-.TH SMB.CONF 5 smb.conf smb.conf
+.TH SMB.CONF 5 "02 Nov 1997" "smb.conf 1.9.18alpha10"
.SH NAME
smb.conf \- configuration file for smbd
.SH SYNOPSIS
%M = the internet name of the client machine
+%N = the name of your NIS home directory server. This is obtained from
+your NIS auto.map entry. If you have not compiled Samba with -DAUTOMOUNT
+then this value will be the same as %L.
+
%d = The process id of the current server process
%a = the architecture of the remote machine. Only some are recognised,
Here is a list of all global parameters. See the section of each
parameter for details. Note that some are synonyms.
+announce as
+
+announce version
+
auto services
+bind interfaces only
+
browse list
character set
domain controller
+domain sid
+
+domain group
+
+domain logons
+
domain master
encrypt passwords
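Review bot: The global parameter list adds "domain group", but the section this patch introduces is headed ".SS domain groups (G)" and its Default and Example lines both use "domain groups =". Change the list entry to "domain groups" so the list and the section agree. The list also puts "domain sid" before "domain group", while the sections run groups, sid, logons.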
include
+interfaces
+
keepalive
lock dir
log level
+logon drive
+
+logon home
+
logon path
logon script
message command
+netbios aliases
+
netbios name
nis homedir
printcap name
+printer driver file
+
protocol
read bmpx
unix realname
+username level
+
username map
use rhosts
delete readonly
+delete veto files
+
deny hosts
directory
dont descend
+dos filetimes
+
exec
fake oplocks
+follow symlinks
+
force create mode
force directory mode
only user
+oplocks
+
path
postexec
printer driver
+printer driver location
+
print ok
printable
.SS EXPLANATION OF EACH PARAMETER
.RS 3
-.SS admin users (G)
+.SS admin users (S)
This is a list of users who will be granted administrative privileges
on the share. This means that they will do all file operations as the
.B Example:
admin users = jason
+.SS announce as (G)
+
+This specifies what type of server nmbd will announce itself as in
+browse lists. By default this is set to Windows NT. The valid options
+are "NT", "Win95" or "WfW" meaining Windows NT, Windows 95 and
+Windows for Workgroups respectively. Do not change this parameter
+unless you have a specific need to stop Samba appearing as an NT
+server as this may prevent Samba servers from participating as
+browser servers correctly.
+
+.B Default:
+ announce as = NT
+
+.B Example
+ announce as = Win95
+
+.SS announce version (G)
+
+This specifies the major and minor version numbers that nmbd
+will use when announcing itself as a server. The default is 4.2.
+Do not change this parameter unless you have a specific need to
+set a Samba server to be a downlevel server.
+
+.B Default:
+ announce version = 4.2
+
+.B Example:
+ announce version = 2.0
+
.SS auto services (G)
This is a list of services that you want to be automatically added to
the browse lists. This is most useful for homes and printers services
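Review bot: Typo in the announce as text: "meaining" should be "meaning". The ".B Example" line in that section is also missing the trailing colon that ".B Default:" and the announce version section's ".B Example:" carry.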
A synonym for this parameter is 'hosts allow'.
This parameter is a comma delimited set of hosts which are permitted to access
-a services. If specified in the [global] section, matching hosts will be
-allowed access to any service that does not specifically exclude them from
-access. Specific services my have their own list, which override those
-specified in the [global] section.
+a service.
+
+If specified in the [global] section then it will apply to all
+services, regardless of whether the individual service has a different
+setting.
You can specify the hosts by name or IP number. For example, you could
restrict access to only the hosts on a Class C subnet with something like
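Review bot: The new [global] wording reverses the removed sentence ("Specific services my have their own list, which override those specified in the [global] section") without saying whether this documents a behaviour change or corrects the old description. An admin who relied on a per-share list now reads that the global list applies "regardless of whether the individual service has a different setting", so add a sentence stating which releases behave this way and that a per-service list is not consulted when a global one is set.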
.B Example:
available = no
+
+.SS bind interfaces only (G)
+This global parameter (new for 1.9.18) allows the Samba admin to limit
+what interfaces on a machine will serve smb requests. If affects file service
+(smbd) and name service (nmbd) in slightly different ways.
+
+For name service it causes nmbd to bind to ports 137 and 138 on
+the interfaces listed in the 'interfaces' parameter. nmbd also binds
+to the 'all addresses' interface (0.0.0.0) on ports 137 and 138
+for the purposes of reading broadcast messages. If this option is
+not set then nmbd will service name requests on all of these
+sockets. If "bind interfaces only" is set then nmbd will check
+the source address of any packets coming in on the broadcast
+sockets and discard any that don't match the broadcast addresses
+of the interfaces in the 'interfaces' parameter list. As unicast
+packets are received on the other sockets it allows nmbd to
+refuse to serve names to machines that send packets that arrive
+through any interfaces not listed in the 'interfaces' list.
+IP Source address spoofing does defeat this simple check, however
+so it must not be used seriously as a security feature for nmbd.
+
+For file service it causes smbd to bind only to the interface
+list given in the 'interfaces' parameter. This restricts the
+networks that smbd will serve to packets coming in those interfaces.
+Note that you should not use this parameter for machines that
+are serving ppp or other intermittant or non-broadcast network
+interfaces as it will not cope with non-permanent interfaces.
+
+.B Default:
+ bind interfaces only = False
+
+.B Example:
+ bind interfaces only = True
+
.SS browseable (S)
This controls whether this share is seen in the list of available
shares in a net view and in the browse list.
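Review bot: The bind interfaces only section is written entirely in terms of the 'interfaces' parameter, yet the Example sets only "bind interfaces only = True" and there is no "See also" line. Add a cross-reference to 'interfaces', or show both settings together in the example, so nobody enables this without the list it depends on. The spoofing caveat is given for nmbd only; say whether smbd's bind-only behaviour is meant to be relied on as an access restriction. Also "If affects file service" should read "It affects", and "intermittant" should be "intermittent".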
client code page = 437
.SS comment (S)
-This is a text field that is seen when a client does a net view to
-list what shares are available. It will also be used when browsing is
-fully supported.
+This is a text field that is seen next to a share when a client does a
+net view to list what shares are available.
+
+If you want to set the string that is displayed next to the machine
+name then see the server string command.
.B Default:
No comment string
.SS create mask (S)
A synonym for this parameter is 'create mode'.
-This parameter is the octal modes which are used when converting DOS modes
-to UNIX modes.
-
When a file is created, the neccessary permissions are calculated
according to the mapping from DOS modes to UNIX permissions, and
the resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
modes of a file. Any bit *not* set here will be removed from the
modes set on a file when it is created.
-The default value of this parameter removes the 'user' execute
-bit and the 'group' and 'other' write and execute bits from the
-UNIX modes.
+The default value of this parameter removes the 'group' and 'other'
+write and execute bits from the UNIX modes.
Following this Samba will bit-wise 'OR' the UNIX mode created from
this parameter with the value of the "force create mode" parameter
-which is set to 0700 by default. This causes the 'user' read, write
-and execute bits to be set for every file created. You must have at
-least 'user' read, write and execute bits set for Samba to work properly.
+which is set to 000 by default.
For Samba 1.9.17 and above this parameter no longer affects directory
modes. See the parameter 'directory mode' for details.
See also the "force create mode" parameter for forcing particular
mode bits to be set on created files.
-See also the "directory mode" paramter for masking mode bits on created
+See also the "directory mode" parameter for masking mode bits on created
directories.
.B Default:
- create mask = 0644
+ create mask = 0744
.B Example:
create mask = 0775
.B Example:
deny hosts = 150.203.4. badhost.mynet.edu.au
+
+.SS delete veto files (S)
+
+This option is used when Samba is attempting to delete a directory
+that contains one or more vetoed directories (see the 'veto files' option).
+If this option is set to False (the default) then if a vetoed directory
+contains any non-vetoed files or directories then the directory delete
+will fail. This is usually what you want.
+
+If this option is set to True, then Samba will attempt
+to recursively delete any files and directories within the vetoed
+directory. This can be useful for integration with file serving
+systems such as Netatalk, which create meta-files within directories
+you might normally veto DOS/Windows users from seeing (eg. .AppleDouble)
+
+Setting 'delete veto files = True' allows these directories to be
+transparently deleted when the parent directory is deleted (so long
+as the user has permissions to do so).
+
+.B Default:
+ delete veto files = False
+
+.B Example:
+ delete veto files = True
+
+See
+.B veto files
+
.SS dfree command (G)
The dfree command setting should only be used on systems where a
problem occurs with the internal disk space calculations. This has
modes set on a directory when it is created.
The default value of this parameter removes the 'group' and 'other'
-write bits from the UNIX mode.
+write bits from the UNIX mode, allowing only the user who owns the
+directory to modify it.
Following this Samba will bit-wise 'OR' the UNIX mode created from
this parameter with the value of the "force directory mode" parameter.
.B Example:
directory mask = 0775
+
.SS directory mode (S)
See
.B directory mask.
.B Default:
domain controller = no
+.SS domain groups (G)
+
+Specifies the NT Domain groups that the user belongs to, and the attributes
+associated with that group. This parameter is a white-space separated list
+of group ids (in decimal), followed by an option attribute (in decimal) which
+defaults to a value of 7 if not specified. A group id and the user attributes
+associated with it are separated by "/".
+
+.B
+It is known that attributes are ignored by NT 4.0 Workstation, but not by
+NT 3.51 Workstation. Furthermore, no information on the exact meaning of
+NT Domain groups is presently known.
+
+.B Default:
+ domain groups = 776/7
+
+.B Example:
+ domain groups = 776 1024/7 777
+
+.SS domain sid (G)
+
+Specifies the SID when using Samba as a Logon Server for NT Workstations.
+The format of SIDs supported by samba at present is S-1-N-nnn-nnn-nnn-nnn-nnn.
+The number N indicates the number of sub-authorities (nnn).
+
+.B Default:
+ domain sid = none
+
+.B Example:
+ domain sid = S-1-5-21-123-456-789-123
+
+.SS domain logons (G)
+
+If set to true, the Samba server will serve Windows 95 domain logons
+for the workgroup it is in. For more details on setting up this feature
+see the file DOMAINS.txt in the Samba source documentation directory.
+
+.B Default:
+ domain logons = no
+
.SS domain master (G)
Enable WAN-wide browse list collation. Local master browsers on
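Review bot: In the domain sid text, "The number N indicates the number of sub-authorities (nnn)" does not match NT's SID string notation, where the field after the revision "1" is the identifier authority (the 5 in the example is the NT authority) and the sub-authorities follow it. The example S-1-5-21-123-456-789-123 only appears to agree because it happens to carry five sub-authorities after the 5. Reword the format line to name the authority field and state separately how many sub-authorities Samba accepts. In the domain groups text, "followed by an option attribute" reads as a typo for "optional attribute".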
.B Example:
dont descend = /proc,/dev
+.SS dos filetimes (S)
+Under DOS and Windows, if a user can write to a file they can change
+the timestamp on it. Under POSIX semantics, only the owner of the file
+or root may change the timestamp. By default, Samba runs with POSIX
+semantics and refuses to change the timestamp on a file if the user
+smbd is acting on behalf of is not the file owner. Setting this option
+to True allows DOS semantics and smbd will change the file timstamp as
+DOS requires. This is a correct implementation of a previous compile-time
+options (UTIME_WORKAROUND) which was broken and is now removed.
+
+.B Default:
+ dos filetimes = False
+
+.B Example:
+ dos filetimes = True
+
.SS encrypt passwords (G)
This boolean controls whether encrypted passwords will be negotiated
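Review bot: Two slips in the dos filetimes text: "timstamp" should be "timestamp", and "a previous compile-time options (UTIME_WORKAROUND)" should use the singular "option". Since True lets a user change timestamps on files they can write but do not own, it would help to say that this applies per share and to name the kind of share where it is appropriate.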
data. With some oplock types the client may even cache file open/close
operations. This can give enormous performance benefits.
-Samba does not support opportunistic locks because they are very
-difficult to do under Unix. Samba can fake them, however, by granting
-a oplock whenever a client asks for one. This is controlled using the
-smb.conf option "fake oplocks". If you set "fake oplocks = yes" then
-you are telling the client that it may aggressively cache the file
-data.
+When you set "fake oplocks = yes" Samba will always grant oplock
+requests no matter how many clients are using the file.
By enabling this option on all read-only shares or shares that you know
will only be accessed from one client at a time you will see a big
at the same time you can get data corruption. Use this option
carefully!
+It is generally much better to use the real oplock support except for
+physically read-only media such as CDROMs.
+
This option is disabled by default.
+.SS follow symlinks (S)
+
+This parameter allows the Samba administrator to stop smbd from
+following symbolic links in a particular share. Setting this
+parameter to "No" prevents any file or directory that is a
+symbolic link from being followed (the user will get an error).
+This option is very useful to stop users from adding a symbolic
+link to /etc/pasword in their home directory for instance.
+However it will slow filename lookups down slightly.
+
+This option is enabled (ie. smbd will follow symbolic links)
+by default.
+
.SS force create mode (S)
This parameter specifies a set of UNIX mode bit permissions that
will *always* be set on a file created by Samba. This is done
by bitwise 'OR'ing these bits onto the mode bits of a file that
is being created. The default for this parameter is (in octel)
-0700 as files must have at least 'user' read/write/execute bits
-set for Samba to work correctly. This operation is done after
-the mode mask in the parameter "create mask" is applied.
+000. The modes in this parameter are bitwise 'OR'ed onto the
+file mode after the mask set in the "create mask" parameter
+is applied.
See also the parameter "create mask" for details on masking mode
bits on created files.
.B Default:
- force create mode = 0700
+ force create mode = 000
.B Example:
force create mode = 0755
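Review bot: In the follow symlinks text, "/etc/pasword" should be "/etc/passwd". That section also lacks the ".B Default:" and ".B Example:" blocks the other new sections in this patch carry; the prose says the option is enabled by default, so add the two lines to match. In force create mode, the rewritten sentence starts right after the unchanged "(in octel)", which should be corrected to "octal" while the sentence is being touched, and the new default is written "000" where every other mode value in the page uses four digits ("0744", "0755").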
.SS hide files(S)
-This is a list of files and directories that are not visible but are
+This is a list of files or directories that are not visible but are
accessible. The DOS 'hidden' attribute is applied to any files or
directories that match.
-Each entry in the list must be separated by a "\\", which allows spaces
-to be included in the entry. '*' and '?' can be used to specify multiple
-files or directories. The default, for example, is used to hide all files
-beginning with a dot.
+Each entry in the list must be separated by a "/", which allows spaces
+to be included in the entry. '*' and '?' can be used to specify multiple
+files or directories as in DOS wildcards.
-Each entry must be a unix path, not a DOS path. Therefore, the pathname
-specified between separators "\\", if it incudes directories, must use the
-unix directory specifier "/", not the DOS directory specifier "\\".
+Each entry must be a unix path, not a DOS path and must not include the
+unix directory separator "/".
Note that the case sensitivity option is applicable in hiding files.
-See also "veto files" and "case sensitive"
+Setting this parameter will affect the performance of Samba, as
+it will be forced to check all files and directories for a match
+as they are scanned.
+
+See also "hide dot files", "veto files" and "case sensitive"
.B Default
- hide files = */.*
+ No files or directories are hidden by this option (dot files are
+ hidden by default because of the "hide dot files" option).
.B Example
- hide files = \\*/.*\\DesktopFolderDB\\TrashFor%m\\resource.frk\\
+ hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
The above example is based on files that the Macintosh client (DAVE)
creates for internal use, and also still hides all files beginning with
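Review bot: The replacement sentence in hide files, "Each entry must be a unix path, not a DOS path and must not include the unix directory separator "/"", contradicts itself, since a path that may not contain "/" is just a file or directory name. Say "unix file or directory name" instead, and state that "/" is reserved as the list separator, which is the reason the old "*/.*" style entries are no longer valid.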
will be loaded for browsing by default.
.B Default:
- load printers = no
+ load printers = yes
.B Example:
- load printers = yes
+ load printers = no
.SS local master (G)
This option allows the nmbd to become a local master browser on a
.B Example:
lock directory = /usr/local/samba/var/locks
+
.SS locking (S)
This controls whether or not locking will be performed by the server in
response to lock requests from the client.
.SS log level (G)
see "debug level"
+.SS logon drive (G)
+
+This parameter specifies the local path to which the home directory
+will be connected (see "logon home") and is only used by NT Workstations.
+
+.B Example:
+ logon drive = h:
+
+.SS logon home (G)
+
+This parameter specifies the home directory location when a Win95 or
+NT Workstation logs into a Samba PDC. It allows you to do "NET USE
+H: /HOME" from a command prompt, for example.
+
+.B
+This option takes the standard substitutions, allowing you to have
+separate logon scripts for each user or machine.
+
+.B Example:
+ logon home = "\\\\remote_smb_server\\%U"
+
+.B Default:
+ logon home = "\\\\%N\\%U"
+
.SS logon path (G)
This parameter specifies the home directory where roaming profiles
-(USER.DAT / USER.MAN files) are stored.
+(USER.DAT / USER.MAN files for Windows 95) are stored.
This option takes the standard substitutions, allowing you to have
separate logon scripts for each user or machine. It also specifies
read-only - rename it to USER.MAN to achieve the desired effect
(a MANdatory profile).
+Windows clients can sometimes maintain a connection to the [homes]
+share, even though there is no user logged in. Therefore, it is
+vital that the logon path does not include a reference to the
+homes share (i.e \\\\%N\\HOMES\profile_path will cause problems).
+
+.B
+This option takes the standard substitutions, allowing you to have
+separate logon scripts for each user or machine.
+
.B Default:
- logon path = \\\\%L\\%U
+ logon path = \\\\%N\\%U\\profile
.B Example:
- logon path = \\\\PROFILESERVER\\HOME_DIR\\%U
+ logon path = \\\\PROFILESERVER\\HOME_DIR\\%U\\PROFILE
.SS logon script (G)
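Review bot: The paragraph added to logon home ("This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.") is copied from logon path and talks about logon scripts rather than home directories. The same sentence is then added again to logon path, where the unchanged text a few lines above already says it. Drop the duplicate in logon path and reword the logon home copy. In the homes warning, "\\\\%N\\HOMES\profile_path" has a single backslash before "profile_path" while every other separator is doubled, so it will render differently from the rest. logon drive gives an Example but no Default.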
mangled stack = 100
.SS map archive (S)
-This controls whether the DOS archive attribute should be mapped to UNIX
-execute bits. The DOS archive bit is set when a file has been modified
+This controls whether the DOS archive attribute should be mapped to the
+UNIX owner execute bit. The DOS archive bit is set when a file has been modified
since its last backup. One motivation for this option it to keep Samba/your
PC from making any file it touches from becoming executable under UNIX.
This can be quite annoying for shared source code, documents, etc...
+Note that this requires the 'create mask' to be set such that owner
+execute bit is not masked out (ie. it must include 100). See the
+parameter "create mask" for details.
+
.B Default:
map archive = yes
map archive = no
.SS map hidden (S)
-This controls whether DOS style hidden files should be mapped to UNIX
-execute bits.
+This controls whether DOS style hidden files should be mapped to the
+UNIX world execute bit.
+
+Note that this requires the 'create mask' to be set such that the world
+execute bit is not masked out (ie. it must include 001).
+See the parameter "create mask" for details.
.B Default:
map hidden = no
.B Example:
map hidden = yes
.SS map system (S)
-This controls whether DOS style system files should be mapped to UNIX
-execute bits.
+This controls whether DOS style system files should be mapped to the
+UNIX group execute bit.
+
+Note that this requires the 'create mask' to be set such that the group
+execute bit is not masked out (ie. it must include 010). See the parameter
+"create mask" for details.
.B Default:
map system = no
.B Example:
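Review bot: The notes added to map hidden and map system require 'create mask' to include 001 and 010, but this same patch sets the default to "create mask = 0744", which keeps neither bit. Say so in both sections, for instance that with the default create mask the option has no effect until the mask is widened, otherwise "map hidden = yes" and "map system = yes" will look broken out of the box. map archive is unaffected, since 0744 includes 100.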
min print space = 2000
+.SS netbios aliases (G)
+
+This is a list of names that nmbd will advertise as additional
+names by which the Samba server is known. This allows one machine
+to appear in browse lists under multiple names. If a machine is
+acting as a browse server or logon server none of these names
+will be advertised as either browse server or logon servers, only
+the primary name of the machine will be advertised with these
+capabilities.
+
+See also 'netbios name'.
+
+.B Example:
+ netbios aliases = TEST TEST1 TEST2
+
.SS netbios name (G)
This sets the NetBIOS name by which a Samba server is known. By
default it is the same as the first component of the host's DNS name.
+If a machine is a browse server or logon server this name (or the
+first component of the hosts DNS name) will be the name that these
+services are advertised under.
+
+See also 'netbios aliases'.
+
+.B Example:
+ netbios name = MYNAME
.SS nis homedir (G)
Get the home share server from a NIS (or YP) map. For unix systems that
.B Example:
only user = True
+.SS oplocks (S)
+This boolean option tells smbd whether to issue oplocks (opportunistic
+locks) to file open requests on this share. The oplock code was introduced in
+Samba 1.9.18 and can dramatically (approx 30% or more) improve the speed
+of access to files on Samba servers. It allows the clients to agressively
+cache files locally and you may want to disable this option for unreliable
+network environments (it is turned on by default in Windows NT Servers).
+For more information see the file Speed.txt in the Samba docs/ directory.
+
+.B Default:
+ oplocks = True
+
+.B Example:
+ oplocks = False
+
+
.SS os level (G)
This integer value controls what level Samba advertises itself as for
browse elections. See BROWSING.txt for details.
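Review bot: "agressively" should be "aggressively" in the oplocks text. The section advises disabling the option "for unreliable network environments" without saying what goes wrong there; one sentence on the failure mode would let an admin judge the risk. A pointer to "fake oplocks" would also help, since that section now tells readers to prefer "the real oplock support".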
will try each in turn till it finds one that responds. This is useful
in case your primary server goes down.
+If you are using a WindowsNT server as your password server then you
+will have to ensure that your users are able to login from the Samba
+server, as the network logon will appear to come from there rather
+than from the users workstation.
+
.SS path (S)
A synonym for this parameter is 'directory'.
.B Example:
printcap name = /etc/myprintcap
+
.SS printer (S)
A synonym for this parameter is 'printer name'.
See
.B printer.
+.SS printer driver file (G)
+This parameter tells Samba where the printer driver definition file,
+used when serving drivers to Windows 95 clients, is to be found. If
+this is not set, the default is :
+
+SAMBA_INSTALL_DIRECTORY/lib/printers.def
+
+This file is created from Windows 95 'msprint.def' files found on the
+Windows 95 client system. For more details on setting up serving of
+printer drivers to Windows 95 clients, see the documentation file
+docs/PRINTER_DRIVER.txt.
+
+.B Default:
+ None (set in compile).
+
+.B Example:
+ printer driver file = /usr/local/samba/printers/drivers.def
+
+Related parameters.
+.B printer driver location
+
+.SS printer driver location (S)
+This parameter tells clients of a particular printer share where
+to find the printer driver files for the automatic installation
+of drivers for Windows 95 machines. If Samba is set up to serve
+printer drivers to Windows 95 machines, this should be set to
+
+\e\eMACHINE\ePRINTER$
+
+Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
+is a share you set up for serving printer driver files. For more
+details on setting this up see the documentation file
+docs/PRINTER_DRIVER.txt.
+
+.B Default:
+ None
+
+.B Example:
+ printer driver location = \e\eMACHINE\ePRINTER$
+
+Related paramerers.
+.B printer driver file
+
+
.SS printing (G)
This parameters controls how printer status information is interpreted
on your system, and also affects the default values for the "print
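Review bot: "Related paramerers." under printer driver location should be "Related parameters.", matching the line under printer driver file. The UNC paths in these two sections are escaped as "\e\eMACHINE\ePRINTER$", while the logon home and logon path hunks write backslashes as "\\\\"; pick one escaping so the rendered page shows the same number of backslashes everywhere.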
.SS strip dot (G)
This is a boolean that controls whether to strip trailing dots off
-filenames. This helps with some CDROMs that have filenames ending in a
+UNIX filenames. This helps with some CDROMs that have filenames ending in a
single dot.
-NOTE: This option is now obsolete, and may be removed in future. You
-should use the "mangled map" option instead as it is much more
-general.
+.B Default:
+ strip dot = no
+
+.B Example:
+ strip dot = yes
.SS syslog (G)
This parameter maps how Samba debug messages are logged onto the
username = fred
username = fred, mary, jack, jane, @users, @pcgroup
+.SS username level (G)
+
+This option helps Samba to try and 'guess' at the real UNIX username,
+as many DOS clients send an all-uppercase username. By default Samba
+tries all lowercase, followed by the username with the first letter
+capitalized, and fails if the username is not found on the UNIX machine.
+
+If this parameter is set to non-zero the behaviour changes. This
+parameter is a number that specifies the number of uppercase combinations
+to try whilst trying to determine the UNIX user name. The higher the number
+the more combinations will be tried, but the slower the discovery
+of usernames will be. Use this parameter when you have strange
+usernames on your UNIX machine, such as 'AstrangeUser'.
+
+.B Default:
+ username level = 0
+
+.B Example:
+ username level = 5
+
.SS username map (G)
This option allows you to to specify a file containing a mapping of
You can have as many mappings as you like in a username map file.
+You can map Windows usernames that have spaces in them by using double
+quotes around the name. For example:
+
+ tridge = "Andrew Tridgell"
+
+would map the windows username "Andrew Tridgell" to the unix username
+tridge.
+
Note that the remapping is applied to all occurrences of
usernames. Thus if you connect to "\e\eserver\efred" and "fred" is
remapped to "mary" then you will actually be connecting to
.SS veto files(S)
This is a list of files and directories that are neither visible nor
-accessible. Each entry in the list must be separated by a "\\", which
+accessible. Each entry in the list must be separated by a "/", which
allows spaces to be included in the entry. '*' and '?' can be used to
specify multiple files or directories as in DOS wildcards.
-Each entry must be a unix path, not a DOS path. Therefore, the pathname
-specified between separators "\\", if it incudes directories, must use the
-unix directory specifier "/", not the DOS directory specifier "\\".
+Each entry must be a unix path, not a DOS path and must not include the
+unix directory separator "/".
Note that the case sensitivity option is applicable in vetoing files.
*are automatically deleted* along with it, if the user has UNIX permissions
to do so.
+Setting this parameter will affect the performance of Samba, as
+it will be forced to check all files and directories for a match
+as they are scanned.
+
See also "hide files" and "case sensitive"
.B Default
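Review bot: The veto files "See also" line still lists only "hide files" and "case sensitive", although this patch adds "delete veto files", which points back here with "See .B veto files". Add "delete veto files" to the list; the unchanged text just above already talks about vetoed files being deleted along with their directory, and readers need to find the option that controls the related case.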
Example 1.
Veto any files containing the word Security,
any ending in .tmp, and any directory containing the
- component /root/.
+ word root.
- veto files = \\*Security*\\*.tmp\\*/root/*\\
+ veto files = /*Security*/*.tmp/*root*/
Example 2.
Veto the Apple specific files that a NetAtalk server
creates.
- veto files = \.AppleDouble\.bin\.AppleDesktop\Network Trash Folder\
+ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
.SS volume (S)
This allows you to override the volume label returned for a
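Review bot: Example 1 now describes the "*root*" entry as vetoing "any directory containing the word root", but nothing in the entry restricts it to directories; like "*Security*" beside it, it is a plain wildcard over names, and the section itself is about "files and directories". Reword to "any file or directory containing the word root" so nobody is surprised when a file such as a backup with "root" in its name disappears from the share.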
tricky. Take extreme care when designing these sections. In particular,
ensure that the permissions on spool directories are correct.
.SH VERSION
-This man page is (mostly) correct for version 1.9.16 of the Samba suite, plus some
+This man page is (mostly) correct for version 1.9.18 of the Samba suite, plus some
of the recent patches to it. These notes will necessarily lag behind
development of the software, so it is possible that your version of
the server has extensions or parameter semantics that differ from or are not