>"hide files"</strong></a> and <a href="smb.conf.5.html#casesensitive"><strong>"case
-sensitive"</strong></a>.
-<p><strong>Default:</strong>
-<code> No files or directories are vetoed.</code>
-<p><strong>Examples:</strong>
-<p>Example 1.
-<p><pre>
-
-
- Veto any files containing the word Security,
- any ending in .tmp, and any directory containing the
- word root.
-
- veto files = /*Security*/*.tmp/*root*/
-
-</pre>
-
-<p>Example 2.
-<p><pre>
-
- Veto the Apple specific files that a NetAtalk server
- creates.
-
- veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
-
-</pre>
-
-<p><a name="vetooplockfiles"></a>
-<p></p><dt><strong><strong>veto oplock files (S)</strong></strong><dd>
-<p>This parameter is only valid when the <a href="smb.conf.5.html#oplocks"><strong>"oplocks"</strong></a>
-parameter is turned on for a share. It allows the Samba administrator
-to selectively turn off the granting of oplocks on selected files that
-match a wildcarded list, similar to the wildcarded list used in the
-<a href="smb.conf.5.html#vetofiles"><strong>"veto files"</strong></a> parameter.
-<p><strong>Default:</strong>
-<code> No files are vetoed for oplock grants.</code>
-<p><strong>Examples:</strong>
-<p>You might want to do this on files that you know will be heavily
-contended for by clients. A good example of this is in the NetBench
-SMB benchmark program, which causes heavy client contention for files
-ending in <code>".SEM"</code>. To cause Samba not to grant oplocks on these
-files you would use the line (either in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a>
-section or in the section for the particular NetBench share :
-<p><code> veto oplock files = /*.SEM/</code>
-<p><a name="volume"></a>
-<p></p><dt><strong><strong>volume (S)</strong></strong><dd>
-<p>This allows you to override the volume label returned for a
-share. Useful for CDROMs with installation programs that insist on a
-particular volume label.
-<p>The default is the name of the share.
-<p><a name="widelinks"></a>
-<p></p><dt><strong><strong>wide links (S)</strong></strong><dd>
-<p>This parameter controls whether or not links in the UNIX file system
-may be followed by the server. Links that point to areas within the
-directory tree exported by the server are always allowed; this
-parameter controls access only to areas that are outside the directory
-tree being exported.
-<p>Note that setting this parameter can have a negative effect on your
-server performance due to the extra system calls that Samba has to
-do in order to perform the link checks.
-<p><strong>Default:</strong>
-<code> wide links = yes</code>
-<p><strong>Example:</strong>
-<code> wide links = no</code>
-<p><a name="winsproxy"></a>
-<p></p><dt><strong><strong>wins proxy (G)</strong></strong><dd>
-<p>This is a boolean that controls if <a href="nmbd.8.html"><strong>nmbd</strong></a> will
-respond to broadcast name queries on behalf of other hosts. You may
-need to set this to <code>"yes"</code> for some older clients.
-<p><strong>Default:</strong>
-<code> wins proxy = no</code>
-<p><a name="winsserver"></a>
-<p></p><dt><strong><strong>wins server (G)</strong></strong><dd>
-<p>This specifies the IP address (or DNS name: IP address for preference)
-of the WINS server that <a href="nmbd.8.html"><strong>nmbd</strong></a> should register with.
-If you have a WINS server on your network then you should set this to
-the WINS server's IP.
-<p>You should point this at your WINS server if you have a
-multi-subnetted network.
-<p><em>NOTE</em>. You need to set up Samba to point to a WINS server if you
-have multiple subnets and wish cross-subnet browsing to work correctly.
-<p>See the documentation file BROWSING.txt in the docs/ directory of your
-Samba source distribution.
-<p><strong>Default:</strong>
-<code> wins server = </code>
-<p><strong>Example:</strong>
-<code> wins server = 192.9.200.1</code>
-<p><a name="winshook"></a>
-<p></p><dt><strong><strong>wins hook (G)</strong></strong><dd>
-<p>When Samba is running as a WINS server this allows you to call an
-external program for all changes to the WINS database. The primary use
-for this option is to allow the dynamic update of external name
-resolution databases such as dynamic DNS.
-<p>The wins hook parameter specifies the name of a script or executable
-that will be called as follows:
-<p>wins_hook operation name nametype ttl IP_list
-<p>The first argument is the operation and is one of "add", "delete",
-or "refresh". In most cases the operation can be ignored as the rest
-of the parameters provide sufficient information. Note that "refresh"
-may sometimes be called when the name has not previously been added,
-in that case it should be treated as an add.
-<p>The second argument is the netbios name. If the name is not a legal
-name then the wins hook is not called. Legal names contain only
-letters, digits, hyphens, underscores and periods.
-<p>The third argument is the netbios name type as a 2 digit hexadecimal
-number.
-<p>The fourth argument is the TTL (time to live) for the name in seconds.
-<p>The fifth and subsequent arguments are the IP addresses currently
-registered for that name. If this list is empty then the name should
-be deleted.
-<p>An example script that calls the BIND dynamic DNS update program
-"nsupdate" is provided in the examples directory of the Samba source
-code.
-<p><a name="winssupport"></a>
-<p></p><dt><strong><strong>wins support (G)</strong></strong><dd>
-<p>This boolean controls if the <a href="nmbd.8.html"><strong>nmbd</strong></a> process in
-Samba will act as a WINS server. You should not set this to true
-unless you have a multi-subnetted network and you wish a particular
-<a href="nmbd.8.html"><strong>nmbd</strong></a> to be your WINS server. Note that you
-should <em>*NEVER*</em> set this to true on more than one machine in your
-network.
-<p><strong>Default:</strong>
-<code> wins support = no</code>
-<p><a name="workgroup"></a>
-<p></p><dt><strong><strong>workgroup (G)</strong></strong><dd>
-<p>This controls what workgroup your server will appear to be in when
-queried by clients. Note that this parameter also controls the Domain
-name used with the <a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>
-setting.
-<p><strong>Default:</strong>
-<code> set at compile time to WORKGROUP</code>
-<p><strong>Example:</strong>
- workgroup = MYGROUP
-<p><a name="writable"></a>
-<p></p><dt><strong><strong>writable (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a> for people who can't spell :-).
-<p><a name="writelist"></a>
-<p></p><dt><strong><strong>write list (S)</strong></strong><dd>
-<p>This is a list of users that are given read-write access to a
-service. If the connecting user is in this list then they will be
-given write access, no matter what the <a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a>
-option is set to. The list can include group names using the @group
-syntax.
-<p>Note that if a user is in both the read list and the write list then
-they will be given write access.
-<p>See also the <a href="smb.conf.5.html#readlist"><strong>"read list"</strong></a> option.
-<p><strong>Default:</strong>
-<code> write list = <empty string></code>
-<p><strong>Example:</strong>
-<code> write list = admin, root, @staff</code>
-<p><a name="writecachesize"></a>
-<p></p><dt><strong><strong>write cache size (S)</strong></strong><dd>
-<p>This integer parameter (new with Samba 2.0.7) if set to non-zero causes Samba to create an in-memory
-cache for each oplocked file (it does <strong>not</strong> do this for non-oplocked files). All
-writes that the client does not request to be flushed directly to disk will be
-stored in this cache if possible. The cache is flushed onto disk when a write
-comes in whose offset would not fit into the cache or when the file is closed
-by the client. Reads for the file are also served from this cache if the data
-is stored within it.
-<p>This cache allows Samba to batch client writes into a more efficient write
-size for RAID disks (ie. writes may be tuned to be the RAID stripe size) and
-can improve performance on systems where the disk subsystem is a bottleneck
-but there is free memory for userspace programs.
-<p>The integer parameter specifies the size of this cache (per oplocked file)
-in bytes.
-<p><strong>Default:</strong>
-<code> write cache size = 0</code>
-<p><strong>Example:</strong>
-<code> write cache size = 262144</code>
-for a 256k cache size per file.
-<p><a name="writeok"></a>
-<p></p><dt><strong><strong>write ok (S)</strong></strong><dd>
-<p>Synonym for <a href="smb.conf.5.html#writeable"><strong>writeable</strong></a>.
-<p><a name="writeraw"></a>
-<p></p><dt><strong><strong>write raw (G)</strong></strong><dd>
-<p>This parameter controls whether or not the server will support raw
-writes SMB's when transferring data from clients. You should never
-need to change this parameter.
-<p><strong>Default:</strong>
-<code> write raw = yes</code>
-<p><a name="writeable"></a>
-<p></p><dt><strong><strong>writeable</strong></strong><dd>
-<p>An inverted synonym is <a href="smb.conf.5.html#readonly"><strong>"read only"</strong></a>.
-<p>If this parameter is <code>"no"</code>, then users of a service may not create
-or modify files in the service's directory.
-<p>Note that a printable service <a href="smb.conf.5.html#printable"><strong>("printable = yes")</strong></a>
-will <em>*ALWAYS*</em> allow writing to the directory (user privileges
-permitting), but only via spooling operations.
-<p><strong>Default:</strong>
-<code> writeable = no</code>
-<p><strong>Examples:</strong>
-<pre>
-
- read only = no
- writeable = yes
- write ok = yes
-
-</pre>
+ [pub]
+ path = /%S
+ </TT
+></PRE
+></DD
+><DT
+><A
+NAME="DELETEUSERSCRIPT"
+></A
+>delete user script (G)</DT
+><DD
+><P
+>This is the full pathname to a script that will
+ be run <I
+CLASS="EMPHASIS"
+>AS ROOT</I
+> by <A
+HREF="smbd.8.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> under special circumstances
+ decribed below.</P
+><P
+>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows <B
+CLASS="COMMAND"
+> smbd</B
+> to delete the required UNIX users <I
+CLASS="EMPHASIS"
+>ON
+ DEMAND</I
+> when a user accesses the Samba server and the
+ Windows NT user no longer exists.</P
+><P
+>In order to use this option, <B
+CLASS="COMMAND"
+>smbd</B
+> must be
+ set to <TT
+CLASS="PARAMETER"
+><I
+>security=domain</I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>delete
+ user script</I
+></TT
+> must be set to a full pathname for a script
+ that will delete a UNIX user given one argument of <TT
+CLASS="PARAMETER"
+><I
+>%u
+ </I
+></TT
+>, which expands into the UNIX user name to delete.
+ <I
+CLASS="EMPHASIS"
+>NOTE</I
+> that this is different to the <A
+HREF="#ADDUSERSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+></A
+>
+ which will work with the <TT
+CLASS="PARAMETER"
+><I
+>security=server</I
+></TT
+> option
+ as well as <TT
+CLASS="PARAMETER"
+><I
+>security=domain</I
+></TT
+>. The reason for this
+ is only when Samba is a domain member does it get the information
+ on an attempted user logon that a user no longer exists. In the
+ <TT
+CLASS="PARAMETER"
+><I
+>security=server</I
+></TT
+> mode a missing user
+ is treated the same as an invalid password logon attempt. Deleting
+ the user in this circumstance would not be a good idea.</P
+><P
+>When the Windows user attempts to access the Samba server,
+ at <I
+CLASS="EMPHASIS"
+>login</I
+> (session setup in the SMB protocol)
+ time, <B
+CLASS="COMMAND"
+>smbd</B
+> contacts the <A
+HREF="#PASSWORDSERVER"
+> <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+></A
+> and attempts to authenticate
+ the given user with the given password. If the authentication fails
+ with the specific Domain error code meaning that the user no longer
+ exists then <B
+CLASS="COMMAND"
+>smbd</B
+> attempts to find a UNIX user in
+ the UNIX password database that matches the Windows user account. If
+ this lookup succeeds, and <TT
+CLASS="PARAMETER"
+><I
+>delete user script</I
+></TT
+> is
+ set then <B
+CLASS="COMMAND"
+>smbd</B
+> will all the specified script
+ <I
+CLASS="EMPHASIS"
+>AS ROOT</I
+>, expanding any <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+>
+ argument to be the user name to delete.</P
+><P
+>This script should delete the given UNIX username. In this way,
+ UNIX users are dynamically deleted to match existing Windows NT
+ accounts.</P
+><P
+>See also <A
+HREF="#SECURITYEQUALSDOMAIN"
+>security=domain</A
+>,
+ <A
+HREF="#PASSWORDSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+>
+ </A
+>, <A
+HREF="#ADDUSERSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>add user script</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>delete user script = <empty string>
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>delete user script = /usr/local/samba/bin/del_user
+ %u</B
+></P
+></DD
+><DT
+><A
+NAME="DELETEREADONLY"
+></A
+>delete readonly (S)</DT
+><DD
+><P
+>This parameter allows readonly files to be deleted.
+ This is not normal DOS semantics, but is allowed by UNIX.</P
+><P
+>This option may be useful for running applications such
+ as rcs, where UNIX file ownership prevents changing file
+ permissions, and DOS semantics prevent deletion of a read only file.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>delete readonly = no</B
+></P
+></DD
+><DT
+><A
+NAME="DELETEVETOFILES"
+></A
+>delete veto files (S)</DT
+><DD
+><P
+>This option is used when Samba is attempting to
+ delete a directory that contains one or more vetoed directories
+ (see the <A
+HREF="#VETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>veto files</I
+></TT
+></A
+>
+ option). If this option is set to False (the default) then if a vetoed
+ directory contains any non-vetoed files or directories then the
+ directory delete will fail. This is usually what you want.</P
+><P
+>If this option is set to <TT
+CLASS="CONSTANT"
+>True</TT
+>, then Samba
+ will attempt to recursively delete any files and directories within
+ the vetoed directory. This can be useful for integration with file
+ serving systems such as NetAtalk which create meta-files within
+ directories you might normally veto DOS/Windows users from seeing
+ (e.g. <TT
+CLASS="FILENAME"
+>.AppleDouble</TT
+>)</P
+><P
+>Setting <B
+CLASS="COMMAND"
+>delete veto files = yes</B
+> allows these
+ directories to be transparently deleted when the parent directory
+ is deleted (so long as the user has permissions to do so).</P
+><P
+>See also the <A
+HREF="#VETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>veto
+ files</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>delete veto files = no</B
+></P
+></DD
+><DT
+><A
+NAME="DENYHOSTS"
+></A
+>deny hosts (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#HOSTSDENY"
+><TT
+CLASS="PARAMETER"
+><I
+>hosts
+ deny</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="DFREECOMMAND"
+></A
+>dfree command (G)</DT
+><DD
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>dfree command</I
+></TT
+> setting should
+ only be used on systems where a problem occurs with the internal
+ disk space calculations. This has been known to happen with Ultrix,
+ but may occur with other operating systems. The symptom that was
+ seen was an error of "Abort Retry Ignore" at the end of each
+ directory listing.</P
+><P
+>This setting allows the replacement of the internal routines to
+ calculate the total disk space and amount available with an external
+ routine. The example below gives a possible script that might fulfill
+ this function.</P
+><P
+>The external program will be passed a single parameter indicating
+ a directory in the filesystem being queried. This will typically consist
+ of the string <TT
+CLASS="FILENAME"
+>./</TT
+>. The script should return two
+ integers in ascii. The first should be the total disk space in blocks,
+ and the second should be the number of available blocks. An optional
+ third return value can give the block size in bytes. The default
+ blocksize is 1024 bytes.</P
+><P
+>Note: Your script should <I
+CLASS="EMPHASIS"
+>NOT</I
+> be setuid or
+ setgid and should be owned by (and writeable only by) root!</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>By default internal routines for
+ determining the disk capacity and remaining space will be used.
+ </I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>dfree command = /usr/local/samba/bin/dfree
+ </B
+></P
+><P
+>Where the script dfree (which must be made executable) could be:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>
+ #!/bin/sh
+ df $1 | tail -1 | awk '{print $2" "$4}'
+ </PRE
+></P
+><P
+>or perhaps (on Sys V based systems):</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>
+ #!/bin/sh
+ /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+ </PRE
+></P
+><P
+>Note that you may have to replace the command names
+ with full path names on some systems.</P
+></DD
+><DT
+><A
+NAME="DIRECTORY"
+></A
+>directory (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PATH"
+><TT
+CLASS="PARAMETER"
+><I
+>path
+ </I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="DIRECTORYMASK"
+></A
+>directory mask (S)</DT
+><DD
+><P
+>This parameter is the octal modes which are
+ used when converting DOS modes to UNIX modes when creating UNIX
+ directories.</P
+><P
+>When a directory is created, the necessary permissions are
+ calculated according to the mapping from DOS modes to UNIX permissions,
+ and the resulting UNIX mode is then bit-wise 'AND'ed with this
+ parameter. This parameter may be thought of as a bit-wise MASK for
+ the UNIX modes of a directory. Any bit <I
+CLASS="EMPHASIS"
+>not</I
+> set
+ here will be removed from the modes set on a directory when it is
+ created.</P
+><P
+>The default value of this parameter removes the 'group'
+ and 'other' write bits from the UNIX mode, allowing only the
+ user who owns the directory to modify it.</P
+><P
+>Following this Samba will bit-wise 'OR' the UNIX mode
+ created from this parameter with the value of the <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force directory mode
+ </I
+></TT
+></A
+> parameter. This parameter is set to 000 by
+ default (i.e. no extra mode bits are added).</P
+><P
+>See the <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ directory mode</I
+></TT
+></A
+> parameter to cause particular mode
+ bits to always be set on created directories.</P
+><P
+>See also the <A
+HREF="#CREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>create mode
+ </I
+></TT
+></A
+> parameter for masking mode bits on created files,
+ and the <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory
+ security mask</I
+></TT
+></A
+> parameter.</P
+><P
+>Also refer to the <A
+HREF="#INHERITPERMISSIONS"
+><TT
+CLASS="PARAMETER"
+><I
+> inherit permissions</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>directory mask = 0755</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>directory mask = 0775</B
+></P
+></DD
+><DT
+><A
+NAME="DIRECTORYMODE"
+></A
+>directory mode (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> directory mask</I
+></TT
+></A
+></P
+></DD
+><DT
+><A
+NAME="DIRECTORYSECURITYMASK"
+></A
+>directory security mask (S)</DT
+><DD
+><P
+>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog
+ box.</P
+><P
+>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</P
+><P
+>If not set explicitly this parameter is set to the same
+ value as the <A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory
+ mask</I
+></TT
+></A
+> parameter. To allow a user to
+ modify all the user/group/world permissions on a directory, set
+ this parameter to 0777.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to set
+ it to 0777.</P
+><P
+>See also the <A
+HREF="#FORCEDIRECTORYSECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+> force directory security mode</I
+></TT
+></A
+>, <A
+HREF="#SECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></A
+>,
+ <A
+HREF="#FORCESECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode
+ </I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>directory security mask = <same as
+ directory mask></B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>directory security mask = 0777</B
+></P
+></DD
+><DT
+><A
+NAME="DNSPROXY"
+></A
+>dns proxy (G)</DT
+><DD
+><P
+>Specifies that <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ when acting as a WINS server and finding that a NetBIOS name has not
+ been registered, should treat the NetBIOS name word-for-word as a DNS
+ name and do a lookup with the DNS server for that name on behalf of
+ the name-querying client.</P
+><P
+>Note that the maximum length for a NetBIOS name is 15
+ characters, so the DNS name (or DNS alias) can likewise only be
+ 15 characters, maximum.</P
+><P
+><B
+CLASS="COMMAND"
+>nmbd</B
+> spawns a second copy of itself to do the
+ DNS name lookup requests, as doing a name lookup is a blocking
+ action.</P
+><P
+>See also the parameter <A
+HREF="#WINSSUPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+> wins support</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>dns proxy = yes</B
+></P
+></DD
+><DT
+><A
+NAME="DOMAINADMINGROUP"
+></A
+>domain admin group (G)</DT
+><DD
+><P
+>This is an <I
+CLASS="EMPHASIS"
+>EXPERIMENTAL</I
+> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <A
+HREF="mailto:samba-ntdom@samba.org"
+TARGET="_top"
+>samba-ntdom</A
+> available by
+ visiting the web page at <A
+HREF="http://lists.samba.org/"
+TARGET="_top"
+> http://lists.samba.org/</A
+>.</P
+></DD
+><DT
+><A
+NAME="DOMAINADMINUSERS"
+></A
+>domain admin users (G)</DT
+><DD
+><P
+>This is an <I
+CLASS="EMPHASIS"
+>EXPERIMENTAL</I
+> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <A
+HREF="mailto:samba-ntdom@samba.org"
+TARGET="_top"
+>samba-ntdom</A
+> available by
+ visiting the web page at <A
+HREF="http://lists.samba.org/"
+TARGET="_top"
+> http://lists.samba.org/</A
+>.</P
+></DD
+><DT
+><A
+NAME="DOMAINGROUPS"
+></A
+>domain groups (G)</DT
+><DD
+><P
+>This is an <I
+CLASS="EMPHASIS"
+>EXPERIMENTAL</I
+> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <A
+HREF="mailto:samba-ntdom@samba.org"
+TARGET="_top"
+>samba-ntdom</A
+> available by
+ visiting the web page at <A
+HREF="http://lists.samba.org/"
+TARGET="_top"
+> http://lists.samba.org/</A
+>.</P
+></DD
+><DT
+><A
+NAME="DOMAINGUESTGROUP"
+></A
+>domain guest group (G)</DT
+><DD
+><P
+>This is an <I
+CLASS="EMPHASIS"
+>EXPERIMENTAL</I
+> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <A
+HREF="mailto:samba-ntdom@samba.org"
+TARGET="_top"
+>samba-ntdom</A
+> available by
+ visiting the web page at <A
+HREF="http://lists.samba.org/"
+TARGET="_top"
+> http://lists.samba.org/</A
+>.</P
+></DD
+><DT
+><A
+NAME="DOMAINGUESTUSERS"
+></A
+>domain guest users (G)</DT
+><DD
+><P
+>This is an <I
+CLASS="EMPHASIS"
+>EXPERIMENTAL</I
+> parameter
+ that is part of the unfinished Samba NT Domain Controller Code. It may
+ be removed in a later release. To work with the latest code builds
+ that may have more support for Samba NT Domain Controller functionality
+ please subscribe to the mailing list <A
+HREF="mailto:samba-ntdom@samba.org"
+TARGET="_top"
+>samba-ntdom</A
+> available by
+ visiting the web page at <A
+HREF="http://lists.samba.org/"
+TARGET="_top"
+> http://lists.samba.org/</A
+>.</P
+></DD
+><DT
+><A
+NAME="DOMAINLOGONS"
+></A
+>domain logons (G)</DT
+><DD
+><P
+>If set to true, the Samba server will serve
+ Windows 95/98 Domain logons for the <A
+HREF="#WORKGROUP"
+> <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+></A
+> it is in. Samba 2.2 also
+ has limited capability to act as a domain controller for Windows
+ NT 4 Domains. For more details on setting up this feature see
+ the file DOMAINS.txt in the Samba documentation directory <TT
+CLASS="FILENAME"
+>docs/
+ </TT
+> shipped with the source code.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>domain logons = no</B
+></P
+></DD
+><DT
+><A
+NAME="DOMAINMASTER"
+></A
+>domain master (G)</DT
+><DD
+><P
+>Tell <A
+HREF="nmbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+> nmbd(8)</B
+></A
+> to enable WAN-wide browse list
+ collation. Setting this option causes <B
+CLASS="COMMAND"
+>nmbd</B
+> to
+ claim a special domain specific NetBIOS name that identifies
+ it as a domain master browser for its given <A
+HREF="#WORKGROUP"
+> <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+></A
+>. Local master browsers
+ in the same <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+> on broadcast-isolated
+ subnets will give this <B
+CLASS="COMMAND"
+>nmbd</B
+> their local browse lists,
+ and then ask <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+>
+ for a complete copy of the browse list for the whole wide area
+ network. Browser clients will then contact their local master browser,
+ and will receive the domain-wide browse list, instead of just the list
+ for their broadcast-isolated subnet.</P
+><P
+>Note that Windows NT Primary Domain Controllers expect to be
+ able to claim this <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+> specific special
+ NetBIOS name that identifies them as domain master browsers for
+ that <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+> by default (i.e. there is no
+ way to prevent a Windows NT PDC from attempting to do this). This
+ means that if this parameter is set and <B
+CLASS="COMMAND"
+>nmbd</B
+> claims
+ the special name for a <TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+> before a Windows
+ NT PDC is able to do so then cross subnet browsing will behave
+ strangely and may fail.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>domain master = no</B
+></P
+></DD
+><DT
+><A
+NAME="DONTDESCEND"
+></A
+>dont descend (S)</DT
+><DD
+><P
+>There are certain directories on some systems
+ (e.g., the <TT
+CLASS="FILENAME"
+>/proc</TT
+> tree under Linux) that are either not
+ of interest to clients or are infinitely deep (recursive). This
+ parameter allows you to specify a comma-delimited list of directories
+ that the server should always show as empty.</P
+><P
+>Note that Samba can be very fussy about the exact format
+ of the "dont descend" entries. For example you may need <TT
+CLASS="FILENAME"
+> ./proc</TT
+> instead of just <TT
+CLASS="FILENAME"
+>/proc</TT
+>.
+ Experimentation is the best policy :-) </P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>none (i.e., all directories are OK
+ to descend)</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>dont descend = /proc,/dev</B
+></P
+></DD
+><DT
+><A
+NAME="DOSFILETIMERESOLUTION"
+></A
+>dos filetime resolution (S)</DT
+><DD
+><P
+>Under the DOS and Windows FAT filesystem, the finest
+ granularity on time resolution is two seconds. Setting this parameter
+ for a share causes Samba to round the reported time down to the
+ nearest two second boundary when a query call that requires one second
+ resolution is made to <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+>
+ </A
+>.</P
+><P
+>This option is mainly used as a compatibility option for Visual
+ C++ when used against Samba shares. If oplocks are enabled on a
+ share, Visual C++ uses two different time reading calls to check if a
+ file has changed since it was last read. One of these calls uses a
+ one-second granularity, the other uses a two second granularity. As
+ the two second call rounds any odd second down, then if the file has a
+ timestamp of an odd number of seconds then the two timestamps will not
+ match and Visual C++ will keep reporting the file has changed. Setting
+ this option causes the two timestamps to match, and Visual C++ is
+ happy.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>dos filetime resolution = no</B
+></P
+></DD
+><DT
+><A
+NAME="DOSFILETIMES"
+></A
+>dos filetimes (S)</DT
+><DD
+><P
+>Under DOS and Windows, if a user can write to a
+ file they can change the timestamp on it. Under POSIX semantics,
+ only the owner of the file or root may change the timestamp. By
+ default, Samba runs with POSIX semantics and refuses to change the
+ timestamp on a file if the user <B
+CLASS="COMMAND"
+>smbd</B
+> is acting
+ on behalf of is not the file owner. Setting this option to <TT
+CLASS="CONSTANT"
+> True</TT
+> allows DOS semantics and smbd will change the file
+ timestamp as DOS requires.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>dos filetimes = no</B
+></P
+></DD
+><DT
+><A
+NAME="ENCRYPTPASSWORDS"
+></A
+>encrypt passwords (G)</DT
+><DD
+><P
+>This boolean controls whether encrypted passwords
+ will be negotiated with the client. Note that Windows NT 4.0 SP3 and
+ above and also Windows 98 will by default expect encrypted passwords
+ unless a registry entry is changed. To use encrypted passwords in
+ Samba see the file ENCRYPTION.txt in the Samba documentation
+ directory <TT
+CLASS="FILENAME"
+>docs/</TT
+> shipped with the source code.</P
+><P
+>In order for encrypted passwords to work correctly
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> must either
+ have access to a local <A
+HREF="smbpasswd.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smbpasswd(5)
+ </TT
+></A
+> file (see the <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+> smbpasswd(8)</B
+></A
+> program for information on how to set up
+ and maintain this file), or set the <A
+HREF="#SECURITY"
+>security=[serve|domain]</A
+> parameter which
+ causes <B
+CLASS="COMMAND"
+>smbd</B
+> to authenticate against another
+ server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>encrypt passwords = no</B
+></P
+></DD
+><DT
+><A
+NAME="EXEC"
+></A
+>exec (S)</DT
+><DD
+><P
+>This is a synonym for <A
+HREF="#PREEXEC"
+> <TT
+CLASS="PARAMETER"
+><I
+>preexec</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="FAKEDIRECTORYCREATETIMES"
+></A
+>fake directory create times (S)</DT
+><DD
+><P
+>NTFS and Windows VFAT file systems keep a create
+ time for all files and directories. This is not the same as the
+ ctime - status change time - that Unix keeps, so Samba by default
+ reports the earliest of the various times Unix does keep. Setting
+ this parameter for a share causes Samba to always report midnight
+ 1-1-1980 as the create time for directories.</P
+><P
+>This option is mainly used as a compatibility option for
+ Visual C++ when used against Samba shares. Visual C++ generated
+ makefiles have the object directory as a dependency for each object
+ file, and a make rule to create the directory. Also, when NMAKE
+ compares timestamps it uses the creation time when examining a
+ directory. Thus the object directory will be created if it does not
+ exist, but once it does exist it will always have an earlier
+ timestamp than the object files it contains.</P
+><P
+>However, Unix time semantics mean that the create time
+ reported by Samba will be updated whenever a file is created or
+ deleted in the directory. NMAKE therefore finds all object files
+ in the object directory bar the last one built are out of date
+ compared to the directory and rebuilds them. Enabling this option
+ ensures directories always predate their contents and an NMAKE build
+ will proceed as expected.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>fake directory create times = no</B
+></P
+></DD
+><DT
+><A
+NAME="FAKEOPLOCKS"
+></A
+>fake oplocks (S)</DT
+><DD
+><P
+>Oplocks are the way that SMB clients get permission
+ from a server to locally cache file operations. If a server grants
+ an oplock (opportunistic lock) then the client is free to assume
+ that it is the only one accessing the file and it will aggressively
+ cache file data. With some oplock types the client may even cache
+ file open/close operations. This can give enormous performance benefits.
+ </P
+><P
+>When you set <B
+CLASS="COMMAND"
+>fake oplocks = yes</B
+>, <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> will
+ always grant oplock requests no matter how many clients are using
+ the file.</P
+><P
+>It is generally much better to use the real <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+></A
+> support rather
+ than this parameter.</P
+><P
+>If you enable this option on all read-only shares or
+ shares that you know will only be accessed from one client at a
+ time such as physically read-only media like CDROMs, you will see
+ a big performance improvement on many operations. If you enable
+ this option on shares where multiple clients may be accessing the
+ files read-write at the same time you can get data corruption. Use
+ this option carefully!</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>fake oplocks = no</B
+></P
+></DD
+><DT
+><A
+NAME="FOLLOWSYMLINKS"
+></A
+>follow symlinks (S)</DT
+><DD
+><P
+>This parameter allows the Samba administrator
+ to stop <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+>
+ from following symbolic links in a particular share. Setting this
+ parameter to <TT
+CLASS="CONSTANT"
+>no</TT
+> prevents any file or directory
+ that is a symbolic link from being followed (the user will get an
+ error). This option is very useful to stop users from adding a
+ symbolic link to <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> in their home
+ directory for instance. However it will slow filename lookups
+ down slightly.</P
+><P
+>This option is enabled (i.e. <B
+CLASS="COMMAND"
+>smbd</B
+> will
+ follow symbolic links) by default.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>follow symlinks = yes</B
+></P
+></DD
+><DT
+><A
+NAME="FORCECREATEMODE"
+></A
+>force create mode (S)</DT
+><DD
+><P
+>This parameter specifies a set of UNIX mode bit
+ permissions that will <I
+CLASS="EMPHASIS"
+>always</I
+> be set on a
+ file by Samba. This is done by bitwise 'OR'ing these bits onto
+ the mode bits of a file that is being created or having its
+ permissions changed. The default for this parameter is (in octal)
+ 000. The modes in this parameter are bitwise 'OR'ed onto the file
+ mode after the mask set in the <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+>
+ parameter is applied.</P
+><P
+>See also the parameter <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>create
+ mask</I
+></TT
+></A
+> for details on masking mode bits on files.</P
+><P
+>See also the <A
+HREF="#INHERITPERMISSIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>inherit
+ permissions</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>force create mode = 000</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force create mode = 0755</B
+></P
+><P
+>would force all created files to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</P
+></DD
+><DT
+><A
+NAME="FORCEDIRECTORYMODE"
+></A
+>force directory mode (S)</DT
+><DD
+><P
+>This parameter specifies a set of UNIX mode bit
+ permissions that will <I
+CLASS="EMPHASIS"
+>always</I
+> be set on a directory
+ created by Samba. This is done by bitwise 'OR'ing these bits onto the
+ mode bits of a directory that is being created. The default for this
+ parameter is (in octal) 0000 which will not add any extra permission
+ bits to a created directory. This operation is done after the mode
+ mask in the parameter <TT
+CLASS="PARAMETER"
+><I
+>directory mask</I
+></TT
+> is
+ applied.</P
+><P
+>See also the parameter <A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> directory mask</I
+></TT
+></A
+> for details on masking mode bits
+ on created directories.</P
+><P
+>See also the <A
+HREF="#INHERITPERMISSIONS"
+><TT
+CLASS="PARAMETER"
+><I
+> inherit permissions</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>force directory mode = 000</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force directory mode = 0755</B
+></P
+><P
+>would force all created directories to have read and execute
+ permissions set for 'group' and 'other' as well as the
+ read/write/execute bits set for the 'user'.</P
+></DD
+><DT
+><A
+NAME="FORCEDIRECTORYSECURITYMODE"
+></A
+>force directory security mode (S)</DT
+><DD
+><P
+>This parameter controls what UNIX permission bits
+ can be modified when a Windows NT client is manipulating the UNIX
+ permission on a directory using the native NT security dialog box.</P
+><P
+>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a directory, the user has always set to be 'on'.</P
+><P
+>If not set explicitly this parameter is set to the same
+ value as the <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ directory mode</I
+></TT
+></A
+> parameter. To allow
+ a user to modify all the user/group/world permissions on a
+ directory, with restrictions set this parameter to 000.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that users who can access the
+ Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to set
+ it to 0000.</P
+><P
+>See also the <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> directory security mask</I
+></TT
+></A
+>, <A
+HREF="#SECURITYMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>security mask</I
+></TT
+></A
+>,
+ <A
+HREF="#FORCESECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force security mode
+ </I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>force directory security mode = <same as
+ force directory mode></B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force directory security mode = 0</B
+></P
+></DD
+><DT
+><A
+NAME="FORCEGROUP"
+></A
+>force group (S)</DT
+><DD
+><P
+>This specifies a UNIX group name that will be
+ assigned as the default primary group for all users connecting
+ to this service. This is useful for sharing files by ensuring
+ that all access to files on service will use the named group for
+ their permissions checking. Thus, by assigning permissions for this
+ group to the files and directories within this service the Samba
+ administrator can restrict or allow sharing of these files.</P
+><P
+>In Samba 2.0.5 and above this parameter has extended
+ functionality in the following way. If the group name listed here
+ has a '+' character prepended to it then the current user accessing
+ the share only has the primary group default assigned to this group
+ if they are already assigned as a member of that group. This allows
+ an administrator to decide that only users who are already in a
+ particular group will create files with group ownership set to that
+ group. This gives a finer granularity of ownership assignment. For
+ example, the setting <TT
+CLASS="FILENAME"
+>force group = +sys</TT
+> means
+ that only users who are already in group sys will have their default
+ primary group assigned to sys when accessing this Samba share. All
+ other users will retain their ordinary primary group.</P
+><P
+>If the <A
+HREF="#FORCEUSER"
+><TT
+CLASS="PARAMETER"
+><I
+>force user
+ </I
+></TT
+></A
+> parameter is also set the group specified in
+ <TT
+CLASS="PARAMETER"
+><I
+>force group</I
+></TT
+> will override the primary group
+ set in <TT
+CLASS="PARAMETER"
+><I
+>force user</I
+></TT
+>.</P
+><P
+>See also <A
+HREF="#FORCEUSER"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ user</I
+></TT
+></A
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no forced group</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force group = agroup</B
+></P
+></DD
+><DT
+><A
+NAME="FORCESECURITYMODE"
+></A
+>force security mode (S)</DT
+><DD
+><P
+>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security dialog
+ box.</P
+><P
+>This parameter is applied as a mask (OR'ed with) to the
+ changed permission bits, thus forcing any bits in this mask that
+ the user may have modified to be on. Essentially, one bits in this
+ mask may be treated as a set of bits that, when modifying security
+ on a file, the user has always set to be 'on'.</P
+><P
+>If not set explicitly this parameter is set to the same
+ value as the <A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ create mode</I
+></TT
+></A
+> parameter. To allow a user to
+ modify all the user/group/world permissions on a file, with no
+ restrictions set this parameter to 000.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that users who can access
+ the Samba server through other means can easily bypass this restriction,
+ so it is primarily useful for standalone "appliance" systems.
+ Administrators of most normal systems will probably want to set
+ it to 0000.</P
+><P
+>See also the <A
+HREF="#FORCEDIRECTORYSECURITYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+> force directory security mode</I
+></TT
+></A
+>,
+ <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory security
+ mask</I
+></TT
+></A
+>, <A
+HREF="#SECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> security mask</I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>force security mode = <same as force
+ create mode></B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force security mode = 0</B
+></P
+></DD
+><DT
+><A
+NAME="FORCEUSER"
+></A
+>force user (S)</DT
+><DD
+><P
+>This specifies a UNIX user name that will be
+ assigned as the default user for all users connecting to this service.
+ This is useful for sharing files. You should also use it carefully
+ as using it incorrectly can cause security problems.</P
+><P
+>This user name only gets used once a connection is established.
+ Thus clients still need to connect as a valid user and supply a
+ valid password. Once connected, all file operations will be performed
+ as the "forced user", no matter what username the client connected
+ as.</P
+><P
+>This can be very useful.</P
+><P
+>In Samba 2.0.5 and above this parameter also causes the
+ primary group of the forced user to be used as the primary group
+ for all file activity. Prior to 2.0.5 the primary group was left
+ as the primary group of the connecting user (this was a bug).</P
+><P
+>See also <A
+HREF="#FORCEGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>force group
+ </I
+></TT
+></A
+></P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no forced user</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>force user = auser</B
+></P
+></DD
+><DT
+><A
+NAME="FSTYPE"
+></A
+>fstype (S)</DT
+><DD
+><P
+>This parameter allows the administrator to
+ configure the string that specifies the type of filesystem a share
+ is using that is reported by <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)
+ </B
+></A
+> when a client queries the filesystem type
+ for a share. The default type is <TT
+CLASS="CONSTANT"
+>NTFS</TT
+> for
+ compatibility with Windows NT but this can be changed to other
+ strings such as <TT
+CLASS="CONSTANT"
+>Samba</TT
+> or <TT
+CLASS="CONSTANT"
+>FAT
+ </TT
+> if required.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>fstype = NTFS</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>fstype = Samba</B
+></P
+></DD
+><DT
+><A
+NAME="GETWDCACHE"
+></A
+>getwd cache (G)</DT
+><DD
+><P
+>This is a tuning option. When this is enabled a
+ caching algorithm will be used to reduce the time taken for getwd()
+ calls. This can have a significant impact on performance, especially
+ when the <A
+HREF="#WIDELINKS"
+><TT
+CLASS="PARAMETER"
+><I
+>wide links</I
+></TT
+>
+ </A
+>parameter is set to <TT
+CLASS="CONSTANT"
+>False</TT
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>getwd cache = No</B
+></P
+></DD
+><DT
+><A
+NAME="GROUP"
+></A
+>group (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#FORCEGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ group</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="GUESTACCOUNT"
+></A
+>guest account (S)</DT
+><DD
+><P
+>This is a username which will be used for access
+ to services which are specified as <A
+HREF="#GUESTOK"
+><TT
+CLASS="PARAMETER"
+><I
+> guest ok</I
+></TT
+></A
+> (see below). Whatever privileges this
+ ser has will be available to any client connecting to the guest service.
+ Typically this user will exist in the password file, but will not
+ have a valid login. The user account "ftp" is often a good choice
+ for this parameter. If a username is specified in a given service,
+ the specified username overrides this one.</P
+><P
+>One some systems the default guest account "nobody" may not
+ be able to print. Use another account in this case. You should test
+ this by trying to log in as your guest user (perhaps by using the
+ <B
+CLASS="COMMAND"
+>su -</B
+> command) and trying to print using the
+ system print command such as <B
+CLASS="COMMAND"
+>lpr(1)</B
+> or <B
+CLASS="COMMAND"
+> lp(1)</B
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>specified at compile time, usually
+ "nobody"</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>guest account = ftp</B
+></P
+></DD
+><DT
+><A
+NAME="GUESTOK"
+></A
+>guest ok (S)</DT
+><DD
+><P
+>If this parameter is <TT
+CLASS="CONSTANT"
+>yes</TT
+> for
+ a service, then no password is equired to connect to the service.
+ Privileges will be those of the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+> guest account</I
+></TT
+></A
+>.</P
+><P
+>See the section below on <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+> security</I
+></TT
+></A
+> for more information about this option.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>guest ok = no</B
+></P
+></DD
+><DT
+><A
+NAME="GUESTONLY"
+></A
+>guest only (S)</DT
+><DD
+><P
+>If this parameter is <TT
+CLASS="CONSTANT"
+>yes</TT
+> for
+ a service, then only guest connections to the service are permitted.
+ This parameter will have no affect if <A
+HREF="#GUESTOK"
+> <TT
+CLASS="PARAMETER"
+><I
+>guest ok</I
+></TT
+></A
+> is not set for the service.</P
+><P
+>See the section below on <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+> security</I
+></TT
+></A
+> for more information about this option.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>guest only = no</B
+></P
+></DD
+><DT
+><A
+NAME="HIDEDOTFILES"
+></A
+>hide dot files (S)</DT
+><DD
+><P
+>This is a boolean parameter that controls whether
+ files starting with a dot appear as hidden files.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>hide dot files = yes</B
+></P
+></DD
+><DT
+><A
+NAME="HIDEFILES"
+></A
+>hide files(S)</DT
+><DD
+><P
+>This is a list of files or directories that are not
+ visible but are accessible. The DOS 'hidden' attribute is applied
+ to any files or directories that match.</P
+><P
+>Each entry in the list must be separated by a '/',
+ which allows spaces to be included in the entry. '*'
+ and '?' can be used to specify multiple files or directories
+ as in DOS wildcards.</P
+><P
+>Each entry must be a Unix path, not a DOS path and must
+ not include the Unix directory separator '/'.</P
+><P
+>Note that the case sensitivity option is applicable
+ in hiding files.</P
+><P
+>Setting this parameter will affect the performance of Samba,
+ as it will be forced to check all files and directories for a match
+ as they are scanned.</P
+><P
+>See also <A
+HREF="#HIDEDOTFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>hide
+ dot files</I
+></TT
+></A
+>, <A
+HREF="#VETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+> veto files</I
+></TT
+></A
+> and <A
+HREF="#CASESENSITIVE"
+> <TT
+CLASS="PARAMETER"
+><I
+>case sensitive</I
+></TT
+></A
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no file are hidden</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>hide files =
+ /.*/DesktopFolderDB/TrashFor%m/resource.frk/</B
+></P
+><P
+>The above example is based on files that the Macintosh
+ SMB client (DAVE) available from <A
+HREF="http://www.thursby.com"
+TARGET="_top"
+>
+ Thursby</A
+> creates for internal use, and also still hides
+ all files beginning with a dot.</P
+></DD
+><DT
+><A
+NAME="HIDELOCALUSERS"
+></A
+>hide local users(G)</DT
+><DD
+><P
+>This parameter toggles the hiding of local UNIX
+ users (root, wheel, floppy, etc) from remote clients.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>hide local users = no</B
+></P
+></DD
+><DT
+><A
+NAME="HOMEDIRMAP"
+></A
+>homedir map (G)</DT
+><DD
+><P
+>If<A
+HREF="#NISHOMEDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>nis homedir
+ </I
+></TT
+></A
+> is <TT
+CLASS="CONSTANT"
+>True</TT
+>, and <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+> is also acting
+ as a Win95/98 <TT
+CLASS="PARAMETER"
+><I
+>logon server</I
+></TT
+> then this parameter
+ specifies the NIS (or YP) map from which the server for the user's
+ home directory should be extracted. At present, only the Sun
+ auto.home map format is understood. The form of the map is:</P
+><P
+><B
+CLASS="COMMAND"
+>username server:/some/file/system</B
+></P
+><P
+>and the program will extract the servername from before
+ the first ':'. There should probably be a better parsing system
+ that copes with different map formats and also Amd (another
+ automounter) maps.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE :</I
+>A working NIS client is required on
+ the system for this option to work.</P
+><P
+>See also <A
+HREF="#NISHOMEDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>nis homedir</I
+></TT
+>
+ </A
+>, <A
+HREF="#DOMAINLOGONS"
+><TT
+CLASS="PARAMETER"
+><I
+>domain logons</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>homedir map = auto.home</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>homedir map = amd.homedir</B
+></P
+></DD
+><DT
+><A
+NAME="HOSTSALLOW"
+></A
+>hosts allow (S)</DT
+><DD
+><P
+>A synonym for this parameter is <TT
+CLASS="PARAMETER"
+><I
+>allow
+ hosts</I
+></TT
+>.</P
+><P
+>This parameter is a comma, space, or tab delimited
+ set of hosts which are permitted to access a service.</P
+><P
+>If specified in the [global] section then it will
+ apply to all services, regardless of whether the individual
+ service has a different setting.</P
+><P
+>You can specify the hosts by name or IP number. For
+ example, you could restrict access to only the hosts on a
+ Class C subnet with something like <B
+CLASS="COMMAND"
+>allow hosts = 150.203.5.
+ </B
+>. The full syntax of the list is described in the man
+ page <TT
+CLASS="FILENAME"
+>hosts_access(5)</TT
+>. Note that this man
+ page may not be present on your system, so a brief description will
+ be given here also.</P
+><P
+>Note that the localhost address 127.0.0.1 will always
+ be allowed access unless specifically denied by a <A
+HREF="#HOSTSDENY"
+><TT
+CLASS="PARAMETER"
+><I
+>hosts deny</I
+></TT
+></A
+> option.</P
+><P
+>You can also specify hosts by network/netmask pairs and
+ by netgroup names if your system supports netgroups. The
+ <I
+CLASS="EMPHASIS"
+>EXCEPT</I
+> keyword can also be used to limit a
+ wildcard list. The following examples may provide some help:</P
+><P
+>Example 1: allow all IPs in 150.203.*.*; except one</P
+><P
+><B
+CLASS="COMMAND"
+>hosts allow = 150.203. EXCEPT 150.203.6.66</B
+></P
+><P
+>Example 2: allow hosts that match the given network/netmask</P
+><P
+><B
+CLASS="COMMAND"
+>hosts allow = 150.203.15.0/255.255.255.0</B
+></P
+><P
+>Example 3: allow a couple of hosts</P
+><P
+><B
+CLASS="COMMAND"
+>hosts allow = lapland, arvidsjaur</B
+></P
+><P
+>Example 4: allow only hosts in NIS netgroup "foonet", but
+ deny access from one particular host</P
+><P
+><B
+CLASS="COMMAND"
+>hosts allow = @foonet</B
+></P
+><P
+><B
+CLASS="COMMAND"
+>hosts deny = pirate</B
+></P
+><P
+>Note that access still requires suitable user-level passwords.</P
+><P
+>See <A
+HREF="testparm.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>testparm(1)</B
+>
+ </A
+> for a way of testing your host access to see if it does
+ what you expect.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>none (i.e., all hosts permitted access)
+ </I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>allow hosts = 150.203.5. myhost.mynet.edu.au
+ </B
+></P
+></DD
+><DT
+><A
+NAME="HOSTSDENY"
+></A
+>hosts deny (S)</DT
+><DD
+><P
+>The opposite of <TT
+CLASS="PARAMETER"
+><I
+>hosts allow</I
+></TT
+>
+ - hosts listed here are <I
+CLASS="EMPHASIS"
+>NOT</I
+> permitted access to
+ services unless the specific services have their own lists to override
+ this one. Where the lists conflict, the <TT
+CLASS="PARAMETER"
+><I
+>allow</I
+></TT
+>
+ list takes precedence.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>none (i.e., no hosts specifically excluded)
+ </I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>hosts deny = 150.203.4. badhost.mynet.edu.au
+ </B
+></P
+></DD
+><DT
+><A
+NAME="HOSTSEQUIV"
+></A
+>hosts equiv (G)</DT
+><DD
+><P
+>If this global parameter is a non-null string,
+ it specifies the name of a file to read for the names of hosts
+ and users who will be allowed access without specifying a password.
+ </P
+><P
+>This is not be confused with <A
+HREF="#HOSTSALLOW"
+> <TT
+CLASS="PARAMETER"
+><I
+>hosts allow</I
+></TT
+></A
+> which is about hosts
+ access to services and is more useful for guest services. <TT
+CLASS="PARAMETER"
+><I
+> hosts equiv</I
+></TT
+> may be useful for NT clients which will
+ not supply passwords to samba.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE :</I
+> The use of <TT
+CLASS="PARAMETER"
+><I
+>hosts equiv
+ </I
+></TT
+> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the
+ <TT
+CLASS="PARAMETER"
+><I
+>hosts equiv</I
+></TT
+> option be only used if you really
+ know what you are doing, or perhaps on a home network where you trust
+ your spouse and kids. And only if you <I
+CLASS="EMPHASIS"
+>really</I
+> trust
+ them :-).</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no host equivalences</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>hosts equiv = /etc/hosts.equiv</B
+></P
+></DD
+><DT
+><A
+NAME="INCLUDE"
+></A
+>include (G)</DT
+><DD
+><P
+>This allows you to include one config file
+ inside another. The file is included literally, as though typed
+ in place.</P
+><P
+>It takes the standard substitutions, except <TT
+CLASS="PARAMETER"
+><I
+>%u
+ </I
+></TT
+>, <TT
+CLASS="PARAMETER"
+><I
+>%P</I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>%S</I
+></TT
+>.
+ </P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no file included</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>include = /usr/local/samba/lib/admin_smb.conf
+ </B
+></P
+></DD
+><DT
+><A
+NAME="INHERITPERMISSIONS"
+></A
+>inherit permissions (S)</DT
+><DD
+><P
+>The permissions on new files and directories
+ are normally governed by <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> create mask</I
+></TT
+></A
+>, <A
+HREF="#DIRECTORYMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>directory mask</I
+></TT
+></A
+>, <A
+HREF="#FORCECREATEMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+>
+ </A
+> and <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force
+ directory mode</I
+></TT
+></A
+> but the boolean inherit
+ permissions parameter overrides this.</P
+><P
+>New directories inherit the mode of the parent directory,
+ including bits such as setgid.</P
+><P
+>New files inherit their read/write bits from the parent
+ directory. Their execute bits continue to be determined by
+ <A
+HREF="#MAPARCHIVE"
+><TT
+CLASS="PARAMETER"
+><I
+>map archive</I
+></TT
+>
+ </A
+>, <A
+HREF="#MAPHIDDEN"
+><TT
+CLASS="PARAMETER"
+><I
+>map hidden</I
+></TT
+>
+ </A
+> and <A
+HREF="#MAPSYSTEM"
+><TT
+CLASS="PARAMETER"
+><I
+>map system</I
+></TT
+>
+ </A
+> as usual.</P
+><P
+>Note that the setuid bit is <I
+CLASS="EMPHASIS"
+>never</I
+> set via
+ inheritance (the code explicitly prohibits this).</P
+><P
+>This can be particularly useful on large systems with
+ many users, perhaps several thousand,to allow a single [homes]
+ share to be used flexibly by each user.</P
+><P
+>See also <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>create mask
+ </I
+></TT
+></A
+>, <A
+HREF="#DIRECTORYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+> directory mask</I
+></TT
+></A
+>, <A
+HREF="#FORCECREATEMODE"
+> <TT
+CLASS="PARAMETER"
+><I
+>force create mode</I
+></TT
+></A
+> and <A
+HREF="#FORCEDIRECTORYMODE"
+><TT
+CLASS="PARAMETER"
+><I
+>force directory mode</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>inherit permissions = no</B
+></P
+></DD
+><DT
+><A
+NAME="INTERFACES"
+></A
+>interfaces (G)</DT
+><DD
+><P
+>This option allows you to override the default
+ network interfaces list that Samba will use for browsing, name
+ registration and other NBT traffic. By default Samba will query
+ the kernel for the list of all active interfaces and use any
+ interfaces except 127.0.0.1 that are broadcast capable.</P
+><P
+>The option takes a list of interface strings. Each string
+ can be in any of the following forms:</P
+><P
+></P
+><UL
+><LI
+><P
+>a network interface name (such as eth0).
+ This may include shell-like wildcards so eth* will match
+ any interface starting with the substring "eth"</P
+></LI
+><LI
+><P
+>an IP address. In this case the netmask is
+ determined from the list of interfaces obtained from the
+ kernel</P
+></LI
+><LI
+><P
+>an IP/mask pair. </P
+></LI
+><LI
+><P
+>a broadcast/mask pair.</P
+></LI
+></UL
+><P
+>The "mask" parameters can either be a bit length (such
+ as 24 for a C class network) or a full netmask in dotted
+ decmal form.</P
+><P
+>The "IP" parameters above can either be a full dotted
+ decimal IP address or a hostname which will be looked up via
+ the OSes normal hostname resolution mechanisms.</P
+><P
+>For example, the following line:</P
+><P
+><B
+CLASS="COMMAND"
+>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
+ </B
+></P
+><P
+>would configure three network interfaces corresponding
+ to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
+ The netmasks of the latter two interfaces would be set to 255.255.255.0.</P
+><P
+>See also <A
+HREF="#BINDINTERFACESONLY"
+><TT
+CLASS="PARAMETER"
+><I
+>bind
+ interfaces only</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="INVALIDUSERS"
+></A
+>invalid users (S)</DT
+><DD
+><P
+>This is a list of users that should not be allowed
+ to login to this service. This is really a <I
+CLASS="EMPHASIS"
+>paranoid</I
+>
+ check to absolutely ensure an improper setting does not breach
+ your security.</P
+><P
+>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</P
+><P
+>A name starting with '+' is interpreted only
+ by looking in the UNIX group database. A name starting with
+ '&' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&' may be used at the start of the name in either order
+ so the value <TT
+CLASS="PARAMETER"
+><I
+>+&group</I
+></TT
+> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <TT
+CLASS="PARAMETER"
+><I
+>&+group"</I
+></TT
+> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</P
+><P
+>The current servicename is substituted for <TT
+CLASS="PARAMETER"
+><I
+>%S</I
+></TT
+>.
+ This is useful in the [homes] section.</P
+><P
+>See also <A
+HREF="#VALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>valid users
+ </I
+></TT
+></A
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no invalid users</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>invalid users = root fred admin @wheel
+ </B
+></P
+></DD
+><DT
+><A
+NAME="KEEPALIVE"
+></A
+>keepalive (G)</DT
+><DD
+><P
+>The value of the parameter (an integer) represents
+ the number of seconds between <TT
+CLASS="PARAMETER"
+><I
+>keepalive</I
+></TT
+>
+ packets. If this parameter is zero, no keepalive packets will be
+ sent. Keepalive packets, if sent, allow the server to tell whether
+ a client is still present and responding.</P
+><P
+>Keepalives should, in general, not be needed if the socket
+ being used has the SO_KEEPALIVE attribute set on it (see <A
+HREF="#SOCKETOPTIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>socket options</I
+></TT
+></A
+>).
+ Basically you should only use this option if you strike difficulties.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>keepalive = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>keepalive = 60</B
+></P
+></DD
+><DT
+><A
+NAME="KERNELOPLOCKS"
+></A
+>kernel oplocks (G)</DT
+><DD
+><P
+>For UNIXs that support kernel based <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+></A
+>
+ (currently only IRIX and the Linux 2.4 kernel), this parameter
+ allows the use of them to be turned on or off.</P
+><P
+>Kernel oplocks support allows Samba <TT
+CLASS="PARAMETER"
+><I
+>oplocks
+ </I
+></TT
+> to be broken whenever a local UNIX process or NFS operation
+ accesses a file that <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+>
+ </A
+> has oplocked. This allows complete data consistency between
+ SMB/CIFS, NFS and local file access (and is a <I
+CLASS="EMPHASIS"
+>very</I
+>
+ cool feature :-).</P
+><P
+>This parameter defaults to <TT
+CLASS="CONSTANT"
+>on</TT
+> on systems
+ that have the support, and <TT
+CLASS="CONSTANT"
+>off</TT
+> on systems that
+ don't. You should never need to touch this parameter.</P
+><P
+>See also the <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+>
+ </A
+> and <A
+HREF="#LEVEL2OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>level2 oplocks
+ </I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>kernel oplocks = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LEVEL2OPLOCKS"
+></A
+>level2 oplocks (S)</DT
+><DD
+><P
+>This parameter controls whether Samba supports
+ level2 (read-only) oplocks on a share.</P
+><P
+>Level2, or read-only oplocks allow Windows NT clients
+ that have an oplock on a file to downgrade from a read-write oplock
+ to a read-only oplock once a second client opens the file (instead
+ of releasing all oplocks on a second open, as in traditional,
+ exclusive oplocks). This allows all openers of the file that
+ support level2 oplocks to cache the file for read-ahead only (ie.
+ they may not cache writes or lock requests) and increases performance
+ for many acesses of files that are not commonly written (such as
+ application .EXE files).</P
+><P
+>Once one of the clients which have a read-only oplock
+ writes to the file all clients are notified (no reply is needed
+ or waited for) and told to break their oplocks to "none" and
+ delete any read-ahead caches.</P
+><P
+>It is recommended that this parameter be turned on
+ to speed access to shared executables (and also to test
+ the code :-).</P
+><P
+>For more discussions on level2 oplocks see the CIFS spec.</P
+><P
+>Currently, if <A
+HREF="#KERNELOPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>kernel
+ oplocks</I
+></TT
+></A
+> are supported then level2 oplocks are
+ not granted (even if this parameter is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>).
+ Note also, the <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+>
+ </A
+> parameter must be set to "true" on this share in order for
+ this parameter to have any effect.</P
+><P
+>See also the <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+>
+ </A
+> and <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>kernel oplocks</I
+></TT
+>
+ </A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>level2 oplocks = False</B
+></P
+></DD
+><DT
+><A
+NAME="LMANNOUNCE"
+></A
+>lm announce (G)</DT
+><DD
+><P
+>This parameter determines if <A
+HREF="nmbd.8.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>nmbd(8)</B
+></A
+> will produce Lanman announce
+ broadcasts that are needed by OS/2 clients in order for them to see
+ the Samba server in their browse list. This parameter can have three
+ values, <TT
+CLASS="CONSTANT"
+>true</TT
+>, <TT
+CLASS="CONSTANT"
+>false</TT
+>, or
+ <TT
+CLASS="CONSTANT"
+>auto</TT
+>. The default is <TT
+CLASS="CONSTANT"
+>auto</TT
+>.
+ If set to <TT
+CLASS="CONSTANT"
+>false</TT
+> Samba will never produce these
+ broadcasts. If set to <TT
+CLASS="CONSTANT"
+>true</TT
+> Samba will produce
+ Lanman announce broadcasts at a frequency set by the parameter
+ <TT
+CLASS="PARAMETER"
+><I
+>lm interval</I
+></TT
+>. If set to <TT
+CLASS="CONSTANT"
+>auto</TT
+>
+ Samba will not send Lanman announce broadcasts by default but will
+ listen for them. If it hears such a broadcast on the wire it will
+ then start sending them at a frequency set by the parameter
+ <TT
+CLASS="PARAMETER"
+><I
+>lm interval</I
+></TT
+>.</P
+><P
+>See also <A
+HREF="#LMINTERVAL"
+><TT
+CLASS="PARAMETER"
+><I
+>lm interval
+ </I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>lm announce = auto</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lm announce = true</B
+></P
+></DD
+><DT
+><A
+NAME="LMINTERVAL"
+></A
+>lm interval (G)</DT
+><DD
+><P
+>If Samba is set to produce Lanman announce
+ broadcasts needed by OS/2 clients (see the <A
+HREF="#LMANNOUNCE"
+> <TT
+CLASS="PARAMETER"
+><I
+>lm announce</I
+></TT
+></A
+> parameter) then this
+ parameter defines the frequency in seconds with which they will be
+ made. If this is set to zero then no Lanman announcements will be
+ made despite the setting of the <TT
+CLASS="PARAMETER"
+><I
+>lm announce</I
+></TT
+>
+ parameter.</P
+><P
+>See also <A
+HREF="#LMANNOUNCE"
+><TT
+CLASS="PARAMETER"
+><I
+>lm
+ announce</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>lm interval = 60</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lm interval = 120</B
+></P
+></DD
+><DT
+><A
+NAME="LOADPRINTERS"
+></A
+>load printers (G)</DT
+><DD
+><P
+>A boolean variable that controls whether all
+ printers in the printcap will be loaded for browsing by default.
+ See the <A
+HREF="#AEN78"
+>printers</A
+> section for
+ more details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>load printers = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LOCALMASTER"
+></A
+>local master (G)</DT
+><DD
+><P
+>This option allows <A
+HREF="nmbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+> nmbd(8)</B
+></A
+> to try and become a local master browser
+ on a subnet. If set to <TT
+CLASS="CONSTANT"
+>False</TT
+> then <B
+CLASS="COMMAND"
+> nmbd</B
+> will not attempt to become a local master browser
+ on a subnet and will also lose in all browsing elections. By
+ default this value is set to true. Setting this value to true doesn't
+ mean that Samba will <I
+CLASS="EMPHASIS"
+>become</I
+> the local master
+ browser on a subnet, just that <B
+CLASS="COMMAND"
+>nmbd</B
+> will <I
+CLASS="EMPHASIS"
+> participate</I
+> in elections for local master browser.</P
+><P
+>Setting this value to False will cause <B
+CLASS="COMMAND"
+>nmbd</B
+>
+ <I
+CLASS="EMPHASIS"
+>never</I
+> to become a local master browser.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>local master = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LOCKDIR"
+></A
+>lock dir (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#LOCKDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+> lock directory</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="LOCKDIRECTORY"
+></A
+>lock directory (G)</DT
+><DD
+><P
+>This option specifies the directory where lock
+ files will be placed. The lock files are used to implement the
+ <A
+HREF="#MAXCONNECTIONS"
+><TT
+CLASS="PARAMETER"
+><I
+>max connections</I
+></TT
+>
+ </A
+> option.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>lock directory = /tmp/samba</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lock directory = /usr/local/samba/var/locks</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="LOCKING"
+></A
+>locking (S)</DT
+><DD
+><P
+>This controls whether or not locking will be
+ performed by the server in response to lock requests from the
+ client.</P
+><P
+>If <B
+CLASS="COMMAND"
+>locking = no</B
+>, all lock and unlock requests
+ will appear to succeed and all lock queries will indicate that the
+ queried lock is clear.</P
+><P
+>If <B
+CLASS="COMMAND"
+>locking = yes</B
+>, real locking will be performed
+ by the server.</P
+><P
+>This option <I
+CLASS="EMPHASIS"
+>may</I
+> be useful for read-only
+ filesystems which <I
+CLASS="EMPHASIS"
+>may</I
+> not need locking (such as
+ cdrom drives), although setting this parameter of <TT
+CLASS="CONSTANT"
+>no</TT
+>
+ is not really recommended even in this case.</P
+><P
+>Be careful about disabling locking either globally or in a
+ specific service, as lack of locking may result in data corruption.
+ You should never need to set this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>locking = yes</B
+></P
+></DD
+><DT
+><A
+NAME="LOGFILE"
+></A
+>log file (G)</DT
+><DD
+><P
+>This options allows you to override the name
+ of the Samba log file (also known as the debug file).</P
+><P
+>This option takes the standard substitutions, allowing
+ you to have separate log files for each user or machine.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>log file = /usr/local/samba/var/log.%m
+ </B
+></P
+></DD
+><DT
+><A
+NAME="LOGLEVEL"
+></A
+>log level (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#DEBUGLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+> debug level</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="LOGONDRIVE"
+></A
+>logon drive (G)</DT
+><DD
+><P
+>This parameter specifies the local path to
+ which the home directory will be connected (see <A
+HREF="#LOGONHOME"
+><TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+></A
+>)
+ and is only used by NT Workstations. </P
+><P
+>Note that this option is only useful if Samba is set up as a
+ logon server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>logon drive = z:</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>logon drive = h:</B
+></P
+></DD
+><DT
+><A
+NAME="LOGONHOME"
+></A
+>logon home (G)</DT
+><DD
+><P
+>This parameter specifies the home directory
+ location when a Win95/98 or NT Workstation logs into a Samba PDC.
+ It allows you to do </P
+><P
+><TT
+CLASS="PROMPT"
+>C:\> </TT
+><TT
+CLASS="USERINPUT"
+><B
+>NET USE H: /HOME</B
+></TT
+>
+ </P
+><P
+>from a command prompt, for example.</P
+><P
+>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</P
+><P
+>This parameter can be used with Win9X workstations to ensure
+ that roaming profiles are stored in a subdirectory of the user's
+ home directory. This is done in the following way:</P
+><P
+><B
+CLASS="COMMAND"
+>logon home = \\%L\%U\profile</B
+></P
+><P
+>This tells Samba to return the above string, with
+ substitutions made when a client requests the info, generally
+ in a NetUserGetInfo request. Win9X clients truncate the info to
+ \\server\share when a user does <B
+CLASS="COMMAND"
+>net use /home"</B
+>
+ but use the whole string when dealing with profiles.</P
+><P
+>Note that in prior versions of Samba, the <A
+HREF="#LOGONPATH"
+> <TT
+CLASS="PARAMETER"
+><I
+>logon path</I
+></TT
+></A
+> was returned rather than
+ <TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+>. This broke <B
+CLASS="COMMAND"
+>net use
+ /home</B
+> but allowed profiles outside the home directory.
+ The current implementation is correct, and can be used for
+ profiles if you use the above trick.</P
+><P
+>This option is only useful if Samba is set up as a logon
+ server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>logon home = "\\%N\%U"</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>logon home = "\\remote_smb_server\%U"</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="LOGONPATH"
+></A
+>logon path (G)</DT
+><DD
+><P
+>This parameter specifies the home directory
+ where roaming profiles (NTuser.dat etc files for Windows NT) are
+ stored. Contrary to previous versions of these manual pages, it has
+ nothing to do with Win 9X roaming profiles. To find out how to
+ handle roaming profiles for Win 9X system, see the <A
+HREF="#LOGONHOME"
+> <TT
+CLASS="PARAMETER"
+><I
+>logon home</I
+></TT
+></A
+> parameter.</P
+><P
+>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine. It also
+ specifies the directory from which the "Application Data",
+ (<TT
+CLASS="FILENAME"
+>desktop</TT
+>, <TT
+CLASS="FILENAME"
+>start menu</TT
+>,
+ <TT
+CLASS="FILENAME"
+>network neighborhood</TT
+>, <TT
+CLASS="FILENAME"
+>programs</TT
+>
+ and other folders, and their contents, are loaded and displayed on
+ your Windows NT client.</P
+><P
+>The share and the path must be readable by the user for
+ the preferences and directories to be loaded onto the Windows NT
+ client. The share must be writeable when the logs in for the first
+ time, in order that the Windows NT client can create the NTuser.dat
+ and other directories.</P
+><P
+>Thereafter, the directories and any of the contents can,
+ if required, be made read-only. It is not advisable that the
+ NTuser.dat file be made read-only - rename it to NTuser.man to
+ achieve the desired effect (a <I
+CLASS="EMPHASIS"
+>MAN</I
+>datory
+ profile). </P
+><P
+>Windows clients can sometimes maintain a connection to
+ the [homes] share, even though there is no user logged in.
+ Therefore, it is vital that the logon path does not include a
+ reference to the homes share (i.e. setting this parameter to
+ \%N\%U\profile_path will cause problems).</P
+><P
+>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</P
+><P
+>Note that this option is only useful if Samba is set up
+ as a logon server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>logon path = \\%N\%U\profile</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>logon path = \\PROFILESERVER\PROFILE\%U</B
+></P
+></DD
+><DT
+><A
+NAME="LOGONSCRIPT"
+></A
+>logon script (G)</DT
+><DD
+><P
+>This parameter specifies the batch file (.bat) or
+ NT command file (.cmd) to be downloaded and run on a machine when
+ a user successfully logs in. The file must contain the DOS
+ style cr/lf line endings. Using a DOS-style editor to create the
+ file is recommended.</P
+><P
+>The script must be a relative path to the [netlogon]
+ service. If the [netlogon] service specifies a <A
+HREF="#PATH"
+> <TT
+CLASS="PARAMETER"
+><I
+>path</I
+></TT
+></A
+> of <TT
+CLASS="FILENAME"
+>/usr/local/samba/netlogon
+ </TT
+>, and <B
+CLASS="COMMAND"
+>logon script = STARTUP.BAT</B
+>, then
+ the file that will be downloaded is:</P
+><P
+><TT
+CLASS="FILENAME"
+>/usr/local/samba/netlogon/STARTUP.BAT</TT
+></P
+><P
+>The contents of the batch file is entirely your choice. A
+ suggested command would be to add <B
+CLASS="COMMAND"
+>NET TIME \\SERVER /SET
+ /YES</B
+>, to force every machine to synchronize clocks with
+ the same time server. Another use would be to add <B
+CLASS="COMMAND"
+>NET USE
+ U: \\SERVER\UTILS</B
+> for commonly used utilities, or <B
+CLASS="COMMAND"
+> NET USE Q: \\SERVER\ISO9001_QA</B
+> for example.</P
+><P
+>Note that it is particularly important not to allow write
+ access to the [netlogon] share, or to grant users write permission
+ on the batch files in a secure environment, as this would allow
+ the batch files to be arbitrarily modified and security to be
+ breached.</P
+><P
+>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine.</P
+><P
+>This option is only useful if Samba is set up as a logon
+ server.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no logon script defined</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>logon script = scripts\%U.bat</B
+></P
+></DD
+><DT
+><A
+NAME="LPPAUSECOMMAND"
+></A
+>lppause command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to stop printing or spooling
+ a specific print job.</P
+><P
+>This command should be a program or script which takes
+ a printer name and job number to pause the print job. One way
+ of implementing this is by using job priorities, where jobs
+ having a too low priority won't be sent to the printer.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printername
+ is put in its place. A <TT
+CLASS="PARAMETER"
+><I
+>%j</I
+></TT
+> is replaced with
+ the job number (an integer). On HPUX (see <TT
+CLASS="PARAMETER"
+><I
+>printing=hpux
+ </I
+></TT
+>), if the <TT
+CLASS="PARAMETER"
+><I
+>-p%p</I
+></TT
+> option is added
+ to the lpq command, the job will show up with the correct status, i.e.
+ if the job priority is lower than the set fence priority it will
+ have the PAUSED status, whereas if the priority is equal or higher it
+ will have the SPOOLED or PRINTING status.</P
+><P
+>Note that it is good practice to include the absolute path
+ in the lppause command as the PATH may not be available to the server.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: Currently no default value is given to
+ this string, unless the value of the <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+>
+ parameter is <TT
+CLASS="CONSTANT"
+>SYSV</TT
+>, in which case the default is :</P
+><P
+><B
+CLASS="COMMAND"
+>lp -i %p-%j -H hold</B
+></P
+><P
+>or if the value of the <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+> parameter
+ is <TT
+CLASS="CONSTANT"
+>SOFTQ</TT
+>, then the default is:</P
+><P
+><B
+CLASS="COMMAND"
+>qstat -s -j%j -h</B
+></P
+><P
+>Example for HPUX: <B
+CLASS="COMMAND"
+>lppause command = /usr/bin/lpalt
+ %p-%j -p0</B
+></P
+></DD
+><DT
+><A
+NAME="LPQCACHETIME"
+></A
+>lpq cache time (G)</DT
+><DD
+><P
+>This controls how long lpq info will be cached
+ for to prevent the <B
+CLASS="COMMAND"
+>lpq</B
+> command being called too
+ often. A separate cache is kept for each variation of the <B
+CLASS="COMMAND"
+> lpq</B
+> command used by the system, so if you use different
+ <B
+CLASS="COMMAND"
+>lpq</B
+> commands for different users then they won't
+ share cache information.</P
+><P
+>The cache files are stored in <TT
+CLASS="FILENAME"
+>/tmp/lpq.xxxx</TT
+>
+ where xxxx is a hash of the <B
+CLASS="COMMAND"
+>lpq</B
+> command in use.</P
+><P
+>The default is 10 seconds, meaning that the cached results
+ of a previous identical <B
+CLASS="COMMAND"
+>lpq</B
+> command will be used
+ if the cached data is less than 10 seconds old. A large value may
+ be advisable if your <B
+CLASS="COMMAND"
+>lpq</B
+> command is very slow.</P
+><P
+>A value of 0 will disable caching completely.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>lpq cache time = 10</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lpq cache time = 30</B
+></P
+></DD
+><DT
+><A
+NAME="LPQCOMMAND"
+></A
+>lpq command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to obtain <B
+CLASS="COMMAND"
+>lpq
+ </B
+>-style printer status information.</P
+><P
+>This command should be a program or script which
+ takes a printer name as its only parameter and outputs printer
+ status information.</P
+><P
+>Currently eight styles of printer status information
+ are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ.
+ This covers most UNIX systems. You control which type is expected
+ using the <TT
+CLASS="PARAMETER"
+><I
+>printing =</I
+></TT
+> option.</P
+><P
+>Some clients (notably Windows for Workgroups) may not
+ correctly send the connection number for the printer they are
+ requesting status information about. To get around this, the
+ server reports on the first printer service connected to by the
+ client. This only happens if the connection number sent is invalid.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printername
+ is put in its place. Otherwise it is placed at the end of the
+ command.</P
+><P
+>Note that it is good practice to include the absolute path
+ in the <TT
+CLASS="PARAMETER"
+><I
+>lpq command</I
+></TT
+> as the PATH may not be
+ available to the server.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>depends on the setting of <TT
+CLASS="PARAMETER"
+><I
+> printing</I
+></TT
+></I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>lpq command = /usr/bin/lpq %p</B
+></P
+></DD
+><DT
+><A
+NAME="LPRESUMECOMMAND"
+></A
+>lpresume command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to restart or continue
+ printing or spooling a specific print job.</P
+><P
+>This command should be a program or script which takes
+ a printer name and job number to resume the print job. See
+ also the <A
+HREF="#LPPAUSECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+>lppause command
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printername
+ is put in its place. A <TT
+CLASS="PARAMETER"
+><I
+>%j</I
+></TT
+> is replaced with
+ the job number (an integer).</P
+><P
+>Note that it is good practice to include the absolute path
+ in the <TT
+CLASS="PARAMETER"
+><I
+>lpresume command</I
+></TT
+> as the PATH may not
+ be available to the server.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: Currently no default value is given
+ to this string, unless the value of the <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+>
+ parameter is <TT
+CLASS="CONSTANT"
+>SYSV</TT
+>, in which case the default is :</P
+><P
+><B
+CLASS="COMMAND"
+>lp -i %p-%j -H resume</B
+></P
+><P
+>or if the value of the <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+> parameter
+ is <TT
+CLASS="CONSTANT"
+>SOFTQ</TT
+>, then the default is:</P
+><P
+><B
+CLASS="COMMAND"
+>qstat -s -j%j -r</B
+></P
+><P
+>Example for HPUX: <B
+CLASS="COMMAND"
+>lpresume command = /usr/bin/lpalt
+ %p-%j -p2</B
+></P
+></DD
+><DT
+><A
+NAME="LPRMCOMMAND"
+></A
+>lprm command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to delete a print job.</P
+><P
+>This command should be a program or script which takes
+ a printer name and job number, and deletes the print job.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printername
+ is put in its place. A <TT
+CLASS="PARAMETER"
+><I
+>%j</I
+></TT
+> is replaced with
+ the job number (an integer).</P
+><P
+>Note that it is good practice to include the absolute
+ path in the <TT
+CLASS="PARAMETER"
+><I
+>lprm command</I
+></TT
+> as the PATH may not be
+ available to the server.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>depends on the setting of <TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></I
+></P
+><P
+>Example 1: <B
+CLASS="COMMAND"
+>lprm command = /usr/bin/lprm -P%p %j
+ </B
+></P
+><P
+>Example 2: <B
+CLASS="COMMAND"
+>lprm command = /usr/bin/cancel %p-%j
+ </B
+></P
+></DD
+><DT
+><A
+NAME="MACHINEPASSWORDTIMEOUT"
+></A
+>machine password timeout (G)</DT
+><DD
+><P
+>If a Samba server is a member of an Windows
+ NT Domain (see the <A
+HREF="#SECURITYEQUALSDOMAIN"
+>security=domain</A
+>)
+ parameter) then periodically a running <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd(8)</A
+> process will try and change the MACHINE ACCOUNT
+ PASSWORD stored in the TDB called <TT
+CLASS="FILENAME"
+>private/secrets.tdb
+ </TT
+>. This parameter specifies how often this password
+ will be changed, in seconds. The default is one week (expressed in
+ seconds), the same as a Windows NT Domain member server.</P
+><P
+>See also <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)
+ </B
+></A
+>, and the <A
+HREF="#SECURITYEQUALSDOMAIN"
+> security=domain</A
+>) parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>machine password timeout = 604800</B
+></P
+></DD
+><DT
+><A
+NAME="MAGICOUTPUT"
+></A
+>magic output (S)</DT
+><DD
+><P
+>This parameter specifies the name of a file
+ which will contain output created by a magic script (see the
+ <A
+HREF="#MAGICSCRIPT"
+><TT
+CLASS="PARAMETER"
+><I
+>magic script</I
+></TT
+></A
+>
+ parameter below).</P
+><P
+>Warning: If two clients use the same <TT
+CLASS="PARAMETER"
+><I
+>magic script
+ </I
+></TT
+> in the same directory the output file content
+ is undefined.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>magic output = <magic script name>.out
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>magic output = myfile.txt</B
+></P
+></DD
+><DT
+><A
+NAME="MAGICSCRIPT"
+></A
+>magic script (S)</DT
+><DD
+><P
+>This parameter specifies the name of a file which,
+ if opened, will be executed by the server when the file is closed.
+ This allows a UNIX script to be sent to the Samba host and
+ executed on behalf of the connected user.</P
+><P
+>Scripts executed in this way will be deleted upon
+ completion, permissions permitting.</P
+><P
+>If the script generates output, output will be sent to
+ the file specified by the <A
+HREF="#MAGICOUTPUT"
+><TT
+CLASS="PARAMETER"
+><I
+> magic output</I
+></TT
+></A
+> parameter (see above).</P
+><P
+>Note that some shells are unable to interpret scripts
+ containing carriage-return-linefeed instead of linefeed as
+ the end-of-line marker. Magic scripts must be executable
+ <I
+CLASS="EMPHASIS"
+>as is</I
+> on the host, which for some hosts and
+ some shells will require filtering at the DOS end.</P
+><P
+>Magic scripts are <I
+CLASS="EMPHASIS"
+>EXPERIMENTAL</I
+> and
+ should <I
+CLASS="EMPHASIS"
+>NOT</I
+> be relied upon.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>None. Magic scripts disabled.</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>magic script = user.csh</B
+></P
+></DD
+><DT
+><A
+NAME="MANGLECASE"
+></A
+>mangle case (S)</DT
+><DD
+><P
+>See the section on <A
+HREF="#AEN201"
+> NAME MANGLING</A
+></P
+></DD
+><DT
+><A
+NAME="MANGLEDMAP"
+></A
+>mangled map (S)</DT
+><DD
+><P
+>This is for those who want to directly map UNIX
+ file names which can not be represented on Windows/DOS. The mangling
+ of names is not always what is needed. In particular you may have
+ documents with file extensions that differ between DOS and UNIX.
+ For example, under UNIX it is common to use <TT
+CLASS="FILENAME"
+>.html</TT
+>
+ for HTML files, whereas under Windows/DOS <TT
+CLASS="FILENAME"
+>.htm</TT
+>
+ is more commonly used.</P
+><P
+>So to map <TT
+CLASS="FILENAME"
+>html</TT
+> to <TT
+CLASS="FILENAME"
+>htm</TT
+>
+ you would use:</P
+><P
+><B
+CLASS="COMMAND"
+>mangled map = (*.html *.htm)</B
+></P
+><P
+>One very useful case is to remove the annoying <TT
+CLASS="FILENAME"
+>;1
+ </TT
+> off the ends of filenames on some CDROMS (only visible
+ under some UNIXs). To do this use a map of (*;1 *;).</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no mangled map</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>mangled map = (*;1 *;)</B
+></P
+></DD
+><DT
+><A
+NAME="MANGLEDNAMES"
+></A
+>mangled names (S)</DT
+><DD
+><P
+>This controls whether non-DOS names under UNIX
+ should be mapped to DOS-compatible names ("mangled") and made visible,
+ or whether non-DOS names should simply be ignored.</P
+><P
+>See the section on <A
+HREF="#AEN201"
+> NAME MANGLING</A
+> for details on how to control the mangling process.</P
+><P
+>If mangling is used then the mangling algorithm is as follows:</P
+><P
+></P
+><UL
+><LI
+><P
+>The first (up to) five alphanumeric characters
+ before the rightmost dot of the filename are preserved, forced
+ to upper case, and appear as the first (up to) five characters
+ of the mangled name.</P
+></LI
+><LI
+><P
+>A tilde "~" is appended to the first part of the mangled
+ name, followed by a two-character unique sequence, based on the
+ original root name (i.e., the original filename minus its final
+ extension). The final extension is included in the hash calculation
+ only if it contains any upper case characters or is longer than three
+ characters.</P
+><P
+>Note that the character to use may be specified using
+ the <A
+HREF="#MANGLINGCHAR"
+><TT
+CLASS="PARAMETER"
+><I
+>mangling char</I
+></TT
+>
+ </A
+> option, if you don't like '~'.</P
+></LI
+><LI
+><P
+>The first three alphanumeric characters of the final
+ extension are preserved, forced to upper case and appear as the
+ extension of the mangled name. The final extension is defined as that
+ part of the original filename after the rightmost dot. If there are no
+ dots in the filename, the mangled name will have no extension (except
+ in the case of "hidden files" - see below).</P
+></LI
+><LI
+><P
+>Files whose UNIX name begins with a dot will be
+ presented as DOS hidden files. The mangled name will be created as
+ for other filenames, but with the leading dot removed and "___" as
+ its extension regardless of actual original extension (that's three
+ underscores).</P
+></LI
+></UL
+><P
+>The two-digit hash value consists of upper case
+ alphanumeric characters.</P
+><P
+>This algorithm can cause name collisions only if files
+ in a directory share the same first five alphanumeric characters.
+ The probability of such a clash is 1/1300.</P
+><P
+>The name mangling (if enabled) allows a file to be
+ copied between UNIX directories from Windows/DOS while retaining
+ the long UNIX filename. UNIX files can be renamed to a new extension
+ from Windows/DOS and will retain the same basename. Mangled names
+ do not change between sessions.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>mangled names = yes</B
+></P
+></DD
+><DT
+><A
+NAME="MANGLINGCHAR"
+></A
+>mangling char (S)</DT
+><DD
+><P
+>This controls what character is used as
+ the <I
+CLASS="EMPHASIS"
+>magic</I
+> character in <A
+HREF="#AEN201"
+>name mangling</A
+>. The default is a '~'
+ but this may interfere with some software. Use this option to set
+ it to whatever you prefer.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>mangling char = ~</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>mangling char = ^</B
+></P
+></DD
+><DT
+><A
+NAME="MANGLEDSTACK"
+></A
+>mangled stack (G)</DT
+><DD
+><P
+>This parameter controls the number of mangled names
+ that should be cached in the Samba server <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd(8)</A
+>.</P
+><P
+>This stack is a list of recently mangled base names
+ (extensions are only maintained if they are longer than 3 characters
+ or contains upper case characters).</P
+><P
+>The larger this value, the more likely it is that mangled
+ names can be successfully converted to correct long UNIX names.
+ However, large stack sizes will slow most directory access. Smaller
+ stacks save memory in the server (each stack element costs 256 bytes).
+ </P
+><P
+>It is not possible to absolutely guarantee correct long
+ file names, so be prepared for some surprises!</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>mangled stack = 50</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>mangled stack = 100</B
+></P
+></DD
+><DT
+><A
+NAME="MAPARCHIVE"
+></A
+>map archive (S)</DT
+><DD
+><P
+>This controls whether the DOS archive attribute
+ should be mapped to the UNIX owner execute bit. The DOS archive bit
+ is set when a file has been modified since its last backup. One
+ motivation for this option it to keep Samba/your PC from making
+ any file it touches from becoming executable under UNIX. This can
+ be quite annoying for shared source code, documents, etc...</P
+><P
+>Note that this requires the <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+>
+ parameter to be set such that owner execute bit is not masked out
+ (i.e. it must include 100). See the parameter <A
+HREF="#CREATEMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></A
+> for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>map archive = yes</B
+></P
+></DD
+><DT
+><A
+NAME="MAPHIDDEN"
+></A
+>map hidden (S)</DT
+><DD
+><P
+>This controls whether DOS style hidden files
+ should be mapped to the UNIX world execute bit.</P
+><P
+>Note that this requires the <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+>
+ to be set such that the world execute bit is not masked out (i.e.
+ it must include 001). See the parameter <A
+HREF="#CREATEMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></A
+> for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>map hidden = no</B
+></P
+></DD
+><DT
+><A
+NAME="MAPSYSTEM"
+></A
+>map system (S)</DT
+><DD
+><P
+>This controls whether DOS style system files
+ should be mapped to the UNIX group execute bit.</P
+><P
+>Note that this requires the <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+>
+ to be set such that the group execute bit is not masked out (i.e.
+ it must include 010). See the parameter <A
+HREF="#CREATEMASK"
+> <TT
+CLASS="PARAMETER"
+><I
+>create mask</I
+></TT
+></A
+> for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>map system = no</B
+></P
+></DD
+><DT
+><A
+NAME="MAPTOGUEST"
+></A
+>map to guest (G)</DT
+><DD
+><P
+>This parameter is only useful in <A
+HREF="#SECURITY"
+> security</A
+> modes other than <TT
+CLASS="PARAMETER"
+><I
+>security=share</I
+></TT
+>
+ - i.e. <TT
+CLASS="CONSTANT"
+>user</TT
+>, <TT
+CLASS="CONSTANT"
+>server</TT
+>,
+ and <TT
+CLASS="CONSTANT"
+>domain</TT
+>.</P
+><P
+>This parameter can take three different values, which tell
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> what to do with user
+ login requests that don't match a valid UNIX user in some way.</P
+><P
+>The three settings are :</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>Never</TT
+> - Means user login
+ requests with an invalid password are rejected. This is the
+ default.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>Bad User</TT
+> - Means user
+ logins with an invalid password are rejected, unless the username
+ does not exist, in which case it is treated as a guest login and
+ mapped into the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+> guest account</I
+></TT
+></A
+>.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>Bad Password</TT
+> - Means user logins
+ with an invalid password are treated as a guest login and mapped
+ into the <A
+HREF="#GUESTACCOUNT"
+>guest account</A
+>. Note that
+ this can cause problems as it means that any user incorrectly typing
+ their password will be silently logged on as a "guest" - and
+ will not know the reason they cannot access files they think
+ they should - there will have been no message given to them
+ that they got their password wrong. Helpdesk services will
+ <I
+CLASS="EMPHASIS"
+>hate</I
+> you if you set the <TT
+CLASS="PARAMETER"
+><I
+>map to
+ guest</I
+></TT
+> parameter this way :-).</P
+></LI
+></UL
+><P
+>Note that this parameter is needed to set up "Guest"
+ share services when using <TT
+CLASS="PARAMETER"
+><I
+>security</I
+></TT
+> modes other than
+ share. This is because in these modes the name of the resource being
+ requested is <I
+CLASS="EMPHASIS"
+>not</I
+> sent to the server until after
+ the server has successfully authenticated the client so the server
+ cannot make authentication decisions at the correct time (connection
+ to the share) for "Guest" shares.</P
+><P
+>For people familiar with the older Samba releases, this
+ parameter maps to the old compile-time setting of the <TT
+CLASS="CONSTANT"
+> GUEST_SESSSETUP</TT
+> value in local.h.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>map to guest = Never</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>map to guest = Bad User</B
+></P
+></DD
+><DT
+><A
+NAME="MAXCONNECTIONS"
+></A
+>max connections (S)</DT
+><DD
+><P
+>This option allows the number of simultaneous
+ connections to a service to be limited. If <TT
+CLASS="PARAMETER"
+><I
+>max connections
+ </I
+></TT
+> is greater than 0 then connections will be refused if
+ this number of connections to the service are already open. A value
+ of zero mean an unlimited number of connections may be made.</P
+><P
+>Record lock files are used to implement this feature. The
+ lock files will be stored in the directory specified by the <A
+HREF="#LOCKDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+>lock directory</I
+></TT
+></A
+>
+ option.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max connections = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max connections = 10</B
+></P
+></DD
+><DT
+><A
+NAME="MAXDISKSIZE"
+></A
+>max disk size (G)</DT
+><DD
+><P
+>This option allows you to put an upper limit
+ on the apparent size of disks. If you set this option to 100
+ then all shares will appear to be not larger than 100 MB in
+ size.</P
+><P
+>Note that this option does not limit the amount of
+ data you can put on the disk. In the above case you could still
+ store much more than 100 MB on the disk, but if a client ever asks
+ for the amount of free disk space or the total disk size then the
+ result will be bounded by the amount specified in <TT
+CLASS="PARAMETER"
+><I
+>max
+ disk size</I
+></TT
+>.</P
+><P
+>This option is primarily useful to work around bugs
+ in some pieces of software that can't handle very large disks,
+ particularly disks over 1GB in size.</P
+><P
+>A <TT
+CLASS="PARAMETER"
+><I
+>max disk size</I
+></TT
+> of 0 means no limit.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max disk size = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max disk size = 1000</B
+></P
+></DD
+><DT
+><A
+NAME="MAXLOGSIZE"
+></A
+>max log size (G)</DT
+><DD
+><P
+>This option (an integer in kilobytes) specifies
+ the max size the log file should grow to. Samba periodically checks
+ the size and if it is exceeded it will rename the file, adding
+ a <TT
+CLASS="FILENAME"
+>.old</TT
+> extension.</P
+><P
+>A size of 0 means no limit.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max log size = 5000</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max log size = 1000</B
+></P
+></DD
+><DT
+><A
+NAME="MAXMUX"
+></A
+>max mux (G)</DT
+><DD
+><P
+>This option controls the maximum number of
+ outstanding simultaneous SMB operations that samba tells the client
+ it will allow. You should never need to set this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max mux = 50</B
+></P
+></DD
+><DT
+><A
+NAME="MAXOPENFILES"
+></A
+>max open files (G)</DT
+><DD
+><P
+>This parameter limits the maximum number of
+ open files that one <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> file
+ serving process may have open for a client at any one time. The
+ default for this parameter is set very high (10,000) as Samba uses
+ only one bit per unopened file.</P
+><P
+>The limit of the number of open files is usually set
+ by the UNIX per-process file descriptor limit rather than
+ this parameter so you should never need to touch this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max open files = 10000</B
+></P
+></DD
+><DT
+><A
+NAME="MAXTTL"
+></A
+>max ttl (G)</DT
+><DD
+><P
+>This option tells <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ what the default 'time to live' of NetBIOS names should be (in seconds)
+ when <B
+CLASS="COMMAND"
+>nmbd</B
+> is requesting a name using either a
+ broadcast packet or from a WINS server. You should never need to
+ change this parameter. The default is 3 days.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max ttl = 259200</B
+></P
+></DD
+><DT
+><A
+NAME="MAXWINSTTL"
+></A
+>max wins ttl (G)</DT
+><DD
+><P
+>This option tells <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)
+ </A
+> when acting as a WINS server (<A
+HREF="#WINSSUPPORT"
+> <TT
+CLASS="PARAMETER"
+><I
+>wins support=yes</I
+></TT
+></A
+>) what the maximum
+ 'time to live' of NetBIOS names that <B
+CLASS="COMMAND"
+>nmbd</B
+>
+ will grant will be (in seconds). You should never need to change this
+ parameter. The default is 6 days (518400 seconds).</P
+><P
+>See also the <A
+HREF="#MINWINSTTL"
+><TT
+CLASS="PARAMETER"
+><I
+>min
+ wins ttl"</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max wins ttl = 518400</B
+></P
+></DD
+><DT
+><A
+NAME="MAXXMIT"
+></A
+>max xmit (G)</DT
+><DD
+><P
+>This option controls the maximum packet size
+ that will be negotiated by Samba. The default is 65535, which
+ is the maximum. In some cases you may find you get better performance
+ with a smaller value. A value below 2048 is likely to cause problems.
+ </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>max xmit = 65535</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>max xmit = 8192</B
+></P
+></DD
+><DT
+><A
+NAME="MESSAGECOMMAND"
+></A
+>message command (G)</DT
+><DD
+><P
+>This specifies what command to run when the
+ server receives a WinPopup style message.</P
+><P
+>This would normally be a command that would
+ deliver the message somehow. How this is to be done is
+ up to your imagination.</P
+><P
+>An example is:</P
+><P
+><B
+CLASS="COMMAND"
+>message command = csh -c 'xedit %s;rm %s' &</B
+>
+ </P
+><P
+>This delivers the message using <B
+CLASS="COMMAND"
+>xedit</B
+>, then
+ removes it afterwards. <I
+CLASS="EMPHASIS"
+>NOTE THAT IT IS VERY IMPORTANT
+ THAT THIS COMMAND RETURN IMMEDIATELY</I
+>. That's why I
+ have the '&' on the end. If it doesn't return immediately then
+ your PCs may freeze when sending messages (they should recover
+ after 30secs, hopefully).</P
+><P
+>All messages are delivered as the global guest user.
+ The command takes the standard substitutions, although <TT
+CLASS="PARAMETER"
+><I
+> %u</I
+></TT
+> won't work (<TT
+CLASS="PARAMETER"
+><I
+>%U</I
+></TT
+> may be better
+ in this case).</P
+><P
+>Apart from the standard substitutions, some additional
+ ones apply. In particular:</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%s</I
+></TT
+> = the filename containing
+ the message.</P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%t</I
+></TT
+> = the destination that
+ the message was sent to (probably the server name).</P
+></LI
+><LI
+><P
+><TT
+CLASS="PARAMETER"
+><I
+>%f</I
+></TT
+> = who the message
+ is from.</P
+></LI
+></UL
+><P
+>You could make this command send mail, or whatever else
+ takes your fancy. Please let us know of any really interesting
+ ideas you have.</P
+><P
+>Here's a way of sending the messages as mail to root:</P
+><P
+><B
+CLASS="COMMAND"
+>message command = /bin/mail -s 'message from %f on
+ %m' root < %s; rm %s</B
+></P
+><P
+>If you don't have a message command then the message
+ won't be delivered and Samba will tell the sender there was
+ an error. Unfortunately WfWg totally ignores the error code
+ and carries on regardless, saying that the message was delivered.
+ </P
+><P
+>If you want to silently delete it then try:</P
+><P
+><B
+CLASS="COMMAND"
+>message command = rm %s</B
+></P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no message command</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>message command = csh -c 'xedit %s;
+ rm %s' &</B
+></P
+></DD
+><DT
+><A
+NAME="MINPRINTSPACE"
+></A
+>min print space (S)</DT
+><DD
+><P
+>This sets the minimum amount of free disk
+ space that must be available before a user will be able to spool
+ a print job. It is specified in kilobytes. The default is 0, which
+ means a user can always spool a print job.</P
+><P
+>See also the <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>min print space = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>min print space = 2000</B
+></P
+></DD
+><DT
+><A
+NAME="MINPASSWDLENGTH"
+></A
+>min passwd length (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#MINPASSWORDLENGTH"
+> <TT
+CLASS="PARAMETER"
+><I
+>min password length</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="MINPASSWORDLENGTH"
+></A
+>min password length (G)</DT
+><DD
+><P
+>This option sets the minimum length in characters
+ of a plaintext password than smbd will accept when performing
+ UNIX password changing.</P
+><P
+>See also <A
+HREF="#UNIXPASSWORDSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+></A
+>, <A
+HREF="#PASSWDPROGRAM"
+> <TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+></A
+> and <A
+HREF="#PASSWDCHATDEBUG"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat debug</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>min password length = 5</B
+></P
+></DD
+><DT
+><A
+NAME="MINWINSTTL"
+></A
+>min wins ttl (G)</DT
+><DD
+><P
+>This option tells <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ when acting as a WINS server (<A
+HREF="#WINSSUPPORT"
+><TT
+CLASS="PARAMETER"
+><I
+> wins support = yes</I
+></TT
+></A
+>) what the minimum 'time to live'
+ of NetBIOS names that <B
+CLASS="COMMAND"
+>nmbd</B
+> will grant will be (in
+ seconds). You should never need to change this parameter. The default
+ is 6 hours (21600 seconds).</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>min wins ttl = 21600</B
+></P
+></DD
+><DT
+><A
+NAME="NAMERESOLVEORDER"
+></A
+>name resolve order (G)</DT
+><DD
+><P
+>This option is used by the programs in the Samba
+ suite to determine what naming services and in what order to resolve
+ host names to IP addresses. The option takes a space separated
+ string of different name resolution options.</P
+><P
+>The options are :"lmhosts", "host", "wins" and "bcast". They
+ cause names to be resolved as follows :</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>lmhosts</TT
+> : Lookup an IP
+ address in the Samba lmhosts file. If the line in lmhosts has
+ no name type attached to the NetBIOS name (see the <A
+HREF="lmhosts.5.html"
+TARGET="_top"
+>lmhosts(5)</A
+> for details) then
+ any name type matches for lookup.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>host</TT
+> : Do a standard host
+ name to IP address resolution, using the system <TT
+CLASS="FILENAME"
+>/etc/hosts
+ </TT
+>, NIS, or DNS lookups. This method of name resolution
+ is operating system depended for instance on IRIX or Solaris this
+ may be controlled by the <TT
+CLASS="FILENAME"
+>/etc/nsswitch.conf</TT
+>
+ file). Note that this method is only used if the NetBIOS name
+ type being queried is the 0x20 (server) name type, otherwise
+ it is ignored.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>wins</TT
+> : Query a name with
+ the IP address listed in the <A
+HREF="#WINSSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+> wins server</I
+></TT
+></A
+> parameter. If no WINS server has
+ been specified this method will be ignored.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>bcast</TT
+> : Do a broadcast on
+ each of the known local interfaces listed in the <A
+HREF="#INTERFACES"
+><TT
+CLASS="PARAMETER"
+><I
+>interfaces</I
+></TT
+></A
+>
+ parameter. This is the least reliable of the name resolution
+ methods as it depends on the target host being on a locally
+ connected subnet.</P
+></LI
+></UL
+><P
+>Default: <B
+CLASS="COMMAND"
+>name resolve order = lmhosts host wins bcast
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>name resolve order = lmhosts bcast host
+ </B
+></P
+><P
+>This will cause the local lmhosts file to be examined
+ first, followed by a broadcast attempt, followed by a normal
+ system hostname lookup.</P
+></DD
+><DT
+><A
+NAME="NETBIOSALIASES"
+></A
+>netbios aliases (G)</DT
+><DD
+><P
+>This is a list of NetBIOS names that <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> will advertise as additional
+ names by which the Samba server is known. This allows one machine
+ to appear in browse lists under multiple names. If a machine is
+ acting as a browse server or logon server none
+ of these names will be advertised as either browse server or logon
+ servers, only the primary name of the machine will be advertised
+ with these capabilities.</P
+><P
+>See also <A
+HREF="#NETBIOSNAME"
+><TT
+CLASS="PARAMETER"
+><I
+>netbios
+ name</I
+></TT
+></A
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>empty string (no additional names)</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>netbios aliases = TEST TEST1 TEST2</B
+></P
+></DD
+><DT
+><A
+NAME="NETBIOSNAME"
+></A
+>netbios name (G)</DT
+><DD
+><P
+>This sets the NetBIOS name by which a Samba
+ server is known. By default it is the same as the first component
+ of the host's DNS name. If a machine is a browse server or
+ logon server this name (or the first component
+ of the hosts DNS name) will be the name that these services are
+ advertised under.</P
+><P
+>See also <A
+HREF="#NETBIOSALIASES"
+><TT
+CLASS="PARAMETER"
+><I
+>netbios
+ aliases</I
+></TT
+></A
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>machine DNS name</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>netbios name = MYNAME</B
+></P
+></DD
+><DT
+><A
+NAME="NETBIOSSCOPE"
+></A
+>netbios scope (G)</DT
+><DD
+><P
+>This sets the NetBIOS scope that Samba will
+ operate under. This should not be set unless every machine
+ on your LAN also sets this value.</P
+></DD
+><DT
+><A
+NAME="NISHOMEDIR"
+></A
+>nis homedir (G)</DT
+><DD
+><P
+>Get the home share server from a NIS map. For
+ UNIX systems that use an automounter, the user's home directory
+ will often be mounted on a workstation on demand from a remote
+ server. </P
+><P
+>When the Samba logon server is not the actual home directory
+ server, but is mounting the home directories via NFS then two
+ network hops would be required to access the users home directory
+ if the logon server told the client to use itself as the SMB server
+ for home directories (one over SMB and one over NFS). This can
+ be very slow.</P
+><P
+>This option allows Samba to return the home share as
+ being on a different server to the logon server and as
+ long as a Samba daemon is running on the home directory server,
+ it will be mounted on the Samba client directly from the directory
+ server. When Samba is returning the home share to the client, it
+ will consult the NIS map specified in <A
+HREF="#HOMEDIRMAP"
+> <TT
+CLASS="PARAMETER"
+><I
+>homedir map</I
+></TT
+></A
+> and return the server
+ listed there.</P
+><P
+>Note that for this option to work there must be a working
+ NIS system and the Samba server with this option must also
+ be a logon server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>nis homedir = no</B
+></P
+></DD
+><DT
+><A
+NAME="NTACLSUPPORT"
+></A
+>nt acl support (G)</DT
+><DD
+><P
+>This boolean parameter controls whether
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> will attempt to map
+ UNIX permissions into Windows NT access control lists.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>nt acl support = yes</B
+></P
+></DD
+><DT
+><A
+NAME="NTPIPESUPPORT"
+></A
+>nt pipe support (G)</DT
+><DD
+><P
+>This boolean parameter controls whether
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> will allow Windows NT
+ clients to connect to the NT SMB specific <TT
+CLASS="CONSTANT"
+>IPC$</TT
+>
+ pipes. This is a developer debugging option and can be left
+ alone.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>nt pipe support = yes</B
+></P
+></DD
+><DT
+><A
+NAME="NTSMBSUPPORT"
+></A
+>nt smb support (G)</DT
+><DD
+><P
+>This boolean parameter controls whether <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> will negotiate NT specific SMB
+ support with Windows NT clients. Although this is a developer
+ debugging option and should be left alone, benchmarking has discovered
+ that Windows NT clients give faster performance with this option
+ set to <TT
+CLASS="CONSTANT"
+>no</TT
+>. This is still being investigated.
+ If this option is set to <TT
+CLASS="CONSTANT"
+>no</TT
+> then Samba offers
+ exactly the same SMB calls that versions prior to Samba 2.0 offered.
+ This information may be of use if any users are having problems
+ with NT SMB support.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>nt support = yes</B
+></P
+></DD
+><DT
+><A
+NAME="NULLPASSWORDS"
+></A
+>null passwords (G)</DT
+><DD
+><P
+>Allow or disallow client access to accounts
+ that have null passwords. </P
+><P
+>See also <A
+HREF="smbpasswd.5.html"
+TARGET="_top"
+>smbpasswd (5)</A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>null passwords = no</B
+></P
+></DD
+><DT
+><A
+NAME="OLELOCKINGCOMPATIBILITY"
+></A
+>ole locking compatibility (G)</DT
+><DD
+><P
+>This parameter allows an administrator to turn
+ off the byte range lock manipulation that is done within Samba to
+ give compatibility for OLE applications. Windows OLE applications
+ use byte range locking as a form of inter-process communication, by
+ locking ranges of bytes around the 2^32 region of a file range. This
+ can cause certain UNIX lock managers to crash or otherwise cause
+ problems. Setting this parameter to <TT
+CLASS="CONSTANT"
+>no</TT
+> means you
+ trust your UNIX lock manager to handle such cases correctly.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ole locking compatibility = yes</B
+></P
+></DD
+><DT
+><A
+NAME="ONLYGUEST"
+></A
+>only guest (S)</DT
+><DD
+><P
+>A synonym for <A
+HREF="#GUESTONLY"
+><TT
+CLASS="PARAMETER"
+><I
+> guest only</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="ONLYUSER"
+></A
+>only user (S)</DT
+><DD
+><P
+>This is a boolean option that controls whether
+ connections with usernames not in the <TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+>
+ list will be allowed. By default this option is disabled so a client
+ can supply a username to be used by the server.</P
+><P
+>Note that this also means Samba won't try to deduce
+ usernames from the service name. This can be annoying for
+ the [homes] section. To get around this you could use <B
+CLASS="COMMAND"
+>user =
+ %S</B
+> which means your <TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+> list
+ will be just the service name, which for home directories is the
+ name of the user.</P
+><P
+>See also the <A
+HREF="#USER"
+><TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+>
+ </A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>only user = no</B
+></P
+></DD
+><DT
+><A
+NAME="OPLOCKS"
+></A
+>oplocks (S)</DT
+><DD
+><P
+>This boolean option tells smbd whether to
+ issue oplocks (opportunistic locks) to file open requests on this
+ share. The oplock code can dramatically (approx. 30% or more) improve
+ the speed of access to files on Samba servers. It allows the clients
+ to aggressively cache files ocally and you may want to disable this
+ option for unreliable network environments (it is turned on by
+ default in Windows NT Servers). For more information see the file
+ <TT
+CLASS="FILENAME"
+>Speed.txt</TT
+> in the Samba <TT
+CLASS="FILENAME"
+>docs/</TT
+>
+ directory.</P
+><P
+>Oplocks may be selectively turned off on certain files on
+ a per share basis. See the <A
+HREF="#VETOOPLOCKFILES"
+><TT
+CLASS="PARAMETER"
+><I
+> veto oplock files</I
+></TT
+></A
+> parameter. On some systems
+ oplocks are recognized by the underlying operating system. This
+ allows data synchronization between all access to oplocked files,
+ whether it be via Samba or NFS or a local UNIX process. See the
+ <TT
+CLASS="PARAMETER"
+><I
+>kernel oplocks</I
+></TT
+> parameter for details.</P
+><P
+>See also the <A
+HREF="#KERNELOPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>kernel
+ oplocks</I
+></TT
+></A
+> and <A
+HREF="#LEVEL2OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+> level2 oplocks</I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>oplocks = yes</B
+></P
+></DD
+><DT
+><A
+NAME="OPLOCKBREAKWAITTIME"
+></A
+>oplock break wait time (G)</DT
+><DD
+><P
+>This is a tuning parameter added due to bugs in
+ both Windows 9x and WinNT. If Samba responds to a client too
+ quickly when that client issues an SMB that can cause an oplock
+ break request, then the client redirector can fail and not respond
+ to the break request. This tuning parameter (which is set in milliseconds)
+ is the amount of time Samba will wait before sending an oplock break
+ request to such (broken) clients.</P
+><P
+><I
+CLASS="EMPHASIS"
+>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+ AND UNDERSTOOD THE SAMBA OPLOCK CODE</I
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>oplock break wait time = 10</B
+></P
+></DD
+><DT
+><A
+NAME="OPLOCKCONTENTIONLIMIT"
+></A
+>oplock contention limit (S)</DT
+><DD
+><P
+>This is a <I
+CLASS="EMPHASIS"
+>very</I
+> advanced
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> tuning option to
+ improve the efficiency of the granting of oplocks under multiple
+ client contention for the same file.</P
+><P
+>In brief it specifies a number, which causes smbd not to
+ grant an oplock even when requested if the approximate number of
+ clients contending for an oplock on the same file goes over this
+ limit. This causes <B
+CLASS="COMMAND"
+>smbd</B
+> to behave in a similar
+ way to Windows NT.</P
+><P
+><I
+CLASS="EMPHASIS"
+>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+ AND UNDERSTOOD THE SAMBA OPLOCK CODE</I
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>oplock contention limit = 2</B
+></P
+></DD
+><DT
+><A
+NAME="OSLEVEL"
+></A
+>os level (G)</DT
+><DD
+><P
+>This integer value controls what level Samba
+ advertises itself as for browse elections. The value of this
+ parameter determines whether <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ has a chance of becoming a local master browser for the <TT
+CLASS="PARAMETER"
+><I
+> WORKGROUP</I
+></TT
+> in the local broadcast area. The default is
+ zero, which means <B
+CLASS="COMMAND"
+>nmbd</B
+> will lose elections to
+ Windows machines. See <TT
+CLASS="FILENAME"
+>BROWSING.txt</TT
+> in the
+ Samba <TT
+CLASS="FILENAME"
+>docs/</TT
+> directory for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>os level = 20</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>os level = 65 </B
+></P
+></DD
+><DT
+><A
+NAME="PANICACTION"
+></A
+>panic action (G)</DT
+><DD
+><P
+>This is a Samba developer option that allows a
+ system command to be called when either <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd(8)</A
+> or <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+>
+ crashes. This is usually used to draw attention to the fact that
+ a problem occurred.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>panic action = <empty string></B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>panic action = "/bin/sleep 90000"</B
+></P
+></DD
+><DT
+><A
+NAME="PASSWDCHAT"
+></A
+>passwd chat (G)</DT
+><DD
+><P
+>This string controls the <I
+CLASS="EMPHASIS"
+>"chat"</I
+>
+ conversation that takes places between <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd</A
+> and the local password changing
+ program to change the users password. The string describes a
+ sequence of response-receive pairs that <A
+HREF="smbd.8.html"
+TARGET="_top"
+> smbd(8)</A
+> uses to determine what to send to the
+ <A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+>
+ </A
+> and what to expect back. If the expected output is not
+ received then the password is not changed.</P
+><P
+>This chat sequence is often quite site specific, depending
+ on what local methods are used for password control (such as NIS
+ etc).</P
+><P
+>The string can contain the macros <TT
+CLASS="PARAMETER"
+><I
+>%o</I
+></TT
+>
+ and <TT
+CLASS="PARAMETER"
+><I
+>%n</I
+></TT
+> which are substituted for the old
+ and new passwords respectively. It can also contain the standard
+ macros <TT
+CLASS="CONSTANT"
+>\n</TT
+>, <TT
+CLASS="CONSTANT"
+>\r</TT
+>, <TT
+CLASS="CONSTANT"
+> \t</TT
+> and <TT
+CLASS="CONSTANT"
+>%s</TT
+> to give line-feed,
+ carriage-return, tab and space.</P
+><P
+>The string can also contain a '*' which matches
+ any sequence of characters.</P
+><P
+>Double quotes can be used to collect strings with spaces
+ in them into a single string.</P
+><P
+>If the send string in any part of the chat sequence
+ is a fullstop ".", then no string is sent. Similarly,
+ is the expect string is a fullstop then no string is expected.</P
+><P
+>Note that if the <A
+HREF="#UNIXPASSWORDSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+></A
+> parameter is set to true, then this
+ sequence is called <I
+CLASS="EMPHASIS"
+>AS ROOT</I
+> when the SMB password
+ in the smbpasswd file is being changed, without access to the old
+ password cleartext. In this case the old password cleartext is set
+ to "" (the empty string).</P
+><P
+>See also <A
+HREF="#UNIXPASSWORDSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>unix password
+ sync</I
+></TT
+></A
+>, <A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+> passwd program</I
+></TT
+></A
+> and <A
+HREF="#PASSWDCHATDEBUG"
+> <TT
+CLASS="PARAMETER"
+><I
+>passwd chat debug</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>passwd chat = *old*password* %o\n *new*
+ password* %n\n *new*password* %n\n *changed*</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>passwd chat = "*Enter OLD password*" %o\n
+ "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password
+ changed*"</B
+></P
+></DD
+><DT
+><A
+NAME="PASSWDCHATDEBUG"
+></A
+>passwd chat debug (G)</DT
+><DD
+><P
+>This boolean specifies if the passwd chat script
+ parameter is run in <I
+CLASS="EMPHASIS"
+>debug</I
+> mode. In this mode the
+ strings passed to and received from the passwd chat are printed
+ in the <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> log with a
+ <A
+HREF="#DEBUGLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+>debug level</I
+></TT
+></A
+>
+ of 100. This is a dangerous option as it will allow plaintext passwords
+ to be seen in the <B
+CLASS="COMMAND"
+>smbd</B
+> log. It is available to help
+ Samba admins debug their <TT
+CLASS="PARAMETER"
+><I
+>passwd chat</I
+></TT
+> scripts
+ when calling the <TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+> and should
+ be turned off after this has been done. This parameter is off by
+ default.</P
+><P
+>See also <<A
+HREF="#PASSWDCHAT"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd chat</I
+></TT
+>
+ </A
+>, <A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd program</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>passwd chat debug = no</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>passwd chat debug = yes</B
+></P
+></DD
+><DT
+><A
+NAME="PASSWDPROGRAM"
+></A
+>passwd program (G)</DT
+><DD
+><P
+>The name of a program that can be used to set
+ UNIX user passwords. Any occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+>
+ will be replaced with the user name. The user name is checked for
+ existence before calling the password changing program.</P
+><P
+>Also note that many passwd programs insist in <I
+CLASS="EMPHASIS"
+>reasonable
+ </I
+> passwords, such as a minimum length, or the inclusion
+ of mixed case chars and digits. This can pose a problem as some clients
+ (such as Windows for Workgroups) uppercase the password before sending
+ it.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that if the <TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+> parameter is set to <TT
+CLASS="CONSTANT"
+>True
+ </TT
+> then this program is called <I
+CLASS="EMPHASIS"
+>AS ROOT</I
+>
+ before the SMB password in the <A
+HREF="smbpasswd.5.html"
+TARGET="_top"
+>smbpasswd(5)
+ </A
+> file is changed. If this UNIX password change fails, then
+ <B
+CLASS="COMMAND"
+>smbd</B
+> will fail to change the SMB password also
+ (this is by design).</P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>unix password sync</I
+></TT
+> parameter
+ is set this parameter <I
+CLASS="EMPHASIS"
+>MUST USE ABSOLUTE PATHS</I
+>
+ for <I
+CLASS="EMPHASIS"
+>ALL</I
+> programs called, and must be examined
+ for security implications. Note that by default <TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+> is set to <TT
+CLASS="CONSTANT"
+>False</TT
+>.</P
+><P
+>See also <A
+HREF="#UNIXPASSWORDSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>unix
+ password sync</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>passwd program = /bin/passwd</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>passwd program = /sbin/npasswd %u</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="PASSWORDLEVEL"
+></A
+>password level (G)</DT
+><DD
+><P
+>Some client/server combinations have difficulty
+ with mixed-case passwords. One offending client is Windows for
+ Workgroups, which for some reason forces passwords to upper
+ case when using the LANMAN1 protocol, but leaves them alone when
+ using COREPLUS!</P
+><P
+>This parameter defines the maximum number of characters
+ that may be upper case in passwords.</P
+><P
+>For example, say the password given was "FRED". If <TT
+CLASS="PARAMETER"
+><I
+> password level</I
+></TT
+> is set to 1, the following combinations
+ would be tried if "FRED" failed:</P
+><P
+>"Fred", "fred", "fRed", "frEd","freD"</P
+><P
+>If <TT
+CLASS="PARAMETER"
+><I
+>password level</I
+></TT
+> was set to 2,
+ the following combinations would also be tried: </P
+><P
+>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</P
+><P
+>And so on.</P
+><P
+>The higher value this parameter is set to the more likely
+ it is that a mixed case password will be matched against a single
+ case password. However, you should be aware that use of this
+ parameter reduces security and increases the time taken to
+ process a new connection.</P
+><P
+>A value of zero will cause only two attempts to be
+ made - the password as is and the password in all-lower case.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>password level = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>password level = 4</B
+></P
+></DD
+><DT
+><A
+NAME="PASSWORDSERVER"
+></A
+>password server (G)</DT
+><DD
+><P
+>By specifying the name of another SMB server (such
+ as a WinNT box) with this option, and using <B
+CLASS="COMMAND"
+>security = domain
+ </B
+> or <B
+CLASS="COMMAND"
+>security = server</B
+> you can get Samba
+ to do all its username/password validation via a remote server.</P
+><P
+>This options sets the name of the password server to use.
+ It must be a NetBIOS name, so if the machine's NetBIOS name is
+ different from its internet name then you may have to add its NetBIOS
+ name to the lmhosts file which is stored in the same directory
+ as the <TT
+CLASS="FILENAME"
+>smb.conf</TT
+> file.</P
+><P
+>The name of the password server is looked up using the
+ parameter <A
+HREF="#NAMERESOLVEORDER"
+><TT
+CLASS="PARAMETER"
+><I
+>name
+ resolve order</I
+></TT
+></A
+> and so may resolved
+ by any method and order described in that parameter.</P
+><P
+>The password server much be a machine capable of using
+ the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in
+ user level security mode.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> Using a password server
+ means your UNIX box (running Samba) is only as secure as your
+ password server. <I
+CLASS="EMPHASIS"
+>DO NOT CHOOSE A PASSWORD SERVER THAT
+ YOU DON'T COMPLETELY TRUST</I
+>.</P
+><P
+>Never point a Samba server at itself for password
+ serving. This will cause a loop and could lock up your Samba
+ server!</P
+><P
+>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <TT
+CLASS="PARAMETER"
+><I
+>%m
+ </I
+></TT
+>, which means the Samba server will use the incoming
+ client as the passwordserver. If you use this then you better
+ trust your clients, and you better restrict them with hosts allow!</P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>security</I
+></TT
+> parameter is set to
+ <TT
+CLASS="CONSTANT"
+>domain</TT
+>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is cryptographicly
+ in that domain, and will use cryptographicly authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <B
+CLASS="COMMAND"
+> security = domain</B
+> is that if you list several hosts in the
+ <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> option then <B
+CLASS="COMMAND"
+>smbd
+ </B
+> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <TT
+CLASS="CONSTANT"
+>WORKGROUP<1C></TT
+>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>security</I
+></TT
+> parameter is
+ set to <TT
+CLASS="CONSTANT"
+>server</TT
+>, then there are different
+ restrictions that <B
+CLASS="COMMAND"
+>security = domain</B
+> doesn't
+ suffer from:</P
+><P
+></P
+><UL
+><LI
+><P
+>You may list several password servers in
+ the <TT
+CLASS="PARAMETER"
+><I
+>password server</I
+></TT
+> parameter, however if an
+ <B
+CLASS="COMMAND"
+>smbd</B
+> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <B
+CLASS="COMMAND"
+>smbd</B
+>. This is a
+ restriction of the SMB/CIFS protocol when in <B
+CLASS="COMMAND"
+>security=server
+ </B
+> mode and cannot be fixed in Samba.</P
+></LI
+><LI
+><P
+>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <B
+CLASS="COMMAND"
+> security=server</B
+> mode the network logon will appear to
+ come from there rather than from the users workstation.</P
+></LI
+></UL
+><P
+>See also the <A
+HREF="#SECURITY"
+><TT
+CLASS="PARAMETER"
+><I
+>security
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>password server = <empty string></B
+>
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>password server = NT-PDC, NT-BDC1, NT-BDC2
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>password server = *</B
+></P
+></DD
+><DT
+><A
+NAME="PATH"
+></A
+>path (S)</DT
+><DD
+><P
+>This parameter specifies a directory to which
+ the user of the service is to be given access. In the case of
+ printable services, this is where print data will spool prior to
+ being submitted to the host for printing.</P
+><P
+>For a printable service offering guest access, the service
+ should be readonly and the path should be world-writeable and
+ have the sticky bit set. This is not mandatory of course, but
+ you probably won't get the results you expect if you do
+ otherwise.</P
+><P
+>Any occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%u</I
+></TT
+> in the path
+ will be replaced with the UNIX username that the client is using
+ on this connection. Any occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%m</I
+></TT
+>
+ will be replaced by the NetBIOS name of the machine they are
+ connecting from. These replacements are very useful for setting
+ up pseudo home directories for users.</P
+><P
+>Note that this path will be based on <A
+HREF="#ROOTDIR"
+> <TT
+CLASS="PARAMETER"
+><I
+>root dir</I
+></TT
+></A
+> if one was specified.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>none</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>path = /home/fred</B
+></P
+></DD
+><DT
+><A
+NAME="POSTEXEC"
+></A
+>postexec (S)</DT
+><DD
+><P
+>This option specifies a command to be run
+ whenever the service is disconnected. It takes the usual
+ substitutions. The command may be run as the root on some
+ systems.</P
+><P
+>An interesting example may be do unmount server
+ resources:</P
+><P
+><B
+CLASS="COMMAND"
+>postexec = /etc/umount /cdrom</B
+></P
+><P
+>See also <A
+HREF="#PREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>preexec</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>none (no command executed)</I
+>
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>postexec = echo \"%u disconnected from %S
+ from %m (%I)\" >> /tmp/log</B
+></P
+></DD
+><DT
+><A
+NAME="POSTSCRIPT"
+></A
+>postscript (S)</DT
+><DD
+><P
+>This parameter forces a printer to interpret
+ the print files as postscript. This is done by adding a <TT
+CLASS="CONSTANT"
+>%!
+ </TT
+> to the start of print output.</P
+><P
+>This is most useful when you have lots of PCs that persist
+ in putting a control-D at the start of print jobs, which then
+ confuses your printer.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>postscript = no</B
+></P
+></DD
+><DT
+><A
+NAME="PREEXEC"
+></A
+>preexec (S)</DT
+><DD
+><P
+>This option specifies a command to be run whenever
+ the service is connected to. It takes the usual substitutions.</P
+><P
+>An interesting example is to send the users a welcome
+ message every time they log in. Maybe a message of the day? Here
+ is an example:</P
+><P
+><B
+CLASS="COMMAND"
+>preexec = csh -c 'echo \"Welcome to %S!\" |
+ /usr/local/samba/bin/smbclient -M %m -I %I' & </B
+></P
+><P
+>Of course, this could get annoying after a while :-)</P
+><P
+>See also <A
+HREF="#PREEXECCLOSE"
+><TT
+CLASS="PARAMETER"
+><I
+>preexec close
+ </I
+></TT
+></A
+> and <A
+HREF="#POSTEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>postexec
+ </I
+></TT
+></A
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>none (no command executed)</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>preexec = echo \"%u connected to %S from %m
+ (%I)\" >> /tmp/log</B
+></P
+></DD
+><DT
+><A
+NAME="PREEXECCLOSE"
+></A
+>preexec close (S)</DT
+><DD
+><P
+>This boolean option controls whether a non-zero
+ return code from <A
+HREF="#PREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+>preexec
+ </I
+></TT
+></A
+> should close the service being connected to.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>preexec close = no</B
+></P
+></DD
+><DT
+><A
+NAME="PREFERREDMASTER"
+></A
+>preferred master (G)</DT
+><DD
+><P
+>This boolean parameter controls if <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> is a preferred master browser
+ for its workgroup.</P
+><P
+>If this is set to true, on startup, <B
+CLASS="COMMAND"
+>nmbd</B
+>
+ will force an election, and it will have a slight advantage in
+ winning the election. It is recommended that this parameter is
+ used in conjunction with <B
+CLASS="COMMAND"
+><A
+HREF="#DOMAINMASTER"
+><TT
+CLASS="PARAMETER"
+><I
+> domain master</I
+></TT
+></A
+> = yes</B
+>, so that <B
+CLASS="COMMAND"
+> nmbd</B
+> can guarantee becoming a domain master.</P
+><P
+>Use this option with caution, because if there are several
+ hosts (whether Samba servers, Windows 95 or NT) that are preferred
+ master browsers on the same subnet, they will each periodically
+ and continuously attempt to become the local master browser.
+ This will result in unnecessary broadcast traffic and reduced browsing
+ capabilities.</P
+><P
+>See also <A
+HREF="#OSLEVEL"
+><TT
+CLASS="PARAMETER"
+><I
+>os level</I
+></TT
+>
+ </A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>preferred master = no</B
+></P
+></DD
+><DT
+><A
+NAME="PREFEREDMASTER"
+></A
+>prefered master (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PREFERREDMASTER"
+><TT
+CLASS="PARAMETER"
+><I
+> preferred master</I
+></TT
+></A
+> for people who cannot spell :-).</P
+></DD
+><DT
+><A
+NAME="PRELOAD"
+></A
+>preload</DT
+><DD
+><P
+>Synonym for <A
+HREF="#AUTOSERVICES"
+><TT
+CLASS="PARAMETER"
+><I
+> auto services</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="PRESERVECASE"
+></A
+>preserve case (S)</DT
+><DD
+><P
+> This controls if new filenames are created
+ with the case that the client passes, or if they are forced to
+ be the <A
+HREF="#DEFAULTCASE"
+><TT
+CLASS="PARAMETER"
+><I
+>derault case
+ </I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>preserve case = yes</B
+></P
+><P
+>See the section on <A
+HREF="#AEN201"
+>NAME
+ MANGLING"</A
+> for a fuller discussion.</P
+></DD
+><DT
+><A
+NAME="PRINTCOMMAND"
+></A
+>print command (S)</DT
+><DD
+><P
+>After a print job has finished spooling to
+ a service, this command will be used via a <B
+CLASS="COMMAND"
+>system()</B
+>
+ call to process the spool file. Typically the command specified will
+ submit the spool file to the host's printing subsystem, but there
+ is no requirement that this be the case. The server will not remove
+ the spool file, so whatever command you specify should remove the
+ spool file when it has been processed, otherwise you will need to
+ manually remove old spool files.</P
+><P
+>The print command is simply a text string. It will be used
+ verbatim, with two exceptions: All occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%s
+ </I
+></TT
+> and <TT
+CLASS="PARAMETER"
+><I
+>%f</I
+></TT
+> will be replaced by the
+ appropriate spool file name, and all occurrences of <TT
+CLASS="PARAMETER"
+><I
+>%p
+ </I
+></TT
+> will be replaced by the appropriate printer name. The
+ spool file name is generated automatically by the server, the printer
+ name is discussed below.</P
+><P
+>The print command <I
+CLASS="EMPHASIS"
+>MUST</I
+> contain at least
+ one occurrence of <TT
+CLASS="PARAMETER"
+><I
+>%s</I
+></TT
+> or <TT
+CLASS="PARAMETER"
+><I
+>%f
+ </I
+></TT
+> - the <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is optional. At the time
+ a job is submitted, if no printer name is supplied the <TT
+CLASS="PARAMETER"
+><I
+>%p
+ </I
+></TT
+> will be silently removed from the printer command.</P
+><P
+>If specified in the [global] section, the print command given
+ will be used for any printable service that does not have its own
+ print command specified.</P
+><P
+>If there is neither a specified print command for a
+ printable service nor a global print command, spool files will
+ be created but not processed and (most importantly) not removed.</P
+><P
+>Note that printing may fail on some UNIXs from the
+ <TT
+CLASS="CONSTANT"
+>nobody</TT
+> account. If this happens then create
+ an alternative guest account that can print and set the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+>
+ in the [global] section.</P
+><P
+>You can form quite complex print commands by realizing
+ that they are just passed to a shell. For example the following
+ will log a print job, print the file, then remove it. Note that
+ ';' is the usual separator for command in shell scripts.</P
+><P
+><B
+CLASS="COMMAND"
+>print command = echo Printing %s >>
+ /tmp/print.log; lpr -P %p %s; rm %s</B
+></P
+><P
+>You may have to vary this command considerably depending
+ on how you normally print files on your system. The default for
+ the parameter varies depending on the setting of the <A
+HREF="#PRINTING"
+> <TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: For <B
+CLASS="COMMAND"
+>printing= BSD, AIX, QNX, LPRNG
+ or PLP :</B
+></P
+><P
+><B
+CLASS="COMMAND"
+>print command = lpr -r -P%p %s</B
+></P
+><P
+>For <B
+CLASS="COMMAND"
+>printing= SYS or HPUX :</B
+></P
+><P
+><B
+CLASS="COMMAND"
+>print command = lp -c -d%p %s; rm %s</B
+></P
+><P
+>For <B
+CLASS="COMMAND"
+>printing=SOFTQ :</B
+></P
+><P
+><B
+CLASS="COMMAND"
+>print command = lp -d%p -s %s; rm %s</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>print command = /usr/local/samba/bin/myprintscript
+ %p %s</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTOK"
+></A
+>print ok (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PRINTABLE"
+> <TT
+CLASS="PARAMETER"
+><I
+>printable</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="PRINTABLE"
+></A
+>printable (S)</DT
+><DD
+><P
+>If this parameter is <TT
+CLASS="CONSTANT"
+>yes</TT
+>, then
+ clients may open, write to and submit spool files on the directory
+ specified for the service. </P
+><P
+>Note that a printable service will ALWAYS allow writing
+ to the service path (user privileges permitting) via the spooling
+ of print data. The <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writeable
+ </I
+></TT
+></A
+> parameter controls only non-printing access to
+ the resource.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>printable = no</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTCAP"
+></A
+>printcap (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PRINTCAPNAME"
+><TT
+CLASS="PARAMETER"
+><I
+> printcap name</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="PRINTERADMIN"
+></A
+>printer admin (S)</DT
+><DD
+><P
+>This is a list of users that can do anything to
+ printers via the remote administration interfaces offered by MSRPC
+ (usually using a NT workstation). Note that the root user always
+ has admin rights.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>printer admin = <empty string></B
+>
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer admin = admin, @staff</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTCAPNAME"
+></A
+>printcap name (G)</DT
+><DD
+><P
+>This parameter may be used to override the
+ compiled-in default printcap name used by the server (usually <TT
+CLASS="FILENAME"
+> /etc/printcap</TT
+>). See the discussion of the <A
+HREF="#AEN78"
+>[printers]</A
+> section above for reasons
+ why you might want to do this.</P
+><P
+>On System V systems that use <B
+CLASS="COMMAND"
+>lpstat</B
+> to
+ list available printers you can use <B
+CLASS="COMMAND"
+>printcap name = lpstat
+ </B
+> to automatically obtain lists of available printers. This
+ is the default for systems that define SYSV at configure time in
+ Samba (this includes most System V based systems). If <TT
+CLASS="PARAMETER"
+><I
+> printcap name</I
+></TT
+> is set to <B
+CLASS="COMMAND"
+>lpstat</B
+> on
+ these systems then Samba will launch <B
+CLASS="COMMAND"
+>lpstat -v</B
+> and
+ attempt to parse the output to obtain a printer list.</P
+><P
+>A minimal printcap file would look something like this:</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> print1|My Printer 1
+ print2|My Printer 2
+ print3|My Printer 3
+ print4|My Printer 4
+ print5|My Printer 5
+ </PRE
+></P
+><P
+>where the '|' separates aliases of a printer. The fact
+ that the second alias has a space in it gives a hint to Samba
+ that it's a comment.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE</I
+>: Under AIX the default printcap
+ name is <TT
+CLASS="FILENAME"
+>/etc/qconfig</TT
+>. Samba will assume the
+ file is in AIX <TT
+CLASS="FILENAME"
+>qconfig</TT
+> format if the string
+ <TT
+CLASS="FILENAME"
+>qconfig</TT
+> appears in the printcap filename.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>printcap name = /etc/printcap</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printcap name = /etc/myprintcap</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTER"
+></A
+>printer (S)</DT
+><DD
+><P
+>This parameter specifies the name of the printer
+ to which print jobs spooled through a printable service will be sent.</P
+><P
+>If specified in the [global] section, the printer
+ name given will be used for any printable service that does
+ not have its own printer name specified.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>none (but may be <TT
+CLASS="CONSTANT"
+>lp</TT
+>
+ on many systems)</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer name = laserwriter</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTERDRIVER"
+></A
+>printer driver (S)</DT
+><DD
+><P
+>This option allows you to control the string
+ that clients receive when they ask the server for the printer driver
+ associated with a printer. If you are using Windows95 or WindowsNT
+ then you can use this to automate the setup of printers on your
+ system.</P
+><P
+>You need to set this parameter to the exact string (case
+ sensitive) that describes the appropriate printer driver for your
+ system. If you don't know the exact string to use then you should
+ first try with no <A
+HREF="#PRINTERDRIVER"
+><TT
+CLASS="PARAMETER"
+><I
+> printer driver</I
+></TT
+></A
+> option set and the client will
+ give you a list of printer drivers. The appropriate strings are
+ shown in a scrollbox after you have chosen the printer manufacturer.</P
+><P
+>See also <A
+HREF="#PRINTERDRIVERFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>printer
+ driver file</I
+></TT
+></A
+>.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer driver = HP LaserJet 4L</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTERDRIVERFILE"
+></A
+>printer driver file (G)</DT
+><DD
+><P
+>This parameter tells Samba where the printer driver
+ definition file, used when serving drivers to Windows 95 clients, is
+ to be found. If this is not set, the default is :</P
+><P
+><TT
+CLASS="FILENAME"
+><TT
+CLASS="REPLACEABLE"
+><I
+>SAMBA_INSTALL_DIRECTORY</I
+></TT
+>
+ /lib/printers.def</TT
+></P
+><P
+>This file is created from Windows 95 <TT
+CLASS="FILENAME"
+>msprint.inf
+ </TT
+> files found on the Windows 95 client system. For more
+ details on setting up serving of printer drivers to Windows 95
+ clients, see the documentation file in the <TT
+CLASS="FILENAME"
+>docs/</TT
+>
+ directory, <TT
+CLASS="FILENAME"
+>PRINTER_DRIVER.txt</TT
+>.</P
+><P
+>See also <A
+HREF="#PRINTERDRIVERLOCATION"
+><TT
+CLASS="PARAMETER"
+><I
+> printer driver location</I
+></TT
+></A
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>None (set in compile).</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer driver file =
+ /usr/local/samba/printers/drivers.def</B
+></P
+></DD
+><DT
+><A
+NAME="PRINTERDRIVERLOCATION"
+></A
+>printer driver location (S)</DT
+><DD
+><P
+>This parameter tells clients of a particular printer
+ share where to find the printer driver files for the automatic
+ installation of drivers for Windows 95 machines. If Samba is set up
+ to serve printer drivers to Windows 95 machines, this should be set to</P
+><P
+><B
+CLASS="COMMAND"
+>\\MACHINE\PRINTER$</B
+></P
+><P
+>Where MACHINE is the NetBIOS name of your Samba server,
+ and PRINTER$ is a share you set up for serving printer driver
+ files. For more details on setting this up see the documentation
+ file in the <TT
+CLASS="FILENAME"
+>docs/</TT
+> directory, <TT
+CLASS="FILENAME"
+> PRINTER_DRIVER.txt</TT
+>.</P
+><P
+>See also <A
+HREF="#PRINTERDRIVERFILE"
+><TT
+CLASS="PARAMETER"
+><I
+> printer driver file</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>none</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>printer driver location = \\MACHINE\PRINTER$
+ </B
+></P
+></DD
+><DT
+><A
+NAME="PRINTERNAME"
+></A
+>printer name (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#PRINTER"
+><TT
+CLASS="PARAMETER"
+><I
+> printer</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="PRINTING"
+></A
+>printing (S)</DT
+><DD
+><P
+>This parameters controls how printer status
+ information is interpreted on your system. It also affects the
+ default values for the <TT
+CLASS="PARAMETER"
+><I
+>print command</I
+></TT
+>,
+ <TT
+CLASS="PARAMETER"
+><I
+>lpq command</I
+></TT
+>, <TT
+CLASS="PARAMETER"
+><I
+>lppause command
+ </I
+></TT
+>, <TT
+CLASS="PARAMETER"
+><I
+>lpresume command</I
+></TT
+>, and
+ <TT
+CLASS="PARAMETER"
+><I
+>lprm command</I
+></TT
+> if specified in the
+ [global]f> section.</P
+><P
+>Currently eight printing styles are supported. They are
+ <TT
+CLASS="CONSTANT"
+>BSD</TT
+>, <TT
+CLASS="CONSTANT"
+>AIX</TT
+>,
+ <TT
+CLASS="CONSTANT"
+>LPRNG</TT
+>, <TT
+CLASS="CONSTANT"
+>PLP</TT
+>,
+ <TT
+CLASS="CONSTANT"
+>SYSV</TT
+>, <TT
+CLASS="CONSTANT"
+>HPUX</TT
+>,
+ <TT
+CLASS="CONSTANT"
+>QNX</TT
+>, <TT
+CLASS="CONSTANT"
+>SOFTQ</TT
+>,
+ and <TT
+CLASS="CONSTANT"
+>CUPS</TT
+>.</P
+><P
+>To see what the defaults are for the other print
+ commands when using the various options use the <A
+HREF="testparm.1.html"
+TARGET="_top"
+>testparm(1)</A
+> program.</P
+><P
+>This option can be set on a per printer basis</P
+><P
+>See also the discussion in the <A
+HREF="#AEN78"
+> [printers]</A
+> section.</P
+></DD
+><DT
+><A
+NAME="PRIVATEDIR"
+></A
+>private dir(G)</DT
+><DD
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>private dir</I
+></TT
+> parameter
+ allows an administator to define a directory path used to hold the
+ various databases Samba will use to store things like a the machine
+ trust account information when acting as a domain member (i.e. where
+ the secrets.tdb file will be located), where the passdb.tbd file
+ will stored in the case of using the experiemental tdbsam support,
+ etc...</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>private dir = <compile time location
+ of smbpasswd></B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>private dir = /etc/smbprivate</B
+></P
+></DD
+><DT
+><A
+NAME="PROTOCOL"
+></A
+>protocol (G)</DT
+><DD
+><P
+>The value of the parameter (a string) is the highest
+ protocol level that will be supported by the server.</P
+><P
+>Possible values are :</P
+><P
+></P
+><UL
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>CORE</TT
+>: Earliest version. No
+ concept of user names.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>COREPLUS</TT
+>: Slight improvements on
+ CORE for efficiency.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>LANMAN1</TT
+>: First <I
+CLASS="EMPHASIS"
+> modern</I
+> version of the protocol. Long filename
+ support.</P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>LANMAN2</TT
+>: Updates to Lanman1 protocol.
+ </P
+></LI
+><LI
+><P
+><TT
+CLASS="CONSTANT"
+>NT1</TT
+>: Current up to date version of
+ the protocol. Used by Windows NT. Known as CIFS.</P
+></LI
+></UL
+><P
+>Normally this option should not be set as the automatic
+ negotiation phase in the SMB protocol takes care of choosing
+ the appropriate protocol.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>protocol = NT1</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>protocol = LANMAN1</B
+></P
+></DD
+><DT
+><A
+NAME="PUBLIC"
+></A
+>public (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#GUESTOK"
+><TT
+CLASS="PARAMETER"
+><I
+>guest
+ ok</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="QUEUEPAUSECOMMAND"
+></A
+>queuepause command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to pause the printerqueue.</P
+><P
+>This command should be a program or script which takes
+ a printer name as its only parameter and stops the printerqueue,
+ such that no longer jobs are submitted to the printer.</P
+><P
+>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printer's window under Windows 95
+ and NT.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printername
+ is put in its place. Otherwise it is placed at the end of the command.
+ </P
+><P
+>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>depends on the setting of <TT
+CLASS="PARAMETER"
+><I
+>printing
+ </I
+></TT
+></I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>queuepause command = disable %p</B
+></P
+></DD
+><DT
+><A
+NAME="QUEUERESUMECOMMAND"
+></A
+>queueresume command (S)</DT
+><DD
+><P
+>This parameter specifies the command to be
+ executed on the server host in order to resume the printerqueue. It
+ is the command to undo the behavior that is caused by the
+ previous parameter (<A
+HREF="#QUEUEPAUSECOMMAND"
+><TT
+CLASS="PARAMETER"
+><I
+> queuepause command</I
+></TT
+></A
+>).</P
+><P
+>This command should be a program or script which takes
+ a printer name as its only parameter and resumes the printerqueue,
+ such that queued jobs are resubmitted to the printer.</P
+><P
+>This command is not supported by Windows for Workgroups,
+ but can be issued from the Printer's window under Windows 95
+ and NT.</P
+><P
+>If a <TT
+CLASS="PARAMETER"
+><I
+>%p</I
+></TT
+> is given then the printername
+ is put in its place. Otherwise it is placed at the end of the
+ command.</P
+><P
+>Note that it is good practice to include the absolute
+ path in the command as the PATH may not be available to the
+ server.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>depends on the setting of <A
+HREF="#PRINTING"
+><TT
+CLASS="PARAMETER"
+><I
+>printing</I
+></TT
+></A
+></I
+>
+ </P
+><P
+>Example: <B
+CLASS="COMMAND"
+>queuepause command = enable %p
+ </B
+></P
+></DD
+><DT
+><A
+NAME="READBMPX"
+></A
+>read bmpx (G)</DT
+><DD
+><P
+>This boolean parameter controls whether <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> will support the "Read
+ Block Multiplex" SMB. This is now rarely used and defaults to
+ <TT
+CLASS="CONSTANT"
+>no</TT
+>. You should never need to set this
+ parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>read bmpx = no</B
+></P
+></DD
+><DT
+><A
+NAME="READLIST"
+></A
+>read list (S)</DT
+><DD
+><P
+>This is a list of users that are given read-only
+ access to a service. If the connecting user is in this list then
+ they will not be given write access, no matter what the <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writeable</I
+></TT
+></A
+>
+ option is set to. The list can include group names using the
+ syntax described in the <A
+HREF="#INVALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+> invalid users</I
+></TT
+></A
+> parameter.</P
+><P
+>See also the <A
+HREF="#WRITELIST"
+><TT
+CLASS="PARAMETER"
+><I
+> write list</I
+></TT
+></A
+> parameter and the <A
+HREF="#INVALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>invalid users</I
+></TT
+>
+ </A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>read list = <empty string></B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>read list = mary, @students</B
+></P
+></DD
+><DT
+><A
+NAME="READONLY"
+></A
+>read only (S)</DT
+><DD
+><P
+>Note that this is an inverted synonym for <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writeable</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="READRAW"
+></A
+>read raw (G)</DT
+><DD
+><P
+>This parameter controls whether or not the server
+ will support the raw read SMB requests when transferring data
+ to clients.</P
+><P
+>If enabled, raw reads allow reads of 65535 bytes in
+ one packet. This typically provides a major performance benefit.
+ </P
+><P
+>However, some clients either negotiate the allowable
+ block size incorrectly or are incapable of supporting larger block
+ sizes, and for these clients you may need to disable raw reads.</P
+><P
+>In general this parameter should be viewed as a system tuning
+ tool and left severely alone. See also <A
+HREF="#WRITERAW"
+> <TT
+CLASS="PARAMETER"
+><I
+>write raw</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>read raw = yes</B
+></P
+></DD
+><DT
+><A
+NAME="READSIZE"
+></A
+>read size (G)</DT
+><DD
+><P
+>The option <TT
+CLASS="PARAMETER"
+><I
+>read size</I
+></TT
+>
+ affects the overlap of disk reads/writes with network reads/writes.
+ If the amount of data being transferred in several of the SMB
+ commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
+ than this value then the server begins writing the data before it
+ has received the whole packet from the network, or in the case of
+ SMBreadbraw, it begins writing to the network before all the data
+ has been read from disk.</P
+><P
+>This overlapping works best when the speeds of disk and
+ network access are similar, having very little effect when the
+ speed of one is much greater than the other.</P
+><P
+>The default value is 16384, but very little experimentation
+ has been done yet to determine the optimal value, and it is likely
+ that the best value will vary greatly between systems anyway.
+ A value over 65536 is pointless and will cause you to allocate
+ memory unnecessarily.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>read size = 16384</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>read size = 8192</B
+></P
+></DD
+><DT
+><A
+NAME="REMOTEANNOUNCE"
+></A
+>remote announce (G)</DT
+><DD
+><P
+>This option allows you to setup <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> to periodically announce itself
+ to arbitrary IP addresses with an arbitrary workgroup name.</P
+><P
+>This is useful if you want your Samba server to appear
+ in a remote workgroup for which the normal browse propagation
+ rules don't work. The remote workgroup can be anywhere that you
+ can send IP packets to.</P
+><P
+>For example:</P
+><P
+><B
+CLASS="COMMAND"
+>remote announce = 192.168.2.255/SERVERS
+ 192.168.4.255/STAFF</B
+></P
+><P
+>the above line would cause nmbd to announce itself
+ to the two given IP addresses using the given workgroup names.
+ If you leave out the workgroup name then the one given in
+ the <A
+HREF="#WORKGROUP"
+><TT
+CLASS="PARAMETER"
+><I
+>workgroup</I
+></TT
+></A
+>
+ parameter is used instead.</P
+><P
+>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable.</P
+><P
+>See the documentation file <TT
+CLASS="FILENAME"
+>BROWSING.txt</TT
+>
+ in the <TT
+CLASS="FILENAME"
+>docs/</TT
+> directory.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>remote announce = <empty string>
+ </B
+></P
+></DD
+><DT
+><A
+NAME="REMOTEBROWSESYNC"
+></A
+>remote browse sync (G)</DT
+><DD
+><P
+>This option allows you to setup <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> to periodically request
+ synchronization of browse lists with the master browser of a samba
+ server that is on a remote segment. This option will allow you to
+ gain browse lists for multiple workgroups across routed networks. This
+ is done in a manner that does not work with any non-samba servers.</P
+><P
+>This is useful if you want your Samba server and all local
+ clients to appear in a remote workgroup for which the normal browse
+ propagation rules don't work. The remote workgroup can be anywhere
+ that you can send IP packets to.</P
+><P
+>For example:</P
+><P
+><B
+CLASS="COMMAND"
+>remote browse sync = 192.168.2.255 192.168.4.255
+ </B
+></P
+><P
+>the above line would cause <B
+CLASS="COMMAND"
+>nmbd</B
+> to request
+ the master browser on the specified subnets or addresses to
+ synchronize their browse lists with the local server.</P
+><P
+>The IP addresses you choose would normally be the broadcast
+ addresses of the remote networks, but can also be the IP addresses
+ of known browse masters if your network config is that stable. If
+ a machine IP address is given Samba makes NO attempt to validate
+ that the remote machine is available, is listening, nor that it
+ is in fact the browse master on it's segment.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>remote browse sync = <empty string>
+ </B
+></P
+></DD
+><DT
+><A
+NAME="RESTRICTANONYMOUS"
+></A
+>restrict anonymous (G)</DT
+><DD
+><P
+>This is a boolean parameter. If it is true, then
+ anonymous access to the server will be restricted, namely in the
+ case where the server is expecting the client to send a username,
+ but it doesn't. Setting it to true will force these anonymous
+ connections to be denied, and the client will be required to always
+ supply a username and password when connecting. Use of this parameter
+ is only recommened for homogenous NT client environments.</P
+><P
+>This parameter makes the use of macro expansions that rely
+ on the username (%U, %G, etc) consistant. NT 4.0
+ likes to use anonymous connections when refreshing the share list,
+ and this is a way to work around that.</P
+><P
+>When restrict anonymous is true, all anonymous connections
+ are denied no matter what they are for. This can effect the ability
+ of a machine to access the samba Primary Domain Controller to revalidate
+ it's machine account after someone else has logged on the client
+ interactively. The NT client will display a message saying that
+ the machine's account in the domain doesn't exist or the password is
+ bad. The best way to deal with this is to reboot NT client machines
+ between interactive logons, using "Shutdown and Restart", rather
+ than "Close all programs and logon as a different user".</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>restrict anonymous = no</B
+></P
+></DD
+><DT
+><A
+NAME="ROOT"
+></A
+>root (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#ROOTDIRECTORY"
+> <TT
+CLASS="PARAMETER"
+><I
+>root directory"</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="ROOTDIR"
+></A
+>root dir (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#ROOTDIRECTORY"
+> <TT
+CLASS="PARAMETER"
+><I
+>root directory"</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="ROOTDIRECTORY"
+></A
+>root directory (G)</DT
+><DD
+><P
+>The server will <B
+CLASS="COMMAND"
+>chroot()</B
+> (i.e.
+ Change it's root directory) to this directory on startup. This is
+ not strictly necessary for secure operation. Even without it the
+ server will deny access to files not in one of the service entries.
+ It may also check for, and deny access to, soft links to other
+ parts of the filesystem, or attempts to use ".." in file names
+ to access other directories (depending on the setting of the <A
+HREF="#WIDELINKS"
+><TT
+CLASS="PARAMETER"
+><I
+>wide links</I
+></TT
+></A
+>
+ parameter).</P
+><P
+>Adding a <TT
+CLASS="PARAMETER"
+><I
+>root directory</I
+></TT
+> entry other
+ than "/" adds an extra level of security, but at a price. It
+ absolutely ensures that no access is given to files not in the
+ sub-tree specified in the <TT
+CLASS="PARAMETER"
+><I
+>root directory</I
+></TT
+>
+ option, <I
+CLASS="EMPHASIS"
+>including</I
+> some files needed for
+ complete operation of the server. To maintain full operability
+ of the server you will need to mirror some system files
+ into the <TT
+CLASS="PARAMETER"
+><I
+>root directory</I
+></TT
+> tree. In particular
+ you will need to mirror <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> (or a
+ subset of it), and any binaries or configuration files needed for
+ printing (if required). The set of files that must be mirrored is
+ operating system dependent.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>root directory = /</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>root directory = /homes/smb</B
+></P
+></DD
+><DT
+><A
+NAME="ROOTPOSTEXEC"
+></A
+>root postexec (S)</DT
+><DD
+><P
+>This is the same as the <TT
+CLASS="PARAMETER"
+><I
+>postexec</I
+></TT
+>
+ parameter except that the command is run as root. This
+ is useful for unmounting filesystems
+ (such as cdroms) after a connection is closed.</P
+><P
+>See also <A
+HREF="#POSTEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+> postexec</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="ROOTPREEXEC"
+></A
+>root preexec (S)</DT
+><DD
+><P
+>This is the same as the <TT
+CLASS="PARAMETER"
+><I
+>preexec</I
+></TT
+>
+ parameter except that the command is run as root. This
+ is useful for mounting filesystems
+ (such as cdroms) after a connection is closed.</P
+><P
+>See also <A
+HREF="#PREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+> preexec</I
+></TT
+></A
+> and <A
+HREF="#PREEXECCLOSE"
+> <TT
+CLASS="PARAMETER"
+><I
+>preexec close</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="ROOTPREEXECCLOSE"
+></A
+>root preexec close (S)</DT
+><DD
+><P
+>This is the same as the <TT
+CLASS="PARAMETER"
+><I
+>preexec close
+ </I
+></TT
+> parameter except that the command is run as root.</P
+><P
+>See also <A
+HREF="#PREEXEC"
+><TT
+CLASS="PARAMETER"
+><I
+> preexec</I
+></TT
+></A
+> and <A
+HREF="#PREEXECCLOSE"
+> <TT
+CLASS="PARAMETER"
+><I
+>preexec close</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="SECURITY"
+></A
+>security (G)</DT
+><DD
+><P
+>This option affects how clients respond to
+ Samba and is one of the most important settings in the <TT
+CLASS="FILENAME"
+> smb.conf</TT
+> file.</P
+><P
+>The option sets the "security mode bit" in replies to
+ protocol negotiations with <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)
+ </A
+> to turn share level security on or off. Clients decide
+ based on this bit whether (and how) to transfer user and password
+ information to the server.</P
+><P
+>The default is <B
+CLASS="COMMAND"
+>security = user</B
+>, as this is
+ the most common setting needed when talking to Windows 98 and
+ Windows NT.</P
+><P
+>The alternatives are <B
+CLASS="COMMAND"
+>security = share</B
+>,
+ <B
+CLASS="COMMAND"
+>security = server</B
+> or <B
+CLASS="COMMAND"
+>security=domain
+ </B
+>.</P
+><P
+>In versions of Samba prior to 2..0, the default was
+ <B
+CLASS="COMMAND"
+>security = share</B
+> mainly because that was
+ the only option at one stage.</P
+><P
+>There is a bug in WfWg that has relevance to this
+ setting. When in user or server level security a WfWg client
+ will totally ignore the password you type in the "connect
+ drive" dialog box. This makes it very difficult (if not impossible)
+ to connect to a Samba service as anyone except the user that
+ you are logged into WfWg as.</P
+><P
+>If your PCs use usernames that are the same as their
+ usernames on the UNIX machine then you will want to use
+ <B
+CLASS="COMMAND"
+>security = user</B
+>. If you mostly use usernames
+ that don't exist on the UNIX box then use <B
+CLASS="COMMAND"
+>security =
+ share</B
+>.</P
+><P
+>You should also use <B
+CLASS="COMMAND"
+>security = share</B
+> if you
+ want to mainly setup shares without a password (guest shares). This
+ is commonly used for a shared printer server. It is more difficult
+ to setup guest shares with <B
+CLASS="COMMAND"
+>security = user</B
+>, see
+ the <A
+HREF="#MAPTOGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+>
+ </A
+>parameter for details.</P
+><P
+>It is possible to use <B
+CLASS="COMMAND"
+>smbd</B
+> in a <I
+CLASS="EMPHASIS"
+> hybrid mode</I
+> where it is offers both user and share
+ level security under different <A
+HREF="#NETBIOSALIASES"
+> <TT
+CLASS="PARAMETER"
+><I
+>NetBIOS aliases</I
+></TT
+></A
+>. </P
+><P
+>The different settings will now be explained.</P
+><P
+><A
+NAME="SECURITYEQUALSHARE"
+></A
+><I
+CLASS="EMPHASIS"
+>SECURITY = SHARE
+ </I
+></P
+><P
+>When clients connect to a share level security server then
+ need not log onto the server with a valid username and password before
+ attempting to connect to a shared resource (although modern clients
+ such as Windows 95/98 and Windows NT will send a logon request with
+ a username but no password when talking to a <B
+CLASS="COMMAND"
+>security = share
+ </B
+> server). Instead, the clients send authentication information
+ (passwords) on a per-share basis, at the time they attempt to connect
+ to that share.</P
+><P
+>Note that <B
+CLASS="COMMAND"
+>smbd</B
+> <I
+CLASS="EMPHASIS"
+>ALWAYS</I
+>
+ uses a valid UNIX user to act on behalf of the client, even in
+ <B
+CLASS="COMMAND"
+>security = share</B
+> level security.</P
+><P
+>As clients are not required to send a username to the server
+ in share level security, <B
+CLASS="COMMAND"
+>smbd</B
+> uses several
+ techniques to determine the correct UNIX user to use on behalf
+ of the client.</P
+><P
+>A list of possible UNIX usernames to match with the given
+ client password is constructed using the following methods :</P
+><P
+></P
+><UL
+><LI
+><P
+>If the <A
+HREF="#GUESTONLY"
+><TT
+CLASS="PARAMETER"
+><I
+>guest
+ only</I
+></TT
+></A
+> parameter is set, then all the other
+ stages are missed and only the <A
+HREF="#GUESTACCOUNT"
+> <TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+> username is checked.
+ </P
+></LI
+><LI
+><P
+>Is a username is sent with the share connection
+ request, then this username (after mapping - see <A
+HREF="#USERNAMEMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>username map</I
+></TT
+></A
+>),
+ is added as a potential username.</P
+></LI
+><LI
+><P
+>If the client did a previous <I
+CLASS="EMPHASIS"
+>logon
+ </I
+> request (the SessionSetup SMB call) then the
+ username sent in this SMB will be added as a potential username.
+ </P
+></LI
+><LI
+><P
+>The name of the service the client requested is
+ added as a potential username.</P
+></LI
+><LI
+><P
+>The NetBIOS name of the client is added to
+ the list as a potential username.</P
+></LI
+><LI
+><P
+>Any users on the <A
+HREF="#USER"
+><TT
+CLASS="PARAMETER"
+><I
+> user</I
+></TT
+></A
+> list are added as potential usernames.
+ </P
+></LI
+></UL
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>guest only</I
+></TT
+> parameter is
+ not set, then this list is then tried with the supplied password.
+ The first user for whom the password matches will be used as the
+ UNIX user.</P
+><P
+>If the <TT
+CLASS="PARAMETER"
+><I
+>guest only</I
+></TT
+> parameter is
+ set, or no username can be determined then if the share is marked
+ as available to the <TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+>, then this
+ guest user will be used, otherwise access is denied.</P
+><P
+>Note that it can be <I
+CLASS="EMPHASIS"
+>very</I
+> confusing
+ in share-level security as to which UNIX username will eventually
+ be used in granting access.</P
+><P
+>See also the section <A
+HREF="#AEN234"
+> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
+>.</P
+><P
+><A
+NAME="SECURITYEQUALUSER"
+></A
+><I
+CLASS="EMPHASIS"
+>SECURIYT = USER
+ </I
+></P
+><P
+>This is the default security setting in Samba 2.2.
+ With user-level security a client must first "log=on" with a
+ valid username and password (which can be mapped using the <A
+HREF="#USERNAMEMAP"
+><TT
+CLASS="PARAMETER"
+><I
+>username map</I
+></TT
+></A
+>
+ parameter). Encrypted passwords (see the <A
+HREF="#ENCRYPTPASSWORDS"
+> <TT
+CLASS="PARAMETER"
+><I
+>encrypted passwords</I
+></TT
+></A
+> parameter) can also
+ be used in this security mode. Parameters such as <A
+HREF="#USER"
+> <TT
+CLASS="PARAMETER"
+><I
+>user</I
+></TT
+></A
+> and <A
+HREF="#GUESTONLY"
+> <TT
+CLASS="PARAMETER"
+><I
+>guest only</I
+></TT
+></A
+> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that the name of the resource being
+ requested is <I
+CLASS="EMPHASIS"
+>not</I
+> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+>.
+ See the <A
+HREF="#MAPTOGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+>
+ </A
+> parameter for details on doing this.</P
+><P
+>See also the section <A
+HREF="#AEN234"
+> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
+>.</P
+><P
+><A
+NAME="SECURITYEQUALSERVER"
+></A
+><I
+CLASS="EMPHASIS"
+>SECURITY = SERVER
+ </I
+></P
+><P
+>In this mode Samba will try to validate the username/password
+ by passing it to another SMB server, such as an NT box. If this
+ fails it will revert to <B
+CLASS="COMMAND"
+>security = user</B
+>, but note
+ that if encrypted passwords have been negotiated then Samba cannot
+ revert back to checking the UNIX password file, it must have a valid
+ <TT
+CLASS="FILENAME"
+>smbpasswd</TT
+> file to check users against. See the
+ documentation file in the <TT
+CLASS="FILENAME"
+>docs/</TT
+> directory
+ <TT
+CLASS="FILENAME"
+>ENCRYPTION.txt</TT
+> for details on how to set this
+ up.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that from the clients point of
+ view <B
+CLASS="COMMAND"
+>security = server</B
+> is the same as <B
+CLASS="COMMAND"
+> security = user</B
+>. It only affects how the server deals
+ with the authentication, it does not in any way affect what the
+ client sees.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that the name of the resource being
+ requested is <I
+CLASS="EMPHASIS"
+>not</I
+> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+>.
+ See the <A
+HREF="#MAPTOGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+>
+ </A
+> parameter for details on doing this.</P
+><P
+>See also the section <A
+HREF="#AEN234"
+> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
+>.</P
+><P
+>See also the <A
+HREF="#PASSWORDSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>password
+ server</I
+></TT
+></A
+> parameter and the <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypted passwords</I
+></TT
+>
+ </A
+> parameter.</P
+><P
+><A
+NAME="SECURITYEQUALSDOMAIN"
+></A
+><I
+CLASS="EMPHASIS"
+>SECURITY = DOMAIN
+ </I
+></P
+><P
+>This mode will only work correctly if <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+>smbpasswd(8)</A
+> has been used to add this
+ machine into a Windows NT Domain. It expects the <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypted passwords</I
+></TT
+>
+ </A
+> parameter to be set to <TT
+CLASS="CONSTANT"
+>true</TT
+>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that from the clients point
+ of view <B
+CLASS="COMMAND"
+>security = domain</B
+> is the same as <B
+CLASS="COMMAND"
+>security = user
+ </B
+>. It only affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that the name of the resource being
+ requested is <I
+CLASS="EMPHASIS"
+>not</I
+> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <A
+HREF="#GUESTACCOUNT"
+><TT
+CLASS="PARAMETER"
+><I
+>guest account</I
+></TT
+></A
+>.
+ See the <A
+HREF="#MAPTOGUEST"
+><TT
+CLASS="PARAMETER"
+><I
+>map to guest</I
+></TT
+>
+ </A
+> parameter for details on doing this.</P
+><P
+><I
+CLASS="EMPHASIS"
+>BUG:</I
+> There is currently a bug in the
+ implementation of <B
+CLASS="COMMAND"
+>security = domain</B
+> with respect
+ to multi-byte character set usernames. The communication with a
+ Domain Controller must be done in UNICODE and Samba currently
+ does not widen multi-byte user names to UNICODE correctly, thus
+ a multi-byte username will not be recognized correctly at the
+ Domain Controller. This issue will be addressed in a future release.</P
+><P
+>See also the section <A
+HREF="#AEN234"
+> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A
+>.</P
+><P
+>See also the <A
+HREF="#PASSWORDSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+>password
+ server</I
+></TT
+></A
+> parameter and the <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypted passwords</I
+></TT
+>
+ </A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>security = USER</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>security = DOMAIN</B
+></P
+></DD
+><DT
+><A
+NAME="SECURITYMASK"
+></A
+>security mask (S)</DT
+><DD
+><P
+>This parameter controls what UNIX permission
+ bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security
+ dialog box.</P
+><P
+>This parameter is applied as a mask (AND'ed with) to
+ the changed permission bits, thus preventing any bits not in
+ this mask from being modified. Essentially, zero bits in this
+ mask may be treated as a set of bits the user is not allowed
+ to change.</P
+><P
+>If not set explicitly this parameter is set to the same
+ value as the <A
+HREF="#CREATEMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>create mask
+ </I
+></TT
+></A
+> parameter. To allow a user to modify all the
+ user/group/world permissions on a file, set this parameter to
+ 0777.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that users who can access the
+ Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone
+ "appliance" systems. Administrators of most normal systems will
+ probably want to set it to 0777.</P
+><P
+>See also the <A
+HREF="#FORCEDIRECTORYSECURITYMODE"
+> <TT
+CLASS="PARAMETER"
+><I
+>force directory security mode</I
+></TT
+></A
+>,
+ <A
+HREF="#DIRECTORYSECURITYMASK"
+><TT
+CLASS="PARAMETER"
+><I
+>directory
+ security mask</I
+></TT
+></A
+>, <A
+HREF="#FORCESECURITYMODE"
+> <TT
+CLASS="PARAMETER"
+><I
+>force security mode</I
+></TT
+></A
+> parameters.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>security mask = <same as create mask>
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>security mask = 0777</B
+></P
+></DD
+><DT
+><A
+NAME="SERVERSTRING"
+></A
+>server string (G)</DT
+><DD
+><P
+>This controls what string will show up in the
+ printer comment box in print manager and next to the IPC connection
+ in <B
+CLASS="COMMAND"
+>net view"</B
+>. It can be any string that you wish
+ to show to your users.</P
+><P
+>It also sets what will appear in browse lists next
+ to the machine name.</P
+><P
+>A <TT
+CLASS="PARAMETER"
+><I
+>%v</I
+></TT
+> will be replaced with the Samba
+ version number.</P
+><P
+>A <TT
+CLASS="PARAMETER"
+><I
+>%h</I
+></TT
+> will be replaced with the
+ hostname.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>server string = Samba %v</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>server string = University of GNUs Samba
+ Server</B
+></P
+></DD
+><DT
+><A
+NAME="SETDIRECTORY"
+></A
+>set directory (S)</DT
+><DD
+><P
+>If <B
+CLASS="COMMAND"
+>set directory = no</B
+>, then
+ users of the service may not use the setdir command to change
+ directory.</P
+><P
+>The <B
+CLASS="COMMAND"
+>setdir</B
+> command is only implemented
+ in the Digital Pathworks client. See the Pathworks documentation
+ for details.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>set directory = no</B
+></P
+></DD
+><DT
+><A
+NAME="SHAREMODES"
+></A
+>share modes (S)</DT
+><DD
+><P
+>This enables or disables the honoring of
+ the <TT
+CLASS="PARAMETER"
+><I
+>share modes</I
+></TT
+> during a file open. These
+ modes are used by clients to gain exclusive read or write access
+ to a file.</P
+><P
+>These open modes are not directly supported by UNIX, so
+ they are simulated using shared memory, or lock files if your
+ UNIX doesn't support shared memory (almost all do).</P
+><P
+>The share modes that are enabled by this option are
+ <TT
+CLASS="CONSTANT"
+>DENY_DOS</TT
+>, <TT
+CLASS="CONSTANT"
+>DENY_ALL</TT
+>,
+ <TT
+CLASS="CONSTANT"
+>DENY_READ</TT
+>, <TT
+CLASS="CONSTANT"
+>DENY_WRITE</TT
+>,
+ <TT
+CLASS="CONSTANT"
+>DENY_NONE</TT
+> and <TT
+CLASS="CONSTANT"
+>DENY_FCB</TT
+>.
+ </P
+><P
+>This option gives full share compatibility and enabled
+ by default.</P
+><P
+>You should <I
+CLASS="EMPHASIS"
+>NEVER</I
+> turn this parameter
+ off as many Windows applications will break if you do so.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>share modes = yes</B
+></P
+></DD
+><DT
+><A
+NAME="SHAREDMEMSIZE"
+></A
+>shared mem size (G)</DT
+><DD
+><P
+>It specifies the size of the shared memory (in
+ bytes) to use between <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+>
+ processes. This parameter defaults to one megabyte of shared
+ memory. It is possible that if you have a large erver with many
+ files open simultaneously that you may need to increase this
+ parameter. Signs that this parameter is set too low are users
+ reporting strange problems trying to save files (locking errors)
+ and error messages in the smbd log looking like <I
+CLASS="EMPHASIS"
+>ERROR
+ smb_shm_alloc : alloc of XX bytes failed</I
+>.</P
+><P
+>If your OS refuses the size that Samba asks for then
+ Samba will try a smaller size, reducing by a factor of 0.8 until
+ the OS accepts it.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>shared mem size = 1048576</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>shared mem size = 5242880 ; Set to 5mb for a
+ large number of files.</B
+></P
+></DD
+><DT
+><A
+NAME="SHORTPRESERVECASE"
+></A
+>short preserve case (S)</DT
+><DD
+><P
+>This boolean parameter controls if new files
+ which conform to 8.3 syntax, that is all in upper case and of
+ suitable length, are created upper case, or if they are forced
+ to be the <A
+HREF="#DEFAULTCASE"
+><TT
+CLASS="PARAMETER"
+><I
+>default case
+ </I
+></TT
+></A
+>. This option can be use with <A
+HREF="#PRESERVECASE"
+><B
+CLASS="COMMAND"
+>preserve case = yes</B
+>
+ </A
+> to permit long filenames to retain their case, while short
+ names are lowered. </P
+><P
+>See the section on <A
+HREF="#AEN201"
+> NAME MANGLING</A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>short preserve case = yes</B
+></P
+></DD
+><DT
+><A
+NAME="SMBPASSWDFILE"
+></A
+>smb passwd file (G)</DT
+><DD
+><P
+>This option sets the path to the encrypted
+ smbpasswd file. By default the path to the smbpasswd file
+ is compiled into Samba.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>smb passwd file= <compiled
+ default></B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>smb passwd file = /usr/samba/private/smbpasswd
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SMBRUN"
+></A
+>smbrun (G)</DT
+><DD
+><P
+>This sets the full path to the <B
+CLASS="COMMAND"
+>smbrun
+ </B
+> binary. This defaults to the value in the <TT
+CLASS="FILENAME"
+> Makefile</TT
+>.</P
+><P
+>You must get this path right for many services
+ to work correctly.</P
+><P
+>You should not need to change this parameter so
+ long as Samba is installed correctly.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>smbrun=<compiled default>
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>smbrun = /usr/local/samba/bin/smbrun
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SOCKETADDRESS"
+></A
+>socket address (G)</DT
+><DD
+><P
+>This option allows you to control what
+ address Samba will listen for connections on. This is used to
+ support multiple virtual interfaces on the one server, each
+ with a different configuration.</P
+><P
+>By default samba will accept connections on any
+ address.</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>socket address = 192.168.2.20</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="SOCKETOPTIONS"
+></A
+>socket options (G)</DT
+><DD
+><P
+>This option allows you to set socket options
+ to be used when talking with the client.</P
+><P
+>Socket options are controls on the networking layer
+ of the operating systems which allow the connection to be
+ tuned.</P
+><P
+>This option will typically be used to tune your Samba
+ server for optimal performance for your local network. There is
+ no way that Samba can know what the optimal parameters are for
+ your net, so you must experiment and choose them yourself. We
+ strongly suggest you read the appropriate documentation for your
+ operating system first (perhaps <B
+CLASS="COMMAND"
+>man setsockopt</B
+>
+ will help).</P
+><P
+>You may find that on some systems Samba will say
+ "Unknown socket option" when you supply an option. This means you
+ either incorrectly typed it or you need to add an include file
+ to includes.h for your OS. If the latter is the case please
+ send the patch to <A
+HREF="mailto:samba@samba.org"
+TARGET="_top"
+> samba@samba.org</A
+>.</P
+><P
+>Any of the supported socket options may be combined
+ in any way you like, as long as your OS allows it.</P
+><P
+>This is the list of socket options currently settable
+ using this option:</P
+><P
+></P
+><UL
+><LI
+><P
+>SO_KEEPALIVE</P
+></LI
+><LI
+><P
+>SO_REUSEADDR</P
+></LI
+><LI
+><P
+>SO_BROADCAST</P
+></LI
+><LI
+><P
+>TCP_NODELAY</P
+></LI
+><LI
+><P
+>IPTOS_LOWDELAY</P
+></LI
+><LI
+><P
+>IPTOS_THROUGHPUT</P
+></LI
+><LI
+><P
+>SO_SNDBUF *</P
+></LI
+><LI
+><P
+>SO_RCVBUF *</P
+></LI
+><LI
+><P
+>SO_SNDLOWAT *</P
+></LI
+><LI
+><P
+>SO_RCVLOWAT *</P
+></LI
+></UL
+><P
+>Those marked with a <I
+CLASS="EMPHASIS"
+>'*'</I
+> take an integer
+ argument. The others can optionally take a 1 or 0 argument to enable
+ or disable the option, by default they will be enabled if you
+ don't specify 1 or 0.</P
+><P
+>To specify an argument use the syntax SOME_OPTION=VALUE
+ for example <B
+CLASS="COMMAND"
+>SO_SNDBUF=8192</B
+>. Note that you must
+ not have any spaces before or after the = sign.</P
+><P
+>If you are on a local network then a sensible option
+ might be</P
+><P
+><B
+CLASS="COMMAND"
+>socket options = IPTOS_LOWDELAY</B
+></P
+><P
+>If you have a local network then you could try:</P
+><P
+><B
+CLASS="COMMAND"
+>socket options = IPTOS_LOWDELAY TCP_NODELAY</B
+></P
+><P
+>If you are on a wide area network then perhaps try
+ setting IPTOS_THROUGHPUT. </P
+><P
+>Note that several of the options may cause your Samba
+ server to fail completely. Use these options with caution!</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>socket options = TCP_NODELAY</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>socket options = IPTOS_LOWDELAY</B
+></P
+></DD
+><DT
+><A
+NAME="SOURCEENVIRONMENT"
+></A
+>source environment (G)</DT
+><DD
+><P
+>This parameter causes Samba to set environment
+ variables as per the content of the file named.</P
+><P
+>If the value of this parameter starts with a "|" character
+ then Samba will treat that value as a pipe command to open and
+ will set the environment variables from the output of the pipe.</P
+><P
+>The contents of the file or the output of the pipe should
+ be formatted as the output of the standard Unix <B
+CLASS="COMMAND"
+>env(1)
+ </B
+> command. This is of the form :</P
+><P
+>Example environment entry:</P
+><P
+><B
+CLASS="COMMAND"
+>SAMBA_NETBIOS_NAME=myhostname</B
+></P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>No default value</I
+></P
+><P
+>Examples: <B
+CLASS="COMMAND"
+>source environment = |/etc/smb.conf.sh
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>source environment =
+ /usr/local/smb_env_vars</B
+></P
+></DD
+><DT
+><A
+NAME="SSL"
+></A
+>ssl (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>This variable enables or disables the entire SSL mode. If
+ it is set to <TT
+CLASS="CONSTANT"
+>no</TT
+>, the SSL enabled samba behaves
+ exactly like the non-SSL samba. If set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>,
+ it depends on the variables <A
+HREF="#SSLHOSTS"
+><TT
+CLASS="PARAMETER"
+><I
+> ssl hosts</I
+></TT
+></A
+> and <A
+HREF="#SSLHOSTSRESIGN"
+> <TT
+CLASS="PARAMETER"
+><I
+>ssl hosts resign</I
+></TT
+></A
+> whether an SSL
+ connection will be required.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl=no</B
+></P
+></DD
+><DT
+><A
+NAME="SSLCACERTDIR"
+></A
+>ssl CA certDir (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>This variable defines where to look up the Certification
+ Authorities. The given directory should contain one file for
+ each CA that samba will trust. The file name must be the hash
+ value over the "Distinguished Name" of the CA. How this directory
+ is set up is explained later in this document. All files within the
+ directory that don't fit into this naming scheme are ignored. You
+ don't need this variable if you don't verify client certificates.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl CA certDir = /usr/local/ssl/certs
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLCACERTFILE"
+></A
+>ssl CA certFile (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>This variable is a second way to define the trusted CAs.
+ The certificates of the trusted CAs are collected in one big
+ file and this variable points to the file. You will probably
+ only use one of the two ways to define your CAs. The first choice is
+ preferable if you have many CAs or want to be flexible, the second
+ is preferable if you only have one CA and want to keep things
+ simple (you won't need to create the hashed file names). You
+ don't need this variable if you don't verify client certificates.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLCIPHERS"
+></A
+>ssl ciphers (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>This variable defines the ciphers that should be offered
+ during SSL negotiation. You should not set this variable unless
+ you know what you are doing.</P
+></DD
+><DT
+><A
+NAME="SSLCLIENTCERT"
+></A
+>ssl client cert (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>The certificate in this file is used by <A
+HREF="smbclient.1.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbclient(1)</B
+></A
+> if it exists. It's needed
+ if the server requires a client certificate.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl client cert = /usr/local/ssl/certs/smbclient.pem
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLCLIENTKEY"
+></A
+>ssl client key (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>This is the private key for <A
+HREF="smbclient.1.html"
+TARGET="_top"
+> <B
+CLASS="COMMAND"
+>smbclient(1)</B
+></A
+>. It's only needed if the
+ client should have a certificate. </P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl client key = /usr/local/ssl/private/smbclient.pem
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLCOMPATIBILITY"
+></A
+>ssl compatibility (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>This variable defines whether SSLeay should be configured
+ for bug compatibility with other SSL implementations. This is
+ probably not desirable because currently no clients with SSL
+ implementations other than SSLeay exist.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl compatibility = no</B
+></P
+></DD
+><DT
+><A
+NAME="SSLHOSTS"
+></A
+>ssl hosts (G)</DT
+><DD
+><P
+>See <A
+HREF="#SSLHOSTSRESIGN"
+><TT
+CLASS="PARAMETER"
+><I
+> ssl hosts resign</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="SSLHOSTSRESIGN"
+></A
+>ssl hosts resign (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>These two variables define whether samba will go
+ into SSL mode or not. If none of them is defined, samba will
+ allow only SSL connections. If the <A
+HREF="#SSLHOSTS"
+> <TT
+CLASS="PARAMETER"
+><I
+>ssl hosts</I
+></TT
+></A
+> variable lists
+ hosts (by IP-address, IP-address range, net group or name),
+ only these hosts will be forced into SSL mode. If the <TT
+CLASS="PARAMETER"
+><I
+> ssl hosts resign</I
+></TT
+> variable lists hosts, only these
+ hosts will NOT be forced into SSL mode. The syntax for these two
+ variables is the same as for the <A
+HREF="#HOSTSALLOW"
+><TT
+CLASS="PARAMETER"
+><I
+> hosts allow</I
+></TT
+></A
+> and <A
+HREF="#HOSTSDENY"
+> <TT
+CLASS="PARAMETER"
+><I
+>hosts deny</I
+></TT
+></A
+> pair of variables, only
+ that the subject of the decision is different: It's not the access
+ right but whether SSL is used or not. </P
+><P
+>The example below requires SSL connections from all hosts
+ outside the local net (which is 192.168.*.*).</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl hosts = <empty string></B
+></P
+><P
+><B
+CLASS="COMMAND"
+>ssl hosts resign = <empty string></B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>ssl hosts resign = 192.168.</B
+></P
+></DD
+><DT
+><A
+NAME="SSLREQUIRECLIENTCERT"
+></A
+>ssl require clientcert (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>If this variable is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>, the
+ server will not tolerate connections from clients that don't
+ have a valid certificate. The directory/file given in <A
+HREF="#SSLCACERTDIR"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl CA certDir</I
+></TT
+>
+ </A
+> and <A
+HREF="#SSLCACERTFILE"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl CA certFile
+ </I
+></TT
+></A
+> will be used to look up the CAs that issued
+ the client's certificate. If the certificate can't be verified
+ positively, the connection will be terminated. If this variable
+ is set to <TT
+CLASS="CONSTANT"
+>no</TT
+>, clients don't need certificates.
+ Contrary to web applications you really <I
+CLASS="EMPHASIS"
+>should</I
+>
+ require client certificates. In the web environment the client's
+ data is sensitive (credit card numbers) and the server must prove
+ to be trustworthy. In a file server environment the server's data
+ will be sensitive and the clients must prove to be trustworthy.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl require clientcert = no</B
+></P
+></DD
+><DT
+><A
+NAME="SSLREQUIRESERVERCERT"
+></A
+>ssl require servercert (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>If this variable is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>, the
+ <A
+HREF="smbclient.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbclient(1)</B
+>
+ </A
+> will request a certificate from the server. Same as
+ <A
+HREF="#SSLREQUIRECLIENTCERT"
+><TT
+CLASS="PARAMETER"
+><I
+>ssl require
+ clientcert</I
+></TT
+></A
+> for the server.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl require servercert = no</B
+>
+ </P
+></DD
+><DT
+><A
+NAME="SSLSERVERCERT"
+></A
+>ssl server cert (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>This is the file containing the server's certificate.
+ The server <I
+CLASS="EMPHASIS"
+>must</I
+> have a certificate. The
+ file may also contain the server's private key. See later for
+ how certificates and private keys are created.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl server cert = <empty string>
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLSERVERKEY"
+></A
+>ssl server key (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>This file contains the private key of the server. If
+ this variable is not defined, the key is looked up in the
+ certificate file (it may be appended to the certificate).
+ The server <I
+CLASS="EMPHASIS"
+>must</I
+> have a private key
+ and the certificate <I
+CLASS="EMPHASIS"
+>must</I
+>
+ match this private key.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl server key = <empty string>
+ </B
+></P
+></DD
+><DT
+><A
+NAME="SSLVERSION"
+></A
+>ssl version (G)</DT
+><DD
+><P
+>This variable is part of SSL-enabled Samba. This
+ is only available if the SSL libraries have been compiled on your
+ system and the configure option <B
+CLASS="COMMAND"
+>--with-ssl</B
+> was
+ given at configure time.</P
+><P
+><I
+CLASS="EMPHASIS"
+>Note</I
+> that for export control reasons
+ this code is <I
+CLASS="EMPHASIS"
+>NOT</I
+> enabled by default in any
+ current binary version of Samba.</P
+><P
+>This enumeration variable defines the versions of the
+ SSL protocol that will be used. <TT
+CLASS="CONSTANT"
+>ssl2or3</TT
+> allows
+ dynamic negotiation of SSL v2 or v3, <TT
+CLASS="CONSTANT"
+>ssl2</TT
+> results
+ in SSL v2, <TT
+CLASS="CONSTANT"
+>ssl3</TT
+> results in SSL v3 and
+ <TT
+CLASS="CONSTANT"
+>tls1</TT
+> results in TLS v1. TLS (Transport Layer
+ Security) is the new standard for SSL.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>ssl version = "ssl2or3"</B
+></P
+></DD
+><DT
+><A
+NAME="STATCACHE"
+></A
+>stat cache (G)</DT
+><DD
+><P
+>This parameter determines if <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)</A
+> will use a cache in order to
+ speed up case insensitive name mappings. You should never need
+ to change this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>stat cache = yes</B
+></P
+></DD
+><DT
+><A
+NAME="STATCACHESIZE"
+></A
+>stat cache size (G)</DT
+><DD
+><P
+>This parameter determines the number of
+ entries in the <TT
+CLASS="PARAMETER"
+><I
+>stat cache</I
+></TT
+>. You should
+ never need to change this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>stat cache size = 50</B
+></P
+></DD
+><DT
+><A
+NAME="STATUS"
+></A
+>status (G)</DT
+><DD
+><P
+>This enables or disables logging of connections
+ to a status file that <A
+HREF="smbstatus.1.html"
+TARGET="_top"
+>smbstatus(1)</A
+>
+ can read.</P
+><P
+>With this disabled <B
+CLASS="COMMAND"
+>smbstatus</B
+> won't be able
+ to tell you what connections are active. You should never need to
+ change this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>status = yes</B
+></P
+></DD
+><DT
+><A
+NAME="STRICTLOCKING"
+></A
+>strict locking (S)</DT
+><DD
+><P
+>This is a boolean that controls the handling of
+ file locking in the server. When this is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>
+ the server will check every read and write access for file locks, and
+ deny access if locks exist. This can be slow on some systems.</P
+><P
+>When strict locking is <TT
+CLASS="CONSTANT"
+>no</TT
+> the server does file
+ lock checks only when the client explicitly asks for them.</P
+><P
+>Well behaved clients always ask for lock checks when it
+ is important, so in the vast majority of cases <B
+CLASS="COMMAND"
+>strict
+ locking = no</B
+> is preferable.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>strict locking = no</B
+></P
+></DD
+><DT
+><A
+NAME="STRICTSYNC"
+></A
+>strict sync (S)</DT
+><DD
+><P
+>Many Windows applications (including the Windows
+ 98 explorer shell) seem to confuse flushing buffer contents to
+ disk with doing a sync to disk. Under UNIX, a sync call forces
+ the process to be suspended until the kernel has ensured that
+ all outstanding data in kernel disk buffers has been safely stored
+ onto stable storage. This is very slow and should only be done
+ rarely. Setting this parameter to <TT
+CLASS="CONSTANT"
+>no</TT
+> (the
+ default) means that smbd ignores the Windows applications requests for
+ a sync call. There is only a possibility of losing data if the
+ operating system itself that Samba is running on crashes, so there is
+ little danger in this default setting. In addition, this fixes many
+ performance problems that people have reported with the new Windows98
+ explorer shell file copies.</P
+><P
+>See also the <A
+HREF="#SYNCALWAYS"
+><TT
+CLASS="PARAMETER"
+><I
+>sync
+ always></I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>strict sync = no</B
+></P
+></DD
+><DT
+><A
+NAME="STRIPDOT"
+></A
+>strip dot (G)</DT
+><DD
+><P
+>This is a boolean that controls whether to
+ strip trailing dots off UNIX filenames. This helps with some
+ CDROMs that have filenames ending in a single dot.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>strip dot = no</B
+></P
+></DD
+><DT
+><A
+NAME="SYNCALWAYS"
+></A
+>sync always (S)</DT
+><DD
+><P
+>This is a boolean parameter that controls
+ whether writes will always be written to stable storage before
+ the write call returns. If this is false then the server will be
+ guided by the client's request in each write call (clients can
+ set a bit indicating that a particular write should be synchronous).
+ If this is true then every write will be followed by a <B
+CLASS="COMMAND"
+>fsync()
+ </B
+> call to ensure the data is written to disk. Note that
+ the <TT
+CLASS="PARAMETER"
+><I
+>strict sync</I
+></TT
+> parameter must be set to
+ <TT
+CLASS="CONSTANT"
+>yes</TT
+> in order for this parameter to have
+ any affect.</P
+><P
+>See also the <A
+HREF="#STRICTSYNC"
+><TT
+CLASS="PARAMETER"
+><I
+>strict
+ sync</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>sync always = no</B
+></P
+></DD
+><DT
+><A
+NAME="SYSLOG"
+></A
+>syslog (G)</DT
+><DD
+><P
+>This parameter maps how Samba debug messages
+ are logged onto the system syslog logging levels. Samba debug
+ level zero maps onto syslog <TT
+CLASS="CONSTANT"
+>LOG_ERR</TT
+>, debug
+ level one maps onto <TT
+CLASS="CONSTANT"
+>LOG_WARNING</TT
+>, debug level
+ two maps onto <TT
+CLASS="CONSTANT"
+>LOG_NOTICE</TT
+>, debug level three
+ maps onto LOG_INFO. All higher levels are mapped to <TT
+CLASS="CONSTANT"
+> LOG_DEBUG</TT
+>.</P
+><P
+>This paramter sets the threshold for sending messages
+ to syslog. Only messages with debug level less than this value
+ will be sent to syslog.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>syslog = 1</B
+></P
+></DD
+><DT
+><A
+NAME="SYSLOGONLY"
+></A
+>syslog only (G)</DT
+><DD
+><P
+>If this parameter is set then Samba debug
+ messages are logged into the system syslog only, and not to
+ the debug log files.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>syslog only = no</B
+></P
+></DD
+><DT
+><A
+NAME="TEMPLATEHOMEDIR"
+></A
+>template homedir (G)</DT
+><DD
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> this parameter is
+ only available in Samba 3.0.</P
+><P
+>When filling out the user information for a Windows NT
+ user, the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> daemon
+ uses this parameter to fill in the home directory for that user.
+ If the string <TT
+CLASS="PARAMETER"
+><I
+>%D</I
+></TT
+> is present it is substituted
+ with the user's Windows NT domain name. If the string <TT
+CLASS="PARAMETER"
+><I
+>%U
+ </I
+></TT
+> is present it is substituted with the user's Windows
+ NT user name.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>template homedir = /home/%D/%U</B
+></P
+></DD
+><DT
+><A
+NAME="TEMPLATESHELL"
+></A
+>template shell (G)</DT
+><DD
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> this parameter is
+ only available in Samba 3.0.</P
+><P
+>When filling out the user information for a Windows NT
+ user, the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> daemon
+ uses this parameter to fill in the login shell for that user.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>template shell = /bin/false</B
+></P
+></DD
+><DT
+><A
+NAME="TIMEOFFSET"
+></A
+>time offset (G)</DT
+><DD
+><P
+>This parameter is a setting in minutes to add
+ to the normal GMT to local time conversion. This is useful if
+ you are serving a lot of PCs that have incorrect daylight
+ saving time handling.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>time offset = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>time offset = 60</B
+></P
+></DD
+><DT
+><A
+NAME="TIMESERVER"
+></A
+>time server (G)</DT
+><DD
+><P
+>This parameter determines if <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>
+ nmbd(8)</A
+> advertises itself as a time server to Windows
+ clients.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>time server = no</B
+></P
+></DD
+><DT
+><A
+NAME="TIMESTAMPLOGS"
+></A
+>timestamp logs (G)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#DEBUGTIMESTAMP"
+><TT
+CLASS="PARAMETER"
+><I
+> debug timestamp</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="UNIXPASSWORDSYNC"
+></A
+>unix password sync (G)</DT
+><DD
+><P
+>This boolean parameter controls whether Samba
+ attempts to synchronize the UNIX password with the SMB password
+ when the encrypted SMB password in the smbpasswd file is changed.
+ If this is set to true the program specified in the <TT
+CLASS="PARAMETER"
+><I
+>passwd
+ program</I
+></TT
+>parameter is called <I
+CLASS="EMPHASIS"
+>AS ROOT</I
+> -
+ to allow the new UNIX password to be set without access to the
+ old UNIX password (as the SMB password has change code has no
+ access to the old password cleartext, only the new).</P
+><P
+>See also <A
+HREF="#PASSWDPROGRAM"
+><TT
+CLASS="PARAMETER"
+><I
+>passwd
+ program</I
+></TT
+></A
+>, <A
+HREF="#PASSWDCHAT"
+><TT
+CLASS="PARAMETER"
+><I
+> passwd chat</I
+></TT
+></A
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>unix password sync = no</B
+></P
+></DD
+><DT
+><A
+NAME="UNIXREALNAME"
+></A
+>unix realname (G)</DT
+><DD
+><P
+>This boolean parameter when set causes samba
+ to supply the real name field from the unix password file to
+ the client. This isuseful for setting up mail clients and WWW
+ browsers on systems used by more than one person.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>unix realname = no</B
+></P
+></DD
+><DT
+><A
+NAME="UPDATEENCRYPTED"
+></A
+>update encrypted (G)</DT
+><DD
+><P
+>This boolean parameter allows a user logging
+ on with a plaintext password to have their encrypted (hashed)
+ password in the smbpasswd file to be updated automatically as
+ they log on. This option allows a site to migrate from plaintext
+ password authentication (users authenticate with plaintext
+ password over the wire, and are checked against a UNIX account
+ database) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing
+ all users to re-enter their passwords via smbpasswd at the time the
+ change is made. This is a convenience option to allow the change over
+ to encrypted passwords to be made over a longer period. Once all users
+ have encrypted representations of their passwords in the smbpasswd
+ file this parameter should be set to <TT
+CLASS="CONSTANT"
+>no</TT
+>.</P
+><P
+>In order for this parameter to work correctly the <A
+HREF="#ENCRYPTPASSWORDS"
+><TT
+CLASS="PARAMETER"
+><I
+>encrypt passwords</I
+></TT
+>
+ </A
+> parameter must be set to <TT
+CLASS="CONSTANT"
+>no</TT
+> when
+ this parameter is set to <TT
+CLASS="CONSTANT"
+>yes</TT
+>.</P
+><P
+>Note that even when this parameter is set a user
+ authenticating to <B
+CLASS="COMMAND"
+>smbd</B
+> must still enter a valid
+ password in order to connect correctly, and to update their hashed
+ (smbpasswd) passwords.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>update encrypted = no</B
+></P
+></DD
+><DT
+><A
+NAME="USERHOSTS"
+></A
+>use rhosts (G)</DT
+><DD
+><P
+>If this global parameter is a true, it specifies
+ that the UNIX users <TT
+CLASS="FILENAME"
+>.rhosts</TT
+> file in their home directory
+ will be read to find the names of hosts and users who will be allowed
+ access without specifying a password.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> The use of <TT
+CLASS="PARAMETER"
+><I
+>use rhosts
+ </I
+></TT
+> can be a major security hole. This is because you are
+ trusting the PC to supply the correct username. It is very easy to
+ get a PC to supply a false username. I recommend that the <TT
+CLASS="PARAMETER"
+><I
+> use rhosts</I
+></TT
+> option be only used if you really know what
+ you are doing.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>use rhosts = no</B
+></P
+></DD
+><DT
+><A
+NAME="USER"
+></A
+>user (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#USERNAME"
+><TT
+CLASS="PARAMETER"
+><I
+> username</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="USERS"
+></A
+>users (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#USERNAME"
+><TT
+CLASS="PARAMETER"
+><I
+> username</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="USERNAME"
+></A
+>username (S)</DT
+><DD
+><P
+>Multiple users may be specified in a comma-delimited
+ list, in which case the supplied password will be tested against
+ each username in turn (left to right).</P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>username</I
+></TT
+> line is needed only when
+ the PC is unable to supply its own username. This is the case
+ for the COREPLUS protocol or where your users have different WfWg
+ usernames to UNIX usernames. In both these cases you may also be
+ better using the \\server\share%user syntax instead.</P
+><P
+>The <TT
+CLASS="PARAMETER"
+><I
+>username</I
+></TT
+> line is not a great
+ solution in many cases as it means Samba will try to validate
+ the supplied password against each of the usernames in the
+ <TT
+CLASS="PARAMETER"
+><I
+>username</I
+></TT
+> line in turn. This is slow and
+ a bad idea for lots of users in case of duplicate passwords.
+ You may get timeouts or security breaches using this parameter
+ unwisely.</P
+><P
+>Samba relies on the underlying UNIX security. This
+ parameter does not restrict who can login, it just offers hints
+ to the Samba server as to what usernames might correspond to the
+ supplied password. Users can login as whoever they please and
+ they will be able to do no more damage than if they started a
+ telnet session. The daemon runs as the user that they log in as,
+ so they cannot do anything that user cannot do.</P
+><P
+>To restrict a service to a particular set of users you
+ can use the <A
+HREF="#VALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>valid users
+ </I
+></TT
+></A
+> parameter.</P
+><P
+>If any of the usernames begin with a '@' then the name
+ will be looked up first in the yp netgroups list (if Samba
+ is compiled with netgroup support), followed by a lookup in
+ the UNIX groups database and will expand to a list of all users
+ in the group of that name.</P
+><P
+>If any of the usernames begin with a '+' then the name
+ will be looked up only in the UNIX groups database and will
+ expand to a list of all users in the group of that name.</P
+><P
+>If any of the usernames begin with a '&'then the name
+ will be looked up only in the yp netgroups database (if Samba
+ is compiled with netgroup support) and will expand to a list
+ of all users in the netgroup group of that name.</P
+><P
+>Note that searching though a groups database can take
+ quite some time, snd some clients may time out during the
+ search.</P
+><P
+>See the section <A
+HREF="#AEN234"
+>NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</A
+> for more information on how
+ this parameter determines access to the services.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>The guest account if a guest service,
+ else the name of the service.</B
+></P
+><P
+>Examples:<B
+CLASS="COMMAND"
+>username = fred, mary, jack, jane,
+ @users, @pcgroup</B
+></P
+></DD
+><DT
+><A
+NAME="USERNAMELEVEL"
+></A
+>username level (G)</DT
+><DD
+><P
+>This option helps Samba to try and 'guess' at
+ the real UNIX username, as many DOS clients send an all-uppercase
+ username. By default Samba tries all lowercase, followed by the
+ username with the first letter capitalized, and fails if the
+ username is not found on the UNIX machine.</P
+><P
+>If this parameter is set to non-zero the behavior changes.
+ This parameter is a number that specifies the number of uppercase
+ combinations to try whilst trying to determine the UNIX user name. The
+ higher the number the more combinations will be tried, but the slower
+ the discovery of usernames will be. Use this parameter when you have
+ strange usernames on your UNIX machine, such as <TT
+CLASS="CONSTANT"
+>AstrangeUser
+ </TT
+>.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>username level = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>username level = 5</B
+></P
+></DD
+><DT
+><A
+NAME="USERNAMEMAP"
+></A
+>username map (G)</DT
+><DD
+><P
+>This option allows you to specify a file containing
+ a mapping of usernames from the clients to the server. This can be
+ used for several purposes. The most common is to map usernames
+ that users use on DOS or Windows machines to those that the UNIX
+ box uses. The other is to map multiple users to a single username
+ so that they can more easily share files.</P
+><P
+>The map file is parsed line by line. Each line should
+ contain a single UNIX username on the left then a '=' followed
+ by a list of usernames on the right. The list of usernames on the
+ right may contain names of the form @group in which case they
+ will match any UNIX username in that group. The special client
+ name '*' is a wildcard and matches any name. Each line of the
+ map file may be up to 1023 characters long.</P
+><P
+>The file is processed on each line by taking the
+ supplied username and comparing it with each username on the right
+ hand side of the '=' signs. If the supplied name matches any of
+ the names on the right hand side then it is replaced with the name
+ on the left. Processing then continues with the next line.</P
+><P
+>If any line begins with a '#' or a ';' then it is
+ ignored</P
+><P
+>If any line begins with an '!' then the processing
+ will stop after that line if a mapping was done by the line.
+ Otherwise mapping continues with every line being processed.
+ Using '!' is most useful when you have a wildcard mapping line
+ later in the file.</P
+><P
+>For example to map from the name <TT
+CLASS="CONSTANT"
+>admin</TT
+>
+ or <TT
+CLASS="CONSTANT"
+>administrator</TT
+> to the UNIX name <TT
+CLASS="CONSTANT"
+> root</TT
+> you would use:</P
+><P
+><B
+CLASS="COMMAND"
+>root = admin administrator</B
+></P
+><P
+>Or to map anyone in the UNIX group <TT
+CLASS="CONSTANT"
+>system</TT
+>
+ to the UNIX name <TT
+CLASS="CONSTANT"
+>sys</TT
+> you would use:</P
+><P
+><B
+CLASS="COMMAND"
+>sys = @system</B
+></P
+><P
+>You can have as many mappings as you like in a username
+ map file.</P
+><P
+>If your system supports the NIS NETGROUP option then
+ the netgroup database is checked before the <TT
+CLASS="FILENAME"
+>/etc/group
+ </TT
+> database for matching groups.</P
+><P
+>You can map Windows usernames that have spaces in them
+ by using double quotes around the name. For example:</P
+><P
+><B
+CLASS="COMMAND"
+>tridge = "Andrew Tridgell"</B
+></P
+><P
+>would map the windows username "Andrew Tridgell" to the
+ unix username "tridge".</P
+><P
+>The following example would map mary and fred to the
+ unix user sys, and map the rest to guest. Note the use of the
+ '!' to tell Samba to stop processing if it gets a match on
+ that line.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> !sys = mary fred
+ guest = *
+ </PRE
+></P
+><P
+>Note that the remapping is applied to all occurrences
+ of usernames. Thus if you connect to \\server\fred and <TT
+CLASS="CONSTANT"
+> fred</TT
+> is remapped to <TT
+CLASS="CONSTANT"
+>mary</TT
+> then you
+ will actually be connecting to \\server\mary and will need to
+ supply a password suitable for <TT
+CLASS="CONSTANT"
+>mary</TT
+> not
+ <TT
+CLASS="CONSTANT"
+>fred</TT
+>. The only exception to this is the
+ username passed to the <A
+HREF="#PASSWORDSERVER"
+><TT
+CLASS="PARAMETER"
+><I
+> password server</I
+></TT
+></A
+> (if you have one). The password
+ server will receive whatever username the client supplies without
+ modification.</P
+><P
+>Also note that no reverse mapping is done. The main effect
+ this has is with printing. Users who have been mapped may have
+ trouble deleting print jobs as PrintManager under WfWg will think
+ they don't own the print job.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no username map</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>username map = /usr/local/samba/lib/users.map
+ </B
+></P
+></DD
+><DT
+><A
+NAME="UTMP"
+></A
+>utmp (S)</DT
+><DD
+><P
+>This boolean parameter is only available if
+ Samba has been configured and compiled with the option <B
+CLASS="COMMAND"
+> --with-utmp</B
+>. If set to True then Samba will attempt
+ to add utmp or utmpx records (depending on the UNIX system) whenever a
+ connection is made to a Samba server. Sites may use this to record the
+ user connecting to a Samba share.</P
+><P
+>See also the <A
+HREF="#UTMPDIRECTORY"
+><TT
+CLASS="PARAMETER"
+><I
+> utmp directory</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>utmp = no</B
+></P
+></DD
+><DT
+><A
+NAME="UTMPDIRECTORY"
+></A
+>utmp directory(G)</DT
+><DD
+><P
+>This parameter is only available if Samba has
+ been configured and compiled with the option <B
+CLASS="COMMAND"
+> --with-utmp</B
+>. It specifies a directory pathname that is
+ used to store the utmp or utmpx files (depending on the UNIX system) that
+ record user connections to a Samba server. See also the <A
+HREF="#UTMP"
+> <TT
+CLASS="PARAMETER"
+><I
+>utmp</I
+></TT
+></A
+> parameter. By default this is
+ not set, meaning the system will use whatever utmp file the
+ native system is set to use (usually
+ <TT
+CLASS="FILENAME"
+>/var/run/utmp</TT
+> on Linux).</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>no utmp directory</I
+></P
+></DD
+><DT
+><A
+NAME="WINBINDCACHETIME"
+></A
+>winbind cache time</DT
+><DD
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> this parameter is only
+ available in Samba 3.0.</P
+><P
+>This parameter specifies the number of seconds the
+ <A
+HREF="winbindd.8.html"
+TARGET="_top"
+>winbindd(8)</A
+> daemon will cache
+ user and group information before querying a Windows NT server
+ again.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind cache type = 15</B
+></P
+></DD
+><DT
+><A
+NAME="WINBINDGID"
+></A
+>winbind gid</DT
+><DD
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> this parameter is only
+ available in Samba 3.0.</P
+><P
+>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+> winbindd(8)</A
+> daemon. This range of group ids should have no
+ existing local or nis groups within it as strange conflicts can
+ occur otherwise.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind gid = <empty string>
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind gid = 10000-20000</B
+></P
+></DD
+><DT
+><A
+NAME="WINBINDUID"
+></A
+>winbind uid</DT
+><DD
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> this parameter is only
+ available in Samba 3.0.</P
+><P
+>The winbind gid parameter specifies the range of group
+ ids that are allocated by the <A
+HREF="winbindd.8.html"
+TARGET="_top"
+> winbindd(8)</A
+> daemon. This range of ids should have no
+ existing local or nis users within it as strange conflicts can
+ occur otherwise.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>winbind uid = <empty string>
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>winbind uid = 10000-20000</B
+></P
+></DD
+><DT
+><A
+NAME="VALIDCHARS"
+></A
+>valid chars (G)</DT
+><DD
+><P
+>The option allows you to specify additional
+ characters that should be considered valid by the server in
+ filenames. This is particularly useful for national character
+ sets, such as adding u-umlaut or a-ring.</P
+><P
+>The option takes a list of characters in either integer
+ or character form with spaces between them. If you give two
+ characters with a colon between them then it will be taken as
+ an lowercase:uppercase pair.</P
+><P
+>If you have an editor capable of entering the characters
+ into the config file then it is probably easiest to use this
+ method. Otherwise you can specify the characters in octal,
+ decimal or hexadecimal form using the usual C notation.</P
+><P
+>For example to add the single character 'Z' to the charset
+ (which is a pointless thing to do as it's already there) you could
+ do one of the following</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+> valid chars = Z
+ valid chars = z:Z
+ valid chars = 0132:0172
+ </PRE
+></P
+><P
+>The last two examples above actually add two characters,
+ and alter the uppercase and lowercase mappings appropriately.</P
+><P
+>Note that you <I
+CLASS="EMPHASIS"
+>MUST</I
+> specify this parameter
+ after the <TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+> parameter if you
+ have both set. If <TT
+CLASS="PARAMETER"
+><I
+>client code page</I
+></TT
+> is set after
+ the <TT
+CLASS="PARAMETER"
+><I
+>valid chars</I
+></TT
+> parameter the <TT
+CLASS="PARAMETER"
+><I
+>valid
+ chars</I
+></TT
+> settings will be overwritten.</P
+><P
+>See also the <A
+HREF="#CLIENTCODEPAGE"
+><TT
+CLASS="PARAMETER"
+><I
+>client
+ code page</I
+></TT
+></A
+> parameter.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>Samba defaults to using a reasonable set
+ of valid characters for English systems</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>valid chars = 0345:0305 0366:0326 0344:0304
+ </B
+></P
+><P
+>The above example allows filenames to have the Swedish
+ characters in them.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> It is actually quite difficult to
+ correctly produce a <TT
+CLASS="PARAMETER"
+><I
+>valid chars</I
+></TT
+> line for
+ a particular system. To automate the process <A
+HREF="mailto:tino@augsburg.net"
+TARGET="_top"
+>tino@augsburg.net</A
+> has written
+ a package called <B
+CLASS="COMMAND"
+>validchars</B
+> which will automatically
+ produce a complete <TT
+CLASS="PARAMETER"
+><I
+>valid chars</I
+></TT
+> line for
+ a given client system. Look in the <TT
+CLASS="FILENAME"
+>examples/validchars/
+ </TT
+> subdirectory of your Samba source code distribution
+ for this package.</P
+></DD
+><DT
+><A
+NAME="VALIDUSERS"
+></A
+>valid users (S)</DT
+><DD
+><P
+>This is a list of users that should be allowed
+ to login to this service. Names starting with '@', '+' and '&'
+ are interpreted using the same rules as described in the
+ <TT
+CLASS="PARAMETER"
+><I
+>invalid users</I
+></TT
+> parameter.</P
+><P
+>If this is empty (the default) then any user can login.
+ If a username is in both this list and the <TT
+CLASS="PARAMETER"
+><I
+>invalid
+ users</I
+></TT
+> list then access is denied for that user.</P
+><P
+>The current servicename is substituted for <TT
+CLASS="PARAMETER"
+><I
+>%S
+ </I
+></TT
+>. This is useful in the [homes] section.</P
+><P
+>See also <A
+HREF="#INVALIDUSERS"
+><TT
+CLASS="PARAMETER"
+><I
+>invalid users
+ </I
+></TT
+></A
+></P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>No valid users list (anyone can login)
+ </I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>valid users = greg, @pcusers</B
+></P
+></DD
+><DT
+><A
+NAME="VETOFILES"
+></A
+>veto files(S)</DT
+><DD
+><P
+>This is a list of files and directories that
+ are neither visible nor accessible. Each entry in the list must
+ be separated by a '/', which allows spaces to be included
+ in the entry. '*' and '?' can be used to specify multiple files
+ or directories as in DOS wildcards.</P
+><P
+>Each entry must be a unix path, not a DOS path and
+ must <I
+CLASS="EMPHASIS"
+>not</I
+> include the unix directory
+ separator '/'.</P
+><P
+>Note that the <TT
+CLASS="PARAMETER"
+><I
+>case sensitive</I
+></TT
+> option
+ is applicable in vetoing files.</P
+><P
+>One feature of the veto files parameter that it is important
+ to be aware of, is that if a directory contains nothing but files
+ that match the veto files parameter (which means that Windows/DOS
+ clients cannot ever see them) is deleted, the veto files within
+ that directory <I
+CLASS="EMPHASIS"
+>are automatically deleted</I
+> along
+ with it, if the user has UNIX permissions to do so.</P
+><P
+>Setting this parameter will affect the performance
+ of Samba, as it will be forced to check all files and directories
+ for a match as they are scanned.</P
+><P
+>See also <A
+HREF="#HIDEFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>hide files
+ </I
+></TT
+></A
+> and <A
+HREF="#CASESENSITIVE"
+><TT
+CLASS="PARAMETER"
+><I
+> case sensitive</I
+></TT
+></A
+>.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>No files or directories are vetoed.
+ </I
+></P
+><P
+>Examples:<PRE
+CLASS="PROGRAMLISTING"
+> ; Veto any files containing the word Security,
+ ; any ending in .tmp, and any directory containing the
+ ; word root.
+ veto files = /*Security*/*.tmp/*root*/
-<p></dl>
-<p><a name="WARNINGS"></a>
-<h2>WARNINGS</h2>
-
-<p>Although the configuration file permits service names to contain
-spaces, your client software may not. Spaces will be ignored in
-comparisons anyway, so it shouldn't be a problem - but be aware of the
-possibility.
-<p>On a similar note, many clients - especially DOS clients - limit
-service names to eight characters. <a href="smbd.8.html"><strong>Smbd</strong></a> has no
-such limitation, but attempts to connect from such clients will fail
-if they truncate the service names. For this reason you should
-probably keep your service names down to eight characters in length.
-<p>Use of the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> and <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a>
-special sections make life for an administrator easy, but the various
-combinations of default attributes can be tricky. Take extreme care
-when designing these sections. In particular, ensure that the
-permissions on spool directories are correct.
-<p><a name="VERSION"></a>
-<h2>VERSION</h2>
-
-<p>This man page is correct for version 2.0 of the Samba suite.
-<p><a name="SEEALSO"></a>
-<h2>SEE ALSO</h2>
-
-<p><a href="smbd.8.html"><strong>smbd (8)</strong></a>, <a href="smbclient.1.html"><strong>smbclient (1)</strong></a>,
-<a href="nmbd.8.html"><strong>nmbd (8)</strong></a>, <a href="testparm.1.html"><strong>testparm (1)</strong></a>,
-<a href="testprns.1.html"><strong>testprns (1)</strong></a>, <a href="samba.7.html"><strong>Samba</strong></a>,
-<a href="nmblookup.1.html"><strong>nmblookup (1)</strong></a>, <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a>,
-<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>.
-<p><a name="AUTHOR"></a>
-<h2>AUTHOR</h2>
-
-<p>The original Samba software and related utilities were created by
-Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed
-by the Samba Team as an Open Source project similar to the way the
-Linux kernel is developed.
-<p>The original Samba man pages were written by Karl Auer. The man page
-sources were converted to YODL format (another excellent piece of Open
-Source software, available at
-<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>)
-and updated for the Samba2.0 release by Jeremy Allison.
-<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>.
-<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full
-list of contributors and details on how to submit bug reports,
-comments etc.
-</body>
-</html>
+ ; Veto the Apple specific files that a NetAtalk server
+ ; creates.
+ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+ </PRE
+></P
+></DD
+><DT
+><A
+NAME="VETOOPLOCKFILES"
+></A
+>veto oplock files (S)</DT
+><DD
+><P
+>This parameter is only valid when the <A
+HREF="#OPLOCKS"
+><TT
+CLASS="PARAMETER"
+><I
+>oplocks</I
+></TT
+></A
+>
+ parameter is turned on for a share. It allows the Samba administrator
+ to selectively turn off the granting of oplocks on selected files that
+ match a wildcarded list, similar to the wildcarded list used in the
+ <A
+HREF="#VETOFILES"
+><TT
+CLASS="PARAMETER"
+><I
+>veto files</I
+></TT
+></A
+>
+ parameter.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>No files are vetoed for oplock
+ grants</I
+></P
+><P
+>You might want to do this on files that you know will
+ be heavily contended for by clients. A good example of this
+ is in the NetBench SMB benchmark program, which causes heavy
+ client contention for files ending in <TT
+CLASS="FILENAME"
+>.SEM</TT
+>.
+ To cause Samba not to grant oplocks on these files you would use
+ the line (either in the [global] section or in the section for
+ the particular NetBench share :</P
+><P
+>Example: <B
+CLASS="COMMAND"
+>veto oplock files = /*;.SEM/
+ </B
+></P
+></DD
+><DT
+><A
+NAME="VOLUME"
+></A
+>volume (S)</DT
+><DD
+><P
+> This allows you to override the volume label
+ returned for a share. Useful for CDROMs with installation programs
+ that insist on a particular volume label.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>the name of the share</I
+></P
+></DD
+><DT
+><A
+NAME="WIDELINKS"
+></A
+>wide links (S)</DT
+><DD
+><P
+>This parameter controls whether or not links
+ in the UNIX file system may be followed by the server. Links
+ that point to areas within the directory tree exported by the
+ server are always allowed; this parameter controls access only
+ to areas that are outside the directory tree being exported.</P
+><P
+>Note that setting this parameter can have a negative
+ effect on your server performance due to the extra system calls
+ that Samba has to do in order to perform the link checks.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>wide links = yes</B
+></P
+></DD
+><DT
+><A
+NAME="WINSPROXY"
+></A
+>wins proxy (G)</DT
+><DD
+><P
+>This is a boolean that controls if <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>nmbd(8)</A
+> will respond to broadcast name
+ queries on behalf of other hosts. You may need to set this
+ to <TT
+CLASS="CONSTANT"
+>yes</TT
+> for some older clients.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>wins proxy = no</B
+></P
+></DD
+><DT
+><A
+NAME="WINSSERVER"
+></A
+>wins server (G)</DT
+><DD
+><P
+>This specifies the IP address (or DNS name: IP
+ address for preference) of the WINS server that <A
+HREF="nmbd.8.html"
+TARGET="_top"
+> nmbd(8)</A
+> should register with. If you have a WINS server on
+ your network then you should set this to the WINS server's IP.</P
+><P
+>You should point this at your WINS server if you have a
+ multi-subnetted network.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE</I
+>. You need to set up Samba to point
+ to a WINS server if you have multiple subnets and wish cross-subnet
+ browsing to work correctly.</P
+><P
+>See the documentation file <TT
+CLASS="FILENAME"
+>BROWSING.txt</TT
+>
+ in the docs/ directory of your Samba source distribution.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>not enabled</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>wins server = 192.9.200.1</B
+></P
+></DD
+><DT
+><A
+NAME="WINSHOOK"
+></A
+>wins hook (G)</DT
+><DD
+><P
+>When Samba is running as a WINS server this
+ allows you to call an external program for all changes to the
+ WINS database. The primary use for this option is to allow the
+ dynamic update of external name resolution databases such as
+ dynamic DNS.</P
+><P
+>The wins hook parameter specifies the name of a script
+ or executable that will be called as follows:</P
+><P
+><B
+CLASS="COMMAND"
+>wins_hook operation name nametype ttl IP_list
+ </B
+></P
+><P
+></P
+><UL
+><LI
+><P
+>The first argument is the operation and is one
+ of "add", "delete", or "refresh". In most cases the operation can
+ be ignored as the rest of the parameters provide sufficient
+ information. Note that "refresh" may sometimes be called when the
+ name has not previously been added, in that case it should be treated
+ as an add.</P
+></LI
+><LI
+><P
+>The second argument is the netbios name. If the
+ name is not a legal name then the wins hook is not called.
+ Legal names contain only letters, digits, hyphens, underscores
+ and periods.</P
+></LI
+><LI
+><P
+>The third argument is the netbios name
+ type as a 2 digit hexadecimal number. </P
+></LI
+><LI
+><P
+>The fourth argument is the TTL (time to live)
+ for the name in seconds.</P
+></LI
+><LI
+><P
+>The fifth and subsequent arguments are the IP
+ addresses currently registered for that name. If this list is
+ empty then the name should be deleted.</P
+></LI
+></UL
+><P
+>An example script that calls the BIND dynamic DNS update
+ program <B
+CLASS="COMMAND"
+>nsupdate</B
+> is provided in the examples
+ directory of the Samba source code. </P
+></DD
+><DT
+><A
+NAME="WINSSUPPORT"
+></A
+>wins support (G)</DT
+><DD
+><P
+>This boolean controls if the <A
+HREF="nmbd.8.html"
+TARGET="_top"
+>
+ nmbd(8)</A
+> process in Samba will act as a WINS server. You should
+ not set this to true unless you have a multi-subnetted network and
+ you wish a particular <B
+CLASS="COMMAND"
+>nmbd</B
+> to be your WINS server.
+ Note that you should <I
+CLASS="EMPHASIS"
+>NEVER</I
+> set this to true
+ on more than one machine in your network.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>wins support = no</B
+></P
+></DD
+><DT
+><A
+NAME="WORKGROUP"
+></A
+>workgroup (G)</DT
+><DD
+><P
+>This controls what workgroup your server will
+ appear to be in when queried by clients. Note that this parameter
+ also controls the Domain name used with the <A
+HREF="#WORKGROUP"
+><B
+CLASS="COMMAND"
+>security=domain</B
+></A
+>
+ setting.</P
+><P
+>Default: <I
+CLASS="EMPHASIS"
+>set at compile time to WORKGROUP</I
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>workgroup = MYGROUP</B
+></P
+></DD
+><DT
+><A
+NAME="WRITABLE"
+></A
+>writable (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+> writeable</I
+></TT
+></A
+> for people who can't spell :-).</P
+></DD
+><DT
+><A
+NAME="WRITELIST"
+></A
+>write list (S)</DT
+><DD
+><P
+>This is a list of users that are given read-write
+ access to a service. If the connecting user is in this list then
+ they will be given write access, no matter what the <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+>writeable</I
+></TT
+></A
+>
+ option is set to. The list can include group names using the
+ @group syntax.</P
+><P
+>Note that if a user is in both the read list and the
+ write list then they will be given write access.</P
+><P
+>See also the <A
+HREF="#READLIST"
+><TT
+CLASS="PARAMETER"
+><I
+>read list
+ </I
+></TT
+></A
+> option.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>write list = <empty string>
+ </B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>write list = admin, root, @staff
+ </B
+></P
+></DD
+><DT
+><A
+NAME="WRITECACHESIZE"
+></A
+>write cache size (S)</DT
+><DD
+><P
+>This integer parameter (new with Samba 2.0.7)
+ if set to non-zero causes Samba to create an in-memory cache for
+ each oplocked file (it does <I
+CLASS="EMPHASIS"
+>not</I
+> do this for
+ non-oplocked files). All writes that the client does not request
+ to be flushed directly to disk will be stored in this cache if possible.
+ The cache is flushed onto disk when a write comes in whose offset
+ would not fit into the cache or when the file is closed by the client.
+ Reads for the file are also served from this cache if the data is stored
+ within it.</P
+><P
+>This cache allows Samba to batch client writes into a more
+ efficient write size for RAID disks (ie. writes may be tuned to
+ be the RAID stripe size) and can improve performance on systems
+ where the disk subsystem is a bottleneck but there is free
+ memory for userspace programs.</P
+><P
+>The integer parameter specifies the size of this cache
+ (per oplocked file) in bytes.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>write cache size = 0</B
+></P
+><P
+>Example: <B
+CLASS="COMMAND"
+>write cache size = 262144</B
+></P
+><P
+>for a 256k cache size per file.</P
+></DD
+><DT
+><A
+NAME="WRITEOK"
+></A
+>write ok (S)</DT
+><DD
+><P
+>Synonym for <A
+HREF="#WRITEABLE"
+><TT
+CLASS="PARAMETER"
+><I
+> writeable</I
+></TT
+></A
+>.</P
+></DD
+><DT
+><A
+NAME="WRITERAW"
+></A
+>write raw (G)</DT
+><DD
+><P
+>This parameter controls whether or not the server
+ will support raw writes SMB's when transferring data from clients.
+ You should never need to change this parameter.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>write raw = yes</B
+></P
+></DD
+><DT
+><A
+NAME="WRITEABLE"
+></A
+>writeable (S)</DT
+><DD
+><P
+>An inverted synonym is <A
+HREF="#READONLY"
+> <TT
+CLASS="PARAMETER"
+><I
+>read only</I
+></TT
+></A
+>.</P
+><P
+>If this parameter is <TT
+CLASS="CONSTANT"
+>no</TT
+>, then users
+ of a service may not create or modify files in the service's
+ directory.</P
+><P
+>Note that a printable service (<B
+CLASS="COMMAND"
+>printable = yes</B
+>)
+ will <I
+CLASS="EMPHASIS"
+>ALWAYS</I
+> allow writing to the directory
+ (user privileges permitting), but only via spooling operations.</P
+><P
+>Default: <B
+CLASS="COMMAND"
+>writeable = no</B
+></P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN5053"
+></A
+><H2
+>WARNINGS</H2
+><P
+>Although the configuration file permits service names
+ to contain spaces, your client software may not. Spaces will
+ be ignored in comparisons anyway, so it shouldn't be a
+ problem - but be aware of the possibility.</P
+><P
+>On a similar note, many clients - especially DOS clients -
+ limit service names to eight characters. <A
+HREF="smbd.8.html"
+TARGET="_top"
+>smbd(8)
+ </A
+> has no such limitation, but attempts to connect from such
+ clients will fail if they truncate the service names. For this reason
+ you should probably keep your service names down to eight characters
+ in length.</P
+><P
+>Use of the [homes] and [printers] special sections make life
+ for an administrator easy, but the various combinations of default
+ attributes can be tricky. Take extreme care when designing these
+ sections. In particular, ensure that the permissions on spool
+ directories are correct.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN5059"
+></A
+><H2
+>VERSION</H2
+><P
+>This man page is correct for version 2.2 of
+ the Samba suite.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN5062"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><A
+HREF="samba.7.html"
+TARGET="_top"
+>samba(7)</A
+>,
+ <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbpasswd(8)</B
+></A
+>,
+ <A
+HREF="swat.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>swat(8)</B
+></A
+>,
+ <A
+HREF="smbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbd(8)</B
+></A
+>,
+ <A
+HREF="nmbd.8.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>nmbd(8)</B
+></A
+>,
+ <A
+HREF="smbclient.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>smbclient(1)</B
+></A
+>,
+ <A
+HREF="nmblookup.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>nmblookup(1)</B
+></A
+>,
+ <A
+HREF="testparm.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>testparm(1)</B
+></A
+>,
+ <A
+HREF="testprns.1.html"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>testprns(1)</B
+></A
+>
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN5082"
+></A
+><H2
+>AUTHOR</H2
+><P
+>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</P
+><P
+>The original Samba man pages were written by Karl Auer.
+ The man page sources were converted to YODL format (another
+ excellent piece of Open Source software, available at
+ <A
+HREF="ftp://ftp.icce.rug.nl/pub/unix/"
+TARGET="_top"
+> ftp://ftp.icce.rug.nl/pub/unix/</A
+>) and updated for the Samba 2.0
+ release by Jeremy Allison. The conversion to DocBook for
+ Samba 2.2 was done by Gerald Carter</P
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
-.TH "smb\&.conf " "5" "10 Jan 2001" "Samba" "SAMBA"
-.PP
-.SH "NAME"
-smb\&.conf \- The configuration file for the Samba suite
-.PP
-.SH "SYNOPSIS"
-.PP
-\fBsmb\&.conf\fP The \fBsmb\&.conf\fP file is a configuration file for the
-Samba suite\&. \fBsmb\&.conf\fP contains runtime configuration information
-for the Samba programs\&. The \fBsmb\&.conf\fP file is designed to be
-configured and administered by the \fBswat (8)\fP
-program\&. The complete description of the file format and possible
-parameters held within are here for reference purposes\&.
-.PP
-.SH "FILE FORMAT"
-.PP
-The file consists of sections and parameters\&. A section begins with
-the name of the section in square brackets and continues until the
-next section begins\&. Sections contain parameters of the form
-.PP
-\f(CW\'name = value\'\fP
-.PP
-The file is line-based - that is, each newline-terminated line
-represents either a comment, a section name or a parameter\&.
-.PP
-Section and parameter names are not case sensitive\&.
-.PP
-Only the first equals sign in a parameter is significant\&. Whitespace
-before or after the first equals sign is discarded\&. Leading, trailing
-and internal whitespace in section and parameter names is
-irrelevant\&. Leading and trailing whitespace in a parameter value is
-discarded\&. Internal whitespace within a parameter value is retained
-verbatim\&.
-.PP
-Any line beginning with a semicolon (\';\') or a hash (\'#\') character is
-ignored, as are lines containing only whitespace\&.
-.PP
-Any line ending in a \f(CW\'\e\'\fP is "continued" on the next line in the
-customary UNIX fashion\&.
-.PP
-The values following the equals sign in parameters are all either a
-string (no quotes needed) or a boolean, which may be given as yes/no,
-0/1 or true/false\&. Case is not significant in boolean values, but is
-preserved in string values\&. Some items such as create modes are
-numeric\&.
-.PP
-.SH "SECTION DESCRIPTIONS"
-.PP
+.\" This manpage has been automatically generated by docbook2man-spec
+.\" from a DocBook document. docbook2man-spec can be found at:
+.\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
+.\" Please send any bug reports, improvements, comments, patches,
+.\" etc. to Steve Cheng <steve@ggi-project.org>.
+.TH "SMB.CONF" "5" "22 February 2001" "" ""
+.SH NAME
+smb.conf \- The configuration file for the Samba suite
+.SH "SYNOPSIS"
+.PP
+The \fIsmb.conf\fR file is a configuration
+file for the Samba suite. \fIsmb.conf\fR contains
+runtime configuration information for the Samba programs. The
+\fIsmb.conf\fR file is designed to be configured and
+administered by the \fBswat(8)\fR
+ <URL:swat.8.html> program. The complete description of the file format and
+possible parameters held within are here for reference purposes.
+.SH "FILE FORMAT"
+.PP
+The file consists of sections and parameters. A section
+begins with the name of the section in square brackets and continues
+until the next section begins. Sections contain parameters of the
+form
+.PP
+\fIname\fR = \fIvalue
+\fR.PP
+The file is line-based - that is, each newline-terminated
+line represents either a comment, a section name or a parameter.
+.PP
+Section and parameter names are not case sensitive.
+.PP
+Only the first equals sign in a parameter is significant.
+Whitespace before or after the first equals sign is discarded.
+Leading, trailing and internal whitespace in section and parameter
+names is irrelevant. Leading and trailing whitespace in a parameter
+value is discarded. Internal whitespace within a parameter value
+is retained verbatim.
+.PP
+Any line beginning with a semicolon (';') or a hash ('#')
+character is ignored, as are lines containing only whitespace.
+.PP
+Any line ending in a '\\' is continued
+on the next line in the customary UNIX fashion.
+.PP
+The values following the equals sign in parameters are all
+either a string (no quotes needed) or a boolean, which may be given
+as yes/no, 0/1 or true/false. Case is not significant in boolean
+values, but is preserved in string values. Some items such as
+create modes are numeric.
+.SH "SECTION DESCRIPTIONS"
+.PP
Each section in the configuration file (except for the
-\fB[global]\fP section) describes a shared resource (known
-as a \fI"share"\fP)\&. The section name is the name of the shared resource
-and the parameters within the section define the shares attributes\&.
-.PP
-There are three special sections, \fB[global]\fP,
-\fB[homes]\fP and \fB[printers]\fP, which are
-described under \fB\'special sections\'\fP\&. The
-following notes apply to ordinary section descriptions\&.
-.PP
-A share consists of a directory to which access is being given plus
-a description of the access rights which are granted to the user of
-the service\&. Some housekeeping options are also specifiable\&.
-.PP
-Sections are either filespace services (used by the client as an
-extension of their native file systems) or printable services (used by
-the client to access print services on the host running the server)\&.
-.PP
-Sections may be designated \fBguest\fP services, in which
-case no password is required to access them\&. A specified UNIX
-\fBguest account\fP is used to define access
-privileges in this case\&.
-.PP
-Sections other than guest services will require a password to access
-them\&. The client provides the username\&. As older clients only provide
-passwords and not usernames, you may specify a list of usernames to
-check against the password using the \fB"user="\fP option in
-the share definition\&. For modern clients such as Windows 95/98 and
-Windows NT, this should not be necessary\&.
-.PP
-Note that the access rights granted by the server are masked by the
-access rights granted to the specified or guest UNIX user by the host
-system\&. The server does not grant more access than the host system
-grants\&.
-.PP
-The following sample section defines a file space share\&. The user has
-write access to the path \f(CW/home/bar\fP\&. The share is accessed via
-the share name "foo":
-.PP
-
-.nf
+[global] section) describes a shared resource (known
+as a "share"). The section name is the name of the
+shared resource and the parameters within the section define
+the shares attributes.
+.PP
+There are three special sections, [global],
+[homes] and [printers], which are
+described under \fBspecial sections\fR. The
+following notes apply to ordinary section descriptions.
+.PP
+A share consists of a directory to which access is being
+given plus a description of the access rights which are granted
+to the user of the service. Some housekeeping options are
+also specifiable.
+.PP
+Sections are either filespace services (used by the
+client as an extension of their native file systems) or
+printable services (used by the client to access print services
+on the host running the server).
+.PP
+Sections may be designated \fBguest\fR services,
+in which case no password is required to access them. A specified
+UNIX \fBguest account\fR is used to define access
+privileges in this case.
+.PP
+Sections other than guest services will require a password
+to access them. The client provides the username. As older clients
+only provide passwords and not usernames, you may specify a list
+of usernames to check against the password using the "user="
+option in the share definition. For modern clients such as
+Windows 95/98/ME/NT/2000, this should not be necessary.
+.PP
+Note that the access rights granted by the server are
+masked by the access rights granted to the specified or guest
+UNIX user by the host system. The server does not grant more
+access than the host system grants.
+.PP
+The following sample section defines a file space share.
+The user has write access to the path \fI/home/bar\fR.
+The share is accessed via the share name "foo":
+.sp
+.nf
+ [foo]
+ path = /home/bar
+ writeable = true
+
+
+.sp
+.fi
+.PP
+The following sample section defines a printable share.
+The share is readonly, but printable. That is, the only write
+access permitted is via calls to open, write to and close a
+spool file. The \fBguest ok\fR parameter means
+access will be permitted as the default guest user (specified
+elsewhere):
+.sp
+.nf
+ [aprinter]
+ path = /usr/spool/public
+ writeable = false
+ printable = true
+ guest ok = true
+
+
+.sp
+.fi
+.SH "SPECIAL SECTIONS"
+.SS "THE GLOBAL SECTION"
+.PP
+parameters in this section apply to the server
+as a whole, or are defaults for sections which do not
+specifically define certain items. See the notes
+under paraMETERS for more information.
+.SS "THE HOMES SECTION"
+.PP
+If a section called homes is included in the
+configuration file, services connecting clients to their
+home directories can be created on the fly by the server.
+.PP
+When the connection request is made, the existing
+sections are scanned. If a match is found, it is used. If no
+match is found, the requested section name is treated as a
+user name and looked up in the local password file. If the
+name exists and the correct password has been given, a share is
+created by cloning the [homes] section.
+.PP
+Some modifications are then made to the newly
+created share:
+.TP 0.2i
+\(bu
+The share name is changed from homes to
+the located username.
+.TP 0.2i
+\(bu
+If no path was given, the path is set to
+the user's home directory.
+.PP
+If you decide to use a \fBpath=\fR line
+in your [homes] section then you may find it useful
+to use the %S macro. For example :
+.PP
+.PP
+\fBpath=/data/pchome/%S\fR
+.PP
+.PP
+would be useful if you have different home directories
+for your PCs than for UNIX access.
+.PP
+.PP
+This is a fast and simple way to give a large number
+of clients access to their home directories with a minimum
+of fuss.
+.PP
+.PP
+A similar process occurs if the requested section
+name is "homes", except that the share name is not
+changed to that of the requesting user. This method of using
+the [homes] section works well if different users share
+a client PC.
+.PP
+.PP
+The [homes] section can specify all the parameters
+a normal service section can specify, though some make more sense
+than others. The following is a typical and suitable [homes]
+section:
+.PP
+.sp
+.nf
+ [homes]
+ writeable = yes
+
+
+.sp
+.fi
+.PP
+An important point is that if guest access is specified
+in the [homes] section, all home directories will be
+visible to all clients \fBwithout a password\fR.
+In the very unlikely event that this is actually desirable, it
+would be wise to also specify \fBread only
+access\fR.
+.PP
+.PP
+Note that the \fBbrowseable\fR flag for
+auto home directories will be inherited from the global browseable
+flag, not the [homes] browseable flag. This is useful as
+it means setting browseable=no in the [homes] section
+will hide the [homes] share but make any auto home
+directories visible.
+.PP
+.SS "THE PRINTERS SECTION"
+.PP
+This section works like [homes],
+but for printers.
+.PP
+If a [printers] section occurs in the
+configuration file, users are able to connect to any printer
+specified in the local host's printcap file.
+.PP
+When a connection request is made, the existing sections
+are scanned. If a match is found, it is used. If no match is found,
+but a [homes] section exists, it is used as described
+above. Otherwise, the requested section name is treated as a
+printer name and the appropriate printcap file is scanned to see
+if the requested section name is a valid printer share name. If
+a match is found, a new printer share is created by cloning
+the [printers] section.
+.PP
+A few modifications are then made to the newly created
+share:
+.TP 0.2i
+\(bu
+The share name is set to the located printer
+name
+.TP 0.2i
+\(bu
+If no printer name was given, the printer name
+is set to the located printer name
+.TP 0.2i
+\(bu
+If the share does not permit guest access and
+no username was given, the username is set to the located
+printer name.
+.PP
+Note that the [printers] service MUST be
+printable - if you specify otherwise, the server will refuse
+to load the configuration file.
+.PP
+.PP
+Typically the path specified would be that of a
+world-writeable spool directory with the sticky bit set on
+it. A typical [printers] entry would look like
+this:
+.PP
+.sp
+.nf
+ [printers]
+ path = /usr/spool/public
+ guest ok = yes
+ printable = yes
+
+.sp
+.fi
+.PP
+All aliases given for a printer in the printcap file
+are legitimate printer names as far as the server is concerned.
+If your printing subsystem doesn't work like that, you will have
+to set up a pseudo-printcap. This is a file consisting of one or
+more lines like this:
+.PP
+.sp
+.nf
+ alias|alias|alias|alias...
+
+
+.sp
+.fi
+.PP
+Each alias should be an acceptable printer name for
+your printing subsystem. In the [global] section, specify
+the new file as your printcap. The server will then only recognize
+names found in your pseudo-printcap, which of course can contain
+whatever aliases you like. The same technique could be used
+simply to limit access to a subset of your local printers.
+.PP
+.PP
+An alias, by the way, is defined as any component of the
+first entry of a printcap record. Records are separated by newlines,
+components (if there are more than one) are separated by vertical
+bar symbols ('|').
+.PP
+.PP
+NOTE: On SYSV systems which use lpstat to determine what
+printers are defined on the system you may be able to use
+"printcap name = lpstat" to automatically obtain a list
+of printers. See the "printcap name" option
+for more details.
+.PP
+.SH "PARAMETRS"
+.PP
+parameters define the specific attributes of sections.
+.PP
+Some parameters are specific to the [global] section
+(e.g., \fBsecurity\fR). Some parameters are usable
+in all sections (e.g., \fBcreate mode\fR). All others
+are permissible only in normal sections. For the purposes of the
+following descriptions the [homes] and [printers]
+sections will be considered normal. The letter \fBG\fR
+in parentheses indicates that a parameter is specific to the
+[global] section. The letter \fBS\fR
+indicates that a parameter can be specified in a service specific
+section. Note that all \fBS\fR parameters can also be specified in
+the [global] section - in which case they will define
+the default behavior for all services.
+.PP
+parameters are arranged here in alphabetical order - this may
+not create best bedfellows, but at least you can find them! Where
+there are synonyms, the preferred synonym is described, others refer
+to the preferred synonym.
+.SH "VARIABLE SUBSTITUTIONS"
+.PP
+Many of the strings that are settable in the config file
+can take substitutions. For example the option "path =
+/tmp/%u" would be interpreted as "path =
+/tmp/john" if the user connected with the username john.
+.PP
+These substitutions are mostly noted in the descriptions below,
+but there are some general substitutions which apply whenever they
+might be relevant. These are:
+.TP
+\fB%S\fR
+the name of the current service, if any.
+.TP
+\fB%P\fR
+the root directory of the current service,
+if any.
+.TP
+\fB%u\fR
+user name of the current service, if any.
+.TP
+\fB%g\fR
+primary group name of %u.
+.TP
+\fB%U\fR
+session user name (the user name that the client
+wanted, not necessarily the same as the one they got).
+.TP
+\fB%G\fR
+primary group name of %U.
+.TP
+\fB%H\fR
+the home directory of the user given
+by %u.
+.TP
+\fB%v\fR
+the Samba version.
+.TP
+\fB%h\fR
+the internet hostname that Samba is running
+on.
+.TP
+\fB%m\fR
+the NetBIOS name of the client machine
+(very useful).
+.TP
+\fB%L\fR
+the NetBIOS name of the server. This allows you
+to change your config based on what the client calls you. Your
+server can have a "dual personality".
+.TP
+\fB%M\fR
+the internet name of the client machine.
+.TP
+\fB%N\fR
+the name of your NIS home directory server.
+This is obtained from your NIS auto.map entry. If you have
+not compiled Samba with the \fB--with-automount\fR
+option then this value will be the same as %.
+.TP
+\fB%p\fR
+the path of the service's home directory,
+obtained from your NIS auto.map entry. The NIS auto.map entry
+is split up as "%N:%p".
+.TP
+\fB%R\fR
+the selected protocol level after
+protocol negotiation. It can be one of CORE, COREPLUS,
+LANMAN1, LANMAN2 or NT1.
+.TP
+\fB%d\fR
+The process id of the current server
+process.
+.TP
+\fB%a\fR
+the architecture of the remote
+machine. Only some are recognized, and those may not be
+100% reliable. It currently recognizes Samba, WfWg,
+WinNT and Win95. Anything else will be known as
+"UNKNOWN". If it gets it wrong then sending a level
+3 log to samba@samba.org
+ <URL:mailto:samba@samba.org> should allow it to be fixed.
+.TP
+\fB%I\fR
+The IP address of the client machine.
+.TP
+\fB%T\fR
+the current date and time.
+.TP
+\fB%$(\fIenvvar\fB)\fR
+The value of the environment variable
+\fIenvar\fR.
+.PP
+There are some quite creative things that can be done
+with these substitutions and other smb.conf options.
+.PP
+.SH "NAME MANGLING"
+.PP
+Samba supports "name mangling" so that DOS and
+Windows clients can use files that don't conform to the 8.3 format.
+It can also be set to adjust the case of 8.3 format filenames.
+.PP
+There are several options that control the way mangling is
+performed, and they are grouped here rather than listed separately.
+For the defaults look at the output of the testparm program.
+.PP
+All of these options can be set separately for each service
+(or globally, of course).
+.PP
+The options are:
+.TP
+\fBmangle case= yes/no\fR
+controls if names that have characters that
+aren't of the "default" case are mangled. For example,
+if this is yes then a name like "Mail" would be mangled.
+Default \fBno\fR.
+.TP
+\fBcase sensitive = yes/no\fR
+controls whether filenames are case sensitive. If
+they aren't then Samba must do a filename search and match on passed
+names. Default \fBno\fR.
+.TP
+\fBdefault case = upper/lower\fR
+controls what the default case is for new
+filenames. Default \fBlower\fR.
+.TP
+\fBpreserve case = yes/no\fR
+controls if new files are created with the
+case that the client passes, or if they are forced to be the
+"default" case. Default \fByes\fR.
+.TP
+\fBshort preserve case = yes/no\fR
+controls if new files which conform to 8.3 syntax,
+that is all in upper case and of suitable length, are created
+upper case, or if they are forced to be the "default"
+case. This option can be use with "preserve case = yes"
+to permit long filenames to retain their case, while short names
+are lowered. Default \fByes\fR.
+.PP
+By default, Samba 2.2 has the same semantics as a Windows
+NT server, in that it is case insensitive but case preserving.
+.PP
+.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
+.PP
+There are a number of ways in which a user can connect
+to a service. The server follows the following steps in determining
+if it will allow a connection to a specified service. If all the
+steps fail then the connection request is rejected. If one of the
+steps pass then the following steps are not checked.
+.PP
+If the service is marked "guest only = yes" then
+steps 1 to 5 are skipped.
+.IP 1.
+If the client has passed a username/password
+pair and that username/password pair is validated by the UNIX
+system's password programs then the connection is made as that
+username. Note that this includes the
+\\\\server\\service%\fIusername\fR method of passing
+a username.
+.IP 2.
+If the client has previously registered a username
+with the system and now supplies a correct password for that
+username then the connection is allowed.
+.IP 3.
+The client's netbios name and any previously
+used user names are checked against the supplied password, if
+they match then the connection is allowed as the corresponding
+user.
+.IP 4.
+If the client has previously validated a
+username/password pair with the server and the client has passed
+the validation token then that username is used.
+.IP 5.
+If a "user = " field is given in the
+\fIsmb.conf\fR file for the service and the client
+has supplied a password, and that password matches (according to
+the UNIX system's password checking) with one of the usernames
+from the "user=" field then the connection is made as
+the username in the "user=" line. If one
+of the username in the "user=" list begins with a
+\&'@' then that name expands to a list of names in
+the group of the same name.
+.IP 6.
+If the service is a guest service then a
+connection is made as the username given in the "guest
+account =" for the service, irrespective of the
+supplied password.
+.SH "COMPLETE LIST OF GLOBAL PARAMETERS"
+.PP
+Here is a list of all global parameters. See the section of
+each parameter for details. Note that some are synonyms.
+.TP 0.2i
+\(bu
+\fIadd user script\fR
+.TP 0.2i
+\(bu
+\fIallow trusted domains\fR
+.TP 0.2i
+\(bu
+\fIannounce as\fR
+.TP 0.2i
+\(bu
+\fIannounce version\fR
+.TP 0.2i
+\(bu
+\fIauto services\fR
+.TP 0.2i
+\(bu
+\fIbind interfaces only\fR
+.TP 0.2i
+\(bu
+\fIbrowse list\fR
+.TP 0.2i
+\(bu
+\fIchange notify timeout\fR
+.TP 0.2i
+\(bu
+\fIcharacter set\fR
+.TP 0.2i
+\(bu
+\fIclient code page\fR
+.TP 0.2i
+\(bu
+\fIcoding system\fR
+.TP 0.2i
+\(bu
+\fIconfig file\fR
+.TP 0.2i
+\(bu
+\fIdeadtime\fR
+.TP 0.2i
+\(bu
+\fIdebug hires timestamp\fR
+.TP 0.2i
+\(bu
+\fIdebug pid\fR
+.TP 0.2i
+\(bu
+\fIdebug timestamp\fR
+.TP 0.2i
+\(bu
+\fIdebug uid\fR
+.TP 0.2i
+\(bu
+\fIdebug level\fR
+.TP 0.2i
+\(bu
+\fIdefault\fR
+.TP 0.2i
+\(bu
+\fIdefault service\fR
+.TP 0.2i
+\(bu
+\fIdelete user script\fR
+.TP 0.2i
+\(bu
+\fIdfree command\fR
+.TP 0.2i
+\(bu
+\fIdns proxy\fR
+.TP 0.2i
+\(bu
+\fIdomain admin group\fR
+.TP 0.2i
+\(bu
+\fIdomain admin users\fR
+.TP 0.2i
+\(bu
+\fIdomain groups\fR
+.TP 0.2i
+\(bu
+\fIdomain guest group\fR
+.TP 0.2i
+\(bu
+\fIdomain guest users\fR
+.TP 0.2i
+\(bu
+\fIdomain logons\fR
+.TP 0.2i
+\(bu
+\fIdomain master\fR
+.TP 0.2i
+\(bu
+\fIencrypt passwords\fR
+.TP 0.2i
+\(bu
+\fIgetwd cache\fR
+.TP 0.2i
+\(bu
+\fIhide local users\fR
+.TP 0.2i
+\(bu
+\fIhomedir map\fR
+.TP 0.2i
+\(bu
+\fIhosts equiv\fR
+.TP 0.2i
+\(bu
+\fIinterfaces\fR
+.TP 0.2i
+\(bu
+\fIkeepalive\fR
+.TP 0.2i
+\(bu
+\fIkernel oplocks\fR
+.TP 0.2i
+\(bu
+\fIlm announce\fR
+.TP 0.2i
+\(bu
+\fIlm interval\fR
+.TP 0.2i
+\(bu
+\fIload printers\fR
+.TP 0.2i
+\(bu
+\fIlocal master\fR
+.TP 0.2i
+\(bu
+\fIlock dir\fR
+.TP 0.2i
+\(bu
+\fIlock directory\fR
+.TP 0.2i
+\(bu
+\fIlog file\fR
+.TP 0.2i
+\(bu
+\fIlog level\fR
+.TP 0.2i
+\(bu
+\fIlogon drive\fR
+.TP 0.2i
+\(bu
+\fIlogon home\fR
+.TP 0.2i
+\(bu
+\fIlogon path\fR
+.TP 0.2i
+\(bu
+\fIlogon script\fR
+.TP 0.2i
+\(bu
+\fIlpq cache time\fR
+.TP 0.2i
+\(bu
+\fImachine password timeout\fR
+.TP 0.2i
+\(bu
+\fImangled stack\fR
+.TP 0.2i
+\(bu
+\fImap to guest\fR
+.TP 0.2i
+\(bu
+\fImax disk size\fR
+.TP 0.2i
+\(bu
+\fImax log size\fR
+.TP 0.2i
+\(bu
+\fImax mux\fR
+.TP 0.2i
+\(bu
+\fImax open files\fR
+.TP 0.2i
+\(bu
+\fImax packet\fR
+.TP 0.2i
+\(bu
+\fImax ttl\fR
+.TP 0.2i
+\(bu
+\fImax wins ttl\fR
+.TP 0.2i
+\(bu
+\fImax xmit\fR
+.TP 0.2i
+\(bu
+\fImessage command\fR
+.TP 0.2i
+\(bu
+\fImin passwd length\fR
+.TP 0.2i
+\(bu
+\fImin password length\fR
+.TP 0.2i
+\(bu
+\fImin wins ttl\fR
+.TP 0.2i
+\(bu
+\fIname resolve order\fR
+.TP 0.2i
+\(bu
+\fInetbios aliases\fR
+.TP 0.2i
+\(bu
+\fInetbios name\fR
+.TP 0.2i
+\(bu
+\fInetbios scope\fR
+.TP 0.2i
+\(bu
+\fInis homedir\fR
+.TP 0.2i
+\(bu
+\fInt acl support\fR
+.TP 0.2i
+\(bu
+\fInt pipe support\fR
+.TP 0.2i
+\(bu
+\fInt smb support\fR
+.TP 0.2i
+\(bu
+\fInull passwords\fR
+.TP 0.2i
+\(bu
+\fIole locking compatibility\fR
+.TP 0.2i
+\(bu
+\fIoplock break wait time\fR
+.TP 0.2i
+\(bu
+\fIos level\fR
+.TP 0.2i
+\(bu
+\fIpanic action\fR
+.TP 0.2i
+\(bu
+\fIpasswd chat\fR
+.TP 0.2i
+\(bu
+\fIpasswd chat debug\fR
+.TP 0.2i
+\(bu
+\fIpasswd program\fR
+.TP 0.2i
+\(bu
+\fIpassword level\fR
+.TP 0.2i
+\(bu
+\fIpassword server\fR
+.TP 0.2i
+\(bu
+\fIprefered master\fR
+.TP 0.2i
+\(bu
+\fIpreferred master\fR
+.TP 0.2i
+\(bu
+\fIpreload\fR
+.TP 0.2i
+\(bu
+\fIprintcap\fR
+.TP 0.2i
+\(bu
+\fIprintcap name\fR
+.TP 0.2i
+\(bu
+\fIprinter driver file\fR
+.TP 0.2i
+\(bu
+\fIprivate dir\fR
+.TP 0.2i
+\(bu
+\fIprotocol\fR
+.TP 0.2i
+\(bu
+\fIread bmpx\fR
+.TP 0.2i
+\(bu
+\fIread prediction\fR
+.TP 0.2i
+\(bu
+\fIread raw\fR
+.TP 0.2i
+\(bu
+\fIread size\fR
+.TP 0.2i
+\(bu
+\fIremote announce\fR
+.TP 0.2i
+\(bu
+\fIremote browse sync\fR
+.TP 0.2i
+\(bu
+\fIrestrict anonymous\fR
+.TP 0.2i
+\(bu
+\fIroot\fR
+.TP 0.2i
+\(bu
+\fIroot dir\fR
+.TP 0.2i
+\(bu
+\fIroot directory\fR
+.TP 0.2i
+\(bu
+\fIsecurity\fR
+.TP 0.2i
+\(bu
+\fIserver string\fR
+.TP 0.2i
+\(bu
+\fIshared mem size\fR
+.TP 0.2i
+\(bu
+\fIsmb passwd file\fR
+.TP 0.2i
+\(bu
+\fIsmbrun\fR
+.TP 0.2i
+\(bu
+\fIsocket address\fR
+.TP 0.2i
+\(bu
+\fIsocket options\fR
+.TP 0.2i
+\(bu
+\fIsource environment\fR
+.TP 0.2i
+\(bu
+\fIssl\fR
+.TP 0.2i
+\(bu
+\fIssl CA certDir\fR
+.TP 0.2i
+\(bu
+\fIssl CA certFile\fR
+.TP 0.2i
+\(bu
+\fIssl ciphers\fR
+.TP 0.2i
+\(bu
+\fIssl client cert\fR
+.TP 0.2i
+\(bu
+\fIssl client key\fR
+.TP 0.2i
+\(bu
+\fIssl compatibility\fR
+.TP 0.2i
+\(bu
+\fIssl hosts\fR
+.TP 0.2i
+\(bu
+\fIssl hosts resign\fR
+.TP 0.2i
+\(bu
+\fIssl require clientcert\fR
+.TP 0.2i
+\(bu
+\fIssl require servercert\fR
+.TP 0.2i
+\(bu
+\fIssl server cert\fR
+.TP 0.2i
+\(bu
+\fIssl server key\fR
+.TP 0.2i
+\(bu
+\fIssl version\fR
+.TP 0.2i
+\(bu
+\fIstat cache\fR
+.TP 0.2i
+\(bu
+\fIstat cache size\fR
+.TP 0.2i
+\(bu
+\fIstrip dot\fR
+.TP 0.2i
+\(bu
+\fIsyslog\fR
+.TP 0.2i
+\(bu
+\fIsyslog only\fR
+.TP 0.2i
+\(bu
+\fItemplate homedir\fR
+.TP 0.2i
+\(bu
+\fItemplate shell\fR
+.TP 0.2i
+\(bu
+\fItime offset\fR
+.TP 0.2i
+\(bu
+\fItime server\fR
+.TP 0.2i
+\(bu
+\fItimestamp logs\fR
+.TP 0.2i
+\(bu
+\fIunix password sync\fR
+.TP 0.2i
+\(bu
+\fIunix realname\fR
+.TP 0.2i
+\(bu
+\fIupdate encrypted\fR
+.TP 0.2i
+\(bu
+\fIuse rhosts\fR
+.TP 0.2i
+\(bu
+\fIusername level\fR
+.TP 0.2i
+\(bu
+\fIusername map\fR
+.TP 0.2i
+\(bu
+\fIutmp directory\fR
+.TP 0.2i
+\(bu
+\fIvalid chars\fR
+.TP 0.2i
+\(bu
+\fIwinbind cache time\fR
+.TP 0.2i
+\(bu
+\fIwinbind gid\fR
+.TP 0.2i
+\(bu
+\fIwinbind uid\fR
+.TP 0.2i
+\(bu
+\fIwins hook\fR
+.TP 0.2i
+\(bu
+\fIwins proxy\fR
+.TP 0.2i
+\(bu
+\fIwins server\fR
+.TP 0.2i
+\(bu
+\fIwins support\fR
+.TP 0.2i
+\(bu
+\fIworkgroup\fR
+.TP 0.2i
+\(bu
+\fIwrite raw\fR
+.SH "COMPLETE LIST OF SERVICE PARAMETERS"
+.PP
+Here is a list of all service parameters. See the section of
+each parameter for details. Note that some are synonyms.
+.TP 0.2i
+\(bu
+\fIadmin users\fR
+.TP 0.2i
+\(bu
+\fIallow hosts\fR
+.TP 0.2i
+\(bu
+\fIalternate permissions\fR
+.TP 0.2i
+\(bu
+\fIavailable\fR
+.TP 0.2i
+\(bu
+\fIblocking locks\fR
+.TP 0.2i
+\(bu
+\fIbrowsable\fR
+.TP 0.2i
+\(bu
+\fIbrowseable\fR
+.TP 0.2i
+\(bu
+\fIcase sensitive\fR
+.TP 0.2i
+\(bu
+\fIcasesignames\fR
+.TP 0.2i
+\(bu
+\fIcomment\fR
+.TP 0.2i
+\(bu
+\fIcopy\fR
+.TP 0.2i
+\(bu
+\fIcreate mask\fR
+.TP 0.2i
+\(bu
+\fIcreate mode\fR
+.TP 0.2i
+\(bu
+\fIdefault case\fR
+.TP 0.2i
+\(bu
+\fIdelete readonly\fR
+.TP 0.2i
+\(bu
+\fIdelete veto files\fR
+.TP 0.2i
+\(bu
+\fIdeny hosts\fR
+.TP 0.2i
+\(bu
+\fIdirectory\fR
+.TP 0.2i
+\(bu
+\fIdirectory mask\fR
+.TP 0.2i
+\(bu
+\fIdirectory mode\fR
+.TP 0.2i
+\(bu
+\fIdirectory security mask\fR
+.TP 0.2i
+\(bu
+\fIdont descend\fR
+.TP 0.2i
+\(bu
+\fIdos filetime resolution\fR
+.TP 0.2i
+\(bu
+\fIdos filetimes\fR
+.TP 0.2i
+\(bu
+\fIexec\fR
+.TP 0.2i
+\(bu
+\fIfake directory create times\fR
+.TP 0.2i
+\(bu
+\fIfake oplocks\fR
+.TP 0.2i
+\(bu
+\fIfollow symlinks\fR
+.TP 0.2i
+\(bu
+\fIforce create mode\fR
+.TP 0.2i
+\(bu
+\fIforce directory mode\fR
+.TP 0.2i
+\(bu
+\fIforce directory security mode\fR
+.TP 0.2i
+\(bu
+\fIforce group\fR
+.TP 0.2i
+\(bu
+\fIforce security mode\fR
+.TP 0.2i
+\(bu
+\fIforce user\fR
+.TP 0.2i
+\(bu
+\fIfstype\fR
+.TP 0.2i
+\(bu
+\fIgroup\fR
+.TP 0.2i
+\(bu
+\fIguest account\fR
+.TP 0.2i
+\(bu
+\fIguest ok\fR
+.TP 0.2i
+\(bu
+\fIguest only\fR
+.TP 0.2i
+\(bu
+\fIhide dot files\fR
+.TP 0.2i
+\(bu
+\fIhide files\fR
+.TP 0.2i
+\(bu
+\fIhosts allow\fR
+.TP 0.2i
+\(bu
+\fIhosts deny\fR
+.TP 0.2i
+\(bu
+\fIinclude\fR
+.TP 0.2i
+\(bu
+\fIinherit permissions\fR
+.TP 0.2i
+\(bu
+\fIinvalid users\fR
+.TP 0.2i
+\(bu
+\fIlevel2 oplocks\fR
+.TP 0.2i
+\(bu
+\fIlocking\fR
+.TP 0.2i
+\(bu
+\fIlppause command\fR
+.TP 0.2i
+\(bu
+\fIlpq command\fR
+.TP 0.2i
+\(bu
+\fIlpresume command\fR
+.TP 0.2i
+\(bu
+\fIlprm command\fR
+.TP 0.2i
+\(bu
+\fImagic output\fR
+.TP 0.2i
+\(bu
+\fImagic script\fR
+.TP 0.2i
+\(bu
+\fImangle case\fR
+.TP 0.2i
+\(bu
+\fImangle locks\fR
+.TP 0.2i
+\(bu
+\fImangled map\fR
+.TP 0.2i
+\(bu
+\fImangled names\fR
+.TP 0.2i
+\(bu
+\fImangling char\fR
+.TP 0.2i
+\(bu
+\fImap archive\fR
+.TP 0.2i
+\(bu
+\fImap hidden\fR
+.TP 0.2i
+\(bu
+\fImap system\fR
+.TP 0.2i
+\(bu
+\fImax connections\fR
+.TP 0.2i
+\(bu
+\fImin print space\fR
+.TP 0.2i
+\(bu
+\fIonly guest\fR
+.TP 0.2i
+\(bu
+\fIonly user\fR
+.TP 0.2i
+\(bu
+\fIoplock contention limit\fR
+.TP 0.2i
+\(bu
+\fIoplocks\fR
+.TP 0.2i
+\(bu
+\fIpath\fR
+.TP 0.2i
+\(bu
+\fIpostexec\fR
+.TP 0.2i
+\(bu
+\fIpostscript\fR
+.TP 0.2i
+\(bu
+\fIpreexec\fR
+.TP 0.2i
+\(bu
+\fIpreexec close\fR
+.TP 0.2i
+\(bu
+\fIpreserve case\fR
+.TP 0.2i
+\(bu
+\fIprint command\fR
+.TP 0.2i
+\(bu
+\fIprint ok\fR
+.TP 0.2i
+\(bu
+\fIprintable\fR
+.TP 0.2i
+\(bu
+\fIprinter\fR
+.TP 0.2i
+\(bu
+\fIprinter admin\fR
+.TP 0.2i
+\(bu
+\fIprinter driver\fR
+.TP 0.2i
+\(bu
+\fIprinter driver location\fR
+.TP 0.2i
+\(bu
+\fIprinter name\fR
+.TP 0.2i
+\(bu
+\fIprinting\fR
+.TP 0.2i
+\(bu
+\fIpublic\fR
+.TP 0.2i
+\(bu
+\fIqueuepause command\fR
+.TP 0.2i
+\(bu
+\fIqueueresume command\fR
+.TP 0.2i
+\(bu
+\fIread list\fR
+.TP 0.2i
+\(bu
+\fIread only\fR
+.TP 0.2i
+\(bu
+\fIroot postexec\fR
+.TP 0.2i
+\(bu
+\fIroot preexec\fR
+.TP 0.2i
+\(bu
+\fIroot preexec close\fR
+.TP 0.2i
+\(bu
+\fIsecurity mask\fR
+.TP 0.2i
+\(bu
+\fIset directory\fR
+.TP 0.2i
+\(bu
+\fIshare modes\fR
+.TP 0.2i
+\(bu
+\fIshort preserve case\fR
+.TP 0.2i
+\(bu
+\fIstatus\fR
+.TP 0.2i
+\(bu
+\fIstrict locking\fR
+.TP 0.2i
+\(bu
+\fIstrict sync\fR
+.TP 0.2i
+\(bu
+\fIsync always\fR
+.TP 0.2i
+\(bu
+\fIuser\fR
+.TP 0.2i
+\(bu
+\fIusername\fR
+.TP 0.2i
+\(bu
+\fIusers\fR
+.TP 0.2i
+\(bu
+\fIutmp\fR
+.TP 0.2i
+\(bu
+\fIvalid users\fR
+.TP 0.2i
+\(bu
+\fIveto files\fR
+.TP 0.2i
+\(bu
+\fIveto oplock files\fR
+.TP 0.2i
+\(bu
+\fIvolume\fR
+.TP 0.2i
+\(bu
+\fIwide links\fR
+.TP 0.2i
+\(bu
+\fIwritable\fR
+.TP 0.2i
+\(bu
+\fIwrite cache size\fR
+.TP 0.2i
+\(bu
+\fIwrite list\fR
+.TP 0.2i
+\(bu
+\fIwrite ok\fR
+.TP 0.2i
+\(bu
+\fIwriteable\fR
+.SH "EXPLANATION OF EACH PARAMETER"
+.TP
+\fBadd user script (G)\fR
+This is the full pathname to a script that will
+be run \fBAS ROOT\fR by smbd(8)
+ <URL:smbd.8.html> under special circumstances decribed below.
+
+Normally, a Samba server requires that UNIX users are
+created for all users accessing files on this server. For sites
+that use Windows NT account databases as their primary user database
+creating these users and keeping the user list in sync with the
+Windows NT PDC is an onerous task. This option allows smbd <URL:smbd.8.html> to create the required UNIX users
+\fBON DEMAND\fR when a user accesses the Samba server.
+
+In order to use this option, smbd <URL:smbd.8.html>
+must be set to \fIsecurity=server\fR or \fI security=domain\fR and \fIadd user script\fR
+must be set to a full pathname for a script that will create a UNIX
+user given one argument of \fI%u\fR, which expands into
+the UNIX user name to create.
+
+When the Windows user attempts to access the Samba server,
+at login (session setup in the SMB protocol) time, smbd <URL:smbd.8.html> contacts the \fIpassword server\fR and
+attempts to authenticate the given user with the given password. If the
+authentication succeeds then smbd <URL:smbd.8.html>
+attempts to find a UNIX user in the UNIX password database to map the
+Windows user into. If this lookup fails, and \fIadd user script
+\fRis set then smbd <URL:smbd.8.html> will
+call the specified script \fBAS ROOT\fR, expanding
+any \fI%u\fR argument to be the user name to create.
+
+If this script successfully creates the user then smbd <URL:smbd.8.html> will continue on as though the UNIX user
+already existed. In this way, UNIX users are dynamically created to
+match existing Windows NT accounts.
+
+See also \fI security\fR <URL:smb.conf.5.html#security>, \fIpassword server\fR <URL:smb.conf.5.html#passwordserver>, \fIdelete user
+script\fR <URL:smb.conf.5.html#deleteuserscript>.
+
+Default: \fBadd user script = <empty string>
+\fR
+Example: \fBadd user script = /usr/local/samba/bin/add_user
+%u\fR
+.TP
+\fBadmin users (S)\fR
+This is a list of users who will be granted
+administrative privileges on the share. This means that they
+will do all file operations as the super-user (root).
+
+You should use this option very carefully, as any user in
+this list will be able to do anything they like on the share,
+irrespective of file permissions.
+
+Default: \fBno admin users\fR
+
+Example: \fBadmin users = jason\fR
+.TP
+\fBallow hosts (S)\fR
+Synonym for \fIhosts allow\fR <URL:smb.conf.5.html#hostsallow>.
+.TP
+\fBallow trusted domains (G)\fR
+This option only takes effect when the security <URL:smb.conf.5.html> option is set to
+\fIserver\fR or \fIdomain\fR.
+If it is set to no, then attempts to connect to a resource from
+a domain or workgroup other than the one which smbd is running
+in will fail, even if that domain is trusted by the remote server
+doing the authentication.
+
+This is useful if you only want your Samba server to
+serve resources to users in the domain it is a member of. As
+an example, suppose that there are two domains DOMA and DOMB. DOMB
+is trusted by DOMA, which contains the Samba server. Under normal
+circumstances, a user with an account in DOMB can then access the
+resources of a UNIX account with the same account name on the
+Samba server even if they do not have an account in DOMA. This
+can make implementing a security boundary difficult.
+
+Default: \fBallow trusted domains = yes\fR
+.TP
+\fBannounce as (G)\fR
+This specifies what type of server
+\fBnmbd\fR <URL:nmbd.8.html>
+will announce itself as, to a network neighborhood browse
+list. By default this is set to Windows NT. The valid options
+are : "NT" (which is a synonym for "NT Server"), "NT Server",
+"NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
+Windows NT Workstation, Windows 95 and Windows for Workgroups
+respectively. Do not change this parameter unless you have a
+specific need to stop Samba appearing as an NT server as this
+may prevent Samba servers from participating as browser servers
+correctly.
+
+Default: \fBannounce as = NT Server\fR
+
+Example: \fBannounce as = Win95\fR
+.TP
+\fBannouce version (G)\fR
+This specifies the major and minor version numbers
+that nmbd will use when announcing itself as a server. The default
+is 4.2. Do not change this parameter unless you have a specific
+need to set a Samba server to be a downlevel server.
+
+Default: \fBannounce version = 4.2\fR
+
+Example: \fBannounce version = 2.0\fR
+.TP
+\fBauto services (G)\fR
+This is a list of services that you want to be
+automatically added to the browse lists. This is most useful
+for homes and printers services that would otherwise not be
+visible.
+
+Note that if you just want all printers in your
+printcap file loaded then the \fIload printers\fR <URL:smb.conf.5.html#loadprinters> option is easier.
+
+Default: \fBno auto services\fR
+
+Example: \fBauto services = fred lp colorlp\fR
+.TP
+\fBavailable (S)\fR
+This parameter lets you "turn off" a service. If
+\fIavailable = no\fR, then \fBALL\fR
+attempts to connect to the service will fail. Such failures are
+logged.
+
+Default: \fBavailable = yes\fR
+.TP
+\fBbind interfaces only (G)\fR
+This global parameter allows the Samba admin
+to limit what interfaces on a machine will serve smb requests. If
+affects file service smbd(8) <URL:smbd.8.html> and
+name service nmbd(8) <URL:nmbd.8.html> in slightly
+different ways.
+
+For name service it causes \fBnmbd\fR to bind
+to ports 137 and 138 on the interfaces listed in the interfaces parameter. \fBnmbd
+\fRalso binds to the "all addresses" interface (0.0.0.0)
+on ports 137 and 138 for the purposes of reading broadcast messages.
+If this option is not set then \fBnmbd\fR will service
+name requests on all of these sockets. If \fIbind interfaces
+only\fR is set then \fBnmbd\fR will check the
+source address of any packets coming in on the broadcast sockets
+and discard any that don't match the broadcast addresses of the
+interfaces in the \fIinterfaces\fR parameter list.
+As unicast packets are received on the other sockets it allows
+\fBnmbd\fR to refuse to serve names to machines that
+send packets that arrive through any interfaces not listed in the
+\fIinterfaces\fR list. IP Source address spoofing
+does defeat this simple check, however so it must not be used
+seriously as a security feature for \fBnmbd\fR.
+
+For file service it causes smbd(8) <URL:smbd.8.html>
+to bind only to the interface list given in the interfaces parameter. This restricts the networks that
+\fBsmbd\fR will serve to packets coming in those
+interfaces. Note that you should not use this parameter for machines
+that are serving PPP or other intermittent or non-broadcast network
+interfaces as it will not cope with non-permanent interfaces.
+
+If \fIbind interfaces only\fR is set then
+unless the network address \fB127.0.0.1\fR is added
+to the \fIinterfaces\fR parameter list \fBsmbpasswd(8)\fR <URL:smbpasswd.8.html>
+and \fBswat(8)\fR <URL:swat.8.html> may
+not work as expected due to the reasons covered below.
+
+To change a users SMB password, the \fBsmbpasswd\fR
+by default connects to the \fBlocalhost - 127.0.0.1\fR
+address as an SMB client to issue the password change request. If
+\fIbind interfaces only\fR is set then unless the
+network address \fB127.0.0.1\fR is added to the
+\fIinterfaces\fR parameter list then \fB smbpasswd\fR will fail to connect in it's default mode.
+\fBsmbpasswd\fR can be forced to use the primary IP interface
+of the local host by using its \fI-r remote machine\fR
+ <URL:smbpasswd.8.html#minusr> parameter, with \fIremote machine\fR set
+to the IP name of the primary interface of the local host.
+
+The \fBswat\fR status page tries to connect with
+\fBsmbd\fR and \fBnmbd\fR at the address
+\fB127.0.0.1\fR to determine if they are running.
+Not adding \fB127.0.0.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show
+"not running" even if they really are. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR
+and \fBnmbd\fR.
+
+Default: \fBbind interfaces only = no\fR
+.TP
+\fBblocking locks (S)\fR
+This parameter controls the behavior of smbd(8) <URL:smbd.8.html> when given a request by a client
+to obtain a byte range lock on a region of an open file, and the
+request has a time limit associated with it.
+
+If this parameter is set and the lock range requested
+cannot be immediately satisfied, Samba 2.2 will internally
+queue the lock request, and periodically attempt to obtain
+the lock until the timeout period expires.
+
+If this parameter is set to False, then
+Samba 2.2 will behave as previous versions of Samba would and
+will fail the lock request immediately if the lock range
+cannot be obtained.
+
+Default: \fBblocking locks = yes\fR
+.TP
+\fBbrowsable (S)\fR
+See the \fI browseable\fR.
+.TP
+\fBbrowse list (G)\fR
+This controls whether \fBsmbd(8)\fR <URL:smbd.8.html> will serve a browse list to
+a client doing a \fBNetServerEnum\fR call. Normally
+set to true. You should never need to change
+this.
+
+Default: \fBbrowse list = yes\fR
+.TP
+\fBbrowseable (S)\fR
+This controls whether this share is seen in
+the list of available shares in a net view and in the browse list.
+
+Default: \fBbrowseable = yes\fR
+.TP
+\fBcase sensitive (S)\fR
+See the discussion in the section NAME MANGLING.
+.TP
+\fBcasesignames (S)\fR
+Synonym for case
+sensitive.
+.TP
+\fBchange notify timeout (G)\fR
+This SMB allows a client to tell a server to
+"watch" a particular directory for any changes and only reply to
+the SMB request when a change has occurred. Such constant scanning of
+a directory is expensive under UNIX, hence an \fBsmbd(8)\fR <URL:smbd.8.html> daemon only performs such a scan
+on each requested directory once every \fIchange notify
+timeout\fR seconds.
+
+Default: \fBchange notify timeout = 60\fR
+
+Example: \fBchange notify timeout = 300\fR
+
+Would change the scan time to every 5 minutes.
+.TP
+\fBcharacter set (G)\fR
+This allows a smbd to map incoming filenames
+from a DOS Code page (see the client
+code page parameter) to several built in UNIX character sets.
+The built in code page translations are:
+.RS
+.TP 0.2i
+\(bu
+ISO8859-1 : Western European
+UNIX character set. The parameter \fIclient code page\fR
+\fBMUST\fR be set to code page 850 if the
+\fIcharacter set\fR parameter is set to
+ISO8859-1 in order for the conversion to the
+UNIX character set to be done correctly.
+.TP 0.2i
+\(bu
+ISO8859-2 : Eastern European
+UNIX character set. The parameter \fIclient code page
+\fR\fBMUST\fR be set to code page 852 if
+the \fI character set\fR parameter is set
+to ISO8859-2 in order for the conversion
+to the UNIX character set to be done correctly.
+.TP 0.2i
+\(bu
+ISO8859-5 : Russian Cyrillic
+UNIX character set. The parameter \fIclient code page
+\fR\fBMUST\fR be set to code page
+866 if the \fIcharacter set \fR parameter is
+set to ISO8859-5 in order for the conversion
+to the UNIX character set to be done correctly.
+.TP 0.2i
+\(bu
+ISO8859-7 : Greek UNIX
+character set. The parameter \fIclient code page
+\fR\fBMUST\fR be set to code page
+737 if the \fIcharacter set\fR parameter is
+set to ISO8859-7 in order for the conversion
+to the UNIX character set to be done correctly.
+.TP 0.2i
+\(bu
+KOI8-R : Alternate mapping
+for Russian Cyrillic UNIX character set. The parameter
+\fIclient code page\fR \fBMUST\fR
+be set to code page 866 if the \fIcharacter set\fR
+parameter is set to KOI8-R in order for the
+conversion to the UNIX character set to be done correctly.
+.RE
+.PP
+\fBBUG\fR. These MSDOS code page to UNIX character
+set mappings should be dynamic, like the loading of MS DOS code pages,
+not static.
+.PP
+.PP
+Normally this parameter is not set, meaning no filename
+translation is done.
+.PP
+.PP
+Default: \fBcharacter set = <empty string>\fR
+.PP
+.PP
+Example: \fBcharacter set = ISO8859-1\fR
+.PP
+.TP
+\fBclient code page (G)\fR
+This parameter specifies the DOS code page
+that the clients accessing Samba are using. To determine what code
+page a Windows or DOS client is using, open a DOS command prompt
+and type the command \fBchcp\fR. This will output
+the code page. The default for USA MS-DOS, Windows 95, and
+Windows NT releases is code page 437. The default for western
+european releases of the above operating systems is code page 850.
+
+This parameter tells smbd(8) <URL:smbd.8.html>
+which of the \fIcodepage.XXX
+\fRfiles to dynamically load on startup. These files,
+described more fully in the manual page \fBmake_smbcodepage(1)\fR <URL:make_smbcodepage.1.html>, tell \fB smbd\fR how to map lower to upper case characters to provide
+the case insensitivity of filenames that Windows clients expect.
+
+Samba currently ships with the following code page files :
+.RS
+.TP 0.2i
+\(bu
+Code Page 437 - MS-DOS Latin US
+.TP 0.2i
+\(bu
+Code Page 737 - Windows '95 Greek
+.TP 0.2i
+\(bu
+Code Page 850 - MS-DOS Latin 1
+.TP 0.2i
+\(bu
+Code Page 852 - MS-DOS Latin 2
+.TP 0.2i
+\(bu
+Code Page 861 - MS-DOS Icelandic
+.TP 0.2i
+\(bu
+Code Page 866 - MS-DOS Cyrillic
+.TP 0.2i
+\(bu
+Code Page 932 - MS-DOS Japanese SJIS
+.TP 0.2i
+\(bu
+Code Page 936 - MS-DOS Simplified Chinese
+.TP 0.2i
+\(bu
+Code Page 949 - MS-DOS Korean Hangul
+.TP 0.2i
+\(bu
+Code Page 950 - MS-DOS Traditional Chinese
+.RE
+.PP
+Thus this parameter may have any of the values 437, 737, 850, 852,
+861, 932, 936, 949, or 950. If you don't find the codepage you need,
+read the comments in one of the other codepage files and the
+\fBmake_smbcodepage(1)\fR man page and write one. Please
+remember to donate it back to the Samba user community.
+.PP
+.PP
+This parameter co-operates with the \fIvalid
+chars\fR parameter in determining what characters are
+valid in filenames and how capitalization is done. If you set both
+this parameter and the \fIvalid chars\fR parameter
+the \fIclient code page\fR parameter
+\fBMUST\fR be set before the \fIvalid
+chars\fR parameter in the \fIsmb.conf\fR
+file. The \fIvalid chars\fR string will then
+augment the character settings in the \fIclient code page\fR
+parameter.
+.PP
+.PP
+If not set, \fIclient code page\fR defaults
+to 850.
+.PP
+.PP
+See also : \fIvalid
+chars\fR
+.PP
+.PP
+Default: \fBclient code page = 850\fR
+.PP
+.PP
+Example: \fBclient code page = 936\fR
+.PP
+.TP
+\fBcodingsystem (G)\fR
+This parameter is used to determine how incoming
+Shift-JIS Japanese characters are mapped from the incoming \fIclient code page\fR
+used by the client, into file names in the UNIX filesystem.
+Only useful if \fIclient code page\fR is set to
+932 (Japanese Shift-JIS). The options are :
+.RS
+.TP 0.2i
+\(bu
+SJIS - Shift-JIS. Does no
+conversion of the incoming filename.
+.TP 0.2i
+\(bu
+JIS8, J8BB, J8BH, J8@B,
+J8@J, J8@H - Convert from incoming Shift-JIS to eight
+bit JIS code with different shift-in, shift out codes.
+.TP 0.2i
+\(bu
+JIS7, J7BB, J7BH, J7@B, J7@J,
+J7@H - Convert from incoming Shift-JIS to seven bit
+JIS code with different shift-in, shift out codes.
+.TP 0.2i
+\(bu
+JUNET, JUBB, JUBH, JU@B, JU@J, JU@H
+- Convert from incoming Shift-JIS to JUNET code with different shift-in,
+shift out codes.
+.TP 0.2i
+\(bu
+EUC - Convert an incoming
+Shift-JIS character to EUC code.
+.TP 0.2i
+\(bu
+HEX - Convert an incoming
+Shift-JIS character to a 3 byte hex representation, i.e.
+:AB.
+.TP 0.2i
+\(bu
+CAP - Convert an incoming
+Shift-JIS character to the 3 byte hex representation used by
+the Columbia AppleTalk Program (CAP), i.e. :AB.
+This is used for compatibility between Samba and CAP.
+.RE
+.PP
+.TP
+\fBcomment (S)\fR
+This is a text field that is seen next to a share
+when a client does a queries the server, either via the network
+neighborhood or via \fBnet view\fR to list what shares
+are available.
+
+If you want to set the string that is displayed next to the
+machine name then see the \fI server string\fR parameter.
+
+Default: \fBNo comment string\fR
+
+Example: \fBcomment = Fred's Files\fR
+.TP
+\fBconfig file (G)\fR
+This allows you to override the config file
+to use, instead of the default (usually \fIsmb.conf\fR).
+There is a chicken and egg problem here as this option is set
+in the config file!
+
+For this reason, if the name of the config file has changed
+when the parameters are loaded then it will reload them from
+the new config file.
+
+This option takes the usual substitutions, which can
+be very useful.
+
+If the config file doesn't exist then it won't be loaded
+(allowing you to special case the config files of just a few
+clients).
+
+Example: \fBconfig file = /usr/local/samba/lib/smb.conf.%m
+\fR.TP
+\fBcopy (S)\fR
+This parameter allows you to "clone" service
+entries. The specified service is simply duplicated under the
+current service's name. Any parameters specified in the current
+section will override those in the section being copied.
+
+This feature lets you set up a 'template' service and
+create similar services easily. Note that the service being
+copied must occur earlier in the configuration file than the
+service doing the copying.
+
+Default: \fBnone\fR
+
+Example: \fBcopy = otherservice\fR
+.TP
+\fBcreate mask (S)\fR
+A synonym for this parameter is
+\fIcreate mode\fR
+\&.
+
+When a file is created, the necessary permissions are
+calculated according to the mapping from DOS modes to UNIX
+permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
+with this parameter. This parameter may be thought of as a bit-wise
+MASK for the UNIX modes of a file. Any bit \fBnot\fR
+set here will be removed from the modes set on a file when it is
+created.
+
+The default value of this parameter removes the
+\&'group' and 'other' write and execute bits from the UNIX modes.
+
+Following this Samba will bit-wise 'OR' the UNIX mode created
+from this parameter with the value of the \fIforce create mode\fR
+parameter which is set to 000 by default.
+
+This parameter does not affect directory modes. See the
+parameter \fIdirectory mode
+\fRfor details.
+
+See also the \fIforce
+create mode\fR parameter for forcing particular mode
+bits to be set on created files. See also the \fIdirectory mode"\fR parameter for masking
+mode bits on created directories. See also the \fIinherit permissions\fR parameter.
+
+Default: \fBcreate mask = 0744\fR
+
+Example: \fBcreate mask = 0775\fR
+.TP
+\fBcreate mode (S)\fR
+This is a synonym for \fI create mask\fR.
+.TP
+\fBdeadtime (G)\fR
+The value of the parameter (a decimal integer)
+represents the number of minutes of inactivity before a connection
+is considered dead, and it is disconnected. The deadtime only takes
+effect if the number of open files is zero.
+
+This is useful to stop a server's resources being
+exhausted by a large number of inactive connections.
+
+Most clients have an auto-reconnect feature when a
+connection is broken so in most cases this parameter should be
+transparent to users.
+
+Using this parameter with a timeout of a few minutes
+is recommended for most systems.
+
+A deadtime of zero indicates that no auto-disconnection
+should be performed.
+
+Default: \fBdeadtime = 0\fR
+
+Example: \fBdeadtime = 15\fR
+.TP
+\fBdebug hires timestamp (G)\fR
+Sometimes the timestamps in the log messages
+are needed with a resolution of higher that seconds, this
+boolean parameter adds microsecond resolution to the timestamp
+message header when turned on.
+
+Note that the parameter \fI debug timestamp\fR must be on for this to have an
+effect.
+
+Default: \fBdebug hires timestamp = no\fR
+.TP
+\fBdebug timestamp (G)\fR
+Samba 2.2 debug log messages are timestamped
+by default. If you are running at a high \fIdebug level\fR these timestamps
+can be distracting. This boolean parameter allows timestamping
+to be turned off.
+
+Default: \fBdebug timestamp = yes\fR
+.TP
+\fBdebug pid (G)\fR
+When using only one log file for more then one
+forked smbd-process there may be hard to follow which process
+outputs which message. This boolean parameter is adds the process-id
+to the timestamp message headers in the logfile when turned on.
+
+Note that the parameter \fI debug timestamp\fR must be on for this to have an
+effect.
+
+Default: \fBdebug pid = no\fR
+.TP
+\fBdebug uid (G)\fR
+Samba is sometimes run as root and sometime
+run as the connected user, this boolean parameter inserts the
+current euid, egid, uid and gid to the timestamp message headers
+in the log file if turned on.
+
+Note that the parameter \fI debug timestamp\fR must be on for this to have an
+effect.
+
+Default: \fBdebug uid = no\fR
+.TP
+\fBdebug level (G)\fR
+The value of the parameter (an integer) allows
+the debug level (logging level) to be specified in the
+\fIsmb.conf\fR file. This is to give greater
+flexibility in the configuration of the system.
+
+The default will be the debug level specified on
+the command line or level zero if none was specified.
+
+Example: \fBdebug level = 3\fR
+.TP
+\fBdefault (G)\fR
+A synonym for \fI default service\fR.
+.TP
+\fBdefault case (S)\fR
+See the section on NAME MANGLING". Also note the \fIshort preserve case"\fR parameter.
+.TP
+\fBdefault service (G)\fR
+This parameter specifies the name of a service
+which will be connected to if the service actually requested cannot
+be found. Note that the square brackets are \fBNOT\fR
+given in the parameter value (see example below).
+
+There is no default value for this parameter. If this
+parameter is not given, attempting to connect to a nonexistent
+service results in an error.
+
+Typically the default service would be a \fIguest ok\fR, \fIread-only\fR service.
+
+Also note that the apparent service name will be changed
+to equal that of the requested service, this is very useful as it
+allows you to use macros like \fI%S\fR to make
+a wildcard service.
+
+Note also that any "_" characters in the name of the service
+used in the default service will get mapped to a "/". This allows for
+interesting things.
+
+Example:
+.sp
+.nf
+ default service = pub
+
+ [pub]
+ path = /%S
+
+.sp
+.fi
+.TP
+\fBdelete user script (G)\fR
+This is the full pathname to a script that will
+be run \fBAS ROOT\fR by \fBsmbd(8)\fR <URL:smbd.8.html> under special circumstances
+decribed below.
+
+Normally, a Samba server requires that UNIX users are
+created for all users accessing files on this server. For sites
+that use Windows NT account databases as their primary user database
+creating these users and keeping the user list in sync with the
+Windows NT PDC is an onerous task. This option allows \fB smbd\fR to delete the required UNIX users \fBON
+DEMAND\fR when a user accesses the Samba server and the
+Windows NT user no longer exists.
+
+In order to use this option, \fBsmbd\fR must be
+set to \fIsecurity=domain\fR and \fIdelete
+user script\fR must be set to a full pathname for a script
+that will delete a UNIX user given one argument of \fI%u
+\fR, which expands into the UNIX user name to delete.
+\fBNOTE\fR that this is different to the \fIadd user script\fR
+which will work with the \fIsecurity=server\fR option
+as well as \fIsecurity=domain\fR. The reason for this
+is only when Samba is a domain member does it get the information
+on an attempted user logon that a user no longer exists. In the
+\fIsecurity=server\fR mode a missing user
+is treated the same as an invalid password logon attempt. Deleting
+the user in this circumstance would not be a good idea.
+
+When the Windows user attempts to access the Samba server,
+at \fBlogin\fR (session setup in the SMB protocol)
+time, \fBsmbd\fR contacts the \fIpassword server\fR and attempts to authenticate
+the given user with the given password. If the authentication fails
+with the specific Domain error code meaning that the user no longer
+exists then \fBsmbd\fR attempts to find a UNIX user in
+the UNIX password database that matches the Windows user account. If
+this lookup succeeds, and \fIdelete user script\fR is
+set then \fBsmbd\fR will all the specified script
+\fBAS ROOT\fR, expanding any \fI%u\fR
+argument to be the user name to delete.
+
+This script should delete the given UNIX username. In this way,
+UNIX users are dynamically deleted to match existing Windows NT
+accounts.
+
+See also security=domain,
+\fIpassword server\fR
+, \fIadd user script\fR
+\&.
+
+Default: \fBdelete user script = <empty string>
+\fR
+Example: \fBdelete user script = /usr/local/samba/bin/del_user
+%u\fR
+.TP
+\fBdelete readonly (S)\fR
+This parameter allows readonly files to be deleted.
+This is not normal DOS semantics, but is allowed by UNIX.
+
+This option may be useful for running applications such
+as rcs, where UNIX file ownership prevents changing file
+permissions, and DOS semantics prevent deletion of a read only file.
+
+Default: \fBdelete readonly = no\fR
+.TP
+\fBdelete veto files (S)\fR
+This option is used when Samba is attempting to
+delete a directory that contains one or more vetoed directories
+(see the \fIveto files\fR
+option). If this option is set to False (the default) then if a vetoed
+directory contains any non-vetoed files or directories then the
+directory delete will fail. This is usually what you want.
+
+If this option is set to True, then Samba
+will attempt to recursively delete any files and directories within
+the vetoed directory. This can be useful for integration with file
+serving systems such as NetAtalk which create meta-files within
+directories you might normally veto DOS/Windows users from seeing
+(e.g. \fI.AppleDouble\fR)
+
+Setting \fBdelete veto files = yes\fR allows these
+directories to be transparently deleted when the parent directory
+is deleted (so long as the user has permissions to do so).
+
+See also the \fIveto
+files\fR parameter.
+
+Default: \fBdelete veto files = no\fR
+.TP
+\fBdeny hosts (S)\fR
+Synonym for \fIhosts
+deny\fR.
+.TP
+\fBdfree command (G)\fR
+The \fIdfree command\fR setting should
+only be used on systems where a problem occurs with the internal
+disk space calculations. This has been known to happen with Ultrix,
+but may occur with other operating systems. The symptom that was
+seen was an error of "Abort Retry Ignore" at the end of each
+directory listing.
+
+This setting allows the replacement of the internal routines to
+calculate the total disk space and amount available with an external
+routine. The example below gives a possible script that might fulfill
+this function.
+
+The external program will be passed a single parameter indicating
+a directory in the filesystem being queried. This will typically consist
+of the string \fI./\fR. The script should return two
+integers in ascii. The first should be the total disk space in blocks,
+and the second should be the number of available blocks. An optional
+third return value can give the block size in bytes. The default
+blocksize is 1024 bytes.
+
+Note: Your script should \fBNOT\fR be setuid or
+setgid and should be owned by (and writeable only by) root!
+
+Default: \fBBy default internal routines for
+determining the disk capacity and remaining space will be used.
+\fR
+Example: \fBdfree command = /usr/local/samba/bin/dfree
+\fR
+Where the script dfree (which must be made executable) could be:
+
+.sp
+.nf
+
+ #!/bin/sh
+ df $1 | tail -1 | awk '{print $2" "$4}'
+
+.sp
+.fi
+
+or perhaps (on Sys V based systems):
+
+.sp
+.nf
+ #!/bin/sh
+ /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+
+.sp
+.fi
+
+Note that you may have to replace the command names
+with full path names on some systems.
+.TP
+\fBdirectory (S)\fR
+Synonym for \fIpath
+\fR\&.
+.TP
+\fBdirectory mask (S)\fR
+This parameter is the octal modes which are
+used when converting DOS modes to UNIX modes when creating UNIX
+directories.
+
+When a directory is created, the necessary permissions are
+calculated according to the mapping from DOS modes to UNIX permissions,
+and the resulting UNIX mode is then bit-wise 'AND'ed with this
+parameter. This parameter may be thought of as a bit-wise MASK for
+the UNIX modes of a directory. Any bit \fBnot\fR set
+here will be removed from the modes set on a directory when it is
+created.
+
+The default value of this parameter removes the 'group'
+and 'other' write bits from the UNIX mode, allowing only the
+user who owns the directory to modify it.
+
+Following this Samba will bit-wise 'OR' the UNIX mode
+created from this parameter with the value of the \fIforce directory mode
+\fRparameter. This parameter is set to 000 by
+default (i.e. no extra mode bits are added).
+
+See the \fIforce
+directory mode\fR parameter to cause particular mode
+bits to always be set on created directories.
+
+See also the \fIcreate mode
+\fRparameter for masking mode bits on created files,
+and the \fIdirectory
+security mask\fR parameter.
+
+Also refer to the \fI inherit permissions\fR parameter.
+
+Default: \fBdirectory mask = 0755\fR
+
+Example: \fBdirectory mask = 0775\fR
+.TP
+\fBdirectory mode (S)\fR
+Synonym for \fI directory mask\fR
+.TP
+\fBdirectory security mask (S)\fR
+This parameter controls what UNIX permission bits
+can be modified when a Windows NT client is manipulating the UNIX
+permission on a directory using the native NT security dialog
+box.
+
+This parameter is applied as a mask (AND'ed with) to
+the changed permission bits, thus preventing any bits not in
+this mask from being modified. Essentially, zero bits in this
+mask may be treated as a set of bits the user is not allowed
+to change.
+
+If not set explicitly this parameter is set to the same
+value as the \fIdirectory
+mask\fR parameter. To allow a user to
+modify all the user/group/world permissions on a directory, set
+this parameter to 0777.
+
+\fBNote\fR that users who can access the
+Samba server through other means can easily bypass this restriction,
+so it is primarily useful for standalone "appliance" systems.
+Administrators of most normal systems will probably want to set
+it to 0777.
+
+See also the \fI force directory security mode\fR, \fIsecurity mask\fR,
+\fIforce security mode
+\fRparameters.
+
+Default: \fBdirectory security mask = <same as
+directory mask>\fR
+
+Example: \fBdirectory security mask = 0777\fR
+.TP
+\fBdns proxy (G)\fR
+Specifies that nmbd(8) <URL:nmbd.8.html>
+when acting as a WINS server and finding that a NetBIOS name has not
+been registered, should treat the NetBIOS name word-for-word as a DNS
+name and do a lookup with the DNS server for that name on behalf of
+the name-querying client.
+
+Note that the maximum length for a NetBIOS name is 15
+characters, so the DNS name (or DNS alias) can likewise only be
+15 characters, maximum.
+
+\fBnmbd\fR spawns a second copy of itself to do the
+DNS name lookup requests, as doing a name lookup is a blocking
+action.
+
+See also the parameter \fI wins support\fR.
+
+Default: \fBdns proxy = yes\fR
+.TP
+\fBdomain admin group (G)\fR
+This is an \fBEXPERIMENTAL\fR parameter
+that is part of the unfinished Samba NT Domain Controller Code. It may
+be removed in a later release. To work with the latest code builds
+that may have more support for Samba NT Domain Controller functionality
+please subscribe to the mailing list samba-ntdom <URL:mailto:samba-ntdom@samba.org> available by
+visiting the web page at http://lists.samba.org/ <URL:http://lists.samba.org/>.
+.TP
+\fBdomain admin users (G)\fR
+This is an \fBEXPERIMENTAL\fR parameter
+that is part of the unfinished Samba NT Domain Controller Code. It may
+be removed in a later release. To work with the latest code builds
+that may have more support for Samba NT Domain Controller functionality
+please subscribe to the mailing list samba-ntdom <URL:mailto:samba-ntdom@samba.org> available by
+visiting the web page at http://lists.samba.org/ <URL:http://lists.samba.org/>.
+.TP
+\fBdomain groups (G)\fR
+This is an \fBEXPERIMENTAL\fR parameter
+that is part of the unfinished Samba NT Domain Controller Code. It may
+be removed in a later release. To work with the latest code builds
+that may have more support for Samba NT Domain Controller functionality
+please subscribe to the mailing list samba-ntdom <URL:mailto:samba-ntdom@samba.org> available by
+visiting the web page at http://lists.samba.org/ <URL:http://lists.samba.org/>.
+.TP
+\fBdomain guest group (G)\fR
+This is an \fBEXPERIMENTAL\fR parameter
+that is part of the unfinished Samba NT Domain Controller Code. It may
+be removed in a later release. To work with the latest code builds
+that may have more support for Samba NT Domain Controller functionality
+please subscribe to the mailing list samba-ntdom <URL:mailto:samba-ntdom@samba.org> available by
+visiting the web page at http://lists.samba.org/ <URL:http://lists.samba.org/>.
+.TP
+\fBdomain guest users (G)\fR
+This is an \fBEXPERIMENTAL\fR parameter
+that is part of the unfinished Samba NT Domain Controller Code. It may
+be removed in a later release. To work with the latest code builds
+that may have more support for Samba NT Domain Controller functionality
+please subscribe to the mailing list samba-ntdom <URL:mailto:samba-ntdom@samba.org> available by
+visiting the web page at http://lists.samba.org/ <URL:http://lists.samba.org/>.
+.TP
+\fBdomain logons (G)\fR
+If set to true, the Samba server will serve
+Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also
+has limited capability to act as a domain controller for Windows
+NT 4 Domains. For more details on setting up this feature see
+the file DOMAINS.txt in the Samba documentation directory \fIdocs/
+\fRshipped with the source code.
+
+Default: \fBdomain logons = no\fR
+.TP
+\fBdomain master (G)\fR
+Tell \fB nmbd(8)\fR <URL:nmbd.8.html> to enable WAN-wide browse list
+collation. Setting this option causes \fBnmbd\fR to
+claim a special domain specific NetBIOS name that identifies
+it as a domain master browser for its given \fIworkgroup\fR. Local master browsers
+in the same \fIworkgroup\fR on broadcast-isolated
+subnets will give this \fBnmbd\fR their local browse lists,
+and then ask \fBsmbd(8)\fR <URL:smbd.8.html>
+for a complete copy of the browse list for the whole wide area
+network. Browser clients will then contact their local master browser,
+and will receive the domain-wide browse list, instead of just the list
+for their broadcast-isolated subnet.
+
+Note that Windows NT Primary Domain Controllers expect to be
+able to claim this \fIworkgroup\fR specific special
+NetBIOS name that identifies them as domain master browsers for
+that \fIworkgroup\fR by default (i.e. there is no
+way to prevent a Windows NT PDC from attempting to do this). This
+means that if this parameter is set and \fBnmbd\fR claims
+the special name for a \fIworkgroup\fR before a Windows
+NT PDC is able to do so then cross subnet browsing will behave
+strangely and may fail.
+
+Default: \fBdomain master = no\fR
+.TP
+\fBdont descend (S)\fR
+There are certain directories on some systems
+(e.g., the \fI/proc\fR tree under Linux) that are either not
+of interest to clients or are infinitely deep (recursive). This
+parameter allows you to specify a comma-delimited list of directories
+that the server should always show as empty.
+
+Note that Samba can be very fussy about the exact format
+of the "dont descend" entries. For example you may need \fI ./proc\fR instead of just \fI/proc\fR.
+Experimentation is the best policy :-)
+
+Default: \fBnone (i.e., all directories are OK
+to descend)\fR
+
+Example: \fBdont descend = /proc,/dev\fR
+.TP
+\fBdos filetime resolution (S)\fR
+Under the DOS and Windows FAT filesystem, the finest
+granularity on time resolution is two seconds. Setting this parameter
+for a share causes Samba to round the reported time down to the
+nearest two second boundary when a query call that requires one second
+resolution is made to \fBsmbd(8)\fR
+ <URL:smbd.8.html>.
+
+This option is mainly used as a compatibility option for Visual
+C++ when used against Samba shares. If oplocks are enabled on a
+share, Visual C++ uses two different time reading calls to check if a
+file has changed since it was last read. One of these calls uses a
+one-second granularity, the other uses a two second granularity. As
+the two second call rounds any odd second down, then if the file has a
+timestamp of an odd number of seconds then the two timestamps will not
+match and Visual C++ will keep reporting the file has changed. Setting
+this option causes the two timestamps to match, and Visual C++ is
+happy.
+
+Default: \fBdos filetime resolution = no\fR
+.TP
+\fBdos filetimes (S)\fR
+Under DOS and Windows, if a user can write to a
+file they can change the timestamp on it. Under POSIX semantics,
+only the owner of the file or root may change the timestamp. By
+default, Samba runs with POSIX semantics and refuses to change the
+timestamp on a file if the user \fBsmbd\fR is acting
+on behalf of is not the file owner. Setting this option to True allows DOS semantics and smbd will change the file
+timestamp as DOS requires.
+
+Default: \fBdos filetimes = no\fR
+.TP
+\fBencrypt passwords (G)\fR
+This boolean controls whether encrypted passwords
+will be negotiated with the client. Note that Windows NT 4.0 SP3 and
+above and also Windows 98 will by default expect encrypted passwords
+unless a registry entry is changed. To use encrypted passwords in
+Samba see the file ENCRYPTION.txt in the Samba documentation
+directory \fIdocs/\fR shipped with the source code.
+
+In order for encrypted passwords to work correctly
+\fBsmbd(8)\fR <URL:smbd.8.html> must either
+have access to a local \fIsmbpasswd(5)
+\fR <URL:smbpasswd.5.html> file (see the \fB smbpasswd(8)\fR <URL:smbpasswd.8.html> program for information on how to set up
+and maintain this file), or set the security=[serve|domain] parameter which
+causes \fBsmbd\fR to authenticate against another
+server.
+
+Default: \fBencrypt passwords = no\fR
+.TP
+\fBexec (S)\fR
+This is a synonym for \fIpreexec\fR.
+.TP
+\fBfake directory create times (S)\fR
+NTFS and Windows VFAT file systems keep a create
+time for all files and directories. This is not the same as the
+ctime - status change time - that Unix keeps, so Samba by default
+reports the earliest of the various times Unix does keep. Setting
+this parameter for a share causes Samba to always report midnight
+1-1-1980 as the create time for directories.
+
+This option is mainly used as a compatibility option for
+Visual C++ when used against Samba shares. Visual C++ generated
+makefiles have the object directory as a dependency for each object
+file, and a make rule to create the directory. Also, when NMAKE
+compares timestamps it uses the creation time when examining a
+directory. Thus the object directory will be created if it does not
+exist, but once it does exist it will always have an earlier
+timestamp than the object files it contains.
+
+However, Unix time semantics mean that the create time
+reported by Samba will be updated whenever a file is created or
+deleted in the directory. NMAKE therefore finds all object files
+in the object directory bar the last one built are out of date
+compared to the directory and rebuilds them. Enabling this option
+ensures directories always predate their contents and an NMAKE build
+will proceed as expected.
+
+Default: \fBfake directory create times = no\fR
+.TP
+\fBfake oplocks (S)\fR
+Oplocks are the way that SMB clients get permission
+from a server to locally cache file operations. If a server grants
+an oplock (opportunistic lock) then the client is free to assume
+that it is the only one accessing the file and it will aggressively
+cache file data. With some oplock types the client may even cache
+file open/close operations. This can give enormous performance benefits.
+
+When you set \fBfake oplocks = yes\fR, \fBsmbd(8)\fR <URL:smbd.8.html> will
+always grant oplock requests no matter how many clients are using
+the file.
+
+It is generally much better to use the real \fIoplocks\fR support rather
+than this parameter.
+
+If you enable this option on all read-only shares or
+shares that you know will only be accessed from one client at a
+time such as physically read-only media like CDROMs, you will see
+a big performance improvement on many operations. If you enable
+this option on shares where multiple clients may be accessing the
+files read-write at the same time you can get data corruption. Use
+this option carefully!
+
+Default: \fBfake oplocks = no\fR
+.TP
+\fBfollow symlinks (S)\fR
+This parameter allows the Samba administrator
+to stop \fBsmbd(8)\fR <URL:smbd.8.html>
+from following symbolic links in a particular share. Setting this
+parameter to no prevents any file or directory
+that is a symbolic link from being followed (the user will get an
+error). This option is very useful to stop users from adding a
+symbolic link to \fI/etc/passwd\fR in their home
+directory for instance. However it will slow filename lookups
+down slightly.
+
+This option is enabled (i.e. \fBsmbd\fR will
+follow symbolic links) by default.
+
+Default: \fBfollow symlinks = yes\fR
+.TP
+\fBforce create mode (S)\fR
+This parameter specifies a set of UNIX mode bit
+permissions that will \fBalways\fR be set on a
+file by Samba. This is done by bitwise 'OR'ing these bits onto
+the mode bits of a file that is being created or having its
+permissions changed. The default for this parameter is (in octal)
+000. The modes in this parameter are bitwise 'OR'ed onto the file
+mode after the mask set in the \fIcreate mask\fR
+parameter is applied.
+
+See also the parameter \fIcreate
+mask\fR for details on masking mode bits on files.
+
+See also the \fIinherit
+permissions\fR parameter.
+
+Default: \fBforce create mode = 000\fR
+
+Example: \fBforce create mode = 0755\fR
+
+would force all created files to have read and execute
+permissions set for 'group' and 'other' as well as the
+read/write/execute bits set for the 'user'.
+.TP
+\fBforce directory mode (S)\fR
+This parameter specifies a set of UNIX mode bit
+permissions that will \fBalways\fR be set on a directory
+created by Samba. This is done by bitwise 'OR'ing these bits onto the
+mode bits of a directory that is being created. The default for this
+parameter is (in octal) 0000 which will not add any extra permission
+bits to a created directory. This operation is done after the mode
+mask in the parameter \fIdirectory mask\fR is
+applied.
+
+See also the parameter \fI directory mask\fR for details on masking mode bits
+on created directories.
+
+See also the \fI inherit permissions\fR parameter.
+
+Default: \fBforce directory mode = 000\fR
+
+Example: \fBforce directory mode = 0755\fR
+
+would force all created directories to have read and execute
+permissions set for 'group' and 'other' as well as the
+read/write/execute bits set for the 'user'.
+.TP
+\fBforce directory security mode (S)\fR
+This parameter controls what UNIX permission bits
+can be modified when a Windows NT client is manipulating the UNIX
+permission on a directory using the native NT security dialog box.
+
+This parameter is applied as a mask (OR'ed with) to the
+changed permission bits, thus forcing any bits in this mask that
+the user may have modified to be on. Essentially, one bits in this
+mask may be treated as a set of bits that, when modifying security
+on a directory, the user has always set to be 'on'.
+
+If not set explicitly this parameter is set to the same
+value as the \fIforce
+directory mode\fR parameter. To allow
+a user to modify all the user/group/world permissions on a
+directory, with restrictions set this parameter to 000.
+
+\fBNote\fR that users who can access the
+Samba server through other means can easily bypass this restriction,
+so it is primarily useful for standalone "appliance" systems.
+Administrators of most normal systems will probably want to set
+it to 0000.
+
+See also the \fI directory security mask\fR, \fIsecurity mask\fR,
+\fIforce security mode
+\fRparameters.
+
+Default: \fBforce directory security mode = <same as
+force directory mode>\fR
+
+Example: \fBforce directory security mode = 0\fR
+.TP
+\fBforce group (S)\fR
+This specifies a UNIX group name that will be
+assigned as the default primary group for all users connecting
+to this service. This is useful for sharing files by ensuring
+that all access to files on service will use the named group for
+their permissions checking. Thus, by assigning permissions for this
+group to the files and directories within this service the Samba
+administrator can restrict or allow sharing of these files.
+
+In Samba 2.0.5 and above this parameter has extended
+functionality in the following way. If the group name listed here
+has a '+' character prepended to it then the current user accessing
+the share only has the primary group default assigned to this group
+if they are already assigned as a member of that group. This allows
+an administrator to decide that only users who are already in a
+particular group will create files with group ownership set to that
+group. This gives a finer granularity of ownership assignment. For
+example, the setting \fIforce group = +sys\fR means
+that only users who are already in group sys will have their default
+primary group assigned to sys when accessing this Samba share. All
+other users will retain their ordinary primary group.
+
+If the \fIforce user
+\fRparameter is also set the group specified in
+\fIforce group\fR will override the primary group
+set in \fIforce user\fR.
+
+See also \fIforce
+user\fR.
+
+Default: \fBno forced group\fR
+
+Example: \fBforce group = agroup\fR
+.TP
+\fBforce security mode (S)\fR
+This parameter controls what UNIX permission
+bits can be modified when a Windows NT client is manipulating
+the UNIX permission on a file using the native NT security dialog
+box.
+
+This parameter is applied as a mask (OR'ed with) to the
+changed permission bits, thus forcing any bits in this mask that
+the user may have modified to be on. Essentially, one bits in this
+mask may be treated as a set of bits that, when modifying security
+on a file, the user has always set to be 'on'.
+
+If not set explicitly this parameter is set to the same
+value as the \fIforce
+create mode\fR parameter. To allow a user to
+modify all the user/group/world permissions on a file, with no
+restrictions set this parameter to 000.
+
+\fBNote\fR that users who can access
+the Samba server through other means can easily bypass this restriction,
+so it is primarily useful for standalone "appliance" systems.
+Administrators of most normal systems will probably want to set
+it to 0000.
+
+See also the \fI force directory security mode\fR,
+\fIdirectory security
+mask\fR, \fI security mask\fR parameters.
+
+Default: \fBforce security mode = <same as force
+create mode>\fR
+
+Example: \fBforce security mode = 0\fR
+.TP
+\fBforce user (S)\fR
+This specifies a UNIX user name that will be
+assigned as the default user for all users connecting to this service.
+This is useful for sharing files. You should also use it carefully
+as using it incorrectly can cause security problems.
+
+This user name only gets used once a connection is established.
+Thus clients still need to connect as a valid user and supply a
+valid password. Once connected, all file operations will be performed
+as the "forced user", no matter what username the client connected
+as.
+
+This can be very useful.
+
+In Samba 2.0.5 and above this parameter also causes the
+primary group of the forced user to be used as the primary group
+for all file activity. Prior to 2.0.5 the primary group was left
+as the primary group of the connecting user (this was a bug).
+
+See also \fIforce group
+\fR
+Default: \fBno forced user\fR
+
+Example: \fBforce user = auser\fR
+.TP
+\fBfstype (S)\fR
+This parameter allows the administrator to
+configure the string that specifies the type of filesystem a share
+is using that is reported by \fBsmbd(8)
+\fR <URL:smbd.8.html> when a client queries the filesystem type
+for a share. The default type is NTFS for
+compatibility with Windows NT but this can be changed to other
+strings such as Samba or FAT
+if required.
+
+Default: \fBfstype = NTFS\fR
+
+Example: \fBfstype = Samba\fR
+.TP
+\fBgetwd cache (G)\fR
+This is a tuning option. When this is enabled a
+caching algorithm will be used to reduce the time taken for getwd()
+calls. This can have a significant impact on performance, especially
+when the \fIwide links\fR
+parameter is set to False.
+
+Default: \fBgetwd cache = No\fR
+.TP
+\fBgroup (S)\fR
+Synonym for \fIforce
+group\fR.
+.TP
+\fBguest account (S)\fR
+This is a username which will be used for access
+to services which are specified as \fI guest ok\fR (see below). Whatever privileges this
+ser has will be available to any client connecting to the guest service.
+Typically this user will exist in the password file, but will not
+have a valid login. The user account "ftp" is often a good choice
+for this parameter. If a username is specified in a given service,
+the specified username overrides this one.
+
+One some systems the default guest account "nobody" may not
+be able to print. Use another account in this case. You should test
+this by trying to log in as your guest user (perhaps by using the
+\fBsu -\fR command) and trying to print using the
+system print command such as \fBlpr(1)\fR or \fB lp(1)\fR.
+
+Default: \fBspecified at compile time, usually
+"nobody"\fR
+
+Example: \fBguest account = ftp\fR
+.TP
+\fBguest ok (S)\fR
+If this parameter is yes for
+a service, then no password is equired to connect to the service.
+Privileges will be those of the \fI guest account\fR.
+
+See the section below on \fI security\fR for more information about this option.
+
+Default: \fBguest ok = no\fR
+.TP
+\fBguest only (S)\fR
+If this parameter is yes for
+a service, then only guest connections to the service are permitted.
+This parameter will have no affect if \fIguest ok\fR is not set for the service.
+
+See the section below on \fI security\fR for more information about this option.
+
+Default: \fBguest only = no\fR
+.TP
+\fBhide dot files (S)\fR
+This is a boolean parameter that controls whether
+files starting with a dot appear as hidden files.
+
+Default: \fBhide dot files = yes\fR
+.TP
+\fBhide files(S)\fR
+This is a list of files or directories that are not
+visible but are accessible. The DOS 'hidden' attribute is applied
+to any files or directories that match.
+
+Each entry in the list must be separated by a '/',
+which allows spaces to be included in the entry. '*'
+and '?' can be used to specify multiple files or directories
+as in DOS wildcards.
+
+Each entry must be a Unix path, not a DOS path and must
+not include the Unix directory separator '/'.
+
+Note that the case sensitivity option is applicable
+in hiding files.
+
+Setting this parameter will affect the performance of Samba,
+as it will be forced to check all files and directories for a match
+as they are scanned.
+
+See also \fIhide
+dot files\fR, \fI veto files\fR and \fIcase sensitive\fR.
+
+Default: \fBno file are hidden\fR
+
+Example: \fBhide files =
+/.*/DesktopFolderDB/TrashFor%m/resource.frk/\fR
+
+The above example is based on files that the Macintosh
+SMB client (DAVE) available from
+Thursby <URL:http://www.thursby.com> creates for internal use, and also still hides
+all files beginning with a dot.
+.TP
+\fBhide local users(G)\fR
+This parameter toggles the hiding of local UNIX
+users (root, wheel, floppy, etc) from remote clients.
+
+Default: \fBhide local users = no\fR
+.TP
+\fBhomedir map (G)\fR
+If\fInis homedir
+\fRis True, and \fBsmbd(8)\fR <URL:smbd.8.html> is also acting
+as a Win95/98 \fIlogon server\fR then this parameter
+specifies the NIS (or YP) map from which the server for the user's
+home directory should be extracted. At present, only the Sun
+auto.home map format is understood. The form of the map is:
+
+\fBusername server:/some/file/system\fR
+
+and the program will extract the servername from before
+the first ':'. There should probably be a better parsing system
+that copes with different map formats and also Amd (another
+automounter) maps.
+
+\fBNOTE :\fRA working NIS client is required on
+the system for this option to work.
+
+See also \fInis homedir\fR
+, \fIdomain logons\fR
+\&.
+
+Default: \fBhomedir map = auto.home\fR
+
+Example: \fBhomedir map = amd.homedir\fR
+.TP
+\fBhosts allow (S)\fR
+A synonym for this parameter is \fIallow
+hosts\fR.
+
+This parameter is a comma, space, or tab delimited
+set of hosts which are permitted to access a service.
+
+If specified in the [global] section then it will
+apply to all services, regardless of whether the individual
+service has a different setting.
+
+You can specify the hosts by name or IP number. For
+example, you could restrict access to only the hosts on a
+Class C subnet with something like \fBallow hosts = 150.203.5.
+\fR\&. The full syntax of the list is described in the man
+page \fIhosts_access(5)\fR. Note that this man
+page may not be present on your system, so a brief description will
+be given here also.
+
+Note that the localhost address 127.0.0.1 will always
+be allowed access unless specifically denied by a \fIhosts deny\fR option.
+
+You can also specify hosts by network/netmask pairs and
+by netgroup names if your system supports netgroups. The
+\fBEXCEPT\fR keyword can also be used to limit a
+wildcard list. The following examples may provide some help:
+
+Example 1: allow all IPs in 150.203.*.*; except one
+
+\fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR
+
+Example 2: allow hosts that match the given network/netmask
+
+\fBhosts allow = 150.203.15.0/255.255.255.0\fR
+
+Example 3: allow a couple of hosts
+
+\fBhosts allow = lapland, arvidsjaur\fR
+
+Example 4: allow only hosts in NIS netgroup "foonet", but
+deny access from one particular host
+
+\fBhosts allow = @foonet\fR
+
+\fBhosts deny = pirate\fR
+
+Note that access still requires suitable user-level passwords.
+
+See \fBtestparm(1)\fR
+ <URL:testparm.1.html> for a way of testing your host access to see if it does
+what you expect.
+
+Default: \fBnone (i.e., all hosts permitted access)
+\fR
+Example: \fBallow hosts = 150.203.5. myhost.mynet.edu.au
+\fR.TP
+\fBhosts deny (S)\fR
+The opposite of \fIhosts allow\fR
+- hosts listed here are \fBNOT\fR permitted access to
+services unless the specific services have their own lists to override
+this one. Where the lists conflict, the \fIallow\fR
+list takes precedence.
+
+Default: \fBnone (i.e., no hosts specifically excluded)
+\fR
+Example: \fBhosts deny = 150.203.4. badhost.mynet.edu.au
+\fR.TP
+\fBhosts equiv (G)\fR
+If this global parameter is a non-null string,
+it specifies the name of a file to read for the names of hosts
+and users who will be allowed access without specifying a password.
+
+This is not be confused with \fIhosts allow\fR which is about hosts
+access to services and is more useful for guest services. \fI hosts equiv\fR may be useful for NT clients which will
+not supply passwords to samba.
+
+\fBNOTE :\fR The use of \fIhosts equiv
+\fRcan be a major security hole. This is because you are
+trusting the PC to supply the correct username. It is very easy to
+get a PC to supply a false username. I recommend that the
+\fIhosts equiv\fR option be only used if you really
+know what you are doing, or perhaps on a home network where you trust
+your spouse and kids. And only if you \fBreally\fR trust
+them :-).
+
+Default: \fBno host equivalences\fR
+
+Example: \fBhosts equiv = /etc/hosts.equiv\fR
+.TP
+\fBinclude (G)\fR
+This allows you to include one config file
+inside another. The file is included literally, as though typed
+in place.
+
+It takes the standard substitutions, except \fI%u
+\fR, \fI%P\fR and \fI%S\fR.
+
+Default: \fBno file included\fR
+
+Example: \fBinclude = /usr/local/samba/lib/admin_smb.conf
+\fR.TP
+\fBinherit permissions (S)\fR
+The permissions on new files and directories
+are normally governed by \fI create mask\fR, \fIdirectory mask\fR, \fIforce create mode\fR
+and \fIforce
+directory mode\fR but the boolean inherit
+permissions parameter overrides this.
+
+New directories inherit the mode of the parent directory,
+including bits such as setgid.
+
+New files inherit their read/write bits from the parent
+directory. Their execute bits continue to be determined by
+\fImap archive\fR
+, \fImap hidden\fR
+and \fImap system\fR
+as usual.
+
+Note that the setuid bit is \fBnever\fR set via
+inheritance (the code explicitly prohibits this).
+
+This can be particularly useful on large systems with
+many users, perhaps several thousand,to allow a single [homes]
+share to be used flexibly by each user.
+
+See also \fIcreate mask
+\fR, \fI directory mask\fR, \fIforce create mode\fR and \fIforce directory mode\fR
+\&.
+
+Default: \fBinherit permissions = no\fR
+.TP
+\fBinterfaces (G)\fR
+This option allows you to override the default
+network interfaces list that Samba will use for browsing, name
+registration and other NBT traffic. By default Samba will query
+the kernel for the list of all active interfaces and use any
+interfaces except 127.0.0.1 that are broadcast capable.
+
+The option takes a list of interface strings. Each string
+can be in any of the following forms:
+.RS
+.TP 0.2i
+\(bu
+a network interface name (such as eth0).
+This may include shell-like wildcards so eth* will match
+any interface starting with the substring "eth"
+.TP 0.2i
+\(bu
+an IP address. In this case the netmask is
+determined from the list of interfaces obtained from the
+kernel
+.TP 0.2i
+\(bu
+an IP/mask pair.
+.TP 0.2i
+\(bu
+a broadcast/mask pair.
+.RE
+.PP
+The "mask" parameters can either be a bit length (such
+as 24 for a C class network) or a full netmask in dotted
+decmal form.
+.PP
+.PP
+The "IP" parameters above can either be a full dotted
+decimal IP address or a hostname which will be looked up via
+the OSes normal hostname resolution mechanisms.
+.PP
+.PP
+For example, the following line:
+.PP
+.PP
+\fBinterfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
+\fR.PP
+.PP
+would configure three network interfaces corresponding
+to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
+The netmasks of the latter two interfaces would be set to 255.255.255.0.
+.PP
+.PP
+See also \fIbind
+interfaces only\fR.
+.PP
+.TP
+\fBinvalid users (S)\fR
+This is a list of users that should not be allowed
+to login to this service. This is really a \fBparanoid\fR
+check to absolutely ensure an improper setting does not breach
+your security.
+
+A name starting with a '@' is interpreted as an NIS
+netgroup first (if your system supports NIS), and then as a UNIX
+group if the name was not found in the NIS netgroup database.
+
+A name starting with '+' is interpreted only
+by looking in the UNIX group database. A name starting with
+\&'&' is interpreted only by looking in the NIS netgroup database
+(this requires NIS to be working on your system). The characters
+\&'+' and '&' may be used at the start of the name in either order
+so the value \fI+&group\fR means check the
+UNIX group database, followed by the NIS netgroup database, and
+the value \fI&+group"\fR means check the NIS
+netgroup database, followed by the UNIX group database (the
+same as the '@' prefix).
+
+The current servicename is substituted for \fI%S\fR.
+This is useful in the [homes] section.
+
+See also \fIvalid users
+\fR\&.
+
+Default: \fBno invalid users\fR
+
+Example: \fBinvalid users = root fred admin @wheel
+\fR.TP
+\fBkeepalive (G)\fR
+The value of the parameter (an integer) represents
+the number of seconds between \fIkeepalive\fR
+packets. If this parameter is zero, no keepalive packets will be
+sent. Keepalive packets, if sent, allow the server to tell whether
+a client is still present and responding.
+
+Keepalives should, in general, not be needed if the socket
+being used has the SO_KEEPALIVE attribute set on it (see \fIsocket options\fR).
+Basically you should only use this option if you strike difficulties.
+
+Default: \fBkeepalive = 0\fR
+
+Example: \fBkeepalive = 60\fR
+.TP
+\fBkernel oplocks (G)\fR
+For UNIXs that support kernel based \fIoplocks\fR
+(currently only IRIX and the Linux 2.4 kernel), this parameter
+allows the use of them to be turned on or off.
+
+Kernel oplocks support allows Samba \fIoplocks
+\fRto be broken whenever a local UNIX process or NFS operation
+accesses a file that \fBsmbd(8)\fR
+ <URL:smbd.8.html> has oplocked. This allows complete data consistency between
+SMB/CIFS, NFS and local file access (and is a \fBvery\fR
+cool feature :-).
+
+This parameter defaults to on on systems
+that have the support, and off on systems that
+don't. You should never need to touch this parameter.
+
+See also the \fIoplocks\fR
+and \fIlevel2 oplocks
+\fRparameters.
+
+Default: \fBkernel oplocks = yes\fR
+.TP
+\fBlevel2 oplocks (S)\fR
+This parameter controls whether Samba supports
+level2 (read-only) oplocks on a share.
+
+Level2, or read-only oplocks allow Windows NT clients
+that have an oplock on a file to downgrade from a read-write oplock
+to a read-only oplock once a second client opens the file (instead
+of releasing all oplocks on a second open, as in traditional,
+exclusive oplocks). This allows all openers of the file that
+support level2 oplocks to cache the file for read-ahead only (ie.
+they may not cache writes or lock requests) and increases performance
+for many acesses of files that are not commonly written (such as
+application .EXE files).
+
+Once one of the clients which have a read-only oplock
+writes to the file all clients are notified (no reply is needed
+or waited for) and told to break their oplocks to "none" and
+delete any read-ahead caches.
+
+It is recommended that this parameter be turned on
+to speed access to shared executables (and also to test
+the code :-).
+
+For more discussions on level2 oplocks see the CIFS spec.
+
+Currently, if \fIkernel
+oplocks\fR are supported then level2 oplocks are
+not granted (even if this parameter is set to yes).
+Note also, the \fIoplocks\fR
+parameter must be set to "true" on this share in order for
+this parameter to have any effect.
+
+See also the \fIoplocks\fR
+and \fIkernel oplocks\fR
+parameters.
+
+Default: \fBlevel2 oplocks = False\fR
+.TP
+\fBlm announce (G)\fR
+This parameter determines if \fBnmbd(8)\fR <URL:nmbd.8.html> will produce Lanman announce
+broadcasts that are needed by OS/2 clients in order for them to see
+the Samba server in their browse list. This parameter can have three
+values, true, false, or
+auto. The default is auto.
+If set to false Samba will never produce these
+broadcasts. If set to true Samba will produce
+Lanman announce broadcasts at a frequency set by the parameter
+\fIlm interval\fR. If set to auto
+Samba will not send Lanman announce broadcasts by default but will
+listen for them. If it hears such a broadcast on the wire it will
+then start sending them at a frequency set by the parameter
+\fIlm interval\fR.
+
+See also \fIlm interval
+\fR\&.
+
+Default: \fBlm announce = auto\fR
+
+Example: \fBlm announce = true\fR
+.TP
+\fBlm interval (G)\fR
+If Samba is set to produce Lanman announce
+broadcasts needed by OS/2 clients (see the \fIlm announce\fR parameter) then this
+parameter defines the frequency in seconds with which they will be
+made. If this is set to zero then no Lanman announcements will be
+made despite the setting of the \fIlm announce\fR
+parameter.
+
+See also \fIlm
+announce\fR.
+
+Default: \fBlm interval = 60\fR
+
+Example: \fBlm interval = 120\fR
+.TP
+\fBload printers (G)\fR
+A boolean variable that controls whether all
+printers in the printcap will be loaded for browsing by default.
+See the printers section for
+more details.
+
+Default: \fBload printers = yes\fR
+.TP
+\fBlocal master (G)\fR
+This option allows \fB nmbd(8)\fR <URL:nmbd.8.html> to try and become a local master browser
+on a subnet. If set to False then \fB nmbd\fR will not attempt to become a local master browser
+on a subnet and will also lose in all browsing elections. By
+default this value is set to true. Setting this value to true doesn't
+mean that Samba will \fBbecome\fR the local master
+browser on a subnet, just that \fBnmbd\fR will \fB participate\fR in elections for local master browser.
+
+Setting this value to False will cause \fBnmbd\fR
+\fBnever\fR to become a local master browser.
+
+Default: \fBlocal master = yes\fR
+.TP
+\fBlock dir (G)\fR
+Synonym for \fI lock directory\fR.
+.TP
+\fBlock directory (G)\fR
+This option specifies the directory where lock
+files will be placed. The lock files are used to implement the
+\fImax connections\fR
+option.
+
+Default: \fBlock directory = /tmp/samba\fR
+
+Example: \fBlock directory = /usr/local/samba/var/locks\fR
+.TP
+\fBlocking (S)\fR
+This controls whether or not locking will be
+performed by the server in response to lock requests from the
+client.
+
+If \fBlocking = no\fR, all lock and unlock requests
+will appear to succeed and all lock queries will indicate that the
+queried lock is clear.
+
+If \fBlocking = yes\fR, real locking will be performed
+by the server.
+
+This option \fBmay\fR be useful for read-only
+filesystems which \fBmay\fR not need locking (such as
+cdrom drives), although setting this parameter of no
+is not really recommended even in this case.
+
+Be careful about disabling locking either globally or in a
+specific service, as lack of locking may result in data corruption.
+You should never need to set this parameter.
+
+Default: \fBlocking = yes\fR
+.TP
+\fBlog file (G)\fR
+This options allows you to override the name
+of the Samba log file (also known as the debug file).
+
+This option takes the standard substitutions, allowing
+you to have separate log files for each user or machine.
+
+Example: \fBlog file = /usr/local/samba/var/log.%m
+\fR.TP
+\fBlog level (G)\fR
+Synonym for \fI debug level\fR.
+.TP
+\fBlogon drive (G)\fR
+This parameter specifies the local path to
+which the home directory will be connected (see \fIlogon home\fR)
+and is only used by NT Workstations.
+
+Note that this option is only useful if Samba is set up as a
+logon server.
+
+Default: \fBlogon drive = z:\fR
+
+Example: \fBlogon drive = h:\fR
+.TP
+\fBlogon home (G)\fR
+This parameter specifies the home directory
+location when a Win95/98 or NT Workstation logs into a Samba PDC.
+It allows you to do
+
+C:\\> \fBNET USE H: /HOME\fR
+
+from a command prompt, for example.
+
+This option takes the standard substitutions, allowing
+you to have separate logon scripts for each user or machine.
+
+This parameter can be used with Win9X workstations to ensure
+that roaming profiles are stored in a subdirectory of the user's
+home directory. This is done in the following way:
+
+\fBlogon home = \\\\%L\\%U\\profile\fR
+
+This tells Samba to return the above string, with
+substitutions made when a client requests the info, generally
+in a NetUserGetInfo request. Win9X clients truncate the info to
+\\\\server\\share when a user does \fBnet use /home"\fR
+but use the whole string when dealing with profiles.
+
+Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than
+\fIlogon home\fR. This broke \fBnet use
+/home\fR but allowed profiles outside the home directory.
+The current implementation is correct, and can be used for
+profiles if you use the above trick.
+
+This option is only useful if Samba is set up as a logon
+server.
+
+Default: \fBlogon home = "\\\\%N\\%U"\fR
+
+Example: \fBlogon home = "\\\\remote_smb_server\\%U"\fR
+.TP
+\fBlogon path (G)\fR
+This parameter specifies the home directory
+where roaming profiles (NTuser.dat etc files for Windows NT) are
+stored. Contrary to previous versions of these manual pages, it has
+nothing to do with Win 9X roaming profiles. To find out how to
+handle roaming profiles for Win 9X system, see the \fIlogon home\fR parameter.
+
+This option takes the standard substitutions, allowing you
+to have separate logon scripts for each user or machine. It also
+specifies the directory from which the "Application Data",
+(\fIdesktop\fR, \fIstart menu\fR,
+\fInetwork neighborhood\fR, \fIprograms\fR
+and other folders, and their contents, are loaded and displayed on
+your Windows NT client.
+
+The share and the path must be readable by the user for
+the preferences and directories to be loaded onto the Windows NT
+client. The share must be writeable when the logs in for the first
+time, in order that the Windows NT client can create the NTuser.dat
+and other directories.
+
+Thereafter, the directories and any of the contents can,
+if required, be made read-only. It is not advisable that the
+NTuser.dat file be made read-only - rename it to NTuser.man to
+achieve the desired effect (a \fBMAN\fRdatory
+profile).
+
+Windows clients can sometimes maintain a connection to
+the [homes] share, even though there is no user logged in.
+Therefore, it is vital that the logon path does not include a
+reference to the homes share (i.e. setting this parameter to
+\\%N\\%U\\profile_path will cause problems).
+
+This option takes the standard substitutions, allowing
+you to have separate logon scripts for each user or machine.
+
+Note that this option is only useful if Samba is set up
+as a logon server.
+
+Default: \fBlogon path = \\\\%N\\%U\\profile\fR
+
+Example: \fBlogon path = \\\\PROFILESERVER\\PROFILE\\%U\fR
+.TP
+\fBlogon script (G)\fR
+This parameter specifies the batch file (.bat) or
+NT command file (.cmd) to be downloaded and run on a machine when
+a user successfully logs in. The file must contain the DOS
+style cr/lf line endings. Using a DOS-style editor to create the
+file is recommended.
+
+The script must be a relative path to the [netlogon]
+service. If the [netlogon] service specifies a \fIpath\fR of \fI/usr/local/samba/netlogon
+\fR, and \fBlogon script = STARTUP.BAT\fR, then
+the file that will be downloaded is:
+
+\fI/usr/local/samba/netlogon/STARTUP.BAT\fR
+
+The contents of the batch file is entirely your choice. A
+suggested command would be to add \fBNET TIME \\\\SERVER /SET
+/YES\fR, to force every machine to synchronize clocks with
+the same time server. Another use would be to add \fBNET USE
+U: \\\\SERVER\\UTILS\fR for commonly used utilities, or \fB NET USE Q: \\\\SERVER\\ISO9001_QA\fR for example.
+
+Note that it is particularly important not to allow write
+access to the [netlogon] share, or to grant users write permission
+on the batch files in a secure environment, as this would allow
+the batch files to be arbitrarily modified and security to be
+breached.
+
+This option takes the standard substitutions, allowing you
+to have separate logon scripts for each user or machine.
+
+This option is only useful if Samba is set up as a logon
+server.
+
+Default: \fBno logon script defined\fR
+
+Example: \fBlogon script = scripts\\%U.bat\fR
+.TP
+\fBlppause command (S)\fR
+This parameter specifies the command to be
+executed on the server host in order to stop printing or spooling
+a specific print job.
+
+This command should be a program or script which takes
+a printer name and job number to pause the print job. One way
+of implementing this is by using job priorities, where jobs
+having a too low priority won't be sent to the printer.
+
+If a \fI%p\fR is given then the printername
+is put in its place. A \fI%j\fR is replaced with
+the job number (an integer). On HPUX (see \fIprinting=hpux
+\fR), if the \fI-p%p\fR option is added
+to the lpq command, the job will show up with the correct status, i.e.
+if the job priority is lower than the set fence priority it will
+have the PAUSED status, whereas if the priority is equal or higher it
+will have the SPOOLED or PRINTING status.
+
+Note that it is good practice to include the absolute path
+in the lppause command as the PATH may not be available to the server.
+
+See also the \fIprinting
+\fRparameter.
+
+Default: Currently no default value is given to
+this string, unless the value of the \fIprinting\fR
+parameter is SYSV, in which case the default is :
+
+\fBlp -i %p-%j -H hold\fR
+
+or if the value of the \fIprinting\fR parameter
+is SOFTQ, then the default is:
+
+\fBqstat -s -j%j -h\fR
+
+Example for HPUX: \fBlppause command = /usr/bin/lpalt
+%p-%j -p0\fR
+.TP
+\fBlpq cache time (G)\fR
+This controls how long lpq info will be cached
+for to prevent the \fBlpq\fR command being called too
+often. A separate cache is kept for each variation of the \fB lpq\fR command used by the system, so if you use different
+\fBlpq\fR commands for different users then they won't
+share cache information.
+
+The cache files are stored in \fI/tmp/lpq.xxxx\fR
+where xxxx is a hash of the \fBlpq\fR command in use.
+
+The default is 10 seconds, meaning that the cached results
+of a previous identical \fBlpq\fR command will be used
+if the cached data is less than 10 seconds old. A large value may
+be advisable if your \fBlpq\fR command is very slow.
+
+A value of 0 will disable caching completely.
+
+See also the \fIprinting
+\fRparameter.
+
+Default: \fBlpq cache time = 10\fR
+
+Example: \fBlpq cache time = 30\fR
+.TP
+\fBlpq command (S)\fR
+This parameter specifies the command to be
+executed on the server host in order to obtain \fBlpq
+\fR-style printer status information.
+
+This command should be a program or script which
+takes a printer name as its only parameter and outputs printer
+status information.
+
+Currently eight styles of printer status information
+are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ.
+This covers most UNIX systems. You control which type is expected
+using the \fIprinting =\fR option.
+
+Some clients (notably Windows for Workgroups) may not
+correctly send the connection number for the printer they are
+requesting status information about. To get around this, the
+server reports on the first printer service connected to by the
+client. This only happens if the connection number sent is invalid.
+
+If a \fI%p\fR is given then the printername
+is put in its place. Otherwise it is placed at the end of the
+command.
+
+Note that it is good practice to include the absolute path
+in the \fIlpq command\fR as the PATH may not be
+available to the server.
+
+See also the \fIprinting
+\fRparameter.
+
+Default: \fBdepends on the setting of \fI printing\fB\fR
+
+Example: \fBlpq command = /usr/bin/lpq %p\fR
+.TP
+\fBlpresume command (S)\fR
+This parameter specifies the command to be
+executed on the server host in order to restart or continue
+printing or spooling a specific print job.
+
+This command should be a program or script which takes
+a printer name and job number to resume the print job. See
+also the \fIlppause command
+\fRparameter.
+
+If a \fI%p\fR is given then the printername
+is put in its place. A \fI%j\fR is replaced with
+the job number (an integer).
+
+Note that it is good practice to include the absolute path
+in the \fIlpresume command\fR as the PATH may not
+be available to the server.
+
+See also the \fIprinting
+\fRparameter.
+
+Default: Currently no default value is given
+to this string, unless the value of the \fIprinting\fR
+parameter is SYSV, in which case the default is :
+
+\fBlp -i %p-%j -H resume\fR
+
+or if the value of the \fIprinting\fR parameter
+is SOFTQ, then the default is:
+
+\fBqstat -s -j%j -r\fR
+
+Example for HPUX: \fBlpresume command = /usr/bin/lpalt
+%p-%j -p2\fR
+.TP
+\fBlprm command (S)\fR
+This parameter specifies the command to be
+executed on the server host in order to delete a print job.
+
+This command should be a program or script which takes
+a printer name and job number, and deletes the print job.
+
+If a \fI%p\fR is given then the printername
+is put in its place. A \fI%j\fR is replaced with
+the job number (an integer).
+
+Note that it is good practice to include the absolute
+path in the \fIlprm command\fR as the PATH may not be
+available to the server.
+
+See also the \fIprinting
+\fRparameter.
+
+Default: \fBdepends on the setting of \fIprinting
+\fB\fR
+Example 1: \fBlprm command = /usr/bin/lprm -P%p %j
+\fR
+Example 2: \fBlprm command = /usr/bin/cancel %p-%j
+\fR.TP
+\fBmachine password timeout (G)\fR
+If a Samba server is a member of an Windows
+NT Domain (see the security=domain)
+parameter) then periodically a running smbd(8) <URL:smbd.8.html> process will try and change the MACHINE ACCOUNT
+PASSWORD stored in the TDB called \fIprivate/secrets.tdb
+\fR\&. This parameter specifies how often this password
+will be changed, in seconds. The default is one week (expressed in
+seconds), the same as a Windows NT Domain member server.
+
+See also \fBsmbpasswd(8)
+\fR <URL:smbpasswd.8.html>, and the security=domain) parameter.
+
+Default: \fBmachine password timeout = 604800\fR
+.TP
+\fBmagic output (S)\fR
+This parameter specifies the name of a file
+which will contain output created by a magic script (see the
+\fImagic script\fR
+parameter below).
+
+Warning: If two clients use the same \fImagic script
+\fRin the same directory the output file content
+is undefined.
+
+Default: \fBmagic output = <magic script name>.out
+\fR
+Example: \fBmagic output = myfile.txt\fR
+.TP
+\fBmagic script (S)\fR
+This parameter specifies the name of a file which,
+if opened, will be executed by the server when the file is closed.
+This allows a UNIX script to be sent to the Samba host and
+executed on behalf of the connected user.
+
+Scripts executed in this way will be deleted upon
+completion, permissions permitting.
+
+If the script generates output, output will be sent to
+the file specified by the \fI magic output\fR parameter (see above).
+
+Note that some shells are unable to interpret scripts
+containing carriage-return-linefeed instead of linefeed as
+the end-of-line marker. Magic scripts must be executable
+\fBas is\fR on the host, which for some hosts and
+some shells will require filtering at the DOS end.
+
+Magic scripts are \fBEXPERIMENTAL\fR and
+should \fBNOT\fR be relied upon.
+
+Default: \fBNone. Magic scripts disabled.\fR
+
+Example: \fBmagic script = user.csh\fR
+.TP
+\fBmangle case (S)\fR
+See the section on NAME MANGLING
+.TP
+\fBmangled map (S)\fR
+This is for those who want to directly map UNIX
+file names which can not be represented on Windows/DOS. The mangling
+of names is not always what is needed. In particular you may have
+documents with file extensions that differ between DOS and UNIX.
+For example, under UNIX it is common to use \fI.html\fR
+for HTML files, whereas under Windows/DOS \fI.htm\fR
+is more commonly used.
+
+So to map \fIhtml\fR to \fIhtm\fR
+you would use:
+
+\fBmangled map = (*.html *.htm)\fR
+
+One very useful case is to remove the annoying \fI;1
+\fRoff the ends of filenames on some CDROMS (only visible
+under some UNIXs). To do this use a map of (*;1 *;).
+
+Default: \fBno mangled map\fR
+
+Example: \fBmangled map = (*;1 *;)\fR
+.TP
+\fBmangled names (S)\fR
+This controls whether non-DOS names under UNIX
+should be mapped to DOS-compatible names ("mangled") and made visible,
+or whether non-DOS names should simply be ignored.
+
+See the section on NAME MANGLING for details on how to control the mangling process.
+
+If mangling is used then the mangling algorithm is as follows:
+.RS
+.TP 0.2i
+\(bu
+The first (up to) five alphanumeric characters
+before the rightmost dot of the filename are preserved, forced
+to upper case, and appear as the first (up to) five characters
+of the mangled name.
+.TP 0.2i
+\(bu
+A tilde "~" is appended to the first part of the mangled
+name, followed by a two-character unique sequence, based on the
+original root name (i.e., the original filename minus its final
+extension). The final extension is included in the hash calculation
+only if it contains any upper case characters or is longer than three
+characters.
+
+Note that the character to use may be specified using
+the \fImangling char\fR
+option, if you don't like '~'.
+.TP 0.2i
+\(bu
+The first three alphanumeric characters of the final
+extension are preserved, forced to upper case and appear as the
+extension of the mangled name. The final extension is defined as that
+part of the original filename after the rightmost dot. If there are no
+dots in the filename, the mangled name will have no extension (except
+in the case of "hidden files" - see below).
+.TP 0.2i
+\(bu
+Files whose UNIX name begins with a dot will be
+presented as DOS hidden files. The mangled name will be created as
+for other filenames, but with the leading dot removed and "___" as
+its extension regardless of actual original extension (that's three
+underscores).
+.RE
+.PP
+The two-digit hash value consists of upper case
+alphanumeric characters.
+.PP
+.PP
+This algorithm can cause name collisions only if files
+in a directory share the same first five alphanumeric characters.
+The probability of such a clash is 1/1300.
+.PP
+.PP
+The name mangling (if enabled) allows a file to be
+copied between UNIX directories from Windows/DOS while retaining
+the long UNIX filename. UNIX files can be renamed to a new extension
+from Windows/DOS and will retain the same basename. Mangled names
+do not change between sessions.
+.PP
+.PP
+Default: \fBmangled names = yes\fR
+.PP
+.TP
+\fBmangling char (S)\fR
+This controls what character is used as
+the \fBmagic\fR character in name mangling. The default is a '~'
+but this may interfere with some software. Use this option to set
+it to whatever you prefer.
+
+Default: \fBmangling char = ~\fR
+
+Example: \fBmangling char = ^\fR
+.TP
+\fBmangled stack (G)\fR
+This parameter controls the number of mangled names
+that should be cached in the Samba server smbd(8) <URL:smbd.8.html>.
+
+This stack is a list of recently mangled base names
+(extensions are only maintained if they are longer than 3 characters
+or contains upper case characters).
+
+The larger this value, the more likely it is that mangled
+names can be successfully converted to correct long UNIX names.
+However, large stack sizes will slow most directory access. Smaller
+stacks save memory in the server (each stack element costs 256 bytes).
+
+It is not possible to absolutely guarantee correct long
+file names, so be prepared for some surprises!
+
+Default: \fBmangled stack = 50\fR
+
+Example: \fBmangled stack = 100\fR
+.TP
+\fBmap archive (S)\fR
+This controls whether the DOS archive attribute
+should be mapped to the UNIX owner execute bit. The DOS archive bit
+is set when a file has been modified since its last backup. One
+motivation for this option it to keep Samba/your PC from making
+any file it touches from becoming executable under UNIX. This can
+be quite annoying for shared source code, documents, etc...
+
+Note that this requires the \fIcreate mask\fR
+parameter to be set such that owner execute bit is not masked out
+(i.e. it must include 100). See the parameter \fIcreate mask\fR for details.
+
+Default: \fBmap archive = yes\fR
+.TP
+\fBmap hidden (S)\fR
+This controls whether DOS style hidden files
+should be mapped to the UNIX world execute bit.
+
+Note that this requires the \fIcreate mask\fR
+to be set such that the world execute bit is not masked out (i.e.
+it must include 001). See the parameter \fIcreate mask\fR for details.
+
+Default: \fBmap hidden = no\fR
+.TP
+\fBmap system (S)\fR
+This controls whether DOS style system files
+should be mapped to the UNIX group execute bit.
+
+Note that this requires the \fIcreate mask\fR
+to be set such that the group execute bit is not masked out (i.e.
+it must include 010). See the parameter \fIcreate mask\fR for details.
+
+Default: \fBmap system = no\fR
+.TP
+\fBmap to guest (G)\fR
+This parameter is only useful in security modes other than \fIsecurity=share\fR
+- i.e. user, server,
+and domain.
+
+This parameter can take three different values, which tell
+smbd(8) <URL:smbd.8.html> what to do with user
+login requests that don't match a valid UNIX user in some way.
+
+The three settings are :
+.RS
+.TP 0.2i
+\(bu
+Never - Means user login
+requests with an invalid password are rejected. This is the
+default.
+.TP 0.2i
+\(bu
+Bad User - Means user
+logins with an invalid password are rejected, unless the username
+does not exist, in which case it is treated as a guest login and
+mapped into the \fI guest account\fR.
+.TP 0.2i
+\(bu
+Bad Password - Means user logins
+with an invalid password are treated as a guest login and mapped
+into the guest account. Note that
+this can cause problems as it means that any user incorrectly typing
+their password will be silently logged on as a "guest" - and
+will not know the reason they cannot access files they think
+they should - there will have been no message given to them
+that they got their password wrong. Helpdesk services will
+\fBhate\fR you if you set the \fImap to
+guest\fR parameter this way :-).
+.RE
+.PP
+Note that this parameter is needed to set up "Guest"
+share services when using \fIsecurity\fR modes other than
+share. This is because in these modes the name of the resource being
+requested is \fBnot\fR sent to the server until after
+the server has successfully authenticated the client so the server
+cannot make authentication decisions at the correct time (connection
+to the share) for "Guest" shares.
+.PP
+.PP
+For people familiar with the older Samba releases, this
+parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.
+.PP
+.PP
+Default: \fBmap to guest = Never\fR
+.PP
+.PP
+Example: \fBmap to guest = Bad User\fR
+.PP
+.TP
+\fBmax connections (S)\fR
+This option allows the number of simultaneous
+connections to a service to be limited. If \fImax connections
+\fRis greater than 0 then connections will be refused if
+this number of connections to the service are already open. A value
+of zero mean an unlimited number of connections may be made.
+
+Record lock files are used to implement this feature. The
+lock files will be stored in the directory specified by the \fIlock directory\fR
+option.
+
+Default: \fBmax connections = 0\fR
+
+Example: \fBmax connections = 10\fR
+.TP
+\fBmax disk size (G)\fR
+This option allows you to put an upper limit
+on the apparent size of disks. If you set this option to 100
+then all shares will appear to be not larger than 100 MB in
+size.
+
+Note that this option does not limit the amount of
+data you can put on the disk. In the above case you could still
+store much more than 100 MB on the disk, but if a client ever asks
+for the amount of free disk space or the total disk size then the
+result will be bounded by the amount specified in \fImax
+disk size\fR.
+
+This option is primarily useful to work around bugs
+in some pieces of software that can't handle very large disks,
+particularly disks over 1GB in size.
+
+A \fImax disk size\fR of 0 means no limit.
+
+Default: \fBmax disk size = 0\fR
+
+Example: \fBmax disk size = 1000\fR
+.TP
+\fBmax log size (G)\fR
+This option (an integer in kilobytes) specifies
+the max size the log file should grow to. Samba periodically checks
+the size and if it is exceeded it will rename the file, adding
+a \fI.old\fR extension.
+
+A size of 0 means no limit.
+
+Default: \fBmax log size = 5000\fR
+
+Example: \fBmax log size = 1000\fR
+.TP
+\fBmax mux (G)\fR
+This option controls the maximum number of
+outstanding simultaneous SMB operations that samba tells the client
+it will allow. You should never need to set this parameter.
+
+Default: \fBmax mux = 50\fR
+.TP
+\fBmax open files (G)\fR
+This parameter limits the maximum number of
+open files that one smbd(8) <URL:smbd.8.html> file
+serving process may have open for a client at any one time. The
+default for this parameter is set very high (10,000) as Samba uses
+only one bit per unopened file.
+
+The limit of the number of open files is usually set
+by the UNIX per-process file descriptor limit rather than
+this parameter so you should never need to touch this parameter.
+
+Default: \fBmax open files = 10000\fR
+.TP
+\fBmax ttl (G)\fR
+This option tells nmbd(8) <URL:nmbd.8.html>
+what the default 'time to live' of NetBIOS names should be (in seconds)
+when \fBnmbd\fR is requesting a name using either a
+broadcast packet or from a WINS server. You should never need to
+change this parameter. The default is 3 days.
+
+Default: \fBmax ttl = 259200\fR
+.TP
+\fBmax wins ttl (G)\fR
+This option tells nmbd(8)
+ <URL:nmbd.8.html> when acting as a WINS server ( \fIwins support=yes\fR) what the maximum
+\&'time to live' of NetBIOS names that \fBnmbd\fR
+will grant will be (in seconds). You should never need to change this
+parameter. The default is 6 days (518400 seconds).
+
+See also the \fImin
+wins ttl"\fR parameter.
+
+Default: \fBmax wins ttl = 518400\fR
+.TP
+\fBmax xmit (G)\fR
+This option controls the maximum packet size
+that will be negotiated by Samba. The default is 65535, which
+is the maximum. In some cases you may find you get better performance
+with a smaller value. A value below 2048 is likely to cause problems.
+
+Default: \fBmax xmit = 65535\fR
+
+Example: \fBmax xmit = 8192\fR
+.TP
+\fBmessage command (G)\fR
+This specifies what command to run when the
+server receives a WinPopup style message.
+
+This would normally be a command that would
+deliver the message somehow. How this is to be done is
+up to your imagination.
+
+An example is:
+
+\fBmessage command = csh -c 'xedit %s;rm %s' &\fR
+
+This delivers the message using \fBxedit\fR, then
+removes it afterwards. \fBNOTE THAT IT IS VERY IMPORTANT
+THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I
+have the '&' on the end. If it doesn't return immediately then
+your PCs may freeze when sending messages (they should recover
+after 30secs, hopefully).
+
+All messages are delivered as the global guest user.
+The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better
+in this case).
+
+Apart from the standard substitutions, some additional
+ones apply. In particular:
+.RS
+.TP 0.2i
+\(bu
+\fI%s\fR = the filename containing
+the message.
+.TP 0.2i
+\(bu
+\fI%t\fR = the destination that
+the message was sent to (probably the server name).
+.TP 0.2i
+\(bu
+\fI%f\fR = who the message
+is from.
+.RE
+.PP
+You could make this command send mail, or whatever else
+takes your fancy. Please let us know of any really interesting
+ideas you have.
+.PP
+.PP
+Here's a way of sending the messages as mail to root:
+.PP
+.PP
+\fBmessage command = /bin/mail -s 'message from %f on
+%m' root < %s; rm %s\fR
+.PP
+.PP
+If you don't have a message command then the message
+won't be delivered and Samba will tell the sender there was
+an error. Unfortunately WfWg totally ignores the error code
+and carries on regardless, saying that the message was delivered.
+.PP
+.PP
+If you want to silently delete it then try:
+.PP
+.PP
+\fBmessage command = rm %s\fR
+.PP
+.PP
+Default: \fBno message command\fR
+.PP
+.PP
+Example: \fBmessage command = csh -c 'xedit %s;
+rm %s' &\fR
+.PP
+.TP
+\fBmin print space (S)\fR
+This sets the minimum amount of free disk
+space that must be available before a user will be able to spool
+a print job. It is specified in kilobytes. The default is 0, which
+means a user can always spool a print job.
+
+See also the \fIprinting
+\fRparameter.
+
+Default: \fBmin print space = 0\fR
+
+Example: \fBmin print space = 2000\fR
+.TP
+\fBmin passwd length (G)\fR
+Synonym for \fImin password length\fR.
+.TP
+\fBmin password length (G)\fR
+This option sets the minimum length in characters
+of a plaintext password than smbd will accept when performing
+UNIX password changing.
+
+See also \fIunix
+password sync\fR, \fIpasswd program\fR and \fIpasswd chat debug\fR
+\&.
+
+Default: \fBmin password length = 5\fR
+.TP
+\fBmin wins ttl (G)\fR
+This option tells nmbd(8) <URL:nmbd.8.html>
+when acting as a WINS server (\fI wins support = yes\fR) what the minimum 'time to live'
+of NetBIOS names that \fBnmbd\fR will grant will be (in
+seconds). You should never need to change this parameter. The default
+is 6 hours (21600 seconds).
+
+Default: \fBmin wins ttl = 21600\fR
+.TP
+\fBname resolve order (G)\fR
+This option is used by the programs in the Samba
+suite to determine what naming services and in what order to resolve
+host names to IP addresses. The option takes a space separated
+string of different name resolution options.
+
+The options are :"lmhosts", "host", "wins" and "bcast". They
+cause names to be resolved as follows :
+.RS
+.TP 0.2i
+\(bu
+lmhosts : Lookup an IP
+address in the Samba lmhosts file. If the line in lmhosts has
+no name type attached to the NetBIOS name (see the lmhosts(5) <URL:lmhosts.5.html> for details) then
+any name type matches for lookup.
+.TP 0.2i
+\(bu
+host : Do a standard host
+name to IP address resolution, using the system \fI/etc/hosts
+\fR, NIS, or DNS lookups. This method of name resolution
+is operating system depended for instance on IRIX or Solaris this
+may be controlled by the \fI/etc/nsswitch.conf\fR
+file). Note that this method is only used if the NetBIOS name
+type being queried is the 0x20 (server) name type, otherwise
+it is ignored.
+.TP 0.2i
+\(bu
+wins : Query a name with
+the IP address listed in the \fI wins server\fR parameter. If no WINS server has
+been specified this method will be ignored.
+.TP 0.2i
+\(bu
+bcast : Do a broadcast on
+each of the known local interfaces listed in the \fIinterfaces\fR
+parameter. This is the least reliable of the name resolution
+methods as it depends on the target host being on a locally
+connected subnet.
+.RE
+.PP
+Default: \fBname resolve order = lmhosts host wins bcast
+\fR.PP
+.PP
+Example: \fBname resolve order = lmhosts bcast host
+\fR.PP
+.PP
+This will cause the local lmhosts file to be examined
+first, followed by a broadcast attempt, followed by a normal
+system hostname lookup.
+.PP
+.TP
+\fBnetbios aliases (G)\fR
+This is a list of NetBIOS names that nmbd(8) <URL:nmbd.8.html> will advertise as additional
+names by which the Samba server is known. This allows one machine
+to appear in browse lists under multiple names. If a machine is
+acting as a browse server or logon server none
+of these names will be advertised as either browse server or logon
+servers, only the primary name of the machine will be advertised
+with these capabilities.
+
+See also \fInetbios
+name\fR.
+
+Default: \fBempty string (no additional names)\fR
+
+Example: \fBnetbios aliases = TEST TEST1 TEST2\fR
+.TP
+\fBnetbios name (G)\fR
+This sets the NetBIOS name by which a Samba
+server is known. By default it is the same as the first component
+of the host's DNS name. If a machine is a browse server or
+logon server this name (or the first component
+of the hosts DNS name) will be the name that these services are
+advertised under.
+
+See also \fInetbios
+aliases\fR.
+
+Default: \fBmachine DNS name\fR
+
+Example: \fBnetbios name = MYNAME\fR
+.TP
+\fBnetbios scope (G)\fR
+This sets the NetBIOS scope that Samba will
+operate under. This should not be set unless every machine
+on your LAN also sets this value.
+.TP
+\fBnis homedir (G)\fR
+Get the home share server from a NIS map. For
+UNIX systems that use an automounter, the user's home directory
+will often be mounted on a workstation on demand from a remote
+server.
+
+When the Samba logon server is not the actual home directory
+server, but is mounting the home directories via NFS then two
+network hops would be required to access the users home directory
+if the logon server told the client to use itself as the SMB server
+for home directories (one over SMB and one over NFS). This can
+be very slow.
+
+This option allows Samba to return the home share as
+being on a different server to the logon server and as
+long as a Samba daemon is running on the home directory server,
+it will be mounted on the Samba client directly from the directory
+server. When Samba is returning the home share to the client, it
+will consult the NIS map specified in \fIhomedir map\fR and return the server
+listed there.
+
+Note that for this option to work there must be a working
+NIS system and the Samba server with this option must also
+be a logon server.
+
+Default: \fBnis homedir = no\fR
+.TP
+\fBnt acl support (G)\fR
+This boolean parameter controls whether
+smbd(8) <URL:smbd.8.html> will attempt to map
+UNIX permissions into Windows NT access control lists.
+
+Default: \fBnt acl support = yes\fR
+.TP
+\fBnt pipe support (G)\fR
+This boolean parameter controls whether
+smbd(8) <URL:smbd.8.html> will allow Windows NT
+clients to connect to the NT SMB specific IPC$
+pipes. This is a developer debugging option and can be left
+alone.
+
+Default: \fBnt pipe support = yes\fR
+.TP
+\fBnt smb support (G)\fR
+This boolean parameter controls whether smbd(8) <URL:smbd.8.html> will negotiate NT specific SMB
+support with Windows NT clients. Although this is a developer
+debugging option and should be left alone, benchmarking has discovered
+that Windows NT clients give faster performance with this option
+set to no. This is still being investigated.
+If this option is set to no then Samba offers
+exactly the same SMB calls that versions prior to Samba 2.0 offered.
+This information may be of use if any users are having problems
+with NT SMB support.
+
+Default: \fBnt support = yes\fR
+.TP
+\fBnull passwords (G)\fR
+Allow or disallow client access to accounts
+that have null passwords.
+
+See also smbpasswd (5) <URL:smbpasswd.5.html>.
+
+Default: \fBnull passwords = no\fR
+.TP
+\fBole locking compatibility (G)\fR
+This parameter allows an administrator to turn
+off the byte range lock manipulation that is done within Samba to
+give compatibility for OLE applications. Windows OLE applications
+use byte range locking as a form of inter-process communication, by
+locking ranges of bytes around the 2^32 region of a file range. This
+can cause certain UNIX lock managers to crash or otherwise cause
+problems. Setting this parameter to no means you
+trust your UNIX lock manager to handle such cases correctly.
+
+Default: \fBole locking compatibility = yes\fR
+.TP
+\fBonly guest (S)\fR
+A synonym for \fI guest only\fR.
+.TP
+\fBonly user (S)\fR
+This is a boolean option that controls whether
+connections with usernames not in the \fIuser\fR
+list will be allowed. By default this option is disabled so a client
+can supply a username to be used by the server.
+
+Note that this also means Samba won't try to deduce
+usernames from the service name. This can be annoying for
+the [homes] section. To get around this you could use \fBuser =
+%S\fR which means your \fIuser\fR list
+will be just the service name, which for home directories is the
+name of the user.
+
+See also the \fIuser\fR
+parameter.
+
+Default: \fBonly user = no\fR
+.TP
+\fBoplocks (S)\fR
+This boolean option tells smbd whether to
+issue oplocks (opportunistic locks) to file open requests on this
+share. The oplock code can dramatically (approx. 30% or more) improve
+the speed of access to files on Samba servers. It allows the clients
+to aggressively cache files ocally and you may want to disable this
+option for unreliable network environments (it is turned on by
+default in Windows NT Servers). For more information see the file
+\fISpeed.txt\fR in the Samba \fIdocs/\fR
+directory.
+
+Oplocks may be selectively turned off on certain files on
+a per share basis. See the \fI veto oplock files\fR parameter. On some systems
+oplocks are recognized by the underlying operating system. This
+allows data synchronization between all access to oplocked files,
+whether it be via Samba or NFS or a local UNIX process. See the
+\fIkernel oplocks\fR parameter for details.
+
+See also the \fIkernel
+oplocks\fR and \fI level2 oplocks\fR parameters.
+
+Default: \fBoplocks = yes\fR
+.TP
+\fBoplock break wait time (G)\fR
+This is a tuning parameter added due to bugs in
+both Windows 9x and WinNT. If Samba responds to a client too
+quickly when that client issues an SMB that can cause an oplock
+break request, then the client redirector can fail and not respond
+to the break request. This tuning parameter (which is set in milliseconds)
+is the amount of time Samba will wait before sending an oplock break
+request to such (broken) clients.
+
+\fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
+
+Default: \fBoplock break wait time = 10\fR
+.TP
+\fBoplock contention limit (S)\fR
+This is a \fBvery\fR advanced
+smbd(8) <URL:smbd.8.html> tuning option to
+improve the efficiency of the granting of oplocks under multiple
+client contention for the same file.
+
+In brief it specifies a number, which causes smbd not to
+grant an oplock even when requested if the approximate number of
+clients contending for an oplock on the same file goes over this
+limit. This causes \fBsmbd\fR to behave in a similar
+way to Windows NT.
+
+\fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
+AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
+
+Default: \fBoplock contention limit = 2\fR
+.TP
+\fBos level (G)\fR
+This integer value controls what level Samba
+advertises itself as for browse elections. The value of this
+parameter determines whether nmbd(8) <URL:nmbd.8.html>
+has a chance of becoming a local master browser for the \fI WORKGROUP\fR in the local broadcast area. The default is
+zero, which means \fBnmbd\fR will lose elections to
+Windows machines. See \fIBROWSING.txt\fR in the
+Samba \fIdocs/\fR directory for details.
+
+Default: \fBos level = 20\fR
+
+Example: \fBos level = 65 \fR
+.TP
+\fBpanic action (G)\fR
+This is a Samba developer option that allows a
+system command to be called when either smbd(8) <URL:smbd.8.html> or nmbd(8) <URL:nmbd.8.html>
+crashes. This is usually used to draw attention to the fact that
+a problem occurred.
+
+Default: \fBpanic action = <empty string>\fR
+
+Example: \fBpanic action = "/bin/sleep 90000"\fR
+.TP
+\fBpasswd chat (G)\fR
+This string controls the \fB"chat"\fR
+conversation that takes places between smbd <URL:smbd.8.html> and the local password changing
+program to change the users password. The string describes a
+sequence of response-receive pairs that smbd(8) <URL:smbd.8.html> uses to determine what to send to the
+\fIpasswd program\fR
+and what to expect back. If the expected output is not
+received then the password is not changed.
+
+This chat sequence is often quite site specific, depending
+on what local methods are used for password control (such as NIS
+etc).
+
+The string can contain the macros \fI%o\fR
+and \fI%n\fR which are substituted for the old
+and new passwords respectively. It can also contain the standard
+macros \\n, \\r, \\t and %s to give line-feed,
+carriage-return, tab and space.
+
+The string can also contain a '*' which matches
+any sequence of characters.
+
+Double quotes can be used to collect strings with spaces
+in them into a single string.
+
+If the send string in any part of the chat sequence
+is a fullstop ".", then no string is sent. Similarly,
+is the expect string is a fullstop then no string is expected.
+
+Note that if the \fIunix
+password sync\fR parameter is set to true, then this
+sequence is called \fBAS ROOT\fR when the SMB password
+in the smbpasswd file is being changed, without access to the old
+password cleartext. In this case the old password cleartext is set
+to "" (the empty string).
+
+See also \fIunix password
+sync\fR, \fI passwd program\fR and \fIpasswd chat debug\fR.
+
+Default: \fBpasswd chat = *old*password* %o\\n *new*
+password* %n\\n *new*password* %n\\n *changed*\fR
+
+Example: \fBpasswd chat = "*Enter OLD password*" %o\\n
+"*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password
+changed*"\fR
+.TP
+\fBpasswd chat debug (G)\fR
+This boolean specifies if the passwd chat script
+parameter is run in \fBdebug\fR mode. In this mode the
+strings passed to and received from the passwd chat are printed
+in the smbd(8) <URL:smbd.8.html> log with a
+\fIdebug level\fR
+of 100. This is a dangerous option as it will allow plaintext passwords
+to be seen in the \fBsmbd\fR log. It is available to help
+Samba admins debug their \fIpasswd chat\fR scripts
+when calling the \fIpasswd program\fR and should
+be turned off after this has been done. This parameter is off by
+default.
+
+See also <\fIpasswd chat\fR
+, \fIpasswd program\fR
+\&.
+
+Default: \fBpasswd chat debug = no\fR
+
+Example: \fBpasswd chat debug = yes\fR
+.TP
+\fBpasswd program (G)\fR
+The name of a program that can be used to set
+UNIX user passwords. Any occurrences of \fI%u\fR
+will be replaced with the user name. The user name is checked for
+existence before calling the password changing program.
+
+Also note that many passwd programs insist in \fBreasonable
+\fRpasswords, such as a minimum length, or the inclusion
+of mixed case chars and digits. This can pose a problem as some clients
+(such as Windows for Workgroups) uppercase the password before sending
+it.
+
+\fBNote\fR that if the \fIunix
+password sync\fR parameter is set to True
+then this program is called \fBAS ROOT\fR
+before the SMB password in the smbpasswd(5)
+ <URL:smbpasswd.5.html> file is changed. If this UNIX password change fails, then
+\fBsmbd\fR will fail to change the SMB password also
+(this is by design).
+
+If the \fIunix password sync\fR parameter
+is set this parameter \fBMUST USE ABSOLUTE PATHS\fR
+for \fBALL\fR programs called, and must be examined
+for security implications. Note that by default \fIunix
+password sync\fR is set to False.
+
+See also \fIunix
+password sync\fR.
+
+Default: \fBpasswd program = /bin/passwd\fR
+
+Example: \fBpasswd program = /sbin/npasswd %u\fR
+.TP
+\fBpassword level (G)\fR
+Some client/server combinations have difficulty
+with mixed-case passwords. One offending client is Windows for
+Workgroups, which for some reason forces passwords to upper
+case when using the LANMAN1 protocol, but leaves them alone when
+using COREPLUS!
+
+This parameter defines the maximum number of characters
+that may be upper case in passwords.
+
+For example, say the password given was "FRED". If \fI password level\fR is set to 1, the following combinations
+would be tried if "FRED" failed:
+
+"Fred", "fred", "fRed", "frEd","freD"
+
+If \fIpassword level\fR was set to 2,
+the following combinations would also be tried:
+
+"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
+
+And so on.
+
+The higher value this parameter is set to the more likely
+it is that a mixed case password will be matched against a single
+case password. However, you should be aware that use of this
+parameter reduces security and increases the time taken to
+process a new connection.
+
+A value of zero will cause only two attempts to be
+made - the password as is and the password in all-lower case.
+
+Default: \fBpassword level = 0\fR
+
+Example: \fBpassword level = 4\fR
+.TP
+\fBpassword server (G)\fR
+By specifying the name of another SMB server (such
+as a WinNT box) with this option, and using \fBsecurity = domain
+\fRor \fBsecurity = server\fR you can get Samba
+to do all its username/password validation via a remote server.
+
+This options sets the name of the password server to use.
+It must be a NetBIOS name, so if the machine's NetBIOS name is
+different from its internet name then you may have to add its NetBIOS
+name to the lmhosts file which is stored in the same directory
+as the \fIsmb.conf\fR file.
+
+The name of the password server is looked up using the
+parameter \fIname
+resolve order\fR and so may resolved
+by any method and order described in that parameter.
+
+The password server much be a machine capable of using
+the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in
+user level security mode.
+
+\fBNOTE:\fR Using a password server
+means your UNIX box (running Samba) is only as secure as your
+password server. \fBDO NOT CHOOSE A PASSWORD SERVER THAT
+YOU DON'T COMPLETELY TRUST\fR.
+
+Never point a Samba server at itself for password
+serving. This will cause a loop and could lock up your Samba
+server!
+
+The name of the password server takes the standard
+substitutions, but probably the only useful one is \fI%m
+\fR, which means the Samba server will use the incoming
+client as the passwordserver. If you use this then you better
+trust your clients, and you better restrict them with hosts allow!
+
+If the \fIsecurity\fR parameter is set to
+domain, then the list of machines in this
+option must be a list of Primary or Backup Domain controllers for the
+Domain or the character '*', as the Samba server is cryptographicly
+in that domain, and will use cryptographicly authenticated RPC calls
+to authenticate the user logging on. The advantage of using \fB security = domain\fR is that if you list several hosts in the
+\fIpassword server\fR option then \fBsmbd
+\fRwill try each in turn till it finds one that responds. This
+is useful in case your primary server goes down.
+
+If the \fIpassword server\fR option is set
+to the character '*', then Samba will attempt to auto-locate the
+Primary or Backup Domain controllers to authenticate against by
+doing a query for the name WORKGROUP<1C>
+and then contacting each server returned in the list of IP
+addresses from the name resolution source.
+
+If the \fIsecurity\fR parameter is
+set to server, then there are different
+restrictions that \fBsecurity = domain\fR doesn't
+suffer from:
+.RS
+.TP 0.2i
+\(bu
+You may list several password servers in
+the \fIpassword server\fR parameter, however if an
+\fBsmbd\fR makes a connection to a password server,
+and then the password server fails, no more users will be able
+to be authenticated from this \fBsmbd\fR. This is a
+restriction of the SMB/CIFS protocol when in \fBsecurity=server
+\fRmode and cannot be fixed in Samba.
+.TP 0.2i
+\(bu
+If you are using a Windows NT server as your
+password server then you will have to ensure that your users
+are able to login from the Samba server, as when in \fB security=server\fR mode the network logon will appear to
+come from there rather than from the users workstation.
+.RE
+.PP
+See also the \fIsecurity
+\fRparameter.
+.PP
+.PP
+Default: \fBpassword server = <empty string>\fR
+.PP
+.PP
+Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2
+\fR.PP
+.PP
+Example: \fBpassword server = *\fR
+.PP
+.TP
+\fBpath (S)\fR
+This parameter specifies a directory to which
+the user of the service is to be given access. In the case of
+printable services, this is where print data will spool prior to
+being submitted to the host for printing.
+
+For a printable service offering guest access, the service
+should be readonly and the path should be world-writeable and
+have the sticky bit set. This is not mandatory of course, but
+you probably won't get the results you expect if you do
+otherwise.
+
+Any occurrences of \fI%u\fR in the path
+will be replaced with the UNIX username that the client is using
+on this connection. Any occurrences of \fI%m\fR
+will be replaced by the NetBIOS name of the machine they are
+connecting from. These replacements are very useful for setting
+up pseudo home directories for users.
+
+Note that this path will be based on \fIroot dir\fR if one was specified.
+
+Default: \fBnone\fR
+
+Example: \fBpath = /home/fred\fR
+.TP
+\fBpostexec (S)\fR
+This option specifies a command to be run
+whenever the service is disconnected. It takes the usual
+substitutions. The command may be run as the root on some
+systems.
+
+An interesting example may be do unmount server
+resources:
+
+\fBpostexec = /etc/umount /cdrom\fR
+
+See also \fIpreexec\fR
+\&.
+
+Default: \fBnone (no command executed)\fR
+
+Example: \fBpostexec = echo \\"%u disconnected from %S
+from %m (%I)\\" >> /tmp/log\fR
+.TP
+\fBpostscript (S)\fR
+This parameter forces a printer to interpret
+the print files as postscript. This is done by adding a %!
+to the start of print output.
+
+This is most useful when you have lots of PCs that persist
+in putting a control-D at the start of print jobs, which then
+confuses your printer.
+
+Default: \fBpostscript = no\fR
+.TP
+\fBpreexec (S)\fR
+This option specifies a command to be run whenever
+the service is connected to. It takes the usual substitutions.
+
+An interesting example is to send the users a welcome
+message every time they log in. Maybe a message of the day? Here
+is an example:
+
+\fBpreexec = csh -c 'echo \\"Welcome to %S!\\" |
+/usr/local/samba/bin/smbclient -M %m -I %I' & \fR
+
+Of course, this could get annoying after a while :-)
+
+See also \fIpreexec close
+\fRand \fIpostexec
+\fR\&.
+
+Default: \fBnone (no command executed)\fR
+
+Example: \fBpreexec = echo \\"%u connected to %S from %m
+(%I)\\" >> /tmp/log\fR
+.TP
+\fBpreexec close (S)\fR
+This boolean option controls whether a non-zero
+return code from \fIpreexec
+\fRshould close the service being connected to.
+
+Default: \fBpreexec close = no\fR
+.TP
+\fBpreferred master (G)\fR
+This boolean parameter controls if nmbd(8) <URL:nmbd.8.html> is a preferred master browser
+for its workgroup.
+
+If this is set to true, on startup, \fBnmbd\fR
+will force an election, and it will have a slight advantage in
+winning the election. It is recommended that this parameter is
+used in conjunction with \fB\fI domain master\fB = yes\fR, so that \fB nmbd\fR can guarantee becoming a domain master.
+
+Use this option with caution, because if there are several
+hosts (whether Samba servers, Windows 95 or NT) that are preferred
+master browsers on the same subnet, they will each periodically
+and continuously attempt to become the local master browser.
+This will result in unnecessary broadcast traffic and reduced browsing
+capabilities.
+
+See also \fIos level\fR
+\&.
+
+Default: \fBpreferred master = no\fR
+.TP
+\fBprefered master (G)\fR
+Synonym for \fI preferred master\fR for people who cannot spell :-).
+.TP
+\fBpreload\fR
+Synonym for \fI auto services\fR.
+.TP
+\fBpreserve case (S)\fR
+This controls if new filenames are created
+with the case that the client passes, or if they are forced to
+be the \fIderault case
+\fR\&.
+
+Default: \fBpreserve case = yes\fR
+
+See the section on NAME
+MANGLING" for a fuller discussion.
+.TP
+\fBprint command (S)\fR
+After a print job has finished spooling to
+a service, this command will be used via a \fBsystem()\fR
+call to process the spool file. Typically the command specified will
+submit the spool file to the host's printing subsystem, but there
+is no requirement that this be the case. The server will not remove
+the spool file, so whatever command you specify should remove the
+spool file when it has been processed, otherwise you will need to
+manually remove old spool files.
+
+The print command is simply a text string. It will be used
+verbatim, with two exceptions: All occurrences of \fI%s
+\fRand \fI%f\fR will be replaced by the
+appropriate spool file name, and all occurrences of \fI%p
+\fRwill be replaced by the appropriate printer name. The
+spool file name is generated automatically by the server, the printer
+name is discussed below.
+
+The print command \fBMUST\fR contain at least
+one occurrence of \fI%s\fR or \fI%f
+\fR- the \fI%p\fR is optional. At the time
+a job is submitted, if no printer name is supplied the \fI%p
+\fRwill be silently removed from the printer command.
+
+If specified in the [global] section, the print command given
+will be used for any printable service that does not have its own
+print command specified.
+
+If there is neither a specified print command for a
+printable service nor a global print command, spool files will
+be created but not processed and (most importantly) not removed.
+
+Note that printing may fail on some UNIXs from the
+nobody account. If this happens then create
+an alternative guest account that can print and set the \fIguest account\fR
+in the [global] section.
+
+You can form quite complex print commands by realizing
+that they are just passed to a shell. For example the following
+will log a print job, print the file, then remove it. Note that
+\&';' is the usual separator for command in shell scripts.
+
+\fBprint command = echo Printing %s >>
+/tmp/print.log; lpr -P %p %s; rm %s\fR
+
+You may have to vary this command considerably depending
+on how you normally print files on your system. The default for
+the parameter varies depending on the setting of the \fIprinting\fR parameter.
+
+Default: For \fBprinting= BSD, AIX, QNX, LPRNG
+or PLP :\fR
+
+\fBprint command = lpr -r -P%p %s\fR
+
+For \fBprinting= SYS or HPUX :\fR
+
+\fBprint command = lp -c -d%p %s; rm %s\fR
+
+For \fBprinting=SOFTQ :\fR
+
+\fBprint command = lp -d%p -s %s; rm %s\fR
+
+Example: \fBprint command = /usr/local/samba/bin/myprintscript
+%p %s\fR
+.TP
+\fBprint ok (S)\fR
+Synonym for \fIprintable\fR.
+.TP
+\fBprintable (S)\fR
+If this parameter is yes, then
+clients may open, write to and submit spool files on the directory
+specified for the service.
+
+Note that a printable service will ALWAYS allow writing
+to the service path (user privileges permitting) via the spooling
+of print data. The \fIwriteable
+\fRparameter controls only non-printing access to
+the resource.
+
+Default: \fBprintable = no\fR
+.TP
+\fBprintcap (G)\fR
+Synonym for \fI printcap name\fR.
+.TP
+\fBprinter admin (S)\fR
+This is a list of users that can do anything to
+printers via the remote administration interfaces offered by MSRPC
+(usually using a NT workstation). Note that the root user always
+has admin rights.
+
+Default: \fBprinter admin = <empty string>\fR
+
+Example: \fBprinter admin = admin, @staff\fR
+.TP
+\fBprintcap name (G)\fR
+This parameter may be used to override the
+compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR). See the discussion of the [printers] section above for reasons
+why you might want to do this.
+
+On System V systems that use \fBlpstat\fR to
+list available printers you can use \fBprintcap name = lpstat
+\fRto automatically obtain lists of available printers. This
+is the default for systems that define SYSV at configure time in
+Samba (this includes most System V based systems). If \fI printcap name\fR is set to \fBlpstat\fR on
+these systems then Samba will launch \fBlpstat -v\fR and
+attempt to parse the output to obtain a printer list.
+
+A minimal printcap file would look something like this:
+
+.sp
+.nf
+ print1|My Printer 1
+ print2|My Printer 2
+ print3|My Printer 3
+ print4|My Printer 4
+ print5|My Printer 5
+
+.sp
+.fi
+
+where the '|' separates aliases of a printer. The fact
+that the second alias has a space in it gives a hint to Samba
+that it's a comment.
+
+\fBNOTE\fR: Under AIX the default printcap
+name is \fI/etc/qconfig\fR. Samba will assume the
+file is in AIX \fIqconfig\fR format if the string
+\fIqconfig\fR appears in the printcap filename.
+
+Default: \fBprintcap name = /etc/printcap\fR
+
+Example: \fBprintcap name = /etc/myprintcap\fR
+.TP
+\fBprinter (S)\fR
+This parameter specifies the name of the printer
+to which print jobs spooled through a printable service will be sent.
+
+If specified in the [global] section, the printer
+name given will be used for any printable service that does
+not have its own printer name specified.
+
+Default: \fBnone (but may be lp
+on many systems)\fR
+
+Example: \fBprinter name = laserwriter\fR
+.TP
+\fBprinter driver (S)\fR
+This option allows you to control the string
+that clients receive when they ask the server for the printer driver
+associated with a printer. If you are using Windows95 or WindowsNT
+then you can use this to automate the setup of printers on your
+system.
+
+You need to set this parameter to the exact string (case
+sensitive) that describes the appropriate printer driver for your
+system. If you don't know the exact string to use then you should
+first try with no \fI printer driver\fR option set and the client will
+give you a list of printer drivers. The appropriate strings are
+shown in a scrollbox after you have chosen the printer manufacturer.
+
+See also \fIprinter
+driver file\fR.
+
+Example: \fBprinter driver = HP LaserJet 4L\fR
+.TP
+\fBprinter driver file (G)\fR
+This parameter tells Samba where the printer driver
+definition file, used when serving drivers to Windows 95 clients, is
+to be found. If this is not set, the default is :
+
+\fISAMBA_INSTALL_DIRECTORY
+/lib/printers.def\fR
+
+This file is created from Windows 95 \fImsprint.inf
+\fRfiles found on the Windows 95 client system. For more
+details on setting up serving of printer drivers to Windows 95
+clients, see the documentation file in the \fIdocs/\fR
+directory, \fIPRINTER_DRIVER.txt\fR.
+
+See also \fI printer driver location\fR.
+
+Default: \fBNone (set in compile).\fR
+
+Example: \fBprinter driver file =
+/usr/local/samba/printers/drivers.def\fR
+.TP
+\fBprinter driver location (S)\fR
+This parameter tells clients of a particular printer
+share where to find the printer driver files for the automatic
+installation of drivers for Windows 95 machines. If Samba is set up
+to serve printer drivers to Windows 95 machines, this should be set to
+
+\fB\\\\MACHINE\\PRINTER$\fR
+
+Where MACHINE is the NetBIOS name of your Samba server,
+and PRINTER$ is a share you set up for serving printer driver
+files. For more details on setting this up see the documentation
+file in the \fIdocs/\fR directory, \fI PRINTER_DRIVER.txt\fR.
+
+See also \fI printer driver file\fR.
+
+Default: \fBnone\fR
+
+Example: \fBprinter driver location = \\\\MACHINE\\PRINTER$
+\fR.TP
+\fBprinter name (S)\fR
+Synonym for \fI printer\fR.
+.TP
+\fBprinting (S)\fR
+This parameters controls how printer status
+information is interpreted on your system. It also affects the
+default values for the \fIprint command\fR,
+\fIlpq command\fR, \fIlppause command
+\fR, \fIlpresume command\fR, and
+\fIlprm command\fR if specified in the
+[global]f> section.
+
+Currently eight printing styles are supported. They are
+BSD, AIX,
+LPRNG, PLP,
+SYSV, HPUX,
+QNX, SOFTQ,
+and CUPS.
+
+To see what the defaults are for the other print
+commands when using the various options use the testparm(1) <URL:testparm.1.html> program.
+
+This option can be set on a per printer basis
+
+See also the discussion in the [printers] section.
+.TP
+\fBprivate dir(G)\fR
+The \fIprivate dir\fR parameter
+allows an administator to define a directory path used to hold the
+various databases Samba will use to store things like a the machine
+trust account information when acting as a domain member (i.e. where
+the secrets.tdb file will be located), where the passdb.tbd file
+will stored in the case of using the experiemental tdbsam support,
+etc...
+
+Default: \fBprivate dir = <compile time location
+of smbpasswd>\fR
+
+Example: \fBprivate dir = /etc/smbprivate\fR
+.TP
+\fBprotocol (G)\fR
+The value of the parameter (a string) is the highest
+protocol level that will be supported by the server.
+
+Possible values are :
+.RS
+.TP 0.2i
+\(bu
+CORE: Earliest version. No
+concept of user names.
+.TP 0.2i
+\(bu
+COREPLUS: Slight improvements on
+CORE for efficiency.
+.TP 0.2i
+\(bu
+LANMAN1: First \fB modern\fR version of the protocol. Long filename
+support.
+.TP 0.2i
+\(bu
+LANMAN2: Updates to Lanman1 protocol.
+.TP 0.2i
+\(bu
+NT1: Current up to date version of
+the protocol. Used by Windows NT. Known as CIFS.
+.RE
+.PP
+Normally this option should not be set as the automatic
+negotiation phase in the SMB protocol takes care of choosing
+the appropriate protocol.
+.PP
+.PP
+Default: \fBprotocol = NT1\fR
+.PP
+.PP
+Example: \fBprotocol = LANMAN1\fR
+.PP
+.TP
+\fBpublic (S)\fR
+Synonym for \fIguest
+ok\fR.
+.TP
+\fBqueuepause command (S)\fR
+This parameter specifies the command to be
+executed on the server host in order to pause the printerqueue.
+
+This command should be a program or script which takes
+a printer name as its only parameter and stops the printerqueue,
+such that no longer jobs are submitted to the printer.
+
+This command is not supported by Windows for Workgroups,
+but can be issued from the Printer's window under Windows 95
+and NT.
+
+If a \fI%p\fR is given then the printername
+is put in its place. Otherwise it is placed at the end of the command.
+
+Note that it is good practice to include the absolute
+path in the command as the PATH may not be available to the
+server.
+
+Default: \fBdepends on the setting of \fIprinting
+\fB\fR
+Example: \fBqueuepause command = disable %p\fR
+.TP
+\fBqueueresume command (S)\fR
+This parameter specifies the command to be
+executed on the server host in order to resume the printerqueue. It
+is the command to undo the behavior that is caused by the
+previous parameter (\fI queuepause command\fR).
+
+This command should be a program or script which takes
+a printer name as its only parameter and resumes the printerqueue,
+such that queued jobs are resubmitted to the printer.
+
+This command is not supported by Windows for Workgroups,
+but can be issued from the Printer's window under Windows 95
+and NT.
+
+If a \fI%p\fR is given then the printername
+is put in its place. Otherwise it is placed at the end of the
+command.
+
+Note that it is good practice to include the absolute
+path in the command as the PATH may not be available to the
+server.
+
+Default: \fBdepends on the setting of \fIprinting\fB\fR
+
+Example: \fBqueuepause command = enable %p
+\fR.TP
+\fBread bmpx (G)\fR
+This boolean parameter controls whether smbd(8) <URL:smbd.8.html> will support the "Read
+Block Multiplex" SMB. This is now rarely used and defaults to
+no. You should never need to set this
+parameter.
+
+Default: \fBread bmpx = no\fR
+.TP
+\fBread list (S)\fR
+This is a list of users that are given read-only
+access to a service. If the connecting user is in this list then
+they will not be given write access, no matter what the \fIwriteable\fR
+option is set to. The list can include group names using the
+syntax described in the \fI invalid users\fR parameter.
+
+See also the \fI write list\fR parameter and the \fIinvalid users\fR
+parameter.
+
+Default: \fBread list = <empty string>\fR
+
+Example: \fBread list = mary, @students\fR
+.TP
+\fBread only (S)\fR
+Note that this is an inverted synonym for \fIwriteable\fR.
+.TP
+\fBread raw (G)\fR
+This parameter controls whether or not the server
+will support the raw read SMB requests when transferring data
+to clients.
+
+If enabled, raw reads allow reads of 65535 bytes in
+one packet. This typically provides a major performance benefit.
+
+However, some clients either negotiate the allowable
+block size incorrectly or are incapable of supporting larger block
+sizes, and for these clients you may need to disable raw reads.
+
+In general this parameter should be viewed as a system tuning
+tool and left severely alone. See also \fIwrite raw\fR.
+
+Default: \fBread raw = yes\fR
+.TP
+\fBread size (G)\fR
+The option \fIread size\fR
+affects the overlap of disk reads/writes with network reads/writes.
+If the amount of data being transferred in several of the SMB
+commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
+than this value then the server begins writing the data before it
+has received the whole packet from the network, or in the case of
+SMBreadbraw, it begins writing to the network before all the data
+has been read from disk.
+
+This overlapping works best when the speeds of disk and
+network access are similar, having very little effect when the
+speed of one is much greater than the other.
+
+The default value is 16384, but very little experimentation
+has been done yet to determine the optimal value, and it is likely
+that the best value will vary greatly between systems anyway.
+A value over 65536 is pointless and will cause you to allocate
+memory unnecessarily.
+
+Default: \fBread size = 16384\fR
+
+Example: \fBread size = 8192\fR
+.TP
+\fBremote announce (G)\fR
+This option allows you to setup nmbd(8) <URL:nmbd.8.html> to periodically announce itself
+to arbitrary IP addresses with an arbitrary workgroup name.
+
+This is useful if you want your Samba server to appear
+in a remote workgroup for which the normal browse propagation
+rules don't work. The remote workgroup can be anywhere that you
+can send IP packets to.
+
+For example:
+
+\fBremote announce = 192.168.2.255/SERVERS
+192.168.4.255/STAFF\fR
+
+the above line would cause nmbd to announce itself
+to the two given IP addresses using the given workgroup names.
+If you leave out the workgroup name then the one given in
+the \fIworkgroup\fR
+parameter is used instead.
+
+The IP addresses you choose would normally be the broadcast
+addresses of the remote networks, but can also be the IP addresses
+of known browse masters if your network config is that stable.
+
+See the documentation file \fIBROWSING.txt\fR
+in the \fIdocs/\fR directory.
+
+Default: \fBremote announce = <empty string>
+\fR.TP
+\fBremote browse sync (G)\fR
+This option allows you to setup nmbd(8) <URL:nmbd.8.html> to periodically request
+synchronization of browse lists with the master browser of a samba
+server that is on a remote segment. This option will allow you to
+gain browse lists for multiple workgroups across routed networks. This
+is done in a manner that does not work with any non-samba servers.
+
+This is useful if you want your Samba server and all local
+clients to appear in a remote workgroup for which the normal browse
+propagation rules don't work. The remote workgroup can be anywhere
+that you can send IP packets to.
+
+For example:
+
+\fBremote browse sync = 192.168.2.255 192.168.4.255
+\fR
+the above line would cause \fBnmbd\fR to request
+the master browser on the specified subnets or addresses to
+synchronize their browse lists with the local server.
+
+The IP addresses you choose would normally be the broadcast
+addresses of the remote networks, but can also be the IP addresses
+of known browse masters if your network config is that stable. If
+a machine IP address is given Samba makes NO attempt to validate
+that the remote machine is available, is listening, nor that it
+is in fact the browse master on it's segment.
+
+Default: \fBremote browse sync = <empty string>
+\fR.TP
+\fBrestrict anonymous (G)\fR
+This is a boolean parameter. If it is true, then
+anonymous access to the server will be restricted, namely in the
+case where the server is expecting the client to send a username,
+but it doesn't. Setting it to true will force these anonymous
+connections to be denied, and the client will be required to always
+supply a username and password when connecting. Use of this parameter
+is only recommened for homogenous NT client environments.
+This parameter makes the use of macro expansions that rely
+on the username (%U, %G, etc) consistant. NT 4.0
+likes to use anonymous connections when refreshing the share list,
+and this is a way to work around that.
- [foo]
- path = /home/bar
- writeable = true
+When restrict anonymous is true, all anonymous connections
+are denied no matter what they are for. This can effect the ability
+of a machine to access the samba Primary Domain Controller to revalidate
+it's machine account after someone else has logged on the client
+interactively. The NT client will display a message saying that
+the machine's account in the domain doesn't exist or the password is
+bad. The best way to deal with this is to reboot NT client machines
+between interactive logons, using "Shutdown and Restart", rather
+than "Close all programs and logon as a different user".
+Default: \fBrestrict anonymous = no\fR
+.TP
+\fBroot (G)\fR
+Synonym for \fIroot directory"\fR.
+.TP
+\fBroot dir (G)\fR
+Synonym for \fIroot directory"\fR.
+.TP
+\fBroot directory (G)\fR
+The server will \fBchroot()\fR (i.e.
+Change it's root directory) to this directory on startup. This is
+not strictly necessary for secure operation. Even without it the
+server will deny access to files not in one of the service entries.
+It may also check for, and deny access to, soft links to other
+parts of the filesystem, or attempts to use ".." in file names
+to access other directories (depending on the setting of the \fIwide links\fR
+parameter).
-.fi
-
+Adding a \fIroot directory\fR entry other
+than "/" adds an extra level of security, but at a price. It
+absolutely ensures that no access is given to files not in the
+sub-tree specified in the \fIroot directory\fR
+option, \fBincluding\fR some files needed for
+complete operation of the server. To maintain full operability
+of the server you will need to mirror some system files
+into the \fIroot directory\fR tree. In particular
+you will need to mirror \fI/etc/passwd\fR (or a
+subset of it), and any binaries or configuration files needed for
+printing (if required). The set of files that must be mirrored is
+operating system dependent.
-.PP
-The following sample section defines a printable share\&. The share
-is readonly, but printable\&. That is, the only write access permitted
-is via calls to open, write to and close a spool file\&. The
-\fB\'guest ok\'\fP parameter means access will be permitted
-as the default guest user (specified elsewhere):
-.PP
+Default: \fBroot directory = /\fR
-.nf
-
+Example: \fBroot directory = /homes/smb\fR
+.TP
+\fBroot postexec (S)\fR
+This is the same as the \fIpostexec\fR
+parameter except that the command is run as root. This
+is useful for unmounting filesystems
+(such as cdroms) after a connection is closed.
- [aprinter]
- path = /usr/spool/public
- writeable = false
- printable = true
- guest ok = true
+See also \fI postexec\fR.
+.TP
+\fBroot preexec (S)\fR
+This is the same as the \fIpreexec\fR
+parameter except that the command is run as root. This
+is useful for mounting filesystems
+(such as cdroms) after a connection is closed.
-.fi
-
+See also \fI preexec\fR and \fIpreexec close\fR.
+.TP
+\fBroot preexec close (S)\fR
+This is the same as the \fIpreexec close
+\fRparameter except that the command is run as root.
-.PP
-.SH "SPECIAL SECTIONS"
-.PP
-.IP
-.IP "\fBThe [global] section\fP"
-.IP
-Parameters in this section apply to the server as a whole, or are
-defaults for sections which do not specifically define certain
-items\&. See the notes under \fB\'PARAMETERS\'\fP for more
-information\&.
-.IP
-.IP "\fBThe [homes] section\fP"
-.IP
-If a section called \f(CW\'homes\'\fP is included in the configuration file,
-services connecting clients to their home directories can be created
-on the fly by the server\&.
-.IP
-When the connection request is made, the existing sections are
-scanned\&. If a match is found, it is used\&. If no match is found, the
-requested section name is treated as a user name and looked up in the
-local password file\&. If the name exists and the correct password has
-been given, a share is created by cloning the [homes] section\&.
-.IP
-Some modifications are then made to the newly created share:
-.IP
-.IP
-.IP o
-The share name is changed from \f(CW\'homes\'\fP to the located
-username
-.IP
-.IP o
-If no path was given, the path is set to the user\'s home
-directory\&.
-.IP
-.IP
-If you decide to use a \fBpath=\fP line in your [homes]
-section then you may find it useful to use the \fB%S\fP
-macro\&. For example :
-.IP
-\f(CWpath=/data/pchome/%S\fP
-.IP
-would be useful if you have different home directories for your PCs
-than for UNIX access\&.
-.IP
-This is a fast and simple way to give a large number of clients access
-to their home directories with a minimum of fuss\&.
-.IP
-A similar process occurs if the requested section name is \f(CW"homes"\fP,
-except that the share name is not changed to that of the requesting
-user\&. This method of using the [homes] section works well if different
-users share a client PC\&.
-.IP
-The [homes] section can specify all the parameters a normal service
-section can specify, though some make more sense than others\&. The
-following is a typical and suitable [homes] section:
-.IP
-
-.nf
-
+See also \fI preexec\fR and \fIpreexec close\fR.
+.TP
+\fBsecurity (G)\fR
+This option affects how clients respond to
+Samba and is one of the most important settings in the \fI smb.conf\fR file.
- [homes]
- writeable = yes
+The option sets the "security mode bit" in replies to
+protocol negotiations with smbd(8)
+ <URL:smbd.8.html> to turn share level security on or off. Clients decide
+based on this bit whether (and how) to transfer user and password
+information to the server.
-.fi
-
+The default is \fBsecurity = user\fR, as this is
+the most common setting needed when talking to Windows 98 and
+Windows NT.
-.IP
-An important point is that if guest access is specified in the [homes]
-section, all home directories will be visible to all clients
-\fBwithout a password\fP\&. In the very unlikely event that this is
-actually desirable, it would be wise to also specify \fBread only
-access\fP\&.
-.IP
-Note that the \fBbrowseable\fP flag for auto home
-directories will be inherited from the global browseable flag, not the
-[homes] browseable flag\&. This is useful as it means setting
-browseable=no in the [homes] section will hide the [homes] share but
-make any auto home directories visible\&.
-.IP
-.IP "\fBThe [printers] section\fP"
-.IP
-This section works like \fB[homes]\fP, but for printers\&.
-.IP
-If a \fB[printers]\fP section occurs in the configuration file, users are
-able to connect to any printer specified in the local host\'s printcap
-file\&.
-.IP
-When a connection request is made, the existing sections are
-scanned\&. If a match is found, it is used\&. If no match is found, but a
-\fB[homes]\fP section exists, it is used as described
-above\&. Otherwise, the requested section name is treated as a printer
-name and the appropriate printcap file is scanned to see if the
-requested section name is a valid printer share name\&. If a match is
-found, a new printer share is created by cloning the \fB[printers]\fP
-section\&.
-.IP
-A few modifications are then made to the newly created share:
-.IP
-.IP
-.IP o
-The share name is set to the located printer name
-.IP
-.IP o
-If no printer name was given, the printer name is set to the
-located printer name
-.IP
-.IP o
-If the share does not permit guest access and no username was
-given, the username is set to the located printer name\&.
-.IP
-.IP
-Note that the \fB[printers]\fP service MUST be printable - if you specify
-otherwise, the server will refuse to load the configuration file\&.
-.IP
-Typically the path specified would be that of a world-writeable spool
-directory with the sticky bit set on it\&. A typical \fB[printers]\fP entry
-would look like this:
-.IP
-
-.nf
-
+The alternatives are \fBsecurity = share\fR,
+\fBsecurity = server\fR or \fBsecurity=domain
+\fR\&.
- [printers]
- path = /usr/spool/public
- guest ok = yes
- printable = yes
+In versions of Samba prior to 2..0, the default was
+\fBsecurity = share\fR mainly because that was
+the only option at one stage.
-.fi
-
+There is a bug in WfWg that has relevance to this
+setting. When in user or server level security a WfWg client
+will totally ignore the password you type in the "connect
+drive" dialog box. This makes it very difficult (if not impossible)
+to connect to a Samba service as anyone except the user that
+you are logged into WfWg as.
-.IP
-All aliases given for a printer in the printcap file are legitimate
-printer names as far as the server is concerned\&. If your printing
-subsystem doesn\'t work like that, you will have to set up a
-pseudo-printcap\&. This is a file consisting of one or more lines like
-this:
-.IP
+If your PCs use usernames that are the same as their
+usernames on the UNIX machine then you will want to use
+\fBsecurity = user\fR. If you mostly use usernames
+that don't exist on the UNIX box then use \fBsecurity =
+share\fR.
-.nf
-
- alias|alias|alias|alias\&.\&.\&.
-.fi
-
+You should also use \fBsecurity = share\fR if you
+want to mainly setup shares without a password (guest shares). This
+is commonly used for a shared printer server. It is more difficult
+to setup guest shares with \fBsecurity = user\fR, see
+the \fImap to guest\fR
+parameter for details.
-.IP
-Each alias should be an acceptable printer name for your printing
-subsystem\&. In the \fB[global]\fP section, specify the new
-file as your printcap\&. The server will then only recognize names
-found in your pseudo-printcap, which of course can contain whatever
-aliases you like\&. The same technique could be used simply to limit
-access to a subset of your local printers\&.
-.IP
-An alias, by the way, is defined as any component of the first entry
-of a printcap record\&. Records are separated by newlines, components
-(if there are more than one) are separated by vertical bar symbols
-("|")\&.
-.IP
-NOTE: On SYSV systems which use lpstat to determine what printers are
-defined on the system you may be able to use \fB"printcap name =
-lpstat"\fP to automatically obtain a list of
-printers\&. See the \fB"printcap name"\fP option for
-more details\&.
-.IP
-.PP
-.SH "PARAMETERS"
-.PP
-Parameters define the specific attributes of sections\&.
-.PP
-Some parameters are specific to the \fB[global]\fP section
-(e\&.g\&., \fBsecurity\fP)\&. Some parameters are usable in
-all sections (e\&.g\&., \fBcreate mode\fP)\&. All others are
-permissible only in normal sections\&. For the purposes of the following
-descriptions the \fB[homes]\fP and
-\fB[printers]\fP sections will be considered normal\&.
-The letter \f(CW\'G\'\fP in parentheses indicates that a parameter is
-specific to the \fB[global]\fP section\&. The letter \f(CW\'S\'\fP
-indicates that a parameter can be specified in a service specific
-section\&. Note that all \f(CW\'S\'\fP parameters can also be specified in the
-\fB[global]\fP section - in which case they will define
-the default behavior for all services\&.
-.PP
-Parameters are arranged here in alphabetical order - this may not
-create best bedfellows, but at least you can find them! Where there
-are synonyms, the preferred synonym is described, others refer to the
-preferred synonym\&.
-.PP
-.SH "VARIABLE SUBSTITUTIONS"
-.PP
-Many of the strings that are settable in the config file can take
-substitutions\&. For example the option \fB\f(CW"path =
-/tmp/%u"\fP\fP would be interpreted as \f(CW"path = /tmp/john"\fP if
-the user connected with the username john\&.
-.PP
-These substitutions are mostly noted in the descriptions below, but
-there are some general substitutions which apply whenever they might
-be relevant\&. These are:
-.PP
-.IP
-.IP o
-\fB%S\fP = the name of the current service, if any\&.
-.IP
-.IP o
-\fB%P\fP = the root directory of the current service, if any\&.
-.IP
-.IP o
-\fB%u\fP = user name of the current service, if any\&.
-.IP
-.IP o
-\fB%g\fP = primary group name of \fB%u\fP\&.
-.IP
-.IP o
-\fB%U\fP = session user name (the user name that
-the client wanted, not necessarily the same as the one they got)\&.
-.IP
-.IP o
-\fB%G\fP = primary group name of \fB%U\fP\&.
-.IP
-.IP o
-\fB%H\fP = the home directory of the user given by \fB%u\fP\&.
-.IP
-.IP o
-\fB%v\fP = the Samba version\&.
-.IP
-.IP o
-\fB%h\fP = the internet hostname that Samba is running on\&.
-.IP
-.IP o
-\fB%m\fP = the NetBIOS name of the client machine (very useful)\&.
-.IP
-.IP o
-\fB%L\fP = the NetBIOS name of the server\&. This allows you to change your
-config based on what the client calls you\&. Your server can have a "dual
-personality"\&.
-.IP
-.IP o
-\fB%M\fP = the internet name of the client machine\&.
-.IP
-.IP o
-\fB%N\fP = the name of your NIS home directory server\&. This is
-obtained from your NIS auto\&.map entry\&. If you have not compiled Samba
-with the \fB--with-automount\fP option then this value will be the same
-as \fB%L\fP\&.
-.IP
-.IP o
-\fB%p\fP = the path of the service\'s home directory, obtained from your NIS
-auto\&.map entry\&. The NIS auto\&.map entry is split up as "%N:%p"\&.
-.IP
-.IP o
-\fB%R\fP = the selected protocol level after protocol
-negotiation\&. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1\&.
-.IP
-.IP o
-\fB%d\fP = The process id of the current server process\&.
-.IP
-.IP o
-\fB%a\fP = the architecture of the remote
-machine\&. Only some are recognized, and those may not be 100%
-reliable\&. It currently recognizes Samba, WfWg, WinNT and
-Win95\&. Anything else will be known as "UNKNOWN"\&. If it gets it wrong
-then sending a level 3 log to \fIsamba@samba\&.org\fP
-should allow it to be fixed\&.
-.IP
-.IP o
-\fB%I\fP = The IP address of the client machine\&.
-.IP
-.IP o
-\fB%T\fP = the current date and time\&.
-.IP
-.PP
-There are some quite creative things that can be done with these
-substitutions and other smb\&.conf options\&.
-.PP
-.SH "NAME MANGLING"
-.PP
-Samba supports \fI"name mangling"\fP so that DOS and Windows clients can
-use files that don\'t conform to the 8\&.3 format\&. It can also be set to
-adjust the case of 8\&.3 format filenames\&.
-.PP
-There are several options that control the way mangling is performed,
-and they are grouped here rather than listed separately\&. For the
-defaults look at the output of the testparm program\&.
-.PP
-All of these options can be set separately for each service (or
-globally, of course)\&.
-.PP
-The options are:
-.PP
-\fB"mangle case = yes/no"\fP controls if names that have characters that
-aren\'t of the "default" case are mangled\&. For example, if this is yes
-then a name like \f(CW"Mail"\fP would be mangled\&. Default \fIno\fP\&.
-.PP
-\fB"case sensitive = yes/no"\fP controls whether filenames are case
-sensitive\&. If they aren\'t then Samba must do a filename search and
-match on passed names\&. Default \fIno\fP\&.
-.PP
-\fB"default case = upper/lower"\fP controls what the default case is for new
-filenames\&. Default \fIlower\fP\&.
-.PP
-\fB"preserve case = yes/no"\fP controls if new files are created with the
-case that the client passes, or if they are forced to be the \f(CW"default"\fP
-case\&. Default \fIYes\fP\&.
-.PP
-.PP
-\fB"short preserve case = yes/no"\fP controls if new files which conform
-to 8\&.3 syntax, that is all in upper case and of suitable length, are
-created upper case, or if they are forced to be the \f(CW"default"\fP
-case\&. This option can be use with \fB"preserve case =
-yes"\fP to permit long filenames to retain their
-case, while short names are lowered\&. Default \fIYes\fP\&.
-.PP
-By default, Samba 2\&.0 has the same semantics as a Windows NT
-server, in that it is case insensitive but case preserving\&.
-.PP
-.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
-.PP
-There are a number of ways in which a user can connect to a
-service\&. The server follows the following steps in determining if it
-will allow a connection to a specified service\&. If all the steps fail
-then the connection request is rejected\&. If one of the steps pass then
-the following steps are not checked\&.
-.PP
-If the service is marked \fB"guest only = yes"\fP then
-steps 1 to 5 are skipped\&.
-.PP
-.IP
-.IP 1\&.
-Step 1: If the client has passed a username/password pair and
-that username/password pair is validated by the UNIX system\'s password
-programs then the connection is made as that username\&. Note that this
-includes the \f(CW\e\eserver\eservice%username\fP method of passing a
-username\&.
-.IP
-.IP 2\&.
-Step 2: If the client has previously registered a username with
-the system and now supplies a correct password for that username then
-the connection is allowed\&.
-.IP
-.IP 3\&.
-Step 3: The client\'s netbios name and any previously used user
-names are checked against the supplied password, if they match then
-the connection is allowed as the corresponding user\&.
-.IP
-.IP 4\&.
-Step 4: If the client has previously validated a
-username/password pair with the server and the client has passed the
-validation token then that username is used\&.
-.IP
-.IP 5\&.
-Step 5: If a \fB"user = "\fP field is given in the
-smb\&.conf file for the service and the client has supplied a password,
-and that password matches (according to the UNIX system\'s password
-checking) with one of the usernames from the \fBuser=\fP
-field then the connection is made as the username in the
-\fB"user="\fP line\&. If one of the username in the
-\fBuser=\fP list begins with a \f(CW\'@\'\fP then that name
-expands to a list of names in the group of the same name\&.
-.IP
-.IP 6\&.
-Step 6: If the service is a guest service then a connection is
-made as the username given in the \fB"guest account
-="\fP for the service, irrespective of the supplied
-password\&.
-.IP
-.PP
-.SH "COMPLETE LIST OF GLOBAL PARAMETERS"
-.PP
-Here is a list of all global parameters\&. See the section of each
-parameter for details\&. Note that some are synonyms\&.
-.PP
-.IP
-.IP o
-\fBadd user script\fP
-.IP
-.IP o
-\fBallow trusted domains\fP
-.IP
-.IP o
-\fBannounce as\fP
-.IP
-.IP o
-\fBannounce version\fP
-.IP
-.IP o
-\fBauto services\fP
-.IP
-.IP o
-\fBbind interfaces only\fP
-.IP
-.IP o
-\fBbrowse list\fP
-.IP
-.IP o
-\fBchange notify timeout\fP
-.IP
-.IP o
-\fBcharacter set\fP
-.IP
-.IP o
-\fBclient code page\fP
-.IP
-.IP o
-\fBcoding system\fP
-.IP
-.IP o
-\fBconfig file\fP
-.IP
-.IP o
-\fBdeadtime\fP
-.IP
-.IP o
-\fBdebug hires timestamp\fP
-.IP
-.IP o
-\fBdebug pid\fP
-.IP
-.IP o
-\fBdebug timestamp\fP
-.IP
-.IP o
-\fBdebug uid\fP
-.IP
-.IP o
-\fBdebug level\fP
-.IP
-.IP o
-\fBdefault\fP
-.IP
-.IP o
-\fBdefault service\fP
-.IP
-.IP o
-\fBdelete user script\fP
-.IP
-.IP o
-\fBdfree command\fP
-.IP
-.IP o
-\fBdns proxy\fP
-.IP
-.IP o
-\fBdomain admin group\fP
-.IP
-.IP o
-\fBdomain admin users\fP
-.IP
-.IP o
-\fBdomain groups\fP
-.IP
-.IP o
-\fBdomain guest group\fP
-.IP
-.IP o
-\fBdomain guest users\fP
-.IP
-.IP o
-\fBdomain logons\fP
-.IP
-.IP o
-\fBdomain master\fP
-.IP
-.IP o
-\fBencrypt passwords\fP
-.IP
-.IP o
-\fBgetwd cache\fP
-.IP
-.IP o
-\fBhide local users\fP
-.IP
-.IP o
-\fBhomedir map\fP
-.IP
-.IP o
-\fBhosts equiv\fP
-.IP
-.IP o
-\fBinterfaces\fP
-.IP
-.IP o
-\fBkeepalive\fP
-.IP
-.IP o
-\fBkernel oplocks\fP
-.IP
-.IP o
-\fBldap filter\fP
-.IP
-.IP o
-\fBldap port\fP
-.IP
-.IP o
-\fBldap root\fP
-.IP
-.IP o
-\fBldap root passwd\fP
-.IP
-.IP o
-\fBldap server\fP
-.IP
-.IP o
-\fBldap suffix\fP
-.IP
-.IP o
-\fBlm announce\fP
-.IP
-.IP o
-\fBlm interval\fP
-.IP
-.IP o
-\fBload printers\fP
-.IP
-.IP o
-\fBlocal master\fP
-.IP
-.IP o
-\fBlock dir\fP
-.IP
-.IP o
-\fBlock directory\fP
-.IP
-.IP o
-\fBlog file\fP
-.IP
-.IP o
-\fBlog level\fP
-.IP
-.IP o
-\fBlogon drive\fP
-.IP
-.IP o
-\fBlogon home\fP
-.IP
-.IP o
-\fBlogon path\fP
-.IP
-.IP o
-\fBlogon script\fP
-.IP
-.IP o
-\fBlpq cache time\fP
-.IP
-.IP o
-\fBmachine password timeout\fP
-.IP
-.IP o
-\fBmangled stack\fP
-.IP
-.IP o
-\fBmap to guest\fP
-.IP
-.IP o
-\fBmax disk size\fP
-.IP
-.IP o
-\fBmax log size\fP
-.IP
-.IP o
-\fBmax mux\fP
-.IP
-.IP o
-\fBmax open files\fP
-.IP
-.IP o
-\fBmax packet\fP
-.IP
-.IP o
-\fBmax ttl\fP
-.IP
-.IP o
-\fBmax wins ttl\fP
-.IP
-.IP o
-\fBmax xmit\fP
-.IP
-.IP o
-\fBmessage command\fP
-.IP
-.IP o
-\fBmin passwd length\fP
-.IP
-.IP o
-\fBmin password length\fP
-.IP
-.IP o
-\fBmin wins ttl\fP
-.IP
-.IP o
-\fBname resolve order\fP
-.IP
-.IP o
-\fBnetbios aliases\fP
-.IP
-.IP o
-\fBnetbios name\fP
-.IP
-.IP o
-\fBnetbios scope\fP
-.IP
-.IP o
-\fBnis homedir\fP
-.IP
-.IP o
-\fBnt acl support\fP
-.IP
-.IP o
-\fBnt pipe support\fP
-.IP
-.IP o
-\fBnt smb support\fP
-.IP
-.IP o
-\fBnull passwords\fP
-.IP
-.IP o
-\fBole locking compatibility\fP
-.IP
-.IP o
-\fBoplock break wait time\fP
-.IP
-.IP o
-\fBos level\fP
-.IP
-.IP o
-\fBpacket size\fP
-.IP
-.IP o
-\fBpanic action\fP
-.IP
-.IP o
-\fBpasswd chat\fP
-.IP
-.IP o
-\fBpasswd chat debug\fP
-.IP
-.IP o
-\fBpasswd program\fP
-.IP
-.IP o
-\fBpassword level\fP
-.IP
-.IP o
-\fBpassword server\fP
-.IP
-.IP o
-\fBprefered master\fP
-.IP
-.IP o
-\fBpreferred master\fP
-.IP
-.IP o
-\fBpreload\fP
-.IP
-.IP o
-\fBprintcap\fP
-.IP
-.IP o
-\fBprintcap name\fP
-.IP
-.IP o
-\fBprinter driver file\fP
-.IP
-.IP o
-\fBprivate dir\fP
-.IP
-.IP o
-\fBprotocol\fP
-.IP
-.IP o
-\fBread bmpx\fP
-.IP
-.IP o
-\fBread prediction\fP
-.IP
-.IP o
-\fBread raw\fP
-.IP
-.IP o
-\fBread size\fP
-.IP
-.IP o
-\fBremote announce\fP
-.IP
-.IP o
-\fBremote browse sync\fP
-.IP
-.IP o
-\fBrestrict anonymous\fP
-.IP
-.IP o
-\fBroot\fP
-.IP
-.IP o
-\fBroot dir\fP
-.IP
-.IP o
-\fBroot directory\fP
-.IP
-.IP o
-\fBsecurity\fP
-.IP
-.IP o
-\fBserver string\fP
-.IP
-.IP o
-\fBshared mem size\fP
-.IP
-.IP o
-\fBsmb passwd file\fP
-.IP
-.IP o
-\fBsmbrun\fP
-.IP
-.IP o
-\fBsocket address\fP
-.IP
-.IP o
-\fBsocket options\fP
-.IP
-.IP o
-\fBsource environment\fP
-.IP
-.IP o
-\fBssl\fP
-.IP
-.IP o
-\fBssl CA certDir\fP
-.IP
-.IP o
-\fBssl CA certFile\fP
-.IP
-.IP o
-\fBssl ciphers\fP
-.IP
-.IP o
-\fBssl client cert\fP
-.IP
-.IP o
-\fBssl client key\fP
-.IP
-.IP o
-\fBssl compatibility\fP
-.IP
-.IP o
-\fBssl hosts\fP
-.IP
-.IP o
-\fBssl hosts resign\fP
-.IP
-.IP o
-\fBssl require clientcert\fP
-.IP
-.IP o
-\fBssl require servercert\fP
-.IP
-.IP o
-\fBssl server cert\fP
-.IP
-.IP o
-\fBssl server key\fP
-.IP
-.IP o
-\fBssl version\fP
-.IP
-.IP o
-\fBstat cache\fP
-.IP
-.IP o
-\fBstat cache size\fP
-.IP
-.IP o
-\fBstrip dot\fP
-.IP
-.IP o
-\fBsyslog\fP
-.IP
-.IP o
-\fBsyslog only\fP
-.IP
-.IP o
-\fBtemplate homedir\fP
-.IP
-.IP o
-\fBtemplate shell\fP
-.IP
-.IP o
-\fBtime offset\fP
-.IP
-.IP o
-\fBtime server\fP
-.IP
-.IP o
-\fBtimestamp logs\fP
-.IP
-.IP o
-\fBunix password sync\fP
-.IP
-.IP o
-\fBunix realname\fP
-.IP
-.IP o
-\fBupdate encrypted\fP
-.IP
-.IP o
-\fBuse rhosts\fP
-.IP
-.IP o
-\fBusername level\fP
-.IP
-.IP o
-\fBusername map\fP
-.IP
-.IP o
-\fButmp directory\fP
-.IP
-.IP o
-\fBvalid chars\fP
-.IP
-.IP o
-\fBwinbind cache time\fP
-.IP
-.IP o
-\fBwinbind gid\fP
-.IP
-.IP o
-\fBwinbind uid\fP
-.IP
-.IP o
-\fBwins hook\fP
-.IP
-.IP o
-\fBwins proxy\fP
-.IP
-.IP o
-\fBwins server\fP
-.IP
-.IP o
-\fBwins support\fP
-.IP
-.IP o
-\fBworkgroup\fP
-.IP
-.IP o
-\fBwrite raw\fP
-.IP
-.PP
-.SH "COMPLETE LIST OF SERVICE PARAMETERS"
-.PP
-Here is a list of all service parameters\&. See the section of each
-parameter for details\&. Note that some are synonyms\&.
-.PP
-.IP
-.IP o
-\fBadmin users\fP
-.IP
-.IP o
-\fBallow hosts\fP
-.IP
-.IP o
-\fBalternate permissions\fP
-.IP
-.IP o
-\fBavailable\fP
-.IP
-.IP o
-\fBblocking locks\fP
-.IP
-.IP o
-\fBbrowsable\fP
-.IP
-.IP o
-\fBbrowseable\fP
-.IP
-.IP o
-\fBcase sensitive\fP
-.IP
-.IP o
-\fBcasesignames\fP
-.IP
-.IP o
-\fBcomment\fP
-.IP
-.IP o
-\fBcopy\fP
-.IP
-.IP o
-\fBcreate mask\fP
-.IP
-.IP o
-\fBcreate mode\fP
-.IP
-.IP o
-\fBdefault case\fP
-.IP
-.IP o
-\fBdelete readonly\fP
-.IP
-.IP o
-\fBdelete veto files\fP
-.IP
-.IP o
-\fBdeny hosts\fP
-.IP
-.IP o
-\fBdirectory\fP
-.IP
-.IP o
-\fBdirectory mask\fP
-.IP
-.IP o
-\fBdirectory mode\fP
-.IP
-.IP o
-\fBdirectory security mask\fP
-.IP
-.IP o
-\fBdont descend\fP
-.IP
-.IP o
-\fBdos filetime resolution\fP
-.IP
-.IP o
-\fBdos filetimes\fP
-.IP
-.IP o
-\fBexec\fP
-.IP
-.IP o
-\fBfake directory create times\fP
-.IP
-.IP o
-\fBfake oplocks\fP
-.IP
-.IP o
-\fBfollow symlinks\fP
-.IP
-.IP o
-\fBforce create mode\fP
-.IP
-.IP o
-\fBforce directory mode\fP
-.IP
-.IP o
-\fBforce directory security mode\fP
-.IP
-.IP o
-\fBforce group\fP
-.IP
-.IP o
-\fBforce security mode\fP
-.IP
-.IP o
-\fBforce user\fP
-.IP
-.IP o
-\fBfstype\fP
-.IP
-.IP o
-\fBgroup\fP
-.IP
-.IP o
-\fBguest account\fP
-.IP
-.IP o
-\fBguest ok\fP
-.IP
-.IP o
-\fBguest only\fP
-.IP
-.IP o
-\fBhide dot files\fP
-.IP
-.IP o
-\fBhide files\fP
-.IP
-.IP o
-\fBhosts allow\fP
-.IP
-.IP o
-\fBhosts deny\fP
-.IP
-.IP o
-\fBinclude\fP
-.IP
-.IP o
-\fBinherit permissions\fP
-.IP
-.IP o
-\fBinvalid users\fP
-.IP
-.IP o
-\fBlevel2 oplocks\fP
-.IP
-.IP o
-\fBlocking\fP
-.IP
-.IP o
-\fBlppause command\fP
-.IP
-.IP o
-\fBlpq command\fP
-.IP
-.IP o
-\fBlpresume command\fP
-.IP
-.IP o
-\fBlprm command\fP
-.IP
-.IP o
-\fBmagic output\fP
-.IP
-.IP o
-\fBmagic script\fP
-.IP
-.IP o
-\fBmangle case\fP
-.IP
-.IP o
-\fBmangle locks\fP
-.IP
-.IP o
-\fBmangled map\fP
-.IP
-.IP o
-\fBmangled names\fP
-.IP
-.IP o
-\fBmangling char\fP
-.IP
-.IP o
-\fBmap archive\fP
-.IP
-.IP o
-\fBmap hidden\fP
-.IP
-.IP o
-\fBmap system\fP
-.IP
-.IP o
-\fBmax connections\fP
-.IP
-.IP o
-\fBmin print space\fP
-.IP
-.IP o
-\fBonly guest\fP
-.IP
-.IP o
-\fBonly user\fP
-.IP
-.IP o
-\fBoplock contention limit\fP
-.IP
-.IP o
-\fBoplocks\fP
-.IP
-.IP o
-\fBpath\fP
-.IP
-.IP o
-\fBpostexec\fP
-.IP
-.IP o
-\fBpostscript\fP
-.IP
-.IP o
-\fBpreexec\fP
-.IP
-.IP o
-\fBpreexec close\fP
-.IP
-.IP o
-\fBpreserve case\fP
-.IP
-.IP o
-\fBprint command\fP
-.IP
-.IP o
-\fBprint ok\fP
-.IP
-.IP o
-\fBprintable\fP
-.IP
-.IP o
-\fBprinter\fP
-.IP
-.IP o
-\fBprinter admin\fP
-.IP
-.IP o
-\fBprinter driver\fP
-.IP
-.IP o
-\fBprinter driver location\fP
-.IP
-.IP o
-\fBprinter name\fP
-.IP
-.IP o
-\fBprinting\fP
-.IP
-.IP o
-\fBpublic\fP
-.IP
-.IP o
-\fBqueuepause command\fP
-.IP
-.IP o
-\fBqueueresume command\fP
-.IP
-.IP o
-\fBread list\fP
-.IP
-.IP o
-\fBread only\fP
-.IP
-.IP o
-\fBroot postexec\fP
-.IP
-.IP o
-\fBroot preexec\fP
-.IP
-.IP o
-\fBroot preexec close\fP
-.IP
-.IP o
-\fBsecurity mask\fP
-.IP
-.IP o
-\fBset directory\fP
-.IP
-.IP o
-\fBshare modes\fP
-.IP
-.IP o
-\fBshort preserve case\fP
-.IP
-.IP o
-\fBstatus\fP
-.IP
-.IP o
-\fBstrict locking\fP
-.IP
-.IP o
-\fBstrict sync\fP
-.IP
-.IP o
-\fBsync always\fP
-.IP
-.IP o
-\fBuser\fP
-.IP
-.IP o
-\fBusername\fP
-.IP
-.IP o
-\fBusers\fP
-.IP
-.IP o
-\fButmp\fP
-.IP
-.IP o
-\fBvalid users\fP
-.IP
-.IP o
-\fBveto files\fP
-.IP
-.IP o
-\fBveto oplock files\fP
-.IP
-.IP o
-\fBvolume\fP
-.IP
-.IP o
-\fBwide links\fP
-.IP
-.IP o
-\fBwritable\fP
-.IP
-.IP o
-\fBwrite cache size\fP
-.IP
-.IP o
-\fBwrite list\fP
-.IP
-.IP o
-\fBwrite ok\fP
-.IP
-.IP o
-\fBwriteable\fP
-.IP
-.PP
-.SH "EXPLANATION OF EACH PARAMETER"
-.PP
-.IP
-.IP "\fBadd user script (G)\fP"
-.IP
-This is the full pathname to a script that will be run \fIAS ROOT\fP by
-\fBsmbd (8)\fP under special circumstances decribed
-below\&.
-.IP
-Normally, a Samba server requires that UNIX users are created for all
-users accessing files on this server\&. For sites that use Windows NT
-account databases as their primary user database creating these users
-and keeping the user list in sync with the Windows NT PDC is an
-onerous task\&. This option allows \fBsmbd\fP to create
-the required UNIX users \fION DEMAND\fP when a user accesses the Samba
-server\&.
-.IP
-In order to use this option, \fBsmbd\fP must be set to
-\fBsecurity=server\fP or
-\fBsecurity=domain\fP and \fB"add user script"\fP
-must be set to a full pathname for a script that will create a UNIX user
-given one argument of \fB%u\fP, which expands into the UNIX user name to
-create\&.
-.IP
-When the Windows user attempts to access the Samba server, at
-\fI"login"\fP(session setup in the SMB protocol) time,
-\fBsmbd\fP contacts the \fBpassword
-server\fP and attempts to authenticate the given user
-with the given password\&. If the authentication succeeds then
-\fBsmbd\fP attempts to find a UNIX user in the UNIX
-password database to map the Windows user into\&. If this lookup fails,
-and \fB"add user script"\fP is set then \fBsmbd\fP will
-call the specified script \fIAS ROOT\fP, expanding any \fB%u\fP argument
-to be the user name to create\&.
-.IP
-If this script successfully creates the user then
-\fBsmbd\fP will continue on as though the UNIX user
-already existed\&. In this way, UNIX users are dynamically created to
-match existing Windows NT accounts\&.
-.IP
-See also \fBsecurity=server\fP,
-\fBsecurity=domain\fP, \fBpassword
-server\fP, \fBdelete user
-script\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW add user script = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW add user script = /usr/local/samba/bin/add_user %u\fP
-.IP
-.IP "\fBadmin users (S)\fP"
-.IP
-This is a list of users who will be granted administrative privileges
-on the share\&. This means that they will do all file operations as the
-super-user (root)\&.
-.IP
-You should use this option very carefully, as any user in this list
-will be able to do anything they like on the share, irrespective of
-file permissions\&.
-.IP
-\fBDefault:\fP
-.br
-\f(CW no admin users\fP
-.IP
-\fBExample:\fP
-.br
-\f(CW admin users = jason\fP
-.IP
-.IP "\fBallow hosts (S)\fP"
-.IP
-Synonym for \fBhosts allow\fP\&.
-.IP
-.IP "\fBallow trusted domains (G)\fP"
-.IP
-This option only takes effect when the \fBsecurity\fP
-option is set to \fBserver\fP or \fBdomain\fP\&. If it is set to no,
-then attempts to connect to a resource from a domain or workgroup other than
-the one which smbd is running in will fail, even if that domain
-is trusted by the remote server doing the authentication\&.
-.IP
-This is useful if you only want your Samba server to serve resources
-to users in the domain it is a member of\&. As an example, suppose that there are
-two domains DOMA and DOMB\&. DOMB is trusted by DOMA, which contains
-the Samba server\&. Under normal circumstances, a user with an account
-in DOMB can then access the resources of a UNIX account with the same
-account name on the Samba server even if they do not have an account
-in DOMA\&. This can make implementing a security boundary difficult\&.
-.IP
-\fBDefault:\fP
-\f(CW allow trusted domains = Yes\fP
-.IP
-\fBExample:\fP
-\f(CW allow trusted domains = No\fP
-.IP
-.IP "\fBalternate permissions (S)\fP"
-.IP
-This is a deprecated parameter\&. It no longer has any effect in Samba2\&.0\&.
-In previous versions of Samba it affected the way the DOS "read only"
-attribute was mapped for a file\&. In Samba2\&.0 a file is marked "read only"
-if the UNIX file does not have the \'w\' bit set for the owner of the file,
-regardless if the owner of the file is the currently logged on user or not\&.
-.IP
-.IP "\fBannounce as (G)\fP"
-.IP
-This specifies what type of server \fBnmbd\fP will
-announce itself as, to a network neighborhood browse list\&. By default
-this is set to Windows NT\&. The valid options are : "NT", which is a
-synonym for "NT Server", "NT Server", "NT Workstation", "Win95" or
-"WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95
-and Windows for Workgroups respectively\&. Do not change this parameter
-unless you have a specific need to stop Samba appearing as an NT server
-as this may prevent Samba servers from participating as browser servers correctly\&.
-.IP
-\fBDefault:\fP
-\f(CW announce as = NT Server\fP
-.IP
-\fBExample\fP
-\f(CW announce as = Win95\fP
-.IP
-.IP "\fBannounce version (G)\fP"
-.IP
-This specifies the major and minor version numbers that nmbd will use
-when announcing itself as a server\&. The default is 4\&.2\&. Do not change
-this parameter unless you have a specific need to set a Samba server
-to be a downlevel server\&.
-.IP
-\fBDefault:\fP
-\f(CW announce version = 4\&.2\fP
-.IP
-\fBExample:\fP
-\f(CW announce version = 2\&.0\fP
-.IP
-.IP "\fBauto services (G)\fP"
-.IP
-This is a list of services that you want to be automatically added to
-the browse lists\&. This is most useful for homes and printers services
-that would otherwise not be visible\&.
-.IP
-Note that if you just want all printers in your printcap file loaded
-then the \fB"load printers"\fP option is easier\&.
-.IP
-\fBDefault:\fP
-\f(CW no auto services\fP
-.IP
-\fBExample:\fP
-\f(CW auto services = fred lp colorlp\fP
-.IP
-.IP "\fBavailable (S)\fP"
-.IP
-This parameter lets you \fI\'turn off\'\fP a service\&. If \f(CW\'available = no\'\fP,
-then \fIALL\fP attempts to connect to the service will fail\&. Such failures
-are logged\&.
-.IP
-\fBDefault:\fP
-\f(CW available = yes\fP
-.IP
-\fBExample:\fP
-\f(CW available = no\fP
-.IP
-.IP "\fBbind interfaces only (G)\fP"
-.IP
-This global parameter allows the Samba admin to limit what interfaces
-on a machine will serve smb requests\&. If affects file service
-\fBsmbd\fP and name service \fBnmbd\fP
-in slightly different ways\&.
-.IP
-For name service it causes \fBnmbd\fP to bind to ports
-137 and 138 on the interfaces listed in the
-\fB\'interfaces\'\fP
-parameter\&. \fBnmbd\fP also binds to the \'all
-addresses\' interface (0\&.0\&.0\&.0) on ports 137 and 138 for the purposes
-of reading broadcast messages\&. If this option is not set then
-\fBnmbd\fP will service name requests on all of these
-sockets\&. If \fB"bind interfaces only"\fP is set then
-\fBnmbd\fP will check the source address of any
-packets coming in on the broadcast sockets and discard any that don\'t
-match the broadcast addresses of the interfaces in the
-\fB\'interfaces\'\fP parameter list\&. As unicast packets
-are received on the other sockets it allows \fBnmbd\fP
-to refuse to serve names to machines that send packets that arrive
-through any interfaces not listed in the
-\fB"interfaces"\fP list\&. IP Source address spoofing
-does defeat this simple check, however so it must not be used
-seriously as a security feature for \fBnmbd\fP\&.
-.IP
-For file service it causes \fBsmbd\fP to bind only to
-the interface list given in the \fB\'interfaces\'\fP
-parameter\&. This restricts the networks that \fBsmbd\fP
-will serve to packets coming in those interfaces\&. Note that you
-should not use this parameter for machines that are serving PPP or
-other intermittent or non-broadcast network interfaces as it will not
-cope with non-permanent interfaces\&.
-.IP
-If \fB"bind interfaces only"\fP is set then unless the network address
-\fI127\&.0\&.0\&.1\fP is added to the \fB\'interfaces\'\fP parameter
-list \fBsmbpasswd\fP and
-\fBswat\fP may not work as expected due to the
-reasons covered below\&.
-.IP
-To change a users SMB password, the \fBsmbpasswd\fP
-by default connects to the \fI"localhost" - 127\&.0\&.0\&.1\fP address as an SMB
-client to issue the password change request\&. If \fB"bind interfaces only"\fP
-is set then unless the network address \fI127\&.0\&.0\&.1\fP is added to the
-\fB\'interfaces\'\fP parameter list then
-\fBsmbpasswd\fP will fail to connect in it\'s
-default mode\&. \fBsmbpasswd\fP can be forced to
-use the primary IP interface of the local host by using its
-\fB"-r remote machine"\fP parameter, with
-\fB"remote machine"\fP set to the IP name of the primary interface
-of the local host\&.
-.IP
-The \fBswat\fP status page tries to connect with
-\fBsmbd\fP and \fBnmbd\fP at the address
-\fI127\&.0\&.0\&.1\fP to determine if they are running\&. Not adding \fI127\&.0\&.0\&.1\fP will cause
-\fBsmbd\fP and \fBnmbd\fP to always show
-"not running" even if they really are\&. This can prevent
-\fBswat\fP from starting/stopping/restarting
-\fBsmbd\fP and \fBnmbd\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW bind interfaces only = False\fP
-.IP
-\fBExample:\fP
-\f(CW bind interfaces only = True\fP
-.IP
-.IP "\fBblocking locks (S)\fP"
-.IP
-This parameter controls the behavior of \fBsmbd\fP when
-given a request by a client to obtain a byte range lock on a region
-of an open file, and the request has a time limit associated with it\&.
-.IP
-If this parameter is set and the lock range requested cannot be
-immediately satisfied, Samba 2\&.0 will internally queue the lock
-request, and periodically attempt to obtain the lock until the
-timeout period expires\&.
-.IP
-If this parameter is set to "False", then Samba 2\&.0 will behave
-as previous versions of Samba would and will fail the lock
-request immediately if the lock range cannot be obtained\&.
-.IP
-This parameter can be set per share\&.
-.IP
-\fBDefault:\fP
-\f(CW blocking locks = True\fP
-.IP
-\fBExample:\fP
-\f(CW blocking locks = False\fP
-.IP
-.IP "\fBbrowsable (S)\fP"
-.IP
-Synonym for \fBbrowseable\fP\&.
-.IP
-.IP "\fBbrowse list(G)\fP"
-.IP
-This controls whether \fBsmbd\fP will serve a browse
-list to a client doing a NetServerEnum call\&. Normally set to true\&. You
-should never need to change this\&.
-.IP
-\fBDefault:\fP
-\f(CW browse list = Yes\fP
-.IP
-.IP "\fBbrowseable\fP"
-.IP
-This controls whether this share is seen in the list of available
-shares in a net view and in the browse list\&.
-.IP
-\fBDefault:\fP
-\f(CW browseable = Yes\fP
-.IP
-\fBExample:\fP
-\f(CW browseable = No\fP
-.IP
-.IP "\fBcase sensitive (S)\fP"
-.IP
-See the discussion in the section \fBNAME MANGLING\fP\&.
-.IP
-.IP "\fBcasesignames (S)\fP"
-.IP
-Synonym for \fB"case sensitive"\fP\&.
-.IP
-.IP "\fBchange notify timeout (G)\fP"
-.IP
-One of the new NT SMB requests that Samba 2\&.0 supports is the
-"ChangeNotify" requests\&. This SMB allows a client to tell a server to
-\fI"watch"\fP a particular directory for any changes and only reply to
-the SMB request when a change has occurred\&. Such constant scanning of
-a directory is expensive under UNIX, hence an
-\fBsmbd\fP daemon only performs such a scan on each
-requested directory once every \fBchange notify timeout\fP seconds\&.
-.IP
-\fBchange notify timeout\fP is specified in units of seconds\&.
-.IP
-\fBDefault:\fP
-\f(CW change notify timeout = 60\fP
-.IP
-\fBExample:\fP
-\f(CW change notify timeout = 300\fP
-.IP
-Would change the scan time to every 5 minutes\&.
-.IP
-.IP "\fBcharacter set (G)\fP"
-.IP
-This allows a smbd to map incoming filenames from a DOS Code page (see
-the \fBclient code page\fP parameter) to several
-built in UNIX character sets\&. The built in code page translations are:
-.IP
-.IP
-.IP o
-\fBISO8859-1\fP Western European UNIX character set\&. The parameter
-\fBclient code page\fP \fIMUST\fP be set to code
-page 850 if the \fBcharacter set\fP parameter is set to iso8859-1
-in order for the conversion to the UNIX character set to be done
-correctly\&.
-.IP
-.IP o
-\fBISO8859-2\fP Eastern European UNIX character set\&. The parameter
-\fBclient code page\fP \fIMUST\fP be set to code
-page 852 if the \fBcharacter set\fP parameter is set to ISO8859-2
-in order for the conversion to the UNIX character set to be done
-correctly\&.
-.IP
-.IP o
-\fBISO8859-5\fP Russian Cyrillic UNIX character set\&. The parameter
-\fBclient code page\fP \fIMUST\fP be set to code
-page 866 if the \fBcharacter set\fP parameter is set to ISO8859-5
-in order for the conversion to the UNIX character set to be done
-correctly\&.
-.IP
-.IP o
-\fBISO8859-7\fP Greek UNIX character set\&. The parameter
-\fBclient code page\fP \fIMUST\fP be set to code
-page 737 if the \fBcharacter set\fP parameter is set to ISO8859-7
-in order for the conversion to the UNIX character set to be done
-correctly\&.
-.IP
-.IP o
-\fBKOI8-R\fP Alternate mapping for Russian Cyrillic UNIX
-character set\&. The parameter \fBclient code
-page\fP \fIMUST\fP be set to code page 866 if the
-\fBcharacter set\fP parameter is set to KOI8-R in order for the
-conversion to the UNIX character set to be done correctly\&.
-.IP
-.IP
-\fIBUG\fP\&. These MSDOS code page to UNIX character set mappings should
-be dynamic, like the loading of MS DOS code pages, not static\&.
-.IP
-See also \fBclient code page\fP\&. Normally this
-parameter is not set, meaning no filename translation is done\&.
-.IP
-\fBDefault:\fP
-\f(CW character set = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW character set = ISO8859-1\fP
-.IP
-.IP "\fBclient code page (G)\fP"
-.IP
-This parameter specifies the DOS code page that the clients accessing
-Samba are using\&. To determine what code page a Windows or DOS client
-is using, open a DOS command prompt and type the command "chcp"\&. This
-will output the code page\&. The default for USA MS-DOS, Windows 95, and
-Windows NT releases is code page 437\&. The default for western european
-releases of the above operating systems is code page 850\&.
-.IP
-This parameter tells \fBsmbd\fP which of the
-\f(CWcodepage\&.XXX\fP files to dynamically load on startup\&. These files,
-described more fully in the manual page \fBmake_smbcodepage
-(1)\fP, tell \fBsmbd\fP how
-to map lower to upper case characters to provide the case insensitivity
-of filenames that Windows clients expect\&.
-.IP
-Samba currently ships with the following code page files :
-.IP
-.IP
-.IP o
-\fBCode Page 437 - MS-DOS Latin US\fP
-.IP
-.IP o
-\fBCode Page 737 - Windows \'95 Greek\fP
-.IP
-.IP o
-\fBCode Page 850 - MS-DOS Latin 1\fP
-.IP
-.IP o
-\fBCode Page 852 - MS-DOS Latin 2\fP
-.IP
-.IP o
-\fBCode Page 861 - MS-DOS Icelandic\fP
-.IP
-.IP o
-\fBCode Page 866 - MS-DOS Cyrillic\fP
-.IP
-.IP o
-\fBCode Page 932 - MS-DOS Japanese SJIS\fP
-.IP
-.IP o
-\fBCode Page 936 - MS-DOS Simplified Chinese\fP
-.IP
-.IP o
-\fBCode Page 949 - MS-DOS Korean Hangul\fP
-.IP
-.IP o
-\fBCode Page 950 - MS-DOS Traditional Chinese\fP
-.IP
-.IP
-Thus this parameter may have any of the values 437, 737, 850, 852,
-861, 932, 936, 949, or 950\&. If you don\'t find the codepage you need,
-read the comments in one of the other codepage files and the
-\fBmake_smbcodepage (1)\fP man page and
-write one\&. Please remember to donate it back to the Samba user
-community\&.
-.IP
-This parameter co-operates with the \fB"valid
-chars"\fP parameter in determining what characters are
-valid in filenames and how capitalization is done\&. If you set both
-this parameter and the \fB"valid chars"\fP parameter
-the \fB"client code page"\fP parameter \fIMUST\fP be set before the
-\fB"valid chars"\fP parameter in the \fBsmb\&.conf\fP
-file\&. The \fB"valid chars"\fP string will then augment
-the character settings in the "client code page" parameter\&.
-.IP
-If not set, \fB"client code page"\fP defaults to 850\&.
-.IP
-See also : \fB"valid chars"\fP
-.IP
-\fBDefault:\fP
-\f(CW client code page = 850\fP
-.IP
-\fBExample:\fP
-\f(CW client code page = 936\fP
-.IP
-.IP "\fBcodingsystem (G)\fP"
-.IP
-This parameter is used to determine how incoming Shift-JIS Japanese
-characters are mapped from the incoming \fB"client code
-page"\fP used by the client, into file names in the
-UNIX filesystem\&. Only useful if \fB"client code
-page"\fP is set to 932 (Japanese Shift-JIS)\&.
-.IP
-The options are :
-.IP
-.IP
-.IP o
-\fBSJIS\fP Shift-JIS\&. Does no conversion of the incoming filename\&.
-.IP
-.IP o
-\fBJIS8, J8BB, J8BH, J8@B, J8@J, J8@H \fP Convert from incoming
-Shift-JIS to eight bit JIS code with different shift-in, shift out
-codes\&.
-.IP
-.IP o
-\fBJIS7, J7BB, J7BH, J7@B, J7@J, J7@H \fP Convert from incoming
-Shift-JIS to seven bit JIS code with different shift-in, shift out
-codes\&.
-.IP
-.IP o
-\fBJUNET, JUBB, JUBH, JU@B, JU@J, JU@H \fP Convert from incoming
-Shift-JIS to JUNET code with different shift-in, shift out codes\&.
-.IP
-.IP o
-\fBEUC\fP Convert an incoming Shift-JIS character to EUC code\&.
-.IP
-.IP o
-\fBHEX\fP Convert an incoming Shift-JIS character to a 3 byte hex
-representation, i\&.e\&. \f(CW:AB\fP\&.
-.IP
-.IP o
-\fBCAP\fP Convert an incoming Shift-JIS character to the 3 byte hex
-representation used by the Columbia AppleTalk Program (CAP),
-i\&.e\&. \f(CW:AB\fP\&. This is used for compatibility between Samba and CAP\&.
-.IP
-.IP
-.IP "\fBcomment (S)\fP"
-.IP
-This is a text field that is seen next to a share when a client does a
-queries the server, either via the network neighborhood or via "net
-view" to list what shares are available\&.
-.IP
-If you want to set the string that is displayed next to the machine
-name then see the server string command\&.
-.IP
-\fBDefault:\fP
-\f(CW No comment string\fP
-.IP
-\fBExample:\fP
-\f(CW comment = Fred\'s Files\fP
-.IP
-.IP "\fBconfig file (G)\fP"
-.IP
-This allows you to override the config file to use, instead of the
-default (usually \fBsmb\&.conf\fP)\&. There is a chicken and egg problem
-here as this option is set in the config file!
-.IP
-For this reason, if the name of the config file has changed when the
-parameters are loaded then it will reload them from the new config
-file\&.
-.IP
-This option takes the usual substitutions, which can be very useful\&.
-.IP
-If the config file doesn\'t exist then it won\'t be loaded (allowing you
-to special case the config files of just a few clients)\&.
-.IP
-\fBExample:\fP
-\f(CW config file = /usr/local/samba/lib/smb\&.conf\&.%m\fP
-.IP
-.IP "\fBcopy (S)\fP"
-.IP
-This parameter allows you to \fI\'clone\'\fP service entries\&. The specified
-service is simply duplicated under the current service\'s name\&. Any
-parameters specified in the current section will override those in the
-section being copied\&.
-.IP
-This feature lets you set up a \'template\' service and create similar
-services easily\&. Note that the service being copied must occur earlier
-in the configuration file than the service doing the copying\&.
-.IP
-\fBDefault:\fP
-\f(CW none\fP
-.IP
-\fBExample:\fP
-\f(CW copy = otherservice\fP
-.IP
-.IP "\fBcreate mask (S)\fP"
-.IP
-A synonym for this parameter is \fB\'create mode\'\fP\&.
-.IP
-When a file is created, the necessary permissions are calculated
-according to the mapping from DOS modes to UNIX permissions, and the
-resulting UNIX mode is then bit-wise \'AND\'ed with this parameter\&.
-This parameter may be thought of as a bit-wise MASK for the UNIX modes
-of a file\&. Any bit \fI*not*\fP set here will be removed from the modes set
-on a file when it is created\&.
-.IP
-The default value of this parameter removes the \'group\' and \'other\'
-write and execute bits from the UNIX modes\&.
-.IP
-Following this Samba will bit-wise \'OR\' the UNIX mode created from
-this parameter with the value of the "force create mode" parameter
-which is set to 000 by default\&.
-.IP
-This parameter does not affect directory modes\&. See the parameter
-\fB\'directory mode\'\fP for details\&.
-.IP
-See also the \fB"force create mode"\fP parameter
-for forcing particular mode bits to be set on created files\&. See also
-the \fB"directory mode"\fP parameter for masking
-mode bits on created directories\&.
-See also the \fB"inherit permissions"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW create mask = 0744\fP
-.IP
-\fBExample:\fP
-\f(CW create mask = 0775\fP
-.IP
-.IP "\fBcreate mode (S)\fP"
-.IP
-This is a synonym for \fBcreate mask\fP\&.
-.IP
-.IP "\fBdeadtime (G)\fP"
-.IP
-The value of the parameter (a decimal integer) represents the number
-of minutes of inactivity before a connection is considered dead, and
-it is disconnected\&. The deadtime only takes effect if the number of
-open files is zero\&.
-.IP
-This is useful to stop a server\'s resources being exhausted by a large
-number of inactive connections\&.
-.IP
-Most clients have an auto-reconnect feature when a connection is
-broken so in most cases this parameter should be transparent to users\&.
-.IP
-Using this parameter with a timeout of a few minutes is recommended
-for most systems\&.
-.IP
-A deadtime of zero indicates that no auto-disconnection should be
-performed\&.
-.IP
-\fBDefault:\fP
-\f(CW deadtime = 0\fP
-.IP
-\fBExample:\fP
-\f(CW deadtime = 15\fP
-.IP
-.IP "\fBdebug hires timestamp (G)\fP"
-.IP
-Sometimes the timestamps in the log messages are needed with a
-resolution of higher that seconds, this boolean parameter adds
-microsecond resolution to the timestamp message header when turned on\&.
-.IP
-Note that the parameter \fBdebug timestamp\fP
-must be on for this to have an effect\&.
-.IP
-\fBDefault:\fP
-\f(CW debug hires timestamp = No\fP
-.IP
-\fBExample:\fP
-\f(CW debug hires timestamp = Yes\fP
-.IP
-.IP "\fBdebug timestamp (G)\fP"
-.IP
-Samba2\&.0 debug log messages are timestamped by default\&. If you are
-running at a high \fB"debug level"\fP these timestamps
-can be distracting\&. This boolean parameter allows timestamping to be turned
-off\&.
-.IP
-\fBDefault:\fP
-\f(CW debug timestamp = Yes\fP
-.IP
-\fBExample:\fP
-\f(CW debug timestamp = No\fP
-.IP
-.IP "\fBdebug pid (G)\fP"
-.IP
-When using only one log file for more then one forked smbd-process
-there may be hard to follow which process outputs which message\&.
-This boolean parameter is adds the process-id to the timestamp message
-headers in the logfile when turned on\&.
-.IP
-Note that the parameter \fBdebug timestamp\fP
-must be on for this to have an effect\&.
-.IP
-\fBDefault:\fP
-\f(CW debug pid = No\fP
-.IP
-\fBExample:\fP
-\f(CW debug pid = Yes\fP
-.IP
-.IP "\fBdebug uid (G)\fP"
-.IP
-Samba is sometimes run as root and sometime run as the connected
-user, this boolean parameter inserts the current euid, egid, uid
-and gid to the timestamp message headers in the log file if turned on\&.
-.IP
-Note that the parameter \fBdebug timestamp\fP
-must be on for this to have an effect\&.
-.IP
-\fBDefault:\fP
-\f(CW debug uid = No\fP
-.IP
-\fBExample:\fP
-\f(CW debug uid = Yes\fP
-.IP
-.IP "\fBdebug level (G)\fP"
-.IP
-The value of the parameter (an integer) allows the debug level
-(logging level) to be specified in the \fBsmb\&.conf\fP file\&. This is to
-give greater flexibility in the configuration of the system\&.
-.IP
-The default will be the debug level specified on the command line
-or level zero if none was specified\&.
-.IP
-\fBExample:\fP
-\f(CW debug level = 3\fP
-.IP
-.IP "\fBdefault (G)\fP"
-.IP
-A synonym for \fBdefault service\fP\&.
-.IP
-.IP "\fBdefault case (S)\fP"
-.IP
-See the section on \fB"NAME MANGLING"\fP\&. Also note
-the \fB"short preserve case"\fP parameter\&.
-.IP
-.IP "\fBdefault service (G)\fP"
-.IP
-This parameter specifies the name of a service which will be connected
-to if the service actually requested cannot be found\&. Note that the
-square brackets are \fINOT\fP given in the parameter value (see example
-below)\&.
-.IP
-There is no default value for this parameter\&. If this parameter is not
-given, attempting to connect to a nonexistent service results in an
-error\&.
-.IP
-Typically the default service would be a \fBguest ok\fP,
-\fBread-only\fP service\&.
-.IP
-Also note that the apparent service name will be changed to equal that
-of the requested service, this is very useful as it allows you to use
-macros like \fB%S\fP to make a wildcard service\&.
-.IP
-Note also that any \f(CW\'_\'\fP characters in the name of the service used
-in the default service will get mapped to a \f(CW\'/\'\fP\&. This allows for
-interesting things\&.
-.IP
-\fBExample:\fP
-
-.nf
-
+It is possible to use \fBsmbd\fR in a \fB hybrid mode\fR where it is offers both user and share
+level security under different \fINetBIOS aliases\fR.
- default service = pub
-
- [pub]
- path = /%S
+The different settings will now be explained.
-.fi
-
+\fBSECURITY = SHARE
+\fR
+When clients connect to a share level security server then
+need not log onto the server with a valid username and password before
+attempting to connect to a shared resource (although modern clients
+such as Windows 95/98 and Windows NT will send a logon request with
+a username but no password when talking to a \fBsecurity = share
+\fRserver). Instead, the clients send authentication information
+(passwords) on a per-share basis, at the time they attempt to connect
+to that share.
-.IP
-.IP "\fBdelete user script (G)\fP"
-.IP
-This is the full pathname to a script that will be run \fIAS ROOT\fP by
-\fBsmbd (8)\fP under special circumstances decribed
-below\&.
-.IP
-Normally, a Samba server requires that UNIX users are created for all
-users accessing files on this server\&. For sites that use Windows NT
-account databases as their primary user database creating these users
-and keeping the user list in sync with the Windows NT PDC is an
-onerous task\&. This option allows \fBsmbd\fP to delete
-the required UNIX users \fION DEMAND\fP when a user accesses the Samba
-server and the Windows NT user no longer exists\&.
-.IP
-In order to use this option, \fBsmbd\fP must be set to
-\fBsecurity=domain\fP and \fB"delete user
-script"\fP must be set to a full pathname for a script that will delete
-a UNIX user given one argument of \fB%u\fP, which expands into the UNIX
-user name to delete\&. \fINOTE\fP that this is different to the
-\fBadd user script\fP which will work with the
-\fBsecurity=server\fP option as well as
-\fBsecurity=domain\fP\&. The reason for this
-is only when Samba is a domain member does it get the information
-on an attempted user logon that a user no longer exists\&. In the
-\fBsecurity=server\fP mode a missing user
-is treated the same as an invalid password logon attempt\&. Deleting
-the user in this circumstance would not be a good idea\&.
-.IP
-When the Windows user attempts to access the Samba server, at
-\fI"login"\fP(session setup in the SMB protocol) time,
-\fBsmbd\fP contacts the \fBpassword
-server\fP and attempts to authenticate the given user
-with the given password\&. If the authentication fails with the specific
-Domain error code meaning that the user no longer exists then
-\fBsmbd\fP attempts to find a UNIX user in the UNIX
-password database that matches the Windows user account\&. If this lookup succeeds,
-and \fB"delete user script"\fP is set then \fBsmbd\fP will
-call the specified script \fIAS ROOT\fP, expanding any \fB%u\fP argument
-to be the user name to delete\&.
-.IP
-This script should delete the given UNIX username\&. In this way, UNIX
-users are dynamically deleted to match existing Windows NT accounts\&.
-.IP
-See also \fBsecurity=domain\fP,
-\fBpassword server\fP, \fBadd user
-script\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW delete user script = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW delete user script = /usr/local/samba/bin/del_user %u\fP
-.IP
-.IP "\fBdelete readonly (S)\fP"
-.IP
-This parameter allows readonly files to be deleted\&. This is not
-normal DOS semantics, but is allowed by UNIX\&.
-.IP
-This option may be useful for running applications such as rcs, where
-UNIX file ownership prevents changing file permissions, and DOS
-semantics prevent deletion of a read only file\&.
-.IP
-\fBDefault:\fP
-\f(CW delete readonly = No\fP
-.IP
-\fBExample:\fP
-\f(CW delete readonly = Yes\fP
-.IP
-.IP "\fBdelete veto files (S)\fP"
-.IP
-This option is used when Samba is attempting to delete a directory
-that contains one or more vetoed directories (see the \fB\'veto
-files\'\fP option)\&. If this option is set to False (the
-default) then if a vetoed directory contains any non-vetoed files or
-directories then the directory delete will fail\&. This is usually what
-you want\&.
-.IP
-If this option is set to True, then Samba will attempt to recursively
-delete any files and directories within the vetoed directory\&. This can
-be useful for integration with file serving systems such as \fBNetAtalk\fP,
-which create meta-files within directories you might normally veto
-DOS/Windows users from seeing (e\&.g\&. \f(CW\&.AppleDouble\fP)
-.IP
-Setting \f(CW\'delete veto files = True\'\fP allows these directories to be
-transparently deleted when the parent directory is deleted (so long
-as the user has permissions to do so)\&.
-.IP
-See also the \fBveto files\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW delete veto files = False\fP
-.IP
-\fBExample:\fP
-\f(CW delete veto files = True\fP
-.IP
-.IP "\fBdeny hosts (S)\fP"
-.IP
-Synonym for \fBhosts deny\fP\&.
-.IP
-.IP "\fBdfree command (G)\fP"
-.IP
-The dfree command setting should only be used on systems where a
-problem occurs with the internal disk space calculations\&. This has
-been known to happen with Ultrix, but may occur with other operating
-systems\&. The symptom that was seen was an error of "Abort Retry
-Ignore" at the end of each directory listing\&.
-.IP
-This setting allows the replacement of the internal routines to
-calculate the total disk space and amount available with an external
-routine\&. The example below gives a possible script that might fulfill
-this function\&.
-.IP
-The external program will be passed a single parameter indicating a
-directory in the filesystem being queried\&. This will typically consist
-of the string \f(CW"\&./"\fP\&. The script should return two integers in
-ascii\&. The first should be the total disk space in blocks, and the
-second should be the number of available blocks\&. An optional third
-return value can give the block size in bytes\&. The default blocksize
-is 1024 bytes\&.
-.IP
-Note: Your script should \fINOT\fP be setuid or setgid and should be
-owned by (and writeable only by) root!
-.IP
-\fBDefault:\fP
-\f(CW By default internal routines for determining the disk capacity
-and remaining space will be used\&.\fP
-.IP
-\fBExample:\fP
-\f(CW dfree command = /usr/local/samba/bin/dfree\fP
-.IP
-Where the script dfree (which must be made executable) could be:
-.IP
+Note that \fBsmbd\fR \fBALWAYS\fR
+uses a valid UNIX user to act on behalf of the client, even in
+\fBsecurity = share\fR level security.
-.nf
-
+As clients are not required to send a username to the server
+in share level security, \fBsmbd\fR uses several
+techniques to determine the correct UNIX user to use on behalf
+of the client.
- #!/bin/sh
- df $1 | tail -1 | awk \'{print $2" "$4}\'
+A list of possible UNIX usernames to match with the given
+client password is constructed using the following methods :
+.RS
+.TP 0.2i
+\(bu
+If the \fIguest
+only\fR parameter is set, then all the other
+stages are missed and only the \fIguest account\fR username is checked.
+.TP 0.2i
+\(bu
+Is a username is sent with the share connection
+request, then this username (after mapping - see \fIusername map\fR),
+is added as a potential username.
+.TP 0.2i
+\(bu
+If the client did a previous \fBlogon
+\fRrequest (the SessionSetup SMB call) then the
+username sent in this SMB will be added as a potential username.
+.TP 0.2i
+\(bu
+The name of the service the client requested is
+added as a potential username.
+.TP 0.2i
+\(bu
+The NetBIOS name of the client is added to
+the list as a potential username.
+.TP 0.2i
+\(bu
+Any users on the \fI user\fR list are added as potential usernames.
+.RE
+.PP
+If the \fIguest only\fR parameter is
+not set, then this list is then tried with the supplied password.
+The first user for whom the password matches will be used as the
+UNIX user.
+.PP
+.PP
+If the \fIguest only\fR parameter is
+set, or no username can be determined then if the share is marked
+as available to the \fIguest account\fR, then this
+guest user will be used, otherwise access is denied.
+.PP
+.PP
+Note that it can be \fBvery\fR confusing
+in share-level security as to which UNIX username will eventually
+be used in granting access.
+.PP
+.PP
+See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
+.PP
+.PP
+\fBSECURIYT = USER
+\fR.PP
+.PP
+This is the default security setting in Samba 2.2.
+With user-level security a client must first "log=on" with a
+valid username and password (which can be mapped using the \fIusername map\fR
+parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also
+be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and
+may change the UNIX user to use on this connection, but only after
+the user has been successfully authenticated.
+.PP
+.PP
+\fBNote\fR that the name of the resource being
+requested is \fBnot\fR sent to the server until after
+the server has successfully authenticated the client. This is why
+guest shares don't work in user level security without allowing
+the server to automatically map unknown users into the \fIguest account\fR.
+See the \fImap to guest\fR
+parameter for details on doing this.
+.PP
+.PP
+See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
+.PP
+.PP
+\fBSECURITY = SERVER
+\fR.PP
+.PP
+In this mode Samba will try to validate the username/password
+by passing it to another SMB server, such as an NT box. If this
+fails it will revert to \fBsecurity = user\fR, but note
+that if encrypted passwords have been negotiated then Samba cannot
+revert back to checking the UNIX password file, it must have a valid
+\fIsmbpasswd\fR file to check users against. See the
+documentation file in the \fIdocs/\fR directory
+\fIENCRYPTION.txt\fR for details on how to set this
+up.
+.PP
+.PP
+\fBNote\fR that from the clients point of
+view \fBsecurity = server\fR is the same as \fB security = user\fR. It only affects how the server deals
+with the authentication, it does not in any way affect what the
+client sees.
+.PP
+.PP
+\fBNote\fR that the name of the resource being
+requested is \fBnot\fR sent to the server until after
+the server has successfully authenticated the client. This is why
+guest shares don't work in user level security without allowing
+the server to automatically map unknown users into the \fIguest account\fR.
+See the \fImap to guest\fR
+parameter for details on doing this.
+.PP
+.PP
+See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
+.PP
+.PP
+See also the \fIpassword
+server\fR parameter and the \fIencrypted passwords\fR
+parameter.
+.PP
+.PP
+\fBSECURITY = DOMAIN
+\fR.PP
+.PP
+This mode will only work correctly if smbpasswd(8) <URL:smbpasswd.8.html> has been used to add this
+machine into a Windows NT Domain. It expects the \fIencrypted passwords\fR
+parameter to be set to true. In this
+mode Samba will try to validate the username/password by passing
+it to a Windows NT Primary or Backup Domain Controller, in exactly
+the same way that a Windows NT Server would do.
+.PP
+.PP
+\fBNote\fR that a valid UNIX user must still
+exist as well as the account on the Domain Controller to allow
+Samba to have a valid UNIX account to map file access to.
+.PP
+.PP
+\fBNote\fR that from the clients point
+of view \fBsecurity = domain\fR is the same as \fBsecurity = user
+\fR\&. It only affects how the server deals with the authentication,
+it does not in any way affect what the client sees.
+.PP
+.PP
+\fBNote\fR that the name of the resource being
+requested is \fBnot\fR sent to the server until after
+the server has successfully authenticated the client. This is why
+guest shares don't work in user level security without allowing
+the server to automatically map unknown users into the \fIguest account\fR.
+See the \fImap to guest\fR
+parameter for details on doing this.
+.PP
+.PP
+\fBBUG:\fR There is currently a bug in the
+implementation of \fBsecurity = domain\fR with respect
+to multi-byte character set usernames. The communication with a
+Domain Controller must be done in UNICODE and Samba currently
+does not widen multi-byte user names to UNICODE correctly, thus
+a multi-byte username will not be recognized correctly at the
+Domain Controller. This issue will be addressed in a future release.
+.PP
+.PP
+See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
+.PP
+.PP
+See also the \fIpassword
+server\fR parameter and the \fIencrypted passwords\fR
+parameter.
+.PP
+.PP
+Default: \fBsecurity = USER\fR
+.PP
+.PP
+Example: \fBsecurity = DOMAIN\fR
+.PP
+.TP
+\fBsecurity mask (S)\fR
+This parameter controls what UNIX permission
+bits can be modified when a Windows NT client is manipulating
+the UNIX permission on a file using the native NT security
+dialog box.
-.fi
-
+This parameter is applied as a mask (AND'ed with) to
+the changed permission bits, thus preventing any bits not in
+this mask from being modified. Essentially, zero bits in this
+mask may be treated as a set of bits the user is not allowed
+to change.
-.IP
-or perhaps (on Sys V based systems):
-.IP
+If not set explicitly this parameter is set to the same
+value as the \fIcreate mask
+\fRparameter. To allow a user to modify all the
+user/group/world permissions on a file, set this parameter to
+0777.
-.nf
-
+\fBNote\fR that users who can access the
+Samba server through other means can easily bypass this
+restriction, so it is primarily useful for standalone
+"appliance" systems. Administrators of most normal systems will
+probably want to set it to 0777.
- #!/bin/sh
- /usr/bin/df -k $1 | tail -1 | awk \'{print $3" "$5}\'
+See also the \fIforce directory security mode\fR,
+\fIdirectory
+security mask\fR, \fIforce security mode\fR parameters.
-.fi
-
+Default: \fBsecurity mask = <same as create mask>
+\fR
+Example: \fBsecurity mask = 0777\fR
+.TP
+\fBserver string (G)\fR
+This controls what string will show up in the
+printer comment box in print manager and next to the IPC connection
+in \fBnet view"\fR. It can be any string that you wish
+to show to your users.
-.IP
-Note that you may have to replace the command names with full
-path names on some systems\&.
-.IP
-.IP "\fBdirectory (S)\fP"
-.IP
-Synonym for \fBpath\fP\&.
-.IP
-.IP "\fBdirectory mask (S)\fP"
-.IP
-This parameter is the octal modes which are used when converting DOS
-modes to UNIX modes when creating UNIX directories\&.
-.IP
-When a directory is created, the necessary permissions are calculated
-according to the mapping from DOS modes to UNIX permissions, and the
-resulting UNIX mode is then bit-wise \'AND\'ed with this parameter\&.
-This parameter may be thought of as a bit-wise MASK for the UNIX modes
-of a directory\&. Any bit \fI*not*\fP set here will be removed from the
-modes set on a directory when it is created\&.
-.IP
-The default value of this parameter removes the \'group\' and \'other\'
-write bits from the UNIX mode, allowing only the user who owns the
-directory to modify it\&.
-.IP
-Following this Samba will bit-wise \'OR\' the UNIX mode created from
-this parameter with the value of the "force directory mode"
-parameter\&. This parameter is set to 000 by default (i\&.e\&. no extra mode
-bits are added)\&.
-.IP
-See the \fB"force directory mode"\fP parameter
-to cause particular mode bits to always be set on created directories\&.
-.IP
-See also the \fB"create mode"\fP parameter for masking
-mode bits on created files, and the \fB"directory security mask"\fP
-parameter\&.
-.IP
-See also the \fB"inherit permissions"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW directory mask = 0755\fP
-.IP
-\fBExample:\fP
-\f(CW directory mask = 0775\fP
-.IP
-.IP "\fBdirectory mode (S)\fP"
-.IP
-Synonym for \fBdirectory mask\fP\&.
-.IP
-.IP "\fBdirectory security mask (S)\fP"
-.IP
-This parameter controls what UNIX permission bits can be modified
-when a Windows NT client is manipulating the UNIX permission on a
-directory using the native NT security dialog box\&.
-.IP
-This parameter is applied as a mask (AND\'ed with) to the changed
-permission bits, thus preventing any bits not in this mask from
-being modified\&. Essentially, zero bits in this mask may be treated
-as a set of bits the user is not allowed to change\&.
-.IP
-If not set explicitly this parameter is set to the same value as the
-\fBdirectory mask\fP parameter\&. To allow a user to
-modify all the user/group/world permissions on a directory, set this
-parameter to 0777\&.
-.IP
-\fINote\fP that users who can access the Samba server through other
-means can easily bypass this restriction, so it is primarily
-useful for standalone "appliance" systems\&. Administrators of
-most normal systems will probably want to set it to 0777\&.
-.IP
-See also the \fBforce directory security
-mode\fP, \fBsecurity
-mask\fP, \fBforce security mode\fP
-parameters\&.
-.IP
-\fBDefault:\fP
-\f(CW directory security mask = <same as directory mask>\fP
-.IP
-\fBExample:\fP
-\f(CW directory security mask = 0777\fP
-.IP
-.IP "\fBdns proxy (G)\fP"
-.IP
-Specifies that \fBnmbd\fP when acting as a WINS
-server and finding that a NetBIOS name has not been registered, should
-treat the NetBIOS name word-for-word as a DNS name and do a lookup
-with the DNS server for that name on behalf of the name-querying
-client\&.
-.IP
-Note that the maximum length for a NetBIOS name is 15 characters, so
-the DNS name (or DNS alias) can likewise only be 15 characters,
-maximum\&.
-.IP
-\fBnmbd\fP spawns a second copy of itself to do the
-DNS name lookup requests, as doing a name lookup is a blocking action\&.
-.IP
-See also the parameter \fBwins support\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW dns proxy = yes\fP
-.IP
-\fBdomain admin group (G)\fP
-.IP
-This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It may be removed in a later release\&.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by visiting the web page at
-http://lists\&.samba\&.org/
-.IP
-.IP "\fBdomain admin users (G)\fP"
-.IP
-This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It may be removed in a later release\&.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by visiting the web page at
-http://lists\&.samba\&.org/
-.IP
-.IP "\fBdomain groups (G)\fP"
-.IP
-This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It may be removed in a later release\&.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by visiting the web page at
-http://lists\&.samba\&.org/
-.IP
-.IP "\fBdomain guest group (G)\fP"
-.IP
-This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It may be removed in a later release\&.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by visiting the web page at
-http://lists\&.samba\&.org/
-.IP
-.IP "\fBdomain guest users (G)\fP"
-.IP
-This is an \fBEXPERIMENTAL\fP parameter that is part of the unfinished
-Samba NT Domain Controller Code\&. It may be removed in a later release\&.
-To work with the latest code builds that may have more support for
-Samba NT Domain Controller functionality please subscribe to the
-mailing list \fBSamba-ntdom\fP available by visiting the web page at
-http://lists\&.samba\&.org/
-.IP
-.IP "\fBdomain logons (G)\fP"
-.IP
-If set to true, the Samba server will serve Windows 95/98 Domain
-logons for the \fBworkgroup\fP it is in\&. For more
-details on setting up this feature see the file DOMAINS\&.txt in the
-Samba documentation directory \f(CWdocs/\fP shipped with the source code\&.
-.IP
-Note that Win95/98 Domain logons are \fINOT\fP the same as Windows
-NT Domain logons\&. NT Domain logons require a Primary Domain Controller
-(PDC) for the Domain\&. It is intended that in a future release Samba
-will be able to provide this functionality for Windows NT clients
-also\&.
-.IP
-\fBDefault:\fP
-\f(CW domain logons = no\fP
-.IP
-.IP "\fBdomain master (G)\fP"
-.IP
-Tell \fBnmbd\fP to enable WAN-wide browse list
-collation\&. Setting this option causes \fBnmbd\fP to
-claim a special domain specific NetBIOS name that identifies it as a
-domain master browser for its given
-\fBworkgroup\fP\&. Local master browsers in the same
-\fBworkgroup\fP on broadcast-isolated subnets will give
-this \fBnmbd\fP their local browse lists, and then
-ask \fBsmbd\fP for a complete copy of the browse list
-for the whole wide area network\&. Browser clients will then contact
-their local master browser, and will receive the domain-wide browse
-list, instead of just the list for their broadcast-isolated subnet\&.
-.IP
-Note that Windows NT Primary Domain Controllers expect to be able to
-claim this \fBworkgroup\fP specific special NetBIOS
-name that identifies them as domain master browsers for that
-\fBworkgroup\fP by default (i\&.e\&. there is no way to
-prevent a Windows NT PDC from attempting to do this)\&. This means that
-if this parameter is set and \fBnmbd\fP claims the
-special name for a \fBworkgroup\fP before a Windows NT
-PDC is able to do so then cross subnet browsing will behave strangely
-and may fail\&.
-.IP
-\fBDefault:\fP
-\f(CW domain master = no\fP
-.IP
-.IP "\fBdont descend (S)\fP"
-.IP
-There are certain directories on some systems (e\&.g\&., the \f(CW/proc\fP tree
-under Linux) that are either not of interest to clients or are
-infinitely deep (recursive)\&. This parameter allows you to specify a
-comma-delimited list of directories that the server should always show
-as empty\&.
-.IP
-Note that Samba can be very fussy about the exact format of the "dont
-descend" entries\&. For example you may need \f(CW"\&./proc"\fP instead of
-just \f(CW"/proc"\fP\&. Experimentation is the best policy :-)
-.IP
-\fBDefault:\fP
-\f(CW none (i\&.e\&., all directories are OK to descend)\fP
-.IP
-\fBExample:\fP
-\f(CW dont descend = /proc,/dev\fP
-.IP
-.IP "\fBdos filetime resolution (S)\fP"
-.IP
-Under the DOS and Windows FAT filesystem, the finest granularity on
-time resolution is two seconds\&. Setting this parameter for a share
-causes Samba to round the reported time down to the nearest two second
-boundary when a query call that requires one second resolution is made
-to \fBsmbd\fP\&.
-.IP
-This option is mainly used as a compatibility option for Visual C++
-when used against Samba shares\&. If oplocks are enabled on a share,
-Visual C++ uses two different time reading calls to check if a file
-has changed since it was last read\&. One of these calls uses a
-one-second granularity, the other uses a two second granularity\&. As
-the two second call rounds any odd second down, then if the file has a
-timestamp of an odd number of seconds then the two timestamps will not
-match and Visual C++ will keep reporting the file has changed\&. Setting
-this option causes the two timestamps to match, and Visual C++ is
-happy\&.
-.IP
-\fBDefault:\fP
-\f(CW dos filetime resolution = False\fP
-.IP
-\fBExample:\fP
-\f(CW dos filetime resolution = True\fP
-.IP
-.IP "\fBdos filetimes (S)\fP"
-.IP
-Under DOS and Windows, if a user can write to a file they can change
-the timestamp on it\&. Under POSIX semantics, only the owner of the file
-or root may change the timestamp\&. By default, Samba runs with POSIX
-semantics and refuses to change the timestamp on a file if the user
-smbd is acting on behalf of is not the file owner\&. Setting this option
-to True allows DOS semantics and smbd will change the file timestamp as
-DOS requires\&.
-.IP
-\fBDefault:\fP
-\f(CW dos filetimes = False\fP
-.IP
-\fBExample:\fP
-\f(CW dos filetimes = True\fP
-.IP
-.IP "\fBencrypt passwords (G)\fP"
-.IP
-This boolean controls whether encrypted passwords will be negotiated
-with the client\&. Note that Windows NT 4\&.0 SP3 and above and also
-Windows 98 will by default expect encrypted passwords unless a
-registry entry is changed\&. To use encrypted passwords in Samba see the
-file ENCRYPTION\&.txt in the Samba documentation directory \f(CWdocs/\fP
-shipped with the source code\&.
-.IP
-In order for encrypted passwords to work correctly
-\fBsmbd\fP must either have access to a local
-\fBsmbpasswd (5)\fP file (see the
-\fBsmbpasswd (8)\fP program for information on
-how to set up and maintain this file), or set the
-\fBsecurity=\fP parameter to either
-\fB"server"\fP or
-\fB"domain"\fP which causes
-\fBsmbd\fP to authenticate against another server\&.
-.IP
-.IP "\fBexec (S)\fP"
-.IP
-This is a synonym for \fBpreexec\fP\&.
-.IP
-.IP "\fBfake directory create times (S)\fP"
-.IP
-NTFS and Windows VFAT file systems keep a create time for all files
-and directories\&. This is not the same as the ctime - status change
-time - that Unix keeps, so Samba by default reports the earliest of
-the various times Unix does keep\&. Setting this parameter for a share
-causes Samba to always report midnight 1-1-1980 as the create time for
-directories\&.
-.IP
-This option is mainly used as a compatibility option for Visual C++
-when used against Samba shares\&. Visual C++ generated makefiles have
-the object directory as a dependency for each object file, and a make
-rule to create the directory\&. Also, when NMAKE compares timestamps it
-uses the creation time when examining a directory\&. Thus the object
-directory will be created if it does not exist, but once it does exist
-it will always have an earlier timestamp than the object files it
-contains\&.
-.IP
-However, Unix time semantics mean that the create time reported by
-Samba will be updated whenever a file is created or deleted in the
-directory\&. NMAKE therefore finds all object files in the object
-directory bar the last one built are out of date compared to the
-directory and rebuilds them\&. Enabling this option ensures directories
-always predate their contents and an NMAKE build will proceed as
-expected\&.
-.IP
-\fBDefault:\fP
-\f(CW fake directory create times = False\fP
-.IP
-\fBExample:\fP
-\f(CW fake directory create times = True\fP
-.IP
-.IP "\fBfake oplocks (S)\fP"
-.IP
-Oplocks are the way that SMB clients get permission from a server to
-locally cache file operations\&. If a server grants an oplock
-(opportunistic lock) then the client is free to assume that it is the
-only one accessing the file and it will aggressively cache file
-data\&. With some oplock types the client may even cache file open/close
-operations\&. This can give enormous performance benefits\&.
-.IP
-When you set \f(CW"fake oplocks = yes"\fP \fBsmbd\fP will
-always grant oplock requests no matter how many clients are using the
-file\&.
-.IP
-It is generally much better to use the real \fBoplocks\fP
-support rather than this parameter\&.
-.IP
-If you enable this option on all read-only shares or shares that you
-know will only be accessed from one client at a time such as
-physically read-only media like CDROMs, you will see a big performance
-improvement on many operations\&. If you enable this option on shares
-where multiple clients may be accessing the files read-write at the
-same time you can get data corruption\&. Use this option carefully!
-.IP
-This option is disabled by default\&.
-.IP
-.IP "\fBfollow symlinks (S)\fP"
-.IP
-This parameter allows the Samba administrator to stop
-\fBsmbd\fP from following symbolic links in a
-particular share\&. Setting this parameter to \fI"No"\fP prevents any file
-or directory that is a symbolic link from being followed (the user
-will get an error)\&. This option is very useful to stop users from
-adding a symbolic link to \f(CW/etc/passwd\fP in their home directory for
-instance\&. However it will slow filename lookups down slightly\&.
-.IP
-This option is enabled (i\&.e\&. \fBsmbd\fP will follow
-symbolic links) by default\&.
-.IP
-.IP "\fBforce create mode (S)\fP"
-.IP
-This parameter specifies a set of UNIX mode bit permissions that will
-\fI*always*\fP be set on a file by Samba\&. This is done by bitwise
-\'OR\'ing these bits onto the mode bits of a file that is being created
-or having its permissions changed\&. The default for this parameter is
-(in octal) 000\&. The modes in this parameter are bitwise \'OR\'ed onto
-the file mode after the mask set in the \fB"create
-mask"\fP parameter is applied\&.
-.IP
-See also the parameter \fB"create mask"\fP for details
-on masking mode bits on files\&.
-.IP
-See also the \fB"inherit permissions"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW force create mode = 000\fP
-.IP
-\fBExample:\fP
-\f(CW force create mode = 0755\fP
-.IP
-would force all created files to have read and execute permissions set
-for \'group\' and \'other\' as well as the read/write/execute bits set for
-the \'user\'\&.
-.IP
-.IP "\fBforce directory mode (S)\fP"
-.IP
-This parameter specifies a set of UNIX mode bit permissions that will
-\fI*always*\fP be set on a directory created by Samba\&. This is done by
-bitwise \'OR\'ing these bits onto the mode bits of a directory that is
-being created\&. The default for this parameter is (in octal) 0000 which
-will not add any extra permission bits to a created directory\&. This
-operation is done after the mode mask in the parameter
-\fB"directory mask"\fP is applied\&.
-.IP
-See also the parameter \fB"directory mask"\fP for
-details on masking mode bits on created directories\&.
-.IP
-See also the \fB"inherit permissions"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW force directory mode = 000\fP
-.IP
-\fBExample:\fP
-\f(CW force directory mode = 0755\fP
-.IP
-would force all created directories to have read and execute
-permissions set for \'group\' and \'other\' as well as the
-read/write/execute bits set for the \'user\'\&.
-.IP
-.IP "\fBforce directory security mode (S)\fP"
-.IP
-This parameter controls what UNIX permission bits can be modified when
-a Windows NT client is manipulating the UNIX permission on a directory
-using the native NT security dialog box\&.
-.IP
-This parameter is applied as a mask (OR\'ed with) to the changed
-permission bits, thus forcing any bits in this mask that the user may
-have modified to be on\&. Essentially, one bits in this mask may be
-treated as a set of bits that, when modifying security on a directory,
-the user has always set to be \'on\'\&.
-.IP
-If not set explicitly this parameter is set to the same value as the
-\fBforce directory mode\fP parameter\&. To allow
-a user to modify all the user/group/world permissions on a directory,
-with restrictions set this parameter to 000\&.
-.IP
-\fINote\fP that users who can access the Samba server through other
-means can easily bypass this restriction, so it is primarily
-useful for standalone "appliance" systems\&. Administrators of
-most normal systems will probably want to set it to 0000\&.
-.IP
-See also the \fBdirectory security mask\fP,
-\fBsecurity mask\fP, \fBforce security
-mode\fP parameters\&.
-.IP
-\fBDefault:\fP
-\f(CW force directory security mode = <same as force directory mode>\fP
-.IP
-\fBExample:\fP
-\f(CW force directory security mode = 0\fP
-.IP
-.IP "\fBforce group (S)\fP"
-.IP
-This specifies a UNIX group name that will be assigned as the default
-primary group for all users connecting to this service\&. This is useful
-for sharing files by ensuring that all access to files on service will
-use the named group for their permissions checking\&. Thus, by assigning
-permissions for this group to the files and directories within this
-service the Samba administrator can restrict or allow sharing of these
-files\&.
-.IP
-In Samba 2\&.0\&.5 and above this parameter has extended functionality in the following
-way\&. If the group name listed here has a \'+\' character prepended to it
-then the current user accessing the share only has the primary group
-default assigned to this group if they are already assigned as a member
-of that group\&. This allows an administrator to decide that only users
-who are already in a particular group will create files with group
-ownership set to that group\&. This gives a finer granularity of ownership
-assignment\&. For example, the setting \f(CWforce group = +sys\fP means
-that only users who are already in group sys will have their default
-primary group assigned to sys when accessing this Samba share\&. All
-other users will retain their ordinary primary group\&.
-.IP
-If the \fB"force user"\fP parameter is also set the
-group specified in \fBforce group\fP will override the primary group
-set in \fB"force user"\fP\&.
-.IP
-See also \fB"force user"\fP
-.IP
-\fBDefault:\fP
-\f(CW no forced group\fP
-.IP
-\fBExample:\fP
-\f(CW force group = agroup\fP
-.IP
-.IP "\fBforce security mode (S)\fP"
-.IP
-This parameter controls what UNIX permission bits can be modified when
-a Windows NT client is manipulating the UNIX permission on a file
-using the native NT security dialog box\&.
-.IP
-This parameter is applied as a mask (OR\'ed with) to the changed
-permission bits, thus forcing any bits in this mask that the user may
-have modified to be on\&. Essentially, one bits in this mask may be
-treated as a set of bits that, when modifying security on a file, the
-user has always set to be \'on\'\&.
-.IP
-If not set explicitly this parameter is set to the same value as the
-\fBforce create mode\fP parameter\&. To allow
-a user to modify all the user/group/world permissions on a file,
-with no restrictions set this parameter to 000\&.
-.IP
-\fINote\fP that users who can access the Samba server through other
-means can easily bypass this restriction, so it is primarily
-useful for standalone "appliance" systems\&. Administrators of
-most normal systems will probably want to set it to 0000\&.
-.IP
-See also the \fBforce directory security
-mode\fP, \fBdirectory security
-mask\fP, \fBsecurity mask\fP
-parameters\&.
-.IP
-\fBDefault:\fP
-\f(CW force security mode = <same as force create mode>\fP
-.IP
-\fBExample:\fP
-\f(CW force security mode = 0\fP
-.IP
-.IP "\fBforce user (S)\fP"
-.IP
-This specifies a UNIX user name that will be assigned as the default
-user for all users connecting to this service\&. This is useful for
-sharing files\&. You should also use it carefully as using it
-incorrectly can cause security problems\&.
-.IP
-This user name only gets used once a connection is established\&. Thus
-clients still need to connect as a valid user and supply a valid
-password\&. Once connected, all file operations will be performed as the
-\f(CW"forced user"\fP, no matter what username the client connected as\&.
-.IP
-This can be very useful\&.
-.IP
-In Samba 2\&.0\&.5 and above this parameter also causes the primary
-group of the forced user to be used as the primary group for all
-file activity\&. Prior to 2\&.0\&.5 the primary group was left as the
-primary group of the connecting user (this was a bug)\&.
-.IP
-See also \fB"force group"\fP
-.IP
-\fBDefault:\fP
-\f(CW no forced user\fP
-.IP
-\fBExample:\fP
-\f(CW force user = auser\fP
-.IP
-.IP "\fBfstype (S)\fP"
-.IP
-This parameter allows the administrator to configure the string that
-specifies the type of filesystem a share is using that is reported by
-\fBsmbd\fP when a client queries the filesystem type
-for a share\&. The default type is \fB"NTFS"\fP for compatibility with
-Windows NT but this can be changed to other strings such as "Samba" or
-"FAT" if required\&.
-.IP
-\fBDefault:\fP
-\f(CW fstype = NTFS\fP
-.IP
-\fBExample:\fP
-\f(CW fstype = Samba\fP
-.IP
-.IP "\fBgetwd cache (G)\fP"
-.IP
-This is a tuning option\&. When this is enabled a caching algorithm
-will be used to reduce the time taken for getwd() calls\&. This can have
-a significant impact on performance, especially when the
-\fBwidelinks\fP parameter is set to False\&.
-.IP
-\fBDefault:\fP
-\f(CW getwd cache = No\fP
-.IP
-\fBExample:\fP
-\f(CW getwd cache = Yes\fP
-.IP
-.IP "\fBgroup (S)\fP"
-.IP
-Synonym for \fB"force group"\fP\&.
-.IP
-.IP "\fBguest account (S)\fP"
-.IP
-This is a username which will be used for access to services which are
-specified as \fB\'guest ok\'\fP (see below)\&. Whatever
-privileges this user has will be available to any client connecting to
-the guest service\&. Typically this user will exist in the password
-file, but will not have a valid login\&. The user account \fB"ftp"\fP is
-often a good choice for this parameter\&. If a username is specified in
-a given service, the specified username overrides this one\&.
-.IP
-One some systems the default guest account "nobody" may not be able to
-print\&. Use another account in this case\&. You should test this by
-trying to log in as your guest user (perhaps by using the \f(CW"su -"\fP
-command) and trying to print using the system print command such as
-\fBlpr (1)\fP or \fBlp (1)\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW specified at compile time, usually "nobody"\fP
-.IP
-\fBExample:\fP
-\f(CW guest account = ftp\fP
-.IP
-.IP "\fBguest ok (S)\fP"
-.IP
-If this parameter is \fI\'yes\'\fP for a service, then no password is
-required to connect to the service\&. Privileges will be those of the
-\fBguest account\fP\&.
-.IP
-See the section below on \fBsecurity\fP for more
-information about this option\&.
-.IP
-\fBDefault:\fP
-\f(CW guest ok = no\fP
-.IP
-\fBExample:\fP
-\f(CW guest ok = yes\fP
-.IP
-.IP "\fBguest only (S)\fP"
-.IP
-If this parameter is \fI\'yes\'\fP for a service, then only guest
-connections to the service are permitted\&. This parameter will have no
-affect if \fB"guest ok"\fP or \fB"public"\fP
-is not set for the service\&.
-.IP
-See the section below on \fBsecurity\fP for more
-information about this option\&.
-.IP
-\fBDefault:\fP
-\f(CW guest only = no\fP
-.IP
-\fBExample:\fP
-\f(CW guest only = yes\fP
-.IP
-.IP "\fBhide dot files (S)\fP"
-.IP
-This is a boolean parameter that controls whether files starting with
-a dot appear as hidden files\&.
-.IP
-\fBDefault:\fP
-\f(CW hide dot files = yes\fP
-.IP
-\fBExample:\fP
-\f(CW hide dot files = no\fP
-.IP
-.IP "\fBhide files(S)\fP"
-.IP
-This is a list of files or directories that are not visible but are
-accessible\&. The DOS \'hidden\' attribute is applied to any files or
-directories that match\&.
-.IP
-Each entry in the list must be separated by a \f(CW\'/\'\fP, which allows
-spaces to be included in the entry\&. \f(CW\'*\'\fP and \f(CW\'?\'\fP can be used
-to specify multiple files or directories as in DOS wildcards\&.
-.IP
-Each entry must be a Unix path, not a DOS path and must not include the
-Unix directory separator \f(CW\'/\'\fP\&.
-.IP
-Note that the case sensitivity option is applicable in hiding files\&.
-.IP
-Setting this parameter will affect the performance of Samba, as it
-will be forced to check all files and directories for a match as they
-are scanned\&.
-.IP
-See also \fB"hide dot files"\fP, \fB"veto
-files"\fP and \fB"case sensitive"\fP\&.
-.IP
-\fBDefault\fP
-
-.nf
-
+It also sets what will appear in browse lists next
+to the machine name.
- No files or directories are hidden by this option (dot files are
- hidden by default because of the "hide dot files" option)\&.
+A \fI%v\fR will be replaced with the Samba
+version number.
-.fi
-
+A \fI%h\fR will be replaced with the
+hostname.
-.IP
-\fBExample\fP
-\f(CW hide files = /\&.*/DesktopFolderDB/TrashFor%m/resource\&.frk/\fP
-.IP
-The above example is based on files that the Macintosh SMB client
-(DAVE) available from \fBThursby\fP creates for
-internal use, and also still hides all files beginning with a dot\&.
-.IP
-.IP "\fBhide local users(G)\fP"
-.IP
-This parameter toggles the hiding of local UNIX users (root, wheel, floppy, etc)
-from remote clients\&.
-.IP
-\fBDefault:\fP
-\f(CW hide local users = No\fP
-.IP
-\fBExample:\fP
-\f(CW hide local users = Yes\fP
-.IP
-.IP "\fBhomedir map (G)\fP"
-.IP
-If \fB"nis homedir"\fP is true, and
-\fBsmbd\fP is also acting as a Win95/98 \fBlogon
-server\fP then this parameter specifies the NIS (or YP)
-map from which the server for the user\'s home directory should be
-extracted\&. At present, only the Sun auto\&.home map format is
-understood\&. The form of the map is:
-.IP
-\f(CWusername server:/some/file/system\fP
-.IP
-and the program will extract the servername from before the first
-\f(CW\':\'\fP\&. There should probably be a better parsing system that copes
-with different map formats and also Amd (another automounter) maps\&.
-.IP
-NB: A working NIS is required on the system for this option to work\&.
-.IP
-See also \fB"nis homedir"\fP, \fBdomain
-logons\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW homedir map = auto\&.home\fP
-.IP
-\fBExample:\fP
-\f(CW homedir map = amd\&.homedir\fP
-.IP
-.IP "\fBhosts allow (S)\fP"
-.IP
-A synonym for this parameter is \fB\'allow hosts\'\fP
-.IP
-This parameter is a comma, space, or tab delimited set of hosts which
-are permitted to access a service\&.
-.IP
-If specified in the \fB[global]\fP section then it will
-apply to all services, regardless of whether the individual service
-has a different setting\&.
-.IP
-You can specify the hosts by name or IP number\&. For example, you could
-restrict access to only the hosts on a Class C subnet with something
-like \f(CW"allow hosts = 150\&.203\&.5\&."\fP\&. The full syntax of the list is
-described in the man page \fBhosts_access (5)\fP\&. Note that this man
-page may not be present on your system, so a brief description will
-be given here also\&.
-.IP
-Note that the localhost address 127\&.0\&.0\&.1 will always be allowed
-access unless specifically denied by a "hosts deny" option\&.
-.IP
-You can also specify hosts by network/netmask pairs and by netgroup
-names if your system supports netgroups\&. The \fIEXCEPT\fP keyword can also
-be used to limit a wildcard list\&. The following examples may provide
-some help:
-.IP
-\fBExample 1\fP: allow all IPs in 150\&.203\&.*\&.* except one
-.IP
-\f(CW hosts allow = 150\&.203\&. EXCEPT 150\&.203\&.6\&.66\fP
-.IP
-\fBExample 2\fP: allow hosts that match the given network/netmask
-.IP
-\f(CW hosts allow = 150\&.203\&.15\&.0/255\&.255\&.255\&.0\fP
-.IP
-\fBExample 3\fP: allow a couple of hosts
-.IP
-\f(CW hosts allow = lapland, arvidsjaur\fP
-.IP
-\fBExample 4\fP: allow only hosts in NIS netgroup "foonet", but
-deny access from one particular host
-.IP
-\f(CW hosts allow = @foonet\fP
-.IP
-\f(CW hosts deny = pirate\fP
-.IP
-Note that access still requires suitable user-level passwords\&.
-.IP
-See \fBtestparm (1)\fP for a way of testing your
-host access to see if it does what you expect\&.
-.IP
-\fBDefault:\fP
-\f(CW none (i\&.e\&., all hosts permitted access)\fP
-.IP
-\fBExample:\fP
-\f(CW allow hosts = 150\&.203\&.5\&. myhost\&.mynet\&.edu\&.au\fP
-.IP
-.IP "\fBhosts deny (S)\fP"
-.IP
-The opposite of \fB\'hosts allow\'\fP - hosts listed
-here are \fINOT\fP permitted access to services unless the specific
-services have their own lists to override this one\&. Where the lists
-conflict, the \fB\'allow\'\fP list takes precedence\&.
-.IP
-\fBDefault:\fP
-\f(CW none (i\&.e\&., no hosts specifically excluded)\fP
-.IP
-\fBExample:\fP
-\f(CW hosts deny = 150\&.203\&.4\&. badhost\&.mynet\&.edu\&.au\fP
-.IP
-.IP "\fBhosts equiv (G)\fP"
-.IP
-If this global parameter is a non-null string, it specifies the name
-of a file to read for the names of hosts and users who will be allowed
-access without specifying a password\&.
-.IP
-This is not be confused with \fBhosts allow\fP which
-is about hosts access to services and is more useful for guest
-services\&. \fBhosts equiv\fP may be useful for NT clients which will not
-supply passwords to samba\&.
-.IP
-NOTE: The use of \fBhosts equiv\fP can be a major security hole\&. This is
-because you are trusting the PC to supply the correct username\&. It is
-very easy to get a PC to supply a false username\&. I recommend that the
-\fBhosts equiv\fP option be only used if you really know what you are
-doing, or perhaps on a home network where you trust your spouse and
-kids\&. And only if you \fIreally\fP trust them :-)\&.
-.IP
-\fBDefault\fP
-\f(CW No host equivalences\fP
-.IP
-\fBExample\fP
-\f(CW hosts equiv = /etc/hosts\&.equiv\fP
-.IP
-.IP "\fBinclude (G)\fP"
-.IP
-This allows you to include one config file inside another\&. The file
-is included literally, as though typed in place\&.
-.IP
-It takes the standard substitutions, except \fB%u\fP,
-\fB%P\fP and \fB%S\fP\&.
-.IP
-.IP "\fBinherit permissions (S)\fP"
-.IP
-The permissions on new files and directories are normally governed by
-\fB"create mask"\fP,
-\fB"directory mask"\fP,
-\fB"force create mode"\fP and
-\fB"force directory mode"\fP
-but the boolean inherit permissions parameter overrides this\&.
-.IP
-New directories inherit the mode of the parent directory,
-including bits such as setgid\&.
-.IP
-New files inherit their read/write bits from the parent directory\&.
-Their execute bits continue to be determined by
-\fB"map archive"\fP,
-\fB"map hidden"\fP and
-\fB"map system"\fP as usual\&.
-.IP
-Note that the setuid bit is *never* set via inheritance
-(the code explicitly prohibits this)\&.
-.IP
-This can be particularly useful on large systems with many users,
-perhaps several thousand,
-to allow a single \fB[homes]\fP share to be used flexibly by each user\&.
-.IP
-See also \fB"create mask"\fP, \fB"directory mask"\fP,
-\fB"force create mode"\fP and
-\fB"force directory mode"\fP\&.
-.IP
-\fBDefault\fP
-\f(CW inherit permissions = no\fP
-.IP
-\fBExample\fP
-\f(CW inherit permissions = yes\fP
-.IP
-.IP "\fBinterfaces (G)\fP"
-.IP
-This option allows you to override the default network interfaces list
-that Samba will use for browsing, name registration and other NBT
-traffic\&. By default Samba will query the kernel for the list of all
-active interfaces and use any interfaces except 127\&.0\&.0\&.1 that are
-broadcast capable\&.
-.IP
-The option takes a list of interface strings\&. Each string can be in
-any of the following forms:
-.IP
-.IP o
-a network interface name (such as eth0)\&. This may include
-shell-like wildcards so eth* will match any interface starting
-with the substring "eth"
-.IP o
-an IP address\&. In this case the netmask is determined
-from the list of interfaces obtained from the kernel
-.IP o
-an IP/mask pair\&.
-.IP o
-a broadcast/mask pair\&.
-.IP
-The "mask" parameters can either be a bit length (such as 24 for a C
-class network) or a full netmask in dotted decmal form\&.
-.IP
-The "IP" parameters above can either be a full dotted decimal IP
-address or a hostname which will be looked up via the OSes normal
-hostname resolution mechanisms\&.
-.IP
-For example, the following line:
-.IP
-\f(CWinterfaces = eth0 192\&.168\&.2\&.10/24 192\&.168\&.3\&.10/255\&.255\&.255\&.0\fP
-.IP
-would configure three network interfaces corresponding to the eth0
-device and IP addresses 192\&.168\&.2\&.10 and 192\&.168\&.3\&.10\&. The netmasks of
-the latter two interfaces would be set to 255\&.255\&.255\&.0\&.
-.IP
-See also \fB"bind interfaces only"\fP\&.
-.IP
-.IP "\fBinvalid users (S)\fP"
-.IP
-This is a list of users that should not be allowed to login to this
-service\&. This is really a \fI"paranoid"\fP check to absolutely ensure an
-improper setting does not breach your security\&.
-.IP
-A name starting with a \f(CW\'@\'\fP is interpreted as an NIS netgroup first
-(if your system supports NIS), and then as a UNIX group if the name
-was not found in the NIS netgroup database\&.
-.IP
-A name starting with \f(CW\'+\'\fP is interpreted only by looking in the
-UNIX group database\&. A name starting with \f(CW\'&\'\fP is interpreted only
-by looking in the NIS netgroup database (this requires NIS to be
-working on your system)\&. The characters \f(CW\'+\'\fP and \f(CW\'&\'\fP may be
-used at the start of the name in either order so the value
-\f(CW"+&group"\fP means check the UNIX group database, followed by the NIS
-netgroup database, and the value \f(CW"&+group"\fP means check the NIS
-netgroup database, followed by the UNIX group database (the same as
-the \f(CW\'@\'\fP prefix)\&.
-.IP
-The current servicename is substituted for
-\fB%S\fP\&. This is useful in the \fB[homes]\fP
-section\&.
-.IP
-See also \fB"valid users"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW No invalid users\fP
-.IP
-\fBExample:\fP
-\f(CW invalid users = root fred admin @wheel\fP
-.IP
-.IP "\fBkeepalive (G)\fP"
-.IP
-The value of the parameter (an integer) represents the number of
-seconds between \fB\'keepalive\'\fP packets\&. If this parameter is zero, no
-keepalive packets will be sent\&. Keepalive packets, if sent, allow the
-server to tell whether a client is still present and responding\&.
-.IP
-Keepalives should, in general, not be needed if the socket being used
-has the SO_KEEPALIVE attribute set on it (see \fB"socket
-options"\fP)\&. Basically you should only use this option
-if you strike difficulties\&.
-.IP
-\fBDefault:\fP
-\f(CW keepalive = 0\fP
-.IP
-\fBExample:\fP
-\f(CW keepalive = 60\fP
-.IP
-.IP "\fBkernel oplocks (G)\fP"
-.IP
-For UNIXs that support kernel based \fBoplocks\fP
-(currently only IRIX but hopefully also Linux and FreeBSD soon) this
-parameter allows the use of them to be turned on or off\&.
-.IP
-Kernel oplocks support allows Samba \fBoplocks\fP to be
-broken whenever a local UNIX process or NFS operation accesses a file
-that \fBsmbd\fP has oplocked\&. This allows complete
-data consistency between SMB/CIFS, NFS and local file access (and is a
-\fIvery\fP cool feature :-)\&.
-.IP
-This parameter defaults to \fI"On"\fP on systems that have the support,
-and \fI"off"\fP on systems that don\'t\&. You should never need to touch
-this parameter\&.
-.IP
-See also the \fB"oplocks"\fP and \fB"level2 oplocks"\fP
-parameters\&.
-.IP
-.IP "\fBldap filter (G)\fP"
-.IP
-This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
-password database stored on an LDAP server back-end\&. These options
-are only available if your version of Samba was configured with
-the \fB--with-ldap\fP option\&.
-.IP
-This parameter specifies an LDAP search filter used to search for a
-user name in the LDAP database\&. It must contain the string
-\fB%u\fP which will be replaced with the user being
-searched for\&.
-.IP
-\fBDefault:\fP
-\f(CW empty string\&.\fP
-.IP
-.IP "\fBldap port (G)\fP"
-.IP
-This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
-password database stored on an LDAP server back-end\&. These options
-are only available if your version of Samba was configured with
-the \fB--with-ldap\fP option\&.
-.IP
-This parameter specifies the TCP port number to use to contact
-the LDAP server on\&.
-.IP
-\fBDefault:\fP
-\f(CW ldap port = 389\&.\fP
-.IP
-.IP "\fBldap root (G)\fP"
-.IP
-This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
-password database stored on an LDAP server back-end\&. These options
-are only available if your version of Samba was configured with
-the \fB--with-ldap\fP option\&.
-.IP
-This parameter specifies the entity to bind to the LDAP server
-as (essentially the LDAP username) in order to be able to perform
-queries and modifications on the LDAP database\&.
-.IP
-See also \fBldap root passwd\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW empty string (no user defined)\fP
-.IP
-.IP "\fBldap root passwd (G)\fP"
-.IP
-This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
-password database stored on an LDAP server back-end\&. These options
-are only available if your version of Samba was configured with
-the \fB--with-ldap\fP option\&.
-.IP
-This parameter specifies the password for the entity to bind to the
-LDAP server as (the password for this LDAP username) in order to be
-able to perform queries and modifications on the LDAP database\&.
-.IP
-\fIBUGS:\fP This parameter should \fINOT\fP be a readable parameter
-in the \fBsmb\&.conf\fP file and will be removed once a correct
-storage place is found\&.
-.IP
-See also \fBldap root\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW empty string\&.\fP
-.IP
-.IP "\fBldap server (G)\fP"
-.IP
-This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
-password database stored on an LDAP server back-end\&. These options
-are only available if your version of Samba was configured with
-the \fB--with-ldap\fP option\&.
-.IP
-This parameter specifies the DNS name of the LDAP server to use
-for SMB/CIFS authentication purposes\&.
-.IP
-\fBDefault:\fP
-\f(CW ldap server = localhost\fP
-.IP
-.IP "\fBldap suffix (G)\fP"
-.IP
-This parameter is part of the \fIEXPERIMENTAL\fP Samba support for a
-password database stored on an LDAP server back-end\&. These options
-are only available if your version of Samba was configured with
-the \fB--with-ldap\fP option\&.
-.IP
-This parameter specifies the \f(CW"dn"\fP or LDAP \fI"distinguished name"\fP
-that tells \fBsmbd\fP to start from when searching
-for an entry in the LDAP password database\&.
-.IP
-\fBDefault:\fP
-\f(CW empty string\&.\fP
-.IP
-.IP "\fBlevel2 oplocks (S)\fP"
-.IP
-This parameter (new in Samba 2\&.0\&.5) controls whether Samba supports
-level2 (read-only) oplocks on a share\&. In Samba 2\&.0\&.5 this parameter
-defaults to "False" as the code is new, but will default to "True"
-in a later release\&.
-.IP
-Level2, or read-only oplocks allow Windows NT clients that have an
-oplock on a file to downgrade from a read-write oplock to a read-only
-oplock once a second client opens the file (instead of releasing all
-oplocks on a second open, as in traditional, exclusive oplocks)\&. This
-allows all openers of the file that support level2 oplocks to cache
-the file for read-ahead only (ie\&. they may not cache writes or lock
-requests) and increases performance for many acesses of files that
-are not commonly written (such as application \&.EXE files)\&.
-.IP
-Once one of the clients which have a read-only oplock writes to
-the file all clients are notified (no reply is needed or waited
-for) and told to break their oplocks to "none" and delete any
-read-ahead caches\&.
-.IP
-It is recommended that this parameter be turned on to speed access
-to shared executables (and also to test the code :-)\&.
-.IP
-For more discussions on level2 oplocks see the CIFS spec\&.
-.IP
-Currently, if \fB"kernel oplocks"\fP are supported
-then level2 oplocks are not granted (even if this parameter is set
-to \f(CW"true"\fP)\&. Note also, the \fB"oplocks"\fP parameter must
-be set to "true" on this share in order for this parameter to have any
-effect\&.
-.IP
-See also the \fB"oplocks"\fP and \fB"kernel oplocks"\fP parameters\&.
-.IP
-\fBDefault:\fP
-\f(CW level2 oplocks = False\fP
-.IP
-\fBExample:\fP
-\f(CW level2 oplocks = True\fP
-.IP
-.IP "\fBlm announce (G)\fP"
-.IP
-This parameter determines if \fBnmbd\fP will produce
-Lanman announce broadcasts that are needed by \fBOS/2\fP clients in order
-for them to see the Samba server in their browse list\&. This parameter
-can have three values, \f(CW"true"\fP, \f(CW"false"\fP, or \f(CW"auto"\fP\&. The
-default is \f(CW"auto"\fP\&. If set to \f(CW"false"\fP Samba will never produce
-these broadcasts\&. If set to \f(CW"true"\fP Samba will produce Lanman
-announce broadcasts at a frequency set by the parameter \fB"lm
-interval"\fP\&. If set to \f(CW"auto"\fP Samba will not send Lanman
-announce broadcasts by default but will listen for them\&. If it hears
-such a broadcast on the wire it will then start sending them at a
-frequency set by the parameter \fB"lm interval"\fP\&.
-.IP
-See also \fB"lm interval"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW lm announce = auto\fP
-.IP
-\fBExample:\fP
-\f(CW lm announce = true\fP
-.IP
-.IP "\fBlm interval (G)\fP"
-.IP
-If Samba is set to produce Lanman announce broadcasts needed by
-\fBOS/2\fP clients (see the \fB"lm announce"\fP
-parameter) then this parameter defines the frequency in seconds with
-which they will be made\&. If this is set to zero then no Lanman
-announcements will be made despite the setting of the \fB"lm
-announce"\fP parameter\&.
-.IP
-See also \fB"lm announce"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW lm interval = 60\fP
-.IP
-\fBExample:\fP
-\f(CW lm interval = 120\fP
-.IP
-.IP "\fBload printers (G)\fP"
-.IP
-A boolean variable that controls whether all printers in the printcap
-will be loaded for browsing by default\&. See the
-\fB"printers"\fP section for more details\&.
-.IP
-\fBDefault:\fP
-\f(CW load printers = yes\fP
-.IP
-\fBExample:\fP
-\f(CW load printers = no\fP
-.IP
-.IP "\fBlocal master (G)\fP"
-.IP
-This option allows \fBnmbd\fP to try and become a
-local master browser on a subnet\&. If set to False then
-\fBnmbd\fP will not attempt to become a local master
-browser on a subnet and will also lose in all browsing elections\&. By
-default this value is set to true\&. Setting this value to true doesn\'t
-mean that Samba will \fIbecome\fP the local master browser on a subnet,
-just that \fBnmbd\fP will \fIparticipate\fP in
-elections for local master browser\&.
-.IP
-Setting this value to False will cause \fBnmbd\fP
-\fInever\fP to become a local master browser\&.
-.IP
-\fBDefault:\fP
-\f(CW local master = yes\fP
-.IP
-.IP "\fBlock dir (G)\fP"
-.IP
-Synonym for \fB"lock directory"\fP\&.
-.IP
-.IP "\fBlock directory (G)\fP"
-.IP
-This option specifies the directory where lock files will be placed\&.
-The lock files are used to implement the \fB"max
-connections"\fP option\&.
-.IP
-\fBDefault:\fP
-\f(CW lock directory = /tmp/samba\fP
-.IP
-\fBExample:\fP
-\f(CW lock directory = /usr/local/samba/var/locks\fP
-.IP
-.IP "\fBlocking (S)\fP"
-.IP
-This controls whether or not locking will be performed by the server
-in response to lock requests from the client\&.
-.IP
-If \f(CW"locking = no"\fP, all lock and unlock requests will appear to
-succeed and all lock queries will indicate that the queried lock is
-clear\&.
-.IP
-If \f(CW"locking = yes"\fP, real locking will be performed by the server\&.
-.IP
-This option \fImay\fP be useful for read-only filesystems which \fImay\fP
-not need locking (such as cdrom drives), although setting this
-parameter of \f(CW"no"\fP is not really recommended even in this case\&.
-.IP
-Be careful about disabling locking either globally or in a specific
-service, as lack of locking may result in data corruption\&. You should
-never need to set this parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW locking = yes\fP
-.IP
-\fBExample:\fP
-\f(CW locking = no\fP
-.IP
-.IP "\fBlog file (G)\fP"
-.IP
-This options allows you to override the name of the Samba log file
-(also known as the debug file)\&.
-.IP
-This option takes the standard substitutions, allowing you to have
-separate log files for each user or machine\&.
-.IP
-\fBExample:\fP
-\f(CW log file = /usr/local/samba/var/log\&.%m\fP
-.IP
-.IP "\fBlog level (G)\fP"
-.IP
-Synonym for \fB"debug level"\fP\&.
-.IP
-.IP "\fBlogon drive (G)\fP"
-.IP
-This parameter specifies the local path to which the home directory
-will be connected (see \fB"logon home"\fP) and is only
-used by NT Workstations\&.
-.IP
-Note that this option is only useful if Samba is set up as a
-\fBlogon server\fP\&.
-.IP
-\fBExample:\fP
-\f(CW logon drive = h:\fP
-.IP
-.IP "\fBlogon home (G)\fP"
-.IP
-This parameter specifies the home directory location when a Win95/98 or
-NT Workstation logs into a Samba PDC\&. It allows you to do
-.IP
-\f(CW"NET USE H: /HOME"\fP
-.IP
-from a command prompt, for example\&.
-.IP
-This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine\&.
-.IP
-This parameter can be used with Win9X workstations to ensure that
-roaming profiles are stored in a subdirectory of the user\'s home
-directory\&. This is done in the following way:
-.IP
-\f(CW" logon home = \e\e%L\e%U\eprofile"\fP
-.IP
-This tells Samba to return the above string, with substitutions made
-when a client requests the info, generally in a NetUserGetInfo request\&.
-Win9X clients truncate the info to \e\eserver\eshare when a user does \f(CW"net use /home"\fP,
-but use the whole string when dealing with profiles\&.
-.IP
-Note that in prior versions of Samba, the \f(CW"logon path"\fP was returned rather than
-\f(CW"logon home"\fP\&. This broke \f(CW"net use /home"\fP but allowed profiles outside the
-home directory\&. The current implementation is correct, and can be used for profiles
-if you use the above trick\&.
-.IP
-Note that this option is only useful if Samba is set up as a
-\fBlogon server\fP\&.
-.IP
-\fBExample:\fP
-\f(CW logon home = "\e\eremote_smb_server\e%U"\fP
-.IP
-\fBDefault:\fP
-\f(CW logon home = "\e\e%N\e%U"\fP
-.IP
-.IP "\fBlogon path (G)\fP"
-.IP
-This parameter specifies the home directory where roaming profiles
-(NTuser\&.dat etc files for Windows NT) are stored\&. Contrary to previous
-versions of these manual pages, it has nothing to do with Win 9X roaming
-profiles\&. To find out how to handle roaming profiles for Win 9X system, see
-the \f(CW"logon home"\fP parameter\&.
-.IP
-This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine\&. It also specifies
-the directory from which the \f(CW"application data"\fP, (\f(CW"desktop"\fP, \f(CW"start menu"\fP,
-\f(CW"network neighborhood"\fP, \f(CW"programs"\fP and other folders, and their
-contents, are loaded and displayed on your Windows NT client\&.
-.IP
-The share and the path must be readable by the user for the
-preferences and directories to be loaded onto the Windows NT
-client\&. The share must be writeable when the logs in for the first
-time, in order that the Windows NT client can create the NTuser\&.dat
-and other directories\&.
-.IP
-Thereafter, the directories and any of the contents can, if required, be
-made read-only\&. It is not advisable that the NTuser\&.dat file be made
-read-only - rename it to NTuser\&.man to achieve the desired effect (a
-\fIMAN\fPdatory profile)\&.
-.IP
-Windows clients can sometimes maintain a connection to the [homes]
-share, even though there is no user logged in\&. Therefore, it is vital
-that the logon path does not include a reference to the homes share
-(i\&.e\&. setting this parameter to \f(CW\e\e%N\eHOMES\eprofile_path\fP will cause
-problems)\&.
-.IP
-This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine\&.
-.IP
-Note that this option is only useful if Samba is set up as a
-\fBlogon server\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW logon path = \e\e%N\e%U\eprofile\fP
-.IP
-\fBExample:\fP
-\f(CW logon path = \e\ePROFILESERVER\eHOME_DIR\e%U\ePROFILE\fP
-.IP
-.IP "\fBlogon script (G)\fP"
-.IP
-This parameter specifies the batch file (\&.bat) or NT command file
-(\&.cmd) to be downloaded and run on a machine when a user successfully
-logs in\&. The file must contain the DOS style cr/lf line endings\&.
-Using a DOS-style editor to create the file is recommended\&.
-.IP
-The script must be a relative path to the \f(CW[netlogon]\fP service\&. If
-the \f(CW[netlogon]\fP service specifies a \fBpath\fP of
-/usr/local/samba/netlogon, and logon script = STARTUP\&.BAT, then the
-file that will be downloaded is:
-.IP
-\f(CW/usr/local/samba/netlogon/STARTUP\&.BAT\fP
-.IP
-The contents of the batch file is entirely your choice\&. A suggested
-command would be to add \f(CWNET TIME \e\eSERVER /SET /YES\fP, to force every
-machine to synchronize clocks with the same time server\&. Another use
-would be to add \f(CWNET USE U: \e\eSERVER\eUTILS\fP for commonly used
-utilities, or \f(CWNET USE Q: \e\eSERVER\eISO9001_QA\fP for example\&.
-.IP
-Note that it is particularly important not to allow write access to
-the \f(CW[netlogon]\fP share, or to grant users write permission on the
-batch files in a secure environment, as this would allow the batch
-files to be arbitrarily modified and security to be breached\&.
-.IP
-This option takes the standard substitutions, allowing you to have
-separate logon scripts for each user or machine\&.
-.IP
-Note that this option is only useful if Samba is set up as a
-\fBlogon server\fP\&.
-.IP
-\fBExample:\fP
-\f(CW logon script = scripts\e%U\&.bat\fP
-.IP
-.IP "\fBlppause command (S)\fP"
-.IP
-This parameter specifies the command to be executed on the server host
-in order to stop printing or spooling a specific print job\&.
-.IP
-This command should be a program or script which takes a printer name
-and job number to pause the print job\&. One way of implementing this is
-by using job priorities, where jobs having a too low priority won\'t be
-sent to the printer\&.
-.IP
-If a \f(CW"%p"\fP is given then the printername is put in its place\&. A
-\f(CW"%j"\fP is replaced with the job number (an integer)\&. On HPUX (see
-\fBprinting=hpux\fP), if the \f(CW"-p%p"\fP option is added
-to the lpq command, the job will show up with the correct status,
-i\&.e\&. if the job priority is lower than the set fence priority it will
-have the PAUSED status, whereas if the priority is equal or higher it
-will have the SPOOLED or PRINTING status\&.
-.IP
-Note that it is good practice to include the absolute path in the
-lppause command as the PATH may not be available to the server\&.
-.IP
-See also the \fB"printing"\fP parameter\&.
-.IP
-\fBDefault:\fP
-Currently no default value is given to this string, unless the
-value of the \fB"printing"\fP parameter is \f(CWSYSV\fP, in
-which case the default is :
-.IP
-\f(CW lp -i %p-%j -H hold\fP
-.IP
-or if the value of the \fB"printing"\fP parameter is \f(CWsoftq\fP,
-then the default is:
-.IP
-\f(CW qstat -s -j%j -h\fP
-.IP
-\fBExample for HPUX:\fP
-lppause command = /usr/bin/lpalt %p-%j -p0
-.IP
-.IP "\fBlpq cache time (G)\fP"
-.IP
-This controls how long lpq info will be cached for to prevent the
-\fBlpq\fP command being called too often\&. A separate cache is kept for
-each variation of the \fBlpq\fP command used by the system, so if you
-use different \fBlpq\fP commands for different users then they won\'t
-share cache information\&.
-.IP
-The cache files are stored in \f(CW/tmp/lpq\&.xxxx\fP where xxxx is a hash of
-the \fBlpq\fP command in use\&.
-.IP
-The default is 10 seconds, meaning that the cached results of a
-previous identical \fBlpq\fP command will be used if the cached data is
-less than 10 seconds old\&. A large value may be advisable if your
-\fBlpq\fP command is very slow\&.
-.IP
-A value of 0 will disable caching completely\&.
-.IP
-See also the \fB"printing"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW lpq cache time = 10\fP
-.IP
-\fBExample:\fP
-\f(CW lpq cache time = 30\fP
-.IP
-.IP "\fBlpq command (S)\fP"
-.IP
-This parameter specifies the command to be executed on the server host
-in order to obtain \f(CW"lpq"\fP-style printer status information\&.
-.IP
-This command should be a program or script which takes a printer name
-as its only parameter and outputs printer status information\&.
-.IP
-Currently eight styles of printer status information are supported;
-BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ\&. This covers most UNIX
-systems\&. You control which type is expected using the
-\fB"printing ="\fP option\&.
-.IP
-Some clients (notably Windows for Workgroups) may not correctly send
-the connection number for the printer they are requesting status
-information about\&. To get around this, the server reports on the first
-printer service connected to by the client\&. This only happens if the
-connection number sent is invalid\&.
-.IP
-If a \f(CW%p\fP is given then the printername is put in its place\&. Otherwise
-it is placed at the end of the command\&.
-.IP
-Note that it is good practice to include the absolute path in the \fBlpq
-command\fP as the PATH may not be available to the server\&.
-.IP
-See also the \fB"printing"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW depends on the setting of printing =\fP
-.IP
-\fBExample:\fP
-\f(CW lpq command = /usr/bin/lpq %p\fP
-.IP
-.IP "\fBlpresume command (S)\fP"
-.IP
-This parameter specifies the command to be executed on the server host
-in order to restart or continue printing or spooling a specific print
-job\&.
-.IP
-This command should be a program or script which takes a printer name
-and job number to resume the print job\&. See also the \fB"lppause
-command"\fP parameter\&.
-.IP
-If a \f(CW%p\fP is given then the printername is put in its place\&. A
-\f(CW%j\fP is replaced with the job number (an integer)\&.
-.IP
-Note that it is good practice to include the absolute path in the \fBlpresume
-command\fP as the PATH may not be available to the server\&.
-.IP
-See also the \fB"printing"\fP parameter\&.
-.IP
-\fBDefault:\fP
-.IP
-Currently no default value is given to this string, unless the
-value of the \fB"printing"\fP parameter is \f(CWSYSV\fP, in
-which case the default is :
-.IP
-\f(CW lp -i %p-%j -H resume\fP
-.IP
-or if the value of the \fB"printing"\fP parameter is \f(CWsoftq\fP,
-then the default is:
-.IP
-\f(CW qstat -s -j%j -r\fP
-.IP
-\fBExample for HPUX:\fP
-\f(CW lpresume command = /usr/bin/lpalt %p-%j -p2\fP
-.IP
-.IP "\fBlprm command (S)\fP"
-.IP
-This parameter specifies the command to be executed on the server host
-in order to delete a print job\&.
-.IP
-This command should be a program or script which takes a printer name
-and job number, and deletes the print job\&.
-.IP
-If a \f(CW%p\fP is given then the printername is put in its place\&. A
-\f(CW%j\fP is replaced with the job number (an integer)\&.
-.IP
-Note that it is good practice to include the absolute path in the
-\fBlprm command\fP as the PATH may not be available to the server\&.
-.IP
-See also the \fB"printing"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW depends on the setting of "printing ="\fP
-.IP
-\fBExample 1:\fP
-\f(CW lprm command = /usr/bin/lprm -P%p %j\fP
-.IP
-\fBExample 2:\fP
-\f(CW lprm command = /usr/bin/cancel %p-%j\fP
-.IP
-.IP "\fBmachine password timeout (G)\fP"
-.IP
-If a Samba server is a member of an Windows NT Domain (see the
-\fB"security=domain"\fP) parameter) then
-periodically a running \fBsmbd\fP process will try and
-change the \fBMACHINE ACCOUNT PASWORD\fP stored in the file called
-\f(CW<Domain>\&.<Machine>\&.mac\fP where \f(CW<Domain>\fP is the name of the
-Domain we are a member of and \f(CW<Machine>\fP is the primary
-\fB"NetBIOS name"\fP of the machine
-\fBsmbd\fP is running on\&. This parameter specifies how
-often this password will be changed, in seconds\&. The default is one
-week (expressed in seconds), the same as a Windows NT Domain member
-server\&.
-.IP
-See also \fBsmbpasswd (8)\fP, and the
-\fB"security=domain"\fP) parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW machine password timeout = 604800\fP
-.IP
-.IP "\fBmagic output (S)\fP"
-.IP
-This parameter specifies the name of a file which will contain output
-created by a magic script (see the \fB"magic
-script"\fP parameter below)\&.
-.IP
-Warning: If two clients use the same \fB"magic
-script"\fP in the same directory the output file content
-is undefined\&.
-.IP
-\fBDefault:\fP
-\f(CW magic output = <magic script name>\&.out\fP
-.IP
-\fBExample:\fP
-\f(CW magic output = myfile\&.txt\fP
-.IP
-.IP "\fBmagic script (S)\fP"
-.IP
-This parameter specifies the name of a file which, if opened, will be
-executed by the server when the file is closed\&. This allows a UNIX
-script to be sent to the Samba host and executed on behalf of the
-connected user\&.
-.IP
-Scripts executed in this way will be deleted upon completion,
-permissions permitting\&.
-.IP
-If the script generates output, output will be sent to the file
-specified by the \fB"magic output"\fP parameter (see
-above)\&.
-.IP
-Note that some shells are unable to interpret scripts containing
-carriage-return-linefeed instead of linefeed as the end-of-line
-marker\&. Magic scripts must be executable \fI"as is"\fP on the host,
-which for some hosts and some shells will require filtering at the DOS
-end\&.
-.IP
-Magic scripts are \fIEXPERIMENTAL\fP and should \fINOT\fP be relied upon\&.
-.IP
-\fBDefault:\fP
-\f(CW None\&. Magic scripts disabled\&.\fP
-.IP
-\fBExample:\fP
-\f(CW magic script = user\&.csh\fP
-.IP
-.IP "\fBmangle case (S)\fP"
-.IP
-See the section on \fB"NAME MANGLING"\fP\&.
-.IP
-.IP "\fBmangle locks (S)\fP"
-.IP
-This option is was introduced with Samba 2\&.0\&.4 and above and has been
-removed in Samba 2\&.0\&.6 as Samba now dynamically configures such things
-on 32 bit systems\&.
-.IP
-.IP "\fBmangled map (S)\fP"
-.IP
-This is for those who want to directly map UNIX file names which can
-not be represented on Windows/DOS\&. The mangling of names is not always
-what is needed\&. In particular you may have documents with file
-extensions that differ between DOS and UNIX\&. For example, under UNIX
-it is common to use \f(CW"\&.html"\fP for HTML files, whereas under
-Windows/DOS \f(CW"\&.htm"\fP is more commonly used\&.
-.IP
-So to map \f(CW"html"\fP to \f(CW"htm"\fP you would use:
-.IP
-\f(CW mangled map = (*\&.html *\&.htm)\fP
-.IP
-One very useful case is to remove the annoying \f(CW";1"\fP off the ends
-of filenames on some CDROMS (only visible under some UNIXs)\&. To do
-this use a map of (*;1 *)\&.
-.IP
-\fBdefault:\fP
-\f(CW no mangled map\fP
-.IP
-\fBExample:\fP
-\f(CW mangled map = (*;1 *)\fP
-.IP
-.IP "\fBmangled names (S)\fP"
-.IP
-This controls whether non-DOS names under UNIX should be mapped to
-DOS-compatible names ("mangled") and made visible, or whether non-DOS
-names should simply be ignored\&.
-.IP
-See the section on \fB"NAME MANGLING"\fP for details
-on how to control the mangling process\&.
-.IP
-If mangling is used then the mangling algorithm is as follows:
-.IP
-.IP
-.IP o
-The first (up to) five alphanumeric characters before the
-rightmost dot of the filename are preserved, forced to upper case, and
-appear as the first (up to) five characters of the mangled name\&.
-.IP
-.IP o
-A tilde \f(CW"~"\fP is appended to the first part of the mangled
-name, followed by a two-character unique sequence, based on the
-original root name (i\&.e\&., the original filename minus its final
-extension)\&. The final extension is included in the hash calculation
-only if it contains any upper case characters or is longer than three
-characters\&.
-.IP
-Note that the character to use may be specified using the
-\fB"mangling char"\fP option, if you don\'t like
-\f(CW\'~\'\fP\&.
-.IP
-.IP o
-The first three alphanumeric characters of the final extension
-are preserved, forced to upper case and appear as the extension of the
-mangled name\&. The final extension is defined as that part of the
-original filename after the rightmost dot\&. If there are no dots in the
-filename, the mangled name will have no extension (except in the case
-of \fB"hidden files"\fP - see below)\&.
-.IP
-.IP o
-Files whose UNIX name begins with a dot will be presented as DOS
-hidden files\&. The mangled name will be created as for other filenames,
-but with the leading dot removed and \f(CW"___"\fP as its extension regardless
-of actual original extension (that\'s three underscores)\&.
-.IP
-.IP
-The two-digit hash value consists of upper case alphanumeric
-characters\&.
-.IP
-This algorithm can cause name collisions only if files in a directory
-share the same first five alphanumeric characters\&. The probability of
-such a clash is 1/1300\&.
-.IP
-The name mangling (if enabled) allows a file to be copied between UNIX
-directories from Windows/DOS while retaining the long UNIX
-filename\&. UNIX files can be renamed to a new extension from
-Windows/DOS and will retain the same basename\&. Mangled names do not
-change between sessions\&.
-.IP
-\fBDefault:\fP
-\f(CW mangled names = yes\fP
-.IP
-\fBExample:\fP
-\f(CW mangled names = no\fP
-.IP
-.IP "\fBmangling char (S)\fP"
-.IP
-This controls what character is used as the \fI"magic"\fP character in
-\fBname mangling\fP\&. The default is a \f(CW\'~\'\fP but
-this may interfere with some software\&. Use this option to set it to
-whatever you prefer\&.
-.IP
-\fBDefault:\fP
-\f(CW mangling char = ~\fP
-.IP
-\fBExample:\fP
-\f(CW mangling char = ^\fP
-.IP
-.IP "\fBmangled stack (G)\fP"
-.IP
-This parameter controls the number of mangled names that should be
-cached in the Samba server \fBsmbd\fP\&.
-.IP
-This stack is a list of recently mangled base names (extensions are
-only maintained if they are longer than 3 characters or contains upper
-case characters)\&.
-.IP
-The larger this value, the more likely it is that mangled names can be
-successfully converted to correct long UNIX names\&. However, large
-stack sizes will slow most directory access\&. Smaller stacks save
-memory in the server (each stack element costs 256 bytes)\&.
-.IP
-It is not possible to absolutely guarantee correct long file names, so
-be prepared for some surprises!
-.IP
-\fBDefault:\fP
-\f(CW mangled stack = 50\fP
-.IP
-\fBExample:\fP
-\f(CW mangled stack = 100\fP
-.IP
-.IP "\fBmap archive (S)\fP"
-.IP
-This controls whether the DOS archive attribute should be mapped to
-the UNIX owner execute bit\&. The DOS archive bit is set when a file
-has been modified since its last backup\&. One motivation for this
-option it to keep Samba/your PC from making any file it touches from
-becoming executable under UNIX\&. This can be quite annoying for shared
-source code, documents, etc\&.\&.\&.
-.IP
-Note that this requires the \fB"create mask"\fP
-parameter to be set such that owner execute bit is not masked out
-(i\&.e\&. it must include 100)\&. See the parameter \fB"create
-mask"\fP for details\&.
-.IP
-\fBDefault:\fP
-\f(CW map archive = yes\fP
-.IP
-\fBExample:\fP
-\f(CW map archive = no\fP
-.IP
-.IP "\fBmap hidden (S)\fP"
-.IP
-This controls whether DOS style hidden files should be mapped to the
-UNIX world execute bit\&.
-.IP
-Note that this requires the \fB"create mask"\fP to be
-set such that the world execute bit is not masked out (i\&.e\&. it must
-include 001)\&. See the parameter \fB"create mask"\fP
-for details\&.
-.IP
-\fBDefault:\fP
-\f(CW map hidden = no\fP
-.IP
-\fBExample:\fP
-\f(CW map hidden = yes\fP
-.IP
-.IP "\fBmap system (S)\fP"
-.IP
-This controls whether DOS style system files should be mapped to the
-UNIX group execute bit\&.
-.IP
-Note that this requires the \fB"create mask"\fP to be
-set such that the group execute bit is not masked out (i\&.e\&. it must
-include 010)\&. See the parameter \fB"create mask"\fP
-for details\&.
-.IP
-\fBDefault:\fP
-\f(CW map system = no\fP
-.IP
-\fBExample:\fP
-\f(CW map system = yes\fP
-.IP
-.IP "\fBmap to guest (G)\fP"
-.IP
-This parameter is only useful in \fBsecurity\fP modes
-other than \fB"security=share"\fP - i\&.e\&. user,
-server, and domain\&.
-.IP
-This parameter can take three different values, which tell
-\fBsmbd\fP what to do with user login requests that
-don\'t match a valid UNIX user in some way\&.
-.IP
-The three settings are :
-.IP
-.IP
-.IP o
-\fB"Never"\fP - Means user login requests with an invalid password
-are rejected\&. This is the default\&.
-.IP
-.IP o
-\fB"Bad User"\fP - Means user logins with an invalid password are
-rejected, unless the username does not exist, in which case it is
-treated as a guest login and mapped into the \fB"guest
-account"\fP\&.
-.IP
-.IP o
-\fB"Bad Password"\fP - Means user logins with an invalid
-password are treated as a guest login and mapped into the
-\fB"guest account"\fP\&. Note that this can
-cause problems as it means that any user incorrectly typing their
-password will be silently logged on a \fB"guest"\fP - and
-will not know the reason they cannot access files they think
-they should - there will have been no message given to them
-that they got their password wrong\&. Helpdesk services will
-\fI*hate*\fP you if you set the \fB"map to guest"\fP parameter
-this way :-)\&.
-.IP
-.IP
-Note that this parameter is needed to set up \fB"Guest"\fP share
-services when using \fBsecurity\fP modes other than
-share\&. This is because in these modes the name of the resource being
-requested is \fI*not*\fP sent to the server until after the server has
-successfully authenticated the client so the server cannot make
-authentication decisions at the correct time (connection to the
-share) for \fB"Guest"\fP shares\&.
-.IP
-For people familiar with the older Samba releases, this parameter
-maps to the old compile-time setting of the GUEST_SESSSETUP value
-in local\&.h\&.
-.IP
-\fBDefault:\fP
-\f(CW map to guest = Never\fP
-\fBExample\fP:
-\f(CW map to guest = Bad User\fP
-.IP
-.IP "\fBmax connections (S)\fP"
-.IP
-This option allows the number of simultaneous connections to a service
-to be limited\&. If \fB"max connections"\fP is greater than 0 then
-connections will be refused if this number of connections to the
-service are already open\&. A value of zero mean an unlimited number of
-connections may be made\&.
-.IP
-Record lock files are used to implement this feature\&. The lock files
-will be stored in the directory specified by the \fB"lock
-directory"\fP option\&.
-.IP
-\fBDefault:\fP
-\f(CW max connections = 0\fP
-.IP
-\fBExample:\fP
-\f(CW max connections = 10\fP
-.IP
-.IP "\fBmax disk size (G)\fP"
-.IP
-This option allows you to put an upper limit on the apparent size of
-disks\&. If you set this option to 100 then all shares will appear to be
-not larger than 100 MB in size\&.
-.IP
-Note that this option does not limit the amount of data you can put on
-the disk\&. In the above case you could still store much more than 100
-MB on the disk, but if a client ever asks for the amount of free disk
-space or the total disk size then the result will be bounded by the
-amount specified in \fB"max disk size"\fP\&.
-.IP
-This option is primarily useful to work around bugs in some pieces of
-software that can\'t handle very large disks, particularly disks over
-1GB in size\&.
-.IP
-A \fB"max disk size"\fP of 0 means no limit\&.
-.IP
-\fBDefault:\fP
-\f(CW max disk size = 0\fP
-.IP
-\fBExample:\fP
-\f(CW max disk size = 1000\fP
-.IP
-.IP "\fBmax log size (G)\fP"
-.IP
-This option (an integer in kilobytes) specifies the max size the log
-file should grow to\&. Samba periodically checks the size and if it is
-exceeded it will rename the file, adding a \f(CW"\&.old"\fP extension\&.
-.IP
-A size of 0 means no limit\&.
-.IP
-\fBDefault:\fP
-\f(CW max log size = 5000\fP
-.IP
-\fBExample:\fP
-\f(CW max log size = 1000\fP
-.IP
-.IP "\fBmax mux (G)\fP"
-.IP
-This option controls the maximum number of outstanding simultaneous
-SMB operations that samba tells the client it will allow\&. You should
-never need to set this parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW max mux = 50\fP
-.IP
-.IP "\fBmax open files (G)\fP"
-.IP
-This parameter limits the maximum number of open files that one
-\fBsmbd\fP file serving process may have open for
-a client at any one time\&. The default for this parameter is set
-very high (10,000) as Samba uses only one bit per unopened file\&.
-.IP
-The limit of the number of open files is usually set by the
-UNIX per-process file descriptor limit rather than this parameter
-so you should never need to touch this parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW max open files = 10000\fP
-.IP
-.IP "\fBmax packet (G)\fP"
-.IP
-Synonym for \fB"packet size"\fP\&.
-.IP
-.IP "\fBmax ttl (G)\fP"
-.IP
-This option tells \fBnmbd\fP what the default \'time
-to live\' of NetBIOS names should be (in seconds) when
-\fBnmbd\fP is requesting a name using either a
-broadcast packet or from a WINS server\&. You should never need to
-change this parameter\&. The default is 3 days\&.
-.IP
-\fBDefault:\fP
-\f(CW max ttl = 259200\fP
-.IP
-.IP "\fBmax wins ttl (G)\fP"
-.IP
-This option tells \fBnmbd\fP when acting as a WINS
-server \fB(wins support =true)\fP what the maximum
-\'time to live\' of NetBIOS names that \fBnmbd\fP will
-grant will be (in seconds)\&. You should never need to change this
-parameter\&. The default is 6 days (518400 seconds)\&.
-.IP
-See also the \fB"min wins ttl"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW max wins ttl = 518400\fP
-.IP
-.IP "\fBmax xmit (G)\fP"
-.IP
-This option controls the maximum packet size that will be negotiated
-by Samba\&. The default is 65535, which is the maximum\&. In some cases
-you may find you get better performance with a smaller value\&. A value
-below 2048 is likely to cause problems\&.
-.IP
-\fBDefault:\fP
-\f(CW max xmit = 65535\fP
-.IP
-\fBExample:\fP
-\f(CW max xmit = 8192\fP
-.IP
-.IP "\fBmessage command (G)\fP"
-.IP
-This specifies what command to run when the server receives a WinPopup
-style message\&.
-.IP
-This would normally be a command that would deliver the message
-somehow\&. How this is to be done is up to your imagination\&.
-.IP
-An example is:
-.IP
-\f(CW message command = csh -c \'xedit %s;rm %s\' &\fP
-.IP
-This delivers the message using \fBxedit\fP, then removes it
-afterwards\&. \fINOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
-IMMEDIATELY\fP\&. That\'s why I have the \f(CW\'&\'\fP on the end\&. If it doesn\'t
-return immediately then your PCs may freeze when sending messages
-(they should recover after 30secs, hopefully)\&.
-.IP
-All messages are delivered as the global guest user\&. The command takes
-the standard substitutions, although \fB%u\fP won\'t work
-(\fB%U\fP may be better in this case)\&.
-.IP
-Apart from the standard substitutions, some additional ones apply\&. In
-particular:
-.IP
-.IP
-.IP o
-\f(CW"%s"\fP = the filename containing the message\&.
-.IP
-.IP o
-\f(CW"%t"\fP = the destination that the message was sent to (probably the server
-name)\&.
-.IP
-.IP o
-\f(CW"%f"\fP = who the message is from\&.
-.IP
-.IP
-You could make this command send mail, or whatever else takes your
-fancy\&. Please let us know of any really interesting ideas you have\&.
-.IP
-Here\'s a way of sending the messages as mail to root:
-.IP
-\f(CWmessage command = /bin/mail -s \'message from %f on %m\' root < %s; rm %s\fP
-.IP
-If you don\'t have a message command then the message won\'t be
-delivered and Samba will tell the sender there was an
-error\&. Unfortunately WfWg totally ignores the error code and carries
-on regardless, saying that the message was delivered\&.
-.IP
-If you want to silently delete it then try:
-.IP
-\f(CW"message command = rm %s"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW no message command\fP
-.IP
-\fBExample:\fP
-\f(CW message command = csh -c \'xedit %s;rm %s\' &\fP
-.IP
-.IP "\fBmin print space (S)\fP"
-.IP
-This sets the minimum amount of free disk space that must be available
-before a user will be able to spool a print job\&. It is specified in
-kilobytes\&. The default is 0, which means a user can always spool a print
-job\&.
-.IP
-See also the \fBprinting\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW min print space = 0\fP
-.IP
-\fBExample:\fP
-\f(CW min print space = 2000\fP
-.IP
-.IP "\fBmin passwd length (G)\fP"
-.IP
-Synonym for \fB"min password length"\fP\&.
-.IP
-.IP "\fBmin password length (G)\fP"
-.IP
-This option sets the minimum length in characters of a plaintext password
-than smbd will accept when performing UNIX password changing\&.
-.IP
-See also \fB"unix password sync"\fP,
-\fB"passwd program"\fP and \fB"passwd chat
-debug"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW min password length = 5\fP
-.IP
-.IP "\fBmin wins ttl (G)\fP"
-.IP
-This option tells \fBnmbd\fP when acting as a WINS
-server \fB(wins support = true)\fP what the minimum
-\'time to live\' of NetBIOS names that \fBnmbd\fP will
-grant will be (in seconds)\&. You should never need to change this
-parameter\&. The default is 6 hours (21600 seconds)\&.
-.IP
-\fBDefault:\fP
-\f(CW min wins ttl = 21600\fP
-.IP
-.IP "\fBname resolve order (G)\fP"
-.IP
-This option is used by the programs in the Samba suite to determine
-what naming services and in what order to resolve host names to IP
-addresses\&. The option takes a space separated string of different name
-resolution options\&.
-.IP
-The options are :"lmhosts", "host", "wins" and "bcast"\&. They cause
-names to be resolved as follows :
-.IP
-.IP
-.IP o
-\fBlmhosts\fP : Lookup an IP address in the Samba lmhosts file\&.
-If the line in lmhosts has no name type attached to the NetBIOS
-name (see the \fBlmhosts (5)\fP for details) then
-any name type matches for lookup\&.
-.IP
-.IP o
-\fBhost\fP : Do a standard host name to IP address resolution,
-using the system /etc/hosts, NIS, or DNS lookups\&. This method of name
-resolution is operating system depended for instance on IRIX or
-Solaris this may be controlled by the \fI/etc/nsswitch\&.conf\fP file)\&.
-Note that this method is only used if the NetBIOS name type being
-queried is the 0x20 (server) name type, otherwise it is ignored\&.
-.IP
-.IP o
-\fBwins\fP : Query a name with the IP address listed in the
-\fBwins server\fP parameter\&. If no WINS server has
-been specified this method will be ignored\&.
-.IP
-.IP o
-\fBbcast\fP : Do a broadcast on each of the known local interfaces
-listed in the \fBinterfaces\fP parameter\&. This is the
-least reliable of the name resolution methods as it depends on the
-target host being on a locally connected subnet\&.
-.IP
-.IP
-\fBDefault:\fP
-\f(CW name resolve order = lmhosts host wins bcast\fP
-.IP
-\fBExample:\fP
-\f(CW name resolve order = lmhosts bcast host\fP
-.IP
-This will cause the local lmhosts file to be examined first, followed
-by a broadcast attempt, followed by a normal system hostname lookup\&.
-.IP
-.IP "\fBnetbios aliases (G)\fP"
-.IP
-This is a list of NetBIOS names that \fBnmbd\fP will
-advertise as additional names by which the Samba server is known\&. This
-allows one machine to appear in browse lists under multiple names\&. If
-a machine is acting as a \fBbrowse server\fP or
-\fBlogon server\fP none of these names will be
-advertised as either browse server or logon servers, only the primary
-name of the machine will be advertised with these capabilities\&.
-.IP
-See also \fB"netbios name"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW empty string (no additional names)\fP
-.IP
-\fBExample:\fP
-\f(CW netbios aliases = TEST TEST1 TEST2\fP
-.IP
-.IP "\fBnetbios name (G)\fP"
-.IP
-This sets the NetBIOS name by which a Samba server is known\&. By
-default it is the same as the first component of the host\'s DNS name\&.
-If a machine is a \fBbrowse server\fP or
-\fBlogon server\fP this name (or the first component
-of the hosts DNS name) will be the name that these services are
-advertised under\&.
-.IP
-See also \fB"netbios aliases"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW Machine DNS name\&.\fP
-.IP
-\fBExample:\fP
-\f(CW netbios name = MYNAME\fP
-.IP
-.IP "\fBnetbios scope (G)\fP"
-.IP
-This sets the NetBIOS scope that Samba will operate under\&. This should
-not be set unless every machine on your LAN also sets this value\&.
-.IP
-.IP "\fBnis homedir (G)\fP"
-.IP
-Get the home share server from a NIS map\&. For UNIX systems that use an
-automounter, the user\'s home directory will often be mounted on a
-workstation on demand from a remote server\&.
-.IP
-When the Samba logon server is not the actual home directory server,
-but is mounting the home directories via NFS then two network hops
-would be required to access the users home directory if the logon
-server told the client to use itself as the SMB server for home
-directories (one over SMB and one over NFS)\&. This can be very
-slow\&.
-.IP
-This option allows Samba to return the home share as being on a
-different server to the logon server and as long as a Samba daemon is
-running on the home directory server, it will be mounted on the Samba
-client directly from the directory server\&. When Samba is returning the
-home share to the client, it will consult the NIS map specified in
-\fB"homedir map"\fP and return the server listed
-there\&.
-.IP
-Note that for this option to work there must be a working NIS
-system and the Samba server with this option must also be a
-\fBlogon server\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW nis homedir = false\fP
-.IP
-\fBExample:\fP
-\f(CW nis homedir = true\fP
-.IP
-.IP "\fBnt acl support (G)\fP"
-.IP
-This boolean parameter controls whether \fBsmbd\fP
-will attempt to map UNIX permissions into Windows NT access control lists\&.
-.IP
-\fBDefault:\fP
-\f(CW nt acl support = yes\fP
-.IP
-\fBExample:\fP
-\f(CW nt acl support = no\fP
-.IP
-.IP "\fBnt pipe support (G)\fP"
-.IP
-This boolean parameter controls whether \fBsmbd\fP
-will allow Windows NT clients to connect to the NT SMB specific
-\f(CWIPC$\fP pipes\&. This is a developer debugging option and can be left
-alone\&.
-.IP
-\fBDefault:\fP
-\f(CW nt pipe support = yes\fP
-.IP
-.IP "\fBnt smb support (G)\fP"
-.IP
-This boolean parameter controls whether \fBsmbd\fP
-will negotiate NT specific SMB support with Windows NT
-clients\&. Although this is a developer debugging option and should be
-left alone, benchmarking has discovered that Windows NT clients give
-faster performance with this option set to \f(CW"no"\fP\&. This is still
-being investigated\&. If this option is set to \f(CW"no"\fP then Samba
-offers exactly the same SMB calls that versions prior to Samba2\&.0
-offered\&. This information may be of use if any users are having
-problems with NT SMB support\&.
-.IP
-\fBDefault:\fP
-\f(CW nt support = yes\fP
-.IP
-.IP "\fBnull passwords (G)\fP"
-.IP
-Allow or disallow client access to accounts that have null passwords\&.
-.IP
-See also \fBsmbpasswd (5)\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW null passwords = no\fP
-.IP
-\fBExample:\fP
-\f(CW null passwords = yes\fP
-.IP
-.IP "\fBole locking compatibility (G)\fP"
-.IP
-This parameter allows an administrator to turn off the byte range lock
-manipulation that is done within Samba to give compatibility for OLE
-applications\&. Windows OLE applications use byte range locking as a
-form of inter-process communication, by locking ranges of bytes around
-the 2^32 region of a file range\&. This can cause certain UNIX lock
-managers to crash or otherwise cause problems\&. Setting this parameter
-to \f(CW"no"\fP means you trust your UNIX lock manager to handle such cases
-correctly\&.
-.IP
-\fBDefault:\fP
-\f(CW ole locking compatibility = yes\fP
-.IP
-\fBExample:\fP
-\f(CW ole locking compatibility = no\fP
-.IP
-.IP "\fBonly guest (S)\fP"
-.IP
-A synonym for \fB"guest only"\fP\&.
-.IP
-.IP "\fBonly user (S)\fP"
-.IP
-This is a boolean option that controls whether connections with
-usernames not in the \fBuser=\fP list will be allowed\&. By
-default this option is disabled so a client can supply a username to
-be used by the server\&.
-.IP
-Note that this also means Samba won\'t try to deduce usernames from the
-service name\&. This can be annoying for the \fB[homes]\fP
-section\&. To get around this you could use "\fBuser\fP =
-\fB%S\fP" which means your \fB"user"\fP list
-will be just the service name, which for home directories is the name
-of the user\&.
-.IP
-See also the \fBuser\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW only user = False\fP
-.IP
-\fBExample:\fP
-\f(CW only user = True\fP
-.IP
-.IP "\fBoplocks (S)\fP"
-.IP
-This boolean option tells smbd whether to issue oplocks (opportunistic
-locks) to file open requests on this share\&. The oplock code can
-dramatically (approx\&. 30% or more) improve the speed of access to files
-on Samba servers\&. It allows the clients to aggressively cache files
-locally and you may want to disable this option for unreliable network
-environments (it is turned on by default in Windows NT Servers)\&. For
-more information see the file Speed\&.txt in the Samba docs/ directory\&.
-.IP
-Oplocks may be selectively turned off on certain files on a per share basis\&.
-See the \'veto oplock files\' parameter\&. On some systems oplocks are recognized
-by the underlying operating system\&. This allows data synchronization between
-all access to oplocked files, whether it be via Samba or NFS or a local
-UNIX process\&. See the \fBkernel oplocks\fP parameter
-for details\&.
-.IP
-See also the \fB"kernel oplocks"\fP and
-\fB"level2 oplocks"\fP parameters\&.
-.IP
-\fBDefault:\fP
-\f(CW oplocks = True\fP
-.IP
-\fBExample:\fP
-\f(CW oplocks = False\fP
-.IP
-.IP "\fBoplock break wait time (G)\fP"
-.IP
-This is a tuning parameter added due to bugs in both Windows 9x and WinNT\&.
-If Samba responds to a client too quickly when that client issues an SMB that
-can cause an oplock break request, then the client redirector can fail and
-not respond to the break request\&. This tuning parameter (which is set in
-milliseconds) is the amount of time Samba will wait before sending an
-oplock break request to such (broken) clients\&.
-.IP
-\fIDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA
-OPLOCK CODE\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW oplock break wait time = 10\fP
-.IP
-.IP "\fBoplock contention limit (S)\fP"
-.IP
-This is a \fIvery\fP advanced \fBsmbd\fP tuning option to improve
-the efficiency of the granting of oplocks under multiple client contention for the same file\&.
-.IP
-In brief it specifies a number, which causes smbd not to grant an oplock even
-when requested if the approximate number of clients contending for an oplock on
-the same file goes over this limit\&. This causes \fBsmbd\fP to
-behave in a similar way to Windows NT\&.
-.IP
-\fIDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA
-OPLOCK CODE\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW oplock contention limit = 2\fP
-.IP
-.IP "\fBos level (G)\fP"
-.IP
-This integer value controls what level Samba advertises itself as for
-browse elections\&. The value of this parameter determines whether
-\fBnmbd\fP has a chance of becoming a local master
-browser for the \fBWORKGROUP\fP in the local broadcast
-area\&. The default is zero, which means \fBnmbd\fP will
-lose elections to Windows machines\&. See BROWSING\&.txt in the Samba
-docs/ directory for details\&.
-.IP
-\fBDefault:\fP
-\f(CW os level = 20\fP
-.IP
-\fBExample:\fP
-\f(CW os level = 65 ; This will win against any NT Server\fP
-.IP
-.IP "\fBpacket size (G)\fP"
-.IP
-This is a deprecated parameter that has no effect on the current
-Samba code\&. It is left in the parameter list to prevent breaking
-old \fBsmb\&.conf\fP files\&.
-.IP
-.IP "\fBpanic action (G)\fP"
-.IP
-This is a Samba developer option that allows a system command to be
-called when either \fBsmbd\fP or
-\fBnmbd\fP crashes\&. This is usually used to draw
-attention to the fact that a problem occurred\&.
-.IP
-\fBDefault:\fP
-\f(CW panic action = <empty string>\fP
-.IP
-.IP "\fBpasswd chat (G)\fP"
-.IP
-This string controls the \fI"chat"\fP conversation that takes places
-between \fBsmbd\fP and the local password changing
-program to change the users password\&. The string describes a sequence
-of response-receive pairs that \fBsmbd\fP uses to
-determine what to send to the \fBpasswd\fP program
-and what to expect back\&. If the expected output is not received then
-the password is not changed\&.
-.IP
-This chat sequence is often quite site specific, depending on what
-local methods are used for password control (such as NIS etc)\&.
-.IP
-The string can contain the macros \f(CW"%o"\fP and \f(CW"%n"\fP which are
-substituted for the old and new passwords respectively\&. It can also
-contain the standard macros \f(CW"\en"\fP, \f(CW"\er"\fP, \f(CW"\et"\fP and \f(CW"\es"\fP
-to give line-feed, carriage-return, tab and space\&.
-.IP
-The string can also contain a \f(CW\'*\'\fP which matches any sequence of
-characters\&.
-.IP
-Double quotes can be used to collect strings with spaces in them into
-a single string\&.
-.IP
-If the send string in any part of the chat sequence is a fullstop
-\f(CW"\&."\fP then no string is sent\&. Similarly, is the expect string is a
-fullstop then no string is expected\&.
-.IP
-Note that if the \fB"unix password sync"\fP
-parameter is set to true, then this sequence is called \fI*AS ROOT*\fP
-when the SMB password in the smbpasswd file is being changed, without
-access to the old password cleartext\&. In this case the old password
-cleartext is set to \f(CW""\fP (the empty string)\&.
-.IP
-See also \fB"unix password sync"\fP,
-\fB"passwd program"\fP and \fB"passwd chat
-debug"\fP\&.
-.IP
-\fBExample:\fP
-
-.nf
-
- passwd chat = "*Enter OLD password*" %o\en "*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"
+Default: \fBserver string = Samba %v\fR
-.fi
-
+Example: \fBserver string = University of GNUs Samba
+Server\fR
+.TP
+\fBset directory (S)\fR
+If \fBset directory = no\fR, then
+users of the service may not use the setdir command to change
+directory.
-.IP
-\fBDefault:\fP
+The \fBsetdir\fR command is only implemented
+in the Digital Pathworks client. See the Pathworks documentation
+for details.
-.nf
-
- passwd chat = *old*password* %o\en *new*password* %n\en *new*password* %n\en *changed*
-.fi
-
+Default: \fBset directory = no\fR
+.TP
+\fBshare modes (S)\fR
+This enables or disables the honoring of
+the \fIshare modes\fR during a file open. These
+modes are used by clients to gain exclusive read or write access
+to a file.
-.IP
-.IP "\fBpasswd chat debug (G)\fP"
-.IP
-This boolean specifies if the passwd chat script parameter is run in
-\f(CW"debug"\fP mode\&. In this mode the strings passed to and received from
-the passwd chat are printed in the \fBsmbd\fP log with
-a \fB"debug level"\fP of 100\&. This is a dangerous
-option as it will allow plaintext passwords to be seen in the
-\fBsmbd\fP log\&. It is available to help Samba admins
-debug their \fB"passwd chat"\fP scripts when calling
-the \fB"passwd program"\fP and should be turned off
-after this has been done\&. This parameter is off by default\&.
-.IP
-See also \fB"passwd chat"\fP, \fB"passwd
-program"\fP\&.
-.IP
-\fBExample:\fP
-\f(CW passwd chat debug = True\fP
-.IP
-\fBDefault:\fP
-\f(CW passwd chat debug = False\fP
-.IP
-.IP "\fBpasswd program (G)\fP"
-.IP
-The name of a program that can be used to set UNIX user passwords\&.
-Any occurrences of \fB%u\fP will be replaced with the
-user name\&. The user name is checked for existence before calling the
-password changing program\&.
-.IP
-Also note that many passwd programs insist in \fI"reasonable"\fP
-passwords, such as a minimum length, or the inclusion of mixed case
-chars and digits\&. This can pose a problem as some clients (such as
-Windows for Workgroups) uppercase the password before sending it\&.
-.IP
-\fINote\fP that if the \fB"unix password sync"\fP
-parameter is set to \f(CW"True"\fP then this program is called \fI*AS
-ROOT*\fP before the SMB password in the
-\fBsmbpasswd\fP file is changed\&. If this UNIX
-password change fails, then \fBsmbd\fP will fail to
-change the SMB password also (this is by design)\&.
-.IP
-If the \fB"unix password sync"\fP parameter is
-set this parameter \fIMUST USE ABSOLUTE PATHS\fP for \fIALL\fP programs
-called, and must be examined for security implications\&. Note that by
-default \fB"unix password sync"\fP is set to
-\f(CW"False"\fP\&.
-.IP
-See also \fB"unix password sync"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW passwd program = /bin/passwd\fP
-.IP
-\fBExample:\fP
-\f(CW passwd program = /sbin/passwd %u\fP
-.IP
-.IP "\fBpassword level (G)\fP"
-.IP
-Some client/server combinations have difficulty with mixed-case
-passwords\&. One offending client is Windows for Workgroups, which for
-some reason forces passwords to upper case when using the LANMAN1
-protocol, but leaves them alone when using COREPLUS!
-.IP
-This parameter defines the maximum number of characters that may be
-upper case in passwords\&.
-.IP
-For example, say the password given was \f(CW"FRED"\fP\&. If \fBpassword
-level\fP is set to 1, the following combinations would be tried if
-\f(CW"FRED"\fP failed:
-.IP
-\f(CW"Fred"\fP, \f(CW"fred"\fP, \f(CW"fRed"\fP, \f(CW"frEd"\fP, \f(CW"freD"\fP
-.IP
-If \fBpassword level\fP was set to 2, the following combinations would
-also be tried:
-.IP
-\f(CW"FRed"\fP, \f(CW"FrEd"\fP, \f(CW"FreD"\fP, \f(CW"fREd"\fP, \f(CW"fReD"\fP,
-\f(CW"frED"\fP, \f(CW\&.\&.\fP
-.IP
-And so on\&.
-.IP
-The higher value this parameter is set to the more likely it is that a
-mixed case password will be matched against a single case
-password\&. However, you should be aware that use of this parameter
-reduces security and increases the time taken to process a new
-connection\&.
-.IP
-A value of zero will cause only two attempts to be made - the password
-as is and the password in all-lower case\&.
-.IP
-\fBDefault:\fP
-\f(CW password level = 0\fP
-.IP
-\fBExample:\fP
-\f(CW password level = 4\fP
-.IP
-.IP "\fBpassword server (G)\fP"
-.IP
-By specifying the name of another SMB server (such as a WinNT box)
-with this option, and using \fB"security = domain"\fP or
-\fB"security = server"\fP you can get Samba to do all
-its username/password validation via a remote server\&.
-.IP
-This options sets the name of the password server to use\&. It must be a
-NetBIOS name, so if the machine\'s NetBIOS name is different from its
-internet name then you may have to add its NetBIOS name to the lmhosts
-file which is stored in the same directory as the \fBsmb\&.conf\fP file\&.
-.IP
-The name of the password server is looked up using the parameter
-\fB"name resolve order="\fP and so may resolved
-by any method and order described in that parameter\&.
-.IP
-The password server much be a machine capable of using the "LM1\&.2X002"
-or the "LM NT 0\&.12" protocol, and it must be in user level security
-mode\&.
-.IP
-NOTE: Using a password server means your UNIX box (running Samba) is
-only as secure as your password server\&. \fIDO NOT CHOOSE A PASSWORD
-SERVER THAT YOU DON\'T COMPLETELY TRUST\fP\&.
-.IP
-Never point a Samba server at itself for password serving\&. This will
-cause a loop and could lock up your Samba server!
-.IP
-The name of the password server takes the standard substitutions, but
-probably the only useful one is \fB%m\fP, which means
-the Samba server will use the incoming client as the password
-server\&. If you use this then you better trust your clients, and you
-better restrict them with hosts allow!
-.IP
-If the \fB"security"\fP parameter is set to
-\fB"domain"\fP, then the list of machines in this option must be a list
-of Primary or Backup Domain controllers for the
-\fBDomain\fP or the character \f(CW*\fP, as the Samba server is cryptographicly
-in that domain, and will use cryptographicly authenticated RPC calls
-to authenticate the user logging on\&. The advantage of using
-\fB"security=domain"\fP is that if you list
-several hosts in the \fB"password server"\fP option then
-\fBsmbd\fP will try each in turn till it finds one
-that responds\&. This is useful in case your primary server goes down\&.
-.IP
-If the \fB"password server"\fP option is set to the character \f(CW*\fP,
-then Samba will attempt to auto-locate the Primary or Backup Domain controllers
-to authenticate against by doing a query for the name \f(CWWORKGROUP<1C>\fP
-and then contacting each server returned in the list of IP addresses
-from the \fBname resolution\fP source\&.
-.IP
-If the \fB"security"\fP parameter is set to
-\fB"server"\fP, then there are different
-restrictions that \fB"security=domain"\fP
-doesn\'t suffer from:
-.IP
-.IP
-.IP o
-You may list several password servers in the \fB"password server"\fP
-parameter, however if an \fBsmbd\fP makes a connection
-to a password server, and then the password server fails, no more
-users will be able to be authenticated from this
-\fBsmbd\fP\&. This is a restriction of the SMB/CIFS
-protocol when in \fB"security=server"\fP mode
-and cannot be fixed in Samba\&.
-.IP
-.IP o
-If you are using a Windows NT server as your password server then
-you will have to ensure that your users are able to login from the
-Samba server, as when in
-\fB"security=server"\fP mode the network
-logon will appear to come from there rather than from the users
-workstation\&.
-.IP
-.IP
-See also the \fB"security"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW password server = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW password server = NT-PDC, NT-BDC1, NT-BDC2\fP
-.IP
-\fBExample:\fP
-\f(CW password server = *\fP
-.IP
-.IP "\fBpath (S)\fP"
-.IP
-This parameter specifies a directory to which the user of the service
-is to be given access\&. In the case of printable services, this is
-where print data will spool prior to being submitted to the host for
-printing\&.
-.IP
-For a printable service offering guest access, the service should be
-readonly and the path should be world-writeable and have the sticky bit
-set\&. This is not mandatory of course, but you probably won\'t get the
-results you expect if you do otherwise\&.
-.IP
-Any occurrences of \fB%u\fP in the path will be replaced
-with the UNIX username that the client is using on this
-connection\&. Any occurrences of \fB%m\fP will be replaced
-by the NetBIOS name of the machine they are connecting from\&. These
-replacements are very useful for setting up pseudo home directories
-for users\&.
-.IP
-Note that this path will be based on \fB"root dir"\fP if
-one was specified\&.
-.IP
-\fBDefault:\fP
-\f(CW none\fP
-.IP
-\fBExample:\fP
-\f(CW path = /home/fred\fP
-.IP
-.IP "\fBpostexec (S)\fP"
-.IP
-This option specifies a command to be run whenever the service is
-disconnected\&. It takes the usual substitutions\&. The command may be run
-as the root on some systems\&.
-.IP
-An interesting example may be do unmount server resources:
-.IP
-\f(CWpostexec = /etc/umount /cdrom\fP
-.IP
-See also \fBpreexec\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW none (no command executed)\fP
-.IP
-\fBExample:\fP
-\f(CW postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log\fP
-.IP
-.IP "\fBpostscript (S)\fP"
-.IP
-This parameter forces a printer to interpret the print files as
-postscript\&. This is done by adding a \f(CW%!\fP to the start of print output\&.
-.IP
-This is most useful when you have lots of PCs that persist in putting
-a control-D at the start of print jobs, which then confuses your
-printer\&.
-.IP
-\fBDefault:\fP
-\f(CW postscript = False\fP
-.IP
-\fBExample:\fP
-\f(CW postscript = True\fP
-.IP
-.IP "\fBpreexec (S)\fP"
-.IP
-This option specifies a command to be run whenever the service is
-connected to\&. It takes the usual substitutions\&.
-.IP
-An interesting example is to send the users a welcome message every
-time they log in\&. Maybe a message of the day? Here is an example:
-.IP
-
-.nf
-
+These open modes are not directly supported by UNIX, so
+they are simulated using shared memory, or lock files if your
+UNIX doesn't support shared memory (almost all do).
- preexec = csh -c \'echo \e"Welcome to %S!\e" | /usr/local/samba/bin/smbclient -M %m -I %I\' &
+The share modes that are enabled by this option are
+DENY_DOS, DENY_ALL,
+DENY_READ, DENY_WRITE,
+DENY_NONE and DENY_FCB.
-.fi
-
+This option gives full share compatibility and enabled
+by default.
-.IP
-Of course, this could get annoying after a while :-)
-.IP
-See also \fBpreexec close\fP and \fBpostexec\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW none (no command executed)\fP
-.IP
-\fBExample:\fP
-\f(CW preexec = echo \e"%u connected to %S from %m (%I)\e" >> /tmp/log\fP
-.IP
-.IP "\fBpreexec close (S)\fP"
-.IP
-This boolean option controls whether a non-zero return code from
-\fB"preexec"\fP should close the service being connected to\&.
-.IP
-\fBDefault:\fP
-\f(CW preexec close = no\fP
-.IP
-\fBExample:\fP
-\f(CW preexec close = yes\fP
-.IP
-.IP "\fBpreferred master (G)\fP"
-.IP
-This boolean parameter controls if \fBnmbd\fP is a
-preferred master browser for its workgroup\&.
-.IP
-If this is set to true, on startup, \fBnmbd\fP will
-force an election, and it will have a slight advantage in winning the
-election\&. It is recommended that this parameter is used in
-conjunction with \fB"domain master = yes"\fP, so
-that \fBnmbd\fP can guarantee becoming a domain
-master\&.
-.IP
-Use this option with caution, because if there are several hosts
-(whether Samba servers, Windows 95 or NT) that are preferred master
-browsers on the same subnet, they will each periodically and
-continuously attempt to become the local master browser\&. This will
-result in unnecessary broadcast traffic and reduced browsing
-capabilities\&.
-.IP
-See also \fBos level\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW preferred master = no\fP
-.IP
-\fBExample:\fP
-\f(CW preferred master = yes\fP
-.IP
-.IP "\fBprefered master (G)\fP"
-.IP
-Synonym for \fB"preferred master"\fP for people
-who cannot spell :-)\&.
-.IP
-.IP "\fBpreload\fP"
-Synonym for \fB"auto services"\fP\&.
-.IP
-.IP "\fBpreserve case (S)\fP"
-.IP
-This controls if new filenames are created with the case that the
-client passes, or if they are forced to be the \f(CW"default"\fP case\&.
-.IP
-\fBDefault:\fP
-\f(CW preserve case = yes\fP
-.IP
-See the section on \fB"NAME MANGLING"\fP for a
-fuller discussion\&.
-.IP
-.IP "\fBprint command (S)\fP"
-.IP
-After a print job has finished spooling to a service, this command
-will be used via a \f(CWsystem()\fP call to process the spool
-file\&. Typically the command specified will submit the spool file to
-the host\'s printing subsystem, but there is no requirement that this
-be the case\&. The server will not remove the spool file, so whatever
-command you specify should remove the spool file when it has been
-processed, otherwise you will need to manually remove old spool files\&.
-.IP
-The print command is simply a text string\&. It will be used verbatim,
-with two exceptions: All occurrences of \f(CW"%s"\fP and \f(CW"%f"\fP will be
-replaced by the appropriate spool file name, and all occurrences of
-\f(CW"%p"\fP will be replaced by the appropriate printer name\&. The spool
-file name is generated automatically by the server, the printer name
-is discussed below\&.
-.IP
-The print command \fIMUST\fP contain at least one occurrence of \f(CW"%s"\fP
-or \f(CW"%f"\fP - the \f(CW"%p"\fP is optional\&. At the time a job is
-submitted, if no printer name is supplied the \f(CW"%p"\fP will be
-silently removed from the printer command\&.
-.IP
-If specified in the \fB"[global]"\fP section, the print
-command given will be used for any printable service that does not
-have its own print command specified\&.
-.IP
-If there is neither a specified print command for a printable service
-nor a global print command, spool files will be created but not
-processed and (most importantly) not removed\&.
-.IP
-Note that printing may fail on some UNIXs from the \f(CW"nobody"\fP
-account\&. If this happens then create an alternative guest account that
-can print and set the \fB"guest account"\fP in the
-\fB"[global]"\fP section\&.
-.IP
-You can form quite complex print commands by realizing that they are
-just passed to a shell\&. For example the following will log a print
-job, print the file, then remove it\&. Note that \f(CW\';\'\fP is the usual
-separator for command in shell scripts\&.
-.IP
-\f(CWprint command = echo Printing %s >> /tmp/print\&.log; lpr -P %p %s; rm %s\fP
-.IP
-You may have to vary this command considerably depending on how you
-normally print files on your system\&. The default for the parameter
-varies depending on the setting of the \fB"printing="\fP
-parameter\&.
-.IP
-\fBDefault:\fP
-For \fB"printing="\fP BSD, AIX, QNX, LPRNG or PLP :
-\f(CW print command = lpr -r -P%p %s\fP
-.IP
-For \fB"printing="\fP SYS or HPUX :
-\f(CW print command = lp -c -d%p %s; rm %s\fP
-.IP
-For \fB"printing="\fP SOFTQ :
-\f(CW print command = lp -d%p -s %s; rm %s\fP
-.IP
-\fBExample:\fP
-\f(CW print command = /usr/local/samba/bin/myprintscript %p %s\fP
-.IP
-.IP "\fBprint ok (S)\fP"
-.IP
-Synonym for \fBprintable\fP\&.
-.IP
-.IP "\fBprintable (S)\fP"
-.IP
-If this parameter is \f(CW"yes"\fP, then clients may open, write to and
-submit spool files on the directory specified for the service\&.
-.IP
-Note that a printable service will ALWAYS allow writing to the service
-path (user privileges permitting) via the spooling of print data\&. The
-\fB"writeable"\fP parameter controls only non-printing
-access to the resource\&.
-.IP
-\fBDefault:\fP
-\f(CW printable = no\fP
-.IP
-\fBExample:\fP
-\f(CW printable = yes\fP
-.IP
-.IP "\fBprintcap (G)\fP"
-.IP
-Synonym for \fBprintcapname\fP\&.
-.IP
-.IP "\fBprinter admin (S)\fP"
-.IP
-This is a list of users that can do anything to printers via the
-remote administration interfaces offered by MSRPC (usually using a NT
-workstation)\&. Note that the root user always has admin rights\&.
-.IP
-\fBDefault:\fP
-\f(CW printer admin = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW printer admin = admin, @staff\fP
-.IP
-.IP "\fBprintcap name (G)\fP"
-.IP
-This parameter may be used to override the compiled-in default
-printcap name used by the server (usually /etc/printcap)\&. See the
-discussion of the \fB[printers]\fP section above for
-reasons why you might want to do this\&.
-.IP
-On System V systems that use \fBlpstat\fP to list available printers you
-can use \f(CW"printcap name = lpstat"\fP to automatically obtain lists of
-available printers\&. This is the default for systems that define SYSV
-at configure time in Samba (this includes most System V based
-systems)\&. If \fB"printcap name"\fP is set to \fBlpstat\fP on these systems
-then Samba will launch \f(CW"lpstat -v"\fP and attempt to parse the output
-to obtain a printer list\&.
-.IP
-A minimal printcap file would look something like this:
-.IP
+You should \fBNEVER\fR turn this parameter
+off as many Windows applications will break if you do so.
-.nf
-
+Default: \fBshare modes = yes\fR
+.TP
+\fBshared mem size (G)\fR
+It specifies the size of the shared memory (in
+bytes) to use between smbd(8) <URL:smbd.8.html>
+processes. This parameter defaults to one megabyte of shared
+memory. It is possible that if you have a large erver with many
+files open simultaneously that you may need to increase this
+parameter. Signs that this parameter is set too low are users
+reporting strange problems trying to save files (locking errors)
+and error messages in the smbd log looking like \fBERROR
+smb_shm_alloc : alloc of XX bytes failed\fR.
- print1|My Printer 1
- print2|My Printer 2
- print3|My Printer 3
- print4|My Printer 4
- print5|My Printer 5
+If your OS refuses the size that Samba asks for then
+Samba will try a smaller size, reducing by a factor of 0.8 until
+the OS accepts it.
-.fi
-
+Default: \fBshared mem size = 1048576\fR
-.IP
-where the \f(CW\'|\'\fP separates aliases of a printer\&. The fact that the
-second alias has a space in it gives a hint to Samba that it\'s a
-comment\&.
-.IP
-\fINOTE\fP: Under AIX the default printcap name is
-\f(CW"/etc/qconfig"\fP\&. Samba will assume the file is in AIX \f(CW"qconfig"\fP
-format if the string \f(CW"/qconfig"\fP appears in the printcap filename\&.
-.IP
-\fBDefault:\fP
-\f(CW printcap name = /etc/printcap\fP
-.IP
-\fBExample:\fP
-\f(CW printcap name = /etc/myprintcap\fP
-.IP
-.IP "\fBprinter (S)\fP"
-.IP
-This parameter specifies the name of the printer to which print jobs
-spooled through a printable service will be sent\&.
-.IP
-If specified in the \fB[global]\fP section, the printer
-name given will be used for any printable service that does not have
-its own printer name specified\&.
-.IP
-\fBDefault:\fP
-none (but may be \f(CW"lp"\fP on many systems)
-.IP
-\fBExample:\fP
-printer name = laserwriter
-.IP
-.IP "\fBprinter driver (S)\fP"
-.IP
-This option allows you to control the string that clients receive when
-they ask the server for the printer driver associated with a
-printer\&. If you are using Windows95 or WindowsNT then you can use this
-to automate the setup of printers on your system\&.
-.IP
-You need to set this parameter to the exact string (case sensitive)
-that describes the appropriate printer driver for your system\&. If you
-don\'t know the exact string to use then you should first try with no
-\fB"printer driver"\fP option set and the client will give you a list of
-printer drivers\&. The appropriate strings are shown in a scrollbox
-after you have chosen the printer manufacturer\&.
-.IP
-See also \fB"printer driver file"\fP\&.
-.IP
-\fBExample:\fP
-printer driver = HP LaserJet 4L
-.IP
-.IP "\fBprinter driver file (G)\fP"
-.IP
-This parameter tells Samba where the printer driver definition file,
-used when serving drivers to Windows 95 clients, is to be found\&. If
-this is not set, the default is :
-.IP
-\f(CWSAMBA_INSTALL_DIRECTORY/lib/printers\&.def\fP
-.IP
-This file is created from Windows 95 \f(CW"msprint\&.inf"\fP files found on
-the Windows 95 client system\&. For more details on setting up serving
-of printer drivers to Windows 95 clients, see the documentation file
-in the docs/ directory, PRINTER_DRIVER\&.txt\&.
-.IP
-\fBDefault:\fP
-\f(CW None (set in compile)\&.\fP
-.IP
-\fBExample:\fP
-\f(CW printer driver file = /usr/local/samba/printers/drivers\&.def\fP
-.IP
-See also \fB"printer driver location"\fP\&.
-.IP
-.IP "\fBprinter driver location (S)\fP"
-.IP
-This parameter tells clients of a particular printer share where to
-find the printer driver files for the automatic installation of
-drivers for Windows 95 machines\&. If Samba is set up to serve printer
-drivers to Windows 95 machines, this should be set to
-.IP
-\f(CW\e\eMACHINE\ePRINTER$\fP
-.IP
-Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
-is a share you set up for serving printer driver files\&. For more
-details on setting this up see the documentation file in the docs/
-directory, PRINTER_DRIVER\&.txt\&.
-.IP
-\fBDefault:\fP
-\f(CW None\fP
-.IP
-\fBExample:\fP
-\f(CW printer driver location = \e\eMACHINE\ePRINTER$\fP
-.IP
-See also \fB"printer driver file"\fP\&.
-.IP
-.IP "\fBprinter name (S)\fP"
-.IP
-Synonym for \fBprinter\fP\&.
-.IP
-.IP "\fBprinting (S)\fP"
-.IP
-This parameters controls how printer status information is interpreted
-on your system\&. It also affects the default values for the
-\fB"print command"\fP, \fB"lpq
-command"\fP \fB"lppause command"\fP,
-\fB"lpresume command"\fP, and \fB"lprm
-command"\fP if specified in the \fB[global]\fP
-section\&.
-.IP
-Currently eight printing styles are supported\&. They are
-\fB"printing=BSD"\fP, \fB"printing=AIX"\fP,
-\fB"printing=LPRNG"\fP, \fB"printing=PLP"\fP, \fB"printing=SYSV"\fP,
-\fB"printing="HPUX"\fP, \fB"printing=QNX"\fP, \fB"printing=SOFTQ"\fP,
-and \fB"printing=CUPS"\fP\&.
-.IP
-To see what the defaults are for the other print commands when using
-the various options use the \fB"testparm"\fP program\&.
-.IP
-This option can be set on a per printer basis
-.IP
-See also the discussion in the \fB[printers]\fP section\&.
-.IP
-.IP "\fBprivate dir(G)\fP"
-.IP
-The \fBprivate dir\fP parameter allows an administator to define a
-directory path used to hold the various databases Samba will use
-to store things like a the machine trust account information
-when acting as a domain member (i\&.e\&. where the secrets\&.tdb file will
-be located), where the passdb\&.tbd file will stored in the case
-of using the experiemental tdbsam support, etc\&.\&.\&.
-.IP
-\fBDefault:\fP
-\f(CW private dir = <compile time location of smbpasswd>\fP
-.IP
-\fBExample:\fP
-\f(CW private dir = /etc/smbprivate\fP
-.IP
-.IP "\fBprotocol (G)\fP"
-.IP
-The value of the parameter (a string) is the highest protocol level
-that will be supported by the server\&.
-.IP
-Possible values are :
-.IP
-.IP
-.IP o
-CORE: Earliest version\&. No concept of user names\&.
-.IP
-.IP o
-COREPLUS: Slight improvements on CORE for efficiency\&.
-.IP
-.IP o
-LANMAN1: First \fI"modern"\fP version of the protocol\&. Long
-filename support\&.
-.IP
-.IP o
-LANMAN2: Updates to Lanman1 protocol\&.
-.IP
-.IP o
-NT1: Current up to date version of the protocol\&. Used by Windows
-NT\&. Known as CIFS\&.
-.IP
-.IP
-Normally this option should not be set as the automatic negotiation
-phase in the SMB protocol takes care of choosing the appropriate
-protocol\&.
-.IP
-\fBDefault:\fP
-\f(CW protocol = NT1\fP
-.IP
-\fBExample:\fP
-\f(CW protocol = LANMAN1\fP
-.IP
-.IP "\fBpublic (S)\fP"
-.IP
-Synonym for \fB"guest ok"\fP\&.
-.IP
-.IP "\fBqueuepause command (S)\fP"
-.IP
-This parameter specifies the command to be executed on the server host
-in order to pause the printerqueue\&.
-.IP
-This command should be a program or script which takes a printer name
-as its only parameter and stops the printerqueue, such that no longer
-jobs are submitted to the printer\&.
-.IP
-This command is not supported by Windows for Workgroups, but can be
-issued from the Printer\'s window under Windows 95 & NT\&.
-.IP
-If a \f(CW"%p"\fP is given then the printername is put in its
-place\&. Otherwise it is placed at the end of the command\&.
-.IP
-Note that it is good practice to include the absolute path in the
-command as the PATH may not be available to the server\&.
-.IP
-\fBDefault:\fP
-\f(CW depends on the setting of "printing ="\fP
-.IP
-\fBExample:\fP
-\f(CW queuepause command = disable %p\fP
-.IP
-.IP "\fBqueueresume command (S)\fP"
-.IP
-This parameter specifies the command to be executed on the server host
-in order to resume the printerqueue\&. It is the command to undo the
-behavior that is caused by the previous parameter
-(\fB"queuepause command\fP)\&.
-.IP
-This command should be a program or script which takes a printer name
-as its only parameter and resumes the printerqueue, such that queued
-jobs are resubmitted to the printer\&.
-.IP
-This command is not supported by Windows for Workgroups, but can be
-issued from the Printer\'s window under Windows 95 & NT\&.
-.IP
-If a \f(CW"%p"\fP is given then the printername is put in its
-place\&. Otherwise it is placed at the end of the command\&.
-.IP
-Note that it is good practice to include the absolute path in the
-command as the PATH may not be available to the server\&.
-.IP
-\fBDefault:\fP
-\f(CW depends on the setting of "printing ="\fP
-.IP
-\fBExample:\fP
-\f(CW queuepause command = enable %p\fP
-.IP
-.IP "\fBread bmpx (G)\fP"
-.IP
-This boolean parameter controls whether \fBsmbd\fP
-will support the "Read Block Multiplex" SMB\&. This is now rarely used
-and defaults to off\&. You should never need to set this parameter\&.
-.IP
-\fBDefault:\fP
-read bmpx = No
-.IP
-.IP "\fBread list (S)\fP"
-.IP
-This is a list of users that are given read-only access to a
-service\&. If the connecting user is in this list then they will not be
-given write access, no matter what the \fB"writeable"\fP
-option is set to\&. The list can include group names using the syntax
-described in the \fB"invalid users"\fP parameter\&.
-.IP
-See also the \fB"write list"\fP parameter and
-the \fB"invalid users"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW read list = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW read list = mary, @students\fP
-.IP
-.IP "\fBread only (S)\fP"
-.IP
-Note that this is an inverted synonym for
-\fB"writeable"\fP\&.
-.IP
-.IP "\fBread prediction (G)\fP"
-.IP
-\fINOTE\fP: This code is currently disabled in Samba2\&.0 and
-may be removed at a later date\&. Hence this parameter has
-no effect\&.
-.IP
-This options enables or disables the read prediction code used to
-speed up reads from the server\&. When enabled the server will try to
-pre-read data from the last accessed file that was opened read-only
-while waiting for packets\&.
-.IP
-\fBDefault:\fP
-\f(CW read prediction = False\fP
-.IP
-.IP "\fBread raw (G)\fP"
-.IP
-This parameter controls whether or not the server will support the raw
-read SMB requests when transferring data to clients\&.
-.IP
-If enabled, raw reads allow reads of 65535 bytes in one packet\&. This
-typically provides a major performance benefit\&.
-.IP
-However, some clients either negotiate the allowable block size
-incorrectly or are incapable of supporting larger block sizes, and for
-these clients you may need to disable raw reads\&.
-.IP
-In general this parameter should be viewed as a system tuning tool and left
-severely alone\&. See also \fB"write raw"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW read raw = yes\fP
-.IP
-.IP "\fBread size (G)\fP"
-.IP
-The option \fB"read size"\fP affects the overlap of disk reads/writes
-with network reads/writes\&. If the amount of data being transferred in
-several of the SMB commands (currently SMBwrite, SMBwriteX and
-SMBreadbraw) is larger than this value then the server begins writing
-the data before it has received the whole packet from the network, or
-in the case of SMBreadbraw, it begins writing to the network before
-all the data has been read from disk\&.
-.IP
-This overlapping works best when the speeds of disk and network access
-are similar, having very little effect when the speed of one is much
-greater than the other\&.
-.IP
-The default value is 16384, but very little experimentation has been
-done yet to determine the optimal value, and it is likely that the
-best value will vary greatly between systems anyway\&. A value over
-65536 is pointless and will cause you to allocate memory
-unnecessarily\&.
-.IP
-\fBDefault:\fP
-\f(CW read size = 16384\fP
-.IP
-\fBExample:\fP
-\f(CW read size = 8192\fP
-.IP
-.IP "\fBremote announce (G)\fP"
-.IP
-This option allows you to setup \fBnmbd\fP to
-periodically announce itself to arbitrary IP addresses with an
-arbitrary workgroup name\&.
-.IP
-This is useful if you want your Samba server to appear in a remote
-workgroup for which the normal browse propagation rules don\'t
-work\&. The remote workgroup can be anywhere that you can send IP
-packets to\&.
-.IP
-For example:
-.IP
-\f(CW remote announce = 192\&.168\&.2\&.255/SERVERS 192\&.168\&.4\&.255/STAFF\fP
-.IP
-the above line would cause nmbd to announce itself to the two given IP
-addresses using the given workgroup names\&. If you leave out the
-workgroup name then the one given in the
-\fB"workgroup"\fP parameter is used instead\&.
-.IP
-The IP addresses you choose would normally be the broadcast addresses
-of the remote networks, but can also be the IP addresses of known
-browse masters if your network config is that stable\&.
-.IP
-See the documentation file BROWSING\&.txt in the docs/ directory\&.
-.IP
-\fBDefault:\fP
-\f(CW remote announce = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW remote announce = 192\&.168\&.2\&.255/SERVERS 192\&.168\&.4\&.255/STAFF\fP
-.IP
-.IP "\fBremote browse sync (G)\fP"
-.IP
-This option allows you to setup \fBnmbd\fP to
-periodically request synchronization of browse lists with the master
-browser of a samba server that is on a remote segment\&. This option
-will allow you to gain browse lists for multiple workgroups across
-routed networks\&. This is done in a manner that does not work with any
-non-samba servers\&.
-.IP
-This is useful if you want your Samba server and all local clients to
-appear in a remote workgroup for which the normal browse propagation
-rules don\'t work\&. The remote workgroup can be anywhere that you can
-send IP packets to\&.
-.IP
-For example:
-.IP
-\f(CW remote browse sync = 192\&.168\&.2\&.255 192\&.168\&.4\&.255\fP
-.IP
-the above line would cause \fBnmbd\fP to request the
-master browser on the specified subnets or addresses to synchronize
-their browse lists with the local server\&.
-.IP
-The IP addresses you choose would normally be the broadcast addresses
-of the remote networks, but can also be the IP addresses of known
-browse masters if your network config is that stable\&. If a machine IP
-address is given Samba makes NO attempt to validate that the remote
-machine is available, is listening, nor that it is in fact the browse
-master on it\'s segment\&.
-.IP
-\fBDefault:\fP
-\f(CW remote browse sync = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW remote browse sync = 192\&.168\&.2\&.255 192\&.168\&.4\&.255\fP
-.IP
-.IP "\fBrestrict anonymous (G)\fP"
-.IP
-This is a boolean parameter\&. If it is true, then anonymous access
-to the server will be restricted, namely in the case where the server
-is expecting the client to send a username, but it doesn\'t\&. Setting
-it to true will force these anonymous connections to be denied, and
-the client will be required to always supply a username and password
-when connecting\&. Use of this parameter is only recommened for homogenous
-NT client environments\&.
-.IP
-This parameter makes the use of macro expansions that rely
-on the username (%U, %G, etc) consistant\&. NT 4\&.0 likes to use
-anonymous connections when refreshing the share list, and this
-is a way to work around that\&.
-.IP
-When restrict anonymous is true, all anonymous connections are denied
-no matter what they are for\&. This can effect the ability of a machine
-to access the samba Primary Domain Controller to revalidate it\'s machine
-account after someone else has logged on the client interactively\&. The
-NT client will display a message saying that the machine\'s account in
-the domain doesn\'t exist or the password is bad\&. The best way to deal
-with this is to reboot NT client machines between interactive logons,
-using "Shutdown and Restart", rather than "Close all programs and logon
-as a different user"\&.
-.IP
-\fBDefault:\fP
-\f(CW restrict anonymous = false\fP
-.IP
-\fBExample:\fP
-\f(CW restrict anonymous = true\fP
-.IP
-.IP "\fBroot (G)\fP"
-.IP
-Synonym for \fB"root directory"\fP\&.
-.IP
-.IP "\fBroot dir (G)\fP"
-.IP
-Synonym for \fB"root directory"\fP\&.
-.IP
-.IP "\fBroot directory (G)\fP"
-.IP
-The server will \f(CW"chroot()"\fP (i\&.e\&. Change it\'s root directory) to
-this directory on startup\&. This is not strictly necessary for secure
-operation\&. Even without it the server will deny access to files not in
-one of the service entries\&. It may also check for, and deny access to,
-soft links to other parts of the filesystem, or attempts to use
-\f(CW"\&.\&."\fP in file names to access other directories (depending on the
-setting of the \fB"wide links"\fP parameter)\&.
-.IP
-Adding a \fB"root directory"\fP entry other than \f(CW"/"\fP adds an extra
-level of security, but at a price\&. It absolutely ensures that no
-access is given to files not in the sub-tree specified in the \fB"root
-directory"\fP option, \fI*including*\fP some files needed for complete
-operation of the server\&. To maintain full operability of the server
-you will need to mirror some system files into the \fB"root
-directory"\fP tree\&. In particular you will need to mirror /etc/passwd
-(or a subset of it), and any binaries or configuration files needed
-for printing (if required)\&. The set of files that must be mirrored is
-operating system dependent\&.
-.IP
-\fBDefault:\fP
-\f(CW root directory = /\fP
-.IP
-\fBExample:\fP
-\f(CW root directory = /homes/smb\fP
-.IP
-.IP "\fBroot postexec (S)\fP"
-.IP
-This is the same as the \fB"postexec"\fP parameter
-except that the command is run as root\&. This is useful for unmounting
-filesystems (such as cdroms) after a connection is closed\&.
-.IP
-See also \fB"postexec"\fP\&.
-.IP
-.IP "\fBroot preexec (S)\fP"
-.IP
-This is the same as the \fB"preexec"\fP parameter except
-that the command is run as root\&. This is useful for mounting
-filesystems (such as cdroms) before a connection is finalized\&.
-.IP
-See also \fB"preexec"\fP
-and \fB"root preexec close"\fP\&.
-.IP
-.IP "\fBroot preexec close (S)\fP"
-.IP
-This is the same as the \fB"preexec close"\fP parameter
-except that the command is run as root\&.
-.IP
-See also \fB"preexec"\fP, \fB"preexec close"\fP\&.
-.IP
-.IP "\fBsecurity (G)\fP"
-.IP
-This option affects how clients respond to Samba and is one of the most
-important settings in the \fBsmb\&.conf\fP file\&.
-.IP
-The option sets the \f(CW"security mode bit"\fP in replies to protocol
-negotiations with \fBsmbd\fP to turn share level
-security on or off\&. Clients decide based on this bit whether (and how)
-to transfer user and password information to the server\&.
-.IP
-The default is "security=user", as this is
-the most common setting needed when talking to Windows 98 and Windows
-NT\&.
-.IP
-The alternatives are \fB"security = share"\fP,
-\fB"security = server"\fP or
-\fB"security=domain"\fP\&.
-.IP
-\fI*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2\&.0 THAN FOR
-PREVIOUS VERSIONS OF SAMBA *******\fP\&.
-.IP
-In previous versions of Samba the default was
-\fB"security=share"\fP mainly because that was
-the only option at one stage\&.
-.IP
-There is a bug in WfWg that has relevance to this setting\&. When in
-user or server level security a WfWg client will totally ignore the
-password you type in the "connect drive" dialog box\&. This makes it
-very difficult (if not impossible) to connect to a Samba service as
-anyone except the user that you are logged into WfWg as\&.
-.IP
-If your PCs use usernames that are the same as their usernames on the
-UNIX machine then you will want to use \fB"security = user"\fP\&. If you
-mostly use usernames that don\'t exist on the UNIX box then use
-\fB"security = share"\fP\&.
-.IP
-You should also use \fBsecurity=share\fP if
-you want to mainly setup shares without a password (guest
-shares)\&. This is commonly used for a shared printer server\&. It is more
-difficult to setup guest shares with
-\fBsecurity=user\fP, see the \fB"map to
-guest"\fPparameter for details\&.
-.IP
-It is possible to use \fBsmbd\fP in a \fI"hybrid
-mode"\fP where it is offers both user and share level security under
-different \fBNetBIOS aliases\fP\&. See the
-\fBNetBIOS aliases\fP and the
-\fBinclude\fP parameters for more information\&.
-.IP
-The different settings will now be explained\&.
-.IP
-.IP
-.IP "\fB"security=share"\fP"
-When clients connect to a share level
-security server then need not log onto the server with a valid
-username and password before attempting to connect to a shared
-resource (although modern clients such as Windows 95/98 and Windows NT
-will send a logon request with a username but no password when talking
-to a \fBsecurity=share\fP server)\&. Instead, the clients send
-authentication information (passwords) on a per-share basis, at the
-time they attempt to connect to that share\&.
-.IP
-Note that \fBsmbd\fP \fI*ALWAYS*\fP uses a valid UNIX
-user to act on behalf of the client, even in \fB"security=share"\fP
-level security\&.
-.IP
-As clients are not required to send a username to the server
-in share level security, \fBsmbd\fP uses several
-techniques to determine the correct UNIX user to use on behalf
-of the client\&.
-.IP
-A list of possible UNIX usernames to match with the given
-client password is constructed using the following methods :
-.IP
-.IP
-.IP o
-If the \fB"guest only"\fP parameter is set, then
-all the other stages are missed and only the \fB"guest
-account"\fP username is checked\&.
-.IP
-.IP o
-Is a username is sent with the share connection request, then
-this username (after mapping - see \fB"username
-map"\fP), is added as a potential username\&.
-.IP
-.IP o
-If the client did a previous \fI"logon"\fP request (the
-SessionSetup SMB call) then the username sent in this SMB
-will be added as a potential username\&.
-.IP
-.IP o
-The name of the service the client requested is added
-as a potential username\&.
-.IP
-.IP o
-The NetBIOS name of the client is added to the list as a
-potential username\&.
-.IP
-.IP o
-Any users on the \fB"user"\fP list are added
-as potential usernames\&.
-.IP
-.IP
-If the \fB"guest only"\fP parameter is not set, then
-this list is then tried with the supplied password\&. The first user for
-whom the password matches will be used as the UNIX user\&.
-.IP
-If the \fB"guest only"\fP parameter is set, or no
-username can be determined then if the share is marked as available to
-the \fB"guest account"\fP, then this guest user will
-be used, otherwise access is denied\&.
-.IP
-Note that it can be \fI*very*\fP confusing in share-level security as to
-which UNIX username will eventually be used in granting access\&.
-.IP
-See also the section \fB"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"\fP\&.
-.IP
-.IP "\fB"security=user"\fP"
-.IP
-This is the default security setting in Samba2\&.0\&. With user-level
-security a client must first \f(CW"log-on"\fP with a valid username and
-password (which can be mapped using the \fB"username
-map"\fP parameter)\&. Encrypted passwords (see the
-\fB"encrypted passwords"\fP parameter) can also
-be used in this security mode\&. Parameters such as
-\fB"user"\fP and \fB"guest only"\fP, if set
-are then applied and may change the UNIX user to use on this
-connection, but only after the user has been successfully
-authenticated\&.
-.IP
-\fINote\fP that the name of the resource being requested is
-\fI*not*\fP sent to the server until after the server has successfully
-authenticated the client\&. This is why guest shares don\'t work in user
-level security without allowing the server to automatically map unknown
-users into the \fB"guest account"\fP\&. See the
-\fB"map to guest"\fP parameter for details on
-doing this\&.
-.IP
-See also the section \fB"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"\fP\&.
-.IP
-.IP "\fB"security=server"\fP"
-.IP
-In this mode Samba will try to validate the username/password by
-passing it to another SMB server, such as an NT box\&. If this fails it
-will revert to \fB"security = user"\fP, but note that if encrypted
-passwords have been negotiated then Samba cannot revert back to
-checking the UNIX password file, it must have a valid smbpasswd file
-to check users against\&. See the documentation file in the docs/
-directory ENCRYPTION\&.txt for details on how to set this up\&.
-.IP
-\fINote\fP that from the clients point of view \fB"security=server"\fP is
-the same as \fB"security=user"\fP\&. It only
-affects how the server deals with the authentication, it does not in
-any way affect what the client sees\&.
-.IP
-\fINote\fP that the name of the resource being requested is
-\fI*not*\fP sent to the server until after the server has successfully
-authenticated the client\&. This is why guest shares don\'t work in server
-level security without allowing the server to automatically map unknown
-users into the \fB"guest account"\fP\&. See the
-\fB"map to guest"\fP parameter for details on
-doing this\&.
-.IP
-See also the section \fB"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"\fP\&.
-.IP
-See also the \fB"password server"\fP parameter\&.
-and the \fB"encrypted passwords"\fP parameter\&.
-.IP
-.IP "\fB"security=domain"\fP"
-.IP
-This mode will only work correctly if
-\fBsmbpasswd\fP has been used to add this machine
-into a Windows NT Domain\&. It expects the \fB"encrypted
-passwords"\fP parameter to be set to \f(CW"true"\fP\&. In
-this mode Samba will try to validate the username/password by passing
-it to a Windows NT Primary or Backup Domain Controller, in exactly the
-same way that a Windows NT Server would do\&.
-.IP
-\fINote\fP that a valid UNIX user must still exist as well as the
-account on the Domain Controller to allow Samba to have a valid
-UNIX account to map file access to\&.
-.IP
-\fINote\fP that from the clients point of view \fB"security=domain"\fP is
-the same as \fB"security=user"\fP\&. It only
-affects how the server deals with the authentication, it does not in
-any way affect what the client sees\&.
-.IP
-\fINote\fP that the name of the resource being requested is
-\fI*not*\fP sent to the server until after the server has successfully
-authenticated the client\&. This is why guest shares don\'t work in domain
-level security without allowing the server to automatically map unknown
-users into the \fB"guest account"\fP\&. See the
-\fB"map to guest"\fP parameter for details on
-doing this\&.
-.IP
-\fIBUG:\fP There is currently a bug in the implementation of
-\fB"security=domain\fP with respect to multi-byte character
-set usernames\&. The communication with a Domain Controller
-must be done in UNICODE and Samba currently does not widen
-multi-byte user names to UNICODE correctly, thus a multi-byte
-username will not be recognized correctly at the Domain Controller\&.
-This issue will be addressed in a future release\&.
-.IP
-See also the section \fB"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"\fP\&.
-.IP
-See also the \fB"password server"\fP parameter\&.
-and the \fB"encrypted passwords"\fP parameter\&.
-.IP
-.IP
-\fBDefault:\fP
-\f(CW security = USER\fP
-.IP
-\fBExample:\fP
-\f(CW security = DOMAIN\fP
-.IP
-.IP "\fBsecurity mask (S)\fP"
-.IP
-This parameter controls what UNIX permission bits can be modified
-when a Windows NT client is manipulating the UNIX permission on a
-file using the native NT security dialog box\&.
-.IP
-This parameter is applied as a mask (AND\'ed with) to the changed
-permission bits, thus preventing any bits not in this mask from
-being modified\&. Essentially, zero bits in this mask may be treated
-as a set of bits the user is not allowed to change\&.
-.IP
-If not set explicitly this parameter is set to the same value as the
-\fBcreate mask\fP parameter\&. To allow a user to
-modify all the user/group/world permissions on a file, set this
-parameter to 0777\&.
-.IP
-\fINote\fP that users who can access the Samba server through other
-means can easily bypass this restriction, so it is primarily
-useful for standalone "appliance" systems\&. Administrators of
-most normal systems will probably want to set it to 0777\&.
-.IP
-See also the \fBforce directory security
-mode\fP, \fBdirectory security
-mask\fP, \fBforce security
-mode\fP parameters\&.
-.IP
-\fBDefault:\fP
-\f(CW security mask = <same as create mask>\fP
-.IP
-\fBExample:\fP
-\f(CW security mask = 0777\fP
-.IP
-.IP "\fBserver string (G)\fP"
-.IP
-This controls what string will show up in the printer comment box in
-print manager and next to the IPC connection in \f(CW"net view"\fP\&. It can be
-any string that you wish to show to your users\&.
-.IP
-It also sets what will appear in browse lists next to the machine
-name\&.
-.IP
-A \f(CW"%v"\fP will be replaced with the Samba version number\&.
-.IP
-A \f(CW"%h"\fP will be replaced with the hostname\&.
-.IP
-\fBDefault:\fP
-\f(CW server string = Samba %v\fP
-.IP
-\fBExample:\fP
-\f(CW server string = University of GNUs Samba Server\fP
-.IP
-.IP "\fBset directory (S)\fP"
-.IP
-If \f(CW"set directory = no"\fP, then users of the service may not use the
-setdir command to change directory\&.
-.IP
-The setdir command is only implemented in the Digital Pathworks
-client\&. See the Pathworks documentation for details\&.
-.IP
-\fBDefault:\fP
-\f(CW set directory = no\fP
-.IP
-\fBExample:\fP
-\f(CW set directory = yes\fP
-.IP
-.IP "\fBshare modes (S)\fP"
-.IP
-This enables or disables the honoring of the \f(CW"share modes"\fP during a
-file open\&. These modes are used by clients to gain exclusive read or
-write access to a file\&.
-.IP
-These open modes are not directly supported by UNIX, so they are
-simulated using shared memory, or lock files if your UNIX doesn\'t
-support shared memory (almost all do)\&.
-.IP
-The share modes that are enabled by this option are DENY_DOS,
-DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB\&.
-.IP
-This option gives full share compatibility and enabled by default\&.
-.IP
-You should \fI*NEVER*\fP turn this parameter off as many Windows
-applications will break if you do so\&.
-.IP
-\fBDefault:\fP
-\f(CW share modes = yes\fP
-.IP
-.IP "\fBshared mem size (G)\fP"
-.IP
-It specifies the size of the shared memory (in bytes) to use between
-\fBsmbd\fP processes\&. This parameter defaults to one
-megabyte of shared memory\&. It is possible that if you have a large
-server with many files open simultaneously that you may need to
-increase this parameter\&. Signs that this parameter is set too low are
-users reporting strange problems trying to save files (locking errors)
-and error messages in the smbd log looking like \f(CW"ERROR
-smb_shm_alloc : alloc of XX bytes failed"\fP\&.
-.IP
-If your OS refuses the size that Samba asks for then Samba will try a
-smaller size, reducing by a factor of 0\&.8 until the OS accepts it\&.
-.IP
-\fBDefault:\fP
-\f(CW shared mem size = 1048576\fP
-.IP
-\fBExample:\fP
-\f(CW shared mem size = 5242880 ; Set to 5mb for a large number of files\&.\fP
-.IP
-.IP "\fBshort preserve case (S)\fP"
-.IP
-This boolean parameter controls if new files which conform to 8\&.3
-syntax, that is all in upper case and of suitable length, are created
-upper case, or if they are forced to be the \f(CW"default"\fP case\&. This
-option can be use with \fB"preserve case
-=yes"\fP to permit long filenames to retain their
-case, while short names are lowered\&. Default \fIYes\fP\&.
-.IP
-See the section on \fBNAME MANGLING\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW short preserve case = yes\fP
-.IP
-.IP "\fBsmb passwd file (G)\fP"
-.IP
-This option sets the path to the encrypted smbpasswd file\&. By default
-the path to the smbpasswd file is compiled into Samba\&.
-.IP
-\fBDefault:\fP
-\f(CW smb passwd file= <compiled default>\fP
-.IP
-\fBExample:\fP
-\f(CW smb passwd file = /usr/samba/private/smbpasswd\fP
-.IP
-.IP "\fBsmbrun (G)\fP"
-.IP
-This sets the full path to the \fBsmbrun\fP binary\&. This defaults to the
-value in the Makefile\&.
-.IP
-You must get this path right for many services to work correctly\&.
-.IP
-You should not need to change this parameter so long as Samba
-is installed correctly\&.
-.IP
-\fBDefault:\fP
-\f(CW smbrun=<compiled default>\fP
-.IP
-\fBExample:\fP
-\f(CW smbrun = /usr/local/samba/bin/smbrun\fP
-.IP
-.IP "\fBsocket address (G)\fP"
-.IP
-This option allows you to control what address Samba will listen for
-connections on\&. This is used to support multiple virtual interfaces on
-the one server, each with a different configuration\&.
-.IP
-By default samba will accept connections on any address\&.
-.IP
-\fBExample:\fP
-\f(CW socket address = 192\&.168\&.2\&.20\fP
-.IP
-.IP "\fBsocket options (G)\fP"
-.IP
-This option allows you to set socket options to be used when talking
-with the client\&.
-.IP
-Socket options are controls on the networking layer of the operating
-systems which allow the connection to be tuned\&.
-.IP
-This option will typically be used to tune your Samba server for
-optimal performance for your local network\&. There is no way that Samba
-can know what the optimal parameters are for your net, so you must
-experiment and choose them yourself\&. We strongly suggest you read the
-appropriate documentation for your operating system first (perhaps
-\fB"man setsockopt"\fP will help)\&.
-.IP
-You may find that on some systems Samba will say "Unknown socket
-option" when you supply an option\&. This means you either incorrectly
-typed it or you need to add an include file to includes\&.h for your OS\&.
-If the latter is the case please send the patch to
-\fIsamba@samba\&.org\fP\&.
-.IP
-Any of the supported socket options may be combined in any way you
-like, as long as your OS allows it\&.
-.IP
-This is the list of socket options currently settable using this
-option:
-.IP
-.IP
-.IP o
+Example: \fBshared mem size = 5242880 ; Set to 5mb for a
+large number of files.\fR
+.TP
+\fBshort preserve case (S)\fR
+This boolean parameter controls if new files
+which conform to 8.3 syntax, that is all in upper case and of
+suitable length, are created upper case, or if they are forced
+to be the \fIdefault case
+\fR\&. This option can be use with \fBpreserve case = yes\fR
+to permit long filenames to retain their case, while short
+names are lowered.
+
+See the section on NAME MANGLING.
+
+Default: \fBshort preserve case = yes\fR
+.TP
+\fBsmb passwd file (G)\fR
+This option sets the path to the encrypted
+smbpasswd file. By default the path to the smbpasswd file
+is compiled into Samba.
+
+Default: \fBsmb passwd file= <compiled
+default>\fR
+
+Example: \fBsmb passwd file = /usr/samba/private/smbpasswd
+\fR.TP
+\fBsmbrun (G)\fR
+This sets the full path to the \fBsmbrun
+\fRbinary. This defaults to the value in the \fI Makefile\fR.
+
+You must get this path right for many services
+to work correctly.
+
+You should not need to change this parameter so
+long as Samba is installed correctly.
+
+Default: \fBsmbrun=<compiled default>
+\fR
+Example: \fBsmbrun = /usr/local/samba/bin/smbrun
+\fR.TP
+\fBsocket address (G)\fR
+This option allows you to control what
+address Samba will listen for connections on. This is used to
+support multiple virtual interfaces on the one server, each
+with a different configuration.
+
+By default samba will accept connections on any
+address.
+
+Example: \fBsocket address = 192.168.2.20\fR
+.TP
+\fBsocket options (G)\fR
+This option allows you to set socket options
+to be used when talking with the client.
+
+Socket options are controls on the networking layer
+of the operating systems which allow the connection to be
+tuned.
+
+This option will typically be used to tune your Samba
+server for optimal performance for your local network. There is
+no way that Samba can know what the optimal parameters are for
+your net, so you must experiment and choose them yourself. We
+strongly suggest you read the appropriate documentation for your
+operating system first (perhaps \fBman setsockopt\fR
+will help).
+
+You may find that on some systems Samba will say
+"Unknown socket option" when you supply an option. This means you
+either incorrectly typed it or you need to add an include file
+to includes.h for your OS. If the latter is the case please
+send the patch to samba@samba.org <URL:mailto:samba@samba.org>.
+
+Any of the supported socket options may be combined
+in any way you like, as long as your OS allows it.
+
+This is the list of socket options currently settable
+using this option:
+.RS
+.TP 0.2i
+\(bu
SO_KEEPALIVE
-.IP
-.IP o
+.TP 0.2i
+\(bu
SO_REUSEADDR
-.IP
-.IP o
+.TP 0.2i
+\(bu
SO_BROADCAST
-.IP
-.IP o
+.TP 0.2i
+\(bu
TCP_NODELAY
-.IP
-.IP o
+.TP 0.2i
+\(bu
IPTOS_LOWDELAY
-.IP
-.IP o
+.TP 0.2i
+\(bu
IPTOS_THROUGHPUT
-.IP
-.IP o
+.TP 0.2i
+\(bu
SO_SNDBUF *
-.IP
-.IP o
+.TP 0.2i
+\(bu
SO_RCVBUF *
-.IP
-.IP o
+.TP 0.2i
+\(bu
SO_SNDLOWAT *
-.IP
-.IP o
+.TP 0.2i
+\(bu
SO_RCVLOWAT *
-.IP
-.IP
-Those marked with a \f(CW*\fP take an integer argument\&. The others can
-optionally take a 1 or 0 argument to enable or disable the option, by
-default they will be enabled if you don\'t specify 1 or 0\&.
-.IP
-To specify an argument use the syntax SOME_OPTION=VALUE for example
-\f(CWSO_SNDBUF=8192\fP\&. Note that you must not have any spaces before or after
-the = sign\&.
-.IP
-If you are on a local network then a sensible option might be
-.IP
-\f(CWsocket options = IPTOS_LOWDELAY\fP
-.IP
+.RE
+.PP
+Those marked with a \fB'*'\fR take an integer
+argument. The others can optionally take a 1 or 0 argument to enable
+or disable the option, by default they will be enabled if you
+don't specify 1 or 0.
+.PP
+.PP
+To specify an argument use the syntax SOME_OPTION=VALUE
+for example \fBSO_SNDBUF=8192\fR. Note that you must
+not have any spaces before or after the = sign.
+.PP
+.PP
+If you are on a local network then a sensible option
+might be
+.PP
+.PP
+\fBsocket options = IPTOS_LOWDELAY\fR
+.PP
+.PP
If you have a local network then you could try:
-.IP
-\f(CWsocket options = IPTOS_LOWDELAY TCP_NODELAY\fP
-.IP
-If you are on a wide area network then perhaps try setting
-IPTOS_THROUGHPUT\&.
-.IP
-Note that several of the options may cause your Samba server to fail
-completely\&. Use these options with caution!
-.IP
-\fBDefault:\fP
-\f(CW socket options = TCP_NODELAY\fP
-.IP
-\fBExample:\fP
-\f(CW socket options = IPTOS_LOWDELAY\fP
-.IP
-.IP "\fBsource environment (G)\fP"
-.IP
-This parameter causes Samba to set environment variables as per the
-content of the file named\&.
-.IP
-The file \fBmust\fP be owned by root and not world writable in order
-to be read (this is a security check)\&.
-.IP
-If the value of this parameter starts with a "|" character then Samba will
-treat that value as a pipe command to open and will set the environment
-variables from the oput of the pipe\&. This command must not be world writable
-and must reside in a directory that is not world writable\&.
-.IP
-The contents of the file or the output of the pipe should be formatted
-as the output of the standard Unix env(1) command\&. This is of the form :
-.IP
+.PP
+.PP
+\fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR
+.PP
+.PP
+If you are on a wide area network then perhaps try
+setting IPTOS_THROUGHPUT.
+.PP
+.PP
+Note that several of the options may cause your Samba
+server to fail completely. Use these options with caution!
+.PP
+.PP
+Default: \fBsocket options = TCP_NODELAY\fR
+.PP
+.PP
+Example: \fBsocket options = IPTOS_LOWDELAY\fR
+.PP
+.TP
+\fBsource environment (G)\fR
+This parameter causes Samba to set environment
+variables as per the content of the file named.
+
+If the value of this parameter starts with a "|" character
+then Samba will treat that value as a pipe command to open and
+will set the environment variables from the output of the pipe.
+
+The contents of the file or the output of the pipe should
+be formatted as the output of the standard Unix \fBenv(1)
+\fRcommand. This is of the form :
+
Example environment entry:
-\f(CW SAMBA_NETBIOS_NAME=myhostname \fP
-.IP
-\fBDefault:\fP
-\f(CWNo default value\fP
-.IP
-\fBExamples:\fP
-.IP
-\f(CW source environment = |/etc/smb\&.conf\&.sh\fP
-.IP
-\f(CW source environment = /usr/local/smb_env_vars\fP
-.IP
-.IP "\fBssl (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-This variable enables or disables the entire SSL mode\&. If it is set to
-"no", the SSL enabled samba behaves exactly like the non-SSL samba\&. If
-set to "yes", it depends on the variables \fB"ssl
-hosts"\fP and \fB"ssl hosts resign"\fP
-whether an SSL connection will be required\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl=no\fP
-\fBExample:\fP
-\f(CW ssl=yes\fP
-.IP
-.IP "\fBssl CA certDir (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
+
+\fBSAMBA_NETBIOS_NAME=myhostname\fR
+
+Default: \fBNo default value\fR
+
+Examples: \fBsource environment = |/etc/smb.conf.sh
+\fR
+Example: \fBsource environment =
+/usr/local/smb_env_vars\fR
+.TP
+\fBssl (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+This variable enables or disables the entire SSL mode. If
+it is set to no, the SSL enabled samba behaves
+exactly like the non-SSL samba. If set to yes,
+it depends on the variables \fI ssl hosts\fR and \fIssl hosts resign\fR whether an SSL
+connection will be required.
+
+Default: \fBssl=no\fR
+.TP
+\fBssl CA certDir (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
This variable defines where to look up the Certification
-Authorities\&. The given directory should contain one file for each CA
-that samba will trust\&. The file name must be the hash value over the
-"Distinguished Name" of the CA\&. How this directory is set up is
-explained later in this document\&. All files within the directory that
-don\'t fit into this naming scheme are ignored\&. You don\'t need this
-variable if you don\'t verify client certificates\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl CA certDir = /usr/local/ssl/certs\fP
-.IP
-.IP "\fBssl CA certFile (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-This variable is a second way to define the trusted CAs\&. The
-certificates of the trusted CAs are collected in one big file and this
-variable points to the file\&. You will probably only use one of the two
-ways to define your CAs\&. The first choice is preferable if you have
-many CAs or want to be flexible, the second is preferable if you only
-have one CA and want to keep things simple (you won\'t need to create
-the hashed file names)\&. You don\'t need this variable if you don\'t
-verify client certificates\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl CA certFile = /usr/local/ssl/certs/trustedCAs\&.pem\fP
-.IP
-.IP "\fBssl ciphers (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-This variable defines the ciphers that should be offered during SSL
-negotiation\&. You should not set this variable unless you know what you
-are doing\&.
-.IP
-.IP "\fBssl client cert (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-The certificate in this file is used by
-\fBsmbclient\fP if it exists\&. It\'s needed if the
-server requires a client certificate\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl client cert = /usr/local/ssl/certs/smbclient\&.pem\fP
-.IP
-.IP "\fBssl client key (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-This is the private key for \fBsmbclient\fP\&. It\'s
-only needed if the client should have a certificate\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl client key = /usr/local/ssl/private/smbclient\&.pem\fP
-.IP
-.IP "\fBssl compatibility (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-This variable defines whether SSLeay should be configured for bug
-compatibility with other SSL implementations\&. This is probably not
-desirable because currently no clients with SSL implementations other
-than SSLeay exist\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl compatibility = no\fP
-.IP
-.IP "\fBssl hosts (G)\fP"
-.IP
-See \fB"ssl hosts resign"\fP\&.
-.IP
-.IP "\fBssl hosts resign (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-These two variables define whether samba will go into SSL mode or
-not\&. If none of them is defined, samba will allow only SSL
-connections\&. If the \fB"ssl hosts"\fP variable lists
-hosts (by IP-address, IP-address range, net group or name), only these
-hosts will be forced into SSL mode\&. If the \fB"ssl hosts resign"\fP
-variable lists hosts, only these hosts will NOT be forced into SSL
-mode\&. The syntax for these two variables is the same as for the
-\fB"hosts allow"\fP and \fB"hosts
-deny"\fP pair of variables, only that the subject of the
-decision is different: It\'s not the access right but whether SSL is
-used or not\&. See the \fB"allow hosts"\fP parameter for
-details\&. The example below requires SSL connections from all hosts
-outside the local net (which is 192\&.168\&.*\&.*)\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl hosts = <empty string>\fP
-\f(CW ssl hosts resign = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW ssl hosts resign = 192\&.168\&.\fP
-.IP
-.IP "\fBssl require clientcert (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-If this variable is set to \f(CW"yes"\fP, the server will not tolerate
-connections from clients that don\'t have a valid certificate\&. The
-directory/file given in \fB"ssl CA certDir"\fP and
-\fB"ssl CA certFile"\fP will be used to look up the
-CAs that issued the client\'s certificate\&. If the certificate can\'t be
-verified positively, the connection will be terminated\&. If this
-variable is set to \f(CW"no"\fP, clients don\'t need certificates\&. Contrary
-to web applications you really \fI*should*\fP require client
-certificates\&. In the web environment the client\'s data is sensitive
-(credit card numbers) and the server must prove to be trustworthy\&. In
-a file server environment the server\'s data will be sensitive and the
-clients must prove to be trustworthy\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl require clientcert = no\fP
-.IP
-.IP "\fBssl require servercert (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-If this variable is set to \f(CW"yes"\fP, the
-\fBsmbclient\fP will request a certificate from
-the server\&. Same as \fB"ssl require
-clientcert"\fP for the server\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl require servercert = no\fP
-.IP
-.IP "\fBssl server cert (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-This is the file containing the server\'s certificate\&. The server _must_
-have a certificate\&. The file may also contain the server\'s private key\&.
-See later for how certificates and private keys are created\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl server cert = <empty string>\fP
-.IP
-.IP "\fBssl server key (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-This file contains the private key of the server\&. If this variable is
-not defined, the key is looked up in the certificate file (it may be
-appended to the certificate)\&. The server \fI*must*\fP have a private key
-and the certificate \fI*must*\fP match this private key\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl server key = <empty string>\fP
-.IP
-.IP "\fBssl version (G)\fP"
-.IP
-This variable is part of SSL-enabled Samba\&. This is only available if
-the SSL libraries have been compiled on your system and the configure
-option \f(CW"--with-ssl"\fP was given at configure time\&.
-.IP
-\fINote\fP that for export control reasons this code is \fI**NOT**\fP
-enabled by default in any current binary version of Samba\&.
-.IP
-This enumeration variable defines the versions of the SSL protocol
-that will be used\&. \f(CW"ssl2or3"\fP allows dynamic negotiation of SSL v2
-or v3, \f(CW"ssl2"\fP results in SSL v2, \f(CW"ssl3"\fP results in SSL v3 and
-"tls1" results in TLS v1\&. TLS (Transport Layer Security) is the
-(proposed?) new standard for SSL\&.
-.IP
-\fBDefault:\fP
-\f(CW ssl version = "ssl2or3"\fP
-.IP
-.IP "\fBstat cache (G)\fP"
-.IP
-This parameter determines if \fBsmbd\fP will use a
-cache in order to speed up case insensitive name mappings\&. You should
-never need to change this parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW stat cache = yes\fP
-.IP
-.IP "\fBstat cache size (G)\fP"
-.IP
-This parameter determines the number of entries in the \fBstat
-cache\fP\&. You should never need to change this parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW stat cache size = 50\fP
-.IP
-.IP "\fBstatus (G)\fP"
-.IP
-This enables or disables logging of connections to a status file that
-\fBsmbstatus\fP can read\&.
-.IP
-With this disabled \fBsmbstatus\fP won\'t be able
-to tell you what connections are active\&. You should never need to
-change this parameter\&.
-.IP
-\fBDefault:\fP
-status = yes
-.IP
-.IP "\fBstrict locking (S)\fP"
-.IP
-This is a boolean that controls the handling of file locking in the
-server\&. When this is set to \f(CW"yes"\fP the server will check every read and
-write access for file locks, and deny access if locks exist\&. This can
-be slow on some systems\&.
-.IP
-When strict locking is \f(CW"no"\fP the server does file lock checks only
-when the client explicitly asks for them\&.
-.IP
-Well behaved clients always ask for lock checks when it is important,
-so in the vast majority of cases \fB"strict locking = no"\fP is
-preferable\&.
-.IP
-\fBDefault:\fP
-\f(CW strict locking = no\fP
-.IP
-\fBExample:\fP
-\f(CW strict locking = yes\fP
-.IP
-.IP "\fBstrict sync (S)\fP"
-.IP
-Many Windows applications (including the Windows 98 explorer shell)
-seem to confuse flushing buffer contents to disk with doing a sync to
-disk\&. Under UNIX, a sync call forces the process to be suspended until
-the kernel has ensured that all outstanding data in kernel disk
-buffers has been safely stored onto stable storage\&. This is very slow
-and should only be done rarely\&. Setting this parameter to "no" (the
+Authorities. The given directory should contain one file for
+each CA that samba will trust. The file name must be the hash
+value over the "Distinguished Name" of the CA. How this directory
+is set up is explained later in this document. All files within the
+directory that don't fit into this naming scheme are ignored. You
+don't need this variable if you don't verify client certificates.
+
+Default: \fBssl CA certDir = /usr/local/ssl/certs
+\fR.TP
+\fBssl CA certFile (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+This variable is a second way to define the trusted CAs.
+The certificates of the trusted CAs are collected in one big
+file and this variable points to the file. You will probably
+only use one of the two ways to define your CAs. The first choice is
+preferable if you have many CAs or want to be flexible, the second
+is preferable if you only have one CA and want to keep things
+simple (you won't need to create the hashed file names). You
+don't need this variable if you don't verify client certificates.
+
+Default: \fBssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
+\fR.TP
+\fBssl ciphers (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+This variable defines the ciphers that should be offered
+during SSL negotiation. You should not set this variable unless
+you know what you are doing.
+.TP
+\fBssl client cert (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+The certificate in this file is used by \fBsmbclient(1)\fR <URL:smbclient.1.html> if it exists. It's needed
+if the server requires a client certificate.
+
+Default: \fBssl client cert = /usr/local/ssl/certs/smbclient.pem
+\fR.TP
+\fBssl client key (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+This is the private key for \fBsmbclient(1)\fR <URL:smbclient.1.html>. It's only needed if the
+client should have a certificate.
+
+Default: \fBssl client key = /usr/local/ssl/private/smbclient.pem
+\fR.TP
+\fBssl compatibility (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+This variable defines whether SSLeay should be configured
+for bug compatibility with other SSL implementations. This is
+probably not desirable because currently no clients with SSL
+implementations other than SSLeay exist.
+
+Default: \fBssl compatibility = no\fR
+.TP
+\fBssl hosts (G)\fR
+See \fI ssl hosts resign\fR.
+.TP
+\fBssl hosts resign (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+These two variables define whether samba will go
+into SSL mode or not. If none of them is defined, samba will
+allow only SSL connections. If the \fIssl hosts\fR variable lists
+hosts (by IP-address, IP-address range, net group or name),
+only these hosts will be forced into SSL mode. If the \fI ssl hosts resign\fR variable lists hosts, only these
+hosts will NOT be forced into SSL mode. The syntax for these two
+variables is the same as for the \fI hosts allow\fR and \fIhosts deny\fR pair of variables, only
+that the subject of the decision is different: It's not the access
+right but whether SSL is used or not.
+
+The example below requires SSL connections from all hosts
+outside the local net (which is 192.168.*.*).
+
+Default: \fBssl hosts = <empty string>\fR
+
+\fBssl hosts resign = <empty string>\fR
+
+Example: \fBssl hosts resign = 192.168.\fR
+.TP
+\fBssl require clientcert (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+If this variable is set to yes, the
+server will not tolerate connections from clients that don't
+have a valid certificate. The directory/file given in \fIssl CA certDir\fR
+and \fIssl CA certFile
+\fRwill be used to look up the CAs that issued
+the client's certificate. If the certificate can't be verified
+positively, the connection will be terminated. If this variable
+is set to no, clients don't need certificates.
+Contrary to web applications you really \fBshould\fR
+require client certificates. In the web environment the client's
+data is sensitive (credit card numbers) and the server must prove
+to be trustworthy. In a file server environment the server's data
+will be sensitive and the clients must prove to be trustworthy.
+
+Default: \fBssl require clientcert = no\fR
+.TP
+\fBssl require servercert (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+If this variable is set to yes, the
+\fBsmbclient(1)\fR
+ <URL:smbclient.1.html> will request a certificate from the server. Same as
+\fIssl require
+clientcert\fR for the server.
+
+Default: \fBssl require servercert = no\fR
+.TP
+\fBssl server cert (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+This is the file containing the server's certificate.
+The server \fBmust\fR have a certificate. The
+file may also contain the server's private key. See later for
+how certificates and private keys are created.
+
+Default: \fBssl server cert = <empty string>
+\fR.TP
+\fBssl server key (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+This file contains the private key of the server. If
+this variable is not defined, the key is looked up in the
+certificate file (it may be appended to the certificate).
+The server \fBmust\fR have a private key
+and the certificate \fBmust\fR
+match this private key.
+
+Default: \fBssl server key = <empty string>
+\fR.TP
+\fBssl version (G)\fR
+This variable is part of SSL-enabled Samba. This
+is only available if the SSL libraries have been compiled on your
+system and the configure option \fB--with-ssl\fR was
+given at configure time.
+
+\fBNote\fR that for export control reasons
+this code is \fBNOT\fR enabled by default in any
+current binary version of Samba.
+
+This enumeration variable defines the versions of the
+SSL protocol that will be used. ssl2or3 allows
+dynamic negotiation of SSL v2 or v3, ssl2 results
+in SSL v2, ssl3 results in SSL v3 and
+tls1 results in TLS v1. TLS (Transport Layer
+Security) is the new standard for SSL.
+
+Default: \fBssl version = "ssl2or3"\fR
+.TP
+\fBstat cache (G)\fR
+This parameter determines if smbd(8) <URL:smbd.8.html> will use a cache in order to
+speed up case insensitive name mappings. You should never need
+to change this parameter.
+
+Default: \fBstat cache = yes\fR
+.TP
+\fBstat cache size (G)\fR
+This parameter determines the number of
+entries in the \fIstat cache\fR. You should
+never need to change this parameter.
+
+Default: \fBstat cache size = 50\fR
+.TP
+\fBstatus (G)\fR
+This enables or disables logging of connections
+to a status file that smbstatus(1) <URL:smbstatus.1.html>
+can read.
+
+With this disabled \fBsmbstatus\fR won't be able
+to tell you what connections are active. You should never need to
+change this parameter.
+
+Default: \fBstatus = yes\fR
+.TP
+\fBstrict locking (S)\fR
+This is a boolean that controls the handling of
+file locking in the server. When this is set to yes
+the server will check every read and write access for file locks, and
+deny access if locks exist. This can be slow on some systems.
+
+When strict locking is no the server does file
+lock checks only when the client explicitly asks for them.
+
+Well behaved clients always ask for lock checks when it
+is important, so in the vast majority of cases \fBstrict
+locking = no\fR is preferable.
+
+Default: \fBstrict locking = no\fR
+.TP
+\fBstrict sync (S)\fR
+Many Windows applications (including the Windows
+98 explorer shell) seem to confuse flushing buffer contents to
+disk with doing a sync to disk. Under UNIX, a sync call forces
+the process to be suspended until the kernel has ensured that
+all outstanding data in kernel disk buffers has been safely stored
+onto stable storage. This is very slow and should only be done
+rarely. Setting this parameter to no (the
default) means that smbd ignores the Windows applications requests for
-a sync call\&. There is only a possibility of losing data if the
+a sync call. There is only a possibility of losing data if the
operating system itself that Samba is running on crashes, so there is
-little danger in this default setting\&. In addition, this fixes many
+little danger in this default setting. In addition, this fixes many
performance problems that people have reported with the new Windows98
-explorer shell file copies\&.
-.IP
-See also the \fB"sync always"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW strict sync = no\fP
-.IP
-\fBExample:\fP
-\f(CW strict sync = yes\fP
-.IP
-.IP "\fBstrip dot (G)\fP"
-.IP
-This is a boolean that controls whether to strip trailing dots off
-UNIX filenames\&. This helps with some CDROMs that have filenames ending
-in a single dot\&.
-.IP
-\fBDefault:\fP
-\f(CW strip dot = no\fP
-.IP
-\fBExample:\fP
-\f(CW strip dot = yes\fP
-.IP
-.IP "\fBsync always (S)\fP"
-.IP
-This is a boolean parameter that controls whether writes will always
-be written to stable storage before the write call returns\&. If this is
-false then the server will be guided by the client\'s request in each
-write call (clients can set a bit indicating that a particular write
-should be synchronous)\&. If this is true then every write will be
-followed by a fsync() call to ensure the data is written to disk\&.
-Note that the \fB"strict sync"\fP parameter must be
-set to \f(CW"yes"\fP in order for this parameter to have any affect\&.
-.IP
-See also the \fB"strict sync"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW sync always = no\fP
-.IP
-\fBExample:\fP
-\f(CW sync always = yes\fP
-.IP
-.IP "\fBsyslog (G)\fP"
-.IP
-This parameter maps how Samba debug messages are logged onto the
-system syslog logging levels\&. Samba debug level zero maps onto syslog
-LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps
-onto LOG_NOTICE, debug level three maps onto LOG_INFO\&. All higher
-levels are mapped to LOG_DEBUG\&.
-.IP
-This paramter sets the threshold for sending messages to syslog\&.
-Only messages with debug level less than this value will be sent
-to syslog\&.
-.IP
-\fBDefault:\fP
-\f(CW syslog = 1\fP
-.IP
-.IP "\fBsyslog only (G)\fP"
-.IP
-If this parameter is set then Samba debug messages are logged into the
-system syslog only, and not to the debug log files\&.
-.IP
-\fBDefault:\fP
-\f(CW syslog only = no\fP
-.IP
-.IP "\fBtemplate homedir (G)\fP"
-.IP
-NOTE: this parameter is only available in Samba 3\&.0\&.
-.IP
-When filling out the user information for a Windows NT user, the
-\fBwinbindd\fP daemon uses this parameter to fill in
-the home directory for that user\&. If the string \f(CW%D\fP is present it is
-substituted with the user\'s Windows NT domain name\&. If the string \f(CW%U\fP
-is present it is substituted with the user\'s Windows NT user name\&.
-.IP
-\fBDefault:\fP
-\f(CW template homedir = /home/%D/%U\fP
-.IP
-.IP "\fBtemplate shell (G)\fP"
-.IP
-NOTE: this parameter is only available in Samba 3\&.0\&.
-.IP
-When filling out the user information for a Windows NT user, the
-\fBwinbindd\fP daemon uses this parameter to fill in
-the login shell for that user\&.
-.IP
-\fBDefault:\fP
-\f(CW template shell = /bin/false\fP
-.IP
-.IP "\fBtime offset (G)\fP"
-.IP
-This parameter is a setting in minutes to add to the normal GMT to
-local time conversion\&. This is useful if you are serving a lot of PCs
-that have incorrect daylight saving time handling\&.
-.IP
-\fBDefault:\fP
-\f(CW time offset = 0\fP
-.IP
-\fBExample:\fP
-\f(CW time offset = 60\fP
-.IP
-.IP
-.IP "\fBtime server (G)\fP"
-.IP
-This parameter determines if \fBnmbd\fP advertises
-itself as a time server to Windows clients\&. The default is False\&.
-.IP
-\fBDefault:\fP
-\f(CW time server = False\fP
-.IP
-\fBExample:\fP
-\f(CW time server = True\fP
-.IP
-.IP "\fBtimestamp logs (G)\fP"
-.IP
-Synonym for \fB"debug timestamp"\fP\&.
-.IP
-.IP "\fBunix password sync (G)\fP"
-.IP
-This boolean parameter controls whether Samba attempts to synchronize
-the UNIX password with the SMB password when the encrypted SMB
-password in the smbpasswd file is changed\&. If this is set to true the
-program specified in the \fB"passwd program"\fP
-parameter is called \fI*AS ROOT*\fP - to allow the new UNIX password to be
-set without access to the old UNIX password (as the SMB password has
-change code has no access to the old password cleartext, only the
-new)\&. By default this is set to \f(CW"false"\fP\&.
-.IP
-See also \fB"passwd program"\fP, \fB"passwd
-chat"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW unix password sync = False\fP
-.IP
-\fBExample:\fP
-\f(CW unix password sync = True\fP
-.IP
-.IP "\fBunix realname (G)\fP"
-.IP
-This boolean parameter when set causes samba to supply the real name
-field from the unix password file to the client\&. This is useful for
-setting up mail clients and WWW browsers on systems used by more than
-one person\&.
-.IP
-\fBDefault:\fP
-\f(CW unix realname = no\fP
-.IP
-\fBExample:\fP
-\f(CW unix realname = yes\fP
-.IP
-.IP "\fBupdate encrypted (G)\fP"
-.IP
-This boolean parameter allows a user logging on with a plaintext
-password to have their encrypted (hashed) password in the smbpasswd
-file to be updated automatically as they log on\&. This option allows a
-site to migrate from plaintext password authentication (users
-authenticate with plaintext password over the wire, and are checked
-against a UNIX account database) to encrypted password authentication
-(the SMB challenge/response authentication mechanism) without forcing
+explorer shell file copies.
+
+See also the \fIsync
+always>\fR parameter.
+
+Default: \fBstrict sync = no\fR
+.TP
+\fBstrip dot (G)\fR
+This is a boolean that controls whether to
+strip trailing dots off UNIX filenames. This helps with some
+CDROMs that have filenames ending in a single dot.
+
+Default: \fBstrip dot = no\fR
+.TP
+\fBsync always (S)\fR
+This is a boolean parameter that controls
+whether writes will always be written to stable storage before
+the write call returns. If this is false then the server will be
+guided by the client's request in each write call (clients can
+set a bit indicating that a particular write should be synchronous).
+If this is true then every write will be followed by a \fBfsync()
+\fRcall to ensure the data is written to disk. Note that
+the \fIstrict sync\fR parameter must be set to
+yes in order for this parameter to have
+any affect.
+
+See also the \fIstrict
+sync\fR parameter.
+
+Default: \fBsync always = no\fR
+.TP
+\fBsyslog (G)\fR
+This parameter maps how Samba debug messages
+are logged onto the system syslog logging levels. Samba debug
+level zero maps onto syslog LOG_ERR, debug
+level one maps onto LOG_WARNING, debug level
+two maps onto LOG_NOTICE, debug level three
+maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.
+
+This paramter sets the threshold for sending messages
+to syslog. Only messages with debug level less than this value
+will be sent to syslog.
+
+Default: \fBsyslog = 1\fR
+.TP
+\fBsyslog only (G)\fR
+If this parameter is set then Samba debug
+messages are logged into the system syslog only, and not to
+the debug log files.
+
+Default: \fBsyslog only = no\fR
+.TP
+\fBtemplate homedir (G)\fR
+\fBNOTE:\fR this parameter is
+only available in Samba 3.0.
+
+When filling out the user information for a Windows NT
+user, the winbindd(8) <URL:winbindd.8.html> daemon
+uses this parameter to fill in the home directory for that user.
+If the string \fI%D\fR is present it is substituted
+with the user's Windows NT domain name. If the string \fI%U
+\fRis present it is substituted with the user's Windows
+NT user name.
+
+Default: \fBtemplate homedir = /home/%D/%U\fR
+.TP
+\fBtemplate shell (G)\fR
+\fBNOTE:\fR this parameter is
+only available in Samba 3.0.
+
+When filling out the user information for a Windows NT
+user, the winbindd(8) <URL:winbindd.8.html> daemon
+uses this parameter to fill in the login shell for that user.
+
+Default: \fBtemplate shell = /bin/false\fR
+.TP
+\fBtime offset (G)\fR
+This parameter is a setting in minutes to add
+to the normal GMT to local time conversion. This is useful if
+you are serving a lot of PCs that have incorrect daylight
+saving time handling.
+
+Default: \fBtime offset = 0\fR
+
+Example: \fBtime offset = 60\fR
+.TP
+\fBtime server (G)\fR
+This parameter determines if
+nmbd(8) <URL:nmbd.8.html> advertises itself as a time server to Windows
+clients.
+
+Default: \fBtime server = no\fR
+.TP
+\fBtimestamp logs (G)\fR
+Synonym for \fI debug timestamp\fR.
+.TP
+\fBunix password sync (G)\fR
+This boolean parameter controls whether Samba
+attempts to synchronize the UNIX password with the SMB password
+when the encrypted SMB password in the smbpasswd file is changed.
+If this is set to true the program specified in the \fIpasswd
+program\fRparameter is called \fBAS ROOT\fR -
+to allow the new UNIX password to be set without access to the
+old UNIX password (as the SMB password has change code has no
+access to the old password cleartext, only the new).
+
+See also \fIpasswd
+program\fR, \fI passwd chat\fR.
+
+Default: \fBunix password sync = no\fR
+.TP
+\fBunix realname (G)\fR
+This boolean parameter when set causes samba
+to supply the real name field from the unix password file to
+the client. This isuseful for setting up mail clients and WWW
+browsers on systems used by more than one person.
+
+Default: \fBunix realname = no\fR
+.TP
+\fBupdate encrypted (G)\fR
+This boolean parameter allows a user logging
+on with a plaintext password to have their encrypted (hashed)
+password in the smbpasswd file to be updated automatically as
+they log on. This option allows a site to migrate from plaintext
+password authentication (users authenticate with plaintext
+password over the wire, and are checked against a UNIX account
+database) to encrypted password authentication (the SMB
+challenge/response authentication mechanism) without forcing
all users to re-enter their passwords via smbpasswd at the time the
-change is made\&. This is a convenience option to allow the change over
-to encrypted passwords to be made over a longer period\&. Once all users
+change is made. This is a convenience option to allow the change over
+to encrypted passwords to be made over a longer period. Once all users
have encrypted representations of their passwords in the smbpasswd
-file this parameter should be set to \f(CW"off"\fP\&.
-.IP
-In order for this parameter to work correctly the \fB"encrypt
-passwords"\fP parameter must be set to \f(CW"no"\fP when
-this parameter is set to \f(CW"yes"\fP\&.
-.IP
-Note that even when this parameter is set a user authenticating to
-smbd must still enter a valid password in order to connect correctly,
-and to update their hashed (smbpasswd) passwords\&.
-.IP
-\fBDefault:\fP
-\f(CW update encrypted = no\fP
-.IP
-\fBExample:\fP
-\f(CW update encrypted = yes\fP
-.IP
-.IP "\fBuse rhosts (G)\fP"
-.IP
-If this global parameter is a true, it specifies that the UNIX users
-\f(CW"\&.rhosts"\fP file in their home directory will be read to find the
-names of hosts and users who will be allowed access without specifying
-a password\&.
-.IP
-NOTE: The use of \fBuse rhosts\fP can be a major security hole\&. This is
-because you are trusting the PC to supply the correct username\&. It is
-very easy to get a PC to supply a false username\&. I recommend that the
-\fBuse rhosts\fP option be only used if you really know what you are
-doing\&.
-.IP
-\fBDefault:\fP
-\f(CW use rhosts = no\fP
-.IP
-\fBExample:\fP
-\f(CW use rhosts = yes\fP
-.IP
-.IP "\fBuser (S)\fP"
-.IP
-Synonym for \fB"username"\fP\&.
-.IP
-.IP "\fBusers (S)\fP"
-.IP
-Synonym for \fB"username"\fP\&.
-.IP
-.IP "\fBusername (S)\fP"
-.IP
-Multiple users may be specified in a comma-delimited list, in which
-case the supplied password will be tested against each username in
-turn (left to right)\&.
-.IP
-The \fBusername=\fP line is needed only when the PC is unable to supply
-its own username\&. This is the case for the COREPLUS protocol or where
-your users have different WfWg usernames to UNIX usernames\&. In both
-these cases you may also be better using the \f(CW\e\eserver\eshare%user\fP
-syntax instead\&.
-.IP
-The \fBusername=\fP line is not a great solution in many cases as it
-means Samba will try to validate the supplied password against each of
-the usernames in the username= line in turn\&. This is slow and a bad
-idea for lots of users in case of duplicate passwords\&. You may get
-timeouts or security breaches using this parameter unwisely\&.
-.IP
-Samba relies on the underlying UNIX security\&. This parameter does not
-restrict who can login, it just offers hints to the Samba server as to
-what usernames might correspond to the supplied password\&. Users can
-login as whoever they please and they will be able to do no more
-damage than if they started a telnet session\&. The daemon runs as the
-user that they log in as, so they cannot do anything that user cannot
-do\&.
-.IP
-To restrict a service to a particular set of users you can use the
-\fB"valid users="\fP parameter\&.
-.IP
-If any of the usernames begin with a \f(CW\'@\'\fP then the name will be
-looked up first in the yp netgroups list (if Samba is compiled with
-netgroup support), followed by a lookup in the UNIX groups database
-and will expand to a list of all users in the group of that name\&.
-.IP
-If any of the usernames begin with a \f(CW\'+\'\fP then the name will be
-looked up only in the UNIX groups database and will expand to a list
-of all users in the group of that name\&.
-.IP
-If any of the usernames begin with a \f(CW\'&\'\fP then the name will be
-looked up only in the yp netgroups database (if Samba is compiled with
-netgroup support) and will expand to a list of all users in the
-netgroup group of that name\&.
-.IP
-Note that searching though a groups database can take quite some time,
-and some clients may time out during the search\&.
-.IP
-See the section \fB"NOTE ABOUT USERNAME/PASSWORD
-VALIDATION"\fP for more
-information on how this parameter determines access to the services\&.
-.IP
-\fBDefault:\fP
-\f(CW The guest account if a guest service, else the name of the service\&.\fP
-.IP
-\fBExamples:\fP
-
-.nf
-
+file this parameter should be set to no.
- username = fred
- username = fred, mary, jack, jane, @users, @pcgroup
+In order for this parameter to work correctly the \fIencrypt passwords\fR
+parameter must be set to no when
+this parameter is set to yes.
-.fi
-
+Note that even when this parameter is set a user
+authenticating to \fBsmbd\fR must still enter a valid
+password in order to connect correctly, and to update their hashed
+(smbpasswd) passwords.
+
+Default: \fBupdate encrypted = no\fR
+.TP
+\fBuse rhosts (G)\fR
+If this global parameter is a true, it specifies
+that the UNIX users \fI.rhosts\fR file in their home directory
+will be read to find the names of hosts and users who will be allowed
+access without specifying a password.
+
+\fBNOTE:\fR The use of \fIuse rhosts
+\fRcan be a major security hole. This is because you are
+trusting the PC to supply the correct username. It is very easy to
+get a PC to supply a false username. I recommend that the \fI use rhosts\fR option be only used if you really know what
+you are doing.
+
+Default: \fBuse rhosts = no\fR
+.TP
+\fBuser (S)\fR
+Synonym for \fI username\fR.
+.TP
+\fBusers (S)\fR
+Synonym for \fI username\fR.
+.TP
+\fBusername (S)\fR
+Multiple users may be specified in a comma-delimited
+list, in which case the supplied password will be tested against
+each username in turn (left to right).
-.IP
-.IP "\fBusername level (G)\fP"
-.IP
-This option helps Samba to try and \'guess\' at the real UNIX username,
-as many DOS clients send an all-uppercase username\&. By default Samba
-tries all lowercase, followed by the username with the first letter
-capitalized, and fails if the username is not found on the UNIX
-machine\&.
-.IP
-If this parameter is set to non-zero the behavior changes\&. This
-parameter is a number that specifies the number of uppercase
-combinations to try whilst trying to determine the UNIX user name\&. The
+The \fIusername\fR line is needed only when
+the PC is unable to supply its own username. This is the case
+for the COREPLUS protocol or where your users have different WfWg
+usernames to UNIX usernames. In both these cases you may also be
+better using the \\\\server\\share%user syntax instead.
+
+The \fIusername\fR line is not a great
+solution in many cases as it means Samba will try to validate
+the supplied password against each of the usernames in the
+\fIusername\fR line in turn. This is slow and
+a bad idea for lots of users in case of duplicate passwords.
+You may get timeouts or security breaches using this parameter
+unwisely.
+
+Samba relies on the underlying UNIX security. This
+parameter does not restrict who can login, it just offers hints
+to the Samba server as to what usernames might correspond to the
+supplied password. Users can login as whoever they please and
+they will be able to do no more damage than if they started a
+telnet session. The daemon runs as the user that they log in as,
+so they cannot do anything that user cannot do.
+
+To restrict a service to a particular set of users you
+can use the \fIvalid users
+\fRparameter.
+
+If any of the usernames begin with a '@' then the name
+will be looked up first in the yp netgroups list (if Samba
+is compiled with netgroup support), followed by a lookup in
+the UNIX groups database and will expand to a list of all users
+in the group of that name.
+
+If any of the usernames begin with a '+' then the name
+will be looked up only in the UNIX groups database and will
+expand to a list of all users in the group of that name.
+
+If any of the usernames begin with a '&'then the name
+will be looked up only in the yp netgroups database (if Samba
+is compiled with netgroup support) and will expand to a list
+of all users in the netgroup group of that name.
+
+Note that searching though a groups database can take
+quite some time, snd some clients may time out during the
+search.
+
+See the section NOTE ABOUT
+USERNAME/PASSWORD VALIDATION for more information on how
+this parameter determines access to the services.
+
+Default: \fBThe guest account if a guest service,
+else the name of the service.\fR
+
+Examples:\fBusername = fred, mary, jack, jane,
+@users, @pcgroup\fR
+.TP
+\fBusername level (G)\fR
+This option helps Samba to try and 'guess' at
+the real UNIX username, as many DOS clients send an all-uppercase
+username. By default Samba tries all lowercase, followed by the
+username with the first letter capitalized, and fails if the
+username is not found on the UNIX machine.
+
+If this parameter is set to non-zero the behavior changes.
+This parameter is a number that specifies the number of uppercase
+combinations to try whilst trying to determine the UNIX user name. The
higher the number the more combinations will be tried, but the slower
-the discovery of usernames will be\&. Use this parameter when you have
-strange usernames on your UNIX machine, such as \f(CW"AstrangeUser"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW username level = 0\fP
-.IP
-\fBExample:\fP
-\f(CW username level = 5\fP
-.IP
-.IP "\fBusername map (G)\fP"
-.IP
-This option allows you to specify a file containing a mapping of
-usernames from the clients to the server\&. This can be used for several
-purposes\&. The most common is to map usernames that users use on DOS or
-Windows machines to those that the UNIX box uses\&. The other is to map
-multiple users to a single username so that they can more easily share
-files\&.
-.IP
-The map file is parsed line by line\&. Each line should contain a single
-UNIX username on the left then a \f(CW\'=\'\fP followed by a list of
-usernames on the right\&. The list of usernames on the right may contain
-names of the form @group in which case they will match any UNIX
-username in that group\&. The special client name \f(CW\'*\'\fP is a wildcard
-and matches any name\&. Each line of the map file may be up to 1023
-characters long\&.
-.IP
-The file is processed on each line by taking the supplied username and
-comparing it with each username on the right hand side of the \f(CW\'=\'\fP
-signs\&. If the supplied name matches any of the names on the right hand
-side then it is replaced with the name on the left\&. Processing then
-continues with the next line\&.
-.IP
-If any line begins with a \f(CW\'#\'\fP or a \f(CW\';\'\fP then it is ignored
-.IP
-If any line begins with an \f(CW\'!\'\fP then the processing will stop after
-that line if a mapping was done by the line\&. Otherwise mapping
-continues with every line being processed\&. Using \f(CW\'!\'\fP is most
-useful when you have a wildcard mapping line later in the file\&.
-.IP
-For example to map from the name \f(CW"admin"\fP or \f(CW"administrator"\fP to
-the UNIX name \f(CW"root"\fP you would use:
-.IP
-\f(CW root = admin administrator\fP
-.IP
-Or to map anyone in the UNIX group \f(CW"system"\fP to the UNIX name
-\f(CW"sys"\fP you would use:
-.IP
-\f(CW sys = @system\fP
-.IP
-You can have as many mappings as you like in a username map file\&.
-.IP
-If your system supports the NIS NETGROUP option then the netgroup
-database is checked before the \f(CW/etc/group\fP database for matching
-groups\&.
-.IP
-You can map Windows usernames that have spaces in them by using double
-quotes around the name\&. For example:
-.IP
-\f(CW tridge = "Andrew Tridgell"\fP
-.IP
-would map the windows username \f(CW"Andrew Tridgell"\fP to the unix
-username tridge\&.
-.IP
-The following example would map mary and fred to the unix user sys,
-and map the rest to guest\&. Note the use of the \f(CW\'!\'\fP to tell Samba
-to stop processing if it gets a match on that line\&.
-.IP
-
-.nf
-
+the discovery of usernames will be. Use this parameter when you have
+strange usernames on your UNIX machine, such as AstrangeUser
+\&.
- !sys = mary fred
- guest = *
+Default: \fBusername level = 0\fR
-.fi
-
+Example: \fBusername level = 5\fR
+.TP
+\fBusername map (G)\fR
+This option allows you to specify a file containing
+a mapping of usernames from the clients to the server. This can be
+used for several purposes. The most common is to map usernames
+that users use on DOS or Windows machines to those that the UNIX
+box uses. The other is to map multiple users to a single username
+so that they can more easily share files.
+
+The map file is parsed line by line. Each line should
+contain a single UNIX username on the left then a '=' followed
+by a list of usernames on the right. The list of usernames on the
+right may contain names of the form @group in which case they
+will match any UNIX username in that group. The special client
+name '*' is a wildcard and matches any name. Each line of the
+map file may be up to 1023 characters long.
+
+The file is processed on each line by taking the
+supplied username and comparing it with each username on the right
+hand side of the '=' signs. If the supplied name matches any of
+the names on the right hand side then it is replaced with the name
+on the left. Processing then continues with the next line.
+
+If any line begins with a '#' or a ';' then it is
+ignored
-.IP
-Note that the remapping is applied to all occurrences of
-usernames\&. Thus if you connect to \f(CW"\e\eserver\efred"\fP and \f(CW"fred"\fP
-is remapped to \f(CW"mary"\fP then you will actually be connecting to
-\f(CW"\e\eserver\emary"\fP and will need to supply a password suitable for
-\f(CW"mary"\fP not \f(CW"fred"\fP\&. The only exception to this is the username
-passed to the \fB"password server"\fP (if you have
-one)\&. The password server will receive whatever username the client
-supplies without modification\&.
-.IP
-Also note that no reverse mapping is done\&. The main effect this has is
-with printing\&. Users who have been mapped may have trouble deleting
-print jobs as PrintManager under WfWg will think they don\'t own the
-print job\&.
-.IP
-\fBDefault:\fP
-\f(CW no username map\fP
-.IP
-\fBExample:\fP
-\f(CW username map = /usr/local/samba/lib/users\&.map\fP
-.IP
-.IP "\fButmp (S)\fP"
-.IP
-This boolean parameter is only available if Samba has been configured and compiled
-with the option \f(CW--with-utmp\fP\&. If set to True then Samba will attempt
+If any line begins with an '!' then the processing
+will stop after that line if a mapping was done by the line.
+Otherwise mapping continues with every line being processed.
+Using '!' is most useful when you have a wildcard mapping line
+later in the file.
+
+For example to map from the name admin
+or administrator to the UNIX name root you would use:
+
+\fBroot = admin administrator\fR
+
+Or to map anyone in the UNIX group system
+to the UNIX name sys you would use:
+
+\fBsys = @system\fR
+
+You can have as many mappings as you like in a username
+map file.
+
+If your system supports the NIS NETGROUP option then
+the netgroup database is checked before the \fI/etc/group
+\fRdatabase for matching groups.
+
+You can map Windows usernames that have spaces in them
+by using double quotes around the name. For example:
+
+\fBtridge = "Andrew Tridgell"\fR
+
+would map the windows username "Andrew Tridgell" to the
+unix username "tridge".
+
+The following example would map mary and fred to the
+unix user sys, and map the rest to guest. Note the use of the
+\&'!' to tell Samba to stop processing if it gets a match on
+that line.
+
+.sp
+.nf
+ !sys = mary fred
+ guest = *
+
+.sp
+.fi
+
+Note that the remapping is applied to all occurrences
+of usernames. Thus if you connect to \\\\server\\fred and fred is remapped to mary then you
+will actually be connecting to \\\\server\\mary and will need to
+supply a password suitable for mary not
+fred. The only exception to this is the
+username passed to the \fI password server\fR (if you have one). The password
+server will receive whatever username the client supplies without
+modification.
+
+Also note that no reverse mapping is done. The main effect
+this has is with printing. Users who have been mapped may have
+trouble deleting print jobs as PrintManager under WfWg will think
+they don't own the print job.
+
+Default: \fBno username map\fR
+
+Example: \fBusername map = /usr/local/samba/lib/users.map
+\fR.TP
+\fButmp (S)\fR
+This boolean parameter is only available if
+Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to True then Samba will attempt
to add utmp or utmpx records (depending on the UNIX system) whenever a
-connection is made to a Samba server\&. Sites may use this to record the
-user connecting to a Samba share\&.
-.IP
-See also the \fB"utmp directory"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CWutmp = False\fP
-.IP
-\fBExample:\fP
-\f(CWutmp = True\fP
-.IP
-.IP "\fButmp directory(G)\fP"
-.IP
-This parameter is only available if Samba has been configured and compiled
-with the option \f(CW--with-utmp\fP\&. It specifies a directory pathname that is
+connection is made to a Samba server. Sites may use this to record the
+user connecting to a Samba share.
+
+See also the \fI utmp directory\fR parameter.
+
+Default: \fButmp = no\fR
+.TP
+\fButmp directory(G)\fR
+This parameter is only available if Samba has
+been configured and compiled with the option \fB --with-utmp\fR. It specifies a directory pathname that is
used to store the utmp or utmpx files (depending on the UNIX system) that
-record user connections to a Samba server\&. See also the \fB"utmp"\fP
-parameter\&. By default this is not set, meaning the system will use whatever
-utmp file the native system is set to use (usually /var/run/utmp on Linux)\&.
-.IP
-\fBDefault:\fP
-\f(CWno utmp directory\fP
-.IP
-\fBExample:\fP
-\f(CWutmp directory = /var/adm/\fP
-.IP
-.IP "winbind cache time"
-.IP
-NOTE: this parameter is only available in Samba 3\&.0\&.
-.IP
+record user connections to a Samba server. See also the \fIutmp\fR parameter. By default this is
+not set, meaning the system will use whatever utmp file the
+native system is set to use (usually
+\fI/var/run/utmp\fR on Linux).
+
+Default: \fBno utmp directory\fR
+.TP
+\fBwinbind cache time\fR
+\fBNOTE:\fR this parameter is only
+available in Samba 3.0.
+
This parameter specifies the number of seconds the
-\fBwinbindd\fP daemon will cache user and group
-information before querying a Windows NT server again\&.
-.IP
-\fBDefault:\fP
-\f(CW winbind cache type = 15\fP
-.IP
-.IP "winbind gid"
-.IP
-NOTE: this parameter is only available in Samba 3\&.0\&.
-.IP
-The winbind gid parameter specifies the range of group ids that are
-allocated by the \fBwinbindd\fP daemon\&. This range of
-group ids should have no existing local or nis groups within it as strange
-conflicts can occur otherwise\&.
-.IP
-\fBDefault:\fP
-\f(CW winbind gid = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW winbind gid = 10000-20000\fP
-.IP
-.IP "winbind uid"
-.IP
-NOTE: this parameter is only available in Samba 3\&.0\&.
-.IP
-The winbind uid parameter specifies the range of user ids that are
-allocated by the \fBwinbindd\fP daemon\&. This range of
-ids should have no existing local or nis users within it as strange
-conflicts can occur otherwise\&.
-.IP
-\fBDefault:\fP
-\f(CW winbind uid = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW winbind uid = 10000-20000\fP
-.IP
-.IP "\fBvalid chars (G)\fP"
-.IP
-The option allows you to specify additional characters that should be
-considered valid by the server in filenames\&. This is particularly
-useful for national character sets, such as adding u-umlaut or a-ring\&.
-.IP
-The option takes a list of characters in either integer or character
-form with spaces between them\&. If you give two characters with a colon
-between them then it will be taken as an lowercase:uppercase pair\&.
-.IP
-If you have an editor capable of entering the characters into the
-config file then it is probably easiest to use this method\&. Otherwise
-you can specify the characters in octal, decimal or hexadecimal form
-using the usual C notation\&.
-.IP
-For example to add the single character \f(CW\'Z\'\fP to the charset (which
-is a pointless thing to do as it\'s already there) you could do one of
-the following
-.IP
-
-.nf
-
+winbindd(8) <URL:winbindd.8.html> daemon will cache
+user and group information before querying a Windows NT server
+again.
- valid chars = Z
- valid chars = z:Z
- valid chars = 0132:0172
+Default: \fBwinbind cache type = 15\fR
+.TP
+\fBwinbind gid\fR
+\fBNOTE:\fR this parameter is only
+available in Samba 3.0.
-.fi
-
+The winbind gid parameter specifies the range of group
+ids that are allocated by the winbindd(8) <URL:winbindd.8.html> daemon. This range of group ids should have no
+existing local or nis groups within it as strange conflicts can
+occur otherwise.
-.IP
-The last two examples above actually add two characters, and alter the
-uppercase and lowercase mappings appropriately\&.
-.IP
-Note that you MUST specify this parameter after the \fB"client
-code page"\fP parameter if you have both set\&. If
-\fB"client code page"\fP is set after the
-\fB"valid chars"\fP parameter the \fB"valid chars"\fP settings will be
-overwritten\&.
-.IP
-See also the \fB"client code page"\fP parameter\&.
-.IP
-\fBDefault:\fP
-
-.nf
-
+Default: \fBwinbind gid = <empty string>
+\fR
+Example: \fBwinbind gid = 10000-20000\fR
+.TP
+\fBwinbind uid\fR
+\fBNOTE:\fR this parameter is only
+available in Samba 3.0.
- Samba defaults to using a reasonable set of valid characters
- for English systems
+The winbind gid parameter specifies the range of group
+ids that are allocated by the winbindd(8) <URL:winbindd.8.html> daemon. This range of ids should have no
+existing local or nis users within it as strange conflicts can
+occur otherwise.
-.fi
-
+Default: \fBwinbind uid = <empty string>
+\fR
+Example: \fBwinbind uid = 10000-20000\fR
+.TP
+\fBvalid chars (G)\fR
+The option allows you to specify additional
+characters that should be considered valid by the server in
+filenames. This is particularly useful for national character
+sets, such as adding u-umlaut or a-ring.
-.IP
-\fBExample\fP
-\f(CW valid chars = 0345:0305 0366:0326 0344:0304\fP
-.IP
-The above example allows filenames to have the Swedish characters in
-them\&.
-.IP
-NOTE: It is actually quite difficult to correctly produce a \fB"valid
-chars"\fP line for a particular system\&. To automate the process
-\fItino@augsburg\&.net\fP has written a package called \fB"validchars"\fP
-which will automatically produce a complete \fB"valid chars"\fP line for
-a given client system\&. Look in the examples/validchars/ subdirectory
-of your Samba source code distribution for this package\&.
-.IP
-.IP "\fBvalid users (S)\fP"
-.IP
-This is a list of users that should be allowed to login to this
-service\&. Names starting with \f(CW\'@\'\fP, \f(CW\'+\'\fP and \f(CW\'&\'\fP are
-interpreted using the same rules as described in the \fB"invalid
-users"\fP parameter\&.
-.IP
-If this is empty (the default) then any user can login\&. If a username
-is in both this list and the \fB"invalid users"\fP
-list then access is denied for that user\&.
-.IP
-The current servicename is substituted for
-\fB"%S"\fP\&. This is useful in the
-\fB[homes]\fP section\&.
-.IP
-See also \fB"invalid users"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW No valid users list\&. (anyone can login)\fP
-.IP
-\fBExample:\fP
-\f(CW valid users = greg, @pcusers\fP
-.IP
-.IP "\fBveto files(S)\fP"
-.IP
-This is a list of files and directories that are neither visible nor
-accessible\&. Each entry in the list must be separated by a \f(CW\'/\'\fP,
-which allows spaces to be included in the entry\&. \f(CW\'*\'\fP and \f(CW\'?\'\fP
-can be used to specify multiple files or directories as in DOS
-wildcards\&.
-.IP
-Each entry must be a unix path, not a DOS path and must \fI*not*\fP include the
-unix directory separator \f(CW\'/\'\fP\&.
-.IP
-Note that the \fB"case sensitive"\fP option is
-applicable in vetoing files\&.
-.IP
-One feature of the veto files parameter that it is important to be
-aware of, is that if a directory contains nothing but files that match
-the veto files parameter (which means that Windows/DOS clients cannot
-ever see them) is deleted, the veto files within that directory *are
-automatically deleted* along with it, if the user has UNIX permissions
-to do so\&.
-.IP
-Setting this parameter will affect the performance of Samba, as it
-will be forced to check all files and directories for a match as they
-are scanned\&.
-.IP
-See also \fB"hide files"\fP and \fB"case
-sensitive"\fP\&.
-.IP
-\fBDefault:\fP
-\f(CW No files or directories are vetoed\&.\fP
-.IP
-\fBExamples:\fP
-.IP
-Example 1\&.
-.IP
-
-.nf
-
+The option takes a list of characters in either integer
+or character form with spaces between them. If you give two
+characters with a colon between them then it will be taken as
+an lowercase:uppercase pair.
+If you have an editor capable of entering the characters
+into the config file then it is probably easiest to use this
+method. Otherwise you can specify the characters in octal,
+decimal or hexadecimal form using the usual C notation.
- Veto any files containing the word Security,
- any ending in \&.tmp, and any directory containing the
- word root\&.
+For example to add the single character 'Z' to the charset
+(which is a pointless thing to do as it's already there) you could
+do one of the following
- veto files = /*Security*/*\&.tmp/*root*/
+.sp
+.nf
+ valid chars = Z
+ valid chars = z:Z
+ valid chars = 0132:0172
+
+.sp
+.fi
-.fi
-
+The last two examples above actually add two characters,
+and alter the uppercase and lowercase mappings appropriately.
-.IP
-Example 2\&.
-.IP
+Note that you \fBMUST\fR specify this parameter
+after the \fIclient code page\fR parameter if you
+have both set. If \fIclient code page\fR is set after
+the \fIvalid chars\fR parameter the \fIvalid
+chars\fR settings will be overwritten.
-.nf
-
+See also the \fIclient
+code page\fR parameter.
- Veto the Apple specific files that a NetAtalk server
- creates\&.
+Default: \fBSamba defaults to using a reasonable set
+of valid characters for English systems\fR
- veto files = /\&.AppleDouble/\&.bin/\&.AppleDesktop/Network Trash Folder/
+Example: \fBvalid chars = 0345:0305 0366:0326 0344:0304
+\fR
+The above example allows filenames to have the Swedish
+characters in them.
-.fi
-
+\fBNOTE:\fR It is actually quite difficult to
+correctly produce a \fIvalid chars\fR line for
+a particular system. To automate the process tino@augsburg.net <URL:mailto:tino@augsburg.net> has written
+a package called \fBvalidchars\fR which will automatically
+produce a complete \fIvalid chars\fR line for
+a given client system. Look in the \fIexamples/validchars/
+\fRsubdirectory of your Samba source code distribution
+for this package.
+.TP
+\fBvalid users (S)\fR
+This is a list of users that should be allowed
+to login to this service. Names starting with '@', '+' and '&'
+are interpreted using the same rules as described in the
+\fIinvalid users\fR parameter.
+
+If this is empty (the default) then any user can login.
+If a username is in both this list and the \fIinvalid
+users\fR list then access is denied for that user.
+
+The current servicename is substituted for \fI%S
+\fR\&. This is useful in the [homes] section.
+
+See also \fIinvalid users
+\fR
+Default: \fBNo valid users list (anyone can login)
+\fR
+Example: \fBvalid users = greg, @pcusers\fR
+.TP
+\fBveto files(S)\fR
+This is a list of files and directories that
+are neither visible nor accessible. Each entry in the list must
+be separated by a '/', which allows spaces to be included
+in the entry. '*' and '?' can be used to specify multiple files
+or directories as in DOS wildcards.
+
+Each entry must be a unix path, not a DOS path and
+must \fBnot\fR include the unix directory
+separator '/'.
+
+Note that the \fIcase sensitive\fR option
+is applicable in vetoing files.
-.IP
-.IP "\fBveto oplock files (S)\fP"
-.IP
-This parameter is only valid when the \fB"oplocks"\fP
-parameter is turned on for a share\&. It allows the Samba administrator
+One feature of the veto files parameter that it is important
+to be aware of, is that if a directory contains nothing but files
+that match the veto files parameter (which means that Windows/DOS
+clients cannot ever see them) is deleted, the veto files within
+that directory \fBare automatically deleted\fR along
+with it, if the user has UNIX permissions to do so.
+
+Setting this parameter will affect the performance
+of Samba, as it will be forced to check all files and directories
+for a match as they are scanned.
+
+See also \fIhide files
+\fRand \fI case sensitive\fR.
+
+Default: \fBNo files or directories are vetoed.
+\fR
+Examples:
+.sp
+.nf
+ ; Veto any files containing the word Security,
+ ; any ending in .tmp, and any directory containing the
+ ; word root.
+ veto files = /*Security*/*.tmp/*root*/
+
+ ; Veto the Apple specific files that a NetAtalk server
+ ; creates.
+ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+
+.sp
+.fi
+.TP
+\fBveto oplock files (S)\fR
+This parameter is only valid when the \fIoplocks\fR
+parameter is turned on for a share. It allows the Samba administrator
to selectively turn off the granting of oplocks on selected files that
match a wildcarded list, similar to the wildcarded list used in the
-\fB"veto files"\fP parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW No files are vetoed for oplock grants\&.\fP
-.IP
-\fBExamples:\fP
-.IP
-You might want to do this on files that you know will be heavily
-contended for by clients\&. A good example of this is in the NetBench
-SMB benchmark program, which causes heavy client contention for files
-ending in \f(CW"\&.SEM"\fP\&. To cause Samba not to grant oplocks on these
-files you would use the line (either in the \fB[global]\fP
-section or in the section for the particular NetBench share :
-.IP
-\f(CW veto oplock files = /*\&.SEM/\fP
-.IP
-.IP "\fBvolume (S)\fP"
-.IP
-This allows you to override the volume label returned for a
-share\&. Useful for CDROMs with installation programs that insist on a
-particular volume label\&.
-.IP
-The default is the name of the share\&.
-.IP
-.IP "\fBwide links (S)\fP"
-.IP
-This parameter controls whether or not links in the UNIX file system
-may be followed by the server\&. Links that point to areas within the
-directory tree exported by the server are always allowed; this
-parameter controls access only to areas that are outside the directory
-tree being exported\&.
-.IP
-Note that setting this parameter can have a negative effect on your
-server performance due to the extra system calls that Samba has to
-do in order to perform the link checks\&.
-.IP
-\fBDefault:\fP
-\f(CW wide links = yes\fP
-.IP
-\fBExample:\fP
-\f(CW wide links = no\fP
-.IP
-.IP "\fBwins proxy (G)\fP"
-.IP
-This is a boolean that controls if \fBnmbd\fP will
-respond to broadcast name queries on behalf of other hosts\&. You may
-need to set this to \f(CW"yes"\fP for some older clients\&.
-.IP
-\fBDefault:\fP
-\f(CW wins proxy = no\fP
-.IP
-.IP "\fBwins server (G)\fP"
-.IP
-This specifies the IP address (or DNS name: IP address for preference)
-of the WINS server that \fBnmbd\fP should register with\&.
-If you have a WINS server on your network then you should set this to
-the WINS server\'s IP\&.
-.IP
+\fIveto files\fR
+parameter.
+
+Default: \fBNo files are vetoed for oplock
+grants\fR
+
+You might want to do this on files that you know will
+be heavily contended for by clients. A good example of this
+is in the NetBench SMB benchmark program, which causes heavy
+client contention for files ending in \fI.SEM\fR.
+To cause Samba not to grant oplocks on these files you would use
+the line (either in the [global] section or in the section for
+the particular NetBench share :
+
+Example: \fBveto oplock files = /*;.SEM/
+\fR.TP
+\fBvolume (S)\fR
+This allows you to override the volume label
+returned for a share. Useful for CDROMs with installation programs
+that insist on a particular volume label.
+
+Default: \fBthe name of the share\fR
+.TP
+\fBwide links (S)\fR
+This parameter controls whether or not links
+in the UNIX file system may be followed by the server. Links
+that point to areas within the directory tree exported by the
+server are always allowed; this parameter controls access only
+to areas that are outside the directory tree being exported.
+
+Note that setting this parameter can have a negative
+effect on your server performance due to the extra system calls
+that Samba has to do in order to perform the link checks.
+
+Default: \fBwide links = yes\fR
+.TP
+\fBwins proxy (G)\fR
+This is a boolean that controls if nmbd(8) <URL:nmbd.8.html> will respond to broadcast name
+queries on behalf of other hosts. You may need to set this
+to yes for some older clients.
+
+Default: \fBwins proxy = no\fR
+.TP
+\fBwins server (G)\fR
+This specifies the IP address (or DNS name: IP
+address for preference) of the WINS server that nmbd(8) <URL:nmbd.8.html> should register with. If you have a WINS server on
+your network then you should set this to the WINS server's IP.
+
You should point this at your WINS server if you have a
-multi-subnetted network\&.
-.IP
-\fINOTE\fP\&. You need to set up Samba to point to a WINS server if you
-have multiple subnets and wish cross-subnet browsing to work correctly\&.
-.IP
-See the documentation file BROWSING\&.txt in the docs/ directory of your
-Samba source distribution\&.
-.IP
-\fBDefault:\fP
-\f(CW wins server = \fP
-.IP
-\fBExample:\fP
-\f(CW wins server = 192\&.9\&.200\&.1\fP
-.IP
-.IP "\fBwins hook (G)\fP"
-.IP
-When Samba is running as a WINS server this allows you to call an
-external program for all changes to the WINS database\&. The primary use
-for this option is to allow the dynamic update of external name
-resolution databases such as dynamic DNS\&.
-.IP
-The wins hook parameter specifies the name of a script or executable
-that will be called as follows:
-.IP
-wins_hook operation name nametype ttl IP_list
-.IP
-The first argument is the operation and is one of "add", "delete",
-or "refresh"\&. In most cases the operation can be ignored as the rest
-of the parameters provide sufficient information\&. Note that "refresh"
-may sometimes be called when the name has not previously been added,
-in that case it should be treated as an add\&.
-.IP
-The second argument is the netbios name\&. If the name is not a legal
-name then the wins hook is not called\&. Legal names contain only
-letters, digits, hyphens, underscores and periods\&.
-.IP
-The third argument is the netbios name type as a 2 digit hexadecimal
-number\&.
-.IP
-The fourth argument is the TTL (time to live) for the name in seconds\&.
-.IP
-The fifth and subsequent arguments are the IP addresses currently
-registered for that name\&. If this list is empty then the name should
-be deleted\&.
-.IP
-An example script that calls the BIND dynamic DNS update program
-"nsupdate" is provided in the examples directory of the Samba source
-code\&.
-.IP
-.IP "\fBwins support (G)\fP"
-.IP
-This boolean controls if the \fBnmbd\fP process in
-Samba will act as a WINS server\&. You should not set this to true
-unless you have a multi-subnetted network and you wish a particular
-\fBnmbd\fP to be your WINS server\&. Note that you
-should \fI*NEVER*\fP set this to true on more than one machine in your
-network\&.
-.IP
-\fBDefault:\fP
-\f(CW wins support = no\fP
-.IP
-.IP "\fBworkgroup (G)\fP"
-.IP
-This controls what workgroup your server will appear to be in when
-queried by clients\&. Note that this parameter also controls the Domain
-name used with the \fB"security=domain"\fP
-setting\&.
-.IP
-\fBDefault:\fP
-\f(CW set at compile time to WORKGROUP\fP
-.IP
-\fBExample:\fP
-workgroup = MYGROUP
-.IP
-.IP "\fBwritable (S)\fP"
-.IP
-Synonym for \fB"writeable"\fP for people who can\'t spell :-)\&.
-.IP
-.IP "\fBwrite list (S)\fP"
-.IP
-This is a list of users that are given read-write access to a
-service\&. If the connecting user is in this list then they will be
-given write access, no matter what the \fB"writeable"\fP
-option is set to\&. The list can include group names using the @group
-syntax\&.
-.IP
-Note that if a user is in both the read list and the write list then
-they will be given write access\&.
-.IP
-See also the \fB"read list"\fP option\&.
-.IP
-\fBDefault:\fP
-\f(CW write list = <empty string>\fP
-.IP
-\fBExample:\fP
-\f(CW write list = admin, root, @staff\fP
-.IP
-.IP "\fBwrite cache size (S)\fP"
-.IP
-This integer parameter (new with Samba 2\&.0\&.7) if set to non-zero causes Samba to create an in-memory
-cache for each oplocked file (it does \fBnot\fP do this for non-oplocked files)\&. All
-writes that the client does not request to be flushed directly to disk will be
-stored in this cache if possible\&. The cache is flushed onto disk when a write
-comes in whose offset would not fit into the cache or when the file is closed
-by the client\&. Reads for the file are also served from this cache if the data
-is stored within it\&.
-.IP
-This cache allows Samba to batch client writes into a more efficient write
-size for RAID disks (ie\&. writes may be tuned to be the RAID stripe size) and
-can improve performance on systems where the disk subsystem is a bottleneck
-but there is free memory for userspace programs\&.
-.IP
-The integer parameter specifies the size of this cache (per oplocked file)
-in bytes\&.
-.IP
-\fBDefault:\fP
-\f(CW write cache size = 0\fP
-.IP
-\fBExample:\fP
-\f(CW write cache size = 262144\fP
-for a 256k cache size per file\&.
-.IP
-.IP "\fBwrite ok (S)\fP"
-.IP
-Synonym for \fBwriteable\fP\&.
-.IP
-.IP "\fBwrite raw (G)\fP"
-.IP
-This parameter controls whether or not the server will support raw
-writes SMB\'s when transferring data from clients\&. You should never
-need to change this parameter\&.
-.IP
-\fBDefault:\fP
-\f(CW write raw = yes\fP
-.IP
-.IP "\fBwriteable\fP"
-.IP
-An inverted synonym is \fB"read only"\fP\&.
-.IP
-If this parameter is \f(CW"no"\fP, then users of a service may not create
-or modify files in the service\'s directory\&.
-.IP
-Note that a printable service \fB("printable = yes")\fP
-will \fI*ALWAYS*\fP allow writing to the directory (user privileges
-permitting), but only via spooling operations\&.
-.IP
-\fBDefault:\fP
-\f(CW writeable = no\fP
-.IP
-\fBExamples:\fP
-
-.nf
-
+multi-subnetted network.
- read only = no
- writeable = yes
- write ok = yes
+\fBNOTE\fR. You need to set up Samba to point
+to a WINS server if you have multiple subnets and wish cross-subnet
+browsing to work correctly.
-.fi
-
+See the documentation file \fIBROWSING.txt\fR
+in the docs/ directory of your Samba source distribution.
+
+Default: \fBnot enabled\fR
+
+Example: \fBwins server = 192.9.200.1\fR
+.TP
+\fBwins hook (G)\fR
+When Samba is running as a WINS server this
+allows you to call an external program for all changes to the
+WINS database. The primary use for this option is to allow the
+dynamic update of external name resolution databases such as
+dynamic DNS.
+
+The wins hook parameter specifies the name of a script
+or executable that will be called as follows:
+
+\fBwins_hook operation name nametype ttl IP_list
+\fR.RS
+.TP 0.2i
+\(bu
+The first argument is the operation and is one
+of "add", "delete", or "refresh". In most cases the operation can
+be ignored as the rest of the parameters provide sufficient
+information. Note that "refresh" may sometimes be called when the
+name has not previously been added, in that case it should be treated
+as an add.
+.TP 0.2i
+\(bu
+The second argument is the netbios name. If the
+name is not a legal name then the wins hook is not called.
+Legal names contain only letters, digits, hyphens, underscores
+and periods.
+.TP 0.2i
+\(bu
+The third argument is the netbios name
+type as a 2 digit hexadecimal number.
+.TP 0.2i
+\(bu
+The fourth argument is the TTL (time to live)
+for the name in seconds.
+.TP 0.2i
+\(bu
+The fifth and subsequent arguments are the IP
+addresses currently registered for that name. If this list is
+empty then the name should be deleted.
+.RE
+.PP
+An example script that calls the BIND dynamic DNS update
+program \fBnsupdate\fR is provided in the examples
+directory of the Samba source code.
+.PP
+.TP
+\fBwins support (G)\fR
+This boolean controls if the
+nmbd(8) <URL:nmbd.8.html> process in Samba will act as a WINS server. You should
+not set this to true unless you have a multi-subnetted network and
+you wish a particular \fBnmbd\fR to be your WINS server.
+Note that you should \fBNEVER\fR set this to true
+on more than one machine in your network.
+
+Default: \fBwins support = no\fR
+.TP
+\fBworkgroup (G)\fR
+This controls what workgroup your server will
+appear to be in when queried by clients. Note that this parameter
+also controls the Domain name used with the \fBsecurity=domain\fR
+setting.
+
+Default: \fBset at compile time to WORKGROUP\fR
+
+Example: \fBworkgroup = MYGROUP\fR
+.TP
+\fBwritable (S)\fR
+Synonym for \fI writeable\fR for people who can't spell :-).
+.TP
+\fBwrite list (S)\fR
+This is a list of users that are given read-write
+access to a service. If the connecting user is in this list then
+they will be given write access, no matter what the \fIwriteable\fR
+option is set to. The list can include group names using the
+@group syntax.
+
+Note that if a user is in both the read list and the
+write list then they will be given write access.
+
+See also the \fIread list
+\fRoption.
+
+Default: \fBwrite list = <empty string>
+\fR
+Example: \fBwrite list = admin, root, @staff
+\fR.TP
+\fBwrite cache size (S)\fR
+This integer parameter (new with Samba 2.0.7)
+if set to non-zero causes Samba to create an in-memory cache for
+each oplocked file (it does \fBnot\fR do this for
+non-oplocked files). All writes that the client does not request
+to be flushed directly to disk will be stored in this cache if possible.
+The cache is flushed onto disk when a write comes in whose offset
+would not fit into the cache or when the file is closed by the client.
+Reads for the file are also served from this cache if the data is stored
+within it.
+
+This cache allows Samba to batch client writes into a more
+efficient write size for RAID disks (ie. writes may be tuned to
+be the RAID stripe size) and can improve performance on systems
+where the disk subsystem is a bottleneck but there is free
+memory for userspace programs.
+
+The integer parameter specifies the size of this cache
+(per oplocked file) in bytes.
+
+Default: \fBwrite cache size = 0\fR
+
+Example: \fBwrite cache size = 262144\fR
+
+for a 256k cache size per file.
+.TP
+\fBwrite ok (S)\fR
+Synonym for \fI writeable\fR.
+.TP
+\fBwrite raw (G)\fR
+This parameter controls whether or not the server
+will support raw writes SMB's when transferring data from clients.
+You should never need to change this parameter.
+
+Default: \fBwrite raw = yes\fR
+.TP
+\fBwriteable (S)\fR
+An inverted synonym is \fIread only\fR.
+
+If this parameter is no, then users
+of a service may not create or modify files in the service's
+directory.
+
+Note that a printable service (\fBprintable = yes\fR)
+will \fBALWAYS\fR allow writing to the directory
+(user privileges permitting), but only via spooling operations.
-.IP
-.PP
-.SH "WARNINGS"
-.PP
-Although the configuration file permits service names to contain
-spaces, your client software may not\&. Spaces will be ignored in
-comparisons anyway, so it shouldn\'t be a problem - but be aware of the
-possibility\&.
-.PP
-On a similar note, many clients - especially DOS clients - limit
-service names to eight characters\&. \fBSmbd\fP has no
-such limitation, but attempts to connect from such clients will fail
-if they truncate the service names\&. For this reason you should
-probably keep your service names down to eight characters in length\&.
-.PP
-Use of the \fB[homes]\fP and \fB[printers]\fP
-special sections make life for an administrator easy, but the various
-combinations of default attributes can be tricky\&. Take extreme care
-when designing these sections\&. In particular, ensure that the
-permissions on spool directories are correct\&.
-.PP
-.SH "VERSION"
-.PP
-This man page is correct for version 2\&.0 of the Samba suite\&.
-.PP
-.SH "SEE ALSO"
-.PP
-\fBsmbd (8)\fP, \fBsmbclient (1)\fP,
-\fBnmbd (8)\fP, \fBtestparm (1)\fP,
-\fBtestprns (1)\fP, \fBSamba\fP,
-\fBnmblookup (1)\fP, \fBsmbpasswd (5)\fP,
-\fBsmbpasswd (8)\fP\&.
-.PP
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by
-Andrew Tridgell \fIsamba@samba\&.org\fP\&. Samba is now developed
-by the Samba Team as an Open Source project similar to the way the
-Linux kernel is developed\&.
-.PP
-The original Samba man pages were written by Karl Auer\&. The man page
-sources were converted to YODL format (another excellent piece of Open
-Source software, available at
-\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fP)
-and updated for the Samba2\&.0 release by Jeremy Allison\&.
-\fIsamba@samba\&.org\fP\&.
-.PP
-See \fBsamba (7)\fP to find out how to get a full
-list of contributors and details on how to submit bug reports,
-comments etc\&.
+Default: \fBwriteable = no\fR
+.SH "WARNINGS"
+.PP
+Although the configuration file permits service names
+to contain spaces, your client software may not. Spaces will
+be ignored in comparisons anyway, so it shouldn't be a
+problem - but be aware of the possibility.
+.PP
+On a similar note, many clients - especially DOS clients -
+limit service names to eight characters. smbd(8)
+ <URL:smbd.8.html> has no such limitation, but attempts to connect from such
+clients will fail if they truncate the service names. For this reason
+you should probably keep your service names down to eight characters
+in length.
+.PP
+Use of the [homes] and [printers] special sections make life
+for an administrator easy, but the various combinations of default
+attributes can be tricky. Take extreme care when designing these
+sections. In particular, ensure that the permissions on spool
+directories are correct.
+.SH "VERSION"
+.PP
+This man page is correct for version 2.2 of
+the Samba suite.
+.SH "SEE ALSO"
+.PP
+samba(7) <URL:samba.7.html>,
+\fBsmbpasswd(8)\fR <URL:smbpasswd.8.html>,
+\fBswat(8)\fR <URL:swat.8.html>,
+\fBsmbd(8)\fR <URL:smbd.8.html>,
+\fBnmbd(8)\fR <URL:nmbd.8.html>,
+\fBsmbclient(1)\fR <URL:smbclient.1.html>,
+\fBnmblookup(1)\fR <URL:nmblookup.1.html>,
+\fBtestparm(1)\fR <URL:testparm.1.html>,
+\fBtestprns(1)\fR <URL:testprns.1.html>
+.SH "AUTHOR"
+.PP
+The original Samba software and related utilities
+were created by Andrew Tridgell. Samba is now developed
+by the Samba Team as an Open Source project similar
+to the way the Linux kernel is developed.
+.PP
+The original Samba man pages were written by Karl Auer.
+The man page sources were converted to YODL format (another
+excellent piece of Open Source software, available at
+ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
+release by Jeremy Allison. The conversion to DocBook for
+Samba 2.2 was done by Gerald Carter
git.samba.org / kai / samba.git / commitdiff